def generate(bits, randfunc, progress_func=None):
"""generate(bits:int, randfunc:callable, progress_func:callable)
Generate an ElGamal key of length 'bits', using 'randfunc' to get
random data and 'progress_func', if present, to display
the progress of the key generation.
"""
obj=ElGamalobj()
# Generate a safe prime p
# See Algorithm 4.86 in Handbook of Applied Cryptography
if progress_func:
progress_func('p\n')
while 1:
q = bignum(getPrime(bits-1, randfunc))
obj.p = 2*q+1
if number.isPrime(obj.p, randfunc=randfunc):
break
# Generate generator g
# See Algorithm 4.80 in Handbook of Applied Cryptography
# Note that the order of the group is n=p-1=2q, where q is prime
if progress_func:
progress_func('g\n')
while 1:
# We must avoid g=2 because of Bleichenbacher's attack described
# in "Generating ElGamal signatures without knowning the secret key",
# 1996
#
obj.g = number.getRandomRange(3, obj.p, randfunc)
safe = 1
if pow(obj.g, 2, obj.p)==1:
safe=0
if safe and pow(obj.g, q, obj.p)==1:
safe=0
# Discard g if it divides p-1 because of the attack described
# in Note 11.67 (iii) in HAC
if safe and divmod(obj.p-1, obj.g)[1]==0:
safe=0
# g^{-1} must not divide p-1 because of Khadir's attack
# described in "Conditions of the generator for forging ElGamal
# signature", 2011
ginv = number.inverse(obj.g, obj.p)
if safe and divmod(obj.p-1, ginv)[1]==0:
safe=0
if safe:
break
# Generate private key x
if progress_func:
progress_func('x\n')
obj.x=number.getRandomRange(2, obj.p-1, randfunc)
# Generate public key y
if progress_func:
progress_func('y\n')
obj.y = pow(obj.g, obj.x, obj.p)
return obj
def brent_rho(number):
"""
Richard Brent variant of the rho algorithm
Pollard's rho algorithm is a general-purpose integer factorization
algorithm. It is particularly effective at splitting composite
numbers with small factors.
"""
if number % 2 == 0:
return 2
rand_y = nutil.getRandomRange(1, number - 1, urandom)
rand_c = nutil.getRandomRange(1, number - 1, urandom)
rand_m = nutil.getRandomRange(1, number - 1, urandom)
index_g, index_r, index_q = 1, 1, 1
while index_g == 1:
copy_y = rand_y
index_k = 0
index = 0
while index < index_r:
rand_y = ((rand_y * rand_y) % number + rand_c) % number
index += 1
while (index_k < index_r and index_g == 1):
y_copy2 = rand_y
index = 0
limit = min(rand_m, index_r - index_k)
while index < limit:
rand_y = ((rand_y * rand_y) % number + rand_c) % number
index_q = index_q * (abs(copy_y - rand_y)) % number
index += 1
index_g = gcd(index_q, number)
index_k = index_k + rand_m
index_r = index_r * 2
if index_g == number:
while True:
y_copy2 = ((y_copy2 * y_copy2) % number + rand_c) % number
index_g = gcd(abs(copy_y - y_copy2), number)
if index_g > 1:
break
return index_g
def DSAGenParameter(): print "Génération des paramètres" # On génère Q print "Génération de Q" q = number.getPrime(160) print "Q généré" # On génère P print "Génération de P" while True: r = number.getRandomInteger(480) p = (q*r)+1 if number.isPrime(p): break print "P généré" # On génère G print "Génération de G" while True: y = number.getRandomRange(0, p) g = pow(y, (p-1)/q, p) if g != 1: break print "G généré" print "Paramètres générés" return p, q, y, g
def find_generator_and_safe_prime(bits, gen_max_bits = False):
stdout.write('Trying to find prime p ')
while(1):
stdout.write('.')
q = number.getPrime(bits-1) # zeby pomnozona przez 2 byla na pewno mniejsza od p, (+1 pomijam, zakladam ze nie przekroczy)
p = (q << 1) + 1
if number.isPrime(p):
print '\n' + str(number.size(p)) + ' bits prime p found'
p_sub_1 = p - 1
stdout.write('Trying to find generator g ')
while(1):
if gen_max_bits: # generator moze miec dowolna liczbe bitow
g = number.getRandomNBitInteger(bits)
if g >= p:
continue
else:
g = number.getRandomRange(2, p)
if pow(g, 2, p) == 1 or pow(g, q, p) == 1:
stdout.write('.')
