def sign(self, params, sk, m, n):
"""Signs a list of group elements of G1 and G2"""
#print("BSPS: Sign")
o, G, g1, g2, _ = params
if len(m) > self.msg_g1 or len(n) > self.msg_g2:
print("BSPS: Sign --- Error: message(s) too long", len(m), ">?",
self.msg_g1, len(n), ">?", self.msg_g2)
return (G1Elem.inf(G), G1Elem.inf(G), G2Elem.inf(G))
u, w, v, z = sk
r = o.random()
R = r * g1
temp = z.mod_sub(r.mod_mul(v, o), o)
S = temp * g1
T = g2
for i in range(self.msg_g1):
if i < len(m):
S = S + w[i].int_neg() * m[i]
else:
S = S + w[i].int_neg() * g1
for j in range(self.msg_g2):
if j < len(n):
T = T + u[j].int_neg() * n[j]
else:
T = T + u[j].int_neg() * g2
return [R, S, r.mod_inverse(o) * T]
def verify(self, params, pk, m, n, sig):
"""
Verifies a signature on messages m
e(R,V) e(S,H) Pi e(M_i,W_i) == e(G,Z)
e(R,T) Pi e(U_i, N_i) == e(G,H)
"""
#print("BSPS: Verify")
R, S, T = sig
o, G, g1, g2, e = params
if (R.eq(G1Elem.inf(G)) and S.eq(G1Elem.inf(G))
and T.eq(G2Elem.inf(G))):
print("BSPS: Verify --- Error: signature null")
print("BSPS: Verify", 0)
return 0
U, W, V, Z = pk
res1 = e(R, V) * e(S, g2)
for i in range(self.msg_g1):
if i < len(m):
res1 = res1 * e(m[i], W[i])
else:
res1 = res1 * e(g1, W[i])
res2 = e(R, T)
for j in range(self.msg_g2):
if j < len(n):
res2 = res2 * e(U[j], n[j])
else:
res2 = res2 * e(U[j], g2)
return res1.eq(e(g1, Z)) and res2.eq(e(g1, g2))
def test_proof():
from bplib.bp import G1Elem
from bplib.bp import G2Elem
from bplib.bp import GTElem
from petlib.bn import Bn
from gsproof import GSProof
gsp = GSProof()
gsp.ExtGen()
params = gsp.P
sps = USPS()
sk, pk = sps.keygen(params)
gz, gr = pk[0], pk[1]
pki = pk[2:]
M = [b"Hello World!", b"Hello me!", b"Hello us!"]
m = []
for i in range(len(M)):
if type(M[i]) == bytes:
m.append(gsp.G.hashG1(M[i]))
elif type(M[i]) == G1Elem:
m.append(M[i])
else:
print("Error: wrong input, expected G1, got ", type(M[i]))
return 0, []
if len(m) < sps.nb_msg:
for i in range(sps.nb_msg - len(m)):
m.append(G1Elem.inf(gsp.G))
elif sps.nb_msg < len(m):
return
sig = sps.sign(params, sk, m)
verify, res = sps.proof_usps_hidesigandsigner(gsp, pk, M, sig)
assert verify
def verifyEq(self, eq, x, b, a, y, c, t):
#print("verifyEq")
if eq in ["PPE", "PN1", "PC1", "PN2", "PC2"]:
#print("eq in [\"PPE\", \"PN1\", \"PC1\", \"PN2\", \"PC2\"]")
T = GTElem.zero(self.G)
for i in range(min(len(x), len(b))):
T = T * self.e(x[i]["value"], b[i]["value"])
for j in range(min(len(a), len(y))):
T = T * self.e(a[j]["value"], y[j]["value"])
for i in range(len(c)):
for j in range(len(c[i])):
T = T * self.e(c[i][j] * x[i]["value"], y[j]["value"])
return T.eq(t)
else:
#print("eq NOT in [\"PPE\", \"PN1\", \"PC1\", \"PN2\", \"PC2\"]")
T = Bn(0)
if eq in ["ME1", "MN1", "MC1", "ML1"]:
T = G1Elem.inf(self.G)
elif eq in ["ME2", "MN2", "MC2", "ML2"]:
T = G2Elem.inf(self.G)
elif eq not in ["QE", "QC1", "QC2"]:
print("eq error", eq)
return 0
for i in range(min(len(x), len(b))):
T += x[i]["value"] * b[i]["value"]
for j in range(min(len(a), len(y))):
T += a[j]["value"] * y[j]["value"]
for i in range(len(c)):
for j in range(len(c[i])):
if c[i][j] != 0:
T += c[i][j] * x[i]["value"] * y[j]["value"]
return T.eq(t)
def proof_pkuv(gsp, X, Y):
res = []
B = []
A = []
C = []
for i in range(len(X)):
row = []
for j in range(len(Y)):
row.append(Bn(0))
C.append(row)
C[6][0] = Bn(1) # pk_uv
C[5][1] = Bn(-1) # - h_v^sku
success, result = gsp.Prove_aggreg("MC1", X, B, A, Y, C, G1Elem.inf(gsp.G))
verify = 0
if success:
eq_type, X, Y, C, T_eq, pi2_v1, pi2_w1, pi1_v2, pi1_w2 = result
#verify = gsp.Verify(eq_type, X, Y, C, pi2_v1, pi2_w1, pi1_v2, pi1_w2)
#if verify:
res = [C, [pi2_v1, pi2_w1, pi1_v2, pi1_w2]]
#print("Do we successfully create a proof?", success)
#print("Does the proof successfully verify?", verify)
print("\n----pk uv")
for i in range(len(res[1])):
for j in range(2):
if type(res[1][i][j]) == G1Elem:
print(i, j, type(res[1][i][j]),
res[1][i][j].eq(G1Elem.inf(gsp.G)))
else:
print(i, j, type(res[1][i][j]),
res[1][i][j].eq(G2Elem.inf(gsp.G)))
b = challenge(result)
for i in range(len(res[0])):
for j in range(len(res[0][0])):
if res[0][i][j] != 0:
res[0][i][j] = b * res[0][i][j]
for i in range(len(res[1])):
for j in range(len(res[1][i])):
res[1][i][j] = b * res[1][i][j]
#verify = gsp.Verify("ME1", X, Y, C, res[1][0], res[1][1], res[1][2], res[1][3])
#print("Does the (aggregate) proof verify?", verify)
return res
