def Verify(self, eq, X, Y, C, pi2_v1, pi2_w1, pi1_v2, pi1_w2):
#print("Verify")
if self.CheckEqFormat(eq, X, Y, C) == 0:
print("Verify: Error - eqformat")
return 0
for i in range(2):
if type(pi2_v1[i]) != G2Elem:
print("Verify: Error - pi2v1 type")
return 0
if type(pi2_w1[i]) != G2Elem:
print("Verify: Error - pi2w1 type")
return 0
if type(pi1_v2[i]) != G1Elem:
print("Verify: Error - pi1v2 type")
return 0
if type(pi1_w2[i]) != G1Elem:
print("Verify: Error - pi1w2 type")
return 0
res_eq = [GTElem.one(self.G), GTElem.one(self.G)]
#count_exp_g1 = 0
#pairing = -1
#count_add_gt = -1
for i in range(len(X)):
for j in range(len(Y)):
cij = C[i][j]
xi = X[i]["value"]
yj = Y[j]["value"]
if cij != 0:
for vec in range(2):
res_eq[vec] = res_eq[vec] * self.e(
cij * xi[vec], yj[vec])
#count_exp_g1 += 1
#count_add_gt += 1
#pairing += 1
res_proof = [GTElem.one(self.G), GTElem.one(self.G)]
for vec in range(2):
res_proof[vec] = res_proof[vec] * self.e(self.v1[vec], pi2_v1[vec])
res_proof[vec] = res_proof[vec] * self.e(self.w1[vec], pi2_w1[vec])
res_proof[vec] = res_proof[vec] * self.e(pi1_v2[vec], self.v2[vec])
res_proof[vec] = res_proof[vec] * self.e(pi1_w2[vec], self.w2[vec])
#count_add_gt += 4
#pairing += 4
#print("Exp G1", count_exp_g1)
#print("Add GT", count_add_gt)
#print("Pairing", pairing)
res = 1
for vec in range(2):
if res_eq[vec] != res_proof[vec]:
print("Verify: Equation", vec, "does not verify")
res = 0
return res
def verifyEq(self, eq, x, b, a, y, c, t):
#print("verifyEq")
if eq in ["PPE", "PN1", "PC1", "PN2", "PC2"]:
#print("eq in [\"PPE\", \"PN1\", \"PC1\", \"PN2\", \"PC2\"]")
T = GTElem.zero(self.G)
for i in range(min(len(x), len(b))):
T = T * self.e(x[i]["value"], b[i]["value"])
for j in range(min(len(a), len(y))):
T = T * self.e(a[j]["value"], y[j]["value"])
for i in range(len(c)):
for j in range(len(c[i])):
T = T * self.e(c[i][j] * x[i]["value"], y[j]["value"])
return T.eq(t)
else:
#print("eq NOT in [\"PPE\", \"PN1\", \"PC1\", \"PN2\", \"PC2\"]")
T = Bn(0)
if eq in ["ME1", "MN1", "MC1", "ML1"]:
T = G1Elem.inf(self.G)
elif eq in ["ME2", "MN2", "MC2", "ML2"]:
T = G2Elem.inf(self.G)
elif eq not in ["QE", "QC1", "QC2"]:
print("eq error", eq)
return 0
for i in range(min(len(x), len(b))):
T += x[i]["value"] * b[i]["value"]
for j in range(min(len(a), len(y))):
T += a[j]["value"] * y[j]["value"]
for i in range(len(c)):
for j in range(len(c[i])):
if c[i][j] != 0:
T += c[i][j] * x[i]["value"] * y[j]["value"]
return T.eq(t)
def Calc_PPE(self, x1, b2, a1, y2, c, t):
n = len(x1)
m = len(y2)
if len(b2) != n or len(a1) != m or len(c) != n * m or len(t) != 1:
return 0
Bt = GTElem.one(self.G)
for i in range(m):
Bt = Bt * self.e(x1[i], b2[i])
At = GTElem.one(self.G)
for j in range(n):
At = At * self.e(a1[j], y2[j])
Ct = GTElem.one(self.G)
for i in range(n):
for j in range(m):
Ct = Ct * self.e(c[i][j] * x1[i], y2[j])
validate = 0
if At * Bt * Ct == t:
validate = 1
return At * Bt * Ct, t, validate
def CheckEqResult(self, eq, T):
#print("CheckEqResult")
if eq in ["PPE", "PN1", "PC1", "PN2", "PC2"]:
if T != GTElem.zero(self.G):
return 0
elif eq in ["ME1", "MN1", "MC1", "ML1"]:
if T != G1Elem.inf(self.G):
return 0
elif eq in ["ME2", "MN2", "MC2", "ML2"]:
if T != G2Elem.inf(self.G):
return 0
elif eq in ["QE", "QC1", "QC2"]:
if T != Bn(0):
return 0
return 1
def proof_sigi(gsp, X, Y, M):
"""" creates GS proof that a USPS signature verifies
