def sign(m, p, q, g, x):
k = utils.randomnumber(q - 1, inf=2)
while True:
r = utils.powmod(g, k, p) % q
if r == 0:
k = utils.randomnumber(q, inf=2)
continue
break
inv = utils.invert(k, q)
h = m + x * r
s = inv * h % q
return r, s
def run_secdsa():
# Aclice
x1 = utils.randomnumber(ecdsa.n, inf=2)
y1 = ecdsa.get_pub(x1)
ka_pub, ka_priv = paillier.gen_key()
# Bob
x2 = utils.randomnumber(ecdsa.n, inf=2)
y2 = ecdsa.get_pub(x2)
kb_pub, kb_priv = paillier.gen_key()
zkp = eczkp.gen_params(1024)
pub = ecdsa.get_pub(x1 * x2 % ecdsa.n)
# pub_a = ecdsa.point_mult(y2, x1)
# pub_b = ecdsa.point_mult(y1, x2)
# pem.generate_tecdsa_pem(x1, ecdsa.expand_pub(pub), y2, ka_priv, kb_pub, zkp)
# pem.generate_tecdsa_pem(x2, ecdsa.expand_pub(pub), y1, kb_priv, ka_pub, zkp)
# Message hash
message = "hello"
h = hashlib.sha256()
h.update(message.encode("utf-8"))
m = long(h.hexdigest(), 16)
print "Message to sign: ", message
print "Hash: ", m
# ALICE ROUND 1
k1, z1, alpha, zeta, rr1, rr2 = alice_round_1(m, x1, y1, ka_pub, ka_priv)
# BOB ROUND 1
k2, r2 = bob_round_1(alpha, zeta)
# ALICE ROUND 2
r, pi = alice_round_2(alpha, zeta, r2, k1, y1, z1, x1, zkp, ka_pub, rr1, rr2)
# eczkp_pem.pi_to_pem(pi)
# BOB ROUND 2
mu, mup, pi2 = bob_round_2(pi, m, alpha, zeta, r, k2, x2, r2, y1, y2, ka_pub, kb_pub, zkp)
# eczkp_pem.pi_to_pem2(pi2)
# ALICE ROUND 3 (final)
sig = alice_round_3(pi2, r, r2, y2, mup, mu, alpha, zeta, zkp, ka_priv, kb_pub)
print "Signature:"
print sig
r, s = sig
print "Sig status: ", ecdsa.verify(sig, m, pub, ecdsa.G, ecdsa.n)
def pi(c, d, w1, w2, m1, m2, r1, r2, x1, x2, n, h1, h2, ka_pub):
pkn, g = ka_pub
q3 = pow(dsa.Q, 3)
q3n = q3 * n
alpha = utils.randomnumber(q3)
beta = rnd_inv(pkn)
gamma = utils.randomnumber(q3n)
p1 = utils.randomnumber(dsa.Q * n)
delta = utils.randomnumber(q3)
mu = rnd_inv(pkn)
vu = utils.randomnumber(q3n)
p2 = utils.randomnumber(dsa.Q * n)
p3 = utils.randomnumber(dsa.Q)
epsilon = utils.randomnumber(dsa.Q)
n2 = pkn * pkn
z1 = (pow(h1, x1, n) * pow(h2, p1, n)) % n
u1 = pow(c, alpha, dsa.P)
u2 = (pow(g, alpha, n2) * pow(beta, pkn, n2)) % n2
u3 = (pow(h1, alpha, n) * pow(h2, gamma, n)) % n
z2 = (pow(h1, x2, n) * pow(h2, p2, n)) % n
y = pow(d, x2 + p3, dsa.P)
v1 = pow(d, delta + epsilon, dsa.P)
v2 = (pow(w2, alpha, dsa.P) * pow(d, epsilon, dsa.P)) % dsa.P
v3 = (pow(g, delta, n2) * pow(mu, pkn, n2)) % n2
v4 = (pow(h1, delta, n) * pow(h2, vu, n)) % n
h = hashlib.sha256()
h.update(str(c))
