def __init__(self, group=None, p=0, q=0, secparam=512):
self.group = group if group is not None else IntegerGroupQ()
self.group.p, self.group.q, self.group.r = p, q, 2
if self.group.p == 0 or self.group.q == 0:
self.group.paramgen(secparam)
self.p = self.group.p
self.q = self.group.q
self.x, self.g, = self.group.random(), self.group.randomGen()
self.z, self.h, = self.group.randomGen(), self.group.randomGen()
self.y = (self.g ** self.x) % self.p
hs1 = hashlib.new('sha256')
hs1.update(Conversion.IP2OS(integer(self.p)))
hs1.update(Conversion.IP2OS(integer(self.q)))
hs1.update(Conversion.IP2OS(integer(self.g)))
hs1.update(Conversion.IP2OS(integer(self.h)))
hs1.update(Conversion.IP2OS(integer(self.y)))
msg = integer(Conversion.OS2IP(hs1.digest()))
self.z = ((msg ** ((self.p - 1) / self.q)) % self.p)
self.u = None
self.d = None
self.s1 = None
self.s2 = None
def verify_blind(self, cp, blind_signature):
# Convert to modular integer dictionary
sig = SigConversion.convert_dict_modint(json.loads(blind_signature))
cp_pubk = get_cp_pubkey(cp, self.timestamp, self.policy)
verifier = BlindSignatureVerifier(cp_pubk)
message = Conversion.OS2IP(self.pubk)
return verifier.verify(sig, message)
def encrypt(self, pk, m, salt=None):
octetlen = int(ceil(int(pk['N']).bit_length() / 8.0))
EM = self.paddingscheme.encode(m, octetlen, "", salt)
if debug: print("EM == >", EM)
i = Conversion.OS2IP(EM)
ip = integer(i) % pk['N'] #Convert to modular integer
return (ip**pk['e']) % pk['N']
def setup_method(self, message=None):
key = ECC.generate(curve='P-256')
self.message = Conversion.OS2IP(key.public_key().export_key(
format='DER')) if message is None else message
challenge = self.signer.get_challenge()
self.e = self.user.challenge_response(challenge, self.message)
proofs = self.signer.get_proofs(self.e)
self.sig = self.user.gen_signature(proofs)
def hash_util(d: dict or list) -> int:
"""
Creates a SHA256 hash of dict or list. Merely a helper function.
:param d: Input on which a hash needs to be generated.
:return: (int) Hash of the input d.
"""
hash_tmp = SHA256Hash().new(json.dumps(d).encode())
return Conversion.OS2IP(hash_tmp.digest())
def hash_util(d: dict or list) -> int:
try:
assert type(d) == dict or type(d) == list
except AssertionError:
print(type(d), file=sys.stderr)
hashable = json.dumps(d)
hash_tmp = SHA256Hash().new(hashable.encode())
return Conversion.OS2IP(hash_tmp.digest())
def encrypt(self, pk, m, salt=None):
if (self.paddingscheme.name == "SAEPEncryptionPadding"):
EM = self.paddingscheme.encode(m, pk['n'], pk['s0'])
else:
m = self.redundancyscheme.encode(m)
octetlen = int(ceil(int(pk['N']).bit_length() / 8.0))
EM = self.paddingscheme.encode(m, octetlen, "", salt)
if debug: print("EM == >", EM)
i = Conversion.OS2IP(EM)
ip = integer(i) % pk['N'] #Convert to modular integer
return (ip**2) % pk['N']
def test1(client, p, nonce, key_client, key_p):
group_object = PairingGroup('SS512')
shared_key = group_object.random(GT)
crypter_a = SymmetricCryptoAbstraction(
extractor(bytesToObject(key_client, group_object)))
crypter_b = SymmetricCryptoAbstraction(
extractor(bytesToObject(key_p, group_object)))
package_b = crypter_b.encrypt(
objectToBytes([shared_key, serialize_endpoint(client)], group_object))
package_a = crypter_a.encrypt(
objectToBytes([
Conversion.OS2IP(nonce), shared_key,
serialize_endpoint(p), package_b
], group_object))
return package_a
def hash(self, strID):
'''Hash the identity string and break it up in to l bit pieces'''
assert type(strID) == str, "invalid input type"
hash = self.sha2(strID)
val = Conversion.OS2IP(hash) #Convert to integer format
bstr = bin(val)[2:] #cut out the 0b header
v=[]
for i in range(self._length): #z must be greater than or equal to 1
binsubstr = bstr[self._bitsize*i : self._bitsize*(i+1)]
intval = int(binsubstr, 2)
intelement = self._group.init(ZR, intval)
v.append(intelement)
return v
def stringToInt(strID, zz, ll):
