def decrypt(self,c):
assert isinstance(c,PPATCCiphertext)
#notations
Jcoord = self.PPATCpp.Jcoord
ECG = self.PPATCpp.g.ECG
d2 = c.d.d2
d2t = oEC.toTupleEFp2(d2,Jcoord)
c1 = c.c1
c1t = oEC.toTupleEFp2(c1,Jcoord)
c1x1t = oEC.mulECP(ECG,c1t,-self.x1,sq= True, Jcoord = Jcoord)
d2c1x1t = oEC.addEFp2(ECG,d2t,c1x1t,Jcoord)
dec = oEC.toEFp2(ECG,d2c1x1t,Jcoord)
# dec = d2 - (self.x1*c1)
return dec
def opens(self,c):
assert isinstance(c,PPATCCiphertext)
#notations
Jcoord = self.PPATCpp.Jcoord
ECG = self.PPATCpp.g.ECG
c2 = c.c2
c3 = c.c3
c2t = oEC.toTupleEFp2(c2,Jcoord)
c3t = oEC.toTupleEFp2(c3,Jcoord)
c2x2t = oEC.mulECP(ECG,c2t,-self.x2,sq= True, Jcoord = Jcoord)
c3c2x2t = oEC.addEFp2(ECG,c3t,c2x2t,Jcoord)
ope = oEC.toEFp2(ECG,c3c2x2t,Jcoord)
# ope = c3-(self.x2*c2)
return ope
def opens(self, c):
assert isinstance(c, PPATCCiphertext)
#notations
Jcoord = self.PPATCpp.Jcoord
ECG = self.PPATCpp.g.ECG
c2 = c.c2
c3 = c.c3
c2t = oEC.toTupleEFp2(c2, Jcoord)
c3t = oEC.toTupleEFp2(c3, Jcoord)
c2x2t = oEC.mulECP(ECG, c2t, -self.x2, sq=True, Jcoord=Jcoord)
c3c2x2t = oEC.addEFp2(ECG, c3t, c2x2t, Jcoord)
ope = oEC.toEFp2(ECG, c3c2x2t, Jcoord)
# ope = c3-(self.x2*c2)
return ope
def decrypt(self, c):
assert isinstance(c, PPATCCiphertext)
#notations
Jcoord = self.PPATCpp.Jcoord
ECG = self.PPATCpp.g.ECG
d2 = c.d.d2
d2t = oEC.toTupleEFp2(d2, Jcoord)
c1 = c.c1
c1t = oEC.toTupleEFp2(c1, Jcoord)
c1x1t = oEC.mulECP(ECG, c1t, -self.x1, sq=True, Jcoord=Jcoord)
d2c1x1t = oEC.addEFp2(ECG, d2t, c1x1t, Jcoord)
dec = oEC.toEFp2(ECG, d2c1x1t, Jcoord)
# dec = d2 - (self.x1*c1)
return dec
def __add__(self,b):
''' Addition between two PPATC commitments
The result is a PPATC commitment which commits
on the sum of the initial messages
'''
assert isinstance(b,PPATCCommitment)
assert self.PPATCpk == b.PPATCpk # commitments built using the same public key
Jcoord = self.PPATCpk.PPATCpp.Jcoord
ECG1 = self.PPATCpk.h1.ECG
ECG2 = self.PPATCpk.g1.ECG
d1t = oEC.toTupleEFp(self.d1,Jcoord)
bd1t = oEC.toTupleEFp(b.d1,Jcoord)
nd1t = oEC.addEFp(ECG1,d1t,bd1t,Jcoord)
newd1 = oEC.toEFp(ECG1,nd1t,Jcoord)
d2t = oEC.toTupleEFp2(self.d2,Jcoord)
