bug 1190603 - import PyECC library r=gps,gerv

Obtained from https://github.com/amintos/PyECC.git
(commit 1bfd3a41410c3650e57d58f7bd016bb0819af250)
This commit is contained in:
David Keeler 2015-08-03 15:17:00 -07:00
parent 76ba93fbf9
commit 5bd4392e56
16 changed files with 1728 additions and 0 deletions

View File

@ -31,3 +31,4 @@ redo.pth:python/redo
requests.pth:python/requests
rsa.pth:python/rsa
futures.pth:python/futures
ecc.pth:python/PyECC

1
python/PyECC/MANIFEST.in Normal file
View File

@ -0,0 +1 @@
include README.md

29
python/PyECC/README.md Normal file
View File

@ -0,0 +1,29 @@
ecc
===
Pure Python implementation of an elliptic curve cryptosystem based on FIPS 186-3
License
=======
The MIT License (MIT)
Copyright (c) 2010-2015 Toni Mattis
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in
all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
THE SOFTWARE.

320
python/PyECC/ecc/Key.py Normal file
View File

@ -0,0 +1,320 @@
# ====================================================================
#
# ELLIPTIC CURVE KEY ENCAPSULATION
# Version 2011-01-26
#
# Copyright (c) 2010 - 2011 | Toni Mattis
#
# ====================================================================
"""
== Elliptic Curve Key Encapsulation ==
Keypairs
--------
Keypairs are generated using: Key.generate(bits)
The number of bits is tied to the NIST-proposed elliptic curves
and has to be 192, 224, 256, 384 or 521 (not 512!).
The result is a Key object containing public and private key.
private() is a method for checking whether the Key object is a
pure public key or also includes the private part.
Exchange
--------
Public keys have to be exported using the export()-Method without
passing an argument. The result is a string which can be safely
transmitted.
Using Key.decode(<encoded key>) the receiver obtains a new
public Key object of the sender.
Storage
-------
For storing a key, export(True) exports both private and public
key as a string. Make sure this information is properly encrypted
when stored.
Key.decode(<encoded key>) obtains the full Key object from the
encoded keypair.
Public Keys
-----------
A public Key object can perform the following cryptographic
operations:
* validate() Checks key integrity, i.e. after loading the
key from a file. Returns True if the key is
valid. Invalid keys should be discarded.
* fingerprint() Returns the public key fingerprint used to
identify the key. Optional arguments:
1. as_hex - True, if output should be formatted
as hexadecimal number (default: True).
2. hashfunc - The official name of the hash
function being used (default: 'sha1')
For supported hash functions see below.
* keyid() Returns a (mostly) unique Key ID, which is
shorter than the fingerprint. The result
is an integer of max. 64 bits.
* verify() Verifies whether the given data (argument 1)
matches the signature (argument 2) issued
by the owner of this key. A falsification
can have multiple causes:
- Data, public key or signature were altered
during transmission/storage.
- The siganture was not issued by the owner
of this key but may be valid with another
key.
- The signature was issued for different data.
- The signature was issued using a different
hash function. Another hash function may work.
Optionally, the name of a hash algorithm
can be provided. For hash names see below.
* encrypt() Encrypts a packet of data destined for the owner
of this key*. After encryption only the holder
of this Key's private part is able to decrypt
the message.
Private Keys / Keypairs
-----------------------
If the key object is private, then it is a keypair consisting of
a public and a private key. Therefore all Public key operations
are supported.
Additional functions:
* sign() Signs given data using this private key. The
result is a signature which can be passed as
argument to the verify() function in addition
to the data being verified.
As additional argument the name of the hash
function can be provided (defaults to 'sha256').
For hash names see below.
* auth_encrypt() Performs authenticated encryption of data
(argument 1) for the holder of the key provided
as second argument. Only the receiver whose
public key is given is able to derypt and verify
the message. The message will be implicitly
signed using the own private key. *
* decrypt() Decrypts a message which has been encrypted
using the public key of this keypair*. If
decryption yields random data, this can have
multiple causes:
- You were not the intended receiver, a different
private key may be able to decrypt it.
- The message was altered.
- Your private key is damaged.
* auth_decrypt() Decrypts a message while verifying whether
it has been authentically issued by the holder
of the given key (argument 2). When
authentication failed, a
SecurityViolationException is thrown. Reasons
for this to happen are those mentioned with
decrypt() and verify(). *
*) The encryption used here depends on the "eccrypt" module imported
by this module. Default implementation should use RABBIT as cipher
and do the asymmetric part using an optimized El-Gamal scheme.
Hash functions
--------------
The following hash functions can be passed at the moment:
name | hash size | security level
| (bits, bytes, hex digits)
---------+------------------------+----------------
'sha1' 160 / 20 / 40 medium
'sha224' 224 / 28 / 56 medium-strong
'sha256' 256 / 32 / 64 strong
'sha384' 384 / 48 / 96 very strong
'sha512' 512 / 64 / 128 very strong
'md5' 128 / 16 / 32 weak (not recommended!)
Curves
------
According to FIPS 186-3, Appendix D.1.2 there are 5 elliptic
curves recommended. All of those are strong, but those with
a higher bit number even stronger.
192 and 224 bits are sufficient for most purposes.
256 bits offer an additional magnitude of security.
(i.e. for classified / strongly confidential data)
384 and 521 bits provide exceptionally strong security. According
to current research they most probably keep this level for
decades in the future.
FIPS also recommends curves over polynomial fields but actually
only prime fields are implemented here. (Because 2^521-1 is a mersenne
prime having great security characteristics, 521 bits are preferred
over a constructed 512 bit field.)
"""
from encoding import *
from eccrypt import *
import ecdsa
import hashlib
from SecurityViolationException import *
class Key:
# --- KEY SETUP ------------------------------------------------------------
def __init__(self, public_key, private_key = None):
'''Create a Key(pair) from numeric keys.'''
self._pub = public_key
self._priv = private_key
self._fingerprint = {}
self._id = None
@staticmethod
def generate(bits):
'''Generate a new ECDSA keypair'''
return Key(*ecdsa.keypair(bits))
# --- BINARY REPRESENTATION ------------------------------------------------
def encode(self, include_private = False):
'''Returns a strict binary representation of this Key'''
e = Encoder().int(self.keyid(), 8)
e.int(self._pub[0], 2).point(self._pub[1], 2)
if include_private and self._priv:
e.long(self._priv[1], 2)
else:
e.long(0, 2)
return e.out()
def compress(self):
'''Returns a compact public key representation'''
@staticmethod
def decode(s):
'''Constructs a new Key object from its binary representation'''
kid, ksize, pub, priv = Decoder(s).int(8).int(2).point(2).long(2).out()
k = Key((ksize, pub), (ksize, priv) if priv else None)
if kid == k.keyid():
return k
else:
raise ValueError, "Invalid Key ID"
# --- IDENTIFICATION AND VALIDATION ----------------------------------------
def private(self):
'''Checks whether Key object contains private key'''
return bool(self._priv)
def validate(self):
'''Checks key validity'''
if ecdsa.validate_public_key(self._pub):
if self._priv: # ? validate and match private key
return ecdsa.validate_private_key(self._priv) and \
ecdsa.match_keys(self._pub, self._priv)
else:
return True # : everything valid
else:
return False
def fingerprint(self, as_hex = True, hashfunc = 'sha1'):
'''Get the public key fingerprint'''
if hashfunc in self._fingerprint:
return self._fingerprint[hashfunc] if not as_hex else \
self._fingerprint[hashfunc].encode("hex")
else:
h = hashlib.new(hashfunc, enc_point(self._pub[1]))
d = h.digest()
self._fingerprint[hashfunc] = d
return d.encode("hex") if as_hex else d
def keyid(self):
'''Get a short, unique identifier'''
if not self._id:
self._id = dec_long(self.fingerprint(False, 'sha1')[:8])
return self._id
# --- DIGITAL SIGNATURES ---------------------------------------------------
def sign(self, data, hashfunc = 'sha256'):
'''Sign data using the specified hash function'''
if self._priv:
h = dec_long(hashlib.new(hashfunc, data).digest())
s = ecdsa.sign(h, self._priv)
return enc_point(s)
else:
raise AttributeError, "Private key needed for signing."
def verify(self, data, sig, hashfunc = 'sha256'):
'''Verify the signature of data using the specified hash function'''
h = dec_long(hashlib.new(hashfunc, data).digest())
s = dec_point(sig)
return ecdsa.verify(h, s, self._pub)
# --- HYBRID ENCRYPTION ----------------------------------------------------
def encrypt(self, data):
'''Encrypt a message using this public key'''
ctext, mkey = encrypt(data, self._pub)
return Encoder().point(mkey).str(ctext, 4).out()
def decrypt(self, data):
'''Decrypt an encrypted message using this private key'''
mkey, ctext = Decoder(data).point().str(4).out()
return decrypt(ctext, mkey, self._priv)
# --- AUTHENTICATED ENCRYPTION ---------------------------------------------
def auth_encrypt(self, data, receiver):
'''Sign and encrypt a message'''
sgn = self.sign(data)
ctext, mkey = encrypt(data, receiver._pub)
return Encoder().point(mkey).str(ctext, 4).str(sgn, 2).out()
def auth_decrypt(self, data, source):
'''Decrypt and verify a message'''
mkey, ctext, sgn = Decoder(data).point().str(4).str(2).out()
text = decrypt(ctext, mkey, self._priv)
if source.verify(text, sgn):
return text
else:
raise SecurityViolationException, "Invalid Signature"
if __name__ == "__main__":
import time
def test_overhead():
print "sender", "receiver", "+bytes", "+enctime", "+dectime"
for s in [192, 224, 256, 384, 521]:
sender = Key.generate(s)
for r in [192, 224, 256, 384, 521]:
receiver = Key.generate(r)
t = time.time()
e = sender.auth_encrypt("", receiver)
t1 = time.time() - t
t = time.time()
receiver.auth_decrypt(e, sender)
t2 = time.time() - t
print s, r, len(e), t1, t2

