def vote(PP, v_id, vote_arr, public_seed, BB):
seed = randombytes(PP.seedlen)
r_seed = randombytes(PP.seedlen)
nonce = 0
B0, b = gen_public_b(PP, public_seed)
m = m_from_vote_arr(PP, vote_arr)
x, _ = _secret_share_value(PP, m, PP.Na, seed, 0)
S = []
T0 = []
T1 = []
for i in range(PP.Na):
t0, t1, r, nonce = commit(PP, B0, b, x[i], r_seed, nonce)
S.append(r)
T0.append(t0)
T1.append(t1)
r = list(sum(S[j][i] for j in range(PP.Na)) for i in range(PP.baselen))
t0, t1 = commit_with_r(PP, B0, b, m, r)
vproof, additional_com = proof_v(PP, t0, t1, r, m, public_seed)
# We should sign ballots
signature = None
# S should be encrypted
ballot = Ballot(v_id, vproof, (T0, T1), additional_com, S, signature)
BB.add_ballot(ballot)
def verify(PP, result, public_seed, BB):
B0, b = gen_public_b(PP, public_seed)
T0_a = []
T1_a = []
for i in range(PP.Na):
T0_a.append(list())
T1_a.append(list())
for v_id, ballot in BB.correct_ballots():
T0, T1 = ballot.com
for i in range(PP.Na):
T0_a[i].append(T0[i])
T1_a[i].append(T1[i])
if _check_ballot_vproof(PP, ballot, public_seed):
print(f'voter {v_id} is cheating!')
return 1
j = 0
res = [0] * PP.npoly
for a_id, tally in BB.all_tallies():
if verify_sum_of_commitments(PP, tally.amo_proof, tally.amo_zero_proof,\
(T0_a[j], T1_a[j]), tally.additional_com, public_seed):
print(f'autority {a_id} is cheating!')
return 1
j += 1
zero, x = _extract_authority_result(PP, B0, b, tally)
if _check_zero(PP, zero):
print(f'autority {a_id} is cheating!')
return 1
for i in range(PP.npoly):
res[i] += x[i]
if _res_to_list_of_candidates(PP, res) != result:
print('results are wrong!')
return 1
return 0
def tally_all(PP, public_seed, BB):
B0, b = gen_public_b(PP, public_seed)
res = [0] * PP.npoly
for a_id, tally in BB.all_tallies():
zero, x = _extract_authority_result(PP, B0, b, tally)
if _check_zero(PP, zero):
raise Exception(f'autority {a_id} is cheating!')
for i in range(PP.npoly):
res[i] += x[i]
return _res_to_list_of_candidates(PP, res)
def verify_amo(PP, proof, T, p, public_seed):
R = PP.R
c_hash, Z = proof
C = get_challenge_amo(PP, c_hash, p)
C = Matrix(R, C)
B0, b = gen_public_b(PP, public_seed)
if check_Z_len(PP, Z):
return 1
W = Matrix(R, B0) * Z - T * C
c_hash_prime = get_challenge_hash_amo(PP, T, W, p)
if c_hash != c_hash_prime:
return 1
return 0
def proof_amo(PP, S, T, p, public_seed):
R = PP.R
B0, b = gen_public_b(PP, public_seed)
while True:
Y = discrete_gaussian_y(PP, PP.baselen, PP.amo_n, PP.sigma2)
W = Matrix(R, B0) * Y
c_hash = get_challenge_hash_amo(PP, T, W, p)
C = get_challenge_amo(PP, c_hash, p)
C = Matrix(R, C)
SC = S * C
Z = Y + SC
if rejection_sampling_matrix(Z, SC, PP.sigma2, PP.average_rejection_tries2, PP.q) \
and inf_norm_matr(Z, PP.q) < PP.inf_bound2:
break
return (c_hash, Z)
def verify_amo_to_zero(PP, proof, T0, T1, p, public_seed):
R = PP.R
c_hash, Z = proof
C = get_challenge_amo_to_zero(PP, c_hash, p)
C = Matrix(R, C)
B0, b = gen_public_b(PP, public_seed)
if check_Z_len(PP, Z):
return 1
W0 = Matrix(R, B0) * Z - T0 * C
W1 = Matrix(R,
list(vector(R, b[i]) * Z - T1[i] * C for i in range(PP.npoly)))
c_hash_prime = get_challenge_hash_amo_to_zero(PP, T0, T1, W0, W1, p)
if c_hash != c_hash_prime:
return 1
return 0
def proof_amo_to_zero(PP, S, T0, T1, p, public_seed):
R = PP.R
B0, b = gen_public_b(PP, public_seed)
while True:
Y = discrete_gaussian_y(PP, PP.baselen, PP.amo_n, PP.sigma2)
W0 = Matrix(R, B0) * Y
