def keygen(self, secparam=512, p=0, q=0):
if (p == 0):
pprime = randomPrime(secparam)
while (not isPrime(2 * pprime + 1)):
pprime = randomPrime(secparam)
p = 2 * pprime + 1
print(p)
if (q == 0):
qprime = randomPrime(secparam)
while (not isPrime(2 * qprime + 1)):
qprime = randomPrime(secparam)
q = 2 * qprime + 1
print(q)
N = p * q
a = randomQR(N)
b = randomQR(N)
c = randomQR(N)
pk = {'N': N, 'a': a, 'b': b, 'c': c}
sk = {'p': p, 'q': q}
return (pk, sk)
def keygen(self, secparam=512, p=0, q=0):
if(p == 0):
pprime = randomPrime(secparam)
while(not isPrime(2*pprime + 1)):
pprime = randomPrime(secparam)
p = 2 * pprime + 1
print(p)
if(q == 0):
qprime = randomPrime(secparam)
while(not isPrime(2*qprime + 1)):
qprime = randomPrime(secparam)
q = 2 * qprime + 1
print(q)
N = p * q
a = randomQR(N)
b = randomQR(N)
c = randomQR(N)
pk = { 'N':N, 'a':a, 'b':b, 'c':c }
sk = { 'p':p, 'q':q }
return (pk, sk)
def setup():
print("SETUP:")
print("1. Select random l_p-bit primes and modulus n = pq")
while True:
p, q = randomPrime(l_p), randomPrime(l_p)
if isPrime(p) and isPrime(q) and p != q:
n = p * q
phi_n = (p - 1) * (q - 1)
break
print("2. Choose random a, a_0, g, h in QR(n)")
while True:
g = random(n)
if is_cyclic(g, n):
g = g**2
break
a, a_0, h = [(g**random(n)) % n for _ in range(3)]
print("3. Choose random secret element x and set public key y = g**x")
x = random(phi_n)
y = (g**x) % n
print("4. The group public key Y: (n, a, a_0, y, g, h)")
Y = {"n": n, "a": a, "a_0": a_0, "y": y, "g": g, "h": h}
print("5. Corresponding secret key S: (p, q, phi_n, x)")
S = {"p": p, "q": q, "phi_n": phi_n, "x": x}
return (Y, S)
def paramgen(self, secparam):
while True:
p, q = randomPrime(secparam), randomPrime(secparam)
if isPrime(p) and isPrime(q) and gcd(p * q, (p - 1) * (q - 1)) == 1:
break
self.p = p
self.q = q
return (p, q, p * q)
def paramgen(self, secparam):
while True:
p, q = randomPrime(secparam), randomPrime(secparam)
if isPrime(p) and isPrime(q) and p != q:
N = p * q
phi_N = (p - 1) * (q - 1)
break
return (p, q, N, phi_N)
def paramgen(self, secparam):
while True:
p, q = randomPrime(secparam), randomPrime(secparam)
if isPrime(p) and isPrime(q) and p != q:
N = p * q
phi_N = (p - 1) * (q - 1)
break
return (p, q, N, phi_N)
def paramgen(self, secparam):
while True:
p, q = randomPrime(secparam), randomPrime(secparam)
if isPrime(p) and isPrime(q) and gcd(p * q,
(p - 1) * (q - 1)) == 1:
break
self.p = p
self.q = q
return (p, q, p * q)
def generatePrimes(self, n):
while True:
p = randomPrime(n)
if (isPrime(p) and (((p - 3) % 4) == 0)):
break
while True:
q = randomPrime(n)
if (isPrime(q) and (((q - 3) % 4) == 0) and not (q == p)):
break
return (p, q)
def generatePrimes(self, n):
while True:
p = randomPrime(n)
if isPrime(p) and (((p - 3) % 4) == 0):
break
while True:
q = randomPrime(n)
if isPrime(q) and (((q - 3) % 4) == 0) and not (q == p):
break
return (p, q)
def roundNumber2(self, U, attr, n2):
# TODO: Adaptar IRMA
e = randomPrime(le)
vTilde = integer(randomBits(lv - 1))
vPrimePrime = (2 ** (lv - 1)) + vTilde
R = self.pk_i['R']
Cx = 1 % self.pk_i['N']
for i in range(1, len(attr) + 1):
