charm-crypto-framework 0.61.1__cp313-cp313-macosx_10_13_universal2.whl

charm/schemes/pkenc/pkenc_cs98.py

@@ -0,0 +1,108 @@
+'''
+**Cramer-Shoup Public Key Encryption Scheme (CS98)**
+
+*Authors:* R. Cramer, V. Shoup
+
+| **Title:** "A Practical Public Key Cryptosystem Provably Secure Against Adaptive Chosen Ciphertext Attack"
+| **Published in:** CRYPTO 1998
+| **Available from:** http://knot.kaist.ac.kr/seminar/archive/46/46.pdf
+| **Notes:**
+
+.. rubric:: Scheme Properties
+
+* **Type:** encryption (public key)
+* **Setting:** DDH-hard EC groups of prime order (F_p) or Integer Groups
+* **Assumption:** DDH
+
+.. rubric:: Implementation
+
+:Authors: Matthew Green
+:Date: 1/2011
+'''
+from charm.toolbox.ecgroup import G
+from charm.toolbox.PKEnc import PKEnc
+
+# type definitions
+#pk_t = { 'g1' : G, 'g2' : G, 'c' : G, 'd' : G, 'h' : G }
+#sk_t = { 'x1' : ZR, 'x2' : ZR, 'y1' : ZR, 'y2' : ZR, 'z' : ZR }
+#c_t = { 'u1' : G, 'u2' : G, 'e' : G, 'v' : G }
+#str_t = str
+
+debug = False
+class CS98(PKEnc):	
+    """
+    >>> from charm.toolbox.eccurve import prime192v1
+    >>> from charm.toolbox.ecgroup import ECGroup
+    >>> groupObj = ECGroup(prime192v1)
+    >>> pkenc = CS98(groupObj)
+    >>> (public_key, secret_key) = pkenc.keygen()
+    >>> msg = b"hello world!!!123456"
+    >>> cipher_text = pkenc.encrypt(public_key, msg)
+    >>> decrypted_msg = pkenc.decrypt(public_key, secret_key, cipher_text)
+    >>> decrypted_msg == msg
+    True
+    >>> from charm.toolbox.integergroup import IntegerGroup, integer
+    >>> p = integer(156053402631691285300957066846581395905893621007563090607988086498527791650834395958624527746916581251903190331297268907675919283232442999706619659475326192111220545726433895802392432934926242553363253333261282122117343404703514696108330984423475697798156574052962658373571332699002716083130212467463571362679)
+    >>> q = integer(78026701315845642650478533423290697952946810503781545303994043249263895825417197979312263873458290625951595165648634453837959641616221499853309829737663096055610272863216947901196216467463121276681626666630641061058671702351757348054165492211737848899078287026481329186785666349501358041565106233731785681339)
+    >>> groupObj = IntegerGroup()
+    >>> pkenc = CS98(groupObj, p, q)
+    >>> (public_key, secret_key) = pkenc.keygen(1024)
+    >>> msg = b"hello world. test message"
+    >>> cipher_text = pkenc.encrypt(public_key, msg)
+    >>> decrypted_msg = pkenc.decrypt(public_key, secret_key, cipher_text)
+    >>> decrypted_msg == msg
+    True
+    """
+    def __init__(self, groupObj, p=0, q=0):
+        PKEnc.__init__(self)
+        global group
+        group = groupObj
+        if group.groupSetting() == 'integer':
+            group.p, group.q, group.r = p, q, 2
+
+#    @output(pk_t, sk_t)
+    def keygen(self, secparam=0):
+        if group.groupSetting() == 'integer':
+            if group.p == 0 or group.q == 0:
+                group.paramgen(secparam)
+            p = group.p
+            g1, g2 = group.randomGen(), group.randomGen()
+        elif group.groupSetting() == 'elliptic_curve':
+            group.paramgen(secparam)
+            g1, g2 = group.random(G), group.random(G)
+        
+        x1, x2, y1, y2, z = group.random(), group.random(), group.random(), group.random(), group.random()		
+        c = ((g1 ** x1) * (g2 ** x2))
+        d = ((g1 ** y1) * (g2 ** y2)) 
+        h = (g1 ** z)
+		
+        pk = { 'g1' : g1, 'g2' : g2, 'c' : c, 'd' : d, 'h' : h }
+        sk = { 'x1' : x1, 'x2' : x2, 'y1' : y1, 'y2' : y2, 'z' : z }
+        return (pk, sk)
+
+#    @input(pk_t, bytes)
+#    @output(c_t)
+    def encrypt(self, pk, M):
+        r     = group.random()
+        u1    = (pk['g1'] ** r)
+        u2    = (pk['g2'] ** r)
+        e     = group.encode(M) * (pk['h'] ** r)
