def setup(self):
"""Generates the Bilinear param"""
#print("BSPS: setup")
G = BpGroup()
g1, g2 = G.gen1(), G.gen2()
e, o = G.pair, G.order()
return (o, G, g1, g2, e)
def params_gen(self):
"""Generates the AHEG for an EC group nid"""
print("CCA2EG: Setup")
G = BpGroup()
g1, g2 = G.gen1(), G.gen2()
e, o = G.pair, G.order()
return (G, g1, o)
def ExtGen(self):
#print("GS: Setup Binding")
self.G = BpGroup()
self.e = self.G.pair
self.order = self.G.order()
self.g1, self.g2 = self.G.gen1(), self.G.gen2()
self.gt = self.e(self.g1, self.g2)
self.P = (self.order, self.G, self.g1, self.g2, self.e)
rho = self.order.random()
xsi = self.order.random()
self.v1 = [xsi * self.g1, self.g1]
self.w1 = [rho * xsi * self.g1, rho * self.g1]
self.u1 = [rho * xsi * self.g1, rho * self.g1 + self.g1]
self.Xsi = [xsi.mod_inverse(self.order).int_neg(), 1]
sigma = self.order.random()
psi = self.order.random()
self.v2 = [psi * self.g2, self.g2]
self.w2 = [sigma * xsi * self.g2, sigma * self.g2]
self.u2 = [sigma * xsi * self.g2, sigma * self.g2 + self.g2]
self.Psi = [psi.mod_inverse(self.order).int_neg(), 1]
self.ck = (self.order, self.G, self.u1, self.v1, self.w1, self.u2,
self.v2, self.w2)
self.xk = (self.ck, self.Xsi, self.Psi)
return (self.ck, self.xk, self.P)
def params_gen(self):
"""Generates the AHEG for an EC group nid"""
print("CCA2EG: Setup")
G = BpGroup()
g1 = G.gen1()
o = G.order()
g2 = o.random() * g1
return [o, G, g1, g2]
def setup(): """ Generate the public parameters. Returns: - params: the publc parameters """ G = BpGroup() (g1, g2) = G.gen1(), G.gen2() (e, o) = G.pair, G.order() return (G, o, g1, g2, e)
def setup(q=1):
"""
Generate the public parameters.
Parameters:
- `q` (integer): the maximum number of attributes that can be embbed in the credentials
Returns:
- params: the publc parameters
"""
assert q > 0
G = BpGroup()
(g1, g2) = G.gen1(), G.gen2()
hs = [G.hashG1(("h%s" % i).encode("utf8")) for i in range(q)]
(e, o) = G.pair, G.order()
return (G, o, g1, hs, g2, e)
def setup(q=1):
""" generate all public parameters """
assert q > 0
G = BpGroup()
g1, g2 = G.gen1(), G.gen2()
hs = [G.hashG1(("h%s" % i).encode("utf8")) for i in range(q)]
e, o = G.pair, G.order()
return (G, o, g1, hs, g2, e)
def setup(q=1):
"""
Generate the public parameters.
Parameters:
- `q` (integer): the maximum number of attributes that can be embbed in the credentials
Returns:
- params: the publc parameters
"""
coco_ensure(q > 0, "Number of authorities must be positive.")
G = BpGroup()
(g1, g2) = G.gen1(), G.gen2()
hs = [G.hashG1(("h%s" % i).encode("utf8")) for i in range(q)]
h_blind = G.hashG1(("h_blind").encode("utf8"))
(e, o) = G.pair, G.order()
return (G, o, g1, hs, h_blind, g2, e)
def setup(q=1):
"""
Generate the public parameters.
Parameters:
- `q` (integer): the maximum number of attributes that can be embbed in the credentials
Returns:
- params: the publc parameters
"""
assert q > 0
G = BpGroup()
(g1, g2) = G.gen1(), G.gen2()
hs = [G.hashG1(("h%s" % i).encode("utf8")) for i in range(q)]
(e, o) = G.pair, G.order()
return (G, o, g1, hs, g2, e)
def params():
G = BpGroup()
Zp = G.order()
return (G, Zp)
def setup(): """ generate all public parameters """ G = BpGroup() (g1, g2) = G.gen1(), G.gen2() (e, o) = G.pair, G.order() return (G, o, g1, g2, e)
class GSProof():
cms = ["bas", "pub", "enc", "com", "unt", "sca"]
eqs = {
"PPE": {
1: ["bas", "pub", "enc", "com"],
2: ["bas", "pub", "enc", "com"]
},
"PN1": {
1: ["bas", "pub", "enc"],
2: ["bas", "com"]
},
"PC1": {
1: ["bas", "pub"],
2: ["bas", "com"]
},
"PN2": {
1: ["bas", "com"],
2: ["bas", "pub", "enc"]
},
"PC2": {
1: ["bas", "com"],
2: ["bas", "pub"]
},
"ME1": {
1: ["bas", "pub", "enc", "com"],
2: ["unt", "sca"]
},
"MN1": {
1: ["bas", "pub", "enc"],
2: ["unt", "sca"]
},
"MC1": {
1: ["bas", "pub"],
2: ["unt", "sca"]
},
"ML1": {
1: ["bas", "com"],
2: ["unt"]
},
"ME2": {
1: ["unt", "sca"],