bd2t = oEC.toTupleEFp2(b.d2,Jcoord)
nd2t = oEC.addEFp2(ECG2,d2t,bd2t,Jcoord)
newd2 = oEC.toEFp2(ECG2,nd2t,Jcoord)
return PPATCCommitment(newd1,newd2,self.PPATCpk)
def __mul__(self,a):
'''multiplication by a scalar
The result is a PPATC Ciphertext which encrypts and commits on e*m
'''
m = gmpy.mpz(1)
if not isinstance(a, int) and not isinstance(a, long) and not type(a)==type(m):
raise Exception("Multiplication of a PPATC Ciphertext by a non integer, long or mpz")
else :
Jcoord = self.PPATCpk.PPATCpp.Jcoord
ECG = self.PPATCpk.g1.ECG
c1t = oEC.toTupleEFp2(self.c1,Jcoord)
nc1t = oEC.mulECP(ECG,c1t,a,sq=True,Jcoord=Jcoord)
newc1 = oEC.toEFp2(ECG,nc1t,Jcoord)
c2t = oEC.toTupleEFp2(self.c2,Jcoord)
nc2t = oEC.mulECP(ECG,c2t,a,sq=True,Jcoord=Jcoord)
newc2 = oEC.toEFp2(ECG,nc2t,Jcoord)
c3t = oEC.toTupleEFp2(self.c3,Jcoord)
nc3t = oEC.mulECP(ECG,c3t,a,sq=True,Jcoord=Jcoord)
newc3 = oEC.toEFp2(ECG,nc3t,Jcoord)
return PPATCCiphertext(a*self.d,newc1,newc2,newc3,self.PPATCpk)
def __add__(self, b):
''' Addition between two PPATC commitments
The result is a PPATC commitment which commits
on the sum of the initial messages
'''
assert isinstance(b, PPATCCommitment)
assert self.PPATCpk == b.PPATCpk # commitments built using the same public key
Jcoord = self.PPATCpk.PPATCpp.Jcoord
ECG1 = self.PPATCpk.h1.ECG
ECG2 = self.PPATCpk.g1.ECG
d1t = oEC.toTupleEFp(self.d1, Jcoord)
bd1t = oEC.toTupleEFp(b.d1, Jcoord)
nd1t = oEC.addEFp(ECG1, d1t, bd1t, Jcoord)
newd1 = oEC.toEFp(ECG1, nd1t, Jcoord)
d2t = oEC.toTupleEFp2(self.d2, Jcoord)
bd2t = oEC.toTupleEFp2(b.d2, Jcoord)
nd2t = oEC.addEFp2(ECG2, d2t, bd2t, Jcoord)
newd2 = oEC.toEFp2(ECG2, nd2t, Jcoord)
return PPATCCommitment(newd1, newd2, self.PPATCpk)
def verifyEvalBatch(self, com, B, rem1_x, rem2_x, w_B):
'''
Check if com is a commitment on a polynomial phi such that (b_j,phi_b_j) belongs
to the polynomial for each b_j in B. The verification uses the witness w_B
and the remainder polynomial rem1_x, rem2_x (see self.createWitnessBatch(...)
for their construction).
Return True if the verification succeeds.
This method computes 3 pairings.
