def __init__(self, group=None, p=0, q=0, secparam=512):
self.group = group if group is not None else IntegerGroupQ()
self.group.p, self.group.q, self.group.r = p, q, 2
if self.group.p == 0 or self.group.q == 0:
self.group.paramgen(secparam)
self.p = self.group.p
self.q = self.group.q
self.x, self.g, = self.group.random(), self.group.randomGen()
self.z, self.h, = self.group.randomGen(), self.group.randomGen()
self.y = (self.g ** self.x) % self.p
hs1 = hashlib.new('sha256')
hs1.update(Conversion.IP2OS(integer(self.p)))
hs1.update(Conversion.IP2OS(integer(self.q)))
hs1.update(Conversion.IP2OS(integer(self.g)))
hs1.update(Conversion.IP2OS(integer(self.h)))
hs1.update(Conversion.IP2OS(integer(self.y)))
msg = integer(Conversion.OS2IP(hs1.digest()))
self.z = ((msg ** ((self.p - 1) / self.q)) % self.p)
self.u = None
self.d = None
self.s1 = None
self.s2 = None
def round_1(self, n1):
Ro = self.pk_i['Ro']
df02_commit = CM_DF02()
pk_commit = {'S': self.pk_i['S'], 'Z': Ro, 'N': self.pk_i['N']}
(U, self.vPrime) = df02_commit.commit(pk_commit, self.ms, (ln + lo))
mTilde = integer(randomBits(lm + lo + lh + 1))
(Utilde, vPrimeTilde) = df02_commit.commit(pk_commit, mTilde,
(lm + lo + lh + 1))
s1 = hashlib.new('sha256')
s1.update(Conversion.IP2OS(self.context))
s1.update(Conversion.IP2OS(U))
s1.update(Conversion.IP2OS(Utilde))
s1.update(Conversion.IP2OS(n1))
c = integer(s1.digest())
# Responses to challenge
vPrimeHat = vPrimeTilde + (c * self.vPrime)
sHat = mTilde + (c * self.ms)
p1 = {'c': c, 'vPrimeHat': vPrimeHat, 'sHat': sHat, 'U': U}
n2 = integer(randomBits(lo))
return p1, n2
def round_2(self, U, p1, attr, n2):
if self.__verify_p1(p1):
pass
# print "P1 verified"
else:
return None
e = randomPrime(le)
vTilde = integer(randomBits(lv - 1))
vPrimePrime = (2 ** (lv - 1)) + vTilde
R = self.pk_i['R']
Cx = 1 % self.pk_i['N']
for i in range(1, len(attr) + 1):
Cx = Cx * (R[str(i)] ** attr[str(i)])
sigA = self.signAttributesLong(attr, vPrimePrime, U, e)
A = sigA['A']
Q = sigA['Q']
phi_N = (self.sk_i['p'] - 1) * (self.sk_i['q'] - 1)
e2 = e % phi_N
r = randomPrime(le)
Atilde = (Q ** r) % self.pk_i['N']
s3 = hashlib.new('sha256')
s3.update(Conversion.IP2OS(self.context))
s3.update(Conversion.IP2OS(Q))
s3.update(Conversion.IP2OS(A))
s3.update(Conversion.IP2OS(n2))
s3.update(Conversion.IP2OS(Atilde))
cPrime = integer(s3.digest())
e2Prime = e2 ** - 1
Se = r - (cPrime * integer(e2Prime))
signature = {'A': A, 'e': e, 'vPrimePrime': vPrimePrime}
P2 = {'Se': Se, 'cPrime': cPrime}
print signature
print P2
return signature, P2
def verifyProof(self, credential, predicate, P, nv):
T_hat = {}
T_hat['t-values'] = self.__verify_cl(credential, predicate, P)
# print "That:", T_hat['t-values']
h_challenge = hashlib.new('sha256')
h_challenge.update(Conversion.IP2OS(self.context))
h_challenge = self.__add_dict_to_hash(P['common'], h_challenge)
h_challenge = self.__add_dict_to_hash(T_hat, h_challenge) # TODO: ricontrollare!
