def __init__(self, privkey_bits=None, pubkey=None):
if (privkey_bits and pubkey) or (not privkey_bits and not pubkey):
raise Exception(
'Provide either privkey_bits=<bits> or pubkey=<modulus>')
elif pubkey:
self.n = pubkey
self.n_sq = self.n * self.n
self.g = self.n + 1
#we pre-compute r^n mod n^2 and use it for every encryption
r = randint(self.n - 1)
self.r_pow_n_mod_n_sq = pow(r, self.n, self.n_sq)
return
elif (privkey_bits < 1024):
raise Exception(
'Please don\'t be ridiculous. The private key must have be at least 1024 bits these days'
)
if (privkey_bits % 2 !=
0): #p and q must be of the same size, need even bitlength
raise Exception('Can only work with even bitlength keys')
p = generate_prime(privkey_bits / 2)
q = generate_prime(privkey_bits / 2)
print('Finished with primes')
self.n = p * q
self.n_sq = self.n * self.n
self.g = self.n + 1
self.l = (p - 1) * (q - 1)
self.m = inverse(self.l, self.n)
r = randint(self.n - 1)
#we pre-compute r^n mod n^2 and use it for every encryption
self.r_pow_n_mod_n_sq = pow(r, self.n, self.n_sq)
def __init__(self, privkey_bits=None, pubkey=None):
if (privkey_bits and pubkey) or (not privkey_bits and not pubkey):
raise Exception('Provide either privkey_bits=<bits> or pubkey=<modulus>')
elif pubkey:
self.n = pubkey
self.n_sq = self.n * self.n
self.g = self.n+1
#we pre-compute r^n mod n^2 and use it for every encryption
r = randint(self.n-1)
self.r_pow_n_mod_n_sq = pow(r, self.n, self.n_sq)
return
elif (privkey_bits < 1024):
raise Exception ('Please don\'t be ridiculous. The private key must have be at least 1024 bits these days')
if (privkey_bits % 2 != 0): #p and q must be of the same size, need even bitlength
raise Exception('Can only work with even bitlength keys')
p = generate_prime(privkey_bits / 2)
q = generate_prime(privkey_bits / 2)
print ('Finished with primes')
self.n = p * q
self.n_sq = self.n * self.n
self.g = self.n + 1
self.l = (p-1) * (q-1)
self.m = inverse(self.l, self.n)
r = randint(self.n-1)
#we pre-compute r^n mod n^2 and use it for every encryption
self.r_pow_n_mod_n_sq = pow(r, self.n, self.n_sq)
def get_data_for_auditor(self, padded_RSA_half, N_ba):
self.padded_RSA_half = padded_RSA_half
self.N = ba2int(N_ba)
self.data_for_auditor = bi2ba(self.N, fixed=256) + bi2ba(
self.P.n, fixed=513
) # contains server pubkey N, Paillier pubkey n and P(A), P(A^2), P(A^3) for each round
iv = ba2int(
self.padded_RSA_half) #initial value (A for the first round)
N = self.N
P = self.P
n_len = self.n_len
for i in range(8):
T1 = pow(iv, 4, N)
#P2 stand for "part of T2"
P2 = P.encrypt(4 * pow(iv, 3, N) % N)
P3 = P.encrypt(6 * pow(iv, 2, N) % N)
P4 = P.encrypt(4 * iv % N)
#len(K) < len(n_len) because we add K to another n_len-2 value. The sum must not overflow n
K = randint(2**(n_len - 2))
#prepare iv for next round (L in the paper)
iv = (T1 - K) % N
self.data_for_auditor += bi2ba(P2, fixed=1026) + bi2ba(
P3, fixed=1026) + bi2ba(P4, fixed=1026)
self.K_values.append({'K': K})
#round 9
X = iv
A = ba2int(self.padded_RSA_half)
PX = P.encrypt(X)
PA = P.encrypt(A)
self.data_for_auditor += bi2ba(PX, fixed=1026) + bi2ba(PA, fixed=1026)
self.X = X
#we now have 1KB*(3*8+2) ~26 KB worth of data
return self.data_for_auditor
def get_data_for_auditor(self, padded_RSA_half, N_ba):
self.padded_RSA_half = padded_RSA_half
self.N = ba2int(N_ba)
self.data_for_auditor = bi2ba(self.N, fixed=256) + bi2ba(self.P.n, fixed=513) # contains server pubkey N, Paillier pubkey n and P(A), P(A^2), P(A^3) for each round
iv = ba2int(self.padded_RSA_half) #initial value (A for the first round)
N = self.N
P = self.P
n_len = self.n_len
for i in range(8):
T1 = pow(iv, 4, N)
#P2 stand for "part of T2"
P2 = P.encrypt(4*pow(iv, 3, N) % N)
P3 = P.encrypt(6*pow(iv, 2, N) % N)
P4 = P.encrypt(4*iv % N)
#len(K) < len(n_len) because we add K to another n_len-2 value. The sum must not overflow n
K = randint(2**(n_len-2))
#prepare iv for next round (L in the paper)
iv = (T1 - K) % N
self.data_for_auditor += bi2ba(P2, fixed=1026) + bi2ba(P3, fixed=1026) + bi2ba(P4, fixed=1026)
self.K_values.append( {'K':K})
#round 9
X = iv
A = ba2int(self.padded_RSA_half)
PX = P.encrypt(X)
PA = P.encrypt(A)
self.data_for_auditor += bi2ba(PX, fixed=1026) + bi2ba(PA, fixed=1026)
self.X = X
#we now have 1KB*(3*8+2) ~26 KB worth of data
return self.data_for_auditor
def do_round(self, round_no, F):
assert round_no < 8
N = self.N
P = self.P
n_len = self.n_len
p_rounds = self.paillier_rounds
if round_no == 0:
iv = ba2int(self.padded_RSA_half)
else:
iv = (F - self.D) % N
T2 = P.e_mul_const(p_rounds[round_no]['P2'], iv)
T3 = P.e_mul_const(p_rounds[round_no]['P3'], pow(iv, 2, N))
T4 = P.e_mul_const(p_rounds[round_no]['P4'], pow(iv, 3, N))
T5 = P.encrypt(pow(iv, 4, N))
TSum = P.e_add(P.e_add(P.e_add(T2, T3), T4), T5)
#apply mask D
self.D = randint(2**(n_len - 2))
E = P.e_add(TSum, P.encrypt(self.D))
return E
def do_round(self, round_no, F):
assert round_no < 8
N = self.N
P = self.P
n_len = self.n_len
p_rounds = self.paillier_rounds
if round_no == 0:
iv = ba2int(self.padded_RSA_half)
else:
iv = (F-self.D) % N
T2 = P.e_mul_const(p_rounds[round_no]['P2'], iv )
T3 = P.e_mul_const(p_rounds[round_no]['P3'], pow(iv, 2, N) )
T4 = P.e_mul_const(p_rounds[round_no]['P4'], pow(iv, 3, N) )
T5 = P.encrypt( pow(iv, 4, N) )
TSum = P.e_add(P.e_add(P.e_add(T2, T3), T4), T5)
#apply mask D
self.D = randint(2**(n_len-2))
E = P.e_add(TSum, P.encrypt(self.D))
return E
