def __init__(self, group=None, p=0, q=0, secparam=512):
        self.group = group if group is not None else IntegerGroupQ()
        self.group.p, self.group.q, self.group.r = p, q, 2

        if self.group.p == 0 or self.group.q == 0:
            self.group.paramgen(secparam)

        self.p = self.group.p
        self.q = self.group.q

        self.x, self.g, = self.group.random(), self.group.randomGen()
        self.z, self.h, = self.group.randomGen(), self.group.randomGen()

        self.y = (self.g ** self.x) % self.p

        hs1 = hashlib.new('sha256')
        hs1.update(Conversion.IP2OS(integer(self.p)))
        hs1.update(Conversion.IP2OS(integer(self.q)))
        hs1.update(Conversion.IP2OS(integer(self.g)))
        hs1.update(Conversion.IP2OS(integer(self.h)))
        hs1.update(Conversion.IP2OS(integer(self.y)))

        msg = integer(Conversion.OS2IP(hs1.digest()))
        self.z = ((msg ** ((self.p - 1) / self.q)) % self.p)

        self.u = None
        self.d = None
        self.s1 = None
        self.s2 = None
Exemple #2
0
    def round_1(self, n1):

        Ro = self.pk_i['Ro']

        df02_commit = CM_DF02()
        pk_commit = {'S': self.pk_i['S'], 'Z': Ro, 'N': self.pk_i['N']}
        (U, self.vPrime) = df02_commit.commit(pk_commit, self.ms, (ln + lo))

        mTilde = integer(randomBits(lm + lo + lh + 1))
        (Utilde, vPrimeTilde) = df02_commit.commit(pk_commit, mTilde,
                                                   (lm + lo + lh + 1))

        s1 = hashlib.new('sha256')

        s1.update(Conversion.IP2OS(self.context))
        s1.update(Conversion.IP2OS(U))
        s1.update(Conversion.IP2OS(Utilde))
        s1.update(Conversion.IP2OS(n1))

        c = integer(s1.digest())

        # Responses to challenge

        vPrimeHat = vPrimeTilde + (c * self.vPrime)
        sHat = mTilde + (c * self.ms)

        p1 = {'c': c, 'vPrimeHat': vPrimeHat, 'sHat': sHat, 'U': U}
        n2 = integer(randomBits(lo))

        return p1, n2
Exemple #3
0
    def round_2(self, U, p1, attr, n2):

        if self.__verify_p1(p1):
            pass
            # print "P1 verified"
        else:
            return None

        e = randomPrime(le)

        vTilde = integer(randomBits(lv - 1))
        vPrimePrime = (2 ** (lv - 1)) + vTilde

        R = self.pk_i['R']
        Cx = 1 % self.pk_i['N']

        for i in range(1, len(attr) + 1):
            Cx = Cx * (R[str(i)] ** attr[str(i)])

        sigA = self.signAttributesLong(attr, vPrimePrime, U, e)

        A = sigA['A']
        Q = sigA['Q']

        phi_N = (self.sk_i['p'] - 1) * (self.sk_i['q'] - 1)
        e2 = e % phi_N

        r = randomPrime(le)
        Atilde = (Q ** r) % self.pk_i['N']

        s3 = hashlib.new('sha256')

        s3.update(Conversion.IP2OS(self.context))
        s3.update(Conversion.IP2OS(Q))
        s3.update(Conversion.IP2OS(A))
        s3.update(Conversion.IP2OS(n2))
        s3.update(Conversion.IP2OS(Atilde))

        cPrime = integer(s3.digest())
        e2Prime = e2 ** - 1

        Se = r - (cPrime * integer(e2Prime))

        signature = {'A': A, 'e': e, 'vPrimePrime': vPrimePrime}
        P2 = {'Se': Se, 'cPrime': cPrime}

        print signature
        print P2
        return signature, P2
Exemple #4
0
    def verifyProof(self, credential, predicate, P, nv):
        T_hat = {}
        T_hat['t-values'] = self.__verify_cl(credential, predicate, P)