2: ["bas", "pub", "enc", "com"]
},
"MN2": {
1: ["unt", "sca"],
2: ["bas", "pub", "enc"]
},
"MC2": {
1: ["unt", "sca"],
2: ["bas", "pub"]
},
"ML2": {
1: ["unt"],
2: ["bas", "com"]
},
"QE": {
1: ["unt", "sca"],
2: ["unt", "sca"]
},
"QC1": {
1: ["unt"],
2: ["unt", "sca"]
},
"QC2": {
1: ["unt", "sca"],
2: ["unt"]
}
}
def __init__(self):
#print("GS: Init")
return
def ExtGen(self):
#print("GS: Setup Binding")
self.G = BpGroup()
self.e = self.G.pair
self.order = self.G.order()
self.g1, self.g2 = self.G.gen1(), self.G.gen2()
self.gt = self.e(self.g1, self.g2)
self.P = (self.order, self.G, self.g1, self.g2, self.e)
rho = self.order.random()
xsi = self.order.random()
self.v1 = [xsi * self.g1, self.g1]
self.w1 = [rho * xsi * self.g1, rho * self.g1]
self.u1 = [rho * xsi * self.g1, rho * self.g1 + self.g1]
self.Xsi = [xsi.mod_inverse(self.order).int_neg(), 1]
sigma = self.order.random()
psi = self.order.random()
self.v2 = [psi * self.g2, self.g2]
self.w2 = [sigma * xsi * self.g2, sigma * self.g2]
self.u2 = [sigma * xsi * self.g2, sigma * self.g2 + self.g2]
self.Psi = [psi.mod_inverse(self.order).int_neg(), 1]
self.ck = (self.order, self.G, self.u1, self.v1, self.w1, self.u2,
self.v2, self.w2)
self.xk = (self.ck, self.Xsi, self.Psi)
return (self.ck, self.xk, self.P)
def G1pub(self, x1):
val = {}
val["type"] = "pub"
val["group"] = 1
val = self.CommitG1Group(val, x1, 0, 0)
return val
def G1enc(self, x1):
r = self.order.random()
val = {}
val["type"] = "enc"
val["group"] = 1
val = self.CommitG1Group(val, x1, r, 0)
return val
def G1com(self, x1):
r = self.order.random()
s = self.order.random()
val = {}
val["type"] = "com"
val["group"] = 1
val = self.CommitG1Group(val, x1, r, s)
return val
def G1bas(self):
val = {}
val["type"] = "bas"
val["group"] = 1
val = self.CommitG1Group(val, self.g1, 0, 0)
return val
def G1sca(self, x):
r = self.order.random()
val = {}
val["type"] = "sca"
val["group"] = 1
val = self.CommitG1Scalar(val, x, r)
return val
def G1unt(self):
val = {}
val["type"] = "unt"
val["group"] = 1
val = self.CommitG1Scalar(val, 1, 0)
return val
def CommitG1Group(self, val, x1, r, s):
c0 = r * self.v1[0] + s * self.w1[0]
c1 = x1 + r * self.v1[1] + s * self.w1[1]
val["value"] = [c0, c1]
val["committed"] = {
1: x1,
2: G2Elem.inf(self.G),
"Zp": 0,
"r": r,
"s": s
}
return val
def CommitG1Scalar(self, val, x, r):
c0 = x * self.u1[0] + r * self.v1[0]
c1 = x * self.u1[1] + r * self.v1[1]
val["value"] = [c0, c1]
val["committed"] = {
1: G1Elem.inf(self.G),
2: G2Elem.inf(self.G),
"Zp": x,
"r": r,
"s": 0
}
return val
def CommitG1(self, x):
try:
ttype = x["type"]
if ttype == "unt":
return self.G1unt()
elif ttype == "bas":
return self.G1bas()
value = x["value"]
if type(value) == G1Elem:
if ttype == "pub":
return self.G1pub(value)
elif ttype == "enc":
return self.G1enc(value)
elif ttype == "com":
return self.G1com(value)
if type(value) == Bn or type(value) == int:
if type(value) == int:
value = Bn(value)
if ttype == "sca":
return self.G1sca(value)
except Exception as e:
print("Error G1 commit", e)
def G2pub(self, x2):
val = {}
val["type"] = "pub"
val["group"] = 2
val = self.CommitG2Group(val, x2, 0, 0)
return val
def G2enc(self, x2):
r = self.order.random()
val = {}
val["type"] = "enc"
val["group"] = 2
val = self.CommitG2Group(val, x2, r, 0)
return val
def G2com(self, x2):
r = self.order.random()
s = self.order.random()
val = {}
val["type"] = "com"
val["group"] = 2
val = self.CommitG2Group(val, x2, r, s)
return val
def G2bas(self):
val = {}
val["type"] = "bas"
val["group"] = 2
val = self.CommitG2Group(val, self.g2, 0, 0)
return val
def G2sca(self, x):
r = self.order.random()
val = {}
val["type"] = "sca"
val["group"] = 2
val = self.CommitG2Scalar(val, x, r)
return val
def G2unt(self):
val = {}
val["type"] = "unt"
val["group"] = 2
val = self.CommitG2Scalar(val, 1, 0)
return val
def CommitG2Group(self, val, x2, r, s):
