def kasumi(arr, encrypt=True):
if len(arr) > 8:
raise ValueError("Error: Kasumi takes 64 bits as 8 bytes array in input")
config.WATCH_KASUMI_NUMBER += 1
exTime = time.time()
arr = bm.splitBytes(arr, 4)
left = arr[0]
right = arr[1]
for i in range(0, 8):
if not encrypt:
i = 7 - i
KO = [config.KO1[i], config.KO2[i], config.KO3[i]]
KI = [config.KI1[i], config.KI2[i], config.KI3[i]]
KL = [config.KL1[i], config.KL2[i]]
lp = left
if i % 2 == 0:
left = FL(KL, FO(KO, KI, left))
else:
left = FO(KO, KI, FL(KL, left))
left = bm.b_op(left, right, "XOR")
right = lp
config.WATCH_GLOBAL_KASUMI += time.time() - exTime
return right + left
def run(data, inFile="", encrypt=False, method=3, aad="", key=config.KEY):
"""
Run encryption of decryption.
data: file name with extension
encrypt: False to decrypte
method: Block cyphering method
"""
from threading import Thread
if len(data) > 100000:
thread = Thread(target=watch)
thread.daemon = True
config.WATCH_EXEC_STATUS = True
thread.start()
# Keys initialisation
kasu.set_key(key)
if len(data) > 0:
splitted = bm.splitBytes(data)
ciphered = cipher(splitted, method, encrypt, aad)
return bm.codeOut(ciphered, encrypt, inFile)
def encrypt(M: bytes, publicKey, saving: bool = False):
"""
Encrypt a message M to make him sendable.
"""
assert isinstance(M, bytes)
n, e = publicKey
def process(m):
return ut.square_and_multiply(m, e, n)
# First, turn M into int
Mint = bm.bytes_to_int(M)
if Mint < n:
# That's a short message
m = Mint
e = process(m)
else:
# M is a longer message, so it's divided into blocks
size = (it.getKeySize(publicKey) // 8) - 1
e = [process(bm.bytes_to_int(elt)) for elt in bm.splitBytes(M, size)]
if saving:
e = it.writeKeytoFile(e, "encrypted", config.DIRECTORY_PROCESSING, ".kat")
return e
def FI(b1, pKI):
b1 = bm.circularRotation(b1, 1, 2)
z = bm.splitBytes(pKI, 1)
subZ1 = S1[int.from_bytes(z[0], "big")].to_bytes(1, "big")
subZ2 = S2[int.from_bytes(z[1], "big")].to_bytes(1, "big")
return bm.b_op(b1, subZ1 + subZ2, "XOR")
def set_key(km=config.KEY):
"""Kasumi's keyscheduler."""
# Chosen as a "nothing up my sleeve" number
nums = b"\x124Vx\x9a\xbc\xde\xff\xed\xcb\xa9\x87eC!\x00"
# Additionally a modified key K', similarly divided into 16-bit sub keys K'i, is used.
kp = bm.b_op(km, nums, "XOR")
# The 128-bit key K is divided into eight 16-bit sub keys Ki
skm, skp = bm.splitBytes(km, 2), bm.splitBytes(kp, 2)
config.KL1 = [bytearray(bm.circularRotation(skm[x], 0, 1)) for x in range(0, 8)]
config.KL2 = [skp[(x + 2) % 8] for x in range(0, 8)]
config.KO1 = [bytearray(bm.circularRotation(skm[(x + 1) % 8], 0, 5)) for x in range(0, 8)]
config.KO2 = [bytearray(bm.circularRotation(skm[(x + 5) % 8], 0, 8)) for x in range(0, 8)]
config.KO3 = [bytearray(bm.circularRotation(skm[(x + 6) % 8], 0, 13)) for x in range(0, 8)]
config.KI1 = [skp[(x + 4) % 8] for x in range(0, 8)]
config.KI2 = [skp[(x + 3) % 8] for x in range(0, 8)]
config.KI3 = [skp[(x + 7) % 8] for x in range(0, 8)]
# SBoxes initialization considering the given master key !
initRC4(km)
def FO(pKO, pKI, arr):
if len(arr) != 4:
raise ValueError("FO takes 32 bits as 4 bytes array in input")
arr = bm.splitBytes(arr, 2)
left = arr[0]
right = arr[1]
for i in range(0, 3):
left = right
right = bm.b_op(right, FI(bm.b_op(left, pKO[i], "XOR"), pKI[i]), "XOR")
return left + right
def FL(pKL, arr):
if len(arr) != 4:
raise ValueError("FL takes 32 bits as 4 bytes array in input")
arr = bm.splitBytes(arr, 2)
left = arr[0]
right = arr[1]
rp = bm.b_op(bm.circularRotation(bm.b_op(left, pKL[0], "AND"), 0, 1), right, "XOR")
lp = bm.b_op(bm.circularRotation(bm.b_op(rp, pKL[1], "OR"), 0, 1), left, "XOR")
# Inverted in Galois Field
lp = invertGalois2(lp)
rp = invertGalois2(rp)
return lp + rp
def sponge(N: bytearray, d: int):
"""
Sponge construction for hash functions.
