def verify(self, message, sig): """ Verify the message and the signature """ assert len(message) == 32 lr, r, ls, s = unpack("H32sH32s", sig) sig = Bn.from_binary(r[:lr]), Bn.from_binary(s[:ls]) return do_ecdsa_verify(self.G, self.pub, sig, message)
def gen_key(): """Example naive RSA key generation""" p = Bn.get_prime(512) q = Bn.get_prime(512) m = p * q phi = (p - 1) * (q - 1) e = Bn(2**16 + 1) d = e.mod_inverse(phi) pub = (e, m) priv = (d,) return pub, priv
def point_add(a, b, p, x0, y0, x1, y1): """Define the "addition" operation for 2 EC Points. Reminder: (xr, yr) = (xq, yq) + (xp, yp) is defined as: lam = (yq - yp) * (xq - xp)^-1 (mod p) xr = lam^2 - xp - xq (mod p) yr = lam * (xp - xr) - yp (mod p) Return the point resulting from the addition. Raises an Exception if the points are equal. """ xr, yr = None, None if not all([x0, y0, x1, y1]): # Either is origin; inf is "(0,0)" xr = x0 or x1 yr = y0 or y1 elif (x0 == x1 and y0 == y1): # Point doubling #xr, yr = point_double(a, b, p, x0, y0) # NOTE: asked to raise exact exception raise Exception("EC Points must not be equal") elif (y0 + y1) % p == Bn(0): # Negation, checking y coord, return origin pass else: inv = (x1 - x0).mod_inverse(p) lam = ((y1 - y0) * inv) % p xr = (lam**2 - x0 - x1) % p yr = (lam * (x0 - xr) - y0) % p return (xr, yr)
def verifyK(self,pi,P,Q): # c是内部的?C也是内部的?r也是内部的?不用不用,pi传入了 # 预处理 n = len(Q) (C,c,r) = pi # 得到c_,同样分为(1),(2),(3),(4)四步 # (1)得到P,Qi,C各自的二进制表示P_,Q_[],C_,Sigma_(1,n){ri*Qi+r_{n+1}*P+c*C}_ P_ = P.export() Q_ = [] for i in range(n): Q_.append(Q[i].export()) C_ = C.export() # 求点Sigma的位置: Sigma = r[n] * P + c * C for i in range(n): Sigma += r[i] * Q[i] # 将点Sigma转换成byte形式 Sigma_ = Sigma.export() # (2)将P_,Q_[],C_,Sigma_(1,n){ri*Qi+r_{n+1}*P+c*C}顺次拼接在一起,得到二进制串bytestr bytestr = P_ for i in range(n): bytestr += Q_[i] bytestr += C_ + Sigma_ # (3)将二进制串bytestr转换成字符串str0 str0 = str(bytestr) # (4)调用hashlib中的md5函数,将str0映射成为十六进制数字c_,再进一步转换为Bn类型的大整数对象c_ c_ = hashlib.md5(str0.encode('utf8')).hexdigest() c_ = Bn.from_hex(str(c_)) return c_==c
def verifyDL(self,pi,Q): # 预处理 n = len(Q) (C,c,r) = pi # 得到c_,同样分为(1),(2),(3),(4)四步 # (1)得到{Qi},C,Sigma_(1,n){ri*Qi+c*C}各自的二进制表示Q_[],C_,Sigma_ Q_ = [] for i in range(n): Q_.append(Q[i].export()) C_ = C.export() # 求点Sigma的位置: Sigma = c * C for i in range(n): Sigma += r[i] * Q[i] # 将点Sigma转换成byte形式 Sigma_ = Sigma.export() # (2)将Q_[],C_,Sigma_顺次拼接在一起,得到二进制串bytestr bytestr = Q_[0] for i in range(1,n): bytestr += Q_[i] bytestr += C_ + Sigma_ # (3)将二进制串bytestr转换成字符串str0 str0 = str(bytestr) # (4)调用hashlib中的md5函数,将str0映射成为十六进制数字c_,再进一步转换为Bn类型的大整数对象c_ c_ = hashlib.md5(str0.encode('utf8')).hexdigest() c_ = Bn.from_hex(str(c_)) return c_==c
def layer_C1_4(gk, Chi_share, Chi, g1_chipows, g1_polyhats, n, mpc): print("\n Layer C1.4") g2_chipows = [gk.g2] g1_beta_chipows = [] g1_betahat_polyhats = [] share_chi = Chi_share.chi share_beta = Chi_share.beta share_betahat = Chi_share.betahat g2_chi = Chi.g2_chi share_chi_pow = Bn(1) md_list_x = [] md_list_bx = [MD_Elems(gk, share_beta, 1, g1_chipows[0])] md_list_bp = [] q = gk.q share_chi = Chi_share.chi for i in range(1, n + 1): md_list_x.append(MD_Elems(gk, share_chi_pow, 1, g2_chi)) share_chi_pow = share_chi * share_chi_pow % q md_list_bx.append(MD_Elems(gk, share_beta, 1, g1_chipows[i])) md_list_bp.append(MD_Elems(gk, share_betahat, 1, g1_polyhats[i - 1])) g2_chipows.extend(mpc.parallel_md(md_list_x)) g1_beta_chipows.extend(mpc.parallel_md(md_list_bx)) g1_betahat_polyhats.extend(mpc.parallel_md(md_list_bp)) return g2_chipows, g1_beta_chipows, g1_betahat_polyhats
def test_bbsplus_and_range(): from zksk.primitives.rangeproof import RangeStmt from zksk.utils import make_generators mG = BilinearGroupPair() keypair = BBSPlusKeypair.generate(mG, 9) pk, sk = keypair.pk, keypair.sk generators, h0 = keypair.generators, keypair.h0 creator = BBSPlusSignatureCreator(pk) msg_val = Bn(30) lhs = creator.commit([msg_val]) presignature = sk.sign(lhs.com_message) signature = creator.obtain_signature(presignature) e, s, m = Secret(signature.e), Secret(signature.s), Secret(msg_val) p1 = BBSPlusSignatureStmt([e, s, m], pk, signature) g, h = make_generators(2, mG.G1) randomizer = Secret(value=mG.G1.order().random()) com = m * g + randomizer * h p2 = RangeStmt(com.eval(), g, h, 18, 9999, m, randomizer) stmt = p1 & p2 proof = stmt.prove() assert stmt.verify(proof)
def test_randomize(): params = setup() sk, pk = keygen(params) from petlib.bn import Bn from hashlib import sha256 m = Bn.from_binary(sha256("Hello World!").digest()) signature = sign(params, sk, m) signature = randomize(params, signature) assert verify(params, pk, m, signature) m2 = Bn.from_binary(sha256("Other Hello World!").digest()) assert not verify(params, pk, m2, signature)
def __init__(self, name, ip, port, prvk, cascade=1, layered=1): print "Mix: init", name, ip, port, prvk, cascade, layered #Mix initialization self.name = name # Name of the mix self.port = port # Port of the mix self.ip = ip # IP of the mix #Mix keys self.G = EcGroup(713) self.o = self.G.order() self.g = self.G.generator() self.o_bytes = int( math.ceil(math.log(float(int(self.o))) / math.log(256))) self.s = (self.G, self.o, self.g, self.o_bytes) self.prvk = Bn.from_binary( base64.b64decode( "/m8A5kOfWNhP4BMcUm7DF0/G0/TBs2YH8KAYzQ==")) #mix private key self.pubk = self.prvk * self.g #mix public key self.setup = (self.G, self.o, self.g, self.o_bytes, self.prvk, self.pubk) self.sessions = {} # Eviction session self.sessionlock = threading.Lock( ) #lock for accessing any information
def enc(pub, plaintext): """Naive RSA encryption""" e, m = pub plain = Bn.from_binary(plaintext) assert 1 < plain < m cipher = pow(plain, e, m) return cipher.binary()
