def generate_ecdsa_pem(pk):
ecPrivateKey = ECPrivateKey()
ecPrivateKey['version'] = 1
ecPrivateKey['privateKey'] = ints2octs(i2osp(pk, 32))
ecParam = ECParameters().subtype(implicitTag=tag.Tag(
tag.tagClassContext, tag.tagFormatSimple,
0)) # 1.3.132.0.10 ansip256k1(10)
ecParam.setComponentByName("namedCurve", _buildOid(1, 3, 132, 0, 10))
print ecParam.prettyPrint()
ecPrivateKey.setComponentByName('parameters', ecParam)
pub = ecdsa.expand_pub(ecdsa.point_mult(ecdsa.G, pk))
# pb = univ.BitString(long(pub, 16))
ecPrivateKey.setComponentByName('publicKey', long(pub, 16))
print ecPrivateKey.prettyPrint()
res = "-----BEGIN EC PRIVATE KEY-----\n"
b = base64.b64encode(der_encoder(ecPrivateKey))
n = 64
r = [b[i:i + n] for i in range(0, len(b), n)]
for l in r:
res += l + "\n"
res += "-----END EC PRIVATE KEY-----\n"
return res
def pi_verify(pi, c, d, w1, w2, m1, m2, zkp, ka_pub):
ntild, h1, h2 = zkp
z1, z2, y, e, s1, s2, s3, t1, t2, t3, t4 = pi
n, g = ka_pub
n2 = n * n
n3 = pow(ecdsa.n, 3)
if s1 > n3 or t1 > n3:
return False
minuse = (e * -1) % ecdsa.n
u1prim = ecdsa.point_add(ecdsa.point_mult(c, s1),
ecdsa.point_mult(w1, minuse))
u2inv = utils.inverse_mod(m1, n2)
u2prim = (pow(g, s1, n2) * pow(s2, n, n2) * pow(u2inv, e, n2)) % n2
u3inv = utils.inverse_mod(z1, ntild)
u3prim = (pow(h1, s1, ntild) * pow(h2, s3, ntild) *
pow(u3inv, e, ntild)) % ntild
v1prim = ecdsa.point_add(ecdsa.point_mult(d, t1 + t2),
ecdsa.point_mult(y, minuse))
v2prim = ecdsa.point_add(
ecdsa.point_add(ecdsa.point_mult(w2, s1), ecdsa.point_mult(d, t2)),
ecdsa.point_mult(y, minuse))
v3inv = utils.inverse_mod(m2, n2)
v3prim = (pow(g, t1, n2) * pow(t3, n, n2) * pow(v3inv, e, n2)) % n2
v4inv = utils.inverse_mod(z2, ntild)
v4prim = (pow(h1, t1, ntild) * pow(h2, t4, ntild) *
pow(v4inv, e, ntild)) % ntild
h = hashlib.sha256()
h.update(ecdsa.expand_pub(c))
h.update(ecdsa.expand_pub(w1))
h.update(ecdsa.expand_pub(d))
h.update(ecdsa.expand_pub(w2))
h.update(str(m1))
h.update(str(m2))
h.update(str(z1))
h.update(ecdsa.expand_pub(u1prim))
h.update(str(u2prim))
h.update(str(u3prim))
h.update(str(z2))
h.update(ecdsa.expand_pub(y))
h.update(ecdsa.expand_pub(v1prim))
h.update(ecdsa.expand_pub(v2prim))
h.update(str(v3prim))
h.update(str(v4prim))
eprime = long(h.hexdigest(), 16)
print "\n****************************************"
print "Verifying Pi zkp:"
print "e", e
print "e'", eprime
print "****************************************"
return e == eprime
def pub_to_pub(extended_pub, i):
pub, chain = extended_pub
if i >= 0x80000000:
return None, None
else:
# Not hardened
k = "%x" % chain
data = "00%s%08x" % (ecdsa.expand_pub(pub), i)
hmac = hashlib.pbkdf2_hmac('sha512', k, data, 100)
l = binascii.hexlify(hmac)
point = ecdsa.point_mult(ecdsa.G, long(l[:64], 16))
c = long(l[64:], 16)
return ecdsa.point_add(point, pub), c
def gen_pem(name1, name2):
pub1, priv1 = ecdsa.key_gen(ecdsa.G)
pub2, priv2 = ecdsa.key_gen(ecdsa.G)
pub = ecdsa.point_mult(pub1, priv2)
pub = ecdsa.expand_pub(pub)
privEncPub, privEncPriv = paillier.gen_key()
pairedEncPub, pairedEncPriv = paillier.gen_key()
