def sign(m, p, q, g, x): k = utils.randomnumber(q - 1, inf=2) while True: r = utils.powmod(g, k, p) % q if r == 0: k = utils.randomnumber(q, inf=2) continue break inv = utils.invert(k, q) h = m + x * r s = inv * h % q return r, s
def run_secdsa(): # Aclice x1 = utils.randomnumber(ecdsa.n, inf=2) y1 = ecdsa.get_pub(x1) ka_pub, ka_priv = paillier.gen_key() # Bob x2 = utils.randomnumber(ecdsa.n, inf=2) y2 = ecdsa.get_pub(x2) kb_pub, kb_priv = paillier.gen_key() zkp = eczkp.gen_params(1024) pub = ecdsa.get_pub(x1 * x2 % ecdsa.n) # pub_a = ecdsa.point_mult(y2, x1) # pub_b = ecdsa.point_mult(y1, x2) # pem.generate_tecdsa_pem(x1, ecdsa.expand_pub(pub), y2, ka_priv, kb_pub, zkp) # pem.generate_tecdsa_pem(x2, ecdsa.expand_pub(pub), y1, kb_priv, ka_pub, zkp) # Message hash message = "hello" h = hashlib.sha256() h.update(message.encode("utf-8")) m = long(h.hexdigest(), 16) print "Message to sign: ", message print "Hash: ", m # ALICE ROUND 1 k1, z1, alpha, zeta, rr1, rr2 = alice_round_1(m, x1, y1, ka_pub, ka_priv) # BOB ROUND 1 k2, r2 = bob_round_1(alpha, zeta) # ALICE ROUND 2 r, pi = alice_round_2(alpha, zeta, r2, k1, y1, z1, x1, zkp, ka_pub, rr1, rr2) # eczkp_pem.pi_to_pem(pi) # BOB ROUND 2 mu, mup, pi2 = bob_round_2(pi, m, alpha, zeta, r, k2, x2, r2, y1, y2, ka_pub, kb_pub, zkp) # eczkp_pem.pi_to_pem2(pi2) # ALICE ROUND 3 (final) sig = alice_round_3(pi2, r, r2, y2, mup, mu, alpha, zeta, zkp, ka_priv, kb_pub) print "Signature:" print sig r, s = sig print "Sig status: ", ecdsa.verify(sig, m, pub, ecdsa.G, ecdsa.n)
def pi(c, d, w1, w2, m1, m2, r1, r2, x1, x2, n, h1, h2, ka_pub): pkn, g = ka_pub q3 = pow(dsa.Q, 3) q3n = q3 * n alpha = utils.randomnumber(q3) beta = rnd_inv(pkn) gamma = utils.randomnumber(q3n) p1 = utils.randomnumber(dsa.Q * n) delta = utils.randomnumber(q3) mu = rnd_inv(pkn) vu = utils.randomnumber(q3n) p2 = utils.randomnumber(dsa.Q * n) p3 = utils.randomnumber(dsa.Q) epsilon = utils.randomnumber(dsa.Q) n2 = pkn * pkn z1 = (pow(h1, x1, n) * pow(h2, p1, n)) % n u1 = pow(c, alpha, dsa.P) u2 = (pow(g, alpha, n2) * pow(beta, pkn, n2)) % n2 u3 = (pow(h1, alpha, n) * pow(h2, gamma, n)) % n z2 = (pow(h1, x2, n) * pow(h2, p2, n)) % n y = pow(d, x2 + p3, dsa.P) v1 = pow(d, delta + epsilon, dsa.P) v2 = (pow(w2, alpha, dsa.P) * pow(d, epsilon, dsa.P)) % dsa.P v3 = (pow(g, delta, n2) * pow(mu, pkn, n2)) % n2 v4 = (pow(h1, delta, n) * pow(h2, vu, n)) % n h = hashlib.sha256() h.update(str(c)) h.update(str(w1)) h.update(str(d)) h.update(str(w2)) h.update(str(m1)) h.update(str(m2)) h.update(str(z1)) h.update(str(u1)) h.update(str(u2)) h.update(str(u3)) h.update(str(z2)) h.update(str(y)) h.update(str(v1)) h.update(str(v2)) h.update(str(v3)) h.update(str(v4)) e = long(h.hexdigest(), 16) s1 = e * x1 + alpha s2 = (pow(r1, e, pkn) * beta) % pkn s3 = e * p1 + gamma t1 = e * x2 + delta t2 = (e * p3 + epsilon) % dsa.Q t3 = (pow(r2, e, n2) * mu) % n2 t4 = e * p2 + vu return z1, u1, u2, u3, z2, y, v1, v2, v3, v4, s1, s2, s3, t1, t2, t3, t4, e
