def RSA_OAEP_Enc(m, e, N, R):
k = N.bit_length()-2
m0k1 = m << k1
shake = SHAKE128.new(R.to_bytes(k0//8, byteorder='big'))
GR = shake.read((k-k0)//8)
m0k1GR = m0k1 ^ int.from_bytes(GR, byteorder='big')
shake = SHAKE128.new(m0k1GR.to_bytes((m0k1GR.bit_length()+7)//8, byteorder='big'))
Hm0k1GR = shake.read(k0//8)
RHm0k1GR = R ^ int.from_bytes(Hm0k1GR, byteorder='big')
m_ = (m0k1GR << k0) + RHm0k1GR
c = pow(m_, e, N)
return c
def RSA_OAEP_Dec(c, d, N):
k = N.bit_length()-2
m_ = pow(c, d, N)
m0k1GR = m_ >> k0
RHm0k1GR = m_ % 2**k0
shake = SHAKE128.new(m0k1GR.to_bytes((m0k1GR.bit_length()+7)//8, byteorder='big'))
Hm0k1GR = shake.read(k0//8)
R = int.from_bytes(Hm0k1GR, byteorder='big') ^ RHm0k1GR
shake = SHAKE128.new(R.to_bytes(k0//8, byteorder='big'))
GR = shake.read((k-k0)//8)
m0k1 = m0k1GR ^ int.from_bytes(GR, byteorder='big')
m = m0k1 >> k1
return m
def challenge_amo(PP, seed, p):
shake = SHAKE128.new()
shake.update(seed)
# absolutely not effective
val_bytes = 2
rnd = shake.read(int(val_bytes * 2 * p * PP.amo_n))
rnd_offset = 0
c = []
for i in range(p):
row = [0] * PP.amo_n
for j in range(PP.amo_n):
while True:
if rnd_offset < len(rnd):
r = int.from_bytes(rnd[rnd_offset:rnd_offset + val_bytes],
byteorder='big')
rnd_offset += val_bytes
else:
r = int.from_bytes(shake.read(int(val_bytes)),
byteorder='big')
r & 511
if r <= 257:
if r == 0:
row[j] = 0
else:
row[j] = (-1)**(r & 1) * PP.X**((r - 1) // 2)
break
c.append(row)
return c
def _uniform_poly_single(PP, seed, nonce):
d = PP.d
shake = SHAKE128.new()
shake.update(int(nonce).to_bytes(8, byteorder='big'))
shake.update(seed)
# absolutely not effective
deltabytes = (PP.logdelta1 + 1 + 7) // 8
assert (PP.logdelta1 + 1 <= deltabytes * 8)
rnd = shake.read(int(deltabytes * d))
samples_len = d
arr = [0] * (samples_len)
i = 0
rnd_offset = 0
while i < samples_len:
if rnd_offset < len(rnd):
r = int.from_bytes(rnd[rnd_offset:rnd_offset + deltabytes],
byteorder='big')
rnd_offset += deltabytes
else:
r = int.from_bytes(shake.read(int(deltabytes)), byteorder='big')
r = (r & ((PP.delta1 << 1) - 1)) - PP.delta1
if r != -PP.delta1:
arr[i] = r
i += 1
return PP.P(arr), nonce + 1
def test_generate(self):
key = ECC.generate(curve="Ed25519")
self.assertTrue(key.has_private())
point = EccPoint(_curves['Ed25519'].Gx, _curves['Ed25519'].Gy, curve="Ed25519") * key.d
self.assertEqual(key.pointQ, point)
# Always random
key2 = ECC.generate(curve="Ed25519")
self.assertNotEqual(key, key2)
# Other names
ECC.generate(curve="Ed25519")
# Random source
key1 = ECC.generate(curve="Ed25519", randfunc=SHAKE128.new().read)
key2 = ECC.generate(curve="Ed25519", randfunc=SHAKE128.new().read)
self.assertEqual(key1, key2)
def test_short_128(self):
test_vectors = load_tests("SHA3", "ShortMsgKAT_SHAKE128.txt")
for result, data, desc in test_vectors:
data = tobytes(data)
hobj = SHAKE128.new(data=data)
assert (len(result) % 2 == 0)
digest = hobj.read(len(result) // 2)
hexdigest = "".join(["%02x" % bord(x) for x in digest])
self.assertEqual(hexdigest, result)
def test_short_128(self):
test_vectors = load_tests("SHA3", "ShortMsgKAT_SHAKE128.txt")
for result, data, desc in test_vectors:
data = tobytes(data)
hobj = SHAKE128.new(data=data)
assert(len(result) % 2 == 0)
digest = hobj.read(len(result)//2)
hexdigest = "".join(["%02x" % bord(x) for x in digest])
self.assertEqual(hexdigest, result)
def get_challenge_hash_amo(PP, T, W, p):
shake = SHAKE128.new()
for i in range(PP.kappa):
for j in range(p):
shake.update(poly_to_bytes(T[i][j]))