h.update(str(w1))
h.update(str(d))
h.update(str(w2))
h.update(str(m1))
h.update(str(m2))
h.update(str(z1))
h.update(str(u1))
h.update(str(u2))
h.update(str(u3))
h.update(str(z2))
h.update(str(y))
h.update(str(v1))
h.update(str(v2))
h.update(str(v3))
h.update(str(v4))
e = long(h.hexdigest(), 16)
s1 = e * x1 + alpha
s2 = (pow(r1, e, pkn) * beta) % pkn
s3 = e * p1 + gamma
t1 = e * x2 + delta
t2 = (e * p3 + epsilon) % dsa.Q
t3 = (pow(r2, e, n2) * mu) % n2
t4 = e * p2 + vu
return z1, u1, u2, u3, z2, y, v1, v2, v3, v4, s1, s2, s3, t1, t2, t3, t4, e
def sign(e, g, n, d):
while True:
k = utils.randomnumber(n-1)
x, y = point_mult(g, k)
if x % n != 0:
break
r = x
s = utils.invert(k, n) * (e + r * d) % n
return r, s
def gen_params(bits):
while True:
ptildprim = utils.randomnumber(pow(2, bits >> 1))
qtildprim = utils.randomnumber(pow(2, bits >> 1))
ptild = (2 * ptildprim + 1)
qtild = (qtildprim + 1)
if utils.is_prime(ptild) and utils.is_prime(qtild):
break
ntild = ptild * qtild
pq = ptildprim * qtildprim
while True:
h2 = utils.randomnumber(ntild)
if utils.nonrec_gcd(h2, ntild) == 1 and utils.powmod(h2, pq,
ntild) == 1:
break
x = utils.randomnumber(pq)
h1 = utils.powmod(h2, x, ntild)
return ntild, h1, h2
def bob_round_2(pi, m, alpha, zeta, r, k2, x2, r2, y1, y2, ka_pub, kb_pub, zkp):
n, g = ka_pub
n2 = n * n
rq = r[0] % ecdsa.n
if rq == 0:
print("signature failed, retry")
exit(1)
z2 = utils.invert(k2, ecdsa.n)
x2z2 = (x2 * z2) % ecdsa.n
x3 = utils.randomnumber(pow(ecdsa.n, 5)-1, inf=1)
if not eczkp.pi_verify(pi, r, ecdsa.G, r2, y1, alpha, zeta, zkp, ka_pub):
print "Error: zkp failed"
exit(1)
mu1 = paillier.mult(alpha, m * z2, n2)
mu2 = paillier.mult(zeta, rq * x2z2, n2)
mu3, rnumb = paillier.encrypt(x3 * ecdsa.n, ka_pub)
mu = paillier.add(paillier.add(mu1, mu2, n2), mu3, n2)
muprim, rmuprim = paillier.encrypt(z2, kb_pub)
c = r2
d = ecdsa.G
w1 = ecdsa.G
w2 = y2
m1 = muprim # ENCRYPTED Z2
m2 = mu # ENCRYPTED RESULT
m3 = alpha # ENCRYPTED Z1
m4 = zeta # ENCRYPTED X1Z1
r1 = rmuprim
r2 = rnumb
x1 = z2
x2 = x2z2
x4 = m
x5 = rq
pi2 = eczkp.pi2(c, d, w1, w2, m1, m2, m3, m4, r1, r2, x1, x2, x3, x4, x5, zkp, ka_pub, kb_pub)
if not pi2:
print "Error: zkp failed"
exit(1)
return mu, muprim, pi2
def bob_round_2(pi, m, alpha, zeta, r, k2, x2, r2, y1, y2, ka_pub, kb_pub,
zkpa, zkpb):
n, g = ka_pub
n2 = n * n
rq = r % dsa.Q
N, h1, h2 = zkpa
if rq == 0:
print("signature failed, retry")
z2 = utils.invert(k2, dsa.Q)
x2z2 = (x2 * z2) % dsa.Q