def get_prover(self, secrets_dict=None): """ Get a prover for the current proof statement. Args: secrets_dict: Optional mapping from secrets or secret names to their values. Returns: :py:class:`DLRepProver` or None: Prover object if all secret values are known. """ if secrets_dict is None: secrets_dict = {} # First we update the dictionary we have with the additional secrets, and process it self.secret_values.update(secrets_dict) secrets_dict = self.secret_values # If missing secrets or simulation parameter set, return now if (self.set_simulated() or secrets_dict == {} or any(sec not in secrets_dict.keys() for sec in set(self.secret_vars))): # TODO: Make this raise: # raise IncompleteValuesError(self.secret_vars) return None # We check everything is indeed a big number, else we cast it for name, sec in secrets_dict.items(): if not isinstance(sec, Bn): secrets_dict[name] = Bn(sec) return DLRepProver(self, secrets_dict)
def CommitG1(self, x): try: ttype = x["type"] if ttype == "unt": return self.G1unt() elif ttype == "bas": return self.G1bas() value = x["value"] if type(value) == G1Elem: if ttype == "pub": return self.G1pub(value) elif ttype == "enc": return self.G1enc(value) elif ttype == "com": return self.G1com(value) if type(value) == Bn or type(value) == int: if type(value) == int: value = Bn(value) if ttype == "sca": return self.G1sca(value) except Exception as e: print("Error G1 commit", e)
def BL_check_signature(params, issuer_pub, signature, db, keys): (_, q, g, h, z, _) = params (y_issuer, ) = issuer_pub (m, zet, zet1, zet2, om, omp, ro, ro1p, ro2p, mu) = signature #load this service's public key y_verifier = keys[1] if y_issuer != y_verifier: print "This verifier didn't issue this key" return False lhs = (om + omp) % q rhs_h = [ zet, zet1, ro * g + om * y_verifier, ro1p * g + omp * zet1, ro2p * h + omp * zet2, mu * z + omp * zet ] Hstr = list(map(EcPt.export, rhs_h)) + [m] Hhex = b"|".join(map(b64encode, Hstr)) rhs = Bn.from_binary(sha256(Hhex).digest()) % q #Check the database to see if this hash already exists! coinExists = database.checkDB_coinExists(rhs, db) if rhs == lhs and coinExists == False: database.insert2DB_Coin(rhs, db) return m else: return False
def prove_knowledge(self, pparam, prand, values): """ A non-interactive proof of knowledge of opening an commitment. Args: pparam (CommitPram): prameters prand (PedersenRand): commitment's secret values (Bn[]): commitment's values Returns: (PedersenProof) """ # sigma protocol's commitment phase r_h = pparam.q.random() r_vs = [pparam.q.random() for _ in range(len(values))] R = r_h * pparam.H R += pparam.group.wsum(r_vs, pparam.HS[:len(r_vs)]) # sigma protocol's challenge: Fiat-Shamir chash = sha256(self.commit.export() + R.export()).digest() e = Bn.from_binary(chash) % pparam.q # sigma protocol's response phase s_h = r_h - prand * e s_vs = [r - x * e for (x, r) in zip(values, r_vs)] return PedersenProof(e, (s_h, s_vs))
def BL_user_validation(user_state, issuer_pub, msg_to_user, message=b''): (G, q, g, h, z, hs) = user_state.params # (z1, gam, zet, zet1, zet2, tau, eta) = user_private_state (a, a1p, a2p) = msg_to_user (y, ) = issuer_pub assert G.check_point(a) assert G.check_point(a1p) assert G.check_point(a2p) t1, t2, t3, t4, t5 = [q.random() for _ in range(5)] alph = a + t1 * g + t2 * y alph1 = user_state.gam * a1p + t3 * g + t4 * user_state.zet1 alph2 = user_state.gam * a2p + t5 * h + t4 * user_state.zet2 # Make epsilon H = [user_state.zet, user_state.zet1, alph, alph1, alph2, user_state.eta] Hstr = list(map(EcPt.export, H)) + [message] Hhex = b"|".join(map(b64encode, Hstr)) epsilon = Bn.from_binary(sha256(Hhex).digest()) % q e = epsilon.mod_sub(t2, q).mod_sub(t4, q) user_state.ts = [t1, t2, t3, t4, t5] user_state.message = message msg_to_issuer = e return msg_to_issuer
def BL_user_validation(user_state, idp_pub, msg_to_user, message=b''): (G, q, g, h, z, hs) = user_state.params # (z1, gam, zet, zet1, zet2, tau, eta) = user_private_state (a, a1p, a2p) = msg_to_user (y,) = idp_pub assert G.check_point(a) assert G.check_point(a1p) assert G.check_point(a2p) t1,t2,t3,t4,t5 = [q.random() for _ in range(5)] alph = a + t1 * g + t2 * y alph1 = user_state.gam * a1p + t3 * g + t4 * user_state.zet1 alph2 = user_state.gam * a2p + t5 * h + t4 * user_state.zet2 # Make epsilon H = [user_state.zet, user_state.zet1, alph, alph1, alph2, user_state.eta] Hstr = list(map(EcPt.export, H)) + [message] Hhex = b"|".join(map(b64encode, Hstr)) epsilon = Bn.from_binary(sha256(Hhex).digest()) % q e = epsilon.mod_sub(t2,q).mod_sub(t4, q) user_state.ts = [t1, t2, t3, t4, t5] user_state.message = message msg_to_issuer = e return msg_to_issuer
def cred_show_check(params, publics, secrets, creds, sig, cred_show_proof=cred_show_proof, xenv={}): # Parse the inputs G, g, h, _ = params sk, _ = secrets Cx0, iparams = publics (u, Cmis, Cup) = creds n = len(iparams) ## Recompute a V V = sk[0] * u + (- Cup) for xi, Cmi in zip(sk[1:], Cmis): V = V + xi * Cmi # Define the proof, and instanciate it with variables zk = cred_show_proof(params, n) env = ZKEnv(zk) env.u = u env.g, env.h = g, h env.V = V env.minus1 = -Bn(1) env.Xi = iparams env.Cmi = Cmis if xenv: xenv(env) # Return the result of the verification return zk.verify_proof(env.get(), sig)
def test_range_proof_big_range(): x = Secret(value=7) lo = 0 hi = Bn(2) ** 65 stmt = RangeOnlyStmt(lo, hi, x) nizk = stmt.prove() assert stmt.verify(nizk) == True
def point_scalar_multiplication_double_and_add(a, b, p, x, y, scalar): """ Implement Point multiplication with a scalar: r * (x, y) = (x, y) + ... + (x, y) (r times) Reminder of Double and Multiply algorithm: r * P Q = infinity for i = 0 to num_bits(P)-1 if bit i of r == 1 then Q = Q + P P = 2 * P return Q """ assert Bn.is_prime(p) Q = (None, None) P = (x, y) for i in range(scalar.num_bits()): if scalar.is_bit_set(i): Q = point_add(a, b, p, P[0], P[1], Q[0], Q[1]) else: # Wasteful point addition, added to prevent side channel attack W = point_add(a, b, p, P[0], P[1], Q[0], Q[1]) P = point_double(a, b, p, P[0], P[1]) return Q
