#
#   qNEW.py : The q-NEW signature algorithm.
#
#  Part of the Python Cryptography Toolkit
#
# Distribute and use freely; there are no restrictions on further
# dissemination and usage except those imposed by the laws of your
# country of residence.    This software is provided "as is" without
# warranty of fitness for use or suitability for any purpose, express
# or implied. Use at your own risk or not at all.
#

__revision__ = "$Id: qNEW.py,v 1.8 2003/04/04 15:13:35 akuchling Exp $"

from Crypto.PublicKey import pubkey
from Crypto.Util.number import *
from Crypto.Hash import SHA

class error (Exception):
    pass

HASHBITS = 160   # Size of SHA digests

def generate(bits, randfunc, progress_func=None):
    """generate(bits:int, randfunc:callable, progress_func:callable)

    Generate a qNEW key of length 'bits', using 'randfunc' to get
    random data and 'progress_func', if present, to display
    the progress of the key generation.
    """
    obj=qNEWobj()

    # Generate prime numbers p and q.  q is a 160-bit prime
    # number.  p is another prime number (the modulus) whose bit
    # size is chosen by the caller, and is generated so that p-1
    # is a multiple of q.
    #
    # Note that only a single seed is used to
    # generate p and q; if someone generates a key for you, you can
    # use the seed to duplicate the key generation.  This can
    # protect you from someone generating values of p,q that have
    # some special form that's easy to break.
    if progress_func:
        progress_func('p,q\n')
    while (1):
        obj.q = getPrime(160, randfunc)
        #           assert pow(2, 159L)<obj.q<pow(2, 160L)
        obj.seed = S = long_to_bytes(obj.q)
        C, N, V = 0, 2, {}
        # Compute b and n such that bits-1 = b + n*HASHBITS
        n= (bits-1) / HASHBITS
        b= (bits-1) % HASHBITS ; powb=2L << b
        powL1=pow(long(2), bits-1)
        while C<4096:
            # The V array will contain (bits-1) bits of random
            # data, that are assembled to produce a candidate
            # value for p.
            for k in range(0, n+1):
                V[k]=bytes_to_long(SHA.new(S+str(N)+str(k)).digest())
            p = V[n] % powb
            for k in range(n-1, -1, -1):
                p= (p << long(HASHBITS) )+V[k]
            p = p+powL1         # Ensure the high bit is set

            # Ensure that p-1 is a multiple of q
            p = p - (p % (2*obj.q)-1)

            # If p is still the right size, and it's prime, we're done!
            if powL1<=p and isPrime(p):
                break

            # Otherwise, increment the counter and try again
            C, N = C+1, N+n+1
        if C<4096:
            break   # Ended early, so exit the while loop
        if progress_func:
            progress_func('4096 values of p tried\n')

    obj.p = p
    power=(p-1)/obj.q

    # Next parameter: g = h**((p-1)/q) mod p, such that h is any
    # number <p-1, and g>1.  g is kept; h can be discarded.
    if progress_func:
        progress_func('h,g\n')
    while (1):
        h=bytes_to_long(randfunc(bits)) % (p-1)
        g=pow(h, power, p)
        if 1<h<p-1 and g>1:
            break
    obj.g=g

    # x is the private key information, and is
    # just a random number between 0 and q.
    # y=g**x mod p, and is part of the public information.
    if progress_func:
        progress_func('x,y\n')
    while (1):
        x=bytes_to_long(randfunc(20))
        if 0 < x < obj.q:
            break
    obj.x, obj.y=x, pow(g, x, p)

    return obj

# Construct a qNEW object
def construct(tuple):
    """construct(tuple:(long,long,long,long)|(long,long,long,long,long)
    Construct a qNEW object from a 4- or 5-tuple of numbers.
    """
    obj=qNEWobj()
    if len(tuple) not in [4,5]:
        raise error, 'argument for construct() wrong length'
    for i in range(len(tuple)):
        field = obj.keydata[i]
        setattr(obj, field, tuple[i])
    return obj

class qNEWobj(pubkey.pubkey):
    keydata=['p', 'q', 'g', 'y', 'x']

    def _sign(self, M, K=''):
        if (self.q<=K):
            raise error, 'K is greater than q'
        if M<0:
            raise error, 'Illegal value of M (<0)'
        if M>=pow(2,161L):
            raise error, 'Illegal value of M (too large)'
        r=pow(self.g, K, self.p) % self.q
        s=(K- (r*M*self.x % self.q)) % self.q
        return (r,s)
    def _verify(self, M, sig):
        r, s = sig
        if r<=0 or r>=self.q or s<=0 or s>=self.q:
            return 0
        if M<0:
            raise error, 'Illegal value of M (<0)'
        if M<=0 or M>=pow(2,161L):
            return 0
        v1 = pow(self.g, s, self.p)
        v2 = pow(self.y, M*r, self.p)
        v = ((v1*v2) % self.p)
        v = v % self.q
        if v==r:
            return 1
        return 0

    def size(self):
        "Return the maximum number of bits that can be handled by this key."
        return 160

    def has_private(self):
        """Return a Boolean denoting whether the object contains
        private components."""
        return hasattr(self, 'x')

    def can_sign(self):
        """Return a Boolean value recording whether this algorithm can generate signatures."""
        return 1

    def can_encrypt(self):
        """Return a Boolean value recording whether this algorithm can encrypt data."""
        return 0

    def publickey(self):
        """Return a new key object containing only the public information."""
        return construct((self.p, self.q, self.g, self.y))

object = qNEWobj