        # print "That:", T_hat['t-values']

        h_challenge = hashlib.new('sha256')
        h_challenge.update(Conversion.IP2OS(self.context))
        h_challenge = self.__add_dict_to_hash(P['common'], h_challenge)
        h_challenge = self.__add_dict_to_hash(T_hat, h_challenge)  # TODO: ricontrollare!
        h_challenge = self.__add_list_to_hash([], h_challenge)  # committed, representation, nym, dnym, verenc, msg
        h_challenge.update(Conversion.IP2OS(nv))
        c = integer(h_challenge.digest())

        return c == P['c']
Exemple #5
0
 def HW_hash(self, key, c, input, keyLen):
     C = integer(c)
     input_size = bitsize(c)
     input_b = Conversion.IP2OS(input, input_size)
     # Return c XOR PRF(k, input), where the output of PRF is keyLength bits
     result = C ^ self.Prf.eval(key, input_b)
     return result
Exemple #6
0
    def signer_state3(self, input):
        print("SIGNER state #3")

        rnd = (integer(randomBits(80)))

        msg = integer(SHA1(Conversion.IP2OS(rnd)))
        z1 = (msg**((p - 1) / q)) % p

        (g, y, h, z) = Protocol.get(self, ['g', 'y', 'h', 'z'])

        z2 = z / z1

        u = self.group.random()
        s1 = self.group.random()
        s2 = self.group.random()
        d = self.group.random()

        a = g**u

        b1 = (g**s1) * (z1**d)
        b2 = (h**s2) * (z2**d)

        Protocol.store(self, ('u', u), ('s1', s1), ('s2', s2), ('d', d))
        Protocol.setState(self, 5)

        return {'rnd': rnd, 'a': a, 'b1': b1, 'b2': b2}
Exemple #7
0
def verify(serial_data_and_sig, public_key):
    verifier = RSA_Sig()
    data_and_sig = bytesToObject(serial_data_and_sig, IntegerGroup())
    data, sig = data_and_sig
    sig = Conversion.IP2OS(sig)
    verdict = verifier.verify(public_key, data, sig)
    if verdict == True:
        return data
    else:
        return None
Exemple #8
0
    def signer_state1(self):
        print("SIGNER state #1")

        x, g, = self.group.random(), self.group.randomGen()
        z, h, = self.group.randomGen(), self.group.randomGen()

        y = g**x

        hs1 = hashlib.new('sha256')
        hs1.update(Conversion.IP2OS(integer(p)))
        hs1.update(Conversion.IP2OS(integer(q)))
        hs1.update(Conversion.IP2OS(integer(g)))
        hs1.update(Conversion.IP2OS(integer(h)))
        hs1.update(Conversion.IP2OS(integer(y)))

        msg = integer(hs1.digest())
        z = (msg**((p - 1) / q)) % p

        Protocol.store(self, ('g', g), ('y', y), ('x', x), ('h', h), ('z', z))
        Protocol.setState(self, 3)

        return {'g': g, 'y': y, 'h': h, 'z': z}
Exemple #9
0
    def build_proof(self, credentials, predicate, n1):
        # step 0.1
        for key, value in self.m.iteritems():
            self.v_tilde[key] = integer(randomBits(lm + lo + lh))
            # print self.v_hat
        self.v_tilde['0'] = integer(randomBits(lm + lo + lh))
        cl_prover = CLProver()
        # print self.all
        # step 1.1: t-values
        t_value, common_value = cl_prover.prove(self.pk_i, credentials,
                                                predicate, self.m,
                                                self.v_tilde)

        self.t_values['Z_tilde'] = t_value
        self.common_value['A_prime'] = common_value

        # step 2.1: challenge
        h_challenge = hashlib.new('sha256')
        h_challenge.update(Conversion.IP2OS(self.context))
        h_challenge = self.__add_dict_to_hash(self.common_value, h_challenge)
        h_challenge = self.__add_dict_to_hash(self.t_values, h_challenge)
        h_challenge = self.__add_list_to_hash(
            [],
            h_challenge)  # committed, representation, nym, dnym, verenc, msg
        h_challenge.update(Conversion.IP2OS(n1))
        c = integer(h_challenge.digest())

        # print "t-value:", t_value

        # step 3.1: s-values
        s_values = cl_prover.prove(self.pk_i, credentials, predicate, self.m,
                                   self.v_tilde, self.ms, c)

        # step 4.1: return proof
        proof = {}
        proof['c'] = c
        proof['s'] = s_values
        proof['common'] = self.common_value
        return proof
Exemple #10
0
    def round_3(self, signature, P2, n2):

        vPrimePrime = signature['vPrimePrime']

        A = signature['A']
        e = signature['e']

        v = vPrimePrime + self.vPrime

        cPrime = P2['cPrime']
        Se = P2['Se']

        Q2 = (self.pk_i['Z'] /
              ((self.pk_i['S']**v) * self.all)) % self.pk_i['N']

