def RSA_OAEP_Enc(m, e, N, R): k = N.bit_length()-2 m0k1 = m << k1 shake = SHAKE128.new(R.to_bytes(k0//8, byteorder='big')) GR = shake.read((k-k0)//8) m0k1GR = m0k1 ^ int.from_bytes(GR, byteorder='big') shake = SHAKE128.new(m0k1GR.to_bytes((m0k1GR.bit_length()+7)//8, byteorder='big')) Hm0k1GR = shake.read(k0//8) RHm0k1GR = R ^ int.from_bytes(Hm0k1GR, byteorder='big') m_ = (m0k1GR << k0) + RHm0k1GR c = pow(m_, e, N) return c
def RSA_OAEP_Dec(c, d, N): k = N.bit_length()-2 m_ = pow(c, d, N) m0k1GR = m_ >> k0 RHm0k1GR = m_ % 2**k0 shake = SHAKE128.new(m0k1GR.to_bytes((m0k1GR.bit_length()+7)//8, byteorder='big')) Hm0k1GR = shake.read(k0//8) R = int.from_bytes(Hm0k1GR, byteorder='big') ^ RHm0k1GR shake = SHAKE128.new(R.to_bytes(k0//8, byteorder='big')) GR = shake.read((k-k0)//8) m0k1 = m0k1GR ^ int.from_bytes(GR, byteorder='big') m = m0k1 >> k1 return m
def challenge_amo(PP, seed, p): shake = SHAKE128.new() shake.update(seed) # absolutely not effective val_bytes = 2 rnd = shake.read(int(val_bytes * 2 * p * PP.amo_n)) rnd_offset = 0 c = [] for i in range(p): row = [0] * PP.amo_n for j in range(PP.amo_n): while True: if rnd_offset < len(rnd): r = int.from_bytes(rnd[rnd_offset:rnd_offset + val_bytes], byteorder='big') rnd_offset += val_bytes else: r = int.from_bytes(shake.read(int(val_bytes)), byteorder='big') r & 511 if r <= 257: if r == 0: row[j] = 0 else: row[j] = (-1)**(r & 1) * PP.X**((r - 1) // 2) break c.append(row) return c
def _uniform_poly_single(PP, seed, nonce): d = PP.d shake = SHAKE128.new() shake.update(int(nonce).to_bytes(8, byteorder='big')) shake.update(seed) # absolutely not effective deltabytes = (PP.logdelta1 + 1 + 7) // 8 assert (PP.logdelta1 + 1 <= deltabytes * 8) rnd = shake.read(int(deltabytes * d)) samples_len = d arr = [0] * (samples_len) i = 0 rnd_offset = 0 while i < samples_len: if rnd_offset < len(rnd): r = int.from_bytes(rnd[rnd_offset:rnd_offset + deltabytes], byteorder='big') rnd_offset += deltabytes else: r = int.from_bytes(shake.read(int(deltabytes)), byteorder='big') r = (r & ((PP.delta1 << 1) - 1)) - PP.delta1 if r != -PP.delta1: arr[i] = r i += 1 return PP.P(arr), nonce + 1
def test_generate(self): key = ECC.generate(curve="Ed25519") self.assertTrue(key.has_private()) point = EccPoint(_curves['Ed25519'].Gx, _curves['Ed25519'].Gy, curve="Ed25519") * key.d self.assertEqual(key.pointQ, point) # Always random key2 = ECC.generate(curve="Ed25519") self.assertNotEqual(key, key2) # Other names ECC.generate(curve="Ed25519") # Random source key1 = ECC.generate(curve="Ed25519", randfunc=SHAKE128.new().read) key2 = ECC.generate(curve="Ed25519", randfunc=SHAKE128.new().read) self.assertEqual(key1, key2)
def test_short_128(self): test_vectors = load_tests("SHA3", "ShortMsgKAT_SHAKE128.txt") for result, data, desc in test_vectors: data = tobytes(data) hobj = SHAKE128.new(data=data) assert (len(result) % 2 == 0) digest = hobj.read(len(result) // 2) hexdigest = "".join(["%02x" % bord(x) for x in digest]) self.assertEqual(hexdigest, result)
def test_short_128(self): test_vectors = load_tests("SHA3", "ShortMsgKAT_SHAKE128.txt") for result, data, desc in test_vectors: data = tobytes(data) hobj = SHAKE128.new(data=data) assert(len(result) % 2 == 0) digest = hobj.read(len(result)//2) hexdigest = "".join(["%02x" % bord(x) for x in digest]) self.assertEqual(hexdigest, result)
