def generate(bits, randfunc, progress_func=None): """generate(bits:int, randfunc:callable, progress_func:callable) Generate an ElGamal key of length 'bits', using 'randfunc' to get random data and 'progress_func', if present, to display the progress of the key generation. """ obj=ElGamalobj() # Generate a safe prime p # See Algorithm 4.86 in Handbook of Applied Cryptography if progress_func: progress_func('p\n') while 1: q = bignum(getPrime(bits-1, randfunc)) obj.p = 2*q+1 if number.isPrime(obj.p, randfunc=randfunc): break # Generate generator g # See Algorithm 4.80 in Handbook of Applied Cryptography # Note that the order of the group is n=p-1=2q, where q is prime if progress_func: progress_func('g\n') while 1: # We must avoid g=2 because of Bleichenbacher's attack described # in "Generating ElGamal signatures without knowning the secret key", # 1996 # obj.g = number.getRandomRange(3, obj.p, randfunc) safe = 1 if pow(obj.g, 2, obj.p)==1: safe=0 if safe and pow(obj.g, q, obj.p)==1: safe=0 # Discard g if it divides p-1 because of the attack described # in Note 11.67 (iii) in HAC if safe and divmod(obj.p-1, obj.g)[1]==0: safe=0 # g^{-1} must not divide p-1 because of Khadir's attack # described in "Conditions of the generator for forging ElGamal # signature", 2011 ginv = number.inverse(obj.g, obj.p) if safe and divmod(obj.p-1, ginv)[1]==0: safe=0 if safe: break # Generate private key x if progress_func: progress_func('x\n') obj.x=number.getRandomRange(2, obj.p-1, randfunc) # Generate public key y if progress_func: progress_func('y\n') obj.y = pow(obj.g, obj.x, obj.p) return obj
def brent_rho(number): """ Richard Brent variant of the rho algorithm Pollard's rho algorithm is a general-purpose integer factorization algorithm. It is particularly effective at splitting composite numbers with small factors. """ if number % 2 == 0: return 2 rand_y = nutil.getRandomRange(1, number - 1, urandom) rand_c = nutil.getRandomRange(1, number - 1, urandom) rand_m = nutil.getRandomRange(1, number - 1, urandom) index_g, index_r, index_q = 1, 1, 1 while index_g == 1: copy_y = rand_y index_k = 0 index = 0 while index < index_r: rand_y = ((rand_y * rand_y) % number + rand_c) % number index += 1 while (index_k < index_r and index_g == 1): y_copy2 = rand_y index = 0 limit = min(rand_m, index_r - index_k) while index < limit: rand_y = ((rand_y * rand_y) % number + rand_c) % number index_q = index_q * (abs(copy_y - rand_y)) % number index += 1 index_g = gcd(index_q, number) index_k = index_k + rand_m index_r = index_r * 2 if index_g == number: while True: y_copy2 = ((y_copy2 * y_copy2) % number + rand_c) % number index_g = gcd(abs(copy_y - y_copy2), number) if index_g > 1: break return index_g
def DSAGenParameter(): print "Génération des paramètres" # On génère Q print "Génération de Q" q = number.getPrime(160) print "Q généré" # On génère P print "Génération de P" while True: r = number.getRandomInteger(480) p = (q*r)+1 if number.isPrime(p): break print "P généré" # On génère G print "Génération de G" while True: y = number.getRandomRange(0, p) g = pow(y, (p-1)/q, p) if g != 1: break print "G généré" print "Paramètres générés" return p, q, y, g
def find_generator_and_safe_prime(bits, gen_max_bits = False): stdout.write('Trying to find prime p ') while(1): stdout.write('.') q = number.getPrime(bits-1) # zeby pomnozona przez 2 byla na pewno mniejsza od p, (+1 pomijam, zakladam ze nie przekroczy) p = (q << 1) + 1 if number.isPrime(p): print '\n' + str(number.size(p)) + ' bits prime p found' p_sub_1 = p - 1 stdout.write('Trying to find generator g ') while(1): if gen_max_bits: # generator moze miec dowolna liczbe bitow g = number.getRandomNBitInteger(bits) if g >= p: continue else: g = number.getRandomRange(2, p) if pow(g, 2, p) == 1 or pow(g, q, p) == 1: stdout.write('.') continue print '\n' + str(number.size(g)) + ' bits generator g found' return p, g
