def test_pollard_rho(self):
q = gmpy2.mpz(getPrime(512))
p = gmpy2.mpz(getPrime(20))
if p > q :
p , q = q , p
n = p * q
self.assertEqual((p, q), number.pollard_rho(n))
def gen_dh():
p, a = number.getPrime(64), number.getPrime(32)
g = choice([2, 3, 5, 7, 11, 13, 17, 23])
A = pow(g, a, p)
if A < 2 or A > p - 1 or pow(A, (p - 1) // 2, p) != 1:
return gen_dh()
return p, g, A, a
def create_rsa_keys(bits_length=512, e=65537):
"""
产生有关 RSA 的一切参数, 包括 p, q, n ,phi_n, d, e
本来想用 pycrypto 库的 RSA 来生成的, 但是这个库至少要求 1024bits, 还是自己手搓吧
:param bits_length: p 和 q 的位长度限制
:param e: 指定的 e
:return: dict(), RSA 的一切参数作为字典返回
"""
rsa = dict()
while True:
p = gmpy2.mpz(getPrime(bits_length))
q = gmpy2.mpz(getPrime(bits_length))
n = p * q
phi_n = (p - 1) * (q - 1)
if gmpy2.gcd(e, phi_n) == 1:
break
rsa["p"] = p
rsa["q"] = q
rsa["n"] = n
rsa["phi"] = phi_n
rsa["d"] = gmpy2.invert(e, rsa["phi"])
rsa["e"] = e
return rsa
def generatePuzzle( self, message, modulus=const.PUZZLE_MODULUS_LENGTH):
"""Generates a new time-lock puzzle by locking the given message and
using the given modulus. The new puzzle is then returned."""
assert (len(message) * 8) < const.PUZZLE_MODULUS_LENGTH
if (modulus % 8) != 0:
raise ValueError("Modulus must be divisible by 8.")
puzzle = {}
while True:
# Generate random primes and add `n' (= p * q) to the puzzle.
p = number.getPrime(modulus / 2)
q = number.getPrime(modulus / 2)
n = p * q
puzzle["n"] = n
# Use phi_n as a shortcut to ``encrypt'' the message.
phi_n = (p - 1) * (q - 1)
e = pow(2, self.t, phi_n)
b = pow(self.a, e, n)
Ck = (int(message.encode("hex"), 16) + b) % n
puzzle["Ck"] = Ck
# Make sure that the puzzle is always of the same size.
if len(util.dump(puzzle["n"])) == \
len(util.dump(puzzle["Ck"])) == (modulus / 8):
return puzzle
def gen(factor_length=2048, random_function=_random.read, all_values=False):
"""Return an RSA keypair
Returned keys are two dictionaries, public (with keys n and e) and private (with keys n and d)
Will use the provided random_function to get random bytes.
If all_values is True, the private key will also include e, p, q, and phi.
"""
# Choose p and q and calculate n and phi
p, q = getPrime(factor_length, random_function), getPrime(factor_length, random_function)
n = p * q
phi = n - p - q + 1
# Select e
if phi > 65537:
# 65537 is a good value for e, so use it as long as it's in the acceptable range 1 < e < phi
e = 65537
else:
# Otherwise pick the largest acceptable value
try:
e = next(filter(
lambda x: (_gcd(x, phi) == 1) and (pow(x, 2, phi) != 1),
range(phi - 1, 1, -1)
))
except StopIteration:
raise ValueError("No valid choice for e")
# Compute d
d = _mmi(e, phi)
# Return keys
public = {'n': n, 'e': e}
private = {'n': n, 'd': d}
if all_values:
private.update({'e': e, 'p': p, 'q': q, 'phi': phi})
return public, private
def makepuzzle(t): # Init PyCrypto RNG rnd = randpool.RandomPool() # Generate 512-bit primes p = number.getPrime(512, rnd.get_bytes) q = number.getPrime(512, rnd.get_bytes) n = p * q phi = (p - 1) * (q - 1) # AES key --- this is what we will encode into the puzzle solution key = number.getRandomNumber(128, rnd.get_bytes) # Need a random starting value for the puzzle, between 1 and n a = number.getRandomNumber(4096, rnd.get_bytes) a = a % n # *** puzzle shortcut *** # fast way to compute (a^2)^t (if you know phi) e = pow(2, t, phi) b = pow(a, e, n) # So b = (a^2)^t, and we encode the key into this solution ck = (key + b) % n return (key, (n, a, t, ck))
def generate(bits, randfunc=None, progress_func=None):
obj = Paillierobj()
# Generate the prime factors of n
if progress_func:
progress_func("p,q\n")
p = q = 1L
assert bits % 2 == 0, "Not an even number of bits"
while number.size(p * q) < bits:
p = number.getPrime(bits >> 1, randfunc)
q = number.getPrime(bits >> 1, randfunc)