270
python/PyECC/ecc/Rabbit.py Normal file
View File

@ -0,0 +1,270 @@
# ------------------------------------------------------------------------------
#
# R A B B I T Stream Cipher
# by M. Boesgaard, M. Vesterager, E. Zenner (specified in RFC 4503)
#
#
# Pure Python Implementation by Toni Mattis
#
# ------------------------------------------------------------------------------
WORDSIZE = 0x100000000
rot08 = lambda x: ((x << 8) & 0xFFFFFFFF) | (x >> 24)
rot16 = lambda x: ((x << 16) & 0xFFFFFFFF) | (x >> 16)
def _nsf(u, v):
'''Internal non-linear state transition'''
s = (u + v) % WORDSIZE
s = s * s
return (s ^ (s >> 32)) % WORDSIZE
class Rabbit:
def __init__(self, key, iv = None):
'''Initialize Rabbit cipher using a 128 bit integer/string'''
if isinstance(key, str):
# interpret key string in big endian byte order
if len(key) < 16:
key = '\x00' * (16 - len(key)) + key
# if len(key) > 16 bytes only the first 16 will be considered
k = [ord(key[i + 1]) | (ord(key[i]) << 8)
for i in xrange(14, -1, -2)]
else:
# k[0] = least significant 16 bits
# k[7] = most significant 16 bits
k = [(key >> i) & 0xFFFF for i in xrange(0, 128, 16)]
# State and counter initialization
x = [(k[(j + 5) % 8] << 16) | k[(j + 4) % 8] if j & 1 else
(k[(j + 1) % 8] << 16) | k[j] for j in xrange(8)]
c = [(k[j] << 16) | k[(j + 1) % 8] if j & 1 else
(k[(j + 4) % 8] << 16) | k[(j + 5) % 8] for j in xrange(8)]
self.x = x
self.c = c
self.b = 0
self._buf = 0 # output buffer
self._buf_bytes = 0 # fill level of buffer
self.next()
self.next()
self.next()
self.next()
for j in xrange(8):
c[j] ^= x[(j + 4) % 8]
self.start_x = self.x[:] # backup initial key for IV/reset
self.start_c = self.c[:]
self.start_b = self.b
if iv != None:
self.set_iv(iv)
def reset(self, iv = None):
'''Reset the cipher and optionally set a new IV (int64 / string).'''
self.c = self.start_c[:]
self.x = self.start_x[:]
self.b = self.start_b
self._buf = 0
self._buf_bytes = 0
if iv != None:
self.set_iv(iv)
def set_iv(self, iv):
'''Set a new IV (64 bit integer / bytestring).'''
if isinstance(iv, str):
i = 0
for c in iv:
i = (i << 8) | ord(c)
iv = i
c = self.c
i0 = iv & 0xFFFFFFFF
i2 = iv >> 32
i1 = ((i0 >> 16) | (i2 & 0xFFFF0000)) % WORDSIZE
i3 = ((i2 << 16) | (i0 & 0x0000FFFF)) % WORDSIZE
c[0] ^= i0
c[1] ^= i1
c[2] ^= i2
c[3] ^= i3
c[4] ^= i0
c[5] ^= i1
c[6] ^= i2
c[7] ^= i3
self.next()
self.next()
self.next()
self.next()
def next(self):
'''Proceed to the next internal state'''
c = self.c
x = self.x
b = self.b
t = c[0] + 0x4D34D34D + b
c[0] = t % WORDSIZE
t = c[1] + 0xD34D34D3 + t // WORDSIZE
c[1] = t % WORDSIZE
t = c[2] + 0x34D34D34 + t // WORDSIZE
c[2] = t % WORDSIZE
t = c[3] + 0x4D34D34D + t // WORDSIZE
c[3] = t % WORDSIZE
t = c[4] + 0xD34D34D3 + t // WORDSIZE
c[4] = t % WORDSIZE
t = c[5] + 0x34D34D34 + t // WORDSIZE
c[5] = t % WORDSIZE
t = c[6] + 0x4D34D34D + t // WORDSIZE
c[6] = t % WORDSIZE
t = c[7] + 0xD34D34D3 + t // WORDSIZE
c[7] = t % WORDSIZE
b = t // WORDSIZE
g = [_nsf(x[j], c[j]) for j in xrange(8)]
x[0] = (g[0] + rot16(g[7]) + rot16(g[6])) % WORDSIZE
x[1] = (g[1] + rot08(g[0]) + g[7]) % WORDSIZE
x[2] = (g[2] + rot16(g[1]) + rot16(g[0])) % WORDSIZE
x[3] = (g[3] + rot08(g[2]) + g[1]) % WORDSIZE
x[4] = (g[4] + rot16(g[3]) + rot16(g[2])) % WORDSIZE
x[5] = (g[5] + rot08(g[4]) + g[3]) % WORDSIZE
x[6] = (g[6] + rot16(g[5]) + rot16(g[4])) % WORDSIZE
x[7] = (g[7] + rot08(g[6]) + g[5]) % WORDSIZE
self.b = b
return self
def derive(self):
'''Derive a 128 bit integer from the internal state'''
x = self.x
return ((x[0] & 0xFFFF) ^ (x[5] >> 16)) | \
(((x[0] >> 16) ^ (x[3] & 0xFFFF)) << 16)| \
(((x[2] & 0xFFFF) ^ (x[7] >> 16)) << 32)| \
(((x[2] >> 16) ^ (x[5] & 0xFFFF)) << 48)| \
(((x[4] & 0xFFFF) ^ (x[1] >> 16)) << 64)| \
(((x[4] >> 16) ^ (x[7] & 0xFFFF)) << 80)| \
(((x[6] & 0xFFFF) ^ (x[3] >> 16)) << 96)| \
(((x[6] >> 16) ^ (x[1] & 0xFFFF)) << 112)
def keystream(self, n):
'''Generate a keystream of n bytes'''
res = ""
b = self._buf
j = self._buf_bytes
next = self.next
derive = self.derive
for i in xrange(n):
if not j:
j = 16
next()
b = derive()
res += chr(b & 0xFF)
j -= 1
b >>= 1
self._buf = b
self._buf_bytes = j
return res
def encrypt(self, data):
'''Encrypt/Decrypt data of arbitrary length.'''
res = ""
b = self._buf
j = self._buf_bytes
next = self.next
derive = self.derive
for c in data:
if not j: # empty buffer => fetch next 128 bits
j = 16
next()
b = derive()
res += chr(ord(c) ^ (b & 0xFF))
j -= 1
b >>= 1
self._buf = b
self._buf_bytes = j
return res
decrypt = encrypt
if __name__ == "__main__":
import time
# --- Official Test Vectors ---
# RFC 4503 Appendix A.1 - Testing without IV Setup
r = Rabbit(0)
assert r.next().derive() == 0xB15754F036A5D6ECF56B45261C4AF702
assert r.next().derive() == 0x88E8D815C59C0C397B696C4789C68AA7
assert r.next().derive() == 0xF416A1C3700CD451DA68D1881673D696
r = Rabbit(0x912813292E3D36FE3BFC62F1DC51C3AC)
assert r.next().derive() == 0x3D2DF3C83EF627A1E97FC38487E2519C
assert r.next().derive() == 0xF576CD61F4405B8896BF53AA8554FC19
assert r.next().derive() == 0xE5547473FBDB43508AE53B20204D4C5E
r = Rabbit(0x8395741587E0C733E9E9AB01C09B0043)
assert r.next().derive() == 0x0CB10DCDA041CDAC32EB5CFD02D0609B
assert r.next().derive() == 0x95FC9FCA0F17015A7B7092114CFF3EAD
assert r.next().derive() == 0x9649E5DE8BFC7F3F924147AD3A947428
# RFC 4503 Appendix A.2 - Testing with IV Setup
r = Rabbit(0, 0)
assert r.next().derive() == 0xC6A7275EF85495D87CCD5D376705B7ED
assert r.next().derive() == 0x5F29A6AC04F5EFD47B8F293270DC4A8D
assert r.next().derive() == 0x2ADE822B29DE6C1EE52BDB8A47BF8F66
r = Rabbit(0, 0xC373F575C1267E59)
assert r.next().derive() == 0x1FCD4EB9580012E2E0DCCC9222017D6D
assert r.next().derive() == 0xA75F4E10D12125017B2499FFED936F2E
assert r.next().derive() == 0xEBC112C393E738392356BDD012029BA7
r = Rabbit(0, 0xA6EB561AD2F41727)
assert r.next().derive() == 0x445AD8C805858DBF70B6AF23A151104D
assert r.next().derive() == 0x96C8F27947F42C5BAEAE67C6ACC35B03
assert r.next().derive() == 0x9FCBFC895FA71C17313DF034F01551CB
# --- Performance Tests ---
def test_gen(n = 1048576):
'''Measure time for generating n bytes => (total, bytes per second)'''
r = Rabbit(0)
t = time.time()
r.keystream(n)
t = time.time() - t
return t, n / t
def test_enc(n = 1048576):
'''Measure time for encrypting n bytes => (total, bytes per second)'''
r = Rabbit(0)
x = 'x' * n
t = time.time()
r.encrypt(x)
t = time.time() - t
return t, n / t