def _decrypt(self, M): if (not hasattr(self, 'x')): raise TypeError('Private key not available in this object') r = number.getRandomRange(2, self.p-1, self._randfunc) a_blind = (M[0] * pow(self.g, r, self.p)) % self.p ax=pow(a_blind, self.x, self.p) plaintext_blind = (M[1] * inverse(ax, self.p ) ) % self.p plaintext = (plaintext_blind * pow(self.y, r, self.p)) % self.p return plaintext
def sign_message(modulus, base, order, key, message): while 1: w = number.getRandomRange(3, order) r = pow(base, w, modulus) % order w = number.inverse(w, order) s = w * (message + r*key) if s != 0: break return {'r': r, 's': s, 'm': message}
def process_number(self): """Returns a posbile generator""" while True: # Get a random number random_number = nutil.getRandomRange(2, self._prime - 2, os.urandom) # Check if it is co-prime if gcd(random_number, self._prime) == 1: break return random_number
def _auth_step_one(self): """Compute pow(genrator, random_value)""" # Generate a random number in (2, prime_number) self._sts["c_exponent"] = nutil.getRandomRange( 2, self.data["prime_number"], os.urandom) # Compute generator ^ x_exponent self._sts["c_secret"] = str(pow( long(self.data["generator"]), long(self._sts["c_exponent"]), long(self.data["prime_number"])))
def generateSignature(p, q, g, x, message): H = int(hexlify(CryptoBox.generateHash(message, 1)), 16) k = number.getRandomRange(1, q) r = utils.mod_exp(g, k, p) % q k_inv = utils.inverse(k, q) s = (k_inv * (H + x * r)) % q if (r == 0 or s == 0): # since it is very unlikely to make a recursive call, function will terminate eventually return generateSignature(p, q, g, x, message) return r, s
def pollard_rho(number): """ Pollard Rho is an integer factorization algorithm, which is quite fast for large numbers. """ if number % 2 == 0: return 2 rand_y = nutil.getRandomRange(1, number - 1, urandom) rand_c = nutil.getRandomRange(1, number - 1, urandom) copy_y = rand_y index_g = 1 while index_g == 1: rand_y = ((rand_y * rand_y) % number + rand_c) % number copy_y = ((copy_y * copy_y) % number + rand_c) % number copy_y = ((copy_y * copy_y) % number + rand_c) % number index_g = gcd(abs(rand_y - copy_y), number) return index_g
def _decrypt(self, c): #(ciphertext,) = c (ciphertext,) = c[:1] # HACK - We should use the previous line # instead, but this is more compatible and we're # going to replace the Crypto.PublicKey API soon # anyway. # Blinded RSA decryption (to prevent timing attacks): # Step 1: Generate random secret blinding factor r, such that 0 < r < n-1 r = getRandomRange(1, self.key.n-1, randfunc=self._randfunc) # Step 2: Compute c' = c * r**e mod n cp = self.key._blind(ciphertext, r) # Step 3: Compute m' = c'**d mod n (ordinary RSA decryption) mp = self.key._decrypt(cp) # Step 4: Compute m = m**(r-1) mod n return self.key._unblind(mp, r)
def find_generator_and_prime(bits, n, gen_max_bits = False): # p - 1 = q1 * q2 * q3 * ... * qn p_sub_1 = 0 # p - 1 p = 0 stdout.write('Trying to find prime p ') while(not number.isPrime(p)): # sprawdzamy czy liczba p jest pierwsza, inaczej nie ma sensu szukac generatora stdout.write('.') qs = [2] # lista q, inicjowana q1 = 2, bez 2 p+1 bylaby zawsze liczba parzysta czyli nie pierwsza p_sub_1 = qs[0] # p - 1 = q1 for i in range(0, n): q = number.getPrime(bits/n) tmp_p_sub_1 = p_sub_1 * q tmp_p = tmp_p_sub_1 + 1 if number.size(tmp_p) <= bits: # sprawdzamy czy liczba p ma tyle bitow ile chcemy p_sub_1 = tmp_p_sub_1 p = tmp_p qs.append(q) else: break if(number.size(p_sub_1) != bits): # dopelniamy do oczekiwanej liczby bitow mnozac kilkukrotnie przez 2 p_sub_1 <<= bits-number.size(p_sub_1) p = p_sub_1 + 1 stdout.write('\n' + str(number.size(p)) + ' bits prime p found\n') stdout.write("Trying to find generator g ") while(1): # kazda grupa cykliczna ma generator stdout.write('.') if gen_max_bits: g = number.getRandomNBitInteger(bits) # generator moze miec dowolna liczbe bitow if g >= p: continue else: g = number.getRandomRange(2, p) isGenerator = True for q in qs: if pow(g, p_sub_1/q, p) == 1: # nie jest generatorem jesli g ^ ((p-1) / q) mod p == 1 isGenerator = False break; if isGenerator: stdout.write('\n' + str(number.size(g)) + ' bits generator g found\n') return p, g