obj.p = p
obj.q = q
obj.n = p * q
obj.n_sq = obj.n * obj.n
if progress_func:
progress_func("l\n")
obj.l = number.LCM(obj.p - 1, obj.q - 1)
if progress_func:
progress_func("g\n")
obj.g = obj._getRandomMult() * obj.n + 1 # TODO: check
gExp = L(pow(obj.g, obj.l, obj.n_sq), obj.n)
while not number.GCD(gExp, obj.n) == 1:
obj.g = obj._getRandomMult() * obj.n + 1 # TODO: check
gExp = L(pow(obj.g, obj.l, obj.n_sq), obj.n)
obj.m = number.inverse(gExp, obj.n)
assert bits <= 1 + obj.size(), "Generated key is too small"
return obj
def __genDHParams__(self): ''' Generates DH parameters ''' self.DH_PRIME = getPrime(self.DH_PARAM_SIZE,Random.new().read) self.DH_PRIVATE = getPrime(self.DH_PARAM_SIZE,Random.new().read) self.DH_GENERATOR = getPrime(self.DH_PARAM_SIZE,Random.new().read) self.DH_PUBLIC = pow(self.DH_GENERATOR,self.DH_PRIVATE,self.DH_PRIME)
def generate_keys(bits=512): p = getPrime(bits//2) q = getPrime(bits//2) n = p*q lmbda = (p-1)*(q-1) g = n+1 mu = modinv(((p-1)*(q-1)), n) return Key(n, g, lmbda, mu)
def __init__(self): self.p = number.getPrime(128) self.gamma = self.gamma_gen() self.alpha = self.alpha_gen() self.x = number.getPrime(128) self.y = self.exponentation(self.x) self.U = number.getPrime(128) self.Z = self.exponentation(self.U)
def generate_public_key(bits_length=512, e=3):
# 注意验证p和q的合法性, 要求与3互质
while True:
p = getPrime(bits_length)
q = getPrime(bits_length)
if gmpy2.gcd(p, e) == 1 and gmpy2.gcd(q, e) == 1:
return gmpy2.mpz(p) * gmpy2.mpz(q), e
def generate_keys(nbits):
p = cry.getPrime(nbits//2)
q = cry.getPrime(nbits//2)
n = p*q
g = n+1
l = (p-1)*(q-1)
mu = gmpy.invert(((p-1)*(q-1)), n)
return (n, g, l, mu)
def __init__(self, p=None, g=None, x=None, s=None):
self.bits = 512
self.p = p or number.getPrime(self.bits + 1)
self.g = g or number.getPrime(512)
self.x = x or number.getPrime(512)
self.A = pow(self.g, self.x, self.p)
self.s = s or None
self.S = None
self.pub = (self.A, self.g, self.p)
def __init__(s, numBits, e):
s.e = e
coprime = False
while (not coprime):
p = number.getPrime(numBits)
q = number.getPrime(numBits)
et = (p-1) * (q-1)
s.d = number.inverse(s.e, et)
coprime = s.d != 1
s.n = p * q
def calibrate_speed():
p = number.getPrime(MOD_BITS/2, rnd.get_bytes)
q = number.getPrime(MOD_BITS/2, rnd.get_bytes)
N = p*q
bignum = number.getRandomNumber(MOD_BITS, rnd.get_bytes)
start = time.time()
trials = 100
for i in range(trials):
bignum = pow(bignum, 2, N)
return int(trials/(time.time() - start))
def __init__(self, modsize=1024):
phiN = 0
while gcd(65537, phiN) != 1:
p, q = number.getPrime(modsize), number.getPrime(modsize)
N, phiN = p * q, (p-1) * (q-1)
e = 65537
d = mod_inv(e, phiN)
self.n, self.e, self.d = N, e, d
def rabin_key_generator(): while True: p = number.getPrime(100) if (p+1)%4 == 0: break while True: q = number.getPrime(100) if (q+1)%4 == 0: break n = p*q; return [n,p,q]
def support(): p = number.getPrime(100) q = number.getPrime(100) n = p*q; euler_n = (p-1)*(q-1) while True: e = random.randint(2,euler_n) if(gcd(e,euler_n) == 1): d = multiplicative_inverse(e,euler_n) break return [e,d,n]
def test_wiener(self):
q = gmpy2.mpz(getPrime(512))
p = gmpy2.mpz(getPrime(512))
if q > p :
p , q = q , p
n = p * q
phi = (p - 1) * (q - 1)
d = gmpy2.iroot(n, 5)[0]
while gmpy2.gcd(d, phi) != 1 :
d -= 1
e = gmpy2.invert(d , phi)
self.assertEqual((d, p, q), number.wiener_attack(n, e))
def key_generator(): p = number.getPrime(1024) print p q = 91 while True: r = number.getPrime(100) euler_n = p-1 print r if(order(r,p) == euler_n): e1 = r break print e1
def generate_n_with_seed(seed):
"""
Generates an n value for use in the RSA protocol using the given
parameter as the seed for the random number generator.
Returns the tuple (p, q, n) where p, q are the prime factors of n.