with the verifying key, the signature and the first message secret"""
res = []
A = []
B = []
C = []
counter_i = len(X) - len(M) - 2
counter_j = len(Y) - len(M) - 2
for i in range(len(X)):
row = []
for j in range(len(Y)):
var = Bn(0)
if i == counter_i and j == counter_j:
var = Bn(1)
counter_i += 1
counter_j += 1
row.append(var)
C.append(row)
success, result = gsp.Prove_aggreg("PPE", X, B, A, Y, C,
GTElem.zero(gsp.G))
verify = 0
if success:
eq_type, X, Y, C, T_eq, pi2_v1, pi2_w1, pi1_v2, pi1_w2 = result
#verify = gsp.Verify(eq_type, X, Y, C, pi2_v1, pi2_w1, pi1_v2, pi1_w2)
#if verify:
res = [C, [pi2_v1, pi2_w1, pi1_v2, pi1_w2]]
#print("Do we successfully create a proof?", success)
#print("Does the proof successfully verify?", verify)
b = challenge(result)
for i in range(len(res[0])):
for j in range(len(res[0][0])):
if res[0][i][j] != 0:
res[0][i][j] = b * res[0][i][j]
for i in range(len(res[1])):
for j in range(len(res[1][i])):
res[1][i][j] = b * res[1][i][j]
#verify = gsp.Verify("PPE", X, Y, res[0], res[1][0], res[1][1], res[1][2], res[1][3])
#print("Does the (aggregate) proof verify?", verify)
return res
def proof_usps_hidesigandsigner(gsp, pk, M, sig):
"""" creates GS proof that a USPS signature verifies
with the verifying key, the signature and the first message secret"""
params = gsp.P
gz, gr = pk[0], pk[1]
pki = pk[2:]
X = [sig[0], sig[1]]
B = []
A = []
Y = [gz, gr]
for i in range(len(M)):
X.append(M[i])
Y.append(pki[i])
C = []
for i in range(len(X)):
row = []
for j in range(len(Y)):
var = Bn(0)
if i == j:
var = Bn(1)
row.append(var)
C.append(row)
success, res = gsp.Prove_eq("PPE", X, B, A, Y, C, GTElem.zero(gsp.G))
verify = 0
if success:
eq_type, X1, Y1, C1, T_eq, pi2_v1, pi2_w1, pi1_v2, pi1_w2 = res
verify = gsp.Verify(eq_type, X1, Y1, C1, pi2_v1, pi2_w1, pi1_v2,
pi1_w2)
if verify:
res = [[pi2_v1, pi2_w1, pi1_v2, pi1_w2],
[eq_type, X1, Y1, C1, T_eq]]
print("Do we successfully create a proof?", success)
print("Does the proof successfully verify?", verify)
return verify, res
def verify(self, params, pk, m, sig):
"""
Verifies a signature on messages m
e(z, g_z) e(r, g_r) Pi e(M_i, g_i) == e(g1, g2)
"""
#print("SPS: Verify")
(o, G, g1, g2, e) = params
s0, s1 = sig
if (s0 == G1Elem.inf(G) and s1 == G1Elem.inf(G)):
print("USPS: Verify --- Error: signature null")
print("SPS: Verify", 0)
return 0
M = []
for i in range(len(m)):
if type(m[i]) == G1Elem:
M.append(m[i])
elif type(m[i]) == bytes:
M.append(G.hashG1(m[i]))
else:
print("Error: type message")
return -1
ctr = 0
for i in range(len(M)):
if M[i] == G1Elem.inf(G):
ctr += 1
if ctr == len(M):
print("USPS: Verify --- Error: message null")
print("SPS: Verify", 0)
return 0
gz, gr = pk[0], pk[1]
pki = pk[2:]
res = e(s0, gz) * e(s1, gr)
for i in range(len(M)):
res = res * e(M[i], pki[i])
return res.eq(GTElem.one(G))
def test_ppe_wrongformat():
GS = GSProof()
ck, xk, P = GS.ExtGen()
order, G, u1, v1, w1, u2, v2, w2 = ck
x = []
y = []
a = []
b = []
for xtype in GS.eqs["PPE"][1]:
for ytype in GS.eqs["PPE"][2]:
x1 = order.random() * GS.g1
y2 = order.random() * GS.g2
x.append({"type": "pub", "value": x1})
a.append({"type": ytype, "value": x1})
y.append({"type": ytype, "value": y2})
b.append({"type": "pub", "value": y2})
c = []
for i in range(len(x)):
row = []
for j in range(len(y)):
if i == j:
row.append(Bn(-2))
else:
row.append(0)
c.append(row)
t = GTElem.zero(G)
try:
success, res = GS.CommitProof_eq("PPE", x, b, a, y, c, t)
