Home Explore Help
Sign In
mmgen
/
mmgen-wallet
1
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Tree: 85236cd601
Branches Tags
mmgen-wallet
/
mmgen
/
sha2.py

sha2.py 6.1 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199 
  1. #!/usr/bin/env python3
    2. 

  2. #
    3. 

  3. # mmgen = Multi-Mode GENerator, command-line Bitcoin cold storage solution
    4. 

  4. # Copyright (C)2013-2019 The MMGen Project <mmgen@tuta.io>
    5. 

  5. #
    6. 

  6. # This program is free software: you can redistribute it and/or modify
    7. 

  7. # it under the terms of the GNU General Public License as published by
    8. 

  8. # the Free Software Foundation, either version 3 of the License, or
    9. 

  9. # (at your option) any later version.
    10. 

  10. #
    11. 

  11. # This program is distributed in the hope that it will be useful,
    12. 

  12. # but WITHOUT ANY WARRANTY; without even the implied warranty of
    13. 

  13. # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    14. 

  14. # GNU General Public License for more details.
    15. 

  15. #
    16. 

  16. # You should have received a copy of the GNU General Public License
    17. 

  17. # along with this program.  If not, see <http://www.gnu.org/licenses/>.
    18. 

  18. 

  19. """
    20. 

  20. sha2.py: A non-optimized but very compact implementation of the SHA2 hash
    21. 

  21.          algorithm for the MMGen suite.  Implements SHA256, SHA512 and
    22. 

  22.          SHA256Compress (unpadded SHA256, required for Zcash addresses)
    23. 

  23. """
    24. 

  24. 

  25. from struct import pack,unpack
    26. 

  26. 

  27. class Sha2(object):
    28. 

  28. 	'Implementation based on the pseudocode at https://en.wikipedia.org/wiki/SHA-2'
    29. 

  29. 	K = None
    30. 

  30. 

  31. 	@classmethod
    32. 

  32. 	def initConstants(cls):
    33. 

  33. 

  34. 		from math import sqrt
    35. 

  35. 

  36. 		def nextPrime(n=2):
    37. 

  37. 			while True:
    38. 

  38. 				for factor in range(2,int(sqrt(n))+1):
    39. 

  39. 					if n % factor == 0:
    40. 

  40. 						break
    41. 

  41. 				else:
    42. 

  42. 					yield n
    43. 

  43. 				n += 1
    44. 

  44. 

  45. 		# Find the first nRounds primes
    46. 

  46. 		npgen = nextPrime()
    47. 

  47. 		primes = [next(npgen) for x in range(cls.nRounds)]
    48. 

  48. 

  49. 		fb_mul = 2 ** cls.wordBits
    50. 

  50. 		def getFractionalBits(n):
    51. 

  51. 			return int((n - int(n)) * fb_mul)
    52. 

  52. 

  53. 		if cls.use_gmp:
    54. 

  54. 			from gmpy2 import context,set_context,sqrt,cbrt
    55. 

  55. 			set_context(context(precision=75))
    56. 

  56. 		else:
    57. 

  57. 			cbrt = lambda n: pow(n, 1 / 3)
    58. 

  58. 

  59. 		# First wordBits bits of the fractional parts of the square roots of the first 8 primes
    60. 

  60. 		H = (getFractionalBits(sqrt(n)) for n in primes[:8])
    61. 

  61. 

  62. 		# First wordBits bits of the fractional parts of the cube roots of the first nRounds primes
    63. 

  63. 		K = (getFractionalBits(cbrt(n)) for n in primes)
    64. 

  64. 

  65. 		cls.H_init = tuple(H)
    66. 

  66. 		cls.K      = tuple(K)
    67. 

  67. 

  68. 	def __init__(self,message,preprocess=True):
    69. 

  69. 		'Use preprocess=False for Sha256Compress'
    70. 

  70. 		assert type(message) in (bytes,bytearray,list),'message must be of type bytes, bytearray or list'
    71. 

  71. 		if self.K == None:
    72. 