"""
random.seed(seed)
p = number.getPrime(512, randfunction)
q = number.getPrime(512, randfunction)
n = p * q
return (p, q, n)
def main(): verify() usage = """ ** ** ** ********** /** /** /** /////**/// /** * /** ***** /** ***** ****** ********** /** ****** /** *** /** **///** /** **///** **////**//**//**//** /** **////** /** **/**/**/******* /**/** // /** /** /** /** /** /** /** /** /**** //****/**//// /**/** **/** /** /** /** /** /** /** /** /**/ ///**//****** ***//***** //****** *** /** /** /** //****** // // ////// /// ///// ////// /// // // // ////// ** ** ****** ********** ******** ******* ******** ** /** /** **////**/////**/// /**///// /**////** **////// **** /** /** ** // /** /** /** /** /** **//** /**********/** /** /******* /******* /********* ** //** /**//////**/** /** /**//// /**///** ////////** ********** /** /**//** ** /** /** /** //** /**/**//////** /** /** //****** /** /** /** //** ******** /** /** // // ////// // // // // //////// // // ******** **//////** ** // ****** ********** ***** /** //////** //**//**//** **///** /** ***** ******* /** /** /**/******* //** ////** **////** /** /** /**/**//// //******** //******** *** /** /**//****** //////// //////// /// // // ////// """ print usage print "This is a RSA Decryption System" print "Please enter Your team token: " token = raw_input() try: flag = get_flag(token) assert len(flag) == 38 except: print "Token error!" m_exit(-1) p=getPrime(2048) q=getPrime(2048) n = p * q e, d = get_ed(p, q) print "n: ", hex(n) print "e: ", hex(e) flag = bytes_to_long(flag) enc_flag = pow(flag, e, n) print "Your flag is: ", hex(enc_flag)
def gen_keys():
p = pycrypto.getPrime(PRIME_SIZE)
q = pycrypto.getPrime(PRIME_SIZE)
n = p * q
l = ((p-1) * (q-1))//pycrypto.GCD(p-1,q-1)
while True:
g = pycrypto.getRandomInteger(PRIME_SIZE * 4) % (n * n)
if pycrypto.GCD(g,n) == 1:
c = (pow(g, l, n * n) - 1)//n
if pycrypto.GCD(c, n) == 1:
mu = pycrypto.inverse(c, n)
break
return PublicKey(n,g), PrivateKey(l, mu)
def rsa_genkeys(bits, e):
bits = bits / 2
et = e
while GCD(e, et) != 1:
if bits < 512:
#getStrongPrime won't accept bits < 512
p, q = getPrime(bits), getPrime(bits)
else:
p, q = getStrongPrime(bits, e), getStrongPrime(bits, e)
et = (p-1) * (q-1)
n = p * q
d = invmod(e, et)
return (e,n), (d,n)
def testkey (self, key, randfunc, verbose=0):
plaintext="Hello"
# Generate maximum-size plaintext
maxplain = (key.size() // 8) * '\377'
if key.can_encrypt():
if verbose: print ' Encryption/decryption test'
K=number.getPrime(10, randfunc)
ciphertext=key.encrypt(plaintext, K)
self.test_val('key.decrypt(ciphertext)', plaintext)
ciphertext=key.encrypt(maxplain, K)
self.test_val('key.decrypt(ciphertext)', maxplain)
if key.can_sign():
if verbose: print ' Signature test'
K=number.getPrime(30, randfunc)
signature=key.sign(plaintext, K)
self.test_bool('key.verify(plaintext, signature)')
self.test_bool('key.verify(plaintext[:-1], signature)',
want_true=0)
# Change a single bit in the plaintext
badtext=plaintext[:-3]+chr( 1 ^ ord(plaintext[-3]) )+plaintext[-3:]
self.test_bool('key.verify(badtext, signature)', want_true=0)
if verbose: print ' Removing private key data'
pubonly=key.publickey()
self.test_bool('pubonly.verify(plaintext, signature)')
# Test blinding
if key.can_blind():
if verbose: print ' Blinding test'
K=number.getPrime(30, randfunc)
B="garbage"
blindedtext=key.blind(plaintext, B)
signature=key.sign(blindedtext, K)
unblindedsignature=(key.unblind(signature[0], B),)
self.test_bool('key.verify(plaintext, unblindedsignature)')
self.test_val('key.sign(plaintext, K)', unblindedsignature)
# Change a single bit in the blinding factor
badB=B[:-3]+chr( 1 ^ ord(B[-3]) )+B[-3:]
badunblindedsignature=(key.unblind(signature[0], badB),)
self.test_false('key.verify(badtext, badunblindedsignature)')
badblindedtext=key.blind(plaintext, badB)
badsignature=key.sign(blindedtext, K)
badunblindedsignature2=(key.unblind(signature[0], B),)
self.test_false('key.verify(badtext, badunblindedsignature2)')
def makepuzzle(t):
# Generate 512-bit primes
p = number.getPrime(MOD_BITS/2, rnd.get_bytes)
q = number.getPrime(MOD_BITS/2, rnd.get_bytes)
N = p*q
totient = (p-1)*(q-1)
key = number.getRandomNumber(AES_BITS, rnd.get_bytes)
a = number.getRandomNumber(MOD_BITS, rnd.get_bytes) % N
e = pow(2, t, totient)
b = pow(a, e, N)
cipher_key = (key + b) % N
return (key, {'N': N, 'a': a, 'steps': t, 'cipher_key': cipher_key})
def find_generator_and_safe_prime(bits, gen_max_bits = False):
stdout.write('Trying to find prime p ')
while(1):
stdout.write('.')