def sign(e, g, n, d): while True: k = utils.randomnumber(n-1) x, y = point_mult(g, k) if x % n != 0: break r = x s = utils.invert(k, n) * (e + r * d) % n return r, s
def gen_params(bits): while True: ptildprim = utils.randomnumber(pow(2, bits >> 1)) qtildprim = utils.randomnumber(pow(2, bits >> 1)) ptild = (2 * ptildprim + 1) qtild = (qtildprim + 1) if utils.is_prime(ptild) and utils.is_prime(qtild): break ntild = ptild * qtild pq = ptildprim * qtildprim while True: h2 = utils.randomnumber(ntild) if utils.nonrec_gcd(h2, ntild) == 1 and utils.powmod(h2, pq, ntild) == 1: break x = utils.randomnumber(pq) h1 = utils.powmod(h2, x, ntild) return ntild, h1, h2
def bob_round_2(pi, m, alpha, zeta, r, k2, x2, r2, y1, y2, ka_pub, kb_pub, zkp): n, g = ka_pub n2 = n * n rq = r[0] % ecdsa.n if rq == 0: print("signature failed, retry") exit(1) z2 = utils.invert(k2, ecdsa.n) x2z2 = (x2 * z2) % ecdsa.n x3 = utils.randomnumber(pow(ecdsa.n, 5)-1, inf=1) if not eczkp.pi_verify(pi, r, ecdsa.G, r2, y1, alpha, zeta, zkp, ka_pub): print "Error: zkp failed" exit(1) mu1 = paillier.mult(alpha, m * z2, n2) mu2 = paillier.mult(zeta, rq * x2z2, n2) mu3, rnumb = paillier.encrypt(x3 * ecdsa.n, ka_pub) mu = paillier.add(paillier.add(mu1, mu2, n2), mu3, n2) muprim, rmuprim = paillier.encrypt(z2, kb_pub) c = r2 d = ecdsa.G w1 = ecdsa.G w2 = y2 m1 = muprim # ENCRYPTED Z2 m2 = mu # ENCRYPTED RESULT m3 = alpha # ENCRYPTED Z1 m4 = zeta # ENCRYPTED X1Z1 r1 = rmuprim r2 = rnumb x1 = z2 x2 = x2z2 x4 = m x5 = rq pi2 = eczkp.pi2(c, d, w1, w2, m1, m2, m3, m4, r1, r2, x1, x2, x3, x4, x5, zkp, ka_pub, kb_pub) if not pi2: print "Error: zkp failed" exit(1) return mu, muprim, pi2
def bob_round_2(pi, m, alpha, zeta, r, k2, x2, r2, y1, y2, ka_pub, kb_pub, zkpa, zkpb): n, g = ka_pub n2 = n * n rq = r % dsa.Q N, h1, h2 = zkpa if rq == 0: print("signature failed, retry") z2 = utils.invert(k2, dsa.Q) x2z2 = (x2 * z2) % dsa.Q c = x3 = utils.randomnumber(pow(dsa.Q, 5) - 1, inf=1) if not zkp.pi_verify(pi, r, dsa.G, r2, y1, alpha, zeta, N, h1, h2, ka_pub): return False mu1 = paillier.mult(alpha, (m * z2) % dsa.Q, n2) mu2 = paillier.mult(zeta, (rq * x2z2) % dsa.Q, n2) mu3, rnumb = paillier.encrypt(c * dsa.Q, ka_pub) mu = paillier.add(paillier.add(mu1, mu2, n2), mu3, n2) muprim, rmuprim = paillier.encrypt((m * z2) % dsa.Q, kb_pub) c = r2 d = dsa.G w2 = y2 m1 = muprim m2 = mu m3 = alpha m4 = zeta r1 = rmuprim r2 = rnumb x1 = z2 x2 = (rq * x2z2) % dsa.Q w1 = dsa.G pi2 = zkp.pi2(m, c, d, w1, w2, m1, m2, m3, m4, r1, r2, x1, x2, x3, zkpb, ka_pub, kb_pub) return mu, muprim, pi2
def gen_key(p, q, g): # 0 < x < q x = utils.randomnumber(q, inf=0) if 0 < x and x < q: y = utils.powmod(g, x, p) return x, y
def gen_priv(): return utils.randomnumber(n-1)
def key_gen(g=G): d = utils.randomnumber(n-1) Q = get_pub(d, g) return Q, d
def bob_round_1(alpha, zeta): k2 = utils.randomnumber(ecdsa.n-1, inf=1) r2 = ecdsa.point_mult(ecdsa.G, k2) return k2, r2
