In [11]:
"""
ECE 458 Project 1
Skeleton solution file.

You need to assign values to variables, and implement two functions as part of your answers to this project
You are not allowed to call any DSA signature package.
You are allowed to define whatever subroutines you like to structure your code.
"""

import hashlib
import binascii
import math

"""
sha3_224_hex() is design to take a hexadecimal string as the input and compute it's sha3_224 hash value. 
You may call sha3_224_hex() in your project for both DSA signature and sha3_224 hash computation
Don't directly call hashlib.sha3_224() which only takes a character string (then encode the string to utf-8 format) as the input.
No prefix for the input string, and len(hexstr) is even
e.g.  sha3_224_hex("4c")
"""

def sha3_224_hex( hexstr ):
	if len(hexstr)%2 != 0:
		raise ValueError("Error: Length of hex string should be even")
	m = hashlib.sha3_224()
	data = binascii.a2b_hex(str(hexstr))
	m.update(data)
	return m.hexdigest()

def hexstr_to_decimal( hexstr ):
    binaryVal = "{0:08b}".format(int(hexstr, 16))
    # return decimal value from binaryVal
    return int(binaryVal, 2)

def hexstr_to_binstr ( hexstr ):
    return "{0:08b}".format(int(hexstr, 16))

def binstr_to_hexstr ( binstr ):
    decimalVal = int(binstr, 2)
    hexstr = str(hex(decimalVal))[2:]
    if(len(hexstr)%2!=0):
        hexstr="0"+hexstr
    return hexstr

def dec_to_hexstr(dec):
    hexstr=str(hex(dec))[2:]
    if(len(hexstr)%2!=0):
        return "0"+hexstr
    return hexstr

def pow_mod(g, c, n):
    z = 1
    c_bits = str(bin(c))[2:]
    for i in range(len(c_bits)-1, -1, -1):
        z = pow(z, 2, n)
        if c_bits[i]=="1":
            z=z*g%n
    return z

# from NIST standard, Appendix C.1
# Link: https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-4.pdf
def pow_mod_inverse(z, a):
    if (z <= 0 or a <= 0):
        raise ValueError("z & a must be greater than 0!")
    if(z >= a):
        raise ValueError("z < a is the requirement!")
        
    i=a
    j=z
    y2=0
    y1=1
    while(j > 0):
        quotient=math.floor(i/j)
        remainder=i-(j*quotient)
        y=y2-(y1*quotient)
        i=j
        j=remainder
        y2=y1
        y1=y
    if (i != 1):
        raise ValueError("No answer")
    return y2%a
#--------------------------------------------------------------------------------

# Part 1:Copy and paste your parameters here
# p,q,g are DSA domain parameters, sk_i (secret keys),pk_i (public keys),k_i (random numbers) are used in each signature and verification
p=16158504202402426253991131950366800551482053399193655122805051657629706040252641329369229425927219006956473742476903978788728372679662561267749592756478584653187379668070077471640233053267867940899762269855538496229272646267260199331950754561826958115323964167572312112683234368745583189888499363692808195228055638616335542328241242316003188491076953028978519064222347878724668323621195651283341378845128401263313070932229612943555693076384094095923209888318983438374236756194589851339672873194326246553955090805398391550192769994438594243178242766618883803256121122147083299821412091095166213991439958926015606973543
q=13479974306915323548855049186344013292925286365246579443817723220231
g=9891663101749060596110525648800442312262047621700008710332290803354419734415239400374092972505760368555033978883727090878798786527869106102125568674515087767296064898813563305491697474743999164538645162593480340614583420272697669459439956057957775664653137969485217890077966731174553543597150973233536157598924038645446910353512441488171918287556367865699357854285249284142568915079933750257270947667792192723621634761458070065748588907955333315440434095504696037685941392628366404344728480845324408489345349308782555446303365930909965625721154544418491662738796491732039598162639642305389549083822675597763407558360

sk1=7939731680553828959339338103722003137477446847294746673411939838142
sk2=2180011689269164882489130633696059518903640085444494524282198303794
sk3=4901811335044021096902476247372973271301450083095822517780991706975