c = x3 = utils.randomnumber(pow(dsa.Q, 5) - 1, inf=1)
if not zkp.pi_verify(pi, r, dsa.G, r2, y1, alpha, zeta, N, h1, h2, ka_pub):
return False
mu1 = paillier.mult(alpha, (m * z2) % dsa.Q, n2)
mu2 = paillier.mult(zeta, (rq * x2z2) % dsa.Q, n2)
mu3, rnumb = paillier.encrypt(c * dsa.Q, ka_pub)
mu = paillier.add(paillier.add(mu1, mu2, n2), mu3, n2)
muprim, rmuprim = paillier.encrypt((m * z2) % dsa.Q, kb_pub)
c = r2
d = dsa.G
w2 = y2
m1 = muprim
m2 = mu
m3 = alpha
m4 = zeta
r1 = rmuprim
r2 = rnumb
x1 = z2
x2 = (rq * x2z2) % dsa.Q
w1 = dsa.G
pi2 = zkp.pi2(m, c, d, w1, w2, m1, m2, m3, m4, r1, r2, x1, x2, x3, zkpb,
ka_pub, kb_pub)
return mu, muprim, pi2
def gen_key(p, q, g):
# 0 < x < q
x = utils.randomnumber(q, inf=0)
if 0 < x and x < q:
y = utils.powmod(g, x, p)
return x, y
def gen_priv():
return utils.randomnumber(n-1)
def key_gen(g=G):
d = utils.randomnumber(n-1)
Q = get_pub(d, g)
return Q, d
def bob_round_1(alpha, zeta):
k2 = utils.randomnumber(ecdsa.n-1, inf=1)
r2 = ecdsa.point_mult(ecdsa.G, k2)
return k2, r2
def pi(c, d, w1, w2, m1, m2, r1, r2, x1, x2, zkp, ka_pub):
Ntild, h1, h2 = zkp
pkn, g = ka_pub
n3 = pow(ecdsa.n, 3)
n3ntild = n3 * Ntild
alpha = utils.randomnumber(n3)
beta = rnd_inv(pkn)
gamma = utils.randomnumber(n3ntild)
p1 = utils.randomnumber(ecdsa.n * Ntild)
delta = utils.randomnumber(n3)
mu = rnd_inv(pkn)
nu = utils.randomnumber(n3ntild)
p2 = utils.randomnumber(ecdsa.n * Ntild)
p3 = utils.randomnumber(ecdsa.n)
epsilon = utils.randomnumber(ecdsa.n)
n2 = pkn * pkn
z1 = (pow(h1, x1, Ntild) * pow(h2, p1, Ntild)) % Ntild
u1 = ecdsa.point_mult(c, alpha) # POINT
u2 = (pow(g, alpha, n2) * pow(beta, pkn, n2)) % n2
u3 = (pow(h1, alpha, Ntild) * pow(h2, gamma, Ntild)) % Ntild
z2 = (pow(h1, x2, Ntild) * pow(h2, p2, Ntild)) % Ntild
y = ecdsa.point_mult(d, x2 + p3) # POINT
v1 = ecdsa.point_mult(d, delta + epsilon) # POINT
v2 = ecdsa.point_add(ecdsa.point_mult(w2, alpha),
ecdsa.point_mult(d, epsilon)) # POINT
v3 = (pow(g, delta, n2) * pow(mu, pkn, n2)) % n2
v4 = (pow(h1, delta, Ntild) * pow(h2, nu, Ntild)) % Ntild
h = hashlib.sha256()
h.update(ecdsa.expand_pub(c))
h.update(ecdsa.expand_pub(w1))
h.update(ecdsa.expand_pub(d))
h.update(ecdsa.expand_pub(w2))
h.update(str(m1))
h.update(str(m2))
h.update(str(z1))
h.update(ecdsa.expand_pub(u1))
h.update(str(u2))
h.update(str(u3))
h.update(str(z2))
h.update(ecdsa.expand_pub(y))
h.update(ecdsa.expand_pub(v1))
h.update(ecdsa.expand_pub(v2))
