charm-crypto-framework 0.61.1__cp313-cp313-macosx_10_13_universal2.whl

charm/toolbox/secretutil.py

@@ -0,0 +1,174 @@
+'''
+Contains all the auxillary functions to do linear secret sharing (LSS) over an access structure. Mainly, we represent the 
+access structure as a binary tree. This could also support matrices for representing access structures.
+'''
+from charm.core.math.pairing import ZR
+from charm.toolbox.policytree import *
+
+class SecretUtil:
+    def __init__(self, groupObj, verbose=True):
+        self.group = groupObj        
+#        self.parser = PolicyParser()
+
+    def P(self, coeff, x):
+        share = 0
+        # evaluate polynomial
+        for i in range(0, len(coeff)):
+            share += (coeff[i] * (x ** i))
+        return share
+
+    def genShares(self, secret, k, n):
+        if(k <= n):
+            rand = self.group.random
+            a = [] # will hold polynomial coefficients
+            for i in range(0, k):
+                if (i == 0): a.append(secret) # a[0]
+                else: a.append(rand(ZR))
+            Pfunc = self.P 
+            shares = [Pfunc(a, i) for i in range(0, n+1)]
+        return shares
+    
+    # shares is a dictionary
+    def recoverCoefficients(self, list):
+        """recovers the coefficients over a binary tree."""
+        coeff = {}
+        list2 = [self.group.init(ZR, i) for i in list]
+        for idx, i in enumerate(list):
+            i_zr = list2[idx]  # self.group.init(ZR, i)
+            result = 1
+            for j_zr in list2:
+                if not (i_zr == j_zr):
+                    # lagrange basis poly
+                    result *= (0 - j_zr) / (i_zr - j_zr)
+#                print("coeff '%d' => '%s'" % (i, result))
+            coeff[int(i)] = result
+        return coeff
+        
+    def recoverSecret(self, shares):
+        """take shares and attempt to recover secret by taking sum of coeff * share for all shares.
+        if user indeed has at least k of n shares, then secret will be recovered."""
+        list = shares.keys()
+        if self.verbose: print(list)
+        coeff = self.recoverCoefficients(list)
+        secret = 0
+        for i in list:
+            secret += (coeff[i] * shares[i])
+
+        return secret
+
+    def getCoefficients(self, tree):
+        coeffs = {}
+        self._getCoefficientsDict(tree, coeffs)
+        return coeffs
+    
+    def _getCoefficientsDict(self, tree, coeff_list, coeff=1):
+        """recover coefficient over a binary tree where possible node types are OR = (1 of 2)
+        and AND = (2 of 2) secret sharing. The leaf nodes are attributes and the coefficients are
+        recorded in a coeff-list dictionary.""" 
+        if tree:
+            node = tree.getNodeType()
+            if(node == OpType.AND):
+                this_coeff = self.recoverCoefficients([1,2])
+                # left child => coeff[1], right child => coeff[2]
+                self._getCoefficientsDict(tree.getLeft(), coeff_list, coeff * this_coeff[1])
+                self._getCoefficientsDict(tree.getRight(), coeff_list, coeff * this_coeff[2])
+            elif(node == OpType.OR):
+                this_coeff = self.recoverCoefficients([1])
+                self._getCoefficientsDict(tree.getLeft(), coeff_list, coeff * this_coeff[1])
+                self._getCoefficientsDict(tree.getRight(), coeff_list, coeff * this_coeff[1])
+            elif(node == OpType.ATTR):
+                attr = tree.getAttributeAndIndex()
+                coeff_list[ attr ] = coeff
+            else:
+                return None
+            
+    def _calculateShares(self, secret, tree, _type=dict):
+        """performs secret sharing over a policy tree. could be adapted for LSSS matrices."""
+        attr_list = []
+        self._compute_shares(secret, tree, attr_list)
+        if _type == list:
+            return attr_list
+        else: # assume dict
+            share = {}
+            for i in range(0, len(attr_list)):
+                key = attr_list[i][0].getAttributeAndIndex()
+                if not key in share.keys():
+                    share[ key ] = attr_list[i][1]
+            return share
+    
+    def calculateSharesList(self, secret, tree):
+        """calculate shares from given secret and returns a list of shares."""        
