def testDifferentKandR(self):
msg = 'some message'
pk = self.pk
sk = self.sk
p = self.params.p
signer = sk.getSigner()
sig = signer.sign(msg)
# Make sure initial verification works
assert pk.getVerifier(sig).verify(msg) == True
# Verify against a different r_hashed
verifier = pk.getVerifier(sig)
verifier.setHashedR(sig.getR() ** integer(2))
assert verifier.verify(msg) == False
# Verify against a different r in the signature
sig_mod = signer.sign(msg)
sig_mod.r = sig.getR() ** integer(42)
verifier = pk.getVerifier(sig_mod)
assert verifier.verify(msg) == False
# verify against a different s in the signature
sig_mod = signer.sign(msg)
sig_mod.s = sig.getS() ** integer(23)
verifier = pk.getVerifier(sig_mod)
assert verifier.verify(msg) == False
# verify against a different r and s in the signature
sig_mod = signer.sign(msg)
sig_mod.s = sig.getS() ** integer(23)
sig_mod.r = sig.getR() ** integer(42)
verifier = pk.getVerifier(sig_mod)
assert verifier.verify(msg) == False
def main():
p = integer(141660875619984104245410764464185421040193281776686085728248762539241852738181649330509191671665849071206347515263344232662465937366909502530516774705282764748558934610432918614104329009095808618770549804432868118610669336907161081169097403439689930233383598055540343198389409225338204714777812724565461351567)
q = integer(70830437809992052122705382232092710520096640888343042864124381269620926369090824665254595835832924535603173757631672116331232968683454751265258387352641382374279467305216459307052164504547904309385274902216434059305334668453580540584548701719844965116691799027770171599194704612669102357388906362282730675783)
cham_hash = ChamHash_Adm05(p, q)
pk, sk = cham_hash.paramgen()
if debug:
print("Paramgen...")
print("pk :=", pk)
print("sk :=", sk)
msg = 'Some message to hash'
c, r, s = cham_hash.hash(pk, msg)
if debug:
print('Hashing: ', msg)
print('Hash is: ', c)
other_msg = 'Some other message to hash, different from previous message'
assert msg != other_msg
new_c, new_r, new_s = cham_hash.find_collision(pk, sk, c, other_msg)
if debug:
print('Hashing: ', other_msg)
print('Hash is: ', new_c)
assert new_c == c, 'Could not generate collision'
if debug:
print('Generated hash collision')
def roundNumber1(self, n1):
Ro = self.pk_i['Ro']
df02_commit = CM_DF02()
pk_commit = { 'S':self.pk_i['S'], 'Z':Ro, 'N':self.pk_i['N'] }
(U, self.vPrime) = df02_commit.commit(pk_commit, self.ms, (ln + lo))
mTilde = integer(randomBits(lm + lo + lh + 1))
(Utilde, vPrimeTilde) = df02_commit.commit(pk_commit, mTilde, (lm + lo + lh + 1))
s1 = hashlib.new('sha256')
s1.update(Conversion.IP2OS(self.context))
s1.update(Conversion.IP2OS(U))
s1.update(Conversion.IP2OS(Utilde))
s1.update(Conversion.IP2OS(n1))
c = integer(s1.digest())
# Responses to challenge
vPrimeHat = vPrimeTilde + (c * self.vPrime)
sHat = mTilde + (c * self.ms)
p1 = { 'c':c, 'vPrimeHat':vPrimeHat, 'sHat':sHat, 'U':U }
n2 = integer(randomBits(lo))
return (p1, n2)
def open(message, i, e_i, s, p_1, p_2):
"""
Open position i of message
:param message: the message to open
:param i: the position of the message to open
:param e_i:
:param s:
:param p_1:
:param p_2:
:return: lamda_i
"""
assert len(message) == len(
s), 'Message and S must have same length. Found {0} vs {1}'.format(
len(message), len(s))
assert i < len(
message), 'Invalid position to open: length of message {0} {1}'.format(
len(message), i)
lamda_tmp = -1
q = len(message)
n = p_1 * p_2
for j in range(q):
if j != i:
tmp = reduce((integer(s[j]) % n)**message[j])
if lamda_tmp == -1:
lamda_tmp = tmp
else:
lamda_tmp = reduce(lamda_tmp * tmp)
phi_n = (p_1 - 1) * (p_2 - 1)
d = 1 / (integer(e_i) % phi_n)
lamda_i = reduce(lamda_tmp**reduce(d))
return int(lamda_i)
def round_1(self, n1):
Ro = self.pk_i['Ro']
df02_commit = CM_DF02()
pk_commit = {'S': self.pk_i['S'], 'Z': Ro, 'N': self.pk_i['N']}
(U, self.vPrime) = df02_commit.commit(pk_commit, self.ms, (ln + lo))
mTilde = integer(randomBits(lm + lo + lh + 1))
(Utilde, vPrimeTilde) = df02_commit.commit(pk_commit, mTilde,
(lm + lo + lh + 1))
s1 = hashlib.new('sha256')
s1.update(Conversion.IP2OS(self.context))
s1.update(Conversion.IP2OS(U))
s1.update(Conversion.IP2OS(Utilde))
s1.update(Conversion.IP2OS(n1))
c = integer(s1.digest())
# Responses to challenge
vPrimeHat = vPrimeTilde + (c * self.vPrime)
sHat = mTilde + (c * self.ms)
p1 = {'c': c, 'vPrimeHat': vPrimeHat, 'sHat': sHat, 'U': U}
n2 = integer(randomBits(lo))
return p1, n2
def setparam(self, p, q):
if p == (2 * q) + 1 and isPrime(p) and isPrime(q):
self.p = integer(p)
self.q = integer(q)
return True
else:
print("p and q are not safe primes!")
