def check_proof_multi(commitment, proof, x, ys, setup):
"""
Check a proof for a Kate commitment for an evaluation f(x w^i) = y_i
"""
n = len(ys)
root_of_unity = get_root_of_unity(n)
# Interpolate at a coset. Note because it is a coset, not the subgroup, we have to multiply the
# polynomial coefficients by x^i
interpolation_polynomial = fft(ys, MODULUS, root_of_unity, True)
interpolation_polynomial = [div(c, pow(x, i, MODULUS)) for i, c in enumerate(interpolation_polynomial)]
# Verify the pairing equation
#
# e([commitment - interpolation_polynomial(s)], [1]) = e([proof], [s^n - x^n])
# equivalent to
# e([commitment - interpolation_polynomial]^(-1), [1]) * e([proof], [s^n - x^n]) = 1_T
#
xn_minus_yn = b.add(setup[1][n], b.multiply(b.neg(b.G2), pow(x, n, MODULUS)))
commitment_minus_interpolation = b.add(commitment, b.neg(lincomb(
setup[0][:len(interpolation_polynomial)], interpolation_polynomial, b.add, b.Z1)))
pairing_check = b.pairing(b.G2, b.neg(commitment_minus_interpolation), False)
pairing_check *= b.pairing(xn_minus_yn, proof, False)
pairing = b.final_exponentiate(pairing_check)
return pairing == b.FQ12.one()
def _CoreAggregateVerify(cls, PKs: Sequence[BLSPubkey],
messages: Sequence[bytes],
signature: BLSSignature, DST: bytes) -> bool:
try:
if len(PKs) != len(messages):
raise ValidationError(
'len(PKs) != len(messages): got len(PKs)=%s, len(messages)=%s'
% (len(PKs), len(messages)))
if len(PKs) < 1:
raise ValidationError(
'Insufficient number of PKs: should be greater than'
' or equal to 1, got %d' % len(PKs))
signature_point = signature_to_G2(signature)
aggregate = FQ12.one()
for pk, message in zip(PKs, messages):
pubkey_point = pubkey_to_G1(pk)
message_point = hash_to_G2(message, DST, cls.xmd_hash_function)
aggregate *= pairing(message_point,
pubkey_point,
final_exponentiate=False)
aggregate *= pairing(signature_point,
neg(G1),
final_exponentiate=False)
return final_exponentiate(aggregate) == FQ12.one()
except (ValidationError, ValueError, AssertionError):
return False
def _CoreVerify(cls, PK: BLSPubkey, message: bytes,
signature: BLSSignature, DST: bytes) -> bool:
try:
# Inputs validation
assert cls._is_valid_pubkey(PK)
assert cls._is_valid_message(message)
assert cls._is_valid_signature(signature)
# Procedure
assert cls.KeyValidate(PK)
signature_point = signature_to_G2(signature)
if not subgroup_check(signature_point):
return False
final_exponentiation = final_exponentiate(
pairing(
signature_point,
G1,
final_exponentiate=False,
) * pairing(
hash_to_G2(message, DST, cls.xmd_hash_function),
neg(pubkey_to_G1(PK)),
final_exponentiate=False,
))
return final_exponentiation == FQ12.one()
except (ValidationError, ValueError, AssertionError):
return False
def verify_multiple(pubkeys: Sequence[BLSPubkey], messages: Sequence[bytes],
signature: BLSSignature, domain: int) -> bool:
len_msgs = len(messages)
if len(pubkeys) != len_msgs:
raise ValidationError(
"len(pubkeys) (%s) should be equal to len(messages) (%s)" %
(len(pubkeys), len_msgs))
try:
o = FQ12([1] + [0] * 11)
for m_pubs in set(messages):
# aggregate the pubs
group_pub = Z1
for i in range(len_msgs):
if messages[i] == m_pubs:
group_pub = add(group_pub, decompress_G1(pubkeys[i]))
