def verifiabilityProofCheck(ppatspk, d, proof): """ Return True if the ZKP proof is correct with respect to d meaning that d is a commitment on either 0 or 1 """ u0, u1, t0, t1 = proof # notations Jcoord = ppatspk.PPATSpp.Jcoord ECG = ppatspk.PPATSpp.h.ECG ddt = oEC.toTupleEFp(d.d, Jcoord) u0ht = oEC.mul_comb2_EFp(ECG, u0, ppatspk.precomp_h, Jcoord) ddt0 = oEC.mulECP(ECG, ddt, -t0, False, Jcoord) w0t = oEC.addEFp(ECG, u0ht, ddt0, Jcoord) w0v = oEC.toEFp(ECG, w0t, Jcoord) w0 = ppat.ppats.PPATSCommitment(w0v, ppatspk) ddt1 = oEC.mulECP(ECG, ddt, -t1, False, Jcoord) u1ht = oEC.mul_comb2_EFp(ECG, u1, ppatspk.precomp_h, Jcoord) t1h1t = oEC.mul_comb2_EFp(ECG, t1, ppatspk.precomp_h1, Jcoord) ad1 = oEC.addEFp(ECG, ddt1, u1ht, Jcoord) w1t = oEC.addEFp(ECG, ad1, t1h1t, Jcoord) w1v = oEC.toEFp(ECG, w1t, Jcoord) w1 = ppat.ppats.PPATSCommitment(w1v, ppatspk) return t0 + t1 == ppatspk.hashf([ppatspk.PPATSpp, ppatspk, d, w0, w1])
def verifiabilityProofCheck(ppatspk, d, proof): ''' Return True if the ZKP proof is correct with respect to d meaning that d is a commitment on either 0 or 1 ''' u0, u1, t0, t1 = proof # notations Jcoord = ppatspk.PPATSpp.Jcoord ECG = ppatspk.PPATSpp.h.ECG ddt = oEC.toTupleEFp(d.d, Jcoord) u0ht = oEC.mul_comb2_EFp(ECG, u0, ppatspk.precomp_h, Jcoord) ddt0 = oEC.mulECP(ECG, ddt, -t0, False, Jcoord) w0t = oEC.addEFp(ECG, u0ht, ddt0, Jcoord) w0v = oEC.toEFp(ECG, w0t, Jcoord) w0 = ppat.ppats.PPATSCommitment(w0v, ppatspk) ddt1 = oEC.mulECP(ECG, ddt, -t1, False, Jcoord) u1ht = oEC.mul_comb2_EFp(ECG, u1, ppatspk.precomp_h, Jcoord) t1h1t = oEC.mul_comb2_EFp(ECG, t1, ppatspk.precomp_h1, Jcoord) ad1 = oEC.addEFp(ECG, ddt1, u1ht, Jcoord) w1t = oEC.addEFp(ECG, ad1, t1h1t, Jcoord) w1v = oEC.toEFp(ECG, w1t, Jcoord) w1 = ppat.ppats.PPATSCommitment(w1v, ppatspk) return t0 + t1 == ppatspk.hashf([ppatspk.PPATSpp, ppatspk, d, w0, w1])
def verifiabilityProof2(ppatspk, d, m, r, b=None, u=None, t=None): """ This ZK proof ensures that d = r*h+m*h1 is a commitment on m = 0 or 1 b,u,t are the randomness used in the proof (optional) """ # notations order = ppatspk.PPATSpp.order h = ppatspk.PPATSpp.h h1 = ppatspk.h1 ECG = h.ECG Jcoord = ppatspk.PPATSpp.Jcoord # ht = oEC.toTupleEFp(ECG,h,Jcoord) nh1t = oEC.toTupleEFp(ECG, -h1, Jcoord) ddt = oEC.toTupleEFp(ECG, d.d, Jcoord) # assert h*r+h1*m == d.d # commitment is well formed assert m == 0 or m == 1 # the proof works only if m = 0 or 1 if b == None: b = randint(1, int(order)) if u == None: u = randint(1, int(order)) if t == None: t = randint(1, int(order)) hbt = oEC.mul_comb2_EFp(ECG, b, ppatspk.precomp_h, Jcoord) hb = oEC.toEFp(ECG, hbt, Jcoord) if m == 0: u1 = u t1 = t # commitment # w0 = PPATSCommitment(h*b,self) w0 = ppat.ppats.PPATSCommitment(hb, ppatspk) hu1t = oEC.mul_comb2_EFp(ECG, u1, ppatspk.precomp_h, Jcoord) s1 = oEC.addEFp(ECG, ddt, nh1t, Jcoord) s1t1 = oEC.mulECP(ECG, s1, -t1, False, Jcoord) w1t = oEC.addEFp(ECG, hu1t, s1t1, Jcoord) w1v = oEC.toEFp(ECG, w1t, Jcoord) w1 = ppat.ppats.PPATSCommitment(w1v, ppatspk) # challenge t0 = ppatspk.hashf([ppatspk.PPATSpp, ppatspk, d, w0, w1]) - t1 # response u0 = b + r * t0 if m == 1: u0 = u t0 = t # commitment hu0t = oEC.mul_comb2_EFp(ECG, u0, ppatspk.precomp_h, Jcoord) ddt0 = oEC.mulECP(ECG, ddt, -t0, False, Jcoord) w0t = oEC.addEFp(ECG, hu0t, ddt0, Jcoord) w0v = oEC.toEFp(ECG, w0t, Jcoord) w0 = ppat.ppats.PPATSCommitment(w0v, ppatspk) w1 = ppat.ppats.PPATSCommitment(hb, ppatspk) # challenge t1 = ppatspk.hashf([ppatspk.PPATSpp, ppatspk, d, w0, w1]) - t0 # response u1 = b + r * t1 return [u0, u1, t0, t1] """
def verifiabilityProof2(ppatspk, d, m, r, b=None, u=None, t=None): ''' This ZK proof ensures that d = r*h+m*h1 is a commitment on m = 0 or 1 b,u,t are the randomness used in the proof (optional) ''' # notations order = ppatspk.PPATSpp.order h = ppatspk.PPATSpp.h h1 = ppatspk.h1 ECG = h.ECG Jcoord = ppatspk.PPATSpp.Jcoord #ht = oEC.toTupleEFp(ECG,h,Jcoord) nh1t = oEC.toTupleEFp(ECG, -h1, Jcoord) ddt = oEC.toTupleEFp(ECG, d.d, Jcoord) #assert h*r+h1*m == d.d # commitment is well formed assert m == 0 or m == 1 # the proof works only if m = 0 or 1 if b == None: b = randint(1, int(order)) if u == None: u = randint(1, int(order)) if t == None: t = randint(1, int(order)) hbt = oEC.mul_comb2_EFp(ECG, b, ppatspk.precomp_h, Jcoord) hb = oEC.toEFp(ECG, hbt, Jcoord) if m == 0: u1 = u t1 = t # commitment #w0 = PPATSCommitment(h*b,self) w0 = ppat.ppats.PPATSCommitment(hb, ppatspk) hu1t = oEC.mul_comb2_EFp(ECG, u1, ppatspk.precomp_h, Jcoord) s1 = oEC.addEFp(ECG, ddt, nh1t, Jcoord) s1t1 = oEC.mulECP(ECG, s1, -t1, False, Jcoord) w1t = oEC.addEFp(ECG, hu1t, s1t1, Jcoord) w1v = oEC.toEFp(ECG, w1t, Jcoord) w1 = ppat.ppats.PPATSCommitment(w1v, ppatspk) # challenge t0 = ppatspk.hashf([ppatspk.PPATSpp, ppatspk, d, w0, w1]) - t1 # response u0 = b + r * t0 if m == 1: u0 = u t0 = t # commitment hu0t = oEC.mul_comb2_EFp(ECG, u0, ppatspk.precomp_h, Jcoord) ddt0 = oEC.mulECP(ECG, ddt, -t0, False, Jcoord) w0t = oEC.addEFp(ECG, hu0t, ddt0, Jcoord) w0v = oEC.toEFp(ECG, w0t, Jcoord) w0 = ppat.ppats.PPATSCommitment(w0v, ppatspk) w1 = ppat.ppats.PPATSCommitment(hb, ppatspk) # challenge t1 = ppatspk.hashf([ppatspk.PPATSpp, ppatspk, d, w0, w1]) - t0 # response u1 = b + r * t1 return [u0, u1, t0, t1] """
def multiplicationProofCheck(ppatspk, d1, d2, d3, proof): """ d1,d2,d3 are PPATS Commitment proof is a ZK proof that d3 commits on the product of the message commited in d1 and d2. the method returns True if this assertion is correct and False otherwise """ # assert isinstance(d1,ppat.ppats.PPATSCommitment) # assert isinstance(d2,ppat.ppats.PPATSCommitment) # assert isinstance(d3,ppat.ppats.PPATSCommitment) # Notations ECG = ppatspk.PPATSpp.h.ECG Jcoord = ppatspk.PPATSpp.Jcoord nu, z1, z2, s1, s2, s3 = proof # a1 = s1*h + z1*h1 a1c, s1 = ppatspk.commit(z1, s1) a1 = a1c.d # a2 = s2*h + z2*h1 a2c, s2 = ppatspk.commit(z2, s2) a2 = a2c.d s3ht = oEC.mul_comb2_EFp(ECG, s3, ppatspk.precomp_h, Jcoord) d1t = oEC.toTupleEFp(d1.d, Jcoord) z2d1t = oEC.mulECP(ECG, d1t, z2, False, Jcoord) a3t = oEC.addEFp(ECG, s3ht, z2d1t, Jcoord) # a3 = s3*h + z2*d1.d d2t = oEC.toTupleEFp(d2.d, Jcoord) d3t = oEC.toTupleEFp(d3.d, Jcoord) mnud1t = oEC.mulECP(ECG, d1t, -nu, False, Jcoord) mnud2t = oEC.mulECP(ECG, d2t, -nu, False, Jcoord) mnud3t = oEC.mulECP(ECG, d3t, -nu, False, Jcoord) a1t = oEC.toTupleEFp(a1, Jcoord) a2t = oEC.toTupleEFp(a2, Jcoord) e1t = oEC.addEFp(ECG, a1t, mnud1t, Jcoord) e2t = oEC.addEFp(ECG, a2t, mnud2t, Jcoord) e3t = oEC.addEFp(ECG, a3t, mnud3t, Jcoord) e1 = oEC.toEFp(ECG, e1t, Jcoord) e2 = oEC.toEFp(ECG, e2t, Jcoord) e3 = oEC.toEFp(ECG, e3t, Jcoord) d1p = ppat.ppats.PPATSCommitment(e1, ppatspk) d2p = ppat.ppats.PPATSCommitment(e2, ppatspk) d3p = ppat.ppats.PPATSCommitment(e3, ppatspk) nup = ppatspk.hashf([ppatspk.PPATSpp, ppatspk, d1, d2, d3, d1p, d2p, d3p]) return nu == nup