return False
def join_2(u):
print("3. User computes x_i and sends C_2 to GM")
xa = (integer(u['alpha']) * integer(u['x']) +
integer(u['beta'])) % (2**lambda_2)
u['x'] = integer(2)**lambda_1 + integer(xa)
u['C_2'] = (u['a']**u['x']) % u['n']
return {'C_2': u['C_2'], 'status': "OK"}
def setparam(self, p, q):
if p == (2 * q) + 1 and isPrime(p) and isPrime(q):
self.p = integer(p)
self.q = integer(q)
return True
else:
print("p and q are not safe primes!")
return False
def setparam(self, p, q):
if isPrime(p) and isPrime(q) and p != q:
self.p = integer(p)
self.q = integer(q)
self.n = self.p * self.q
return True
else:
print("p and q are not primes!")
return False
def setparam(self, p, q):
if isPrime(p) and isPrime(q) and p != q:
self.p = integer(p)
self.q = integer(q)
self.n = self.p * self.q
return True
else:
print("p and q are not primes!")
return False
def v2i(self,rpk): r = self.group.random(ZR) g_r = pair(self.mpk, rpk) ** r V = integer(self.group.serialize(self.pk)) ^ integer(self.group.serialize(g_r)) mPath = [str(x.value) for x in self.path] message = json.dumps(mPath) symKey = hashlib.sha256(self.group.serialize(pair(self.sk, rpk))).digest() cipherRuner = AuthenticatedCryptoAbstraction(symKey) cPath = cipherRuner.encrypt(message) return (r * self.P, V, cPath)
def file_to_issuer_sk(file):
with open(file) as f:
sk_str = json.load(f)
sk_i = {}
sk_i['p'] = integer(sk_str['p'])
sk_i['q'] = integer(sk_str['q'])
return sk_i
def strlist2modint(cls, ls: str) -> integer:
"""
Takes a JSON list and converts it into a modular integer or integer depending on the list's length.
:param ls: JSON list
:return: integer
"""
ls = json.loads(ls)
if len(ls) == 2:
return integer(int(ls[0])) % integer(int(ls[1]))
elif len(ls) == 1:
return integer(int(ls[0]))
else:
raise Exception
def roundNumber2(self, U, attr, n2):
# TODO: Adaptar IRMA
e = randomPrime(le)
vTilde = integer(randomBits(lv - 1))
vPrimePrime = (2 ** (lv - 1)) + vTilde
R = self.pk_i['R']
Cx = 1 % self.pk_i['N']
for i in range(1, len(attr) + 1):
Cx = Cx*(R[str(i)] ** attr[str(i)])
sigA = self.signAttributesLong(attr, vPrimePrime, U, e)
A = sigA['A']
Q = sigA['Q']
phi_N = (self.sk_i['p']-1)*(self.sk_i['q']-1)
e2 = e % phi_N
# The issuer creates an SPK for proving the knowledge of
# e^(-1) according to the equivalence of A and Q^{e-1}
r = randomPrime(le)
Atilde = (Q ** r) % self.pk_i['N']
s3 = hashlib.new('sha256')
s3.update(Conversion.IP2OS(self.context))
s3.update(Conversion.IP2OS(Q))
s3.update(Conversion.IP2OS(A))
s3.update(Conversion.IP2OS(n2))
s3.update(Conversion.IP2OS(Atilde))
#print "issuer Q #1", Q
#print "issuer A", A
#print "issuer n2", n2
#print "issuer Atilde", Atilde
cPrime = integer(s3.digest())
e2Prime = e2 ** - 1
Se = r - (cPrime * integer(e2Prime))
signature = { 'A':A, 'e':e, 'vPrimePrime':vPrimePrime }
P2 = { 'Se':Se, 'cPrime':cPrime }
return (signature, P2)
def roundNumber1(self, n1):
# U: as IRMA does ms and Ro only
Ro = self.pk_i['Ro']
df02_commit = CM_DF02()
pk_commit = { 'S':self.pk_i['S'], 'Z':Ro, 'N':self.pk_i['N'] }
(U, self.vPrime) = df02_commit.commit(pk_commit, self.ms, (ln + lo))
#U = (self.pk_i['S'] ** self.vPrime) * (self.pk_i['Ro'] ** self.ms)
#print "Recipient, U, round1", U
#sU = deepcopy(int(U))
#print "bakcup justo despues, sU", sU
#self.vPrime = vPrime
# P1:
mTilde = integer(randomBits(lm + lo + lh + 1))
(Utilde, vPrimeTilde) = df02_commit.commit(pk_commit, mTilde, (lm + lo + lh + 1))
# CTilde = no lo hacemos ahora, IRMA no lo hace
# Fiat-Shamir challenge, c = H(context | U | UTilde | nonce)
s1 = hashlib.new('sha256')
s1.update(Conversion.IP2OS(self.context))
s1.update(Conversion.IP2OS(U))
s1.update(Conversion.IP2OS(Utilde))
s1.update(Conversion.IP2OS(n1))
c = integer(s1.digest())
