def checkFactors(p,q,N): x = g.f_mod( N, p ) y = g.f_mod( N, q ) zero = g.mpz('0') if g.is_prime(p) and g.is_prime(q): return N == g.mul(p,q) and x == zero and y == zero return False
def digitial_generation(self,message,Curve_Polynomial,X,Y,Order,A,d_A): r=np.array([0x0],dtype='uint32') m=hashlib.sha256(message).hexdigest() Order_np = self.str2nparray(Order) Order_int = int(Order,16) l=(len(Order_np)-1)*32+gmpy2.bit_length(int(Order_np[-1])) m = field.str2nparray(m) size = l/32+1 m=self.remove_1(m) if(l>=256): rem=l-256 chunk_added=(rem/32)+1 m=np.append(np.zeros(chunk_added,dtype='uint32'),m) part=32-(l+chunk_added)%32 else: m = m[len(m)-size:] part = 32-l%32 X1=m>>part Y1=m<<(32-part) Z=np.bitwise_xor(Y1[1:],X1[:-1]) Z=np.append(Z,X1[-1]) Z = self.nparray2str(Z) Z = int(Z,16) Z = gmpy2.f_mod(Z,Order_int) S=0 while(S==0): while(np.all(r[0]==0)): k=random.randint(1,Order_int-1) r=self.bin_public_key_gen(X,Y,A,k) k_inv=gmpy2.invert(k,Order_int) r = self.nparray2str(r[0]) r = int(r,16) r=gmpy2.f_mod(r,Order_int) rd_A = gmpy2.mul(r,d_A) rd_A = gmpy2.f_mod(rd_A,Order_int) Zrd_A = rd_A + Z Zrd_A = int(Zrd_A) k_inv = int(k_inv) S = gmpy2.mul(Zrd_A,k_inv) S = gmpy2.f_mod(S,Order_int) return r,S
def digitial_Verification(self,message,Order,X,Y,A,d_A,r,S): X=self.str2nparray(X) Y=self.str2nparray(Y) A=self.str2nparray(A) m=hashlib.sha256(message).hexdigest() Order_np = self.str2nparray(Order) Order_int = int(Order,16) l=(len(Order_np)-1)*32+gmpy2.bit_length(int(Order_np[-1])) m = field.str2nparray(m) size = l/32+1 m=self.remove_1(m) if(l>=256): rem=l-256 chunk_added=(rem/32)+1 m=np.append(np.zeros(chunk_added,dtype='uint32'),m) part=32-(l+chunk_added)%32 else: m = m[len(m)-size:] part = 32-l%32 X1=m>>part Y1=m<<(32-part) Z=np.bitwise_xor(Y1[1:],X1[:-1]) Z=np.append(Z,X1[-1]) Z = self.nparray2str(Z) Z = int(Z,16) Z = gmpy2.f_mod(Z,Order_int) #####Truncated Message w=gmpy2.invert(S,Order_int) u1 = gmpy2.mul(Z,w) u1 = gmpy2.f_mod(u1,Order_int) u2 = gmpy2.mul(r,w) u2 = gmpy2.f_mod(u2,Order_int) Q_A=self.public_key_gen(X,Y,A,d_A) #Q_A = d_A * G X1=self.public_key_gen(X,Y,A,int(u1)) X2=self.public_key_gen(Q_A[0],Q_A[1],A,int(u2)) #u2*Q_A X3=self.point_add(X1[0],X1[1],X2[0],X2[1],A) X3=self.nparray2str(X3[0]) X3 = gmpy2.f_mod(int(X3,16),Order_int) #print X3[0] return X3
def create_primes_index(list_primes): list_start_index = [] for i in range(0, n_smooth + 1): p = list_primes[i] sqr1 = sqrt_modulo.sqrt_modular(N, p) sqr2 = p - sqr1 start_index1 = gmpy2.f_mod(gmpy2.sub(sqr1 - start), p) start_index2 = gmpy2.f_mod(gmpy2.sub(sqr2 - start), p) list_start_index.append([start_index1, start_index2]) return list_start_index
def mypowmod(a, b, N): ret = 1 while b > 0: if b & 1 == 1: ret = gmpy2.mul(ret,a) ret = gmpy2.f_mod(ret,N) a = gmpy2.mul(a,a) a = gmpy2.f_mod(a,N) b = b >> 1 return gmpy2.f_mod(ret,N)
def main(): # predefine these, we will stop overwriting them when ready to run the big numbers p=mpz('13407807929942597099574024998205846127' '47936582059239337772356144372176403007' '35469768018742981669034276900318581848' '6050853753882811946569946433649006084171' ) g=mpz('117178298803662070095161175963353670885' '580849999989522055999794590639294997365' '837466705721764714603129285948296754282' '79466566527115212748467589894601965568' ) y=mpz('323947510405045044356526437872806578864' '909752095244952783479245297198197614329' '255807385693795855318053287892800149470' '6097394108577585732452307673444020333' ) log.info("Starting Discrete Log Calculation") log.info("p: %i", p) log.info("g: %i", g) log.info("y: %i", y) m = gmpy2.ceil(gmpy2.sqrt(p)) log.info("m: %i", m) # custom range since builtin has a size limit long_range = lambda start, stop: iter(itertools.count(start).next, stop) chunk_size = 100000 if m < 100000: chunk_size = m stop_at = chunk_size start = 0 while True: chunk = {} log.info("Starting chunk from %i to %i", start, stop_at) for i in xrange(start, stop_at): chunk[gmpy2.powmod(g,i,p)] = i for t in long_range(0,m): expone = mpz(gmpy2.mul(-m,t)) g_term = gmpy2.powmod(g, expone, p) res = gmpy2.f_mod(gmpy2.mul(y, g_term), p) if res in chunk: s = chunk[res] dc = gmpy2.f_mod(mpz(gmpy2.add(s, gmpy2.mul(m,t))), p) log.info("DC LOG FOUND") log.info("dc: %i", dc) return log.info("Completed chunk run: %i to %i no DC yet :(", start, stop_at) start = stop_at stop_at += chunk_size
def create_left_side_hash(self): dict = {} search_space = pow(2, SEARCH_SPACE_EXPONENT) for i in range(1, search_space): left_side_value = gmpy2.f_mod( (HVALUE * gmpy2.powmod(GENERATOR, -i, PRIME)), PRIME) dict[left_side_value] = i if gmpy2.f_mod(i, 100000) == 0: print i return dict
def bruteSmall(N): zero = g.mpz(0) two = g.mpz(2) if g.f_mod(N, two) == zero: return two, g.mpz(g.div(N, two)) i = g.mpz(3) while True: if g.f_mod(N, i) == zero: p = g.mpz(i) q = g.mpz( g.div(N,i) ) if checkFactors(p,q,N) : return p,q i = g.add(i, two)