def get_challenge_hash_amo(PP, T, W, p): shake = SHAKE128.new() for i in range(PP.kappa): for j in range(p): shake.update(poly_to_bytes(T[i][j])) for i in range(PP.kappa): for j in range(PP.amo_n): shake.update(poly_to_bytes(W[i][j])) c_hash = shake.read(int(PP.seedlen)) return c_hash
def test_several_lengths(self): prng = SHAKE128.new().update(b('Test')) for length in range(1, 100): base = Integer.from_bytes(prng.read(length)) modulus2 = Integer.from_bytes(prng.read(length)) | 1 exponent2 = Integer.from_bytes(prng.read(length)) expected = pow(base, exponent2, modulus2) result = monty_pow(base, exponent2, modulus2) self.assertEqual(result, expected)
def Sig_Ver(message, r, s, beta, q, p, g): shake = SHAKE128.new(message) h = int.from_bytes(shake.read(q.bit_length() // 8), byteorder='big') u1 = (modinv(s, q) * h) % q u2 = (modinv(s, q) * r) % q v1 = (pow(g, u1, p) * pow(beta, u2, p) % p) % q if v1 == r: return True else: return False
def get_challenge_hash(PP, gamma_hash, t3, vpp, h, vulp): shake = SHAKE128.new() shake.update(gamma_hash) shake.update(poly_to_bytes(t3)) shake.update(poly_to_bytes(vpp)) shake.update(poly_to_bytes(h)) if PP.k == 1: shake.update(poly_to_bytes(vulp)) else: for i in range(PP.k): shake.update(poly_to_bytes(vulp[i])) c_hash = shake.read(int(PP.seedlen)) return c_hash
def shake_128(self, size: int = 64): """Get Shake-128 hash Shake is an Extendable Output Function (XOF) of the SHA-3 hash algorithm, part of the Keccak family, allowing for variable output length/size. Args: size (int, optional): How many bytes to read, by default 64 Returns: Chepy: The Chepy object. """ h = SHAKE128.new() h.update(self._convert_to_bytes()) self.state = binascii.hexlify(h.read(size)) return self
def get_challenge_hash_amo_to_zero(PP, T0, T1, W0, W1, p): shake = SHAKE128.new() for i in range(PP.kappa): for j in range(p): shake.update(poly_to_bytes(T0[i][j])) for i in range(PP.npoly): for j in range(p): shake.update(poly_to_bytes(T1[i][j])) for i in range(PP.kappa): for j in range(PP.amo_n): shake.update(poly_to_bytes(W0[i][j])) for i in range(PP.npoly): for j in range(PP.amo_n): shake.update(poly_to_bytes(W1[i][j])) c_hash = shake.read(int(PP.seedlen)) return c_hash
def _chi_poly_single(PP, seed, nonce): shake = SHAKE128.new() shake.update(int(nonce).to_bytes(8, byteorder='big')) shake.update(seed) samples_len = PP.d rnd = shake.read(int(samples_len * 4 // 8)) arr = [0] * (samples_len) a = [0] * 4 for i in range(samples_len // 2): r = rnd[i] for j in range(2): for k in range(4): a[k] = r & 1 r >>= 1 c = (a[0] + a[1] - a[2] - a[3]) % 3 arr[i * 2 + j] = _chi_map(c) return PP.P(arr), nonce + 1
def challenge(PP, seed): d = PP.d shake = SHAKE128.new() shake.update(seed) rnd = shake.read(int(d * 2 // 8)) arr = [0] * d a = [0] * 2 for i in range(d // 4): r = rnd[i] for j in range(4): for k in range(2): a[k] = r & 1 r >>= 1 c = a[0] - a[1] arr[i * 4 + j] = c return PP.P(arr)
def random_poly_with_zeros(PP, seed, nonce, degree, zeros): shake = SHAKE128.new() shake.update(int(nonce).to_bytes(8, byteorder='big')) shake.update(seed) rnd = shake.read(int(4 * degree)) rnd_cnt = 0 lst = [0] * degree i = zeros while i < degree: if rnd_cnt < degree: r = int.from_bytes(rnd[rnd_cnt * 4:(rnd_cnt + 1) * 4], byteorder='big') rnd_cnt += 1 else: r = int.from_bytes(shake.read(int(4)), byteorder='big') r = r & ((1 << PP.q_bits) - 1) if r >= PP.q: continue else: lst[i] = r i += 1 return PP.P(lst), nonce + 1
