Ejemplo n.º 1
0
    def verify(self, params, pk, m, n, sig):
        """
		Verifies a signature on messages m
		e(R,V) e(S,H) Pi e(M_i,W_i) == e(G,Z)
		e(R,T) Pi e(U_i, N_i) == e(G,H)
		"""
        #print("BSPS: Verify")
        R, S, T = sig
        o, G, g1, g2, e = params
        if (R.eq(G1Elem.inf(G)) and S.eq(G1Elem.inf(G))
                and T.eq(G2Elem.inf(G))):
            print("BSPS: Verify --- Error: signature null")
            print("BSPS: Verify", 0)
            return 0

        U, W, V, Z = pk

        res1 = e(R, V) * e(S, g2)
        for i in range(self.msg_g1):
            if i < len(m):
                res1 = res1 * e(m[i], W[i])
            else:
                res1 = res1 * e(g1, W[i])

        res2 = e(R, T)
        for j in range(self.msg_g2):
            if j < len(n):
                res2 = res2 * e(U[j], n[j])
            else:
                res2 = res2 * e(U[j], g2)

        return res1.eq(e(g1, Z)) and res2.eq(e(g1, g2))
Ejemplo n.º 2
0
def blind_verify(params, aggr_vk, sigma, kappa, nu, pi_v, public_m=[]):
	"""
	Verify credentials.

	Parameters:
		- `params`: public parameters generated by `setup`
		- `aggr_vk` (G2Elem, G2Elem, [G2Elem]): aggregated verification key
		- `sigma` (G1Elem, G1Elem): credential
		- `kappa` (G2Elem): group element to verify the credentials
		- `nu` (G2Elem): group element to verify the credentials
		- `pi_v`: zero-knowledge proof asserting correctness of `kappa` and `nu`
		- `public_m` [Bn]: optional, array containing the public attributes

	Returns:
		- `ret` (bool): whether the credential verifies
	"""
	(G, o, g1, hs, g2, e) = params
	(g2, _, beta) = aggr_vk
	(h, s) = sigma
	private_m_len = len(pi_v[1])
	assert len(public_m)+private_m_len <= len(beta)
	# verify proof of correctness
	assert verify_pi_v(params, aggr_vk, sigma, kappa, nu, pi_v)
	# add clear text messages
	aggr = G2Elem.inf(G) 
	if len(public_m) != 0:
		aggr = ec_sum([public_m[i]*beta[i+private_m_len] for i in range(len(public_m))])
	# verify
	return not h.isinf() and e(h, kappa+aggr) == e(s+nu, g2)
Ejemplo n.º 3
0
    def sign(self, params, sk, m, n):
        """Signs a list of group elements of G1 and G2"""
        #print("BSPS: Sign")
        o, G, g1, g2, _ = params
        if len(m) > self.msg_g1 or len(n) > self.msg_g2:
            print("BSPS: Sign --- Error: message(s) too long", len(m), ">?",
                  self.msg_g1, len(n), ">?", self.msg_g2)
            return (G1Elem.inf(G), G1Elem.inf(G), G2Elem.inf(G))
        u, w, v, z = sk

        r = o.random()
        R = r * g1
        temp = z.mod_sub(r.mod_mul(v, o), o)
        S = temp * g1
        T = g2

        for i in range(self.msg_g1):
            if i < len(m):
                S = S + w[i].int_neg() * m[i]
            else:
                S = S + w[i].int_neg() * g1
        for j in range(self.msg_g2):
            if j < len(n):
                T = T + u[j].int_neg() * n[j]
            else:
                T = T + u[j].int_neg() * g2

        return [R, S, r.mod_inverse(o) * T]
Ejemplo n.º 4
0
 def getflag(self):
     print(
         "gonna have to see some credentials, you know at least two admins gotta sign off on this stuff:"
     )
     (s0, p0) = self.getsignature(
         "first signature, please\n",
         "and who is this from (the public key, if you please)?\n",
     )
     (s1, p1) = self.getsignature(
         "OK, and the second?\n", "who gave you this one (again, by public key)?\n"
     )
     assert s0 != s1
     p2 = G2Elem.from_bytes(
         b64decode(
             str(
                 raw_input(
                     "who didn't sign? We need their public key to run everything\n"
                 )
             )
         ),
         self.params[0],
     )
     if verify(
         self.params,
         aggregate_vk(self.params, [p0, p1, p2], threshold=True),
         aggregate_sigma(self.params, [s0, s1], threshold=True),
         "this stuff",
     ):
         with open("flag.txt") as f:
             print(f.read())
     else:
         print("lol nice try")
Ejemplo n.º 5
0
def verify_cred(params, aggr_vk, Theta, public_m=[]):
    """
    Verify credentials.