h_challenge = self.__add_list_to_hash([], h_challenge) # committed, representation, nym, dnym, verenc, msg
h_challenge.update(Conversion.IP2OS(nv))
c = integer(h_challenge.digest())
return c == P['c']
def HW_hash(self, key, c, input, keyLen):
C = integer(c)
input_size = bitsize(c)
input_b = Conversion.IP2OS(input, input_size)
# Return c XOR PRF(k, input), where the output of PRF is keyLength bits
result = C ^ self.Prf.eval(key, input_b)
return result
def signer_state3(self, input):
print("SIGNER state #3")
rnd = (integer(randomBits(80)))
msg = integer(SHA1(Conversion.IP2OS(rnd)))
z1 = (msg**((p - 1) / q)) % p
(g, y, h, z) = Protocol.get(self, ['g', 'y', 'h', 'z'])
z2 = z / z1
u = self.group.random()
s1 = self.group.random()
s2 = self.group.random()
d = self.group.random()
a = g**u
b1 = (g**s1) * (z1**d)
b2 = (h**s2) * (z2**d)
Protocol.store(self, ('u', u), ('s1', s1), ('s2', s2), ('d', d))
Protocol.setState(self, 5)
return {'rnd': rnd, 'a': a, 'b1': b1, 'b2': b2}
def verify(serial_data_and_sig, public_key):
verifier = RSA_Sig()
data_and_sig = bytesToObject(serial_data_and_sig, IntegerGroup())
data, sig = data_and_sig
sig = Conversion.IP2OS(sig)
verdict = verifier.verify(public_key, data, sig)
if verdict == True:
return data
else:
return None
def signer_state1(self):
print("SIGNER state #1")
x, g, = self.group.random(), self.group.randomGen()
z, h, = self.group.randomGen(), self.group.randomGen()
y = g**x
hs1 = hashlib.new('sha256')
hs1.update(Conversion.IP2OS(integer(p)))
hs1.update(Conversion.IP2OS(integer(q)))
hs1.update(Conversion.IP2OS(integer(g)))
hs1.update(Conversion.IP2OS(integer(h)))
hs1.update(Conversion.IP2OS(integer(y)))
msg = integer(hs1.digest())
z = (msg**((p - 1) / q)) % p
Protocol.store(self, ('g', g), ('y', y), ('x', x), ('h', h), ('z', z))
Protocol.setState(self, 3)
return {'g': g, 'y': y, 'h': h, 'z': z}
def build_proof(self, credentials, predicate, n1):
# step 0.1
for key, value in self.m.iteritems():
self.v_tilde[key] = integer(randomBits(lm + lo + lh))
# print self.v_hat
self.v_tilde['0'] = integer(randomBits(lm + lo + lh))
cl_prover = CLProver()
# print self.all
# step 1.1: t-values
t_value, common_value = cl_prover.prove(self.pk_i, credentials,
predicate, self.m,
self.v_tilde)
self.t_values['Z_tilde'] = t_value
self.common_value['A_prime'] = common_value
# step 2.1: challenge
h_challenge = hashlib.new('sha256')
h_challenge.update(Conversion.IP2OS(self.context))
h_challenge = self.__add_dict_to_hash(self.common_value, h_challenge)
h_challenge = self.__add_dict_to_hash(self.t_values, h_challenge)
h_challenge = self.__add_list_to_hash(
[],
h_challenge) # committed, representation, nym, dnym, verenc, msg
h_challenge.update(Conversion.IP2OS(n1))
c = integer(h_challenge.digest())
# print "t-value:", t_value
# step 3.1: s-values
s_values = cl_prover.prove(self.pk_i, credentials, predicate, self.m,
self.v_tilde, self.ms, c)
# step 4.1: return proof
proof = {}
proof['c'] = c
proof['s'] = s_values
proof['common'] = self.common_value
return proof