continue
print '\n' + str(number.size(g)) + ' bits generator g found'
return p, g
def _decrypt(self, M):
if (not hasattr(self, 'x')):
raise TypeError('Private key not available in this object')
r = number.getRandomRange(2, self.p-1, self._randfunc)
a_blind = (M[0] * pow(self.g, r, self.p)) % self.p
ax=pow(a_blind, self.x, self.p)
plaintext_blind = (M[1] * inverse(ax, self.p ) ) % self.p
plaintext = (plaintext_blind * pow(self.y, r, self.p)) % self.p
return plaintext
def sign_message(modulus, base, order, key, message):
while 1:
w = number.getRandomRange(3, order)
r = pow(base, w, modulus) % order
w = number.inverse(w, order)
s = w * (message + r*key)
if s != 0:
break
return {'r': r, 's': s, 'm': message}
def process_number(self):
"""Returns a posbile generator"""
while True:
# Get a random number
random_number = nutil.getRandomRange(2, self._prime - 2,
os.urandom)
# Check if it is co-prime
if gcd(random_number, self._prime) == 1:
break
return random_number
def _auth_step_one(self):
"""Compute pow(genrator, random_value)"""
# Generate a random number in (2, prime_number)
self._sts["c_exponent"] = nutil.getRandomRange(
2, self.data["prime_number"], os.urandom)
# Compute generator ^ x_exponent
self._sts["c_secret"] = str(pow(
long(self.data["generator"]), long(self._sts["c_exponent"]),
long(self.data["prime_number"])))
def generateSignature(p, q, g, x, message):
H = int(hexlify(CryptoBox.generateHash(message, 1)), 16)
k = number.getRandomRange(1, q)
r = utils.mod_exp(g, k, p) % q
k_inv = utils.inverse(k, q)
s = (k_inv * (H + x * r)) % q
if (r == 0 or s == 0):
# since it is very unlikely to make a recursive call, function will terminate eventually
return generateSignature(p, q, g, x, message)
return r, s
def pollard_rho(number):
"""
Pollard Rho is an integer factorization algorithm, which is quite fast
for large numbers.
"""
if number % 2 == 0:
return 2
rand_y = nutil.getRandomRange(1, number - 1, urandom)
rand_c = nutil.getRandomRange(1, number - 1, urandom)
copy_y = rand_y
index_g = 1
while index_g == 1:
rand_y = ((rand_y * rand_y) % number + rand_c) % number
copy_y = ((copy_y * copy_y) % number + rand_c) % number
copy_y = ((copy_y * copy_y) % number + rand_c) % number
index_g = gcd(abs(rand_y - copy_y), number)
return index_g
def _decrypt(self, c):
#(ciphertext,) = c
(ciphertext,) = c[:1] # HACK - We should use the previous line
# instead, but this is more compatible and we're
# going to replace the Crypto.PublicKey API soon
# anyway.
# Blinded RSA decryption (to prevent timing attacks):
# Step 1: Generate random secret blinding factor r, such that 0 < r < n-1
r = getRandomRange(1, self.key.n-1, randfunc=self._randfunc)
# Step 2: Compute c' = c * r**e mod n
cp = self.key._blind(ciphertext, r)
# Step 3: Compute m' = c'**d mod n (ordinary RSA decryption)
mp = self.key._decrypt(cp)
# Step 4: Compute m = m**(r-1) mod n
return self.key._unblind(mp, r)
def find_generator_and_prime(bits, n, gen_max_bits = False):
# p - 1 = q1 * q2 * q3 * ... * qn
p_sub_1 = 0 # p - 1
p = 0
stdout.write('Trying to find prime p ')
while(not number.isPrime(p)): # sprawdzamy czy liczba p jest pierwsza, inaczej nie ma sensu szukac generatora
stdout.write('.')
qs = [2] # lista q, inicjowana q1 = 2, bez 2 p+1 bylaby zawsze liczba parzysta czyli nie pierwsza
p_sub_1 = qs[0] # p - 1 = q1
for i in range(0, n):
q = number.getPrime(bits/n)
tmp_p_sub_1 = p_sub_1 * q
tmp_p = tmp_p_sub_1 + 1
if number.size(tmp_p) <= bits: # sprawdzamy czy liczba p ma tyle bitow ile chcemy
p_sub_1 = tmp_p_sub_1
p = tmp_p
qs.append(q)
else:
break
if(number.size(p_sub_1) != bits): # dopelniamy do oczekiwanej liczby bitow mnozac kilkukrotnie przez 2
p_sub_1 <<= bits-number.size(p_sub_1)
p = p_sub_1 + 1
stdout.write('\n' + str(number.size(p)) + ' bits prime p found\n')
stdout.write("Trying to find generator g ")
while(1): # kazda grupa cykliczna ma generator
stdout.write('.')