+        alpha = group.hash((u1, u2, e))
+        v     = (pk['c'] ** r) * (pk['d'] ** (r * alpha))		
+		# Assemble the ciphertext
+                
+        c = { 'u1' : u1, 'u2' : u2, 'e' : e, 'v' : v }
+        return c
+    
+#    @input(pk_t, sk_t, c_t)
+#    @output(bytes)
+    def decrypt(self, pk, sk, c):
+        alpha = group.hash((c['u1'], c['u2'], c['e']))
+        v_prime = (c['u1'] ** (sk['x1'] + (sk['y1'] * alpha))) * (c['u2'] ** (sk['x2'] + (sk['y2'] * alpha)))
+        if (c['v'] != v_prime):
+            return 'ERROR' 
+
+        if debug: print("c['v'] => %s" % c['v'])
+        if debug: print("v' => %s" % v_prime)
+        return group.decode(c['e'] / (c['u1'] ** sk['z']))
+

charm/schemes/pkenc/pkenc_elgamal85.py

@@ -0,0 +1,122 @@
+'''
+**ElGamal Public Key Encryption Scheme (ElGamal85)**
+
+*Authors:* T. ElGamal
+
+| **Title:** "A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms"
+| **Published in:** CRYPTO 1984
+| **Available from:** http://en.wikipedia.org/wiki/ElGamal_encryption
+| **Notes:**
+
+.. rubric:: Scheme Properties
+
+* **Type:** encryption (public key)
+* **Setting:** DDH-hard prime order group
+* **Assumption:** DDH
+
+.. rubric:: Implementation
+
+:Authors: J. Ayo Akinyele
+:Date: 3/2011
+'''
+
+from charm.toolbox.PKEnc import PKEnc
+from charm.toolbox.ecgroup import G
+
+debug = False
+class ElGamalCipher(dict):
+    def __init__(self, ct):
+        if type(ct) != dict: assert False, "Not a dictionary!"
+        if not set(ct).issubset(['c1', 'c2']): assert False, "'c1','c2' keys not present."
+        dict.__init__(self, ct)
+
+    def __add__(self, other):
+        if type(other) == int:
+           lhs_c1 = dict.__getitem__(self, 'c1')
+           lhs_c2 = dict.__getitem__(self, 'c2')
+           return ElGamalCipher({'c1':lhs_c1, 'c2':lhs_c2 + other})
+        else:
+           pass 
+
+    def __mul__(self, other):
+        if type(other) == int:
+           lhs_c1 = dict.__getitem__(self, 'c1')
+           lhs_c2 = dict.__getitem__(self, 'c2')
+           return ElGamalCipher({'c1':lhs_c1, 'c2':lhs_c2 * other})
+        else:
+           lhs_c1 = dict.__getitem__(self, 'c1') 
+           rhs_c1 = dict.__getitem__(other, 'c1')
+
+           lhs_c2 = dict.__getitem__(self, 'c2') 
+           rhs_c2 = dict.__getitem__(other, 'c2')
+           return ElGamalCipher({'c1':lhs_c1 * rhs_c1, 'c2':lhs_c2 * rhs_c2})
+        return None
+
+class ElGamal(PKEnc):
+    """
+    >>> from charm.toolbox.eccurve import prime192v2
+    >>> from charm.toolbox.ecgroup import ECGroup
+    >>> groupObj = ECGroup(prime192v2)
+    >>> el = ElGamal(groupObj)    
+    >>> (public_key, secret_key) = el.keygen()
+    >>> msg = b"hello world!12345678"
+    >>> cipher_text = el.encrypt(public_key, msg)
+    >>> decrypted_msg = el.decrypt(public_key, secret_key, cipher_text)    
+    >>> decrypted_msg == msg
+    True
+    >>> from charm.toolbox.integergroup import IntegerGroupQ, integer
+    >>> p = integer(148829018183496626261556856344710600327516732500226144177322012998064772051982752493460332138204351040296264880017943408846937646702376203733370973197019636813306480144595809796154634625021213611577190781215296823124523899584781302512549499802030946698512327294159881907114777803654670044046376468983244647367)
+    >>> q = integer(74414509091748313130778428172355300163758366250113072088661006499032386025991376246730166069102175520148132440008971704423468823351188101866685486598509818406653240072297904898077317312510606805788595390607648411562261949792390651256274749901015473349256163647079940953557388901827335022023188234491622323683)
+    >>> groupObj = IntegerGroupQ()
+    >>> el = ElGamal(groupObj, p, q)    
+    >>> (public_key, secret_key) = el.keygen()
+    >>> msg = b"hello world!"
