def verify(self, params, pk, m, n, sig): """ Verifies a signature on messages m e(R,V) e(S,H) Pi e(M_i,W_i) == e(G,Z) e(R,T) Pi e(U_i, N_i) == e(G,H) """ #print("BSPS: Verify") R, S, T = sig o, G, g1, g2, e = params if (R.eq(G1Elem.inf(G)) and S.eq(G1Elem.inf(G)) and T.eq(G2Elem.inf(G))): print("BSPS: Verify --- Error: signature null") print("BSPS: Verify", 0) return 0 U, W, V, Z = pk res1 = e(R, V) * e(S, g2) for i in range(self.msg_g1): if i < len(m): res1 = res1 * e(m[i], W[i]) else: res1 = res1 * e(g1, W[i]) res2 = e(R, T) for j in range(self.msg_g2): if j < len(n): res2 = res2 * e(U[j], n[j]) else: res2 = res2 * e(U[j], g2) return res1.eq(e(g1, Z)) and res2.eq(e(g1, g2))
def sign(self, params, sk, m, n): """Signs a list of group elements of G1 and G2""" #print("BSPS: Sign") o, G, g1, g2, _ = params if len(m) > self.msg_g1 or len(n) > self.msg_g2: print("BSPS: Sign --- Error: message(s) too long", len(m), ">?", self.msg_g1, len(n), ">?", self.msg_g2) return (G1Elem.inf(G), G1Elem.inf(G), G2Elem.inf(G)) u, w, v, z = sk r = o.random() R = r * g1 temp = z.mod_sub(r.mod_mul(v, o), o) S = temp * g1 T = g2 for i in range(self.msg_g1): if i < len(m): S = S + w[i].int_neg() * m[i] else: S = S + w[i].int_neg() * g1 for j in range(self.msg_g2): if j < len(n): T = T + u[j].int_neg() * n[j] else: T = T + u[j].int_neg() * g2 return [R, S, r.mod_inverse(o) * T]
def test_usps_proof(): gsp = GSProof() gsp.ExtGen() params = gsp.P sps = USPS() sk, pk = sps.keygen(params) gz, gr = pk[0], pk[1] pki = pk[2:] m = [ gsp.G.hashG1(b"Hello World!"), gsp.G.hashG1(b"Hello me!"), gsp.G.hashG1(b"Hello us!") ] if len(m) < len(pk) - 2: for i in range(len(pk) - 2 - len(m)): m.append(G1Elem.inf(gsp.G)) elif len(pk) - 2 < len(m): return sig = sps.sign(params, sk, m) print("Does the signature verify?", sps.verify(params, pk, m, sig)) PK = [] for i in range(len(pk)): PK.append(gsp.Commit({"group": 2, "type": "com", "value": pk[i]})) M = [ gsp.Commit({ "group": 1, "type": "com", "value": m[0] }), gsp.Commit({ "group": 1, "group": 1, "type": "pub", "value": m[1] }), gsp.Commit({ "group": 1, "type": "pub", "value": m[2] }) ] for i in range(len(pk) - 2 - len(m)): M.append( gsp.Commit({ "group": 1, "type": "pub", "value": G1Elem.inf(gsp.G) })) SIG = [] for i in range(len(sig)): SIG.append(gsp.Commit({"group": 1, "type": "com", "value": sig[i]})) verify, res = proof_usps_hidesigandsigner(gsp, PK, M, SIG) assert verify
def getsignature(self, ask, who): ask_s = b64decode(str(raw_input(ask))) s = G1Elem.from_bytes(ask_s, self.params[0]) ask_p = b64decode(str(raw_input(who))) p = G2Elem.from_bytes(ask_p, self.params[0]) assert p in self.vks return (s, p)
def aggr_pdf(pdfname, pdfpaths, origin_directory): params = setup() (G, o, g1, g2, e) = params # 从多个文件中读出所有签名 sigs = [] for path in pdfpaths: pdf = PdfReader(path + os.path.sep + pdfname) try: sig_str:str = pdf.Info.signature sig_str = sig_str[1:-1] sig_bytes = base64.b64decode( sig_str.encode("utf-8") ) sig_g1elem = G1Elem.from_bytes(sig_bytes,G) except: sig_g1elem = None sigs.append(sig_g1elem) print('all_sigs:',sigs) # 聚合所有签名 sigma = aggregate_sigma(params, sigs) print('type sigma:',type(sigma)) sigma_bytes = sigma.export() sigma_str = base64.b64encode(sigma_bytes).decode() # 将聚合后的签名写回运行路径中新建的以blockstackid命名的pdf中 pdf = PdfReader(origin_directory + os.path.sep + pdfname) metadata_new = PdfDict(signature = sigma_str) pdf.Info.update(metadata_new) PdfWriter().write(pdfname, pdf)