if gen_max_bits:
g = number.getRandomNBitInteger(bits) # generator moze miec dowolna liczbe bitow
if g >= p:
continue
else:
g = number.getRandomRange(2, p)
isGenerator = True
for q in qs:
if pow(g, p_sub_1/q, p) == 1: # nie jest generatorem jesli g ^ ((p-1) / q) mod p == 1
isGenerator = False
break;
if isGenerator:
stdout.write('\n' + str(number.size(g)) + ' bits generator g found\n')
return p, g
def sign(self, M, sk):
N = sk[0]
T = sk[1]
j = sk[2]
s = sk[3]
while True:
r = bignum(number.getRandomRange(3, N, self._randfunc))
if 1 == GCD(r, N):
break
order = pow(2, self._l * (T + 1 - j))
y = pow(r, order, N)
h = SHA256.new()
h.update(long_to_bytes(j))
h.update(long_to_bytes(y))
h.update(M)
sigma = h.digest()
z = (r * pow(s, bytes_to_long(sigma), N)) % N
return [j, [z, sigma]]
def generate_py(T, randfunc, progress_func=None):
"""generate(curve:CurveDomain, randfunc:callable, progress_func:callable)
Generate a ECDSA key on curve 'T', using 'randfunc' to get random
data and 'progress_func', if present, to display the progress of the key
generation.
"""
if not T.verify():
raise ValueError('Invalid curve')
# Generate private key d and public key Q = dg
if progress_func:
progress_func('d\n')
d = number.getRandomRange(1, T.n - 1, randfunc)
if progress_func:
progress_func('Q\n')
Q = T.G * d
return construct(Q, d)
def main():
s = getRandomRange(0, (1 << 64))
r = ''
for _ in range(200):
s = xorshift(s)
if os.urandom(1)[0] >= 128:
r += str(s & 1)
else:
r += '.'
print(f'[+] Here is the output')
print(r)
print('')
inp = int(input('[>] What is current state? '))
if inp == s:
print(f'[+] Flag: {FLAG}')
else:
print('[-] Noop')
def kxchang_demo(size):
# Generate keys for both parties
skA, pkA, nA = keygen(size)
skB, pkB, nB = keygen(size)
# Exchange public modulus and create the shared modulus
S = nA * nB
# One party generates a point between 1 and S minus 1
y = number.getRandomRange(1, (S - 1))
# Generate phase 1 by encrypting the public key
phase1A = pow(pkA, skA, S)
phase1B = pow(pkA, skB, S)
# Generate the phase 2 secret modulus
phase2A = pow(phase1B, skA, S)
phase2B = pow(phase1A, skB, S)
# Both parties encrypt y using the secret modulus and send phase3
phase3A = pow(y, skA, phase2A)
phase3B = pow(y, skB, phase2B)
# Compute the shared secret
phase4A = pow(phase3B, skA, phase2A)
phase4B = pow(phase3A, skB, phase2B)
def DSAsign(myMessage, p, q, g, sk):
# Préconditions
if myMessage == None or sk == None or p == None or q == None or g == None:
raise ValueError("Les paramètres ne sont pas tous renseignés")
# Traitement
print "Signature d'un message"
sha512 = SHA512.new()
sha512.update(myMessage)
hashMessage = number.bytes_to_long(sha512.digest())
k = number.getRandomRange(0, q)
r = pow(g, k, p) % q
s = ((hashMessage+(sk*r)) * number.inverse(k, q)) % q
print "Message signé"
return r, s
def keygen(self):
p = bignum(self.getbwinteger(self._k/2))
q = bignum(self.getbwinteger(self._k/2))
N = p * q
s = list()
u = list()
for i in range(0, self._l):
while True:
temp = number.getRandomRange(3, N, self._randfunc)
if temp < N and 1 == GCD(temp, N):
s.append(temp)
break
for i in range(0, self._l):
order = pow(2, self._T + 1)
temp = pow(s[i], order, N)
u.append(temp)
sk = [N, self._T, 0, s]
pk = [N, self._T, u]
return sk, pk
def key_exchange():
p = 0
while number.isPrime(p) == False:
q = number.getPrime(512)
p = 2 * q + 1
g = 2
while pow(g, 2, p) == 1 or pow(g, q, p) == 1:
g = number.getPrime(4)
conn.send(bytes(str(p), 'utf-8'))
print('p = ' + str(p) + '\n')
time.sleep(1)
conn.send(bytes(str(g), 'utf-8'))
print('g = ' + str(g) + '\n')
a = number.getRandomRange(1, p)
A = pow(g, a, p)
conn.send(bytes(str(A), 'utf-8'))
print('A = ' + str(A) + '\n')
m = conn.recv(1024)
B = int(m)
return str(pow(B, a, p))
def negdh_server(s):
sk, A, B = keygen(512)
s.send(str(B))
BBtmp = s.recv(8192)
BB = long(BBtmp)
U = B * BB
Tk = number.getRandomRange(1, (U - 1))
p1 = pow(A, Tk, U)
s.send(str(A) + "X" + str(p1))
P1pk = s.recv(8192)
pkB = long(P1pk.split('X')[1])
p1B = long(P1pk.split('X')[0])
p2 = pow(p1B, Tk, U)
p3 = pow(pkB, sk, p2)
P3 = s.recv(8192)
s.send(str(p3))
p3B = long(P3)
p4 = pow(p3B, sk, p2)
k = number.long_to_bytes(p4)
key = hashlib.sha256(k).digest()
return key
def generate_group_params(bits=1025, nworkers=None, use_threads=False,
progress=None):
""" Generates group parameters for ElGamal. """