+    >>> cipher_text = el.encrypt(public_key, msg)
+    >>> decrypted_msg = el.decrypt(public_key, secret_key, cipher_text)    
+    >>> decrypted_msg == msg
+    True
+    """
+    def __init__(self, groupObj, p=0, q=0):
+        PKEnc.__init__(self)
+        global group
+        group = groupObj
+        if group.groupSetting() == 'integer':
+            group.p, group.q, group.r = p, q, 2
+
+    def keygen(self, secparam=1024):
+        if group.groupSetting() == 'integer':
+            if group.p == 0 or group.q == 0:
+                group.paramgen(secparam)
+            g = group.randomGen()
+        elif group.groupSetting() == 'elliptic_curve':
+            g = group.random(G)
+        # x is private, g is public param
+        x = group.random(); h = g ** x
+        if debug:
+            print('Public parameters...')
+            print('h => %s' % h)
+            print('g => %s' % g)
+            print('Secret key...')
+            print('x => %s' % x)
+        pk = {'g':g, 'h':h }
+        sk = {'x':x}
+        return (pk, sk)
+    
+    def encrypt(self, pk, M):
+        y = group.random()
+        c1 = pk['g'] ** y 
+        s = pk['h'] ** y
+        # check M and make sure it's right size
+        c2 = group.encode(M) * s
+        return ElGamalCipher({'c1':c1, 'c2':c2})
+    
+    def decrypt(self, pk, sk, c):
+        s = c['c1'] ** sk['x']
+        m = c['c2'] * (s ** -1)
+        if group.groupSetting() == 'integer':
+            M = group.decode(m % group.p)
+        elif group.groupSetting() == 'elliptic_curve':
+            M = group.decode(m)
+        if debug: print('m => %s' % m)
+        if debug: print('dec M => %s' % M)
+        return M

charm/schemes/pkenc/pkenc_gm82.py

@@ -0,0 +1,98 @@
+'''
+**Goldwasser-Micali Public Key Encryption Scheme (GM82)**
+
+*Authors:* S. Goldwasser, S. Micali
+
+| **Title:** "Probabilistic Encryption and How to Play Mental Poker Keeping Secret All Partial Information"
+| **Published in:** 14th Symposium on Theory of Computing (STOC), 1982
+| **Available from:** http://groups.csail.mit.edu/cis/pubs/shafi/1982-stoc.pdf
+| **Notes:**
+
+.. rubric:: Scheme Properties
+
+* **Type:** encryption (public key)
+* **Setting:** Integer
+* **Assumption:** Quadratic Residuosity
+
+.. rubric:: Implementation
+
+:Authors: Guillermo Ramos
+:Date: 01/2015
+'''
+
+from charm.core.math.integer import legendre, gcd
+from charm.toolbox.integergroup import RSAGroup, integer
+from charm.toolbox.PKEnc import PKEnc
+
+# Upper bound to the number of rounds the keygen is able to make
+# to search for a quadratic non-residue
+maxtimes = 30
+
+# Is x a quadratic residue of N = p1*p2?
