def get_k_char_not_2_and_not_3(self, x1, y1, x2, y2):
    """Return the slope of the line through (x1, y1) and (x2, y2).

    Equal x-coordinates select the tangent formula
    ``(3*x1^2 + a) / (2*y1)``; otherwise the chord formula
    ``(y1 - y2) / (x1 - x2)`` is used. Division is done by multiplying
    with a modular inverse modulo ``self.p``. The product is returned as
    is, without a final reduction modulo ``self.p``.

    NOTE(review): the ``x1 == x2`` branch never reads ``y2``, so it treats
    the two inputs as the same point. The cases ``y1 == -y2`` (the sum is
    the point at infinity) and ``y1 == 0`` are not detected here.
    Presumably the caller filters them out; confirm before feeding this
    points that come from an untrusted source.
    """
    same_x = x1 == x2
    if same_x:
        # Tangent at (x1, y1): derivative of the curve equation.
        numerator = 3 * x1 * x1 + self.a
        denominator = 2 * y1
    else:
        # Chord between two points with distinct x-coordinates.
        numerator = y1 - y2
        denominator = x1 - x2
    return numerator * inverse_mod(denominator, self.p)
def pi_verify(pi, c, d, w1, w2, m1, m2, zkp, ka_pub):
    """Verify the non-interactive proof ``pi`` against a hash-derived challenge.

    The commitments are recomputed from the responses in ``pi`` and the
    challenge ``e``, then hashed with the statement values using SHA-256.
    The proof is accepted when that hash, read as an integer, equals ``e``.

    Args:
        pi: 11-tuple ``(z1, z2, y, e, s1, s2, s3, t1, t2, t3, t4)``.
        c, d, w1, w2: values passed to ``ecdsa.point_mult`` /
            ``ecdsa.expand_pub`` (curve points, presumably).
        m1, m2: integers inverted modulo ``n*n``.
        zkp: triple ``(ntild, h1, h2)``: a modulus and two bases.
        ka_pub: pair ``(n, g)``; arithmetic is done modulo ``n*n``
            (looks like a Paillier public key -- confirm).

    Returns:
        ``False`` if ``s1`` or ``t1`` exceeds ``ecdsa.n ** 3``; otherwise
        ``True`` exactly when the recomputed challenge equals ``e``.

    NOTE(review): nothing visible here checks that ``c``, ``d``, ``w1``,
    ``w2`` and ``y`` are valid curve points, or that ``m1``, ``m2``, ``z1``
    and ``z2`` are invertible for their modulus. Whether the ``ecdsa`` /
    ``utils`` helpers enforce this cannot be told from this function.
    """
    ntild, h1, h2 = zkp
    z1, z2, y, e, s1, s2, s3, t1, t2, t3, t4 = pi
    n, g = ka_pub
    n2 = n * n
    n3 = pow(ecdsa.n, 3)

    # Range check on the responses. Only the upper bound is tested;
    # NOTE(review): negative s1 / t1 are not rejected here -- confirm that
    # the deserialization layer cannot produce them.
    if s1 > n3 or t1 > n3:
        return False

    # -e reduced modulo the group order, used for the curve operations only.
    # The modular exponentiations below use the unreduced e.
    minuse = (e * -1) % ecdsa.n

    # u1' = s1*c - e*w1
    u1prim = ecdsa.point_add(ecdsa.point_mult(c, s1), ecdsa.point_mult(w1, minuse))

    # u2' = g^s1 * s2^n * m1^(-e)  (mod n^2)
    u2inv = utils.inverse_mod(m1, n2)
    u2prim = (pow(g, s1, n2) * pow(s2, n, n2) * pow(u2inv, e, n2)) % n2

    # u3' = h1^s1 * h2^s3 * z1^(-e)  (mod ntild)
    u3inv = utils.inverse_mod(z1, ntild)
    u3prim = (pow(h1, s1, ntild) * pow(h2, s3, ntild) * pow(u3inv, e, ntild)) % ntild

    # v1' = (t1 + t2)*d - e*y
    v1prim = ecdsa.point_add(ecdsa.point_mult(d, t1 + t2), ecdsa.point_mult(y, minuse))
    # v2' = s1*w2 + t2*d - e*y
    v2prim = ecdsa.point_add(
        ecdsa.point_add(ecdsa.point_mult(w2, s1), ecdsa.point_mult(d, t2)),
        ecdsa.point_mult(y, minuse))

    # v3' = g^t1 * t3^n * m2^(-e)  (mod n^2)
    v3inv = utils.inverse_mod(m2, n2)
    v3prim = (pow(g, t1, n2) * pow(t3, n, n2) * pow(v3inv, e, n2)) % n2

    # v4' = h1^t1 * h2^t4 * z2^(-e)  (mod ntild)
    v4inv = utils.inverse_mod(z2, ntild)
    v4prim = (pow(h1, t1, ntild) * pow(h2, t4, ntild) * pow(v4inv, e, ntild)) % ntild

    # Challenge transcript. The order of these updates is part of the
    # protocol and has to match the prover byte for byte.
    # NOTE(review): integers are appended as decimal str() with no length
    # prefix or separator, so the boundaries between adjacent integers
    # (m1|m2|z1, u2'|u3'|z2, v3'|v4') are not encoded in the hash input.
    # NOTE(review): n, g, ntild, h1 and h2 are not part of the transcript;
    # confirm they are bound to the proof some other way. Changing either
    # point requires the same change on the proving side.
    h = hashlib.sha256()
    h.update(ecdsa.expand_pub(c))
    h.update(ecdsa.expand_pub(w1))
    h.update(ecdsa.expand_pub(d))
    h.update(ecdsa.expand_pub(w2))
    h.update(str(m1))
    h.update(str(m2))
    h.update(str(z1))
    h.update(ecdsa.expand_pub(u1prim))
    h.update(str(u2prim))
    h.update(str(u3prim))
    h.update(str(z2))
    h.update(ecdsa.expand_pub(y))
    h.update(ecdsa.expand_pub(v1prim))
    h.update(ecdsa.expand_pub(v2prim))
    h.update(str(v3prim))
    h.update(str(v4prim))

    eprime = long(h.hexdigest(), 16)

    # Diagnostic output written to stdout on every verification.
    print "\n****************************************"
    print "Verifying Pi zkp:"
    print "e", e
    print "e'", eprime
    print "****************************************"

    return e == eprime
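def point_double(p):
    """Return ``p + p`` in affine coordinates.

    Uses the tangent slope ``(3*px^2 + a) / (2*py)`` modulo ``P``.

    Args:
        p: the identity (as recognised by ``is_zero``) or an ``(x, y)`` pair.

    Returns:
        ``ZERO`` when ``p`` is the identity or when ``2*py`` is zero
        modulo ``P``; otherwise the doubled point as ``(rx, ry)``, both
        reduced modulo ``P``.

    NOTE(review): nothing here checks that ``p`` satisfies the curve
    equation. Points received from a peer should be validated before they
    reach this arithmetic. The branches below also depend on the point
    value, so this is not constant-time code.
    """
    if is_zero(p):
        return ZERO
    px, py = p
    # A point whose y-coordinate is 0 is its own negative, so doubling it
    # gives the identity. Without this guard the slope below would ask for
    # the modular inverse of 0, which does not exist.
    if (2 * py) % P == 0:
        return ZERO
    lmbda = ((3 * px * px + a) * utils.inverse_mod(2 * py, P)) % P
    rx = (lmbda * lmbda - 2 * px) % P
    ry = (lmbda * (px - rx) - py) % P
    return rx, ry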
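def decrypt(private_key, ciphertext):
    """Recover the plaintext byte string from an integer ciphertext.

    The ciphertext is multiplied by ``r^-1 mod N`` and the result is
    decomposed greedily over ``key``, largest element first. Bit ``j`` of
    the recovered integer is set when ``key[j]`` is part of the sum. The
    integer is then converted to bytes through its hexadecimal form
    (Python 2 ``str.decode('hex')``).

    Args:
        private_key: triple ``(N, r, key)``.
        ciphertext: integer ciphertext.

    Returns:
        The decoded byte string. Leading zero bytes of the original
        message cannot be recovered, because the value passes through an
        integer.

    NOTE(review): the greedy decomposition is only correct if ``key`` is
    superincreasing -- presumably a Merkle-Hellman style knapsack key;
    confirm. Schemes of that family are known to be breakable and should
    not protect real data.
    NOTE(review): the remainder left in ``C`` after the loop is not
    checked, so a malformed ciphertext decodes to some output instead of
    being rejected.
    """
    N, r, key = private_key
    s = inverse_mod(r, N)
    C = (ciphertext * s) % N
    p = 0
    nbits = len(key)
    for i, k in enumerate(key[::-1]):
        if C >= k:
            C -= k
            p |= (1 << (nbits - i - 1))
    # '%x' yields the same digits as hex(long(p))[2:-1]. Pad to an even
    # number of digits: decode('hex') raises on odd-length input, which
    # happened whenever the top byte of the plaintext was below 0x10.
    digits = '%x' % p
    if len(digits) % 2:
        digits = '0' + digits
    return digits.decode('hex')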
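def decrypt(private_key, ciphertext):
    """Recover the plaintext byte string from an integer ciphertext.

    The ciphertext is multiplied by ``r^-1 mod N`` and the result is
    decomposed greedily over ``key``, largest element first. Bit ``j`` of
    the recovered integer is set when ``key[j]`` is part of the sum. The
    integer is then converted to bytes through its hexadecimal form
    (Python 2 ``str.decode('hex')``).

    Args:
        private_key: triple ``(N, r, key)``.
        ciphertext: integer ciphertext.

    Returns:
        The decoded byte string. Leading zero bytes of the original
        message cannot be recovered, because the value passes through an
        integer.

    NOTE(review): the greedy decomposition is only correct if ``key`` is
    superincreasing -- presumably a Merkle-Hellman style knapsack key;
    confirm. Schemes of that family are known to be breakable and should
    not protect real data.
    NOTE(review): the remainder left in ``C`` after the loop is not
    checked, so a malformed ciphertext decodes to some output instead of
    being rejected.
    """
    N, r, key = private_key
    s = inverse_mod(r, N)
    C = (ciphertext * s) % N
    p = 0
    nbits = len(key)
    for i, k in enumerate(key[::-1]):
        if C >= k:
            C -= k
            p |= (1 << (nbits - i - 1))
    # '%x' yields the same digits as hex(long(p))[2:-1]. Pad to an even
    # number of digits: decode('hex') raises on odd-length input, which
    # happened whenever the top byte of the plaintext was below 0x10.
    digits = '%x' % p
    if len(digits) % 2:
        digits = '0' + digits
    return digits.decode('hex')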
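def point_add(p, q):
    """Return ``p + q`` in affine coordinates.

    Args:
        p, q: each either the identity (as recognised by ``is_zero``) or
            an ``(x, y)`` pair.

    Returns:
        The other operand when one is the identity; ``ZERO`` when the
        points are negatives of each other; ``point_double(p)`` when they
        share an x-coordinate otherwise; else the chord-rule sum
        ``(rx, ry)`` reduced modulo ``P``.

    NOTE(review): nothing here checks that ``p`` and ``q`` satisfy the
    curve equation. Points received from a peer should be validated
    before they reach this arithmetic. The branches depend on the point
    values, so this is not constant-time code.
    """
    # Test for the identity before unpacking, as point_double does, so the
    # representation of ZERO is never destructured into coordinates.
    if is_zero(p):
        return q
    if is_zero(q):
        return p
    px, py = p
    qx, qy = q
    # Compare x-coordinates modulo P, matching the modular test on the
    # y-coordinates below. With a plain == an unreduced coordinate would
    # fall through to the chord formula and invert a multiple of P.
    if (px - qx) % P == 0:
        if (py + qy) % P == 0:
            return ZERO
        return point_double(p)
    lmbda = ((qy - py) * utils.inverse_mod(qx - px, P)) % P
    rx = (lmbda * lmbda - px - qx) % P
    ry = (lmbda * (px - rx) - py) % P
    return rx, ry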
def pi2_verify(pi2, c, d, w1, w2, m1, m2, m3, m4, zkp, ka_pub, kb_pub):
    """Verify the non-interactive proof ``pi2`` against a hash-derived challenge.

    The commitments are recomputed from the responses in ``pi2`` and the
    challenge ``e``, then hashed with statement values using SHA-512. The
    proof is accepted when that hash, read as an integer, equals ``e``.

    Args:
        pi2: 16-tuple ``(z1, z2, z3, y, e, s1, s2, s3, s4, t1, t2, t3, t4,
            t5, t6, t7)``.
        c, d, w1, w2: values passed to ``ecdsa.point_mult`` /
            ``ecdsa.expand_pub`` (curve points, presumably).
        m1: integer inverted modulo ``pknprim ** 2``.
        m2: integer inverted modulo ``pkn ** 2``.
        m3, m4: bases raised to ``s4`` and ``t7`` modulo ``pkn ** 2``.
        zkp: triple ``(ntild, h1, h2)``: a modulus and two bases.
        ka_pub: pair ``(pkn, g)``.
        kb_pub: pair ``(pknprim, gprim)``.

    Returns:
        ``True`` exactly when the recomputed challenge equals ``e``.

    NOTE(review): ``pi_verify`` in this file rejects ``s1`` / ``t1`` above
    ``ecdsa.n ** 3`` before doing anything else. This function applies no
    range check to any response. Confirm against the protocol
    specification which bounds are required here (e.g. on ``s1``, ``t1``
    and ``t5``).
    NOTE(review): nothing visible here checks that ``c``, ``d``, ``w1``,
    ``w2`` and ``y`` are valid curve points, or that ``m1``, ``m2``, ``z1``,
    ``z2`` and ``z3`` are invertible for their modulus.
    """
    z1, z2, z3, y, e, s1, s2, s3, s4, t1, t2, t3, t4, t5, t6, t7 = pi2
    pkn, g = ka_pub
    pkn2 = pkn * pkn
    pknprim, gprim = kb_pub
    pknprim2 = pknprim * pknprim
    ntild, h1, h2 = zkp

    # -e reduced modulo the group order, used for the curve operations only.
    # The modular exponentiations below use the unreduced e.
    minuse = (e * -1) % ecdsa.n

    # u1' = s1*c - e*w1
    u1prim = ecdsa.point_add(ecdsa.point_mult(c, s1), ecdsa.point_mult(w1, minuse))

    # u2' = gprim^s1 * s2^pknprim * m1^(-e)  (mod pknprim^2)
    u2inv = utils.inverse_mod(m1, pknprim2)
    u2prim = (pow(gprim, s1, pknprim2) * pow(s2, pknprim, pknprim2)
              * pow(u2inv, e, pknprim2)) % pknprim2

    # u3' = h1^s1 * h2^s3 * z1^(-e)  (mod ntild)
    u3inv = utils.inverse_mod(z1, ntild)
    u3prim = (pow(h1, s1, ntild) * pow(h2, s3, ntild) * pow(u3inv, e, ntild)) % ntild

    # v1' = (t1 + t2)*d - e*y
    v1prim = ecdsa.point_add(ecdsa.point_mult(d, t1 + t2), ecdsa.point_mult(y, minuse))
    # v2' = s1*w2 + t2*d - e*y
    v2prim = ecdsa.point_add(
        ecdsa.point_add(ecdsa.point_mult(w2, s1), ecdsa.point_mult(d, t2)),
        ecdsa.point_mult(y, minuse))

    # v3' = m3^s4 * m4^t7 * g^(ecdsa.n * t5) * t3^pkn * m2^(-e)  (mod pkn^2)
    v3inv = utils.inverse_mod(m2, pkn2)
    v3prim = (pow(m3, s4, pkn2) * pow(m4, t7, pkn2) * pow(g, ecdsa.n * t5, pkn2)
              * pow(t3, pkn, pkn2) * pow(v3inv, e, pkn2)) % pkn2

    # v4' = h1^t1 * h2^t4 * z2^(-e)  (mod ntild)
    v4inv = utils.inverse_mod(z2, ntild)
    v4prim = (pow(h1, t1, ntild) * pow(h2, t4, ntild) * pow(v4inv, e, ntild)) % ntild

    # v5' = h1^t5 * h2^t6 * z3^(-e)  (mod ntild)
    v5inv = utils.inverse_mod(z3, ntild)
    v5prim = (pow(h1, t5, ntild) * pow(h2, t6, ntild) * pow(v5inv, e, ntild)) % ntild

    # Challenge transcript. The order of these updates is part of the
    # protocol and has to match the prover byte for byte.
    # NOTE(review): m3 and m4 enter v3' above but are not hashed here, and
    # neither are the two public keys or (ntild, h1, h2); confirm they are
    # bound to the proof some other way.
    # NOTE(review): integers are appended as decimal str() with no length
    # prefix or separator, so the boundaries between adjacent integers are
    # not encoded in the hash input. Changing either point requires the
    # same change on the proving side.
    h = hashlib.sha512()
    h.update(ecdsa.expand_pub(c))
    h.update(ecdsa.expand_pub(w1))
    h.update(ecdsa.expand_pub(d))
    h.update(ecdsa.expand_pub(w2))
    h.update(str(m1))
    h.update(str(m2))
    h.update(str(z1))
    h.update(ecdsa.expand_pub(u1prim))
    h.update(str(u2prim))
    h.update(str(u3prim))
    h.update(str(z2))
    h.update(str(z3))
    h.update(ecdsa.expand_pub(y))
    h.update(ecdsa.expand_pub(v1prim))
    h.update(ecdsa.expand_pub(v2prim))
    h.update(str(v3prim))
    h.update(str(v4prim))
    h.update(str(v5prim))

    eprime = long(h.hexdigest(), 16)

    # Diagnostic output written to stdout on every verification.
    print "\n****************************************"
    print "Verifying Pi' zkp:"
    print "e", e
    print "e'", eprime
    print "****************************************\n"

    return e == eprime