# Responses to challenge
vPrimeHat = vPrimeTilde + (c * self.vPrime)
sHat = mTilde + (c * self.ms)
p1 = { 'c':c, 'vPrimeHat':vPrimeHat, 'sHat':sHat, 'U':U }
n2 = integer(randomBits(lo))
#print "Recipient, U, round1 - BEFORE RETURNING", U
#print "backup", sU
return (p1, n2)
def round_2(self, U, p1, attr, n2):
if self.__verify_p1(p1):
pass
# print "P1 verified"
else:
return None
e = randomPrime(le)
vTilde = integer(randomBits(lv - 1))
vPrimePrime = (2 ** (lv - 1)) + vTilde
R = self.pk_i['R']
Cx = 1 % self.pk_i['N']
for i in range(1, len(attr) + 1):
Cx = Cx * (R[str(i)] ** attr[str(i)])
sigA = self.signAttributesLong(attr, vPrimePrime, U, e)
A = sigA['A']
Q = sigA['Q']
phi_N = (self.sk_i['p'] - 1) * (self.sk_i['q'] - 1)
e2 = e % phi_N
r = randomPrime(le)
Atilde = (Q ** r) % self.pk_i['N']
s3 = hashlib.new('sha256')
s3.update(Conversion.IP2OS(self.context))
s3.update(Conversion.IP2OS(Q))
s3.update(Conversion.IP2OS(A))
s3.update(Conversion.IP2OS(n2))
s3.update(Conversion.IP2OS(Atilde))
cPrime = integer(s3.digest())
e2Prime = e2 ** - 1
Se = r - (cPrime * integer(e2Prime))
signature = {'A': A, 'e': e, 'vPrimePrime': vPrimePrime}
P2 = {'Se': Se, 'cPrime': cPrime}
print signature
print P2
return signature, P2
def encrypt(self, pk, m, salt=None):
octetlen = int(ceil(int(pk['N']).bit_length() / 8.0))
EM = self.paddingscheme.encode(m, octetlen, "", salt)
if debug: print("EM == >", EM)
i = Conversion.OS2IP(EM)
ip = integer(i) % pk['N'] #Convert to modular integer
return (ip ** pk['e']) % pk['N']
def join_4(u):
print("5. User verifies credentials")
lhs = integer(u['a'], u['n'])**u['x'] * u['a_0']
rhs = (u['A']**u['e']) % u['n']
print(lhs == rhs)
return lhs == rhs
def verify(self, pk, message, sig):
if debug: print("\nVERIFY\n\n")
sigma1, r, s, e = sig['sigma1'], sig['r'], sig['s'], sig['e']
K, L, c, keyLength, u, h, N = pk['K'], pk['L'], pk['c'], pk[
'length'], pk['u'], pk['h'], pk['N']
# Make sure that 0 < s < 2^{keylength/2}, else reject the signature
if not (0 < s and s < (2**(keyLength / 2))):
return False
# Compute e = H_k(s) and reject the signature if it's not prime
ei = self.HW_hash(K, c, s, keyLength) % N
if not isPrime(ei):
if debug: print("ei not prime")
return False
# Compute Y = sigma1^{2*ceil(log2(s))}
s1 = integer(2**(math.ceil(log[2](s))))
Y = (sigma1**s1) % N
# Hash the mesage using the chameleon hash with fixed randomness r
(x, r2) = self.ChameleonHash.hash(L, message, r)
lhs = (Y**ei) % N
rhs = ((u**x) * h) % N
if debug:
print("lhs =>", lhs)
print("rhs =>", rhs)
# Verify that Y^e = (u^x h) mod N. If so, accept the signature
if lhs == rhs:
return True
# Default: reject the signature
return False
def HW_hash(self, key, c, input, keyLen):
C = integer(c)
input_size = bitsize(c)
input_b = Conversion.IP2OS(input, input_size)
# Return c XOR PRF(k, input), where the output of PRF is keyLength bits
result = C ^ self.Prf.eval(key, input_b)
return result
def sign(self, pk, sk, m, v=0, u=0, e=0):
if (e == 0):
e = randomPrime(le)
lv = ln + lm + lr
if (v == 0):
v = integer(randomBits(lv))
R = pk['R']
Cx = 1 % pk['N']
for i in range(1, len(m) + 1):
Cx = Cx * (R[str(i)] ** m[str(i)])
phi_N = (sk['p']-1)*(sk['q']-1)
e2 = e % phi_N
if (u != 0):
u = u % pk['N']
Cx = Cx*u
q = pk['Z'] / (Cx*(pk['S'] ** v)) % pk['N']
a = q ** (e2 ** -1) % pk['N']
sig = { 'A':a, 'Q':q, 'e':e, 'v':v }
return sig
def encrypt(self, pk, ID,
M): # check length to make sure it is within n bits
Q_id = group.hash(ID, G1) #standard
g_id = pair(Q_id, pk['P2'])
#choose sig = {0,1}^n where n is # bits
sig = integer(randomBits(group.secparam))
r = h.hashToZr(sig, M)
enc_M = self.encodeToZn(M)
if bitsize(enc_M) <= group.messageSize():
C = {
'U': r * pk['P'],
'V': sig ^ h.hashToZn(g_id**r),
'W': enc_M ^ h.hashToZn(sig)
}
else:
print("Message cannot be encoded.")