def proof_exponent_gs1_pk_public(gsp, g1, sk, pk):
x = [{"type": "com", "value": g1}, {"type": "com", "value": pk}]
b = [{"type": "sca", "value": Bn(0)}, {"type": "unt", "value": Bn(1)}]
a = [{"type": "pub", "value": G1Elem.inf(gsp.G)}]
y = [{"type": "sca", "value": sk}]
c = [[Bn(-1)], [Bn(0)]]
success, res = gsp.CommitProof_eq("ME1", x, b, a, y, c, G1Elem.inf(gsp.G))
verify = 0
if success:
eq_type, X, Y, C, T_eq, pi2_v1_ap, pi2_w1_ap, pi1_v2_ap, pi1_w2_ap = res
pi2_v1, pi2_w1, pi1_v2, pi1_w2 = gsp.Randomize(eq_type, pi2_v1_ap,
pi2_w1_ap, pi1_v2_ap,
pi1_w2_ap)
verify = gsp.Verify(eq_type, X, Y, C, pi2_v1, pi2_w1, pi1_v2, pi1_w2)
if verify:
res = [[pi2_v1, pi2_w1, pi1_v2, pi1_w2], [eq_type, X, Y, C, T_eq]]
print("Do we successfully create a first proof?", success)
print("Does the first proof successfully verify?", verify)
print()
return verify, res
def CommitG2Group(self, val, x2, r, s):
c0 = r * self.v2[0] + s * self.w2[0]
c1 = x2 + r * self.v2[1] + s * self.w2[1]
val["value"] = [c0, c1]
val["committed"] = {
1: G1Elem.inf(self.G),
2: x2,
"Zp": 0,
"r": r,
"s": s
}
return val
def CommitG2Scalar(self, val, x, r):
c0 = x * self.u2[0] + r * self.v2[0]
c1 = x * self.u2[1] + r * self.v2[1]
val["value"] = [c0, c1]
val["committed"] = {
1: G1Elem.inf(self.G),
2: G2Elem.inf(self.G),
"Zp": x,
"r": r,
"s": 0
}
return val
def sign(self, params, sk, m):
"""Signs a list of group elements of G1"""
#print("SPS: Sign")
(o, G, g1, g2, e) = params
if len(m) > self.nb_msg:
print("Error: too many messages to sign")
return (G1Elem.inf(G), G1Elem.inf(G))
M = []
for i in range(len(m)):
if type(m[i]) == G1Elem:
M.append(m[i])
elif type(m[i]) == bytes:
M.append(G.hashG1(m[i]))
else:
print("Error: type message")
return -1
sig = [sk[0][0].int_neg() * M[0], sk[0][1].int_neg() * M[0]]
for i in range(1, len(M)):
sig[0] = sig[0] + sk[i][0].int_neg() * M[i]
sig[1] = sig[1] + sk[i][1].int_neg() * M[i]
return sig
def Calc_MSG1(self, x1, b, a1, y, c, t1):
n = len(x1)
m = len(y)
if len(b) != n or len(a1) != m or len(c) != n * m or len(t1) != 1:
return 0
B1 = G1Elem.inf(self.G)
for i in range(m):
B1 += b[i] * x1[i]
A1 = G1Elem.inf(self.G)
for j in range(n):
A1 += y[j] * a1[j]
C1 = G1Elem.inf(self.G)
for i in range(n):
for j in range(m):
C1 += (c[i][j] * y[j]) * x1[i]
validate = 0
if A1 + B1 + C1 == t1:
validate = 1
return A1 + B1 + C1, t1, validate
def verify(self, params, pk, m, sig):
"""
Verifies a signature on messages m
e(z, g_z) e(r, g_r) Pi e(M_i, g_i) == e(g1, g2)
"""
#print("SPS: Verify")
(o, G, g1, g2, e) = params
s0, s1 = sig
if (s0 == G1Elem.inf(G) and s1 == G1Elem.inf(G)):
print("USPS: Verify --- Error: signature null")
print("SPS: Verify", 0)
return 0
M = []
for i in range(len(m)):
if type(m[i]) == G1Elem:
M.append(m[i])
elif type(m[i]) == bytes:
M.append(G.hashG1(m[i]))
else:
print("Error: type message")
return -1
ctr = 0
for i in range(len(M)):
if M[i] == G1Elem.inf(G):
ctr += 1
if ctr == len(M):
print("USPS: Verify --- Error: message null")
print("SPS: Verify", 0)
return 0
gz, gr = pk[0], pk[1]
pki = pk[2:]
res = e(s0, gz) * e(s1, gr)
for i in range(len(M)):
res = res * e(M[i], pki[i])
return res.eq(GTElem.one(G))
def CheckEqResult(self, eq, T):
#print("CheckEqResult")
if eq in ["PPE", "PN1", "PC1", "PN2", "PC2"]:
if T != GTElem.zero(self.G):
return 0
elif eq in ["ME1", "MN1", "MC1", "ML1"]:
if T != G1Elem.inf(self.G):
return 0
elif eq in ["ME2", "MN2", "MC2", "ML2"]:
if T != G2Elem.inf(self.G):
return 0
elif eq in ["QE", "QC1", "QC2"]:
if T != Bn(0):
return 0
return 1
def test_G2_scalar_comm():
GS = GSProof()
ck, xk, P = GS.ExtGen()
order, G, u1, v1, w1, u2, v2, w2 = ck
y = order.random()
r = order.random()
struct = {}
struct = GS.CommitG2Scalar(struct, y, r)
assert struct["value"][0] == y * GS.u2[0] + r * GS.v2[0]
assert struct["value"][1] == y * GS.u2[1] + r * GS.v2[1]
assert struct["committed"][1] == G1Elem.inf(G)
assert struct["committed"][2] == G2Elem.inf(G)
assert struct["committed"]["Zp"] == y
assert struct["committed"]["r"] == r
assert struct["committed"]["s"] == Bn(0)
def test_G2_group_comm():
GS = GSProof()
ck, xk, P = GS.ExtGen()
order, G, u1, v1, w1, u2, v2, w2 = ck
y2 = order.random() * G.gen2()
r = order.random()
s = order.random()
struct = {}
struct = GS.CommitG2Group(struct, y2, r, s)
assert struct["value"][0] == G2Elem.inf(G) + r * GS.v2[0] + s * GS.w2[0]
assert struct["value"][1] == y2 + r * GS.v2[1] + s * GS.w2[1]