def hash_table(h, g, p, B): table = dict() # Table to store x1 and h/(g**x1) values for x1 in range(B - 1): val = gmpy2.f_mod(gmpy2.mul(h, gmpy2.powmod(g, -x1, p)), p) table.update({val: x1}) return table
def findx(table,numiter): gb = gmpy2.f_mod(pow(g1,numiter),p1) res = gb for i in range(0,numiter+1): if i == 0: aux = 1 else: aux = gmpy2.f_mod(gmpy2.mul(res,gb),p1) res = aux if aux in hashtable: x1 = hashtable[aux] x = i * numiter + x1 print "x=", x
def gen_hash_table(numiter): hash_table = {} hash_table[0] = gmpy2.f_mod(h1,p1) r = gmpy2.divm(h1,g1,p1) aux2 = gmpy2.divm(mpz(1),g1,p1) for i in range(1,numiter+1): if i == 1: aux = gmpy2.f_mod(gmpy2.mul(r,1),p1) else: aux = gmpy2.f_mod(gmpy2.mul(r,aux2),p1) hash_table[aux] = i r = aux return hash_table
def check_right_side_against_hash(self, hashed_left_data): search_space = pow(2, SEARCH_SPACE_EXPONENT) for i in range(1, search_space): e = search_space * i right_side_result = gmpy2.powmod(GENERATOR, e, PRIME) if right_side_result in hashed_left_data: print("x1: ", i) print("x0: ", hashed_left_data[right_side_result]) final_answer = gmpy2.f_mod(( (i * search_space) + hashed_left_data[right_side_result]), PRIME) print("x0 * B + x1 mod p: ", final_answer) print("Check final answer: ", gmpy2.powmod(GENERATOR, final_answer, PRIME)) return if gmpy2.f_mod(i, 100000) == 0: print("Checked: ", i)
def eea(a, b): r, r1 = a, b s, s1 = 1, 0 t, t1 = 0, 1 while r1 != 0: q = gmpy2.div(r, r1) r2 = gmpy2.f_mod(r, r1) r, s, t, r1, s1, t1 = r1, s1, t1, r2, gmpy2.sub(s, gmpy2.mul(s1, q)), gmpy2.sub(t, gmpy2.mul(t1, q)) d = r return d, s, t
def findLog(): leftSide = {} for x1 in range(0,middleSize): leftSide[calculateLeft(x1)] = x1 for x0 in range(0,middleSize): num = calculateRight(x0) if num in leftSide: print "x0: ", x0 print "x1: ", leftSide[num] print "x: ", gmpy2.f_mod(gmpy2.mul(x0*middleSize)+leftSide[num],p) break
def probable_prime(prime, i): for k in range(0,10000000): p = prime + k # check to see if p is prime a = gmpy2.powmod(2, p-1, p) # check to see if 3 divides into prime - 1 b = gmpy2.mpz(gmpy2.f_mod(p-1, 3)) if (a == 1 and b == 1): print "k_%i = %i" %(i, k) print "p_%i = %i" %(i, p) return p
def run(p,g,h): B=mpz(2**20) limit = B+1 g = gmpy2.f_mod(g,p) hashd={} st = time.time() for x1 in xrange(limit+1): hashd[ gmpy2.f_mod( h* gmpy2.powmod(g,-x1,p) ,p) ] =x1 # if gmpy2.f_mod( h* gmpy2.powmod(g,-x1,p) ,p) <> #gmpy2.f_mod( gmpy2.f_div( h, gmpy2.powmod(g,x1,p) ),p): # print x1 g_pow_B = gmpy2.powmod(g,B,p) print 'finished stage A',time.time()-st print len(hashd) st = time.time() for x0 in xrange(limit+1): rhs = gmpy2.powmod(g_pow_B,x0,p) if rhs in hashd: x1=hashd[rhs] x0,x1 = mpz(x0),mpz(x1) print x0,x1,gmpy2.f_mod(x0*B+x1,p),x0*B+x1 print 'finished stage B',time.time()-st
def compute_discrete_log(p, h, g, B): map = {} g_to_the_B = powmod(g, B, p) for x0 in range(1, 2 ** 20): map[powmod(g_to_the_B, x0, p)] = x0 print("Done with step 1!") for x1 in range(1, 2 ** 20): g_to_x1 = powmod(g, x1, p) left_hand = f_mod(invert(g_to_x1, p) * h, p) if map.get(left_hand) is not None: x0 = map.get(left_hand) print((x0, x1, B)) return mpz(x0) * B + mpz(x1) return "No luck"
def compute_hash_table(h, g, p): """ :param h: 22 :param g: 43 :param p: 35 :return: {mpz(8): 2, mpz(1): 3, mpz(29): 1, mpz(22): 0} """ hash_table = dict() for x1 in range(2 ** 20 + 1): denominv = pow(g, x1, p) # 计算分母 denom = gmpy2.invert(denominv, p) # 计算1/分母 tval = gmpy2.mul(h, denom) # 计算h * 1/分母 res = gmpy2.f_mod(tval, p) # 对p求模 hash_table.setdefault(res, x1) return hash_table
def get_smoothness(_start, delta, list_primes, pos, output): print("start process " + str(pos)) segment = math.ceil(delta / 10) V = [] for k in range(0, 10): start_p = pos * delta + k * segment end_p = pos * delta + (k + 1) * segment if end_p > offset: end_p = offset listNN = [] for j in range(start_p, end_p): listNN.append(gmpy2.sub(gmpy2.mul(gmpy2.add(_start, j), gmpy2.add(_start, j)), N)) for i in range(0, n_smooth + 1): p = list_primes[i] index = 0 for index in range(0, len(listNN)): if gmpy2.f_mod(listNN[index], p) == 0: break index += start_p start_index1 = gmpy2.f_mod(index, p) for n in range(index - start_p, len(listNN), p): while gmpy2.f_mod(listNN[n], p) == 0: listNN[n] = gmpy2.div(listNN[n], p) start_index2 = gmpy2.f_mod(gmpy2.sub(gmpy2.sub(p, gmpy2.f_mod(gmpy2.add(_start, start_index1), p)), _start),p) index2 = gmpy2.sub(p, gmpy2.f_mod(gmpy2.sub(start_p, start_index2), p)) if start_index2 != start_index1: for n in range(index2, len(listNN), p): while gmpy2.f_mod(listNN[n], p) == 0: listNN[n] = gmpy2.div(listNN[n], p) for i in range(0, len(listNN)): if listNN[i] == 1: start1 = gmpy2.add(_start, start_p) num = gmpy2.sub(gmpy2.mul(gmpy2.add(start1, i), gmpy2.add(start1, i)), N) V.append(num) output.put((pos, V)) print("end process " + str(pos))
