def verify_pi_v(params, aggr_vk, sigma, kappa, nu, pi_v): """ verify correctness of kappa and nu """ (G, o, g1, hs, g2, e) = params (g2, alpha, beta) = aggr_vk (h, s) = sigma (c, rm, rt) = pi_v # re-compute witnesses commitments Aw = c*kappa + rt*g2 + (1-c)*alpha + ec_sum([rm[i]*beta[i] for i in range(len(rm))]) Bw = c*nu + rt*h # compute the challenge prime return c == to_challenge([g1, g2, alpha, Aw, Bw]+hs+beta)
def verify_pi_v(params, aggr_vk, sigma, kappa, nu, pi_v):
""" verify correctness of kappa and nu """
(G, o, g1, hs, g2, e) = params
(g2, alpha, beta) = aggr_vk
(h, s) = sigma
(c, rm, rt) = pi_v
# re-compute witnesses commitments
Aw = c * kappa + rt * g2 + (1 - c) * alpha + ec_sum(
[rm[i] * beta[i] for i in range(len(rm))])
Bw = c * nu + rt * h
# compute the challenge prime
return c == to_challenge([g1, g2, alpha, Aw, Bw] + hs + beta)
def verify_pi_s(params, gamma, ciphertext, cm, proof):
""" verify orrectness of ciphertext and cm """
(G, o, g1, hs, g2, e) = params
(a, b) = zip(*ciphertext)
(c, rk, rm, rr) = proof
assert len(ciphertext) == len(rk)
# re-compute h
h = G.hashG1(cm.export())
# re-compute witnesses commitments
Aw = [c * a[i] + rk[i] * g1 for i in range(len(rk))]
Bw = [c * b[i] + rk[i] * gamma + rm[i] * h for i in range(len(ciphertext))]
Cw = c * cm + rr * g1 + ec_sum([rm[i] * hs[i] for i in range(len(rm))])
# compute the challenge prime
return c == to_challenge([g1, g2, cm, h, Cw] + hs + Aw + Bw)
def verify_pi_s(params, gamma, ciphertext, cm, proof): """ verify orrectness of ciphertext and cm """ (G, o, g1, hs, g2, e) = params (a, b) = zip(*ciphertext) (c, rk, rm, rr) = proof assert len(ciphertext) == len(rk) # re-compute h h = G.hashG1(cm.export()) # re-compute witnesses commitments Aw = [c*a[i] + rk[i]*g1 for i in range(len(rk))] Bw = [c*b[i] + rk[i]*gamma + rm[i]*h for i in range(len(ciphertext))] Cw = c*cm + rr*g1 + ec_sum([rm[i]*hs[i] for i in range(len(rm))]) # compute the challenge prime return c == to_challenge([g1, g2, cm, h, Cw]+hs+Aw+Bw)
def verify_pi_s_up(params, commits, cm, proof):
""" verify orrectness of ciphertext and cm """
(G, o, g1, hs, h_blind, g2, e) = params
(c, rL, rm, rr) = proof
assert len(commits) == len(rL)
# re-compute h
h = G.hashG1(cm.export())
# re-compute witnesses commitments
Com_w = [
c * commits[i] + rL[i] * h_blind + rm[i] * h
for i in range(len(commits))
]
Cw = c * cm + rr * g1 + ec_sum([rm[i] * hs[i] for i in range(len(rm))])
# compute the challenge prime
return c == to_challenge([g1, g2, cm, h, Cw] + hs + commits + Com_w)
def make_pi_v(params, aggr_vk, sigma, private_m, t): """ prove correctness of kappa and nu """ (G, o, g1, hs, g2, e) = params (g2, alpha, beta) = aggr_vk (h, s) = sigma # create the witnesses wm = [o.random() for _ in private_m] wt = o.random() # compute the witnesses commitments Aw = wt*g2 + alpha + ec_sum([wm[i]*beta[i] for i in range(len(private_m))]) Bw = wt*h # create the challenge c = to_challenge([g1, g2, alpha, Aw, Bw]+hs+beta) # create responses rm = [(wm[i] - c*private_m[i]) % o for i in range(len(private_m))] rt = wt - c*t % o return (c, rm, rt)
def make_pi_v(params, aggr_vk, sigma, private_m, t):
""" prove correctness of kappa and nu """
(G, o, g1, hs, g2, e) = params
(g2, alpha, beta) = aggr_vk
(h, s) = sigma
# create the witnesses
wm = [o.random() for _ in private_m]
wt = o.random()
# compute the witnesses commitments
Aw = wt * g2 + alpha + ec_sum(
[wm[i] * beta[i] for i in range(len(private_m))])
Bw = wt * h
# create the challenge
c = to_challenge([g1, g2, alpha, Aw, Bw] + hs + beta)
# create responses
rm = [(wm[i] - c * private_m[i]) % o for i in range(len(private_m))]