# Find a safe prime as modulus. This will take at least several
# seconds on a single core. Thus: we will parallelize.
start_time = time.time()
if nworkers is None:
nworkers = multiprocessing.cpu_count()
l.debug('Searching for a %s bit safe prime p as modulus on %s workers',
bits, nworkers)
safe_prime_density = asymptotic_safe_prime_density / (bits - 1)
if progress:
progress('p', None)
def _progress(n):
progress('p', pol.progressbar.coin(safe_prime_density, n))
else:
_progress = None
p = pol.parallel.parallel_try(_find_safe_prime, (bits,),
initializer=_find_safe_prime_initializer,
progress=_progress, nworkers=nworkers,
use_threads=use_threads)
# Find a safe `g` as generator.
# Algorithm taken from Crypto.PublicKey.ElGamal.generate
# TODO Should we use a generator of a subgroup for performance?
if progress:
progress('g', None)
l.debug('Searching for a suitable generator g')
start_time = time.time()
q = (p - 1) / 2
while True:
g = gmpy.mpz(number.getRandomRange(3, p))
if (pow(g, 2, p) == 1 or pow(g, q, p) == 1 or divmod(p-1, g)[1] == 0):
continue
ginv = gmpy.invert(g, p)
if divmod(p - 1, ginv)[1] == 0:
continue
break
l.debug('Found one in %.2fs', time.time() - start_time)
return group_parameters(p=p, g=g)
def keggen(self):
safe=1
p = self.getbwinteger(self._k/2)
q = self.getbwinteger(self._k/2)
if (p - 1)*(q - 1) < pow(2, self._k - 1):
safe = 0
if p*q >= pow(2, self._k):
safe = 0
if safe == 0:
return None, None
N=p*q
while True:
s = bignum(number.getRandomRange(3, N, self._randfunc))
if 1 == GCD(s, N):
break
order = pow(2, self._l * (self._T + 1))
temp = pow(s, order, N)
u = inverse(temp, N)
sk = [N, self._T, 0, s]
pk = [N, u, self._T]
return sk, pk
def pickGeneratorG(self):
print "Entering pickGenerator"
while True:
a = number.getRandomRange(0, self.N)
if a > self.N:
return None
r0 = number.GCD(a, self.N)
if r0 == 1:
continue
r0 = a - 1
r1 = number.GCD(r0, self.N)
if r1 == 1:
continue
r0 = a + 1
r1 = number.GCD(r0, self.N)
if r1 == 1:
continue
break
g = a**2
print "Exiting pickGenerator"
return g
def DSAGenKey(p, q, y, g):
# Préconditions
if q == None or p == None or g == None or y == None:
raise ValueError("Les paramètres ne sont pas tous renseignés")
if ((p-1) % q) != 0:
raise ValueError("Les paramètres p et q ne sont pas corrects")
if g != pow(y, (p-1)/q, p):
raise ValueError("Les paramètres y et g ne sont pas corrects")
# Traitement
print "Génération d'une paire de clés"
sk = number.getRandomRange(0, q)
pk = pow(g, sk, p)
print "Génération des clés terminée"
return pk, sk
def pickGeneratorG(self): print "Entering pickGenerator" while True: a = number.getRandomRange(0,self.N) if a>self.N: return None r0 = number.GCD(a,self.N) if r0==1: continue r0 = a-1 r1 = number.GCD(r0,self.N) if r1 == 1: continue r0 = a+1 r1 = number.GCD(r0,self.N) if r1 == 1: continue break g = a**2 print "Exiting pickGenerator" return g
def negdh_client(s):
sk, A, B = keygen(512)
P0 = s.recv(8192)
BB = long(P0)
s.send(str(B))
P1pk = s.recv(8192)
pkB = long(P1pk.split('X')[0])
p1B = long(P1pk.split('X')[1])
U = B * BB
Tk = number.getRandomRange(1, (U - 1))
myp1 = pow(pkB, Tk, U)
p1string = str(myp1)
pkstring = str(A)
s.send(p1string + "X" + pkstring)
p2 = pow(p1B, Tk, U)
myp3 = pow(A, sk, p2)
s.send(str(myp3))