N: Thing to hash \n
d: size of hash wanted \n
return bytearray
"""
def pad(N, r):
iN = bm.bytes_to_int(N)
lN = int.bit_length(iN)
# Number of 0 to add
b = (r - ((lN + 3) % r)) % r
# Padding using the SHA-3 pattern 10*1: a 1 bit, followed by zero or more 0 bits (maximum r − 1) and a final 1 bit.
op = ((iN | (1 << b + lN + 1)) << 1) ^ 1
return bm.mult_to_bytes(op)
r = 8
d = int(d / 8)
blocks = bm.splitBytes(pad(N, r * 8), r)
S = bytearray(16)
# Absorbing
for block in blocks:
S[:r] = bm.b_op(S[:r], block)
S = md5(S)
O = bytearray()
# Squeezing
while len(O) < d:
O += S[:r]
S = md5(S)
# Truncating with the desired length
return O[:d]
def encrypt(M: bytes, publicKey, saving: bool = False):
assert isinstance(M, (bytes, bytearray))
p, g, h = publicKey
def process(m):
y = rd.randrange(1, p - 1)
# shared secret -> g^xy
c1 = ut.square_and_multiply(g, y, p)
s = ut.square_and_multiply(h, y, p)
c2 = (m * s) % p
return (c1, c2)
Mint = bm.bytes_to_int(M)
if Mint < p:
# That's a short message
m = Mint
e = process(m)
else:
# M is a longer message, so it's divided into blocks
# You need to choose a different y for each block to prevent
# from Eve's attacks.
size = (it.getKeySize(publicKey) // 8) - 1
e = [process(bm.bytes_to_int(elt)) for elt in bm.splitBytes(M, size)]
if saving:
e = it.writeKeytoFile(e, "encrypted", config.DIRECTORY_PROCESSING,
".kat")
return e
def md5(block):
"""
Return md5 hash
block: bytearray of data to hash
"""
import math
# Done using the Wikipedia algorithm
def iToB(i):
return int.to_bytes(i, 4, "little")
def p32(a, b):
return (a + b) % (1 << 32)
s = [
7,
12,
17,
22,
7,
12,
17,
22,
7,
12,
17,
22,
7,
12,
17,
22,
5,
9,
14,
20,
5,
9,
14,
20,
5,
9,
14,
20,
5,
9,
14,
20,
4,
11,
16,
23,
4,
11,
16,
23,
4,
11,
16,
23,
4,
11,
16,
23,
6,
10,
15,
21,
6,
10,
15,
21,
6,
10,
15,
21,
6,
10,
15,
21,
]
K = []
for i in range(64):
K.append((math.floor(2 ** 32 * abs(math.sin(i + 1)))) % (1 << 32))
iN = bm.bytes_to_int(block)
lN = len(block) * 8
# Number of 0 to add
b = 512 - ((lN + 1) % 512)
lN = int.from_bytes(lN.to_bytes(8, byteorder="little"), byteorder="big", signed=False)
iN = (((iN << 1) | 1) << b) ^ lN
block = bm.mult_to_bytes(iN)
b512 = bm.splitBytes(block, 64)
h1 = 0x67452301
h2 = 0xEFCDAB89
h3 = 0x98BADCFE
h4 = 0x10325476
for b5 in b512:
blocks = bm.splitBytes(b5, 4)
A = h1
B = h2
C = h3
D = h4
for i in range(64):
if i <= 15:
F = (B & C) | (~B & D)
g = i
elif i <= 31:
F = (D & B) | (~D & C)
g = (5 * i + 1) % 16
elif i <= 47:
F = B ^ C ^ D
g = (3 * i + 5) % 16
else:
# C xor (B or (not D))
F = C ^ (B | ~D) % (1 << 32)
g = (7 * i) % 16
# F + A + K[i] + M[g]
try:
F = p32(p32(p32(F, A), K[i]), int.from_bytes(blocks[g], "little"))
except IndexError:
print(i, K, blocks[g])
raise Exception("Error")
A = D
D = C
C = B
# B + leftrotate(F, s[i])
B = p32(B, ((F << s[i]) | (F >> (32 - s[i]))))
h1 = p32(A, h1)
h2 = p32(B, h2)
h3 = p32(C, h3)
h4 = p32(D, h4)
return bm.packSplittedBytes([iToB(h1), iToB(h2), iToB(h3), iToB(h4)])