def round_3(self, signature, P2, n2):
vPrimePrime = signature['vPrimePrime']
A = signature['A']
e = signature['e']
v = vPrimePrime + self.vPrime
cPrime = P2['cPrime']
Se = P2['Se']
Q2 = (self.pk_i['Z'] /
((self.pk_i['S']**v) * self.all)) % self.pk_i['N']
# tmp_u = (self.pk_i['S'] ** self.vPrime) * (self.pk_i['Ro'] ** self.ms) % self.pk_i['N']
# Q22 = (self.pk_i['Z'] / ((self.pk_i['S'] ** vPrimePrime) * self.ak * tmp_u)) % self.pk_i['N']
Qhat = (A**e) % self.pk_i['N']
q2Check = Q2 == Qhat
Ahat = A**(cPrime + (Se * e)) % self.pk_i['N']
s4 = hashlib.new('sha256')
s4.update(Conversion.IP2OS(self.context))
s4.update(Conversion.IP2OS(Q2))
s4.update(Conversion.IP2OS(A))
s4.update(Conversion.IP2OS(n2))
s4.update(Conversion.IP2OS(Ahat))
cHat2 = integer(s4.digest())
c2Check = cHat2 == cPrime
sig = {'A': A, 'e': e, 'v': v}
return sig, q2Check, c2Check
def __verify_p1(self, p1):
df02_commit = CM_DF02()
pk_commit = {'S': self.pk_i['S'], 'Z': self.pk_i['Ro'], 'N': self.pk_i['N']}
sHat = p1['sHat']
vPrimeHat = p1['vPrimeHat']
(cA, vPrimeHat) = df02_commit.commit(pk_commit, sHat, 0, vPrimeHat)
U = p1['U'] % self.pk_i['N']
c = p1['c']
Uhat = cA * (U ** (-1 * c))
s2 = hashlib.new('sha256')
s2.update(Conversion.IP2OS(self.context))
s2.update(Conversion.IP2OS(U))
s2.update(Conversion.IP2OS(Uhat))
s2.update(Conversion.IP2OS(self.n1))
cHat = integer(s2.digest())
return c == cHat
def check(self, signature: int):
# Convert back to bytes
sig = Conversion.IP2OS(signature)
# Verifier setup
ecc = ECC.import_key(self.pubk)
verifier = DSS.new(ecc, 'fips-186-3')
new_hash = SHA256.new(bytes.fromhex(self.y))
# We need to verify the signature on the hash. The verifier throws an exception if it doesn't verify.
try:
verifier.verify(new_hash, sig)
return True
except Exception as e:
print(str(e), file=sys.stderr)
return False
def verify(self, pk, M, S, salt=None):
#M = b'This is a malicious message'
octetlen = int(ceil(int(pk['N']).bit_length() / 8.0))
sig_mess = (integer(S['s1'])**2) % pk['N']
sig_mess = Conversion.IP2OS(int(sig_mess), octetlen)
if debug: print("OS1 =>", sig_mess)
dec_mess = self.paddingscheme.decode(sig_mess)
if debug:
print("Verifying")
print("sig_mess =>", sig_mess)
print("dec_mess =>", dec_mess)
print("S =>", S)
return (dec_mess == M)
def user_state4(self, input):
print("USER state #4")
(g, y, h, z) = Protocol.get(self, ['g', 'y', 'h', 'z'])
rnd = input.get('rnd')
a = input.get('a')
b1 = input.get('b1')
b2 = input.get('b2')
msg = integer(SHA1(Conversion.IP2OS(rnd)))
z1 = (msg**((p - 1) / q)) % p
gamma = self.group.random()
tau = self.group.random()
t1 = self.group.random()
t2 = self.group.random()
t3 = self.group.random()
t4 = self.group.random()
t5 = self.group.random()
zeta = z**gamma
zeta1 = z1**gamma
zeta2 = zeta / zeta1
alpha = a * (g**t1) * (y**t2) % p
beta1 = (b1**gamma) * (g**t3) * (zeta1**t4) % p
beta2 = (b2**gamma) * (h**t5) * (zeta2**t4) % p
eta = z**tau
epsilon = self.group.hash(zeta, zeta1, alpha, beta1, beta2, eta, "msg")
e = epsilon - t2 - t4
Protocol.store(self, ('z', z), ('z1', z1), ('zeta', zeta),
