def _dsa_verify(self, exponent, signature, public_key):
"""
Verifies that the provided DSA-signature `signature` signs the given
`exponent` under the given `public_key`
:type exponent: mpz
:type signature: dict
:type public_key: ModPrimeElement
:rtype: bool
"""
__group = self.__group
__q = self.__order
_, c_1, c_2 = self.extract_dsa_signature(signature)
# Commitments' validity check
for c in (c_1, c_2):
if not 0 < c < __q:
return False
# Proceed to signature validation
c_2_inv = invert(c_2, __q) # c_2 ^ -1 modq
v_1 = mul(exponent, c_2_inv) % __q # (e + c_2 ^ -1) modq
v_2 = mul(c_1, c_2_inv) % __q # (v_1 * c_2 ^ -1) modq
element = (__group.generate(v_1) * public_key ** v_2).value # (g ^ v_1 * y ^ v_2) modp
# ((g ^ v_1 * y ^ v_2) modp) modq == c_1 ?
return element % __q == c_1
def mlmul(u, v):
""" Multi-library multiplication function. """
if u.mp_t != v.mp_t:
return None
if u.mp_t == 'bigfloat':
from bigfloat import BigFloat, mul
z_real = mul(u.mp_c.real, v.mp_c.real) - \
mul(u.mp_c.imag, v.mp_c.imag)
z_imag = mul(u.mp_c.real, v.mp_c.imag) + \
mul(u.mp_c.imag, v.mp_c.real)
z = Arguments({'real': z_real, 'imag': z_imag})
else:
from mpmath import fmul
z = fmul(u.mp_c, v.mp_c)
return MultiLibMPC(z.real, z.imag, u.mp_t, u.prec)
def sameR():
f3 = open(r"packet3/message3", 'r')
f4 = open(r"packet4/message4", 'r')
data3 = f3.read()
data4 = f4.read()
sha = sha1()
sha.update(data3)
m3 = int(sha.hexdigest(), 16)
sha = sha1()
sha.update(data4)
m4 = int(sha.hexdigest(), 16)
print m3, m4
s3 = 0x1B474F2C1C9E85B72841AD84D9A871A11EF0F323
s4 = 0x0EA21858C18AA1EDF4058B6EB9E02B0176243658
r = 0x12E780EE8471DC3552572BB6E818F6D22CE16EA4
#k(s1-s2) = H(m1)-H(m2) mod q
ds = s4 - s3
dm = m4 - m3
k = gmpy2.mul(dm, gmpy2.invert(ds, q))
k = gmpy2.f_mod(k, q)
#x = r^(-1) * (ks-H(m)) mod q
tmp = gmpy2.mul(k, s3) - m3
x = tmp * gmpy2.invert(r, q)
x = gmpy2.f_mod(x, q)
print hex(x)
def compute_N(self, Ni_list):
L1 = mpz(int((0 - 2) * (0 - 3) / ((1 - 2) * (1 - 3))))
L2 = mpz(int((0 - 1) * (0 - 3) / ((2 - 1) * (2 - 3))))
L3 = mpz(int((0 - 1) * (0 - 2) / ((3 - 1) * (3 - 2))))
self.N = gmpy2.f_mod(gmpy2.mul(Ni_list[0], L1) + gmpy2.mul(Ni_list[1], L2) + gmpy2.mul(Ni_list[2], L3), self.PP)
# print("Ni_list = ", Ni_list)
print("Candidate modulus = ", self.N)
def decrypt(self, common_pk, sk, vec, ct, max_inner_prod):
assert len(ct['ct_dict']) == len(sk['d'])
p = gp.mpz(common_pk['p'])
g = gp.mpz(common_pk['g'])
z = gp.mpz(sk['z'])
d = sk['d']
vec_parties = self._split_vector(vec, ct['parties'])
ct_dict = ct['ct_dict']
g_f = gp.mpz(1)
for idx in ct_dict.keys():
vec_idx = vec_parties[idx]
c_idx = ct_dict[idx]['c']
t_idx = ct_dict[idx]['t']
d_idx = d[idx]
assert len(vec_idx) == len(c_idx)
init_idx = gp.mpz(1)
for j in range(len(c_idx)):
init_idx = gp.mul(
init_idx, gp.powmod(gp.mpz(c_idx[j]), gp.mpz(vec_idx[j]),
p))
g_f = gp.mul(
g_f,
gp.divm(init_idx, gp.powmod(gp.mpz(t_idx), gp.mpz(d_idx), p),
p))
g_f = gp.divm(g_f, gp.powmod(g, z, p), p)
f = self._solve_dlog(p, g, g_f, max_inner_prod)
return f
def runPart3(N):
A2 = add(isqrt(mul(24, N)), 1)
x2 = isqrt(sub(mul(A2, A2), mul(24, N)))
p = div(sub(A2, x2), 6)
q = div(add(A2, x2), 4)
return p, q
def Q1Q4():
N = mpz('17976931348623159077293051907890247336179769789423065727343008115\
77326758055056206869853794492129829595855013875371640157101398586\
47833778606925583497541085196591615128057575940752635007475935288\
71082364994994077189561705436114947486504671101510156394068052754\
0071584560878577663743040086340742855278549092581')
A = isqrt(N) + 1
x = isqrt(sub(mul(A, A), N))
p = sub(A, x)
q = add(A, x)
print("Q1:")
print(p)
fiN = mul(sub(p, 1), sub(q, 1))
e = mpz(65537)
d = gmpy2.invert(e, fiN)
ct = mpz('22096451867410381776306561134883418017410069787892831071731839143\
67613560012053800428232965047350942434394621975151225646583996794\
28894607645420405815647489880137348641204523252293201764879166664\
02997509188729971690526083222067771600019329260870009579993724077\
458967773697817571267229951148662959627934791540')
pt = gmpy2.powmod(ct, d, N)
ptstr = pt.digits(16)
pos = ptstr.find('00')
payload = ptstr[pos + 2:]
print("Q4:")
print(binascii.unhexlify(payload))
def main():
start = time.clock()
