def rsa(bits):
# only prove correctness up to 1024bits
proof = (bits <= 1024)
p = next_prime(ZZ.random_element(2**(bits // 2 + 1)),
proof=proof)
q = next_prime(ZZ.random_element(2**(bits // 2 + 1)),
proof=proof)
n = p * q
phi_n = (p - 1) * (q - 1)
while True:
e = ZZ.random_element(1, phi_n)
if gcd(e, phi_n) == 1:
break
d = lift(Mod(e, phi_n)**(-1))
return e, d, n
def sign(self, h, sk, klen=256, return_k=False):
"""
Sign ``h`` and signing key ``sk``
:param h: "hash"
:param sk: signing key
:param klen: number of bits in the nonce.
:param return_k:
"""
d = btoi(sk.to_string())
hi = btoi(h)
k = ZZ.random_element(2 ** klen)
r = Integer((self.GG * k).xy()[0])
s = lift(inverse_mod(k, self.n) * mod(hi + d * r, self.n))
sig = itob(r, self.baselen) + itob(s, self.baselen)
if return_k:
return k, sig
return sig
def crack_given_decrypt(n, m):
n = Integer(n)
m = Integer(m)
while True:
if is_odd(m):
break
divide_out = True
for _ in range(5):
a = randrange(1, n)
if gcd(a, n) == 1:
if Mod(a, n) ** (m // 2) != 1:
divide_out = False
break
if divide_out:
m //= 2
else:
break
while True:
a = randrange(1, n)
g = gcd(lift(Mod(a, n) ** (m // 2)) - 1, n)
if g != 1 and g != n:
return g
def gen_lattice(self, d=None):
"""FIXME! briefly describe function
:param d:
"""
try:
I = self.indices[self.nbases] # noqa
self.nbases += 1
except ValueError:
raise StopIteration("No more bases to sample.")
p = self.ecdsa.n
# w = 2 ** (self.klen - 1)
w_list = [2 ** (klen - 1) for klen in self.klen_list]
r_list = [self.r_list[i] for i in I]
s_list = [self.s_list[i] for i in I]
h_list = [self.h_list[i] for i in I]
rm = r_list[-1]
sm = s_list[-1]
hm = h_list[-1]
wm = w_list[-1]
a_list = [
lift(
wi
- mod(r, p) * inverse_mod(s, p) * inverse_mod(rm, p) * mod(sm, p) * wm
- inverse_mod(s, p) * mod(h, p)
+ mod(r, p) * inverse_mod(s, p) * mod(hm, p) * inverse_mod(rm, p)
)
for wi, h, r, s in zip(w_list[:-1], h_list[:-1], r_list[:-1], s_list[:-1])
]
t_list = [
-lift(mod(r, p) * inverse_mod(s, p) * inverse_mod(rm, p) * sm) for r, s in zip(r_list[:-1], s_list[:-1])
]
d = self.d
A = IntegerMatrix(d, d)
f_list = [Integer(max(w_list) / w) for w in w_list]
for i in range(d - 2):
A[i, i] = p * f_list[i]
for i in range(d - 2):
A[d - 2, i] = t_list[i] * f_list[i]
A[d - 2, d - 2] = f_list[-1]
for i in range(d - 2):
A[d - 1, i] = a_list[i] * f_list[i]
A[d - 1, d - 1] = max(w_list)
if self.ecdsa.nbits > 384:
M = GSO.Mat(
A,
U=IntegerMatrix.identity(A.nrows, int_type=A.int_type),
UinvT=IntegerMatrix.identity(A.nrows, int_type=A.int_type),
float_type="ld",
flags=GSO.ROW_EXPO,
)
else:
M = GSO.Mat(
A,
U=IntegerMatrix.identity(A.nrows, int_type=A.int_type),
UinvT=IntegerMatrix.identity(A.nrows, int_type=A.int_type),
flags=GSO.ROW_EXPO,
)
M.update_gso()
return M
def decrypt(c, d, n):
return lift(Mod(c, n)**d)
def encrypt(m, e, n):
return lift(Mod(m, n)**e)
