def verify_multiple(pubkeys: Sequence[BLSPubkey], messages: Sequence[bytes], signature: BLSSignature, domain: int) -> bool: len_msgs = len(messages) if len(pubkeys) != len_msgs: raise ValidationError( "len(pubkeys) (%s) should be equal to len(messages) (%s)" % (len(pubkeys), len_msgs)) try: o = FQ12([1] + [0] * 11) for m_pubs in set(messages): # aggregate the pubs group_pub = Z1 for i in range(len_msgs): if messages[i] == m_pubs: group_pub = add(group_pub, decompress_G1(pubkeys[i])) o *= pairing(hash_to_G2(m_pubs, domain), group_pub, final_exponentiate=False) o *= pairing(decompress_G2(signature), neg(G1), final_exponentiate=False) final_exponentiation = final_exponentiate(o) return final_exponentiation == FQ12.one() except (ValidationError, ValueError, AssertionError): return False
def check_proof_multi(commitment, proof, x, ys, setup): """ Check a proof for a Kate commitment for an evaluation f(x w^i) = y_i """ n = len(ys) root_of_unity = get_root_of_unity(n) # Interpolate at a coset. Note because it is a coset, not the subgroup, we have to multiply the # polynomial coefficients by x^i interpolation_polynomial = fft(ys, MODULUS, root_of_unity, True) interpolation_polynomial = [div(c, pow(x, i, MODULUS)) for i, c in enumerate(interpolation_polynomial)] # Verify the pairing equation # # e([commitment - interpolation_polynomial(s)], [1]) = e([proof], [s^n - x^n]) # equivalent to # e([commitment - interpolation_polynomial]^(-1), [1]) * e([proof], [s^n - x^n]) = 1_T # xn_minus_yn = b.add(setup[1][n], b.multiply(b.neg(b.G2), pow(x, n, MODULUS))) commitment_minus_interpolation = b.add(commitment, b.neg(lincomb( setup[0][:len(interpolation_polynomial)], interpolation_polynomial, b.add, b.Z1))) pairing_check = b.pairing(b.G2, b.neg(commitment_minus_interpolation), False) pairing_check *= b.pairing(xn_minus_yn, proof, False) pairing = b.final_exponentiate(pairing_check) return pairing == b.FQ12.one()
def _CoreAggregateVerify(cls, PKs: Sequence[BLSPubkey], messages: Sequence[bytes], signature: BLSSignature, DST: bytes) -> bool: try: # Inputs validation for pk in PKs: assert cls._is_valid_pubkey(pk) for message in messages: assert cls._is_valid_message(message) assert len(PKs) == len(messages) assert cls._is_valid_signature(signature) # Preconditions assert len(PKs) >= 1 # Procedure signature_point = signature_to_G2(signature) if not subgroup_check(signature_point): return False aggregate = FQ12.one() for pk, message in zip(PKs, messages): assert cls.KeyValidate(pk) pubkey_point = pubkey_to_G1(pk) message_point = hash_to_G2(message, DST, cls.xmd_hash_function) aggregate *= pairing(message_point, pubkey_point, final_exponentiate=False) aggregate *= pairing(signature_point, neg(G1), final_exponentiate=False) return final_exponentiate(aggregate) == FQ12.one() except (ValidationError, ValueError, AssertionError): return False
def _CoreVerify(cls, PK: BLSPubkey, message: bytes, signature: BLSSignature, DST: bytes) -> bool: try: # Inputs validation assert cls._is_valid_pubkey(PK) assert cls._is_valid_message(message) assert cls._is_valid_signature(signature) # Procedure assert cls.KeyValidate(PK) signature_point = signature_to_G2(signature) if not subgroup_check(signature_point): return False final_exponentiation = final_exponentiate( pairing( signature_point, G1, final_exponentiate=False, ) * pairing( hash_to_G2(message, DST, cls.xmd_hash_function), neg(pubkey_to_G1(PK)), final_exponentiate=False, )) return final_exponentiation == FQ12.one() except (ValidationError, ValueError, AssertionError): return False