def verifyEq(self, eq, x, b, a, y, c, t): #print("verifyEq") if eq in ["PPE", "PN1", "PC1", "PN2", "PC2"]: #print("eq in [\"PPE\", \"PN1\", \"PC1\", \"PN2\", \"PC2\"]") T = GTElem.zero(self.G) for i in range(min(len(x), len(b))): T = T * self.e(x[i]["value"], b[i]["value"]) for j in range(min(len(a), len(y))): T = T * self.e(a[j]["value"], y[j]["value"]) for i in range(len(c)): for j in range(len(c[i])): T = T * self.e(c[i][j] * x[i]["value"], y[j]["value"]) return T.eq(t) else: #print("eq NOT in [\"PPE\", \"PN1\", \"PC1\", \"PN2\", \"PC2\"]") T = Bn(0) if eq in ["ME1", "MN1", "MC1", "ML1"]: T = G1Elem.inf(self.G) elif eq in ["ME2", "MN2", "MC2", "ML2"]: T = G2Elem.inf(self.G) elif eq not in ["QE", "QC1", "QC2"]: print("eq error", eq) return 0 for i in range(min(len(x), len(b))): T += x[i]["value"] * b[i]["value"] for j in range(min(len(a), len(y))): T += a[j]["value"] * y[j]["value"] for i in range(len(c)): for j in range(len(c[i])): if c[i][j] != 0: T += c[i][j] * x[i]["value"] * y[j]["value"] return T.eq(t)
def test_proof(): from bplib.bp import G1Elem from bplib.bp import G2Elem from bplib.bp import GTElem from petlib.bn import Bn from gsproof import GSProof gsp = GSProof() gsp.ExtGen() params = gsp.P sps = USPS() sk, pk = sps.keygen(params) gz, gr = pk[0], pk[1] pki = pk[2:] M = [b"Hello World!", b"Hello me!", b"Hello us!"] m = [] for i in range(len(M)): if type(M[i]) == bytes: m.append(gsp.G.hashG1(M[i])) elif type(M[i]) == G1Elem: m.append(M[i]) else: print("Error: wrong input, expected G1, got ", type(M[i])) return 0, [] if len(m) < sps.nb_msg: for i in range(sps.nb_msg - len(m)): m.append(G1Elem.inf(gsp.G)) elif sps.nb_msg < len(m): return sig = sps.sign(params, sk, m) verify, res = sps.proof_usps_hidesigandsigner(gsp, pk, M, sig) assert verify
def proof_pkuv(gsp, X, Y): res = [] B = [] A = [] C = [] for i in range(len(X)): row = [] for j in range(len(Y)): row.append(Bn(0)) C.append(row) C[6][0] = Bn(1) # pk_uv C[5][1] = Bn(-1) # - h_v^sku success, result = gsp.Prove_aggreg("MC1", X, B, A, Y, C, G1Elem.inf(gsp.G)) verify = 0 if success: eq_type, X, Y, C, T_eq, pi2_v1, pi2_w1, pi1_v2, pi1_w2 = result #verify = gsp.Verify(eq_type, X, Y, C, pi2_v1, pi2_w1, pi1_v2, pi1_w2) #if verify: res = [C, [pi2_v1, pi2_w1, pi1_v2, pi1_w2]] #print("Do we successfully create a proof?", success) #print("Does the proof successfully verify?", verify) print("\n----pk uv") for i in range(len(res[1])): for j in range(2): if type(res[1][i][j]) == G1Elem: print(i, j, type(res[1][i][j]), res[1][i][j].eq(G1Elem.inf(gsp.G))) else: print(i, j, type(res[1][i][j]), res[1][i][j].eq(G2Elem.inf(gsp.G))) b = challenge(result) for i in range(len(res[0])): for j in range(len(res[0][0])): if res[0][i][j] != 0: res[0][i][j] = b * res[0][i][j] for i in range(len(res[1])): for j in range(len(res[1][i])): res[1][i][j] = b * res[1][i][j] #verify = gsp.Verify("ME1", X, Y, C, res[1][0], res[1][1], res[1][2], res[1][3]) #print("Does the (aggregate) proof verify?", verify) return res