c0 = r * self.v2[0] + s * self.w2[0]
c1 = x2 + r * self.v2[1] + s * self.w2[1]
val["value"] = [c0, c1]
val["committed"] = {
1: G1Elem.inf(self.G),
2: x2,
"Zp": 0,
"r": r,
"s": s
}
return val
def CommitG2Scalar(self, val, x, r):
c0 = x * self.u2[0] + r * self.v2[0]
c1 = x * self.u2[1] + r * self.v2[1]
val["value"] = [c0, c1]
val["committed"] = {
1: G1Elem.inf(self.G),
2: G2Elem.inf(self.G),
"Zp": x,
"r": r,
"s": 0
}
return val
def CommitG2(self, y):
try:
ttype = y["type"]
if ttype == "bas":
return self.G2bas()
elif ttype == "unt":
return self.G2unt()
value = y["value"]
if type(value) == G2Elem:
if ttype == "pub":
return self.G2pub(value)
elif ttype == "enc":
return self.G2enc(value)
elif ttype == "com":
return self.G2com(value)
if type(value) == Bn or type(value) == int:
if type(value) == int:
value = Bn(value)
if ttype == "sca":
return self.G2sca(value)
except Exception as e:
print("Error G2 commit", e)
def Commit(self, to_commit):
try:
group = to_commit["group"]
if group == 1:
return self.CommitG1(to_commit)
elif group == 2:
return self.CommitG2(to_commit)
else:
print("Commit error: group to commit with unknown")
except Exception as e:
print("Error commit:", e)
def CheckEqFormat(self, eq, X, Y, C):
#print("CheckEqFormat")
m = len(X)
n = len(Y)
if len(C) != m:
print("Wrong size (#rows)")
return 0
for i in range(m):
if len(C[i]) != n:
print("Wrong size (#cols)")
return 0
potential_x_format_error = 0
if m != 0:
one = list(set(x["type"] for x in X))
for tone in one:
if tone not in self.eqs[eq][1]:
potential_x_format_error = 1
if potential_x_format_error != 0:
for i in range(m):
if X[i]["type"] not in self.eqs[eq][1]:
for j in range(n):
if C[i][j] != 0:
print("X wrong format:", tone, "not in",
self.eqs[eq][1])
return 0
potential_y_format_error = 0
if n != 0:
two = list(set(y["type"] for y in Y))
for ttwo in two:
if ttwo not in self.eqs[eq][2]:
potential_y_format_error = 1
if potential_y_format_error != 0:
for j in range(n):
if Y[j]["type"] not in self.eqs[eq][2]:
for i in range(m):
if C[i][j] != 0:
print("Y wrong format:", ttwo, "not in",
self.eqs[eq][2])
return 0
if eq == "PPE":
for i in range(m):
x = X[i]
if x["type"] == "pub" or x["type"] == "enc":
for j in range(n):
y = Y[j]
if y["type"] == "pub" or y["type"] == "enc":
if C[i][j] != 0:
print("cij = 0 for pub/enc vars", i, j)
return 0
return 1
def CheckEqType(self, eq, X, Y, C):
#print("CheckEqType")
if eq in ["PPE", "PN1", "PC1", "PN2", "PC2"]:
for x in X:
if type(x["value"][0]) != G1Elem:
print("element in C not from G1", x)
return 0
if "committed" in x:
if x["committed"][2] != G2Elem.inf(
self.G) or x["committed"]["Zp"] != 0:
print("not a commitment of G1")
return 0
for y in Y:
if type(y["value"][0]) != G2Elem:
print("element in D not from G2")
return 0
if "committed" in y:
if y["committed"][1] != G1Elem.inf(
self.G) or y["committed"]["Zp"] != 0:
print("not a commitment of G2")
return 0
elif eq in ["ME1", "MN1", "MC1", "ML1"]:
for x in X:
if type(x["value"][0]) != G1Elem:
print("element in C not from G1", type(x["value"][0]))
return 0
if "committed" in x:
if x["committed"][2] != G2Elem.inf(
self.G) or x["committed"]["Zp"] != 0:
print("not a commitment of G1")
return 0
for y in Y:
if type(y["value"][0]) != G2Elem:
print("element in D not from Zp", type(y["value"][0]))
return 0
if "committed" in y:
if y["committed"][1] != G1Elem.inf(
self.G) or y["committed"][2] != G2Elem.inf(self.G):
print("not a commitment of Zp")
return 0
elif eq in ["ME2", "MN2", "MC2", "ML2"]:
for x in X:
if type(x["value"][0]) != G1Elem:
print("element in C not from G1", type(x["value"][0]))
return 0
if "committed" in x:
if x["committed"][1] != G1Elem.inf(
self.G) or x["committed"][2] != G2Elem.inf(self.G):
print("not a commitment of Zp")
return 0
for y in Y:
if type(y["value"][0]) != G2Elem:
print("element in D not from G2", type(y["value"][0]))
return 0