def decrypt(c, lbd, mu, n): """ Decrypts encrypted number c with respect to private keys lambda and mu (and public key n) Parameters: m: number to be encrypted lbd,mu: private keys used for the decryption n: public key necessary for decryption Returns: c: encrypted representation of m """ n2 = pow(n, 2) one = gmpy2.mpz(1) x = gmpy2.sub(gmpy2.powmod(c, lbd, n2), one) m = gmpy2.f_mod(gmpy2.mul(gmpy2.f_div(x, n), mu), n) if m >= gmpy2.f_div(n, 2): m = m - n return m
def verifyByCode(self, vArr, verbal): randomVec = [ int(gmpy2.mpz_random(self.rs, self.order)) for i in range(self.n - self.t) ] codewordInDual = self.code.getCodewordInDual(randomVec) codewordInDual = [ gmpy2.f_mod(mpz(int(ele)), self.order) for ele in codewordInDual ] if verbal: print "Random codeword from dual : " + tostr(codewordInDual) if verbal: print "Intermediates" product = (0L, 0L) for vi, ci in zip(vArr, codewordInDual): temp = ec.multiply(vi, ci) if verbal: print str(ci) + " x " + tostr(vi) + " = " + tostr(temp) product = ec.add(product, temp) if verbal: print "Product : " + tostr(product) if product == (0L, 0L): if verbal: print "...Codeword valid : v"
def F_x(self,k,lsc,lc):#lsc是s的系数列表,lc是常数项列表 Fk = list() Fc = gmpy2.mpz(1) self.Fkg = list() qm = gmpy2.mpz(730750818665451621361119245571504901405976559617) for i in range(k): Fc = Fc * lsc[i] temp1 = gmpy2.divm(gmpy2.mpz(1),lsc[i],qm) lc[i] = gmpy2.mul(lc[i],temp1) #lsc[i] = gmpy2.mpz(1) for i in range(k): p = np.poly1d([gmpy2.mpz(1),lc[i]]) #print(p) Fk.append(p) temp = Fk[0] for j in range(1,k): temp = temp * Fk[j] self.Fkg = list(temp.coef) for n in range(k): self.Fkg[n] = self.Fkg[n] * Fc self.Fkg[i] = gmpy2.f_mod(self.Fkg[i],q)
def encrypt(m, n, g): """ Encrypts a message, given a public key. Parameters: m: number to be encrypted n,g: public keys used for the decryption Returns: c: encrypted representation of m """ n2 = pow(n, 2) one = gmpy2.mpz(1) state = gmpy2.random_state(int_time()) r = gmpy2.mpz_random(state, n) while gmpy2.gcd(r, n) != one: state = gmpy2.random_state(int_time()) r = gmpy2.mpz_random(state, n) x = gmpy2.powmod(r, n, n2) c = gmpy2.f_mod(gmpy2.mul(gmpy2.powmod(g, m, n2), x), n2) return c
def william_p1(n, process_id): # this algorithm technically works but literally none of the modulos were p+1 so idk # choose a B (work limit) to start with if gmpy2.bit_length(gmpy2.mpz(n)) <= 2044: work_limit = pow(n, (1 / 6)) else: work_limit = gmpy2.div(n, 27) threshold = 3 previous_sub2 = 2 # A needs to be greater than 2 to start with so we therefore start with 3 A = process_id + 3 previous = A counter = 0 # if the counter ever reaches m, terminate while counter != threshold: counter += 1 # current = (a^(current-1) - current-2) % n) current = (((A**previous) - previous_sub2) % n) # move the previous variables forward previous_sub2 = previous previous = current d = gmpy2.gcd(current - 2, n) if d != 1 and d != n: # calculate the factorial of m mult = gmpy2.fac(threshold) if DEBUG: print(d, mult) # check to see if we've found the terminating conditions for p + 1 if gmpy2.f_mod(mult, d): return d else: # increment threshold by 1 if we haven't found anything threshold += 1 if threshold > work_limit: return 1 return 1
def __init__(self, a_in, b_in, p_in): self.a = mpz(a_in) self.b = mpz(b_in) self.p = mpz(p_in) self.generator = (0, 0) self.field = [] self.sqrtCheats = {mpz(0): mpz(0)} self.q = 0 for i in range(1, self.p // 2 + 1): sq = gmpy2.f_mod(mpz(i * i), self.p) self.sqrtCheats[sq] = mpz(i) #print self.sqrtCheats self.points = [] for i in range(self.p): x = mpz(i) y = self.findY(x) if y != None: if y == 0: self.points.append((x, y)) else: self.points += [(x, y), (x, self.p - y)]
def findFactoredNeighboredPrime(nbits): rs = gmpy2.random_state(gmpy2.f_mod(mpz(time.time()), 60)) m = mpz(2**(nbits - 1)) test = mpz(1) while not gmpy2.is_prime(test + 1) or test < mpz(2**(nbits - 1)): seq = [m] temp = m # Algorithm 9.5, V.Shoup # constructs a random non-increasing sequence with m as maximum while temp > 1: temp = gmpy2.mpz_random(rs, temp) + 1 seq.append(temp) test = mpz(1) seq.reverse() primes = [] for num in seq: if gmpy2.is_prime(num): test *= num primes.append(num) if test > 2**(nbits - 1): break return (test + 1, primes)
def Gen_response(self,slist,split_ID,hksplit_ID):#t代表多项式的项数,n代表分片的数量 pairing = global_variable.get_pairing() g1 = global_variable.get_g1() self.__response = gmpy2.mpz(0) coef_hk = dict() for i in range(len(slist)-2): temp = slist[i] temp1 = hksplit_ID[len(slist)-1-i] temp2 = gmpy2.mul(temp , temp1) temp2 = gmpy2.f_mod(temp2,q) coef_hk[i+2] = temp2 #存m个f(i)+a[i]连乘的结果 fk_ID = (np.polyval(slist,split_ID)) fk_ID = fk_ID % q for l in coef_hk: coefhk = coef_hk[l] fk_ID = gmpy2.sub(fk_ID , coefhk) fk_ID = fk_ID % q self.__response = fk_ID self.__comm_response_ID = Element(pairing, G1) self.__comm_response_ID = g1 ** int(self.__response) return self.__comm_response_ID,self.__response
def check_delta(self): """"check delta condidtion with definition, gcd(delta, n) = 1""" return f_mod((4 * (self.A * self.A * self.A) + 27 * (self.B * self.B)), self.P) != 0
