def encrypt(self,m,r=None,s=None):
''' Outputs a PPATSCiphertext on m using r as the randomness for the
commitment and s as the randomness for the encryption
'''
#limit = 2**self.maxexp
#assert m < limit
#assert m >= 0
order = self.PPATSpp.order
if r == None:
r = randint(1,int(order))
if s == None:
s = randint(1,int(order))
# notations
g1 = self.g1
ECG = g1.ECG
Jcoord = self.PPATSpp.Jcoord
# commitment part
d,r = self.commit(m,r)
#d = (r*h)+(m*h1)
# encryption part
c1t = oEC.mul_comb2_EFp2(ECG,s,self.precomp_g,Jcoord)
c1 = oEC.toEFp2(ECG,c1t,Jcoord)
#c1 = s*g
rgt = oEC.mul_comb2_EFp2(ECG,r,self.precomp_g,Jcoord)
sg1t = oEC.mul_comb2_EFp2(ECG,s,self.precomp_g1,Jcoord)
c2t = oEC.addEFp2(ECG,rgt,sg1t,Jcoord)
c2 = oEC.toEFp2(ECG,c2t,Jcoord)
#c2 = (r*g)+(s*g1)
return PPATSCiphertext(d,c1,c2,self)
def encrypt(self,m,r1=None,r2=None, r3=None):
''' Outputs a PPATCCiphertext on m using r1,r2 as the randomness for the
commitment and r1,r2,r3 as the randomness for the encryption
'''
# notations
q = self.PPATCpp.order
g = self.PPATCpp.g
ECG = g.ECG # EFp2
Jcoord = self.PPATCpp.Jcoord
if r1 == None:
r1 = randint(1,int(q))
if r2 == None:
r2 = randint(1,int(q))
if r3 == None:
r3 = randint(1,int(q))
# commitment
d = self.commit(m,r1,r2)
# encryption
c1t = oEC.mul_comb2_EFp2(ECG,r2,self.precomp_g,Jcoord)
c1 = oEC.toEFp2(ECG,c1t,Jcoord)
#c1 = r2*g
c2t = oEC.mul_comb2_EFp2(ECG,r3,self.precomp_g,Jcoord)
c2 = oEC.toEFp2(ECG,c2t,Jcoord)
#c2 = r3*g
c31t = oEC.mul_comb2_EFp2(ECG,r1,self.precomp_g1,Jcoord)
c32t = oEC.mul_comb2_EFp2(ECG,r3,self.precomp_g2,Jcoord)
c3t = oEC.addEFp2(ECG,c31t,c32t,Jcoord)
c3 = oEC.toEFp2(ECG,c3t,Jcoord)
#c3 = (r1*g1)+(r3*g2)
return PPATCCiphertext(d,c1,c2,c3,self)
def encrypt(self, m, r1=None, r2=None, r3=None):
''' Outputs a PPATCCiphertext on m using r1,r2 as the randomness for the
commitment and r1,r2,r3 as the randomness for the encryption
'''
# notations
q = self.PPATCpp.order
g = self.PPATCpp.g
ECG = g.ECG # EFp2
Jcoord = self.PPATCpp.Jcoord
if r1 == None:
r1 = randint(1, int(q))
if r2 == None:
r2 = randint(1, int(q))
if r3 == None:
r3 = randint(1, int(q))
# commitment
d = self.commit(m, r1, r2)
# encryption
c1t = oEC.mul_comb2_EFp2(ECG, r2, self.precomp_g, Jcoord)
c1 = oEC.toEFp2(ECG, c1t, Jcoord)
#c1 = r2*g
c2t = oEC.mul_comb2_EFp2(ECG, r3, self.precomp_g, Jcoord)
c2 = oEC.toEFp2(ECG, c2t, Jcoord)
#c2 = r3*g
c31t = oEC.mul_comb2_EFp2(ECG, r1, self.precomp_g1, Jcoord)
c32t = oEC.mul_comb2_EFp2(ECG, r3, self.precomp_g2, Jcoord)
c3t = oEC.addEFp2(ECG, c31t, c32t, Jcoord)
c3 = oEC.toEFp2(ECG, c3t, Jcoord)
#c3 = (r1*g1)+(r3*g2)
return PPATCCiphertext(d, c1, c2, c3, self)
def commit(self, m, r1=None, r2=None):
q = self.PPATCpp.order
if r1 == None:
r1 = randint(1, int(q))
if r2 == None:
r2 = randint(1, int(q))
# notations
Jcoord = self.PPATCpp.Jcoord
ECG1 = self.h1.ECG
ECG2 = self.g1.ECG
# commitment
d11t = oEC.mul_comb2_EFp(ECG1, r1, self.precomp_h, Jcoord)
d12t = oEC.mul_comb2_EFp(ECG1, r2, self.precomp_h1, Jcoord)
