def test_signature_and_dlrne_fails_on_wrong_secret(): """ We manually modify a secret in the DLNE member, i.e we wrongfully claim to use the same "s" i the signature and in the DLNE. Should be detected and raise an Exception. """ mG = BilinearGroupPair() keypair = BBSPlusKeypair.generate(mG, 9) messages = [Bn(30), Bn(31), Bn(32)] pk, sk = keypair.pk, keypair.sk generators, h0 = keypair.generators, keypair.h0 creator = BBSPlusSignatureCreator(pk) lhs = creator.commit(messages) presignature = sk.sign(lhs.com_message) signature = creator.obtain_signature(presignature) e, s, m1, m2, m3 = (Secret() for _ in range(5)) secret_dict = { e: signature.e, s: signature.s, m1: messages[0], m2: messages[1], m3: messages[2], } sigproof = BBSPlusSignatureStmt([e, s, m1, m2, m3], pk, signature) g1 = mG.G1.generator() pg1 = signature.s * g1 pg2, g2 = mG.G1.order().random() * g1, mG.G1.order().random() * g1 dneq = DLNotEqual((pg1, g1), (pg2, g2), s, bind=True) secrets = [Secret() for _ in range(5)] sigproof1 = BBSPlusSignatureStmt(secrets, pk, signature) dneq1 = DLNotEqual((pg1, g1), (pg2, g2), secrets[1], bind=True) andp = sigproof & dneq andp1 = sigproof1 & dneq1 prov = andp.get_prover(secret_dict) prov.subs[1].secret_values[s] = signature.s + 1 ver = andp1.get_verifier() ver.process_precommitment(prov.precommit()) commitment = prov.commit() challenge = ver.send_challenge(commitment) responses = prov.compute_response(challenge) with pytest.raises(ValidationError): ver.verify(responses)
def test_signature_and_dlrne_does_not_fail_on_wrong_secret_when_non_binding(): """ Manually modify a secret in the DLNE member, i.e we wrongfully claim to use the same "s" i the signature and in the DLNE. Should not be detected since bindings in the DLNE are False. """ mG = BilinearGroupPair() keypair = BBSPlusKeypair.generate(mG, 9) messages = [Bn(30), Bn(31), Bn(32)] pk, sk = keypair.pk, keypair.sk generators, h0 = keypair.generators, keypair.h0 creator = BBSPlusSignatureCreator(pk) lhs = creator.commit(messages) presignature = sk.sign(lhs.com_message) signature = creator.obtain_signature(presignature) e, s, m1, m2, m3 = (Secret() for _ in range(5)) secret_dict = { e: signature.e, s: signature.s, m1: messages[0], m2: messages[1], m3: messages[2], } sigproof = BBSPlusSignatureStmt([e, s, m1, m2, m3], pk, signature) g1 = mG.G1.generator() pg1 = signature.s * g1 + g1 pg2, g2 = mG.G1.order().random() * g1, mG.G1.order().random() * g1 splus = Secret(signature.s + 1) dneq = DLNotEqual((pg1, g1), (pg2, g2), splus, bind=False) secrets = [Secret() for _ in range(5)] sigproof1 = BBSPlusSignatureStmt(secrets, pk, signature) # Note difference: dneq above uses an independent secret for dneq, # here it is bound to the secret s (secrets[1]) from the signature proof dneq1 = DLNotEqual((pg1, g1), (pg2, g2), secrets[1]) andp = sigproof & dneq andp1 = sigproof1 & dneq1 prov = andp.get_prover(secret_dict) ver = andp1.get_verifier() ver.process_precommitment(prov.precommit()) commitment = prov.commit() challenge = ver.send_challenge(commitment) responses = prov.compute_response(challenge) assert ver.verify(responses)
def test_bbsplus_and_range(): from zksk.primitives.rangeproof import RangeStmt from zksk.utils import make_generators mG = BilinearGroupPair() keypair = BBSPlusKeypair.generate(mG, 9) pk, sk = keypair.pk, keypair.sk generators, h0 = keypair.generators, keypair.h0 creator = BBSPlusSignatureCreator(pk) msg_val = Bn(30) lhs = creator.commit([msg_val]) presignature = sk.sign(lhs.com_message) signature = creator.obtain_signature(presignature) e, s, m = Secret(signature.e), Secret(signature.s), Secret(msg_val) p1 = BBSPlusSignatureStmt([e, s, m], pk, signature) g, h = make_generators(2, mG.G1) randomizer = Secret(value=mG.G1.order().random()) com = m * g + randomizer * h p2 = RangeStmt(com.eval(), g, h, 18, 9999, m, randomizer) stmt = p1 & p2 proof = stmt.prove() assert stmt.verify(proof)
def test_bbsplus_and_proof(): mG = BilinearGroupPair() keypair = BBSPlusKeypair.generate(mG, 9) messages = [Bn(30), Bn(31), Bn(32)] pk, sk = keypair.pk, keypair.sk generators, h0 = keypair.generators, keypair.h0 creator = BBSPlusSignatureCreator(pk) lhs = creator.commit(messages) presignature = sk.sign(lhs.com_message) signature = creator.obtain_signature(presignature) e, s, m1, m2, m3 = (Secret() for _ in range(5)) secret_dict = { e: signature.e, s: signature.s, m1: messages[0], m2: messages[1], m3: messages[2], } sigproof = BBSPlusSignatureStmt([e, s, m1, m2, m3], pk, signature) creator = BBSPlusSignatureCreator(pk) lhs = creator.commit(messages) presignature2 = sk.sign(lhs.com_message) signature2 = creator.obtain_signature(presignature2) e1, s1, m1, m2, m3 = (Secret() for _ in range(5)) secret_dict2 = { e1: signature2.e, s1: signature2.s, m1: messages[0], m2: messages[1], m3: messages[2], } sigproof1 = BBSPlusSignatureStmt([e1, s1, m1, m2, m3], pk, signature2) secret_dict.update(secret_dict2) andp = sigproof & sigproof1 prov = andp.get_prover(secret_dict) ver = andp.get_verifier() protocol = SigmaProtocol(ver, prov) assert protocol.verify()