View File

@ -0,0 +1,2 @@
class SecurityViolationException(Exception):
pass

View File

View File

@ -0,0 +1,81 @@
#
# Predefined Elliptic Curves
# for use in signing and key exchange
#
'''
Predefined elliptic curves for use in signing and key exchange.
This Module implements FIPS approved standard curves P-192, P-224, P-256,
P-384 and P-521 along with two weak non-standard curves of field size 128
and 160 bits.
The weak curves cannot be used for signing but provide a faster way to
obfuscate non-critical transmissions.
'''
# FIPS approved elliptic curves over prime fields
# (see FIPS 186-3, Appendix D.1.2)
DOMAINS = {
# Bits : (p, order of E(GF(P)), parameter b, base point x, base point y)
192 : (0xfffffffffffffffffffffffffffffffeffffffffffffffffL,
0xffffffffffffffffffffffff99def836146bc9b1b4d22831L,
0x64210519e59c80e70fa7e9ab72243049feb8deecc146b9b1L,
0x188da80eb03090f67cbf20eb43a18800f4ff0afd82ff1012L,
0x07192b95ffc8da78631011ed6b24cdd573f977a11e794811L),
224 : (0xffffffffffffffffffffffffffffffff000000000000000000000001L,
0xffffffffffffffffffffffffffff16a2e0b8f03e13dd29455c5c2a3dL,
0xb4050a850c04b3abf54132565044b0b7d7bfd8ba270b39432355ffb4L,
0xb70e0cbd6bb4bf7f321390b94a03c1d356c21122343280d6115c1d21L,
0xbd376388b5f723fb4c22dfe6cd4375a05a07476444d5819985007e34L),
256 : (0xffffffff00000001000000000000000000000000ffffffffffffffffffffffffL,
0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551L,
0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604bL,
0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296L,
0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5L),
384 : (0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffff0000000000000000ffffffffL,
0xffffffffffffffffffffffffffffffffffffffffffffffffc7634d81f4372ddf581a0db248b0a77aecec196accc52973L,
0xb3312fa7e23ee7e4988e056be3f82d19181d9c6efe8141120314088f5013875ac656398d8a2ed19d2a85c8edd3ec2aefL,
0xaa87ca22be8b05378eb1c71ef320ad746e1d3b628ba79b9859f741e082542a385502f25dbf55296c3a545e3872760ab7L,
0x3617de4a96262c6f5d9e98bf9292dc29f8f41dbd289a147ce9da3113b5f0b8c00a60b1ce1d7e819d7a431d7c90ea0e5fL),
521 : (0x1ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffL,
0x1fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffa51868783bf2f966b7fcc0148f709a5d03bb5c9b8899c47aebb6fb71e91386409L,
0x051953eb9618e1c9a1f929a21a0b68540eea2da725b99b315f3b8b489918ef109e156193951ec7e937b1652c0bd3bb1bf073573df883d2c34f1ef451fd46b503f00L,
0x0c6858e06b70404e9cd9e3ecb662395b4429c648139053fb521f828af606b4d3dbaa14b5e77efe75928fe1dc127a2ffa8de3348b3c1856a429bf97e7e31c2e5bd66L,
0x11839296a789a3bc0045c8a5fb42c7d1bd998f54449579b446817afbd17273e662c97ee72995ef42640c550b9013fad0761353c7086a272c24088be94769fd16650L)
}
# Additional non-standard curves for low security but high performance
# (not intended for use in signing, hence the missing group order)
DOMAINS.update({
128 : (0xffffffffffffffffffffffffffffff61L,
None,
0xd83d3eb8266a89927d73d5fe263d5f23L,
0xa94d2d8531f7af8bde367def12b98eadL,
0x9f44e1d671beb68fd2df7f877ab13fa6L),
160 : (0xffffffffffffffffffffffffffffffffffffffd1L,
None,
0x94bfe70deef7b94742c089ca4db3ca27fbe1f754L,
0xcc6562c2969ac57524b8d0f300d1f598c908c121L,
0x952ddde80a252683dd7ba90fb5919899b5af69f5L)
})
CURVE_P = 3 # global parameter of all curves (for efficiency reasons)
def get_curve(bits):
'''Get a known curve of the given size => (bits, prime, order, p, q, point).
Order may be None if unknown.'''
if bits in DOMAINS:
p, n, b, x, y = DOMAINS[bits]
return bits, p, n, CURVE_P, p - b, (x, y)
else:
raise KeyError, "Key size not implemented: %s" % bits
def implemented_keys(must_sign = False):
return [k for k in DOMAINS if not must_sign or DOMAINS[k][1]]

View File

@ -0,0 +1,65 @@
# Elliptic Curve Hybrid Encryption Scheme
#
# COPYRIGHT (c) 2010 by Toni Mattis <solaris@live.de>
#
from curves import get_curve
from elliptic import mulp
from encoding import enc_long
from random import SystemRandom
from Rabbit import Rabbit
# important for cryptographically secure random numbers:
random = SystemRandom()
# Encryption Algorithm:
# ---------------------
# Input: Message M, public key Q
#
# 0. retrieve the group from which Q was generated.
# 1. generate random number k between 1 and the group order.
# 2. compute KG = k * G (where G is the base point of the group).
# 3. compute SG = k * Q (where Q is the public key of the receiver).
# 4. symmetrically encrypt M to M' using SG's x-coordinate as key.
#
# Return: Ciphertext M', temporary key KG
def encrypt(message, qk, encrypter = Rabbit):
'''Encrypt a message using public key qk => (ciphertext, temp. pubkey)'''
bits, q = qk
try:
bits, cn, n, cp, cq, g = get_curve(bits)
if not n:
raise ValueError, "Key size %s not suitable for encryption" % bits
except KeyError:
raise ValueError, "Key size %s not implemented" % bits
k = random.randint(1, n - 1) # temporary private key k
kg = mulp(cp, cq, cn, g, k) # temporary public key k*G
sg = mulp(cp, cq, cn, q, k) # shared secret k*Q = k*d*G
return encrypter(enc_long(sg[0])).encrypt(message), kg
# Decryption Algorithm:
# ---------------------
# Input: Ciphertext M', temporary key KG, private key d
#
# 0. retrieve the group from which d and KG were generated.
# 1. compute SG = q * KG.
# 2. symmetrically decrypt M' to M using SG's x-coordinate as key.
#
# Return: M
def decrypt(message, kg, dk, decrypter = Rabbit):
'''Decrypt a message using temp. public key kg and private key dk'''
bits, d = dk
try:
bits, cn, n, cp, cq, g = get_curve(bits)
except KeyError:
raise ValueError, "Key size %s not implemented" % bits
sg = mulp(cp, cq, cn, kg, d) # shared secret d*(k*G) = k*d*G
return decrypter(enc_long(sg[0])).decrypt(message)