+        return self._calculateShares(secret, tree, list)
+    
+    def calculateSharesDict(self, secret, tree):
+        """calculate shares from given secret and returns a dict as {attribute:shares} pairs"""        
+        return self._calculateShares(secret, tree, dict)
+    
+    def _compute_shares(self, secret, subtree, List):
+        """computes recursive secret sharing over the binary tree. Start by splitting 1-of-2 (OR) or 2-of-2 (AND nodes).
+         Continues recursively down the tree doing a round of secret sharing at each boolean node type."""
+        k = 0
+        if(subtree == None):
+            return None
+        
+        type = subtree.getNodeType()
+        if(type == OpType.ATTR):
+            # visiting a leaf node
+#            t = (subtree.getAttribute(), secret)
+            t = (subtree, secret)
+            List.append(t)
+            return None
+        elif(type == OpType.OR or type == OpType.AND):
+            k = subtree.threshold # 1-of-2 or 2-of-2
+#        elif(type == OpType.AND):
+#            k = 2 # 2-of-2
+        else:
+            return None
+        # generate shares for k and n        
+        shares = self.genShares(secret, k, n=2)
+        # recursively generate shares for children nodes
+        self._compute_shares(shares[1], subtree.getLeft(), List)
+        self._compute_shares(shares[2], subtree.getRight(), List)
+    
+    def strip_index(self, node_str):
+        if node_str.find('_') != -1: return node_str.split('_')[0]
+        return node_str
+        
+    
+    def createPolicy(self, policy_string):
+        assert type(policy_string) == str, "invalid type for policy_string"
+        parser = PolicyParser()        
+        policy_obj = parser.parse(policy_string)
+        _dictCount, _dictLabel = {}, {}
+        parser.findDuplicates(policy_obj, _dictCount)
+        for i in _dictCount.keys(): 
+            if _dictCount[ i ] > 1: _dictLabel[ i ] = 0
+        parser.labelDuplicates(policy_obj, _dictLabel)
+        return policy_obj
+        
+    def prune(self, policy, attributes):
+        """determine whether a given set of attributes satisfies the policy"""
+        parser = PolicyParser()        
+        return parser.prune(policy, attributes)
+    
+    def getAttributeList(self, Node):
+        aList = []
+        self._getAttributeList(Node, aList)
+        return aList
+            
+    def _getAttributeList(self, Node, List):
+        """retrieve the attributes that occur in a policy tree in order (left to right)"""
+        if(Node == None):
+            return None
+        # V, L, R
+        if(Node.getNodeType() == OpType.ATTR):
+            List.append(Node.getAttributeAndIndex()) # .getAttribute()
+        else:
+            self._getAttributeList(Node.getLeft(), List)
+            self._getAttributeList(Node.getRight(), List)
+        return None
+
+# TODO: add test cases here for SecretUtil
+if __name__ == "__main__":
+    pass
+

charm/toolbox/securerandom.py

@@ -0,0 +1,73 @@
+'''
+Base class for cryptographic secure random number generation
+:authors: Gary Belvin
+'''
+from charm.toolbox.bitstring import Bytes
+from charm.toolbox.conversion import Conversion
+from charm.core.math.integer import randomBits
+import datetime
+import math
+import random
+
+class SecureRandom():
+    def __init__(self):
+        pass
+    def getRandomBytes(self, length):
+        '''Returns a random bit string of length bytes'''
+        raise NotImplementedError
+    def addSeed(self, seed):
+        '''
+        Add randomness to the generator.  
+        Always increases entropy
+        '''
+        raise NotImplementedError
+
+class SecureRandomFactory():
+    '''
+    This class provides a central place to swap out the randomness engine
+    used by the charm framework.
+    Classes should call ``rand = SecureRandomFactory.getInstance()`` 
+    to acquire a randomnesss generator
+    '''
+    @classmethod
+    def getInstance(self):
+        return OpenSSLRand()
+    
+
+class OpenSSLRand(SecureRandom):
+    '''Uses the OpenSSL PRNG for random bits'''
+    def __init__(self):
+        SecureRandom.__init__(self)
+        #seed with a little bit of random data. This is not the only source
+        #of randomness. Internally, OpenSSL samples additional physical randomness.
