def sign(self, params, sk, m, n): """Signs a list of group elements of G1 and G2""" #print("BSPS: Sign") o, G, g1, g2, _ = params if len(m) > self.msg_g1 or len(n) > self.msg_g2: print("BSPS: Sign --- Error: message(s) too long", len(m), ">?", self.msg_g1, len(n), ">?", self.msg_g2) return (G1Elem.inf(G), G1Elem.inf(G), G2Elem.inf(G)) u, w, v, z = sk r = o.random() R = r * g1 temp = z.mod_sub(r.mod_mul(v, o), o) S = temp * g1 T = g2 for i in range(self.msg_g1): if i < len(m): S = S + w[i].int_neg() * m[i] else: S = S + w[i].int_neg() * g1 for j in range(self.msg_g2): if j < len(n): T = T + u[j].int_neg() * n[j] else: T = T + u[j].int_neg() * g2 return [R, S, r.mod_inverse(o) * T]
def verify(self, params, pk, m, n, sig): """ Verifies a signature on messages m e(R,V) e(S,H) Pi e(M_i,W_i) == e(G,Z) e(R,T) Pi e(U_i, N_i) == e(G,H) """ #print("BSPS: Verify") R, S, T = sig o, G, g1, g2, e = params if (R.eq(G1Elem.inf(G)) and S.eq(G1Elem.inf(G)) and T.eq(G2Elem.inf(G))): print("BSPS: Verify --- Error: signature null") print("BSPS: Verify", 0) return 0 U, W, V, Z = pk res1 = e(R, V) * e(S, g2) for i in range(self.msg_g1): if i < len(m): res1 = res1 * e(m[i], W[i]) else: res1 = res1 * e(g1, W[i]) res2 = e(R, T) for j in range(self.msg_g2): if j < len(n): res2 = res2 * e(U[j], n[j]) else: res2 = res2 * e(U[j], g2) return res1.eq(e(g1, Z)) and res2.eq(e(g1, g2))
def test_proof(): from bplib.bp import G1Elem from bplib.bp import G2Elem from bplib.bp import GTElem from petlib.bn import Bn from gsproof import GSProof gsp = GSProof() gsp.ExtGen() params = gsp.P sps = USPS() sk, pk = sps.keygen(params) gz, gr = pk[0], pk[1] pki = pk[2:] M = [b"Hello World!", b"Hello me!", b"Hello us!"] m = [] for i in range(len(M)): if type(M[i]) == bytes: m.append(gsp.G.hashG1(M[i])) elif type(M[i]) == G1Elem: m.append(M[i]) else: print("Error: wrong input, expected G1, got ", type(M[i])) return 0, [] if len(m) < sps.nb_msg: for i in range(sps.nb_msg - len(m)): m.append(G1Elem.inf(gsp.G)) elif sps.nb_msg < len(m): return sig = sps.sign(params, sk, m) verify, res = sps.proof_usps_hidesigandsigner(gsp, pk, M, sig) assert verify
def verifyEq(self, eq, x, b, a, y, c, t): #print("verifyEq") if eq in ["PPE", "PN1", "PC1", "PN2", "PC2"]: #print("eq in [\"PPE\", \"PN1\", \"PC1\", \"PN2\", \"PC2\"]") T = GTElem.zero(self.G) for i in range(min(len(x), len(b))): T = T * self.e(x[i]["value"], b[i]["value"]) for j in range(min(len(a), len(y))): T = T * self.e(a[j]["value"], y[j]["value"]) for i in range(len(c)): for j in range(len(c[i])): T = T * self.e(c[i][j] * x[i]["value"], y[j]["value"]) return T.eq(t) else: #print("eq NOT in [\"PPE\", \"PN1\", \"PC1\", \"PN2\", \"PC2\"]") T = Bn(0) if eq in ["ME1", "MN1", "MC1", "ML1"]: T = G1Elem.inf(self.G) elif eq in ["ME2", "MN2", "MC2", "ML2"]: T = G2Elem.inf(self.G) elif eq not in ["QE", "QC1", "QC2"]: print("eq error", eq) return 0 for i in range(min(len(x), len(b))): T += x[i]["value"] * b[i]["value"] for j in range(min(len(a), len(y))): T += a[j]["value"] * y[j]["value"] for i in range(len(c)): for j in range(len(c[i])): if c[i][j] != 0: T += c[i][j] * x[i]["value"] * y[j]["value"] return T.eq(t)
def proof_pkuv(gsp, X, Y): res = [] B = [] A = [] C = [] for i in range(len(X)): row = [] for j in range(len(Y)): row.append(Bn(0)) C.append(row) C[6][0] = Bn(1) # pk_uv C[5][1] = Bn(-1) # - h_v^sku success, result = gsp.Prove_aggreg("MC1", X, B, A, Y, C, G1Elem.inf(gsp.G)) verify = 0 if success: eq_type, X, Y, C, T_eq, pi2_v1, pi2_w1, pi1_v2, pi1_w2 = result #verify = gsp.Verify(eq_type, X, Y, C, pi2_v1, pi2_w1, pi1_v2, pi1_w2) #if verify: res = [C, [pi2_v1, pi2_w1, pi1_v2, pi1_w2]] #print("Do we successfully create a proof?", success) #print("Does the proof successfully verify?", verify) print("\n----pk uv") for i in range(len(res[1])): for j in range(2): if type(res[1][i][j]) == G1Elem: print(i, j, type(res[1][i][j]), res[1][i][j].eq(G1Elem.inf(gsp.G))) else: print(i, j, type(res[1][i][j]), res[1][i][j].eq(G2Elem.inf(gsp.G))) b = challenge(result) for i in range(len(res[0])): for j in range(len(res[0][0])): if res[0][i][j] != 0: res[0][i][j] = b * res[0][i][j] for i in range(len(res[1])): for j in range(len(res[1][i])): res[1][i][j] = b * res[1][i][j] #verify = gsp.Verify("ME1", X, Y, C, res[1][0], res[1][1], res[1][2], res[1][3]) #print("Does the (aggregate) proof verify?", verify) return res