def create_tumbler_checker(inputs, reference_inputs, parameters, outputs, returns, dependencies): try: # retrieve ID list spent_list = loads(outputs[1]) # retrieve vvk & sig packed_vvk = spent_list['vvk'] sig = pet_unpack(parameters[0]) # check format if len(inputs) != 1 or len(reference_inputs) != 0 or len(outputs) != 2 or len(returns) != 0: return False # check types if loads(inputs[0])['type'] != 'TToken' or loads(outputs[0])['type'] != 'TToken': return False if spent_list['type'] != 'TList': return False # verify that the spent list is empty if spent_list['list']: return False # verify signature bp_params = bp_setup() hasher = sha256() hasher.update(outputs[1].encode('utf8')) m = Bn.from_binary(hasher.digest()) vvk = (unpackG2(bp_params,packed_vvk[0]), unpackG2(bp_params,packed_vvk[1]), unpackG2(bp_params,packed_vvk[2])) if not verify(bp_params, vvk, m, sig): return False # otherwise return True except (KeyError, Exception): return False
def enc(self, params, pub, m): """Encrypts the values of a group element""" print("CCA2EG: Enc") G, g1, o = params r1 = o.random() r2 = o.random() c11 = r1 * pub[0] + m c21 = r2 * pub[1] + m c12 = r1 * g1 c22 = r2 * g1 d = o.random() * g1 s1 = o.random() s2 = o.random() e11 = s1 * pub[0] + d e21 = s2 * pub[1] + d e12 = s1 * g1 e22 = s2 * g1 state = [g1, pub[0], pub[1], c11, c21, c12, c22, e11, e21, e12, e22] hash_c = self.challenge(state) c = Bn.from_binary(hash_c) % o z = c*m +d z1 = (r1 * c + s1) % o z2 = (r2 * c + s2) % o return ((c11, c12), (c21, c22), (e11, e12), (e21, e22), c, z, z1, z2)
def CommitG2(self, y): try: ttype = y["type"] if ttype == "bas": return self.G2bas() elif ttype == "unt": return self.G2unt() value = y["value"] if type(value) == G2Elem: if ttype == "pub": return self.G2pub(value) elif ttype == "enc": return self.G2enc(value) elif ttype == "com": return self.G2com(value) if type(value) == Bn or type(value) == int: if type(value) == int: value = Bn(value) if ttype == "sca": return self.G2sca(value) except Exception as e: print("Error G2 commit", e)
def dec(pub, priv, ciphertext): """Naive RSA decryption. NOT const. time.""" _, m = pub d, = priv cipher = Bn.from_binary(ciphertext) assert 1 < cipher < m plain = pow(cipher, d, m) return plain.binary()
def keygen(self, p): # 调用petlib.bn中的Bn,生成(0,p)的随机数,作为私钥sk self.x = Bn().from_decimal(str(self.p)).random() # 将私钥x与g2做标量乘法,得到公钥X self.X = self.x * self.g2 sk = (self.x) vk = (self.X) return sk, vk
def from_roots_opt(roots, modulo): """ Calculate polynomial from roots, optimally Example: >>> a = Polynomial.from_roots_opt([Bn.from_num(1), Bn.from_num(1)], Bn.from_num(7)) >>> a.eval(1) 0 >>> a = Polynomial.from_roots_opt([1, 2, 3, 3, 4, 5], Bn.from_num(7)) >>> a.coefficients [3, 3, 4, 3, 4, 3, 1] >>> a.eval(3) 0 >>> a.eval(5) 0 >>> a.eval(6) 3 >>> order = Bn.from_decimal("52137169930799554717614356857506293818498877974737694294258188871929297414763123103907744062376810056827189091305705434921846346757741920691072816664704800302679217118985586829201265273391676324053123901757229727135241424267879269925766038354395247471758947327023181961662857375240340094119735806654078071568415490759313899749642836086369437285822445537863499850137938649445050574793896418443324129366783154447555359885480360150449533448644540185781810834062108093885074870413486811350157518533438291933078172819638193255100503198570696887787567964374981238663391668092217407521167528524716096503249760795640678745829") >>> roots = [Bn.from_decimal('24328626682289136570751536147321521934883276496444403637200791710959330225351187858816284221467749949170967552592192324486105274675745073644298833869379510880054061897691638487850358168087009962101666739301242027780261176000688299869458451077243785452946211728488732020837306283402441986288004713904032620106051702880664181957060410226643578290964003019109479261826859822942513350862756778747973875209750342357933539552875979843312957639435564366361012366291495216191958522420513908595748516389774971404368853339932587005401457667821996489027145786706555858193202229433265835452932244580820310037045608574782179678733') for _ in range(4)] >>> big_poly = Polynomial.from_roots_opt(roots, order) >>> big_poly.eval(roots[0]) 0 >>> Polynomial.from_roots_opt([1, 2, 3, 3, 4, 5], Bn.from_num(1000)).coefficients [360, 58, 949, 520, 130, 982, 1] """ if type(modulo) == int: modulo = Bn.from_num(modulo) if type(roots[0]) == int: roots = [Bn.from_num(a) for a in roots] degree_poly = len(roots) polynomial = [0] * degree_poly polynomial[0] = 1 for i in range(degree_poly): new_poly = [] new_poly.append((-polynomial[0] * roots[i]).mod(modulo)) for j in range(1, i + 1): new_poly.append( (-polynomial[j] * roots[i] + polynomial[j - 1]).mod(modulo) ) new_poly.append(1) polynomial = new_poly return Polynomial(polynomial, modulo)
def sum_bn_array(arr, modulus): """ Sum an array of big numbers under a modulus. >>> a = [Bn(5), Bn(7)] >>> m = 10 >>> sum_bn_array(a, m) 2 """ if not isinstance(modulus, Bn): modulus = Bn(modulus) res = Bn(0) for elem in arr: if not isinstance(elem, Bn): elem = Bn(elem) res = res.mod_add(elem, modulus) return res
def sign(self, sk, m): # 输入类型检测,要求m属于Zp try: m = Bn.from_decimal(str(m)) if m < 0 or m > self.p: # if not a positive int print message and ask for input again print( "m is out of range, please ensure m to be an integer in [0,p)" ) except ValueError: print("m is not an int, please ensure m to be an integer in [0,p)") # 把这个整数类型的信息m转化为字符串类型,便于使用hashG1函数 # while语句使得x + m != 0 if self.x + m == 0: print("x有问题") theta = (Bn.from_decimal(str(self.x + m)).mod_inverse(self.G.order()) * self.g1) return theta
def __init__(self, arch, enc, el1, el2, el3, el4, ports): print("CF: init") self.done = Deferred() self.c_proto = None self.G = EcGroup(713) self.o = self.G.order() self.g = self.G.generator() self.o_bytes = int(math.ceil(math.log(float(int(self.o))) / math.log(256))) self.data = ["STT", int(urandom(2).encode('hex'),16), [ Actor("DB", "127.0.0.1", 8000, ""), 3]] if arch: if enc: self.data[2].extend([["", Bn.from_binary(base64.b64decode(el2))]]) else: self.data[2].extend([[Bn.from_binary(base64.b64decode(el2)), Bn.from_binary(base64.b64decode(el2))]]) else: if enc: self.data[2].extend([["", Bn.from_binary(base64.b64decode(el2))],[["", Bn.from_binary(base64.b64decode(el4))]]]) else: self.data[2].extend([ [Bn.from_binary(base64.b64decode(el1)), Bn.from_binary(base64.b64decode(el2))], [Bn.from_binary(base64.b64decode(el3)), Bn.from_binary(base64.b64decode(el4))]]) actors=[] for i in range(len(ports)): actors.extend([Actor("M"+str(i), "127.0.0.1", 8001+i, "")]) self.data[2].extend([[actors]])