q = number.getPrime(bits-1) # zeby pomnozona przez 2 byla na pewno mniejsza od p, (+1 pomijam, zakladam ze nie przekroczy)
p = (q << 1) + 1
if number.isPrime(p):
print '\n' + str(number.size(p)) + ' bits prime p found'
p_sub_1 = p - 1
stdout.write('Trying to find generator g ')
while(1):
if gen_max_bits: # generator moze miec dowolna liczbe bitow
g = number.getRandomNBitInteger(bits)
if g >= p:
continue
else:
g = number.getRandomRange(2, p)
if pow(g, 2, p) == 1 or pow(g, q, p) == 1:
stdout.write('.')
continue
print '\n' + str(number.size(g)) + ' bits generator g found'
return p, g
def _alice_dh_values(self):
pool = self._get_random_pool()
g = 5
p = getPrime(PRIME_BITS, pool.get_bytes)
a = self._get_dh_secret(pool)
A = self.modExp(g, a, p)
return a, g, p, A
def get_keys():
d = 0
e = 3
while d == 0:
p = number.getPrime(1024)
q = number.getPrime(1024)
n = p * q
et = (p - 1) * (q - 1)
try:
d = invmod(e, et)
except ValueError:
pass
return [e, n], [d, n]
def gen(weight):
m = getPrime(ceil(log2(weight)))
g = randint(10, 1000)
c = phi(m)
while True:
ex = False
for q in prime_factors(c):
a = powmod(g, c // q, m)
if a == 1:
ex = True
break
if not ex:
break
else:
g += 1
return g, m
def produceKeys():
# generator g , initially it was 2
g = 10
# Prime q
q = number.getPrime(64)
## Key generation:
#Private signing key x
# x <- Secret Key
x = randint(1, q - 1)
# calculate public verification key y
y = pow(g, x, q)
return x, y, g, q
def getprimeover(N):
"""Return a random N-bit prime number using the System's best
Cryptographic random source.
Use GMP if available, otherwise fallback to PyCrypto
"""
if HAVE_GMP:
randfunc = random.SystemRandom()
r = gmpy2.mpz(randfunc.getrandbits(N))
r = gmpy2.bit_set(r, N - 1)
return int(gmpy2.next_prime(r))
elif HAVE_CRYPTO:
return number.getPrime(N, os.urandom)
else:
randfunc = random.SystemRandom()
n = randfunc.randrange(2**(N-1), 2**N) | 1
while not is_prime(n):
n += 2
return n
def generate_n():
lis_prima = []
while len(lis_prima) < 99:
tmp = getPrime(512)
if tmp not in lis_prima:
lis_prima.append(tmp)
lis_n = []
for i in range(0, len(lis_prima) - 1, 2):
p = lis_prima[i]
q = lis_prima[i + 1]
n = p * q
lis_n.append(n)
rand = random.randint(0, 97)
lis_n.append(lis_prima[rand] * lis_prima[98])
random.shuffle(lis_n)
return lis_n
def test_to_reg():
for i in range(num_data_to_mont):
n = 32
prime = num.getPrime(n)
Px = randint(0, 2**32)
Py = randint(0, 2**32)
Px = Px % prime
Py = Py % prime
print("Prime:", prime)
print("Px:", Px)
print("Py:", Py)
px_mont, Px_step = to_mont(Px, prime)
py_mont, Py_step = to_mont(Py, prime)
print("px_mont:", px_mont)
print("py_mont:", py_mont)
px_reg, _ = to_reg(px_mont, prime)
py_reg, _ = to_reg(py_mont, prime)
print("px_reg:", px_reg)
print("py_reg:", py_reg)
print("Is the transformation correct?", px_reg == Px and py_reg == Py)
def get_next_prime(start):
# Returns prime p such that start <= p
start_bytes = long_to_bytes(start)
assert start_bytes[0] & 0x80 == 0x80, "Prime must have MSB set"
def randfunc(n):
#print(f"randfunc({start:x}, {n})")
if n == len(start_bytes) - 1:
# Starting bytes, big-endian, from which it iterates up
return start_bytes[1:]
if n == 1:
# Bottom bits of top byte (it gets shifted right 1 and or'ed with 0x80)
return bytes([(start_bytes[0] << 1) & 0xfe])
if n == 65:
# Presumably Miller-Rabin
return get_random_bytes(1) * 65
return getPrime(len(start_bytes) * 8, randfunc)
def __init__(self, N=2048, p=None, h=sha256, g=None):
'''
N: key length
p: N-bit prime number
h: hash function
g: generator g < p of the multiplicative group of integers modulo p, Zp*
'''
# for parameter generation
# 1. Choose a key length N
# this will be passed or defaulted to 2048
# 2. Choose a cryptographic hash function h with output length L bits. If L>N, only the leftmost N bits of the hash output are used.