Cx = Cx*(R[str(i)] ** attr[str(i)])
sigA = self.signAttributesLong(attr, vPrimePrime, U, e)
A = sigA['A']
Q = sigA['Q']
phi_N = (self.sk_i['p']-1)*(self.sk_i['q']-1)
e2 = e % phi_N
# The issuer creates an SPK for proving the knowledge of
# e^(-1) according to the equivalence of A and Q^{e-1}
r = randomPrime(le)
Atilde = (Q ** r) % self.pk_i['N']
s3 = hashlib.new('sha256')
s3.update(Conversion.IP2OS(self.context))
s3.update(Conversion.IP2OS(Q))
s3.update(Conversion.IP2OS(A))
s3.update(Conversion.IP2OS(n2))
s3.update(Conversion.IP2OS(Atilde))
#print "issuer Q #1", Q
#print "issuer A", A
#print "issuer n2", n2
#print "issuer Atilde", Atilde
cPrime = integer(s3.digest())
e2Prime = e2 ** - 1
Se = r - (cPrime * integer(e2Prime))
signature = { 'A':A, 'e':e, 'vPrimePrime':vPrimePrime }
P2 = { 'Se':Se, 'cPrime':cPrime }
return (signature, P2)
def paramgen(self, secparam):
while True:
p = randomPrime(secparam)
if isPrime(p) and (((p-3)%4) == 0):
break
while True:
q = randomPrime(secparam)
if isPrime(q) and (((q-3)%4) == 0) and not(q == p):
break
N = p * q
yp = (p % q) ** -1
yq = (q % p) ** -1
return (p, yp, q, yq, N)
def round_2(self, U, p1, attr, n2):
if self.__verify_p1(p1):
pass
# print "P1 verified"
else:
return None
e = randomPrime(le)
vTilde = integer(randomBits(lv - 1))
vPrimePrime = (2 ** (lv - 1)) + vTilde
R = self.pk_i['R']
Cx = 1 % self.pk_i['N']
for i in range(1, len(attr) + 1):
Cx = Cx * (R[str(i)] ** attr[str(i)])
sigA = self.signAttributesLong(attr, vPrimePrime, U, e)
A = sigA['A']
Q = sigA['Q']
phi_N = (self.sk_i['p'] - 1) * (self.sk_i['q'] - 1)
e2 = e % phi_N
r = randomPrime(le)
Atilde = (Q ** r) % self.pk_i['N']
s3 = hashlib.new('sha256')
s3.update(Conversion.IP2OS(self.context))
s3.update(Conversion.IP2OS(Q))
s3.update(Conversion.IP2OS(A))
s3.update(Conversion.IP2OS(n2))
s3.update(Conversion.IP2OS(Atilde))
cPrime = integer(s3.digest())
e2Prime = e2 ** - 1
Se = r - (cPrime * integer(e2Prime))
signature = {'A': A, 'e': e, 'vPrimePrime': vPrimePrime}
P2 = {'Se': Se, 'cPrime': cPrime}
print signature
print P2
return signature, P2
def sign(self, pk, sk, m, v=0, u=0, e=0):
if (e == 0):
e = randomPrime(le)
lv = ln + lm + lr
if (v == 0):
v = integer(randomBits(lv))
R = pk['R']
Cx = 1 % pk['N']
for i in range(1, len(m) + 1):
Cx = Cx * (R[str(i)] ** m[str(i)])
phi_N = (sk['p']-1)*(sk['q']-1)
e2 = e % phi_N
if (u != 0):
u = u % pk['N']
Cx = Cx*u
q = pk['Z'] / (Cx*(pk['S'] ** v)) % pk['N']
a = q ** (e2 ** -1) % pk['N']
sig = { 'A':a, 'Q':q, 'e':e, 'v':v }
return sig
def sign(self, pk, sk, m, v=0, u=0, e=0):
if (e == 0):
e = randomPrime(le)
lv = ln + lm + lr
if (v == 0):
v = integer(randomBits(lv))
R = pk['R']
Cx = 1 % pk['N']
for i in range(1, len(m) + 1):
Cx = Cx * (R[str(i)]**m[str(i)])
phi_N = (sk['p'] - 1) * (sk['q'] - 1)
e2 = e % phi_N
if (u != 0):
u = u % pk['N']
Cx = Cx * u
q = pk['Z'] / (Cx * (pk['S']**v)) % pk['N']
a = q**(e2**-1) % pk['N']
sig = {'A': a, 'Q': q, 'e': e, 'v': v}
return sig
def paramgen(self, bits, r=2):
# determine which group
while True:
self.p = randomPrime(bits, 1)
self.q = (self.p - 1) / 2
if (isPrime(self.p) and isPrime(self.q)):
break
self.r = r