for i in range(PP.kappa):
for j in range(PP.amo_n):
shake.update(poly_to_bytes(W[i][j]))
c_hash = shake.read(int(PP.seedlen))
return c_hash
def test_several_lengths(self):
prng = SHAKE128.new().update(b('Test'))
for length in range(1, 100):
base = Integer.from_bytes(prng.read(length))
modulus2 = Integer.from_bytes(prng.read(length)) | 1
exponent2 = Integer.from_bytes(prng.read(length))
expected = pow(base, exponent2, modulus2)
result = monty_pow(base, exponent2, modulus2)
self.assertEqual(result, expected)
def Sig_Ver(message, r, s, beta, q, p, g):
shake = SHAKE128.new(message)
h = int.from_bytes(shake.read(q.bit_length() // 8), byteorder='big')
u1 = (modinv(s, q) * h) % q
u2 = (modinv(s, q) * r) % q
v1 = (pow(g, u1, p) * pow(beta, u2, p) % p) % q
if v1 == r:
return True
else:
return False
def get_challenge_hash(PP, gamma_hash, t3, vpp, h, vulp):
shake = SHAKE128.new()
shake.update(gamma_hash)
shake.update(poly_to_bytes(t3))
shake.update(poly_to_bytes(vpp))
shake.update(poly_to_bytes(h))
if PP.k == 1:
shake.update(poly_to_bytes(vulp))
else:
for i in range(PP.k):
shake.update(poly_to_bytes(vulp[i]))
c_hash = shake.read(int(PP.seedlen))
return c_hash
def shake_128(self, size: int = 64):
"""Get Shake-128 hash
Shake is an Extendable Output Function (XOF) of the SHA-3 hash algorithm,
part of the Keccak family, allowing for variable output length/size.
Args:
size (int, optional): How many bytes to read, by default 64
Returns:
Chepy: The Chepy object.
"""
h = SHAKE128.new()
h.update(self._convert_to_bytes())
self.state = binascii.hexlify(h.read(size))
return self
def get_challenge_hash_amo_to_zero(PP, T0, T1, W0, W1, p):
shake = SHAKE128.new()
for i in range(PP.kappa):
for j in range(p):
shake.update(poly_to_bytes(T0[i][j]))
for i in range(PP.npoly):
for j in range(p):
shake.update(poly_to_bytes(T1[i][j]))
for i in range(PP.kappa):
for j in range(PP.amo_n):
shake.update(poly_to_bytes(W0[i][j]))
for i in range(PP.npoly):
for j in range(PP.amo_n):
shake.update(poly_to_bytes(W1[i][j]))
c_hash = shake.read(int(PP.seedlen))
return c_hash
def _chi_poly_single(PP, seed, nonce):
shake = SHAKE128.new()
shake.update(int(nonce).to_bytes(8, byteorder='big'))
shake.update(seed)
samples_len = PP.d
rnd = shake.read(int(samples_len * 4 // 8))
arr = [0] * (samples_len)
a = [0] * 4
for i in range(samples_len // 2):
r = rnd[i]
for j in range(2):
for k in range(4):
a[k] = r & 1
r >>= 1
c = (a[0] + a[1] - a[2] - a[3]) % 3
arr[i * 2 + j] = _chi_map(c)
return PP.P(arr), nonce + 1
def challenge(PP, seed):
d = PP.d
shake = SHAKE128.new()
shake.update(seed)
rnd = shake.read(int(d * 2 // 8))
arr = [0] * d
a = [0] * 2
for i in range(d // 4):
r = rnd[i]
for j in range(4):
for k in range(2):
a[k] = r & 1
r >>= 1
c = a[0] - a[1]
arr[i * 4 + j] = c
return PP.P(arr)
def random_poly_with_zeros(PP, seed, nonce, degree, zeros):
shake = SHAKE128.new()
shake.update(int(nonce).to_bytes(8, byteorder='big'))
shake.update(seed)
rnd = shake.read(int(4 * degree))
rnd_cnt = 0
lst = [0] * degree
i = zeros
while i < degree:
if rnd_cnt < degree:
r = int.from_bytes(rnd[rnd_cnt * 4:(rnd_cnt + 1) * 4],
byteorder='big')
rnd_cnt += 1
else:
r = int.from_bytes(shake.read(int(4)), byteorder='big')
r = r & ((1 << PP.q_bits) - 1)
if r >= PP.q:
continue
else:
lst[i] = r
i += 1
return PP.P(lst), nonce + 1
def get_alpha_gamma(PP, t0, t1, t2, W):
k = PP.k
shake = SHAKE128.new()
for i in range(PP.kappa):
shake.update(poly_to_bytes(t0[i]))
for i in range(PP.npoly):
shake.update(poly_to_bytes(t1[i]))