P3 = s.recv(8192)
p3 = long(P3)
p4 = pow(p3, sk, p2)
k = number.long_to_bytes(p4)
key = hashlib.sha256(k).digest()
return key
def sign(self, point, prv_key, digest, test=False):
q = self.q
e = bytes_to_long(digest) % q
if e == 0:
e = 1
while True:
if test:
k = 0x77105C9B20BCD3122823C8CF6FCC7B956DE33814E95B7FE64FED924594DCEAB3
else:
k = getRandomRange(1, q)
r, _ = self.scalar_mult(k, point)
r %= q
if r == 0:
continue
s = (prv_key*r + k*e) % q
if s == 0:
continue
break
return long_to_bytes(r) + long_to_bytes(s)
def randQR(N):
return pow(getRandomRange(1, N), 2, N)
def poly_rand(self):
return [number.getRandomRange(0, self.N) for i in range(0, self.order)]
def genPrivKey(prime):
sk = number.getRandomRange(2, prime - 1)
return sk
def genSK(self, p):
s = number.getRandomRange(2, p - 1)
return s
def encrypt(m, pk):
(p, q, g, h) = pk
r = getRandomRange(2, q)
c1 = pow(g, r, p)
c2 = m * pow(h, r, p) % p
return (c1, c2)
def _sign(self, m, k):
blind_factor = getRandomRange(1, self.key.q, self._randfunc)
return self.key._sign(m, k, blind_factor)
def randomingroupstar(self, N):
while True:
r = number.getRandomRange(3, N, self._randfunc)
if 1 == GCD(r, N):
return r
i = 1
while i <= padlen:
if text[-i] != padbyte:
raise Exception
i += 1
def CBC_decrypt(ciphertext, key, iv):
obj2 = AES.new(key, AES.MODE_CBC, iv)
plaintext = obj2.decrypt(ciphertext)
PKCS7pad_validate(plaintext)
return plaintext
list1 = open("strings.txt", 'r').read().split("\n")
plaintext = list1[getRandomRange(0, len(list1))].decode(
"base64") # Attacker doesn't have access to plaintext
print "plaintext being encrypted: ", plaintext
ciphertext = CBC_encrypt(plaintext, key, iv)
print "ciphertext is: ", ciphertext.encode("hex")
master_plaintext = ""
for i in range(16, len(ciphertext), 16):
pt_block = "\x00" * 16
ct_prev = ciphertext[i - 16:i]
for j in range(15, -1, -1):
custom_ctblock = "\x00" * 16
for i1 in range(15, j, -1):
custom_ctblock = custom_ctblock[:i1] + chr(
(16 - j) ^ ord(pt_block[i1])
^ ord(ct_prev[i1])) + custom_ctblock[i1 + 1:]
def _getRandomMult(self):
r = self.p # start while loop
while (r % self.p == 0) or (r % self.q == 0):
r = number.getRandomRange(1, self.n - 1, self._randfunc)
return r
def keygen(size):
A, B = genBase(size)
sk = number.getRandomRange(1, (B - 1))
return sk, A, B
def generate(bits, randfunc, progress_func=None):
"""Randomly generate a fresh, new ElGamal key.
The key will be safe for use for both encryption and signature
(although it should be used for **only one** purpose).
:Parameters:
bits : int
Key length, or size (in bits) of the modulus *p*.
Recommended value is 2048.
randfunc : callable
Random number generation function; it should accept
a single integer N and return a string of random data
N bytes long.
progress_func : callable
Optional function that will be called with a short string
containing the key parameter currently being generated;
it's useful for interactive applications where a user is
waiting for a key to be generated.
:attention: You should always use a cryptographically secure random number generator,
such as the one defined in the ``Crypto.Random`` module; **don't** just use the
current time and the ``random`` module.
:Return: An ElGamal key object (`ElGamalobj`).