if "committed" in y:
if y["committed"][1] != G1Elem.inf(
self.G) or y["committed"]["Zp"] != 0:
print("not a commitment of G2")
return 0
elif eq in ["QE", "QC1", "QC2"]:
for x in X:
if type(x["value"][0]) != G1Elem:
print("element in C not from Zp", type(x["value"][0]))
return 0
if "committed" in x:
if x["committed"][1] != G1Elem.inf(
self.G) or x["committed"][2] != G2Elem.inf(self.G):
print("not a commitment of Zp")
return 0
for y in Y:
if type(y["value"][0]) != G2Elem:
print("element in D not from Zp", type(y["value"][0]))
return 0
if "committed" in y:
if y["committed"][1] != G1Elem.inf(
self.G) or y["committed"][2] != G2Elem.inf(self.G):
print("not a commitment of Zp")
return 0
else:
print("ERROR: unknown eq", eq)
return 0
for i in range(len(X)):
for j in range(len(Y)):
if type(C[i][j]) != Bn and type(C[i][j]) != int:
print("element in Gamma not from Zp", i, j, C[i][j],
type(C[i][j]))
return 0
return 1
def CheckEqResult(self, eq, T):
#print("CheckEqResult")
if eq in ["PPE", "PN1", "PC1", "PN2", "PC2"]:
if T != GTElem.zero(self.G):
return 0
elif eq in ["ME1", "MN1", "MC1", "ML1"]:
if T != G1Elem.inf(self.G):
return 0
elif eq in ["ME2", "MN2", "MC2", "ML2"]:
if T != G2Elem.inf(self.G):
return 0
elif eq in ["QE", "QC1", "QC2"]:
if T != Bn(0):
return 0
return 1
def CheckEqRelation(self, eq, X, Y, C, T):
#print("CheckEqRelation")
if self.CheckEqType(eq, X, Y, C) == 0:
return 0
if self.CheckEqResult(eq, T) == 0:
return 0
return 1
def MakeProof(self, X, Y, C):
#print("MakeProof")
pi2_v1 = [G2Elem.inf(self.G), G2Elem.inf(self.G)]
pi2_w1 = [G2Elem.inf(self.G), G2Elem.inf(self.G)]
pi1_v2 = [G1Elem.inf(self.G), G1Elem.inf(self.G)]
pi1_w2 = [G1Elem.inf(self.G), G1Elem.inf(self.G)]
#count_exp_g1 = 0
#count_add_g1 = -1
#count_exp_g2 = 0
#count_add_g2 = -1
for i in range(len(X)):
xi = X[i]["value"]
xr = 0
xs = 0
if "committed" in X[i]:
xr = X[i]["committed"]["r"]
xs = X[i]["committed"]["s"]
for j in range(len(Y)):
yj = Y[j]["value"]
yr = 0
ys = 0
if "committed" in Y[j]:
yr = Y[j]["committed"]["r"]
ys = Y[j]["committed"]["s"]
cij = C[i][j]
if cij != 0:
for vec in range(2):
""" We need to work on the commitment of x|y and not on the value of x|y not to make any assumption on the type of x|y"""
if xr != 0:
pi2_v1[vec] += (xr * cij) * yj[vec]
#count_exp_g1 += 1
#count_add_g1 += 1
if xs != 0:
pi2_w1[vec] += (xs * cij) * yj[vec]
#count_exp_g1 += 1
#count_add_g1 += 1
if yr != 0:
temp = xi[vec]
if xr != 0:
temp = temp - self.v1[vec] * xr
#count_exp_g2 += 1
#count_add_g2 += 1
if xs != 0:
temp = temp - self.w1[vec] * xs
#count_exp_g2 += 1
#count_add_g2 += 1
pi1_v2[vec] += temp * (cij * yr)
#count_exp_g2 += 1
#count_add_g2 += 1
if ys != 0:
temp = xi[vec]
if xr != 0:
temp = temp - self.v1[vec] * xr
#count_exp_g2 += 1
#count_add_g2 += 1
if xs != 0:
temp = temp - self.w1[vec] * xs
#count_exp_g2 += 1
#count_add_g2 += 1
pi1_w2[vec] += temp * (cij * ys)
#count_exp_g2 += 1
#count_add_g2 += 1
#print("Exp in G1", count_exp_g1)
#print("Exp in G2", count_exp_g2)
#print("Add in G1", count_add_g1)
#print("Add in G2", count_add_g2)
return pi2_v1, pi2_w1, pi1_v2, pi1_w2
def Randomize(self, eq, pi2_v1, pi2_w1, pi1_v2, pi1_w2):
#print("Randomize")
a = Bn(0)
b = Bn(0)
c = Bn(0)
d = Bn(0)
#count_exp_g1 = 0
#count_add_g1 = -1
#count_exp_g2 = 0
#count_add_g2 = -1
if eq == "PPE":
a = self.order.random()
b = self.order.random()
c = self.order.random()
d = self.order.random()
elif eq in ["PN1", "ME2"]:
a = self.order.random()
b = self.order.random()
elif eq in ["PN2", "ME1"]:
a = self.order.random()
c = self.order.random()
elif eq in ["MN1", "MN2", "QE"]:
a = self.order.random()
for i in range(2):
if a != 0:
pi2_v1[i] += a * self.v2[i]
pi1_v2[i] += -a * self.v1[i]
#count_exp_g1 += 1
#count_exp_g2 += 1
#count_add_g1 += 1
#count_add_g2 += 1
if b != 0:
pi2_v1[i] += b * self.w2[i]
pi1_w2[i] += -b * self.v1[i]
#count_exp_g1 += 1