assert struct["committed"][1] == G1Elem.inf(G)
assert struct["committed"][2] == y2
assert struct["committed"]["Zp"] == Bn(0)
assert struct["committed"]["r"] == r
assert struct["committed"]["s"] == s
def test_G1_group_comm():
GS = GSProof()
ck, xk, P = GS.ExtGen()
order, G, u1, v1, w1, u2, v2, w2 = ck
x1 = order.random() * G.gen1()
r = order.random()
s = order.random()
struct = {}
struct = GS.CommitG1Group(struct, x1, r, s)
assert struct["value"][0] == G1Elem.inf(G) + r * GS.v1[0] + s * GS.w1[0]
assert struct["value"][1] == x1 + r * GS.v1[1] + s * GS.w1[1]
assert struct["committed"][1] == x1
assert struct["committed"][2] == G2Elem.inf(G)
assert struct["committed"]["Zp"] == Bn(0)
assert struct["committed"]["r"] == r
assert struct["committed"]["s"] == s
def MakeMatrices(self, x, b, a, y, c, t):
#print("Make Matrices")
X = []
X.extend(x)
X.extend(a)
Y = []
Y.extend(y)
Y.extend(b)
C = []
for i in range(len(x) + len(a)):
row = []
for j in range(len(y) + len(b)):
if i < len(x):
if j < len(y):
temp = c[i][j]
if type(temp) != Bn:
temp = Bn(temp)
row.append(c[i][j])
elif j == len(y) + i:
temp = Bn(1)
if b[j - len(y)]["committed"][2] == G2Elem.inf(
self.G) and b[j - len(y)]["type"] == "pub":
temp = Bn(0)
row.append(temp)
else:
row.append(Bn(0))
else:
if i == len(x) + j:
temp = Bn(1)
if a[i - len(x)]["committed"][1] == G1Elem.inf(
self.G) and a[i - len(x)]["type"] == "pub":
temp = Bn(0)
row.append(temp)
else:
row.append(Bn(0))
C.append(row)
return X, Y, C, t
def enc_proof(gsp, X, Y, a):
res = []
#print("--- first equation")
# e = h_i + h*r
res1 = []
A1 = []
B1 = []
C1 = []
for i in range(len(X)):
row = []
for j in range(len(Y)):
row.append(Bn(0))
C1.append(row)
C1[12][0] = Bn(-1) # - e
C1[7][0] = Bn(1) # + h_i
C1[4][2] = Bn(1) # + h*r
success1, result1 = gsp.Prove_aggreg("ME1", X, B1, A1, Y, C1,
G1Elem.inf(gsp.G))
verify1 = 0
if success1:
eq_type, X1, Y1, C1, T_eq, pi2_v1, pi2_w1, pi1_v2, pi1_w2 = result1
#verify1 = gsp.Verify(eq_type, X1, Y1, C1, pi2_v1, pi2_w1, pi1_v2, pi1_w2)
#if verify1:
res1 = [C1, [pi2_v1, pi2_w1, pi1_v2, pi1_w2]]
res.append(res1)
#print("Do we successfully create a first proof?", success1)
#print("Does the first proof successfully verify?", verify1)
#print("--- second equation")
#u1 = g1_enc*r
res2 = []
B2 = []
A2 = []
C2 = []
for i in range(len(X)):
row = []
for j in range(len(Y)):
row.append(Bn(0))
C2.append(row)
C2[0][2] = Bn(-1) # - g1enc*r
C2[10][0] = Bn(1) # + u1
success2, result2 = gsp.Prove_aggreg("MC1", X, B2, A2, Y, C2,
G1Elem.inf(gsp.G))
verify2 = 0
if success2:
eq_type, X2, Y2, C2, T_eq, pi2_v1, pi2_w1, pi1_v2, pi1_w2 = result2
#verify2 = gsp.Verify(eq_type, X2, Y2, C2, pi2_v1, pi2_w1, pi1_v2, pi1_w2)
#if verify2:
res2 = [C2, [pi2_v1, pi2_w1, pi1_v2, pi1_w2]]
res.append(res2)
#print("Do we successfully create a second proof?", success2)
#print("Does the second proof successfully verify?", verify2)
#print("--- third equation")
#u2 = g2_enc*r
res3 = []
B3 = []
A3 = []
C3 = []
for i in range(len(X)):
row = []
for j in range(len(Y)):
row.append(Bn(0))
C3.append(row)
C3[1][2] = Bn(-1) # - g2_enc * r
C3[11][0] = Bn(1) # + u2
success3, result3 = gsp.Prove_aggreg("ME1", X, B3, A3, Y, C3,
G1Elem.inf(gsp.G))
verify3 = 0
if success3:
eq_type, X3, Y3, C3, T_eq, pi2_v1, pi2_w1, pi1_v2, pi1_w2 = result3
#verify3 = gsp.Verify(eq_type, X3, Y3, C3, pi2_v1, pi2_w1, pi1_v2, pi1_w2)
#if verify3:
res3 = [C3, [pi2_v1, pi2_w1, pi1_v2, pi1_w2]]
res.append(res3)
#print("Do we successfully create a third proof?", success3)
#print("Does the third proof successfully verify?", verify3)
""" We perform this check with a hash
#print("--- fourth equation")
# da = d*a
res4 = []
B4 = []
A4 = []
C4 = []
for i in range(len(X)):
row = []
for j in range(len(Y)):
row.append(Bn(0))
C4.append(row)
C4[9][0] = Bn(-1) # - da
C4[3][0] = a # + d*a
success4, result4 = gsp.Prove_aggreg("ME1", X, B4, A4, Y, C4, G1Elem.inf(gsp.G))
verify4 = 0
if success4:
eq_type, X4, Y4, C4, T_eq, pi2_v1, pi2_w1, pi1_v2, pi1_w2 = result4
#verify4 = gsp.Verify(eq_type, X4, Y4, C4, pi2_v1, pi2_w1, pi1_v2, pi1_w2)
#if verify4:
res4 = [C4, [pi2_v1, pi2_w1, pi1_v2, pi1_w2] ]
res.append(res4)
#print("Do we successfully create an fourth proof?", success4)
#print("Does the fourth proof successfully verify?", verify4)
"""
#print("--- fifth equation")
#v = c*r + d*(a*r) = c*r + da*r
res5 = []
B5 = []
A5 = []
C5 = []
for i in range(len(X)):
row = []
for j in range(len(Y)):
