def get_state(p):
    """Recover the current internal state of the prng ``p`` from one output.

    The generator emits the x-coordinate of a curve point.  Because the
    scalar ``e`` (the author's hard-coded backdoor value, ``F(3)``) is known
    here, the emitted x-coordinate can be lifted back onto the curve and
    multiplied by ``e`` to obtain the state.  The two lifts of one
    x-coordinate are additive inverses, so their scalar multiples share an
    x-coordinate; only the first candidate is returned.

    Args:
        p: a prng whose ``P`` is a curve point exposing ``.curve``,
           ``.x.field`` and ``.x.p``, and whose ``get_num()`` yields the
           next output.

    Returns:
        The integer x-coordinate of the recovered state.

    Raises:
        Whatever ``tonelli_shanks`` raises when the output is not the
        x-coordinate of any point on the curve (no square root exists).
    """
    output = p.get_num()
    field = p.P.x.field
    curve = p.P.curve
    modulus = p.P.x.p
    # backdoor! the secret scalar that turns an output point into the state
    trapdoor = field(3)
    # right-hand side of y^2 = x^3 + a*x + b evaluated at x = output
    rhs = output * output * output + curve.a * output + curve.b
    lifted = []
    for root in tonelli_shanks(rhs.n, modulus):
        lifted.append(Point(curve, field(output), field(root)))
    # both lifts are negatives of each other, so e*T has the same x for each;
    # every candidate is computed for parity with the original, first returned
    recovered = [(trapdoor.n * pt).x.n for pt in lifted]
    return recovered[0]
def get_state(p):
    """Return the internal state of prng ``p`` recovered from its next output.

    ``p.get_num()`` exposes the x-coordinate of a curve point.  With the
    author's hard-coded backdoor scalar ``F(3)`` in hand, that x-coordinate
    is lifted onto the curve (two candidate points, one per square root)
    and each lift is multiplied by the scalar to get a state candidate.
    The two lifts are additive inverses of one another, so both candidates
    have the same x-coordinate and the first one is returned.

    Args:
        p: a prng object; ``p.P`` is a curve point with ``.curve``,
           ``.x.field`` and ``.x.p``; ``p.get_num()`` returns an output.

    Returns:
        Integer x-coordinate of the recovered state.

    Raises:
        Propagates any error from ``tonelli_shanks`` when the output has no
        square root modulo the field prime (not a point on the curve).
    """
    emitted = p.get_num()
    fld = p.P.x.field
    crv = p.P.curve
    p_mod = p.P.x.p
    secret_scalar = fld(3)  # backdoor!
    # evaluate the curve equation's right-hand side at the emitted x
    y_squared = emitted * emitted * emitted + crv.a * emitted + crv.b
    roots = tonelli_shanks(y_squared.n, p_mod)
    candidates = [Point(crv, fld(emitted), fld(r)) for r in roots]
    # the candidates are negatives of each other, hence identical x after
    # scalar multiplication: any one of them gives the state
    state_xs = [(secret_scalar.n * cand).x.n for cand in candidates]
    return state_xs[0]
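def __init__(self, out):
    """Build the list of candidate generators consistent with one output.

    Demonstrates why a generator whose curve points are related by a known
    scalar (the hard-coded ``e = F(3)``, marked "backdoor!" by the author)
    gives away its state: the truncated output is expanded to every
    possible x-coordinate, each x is lifted onto the curve, and each lift
    is multiplied by ``e`` to yield a state candidate.  One ``prng`` is
    seeded per candidate and stored in ``self.candidates``.

    Args:
        out: the first observed output; treated as the low 15 bits of a
             state x-coordinate, so the 16 values of the discarded high
             bits are enumerated (``331337 < 2**19``, so this covers every
             coordinate in the field).

    Side effects:
        Prints intermediate values and timestamps to stdout.  Sets
        ``self.candidates`` (list of ``prng``).
    """
    prime = 331337
    F = FiniteField(prime, 1)
    C = EllipticCurve(a=F(1), b=F(1))
    e = F(3)  # backdoor! we'd have to pre-compute this
    # every x-coordinate whose low 15 bits equal ``out``
    # NOTE(review): values >= prime are not filtered here; presumably the
    # field arithmetic reduces them, producing a harmless extra candidate.
    xs = [(i << 15) | out for i in range(16)]
    print("xs:", xs)
    # right-hand side of y^2 = x^3 + a*x + b for every candidate x
    vals = [x * x * x + C.a * x + C.b for x in xs]
    print("vals:", vals)
    print(time.time(), ":", "finding roots...")
    # at this point, *some* vals won't be quadratic
    # residues, thus invalid points. But, we must
    # associate each possible preimage with its root
    coords = []  # list of tuples (x, y)
    for x, rhs in zip(xs, vals):
        try:
            roots = tonelli_shanks(rhs.n, prime)
            # build both pairs before extending, so a failure adds nothing
            coords.extend([(x, roots[0]), (x, roots[1])])
        except Exception:  # not a quadratic residue: no curve point has this x
            pass
    print("coords:", coords)
    print(time.time(), ":", "making points...")
    points = [Point(C, F(x), F(y)) for x, y in coords]
    print(time.time(), ":", "recovering states...")
    # multiplying a lifted output point by the backdoor scalar yields the state
    states = [(e.n * T).x.n for T in points]
    print("states:", states)
    print(time.time(), ":", "generating candidates...")
    self.candidates = [prng(seed=s) for s in states]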
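def __init__(self, out):
    """Initialise the guesser with every generator state consistent with ``out``.

    Illustrates the weakness of a generator whose two curve points are
    linked by a scalar known to the observer (the hard-coded ``e = F(3)``,
    labelled "backdoor!" in the source): the truncated output is expanded
    to all possible x-coordinates, each is lifted onto the curve, and the
    lifts are multiplied by ``e`` to give state candidates, one ``prng``
    per candidate.

    Args:
        out: first observed output, taken as the low 15 bits of a state
             x-coordinate.  The four discarded high bits are enumerated
             (``range(16)``), which suffices because ``331337 < 2**19``.

    Side effects:
        Prints progress, timestamps and intermediate values to stdout and
        assigns ``self.candidates`` (list of ``prng`` instances).
    """
    prime = 331337
    F = FiniteField(prime, 1)
    C = EllipticCurve(a=F(1), b=F(1))
    e = F(3)  # backdoor! we'd have to pre-compute this
    # candidate x-coordinates: ``out`` with each possible high nibble
    # NOTE(review): no filter for x >= prime; presumably reduced by F,
    # which at worst yields one spurious candidate.
    xs = [(i << 15) | out for i in range(16)]
    print("xs:", xs)
    # y^2 = x^3 + a*x + b at each candidate x
    vals = [x * x * x + C.a * x + C.b for x in xs]
    print("vals:", vals)
    print(time.time(), ":", "finding roots...")
    # at this point, *some* vals won't be quadratic
    # residues, thus invalid points. But, we must
    # associate each possible preimage with its root
    coords = []  # list of tuples (x, y)
    for x_coord, rhs in zip(xs, vals):
        try:
            pair = tonelli_shanks(rhs.n, prime)
            # both tuples are built before the extend, so nothing is added
            # if the second root is missing
            coords.extend([(x_coord, pair[0]), (x_coord, pair[1])])
        except Exception:  # not a quadratic residue: no point with this x
            pass
    print("coords:", coords)
    print(time.time(), ":", "making points...")
    points = [Point(C, F(x_coord), F(y_coord)) for x_coord, y_coord in coords]
    print(time.time(), ":", "recovering states...")
    # the backdoor scalar maps each lifted output point to a state
    states = [(e.n * T).x.n for T in points]
    print("states:", states)
    print(time.time(), ":", "generating candidates...")
    self.candidates = [prng(seed=s) for s in states]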