#count_exp_g2 += 1
#count_add_g1 += 1
#count_add_g2 += 1
if c != 0:
pi2_w1[i] += c * self.v2[i]
pi1_v2[i] += -c * self.w1[i]
#count_exp_g1 += 1
#count_exp_g2 += 1
#count_add_g1 += 1
#count_add_g2 += 1
if d != 0:
pi2_w1[i] += d * self.w2[i]
pi1_w2[i] += -d * self.w1[i]
#count_exp_g1 += 1
#count_exp_g2 += 1
#count_add_g1 += 1
#count_add_g2 += 1
#pi2_v1[i] += a*self.v2[i] + b*self.w2[i]
#pi2_w1[i] += c*self.v2[i] + d*self.w2[i]
#pi1_v2[i] += -a*self.v1[i] - c*self.w1[i]
#pi1_w2[i] += -b*self.v1[i] - d*self.w1[i]
#print("Exp in G1", count_exp_g1)
#print("Exp in G2", count_exp_g2)
#print("Add in G1", count_add_g1)
#print("Add in G2", count_add_g2)
return pi2_v1, pi2_w1, pi1_v2, pi1_w2
def MakeMatrices(self, x, b, a, y, c, t):
#print("Make Matrices")
X = []
X.extend(x)
X.extend(a)
Y = []
Y.extend(y)
Y.extend(b)
C = []
for i in range(len(x) + len(a)):
row = []
for j in range(len(y) + len(b)):
if i < len(x):
if j < len(y):
temp = c[i][j]
if type(temp) != Bn:
temp = Bn(temp)
row.append(c[i][j])
elif j == len(y) + i:
temp = Bn(1)
if b[j - len(y)]["committed"][2] == G2Elem.inf(
self.G) and b[j - len(y)]["type"] == "pub":
temp = Bn(0)
row.append(temp)
else:
row.append(Bn(0))
else:
if i == len(x) + j:
temp = Bn(1)
if a[i - len(x)]["committed"][1] == G1Elem.inf(
self.G) and a[i - len(x)]["type"] == "pub":
temp = Bn(0)
row.append(temp)
else:
row.append(Bn(0))
C.append(row)
return X, Y, C, t
def Prove_eq(self, eq, x, b, a, y, c, t):
#print("Prove_eq")
X, Y, C, T = self.MakeMatrices(x, b, a, y, c, t)
return self.Prove(eq, X, Y, C, T)
def Prove(self, eq, X, Y, C, T):
#print("Prove", eq, len(X), len(Y), len(C))
if self.CheckEqFormat(eq, X, Y, C) == 0:
print("Proof Error: check Format")
return 0, []
if self.CheckEqRelation(eq, X, Y, C, T) == 0:
print("Proof Error: check Relation")
return 0, []
pi2_v1_ap, pi2_w1_ap, pi1_v2_ap, pi1_w2_ap = self.MakeProof(X, Y, C)
pi2_v1, pi2_w1, pi1_v2, pi1_w2 = self.Randomize(
eq, pi2_v1_ap, pi2_w1_ap, pi1_v2_ap, pi1_w2_ap)
X, Y = self.CleanMatrices(X, Y)
return 1, [eq, X, Y, C, T, pi2_v1, pi2_w1, pi1_v2, pi1_w2]
def Prove_aggreg(self, eq, x, b, a, y, c, t):
#print("Prove", eq, len(X), len(Y), len(C))
X, Y, C, T = self.MakeMatrices(x, b, a, y, c, t)
if self.CheckEqFormat(eq, X, Y, C) == 0:
print("Proof Error: check Format")
return 0, []
if self.CheckEqRelation(eq, X, Y, C, T) == 0:
print("Proof Error: check Relation")
return 0, []
pi2_v1, pi2_w1, pi1_v2, pi1_w2 = self.MakeProof(X, Y, C)
X, Y = self.CleanMatrices(X, Y)
return 1, [eq, X, Y, C, T, pi2_v1, pi2_w1, pi1_v2, pi1_w2]
def CleanMatrices(self, X, Y):
for i in range(len(X)):
x = {"type": X[i]["type"], "value": X[i]["value"]}
X[i] = x
for j in range(len(Y)):
y = {"type": Y[j]["type"], "value": Y[j]["value"]}
Y[j] = y
return X, Y
def CommitProof_eq(self, eq, x, b, a, y, c, t):
#print("CommitProof_eq")
if not self.verifyEq(eq, x, b, a, y, c, t):
print("uncommitted eq does not verify")
return 0, []
try:
for i in range(len(x)):
x[i] = self.CommitG1(x[i])
for i in range(len(a)):
a[i] = self.CommitG1(a[i])
for j in range(len(y)):
y[j] = self.CommitG2(y[j])
for j in range(len(b)):
b[j] = self.CommitG2(b[j])
return self.Prove_eq(eq, x, b, a, y, c, t)
except Exception as e:
print("Error:", e)
def verifyEq(self, eq, x, b, a, y, c, t):
#print("verifyEq")
if eq in ["PPE", "PN1", "PC1", "PN2", "PC2"]:
#print("eq in [\"PPE\", \"PN1\", \"PC1\", \"PN2\", \"PC2\"]")
T = GTElem.zero(self.G)
for i in range(min(len(x), len(b))):
T = T * self.e(x[i]["value"], b[i]["value"])
for j in range(min(len(a), len(y))):
T = T * self.e(a[j]["value"], y[j]["value"])
for i in range(len(c)):
for j in range(len(c[i])):
T = T * self.e(c[i][j] * x[i]["value"], y[j]["value"])
return T.eq(t)
else:
#print("eq NOT in [\"PPE\", \"PN1\", \"PC1\", \"PN2\", \"PC2\"]")
T = Bn(0)
if eq in ["ME1", "MN1", "MC1", "ML1"]:
T = G1Elem.inf(self.G)
elif eq in ["ME2", "MN2", "MC2", "ML2"]:
T = G2Elem.inf(self.G)
elif eq not in ["QE", "QC1", "QC2"]:
print("eq error", eq)
return 0
for i in range(min(len(x), len(b))):
T += x[i]["value"] * b[i]["value"]
for j in range(min(len(a), len(y))):
T += a[j]["value"] * y[j]["value"]
for i in range(len(c)):
for j in range(len(c[i])):
if c[i][j] != 0:
T += c[i][j] * x[i]["value"] * y[j]["value"]
return T.eq(t)
def CommitProof(self, eq, X, Y, C, T):
#print("CommitProof")
try:
for i in range(len(X)):
X[i] = self.CommitG1(X[i])
for j in range(len(Y)):
Y[j] = self.CommitG2(Y[j])
return self.Prove(eq, X, Y, C, T)
except Exception as e:
print("Error:", e)
def Verify(self, eq, X, Y, C, pi2_v1, pi2_w1, pi1_v2, pi1_w2):
#print("Verify")
if self.CheckEqFormat(eq, X, Y, C) == 0:
print("Verify: Error - eqformat")
return 0
for i in range(2):
if type(pi2_v1[i]) != G2Elem:
print("Verify: Error - pi2v1 type")
return 0
if type(pi2_w1[i]) != G2Elem:
print("Verify: Error - pi2w1 type")
return 0
if type(pi1_v2[i]) != G1Elem:
print("Verify: Error - pi1v2 type")
return 0
if type(pi1_w2[i]) != G1Elem:
print("Verify: Error - pi1w2 type")
return 0
res_eq = [GTElem.one(self.G), GTElem.one(self.G)]
#count_exp_g1 = 0
#pairing = -1
#count_add_gt = -1
for i in range(len(X)):
for j in range(len(Y)):
cij = C[i][j]
xi = X[i]["value"]
yj = Y[j]["value"]
if cij != 0:
for vec in range(2):
res_eq[vec] = res_eq[vec] * self.e(
cij * xi[vec], yj[vec])
#count_exp_g1 += 1
#count_add_gt += 1
#pairing += 1
res_proof = [GTElem.one(self.G), GTElem.one(self.G)]
for vec in range(2):
res_proof[vec] = res_proof[vec] * self.e(self.v1[vec], pi2_v1[vec])
res_proof[vec] = res_proof[vec] * self.e(self.w1[vec], pi2_w1[vec])
res_proof[vec] = res_proof[vec] * self.e(pi1_v2[vec], self.v2[vec])
res_proof[vec] = res_proof[vec] * self.e(pi1_w2[vec], self.w2[vec])
#count_add_gt += 4
#pairing += 4
#print("Exp G1", count_exp_g1)
#print("Add GT", count_add_gt)
#print("Pairing", pairing)
res = 1
for vec in range(2):
if res_eq[vec] != res_proof[vec]:
print("Verify: Equation", vec, "does not verify")
res = 0
return res
def Calc_PPE(self, x1, b2, a1, y2, c, t):
n = len(x1)
m = len(y2)
if len(b2) != n or len(a1) != m or len(c) != n * m or len(t) != 1:
return 0
Bt = GTElem.one(self.G)
for i in range(m):
Bt = Bt * self.e(x1[i], b2[i])
At = GTElem.one(self.G)
for j in range(n):
At = At * self.e(a1[j], y2[j])
Ct = GTElem.one(self.G)
for i in range(n):
for j in range(m):
Ct = Ct * self.e(c[i][j] * x1[i], y2[j])
validate = 0
if At * Bt * Ct == t:
validate = 1
return At * Bt * Ct, t, validate
def Calc_MSG1(self, x1, b, a1, y, c, t1):
n = len(x1)
m = len(y)
if len(b) != n or len(a1) != m or len(c) != n * m or len(t1) != 1:
return 0
B1 = G1Elem.inf(self.G)
for i in range(m):
B1 += b[i] * x1[i]
A1 = G1Elem.inf(self.G)
for j in range(n):
A1 += y[j] * a1[j]
C1 = G1Elem.inf(self.G)
for i in range(n):
for j in range(m):
C1 += (c[i][j] * y[j]) * x1[i]
validate = 0
if A1 + B1 + C1 == t1:
validate = 1
return A1 + B1 + C1, t1, validate
def Calc_MSG2(self, x, b2, a, y2, c, t2):
n = len(x)
m = len(y2)
if len(b2) != n or len(a) != m or len(c) != n * m or len(t2) != 1:
return 0
B2 = G2Elem.one(self.G)
for i in range(m):
B2 += x[i] * b2[i]
A2 = G2Elem.one(self.G)
for j in range(n):
A += a[j] * y2[j]
C2 = G2Elem.one(self.G)
for i in range(n):
for j in range(m):
C2 += (c[i][j] * x[j]) * y2[i]
validate = 0
if A2 + B2 + C2 == t2:
z = 1
return A2 + B2 + C2, t2, validate
def Calc_QUAD(self, x, b, a, y, c, t):
n = len(x)
m = len(y)
if len(b) != n or len(a) != m or len(c) != n * m or len(t) != 1:
return 0
B = Bn(0)
for i in range(m):
B += x[i] * b[i]
A = Bn(0)
for j in range(n):
A += a[j] * y[j]
C = Bn(0)
for i in range(n):
for j in range(m):
C += (c[i][j] * x[j]) * y[i]
validate = 0
if A + B + C == t:
validate = 1
return A + B + C, t, validate
def proof_usps_hidesigandsigner(self,
M=[
b"Hello World!", b"Hello me!",
b"Hello us!"