def mpz_mod_modified(op1, op2): rop = gmpy2.f_mod(mpz(op1), mpz(op2)) temp = gmpy2.f_div(mpz(op2), two) if rop > temp: rop = gmpy2.sub(rop, mpz(op2)) return rop
def check_point(self, X, Y): """"Check if point belong to this curve Y^2 == X^3 + A*X + B """ return f_mod((Y * Y), self.P) == f_mod( (X * X * X + self.A * X + self.B), self.P)
import gmpy2 from timeit import default_timer as timer start=timer() p=gmpy2.mpz(13407807929942597099574024998205846127479365820592393377723561443721764030073546976801874298166903427690031858186486050853753882811946569946433649006084171) g=gmpy2.mpz(11717829880366207009516117596335367088558084999998952205599979459063929499736583746670572176471460312928594829675428279466566527115212748467589894601965568) h=gmpy2.mpz(3239475104050450443565264378728065788649097520952449527834792452971981976143292558073856937958553180532878928001494706097394108577585732452307673444020333) print(p+g) PA={} B=gmpy2.mpz(2**20) index=[] for i in range(1,2**20):#2**20): guess=gmpy2.f_mod( gmpy2.mul(gmpy2.invert( gmpy2.powmod(g,i,p),p),h),p) #table[guess%B].append(guess%p) #table[guess%B].append(i) PA[guess]=i for j in range(1,2**20): result=gmpy2.powmod(g,B*j,p) if result in PA: print("Found X=",PA[result]+j*B) break end=timer() print(end-start)
77723561443721764030073546976801874298166903427690031\ 858186486050853753882811946569946433649006084171') g = mpz('11717829880366207009516117596335367088558084999998952205\ 59997945906392949973658374667057217647146031292859482967\ 5428279466566527115212748467589894601965568') h = mpz('323947510405045044356526437872806578864909752095244\ 952783479245297198197614329255807385693795855318053\ 2878928001494706097394108577585732452307673444020333') B = 2 ** 20 hash = {} print 'start building...' for x1 in range(B): if x1 % 10000 == 0: print '%d completed.' % x1 left = f_mod(h * powmod(g, -x1, p), p) hash[left] = x1 for x0 in range(B): if x0 % 10000 == 0: print '%d completed.' % x0 right = powmod(g, x0 * B, p) if right in hash: x = x0 * B + hash[right] print 'Solution:\t', x break
def recover_poly(self, split, t, userid): poly_coef_up = dict() poly_coef_down = list() poly_coef = dict() qm = gmpy2.mpz(730750818665451621361119245571504901405976559617) for i in range(t): coef_of_variable = list() coef_of_constant = list() akcoef1 = list() temp1 = 1 for j in range(t): if j != i: coef_of_variable.append(1) coef_of_constant.append(-(userid[j + 1])) coef = self.__F_x(len(coef_of_variable), coef_of_variable, coef_of_constant) poly_coef_up[i + 1] = coef for m in range(t): akcoef1.append(userid[m + 1]) for m in range(t): if m != i: temp1 = gmpy2.mul(temp1, (gmpy2.sub(akcoef1[i], akcoef1[m]))) temp1 = gmpy2.f_mod(temp1, q) poly_coef_down.append(temp1) for i in range(t): poly_coef_up_i = poly_coef_up[i + 1] poly_coef_down_i = poly_coef_down[i] temp4 = list() for j in range(len(poly_coef_up_i)): poly_coef_up_i[0] = gmpy2.mpz(1) temp2 = poly_coef_up_i[j] temp3 = gmpy2.divm(temp2, poly_coef_down_i, qm) temp4.append(temp3) poly_coef[i + 1] = temp4 split_recover = list() #存用于恢复多项式的分片 __recover_poly_coef = list() #恢复后的多项式系数 split_mul_poly = dict() m = 0 for i in range(t): m += 1 if m <= 3: split_recover.append(split[akcoef1[i]]) for i in range(t): temp7 = list() temp5 = poly_coef[i + 1] for j in range(len(temp5)): temp6 = gmpy2.mul(split_recover[i], temp5[j]) temp6 = gmpy2.f_mod(temp6, q) temp7.append(temp6) split_mul_poly[i] = temp7 __recover_poly_coef = split_mul_poly[0] for i in range(t): if i != 0: temp = split_mul_poly[i] for j in range(len(__recover_poly_coef)): __recover_poly_coef[j] = gmpy2.add(__recover_poly_coef[j], temp[j]) __recover_poly_coef[j] = gmpy2.f_mod( __recover_poly_coef[j], q) __secret_of_poly = np.polyval(__recover_poly_coef, 0) #由恢复出来的多项式得到的秘密值 __secret_of_poly = gmpy2.f_mod(__secret_of_poly, qm) return __recover_poly_coef, __secret_of_poly
def calculateRight(x0): power = pow(g,gmpy2.mul(middleSize , x0),p) return gmpy2.f_mod(power,p)
def mod(self, a): return gmpy2.f_mod(a, self.Prime)
def add(self, x, y): sum = gmpy2.f_mod(gmpy2.mul(x, y), self.N * self.N) return sum
print("======g=0(mod q)=======") g=0 k=147 x1=1331 x2=3131 m1="Hello,world" m2="Goodbye,world" a=sha.new() h1=a.update(m1) h1=a.hexdigest() a=sha.new() h2=a.update(m2) h2=a.hexdigest() c=DSA() r=c.calcR(k,p,q) s1=gmpy2.f_mod(gmpy2.mpz(gmpy2.mul(gmpy2.invert(k,q),gmpy2.add(int(h1,16),gmpy2.mul(x1,r)))),q) s2=gmpy2.f_mod(gmpy2.mpz(gmpy2.mul(gmpy2.invert(k,q),gmpy2.add(int(h1,16),gmpy2.mul(x2,r)))),q) print "当x=1331,s等于:"+str(s1) print "当x=3131,s等于:"+str(s2) print "可见签名与私钥无关!" s3=gmpy2.f_mod(gmpy2.mul(gmpy2.mul(gmpy2.invert(k,q),(int(h1,16))),gmpy2.mul(gmpy2.invert(int(h1,16),q),int(h2,16))),q) s4=gmpy2.f_mod(gmpy2.mpz(gmpy2.mul(gmpy2.invert(k,q),gmpy2.add(int(h2,16),gmpy2.mul(x2,r)))),q) print "由hello,world的伪造的签名(s)值:"+str(s3) print "计算goodbye,world的签名(s)值:"+str(s4) print "伪造成功!" print("\n======g=1(mod q)=======") g=p+1 y=gmpy2.powmod(g,k,p) import random z=random.randint(1,1301019) print "对任意z都成立!"