153
python/PyECC/ecc/ecdsa.py Normal file
View File

@ -0,0 +1,153 @@
#
# Elliptic Curve Digital Signature Algorithm (ECDSA)
#
# COPYRIGHT (c) 2010 by Toni Mattis <solaris@live.de>
#
from elliptic import inv, mulf, mulp, muladdp, element
from curves import get_curve, implemented_keys
from os import urandom
import hashlib
def randkey(bits, n):
'''Generate a random number (mod n) having the specified bit length'''
rb = urandom(bits / 8 + 8) # + 64 bits as recommended in FIPS 186-3
c = 0
for r in rb:
c = (c << 8) | ord(r)
return (c % (n - 1)) + 1
def keypair(bits):
'''Generate a new keypair (qk, dk) with dk = private and qk = public key'''
try:
bits, cn, n, cp, cq, g = get_curve(bits)
except KeyError:
raise ValueError, "Key size %s not implemented" % bits
if n > 0:
d = randkey(bits, n)
q = mulp(cp, cq, cn, g, d)
return (bits, q), (bits, d)
else:
raise ValueError, "Key size %s not suitable for signing" % bits
def supported_keys():
'''Return a list of all key sizes implemented for signing'''
return implemented_keys(True)
def validate_public_key(qk):
'''Check whether public key qk is valid'''
bits, q = qk
x, y = q
bits, cn, n, cp, cq, g = get_curve(bits)
return q and 0 < x < cn and 0 < y < cn and \
element(q, cp, cq, cn) and (mulp(cp, cq, cn, q, n) == None)
def validate_private_key(dk):
'''Check whether private key dk is valid'''
bits, d = dk
bits, cn, n, cp, cq, g = get_curve(bits)
return 0 < d < cn
def match_keys(qk, dk):
'''Check whether dk is the private key belonging to qk'''
bits, d = dk
bitz, q = qk
if bits == bitz:
bits, cn, n, cp, cq, g = get_curve(bits)
return mulp(cp, cq, cn, g, d) == q
else:
return False
def truncate(h, hmax):
'''Truncate a hash to the bit size of hmax'''
while h > hmax:
h >>= 1
return h
def sign(h, dk):
'''Sign the numeric value h using private key dk'''
bits, d = dk
bits, cn, n, cp, cq, g = get_curve(bits)
h = truncate(h, cn)
r = s = 0
while r == 0 or s == 0:
k = randkey(bits, cn)
kinv = inv(k, n)
kg = mulp(cp, cq, cn, g, k)
r = kg[0] % n
if r == 0:
continue
s = (kinv * (h + r * d)) % n
return r, s
def verify(h, sig, qk):
'''Verify that 'sig' is a valid signature of h using public key qk'''
bits, q = qk
try:
bits, cn, n, cp, cq, g = get_curve(bits)
except KeyError:
return False
h = truncate(h, cn)
r, s = sig
if 0 < r < n and 0 < s < n:
w = inv(s, n)
u1 = (h * w) % n
u2 = (r * w) % n
x, y = muladdp(cp, cq, cn, g, u1, q, u2)
return r % n == x % n
return False
def hash_sign(s, dk, hashfunc = 'sha256'):
h = int(hashlib.new(hashfunc, s).hexdigest(), 16)
return (hashfunc,) + sign(h, dk)
def hash_verify(s, sig, qk):
h = int(hashlib.new(sig[0], s).hexdigest(), 16)
return verify(h, sig[1:], qk)
if __name__ == "__main__":
import time
testh1 = 0x0123456789ABCDEF
testh2 = 0x0123456789ABCDEE
for k in supported_keys():
qk, dk = keypair(k)
s1 = sign(testh1, dk)
s2 = sign(testh1, (dk[0], dk[1] ^ 1))
s3 = (s1[0], s1[1] ^ 1)
qk2 = (qk[0], (qk[1][0] ^ 1, qk[1][1]))
assert verify(testh1, s1, qk) # everything ok -> must succeed
assert not verify(testh2, s1, qk) # modified hash -> must fail
assert not verify(testh1, s2, qk) # different priv. key -> must fail
assert not verify(testh1, s3, qk) # modified signature -> must fail
assert not verify(testh1, s1, qk2) # different publ. key -> must fail
def test_perf(bits, rounds = 50):
'''-> (key generations, signatures, verifications) / second'''
h = 0x0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF
d = get_curve(bits)
t = time.time()
for i in xrange(rounds):
qk, dk = keypair(bits)
tgen = time.time() - t
t = time.time()
for i in xrange(rounds):
s = sign(0, dk)
tsign = time.time() - t
t = time.time()
for i in xrange(rounds):
verify(0, s, qk)
tver = time.time() - t
return rounds / tgen, rounds / tsign, rounds / tver