def GCM(arr, encrypt=True, aad=""):
"""
GCM is CTR mode with authentification of additional data (AAD) authenticated with multiplication in a Galois Field
arr: array of bytearray of 8 bytes of data to encrypt/decrypt
encrypt: boolean, true to encypt
aad: string of additional authenticated data
"""
if encrypt:
iv = IV(arr)
else:
iv = IV_action(arr)
# Integrity Check Balue
icv = IV_action(arr)
# Additional authenticated data (AAD), which is denoted as A
A = []
if encrypt:
if aad != "":
aadc = aad.encode()
if len(aadc) > 1 << 64:
raise Exception("Too much AAD")
A = bm.splitBytes(aadc, 8)
A[-1] = bm.zfill_b(A[-1], 8)
else:
header = arr[0]
epos = int.from_bytes(header, "big")
A = arr[1:epos]
arr = arr[epos:]
# Encrypted message
C = []
# 1 + α + α3 + α4 + α64 - 64 field polynomial
p = int(
"10000000000000000000000000000000000000000000000000000000000001111", 2)
def lenb(i):
return (len(i) * 8).to_bytes(8, "big")
def GHASH64(H, A, C, X, i):
n = len(C)
m = len(A)
if i <= m:
# A1 = A[1-1]
return gz2.poly_mult_mod_2(
bm.bytes_to_int(bm.b_op(X, A[i - 1], "XOR")), H, p)
if i <= m + n:
return gz2.poly_mult_mod_2(
bm.bytes_to_int(bm.b_op(X, C[i - m - 1], "XOR")), H, p)
if i == m + n + 1:
return gz2.poly_mult_mod_2(
a=bm.bytes_to_int(
bm.b_op(
b1=gz2.poly_mult_mod_2(
bm.bytes_to_int(bm.b_op(X, lenb(A), "XOR")), H,
p).to_bytes(8, "big"),
b2=lenb(C),
ope="XOR",
)),
b=H,
mod=p,
)
H = bm.bytes_to_int(kasu.kasumi(b"\x00" * 8))
Y = GHASH64(H, b"", [iv], b"\x00", 1).to_bytes(8, "big")
E0 = kasu.kasumi(Y)
n = len(arr)
m = len(A)
# equivalent of CTR mode
for i in range(n):
config.WATCH_PERCENTAGE = (((n * 2 + m + 1) - ((n * 2 + m + 1) - i)) /
(n * 2 + m + 1)) * 100
exTime = time.time()
# treats the rightmost 32bits of its argument as a nonnegative integer with the least significant bit on the right, and increments this value modulo 2^32
Y = Y[:4] + (
(int.from_bytes(Y[-4:], "big") + 1) % 1 << 32).to_bytes(4, "big")
E = kasu.kasumi(Y)
C.append(bm.b_op(arr[i], E, "XOR"))
config.WATCH_GLOBAL_CIPHER += time.time() - exTime
config.WATCH_BLOC_CIPHER = config.WATCH_GLOBAL_CIPHER / (i + 1)
config.WATCH_BLOC_KASUMI = config.WATCH_GLOBAL_KASUMI / (i + 1)
res = C
# plaintext is in C when we decrypt, me must replace it with the ciphertext
if not encrypt:
C = arr
# first init of X = GHASH64(i=0) = b'\x00'
X = b"\x00"
for i in range(n + m + 1):
config.WATCH_PERCENTAGE = (((n * 2 + m + 1) - ((n * 2 + m + 1) -
(i + n))) /
(n * 2 + m + 1)) * 100
exTime = time.time()
X = GHASH64(H, A, C, X, i + 1).to_bytes(8, "big")
config.WATCH_GLOBAL_CIPHER += time.time() - exTime
config.WATCH_BLOC_CIPHER = config.WATCH_GLOBAL_CIPHER / (i + 1)
icvc = bm.b_op(E0, X, "XOR")
if not encrypt:
if icv != icvc:
print(
"\nYELLOW: INTEGRITY CHECK CONTROL INCORRECT, AAD HAVE BEEN MODIFIED !!"
)
if encrypt:
IV_action(res, icvc, "store")
# Adding the IV to the encrypted data
IV_action(res, iv, "store")
header = (1 + len(A)).to_bytes(8, "big")
res = [header] + A + res
return res