def __Gen_vk(self, t, n, k): #获取全局变量 pairing = global_variable.get_pairing() g1 = global_variable.get_g1() #生成秘密 secret 的承诺 secret_k = dict() secret = self.__f[0] temp = secret secret_k[1] = secret for i in range(k): if i >= 1: temp = gmpy2.mul(temp, secret) temp = gmpy2.f_mod(temp, q) secret_k[i + 1] = temp commitment_s_i = Element(pairing, G1) self.__commitment_s = dict() for i in secret_k: commitment_s_i = g1**int(secret_k[i]) self.__commitment_s[i] = commitment_s_i #print ("commitment_s = \n",self.__commitment_s) #生成 f(x) 的承诺 commitment_fx_coef = self.__comm(self.__f, 1, t, pairing, g1) print("the commitment of fx = \n", commitment_fx_coef) self.__commitment_fx_joint = str(commitment_fx_coef[0]) for i in range(t - 1): self.__commitment_fx_joint = self.__commitment_fx_joint + str( commitment_fx_coef[i + 1]) #print("the joint of fx = \n",self.__commitment_fx_joint) #生成 r self.__r = 0 r = sha256() r.update(self.__commitment_fx_joint.encode("utf8")) dr = r.hexdigest() self.__r = int(dr, 16) self.__r = gmpy2.mpz(self.__r) self.__r = gmpy2.f_mod(self.__r, q) #print("r = \n",self.__r) #生成 f(r) 和 f(r)^k 的承诺 self.__commitment_fr_k = dict() fr = self.__fun(self.__f, 1, t, self.__r) comm_fr = Element(pairing, G1) comm_fr = g1**int(fr) self.__commitment_fr_k[1] = comm_fr fr_i = fr for i in range(k - 1): fr_i = fr_i * fr comm_fr_i = Element(pairing, G1) comm_fr_i = g1**int(fr_i) self.__commitment_fr_k[i + 2] = comm_fr_i print("commitment_fr_k = \n", self.__commitment_fr_k) #生成 ck(x) 的承诺 commitment_ck_coef = dict() self.__commitment_ck_joint = dict() for i in self.__ck: commitment_ck_i = list() ck_i = self.__ck[i] commitment_ck_i = self.__comm(ck_i, 1, t, pairing, g1) commitment_ck_coef[i] = commitment_ck_i #print("commitment_ck_coef = \n", commitment_ck_coef) for i in commitment_ck_coef: comm_ci_coef = commitment_ck_coef[i] str_comm_ci_coef = str(comm_ci_coef[0]) str_comm_ci_coef = str_comm_ci_coef[:130] for j in range(t - 1): str_comm_ci_coef = str_comm_ci_coef + str(comm_ci_coef[j + 1]) self.__commitment_ck_joint[i] = str_comm_ci_coef #print("commitment_ck_joint = \n",self.__commitment_ck_joint) #生成 hk(x) 的承诺 commitment_hk_coef = dict() #用于存储基点与hk各个系数的点乘结果 self.__commitment_hk_joint = dict() #用于存储拼接后的hk的承诺 for i in self.__hk: commitment_hk_i = list() hk_i = self.__hk[i] commitment_hk_i = self.__comm(hk_i, i, t, pairing, g1) commitment_hk_coef[i] = commitment_hk_i #print("commitment_hk_coef = \n",commitment_hk_coef) for i in commitment_hk_coef: comm_hi_coef = commitment_hk_coef[i] str_comm_hi_coef = str(comm_hi_coef[0]) str_comm_hi_coef = str_comm_hi_coef[:130] for j in range(i * t - i): str_comm_hi_coef = str_comm_hi_coef + str(comm_hi_coef[j + 1]) self.__commitment_hk_joint[i] = str_comm_hi_coef #print("commitment_hk_joint = \n",self.__commitment_hk_joint) #生成 f(x) 分片 f(i) 的承诺,用于安全传输 self.__commitment_split = dict() for i in self.__split: comm_split = Element(pairing, G1) comm_split = g1**int(self.__split[i]) self.__commitment_split[i] = comm_split #print("commitment_split = \n",self.__commitment_split) #生成 hk(x) 分片 hk(i) 的承诺,用于安全传输 self.__commitment_hk_split = dict() for i in self.__hksplit: hksplit_key = self.__hksplit[i] comm_hksplit_key = dict() for key in hksplit_key: comm_hksplit = Element(pairing, G1) comm_hksplit = g1**int(hksplit_key[key]) comm_hksplit_key[key] = comm_hksplit self.__commitment_hk_split[i] = comm_hksplit_key
def calculateLeft(x1): denominv = gmpy2.f_mod(pow(g, x1,p),p) denom = gmpy2.invert(denominv, p) tval = gmpy2.mul(h, denom) return gmpy2.f_mod(tval, p)
def random_from_interval(random_state, low, high, m=32): M = int(g.ceil(g.log2(high))) random = g.mpz_urandomb(random_state, M + m) c = g.add(g.f_mod(random, g.add(g.sub(high, low), 1)), low) return c
77723561443721764030073546976801874298166903427690031\ 858186486050853753882811946569946433649006084171') g = mpz('11717829880366207009516117596335367088558084999998952205\ 59997945906392949973658374667057217647146031292859482967\ 5428279466566527115212748467589894601965568') h = mpz('323947510405045044356526437872806578864909752095244\ 952783479245297198197614329255807385693795855318053\ 2878928001494706097394108577585732452307673444020333') B = 2**20 hash = {} print 'start building...' for x1 in range(B): if x1 % 10000 == 0: print '%d completed.' % x1 left = f_mod(h * powmod(g, -x1, p), p) hash[left] = x1 for x0 in range(B): if x0 % 10000 == 0: print '%d completed.' % x0 right = powmod(g, x0 * B, p) if right in hash: x = x0 * B + hash[right] print 'Solution:\t', x break