return None
if (debug):
print('\nEncrypt...')
print('r => %s' % r)
print('sig => %s' % sig)
print("V' =>", g_id**r)
print('enc_M => %s' % enc_M)
group.debug(C)
return C
def verify(u, m, s):
print("VERIFY:")
print("1. Compute c'")
d_1_1 = (u['a_0']**s['c']) * s['T_1']**(s['s_1'] - s['c'] * (2**gamma_1))
d_1_2 = (u['a']**(s['s_2'] - s['c'] * (2**lambda_1))) * u['y']**s['s_3']
d_1 = (d_1_1 / d_1_2) % u['n']
d_2 = ((s['T_2']**(s['s_1'] - s['c'] *
(2**gamma_1))) / u['g']**s['s_3']) % u['n']
d_3 = (s['T_2']**s['c'] * u['g']**s['s_4']) % u['n']
d_4 = (s['T_3']**s['c'] * u['g']**(s['s_1'] - s['c'] * (2**gamma_1)) *
u['h']**s['s_4']) % u['n']
c = integer(
int(
hashlib.sha1(
serialize(u['g']) + serialize(u['h']) + serialize(u['y']) +
serialize(u['a_0']) + serialize(u['a']) + serialize(s['T_1']) +
serialize(s['T_2']) + serialize(s['T_3']) + serialize(d_1) +
serialize(d_2) + serialize(d_3) + serialize(d_4) +
m.encode()).hexdigest(), 16))
print("2. Accept if and only if c = c'")
if c == s['c']:
print("ACCEPT")
return True
else:
print("NOT ACCEPTED")
return False
def verifyAllIRMA_NYM_ONLY(self, m, input):
pAprime = input['pAprime']
pChat = input['pChat']
pEhat = input['pEhat']
mHatMs = input['mHatMs']
pVprimeHat = input['pVprimeHat']
n3 = input['n3']
NYM1 = input['NYM1']
NYM2 = input['NYM2']
Ak = 1 % self.pk_i['N']
R = self.pk_i['R']
for i in range(1, len(m) + 1):
Ak = Ak*(R[str(i)] ** m[str(i)])
That1 = (self.pk_i['Z'] / (Ak * (pAprime ** (2 ** (le - 1))))) ** ((-1 * pChat)) % self.pk_i['N']
That2 = (pAprime ** pEhat) * (self.pk_i['Ro'] ** mHatMs) * (self.pk_i['S'] ** pVprimeHat) % self.pk_i['N']
That = (That1 * That2) % self.pk_i['N']
## challenge
s6 = hashlib.new('sha256')
s6.update(Conversion.IP2OS(NYM2))
s6.update(Conversion.IP2OS(NYM1))
s6.update(Conversion.IP2OS(self.context))
s6.update(Conversion.IP2OS(pAprime))
s6.update(Conversion.IP2OS(That))
pChat2 = integer(s6.digest())
return pChat == pChat2
def HW_hash(self, key, c, input, keyLen):
C = integer(c)
input_size = bitsize(c)
input_b = Conversion.IP2OS(input, input_size)
# Return c XOR PRF(k, input), where the output of PRF is keyLength bits
result = C ^ self.Prf.eval(key, input_b)
return result
def verify(self, pk, message, sig):
if debug: print("\nVERIFY\n\n")
sigma1, r, s, e = sig['sigma1'], sig['r'], sig['s'], sig['e']
K, L, c, keyLength, u, h, N = pk['K'], pk['L'], pk['c'], pk['length'], pk['u'], pk['h'], pk['N']
# Make sure that 0 < s < 2^{keylength/2}, else reject the signature
if not (0 < s and s < (2 ** int(keyLength/2))):
return False
# Compute e = H_k(s) and reject the signature if it's not prime
ei = self.HW_hash(K, c, s, keyLength) % N
if not isPrime(ei):
if debug: print("ei not prime")
return False
# Compute Y = sigma1^{2*ceil(log2(s))}
s1 = integer(2 ** int(math.ceil(log[2](s))))
Y = (sigma1 ** s1) % N
# Hash the mesage using the chameleon hash with fixed randomness r
(x, r2) = self.ChameleonHash.hash(L, message, r)
lhs = (Y ** ei) % N
rhs = ((u ** x) * h) % N
if debug:
print("lhs =>", lhs)
print("rhs =>", rhs)
# Verify that Y^e = (u^x h) mod N. If so, accept the signature
if lhs == rhs:
return True
# Default: reject the signature
return False
def gen_challenge(secret_key, block_id):
Lf = poly(secret_key, block_id)
r = G.random()
xc = G.random()
Kf = g**(r * Lf(xc))
H = (g**r, xc, g**(r * Lf(integer(0, G.q))))
return Kf, H
def gen_proof(challenge, blocks_with_tags):
g_r, xc, g_lf0 = challenge
interpolation_set = [(integer(0, G.q), g_lf0)] + [
(message, g_r**tag) for message, tag in blocks_with_tags
]
Pf = LI_exp(xc, interpolation_set)
return Pf
def sign(self, pk, sk, m, v=0, u=0, e=0):
if (e == 0):
e = randomPrime(le)
lv = ln + lm + lr
if (v == 0):
v = integer(randomBits(lv))
R = pk['R']
