Added CreateCryptoGroup(securityLevel) to MultiplicativeGroupAlgebra.

lumip · lumip · commit 9890f78827e0 · 2022-08-13T21:44:44.000+03:00
diff --git a/CHANGELOG.txt b/CHANGELOG.txt
@@ -1,6 +1,8 @@
 # SPDX-License-Identifier: CC0-1.0
 # SPDX-FileCopyrightText: Lukas Prediger
 
+- 2.1.0: Added more elliptic curve parameters and convenience functions
+    to obtain groups for a specified security level.
 - 2.0.0-alpha
     - Fix: MultiplicativeGroupAlgebra.Negate now works correctly for all elements
         in the prime field, not only the subgroup.
diff --git a/CompactCryptoGroupAlgebra.LibCrypto/CHANGELOG.txt b/CompactCryptoGroupAlgebra.LibCrypto/CHANGELOG.txt
@@ -1,4 +1,6 @@
 # SPDX-License-Identifier: CC0-1.0
 # SPDX-FileCopyrightText: Lukas Prediger
 
+- 1.1.0: Added more elliptic curve parameters and convenience functions
+    to obtain groups for a specified security level.
 - 1.0.0-alpha: Initial release of CompactCryptoGroupAlgebra.LibCrypto library
diff --git a/CompactCryptoGroupAlgebra.Tests/BigPrimeTests.cs b/CompactCryptoGroupAlgebra.Tests/BigPrimeTests.cs
@@ -1,6 +1,6 @@
 ﻿// CompactCryptoGroupAlgebra - C# implementation of abelian group algebra for experimental cryptography
 
-// SPDX-FileCopyrightText: 2020-2021 Lukas Prediger <lumip@lumip.de>
+// SPDX-FileCopyrightText: 2022 Lukas Prediger <lumip@lumip.de>
 // SPDX-License-Identifier: GPL-3.0-or-later
 // SPDX-FileType: SOURCE
 
@@ -147,6 +147,24 @@ public void TestEqualsIsFalseForDifferent()
             Assert.AreNotEqual(prime, otherPrime);
         }
 
+        [Test]
+        public void TestEqualsIsTrueForEqualBigInteger()
+        {
+            var prime = BigPrime.CreateWithoutChecks(11);
+            var bigint = new BigInteger(11);
+
+            Assert.AreEqual(prime, bigint);
+        }
+
+        [Test]
+        public void TestEqualsIsFalseForUnequalBigInteger()
+        {
+            var prime = BigPrime.CreateWithoutChecks(11);
+            var bigint = new BigInteger(13);
+
+            Assert.AreNotEqual(prime, bigint);
+        }
+
         [Test]
         public void TestEqualsIsFalseForNull()
         {
diff --git a/CompactCryptoGroupAlgebra.Tests/Multiplicative/MultiplicativeGroupAlgebraTests.cs b/CompactCryptoGroupAlgebra.Tests/Multiplicative/MultiplicativeGroupAlgebraTests.cs
@@ -1,6 +1,6 @@
 ﻿// CompactCryptoGroupAlgebra - C# implementation of abelian group algebra for experimental cryptography
 
-// SPDX-FileCopyrightText: 2020-2021 Lukas Prediger <lumip@lumip.de>
+// SPDX-FileCopyrightText: 2022 Lukas Prediger <lumip@lumip.de>
 // SPDX-License-Identifier: GPL-3.0-or-later
 // SPDX-FileType: SOURCE
 
@@ -19,8 +19,11 @@
 
 using System;
 using System.Numerics;
+using System.Security.Cryptography;
+using System.Diagnostics;
 
 using NUnit.Framework;
+using Moq;
 
 namespace CompactCryptoGroupAlgebra.Multiplicative
 {
@@ -296,5 +299,68 @@ public void TestCreateCryptoGroup()
             Assert.AreEqual(groupAlgebra, group.Algebra);
         }
 