row.append(Bn(0))
C5.append(row)
C5[2][2] = Bn(1) # + c*r
C5[9][2] = Bn(1) # + da*r
C5[13][0] = Bn(-1) # - v
success5, result5 = gsp.Prove_aggreg("MC1", X, B5, A5, Y, C5,
G1Elem.inf(gsp.G))
verify5 = 0
if success5:
eq_type, X5, Y5, C5, T_eq, pi2_v1, pi2_w1, pi1_v2, pi1_w2 = result5
#verify5 = gsp.Verify(eq_type, X5, Y5, C5, pi2_v1, pi2_w1, pi1_v2, pi1_w2)
#if verify5:
res5 = [C5, [pi2_v1, pi2_w1, pi1_v2, pi1_w2]]
res.append(res5)
#print("Do we successfully create a fifth proof?", success5)
#print("Does the fifth proof successfully verify?", verify5)
#print("Do we successfully create all the proofs?", success1*success2*success3*success4*success5)
#print("Do all the proofs successfully verify?", verify1*verify2*verify3*verify4*verify5)
b1 = challenge(result1)
b2 = challenge(result2)
b3 = challenge(result3)
#b4 = challenge(result4)
b5 = challenge(result5)
C = []
for i in range(len(C1)):
row = []
for j in range(len(C1[0])):
cij = Bn(0)
if C1[i][j] != 0:
cij += b1 * C1[i][j]
if C2[i][j] != 0:
cij += b2 * C2[i][j]
if C3[i][j] != 0:
cij += b3 * C3[i][j]
#if C4[i][j] != 0:
# cij += b4*C4[i][j]
if C5[i][j] != 0:
cij += b5 * C5[i][j]
row.append(cij)
C.append(row)
pi = []
for i in range(len(res1[1])):
pi_i = []
for j in range(len(res1[1][0])):
pi_ij = b1 * res1[1][i][j] + b2 * res2[1][i][j] + b3 * res3[1][i][
j] + b5 * res5[1][i][j] # + b4*res4[1][i][j]
pi_i.append(pi_ij)
pi.append(pi_i)
print("\n--- enc")
for i in range(len(res)):
print("proof #" + str(i))
for j in range(4):
for k in range(2):
if type(res[i][1][j][k]) == G1Elem:
print(i, j, k, type(res[i][1][j][k]),
res[i][1][j][k].eq(G1Elem.inf(gsp.G)))
else:
print(i, j, k, type(res[i][1][j][k]),
res[i][1][j][k].eq(G2Elem.inf(gsp.G)))
#verify = gsp.Verify("ME1", X, Y, C, pi[0], pi[1], pi[2], pi[3])
#print("Does the (aggregate) proof verify?", verify)
return C, pi, res
def MakeProof(self, X, Y, C):
#print("MakeProof")
pi2_v1 = [G2Elem.inf(self.G), G2Elem.inf(self.G)]
pi2_w1 = [G2Elem.inf(self.G), G2Elem.inf(self.G)]
pi1_v2 = [G1Elem.inf(self.G), G1Elem.inf(self.G)]
pi1_w2 = [G1Elem.inf(self.G), G1Elem.inf(self.G)]
#count_exp_g1 = 0
#count_add_g1 = -1
#count_exp_g2 = 0
#count_add_g2 = -1
for i in range(len(X)):
xi = X[i]["value"]
xr = 0
xs = 0
if "committed" in X[i]:
xr = X[i]["committed"]["r"]
xs = X[i]["committed"]["s"]
for j in range(len(Y)):
yj = Y[j]["value"]
yr = 0
ys = 0
if "committed" in Y[j]:
yr = Y[j]["committed"]["r"]
ys = Y[j]["committed"]["s"]
cij = C[i][j]
if cij != 0:
for vec in range(2):
""" We need to work on the commitment of x|y and not on the value of x|y not to make any assumption on the type of x|y"""
if xr != 0:
pi2_v1[vec] += (xr * cij) * yj[vec]
#count_exp_g1 += 1
#count_add_g1 += 1
if xs != 0:
pi2_w1[vec] += (xs * cij) * yj[vec]
#count_exp_g1 += 1
#count_add_g1 += 1
if yr != 0:
temp = xi[vec]
if xr != 0:
temp = temp - self.v1[vec] * xr
#count_exp_g2 += 1
#count_add_g2 += 1
if xs != 0:
temp = temp - self.w1[vec] * xs
#count_exp_g2 += 1
#count_add_g2 += 1
pi1_v2[vec] += temp * (cij * yr)
#count_exp_g2 += 1
#count_add_g2 += 1
if ys != 0:
temp = xi[vec]
if xr != 0:
temp = temp - self.v1[vec] * xr
#count_exp_g2 += 1
#count_add_g2 += 1
if xs != 0:
temp = temp - self.w1[vec] * xs
#count_exp_g2 += 1
#count_add_g2 += 1
pi1_w2[vec] += temp * (cij * ys)
#count_exp_g2 += 1
#count_add_g2 += 1
#print("Exp in G1", count_exp_g1)
#print("Exp in G2", count_exp_g2)
#print("Add in G1", count_add_g1)
#print("Add in G2", count_add_g2)
return pi2_v1, pi2_w1, pi1_v2, pi1_w2
def prepare_proofs(auth, vkI, pki, pkv, m, sig_t, t, pk_ui, pk_uv, sku, cipher,
ek, r):
#print("Prepare aggregated proofs")
#print("Prepare proof: Commit")
#import time
#t_start = time.time()
U, W, V, Z = vkI
cm_U = []
for i in range(len(U)):
cm_U.append(auth.GS.Commit({"group": 1, "type": "pub", "value": U[i]}))
cm_W = []
for i in range(len(W)):
cm_W.append(auth.GS.Commit({"group": 2, "type": "pub", "value": W[i]}))
cm_V = auth.GS.Commit({"group": 2, "type": "pub", "value": V})
cm_Z = auth.GS.Commit({"group": 2, "type": "pub", "value": Z})
cm_vkI = [cm_U, cm_W, cm_V, cm_Z]
h_i, vk_i, sig0_i = pki
cm_h_i = auth.GS.Commit({"group": 1, "type": "com", "value": h_i})
cm_vk_i = []
for i in range(len(vk_i)):
cm_vk_i.append(
auth.GS.Commit({
"group": 2,
"type": "com",
"value": vk_i[i]
}))
cm_sig0_i = []
cm_sig0_i.append(
auth.GS.Commit({
"group": 1,
"type": "com",
"value": sig0_i[0]
}))
cm_sig0_i.append(
auth.GS.Commit({