]):
"""" creates GS proof that sig verifies with pk, signature and first message secret"""
#print("SPS: Prove")
self.ExtGen()
params = (self.G, self.order, self.g1, self.g2, self.e)
sps = USPS()
sk, pk = sps.keygen(params)
gz, gr, pki = pk
m = []
for i in range(len(M)):
if type(M[i]) == bytes:
m.append(self.G.hashG1(M[i]))
elif type(M[i]) == G1Elem:
m.append(M[i])
else:
return 0, []
if len(m) < sps.n:
for i in range(sps.nb_msg - len(m)):
m.append(G1Elem.inf(self.G))
elif sps.nb_msg < len(m):
return
sig = sps.sign(params, sk, m)
if sps.verify(params, pk, m, sig) == 0:
print("Signature does not verify")
return
print(len(m))
X = [{
"type": "com",
"value": sig[0]
}, {
"type": "com",
"value": sig[1]
}]
B = [{
"type": "pub",
"value": G2Elem.inf(self.G)
}, {
"type": "pub",
"value": G2Elem.inf(self.G)
}]
A = [{
"type": "pub",
"value": G1Elem.inf(self.G)
}, {
"type": "pub",
"value": G1Elem.inf(self.G)
}]
Y = [{"type": "com", "value": gz}, {"type": "com", "value": gr}]
for i in range(len(m)):
if i == 0:
X.append({"type": "pub", "value": m[i]})
else:
X.append({"type": "com", "value": m[i]})
B.append({"type": "pub", "value": G2Elem.inf(self.G)})
for j in range(len(pki)):
Y.append({"type": "com", "value": pki[j]})
A.append({"type": "pub", "value": G1Elem.inf(self.G)})
C = []
for i in range(len(X)):
row = []
for j in range(len(Y)):
var = Bn(0)
if i == j:
var = Bn(1)
row.append(var)
C.append(row)
print(C)
success, res = self.CommitProof_eq("PPE", X, B, A, Y, C,
GTElem.zero(self.G))
verify = 0
if success:
eq_type, X1, Y1, C1, T_eq, pi2_v1_ap, pi2_w1_ap, pi1_v2_ap, pi1_w2_ap = res
pi2_v1, pi2_w1, pi1_v2, pi1_w2 = self.Randomize(
eq_type, pi2_v1_ap, pi2_w1_ap, pi1_v2_ap, pi1_w2_ap)
verify = self.Verify(eq_type, X1, Y1, C1, pi2_v1, pi2_w1, pi1_v2,
pi1_w2)
if verify:
res = [[pi2_v1, pi2_w1, pi1_v2, pi1_w2],
[eq_type, X1, Y1, C1, T_eq]]
print(success, verify)
print()
return verify, res
def proof_bsps_hidemandsig(
self,
M1=[b"Hello World!", b"Hello me!", b"Hello us!"],
M2=[b"Hello you!"]):
""" create GS proof that sig verifies with the signature and all but the first message secret """
params = (self.G, self.order, self.g1, self.g2, self.e)
sps = BSPS()
sk, pk = sps.keygen(params)
u, w, v, z = sk
U, W, V, Z = pk
m1 = []
for i in range(len(M1)):
if type(M1[i]) == bytes:
m1.append(self.G.hashG1(M1[i]))
elif type(M1[i]) == G1Elem:
m1.append(M1[i])
else:
return 0, []
m2 = []
for j in range(len(M2)):
if type(M2[j]) == bytes:
m2.append(
Bn.from_binary(M2[j]).mod_add(Bn(0), self.order) * self.g2)
elif type(M2[j]) == G2Elem:
m2.append(M2[j])
else:
return 0, []
if len(m1) < sps.msg_g1:
for i in range(sps.msg_g1 - len(m1)):
m1.append(G1Elem.inf(self.G))
elif sps.msg_g1 < len(m1):
return 0, []
if len(m2) < sps.msg_g2:
for i in range(sps.msg_g2 - len(m2)):
m2.append(G2Elem.inf(self.G))
elif sps.msg_g2 < len(m2):
return 0, []
res = []
R, S, T = sps.sign(params, sk, m1, m2)
print("signature verifies?", sps.verify(params, pk, m1, m2, (R, S, T)))
print("first equation")
x1 = [{
"type": "com",
