[GF2-inlined]: http://latex.codecogs.com/svg.latex?%5Cinline%20%5Ctextrm%7BGF%7D%282%29 [GF2p15-inlined]: http://latex.codecogs.com/svg.latex?%5Cinline%20%5Ctextrm%7BGF%7D%282%5E%7B15%7D%29 [GF2p15p17-inlined]: http://latex.codecogs.com/svg.latex?%5Cinline%20%5Ctextrm%7BGF%7D%28%282%5E%7B15%7D%29%5E%7B17%7D%29 [A-inlined]: http://latex.codecogs.com/svg.latex?%5Cinline%20A [B-inlined]: http://latex.codecogs.com/svg.latex?%5Cinline%20B [D-inlined]: http://latex.codecogs.com/svg.latex?%5Cinline%20D [G-inlined]: http://latex.codecogs.com/svg.latex?%5Cinline%20G [M-inlined]: http://latex.codecogs.com/svg.latex?%5Cinline%20M [P-inlined]: http://latex.codecogs.com/svg.latex?%5Cinline%20P [h-inlined]: http://latex.codecogs.com/svg.latex?%5Cinline%20h [k-inlined]: http://latex.codecogs.com/svg.latex?%5Cinline%20k [l-inlined]: http://latex.codecogs.com/svg.latex?%5Cinline%20l [n-inlined]: http://latex.codecogs.com/svg.latex?%5Cinline%20n [r-inlined]: http://latex.codecogs.com/svg.latex?%5Cinline%20r [s-inlined]: http://latex.codecogs.com/svg.latex?%5Cinline%20s [T-inlined]: http://latex.codecogs.com/svg.latex?%5Cinline%20T [UU-inlined]: http://latex.codecogs.com/svg.latex?%5Cinline%20U [LL-inlined]: http://latex.codecogs.com/svg.latex?%5Cinline%20L [Rnd-inlined]: http://latex.codecogs.com/svg.latex?%5Cinline%20Rnd [Temp-inlined]: http://latex.codecogs.com/svg.latex?%5Cinline%20Temp [UID-inlined]: http://latex.codecogs.com/svg.latex?%5Cinline%20UID [Data-inlined]: http://latex.codecogs.com/svg.latex?%5Cinline%20Data [Data0-inlined]: http://latex.codecogs.com/svg.latex?%5Cinline%20Data%5E0 [Data1-inlined]: http://latex.codecogs.com/svg.latex?%5Cinline%20Data%5E1 [Data2-inlined]: http://latex.codecogs.com/svg.latex?%5Cinline%20Data%5E2 [Data3-inlined]: http://latex.codecogs.com/svg.latex?%5Cinline%20Data%5E3 # How is "rarreg.key" generated? WinRAR uses an ECC-based signature algorithm to generate `rarreg.key`. The algorithm it used is a varient of Chinese SM2 digital signature algorithm. Different to many standard ECDSAs, the curve that WinRAR selected is a curve over composite field ![GF2p15p17-inlined]. ## 1. Composite field ![GF2p15p17-inlined] Elements in ground field ![GF2p15-inlined] are represented with standard basis, i.e. polynomial basis. The irreducible polynomial is

$P(\alpha)=\alpha^{15}+\alpha+1$ where each coefficients is in ![GF2-inlined]. If we use

$B_1=\{1,\alpha,\alpha^2,\ldots,\alpha^{14}\}$ as the standard basis of the ground field, an element ![A-inlined] in ![GF2p15-inlined] can be denoted as

$A=\sum_{i=0}^{14}a_i\alpha^i \quad \quad \quad a_i\in\textrm{GF}(2)$ --- The irreducible polynomial of composite field ![GF2p15p17-inlined] is

$Q(\beta)=\beta^{17}+\beta^3+1$ where each coefficients is in ![GF2p15-inlined]. If we use

$B_2=\{1,\beta,\beta^2,\ldots,\beta^{16}\}$ as the standard basis of the composite field, an element ![B-inlined] in ![GF2p15p17-inlined] can be denoted as

$B=\sum_{j=0}^{16}(\sum_{i=0}^{14}a_{j,i}\alpha^i)\beta^j=\sum_{j=0}^{16}\sum_{i=0}^{14}a_{j,i}\alpha^i\beta^j \quad \quad \quad a_{j,i}\in\textrm{GF}(2)$ --- For clarity, we use ![D-inlined], which is a 255-bits-long integer to denote an element ![B-inlined] in ![GF2p15p17-inlined]. The map between them is