return None
def paramgen(self, bits, r=2):
# determine which group
while True:
self.p = randomPrime(bits, 1)
self.q = (self.p - 1) / 2
if (isPrime(self.p) and isPrime(self.q)):
break
self.r = r
return None
def sign(self, pk, sk, m):
e = randomPrime(le)
ls = ln + lm + l
s = integer(randomBits(ls))
phi_N = (sk['p']-1)*(sk['q']-1)
e2 = e % phi_N
v = (((pk['a'] ** m)*(pk['b'] ** s)*pk['c']) ** (e2 ** -1)) % pk['N']
sig = { 'e':e, 's':s, 'v':v }
return sig
def signCommit(self, pk, sk, Cx):
e = randomPrime(le)
ls = ln + lm + l
rprime = integer(randomBits(ls))
phi_N = (sk['p'] - 1) * (sk['q'] - 1)
e2 = e % phi_N
v = (((Cx) * (pk['b']**rprime) * pk['c'])**(e2**-1)) % pk['N']
sig = {'e': e, 'rprime': rprime, 'v': v}
return sig
def __init__(self, secparam):
# generate p,q
while True:
p, q = randomPrime(secparam), randomPrime(secparam)
if isPrime(p) and isPrime(q) and p != q:
N = p * q
phi = (p - 1) * (q - 1)
break
# calculate private key and public key
while True:
e = random(phi)
if not gcd(e, phi) == 1:
continue
d = e**-1
break
# prepare public key
self.pk = {'N': N, 'e': toInt(e)}
# prepare private key
self.sk = {'phi': phi, 'd': d, 'N': N}
def sign(self, pk, sk, m):
e = randomPrime(le)
ls = ln + lm + l
s = integer(randomBits(ls))
phi_N = (sk['p'] - 1) * (sk['q'] - 1)
e2 = e % phi_N
v = (((pk['a']**m) * (pk['b']**s) * pk['c'])**(e2**-1)) % pk['N']
sig = {'e': e, 's': s, 'v': v}
return sig
def signCommit(self, pk, sk, Cx):
e = randomPrime(le)
ls = ln + lm + l
rprime = integer(randomBits(ls))
phi_N = (sk['p']-1)*(sk['q']-1)
e2 = e % phi_N
v = (((Cx)*(pk['b'] ** rprime)*pk['c']) ** (e2 ** -1)) % pk['N']
sig = { 'e':e, 'rprime':rprime, 'v':v }
return sig
def __init__(self, l, p, q, secparam, context):
self.secparam = secparam
self.l = l
self.context = context
self.pksig = 0
if (p == 0):
pprime = randomPrime(secparam)
while (not isPrime(2 * pprime + 1)):
pprime = randomPrime(secparam)
self.p = integer(2 * pprime + 1)
else:
self.p = p
if (q == 0):
qprime = randomPrime(secparam)
while (not isPrime(2 * qprime + 1)):
qprime = randomPrime(secparam)
self.q = integer(2 * qprime + 1)
else:
self.q = q
def __init__(self, l, p, q, secparam, context):
self.secparam = secparam
self.l = l
self.context = context
self.pksig = 0
if(p == 0):
pprime = randomPrime(secparam)
while(not isPrime(2*pprime + 1)):
pprime = randomPrime(secparam)
self.p = integer(2 * pprime + 1)
else:
self.p = p
if(q == 0):
qprime = randomPrime(secparam)
while(not isPrime(2*qprime + 1)):
qprime = randomPrime(secparam)
self.q = integer(2 * qprime + 1)
else:
self.q = q
def key_gen(key_size, message_elem_bit_len, vector_len):
"""
Generate keys for vector commitment
:param key_size: security key size (k in the paper)
:param message_elem_bit_len: length of message in bits (l in the paper)
:param vector_len: length of commitment vector (q in the paper)
:return:
"""
k = key_size
l = message_elem_bit_len
q = vector_len
private_key = rsa.generate_private_key(public_exponent=65537,
key_size=k,
backend=default_backend())
private_numbers = private_key.private_numbers()
n = private_numbers.public_numbers.n
p_1 = private_numbers.p