def multiplicationProofCheck(ppatspk, d1, d2, d3, proof): ''' d1,d2,d3 are PPATS Commitment proof is a ZK proof that d3 commits on the product of the message commited in d1 and d2. the method returns True if this assertion is correct and False otherwise ''' #assert isinstance(d1,ppat.ppats.PPATSCommitment) #assert isinstance(d2,ppat.ppats.PPATSCommitment) #assert isinstance(d3,ppat.ppats.PPATSCommitment) # Notations ECG = ppatspk.PPATSpp.h.ECG Jcoord = ppatspk.PPATSpp.Jcoord nu, z1, z2, s1, s2, s3 = proof #a1 = s1*h + z1*h1 a1c, s1 = ppatspk.commit(z1, s1) a1 = a1c.d #a2 = s2*h + z2*h1 a2c, s2 = ppatspk.commit(z2, s2) a2 = a2c.d s3ht = oEC.mul_comb2_EFp(ECG, s3, ppatspk.precomp_h, Jcoord) d1t = oEC.toTupleEFp(d1.d, Jcoord) z2d1t = oEC.mulECP(ECG, d1t, z2, False, Jcoord) a3t = oEC.addEFp(ECG, s3ht, z2d1t, Jcoord) #a3 = s3*h + z2*d1.d d2t = oEC.toTupleEFp(d2.d, Jcoord) d3t = oEC.toTupleEFp(d3.d, Jcoord) mnud1t = oEC.mulECP(ECG, d1t, -nu, False, Jcoord) mnud2t = oEC.mulECP(ECG, d2t, -nu, False, Jcoord) mnud3t = oEC.mulECP(ECG, d3t, -nu, False, Jcoord) a1t = oEC.toTupleEFp(a1, Jcoord) a2t = oEC.toTupleEFp(a2, Jcoord) e1t = oEC.addEFp(ECG, a1t, mnud1t, Jcoord) e2t = oEC.addEFp(ECG, a2t, mnud2t, Jcoord) e3t = oEC.addEFp(ECG, a3t, mnud3t, Jcoord) e1 = oEC.toEFp(ECG, e1t, Jcoord) e2 = oEC.toEFp(ECG, e2t, Jcoord) e3 = oEC.toEFp(ECG, e3t, Jcoord) d1p = ppat.ppats.PPATSCommitment(e1, ppatspk) d2p = ppat.ppats.PPATSCommitment(e2, ppatspk) d3p = ppat.ppats.PPATSCommitment(e3, ppatspk) nup = ppatspk.hashf([ppatspk.PPATSpp, ppatspk, d1, d2, d3, d1p, d2p, d3p]) return nu == nup
def test_MulEFp_opt(self): _ = oEC.mulECP(EFp, oEC.toTupleEFp(P, Jcoord=True), r, sq=False, Jcoord=True) t = time.time() - self.startTime print "%s: %.4f" % ("EFp point multiplication -- optimized", t)
def __mul__(self,a): '''multiplication by a scalar a The result is a PPATC Commitment which encrypts and commits on a*m ''' m = gmpy.mpz(1) if not isinstance(a, int) and not isinstance(a, long) and not type(a)==type(m): raise Exception("Multiplication of a PPATC Commitment by a non integer, long or mpz") else : Jcoord = self.PPATCpk.PPATCpp.Jcoord ECG1 = self.PPATCpk.h1.ECG ECG2 = self.PPATCpk.g1.ECG d1t = oEC.toTupleEFp(self.d1,Jcoord) nd1t = oEC.mulECP(ECG1,d1t,a,sq=False,Jcoord=Jcoord) newd1 = oEC.toEFp(ECG1,nd1t,Jcoord) d2t = oEC.toTupleEFp2(self.d2,Jcoord) nd2t = oEC.mulECP(ECG2,d2t,a,sq=True,Jcoord=Jcoord) newd2 = oEC.toEFp2(ECG2,nd2t,Jcoord) return PPATCCommitment(newd1,newd2,self.PPATCpk)