$B=\sum_{j=0}^{16}\sum_{i=0}^{14}a_{j,i}\alpha^i\beta^j \leftrightarrow D=\sum_{j=0}^{16}\sum_{i=0}^{14}a_{j,i}\cdot 2^{15j+i}$ ## 2. Elliptic curve over ![GF2p15p17-inlined] The equation of the elliptic curve that WinRAR uses is

$y^2+xy=x^3+161 \quad \quad \quad 161\in\textrm{GF}((2^{15})^{17})$ The base point ![G-inlined] is

$\begin{aligned} G&=(G_x,G_y) \\ G_x&=\textrm{0x56fdcbc6a27acee0cc2996e0096ae74feb1acf220a2341b898b549440297b8cc} \quad G_x\in\textrm{GF}((2^{15})^{17})\\ G_y&=\textrm{0x20da32e8afc90b7cf0e76bde44496b4d0794054e6ea60f388682463132f931a7} \quad G_y\in\textrm{GF}((2^{15})^{17}) \end{aligned}$ whose order ![n-inlined] is

$n=\textrm{0x1026dd85081b82314691ced9bbec30547840e4bf72d8b5e0d258442bbcd31} \quad n\in\nolinebreak\mathbb{Z}$ ## 3. Message hash algorithm We use

$M=m_0m_1 \ldots m_{l-1} \quad \quad m_i\in[0, 256)$ to denote a message whose length is ![l-inlined]. So the SHA1 value of ![M-inlined] should be

$\textrm{SHA}_1(M)=S_0||S_1||S_2||S_3||S_4 \quad \quad S_i\in[0, 2^{32})$ where ![](http://latex.codecogs.com/svg.latex?%5Cinline%20S_0%2CS_1%2CS_2%2CS_3%2CS_4) are 5 state values when SHA1 outputs. Generally speaking, the final SHA1 value should be the join of these 5 state values while each of state values is serialized in big-endian. However, WinRAR doesn't serialize the 5 state values. Instead, it use a big integer ![h-inlined] as the hash of the input message.

$h=(\sum_{i=0}^{4}S_i \cdot 2^{32i})+\textrm{0x1bd10xb4e33c7c0ffd8d43} \cdot 2^{32*5}$ ## 4. ECC digital signature algorithm We use ![k-inlined] to denote private key, ![P-inlined] to denote public key. So there must be

$P=k \cdot G$ If we use ![h-inlined] to denote the hash of input data, WinRAR use the following algorithm to perform signing: 1. Generate a random big integer ![Rnd-inlined] which satisfies ![](http://latex.codecogs.com/svg.latex?%5Cinline%200%3CRnd%3Cn). 2. Calculate ![r-inlined]

$r=((Rnd \cdot G)_x+h)\ \ Mod\ \ n$

where ![](http://latex.codecogs.com/svg.latex?%5Cinline%20%28Rnd%20%5Ccdot%20G%29_x) means we take X coordinate of ![](http://latex.codecogs.com/svg.latex?%5Cinline%20Rnd%20%5Ccdot%20G) and convert it from ![GF2p15p17-inlined] to a big integer. If ![](http://latex.codecogs.com/svg.latex?%5Cinline%20r%3D0) or ![](http://latex.codecogs.com/svg.latex?%5Cinline%20r+Rnd%3Dn), go back to step 1. 3. Calculate ![s-inlined]

$s=(Rnd-kr)\ \ Mod\ \ n$

If ![](http://latex.codecogs.com/svg.latex?%5Cinline%20s%3D0), go back to step 1. 4. Output ![](http://latex.codecogs.com/svg.latex?%5Cinline%20%28r%2Cs%29). ## 5. WinRAR private key generation algorithm We use

$T=t_0t_1 \ldots t_{l-1} \quad \quad t_i\in[0,256)$

to denote input data whose length is ![l-inlined]. WinRAR use it to generate private key ![k-inlined]. 1. We use ![](http://latex.codecogs.com/svg.latex?%5Cinline%20g_0%2Cg_1%2Cg_2%2Cg_3%2Cg_4%2Cg_5) to denote 6 32-bits-long integer. So there is