def sign(self, M, sk): N = sk[0] T = sk[1] j = sk[2] s = sk[3] while True: r = bignum(number.getRandomRange(3, N, self._randfunc)) if 1 == GCD(r, N): break order = pow(2, self._l * (T + 1 - j)) y = pow(r, order, N) h = SHA256.new() h.update(long_to_bytes(j)) h.update(long_to_bytes(y)) h.update(M) sigma = h.digest() z = (r * pow(s, bytes_to_long(sigma), N)) % N return [j, [z, sigma]]
def generate_py(T, randfunc, progress_func=None): """generate(curve:CurveDomain, randfunc:callable, progress_func:callable) Generate a ECDSA key on curve 'T', using 'randfunc' to get random data and 'progress_func', if present, to display the progress of the key generation. """ if not T.verify(): raise ValueError('Invalid curve') # Generate private key d and public key Q = dg if progress_func: progress_func('d\n') d = number.getRandomRange(1, T.n - 1, randfunc) if progress_func: progress_func('Q\n') Q = T.G * d return construct(Q, d)
def main(): s = getRandomRange(0, (1 << 64)) r = '' for _ in range(200): s = xorshift(s) if os.urandom(1)[0] >= 128: r += str(s & 1) else: r += '.' print(f'[+] Here is the output') print(r) print('') inp = int(input('[>] What is current state? ')) if inp == s: print(f'[+] Flag: {FLAG}') else: print('[-] Noop')
def kxchang_demo(size): # Generate keys for both parties skA, pkA, nA = keygen(size) skB, pkB, nB = keygen(size) # Exchange public modulus and create the shared modulus S = nA * nB # One party generates a point between 1 and S minus 1 y = number.getRandomRange(1, (S - 1)) # Generate phase 1 by encrypting the public key phase1A = pow(pkA, skA, S) phase1B = pow(pkA, skB, S) # Generate the phase 2 secret modulus phase2A = pow(phase1B, skA, S) phase2B = pow(phase1A, skB, S) # Both parties encrypt y using the secret modulus and send phase3 phase3A = pow(y, skA, phase2A) phase3B = pow(y, skB, phase2B) # Compute the shared secret phase4A = pow(phase3B, skA, phase2A) phase4B = pow(phase3A, skB, phase2B)
def DSAsign(myMessage, p, q, g, sk): # Préconditions if myMessage == None or sk == None or p == None or q == None or g == None: raise ValueError("Les paramètres ne sont pas tous renseignés") # Traitement print "Signature d'un message" sha512 = SHA512.new() sha512.update(myMessage) hashMessage = number.bytes_to_long(sha512.digest()) k = number.getRandomRange(0, q) r = pow(g, k, p) % q s = ((hashMessage+(sk*r)) * number.inverse(k, q)) % q print "Message signé" return r, s
def keygen(self): p = bignum(self.getbwinteger(self._k/2)) q = bignum(self.getbwinteger(self._k/2)) N = p * q s = list() u = list() for i in range(0, self._l): while True: temp = number.getRandomRange(3, N, self._randfunc) if temp < N and 1 == GCD(temp, N): s.append(temp) break for i in range(0, self._l): order = pow(2, self._T + 1) temp = pow(s[i], order, N) u.append(temp) sk = [N, self._T, 0, s] pk = [N, self._T, u] return sk, pk
def key_exchange(): p = 0 while number.isPrime(p) == False: q = number.getPrime(512) p = 2 * q + 1 g = 2 while pow(g, 2, p) == 1 or pow(g, q, p) == 1: g = number.getPrime(4) conn.send(bytes(str(p), 'utf-8')) print('p = ' + str(p) + '\n') time.sleep(1) conn.send(bytes(str(g), 'utf-8')) print('g = ' + str(g) + '\n') a = number.getRandomRange(1, p) A = pow(g, a, p) conn.send(bytes(str(A), 'utf-8')) print('A = ' + str(A) + '\n') m = conn.recv(1024) B = int(m) return str(pow(B, a, p))