zkp = eczkp.gen_params(1024)
generate_tecdsa_pem(priv1, pub, pub2, privEncPriv, pairedEncPub, zkp)
generate_tecdsa_pem(priv2, pub, pub1, pairedEncPriv, privEncPub, zkp)
def d_pub(self, i):
if i >= pow(2, 31): # Only not hardened
raise Exception("Impossible to hardened")
k = "%x" % self.chain
data = "00%s%08x" % (ecdsa.expand_pub(self.master_pub), i)
hmac = hashlib.pbkdf2_hmac('sha256', k, data, 100)
point = ecdsa.point_mult(self.master_pub,
long(binascii.hexlify(hmac), 16))
data = "%08x" % (i)
hmac = hashlib.pbkdf2_hmac('sha256', k, data, 100)
c = long(binascii.hexlify(hmac), 16)
share = Share(c, self.master, self.secret)
share.set_master_pub(point)
return share
def d_priv(self, i):
k = "%x" % self.chain
data = "%08x" % (i)
hmac = hashlib.pbkdf2_hmac('sha256', k, data, 100)
c = long(binascii.hexlify(hmac), 16)
if i >= pow(2, 31): # Hardened
data = "00%32x%08x" % (self.secret, i)
else: # Not hardened
data = "00%s%08x" % (ecdsa.expand_pub(self.master_pub), i)
hmac = hashlib.pbkdf2_hmac('sha256', k, data, 100)
key = long(binascii.hexlify(hmac), 16) * self.secret
point = ecdsa.point_mult(self.master_pub,
long(binascii.hexlify(hmac), 16))
share = Share(c, self.master, key)
share.set_master_pub(point)
return share
def alice_round_2(alpha, zeta, r2, k1, y1, z1, x1, zkp, ka_pub, rr1, rr2):
Ntild, h1, h2 = zkp
eta1 = z1
eta2 = (x1 * z1) % ecdsa.n
r = ecdsa.point_mult(r2, k1)
c = r # POINT
d = ecdsa.G # POINT
w1 = r2 # POINT
w2 = y1 # POINT
m1 = alpha
m2 = zeta
x1 = eta1
x2 = eta2
r1 = rr1 # RANDOM ALPHA ENC
r2 = rr2 # RANDOM ZETA ENC
pi = eczkp.pi(c, d, w1, w2, m1, m2, r1, r2, x1, x2, zkp, ka_pub)
return r, pi
def pi(c, d, w1, w2, m1, m2, r1, r2, x1, x2, zkp, ka_pub):
Ntild, h1, h2 = zkp
pkn, g = ka_pub
n3 = pow(ecdsa.n, 3)
n3ntild = n3 * Ntild
alpha = utils.randomnumber(n3)
beta = rnd_inv(pkn)
gamma = utils.randomnumber(n3ntild)
p1 = utils.randomnumber(ecdsa.n * Ntild)
delta = utils.randomnumber(n3)
mu = rnd_inv(pkn)
nu = utils.randomnumber(n3ntild)
p2 = utils.randomnumber(ecdsa.n * Ntild)
p3 = utils.randomnumber(ecdsa.n)
epsilon = utils.randomnumber(ecdsa.n)
n2 = pkn * pkn
z1 = (pow(h1, x1, Ntild) * pow(h2, p1, Ntild)) % Ntild
u1 = ecdsa.point_mult(c, alpha) # POINT
u2 = (pow(g, alpha, n2) * pow(beta, pkn, n2)) % n2
u3 = (pow(h1, alpha, Ntild) * pow(h2, gamma, Ntild)) % Ntild
z2 = (pow(h1, x2, Ntild) * pow(h2, p2, Ntild)) % Ntild
y = ecdsa.point_mult(d, x2 + p3) # POINT
v1 = ecdsa.point_mult(d, delta + epsilon) # POINT
v2 = ecdsa.point_add(ecdsa.point_mult(w2, alpha),
ecdsa.point_mult(d, epsilon)) # POINT
v3 = (pow(g, delta, n2) * pow(mu, pkn, n2)) % n2
v4 = (pow(h1, delta, Ntild) * pow(h2, nu, Ntild)) % Ntild
h = hashlib.sha256()
h.update(ecdsa.expand_pub(c))
h.update(ecdsa.expand_pub(w1))
h.update(ecdsa.expand_pub(d))
h.update(ecdsa.expand_pub(w2))
h.update(str(m1))
h.update(str(m2))
h.update(str(z1))
h.update(ecdsa.expand_pub(u1))
h.update(str(u2))
h.update(str(u3))
h.update(str(z2))
h.update(ecdsa.expand_pub(y))
h.update(ecdsa.expand_pub(v1))
h.update(ecdsa.expand_pub(v2))
h.update(str(v3))
h.update(str(v4))
e = long(h.hexdigest(), 16)