+        [Test]
+        public void TestCreateCryptoGroupForLevelRngReturnsOdd()
+        {
+            int securityLevel = 32;
+            var expectedPrimeLength = MultiplicativeGroupAlgebra.ComputePrimeLengthForSecurityLevel(securityLevel);
+            var expectedOrderLength = NumberLength.FromBitLength(expectedPrimeLength.InBits - 1);
+
+            var primeBeforeOrder = BigInteger.Parse("332306998946228968225951765070101393");
+            var order = BigPrime.CreateWithoutChecks(BigInteger.Parse("166153499473114484112975882535050719"));
+            var prime = BigPrime.CreateWithoutChecks(BigInteger.Parse("332306998946228968225951765070101439"));
+
+            var rngResponse = (primeBeforeOrder - 2).ToByteArray();
+
+            Debug.Assert(expectedPrimeLength.InBits == NumberLength.GetLength(prime).InBits);
+            Debug.Assert(expectedOrderLength.InBits == NumberLength.GetLength(order).InBits);
+
+            var rngMock = new Mock<RandomNumberGenerator>(MockBehavior.Strict);
+            rngMock.Setup(rng => rng.GetBytes(It.IsAny<byte[]>()))
+                   .Callback<byte[]>(buffer => {
+                        Buffer.BlockCopy(buffer, 0, rngResponse, 0, Math.Min(rngResponse.Length, buffer.Length));
+                    });
+
+            var group = MultiplicativeGroupAlgebra.CreateCryptoGroup(securityLevel, rngMock.Object);
+            Assert.IsInstanceOf<MultiplicativeGroupAlgebra>(group.Algebra);
+
+            Assert.That(group.SecurityLevel >= securityLevel, "Created group does not meet security level!");
+            Assert.AreEqual(order, group.Algebra.Order);
+            Assert.AreEqual(prime, ((MultiplicativeGroupAlgebra)group.Algebra).Prime);
+            Assert.That(group.Algebra.IsSafeElement(group.Algebra.Generator));
+        }
+
+
+        [Test]
+        public void TestCreateCryptoGroupForLevelRngReturnsEven()
+        {
+            int securityLevel = 32;
+            var expectedPrimeLength = MultiplicativeGroupAlgebra.ComputePrimeLengthForSecurityLevel(securityLevel);
+            var expectedOrderLength = NumberLength.FromBitLength(expectedPrimeLength.InBits - 1);
+
+            var primeBeforeOrder = BigInteger.Parse("332306998946228968225951765070101393");
+            var order = BigPrime.CreateWithoutChecks(BigInteger.Parse("166153499473114484112975882535050719"));
+            var prime = BigPrime.CreateWithoutChecks(BigInteger.Parse("332306998946228968225951765070101439"));
+
+            var rngResponse = (primeBeforeOrder - 3).ToByteArray();
+
+            Debug.Assert(expectedPrimeLength.InBits == NumberLength.GetLength(prime).InBits);
+            Debug.Assert(expectedOrderLength.InBits == NumberLength.GetLength(order).InBits);
+
+            var rngMock = new Mock<RandomNumberGenerator>(MockBehavior.Strict);
+            rngMock.Setup(rng => rng.GetBytes(It.IsAny<byte[]>()))
+                   .Callback<byte[]>(buffer => {
+                        Buffer.BlockCopy(buffer, 0, rngResponse, 0, Math.Min(rngResponse.Length, buffer.Length));
+                    });
+
+            var group = MultiplicativeGroupAlgebra.CreateCryptoGroup(securityLevel, rngMock.Object);
+            Assert.IsInstanceOf<MultiplicativeGroupAlgebra>(group.Algebra);
+
+            Assert.That(group.SecurityLevel >= securityLevel, "Created group does not meet security level!");
+            Assert.AreEqual(order, group.Algebra.Order);
+            Assert.AreEqual(prime, ((MultiplicativeGroupAlgebra)group.Algebra).Prime);
+            Assert.That(group.Algebra.IsSafeElement(group.Algebra.Generator));
+        }
+
     }
 }
diff --git a/CompactCryptoGroupAlgebra.Tests/RandomNumberGeneratorExtensionsTests.cs b/CompactCryptoGroupAlgebra.Tests/RandomNumberGeneratorExtensionsTests.cs
@@ -1,6 +1,6 @@
 ﻿// CompactCryptoGroupAlgebra - C# implementation of abelian group algebra for experimental cryptography
 