def negdh_server(s): sk, A, B = keygen(512) s.send(str(B)) BBtmp = s.recv(8192) BB = long(BBtmp) U = B * BB Tk = number.getRandomRange(1, (U - 1)) p1 = pow(A, Tk, U) s.send(str(A) + "X" + str(p1)) P1pk = s.recv(8192) pkB = long(P1pk.split('X')[1]) p1B = long(P1pk.split('X')[0]) p2 = pow(p1B, Tk, U) p3 = pow(pkB, sk, p2) P3 = s.recv(8192) s.send(str(p3)) p3B = long(P3) p4 = pow(p3B, sk, p2) k = number.long_to_bytes(p4) key = hashlib.sha256(k).digest() return key
def generate_group_params(bits=1025, nworkers=None, use_threads=False, progress=None): """ Generates group parameters for ElGamal. """ # Find a safe prime as modulus. This will take at least several # seconds on a single core. Thus: we will parallelize. start_time = time.time() if nworkers is None: nworkers = multiprocessing.cpu_count() l.debug('Searching for a %s bit safe prime p as modulus on %s workers', bits, nworkers) safe_prime_density = asymptotic_safe_prime_density / (bits - 1) if progress: progress('p', None) def _progress(n): progress('p', pol.progressbar.coin(safe_prime_density, n)) else: _progress = None p = pol.parallel.parallel_try(_find_safe_prime, (bits,), initializer=_find_safe_prime_initializer, progress=_progress, nworkers=nworkers, use_threads=use_threads) # Find a safe `g` as generator. # Algorithm taken from Crypto.PublicKey.ElGamal.generate # TODO Should we use a generator of a subgroup for performance? if progress: progress('g', None) l.debug('Searching for a suitable generator g') start_time = time.time() q = (p - 1) / 2 while True: g = gmpy.mpz(number.getRandomRange(3, p)) if (pow(g, 2, p) == 1 or pow(g, q, p) == 1 or divmod(p-1, g)[1] == 0): continue ginv = gmpy.invert(g, p) if divmod(p - 1, ginv)[1] == 0: continue break l.debug('Found one in %.2fs', time.time() - start_time) return group_parameters(p=p, g=g)
def keggen(self): safe=1 p = self.getbwinteger(self._k/2) q = self.getbwinteger(self._k/2) if (p - 1)*(q - 1) < pow(2, self._k - 1): safe = 0 if p*q >= pow(2, self._k): safe = 0 if safe == 0: return None, None N=p*q while True: s = bignum(number.getRandomRange(3, N, self._randfunc)) if 1 == GCD(s, N): break order = pow(2, self._l * (self._T + 1)) temp = pow(s, order, N) u = inverse(temp, N) sk = [N, self._T, 0, s] pk = [N, u, self._T] return sk, pk
def pickGeneratorG(self): print "Entering pickGenerator" while True: a = number.getRandomRange(0, self.N) if a > self.N: return None r0 = number.GCD(a, self.N) if r0 == 1: continue r0 = a - 1 r1 = number.GCD(r0, self.N) if r1 == 1: continue r0 = a + 1 r1 = number.GCD(r0, self.N) if r1 == 1: continue break g = a**2 print "Exiting pickGenerator" return g
def DSAGenKey(p, q, y, g): # Préconditions if q == None or p == None or g == None or y == None: raise ValueError("Les paramètres ne sont pas tous renseignés") if ((p-1) % q) != 0: raise ValueError("Les paramètres p et q ne sont pas corrects") if g != pow(y, (p-1)/q, p): raise ValueError("Les paramètres y et g ne sont pas corrects") # Traitement print "Génération d'une paire de clés" sk = number.getRandomRange(0, q) pk = pow(g, sk, p) print "Génération des clés terminée" return pk, sk
def pickGeneratorG(self): print "Entering pickGenerator" while True: a = number.getRandomRange(0,self.N) if a>self.N: return None r0 = number.GCD(a,self.N) if r0==1: continue r0 = a-1 r1 = number.GCD(r0,self.N) if r1 == 1: continue r0 = a+1 r1 = number.GCD(r0,self.N) if r1 == 1: continue break g = a**2 print "Exiting pickGenerator" return g
def negdh_client(s): sk, A, B = keygen(512) P0 = s.recv(8192) BB = long(P0) s.send(str(B)) P1pk = s.recv(8192) pkB = long(P1pk.split('X')[0]) p1B = long(P1pk.split('X')[1]) U = B * BB Tk = number.getRandomRange(1, (U - 1)) myp1 = pow(pkB, Tk, U) p1string = str(myp1) pkstring = str(A) s.send(p1string + "X" + pkstring) p2 = pow(p1B, Tk, U) myp3 = pow(A, sk, p2) s.send(str(myp3)) P3 = s.recv(8192) p3 = long(P3) p4 = pow(p3, sk, p2) k = number.long_to_bytes(p4) key = hashlib.sha256(k).digest() return key