o *= pairing(hash_to_G2(m_pubs, domain),
group_pub,
final_exponentiate=False)
o *= pairing(decompress_G2(signature),
neg(G1),
final_exponentiate=False)
final_exponentiation = final_exponentiate(o)
return final_exponentiation == FQ12.one()
except (ValidationError, ValueError, AssertionError):
return False
def _CoreAggregateVerify(cls, PKs: Sequence[BLSPubkey],
messages: Sequence[bytes],
signature: BLSSignature, DST: bytes) -> bool:
try:
# Inputs validation
for pk in PKs:
assert cls._is_valid_pubkey(pk)
for message in messages:
assert cls._is_valid_message(message)
assert len(PKs) == len(messages)
assert cls._is_valid_signature(signature)
# Preconditions
assert len(PKs) >= 1
# Procedure
signature_point = signature_to_G2(signature)
if not subgroup_check(signature_point):
return False
aggregate = FQ12.one()
for pk, message in zip(PKs, messages):
assert cls.KeyValidate(pk)
pubkey_point = pubkey_to_G1(pk)
message_point = hash_to_G2(message, DST, cls.xmd_hash_function)
aggregate *= pairing(message_point,
pubkey_point,
final_exponentiate=False)
aggregate *= pairing(signature_point,
neg(G1),
final_exponentiate=False)
return final_exponentiate(aggregate) == FQ12.one()
except (ValidationError, ValueError, AssertionError):
return False
def check_proof_single(commitment, proof, x, y, setup):
"""
Check a proof for a Kate commitment for an evaluation f(x) = y
"""
# Verify the pairing equation
#
# e([commitment - y], [1]) = e([proof], [s - x])
# equivalent to
# e([commitment - y]^(-1), [1]) * e([proof], [s - x]) = 1_T
#
s_minus_x = b.add(setup[1][1], b.multiply(b.neg(b.G2), x))
commitment_minus_y = b.add(commitment, b.multiply(b.neg(b.G1), y))
pairing_check = b.pairing(b.G2, b.neg(commitment_minus_y), False)
pairing_check *= b.pairing(s_minus_x, proof, False)
pairing = b.final_exponentiate(pairing_check)
return pairing == b.FQ12.one()
def verify_proof(proof, commitment_root, indices, values, setup):
# Regenerate the same r value as above
r = int.from_bytes(
hash(str([commitment_root[0].n] + indices).encode('utf-8')),
'big') % b.curve_order
#print("r", r)
commitments, witness = proof
# We're making a big pairing check that essentially checks the equation:
# sum [(P_i - y_i) * r_i * Z(everything except x_i)] = w * Z(everything) = sum [Q_i * r_i * Z(everything)]
# where Z(set) = product: (X - s) for s in set
pairing_check = b.FQ12.one()
for i, (c, index, v) in enumerate(zip(commitments, indices, values)):
for d in range(DEPTH):
rfactor = pow(r, i * DEPTH + d, MODULUS)
position_of_leaf = index // WIDTH**(DEPTH - d - 1)
# Position of this leaf in the data
sub_index = position_of_leaf % WIDTH
#print('d', d, 'i', index, 'rfactor', rfactor, 'pos', position_of_leaf)
# P_i
comm = c[d - 1] if d else commitment_root
comm = (comm[0], comm[1], b.FQ.one())
leaf = hash_point_to_field(c[d]) if d < DEPTH - 1 else v
#print('comm', comm, 'subindex', sub_index, 'leaf', leaf)
# (P_i - y_i) * r_i
comm_minus_leaf_times_r = b.multiply(
b.add(comm, b.multiply(b.G1, MODULUS - leaf)), rfactor)
# Z(everything except x_i)
Z_comm = b.multiply(setup[3][sub_index],
field.inv(LAGRANGE_POLYS[sub_index][-1]))