+def isResidue(x, p1, p2):
+    return legendre(x, p1) == 1 or legendre(x, p2) == 1
+
+# Goldwasser-Micali cryptosystem
+class GM82(PKEnc):
+    """
+    >>> gm82 = GM82()
+    >>> (pk, sk) = gm82.keygen(512)
+    >>> zero = gm82.encrypt(pk, 0)
+    >>> one = gm82.encrypt(pk, 1)
+    >>> gm82.decrypt(sk, zero)
+    0
+    >>> gm82.decrypt(sk, one)
+    1
+    >>> gm82.decrypt(sk, gm82.xor(pk, zero, zero))
+    0
+    >>> gm82.decrypt(sk, gm82.xor(pk, zero, one))
+    1
+    >>> gm82.decrypt(sk, gm82.xor(pk, one, zero))
+    1
+    >>> gm82.decrypt(sk, gm82.xor(pk, one, one))
+    0
+    """
+    def __init__(self):
+        PKEnc.__init__(self)
+        self.group = RSAGroup()
+
+    def keygen(self, secparam):
+        self.group.paramgen(secparam)
+
+        # Find a random quadratic non-residue in the group
+        x = self.group.random()
+        times = 1
+        while times < maxtimes and isResidue(x, self.group.p, self.group.q):
+            x = self.group.random()
+            times += 1
+
+        # If we are not able to find a quadratic non-residue after 'maxtimes'
+        # trials, abort and output error
+        if times == maxtimes:
+            print("ERROR: non-residue not found after {} trials.".format(times))
+            return None
+
+        pk = (self.group.n, x)
+        sk = (self.group.p, self.group.q)
+        return (pk, sk)
+
+    def encrypt(self, pk, m):
+        (n, x) = pk
+
+        y = self.group.random()
+        while gcd(n, y) != 1:
+            y = self.group.random()
+
+        if m == 0:
+            return y**2 % n
+        else:
+            return y**2 * x % n
+
+    def decrypt(self, sk, c):
+        (p, q) = sk
+        return 0 if isResidue(c, p, q) else 1
+
+    # Homomorphic XOR over ciphertexts
+    def xor(self, pk, c1, c2):
+        (n, _) = pk
+        return (c1 * c2) % n

charm/schemes/pkenc/pkenc_paillier99.py

@@ -0,0 +1,118 @@
+'''
+**Paillier Public Key Encryption Scheme (Paillier99)**
+
+*Authors:* P. Paillier
+
+| **Title:** "Public-Key Cryptosystems Based on Composite Degree Residuosity Classes"
+| **Published in:** EUROCRYPT 1999
+| **Available from:** http://link.springer.com/chapter/10.1007%2F3-540-48910-X_16
+| **Notes:** Additively homomorphic encryption scheme
+
+.. rubric:: Scheme Properties
+
+* **Type:** encryption (public key)
+* **Setting:** Integer
+* **Assumption:** Composite Residuosity
+
+.. rubric:: Implementation
+
+:Authors: J. Ayo Akinyele
+:Date: 4/2011 (updated 2/2016)
+'''
+from charm.toolbox.integergroup import lcm,integer,toInt
+from charm.toolbox.PKEnc import PKEnc
+
+debug = False
+"""A ciphertext class with homomorphic properties"""
+class Ciphertext(dict):
+    """
+    This tests the additively holomorphic properties of 
+    the Paillier encryption scheme.
+
+    >>> from charm.toolbox.integergroup import RSAGroup
+    >>> group = RSAGroup()
+    >>> pai = Pai99(group)
+    >>> (public_key, secret_key) = pai.keygen()
+
+    >>> msg_1=12345678987654321
+    >>> msg_2=12345761234123409
+    >>> msg_3 = msg_1 + msg_2
+        
+    >>> cipher_1 = pai.encrypt(public_key, msg_1)
+    >>> cipher_2 = pai.encrypt(public_key, msg_2)
+    >>> cipher_3 = cipher_1 + cipher_2
+    
+    >>> decrypted_msg_3 = pai.decrypt(public_key, secret_key, cipher_3)
+    >>> decrypted_msg_3 == msg_3
+    True
+    """
+    def __init__(self, ct, pk, key):
+        dict.__init__(self, ct)
+        self.pk, self.key = pk, key
+    
+    def __add__(self, other):
+        if type(other) == int: # rhs must be Cipher
+           lhs = dict.__getitem__(self, self.key)
+           return Ciphertext({self.key:lhs * ((self.pk['g'] ** other) % self.pk['n2']) }, 
+                             self.pk, self.key)        
+        else: # neither are plain ints
+           lhs = dict.__getitem__(self, self.key)
+           rhs = dict.__getitem__(other, self.key)
+        return Ciphertext({self.key:(lhs * rhs) % self.pk['n2']}, 
+                          self.pk, self.key) 
+        
+    def __mul__(self, other):
