
#BLS6 curve taken from https://eprint.iacr.org/2019/431.pdf Table 15
def computeS(n,c):
"""
(Algorithm 2.35: Lenstra, Verheul: An overview of the XTR public key system)
Computes S_n(c) as defined in Lenstra, Verheul.
Parameters:
(int) n>0;
(GF(p^2)) c
Returns:
# Set up the prime field GF(p) and a univariate polynomial ring over it.
# NOTE(review): p and r match the published BLS12-381 parameters (base-field
# modulus and prime subgroup order) -- confirm against the intended curve.
p = 0x1a0111ea397fe69a4b1ba7b6434bacd764774b84f38512bf6730d2a0f6b0f6241eabfffeb153ffffb9feffffffffaaab
# r is defined here but not used in the lines visible in this snippet.
r = 0x73eda753299d7d483339d80809a1d80553bda402fffe5bfeffffffff00000001
# The primality checks below are commented out, so nothing in this snippet
# verifies that p and r are prime. Re-enable them if either constant is edited:
# a composite modulus would silently invalidate everything built on top.
# assert p.is_prime()
# assert r.is_prime()
# Turn off Sage's proof mode for arithmetic: primality and related checks may
# then use probabilistic tests instead of proven ones. This is faster for
# large moduli, but results depending on primality are no longer certified.
proof.arithmetic(False)
# Finite field with p elements; with proof mode off, the primality of p is
# not rigorously proven when the field is constructed.
Fp = GF(p)
# Sage preparser syntax: polynomial ring over Fp with generator named x.
Fpx.<x> = Fp[]
test
function recover(privateKey) {
console.log("recover");
const MALICIOUS_PRIME = new Uint8Array([129,0,0,0,0,0,0,0,0,0,0,0,0,0,0,17]);
// this generator has order 5
const MALICIOUS_GENERATOR = new Uint8Array([46,35,147,92,93,21,176,170,70,144,93,164,112,85,178,126]);
privateKey.algorithm.generator = MALICIOUS_GENERATOR;
privateKey.algorithm.prime = MALICIOUS_PRIME;
window.crypto.subtle.generateKey(
{
/*
* Arguments:
* priv: CryptoKey representing a DH private key
* pub: CryptoKey representing a DH public key
*
* Returns: Promise resolving to ArrayBuffer
*/
async function secret(priv, pub) {
return await window.crypto.subtle.deriveBits(
{
/*
* Arguments: None
*
* Returns: Promise resolving to:
* {
* privateKey: CryptoKey,
* publicKey: CryptoKey,
* }
*/
<script>
window.crypto.subtle.generateKey(
{
name: "AES-GCM",
length: 256, //can be 128, 192, or 256
},
false, //whether the key is extractable (i.e. can be used in exportKey)
["encrypt", "decrypt"] //can "encrypt", "decrypt", "wrapKey", or "unwrapKey"
)
.then(function(key){
//https://github.com/diafygi/webcrypto-examples
window.crypto.subtle.encrypt(
{
name: "AES-GCM",
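//Don't re-use initialization vectors!
//Always generate a new iv every time you encrypt: repeating an iv under the same key breaks both the confidentiality and the authentication of AES-GCM.
//Recommended to use 12 bytes length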
iv: window.crypto.getRandomValues(new Uint8Array(12)),