def proof_pkuv(gsp, X, Y): res = [] B = [] A = [] C = [] for i in range(len(X)): row = [] for j in range(len(Y)): row.append(Bn(0)) C.append(row) C[6][0] = Bn(1) # pk_uv C[5][1] = Bn(-1) # - h_v^sku success, result = gsp.Prove_aggreg("MC1", X, B, A, Y, C, G1Elem.inf(gsp.G)) verify = 0 if success: eq_type, X, Y, C, T_eq, pi2_v1, pi2_w1, pi1_v2, pi1_w2 = result #verify = gsp.Verify(eq_type, X, Y, C, pi2_v1, pi2_w1, pi1_v2, pi1_w2) #if verify: res = [C, [pi2_v1, pi2_w1, pi1_v2, pi1_w2]] #print("Do we successfully create a proof?", success) #print("Does the proof successfully verify?", verify) print("\n----pk uv") for i in range(len(res[1])): for j in range(2): if type(res[1][i][j]) == G1Elem: print(i, j, type(res[1][i][j]), res[1][i][j].eq(G1Elem.inf(gsp.G))) else: print(i, j, type(res[1][i][j]), res[1][i][j].eq(G2Elem.inf(gsp.G))) b = challenge(result) for i in range(len(res[0])): for j in range(len(res[0][0])): if res[0][i][j] != 0: res[0][i][j] = b * res[0][i][j] for i in range(len(res[1])): for j in range(len(res[1][i])): res[1][i][j] = b * res[1][i][j] #verify = gsp.Verify("ME1", X, Y, C, res[1][0], res[1][1], res[1][2], res[1][3]) #print("Does the (aggregate) proof verify?", verify) return res
def H_hat(pi_NIZK, phi, otsvk): X_ = otsvk[0].export() Y_ = otsvk[1].export() X_str = str(X_) Y_str = str(Y_) str0 = pi_NIZK + phi + X_str + Y_str c_ = hashlib.md5(str0.encode('utf8')).hexdigest() c_ = Bn.from_hex(str(c_)) return c_
def challenge(self, elements): """Packages a challenge in a bijective way""" elem = [len(elements)] + elements elem_str = map(str, elem) elem_len = map(lambda x: "%s||%s" % (len(x), x), elem_str) state = "|".join(elem_len) H = sha256() H.update(state.encode("utf8")) return Bn.from_binary(H.digest()) % self.o
def challenge(elements): """Packages a challenge in a bijective way""" elem = [len(elements)] + elements elem_str = list(map(str, elem)) elem_len = list(map(lambda x: "%s||%s" % (len(x) , x), elem_str)) state = "|".join(elem_len) H = sha256() H.update(state.encode("utf8")) return Bn.from_binary(H.digest())
def test_sign(): params = setup() sk, pk = keygen(params) from petlib.bn import Bn from hashlib import sha256 m = Bn.from_binary(sha256("Hello World!").digest()) sign(params, sk, m)
def sign(self, sk, m): # 输入类型检测,要求m属于Zp try: m = Bn.from_decimal(str(m)) if m < 0 or m > self.p: # if not a positive int print message and ask for input again print( "m is out of range, please ensure m to be an integer in [0,p)" ) except ValueError: print("m is not an int, please ensure m to be an integer in [0,p)") # while语句使得x + r*y + m != 0 while self.x + self.r * self.y + m == 0: self.r = Bn().from_decimal(str(self.p)).random() self.theta_prime = (Bn.from_decimal( str(self.x + self.r * self.y + m)).mod_inverse( self.G.order())) * self.g1 theta = (self.theta_prime, self.r) return theta
def verify(params, h, g, proof, m=""): """Verify the statement ZK(x ; h = g^x)""" G, _, o = params c, r = proof W = (r * g + c * h) state = ['schnorr', G.nid(), g, h, m, W] hash_c = challenge(state) c2 = Bn.from_binary(hash_c) % o return c == c2
def __init__(self, key_bytes, public=True): """ Make a key given a public or private key in bytes """ self.G = _globalECG if public: self.sec = None self.pub = EcPt.from_binary(key_bytes, self.G) self.optim = None else: self.sec = Bn.from_binary(sha256(key_bytes).digest()) self.pub = self.sec * self.G.generator() self.optim = do_ecdsa_setup(self.G, self.sec)
def mix_operate(message, triplet, setup): mname, mpub, msec = triplet elem, forward, backwards = message G, o, g, o_bytes = setup aes = Cipher("AES-128-CTR") # Derive first key k1 = KDF((msec * elem).export()) # Derive the blinding factor b = Bn.from_binary(k1.b) % o new_elem = b * elem # Check the forward MAC mac1 = hmac.new(k1.kmac, forward[20:], digestmod=sha1).digest() assert forward[:20] == mac1 # Decrypt the payload enc = aes.dec(k1.kenc, k1.iv) pt = enc.update(forward[20:]) pt += enc.finalize() # Parse the forward message xfrom, xto, the_bs, new_forw = pt[:4], pt[4:8], pt[8:8+o_bytes], pt[8+o_bytes:] old_bs = Bn.from_binary(the_bs) # Now encrypt the return part k2 = KDF(((msec * old_bs) * elem).export()) new_bs = old_bs.mod_inverse(o).binary() enc = aes.enc(k2.kenc, k2.iv) new_back_body = enc.update(xto + xfrom + new_bs + backwards) new_back_body += enc.finalize() mac2 = hmac.new(k2.kmac, new_back_body, digestmod=sha1).digest() new_back = mac2 + new_back_body return ((xfrom, xto), (new_elem, new_forw, new_back) )
def prove(params, h, g, x, m=""): """Schnorr proof of the statement ZK(x ; h = g^x)""" assert x * g == h G, _, o = params w = o.random() W = w * g state = ['schnorr', G.nid(), g, h, m, W] hash_c = challenge(state) c = Bn.from_binary(hash_c) % o r = (w - c * x) % o return (c, r)
def ext_hook(code, data): if code==0: num = Bn.from_binary(data[1:]) if data[0] == ord("-") or data[0] == "-": return -num return num elif code==1: nid = msgpack.unpackb(data) return EcGroup(nid) elif code == 2: nid, ptdata = msgpack.unpackb(data) return EcPt.from_binary(ptdata, EcGroup(nid)) return msgpack.ExtType(code, data)
def build_proof(self, env, message=""): """Generates a proof within an environment of assigned public and secret variables.""" self._check_env(env) # Do sanity check on the proofs if __debug__: for base, expr in self.proofs: xGen = base.val(env) xExpr = expr.val(env) try: assert xGen == xExpr except: raise Exception("Proof about '%s' does not hold." % base.name) G = self.G order = G.order() ## Make a list of all the public state state = ['ZKP', G.nid(), message] for v in sorted(self.Const.keys()): state += [env[v]] for v in sorted(self.Pub.keys()): state += [env[v]] ## Set witnesses for all secrets witnesses = dict(env.items()) for w in self.Sec.keys(): assert w in witnesses witnesses[w] = order.random() ## Compute the first message and add it to the state for base, expr in self.proofs: Cw = expr.val(witnesses) state += [Cw] ## Compute the challenge using all the state hash_c = challenge(state) c = Bn.from_binary(hash_c) % order ## Compute all the resources responses = dict(env.items()) for w in self.Sec.keys(): responses[w] = (witnesses[w] - c * env[w]) % order for v in self.Const: del responses[v] return (c, responses)