B = 2**20
x1 = 0
x0 = 0
g_reverse = mpz(reverse(g,p)) #g**-1
g_B = mpz(pow(g,B,p)) #(g**B) mod p
#Iterazio bakoitzean berreketa guztia kalkulatu beharrean,
#aurreko iterazioko balioari berreketaren oinarria bidertu
# x**3 = (x**2)*x; x**4 = (x**3)*x ...
next_value = h #x1=0 => h/g**x1=h/1=h
try:
for x1 in xrange(B):
#Lortu h/g**x1 eta gorde hiztegian
hashTable[next_value] = x1
#next_value = h/g**(x1 + 1) = h/(g**x1)*g:
next_value = mpz(mul(next_value,g_reverse)%p)
print 'Hiztegia amaitu da: ' + str(time.clock() - start)
next_value = 1 #x0=0 => (g**B)**x0=1
for x0 in xrange(B):
#Lortu (g**B)**x0 eta bilatu hiztegian
if hashTable.has_key(next_value):
print 'Emaitza aurkitu da: ' + str(time.clock() - start)
print ' x0 = ' + str(x0)
print ' x1 = ' + str(hashTable[next_value])
print ' x = ' + str(mpz(addmul(mpz(hashTable[next_value]),mpz(x0),mpz(B))%p))
sys.exit()
next_value = mpz(mul(next_value,g_B)%p)
except KeyboardInterrupt:
print 'Keyboard interrupt: x1=' + str(x1) + ', x0=' + str(x0)
print 'Denbora: ' + str(time.clock() - start)
sys.exit()
def generate_keys(n_bits=1024):
"""
Generates keys necessary to Pailler's Cryptossystem
Parameters:
Kwargs:
n_bits: Size of the key, in bits (default=1024)
Returns:
Tuple: Tuple containing two tuples:
t0: Tuple containing the public key (n,g)
t1: Tuple containing the private key (lambda,mu)
"""
one = gmpy2.mpz(1)
p = new_prime(n_bits=n_bits)
q = new_prime(n_bits=n_bits)
# public key
n = gmpy2.mul(p, q)
g = gmpy2.add(n, one)
#private key
lbd = gmpy2.mul(gmpy2.sub(p, one), gmpy2.sub(q, one))
mu = gmpy2.powmod(lbd, -1, n)
return ((n, g), (lbd, mu))
def factor_n1():
'''
Factoring challenge #1:
The following modulus N is a products of two primes p and q where
|p−q| < 2N^(1/4). Find the smaller of the two factors and enter it
as a decimal integer.
'''
N = gmpy2.mpz(
'179769313486231590772930519078902473361797697894230657273430081157732675805505620686985379449212982959585501387537164015710139858647833778606925583497541085196591615128057575940752635007475935288710823649949940771895617054361149474865046711015101563940680527540071584560878577663743040086340742855278549092581'
)
A = gmpy2.add(gmpy2.isqrt(N), one)
x = gmpy2.isqrt(gmpy2.sub(gmpy2.mul(A, A), N))
print 'Calculating first factors...'
ticks = 0
while True:
p = gmpy2.sub(A, x)
q = gmpy2.add(A, x)
if gmpy2.is_prime(p) and gmpy2.is_prime(q) and gmpy2.mul(p, q) == N:
print "p =", p, "q =", q, "ticks =", ticks
return
else:
x = gmpy2.add(x, one)
ticks += 1
if ticks % 10000 == 0:
print 'ticks:', ticks
def calc_near6(self):
""" Solves the Extra Credit question Q3
See:
Uses only integer arithmetic to avoid issues with rounding errors
Solution credit to Francois Degros:
https://class.coursera.org/crypto-011/forum/thread?thread_id=517#post-2279
:return: the prime factors of ```self.n```, p and q
:rtype: tuple
"""
# A = ceil(sqrt(24 N)) - the use of isqrt() won't matter, as we seek the ceil
A = add(isqrt(mul(self.n, mpz(24))), mpz(1))
# D = A^2 - 24 N
D = sub(mul(A, A), mul(24, self.n))
# E = sqrt(D) - note D is a perfect square and we can use integer arithmetic
E = isqrt(D)
assert sub(mul(E, E), D) == mpz(0)
p = div(sub(A, E), 6)
q = div(add(A, E), 4)
if self._check_sol(p, q):
return p, q
# The above is the right solution, however, there is another possible solution:
p = div(add(A, E), 6)
q = div(sub(A, E), 4)
if self._check_sol(p, q):
return p, q
print 'Could not find a solution'
return 0, 0
def factoring_challenge_3():
"""
Given |3p - 2q| < N^(1/4) and considering A = (3p + 2q) / 2 we can show that
A - sqrt(6N) < 1 => A = ceil(sqrt(6N)).
Let x be equal distance from A to 3p and 2q, then x = sqrt(A^2 - 6N)
=> we can calculate p and q based on this.
