
incubator-milagro-crypto-c's Introduction

AMCL - Apache Milagro Crypto Library

Description

AMCL is a standards compliant C cryptographic library with no external dependencies.

AMCL is written in C but includes a Python wrapper for some modules to aid development work.

NOTE: This product includes software developed at The Apache Software Foundation.

Software Dependencies

In order to build this library, the following packages are required:

  • CMake is required to build the source code.
  • CFFI, the C Foreign Function Interface for Python, is required to run the tests.
  • Doxygen is required to build the source code documentation.
  • Python language is required to build the Python language wrapper.

The above packages can be installed in different ways, depending on the Operating System used:

  • Ubuntu 18.04 Linux
sudo dpkg --add-architecture i386

echo "add repositories cache"
sudo apt-get update -y

echo "install packages"
sudo apt-get install -y \
     build-essential \
     cmake \
     doxygen \
     parallel \
     mingw-w64 \
     wine64 \
     wine32 \
     lcov \
     python3-dev \
     python3-pip \
     gcc-multilib \
     git \
     rpm \
     checkinstall

sudo pip3 install cffi autopep8
  • Fedora 30 Linux
sudo dnf config-manager --add-repo https://dl.winehq.org/wine-builds/fedora/30/winehq.repo
sudo dnf install -y @development-tools \
    cmake \
    libffi-devel \
    libasan \
    parallel \
    mingw64-gcc \
    mingw32-gcc \
    lcov \
    winehq-stable \
    libstdc++-*.i686 \
    glibc-*.i686 \
    libgcc.i686

sudo pip3 install cffi autopep8
sudo yum install rpm-build
  • MacOS
ruby -e "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install)"
brew install cmake
brew install pkg-config libffi
sudo pip install cffi
brew install doxygen
brew install parallel
  • Windows

  • install MinGW. Please select the mingw32-base and mingw32-gcc-g++ components. Add C:\MinGW\bin to the PATH variable.

  • install Python. Either Python 2.7.x or 3.8.x may be used. During the installation, ensure that the option to add Python to the Windows PATH variable is selected.

  • install CMake. During installation, ensure that the option to add the CMake executable to the Windows PATH variable is selected.

  • install Doxygen

  • install Git

Build Instructions

Linux and Mac

Quick start

Clone the repository

git clone https://github.com/apache/incubator-milagro-crypto-c.git
cd incubator-milagro-crypto-c

Edit and run this script

./scripts/build.sh

or use the docker build

./scripts/docker.sh -h

Multiple curves and RSA security levels

The default build (see config.mk) uses multiple curves and RSA security levels. There is an example called testall.c in the examples directory that shows how to write a program that uses the different curves etc. in a single program. To build and run the example, use this script:

./scripts/buildMulti.sh

Manual build

NOTE: The default build is for 64 bit machines. Either use Git to clone the repository:

git clone https://github.com/apache/incubator-milagro-crypto-c.git
cd incubator-milagro-crypto-c

Or, if using an official Apache release, download the compressed archive, extract it and navigate into its root directory.

mkdir -p target/build
cd target/build
cmake ../..
export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:./
make
make test
make doc
sudo make install

NOTE: When running the ASan tests, make sure to export the following variable:

export ASAN_OPTIONS=verify_asan_link_order=0

On a Debian/Ubuntu machine, instead of executing the "sudo make install" command it is possible to execute "sudo checkinstall" to build and install a DEB package.

Now you can set the paths to where the libraries and the Python package are installed:

export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:./:/opt/amcl/lib
export PYTHONPATH=/usr/lib/python2.7/dist-packages

NOTE: The build can be configured by setting flags on the command line, for example:

cmake -DAMCL_CHUNK=64 ../..
cmake -D CMAKE_INSTALL_PREFIX=/opt/amcl -D AMCL_CHUNK=64 -D BUILD_WCC=on ../..

It is possible also to build the library supporting more than one elliptic curve and more than one RSA security level, for example

cmake -DAMCL_CURVE=BN254CX,NIST254 -DAMCL_RSA=2048,3072 ../..

To list other available CMake options, use:

cmake -LH

Uninstall software

sudo make uninstall

Building an installer

After having built the libraries, you can build a binary installer and a source distribution by running this command:

sudo make package

Windows

Start a command prompt as an administrator and either use Git to clone the repository

git clone https://github.com/apache/incubator-milagro-crypto-c.git
cd incubator-milagro-crypto-c

Or, if using an official Apache release, download the compressed archive, extract it and navigate into its root directory.

mkdir build
cd build
cmake -G "MinGW Makefiles" -D WORD_SIZE=64 ..
mingw32-make
mingw32-make test
mingw32-make doc
mingw32-make install

After installation, append the install ./lib directory to the PATH system variable:

Control Panel - System and Security - System - Advanced System Settings - Environment Variables

The build can be configured by setting flags on the command line, e.g.

cmake -G "MinGW Makefiles" -D WORD_SIZE=64  -D BUILD_PYTHON=on ..

Uninstall software

mingw32-make uninstall

Building an installer

After having built the libraries, you can build a Windows installer using this command:

mingw32-make package

For this to work, NSIS has to be installed.

Contributions

This project includes a Makefile that allows you to test and build the project in a Linux-compatible system with simple commands. All the artifacts and reports produced using this Makefile are stored in the target folder.

All the packages listed in the Dockerfile are required in order to build and test all the library options in the current environment. Alternatively, everything can be built inside a Docker container using the command "make -f Makefile.docker buildall".

To see all available options:

make help

To build the builder Docker image:

make -f Makefile.docker

To build the project inside a Docker container (requires Docker) you need to build a builder image (once), and then build the project in its context:

make -f Makefile.docker buildall

To build a particular set of predefined makefile options inside a Docker container:

make -f Makefile.docker build TYPE=LINUX_64BIT_NIST256_RSA2048

or in the current environment:

make build TYPE=LINUX_64BIT_NIST256_RSA2048

To execute all the test builds and generate reports in the current environment:

make qa

To format the code (please use this command before submitting any pull request):

make format

Contributors

The following people have contributed to milagro-crypto-c:

  • Mike Scott
  • Kealan McCusker
  • Alessandro Budroni
  • Samuele Andreoli

Please add yourself here if you make or have made a contribution.

Making a Contribution

  1. Check for open issues or start a discussion around a feature idea or a bug by sending a mail to [email protected]
  2. Fork the repository to start making your changes. Please use the master branch as a basis.
  3. Write a test which shows that the bug was fixed or that the feature works as expected.
  4. Make a pull request with a reference to the issue

Crypto Notice

This distribution includes cryptographic software. The country in which you currently reside may have restrictions on the import, possession, use, and/or re-export to another country, of encryption software. BEFORE using any encryption software, please check your country's laws, regulations and policies concerning the import, possession, or use, and re-export of encryption software, to see if this is permitted. See http://www.wassenaar.org/ for more information.

The Apache Software Foundation has classified this software as Export Commodity Control Number (ECCN) 5D002, which includes information security software using or performing cryptographic functions with asymmetric algorithms. The form and manner of this Apache Software Foundation distribution makes it eligible for export under the "publicly available" Section 742.15(b) exemption (see the BIS Export Administration Regulations, Section 742.15(b)) for both object code and source code.

Disclaimer

Apache Milagro is an effort undergoing incubation at The Apache Software Foundation (ASF), sponsored by the Apache Incubator. Incubation is required of all newly accepted projects until a further review indicates that the infrastructure, communications, and decision making process have stabilized in a manner consistent with other successful ASF projects. While incubation status is not necessarily a reflection of the completeness or stability of the code, it does indicate that the project has yet to be fully endorsed by the ASF.

incubator-milagro-crypto-c's People

Contributors

aadomnqredo, giorgiozoppi, jaromil, jfclere, johnmcw, kamaci, kealan, ruphy, samuele-andreoli, spector-in-london

incubator-milagro-crypto-c's Issues

Warnings in build

The default build for the project triggers a few warnings on compilation

Steps to reproduce

This was observed on Ubuntu 19.10
using cc (Ubuntu 9.2.1-9ubuntu2) 9.2.1 20191008
running the default build is enough to highlight some of the warnings, but more are triggered if a full build is executed.

Files

As far as I can tell these are the affected files:

test/test_ecdsa_verify_WWWW.c.in
test/test_mpin_vectors_dta_WWW.c.in
test/test_rsa_sign_WWW.c.in
test/test_x509_WWW_ZZZ.c.in

src/fp12.c.in
src/fp24.c.in
src/ecp.c.in
src/ecp2.c.in
src/ecp4.c.in

Steps

As far as I can tell the tests should be trivial to fix. The warning is about strncpy being used for non-null-terminated strings when reading the octets from the test vectors. Swapping strncpy for memcpy should solve the warning.
The warnings on the source might be slightly more involved. At a first glance they look like unused variables and possibly uninitialized variables.
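As an added example (not code from the project or from the issue author), the two copy routines below show why the swap matters beyond silencing the compiler: strncpy treats the source as a C string, so a test vector or key byte equal to 0x00 truncates the copy and the remainder is NUL-padded, while memcpy copies the requested length exactly but leaves the bounds check entirely to the caller. The octet_buf type, the function names and the 8-byte sample vector are constructed for this illustration; AMCL's own octet type is not used.

```c
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define OCT_MAX 32

/* Fixed-width byte buffer with an explicit length and no NUL terminator.
 * Constructed for this example; it only mirrors the shape of AMCL's octet
 * (len/max/val) and is not the library's type. */
typedef struct {
    int len;
    int max;
    char val[OCT_MAX];
} octet_buf;

/* Copy n bytes with strncpy. strncpy stops at the first NUL in src and pads
 * the rest of the destination with NULs, so binary data containing 0x00 is
 * silently truncated. Using it on a non-string buffer is the pattern that
 * GCC's -Wstringop-truncation complains about. */
int octet_copy_strncpy(octet_buf *dst, const char *src, int n)
{
    if (n < 0 || n > dst->max) return 0;
    strncpy(dst->val, src, (size_t)n);
    dst->len = n;
    return 1;
}

/* Copy n bytes with memcpy: exactly n bytes, whatever their values. memcpy
 * has no bound of its own, so the explicit range check must stay. */
int octet_copy_memcpy(octet_buf *dst, const char *src, int n)
{
    if (n < 0 || n > dst->max) return 0;
    memcpy(dst->val, src, (size_t)n);
    dst->len = n;
    return 1;
}

/* Constructed 8-byte "test vector" with an embedded 0x00 at offset 3. */
static const char SAMPLE[8] = { 0x30, 0x31, 0x32, 0x00, 0x41, 0x42, 0x43, 0x44 };

/* Copies SAMPLE with the given routine and returns how many of the
 * resulting bytes match the original: 8 means a faithful copy. */
int bytes_matching_sample(int (*copy)(octet_buf *, const char *, int))
{
    octet_buf o = { 0, OCT_MAX, { 0 } };
    int match = 0;
    if (!copy(&o, SAMPLE, (int)sizeof SAMPLE)) return -1;
    for (int i = 0; i < o.len; i++) match += (o.val[i] == SAMPLE[i]);
    return match;
}

/* The range check is what prevents a write past val[]; memcpy will not. */
int oversized_copy_is_rejected(void)
{
    octet_buf o = { 0, OCT_MAX, { 0 } };
    return !octet_copy_memcpy(&o, SAMPLE, OCT_MAX + 1);
}

int main(void)
{
    printf("bytes intact after strncpy: %d of 8\n", bytes_matching_sample(octet_copy_strncpy));
    printf("bytes intact after memcpy:  %d of 8\n", bytes_matching_sample(octet_copy_memcpy));
    printf("oversized copy rejected: %d\n", oversized_copy_is_rejected());
    return 0;
}
```

With the sample above strncpy preserves only the first four bytes (the three before the NUL plus the NUL itself) and zero-fills the rest, whereas memcpy preserves all eight. The hex-string test vectors in this repository happen not to contain NULs, so the library tests pass either way, but the same pattern applied to raw octets would corrupt data without any error being reported.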

ZKP-Enabled Ephemeral APIs

Hello! I am an API architect and I am exploring and contributing to solutions around ZKP-Enabled Ephemeral APIs, which is an extension of the OAuth Access Token Expiry mechanism.

Though we are able to expire tokens and revoke access, we want to altogether expire the data that was returned by the API call.

Is ZKP-Enabled Ephemeral APIs something I can contribute to?

Use trick for g = n+1 in Paillier encryption

In the Paillier encryption the form of g = n+1 can be exploited to reduce the modular exponentiation g^pt to a simple multiplication.

g^pt mod n^2 = (n+1)^pt mod n^2 = 1 + npt + n^2(other terms) mod n^2 = 1 + n * pt

Remove unused curves or curves with less than 128-bit security from incubator-milagro-crypto-c

Goal

Remove from incubator-milagro-crypto-c curves that are no longer used such as HIFIVE or curves
that do not meet our security level such as BN254

Resources

This is the list of curves to consider:

  • ANSSI
  • BLS24
  • BLS381
  • BLS383
  • BLS461
  • BLS48
  • BN254
  • BN254CX
  • BRAINPOOL
  • C25519
  • C41417
  • ED25519
  • FP256BN
  • FP512BN
  • GOLDILOCKS
  • HIFIVE
  • NIST256
  • NIST384
  • NIST521
  • NUMS256E
  • NUMS256W
  • NUMS384E
  • NUMS384W
  • NUMS512E
  • NUMS512W
  • SECP256K1

Acceptance criteria

  1. The number of curves has been reduced using the criteria that they are not used or are insecure
  2. The tests pass with 80% coverage

generate BLS public keys

To support BLS-SSS it is required that public keys can be generated from pre-calculated private keys

Modern C++17 Wrapper.

After the first release we will have stabilized code and will wrap the current C code in C++17 in a couple of weeks. The current C++ wrapper is just old-style C. So we will start directly from the C library.

React JavaScript Milagro Widget

As a user, we want to provide a React.js component and a React Native component so that Milagro will seamlessly integrate into any React-based website. The code is already present in the JavaScript libraries. Just create a React component with the updated JavaScript library and test them.

Packaging with Nix - Error: test_output_functions_BLS381 (Failed)

I'm trying to package this library with Nix. But I'm getting the following error:

       > 97% tests passed, 1 tests failed out of 39
       >
       > Total Test time (real) =   1.35 sec
       >
       > The following tests FAILED:
       >         33 - test_output_functions_BLS381 (Failed)
       > Errors while running CTest
       > make: *** [Makefile:114: test] Error 8

and, with ctest:

33/39 Test #33: test_output_functions_BLS381 .....***Failed  Required regular expression not found. Regex=[SUCCESS
]  0.00 sec

When I try to build the library directly on my system (arch linux x86_64) everything seems to work just fine.
I'm using the cmake flags that are needed to build Decentralized Trust Authority.

Does anyone know the reason why this is happening?

SonarQube review.

Dear all,
I asked Gavin McDonald of INFRA to add the library to SonarCloud.io; you can see the analysis results yourself by logging in with your GitHub account at https://sonarcloud.io/dashboard?id=milagro.
Brian, do you plan to use Travis CI? This should be integrated in the Travis CI. As suspected, our coverage has not been detected by Sonar because the tests are independent files, but it is OK.

Python wrappers

Hello there.

I'm trying to implement some idemix support for the fabric hyperledger tool.
Main thread here: https://lists.hyperledger.org/g/fabric/message/6625

I wonder if all the Python wrappers are available for the Milagro crypto C library.
For example, I need to translate this:
Go implementation:

// RandModOrder returns a random element in 0, ..., GroupOrder-1
func RandModOrder(rng *amcl.RAND) *FP256BN.BIG {
   // curve order q
   q := FP256BN.NewBIGints(FP256BN.CURVE_Order)

   // Take random element in Zq
   return FP256BN.Randomnum(q, rng)
}

or
Java implementation

public static BIG randModOrder(RAND rng) {
    BIG q = new BIG(ROM.CURVE_Order);

    // Takes random element in this Zq.
    return BIG.randomnum(q, rng);
}

to python code.
Is this achievable right now?

Thanks,

BIG comp (and potentially others) not constant time

The BIG comparison is not constant time. It should use a constant time implementation. For instance

/* Constant-time comparison, after libsodium's sodium_compare(): returns
 * 1 if a > b, 0 if a == b and -1 if a < b. Limbs are scanned from the most
 * significant down and no branch or early exit depends on their values.
 * Assumes normalised BIGs (each limb below 2^BASEBITS_XXX): a negative
 * difference shifted right by BASEBITS_XXX leaves non-zero bits, while a
 * non-negative one below 2^BASEBITS_XXX leaves 0. */
int BIG_XXX_comp(BIG_XXX a, BIG_XXX b)
{
    int i;
    chunk gt=0; chunk eq=1;   /* gt: a > b seen; eq: all limbs so far equal */
    for (i = NLEN_XXX-1; i>=0; i--)
    {
        /* set gt when a[i] > b[i] and every more significant limb was equal */
        gt |= ((b[i]-a[i]) >> BASEBITS_XXX) & eq;
        /* eq stays 1 only while b[i] == a[i] */
        eq &= ((b[i]^a[i])-1) >> BASEBITS_XXX;
    }
    return (int)(gt+gt+eq-1);   /* (gt,eq): (1,0) -> 1, (0,1) -> 0, (0,0) -> -1 */
}

Review the BIG implementation to make sure it is constant time

Enable MSVC compilation

Hello,

We've prepared a bunch of changes that enable Milagro compilation in MS Visual Studio.

The changes can be divided into 3 groups:

  1. trivial name<->type clash
  2. variable array stack allocation (this is C99, which VS does not fully support, solutions below)
  3. static and dynamic symbol export (most intrusive part)

Re 2. In case of C code adding const to array length vars doesn't change anything (in VS). There are 2 various solutions applied:

  • where possible, variable holding length is turned into define (i.e. int n -> #define NUM_SHARES)
  • where it's not possible _alloca is used (i.e. where length is passed via function arg)

Re 3. Static libs should compile with modifications from 1 and 2, dynamic libs, require few more changes.
Cmake's CMAKE_WINDOWS_EXPORT_ALL_SYMBOLS is used to export most of the symbols, this however does not work for data exported via amcl_curve_* libraries
To fix that:

  • definitions are prefixed with SYMBOL_EXPORT, defined as empty for non-MSVC in amcl.h.in
  • declarations are prefixed with EXTERNAL_SYMBOL_DECLARATION,
    • in case of non-vs, this is == extern
    • in the VS case this is either declspec(dllexport) for the amcl_curve_* libraries or declspec(dllimport) for all other libraries, including those header files.

Finally, my question is the following: would you prefer this change split into some smaller chunks, or is it OK to issue it as a single pull request?

FYI: whole change is here: develop...nemtech:msvc-compilation

Python test wrappers - python 3?

Are the current Python tests for the Python wrappers compatible with Python 3?
It looks like they are not :/
Can someone confirm that for me?

Thanks,

update code

The code has fallen out of sync with the "golden" repo and needs to be updated.

Add BLS SSS test vectors

Test vectors should be sourced or developed with an external library to cover:

  1. Add test vectors for SSS
  2. Add test vectors for BLS SSS

add sss to bls

Add Shamir's Secret Sharing (SSS) algorithm to enable this functionality

  1. Split BLS secret key into shares
  2. Recombine BLS signatures shares using SSS so that they form the original signature

Bug in Paillier decryption

In 'paillier.c' the PAILLIER_DECRYPT is using incorrectly sized workspaces for the plain texts modulo p and q before reduction, causing the decryption to fail depending on the allocated memory alignment.

Incorrect RSA private key generation and potentials for fault attack

Hi,

I recently ran into a rather interesting problem. It appears to me that the RSA key generation in Milagro might sometimes be incorrect, and I have no idea why that would be the case.

Here's the source code I prepared to illustrate the problem. For simplicity I just replaced the source code of test/test_rsa_2048.c with this. The build target I used was LINUX_64BIT_NIST256_RSA2048.

#include <stdio.h>
#include <time.h>
#include "rsa_2048.h"
#include "randapi.h"

void print_keypair(rsa_private_key_2048 *priv, rsa_public_key_2048 *pub)
{
    printf(" priv->p = ");
    FF_2048_output(priv->p,FFLEN_2048/2);
    printf("\n");
    printf(" priv->q = ");
    FF_2048_output(priv->q,FFLEN_2048/2);
    printf("\n");

    printf("\n");

    printf("  pub->n = ");
    FF_2048_output(pub->n,FFLEN_2048);
    printf("\n");

    printf("\n");

    printf("priv->dp = ");
    FF_2048_output(priv->dp,FFLEN_2048/2);
    printf("\n");
    printf("priv->dq = ");
    FF_2048_output(priv->dq,FFLEN_2048/2);
    printf("\n");
    printf(" priv->c = ");
    FF_2048_output(priv->c,FFLEN_2048/2);
    printf("\n");
}

int main(int argc, char *argv[])
{
    char m[RFS_2048],ml[RFS_2048],c[RFS_2048],s[RFS_2048];
    char p[RFS_2048/2], q[RFS_2048/2];

    rsa_public_key_2048 pub;
    rsa_private_key_2048 priv;

    octet M= {0,sizeof(m),m};
    octet ML= {0,sizeof(ml),ml};
    octet C= {0,sizeof(c),c};
    octet S= {0,sizeof(s),s};
    octet P= {sizeof(p), sizeof(p), p};
    octet Q= {sizeof(q), sizeof(q), q};

    // somehow this prime number leads to incorrect dp, which is quite weird
    OCT_fromHex(&P, "f55d1f9bde519d3d30e9a0820a0850f3a6d05efa82dcc7ef948a09834224ad6fb77ee792f53b1ee6efc0270e5e8fdd59fab40ada833df0ea69eb2f0b37d717a3fd0329280cd47525fd22970c8fd860c7be749482c42a6e16a4b5b7edf27e01214f55fd5839a11c86be6bbd8b01e5ddeef743bca59e896c1751145d4b6a9da9ed");

    OCT_fromHex(&Q,"f34e8af7a6b3b2d2906890db77f56b8c4c5a5af42bec8cacd79fc479606d85eeb641ec95aef73d0e7e24f0da9115a524d9787d573ed3a1868bff2765cc5b9e1238a7931bdd5afd51a0bd6bf93f26909fff6d93d335e6785959c14f851205ad4a8ce995e6f92e490e7a5feab2b9fcda0080bedc17fa816227f2d6034044c0c363");

    // use our choice of P and Q
    RSA_2048_KEY_PAIR(NULL,3,&priv,&pub,&P,&Q);

    print_keypair(&priv, &pub);

// ======
    printf("\n===\n\n");

    OCT_fromHex(&P, "db59a11194cb81be97715d9ea436484c7fd39cee1a71dd1e896e08cc2d91d95a2d6d561f48db72acea57450ecfd4dc5399c1f8ce7abbb8b99c92f9c7be7ab2df6990b473c5a464eaa4d34747d022e47c17b549905db305986af5970442ad54714ee7fce2c8c443da7b22f4354e105c009a8d36de733d9fb02bfbcd57803bdcfb");

    OCT_fromHex(&Q, "f6457c323b66f43fa7a20f03b01a8c09c257f7fa65c7ce6a01acd816bca4de5da7692fd82ac036ca18bcc1d36e03a9ca6c2c1cf9007c106932c946cb51acb151c5c2912369553a70ddea742bc5673baaa962f8028c5ec7f4699bffd6c7beab3c278424a15548a4fce75946784036d2a9a118698224b3f218e66d980786252c93");

    // use our choice of P and Q
    RSA_2048_KEY_PAIR(NULL,3,&priv,&pub,&P,&Q);

    print_keypair(&priv, &pub);

// === clean up ===

    RSA_2048_PRIVATE_KEY_KILL(&priv);

    OCT_clear(&M);
    OCT_clear(&ML);   /* clean up afterwards */
    OCT_clear(&C);

    return 0;
}

Which produces the following output:


priv->p = f55d1f9bde519d3d30e9a0820a0850f3a6d05efa82dcc7ef948a09834224ad6fb77ee792f53b1ee6efc0270e5e8fdd59fab40ada833df0ea69eb2f0b37d717a3fd0329280cd47525fd22970c8fd860c7be749482c42a6e16a4b5b7edf27e01214f55fd5839a11c86be6bbd8b01e5ddeef743bca59e896c1751145d4b6a9da9ed
priv->q = f34e8af7a6b3b2d2906890db77f56b8c4c5a5af42bec8cacd79fc479606d85eeb641ec95aef73d0e7e24f0da9115a524d9787d573ed3a1868bff2765cc5b9e1238a7931bdd5afd51a0bd6bf93f26909fff6d93d335e6785959c14f851205ad4a8ce995e6f92e490e7a5feab2b9fcda0080bedc17fa816227f2d6034044c0c363

pub->n = e932ac92252f585b3a80a4dd76a897c8b7652952fe788f6ec8dd640587a1ee5647670a8ad4c2be0f9fa6e49c605adf77b5174230af7bd50e5d6d6d6d28ccf0a886a514cc72e51d209cc772a52ef419f6a953f3135929588ebe9b351fca61ced78f346fe00dbb6306e5c2a4c6dfc3779af85ab417371cf34d8387b9b30ae46d7a 5ff5a655b8d8455f1b94ae736989d60a6f2fd5cadbffbd504c5a756a2e6bb5cecc13bca7503f6df8b52ace5c410997e98809db4dc30d943de4e812a47553dce54844a78e36401d13f77dc650619fed88d8b3926e3d8e319c80c744779ac5d6abe252896950917476ece5e8fc27d5f053d6018d91b502c4787558a002b9283da7

priv->dp = 4c8b6ace1ba4747563b3d9f6c29e01fb968c96e116707fb4556b811f39b047aac0d7fc303650ff6a0a14e969656094a08dab8231a71c76613ae1063d87aea343b8a2146fc5b850693e1d7167ab97e063b8c383462e8394f47ff0fdb4c6d4e5872c49c2b459841670b808f68173248883f16d95c698b0dd39a5e167e840047571
priv->dq = a2345ca519cd21e1b59b0b3cfaa39d0832e6e74d729db31de5152da6404903f479814863c9fa28b45418a091b60e6e1890fafe3a29e26baf07ff6f9932e7beb6d06fb767e8e7538bc07e47fb7f6f0b1554f3b7e223eefae63bd6350361591e31b34663ef50c98609a6ea9c7726a89155ab29e80ffc56416ff73957802dd5d797
priv->c = 6f1e5e6d113bffba6e9fe60cbfd0b959f0b78fb8f71db4ab4f63147abec85beb2a982acde258672046843ce3b9f93a33ff1b25602762dfd8dbddf36e3b9815a1bf14a9dbba3d28df3dfb830fb976662cc1b41026207aa16686f49c23f93f1312ba29ef76a0c13fb03e727247b632dda5a06bf6d385da9831af4ec18d1d23df95

===

priv->p = db59a11194cb81be97715d9ea436484c7fd39cee1a71dd1e896e08cc2d91d95a2d6d561f48db72acea57450ecfd4dc5399c1f8ce7abbb8b99c92f9c7be7ab2df6990b473c5a464eaa4d34747d022e47c17b549905db305986af5970442ad54714ee7fce2c8c443da7b22f4354e105c009a8d36de733d9fb02bfbcd57803bdcfb
priv->q = f6457c323b66f43fa7a20f03b01a8c09c257f7fa65c7ce6a01acd816bca4de5da7692fd82ac036ca18bcc1d36e03a9ca6c2c1cf9007c106932c946cb51acb151c5c2912369553a70ddea742bc5673baaa962f8028c5ec7f4699bffd6c7beab3c278424a15548a4fce75946784036d2a9a118698224b3f218e66d980786252c93

pub->n = d303aa59c3248225f2ff52e32e33cdcb797c3b501fed5e51c0189f27ef7cd614c7c4cbf2079e663b24f7ae2e9683b4878ce662d6c944196874f4a48422353303c9ad8ffd2824b4f70996ee558a89e1e98679305209a124aaf62eecd3187d2d8ee2cf5eb1b5a1b7347958aa53205b1f726856903d6a953ed72a74673c92f46f52 92b4f1c59cdb645a6afc4d0381dec80444775658c54995bf0cba58e5f90f152a557172bc040c432fe63ede5b1cf14f2f1a11d30d3a96baa24c3a3982461292be8e9db35fd088a8cbaf0e26326e630ee690368cd0a8868502e9ddb17dde45179ce7bb22b10f9deb2e3d8ddcd30ca97c9bae84ca7c3c9a13afa95de4783ea20821

priv->dp = 923bc0b66332567f0fa0e9146d7985885537bdf411a13e145b9eb0881e613b91739e396a30924c7346e4d8b48a8de837bbd6a5defc7d25d1130ca68529a721ea4660784d2e6d989c6de22f85356c9852ba78dbb593ccae659ca3ba02d71e384b89effdec85d82d3c52174d78deb592ab11b379e9a22915201d5288e50027e8a7
priv->dq = a42e52cc2799f82a6fc15f57cabc5d5bd6e54ffc43da899c011de5647dc33ee91a461fe571d579dc107dd68cf40271319d72bdfb55a80af0cc862f32367320e12e81b6179b8e26f5e946f81d2e44d271c641faac5d94854d9bbd5539da7f1cd2c502c31638db18a89a3b84502acf371bc0baf1016dcd4c10999e655a596e1db7
priv->c = b163cc8298e63ea294f20288143304adc9a555ca170e55942954773801405652d8f998da549541782bb565ff49b32ae5f6d814bf38a878c598c6307fc294a0151f2681b8a39d6ace0a732feb6cb514a03de8d92290a8f1499231a945d698c8461cde13156d9bfc5b09ca3bf0d27a770f3ab3fedb375bd4135c8dcb57f9d60881


The primes P and Q were all copied from RSA private keys generated by OpenSSL. If we use OpenSSL to check the numbers of the 2 private keys:

$ openssl rsa -in privkey.pem -noout -text
RSA Private-Key: (2048 bit, 2 primes)
modulus:
    00:e9:32:ac:92:25:2f:58:5b:3a:80:a4:dd:76:a8:
    97:c8:b7:65:29:52:fe:78:8f:6e:c8:dd:64:05:87:
    a1:ee:56:47:67:0a:8a:d4:c2:be:0f:9f:a6:e4:9c:
    60:5a:df:77:b5:17:42:30:af:7b:d5:0e:5d:6d:6d:
    6d:28:cc:f0:a8:86:a5:14:cc:72:e5:1d:20:9c:c7:
    72:a5:2e:f4:19:f6:a9:53:f3:13:59:29:58:8e:be:
    9b:35:1f:ca:61:ce:d7:8f:34:6f:e0:0d:bb:63:06:
    e5:c2:a4:c6:df:c3:77:9a:f8:5a:b4:17:37:1c:f3:
    4d:83:87:b9:b3:0a:e4:6d:7a:5f:f5:a6:55:b8:d8:
    45:5f:1b:94:ae:73:69:89:d6:0a:6f:2f:d5:ca:db:
    ff:bd:50:4c:5a:75:6a:2e:6b:b5:ce:cc:13:bc:a7:
    50:3f:6d:f8:b5:2a:ce:5c:41:09:97:e9:88:09:db:
    4d:c3:0d:94:3d:e4:e8:12:a4:75:53:dc:e5:48:44:
    a7:8e:36:40:1d:13:f7:7d:c6:50:61:9f:ed:88:d8:
    b3:92:6e:3d:8e:31:9c:80:c7:44:77:9a:c5:d6:ab:
    e2:52:89:69:50:91:74:76:ec:e5:e8:fc:27:d5:f0:
    53:d6:01:8d:91:b5:02:c4:78:75:58:a0:02:b9:28:
    3d:a7
publicExponent: 3 (0x3)
privateExponent:
    00:9b:77:1d:b6:c3:74:e5:92:27:00:6d:e8:f9:c5:
    ba:85:cf:98:c6:37:54:50:5f:9f:30:93:98:03:af:
    c1:49:8e:da:44:b1:b1:e3:2c:7e:b5:15:19:ed:bd:
    95:91:ea:4f:ce:0f:81:75:ca:52:8e:09:93:9e:48:
    f3:70:88:a0:70:59:c3:63:32:f7:43:68:c0:68:84:
    f7:18:c9:f8:11:4f:1b:8d:4c:b7:90:c6:3b:09:d4:
    67:78:bf:dc:41:34:8f:b4:cd:9f:ea:b3:d2:42:04:
    99:2c:6d:d9:ea:82:4f:bc:a5:91:cd:64:cf:68:a2:
    33:ad:05:26:77:5c:98:48:fa:fa:31:52:81:77:e1:
    f8:df:91:81:a8:b9:45:08:11:06:fd:58:bd:3d:73:
    79:9b:22:95:75:c4:f3:b2:91:01:a0:3e:e1:f0:54:
    72:b3:61:57:84:d9:24:4c:e0:ed:63:9c:77:e8:e2:
    12:ab:52:ab:dd:f4:a9:28:22:4b:6b:6f:74:b7:11:
    47:86:dd:60:71:bd:91:13:d7:87:0c:6b:52:c0:bc:
    8b:9c:10:2c:fe:32:1d:ac:35:7e:03:0e:d6:c5:80:
    04:0c:a4:1c:13:d6:b4:96:78:11:80:7e:f2:a2:25:
    98:3e:a9:f8:8d:67:fa:a4:26:20:f4:2a:4f:5b:db:
    e0:3b
prime1:
    00:f5:5d:1f:9b:de:51:9d:3d:30:e9:a0:82:0a:08:
    50:f3:a6:d0:5e:fa:82:dc:c7:ef:94:8a:09:83:42:
    24:ad:6f:b7:7e:e7:92:f5:3b:1e:e6:ef:c0:27:0e:
    5e:8f:dd:59:fa:b4:0a:da:83:3d:f0:ea:69:eb:2f:
    0b:37:d7:17:a3:fd:03:29:28:0c:d4:75:25:fd:22:
    97:0c:8f:d8:60:c7:be:74:94:82:c4:2a:6e:16:a4:
    b5:b7:ed:f2:7e:01:21:4f:55:fd:58:39:a1:1c:86:
    be:6b:bd:8b:01:e5:dd:ee:f7:43:bc:a5:9e:89:6c:
    17:51:14:5d:4b:6a:9d:a9:ed
prime2:
    00:f3:4e:8a:f7:a6:b3:b2:d2:90:68:90:db:77:f5:
    6b:8c:4c:5a:5a:f4:2b:ec:8c:ac:d7:9f:c4:79:60:
    6d:85:ee:b6:41:ec:95:ae:f7:3d:0e:7e:24:f0:da:
    91:15:a5:24:d9:78:7d:57:3e:d3:a1:86:8b:ff:27:
    65:cc:5b:9e:12:38:a7:93:1b:dd:5a:fd:51:a0:bd:
    6b:f9:3f:26:90:9f:ff:6d:93:d3:35:e6:78:59:59:
    c1:4f:85:12:05:ad:4a:8c:e9:95:e6:f9:2e:49:0e:
    7a:5f:ea:b2:b9:fc:da:00:80:be:dc:17:fa:81:62:
    27:f2:d6:03:40:44:c0:c3:63
exponent1:
    00:a3:93:6a:67:e9:8b:be:28:cb:46:6b:01:5c:05:
    8b:4d:19:e0:3f:51:ac:93:2f:f5:0d:b1:5b:ac:d6:
    c3:1e:4a:7a:54:9a:61:f8:d2:14:99:f5:2a:c4:b4:
    3f:0a:93:91:51:cd:5c:91:ac:d3:f5:f1:9b:f2:1f:
    5c:cf:e4:ba:6d:53:57:70:c5:5d:e2:f8:c3:fe:17:
    0f:5d:b5:3a:eb:2f:d4:4d:b8:57:2d:71:9e:b9:c3:
    23:cf:f3:f6:fe:ab:6b:8a:39:53:90:26:6b:68:59:
    d4:47:d3:b2:01:43:e9:49:fa:2d:28:6e:69:b0:f2:
    ba:36:0d:93:87:9c:69:1b:f3
exponent2:
    00:a2:34:5c:a5:19:cd:21:e1:b5:9b:0b:3c:fa:a3:
    9d:08:32:e6:e7:4d:72:9d:b3:1d:e5:15:2d:a6:40:
    49:03:f4:79:81:48:63:c9:fa:28:b4:54:18:a0:91:
    b6:0e:6e:18:90:fa:fe:3a:29:e2:6b:af:07:ff:6f:
    99:32:e7:be:b6:d0:6f:b7:67:e8:e7:53:8b:c0:7e:
    47:fb:7f:6f:0b:15:54:f3:b7:e2:23:ee:fa:e6:3b:
    d6:35:03:61:59:1e:31:b3:46:63:ef:50:c9:86:09:
    a6:ea:9c:77:26:a8:91:55:ab:29:e8:0f:fc:56:41:
    6f:f7:39:57:80:2d:d5:d7:97
coefficient:
    00:85:4e:43:ad:27:2d:f5:81:12:c9:84:ca:73:eb:
    bf:9a:57:8a:56:53:ff:eb:79:dc:43:a4:20:27:b5:
    5a:69:27:d7:74:65:c4:2d:83:e9:d8:ee:9e:7c:bc:
    91:6f:ed:76:2a:7b:90:24:a5:bd:ee:8a:f3:1d:38:
    d5:c1:84:0d:80:78:13:9a:3c:b0:04:7c:c7:36:cf:
    22:4d:99:25:f6:1a:42:fd:0f:48:87:09:e7:24:a5:
    c6:f3:21:40:a0:5f:22:e4:9b:37:2d:f7:f4:39:c6:
    ad:86:07:89:6b:d6:b3:8a:d5:9e:bd:be:1b:8d:e9:
    32:54:35:25:7e:4c:a4:b0:9d
$ openssl rsa -in privkey.pem -noout -text
RSA Private-Key: (2048 bit, 2 primes)
modulus:
    00:d3:03:aa:59:c3:24:82:25:f2:ff:52:e3:2e:33:
    cd:cb:79:7c:3b:50:1f:ed:5e:51:c0:18:9f:27:ef:
    7c:d6:14:c7:c4:cb:f2:07:9e:66:3b:24:f7:ae:2e:
    96:83:b4:87:8c:e6:62:d6:c9:44:19:68:74:f4:a4:
    84:22:35:33:03:c9:ad:8f:fd:28:24:b4:f7:09:96:
    ee:55:8a:89:e1:e9:86:79:30:52:09:a1:24:aa:f6:
    2e:ec:d3:18:7d:2d:8e:e2:cf:5e:b1:b5:a1:b7:34:
    79:58:aa:53:20:5b:1f:72:68:56:90:3d:6a:95:3e:
    d7:2a:74:67:3c:92:f4:6f:52:92:b4:f1:c5:9c:db:
    64:5a:6a:fc:4d:03:81:de:c8:04:44:77:56:58:c5:
    49:95:bf:0c:ba:58:e5:f9:0f:15:2a:55:71:72:bc:
    04:0c:43:2f:e6:3e:de:5b:1c:f1:4f:2f:1a:11:d3:
    0d:3a:96:ba:a2:4c:3a:39:82:46:12:92:be:8e:9d:
    b3:5f:d0:88:a8:cb:af:0e:26:32:6e:63:0e:e6:90:
    36:8c:d0:a8:86:85:02:e9:dd:b1:7d:de:45:17:9c:
    e7:bb:22:b1:0f:9d:eb:2e:3d:8d:dc:d3:0c:a9:7c:
    9b:ae:84:ca:7c:3c:9a:13:af:a9:5d:e4:78:3e:a2:
    08:21
publicExponent: 3 (0x3)
privateExponent:
    00:8c:ad:1c:3b:d7:6d:ac:19:4c:aa:37:42:1e:cd:
    33:dc:fb:a8:27:8a:bf:f3:94:36:80:10:6a:1a:9f:
    a8:8e:b8:85:2d:dd:4c:05:14:44:27:6d:fa:74:1f:
    0f:02:78:5a:5d:ee:ec:8f:30:d8:10:f0:4d:f8:6d:
    ad:6c:23:77:57:db:c9:0a:a8:c5:6d:cd:fa:06:64:
    9e:e3:b1:b1:41:46:59:a6:20:36:b1:16:18:71:f9:
    74:9d:e2:10:53:73:b4:97:34:e9:cb:ce:6b:cf:78:
    50:e5:c6:e2:15:92:14:f6:f0:39:b5:7e:47:0e:29:
    e4:c6:f8:44:d3:0c:a2:f4:e0:80:b9:38:56:88:70:
    9e:e8:1d:45:ea:eb:73:b3:f7:c9:56:dd:2b:a0:2e:
    0a:9c:24:56:6a:50:02:09:e5:93:a1:ab:11:f3:2d:
    b5:a0:66:7b:42:1c:8f:a5:ea:10:86:0b:62:c2:7e:
    2e:7f:94:a0:ff:a8:93:fb:4a:23:f2:1f:08:ea:31:
    9e:85:c1:0a:06:4a:c8:35:9c:7f:3b:3b:49:d5:34:
    be:dc:d3:d4:4d:cf:a4:0e:32:bc:6c:8d:3b:65:4a:
    4b:8a:00:c8:a1:0b:56:e4:92:0b:c1:6e:54:41:89:
    4b:a1:ea:1c:12:6d:c5:ab:ef:0f:4d:aa:10:d0:2b:
    54:63
prime1:
    00:f6:45:7c:32:3b:66:f4:3f:a7:a2:0f:03:b0:1a:
    8c:09:c2:57:f7:fa:65:c7:ce:6a:01:ac:d8:16:bc:
    a4:de:5d:a7:69:2f:d8:2a:c0:36:ca:18:bc:c1:d3:
    6e:03:a9:ca:6c:2c:1c:f9:00:7c:10:69:32:c9:46:
    cb:51:ac:b1:51:c5:c2:91:23:69:55:3a:70:dd:ea:
    74:2b:c5:67:3b:aa:a9:62:f8:02:8c:5e:c7:f4:69:
    9b:ff:d6:c7:be:ab:3c:27:84:24:a1:55:48:a4:fc:
    e7:59:46:78:40:36:d2:a9:a1:18:69:82:24:b3:f2:
    18:e6:6d:98:07:86:25:2c:93
prime2:
    00:db:59:a1:11:94:cb:81:be:97:71:5d:9e:a4:36:
    48:4c:7f:d3:9c:ee:1a:71:dd:1e:89:6e:08:cc:2d:
    91:d9:5a:2d:6d:56:1f:48:db:72:ac:ea:57:45:0e:
    cf:d4:dc:53:99:c1:f8:ce:7a:bb:b8:b9:9c:92:f9:
    c7:be:7a:b2:df:69:90:b4:73:c5:a4:64:ea:a4:d3:
    47:47:d0:22:e4:7c:17:b5:49:90:5d:b3:05:98:6a:
    f5:97:04:42:ad:54:71:4e:e7:fc:e2:c8:c4:43:da:
    7b:22:f4:35:4e:10:5c:00:9a:8d:36:de:73:3d:9f:
    b0:2b:fb:cd:57:80:3b:dc:fb
exponent1:
    00:a4:2e:52:cc:27:99:f8:2a:6f:c1:5f:57:ca:bc:
    5d:5b:d6:e5:4f:fc:43:da:89:9c:01:1d:e5:64:7d:
    c3:3e:e9:1a:46:1f:e5:71:d5:79:dc:10:7d:d6:8c:
    f4:02:71:31:9d:72:bd:fb:55:a8:0a:f0:cc:86:2f:
    32:36:73:20:e1:2e:81:b6:17:9b:8e:26:f5:e9:46:
    f8:1d:2e:44:d2:71:c6:41:fa:ac:5d:94:85:4d:9b:
    bd:55:39:da:7f:1c:d2:c5:02:c3:16:38:db:18:a8:
    9a:3b:84:50:2a:cf:37:1b:c0:ba:f1:01:6d:cd:4c:
    10:99:9e:65:5a:59:6e:1d:b7
exponent2:
    00:92:3b:c0:b6:63:32:56:7f:0f:a0:e9:14:6d:79:
    85:88:55:37:bd:f4:11:a1:3e:14:5b:9e:b0:88:1e:
    61:3b:91:73:9e:39:6a:30:92:4c:73:46:e4:d8:b4:
    8a:8d:e8:37:bb:d6:a5:de:fc:7d:25:d1:13:0c:a6:
    85:29:a7:21:ea:46:60:78:4d:2e:6d:98:9c:6d:e2:
    2f:85:35:6c:98:52:ba:78:db:b5:93:cc:ae:65:9c:
    a3:ba:02:d7:1e:38:4b:89:ef:fd:ec:85:d8:2d:3c:
    52:17:4d:78:de:b5:92:ab:11:b3:79:e9:a2:29:15:
    20:1d:52:88:e5:00:27:e8:a7
coefficient:
    00:b1:63:cc:82:98:e6:3e:a2:94:f2:02:88:14:33:
    04:ad:c9:a5:55:ca:17:0e:55:94:29:54:77:38:01:
    40:56:52:d8:f9:98:da:54:95:41:78:2b:b5:65:ff:
    49:b3:2a:e5:f6:d8:14:bf:38:a8:78:c5:98:c6:30:
    7f:c2:94:a0:15:1f:26:81:b8:a3:9d:6a:ce:0a:73:
    2f:eb:6c:b5:14:a0:3d:e8:d9:22:90:a8:f1:49:92:
    31:a9:45:d6:98:c8:46:1c:de:13:15:6d:9b:fc:5b:
    09:ca:3b:f0:d2:7a:77:0f:3a:b3:fe:db:37:5b:d4:
    13:5c:8d:cb:57:f9:d6:08:81

It can be seen that for the first RSA private key, the numbers dp and c (both styled in bold) are not right. This could be potentially dangerous when signatures are involved.

Because of the Chinese Remainder Theorem, if one uses the incorrectly computed private key to sign a message and sends the resulting wrong signature directly without first verifying it, this can lead to the so-called "fault attack" (e.g., explained here).

Continuing with the example above, if we sign the message Hello World\n using the first RSA private key:

    // somehow this prime number leads to incorrect dp, which is quite weird
    OCT_fromHex(&P, "f55d1f9bde519d3d30e9a0820a0850f3a6d05efa82dcc7ef948a09834224ad6fb77ee792f53b1ee6efc0270e5e8fdd59fab40ada833df0ea69eb2f0b37d717a3fd0329280cd47525fd22970c8fd860c7be749482c42a6e16a4b5b7edf27e01214f55fd5839a11c86be6bbd8b01e5ddeef743bca59e896c1751145d4b6a9da9ed");

    OCT_fromHex(&Q,"f34e8af7a6b3b2d2906890db77f56b8c4c5a5af42bec8cacd79fc479606d85eeb641ec95aef73d0e7e24f0da9115a524d9787d573ed3a1868bff2765cc5b9e1238a7931bdd5afd51a0bd6bf93f26909fff6d93d335e6785959c14f851205ad4a8ce995e6f92e490e7a5feab2b9fcda0080bedc17fa816227f2d6034044c0c363");

    // use our choice of P and Q
    RSA_2048_KEY_PAIR(NULL,3,&priv,&pub,&P,&Q);

    print_keypair(&priv, &pub);

    printf("Signing message\n");
    OCT_jstring(&M,(char *)"Hello World\n");
    PKCS15(HASH_TYPE_RSA_2048,&M,&C);

    RSA_2048_DECRYPT(&priv,&C,&S); /* create signature in S */

    printf("Signature= ");
    OCT_output(&S);

We get a faulty signature: s = 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.

If an attacker obtains this signature, and knows the choice of hash algorithm as well as the message of Hello World\n, then he/she can also compute the hash value and prepare the PKCS1v1.5 structure accordingly: r = 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

And now the attacker can factorize the modulus n by computing GCD(s^e - r, n). In Python3:

import math

# faulty signature
s = 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

# precomputed PKCS1v1.5 structure
r = 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

# modulus
n = 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

# now factorize n
p1 = math.gcd(pow(s,3,n)-r, n)
p2 = n // p1

print("p=",hex(max(p1,p2)))
print("q=",hex(min(p1,p2)))

Which outputs:

p= 0xf55d1f9bde519d3d30e9a0820a0850f3a6d05efa82dcc7ef948a09834224ad6fb77ee792f53b1ee6efc0270e5e8fdd59fab40ada833df0ea69eb2f0b37d717a3fd0329280cd47525fd22970c8fd860c7be749482c42a6e16a4b5b7edf27e01214f55fd5839a11c86be6bbd8b01e5ddeef743bca59e896c1751145d4b6a9da9ed
q= 0xf34e8af7a6b3b2d2906890db77f56b8c4c5a5af42bec8cacd79fc479606d85eeb641ec95aef73d0e7e24f0da9115a524d9787d573ed3a1868bff2765cc5b9e1238a7931bdd5afd51a0bd6bf93f26909fff6d93d335e6785959c14f851205ad4a8ce995e6f92e490e7a5feab2b9fcda0080bedc17fa816227f2d6034044c0c363
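
Two countermeasures follow from the scenario above: check the stored CRT components against p, q and d before using them, and verify a CRT signature with the public key before releasing it. The block below is an added example (not the issue author's code and not AMCL's) that implements both in Python with constructed toy primes; the hash-reduced-mod-n "encoding" stands in for the PKCS#1 v1.5 structure, and the final gcd step is the issue's own computation, kept only to show what the release check prevents.

```python
"""RSA-CRT miscomputation countermeasures: parameter consistency check and
verify-before-release.  Added example, not AMCL code.  Toy key only."""
import hashlib
import math

# Constructed toy key (NOT secure; small primes so the example runs instantly).
P, Q, E = 65537, 65539, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))


def crt_params(p, q, d):
    """Derive the CRT components dp, dq and qinv (= q^-1 mod p) from p, q, d."""
    return {"dp": d % (p - 1), "dq": d % (q - 1), "qinv": pow(q, -1, p)}


def crt_params_consistent(p, q, d, dp, dq, qinv):
    """Check 1: stored CRT components must agree with p, q and d.
    A wrong dp (as in the key dump above) fails here before any signing."""
    return (dp == d % (p - 1)
            and dq == d % (q - 1)
            and (qinv * q) % p == 1)


def encode_message(msg, n):
    """Stand-in for the PKCS#1 v1.5 encoding (assumption): SHA-256 reduced mod n."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n


def crt_sign_raw(r, p, q, dp, dq, qinv):
    """Textbook RSA-CRT exponentiation (Garner); trusts dp/dq/qinv blindly."""
    sp = pow(r, dp, p)
    sq = pow(r, dq, q)
    h = (qinv * (sp - sq)) % p
    return sq + q * h


def sign_with_release_check(msg, p, q, e, dp, dq, qinv):
    """Check 2: verify the CRT result with the public exponent before it
    leaves the signer.  Returns None instead of a faulty signature."""
    n = p * q
    r = encode_message(msg, n)
    s = crt_sign_raw(r, p, q, dp, dq, qinv)
    if pow(s, e, n) != r:
        return None
    return s


def factor_from_faulty_signature(s, r, e, n):
    """The issue's gcd(s^e - r, n) computation: returns a factor of n if s
    is a faulty CRT signature, None otherwise.  Shows what check 2 prevents."""
    g = math.gcd(pow(s, e, n) - r, n)
    return g if 1 < g < n else None


if __name__ == "__main__":
    good = crt_params(P, Q, D)
    msg = b"Hello World\n"
    print("consistent:", crt_params_consistent(P, Q, D, **good))
    print("released signature:", sign_with_release_check(msg, P, Q, E, **good))
    bad = dict(good, dp=(good["dp"] + 1) % (P - 1))   # simulated corrupted dp
    print("released with bad dp:", sign_with_release_check(msg, P, Q, E, **bad))
```

The release check costs one public-exponent exponentiation, which is cheap for small e such as 3 or 65537 and is what most production RSA implementations do for exactly this reason; the consistency check is the one to run when a key is loaded or generated.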
Name for Julia bindings

Hi guys!

Thanks a lot for this wonderful lib!
I managed to generate the necessary bindings and expose the complete API of this lib in Julia and I'm working towards adding this to the Julia registry (e.g. similar to pypi for python):

I'm raising this issue to give you guys a chance to impact the Julia package name. The current proposal, AMCL, is not descriptive enough for the general public. Here are my suggestions (in order of preference):

  1. MilagroCrypto
  2. ApacheMilagroCrypto
  3. ApacheMilagroCryptoLibrary

I'm fine with whatever you guys want, but the Julia community might have opinions so please provide me multiple alternatives in the order you prefer. I'll wait around for your feedback until 26/4 then will go with MilagroCrypto.

Miller loop test fail in Zenroom using BLS383 and BLS381

Hi there! glad to find back your repo here, pity for the commit history, I guess per ASF policy...

In Zenroom I'm including milagro at the version you tagged as 4 before removing this repo.

Today I was trying to check this new repository out and see if it fits seamlessly and passes all my tests. I really appreciate the ECP_ZZZ_toOctet flag for compression! However I get an error.

As per subject, one of my ECP2 pairing tests fails, more precisely the one where I check this property:

miller(sQ,P) = miller(Q,P)^s

where Q is an ECP2 point derived from the curve's generator multiplied by a random BIG modulo curve's order
and P is an ECP1 point derived the same way

I'm using your current master branch and BLS383. Will soon check out 381 too.

I understand this should pass and it did pass with the "older" version of milagro which you can see in zenroom's repository. Is there anything you can think of about this issue?
thanks,
ciao

Rust Based Crypto Library (AMCL)

Because the Rust programming language has better memory safety safeguards, is Rust Based Crypto Library (AMCL) in the pipeline/consideration?

Mismatched bounds

When I am building, I am getting warnings like the following:

/home/matthias/incubator-milagro-crypto-c/target/default/src/big_256_56.c:151:36: warning: argument 'f' of type 'DBIG_256_56' (aka 'long[10]') with mismatched bound [-Warray-parameter]
void BIG_256_56_dcmove(DBIG_256_56 f,DBIG_256_56 g,int d)
                                   ^
/home/matthias/incubator-milagro-crypto-c/target/default/include/big_256_56.h:115:42: note: previously declared as 'BIG_256_56' (aka 'long[5]') here
extern void BIG_256_56_dcmove(BIG_256_56 x,BIG_256_56 y,int s);

When checking the sources, I see BIG_XXX vs DBIG_XXX:

include/big.h.in:extern void BIG_XXX_dcmove(BIG_XXX x,BIG_XXX y,int s);
src/big.c.in:void BIG_XXX_dcmove(DBIG_XXX f,DBIG_XXX g,int d)

Is this intentional?

RSA PKCS#1 v1.5 signature scheme verification incompatibility issue

I was testing PKCS#1 v1.5 signature verification as implemented in milagro-crypto and noticed it rejects a valid signature whose encoded message uses an implicit NULL parameter for the hash algorithm (where the DER-encoded digestAlgorithm ASN.1 structure does not have a NULL parameter TLV; that is, 0x0500 is absent).
According to RFC 4055, pg. 5 and RFC 8017, pg. 64, for SHA-1 and the SHA-2 family, the algorithm parameter has to be NULL, and both an explicit NULL parameter and an implicit NULL parameter (i.e., an absent NULL parameter) are considered to be legal and equivalent. However, this implementation does not accept a valid PKCS input with an implicit NULL parameter.

Reference notation and concrete values

  • N: public modulus
  • |N|: length of public modulus
  • d: private exponent
  • e: public exponent
  • H: hash function
  • m: message
  • I: to-be-signed RSA PKCS#1 v1.5 signature scheme input structure
  • S: signature value obtained by I^d mod N

N = 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

|N| = 256 bytes

d = 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

e = 3

H = SHA-256 (OID = 0x608648016503040201)

m = "hello world!"

I = 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

S = 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
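
To make the two encodings concrete, here is an added example (not the reporter's code and not milagro-crypto's) that builds the DigestInfo structure for SHA-256 both with the explicit NULL and with the parameters field absent, then compares a template-matching verifier of the kind the issue describes with a parsing verifier that treats the two encodings as equivalent, as RFC 8017 allows. The minimal DER encoder and reader are written here for the example; only the SHA-256 OID comes from the issue.

```python
"""DigestInfo comparison accepting both explicit-NULL and absent parameters.
Added example, not milagro-crypto code."""
import hashlib
import hmac

# SHA-256 OID 2.16.840.1.101.3.4.2.1, DER content bytes as given in the issue.
SHA256_OID = bytes.fromhex("608648016503040201")


def sha256_of(data):
    return hashlib.sha256(data).digest()


def der_tlv(tag, content):
    """Minimal DER TLV encoder (short form, or long form up to 2 length bytes)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def digest_info(oid, digest, explicit_null):
    """DigestInfo ::= SEQUENCE { SEQUENCE { OID, [NULL] }, OCTET STRING }."""
    alg = der_tlv(0x06, oid) + (b"\x05\x00" if explicit_null else b"")
    return der_tlv(0x30, der_tlv(0x30, alg) + der_tlv(0x04, digest))


def read_tlv(buf, pos):
    """Return (tag, content, next_pos); rejects non-minimal and truncated lengths."""
    tag, ln = buf[pos], buf[pos + 1]
    pos += 2
    if ln & 0x80:
        k = ln & 0x7F
        if k == 0 or k > 2:
            raise ValueError("unsupported length form")
        ln = int.from_bytes(buf[pos:pos + k], "big")
        if ln < 0x80 or (k == 2 and ln < 0x100):
            raise ValueError("non-minimal length")
        pos += k
    if pos + ln > len(buf):
        raise ValueError("truncated")
    return tag, buf[pos:pos + ln], pos + ln


def template_compare(encoded, oid, digest):
    """Behaviour the issue reports: byte-compare against the explicit-NULL
    template only, so a valid implicit-NULL encoding is rejected."""
    return encoded == digest_info(oid, digest, explicit_null=True)


def parsed_compare(encoded, oid, digest):
    """RFC 8017 / RFC 4055 behaviour: parse the structure and accept the
    parameters field either absent or NULL; everything else is rejected."""
    try:
        tag, seq, end = read_tlv(encoded, 0)
        if tag != 0x30 or end != len(encoded):
            return False                       # trailing bytes or wrong outer tag
        tag, alg, p = read_tlv(seq, 0)
        if tag != 0x30:
            return False
        tag, got_digest, p2 = read_tlv(seq, p)
        if tag != 0x04 or p2 != len(seq):
            return False
        tag, got_oid, q = read_tlv(alg, 0)
        if tag != 0x06:
            return False
        params = alg[q:]                       # b"" (absent) or b"\x05\x00" (NULL)
    except (IndexError, ValueError):
        return False
    return (got_oid == oid
            and params in (b"", b"\x05\x00")
            and hmac.compare_digest(got_digest, digest))
```

Note that the parsing verifier is no looser than the template one in any other respect: trailing bytes, a different OID, a non-NULL parameters value or a digest of the wrong length are still rejected.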

FP_ZERO redefinition in amcl.h prevents compiling

Environment: gcc-7 7.3.0-27ubuntu1~18.04
Additional Libraries: Protocol Buffers.
The current amcl crypto that I am using as backend redefines FP_ZERO, which is by default defined in math.h in libgcc, which is included in Protocol Buffers, since I am rewriting dta and rps with protobuf3 using amcl.
This makes users unable to compile. The solution is quite trivial, just put
#ifndef FP_ZERO
#define FP_ZERO 0
#endif
This will solve the issue.
Best Regards,
Giorgio

Only support 64 bit architecture

Goal

In order to simplify the project it is proposed to only build and test
for 64 bit architectures. The code that refers to 32 bit and 16 bit will
be removed.

Resources

Acceptance criteria

  1. Code is commented
  2. Tests pass with more than 80% test coverage
  3. Static analysis should pass
  4. Code should be reviewed by two engineers

Use of uninitialized values

When building with memory sanitizer, I am getting a lot of problems like the following:

==68141==WARNING: MemorySanitizer: use-of-uninitialized-value
    #0 0x7feab3c79dca in FF_2048_modmul ff_2048.c
    #1 0x7feab3c7a818 in FF_2048_ct_2w_pow (/home/matthias/incubator-milagro-crypto-c/target/default/lib/libamcl_rsa_2048.so.2+0x77818)
    #2 0x7feab3c7e0e0 in FF_2048_ct_pow_2 (/home/matthias/incubator-milagro-crypto-c/target/default/lib/libamcl_rsa_2048.so.2+0x7b0e0)
    #3 0x555bd4507b73 in main (/home/matthias/incubator-milagro-crypto-c/target/default/bin/test_ff_consistency_2048+0xb6b73)
    #4 0x7feab390628f in __libc_start_call_main /usr/src/debug/glibc/glibc/csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #5 0x7feab3906349 in __libc_start_main@GLIBC_2.2.5 /usr/src/debug/glibc/glibc/csu/../csu/libc-start.c:381:3
    #6 0x555bd4474404 in _start /build/glibc/src/glibc/csu/../sysdeps/x86_64/start.S:115

  Uninitialized value was stored to memory at
    #0 0x7feab3c0ea76 in BIG_1024_58_cmove (/home/matthias/incubator-milagro-crypto-c/target/default/lib/libamcl_rsa_2048.so.2+0xba76)

  Uninitialized value was stored to memory at
    #0 0x7feab3c0ea76 in BIG_1024_58_cmove (/home/matthias/incubator-milagro-crypto-c/target/default/lib/libamcl_rsa_2048.so.2+0xba76)

  Uninitialized value was stored to memory at
    #0 0x7feab3c0ea76 in BIG_1024_58_cmove (/home/matthias/incubator-milagro-crypto-c/target/default/lib/libamcl_rsa_2048.so.2+0xba76)

  Uninitialized value was stored to memory at
    #0 0x7feab3c0ea76 in BIG_1024_58_cmove (/home/matthias/incubator-milagro-crypto-c/target/default/lib/libamcl_rsa_2048.so.2+0xba76)

  Uninitialized value was stored to memory at
    #0 0x7feab3c0ea76 in BIG_1024_58_cmove (/home/matthias/incubator-milagro-crypto-c/target/default/lib/libamcl_rsa_2048.so.2+0xba76)

  Uninitialized value was stored to memory at
    #0 0x7feab3c0ea76 in BIG_1024_58_cmove (/home/matthias/incubator-milagro-crypto-c/target/default/lib/libamcl_rsa_2048.so.2+0xba76)

  Uninitialized value was created by an allocation of 'vla' in the stack frame of function 'FF_2048_ct_2w_pow'
    #0 0x7feab3c7a170 in FF_2048_ct_2w_pow (/home/matthias/incubator-milagro-crypto-c/target/default/lib/libamcl_rsa_2048.so.2+0x77170)

SUMMARY: MemorySanitizer: use-of-uninitialized-value ff_2048.c in FF_2048_modmul
Exiting

As far as I can tell, this specific example is caused by FF_WWW_ct_2w_pow not always initialising ws. But there are more examples in the code.

Fix Paillier encryption function to sample r from n

Goal

We only need to select r < n for encryption. In the existing code, r is sampled from n^2 and then raised to n mod n^2. Thus, the goal is to pick r from n.

Resources

  • Public-Key Cryptosystems Based on Composite Degree Residuosity Classes

Acceptance criteria

  1. Well documented code
  2. Tests pass with more than 80% test coverage
  3. Static analysis should pass
  4. Code should be reviewed by two engineers
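
Why sampling r below n loses nothing is easiest to see with actual numbers. The following added example (not AMCL code) is a toy Paillier cryptosystem in Python with constructed small primes; it samples the blinding value r from [1, n) with gcd(r, n) = 1, checks that r and r + k·n give byte-identical ciphertexts, and exercises decryption and the additive homomorphism so the change can be seen not to affect correctness.

```python
"""Paillier with the blinding value r sampled below n.
Added example, not AMCL code.  Toy parameters only."""
import math
import secrets

# Constructed toy parameters (NOT secure) so the example runs instantly.
P, Q = 65537, 65539
N = P * Q
N2 = N * N
G = N + 1                                              # standard generator choice
LAMBDA = (P - 1) * (Q - 1) // math.gcd(P - 1, Q - 1)   # lcm(p-1, q-1)


def L(u):
    """Paillier's L function, defined on u = 1 (mod n)."""
    return (u - 1) // N


MU = pow(L(pow(G, LAMBDA, N2)), -1, N)


def sample_r(n):
    """Sample r uniformly from [1, n) with gcd(r, n) = 1.  Since only r mod n
    influences r^n mod n^2, drawing from [1, n^2) would gain nothing."""
    while True:
        r = secrets.randbelow(n)
        if r > 0 and math.gcd(r, n) == 1:
            return r


def encrypt(m, r):
    """c = g^m * r^n mod n^2."""
    if not 0 <= m < N:
        raise ValueError("message must be in [0, n)")
    return (pow(G, m, N2) * pow(r, N, N2)) % N2


def decrypt(c):
    """m = L(c^lambda mod n^2) * mu mod n."""
    return (L(pow(c, LAMBDA, N2)) * MU) % N


def same_ciphertext_for_r_plus_kn(m, r, k):
    """(r + k*n)^n == r^n (mod n^2): in the binomial expansion every term after
    r^n carries a factor n*n.  So r from [1, n^2) reduces to r mod n anyway."""
    return encrypt(m, r) == encrypt(m, r + k * N)


def additive_homomorphism_holds(m1, m2, r1, r2):
    """Multiplying ciphertexts adds plaintexts, whatever r was used."""
    return decrypt((encrypt(m1, r1) * encrypt(m2, r2)) % N2) == (m1 + m2) % N


if __name__ == "__main__":
    r = sample_r(N)
    print("r =", r, "decrypts:", decrypt(encrypt(4242, r)) == 4242)
    print("r and r+3n give same ciphertext:", same_ciphertext_for_r_plus_kn(4242, r, 3))
```

The gcd(r, n) = 1 check in sample_r is the one condition that does matter: r sharing a factor with n would not be a unit modulo n^2 (and would reveal a factor of n), so a rejection loop rather than a plain randbelow is what a practitioner wants here.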

SHA hash might be not initialized correctly

Dear all,
in the function
void ehashit(int sha,octet *p,int n,octet *x,octet *w,int pad)
You need a default in the switch, since without any default the flow will skip the hashing. I suggest that, due to the current standards, the default for the parameter sha is SHA_256.
Just replace the code :
switch(sha)
{
case SHA256:
HASH256_process(&sha256,x->val[i]);
break;
case SHA384:
HASH384_process(&sha512,x->val[i]);
break;
case SHA512:
HASH512_process(&sha512,x->val[i]);
break;
}

with:
switch(sha)
{
case SHA256:
HASH256_process(&sha256,x->val[i]);
break;
case SHA384:
HASH384_process(&sha512,x->val[i]);
break;
case SHA512:
HASH512_process(&sha512,x->val[i]);
break;
default:
HASH256_process(&sha256,x->val[i]);
break;
}

In every case where it makes sense in that function. Suppose one puts in an invalid value: it will still produce a hash. The other option is to check the input value sha.
It is not a problem, just a code smell and a recurring pattern in the code.

SonarReport: File is not closed

In the tests, when you open the vector file you never close it. This is not a big issue because each test is an independent program, but it has to be correct because it is a bug. This happens many times.
