def randomization(ssk, pp, r): (pixelg2gen, h, hlist) = default_param (time, g2r, hpoly, hvector) = copy.deepcopy(ssk) # randomize g2r: g2r += g2^r tmp = point_mul(r, pixelg2gen) g2r = point_add(g2r, tmp) # compute tmp = hv[0] * prod_i h[i]^time_vec[i] tmp = hlist[0] time_vec = time_to_vec(time, d) for i in range(len(time_vec)): tmp2 = point_mul(time_vec[i], hlist[i + 1]) tmp = point_add(tmp, tmp2) # radomize tmp and set hpoly *= tmp^r tmp = point_mul(r, tmp) hpoly_new = point_add(hpoly, tmp) # randmoize hvector: # hvector_new[i] = hvector[i] * hlist[i+|t|+1]^r hvector_new = [] for i in range(len(hvector)): tmp = point_mul(r, hlist[i + 1 + len(time_vec)]) hvector_new.append(point_add(tmp, hvector[i])) return (time, g2r, hpoly_new, hvector_new)
def sign_present(sk, tar_time, pp, msg): ssk = sk[1][0] assert ssk[0] == tar_time timevec = time_to_vec(tar_time, d) (pixelg2gen, h, hlist) = pp r = prng_sample(sk[0], b"Pixel randomness for signing" + msg + I2OSP(tar_time, 4)) m = hash_msg_into_fr(msg) # sig1 = g2^r + ssk.g2r sig1 = copy.deepcopy(ssk[1]) tmp = copy.deepcopy(pixelg2gen) tmp = point_mul(r, tmp) sig1 = point_add(sig1, tmp) # tmp = h0 * \prod h_i ^ t_i * h_d^m tmp = copy.deepcopy(hlist[0]) for i in range(len(timevec)): tmp2 = copy.deepcopy(hlist[i + 1]) tmp2 = point_mul(timevec[i], tmp2) tmp = point_add(tmp, tmp2) tmp2 = copy.deepcopy(hlist[d]) tmp2 = point_mul(m, tmp2) tmp = point_add(tmp, tmp2) # sig2 = ssk.hpoly * hv[d]^m * tmp^r sig2 = copy.deepcopy(ssk[2]) tmp3 = copy.deepcopy(ssk[3][len(ssk[3]) - 1]) tmp3 = point_mul(m, tmp3) sig2 = point_add(sig2, tmp3) tmp = point_mul(r, tmp) sig2 = point_add(sig2, tmp) return (tar_time, sig1, sig2)
def key_gen(seed): (pixelg2gen, h, hlist) = default_param # hard code the ciphersuite byte \0 in the salt salt = b"Pixel master key\0" info = b"key initialization" prng = prng_init(seed, salt) x, prng = prng_sample_then_update(prng,info) # pk = g2^x pk = point_mul(x, pixelg2gen) # msk = h^x msk = point_mul(x, h) # r: randomness used in init info = b"Pixel secret key init" + b"\0\0\0\1" r, prng = prng_sample_then_update(prng,info) # g2r = g2^2 g2r = point_mul(r, pixelg2gen) # hpoly = h^x * h0^r hpoly = point_mul(r, hlist[0]) hpoly = point_add(hpoly, msk) # hvector = [hi^r] for i!=0 hvector = [] for i in range(len(hlist)-1): tmp = point_mul(r, hlist[i+1]) hvector.append(tmp) ssk1 = (1, g2r, hpoly, hvector) sk = (prng, [ssk1]) return (pk, sk)
def delegate(ssk, tar_time): (cur_time, g2r, hpoly, hvector) = copy.deepcopy(ssk) cur_time_vec = time_to_vec(cur_time, d) tar_time_vec = time_to_vec(tar_time, d) # hpoly *= h_i ^ t_i for i in range(len(tar_time_vec) - len(cur_time_vec)): tmp = point_mul(tar_time_vec[i + len(cur_time_vec)], hvector[i]) hpoly = point_add(hpoly, tmp) # remove the first `tar_vec_length - cur_vec_length` elements in h-vector for _ in range(len(tar_time_vec) - len(cur_time_vec)): del hvector[0] # return the new ssk return (tar_time, g2r, hpoly, hvector)
def G2mul(a,b): return point_mul(b,a)
def G1mul(a,b): ## a group element, b scalar return point_mul(b,a)
def pop_prove(x_prime, pk, ciphersuite): pk_bytes = serialize(pk, True) # serialize in compressed form P = map2curve_osswu2(pk_bytes, ciphersuite) return point_mul(x_prime, P)
def sign(x_prime, msg, ciphersuite): P = map2curve_osswu2(msg, ciphersuite) return point_mul(x_prime, P)
def keygen(sk): x_prime = Hr(sk) return (x_prime, point_mul(x_prime, g1gen))
def _sign_aug(x_prime, msg, ciphersuite, pk=None, gen=None, sign_fn=sign): if pk is None: pk = point_mul(x_prime, gen) pk_bytes = serialize(pk, True) # serialize in compressed form return sign_fn(x_prime, pk_bytes + msg, ciphersuite)
def _sign(x_prime, msg, ciphersuite, map_fn): P = map_fn(msg, ciphersuite) return point_mul(x_prime, P)
def _keygen(sk, gen): x_prime = xprime_from_sk(sk) return (x_prime, point_mul(x_prime, gen))
def _keygen(sk, gen): x_prime = Hr(sk) return (x_prime, point_mul(x_prime, gen))