  72. 			type(self).initConstants()
    73. 

  73. 		self.H = list(self.H_init)
    74. 

  74. 		self.M = message
    75. 

  75. 		self.W = [0] * self.nRounds
    76. 

  76. 		if preprocess:
    77. 

  77. 			self.padMessage()
    78. 

  78. 		self.bytesToWords()
    79. 

  79. 		self.compute()
    80. 

  80. 

  81. 	def padMessage(self):
    82. 

  82. 		"""
    83. 

  83. 		Pre-processing (padding) (adapted from the standard, translating bits to bytes)
    84. 

  84. 		- Begin with the original message of length MSGLEN bytes
    85. 

  85. 		- Create MLPACK := MSGLEN * 8 encoded as a blkSize-bit big-endian integer
    86. 

  86. 		- Append 0x80 (0b10000000)
    87. 

  87. 		- Append PADLEN null bytes, where PADLEN is the minimum number >= 0 such that
    88. 

  88. 		  MSGLEN + 1 + PADLEN + len(MLPACK) is a multiple of blkSize
    89. 

  89. 		- Append MLPACK
    90. 

  90. 		"""
    91. 

  91. 		mlpack = self.pack_msglen()
    92. 

  92. 		padlen = self.blkSize - (len(self.M) % self.blkSize) - len(mlpack) - 1
    93. 

  93. 		if padlen < 0: padlen += self.blkSize
    94. 

  94. 		self.M = self.M + bytes([0x80] + [0] * padlen) + mlpack
    95. 

  95. 

  96. 	def bytesToWords(self):
    97. 

  97. 		ws = self.wordSize
    98. 

  98. 		assert len(self.M) % ws == 0
    99. 

  99. 		self.M = tuple([unpack(self.word_fmt,self.M[i*ws:ws+(i*ws)])[0] for i in range(len(self.M) // ws)])
    100. 

  100. 

  101. 	def digest(self):
    102. 

  102. 		return b''.join((pack(self.word_fmt,w) for w in self.H))
    103. 

  103. 

  104. 	def hexdigest(self):
    105. 

  105. 		return self.digest().hex()
    106. 

  106. 

  107. 	def compute(self):
    108. 

  108. 		for i in range(0,len(self.M),16):
    109. 

  109. 			self.processBlock(i)
    110. 

  110. 

  111. 	def processBlock(self,offset):
    112. 

  112. 		'Process a blkSize-byte chunk of the message'
    113. 

  113. 

  114. 		def rrotate(a,b): return ((a << self.wordBits-b) & self.wordMask) | (a >> b)
    115. 

  115. 		def addm(a,b): return (a + b) & self.wordMask
    116. 

  116. 

  117. 		# Copy chunk into first 16 words of message schedule array
    118. 

  118. 		for i in range(16):
    119. 

  119. 			self.W[i] = self.M[offset + i]
    120. 

  120. 

  121. 		# Extend the first 16 words into the remaining nRounds words of message schedule array
    122. 

  122. 		for i in range(16,self.nRounds):
    123. 

  123. 			g0 = self.W[i-15]
    124. 

  124. 			gamma0 = rrotate(g0,self.g0r1) ^ rrotate(g0,self.g0r2) ^ (g0 >> self.g0r3)
    125. 

  125. 			g1 = self.W[i-2]
    126. 

  126. 			gamma1 = rrotate(g1,self.g1r1) ^ rrotate(g1,self.g1r2) ^ (g1 >> self.g1r3)
    127. 

  127. 			self.W[i] = addm(addm(addm(gamma0,self.W[i-7]),gamma1),self.W[i-16])
    128. 

  128. 

  129. 		# Initialize working variables from current hash state
    130. 

  130. 		a,b,c,d,e,f,g,h = self.H
    131. 

  131. 

  132. 		# Compression function main loop
    133. 

  133. 		for i in range(self.nRounds):
    134. 

  134. 			ch = (e & f) ^ (~e & g)
    135. 