def pi(c, d, w1, w2, m1, m2, r1, r2, x1, x2, zkp, ka_pub): Ntild, h1, h2 = zkp pkn, g = ka_pub n3 = pow(ecdsa.n, 3) n3ntild = n3 * Ntild alpha = utils.randomnumber(n3) beta = rnd_inv(pkn) gamma = utils.randomnumber(n3ntild) p1 = utils.randomnumber(ecdsa.n * Ntild) delta = utils.randomnumber(n3) mu = rnd_inv(pkn) nu = utils.randomnumber(n3ntild) p2 = utils.randomnumber(ecdsa.n * Ntild) p3 = utils.randomnumber(ecdsa.n) epsilon = utils.randomnumber(ecdsa.n) n2 = pkn * pkn z1 = (pow(h1, x1, Ntild) * pow(h2, p1, Ntild)) % Ntild u1 = ecdsa.point_mult(c, alpha) # POINT u2 = (pow(g, alpha, n2) * pow(beta, pkn, n2)) % n2 u3 = (pow(h1, alpha, Ntild) * pow(h2, gamma, Ntild)) % Ntild z2 = (pow(h1, x2, Ntild) * pow(h2, p2, Ntild)) % Ntild y = ecdsa.point_mult(d, x2 + p3) # POINT v1 = ecdsa.point_mult(d, delta + epsilon) # POINT v2 = ecdsa.point_add(ecdsa.point_mult(w2, alpha), ecdsa.point_mult(d, epsilon)) # POINT v3 = (pow(g, delta, n2) * pow(mu, pkn, n2)) % n2 v4 = (pow(h1, delta, Ntild) * pow(h2, nu, Ntild)) % Ntild h = hashlib.sha256() h.update(ecdsa.expand_pub(c)) h.update(ecdsa.expand_pub(w1)) h.update(ecdsa.expand_pub(d)) h.update(ecdsa.expand_pub(w2)) h.update(str(m1)) h.update(str(m2)) h.update(str(z1)) h.update(ecdsa.expand_pub(u1)) h.update(str(u2)) h.update(str(u3)) h.update(str(z2)) h.update(ecdsa.expand_pub(y)) h.update(ecdsa.expand_pub(v1)) h.update(ecdsa.expand_pub(v2)) h.update(str(v3)) h.update(str(v4)) e = long(h.hexdigest(), 16) s1 = e * x1 + alpha s2 = (pow(r1, e, pkn) * beta) % pkn s3 = e * p1 + gamma t1 = e * x2 + delta t2 = (e * p3 + epsilon) % ecdsa.n t3 = (pow(r2, e, n2) * mu) % n2 t4 = e * p2 + nu return z1, z2, y, e, s1, s2, s3, t1, t2, t3, t4
def alice_round_1(m, x1, y1, ka_pub, ka_priv): k1 = utils.randomnumber(dsa.Q - 1, inf=2) z1 = utils.invert(k1, dsa.Q) alpha, r1 = paillier.encrypt(z1, ka_pub) zeta, r2 = paillier.encrypt(x1 * z1 % dsa.Q, ka_pub) return k1, z1, alpha, zeta, r1, r2
def bob_round_1(alpha, zeta): k2 = utils.randomnumber(dsa.Q - 1, inf=2) r2 = utils.powmod(dsa.G, k2, dsa.P) return k2, r2
m3 = alpha m4 = zeta if not zkp.pi2_verify(pi2, c, d, w1, w2, m1, m2, m3, m4, zkpb, ka_pub, kb_pub): print "Error PI2 proof" return False s = paillier.decrypt(mu, ka_priv) % dsa.Q return r, s if __name__ == "__main__": print("S-DSA") # Aclice x1 = utils.randomnumber(dsa.Q, inf=2) y1 = dsa.gen_pub(x1, dsa.G, dsa.P, dsa.Q) ka_pub, ka_priv = paillier.gen_key() zkpa = zkp.gen_params(1024) # Bob x2 = utils.randomnumber(dsa.Q, inf=2) y2 = dsa.gen_pub(x2, dsa.G, dsa.P, dsa.Q) kb_pub, kb_priv = paillier.gen_key() y_x = dsa.gen_pub(x1 * x2 % dsa.Q, dsa.G, dsa.P, dsa.Q) y_a = utils.powmod(y2, x1, dsa.P) y_b = utils.powmod(y1, x2, dsa.P) # Message hash message = "hello"