except Exception as e:
print(e)
else:
assert success == 0
def proof_bsps_hidemandsig(gsp, pk, M1, M2, t, sig):
""" create GS proof that sig verifies with the signature and all but the first message secret """
params = gsp.P
U, W, V, Z = pk
R, S, T = sig
res = []
#print("----- first equation")
x1 = [gsp.Commit({"group": 1, "type": "bas", "value": gsp.g1}), R, S]
b1 = []
a1 = []
y1 = [Z, V, gsp.Commit({"group": 2, "type": "bas", "value": gsp.g2})]
#res1 = e(R,V) * e(S,g2)
#res1.eq(e(g1,Z))
for i in range(len(W)):
x1.append(M1[i])
y1.append(W[i])
#res1 = res1 * e(m1[i],W[i])
c1 = []
for i in range(len(x1)):
row = []
for j in range(len(y1)):
c = Bn(0)
if i == j:
c = Bn(1)
if i == 0:
c = Bn(-1)
if i == 3:
if type(t) == int:
t = Bn(t)
c = t
row.append(c)
c1.append(row)
success1, res1 = gsp.Prove_eq("PPE", x1, b1, a1, y1, c1,
GTElem.zero(gsp.G))
verify1 = 0
if success1:
eq_type, X1, Y1, C1, T_eq, pi2_v1, pi2_w1, pi1_v2, pi1_w2 = res1
verify1 = gsp.Verify(eq_type, X1, Y1, C1, pi2_v1, pi2_w1, pi1_v2,
pi1_w2)
if verify1:
res1 = [[pi2_v1, pi2_w1, pi1_v2, pi1_w2],
[eq_type, X1, Y1, C1, T_eq]]
res.append(res1)
#print("Do we successfully create a first proof?", success1)
#print("Does the first proof successfully verify?", verify1)
#print("----- second equation")
x2 = [gsp.Commit({"group": 1, "type": "bas", "value": gsp.g1}), R]
b2 = []
a2 = []
y2 = [gsp.Commit({"group": 2, "type": "bas", "value": gsp.g2}), T]
#res2 = e(R,T)
#res2.eq(e(g1,g2))
for j in range(len(U)):
x2.append(U[j])
y2.append(M2[j])
#res2 = res2 * e(U[j],m2[j])
c2 = []
for i in range(len(x2)):
row = []
for j in range(len(y2)):
c = Bn(0)
if i == j:
c = Bn(1)
if (i == 0):
c = Bn(-1)
row.append(c)
c2.append(row)
success2, res2 = gsp.Prove_eq("PPE", x2, b2, a2, y2, c2,
GTElem.zero(gsp.G))
verify2 = 0
if success2:
eq_type, X2, Y2, C2, T_eq, pi2_v1, pi2_w1, pi1_v2, pi1_w2 = res2
verify2 = gsp.Verify(eq_type, X2, Y2, C2, pi2_v1, pi2_w1, pi1_v2,
pi1_w2)
if verify2:
res2 = [[pi2_v1, pi2_w1, pi1_v2, pi1_w2],
[eq_type, X2, Y2, C2, T_eq]]
res.append(res2)
#print("Do we successfully create a second proof?", success2)
#print("Does the second proof successfully verify?", verify2)
print("Are all the proofs successfull created?", success1 * success2)
print("Do all the proofs verify?", verify1 * verify2)
return verify1 * verify2, res
def get_infT(gk):
return GTElem.one(gk.G)
def proof_usps_hidesigandsigner(self,
M=[
b"Hello World!", b"Hello me!",
b"Hello us!"
]):
"""" creates GS proof that sig verifies with pk, signature and first message secret"""
#print("SPS: Prove")
self.ExtGen()
params = (self.G, self.order, self.g1, self.g2, self.e)
sps = USPS()
sk, pk = sps.keygen(params)
gz, gr, pki = pk
m = []
for i in range(len(M)):
if type(M[i]) == bytes:
m.append(self.G.hashG1(M[i]))
elif type(M[i]) == G1Elem:
m.append(M[i])
else:
return 0, []
if len(m) < sps.n:
for i in range(sps.nb_msg - len(m)):
m.append(G1Elem.inf(self.G))
elif sps.nb_msg < len(m):
return
sig = sps.sign(params, sk, m)
if sps.verify(params, pk, m, sig) == 0:
print("Signature does not verify")
return
print(len(m))
X = [{
"type": "com",
"value": sig[0]
}, {
"type": "com",
"value": sig[1]
}]
B = [{
"type": "pub",
"value": G2Elem.inf(self.G)
}, {
"type": "pub",
"value": G2Elem.inf(self.G)
}]
A = [{
"type": "pub",
"value": G1Elem.inf(self.G)
}, {
"type": "pub",
"value": G1Elem.inf(self.G)
}]
Y = [{"type": "com", "value": gz}, {"type": "com", "value": gr}]