        # tmp_u = (self.pk_i['S'] ** self.vPrime) * (self.pk_i['Ro'] ** self.ms) % self.pk_i['N']

        # Q22 = (self.pk_i['Z'] / ((self.pk_i['S'] ** vPrimePrime) * self.ak * tmp_u)) % self.pk_i['N']

        Qhat = (A**e) % self.pk_i['N']
        q2Check = Q2 == Qhat

        Ahat = A**(cPrime + (Se * e)) % self.pk_i['N']

        s4 = hashlib.new('sha256')

        s4.update(Conversion.IP2OS(self.context))
        s4.update(Conversion.IP2OS(Q2))
        s4.update(Conversion.IP2OS(A))
        s4.update(Conversion.IP2OS(n2))
        s4.update(Conversion.IP2OS(Ahat))

        cHat2 = integer(s4.digest())
        c2Check = cHat2 == cPrime

        sig = {'A': A, 'e': e, 'v': v}

        return sig, q2Check, c2Check
Exemple #11
0
    def __verify_p1(self, p1):

        df02_commit = CM_DF02()
        pk_commit = {'S': self.pk_i['S'], 'Z': self.pk_i['Ro'], 'N': self.pk_i['N']}

        sHat = p1['sHat']
        vPrimeHat = p1['vPrimeHat']
        (cA, vPrimeHat) = df02_commit.commit(pk_commit, sHat, 0, vPrimeHat)

        U = p1['U'] % self.pk_i['N']
        c = p1['c']

        Uhat = cA * (U ** (-1 * c))

        s2 = hashlib.new('sha256')

        s2.update(Conversion.IP2OS(self.context))
        s2.update(Conversion.IP2OS(U))
        s2.update(Conversion.IP2OS(Uhat))
        s2.update(Conversion.IP2OS(self.n1))

        cHat = integer(s2.digest())

        return c == cHat
Exemple #12
0
    def check(self, signature: int):
        # Convert back to bytes
        sig = Conversion.IP2OS(signature)

        # Verifier setup
        ecc = ECC.import_key(self.pubk)
        verifier = DSS.new(ecc, 'fips-186-3')
        new_hash = SHA256.new(bytes.fromhex(self.y))

        # We need to verify the signature on the hash. The verifier throws an exception if it doesn't verify.
        try:
            verifier.verify(new_hash, sig)
            return True
        except Exception as e:
            print(str(e), file=sys.stderr)
            return False
Exemple #13
0
    def verify(self, pk, M, S, salt=None):
        #M = b'This is a malicious message'

        octetlen = int(ceil(int(pk['N']).bit_length() / 8.0))

        sig_mess = (integer(S['s1'])**2) % pk['N']
        sig_mess = Conversion.IP2OS(int(sig_mess), octetlen)
        if debug: print("OS1  =>", sig_mess)
        dec_mess = self.paddingscheme.decode(sig_mess)

        if debug:
            print("Verifying")
            print("sig_mess     =>", sig_mess)
            print("dec_mess    =>", dec_mess)
            print("S     =>", S)

        return (dec_mess == M)
Exemple #14
0
    def user_state4(self, input):
        print("USER state #4")

        (g, y, h, z) = Protocol.get(self, ['g', 'y', 'h', 'z'])

        rnd = input.get('rnd')
        a = input.get('a')
        b1 = input.get('b1')
        b2 = input.get('b2')

        msg = integer(SHA1(Conversion.IP2OS(rnd)))
        z1 = (msg**((p - 1) / q)) % p

        gamma = self.group.random()

        tau = self.group.random()

        t1 = self.group.random()
        t2 = self.group.random()
        t3 = self.group.random()
        t4 = self.group.random()
        t5 = self.group.random()

        zeta = z**gamma
        zeta1 = z1**gamma
        zeta2 = zeta / zeta1

        alpha = a * (g**t1) * (y**t2) % p
        beta1 = (b1**gamma) * (g**t3) * (zeta1**t4) % p
        beta2 = (b2**gamma) * (h**t5) * (zeta2**t4) % p
        eta = z**tau

        epsilon = self.group.hash(zeta, zeta1, alpha, beta1, beta2, eta, "msg")
        e = epsilon - t2 - t4

        Protocol.store(self, ('z', z), ('z1', z1), ('zeta', zeta),
                       ('zeta1', zeta1))
        Protocol.store(self, ('zeta2', zeta2), ('alpha', alpha),
                       ('beta1', beta1), ('beta2', beta2))
        Protocol.store(self, ('t1', t1), ('t2', t2), ('t3', t3), ('t4', t4),
                       ('t5', t5))
        Protocol.store(self, ('gamma', gamma), ('tau', tau), ('eta', eta))