h.update(str(v3))
h.update(str(v4))
e = long(h.hexdigest(), 16)
s1 = e * x1 + alpha
s2 = (pow(r1, e, pkn) * beta) % pkn
s3 = e * p1 + gamma
t1 = e * x2 + delta
t2 = (e * p3 + epsilon) % ecdsa.n
t3 = (pow(r2, e, n2) * mu) % n2
t4 = e * p2 + nu
return z1, z2, y, e, s1, s2, s3, t1, t2, t3, t4
def alice_round_1(m, x1, y1, ka_pub, ka_priv):
k1 = utils.randomnumber(dsa.Q - 1, inf=2)
z1 = utils.invert(k1, dsa.Q)
alpha, r1 = paillier.encrypt(z1, ka_pub)
zeta, r2 = paillier.encrypt(x1 * z1 % dsa.Q, ka_pub)
return k1, z1, alpha, zeta, r1, r2
def bob_round_1(alpha, zeta):
k2 = utils.randomnumber(dsa.Q - 1, inf=2)
r2 = utils.powmod(dsa.G, k2, dsa.P)
return k2, r2
m3 = alpha
m4 = zeta
if not zkp.pi2_verify(pi2, c, d, w1, w2, m1, m2, m3, m4, zkpb, ka_pub,
kb_pub):
print "Error PI2 proof"
return False
s = paillier.decrypt(mu, ka_priv) % dsa.Q
return r, s
if __name__ == "__main__":
print("S-DSA")
# Aclice
x1 = utils.randomnumber(dsa.Q, inf=2)
y1 = dsa.gen_pub(x1, dsa.G, dsa.P, dsa.Q)
ka_pub, ka_priv = paillier.gen_key()
zkpa = zkp.gen_params(1024)
# Bob
x2 = utils.randomnumber(dsa.Q, inf=2)
y2 = dsa.gen_pub(x2, dsa.G, dsa.P, dsa.Q)
kb_pub, kb_priv = paillier.gen_key()
y_x = dsa.gen_pub(x1 * x2 % dsa.Q, dsa.G, dsa.P, dsa.Q)
y_a = utils.powmod(y2, x1, dsa.P)
y_b = utils.powmod(y1, x2, dsa.P)
# Message hash
message = "hello"
def pi2(m, c, d, w1, w2, m1, m2, m3, m4, r1, r2, x1, x2, x3, zkpparam, ka_pub,
kb_pub):
pkn, g = ka_pub
pkn2 = pkn * pkn
pknprim, gprim = kb_pub
pknprim2 = pknprim * pknprim
ntild, h1, h2 = zkpparam
q3 = pow(dsa.Q, 3)
q5 = pow(dsa.Q, 5)
q6 = pow(dsa.Q, 6)
q8 = pow(dsa.Q, 8)
q3ntild = q3 * ntild
qntild = dsa.Q * ntild
if pkn <= q8:
return False
if pknprim <= q6:
return False
if (utils.nonrec_gcd(c, dsa.P) != 1 or utils.nonrec_gcd(d, dsa.P) != 1
or utils.nonrec_gcd(w1, dsa.P) != 1
or utils.nonrec_gcd(w2, dsa.P) != 1):
return False
if (pow(c, dsa.Q, dsa.P) != 1 or pow(d, dsa.Q, dsa.P) != 1
or pow(w1, dsa.Q, dsa.P) != 1 or pow(w2, dsa.Q, dsa.P) != 1):
return False
if m1 > pknprim2 or utils.nonrec_gcd(m1, pknprim2) != 1:
return False
if m2 > pkn2 or utils.nonrec_gcd(m2, pkn2) != 1:
return False
if x1 > dsa.Q or x2 > dsa.Q:
print x1 > dsa.Q
print x2 > dsa.Q
return False
if x3 > q5:
return False
if r1 > pknprim or utils.nonrec_gcd(r1, pknprim) != 1:
return False
if r2 > pkn or utils.nonrec_gcd(r2, pkn) != 1:
return False
alpha = utils.randomnumber(q3)
beta = rnd_inv(pknprim)
gamma = utils.randomnumber(q3ntild)