#--------------------------------------------------------------------------------
# Part 2:Assign values that you compute to those parameters as part of your answers to (a) (b) and (c)
# (a) list all prime factors of p-1, list 3 public keys pk_i's corresponding to sk_i's, those numbers should be decimal integers
pfactor1=2
pfacotr2=q
pfactor3=599352188457547639693740171522680835865322184075286620256386716439921029334782998562008313995103840817116953210359643511447372101221464995653177706653918911634015555633001801773590292023083604552613918655194669929368962688659673544061885990566694774938089095597940505443430714573194211134223784784744939911387314440899638056016474270609853063142638329500429039904897328933858412897374253962878313102199163400319655392723027703101354927814377851954345336880097584669598515815463134218486896858352351187255794957262790967727451704317515673833695348341

# pk1=pow(g, sk1, p)
# pk2=pow(g, sk2, p)
# pk3=pow(g, sk3, p)
pk1=11168571763897266097909777537450543333261323527831451809719340065799502639130308027005813125156701719403215250661586615240629764508850142292316022863070179686639333756638815789989666732773790876485836846534852166273656336058128874884459171773658204542326739105249326093251161696230866784912189546708249590142956151917771527738794878728181672721164158286155252206610901307701772683797088930494317424838187744474123855770517385395801257862910487957133710071275633697260568076388874163125773267774796934038112805490007350784736866894480010013985968251353569156232821319370271861809290480680401895222189182306698427840121
pk2=15975619059570462500509384901264165082647183763742933176666805487278188097102861928312771845310551823068049142710967092141851309115790002559804014221436983953910014368879866500574867397342554178920523565746563678211472078351290562944804848801374498479005491883143824307447484799888367395296605370170745326497109627771528742456199067973778587443311487938158452631042370443932282759773929806058250763748814067912408823492721911284228625386142239010670179939089340295284318729922271740966812732643234701464253086235765228545213904099485127651742784509609737440756028584581983418416669517658940400502034489205918113699177
pk3=5870697316360175496832855198261891235978646155577135715950950785568512996281154117400000284371699001306734263708777420757557709521471287903842266582409606765767792251170484750329201935351412691938068272882121202561053751630086191868123047021677851121129757048546500810110169749291299860889181622037800866086182109659363876351002277482400547893989500060137979346977499153665757180572744926361572402124488619930119543105742144662138030804441053132759427389468540463503552981442270120182859402560459834261188129297373844595720306032261084327787679982901933798510105072414983145681324817316435045753952540234726360577299

# (b) Sig_sk1 and Sig_sk2, k_i is the random number used in signature. 
# u, v, w is the intermediate results when verifying Sig_sk1(m1)
# All variables should be decimal integers

# (b)(1)
# k1=hexstr_to_decimal(sha3_224_hex("01"))
k1=7636180595255512892709086526638263042018821609914680860810683215268
r1=pow(g, k1, p)%q
# r1=5102491627416874343359069298372509963208458310973379563071871951255
s1=0

# (b)(2)
u1=0
u2=0
v=0
w=0

# (b)(3)
# k2=hexstr_to_decimal(sha3_224_hex("02"))
k2=1126289620759427337161193756796339715982474853764963010968386403961
r2=pow(g, k2, p)%q
# r2=8516160244583270803284104545316545677581615323124894373363462902764
s2=0

# print("r1", r1)
# print("r2", r2)

# (c) PreImageOfPW1=h(amt0)||m1||nonce1, PreImageOfPW2=h(m1)||m2||nonce2, those two variables should be hex strings with on prefix of 0x

amt0_hex="05"
amt1_hex="04"
amt2_hex="03"
h_amt0=sha3_224_hex(amt0_hex)
h_amt1=sha3_224_hex(amt1_hex)

pk1_bits="0"+str(bin(pk1))[2:]
pk2_bits="0"+str(bin(pk2))[2:]
pk3_bits="00"+str(bin(pk3))[2:]

# print(len(pk1_bits), pk1_bits)
# print("")
# print(len(pk2_bits), pk2_bits)
# print("")
# print(len(pk3_bits), pk3_bits)

amt0_bits=hexstr_to_binstr("05")
amt1_bits=hexstr_to_binstr("04")
amt2_bits=hexstr_to_binstr("03")