        Protocol.setState(self, 6)

        return {'e': e}
Exemple #15
0
    def sign(self, sk, M, salt=None):
        #apply encoding
        modbits = int(sk['N']).bit_length()
        k = int(ceil(modbits / 8.0))
        emLen = int(ceil((modbits - 1) / 8.0))

        em = self.paddingscheme.encode(M, modbits - 1, salt)
        m = Conversion.OS2IP(em)
        m = integer(m) % sk['N']  #ERRROR m is larger than N
        s = (m**sk['d']) % sk['N']
        S = Conversion.IP2OS(s, k)
        if debug:
            print("Signing")
            print("k     =>", k)
            print("emLen =>", emLen)
            print("m     =>", m)
            print("em    =>", em)
            print("s     =>", s)
            print("S     =>", S)
        return S
Exemple #16
0
 def verify(self, pk, M, S):
     modbits = int(pk['N']).bit_length()
     k = int(ceil(modbits / 8.0))
     emLen = int(ceil((modbits - 1) / 8.0))
     if len(S) != k:
         if debug: print("Sig is %s octets long, not %" % (len(S), k))
         return False
     s = Conversion.OS2IP(S)
     s = integer(s) % pk['N']  #Convert to modular integer
     m = (s**pk['e']) % pk['N']
     EM = Conversion.IP2OS(m, emLen)
     if debug:
         print("Verifying")
         print("k     =>", k)
         print("emLen =>", emLen)
         print("s     =>", s)
         print("m       =>", m)
         print("em      =>", EM)
         print("S     =>", S)
     return self.paddingscheme.verify(M, EM, modbits - 1)
    def challenge_response(self, input, message):
        rnd = input.get('rnd')
        a = input.get('a')
        b1 = input.get('b1')
        b2 = input.get('b2')

        msg = integer(Conversion.OS2IP(SHA1(Conversion.IP2OS(rnd))))
        z1 = (msg**((self.p - 1) / self.q)) % self.p

        gamma = self.group.random()

        tau = self.group.random()

        t1 = self.group.random()
        t2 = self.group.random()
        t3 = self.group.random()
        t4 = self.group.random()
        t5 = self.group.random()

        zeta = self.z**gamma
        zeta1 = z1**gamma
        zeta2 = zeta / zeta1

        alpha = a * (self.g**t1) * (self.y**t2) % self.p
        beta1 = (b1**gamma) * (self.g**t3) * (zeta1**t4) % self.p
        beta2 = (b2**gamma) * (self.h**t5) * (zeta2**t4) % self.p
        eta = self.z**tau

        epsilon = integer(
            hash_int([zeta, zeta1, alpha, beta1, beta2, eta, message
                      ])) % self.q
        e = (epsilon - t2 - t4) % self.q

        self.__store__(self, ('z1', z1), ('zeta', zeta), ('zeta1', zeta1))
        self.__store__(self, ('zeta2', zeta2), ('alpha', alpha),
                       ('beta1', beta1), ('beta2', beta2))
        self.__store__(self, ('t1', t1), ('t2', t2), ('t3', t3), ('t4', t4),
                       ('t5', t5))
        self.__store__(self, ('gamma', gamma), ('tau', tau), ('eta', eta))

        return {'e': e}
    def get_challenge(self):
        rnd = randomBits(80)

        msg = integer(Conversion.OS2IP(SHA1(Conversion.IP2OS(rnd))))

        z1 = ((msg ** ((self.p - 1) / self.q)) % self.p)
        inv_z1 = (mulinv(z1, self.p)) % self.p

        z2 = (int(self.z) * int(inv_z1)) % self.p

        self.u = self.group.random()
        self.s1 = self.group.random()
        self.s2 = self.group.random()
        self.d = self.group.random()

        a = self.g ** self.u

        b1 = (self.g ** self.s1) * (z1 ** self.d)
        b2 = (self.h ** self.s2) * (z2 ** self.d)

        return {'rnd': rnd, 'a': a, 'b1': b1, 'b2': b2}
Exemple #19
0
    hp_1_value = hp_1_value % group_p_value
    hp_2_value = hp_2_value % group_p_value
    u_1_value = u_1_value % group_p_value
    u_2_value = u_2_value % group_p_value
    X_value = X_value % group_p_value

    alpha_1_prime_value = randomBits(group_order_bits) % group_order
    alpha_2_prime_value = randomBits(group_order_bits) % group_order
    beta_1_prime_value = randomBits(group_order_bits) % group_order
    beta_2_prime_value = randomBits(group_order_bits) % group_order
    #print('alpha_1_prime_value = ', alpha_1_prime_value)
    #print('alpha_2_prime_value = ', alpha_2_prime_value)
    #print('beta_1_prime_value = ', beta_1_prime_value)
    #print('beta_2_prime_value = ', beta_2_prime_value)

    alpha_1_prime_bytes = Conversion.IP2OS(alpha_1_prime_value,
                                           group_order_bits // 8)
    alpha_2_prime_bytes = Conversion.IP2OS(alpha_2_prime_value,
                                           group_order_bits // 8)
    beta_1_prime_bytes = Conversion.IP2OS(beta_1_prime_value,
                                          group_order_bits // 8)
    beta_2_prime_bytes = Conversion.IP2OS(beta_2_prime_value,
                                          group_order_bits // 8)