View File

@ -0,0 +1,381 @@
# --- ELLIPTIC CURVE MATH ------------------------------------------------------
#
# curve definition: y^2 = x^3 - p*x - q
# over finite field: Z/nZ* (prime residue classes modulo a prime number n)
#
#
# COPYRIGHT (c) 2010 by Toni Mattis <solaris@live.de>
# ------------------------------------------------------------------------------
'''
Module for elliptic curve arithmetic over a prime field GF(n).
E(GF(n)) takes the form y**2 == x**3 - p*x - q (mod n) for a prime n.
0. Structures used by this module
PARAMETERS and SCALARS are non-negative (long) integers.
A POINT (x, y), usually denoted p1, p2, ...
is a pair of (long) integers where 0 <= x < n and 0 <= y < n
A POINT in PROJECTIVE COORDINATES, usually denoted jp1, jp2, ...
takes the form (X, Y, Z, Z**2, Z**3) where x = X / Z**2
and y = Y / z**3. This form is called Jacobian coordinates.
The NEUTRAL element "0" or "O" is represented by None
in both coordinate systems.
1. Basic Functions
euclid() Is the Extended Euclidean Algorithm.
inv() Computes the multiplicative inversion modulo n.
curve_q() Finds the curve parameter q (mod n)
when p and a point are given.
element() Tests whether a point (x, y) is on the curve.
2. Point transformations
to_projective() Converts a point (x, y) to projective coordinates.
from_projective() Converts a point from projective coordinates
to (x, y) using the transformation described above.
neg() Computes the inverse point -P in both coordinate
systems.
3. Slow point arithmetic
These algorithms make use of basic geometry and modular arithmetic
thus being suitable for small numbers and academic study.
add() Computes the sum of two (x, y)-points
mul() Perform scalar multiplication using "double & add"
4. Fast point arithmetic
These algorithms make use of projective coordinates, signed binary
expansion and a JSP-like approach (joint sparse form).
The following functions consume and return projective coordinates:
addf() Optimized point addition.
doublef() Optimized point doubling.
mulf() Highly optimized scalar multiplication.
muladdf() Highly optimized addition of two products.
The following functions use the optimized ones above but consume
and output (x, y)-coordinates for a more convenient usage:
mulp() Encapsulates mulf()
muladdp() Encapsulates muladdf()
For single additions add() is generally faster than an encapsulation of
addf() which would involve expensive coordinate transformations.
Hence there is no addp() and doublep().
'''
# BASIC MATH -------------------------------------------------------------------
def euclid(a, b):
'''Solve x*a + y*b = ggt(a, b) and return (x, y, ggt(a, b))'''
# Non-recursive approach hence suitable for large numbers
x = yy = 0
y = xx = 1
while b:
q = a // b
a, b = b, a % b
x, xx = xx - q * x, x
y, yy = yy - q * y, y
return xx, yy, a
def inv(a, n):
'''Perform inversion 1/a modulo n. a and n should be COPRIME.'''
# coprimality is not checked here in favour of performance
i = euclid(a, n)[0]
while i < 0:
i += n
return i
def curve_q(x, y, p, n):
'''Find curve parameter q mod n having point (x, y) and parameter p'''
return ((x * x - p) * x - y * y) % n
def element(point, p, q, n):
'''Test, whether the given point is on the curve (p, q, n)'''
if point:
x, y = point
return (x * x * x - p * x - q) % n == (y * y) % n
else:
return True
def to_projective(p):
'''Transform point p given as (x, y) to projective coordinates'''
if p:
return (p[0], p[1], 1, 1, 1)
else:
return None # Identity point (0)
def from_projective(jp, n):
'''Transform a point from projective coordinates to (x, y) mod n'''
if jp:
return (jp[0] * inv(jp[3], n)) % n, (jp[1] * inv(jp[4], n)) % n
else:
return None # Identity point (0)
def neg(p, n):
'''Compute the inverse point to p in any coordinate system'''
return (p[0], (n - p[1]) % n) + p[2:] if p else None
# POINT ADDITION ---------------------------------------------------------------
# addition of points in y**2 = x**3 - p*x - q over <Z/nZ*; +>
def add(p, q, n, p1, p2):
'''Add points p1 and p2 over curve (p, q, n)'''
if p1 and p2:
x1, y1 = p1
x2, y2 = p2
if (x1 - x2) % n:
s = ((y1 - y2) * inv(x1 - x2, n)) % n # slope
x = (s * s - x1 - x2) % n # intersection with curve
return (x, n - (y1 + s * (x - x1)) % n)
else:
if (y1 + y2) % n: # slope s calculated by derivation
s = ((3 * x1 * x1 - p) * inv(2 * y1, n)) % n
x = (s * s - 2 * x1) % n # intersection with curve
return (x, n - (y1 + s * (x - x1)) % n)
else:
return None
else: # either p1 is not none -> ret. p1, otherwiese p2, which may be
return p1 if p1 else p2 # none too.
# faster addition: redundancy in projective coordinates eliminates
# expensive inversions mod n.
def addf(p, q, n, jp1, jp2):
'''Add jp1 and jp2 in projective (jacobian) coordinates.'''
if jp1 and jp2:
x1, y1, z1, z1s, z1c = jp1
x2, y2, z2, z2s, z2c = jp2
s1 = (y1 * z2c) % n
s2 = (y2 * z1c) % n
u1 = (x1 * z2s) % n
u2 = (x2 * z1s) % n
if (u1 - u2) % n:
h = (u2 - u1) % n
r = (s2 - s1) % n
hs = (h * h) % n
hc = (hs * h) % n
x3 = (-hc - 2 * u1 * hs + r * r) % n
y3 = (-s1 * hc + r * (u1 * hs - x3)) % n
z3 = (z1 * z2 * h) % n
z3s = (z3 * z3) % n
z3c = (z3s * z3) % n
return (x3, y3, z3, z3s, z3c)