"""
obj=ElGamalobj()
# Generate a safe prime p
# See Algorithm 4.86 in Handbook of Applied Cryptography
if progress_func:
progress_func('p\n')
while 1:
q = bignum(getPrime(bits-1, randfunc))
obj.p = 2*q+1
if number.isPrime(obj.p, randfunc=randfunc):
break
# Generate generator g
# See Algorithm 4.80 in Handbook of Applied Cryptography
# Note that the order of the group is n=p-1=2q, where q is prime
if progress_func:
progress_func('g\n')
while 1:
# We must avoid g=2 because of Bleichenbacher's attack described
# in "Generating ElGamal signatures without knowning the secret key",
# 1996
#
obj.g = number.getRandomRange(3, obj.p, randfunc)
safe = 1
if pow(obj.g, 2, obj.p)==1:
safe=0
if safe and pow(obj.g, q, obj.p)==1:
safe=0
# Discard g if it divides p-1 because of the attack described
# in Note 11.67 (iii) in HAC
if safe and divmod(obj.p-1, obj.g)[1]==0:
safe=0
# g^{-1} must not divide p-1 because of Khadir's attack
# described in "Conditions of the generator for forging ElGamal
# signature", 2011
ginv = number.inverse(obj.g, obj.p)
if safe and divmod(obj.p-1, ginv)[1]==0:
safe=0
if safe:
break
# Generate private key x
if progress_func:
progress_func('x\n')
obj.x=number.getRandomRange(2, obj.p-1, randfunc)
# Generate public key y
if progress_func:
progress_func('y\n')
obj.y = pow(obj.g, obj.x, obj.p)
return obj
flag = os.environ.get("FLAG", "0nepoint{GOLDEN SMILE & SILVER TEARS}")
flag = int(flag.encode().hex(), 16)
P = 2**1000 - 1
while not isPrime(P):
P -= 2
p = getPrime(512)
q = getPrime(512)
e = 65537
phi = (p - 1) * (q - 1)
d = inverse(e, phi)
n = p * q
key = getRandomRange(0, n)
ciphertext = pow(flag, e, P) ^ key
x1 = getRandomRange(0, n)
x2 = getRandomRange(0, n)
print("P = {}".format(P))
print("n = {}".format(n))
print("e = {}".format(e))
print("x1 = {}".format(x1))
print("x2 = {}".format(x2))
# pick a random number k and compute v = k**e + (x1|x2)
# if you add x1, you can get key = c1 - k mod n
# elif you add x2, you can get ciphertext = c2 - k mod n
v = int(input("v: "))
def generate(bits, randfunc, progress_func=None):
"""generate(bits:int, randfunc:callable, progress_func:callable)
Generate an ElGamal key of length 'bits', using 'randfunc' to get
random data and 'progress_func', if present, to display
the progress of the key generation.
"""
obj=ElGamalobj()
# Generate a safe prime p
# See Algorithm 4.86 in Handbook of Applied Cryptography
counter = 0
while 1:
if progress_func:
progress_func('p [%d]\r' % counter)
counter += 1
#q = bignum(number.getStrongPrime(bits-1, e=0, false_positive_prob=1e-6, randfunc=randfunc))
q = bignum(number.getPrime(bits-1, randfunc=randfunc))
obj.p = 2*q+1
if number.isPrime(obj.p, randfunc=randfunc):
break
if progress_func:
progress_func('p \n')
counter = 0
# Generate generator g
# See Algorithm 4.80 in Handbook of Applied Cryptography
# Note that the order of the group is n=p-1=2q, where q is prime
while 1:
# We must avoid g=2 because of Bleichenbacher's attack described
# in "Generating ElGamal signatures without knowning the secret key",
# 1996
#
if progress_func:
progress_func('g [%d]\r' % counter)
counter += 1
obj.g = number.getRandomRange(2**196, obj.p, randfunc)
safe = 1
if pow(obj.g, 2, obj.p)==1:
safe=0
if safe and pow(obj.g, q, obj.p)==1:
safe=0
# Discard g if it divides p-1 because of the attack described
# in Note 11.67 (iii) in HAC
if safe and divmod(obj.p-1, obj.g)[1]==0:
safe=0
# g^{-1} must not divide p-1 because of Khadir's attack
# described in "Conditions of the generator for forging ElGamal
# signature", 2011
ginv = number.inverse(obj.g, obj.p)
if safe and divmod(obj.p-1, ginv)[1]==0:
safe=0
if safe:
break
# Generate private key x
if progress_func:
progress_func('g \n')
progress_func('x\n')
obj.x=number.getRandomRange(2**196, obj.p-1, randfunc)
# Generate public key y
if progress_func:
progress_func('y\n')
obj.y = pow(obj.g, obj.x, obj.p)
return obj
#Service Provider
def reconstruct(self, mult, p, *dec):
cipher = 1
for x in dec:
cipher *= x
dec = pow(cipher, p - 2, p)
result = (dec * mult[1]) % p
return result
#
# message1 = 100
# message2 = 10
#
p = number.getPrime(160, Random.new().read)
g = number.getRandomRange(3, p - 1)
node1 = Node()
sk1 = node1.genSK(p)
pk1 = node1.genPK(p, g, sk1)
node2 = Node()
sk2 = node2.genSK(p)
pk2 = node2.genPK(p, g, sk2)
print pk1, pk2
owner1 = Owner()