    # print('type of g_1 value is: ', type(g_1_value))
    # print('type of alpha1_prime_value is: ', type(alpha_1_prime_value))
    # print(g_1_value)
    # print('haha')
    # print(alpha_1_prime_value)
    tmp1 = (g_1_value**alpha_1_prime_value) % group_p_value
    tmp2 = (g_2_value**alpha_2_prime_value) % group_p_value
    hp_1_prime_value = (tmp1 * tmp2) % group_p_value
Exemple #20
0
 def decrypt(self, pk, sk, c):
     octetlen = int(ceil(int(pk['N']).bit_length() / 8.0))
     M = (c**(sk['d'] % sk['phi_N'])) % pk['N']
     os = Conversion.IP2OS(int(M), octetlen)
     if debug: print("OS  =>", os)
     return self.paddingscheme.decode(os)
Exemple #21
0


# long-term key generation, session execution, then session key output

# length of group elements, may change this later
# generate the group G
bits = 1024
group = IntegerGroup()
group.paramgen(bits)
group_order = group.q
#print('group order is ', group_order)
print('group.p = ', group.p)
print('group.q = ', group.q)

group_p_bytes = Conversion.IP2OS(group.p, 128)
group_q_bytes = Conversion.IP2OS(group.q, 128)


alpha_1_value = randomBits(160) % group_order
alpha_2_value = randomBits(160) % group_order
beta_1_value = randomBits(160) % group_order
beta_2_value = randomBits(160) % group_order
alpha_1_bytes = Conversion.IP2OS(alpha_1_value, 20)
alpha_2_bytes = Conversion.IP2OS(alpha_2_value, 20)
beta_1_bytes = Conversion.IP2OS(beta_1_value, 20)
beta_2_bytes = Conversion.IP2OS(beta_2_value, 20)

# two random generators of group G
g_1 = group.randomGen()
g_2 = group.randomGen()
def hash_int(args):
    hash = SHA256Hash()
    for arg in args:
        hash.update(Conversion.IP2OS(arg))
    return Conversion.OS2IP(hash.digest())
Exemple #23
0
g = N_square - toInt(val1)
g = g % N_square
print('g = ', g)

alpha_value = random(N_square / 2)  # of length bits
beta_value = random(N_square / 2)
hp_1_value = (g**alpha_value) % N_square
hp_2_value = (g**beta_value) % N_square

# t_1(k) and u(k) are calculated from the length of r and x
t_1_length = 2 * group_order_bits - 128  # length of IV is 16 bytes
u_length = 2 * group_order_bits - 128

r_1_value = randomBits(t_1_length)
r_2_value = randomBits(640)  # the length of r2 does not matter
r_1_bytes = Conversion.IP2OS(r_1_value, t_1_length // 8)
r_2_bytes = Conversion.IP2OS(r_2_value, 80)
t_value = randomBits(160)  # the length of t does not matter
t_bytes = Conversion.IP2OS(t_value, 20)

# session execution
e_value = randomBits(u_length)
e_bytes = Conversion.IP2OS(e_value, u_length // 8)
# set l_1, l_2 (length of the output of extractor 1 and extractor 2) to be 128 bits, the length of AES key

# hash alpha, beta, r_1 together to get lsk_A_prime
group_for_hash = PairingGroup("SS512")
waters = Waters(group_for_hash)
alpha_bytes = Conversion.IP2OS(alpha_value, bits // 8)
beta_bytes = Conversion.IP2OS(beta_value, bits // 8)
lsk_A_prime = waters.sha2(alpha_bytes + beta_bytes + r_1_bytes)
Exemple #24
0
    def __add_dict_to_hash(self, dict_obj, hash_obj):
        for k, v in dict_obj.iteritems():
            hash_obj.update(Conversion.IP2OS(v))

        return hash_obj
Exemple #25
0
 def __add_list_to_hash(self, list_obj, hash_obj):
     for e in list_obj:
         hash_obj.update(Conversion.IP2OS(e))
     return hash_obj
Exemple #26
0
    def testRSAVector(self):
        # ==================================
        # Example 1: A 1024-bit RSA Key Pair
        # ==================================

