[Cryptech-Commits] [core/math/modexpng] 04/92: Added blinding support to test vector generation scripts.

git at cryptech.is git at cryptech.is
Sat Mar 14 18:18:43 UTC 2020

Previous message (by thread): [Cryptech-Commits] [core/math/modexpng] 03/92: Instructions on how to use the vector generation scripts.
Next message (by thread): [Cryptech-Commits] [core/math/modexpng] 05/92: Updated readme file.
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This is an automated email from the git hooks/post-receive script.

paul at psgd.org pushed a commit to branch master
in repository core/math/modexpng.

commit eb859f8df6013c673e570799c73da0057848a06c
Author: Pavel V. Shatov (Meister) <meisterpaul1 at yandex.ru>
AuthorDate: Sat Mar 23 10:48:24 2019 +0300

    Added blinding support to test vector generation scripts.
---
 vector/vector_format.py |  10 +++--
 vector/vector_util.py   | 104 +++++++++++++++++++++++++++++++++++++-----------
 2 files changed, 87 insertions(+), 27 deletions(-)

diff --git a/vector/vector_format.py b/vector/vector_format.py
index accf691..67a50f0 100644
--- a/vector/vector_format.py
+++ b/vector/vector_format.py
@@ -40,7 +40,8 @@ SCRIPT_USAGE = "USAGE: vector_format.py [openssl_binary]"
 
 KEY_LENGTH = 1024
 
-RNG_SEED = 0
+RNG_SEED_MESSAGE = 1
+RNG_SEED_BLINDING = 2
 
 
 if __name__ == "__main__":
@@ -49,10 +50,11 @@ if __name__ == "__main__":
 
     if len(OPENSSL_BINARY) > 0:
 
-        MESSAGE = vector_util.random_message(RNG_SEED, KEY_LENGTH)
-        VECTOR = vector_util.load_vector(OPENSSL_BINARY, KEY_LENGTH)
+        MESSAGE  = vector_util.random_message(RNG_SEED_MESSAGE, KEY_LENGTH)
+        BLINDING = vector_util.random_blinding(RNG_SEED_BLINDING, KEY_LENGTH)
+        VECTOR   = vector_util.load_vector(OPENSSL_BINARY, KEY_LENGTH)
 
-        vector_ok = VECTOR.selfcheck(MESSAGE)
+        vector_ok = VECTOR.selfcheck(MESSAGE, BLINDING)
         if vector_ok:
             vector_util.save_vector(VECTOR)
             print("Test vector formatted.")
diff --git a/vector/vector_util.py b/vector/vector_util.py
index 413cb61..37e4fb6 100644
--- a/vector/vector_util.py
+++ b/vector/vector_util.py
@@ -42,18 +42,21 @@ from enum import Enum, auto
 
 
 class VectorPiece(Enum):
-    VectorPieceX    = auto()
-    VectorPieceN    = auto()
-    VectorPieceD    = auto()
-    VectorPieceP    = auto()
-    VectorPieceQ    = auto()
-    VectorPieceDP   = auto()
-    VectorPieceDQ   = auto()
-    VectorPieceQINV = auto()
+    VectorPieceOther = auto()
+    VectorPieceN     = auto()
+    VectorPieceD     = auto()
+    VectorPieceP     = auto()
+    VectorPieceQ     = auto()
+    VectorPieceDP    = auto()
+    VectorPieceDQ    = auto()
+    VectorPieceQINV  = auto()
 
 
 class Vector:
 
+    # public exponent
+    _f4 = 0x10001
+
     def __init__(self, length):
         self._bits = length
         self._n    = ""
@@ -101,7 +104,25 @@ class Vector:
 
         return r
 
-    def selfcheck(self, message):
+    def _calc_blind_y(self, x, modulus):
+        x_inv = self._modinv(x, modulus)
+        return pow(x_inv, self._f4, modulus)
+
+    def _egcd(self, a, b):
+        if a == 0:
+            return (b, 0, 1)
+        else:
+            g, y, x = self._egcd(b % a, a)
+        return (g, x - (b // a) * y, y)
+
+    def _modinv(self, a, m):
+        g, x, y = self._egcd(a, m)
+        if g != 1:
+            raise Exception("_modinv() failed!")
+        else:
+            return x % m
+
+    def selfcheck(self, message, blinding):
 
         self.m    = message             # message (padded)
         self.n    = int(self._n,    16) # modulus
@@ -112,6 +133,9 @@ class Vector:
         self.dq   = int(self._dq,   16) # smaller exponent
         self.qinv = int(self._qinv, 16) # helper coefficient
 