def __mul__(self,a): '''multiplication by a scalar The result is a PPATC Ciphertext which encrypts and commits on e*m ''' m = gmpy.mpz(1) if not isinstance(a, int) and not isinstance(a, long) and not type(a)==type(m): raise Exception("Multiplication of a PPATC Ciphertext by a non integer, long or mpz") else : Jcoord = self.PPATCpk.PPATCpp.Jcoord ECG = self.PPATCpk.g1.ECG c1t = oEC.toTupleEFp2(self.c1,Jcoord) nc1t = oEC.mulECP(ECG,c1t,a,sq=True,Jcoord=Jcoord) newc1 = oEC.toEFp2(ECG,nc1t,Jcoord) c2t = oEC.toTupleEFp2(self.c2,Jcoord) nc2t = oEC.mulECP(ECG,c2t,a,sq=True,Jcoord=Jcoord) newc2 = oEC.toEFp2(ECG,nc2t,Jcoord) c3t = oEC.toTupleEFp2(self.c3,Jcoord) nc3t = oEC.mulECP(ECG,c3t,a,sq=True,Jcoord=Jcoord) newc3 = oEC.toEFp2(ECG,nc3t,Jcoord) return PPATCCiphertext(a*self.d,newc1,newc2,newc3,self.PPATCpk)
def __mul__(self, a): '''multiplication by a scalar a The result is a PPATC Commitment which encrypts and commits on a*m ''' m = gmpy.mpz(1) if not isinstance(a, int) and not isinstance( a, long) and not type(a) == type(m): raise Exception( "Multiplication of a PPATC Commitment by a non integer, long or mpz" ) else: Jcoord = self.PPATCpk.PPATCpp.Jcoord ECG1 = self.PPATCpk.h1.ECG ECG2 = self.PPATCpk.g1.ECG d1t = oEC.toTupleEFp(self.d1, Jcoord) nd1t = oEC.mulECP(ECG1, d1t, a, sq=False, Jcoord=Jcoord) newd1 = oEC.toEFp(ECG1, nd1t, Jcoord) d2t = oEC.toTupleEFp2(self.d2, Jcoord) nd2t = oEC.mulECP(ECG2, d2t, a, sq=True, Jcoord=Jcoord) newd2 = oEC.toEFp2(ECG2, nd2t, Jcoord) return PPATCCommitment(newd1, newd2, self.PPATCpk)
def multiplicationCommitFromTriplet(self,a1,a2,a3,m1,m2): ''' This method builds a commitment d3 based on three precomputed commitments a1,a2,a3 such that a1 commits (m_a-m1),a2 commits on (m_b-m2) and a3 commits on some m_a*m_b+..., the output is d3 that commits on m_a*m_b but it does not perform any verification whatsoever ''' Jcoord = self.PPATSpp.Jcoord ECG = self.h1.ECG order = self.PPATSpp.order a1dt = oEC.toTupleEFp(a1.d,Jcoord) a2dt = oEC.toTupleEFp(a2.d,Jcoord) a3dt = oEC.toTupleEFp(a3.d,Jcoord) m2a1dt = oEC.mulECP(ECG,a1dt,m2,False,Jcoord) m1a2dt = oEC.mulECP(ECG,a2dt,m1,False,Jcoord) m1m2h1t = oEC.mul_comb2_EFp(ECG,(m1*m2)%order,self.precomp_h1,Jcoord) a1t = oEC.addEFp(ECG,m2a1dt,m1a2dt,Jcoord) a2t = oEC.addEFp(ECG,a1t,a3dt,Jcoord) d3t = oEC.addEFp(ECG,a2t,m1m2h1t,Jcoord) d3 = oEC.toEFp(ECG,d3t,Jcoord) #d3p = (m2*a1.d)+(m1*a2.d)+a3.d+((m1*m2)*h1) #assert d3 == d3p return PPATSCommitment(d3,self)