+    
+    def getRandomBytes(self, length):
+        bits = length * 8;
+        val = randomBits(bits)
+        return Conversion.IP2OS(val, length)
+    
+    def getRandomBits(self, length):
+        i = randomBits(length)
+        len = math.ceil(length / 8)
+        return Conversion.IP2OS(i, len)
+
+
+class WeakRandom(SecureRandom):
+    def __init__(self):
+        SecureRandom.__init__(self)
+    def getRandomBytes(self, length):
+        return self.myrandom(length, False)
+    def addSeed(self, seed):
+        raise NotImplementedError()
+    @classmethod
+    def myrandom(self, length, printable=False):
+        '''
+        This method does **NOT** provide cryptographically secure random numbers.
+        This should **NOT** be used for production code
+        '''
+        if(printable):
+            #Nice printable characters for testing purposes
+            return Bytes(random.randrange(0x20, 0x7E) for i in range(length))
+        else:
+            return Bytes(random.randrange(0, 256) for i in range(length))
+    

charm/toolbox/sigmaprotocol.py

@@ -0,0 +1,46 @@
+
+from charm.core.engine.protocol import Protocol
+from charm.core.engine.util import *
+from charm. toolbox.enum import Enum
+
+#party = Enum('Prover', 'Verifier')
+
+class Sigma(Protocol):
+    def __init__(self, groupObj, common_input=None):        
+        Protocol.__init__(self, None)  # think of something for handling errors      
+        self.verifier_states = { 2:self.verifier_state2, 4:self.verifier_state4, 6:self.verifier_state6 }
+        self.prover_states = { 1:self.prover_state1, 3:self.prover_state3, 5:self.prover_state5 }
+        self.PROVER, self.VERIFIER = 1, 2  # PROVER = 1, VERIFIER = 2
+
+        self.verifier_trans = { 2:4, 4:6 }
+        self.prover_trans = { 1:3, 3:5 }
+        # describe the parties involved and the valid transitions
+        Protocol.addPartyType(self, self.VERIFIER, self.verifier_states, self.verifier_trans)
+        Protocol.addPartyType(self, self.PROVER, self.prover_states, self.prover_trans, True)
+
+        self.group = groupObj
+        # proof parameter generation
+        if common_input == None: # generate common parameters to P and V
+            db = {}
+        else: # can be used as a sub-protocol if common_input is specified by caller
+            db = common_input            
+        Protocol.setSubclassVars(self, self.group, db)      
+    
+    # must be implemented by sub class... 
+    def prover_state1(self):
+        pass
+    
+    def prover_state3(self, input):
+        pass
+    
+    def prover_state5(self, input):
+        pass
+    
+    def verifier_state2(self, input):
+        pass
+
+    def verifier_state4(self, input):
+        pass
+    
+    def verifier_state6(self, input):
+        pass

charm/toolbox/specialprimes.py

@@ -0,0 +1,45 @@
+'''
+Generates a Blum-Williams integer, which is the product of two distinct primes
+each congruent to 3 mod 4
+'''
+
+from charm.core.math.integer import integer,isPrime,randomPrime
+
+class BlumWilliamsInteger:
+    def __init__(self):
+        pass
+
+    def generatePrimes(self, n):
+        # Add safety limit to prevent infinite loops on Python 3.12+
+        # Blum-Williams primes (p ≡ 3 mod 4) are approximately 50% of all primes
+        # so we should find one within a reasonable number of attempts
+        max_attempts = 10000
+
+        for attempt in range(max_attempts):
+            p = randomPrime(n)
+            if(isPrime(p) and (((p-3)%4) == 0)):
+                break
+        else:
+            raise RuntimeError(
+                f"Could not generate Blum-Williams prime p after {max_attempts} attempts"
+            )
+
+        for attempt in range(max_attempts):
+            q = randomPrime(n)
+            if(isPrime(q) and (((q-3)%4) == 0) and not(q == p)):
+                break
+        else:
+            raise RuntimeError(
+                f"Could not generate Blum-Williams prime q after {max_attempts} attempts"
+            )
+
+        return (p, q)
+
+    def generateBlumWilliamsInteger(self, n, p=0, q=0):
+        if((p == 0) or (q == 0)):
+            (p,q) = self.generatePrimes(n)
+            N = p * q
+            return (p, q, N)
+        else:
+            N = p * q
+            return N

charm/toolbox/symcrypto.py

@@ -0,0 +1,279 @@
+from charm.toolbox.paddingschemes import PKCS7Padding
+from charm.toolbox.securerandom import OpenSSLRand
+from charm.core.crypto.cryptobase import MODE_CBC,AES,selectPRP
+from hashlib import sha256 as sha2
+import json
+import hmac
+from base64 import b64encode, b64decode
+
+class MessageAuthenticator(object):
+    """ Abstraction for constructing and verifying authenticated messages
+
+        A large number of the schemes can only encrypt group elements
+        and do not provide an efficient mechanism for encoding byte in
+        those elements. As such we don't pick a symmetric key and encrypt
+        it asymmetrically. Rather, we hash a random group element to get the
+        symmetric key.