shake.update(poly_to_bytes(t2))
for i in range(k):
for j in range(PP.kappa):
shake.update(poly_to_bytes(W[i][j]))
ag_hash = shake.read(int(PP.seedlen))
nonce = 0
if k == 1:
gamma, _ = random_poly(PP, ag_hash, nonce, PP.d//PP.l)
return gamma, ag_hash
else:
alpha = [0] * (k * PP.npoly)
for i in range(k * PP.npoly):
alpha[i], nonce = random_poly(PP, ag_hash, nonce, PP.d)
gamma, nonce = random_zq(PP, ag_hash, nonce, k)
return alpha, gamma, ag_hash
def Sig_Gen(message, a, k, q, p, g):
shake = SHAKE128.new(message)
h = int.from_bytes(shake.read(q.bit_length()//8), byteorder='big')
r = pow(g, k, p)%q
s = (modinv(k, q)*(h+a*r))%q
return r, s
def new_test(self, data=data, result=tv.md):
hobj = SHAKE128.new(data=data)
digest = hobj.read(len(result))
self.assertEqual(digest, result)
def generate(self):
key = self.key1 + self.key2
shake = SHAKE128.new()
shake.update(key.encode())
key = shake.read(16)
return key
https://colab.research.google.com/drive/1kGC-qFXHVDuewUS2wT7fsedigucQSKk-
"""
!pip install pycryptodome
from DSA import modinv, egcd
from Crypto.Hash import SHA3_256
from Crypto.Hash import SHAKE128
#-----given in the question--------
s1 = 2412874836775368230194957659405258449579579568340501217618177629780
s2 = 343379365128270720539597367095485301128970178274104846189598795161
g = 13843079639351340920273184714590884400432847093058770970775133079628015343474638985949514224469231316509301786191837239734743524804707156837615319355419215945094865320399756037490734275197507243978890158231379210099367755690209217652326933425758170008835084657241675545571324146202714002127571892258435472678396358353938476569410849475658691697420643000086724156167275855286708191941521213998074404126295230559090196852525498568126029906179168789585152438330622252753643553805877257623433974639379577436808678860489830511416186993204671106346196262903362008285485594747047950971109814842643611103016670841253194356243
p = 21844102112122237484058484990223222527816981702828279171498143036582716271485474028380542696862193720852272618397503658771128114568430034544311836848132556591324273117839115478343051538427437664722980830771161939139222964707695276957432968033365352302080366315415735532111302710857807281798249043320899027800135122873123243743524724602070457967657285884563858968187732680723369906222214201250288443824722261682828970158731587663585174032887767988219143996717380923998096794060064023264584949115354715211375168860544716843940259887168163262505413440632980952366656691935232538721726450037087263854935179798694999345517
r = 6164572993148268278544315246158794966061243456603081427389792698784
q = 18462870797958734358460540315802311963744999954506807981508498635091
message1_byte = b"He who laugh last didn't get the joke"
message2_byte = b"Ask me no questions, and I'll tell you no lies"
shake1 = SHAKE128.new(message1_byte)
h1 = int.from_bytes(shake1.read(q.bit_length()//8), byteorder='big')
shake2 = SHAKE128.new(message2_byte)
h2 = int.from_bytes(shake2.read(q.bit_length()//8), byteorder='big')
secondPart = r * (s1 - s2)
secondPart_inv = modinv(secondPart, q)
firstPart = (s2*h1 - s1*h2) % q
a = (firstPart * secondPart_inv) % q
print(" secret key is:", a)
def sign(m, key):
if not key.private_key or len(key.private_key) != key.public_key.n:
raise Exception('invalid private key')
if isinstance(m, str):
m = io.StringIO(m)
elif isinstance(m, bytes):
m = io.BytesIO(m)
n = key.public_key.n
# create boxes
rounds_data = []
for t in range(k):
permutation = generate_perm(n)