def _CoreAggregateVerify(cls, PKs: Sequence[BLSPubkey], messages: Sequence[bytes], signature: BLSSignature, DST: bytes) -> bool: try: if len(PKs) != len(messages): raise ValidationError( 'len(PKs) != len(messages): got len(PKs)=%s, len(messages)=%s' % (len(PKs), len(messages))) if len(PKs) < 1: raise ValidationError( 'Insufficient number of PKs: should be greater than' ' or equal to 1, got %d' % len(PKs)) signature_point = signature_to_G2(signature) aggregate = FQ12.one() for pk, message in zip(PKs, messages): pubkey_point = pubkey_to_G1(pk) message_point = hash_to_G2(message, DST, cls.xmd_hash_function) aggregate *= pairing(message_point, pubkey_point, final_exponentiate=False) aggregate *= pairing(signature_point, neg(G1), final_exponentiate=False) return final_exponentiate(aggregate) == FQ12.one() except (ValidationError, ValueError, AssertionError): return False
def verify(message: bytes, pubkey: int, signature: bytes, domain: int) -> bool: try: final_exponentiation = final_exponentiate( pairing( FQP_point_to_FQ2_point(decompress_G2(signature)), G1, final_exponentiate=False, ) * pairing( FQP_point_to_FQ2_point(hash_to_G2(message, domain)), neg(decompress_G1(pubkey)), final_exponentiate=False, )) return final_exponentiation == FQ12.one() except (ValidationError, ValueError, AssertionError): return False
def verify(message_hash: Hash32, pubkey: BLSPubkey, signature: BLSSignature, domain: int) -> bool: try: final_exponentiation = final_exponentiate( pairing( signature_to_G2(signature), G1, final_exponentiate=False, ) * pairing( hash_to_G2(message_hash, domain), neg(pubkey_to_G1(pubkey)), final_exponentiate=False, )) return final_exponentiation == FQ12.one() except (ValidationError, ValueError, AssertionError): return False
def _CoreVerify(PK: BLSPubkey, message: bytes, signature: BLSSignature, DST: bytes) -> bool: try: signature_point = signature_to_G2(signature) final_exponentiation = final_exponentiate( pairing( signature_point, G1, final_exponentiate=False, ) * pairing( hash_to_G2(message, DST), neg(pubkey_to_G1(PK)), final_exponentiate=False, )) return final_exponentiation == FQ12.one() except (ValidationError, ValueError, AssertionError): return False
def _CoreVerify(cls, PK: BLSPubkey, message: bytes, signature: BLSSignature, DST: bytes) -> bool: try: assert BaseG2Ciphersuite.KeyValidate(PK) signature_point = signature_to_G2(signature) final_exponentiation = final_exponentiate( pairing( signature_point, G1, final_exponentiate=False, ) * pairing( hash_to_G2(message, DST, cls.xmd_hash_function), neg(pubkey_to_G1(PK)), final_exponentiate=False, )) return final_exponentiation == FQ12.one() except (ValidationError, ValueError, AssertionError): return False
def _CoreAggregateVerify(pairs: Sequence[Tuple[BLSPubkey, bytes]], signature: BLSSignature, DST: bytes) -> bool: try: signature_point = signature_to_G2(signature) accumulator = FQ12.one() for pk, message in pairs: pubkey_point = pubkey_to_G1(pk) message_point = hash_to_G2(message, DST) accumulator *= pairing(message_point, pubkey_point, final_exponentiate=False) accumulator *= pairing(signature_point, neg(G1), final_exponentiate=False) return final_exponentiate(accumulator) == FQ12.one() except (ValidationError, ValueError, AssertionError): return False
def check_proof_single(commitment, proof, x, y, setup): """ Check a proof for a Kate commitment for an evaluation f(x) = y """ # Verify the pairing equation # # e([commitment - y], [1]) = e([proof], [s - x]) # equivalent to # e([commitment - y]^(-1), [1]) * e([proof], [s - x]) = 1_T # s_minus_x = b.add(setup[1][1], b.multiply(b.neg(b.G2), x)) commitment_minus_y = b.add(commitment, b.multiply(b.neg(b.G1), y)) pairing_check = b.pairing(b.G2, b.neg(commitment_minus_y), False) pairing_check *= b.pairing(s_minus_x, proof, False) pairing = b.final_exponentiate(pairing_check) return pairing == b.FQ12.one()
