In [2]:
from hashlib import sha256

W = 257
msglen = 20
siglen = 40
n1 = siglen // 256 + 1
n2 = W // 256 + 1

Support = [
              8,  17,  26,  32,  52,  53,  57,  58,
             59,  63,  64,  66,  67,  71,  73,  76,
             79,  81, 111, 115, 132, 135, 141, 144,
            151, 157, 170, 176, 191, 192, 200, 201,
            202, 207, 216, 224, 228, 237, 241, 252,
        ]

def H(s, m, i, j):
    def _byte_xor(b1, b2):
        assert len(b1) == len(b2), "Error: byte strings of different length."
        return bytes([x ^^ y for x, y in zip(b1, b2)])
    return sha256(
        _byte_xor(
            s,
            sha256(
                m + i.to_bytes(n1) + j.to_bytes(n2)
            ).digest()
        )
    ).digest()

def encoding(msg):
    w = [0] * len(Support)
    for i in range(len(Support)):
        for j in range(len(msg)):
            # Constant coefficient is zero
            w[i] += msg[j][0] * pow(Support[i],(j  + 1), W)
        w[i] %= W
    return w

def verif(pk, message, signature):
    mask_seed, PK = pk

    w = encoding(message)
    signature_check = signature.copy()
    for i in range(40):
        for j in range(w[i] + 1, 257):
            signature_check[i] = H(signature_check[i], mask_seed, i, j)
    return all(s == pk for s, pk in zip(signature_check, PK))

In [3]:
from Crypto.Util.number import long_to_bytes

message = b'WINTERNITZ IS COMING'
message = [long_to_bytes(c) for c in message]
w = encoding(message)
forged_message = [157, 15, 237, 141, 42, 58, 188, 131, 85, 159, 23, 64, 123, 110, 100, 171, 151, 224, 131, 169]
forged_message = [long_to_bytes(c) for c in forged_message]
w_forged = encoding(forged_message)
diff = [w_forged[i]- w[i] for i in range (40)]

In [29]:
import numpy


In [110]:
from numpy import argsort
import logging

W = 257
Support = [
              8,  17,  26,  32,  52,  53,  57,  58,
             59,  63,  64,  66,  67,  71,  73,  76,
             79,  81, 111, 115, 132, 135, 141, 144,
            151, 157, 170, 176, 191, 192, 200, 201,
            202, 207, 216, 224, 228, 237, 241, 252,
        ]

Zp = FiniteField (257)
M = Matrix(Zp, 40, 20)
for i in range (40):
    for j in range (20):
        M[i, j] = pow(Support[i],(j  + 1), W)

message = vector([Zp(c) for c in b'WINTERNITZ IS COMING'])
w = M * message
I = list(argsort(w))[20:40]
J = list(numpy.argsort(w))[:20]

P = M[I].inverse()
w_I = vector([w[i] for i in I])

logging.info("beginning of bruteforce")
while True:
    v = vector([randint(0, 256-a) for a in w_I])
    c = M * (P * (w_I + v))
    if all(c[j] >= w[j] for j in J):
        forged_message = P * (w_I + v)
        break
logging.info("ending of bruteforce")

w_forged = M * forged_message
assert all(i >= j for i, j in zip (w_forged, w))
print("message found!")
print(forged_message)

message found!
(246, 78, 5, 99, 163, 176, 89, 92, 217, 76, 236, 106, 221, 55, 233, 253, 183, 30, 0, 140)


In [99]:
w_I

(189, 202, 207, 207, 208, 208, 209, 212, 226, 234, 235, 235, 239, 239, 239, 240, 241, 243, 243, 250)

False

In [105]:
a = vector((6, 14, 61, 95, 188, 230, 48, 199, 25, 122, 47, 214, 186, 26, 184, 36, 7, 1, 233, 87))

In [106]:
M * a

(170, 166, 232, 122, 244, 243, 184, 240, 63, 240, 207, 153, 237, 251, 256, 246, 215, 256, 159, 219, 246, 224, 235, 256, 231, 247, 154, 246, 126, 250, 208, 219, 231, 197, 207, 247, 237, 95, 244, 94)

In [107]:
w

(131, 11, 208, 118, 239, 239, 179, 68, 14, 202, 176, 127, 207, 180, 240, 189, 209, 243, 37, 212, 241, 50, 177, 250, 207, 234, 91, 239, 125, 235, 165, 139, 226, 65, 148, 235, 208, 75, 243, 27)