d1t = oEC.addEFp(ECG1, d11t, d12t, Jcoord)
d1 = oEC.toEFp(ECG1, d1t, Jcoord)
#d1 = (r1*h)+(r2*h1)
mp = self.encode(m)
d21t = oEC.mul_comb2_EFp2(ECG2, r2, self.precomp_g1, Jcoord)
d2t = oEC.addEFp2(ECG2, mp, d21t, Jcoord)
d2 = oEC.toEFp2(ECG2, d2t, Jcoord)
#d2 = mp + r2*g1
return PPATCCommitment(d1, d2, self)
def commit(self,m,r1=None,r2=None):
q = self.PPATCpp.order
if r1 == None:
r1 = randint(1,int(q))
if r2 == None:
r2 = randint(1,int(q))
# notations
Jcoord = self.PPATCpp.Jcoord
ECG1 = self.h1.ECG
ECG2 = self.g1.ECG
# commitment
d11t = oEC.mul_comb2_EFp(ECG1,r1,self.precomp_h,Jcoord)
d12t = oEC.mul_comb2_EFp(ECG1,r2,self.precomp_h1,Jcoord)
d1t = oEC.addEFp(ECG1,d11t,d12t,Jcoord)
d1 = oEC.toEFp(ECG1,d1t,Jcoord)
#d1 = (r1*h)+(r2*h1)
mp = self.encode(m)
d21t = oEC.mul_comb2_EFp2(ECG2,r2,self.precomp_g1,Jcoord)
d2t = oEC.addEFp2(ECG2,mp,d21t,Jcoord)
d2 = oEC.toEFp2(ECG2,d2t,Jcoord)
#d2 = mp + r2*g1
return PPATCCommitment(d1,d2,self)
def splitCommitment(ppatspk, com, m, a):
''' This method is a simpler version of self.decomposeCommitment()
Assuming that commitment com commits on the message m and has opening a.
The method decomposes com in two parts com1,com2 such that
com = com1+com2. com2 is a commitment on 0, com1 is a commitment on m
The output of the method is a list of two elements : the two commitments
com1 and com2 together with the randomness and opening used in each.
Remark : The point of doing this is, in some way, to modify the randomness
used in the commitment. For example, suppose that you know the opening
of the commitment but not the randomness used in the commitment. With
this method, you can create another commitment that commits on the same
value but now, you know the randomness used in it. This is usefull in
order to produce set membership proofs.
'''
g = ppatspk.PPATSpp.g
Jcoord = ppatspk.PPATSpp.Jcoord
com1, r1 = ppatspk.commit(m)
ECG = g.ECG
a1t = oEC.mul_comb2_EFp2(ECG, r1, ppatspk.precomp_g, Jcoord)
a1 = oEC.toEFp2(ECG, a1t, Jcoord)
com2d = com.d - com1.d
com2 = ppat.ppats.PPATSCommitment(com2d, ppatspk)
a2 = a - a1
comlist = [(m, r1, a1, com1), (0, None, a2, com2)]
return comlist
def splitCommitment(ppatspk, com, m, a):
""" This method is a simpler version of self.decomposeCommitment()
Assuming that commitment com commits on the message m and has opening a.
The method decomposes com in two parts com1,com2 such that
com = com1+com2. com2 is a commitment on 0, com1 is a commitment on m
The output of the method is a list of two elements : the two commitments
com1 and com2 together with the randomness and opening used in each.
Remark : The point of doing this is, in some way, to modify the randomness
used in the commitment. For example, suppose that you know the opening
of the commitment but not the randomness used in the commitment. With
this method, you can create another commitment that commits on the same
value but now, you know the randomness used in it. This is usefull in
order to produce set membership proofs.