def test_bsps_proof(): """ create GS proof that sig verifies with the signature and all but the first message secret """ gsp = GSProof() gsp.ExtGen() params = gsp.P sps = BSPS() sk, pk = sps.keygen(params) u, w, v, z = sk U, W, V, Z = pk t = Bn(7) m1 = [gsp.g1 * t, gsp.G.hashG1(b"Hello World!")] m2 = [Bn.from_binary(b"Hello you!") * gsp.g2] for i in range(len(W) - len(m1)): m1.append(G1Elem.inf(gsp.G)) for i in range(len(U) - len(m2)): m2.append(G2Elem.inf(gsp.G)) sig = sps.sign(params, sk, m1, m2) print("Does the signature verify?", sps.verify(params, pk, m1, m2, sig)) PK = [[], []] for i in range(len(U)): PK[0].append(gsp.Commit({"group": 1, "type": "pub", "value": U[i]})) for i in range(len(W)): PK[1].append(gsp.Commit({"group": 2, "type": "pub", "value": W[i]})) PK.append(gsp.Commit({"group": 2, "type": "pub", "value": V})) PK.append(gsp.Commit({"group": 2, "type": "pub", "value": Z})) M1 = [gsp.Commit({"group": 1, "type": "bas", "value": gsp.g1})] for i in range(len(m1) - 1): M1.append(gsp.Commit({"group": 1, "type": "com", "value": m1[i + 1]})) M2 = [] for i in range(len(m2)): M2.append(gsp.Commit({"group": 2, "type": "com", "value": m2[i]})) SIG = [ gsp.Commit({ "group": 1, "type": "com", "value": sig[0] }), gsp.Commit({ "group": 1, "type": "com", "value": sig[1] }), gsp.Commit({ "group": 2, "type": "com", "value": sig[2] }) ] verify, result = proof_bsps_hidemandsig(gsp, PK, M1, M2, t, SIG) assert verify
def get_sig(r, params, n, text): r.recvuntil("what do you want to do?") r.sendline(n) r.recvuntil("you want me to sign what?") r.sendline(text) r.recvline() r.recvline() l = r.recvline()[:-1] return G1Elem.from_bytes(b64decode(l), params[0])
def CommitG2Scalar(self, val, x, r): c0 = x * self.u2[0] + r * self.v2[0] c1 = x * self.u2[1] + r * self.v2[1] val["value"] = [c0, c1] val["committed"] = { 1: G1Elem.inf(self.G), 2: G2Elem.inf(self.G), "Zp": x, "r": r, "s": 0 } return val
def CommitG2Group(self, val, x2, r, s): c0 = r * self.v2[0] + s * self.w2[0] c1 = x2 + r * self.v2[1] + s * self.w2[1] val["value"] = [c0, c1] val["committed"] = { 1: G1Elem.inf(self.G), 2: x2, "Zp": 0, "r": r, "s": s } return val
def proof_exponent_gs1_pk_public(gsp, g1, sk, pk): x = [{"type": "com", "value": g1}, {"type": "com", "value": pk}] b = [{"type": "sca", "value": Bn(0)}, {"type": "unt", "value": Bn(1)}] a = [{"type": "pub", "value": G1Elem.inf(gsp.G)}] y = [{"type": "sca", "value": sk}] c = [[Bn(-1)], [Bn(0)]] success, res = gsp.CommitProof_eq("ME1", x, b, a, y, c, G1Elem.inf(gsp.G)) verify = 0 if success: eq_type, X, Y, C, T_eq, pi2_v1_ap, pi2_w1_ap, pi1_v2_ap, pi1_w2_ap = res pi2_v1, pi2_w1, pi1_v2, pi1_w2 = gsp.Randomize(eq_type, pi2_v1_ap, pi2_w1_ap, pi1_v2_ap, pi1_w2_ap) verify = gsp.Verify(eq_type, X, Y, C, pi2_v1, pi2_w1, pi1_v2, pi1_w2) if verify: res = [[pi2_v1, pi2_w1, pi1_v2, pi1_w2], [eq_type, X, Y, C, T_eq]] print("Do we successfully create a first proof?", success) print("Does the first proof successfully verify?", verify) print() return verify, res
def sign(self, params, sk, m): """Signs a list of group elements of G1""" #print("SPS: Sign") (o, G, g1, g2, e) = params if len(m) > self.nb_msg: print("Error: too many messages to sign") return (G1Elem.inf(G), G1Elem.inf(G)) M = [] for i in range(len(m)): if type(m[i]) == G1Elem: M.append(m[i]) elif type(m[i]) == bytes: M.append(G.hashG1(m[i])) else: print("Error: type message") return -1 sig = [sk[0][0].int_neg() * M[0], sk[0][1].int_neg() * M[0]] for i in range(1, len(M)): sig[0] = sig[0] + sk[i][0].int_neg() * M[i] sig[1] = sig[1] + sk[i][1].int_neg() * M[i] return sig
def Calc_MSG1(self, x1, b, a1, y, c, t1): n = len(x1) m = len(y) if len(b) != n or len(a1) != m or len(c) != n * m or len(t1) != 1: return 0 B1 = G1Elem.inf(self.G) for i in range(m): B1 += b[i] * x1[i] A1 = G1Elem.inf(self.G) for j in range(n): A1 += y[j] * a1[j] C1 = G1Elem.inf(self.G) for i in range(n): for j in range(m): C1 += (c[i][j] * y[j]) * x1[i] validate = 0 if A1 + B1 + C1 == t1: validate = 1 return A1 + B1 + C1, t1, validate