# this will be defaulted to SHA256
# 3. Choose a generator g < p such that g belongs to GF(p)
# and because p is prime so g will be any number from {1...p-1}
self.N = N
self.p = p or num.getPrime(self.N)
# print("is p prime:", num.isPrime(self.p))
self.h = h
self.g = g or self.rand_g()
def Setup(candidate_p_count=1, verbose=False):
bitSizeP = 2048
bitSizeQ = 224
isPFound = False
# Generate q and p:
while isPFound == False:
q = number.getPrime(bitSizeQ, os.urandom)
p = 0
maxP = (2**bitSizeP) - 1
k = (maxP - 1) // q
candidates = []
while k > 1:
k = k - 1
p = (k * q) + 1
if number.isPrime(p):
isPFound = True
candidates.append(p)
if len(candidates) >= candidate_p_count:
break
p = random.choice(candidates)
# Generate g:
g = 1
exponent = (p - 1) // q
while g == 1:
alpha = random.randint(1, p - 1)
g = pow(alpha, exponent, p)
if verbose:
print("q: %d \n\np: %d \n\ng: %d" % (q, p, g))
return q, p, g
def __init__(self, bitsize: int = 1024):
self.e = 3
self.bitsize = bitsize
p, q = getPrime(bitsize // 2), getPrime(bitsize // 2)
while int.bit_length(p * q) != bitsize:
p, q = getPrime(bitsize // 2), getPrime(bitsize // 2)
phi, self.N = (p - 1) * (q - 1), p * q
while gcd(phi, self.e) != 1:
p, q = getPrime(bitsize // 2), getPrime(bitsize // 2)
phi, self.N = (p - 1) * (q - 1), p * q
self._d = invmod(self.e, phi)
def setup():
global prime, poly
if os.path.exists('prime'):
with open('prime') as f:
prime = ast.literal_eval(f.read())
else:
with open('prime', 'w+') as f:
prime = getPrime(8*len(flag))
f.write(str(prime))
if os.path.exists('poly'):
with open('poly') as f:
poly = ast.literal_eval(f.read())
assert poly[0] == bytes_to_long(flag.encode()), "secrets don't match up"
else:
with open('poly', 'w+') as f:
poly = [0] * K
for i in range(1, K):
poly[i] = random.randrange(1, prime)
poly[0] = bytes_to_long(flag.encode())
f.write(str(poly))
def __init__(self, isClients: bool = False, rsa: object = None):
"""
Init
Args:
isClients (bool): If this is from a client
rsa (RSA): A rsa instance from pycryptodome, not required
Attributes:
_rsa (RSA): The rsa instance
_pkcs (PKCS): The pkcs instance
"""
if rsa is None:
self._rsa = _RSA.generate(
CONSTS["CLIENT_RSA"] if isClients else CONSTS["SERVER_RSA"],
e=getPrime(CONSTS["RSA_PRIME"]
)) # If no rsa was passed, generate new one
else:
self._rsa = rsa # Save rsa if it was already created
self._pkcs = _PKCS.new(
self._rsa, hashAlgo=_SHA256) # Save PKCS for RSA using SHA256
def generatePG(self):
'''
采用素数库生成一个GENBIT位的素数,尝试寻找原根。
最大生成MAXROUND次,超过即失败。
'''
i = 0
print('Start to generate P and G...')
while (i < self.MAXROUND):
print('Round:', i)
p = number.getPrime(self.GENBIT)
rt = self.getPrimitiveRoot(p)
if rt:
print('Success!', p, rt)
self.P = p
self.G = rt
return True
else:
print('Time out!', p)
i += 1
print('Failed...')