owner2 = Owner()
message1 = 12
def commit(m):
r = number.getRandomRange(1, p - 1)
c = g**m * h**r
return (c, r)
def _sign(self, m, k):
blind_factor = getRandomRange(1, self.key.q, self._randfunc)
return self.key._sign(m, k, blind_factor)
def generate(cls,bits):
p = getPrime(bits//2)
q = getPrime(bits//2+ bits%2)
g = getRandomRange(0, (p*q)**2)
n = p * q
return cls((n,g,p,q))
def reconstruct(ctxt, prime, partMsg):
cipher = 1
for x in partMsg:
cipher *= x
partMsg = pow(cipher, prime - 2, prime)
msg = (partMsg * ctxt[1]) % prime
return msg
#### Parameter
security = 80
shares = 5
msg1, msg2 = number.getRandomRange(1, 100), number.getRandomRange(1, 100)
#### Key Generation
prime, generator = genParameter(security)
sk, pk = [], []
for i in range(shares):
sk.append(genPrivKey(prime))
pk.append(genPubKey(prime, generator, sk[i]))
#### Encryption
ctxt1, ctxt2 = enc(prime, generator, msg1, pk), enc(prime, generator, msg2, pk)
#### Decryption
partMsg1, partMsg2 = [], []
class Curve(object):
eliptic_function = staticmethod(lambda a, b, x, p: (pow(x, 3, p) +
(a * x) % p + b) % p)
getRandom = staticmethod(lambda p: number.getRandomRange(0, p - 1))
def __init__(self, init_prime_size=256):
self.init_prime_size = init_prime_size
self.a = 0
self.b = 0
self.p = 0
self.exampleX = 0
self.exampleY = 0
self.generate_function()
def generate_ec_xy_example(self):
x = self.getRandom(self.p)
y = pow(self.eliptic_function(self.a, self.b, x, self.p),
(self.p + 1) // 4, self.p)
if self.contains_point(x, y):
return x, y
else:
return self.generate_ec_xy_example()
def generate_function(self):
p = number.getPrime(self.init_prime_size)
self.p = p
if p % 4 != 3:
# print('p nie przytaje do 3 mod 4')
return self.generate_function()
a = self.getRandom(p)
b = self.getRandom(p)
self.a = a
self.b = b
x = self.getRandom(p)
delta = lambda a, b: ((4 * pow(a, 3, p)) % p +
(27 * pow(b, 2, p)) % p) % p
if delta(a, b) == 0:
print('delta == 0')
return self.generate_function()
if 1 != pow(self.eliptic_function(a, b, x, p), (p - 1) // 2, p):
# print('f nie jest reszta kwadratowa p')
return self.generate_function()
y = pow(self.eliptic_function(a, b, x, p), (p + 1) // 4, p)
if self.isQuatraticResidue(x) == False:
print('This is not quadratic residue')
return self.generate_function()
if self.contains_point(x, y):
self.a = a
self.b = b
self.p = p
self.exampleX = x
self.exampleY = y
else:
return self.generate_function()
def getCurveValue(self, x):
return (pow(x, 3, self.p) + (self.a * x) + self.b) % self.p
def isQuatraticResidue(self, x):
return pow(self.getCurveValue(x), (self.p - 1) // 2, self.p) == 1
def contains_point(self, *args, **kwargs):
if len(args) == 1 and isinstance(args[0], Point):
return self.__check_point(args[0].x, args[0].y)
elif len(args) == 0 and isinstance(kwargs.get('point', None), Point):
return self.__check_point(
kwargs.get('point').x,
kwargs.get('point').y)
elif len(args) == 2:
return self.__check_point(args[0], args[1])
elif kwargs.get('x', None) and kwargs.get('y', None):
return self.__check_point(kwargs['x'], kwargs['y'])
else:
raise BaseException('bad args')
def __check_point(self, x, y):
"""Is the point (x,y) on this curve?"""
return (y * y -
self.eliptic_function(self.a, self.b, x, self.p)) % self.p == 0
def __str__(self):
return f"Curve(\n\tp={self.p},\n\ta={self.a},\n\tb={self.b}\n)"
def genParameter(security):
prime = number.getPrime(2 * security)
generator = number.getRandomRange(1, prime - 1)
return prime, generator
def randomingroup(self, N):
while True:
r = bignum(number.getRandomRange(3, N, self._randfunc))
if 1 == GCD(r, N):
return r
f = open('little_secret', 'rb')
p = int(f.readline())
q = int(f.readline())
# N = p * q
N = int(f.readline())
# d = lcm(p-1, q-1)
d = int(f.readline())
# u = inverse_mod(d, N)
u = int(f.readline())
N2 = N * N
g = 1
while pow(g, d // 2, N) == 1:
g = getRandomRange(0, N)
ppub = paillier.PaillierPublicKey(n=N)
ppri = paillier.PaillierPrivateKey(ppub, p, q)
FLAG1 = f.readline().strip()
FLAG2 = f.readline().strip()
assert len(FLAG2) < 24
FLAG2 = FLAG2 + os.urandom(31 - len(FLAG2))
FLAG2 = int.from_bytes(FLAG2, 'little')
# FLAG2 -= 2
f.close()
def aesenc(m):
aes = AES.new(aeskey, AES.MODE_CBC, aesiv)
def randQR(N):
return pow(getRandomRange(1, N), 2, N)
def generate(bits, randfunc, progress_func=None):
"""Randomly generate a fresh, new ElGamal key.