"group": 1,
"type": "enc",
"value": sig0_i[1]
}))
cm_sig0_i.append(
auth.GS.Commit({
"group": 2,
"type": "enc",
"value": sig0_i[2]
}))
h_v, vk_v, sig0_v = pkv
cm_h_v = auth.GS.Commit({"group": 1, "type": "pub", "value": h_v})
cm_m = []
for i in range(len(m)):
cm_m.append(auth.GS.Commit({"group": 1, "type": "pub", "value": m[i]}))
for i in range(len(cm_vk_i) - 1 - 2 - len(cm_m)):
cm_m.append(
auth.GS.Commit({
"group": 1,
"type": "pub",
"value": G1Elem.inf(auth.GS.G)
}))
sig_i, c_it = sig_t
cm_sig_i = []
for i in range(len(sig_i)):
cm_sig_i.append(
auth.GS.Commit({
"group": 1,
"type": "enc",
"value": sig_i[i]
}))
_, sigt_i = c_it
cm_sigt_i = []
cm_sigt_i.append(
auth.GS.Commit({
"group": 1,
"type": "com",
"value": sigt_i[0]
}))
cm_sigt_i.append(
auth.GS.Commit({
"group": 1,
"type": "enc",
"value": sigt_i[1]
}))
cm_sigt_i.append(
auth.GS.Commit({
"group": 2,
"type": "enc",
"value": sigt_i[2]
}))
#t: used as public scalar constraint (gamma_ij)
cm_pk_ui = auth.GS.Commit({"group": 1, "type": "com", "value": pk_ui})
cm_pk_uv = auth.GS.Commit({"group": 1, "type": "pub", "value": pk_uv})
cm_sku = auth.GS.Commit({"group": 2, "type": "sca", "value": sku})
cm_cipher = []
for i in range(len(cipher)):
cm_cipher.append(
auth.GS.Commit({
"group": 1,
"type": "pub",
"value": cipher[i]
}))
cm_r = r
cm_r[0] = auth.GS.Commit({"group": 2, "type": "sca", "value": r[0]})
cm_ek = []
for i in range(len(ek)):
cm_ek.append(
auth.GS.Commit({
"group": 1,
"type": "pub",
"value": ek[i]
}))
cm_da = auth.GS.Commit({
"group": 1,
"type": "pub",
"value": auth.ek[1] * r[1]
})
cm_params_enc = []
cm_params_enc.append(
auth.GS.Commit({
"group": 1,
"type": "pub",
"value": auth.GS.v1[0]
}))
cm_params_enc.append(
auth.GS.Commit({
"group": 1,
"type": "pub",
"value": auth.GS.v1[1]
}))
cm_g1 = auth.GS.Commit({"group": 1, "type": "bas", "value": auth.GS.g1})
cm_g2 = auth.GS.Commit({"group": 2, "type": "bas", "value": auth.GS.g2})
cm_1 = auth.GS.Commit({"group": 2, "type": "unt", "value": 1})
#t_commit = time.time()
#print("--- Commitment time:", t_commit - t_start)
x_ppe = [cm_g1]
x_ppe.extend(cm_vkI[0])
x_ppe.append(cm_h_i)
x_ppe.extend([cm_sig0_i[0], cm_sig0_i[1]])
x_ppe.extend([cm_sigt_i[0], cm_sigt_i[1]])
x_ppe.extend(cm_sig_i)
x_ppe.append(cm_pk_ui)
x_ppe.extend(cm_m)
#print("\nx_ppe", len(x_ppe), x_ppe)
y_ppe = [cm_g2]
y_ppe.append(cm_vkI[3])
y_ppe.append(cm_vkI[2])
y_ppe.extend(cm_vkI[1])
y_ppe.append(cm_sig0_i[2])
y_ppe.append(cm_sigt_i[2])
y_ppe.extend(cm_vk_i)
#print("\ny_ppe", len(y_ppe), y_ppe)
x_me1 = []
x_me1.extend(cm_params_enc)
x_me1.extend(cm_ek)
x_me1.append(cm_h_v)
x_me1.append(cm_pk_uv)
x_me1.append(cm_h_i)
x_me1.append(cm_pk_ui)
x_me1.append(cm_da)
x_me1.extend(cm_cipher)
#print("\nx_me1", len(x_me1), x_me1)
y_me1 = [cm_1, cm_sku, cm_r[0]]
#print("\ny_me1", len(y_me1), y_me1)
#print("Prepare proof: Prove")
#t_prove = time.time()
#print("--- sigi proof")
cm_msg = [cm_pk_ui]
cm_msg.extend(cm_m)
for i in range(len(cm_vk_i) - 2 - len(cm_msg)):
cm_msg.append(
auth.GS.Commit({
"group": 1,
"type": "pub",
"value": G1Elem.inf(auth.GS.G)
}))
C_sigi, pi_sigi = proof_sigi(auth.GS, x_ppe, y_ppe, cm_msg)
cm_msg1 = [cm_g1, cm_h_i]
cm_msg2 = cm_vk_i
#print("--- sigi0 proof")
C_sigi0, pi_sigi0, _ = proof_sigi0(auth.GS, x_ppe, y_ppe, cm_msg1, cm_msg2,
Bn(0))
#print("--- sigit proof")
C_sigit, pi_sigit, _ = proof_sigit(auth.GS, x_ppe, y_ppe, cm_msg1, cm_msg2,
t)
#print("--- Aggregate PPE proofs")
c_ppe = []
for i in range(len(C_sigi)):
row = []
for j in range(len(C_sigi[i])):
cij = C_sigi[i][j] + C_sigit[i][j] + C_sigi0[i][j]
row.append(cij)
c_ppe.append(row)
pi_ppe = []
for i in range(len(pi_sigi)):
pi_i = []
for j in range(len(pi_sigi[i])):
pi_ij = pi_sigi[i][j] + pi_sigit[i][j] + pi_sigi0[i][j]
pi_i.append(pi_ij)
pi_ppe.append(pi_i)
#print("--- Randomize PPE proof")
pi_ppe[0], pi_ppe[1], pi_ppe[2], pi_ppe[3] = auth.GS.Randomize(
"PPE", pi_ppe[0], pi_ppe[1], pi_ppe[2], pi_ppe[3])
res_ppe = [c_ppe, pi_ppe]
#t_ppe = time.time()
print("--- exponent proofs pk_ui")
C_pkui, pi_pkui = proof_pkui(auth.GS, x_me1, y_me1)
print("--- exponent proofs pk_uv")
C_pkuv, pi_pkuv = proof_pkuv(auth.GS, x_me1, y_me1)
#print("--- enc proof")
C_enc, pi_enc, _ = enc_proof(auth.GS, x_me1, y_me1, r[1])
#print("--- aggregate ME1 proofs")
c_me1 = []
for i in range(len(C_enc)):
row = []
for j in range(len(C_enc[i])):
cij = C_enc[i][j] + C_pkui[i][j] + C_pkuv[i][j]
row.append(cij)