Cx = 1 % pk['N']
for i in range(1, len(m) + 1):
Cx = Cx * (R[str(i)]**m[str(i)])
phi_N = (sk['p'] - 1) * (sk['q'] - 1)
e2 = e % phi_N
if (u != 0):
u = u % pk['N']
Cx = Cx * u
q = pk['Z'] / (Cx * (pk['S']**v)) % pk['N']
a = q**(e2**-1) % pk['N']
sig = {'A': a, 'Q': q, 'e': e, 'v': v}
return sig
def verifyHideAllIRMA_PRIME(self, m, input):
pAprime = input['pAprime']
pChat = input['pChat']
pEhat = input['pEhat']
mHatMs = input['mHatMs']
pVprimeHat = input['pVprimeHat']
n3 = input['n3']
NYM1 = input['NYM1']
NYM2 = input['NYM2']
Ak = 1 % self.pk_i['N']
R = self.pk_i['R']
#Ak = Ak*(R['1'] ** m['1'])
That1 = (self.pk_i['Z'] / (Ak * (pAprime ** (2 ** (le - 1))))) ** ((-1 * pChat)) % self.pk_i['N']
That2 = (pAprime ** pEhat) * (self.pk_i['Ro'] ** mHatMs) * (R['1'] ** m['1']) * (self.pk_i['S'] ** pVprimeHat) % self.pk_i['N']
That = (That1 * That2) % self.pk_i['N']
s6 = hashlib.new('sha256')
s6.update(Conversion.IP2OS(NYM1))
s6.update(Conversion.IP2OS(NYM2))
s6.update(Conversion.IP2OS(self.context))
s6.update(Conversion.IP2OS(pAprime))
s6.update(Conversion.IP2OS(That))
s6.update(Conversion.IP2OS(n3))
pChat2 = integer(s6.digest())
return pChat == pChat2
def roundNumber1(self, p1, n1):
df02_commit = CM_DF02()
pk_commit = { 'S':self.pk_i['S'], 'Z':self.pk_i['Ro'], 'N':self.pk_i['N'] }
sHat = p1['sHat']
vPrimeHat = p1['vPrimeHat']
(cA, vPrimeHat) = df02_commit.commit(pk_commit, sHat, 0, vPrimeHat)
U = p1['U'] % self.pk_i['N']
c = p1['c']
Uhat = cA * (U ** (-1 * c))
# knowledge of commited values -- not done in IRMA
# verify challenge c
s2 = hashlib.new('sha256')
s2.update(Conversion.IP2OS(self.context))
s2.update(Conversion.IP2OS(U))
s2.update(Conversion.IP2OS(Uhat))
s2.update(Conversion.IP2OS(n1))
cHat = integer(s2.digest())
return c == cHat
def hashToZn(self, value):
if type(value) == pc_element:
h = hashlib.new(self.hash_type)
h.update(self.group.serialize(value))
#print "digest => %s" % h.hexdigest()
# get raw bytes of digest and hash to Zr
val = h.digest()
return integer(int(self.group.hash(val, ZR)))
# do something related to that
if type(value) == integer:
str_value = int2Bytes(value)
#print("str_value =>", str_value)
#val = self.group.hash(str_value, ZR)
#print("hash =>", val)
return integer(int(self.group.hash(str_value, ZR)))
return None
def setup(self, secparam=None, N=0):
Xz = integer(random(N))
S = randomQR(N)
Z = S ** Xz
return { 'S': S, 'Z': Z, 'N': N }
def setup(self, secparam=None, N=0):
Xz = integer(random(N))
S = randomQR(N)
Z = S**Xz
return {'S': S, 'Z': Z, 'N': N}
def encrypt(self, pk, m, salt=None):
octetlen = int(ceil(int(pk['N']).bit_length() / 8.0))
EM = self.paddingscheme.encode(m, octetlen, "", salt)
if debug: print("EM == >", EM)
i = Conversion.OS2IP(EM)
ip = integer(i) % pk['N'] #Convert to modular integer
return (ip**pk['e']) % pk['N']
def hashToZn1(self, value):
if type(value) == pc_element:
h = hashlib.new(self.hash_type)
h.update(self.group.serialize(value))
#print "digest => %s" % h.hexdigest()
# get raw bytes of digest and hash to Zr
val = h.digest()
return integer(int(unicode(self.group.hash(val, ZR))))
# do something related to that
if type(value) == integer:
str_value = int2Bytes(value)
#print("str_value =>", str_value)
#val = self.group.hash(str_value, ZR)
#print("hash =>", val)
return integer(int(unicode(self.group.hash(str_value, ZR))))
return None
def key_gen(key_size, message_elem_bit_len, vector_len):
"""
Generate keys for vector commitment
:param key_size: security key size (k in the paper)
:param message_elem_bit_len: length of message in bits (l in the paper)
:param vector_len: length of commitment vector (q in the paper)
:return:
"""
k = key_size
l = message_elem_bit_len
q = vector_len