def verify(self, params, pk, m, sig): """ Verifies a signature on messages m e(z, g_z) e(r, g_r) Pi e(M_i, g_i) == e(g1, g2) """ #print("SPS: Verify") (o, G, g1, g2, e) = params s0, s1 = sig if (s0 == G1Elem.inf(G) and s1 == G1Elem.inf(G)): print("USPS: Verify --- Error: signature null") print("SPS: Verify", 0) return 0 M = [] for i in range(len(m)): if type(m[i]) == G1Elem: M.append(m[i]) elif type(m[i]) == bytes: M.append(G.hashG1(m[i])) else: print("Error: type message") return -1 ctr = 0 for i in range(len(M)): if M[i] == G1Elem.inf(G): ctr += 1 if ctr == len(M): print("USPS: Verify --- Error: message null") print("SPS: Verify", 0) return 0 gz, gr = pk[0], pk[1] pki = pk[2:] res = e(s0, gz) * e(s1, gr) for i in range(len(M)): res = res * e(M[i], pki[i]) return res.eq(GTElem.one(G))
def CheckEqResult(self, eq, T): #print("CheckEqResult") if eq in ["PPE", "PN1", "PC1", "PN2", "PC2"]: if T != GTElem.zero(self.G): return 0 elif eq in ["ME1", "MN1", "MC1", "ML1"]: if T != G1Elem.inf(self.G): return 0 elif eq in ["ME2", "MN2", "MC2", "ML2"]: if T != G2Elem.inf(self.G): return 0 elif eq in ["QE", "QC1", "QC2"]: if T != Bn(0): return 0 return 1
def test_G2_scalar_comm(): GS = GSProof() ck, xk, P = GS.ExtGen() order, G, u1, v1, w1, u2, v2, w2 = ck y = order.random() r = order.random() struct = {} struct = GS.CommitG2Scalar(struct, y, r) assert struct["value"][0] == y * GS.u2[0] + r * GS.v2[0] assert struct["value"][1] == y * GS.u2[1] + r * GS.v2[1] assert struct["committed"][1] == G1Elem.inf(G) assert struct["committed"][2] == G2Elem.inf(G) assert struct["committed"]["Zp"] == y assert struct["committed"]["r"] == r assert struct["committed"]["s"] == Bn(0)
def test_G1_group_comm(): GS = GSProof() ck, xk, P = GS.ExtGen() order, G, u1, v1, w1, u2, v2, w2 = ck x1 = order.random() * G.gen1() r = order.random() s = order.random() struct = {} struct = GS.CommitG1Group(struct, x1, r, s) assert struct["value"][0] == G1Elem.inf(G) + r * GS.v1[0] + s * GS.w1[0] assert struct["value"][1] == x1 + r * GS.v1[1] + s * GS.w1[1] assert struct["committed"][1] == x1 assert struct["committed"][2] == G2Elem.inf(G) assert struct["committed"]["Zp"] == Bn(0) assert struct["committed"]["r"] == r assert struct["committed"]["s"] == s
def test_G2_group_comm(): GS = GSProof() ck, xk, P = GS.ExtGen() order, G, u1, v1, w1, u2, v2, w2 = ck y2 = order.random() * G.gen2() r = order.random() s = order.random() struct = {} struct = GS.CommitG2Group(struct, y2, r, s) assert struct["value"][0] == G2Elem.inf(G) + r * GS.v2[0] + s * GS.w2[0] assert struct["value"][1] == y2 + r * GS.v2[1] + s * GS.w2[1] assert struct["committed"][1] == G1Elem.inf(G) assert struct["committed"][2] == y2 assert struct["committed"]["Zp"] == Bn(0) assert struct["committed"]["r"] == r assert struct["committed"]["s"] == s
def proof_exponent(gsp, pk_i, pk_ui, sku): x = [pk_i, pk_ui] b = [] a = [] y = [sku, gsp.Commit({"group": 2, "type": "unt", "value": 1})] c = [[1, 0], [0, -1]] eq = "MC1" if pk_ui["type"] == "com": eq = "ME1" success, res = gsp.Prove_eq(eq, x, b, a, y, c, G1Elem.inf(gsp.G)) verify = 0 if success: eq_type, X, Y, C, T_eq, pi2_v1, pi2_w1, pi1_v2, pi1_w2 = res verify = gsp.Verify(eq_type, X, Y, C, pi2_v1, pi2_w1, pi1_v2, pi1_w2) if verify: res = [[pi2_v1, pi2_w1, pi1_v2, pi1_w2], [eq_type, X, Y, C, T_eq]] print("Do we successfully create a proof?", success) print("Does the proof successfully verify?", verify) print() return verify, res