"""
g = ppatspk.PPATSpp.g
Jcoord = ppatspk.PPATSpp.Jcoord
com1, r1 = ppatspk.commit(m)
ECG = g.ECG
a1t = oEC.mul_comb2_EFp2(ECG, r1, ppatspk.precomp_g, Jcoord)
a1 = oEC.toEFp2(ECG, a1t, Jcoord)
com2d = com.d - com1.d
com2 = ppat.ppats.PPATSCommitment(com2d, ppatspk)
a2 = a - a1
comlist = [(m, r1, a1, com1), (0, None, a2, com2)]
return comlist
def test_encryption_decryption(self):
m1 = randint(1, self.n - 1)
ECG = self.ppatcpp.g.ECG
Jcoord = self.ppatcpp.Jcoord
#m1 = m1i*P
cipher1 = self.ppatcpk.encrypt(m1)
mp1 = self.ppatcsk.decrypt(cipher1)
mz1 = oEC.toEFp2(ECG, self.ppatcpk.encode(m1), Jcoord)
self.assertEqual(mz1, mp1)
def __mul__(self,a):
'''multiplication by a scalar
The result is a PPATC Ciphertext which encrypts and commits on e*m
'''
m = gmpy.mpz(1)
if not isinstance(a, int) and not isinstance(a, long) and not type(a)==type(m):
raise Exception("Multiplication of a PPATC Ciphertext by a non integer, long or mpz")
else :
Jcoord = self.PPATCpk.PPATCpp.Jcoord
ECG = self.PPATCpk.g1.ECG
c1t = oEC.toTupleEFp2(self.c1,Jcoord)
nc1t = oEC.mulECP(ECG,c1t,a,sq=True,Jcoord=Jcoord)
newc1 = oEC.toEFp2(ECG,nc1t,Jcoord)
c2t = oEC.toTupleEFp2(self.c2,Jcoord)
nc2t = oEC.mulECP(ECG,c2t,a,sq=True,Jcoord=Jcoord)
newc2 = oEC.toEFp2(ECG,nc2t,Jcoord)
c3t = oEC.toTupleEFp2(self.c3,Jcoord)
nc3t = oEC.mulECP(ECG,c3t,a,sq=True,Jcoord=Jcoord)
newc3 = oEC.toEFp2(ECG,nc3t,Jcoord)
return PPATCCiphertext(a*self.d,newc1,newc2,newc3,self.PPATCpk)
def verifyEvalBatch(self, com, B, rem1_x, rem2_x, w_B):
'''
Check if com is a commitment on a polynomial phi such that (b_j,phi_b_j) belongs
to the polynomial for each b_j in B. The verification uses the witness w_B
and the remainder polynomial rem1_x, rem2_x (see self.createWitnessBatch(...)
for their construction).
Return True if the verification succeeds.
This method computes 3 pairings.
'''
Fr = self.Fr
e = oEC.OptimAtePairing
Pair = self.pairing
gp = self.gprimeVec[-1]
EFp2 = gp.ECG
Fp12 = Pair.Fpk
prod_x_minus_b_j = field.polynom(Fr,[Fr.one()])
for b_j in B :
x_minus_b_j = field.polynom(Fr,[Fr.one(),-b_j])
prod_x_minus_b_j *= x_minus_b_j
if len(prod_x_minus_b_j.coef) < self.deg_pol+1 :
# Append zeros coef to phi_x if its coef list is too short (< deg_pol+1)
diff = self.deg_pol+1 - len(prod_x_minus_b_j.coef)
L = [Fr.zero()]*diff
new_prod_x_minus_b_j = field.polynom(Fr,L+prod_x_minus_b_j.coef)
prod_x_minus_b_j = new_prod_x_minus_b_j
t1 = EFp2.infty
t1t = oEC.toTupleEFp2(t1, self.Jcoord)
#TODO: Optimize here # DONE