else:
if (s1 + s2) % n:
return doublef(p, q, n, jp1)
else:
return None
else:
return jp1 if jp1 else jp2
# explicit point doubling using redundant coordinates
def doublef(p, q, n, jp):
'''Double jp in projective (jacobian) coordinates'''
if not jp:
return None
x1, y1, z1, z1p2, z1p3 = jp
y1p2 = (y1 * y1) % n
a = (4 * x1 * y1p2) % n
b = (3 * x1 * x1 - p * z1p3 * z1) % n
x3 = (b * b - 2 * a) % n
y3 = (b * (a - x3) - 8 * y1p2 * y1p2) % n
z3 = (2 * y1 * z1) % n
z3p2 = (z3 * z3) % n
return x3, y3, z3, z3p2, (z3p2 * z3) % n
# SCALAR MULTIPLICATION --------------------------------------------------------
# scalar multiplication p1 * c = p1 + p1 + ... + p1 (c times) in O(log(n))
def mul(p, q, n, p1, c):
'''multiply point p1 by scalar c over curve (p, q, n)'''
res = None
while c > 0:
if c & 1:
res = add(p, q, n, res, p1)
c >>= 1 # c = c / 2
p1 = add(p, q, n, p1, p1) # p1 = p1 * 2
return res
# this method allows _signed_bin() to choose between 1 and -1. It will select
# the sign which leaves the higher number of zeroes in the binary
# representation (the higher GDB).
def _gbd(n):
'''Compute second greatest base-2 divisor'''
i = 1
if n <= 0: return 0
while not n % i:
i <<= 1
return i >> 2
# This method transforms n into a binary representation having signed bits.
# A signed binary expansion contains more zero-bits hence reducing the number
# of additions required by a multiplication algorithm.
#
# Example: 15 ( 0b1111 ) can be written as 16 - 1, resulting in (1,0,0,0,-1)
# and saving 2 additions. Subtraction can be performed as
# efficiently as addition.
def _signed_bin(n):
'''Transform n into an optimized signed binary representation'''
r = []
while n > 1:
if n & 1:
cp = _gbd(n + 1)
cn = _gbd(n - 1)
if cp > cn: # -1 leaves more zeroes -> subtract -1 (= +1)
r.append(-1)
n += 1
else: # +1 leaves more zeroes -> subtract +1 (= -1)
r.append(+1)
n -= 1
else:
r.append(0) # be glad about one more zero
n >>= 1
r.append(n)
return r[::-1]
# This multiplication algorithm combines signed binary expansion and
# fast addition using projective coordinates resulting in 5 to 10 times
# faster multiplication.
def mulf(p, q, n, jp1, c):
'''Multiply point jp1 by c in projective coordinates'''
sb = _signed_bin(c)
res = None
jp0 = neg(jp1, n) # additive inverse of jp1 to be used fot bit -1
for s in sb:
res = doublef(p, q, n, res)
if s:
res = addf(p, q, n, res, jp1) if s > 0 else \
addf(p, q, n, res, jp0)
return res
# Encapsulates mulf() in order to enable flat coordinates (x, y)
def mulp(p, q, n, p1, c):
'''Multiply point p by c using fast multiplication'''
return from_projective(mulf(p, q, n, to_projective(p1), c), n)
# Sum of two products using Shamir's trick and signed binary expansion
def muladdf(p, q, n, jp1, c1, jp2, c2):
'''Efficiently compute c1 * jp1 + c2 * jp2 in projective coordinates'''
s1 = _signed_bin(c1)
s2 = _signed_bin(c2)
diff = len(s2) - len(s1)
if diff > 0:
s1 = [0] * diff + s1
elif diff < 0:
s2 = [0] * -diff + s2
jp1p2 = addf(p, q, n, jp1, jp2)
jp1n2 = addf(p, q, n, jp1, neg(jp2, n))
precomp = ((None, jp2, neg(jp2, n)),
(jp1, jp1p2, jp1n2),
(neg(jp1, n), neg(jp1n2, n), neg(jp1p2, n)))
res = None
for i, j in zip(s1, s2):
res = doublef(p, q, n, res)
if i or j:
res = addf(p, q, n, res, precomp[i][j])
return res
# Encapsulate muladdf()
def muladdp(p, q, n, p1, c1, p2, c2):
'''Efficiently compute c1 * p1 + c2 * p2 in (x, y)-coordinates'''
return from_projective(muladdf(p, q, n,
to_projective(p1), c1,
to_projective(p2), c2), n)
# POINT COMPRESSION ------------------------------------------------------------
# Compute the square root modulo n
# Determine the sign-bit of a point allowing to reconstruct y-coordinates
# when x and the sign-bit are given:
def sign_bit(p1):
'''Return the signedness of a point p1'''
return p1[1] % 2 if p1 else 0
# Reconstruct the y-coordinate when curve parameters, x and the sign-bit of
# the y coordinate are given:
def y_from_x(x, p, q, n, sign):
'''Return the y coordinate over curve (p, q, n) for given (x, sign)'''
# optimized form of (x**3 - p*x - q) % n
a = (((x * x) % n - p) * x - q) % n
if __name__ == "__main__":
import rsa
import time
t = time.time()
n = rsa.get_prime(256/8, 20)
tp = time.time() - t
p = rsa.random.randint(1, n)
p1 = (rsa.random.randint(1, n), rsa.random.randint(1, n))
q = curve_q(p1[0], p1[1], p, n)
r1 = rsa.random.randint(1,n)
r2 = rsa.random.randint(1,n)
q1 = mulp(p, q, n, p1, r1)
q2 = mulp(p, q, n, p1, r2)
s1 = mulp(p, q, n, q1, r2)
s2 = mulp(p, q, n, q2, r1)
s1 == s2
tt = time.time() - t
def test(tcount, bits = 256):
n = rsa.get_prime(bits/8, 20)
p = rsa.random.randint(1, n)
p1 = (rsa.random.randint(1, n), rsa.random.randint(1, n))
q = curve_q(p1[0], p1[1], p, n)
p2 = mulp(p, q, n, p1, rsa.random.randint(1, n))
c1 = [rsa.random.randint(1, n) for i in xrange(tcount)]
c2 = [rsa.random.randint(1, n) for i in xrange(tcount)]
c = zip(c1, c2)
t = time.time()
for i, j in c:
from_projective(addf(p, q, n,
mulf(p, q, n, to_projective(p1), i),
mulf(p, q, n, to_projective(p2), j)), n)
t1 = time.time() - t
t = time.time()
for i, j in c:
muladdp(p, q, n, p1, i, p2, j)
t2 = time.time() - t
return tcount, t1, t2