-// SPDX-FileCopyrightText: 2020-2021 Lukas Prediger <lumip@lumip.de>
+// SPDX-FileCopyrightText: 2022 Lukas Prediger <lumip@lumip.de>
 // SPDX-License-Identifier: GPL-3.0-or-later
 // SPDX-FileType: SOURCE
 
@@ -74,5 +74,74 @@ public void TestRandomBetweenDoesNotExceedUpperBound()
             Assert.AreEqual(expected, result);
             rngMock.Verify(rng => rng.GetBytes(It.IsAny<byte[]>()), Times.Exactly(2));
         }
+
+        [Test]
+        public void TestRandomWithLengthNonByteBoundary()
+        {
+            var length = NumberLength.FromBitLength(17);
+            
+            var leadingOneRngBuffer = ((BigInteger.One << (3 * 8)) - 1).ToByteArray(); // 3 bytes of ones
+            var leadingZeroRngBuffer = ((BigInteger.One << (length.InBits - 2))).ToByteArray(); // only bit 16 set
+            var expectedFirst = (BigInteger.One << length.InBits) - 1;
+            var expectedSecond = ((BigInteger.One << (length.InBits - 2)) ^ (BigInteger.One << (length.InBits - 1)));
+
+            bool firstCall = true;
+            var rngMock = new Mock<RandomNumberGenerator>(MockBehavior.Strict);
+            rngMock.Setup(rng => rng.GetBytes(It.IsAny<byte[]>()))
+                   .Callback<byte[]>(buffer => {
+                        if (firstCall)
+                            Buffer.BlockCopy(leadingOneRngBuffer, 0, buffer, 0, Math.Min(leadingOneRngBuffer.Length, buffer.Length));
+                        else
+                            Buffer.BlockCopy(leadingZeroRngBuffer, 0, buffer, 0, Math.Min(leadingZeroRngBuffer.Length, buffer.Length));
+                        firstCall = false;
+                   });
+
+            var firstResult = rngMock.Object.GetBigIntegerWithLength(length);
+            Assert.AreEqual(1, firstResult.Sign, "GetBigIntegerWithLength returned negative number");
+            Assert.AreEqual(length, NumberLength.GetLength(firstResult));
+            Assert.AreEqual(expectedFirst, firstResult);
+
+            var secondResult = rngMock.Object.GetBigIntegerWithLength(length);;
+            Assert.AreEqual(1, secondResult.Sign, "GetBigIntegerWithLength returned negative number");
+            Assert.AreEqual(length, NumberLength.GetLength(secondResult));
+            Assert.AreEqual(expectedSecond, secondResult);
+
+            rngMock.Verify(rng => rng.GetBytes(It.IsAny<byte[]>()), Times.Exactly(2));
+        }
+
+
+        [Test]
+        public void TestRandomWithLengthByteBoundary()
+        {
+            var length = NumberLength.FromBitLength(16);
+            
+            var leadingOneRngBuffer = ((BigInteger.One << (3 * 8)) - 1).ToByteArray(); // 3 bytes of ones
+            var leadingZeroRngBuffer = ((BigInteger.One << (length.InBits - 2))).ToByteArray(); // only bit 15 set
+            var expectedFirst = (BigInteger.One << length.InBits) - 1;
+            var expectedSecond = ((BigInteger.One << (length.InBits - 2)) ^ (BigInteger.One << (length.InBits - 1)));
+
+            bool firstCall = true;
+            var rngMock = new Mock<RandomNumberGenerator>(MockBehavior.Strict);
+            rngMock.Setup(rng => rng.GetBytes(It.IsAny<byte[]>()))
+                   .Callback<byte[]>(buffer => {
+                        if (firstCall)
+                            Buffer.BlockCopy(leadingOneRngBuffer, 0, buffer, 0, Math.Min(leadingOneRngBuffer.Length, buffer.Length));
+                        else
+                            Buffer.BlockCopy(leadingZeroRngBuffer, 0, buffer, 0, Math.Min(leadingZeroRngBuffer.Length, buffer.Length));
+                        firstCall = false;
+                   });
+
+            var firstResult = rngMock.Object.GetBigIntegerWithLength(length);
+            Assert.AreEqual(1, firstResult.Sign, "GetBigIntegerWithLength returned negative number");
+            Assert.AreEqual(length, NumberLength.GetLength(firstResult));
+            Assert.AreEqual(expectedFirst, firstResult);
+
+            var secondResult = rngMock.Object.GetBigIntegerWithLength(length);;
+            Assert.AreEqual(1, secondResult.Sign, "GetBigIntegerWithLength returned negative number");
+            Assert.AreEqual(length, NumberLength.GetLength(secondResult));
+            Assert.AreEqual(expectedSecond, secondResult);
+
+            rngMock.Verify(rng => rng.GetBytes(It.IsAny<byte[]>()), Times.Exactly(2));
+        }
     }
 }
diff --git a/CompactCryptoGroupAlgebra/BigPrime.cs b/CompactCryptoGroupAlgebra/BigPrime.cs
@@ -166,13 +166,15 @@ public static BigPrime Create(BigInteger primeValue, RandomNumberGenerator rando
         /// <inheritdoc/>
         public override bool Equals(object obj)
         {
+            if (obj is BigInteger)
+                return _value.Equals(obj);
             return obj is BigPrime prime && _value.Equals(prime._value);
         }
 