for i in range(self.deg_pol+1):
#t1 += prod_x_minus_b_j.coef[i].val*self.gprimeVec[i]
a = oEC.mul_comb2_EFp2(EFp2,prod_x_minus_b_j.coef[i].val,self.gprimeVecTab[i],self.Jcoord)
t1t = oEC.addEFp2(EFp2,t1t,a,self.Jcoord)
t1g = oEC.toEFp2(EFp2,t1t,self.Jcoord)
if self.Jcoord :
t1g.toAffine()
#assert t1g == t1
u1 , rem2_x = self.commit(rem1_x,rem2_x)
rm = e(com.c,gp,Pair)
lm1 = e(w_B.c,t1g,Pair)
lm2 = e(u1.c,gp,Pair)
lm = oEC.mulFp12(Fp12,lm1,lm2)
return rm == lm
def __add__(self,b):
''' Addition between two PPATC ciphertext
The result is a PPATC ciphertext which encrypts and commits
on the sum of the initial messages
'''
assert isinstance(b,PPATCCiphertext)
assert self.PPATCpk == b.PPATCpk # ciphertexts built using the same public key
Jcoord = self.PPATCpk.PPATCpp.Jcoord
ECG = self.PPATCpk.g1.ECG
newcom = self.d+b.d
c1t = oEC.toTupleEFp2(self.c1,Jcoord)
bc1t = oEC.toTupleEFp2(b.c1,Jcoord)
nc1t = oEC.addEFp2(ECG,c1t,bc1t,Jcoord)
newc1 = oEC.toEFp2(ECG,nc1t,Jcoord)
c2t = oEC.toTupleEFp2(self.c2,Jcoord)
bc2t = oEC.toTupleEFp2(b.c2,Jcoord)
nc2t = oEC.addEFp2(ECG,c2t,bc2t,Jcoord)
newc2 = oEC.toEFp2(ECG,nc2t,Jcoord)
c3t = oEC.toTupleEFp2(self.c3,Jcoord)
bc3t = oEC.toTupleEFp2(b.c3,Jcoord)
nc3t = oEC.addEFp2(ECG,c3t,bc3t,Jcoord)
newc3 = oEC.toEFp2(ECG,nc3t,Jcoord)
return PPATCCiphertext(newcom,newc1,newc2,newc3,self.PPATCpk)
def __mul__(self, a):
'''multiplication by a scalar
The result is a PPATC Ciphertext which encrypts and commits on e*m
'''
m = gmpy.mpz(1)
if not isinstance(a, int) and not isinstance(
a, long) and not type(a) == type(m):
raise Exception(
"Multiplication of a PPATC Ciphertext by a non integer, long or mpz"
)
else:
Jcoord = self.PPATCpk.PPATCpp.Jcoord
ECG = self.PPATCpk.g1.ECG
c1t = oEC.toTupleEFp2(self.c1, Jcoord)
nc1t = oEC.mulECP(ECG, c1t, a, sq=True, Jcoord=Jcoord)
newc1 = oEC.toEFp2(ECG, nc1t, Jcoord)
c2t = oEC.toTupleEFp2(self.c2, Jcoord)
nc2t = oEC.mulECP(ECG, c2t, a, sq=True, Jcoord=Jcoord)
newc2 = oEC.toEFp2(ECG, nc2t, Jcoord)
c3t = oEC.toTupleEFp2(self.c3, Jcoord)
nc3t = oEC.mulECP(ECG, c3t, a, sq=True, Jcoord=Jcoord)
newc3 = oEC.toEFp2(ECG, nc3t, Jcoord)
return PPATCCiphertext(a * self.d, newc1, newc2, newc3,
self.PPATCpk)
def __add__(self, b):
''' Addition between two PPATC ciphertext
The result is a PPATC ciphertext which encrypts and commits
on the sum of the initial messages
'''
assert isinstance(b, PPATCCiphertext)
assert self.PPATCpk == b.PPATCpk # ciphertexts built using the same public key
Jcoord = self.PPATCpk.PPATCpp.Jcoord
