def _CoreAggregateVerify(cls, PKs: Sequence[BLSPubkey],
messages: Sequence[bytes],
signature: BLSSignature, DST: bytes) -> bool:
try:
# Inputs validation
for pk in PKs:
assert cls._is_valid_pubkey(pk)
for message in messages:
assert cls._is_valid_message(message)
assert len(PKs) == len(messages)
assert cls._is_valid_signature(signature)
# Preconditions
assert len(PKs) >= 1
# Procedure
signature_point = signature_to_G2(signature)
if not subgroup_check(signature_point):
return False
aggregate = FQ12.one()
for pk, message in zip(PKs, messages):
assert cls.KeyValidate(pk)
pubkey_point = pubkey_to_G1(pk)
message_point = hash_to_G2(message, DST, cls.xmd_hash_function)
aggregate *= pairing(message_point,
pubkey_point,
final_exponentiate=False)
aggregate *= pairing(signature_point,
neg(G1),
final_exponentiate=False)
return final_exponentiate(aggregate) == FQ12.one()
except (ValidationError, ValueError, AssertionError):
return False
def _CoreVerify(cls, PK: BLSPubkey, message: bytes,
signature: BLSSignature, DST: bytes) -> bool:
try:
# Inputs validation
assert cls._is_valid_pubkey(PK)
assert cls._is_valid_message(message)
assert cls._is_valid_signature(signature)
# Procedure
assert cls.KeyValidate(PK)
signature_point = signature_to_G2(signature)
if not subgroup_check(signature_point):
return False
final_exponentiation = final_exponentiate(
pairing(
signature_point,
G1,
final_exponentiate=False,
) * pairing(
hash_to_G2(message, DST, cls.xmd_hash_function),
neg(pubkey_to_G1(PK)),
final_exponentiate=False,
))
return final_exponentiation == FQ12.one()
except (ValidationError, ValueError, AssertionError):
return False
def OpBLS_Sign(arg):
op = json.loads(arg)
private_key = to_int(op['priv'])
if private_key == 0 or private_key >= 52435875175126190479447740508185965837690552500527637822603658699938581184513:
return
cleartext = bytes.fromhex(op['cleartext'])
aug = bytes.fromhex(op['aug'])
msg = aug + cleartext
signature = bls_pop.Sign(private_key, msg)
signature = signature_to_G2(signature)
x = signature[0] / signature[2]
y = signature[1] / signature[2]
signature = [[str(x.coeffs[0]), str(y.coeffs[0])],
[str(x.coeffs[1]), str(y.coeffs[1])]]
public_key = bls_pop.SkToPk(private_key)
point = pubkey_to_G1(public_key)
point = [str(point[0]), str(point[1])]
j = {}
j['signature'] = signature
j['pub'] = point
r = json.dumps(j)
return bytes(r, 'utf-8')
def checker(data, msg):
agg_pk = Z1
agg_sig = Z2
for i in range(len(data)):
if data[i]["Vote"].encode() == msg:
agg_pk = add(agg_pk, pubkey_to_G1(bytes.fromhex(data[i]["PK"])))
agg_sig = add(agg_sig,
signature_to_G2(bytes.fromhex(data[i]["Sign"])))
isok = singlechecker(agg_pk, agg_sig, msg)
print(isok)
def reconstruct_shared_bls_signature(
signatures: Dict[int, BLSSignature]) -> BLSSignature:
"""
Reconstructs shared BLS private key signature.
Copied from https://github.com/dankrad/python-ibft/blob/master/bls_threshold.py
"""
r = Z2
for i, sig in signatures.items():
sig_point = signature_to_G2(sig)
coef = 1
for j in signatures:
if j != i:
coef = -coef * (j + 1) * prime_field_inv(i - j, PRIME) % PRIME
r = add(r, multiply(sig_point, coef))
return G2_to_signature(r)
def Aggregate(cls, signatures: Sequence[BLSSignature]) -> BLSSignature:
"""
The Aggregate algorithm aggregates multiple signatures into one.
Raise `ValidationError` when there is input validation error.
"""
try:
# Inputs validation
for signature in signatures:
assert cls._is_valid_signature(signature)
# Preconditions
assert len(signatures) >= 1
except Exception as e:
raise ValidationError(e)
# Procedure
aggregate = Z2 # Seed with the point at infinity
for signature in signatures:
signature_point = signature_to_G2(signature)
aggregate = add(aggregate, signature_point)
return G2_to_signature(aggregate)
io = remote(Host, Port)
# io = process('./server.py')
for i in data:
j = dumps({"Name": i["Name"], "Vote": i["Vote"], "Sign": i["Sign"]})
io.recvuntil(b'> ')
io.sendline(j)
# io.interactive()
io.recvuntil(b'reward : ')
return io.recvline().strip()
order = 52435875175126190479447740508185965837690552500527637822603658699938581184513
m1, m2 = [int(sha256(i).hexdigest(), 16) for i in [b"D", b"R"]]
idx, ny = [(i, j) for i, j in enumerate(result) if j["Name"] == 'New York'][0]
ny["Sign"] = G2_to_signature(
multiply(multiply(signature_to_G2(unhex(ny["Sign"])), invert(m1, order)),
m2)).hex()
ny["Vote"] = "R"
assert bls.Verify(unhex(ny["PK"]), ny["Vote"].encode(), unhex(ny["Sign"]))
result[idx] = ny
xored_flag = unhex(connect(result).decode())
fake_result = result[:]
w = fake_result[idx + 1]
ny = fake_result[idx]
ny["Sign"] = G2_to_signature(
add(signature_to_G2(unhex(ny["Sign"])),
multiply(signature_to_G2(unhex(w["Sign"])), 2))).hex()
w["Sign"] = G2_to_signature(neg(signature_to_G2(unhex(w["Sign"])))).hex()
assert bls.Verify(bls._AggregatePKs([unhex(ny["PK"]),
checker(wow, b"R")
checker(wow, b"D")
ex = True
q = 0x1a0111ea397fe69a4b1ba7b6434bacd764774b84f38512bf6730d2a0f6b0f6241eabfffeb153ffffb9feffffffffaaab
cv = ((q**12) - 1) // 115
ex = True
cnt = 0
for i in range(len(wow)):
# res = singlechecker(pubkey_to_G1(bytes.fromhex(wow[i]["PK"])), signature_to_G2(bytes.fromhex(wow[i]["Sign"])), wow[i]["Vote"].encode())
# print(res)
pub = pubkey_to_G1(bytes.fromhex(wow[i]["PK"]))
sig = signature_to_G2(bytes.fromhex(wow[i]["Sign"]))
print("pubkey check", i, subgroup_check(pub))
print("sig check", i, subgroup_check(sig))
if wow[i]["Vote"] == "D":
if ex:
ex = False
fin = creator(wow[i]["Name"], "D", wow[i]["Sign"])
r.sendline(fin)
continue
res1 = hasher(b"D")
res2 = hasher(b"R")
tt = (res2 * inverse(res1, cv)) % cv
sigs = signature_to_G2(bytes.fromhex(wow[i]["Sign"]))
sigs = multiply(sigs, tt)
# do this part only if you want fake flag