def BL_check_signature(params, issuer_pub, signature): (G, q, g, h, z, hs) = params (y,) = issuer_pub (m, zet, zet1, zet2, om, omp, ro, ro1p, ro2p, mu) = signature lhs = (om + omp) % q rhs_h = [zet, zet1, ro * g + om * y, ro1p * g + omp * zet1, ro2p * h + omp * zet2, ## problem mu * z + omp * zet] Hstr = list(map(EcPt.export, rhs_h)) + [m] Hhex = b"|".join(map(b64encode, Hstr)) rhs = Bn.from_binary(sha256(Hhex).digest()) % q if rhs == lhs: return m else: return False
def verify_proof(self, env, sig, message="", strict=True): """Verifies a proof within an environment of assigned public only variables.""" ## Select the constants for the env env_l = [(k,v) for k,v in env.items() if k in self.Const] if __debug__ and strict: env_not = [k for k,v in env.items() if k not in self.Const] if len(env_not): raise Exception("Did not check: " + (", ".join(env_not))) c, responses = sig responses = dict(list(responses.items()) + env_l) ## Ensure all variables we need are here self._check_env(responses) ## Define the maths group we work in G = self.G order = G.order() ## Make a list of all the public state state = ['ZKP', G.nid(), message] for v in sorted(self.Const.keys()): state += [responses[v]] for v in sorted(self.Pub.keys()): state += [responses[v]] ## Compute the first message and add it to the state for base, expr in self.proofs: Cr = expr.val(responses) Cx = base.val(responses) Cw = Cr + c * Cx state += [Cw] ## Compute the challenge using all the state hash_c = challenge(state) c_prime = Bn.from_binary(hash_c) % order ## Check equality return (c == c_prime)
def BL_verify_age(params, issuer_pub, num_attributes, signature, sig, gam_hs, zet1p, gam_g): m = BL_check_signature(params, issuer_pub, signature) assert m != False (G, q, g, h, z, hs) = params (m, zet, zet1, zet2, om, omp, ro, ro1p, ro2p, mu) = signature zk = BL_show_zk_proof(params, num_attributes) #we get this from the user env = ZKEnv(zk) # Constants env.g = g env.z = z env.zet = zet env.zet1 = zet1p env.hs = gam_hs[:num_attributes + 1] ## Extract the proof res = zk.verify_proof(env.get(), sig) assert res lhs = (om + omp) % q rhs_h = [zet, zet1, ro * g + om * y, ro1p * g + omp * zet1, ro2p * h + omp * zet2, ## problem mu * z + omp * zet] Hstr = list(map(EcPt.export, rhs_h)) + [m] Hhex = b"|".join(map(b64encode, Hstr)) rhs = Bn.from_binary(sha256(Hhex).digest()) % q # Check the (future) ZK proof # assert rnd * gam_g + R * gam_hs[0] + L1 * gam_hs[1] + L2 * gam_hs[2] == zet1 assert rnd * gam_g + R * gam_hs[0] + L1 * gam_hs[1] == zet1 - Age * gam_hs[2] return m
def VerifyOneOfN(ck, cis, proof, message = ""): """ Verify the ring signature on message """ n = int(math.ceil(math.log(len(cis)) / math.log(2))) (G, g, h, o) = ck (Celi, Cai, Cbi, cdi, fi, zai, zbi, zd) = proof ## Check all parts of the proof are in the right groups assert 0 <= zd < o for k in range(n): assert 0 <= fi[k] < o assert 0 <= zai[k] < o assert 0 <= zbi[k] < o assert G.check_point(Celi[k]) assert G.check_point(Cai[k]) assert G.check_point(Cbi[k]) assert G.check_point(cdi[k]) # Recompute the challenge x = challenge(list(ck) + cis + Celi + Cai + Cbi + cdi + [ message ]) ret = True for i in range(n): ret &= x * Celi[i] + Cai[i] == Com(ck, fi[i], zai[i]) ret &= (x - fi[i]) * Celi[i] + Cbi[i] == Com(ck, Bn(0), zbi[i]) # acc = G.infinite() bases = [] expons = [] for idx, ci in enumerate(cis): idx = Bn(idx) idxi = [Bn(int(idx.is_bit_set(i))) for i in range(n)] acc_exp = Bn(1) for k, ij in enumerate(idxi): if ij == 0: acc_exp = acc_exp.mod_mul(x - fi[k], o) else: acc_exp = acc_exp.mod_mul(fi[k], o) bases += [ ci ] expons += [ acc_exp ] # acc = acc + acc_exp * ci for k in range(n): expi = (- pow(x,k,o)) # acc = acc + expi * cdi[k] bases += [ cdi[k] ] expons += [ expi ] # assert G.wsum(expons, bases) == acc acc = G.wsum(expons, bases) ret &= acc == Com(ck, 0, zd) return ret
def test_protocol(): # Parameters of the BL schemes G = EcGroup(713) q = G.order() g = G.hash_to_point(b"g") h = G.hash_to_point(b"h") z = G.hash_to_point(b"z") hs = [G.hash_to_point(("h%s" % i).encode("utf8")) for i in range(100)] # Inputs from user R = q.random() L1 = 10 L2 = 20 #age C = R * hs[0] + L1 * hs[1] + L2 * hs[2] m = b"Hello World!" # Inputs from the Issuer # TODO: check ZK on C x = q.random() y = x * g # Preparation rnd = q.random() z1 = C + rnd * g z2 = z + (-z1) ## Send: (rnd,) to user if rnd % q == 0: raise z1 = C + rnd * g gam = q.random() zet = gam * z zet1 = gam * z1 zet2 = zet + (-zet1) tau = q.random() eta = tau * z # Validation: Issuer u, r1p, r2p, cp = [q.random() for _ in range(4)] a = u * g a1p = r1p * g + cp * z1 a2p = r2p * h + cp * z2 ## Send(a, ap = (a1p, a2p)) # User side assert G.check_point(a) assert G.check_point(a1p) assert G.check_point(a2p) t1, t2, t3, t4, t5 = [q.random() for _ in range(5)] alph = a + t1 * g + t2 * y alph1 = gam * a1p + t3 * g + t4 * zet1 alph2 = gam * a2p + t5 * h + t4 * zet2 # Make epsilon H = [zet, zet1, alph, alph1, alph2, eta] Hstr = list(map(EcPt.export, H)) + [m] Hhex = b"|".join(map(b64encode, Hstr)) epsilon = Bn.from_binary(sha256(Hhex).digest()) % q e = epsilon.mod_sub(t2, q).mod_sub(t4, q) ## Send: (e,) to Issuer c = e.mod_sub(cp, q) r = u.mod_sub((c * x), q) ## Send: (c,r, cp, rp = (r1p, r2p)) to User ro = r.mod_add(t1, q) om = c.mod_add(t2, q) ro1p = (gam * r1p + t3) % q ro2p = (gam * r2p + t5) % q omp = (cp + t4) % q mu = (tau - omp * gam) % q signature = (m, zet, zet1, zet2, om, omp, ro, ro1p, ro2p) gam_hs = [gam * hsi for hsi in hs] zet1p = zet1 - L2 * gam_hs[2] # Check verification equation lhs = (om + omp) % q rhs_h = [zet, zet1p, ro * g + om * y, ro1p * g + omp * zet1p, ro2p * h + omp * zet2, ## problem mu * z + omp * zet] Hstr = list(map(EcPt.export, rhs_h)) + [m] Hhex = b"|".join(map(b64encode, Hstr)) rhs = Bn.from_binary(sha256(Hhex).digest()) % q # Check the (future) ZK proof assert zet == gam * z gam_hs = [gam * hsi for hsi in hs] gam_g = gam * g #assert rnd * gam_g + R * gam_hs[0] + L1 * gam_hs[1] + L2 * gam_hs[2] == zet1 assert rnd * gam_g + R * gam_hs[0] + L1 * gam_hs[1] == zet1 - L2 * gam_hs[2] print(rhs == lhs)