'''Hash the identity string and break it up in to l bit pieces'''
h = hashlib.new('sha1')
h.update(bytes(strID, 'utf-8'))
_hash = Bytes(h.digest())
val = Conversion.OS2IP(_hash) #Convert to integer format
bstr = bin(val)[2:] #cut out the 0b header
v=[]
for i in range(zz): #z must be greater than or equal to 1
binsubstr = bstr[ll*i : ll*(i+1)]
intval = int(binsubstr, 2)
intelement = group.init(ZR, intval)
v.append(intelement)
return v
def strToId(pk, strID):
getUserGlobals()
hash = sha1(strID)
val = Conversion.OS2IP(hash)
bstr = bin(val)[2:]
v = []
for i in range(pk[listIndexNoOfN_StrToId]):
binsubstr = bstr[pk[listIndexNoOfl_StrToId] *
i:pk[listIndexNoOfl_StrToId] * (i + 1)]
print(binsubstr)
intval = int(binsubstr, 2)
intelement = groupObjBuiltInFuncs.init(ZR, intval)
v.append(intelement)
return v
def gen_proof_handler(e: dict):
key = KeyModel.query.get((current_user.timestamp, current_user.policy))
signer = key.signer
signer.d = current_user.d
signer.u = current_user.u
signer.s1 = current_user.s1
signer.s2 = current_user.s2
# Do the appropriate conversions so that we can serialize
e = SigConversion.convert_dict_modint(e)
proofs = SigConversion.convert_dict_strlist(signer.get_proofs(e))
hash_tmp = SHA256Hash().new(json.dumps(proofs).encode())
hash_proof = Conversion.OS2IP(hash_tmp.digest())
resp = {'proof': proofs, 'hash': hash_proof}
return resp
def verify(self, pk, M, S):
modbits = int(pk['N']).bit_length()
k = int(ceil(modbits / 8.0))
emLen = int(ceil((modbits - 1) / 8.0))
if len(S) != k:
if debug: print("Sig is %s octets long, not %" % (len(S), k))
return False
s = Conversion.OS2IP(S)
s = integer(s) % pk['N'] #Convert to modular integer
m = (s**pk['e']) % pk['N']
EM = Conversion.IP2OS(m, emLen)
if debug:
print("Verifying")
print("k =>", k)
print("emLen =>", emLen)
print("s =>", s)
print("m =>", m)
print("em =>", EM)
print("S =>", S)
return self.paddingscheme.verify(M, EM, modbits - 1)
def sign(self, sk, M, salt=None):
#apply encoding
modbits = int(sk['N']).bit_length()
k = int(ceil(modbits / 8.0))
emLen = int(ceil((modbits - 1) / 8.0))
em = self.paddingscheme.encode(M, modbits - 1, salt)
m = Conversion.OS2IP(em)
m = integer(m) % sk['N'] #ERRROR m is larger than N
s = (m**sk['d']) % sk['N']
S = Conversion.IP2OS(s, k)
if debug:
print("Signing")
print("k =>", k)
print("emLen =>", emLen)
print("m =>", m)
print("em =>", em)
print("s =>", s)
print("S =>", S)
return S
def sign(self, sk, M, salt=None):
#apply encoding
while True:
octetlen = int(ceil(int(sk['N']).bit_length() / 8.0))
em = self.paddingscheme.encode(M, octetlen, "", salt)
m = Conversion.OS2IP(em)
m = integer(m) % sk['N'] #ERRROR m is larger than N
p = sk['p']
q = sk['q']
yp = sk['yp']
yq = sk['yq']
mp = (m**((p + 1) / 4)) % p
mq = (m**((q + 1) / 4)) % q
r1 = ((int(yp) * int(p) * int(mq)) +
((int(yq) * int(q) * int(mp)))) % int(sk['N'])
r2 = int(sk['N']) - int(r1)
s1 = (int(yp) * int(p) * int(mq) -
int(yq) * int(q) * int(mp)) % int(sk['N'])
s2 = int(sk['N']) - int(s1)
if (((int((integer(r1)**2) % sk['N'] - m)) == 0)
or ((int((integer(r2)**2) % sk['N'] - m)) == 0)
or ((int((integer(s1)**2) % sk['N'] - m)) == 0)
or ((int((integer(s2)**2) % sk['N'] - m)) == 0)):
break
S = {'s1': r1, 's2': r2, 's3': s1, 's4': s2}
if debug:
print("Signing")
print("m =>", m)
print("em =>", em)
print("S =>", S)
return S
def challenge_response(self, input, message):
rnd = input.get('rnd')
a = input.get('a')
b1 = input.get('b1')
b2 = input.get('b2')
msg = integer(Conversion.OS2IP(SHA1(Conversion.IP2OS(rnd))))
z1 = (msg**((self.p - 1) / self.q)) % self.p
gamma = self.group.random()
tau = self.group.random()
t1 = self.group.random()
t2 = self.group.random()
t3 = self.group.random()
t4 = self.group.random()
t5 = self.group.random()
zeta = self.z**gamma
zeta1 = z1**gamma
zeta2 = zeta / zeta1
alpha = a * (self.g**t1) * (self.y**t2) % self.p
beta1 = (b1**gamma) * (self.g**t3) * (zeta1**t4) % self.p