def proof_exponent_gs1_pk_public(gsp, g1, sk, pk): x = [{"type": "com", "value": g1}, {"type": "com", "value": pk}] b = [{"type": "sca", "value": Bn(0)}, {"type": "unt", "value": Bn(1)}] a = [{"type": "pub", "value": G1Elem.inf(gsp.G)}] y = [{"type": "sca", "value": sk}] c = [[Bn(-1)], [Bn(0)]] success, res = gsp.CommitProof_eq("ME1", x, b, a, y, c, G1Elem.inf(gsp.G)) verify = 0 if success: eq_type, X, Y, C, T_eq, pi2_v1_ap, pi2_w1_ap, pi1_v2_ap, pi1_w2_ap = res pi2_v1, pi2_w1, pi1_v2, pi1_w2 = gsp.Randomize(eq_type, pi2_v1_ap, pi2_w1_ap, pi1_v2_ap, pi1_w2_ap) verify = gsp.Verify(eq_type, X, Y, C, pi2_v1, pi2_w1, pi1_v2, pi1_w2) if verify: res = [[pi2_v1, pi2_w1, pi1_v2, pi1_w2], [eq_type, X, Y, C, T_eq]] print("Do we successfully create a first proof?", success) print("Does the first proof successfully verify?", verify) print() return verify, res
def CommitG2Group(self, val, x2, r, s): c0 = r * self.v2[0] + s * self.w2[0] c1 = x2 + r * self.v2[1] + s * self.w2[1] val["value"] = [c0, c1] val["committed"] = { 1: G1Elem.inf(self.G), 2: x2, "Zp": 0, "r": r, "s": s } return val
def CommitG2Scalar(self, val, x, r): c0 = x * self.u2[0] + r * self.v2[0] c1 = x * self.u2[1] + r * self.v2[1] val["value"] = [c0, c1] val["committed"] = { 1: G1Elem.inf(self.G), 2: G2Elem.inf(self.G), "Zp": x, "r": r, "s": 0 } return val
def sign(self, params, sk, m): """Signs a list of group elements of G1""" #print("SPS: Sign") (o, G, g1, g2, e) = params if len(m) > self.nb_msg: print("Error: too many messages to sign") return (G1Elem.inf(G), G1Elem.inf(G)) M = [] for i in range(len(m)): if type(m[i]) == G1Elem: M.append(m[i]) elif type(m[i]) == bytes: M.append(G.hashG1(m[i])) else: print("Error: type message") return -1 sig = [sk[0][0].int_neg() * M[0], sk[0][1].int_neg() * M[0]] for i in range(1, len(M)): sig[0] = sig[0] + sk[i][0].int_neg() * M[i] sig[1] = sig[1] + sk[i][1].int_neg() * M[i] return sig
def Calc_MSG1(self, x1, b, a1, y, c, t1): n = len(x1) m = len(y) if len(b) != n or len(a1) != m or len(c) != n * m or len(t1) != 1: return 0 B1 = G1Elem.inf(self.G) for i in range(m): B1 += b[i] * x1[i] A1 = G1Elem.inf(self.G) for j in range(n): A1 += y[j] * a1[j] C1 = G1Elem.inf(self.G) for i in range(n): for j in range(m): C1 += (c[i][j] * y[j]) * x1[i] validate = 0 if A1 + B1 + C1 == t1: validate = 1 return A1 + B1 + C1, t1, validate
def verify(self, params, pk, m, sig): """ Verifies a signature on messages m e(z, g_z) e(r, g_r) Pi e(M_i, g_i) == e(g1, g2) """ #print("SPS: Verify") (o, G, g1, g2, e) = params s0, s1 = sig if (s0 == G1Elem.inf(G) and s1 == G1Elem.inf(G)): print("USPS: Verify --- Error: signature null") print("SPS: Verify", 0) return 0 M = [] for i in range(len(m)): if type(m[i]) == G1Elem: M.append(m[i]) elif type(m[i]) == bytes: M.append(G.hashG1(m[i])) else: print("Error: type message") return -1 ctr = 0 for i in range(len(M)): if M[i] == G1Elem.inf(G): ctr += 1 if ctr == len(M): print("USPS: Verify --- Error: message null") print("SPS: Verify", 0) return 0 gz, gr = pk[0], pk[1] pki = pk[2:] res = e(s0, gz) * e(s1, gr) for i in range(len(M)): res = res * e(M[i], pki[i]) return res.eq(GTElem.one(G))
def CheckEqResult(self, eq, T): #print("CheckEqResult") if eq in ["PPE", "PN1", "PC1", "PN2", "PC2"]: if T != GTElem.zero(self.G): return 0 elif eq in ["ME1", "MN1", "MC1", "ML1"]: if T != G1Elem.inf(self.G): return 0 elif eq in ["ME2", "MN2", "MC2", "ML2"]: if T != G2Elem.inf(self.G): return 0 elif eq in ["QE", "QC1", "QC2"]: if T != Bn(0): return 0 return 1
def test_G2_scalar_comm(): GS = GSProof() ck, xk, P = GS.ExtGen() order, G, u1, v1, w1, u2, v2, w2 = ck y = order.random() r = order.random() struct = {} struct = GS.CommitG2Scalar(struct, y, r) assert struct["value"][0] == y * GS.u2[0] + r * GS.v2[0] assert struct["value"][1] == y * GS.u2[1] + r * GS.v2[1] assert struct["committed"][1] == G1Elem.inf(G) assert struct["committed"][2] == G2Elem.inf(G) assert struct["committed"]["Zp"] == y assert struct["committed"]["r"] == r assert struct["committed"]["s"] == Bn(0)