+        if type(other) == int:
+            lhs = dict.__getitem__(self, self.key)
+            return Ciphertext({self.key:(lhs ** other)}, self.pk, self.key)
+    
+    def randomize(self, r): # need to provide random value
+        lhs = dict.__getitem__(self, self.key)
+        rhs = (integer(r) ** self.pk['n']) % self.pk['n2']
+        return Ciphertext({self.key:(lhs * rhs) % self.pk['n2']})
+    
+    def __str__(self):
+        value = dict.__str__(self)
+        return value # + ", pk =" + str(pk)
+    
+class Pai99(PKEnc):
+    def __init__(self, groupObj):
+        PKEnc.__init__(self)
+        global group
+        group = groupObj
+    
+    def L(self, u, n):
+        # computes L(u) => ((u - 1) / n)
+        U = integer(int(u) - 1)
+        if int(U) == 0:
+            return integer(0, n)
+        return U / n
+                
+    def keygen(self, secparam=1024):
+        (p, q, n) = group.paramgen(secparam)
+        lam = lcm(p - 1, q - 1)
+        n2 = n ** 2
+        g = group.random(n2)
+        u = (self.L(((g % n2) ** lam), n) % n) ** -1
+        pk, sk = {'n':n, 'g':g, 'n2':n2}, {'lamda':lam, 'u':u}
+        return (pk, sk)
+
+    def encrypt(self, pk, m):
+        g, n, n2 = pk['g'], pk['n'], pk['n2']
+        r = group.random(pk['n'])
+        c = ((g % n2) ** m) * ((r % n2) ** n)
+        return Ciphertext({'c':c}, pk, 'c')
+    
+    def decrypt(self, pk, sk, ct):
+        n, n2 = pk['n'], pk['n2']
+        m = ((self.L(ct['c'] ** sk['lamda'], n) % n) * sk['u']) % n
+        return toInt(m)
+
+    def encode(self, modulus, message):
+        # takes a string and represents as a bytes object
+        elem = integer(message)
+        return elem % modulus
+        
+    def decode(self, pk, element):
+        pass
+

charm/schemes/pkenc/pkenc_rabin.py

@@ -0,0 +1,254 @@
+'''
+**Rabin Public Key Encryption Scheme (Rabin)**
+
+*Authors:* M. O. Rabin
+
+| **Title:** "Digitalized Signatures and Public-Key Functions as Intractable as Factorization"
+| **Published in:** MIT Laboratory for Computer Science, 1979
+| **Available from:**
+| **Notes:**
+
+.. rubric:: Scheme Properties
+
+* **Type:** encryption (public key)
+* **Setting:** Integer
+* **Assumption:** Integer Factorization
+
+.. rubric:: Implementation
+
+:Authors: Christina Garman
+:Date: 09/2011
+'''
+
+from charm.core.math.integer import integer
+from charm.toolbox.PKEnc import PKEnc
+from charm.toolbox.PKSig import PKSig
+from charm.toolbox.paddingschemes import OAEPEncryptionPadding,SAEPEncryptionPadding
+from charm.toolbox.redundancyschemes import InMessageRedundancy
+from charm.toolbox.conversion import Conversion
+from charm.toolbox.bitstring import Bytes
+from charm.toolbox.specialprimes import BlumWilliamsInteger
+from math import ceil
+
+debug = False
+
+class Rabin():
+    def __init__(self, modulus=BlumWilliamsInteger()):
+        self.modulustype = modulus
+
+    # generate p,q and n
+    def paramgen(self, secparam):
+        (p, q, N) = self.modulustype.generateBlumWilliamsInteger(secparam)
+
+        yp = (p % q) ** -1
+        yq = (q % p) ** -1
+
+        return (p, yp, q, yq, N)
+    
+    def keygen(self, s0, secparam=1024, params=None):
+        if params: 
+            (N, p, q, yp, yq) = self.convert(params)
+            pk = { 'N':N, 'n':secparam, 's0':s0 }
+            sk = { 'p':p, 'q':q, 'N':N , 'yp':yp, 'yq':yq }
+            return (pk, sk)
+
+        (p, yp, q, yq, N) = self.paramgen(secparam)
+        
+        pk = { 'N':N, 'n':secparam, 's0':s0 }
+        sk = { 'p':p, 'q':q, 'N':N , 'yp':yp, 'yq':yq }
+
+        return (pk, sk)
+    
+    def convert(self, N, p, q, yp, yq):
+        return (integer(N), integer(p), integer(q), integer(yp), integer(yq))
+    
+class Rabin_Enc(Rabin,PKEnc):
+    """
+    >>> rabin = Rabin_Enc()
+    >>> (public_key, secret_key) = rabin.keygen(128, 1024)
+    >>> msg = b'This is a test'
+    >>> cipher_text = rabin.encrypt(public_key, msg)
+    >>> decrypted_msg = rabin.decrypt(public_key, secret_key, cipher_text)
