def test_signature_and_dlrne_fails_on_wrong_secret():
"""
We manually modify a secret in the DLNE member, i.e we wrongfully claim to use the same "s" i the
signature and in the DLNE.
Should be detected and raise an Exception.
"""
mG = BilinearGroupPair()
keypair = BBSPlusKeypair.generate(mG, 9)
messages = [Bn(30), Bn(31), Bn(32)]
pk, sk = keypair.pk, keypair.sk
generators, h0 = keypair.generators, keypair.h0
creator = BBSPlusSignatureCreator(pk)
lhs = creator.commit(messages)
presignature = sk.sign(lhs.com_message)
signature = creator.obtain_signature(presignature)
e, s, m1, m2, m3 = (Secret() for _ in range(5))
secret_dict = {
e: signature.e,
s: signature.s,
m1: messages[0],
m2: messages[1],
m3: messages[2],
}
sigproof = BBSPlusSignatureStmt([e, s, m1, m2, m3], pk, signature)
g1 = mG.G1.generator()
pg1 = signature.s * g1
pg2, g2 = mG.G1.order().random() * g1, mG.G1.order().random() * g1
dneq = DLNotEqual((pg1, g1), (pg2, g2), s, bind=True)
secrets = [Secret() for _ in range(5)]
sigproof1 = BBSPlusSignatureStmt(secrets, pk, signature)
dneq1 = DLNotEqual((pg1, g1), (pg2, g2), secrets[1], bind=True)
andp = sigproof & dneq
andp1 = sigproof1 & dneq1
prov = andp.get_prover(secret_dict)
prov.subs[1].secret_values[s] = signature.s + 1
ver = andp1.get_verifier()
ver.process_precommitment(prov.precommit())
commitment = prov.commit()
challenge = ver.send_challenge(commitment)
responses = prov.compute_response(challenge)
with pytest.raises(ValidationError):
ver.verify(responses)
def test_signature_and_dlrne_does_not_fail_on_wrong_secret_when_non_binding():
"""
Manually modify a secret in the DLNE member, i.e we wrongfully claim to use the same "s" i the
signature and in the DLNE. Should not be detected since bindings in the DLNE are False.
"""
mG = BilinearGroupPair()
keypair = BBSPlusKeypair.generate(mG, 9)
messages = [Bn(30), Bn(31), Bn(32)]
pk, sk = keypair.pk, keypair.sk
generators, h0 = keypair.generators, keypair.h0
creator = BBSPlusSignatureCreator(pk)
lhs = creator.commit(messages)
presignature = sk.sign(lhs.com_message)
signature = creator.obtain_signature(presignature)
e, s, m1, m2, m3 = (Secret() for _ in range(5))
secret_dict = {
e: signature.e,
s: signature.s,
m1: messages[0],
m2: messages[1],
m3: messages[2],
}
sigproof = BBSPlusSignatureStmt([e, s, m1, m2, m3], pk, signature)
g1 = mG.G1.generator()
pg1 = signature.s * g1 + g1
pg2, g2 = mG.G1.order().random() * g1, mG.G1.order().random() * g1
splus = Secret(signature.s + 1)
dneq = DLNotEqual((pg1, g1), (pg2, g2), splus, bind=False)
secrets = [Secret() for _ in range(5)]
sigproof1 = BBSPlusSignatureStmt(secrets, pk, signature)