def ProveOneOfN(ck, cis, el, r, message = ""): """ NIZK Proof that Com(0; r) is within Cis. The fact that it is the el'th commitmtnet is not revealed. + Ring signature on "message". """ n = int(math.ceil(math.log(len(cis)) / math.log(2))) assert Com(ck, 0, r) == cis[el] (G, g, h, o) = ck ## Commit to the bits of the index el = Bn(el) eli = [Bn(int(el.is_bit_set(i))) for i in range(n)] ri = [o.random() for i in range(n)] ai = [o.random() for i in range(n)] si = [o.random() for i in range(n)] ti = [o.random() for i in range(n)] Celi = [Com(ck, elix, rix) for elix, rix in zip(eli, ri)] Cai = [Com(ck, a, s) for a, s in zip(ai, si)] Cbi = [Com(ck, l * a , s) for l, a, s in zip(eli, ai, ti)] # Compute p_idxi(x) p_idx_i = [] for idx in range(len(cis)): idx = Bn(idx) idxi = [Bn(int(idx.is_bit_set(i))) for i in range(n)] p = [Bn(1)] for j, idxi_j in enumerate(idxi): if idxi_j == 0: p = poly_mul(o, p, [ -ai[j] , - eli[j] + 1] ) else: p = poly_mul(o, p, [ ai[j] , eli[j] ]) p_idx_i += [p] # Compute all Cdi's roi = [] cdi = [] for i in range(n): roi_i = o.random() roi += [ roi_i ] # cdi_i = Com(ck, 0, roi_i) wis = [] for idx, cidx in enumerate(cis): wis += [ p_idx_i[idx][i] ] # cdi_i += p_idx_i[idx][i] * cidx # assert G.wsum(wis, cis) + Com(ck, 0, roi_i) == cdi_i cdi_i = G.wsum(wis, cis) + Com(ck, 0, roi_i) cdi += [ cdi_i ] ## The challenge x = challenge(list(ck) + cis + Celi + Cai + Cbi + cdi + [ message ]) ## The responses fi = [(elj * x + aj) % o for elj, aj in zip(eli, ai)] zai = [(rj * x + sj) % o for rj, sj in zip(ri, si)] zbi = [(rj * (x - fj) + tj) % o for rj, fj, tj in zip(ri, fi, ti)] zd = r * pow(x, n, o) % o for k in range(n): zd = (zd - roi[k] * pow(x, k, o)) % o proof = (Celi, Cai, Cbi, cdi, fi, zai, zbi, zd) return proof
def mix_operate(message, triplet, setup, generate_return_message=False): ''' Operate a Mix with a received message, and its keys. ''' mname, mpub, msec = triplet elem, forward, backwards = message G, o, g, o_bytes = setup aes = Cipher("AES-128-CTR") # Derive first key k1 = KDF((msec * elem).export()) # Derive the blinding factor b = Bn.from_binary(k1.b) % o new_elem = b * elem # Check the forward MAC mac1 = hmac.new(k1.kmac, forward[20:], digestmod=sha1).digest() if not (forward[:20] == mac1): raise Exception("Wrong MAC1") # Decrypt the payload enc = aes.dec(k1.kenc, k1.iv) pt = enc.update(forward[20:]) pt += enc.finalize() # Parse the forward message xcode = pt[0] if not (xcode == "0" or xcode == "1"): raise Exception("Wrong routing code") pt = pt[1:] if xcode == "0": xfrom, xto, the_bs, new_forw = pt[:4], pt[4:8], pt[8:8+o_bytes], pt[8+o_bytes:] old_bs = Bn.from_binary(the_bs) # Now package the return part k2 = KDF(((msec * old_bs) * elem).export()) enc = aes.enc(k2.kenc, k2.iv) new_back_body = enc.update("1" + xto + xfrom + backwards) new_back_body += enc.finalize() mac2 = hmac.new(k2.kmac, new_back_body, digestmod=sha1).digest() new_back = mac2 + new_back_body if generate_return_message: ret_elem = old_bs * elem ret_forw = new_back ret_back = None return ((xto, xfrom), (ret_elem, ret_forw, ret_back) ) else: xfrom, xto, new_forw = pt[:4], pt[4:8], pt[8:] # Returns do not need to build returns if not (backwards == None): raise Exception("Backwards header should be None") new_back = None return ((xfrom, xto), (new_elem, new_forw, new_back) )
def mix_package(sender, receiver, triplets): ''' Package a message through a mix-net. ''' aes = Cipher("AES-128-CTR") Bs = [] _, ypub, y = sender pubs = [ ypub ] round_trip = triplets + [ receiver ] + list(reversed(triplets)) secrets = [] prod_bs = Bn(1) for i, (mname, mpub, msec) in enumerate(round_trip): xysec2 = (y * prod_bs) * mpub secrets += [ xysec2 ] if __debug__ and msec is not None: xysec1 = (msec * prod_bs) * ypub assert xysec2 == xysec1 # Blinding factor k = KDF(xysec2.export()) b = Bn.from_binary(k.b) % o Bs += [ b ] # y = (b * y) % o prod_bs = (b * prod_bs) % o #ypub = b * ypub pubs += [ prod_bs * ypub ] # Precompute the correction factors correction_factors = [] for i in range(len(triplets)): total_b = Bn(1) for j in range(i, 2 * len(triplets) - i): total_b = (total_b * Bs[j]) % o assert round_trip[i][0] == round_trip[2 * len(triplets) - i][0] assert total_b * pubs[i] == pubs[2 * len(triplets) - i] correction_factors += [ total_b ] all_factors = [] + correction_factors all_factors += [ Bn(1) ] all_factors += [bf.mod_inverse(o) for bf in reversed(correction_factors)] assert len(all_factors) == len(round_trip) # Generate data stream data = [ sender ] + round_trip + [ sender ] addressing = [] for i, _ in enumerate(round_trip): addressing += [(data[1 + i-1][0], data[1 + i+1][0])] # Derive all keys all_data = zip(round_trip, all_factors, pubs, addressing, secrets) all_keys = [] for (mname, mpub, msec), bs, yelem, (xfrom, xto), Ksec in all_data: k1 = KDF(Ksec.export()) k2 = KDF( (bs * Ksec).export()) all_keys += [(k1, k2)] all_data = zip(round_trip, all_factors, pubs, addressing, all_keys) # Build the backwards path prev = '' backwards_stages = [ ] for j in range(len(mix_names) + 1): (mname, mpub, msec), bs, yelem, (xfrom, xto), (k1, k2) = all_data[j] the_bs = bs.mod_inverse(o).binary() enc = aes.enc(k2.kenc, k2.iv) ciphertext = enc.update(xto + xfrom + the_bs + prev) ciphertext += enc.finalize() mac = hmac.new(k2.kmac, ciphertext, digestmod=sha1).digest() prev = mac + ciphertext backwards_stages += [ prev ] # Build the forwards path prev = '' forwards_stages = [] for jp in range(len(mix_names) + 1): j = len(mix_names) - jp (mname, mpub, msec), bs, yelem, (xfrom, xto), (k1, k2) = all_data[j] the_bs = bs.binary() enc = aes.enc(k1.kenc, k1.iv) ciphertext = enc.update(xfrom + xto + the_bs + prev) ciphertext += enc.finalize() mac = hmac.new(k1.kmac, ciphertext, digestmod=sha1).digest() prev = mac + ciphertext forwards_stages += [ prev ] forwards_stages = list(reversed(forwards_stages)) stages = zip(forwards_stages, backwards_stages) # Check all the MACs if __debug__: for j in range(len(mix_names) + 1): (msg_f, msg_b) = stages.pop(0) (mname, mpub, msec), bs, yelem, (xfrom, xto), (k1, k2) = all_data[j] mac1 = hmac.new(k1.kmac, msg_f[20:], digestmod=sha1).digest() assert msg_f[:20] == mac1 enc = aes.dec(k1.kenc, k1.iv) plaintext = enc.update(msg_f[20:]) plaintext += enc.finalize() assert xfrom == plaintext[:4] and xto == plaintext[4:8] mac2 = hmac.new(k2.kmac, msg_b[20:], digestmod=sha1).digest() assert msg_b[:20] == mac2 # End __debug__ return zip(pubs[:len(mix_names) + 1], forwards_stages + [''], [''] + backwards_stages)