def __mul__(self, a): '''multiplication by a scalar The result is a PPATC Ciphertext which encrypts and commits on e*m ''' m = gmpy.mpz(1) if not isinstance(a, int) and not isinstance( a, long) and not type(a) == type(m): raise Exception( "Multiplication of a PPATC Ciphertext by a non integer, long or mpz" ) else: Jcoord = self.PPATCpk.PPATCpp.Jcoord ECG = self.PPATCpk.g1.ECG c1t = oEC.toTupleEFp2(self.c1, Jcoord) nc1t = oEC.mulECP(ECG, c1t, a, sq=True, Jcoord=Jcoord) newc1 = oEC.toEFp2(ECG, nc1t, Jcoord) c2t = oEC.toTupleEFp2(self.c2, Jcoord) nc2t = oEC.mulECP(ECG, c2t, a, sq=True, Jcoord=Jcoord) newc2 = oEC.toEFp2(ECG, nc2t, Jcoord) c3t = oEC.toTupleEFp2(self.c3, Jcoord) nc3t = oEC.mulECP(ECG, c3t, a, sq=True, Jcoord=Jcoord) newc3 = oEC.toEFp2(ECG, nc3t, Jcoord) return PPATCCiphertext(a * self.d, newc1, newc2, newc3, self.PPATCpk)
def opens(self,c): assert isinstance(c,PPATCCiphertext) #notations Jcoord = self.PPATCpp.Jcoord ECG = self.PPATCpp.g.ECG c2 = c.c2 c3 = c.c3 c2t = oEC.toTupleEFp2(c2,Jcoord) c3t = oEC.toTupleEFp2(c3,Jcoord) c2x2t = oEC.mulECP(ECG,c2t,-self.x2,sq= True, Jcoord = Jcoord) c3c2x2t = oEC.addEFp2(ECG,c3t,c2x2t,Jcoord) ope = oEC.toEFp2(ECG,c3c2x2t,Jcoord) # ope = c3-(self.x2*c2) return ope
def decrypt(self, c): assert isinstance(c, PPATCCiphertext) #notations Jcoord = self.PPATCpp.Jcoord ECG = self.PPATCpp.g.ECG d2 = c.d.d2 d2t = oEC.toTupleEFp2(d2, Jcoord) c1 = c.c1 c1t = oEC.toTupleEFp2(c1, Jcoord) c1x1t = oEC.mulECP(ECG, c1t, -self.x1, sq=True, Jcoord=Jcoord) d2c1x1t = oEC.addEFp2(ECG, d2t, c1x1t, Jcoord) dec = oEC.toEFp2(ECG, d2c1x1t, Jcoord) # dec = d2 - (self.x1*c1) return dec
def opens(self, c): assert isinstance(c, PPATCCiphertext) #notations Jcoord = self.PPATCpp.Jcoord ECG = self.PPATCpp.g.ECG c2 = c.c2 c3 = c.c3 c2t = oEC.toTupleEFp2(c2, Jcoord) c3t = oEC.toTupleEFp2(c3, Jcoord) c2x2t = oEC.mulECP(ECG, c2t, -self.x2, sq=True, Jcoord=Jcoord) c3c2x2t = oEC.addEFp2(ECG, c3t, c2x2t, Jcoord) ope = oEC.toEFp2(ECG, c3c2x2t, Jcoord) # ope = c3-(self.x2*c2) return ope
def decrypt(self,c): assert isinstance(c,PPATCCiphertext) #notations Jcoord = self.PPATCpp.Jcoord ECG = self.PPATCpp.g.ECG d2 = c.d.d2 d2t = oEC.toTupleEFp2(d2,Jcoord) c1 = c.c1 c1t = oEC.toTupleEFp2(c1,Jcoord) c1x1t = oEC.mulECP(ECG,c1t,-self.x1,sq= True, Jcoord = Jcoord) d2c1x1t = oEC.addEFp2(ECG,d2t,c1x1t,Jcoord) dec = oEC.toEFp2(ECG,d2c1x1t,Jcoord) # dec = d2 - (self.x1*c1) return dec
def test_MulEFp2_opt(self): _ = oEC.mulECP(EFp2, oEC.toTupleEFp2(Q), r, sq=True) t = time.time() - self.startTime print "%s: %.4f" % ("EFp2 point multiplication -- optimized", t)