    Parameters:
        - `params`: public parameters generated by `setup`
        - `aggr_vk`: aggregated verification key
        - `Theta`: credential and cryptographic material to verify them
        - `public_m` [Bn]: optional, array containing the public attributes

    Returns:
        - `ret` (bool): whether the credential verifies
    """
    (G, o, g1, hs, g2, e) = params
    (g2, _, beta) = aggr_vk
    (kappa, nu, sigma, pi_v) = Theta
    (h, s) = sigma
    private_m_len = len(pi_v[1])
    assert len(public_m) + private_m_len <= len(beta)
    # verify proof of correctness
    assert verify_pi_v(params, aggr_vk, sigma, kappa, nu, pi_v)
    # add clear text messages
    aggr = G2Elem.inf(G)
    if len(public_m) != 0:
        aggr = ec_sum([
            public_m[i] * beta[i + private_m_len] for i in range(len(public_m))
        ])
    # verify
    return not h.isinf() and e(h, kappa + aggr) == e(s + nu, g2)
Ejemplo n.º 6
0
 def getflag(self):
   print('gonna have to see some credentials, you know at least two admins gotta sign off on this stuff:')
   (s0, p0) = self.getsignature('first signature, please\n', 'and who is this from (the public key, if you please)?\n')
   (s1, p1) = self.getsignature('OK, and the second?\n', 'who gave you this one (again, by public key)?\n')
   p2 = G2Elem.from_bytes(b64decode(str(raw_input('who didn\'t sign? We need their public key to run everything\n'))), self.params[0])
   assert(s0 != s1 and p0 != p1 and p1 != p2 and p2 != p0)
   if verify(self.params, aggregate_vk(self.params, [p0,p1,p2], threshold=True), aggregate_sigma(self.params, [s0, s1], threshold=True), 'this stuff'):
     with open('flag.txt') as f: print(f.read())
   else:
     print('lol nice try')
Ejemplo n.º 7
0
def mix_verify(params, vk, kappa, sig, proof, m):
    """ verify a signature on a mixed clear and hidden message """
    (G, o, g1, h1, g2, e) = params
    (g2, X, Y) = vk
    (h, epsilon) = sig
    hidden_m_len = len(proof[1])
    assert len(m) + hidden_m_len <= len(Y)
    # verify proof of correctness
    assert verify_mix_show(params, vk, kappa, proof)
    # add clear text messages
    aggr = G2Elem.inf(G)
    if len(m) != 0:
        aggr = ec_sum([m[i] * Y[i + hidden_m_len] for i in range(len(m))])
    # verify
    return not h.isinf() and e(h, kappa + aggr) == e(epsilon, g2)
Ejemplo n.º 8
0
def proof_pkuv(gsp, X, Y):
    res = []
    B = []
    A = []
    C = []
    for i in range(len(X)):
        row = []
        for j in range(len(Y)):
            row.append(Bn(0))
        C.append(row)
    C[6][0] = Bn(1)  # pk_uv
    C[5][1] = Bn(-1)  # - h_v^sku
    success, result = gsp.Prove_aggreg("MC1", X, B, A, Y, C, G1Elem.inf(gsp.G))
    verify = 0
    if success:
        eq_type, X, Y, C, T_eq, pi2_v1, pi2_w1, pi1_v2, pi1_w2 = result
        #verify = gsp.Verify(eq_type, X, Y, C, pi2_v1, pi2_w1, pi1_v2, pi1_w2)
        #if verify:
        res = [C, [pi2_v1, pi2_w1, pi1_v2, pi1_w2]]
    #print("Do we successfully create a proof?", success)
    #print("Does the proof successfully verify?", verify)

    print("\n----pk uv")
    for i in range(len(res[1])):
        for j in range(2):
            if type(res[1][i][j]) == G1Elem:
                print(i, j, type(res[1][i][j]),
                      res[1][i][j].eq(G1Elem.inf(gsp.G)))
            else:
                print(i, j, type(res[1][i][j]),
                      res[1][i][j].eq(G2Elem.inf(gsp.G)))

    b = challenge(result)
    for i in range(len(res[0])):
        for j in range(len(res[0][0])):
            if res[0][i][j] != 0:
                res[0][i][j] = b * res[0][i][j]
    for i in range(len(res[1])):
        for j in range(len(res[1][i])):
            res[1][i][j] = b * res[1][i][j]

    #verify = gsp.Verify("ME1", X, Y, C, res[1][0], res[1][1], res[1][2], res[1][3])
    #print("Does the (aggregate) proof verify?", verify)

    return res
Ejemplo n.º 9
0
def get_infs(gk):
    inf1 = G1Elem.inf(gk.G)
    inf2 = G2Elem.inf(gk.G)
    return inf1, inf2