  135. 			maj = (a & b) ^ (a & c) ^ (b & c)
    136. 

  136. 

  137. 			sigma0 = rrotate(a,self.s0r1) ^ rrotate(a,self.s0r2) ^ rrotate(a,self.s0r3)
    138. 

  138. 			sigma1 = rrotate(e,self.s1r1) ^ rrotate(e,self.s1r2) ^ rrotate(e,self.s1r3)
    139. 

  139. 

  140. 			t1 = addm(addm(addm(addm(h,sigma1),ch),self.K[i]),self.W[i])
    141. 

  141. 			t2 = addm(sigma0,maj)
    142. 

  142. 

  143. 			h = g
    144. 

  144. 			g = f
    145. 

  145. 			f = e
    146. 

  146. 			e = addm(d,t1)
    147. 

  147. 			d = c
    148. 

  148. 			c = b
    149. 

  149. 			b = a
    150. 

  150. 			a = addm(t1,t2)
    151. 

  151. 

  152. 		# Save hash state
    153. 

  153. 		for n,v in enumerate((a,b,c,d,e,f,g,h)):
    154. 

  154. 			self.H[n] = addm(self.H[n],v)
    155. 

  155. 

  156. class Sha256(Sha2):
    157. 

  157. 	use_gmp = False
    158. 

  158. 	g0r1,g0r2,g0r3 = (7,18,3)
    159. 

  159. 	g1r1,g1r2,g1r3 = (17,19,10)
    160. 

  160. 	s0r1,s0r2,s0r3 = (2,13,22)
    161. 

  161. 	s1r1,s1r2,s1r3 = (6,11,25)
    162. 

  162. 	blkSize = 64
    163. 

  163. 	nRounds = 64
    164. 

  164. 	wordSize = 4
    165. 

  165. 	wordBits = 32
    166. 

  166. 	wordMask = 0xffffffff
    167. 

  167. 	word_fmt = '>I'
    168. 

  168. 

  169. 	def pack_msglen(self):
    170. 

  170. 		return pack('>Q',len(self.M)*8)
    171. 

  171. 

  172. class Sha512(Sha2):
    173. 

  173. 	"""
    174. 

  174. 	SHA-512 is identical in structure to SHA-256, but:
    175. 

  175. 	- the message is broken into 1024-bit chunks,
    176. 

  176. 	- the initial hash values and round constants are extended to 64 bits,
    177. 

  177. 	- there are 80 rounds instead of 64,
    178. 

  178. 	- the message schedule array W has 80 64-bit words instead of 64 32-bit words,
    179. 

  179. 	- to extend the message schedule array W, the loop is from 16 to 79 instead of from 16 to 63,
    180. 

  180. 	- the round constants are based on the first 80 primes 2..409,
    181. 

  181. 	- the word size used for calculations is 64 bits long,
    182. 

  182. 	- the appended length of the message (before pre-processing), in bits, is a 128-bit big-endian integer, and
    183. 

  183. 	- the shift and rotate amounts used are different.
    184. 

  184. 	"""
    185. 

  185. 	use_gmp = True
    186. 

  186. 	g0r1,g0r2,g0r3 = (1,8,7)
    187. 

  187. 	g1r1,g1r2,g1r3 = (19,61,6)
    188. 

  188. 	s0r1,s0r2,s0r3 = (28,34,39)
    189. 

  189. 	s1r1,s1r2,s1r3 = (14,18,41)
    190. 

  190. 	blkSize = 128
    191. 

  191. 	nRounds = 80
    192. 

  192. 	wordSize = 8
    193. 

  193. 	wordBits = 64
    194. 

  194. 	wordMask = 0xffffffffffffffff
    195. 

  195. 	word_fmt = '>Q'
    196. 

  196. 

  197. 	def pack_msglen(self):
    198. 

  198. 		return  pack('>Q', (len(self.M)*8) // (2**64)) + \
    199. 

  199. 				pack('>Q', (len(self.M)*8) % (2**64))
    200.