def to_challenge(elements): """ Generates a Bn challenge by hashing a number of EC points """ Cstring = b",".join([hexlify(x.export()) for x in elements]) Chash = sha256(Cstring).digest() return Bn.from_binary(Chash)
def _handle_client(self, client_reader, client_writer): global paramsReceived while True: try: # data = (yield from client_reader.readline()).decode("utf-8") startWait = time.time() data = yield from client_reader.readuntil(separator=b'fireintheboof') endWait = time.time() print('IO wait: ', data[0:4], endWait - startWait) cmd = data[0:4] strippedData = data[4:-13] except asyncio.streams.IncompleteReadError: data = None if not data: # an empty string means the client disconnected break # cmd, *args = str(data).rstrip().split(' ') if cmd == 'id': """secrets = [3, 645, 3430, 420] seriSecrets = pickle.dumps(secrets) params = setup() C, r = commit(params, secrets) G = params[0] exportedC = C.export() retval = 'IDCONFIRMED' #client_writer.write("{!r}\n".format(retval).encode("utf-8")) #Interesting asyncio thingy here, if I send the data to the client first, the proof is never correct #THe client completes and sends the proof to the service provider before the SP receives the C from here.""" print(literal_eval(args[0])) print(type(literal_eval(args[0]))) reader_sp, writer_sp = yield from asyncio.streams.open_connection("localhost", 12345, loop = loop) params = BL_setup() LT_idp_state, idp_pub = BL_idp_keys(params) #conv_user_commit = bytes(args[0], "utf8") #user_commit = encdec.decode(conv_user_commit) user_commit = encdec.decode(literal_eval(args[0])) msg_to_user = BL_idp_prep(LT_idp_state, user_commit) elif cmd == b'para': #reader_sp, writer_sp = yield from asyncio.streams.open_connection("localhost", 12345, loop=loop) start = time.time() paramsReceived = True print('Starting...') params = decode(strippedData) G, q, g, h, z, hs = params LT_idp_state, idp_pub = BL_idp_keys(params) #send public key to user and service provider #writer_sp.write(b'ipub' + encode(idp_pub) + b'fireintheboof') client_writer.write(b'mypb' + encode(idp_pub) + b'fireinthepub') elif cmd == b'ucmt': user_commit, C, c, responses, L2, Age = decode(strippedData) rR, rx = responses H = G.hash_to_point(b'service_name') ID = L2 * H Cprime = C - Age * hs[2] Wprime = rR * hs[0] + rx * hs[1] + c * Cprime Wxprime = rx * H + c * ID stuffToHash = (Wprime, Wxprime, C, g, h, z, hs[0], hs[1], hs[2], hs[3], H) cstr = b",".join([hexlify(x.export()) for x in stuffToHash]) chash = sha256(cstr).digest() cprime = Bn.from_binary(chash) if c == cprime: print("success") else: print("no") #generate message to user msg_to_user = BL_idp_prep(LT_idp_state, user_commit) client_writer.write(encode(msg_to_user) + b'fireintheboof') elif cmd == b'prep': msg_to_user2 = BL_idp_validation(LT_idp_state) client_writer.write(encode(msg_to_user2) + b'fireintheboof') elif cmd == b'msgi': msg_to_idp = decode(strippedData) # generate 3rd message to user msg_to_user3 = BL_idp_validation_2(LT_idp_state, msg_to_idp) client_writer.write(encode(msg_to_user3) + b'fireintheboof') end = time.time() finalTime = end - start print('Total time taken: ', finalTime) else: #print("Bad command {!r}".format(data), file=sys.stderr) pass # This enables us to have flow control in our connection. yield from client_writer.drain()
def _handle_client(self, client_reader, client_writer): global count global paramsReceived IOtime = 0 while True: try:#data = (yield from client_reader.readline()).decode("utf-8") startWait = time.time() data = yield from client_reader.readuntil(separator=b'fireintheboof') endWait = time.time() #print('IO wait: ', data[0:4], endWait - startWait) IOtime += endWait-startWait cmd = data[0:4] strippedData = data[4:-13] except asyncio.streams.IncompleteReadError: data = None if not data: # an empty string means the client disconnected break #cmd, *args = str(data).rstrip().split(' ') if cmd == b'buys': retval = "id" client_writer.write("{!r}\n".format(retval).encode("utf-8")) start = time.time() count +=1 id = count print(id, 'Starting...') elif cmd == b'para': params = decode(strippedData) paramsReceived = True elif cmd == b'ipub': idp_pub = decode(strippedData) elif cmd == b'vsig': sig = decode(strippedData) elif cmd == b'vsg2': signature = decode(strippedData) startSigProof = time.time() m = BL_verify_cred(params, idp_pub, 2, sig, signature) endSigProof = time.time() finalSigProof = endSigProof - startSigProof if m != False: print('Signature Correct') else: print('Signature Incorrect') elif cmd == b'page': newStuff = decode(strippedData) c, responses, gam_g, gam_hs, Age, xran = newStuff rrnd, rR, rx = responses #print(gam_hs, Age) (G, q, g, h, z, hs) = params startProof = time.time() H = G.hash_to_point(b'service_name') ID = xran * H zet1 = sig[2] zet1p = zet1 - Age * gam_hs[2] Waprime = rrnd * gam_g + rR * gam_hs[0] + rx * gam_hs[1] + c * zet1p Wxprime = rx * H + c * ID stuffToHash = (gam_g, Waprime, Wxprime, zet1p, gam_hs[0], gam_hs[1], gam_hs[2], H) cstr = b",".join([hexlify(x.export()) for x in stuffToHash]) chash = sha256(cstr).digest() c_prime = Bn.from_binary(chash) if c == c_prime: end = time.time() finalTime = end-start timeList.append(finalTime) print(id, "Age & User match, time: ", finalTime, 'Time for proof: ', end - startProof, 'Sig proof: ', finalSigProof, 'IO time: ', IOtime) else: print("whops") elif cmd == 'Commitment': """params = setup() G = params[0] C = EcPt.from_binary(literal_eval(args[0]), G)""" elif cmd == 'Proof': """c = Bn.from_hex(literal_eval(args[0])) responses1 = pickle.loads(literal_eval(args[1])) params = setup() responses = [] for res in responses1: responses.append(Bn.from_hex(res)) proof = c, responses print(verifyCommitments(params, C, proof))""" # This enables us to have flow control in our connection. yield from client_writer.drain()
