def prove_decryption(self, ciphertext):
"""
given g, y, alpha, beta/(encoded m), prove equality of discrete log
with Chaum Pedersen, and that discrete log is x, the secret key.
Prover sends a=g^w, b=alpha^w for random w
Challenge c = sha1(a,b) with and b in decimal form
Prover sends t = w + xc
Verifier will check that g^t = a * y^c
and alpha^t = b * beta/m ^ c
"""
m = (Utils.inverse(pow(ciphertext.alpha, self.x, self.pk.p), self.pk.p) * ciphertext.beta) % self.pk.p
beta_over_m = (ciphertext.beta * Utils.inverse(m, self.pk.p)) % self.pk.p
# pick a random w
w = Utils.random_mpz_lt(self.pk.q)
a = pow(self.pk.g, w, self.pk.p)
b = pow(ciphertext.alpha, w, self.pk.p)
c = int(hashlib.sha1(str(a) + "," + str(b)).hexdigest(),16)
t = (w + self.x * c) % self.pk.q
return m, {
'commitment' : {'A' : str(a), 'B': str(b)},
'challenge' : str(c),
'response' : str(t)
}
def prove_decryption(self, ciphertext):
"""
given g, y, alpha, beta/(encoded m), prove equality of discrete log
with Chaum Pedersen, and that discrete log is x, the secret key.
Prover sends a=g^w, b=alpha^w for random w
Challenge c = sha1(a,b) with and b in decimal form
Prover sends t = w + xc
Verifier will check that g^t = a * y^c
and alpha^t = b * beta/m ^ c
"""
m = (Utils.inverse(pow(ciphertext.alpha, self.x, self.pk.p), self.pk.p) * ciphertext.beta) % self.pk.p
beta_over_m = (ciphertext.beta * Utils.inverse(m, self.pk.p)) % self.pk.p
# pick a random w
w = Utils.random_mpz_lt(self.pk.q)
a = pow(self.pk.g, w, self.pk.p)
b = pow(ciphertext.alpha, w, self.pk.p)
c = int(hashlib.sha1(str(a) + "," + str(b)).hexdigest(),16)
t = (w + self.x * c) % self.pk.q
return m, {
'commitment' : {'A' : str(a), 'B': str(b)},
'challenge' : str(c),
'response' : str(t)
}
def decrypt(self, decryption_factors, public_key):
"""
decrypt a ciphertext given a list of decryption factors (from multiple trustees)
For now, no support for threshold
"""
running_decryption = self.beta
for dec_factor in decryption_factors:
running_decryption = (running_decryption * Utils.inverse(dec_factor, public_key.p)) % public_key.p
return running_decryption
def simulate_encryption_proof(self, plaintext, challenge=None):
# generate a random challenge if not provided
if not challenge:
challenge = Utils.random_mpz_lt(self.pk.q)
proof = ZKProof()
proof.challenge = challenge
# compute beta/plaintext, the completion of the DH tuple
beta_over_plaintext = (self.beta * Utils.inverse(plaintext.m, self.pk.p)) % self.pk.p
# random response, does not even need to depend on the challenge
proof.response = Utils.random_mpz_lt(self.pk.q);
# now we compute A and B
proof.commitment['A'] = (Utils.inverse(pow(self.alpha, proof.challenge, self.pk.p), self.pk.p) * pow(self.pk.g, proof.response, self.pk.p)) % self.pk.p
proof.commitment['B'] = (Utils.inverse(pow(beta_over_plaintext, proof.challenge, self.pk.p), self.pk.p) * pow(self.pk.y, proof.response, self.pk.p)) % self.pk.p
return proof
def decrypt(self, decryption_factors, public_key):
"""
decrypt a ciphertext given a list of decryption factors (from multiple trustees)
For now, no support for threshold
"""
running_decryption = self.beta
for dec_factor in decryption_factors:
running_decryption = (running_decryption * Utils.inverse(dec_factor, public_key.p)) % public_key.p
return running_decryption
def simulate_encryption_proof(self, plaintext, challenge=None):
# generate a random challenge if not provided
if not challenge:
challenge = Utils.random_mpz_lt(self.pk.q)
proof = ZKProof()
proof.challenge = challenge
# compute beta/plaintext, the completion of the DH tuple
beta_over_plaintext = (self.beta * Utils.inverse(plaintext.m, self.pk.p)) % self.pk.p
# random response, does not even need to depend on the challenge
proof.response = Utils.random_mpz_lt(self.pk.q);
# now we compute A and B
proof.commitment['A'] = (Utils.inverse(pow(self.alpha, proof.challenge, self.pk.p), self.pk.p) * pow(self.pk.g, proof.response, self.pk.p)) % self.pk.p
proof.commitment['B'] = (Utils.inverse(pow(beta_over_plaintext, proof.challenge, self.pk.p), self.pk.p) * pow(self.pk.y, proof.response, self.pk.p)) % self.pk.p
return proof
def verify_encryption_proof(self, plaintext, proof):
"""
Checks for the DDH tuple g, y, alpha, beta/plaintext.