# Add the product into the pairing
pairing_check *= b.pairing(Z_comm, comm_minus_leaf_times_r, False)
# Z(everything)
global_Z_comm = b.add(setup[1][WIDTH], b.neg(setup[1][0]))
# Subtract out sum [Q_i * r_i * Z(everything)]
pairing_check *= b.pairing(b.neg(global_Z_comm),
(witness[0], witness[1], b.FQ.one()), False)
o = b.final_exponentiate(pairing_check)
assert o == b.FQ12.one(), o
return o == b.FQ12.one()
def verify(message: bytes, pubkey: int, signature: bytes, domain: int) -> bool:
try:
final_exponentiation = final_exponentiate(
pairing(
FQP_point_to_FQ2_point(decompress_G2(signature)),
G1,
final_exponentiate=False,
) * pairing(
FQP_point_to_FQ2_point(hash_to_G2(message, domain)),
neg(decompress_G1(pubkey)),
final_exponentiate=False,
))
return final_exponentiation == FQ12.one()
except (ValidationError, ValueError, AssertionError):
return False
def verify(message_hash: Hash32, pubkey: BLSPubkey, signature: BLSSignature,
domain: int) -> bool:
try:
final_exponentiation = final_exponentiate(
pairing(
signature_to_G2(signature),
G1,
final_exponentiate=False,
) * pairing(
hash_to_G2(message_hash, domain),
neg(pubkey_to_G1(pubkey)),
final_exponentiate=False,
))
return final_exponentiation == FQ12.one()
except (ValidationError, ValueError, AssertionError):
return False
def _CoreVerify(PK: BLSPubkey, message: bytes, signature: BLSSignature,
DST: bytes) -> bool:
try:
signature_point = signature_to_G2(signature)
final_exponentiation = final_exponentiate(
pairing(
signature_point,
G1,
final_exponentiate=False,
) * pairing(
hash_to_G2(message, DST),
neg(pubkey_to_G1(PK)),
final_exponentiate=False,
))
return final_exponentiation == FQ12.one()
except (ValidationError, ValueError, AssertionError):
return False
def _CoreAggregateVerify(pairs: Sequence[Tuple[BLSPubkey, bytes]],
signature: BLSSignature, DST: bytes) -> bool:
try:
signature_point = signature_to_G2(signature)
accumulator = FQ12.one()
for pk, message in pairs:
pubkey_point = pubkey_to_G1(pk)
message_point = hash_to_G2(message, DST)
accumulator *= pairing(message_point,
pubkey_point,
final_exponentiate=False)
accumulator *= pairing(signature_point,
neg(G1),
final_exponentiate=False)
return final_exponentiate(accumulator) == FQ12.one()
except (ValidationError, ValueError, AssertionError):
return False
def _CoreVerify(cls, PK: BLSPubkey, message: bytes,
signature: BLSSignature, DST: bytes) -> bool:
try:
assert BaseG2Ciphersuite.KeyValidate(PK)
signature_point = signature_to_G2(signature)
final_exponentiation = final_exponentiate(
pairing(
signature_point,
G1,
final_exponentiate=False,
) * pairing(
hash_to_G2(message, DST, cls.xmd_hash_function),
neg(pubkey_to_G1(PK)),
final_exponentiate=False,
))
return final_exponentiation == FQ12.one()
except (ValidationError, ValueError, AssertionError):
return False
def _fft(vals, modulus, roots_of_unity):
if len(vals) <= 4 and type(vals[0]) != tuple:
#return vals
return _simple_ft(vals, modulus, roots_of_unity)
elif len(vals) == 1 and type(vals[0]) == tuple:
return vals
L = _fft(vals[::2], modulus, roots_of_unity[::2])
R = _fft(vals[1::2], modulus, roots_of_unity[::2])
o = [0 for i in vals]
for i, (x, y) in enumerate(zip(L, R)):
y_times_root = b.multiply(
y,
