def verify(self, params, pk, m, n, sig):
"""
Verifies a signature on messages m
e(R,V) e(S,H) Pi e(M_i,W_i) == e(G,Z)
e(R,T) Pi e(U_i, N_i) == e(G,H)
"""
#print("BSPS: Verify")
R, S, T = sig
o, G, g1, g2, e = params
if (R.eq(G1Elem.inf(G)) and S.eq(G1Elem.inf(G))
and T.eq(G2Elem.inf(G))):
print("BSPS: Verify --- Error: signature null")
print("BSPS: Verify", 0)
return 0
U, W, V, Z = pk
res1 = e(R, V) * e(S, g2)
for i in range(self.msg_g1):
if i < len(m):
res1 = res1 * e(m[i], W[i])
else:
res1 = res1 * e(g1, W[i])
res2 = e(R, T)
for j in range(self.msg_g2):
if j < len(n):
res2 = res2 * e(U[j], n[j])
else:
res2 = res2 * e(U[j], g2)
return res1.eq(e(g1, Z)) and res2.eq(e(g1, g2))
def blind_verify(params, aggr_vk, sigma, kappa, nu, pi_v, public_m=[]): """ Verify credentials. Parameters: - `params`: public parameters generated by `setup` - `aggr_vk` (G2Elem, G2Elem, [G2Elem]): aggregated verification key - `sigma` (G1Elem, G1Elem): credential - `kappa` (G2Elem): group element to verify the credentials - `nu` (G2Elem): group element to verify the credentials - `pi_v`: zero-knowledge proof asserting correctness of `kappa` and `nu` - `public_m` [Bn]: optional, array containing the public attributes Returns: - `ret` (bool): whether the credential verifies """ (G, o, g1, hs, g2, e) = params (g2, _, beta) = aggr_vk (h, s) = sigma private_m_len = len(pi_v[1]) assert len(public_m)+private_m_len <= len(beta) # verify proof of correctness assert verify_pi_v(params, aggr_vk, sigma, kappa, nu, pi_v) # add clear text messages aggr = G2Elem.inf(G) if len(public_m) != 0: aggr = ec_sum([public_m[i]*beta[i+private_m_len] for i in range(len(public_m))]) # verify return not h.isinf() and e(h, kappa+aggr) == e(s+nu, g2)
def sign(self, params, sk, m, n):
"""Signs a list of group elements of G1 and G2"""
#print("BSPS: Sign")
o, G, g1, g2, _ = params
if len(m) > self.msg_g1 or len(n) > self.msg_g2:
print("BSPS: Sign --- Error: message(s) too long", len(m), ">?",
self.msg_g1, len(n), ">?", self.msg_g2)
return (G1Elem.inf(G), G1Elem.inf(G), G2Elem.inf(G))
u, w, v, z = sk
r = o.random()
R = r * g1
temp = z.mod_sub(r.mod_mul(v, o), o)
S = temp * g1
T = g2
for i in range(self.msg_g1):
if i < len(m):
S = S + w[i].int_neg() * m[i]
else:
S = S + w[i].int_neg() * g1
for j in range(self.msg_g2):
if j < len(n):
T = T + u[j].int_neg() * n[j]
else:
T = T + u[j].int_neg() * g2
return [R, S, r.mod_inverse(o) * T]
def getflag(self):
print(
"gonna have to see some credentials, you know at least two admins gotta sign off on this stuff:"
)
(s0, p0) = self.getsignature(
"first signature, please\n",
"and who is this from (the public key, if you please)?\n",
)
(s1, p1) = self.getsignature(
"OK, and the second?\n", "who gave you this one (again, by public key)?\n"
)
assert s0 != s1
p2 = G2Elem.from_bytes(
b64decode(
str(
raw_input(
"who didn't sign? We need their public key to run everything\n"
)
)
),
self.params[0],
)
if verify(
self.params,
aggregate_vk(self.params, [p0, p1, p2], threshold=True),
aggregate_sigma(self.params, [s0, s1], threshold=True),
"this stuff",
):
with open("flag.txt") as f:
print(f.read())
else:
print("lol nice try")
def verify_cred(params, aggr_vk, Theta, public_m=[]):
"""
Verify credentials.