'''
Fr = self.Fr
e = oEC.OptimAtePairing
Pair = self.pairing
gp = self.gprimeVec[-1]
EFp2 = gp.ECG
Fp12 = Pair.Fpk
prod_x_minus_b_j = field.polynom(Fr,[Fr.one()])
for b_j in B :
x_minus_b_j = field.polynom(Fr,[Fr.one(),-b_j])
prod_x_minus_b_j *= x_minus_b_j
if len(prod_x_minus_b_j.coef) < self.deg_pol+1 :
# Append zeros coef to phi_x if its coef list is too short (< deg_pol+1)
diff = self.deg_pol+1 - len(prod_x_minus_b_j.coef)
L = [Fr.zero()]*diff
new_prod_x_minus_b_j = field.polynom(Fr,L+prod_x_minus_b_j.coef)
prod_x_minus_b_j = new_prod_x_minus_b_j
t1 = EFp2.infty
t1t = oEC.toTupleEFp2(t1, self.Jcoord)
#TODO: Optimize here # DONE
for i in range(self.deg_pol+1):
#t1 += prod_x_minus_b_j.coef[i].val*self.gprimeVec[i]
a = oEC.mul_comb2_EFp2(EFp2,prod_x_minus_b_j.coef[i].val,self.gprimeVecTab[i],self.Jcoord)
t1t = oEC.addEFp2(EFp2,t1t,a,self.Jcoord)
t1g = oEC.toEFp2(EFp2,t1t,self.Jcoord)
if self.Jcoord :
t1g.toAffine()
#assert t1g == t1
u1 , rem2_x = self.commit(rem1_x,rem2_x)
rm = e(com.c,gp,Pair)
lm1 = e(w_B.c,t1g,Pair)
lm2 = e(u1.c,gp,Pair)
lm = oEC.mulFp12(Fp12,lm1,lm2)
return rm == lm
def __mul__(self, a):
'''multiplication by a scalar
The result is a PPATC Ciphertext which encrypts and commits on e*m
'''
m = gmpy.mpz(1)
if not isinstance(a, int) and not isinstance(
a, long) and not type(a) == type(m):
raise Exception(
"Multiplication of a PPATC Ciphertext by a non integer, long or mpz"
)
else:
Jcoord = self.PPATCpk.PPATCpp.Jcoord
ECG = self.PPATCpk.g1.ECG
c1t = oEC.toTupleEFp2(self.c1, Jcoord)
nc1t = oEC.mulECP(ECG, c1t, a, sq=True, Jcoord=Jcoord)
newc1 = oEC.toEFp2(ECG, nc1t, Jcoord)
c2t = oEC.toTupleEFp2(self.c2, Jcoord)
nc2t = oEC.mulECP(ECG, c2t, a, sq=True, Jcoord=Jcoord)
newc2 = oEC.toEFp2(ECG, nc2t, Jcoord)
c3t = oEC.toTupleEFp2(self.c3, Jcoord)
nc3t = oEC.mulECP(ECG, c3t, a, sq=True, Jcoord=Jcoord)
newc3 = oEC.toEFp2(ECG, nc3t, Jcoord)
return PPATCCiphertext(a * self.d, newc1, newc2, newc3,
self.PPATCpk)
def verifyEval(self, com, b, phi_b, phiprime_b, w_b):
'''
Check if com is a commitment on a polynomial phi such that (b,phi_b) belongs
to the polynomial. The verification uses the witness w_b and the evaluation
of the polynomial phiprime at b.
Return True if the verification succeeds.
This method computes 3 pairings.
'''
EFp = self.pairing.EFp
e = oEC.OptimAtePairing
Pair = self.pairing
Fp12 = Pair.Fpk
#gamma = Pair.gamma
#g = self.gVec[-1]
#h = self.hVec[-1]
gp = self.gprimeVec[-1]
EFp2 = gp.ECG
gp_alpha = self.gprimeVec[-2]
#TODO: Optimize here # DONE
#gprime_b = (b.val)*gp
gprime_bt = oEC.mul_comb2_EFp2(EFp2,b.val,self.gprimeVecTab[-1],self.Jcoord)