def MakeMatrices(self, x, b, a, y, c, t): #print("Make Matrices") X = [] X.extend(x) X.extend(a) Y = [] Y.extend(y) Y.extend(b) C = [] for i in range(len(x) + len(a)): row = [] for j in range(len(y) + len(b)): if i < len(x): if j < len(y): temp = c[i][j] if type(temp) != Bn: temp = Bn(temp) row.append(c[i][j]) elif j == len(y) + i: temp = Bn(1) if b[j - len(y)]["committed"][2] == G2Elem.inf( self.G) and b[j - len(y)]["type"] == "pub": temp = Bn(0) row.append(temp) else: row.append(Bn(0)) else: if i == len(x) + j: temp = Bn(1) if a[i - len(x)]["committed"][1] == G1Elem.inf( self.G) and a[i - len(x)]["type"] == "pub": temp = Bn(0) row.append(temp) else: row.append(Bn(0)) C.append(row) return X, Y, C, t
return b64encode(x.export()) params = setup() # ask_p = b64decode(str(raw_input("P0"))) p0 = G2Elem.from_bytes(p0, params[0]) # ask_p = b64decode(str(raw_input("P1"))) p1 = G2Elem.from_bytes(p1, params[0]) # ask_p = b64decode(str(raw_input("P2"))) p2 = G2Elem.from_bytes(p2, params[0]) # ask_s = b64decode(str(raw_input("S0"))) s0 = G1Elem.from_bytes(s0, params[0]) # ask_s = b64decode(str(raw_input("S2"))) s2 = G1Elem.from_bytes(s2, params[0]) (G, o, g1, g2, e) = params t = 3 l = [lagrange_basis(t, o, i, 0) for i in range(1, t + 1)] t = 2 l2 = [lagrange_basis(t, o, i, 0) for i in range(1, t + 1)] deetv = [p0, p1, p2 * l2[0] + (p0 * l[0]).neg() + (p1 * l[1]).neg()] deets = [s0 * l2[1] + s2, (s0 * l2[0]).neg()] verif = aggregate_vk(params, deetv, threshold=True) for i in deets:
params = setup() publics = [] r.recvlines(3) publics.append(G2Elem.from_bytes(b64decode(r.recvline()), params[0])) r.recvline() publics.append(G2Elem.from_bytes(b64decode(r.recvline()), params[0])) r.recvline() publics.append(G2Elem.from_bytes(b64decode(r.recvline()), params[0])) r.recvline() r.sendline('3') r.recvline() r.sendline('this stuff') r.recvline() s = G1Elem.from_bytes(b64decode(r.recvline()), params[0]) r.recvline() r.sendline('4') r.recvline() r.recvline() r.sendline(b64encode(s.export())) r.recvline() r.sendline(b64encode(publics[2].export())) r.recvline() r.sendline(b64encode((2 * s).export())) r.recvline() r.sendline(b64encode(publics[1].export()))
# signature of p3 for message "this stuff" s3 = io.recvline() io.recv() io.sendline("4") io.recvline() io.recvline() # generating a new public key b = 3 pk = b * g2 m = "this stuff" # signature of my key for message "this stuff" sm = sign(params, b, m) p3_point = G2Elem.from_bytes(b64decode(p3), G) s3_point = G1Elem.from_bytes(b64decode(s3), G) io.sendline(b64encode(sm.export())) io.recv() io.sendline(b64encode(p3_point.export())) io.recv() io.sendline(b64encode(s3_point.export())) io.recv() io.sendline(b64encode(p3_point.export())) io.recv() io.sendline(b64encode((pk + pk - p3_point).export())) print(io.recv()) io.close()
def prepare_proofs(auth, vkI, pki, pkv, m, sig_t, t, pk_ui, pk_uv, sku, cipher, ek, r): print("Prepare proof") print("Prepare proof: Commit") import time tc = time.time() U, W, V, Z = vkI cm_U = [] for i in range(len(U)): cm_U.append(auth.GS.Commit({"group": 1, "type": "pub", "value": U[i]})) cm_W = [] for i in range(len(W)): cm_W.append(auth.GS.Commit({"group": 2, "type": "pub", "value": W[i]})) cm_V = auth.GS.Commit({"group": 2, "type": "pub", "value": V}) cm_Z = auth.GS.Commit({"group": 2, "type": "pub", "value": Z}) cm_vkI = [cm_U, cm_W, cm_V, cm_Z] h_i, vk_i, sig0_i = pki cm_h_i = auth.GS.Commit({"group": 1, "type": "com", "value": h_i}) cm_vk_i = [] for i in