# Note difference: dneq above uses an independent secret for dneq,
# here it is bound to the secret s (secrets[1]) from the signature proof
dneq1 = DLNotEqual((pg1, g1), (pg2, g2), secrets[1])
andp = sigproof & dneq
andp1 = sigproof1 & dneq1
prov = andp.get_prover(secret_dict)
ver = andp1.get_verifier()
ver.process_precommitment(prov.precommit())
commitment = prov.commit()
challenge = ver.send_challenge(commitment)
responses = prov.compute_response(challenge)
assert ver.verify(responses)
def test_bbsplus_and_range():
from zksk.primitives.rangeproof import RangeStmt
from zksk.utils import make_generators
mG = BilinearGroupPair()
keypair = BBSPlusKeypair.generate(mG, 9)
pk, sk = keypair.pk, keypair.sk
generators, h0 = keypair.generators, keypair.h0
creator = BBSPlusSignatureCreator(pk)
msg_val = Bn(30)
lhs = creator.commit([msg_val])
presignature = sk.sign(lhs.com_message)
signature = creator.obtain_signature(presignature)
e, s, m = Secret(signature.e), Secret(signature.s), Secret(msg_val)
p1 = BBSPlusSignatureStmt([e, s, m], pk, signature)
g, h = make_generators(2, mG.G1)
randomizer = Secret(value=mG.G1.order().random())
com = m * g + randomizer * h
p2 = RangeStmt(com.eval(), g, h, 18, 9999, m, randomizer)
stmt = p1 & p2
proof = stmt.prove()
assert stmt.verify(proof)
def test_bbsplus_and_proof():
mG = BilinearGroupPair()
keypair = BBSPlusKeypair.generate(mG, 9)
messages = [Bn(30), Bn(31), Bn(32)]
pk, sk = keypair.pk, keypair.sk
generators, h0 = keypair.generators, keypair.h0
creator = BBSPlusSignatureCreator(pk)
lhs = creator.commit(messages)
presignature = sk.sign(lhs.com_message)
signature = creator.obtain_signature(presignature)
e, s, m1, m2, m3 = (Secret() for _ in range(5))
secret_dict = {
e: signature.e,
s: signature.s,
m1: messages[0],
m2: messages[1],
m3: messages[2],
}
sigproof = BBSPlusSignatureStmt([e, s, m1, m2, m3], pk, signature)
creator = BBSPlusSignatureCreator(pk)
lhs = creator.commit(messages)
presignature2 = sk.sign(lhs.com_message)
signature2 = creator.obtain_signature(presignature2)
e1, s1, m1, m2, m3 = (Secret() for _ in range(5))
secret_dict2 = {
e1: signature2.e,
s1: signature2.s,
m1: messages[0],
m2: messages[1],
m3: messages[2],
}
sigproof1 = BBSPlusSignatureStmt([e1, s1, m1, m2, m3], pk, signature2)
secret_dict.update(secret_dict2)
andp = sigproof & sigproof1
prov = andp.get_prover(secret_dict)
ver = andp.get_verifier()
protocol = SigmaProtocol(ver, prov)
assert protocol.verify()
def test_signature_or_dlrne():
"""
Construct a signature on a set of messages, and then pairs the proof of knowledge of this signature with
a proof of non-equality of two DL, one of which is the blinding exponent 's' of the signature.