"""
modulus = mpz(
"72006226374735042527956443552558373833808445147399984182665305798191"
"63556901883377904234086641876639384851752649940178970835240791356868"
"77441155132015188279331812309091996246361896836573643119174094961348"
"52463970788523879939683923036467667022162701835329944324119217381272"
"9276147530748597302192751375739387929"
)
a, rem = gmpy2.isqrt_rem(6 * modulus)
if rem > 0:
a += 1
x = gmpy2.isqrt(a ** 2 - 6 * modulus)
a_minus_x, a_plus_x = a - x, a + x
# either p = (A - x) / 3 and q = (A + x) / 2
p, rem = gmpy2.f_divmod(a_minus_x, 3)
if rem == 0:
q, rem = gmpy2.f_divmod(a_plus_x, 2)
if gmpy2.mul(p, q) == modulus:
return p if p < q else q
# or p = (A + x) / 3 and q = (A - x) / 2
p, rem = gmpy2.f_divmod(a_plus_x, 3)
if rem == 0:
q = gmpy2.f_div(a_minus_x, 2)
if gmpy2.mul(p, q) == modulus:
return p if p < q else q
def chinrest(aas, ns):
count = len(aas)
m = 1
ms = [1] * count
ees = [mpz(0)] * count
# product of all ns
for i in range(0, count):
m = gmpy2.mul(m, ns[i])
# products of all but one ns
for i in range(0, count):
ms[i] = gmpy2.div(m, ns[i])
# extended euclid to get the factors
for i in range(0, count):
ggtn, r, s = gmpy2.gcdext(mpz(ns[i]), mpz(ms[i]))
ees[i] = gmpy2.mul(s, ms[i])
# calculating x
x = 0
for i in range(0, count):
x = gmpy2.add(x, gmpy2.mul(aas[i], ees[i]))
# making x positive. just in case
x = gmpy2.t_mod(mpz(x), mpz(m))
while x < 0:
x = gmpy2.t_mod(mpz(x + m), mpz(m))
return m, x
def factor_prime(prime):
# p - 1 is 37-smooth
base = 2
k_sm = 37
# pow(base,k_sm!) mod prime
a = gmpy2.powmod(base, gmpy2.fac(k_sm), prime)
# gcd(r_k - 1, prime)
p = gmpy2.gcd(a-1, prime)
# get second factor of prime
q = (prime / p)
# make sure factors (pq) are prime
if (gmpy2.is_prime(p) and gmpy2.is_prime(q)):
print "p = ", p
print "q = ", q
# make sure n = p*q = prime number
n = gmpy2.mul(p,q)
if (n == prime):
print "n = ", gmpy2.mul(p,q)
return
def _dsa_signature(self, exponent, private_key):
"""
Returns and computes the DSA-signature
{
'exponent': e,
'commitments': {
'c_1': (g ^ r modp) modq
'c_2': (e + x * c_1)/r modq
}
}
of the provided `exponent` e (assumed to be in the range {1, ..., q - 1})
under the `private_key` x for a once used randmoness 1 < r < q
:type exponent: mpz
:type private_key: mpz
:rtype: dict
"""
__group = self.__group
__q = self.__order
randomness = __group.random_exponent() # 1 < r < q
c_1 = __group.generate(randomness).value % __q # (g ^ r modp) modq
exps = __group.add_exponents(exponent, mul(private_key, c_1)) # (e + x * c_1) modq
r_inv = invert(randomness, __q) # r ^ -1 modq
c_2 = mul(exps, r_inv) % __q # (e + x * c_1)/r modq
signature = self.set_dsa_signature(exponent, c_1, c_2)
return signature
def rsa():
p = gmpy2.mpz(int(request.values.get('p')))
# print(p)
q = gmpy2.mpz(int(request.values.get('q')))
e = gmpy2.mpz(int(request.values.get('e')))
operator = request.values.get('operator')
try:
if p and q and e and operator:
if not gmpy2.is_prime(p) or not gmpy2.is_prime(q):
resu = {'code': 9999, 'message': 'p和q必须是素数'}
return json.dumps(resu, ensure_ascii=False)
n = gmpy2.mul(p, q)
if operator == 'decode':
c = gmpy2.mpz(int(request.values.get('c')))
phi_n = gmpy2.mul(gmpy2.sub(p, 1), gmpy2.sub(q, 1))
d = gmpy2.invert(e, phi_n) # private key
m = gmpy2.powmod(c, d, n)
print(m)
print(d)
resu = {'code': 200, 'm': str(m), 'd': str(d)}
return json.dumps(resu, ensure_ascii=False)
elif operator == 'encode':
m = gmpy2.mpz(int(request.values.get('m')))
c = gmpy2.powmod(m, e, n)
resu = {'code': 201, 'c': str(c)}
return json.dumps(resu, ensure_ascii=False)
else:
resu = {'code': 10001, 'message': '参数不能为空!'}
return json.dumps(resu, ensure_ascii=False)
except:
resu = {'code': 10002, 'message': '异常。'}
return json.dumps(resu, ensure_ascii=False)
def digitial_generation(self,message,Curve_Polynomial,X,Y,Order,A,d_A):
r=np.array([0x0],dtype='uint32')
m=hashlib.sha256(message).hexdigest()
Order_np = self.str2nparray(Order)
Order_int = int(Order,16)
l=(len(Order_np)-1)*32+gmpy2.bit_length(int(Order_np[-1]))
m = field.str2nparray(m)
size = l/32+1
m=self.remove_1(m)
if(l>=256):
rem=l-256
chunk_added=(rem/32)+1
m=np.append(np.zeros(chunk_added,dtype='uint32'),m)
part=32-(l+chunk_added)%32
else:
m = m[len(m)-size:]
part = 32-l%32
X1=m>>part
Y1=m<<(32-part)
Z=np.bitwise_xor(Y1[1:],X1[:-1])
Z=np.append(Z,X1[-1])
Z = self.nparray2str(Z)
Z = int(Z,16)
Z = gmpy2.f_mod(Z,Order_int)
S=0
while(S==0):
while(np.all(r[0]==0)):
k=random.randint(1,Order_int-1)
r=self.bin_public_key_gen(X,Y,A,k)
k_inv=gmpy2.invert(k,Order_int)
r = self.nparray2str(r[0])
r = int(r,16)
r=gmpy2.f_mod(r,Order_int)
rd_A = gmpy2.mul(r,d_A)
rd_A = gmpy2.f_mod(rd_A,Order_int)
Zrd_A = rd_A + Z
Zrd_A = int(Zrd_A)
k_inv = int(k_inv)
S = gmpy2.mul(Zrd_A,k_inv)
S = gmpy2.f_mod(S,Order_int)
return r,S
def digitial_generation(self,message,Curve_Polynomial,X,Y,Order,A,d_A):
r=np.array([0x0],dtype='uint32')