+
+    >>> from charm.toolbox.pairinggroup import PairingGroup,GT,extract_key
+    >>> groupObj = PairingGroup('SS512')
+    >>> key = groupObj.random(GT)
+    >>> m = MessageAuthenticator(extract_key(key))
+    >>> AuthenticatedMessage = m.mac('Hello World')
+    >>> m.verify(AuthenticatedMessage)
+    True
+    """
+    def __init__(self, key, alg="HMAC_SHA2"):
+        """
+        Creates a message authenticator and verifier under the specified key
+        """
+        if alg != "HMAC_SHA2":
+            raise ValueError("Currently only HMAC_SHA2 is supported as an algorithm")
+        self._algorithm = alg
+        self._key = key
+
+    def mac(self, msg, associatedData=b''):
+        """
+        Authenticates (MAC) a message. The MAC is computed as:
+        MAC = HMAC(key, algorithm + associatedData + message).
+
+        Parameters
+        ----------
+        msg : str or byte str
+            The message serving as input to the HMAC algorithm, in addition to the HMAC algorithm and associated data.
+        associatedData : str or byte str, optional
+            Associated data that will be MACed together with the ciphertext and algorithm; the associated data will not be encrypted.
+
+        Returns
+        -------
+        dict
+            Dictionary composed of the MAC algorithm, the MACed message (or ciphertext), and the digest computed by MACing HMAC_algorithm + associatedData + msg.
+        """
+        # Ensure the associated data is in byte format, convert if necessary.
+        if type(associatedData) != bytes :
+            associatedData = bytes(associatedData, "utf-8")
+        return {
+                "alg": self._algorithm,
+                "msg": msg,
+                "digest": hmac.new(self._key, bytes(self._algorithm, "utf-8") + associatedData + bytes(msg, "utf-8"), digestmod=sha2).hexdigest()
+               }
+
+    def verify(self, msgAndDigest, associatedData=b''):
+        """
+        Verifies whether the MAC digest from input ciphertext and digest matches the computed one over ciphertext and associated data.
+
+        Parameters
+        ----------
+        msgAndDigest : dict
+            Dictionary composed of the MAC algorithm, the MACed message (or ciphertext), and the digest computed by MACing HMAC_algorithm + associatedData + msg.
+            It is the format generated by the mac() function within this class.
+        associatedData : str or byte str, optional
+            Associated data that will be MACed together with the ciphertext and algorithm; the associated data will not be encrypted.
+
+        Returns
+        -------
+        bool
+            True if the digests match, False otherwise.
+
+        Raises
+        ------
+        ValueError
+            If the HMAC algorithm is not supported.
+        """
+        if msgAndDigest['alg'] != self._algorithm:
+            raise ValueError("Currently only HMAC_SHA2 is supported as an algorithm")
+        expected = bytes(self.mac(msgAndDigest['msg'], associatedData=associatedData)['digest'], 'utf-8')
+        received = bytes(msgAndDigest['digest'], 'utf-8')
+        # we compare the hash instead of the direct value to avoid a timing attack
+        return sha2(expected).digest() == sha2(received).digest()
+
+class SymmetricCryptoAbstraction(object):
+    """
+    Abstraction for symmetric encryption and decryption of data.
+    Ideally provide an INDCCA2 secure symmetric container for arbitrary data.
+    Currently only supports primitives that JSON can encode and decode.