def pi2(m, c, d, w1, w2, m1, m2, m3, m4, r1, r2, x1, x2, x3, zkpparam, ka_pub, kb_pub): pkn, g = ka_pub pkn2 = pkn * pkn pknprim, gprim = kb_pub pknprim2 = pknprim * pknprim ntild, h1, h2 = zkpparam q3 = pow(dsa.Q, 3) q5 = pow(dsa.Q, 5) q6 = pow(dsa.Q, 6) q8 = pow(dsa.Q, 8) q3ntild = q3 * ntild qntild = dsa.Q * ntild if pkn <= q8: return False if pknprim <= q6: return False if (utils.nonrec_gcd(c, dsa.P) != 1 or utils.nonrec_gcd(d, dsa.P) != 1 or utils.nonrec_gcd(w1, dsa.P) != 1 or utils.nonrec_gcd(w2, dsa.P) != 1): return False if (pow(c, dsa.Q, dsa.P) != 1 or pow(d, dsa.Q, dsa.P) != 1 or pow(w1, dsa.Q, dsa.P) != 1 or pow(w2, dsa.Q, dsa.P) != 1): return False if m1 > pknprim2 or utils.nonrec_gcd(m1, pknprim2) != 1: return False if m2 > pkn2 or utils.nonrec_gcd(m2, pkn2) != 1: return False if x1 > dsa.Q or x2 > dsa.Q: print x1 > dsa.Q print x2 > dsa.Q return False if x3 > q5: return False if r1 > pknprim or utils.nonrec_gcd(r1, pknprim) != 1: return False if r2 > pkn or utils.nonrec_gcd(r2, pkn) != 1: return False alpha = utils.randomnumber(q3) beta = rnd_inv(pknprim) gamma = utils.randomnumber(q3ntild) p1 = utils.randomnumber(qntild) delta = utils.randomnumber(q3) mu = rnd_inv(pkn) vu = utils.randomnumber(q3ntild) p2 = utils.randomnumber(qntild) p3 = utils.randomnumber(dsa.Q) p4 = utils.randomnumber(pow(dsa.Q, 5) * ntild) epsilon = utils.randomnumber(dsa.Q) sigma = utils.randomnumber(pow(dsa.Q, 7)) tau = utils.randomnumber(pow(dsa.Q, 7) * ntild) z1 = pow(h1, x1, ntild) * pow(h2, p1, ntild) % ntild u1 = pow(c, alpha, dsa.P) u2 = (pow(gprim, alpha, pknprim2) * pow(beta, pknprim, pknprim2)) % pknprim2 u3 = (pow(h1, alpha, ntild) * pow(h2, gamma, ntild)) % ntild z2 = (pow(h1, x2, ntild) * pow(h2, p2, ntild)) % ntild y = pow(d, x2 + p3, dsa.P) v1 = pow(d, delta + epsilon, dsa.P) v2 = (pow(w2, alpha, dsa.P) * pow(d, epsilon, dsa.P)) % dsa.P v3 = (pow(m3, alpha, pkn2) * pow(m4, delta, pkn2) * pow(g, dsa.Q * sigma, pkn2) * pow(mu, pkn, pkn2)) % pkn2 v4 = (pow(h1, delta, ntild) * pow(h2, vu, ntild)) % ntild z3 = (pow(h1, x3, ntild) * pow(h2, p4, ntild)) % ntild v5 = (pow(h1, sigma, ntild) * pow(h2, tau, ntild)) % ntild h = hashlib.sha256() h.update(str(c)) h.update(str(w1)) h.update(str(d)) h.update(str(w2)) h.update(str(m1)) h.update(str(m2)) h.update(str(z1)) h.update(str(u1)) h.update(str(u2)) h.update(str(u3)) h.update(str(z2)) h.update(str(z3)) h.update(str(y)) h.update(str(v1)) h.update(str(v2)) h.update(str(v3)) h.update(str(v4)) h.update(str(v5)) e = long(h.hexdigest(), 16) s1 = e * x1 + alpha s2 = (pow(r1, e, pknprim) * beta) % pknprim s3 = e * p1 + gamma s4 = e * ((x1 * m) % dsa.Q) + alpha t1 = e * x2 + delta t2 = (e * p3 + epsilon) % dsa.Q t3 = (pow(r2, e, pkn) * mu) % pkn t4 = e * p2 + vu t5 = e * x3 + sigma t6 = e * p4 + tau return (z1, u1, u2, u3, z2, z3, y, v1, v2, v3, v4, v5, s1, s2, s3, s4, t1, t2, t3, t4, t5, t6, e)