beta2 = (b2**gamma) * (self.h**t5) * (zeta2**t4) % self.p
eta = self.z**tau
epsilon = integer(
hash_int([zeta, zeta1, alpha, beta1, beta2, eta, message
])) % self.q
e = (epsilon - t2 - t4) % self.q
self.__store__(self, ('z1', z1), ('zeta', zeta), ('zeta1', zeta1))
self.__store__(self, ('zeta2', zeta2), ('alpha', alpha),
('beta1', beta1), ('beta2', beta2))
self.__store__(self, ('t1', t1), ('t2', t2), ('t3', t3), ('t4', t4),
('t5', t5))
self.__store__(self, ('gamma', gamma), ('tau', tau), ('eta', eta))
return {'e': e}
def get_challenge(self):
rnd = randomBits(80)
msg = integer(Conversion.OS2IP(SHA1(Conversion.IP2OS(rnd))))
z1 = ((msg ** ((self.p - 1) / self.q)) % self.p)
inv_z1 = (mulinv(z1, self.p)) % self.p
z2 = (int(self.z) * int(inv_z1)) % self.p
self.u = self.group.random()
self.s1 = self.group.random()
self.s2 = self.group.random()
self.d = self.group.random()
a = self.g ** self.u
b1 = (self.g ** self.s1) * (z1 ** self.d)
b2 = (self.h ** self.s2) * (z2 ** self.d)
return {'rnd': rnd, 'a': a, 'b1': b1, 'b2': b2}
def gen_proofs_handler(policy, es):
# Get policy from database and setup list
policy = PolicyModel.query.get(policy)
resp = list()
# Iterate through the challenge responses received
for x in es:
# Retrieve KeyModel object
timestamp = x.get('timestamp')
key = policy.get_key(timestamp)
# Retrieve SigVarsModel object so we can populate the signer with u and d
sigvars = current_user.get_sigvar(timestamp, policy.policy)
# Get policy pool
pool = policy.get_pool(timestamp)
if key and sigvars:
signer = key.signer
signer.d = sigvars.d
signer.u = sigvars.u
signer.s1 = sigvars.s1
signer.s2 = sigvars.s2
# Do the appropriate conversions so that we can serialize
x['e'] = SigConversion.strlist2modint(x.get('e'))
proofs = SigConversion.convert_dict_strlist(signer.get_proofs(x))
hash_tmp = SHA256Hash().new(json.dumps(proofs).encode())
hash_proof = Conversion.OS2IP(hash_tmp.digest())
# Add proofs to the pool
pool.append_to_pool(proofs)
resp.append({'timestamp': timestamp, 'hash_proof': hash_proof})
resp = {'policy': policy.policy, 'hash_proofs': resp}
return resp
def handle_challenge_util(signer_type: str,
signer_id: int,
resp: dict,
policy: int,
message: int = None):
"""
Utility function that takes care of type conversions and ultimately calls the signing function
:param signer_type: Whether a blind signature is being requested from a CP or an AP.
:param signer_id: The CP\\AP's participant ID
:param resp: The CP\\AP response to the challenge request.
:param policy: The policy for which the signature needs to be generated.
:param message: The message that the blind signature needs to be generated on.
:return: e: The challenge response that is used by the CP/AP's to generate the proofs.
"""
pubk = SigConversion.convert_dict_modint(resp.get('public_key'))
challenge = SigConversion.convert_dict_modint(resp.get('challenge'))
timestamp = resp.get('timestamp')
# Generate signer and keymodel
signer = UserBlindSignature(pubk)
key_model = KeyModel(provider_type=signer_type,
p_id=signer_id,
policy=policy,
signer=signer,
interval=timestamp)
if message is None:
message = Conversion.OS2IP(key_model.public_key)
e = SigConversion.convert_dict_strlist(
signer.challenge_response(challenge, message))
e['timestamp'] = timestamp
key_model.signer = signer
key_model.save_to_db()
return e
lsk_A_prime = waters.sha2(alpha_bytes + beta_bytes + r_1_bytes)
lsk_A_prime = lsk_A_prime[0:16]
# hash e and r_2 together to get esk_A_prime
esk_A_prime = waters.sha2(e_bytes + r_2_bytes)
esk_A_prime = esk_A_prime[0:16]
# calculate r and w
prf1 = MYPRF(lsk_A_prime)
tmp1 = prf1._encrypt(e_bytes)
prf2 = MYPRF(esk_A_prime)
tmp2 = prf2._encrypt(r_1_bytes)
tmp1 = tmp1['CipherText']
tmp2 = tmp2['CipherText']
tmp = group_order_bits // 8
r_value = Conversion.OS2IP(tmp1[0:tmp], True) + Conversion.OS2IP(
tmp2[0:tmp], True)
w_value = Conversion.OS2IP(tmp1[tmp:2 * tmp], True) + Conversion.OS2IP(