         /// <inheritdoc/>
         public override int GetHashCode()
         {
-            return -1937169414 + _value.GetHashCode();
+            return _value.GetHashCode();
         }
 
         /// <inheritdoc/>
diff --git a/CompactCryptoGroupAlgebra/Multiplicative/MultiplicativeGroupAlgebra.cs b/CompactCryptoGroupAlgebra/Multiplicative/MultiplicativeGroupAlgebra.cs
@@ -1,6 +1,6 @@
 // CompactCryptoGroupAlgebra - C# implementation of abelian group algebra for experimental cryptography
 
-// SPDX-FileCopyrightText: 2020-2021 Lukas Prediger <lumip@lumip.de>
+// SPDX-FileCopyrightText: 2022 Lukas Prediger <lumip@lumip.de>
 // SPDX-License-Identifier: GPL-3.0-or-later
 // SPDX-FileType: SOURCE
 
@@ -20,6 +20,8 @@
 using System;
 using System.Collections.Generic;
 using System.Numerics;
+using System.Security.Cryptography;
+using System.Diagnostics;
 
 namespace CompactCryptoGroupAlgebra.Multiplicative
 {
@@ -195,6 +197,39 @@ public static CryptoGroup<BigInteger, BigInteger> CreateCryptoGroup(BigPrime pri
                 prime, order, generator
             ));
         }
+
+        /// <summary>
+        /// Creates a <see cref="CryptoGroup{BigInteger, BigInteger}" /> instance that satisfies at least a given security level.
+        /// 
+        /// Finds random primes q, p such that p = 2q+1 and the bit length of p satisfies the security level requirements.
+        /// Then finds an element of the q-order subgroup of the multiplicative group defined by p to use as the generator.
+        /// 
+        /// This process may take some time, depending on the security level chosen.
+        /// </summary>
+        /// <param name="securityLevel">The minimal security level for the group to be created.</param>
+        /// <param name="randomNumberGenerator">A random number generator (used for sampling primes).</param>
+        public static CryptoGroup<BigInteger, BigInteger> CreateCryptoGroup(int securityLevel, RandomNumberGenerator randomNumberGenerator)
+        {
+            var primeLength = ComputePrimeLengthForSecurityLevel(securityLevel);
+            var sgPrimeLength = NumberLength.FromBitLength(primeLength.InBits - 1);
+            BigInteger sgCandidate = randomNumberGenerator.GetBigIntegerWithLength(sgPrimeLength);
+            sgCandidate |= BigInteger.One; // ensure sgCandidate is odd
+            BigInteger primeCandidate = 2 * sgCandidate + 1;
+            while ( !PrimalityTest.IsProbablyPrime(sgCandidate, randomNumberGenerator) ||
+                    !PrimalityTest.IsProbablyPrime(primeCandidate, randomNumberGenerator) )
+            {
+                sgCandidate += 2;
+                primeCandidate += 4;
+            }
+            Debug.Assert(NumberLength.GetLength(sgCandidate).InBits == sgPrimeLength.InBits);
+            Debug.Assert(NumberLength.GetLength(primeCandidate).InBits == primeLength.InBits);
+
+            var groupAlgebra = new MultiplicativeGroupAlgebra(
+                BigPrime.CreateWithoutChecks(primeCandidate), BigPrime.CreateWithoutChecks(sgCandidate), new BigInteger(4)
+            );
+
+            return new CryptoGroup<BigInteger, BigInteger>(groupAlgebra);
+        }
         