('zeta1', zeta1))
Protocol.store(self, ('zeta2', zeta2), ('alpha', alpha),
('beta1', beta1), ('beta2', beta2))
Protocol.store(self, ('t1', t1), ('t2', t2), ('t3', t3), ('t4', t4),
('t5', t5))
Protocol.store(self, ('gamma', gamma), ('tau', tau), ('eta', eta))
Protocol.setState(self, 6)
return {'e': e}
def sign(self, sk, M, salt=None):
#apply encoding
modbits = int(sk['N']).bit_length()
k = int(ceil(modbits / 8.0))
emLen = int(ceil((modbits - 1) / 8.0))
em = self.paddingscheme.encode(M, modbits - 1, salt)
m = Conversion.OS2IP(em)
m = integer(m) % sk['N'] #ERRROR m is larger than N
s = (m**sk['d']) % sk['N']
S = Conversion.IP2OS(s, k)
if debug:
print("Signing")
print("k =>", k)
print("emLen =>", emLen)
print("m =>", m)
print("em =>", em)
print("s =>", s)
print("S =>", S)
return S
def verify(self, pk, M, S):
modbits = int(pk['N']).bit_length()
k = int(ceil(modbits / 8.0))
emLen = int(ceil((modbits - 1) / 8.0))
if len(S) != k:
if debug: print("Sig is %s octets long, not %" % (len(S), k))
return False
s = Conversion.OS2IP(S)
s = integer(s) % pk['N'] #Convert to modular integer
m = (s**pk['e']) % pk['N']
EM = Conversion.IP2OS(m, emLen)
if debug:
print("Verifying")
print("k =>", k)
print("emLen =>", emLen)
print("s =>", s)
print("m =>", m)
print("em =>", EM)
print("S =>", S)
return self.paddingscheme.verify(M, EM, modbits - 1)
def challenge_response(self, input, message):
rnd = input.get('rnd')
a = input.get('a')
b1 = input.get('b1')
b2 = input.get('b2')
msg = integer(Conversion.OS2IP(SHA1(Conversion.IP2OS(rnd))))
z1 = (msg**((self.p - 1) / self.q)) % self.p
gamma = self.group.random()
tau = self.group.random()
t1 = self.group.random()
t2 = self.group.random()
t3 = self.group.random()
t4 = self.group.random()
t5 = self.group.random()
zeta = self.z**gamma
zeta1 = z1**gamma
zeta2 = zeta / zeta1
alpha = a * (self.g**t1) * (self.y**t2) % self.p
beta1 = (b1**gamma) * (self.g**t3) * (zeta1**t4) % self.p
beta2 = (b2**gamma) * (self.h**t5) * (zeta2**t4) % self.p
eta = self.z**tau
epsilon = integer(
hash_int([zeta, zeta1, alpha, beta1, beta2, eta, message
])) % self.q
e = (epsilon - t2 - t4) % self.q
self.__store__(self, ('z1', z1), ('zeta', zeta), ('zeta1', zeta1))
self.__store__(self, ('zeta2', zeta2), ('alpha', alpha),
('beta1', beta1), ('beta2', beta2))
self.__store__(self, ('t1', t1), ('t2', t2), ('t3', t3), ('t4', t4),
('t5', t5))
self.__store__(self, ('gamma', gamma), ('tau', tau), ('eta', eta))
return {'e': e}
def get_challenge(self):
rnd = randomBits(80)
msg = integer(Conversion.OS2IP(SHA1(Conversion.IP2OS(rnd))))
z1 = ((msg ** ((self.p - 1) / self.q)) % self.p)
inv_z1 = (mulinv(z1, self.p)) % self.p
z2 = (int(self.z) * int(inv_z1)) % self.p
self.u = self.group.random()
self.s1 = self.group.random()
self.s2 = self.group.random()
self.d = self.group.random()
a = self.g ** self.u
b1 = (self.g ** self.s1) * (z1 ** self.d)
b2 = (self.h ** self.s2) * (z2 ** self.d)
return {'rnd': rnd, 'a': a, 'b1': b1, 'b2': b2}
hp_1_value = hp_1_value % group_p_value
hp_2_value = hp_2_value % group_p_value