m=hashlib.sha256(message).hexdigest()
Order_np = self.str2nparray(Order)
Order_int = int(Order,16)
l=(len(Order_np)-1)*32+gmpy2.bit_length(int(Order_np[-1]))
m = field.str2nparray(m)
size = l/32+1
m=self.remove_1(m)
if(l>=256):
rem=l-256
chunk_added=(rem/32)+1
m=np.append(np.zeros(chunk_added,dtype='uint32'),m)
part=32-(l+chunk_added)%32
else:
m = m[len(m)-size:]
part = 32-l%32
X1=m>>part
Y1=m<<(32-part)
Z=np.bitwise_xor(Y1[1:],X1[:-1])
Z=np.append(Z,X1[-1])
Z = self.nparray2str(Z)
Z = int(Z,16)
Z = gmpy2.f_mod(Z,Order_int)
S=0
while(S==0):
while(np.all(r[0]==0)):
k=random.randint(1,Order_int-1)
r=self.bin_public_key_gen(X,Y,A,k)
k_inv=gmpy2.invert(k,Order_int)
r = self.nparray2str(r[0])
r = int(r,16)
r=gmpy2.f_mod(r,Order_int)
rd_A = gmpy2.mul(r,d_A)
rd_A = gmpy2.f_mod(rd_A,Order_int)
Zrd_A = rd_A + Z
Zrd_A = int(Zrd_A)
k_inv = int(k_inv)
S = gmpy2.mul(Zrd_A,k_inv)
S = gmpy2.f_mod(S,Order_int)
return r,S
def chinese_remainder(n, a):
sum = 0
prod = reduce(gmpy2.mul, n)
for n_i, a_i in zip(n, a):
p = gmpy2.div(prod, n_i)
sum += gmpy2.mul(gmpy2.mul(a_i, mul_inv(p, n_i)), p)
return sum % prod
def solve_quadratic(a, b, c):
""" Solves the quadratic equation ```a x2 + b x + c = 0```
:return: the GMP result of solving the quadratic equation usign multi-precision numbers
"""
bb = sqrt(sub(mul(b, b), mul(mpz(4), mul(a, c))))
x1 = gmpy2.div(sub(-b, bb), mul(mpz(2), a))
x2 = gmpy2.div(add(-b, bb), mul(mpz(2), a))
return x1, x2
def digitial_Verification(self,message,Order,X,Y,A,d_A,r,S):
X=self.str2nparray(X)
Y=self.str2nparray(Y)
A=self.str2nparray(A)
m=hashlib.sha256(message).hexdigest()
Order_np = self.str2nparray(Order)
Order_int = int(Order,16)
l=(len(Order_np)-1)*32+gmpy2.bit_length(int(Order_np[-1]))
m = field.str2nparray(m)
size = l/32+1
m=self.remove_1(m)
if(l>=256):
rem=l-256
chunk_added=(rem/32)+1
m=np.append(np.zeros(chunk_added,dtype='uint32'),m)
part=32-(l+chunk_added)%32
else:
m = m[len(m)-size:]
part = 32-l%32
X1=m>>part
Y1=m<<(32-part)
Z=np.bitwise_xor(Y1[1:],X1[:-1])
Z=np.append(Z,X1[-1])
Z = self.nparray2str(Z)
Z = int(Z,16)
Z = gmpy2.f_mod(Z,Order_int) #####Truncated Message
w=gmpy2.invert(S,Order_int)
u1 = gmpy2.mul(Z,w)
u1 = gmpy2.f_mod(u1,Order_int)
u2 = gmpy2.mul(r,w)
u2 = gmpy2.f_mod(u2,Order_int)
Q_A=self.public_key_gen(X,Y,A,d_A) #Q_A = d_A * G
X1=self.public_key_gen(X,Y,A,int(u1))
X2=self.public_key_gen(Q_A[0],Q_A[1],A,int(u2)) #u2*Q_A
X3=self.point_add(X1[0],X1[1],X2[0],X2[1],A)
X3=self.nparray2str(X3[0])
X3 = gmpy2.f_mod(int(X3,16),Order_int)
#print X3[0]
return X3
def three():
N = mpz('720062263747350425279564435525583738338084451473999841826653057981916355690188337790423408664187663938485175264994017897083524079135686877441155132015188279331812309091996246361896836573643119174094961348524639707885238799396839230364676670221627018353299443241192173812729276147530748597302192751375739387929')
A = mul(isqrt(mul(6,N)),2)
A = add(A,1)
x = isqrt(sub(mul(A,A),mul(24,N)))
p = t_div(sub(A,x),6)
q = t_div(add(A,x),4)
if mul(p,q) == N:
print "3. " + str(p)
def digitial_Verification(self,message,Order,X,Y,A,d_A,r,S):
X=self.str2nparray(X)
Y=self.str2nparray(Y)
A=self.str2nparray(A)
m=hashlib.sha256(message).hexdigest()
Order_np = self.str2nparray(Order)
Order_int = int(Order,16)
l=(len(Order_np)-1)*32+gmpy2.bit_length(int(Order_np[-1]))
m = field.str2nparray(m)
size = l/32+1
m=self.remove_1(m)
if(l>=256):
rem=l-256
chunk_added=(rem/32)+1
m=np.append(np.zeros(chunk_added,dtype='uint32'),m)
part=32-(l+chunk_added)%32
else:
m = m[len(m)-size:]
part = 32-l%32
X1=m>>part
Y1=m<<(32-part)
Z=np.bitwise_xor(Y1[1:],X1[:-1])
Z=np.append(Z,X1[-1])
Z = self.nparray2str(Z)
Z = int(Z,16)
Z = gmpy2.f_mod(Z,Order_int) #####Truncated Message
w=gmpy2.invert(S,Order_int)
u1 = gmpy2.mul(Z,w)
u1 = gmpy2.f_mod(u1,Order_int)
u2 = gmpy2.mul(r,w)
u2 = gmpy2.f_mod(u2,Order_int)
Q_A=self.public_key_gen(X,Y,A,d_A) #Q_A = d_A * G
X1=self.public_key_gen(X,Y,A,int(u1))
X2=self.public_key_gen(Q_A[0],Q_A[1],A,int(u2)) #u2*Q_A
X3=self.point_add(X1[0],X1[1],X2[0],X2[1],A)
X3=self.nparray2str(X3[0])
X3 = gmpy2.f_mod(int(X3,16),Order_int)
#print X3[0]
return X3
def calculate_shared_secret(self):
val = powmod(self.generator, self.get_identity_hash(), self.modulus)
val2 = mul(self.get_multiplier(), val)
val3 = sub(self.get_server_public_value(), val2)
val4 = mul(self.get_scrambler(), self.get_identity_hash())
val5 = add(self.get_private_value(), val4)
val6 = t_mod(val3, self.modulus)
val7 = t_mod(val5, self.modulus)
self.shared_secret = powmod(val6, val7, self.modulus)
def test_factors2(self):
p = gmpy2.mpz('776531419')
q = gmpy2.mpz('776531479')
n = gmpy2.mul(p, q)
factor = factoring.Factoring(n)
pc, qc = factor.calc_near()
self.assertEquals(p, pc)
self.assertEquals(q, qc)
self.assertEquals(n, gmpy2.mul(pc, qc))
def crt(mp, mq, p, q, q_inverse, n):
"""the Chinese Remainder Theorem as needed for decryption.
