
chris-wood / client.go
Created July 12, 2023 12:16
Signature authentication demo
package main
import (
"crypto/ed25519"
"crypto/sha256"
"crypto/tls"
"encoding/base64"
"fmt"
"net/http"
"net/http/httputil"
chris-wood / strongrsa.py
Last active March 7, 2023 23:39
Strong RSA key generation
"""
$ python3 strongrsa.py 1024
p := "dcd90af1be463632c0d5ea555256a20605af3db667475e190e3af12a34a3324c46a3094062c59fb4b249e0ee6afba8bee14e0276d126c99f4784b23009bf6168ff628ac1486e5ae8e23ce4d362889de4df63109cbd90ef93db5ae64372bfe1c55f832766f21e94ea3322eb2182f10a891546536ba907ad74b8d72469bea396f3"
q := "f8ba5c89bd068f57234a3cf54a1c89d5b4cd0194f2633ca7c60b91a795a56fa8c8686c0e37b1c4498b851e3420d08bea29f71d195cfbd3671c6ddc49cf4c1db5b478231ea9d91377ffa98fe95685fca20ba4623212b2f2def4da5b281ed0100b651f6db32112e4017d831c0da668768afa7141d45bbc279f1e0f8735d74395b3"
phi := "d6930820f71fe517bf3259d14d40209b02a5c0d3d61991c731dd7da39f8d69821552e2318d6c9ad897e603887a476ea3162c1205da9ac96f02edf31df049bd55f142134c17d4382a0e78e275345f165fbe8e49cdca6cf5c726c599dd39e09e75e0f330a33121e73976e4facba9cfa001c28b7c96f8134f9981db6750b43a416f39be72c6c5b13d8687f285674b4827fba44ae6224a5342464472196489c85af10cbc544c76e850c5854908fd1c1581b12c322efe22a6d1867ec03df1622afa63828f7e19a004dd4ef959812a6916f0301abffa7515ae0eaee94f3fe3075a395ac2833881
chris-wood / wide_reduction.sage
Created August 1, 2022 15:39
Wide reduction
# Width reduction formula derived from https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-hash-to-curve-16#section-5
def width(p):
    # Hash-to-curve width formula: L = ceil((ceil(log2(p)) + k) / 8).
    security_bits = 128  # target security level k
    field_bits = ceil(log(p) / log(2), bits = 1000)
    return ceil((field_bits + security_bits) / 8, bits = 1000)
# Simplified approximation for width based on 128-bit security level
def simple_width(p):
    # Approximation: three halves of the field size in bits, expressed in bytes.
    field_bits = ceil(log(p) / log(2), bits = 1000)
    return ceil((3 * field_bits) / 2 / 8, bits = 1000)
primes = {
chris-wood / blind_rsa_attack.sage
Created July 12, 2022 09:55
Demonstration of distinguishing attack on unsalted Blind RSA
#!/usr/bin/sage
# vim: syntax=python
def public_key_permutation_proof(N, e, phi):
"""
This function runs the protocol from [1] for checking that (N, e) is a well-formed
RSA public key pair, i.e., that raising RSA elements to the power e modulo N
forms a permutation over \mathbb{Z}_N. It is implicitly parameterized by three values:
- k, the security parameter, set to 128,
chris-wood / clamp_leak.sage
Last active January 31, 2022 15:52
Toy clamping bit leakage example
import random
import numpy as np
# https://gist.github.com/tammoippen/4474e838e969bf177155231ebba52386
def crappyhist(a, bins=50, width=140):
h, b = np.histogram(a, bins)
for i in range (0, bins):
print('{:12.5f} | {:{width}s} {}'.format(
b[i],
chris-wood / blind_ed25519.py
Last active December 16, 2021 22:26
Blinded Ed25519
### Extracted from RFC8032
# https://datatracker.ietf.org/doc/html/rfc8032#section-6
## First, some preliminaries that will be needed.
import hashlib
def sha512(s):
    """Return the raw 64-byte SHA-512 digest of the bytes-like value ``s``."""
    hasher = hashlib.sha512()
    hasher.update(s)
    return hasher.digest()
chris-wood / spake2_check.go
Last active August 6, 2021 19:06
SPAKE2 review and test vector check
package main
// Questions:
// - Should we include a definition of UKS attacks inline, rather than cite draft-ietf-mmusic-sdp-uks?
// - Should SPAKE2 require that the output length of Hash is at least 256 bits? (Its output is split in half to derive Ke and Ka, and we probably want each of those to have at least 128 bits.)
// - What does it mean to exchange messages symmetrically? (In the per-user M and N section)
// - Beyond scalar multiplication being constant time, are there any other constant time considerations we should include?
// - Why is Ke not included in the test vectors? It may be redundant, but it seems useful as an additional sanity check.
// - There are currently no test vectors that include AAD -- should we add some?
// - Why is len() a little-endian output?
# ech_provider.go
// EXP_MarshalECHKeys marshals a sequence of ECH keys.
func EXP_MarshalECHKeys(version uint16, keys []EXP_ECHKey) []byte {
var b cryptobyte.Builder
for i := 0; i < len(keys); i++ {
// kem := hpke.KEM(keys[i].config.kemId)
skM, err := keys[i].sk.MarshalBinary()
if err != nil {
panic("failed")
chris-wood / format_hpke_vectors.py
Created May 19, 2020 15:47
HPKE test vector formatter
import sys
import json
import textwrap
# Fixed ordering of the test-vector field names (how it is consumed is not
# visible in this excerpt; presumably the emit order of each vector).
ordered_keys = (
    "mode kemID kdfID aeadID info skR "
    "skS skE psk pskID pkR pkS pkE "
    "enc zz context secret key nonce "
    "exporterSecret"
).split()
chris-wood / x25519_small_subgroup.sage
Created January 26, 2020 02:15
Small subgroup attack on x25519 without point validation
#!/usr/bin/sage
# vim: syntax=python
import sys
import os
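def decodeLittleEndian(b, bits):
    """Decode the first ceil(bits / 8) entries of ``b`` as a little-endian integer.

    ``b`` is an indexable sequence of byte values (0..255); ``bits`` is the bit
    width of the encoded value (e.g. 255 for an X25519 u-coordinate).
    Returns the decoded non-negative integer; an empty input decodes to 0.
    """
    # Floor division keeps the byte count an integer: under Python 3 the ``/``
    # form yields a float and ``range`` rejects it with a TypeError.
    num_bytes = (bits + 7) // 8
    return sum(b[i] << (8 * i) for i in range(num_bytes))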
def decodeScalar25519(k):