c_me1.append(row)
pi_me1 = []
for i in range(len(pi_enc)):
pi_i = []
for j in range(len(pi_enc[i])):
pi_ij = pi_enc[i][j] + pi_pkui[i][j] + pi_pkuv[i][j]
pi_i.append(pi_ij)
pi_me1.append(pi_i)
#print("------ Randomize ME1 proof")
pi_me1[0], pi_me1[1], pi_me1[2], pi_me1[3] = auth.GS.Randomize(
"PPE", pi_me1[0], pi_me1[1], pi_me1[2], pi_me1[3])
res_me1 = [c_me1, pi_me1]
#t_end = time.time()
#print("--- Prove & aggregation time:", t_end - t_commit, "(PPE proof: "+ str(t_ppe-t_commit) +"+ ME1 proof"+ str(t_end-t_ppe) +")")
verify_ppe = auth.GS.Verify("PPE", x_ppe, y_ppe, c_ppe, pi_ppe[0],
pi_ppe[1], pi_ppe[2], pi_ppe[3])
print("------ Aggregate PPE verify?", verify_ppe)
verify_me1 = auth.GS.Verify("ME1", x_me1, y_me1, c_me1, pi_me1[0],
pi_me1[1], pi_me1[2], pi_me1[3])
print("------ Aggregate ME1 verify?", verify_me1)
verify = verify_ppe * verify_me1
res = [[
res_ppe[1], ["PPE", x_ppe, y_ppe, res_ppe[0],
GTElem.zero(auth.GS.G)]
], [res_me1[1], ["ME1", x_me1, y_me1, res_me1[0],
G1Elem.inf(auth.GS.G)]]]
#print("--- Do all the proofs verify?", verify_ppe*verify_me1)
return verify, res
def CheckEqType(self, eq, X, Y, C):
#print("CheckEqType")
if eq in ["PPE", "PN1", "PC1", "PN2", "PC2"]:
for x in X:
if type(x["value"][0]) != G1Elem:
print("element in C not from G1", x)
return 0
if "committed" in x:
if x["committed"][2] != G2Elem.inf(
self.G) or x["committed"]["Zp"] != 0:
print("not a commitment of G1")
return 0
for y in Y:
if type(y["value"][0]) != G2Elem:
print("element in D not from G2")
return 0
if "committed" in y:
if y["committed"][1] != G1Elem.inf(
self.G) or y["committed"]["Zp"] != 0:
print("not a commitment of G2")
return 0
elif eq in ["ME1", "MN1", "MC1", "ML1"]:
for x in X:
if type(x["value"][0]) != G1Elem:
print("element in C not from G1", type(x["value"][0]))
return 0
if "committed" in x:
if x["committed"][2] != G2Elem.inf(
self.G) or x["committed"]["Zp"] != 0:
print("not a commitment of G1")
return 0
for y in Y:
if type(y["value"][0]) != G2Elem:
print("element in D not from Zp", type(y["value"][0]))
return 0
if "committed" in y:
if y["committed"][1] != G1Elem.inf(
self.G) or y["committed"][2] != G2Elem.inf(self.G):
print("not a commitment of Zp")
return 0
elif eq in ["ME2", "MN2", "MC2", "ML2"]:
for x in X:
if type(x["value"][0]) != G1Elem:
print("element in C not from G1", type(x["value"][0]))
return 0
if "committed" in x:
if x["committed"][1] != G1Elem.inf(
self.G) or x["committed"][2] != G2Elem.inf(self.G):
print("not a commitment of Zp")
return 0
for y in Y:
if type(y["value"][0]) != G2Elem:
print("element in D not from G2", type(y["value"][0]))
return 0
if "committed" in y:
if y["committed"][1] != G1Elem.inf(
self.G) or y["committed"]["Zp"] != 0:
print("not a commitment of G2")
return 0
elif eq in ["QE", "QC1", "QC2"]:
for x in X:
if type(x["value"][0]) != G1Elem:
print("element in C not from Zp", type(x["value"][0]))
return 0
if "committed" in x:
if x["committed"][1] != G1Elem.inf(
self.G) or x["committed"][2] != G2Elem.inf(self.G):
print("not a commitment of Zp")
return 0
for y in Y:
if type(y["value"][0]) != G2Elem:
print("element in D not from Zp", type(y["value"][0]))
return 0
if "committed" in y:
if y["committed"][1] != G1Elem.inf(
self.G) or y["committed"][2] != G2Elem.inf(self.G):
print("not a commitment of Zp")
return 0
else:
print("ERROR: unknown eq", eq)
return 0
for i in range(len(X)):
for j in range(len(Y)):
if type(C[i][j]) != Bn and type(C[i][j]) != int:
print("element in Gamma not from Zp", i, j, C[i][j],
type(C[i][j]))
return 0
return 1
def get_infs(gk):
inf1 = G1Elem.inf(gk.G)
inf2 = G2Elem.inf(gk.G)
return inf1, inf2
def proof_bsps_hidemandsig(
self,
M1=[b"Hello World!", b"Hello me!", b"Hello us!"],
M2=[b"Hello you!"]):
""" create GS proof that sig verifies with the signature and all but the first message secret """
params = (self.G, self.order, self.g1, self.g2, self.e)
sps = BSPS()
sk, pk = sps.keygen(params)
u, w, v, z = sk
U, W, V, Z = pk
m1 = []
for i in range(len(M1)):
if type(M1[i]) == bytes:
m1.append(self.G.hashG1(M1[i]))
elif type(M1[i]) == G1Elem:
m1.append(M1[i])
else:
return 0, []
m2 = []
for j in range(len(M2)):
if type(M2[j]) == bytes:
m2.append(
Bn.from_binary(M2[j]).mod_add(Bn(0), self.order) * self.g2)
elif type(M2[j]) == G2Elem:
m2.append(M2[j])
else:
return 0, []
if len(m1) < sps.msg_g1:
for i in range(sps.msg_g1 - len(m1)):
m1.append(G1Elem.inf(self.G))