return the solution modulo n=pq.
"""
# u = (mp - mq) * self.q_inverse % self.p
# x = (mq + (u * self.q)) % self.public_key.n
u = gmpy2.mul(mp-mq, q_inverse) % p
x = (mq + gmpy2.mul(u, q)) % n
return int(x)
def one():
N = mpz('179769313486231590772930519078902473361797697894230657273430081157732675805505620686985379449212982959585501387537164015710139858647833778606925583497541085196591615128057575940752635007475935288710823649949940771895617054361149474865046711015101563940680527540071584560878577663743040086340742855278549092581')
A = isqrt(N)
A = add(A,1)
x = isqrt(sub(mul(A,A),N))
p = sub(A,x)
q = add(A,x)
if mul(p,q) == N:
print "1. " + str(p)
return p, q, N
def mypowmod(a, b, N):
ret = 1
while b > 0:
if b & 1 == 1:
ret = gmpy2.mul(ret,a)
ret = gmpy2.f_mod(ret,N)
a = gmpy2.mul(a,a)
a = gmpy2.f_mod(a,N)
b = b >> 1
return gmpy2.f_mod(ret,N)
def compute(self):
self.build_table(end=self.B)
rhs = self.g_B
for x0 in xrange(1, self.B):
x1 = self.lookup_table.get(rhs, None)
if x1:
res = gmpy2.f_mod(gmpy2.add(gmpy2.mul(x0, self.B), x1), self.p)
return res
if x0 and (x0 % self.CHECKPOINT) == 0:
self.log.print_progress(x0)
rhs = gmpy2.f_mod(gmpy2.mul(rhs, self.g_B), self.p)
def two():
N = mpz('648455842808071669662824265346772278726343720706976263060439070378797308618081116462714015276061417569195587321840254520655424906719892428844841839353281972988531310511738648965962582821502504990264452100885281673303711142296421027840289307657458645233683357077834689715838646088239640236866252211790085787877')
A = isqrt(N)
while True:
A = add(A,1)
x = isqrt(sub(mul(A,A),N))
p = sub(A,x)
q = add(A,x)
if mul(p,q) == N:
print "2. " + str(p)
break
def mit_in_the_middle(h, g, p, B):
tab = hash_table(h, g, p, B)
for x in range(B - 1):
val = gmpy2.powmod(g, gmpy2.mul(B, x), p)
if val in tab:
# print val
x0 = x
x1 = tab[val]
# print x0, x1
return gmpy2.mul(x0, B) + x1
def main():
# predefine these, we will stop overwriting them when ready to run the big numbers
p=mpz('13407807929942597099574024998205846127'
'47936582059239337772356144372176403007'
'35469768018742981669034276900318581848'
'6050853753882811946569946433649006084171'
)
g=mpz('117178298803662070095161175963353670885'
'580849999989522055999794590639294997365'
'837466705721764714603129285948296754282'
'79466566527115212748467589894601965568'
)
y=mpz('323947510405045044356526437872806578864'
'909752095244952783479245297198197614329'
'255807385693795855318053287892800149470'
'6097394108577585732452307673444020333'
)
log.info("Starting Discrete Log Calculation")
log.info("p: %i", p)
log.info("g: %i", g)
log.info("y: %i", y)
m = gmpy2.ceil(gmpy2.sqrt(p))
log.info("m: %i", m)
# custom range since builtin has a size limit
long_range = lambda start, stop: iter(itertools.count(start).next, stop)
chunk_size = 100000
if m < 100000:
chunk_size = m
stop_at = chunk_size
start = 0
while True:
chunk = {}
log.info("Starting chunk from %i to %i", start, stop_at)
for i in xrange(start, stop_at):
chunk[gmpy2.powmod(g,i,p)] = i
for t in long_range(0,m):
expone = mpz(gmpy2.mul(-m,t))
g_term = gmpy2.powmod(g, expone, p)
res = gmpy2.f_mod(gmpy2.mul(y, g_term), p)
if res in chunk:
s = chunk[res]
dc = gmpy2.f_mod(mpz(gmpy2.add(s, gmpy2.mul(m,t))), p)
log.info("DC LOG FOUND")
log.info("dc: %i", dc)
return
log.info("Completed chunk run: %i to %i no DC yet :(", start, stop_at)
start = stop_at
stop_at += chunk_size
def three():
N = mpz(
'720062263747350425279564435525583738338084451473999841826653057981916355690188337790423408664187663938485175264994017897083524079135686877441155132015188279331812309091996246361896836573643119174094961348524639707885238799396839230364676670221627018353299443241192173812729276147530748597302192751375739387929'
)
A = mul(isqrt(mul(6, N)), 2)
A = add(A, 1)
x = isqrt(sub(mul(A, A), mul(24, N)))
p = t_div(sub(A, x), 6)
q = t_div(add(A, x), 4)
if mul(p, q) == N:
print "3. " + str(p)