        # ------------------------------
        # Components of the RSA Key Pair
        # ------------------------------

        # RSA modulus n:
        n = a2b_hex('\
        bb f8 2f 09 06 82 ce 9c 23 38 ac 2b 9d a8 71 f7 \
        36 8d 07 ee d4 10 43 a4 40 d6 b6 f0 74 54 f5 1f \
        b8 df ba af 03 5c 02 ab 61 ea 48 ce eb 6f cd 48 \
        76 ed 52 0d 60 e1 ec 46 19 71 9d 8a 5b 8b 80 7f \
        af b8 e0 a3 df c7 37 72 3e e6 b4 b7 d9 3a 25 84 \
        ee 6a 64 9d 06 09 53 74 88 34 b2 45 45 98 39 4e \
        e0 aa b1 2d 7b 61 a5 1f 52 7a 9a 41 f6 c1 68 7f \
        e2 53 72 98 ca 2a 8f 59 46 f8 e5 fd 09 1d bd cb '.replace(' ', ''))
        n = Conversion.OS2IP(n, True)

        # RSA public exponent e:
        e = a2b_hex('11')
        e = Conversion.OS2IP(e, True)

        # Prime p:
        p = a2b_hex('\
        ee cf ae 81 b1 b9 b3 c9 08 81 0b 10 a1 b5 60 01 \
        99 eb 9f 44 ae f4 fd a4 93 b8 1a 9e 3d 84 f6 32 \
        12 4e f0 23 6e 5d 1e 3b 7e 28 fa e7 aa 04 0a 2d \
        5b 25 21 76 45 9d 1f 39 75 41 ba 2a 58 fb 65 99 '.replace(' ', ''))
        p = Conversion.OS2IP(p, True)

        # Prime q:
        q = a2b_hex('\
        c9 7f b1 f0 27 f4 53 f6 34 12 33 ea aa d1 d9 35 \
        3f 6c 42 d0 88 66 b1 d0 5a 0f 20 35 02 8b 9d 86 \
        98 40 b4 16 66 b4 2e 92 ea 0d a3 b4 32 04 b5 cf \
        ce 33 52 52 4d 04 16 a5 a4 41 e7 00 af 46 15 03'.replace(' ', ''))
        q = Conversion.OS2IP(q, True)

        phi_N = (p - 1) * (q - 1)
        e = e % phi_N

        d = e**-1

        # ----------------------------------
        # Step-by-step RSAES-OAEP Encryption
        # ----------------------------------

        # Message to be encrypted:
        M = a2b_hex('\
        d4 36 e9 95 69 fd 32 a7 c8 a0 5b bc 90 d3 2c 49'.replace(' ', ''))

        lhash = a2b_hex('\
        da 39 a3 ee 5e 6b 4b 0d 32 55 bf ef 95 60 18 90 \
        af d8 07 09'.replace(' ', ''))

        # DB:
        db = a2b_hex('\
        da 39 a3 ee 5e 6b 4b 0d 32 55 bf ef 95 60 18 90 \
        af d8 07 09 00 00 00 00 00 00 00 00 00 00 00 00 \
        00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 \
        00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 \
        00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 \
        00 00 00 00 00 00 00 00 00 00 01 d4 36 e9 95 69 \
        fd 32 a7 c8 a0 5b bc 90 d3 2c 49'.replace(' ', ''))

        # Seed:
        seed = a2b_hex('\
        aa fd 12 f6 59 ca e6 34 89 b4 79 e5 07 6d de c2 \
        f0 6c b5 8f '.replace(' ', ''))

        # dbMask:
        dbmask = a2b_hex('\
        06 e1 de b2 36 9a a5 a5 c7 07 d8 2c 8e 4e 93 24 \
        8a c7 83 de e0 b2 c0 46 26 f5 af f9 3e dc fb 25 \
        c9 c2 b3 ff 8a e1 0e 83 9a 2d db 4c dc fe 4f f4 \
        77 28 b4 a1 b7 c1 36 2b aa d2 9a b4 8d 28 69 d5 \
        02 41 21 43 58 11 59 1b e3 92 f9 82 fb 3e 87 d0 \
        95 ae b4 04 48 db 97 2f 3a c1 4e af f4 9c 8c 3b \
        7c fc 95 1a 51 ec d1 dd e6 12 64'.replace(' ', ''))