View File

@ -0,0 +1,178 @@
#
# Encodings and Formats for Elliptic Curve Cryptography
#
import StringIO
# Big-Endian Encoding
def enc_long(n):
'''Encodes arbitrarily large number n to a sequence of bytes.
Big endian byte order is used.'''
s = ""
while n > 0:
s = chr(n & 0xFF) + s
n >>= 8
return s
def enc_int(n):
'''Encodes an integer n to a 4-byte string.
Big endian byte order is used.'''
return chr((n >> 24) & 0xFF) + chr((n >> 16) & 0xFF) + \
chr((n >> 8) & 0xFF) + chr( n & 0xFF)
def enc_fixed_long(n, length):
return enc_long(n)[:length].rjust(length, '\x00')
def dec_long(s):
'''Decodes s to its numeric representation.
Big endian byte order is used.'''
n = 0
for c in s:
n = (n << 8) | ord(c)
return n
# dec_int not necessary,
# dec_long does the same when provided with 4 bytes input.
# Chunks
def enc_chunks(*args):
'''Chain given string args or sub-chunks to a single chunk'''
return ''.join([enc_int(len(a)) + a for a in args])
def dec_chunks(s):
'''Split a chunk into strings or sub-chunks'''
i = 0
result = []
while i < len(s):
size = dec_long(s[i : i + 4])
i += 4
result.append(s[i : i + size])
i += size
return result
# Point and signature data
def enc_point(p):
'''Encode a point p = (x, y)'''
x, y = p
sx = enc_long(x)
sy = enc_long(y)
diff = len(sx) - len(sy)
if diff > 0:
sy = '\x00' * diff + sy
elif diff < 0:
sx = '\x00' * -diff + sx
return sx + sy
def dec_point(s):
'''Decode an even length string s to a point(x, y)'''
d = len(s) / 2
return (dec_long(s[:d]), dec_long(s[d:]))
class Encoder:
def __init__(self):
self._io = StringIO.StringIO()
def int(self, n, size = 4):
self._io.write(enc_fixed_long(n, size))
return self
def long(self, n, pre = 2):
lstr = enc_long(n)
self._io.write(enc_fixed_long(len(lstr), pre) + lstr)
return self
def str(self, s, pre = 2):
self._io.write(enc_fixed_long(len(s), pre) + s)
return self
def point(self, p, pre = 2):
lstr = enc_point(p)
self._io.write(enc_fixed_long(len(lstr), pre) + lstr)
return self
def chunk(self, enc, pre = 2):
lstr = enc.out()
self._io.write(enc_fixed_long(len(lstr), pre) + lstr)
return self
def out(self):
return self._io.getvalue()
class Decoder:
def __init__(self, data, offset = 0):
self._io = StringIO.StringIO(data)
self._io.seek(offset)
self._res = []
self._limit = None
self._parent = None
def _ret(self):
## if self._parent and self._io.tell() >= self._limit:
## return self.exit()
## else:
## return self
return self
def int(self, size = 4):
self._res.append(dec_long(self._io.read(size)))
return self._ret()
def long(self, pre = 2):
llen = dec_long(self._io.read(pre))
self._res.append(dec_long(self._io.read(llen)))
return self._ret()
def str(self, pre = 2):
llen = dec_long(self._io.read(pre))
self._res.append(self._io.read(llen))
return self._ret()
def point(self, pre = 2):
llen = dec_long(self._io.read(pre))
self._res.append(dec_point(self._io.read(llen)))
return self._ret()
def enter(self, pre = 2):
llen = dec_long(self._io.read(pre))
subcoder = Decoder("")
subcoder._io = self._io
subcoder._parent = self
subcoder._limit = self._io.tell() + llen
return subcoder
def chunk(self, pre = 2):
llen = dec_long(self._io.read(pre))
self._res.append(Decoder(self._io.read(llen)))
return self._ret()
def exit(self):
if self._parent:
self._parent._io.seek(self._limit)
self._parent._res.append(self._res)
return self._parent
else:
raise RuntimeError, "Cannont exit top level Decoder"
def continues(self):
return (not self._limit) or (self._io.tell() < self._limit)
def out(self, exit_all = False):
if exit_all and self._parent:
return self.exit().out()
else:
r = self._res
self._res = []
return r
def only(self):
if self._res:
return self._res.pop(0)
else:
return RuntimeError, "Only what? (Empty decoder stack)"