for gid in curves: G = EcGroup(gid) gx = G.order().random() * G.generator() rnd = [G.order().random() for _ in range(100)] t0 = time.clock() for r in rnd: dud = r * gx t1 = time.clock() repreats = 1000 t = [] for x in [2, 200]: o = Bn(2) ** x tests = [o.random() for _ in range(repreats)] tx = time.clock() for y in tests: dud = y * gx t += [time.clock() - tx] # print(x, t[-1] / repreats) if abs(t[0] - t[-1]) < 5.0 / 100: const = "CONST" else: const = "NOCONST" timings += [((t1-t0)*1000.0/100.0, gid, const)]
def load_store_list(self, w, d, store_dict): counter = 0 for i in range(d): for j in range(w): contents = store_dict[str(counter)] try: self.store[i][j] = Ct(EcPt.from_binary(binascii.unhexlify(contents['pub']),G), EcPt.from_binary(binascii.unhexlify(contents['a']),G), EcPt.from_binary(binascii.unhexlify(contents['b']),G), Bn.from_hex(contents['k']), Bn.from_hex(contents['m'])) counter += 1 except Exception as e: print "Exception while loading sketch store matrix: " + str(e) traceback.print_exc()
def client(): reader, writer = yield from asyncio.streams.open_connection( '127.0.0.1', 12345, loop=loop)#Service Provider reader2, writer2 = yield from asyncio.streams.open_connection( '127.0.0.1', 7878, loop=loop)#Identity Provider def send(msg, writer): print("> " + str(msg)) writer.write((msg + '\n').encode("utf-8")) print(msg) print(type(msg.encode("utf8"))) def sendBin(data, writer): #print("bin>" + str(data)) writer.write(data + b'fireintheboof') #writer.write_eof() def recv(reader): msgback = (yield from reader.readline()).decode("utf-8").rstrip() #print("< " + msgback) return msgback # send a line #send("buy", writer) sendBin(b'buys', writer) msg = yield from recv(reader) #if repr('id') == msg: if True: startWait = time.time() print("ok i go get ID") #generating, encoding, and sending parameters to both sp and idp params = BL_setup() G, q, g, h, z, hs = params endWait = time.time() sendBin(b'para' + encode(params), writer) sendBin(b'para' + encode(params), writer2) print('Time to generate params: ', endWait-startWait) seri_enc_idp_pub = yield from reader2.readuntil(separator=b'fireinthepub') if seri_enc_idp_pub[0:4] == b'mypb': #idp_pub = tuple(list_enc_idp_pub) idp_pub = decode(seri_enc_idp_pub[4:-12]) sendBin(b'ipub' + encode(idp_pub) + b'fireintheboof', writer) #h = Hmac(b'sha256', b'ServiceProviderID') L2 = q.random() Age = 21 #new #N = params[0].hash_to_point('service_name') #pseudonym = x * N #encode and send user_commit to idp LT_user_state, user_commit = BL_user_setup(params, [L2, Age]) startTimeProof = time.time() C = LT_user_state.C R = LT_user_state.R q = LT_user_state.params[1] H = params[0].hash_to_point(b'service_name') ID = L2 * H wR_id = q.random() wx_id = q.random() Wit = wR_id * hs[0] + wx_id * hs[1] WID_id = wx_id * H print(hs) stuffToHash = (Wit, WID_id, C, g, h, z, hs[0], hs[1], hs[2], hs[3], H) cstr = b",".join([hexlify(x.export()) for x in stuffToHash]) chash = sha256(cstr).digest() c = Bn.from_binary(chash) rR_id = wR_id - c * R rx_id = wx_id - c * L2 endTimeProof = time.time() print('Proof took: ', endTimeProof - startTimeProof) responses = (rR_id, rx_id) values = (user_commit, C, c, responses, L2, Age) sendBin(b'ucmt' + encode(values), writer2) msg2 = yield from reader2.readuntil(separator=b'fireintheboof') msg_to_user = decode(msg2[:-13]) BL_user_prep(LT_user_state, msg_to_user) #request idp's pubkey #sendBin(b'pubk', writer2) #inform idp Im prepped and ready to go sendBin(b'prep', writer2) msg3 = yield from reader2.readuntil(separator=b'fireintheboof') msg_to_user2 = decode(msg3[:-13]) #generate msg to idp msg_to_idp = BL_user_validation(LT_user_state, idp_pub, msg_to_user2) #encode, serialise, and send msg to idp sendBin(b'msgi' + encode(msg_to_idp), writer2) #receive last message from idp, generate signature msg4 = yield from reader2.readuntil(separator=b'fireintheboof') msg_to_user3 = decode(msg4[:-13]) sig = BL_user_validation_2(LT_user_state, msg_to_user3) sendBin(b'vsig' + encode(sig) + b'fireintheboof', writer) print('idppub: ', idp_pub) signature_gamhs = BL_user_prove_cred(LT_user_state) signature = signature_gamhs[0] gam_hs = signature_gamhs[1] gam_g = signature_gamhs[2] sendBin(b'vsg2' + encode(signature) + b'fireintheboof', writer) zet1p = LT_user_state.zet1 - Age * gam_hs[2] newStuff = (gam_hs, Age) #prove age #get variabels rnd = LT_user_state.rnd R = LT_user_state.R q = LT_user_state.params[1] wrnd = q.random() wR = q.random() wx = q.random() Wzet1p = wrnd * gam_g + wR * gam_hs[0] + wx * gam_hs[1] #remember to get gam_g WID = wx * params[0].hash_to_point(b'service_name') stuffToHash = (gam_g, Wzet1p, WID, zet1p, gam_hs[0], gam_hs[1], gam_hs[2], H) cstr = b",".join([hexlify(x.export()) for x in stuffToHash]) chash = sha256(cstr).digest() c = Bn.from_binary(chash) rrnd = wrnd - c*rnd rR = wR - c*R rx = wx - c*L2 responses = (rrnd, rR, rx) newStuff = (c, responses, gam_g, gam_hs, Age, L2) """Wprime = rrnd * gam_g + rR * gam_hs[0] + rx * gam_hs[1] + c * zet1p print(Wzet1p) print(Wprime)""" sendBin(b'page' + encode(newStuff) + b'fireintheboof', writer) #Close the connections to get rid of IncompleteReadError cmd = "asd" #cmd, *args = msg2.rstrip().split(' ') if repr('IDCONFIRMED') == cmd: #for encryption """key = keyGen() print(repr(key)) ciphertext = encrypt_AES(key, "HAUHEUheuahehaeuhUAEHUHEAUh") serialisedCiphertext = pickle.dumps(ciphertext) send(('key ' + repr(key)) + " " + repr(serialisedCiphertext), writer)""" """params = setup() G = params[0] C = EcPt.from_binary(literal_eval(args[0]), G) r = Bn.from_binary(literal_eval(args[1])) secrets = pickle.loads(literal_eval(args[2])) proof = proveCommitment(params, C, r, secrets) c, responses = proof #Here is where I send the proof to the service provider seriRes = pickle.dumps(responses) send('Proof ' + repr(c) + " " + repr(seriRes), writer) print("the end")""" end = time.time() print("Time: ", end-start) writer.close() writer2.close()