(PoK of randomness r.)
Proof contains commitment = {A, B}, challenge, response
"""
# check that g^response = A * alpha^challenge
first_check = (pow(self.pk.g, proof.response, self.pk.p) == ((pow(self.alpha, proof.challenge, self.pk.p) * proof.commitment['A']) % self.pk.p))
# check that y^response = B * (beta/m)^challenge
beta_over_m = (self.beta * Utils.inverse(plaintext.m, self.pk.p)) % self.pk.p
second_check = (pow(self.pk.y, proof.response, self.pk.p) == ((pow(beta_over_m, proof.challenge, self.pk.p) * proof.commitment['B']) % self.pk.p))
# print "1,2: %s %s " % (first_check, second_check)
return (first_check and second_check)
def verify_encryption_proof(self, plaintext, proof):
"""
Checks for the DDH tuple g, y, alpha, beta/plaintext.
(PoK of randomness r.)
Proof contains commitment = {A, B}, challenge, response
"""
# check that g^response = A * alpha^challenge
first_check = (pow(self.pk.g, proof.response, self.pk.p) == ((pow(self.alpha, proof.challenge, self.pk.p) * proof.commitment['A']) % self.pk.p))
# check that y^response = B * (beta/m)^challenge
beta_over_m = (self.beta * Utils.inverse(plaintext.m, self.pk.p)) % self.pk.p
second_check = (pow(self.pk.y, proof.response, self.pk.p) == ((pow(beta_over_m, proof.challenge, self.pk.p) * proof.commitment['B']) % self.pk.p))
# print "1,2: %s %s " % (first_check, second_check)
return (first_check and second_check)
def decrypt(self, ciphertext, dec_factor = None, decode_m=False):
"""
Decrypt a ciphertext. Optional parameter decides whether to encode the message into the proper subgroup.
"""
if not dec_factor:
dec_factor = self.decryption_factor(ciphertext)
m = (Utils.inverse(dec_factor, self.pk.p) * ciphertext.beta) % self.pk.p
if decode_m:
# get m back from the q-order subgroup
if m < self.pk.q:
y = m
else:
y = -m % self.pk.p
return Plaintext(y-1, self.pk)
else:
return Plaintext(m, self.pk)
def decrypt(self, ciphertext, dec_factor=None, decode_m=False):
"""
Decrypt a ciphertext. Optional parameter decides whether to encode the message into the proper subgroup.
"""
if not dec_factor:
dec_factor = self.decryption_factor(ciphertext)
m = (Utils.inverse(dec_factor, self.pk.p) * ciphertext.beta) % self.pk.p
if decode_m:
# get m back from the q-order subgroup
if m < self.pk.q:
y = m
else:
y = -m % self.pk.p
return Plaintext(y-1, self.pk)
else:
return Plaintext(m, self.pk)
