#!/usr/bin/python3
#
# toyecc - A small Elliptic Curve Cryptography Demonstration.
# Copyright (C) 2011-2022 Johannes Bauer
#
# This file is part of toyecc.
#
# toyecc is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; this program is ONLY licensed under
# version 3 of the License, later versions are explicitly excluded.
#
# toyecc is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with toyecc; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
#
# Johannes Bauer <[email protected]>
#
import sys
from toyecc import AffineCurvePoint, ShortWeierstrassCurve, getcurvebyname
from toyecc import ECPrivateKey
def separator():
    """Print a rule of 150 dashes to set the demo sections apart."""
    rule = "-" * 150
    print(rule)
# Curve shared by every example below. secp112r1 works over a 112-bit prime
# field: handy for short demo output, far too small to protect real data.
usedcurve = getcurvebyname("secp112r1")
#usedcurve = getcurvebyname("brainpoolP160r1")
#usedcurve = getcurvebyname("secp192k1")
print("Selected curve parameters:")
print(usedcurve)
separator()

# The private scalar is the fixed constant 0x12345, so every run prints the
# same key material. Outside a demo the scalar has to come from a CSPRNG.
privatekey = ECPrivateKey(0x12345, usedcurve)
print("Generated privatekey")
print(privatekey)
separator()
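########################### Encryption example ###########################
# ecies_encrypt() hands back a dict: "R" is the value transmitted to the
# receiver and "S" is the symmetric key. S is printed only because this is a
# demonstration; a real sender would never log it.
e = privatekey.pubkey.ecies_encrypt()
print("Encryption")
print("Transmitted R :", e["R"])
print("Symmetric key S:", e["S"])
separator()

# And decrypt at receiver: only R and the private key go in.
print("Decryption")
recovered_s = privatekey.ecies_decrypt(e["R"])
print("Recovered S :", recovered_s)
# Round-trip check, in line with the assertions of the other sections: the
# receiver must end up with exactly the S the sender derived.
assert recovered_s == e["S"]
separator()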
########################### Signature example ###########################
# ECDSA over the demo curve with SHA-1 as the digest. SHA-1 is no longer
# collision resistant; it is a demo parameter here, not a recommendation.
print("Signing message")
message = b"foobar"
signature = privatekey.ecdsa_sign(message, "sha1")
print("r:", signature.r)
print("s:", signature.s)
separator()

# The same signature is checked against the signed message and against a
# message that differs in its last byte; only the first check may succeed.
print("Verification of signature")
pubkey = privatekey.pubkey
verify_original = pubkey.ecdsa_verify(message, signature)
verify_modified = pubkey.ecdsa_verify(b"foobaz", signature)
print("Original message: %s (should be True)" % (verify_original))
print("Modified message: %s (should be False)" % (verify_modified))
assert verify_original
assert not verify_modified
separator()
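########################### Identical-nonce-in-signature exploit ###########################
# Both signatures below are forced onto the same nonce k. Two ECDSA signatures
# that share a nonce over different messages are enough to solve for the nonce
# and then for the private key, which is why a signer needs a fresh,
# unpredictable k for every signature (or a deterministic derivation from key
# and message, as in RFC 6979). For monitoring: a reused nonce shows up as two
# signatures from one key with an identical r value.
print("Generating signatures with identical nonces for exploitation")
reused_nonce = 123456
signature1 = privatekey.ecdsa_sign(b"foobar", "sha1", k = reused_nonce)
signature2 = privatekey.ecdsa_sign(b"foobaz", "sha1", k = reused_nonce)
print("r1:", signature1.r)
print("s1:", signature1.s)
print("r2:", signature2.r)
print("s2:", signature2.s)
recvr = privatekey.pubkey.ecdsa_exploit_reused_nonce(b"foobar", signature1, b"foobaz", signature2)
print("Recovered nonce :", int(recvr["nonce"]))
print("Recovered private key: 0x%x" % (int(recvr["privatekey"])))
# Self-check, in line with the assertions of the other sections: the recovered
# nonce has to be the k that was passed to both ecdsa_sign() calls.
assert int(recvr["nonce"]) == reused_nonce
separator()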
########################### Finding arbitrary points on the curve ###########################
# Look up the curve points that have a given x coordinate and confirm that
# whatever comes back really satisfies the curve equation.
x = 123456
print("Finding points on the curve with x == %d" % (x))
points = usedcurve.getpointwithx(x)
if not points:
    # A falsy result is reported as "no point for this x".
    print("No point found")
else:
    # The result is unpacked as a pair; presumably (x, y) and (x, -y).
    pt1, pt2 = points
    print("Point 1:", pt1)
    print("Point 2:", pt2)
    print("On curve? %s/%s (should be True/True)" % (pt1.oncurve(), pt2.oncurve()))
    assert pt1.oncurve()
    assert pt2.oncurve()
separator()
########################### Generating tiny curve for example purposes ###########################
# A curve over F_263 is small enough to enumerate completely, which makes it
# possible to list every point together with its order.
print("Generating a tiny curve")
tinycurve = ShortWeierstrassCurve(
    2,      # A
    3,      # B
    263,    # p
    270,    # n (order)
    1,      # cofactor
    200,    # G_x
    39      # G_y
)
print(tinycurve)
print("Curve order is #E(F_p) = %d" % (tinycurve.curve_order))
print("Generator is of order %d" % (tinycurve.G.naive_order_calculation()))

# Points of very small order are the "weak points" the message refers to: a
# peer-supplied point of small order confines any value derived from it to a
# handful of possibilities, so implementations validate incoming points.
print("Determining points of small order (weak points), this could take a while...")
for point in tinycurve.enumerate_points():
    order = point.naive_order_calculation()
    if order > 6:
        continue
    print("%-20s order %d" % (str(point), order))
separator()
########################### Checking point compression ###########################
# Round-trip two multiples of the generator through compress()/uncompress()
# and require that the original point comes back. The multipliers are the
# fixed values 125 and 126, not random numbers.
for randomnumber in range(125, 127):
    original = usedcurve.G * randomnumber
    print("Uncompressed point:", original)
    compressed = original.compress()
    print("Compressed point :", compressed)
    restored = usedcurve.uncompress(compressed)
    print("Uncompressed point:", restored)
    assert restored == original
# NOTE(review): the listing lost its indentation; separator() is placed after
# the loop here, as at the end of every other section. Confirm against the file.
separator()