data_1_to_2_queue, data_1_to_3_queue, q12, q13) d_paillier.distributed_RSA_modulus_generation() stop = time.time() print("RSA modulus generation success") print("modulus = ", d_paillier.N) print("duration = ", stop - start, "seconds") d_paillier.distributed_Paillier_key_generation() # decryption and encryption m1 = 464313146 m2 = 976311987 m3 = 598188167 print("m1 = ", m1) print("m2 = ", m2) print("m3 = ", m3) print("(m1 + m2) * m3 % N = ", gmpy2.f_mod((m1 + m2) * m3, d_paillier.N)) c1 = d_paillier.encrypt(m1) c2 = d_paillier.encrypt(m2) c3 = d_paillier.encrypt(m3) ciphertext = d_paillier.mul(d_paillier.add(c1, c2), m3) # (m1 + m2) * m3 % N d_paillier.send_ciphertext(ciphertext) partial_decryption = d_paillier.partial_decrypt(ciphertext) print("partial decryption = ", partial_decryption) d_paillier.send_partial_decryption(partial_decryption) partial_decryption_list = d_paillier.rec_partial_decryption_list( partial_decryption) decrypted_massage = d_paillier.combine_partial_decrypt( partial_decryption_list) print("decrypted massage = ", decrypted_massage)
def __Gen_polynomial(self, t, k): #生成 f(x) self.__f = list() #用于存储f(x)的系数 secret = random.randint(0, 2**255) secret = gmpy2.mpz(secret) #print("secret = \n",secret) self.__f.append(secret) for i in range(t - 1): #f(x)多项式的其他系数 fki = random.randint(0, 2**255) fki = gmpy2.mpz(fki) self.__f.append(fki) for i in range(t): self.__f[i] = gmpy2.f_mod(self.__f[i], q) #print("f = \n",self.__f) #生成 ck(x), k 取值为2,,,k,将某个 ck 的系数存在列表中,将生成的所有 ck(x) 存在字典中 self.__ck = dict() for i in range(k + 1): if i > 1: cki = list() cki.append(gmpy2.mpz(0)) for j in range(t - 1): ckii = random.randint(0, 2**255) ckii = gmpy2.mpz(ckii) cki.append(ckii) for l in range(t): cki[l] = gmpy2.f_mod(cki[l], q) self.__ck[i] = cki #print("ck = \n",self.__ck) #生成 fk(x), k 取值为 2,,,k,将某个 fk 的系数存在列表中,将生成的所有 fk(x) 存在字典中 self.__fk = dict() for m in range(k + 1): #生成f^2(x)至f^k(x),m表示生成f(x)的m次方 if m > 1: fki = [0] * (m * t - m + 1) for i in range(t): fki[i] = self.__f[i] for j in range(m - 1): fktemp = [0] * (m * t - m + 1) for p in range((m - 1) * t - m + 2): for l in range(t): temp = gmpy2.mul(fki[p], self.__f[l]) fktemp[p + l] = gmpy2.add(fktemp[p + l], temp) for w in range(m * t - m + 1): fki[w] = gmpy2.f_mod(fktemp[w], q) self.__fk[m] = fki #print("fk = \n",self.__fk) #计算 h^k(x),并将系数存在字典中 self.__hk = dict() fk1 = list() ck1 = list() for i in self.__fk: #取出字典中的列表进行h^k(x)的计算 hki = list() fk1 = self.__fk[i] ck1 = self.__ck[i] for j in range(t): temp = gmpy2.sub(fk1[j], ck1[j]) hki.append(temp) for l in range((i - 1) * t - i + 1): hki.append(fk1[t + l]) hki[0] = gmpy2.sub(hki[0], self.__f[0]**i) for m in range(i * t - i + 1): hki[m] = gmpy2.f_mod(hki[m], q) self.__hk[i] = hki
def mul(self, a, b): return gmpy2.f_mod(gmpy2.mul(a, b), self.Prime)
if rsa_dec(Cipher, prv) != m: print "Wrong~ " print rsa_dec(Cipher, prv) # Assume that now we capture the ciphertext m. # Here we can choose a integer > 1 as S and can not use 2*2*2*2*... S = 3 print "The S I chose is: " + str(S) # We can change our captured cipher using S # m' = S ^ e % N Cipher_mod = gmpy2.powmod(S, pub[0], pub[1]) # C' = (C * m') mod N Cipher_mod = gmpy2.f_mod(gmpy2.mul(Cipher, Cipher_mod), pub[1]) # M' = E(C') Message_mod = rsa_dec(Cipher_mod, prv) #transform ASCII to int Message_num = int(Message_mod.encode('hex'), 16) # The most important step : Message_num = gmpy2.f_mod(gmpy2.mul(gmpy2.mpz(Message_num), gmpy2.invert(S, pub[1])), pub[1]) # transform int to ASCII. Message = hex(Message_num).strip('0xXlL') if len(Message) % 2 == 1: Message = '0' + Message print 'The message we recovered: ' print Message.decode('hex')
def compute_tuple(self): self.PP = self.pick_pp() # print("pick PP done") self.coefficient_generation() # print("coefficient generation done") pi1 = gmpy2.f_mod((self.pi + self.a1 * 1), self.PP) ppi1 = gmpy2.f_mod((self.ppi + self.aa1 * 1), self.PP) qi1 = gmpy2.f_mod((self.qi + self.b1 * 1), self.PP) qqi1 = gmpy2.f_mod((self.qqi + self.bb1 * 1), self.PP) hi1 = gmpy2.f_mod((self.c0 + self.c1 * 1 + self.c2 * 1 * 1), self.PP) hhi1 = gmpy2.f_mod((self.cc0 + self.cc1 * 1 + self.cc2 * 1 * 1), self.PP) pi2 = gmpy2.f_mod((self.pi + self.a1 * 2), self.PP) ppi2 = gmpy2.f_mod((self.ppi + self.aa1 * 2), self.PP) qi2 = gmpy2.f_mod((self.qi + self.b1 * 2), self.PP) qqi2 = gmpy2.f_mod((self.qqi + self.bb1 * 2), self.PP) hi2 = gmpy2.f_mod((self.c0 + self.c1 * 2 + self.c2 * 2 * 2), self.PP) hhi2 = gmpy2.f_mod((self.cc0 + self.cc1 * 2 + self.cc2 * 2 * 2), self.PP) pi3 = gmpy2.f_mod((self.pi + self.a1 * 3), self.PP) ppi3 = gmpy2.f_mod((self.ppi + self.aa1 * 3), self.PP) qi3 = gmpy2.f_mod((self.qi + self.b1 * 3), self.PP) qqi3 = gmpy2.f_mod((self.qqi + self.bb1 * 3), self.PP) hi3 = gmpy2.f_mod((self.c0 + self.c1 * 3 + self.c2 * 3 * 3), self.PP) hhi3 = gmpy2.f_mod((self.cc0 + self.cc1 * 3 + self.cc2 * 3 * 3), self.PP) return [[pi1, ppi1, qi1, qqi1, hi1, hhi1], [pi2, ppi2, qi2, qqi2, hi2, hhi2], [pi3, ppi3, qi3, qqi3, hi3, hhi3]]