u_1_value = u_1_value % group_p_value
u_2_value = u_2_value % group_p_value
X_value = X_value % group_p_value
alpha_1_prime_value = randomBits(group_order_bits) % group_order
alpha_2_prime_value = randomBits(group_order_bits) % group_order
beta_1_prime_value = randomBits(group_order_bits) % group_order
beta_2_prime_value = randomBits(group_order_bits) % group_order
#print('alpha_1_prime_value = ', alpha_1_prime_value)
#print('alpha_2_prime_value = ', alpha_2_prime_value)
#print('beta_1_prime_value = ', beta_1_prime_value)
#print('beta_2_prime_value = ', beta_2_prime_value)
alpha_1_prime_bytes = Conversion.IP2OS(alpha_1_prime_value,
group_order_bits // 8)
alpha_2_prime_bytes = Conversion.IP2OS(alpha_2_prime_value,
group_order_bits // 8)
beta_1_prime_bytes = Conversion.IP2OS(beta_1_prime_value,
group_order_bits // 8)
beta_2_prime_bytes = Conversion.IP2OS(beta_2_prime_value,
group_order_bits // 8)
# print('type of g_1 value is: ', type(g_1_value))
# print('type of alpha1_prime_value is: ', type(alpha_1_prime_value))
# print(g_1_value)
# print('haha')
# print(alpha_1_prime_value)
tmp1 = (g_1_value**alpha_1_prime_value) % group_p_value
tmp2 = (g_2_value**alpha_2_prime_value) % group_p_value
hp_1_prime_value = (tmp1 * tmp2) % group_p_value
def decrypt(self, pk, sk, c):
octetlen = int(ceil(int(pk['N']).bit_length() / 8.0))
M = (c**(sk['d'] % sk['phi_N'])) % pk['N']
os = Conversion.IP2OS(int(M), octetlen)
if debug: print("OS =>", os)
return self.paddingscheme.decode(os)
# long-term key generation, session execution, then session key output
# length of group elements, may change this later
# generate the group G
bits = 1024
group = IntegerGroup()
group.paramgen(bits)
group_order = group.q
#print('group order is ', group_order)
print('group.p = ', group.p)
print('group.q = ', group.q)
group_p_bytes = Conversion.IP2OS(group.p, 128)
group_q_bytes = Conversion.IP2OS(group.q, 128)
alpha_1_value = randomBits(160) % group_order
alpha_2_value = randomBits(160) % group_order
beta_1_value = randomBits(160) % group_order
beta_2_value = randomBits(160) % group_order
alpha_1_bytes = Conversion.IP2OS(alpha_1_value, 20)
alpha_2_bytes = Conversion.IP2OS(alpha_2_value, 20)
beta_1_bytes = Conversion.IP2OS(beta_1_value, 20)
beta_2_bytes = Conversion.IP2OS(beta_2_value, 20)
# two random generators of group G
g_1 = group.randomGen()
g_2 = group.randomGen()
def hash_int(args):
hash = SHA256Hash()
for arg in args:
hash.update(Conversion.IP2OS(arg))
return Conversion.OS2IP(hash.digest())
g = N_square - toInt(val1)
g = g % N_square
print('g = ', g)
alpha_value = random(N_square / 2) # of length bits
beta_value = random(N_square / 2)
hp_1_value = (g**alpha_value) % N_square
hp_2_value = (g**beta_value) % N_square
# t_1(k) and u(k) are calculated from the length of r and x
t_1_length = 2 * group_order_bits - 128 # length of IV is 16 bytes
u_length = 2 * group_order_bits - 128
r_1_value = randomBits(t_1_length)
r_2_value = randomBits(640) # the length of r2 does not matter
r_1_bytes = Conversion.IP2OS(r_1_value, t_1_length // 8)