range(len(vk_i)): cm_vk_i.append( auth.GS.Commit({ "group": 2, "type": "com", "value": vk_i[i] })) cm_sig0_i = [] for i in range(len(sig0_i)): cm_sig0_i.append( auth.GS.Commit({ "group": max(i, 1), "type": "com", "value": sig0_i[i] })) h_v, vk_v, sig0_v = pkv cm_h_v = auth.GS.Commit({"group": 1, "type": "pub", "value": h_v}) cm_m = [] for i in range(len(m)): cm_m.append(auth.GS.Commit({"group": 1, "type": "pub", "value": m[i]})) sig_i, c_it = sig_t cm_sig_i = [] for i in range(len(sig_i)): cm_sig_i.append( auth.GS.Commit({ "group": 1, "type": "com", "value": sig_i[i] })) _, sigt_i = c_it cm_sigt_i = [] for i in range(len(sigt_i)): cm_sigt_i.append( auth.GS.Commit({ "group": max(i, 1), "type": "com", "value": sigt_i[i] })) #t: used as public scalar constraint (gamma_ij) cm_pk_ui = auth.GS.Commit({"group": 1, "type": "com", "value": pk_ui}) cm_pk_uv = auth.GS.Commit({"group": 1, "type": "pub", "value": pk_uv}) cm_sku = auth.GS.Commit({"group": 2, "type": "sca", "value": sku}) cm_cipher = [] for i in range(len(cipher)): cm_cipher.append( auth.GS.Commit({ "group": 1, "type": "pub", "value": cipher[i] })) cm_r = r cm_r[0] = auth.GS.Commit({"group": 2, "type": "sca", "value": r[0]}) cm_ek = [] for i in range(len(ek)): cm_ek.append( auth.GS.Commit({ "group": 1, "type": "pub", "value": ek[i] })) cm_da = auth.GS.Commit({ "group": 1, "type": "pub", "value": auth.ek[1] * r[1] }) cm_params_enc = [] cm_params_enc.append( auth.GS.Commit({ "group": 1, "type": "pub", "value": auth.GS.v1[0] })) cm_params_enc.append( auth.GS.Commit({ "group": 1, "type": "pub", "value": auth.GS.v1[1] })) cm_g1 = auth.GS.Commit({"group": 1, "type": "bas", "value": auth.GS.g1}) cm_g2 = auth.GS.Commit({"group": 2, "type": "bas", "value": auth.GS.g2}) cm_1 = auth.GS.Commit({"group": 2, "type": "unt", "value": 1}) tcnd = time.time() print("--- Commitment time:", tcnd - tc) print("Prepare proof: Prove") tp = time.time() print("--- enc proof") verify_enc, res_enc = enc_proof(auth.GS, cm_params_enc, cm_ek, cm_da, cm_h_i, cm_cipher, cm_r) print("--- sigi proof") cm_msg = [cm_pk_ui] cm_msg.extend(cm_m) for i in range(len(cm_vk_i) - 2 - len(cm_msg)): cm_msg.append( auth.GS.Commit({ "group": 1, "type": "pub", "value": G1Elem.inf(auth.GS.G) })) verify_sigi, res_sigi = proof_usps_hidesigandsigner( auth.GS, cm_vk_i, cm_msg, cm_sig_i) print("--- sigi0 proof") cm_msg1 = [cm_g1, cm_h_i] cm_msg2 = cm_vk_i verify_sigi0, res_sigi0 = proof_bsps_hidemandsig(auth.GS, cm_vkI, cm_msg1, cm_msg2, Bn(0), cm_sig0_i) print("--- sigit proof") verify_sigit, res_sigit = proof_bsps_hidemandsig(auth.GS, cm_vkI, cm_msg1, cm_msg2, t, cm_sigt_i) print("--- exponent proofs") verify_pkui, res_pkui = proof_exponent(auth.GS, cm_h_i, cm_pk_ui, cm_sku) verify_pkuv, res_pkuv = proof_exponent(auth.GS, cm_h_v, cm_pk_uv, cm_sku) tpend = time.time() print("--- Proving time:", tp - tpend) verify = verify_enc * verify_sigi * verify_sigi0 * verify_sigit * verify_pkui * verify_pkuv res = [] res.extend(res_enc) res.append(res_pkui) res.append(res_pkuv) res.append(res_sigi) res.extend(res_sigi0) res.extend(res_sigit) print( "Do all the proofs verify?", verify_enc * verify_sigi * verify_sigi0 * verify_sigit * verify_pkui * verify_pkuv) return verify, res