def sign(self, point, prv_key, digest, test=False): q = self.q e = bytes_to_long(digest) % q if e == 0: e = 1 while True: if test: k = 0x77105C9B20BCD3122823C8CF6FCC7B956DE33814E95B7FE64FED924594DCEAB3 else: k = getRandomRange(1, q) r, _ = self.scalar_mult(k, point) r %= q if r == 0: continue s = (prv_key*r + k*e) % q if s == 0: continue break return long_to_bytes(r) + long_to_bytes(s)
def randQR(N): return pow(getRandomRange(1, N), 2, N)
def poly_rand(self): return [number.getRandomRange(0, self.N) for i in range(0, self.order)]
def genPrivKey(prime): sk = number.getRandomRange(2, prime - 1) return sk
def genSK(self, p): s = number.getRandomRange(2, p - 1) return s
def encrypt(m, pk): (p, q, g, h) = pk r = getRandomRange(2, q) c1 = pow(g, r, p) c2 = m * pow(h, r, p) % p return (c1, c2)
def _sign(self, m, k): blind_factor = getRandomRange(1, self.key.q, self._randfunc) return self.key._sign(m, k, blind_factor)
def randomingroupstar(self, N): while True: r = number.getRandomRange(3, N, self._randfunc) if 1 == GCD(r, N): return r
i = 1 while i <= padlen: if text[-i] != padbyte: raise Exception i += 1 def CBC_decrypt(ciphertext, key, iv): obj2 = AES.new(key, AES.MODE_CBC, iv) plaintext = obj2.decrypt(ciphertext) PKCS7pad_validate(plaintext) return plaintext list1 = open("strings.txt", 'r').read().split("\n") plaintext = list1[getRandomRange(0, len(list1))].decode( "base64") # Attacker doesn't have access to plaintext print "plaintext being encrypted: ", plaintext ciphertext = CBC_encrypt(plaintext, key, iv) print "ciphertext is: ", ciphertext.encode("hex") master_plaintext = "" for i in range(16, len(ciphertext), 16): pt_block = "\x00" * 16 ct_prev = ciphertext[i - 16:i] for j in range(15, -1, -1): custom_ctblock = "\x00" * 16 for i1 in range(15, j, -1): custom_ctblock = custom_ctblock[:i1] + chr( (16 - j) ^ ord(pt_block[i1]) ^ ord(ct_prev[i1])) + custom_ctblock[i1 + 1:]
def _getRandomMult(self): r = self.p # start while loop while (r % self.p == 0) or (r % self.q == 0): r = number.getRandomRange(1, self.n - 1, self._randfunc) return r
def keygen(size): A, B = genBase(size) sk = number.getRandomRange(1, (B - 1)) return sk, A, B
def generate(bits, randfunc, progress_func=None): """Randomly generate a fresh, new ElGamal key. The key will be safe for use for both encryption and signature (although it should be used for **only one** purpose). :Parameters: bits : int Key length, or size (in bits) of the modulus *p*. Recommended value is 2048. randfunc : callable Random number generation function; it should accept a single integer N and return a string of random data N bytes long. progress_func : callable Optional function that will be called with a short string containing the key parameter currently being generated; it's useful for interactive applications where a user is waiting for a key to be generated. :attention: You should always use a cryptographically secure random number generator, such as the one defined in the ``Crypto.Random`` module; **don't** just use the current time and the ``random`` module. :Return: An ElGamal key object (`ElGamalobj`). """ obj=ElGamalobj() # Generate a safe prime p # See Algorithm 4.86 in Handbook of Applied Cryptography if progress_func: progress_func('p\n') while 1: q = bignum(getPrime(bits-1, randfunc)) obj.p = 2*q+1 if number.isPrime(obj.p, randfunc=randfunc): break # Generate generator g # See Algorithm 4.80 in Handbook of Applied Cryptography # Note that the order of the group is n=p-1=2q, where q is prime if progress_func: progress_func('g\n') while 1: # We must avoid g=2 because of Bleichenbacher's attack described # in "Generating ElGamal signatures without knowning the secret key", # 1996 # obj.g = number.getRandomRange(3, obj.p, randfunc) safe = 1 if pow(obj.g, 2, obj.p)==1: safe=0 if safe and pow(obj.g, q, obj.p)==1: safe=0 # Discard g if it divides p-1 because of the attack described # in Note 11.67 (iii) in HAC if safe and divmod(obj.p-1, obj.g)[1]==0: safe=0 # g^{-1} must not divide p-1 because of Khadir's attack # described in "Conditions of the generator for forging ElGamal # signature", 2011 ginv = number.inverse(obj.g, obj.p) if safe and divmod(obj.p-1, ginv)[1]==0: safe=0 if safe: break # Generate private key x if progress_func: progress_func('x\n') obj.x=number.getRandomRange(2, obj.p-1, randfunc) # Generate public key y if progress_func: progress_func('y\n') obj.y = pow(obj.g, obj.x, obj.p) return obj
flag = os.environ.get("FLAG", "0nepoint{GOLDEN SMILE & SILVER TEARS}") flag = int(flag.encode().hex(), 16) P = 2**1000 - 1 while not isPrime(P): P -= 2 p = getPrime(512) q = getPrime(512) e = 65537 phi = (p - 1) * (q - 1) d = inverse(e, phi) n = p * q key = getRandomRange(0, n) ciphertext = pow(flag, e, P) ^ key x1 = getRandomRange(0, n) x2 = getRandomRange(0, n) print("P = {}".format(P)) print("n = {}".format(n)) print("e = {}".format(e)) print("x1 = {}".format(x1)) print("x2 = {}".format(x2)) # pick a random number k and compute v = k**e + (x1|x2) # if you add x1, you can get key = c1 - k mod n # elif you add x2, you can get ciphertext = c2 - k mod n v = int(input("v: "))
def generate(bits, randfunc, progress_func=None): """generate(bits:int, randfunc:callable, progress_func:callable) Generate an ElGamal key of length 'bits', using 'randfunc' to get random data and 'progress_func', if present, to display the progress of the key generation. """ obj=ElGamalobj() # Generate a safe prime p # See Algorithm 4.86 in Handbook of Applied Cryptography counter = 0 while 1: if progress_func: progress_func('p [%d]\r' % counter) counter += 1 #q = bignum(number.getStrongPrime(bits-1, e=0, false_positive_prob=1e-6, randfunc=randfunc)) q = bignum(number.getPrime(bits-1, randfunc=randfunc)) obj.p = 2*q+1 if number.isPrime(obj.p, randfunc=randfunc): break if progress_func: progress_func('p \n') counter = 0 # Generate generator g # See Algorithm 4.80 in Handbook of Applied Cryptography # Note that the order of the group is n=p-1=2q, where q is prime while 1: # We must avoid g=2 because of Bleichenbacher's attack described # in "Generating ElGamal signatures without knowning the secret key", # 1996 # if progress_func: progress_func('g [%d]\r' % counter) counter += 1 obj.g = number.getRandomRange(2**196, obj.p, randfunc) safe = 1 if pow(obj.g, 2, obj.p)==1: safe=0 if safe and pow(obj.g, q, obj.p)==1: safe=0 # Discard g if it divides p-1 because of the attack described # in Note 11.67 (iii) in HAC if safe and divmod(obj.p-1, obj.g)[1]==0: safe=0 # g^{-1} must not divide p-1 because of Khadir's attack # described in "Conditions of the generator for forging ElGamal # signature", 2011 ginv = number.inverse(obj.g, obj.p) if safe and divmod(obj.p-1, ginv)[1]==0: safe=0 if safe: break # Generate private key x if progress_func: progress_func('g \n') progress_func('x\n') obj.x=number.getRandomRange(2**196, obj.p-1, randfunc) # Generate public key y if progress_func: progress_func('y\n') obj.y = pow(obj.g, obj.x, obj.p) return obj
#Service Provider def reconstruct(self, mult, p, *dec): cipher = 1 for x in dec: cipher *= x dec = pow(cipher, p - 2, p) result = (dec * mult[1]) % p return result # # message1 = 100 # message2 = 10 # p = number.getPrime(160, Random.new().read) g = number.getRandomRange(3, p - 1) node1 = Node() sk1 = node1.genSK(p) pk1 = node1.genPK(p, g, sk1) node2 = Node() sk2 = node2.genSK(p) pk2 = node2.genPK(p, g, sk2) print pk1, pk2 owner1 = Owner() owner2 = Owner() message1 = 12