def fun(self,coef_poly,k,t,x):
ff = gmpy2.mpz(0)
for j in range(k*t-k+1)[::-1]:
temp = gmpy2.mul(ff,x)
ff = gmpy2.add(temp,coef_poly[j])
if j == 1:
break
temp = gmpy2.mul(ff,x) #temp = at-1*xt-1+...+a1*x
ff = gmpy2.add(temp,coef_poly[0]) #f = temp+a0
ff = gmpy2.f_mod(ff,q)
return ff
def rptsq(base, toraise):
#repeated squaring algo
#base = value to raise, toraise = exponent
binstr = bin(toraise)[2:] #string in binary of toraise
curmult = base
curval = mpz('1')
for digit in reversed(xrange(len(binstr))):
if binstr[digit] == '1':
curval = gmpy2.mul(curval, curmult)
curmult = gmpy2.mul(curmult, base)
return curval
def one():
N = mpz(
'179769313486231590772930519078902473361797697894230657273430081157732675805505620686985379449212982959585501387537164015710139858647833778606925583497541085196591615128057575940752635007475935288710823649949940771895617054361149474865046711015101563940680527540071584560878577663743040086340742855278549092581'
)
A = isqrt(N)
A = add(A, 1)
x = isqrt(sub(mul(A, A), N))
p = sub(A, x)
q = add(A, x)
if mul(p, q) == N:
print "1. " + str(p)
return p, q, N
def mandelfun(c, z0, e, n):
"""
Provides methods used to compute multi-privkey key types.
Takes mpc objects as parameters.
"""
z = z0
while n > 0:
z = mul(z, mul(e, mul(c, c)))
n -= 1
return z
def get_lambda_i(x, i):
lambda_i = mpz(1)
for j in xrange(len(x)):
if i != j:
if x[i] == x[j] and __debug__:
print x
print i
print j
print config.q
tmp = gmpy2.invert(gmpy2.sub(x[j], x[i]), config.q)
tmp = gmpy2.t_mod(gmpy2.mul(x[j], tmp), config.q)
lambda_i = gmpy2.t_mod(gmpy2.mul(lambda_i, tmp), config.q)
return lambda_i
def computeN3Factors():
A = gmpy2.ceil(gmpy2.mul(2, gmpy2.sqrt(gmpy2.mul(6, N3))))
X = gmpy2.ceil(
gmpy2.sqrt(
gmpy2.sub(
pow(A, 2),
gmpy2.mul(24, N3)
)
)
)
p = gmpy2.ceil(gmpy2.div(gmpy2.sub(A, X), 6)) # Only round one.
q = gmpy2.div(N3, p)
confirmed(N3, p, q)
def two():
N = mpz(
'648455842808071669662824265346772278726343720706976263060439070378797308618081116462714015276061417569195587321840254520655424906719892428844841839353281972988531310511738648965962582821502504990264452100885281673303711142296421027840289307657458645233683357077834689715838646088239640236866252211790085787877'
)
A = isqrt(N)
while True:
A = add(A, 1)
x = isqrt(sub(mul(A, A), N))
p = sub(A, x)
q = add(A, x)
if mul(p, q) == N:
print "2. " + str(p)
break
def runPart2(N):
A = isqrt(N)
maxVal = add(isqrt(N), 2**20)
p = 0
q = 0
while mul(p, q) != N and A <= maxVal:
A = add(A, 1)
x = isqrt(sub(mul(A,A), N))
p = sub(A, x)
q = add(A, x)
return p, q
def factorize(number, delta):
for i in xrange(1, delta + 1):
square_root = isqrt(number)
average = square_root + i
average_squared = mul(average, average)
x = isqrt(average_squared - number)
p = (average - x)
q = (average + x)
if mul(p, q) == number:
return (p, q, i)
return (0, 0, 0)
def q3():
N = 720062263747350425279564435525583738338084451473999841826653057981916355690188337790423408664187663938485175264994017897083524079135686877441155132015188279331812309091996246361896836573643119174094961348524639707885238799396839230364676670221627018353299443241192173812729276147530748597302192751375739387929
rt = gmpy2.sqrt(gmpy2.mul(N, 6))
A = gmpy2.ceil(rt)
A2 = pow(A, 2)
assert A2 > N
x = gmpy2.sqrt(gmpy2.sub(A2, N))
x = gmpy2.mul(x, 3 / 2)
p = gmpy2.sub(A, x)
q = gmpy2.add(A, x)
gotcha(N, p, q)
def regenerate_key(bits,x,x_i,L,leave):
""" Regenerate the key r when some peer join or leave the team. All the variables' name are the same as those used in the paper.
Args:
bits: int, the number of bits of p, which can be set to be larger than the length of r.
x: list, x_i which has been distributed members.
x_i: int, the x_i of a member who wants to join or leave the team.
L: int, the value of product of x_is before the member join or leave.
leave: bool. True if the x_i is leaving the team. False if the x_i is join the team.