def test_signature_or_dlrne(): """ Construct a signature on a set of messages, and then pairs the proof of knowledge of this signature with a proof of non-equality of two DL, one of which is the blinding exponent 's' of the signature. """ mG = BilinearGroupPair() keypair = BBSPlusKeypair.generate(mG, 9) messages = [Bn(30), Bn(31), Bn(32)] pk, sk = keypair.pk, keypair.sk generators, h0 = keypair.generators, keypair.h0 creator = BBSPlusSignatureCreator(pk) lhs = creator.commit(messages) presignature = sk.sign(lhs.com_message) signature = creator.obtain_signature(presignature) e, s, m1, m2, m3 = (Secret() for _ in range(5)) secret_dict = { e: signature.e, s: signature.s, m1: messages[0], m2: messages[1], m3: messages[2], } sigproof = BBSPlusSignatureStmt([e, s, m1, m2, m3], pk, signature) g1 = mG.G1.generator() pg1 = signature.s * g1 pg2, g2 = mG.G1.order().random() * g1, mG.G1.order().random() * g1 dneq = DLNotEqual((pg1, g1), (pg2, g2), s, bind=True) andp = sigproof | dneq secrets = [Secret() for _ in range(5)] sigproof1 = BBSPlusSignatureStmt(secrets, pk) dneq1 = DLNotEqual((pg1, g1), (pg2, g2), secrets[1], bind=True) andp1 = sigproof1 | dneq1 prov = andp.get_prover(secret_dict) ver = andp1.get_verifier() ver.process_precommitment(prov.precommit()) commitment = prov.commit() challenge = ver.send_challenge(commitment) responses = prov.compute_response(challenge) assert ver.verify(responses)
def test_and_sig_non_interactive(): mG = BilinearGroupPair() keypair = BBSPlusKeypair.generate(mG, 9) messages = [Bn(30), Bn(31), Bn(32)] pk, sk = keypair.pk, keypair.sk generators, h0 = keypair.generators, keypair.h0 creator = BBSPlusSignatureCreator(pk) lhs = creator.commit(messages) presignature = sk.sign(lhs.com_message) signature = creator.obtain_signature(presignature) e, s, m1, m2, m3 = (Secret() for _ in range(5)) secret_dict = { e: signature.e, s: signature.s, m1: messages[0], m2: messages[1], m3: messages[2], } sigproof = BBSPlusSignatureStmt([e, s, m1, m2, m3], pk, signature) creator = BBSPlusSignatureCreator(pk) lhs = creator.commit(messages) presignature2 = sk.sign(lhs.com_message) signature2 = creator.obtain_signature(presignature2) e1, s1 = (Secret() for _ in range(2)) secret_dict2 = { e1: signature2.e, s1: signature2.s, m1: messages[0], m2: messages[1], m3: messages[2], } sigproof1 = BBSPlusSignatureStmt([e1, s1, m1, m2, m3], pk, signature2) secret_dict.update(secret_dict2) andp = sigproof & sigproof1 tr = andp.prove(secret_dict) assert andp.verify(tr)
def test_signature_non_interactive_proof(): mG = BilinearGroupPair() keypair = BBSPlusKeypair.generate(mG, 9) messages = [Bn(30), Bn(31), Bn(32)] pk, sk = keypair.pk, keypair.sk generators, h0 = keypair.generators, keypair.h0 creator = BBSPlusSignatureCreator(pk) lhs = creator.commit(messages) presignature = sk.sign(lhs.com_message) signature = creator.obtain_signature(presignature) e, s, m1, m2, m3 = (Secret() for _ in range(5)) secret_dict = { e: signature.e, s: signature.s, m1: messages[0], m2: messages[1], m3: messages[2], } p1 = BBSPlusSignatureStmt([e, s, m1, m2, m3], pk, signature) tr = p1.prove(secret_dict) p1 = BBSPlusSignatureStmt([Secret() for _ in range(5)], pk) assert p1.verify(tr)
def test_signature_proof(): mG = BilinearGroupPair() keypair = BBSPlusKeypair.generate(mG, 9) messages = [Bn(30), Bn(31), Bn(32)] pk, sk = keypair.pk, keypair.sk generators, h0 = keypair.generators, keypair.h0 creator = BBSPlusSignatureCreator(pk) lhs = creator.commit(messages) presignature = sk.sign(lhs.com_message) signature = creator.obtain_signature(presignature) e, s, m1, m2, m3 = (Secret() for _ in range(5)) secret_dict = { e: signature.e, s: signature.s, m1: messages[0], m2: messages[1], m3: messages[2], } p1 = BBSPlusSignatureStmt([e, s, m1, m2, m3], pk, signature) prover = p1.get_prover(secret_dict) p2 = BBSPlusSignatureStmt([Secret() for _ in range(5)], pk) verifier = p2.get_verifier() pc = prover.precommit() verifier.process_precommitment(pc) com = prover.commit() chal = verifier.send_challenge(com) resp = prover.compute_response(chal) assert verifier.verify(resp)