def commit(m): r = number.getRandomRange(1, p - 1) c = g**m * h**r return (c, r)
def generate(cls,bits): p = getPrime(bits//2) q = getPrime(bits//2+ bits%2) g = getRandomRange(0, (p*q)**2) n = p * q return cls((n,g,p,q))
def reconstruct(ctxt, prime, partMsg): cipher = 1 for x in partMsg: cipher *= x partMsg = pow(cipher, prime - 2, prime) msg = (partMsg * ctxt[1]) % prime return msg #### Parameter security = 80 shares = 5 msg1, msg2 = number.getRandomRange(1, 100), number.getRandomRange(1, 100) #### Key Generation prime, generator = genParameter(security) sk, pk = [], [] for i in range(shares): sk.append(genPrivKey(prime)) pk.append(genPubKey(prime, generator, sk[i])) #### Encryption ctxt1, ctxt2 = enc(prime, generator, msg1, pk), enc(prime, generator, msg2, pk) #### Decryption partMsg1, partMsg2 = [], []
class Curve(object): eliptic_function = staticmethod(lambda a, b, x, p: (pow(x, 3, p) + (a * x) % p + b) % p) getRandom = staticmethod(lambda p: number.getRandomRange(0, p - 1)) def __init__(self, init_prime_size=256): self.init_prime_size = init_prime_size self.a = 0 self.b = 0 self.p = 0 self.exampleX = 0 self.exampleY = 0 self.generate_function() def generate_ec_xy_example(self): x = self.getRandom(self.p) y = pow(self.eliptic_function(self.a, self.b, x, self.p), (self.p + 1) // 4, self.p) if self.contains_point(x, y): return x, y else: return self.generate_ec_xy_example() def generate_function(self): p = number.getPrime(self.init_prime_size) self.p = p if p % 4 != 3: # print('p nie przytaje do 3 mod 4') return self.generate_function() a = self.getRandom(p) b = self.getRandom(p) self.a = a self.b = b x = self.getRandom(p) delta = lambda a, b: ((4 * pow(a, 3, p)) % p + (27 * pow(b, 2, p)) % p) % p if delta(a, b) == 0: print('delta == 0') return self.generate_function() if 1 != pow(self.eliptic_function(a, b, x, p), (p - 1) // 2, p): # print('f nie jest reszta kwadratowa p') return self.generate_function() y = pow(self.eliptic_function(a, b, x, p), (p + 1) // 4, p) if self.isQuatraticResidue(x) == False: print('This is not quadratic residue') return self.generate_function() if self.contains_point(x, y): self.a = a self.b = b self.p = p self.exampleX = x self.exampleY = y else: return self.generate_function() def getCurveValue(self, x): return (pow(x, 3, self.p) + (self.a * x) + self.b) % self.p def isQuatraticResidue(self, x): return pow(self.getCurveValue(x), (self.p - 1) // 2, self.p) == 1 def contains_point(self, *args, **kwargs): if len(args) == 1 and isinstance(args[0], Point): return self.__check_point(args[0].x, args[0].y) elif len(args) == 0 and isinstance(kwargs.get('point', None), Point): return self.__check_point( kwargs.get('point').x, kwargs.get('point').y) elif len(args) == 2: return self.__check_point(args[0], args[1]) elif kwargs.get('x', None) and kwargs.get('y', None): return self.__check_point(kwargs['x'], kwargs['y']) else: raise BaseException('bad args') def __check_point(self, x, y): """Is the point (x,y) on this curve?""" return (y * y - self.eliptic_function(self.a, self.b, x, self.p)) % self.p == 0 def __str__(self): return f"Curve(\n\tp={self.p},\n\ta={self.a},\n\tb={self.b}\n)"
def genParameter(security): prime = number.getPrime(2 * security) generator = number.getRandomRange(1, prime - 1) return prime, generator
def randomingroup(self, N): while True: r = bignum(number.getRandomRange(3, N, self._randfunc)) if 1 == GCD(r, N): return r
f = open('little_secret', 'rb') p = int(f.readline()) q = int(f.readline()) # N = p * q N = int(f.readline()) # d = lcm(p-1, q-1) d = int(f.readline()) # u = inverse_mod(d, N) u = int(f.readline()) N2 = N * N g = 1 while pow(g, d // 2, N) == 1: g = getRandomRange(0, N) ppub = paillier.PaillierPublicKey(n=N) ppri = paillier.PaillierPrivateKey(ppub, p, q) FLAG1 = f.readline().strip() FLAG2 = f.readline().strip() assert len(FLAG2) < 24 FLAG2 = FLAG2 + os.urandom(31 - len(FLAG2)) FLAG2 = int.from_bytes(FLAG2, 'little') # FLAG2 -= 2 f.close() def aesenc(m): aes = AES.new(aeskey, AES.MODE_CBC, aesiv)
