def randomization(ssk, pp, r):
(pixelg2gen, h, hlist) = default_param
(time, g2r, hpoly, hvector) = copy.deepcopy(ssk)
# randomize g2r: g2r += g2^r
tmp = point_mul(r, pixelg2gen)
g2r = point_add(g2r, tmp)
# compute tmp = hv[0] * prod_i h[i]^time_vec[i]
tmp = hlist[0]
time_vec = time_to_vec(time, d)
for i in range(len(time_vec)):
tmp2 = point_mul(time_vec[i], hlist[i + 1])
tmp = point_add(tmp, tmp2)
# radomize tmp and set hpoly *= tmp^r
tmp = point_mul(r, tmp)
hpoly_new = point_add(hpoly, tmp)
# randmoize hvector:
# hvector_new[i] = hvector[i] * hlist[i+|t|+1]^r
hvector_new = []
for i in range(len(hvector)):
tmp = point_mul(r, hlist[i + 1 + len(time_vec)])
hvector_new.append(point_add(tmp, hvector[i]))
return (time, g2r, hpoly_new, hvector_new)
def sign_present(sk, tar_time, pp, msg):
ssk = sk[1][0]
assert ssk[0] == tar_time
timevec = time_to_vec(tar_time, d)
(pixelg2gen, h, hlist) = pp
r = prng_sample(sk[0],
b"Pixel randomness for signing" + msg + I2OSP(tar_time, 4))
m = hash_msg_into_fr(msg)
# sig1 = g2^r + ssk.g2r
sig1 = copy.deepcopy(ssk[1])
tmp = copy.deepcopy(pixelg2gen)
tmp = point_mul(r, tmp)
sig1 = point_add(sig1, tmp)
# tmp = h0 * \prod h_i ^ t_i * h_d^m
tmp = copy.deepcopy(hlist[0])
for i in range(len(timevec)):
tmp2 = copy.deepcopy(hlist[i + 1])
tmp2 = point_mul(timevec[i], tmp2)
tmp = point_add(tmp, tmp2)
tmp2 = copy.deepcopy(hlist[d])
tmp2 = point_mul(m, tmp2)
tmp = point_add(tmp, tmp2)
# sig2 = ssk.hpoly * hv[d]^m * tmp^r
sig2 = copy.deepcopy(ssk[2])
tmp3 = copy.deepcopy(ssk[3][len(ssk[3]) - 1])
tmp3 = point_mul(m, tmp3)
sig2 = point_add(sig2, tmp3)
tmp = point_mul(r, tmp)
sig2 = point_add(sig2, tmp)
return (tar_time, sig1, sig2)
def key_gen(seed):
(pixelg2gen, h, hlist) = default_param
# hard code the ciphersuite byte \0 in the salt
salt = b"Pixel master key\0"
info = b"key initialization"
prng = prng_init(seed, salt)
x, prng = prng_sample_then_update(prng,info)
# pk = g2^x
pk = point_mul(x, pixelg2gen)
# msk = h^x
msk = point_mul(x, h)
# r: randomness used in init
info = b"Pixel secret key init" + b"\0\0\0\1"
r, prng = prng_sample_then_update(prng,info)
# g2r = g2^2
g2r = point_mul(r, pixelg2gen)
# hpoly = h^x * h0^r
hpoly = point_mul(r, hlist[0])
hpoly = point_add(hpoly, msk)
# hvector = [hi^r] for i!=0
hvector = []
for i in range(len(hlist)-1):
tmp = point_mul(r, hlist[i+1])
hvector.append(tmp)
ssk1 = (1, g2r, hpoly, hvector)
sk = (prng, [ssk1])
return (pk, sk)
def delegate(ssk, tar_time):
(cur_time, g2r, hpoly, hvector) = copy.deepcopy(ssk)
cur_time_vec = time_to_vec(cur_time, d)
tar_time_vec = time_to_vec(tar_time, d)
# hpoly *= h_i ^ t_i
for i in range(len(tar_time_vec) - len(cur_time_vec)):
tmp = point_mul(tar_time_vec[i + len(cur_time_vec)], hvector[i])
hpoly = point_add(hpoly, tmp)
# remove the first `tar_vec_length - cur_vec_length` elements in h-vector
for _ in range(len(tar_time_vec) - len(cur_time_vec)):
del hvector[0]
# return the new ssk
return (tar_time, g2r, hpoly, hvector)
def G2mul(a,b): return point_mul(b,a)
def G1mul(a,b): ## a group element, b scalar return point_mul(b,a)
def pop_prove(x_prime, pk, ciphersuite):
pk_bytes = serialize(pk, True) # serialize in compressed form
P = map2curve_osswu2(pk_bytes, ciphersuite)
return point_mul(x_prime, P)
def sign(x_prime, msg, ciphersuite):
P = map2curve_osswu2(msg, ciphersuite)
return point_mul(x_prime, P)
def keygen(sk):
x_prime = Hr(sk)
return (x_prime, point_mul(x_prime, g1gen))
def _sign_aug(x_prime, msg, ciphersuite, pk=None, gen=None, sign_fn=sign):
if pk is None:
pk = point_mul(x_prime, gen)
pk_bytes = serialize(pk, True) # serialize in compressed form
return sign_fn(x_prime, pk_bytes + msg, ciphersuite)
def _sign(x_prime, msg, ciphersuite, map_fn):
P = map_fn(msg, ciphersuite)
return point_mul(x_prime, P)
def _keygen(sk, gen):
x_prime = xprime_from_sk(sk)
return (x_prime, point_mul(x_prime, gen))
def _keygen(sk, gen):
x_prime = Hr(sk)
return (x_prime, point_mul(x_prime, gen))