r_2_bytes = Conversion.IP2OS(r_2_value, 80)
t_value = randomBits(160) # the length of t does not matter
t_bytes = Conversion.IP2OS(t_value, 20)
# session execution
e_value = randomBits(u_length)
e_bytes = Conversion.IP2OS(e_value, u_length // 8)
# set l_1, l_2 (length of the output of extractor 1 and extractor 2) to be 128 bits, the length of AES key
# hash alpha, beta, r_1 together to get lsk_A_prime
group_for_hash = PairingGroup("SS512")
waters = Waters(group_for_hash)
alpha_bytes = Conversion.IP2OS(alpha_value, bits // 8)
beta_bytes = Conversion.IP2OS(beta_value, bits // 8)
lsk_A_prime = waters.sha2(alpha_bytes + beta_bytes + r_1_bytes)
def __add_dict_to_hash(self, dict_obj, hash_obj):
for k, v in dict_obj.iteritems():
hash_obj.update(Conversion.IP2OS(v))
return hash_obj
def __add_list_to_hash(self, list_obj, hash_obj):
for e in list_obj:
hash_obj.update(Conversion.IP2OS(e))
return hash_obj
def testRSAVector(self):
# ==================================
# Example 1: A 1024-bit RSA Key Pair
# ==================================
# ------------------------------
# Components of the RSA Key Pair
# ------------------------------
# RSA modulus n:
n = a2b_hex('\
bb f8 2f 09 06 82 ce 9c 23 38 ac 2b 9d a8 71 f7 \
36 8d 07 ee d4 10 43 a4 40 d6 b6 f0 74 54 f5 1f \
b8 df ba af 03 5c 02 ab 61 ea 48 ce eb 6f cd 48 \
76 ed 52 0d 60 e1 ec 46 19 71 9d 8a 5b 8b 80 7f \
af b8 e0 a3 df c7 37 72 3e e6 b4 b7 d9 3a 25 84 \
ee 6a 64 9d 06 09 53 74 88 34 b2 45 45 98 39 4e \
e0 aa b1 2d 7b 61 a5 1f 52 7a 9a 41 f6 c1 68 7f \
e2 53 72 98 ca 2a 8f 59 46 f8 e5 fd 09 1d bd cb '.replace(' ', ''))
n = Conversion.OS2IP(n, True)
# RSA public exponent e:
e = a2b_hex('11')
e = Conversion.OS2IP(e, True)
# Prime p:
p = a2b_hex('\
ee cf ae 81 b1 b9 b3 c9 08 81 0b 10 a1 b5 60 01 \
99 eb 9f 44 ae f4 fd a4 93 b8 1a 9e 3d 84 f6 32 \
12 4e f0 23 6e 5d 1e 3b 7e 28 fa e7 aa 04 0a 2d \
5b 25 21 76 45 9d 1f 39 75 41 ba 2a 58 fb 65 99 '.replace(' ', ''))
p = Conversion.OS2IP(p, True)
# Prime q:
q = a2b_hex('\
c9 7f b1 f0 27 f4 53 f6 34 12 33 ea aa d1 d9 35 \
3f 6c 42 d0 88 66 b1 d0 5a 0f 20 35 02 8b 9d 86 \
98 40 b4 16 66 b4 2e 92 ea 0d a3 b4 32 04 b5 cf \
ce 33 52 52 4d 04 16 a5 a4 41 e7 00 af 46 15 03'.replace(' ', ''))
q = Conversion.OS2IP(q, True)
phi_N = (p - 1) * (q - 1)
e = e % phi_N
d = e**-1
# ----------------------------------
# Step-by-step RSAES-OAEP Encryption
# ----------------------------------
# Message to be encrypted:
M = a2b_hex('\
d4 36 e9 95 69 fd 32 a7 c8 a0 5b bc 90 d3 2c 49'.replace(' ', ''))
lhash = a2b_hex('\
da 39 a3 ee 5e 6b 4b 0d 32 55 bf ef 95 60 18 90 \
af d8 07 09'.replace(' ', ''))
# DB:
db = a2b_hex('\
da 39 a3 ee 5e 6b 4b 0d 32 55 bf ef 95 60 18 90 \
af d8 07 09 00 00 00 00 00 00 00 00 00 00 00 00 \
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 \
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 \
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 \
00 00 00 00 00 00 00 00 00 00 01 d4 36 e9 95 69 \
fd 32 a7 c8 a0 5b bc 90 d3 2c 49'.replace(' ', ''))