private_key = rsa.generate_private_key(public_exponent=65537,
key_size=k,
backend=default_backend())
private_numbers = private_key.private_numbers()
n = private_numbers.public_numbers.n
p_1 = private_numbers.p
p_2 = private_numbers.q
# logger.info(p_1)
# logger.info(p_2)
phi_n = (p_1 - 1) * (p_2 - 1)
# generate list of primes [e_1,...,e_q], each has length (l+1)
e = list()
while True:
tmp_prime = reduce(randomPrime(l + 1) % n)
if isPrime(tmp_prime) and phi_n % int(tmp_prime) != 0:
e.append(int(tmp_prime))
if len(e) == q:
break
a = random(n)
s = list()
for i in range(q):
tmp_exponent = integer(1) % n
for j in range(q):
if j != i:
tmp_exponent = reduce(tmp_exponent * (integer(e[j]) % n))
s_i = reduce(a**tmp_exponent)
s.append(int(s_i))
return n, int(a), s, e, p_1, p_2
def sign(u, m):
print("SIGN:")
print("1. Generate random value w")
w = random(2**l_p)
T_1 = (u['A'] * u['y']**w) % u['n']
T_2 = (u['g']**w) % u['n']
T_3 = ((u['g']**u['e']) * (u['h']**w)) % u['n']
print("2. Randomly choose r_1, r_2, r_3, and r_4")
r_1 = random(2**(eps * (gamma_2 + k)))
r_2 = random(2**(eps * (lambda_2 + k)))
r_3 = random(2**(eps * (gamma_1 + 2 * l_p + k + 1)))
r_4 = random(2**(eps * (2 * l_p + k)))
print("(a) d_1, d_2, d_3, d_4")
d_1 = ((T_1**r_1) / ((u['a']**r_2) * (u['y']**r_3))) % u['n']
d_2 = ((T_2**r_1) / (u['g']**r_3)) % u['n']
d_3 = (u['g']**r_4) % u['n']
d_4 = ((u['g']**r_1) * (u['h']**r_4)) % u['n']
print("(b) c = HASH()")
c = integer(
int(
hashlib.sha1(
serialize(u['g']) + serialize(u['h']) + serialize(u['y']) +
serialize(u['a_0']) + serialize(u['a']) + serialize(T_1) +
serialize(T_2) + serialize(T_3) + serialize(d_1) +
serialize(d_2) + serialize(d_3) + serialize(d_4) +
m.encode()).hexdigest(), 16))
print("(c) s_1, s_2, s_3, s_4")
s_1 = integer(r_1) - c * (integer(u['e']) - 2**gamma_1)
s_2 = integer(r_2) - c * (integer(u['x']) - 2**lambda_1)
s_3 = integer(r_3) - c * integer(u['e']) * integer(w)
s_4 = integer(r_4) - c * integer(w)
print("3. Output signature")
return {
"c": c,
"s_1": s_1,
"s_2": s_2,
"s_3": s_3,
"s_4": s_4,
"T_1": T_1,
"T_2": T_2,
"T_3": T_3
}
def eval(self, k, input1):
if type(k) == integer:
h = hmac.new(serialize(k), b'', hashlib.sha1)
else:
h = hmac.new(serialize(integer(k)), b'', hashlib.sha1)
h.update(input1)
return Conversion.bytes2integer(h.hexdigest())
def eval(self, k, input1):
if type(k) == integer:
h = hmac.new(serialize(k), b'', hashlib.sha1)
else:
h = hmac.new(serialize(integer(k)), b'', hashlib.sha1)
h.update(input1)
return Conversion.bytes2integer(h.hexdigest())
def rkGen(self, params, skid, IDsrc, IDdest):
N = integer(randomBits(group.secparam))
K = pair(skid['skid'], group.hash(IDdest, G1))
if(debug):
print("\nRe-encryption key for id1 => '%s' to id2 => '%s'" % (IDsrc,IDdest))
group.debug(skid)
print('N => %s' % N)
print('K => %s' % K)
return {'N':N, 'R':group.hash((K, IDsrc, IDdest, N), G1) * skid['skid']}
def selfTest(self):
mt = {}
for i in range(1, self.l + 1):
mt[str(i)] = integer(randomBits(lm)) % self.pk_i['N']
signature = self.pksig.sign(self.pk_i, self.sk_i, mt)
return self.verifySignature(mt, signature)
def rkGen(self, params, skid, IDsrc, IDdest):
N = integer(randomBits(group.secparam))
K = pair(skid['skid'], group.hash(IDdest, G1))
if(debug):
print("\nRe-encryption key for id1 => '%s' to id2 => '%s'" % (IDsrc,IDdest))
group.debug(skid)
print('N => %s' % N)
print('K => %s' % K)
return {'N':N, 'R':group.hash((K, IDsrc, IDdest, N), G1) * skid['skid']}
def verifyEqAll2_IRMA_FORTUNA(self, cred1, cred2, is_pk1, is_pk2, proof):
pAprime1 = proof['pAprime1']
pAprime2 = proof['pAprime2']
c = proof['c']
pEhat1 = proof['pEhat1']
pEhat2 = proof['pEhat2']
ms_eq = proof['ms_eq']
pVprimeHat1 = proof['pVprimeHat1']
pVprimeHat2 = proof['pVprimeHat2']
