def __init__(self, privkey_bits=None, pubkey=None): if (privkey_bits and pubkey) or (not privkey_bits and not pubkey): raise Exception( 'Provide either privkey_bits=<bits> or pubkey=<modulus>') elif pubkey: self.n = pubkey self.n_sq = self.n * self.n self.g = self.n + 1 #we pre-compute r^n mod n^2 and use it for every encryption r = randint(self.n - 1) self.r_pow_n_mod_n_sq = pow(r, self.n, self.n_sq) return elif (privkey_bits < 1024): raise Exception( 'Please don\'t be ridiculous. The private key must have be at least 1024 bits these days' ) if (privkey_bits % 2 != 0): #p and q must be of the same size, need even bitlength raise Exception('Can only work with even bitlength keys') p = generate_prime(privkey_bits / 2) q = generate_prime(privkey_bits / 2) print('Finished with primes') self.n = p * q self.n_sq = self.n * self.n self.g = self.n + 1 self.l = (p - 1) * (q - 1) self.m = inverse(self.l, self.n) r = randint(self.n - 1) #we pre-compute r^n mod n^2 and use it for every encryption self.r_pow_n_mod_n_sq = pow(r, self.n, self.n_sq)
def __init__(self, privkey_bits=None, pubkey=None): if (privkey_bits and pubkey) or (not privkey_bits and not pubkey): raise Exception('Provide either privkey_bits=<bits> or pubkey=<modulus>') elif pubkey: self.n = pubkey self.n_sq = self.n * self.n self.g = self.n+1 #we pre-compute r^n mod n^2 and use it for every encryption r = randint(self.n-1) self.r_pow_n_mod_n_sq = pow(r, self.n, self.n_sq) return elif (privkey_bits < 1024): raise Exception ('Please don\'t be ridiculous. The private key must have be at least 1024 bits these days') if (privkey_bits % 2 != 0): #p and q must be of the same size, need even bitlength raise Exception('Can only work with even bitlength keys') p = generate_prime(privkey_bits / 2) q = generate_prime(privkey_bits / 2) print ('Finished with primes') self.n = p * q self.n_sq = self.n * self.n self.g = self.n + 1 self.l = (p-1) * (q-1) self.m = inverse(self.l, self.n) r = randint(self.n-1) #we pre-compute r^n mod n^2 and use it for every encryption self.r_pow_n_mod_n_sq = pow(r, self.n, self.n_sq)
def get_data_for_auditor(self, padded_RSA_half, N_ba): self.padded_RSA_half = padded_RSA_half self.N = ba2int(N_ba) self.data_for_auditor = bi2ba(self.N, fixed=256) + bi2ba( self.P.n, fixed=513 ) # contains server pubkey N, Paillier pubkey n and P(A), P(A^2), P(A^3) for each round iv = ba2int( self.padded_RSA_half) #initial value (A for the first round) N = self.N P = self.P n_len = self.n_len for i in range(8): T1 = pow(iv, 4, N) #P2 stand for "part of T2" P2 = P.encrypt(4 * pow(iv, 3, N) % N) P3 = P.encrypt(6 * pow(iv, 2, N) % N) P4 = P.encrypt(4 * iv % N) #len(K) < len(n_len) because we add K to another n_len-2 value. The sum must not overflow n K = randint(2**(n_len - 2)) #prepare iv for next round (L in the paper) iv = (T1 - K) % N self.data_for_auditor += bi2ba(P2, fixed=1026) + bi2ba( P3, fixed=1026) + bi2ba(P4, fixed=1026) self.K_values.append({'K': K}) #round 9 X = iv A = ba2int(self.padded_RSA_half) PX = P.encrypt(X) PA = P.encrypt(A) self.data_for_auditor += bi2ba(PX, fixed=1026) + bi2ba(PA, fixed=1026) self.X = X #we now have 1KB*(3*8+2) ~26 KB worth of data return self.data_for_auditor
def get_data_for_auditor(self, padded_RSA_half, N_ba): self.padded_RSA_half = padded_RSA_half self.N = ba2int(N_ba) self.data_for_auditor = bi2ba(self.N, fixed=256) + bi2ba(self.P.n, fixed=513) # contains server pubkey N, Paillier pubkey n and P(A), P(A^2), P(A^3) for each round iv = ba2int(self.padded_RSA_half) #initial value (A for the first round) N = self.N P = self.P n_len = self.n_len for i in range(8): T1 = pow(iv, 4, N) #P2 stand for "part of T2" P2 = P.encrypt(4*pow(iv, 3, N) % N) P3 = P.encrypt(6*pow(iv, 2, N) % N) P4 = P.encrypt(4*iv % N) #len(K) < len(n_len) because we add K to another n_len-2 value. The sum must not overflow n K = randint(2**(n_len-2)) #prepare iv for next round (L in the paper) iv = (T1 - K) % N self.data_for_auditor += bi2ba(P2, fixed=1026) + bi2ba(P3, fixed=1026) + bi2ba(P4, fixed=1026) self.K_values.append( {'K':K}) #round 9 X = iv A = ba2int(self.padded_RSA_half) PX = P.encrypt(X) PA = P.encrypt(A) self.data_for_auditor += bi2ba(PX, fixed=1026) + bi2ba(PA, fixed=1026) self.X = X #we now have 1KB*(3*8+2) ~26 KB worth of data return self.data_for_auditor
def do_round(self, round_no, F): assert round_no < 8 N = self.N P = self.P n_len = self.n_len p_rounds = self.paillier_rounds if round_no == 0: iv = ba2int(self.padded_RSA_half) else: iv = (F - self.D) % N T2 = P.e_mul_const(p_rounds[round_no]['P2'], iv) T3 = P.e_mul_const(p_rounds[round_no]['P3'], pow(iv, 2, N)) T4 = P.e_mul_const(p_rounds[round_no]['P4'], pow(iv, 3, N)) T5 = P.encrypt(pow(iv, 4, N)) TSum = P.e_add(P.e_add(P.e_add(T2, T3), T4), T5) #apply mask D self.D = randint(2**(n_len - 2)) E = P.e_add(TSum, P.encrypt(self.D)) return E
def do_round(self, round_no, F): assert round_no < 8 N = self.N P = self.P n_len = self.n_len p_rounds = self.paillier_rounds if round_no == 0: iv = ba2int(self.padded_RSA_half) else: iv = (F-self.D) % N T2 = P.e_mul_const(p_rounds[round_no]['P2'], iv ) T3 = P.e_mul_const(p_rounds[round_no]['P3'], pow(iv, 2, N) ) T4 = P.e_mul_const(p_rounds[round_no]['P4'], pow(iv, 3, N) ) T5 = P.encrypt( pow(iv, 4, N) ) TSum = P.e_add(P.e_add(P.e_add(T2, T3), T4), T5) #apply mask D self.D = randint(2**(n_len-2)) E = P.e_add(TSum, P.encrypt(self.D)) return E