def test_G2_group_comm(): GS = GSProof() ck, xk, P = GS.ExtGen() order, G, u1, v1, w1, u2, v2, w2 = ck y2 = order.random() * G.gen2() r = order.random() s = order.random() struct = {} struct = GS.CommitG2Group(struct, y2, r, s) assert struct["value"][0] == G2Elem.inf(G) + r * GS.v2[0] + s * GS.w2[0] assert struct["value"][1] == y2 + r * GS.v2[1] + s * GS.w2[1] assert struct["committed"][1] == G1Elem.inf(G) assert struct["committed"][2] == y2 assert struct["committed"]["Zp"] == Bn(0) assert struct["committed"]["r"] == r assert struct["committed"]["s"] == s
def test_G1_group_comm(): GS = GSProof() ck, xk, P = GS.ExtGen() order, G, u1, v1, w1, u2, v2, w2 = ck x1 = order.random() * G.gen1() r = order.random() s = order.random() struct = {} struct = GS.CommitG1Group(struct, x1, r, s) assert struct["value"][0] == G1Elem.inf(G) + r * GS.v1[0] + s * GS.w1[0] assert struct["value"][1] == x1 + r * GS.v1[1] + s * GS.w1[1] assert struct["committed"][1] == x1 assert struct["committed"][2] == G2Elem.inf(G) assert struct["committed"]["Zp"] == Bn(0) assert struct["committed"]["r"] == r assert struct["committed"]["s"] == s
def MakeMatrices(self, x, b, a, y, c, t): #print("Make Matrices") X = [] X.extend(x) X.extend(a) Y = [] Y.extend(y) Y.extend(b) C = [] for i in range(len(x) + len(a)): row = [] for j in range(len(y) + len(b)): if i < len(x): if j < len(y): temp = c[i][j] if type(temp) != Bn: temp = Bn(temp) row.append(c[i][j]) elif j == len(y) + i: temp = Bn(1) if b[j - len(y)]["committed"][2] == G2Elem.inf( self.G) and b[j - len(y)]["type"] == "pub": temp = Bn(0) row.append(temp) else: row.append(Bn(0)) else: if i == len(x) + j: temp = Bn(1) if a[i - len(x)]["committed"][1] == G1Elem.inf( self.G) and a[i - len(x)]["type"] == "pub": temp = Bn(0) row.append(temp) else: row.append(Bn(0)) C.append(row) return X, Y, C, t
def enc_proof(gsp, X, Y, a): res = [] #print("--- first equation") # e = h_i + h*r res1 = [] A1 = [] B1 = [] C1 = [] for i in range(len(X)): row = [] for j in range(len(Y)): row.append(Bn(0)) C1.append(row) C1[12][0] = Bn(-1) # - e C1[7][0] = Bn(1) # + h_i C1[4][2] = Bn(1) # + h*r success1, result1 = gsp.Prove_aggreg("ME1", X, B1, A1, Y, C1, G1Elem.inf(gsp.G)) verify1 = 0 if success1: eq_type, X1, Y1, C1, T_eq, pi2_v1, pi2_w1, pi1_v2, pi1_w2 = result1 #verify1 = gsp.Verify(eq_type, X1, Y1, C1, pi2_v1, pi2_w1, pi1_v2, pi1_w2) #if verify1: res1 = [C1, [pi2_v1, pi2_w1, pi1_v2, pi1_w2]] res.append(res1) #print("Do we successfully create a first proof?", success1) #print("Does the first proof successfully verify?", verify1) #print("--- second equation") #u1 = g1_enc*r res2 = [] B2 = [] A2 = [] C2 = [] for i in range(len(X)): row = [] for j in range(len(Y)): row.append(Bn(0)) C2.append(row) C2[0][2] = Bn(-1) # - g1enc*r C2[10][0] = Bn(1) # + u1 success2, result2 = gsp.Prove_aggreg("MC1", X, B2, A2, Y, C2, G1Elem.inf(gsp.G)) verify2 = 0 if success2: eq_type, X2, Y2, C2, T_eq, pi2_v1, pi2_w1, pi1_v2, pi1_w2 = result2 #verify2 = gsp.Verify(eq_type, X2, Y2, C2, pi2_v1, pi2_w1, pi1_v2, pi1_w2) #if verify2: res2 = [C2, [pi2_v1, pi2_w1, pi1_v2, pi1_w2]] res.append(res2) #print("Do we successfully create a second proof?", success2) #print("Does the second proof successfully verify?", verify2) #print("--- third equation") #u2 = g2_enc*r res3 = [] B3 = [] A3 = [] C3 = [] for i in range(len(X)): row = [] for j in range(len(Y)): row.append(Bn(0)) C3.append(row) C3[1][2] = Bn(-1) # - g2_enc * r C3[11][0] = Bn(1) # + u2 success3, result3 = gsp.Prove_aggreg("ME1", X, B3, A3, Y, C3, G1Elem.inf(gsp.G)) verify3 = 0 if success3: eq_type, X3, Y3, C3, T_eq, pi2_v1, pi2_w1, pi1_v2, pi1_w2 = result3 #verify3 = gsp.Verify(eq_type, X3, Y3, C3, pi2_v1, pi2_w1, pi1_v2, pi1_w2) #if verify3: res3 = [C3, [pi2_v1, pi2_w1, pi1_v2, pi1_w2]] res.append(res3) #print("Do we successfully create a third proof?", success3) #print("Does the third proof successfully verify?", verify3) """ We perform this check with a hash #print("--- fourth equation") # da = d*a res4 = [] B4 = [] A4 = [] C4 = [] for i in range(len(X)): row = [] for j in range(len(Y)): row.append(Bn(0)) C4.append(row) C4[9][0] = Bn(-1) # - da C4[3][0] = a # + d*a success4, result4 = gsp.Prove_aggreg("ME1", X, B4, A4, Y, C4, G1Elem.inf(gsp.G)) verify4 = 0 if success4: eq_type, X4, Y4, C4, T_eq, pi2_v1, pi2_w1, pi1_v2, pi1_w2 = result4 #verify4 = gsp.Verify(eq_type, X4, Y4, C4, pi2_v1, pi2_w1, pi1_v2, pi1_w2) #if verify4: res4 = [C4, [pi2_v1, pi2_w1, pi1_v2, pi1_w2] ] res.append(res4) #print("Do we successfully create an fourth proof?", success4) #print("Does the fourth proof successfully verify?", verify4) """ #print("--- fifth equation") #v = c*r + d*(a*r) = c*r + da*r res5 = [] B5 = [] A5 = [] C5 = [] for i in range(len(X)): row = [] for j in range(len(Y)): row.append(Bn(0)) C5.append(row) C5[2][2] = Bn(1) # + c*r C5[9][2] = Bn(1) # + da*r C5[13][0] = Bn(-1) # - v success5, result5 = gsp.Prove_aggreg("MC1", X, B5, A5, Y, C5, G1Elem.inf(gsp.G)) verify5 = 0 if success5: eq_type, X5, Y5, C5, T_eq, pi2_v1, pi2_w1, pi1_v2, pi1_w2 = result5 #verify5 = gsp.Verify(eq_type, X5, Y5, C5, pi2_v1, pi2_w1, pi1_v2, pi1_w2) #if verify5: res5 = [C5, [pi2_v1, pi2_w1, pi1_v2, pi1_w2]] res.append(res5) #print("Do we successfully create a fifth proof?", success5) #print("Does the fifth proof successfully verify?", verify5) #print("Do we successfully create all the proofs?", success1*success2*success3*success4*success5) #print("Do all the proofs successfully verify?", verify1*verify2*verify3*verify4*verify5) b1 = challenge(result1) b2 = challenge(result2) b3 = challenge(result3) #b4 = challenge(result4) b5 = challenge(result5) C = [] for i in range(len(C1)): row = [] for j in range(len(C1[0])): cij = Bn(0) if C1[i][j] != 0: cij += b1 * C1[i][j] if C2[i][j] != 0: cij += b2 * C2[i][j] if C3[i][j] != 0: cij += b3 * C3[i][j] #if C4[i][j] != 0: # cij += b4*C4[i][j] if C5[i][j] != 0: cij += b5 * C5[i][j] row.append(cij) C.append(row) pi = [] for i in range(len(res1[1])): pi_i = [] for j in range(len(res1[1][0])): pi_ij = b1 * res1[1][i][j] + b2 * res2[1][i][j] + b3 * res3[1][i][ j] + b5 * res5[1][i][j] # + b4*res4[1][i][j] pi_i.append(pi_ij) pi.append(pi_i) print("\n--- enc") for i in range(len(res)): print("proof #" + str(i)) for j in range(4): for k in range(2): if type(res[i][1][j][k]) == G1Elem: print(i, j, k, type(res[i][1][j][k]), res[i][1][j][k].eq(G1Elem.inf(gsp.G))) else: print(i, j, k, type(res[i][1][j][k]), res[i][1][j][k].eq(G2Elem.inf(gsp.G))) #verify = gsp.Verify("ME1", X, Y, C, pi[0], pi[1], pi[2], pi[3]) #print("Does the (aggregate) proof verify?", verify) return C, pi, res
def MakeProof(self, X, Y, C): #print("MakeProof") pi2_v1 = [G2Elem.inf(self.G), G2Elem.inf(self.G)] pi2_w1 = [G2Elem.inf(self.G), G2Elem.inf(self.G)] pi1_v2 = [G1Elem.inf(self.G), G1Elem.inf(self.G)] pi1_w2 = [G1Elem.inf(self.G), G1Elem.inf(self.G)] #count_exp_g1 = 0 #count_add_g1 = -1 #count_exp_g2 = 0 #count_add_g2 = -1 for i in range(len(X)): xi = X[i]["value"] xr = 0 xs = 0 if "committed" in X[i]: xr = X[i]["committed"]["r"] xs = X[i]["committed"]["s"] for j in range(len(Y)): yj = Y[j]["value"] yr = 0 ys = 0 if "committed" in Y[j]: yr = Y[j]["committed"]["r"] ys = Y[j]["committed"]["s"] cij = C[i][j] if cij != 0: for vec in range(2): """ We need to work on the commitment of x|y and not on the value of x|y not to make any assumption on the type of x|y""" if xr != 0: pi2_v1[vec] += (xr * cij) * yj[vec] #count_exp_g1 += 1 #count_add_g1 += 1 if xs != 0: pi2_w1[vec] += (xs * cij) * yj[vec] #count_exp_g1 += 1 #count_add_g1 += 1 if yr != 0: temp = xi[vec] if xr != 0: temp = temp - self.v1[vec] * xr #count_exp_g2 += 1 #count_add_g2 += 1 if xs != 0: temp = temp - self.w1[vec] * xs #count_exp_g2 += 1 #count_add_g2 += 1 pi1_v2[vec] += temp * (cij * yr) #count_exp_g2 += 1 #count_add_g2 += 1 if ys != 0: temp = xi[vec] if xr != 0: temp = temp - self.v1[vec] * xr #count_exp_g2 += 1 #count_add_g2 += 1 if xs != 0: temp = temp - self.w1[vec] * xs #count_exp_g2 += 1 #count_add_g2 += 1 pi1_w2[vec] += temp * (cij * ys) #count_exp_g2 += 1 #count_add_g2 += 1 #print("Exp in G1", count_exp_g1) #print("Exp in G2", count_exp_g2) #print("Add in G1", count_add_g1) #print("Add in G2", count_add_g2) return pi2_v1, pi2_w1, pi1_v2, pi1_w2
def prepare_proofs(auth, vkI, pki, pkv, m, sig_t, t, pk_ui, pk_uv, sku, cipher, ek, r): #print("Prepare aggregated proofs") #print("Prepare proof: Commit") #import time #t_start = time.time() U, W, V, Z = vkI cm_U = [] for i in range(len(U)): cm_U.append(auth.GS.Commit({"group": 1, "type": "pub", "value": U[i]})) cm_W = [] for i in range(len(W)): cm_W.append(auth.GS.Commit({"group": 2, "type": "pub", "value": W[i]})) cm_V = auth.GS.Commit({"group": 2, "type": "pub", "value": V}) cm_Z = auth.GS.Commit({"group": 2, "type": "pub", "value": Z}) cm_vkI = [cm_U, cm_W, cm_V, cm_Z] h_i, vk_i, sig0_i = pki cm_h_i = auth.GS.Commit({"group": 1, "type": "com", "value": h_i}) cm_vk_i = [] for i in