        # maskedDB:
        maskeddb = a2b_hex('\
        dc d8 7d 5c 68 f1 ee a8 f5 52 67 c3 1b 2e 8b b4 \
        25 1f 84 d7 e0 b2 c0 46 26 f5 af f9 3e dc fb 25 \
        c9 c2 b3 ff 8a e1 0e 83 9a 2d db 4c dc fe 4f f4 \
        77 28 b4 a1 b7 c1 36 2b aa d2 9a b4 8d 28 69 d5 \
        02 41 21 43 58 11 59 1b e3 92 f9 82 fb 3e 87 d0 \
        95 ae b4 04 48 db 97 2f 3a c1 4f 7b c2 75 19 52 \
        81 ce 32 d2 f1 b7 6d 4d 35 3e 2d '.replace(' ', ''))

        # seedMask:
        seedmask = a2b_hex('\
        41 87 0b 5a b0 29 e6 57 d9 57 50 b5 4c 28 3c 08 \
        72 5d be a9 '.replace(' ', ''))

        # maskedSeed:
        maskedseed = a2b_hex('\
        eb 7a 19 ac e9 e3 00 63 50 e3 29 50 4b 45 e2 ca \
        82 31 0b 26 '.replace(' ', ''))

        # EM = 00 || maskedSeed || maskedDB:
        em = a2b_hex('\
        00 eb 7a 19 ac e9 e3 00 63 50 e3 29 50 4b 45 e2 \
        ca 82 31 0b 26 dc d8 7d 5c 68 f1 ee a8 f5 52 67 \
        c3 1b 2e 8b b4 25 1f 84 d7 e0 b2 c0 46 26 f5 af \
        f9 3e dc fb 25 c9 c2 b3 ff 8a e1 0e 83 9a 2d db \
        4c dc fe 4f f4 77 28 b4 a1 b7 c1 36 2b aa d2 9a \
        b4 8d 28 69 d5 02 41 21 43 58 11 59 1b e3 92 f9 \
        82 fb 3e 87 d0 95 ae b4 04 48 db 97 2f 3a c1 4f \
        7b c2 75 19 52 81 ce 32 d2 f1 b7 6d 4d 35 3e 2d '.replace(' ', ''))

        # Encryption:
        enc = a2b_hex('\
        12 53 e0 4d c0 a5 39 7b b4 4a 7a b8 7e 9b f2 a0 \
        39 a3 3d 1e 99 6f c8 2a 94 cc d3 00 74 c9 5d f7 \
        63 72 20 17 06 9e 52 68 da 5d 1c 0b 4f 87 2c f6 \
        53 c1 1d f8 23 14 a6 79 68 df ea e2 8d ef 04 bb \
        6d 84 b1 c3 1d 65 4a 19 70 e5 78 3b d6 eb 96 a0 \
        24 c2 ca 2f 4a 90 fe 9f 2e f5 c9 c1 40 e5 bb 48 \
        da 95 36 ad 87 00 c8 4f c9 13 0a de a7 4e 55 8d \
        51 a7 4d df 85 d8 b5 0d e9 68 38 d6 06 3e 09 55 '.replace(' ', ''))

        rsa = RSA_Enc()
        pk = {'N': n, 'e': e}
        sk = {'phi_N': phi_N, 'd': d, 'N': n}

        c = rsa.encrypt(pk, M, seed)
        C = Conversion.IP2OS(c)

        if debug:
            print("RSA OEAP step by step")
            print("Label L  = empty string")
            print("lHash      = ", lhash)
            print("DB         = ", db)
            print("seed       = ", seed)
            print("dbMask     = ", dbmask)
            print("maskedDB   = ", maskeddb)
            print("seedMask   = ", seedmask)
            print("maskedSeed = ", maskedseed)
            print("EM         = ", em)

        assert C == enc
Exemple #27
0
 def getRandomBytes(self, length):
     bits = length * 8
     val = randomBits(bits)
     return Conversion.IP2OS(val, length)
Exemple #28
0
    capital_X_value = capital_X_value % N_square
    capital_W_value = capital_W_value % N_square

    # long term key generation
    alpha_prime_value = random(N_square / 2)
    beta_prime_value = random(N_square / 2)
    hp_1_prime_value = (g_value**alpha_prime_value) % N_square
    hp_2_prime_value = (g_value**beta_prime_value) % N_square