def generate(bits, randfunc, progress_func=None): """Randomly generate a fresh, new ElGamal key. The key will be safe for use for both encryption and signature (although it should be used for **only one** purpose). :Parameters: bits : int Key length, or size (in bits) of the modulus *p*. Recommended value is 2048. randfunc : callable Random number generation function; it should accept a single integer N and return a string of random data N bytes long. progress_func : callable Optional function that will be called with a short string containing the key parameter currently being generated; it's useful for interactive applications where a user is waiting for a key to be generated. :attention: You should always use a cryptographically secure random number generator, such as the one defined in the ``Crypto.Random`` module; **don't** just use the current time and the ``random`` module. :Return: An ElGamal key object (`ElGamalobj`). """ obj = ElGamalobj() # Generate a safe prime p # See Algorithm 4.86 in Handbook of Applied Cryptography if progress_func: progress_func('p\n') while 1: q = bignum(getPrime(bits - 1, randfunc)) obj.p = 2 * q + 1 if number.isPrime(obj.p, randfunc=randfunc): break # Generate generator g # See Algorithm 4.80 in Handbook of Applied Cryptography # Note that the order of the group is n=p-1=2q, where q is prime if progress_func: progress_func('g\n') while 1: # We must avoid g=2 because of Bleichenbacher's attack described # in "Generating ElGamal signatures without knowning the secret key", # 1996 # obj.g = number.getRandomRange(3, obj.p, randfunc) safe = 1 if pow(obj.g, 2, obj.p) == 1: safe = 0 if safe and pow(obj.g, q, obj.p) == 1: safe = 0 # Discard g if it divides p-1 because of the attack described # in Note 11.67 (iii) in HAC if safe and divmod(obj.p - 1, obj.g)[1] == 0: safe = 0 # g^{-1} must not divide p-1 because of Khadir's attack # described in "Conditions of the generator for forging ElGamal # signature", 2011 ginv = number.inverse(obj.g, obj.p) if safe and divmod(obj.p - 1, ginv)[1] == 0: safe = 0 if safe: break # Generate private key x if progress_func: progress_func('x\n') obj.x = number.getRandomRange(2, obj.p - 1, randfunc) # Generate public key y if progress_func: progress_func('y\n') obj.y = pow(obj.g, obj.x, obj.p) return obj
def gen_KM(n, q): xy = getRandomRange(0, n) print(xy) KM = (q**xy) % n return xy, KM
#!/usr/bin/python3 -u from hashlib import sha256 from Crypto.PublicKey import DSA from Crypto.Util.number import getRandomRange, long_to_bytes DSAkey = DSA.generate(1024) q = DSAkey.q k0 = 1 while pow(k0, (q - 1) // 2, q) != q - 1: k0 = getRandomRange(1, q) with open('/home/challenge/flag.txt') as f: FLAG = f.read().strip() MSG = b'GIMME THE FLAG !!!!!!!' MSG = int.from_bytes(MSG, 'little') % q def digest(s): return sha256(long_to_bytes(s)).digest() def sign(s): k = pow(k0, s, q) return DSAkey.sign(digest(s), k) def main(): print(f'[+] p: {DSAkey.p}')
A, B = genBase(size) sk = number.getRandomRange(1, (B - 1)) return sk, A, B size = 16 print "Generating Alice and Bob's keys" skA, pkA, nA = keygen(size) skB, pkB, nB = keygen(size) U = nA * nB print "Alice keys" print skA, pkA, nA print "Bob keys" print skB, pkB, nB print "Generating ephemeral public keys" TkA = number.getRandomRange(1, (U - 1)) TkB = number.getRandomRange(1, (U - 1)) p1 = pow(pkA, TkA, U) p1B = pow(pkA, TkB, U) if number.isPrime(p1): print "Prime" else: print "Not" print p1, p1B p2 = pow(p1B, TkA, U) p2B = pow(p1, TkB, U) if number.isPrime(p2): print "Prime" else: print "Not" print p2, p2B