range(len(vk_i)): cm_vk_i.append( auth.GS.Commit({ "group": 2, "type": "com", "value": vk_i[i] })) cm_sig0_i = [] cm_sig0_i.append( auth.GS.Commit({ "group": 1, "type": "com", "value": sig0_i[0] })) cm_sig0_i.append( auth.GS.Commit({ "group": 1, "type": "enc", "value": sig0_i[1] })) cm_sig0_i.append( auth.GS.Commit({ "group": 2, "type": "enc", "value": sig0_i[2] })) h_v, vk_v, sig0_v = pkv cm_h_v = auth.GS.Commit({"group": 1, "type": "pub", "value": h_v}) cm_m = [] for i in range(len(m)): cm_m.append(auth.GS.Commit({"group": 1, "type": "pub", "value": m[i]})) for i in range(len(cm_vk_i) - 1 - 2 - len(cm_m)): cm_m.append( auth.GS.Commit({ "group": 1, "type": "pub", "value": G1Elem.inf(auth.GS.G) })) sig_i, c_it = sig_t cm_sig_i = [] for i in range(len(sig_i)): cm_sig_i.append( auth.GS.Commit({ "group": 1, "type": "enc", "value": sig_i[i] })) _, sigt_i = c_it cm_sigt_i = [] cm_sigt_i.append( auth.GS.Commit({ "group": 1, "type": "com", "value": sigt_i[0] })) cm_sigt_i.append( auth.GS.Commit({ "group": 1, "type": "enc", "value": sigt_i[1] })) cm_sigt_i.append( auth.GS.Commit({ "group": 2, "type": "enc", "value": sigt_i[2] })) #t: used as public scalar constraint (gamma_ij) cm_pk_ui = auth.GS.Commit({"group": 1, "type": "com", "value": pk_ui}) cm_pk_uv = auth.GS.Commit({"group": 1, "type": "pub", "value": pk_uv}) cm_sku = auth.GS.Commit({"group": 2, "type": "sca", "value": sku}) cm_cipher = [] for i in range(len(cipher)): cm_cipher.append( auth.GS.Commit({ "group": 1, "type": "pub", "value": cipher[i] })) cm_r = r cm_r[0] = auth.GS.Commit({"group": 2, "type": "sca", "value": r[0]}) cm_ek = [] for i in range(len(ek)): cm_ek.append( auth.GS.Commit({ "group": 1, "type": "pub", "value": ek[i] })) cm_da = auth.GS.Commit({ "group": 1, "type": "pub", "value": auth.ek[1] * r[1] }) cm_params_enc = [] cm_params_enc.append( auth.GS.Commit({ "group": 1, "type": "pub", "value": auth.GS.v1[0] })) cm_params_enc.append( auth.GS.Commit({ "group": 1, "type": "pub", "value": auth.GS.v1[1] })) cm_g1 = auth.GS.Commit({"group": 1, "type": "bas", "value": auth.GS.g1}) cm_g2 = auth.GS.Commit({"group": 2, "type": "bas", "value": auth.GS.g2}) cm_1 = auth.GS.Commit({"group": 2, "type": "unt", "value": 1}) #t_commit = time.time() #print("--- Commitment time:", t_commit - t_start) x_ppe = [cm_g1] x_ppe.extend(cm_vkI[0]) x_ppe.append(cm_h_i) x_ppe.extend([cm_sig0_i[0], cm_sig0_i[1]]) x_ppe.extend([cm_sigt_i[0], cm_sigt_i[1]]) x_ppe.extend(cm_sig_i) x_ppe.append(cm_pk_ui) x_ppe.extend(cm_m) #print("\nx_ppe", len(x_ppe), x_ppe) y_ppe = [cm_g2] y_ppe.append(cm_vkI[3]) y_ppe.append(cm_vkI[2]) y_ppe.extend(cm_vkI[1]) y_ppe.append(cm_sig0_i[2]) y_ppe.append(cm_sigt_i[2]) y_ppe.extend(cm_vk_i) #print("\ny_ppe", len(y_ppe), y_ppe) x_me1 = [] x_me1.extend(cm_params_enc) x_me1.extend(cm_ek) x_me1.append(cm_h_v) x_me1.append(cm_pk_uv) x_me1.append(cm_h_i) x_me1.append(cm_pk_ui) x_me1.append(cm_da) x_me1.extend(cm_cipher) #print("\nx_me1", len(x_me1), x_me1) y_me1 = [cm_1, cm_sku, cm_r[0]] #print("\ny_me1", len(y_me1), y_me1) #print("Prepare proof: Prove") #t_prove = time.time() #print("--- sigi proof") cm_msg = [cm_pk_ui] cm_msg.extend(cm_m) for i in range(len(cm_vk_i) - 2 - len(cm_msg)): cm_msg.append( auth.GS.Commit({ "group": 1, "type": "pub", "value": G1Elem.inf(auth.GS.G) })) C_sigi, pi_sigi = proof_sigi(auth.GS, x_ppe, y_ppe, cm_msg) cm_msg1 = [cm_g1, cm_h_i] cm_msg2 = cm_vk_i #print("--- sigi0 proof") C_sigi0, pi_sigi0, _ = proof_sigi0(auth.GS, x_ppe, y_ppe, cm_msg1, cm_msg2, Bn(0)) #print("--- sigit proof") C_sigit, pi_sigit, _ = proof_sigit(auth.GS, x_ppe, y_ppe, cm_msg1, cm_msg2, t) #print("--- Aggregate PPE proofs") c_ppe = [] for i in range(len(C_sigi)): row = [] for j in range(len(C_sigi[i])): cij = C_sigi[i][j] + C_sigit[i][j] + C_sigi0[i][j] row.append(cij) c_ppe.append(row) pi_ppe = [] for i in range(len(pi_sigi)): pi_i = [] for j in range(len(pi_sigi[i])): pi_ij = pi_sigi[i][j] + pi_sigit[i][j] + pi_sigi0[i][j] pi_i.append(pi_ij) pi_ppe.append(pi_i) #print("--- Randomize PPE proof") pi_ppe[0], pi_ppe[1], pi_ppe[2], pi_ppe[3] = auth.GS.Randomize( "PPE", pi_ppe[0], pi_ppe[1], pi_ppe[2], pi_ppe[3]) res_ppe = [c_ppe, pi_ppe] #t_ppe = time.time() print("--- exponent proofs pk_ui") C_pkui, pi_pkui = proof_pkui(auth.GS, x_me1, y_me1) print("--- exponent proofs pk_uv") C_pkuv, pi_pkuv = proof_pkuv(auth.GS, x_me1, y_me1) #print("--- enc