def enc_proof(gsp, params, pub, da, m, cipher, rand): g1enc, g2enc = params c, d, h = pub u1, u2, e, v = cipher r, a = rand res = [] #print("--- first equation") x1 = [e, m, h] a1 = [] y1 = [gsp.Commit({"group": 2, "type": "unt", "value": 1}), r] b1 = [] c1 = [[-1, 0], [1, 0], [0, 1]] success1, res1 = gsp.Prove_eq("ME1", x1, b1, a1, y1, c1, G1Elem.inf(gsp.G)) verify1 = 0 if success1: eq_type, X1, Y1, C1, T_eq, pi2_v1, pi2_w1, pi1_v2, pi1_w2 = res1 verify1 = gsp.Verify(eq_type, X1, Y1, C1, pi2_v1, pi2_w1, pi1_v2, pi1_w2) if verify1: res1 = [[pi2_v1, pi2_w1, pi1_v2, pi1_w2], [eq_type, X1, Y1, C1, T_eq]] res.append(res1) #print("Do we successfully create a first proof?", success1) #print("Does the first proof successfully verify?", verify1) #print("--- second equation") x2 = [g1enc, u1] b2 = [] a2 = [] y2 = [r, gsp.Commit({"group": 2, "type": "unt", "value": 1})] c2 = [[-1, 0], [0, 1]] success2, res2 = gsp.Prove_eq("MC1", x2, b2, a2, y2, c2, G1Elem.inf(gsp.G)) verify2 = 0 if success2: eq_type, X2, Y2, C2, T_eq, pi2_v1, pi2_w1, pi1_v2, pi1_w2 = res2 verify2 = gsp.Verify(eq_type, X2, Y2, C2, pi2_v1, pi2_w1, pi1_v2, pi1_w2) if verify2: res2 = [[pi2_v1, pi2_w1, pi1_v2, pi1_w2], [eq_type, X2, Y2, C2, T_eq]] res.append(res2) #print("Do we successfully create a second proof?", success2) #print("Does the second proof successfully verify?", verify2) #print("--- third equation") x3 = [g2enc, u2] b3 = [] a3 = [] y3 = [r, gsp.Commit({"group": 2, "type": "unt", "value": 1})] c3 = [[-1, 0], [0, 1]] success3, res3 = gsp.Prove_eq("MC1", x3, b3, a3, y3, c3, G1Elem.inf(gsp.G)) verify3 = 0 if success3: eq_type, X3, Y3, C3, T_eq, pi2_v1, pi2_w1, pi1_v2, pi1_w2 = res3 verify3 = gsp.Verify(eq_type, X3, Y3, C3, pi2_v1, pi2_w1, pi1_v2, pi1_w2) if verify3: res3 = [[pi2_v1, pi2_w1, pi1_v2, pi1_w2], [eq_type, X3, Y3, C3, T_eq]] res.append(res3) #print("Do we successfully create a third proof?", success3) #print("Does the third proof successfully verify?", verify3) #print("--- intermediary equation") x_int = [da, d] b_int = [] a_int = [] y_int = [gsp.Commit({"group": 2, "type": "unt", "value": 1})] c_int = [[-1], [a]] success_int, res_int = gsp.Prove_eq("MC1", x_int, b_int, a_int, y_int, c_int, G1Elem.inf(gsp.G)) verify_int = 0 if success_int: eq_type, X_int, Y_int, C_int, T_eq, pi2_v1, pi2_w1, pi1_v2, pi1_w2 = res_int verify_int = gsp.Verify(eq_type, X_int, Y_int, C_int, pi2_v1, pi2_w1, pi1_v2, pi1_w2) if verify_int: res_int = [[pi2_v1, pi2_w1, pi1_v2, pi1_w2], [eq_type, X_int, Y_int, C_int, T_eq]] res.append(res_int) #print("Do we successfully create an int. proof?", success_int) #print("Does the int. proof successfully verify?", verify_int) #print("--- fourth equation") x4 = [c, da, v] b4 = [] a4 = [] y4 = [r, gsp.Commit({"group": 2, "type": "unt", "value": 1})] c4 = [[1, 0], [1, 0], [0, -1]] success4, res4 = gsp.Prove_eq("MC1", x4, b4, a4, y4, c4, G1Elem.inf(gsp.G)) verify4 = 0 if success4: eq_type, X4, Y4, C4, T_eq, pi2_v1, pi2_w1, pi1_v2, pi1_w2 = res4 verify4 = gsp.Verify(eq_type, X4, Y4, C4, pi2_v1, pi2_w1, pi1_v2, pi1_w2) if verify4: res4 = [[pi2_v1, pi2_w1, pi1_v2, pi1_w2], [eq_type, X4, Y4, C4, T_eq]] res.append(res4) #print("Do we successfully create a fourth proof?", success4) #print("Does the fourth proof successfully verify?", verify4) print("Do we successfully create all the proofs?", success1 * success2 * success3 * success4 * success_int) print("Do all the proofs successfully verify?", verify1 * verify2 * verify3 * verify_int * verify4) return verify1 * verify2 * verify3 * verify_int * verify4, res