# Seed:
seed = a2b_hex('\
aa fd 12 f6 59 ca e6 34 89 b4 79 e5 07 6d de c2 \
f0 6c b5 8f '.replace(' ', ''))
# dbMask:
dbmask = a2b_hex('\
06 e1 de b2 36 9a a5 a5 c7 07 d8 2c 8e 4e 93 24 \
8a c7 83 de e0 b2 c0 46 26 f5 af f9 3e dc fb 25 \
c9 c2 b3 ff 8a e1 0e 83 9a 2d db 4c dc fe 4f f4 \
77 28 b4 a1 b7 c1 36 2b aa d2 9a b4 8d 28 69 d5 \
02 41 21 43 58 11 59 1b e3 92 f9 82 fb 3e 87 d0 \
95 ae b4 04 48 db 97 2f 3a c1 4e af f4 9c 8c 3b \
7c fc 95 1a 51 ec d1 dd e6 12 64'.replace(' ', ''))
# maskedDB:
maskeddb = a2b_hex('\
dc d8 7d 5c 68 f1 ee a8 f5 52 67 c3 1b 2e 8b b4 \
25 1f 84 d7 e0 b2 c0 46 26 f5 af f9 3e dc fb 25 \
c9 c2 b3 ff 8a e1 0e 83 9a 2d db 4c dc fe 4f f4 \
77 28 b4 a1 b7 c1 36 2b aa d2 9a b4 8d 28 69 d5 \
02 41 21 43 58 11 59 1b e3 92 f9 82 fb 3e 87 d0 \
95 ae b4 04 48 db 97 2f 3a c1 4f 7b c2 75 19 52 \
81 ce 32 d2 f1 b7 6d 4d 35 3e 2d '.replace(' ', ''))
# seedMask:
seedmask = a2b_hex('\
41 87 0b 5a b0 29 e6 57 d9 57 50 b5 4c 28 3c 08 \
72 5d be a9 '.replace(' ', ''))
# maskedSeed:
maskedseed = a2b_hex('\
eb 7a 19 ac e9 e3 00 63 50 e3 29 50 4b 45 e2 ca \
82 31 0b 26 '.replace(' ', ''))
# EM = 00 || maskedSeed || maskedDB:
em = a2b_hex('\
00 eb 7a 19 ac e9 e3 00 63 50 e3 29 50 4b 45 e2 \
ca 82 31 0b 26 dc d8 7d 5c 68 f1 ee a8 f5 52 67 \
c3 1b 2e 8b b4 25 1f 84 d7 e0 b2 c0 46 26 f5 af \
f9 3e dc fb 25 c9 c2 b3 ff 8a e1 0e 83 9a 2d db \
4c dc fe 4f f4 77 28 b4 a1 b7 c1 36 2b aa d2 9a \
b4 8d 28 69 d5 02 41 21 43 58 11 59 1b e3 92 f9 \
82 fb 3e 87 d0 95 ae b4 04 48 db 97 2f 3a c1 4f \
7b c2 75 19 52 81 ce 32 d2 f1 b7 6d 4d 35 3e 2d '.replace(' ', ''))
# Encryption:
enc = a2b_hex('\
12 53 e0 4d c0 a5 39 7b b4 4a 7a b8 7e 9b f2 a0 \
39 a3 3d 1e 99 6f c8 2a 94 cc d3 00 74 c9 5d f7 \
63 72 20 17 06 9e 52 68 da 5d 1c 0b 4f 87 2c f6 \
53 c1 1d f8 23 14 a6 79 68 df ea e2 8d ef 04 bb \
6d 84 b1 c3 1d 65 4a 19 70 e5 78 3b d6 eb 96 a0 \
24 c2 ca 2f 4a 90 fe 9f 2e f5 c9 c1 40 e5 bb 48 \
da 95 36 ad 87 00 c8 4f c9 13 0a de a7 4e 55 8d \
51 a7 4d df 85 d8 b5 0d e9 68 38 d6 06 3e 09 55 '.replace(' ', ''))
rsa = RSA_Enc()
pk = {'N': n, 'e': e}
sk = {'phi_N': phi_N, 'd': d, 'N': n}
c = rsa.encrypt(pk, M, seed)
C = Conversion.IP2OS(c)
if debug:
print("RSA OEAP step by step")
print("Label L = empty string")
print("lHash = ", lhash)
print("DB = ", db)
print("seed = ", seed)
print("dbMask = ", dbmask)
print("maskedDB = ", maskeddb)
print("seedMask = ", seedmask)
print("maskedSeed = ", maskedseed)
print("EM = ", em)
assert C == enc
def getRandomBytes(self, length):
bits = length * 8
val = randomBits(bits)
return Conversion.IP2OS(val, length)
capital_X_value = capital_X_value % N_square
capital_W_value = capital_W_value % N_square
# long term key generation
alpha_prime_value = random(N_square / 2)
beta_prime_value = random(N_square / 2)
hp_1_prime_value = (g_value**alpha_prime_value) % N_square
hp_2_prime_value = (g_value**beta_prime_value) % N_square
# t_1(k) and u(k) are calculated from the length of r and x
t_1_length = 2 * group_order_bits - 128 # length of IV is 16 bytes
u_length = 2 * group_order_bits - 128