import sys from gmpy2 import mpz from gmpy2 import invert from gmpy2 import powmod from gmpy2 import f_mod from gmpy2 import mul b=2**20 B=mpz(b) p=mpz('13407807929942597099574024998205846127479365820592393377723561443721764030073546976801874298166903427690031858186486050853753882811946569946433649006084171') g=mpz('11717829880366207009516117596335367088558084999998952205599979459063929499736583746670572176471460312928594829675428279466566527115212748467589894601965568') h=mpz('3239475104050450443565264378728065788649097520952449527834792452971981976143292558073856937958553180532878928001494706097394108577585732452307673444020333') g_power_b=powmod(g,B,p) hash_table={} for x1 in range(B): hash_table[f_mod(mul(h,invert(powmod(g,x1,p),p)),p)]=x1 print "Table is completed" for x0 in range(B): middle_value=powmod(g_power_b,x0,p) if hash_table.has_key(middle_value): print x0 x1=hash_table[middle_value] print x1 break x=(x0*B+x1)%(p-1) print x
def calc1(i): denominv = pow(g, i, p) denom = gmpy2.invert(denominv, p) tval = gmpy2.mul(h, denom) retval = gmpy2.f_mod(tval, p) return retval
print q3 print "========" ########################################## c = mpz(22096451867410381776306561134883418017410069787892831071731839143676135600120538004282329650473509424343946219751512256465839967942889460764542040581564748988013734864120452325229320176487916666402997509188729971690526083222067771600019329260870009579993724077458967773697817571267229951148662959627934791540) phi_N1 = mpz(p1-1)*mpz(q1-1) e = mpz(65537) d = invert(e,phi_N1) m = powmod(c,d,N1) hex_m = '' while m > 0: mod = f_mod(m,16) hex_m = str(hex(mod))[2:]+hex_m m = (m-mod)/16 hex_m = '0x0'+hex_m print "========" print "plain:" print hex_m plain_m = '466163746f72696e67206c65747320757320627265616b205253412e' def hex_2_string(str_i): str_o = "" i=0 while i < len(str_i): str_o = str_o + chr(int(str_i[i:i+2],16)) i+=2
def findPrime(nbits): rs = gmpy2.random_state(gmpy2.f_mod(mpz(time.time()), 60)) test = mpz(1) while not gmpy2.is_prime(test): test = gmpy2.mpz_urandomb(rs, nbits - 1) + 2**(nbits - 1) return test
def checkD(e,d,phi): if not g.f_mod( g.mul(e,d), phi ) == g.mpz('1'): raise Exception("Bad D generated")
def break_primes(n, process_id, sync, output): # check to see if the primes were the same gmpy2.get_context().precision = 4096 n_sqrt = gmpy2.sqrt(n) # check to see if the modulo is a perfect square root of itself if n_sqrt % 1 == 0.0: processLock.acquire() if output.empty(): output.put(n_sqrt) sync.set() print("Duplicate primes detected! Prime is", n_sqrt) processLock.release() return n_sqrt # trial division processLock.acquire() # loop through the trivial primes for i in range(len(primes)): # check if we've haven't found anything yet if output.empty(): # the smaller of any factors of modulo has to be less than the sqrt of that modulo so we can give up if we # haven't found anything by then if primes[i] > gmpy2.sqrt(n): break elif gmpy2.f_mod(n, primes[i]) == 0.0: # share the result and handle the multiprocessing cleanup print("Trial Division Success! Divisible by", primes[i]) print("Result is", n // primes[i]) output.put(primes[i]) sync.set() # processLock.release() return primes[i] processLock.release() # informative statements if DEBUG: print("No Trivial") print("nothing easy :(") # check to see if the modulo is vulnerable to pollard p - 1 p1_result = pollard_p1(n, process_id) processLock.acquire() if p1_result > 1 and output.empty(): # share the result and handle the multiprocessing cleanup print(process_id, "p1 factor found:", p1_result) output.put(p1_result) sync.set() return p1_result if DEBUG: print(process_id, ": p1 no factors") processLock.release() # check to see if the modulo is vulnerable to william p + 1 william = 1 # william_p1(n, process_id) processLock.acquire() if william > 1 and output.empty(): # share the result and handle the multiprocessing cleanup print("William factor found:", william) output.put(william) sync.set() return william if DEBUG: print(process_id, ": william no factors") processLock.release() # if all else fails try pollard rho on it rho_result = pollard_rho(n, process_id) processLock.acquire() if output.empty(): # share the result and handle the multiprocessing cleanup print(process_id, "rho factor found:", rho_result) output.put_nowait(rho_result) sync.set() # processLock.release() return rho_result