proof") C_enc, pi_enc, _ = enc_proof(auth.GS, x_me1, y_me1, r[1]) #print("--- aggregate ME1 proofs") c_me1 = [] for i in range(len(C_enc)): row = [] for j in range(len(C_enc[i])): cij = C_enc[i][j] + C_pkui[i][j] + C_pkuv[i][j] row.append(cij) c_me1.append(row) pi_me1 = [] for i in range(len(pi_enc)): pi_i = [] for j in range(len(pi_enc[i])): pi_ij = pi_enc[i][j] + pi_pkui[i][j] + pi_pkuv[i][j] pi_i.append(pi_ij) pi_me1.append(pi_i) #print("------ Randomize ME1 proof") pi_me1[0], pi_me1[1], pi_me1[2], pi_me1[3] = auth.GS.Randomize( "PPE", pi_me1[0], pi_me1[1], pi_me1[2], pi_me1[3]) res_me1 = [c_me1, pi_me1] #t_end = time.time() #print("--- Prove & aggregation time:", t_end - t_commit, "(PPE proof: "+ str(t_ppe-t_commit) +"+ ME1 proof"+ str(t_end-t_ppe) +")") verify_ppe = auth.GS.Verify("PPE", x_ppe, y_ppe, c_ppe, pi_ppe[0], pi_ppe[1], pi_ppe[2], pi_ppe[3]) print("------ Aggregate PPE verify?", verify_ppe) verify_me1 = auth.GS.Verify("ME1", x_me1, y_me1, c_me1, pi_me1[0], pi_me1[1], pi_me1[2], pi_me1[3]) print("------ Aggregate ME1 verify?", verify_me1) verify = verify_ppe * verify_me1 res = [[ res_ppe[1], ["PPE", x_ppe, y_ppe, res_ppe[0], GTElem.zero(auth.GS.G)] ], [res_me1[1], ["ME1", x_me1, y_me1, res_me1[0], G1Elem.inf(auth.GS.G)]]] #print("--- Do all the proofs verify?", verify_ppe*verify_me1) return verify, res
def CheckEqType(self, eq, X, Y, C): #print("CheckEqType") if eq in ["PPE", "PN1", "PC1", "PN2", "PC2"]: for x in X: if type(x["value"][0]) != G1Elem: print("element in C not from G1", x) return 0 if "committed" in x: if x["committed"][2] != G2Elem.inf( self.G) or x["committed"]["Zp"] != 0: print("not a commitment of G1") return 0 for y in Y: if type(y["value"][0]) != G2Elem: print("element in D not from G2") return 0 if "committed" in y: if y["committed"][1] != G1Elem.inf( self.G) or y["committed"]["Zp"] != 0: print("not a commitment of G2") return 0 elif eq in ["ME1", "MN1", "MC1", "ML1"]: for x in X: if type(x["value"][0]) != G1Elem: print("element in C not from G1", type(x["value"][0])) return 0 if "committed" in x: if x["committed"][2] != G2Elem.inf( self.G) or x["committed"]["Zp"] != 0: print("not a commitment of G1") return 0 for y in Y: if type(y["value"][0]) != G2Elem: print("element in D not from Zp", type(y["value"][0])) return 0 if "committed" in y: if y["committed"][1] != G1Elem.inf( self.G) or y["committed"][2] != G2Elem.inf(self.G): print("not a commitment of Zp") return 0 elif eq in ["ME2", "MN2", "MC2", "ML2"]: for x in X: if type(x["value"][0]) != G1Elem: print("element in C not from G1", type(x["value"][0])) return 0 if "committed" in x: if x["committed"][1] != G1Elem.inf( self.G) or x["committed"][2] != G2Elem.inf(self.G): print("not a commitment of Zp") return 0 for y in Y: if type(y["value"][0]) != G2Elem: print("element in D not from G2", type(y["value"][0])) return 0 if "committed" in y: if y["committed"][1] != G1Elem.inf( self.G) or y["committed"]["Zp"] != 0: print("not a commitment of G2") return 0 elif eq in ["QE", "QC1", "QC2"]: for x in X: if type(x["value"][0]) != G1Elem: print("element in C not from Zp", type(x["value"][0])) return 0 if "committed" in x: if x["committed"][1] != G1Elem.inf( self.G) or x["committed"][2] != G2Elem.inf(self.G): print("not a commitment of Zp") return 0 for y in Y: if type(y["value"][0]) != G2Elem: print("element in D not from Zp", type(y["value"][0])) return 0 if "committed" in y: if y["committed"][1] != G1Elem.inf( self.G) or y["committed"][2] != G2Elem.inf(self.G): print("not a commitment of Zp") return 0 else: print("ERROR: unknown eq", eq) return 0 for i in range(len(X)): for j in range(len(Y)): if type(C[i][j]) != Bn and type(C[i][j]) != int: print("element in Gamma not from Zp", i, j, C[i][j], type(C[i][j])) return 0 return 1
def get_infs(gk): inf1 = G1Elem.inf(gk.G) inf2 = G2Elem.inf(gk.G) return inf1, inf2
