def __init__(self, x=0, y=None):
self.z = 1
if x == 0:
self.x, self.y = 0, 0
elif x is None:
while True:
self.x = random.randint(0, P)
if gmpy2.jacobi((self.x**3 + A * (self.x**2) + self.x) *
gmpy2.invert(B, P), P) == 1:
self.y = int(
sqrt1((self.x**3 + A * (self.x**2) + self.x) *
gmpy2.invert(B, P), P)) % P
break
else:
self.x = x % P
if gmpy2.jacobi(
(self.x**3 + A *
(self.x**2) + self.x) * gmpy2.invert(B, P), P) != 1:
print("Bad x coordinates:", self.x)
exit(0)
if y is None:
self.y = None
else:
self.y = y
tmp1 = (B * self.y**2) % P
tmp2 = (self.x**3 + A * (self.x**2) + self.x) % P
if tmp1 != tmp2:
print("Bad y coordinates:", y)
exit(0)
def test_pkg_extract():
cocks_pkg = CocksPKG()
_, a = cocks_pkg.extract("test")
assert gmpy2.jacobi(a, cocks_pkg.n) == 1
_, a = cocks_pkg.extract("012345678938")
assert gmpy2.jacobi(a, cocks_pkg.n) == 1
_, a = cocks_pkg.extract("this is a longer user identity string")
assert gmpy2.jacobi(a, cocks_pkg.n) == 1
_, a = cocks_pkg.extract("111111111111111111111111111111111111111111111111")
assert gmpy2.jacobi(a, cocks_pkg.n) == 1
pytest.raises(InvalidIdentityString, cocks_pkg.extract, "")
def generate_montgomery_curve():
while True:
b = 1 # random.randint(2, P)
if gmpy2.jacobi(b, P) != 1:
continue
x = random.randint(2, P)
a = random.randint(2, P)
if b * (a ** 2 - 4) == 0 \
or a == 2 \
or a == P - 2 \
or gmpy2.jacobi((x ** 3 + a * (x ** 2) + x) * gmpy2.invert(b, P), P) != 1:
continue
y = sqrt1((x**3 + a * (x**2) + x) * gmpy2.invert(b, P), P)
return a, b, x, int(y)
def biprimality_check(self):
ggt = self.gen_coprime(self.N)
while gmpy2.jacobi(ggt, self.N) != 1:
ggt = self.gen_coprime(self.N)
self.gg = ggt
self.send_data(self.gg, 2)
self.send_data(11112222, 2)
self.send_data(self.gg, 3)
self.send_data(11113333, 3)
self.Q = gmpy2.powmod(self.gg,
gmpy2.f_div((self.N + 1 - self.pi - self.qi), 4),
self.N)
self.send_data(self.Q, 2)
self.send_data(11112222, 2)
self.send_data(self.Q, 3)
self.send_data(11113333, 3)
while True:
if self.flag_send_1_to_3.value == 0:
break
Q_list = self.receive_Q_list()
# print("Q_list = ", Q_list)
# print("Q_list = ", Q_list)
Q1 = Q_list[0]
Q2 = Q_list[1]
Q3 = Q_list[2]
Q2_inv = gmpy2.invert(Q2, self.N)
Q3_inv = gmpy2.invert(Q3, self.N)
check_data = gmpy2.f_mod((Q1 * Q2_inv * Q3_inv), self.N)
if check_data == gmpy2.f_mod(
mpz(1), self.N) or check_data == gmpy2.f_mod(mpz(-1), self.N):
return True
return False
def generate_montgomery_curve_from_weierstrass(wa, wb, wx, wy, p):
from sympy.polys.domains import ZZ
import sympy
from sympy.polys.galoistools import gf_factor
f = [1, 0, wa, wb]
sympy.Poly.from_list(f, sympy.Symbol('x'))
factor = gf_factor(f, p, ZZ)
x = None
for r in factor: # f*****g sympy
if isinstance(r, list):
for root in r:
if len(root) == 2 \
and len(root[0]) == 2 \
and gmpy2.jacobi(3 * ((p - root[0][-1]) ** 2) + wa, p) == 1:
x = p - root[0][-1]
break
assert x is not None
s = sqrt1(gmpy2.invert(3 * x**2 + wa, p), p)
mb = s
ma = (3 * x * s) % p
mx = (s * (wx - x)) % p
my = (s * wy) % p
return (ma, p - ma), (mb, p - mb), (mx, p - mx), (my, p - my)
def test_gen_keys(iters = 1):
print "test_gen_keys:"
for i in range(iters):
keys = generate_keys()
n = keys['pub']
p, q = keys['priv']
assert(jacobi(n-1, n) == 1)
print "test_gen_keys pass"
def decrypt_gm(cipher_numbers, priv_key):
p, q = priv_key
n = p * q
sk_gm = (p-1)*(q-1) / 4
for c in cipher_numbers:
if c >= n or jacobi(c, n) != 1:
# rejct
return None
bits_str = ''.join([decrypt_bit_gm(c, sk_gm, n) for c in cipher_numbers])
return int(bits_str, 2)
def _encrypt_bit(self, m_bit, a):
"""
Encrypts an individual message bit.