def get_alpha_gamma(PP, t0, t1, t2, W): k = PP.k shake = SHAKE128.new() for i in range(PP.kappa): shake.update(poly_to_bytes(t0[i])) for i in range(PP.npoly): shake.update(poly_to_bytes(t1[i])) shake.update(poly_to_bytes(t2)) for i in range(k): for j in range(PP.kappa): shake.update(poly_to_bytes(W[i][j])) ag_hash = shake.read(int(PP.seedlen)) nonce = 0 if k == 1: gamma, _ = random_poly(PP, ag_hash, nonce, PP.d//PP.l) return gamma, ag_hash else: alpha = [0] * (k * PP.npoly) for i in range(k * PP.npoly): alpha[i], nonce = random_poly(PP, ag_hash, nonce, PP.d) gamma, nonce = random_zq(PP, ag_hash, nonce, k) return alpha, gamma, ag_hash
def Sig_Gen(message, a, k, q, p, g): shake = SHAKE128.new(message) h = int.from_bytes(shake.read(q.bit_length()//8), byteorder='big') r = pow(g, k, p)%q s = (modinv(k, q)*(h+a*r))%q return r, s
def new_test(self, data=data, result=tv.md): hobj = SHAKE128.new(data=data) digest = hobj.read(len(result)) self.assertEqual(digest, result)
def generate(self): key = self.key1 + self.key2 shake = SHAKE128.new() shake.update(key.encode()) key = shake.read(16) return key
https://colab.research.google.com/drive/1kGC-qFXHVDuewUS2wT7fsedigucQSKk- """ !pip install pycryptodome from DSA import modinv, egcd from Crypto.Hash import SHA3_256 from Crypto.Hash import SHAKE128 #-----given in the question-------- s1 = 2412874836775368230194957659405258449579579568340501217618177629780 s2 = 343379365128270720539597367095485301128970178274104846189598795161 g = 13843079639351340920273184714590884400432847093058770970775133079628015343474638985949514224469231316509301786191837239734743524804707156837615319355419215945094865320399756037490734275197507243978890158231379210099367755690209217652326933425758170008835084657241675545571324146202714002127571892258435472678396358353938476569410849475658691697420643000086724156167275855286708191941521213998074404126295230559090196852525498568126029906179168789585152438330622252753643553805877257623433974639379577436808678860489830511416186993204671106346196262903362008285485594747047950971109814842643611103016670841253194356243 p = 21844102112122237484058484990223222527816981702828279171498143036582716271485474028380542696862193720852272618397503658771128114568430034544311836848132556591324273117839115478343051538427437664722980830771161939139222964707695276957432968033365352302080366315415735532111302710857807281798249043320899027800135122873123243743524724602070457967657285884563858968187732680723369906222214201250288443824722261682828970158731587663585174032887767988219143996717380923998096794060064023264584949115354715211375168860544716843940259887168163262505413440632980952366656691935232538721726450037087263854935179798694999345517 r = 6164572993148268278544315246158794966061243456603081427389792698784 q = 18462870797958734358460540315802311963744999954506807981508498635091 message1_byte = b"He who laugh last didn't get the joke" message2_byte = b"Ask me no questions, and I'll tell you no lies" shake1 = SHAKE128.new(message1_byte) h1 = int.from_bytes(shake1.read(q.bit_length()//8), byteorder='big') shake2 = SHAKE128.new(message2_byte) h2 = int.from_bytes(shake2.read(q.bit_length()//8), byteorder='big') secondPart = r * (s1 - s2) secondPart_inv = modinv(secondPart, q) firstPart = (s2*h1 - s1*h2) % q a = (firstPart * secondPart_inv) % q print(" secret key is:", a)
