Using a blinding factor for RSA in pycrypto
Problem description
In Python, I am trying to blind and unblind a message. When I unblind the message, I don't get the original message. Does anyone know what I might be doing wrong? The following is my code:

s = 'Hello'
loadedPublic = get_publickey()
loadedPrivate = get_privatekey()
pub = loadedPublic.blind(s,23L)
pub2 = loadedPublic.unblind(pub,23L)
return HttpResponse(pub2)

Solution
Blinding is a sort of encryption with a random element. It is usually used for Blind Signatures, which would look like this:

from Crypto.PublicKey import RSA
from Crypto.Hash import SHA256
from random import SystemRandom

# Signing authority (SA) key
priv = RSA.generate(3072)
pub = priv.publickey()

## Protocol: Blind signature ##

# must be guaranteed to be chosen uniformly at random
r = SystemRandom().randrange(pub.n >> 10, pub.n)
# bytes literal so that hashing also works on Python 3
msg = b"my message" * 50  # large message (larger than the modulus)

# hash message so that messages of arbitrary length can be signed
hash = SHA256.new()
hash.update(msg)
msgDigest = hash.digest()

# user computes
msg_blinded = pub.blind(msgDigest, r)

# SA computes
msg_blinded_signature = priv.sign(msg_blinded, 0)

# user computes
msg_signature = pub.unblind(msg_blinded_signature[0], r)

# Someone verifies
hash = SHA256.new()
hash.update(msg)
msgDigest = hash.digest()
print("Message is authentic: " + str(pub.verify(msgDigest, (msg_signature,))))

This is how it is implemented, so you cannot directly unblind the message, because you don't have d, so the blinded element must be signed first. In order for the blind signature to be secure, you need to randomly generate the blinding factor r in the range of the signing modulus.
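
The arithmetic behind the answer, as an added example that is not part of the original post and does not use pycrypto: it shows why unblinding straight after blinding leaves m * r^(e-1) mod n instead of m, and why the signer's step in between makes r cancel. It assumes textbook RSA blinding (blind = m * r^e mod n, unblind = x * r^-1 mod n), a constructed toy key, hypothetical function names, and Python 3.8 or later.

```python
import hashlib
from math import gcd
from random import SystemRandom

# Constructed toy key (two Mersenne primes); far too small for real use.
P, Q, E = 2**31 - 1, 2**61 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent, held only by the signer


def digest_int(msg: bytes) -> int:
    """Hash the message; reduced mod N only because the toy modulus is tiny."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N


def random_blinding_factor() -> int:
    """Pick r uniformly from [2, N) and require it to be invertible mod N."""
    rng = SystemRandom()
    while True:
        r = rng.randrange(2, N)
        if gcd(r, N) == 1:
            return r


def blind(m: int, r: int) -> int:
    return (m * pow(r, E, N)) % N      # user: m * r^e mod n

def sign(x: int) -> int:
    return pow(x, D, N)                # signer: x^d mod n

def unblind(x: int, r: int) -> int:
    return (x * pow(r, -1, N)) % N     # user: x * r^-1 mod n

def verify(m: int, sig: int) -> bool:
    return pow(sig, E, N) == m         # anyone: sig^e mod n == m


def demo(msg: bytes = b"Hello"):
    m, r = digest_int(msg), random_blinding_factor()
    blinded = blind(m, r)
    # The question's sequence: no signing step, so r^e * r^-1 = r^(e-1) remains.
    skipped_signing = unblind(blinded, r)
    # The answer's sequence: (m * r^e)^d = m^d * r, and r^-1 then removes r.
    signature = unblind(sign(blinded), r)
    return m, skipped_signing, signature
```

The signer only ever sees `blinded`, yet `signature` equals the ordinary signature on `m`.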