$g_j=\sum_{i=0}^{3}g_{j,i} \cdot 2^{8i} \quad \quad g_{j,i}\in[0,256)$

2. Let ![](http://latex.codecogs.com/svg.latex?%5Cinline%20g_0%3D0). 3. If ![](http://latex.codecogs.com/svg.latex?%5Cinline%20l%5Cneq%200), we calculate SHA1 value of ![T-inlined]. Then assign SHA1 state value ![](http://latex.codecogs.com/svg.latex?%5Cinline%20S_i) to ![](http://latex.codecogs.com/svg.latex?%5Cinline%20g_%7Bi+1%7D):

$\begin{aligned} \textrm{SHA}_1(T)&=S_0||S_1||S_2||S_3||S_4 \\ g_1&=S_0 \\ g_2&=S_1 \\ g_3&=S_2 \\ g_4&=S_3 \\ g_5&=S_4 \\ \end{aligned}$

Otherwise, when ![](http://latex.codecogs.com/svg.latex?%5Cinline%20l%3D0), we let

$\begin{aligned} g_1&=\textrm{0xeb3eb781} \\ g_2&=\textrm{0x50265329} \\ g_3&=\textrm{0xdc5ef4a3} \\ g_4&=\textrm{0x6847b9d5} \\ g_5&=\textrm{0xcde43b4c} \\ \end{aligned}$

4. Regard ![](http://latex.codecogs.com/svg.latex?%5Cinline%20g_0) as counter, add itself by 1. Calculate SHA1:

$\textrm{SHA}_1(g_{0,0}||g_{0,1}||g_{0,2}||g_{0,3}||g_{1,0}||g_{1,1}||\ldots||g_{5,0}||g_{5,1}||g_{5,2}||g_{5,3})=S_0||S_1||S_2||S_3||S_4$

We takes the lowest 16 bits of ![](http://latex.codecogs.com/svg.latex?%5Cinline%20S_0) and donote it as ![](http://latex.codecogs.com/svg.latex?%5Cinline%20k_%7Bg_0%7D). 5. Repeat step 4 again with 14 times. 6. After that, we will get ![](http://latex.codecogs.com/svg.latex?%5Cinline%20k_1%2Ck_2%2Ck_3%2C%5Cldots%2Ck_%7B15%7D). Then output private key

$k=\sum_{i=1}^{15}k_i \cdot 2^{16i}$

## 6. The private key and public key of WinRAR Private key ![k-inlined] is

$k=\textrm{0x59fe6abcca90bdb95f0105271fa85fb9f11f467450c1ae9044b7fd61d65e} \quad \quad k\in\nolinebreak\mathbb{Z}$

This private key is generated by the algorithm describled in section 5 where the length of data ![T-inlined] is zero. Public key ![P-inlined] is

$\begin{aligned} P&=(P_x,P_y) \\ P_x&=\textrm{0x3861220ed9b36c9753df09a159dfb148135d495db3af8373425ee9a28884ba1a} \quad P_x\in\textrm{GF}((2^{15})^{17}) \\ P_y&=\textrm{0x12b64e62db43a56114554b0cbd573379338cea9124c8443c4f50e6c8b013ec20} \quad P_y\in\textrm{GF}((2^{15})^{17}) \end{aligned}$

## 7. Generation of "rarreg.key" The generation of license file `rarreg.key` requires 2 arguments: 1. Username, an ANSI-encoded string, without null-terminator. Denoted as

$U=u_0u_1 \ldots u_{l-1}$

2. License type, an ANSI-encoded string, without null-terminator. Denoted as

$L=l_0l_1 \ldots l_{l-1}$

The following is the algorithm to generate `rarreg.key`. 1. Use the algorithm describled in section 5, with argument ![UU-inlined], to generate private key ![](http://latex.codecogs.com/svg.latex?%5Cinline%20k_U) and public key ![](http://latex.codecogs.com/svg.latex?%5Cinline%20P_U). Then output hexlified public key string with SM2 compressed public key format. The hexlified public key is denoted as ![Temp-inlined]. The length of ![Temp-inlined] should be 64. If less, pad with `'0'` until the length is 64. 2. Let ![Data3-inlined] be

