def generate_random_point(p):
while True:
a, x, y = (randrange(0, p) for _ in range(3))
b = (pow(y, 2, p) - pow(x, 3, p) - a * x) % p
if (4 * pow(a, 3, p) + 27 * pow(b, 2, p)) % p != 0:
break
return Curve(None, p, a, b, None, x, y).G
def __init__(self):
a, b, p, o, G, Go = random.choice(PRECOMPUTED_CURVES)
self._a = a
self._b = b
self._p = p
self.curve = Curve('generic curve', p, a, b, Go, G[0], G[1])
self.curve_order = o
self.generator_order = Go
self.generator = self.curve.G
self.priv = self.gen_private_key()
self.pub = self.generator * self.priv
def elliptic_hash(msg: bytes, CURVE: Curve):
p = CURVE.p
i = 0
while True:
i += 1
prefixed_msg = str(i).encode() + msg
h = sha256(prefixed_msg).hexdigest()
x = int(h, 16)
if x >= p:
continue
y_sq = (x ** 3 + CURVE.a * x + CURVE.b) % p
y = mod_sqrt(y_sq, p)[0]
if CURVE.is_point_on_curve((x, y)):
b = int(md5(prefixed_msg).hexdigest(), 16) % 2
return Point(x, y, CURVE) if b else Point(x, p - y, CURVE)
def encrypt(msg):
name = 'curve'.encode('utf-8')
p, a, b, q, gx, gy, aux = 241, 173, 41, 256, 53, 192, ''
curve = Curve(name, p, a, b, q, gx, gy)
G = Point(gx, gy, curve=curve)
for c in msg:
aux += c2p(c, G)
B = enmat(aux, 3)
S = list(range(1, 6))
random.shuffle(S)
for i in range(5):
B = dict_traversal[S[i]](B)
C = circulant([0 for i in range(len(B) - 1)] + [1])
a, l = [random.randint(2, len(B)) for _ in '01']
CL = pow_matrix(C, l)
CAL = pow_matrix(CL, a)
enc = (CL[0], multiply(B, CAL))
return enc
def gen():
while True:
p = getStrongPrime(512)
if p % 4 == 3:
break
while True:
q = getStrongPrime(512)
if q % 4 == 3:
break
n = p * q
a = randrange(n)
b = randrange(n)
while True:
x = randrange(n)
y2 = (x**3 + a * x + b) % n
assert y2 % n == (x**3 + a * x + b) % n
if pow(y2, (p - 1) // 2, p) == 1 and pow(y2, (q - 1) // 2, q) == 1:
yp, yq = pow(y2, (p + 1) // 4, p), pow(y2, (q + 1) // 4, q)
_, s, t = xgcd(p, q)
y = (s * p * yq + t * q * yp) % n
break
return Curve(None, n, a, b, None, x, y)
from fastecdsa.curve import Curve
from fastecdsa.point import Point
from starkware.crypto.signature import (
ALPHA, BETA, CONSTANT_POINTS, EC_ORDER, FIELD_PRIME, N_ELEMENT_BITS_HASH, SHIFT_POINT)
curve = Curve(
'Curve0',
FIELD_PRIME,
ALPHA,
BETA,
EC_ORDER,
*SHIFT_POINT)
LOW_PART_BITS = 248
LOW_PART_MASK = 2**248 - 1
HASH_SHIFT_POINT = Point(*SHIFT_POINT, curve=curve)
P_0 = Point(*CONSTANT_POINTS[2], curve=curve)
P_1 = Point(*CONSTANT_POINTS[2 + LOW_PART_BITS], curve=curve)
P_2 = Point(*CONSTANT_POINTS[2 + N_ELEMENT_BITS_HASH], curve=curve)
P_3 = Point(*CONSTANT_POINTS[2 + N_ELEMENT_BITS_HASH + LOW_PART_BITS], curve=curve)
def process_single_element(element: bytes, p1, p2) -> Point:
assert len(element) == 32, 'Unexpected element length'
val = int.from_bytes(element, 'big', signed=False)
assert val < EC_ORDER, 'Element int value >= EC_ORDER'
high_nibble = val >> LOW_PART_BITS
low_part = val & LOW_PART_MASK
#!/usr/bin/env python3
from fastecdsa.curve import Curve
from fastecdsa.point import Point
from string import printable
import math, random
from config import enc
from itertools import permutations
name = 'curve'.encode('utf-8')
p, a, b, q, gx, gy, aux = 241, 173, 41, 256, 53, 192, ''
curve = Curve(name, p, a, b, q, gx, gy)