s1 = e * x1 + alpha
s2 = (pow(r1, e, pkn) * beta) % pkn
s3 = e * p1 + gamma
t1 = e * x2 + delta
t2 = (e * p3 + epsilon) % ecdsa.n
t3 = (pow(r2, e, n2) * mu) % n2
t4 = e * p2 + nu
return z1, z2, y, e, s1, s2, s3, t1, t2, t3, t4
def pi2_verify(pi2, c, d, w1, w2, m1, m2, m3, m4, zkp, ka_pub, kb_pub):
z1, z2, z3, y, e, s1, s2, s3, s4, t1, t2, t3, t4, t5, t6, t7 = pi2
pkn, g = ka_pub
pkn2 = pkn * pkn
pknprim, gprim = kb_pub
pknprim2 = pknprim * pknprim
ntild, h1, h2 = zkp
minuse = (e * -1) % ecdsa.n
u1prim = ecdsa.point_add(ecdsa.point_mult(c, s1),
ecdsa.point_mult(w1, minuse))
u2inv = utils.inverse_mod(m1, pknprim2)
u2prim = (pow(gprim, s1, pknprim2) * pow(s2, pknprim, pknprim2) *
pow(u2inv, e, pknprim2)) % pknprim2
u3inv = utils.inverse_mod(z1, ntild)
u3prim = (pow(h1, s1, ntild) * pow(h2, s3, ntild) *
pow(u3inv, e, ntild)) % ntild
v1prim = ecdsa.point_add(ecdsa.point_mult(d, t1 + t2),
ecdsa.point_mult(y, minuse))
v2prim = ecdsa.point_add(
ecdsa.point_add(ecdsa.point_mult(w2, s1), ecdsa.point_mult(d, t2)),
ecdsa.point_mult(y, minuse))
v3inv = utils.inverse_mod(m2, pkn2)
v3prim = (pow(m3, s4, pkn2) * pow(m4, t7, pkn2) *
pow(g, ecdsa.n * t5, pkn2) * pow(t3, pkn, pkn2) *
pow(v3inv, e, pkn2)) % pkn2
v4inv = utils.inverse_mod(z2, ntild)
v4prim = (pow(h1, t1, ntild) * pow(h2, t4, ntild) *
pow(v4inv, e, ntild)) % ntild
v5inv = utils.inverse_mod(z3, ntild)
v5prim = (pow(h1, t5, ntild) * pow(h2, t6, ntild) *
pow(v5inv, e, ntild)) % ntild
h = hashlib.sha512()
h.update(ecdsa.expand_pub(c))
h.update(ecdsa.expand_pub(w1))
h.update(ecdsa.expand_pub(d))
h.update(ecdsa.expand_pub(w2))
h.update(str(m1))
h.update(str(m2))
h.update(str(z1))
h.update(ecdsa.expand_pub(u1prim))
h.update(str(u2prim))
h.update(str(u3prim))
h.update(str(z2))
h.update(str(z3))
h.update(ecdsa.expand_pub(y))
h.update(ecdsa.expand_pub(v1prim))
h.update(ecdsa.expand_pub(v2prim))
h.update(str(v3prim))
h.update(str(v4prim))
h.update(str(v5prim))
eprime = long(h.hexdigest(), 16)
print "\n****************************************"
print "Verifying Pi' zkp:"
print "e", e
print "e'", eprime
print "****************************************\n"
return e == eprime
def pi2(c, d, w1, w2, m1, m2, m3, m4, r1, r2, x1, x2, x3, x4, x5, zkp, ka_pub,
kb_pub):
pkn, g = ka_pub
pkn2 = pkn * pkn
pknprim, gprim = kb_pub
pknprim2 = pknprim * pknprim
ntild, h1, h2 = zkp
n3 = pow(ecdsa.n, 3)
n5 = pow(ecdsa.n, 5)
n6 = pow(ecdsa.n, 6)
n7 = pow(ecdsa.n, 7)
n8 = pow(ecdsa.n, 8)
n3ntild = n3 * ntild
nntild = ecdsa.n * ntild
if pkn <= n8:
return False
if pknprim <= n6:
return False
alpha = utils.randomnumber(n3)
beta = rnd_inv(pknprim)
gamma = utils.randomnumber(n3ntild)
p1 = utils.randomnumber(nntild)
delta = utils.randomnumber(n3)
mu = rnd_inv(pkn)
nu = utils.randomnumber(n3ntild)
p2 = utils.randomnumber(nntild)
p3 = utils.randomnumber(ecdsa.n)
p4 = utils.randomnumber(n5 * ntild)
epsilon = utils.randomnumber(ecdsa.n)
sigma = utils.randomnumber(n7)
tau = utils.randomnumber(n7 * ntild)
z1 = (pow(h1, x1, ntild) * pow(h2, p1, ntild)) % ntild
u1 = ecdsa.point_mult(c, alpha)
u2 = (pow(gprim, alpha, pknprim2) *