ECG = self.PPATCpk.g1.ECG
newcom = self.d + b.d
c1t = oEC.toTupleEFp2(self.c1, Jcoord)
bc1t = oEC.toTupleEFp2(b.c1, Jcoord)
nc1t = oEC.addEFp2(ECG, c1t, bc1t, Jcoord)
newc1 = oEC.toEFp2(ECG, nc1t, Jcoord)
c2t = oEC.toTupleEFp2(self.c2, Jcoord)
bc2t = oEC.toTupleEFp2(b.c2, Jcoord)
nc2t = oEC.addEFp2(ECG, c2t, bc2t, Jcoord)
newc2 = oEC.toEFp2(ECG, nc2t, Jcoord)
c3t = oEC.toTupleEFp2(self.c3, Jcoord)
bc3t = oEC.toTupleEFp2(b.c3, Jcoord)
nc3t = oEC.addEFp2(ECG, c3t, bc3t, Jcoord)
newc3 = oEC.toEFp2(ECG, nc3t, Jcoord)
return PPATCCiphertext(newcom, newc1, newc2, newc3, self.PPATCpk)
def decrypt(self,c):
assert isinstance(c,PPATCCiphertext)
#notations
Jcoord = self.PPATCpp.Jcoord
ECG = self.PPATCpp.g.ECG
d2 = c.d.d2
d2t = oEC.toTupleEFp2(d2,Jcoord)
c1 = c.c1
c1t = oEC.toTupleEFp2(c1,Jcoord)
c1x1t = oEC.mulECP(ECG,c1t,-self.x1,sq= True, Jcoord = Jcoord)
d2c1x1t = oEC.addEFp2(ECG,d2t,c1x1t,Jcoord)
dec = oEC.toEFp2(ECG,d2c1x1t,Jcoord)
# dec = d2 - (self.x1*c1)
return dec
def decrypt(self, c):
assert isinstance(c, PPATCCiphertext)
#notations
Jcoord = self.PPATCpp.Jcoord
ECG = self.PPATCpp.g.ECG
d2 = c.d.d2
d2t = oEC.toTupleEFp2(d2, Jcoord)
c1 = c.c1
c1t = oEC.toTupleEFp2(c1, Jcoord)
c1x1t = oEC.mulECP(ECG, c1t, -self.x1, sq=True, Jcoord=Jcoord)
d2c1x1t = oEC.addEFp2(ECG, d2t, c1x1t, Jcoord)
dec = oEC.toEFp2(ECG, d2c1x1t, Jcoord)
# dec = d2 - (self.x1*c1)
return dec
def opens(self,c):
assert isinstance(c,PPATCCiphertext)
#notations
Jcoord = self.PPATCpp.Jcoord
ECG = self.PPATCpp.g.ECG
c2 = c.c2
c3 = c.c3
c2t = oEC.toTupleEFp2(c2,Jcoord)
c3t = oEC.toTupleEFp2(c3,Jcoord)
c2x2t = oEC.mulECP(ECG,c2t,-self.x2,sq= True, Jcoord = Jcoord)
c3c2x2t = oEC.addEFp2(ECG,c3t,c2x2t,Jcoord)
ope = oEC.toEFp2(ECG,c3c2x2t,Jcoord)
# ope = c3-(self.x2*c2)
return ope
def opens(self, c):
assert isinstance(c, PPATCCiphertext)
#notations
Jcoord = self.PPATCpp.Jcoord
ECG = self.PPATCpp.g.ECG
c2 = c.c2
c3 = c.c3
c2t = oEC.toTupleEFp2(c2, Jcoord)
c3t = oEC.toTupleEFp2(c3, Jcoord)
c2x2t = oEC.mulECP(ECG, c2t, -self.x2, sq=True, Jcoord=Jcoord)
c3c2x2t = oEC.addEFp2(ECG, c3t, c2x2t, Jcoord)
ope = oEC.toEFp2(ECG, c3c2x2t, Jcoord)
# ope = c3-(self.x2*c2)
return ope
def verifyEval(self, com, b, phi_b, phiprime_b, w_b):
'''
Check if com is a commitment on a polynomial phi such that (b,phi_b) belongs
to the polynomial. The verification uses the witness w_b and the evaluation
of the polynomial phiprime at b.
Return True if the verification succeeds.
This method computes 3 pairings.