Inputs:
m_bit : Message bit in {-1,1}
a : Hashed identity value
Output:
(c1, c2) : Ciphertext tuple
"""
t1 = t2 = gmpy2.mpz_random(random_state, self.n)
while gmpy2.jacobi(t1, self.n) != m_bit:
t1 = gmpy2.mpz_random(random_state, self.n)
while gmpy2.jacobi(t2, self.n) != m_bit or t1 == t2:
t2 = gmpy2.mpz_random(random_state, self.n)
c1 = (t1 + a * gmpy2.invert(t1, self.n)) % self.n
c2 = (t2 - a * gmpy2.invert(t2, self.n)) % self.n
return (c1, c2)
def receive_gg(self):
q31_list = []
while True:
while not self.q31.empty():
q31_list.append(mpz(self.q31.get()))
if q31_list:
if q31_list[-1] == 11113333:
break
if q31_list:
if q31_list[-1] == 11113333:
break
ggt = q31_list[0]
if gmpy2.jacobi(ggt, self.N) == 1:
self.gg = ggt
else:
raise Exception("gg generation Error!")
def _decrypt_bit(self, c1, c2, r, a):
"""
Decrypts an individual message bit from a ciphertext tuple,
given the user's private key and their hashed ID value.
Inputs:
(c1, c2) : Ciphertext tuple
r : User's secret key
a : Hashed identity value
Output:
(x|n) : Decrypted message bit in {-1,1}
"""
r2 = (r * r) % self.n
x = c1 + 2 * r if r2 == a else c2 + 2 * r
return gmpy2.jacobi(x, self.n)
def kronecker(x, y):
"""Return the Kronecker symbol (x|y)."""
k = 1
if y == 0:
if abs(x) != 1:
k = 0
y = 1
if y < 0:
if x < 0:
k = -k
y = -y
if y & 1 == 0:
t = (y & -y).bit_length() - 1
if x & 1 == 0:
k = 0
elif t & 1 and (x & 7 == 3 or x & 7 == 5):
k = -k
y = y >> t
return k * jacobi(x, y)
def IsMember(x, secparams):
"""
Algorithm 7.2: Checks if x is an element of G_q.
The core of the algorithm is the computation of the Jacobi symbol for which we refer to existing algorithms
Args:
x (mpz): The number to test x \in N
secparams (SecurityParams): Collection of public security parameters
Returns:
bool: True if x is a member of G_q, False if not
"""
AssertNumeric(x)
AssertClass(secparams, SecurityParams)
if 1 <= x and x < secparams.p:
return jacobi(x, secparams.p) == 1
return False
def IsMemberOfGroupe(x, param):
"""
Algorithm 7.2 extended: Checks if x is in the same groupe as param .
The core of the algorithm is the computation of the Jacobi symbol for which we refer to existing algorithms
Args:
x (mpz): The number to test x \in N
param (Element of SecurityParams): Element of Collection of public security parameters
Returns:
bool: True if x is in the same groupe as param, False if not
"""
AssertNumeric(x)
AssertNumeric(param)
if 1 <= x and x < param:
return jacobi(x, param) == 1
return False
def is_prime(n, k=4):
if not n & 1:
return False
var = []
for _ in range(k):
a = random.randint(1, n-1)
while a in var:
a = random.randint(1, n-1)
var.append(a)
if math.gcd(a, n) != 1:
return False
r = powmod(a, (n - 1) // 2, n)
if r != 1 and r != n-1:
return False
s=jacobi(a, n)
if s < 0:
s += n
if r != s:
return False
return True
def extract(self, id_str):
"""
Extracts a user's private key from their identity string.
If necessary, the ID string, a, is hashed iteratively until (a|n)==1.