def proof_bsps_hidemandsig( self, M1=[b"Hello World!", b"Hello me!", b"Hello us!"], M2=[b"Hello you!"]): """ create GS proof that sig verifies with the signature and all but the first message secret """ params = (self.G, self.order, self.g1, self.g2, self.e) sps = BSPS() sk, pk = sps.keygen(params) u, w, v, z = sk U, W, V, Z = pk m1 = [] for i in range(len(M1)): if type(M1[i]) == bytes: m1.append(self.G.hashG1(M1[i])) elif type(M1[i]) == G1Elem: m1.append(M1[i]) else: return 0, [] m2 = [] for j in range(len(M2)): if type(M2[j]) == bytes: m2.append( Bn.from_binary(M2[j]).mod_add(Bn(0), self.order) * self.g2) elif type(M2[j]) == G2Elem: m2.append(M2[j]) else: return 0, [] if len(m1) < sps.msg_g1: for i in range(sps.msg_g1 - len(m1)): m1.append(G1Elem.inf(self.G)) elif sps.msg_g1 < len(m1): return 0, [] if len(m2) < sps.msg_g2: for i in range(sps.msg_g2 - len(m2)): m2.append(G2Elem.inf(self.G)) elif sps.msg_g2 < len(m2): return 0, [] res = [] R, S, T = sps.sign(params, sk, m1, m2) print("signature verifies?", sps.verify(params, pk, m1, m2, (R, S, T))) print("first equation") x1 = [{ "type": "com", "value": R }, { "type": "com", "value": S }, { "type": "bas", "value": self.g1 }] b1 = [{ "type": "pub", "value": V }, { "type": "bas", "value": self.g2 }, { "type": "pub", "value": Z * Bn(-1) }] a1 = [] y1 = [] #res1 = e(R,V) * e(S,g2) #res1.eq(e(g1,Z)) for i in range(len(m1)): if i == 0: x1.append({"type": "pub", "value": m1[i]}) b1.append({"type": "bas", "value": W[i]}) else: x1.append({"type": "com", "value": m1[i]}) b1.append({"type": "pub", "value": W[i]}) #res1 = res1 * e(m1[i],W[i]) c1 = [] for i in range(len(x1)): row = [] for j in range(len(y1)): c = Bn(0) row.append(c) c1.append(row) print(c1) success1, res1 = self.CommitProof_eq("PPE", x1, b1, a1, y1, c1, GTElem.zero(self.G)) verify1 = 0 if success1: eq_type, X1, Y1, C1, T_eq, pi2_v1_ap, pi2_w1_ap, pi1_v2_ap, pi1_w2_ap = res1 pi2_v1, pi2_w1, pi1_v2, pi1_w2 = self.Randomize( eq_type, pi2_v1_ap, pi2_w1_ap, pi1_v2_ap, pi1_w2_ap) verify1 = self.Verify(eq_type, X1, Y1, C1, pi2_v1, pi2_w1, pi1_v2, pi1_w2) if verify1: res1 = [[pi2_v1, pi2_w1, pi1_v2, pi1_w2], [eq_type, X1, Y1, C1, T_eq]] res.append(res1) print(success1, verify1) print() print("second equation") x2 = [{"type": "com", "value": R}, {"type": "bas", "value": self.g1}] b2 = [{ "type": "pub", "value": G2Elem.inf(self.G) }, { "type": "pub", "value": G2Elem.inf(self.G) }] a2 = [{ "type": "pub", "value": G1Elem.inf(self.G) }, { "type": "pub", "value": G1Elem.inf(self.G) }] y2 = [{"type": "com", "value": T}, {"type": "bas", "value": self.g2}] #res2 = e(R,T) #res2.eq(e(g1,g2)) for j in range(len(m2)): a2.append({"type": "pub", "value": U[j]}) y2.append({"type": "com", "value": m2[j]}) #res2 = res2 * e(U[j],m2[j]) c2 = [] for i in range(len(x2)): row = [] for j in range(len(y2)): c = Bn(0) if (i == 0 and j == 0): c = Bn(1) if (i == 1 and j == 1): c = Bn(-1) row.append(c) c2.append(row) print(c2) success2, res2 = self.CommitProof_eq("PPE", x2, b2, a2, y2, c2, GTElem.zero(self.G)) verify2 = 0 if success2: eq_type, X2, Y2, C2, T_eq, pi2_v1_ap, pi2_w1_ap, pi1_v2_ap, pi1_w2_ap = res2 pi2_v1, pi2_w1, pi1_v2, pi1_w2 = self.Randomize( eq_type, pi2_v1_ap, pi2_w1_ap, pi1_v2_ap, pi1_w2_ap) verify2 = self.Verify(eq_type, X2, Y2, C2, pi2_v1, pi2_w1, pi1_v2, pi1_w2) if verify2: res2 = [[pi2_v1, pi2_w1, pi1_v2, pi1_w2], [eq_type, X2, Y2, C2, T_eq]] res.append(res2) print(success2, verify2) print() print("success?", success1, success2) print("verify?", verify1, verify2) return verify1 * verify2, res
def test_all(): GS = GSProof() ck, xk, P = GS.ExtGen() order, G, u1, v1, w1, u2, v2, w2 = ck for eq_type in GS.eqs.keys(): print("=============================== ", eq_type) x = [] y = [] a = [] b = [] for xtype in GS.eqs[eq_type][1]: for ytype in GS.eqs[eq_type][2]: if eq_type != "PPE" or (eq_type == "PPE" and xtype not in ["pub", "enc"] and ytype not in ["pub", "enc"]): rand1 = order.random() x1 = rand1 * GS.g1 if xtype in ["bas"]: rand1 = 1 x1 = GS.g1 if xtype in ["sca"]: x1 = rand1 elif xtype in ["unt"]: x1 = 1 rand2 = order.random() y2 = rand2 * GS.g2 if ytype in ["bas"]: rand2 = 1 y2 = GS.g2 if ytype in ["sca"]: y2 = rand2 elif ytype in ["unt"]: y2 = 1 #print(xtype, rand1, x1) #print(ytype, rand2, y2) x.append({"type": xtype, "value": x1}) a.append({"type": xtype, "value": x1}) y.append({"type": ytype, "value": y2}) b.append({"type": ytype, "value": y2}) c = [] for i in range(len(x)): row = [] for j in range(len(y)): if i == j: row.append(Bn(-2)) else: row.append(Bn(0)) c.append(row) t = GTElem.zero(G) if eq_type in ["ME1", "MN1", "MC1", "ML1"]: t = G1Elem.inf(G) if eq_type in ["ME2", "MN2", "MC2", "ML2"]: t = G2Elem.inf(G) if eq_type in ["QE", "QC1", "QC2"]: t = 0 try: success, res = GS.CommitProof_eq(eq_type, x, b, a, y, c, t) print("success ?", success) except Exception as e: print(e) else: if success: eq, X, Y, C, T, pi2_v1, pi2_w1, pi1_v2, pi1_w2 = res print( "verify ?", GS.Verify(eq_type, X, Y, C, pi2_v1, pi2_w1, pi1_v2, pi1_w2)) assert (GS.Verify(eq_type, X, Y, C, pi2_v1, pi2_w1, pi1_v2, pi1_w2))