return False
def negotiate_key2(request):
"""
实现 DH 密钥交换 API 的第二步,这一步会生成服务器端的秘密信息,计算会话密钥后存入 session
:param request: data 内容被认为是十六进制的 g^speer % p
:return: 返回的 data 中是十六进制的 g^sthis % p
"""
try:
data = int(request.json.get("data"), 16)
DH_g, DH_p = request.session.get('DH_g'), request.session.get('DH_p')
assert DH_p is not None and DH_g is not None
except TypeError:
return json_response_zh(get_json_ret(40))
except ValueError:
return json_response_zh(get_json_ret(41))
except AssertionError:
return json_response_zh(get_json_ret(42))
secret = getPrime(64)
request.session['shared_secret'] = pow(data, secret, DH_p)
return json_response_zh(
get_json_ret(0, data=hex(pow(DH_g, secret, DH_p))[2:]))
def badRandomAttack(ex, c, e, n, start=0):
if start == 0: print ex
for i in range(start, 32768):
if i % 100 == 0: print i
random.seed(i)
p = number.getPrime(512, randfunction)
q = n // p
if q * p == n:
if start == 0: print "found at", i
totient = (p - 1) * (q - 1)
d = calcD(totient, e)
mi = pow(c, d, n)
assert pow(mi, e, n) == c
m = decode(mi, n)
print ex
print m
return
if start != 0:
print ex
print "------"
return
def elgamal_gen_key(bits):
# Prime number p
while True:
q = number.getPrime(bits - 1)
p = 2 * q + 1
if number.isPrime(p):
break
# Primitive element g
while True:
g = number.getRandomRange(3, p)
# Primitive element judgment
if pow(g, 2, p) == 1:
continue
if pow(g, q, p) == 1:
continue
break
# Secret value x
x = number.getRandomRange(2, p - 1)
# Public value y
y = pow(g, x, p)
return (p, g, y), x
def paramGen_old():
with open('/dev/urandom', 'rb') as f:
salt = f.read(12)
with open('./salt.bin', 'wb') as f:
f.write(salt)
# Invalid DSA with gen_smooth_prime(128, 8)
q = Integer(gen_smooth(128, 8))
p, g = map(Integer, gen_dsa_from_q(768, q))
c = Integer.random(exact_bits=q.size_in_bits() + 64)
x = c % (q - 1) + 1
y = pow(g, x, p)
key_dict = {'y': y, 'g': g, 'p': p, 'q': q, 'x': x}
dsa = myDSA(key_dict, salt)
with open('./vuln_pub.pem', 'w') as f:
f.write(dsa.export_key('pub'))
with open('./vuln_priv.pem', 'w') as f:
f.write(dsa.export_key('priv'))
# Valid DSA
q = Integer(getPrime(128))
p, g = map(Integer, gen_dsa_from_q(768, q))
c = Integer.random(exact_bits=q.size_in_bits() + 64)
x = c % (q - 1) + 1
y = pow(g, x, p)
key_dict = {'y': y, 'g': g, 'p': p, 'q': q, 'x': x}
dsa = myDSA(key_dict, salt)
with open('./pub.pem', 'w') as f:
f.write(dsa.export_key('pub'))
with open('./priv.pem', 'w') as f:
f.write(dsa.export_key('priv'))
def setup(self, security) -> list:
# Pick p, q primes such that p | q - 1, that is equvalent to
# say that q = r*p + 1 for some r
p = number.getPrime(security, Random.new().read)
print("PEDERSEN. p = ", p)
r = 1
while True:
q = r * p + 1
if number.isPrime(q):
print("PEDERSEN. q = ", q)
break
r += 1
# Compute elements of G = {i^r mod q | i in Z_q*}
G = []
last_i = 0
ctr_i = 0
for i in range(1, q):
i = randint(2, q)
if i != last_i:
aux = i**r % q # Z_q*
if aux != 1:
G.append(aux)
last_i = i
ctr_i += 1
if ctr_i == 2:
break
# Since the order of G is prime, any element of G except 1 is a generator
g = G[0]
print("PEDERSEN. g = ", g)
h = G[1]
print("PEDERSEN. h = ", h)
# g and h are elements of G such that nobody knows math.log(h, g) (log of h base g)
return [q, g, h]
def run():
choose=getPrime(512)
ps=gen512num()
print "gen over"
bchoose=bin(choose)[2:]
r=0
bchoose = "0"*(512-len(bchoose))+bchoose
for i in range(512):
if bchoose[i]=='1':
r=r^ps[i]
flag=open("flag","r").read()
key=long_to_bytes(int(hashlib.md5(long_to_bytes(choose)).hexdigest(),16))
aes_obj = AES.new(key, AES.MODE_ECB)
ef=aes_obj.encrypt(flag).encode("base64")
open("r", "w").write(str(r))
open("ef","w").write(ef)
gg=""
for p in ps:
gg+=str(p)+"\n"
open("ps","w").write(gg)
def encrypt_flag(plaintext_bytes):
while True:
p = number.getPrime(4096)
if p % 4 != 3:
continue
q = p + 2
while True:
if number.isPrime(q) and q % 4 == 3:
break
q += 2
break
n = int(p * q)
e = 0xcbfe
plaintext_bytes += b'\x00'
plaintext = 0
while plaintext * 3 <= n:
plaintext = int.from_bytes(plaintext_bytes, 'big')
plaintext_bytes += bytes([random.getrandbits(8)])
ciphertext = encrypt(plaintext, n, e)
open('ciphertext', 'w').write(str(ciphertext))
public_key = str(n) + ":" + str(e)
open('public_key', 'w').write(public_key)
