def get_data_for_auditor(self, padded_RSA_half, N_ba):
    """Produce the auditee's link data for the auditor and return it.

    Records padded_RSA_half (A) and the server modulus N on self, then builds
    self.data_for_auditor as: N (256 bytes) | Paillier n (513 bytes) | for each
    of 8 rounds P(4*iv^3), P(6*iv^2), P(4*iv) (1026 bytes each) | P(X) | P(A).
    Every round draws a mask K (appended to self.K_values, which must already
    exist) and chains iv <- iv^4 - K mod N; the last iv is kept as self.X.
    """
    self.padded_RSA_half = padded_RSA_half
    self.N = ba2int(N_ba)
    self.data_for_auditor = bi2ba(self.N, fixed=256) + bi2ba(self.P.n, fixed=513)
    modulus = self.N
    paillier = self.P
    mask_bits = self.n_len
    # The padded RSA half A is the chain value of the first round.
    chain = ba2int(self.padded_RSA_half)
    for _ in range(8):
        quartic = pow(chain, 4, modulus)
        # Encrypted coefficients 4*a^3, 6*a^2, 4*a; the auditor scales them by
        # powers of its own share in do_round. (P2 = "part of T2" originally.)
        enc_cubic = paillier.encrypt(4 * pow(chain, 3, modulus) % modulus)
        enc_square = paillier.encrypt(6 * pow(chain, 2, modulus) % modulus)
        enc_linear = paillier.encrypt(4 * chain % modulus)
        # K has at most n_len-2 bits: it is later added to another n_len-2 bit
        # value and the sum must stay below the Paillier modulus n.
        # NOTE(review): randint is a module helper; confirm it is CSPRNG-backed,
        # since K acts as a blinding mask.
        mask = randint(2 ** (mask_bits - 2))
        # Chain value for the next round (L in the paper).
        chain = (quartic - mask) % modulus
        round_blob = (bi2ba(enc_cubic, fixed=1026)
                      + bi2ba(enc_square, fixed=1026)
                      + bi2ba(enc_linear, fixed=1026))
        self.data_for_auditor += round_blob
        self.K_values.append({'K': mask})
    # Round 9: the auditor needs P(X) and P(A) for the final cross terms.
    final_chain = chain
    A = ba2int(self.padded_RSA_half)
    enc_X = paillier.encrypt(final_chain)
    enc_A = paillier.encrypt(A)
    self.data_for_auditor += bi2ba(enc_X, fixed=1026) + bi2ba(enc_A, fixed=1026)
    self.X = final_chain
    # Total size: 256 + 513 + 1026 * (3*8 + 2) bytes, roughly 26 KB.
    return self.data_for_auditor
def get_data_for_auditor(self, padded_RSA_half, N_ba):
    """Serialise the auditee's Paillier material for the auditor.

    Sets self.padded_RSA_half, self.N, self.X and self.data_for_auditor, and
    appends one {'K': mask} entry per round to self.K_values (assumed to be
    initialised elsewhere).  Wire layout of the returned value:
    N (256) | n (513) | 8 x [P(4*iv^3) | P(6*iv^2) | P(4*iv)] (1026 each) |
    P(X) (1026) | P(A) (1026).
    """
    self.padded_RSA_half = padded_RSA_half
    self.N = ba2int(N_ba)
    self.data_for_auditor = bi2ba(self.N, fixed=256) + bi2ba(self.P.n, fixed=513)
    n_mod = self.N
    enc = self.P.encrypt
    bits = self.n_len
    # Round 0 starts from A, the padded RSA half.
    a_cur = ba2int(self.padded_RSA_half)
    for _ in range(8):
        a_to_4 = pow(a_cur, 4, n_mod)
        # The three encrypted binomial terms the auditor completes in do_round.
        parts = (
            enc(4 * pow(a_cur, 3, n_mod) % n_mod),  # "part of T2"
            enc(6 * pow(a_cur, 2, n_mod) % n_mod),
            enc(4 * a_cur % n_mod),
        )
        # Mask is n_len-2 bits wide so that adding it to another n_len-2 bit
        # value cannot overflow the Paillier modulus n.
        # NOTE(review): confirm the module's randint draws from a CSPRNG; the
        # mask is a blinding value.
        k_mask = randint(2 ** (bits - 2))
        # L in the paper: masked fourth power feeds the next round.
        a_cur = (a_to_4 - k_mask) % n_mod
        self.data_for_auditor += (bi2ba(parts[0], fixed=1026)
                                  + bi2ba(parts[1], fixed=1026)
                                  + bi2ba(parts[2], fixed=1026))
        self.K_values.append({'K': k_mask})
    # Round 9 material: encryptions of the final chain value and of A.
    x_final = a_cur
    a_orig = ba2int(self.padded_RSA_half)
    enc_x = enc(x_final)
    enc_a = enc(a_orig)
    self.data_for_auditor += bi2ba(enc_x, fixed=1026) + bi2ba(enc_a, fixed=1026)
    self.X = x_final
    # 1026 * (3*8 + 2) bytes of ciphertext plus the two moduli: about 26 KB.
    return self.data_for_auditor
def set_enc_second_half_pms(self):
    """Set self.enc_second_half_pms: raw RSA of the auditor's padded PMS half.

    Reads self.server_modulus, self.server_exponent, self.server_mod_length,
    self.auditor_secret, self.n_auditor_entropy and self.auditor_padding_secret.
    Also stores self.pms2 = auditor_secret | zero fill | 0x01.
    Raises TLSNSSLError if the server modulus has not been set yet.
    """
    if not self.server_modulus:
        raise TLSNSSLError("Failed to set enc second half pms")
    # The run of 0x01 filler bytes grows with the modulus length beyond 256.
    ones_length = 103 + ba2int(self.server_mod_length) - 256
    zero_fill = '\x00' * (24 - self.n_auditor_entropy - 1)
    self.pms2 = self.auditor_secret + zero_fill + '\x01'
    # Layout: 0x01 | ones_length x 0x01 | auditor_padding_secret | 25 x 0x00 | pms2
    padded = '\x01'
    padded += '\x01' * ones_length
    padded += self.auditor_padding_secret
    padded += '\x00' * 25
    padded += self.pms2
    self.enc_second_half_pms = pow(ba2int(padded),
                                   self.server_exponent,
                                   self.server_modulus)
def do_ninth_round(self, PSum):
    """Recover enc_pms from the auditor's round-9 Paillier sum.

    Decrypts PSum with self.P and adds A*X, where A is the padded RSA half and
    X is the final chain value saved by get_data_for_auditor; the result is
    reduced modulo the server modulus self.N.
    """
    A = ba2int(self.padded_RSA_half)
    plain_sum = self.P.decrypt(PSum)
    return (plain_sum + A * self.X) % self.N
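def __init__(self, padded_RSA_half, linkdata):
    """Parse the auditee's link data and set up auditor-side Paillier state.

    linkdata layout (bytes): N (256) | Paillier pubkey n (513) | 8 rounds of
    P2, P3, P4 (1026 each) | PX (1026) | PA (1026).  padded_RSA_half is the
    auditor's own share (B), the initial value of round 0.
    Raises ValueError when linkdata is not exactly the expected length: it is
    supplied by the other party, so the check must not be a plain assert (which
    disappears under python -O).
    """
    expected_len = 256 + 513 + 1026 * (3 * 8 + 2)
    if len(linkdata) != expected_len:
        raise ValueError("linkdata must be %d bytes, got %d"
                         % (expected_len, len(linkdata)))
    self.paillier_rounds = []
    self.N = ba2int(linkdata[:256])
    self.P = Paillier(pubkey=ba2int(linkdata[256:256 + 513]))
    offset = 256 + 513
    # Bit length matching the 513-byte Paillier modulus field above.
    self.n_len = 4096 + 8
    for _ in range(8):
        self.paillier_rounds.append({
            'P2': ba2int(linkdata[offset:offset + 1026]),
            'P3': ba2int(linkdata[offset + 1026:offset + 2 * 1026]),
            'P4': ba2int(linkdata[offset + 2 * 1026:offset + 3 * 1026]),
        })
        offset += 3 * 1026
    # Round 9 ciphertexts.
    PX = ba2int(linkdata[offset:offset + 1026])
    offset += 1026
    PA = ba2int(linkdata[offset:offset + 1026])
    # Parser invariant: exactly one ciphertext must have been left for PA.
    if len(linkdata) - offset != 1026:
        raise ValueError("linkdata parse error: %d trailing bytes, expected 1026"
                         % (len(linkdata) - offset))
    # Initial value for each round (B for the first round).
    self.padded_RSA_half = padded_RSA_half
    self.paillier_rounds.append({'PX': PX, 'PA': PA})
    # Mask carried over from the previous round; none before round 0.
    self.D = 0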
def do_ninth_round(self, F):
    """Auditor's final step: return PSum = P(B*Y) (+) PX*B (+) PA*Y.

    F is the auditee's reply from the previous round; Y = F - D mod N removes
    the auditor's last mask.  B is the auditor's padded RSA half, PX and PA are
    the round-9 ciphertexts parsed in __init__, and the combination uses the
    Paillier helper's e_add / e_mul_const.
    """
    modulus = self.N
    paillier = self.P
    unmasked = (F - self.D) % modulus
    share = ba2int(self.padded_RSA_half)
    last_round = self.paillier_rounds[8]
    enc_by = paillier.encrypt(share * unmasked % modulus)
    enc_bx = paillier.e_mul_const(last_round['PX'], share)
    enc_ay = paillier.e_mul_const(last_round['PA'], unmasked)
    partial = paillier.e_add(enc_by, enc_bx)
    return paillier.e_add(partial, enc_ay)
def do_ninth_round(self, F):
    """Combine the round-9 ciphertexts with the auditor's share and return PSum.

    Y = (F - self.D) mod N is the auditee's value with the previous mask taken
    off; B = padded_RSA_half.  Result: e_add(e_add(P(B*Y), PX*B), PA*Y) using
    the Paillier helper in self.P and the ciphertexts stored at
    self.paillier_rounds[8].
    """
    n_mod, enc = self.N, self.P
    y_val = (F - self.D) % n_mod
    b_val = ba2int(self.padded_RSA_half)
    ninth = self.paillier_rounds[8]
    terms = [
        enc.encrypt(b_val * y_val % n_mod),
        enc.e_mul_const(ninth['PX'], b_val),
        enc.e_mul_const(ninth['PA'], y_val),
    ]
    acc = terms[0]
    for term in terms[1:]:
        acc = enc.e_add(acc, term)
    return acc
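def do_round(self, round_no, F):
    """Auditor's step for rounds 0..7; returns the masked ciphertext E.

    round_no selects this round's ciphertexts P2/P3/P4 (the auditee's
    4*a^3, 6*a^2, 4*a).  For round 0 the chain value iv is the auditor's padded
    RSA half; later it is F (the auditee's reply) with the previous mask self.D
    removed, mod N.  Computes P2*iv (+) P3*iv^2 (+) P4*iv^3 (+) P(iv^4) with the
    Paillier helper, draws a fresh mask self.D and returns TSum (+) P(D).
    Raises ValueError when round_no is outside 0..7 — a negative value would
    otherwise index from the end of paillier_rounds and silently pick the
    wrong round (and a bare assert is removed under python -O).
    """
    if not 0 <= round_no < 8:
        raise ValueError("round_no must be in 0..7, got %r" % (round_no,))
    modulus = self.N
    paillier = self.P
    mask_bits = self.n_len
    this_round = self.paillier_rounds[round_no]
    if round_no == 0:
        iv = ba2int(self.padded_RSA_half)
    else:
        iv = (F - self.D) % modulus
    T2 = paillier.e_mul_const(this_round['P2'], iv)
    T3 = paillier.e_mul_const(this_round['P3'], pow(iv, 2, modulus))
    T4 = paillier.e_mul_const(this_round['P4'], pow(iv, 3, modulus))
    T5 = paillier.encrypt(pow(iv, 4, modulus))
    TSum = paillier.e_add(paillier.e_add(paillier.e_add(T2, T3), T4), T5)
    # Apply mask D: n_len-2 bits so the masked sum stays below n.
    # NOTE(review): randint is a module helper; confirm it is CSPRNG-backed,
    # since D blinds the value returned to the auditee.
    self.D = randint(2 ** (mask_bits - 2))
    return paillier.e_add(TSum, paillier.encrypt(self.D))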
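def do_round(self, round_no, F):
    """Run one of the auditor's eight homomorphic rounds and return E.

    The auditee's ciphertexts for this round are self.paillier_rounds[round_no]
    ('P2', 'P3', 'P4').  The chain value iv is the padded RSA half in round 0
    and (F - self.D) mod N afterwards.  E = P2*iv (+) P3*iv^2 (+) P4*iv^3
    (+) P(iv^4) (+) P(D), where D is a freshly drawn mask stored in self.D
    for the next round.
    Raises ValueError unless 0 <= round_no < 8: the original assert accepted
    negative values (which index the list from its end) and is stripped under
    python -O.
    """
    if round_no < 0 or round_no >= 8:
        raise ValueError("round_no out of range (0..7): %r" % (round_no,))
    n_mod = self.N
    enc = self.P
    bits = self.n_len
    cts = self.paillier_rounds[round_no]
    iv = ba2int(self.padded_RSA_half) if round_no == 0 else (F - self.D) % n_mod
    terms = [
        enc.e_mul_const(cts['P2'], iv),
        enc.e_mul_const(cts['P3'], pow(iv, 2, n_mod)),
        enc.e_mul_const(cts['P4'], pow(iv, 3, n_mod)),
        enc.encrypt(pow(iv, 4, n_mod)),
    ]
    total = terms[0]
    for term in terms[1:]:
        total = enc.e_add(total, term)
    # Mask D has n_len-2 bits so that the sum does not overflow n.
    # NOTE(review): confirm randint is CSPRNG-backed; D is a blinding mask.
    self.D = randint(2 ** (bits - 2))
    return enc.e_add(total, enc.encrypt(self.D))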
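def __init__(self, padded_RSA_half, linkdata):
    """Build auditor state from the auditee's link data.

    Expected linkdata layout: N (256 bytes) | Paillier n (513) |
    8 x [P2 | P3 | P4] (1026 bytes each) | PX (1026) | PA (1026).
    padded_RSA_half (B) is the auditor's initial value for round 0.
    Raises ValueError on a length mismatch; linkdata arrives from the peer, so
    the check is an explicit raise rather than an assert that python -O drops.
    """
    expected = 256 + 513 + 1026 * (3 * 8 + 2)
    if len(linkdata) != expected:
        raise ValueError("linkdata length %d, expected %d"
                         % (len(linkdata), expected))
    self.paillier_rounds = []
    self.N = ba2int(linkdata[:256])
    self.P = Paillier(pubkey=ba2int(linkdata[256:256 + 513]))
    offset = 256 + 513
    # 513-byte modulus field -> 4096 + 8 bits.
    self.n_len = 4096 + 8
    for _ in range(8):
        p2 = ba2int(linkdata[offset:offset + 1026])
        p3 = ba2int(linkdata[offset + 1026:offset + 2 * 1026])
        p4 = ba2int(linkdata[offset + 2 * 1026:offset + 3 * 1026])
        self.paillier_rounds.append({'P2': p2, 'P3': p3, 'P4': p4})
        offset += 3 * 1026
    # Round 9.
    PX = ba2int(linkdata[offset:offset + 1026])
    offset += 1026
    PA = ba2int(linkdata[offset:offset + 1026])
    # Invariant of the parser: exactly PA's 1026 bytes remain.
    if len(linkdata) - offset != 1026:
        raise ValueError("linkdata parse error: %d bytes left, expected 1026"
                         % (len(linkdata) - offset))
    # Initial value for each round (B for the first one).
    self.padded_RSA_half = padded_RSA_half
    self.paillier_rounds.append({'PX': PX, 'PA': PA})
    # Mask carried from the previous round; zero before round 0.
    self.D = 0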