r_1_prime_value = randomBits(t_1_length)
r_2_prime_value = randomBits(640) # the length of r2 does not matter
r_1_prime_bytes = Conversion.IP2OS(r_1_prime_value, t_1_length // 8)
r_2_prime_bytes = Conversion.IP2OS(r_2_prime_value, 80)
t_prime_value = randomBits(160) # the length of t does not matter
t_prime_bytes = Conversion.IP2OS(t_prime_value, 20)
# session execution
e_prime_value = randomBits(u_length)
e_prime_bytes = Conversion.IP2OS(e_prime_value, u_length // 8)
# set l_1, l_2 (length of the output of extractor 1 and extractor 2) to be 128 bits, the length of AES key
# hash alpha_prime, beta_prime, r_1_prime together to get lsk_B_prime
group_for_hash = PairingGroup("SS512")
waters = Waters(group_for_hash)
alpha_prime_bytes = Conversion.IP2OS(alpha_prime_value, bits // 8)
beta_prime_bytes = Conversion.IP2OS(beta_prime_value, bits // 8)
lsk_B_prime = waters.sha2(alpha_prime_bytes + beta_prime_bytes +
def getRandomBits(self, length):
i = randomBits(length)
len = math.ceil(length / 8)
return Conversion.IP2OS(i, len)
def decrypt(self, pk, sk, c):
p = sk['p']
q = sk['q']
yp = sk['yp']
yq = sk['yq']
mp = (c**((p + 1) / 4)) % p
mq = (c**((q + 1) / 4)) % q
if (not (((c % p) == (mp**2)) and ((c % q) == (mq**2)))):
assert False, "invalid ciphertext"
r1 = ((int(yp) * int(p) * int(mq)) +
((int(yq) * int(q) * int(mp)))) % int(sk['N'])
r2 = int(sk['N']) - int(r1)
s1 = (int(yp) * int(p) * int(mq) - int(yq) * int(q) * int(mp)) % int(
sk['N'])
s2 = int(sk['N']) - int(s1)
m1 = r1 % int(sk['N'])
m2 = r2 % int(sk['N'])
m3 = s1 % int(sk['N'])
m4 = s2 % int(sk['N'])
if (self.paddingscheme.name == "SAEPEncryptionPadding"):
if (m1 < int(sk['N'] / 2)):
os1 = Conversion.IP2OS(int(m1))
if (m2 < int(sk['N'] / 2)):
os2 = Conversion.IP2OS(int(m2))
else:
if (m3 < int(sk['N'] / 2)):
os2 = Conversion.IP2OS(int(m3))
else:
os2 = Conversion.IP2OS(int(m4))
else:
if (m2 < int(sk['N'] / 2)):
os1 = Conversion.IP2OS(int(m2))
if (m3 < int(sk['N'] / 2)):
os2 = Conversion.IP2OS(int(m3))
else:
os2 = Conversion.IP2OS(int(m4))
else:
os1 = Conversion.IP2OS(int(m3))
os2 = Conversion.IP2OS(int(m4))
if debug:
print("OS1 =>", os1)
print("OS2 =>", os2)
(m1, t1) = self.paddingscheme.decode(os1, pk['n'], pk['s0'])
(m2, t2) = self.paddingscheme.decode(os2, pk['n'], pk['s0'])
if ((t1 == Bytes.fill(b'\x00', pk['s0'] / 8))
and (t2 == Bytes.fill(b'\x00', pk['s0'] / 8))):
assert False, "invalid ciphertext"
if (t1 == Bytes.fill(b'\x00', pk['s0'] / 8)):
return m1
else:
if (t2 == Bytes.fill(b'\x00', pk['s0'] / 8)):
return m2
else:
assert False, "invalid ciphertext"
else:
octetlen = int(ceil(int(pk['N']).bit_length() / 8.0))
os1 = Conversion.IP2OS(int(m1), octetlen)
os2 = Conversion.IP2OS(int(m2), octetlen)
os3 = Conversion.IP2OS(int(m3), octetlen)
os4 = Conversion.IP2OS(int(m4), octetlen)
if debug:
print("OS1 =>", os1)
print("OS2 =>", os2)
print("OS3 =>", os3)
print("OS4 =>", os4)
for i in [os1, os2, os3, os4]:
(isMessage, message) = self.redundancyscheme.decode(
self.paddingscheme.decode(i))
if (isMessage):
return message