class gdh:
g = 2
p = number.getPrime(2048)
privateKeys = []
publicKeys = []
complementKeys = []
ids = []
secretKey = 0
central_node = 0
def insertNewUser(self):
n_users = len(gdh.privateKeys)
if (n_users >= 1):
exp_new = randint(1, int(gdh.p - 1))
gdh.privateKeys[0] = (gdh.privateKeys[0] * exp_new) % gdh.p
gdh.publicKeys[0] = pow(gdh.publicKeys[0], exp_new, gdh.p)
for i in range(0, n_users):
if (i != gdh.central_node):
gdh.complementKeys[i] = pow(gdh.complementKeys[i], exp_new,
gdh.p)
secretKey = pow(gdh.complementKeys[0], gdh.privateKeys[0], gdh.p)
gdh.privateKeys.append(randint(1, int(gdh.p - 1)))
gdh.publicKeys.append(pow(gdh.g, gdh.privateKeys[n_users], gdh.p))
gdh.complementKeys.append(secretKey)
gdh.ids.append(id_queue[0])
id_queue.append(id_queue[0] + 1)
id_queue.popleft()
for i in range(0, n_users + 1):
if (i != n_users):
gdh.complementKeys[i] = pow(gdh.complementKeys[i],
gdh.privateKeys[n_users],
gdh.p)
else:
gdh.privateKeys.append(randint(1, int(gdh.p - 1)))
gdh.publicKeys.append(pow(gdh.g, gdh.privateKeys[n_users], gdh.p))
gdh.complementKeys.append(1)
gdh.ids.append(id_queue[0])
id_queue.append(id_queue[0] + 1)
id_queue.popleft()
def generate_function(self):
p = number.getPrime(self.init_prime_size)
self.p = p
if p % 4 != 3:
# print('p nie przytaje do 3 mod 4')
return self.generate_function()
a = self.getRandom(p)
b = self.getRandom(p)
self.a = a
self.b = b
x = self.getRandom(p)
delta = lambda a, b: ((4 * pow(a, 3, p)) % p +
(27 * pow(b, 2, p)) % p) % p
if delta(a, b) == 0:
print('delta == 0')
return self.generate_function()
if 1 != pow(self.eliptic_function(a, b, x, p), (p - 1) // 2, p):
# print('f nie jest reszta kwadratowa p')
return self.generate_function()
y = pow(self.eliptic_function(a, b, x, p), (p + 1) // 4, p)
if self.isQuatraticResidue(x) == False:
print('This is not quadratic residue')
return self.generate_function()
if self.contains_point(x, y):
self.a = a
self.b = b
self.p = p
self.exampleX = x
self.exampleY = y
else:
return self.generate_function()
def __init__(self, THRESHOLD, PARTIES):
"""
Shamir THRESHOLD size polynomial constructor
"""
assert THRESHOLD > 0
assert PARTIES > 0
assert PARTIES >= THRESHOLD
self.THRESHOLD = THRESHOLD
self.PARTIES = PARTIES
self.BLOCK_SIZE = 30 # 30 bytes
self.PRIME_SIZE = 32 # 32 bytes
self.COOFICIENT_SIZE = self.PRIME_SIZE + 8 # Cooficients always 8 byte larger then PRIME
self.SHADOW_SIZE = 32 # 32 bytes
self.POLYNOMIAL_DEGREE = self.THRESHOLD - 1
self.P = number.getPrime(self.PRIME_SIZE * 8)
self.POLYNOMIAL_COEFFICIENTS = [
int(urandom(self.COOFICIENT_SIZE).hex(), 16)
for i in range(self.POLYNOMIAL_DEGREE)
]
def main():
msg = 'esto es facil de cifrar'
print("Mensaje original :", msg)
# q es p
q = getPrime(100) # se genera q con numeros random grandes
print("p numero primo usado : ", q)
g = random.randint(2, q) # se genera g en base a q
# key es a
key = gen_key(q) # se crea la llave privada
# K
h = powerMod(g, key, q) #Se realiza la exponenciacion modular
print("g usado : ", g)
print("La llave privada (key) de Alice es: ", key)
print("g**a usado : ", h)
en_msg, p = encrypt(msg, q, h, g) # se encripta el mensaje con q, h, g
print("Mensaje Cifrado :", en_msg)
dr_msg = decrypt(en_msg, p, key,
q) # se desencripta el mensaje con p, la llave y q
dmsg = ''.join(dr_msg) # se concatena el mensaje y se imprime
print("Mensaje Descifrado :", dmsg)
def __init__(self, sectors=10, key=None, prime=None, primebits=1024):
"""Initialization method
:param sectors: the number of sectors to break each chunk into. this
allows a trade off between communication complexity and storage
complexity. increase the number of sectors to decrease the server
storage requirement (tag size will decrease) but communication
complexity will increase
:param key: the key used for encryption and decryption of the state
:param prime: the prime to determine the modular group
:param primebits: optionally the number of bits to use for generation
of a prime if prime is given as None
"""
if (key is None):
self.key = Random.new().read(32)
else:
self.key = key
if (prime is None):
self.prime = number.getPrime(primebits)
else:
self.prime = prime
self.sectors = sectors
self.sectorsize = self.prime.bit_length() // 8
def gen(self, k: int):