mgprime_bt = oEC.negEFp2(gprime_bt,self.Jcoord)
gpat = oEC.toTupleEFp2(gp_alpha,self.Jcoord)
t1t = oEC.addEFp2(EFp2,gpat,mgprime_bt,self.Jcoord)
#t1 = gp_alpha-gprime_b
#u1 = (phi_b.val)*g + (phiprime_b.val)*h
a1 = oEC.mul_comb2_EFp(EFp,phi_b.val,self.gVecTab[-1],self.Jcoord)
b1 = oEC.mul_comb2_EFp(EFp,phiprime_b.val,self.hVecTab[-1],self.Jcoord)
u1t = oEC.addEFp(EFp,a1,b1,self.Jcoord)
t1g = oEC.toEFp2(EFp2,t1t,self.Jcoord)
u1g = oEC.toEFp(EFp,u1t,self.Jcoord)
if self.Jcoord :
t1g.toAffine()
u1g.toAffine()
#assert t1g == t1
#assert u1g == u1
rm = e(com.c,gp,Pair)
lm1 = e(w_b.c,t1g,Pair)
lm2 = e(u1g,gp,Pair)
lm = oEC.mulFp12(Fp12,lm1,lm2)
return rm == lm
def __mul__(self,a):
'''multiplication by a scalar a
The result is a PPATC Commitment which encrypts and commits on a*m
'''
m = gmpy.mpz(1)
if not isinstance(a, int) and not isinstance(a, long) and not type(a)==type(m):
raise Exception("Multiplication of a PPATC Commitment by a non integer, long or mpz")
else :
Jcoord = self.PPATCpk.PPATCpp.Jcoord
ECG1 = self.PPATCpk.h1.ECG
ECG2 = self.PPATCpk.g1.ECG
d1t = oEC.toTupleEFp(self.d1,Jcoord)
nd1t = oEC.mulECP(ECG1,d1t,a,sq=False,Jcoord=Jcoord)
newd1 = oEC.toEFp(ECG1,nd1t,Jcoord)
d2t = oEC.toTupleEFp2(self.d2,Jcoord)
nd2t = oEC.mulECP(ECG2,d2t,a,sq=True,Jcoord=Jcoord)
newd2 = oEC.toEFp2(ECG2,nd2t,Jcoord)
return PPATCCommitment(newd1,newd2,self.PPATCpk)
def verifyZKS(self, com, b, proof):
'''
Checks that the NIZKPoK holds meaning that phi(b) = 0 or phi(b) != 0
where phi is the polynomial commited to in com.
'''
Fr = self.Fr
e = oEC.OptimAtePairing
Pair = self.pairing
Fp12 = Pair.Fpk
gp = self.gprimeVec[-1]
gp_alpha = self.gprimeVec[-2]
EFp2 = gp.ECG
bp, w_b, phiprime_b_eval, A = proof
if A == None :
return self.verifyEval(com, b, Fr.zero(), phiprime_b_eval, w_b)
elif phiprime_b_eval == None :
#TODO: Optimize here # DONE
z_j, proof_z_j = A
cond1 = self.checkOpeningNIZKPOK(com,proof_z_j)
#gprime_b = b.val*gp
gprime_bt = oEC.mul_comb2_EFp2(EFp2,b.val,self.gprimeVecTab[-1],self.Jcoord)
mgprime_bt = oEC.negEFp2(gprime_bt,self.Jcoord)
gpat = oEC.toTupleEFp2(gp_alpha,self.Jcoord)
t1t = oEC.addEFp2(EFp2,gpat,mgprime_bt,self.Jcoord)
t1g = oEC.toEFp2(EFp2,t1t,self.Jcoord)
if self.Jcoord :
t1g.toAffine()
#gprime_alpha_minus_b = self.gprimeVec[-2]-gprime_b
#assert gprime_alpha_minus_b == t1g
rm = e(com.c,gp,Pair)
lm1 = e(w_b.c,t1g,Pair)
lm2 = e(z_j,gp,Pair)
lm = oEC.mulFp12(Fp12,lm1,lm2)
#cond2 = e(com.c,gp,Pair) == e(w_b.c,t1g,Pair)*e(z_j,gp,Pair)
cond2 = rm == lm
return cond1 and cond2
else :
return False
def __mul__(self, a):
'''multiplication by a scalar a