elif sps.msg_g1 < len(m1):
return 0, []
if len(m2) < sps.msg_g2:
for i in range(sps.msg_g2 - len(m2)):
m2.append(G2Elem.inf(self.G))
elif sps.msg_g2 < len(m2):
return 0, []
res = []
R, S, T = sps.sign(params, sk, m1, m2)
print("signature verifies?", sps.verify(params, pk, m1, m2, (R, S, T)))
print("first equation")
x1 = [{
"type": "com",
"value": R
}, {
"type": "com",
"value": S
}, {
"type": "bas",
"value": self.g1
}]
b1 = [{
"type": "pub",
"value": V
}, {
"type": "bas",
"value": self.g2
}, {
"type": "pub",
"value": Z * Bn(-1)
}]
a1 = []
y1 = []
#res1 = e(R,V) * e(S,g2)
#res1.eq(e(g1,Z))
for i in range(len(m1)):
if i == 0:
x1.append({"type": "pub", "value": m1[i]})
b1.append({"type": "bas", "value": W[i]})
else:
x1.append({"type": "com", "value": m1[i]})
b1.append({"type": "pub", "value": W[i]})
#res1 = res1 * e(m1[i],W[i])
c1 = []
for i in range(len(x1)):
row = []
for j in range(len(y1)):
c = Bn(0)
row.append(c)
c1.append(row)
print(c1)
success1, res1 = self.CommitProof_eq("PPE", x1, b1, a1, y1, c1,
GTElem.zero(self.G))
verify1 = 0
if success1:
eq_type, X1, Y1, C1, T_eq, pi2_v1_ap, pi2_w1_ap, pi1_v2_ap, pi1_w2_ap = res1
pi2_v1, pi2_w1, pi1_v2, pi1_w2 = self.Randomize(
eq_type, pi2_v1_ap, pi2_w1_ap, pi1_v2_ap, pi1_w2_ap)
verify1 = self.Verify(eq_type, X1, Y1, C1, pi2_v1, pi2_w1, pi1_v2,
pi1_w2)
if verify1:
res1 = [[pi2_v1, pi2_w1, pi1_v2, pi1_w2],
[eq_type, X1, Y1, C1, T_eq]]
res.append(res1)
print(success1, verify1)
print()
print("second equation")
x2 = [{"type": "com", "value": R}, {"type": "bas", "value": self.g1}]
b2 = [{
"type": "pub",
"value": G2Elem.inf(self.G)
}, {
"type": "pub",
"value": G2Elem.inf(self.G)
}]
a2 = [{
"type": "pub",
"value": G1Elem.inf(self.G)
}, {
"type": "pub",
"value": G1Elem.inf(self.G)
}]
y2 = [{"type": "com", "value": T}, {"type": "bas", "value": self.g2}]
#res2 = e(R,T)
#res2.eq(e(g1,g2))
for j in range(len(m2)):
a2.append({"type": "pub", "value": U[j]})
y2.append({"type": "com", "value": m2[j]})
#res2 = res2 * e(U[j],m2[j])
c2 = []
for i in range(len(x2)):
row = []
for j in range(len(y2)):
c = Bn(0)
if (i == 0 and j == 0):
c = Bn(1)
if (i == 1 and j == 1):
c = Bn(-1)
row.append(c)
c2.append(row)
print(c2)
success2, res2 = self.CommitProof_eq("PPE", x2, b2, a2, y2, c2,
GTElem.zero(self.G))
verify2 = 0
if success2:
eq_type, X2, Y2, C2, T_eq, pi2_v1_ap, pi2_w1_ap, pi1_v2_ap, pi1_w2_ap = res2
pi2_v1, pi2_w1, pi1_v2, pi1_w2 = self.Randomize(
eq_type, pi2_v1_ap, pi2_w1_ap, pi1_v2_ap, pi1_w2_ap)
verify2 = self.Verify(eq_type, X2, Y2, C2, pi2_v1, pi2_w1, pi1_v2,
pi1_w2)
if verify2:
res2 = [[pi2_v1, pi2_w1, pi1_v2, pi1_w2],
[eq_type, X2, Y2, C2, T_eq]]
res.append(res2)
print(success2, verify2)
print()
print("success?", success1, success2)
print("verify?", verify1, verify2)
return verify1 * verify2, res
def test_all():
GS = GSProof()
ck, xk, P = GS.ExtGen()
order, G, u1, v1, w1, u2, v2, w2 = ck
for eq_type in GS.eqs.keys():
print("=============================== ", eq_type)
x = []
y = []
a = []
b = []
for xtype in GS.eqs[eq_type][1]:
for ytype in GS.eqs[eq_type][2]:
if eq_type != "PPE" or (eq_type == "PPE"
and xtype not in ["pub", "enc"]
and ytype not in ["pub", "enc"]):
rand1 = order.random()
x1 = rand1 * GS.g1
if xtype in ["bas"]:
rand1 = 1
x1 = GS.g1
if xtype in ["sca"]:
x1 = rand1
elif xtype in ["unt"]:
x1 = 1
rand2 = order.random()
y2 = rand2 * GS.g2
if ytype in ["bas"]:
rand2 = 1
y2 = GS.g2
if ytype in ["sca"]:
y2 = rand2
elif ytype in ["unt"]:
y2 = 1
#print(xtype, rand1, x1)
#print(ytype, rand2, y2)
x.append({"type": xtype, "value": x1})
a.append({"type": xtype, "value": x1})
y.append({"type": ytype, "value": y2})
b.append({"type": ytype, "value": y2})
c = []
for i in range(len(x)):
row = []
for j in range(len(y)):
if i == j:
row.append(Bn(-2))
else:
row.append(Bn(0))
c.append(row)
t = GTElem.zero(G)
if eq_type in ["ME1", "MN1", "MC1", "ML1"]:
t = G1Elem.inf(G)
if eq_type in ["ME2", "MN2", "MC2", "ML2"]:
t = G2Elem.inf(G)
if eq_type in ["QE", "QC1", "QC2"]:
t = 0
try:
success, res = GS.CommitProof_eq(eq_type, x, b, a, y, c, t)
print("success ?", success)
except Exception as e:
print(e)
else:
if success:
eq, X, Y, C, T, pi2_v1, pi2_w1, pi1_v2, pi1_w2 = res
print(
"verify ?",
GS.Verify(eq_type, X, Y, C, pi2_v1, pi2_w1, pi1_v2,
pi1_w2))
assert (GS.Verify(eq_type, X, Y, C, pi2_v1, pi2_w1, pi1_v2,
pi1_w2))
def proof_usps_hidesigandsigner(self,
M=[
b"Hello World!", b"Hello me!",
b"Hello us!"