rt = wt - c * t % o
return (c, rm, rt)
def make_pi_s_up(params, Ls, commits, cm, r, public_m, private_m):
""" prove correctness of ciphertext and cm """
(G, o, g1, hs, h_blind, g2, e) = params
attributes = private_m + public_m
assert len(commits) == len(private_m)
assert len(attributes) <= len(hs)
# create the witnesses
wr = o.random()
wL = [o.random() for _ in Ls]
wm = [o.random() for _ in attributes]
# compute h
h = G.hashG1(cm.export())
# compute the witnesses commitments
Com_w = [wL[i] * h_blind + wm[i] * h for i in range(len(private_m))]
Cw = wr * g1 + ec_sum([wm[i] * hs[i] for i in range(len(attributes))])
# create the challenge
c = to_challenge([g1, g2, cm, h, Cw] + hs + commits + Com_w)
# create responses
rr = (wr - c * r) % o
rL = [(wL[i] - c * Ls[i]) % o for i in range(len(wL))]
rm = [(wm[i] - c * attributes[i]) % o for i in range(len(wm))]
return (c, rL, rm, rr)
def make_pi_s(params, gamma, ciphertext, cm, k, r, public_m, private_m):
""" prove correctness of ciphertext and cm """
(G, o, g1, hs, g2, e) = params
attributes = private_m + public_m
assert len(ciphertext) == len(k) and len(ciphertext) == len(private_m)
assert len(attributes) <= len(hs)
# create the witnesses
wr = o.random()
wk = [o.random() for _ in k]
wm = [o.random() for _ in attributes]
# compute h
h = G.hashG1(cm.export())
# compute the witnesses commitments
Aw = [wki * g1 for wki in wk]
Bw = [wk[i] * gamma + wm[i] * h for i in range(len(private_m))]
Cw = wr * g1 + ec_sum([wm[i] * hs[i] for i in range(len(attributes))])
# create the challenge
c = to_challenge([g1, g2, cm, h, Cw] + hs + Aw + Bw)
# create responses
rr = (wr - c * r) % o
rk = [(wk[i] - c * k[i]) % o for i in range(len(wk))]
rm = [(wm[i] - c * attributes[i]) % o for i in range(len(wm))]
return (c, rk, rm, rr)
def make_pi_s(params, gamma, ciphertext, cm, k, r, public_m, private_m): """ prove correctness of ciphertext and cm """ (G, o, g1, hs, g2, e) = params attributes = private_m + public_m assert len(ciphertext) == len(k) and len(ciphertext) == len(private_m) assert len(attributes) <= len(hs) # create the witnesses wr = o.random() wk = [o.random() for _ in k] wm = [o.random() for _ in attributes] # compute h h = G.hashG1(cm.export()) # compute the witnesses commitments Aw = [wki*g1 for wki in wk] Bw = [wk[i]*gamma + wm[i]*h for i in range(len(private_m))] Cw = wr*g1 + ec_sum([wm[i]*hs[i] for i in range(len(attributes))]) # create the challenge c = to_challenge([g1, g2, cm, h, Cw]+hs+Aw+Bw) # create responses rr = (wr - c * r) % o rk = [(wk[i] - c*k[i]) % o for i in range(len(wk))] rm = [(wm[i] - c*attributes[i]) % o for i in range(len(wm))] return (c, rk, rm, rr)
sk_owners = [cu.poly_eval(v, i) % o for i in range(1, n_owners + 1)]
print("\nSecret Keys of the petition owners: ")
for i in range(n_owners):
print("sk[" + str(i) + "] : " + str(sk_owners[i]))
pk_owner = [xi * g for xi in sk_owners]
print("\nPublic keys of the petition owners: ")
for i in range(n_owners):
print("pk[" + str(i) + "] : " + str_ec_pt(pk_owner[i]))
l = cu.lagrange_basis(range(1, t_owners + 1), o, 0)
aggr_pk_owner = cu.ec_sum([l[i] * pk_owner[i] for i in range(t_owners)])
print("\nAggregate public key for owners: " + str_ec_pt(aggr_pk_owner))
# coconut parameters
print("Coconut setup")
t, n = 4, 5 # threshold and total number of authorities
bp_params = cs.setup() # bp system's parameters
(sk, vk) = cs.ttp_keygen(bp_params, t, n) # authorities keys
print("\nSecret keys of the authorities (Credential issuers):")
for i in range(n):
print("sk_auth[" + str(i) + "] : " + str(sk[i]))