Parameters:
- `params`: public parameters generated by `setup`
- `aggr_vk`: aggregated verification key
- `Theta`: credential and cryptographic material to verify them
- `public_m` [Bn]: optional, array containing the public attributes
Returns:
- `ret` (bool): whether the credential verifies
"""
(G, o, g1, hs, g2, e) = params
(g2, _, beta) = aggr_vk
(kappa, nu, sigma, pi_v) = Theta
(h, s) = sigma
private_m_len = len(pi_v[1])
assert len(public_m) + private_m_len <= len(beta)
# verify proof of correctness
assert verify_pi_v(params, aggr_vk, sigma, kappa, nu, pi_v)
# add clear text messages
aggr = G2Elem.inf(G)
if len(public_m) != 0:
aggr = ec_sum([
public_m[i] * beta[i + private_m_len] for i in range(len(public_m))
])
# verify
return not h.isinf() and e(h, kappa + aggr) == e(s + nu, g2)
def getflag(self):
print('gonna have to see some credentials, you know at least two admins gotta sign off on this stuff:')
(s0, p0) = self.getsignature('first signature, please\n', 'and who is this from (the public key, if you please)?\n')
(s1, p1) = self.getsignature('OK, and the second?\n', 'who gave you this one (again, by public key)?\n')
p2 = G2Elem.from_bytes(b64decode(str(raw_input('who didn\'t sign? We need their public key to run everything\n'))), self.params[0])
assert(s0 != s1 and p0 != p1 and p1 != p2 and p2 != p0)
if verify(self.params, aggregate_vk(self.params, [p0,p1,p2], threshold=True), aggregate_sigma(self.params, [s0, s1], threshold=True), 'this stuff'):
with open('flag.txt') as f: print(f.read())
else:
print('lol nice try')
def mix_verify(params, vk, kappa, sig, proof, m):
""" verify a signature on a mixed clear and hidden message """
(G, o, g1, h1, g2, e) = params
(g2, X, Y) = vk
(h, epsilon) = sig
hidden_m_len = len(proof[1])
assert len(m) + hidden_m_len <= len(Y)
# verify proof of correctness
assert verify_mix_show(params, vk, kappa, proof)
# add clear text messages
aggr = G2Elem.inf(G)
if len(m) != 0:
aggr = ec_sum([m[i] * Y[i + hidden_m_len] for i in range(len(m))])
# verify
return not h.isinf() and e(h, kappa + aggr) == e(epsilon, g2)
def proof_pkuv(gsp, X, Y):
res = []
B = []
A = []
C = []
for i in range(len(X)):
row = []
for j in range(len(Y)):
row.append(Bn(0))
C.append(row)
C[6][0] = Bn(1) # pk_uv
C[5][1] = Bn(-1) # - h_v^sku
success, result = gsp.Prove_aggreg("MC1", X, B, A, Y, C, G1Elem.inf(gsp.G))
verify = 0
if success:
eq_type, X, Y, C, T_eq, pi2_v1, pi2_w1, pi1_v2, pi1_w2 = result
#verify = gsp.Verify(eq_type, X, Y, C, pi2_v1, pi2_w1, pi1_v2, pi1_w2)
#if verify:
res = [C, [pi2_v1, pi2_w1, pi1_v2, pi1_w2]]
#print("Do we successfully create a proof?", success)
#print("Does the proof successfully verify?", verify)
print("\n----pk uv")
for i in range(len(res[1])):
for j in range(2):
if type(res[1][i][j]) == G1Elem:
print(i, j, type(res[1][i][j]),
res[1][i][j].eq(G1Elem.inf(gsp.G)))
else:
print(i, j, type(res[1][i][j]),
res[1][i][j].eq(G2Elem.inf(gsp.G)))
b = challenge(result)
for i in range(len(res[0])):
for j in range(len(res[0][0])):
if res[0][i][j] != 0:
res[0][i][j] = b * res[0][i][j]
for i in range(len(res[1])):
for j in range(len(res[1][i])):
res[1][i][j] = b * res[1][i][j]
#verify = gsp.Verify("ME1", X, Y, C, res[1][0], res[1][1], res[1][2], res[1][3])
#print("Does the (aggregate) proof verify?", verify)
return res
def get_infs(gk):
inf1 = G1Elem.inf(gk.G)
inf2 = G2Elem.inf(gk.G)
return inf1, inf2