"""
mG = BilinearGroupPair()
keypair = BBSPlusKeypair.generate(mG, 9)
messages = [Bn(30), Bn(31), Bn(32)]
pk, sk = keypair.pk, keypair.sk
generators, h0 = keypair.generators, keypair.h0
creator = BBSPlusSignatureCreator(pk)
lhs = creator.commit(messages)
presignature = sk.sign(lhs.com_message)
signature = creator.obtain_signature(presignature)
e, s, m1, m2, m3 = (Secret() for _ in range(5))
secret_dict = {
e: signature.e,
s: signature.s,
m1: messages[0],
m2: messages[1],
m3: messages[2],
}
sigproof = BBSPlusSignatureStmt([e, s, m1, m2, m3], pk, signature)
g1 = mG.G1.generator()
pg1 = signature.s * g1
pg2, g2 = mG.G1.order().random() * g1, mG.G1.order().random() * g1
dneq = DLNotEqual((pg1, g1), (pg2, g2), s, bind=True)
andp = sigproof | dneq
secrets = [Secret() for _ in range(5)]
sigproof1 = BBSPlusSignatureStmt(secrets, pk)
dneq1 = DLNotEqual((pg1, g1), (pg2, g2), secrets[1], bind=True)
andp1 = sigproof1 | dneq1
prov = andp.get_prover(secret_dict)
ver = andp1.get_verifier()
ver.process_precommitment(prov.precommit())
commitment = prov.commit()
challenge = ver.send_challenge(commitment)
responses = prov.compute_response(challenge)
assert ver.verify(responses)
def test_and_sig_non_interactive():
mG = BilinearGroupPair()
keypair = BBSPlusKeypair.generate(mG, 9)
messages = [Bn(30), Bn(31), Bn(32)]
pk, sk = keypair.pk, keypair.sk
generators, h0 = keypair.generators, keypair.h0
creator = BBSPlusSignatureCreator(pk)
lhs = creator.commit(messages)
presignature = sk.sign(lhs.com_message)
signature = creator.obtain_signature(presignature)
e, s, m1, m2, m3 = (Secret() for _ in range(5))
secret_dict = {
e: signature.e,
s: signature.s,
m1: messages[0],
m2: messages[1],
m3: messages[2],
}
sigproof = BBSPlusSignatureStmt([e, s, m1, m2, m3], pk, signature)
creator = BBSPlusSignatureCreator(pk)
lhs = creator.commit(messages)
presignature2 = sk.sign(lhs.com_message)
signature2 = creator.obtain_signature(presignature2)
e1, s1 = (Secret() for _ in range(2))
secret_dict2 = {
e1: signature2.e,
s1: signature2.s,
m1: messages[0],
m2: messages[1],
m3: messages[2],
}
sigproof1 = BBSPlusSignatureStmt([e1, s1, m1, m2, m3], pk, signature2)
secret_dict.update(secret_dict2)
andp = sigproof & sigproof1
tr = andp.prove(secret_dict)
assert andp.verify(tr)
def test_signature_non_interactive_proof():
mG = BilinearGroupPair()
keypair = BBSPlusKeypair.generate(mG, 9)
messages = [Bn(30), Bn(31), Bn(32)]
pk, sk = keypair.pk, keypair.sk
generators, h0 = keypair.generators, keypair.h0
creator = BBSPlusSignatureCreator(pk)
lhs = creator.commit(messages)
presignature = sk.sign(lhs.com_message)
signature = creator.obtain_signature(presignature)
e, s, m1, m2, m3 = (Secret() for _ in range(5))
secret_dict = {
e: signature.e,
s: signature.s,
m1: messages[0],
m2: messages[1],
m3: messages[2],
}
p1 = BBSPlusSignatureStmt([e, s, m1, m2, m3], pk, signature)
tr = p1.prove(secret_dict)
p1 = BBSPlusSignatureStmt([Secret() for _ in range(5)], pk)
assert p1.verify(tr)
def test_signature_proof():
mG = BilinearGroupPair()
keypair = BBSPlusKeypair.generate(mG, 9)
messages = [Bn(30), Bn(31), Bn(32)]
pk, sk = keypair.pk, keypair.sk
generators, h0 = keypair.generators, keypair.h0
creator = BBSPlusSignatureCreator(pk)
lhs = creator.commit(messages)
presignature = sk.sign(lhs.com_message)
signature = creator.obtain_signature(presignature)
e, s, m1, m2, m3 = (Secret() for _ in range(5))
secret_dict = {
e: signature.e,
s: signature.s,
m1: messages[0],
m2: messages[1],
m3: messages[2],
}
p1 = BBSPlusSignatureStmt([e, s, m1, m2, m3], pk, signature)
prover = p1.get_prover(secret_dict)
p2 = BBSPlusSignatureStmt([Secret() for _ in range(5)], pk)
verifier = p2.get_verifier()
pc = prover.precommit()
verifier.process_precommitment(pc)
com = prover.commit()
chal = verifier.send_challenge(com)
resp = prover.compute_response(chal)
assert verifier.verify(resp)