+    >>> decrypted_msg == msg
+    True
+    """
+    def __init__(self, padding=SAEPEncryptionPadding(), redundancy=InMessageRedundancy(), params=None):
+        Rabin.__init__(self)
+        PKEnc.__init__(self)
+        self.paddingscheme = padding 
+        self.redundancyscheme = redundancy
+    # m : Bytes
+    def encrypt(self, pk, m, salt=None):
+        if(self.paddingscheme.name == "SAEPEncryptionPadding"):
+            EM = self.paddingscheme.encode(m, pk['n'], pk['s0'])
+        else:
+            m = self.redundancyscheme.encode(m)
+            octetlen = int(ceil(int(pk['N']).bit_length() / 8.0))
+            EM = self.paddingscheme.encode(m, octetlen, "", salt)
+
+        if debug: print("EM == >", EM)
+        i = Conversion.OS2IP(EM)
+        ip = integer(i) % pk['N']  #Convert to modular integer
+
+        return (ip ** 2) % pk['N']
+    
+    def decrypt(self, pk, sk, c):
+        p = sk['p']
+        q = sk['q']
+        yp = sk['yp']
+        yq = sk['yq']
+
+        mp = (c ** ((p+1)/4)) % p
+        mq = (c ** ((q+1)/4)) % q
+
+        if(not(((c % p) == (mp ** 2)) and ((c % q) == (mq ** 2)))):
+            assert False, "invalid ciphertext"
+
+        r1 = ((int(yp)*int(p)*int(mq)) + ((int(yq)*int(q)*int(mp)))) % int(sk['N'])
+        r2 = int(sk['N']) - int(r1)
+
+        s1 = (int(yp)*int(p)*int(mq) - int(yq)*int(q)*int(mp)) % int(sk['N'])
+        s2 = int(sk['N']) - int(s1)
+
+        m1 = r1 % int(sk['N'])
+        m2 = r2 % int(sk['N'])
+        m3 = s1 % int(sk['N'])
+        m4 = s2 % int(sk['N'])
+
+        if(self.paddingscheme.name == "SAEPEncryptionPadding"):        
+            if(m1 < integer(int(sk['N'])//2)):
+                os1 = Conversion.IP2OS(int(m1))
+                if(m2 < integer(int(sk['N'])//2)):
+                    os2 = Conversion.IP2OS(int(m2))
+                else:
+                    if(m3 < integer(int(sk['N'])//2)):
+                        os2 = Conversion.IP2OS(int(m3))
+                    else:
+                        os2 = Conversion.IP2OS(int(m4))
+            else:
+                if(m2 < integer(int(sk['N'])//2)):
+                    os1 = Conversion.IP2OS(int(m2))
+                    if(m3 < integer(int(sk['N'])//2)):
+                        os2 = Conversion.IP2OS(int(m3))
+                    else:
+                        os2 = Conversion.IP2OS(int(m4))
+                else:
+                    os1 = Conversion.IP2OS(int(m3))
+                    os2 = Conversion.IP2OS(int(m4))
+                
+            if debug:
+                print("OS1  =>", os1)
+                print("OS2  =>", os2)
+
+            (m1, t1) = self.paddingscheme.decode(os1, pk['n'], pk['s0'])
+            (m2, t2) = self.paddingscheme.decode(os2, pk['n'], pk['s0'])
+
+            if((t1 == Bytes.fill(b'\x00', pk['s0']/8)) and (t2 == Bytes.fill(b'\x00', pk['s0']/8))):
+                assert False, "invalid ciphertext"
+
+            if(t1 == Bytes.fill(b'\x00', pk['s0']/8)):
+                return m1
+            else:
+                if(t2 == Bytes.fill(b'\x00', pk['s0']/8)):
+                    return m2
+                else:
+                    assert False, "invalid ciphertext"
+        else:
+            octetlen = int(ceil(int(pk['N']).bit_length() / 8.0))
+            os1 = Conversion.IP2OS(int(m1), octetlen)
+            os2 = Conversion.IP2OS(int(m2), octetlen)
+            os3 = Conversion.IP2OS(int(m3), octetlen)
+            os4 = Conversion.IP2OS(int(m4), octetlen)
+            if debug:
+                print("OS1  =>", os1)
+                print("OS2  =>", os2)
+                print("OS3  =>", os3)
+                print("OS4  =>", os4)
+
+            for i in [os1, os2, os3, os4]:
+                (isMessage, message) = self.redundancyscheme.decode(self.paddingscheme.decode(i))
+                if(isMessage):
+                   return message        
+
+class Rabin_Sig(Rabin, PKSig):
+    """
+    RSASSA-PSS
+
+    >>> msg = b'This is a test message.'