     }
 }
diff --git a/CompactCryptoGroupAlgebra/RandomNumberGeneratorExtensions.cs b/CompactCryptoGroupAlgebra/RandomNumberGeneratorExtensions.cs
@@ -1,6 +1,6 @@
 ﻿// CompactCryptoGroupAlgebra - C# implementation of abelian group algebra for experimental cryptography
 
-// SPDX-FileCopyrightText: 2020-2021 Lukas Prediger <lumip@lumip.de>
+// SPDX-FileCopyrightText: 2022 Lukas Prediger <lumip@lumip.de>
 // SPDX-License-Identifier: GPL-3.0-or-later
 // SPDX-FileType: SOURCE
 
@@ -54,5 +54,25 @@ public static BigInteger GetBigIntegerBetween(
             Debug.Assert(delta >= BigInteger.Zero);
             return lower + delta;
         }
+
+        /// <summary>
+        /// Returns a random positive <see cref="BigInteger"/> with the given bit length.
+        /// </summary>
+        /// <param name="randomNumberGenerator">Random number generator.</param>
+        /// <param name="length">The bit length of the generator number.</param>
+        /// <returns>The random <see cref="BigInteger"/>.</returns>
+        public static BigInteger GetBigIntegerWithLength(
+            this RandomNumberGenerator randomNumberGenerator, NumberLength length
+        )
+        {
+            byte[] buffer = new byte[length.InBytes + 1];
+            randomNumberGenerator.GetBytes(buffer);
+            buffer[buffer.Length - 1] = 0; // ensure that there is an additional zero byte so that BigInteger does not treat it as negative
+
+            var candidate = new BigInteger(buffer);
+            candidate &= (BigInteger.One << length.InBits) - 1; // cut off additional bits generated in the highest-order byte
+            candidate |= BigInteger.One << (length.InBits - 1); // ensure msb is set to achieve desired length
+            return candidate;
+        }
     }
 }

Original file line number	Diff line number	Diff line change
`@@ -166,13 +166,15 @@ public static BigPrime Create(BigInteger primeValue, RandomNumberGenerator rando`
`166`	`166`	`/// <inheritdoc/>`
`167`	`167`	`public override bool Equals(object obj)`
`168`	`168`	`{`
	`169`	`+ if (obj is BigInteger)`
	`170`	`+ return _value.Equals(obj);`
`169`	`171`	`return obj is BigPrime prime && _value.Equals(prime._value);`
`170`	`172`	`}`
`171`	`173`
`172`	`174`	`/// <inheritdoc/>`
`173`	`175`	`public override int GetHashCode()`
`174`	`176`	`{`
`175`		`- return -1937169414 + _value.GetHashCode();`
	`177`	`+ return _value.GetHashCode();`
`176`	`178`	`}`
`177`	`179`
`178`	`180`	`/// <inheritdoc/>`