The result is a PPATC Commitment which encrypts and commits on a*m
'''
m = gmpy.mpz(1)
if not isinstance(a, int) and not isinstance(
a, long) and not type(a) == type(m):
raise Exception(
"Multiplication of a PPATC Commitment by a non integer, long or mpz"
)
else:
Jcoord = self.PPATCpk.PPATCpp.Jcoord
ECG1 = self.PPATCpk.h1.ECG
ECG2 = self.PPATCpk.g1.ECG
d1t = oEC.toTupleEFp(self.d1, Jcoord)
nd1t = oEC.mulECP(ECG1, d1t, a, sq=False, Jcoord=Jcoord)
newd1 = oEC.toEFp(ECG1, nd1t, Jcoord)
d2t = oEC.toTupleEFp2(self.d2, Jcoord)
nd2t = oEC.mulECP(ECG2, d2t, a, sq=True, Jcoord=Jcoord)
newd2 = oEC.toEFp2(ECG2, nd2t, Jcoord)
return PPATCCommitment(newd1, newd2, self.PPATCpk)
def __add__(self,b):
''' Addition between two PPATC ciphertext
The result is a PPATC ciphertext which encrypts and commits
on the sum of the initial messages
'''
assert isinstance(b,PPATCCiphertext)
assert self.PPATCpk == b.PPATCpk # ciphertexts built using the same public key
Jcoord = self.PPATCpk.PPATCpp.Jcoord
ECG = self.PPATCpk.g1.ECG
newcom = self.d+b.d
c1t = oEC.toTupleEFp2(self.c1,Jcoord)
bc1t = oEC.toTupleEFp2(b.c1,Jcoord)
nc1t = oEC.addEFp2(ECG,c1t,bc1t,Jcoord)
newc1 = oEC.toEFp2(ECG,nc1t,Jcoord)
c2t = oEC.toTupleEFp2(self.c2,Jcoord)
bc2t = oEC.toTupleEFp2(b.c2,Jcoord)
nc2t = oEC.addEFp2(ECG,c2t,bc2t,Jcoord)
newc2 = oEC.toEFp2(ECG,nc2t,Jcoord)
c3t = oEC.toTupleEFp2(self.c3,Jcoord)
bc3t = oEC.toTupleEFp2(b.c3,Jcoord)
nc3t = oEC.addEFp2(ECG,c3t,bc3t,Jcoord)
newc3 = oEC.toEFp2(ECG,nc3t,Jcoord)
return PPATCCiphertext(newcom,newc1,newc2,newc3,self.PPATCpk)
def __add__(self, b):
''' Addition between two PPATC ciphertext
The result is a PPATC ciphertext which encrypts and commits
on the sum of the initial messages
'''
assert isinstance(b, PPATCCiphertext)
assert self.PPATCpk == b.PPATCpk # ciphertexts built using the same public key
Jcoord = self.PPATCpk.PPATCpp.Jcoord
ECG = self.PPATCpk.g1.ECG
newcom = self.d + b.d
c1t = oEC.toTupleEFp2(self.c1, Jcoord)
bc1t = oEC.toTupleEFp2(b.c1, Jcoord)
nc1t = oEC.addEFp2(ECG, c1t, bc1t, Jcoord)
newc1 = oEC.toEFp2(ECG, nc1t, Jcoord)
c2t = oEC.toTupleEFp2(self.c2, Jcoord)
bc2t = oEC.toTupleEFp2(b.c2, Jcoord)
nc2t = oEC.addEFp2(ECG, c2t, bc2t, Jcoord)
newc2 = oEC.toEFp2(ECG, nc2t, Jcoord)
c3t = oEC.toTupleEFp2(self.c3, Jcoord)
bc3t = oEC.toTupleEFp2(b.c3, Jcoord)
nc3t = oEC.addEFp2(ECG, c3t, bc3t, Jcoord)
newc3 = oEC.toEFp2(ECG, nc3t, Jcoord)
return PPATCCiphertext(newcom, newc1, newc2, newc3, self.PPATCpk)
def test_MulEFp2_opt(self):
_ = oEC.mulECP(EFp2, oEC.toTupleEFp2(Q), r, sq=True)
t = time.time() - self.startTime
print "%s: %.4f" % ("EFp2 point multiplication -- optimized", t)