"""
p=generate_large_prime(bits)
(m,q)=generate_m(p)
delta= generate_large_prime(len(bin(min(x)))-2)
k=delta-p
a=generate_large_prime(bits)
g=gmpy2.powmod(a,q,m)
r=gmpy2.powmod(g,k,m)
if leave :
L=gmpy2.div(L,x_i)
else:
L=gmpy2.mul(L,x_i)
u=gmpy2.invert(delta,L)
while get_key(g,m,u,x[0])!=r:
p=generate_large_prime(bits)
(m,q)=generate_m(p)
delta= generate_large_prime(len(bin(min(x)))-2)
k=delta-p
a=generate_large_prime(bits)
g=gmpy2.powmod(a,q,m)
r=gmpy2.powmod(g,k,m)
if leave :
L=gmpy2.div(L,x_i)
else:
L=gmpy2.mul(L,x_i)
u=gmpy2.invert(delta,L)
return (g,m,u,L,r)
def q3():
N = 720062263747350425279564435525583738338084451473999841826653057981916355690188337790423408664187663938485175264994017897083524079135686877441155132015188279331812309091996246361896836573643119174094961348524639707885238799396839230364676670221627018353299443241192173812729276147530748597302192751375739387929
rt = gmpy2.sqrt(gmpy2.mul(N, 6))
A = gmpy2.ceil(rt)
A2 = pow(A, 2)
assert A2 > N
x = gmpy2.sqrt(gmpy2.sub(A2, N))
x = gmpy2.mul(x, 3/2)
p = gmpy2.sub(A, x)
q = gmpy2.add(A, x)
gotcha(N, p, q)
def rsa_recovery(dp, dq, ciphertext, keysize=1024, start=3):
'''
This extensive process loops through all unknown e, typically between 3..65537
and given the dP and dQ will search for primes p and q, then attempt to
decrypt the ciphertext that is known to have been encrypted with them.
'''
# init counters
r, p, q, d, count, count2, count3 = (0L, 0L, 0L, 0L, 0, 0, 0)
# start generalised loop for an unknown e
for j in range(start, 65538, 2):
dp1 = long(gmpy2.mul(dp, j) - 1)
for k in range(3, j):
d = long(k)
a, r = gmpy2.t_divmod(dp1, d)
assert(dp1 == (k * a) + r)
if r == 0:
count += 1
p = long(a + 1)
if gmpy2.is_odd(p) and gmpy2.is_strong_prp(p, 10):
count2 += 1
dq1 = long(gmpy2.mul(dq, j) - 1)
for l in range(3, j):
d = long(l)
a, r = gmpy2.t_divmod(dq1, d)
assert(dq1 == (l * a) + r)
if r == 0:
q = long(a + 1)
if gmpy2.is_odd(q) and gmpy2.is_strong_prp(q, 10):
count3 += 1
# just some basic progress on the console
if count3 % 10 == 0:
sys.stdout.write('.')
sys.stdout.flush()
# only attempt the decrypt if p,q are expected bitlength
if p.bit_length() + q.bit_length() == keysize:
try:
result = rsa_decrypt(p, q, ciphertext, j)
if len(result) == 0 or result == "None":
# indicates a failed decryption attempt
sys.stdout.write('x')
else:
# SUCCESS! This is your decrypted message, sir...
print "\n:: DECRYPTED::\n message = %s" % result
# show all the p, q candidates just in case
print "\np = %X\nq = %X\n" % (p, q)
except Exception as e:
print "ERROR: ", e # if cipher text length wrong, change decryption padding etc.
pass # do nothing
# finish with a counter summary
print "count: %d count2: %d count3: %d\n\n" % (count, count2, count3)
def find_factors_6n(n):
n24 = gmp.mul(n, 24)
a = gmp.isqrt(n24)
p = 0
q = 0
while not check(n, p, q):
a = gmp.add(a, 1)
a2 = gmp.mul(a, a)
x = gmp.isqrt(gmp.sub(a2, n24))
p = gmp.mpz(gmp.div(gmp.sub(a, x), 6))
q = gmp.mpz(gmp.div(gmp.add(a, x), 4))
return (p, q)
def invHessian(x, y, t_1, t_2):
hess = hessian(x, y, t_1, t_2)
a = mpfr(hess[0][0])
b = mpfr(hess[0][1])
c = mpfr(hess[1][0])
d = mpfr(hess[1][1])
det = mpfr(a * d - b * c)
H_inv = np.ones((2, 2), dtype=object)
q = (mpfr(1.0) / det)
H_inv[0][0] = gmpy2.mul(q, d)
H_inv[0][1] = gmpy2.mul(-q, b)
H_inv[1][0] = gmpy2.mul(-q, c)
H_inv[1][1] = gmpy2.mul(q, a)
return H_inv
def check_sterbenz_apply(interval1, interval2):
with gmpy2.local_context(gmpy2.context(),
round=gmpy2.RoundDown,
precision=mpfr_proxy_precision) as ctx:
two_y_left = gmpy2.mul(mpfr("2.0"), mpfr(interval2.lower))
two_x_left = gmpy2.mul(mpfr("2.0"), mpfr(interval1.lower))
with gmpy2.local_context(gmpy2.context(),
round=gmpy2.RoundUp,
precision=mpfr_proxy_precision) as ctx:
y_right = mpfr(interval2.upper)
x_right = mpfr(interval1.upper)
if x_right <= two_y_left and y_right <= two_x_left:
return True
return False
def generate_key_r(bits,x):
""" Generate the key r. All the variables' name are the same as those used in the paper.
Args:
bits: int, the number of bits of p, which can be set to be larger than the length of r.
x: list, includes x_i which has been distributed members.
"""
p=generate_large_prime(bits)
(m,q)=generate_m(p)
delta= generate_large_prime(len(bin(min(x)))-2)
k=delta-p
a=generate_large_prime(bits)
g=gmpy2.powmod(a,q,m)
r=gmpy2.powmod(g,k,m)
L=1
for x_i in x :
L=gmpy2.mul(L,x_i)
u=gmpy2.invert(delta,L)
""" Because the primes generated are pseudo primes that has passed probable
prime test, it is possible that the member cannot calculat the right key.
Verify the members can calculate the key rightly.