tmp2[tmp:2 * tmp], True)
r_value = r_value % group_order
w_value = w_value % group_order
capital_W_value = (g**w_value) % N_square
capital_X_value = (g**r_value) % N_square
capital_W_bytes = Conversion.IP2OS(capital_W_value, bits // 8)
capital_X_bytes = Conversion.IP2OS(capital_X_value, bits // 8)
# send N, group_order, g, hp_1, hp_2, W, X, t to party B
N_bytes = Conversion.IP2OS(N, bits // 8)
g_bytes = Conversion.IP2OS(g, bits // 8)
group_order_bytes = Conversion.IP2OS(group_order, bits // 8)
def access_service_post():
# Get nonce from service
res = requests.get('http://{}/request'.format(
current_app.config['service_host'])).json()
service_y = res.get('y')
# Setup parameters that are sent to the AP
params = {
'cp':
int(request.form.get('cp')),
'timestamp':
int(dateutil.parser.parse(request.form.get('timestamp')).timestamp()),
'policy':
int(request.form.get('policy'))
}
# Request-certs CP_i
res = requests.get('http://{}/request_certs'.format(
current_app.config['ap_host']),
params=params)
if res.status_code == 500:
flash("Error when requesting certs: " + res.json().get('message'),
"access_service_error")
return render_template('service_authenticate.html')
# Get data from response and find corresponding keymodel
data = res.json()
key_model = KeyModel.query.filter_by(
provider_type_=1,
p_id_=params.get('cp'),
policy_=params.get('policy'),
interval_timestamp_=params.get('timestamp')).first()
# Validate that block has not been altered
try:
validate_block(data)
except Exception as e:
flash("Error when validating block: " + str(e), "access_service_error")
return render_template('service_authenticate.html')
pubk = {'pubk': Conversion.OS2IP(key_model.public_key)}
# Get the challenge from the AP in order to prove that the user owns a specific keypair
res = requests.get('http://{}/prove_owner'.format(
current_app.config['ap_host']),
params=pubk)
y = res.json().get('y')
# Prove the user owns the private key corresponding to a set of proofs in the block
# Proof consists of the signature of the private key on the nonce y and the blind signature on the public key
try:
(proof, proof_owner) = prove_owner(y, data, key_model.proof_hash)
blind_signature = key_model.generate_blind_signature(
proof.get('proofs'))
proof_resp = json.dumps({
'y':
y,
'signature':
proof_owner[1],
'blind_signature':
json.dumps(SigConversion.convert_dict_strlist(blind_signature))
})
# Post the proofs
res = requests.post('http://{}/prove_owner'.format(
current_app.config['ap_host']),
json=proof_resp,
params=params)
# Receive access token for AP
access_info = res.json()
err = access_info
headers = {'Authorization': "Bearer " + access_info.get('access')}
# Request challenge from AP to issue blind signature
challenge = requests.get('http://{}/init_sig'.format(
current_app.config['ap_host']),
headers=headers).json()
# Handle challenge
try:
challenge['timestamp'] = params.get('timestamp')
e = json.dumps(
handle_challenge_ap(challenge, params.get('policy'),
service_y))
# Send Response
proof_response = requests.post('http://{}/generate_proof'.format(
current_app.config['ap_host']),
json=e,
headers=headers)
proofs = proof_response.json()
# Validate Response
try:
validate_proof(proofs)
except Exception as e:
flash("Error when validating proofs: " + str(e),
"access_service_error")
return render_template('service_authenticate.html')
# Get AP Keymodel
ap_key_model = KeyModel.query.filter_by(p_id_=2000,
provider_type_=2).first()
# Build signature
blind_signature = ap_key_model.generate_blind_signature(
proofs.get('proof'))
# Send signature on service_y to service
resp_service = {
'y':
service_y,
'sig':
json.dumps(
SigConversion.convert_dict_strlist(blind_signature)),
'policy':
params.get('policy'),
'timestamp':
params.get('timestamp')
}
# Get access to service
res = requests.post('http://{}/response'.format(
current_app.config['service_host']),
json=json.dumps(resp_service))
if res.status_code == 200:
return render_template('thanks.html')
else:
message = res.json().get('message')
flash("Response code was not 200: " + message,
"access_service_error")
return render_template('service_authenticate.html')
except Exception as e:
flash("There was an error when handling the challenge: " + str(e),
"access_service_error")
return render_template('service_authenticate.html')
except Exception as e:
flash(
"There was an error in the ownership proving stage. The blind signature likely failed to verify: "
+ str(e), "access_service_error")
return render_template('service_authenticate.html')
def sign(self, y:str) -> Tuple[int, int]:
key = self.key_pair
msg_hash = SHA256.new(bytes.fromhex(y))
signer = DSS.new(key, 'fips-186-3')
signature = signer.sign(msg_hash)
return Conversion.OS2IP(msg_hash.digest()), Conversion.OS2IP(signature)
def testPSSVector(self):
# ==================================
# Example 1: A 1024-bit RSA Key Pair
# ==================================
# ------------------------------
# Components of the RSA Key Pair
# ------------------------------
# RSA modulus n:
n = a2b_hex('\
a2 ba 40 ee 07 e3 b2 bd 2f 02 ce 22 7f 36 a1 95 \
02 44 86 e4 9c 19 cb 41 bb bd fb ba 98 b2 2b 0e \
57 7c 2e ea ff a2 0d 88 3a 76 e6 5e 39 4c 69 d4 \
b3 c0 5a 1e 8f ad da 27 ed b2 a4 2b c0 00 fe 88 \
8b 9b 32 c2 2d 15 ad d0 cd 76 b3 e7 93 6e 19 95 \
5b 22 0d d1 7d 4e a9 04 b1 ec 10 2b 2e 4d e7 75 \
12 22 aa 99 15 10 24 c7 cb 41 cc 5e a2 1d 00 ee \
b4 1f 7c 80 08 34 d2 c6 e0 6b ce 3b ce 7e a9 a5 '.replace(' ', ''))
n = Conversion.OS2IP(n, True)
# RSA public exponent e:
e = a2b_hex('01 00 01'.replace(' ', ''))
e = Conversion.OS2IP(e, True)
# Prime p:
p = a2b_hex('\
d1 7f 65 5b f2 7c 8b 16 d3 54 62 c9 05 cc 04 a2 \
6f 37 e2 a6 7f a9 c0 ce 0d ce d4 72 39 4a 0d f7 \
43 fe 7f 92 9e 37 8e fd b3 68 ed df f4 53 cf 00 \
7a f6 d9 48 e0 ad e7 57 37 1f 8a 71 1e 27 8f 6b '.replace(' ', ''))
p = Conversion.OS2IP(p, True)
# Prime q:
q = a2b_hex('\
c6 d9 2b 6f ee 74 14 d1 35 8c e1 54 6f b6 29 87 \
53 0b 90 bd 15 e0 f1 49 63 a5 e2 63 5a db 69 34 \
7e c0 c0 1b 2a b1 76 3f d8 ac 1a 59 2f b2 27 57 \
46 3a 98 24 25 bb 97 a3 a4 37 c5 bf 86 d0 3f 2f'.replace(' ', ''))
q = Conversion.OS2IP(q, True)
phi_N = (p - 1) * (q - 1)
e = e % phi_N
d = e**-1
# ---------------------------------
# Step-by-step RSASSA-PSS Signature
# ---------------------------------
# Message to be signed:
m = a2b_hex('\
85 9e ef 2f d7 8a ca 00 30 8b dc 47 11 93 bf 55 \
bf 9d 78 db 8f 8a 67 2b 48 46 34 f3 c9 c2 6e 64 \
78 ae 10 26 0f e0 dd 8c 08 2e 53 a5 29 3a f2 17 \
3c d5 0c 6d 5d 35 4f eb f7 8b 26 02 1c 25 c0 27 \
12 e7 8c d4 69 4c 9f 46 97 77 e4 51 e7 f8 e9 e0 \
4c d3 73 9c 6b bf ed ae 48 7f b5 56 44 e9 ca 74 \
ff 77 a5 3c b7 29 80 2f 6e d4 a5 ff a8 ba 15 98 \
90 fc '.replace(' ', ''))
# mHash:
mHash = a2b_hex('\
37 b6 6a e0 44 58 43 35 3d 47 ec b0 b4 fd 14 c1 \
10 e6 2d 6a'.replace(' ', ''))
# salt:
salt = a2b_hex('\
e3 b5 d5 d0 02 c1 bc e5 0c 2b 65 ef 88 a1 88 d8 \
3b ce 7e 61'.replace(' ', ''))
# M':
mPrime = a2b_hex('\
00 00 00 00 00 00 00 00 37 b6 6a e0 44 58 43 35 \
3d 47 ec b0 b4 fd 14 c1 10 e6 2d 6a e3 b5 d5 d0 \
02 c1 bc e5 0c 2b 65 ef 88 a1 88 d8 3b ce 7e 61'.replace(' ', ''))
# H:
H = a2b_hex('\
df 1a 89 6f 9d 8b c8 16 d9 7c d7 a2 c4 3b ad 54 \
6f be 8c fe'.replace(' ', ''))
# DB:
DB = a2b_hex('\
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 \
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 \
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 \
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 \
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 \
00 00 00 00 00 00 01 e3 b5 d5 d0 02 c1 bc e5 0c \
2b 65 ef 88 a1 88 d8 3b ce 7e 61'.replace(' ', ''))
# dbMask:
dbMask = a2b_hex('\
66 e4 67 2e 83 6a d1 21 ba 24 4b ed 65 76 b8 67 \
d9 a4 47 c2 8a 6e 66 a5 b8 7d ee 7f bc 7e 65 af \
50 57 f8 6f ae 89 84 d9 ba 7f 96 9a d6 fe 02 a4 \
d7 5f 74 45 fe fd d8 5b 6d 3a 47 7c 28 d2 4b a1 \