def proof_usps_hidesigandsigner(self, M=[ b"Hello World!", b"Hello me!", b"Hello us!" ]): """" creates GS proof that sig verifies with pk, signature and first message secret""" #print("SPS: Prove") self.ExtGen() params = (self.G, self.order, self.g1, self.g2, self.e) sps = USPS() sk, pk = sps.keygen(params) gz, gr, pki = pk m = [] for i in range(len(M)): if type(M[i]) == bytes: m.append(self.G.hashG1(M[i])) elif type(M[i]) == G1Elem: m.append(M[i]) else: return 0, [] if len(m) < sps.n: for i in range(sps.nb_msg - len(m)): m.append(G1Elem.inf(self.G)) elif sps.nb_msg < len(m): return sig = sps.sign(params, sk, m) if sps.verify(params, pk, m, sig) == 0: print("Signature does not verify") return print(len(m)) X = [{ "type": "com", "value": sig[0] }, { "type": "com", "value": sig[1] }] B = [{ "type": "pub", "value": G2Elem.inf(self.G) }, { "type": "pub", "value": G2Elem.inf(self.G) }] A = [{ "type": "pub", "value": G1Elem.inf(self.G) }, { "type": "pub", "value": G1Elem.inf(self.G) }] Y = [{"type": "com", "value": gz}, {"type": "com", "value": gr}] for i in range(len(m)): if i == 0: X.append({"type": "pub", "value": m[i]}) else: X.append({"type": "com", "value": m[i]}) B.append({"type": "pub", "value": G2Elem.inf(self.G)}) for j in range(len(pki)): Y.append({"type": "com", "value": pki[j]}) A.append({"type": "pub", "value": G1Elem.inf(self.G)}) C = [] for i in range(len(X)): row = [] for j in range(len(Y)): var = Bn(0) if i == j: var = Bn(1) row.append(var) C.append(row) print(C) success, res = self.CommitProof_eq("PPE", X, B, A, Y, C, GTElem.zero(self.G)) verify = 0 if success: eq_type, X1, Y1, C1, T_eq, pi2_v1_ap, pi2_w1_ap, pi1_v2_ap, pi1_w2_ap = res pi2_v1, pi2_w1, pi1_v2, pi1_w2 = self.Randomize( eq_type, pi2_v1_ap, pi2_w1_ap, pi1_v2_ap, pi1_w2_ap) verify = self.Verify(eq_type, X1, Y1, C1, pi2_v1, pi2_w1, pi1_v2, pi1_w2) if verify: res = [[pi2_v1, pi2_w1, pi1_v2, pi1_w2], [eq_type, X1, Y1, C1, T_eq]] print(success, verify) print() return verify, res
def sig(x): return G1Elem.from_bytes(b64decode(x), G)
def MakeProof(self, X, Y, C): #print("MakeProof") pi2_v1 = [G2Elem.inf(self.G), G2Elem.inf(self.G)] pi2_w1 = [G2Elem.inf(self.G), G2Elem.inf(self.G)] pi1_v2 = [G1Elem.inf(self.G), G1Elem.inf(self.G)] pi1_w2 = [G1Elem.inf(self.G), G1Elem.inf(self.G)] #count_exp_g1 = 0 #count_add_g1 = -1 #count_exp_g2 = 0 #count_add_g2 = -1 for i in range(len(X)): xi = X[i]["value"] xr = 0 xs = 0 if "committed" in X[i]: xr = X[i]["committed"]["r"] xs = X[i]["committed"]["s"] for j in range(len(Y)): yj = Y[j]["value"] yr = 0 ys = 0 if "committed" in Y[j]: yr = Y[j]["committed"]["r"] ys = Y[j]["committed"]["s"] cij = C[i][j] if cij != 0: for vec in range(2): """ We need to work on the commitment of x|y and not on the value of x|y not to make any assumption on the type of x|y""" if xr != 0: pi2_v1[vec] += (xr * cij) * yj[vec] #count_exp_g1 += 1 #count_add_g1 += 1 if xs != 0: pi2_w1[vec] += (xs * cij) * yj[vec] #count_exp_g1 += 1 #count_add_g1 += 1 if yr != 0: temp = xi[vec] if xr != 0: temp = temp - self.v1[vec] * xr #count_exp_g2 += 1 #count_add_g2 += 1 if xs != 0: temp = temp - self.w1[vec] * xs #count_exp_g2 += 1 #count_add_g2 += 1 pi1_v2[vec] += temp * (cij * yr) #count_exp_g2 += 1 #count_add_g2 += 1 if ys != 0: temp = xi[vec] if xr != 0: temp = temp - self.v1[vec] * xr #count_exp_g2 += 1 #count_add_g2 += 1 if xs != 0: temp = temp - self.w1[vec] * xs #count_exp_g2 += 1 #count_add_g2 += 1 pi1_w2[vec] += temp * (cij * ys) #count_exp_g2 += 1 #count_add_g2 += 1 #print("Exp in G1", count_exp_g1) #print("Exp in G2", count_exp_g2) #print("Add in G1", count_add_g1) #print("Add in G2", count_add_g2) return pi2_v1, pi2_w1, pi1_v2, pi1_w2