'''
EFp = self.pairing.EFp
e = oEC.OptimAtePairing
Pair = self.pairing
Fp12 = Pair.Fpk
#gamma = Pair.gamma
#g = self.gVec[-1]
#h = self.hVec[-1]
gp = self.gprimeVec[-1]
EFp2 = gp.ECG
gp_alpha = self.gprimeVec[-2]
#TODO: Optimize here # DONE
#gprime_b = (b.val)*gp
gprime_bt = oEC.mul_comb2_EFp2(EFp2,b.val,self.gprimeVecTab[-1],self.Jcoord)
mgprime_bt = oEC.negEFp2(gprime_bt,self.Jcoord)
gpat = oEC.toTupleEFp2(gp_alpha,self.Jcoord)
t1t = oEC.addEFp2(EFp2,gpat,mgprime_bt,self.Jcoord)
#t1 = gp_alpha-gprime_b
#u1 = (phi_b.val)*g + (phiprime_b.val)*h
a1 = oEC.mul_comb2_EFp(EFp,phi_b.val,self.gVecTab[-1],self.Jcoord)
b1 = oEC.mul_comb2_EFp(EFp,phiprime_b.val,self.hVecTab[-1],self.Jcoord)
u1t = oEC.addEFp(EFp,a1,b1,self.Jcoord)
t1g = oEC.toEFp2(EFp2,t1t,self.Jcoord)
u1g = oEC.toEFp(EFp,u1t,self.Jcoord)
if self.Jcoord :
t1g.toAffine()
u1g.toAffine()
#assert t1g == t1
#assert u1g == u1
rm = e(com.c,gp,Pair)
lm1 = e(w_b.c,t1g,Pair)
lm2 = e(u1g,gp,Pair)
lm = oEC.mulFp12(Fp12,lm1,lm2)
return rm == lm
def __mul__(self,a):
'''multiplication by a scalar a
The result is a PPATC Commitment which encrypts and commits on a*m
'''
m = gmpy.mpz(1)
if not isinstance(a, int) and not isinstance(a, long) and not type(a)==type(m):
raise Exception("Multiplication of a PPATC Commitment by a non integer, long or mpz")
else :
Jcoord = self.PPATCpk.PPATCpp.Jcoord
ECG1 = self.PPATCpk.h1.ECG
ECG2 = self.PPATCpk.g1.ECG
d1t = oEC.toTupleEFp(self.d1,Jcoord)
nd1t = oEC.mulECP(ECG1,d1t,a,sq=False,Jcoord=Jcoord)
newd1 = oEC.toEFp(ECG1,nd1t,Jcoord)
d2t = oEC.toTupleEFp2(self.d2,Jcoord)
nd2t = oEC.mulECP(ECG2,d2t,a,sq=True,Jcoord=Jcoord)
newd2 = oEC.toEFp2(ECG2,nd2t,Jcoord)
return PPATCCommitment(newd1,newd2,self.PPATCpk)
def __add__(self, b):
''' Addition between two PPATC commitments
The result is a PPATC commitment which commits
on the sum of the initial messages
'''
assert isinstance(b, PPATCCommitment)
assert self.PPATCpk == b.PPATCpk # commitments built using the same public key
Jcoord = self.PPATCpk.PPATCpp.Jcoord
ECG1 = self.PPATCpk.h1.ECG
ECG2 = self.PPATCpk.g1.ECG
d1t = oEC.toTupleEFp(self.d1, Jcoord)
bd1t = oEC.toTupleEFp(b.d1, Jcoord)
nd1t = oEC.addEFp(ECG1, d1t, bd1t, Jcoord)
newd1 = oEC.toEFp(ECG1, nd1t, Jcoord)
d2t = oEC.toTupleEFp2(self.d2, Jcoord)
bd2t = oEC.toTupleEFp2(b.d2, Jcoord)
nd2t = oEC.addEFp2(ECG2, d2t, bd2t, Jcoord)
newd2 = oEC.toEFp2(ECG2, nd2t, Jcoord)
return PPATCCommitment(newd1, newd2, self.PPATCpk)
def __add__(self,b):
''' Addition between two PPATC commitments
The result is a PPATC commitment which commits
on the sum of the initial messages
'''
assert isinstance(b,PPATCCommitment)
assert self.PPATCpk == b.PPATCpk # commitments built using the same public key
Jcoord = self.PPATCpk.PPATCpp.Jcoord
ECG1 = self.PPATCpk.h1.ECG
ECG2 = self.PPATCpk.g1.ECG
d1t = oEC.toTupleEFp(self.d1,Jcoord)
bd1t = oEC.toTupleEFp(b.d1,Jcoord)
nd1t = oEC.addEFp(ECG1,d1t,bd1t,Jcoord)
newd1 = oEC.toEFp(ECG1,nd1t,Jcoord)