for i in range(len(m)):
if i == 0:
X.append({"type": "pub", "value": m[i]})
else:
X.append({"type": "com", "value": m[i]})
B.append({"type": "pub", "value": G2Elem.inf(self.G)})
for j in range(len(pki)):
Y.append({"type": "com", "value": pki[j]})
A.append({"type": "pub", "value": G1Elem.inf(self.G)})
C = []
for i in range(len(X)):
row = []
for j in range(len(Y)):
var = Bn(0)
if i == j:
var = Bn(1)
row.append(var)
C.append(row)
print(C)
success, res = self.CommitProof_eq("PPE", X, B, A, Y, C,
GTElem.zero(self.G))
verify = 0
if success:
eq_type, X1, Y1, C1, T_eq, pi2_v1_ap, pi2_w1_ap, pi1_v2_ap, pi1_w2_ap = res
pi2_v1, pi2_w1, pi1_v2, pi1_w2 = self.Randomize(
eq_type, pi2_v1_ap, pi2_w1_ap, pi1_v2_ap, pi1_w2_ap)
verify = self.Verify(eq_type, X1, Y1, C1, pi2_v1, pi2_w1, pi1_v2,
pi1_w2)
if verify:
res = [[pi2_v1, pi2_w1, pi1_v2, pi1_w2],
[eq_type, X1, Y1, C1, T_eq]]
print(success, verify)
print()
return verify, res
def test_all():
GS = GSProof()
ck, xk, P = GS.ExtGen()
order, G, u1, v1, w1, u2, v2, w2 = ck
for eq_type in GS.eqs.keys():
print("=============================== ", eq_type)
x = []
y = []
a = []
b = []
for xtype in GS.eqs[eq_type][1]:
for ytype in GS.eqs[eq_type][2]:
if eq_type != "PPE" or (eq_type == "PPE"
and xtype not in ["pub", "enc"]
and ytype not in ["pub", "enc"]):
rand1 = order.random()
x1 = rand1 * GS.g1
if xtype in ["bas"]:
rand1 = 1
x1 = GS.g1
if xtype in ["sca"]:
x1 = rand1
elif xtype in ["unt"]:
x1 = 1
rand2 = order.random()
y2 = rand2 * GS.g2
if ytype in ["bas"]:
rand2 = 1
y2 = GS.g2
if ytype in ["sca"]:
y2 = rand2
elif ytype in ["unt"]:
y2 = 1
#print(xtype, rand1, x1)
#print(ytype, rand2, y2)
x.append({"type": xtype, "value": x1})
a.append({"type": xtype, "value": x1})
y.append({"type": ytype, "value": y2})
b.append({"type": ytype, "value": y2})
c = []
for i in range(len(x)):
row = []
for j in range(len(y)):
if i == j:
row.append(Bn(-2))
else:
row.append(Bn(0))
c.append(row)
t = GTElem.zero(G)
if eq_type in ["ME1", "MN1", "MC1", "ML1"]:
t = G1Elem.inf(G)
if eq_type in ["ME2", "MN2", "MC2", "ML2"]:
t = G2Elem.inf(G)
if eq_type in ["QE", "QC1", "QC2"]:
t = 0
try:
success, res = GS.CommitProof_eq(eq_type, x, b, a, y, c, t)
print("success ?", success)
except Exception as e:
print(e)
else:
if success:
eq, X, Y, C, T, pi2_v1, pi2_w1, pi1_v2, pi1_w2 = res
print(
"verify ?",
GS.Verify(eq_type, X, Y, C, pi2_v1, pi2_w1, pi1_v2,
pi1_w2))
assert (GS.Verify(eq_type, X, Y, C, pi2_v1, pi2_w1, pi1_v2,
pi1_w2))
def proof_bsps_hidemandsig(
self,
M1=[b"Hello World!", b"Hello me!", b"Hello us!"],
M2=[b"Hello you!"]):
""" create GS proof that sig verifies with the signature and all but the first message secret """
params = (self.G, self.order, self.g1, self.g2, self.e)
sps = BSPS()
sk, pk = sps.keygen(params)
u, w, v, z = sk
U, W, V, Z = pk
m1 = []
for i in range(len(M1)):
if type(M1[i]) == bytes:
m1.append(self.G.hashG1(M1[i]))
elif type(M1[i]) == G1Elem:
m1.append(M1[i])
else:
return 0, []
m2 = []
for j in range(len(M2)):
if type(M2[j]) == bytes:
m2.append(
Bn.from_binary(M2[j]).mod_add(Bn(0), self.order) * self.g2)
elif type(M2[j]) == G2Elem:
m2.append(M2[j])
else:
return 0, []
if len(m1) < sps.msg_g1:
for i in range(sps.msg_g1 - len(m1)):
m1.append(G1Elem.inf(self.G))
elif sps.msg_g1 < len(m1):
return 0, []
if len(m2) < sps.msg_g2:
for i in range(sps.msg_g2 - len(m2)):
m2.append(G2Elem.inf(self.G))