n32 = proof['n32']
# cred1
Ak = 1 % is_pk1['N']
R = is_pk1['R']
for i in range(1, len(cred1['m']) + 1):
Ak = Ak*(R[str(i)] ** cred1['m'][str(i)])
That1 = (is_pk1['Z'] / (Ak * (pAprime1 ** (2 ** (le - 1))))) ** ((-1 * c)) % is_pk1['N']
That2 = (pAprime1 ** pEhat1) * (is_pk1['Ro'] ** ms_eq) * (is_pk1['S'] ** pVprimeHat1) % is_pk1['N']
ThatCred1 = (That1 * That2) % is_pk1['N']
# cred2
Ak = 1 % is_pk2['N']
R = is_pk2['R']
for i in range(1, len(cred2['m']) + 1):
Ak = Ak*(R[str(i)] ** cred2['m'][str(i)])
That1 = (is_pk2['Z'] / (Ak * (pAprime2 ** (2 ** (le - 1))))) ** ((-1 * c)) % is_pk2['N']
That2 = (pAprime2 ** pEhat2) * (is_pk2['Ro'] ** ms_eq) * (is_pk2['S'] ** pVprimeHat2) % is_pk2['N']
ThatCred2 = (That1 * That2) % is_pk2['N']
s6 = hashlib.new('sha256')
s6.update(Conversion.IP2OS(self.context))
s6.update(Conversion.IP2OS(pAprime1))
s6.update(Conversion.IP2OS(ThatCred1))
s6.update(Conversion.IP2OS(pAprime2))
s6.update(Conversion.IP2OS(ThatCred2))
s6.update(Conversion.IP2OS(n32))
cPrime = integer(s6.digest())
return (c == cPrime)
def selfTest(self):
mt = {}
for i in range(1, self.l+1):
mt[str(i)] = integer(randomBits(lm)) % self.pk_i['N']
signature = self.pksig.sign(self.pk_i, self.sk_i, mt)
return self.verifySignature(mt, signature)
def verify(c, m, i, s, lamda_i, e, n, message_elem_bit_len):
"""
Verify the value at position i is m
:param n:
:param c: ciphertext
:param m: value m
:param i: position
:param s:
:param lamda_i:
:param e:
:param message_elem_bit_len: max bit length of m
:return: whether the value at position i of ciphertext is m
"""
if m.bit_length() <= message_elem_bit_len:
return c == int(
reduce((integer(s[i]) % n)**m) * reduce(
(integer(lamda_i) % n)**e[i]))
return False
def randomize(self, pk, sig):
rA = integer(randomBits(ln + lo))
aP = (sig['A'] * (pk['S'] ** rA)) % pk['N']
vP = sig['v'] - (sig['e'] * rA)
eP = sig['e'] - (2 ** (le - 1))
sigP = { 'A':aP, 'e':eP, 'v':vP }
return sigP
def gen_context(apdu):
n3 = integer(randomBits(256))
n3 = int(n3)
n3_hex = int2hex(n3)
if apdu == 1:
return map(ord, n3_hex)
else:
return n3_hex
def main(): # Receiver has alpha. alpha = G.random() # Sender has polynomial P. P = Poly([G.random() for _ in range(d_p + 1)]) # Sender generates random masking poly P_x P_x = Poly([G.random() for _ in range(d + 1)]) P_x[0] = integer(0, G.q) # To hold assumption that P_x(0) == 0 # Sender defines bivariate polynomial Q(x, y). # deg(Q) == deg(P_x) == d == d_p * k Q = lambda x, y: reduce_modulus(P_x(x) + P(y)) # Receiver hides alpha in a univariate polynomial. # deg(S) == k S = Poly([G.random() for _ in range(k + 1)]) S[0] = alpha # The receiver sets n = dR + 1 = d + 1 = kdP + 1 and chooses N = nm distinct random # values x1, . . . , xN ∈ F, all different from 0. n = k * d_p + 1 N = n * m X = [G.random() for _ in range(N)] # The receiver chooses a random set T of n indices 1 ≤ i1, i2, . . . , in ≤ N. T = list(range(N)) random.shuffle(T) T = T[:n] # Receiver defines N values yi, for 1 ≤ i ≤ N. The value yi is defined as # S(xi) if i is in T, and is a random value if F otherwise. # The receiver sends the N points (Y) to the sender Y = [(x, S(x) if i in T else G.random()) for i, x in enumerate(X)] Qs = [(x, Q(x, y)) for x, y in Y] # Receiver calculates values. R_values = [v for i, v in enumerate(Qs) if i in T] R_0 = LI(integer(0, G.q), R_values) P_alpha = P(alpha) assert R_0 == P_alpha
def gen_nonce(len_nonce, apdu):
n3 = integer(randomBits(len_nonce))
n3 = int(n3)
n3_hex = int2hex(n3)
if apdu == 1:
return map(ord, n3_hex)
else:
return n3_hex
def randomize(self, pk, sig):
rA = integer(randomBits(ln + lo))
aP = (sig['A'] * (pk['S']**rA)) % pk['N']
vP = sig['v'] - (sig['e'] * rA)
eP = sig['e'] - (2**(le - 1))