View File

@ -0,0 +1,50 @@
from Key import Key
import time
from collections import OrderedDict
def test_generation_perf(n = 100):
results = OrderedDict()
for bits in (192, 224, 256, 384, 521):
t = time.time()
for i in xrange(n):
k = Key.generate(bits)
t = time.time() - t
results[bits] = t
return results
def test_signing_perf(n = 100):
results = OrderedDict()
for bits in (192, 224, 256, 384, 521):
k = Key.generate(bits)
t = time.time()
for i in xrange(n):
k.sign("random string")
t = time.time() - t
results[bits] = t
return results
def test_verification_perf(n = 100):
results = OrderedDict()
for bits in (192, 224, 256, 384, 521):
k = Key.generate(bits)
s = k.sign("random string")
t = time.time()
for i in xrange(n):
k.verify("random string", s)
t = time.time() - t
results[bits] = t
return results
def print_dict(title, d):
print title
print '-' * len(title)
for k, v in d.items():
print k, '\t', v
print
n = 100
print_dict("Key generation", test_generation_perf(n))
print_dict("Signing", test_signing_perf(n))
print_dict("Verifying", test_verification_perf(n))

View File

@ -0,0 +1,82 @@
'''
This module implements simple prime generation and primality testing.
'''
from random import SystemRandom
random = SystemRandom()
from os import urandom
def exp(x, n, m):
'''Efficiently compute x ** n mod m'''
y = 1
z = x
while n > 0:
if n & 1:
y = (y * z) % m
z = (z * z) % m
n //= 2
return y
# Miller-Rabin-Test
def prime(n, k):
'''Checks whether n is probably prime (with probability 1 - 4**(-k)'''
if n % 2 == 0:
return False
d = n - 1
s = 0
while d % 2 == 0:
s += 1
d /= 2
for i in xrange(k):
a = long(2 + random.randint(0, n - 4))
x = exp(a, d, n)
if (x == 1) or (x == n - 1):
continue
for r in xrange(1, s):
x = (x * x) % n
if x == 1:
return False
if x == n - 1:
break
else:
return False
return True
# Generate and Test Algorithms
def get_prime(size, accuracy):
'''Generate a pseudorandom prime number with the specified size (bytes).'''
while 1:
# read some random data from the operating system
rstr = urandom(size - 1)
r = 128 | ord(urandom(1)) # MSB = 1 (not less than size)
for c in rstr:
r = (r << 8) | ord(c)
r |= 1 # LSB = 1 (odd)
# test whether this results in a prime number
if prime(r, accuracy):
return r
def get_prime_upto(n, accuracy):
'''Find largest prime less than n'''
n |= 1
while n > 0:
n -= 2
if prime(n, accuracy):
return n

View File

@ -0,0 +1,38 @@
# ------------------------------------------------------------------------------
#
# SHA-512-BASED FEISTEL CIPHER
# by Toni Mattis
#
# Feistel Function: SHA-512(Block || Key)
# Key Size: Fully Dynamic
# Block Size: 1024 Bits
# Rounds: User-Specified
#
# ------------------------------------------------------------------------------
from hashlib import sha512
BPOS = tuple(range(64))
def enc_block(block, key, rounds = 16):
x = block[:64]
y = block[64:]
for i in xrange(rounds):
h = sha512(x + key).digest()
y = ''.join([chr(ord(y[k]) ^ ord(h[k])) for k in BPOS])
h = sha512(y + key).digest()
x = ''.join([chr(ord(x[k]) ^ ord(h[k])) for k in BPOS])
return x + y
def dec_block(block, key, rounds = 16):
x = block[:64]
y = block[64:]
for i in xrange(rounds):
h = sha512(y + key).digest()
x = ''.join([chr(ord(x[k]) ^ ord(h[k])) for k in BPOS])
h = sha512(x + key).digest()
y = ''.join([chr(ord(y[k]) ^ ord(h[k])) for k in BPOS])
return x + y

77
python/PyECC/setup.py Normal file
View File

@ -0,0 +1,77 @@
#!/usr/bin/python2.4
#
# Copyright 2007 The Python-Twitter Developers
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
# copied from https://github.com/bear/python-twitter/blob/master/setup.py
#
'''The setup and build script for the python-twitter library.'''
__author__ = 'niccokunzmann@aol.com'
__version__ = '0.0.1'
# The base package metadata to be used by both distutils and setuptools
METADATA = dict(
name = "ecc",
version = __version__,
packages = ['ecc'],
author='Toni Mattis',
author_email='solaris@live.de',
description='Pure Python implementation of an elliptic curve cryptosystem based on FIPS 186-3',
license='MIT',
url='https://github.com/niccokunzmann/ecc',
keywords='elliptic curve cryptosystem rabbit cipher',
)
# Extra package metadata to be used only if setuptools is installed
SETUPTOOLS_METADATA = dict(
install_requires = [],
include_package_data = True,
classifiers = [
'Development Status :: 4 - Beta',
'Intended Audience :: Developers',
'License :: OSI Approved :: MIT License',
'Topic :: Software Development :: Libraries :: Python Modules',
'Topic :: Communications',
'Topic :: Security :: Cryptography',
'Topic :: Internet',
],
## test_suite = 'distacc_test',
)
def Read(file):
return open(file).read()
def BuildLongDescription():
return '\n'.join([Read('README.md'), ])
def Main():
# Build the long_description from the README and CHANGES
METADATA['long_description'] = BuildLongDescription()
# Use setuptools if available, otherwise fallback and use distutils
try:
import setuptools
METADATA.update(SETUPTOOLS_METADATA)
setuptools.setup(**METADATA)
except ImportError:
import distutils.core
distutils.core.setup(**METADATA)
if __name__ == '__main__':
Main()