The key will be safe for use for both encryption and signature
(although it should be used for **only one** purpose).
:Parameters:
bits : int
Key length, or size (in bits) of the modulus *p*.
Recommended value is 2048.
randfunc : callable
Random number generation function; it should accept
a single integer N and return a string of random data
N bytes long.
progress_func : callable
Optional function that will be called with a short string
containing the key parameter currently being generated;
it's useful for interactive applications where a user is
waiting for a key to be generated.
:attention: You should always use a cryptographically secure random number generator,
such as the one defined in the ``Crypto.Random`` module; **don't** just use the
current time and the ``random`` module.
:Return: An ElGamal key object (`ElGamalobj`).
"""
obj = ElGamalobj()
# Generate a safe prime p
# See Algorithm 4.86 in Handbook of Applied Cryptography
if progress_func:
progress_func('p\n')
while 1:
q = bignum(getPrime(bits - 1, randfunc))
obj.p = 2 * q + 1
if number.isPrime(obj.p, randfunc=randfunc):
break
# Generate generator g
# See Algorithm 4.80 in Handbook of Applied Cryptography
# Note that the order of the group is n=p-1=2q, where q is prime
if progress_func:
progress_func('g\n')
while 1:
# We must avoid g=2 because of Bleichenbacher's attack described
# in "Generating ElGamal signatures without knowning the secret key",
# 1996
#
obj.g = number.getRandomRange(3, obj.p, randfunc)
safe = 1
if pow(obj.g, 2, obj.p) == 1:
safe = 0
if safe and pow(obj.g, q, obj.p) == 1:
safe = 0
# Discard g if it divides p-1 because of the attack described
# in Note 11.67 (iii) in HAC
if safe and divmod(obj.p - 1, obj.g)[1] == 0:
safe = 0
# g^{-1} must not divide p-1 because of Khadir's attack
# described in "Conditions of the generator for forging ElGamal
# signature", 2011
ginv = number.inverse(obj.g, obj.p)
if safe and divmod(obj.p - 1, ginv)[1] == 0:
safe = 0
if safe:
break
# Generate private key x
if progress_func:
progress_func('x\n')
obj.x = number.getRandomRange(2, obj.p - 1, randfunc)
# Generate public key y
if progress_func:
progress_func('y\n')
obj.y = pow(obj.g, obj.x, obj.p)
return obj
def gen_KM(n, q):
xy = getRandomRange(0, n)
print(xy)
KM = (q**xy) % n
return xy, KM
#!/usr/bin/python3 -u
from hashlib import sha256
from Crypto.PublicKey import DSA
from Crypto.Util.number import getRandomRange, long_to_bytes
DSAkey = DSA.generate(1024)
q = DSAkey.q
k0 = 1
while pow(k0, (q - 1) // 2, q) != q - 1:
k0 = getRandomRange(1, q)
with open('/home/challenge/flag.txt') as f:
FLAG = f.read().strip()
MSG = b'GIMME THE FLAG !!!!!!!'
MSG = int.from_bytes(MSG, 'little') % q
def digest(s):
return sha256(long_to_bytes(s)).digest()
def sign(s):
k = pow(k0, s, q)
return DSAkey.sign(digest(s), k)
def main():
print(f'[+] p: {DSAkey.p}')
A, B = genBase(size)
sk = number.getRandomRange(1, (B - 1))
return sk, A, B
size = 16
print "Generating Alice and Bob's keys"
skA, pkA, nA = keygen(size)
skB, pkB, nB = keygen(size)
U = nA * nB
print "Alice keys"
print skA, pkA, nA
print "Bob keys"
print skB, pkB, nB
print "Generating ephemeral public keys"
TkA = number.getRandomRange(1, (U - 1))
TkB = number.getRandomRange(1, (U - 1))
p1 = pow(pkA, TkA, U)
p1B = pow(pkA, TkB, U)
if number.isPrime(p1):
print "Prime"
else:
print "Not"
print p1, p1B
p2 = pow(p1B, TkA, U)
p2B = pow(p1, TkB, U)
if number.isPrime(p2):
print "Prime"
else:
print "Not"
print p2, p2B