]):
"""" creates GS proof that sig verifies with pk, signature and first message secret"""
#print("SPS: Prove")
self.ExtGen()
params = (self.G, self.order, self.g1, self.g2, self.e)
sps = USPS()
sk, pk = sps.keygen(params)
gz, gr, pki = pk
m = []
for i in range(len(M)):
if type(M[i]) == bytes:
m.append(self.G.hashG1(M[i]))
elif type(M[i]) == G1Elem:
m.append(M[i])
else:
return 0, []
if len(m) < sps.n:
for i in range(sps.nb_msg - len(m)):
m.append(G1Elem.inf(self.G))
elif sps.nb_msg < len(m):
return
sig = sps.sign(params, sk, m)
if sps.verify(params, pk, m, sig) == 0:
print("Signature does not verify")
return
print(len(m))
X = [{
"type": "com",
"value": sig[0]
}, {
"type": "com",
"value": sig[1]
}]
B = [{
"type": "pub",
"value": G2Elem.inf(self.G)
}, {
"type": "pub",
"value": G2Elem.inf(self.G)
}]
A = [{
"type": "pub",
"value": G1Elem.inf(self.G)
}, {
"type": "pub",
"value": G1Elem.inf(self.G)
}]
Y = [{"type": "com", "value": gz}, {"type": "com", "value": gr}]
for i in range(len(m)):
if i == 0:
X.append({"type": "pub", "value": m[i]})
else:
X.append({"type": "com", "value": m[i]})
B.append({"type": "pub", "value": G2Elem.inf(self.G)})
for j in range(len(pki)):
Y.append({"type": "com", "value": pki[j]})
A.append({"type": "pub", "value": G1Elem.inf(self.G)})
C = []
for i in range(len(X)):
row = []
for j in range(len(Y)):
var = Bn(0)
if i == j:
var = Bn(1)
row.append(var)
C.append(row)
print(C)
success, res = self.CommitProof_eq("PPE", X, B, A, Y, C,
GTElem.zero(self.G))
verify = 0
if success:
eq_type, X1, Y1, C1, T_eq, pi2_v1_ap, pi2_w1_ap, pi1_v2_ap, pi1_w2_ap = res
pi2_v1, pi2_w1, pi1_v2, pi1_w2 = self.Randomize(
eq_type, pi2_v1_ap, pi2_w1_ap, pi1_v2_ap, pi1_w2_ap)
verify = self.Verify(eq_type, X1, Y1, C1, pi2_v1, pi2_w1, pi1_v2,
pi1_w2)
if verify:
res = [[pi2_v1, pi2_w1, pi1_v2, pi1_w2],
[eq_type, X1, Y1, C1, T_eq]]
print(success, verify)
print()
return verify, res
def proof_usps_hidesigandsigner(self, gsp, pk, M, sig):
"""" creates GS proof that a USPS signature verifies
with the verifying key, the signature and the first message secret"""
#print("SPS: Prove")
from bplib.bp import G1Elem
from bplib.bp import G2Elem
from bplib.bp import GTElem
from petlib.bn import Bn
params = gsp.P
sps = USPS()
gz, gr = pk[0], pk[1]
pki = pk[2:]
m = []
for i in range(len(M)):
if type(M[i]) == bytes:
m.append(gsp.G.hashG1(M[i]))
elif type(M[i]) == G1Elem:
m.append(M[i])
else:
print("Error: wrong input, expected G1, got ", type(M[i]))
return 0, []
if len(m) < sps.nb_msg:
for i in range(sps.nb_msg - len(m)):
m.append(G1Elem.inf(gsp.G))
if sps.verify(params, pk, m, sig) == 0:
print("Signature does not verify")
return
X = [{
"type": "com",
"value": sig[0]
}, {
"type": "com",
"value": sig[1]
}]
B = [{
"type": "pub",
"value": G2Elem.inf(gsp.G)
}, {
"type": "pub",
"value": G2Elem.inf(gsp.G)
}]
A = [{
"type": "pub",
"value": G1Elem.inf(gsp.G)
}, {
"type": "pub",
"value": G1Elem.inf(gsp.G)
}]
Y = [{"type": "com", "value": gz}, {"type": "com", "value": gr}]
for i in range(len(m)):
if i == 0:
X.append({"type": "pub", "value": m[i]})
else:
X.append({"type": "com", "value": m[i]})
B.append({"type": "pub", "value": G2Elem.inf(gsp.G)})
for j in range(len(pki)):
Y.append({"type": "com", "value": pki[j]})
A.append({"type": "pub", "value": G1Elem.inf(gsp.G)})
C = []
for i in range(len(X)):
row = []
for j in range(len(Y)):
var = Bn(0)
if i == j:
var = Bn(1)
row.append(var)
C.append(row)
success, res = gsp.CommitProof_eq("PPE", X, B, A, Y, C,
GTElem.zero(gsp.G))
verify = 0
if success:
eq_type, X1, Y1, C1, T_eq, pi2_v1_ap, pi2_w1_ap, pi1_v2_ap, pi1_w2_ap = res
pi2_v1, pi2_w1, pi1_v2, pi1_w2 = gsp.Randomize(
eq_type, pi2_v1_ap, pi2_w1_ap, pi1_v2_ap, pi1_w2_ap)
verify = gsp.Verify(eq_type, X1, Y1, C1, pi2_v1, pi2_w1, pi1_v2,
pi1_w2)
if verify:
res = [[pi2_v1, pi2_w1, pi1_v2, pi1_w2],
[eq_type, X1, Y1, C1, T_eq]]
print("Do we successfully create a proof?", success)
print("Does the proof successfully verify?", verify)
print()
return verify, res