e3 75 6f 79 2d d1 dc e8 ca 94 44 0e cb 52 79 ec \
d3 18 3a 31 1f c8 97 39 a9 66 43 13 6e 8b 0f 46 \
5e 87 a4 53 5c d4 c5 9b 10 02 8d'.replace(' ', ''))
# maskedDB:
maskedDB = a2b_hex('\
66 e4 67 2e 83 6a d1 21 ba 24 4b ed 65 76 b8 67 \
d9 a4 47 c2 8a 6e 66 a5 b8 7d ee 7f bc 7e 65 af \
50 57 f8 6f ae 89 84 d9 ba 7f 96 9a d6 fe 02 a4 \
d7 5f 74 45 fe fd d8 5b 6d 3a 47 7c 28 d2 4b a1 \
e3 75 6f 79 2d d1 dc e8 ca 94 44 0e cb 52 79 ec \
d3 18 3a 31 1f c8 96 da 1c b3 93 11 af 37 ea 4a \
75 e2 4b db fd 5c 1d a0 de 7c ec'.replace(' ', ''))
# Encoded message EM:
EM = a2b_hex('\
66 e4 67 2e 83 6a d1 21 ba 24 4b ed 65 76 b8 67 \
d9 a4 47 c2 8a 6e 66 a5 b8 7d ee 7f bc 7e 65 af \
50 57 f8 6f ae 89 84 d9 ba 7f 96 9a d6 fe 02 a4 \
d7 5f 74 45 fe fd d8 5b 6d 3a 47 7c 28 d2 4b a1 \
e3 75 6f 79 2d d1 dc e8 ca 94 44 0e cb 52 79 ec \
d3 18 3a 31 1f c8 96 da 1c b3 93 11 af 37 ea 4a \
75 e2 4b db fd 5c 1d a0 de 7c ec df 1a 89 6f 9d \
8b c8 16 d9 7c d7 a2 c4 3b ad 54 6f be 8c fe bc'.replace(' ', ''))
# Signature S, the RSA decryption of EM:
S = a2b_hex('\
8d aa 62 7d 3d e7 59 5d 63 05 6c 7e c6 59 e5 44 \
06 f1 06 10 12 8b aa e8 21 c8 b2 a0 f3 93 6d 54 \
dc 3b dc e4 66 89 f6 b7 95 1b b1 8e 84 05 42 76 \
97 18 d5 71 5d 21 0d 85 ef bb 59 61 92 03 2c 42 \
be 4c 29 97 2c 85 62 75 eb 6d 5a 45 f0 5f 51 87 \
6f c6 74 3d ed dd 28 ca ec 9b b3 0e a9 9e 02 c3 \
48 82 69 60 4f e4 97 f7 4c cd 7c 7f ca 16 71 89 \
71 23 cb d3 0d ef 5d 54 a2 b5 53 6a d9 0a 74 7e'.replace(' ', ''))
if debug:
print("PSS Test Step by Step")
print("mHash = Hash(M)", mHash)
print("salt = random ", salt)
print("M' = Padding || mHash || salt", mPrime)
print("H = Hash(M')", H)
print("DB = Padding || salt", DB)
print("dbMask = MGF(H, length(DB))", dbMask)
print("maskedDB = DB xor dbMask", maskedDB)
print("EM = maskedDB || H || 0xbc", EM)
print("S = RSA decryption of EM", S)
rsa = RSA_Sig()
sk = {'phi_N': phi_N, 'd': d, 'N': n}
sig = rsa.sign(sk, m, salt)
assert S == sig
element_size = bits // 8
amount_expected = 7 * element_size + 20
data_received = b''
while len(data_received) < amount_expected:
data_received += connection.recv(amount_expected)
N_bytes = data_received[0:element_size]
group_order_bytes = data_received[element_size:2 * element_size]
g_bytes = data_received[2 * element_size:3 * element_size]
hp_1_bytes = data_received[3 * element_size:4 * element_size]
hp_2_bytes = data_received[4 * element_size:5 * element_size]
capital_W_bytes = data_received[5 * element_size:6 * element_size]
capital_X_bytes = data_received[6 * element_size:7 * element_size]
t_bytes = data_received[7 * element_size:amount_expected]
N_value = Conversion.OS2IP(N_bytes, True)
group_order = Conversion.OS2IP(group_order_bytes, True)
g_value = Conversion.OS2IP(g_bytes, True)
hp_1_value = Conversion.OS2IP(hp_1_bytes, True)
hp_2_value = Conversion.OS2IP(hp_2_bytes, True)
capital_W_value = Conversion.OS2IP(capital_W_bytes, True)
capital_X_value = Conversion.OS2IP(capital_X_bytes, True)
t_value = Conversion.OS2IP(t_bytes, True)
N_square = N_value**2
g_value = g_value % N_square
hp_1_value = hp_1_value % N_square
hp_2_value = hp_2_value % N_square
capital_X_value = capital_X_value % N_square
capital_W_value = capital_W_value % N_square
def testRSAVector(self):
# ==================================
# Example 1: A 1024-bit RSA Key Pair
# ==================================
# ------------------------------
# Components of the RSA Key Pair
# ------------------------------
# RSA modulus n:
n = a2b_hex('\
bb f8 2f 09 06 82 ce 9c 23 38 ac 2b 9d a8 71 f7 \
36 8d 07 ee d4 10 43 a4 40 d6 b6 f0 74 54 f5 1f \
b8 df ba af 03 5c 02 ab 61 ea 48 ce eb 6f cd 48 \
76 ed 52 0d 60 e1 ec 46 19 71 9d 8a 5b 8b 80 7f \
af b8 e0 a3 df c7 37 72 3e e6 b4 b7 d9 3a 25 84 \
ee 6a 64 9d 06 09 53 74 88 34 b2 45 45 98 39 4e \
e0 aa b1 2d 7b 61 a5 1f 52 7a 9a 41 f6 c1 68 7f \
e2 53 72 98 ca 2a 8f 59 46 f8 e5 fd 09 1d bd cb '.replace(' ', ''))