Input:
id_str : Identity string
Output:
r : User's secret key
a : Hashed identity value such that (a | n) == 1
"""
if id_str == "" or id_str == None:
raise InvalidIdentityString("Invalid user identity string")
id_mpz = str_to_mpz(id_str)
a = hash_mpz(id_mpz, self.f)
a_tmp = 0
while gmpy2.jacobi(a_tmp, self.n) != 1:
a_tmp = hash_mpz(a_tmp, self.f)
a = a_tmp
logging.debug(f"Jacobi (a/n) = {gmpy2.jacobi(a, self.n)}")
logging.debug(f"Jacobi (-a/n) = {gmpy2.jacobi(-a, self.n)}")
r = pow(a, (self.n + 5 - (self.p + self.q)) // 8, self.n)
r2 = (r * r) % self.n
logging.debug(f"a = {a % self.n}")
logging.debug(f"-a = {-a %self.n}")
logging.debug(f"r = {r}")
logging.debug(f"r**2 = {r2}")
if r2 != (a % self.n) and r2 != (-a % self.n):
raise ExtractFailure(
"Error deriving r: r^2 != a (mod n) and r^2 != -a (mod n)!")
return (r, a)
def receive_gg(self):
ggt = 0
if gmpy2.jacobi(ggt, self.N) == 1:
self.gg = ggt
else:
raise Exception("gg generation Error!")
N = 9931755185060178541819350703860525202998395176620817326533726321103289514714482398301463938123540046323657927466230539048399765245482297315320621294942552040969779600220746703802727865488282400532525716200713822333260195215975219729008945628323420484667363474732308988705045216466104088114390575938974751250735732965167191025807650844438927688743083443181909932562840801876087928020419912615909929547090716236393628363582762357491323519758592285176474021090624649128022651674058738105123425788673915904447407748389441605828693561972112169848435886546096942841894411370737399277884692796708444598630421441967316945299
e = 0x10001
f = open('enc.txt')
cipher = f.readlines()
jacob = [0 for i in range(128)]
given = 'KOREA{WOW!!_You_'
given = bin(bytes_to_long(given))[2:].rjust(128, '0')
cipher.append('0')
for i in range(128):
t = given[(i - 128) % 128]
if (i % 8 == 0):
jacob[127 - i] = 0
elif (t == '0'):
jacob[127 - i] = gmpy2.jacobi(int(cipher[((i + 1) * -1)]), N) * 1
else:
jacob[127 - i] = gmpy2.jacobi(int(cipher[(i + 1) * -1]), N) * -1
mes = ''
check = 8
for i in range(0, len(cipher)):
if (i % 8 == 7):
mes = '0' + mes
check += 1
continue
jacobi = gmpy2.jacobi(int(cipher[i]), N) * jacob[check % 128]
check += 1
if (jacobi == 1):
mes = '0' + mes
def legendre(x):
return gmpy2.jacobi(x, MODULUS)
from pwn import *
from gmpy2 import jacobi
while (1):
r = remote('crypto.ctf.zer0pts.com', 10463)
r.recvuntil('g: ')
g = int(r.recvuntil(',')[:-1])
r.recvuntil('p: ')
p = int(r.recvline()[:-1])
li = [jacobi(1, p), jacobi(2, p), jacobi(3, p)]
val = 0
win = 0
if li != [1, -1, -1] or jacobi(g, p) != 1:
print("ERROR")
continue
else:
while (1):
r.recvuntil(' my commitment is=(')
a = int(r.recvuntil(',')[:-1])
b = int(r.recvuntil(')')[:-1])
a1 = jacobi(a, p)
b1 = jacobi(b, p)
if a1 == b1:
r.sendline('3')
else:
r.sendline('2')
r.recvline()
r.recvline()
r.recvline()
def jacobi_bit_mpz(a, n):
global legendre_evals
legendre_evals += 1
return (gmpy2.jacobi(a, n) + 1) // 2
def get_factor_base(n, B=4): # note that gmpy2.is_prime is *probabilistic* primes = [p for p in range(3,50) if gmpy2.is_prime(p)] fac_base = [2] + [p for p in primes if gmpy2.jacobi(p,n) == 1] return fac_base[:B]
def jacobi_bit_mpz(a, n):
return 1 if jacobi(a, n) >= 0 else 0
def legendre(x, y):
"""Return the Legendre symbol (x|y), assuming y is an odd prime."""
return jacobi(x, y) # ignore if y is not prime, like gmpy2 does
from Crypto.Util.number import long_to_bytes
import gmpy2
plaintext = ''
with open('output.txt') as f:
n = int(f.readline())
for line in f:
cipher = int(line)
if gmpy2.jacobi(cipher, n) == -1:
plaintext += '1'
else:
plaintext += '0'
print(long_to_bytes(int(plaintext, 2)))
def quad_residue(c, priv_key):
p, q = priv_key
n = p * q
sk_gm = (p-1)*(q-1) / 4
return jacobi(c, n) == 1 and powmod(c, sk_gm, n) == 1
def get_rand_Jn1(n, rand_gen=random):
r = rand_gen.randint(0, int(n-1))
while jacobi(r, n) != 1:
r = rand_gen.randint(0, int(n-1))
return r
def jacobi_bit_mpz(a, n):
return (gmpy2.jacobi(a, n) + 1) // 2
def legendre_bit_mpz(a, n):
return True if gmpy2.jacobi(a, n) >= 0 else False