W1 = Matrix(R, list(vector(R, b[i]) * Y for i in range(PP.npoly)))
c_hash = get_challenge_hash_amo_to_zero(PP, T0, T1, W0, W1, p)
C = get_challenge_amo_to_zero(PP, c_hash, p)
C = Matrix(R, C)
SC = S * C
Z = Y + SC
if rejection_sampling_matrix(Z, SC, PP.sigma2, PP.average_rejection_tries2, PP.q) \
and inf_norm_matr(Z, PP.q) < PP.inf_bound2:
break
return (c_hash, Z)
def _gen_random_commitments_impl(PP, p, public_seed, m_func):
R = PP.R
B0, b = gen_public_b(PP, public_seed)
r_seed = randombytes(PP.seedlen)
seed = randombytes(PP.seedlen)
S = []
T0 = []
T1 = []
nonce = 0
for i in range(p):
xi = []
for i in range(PP.npoly):
x, nonce = m_func(PP, seed, nonce, PP.d)
xi.append(x)
t0, t1, r, nonce = commit(PP, B0, b, xi, r_seed, nonce)
S.append(r)
T0.append(t0)
T1.append(t1)
return Matrix(R, S).transpose(), Matrix(R, T0).transpose(), Matrix(
R, T1).transpose()
def sum_of_commitments(PP, S, T0, T1, public_seed):
d = PP.d
X = PP.X
u = PP.u
npoly = PP.npoly
p = len(S)
max_layers = ceil(log(p, u))
B0, b = gen_public_b(PP, public_seed)
X_poly = list(
list(T1[i][j] - scalar(b[j], S[i], X, d) for j in range(npoly))
for i in range(p))
S_amo = []
T0_amo = []
T1_amo = []
S_amo_zero = []
T0_amo_zero = []
T1_amo_zero = []
for i in range(p):
S_amo.append(S[i])
T0_amo.append(T0[i])
T1_amo.append(T1[i])
r_seed = randombytes(PP.seedlen)
nonce = 0
max_index = p
offset = 0
for layer in range(1, max_layers + 1):
blocks = ceil(p / u**layer)
for block in range(blocks):
start = block * u
end = min((block + 1) * u, max_index)
m = list(
sum(X_poly[i][j] for i in range(start, end))
for j in range(npoly))
X_poly[block] = m
t0, t1, r, nonce = commit(PP, B0, b, m, r_seed, nonce)
t0_prime = list(t0[i] - sum(T0_amo[j + offset][i]
for j in range(start, end))
for i in range(PP.kappa))
t1_prime = list(t1[i] - sum(T1_amo[j + offset][i]
for j in range(start, end))
for i in range(npoly))
r_prime = list(r[i] - sum(S_amo[j + offset][i]
for j in range(start, end))
for i in range(PP.baselen))
T0_amo.append(t0)
T1_amo.append(t1)
S_amo.append(r)
T0_amo_zero.append(t0_prime)
T1_amo_zero.append(t1_prime)
S_amo_zero.append(r_prime)
offset += max_index
max_index = blocks
R = PP.R
amo_proof = proof_amo(PP,
Matrix(R, S_amo).transpose(),
Matrix(R, T0_amo).transpose(), len(T1_amo),
public_seed)
amo_zero_proof = proof_amo_to_zero(PP,
Matrix(R, S_amo_zero).transpose(),
Matrix(R, T0_amo_zero).transpose(),
Matrix(R, T1_amo_zero).transpose(),
len(T1_amo_zero), public_seed)
return amo_proof, amo_zero_proof, (T0_amo[p:], T1_amo[p:]), S_amo[-1]
return 1
return 0
if __name__ == '__main__':
from commit import commit
from params import PublicParams
from public import gen_public_b
from utils import m_from_vote_arr
public_seed = b'-\xc2\xbd\xc1\x12\x94\xac\xd0f\xab~\x9f\x13\xb5\xac\xcaT\xbaFgD\xa6\x93\xd9\x92\xf2"\xb5\x006\x02\xa3'
PP = PublicParams(2, 129, 10)
v = [0] * PP.Nc
v[1] = 1
m = m_from_vote_arr(PP, v)
B0, b1 = gen_public_b(PP, public_seed)
r_seed = randombytes(PP.seedlen)
t0, t1, r, _ = commit(PP, B0, b1, m, r_seed, 0)
proof, additional_com = proof_v(PP, t0, t1, r, m, public_seed)
ver_result = verify_v(PP, proof, (t0, t1), additional_com, public_seed)
if ver_result == 0:
print('Verify is successfull')
else:
print('There is an error in verification')
print('Trying negative scenarios')
for v in ([1]*2 + [0]*(PP.Nc - 2), [2] + [0]*(PP.Nc - 1)):
m = m_from_vote_arr(PP, v)
B0, b1 = gen_public_b(PP, public_seed)
r_seed = randombytes(PP.seedlen)