perm_commitments = [commit(v) for v in permutation]
perm_boxes = [c for (c, r) in perm_commitments]
perm_keys = [r for (c, r) in perm_commitments]
graph_boxes = {}
graph_keys = {}
inv_permutation = inv(permutation)
for i in range(n):
for j in range(i+1, n):
c, r = commit(key.public_key[(inv_permutation[i], inv_permutation[j])])
graph_boxes[encode_tuple(i, j)] = c
graph_keys[encode_tuple(i, j)] = r
rounds_data.append(
(permutation, perm_boxes, perm_keys, graph_boxes, graph_keys)
)
# create hash
shake = SHAKE128.new()
for (permutation, perm_boxes, perm_keys, graph_boxes, graph_keys) in rounds_data:
shake.update(str(perm_boxes).encode())
shake.update(str(graph_boxes).encode())
m_bytes = m.read(CHUNK_SIZE)
while m_bytes:
shake.update(str(m_bytes).encode())
m_bytes = m.read(CHUNK_SIZE)
H = shake.read(k // 8)
# create output
# keys for boxes
rounds_keys = []
for (t, data) in zip(range(k), rounds_data):
(permutation, perm_boxes, perm_keys, graph_boxes, graph_keys) = data
bit = get_bit(H, t)
if bit:
# 1
keys = []
priv_key = key.private_key
for i in range(n):
u, v = permutation[priv_key[i]], permutation[priv_key[(i+1) % n]]
if u > v:
u, v = v, u
graph_key = graph_keys[encode_tuple(u, v)]
keys.append((u, v, graph_key))
else:
# 0
keys = []
for i in range(n):
keys.append((permutation[i], perm_keys[i]))
inv_permutation = inv(permutation)
for i in range(n):
for j in range(i+1, n):
keys.append(graph_keys[encode_tuple(i, j)])
rounds_keys.append(keys)
round_perm_boxes = [perm_boxes for (permutation, perm_boxes, perm_keys, graph_boxes, graph_keys) in rounds_data]
round_graph_boxes = [graph_boxes for (permutation, perm_boxes, perm_keys, graph_boxes, graph_keys) in rounds_data]
return (round_perm_boxes, round_graph_boxes, rounds_keys)
def verify_sign(m, key, signature):
if isinstance(m, str):
m = io.StringIO(m)
elif isinstance(m, bytes):
m = io.BytesIO(m)
n = key.public_key.n
(round_perm_boxes, round_graph_boxes, rounds_keys) = signature
shake = SHAKE128.new()
for (perm_boxes, graph_boxes) in zip(round_perm_boxes, round_graph_boxes):
shake.update(str(perm_boxes).encode())
shake.update(str(graph_boxes).encode())
m_bytes = m.read(CHUNK_SIZE)
while m_bytes:
shake.update(str(m_bytes).encode())
m_bytes = m.read(CHUNK_SIZE)
H = shake.read(k // 8)
try:
for t in range(k):
perm_boxes = round_perm_boxes[t]
graph_boxes = round_graph_boxes[t]
keys = rounds_keys[t]
bit = get_bit(H, t)
if bit:
# 1
cycle = []
for i in range(n):
u, v, graph_key = keys[i]
if not verify_commitment(1, graph_boxes[encode_tuple(u, v)], graph_key):
return False
next_u, next_v, _ = keys[(i + 1) % n]
intersection = set((u, v)).intersection(set((next_u, next_v)))
if not len(intersection) == 1:
return False
cycle.append(intersection.pop())
# verify if cycle is hamiltonian
if not len(set(cycle)) == n:
return False
else:
# 0
permutation = []
for i in range(n):
graph_perm, graph_key = keys[i]
permutation.append(graph_perm)
# verify permutation
if not verify_commitment(graph_perm, perm_boxes[i], graph_key):
return False
inv_permutation = inv(permutation)
index = n
for i in range(n):
for j in range(i+1, n):
graph_key = keys[index]
# verify graph
if not verify_commitment(
key.public_key[inv_permutation[i], inv_permutation[j]],
graph_boxes[encode_tuple(i, j)], graph_key):
return False
index += 1
except:
return False
return True
def get_fixed_prng():
return SHAKE128.new().update(b"SEED").read
def __init__(self, seed):
hash_input = seed.encode()
self.key = SHA256.new(data=hash_input).digest()