def verify_proof(proof, commitment_root, indices, values, setup): # Regenerate the same r value as above r = int.from_bytes( hash(str([commitment_root[0].n] + indices).encode('utf-8')), 'big') % b.curve_order #print("r", r) commitments, witness = proof # We're making a big pairing check that essentially checks the equation: # sum [(P_i - y_i) * r_i * Z(everything except x_i)] = w * Z(everything) = sum [Q_i * r_i * Z(everything)] # where Z(set) = product: (X - s) for s in set pairing_check = b.FQ12.one() for i, (c, index, v) in enumerate(zip(commitments, indices, values)): for d in range(DEPTH): rfactor = pow(r, i * DEPTH + d, MODULUS) position_of_leaf = index // WIDTH**(DEPTH - d - 1) # Position of this leaf in the data sub_index = position_of_leaf % WIDTH #print('d', d, 'i', index, 'rfactor', rfactor, 'pos', position_of_leaf) # P_i comm = c[d - 1] if d else commitment_root comm = (comm[0], comm[1], b.FQ.one()) leaf = hash_point_to_field(c[d]) if d < DEPTH - 1 else v #print('comm', comm, 'subindex', sub_index, 'leaf', leaf) # (P_i - y_i) * r_i comm_minus_leaf_times_r = b.multiply( b.add(comm, b.multiply(b.G1, MODULUS - leaf)), rfactor) # Z(everything except x_i) Z_comm = b.multiply(setup[3][sub_index], field.inv(LAGRANGE_POLYS[sub_index][-1])) # Add the product into the pairing pairing_check *= b.pairing(Z_comm, comm_minus_leaf_times_r, False) # Z(everything) global_Z_comm = b.add(setup[1][WIDTH], b.neg(setup[1][0])) # Subtract out sum [Q_i * r_i * Z(everything)] pairing_check *= b.pairing(b.neg(global_Z_comm), (witness[0], witness[1], b.FQ.one()), False) o = b.final_exponentiate(pairing_check) assert o == b.FQ12.one(), o return o == b.FQ12.one()
def execute(cls, stack: 'MichelsonStack', stdout: List[str], context: AbstractContext): points = cast(ListType, stack.pop1()) points.assert_type_equal( ListType.create_type(args=[ PairType.create_type(args=[BLS12_381_G1Type, BLS12_381_G2Type]) ])) prod = FQ12.one() for pair in points: g1, g2 = tuple( iter(pair)) # type: BLS12_381_G1Type, BLS12_381_G2Type prod = prod * bls12_381.pairing(g2.to_point(), g1.to_point()) res = BoolType.from_value(FQ12.one() == prod) stack.push(res) stdout.append(format_stdout(cls.prim, [points], [res])) return cls()
def pair(self, other): t1 = bls12_381.pairing(self.m2, other.m1) # t2 = bls12_381.pairing(other.m2, self.m1) # assert t1 == t2 return t1
def verify(message: bytes, pubkey: int, signature: bytes, domain: int) -> bool: final_exponentiation = final_exponentiate( pairing(FQP_point_to_FQ2_point(decompress_G2(signature)), G1, False) * pairing(FQP_point_to_FQ2_point(hash_to_G2(message, domain)), neg(decompress_G1(pubkey)), False)) return final_exponentiation == FQ12.one()
def pairing_check(points: Iterable[Tuple[G1Point, G2Point]]) -> bool: prod = FQ12.one() for g1_point, g2_point in points: prod = prod * bls12_381.pairing(g2_point, g1_point) return FQ12.one() == prod
def pairing(G1: "G1", G2: "G2", final_exponentiate: bool = True) -> "FQ12": return pairing(G2.py_ecc_object, G1.py_ecc_object, final_exponentiate)
def in_group(self): return (bls12_381.pairing(self.m2, bls12_381.G1) == bls12_381.pairing( bls12_381.G2, self.m1))
def singlechecker(agg_pk, agg_sig, msg): final_exp = final_exponentiate( pairing(agg_sig, G1, final_exponentiate=False) * pairing( multiply(G2, hasher(msg)), neg(agg_pk), final_exponentiate=False)) isok = (final_exp == FQ12.one()) return isok