+
+    A large number of the schemes can only encrypt group elements
+    and do not provide an efficient mechanism for encoding byte in
+    those elements. As such we don't pick a symmetric key and encrypt
+    it asymmetrically. Rather, we hash a random group element to get the
+    symmetric key.
+
+    >>> from charm.toolbox.pairinggroup import PairingGroup,GT,extract_key
+    >>> groupObj = PairingGroup('SS512')
+    >>> a = SymmetricCryptoAbstraction(extract_key(groupObj.random(GT)))
+    >>> ct = a.encrypt(b"Friendly Fire Isn't")
+    >>> a.decrypt(ct)
+    b"Friendly Fire Isn't"
+    """
+
+    def __init__(self, key, alg = AES, mode = MODE_CBC):
+        self._alg = alg
+        self.key_len = 16
+        self._block_size = 16
+        self._mode = mode
+        self._key = key[0:self.key_len] # expected to be bytes
+        assert len(self._key) == self.key_len, "SymmetricCryptoAbstraction key too short"
+        self._padding = PKCS7Padding()
+
+    def _initCipher(self,IV = None):
+        if IV == None :
+            IV =  OpenSSLRand().getRandomBytes(self._block_size)
+        self._IV = IV
+        return selectPRP(self._alg,(self._key,self._mode,self._IV))
+
+    def __encode_decode(self,data,func):
+        data['IV'] = func(data['IV'])
+        data['CipherText'] = func(data['CipherText'])
+        return data
+
+    #This code should be factored out into another class
+    #Because json is only defined over strings, we need to base64 encode the encrypted data
+    # and convert the base 64 byte array into a utf8 string
+    def _encode(self, data):
+        return self.__encode_decode(data, lambda x: b64encode(x).decode('utf-8'))
+
+    def _decode(self, data):
+        return self.__encode_decode(data, lambda x: b64decode(bytes(x, 'utf-8')))
+
+    def encrypt(self, message):
+        #This should be removed when all crypto functions deal with bytes"
+        if type(message) != bytes :
+            message = bytes(message, "utf-8")
+        ct = self._encrypt(message)
+        #JSON strings cannot have binary data in them, so we must base64 encode cipher
+        cte = json.dumps(self._encode(ct))
+        return cte
+
+    def _encrypt(self, message):
+        #Because the IV cannot be set after instantiation, decrypt and encrypt
+        # must operate on their own instances of the cipher
+        cipher = self._initCipher()
+        ct= {'ALG': self._alg,
+            'MODE': self._mode,
+            'IV': self._IV,
+            'CipherText': cipher.encrypt(self._padding.encode(message))
+            }
+        return ct
+
+    def decrypt(self, cipherText):
+        f = json.loads(cipherText)
+        return self._decrypt(self._decode(f))
+
+    def _decrypt(self, cipherText):
+        cipher = self._initCipher(cipherText['IV'])
+        msg = cipher.decrypt(cipherText['CipherText'])
+        return self._padding.decode(msg)
+
+class AuthenticatedCryptoAbstraction(SymmetricCryptoAbstraction):
+    """
+    Implements Authenticated Encryption with Associated Data (AEAD) abstraction. The associated data is optional, and this version is backwards compatible
+    with the same class without the associated data option.
+
+    Examples
+    --------
+    >>> from hashlib import sha256
+    >>> import charm.toolbox.symcrypto
+    >>> key = sha256(b'shameful secret key').digest()
+    >>> cipher = charm.toolbox.symcrypto.AuthenticatedCryptoAbstraction(key)
+    >>> ciphertext = cipher.encrypt('My age is 42.')
+    >>> cipher.decrypt(ciphertext)
+    b'My age is 42.'
+    >>> ciphertext2 = cipher.encrypt(b'My age is 42.')
+    >>> cipher.decrypt(ciphertext2)
+    b'My age is 42.'