"""
while get_key(g,m,u,x[0])!=r:
p=generate_large_prime(bits)
(m,q)=generate_m(p)
delta= generate_large_prime(len(bin(min(x)))-2)
k=delta-p
a=generate_large_prime(bits)
g=gmpy2.powmod(a,q,m)
r=gmpy2.powmod(g,k,m)
L=1
for x_i in x :
L=gmpy2.mul(L,x_i)
u=gmpy2.invert(delta,L)
return (g,m,u,L,r)
def _shared_key(a, x, x_pub, b_pub, y_pub, p):
l2 = 2**128
x_mod = gmpy2.t_mod_2exp(x_pub, 128)
d = gmpy2.add(l2, x_mod)
da = gmpy2.mul(d, a)
xda = gmpy2.add(x, da)
y_mod = gmpy2.t_mod_2exp(y_pub, 128)
e = gmpy2.add(l2, y_mod)
sa = gmpy2.powmod(b_pub, e, p)
sa = gmpy2.mul(sa, y_pub)
sa = gmpy2.f_mod(sa, p)
sa = gmpy2.powmod(sa, xda, p)
return sa
def main():
if not (sys.argv[1] == "-i"):
print("Invalid usage! rsa_mitm_attack_117516.py -i <filename>")
quit()
print("reading in values")
lines = [line.rstrip('\n') for line in open(sys.argv[2])]
n = mpz(lines[2])
e = int(lines[4])
C = mpz(lines[6])
b = int(lines[8])
S = int(b)
T = int(b)
print("starting dict creation")
found = False
dict = {}
if (S * T) < b:
print("S * T is too small")
print(S * T)
quit()
for s in range(1, S, 1):
Cs = fmod(mul(C, (powmod(powmod(s, e, n), -1, n))), n)
dict[Cs] = s
print("finished dict creation")
print("starting comparision")
for t in range(1, T, 1):
key = powmod(t, e, n)
if key in dict:
print("Found collision at s = " + str(dict[key]) + " and t = " +
str(t) + ", both equal " + str(key))
print("X = " + str(s * t))
found = True
if not found:
print("No collision found")
def encrypt(self, massage):
random = self.gen_coprime(self.N)
ciphertext = gmpy2.f_mod(
gmpy2.mul(gmpy2.powmod(self.generator, massage, self.N * self.N),
gmpy2.powmod(random, self.N, self.N * self.N)),
self.N * self.N)
return ciphertext
def hash_table(h, g, p, B):
table = dict() # Table to store x1 and h/(g**x1) values
for x1 in range(B - 1):
val = gmpy2.f_mod(gmpy2.mul(h, gmpy2.powmod(g, -x1, p)), p)
table.update({val: x1})
return table
def evaluate_error_at_sample(self, tree):
""" Sample from the leaf then evaluate tree in the tree's working precision"""
if tree.left is not None or tree.right is not None:
if tree.left is not None:
sample_l, lp_sample_l = self.evaluate_error_at_sample(
tree.left)
if tree.right is not None:
sample_r, lp_sample_r = self.evaluate_error_at_sample(
tree.right)
if tree.root_name == "+":
return (sample_l + sample_r), gmpy2.add(
mpfr(str(lp_sample_l)), mpfr(str(lp_sample_r)))
elif tree.root_name == "-":
return (sample_l - sample_r), gmpy2.sub(
mpfr(str(lp_sample_l)), mpfr(str(lp_sample_r)))
elif tree.root_name == "*":
return (sample_l * sample_r), gmpy2.mul(
mpfr(str(lp_sample_l)), mpfr(str(lp_sample_r)))
elif tree.root_name == "/":
return (sample_l / sample_r), gmpy2.div(
mpfr(str(lp_sample_l)), mpfr(str(lp_sample_r)))
elif tree.root_name == "exp":
return np.exp(sample_l), gmpy2.exp(mpfr(str(sample_l)))
elif tree.root_name == "sin":
return np.sin(sample_l), gmpy2.sin(mpfr(str(sample_l)))
elif tree.root_name == "cos":
return np.cos(sample_l), gmpy2.cos(mpfr(str(sample_l)))
elif tree.root_name == "abs":
return np.abs(sample_l), abs(mpfr(str(sample_l)))
else:
print("Operation not supported!")
exit(-1)
else:
sample = tree.root_value[0].getSampleSet(n=1)[0]
return sample, mpfr(str(sample))
def breakKey(N,e): P,Q = bruteSmall(N) phi = g.mul( g.sub(P,1), g.sub(Q,1) ) D = g.invert(e,phi) checkD(e,D,phi) return (P,Q,D)
def checkFactors(p,q,N):
x = g.f_mod( N, p )
y = g.f_mod( N, q )
zero = g.mpz('0')
if g.is_prime(p) and g.is_prime(q):
return N == g.mul(p,q) and x == zero and y == zero
return False
def main(argv):
lines = files.read_lines(argv[0])
N_1 = mpz(lines[0])
N_2 = mpz(lines[1])
N_3 = mpz(lines[2])
lines = files.read_lines(argv[1])
C = mpz(lines[0])
E = int(lines[1])
p1, q1, i1 = number.factorize(N_1, 1)
p2, q2, i2 = number.factorize(N_2, 1048576)
p3, q3, i3 = number.factorize(mul(N_3, 24), 1)
print
print 'Factorization Demo'
print
print ' 1st:'
print 'Iterations: ', i1
print ' p: ', p1
print ' q: ', q1
print
print ' 2nd:'
print 'Iterations: ', i2
print ' p: ', p2
print ' q: ', q2
print
print ' 3rd:'
print 'Iterations: ', i3
print ' p: ', div(p3, 6)
print ' q: ', div(q3, 4)
print
print
print ' Plaintext: ', encdec.rsa_decrypt(C, E, p1, q1, N_1)
print
def verify(A,x,N):
p = gmpy2.sub(A,x)
q = gmpy2.add(A,x)
if gmpy2.mul(p, q) == N:
return [True,p,q]
else:
return [False,p,q]