"value": R
}, {
"type": "com",
"value": S
}, {
"type": "bas",
"value": self.g1
}]
b1 = [{
"type": "pub",
"value": V
}, {
"type": "bas",
"value": self.g2
}, {
"type": "pub",
"value": Z * Bn(-1)
}]
a1 = []
y1 = []
#res1 = e(R,V) * e(S,g2)
#res1.eq(e(g1,Z))
for i in range(len(m1)):
if i == 0:
x1.append({"type": "pub", "value": m1[i]})
b1.append({"type": "bas", "value": W[i]})
else:
x1.append({"type": "com", "value": m1[i]})
b1.append({"type": "pub", "value": W[i]})
#res1 = res1 * e(m1[i],W[i])
c1 = []
for i in range(len(x1)):
row = []
for j in range(len(y1)):
c = Bn(0)
row.append(c)
c1.append(row)
print(c1)
success1, res1 = self.CommitProof_eq("PPE", x1, b1, a1, y1, c1,
GTElem.zero(self.G))
verify1 = 0
if success1:
eq_type, X1, Y1, C1, T_eq, pi2_v1_ap, pi2_w1_ap, pi1_v2_ap, pi1_w2_ap = res1
pi2_v1, pi2_w1, pi1_v2, pi1_w2 = self.Randomize(
eq_type, pi2_v1_ap, pi2_w1_ap, pi1_v2_ap, pi1_w2_ap)
verify1 = self.Verify(eq_type, X1, Y1, C1, pi2_v1, pi2_w1, pi1_v2,
pi1_w2)
if verify1:
res1 = [[pi2_v1, pi2_w1, pi1_v2, pi1_w2],
[eq_type, X1, Y1, C1, T_eq]]
res.append(res1)
print(success1, verify1)
print()
print("second equation")
x2 = [{"type": "com", "value": R}, {"type": "bas", "value": self.g1}]
b2 = [{
"type": "pub",
"value": G2Elem.inf(self.G)
}, {
"type": "pub",
"value": G2Elem.inf(self.G)
}]
a2 = [{
"type": "pub",
"value": G1Elem.inf(self.G)
}, {
"type": "pub",
"value": G1Elem.inf(self.G)
}]
y2 = [{"type": "com", "value": T}, {"type": "bas", "value": self.g2}]
#res2 = e(R,T)
#res2.eq(e(g1,g2))
for j in range(len(m2)):
a2.append({"type": "pub", "value": U[j]})
y2.append({"type": "com", "value": m2[j]})
#res2 = res2 * e(U[j],m2[j])
c2 = []
for i in range(len(x2)):
row = []
for j in range(len(y2)):
c = Bn(0)
if (i == 0 and j == 0):
c = Bn(1)
if (i == 1 and j == 1):
c = Bn(-1)
row.append(c)
c2.append(row)
print(c2)
success2, res2 = self.CommitProof_eq("PPE", x2, b2, a2, y2, c2,
GTElem.zero(self.G))
verify2 = 0
if success2:
eq_type, X2, Y2, C2, T_eq, pi2_v1_ap, pi2_w1_ap, pi1_v2_ap, pi1_w2_ap = res2
pi2_v1, pi2_w1, pi1_v2, pi1_w2 = self.Randomize(
eq_type, pi2_v1_ap, pi2_w1_ap, pi1_v2_ap, pi1_w2_ap)
verify2 = self.Verify(eq_type, X2, Y2, C2, pi2_v1, pi2_w1, pi1_v2,
pi1_w2)
if verify2:
res2 = [[pi2_v1, pi2_w1, pi1_v2, pi1_w2],
[eq_type, X2, Y2, C2, T_eq]]
res.append(res2)
print(success2, verify2)
print()
print("success?", success1, success2)
print("verify?", verify1, verify2)
return verify1 * verify2, res
def bp_group():
return BpGroup()
def __init__(self, bp_group=None):
if bp_group is None:
self.bpgp = BpGroup()
self.GT = GTGroup(self)
self.G1 = G1Group(self)
self.G2 = G2Group(self)
def setup():
G = BpGroup()
g1, g2 = G.gen1(), G.gen2()
e, o = G.pair, G.order()
return (G, o, g1, g2, e)
def gen_params_bp_g2(nid=713):
G = BpGroup()
g = G.gen2()
o = G.order()
return (G, g, o)
from bplib.bp import BpGroup
import sha3
G = BpGroup()
g1 = G.gen1()
g2 = G.gen2()
e = G.pair
o = G.order()
def hash(m):
m = str(m)
enc = m.encode('utf-8')
return sha3.keccak_256(enc).digest()