n = Conversion.OS2IP(n, True)
# RSA public exponent e:
e = a2b_hex('11')
e = Conversion.OS2IP(e, True)
# Prime p:
p = a2b_hex('\
ee cf ae 81 b1 b9 b3 c9 08 81 0b 10 a1 b5 60 01 \
99 eb 9f 44 ae f4 fd a4 93 b8 1a 9e 3d 84 f6 32 \
12 4e f0 23 6e 5d 1e 3b 7e 28 fa e7 aa 04 0a 2d \
5b 25 21 76 45 9d 1f 39 75 41 ba 2a 58 fb 65 99 '.replace(' ', ''))
p = Conversion.OS2IP(p, True)
# Prime q:
q = a2b_hex('\
c9 7f b1 f0 27 f4 53 f6 34 12 33 ea aa d1 d9 35 \
3f 6c 42 d0 88 66 b1 d0 5a 0f 20 35 02 8b 9d 86 \
98 40 b4 16 66 b4 2e 92 ea 0d a3 b4 32 04 b5 cf \
ce 33 52 52 4d 04 16 a5 a4 41 e7 00 af 46 15 03'.replace(' ', ''))
q = Conversion.OS2IP(q, True)
phi_N = (p - 1) * (q - 1)
e = e % phi_N
d = e**-1
# ----------------------------------
# Step-by-step RSAES-OAEP Encryption
# ----------------------------------
# Message to be encrypted:
M = a2b_hex('\
d4 36 e9 95 69 fd 32 a7 c8 a0 5b bc 90 d3 2c 49'.replace(' ', ''))
lhash = a2b_hex('\
da 39 a3 ee 5e 6b 4b 0d 32 55 bf ef 95 60 18 90 \
af d8 07 09'.replace(' ', ''))
# DB:
db = a2b_hex('\
da 39 a3 ee 5e 6b 4b 0d 32 55 bf ef 95 60 18 90 \
af d8 07 09 00 00 00 00 00 00 00 00 00 00 00 00 \
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 \
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 \
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 \
00 00 00 00 00 00 00 00 00 00 01 d4 36 e9 95 69 \
fd 32 a7 c8 a0 5b bc 90 d3 2c 49'.replace(' ', ''))
# Seed:
seed = a2b_hex('\
aa fd 12 f6 59 ca e6 34 89 b4 79 e5 07 6d de c2 \
f0 6c b5 8f '.replace(' ', ''))
# dbMask:
dbmask = a2b_hex('\
06 e1 de b2 36 9a a5 a5 c7 07 d8 2c 8e 4e 93 24 \
8a c7 83 de e0 b2 c0 46 26 f5 af f9 3e dc fb 25 \
c9 c2 b3 ff 8a e1 0e 83 9a 2d db 4c dc fe 4f f4 \
77 28 b4 a1 b7 c1 36 2b aa d2 9a b4 8d 28 69 d5 \
02 41 21 43 58 11 59 1b e3 92 f9 82 fb 3e 87 d0 \
95 ae b4 04 48 db 97 2f 3a c1 4e af f4 9c 8c 3b \
7c fc 95 1a 51 ec d1 dd e6 12 64'.replace(' ', ''))
# maskedDB:
maskeddb = a2b_hex('\
dc d8 7d 5c 68 f1 ee a8 f5 52 67 c3 1b 2e 8b b4 \
25 1f 84 d7 e0 b2 c0 46 26 f5 af f9 3e dc fb 25 \
c9 c2 b3 ff 8a e1 0e 83 9a 2d db 4c dc fe 4f f4 \
77 28 b4 a1 b7 c1 36 2b aa d2 9a b4 8d 28 69 d5 \
02 41 21 43 58 11 59 1b e3 92 f9 82 fb 3e 87 d0 \
95 ae b4 04 48 db 97 2f 3a c1 4f 7b c2 75 19 52 \
81 ce 32 d2 f1 b7 6d 4d 35 3e 2d '.replace(' ', ''))
# seedMask:
seedmask = a2b_hex('\
41 87 0b 5a b0 29 e6 57 d9 57 50 b5 4c 28 3c 08 \
72 5d be a9 '.replace(' ', ''))
# maskedSeed:
maskedseed = a2b_hex('\
eb 7a 19 ac e9 e3 00 63 50 e3 29 50 4b 45 e2 ca \
82 31 0b 26 '.replace(' ', ''))
# EM = 00 || maskedSeed || maskedDB:
em = a2b_hex('\
00 eb 7a 19 ac e9 e3 00 63 50 e3 29 50 4b 45 e2 \
ca 82 31 0b 26 dc d8 7d 5c 68 f1 ee a8 f5 52 67 \
c3 1b 2e 8b b4 25 1f 84 d7 e0 b2 c0 46 26 f5 af \
f9 3e dc fb 25 c9 c2 b3 ff 8a e1 0e 83 9a 2d db \
4c dc fe 4f f4 77 28 b4 a1 b7 c1 36 2b aa d2 9a \
b4 8d 28 69 d5 02 41 21 43 58 11 59 1b e3 92 f9 \
82 fb 3e 87 d0 95 ae b4 04 48 db 97 2f 3a c1 4f \
7b c2 75 19 52 81 ce 32 d2 f1 b7 6d 4d 35 3e 2d '.replace(' ', ''))
# Encryption:
enc = a2b_hex('\
12 53 e0 4d c0 a5 39 7b b4 4a 7a b8 7e 9b f2 a0 \
39 a3 3d 1e 99 6f c8 2a 94 cc d3 00 74 c9 5d f7 \
63 72 20 17 06 9e 52 68 da 5d 1c 0b 4f 87 2c f6 \
53 c1 1d f8 23 14 a6 79 68 df ea e2 8d ef 04 bb \
6d 84 b1 c3 1d 65 4a 19 70 e5 78 3b d6 eb 96 a0 \
24 c2 ca 2f 4a 90 fe 9f 2e f5 c9 c1 40 e5 bb 48 \
da 95 36 ad 87 00 c8 4f c9 13 0a de a7 4e 55 8d \
51 a7 4d df 85 d8 b5 0d e9 68 38 d6 06 3e 09 55 '.replace(' ', ''))
rsa = RSA_Enc()
pk = {'N': n, 'e': e}
sk = {'phi_N': phi_N, 'd': d, 'N': n}
c = rsa.encrypt(pk, M, seed)
C = Conversion.IP2OS(c)
if debug:
print("RSA OEAP step by step")
print("Label L = empty string")
print("lHash = ", lhash)
print("DB = ", db)
print("seed = ", seed)
print("dbMask = ", dbmask)
print("maskedDB = ", maskeddb)
print("seedMask = ", seedmask)
print("maskedSeed = ", maskedseed)
print("EM = ", em)
assert C == enc
def testOS2IP(self):
#9,202,000 = (0x)8c 69 50.