    # t_1(k) and u(k) are calculated from the length of r and x
    t_1_length = 2 * group_order_bits - 128  # length of IV is 16 bytes
    u_length = 2 * group_order_bits - 128

    r_1_prime_value = randomBits(t_1_length)
    r_2_prime_value = randomBits(640)  # the length of r2 does not matter
    r_1_prime_bytes = Conversion.IP2OS(r_1_prime_value, t_1_length // 8)
    r_2_prime_bytes = Conversion.IP2OS(r_2_prime_value, 80)
    t_prime_value = randomBits(160)  # the length of t does not matter
    t_prime_bytes = Conversion.IP2OS(t_prime_value, 20)

    # session execution
    e_prime_value = randomBits(u_length)
    e_prime_bytes = Conversion.IP2OS(e_prime_value, u_length // 8)
    # set l_1, l_2 (length of the output of extractor 1 and extractor 2) to be 128 bits, the length of AES key

    # hash alpha_prime, beta_prime, r_1_prime together to get lsk_B_prime
    group_for_hash = PairingGroup("SS512")
    waters = Waters(group_for_hash)
    alpha_prime_bytes = Conversion.IP2OS(alpha_prime_value, bits // 8)
    beta_prime_bytes = Conversion.IP2OS(beta_prime_value, bits // 8)
    lsk_B_prime = waters.sha2(alpha_prime_bytes + beta_prime_bytes +
Exemple #29
0
 def getRandomBits(self, length):
     i = randomBits(length)
     len = math.ceil(length / 8)
     return Conversion.IP2OS(i, len)
Exemple #30
0
    def decrypt(self, pk, sk, c):
        p = sk['p']
        q = sk['q']
        yp = sk['yp']
        yq = sk['yq']

        mp = (c**((p + 1) / 4)) % p
        mq = (c**((q + 1) / 4)) % q

        if (not (((c % p) == (mp**2)) and ((c % q) == (mq**2)))):
            assert False, "invalid ciphertext"

        r1 = ((int(yp) * int(p) * int(mq)) +
              ((int(yq) * int(q) * int(mp)))) % int(sk['N'])
        r2 = int(sk['N']) - int(r1)

        s1 = (int(yp) * int(p) * int(mq) - int(yq) * int(q) * int(mp)) % int(
            sk['N'])
        s2 = int(sk['N']) - int(s1)

        m1 = r1 % int(sk['N'])
        m2 = r2 % int(sk['N'])
        m3 = s1 % int(sk['N'])
        m4 = s2 % int(sk['N'])

        if (self.paddingscheme.name == "SAEPEncryptionPadding"):
            if (m1 < int(sk['N'] / 2)):
                os1 = Conversion.IP2OS(int(m1))
                if (m2 < int(sk['N'] / 2)):
                    os2 = Conversion.IP2OS(int(m2))
                else:
                    if (m3 < int(sk['N'] / 2)):
                        os2 = Conversion.IP2OS(int(m3))
                    else:
                        os2 = Conversion.IP2OS(int(m4))
            else:
                if (m2 < int(sk['N'] / 2)):
                    os1 = Conversion.IP2OS(int(m2))
                    if (m3 < int(sk['N'] / 2)):
                        os2 = Conversion.IP2OS(int(m3))
                    else:
                        os2 = Conversion.IP2OS(int(m4))
                else:
                    os1 = Conversion.IP2OS(int(m3))
                    os2 = Conversion.IP2OS(int(m4))

            if debug:
                print("OS1  =>", os1)
                print("OS2  =>", os2)

            (m1, t1) = self.paddingscheme.decode(os1, pk['n'], pk['s0'])
            (m2, t2) = self.paddingscheme.decode(os2, pk['n'], pk['s0'])

            if ((t1 == Bytes.fill(b'\x00', pk['s0'] / 8))
                    and (t2 == Bytes.fill(b'\x00', pk['s0'] / 8))):
                assert False, "invalid ciphertext"

            if (t1 == Bytes.fill(b'\x00', pk['s0'] / 8)):
                return m1
            else:
                if (t2 == Bytes.fill(b'\x00', pk['s0'] / 8)):
                    return m2
                else:
                    assert False, "invalid ciphertext"
        else:
            octetlen = int(ceil(int(pk['N']).bit_length() / 8.0))
            os1 = Conversion.IP2OS(int(m1), octetlen)
            os2 = Conversion.IP2OS(int(m2), octetlen)
            os3 = Conversion.IP2OS(int(m3), octetlen)
            os4 = Conversion.IP2OS(int(m4), octetlen)
            if debug:
                print("OS1  =>", os1)
                print("OS2  =>", os2)
                print("OS3  =>", os3)
                print("OS4  =>", os4)

            for i in [os1, os2, os3, os4]:
                (isMessage, message) = self.redundancyscheme.decode(
                    self.paddingscheme.decode(i))
                if (isMessage):
                    return message