elif sps.msg_g2 < len(m2):
return 0, []
res = []
R, S, T = sps.sign(params, sk, m1, m2)
print("signature verifies?", sps.verify(params, pk, m1, m2, (R, S, T)))
print("first equation")
x1 = [{
"type": "com",
"value": R
}, {
"type": "com",
"value": S
}, {
"type": "bas",
"value": self.g1
}]
b1 = [{
"type": "pub",
"value": V
}, {
"type": "bas",
"value": self.g2
}, {
"type": "pub",
"value": Z * Bn(-1)
}]
a1 = []
y1 = []
#res1 = e(R,V) * e(S,g2)
#res1.eq(e(g1,Z))
for i in range(len(m1)):
if i == 0:
x1.append({"type": "pub", "value": m1[i]})
b1.append({"type": "bas", "value": W[i]})
else:
x1.append({"type": "com", "value": m1[i]})
b1.append({"type": "pub", "value": W[i]})
#res1 = res1 * e(m1[i],W[i])
c1 = []
for i in range(len(x1)):
row = []
for j in range(len(y1)):
c = Bn(0)
row.append(c)
c1.append(row)
print(c1)
success1, res1 = self.CommitProof_eq("PPE", x1, b1, a1, y1, c1,
GTElem.zero(self.G))
verify1 = 0
if success1:
eq_type, X1, Y1, C1, T_eq, pi2_v1_ap, pi2_w1_ap, pi1_v2_ap, pi1_w2_ap = res1
pi2_v1, pi2_w1, pi1_v2, pi1_w2 = self.Randomize(
eq_type, pi2_v1_ap, pi2_w1_ap, pi1_v2_ap, pi1_w2_ap)
verify1 = self.Verify(eq_type, X1, Y1, C1, pi2_v1, pi2_w1, pi1_v2,
pi1_w2)
if verify1:
res1 = [[pi2_v1, pi2_w1, pi1_v2, pi1_w2],
[eq_type, X1, Y1, C1, T_eq]]
res.append(res1)
print(success1, verify1)
print()
print("second equation")
x2 = [{"type": "com", "value": R}, {"type": "bas", "value": self.g1}]
b2 = [{
"type": "pub",
"value": G2Elem.inf(self.G)
}, {
"type": "pub",
"value": G2Elem.inf(self.G)
}]
a2 = [{
"type": "pub",
"value": G1Elem.inf(self.G)
}, {
"type": "pub",
"value": G1Elem.inf(self.G)
}]
y2 = [{"type": "com", "value": T}, {"type": "bas", "value": self.g2}]
#res2 = e(R,T)
#res2.eq(e(g1,g2))
for j in range(len(m2)):
a2.append({"type": "pub", "value": U[j]})
y2.append({"type": "com", "value": m2[j]})
#res2 = res2 * e(U[j],m2[j])
c2 = []
for i in range(len(x2)):
row = []
for j in range(len(y2)):
c = Bn(0)
if (i == 0 and j == 0):
c = Bn(1)
if (i == 1 and j == 1):
c = Bn(-1)
row.append(c)
c2.append(row)
print(c2)
success2, res2 = self.CommitProof_eq("PPE", x2, b2, a2, y2, c2,
GTElem.zero(self.G))
verify2 = 0
if success2:
eq_type, X2, Y2, C2, T_eq, pi2_v1_ap, pi2_w1_ap, pi1_v2_ap, pi1_w2_ap = res2
pi2_v1, pi2_w1, pi1_v2, pi1_w2 = self.Randomize(
eq_type, pi2_v1_ap, pi2_w1_ap, pi1_v2_ap, pi1_w2_ap)
verify2 = self.Verify(eq_type, X2, Y2, C2, pi2_v1, pi2_w1, pi1_v2,
pi1_w2)
if verify2:
res2 = [[pi2_v1, pi2_w1, pi1_v2, pi1_w2],
[eq_type, X2, Y2, C2, T_eq]]
res.append(res2)
print(success2, verify2)
print()
print("success?", success1, success2)
print("verify?", verify1, verify2)
return verify1 * verify2, res
def proof_sigi0(gsp, X, Y, M1, M2, t):
""" create GS proof that sig verifies with the signature and all but the first message secret """
res = []
#print("----- first equation")
#res1 = e(R,V) * e(S,g2)* e(g1,Z)^-1 * Sum[] e(m1[i],W[i]) ]
res1 = []
B1 = []
A1 = []
C1 = []
for i in range(len(X)):
row = []
for j in range(len(Y)):
c = Bn(0)
row.append(c)
C1.append(row)
C1[0][1] = Bn(-1) # e(g1,Z)^-1
C1[2 + len(M2)][2] = Bn(1) # e(R,V)
C1[3 + len(M2)][0] = Bn(1) # e(S,g2)
C1[0][3] = t # e(g1^t,W0)
C1[1 + len(M2)][4] = Bn(1) # e(h_i,W1)
success1, result1 = gsp.Prove_aggreg("PPE", X, B1, A1, Y, C1,
GTElem.zero(gsp.G))
verify1 = 0
if success1:
eq_type, X1, Y1, C1, T_eq, pi2_v1, pi2_w1, pi1_v2, pi1_w2 = result1
#verify1 = gsp.Verify(eq_type, X1, Y1, C1, pi2_v1, pi2_w1, pi1_v2, pi1_w2)