i = Conversion.OS2IP(b'\x8c\x69\x50')
self.assertEqual(i, 9202000)
def sign(data, private_key):
signer = RSA_Sig()
sig = signer.sign(private_key[1], data)
sig = Conversion.OS2IP(sig)
serial_data_and_sig = objectToBytes([data, sig], IntegerGroup())
return serial_data_and_sig
hp_2_bytes = data_received[element_size * 5 +
group_order_size:element_size * 6 +
group_order_size]
u_1_bytes = data_received[element_size * 6 +
group_order_size:element_size * 7 +
group_order_size]
u_2_bytes = data_received[element_size * 7 +
group_order_size:element_size * 8 +
group_order_size]
X_bytes = data_received[element_size * 8 +
group_order_size:element_size * 9 +
group_order_size]
t_bytes = data_received[element_size * 9 +
group_order_size:amount_expected]
group_p_value = Conversion.OS2IP(group_p_bytes, True)
#group_q_value = Conversion.OS2IP(group_q_bytes, True)
group_order = Conversion.OS2IP(group_order_bytes, True)
#print('group.p = ', group_p_value)
#print('group_order = ', group_order)
g_value = Conversion.OS2IP(g_bytes, True)
g_1_value = Conversion.OS2IP(g_1_bytes, True)
g_2_value = Conversion.OS2IP(g_2_bytes, True)
hp_1_value = Conversion.OS2IP(hp_1_bytes, True)
hp_2_value = Conversion.OS2IP(hp_2_bytes, True)
u_1_value = Conversion.OS2IP(u_1_bytes, True)
u_2_value = Conversion.OS2IP(u_2_bytes, True)
X_value = Conversion.OS2IP(X_bytes, True)
t_value = Conversion.OS2IP(t_bytes, True)
# group = IntegerGroup()
def hash_int(args):
hash = SHA256Hash()
for arg in args:
hash.update(Conversion.IP2OS(arg))
return Conversion.OS2IP(hash.digest())
lsk_A_prime = waters.sha2(tmp)
lsk_A_prime = lsk_A_prime[0:16] # get the first 128 bits
# hash e_bytes, r_2_bytes together to get esk_A_prime
tmp = e_bytes + r_2_bytes
esk_A_prime = waters.sha2(tmp)
esk_A_prime = esk_A_prime[0:16] # get the first 128 bits
# calculate r and x
prf1 = MYPRF(lsk_A_prime)
tmp1 = prf1._encrypt(e_bytes)
prf2 = MYPRF(esk_A_prime)
tmp2 = prf2._encrypt(r_1_bytes)
tmp1 = tmp1['CipherText']
tmp2 = tmp2['CipherText']
r_value = Conversion.OS2IP(tmp1[0:20], True) + Conversion.OS2IP(tmp2[0:20], True)
x_value = Conversion.OS2IP(tmp1[20:40], True) + Conversion.OS2IP(tmp2[20:40], True)
r_value = r_value % group_order
x_value = x_value % group_order
u_1_value = (g_1 ** r_value) % group.p
u_2_value = (g_2 ** r_value) % group.p
X_value = (g ** x_value) % group.p
# send group.p, group.q, g, g1, g2, hp1, hp2, u1, u2, X, t to party B
u_1_bytes = Conversion.IP2OS(u_1_value, 128)
u_2_bytes = Conversion.IP2OS(u_2_value, 128)
X_bytes = Conversion.IP2OS(X_value, 128)
to_send = group_p_bytes + group_q_bytes + g_bytes + g_1_bytes + g_2_bytes + hp_1_bytes + hp_2_bytes + u_1_bytes + u_2_bytes + X_bytes + t_bytes
# print('connecting to {} port {}'.format(*server_address))
# sock.connect(server_address)