d2t = oEC.toTupleEFp2(self.d2,Jcoord)
bd2t = oEC.toTupleEFp2(b.d2,Jcoord)
nd2t = oEC.addEFp2(ECG2,d2t,bd2t,Jcoord)
newd2 = oEC.toEFp2(ECG2,nd2t,Jcoord)
return PPATCCommitment(newd1,newd2,self.PPATCpk)
def verify(self, c, m, a):
assert isinstance(c, PPATCCiphertext)
mp = oEC.toEFp2(self.g1.ECG, self.encode(m), self.PPATCpp.Jcoord)
# notoations
Pair = self.PPATCpp.Pair
d = self.derivCom(c)
d1, d2 = d.d1, d.d2
g1 = self.g1
h = self.PPATCpp.h
h1 = self.h1
e = self.PPATCpp.e
psi = self.PPATCpp.psi
psih = psi(h)
psih1 = psi(h1)
psid1 = psi(d1)
return e(psid1, g1, Pair) == e(psih, a, Pair) * e(psih1, d2 - mp, Pair)
def verify(self,c,m,a):
assert isinstance(c,PPATCCiphertext)
mp = oEC.toEFp2(self.g1.ECG,self.encode(m),self.PPATCpp.Jcoord)
# notoations
Pair = self.PPATCpp.Pair
d = self.derivCom(c)
d1,d2 = d.d1,d.d2
g1 = self.g1
h = self.PPATCpp.h
h1 = self.h1
e = self.PPATCpp.e
psi = self.PPATCpp.psi
psih = psi(h)
psih1 = psi(h1)
psid1 = psi(d1)
return e(psid1,g1,Pair) == e(psih,a,Pair)*e(psih1,d2-mp,Pair)
def verifyZKS(self, com, b, proof):
'''
Checks that the NIZKPoK holds meaning that phi(b) = 0 or phi(b) != 0
where phi is the polynomial commited to in com.
'''
Fr = self.Fr
e = oEC.OptimAtePairing
Pair = self.pairing
Fp12 = Pair.Fpk
gp = self.gprimeVec[-1]
gp_alpha = self.gprimeVec[-2]
EFp2 = gp.ECG
bp, w_b, phiprime_b_eval, A = proof
if A == None :
return self.verifyEval(com, b, Fr.zero(), phiprime_b_eval, w_b)
elif phiprime_b_eval == None :
#TODO: Optimize here # DONE
z_j, proof_z_j = A
cond1 = self.checkOpeningNIZKPOK(com,proof_z_j)
#gprime_b = b.val*gp
gprime_bt = oEC.mul_comb2_EFp2(EFp2,b.val,self.gprimeVecTab[-1],self.Jcoord)
mgprime_bt = oEC.negEFp2(gprime_bt,self.Jcoord)
gpat = oEC.toTupleEFp2(gp_alpha,self.Jcoord)
t1t = oEC.addEFp2(EFp2,gpat,mgprime_bt,self.Jcoord)
t1g = oEC.toEFp2(EFp2,t1t,self.Jcoord)
if self.Jcoord :
t1g.toAffine()
#gprime_alpha_minus_b = self.gprimeVec[-2]-gprime_b
#assert gprime_alpha_minus_b == t1g
rm = e(com.c,gp,Pair)
lm1 = e(w_b.c,t1g,Pair)
lm2 = e(z_j,gp,Pair)
lm = oEC.mulFp12(Fp12,lm1,lm2)
#cond2 = e(com.c,gp,Pair) == e(w_b.c,t1g,Pair)*e(z_j,gp,Pair)
cond2 = rm == lm
return cond1 and cond2
else :
return False
def __mul__(self, a):
'''multiplication by a scalar a
The result is a PPATC Commitment which encrypts and commits on a*m
'''
m = gmpy.mpz(1)
if not isinstance(a, int) and not isinstance(
a, long) and not type(a) == type(m):
raise Exception(
"Multiplication of a PPATC Commitment by a non integer, long or mpz"
)
else:
Jcoord = self.PPATCpk.PPATCpp.Jcoord
ECG1 = self.PPATCpk.h1.ECG
ECG2 = self.PPATCpk.g1.ECG
d1t = oEC.toTupleEFp(self.d1, Jcoord)
nd1t = oEC.mulECP(ECG1, d1t, a, sq=False, Jcoord=Jcoord)
newd1 = oEC.toEFp(ECG1, nd1t, Jcoord)
d2t = oEC.toTupleEFp2(self.d2, Jcoord)
nd2t = oEC.mulECP(ECG2, d2t, a, sq=True, Jcoord=Jcoord)
newd2 = oEC.toEFp2(ECG2, nd2t, Jcoord)
return PPATCCommitment(newd1, newd2, self.PPATCpk)