+    >>> rabin = Rabin_Sig()
+    >>> (public_key, secret_key) = rabin.keygen(1024)
+    >>> signature = rabin.sign(secret_key, msg)
+    >>> rabin.verify(public_key, msg, signature)
+    True
+    """
+
+    def __init__(self, padding=OAEPEncryptionPadding()):
+        Rabin.__init__(self)
+        PKSig.__init__(self)
+        self.paddingscheme = padding 
+
+    def sign(self,sk, M, salt=None):
+        #apply encoding
+
+        while True:
+            octetlen = int(ceil(int(sk['N']).bit_length() / 8.0))
+            em = self.paddingscheme.encode(M, octetlen, "", salt)
+
+            m = Conversion.OS2IP(em)
+            m = integer(m) % sk['N']  #ERRROR m is larger than N
+      
+            p = sk['p']
+            q = sk['q']
+            yp = sk['yp']
+            yq = sk['yq']
+
+            mp = (m ** ((p+1)/4)) % p
+            mq = (m ** ((q+1)/4)) % q
+
+            r1 = ((int(yp)*int(p)*int(mq)) + ((int(yq)*int(q)*int(mp)))) % int(sk['N'])
+            r2 = int(sk['N']) - int(r1)
+
+            s1 = (int(yp)*int(p)*int(mq) - int(yq)*int(q)*int(mp)) % int(sk['N'])
+            s2 = int(sk['N']) - int(s1)
+
+            if(((int((integer(r1) ** 2) % sk['N'] - m)) == 0) or ((int((integer(r2) ** 2) % sk['N'] - m)) == 0) or ((int((integer(s1) ** 2) % sk['N'] - m)) == 0) or ((int((integer(s2) ** 2) % sk['N'] - m)) == 0)):
+                break
+
+        S = { 's1':r1, 's2':r2, 's3':s1, 's4':s2 }
+
+        if debug:
+            print("Signing")
+            print("m     =>", m)
+            print("em    =>", em)
+            print("S     =>", S)
+
+        return S
+    
+    def verify(self, pk, M, S, salt=None):
+        #M = b'This is a malicious message'
+
+        octetlen = int(ceil(int(pk['N']).bit_length() / 8.0))
+
+        sig_mess = (integer(S['s1']) ** 2) % pk['N']
+        sig_mess = Conversion.IP2OS(int(sig_mess), octetlen)
+        if debug: print("OS1  =>", sig_mess)
+        dec_mess = self.paddingscheme.decode(sig_mess)
+
+        if debug:
+            print("Verifying")
+            print("sig_mess     =>", sig_mess)
+            print("dec_mess    =>", dec_mess)
+            print("S     =>", S)
+
+        return (dec_mess == M)
+    
+def main():
+    rabin = Rabin_Enc()
+    (public_key, secret_key) = rabin.keygen(128, 1024)
+    msg = b'This is a test'
+    cipher_text = rabin.encrypt(public_key, msg)
+    decrypted_msg = rabin.decrypt(public_key, secret_key, cipher_text)
+    print(decrypted_msg == msg)
+
+if __name__ == "__main__":
+    main()