pow(beta, pknprim, pknprim2)) % pknprim2
u3 = (pow(h1, alpha, ntild) * pow(h2, gamma, ntild)) % ntild
z2 = (pow(h1, x2, ntild) * pow(h2, p2, ntild)) % ntild
y = ecdsa.point_mult(d, x2 + p3)
v1 = ecdsa.point_mult(d, delta + epsilon)
v2 = ecdsa.point_add(ecdsa.point_mult(w2, alpha),
ecdsa.point_mult(d, epsilon))
v3 = (pow(m3, alpha, pkn2) * pow(m4, delta, pkn2) *
pow(g, ecdsa.n * sigma, pkn2) * pow(mu, pkn, pkn2)) % pkn2
v4 = (pow(h1, delta, ntild) * pow(h2, nu, ntild)) % ntild
z3 = (pow(h1, x3, ntild) * pow(h2, p4, ntild)) % ntild
v5 = (pow(h1, sigma, ntild) * pow(h2, tau, ntild)) % ntild
h = hashlib.sha512()
h.update(ecdsa.expand_pub(c))
h.update(ecdsa.expand_pub(w1))
h.update(ecdsa.expand_pub(d))
h.update(ecdsa.expand_pub(w2))
h.update(str(m1))
h.update(str(m2))
h.update(str(z1))
h.update(ecdsa.expand_pub(u1))
h.update(str(u2))
h.update(str(u3))
h.update(str(z2))
h.update(str(z3))
h.update(ecdsa.expand_pub(y))
h.update(ecdsa.expand_pub(v1))
h.update(ecdsa.expand_pub(v2))
h.update(str(v3))
h.update(str(v4))
h.update(str(v5))
e = long(h.hexdigest(), 16)
s1 = e * x1 + alpha
s2 = (pow(r1, e, pknprim) * beta) % pknprim
s3 = e * p1 + gamma
s4 = e * x1 * x4 + alpha
t1 = e * x2 + delta
t2 = (e * p3 + epsilon) % ecdsa.n
t3 = (pow(r2, e, pkn) * mu) % pkn
t4 = e * p2 + nu
t5 = e * x3 + sigma
t6 = e * p4 + tau
t7 = e * x2 * x5 + delta
return z1, z2, z3, y, e, s1, s2, s3, s4, t1, t2, t3, t4, t5, t6, t7
def test():
# p = ecdsa.expand_pub(pub)
# print(p)
# rec_pub = ecdsa.recover_pub(p)
# print(rec_pub == pub)
# print(get(pub))
chain = ecdsa.gen_priv()
# Shares
p1 = ecdsa.gen_priv()
pub1 = ecdsa.get_pub(p1)
p2 = ecdsa.gen_priv()
pub2 = ecdsa.get_pub(p2)
p3 = ecdsa.gen_priv()
pub3 = ecdsa.get_pub(p3)
p4 = ecdsa.gen_priv()
pub4 = ecdsa.get_pub(p4)
skmas = ecdsa.aggregate(p1, p2, p3, p4)
pkmas = ecdsa.get_pub(skmas)
print(get(pkmas))
# Compute master pubkey with shares
pkmas_shares = ecdsa.point_add(
ecdsa.point_add(ecdsa.point_add(pub1, pub2), pub3), pub4)
print(get(pkmas_shares))
i = 1
# Pubkey derivation
# each one knows:
# - chain code
# - master pubkey
# - i
# - own share
sha2 = hashlib.sha256()
m = "%x%s%x" % (chain, ecdsa.expand_pub(pub), i)
sha2.update(m)
T = long(sha2.hexdigest(), 16)
pki = ecdsa.point_mult(pkmas, T)
# print get(pki)
# Privkey derivation
p11 = p1 * T
p21 = p2
p31 = p3
p41 = p4
pkmas1 = ecdsa.get_pub(ecdsa.aggregate(p11, p21, p31, p41))
# print(get(pkmas1))
extended_priv = (skmas, chain)
extended_pub = (pkmas, chain)
ext_priv1h = priv_to_priv(extended_priv, 0x80000000)
ext_priv1 = priv_to_priv(extended_priv, 0x00000001)
ext_pub1 = pub_to_pub(extended_pub, 0x00000001)
ext_priv2 = priv_to_priv(ext_priv1, 0x00000001)
ext_pub2 = pub_to_pub(ext_pub1, 0x00000001)
print(get(ecdsa.get_pub(ext_priv1[0])))
print(get(ext_pub1[0]))
print(get(ecdsa.get_pub(ext_priv2[0])))
print(get(ext_pub2[0]))
print("Multiplicatively")
print(get(ecdsa.get_pub(p1 * p2)))
print(get(ecdsa.point_mult(pub1, p2)))
def bob_round_1(alpha, zeta):
k2 = utils.randomnumber(ecdsa.n-1, inf=1)
r2 = ecdsa.point_mult(ecdsa.G, k2)
return k2, r2