#if verify1:
res1 = [C1, [pi2_v1, pi2_w1, pi1_v2, pi1_w2]]
res.append(res1)
#print("Do we successfully create a first proof?", success1)
#print("Does the first proof successfully verify?", verify1)
#print("----- second equation")
#res2 = e(R,T) * e(g1,g2)^-1 * Sum [e(U[j],m2[j])]
res2 = []
B2 = []
A2 = []
C2 = []
for i in range(len(X)):
row = []
for j in range(len(Y)):
c = Bn(0)
row.append(c)
C2.append(row)
C2[0][0] = Bn(-1) # e(g1,g2)^-1
C2[2 + len(M2)][5] = Bn(1) # e(R,T)
for i in range(len(M2)):
C2[1 + i][len(Y) - len(M2) + i] = Bn(1) # e(U, M2)
success2, result2 = gsp.Prove_aggreg("PPE", X, B2, A2, Y, C2,
GTElem.zero(gsp.G))
verify2 = 0
if success2:
eq_type, X2, Y2, C2, T_eq, pi2_v1, pi2_w1, pi1_v2, pi1_w2 = result2
#verify2 = gsp.Verify(eq_type, X2, Y2, C2, pi2_v1, pi2_w1, pi1_v2, pi1_w2)
#if verify2:
res2 = [C2, [pi2_v1, pi2_w1, pi1_v2, pi1_w2]]
res.append(res2)
#print("Do we successfully create a second proof?", success2)
#print("Does the second proof successfully verify?", verify2)
#print("Are all the proofs successfull created?", success1*success2)
#print("Do all the proofs verify?", verify1*verify2)
b1 = challenge(result1)
b2 = challenge(result2)
C = []
for i in range(len(C1)):
row = []
for j in range(len(C1[0])):
cij = Bn(0)
if C1[i][j] != 0:
cij += b1 * C1[i][j]
if C2[i][j] != 0:
cij += b2 * C2[i][j]
row.append(cij)
C.append(row)
pi = []
for i in range(len(res1[1])):
pi_i = []
for j in range(len(res1[1][0])):
pi_ij = b1 * res1[1][i][j] + b2 * res2[1][i][j]
pi_i.append(pi_ij)
pi.append(pi_i)
#verify = gsp.Verify("PPE", X, Y, C, pi[0], pi[1], pi[2], pi[3])
#print("Does the (aggregate) proof verify?", verify)
return C, pi, res
def prepare_proofs(auth, vkI, pki, pkv, m, sig_t, t, pk_ui, pk_uv, sku, cipher,
ek, r):
#print("Prepare aggregated proofs")
#print("Prepare proof: Commit")
#import time
#t_start = time.time()
U, W, V, Z = vkI
cm_U = []
for i in range(len(U)):
cm_U.append(auth.GS.Commit({"group": 1, "type": "pub", "value": U[i]}))
cm_W = []
for i in range(len(W)):
cm_W.append(auth.GS.Commit({"group": 2, "type": "pub", "value": W[i]}))
cm_V = auth.GS.Commit({"group": 2, "type": "pub", "value": V})
cm_Z = auth.GS.Commit({"group": 2, "type": "pub", "value": Z})
cm_vkI = [cm_U, cm_W, cm_V, cm_Z]
h_i, vk_i, sig0_i = pki
cm_h_i = auth.GS.Commit({"group": 1, "type": "com", "value": h_i})
cm_vk_i = []
for i in range(len(vk_i)):
cm_vk_i.append(
auth.GS.Commit({
"group": 2,
"type": "com",
"value": vk_i[i]
}))
cm_sig0_i = []
cm_sig0_i.append(
auth.GS.Commit({
"group": 1,
"type": "com",
"value": sig0_i[0]
}))
cm_sig0_i.append(
auth.GS.Commit({
"group": 1,
"type": "enc",
"value": sig0_i[1]
}))
cm_sig0_i.append(
auth.GS.Commit({
"group": 2,
"type": "enc",
"value": sig0_i[2]
}))
h_v, vk_v, sig0_v = pkv
cm_h_v = auth.GS.Commit({"group": 1, "type": "pub", "value": h_v})
cm_m = []
for i in range(len(m)):
cm_m.append(auth.GS.Commit({"group": 1, "type": "pub", "value": m[i]}))
for i in range(len(cm_vk_i) - 1 - 2 - len(cm_m)):
cm_m.append(
auth.GS.Commit({
"group": 1,
"type": "pub",
"value": G1Elem.inf(auth.GS.G)
}))
sig_i, c_it = sig_t
cm_sig_i = []
for i in range(len(sig_i)):
cm_sig_i.append(
auth.GS.Commit({
"group": 1,
"type": "enc",
"value": sig_i[i]
}))
_, sigt_i = c_it
cm_sigt_i = []
cm_sigt_i.append(
auth.GS.Commit({
"group": 1,
"type": "com",
"value": sigt_i[0]
}))
cm_sigt_i.append(
auth.GS.Commit({