+        self.x    = blinding
+        self.y    = self._calc_blind_y(self.x, self.n)
+
         # check modulus
         if self.n == 0:
             print("ERROR: n == 0")
@@ -130,22 +154,40 @@ class Vector:
             print("ERROR: dq != (d % (q-1))")
             return False
 
-        # sign
-        s = pow(message, self.d, self.n)
+        # sign to obtain known good value
+        s_reference = pow(message, self.d, self.n)
+
+        # blind message
+        message_blinded = (message * self.y) % self.n
+
+        # sign blinded message
+        s_blinded = pow(message_blinded, self.d, self.n)
+
+        # unblind signature
+        s_unblinded = (s_blinded * self.x) % self.n
+
+        # check, that x and y actually work
+        if s_unblinded != s_reference:
+            print("ERROR: s_unblinded != s_reference!")
+            return False
+
+        # try to do crt with the blinded message
+        sp_blinded = pow(message_blinded, self.dp, self.p)
+        sq_blinded = pow(message_blinded, self.dq, self.q)
 
-        # try to do crt
-        sp = pow(message, self.dp, self.p)
-        sq = pow(message, self.dq, self.q)
+        # recover full blinded signature
+        sr_blinded = sp_blinded - sq_blinded
+        if sr_blinded < 0: sr_blinded += self.p
 
-        sr = sp - sq
-        if sr < 0: sr += self.p
+        sr_qinv_blinded = (sr_blinded * self.qinv) % self.p
 
-        srqinv = (sr * self.qinv) % self.p
+        s_crt_blinded = sq_blinded + self.q * sr_qinv_blinded
 
-        s_crt = sq + self.q * srqinv
+        # unblind crt signature
+        s_crt_unblinded = (s_crt_blinded * self.x) % self.n
 
-        if s_crt != s:
-            print("ERROR: s_crt != s!")
+        if s_crt_unblinded != s_reference:
+            print("ERROR: s_crt_unblinded != s_reference!")
             return False
 
         self.n_factor = self._calc_mont_factor(self._bits      + 16, self.n)
@@ -204,19 +246,33 @@ def random_message(seed, length):
     return message
 
 
+def random_blinding(seed, length):
+
+    blinding = 0
+    num_bytes = length // 8 - 1
+
+    random.seed(seed)
+
+    for i in range(num_bytes):
+        blinding <<= 8
+        blinding += random.getrandbits(8)
+
+    return blinding
+
+
 def load_vector(binary, length):
 
     vector = Vector(length)
-    piece_type = VectorPiece.VectorPieceX
+    piece_type = VectorPiece.VectorPieceOther
 
     filename = str(length) + "_randomized.key"
     openssl_command = [binary, "rsa", "-in", filename, "-noout", "-text"]
     openssl_stdout = subprocess.check_output(openssl_command).decode("utf-8").splitlines()
 
     for line in openssl_stdout:
-        if   line.startswith("RSA Private-Key:"): piece_type = VectorPiece.VectorPieceX
+        if   line.startswith("RSA Private-Key:"): piece_type = VectorPiece.VectorPieceOther
         elif line.startswith("modulus:"):         piece_type = VectorPiece.VectorPieceN
-        elif line.startswith("publicExponent:"):  piece_type = VectorPiece.VectorPieceX
+        elif line.startswith("publicExponent:"):  piece_type = VectorPiece.VectorPieceOther
         elif line.startswith("privateExponent:"): piece_type = VectorPiece.VectorPieceD
         elif line.startswith("prime1:"):          piece_type = VectorPiece.VectorPieceP
         elif line.startswith("prime2:"):          piece_type = VectorPiece.VectorPieceQ
@@ -252,6 +308,8 @@ def save_vector(vector):
     f.write("    n_coeff  = 0x%x\n" % vector.n_coeff)
     f.write("    p_coeff  = 0x%x\n" % vector.p_coeff)
     f.write("    q_coeff  = 0x%x\n" % vector.q_coeff)
+    f.write("    x        = 0x%x\n" % vector.x)
+    f.write("    y        = 0x%x\n" % vector.y)
 
     f.close()

Previous message (by thread): [Cryptech-Commits] [core/math/modexpng] 03/92: Instructions on how to use the vector generation scripts.
Next message (by thread): [Cryptech-Commits] [core/math/modexpng] 05/92: Updated readme file.
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

More information about the Commits mailing list