def sign(m, key): if not key.private_key or len(key.private_key) != key.public_key.n: raise Exception('invalid private key') if isinstance(m, str): m = io.StringIO(m) elif isinstance(m, bytes): m = io.BytesIO(m) n = key.public_key.n # create boxes rounds_data = [] for t in range(k): permutation = generate_perm(n) perm_commitments = [commit(v) for v in permutation] perm_boxes = [c for (c, r) in perm_commitments] perm_keys = [r for (c, r) in perm_commitments] graph_boxes = {} graph_keys = {} inv_permutation = inv(permutation) for i in range(n): for j in range(i+1, n): c, r = commit(key.public_key[(inv_permutation[i], inv_permutation[j])]) graph_boxes[encode_tuple(i, j)] = c graph_keys[encode_tuple(i, j)] = r rounds_data.append( (permutation, perm_boxes, perm_keys, graph_boxes, graph_keys) ) # create hash shake = SHAKE128.new() for (permutation, perm_boxes, perm_keys, graph_boxes, graph_keys) in rounds_data: shake.update(str(perm_boxes).encode()) shake.update(str(graph_boxes).encode()) m_bytes = m.read(CHUNK_SIZE) while m_bytes: shake.update(str(m_bytes).encode()) m_bytes = m.read(CHUNK_SIZE) H = shake.read(k // 8) # create output # keys for boxes rounds_keys = [] for (t, data) in zip(range(k), rounds_data): (permutation, perm_boxes, perm_keys, graph_boxes, graph_keys) = data bit = get_bit(H, t) if bit: # 1 keys = [] priv_key = key.private_key for i in range(n): u, v = permutation[priv_key[i]], permutation[priv_key[(i+1) % n]] if u > v: u, v = v, u graph_key = graph_keys[encode_tuple(u, v)] keys.append((u, v, graph_key)) else: # 0 keys = [] for i in range(n): keys.append((permutation[i], perm_keys[i])) inv_permutation = inv(permutation) for i in range(n): for j in range(i+1, n): keys.append(graph_keys[encode_tuple(i, j)]) rounds_keys.append(keys) round_perm_boxes = [perm_boxes for (permutation, perm_boxes, perm_keys, graph_boxes, graph_keys) in rounds_data] round_graph_boxes = [graph_boxes for (permutation, perm_boxes, perm_keys, graph_boxes, graph_keys) in rounds_data] return (round_perm_boxes, round_graph_boxes, rounds_keys)
def verify_sign(m, key, signature): if isinstance(m, str): m = io.StringIO(m) elif isinstance(m, bytes): m = io.BytesIO(m) n = key.public_key.n (round_perm_boxes, round_graph_boxes, rounds_keys) = signature shake = SHAKE128.new() for (perm_boxes, graph_boxes) in zip(round_perm_boxes, round_graph_boxes): shake.update(str(perm_boxes).encode()) shake.update(str(graph_boxes).encode()) m_bytes = m.read(CHUNK_SIZE) while m_bytes: shake.update(str(m_bytes).encode()) m_bytes = m.read(CHUNK_SIZE) H = shake.read(k // 8) try: for t in range(k): perm_boxes = round_perm_boxes[t] graph_boxes = round_graph_boxes[t] keys = rounds_keys[t] bit = get_bit(H, t) if bit: # 1 cycle = [] for i in range(n): u, v, graph_key = keys[i] if not verify_commitment(1, graph_boxes[encode_tuple(u, v)], graph_key): return False next_u, next_v, _ = keys[(i + 1) % n] intersection = set((u, v)).intersection(set((next_u, next_v))) if not len(intersection) == 1: return False cycle.append(intersection.pop()) # verify if cycle is hamiltonian if not len(set(cycle)) == n: return False else: # 0 permutation = [] for i in range(n): graph_perm, graph_key = keys[i] permutation.append(graph_perm) # verify permutation if not verify_commitment(graph_perm, perm_boxes[i], graph_key): return False inv_permutation = inv(permutation) index = n for i in range(n): for j in range(i+1, n): graph_key = keys[index] # verify graph if not verify_commitment( key.public_key[inv_permutation[i], inv_permutation[j]], graph_boxes[encode_tuple(i, j)], graph_key): return False index += 1 except: return False return True