"group": 1,
"type": "enc",
"value": sigt_i[1]
}))
cm_sigt_i.append(
auth.GS.Commit({
"group": 2,
"type": "enc",
"value": sigt_i[2]
}))
#t: used as public scalar constraint (gamma_ij)
cm_pk_ui = auth.GS.Commit({"group": 1, "type": "com", "value": pk_ui})
cm_pk_uv = auth.GS.Commit({"group": 1, "type": "pub", "value": pk_uv})
cm_sku = auth.GS.Commit({"group": 2, "type": "sca", "value": sku})
cm_cipher = []
for i in range(len(cipher)):
cm_cipher.append(
auth.GS.Commit({
"group": 1,
"type": "pub",
"value": cipher[i]
}))
cm_r = r
cm_r[0] = auth.GS.Commit({"group": 2, "type": "sca", "value": r[0]})
cm_ek = []
for i in range(len(ek)):
cm_ek.append(
auth.GS.Commit({
"group": 1,
"type": "pub",
"value": ek[i]
}))
cm_da = auth.GS.Commit({
"group": 1,
"type": "pub",
"value": auth.ek[1] * r[1]
})
cm_params_enc = []
cm_params_enc.append(
auth.GS.Commit({
"group": 1,
"type": "pub",
"value": auth.GS.v1[0]
}))
cm_params_enc.append(
auth.GS.Commit({
"group": 1,
"type": "pub",
"value": auth.GS.v1[1]
}))
cm_g1 = auth.GS.Commit({"group": 1, "type": "bas", "value": auth.GS.g1})
cm_g2 = auth.GS.Commit({"group": 2, "type": "bas", "value": auth.GS.g2})
cm_1 = auth.GS.Commit({"group": 2, "type": "unt", "value": 1})
#t_commit = time.time()
#print("--- Commitment time:", t_commit - t_start)
x_ppe = [cm_g1]
x_ppe.extend(cm_vkI[0])
x_ppe.append(cm_h_i)
x_ppe.extend([cm_sig0_i[0], cm_sig0_i[1]])
x_ppe.extend([cm_sigt_i[0], cm_sigt_i[1]])
x_ppe.extend(cm_sig_i)
x_ppe.append(cm_pk_ui)
x_ppe.extend(cm_m)
#print("\nx_ppe", len(x_ppe), x_ppe)
y_ppe = [cm_g2]
y_ppe.append(cm_vkI[3])
y_ppe.append(cm_vkI[2])
y_ppe.extend(cm_vkI[1])
y_ppe.append(cm_sig0_i[2])
y_ppe.append(cm_sigt_i[2])
y_ppe.extend(cm_vk_i)
#print("\ny_ppe", len(y_ppe), y_ppe)
x_me1 = []
x_me1.extend(cm_params_enc)
x_me1.extend(cm_ek)
x_me1.append(cm_h_v)
x_me1.append(cm_pk_uv)
x_me1.append(cm_h_i)
x_me1.append(cm_pk_ui)
x_me1.append(cm_da)
x_me1.extend(cm_cipher)
#print("\nx_me1", len(x_me1), x_me1)
y_me1 = [cm_1, cm_sku, cm_r[0]]
#print("\ny_me1", len(y_me1), y_me1)
#print("Prepare proof: Prove")
#t_prove = time.time()
#print("--- sigi proof")
cm_msg = [cm_pk_ui]
cm_msg.extend(cm_m)
for i in range(len(cm_vk_i) - 2 - len(cm_msg)):
cm_msg.append(
auth.GS.Commit({
"group": 1,
"type": "pub",
"value": G1Elem.inf(auth.GS.G)
}))
C_sigi, pi_sigi = proof_sigi(auth.GS, x_ppe, y_ppe, cm_msg)
cm_msg1 = [cm_g1, cm_h_i]
cm_msg2 = cm_vk_i
#print("--- sigi0 proof")
C_sigi0, pi_sigi0, _ = proof_sigi0(auth.GS, x_ppe, y_ppe, cm_msg1, cm_msg2,
Bn(0))
#print("--- sigit proof")
C_sigit, pi_sigit, _ = proof_sigit(auth.GS, x_ppe, y_ppe, cm_msg1, cm_msg2,
t)
#print("--- Aggregate PPE proofs")
c_ppe = []
for i in range(len(C_sigi)):
row = []
for j in range(len(C_sigi[i])):
cij = C_sigi[i][j] + C_sigit[i][j] + C_sigi0[i][j]
row.append(cij)
c_ppe.append(row)
pi_ppe = []
for i in range(len(pi_sigi)):
pi_i = []
for j in range(len(pi_sigi[i])):
pi_ij = pi_sigi[i][j] + pi_sigit[i][j] + pi_sigi0[i][j]
pi_i.append(pi_ij)
pi_ppe.append(pi_i)
#print("--- Randomize PPE proof")
pi_ppe[0], pi_ppe[1], pi_ppe[2], pi_ppe[3] = auth.GS.Randomize(
"PPE", pi_ppe[0], pi_ppe[1], pi_ppe[2], pi_ppe[3])
res_ppe = [c_ppe, pi_ppe]
#t_ppe = time.time()
print("--- exponent proofs pk_ui")
C_pkui, pi_pkui = proof_pkui(auth.GS, x_me1, y_me1)
print("--- exponent proofs pk_uv")
C_pkuv, pi_pkuv = proof_pkuv(auth.GS, x_me1, y_me1)
#print("--- enc proof")