self.nonce = SHAKE128.new(data=hash_input).read(length=8)
def string_to_32_byte_key(str: str) -> bytes:
shake = SHAKE128.new()
shake.update(str.encode('utf-8'))
return shake.read(32)
def get_tag_random(tag, length):
return SHAKE128.new(data=tobytes(tag)).read(length)
def get_tag_random(tag, length):
return SHAKE128.new(data=tobytes(tag)).read(length)
def new_test(self, data=data, result=tv.md):
hobj = SHAKE128.new(data=data)
digest = hobj.read(len(result))
self.assertEqual(digest, result)
def __init__(self, data):
self.shake = SHAKE128.new(data)
self.gauss_next = None
from Crypto.Hash import SHAKE128
q = 15141339084211537780798402821468668253233855293250282470707486523729
p = 15459352678170194999059797953835943703769299798522640485949251021230061239872933286596281671875036444766767260825161156339142374953144264667175663093532210016977000296281428180052962512096930034626707240943073909429948568647175489641923947055523690662397275499814011659615933313001220733558180164993086472379325887209418439076036830595968948122463542565488458285559269152814846930461678806155717771594791617514000333739836058367191702301817095873715810768950392576601345434651042282496258898798293897916341315693731763534513871295870117294672305447940132333142894162790759196704240972899412016593006223087871357404969
g = 3800569625008648766049545537807478639158256666453837543156865205157342453175195338293914518318389932512419197022492193267072466754594620461534567362497841710002599111953091344930343994503431071692400525354528547918075410538790275781900267312641988973075426468087022427855954288858299458927808889518984317490141729401786342725042250941182574740334793901912974170222604015177323368814264989835679407076289974855552414398779625521837257916022552980027627057473062644879659632681204107806120144998907991338913266334321160324651484012752441634140243465730939619242515280714356873699965985363402010686851443396200018800199
beta = 13811718194912887731259973687531659017221233072693758339320677556085961091741512534312991319990988012320895125273138799484930424656328618986338233650799555131896857586001490595604365368085682743275712428137943225119715628405892357306029150574584119785832325605674838801154641895745311161271889436502899846458131900988387777254676157672199525938326470244363881227814557082187788046660952433631553517068095734365024876910709029416850114854064043338879940542901936624969303248595208108795751225387203405395739941042570698164719973037261394764330314120509607344408485820133307388882699955010320183318447065675487861322141
m1_byte= b"He who laugh last didn't get the joke"
m2_byte = b"Ask me no questions, and I'll tell you no lies"
r1 = 7807207725923213670059456706077357545604668400924354746850607726310
r2 = 13601517662990253244919392623006368173804524139680316147330845851641
s1 = 10137413521818981860558295844142463248736280669671376607939774420169
s2 = 5354638027707905626045156057361096890377811387248394522419069236340
shake1 = SHAKE128.new(m1_byte)
h1 = int.from_bytes(shake1.read(q.bit_length()//8), byteorder='big')
shake2 = SHAKE128.new(m2_byte)
h2 = int.from_bytes(shake2.read(q.bit_length()//8), byteorder='big')
for x in range(200): #j=2, i=1
secondPart = ((s2*r1*x)%q) - ((s1*r2)%q)
secondInv = modinv(secondPart, q)
firstPart = s1*h2 - s2*h1*x
a = (firstPart * secondInv) % q
if beta == pow(g, a, p):
print("x:", x)
print("a:", a)
break
def create_rng(tag):
rng = StrongRandom(SHAKE128.new(data=tag))
return rng
def get_fixed_prng():
return SHAKE128.new().update(b"SEED").read