roots_of_unity[i]) if type(y) == tuple else y * roots_of_unity[i]
o[i] = b.add(
x,
y_times_root) if type(x) == tuple else (x + y_times_root) % modulus
o[i + len(L)] = b.add(x, b.neg(y_times_root)) if type(
x) == tuple else (x - y_times_root) % modulus
return o
def execute(cls, stack: MichelsonStack, stdout: List[str],
context: AbstractContext):
a = cast(
Union[IntType, NatType, BLS12_381_FrType, BLS12_381_G1Type,
BLS12_381_G2Type], stack.pop1())
res_type, = dispatch_types(type(a),
mapping={
(IntType, ): (IntType, ),
(NatType, ): (IntType, ),
(BLS12_381_FrType, ):
(BLS12_381_FrType, ),
(BLS12_381_G1Type, ):
(BLS12_381_G1Type, ),
(BLS12_381_G2Type, ):
(BLS12_381_G2Type, )
})
if issubclass(res_type, IntType):
res = IntType.from_value(-int(a))
else:
res = res_type.from_point(bls12_381.neg(a.to_point()))
stack.push(res)
stdout.append(format_stdout(cls.prim, [a], [res]))
return cls()
if ex:
ex = False
fin = creator(wow[i]["Name"], "D", wow[i]["Sign"])
r.sendline(fin)
continue
res1 = hasher(b"D")
res2 = hasher(b"R")
tt = (res2 * inverse(res1, cv)) % cv
sigs = signature_to_G2(bytes.fromhex(wow[i]["Sign"]))
sigs = multiply(sigs, tt)
# do this part only if you want fake flag
if cnt == 0:
sigs = add(sigs, G2)
if cnt == 1:
sigs = add(sigs, neg(G2))
# end
cnt += 1
sig = G2_to_signature(sigs).hex()
wow[i]["Sign"] = sig
wow[i]["Vote"] = "R"
fin = creator(wow[i]["Name"], "R", wow[i]["Sign"])
pub = pubkey_to_G1(bytes.fromhex(wow[i]["PK"]))
sig = signature_to_G2(bytes.fromhex(wow[i]["Sign"]))
print("sig check2", i, subgroup_check(sig))
r.sendline(fin)
checker(wow, b"R")
checker(wow, b"D")
def verify(message: bytes, pubkey: int, signature: bytes, domain: int) -> bool:
final_exponentiation = final_exponentiate(
pairing(FQP_point_to_FQ2_point(decompress_G2(signature)), G1, False) *
pairing(FQP_point_to_FQ2_point(hash_to_G2(message, domain)),
neg(decompress_G1(pubkey)), False))
return final_exponentiation == FQ12.one()
def neg(xxx: G1Point) -> G1Point:
return bls12_381.neg(xxx)
def neg(self) -> "WrappedCurvePoint":
return self.__class__(neg(self.py_ecc_object))
def singlechecker(agg_pk, agg_sig, msg):
final_exp = final_exponentiate(
pairing(agg_sig, G1, final_exponentiate=False) * pairing(
multiply(G2, hasher(msg)), neg(agg_pk), final_exponentiate=False))
isok = (final_exp == FQ12.one())
return isok
ny["Sign"] = G2_to_signature(
multiply(multiply(signature_to_G2(unhex(ny["Sign"])), invert(m1, order)),
m2)).hex()
ny["Vote"] = "R"
assert bls.Verify(unhex(ny["PK"]), ny["Vote"].encode(), unhex(ny["Sign"]))
result[idx] = ny
xored_flag = unhex(connect(result).decode())
fake_result = result[:]
w = fake_result[idx + 1]
ny = fake_result[idx]
ny["Sign"] = G2_to_signature(
add(signature_to_G2(unhex(ny["Sign"])),
multiply(signature_to_G2(unhex(w["Sign"])), 2))).hex()
w["Sign"] = G2_to_signature(neg(signature_to_G2(unhex(w["Sign"])))).hex()
assert bls.Verify(bls._AggregatePKs([unhex(ny["PK"]),
unhex(w["PK"])]), b'R',
bls.Aggregate([unhex(ny["Sign"]),
unhex(w["Sign"])]))
fake_result[idx] = ny
fake_result[idx + 1] = w
fake_flag = connect(fake_result)
flag = bytexor(fake_flag, xored_flag)
print(flag)
assert flag == b'inctf{BLS_574nd5_f0r_B0n3h_Lynn_Sh4ch4m}'