G = Point(gx, gy, curve=curve)
TEN = True
def c2p(c):
C = ord(c) * G
return bin(C.x)[2:].zfill(8) + bin(C.y)[2:].zfill(8)
def p2c(C):
x = int(C[:8], 2)
y = int(C[8:], 2)
for i in range(256):
c = chr(i)
temp = c2p(c)
tempx = int(temp[:8], 2)
tempy = int(temp[8:], 2)
if tempx == x and tempy == y:
return c
s_inv = modinv(s, C.q)
u = h * s_inv % C.q
v = r * s_inv % C.q
P = u * C.G + v * Q
return r == P.x
if __name__ == "__main__":
#sk = int(open("sk.txt", "r").read())
sk = 54989754048227462611102989128045902162485610361467521385775315607843320555920791685002430018879566596375253771775903449820104290331781361533849382269525
C = Curve(
"ANSSIFRP256v1",
0xF1FD178C0B3AD58F10126DE8CE42435B3961ADBCABC8CA6DE8FCF353D86E9C03, # p
0xF1FD178C0B3AD58F10126DE8CE42435B3961ADBCABC8CA6DE8FCF353D86E9C00, # a
0xEE353FCA5428A9300D4ABA754A44C00FDFEC0C9AE4B1A1803075ED967B7BB73F, # b
0xF1FD178C0B3AD58F10126DE8CE42435B53DC67E140D2BF941FFDD459C6D655E1, # q (order)
0xB6B3D4C356C139EB31183D4749D423958C27D2DCAF98B70164C97A2DD98F5CFF, # G.x
0x6142E0F7C8B204911F9271F0F3ECEF8C2701C307E8E4C9E183115A1554062CFB # G.y
)
print("=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=")
print("=-= ECC-Based Secure Flag Storage =-=")
print("=-= (under development) =-=")
print("=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=")
Q = sk * C.G
print("Public Point Q:")
print(" Q.x: 0x{:064x}".format(Q.x))
print(" Q.y: 0x{:064x}".format(Q.y))
#!/usr/bin/env python
from fastecdsa.curve import Curve
from fastecdsa.point import Point
from Crypto.Util.number import *
from secret import EC_params, flag, Q
p, a, b, q, Px, Py = EC_params
C = Curve('halloween', p, a, b, q, Px, Py)
P = Point(Px, Py, curve=C)
P1 = Point(p + 1, 467996041489418065436268622304855825266338280723, curve=C)
P2 = Point(p - 1, 373126988100715326072483107245781156204485119489, curve=C)
P3 = Point(p + 3, 245091091146774561796627894715885724307214901148, curve=C)
assert ((9 << 8 >> 4 << 9 << 12 << 6 >> 9 >> 2 << 5 >> 3 >> 4 >> 8 << 12 >> 1
>> 5 >> 7 << 13 >> 12 >> 12) * P).x == Q.x
assert bytes_to_long(flag) == P.x
assert ((-1) * Q).y == 621803439821606291947646422656643138592770518069
if g != 1:
raise Exception('modular inverse does not exist')
else:
return x % m
def partition(point):
return point.x % n_of_set
curve32 = Curve(
'32bits', # (str): The name of the curve
long(4000001039), # (long): The value of p in the curve equation.
long(1745322301), # (long): The value of a in the curve equation.
long(130575212), # (long): The value of b in the curve equation.
long(3999907399), # (long): The order of the base point of the curve.
long(2951351449
), # (long): The x coordinate of the base point of the curve.
long(2085375757
), # (long): The y coordinate of the base point of the curve.
#oid # (str): The object identifier of the curve (optional).
)
curve36 = Curve(
'36bits', # (str): The name of the curve
long(50000001637), # (long): The value of p in the curve equation.
long(10730991330), # (long): The value of a in the curve equation.
long(10461429567), # (long): The value of b in the curve equation.
long(49999749391), # (long): The order of the base point of the curve.
long(39948220728
), # (long): The x coordinate of the base point of the curve.