p_2 = private_numbers.q
# logger.info(p_1)
# logger.info(p_2)
phi_n = (p_1 - 1) * (p_2 - 1)
# generate list of primes [e_1,...,e_q], each has length (l+1)
e = list()
while True:
tmp_prime = reduce(randomPrime(l + 1) % n)
if isPrime(tmp_prime) and phi_n % int(tmp_prime) != 0:
e.append(int(tmp_prime))
if len(e) == q:
break
a = random(n)
s = list()
for i in range(q):
tmp_exponent = integer(1) % n
for j in range(q):
if j != i:
tmp_exponent = reduce(tmp_exponent * (integer(e[j]) % n))
s_i = reduce(a**tmp_exponent)
s.append(int(s_i))
return n, int(a), s, e, p_1, p_2
security_level = 128 # this value can be 80, 112, 128, 256
# calculate length of group elements
bits = 1024
if security_level == 80:
bits = 1024
elif security_level == 112:
bits = 2048
elif security_level == 128:
bits = 3072
elif security_level == 256:
bits = 15360
group_order_bits = 2 * security_level
group_p = 0 # the prime number for mod calculation
group_order = randomPrime(group_order_bits)
#print('group_order = ', group_order)
while True:
random_k_value = randomBits(bits - group_order_bits)
group_p = random_k_value * group_order + 1
if isPrime(group_p):
break
#print('group_p = ', group_p)
group_g = 0
while True:
i = random(group_p)
tmp1 = (group_p - 1) / group_order
tmp2 = (i**tmp1) % group_p
if tmp2 != 1 and i > 1:
'''
@Descripttion:
@version:
@Author: HuiKwok
@Date: 2019-10-10 06:53:46
@LastEditors: HuiKwok
@LastEditTime: 2019-10-10 07:01:56
'''
from charm.toolbox.integergroup import IntegerGroup
from charm.schemes.pkenc.pkenc_rsa import RSA_Enc, RSA_Sig
from charm.core.math.integer import integer, randomBits, random, randomPrime, isPrime, encode, decode, hashInt, bitsize, legendre, gcd, lcm, serialize, deserialize, int2Bytes, toInt
secparam = 1024
p, q = randomPrime(int(secparam / 2),
True), randomPrime(int(secparam / 2), True)
N = p * q
N2 = N * N
g = random(N2)
print(type(g))
int(g) - 1
bits = 2048
elif security_level == 128:
bits = 3072
elif security_level == 256:
bits = 15360
prime_bits = bits // 2
group_order_bits = 2 * security_level
# generate p, p_prime, q, q_prime
p = 0
p_prime = 0
q = 0
q_prime = 0
while True:
p = randomPrime(prime_bits, 1)
p_prime = (p - 1) / 2
if (isPrime(p) and isPrime(p_prime)):
break
while True:
q = randomPrime(prime_bits, 1)
q_prime = (q - 1) / 2
if (isPrime(q) and isPrime(q_prime)):
break
N = p * q
group_order = 2 * p_prime * q_prime # order of L_DCR
N_square = N * N
print('p = ', p)
print('q = ', q)
def __init__(self, secparam=1024, param=None):
if param:
self.N2 = param.N2
self.N = param.N
self.g = param.g
self.k = param.k
else:
self.p, self.q = randomPrime(int(secparam / 2), True), randomPrime(
int(secparam / 2), True)
self.pp = (self.p - 1) / 2
self.qq = (self.q - 1) / 2
self.N = self.p * self.q
while True: # choose a good N
if bitsize(self.N) == secparam and len(int2Bytes(
self.N)) == int(
secparam / 8) and int2Bytes(self.N)[0] & 128 != 0:
break
self.p, self.q = randomPrime(int(secparam / 2),
True), randomPrime(
int(secparam / 2), True)
self.pp = (self.p - 1) / 2
self.qq = (self.q - 1) / 2
self.N = self.p * self.q
self.N2 = self.N**2
self.g = random(self.N2)