C_enc, pi_enc, _ = enc_proof(auth.GS, x_me1, y_me1, r[1])
#print("--- aggregate ME1 proofs")
c_me1 = []
for i in range(len(C_enc)):
row = []
for j in range(len(C_enc[i])):
cij = C_enc[i][j] + C_pkui[i][j] + C_pkuv[i][j]
row.append(cij)
c_me1.append(row)
pi_me1 = []
for i in range(len(pi_enc)):
pi_i = []
for j in range(len(pi_enc[i])):
pi_ij = pi_enc[i][j] + pi_pkui[i][j] + pi_pkuv[i][j]
pi_i.append(pi_ij)
pi_me1.append(pi_i)
#print("------ Randomize ME1 proof")
pi_me1[0], pi_me1[1], pi_me1[2], pi_me1[3] = auth.GS.Randomize(
"PPE", pi_me1[0], pi_me1[1], pi_me1[2], pi_me1[3])
res_me1 = [c_me1, pi_me1]
#t_end = time.time()
#print("--- Prove & aggregation time:", t_end - t_commit, "(PPE proof: "+ str(t_ppe-t_commit) +"+ ME1 proof"+ str(t_end-t_ppe) +")")
verify_ppe = auth.GS.Verify("PPE", x_ppe, y_ppe, c_ppe, pi_ppe[0],
pi_ppe[1], pi_ppe[2], pi_ppe[3])
print("------ Aggregate PPE verify?", verify_ppe)
verify_me1 = auth.GS.Verify("ME1", x_me1, y_me1, c_me1, pi_me1[0],
pi_me1[1], pi_me1[2], pi_me1[3])
print("------ Aggregate ME1 verify?", verify_me1)
verify = verify_ppe * verify_me1
res = [[
res_ppe[1], ["PPE", x_ppe, y_ppe, res_ppe[0],
GTElem.zero(auth.GS.G)]
], [res_me1[1], ["ME1", x_me1, y_me1, res_me1[0],
G1Elem.inf(auth.GS.G)]]]
#print("--- Do all the proofs verify?", verify_ppe*verify_me1)
return verify, res
def proof_usps_hidesigandsigner(self, gsp, pk, M, sig):
"""" creates GS proof that a USPS signature verifies
with the verifying key, the signature and the first message secret"""
#print("SPS: Prove")
from bplib.bp import G1Elem
from bplib.bp import G2Elem
from bplib.bp import GTElem
from petlib.bn import Bn
params = gsp.P
sps = USPS()
gz, gr = pk[0], pk[1]
pki = pk[2:]
m = []
for i in range(len(M)):
if type(M[i]) == bytes:
m.append(gsp.G.hashG1(M[i]))
elif type(M[i]) == G1Elem:
m.append(M[i])
else:
print("Error: wrong input, expected G1, got ", type(M[i]))
return 0, []
if len(m) < sps.nb_msg:
for i in range(sps.nb_msg - len(m)):
m.append(G1Elem.inf(gsp.G))
if sps.verify(params, pk, m, sig) == 0:
print("Signature does not verify")
return
X = [{
"type": "com",
"value": sig[0]
}, {
"type": "com",
"value": sig[1]
}]
B = [{
"type": "pub",
"value": G2Elem.inf(gsp.G)
}, {
"type": "pub",
"value": G2Elem.inf(gsp.G)
}]
A = [{
"type": "pub",
"value": G1Elem.inf(gsp.G)
}, {
"type": "pub",
"value": G1Elem.inf(gsp.G)
}]
Y = [{"type": "com", "value": gz}, {"type": "com", "value": gr}]
for i in range(len(m)):
if i == 0:
X.append({"type": "pub", "value": m[i]})
else:
X.append({"type": "com", "value": m[i]})
B.append({"type": "pub", "value": G2Elem.inf(gsp.G)})
for j in range(len(pki)):
Y.append({"type": "com", "value": pki[j]})
A.append({"type": "pub", "value": G1Elem.inf(gsp.G)})
C = []
for i in range(len(X)):
row = []
for j in range(len(Y)):
var = Bn(0)
if i == j:
var = Bn(1)
row.append(var)
C.append(row)
success, res = gsp.CommitProof_eq("PPE", X, B, A, Y, C,
GTElem.zero(gsp.G))
verify = 0
if success:
eq_type, X1, Y1, C1, T_eq, pi2_v1_ap, pi2_w1_ap, pi1_v2_ap, pi1_w2_ap = res
pi2_v1, pi2_w1, pi1_v2, pi1_w2 = gsp.Randomize(
eq_type, pi2_v1_ap, pi2_w1_ap, pi1_v2_ap, pi1_w2_ap)
verify = gsp.Verify(eq_type, X1, Y1, C1, pi2_v1, pi2_w1, pi1_v2,
pi1_w2)
if verify:
res = [[pi2_v1, pi2_w1, pi1_v2, pi1_w2],
[eq_type, X1, Y1, C1, T_eq]]
print("Do we successfully create a proof?", success)
print("Does the proof successfully verify?", verify)
print()
return verify, res