p1 = utils.randomnumber(qntild)
delta = utils.randomnumber(q3)
mu = rnd_inv(pkn)
vu = utils.randomnumber(q3ntild)
p2 = utils.randomnumber(qntild)
p3 = utils.randomnumber(dsa.Q)
p4 = utils.randomnumber(pow(dsa.Q, 5) * ntild)
epsilon = utils.randomnumber(dsa.Q)
sigma = utils.randomnumber(pow(dsa.Q, 7))
tau = utils.randomnumber(pow(dsa.Q, 7) * ntild)
z1 = pow(h1, x1, ntild) * pow(h2, p1, ntild) % ntild
u1 = pow(c, alpha, dsa.P)
u2 = (pow(gprim, alpha, pknprim2) *
pow(beta, pknprim, pknprim2)) % pknprim2
u3 = (pow(h1, alpha, ntild) * pow(h2, gamma, ntild)) % ntild
z2 = (pow(h1, x2, ntild) * pow(h2, p2, ntild)) % ntild
y = pow(d, x2 + p3, dsa.P)
v1 = pow(d, delta + epsilon, dsa.P)
v2 = (pow(w2, alpha, dsa.P) * pow(d, epsilon, dsa.P)) % dsa.P
v3 = (pow(m3, alpha, pkn2) * pow(m4, delta, pkn2) *
pow(g, dsa.Q * sigma, pkn2) * pow(mu, pkn, pkn2)) % pkn2
v4 = (pow(h1, delta, ntild) * pow(h2, vu, ntild)) % ntild
z3 = (pow(h1, x3, ntild) * pow(h2, p4, ntild)) % ntild
v5 = (pow(h1, sigma, ntild) * pow(h2, tau, ntild)) % ntild
h = hashlib.sha256()
h.update(str(c))
h.update(str(w1))
h.update(str(d))
h.update(str(w2))
h.update(str(m1))
h.update(str(m2))
h.update(str(z1))
h.update(str(u1))
h.update(str(u2))
h.update(str(u3))
h.update(str(z2))
h.update(str(z3))
h.update(str(y))
h.update(str(v1))
h.update(str(v2))
h.update(str(v3))
h.update(str(v4))
h.update(str(v5))
e = long(h.hexdigest(), 16)
s1 = e * x1 + alpha
s2 = (pow(r1, e, pknprim) * beta) % pknprim
s3 = e * p1 + gamma
s4 = e * ((x1 * m) % dsa.Q) + alpha
t1 = e * x2 + delta
t2 = (e * p3 + epsilon) % dsa.Q
t3 = (pow(r2, e, pkn) * mu) % pkn
t4 = e * p2 + vu
t5 = e * x3 + sigma
t6 = e * p4 + tau
return (z1, u1, u2, u3, z2, z3, y, v1, v2, v3, v4, v5, s1, s2, s3, s4, t1,
t2, t3, t4, t5, t6, e)
def pi2(c, d, w1, w2, m1, m2, m3, m4, r1, r2, x1, x2, x3, x4, x5, zkp, ka_pub,
kb_pub):
pkn, g = ka_pub
pkn2 = pkn * pkn
pknprim, gprim = kb_pub
pknprim2 = pknprim * pknprim
ntild, h1, h2 = zkp
n3 = pow(ecdsa.n, 3)
n5 = pow(ecdsa.n, 5)
n6 = pow(ecdsa.n, 6)
n7 = pow(ecdsa.n, 7)
n8 = pow(ecdsa.n, 8)
n3ntild = n3 * ntild
nntild = ecdsa.n * ntild
if pkn <= n8:
return False
if pknprim <= n6:
return False
alpha = utils.randomnumber(n3)
beta = rnd_inv(pknprim)
gamma = utils.randomnumber(n3ntild)
p1 = utils.randomnumber(nntild)
delta = utils.randomnumber(n3)
mu = rnd_inv(pkn)
nu = utils.randomnumber(n3ntild)
p2 = utils.randomnumber(nntild)
p3 = utils.randomnumber(ecdsa.n)