+    >>> ad = b'\x10\x11\x11\x11'
+    >>> ciphertextAssociatedData = cipher.encrypt('Some network PDU.', associatedData=ad)
+    >>> cipher.decrypt(ciphertextAssociatedData)
+    Traceback (most recent call last):
+      File "<stdin>", line 1, in <module>
+      File "./charm/toolbox/symcrypto.py", line 233, in decrypt
+        raise ValueError("Invalid mac. Your data was tampered with or your key is wrong")
+    ValueError: Invalid mac. Your data was tampered with or your key is wrong
+    >>> cipher.decrypt(ciphertextAssociatedData, associatedData='wrong data')
+    Traceback (most recent call last):
+      File "<stdin>", line 1, in <module>
+      File "./charm/toolbox/symcrypto.py", line 233, in decrypt
+        raise ValueError("Invalid mac. Your data was tampered with or your key is wrong")
+    ValueError: Invalid mac. Your data was tampered with or your key is wrong
+    >>> cipher.decrypt(ciphertextAssociatedData, associatedData=b'\x10\x11\x11\x11')
+    b'Some network PDU.'
+    >>>
+    """
+    def encrypt(self, msg, associatedData=''):
+        """
+        Encrypts a message in AEAD mode (Authenticated Encryption with Associated Data) using the superclass symmetric encryption parameters.
+        The MAC is computed with both the ciphertext and associated data (and other cryptosystem parameters), but the associated data is not encrypted, nor
+        saved within the ciphertext structure.
+
+        Parameters
+        ----------
+        msg : str or byte str
+            The message to be encrypted.
+        associatedData : str or byte str, optional
+            Associated data that will be MACed together with the ciphertext and algorithm; the associated data will not be encrypted.
+
+        Returns
+        -------
+        dict
+            Dictionary structure containing:
+                msg: {'ALG': symmetric cryptosystem.
+                      'MODE': symmetric encryption mode.
+                      'IV': the IV for the encryption algorithm.
+                      'CipherText': the padded ciphertext (padding according to PKCS 7).
+                     }
+                "alg": The HMAC algorithm.
+                "digest": The MAC computed as MAC = HMAC(key, alg + associatedData + msg)
+
+        Notes
+        -----
+        The IV is included in the computation of the MAC. In fact, all cipher parameters are included: the encryption function returns a JSON object from
+        a dictionary composed of the cipher parameters (e.g., algorithm, mode, IV), and the ciphertext. The MAC function uses the whole JSON object/string
+        to compute the MAC, prepended with the HMAC algorithm + associatedData.
+
+        The MAC key is computed as sha2(b'Poor Mans Key Extractor" + key).
+        """
+        # warning only valid in the random oracle
+        mac_key = sha2(b'Poor Mans Key Extractor'+self._key).digest()
+        mac = MessageAuthenticator(mac_key)
+        enc = super(AuthenticatedCryptoAbstraction, self).encrypt(msg)
+        return mac.mac(enc, associatedData=associatedData)
+
+    def decrypt(self, cipherText, associatedData=''):
+        """
+        Decrypts a ciphertext in AEAD mode (Authenticated Encryption with Associated Data) using the superclass symmetric encryption parameters.
+        The MAC is computed with both the ciphertext and associated data (and other cryptosystem parameters), but the associated data is not encrypted, nor
+        available within the ciphertext structure.
+
+        Parameters
+        ----------
+        ciphertext : str or byte str
+            The message to be decrypted.
+        associatedData : str or byte str, optional
+            Associated data that will be MACed together with the ciphertext and algorithm. This associated text must be in plaintext.
+
+        Returns
+        -------
+        byte str
+            The decrypted plaintext, if the ciphertext was successfuly authenticated. Raise exception otherwise.
+
+        Raises
+        ------
+        ValueError
+            If the MAC is invalid.
+
+        Notes
+        -----
+        The IV is included in the computation of the MAC. In fact, all cipher parameters are included: the encryption function returns a JSON object from
+        a dictionary composed of the cipher parameters (e.g., algorithm, mode, IV), and the ciphertext. The MAC function uses the whole JSON object/string
+        to compute the MAC, prepended with the HMAC algorithm + associatedData.
+
+        The MAC key is computed as sha2(b'Poor Mans Key Extractor" + key).
+        """
+        # warning only valid in the random oracle
+        mac_key = sha2(b'Poor Mans Key Extractor'+self._key).digest()
+        mac = MessageAuthenticator(mac_key)
+        if not mac.verify(cipherText, associatedData=associatedData):
+            raise ValueError("Invalid mac. Your data was tampered with or your key is wrong")
+        else:
+            return super(AuthenticatedCryptoAbstraction, self).decrypt(cipherText['msg'])