$Data^3=\texttt{"60"}||Temp_0||Temp_1||\ldots||Temp_{47}$

3. Use the algorithm describled in section 5, with argument ![Data3-inlined], to generate private key ![](http://latex.codecogs.com/svg.latex?%5Cinline%20k_%7BData%5E3%7D) and public key ![](http://latex.codecogs.com/svg.latex?%5Cinline%20P_%7BData%5E3%7D). Then output hexlified public key string with SM2 compressed public key format. The hexlified public key is denoted as ![Data0-inlined]. The length of ![Data0-inlined] should be 64. If less, pad with `'0'` until the length is 64. 4. Let ![UID-inlined] be

$UID=Temp_{48}||Temp_{49}||\ldots||Temp_{63}||Data^0_0||Data^0_1||Data^0_2||Data^0_3$

5. Use the algorithm describled in section 4, with argument ![LL-inlined] and private key ![k-inlined] describled section 6, to get signature ![](http://latex.codecogs.com/svg.latex?%5Cinline%20%28r_L%2Cs_L%29). The bit length of ![](http://latex.codecogs.com/svg.latex?%5Cinline%20r_L) and ![](http://latex.codecogs.com/svg.latex?%5Cinline%20s_L) shall not be more than 240. Otherwise, repeat this step. 6. Convert ![](http://latex.codecogs.com/svg.latex?%5Cinline%20r_L) and ![](http://latex.codecogs.com/svg.latex?%5Cinline%20s_L) to hex-integer string ![](http://latex.codecogs.com/svg.latex?%5Cinline%20SZ%5E%7Br_L%7D) and ![](http://latex.codecogs.com/svg.latex?%5Cinline%20SZ%5E%7Bs_L%7D), without `"0x"` prefix. If the length of ![](http://latex.codecogs.com/svg.latex?%5Cinline%20SZ%5E%7Br_L%7D) or ![](http://latex.codecogs.com/svg.latex?%5Cinline%20SZ%5E%7Bs_L%7D) is less than 60, pad character `'0'` until the length is 60. 7. Let ![Data1-inlined] be

$Data^1=\texttt{"60"}||SZ^{s_L}||SZ^{r_L}$

8. Let ![Temp-inlined] be

$Temp=U||Data^0$

Use the algorithm describled in section 4, with argument ![Temp-inlined] and private key ![k-inlined] describled section 6, to get signature ![](http://latex.codecogs.com/svg.latex?%5Cinline%20%28r_%7BTemp%7D%2Cs_%7BTemp%7D%29). The bit length of ![](http://latex.codecogs.com/svg.latex?%5Cinline%20r_%7BTemp%7D) and ![](http://latex.codecogs.com/svg.latex?%5Cinline%20s_%7BTemp%7D) shall not be more than 240. Otherwise, repeat this step. 9. Convert ![](http://latex.codecogs.com/svg.latex?%5Cinline%20r_%7BTemp%7D) and ![](http://latex.codecogs.com/svg.latex?%5Cinline%20s_%7BTemp%7D) to hex-integer string ![](http://latex.codecogs.com/svg.latex?%5Cinline%20SZ%5E%7Br_%7BTemp%7D%7D) and ![](http://latex.codecogs.com/svg.latex?%5Cinline%20SZ%5E%7Bs_%7BTemp%7D%7D), without `"0x"` prefix. If the length of ![](http://latex.codecogs.com/svg.latex?%5Cinline%20SZ%5E%7Br_%7BTemp%7D%7D) or ![](http://latex.codecogs.com/svg.latex?%5Cinline%20SZ%5E%7Bs_%7BTemp%7D%7D) is less than 60, pad character `'0'` until the length is 60. 10. Let ![Data2-inlined] be

$Data^2=\texttt{"60"}||SZ^{s_{Temp}}||SZ^{r_{Temp}}$

11. Calculate CRC32 value of

$L||U||Data^0||Data^1||Data^2||Data^3$

The final checksum the complement of CRC32 value. Then convert the checksum to decimal string ![](http://latex.codecogs.com/svg.latex?%5Cinline%20SZ%5E%7Bchecksum%7D). If the length is less than 10, pad character `'0'` until the length is 10. 12. Let ![Data-inlined] be

$Data=Data^0||Data^1||Data^2||Data^3||SZ^{checksum}$

13. Output with format * A fixed header `"RAR registration data"`, taking one line. * Username, taking one line. * License type, taking one line * UID, taking one line, with format:

$\texttt{"UID="}||UID$

* Output ![Data-inlined], with 54 characters a line.