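def get_state(p):
    """
    given the prng p, read one output and recover the x coordinate
    of the generator's current internal point.

    The output is lifted back onto the curve p.P.curve by solving
    y^2 = x^3 + a*x + b at x = out, and the lifted point is multiplied
    by the demo's hard-coded backdoor scalar e (3 here; see the
    __init__ of the guesser for the note that it would have to be
    pre-computed). The two lifted points are additive inverses of one
    another and therefore share an x coordinate, so only the first
    square root is walked and that shared x coordinate is returned
    (as an int via .n).

    Raises whatever tonelli_shanks raises when the right-hand side is
    not a quadratic residue (presumably: out is not the x coordinate
    of any curve point).
    """
    out = p.get_num()
    F = p.P.x.field
    C = p.P.curve
    e = F(3)  #backdoor!
    prime = p.P.x.p
    # right-hand side of the curve equation, evaluated at x = out
    val = out * out * out + C.a * out + C.b
    roots = tonelli_shanks(val.n, prime)
    # both roots give points that are negatives of each other, so the
    # x coordinate after the scalar multiplication is the same either
    # way; one multiplication is enough
    T = Point(C, F(out), F(roots[0]))
    return (e.n * T).x.n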
def get_state(p):
    """
    pull one output from the prng p and walk it back to the
    x coordinate of the generator's current internal point.

    Both square roots of x^3 + a*x + b at x = out are taken, giving
    two points on p.P.curve; each is multiplied by the demo's
    hard-coded backdoor scalar (3). The two candidates are negatives
    of each other and so share an x coordinate, which is returned
    as an int.
    """
    output = p.get_num()
    field = p.P.x.field
    curve = p.P.curve
    modulus = p.P.x.p
    backdoor = field(3) #backdoor!
    rhs = output*output*output + curve.a * output + curve.b
    roots = tonelli_shanks(rhs.n, modulus)
    lifted = [Point(curve, field(output), field(root)) for root in roots]
    candidates = [(backdoor.n*pt).x.n for pt in lifted]
    # the lifted points are additive inverses, so both candidate
    # states carry the same x coordinate; return the first
    return candidates[0]
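    def __init__(self, out):
        """
        given the initial output, init the guesser with one candidate
        prng per internal state consistent with that output, so we can
        guess all remaining outputs.

        The demo works over y^2 = x^3 + x + 1 mod 331337. ``out``
        supplies the low 15 bits of a candidate x coordinate; the four
        bits above it are enumerated (0..15), every candidate x that
        lifts onto the curve is multiplied by the hard-coded backdoor
        scalar e, and the resulting x coordinate seeds a fresh prng.

        Attributes set:
            candidates: list of prng instances, one per surviving
                curve point (two per lifted x, since both square
                roots give a point).

        Progress is printed to stdout as in the original demo.
        """
        prime = 331337
        F = FiniteField(prime, 1)
        C = EllipticCurve(a=F(1), b=F(1))
        e = F(3)  #backdoor! we'd have to pre-compute this
        # 331337 < 2^19, so an x coordinate fits in 19 bits: the low 15
        # come from the observed output, the top 4 are enumerated here
        # (presumably the generator truncates to 15 bits -- confirm
        # against the prng class)
        xs = [(i << 15) | out for i in range(16)]
        print("xs:", xs)
        vals = [x * x * x + C.a * x + C.b for x in xs]
        print("vals:", vals)
        print(time.time(), ":", "finding roots...")
        # at this point, *some* vals won't be quadratic
        # residues, thus invalid points. But, we must
        # associate each possible preimage with its root
        coords = []  # list of tuples (x,y)
        for x, val in zip(xs, vals):
            try:
                t = tonelli_shanks(val.n, prime)
            except Exception:
                # not quadratic residue: no curve point has this x.
                # NOTE(review): the helper's exception type is not
                # visible here, hence the broad catch
                continue
            # both roots (presumably r and p-r) give a valid point
            coords.append((x, t[0]))
            coords.append((x, t[1]))

        print("coords:", coords)
        print(time.time(), ":", "making points...")
        points = [Point(C, F(c[0]), F(c[1])) for c in coords]
        print(time.time(), ":", "recovering states...")
        # scalar-multiply by the backdoor value and keep the x coordinate
        states = [(e.n * T).x.n for T in points]
        print("states:", states)
        print(time.time(), ":", "generating candidates...")
        self.candidates = [prng(seed=s) for s in states]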
    def __init__(self, out):
        """
        seed one candidate prng for every internal state that is
        consistent with the observed first output ``out``.

        The curve is y^2 = x^3 + x + 1 over the field mod 331337.
        ``out`` is treated as the low 15 bits of an x coordinate and
        the four bits above it are enumerated; each candidate x that
        has a square root on the curve is lifted to two points, each
        point is multiplied by the hard-coded backdoor scalar, and the
        x coordinate that results seeds a prng. The prngs end up in
        ``self.candidates``. Progress is printed to stdout.
        """
        modulus = 331337
        field = FiniteField(modulus, 1)
        curve = EllipticCurve(a=field(1), b=field(1))
        backdoor = field(3) #backdoor! we'd have to pre-compute this
        candidate_xs = [(high << 15) | out for high in range(16)]
        print("xs:", candidate_xs)
        rhs_values = [x*x*x + curve.a * x + curve.b for x in candidate_xs]
        print("vals:", rhs_values)
        print(time.time(), ":", "finding roots...")
        # some right-hand sides are non-residues, so the root lookup
        # fails for them; those x values contribute no (x, y) pairs,
        # while every residue contributes one pair per root
        coords = []
        for x, rhs in zip(candidate_xs, rhs_values):
            try:
                roots = tonelli_shanks(rhs.n, modulus)
                coords.append((x, roots[0]))
                coords.append((x, roots[1]))
            except Exception:
                # not a quadratic residue
                pass

        print("coords:", coords)
        print(time.time(), ":", "making points...")
        lifted = [Point(curve, field(x), field(y)) for x, y in coords]
        print(time.time(), ":", "recovering states...")
        recovered = [(backdoor.n*pt).x.n for pt in lifted]
        print("states:", recovered)
        print(time.time(), ":", "generating candidates...")
        self.candidates = [prng(seed=state) for state in recovered]