# print(len(amt0_bits), amt0_bits)
# print(len(amt1_bits), amt1_bits)
# print(len(amt2_bits), amt2_bits)

m1_bits=pk1_bits+pk2_bits+amt1_bits
m2_bits=pk2_bits+pk3_bits+amt2_bits

# print(len(m1_bits))
# print(len(m2_bits))

m1=binstr_to_hexstr(m1_bits)
m2=binstr_to_hexstr(m2_bits)
h_m1=sha3_224_hex(m1)
h_m2=sha3_224_hex(m2)

concat1_bits=hexstr_to_binstr(h_amt0)+m1_bits
# print(len(concat1_bits))
concat2_bits="00"+hexstr_to_binstr(h_m1)+m2_bits
# print(len(concat2_bits))

nonce1=""
nonce2=""

PreImageOfPW1=""
PreImageOfPW2=""

# check if both of these are even length before sending to Sign and Verify functions
# make sure these variables are prefixed with 0x and add any 0s to make their length even

# print("PIW1: ", PreImageOfPW1)
# print("PIW2: ", PreImageOfPW2)
#--------------------------------------------------------------------------------

#Part 3: DSA signature and verification
# DSA signature function, p, q, g, k, sk are integers, Message are hex strings of even length.
def Sign( p, q, g, k, sk, Message ):
    if (len(Message)%2==1):
        print("ERROR: Message must be of EVEN length")
        
#     r=pow(g, k, p)%q
    r=pow_mod(g, k, p)%q
    temp=pow_mod_inverse(k, q)
    N=len(str(bin(q))[2:])
#   Since q is 224 bits and the hash functions also returns 224 bits, the 224 bits of h(Message)
#   is used in it's entirety when calculating z
    z=hexstr_to_decimal(sha3_224_hex(Message))
    s=(temp*(z+(sk*r)))%q
    
    return r,s

# DSA verification function,  p, q, g, k, pk are integers, Message are hex strings of even length.
def Verify( p, q, g, pk, Message, r, s ):
    if (len(Message)%2==1):
        raise ValueError("ERROR: Message must be of EVEN length")
    if (r <= 0 or s <= 0):
        raise ValueError("r and s must be greater than 0")
        
    if (r > q or s > q):
        raise ValueError("r and s must be less than q")
    
    w=pow_mod_inverse(s, q)
#   Since q is 224 bits and the hash functions also returns 224 bits, the 224 bits of h(Message)
#   is used in it's entirety when calculating z
    z=hexstr_to_decimal(sha3_224_hex(Message))
    u1=(z*w)%q
    u2=(r*w)%q
    y=pk
    v=((pow(g, u1)*pow(y, u2))%p)%q
    
    if v==r :
        return True
    else:   
        return False
    
# Sign and Verify
r, s = Sign(p, q, g, k1, sk1, m1)
print("r =",r)
print("s =",s)
# print(Verify(p, q, g, pk1, m1, r, s))




224
r = 7957224457688434329033876222327032123495834171895060763275447631495
s = 89724130746635059744696068289678371389466416557070037853632595323


In [18]:
pow_mod_inverse(8,11)

7

In [13]:
import math
math.floor(8/3)

2

In [153]:
def nonce(input):
    num_zeros=128-len(input)
    return ("0"*num_zeros)+input

def findNonce(input):
    check="0"*24
    if(len(input)!=4328):
        print("The input doesn't have the expected length!")
        return
    max = pow(2, 16)
    for j in range(8):
        for i in range(max):
            nonce_str=nonce(str(bin(i*pow(2, j))[2:]))
            hexstr=binstr_to_hexstr(input+nonce_str)
            hashed=sha3_224_hex(hexstr)
            hashed_binstr=hexstr_to_binstr(hashed)
            if(hashed_binstr[0:24]==check):
                return nonce_str
    return "Stupid"
        
nonce1=findNonce(concat1_bits)
print("DONE!")
print(nonce1)

DONE!
Stupid


In [154]:
nonce2=findNonce(concat2_bits)
print(nonce2)

Stupid


In [15]:
print(len(str(bin(q))[2:]))

224