one = integer(1) % self.N2
while True: #choose a good g
self.g = random(self.N2)
self.g = integer(
(int(self.g) - 1) * (int(self.g) - 1)) % self.N2
if self.g == one:
continue
tmp = self.g**self.p % self.N2
if tmp == one:
continue
tmp = self.g**self.pp % self.N2
if tmp == one:
continue
tmp = self.g**self.q % self.N2
if tmp == one:
continue
tmp = self.g**self.qq % self.N2
if tmp == one:
continue
tmp = self.g**(self.p * self.pp) % self.N2
if tmp == one:
continue
tmp = self.g**(self.p * self.q) % self.N2
if tmp == one:
continue
tmp = self.g**(self.p * self.qq) % self.N2
if tmp == one:
continue
tmp = self.g**(self.pp * self.q) % self.N2
if tmp == one:
continue
tmp = self.g**(self.pp * self.qq) % self.N2
if tmp == one:
continue
tmp = self.g**(self.q * self.qq) % self.N2
if tmp == one:
continue
tmp = self.g**(self.q * self.qq) % self.N2
if tmp == one:
continue
tmp = self.g**(self.p * self.pp * self.q) % self.N2
if tmp == one:
continue
tmp = self.g**(self.p * self.pp * self.qq) % self.N2
if tmp == one:
continue
tmp = self.g**(self.p * self.q * self.qq) % self.N2
if tmp == one:
continue
tmp = self.g**(self.pp * self.q * self.qq) % self.N2
if tmp == one:
continue
break
self.k = integer(
(int(self.g**(self.pp * self.qq)) - 1)) / self.N % self.N
self.MK = {"pp": self.pp, "qq": self.qq}
def roundNumber2IRMA(self, U, attr, n2):
offset = integer(1 << (le - 1))
while True:
e = randomBits(lePrime - 1)
e = e + offset
if isPrime(e):
break
vTilde = integer(randomBits(lv - 1))
vPrimePrime = (2 ** (lv - 1)) + vTilde
sigA = self.signAttributesLong(attr, vPrimePrime, U, e)
A = sigA['A']
Q = sigA['Q']
phi_N = (self.sk_i['p']-1)*(self.sk_i['q']-1)
e2 = e % phi_N
r = randomPrime(le)
Atilde = (Q ** r) % self.pk_i['N']
list_ints = []
list_ints.append(int(self.context))
list_ints.append(int(Q))
list_ints.append(int(A))
list_ints.append(int(n2))
list_ints.append(int(Atilde))
ber_context = univ.Integer(list_ints[0])
ber_q = univ.Integer(list_ints[1])
ber_a = univ.Integer(list_ints[2])
ber_n2 = univ.Integer(list_ints[3])
ber_atilde = univ.Integer(list_ints[4])
# ints
subheader = "0201" + "{:02x}".format(len(list_ints))
asn1_rep = subheader + ber_encoder.encode(ber_context).encode('hex') + \
ber_encoder.encode(ber_q).encode('hex') + \
ber_encoder.encode(ber_a).encode('hex') + \
ber_encoder.encode(ber_n2).encode('hex') + \
ber_encoder.encode(ber_atilde).encode('hex')
# header
asn1_rep_h = asn1_rep.decode("hex")
m_len = len(asn1_rep_h)
i = 0
len_code = []
if (m_len <= 0x7f):
len_code[i] = hex(m_len)
else:
j = 0x80;
while (0 < m_len):
len_code.append("{:02x}".format(m_len & 0xff))
m_len = m_len >> 8
j = j + 1
len_code.append("{:02x}".format(j))
len_code.reverse()
header = "30" + "".join(len_code) # 0x30, SEQ
asn1_rep = header + asn1_rep
s6 = hashlib.new('sha256')
s6.update(asn1_rep.decode("hex"))
cPrimeHex = s6.hexdigest()
cPrime = integer(s6.digest())
e2Prime = e2 ** - 1
pPrimeQprime = ((self.sk_i['p'] - 1)/2)*((self.sk_i['q'] - 1)/2)
Se = (r - (cPrime * integer(e2Prime))) % pPrimeQprime
signature = { 'A':A, 'e':e, 'vPrimePrime':vPrimePrime }
P2 = { 'Se':Se, 'cPrime':cPrimeHex }
return (signature, P2)
