def verify_pi_v(params, aggr_vk, sigma, kappa, nu, pi_v): """ verify correctness of kappa and nu """ (G, o, g1, hs, g2, e) = params (g2, alpha, beta) = aggr_vk (h, s) = sigma (c, rm, rt) = pi_v # re-compute witnesses commitments Aw = c*kappa + rt*g2 + (1-c)*alpha + ec_sum([rm[i]*beta[i] for i in range(len(rm))]) Bw = c*nu + rt*h # compute the challenge prime return c == to_challenge([g1, g2, alpha, Aw, Bw]+hs+beta)
def verify_pi_v(params, aggr_vk, sigma, kappa, nu, pi_v): """ verify correctness of kappa and nu """ (G, o, g1, hs, g2, e) = params (g2, alpha, beta) = aggr_vk (h, s) = sigma (c, rm, rt) = pi_v # re-compute witnesses commitments Aw = c * kappa + rt * g2 + (1 - c) * alpha + ec_sum( [rm[i] * beta[i] for i in range(len(rm))]) Bw = c * nu + rt * h # compute the challenge prime return c == to_challenge([g1, g2, alpha, Aw, Bw] + hs + beta)
def verify_pi_s(params, gamma, ciphertext, cm, proof): """ verify orrectness of ciphertext and cm """ (G, o, g1, hs, g2, e) = params (a, b) = zip(*ciphertext) (c, rk, rm, rr) = proof assert len(ciphertext) == len(rk) # re-compute h h = G.hashG1(cm.export()) # re-compute witnesses commitments Aw = [c * a[i] + rk[i] * g1 for i in range(len(rk))] Bw = [c * b[i] + rk[i] * gamma + rm[i] * h for i in range(len(ciphertext))] Cw = c * cm + rr * g1 + ec_sum([rm[i] * hs[i] for i in range(len(rm))]) # compute the challenge prime return c == to_challenge([g1, g2, cm, h, Cw] + hs + Aw + Bw)
def verify_pi_s(params, gamma, ciphertext, cm, proof): """ verify orrectness of ciphertext and cm """ (G, o, g1, hs, g2, e) = params (a, b) = zip(*ciphertext) (c, rk, rm, rr) = proof assert len(ciphertext) == len(rk) # re-compute h h = G.hashG1(cm.export()) # re-compute witnesses commitments Aw = [c*a[i] + rk[i]*g1 for i in range(len(rk))] Bw = [c*b[i] + rk[i]*gamma + rm[i]*h for i in range(len(ciphertext))] Cw = c*cm + rr*g1 + ec_sum([rm[i]*hs[i] for i in range(len(rm))]) # compute the challenge prime return c == to_challenge([g1, g2, cm, h, Cw]+hs+Aw+Bw)
def verify_pi_s_up(params, commits, cm, proof): """ verify orrectness of ciphertext and cm """ (G, o, g1, hs, h_blind, g2, e) = params (c, rL, rm, rr) = proof assert len(commits) == len(rL) # re-compute h h = G.hashG1(cm.export()) # re-compute witnesses commitments Com_w = [ c * commits[i] + rL[i] * h_blind + rm[i] * h for i in range(len(commits)) ] Cw = c * cm + rr * g1 + ec_sum([rm[i] * hs[i] for i in range(len(rm))]) # compute the challenge prime return c == to_challenge([g1, g2, cm, h, Cw] + hs + commits + Com_w)
def make_pi_v(params, aggr_vk, sigma, private_m, t): """ prove correctness of kappa and nu """ (G, o, g1, hs, g2, e) = params (g2, alpha, beta) = aggr_vk (h, s) = sigma # create the witnesses wm = [o.random() for _ in private_m] wt = o.random() # compute the witnesses commitments Aw = wt*g2 + alpha + ec_sum([wm[i]*beta[i] for i in range(len(private_m))]) Bw = wt*h # create the challenge c = to_challenge([g1, g2, alpha, Aw, Bw]+hs+beta) # create responses rm = [(wm[i] - c*private_m[i]) % o for i in range(len(private_m))] rt = wt - c*t % o return (c, rm, rt)
def make_pi_v(params, aggr_vk, sigma, private_m, t): """ prove correctness of kappa and nu """ (G, o, g1, hs, g2, e) = params (g2, alpha, beta) = aggr_vk (h, s) = sigma # create the witnesses wm = [o.random() for _ in private_m] wt = o.random() # compute the witnesses commitments Aw = wt * g2 + alpha + ec_sum( [wm[i] * beta[i] for i in range(len(private_m))]) Bw = wt * h # create the challenge c = to_challenge([g1, g2, alpha, Aw, Bw] + hs + beta) # create responses rm = [(wm[i] - c * private_m[i]) % o for i in range(len(private_m))] rt = wt - c * t % o return (c, rm, rt)