# Pick p, q primes such that p | q - 1, that is equvalent to
# say that q = r*p + 1 for some r
#p is prime of length k
p = number.getPrime(k)
r = 1
while True:
q = r * p + 1
if number.isPrime(q):
break
r += 1
# Compute elements of G = {i^r mod q | i in Z_q*}
G = []
ctr = 0
self.t = q
#Choose two random elements inside G
last_i = 0
while True:
i = random.randint(1, q)
if i != last_i:
aux = pow(i, r, q)
if aux != 1:
G.append(aux)
ctr += 1
last_i = i
if ctr == 2:
break
# Since the order of G is prime, any element of G except 1 is a generator
self.g = G[0]
self.sk = G[1]
# pk= g^s
self.pk = fastModularExponentation(self.g, self.sk, q)
def test(tcount, bits=256):
n = getPrime(int(bits/8))
#n = rsa.get_prime(bits / 8, 20)
p = randint(1, n)
p1 = (randint(1, n), randint(1, n))
q = curve_q(p1[0], p1[1], p, n)
p2 = mulp(p, q, n, p1, randint(1, n))
c1 = [randint(1, n) for i in range(tcount)]
c2 = [randint(1, n) for i in range(tcount)]
c = list(zip(c1, c2))
t = time.time()
for i, j in c:
from_projective(addf(p, q, n,
mulf(p, q, n, to_projective(p1), i),
mulf(p, q, n, to_projective(p2), j)), n)
t1 = time.time() - t
t = time.time()
for i, j in c:
muladdp(p, q, n, p1, i, p2, j)
t2 = time.time() - t
return tcount, t1, t2
def paramGen_new():
with open('/dev/urandom', 'rb') as f:
salt = f.read(12)
with open('./salt.bin', 'wb') as f:
f.write(salt)
for i in [1, 2]:
# Valid DSA
q = Integer(getPrime(128))
p, g = map(Integer, gen_dsa_from_q(768, q))
c = Integer.random(exact_bits=q.size_in_bits() + 64)
x = c % (q - 1) + 1
y = pow(g, x, p)
key_dict = {'y': y, 'g': g, 'p': p, 'q': q, 'x': x}
dsa = myDSA(key_dict, salt)
with open('./server_%d_pub.pem' % (i, ), 'w') as f:
f.write(dsa.export_key('pub'))
with open('./server_%d_priv.pem' % (i, ), 'w') as f:
f.write(dsa.export_key('priv'))
def get_batch_z(self, ciphertext):
y_u = []
for i in range(0, self.max_million):
y_u.append(self.key.decrypt(ciphertext + i))
while True:
p = number.getPrime(self.num_bits // 2)
z_u = [y % p for y in y_u]
# print(z_u);
row = np.array(z_u).reshape((1, len(z_u)))
col = np.transpose(row)
diff = np.abs(row - col)
diff = diff + np.eye(len(z_u)) * 3
if np.all(diff >= 2):
break
final_z_u = []
for i, z in enumerate(z_u):
if i >= self.million:
z = (z + 1) % p
final_z_u.append(z)
return p, final_z_u
def signString(self, raw):
"""
Sign a string using private key
Arguments:
- raw - string to be signed
Returns:
- wrapped, base-64 encoded string of signature
Note - private key must already be present in the key object.
Call L{importKey} for the right private key first if needed.
"""
# hash the key with MD5
m = MD5.new()
m.update(raw)
d = m.digest()
#print "sign: digest"
#print repr(d)
# sign the hash with our current public key cipher
self.randpool.stir()
k = getPrime(128, self.randfunc)
self.randpool.stir()
s = self.k.sign(d, k)
# now wrap into a tuple with the public key cipher
tup = (self.algoPname, s)
# and pickle it
p = pickle.dumps(tup, True)
# lastly, wrap it into our base64
w = self._wrap("Signature", p)
return w
def generate_keys(self, key_size=1024):
p = None
while p is None:
try:
p = number.getPrime(key_size)
except Exception as err:
print(err)
alpha = randrange(1, p)
d = randrange(2, p - 1)
beta = pow(alpha, d, p)
self.keys = {
"pub": {
"p": p,
"alpha": alpha,
"beta": beta
},
"priv": {
"d": d
}
}
return self.keys
def sign_ElGamal(msg, key_tuple, k=None):
"""Create an ElGamal signature.
:Parameters:
- `msg`: string of data signature applies to
- `key_tuple`: tuple ElGamal key integers (p, g, x)
(see `ElGamal key tuple`_)
- `k`: integer (must be relatively prime to p-1)
:Returns: tuple (integer, integer) ElGamal signature values (a, b)
.. _ElGamal key tuple:
ElGamal key tuple:
- `p`: integer ElGamal prime
- `g`: integer ElGamal random "g" value
- `x`: integer ElGamal private key
"""
import Crypto.PublicKey.ElGamal as ELG
if k is None: # generate our own prime k value (k relatively prime to p-1)
import Crypto.Util.number as NUM
import Crypto.Util.randpool as RND
rnd = RND.RandomPool()
q = key_tuple[0] # no restrictions on bit length for k, good enough?
k = NUM.getPrime(8*len(STN.int2str(q)), rnd.get_bytes)
elg = ELG.construct((key_tuple[0], key_tuple[1], 0, key_tuple[2]))
return elg.sign(msg, k)