p4 = utils.randomnumber(n5 * ntild)
epsilon = utils.randomnumber(ecdsa.n)
sigma = utils.randomnumber(n7)
tau = utils.randomnumber(n7 * ntild)
z1 = (pow(h1, x1, ntild) * pow(h2, p1, ntild)) % ntild
u1 = ecdsa.point_mult(c, alpha)
u2 = (pow(gprim, alpha, pknprim2) *
pow(beta, pknprim, pknprim2)) % pknprim2
u3 = (pow(h1, alpha, ntild) * pow(h2, gamma, ntild)) % ntild
z2 = (pow(h1, x2, ntild) * pow(h2, p2, ntild)) % ntild
y = ecdsa.point_mult(d, x2 + p3)
v1 = ecdsa.point_mult(d, delta + epsilon)
v2 = ecdsa.point_add(ecdsa.point_mult(w2, alpha),
ecdsa.point_mult(d, epsilon))
v3 = (pow(m3, alpha, pkn2) * pow(m4, delta, pkn2) *
pow(g, ecdsa.n * sigma, pkn2) * pow(mu, pkn, pkn2)) % pkn2
v4 = (pow(h1, delta, ntild) * pow(h2, nu, ntild)) % ntild
z3 = (pow(h1, x3, ntild) * pow(h2, p4, ntild)) % ntild
v5 = (pow(h1, sigma, ntild) * pow(h2, tau, ntild)) % ntild
h = hashlib.sha512()
h.update(ecdsa.expand_pub(c))
h.update(ecdsa.expand_pub(w1))
h.update(ecdsa.expand_pub(d))
h.update(ecdsa.expand_pub(w2))
h.update(str(m1))
h.update(str(m2))
h.update(str(z1))
h.update(ecdsa.expand_pub(u1))
h.update(str(u2))
h.update(str(u3))
h.update(str(z2))
h.update(str(z3))
h.update(ecdsa.expand_pub(y))
h.update(ecdsa.expand_pub(v1))
h.update(ecdsa.expand_pub(v2))
h.update(str(v3))
h.update(str(v4))
h.update(str(v5))
e = long(h.hexdigest(), 16)
s1 = e * x1 + alpha
s2 = (pow(r1, e, pknprim) * beta) % pknprim
s3 = e * p1 + gamma
s4 = e * x1 * x4 + alpha
t1 = e * x2 + delta
t2 = (e * p3 + epsilon) % ecdsa.n
t3 = (pow(r2, e, pkn) * mu) % pkn
t4 = e * p2 + nu
t5 = e * x3 + sigma
t6 = e * p4 + tau
t7 = e * x2 * x5 + delta
return z1, z2, z3, y, e, s1, s2, s3, s4, t1, t2, t3, t4, t5, t6, t7
def R(n):
return utils.randomnumber(n)
while True:
r = utils.randomnumber(n)
if utils.nonrec_gcd(r, n) == 1:
return r
def rnd_inv(n):
while True:
b = utils.randomnumber(n)
if utils.nonrec_gcd(b, n) == 1:
return b
h = hashlib.sha256()
h.update(message.encode("utf-8"))
m = long(h.hexdigest(), 16)
sig = sign(m, G, n, priv)
print(sig)
print(verify(sig, m, pub, G, n))
h.update("an other one".encode("utf-8"))
m = long(h.hexdigest(), 16)
print(verify(sig, m, pub, G, n))
if __name__ == "__main__":
print("ECDSA")
# test()
# run_ecdsa()
k1 = utils.randomnumber(n-1, inf=1)
z1 = utils.invert(k1, n)
k2 = utils.randomnumber(n-1, inf=1)
z2 = utils.invert(k2, n)
r2 = point_mult(G, k2)
r = point_mult(r2, k1)
r1 = point_mult(r, z1)
print r2
print r
print r1