def get_fixed_prng(): return SHAKE128.new().update(b"SEED").read
def __init__(self, seed): hash_input = seed.encode() self.key = SHA256.new(data=hash_input).digest() self.nonce = SHAKE128.new(data=hash_input).read(length=8)
def string_to_32_byte_key(str: str) -> bytes: shake = SHAKE128.new() shake.update(str.encode('utf-8')) return shake.read(32)
def get_tag_random(tag, length): return SHAKE128.new(data=tobytes(tag)).read(length)
def __init__(self, data): self.shake = SHAKE128.new(data) self.gauss_next = None
from Crypto.Hash import SHAKE128 q = 15141339084211537780798402821468668253233855293250282470707486523729 p = 15459352678170194999059797953835943703769299798522640485949251021230061239872933286596281671875036444766767260825161156339142374953144264667175663093532210016977000296281428180052962512096930034626707240943073909429948568647175489641923947055523690662397275499814011659615933313001220733558180164993086472379325887209418439076036830595968948122463542565488458285559269152814846930461678806155717771594791617514000333739836058367191702301817095873715810768950392576601345434651042282496258898798293897916341315693731763534513871295870117294672305447940132333142894162790759196704240972899412016593006223087871357404969 g = 3800569625008648766049545537807478639158256666453837543156865205157342453175195338293914518318389932512419197022492193267072466754594620461534567362497841710002599111953091344930343994503431071692400525354528547918075410538790275781900267312641988973075426468087022427855954288858299458927808889518984317490141729401786342725042250941182574740334793901912974170222604015177323368814264989835679407076289974855552414398779625521837257916022552980027627057473062644879659632681204107806120144998907991338913266334321160324651484012752441634140243465730939619242515280714356873699965985363402010686851443396200018800199 beta = 13811718194912887731259973687531659017221233072693758339320677556085961091741512534312991319990988012320895125273138799484930424656328618986338233650799555131896857586001490595604365368085682743275712428137943225119715628405892357306029150574584119785832325605674838801154641895745311161271889436502899846458131900988387777254676157672199525938326470244363881227814557082187788046660952433631553517068095734365024876910709029416850114854064043338879940542901936624969303248595208108795751225387203405395739941042570698164719973037261394764330314120509607344408485820133307388882699955010320183318447065675487861322141 m1_byte= b"He who laugh last didn't get the joke" m2_byte = b"Ask me no questions, and I'll tell you no lies" r1 = 7807207725923213670059456706077357545604668400924354746850607726310 r2 = 13601517662990253244919392623006368173804524139680316147330845851641 s1 = 10137413521818981860558295844142463248736280669671376607939774420169 s2 = 5354638027707905626045156057361096890377811387248394522419069236340 shake1 = SHAKE128.new(m1_byte) h1 = int.from_bytes(shake1.read(q.bit_length()//8), byteorder='big') shake2 = SHAKE128.new(m2_byte) h2 = int.from_bytes(shake2.read(q.bit_length()//8), byteorder='big') for x in range(200): #j=2, i=1 secondPart = ((s2*r1*x)%q) - ((s1*r2)%q) secondInv = modinv(secondPart, q) firstPart = s1*h2 - s2*h1*x a = (firstPart * secondInv) % q if beta == pow(g, a, p): print("x:", x) print("a:", a) break
def create_rng(tag): rng = StrongRandom(SHAKE128.new(data=tag)) return rng