def pi2(c, d, w1, w2, m1, m2, m3, m4, r1, r2, x1, x2, x3, x4, x5, zkp, ka_pub, kb_pub): pkn, g = ka_pub pkn2 = pkn * pkn pknprim, gprim = kb_pub pknprim2 = pknprim * pknprim ntild, h1, h2 = zkp n3 = pow(ecdsa.n, 3) n5 = pow(ecdsa.n, 5) n6 = pow(ecdsa.n, 6) n7 = pow(ecdsa.n, 7) n8 = pow(ecdsa.n, 8) n3ntild = n3 * ntild nntild = ecdsa.n * ntild if pkn <= n8: return False if pknprim <= n6: return False alpha = utils.randomnumber(n3) beta = rnd_inv(pknprim) gamma = utils.randomnumber(n3ntild) p1 = utils.randomnumber(nntild) delta = utils.randomnumber(n3) mu = rnd_inv(pkn) nu = utils.randomnumber(n3ntild) p2 = utils.randomnumber(nntild) p3 = utils.randomnumber(ecdsa.n) p4 = utils.randomnumber(n5 * ntild) epsilon = utils.randomnumber(ecdsa.n) sigma = utils.randomnumber(n7) tau = utils.randomnumber(n7 * ntild) z1 = (pow(h1, x1, ntild) * pow(h2, p1, ntild)) % ntild u1 = ecdsa.point_mult(c, alpha) u2 = (pow(gprim, alpha, pknprim2) * pow(beta, pknprim, pknprim2)) % pknprim2 u3 = (pow(h1, alpha, ntild) * pow(h2, gamma, ntild)) % ntild z2 = (pow(h1, x2, ntild) * pow(h2, p2, ntild)) % ntild y = ecdsa.point_mult(d, x2 + p3) v1 = ecdsa.point_mult(d, delta + epsilon) v2 = ecdsa.point_add(ecdsa.point_mult(w2, alpha), ecdsa.point_mult(d, epsilon)) v3 = (pow(m3, alpha, pkn2) * pow(m4, delta, pkn2) * pow(g, ecdsa.n * sigma, pkn2) * pow(mu, pkn, pkn2)) % pkn2 v4 = (pow(h1, delta, ntild) * pow(h2, nu, ntild)) % ntild z3 = (pow(h1, x3, ntild) * pow(h2, p4, ntild)) % ntild v5 = (pow(h1, sigma, ntild) * pow(h2, tau, ntild)) % ntild h = hashlib.sha512() h.update(ecdsa.expand_pub(c)) h.update(ecdsa.expand_pub(w1)) h.update(ecdsa.expand_pub(d)) h.update(ecdsa.expand_pub(w2)) h.update(str(m1)) h.update(str(m2)) h.update(str(z1)) h.update(ecdsa.expand_pub(u1)) h.update(str(u2)) h.update(str(u3)) h.update(str(z2)) h.update(str(z3)) h.update(ecdsa.expand_pub(y)) h.update(ecdsa.expand_pub(v1)) h.update(ecdsa.expand_pub(v2)) h.update(str(v3)) h.update(str(v4)) h.update(str(v5)) e = long(h.hexdigest(), 16) s1 = e * x1 + alpha s2 = (pow(r1, e, pknprim) * beta) % pknprim s3 = e * p1 + gamma s4 = e * x1 * x4 + alpha t1 = e * x2 + delta t2 = (e * p3 + epsilon) % ecdsa.n t3 = (pow(r2, e, pkn) * mu) % pkn t4 = e * p2 + nu t5 = e * x3 + sigma t6 = e * p4 + tau t7 = e * x2 * x5 + delta return z1, z2, z3, y, e, s1, s2, s3, s4, t1, t2, t3, t4, t5, t6, t7
def R(n): return utils.randomnumber(n) while True: r = utils.randomnumber(n) if utils.nonrec_gcd(r, n) == 1: return r
def rnd_inv(n): while True: b = utils.randomnumber(n) if utils.nonrec_gcd(b, n) == 1: return b
h = hashlib.sha256() h.update(message.encode("utf-8")) m = long(h.hexdigest(), 16) sig = sign(m, G, n, priv) print(sig) print(verify(sig, m, pub, G, n)) h.update("an other one".encode("utf-8")) m = long(h.hexdigest(), 16) print(verify(sig, m, pub, G, n)) if __name__ == "__main__": print("ECDSA") # test() # run_ecdsa() k1 = utils.randomnumber(n-1, inf=1) z1 = utils.invert(k1, n) k2 = utils.randomnumber(n-1, inf=1) z2 = utils.invert(k2, n) r2 = point_mult(G, k2) r = point_mult(r2, k1) r1 = point_mult(r, z1) print r2 print r print r1