long(46724792678
from fastecdsa.point import Point
import labmath
qx = 0xa3907079bb6c33bbbe9478e8c6d1e5812563b5d8e13d754d6c74fdedbd9456c8
qy = 0x8c5b704a4453ba857d37b0b40ada22763e1d54148c31194c7b52260766df3a61
xx = 0xa3907079bb6c33bbbe9478e8c6d1e5812563b5d8e13d754d6c74fdedbd9456c8
yy = 0x8c5b704a4453ba857d37b0b40ada22763e1d54148c31194c7b52260766df3a61
msb_of_r1 = '0x49bfb7c67d0d1c7a0b1151d56d3a9c4a8d7550b15e0cd4265ad7bfaa3549'
lsb_of_r2 = '0x7078'
p = 0xc57d3e540e595f1304bf81dcdc471a1e4b8614472c5820f951f483c04d0c3d79
a = -3
b = 88217653075733538010802362020423294317799277142495418239747303142947508953346
curv = Curve('curva', p, a, b, None, xx, yy)
curve = curv.G
# 3179547229186215041788349730328093574817817367684014147655936757452044075920
distance = pow(7, 64, p)
ys = []
xs = []
for i in range(0x10000):
s = msb_of_r1 + str(hex(i))[2:]
y_squared = curv.evaluate(int(s, 16))
y = labmath.sqrtmod_prime(y_squared, p)
point = (int(s, 16), y)
if curv.is_point_on_curve(point):
point = Point(int(s, 16), y, curve=curv)
def ascii2pem(data, cmd='x509'):
return check_output(["openssl", cmd, "-inform", "der"], input=ascii2der(data))
def pem2ascii(data):
return der2ascii(check_output(["openssl", "x509", "-outform", "der"], input=data))
# extracted from "Microsoft EV ECC Root Certificate Authority 2017"
x = 0x34ddf9d700abe1262a5f9a368bb0bcc9c00573ccd5d621cbf657fccfb58bbde634af20b13d49aac5675582e1ed30dd6b
y = 0xed45cb7c2da1acae971f3f7660517facca8bffa59b41e5d34af225d501dbfdfb6c4ec996a3ddf753342b771e3156c2bf
Q = Point(x, y, curve=P384)
# src: https://crypto.stackexchange.com/questions/8925
secret_x = 1337
k = gmpy2.invert(secret_x, P384.q)
G = k * Q
assert secret_x * G == Q
F384 = Curve('F-384', P384.p, P384.a, P384.b, P384.q, G.x, G.y)
print('Modified generator:')
print('04%096x%096x' % (G.x, G.y))
print('Serializing root.txt and self-sign root certificate')
data = open('/app/templates/root.txt', 'rb').read()
msg = ascii2der(data[10:data.index(SIG_PREFIX)])
r, s = ecdsa.sign(msg, secret_x, curve=F384, hashfunc=hashlib.sha256)
data = data % (r, s)
ascii2f('ca/root.pem', data)
print('Serializing root private key')
data = open('/app/templates/root-key.txt', 'rb').read()
data = data % (secret_x, G.x, G.y, Q.x, Q.y)
ascii2f('ca/root-key.pem', data, 'ec')
from fastecdsa.curve import Curve
from fastecdsa.point import Point
from Crypto.Util.number import getPrime
from Crypto.Random.random import randrange
BITS = 80
while True:
p = getPrime(BITS)
if p % 4 == 3:
break
a, b = randrange(1, p), randrange(1, p)
C = Curve("FCSC", p, a, b, 0, 0, 0)
while True:
xP = randrange(1, p)
yP = (xP ** 3 + a * xP + b) % p
if pow(yP, (p - 1) // 2, p) == 1:
break
yP = pow(yP, (p + 1) // 4, p)
assert (xP ** 3 + a * xP + b - yP ** 2) % p == 0
P = Point(xP, yP, C)
Q = 2 * P
print("Can you find my secret curve equation: y^2 = x^3 + a*x + b (mod p)?")
print("I will give you two points:")
print(f"P = ({P.x}, {P.y})")
print(f"Q = ({Q.x}, {Q.y})")
from fastecdsa.curve import Curve
from fastecdsa.point import Point
# region Params
BITS = 56
INPUTSIZE = 1024
a = 1
b = 0
p = 3009944491747103173592552029257669572283120430367
order = 3009944491747103173592552029257669572283120430368
gx = 2900641855339024752663919275085178630626065454884
gy = 1803317565451817334919844936679231131166218238368
curve = Curve("Super Secure Elliptic Curve", p, a, b, order, gx, gy)
P = Point(gx, gy, curve)
# endregion Params
# region Communication utils
def intToBytes(number):
return number.to_bytes(24, byteorder='big')
def bytesToInt(b):
return int.from_bytes(b, byteorder='big')
from fastecdsa.curve import Curve
from fastecdsa.point import Point
from pygost.gost34112012 import GOST34112012
from app.crypto import gen_random_from_scalar_field, create_point, square_root_3_mod_4, square_root_exists
from binascii import hexlify
from app.helper import long_to_bytes
a = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFD94
b = 166
p = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFD97
q = 0xffffffffffffffffffffffffffffffff6c611070995ad10045841b09b761b893
x_base = 1
y_base = 0x8D91E471E0989CDA27DF505A453F2B7635294F2DDF23E3B122ACC99C9E9F1E14
curve = Curve('GOST3210-2001', p, a, b, q, x_base, y_base)
base = Point(x_base, y_base, curve)
point_at_infinity = base - base
def gost_point_validate(P):
try:
Point(P[0], P[1], curve)
return True
except:
return False
def l2bLE(coord):
res = (long_to_bytes(coord, 'little', 64))
return res