def calcR(self,k,p,q): r=gmpy2.f_mod(gmpy2.powmod(g,k,p),q) return r
def check_delta(self): """"Check delta condidtion properly with definition""" return f_mod((4 * (self.A * self.A * self.A) + 27 * (self.B * self.B)), self.P) != 0
def calcS(self,k,h,x,r): s=gmpy2.f_mod(gmpy2.mpz(gmpy2.mul(gmpy2.invert(k,q),gmpy2.add(h,gmpy2.mul(x,r)))),q) return s
def big_num(): operator = request.values.get('operator') result = '1' try: if operator == 'FACT' or operator == 'isPrime': p = gmpy2.mpz(int(request.values.get('p'))) if not p: resu = {'code': 10001, 'message': '参数不能为空!'} return json.dumps(resu, ensure_ascii=False) if operator == 'FACT': #p的阶层 result = gmpy2.fac(p) elif operator == 'isPrime': #判断p是否是素数 result = gmpy2.is_prime(p) elif operator == 'MULMN' or operator == 'POWMN': p = gmpy2.mpz(int(request.values.get('p'))) q = gmpy2.mpz(int(request.values.get('q'))) n = gmpy2.mpz(int(request.values.get('n'))) if not p and not q and not n: resu = {'code': 10001, 'message': '参数不能为空!'} return json.dumps(resu, ensure_ascii=False) if operator == 'POWMN': #计算p**q mod n result = gmpy2.powmod(p, q, n) elif operator == 'MULMN': #计算p*q mod n result = gmpy2.modf(gmpy2.mul(p, q), n) else: p = gmpy2.mpz(int(request.values.get('p'))) q = gmpy2.mpz(int(request.values.get('q'))) if not p and not q: resu = {'code': 10001, 'message': '参数不能为空!'} return json.dumps(resu, ensure_ascii=False) if operator == 'ADD': #相加 print('good') result = gmpy2.add(p, q) elif operator == 'SUB': #相减 result = gmpy2.sub(p, q) elif operator == 'MUL': #相乘 result = gmpy2.mul(p, q) elif operator == 'DIV': #相除 result = gmpy2.div(p, q) elif operator == 'MOD': #取余 result = gmpy2.f_mod(p, q) elif operator == 'POW': result = gmpy2.powmod(p, q) elif operator == 'GCD': #最大公因数 result = gmpy2.gcd(p, q) elif operator == 'LCM': result = gmpy2.lcm(p, q) elif operator == 'OR': #或 result = p | q elif operator == 'AND': #与 result = p & q elif operator == 'XOR': #抑或 result = p ^ q elif operator == 'SHL': #左移 result = p << q elif operator == 'SHR': #右移 result = p >> q resu = {'code': 200, 'result': str(result)} return json.dumps(resu, ensure_ascii=False) except: resu = {'code': 10002, 'message': '异常。'} return json.dumps(resu, ensure_ascii=False)
def linear_cong_rng(): x[0] = 56687054115473550533 x[1] = 71501923691929981066 x[2] = 1162551557687152936 x[3] = 88117163952857350660 x[4] = 16754986973331962115 t[0] = gmpy2.sub(x[1], x[0]) t[1] = gmpy2.sub(x[2], x[1]) t[2] = gmpy2.sub(x[3], x[2]) t[3] = gmpy2.sub(x[4], x[3]) u[0] = abs(gmpy2.mul(t[2], t[0]) - gmpy2.square(t[1])) u[1] = abs(gmpy2.mul(t[3], t[1]) - gmpy2.square(t[2])) # M' gcd = gmpy2.gcd(u[0], u[1]) # true M = M'/2 M = gmpy2.mpz(gmpy2.div(gcd, 2)) # x[2] = A * x[1] + B (mod M) # x[1] = A * x[0] + B (mod M) # --------------------------- # x[2] - x[1] = A (x[1] - x[0]) mod M # t[1] = A * t[0] mod M # A * t[0] = t[1] mod M # -x[0] * x[2] = -A * x[0] * x[1] - B * x[0] (mod M) # x[1] * x[1] = A * x[0] * x[1] + B * x[1] (mod M) # -------------------------------------------------- # x[1]^2 - (x[0] * x[2]) = B (x[1] - x[0]) mod M # B * t[0] = (x[1]^2 - (x[0] * x[2])) mod M # easier way to solve B: # find A first # (A * x[0] + B) = x[1] mod M # used Diophantine equations to retrieve A and B # using M #A = 12630192673789351314 #B = 35234390061212433526 # using M = M'/2 or M'/3 A = 12630192673789351314 B = 35234390061212433526 print "t[0] = %i\nt[1] = %i\nt[2] = %i\nt[3] = %i\n\nu[0] = %i\nu[1] = %i\n\nM' = gcd(u[0], u[1]) = %i\nM = M'/2 = %i\n" % ( t[0], t[1], t[2], t[3], u[0], u[1], gcd, M) x[5] = gmpy2.mpz( gmpy2.f_mod(gmpy2.add(gmpy2.mul(A, x[4]), gmpy2.mpz(B)), gmpy2.mpz(M))) x[6] = gmpy2.mpz( gmpy2.f_mod(gmpy2.add(gmpy2.mul(A, x[5]), gmpy2.mpz(B)), gmpy2.mpz(M))) x[7] = gmpy2.mpz( gmpy2.f_mod(gmpy2.add(gmpy2.mul(A, x[6]), gmpy2.mpz(B)), gmpy2.mpz(M))) x[8] = gmpy2.mpz( gmpy2.f_mod(gmpy2.add(gmpy2.mul(A, x[7]), gmpy2.mpz(B)), gmpy2.mpz(M))) x[9] = gmpy2.mpz( gmpy2.f_mod(gmpy2.add(gmpy2.mul(A, x[8]), gmpy2.mpz(B)), gmpy2.mpz(M))) x[10] = gmpy2.mpz( gmpy2.f_mod(gmpy2.add(gmpy2.mul(A, x[9]), gmpy2.mpz(B)), gmpy2.mpz(M))) x[11] = gmpy2.mpz( gmpy2.f_mod(gmpy2.add(gmpy2.mul(A, x[10]), gmpy2.mpz(B)), gmpy2.mpz(M))) #print "x[5] = ", x[5] #print "x[6] = ", x[6] #print "x[7] = ", x[7] #print "x[8] = ", x[8] #print "x[9] = ", x[9] print "x[10] = ", x[10] print "x[11] = ", x[11] print "A = ", A print "B = ", B return