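def rsa(bits):
    """Generate a textbook RSA key ``(e, d, n)`` for experiments.

    Two distinct primes are drawn below ``2**(bits // 2 + 1)`` and multiplied
    to form ``n``; ``e`` is a random unit modulo ``(p - 1) * (q - 1)`` and
    ``d`` is its modular inverse.

    NOTE(review): this is an experiment/teaching generator, not a production
    key generator:

    - the primes only have an upper bound, so ``n`` can come out noticeably
      shorter than ``bits``;
    - ``ZZ.random_element`` is presumably backed by Sage's general-purpose
      random state rather than an OS CSPRNG -- confirm before reusing this
      anywhere the key has to stay secret;
    - ``e`` is drawn from ``ZZ.random_element(1, phi_n)``, which appears to
      allow ``e == 1`` (encryption becomes the identity map).

    :param bits: approximate size of the modulus in bits (at least 2).
    :returns: the tuple ``(e, d, n)``.
    :raises ValueError: if ``bits`` is too small to yield two distinct primes.
    """
    if bits < 2:
        # Below this the only prime next_prime can return is 2, so no pair of
        # distinct primes exists and the redraw loop below could not finish.
        raise ValueError("bits must be at least 2")
    # only prove correctness up to 1024bits
    proof = (bits <= 1024)
    bound = 2**(bits // 2 + 1)
    p = next_prime(ZZ.random_element(bound), proof=proof)
    q = next_prime(ZZ.random_element(bound), proof=proof)
    # With p == q the modulus is a perfect square (trivially factored) and
    # (p - 1) * (q - 1) is no longer phi(n), so the returned d would not
    # invert e. Redraw q until the primes differ.
    while q == p:
        q = next_prime(ZZ.random_element(bound), proof=proof)
    n = p * q
    phi_n = (p - 1) * (q - 1)
    while True:
        e = ZZ.random_element(1, phi_n)
        if gcd(e, phi_n) == 1:
            break
    d = lift(Mod(e, phi_n)**(-1))
    return e, d, n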
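def sign(self, h, sk, klen=256, return_k=False):
    """
    Sign the digest ``h`` with signing key ``sk`` using a ``klen``-bit nonce.

    The nonce ``k`` is drawn uniformly below ``2 ** klen``; ``r`` is the
    x-coordinate of ``self.GG * k`` and ``s = k^-1 * (h + d * r) mod self.n``.

    NOTE(review): when ``klen`` is smaller than the bit length of ``self.n``
    the top bits of every nonce are known to be zero.  That bias is enough to
    recover the private scalar from a set of signatures, so this method is
    only suitable for generating test instances.  A production signer should
    use full-width uniform nonces or deterministic nonces (RFC 6979).
    ``return_k`` hands out the nonce itself; one ``(k, sig)`` pair determines
    the private scalar, so that value must stay inside the test harness.

    :param h: "hash" -- digest, converted to an integer with ``btoi``
    :param sk: signing key; the result of ``sk.to_string()`` is read as the
        private scalar
    :param klen: number of bits in the nonce (at least 1).
    :param return_k: if true, return ``(k, sig)`` instead of ``sig``
    :returns: ``itob(r) + itob(s)``, each encoded to ``self.baselen``, or
        ``(k, sig)`` when ``return_k`` is set
    :raises ValueError: if ``klen`` is smaller than 1

    """
    if klen < 1:
        # 2 ** klen would be 1, so the only possible nonce is 0.
        raise ValueError("klen must be at least 1")
    d = btoi(sk.to_string())
    hi = btoi(h)
    # A nonce that is 0 modulo self.n has no inverse (and presumably maps to
    # the point at infinity, which has no affine x-coordinate), so the
    # computation below would fail.  Redraw instead of crashing.
    while True:
        k = ZZ.random_element(2 ** klen)
        if k % self.n != 0:
            break
    # NOTE(review): r is used as the raw x-coordinate, not reduced mod self.n,
    # and r == 0 / s == 0 are not rejected -- confirm this is intended.
    r = Integer((self.GG * k).xy()[0])
    s = lift(inverse_mod(k, self.n) * mod(hi + d * r, self.n))
    sig = itob(r, self.baselen) + itob(s, self.baselen)
    if return_k:
        return k, sig
    return sig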
def crack_given_decrypt(n, m):
    """Return a proper divisor of ``n`` found with the help of ``m``.

    Phase 1 halves ``m`` for as long as ``m`` is even and five random bases
    coprime to ``n`` all satisfy ``a^(m // 2) == 1 (mod n)``.  Phase 2 draws
    random bases until ``gcd(a^(m // 2) - 1, n)`` is neither ``1`` nor ``n``
    and returns that gcd.

    NOTE(review): presumably ``m`` is a multiple of the order of every unit
    modulo ``n``, e.g. ``e * d - 1`` for an RSA key pair -- confirm with the
    callers.  Nothing here bounds the running time: phase 2 loops until a
    proper divisor shows up, and ``m == 0`` never leaves phase 1.

    Defensive takeaway: anyone who learns such an ``m`` (in particular a
    leaked private exponent) can factor the modulus, so a modulus whose ``d``
    was exposed has to be retired rather than re-keyed with a new ``e``.

    :param n: the modulus to split.
    :param m: the exponent described above.
    :returns: a divisor ``g`` of ``n`` with ``g != 1`` and ``g != n``.
    """
    n = Integer(n)
    m = Integer(m)

    # Phase 1: strip factors of two from m while the halved exponent still
    # appears to annihilate every unit that was sampled.
    while not is_odd(m):
        for _ in range(5):
            base = randrange(1, n)
            if gcd(base, n) == 1 and Mod(base, n) ** (m // 2) != 1:
                # Found a unit that m // 2 does not send to 1: stop halving.
                break
        else:
            # All five samples agreed, so halve m and test again.
            m //= 2
            continue
        break

    # Phase 2: look for a base whose (m // 2)-th power differs from 1 modulo
    # only some of the prime factors of n.
    while True:
        base = randrange(1, n)
        candidate = gcd(lift(Mod(base, n) ** (m // 2)) - 1, n)
        if candidate not in (1, n):
            return candidate
def gen_lattice(self, d=None):
    """Build the next lattice basis from the stored signatures.

    The index tuple ``self.indices[self.nbases]`` selects entries of
    ``self.r_list``, ``self.s_list`` and ``self.h_list``; ``self.nbases`` is
    then advanced.  Only these signature values, the nonce bit lengths in
    ``self.klen_list`` and the modulus ``self.ecdsa.n`` are read -- no private
    key material is used here.

    Layout of the ``self.d`` x ``self.d`` integer matrix (``f`` is the
    per-column scaling ``max(w) / w`` with ``w = 2 ** (klen - 1)``):

    - rows ``0 .. d-3``: ``n * f[i]`` on the diagonal;
    - row ``d-2``: the ``t`` coefficients times ``f[i]``, then ``f[-1]``;
    - row ``d-1``: the ``a`` constants times ``f[i]``, then ``max(w)``.

    The last selected signature enters every ``t`` and ``a`` entry,
    presumably to eliminate the private scalar from the other relations --
    TODO confirm against the accompanying write-up.

    :param d: unused; the argument is overwritten with ``self.d``.
    :returns: a ``GSO.Mat`` over the basis, with ``update_gso()`` already run.
    :raises StopIteration: if the index lookup raises ``ValueError``.
    """
    try:
        picked = self.indices[self.nbases]
        self.nbases += 1
    except ValueError:
        # NOTE(review): indexing a list or tuple past its end raises
        # IndexError, not ValueError -- confirm the type of self.indices,
        # otherwise this handler never fires.
        raise StopIteration("No more bases to sample.")

    order = self.ecdsa.n
    half_bounds = [2 ** (bits - 1) for bits in self.klen_list]
    rs = [self.r_list[j] for j in picked]
    ss = [self.s_list[j] for j in picked]
    hs = [self.h_list[j] for j in picked]

    # The final signature of the selection is the reference one.
    r_last, s_last, h_last, w_last = rs[-1], ss[-1], hs[-1], half_bounds[-1]

    consts = [
        lift(
            w
            - mod(r, order) * inverse_mod(s, order) * inverse_mod(r_last, order) * mod(s_last, order) * w_last
            - inverse_mod(s, order) * mod(h, order)
            + mod(r, order) * inverse_mod(s, order) * mod(h_last, order) * inverse_mod(r_last, order)
        )
        for w, h, r, s in zip(half_bounds[:-1], hs[:-1], rs[:-1], ss[:-1])
    ]
    coeffs = [
        -lift(mod(r, order) * inverse_mod(s, order) * inverse_mod(r_last, order) * s_last)
        for r, s in zip(rs[:-1], ss[:-1])
    ]

    d = self.d
    A = IntegerMatrix(d, d)

    # Scale each column so that all nonce bounds line up with the largest.
    # NOTE(review): "/" is true division; Integer() then requires an exact
    # integral ratio, which holds here as long as every bound is a power of 2.
    widest = max(half_bounds)
    scale = [Integer(widest / w) for w in half_bounds]

    for i in range(d - 2):
        A[i, i] = order * scale[i]
        A[d - 2, i] = coeffs[i] * scale[i]
        A[d - 1, i] = consts[i] * scale[i]
    A[d - 2, d - 2] = scale[-1]
    A[d - 1, d - 1] = widest

    # Above 384 bits the GSO is asked for the "ld" float type; otherwise the
    # library default is used.
    wide_curve = self.ecdsa.nbits > 384
    gso_kwargs = {
        "U": IntegerMatrix.identity(A.nrows, int_type=A.int_type),
        "UinvT": IntegerMatrix.identity(A.nrows, int_type=A.int_type),
        "flags": GSO.ROW_EXPO,
    }
    if wide_curve:
        gso_kwargs["float_type"] = "ld"

    M = GSO.Mat(A, **gso_kwargs)
    M.update_gso()
    return M
def decrypt(c, d, n):
    """Return ``c ** d mod n`` lifted to an integer (textbook RSA decryption).

    NOTE(review): this is the bare modular exponentiation -- no padding is
    checked or removed, so it is only suitable for experiments.  Real
    deployments pair the private operation with a padding scheme such as OAEP.

    :param c: ciphertext.
    :param d: private exponent.
    :param n: modulus.
    """
    residue = Mod(c, n)
    plain = residue**d
    return lift(plain)
def encrypt(m, e, n):
    """Return ``m ** e mod n`` lifted to an integer (textbook RSA encryption).

    NOTE(review): no padding or randomisation is applied, so equal messages
    give equal ciphertexts and ciphertexts are malleable.  Suitable for
    experiments only; production use needs a padding scheme such as OAEP.

    :param m: message representative.
    :param e: public exponent.
    :param n: modulus.
    """
    residue = Mod(m, n)
    cipher = residue**e
    return lift(cipher)