def proof_usps_hidesigandsigner(self, M=[ b"Hello World!", b"Hello me!", b"Hello us!" ]): """" creates GS proof that sig verifies with pk, signature and first message secret""" #print("SPS: Prove") self.ExtGen() params = (self.G, self.order, self.g1, self.g2, self.e) sps = USPS() sk, pk = sps.keygen(params) gz, gr, pki = pk m = [] for i in range(len(M)): if type(M[i]) == bytes: m.append(self.G.hashG1(M[i])) elif type(M[i]) == G1Elem: m.append(M[i]) else: return 0, [] if len(m) < sps.n: for i in range(sps.nb_msg - len(m)): m.append(G1Elem.inf(self.G)) elif sps.nb_msg < len(m): return sig = sps.sign(params, sk, m) if sps.verify(params, pk, m, sig) == 0: print("Signature does not verify") return print(len(m)) X = [{ "type": "com", "value": sig[0] }, { "type": "com", "value": sig[1] }] B = [{ "type": "pub", "value": G2Elem.inf(self.G) }, { "type": "pub", "value": G2Elem.inf(self.G) }] A = [{ "type": "pub", "value": G1Elem.inf(self.G) }, { "type": "pub", "value": G1Elem.inf(self.G) }] Y = [{"type": "com", "value": gz}, {"type": "com", "value": gr}] for i in range(len(m)): if i == 0: X.append({"type": "pub", "value": m[i]}) else: X.append({"type": "com", "value": m[i]}) B.append({"type": "pub", "value": G2Elem.inf(self.G)}) for j in range(len(pki)): Y.append({"type": "com", "value": pki[j]}) A.append({"type": "pub", "value": G1Elem.inf(self.G)}) C = [] for i in range(len(X)): row = [] for j in range(len(Y)): var = Bn(0) if i == j: var = Bn(1) row.append(var) C.append(row) print(C) success, res = self.CommitProof_eq("PPE", X, B, A, Y, C, GTElem.zero(self.G)) verify = 0 if success: eq_type, X1, Y1, C1, T_eq, pi2_v1_ap, pi2_w1_ap, pi1_v2_ap, pi1_w2_ap = res pi2_v1, pi2_w1, pi1_v2, pi1_w2 = self.Randomize( eq_type, pi2_v1_ap, pi2_w1_ap, pi1_v2_ap, pi1_w2_ap) verify = self.Verify(eq_type, X1, Y1, C1, pi2_v1, pi2_w1, pi1_v2, pi1_w2) if verify: res = [[pi2_v1, pi2_w1, pi1_v2, pi1_w2], [eq_type, X1, Y1, C1, T_eq]] print(success, verify) print() return verify, res
def proof_usps_hidesigandsigner(self, gsp, pk, M, sig): """" creates GS proof that a USPS signature verifies with the verifying key, the signature and the first message secret""" #print("SPS: Prove") from bplib.bp import G1Elem from bplib.bp import G2Elem from bplib.bp import GTElem from petlib.bn import Bn params = gsp.P sps = USPS() gz, gr = pk[0], pk[1] pki = pk[2:] m = [] for i in range(len(M)): if type(M[i]) == bytes: m.append(gsp.G.hashG1(M[i])) elif type(M[i]) == G1Elem: m.append(M[i]) else: print("Error: wrong input, expected G1, got ", type(M[i])) return 0, [] if len(m) < sps.nb_msg: for i in range(sps.nb_msg - len(m)): m.append(G1Elem.inf(gsp.G)) if sps.verify(params, pk, m, sig) == 0: print("Signature does not verify") return X = [{ "type": "com", "value": sig[0] }, { "type": "com", "value": sig[1] }] B = [{ "type": "pub", "value": G2Elem.inf(gsp.G) }, { "type": "pub", "value": G2Elem.inf(gsp.G) }] A = [{ "type": "pub", "value": G1Elem.inf(gsp.G) }, { "type": "pub", "value": G1Elem.inf(gsp.G) }] Y = [{"type": "com", "value": gz}, {"type": "com", "value": gr}] for i in range(len(m)): if i == 0: X.append({"type": "pub", "value": m[i]}) else: X.append({"type": "com", "value": m[i]}) B.append({"type": "pub", "value": G2Elem.inf(gsp.G)}) for j in range(len(pki)): Y.append({"type": "com", "value": pki[j]}) A.append({"type": "pub", "value": G1Elem.inf(gsp.G)}) C = [] for i in range(len(X)): row = [] for j in range(len(Y)): var = Bn(0) if i == j: var = Bn(1) row.append(var) C.append(row) success, res = gsp.CommitProof_eq("PPE", X, B, A, Y, C, GTElem.zero(gsp.G)) verify = 0 if success: eq_type, X1, Y1, C1, T_eq, pi2_v1_ap, pi2_w1_ap, pi1_v2_ap, pi1_w2_ap = res pi2_v1, pi2_w1, pi1_v2, pi1_w2 = gsp.Randomize( eq_type, pi2_v1_ap, pi2_w1_ap, pi1_v2_ap, pi1_w2_ap) verify = gsp.Verify(eq_type, X1, Y1, C1, pi2_v1, pi2_w1, pi1_v2, pi1_w2) if verify: res = [[pi2_v1, pi2_w1, pi1_v2, pi1_w2], [eq_type, X1, Y1, C1, T_eq]] print("Do we successfully create a proof?", success) print("Does the proof successfully verify?", verify) print() return verify, res