def make_pi_s_up(params, Ls, commits, cm, r, public_m, private_m): """ prove correctness of ciphertext and cm """ (G, o, g1, hs, h_blind, g2, e) = params attributes = private_m + public_m assert len(commits) == len(private_m) assert len(attributes) <= len(hs) # create the witnesses wr = o.random() wL = [o.random() for _ in Ls] wm = [o.random() for _ in attributes] # compute h h = G.hashG1(cm.export()) # compute the witnesses commitments Com_w = [wL[i] * h_blind + wm[i] * h for i in range(len(private_m))] Cw = wr * g1 + ec_sum([wm[i] * hs[i] for i in range(len(attributes))]) # create the challenge c = to_challenge([g1, g2, cm, h, Cw] + hs + commits + Com_w) # create responses rr = (wr - c * r) % o rL = [(wL[i] - c * Ls[i]) % o for i in range(len(wL))] rm = [(wm[i] - c * attributes[i]) % o for i in range(len(wm))] return (c, rL, rm, rr)
def make_pi_s(params, gamma, ciphertext, cm, k, r, public_m, private_m): """ prove correctness of ciphertext and cm """ (G, o, g1, hs, g2, e) = params attributes = private_m + public_m assert len(ciphertext) == len(k) and len(ciphertext) == len(private_m) assert len(attributes) <= len(hs) # create the witnesses wr = o.random() wk = [o.random() for _ in k] wm = [o.random() for _ in attributes] # compute h h = G.hashG1(cm.export()) # compute the witnesses commitments Aw = [wki * g1 for wki in wk] Bw = [wk[i] * gamma + wm[i] * h for i in range(len(private_m))] Cw = wr * g1 + ec_sum([wm[i] * hs[i] for i in range(len(attributes))]) # create the challenge c = to_challenge([g1, g2, cm, h, Cw] + hs + Aw + Bw) # create responses rr = (wr - c * r) % o rk = [(wk[i] - c * k[i]) % o for i in range(len(wk))] rm = [(wm[i] - c * attributes[i]) % o for i in range(len(wm))] return (c, rk, rm, rr)
def make_pi_s(params, gamma, ciphertext, cm, k, r, public_m, private_m): """ prove correctness of ciphertext and cm """ (G, o, g1, hs, g2, e) = params attributes = private_m + public_m assert len(ciphertext) == len(k) and len(ciphertext) == len(private_m) assert len(attributes) <= len(hs) # create the witnesses wr = o.random() wk = [o.random() for _ in k] wm = [o.random() for _ in attributes] # compute h h = G.hashG1(cm.export()) # compute the witnesses commitments Aw = [wki*g1 for wki in wk] Bw = [wk[i]*gamma + wm[i]*h for i in range(len(private_m))] Cw = wr*g1 + ec_sum([wm[i]*hs[i] for i in range(len(attributes))]) # create the challenge c = to_challenge([g1, g2, cm, h, Cw]+hs+Aw+Bw) # create responses rr = (wr - c * r) % o rk = [(wk[i] - c*k[i]) % o for i in range(len(wk))] rm = [(wm[i] - c*attributes[i]) % o for i in range(len(wm))] return (c, rk, rm, rr)
sk_owners = [cu.poly_eval(v, i) % o for i in range(1, n_owners + 1)] print("\nSecret Keys of the petition owners: ") for i in range(n_owners): print("sk[" + str(i) + "] : " + str(sk_owners[i])) pk_owner = [xi * g for xi in sk_owners] print("\nPublic keys of the petition owners: ") for i in range(n_owners): print("pk[" + str(i) + "] : " + str_ec_pt(pk_owner[i])) l = cu.lagrange_basis(range(1, t_owners + 1), o, 0) aggr_pk_owner = cu.ec_sum([l[i] * pk_owner[i] for i in range(t_owners)]) print("\nAggregate public key for owners: " + str_ec_pt(aggr_pk_owner)) # coconut parameters print("Coconut setup") t, n = 4, 5 # threshold and total number of authorities bp_params = cs.setup() # bp system's parameters (sk, vk) = cs.ttp_keygen(bp_params, t, n) # authorities keys print("\nSecret keys of the authorities (Credential issuers):") for i in range(n): print("sk_auth[" + str(i) + "] : " + str(sk[i]))