sigP = {'A': aP, 'e': eP, 'v': vP}
return sigP
def verifyEqAll2_IRMA_H(self, cred1, cred2, is_pk1, is_pk2, proof):
pAprime1 = proof['pAprime1']
pAprime2 = proof['pAprime2']
c = proof['c']
pEhat1 = proof['pEhat1']
pEhat2 = proof['pEhat2']
mHatMs1 = proof['mHatMs1']
mHatMs2 = proof['mHatMs2']
pVprimeHat1 = proof['pVprimeHat1']
pVprimeHat2 = proof['pVprimeHat2']
n31 = proof['n31']
n32 = proof['n32']
# cred1
Ak = 1 % is_pk1['N']
R = is_pk1['R']
Ak = Ak*(R['1'] ** cred1['m']['1'])
That1 = (is_pk1['Z'] / (Ak * (pAprime1 ** (2 ** (le - 1))))) ** ((-1 * c)) % is_pk1['N']
That2 = (pAprime1 ** pEhat1) * (is_pk1['Ro'] ** mHatMs1) * (R['2'] ** cred1['m']['2']) * (R['3'] ** cred1['m']['3']) * (R['4'] ** cred1['m']['4']) * (R['5'] ** cred1['m']['5']) * (is_pk1['S'] ** pVprimeHat1) % is_pk1['N']
ThatCred1 = (That1 * That2) % is_pk1['N']
# cred2
Ak = 1 % is_pk2['N']
R = is_pk2['R']
Ak = Ak*(R['1'] ** cred2['m']['1'])
That1 = (is_pk2['Z'] / (Ak * (pAprime2 ** (2 ** (le - 1))))) ** ((-1 * c)) % is_pk2['N']
That2 = (pAprime2 ** pEhat2) * (is_pk2['Ro'] ** mHatMs2) * (R['2'] ** cred2['m']['2']) * (R['3'] ** cred2['m']['3']) * (R['4'] ** cred2['m']['4']) * (R['5'] ** cred2['m']['5']) * (is_pk2['S'] ** pVprimeHat2) % is_pk2['N']
ThatCred2 = (That1 * That2) % is_pk2['N']
s6 = hashlib.new('sha256')
s6.update(Conversion.IP2OS(self.context))
s6.update(Conversion.IP2OS(pAprime1))
s6.update(Conversion.IP2OS(ThatCred1))
s6.update(Conversion.IP2OS(pAprime2))
s6.update(Conversion.IP2OS(ThatCred2))
s6.update(Conversion.IP2OS(n32))
cPrime = integer(s6.digest())
return (c == cPrime)
def sign(self, sk, M, salt=None):
#apply encoding
while True:
octetlen = int(ceil(int(sk['N']).bit_length() / 8.0))
em = self.paddingscheme.encode(M, octetlen, "", salt)
m = Conversion.OS2IP(em)
m = integer(m) % sk['N'] #ERRROR m is larger than N
p = sk['p']
q = sk['q']
yp = sk['yp']
yq = sk['yq']
mp = (m**((p + 1) / 4)) % p
mq = (m**((q + 1) / 4)) % q
r1 = ((int(yp) * int(p) * int(mq)) +
((int(yq) * int(q) * int(mp)))) % int(sk['N'])
r2 = int(sk['N']) - int(r1)
s1 = (int(yp) * int(p) * int(mq) -
int(yq) * int(q) * int(mp)) % int(sk['N'])
s2 = int(sk['N']) - int(s1)
if (((int((integer(r1)**2) % sk['N'] - m)) == 0)
or ((int((integer(r2)**2) % sk['N'] - m)) == 0)
or ((int((integer(s1)**2) % sk['N'] - m)) == 0)
or ((int((integer(s2)**2) % sk['N'] - m)) == 0)):
break
S = {'s1': r1, 's2': r2, 's3': s1, 's4': s2}
if debug:
print("Signing")
print("m =>", m)
print("em =>", em)
print("S =>", S)
return S
def file_to_issuer_pk(file):
with open(file) as f:
pk_str = json.load(f)
pk_i = {}
R = {}
R_str = pk_str['R']
pk_i['N'] = integer(pk_str['N'])
for i in range(1, len(R_str) + 1):
R[str(i)] = integer(R_str[str(i)]) % pk_i['N']
pk_i['R'] = R
pk_i['S'] = integer(pk_str['S']) % pk_i['N']
pk_i['Z'] = integer(pk_str['Z']) % pk_i['N']
pk_i['Ro'] = integer(pk_str['Ro']) % pk_i['N']
return pk_i
def commit(self, pk, msg, lr, ri=0):
S = pk['S']
Z = pk['Z']
if (lr == 0):
r = ri
else:
r = integer(randomBits(lr))
c = ((Z ** msg) * (S ** r)) % pk['N']
d = r
return (c, d)
def setupBlock(self, secparam=None, N=0, l=16):
Xr = {}
for i in range(1, l + 1):
Xr[str(i)] = integer(random(N))
S = randomQR(N)
R = {}
for i in range(1, l + 1):
R[str(i)] = S ** Xr[str(i)]
return { 'S': S, 'R': R, 'N': N }
def keygen(self, p, q):
N = p * q
Xz = integer(random(N))
Xr = {}
for i in range(1, l + 1):
Xr[str(i)] = integer(random(N))
S = randomQR(N)
Z = S ** Xz
R = {}
for i in range(1, l + 1):
R[str(i)] = S ** Xr[str(i)]
pk = { 'N':N, 'R':R,'S':S, 'Z':Z }
sk = { 'p':p, 'q':q }
return (pk, sk)
def prove(self, pk_i, credential, cl_predicate, m, m_tilde, ms=None, c=None):
if not c:
r_a = integer(randomBits(ln + lo))
A_prime = (credential['signature']['A'] * (pk_i['S'] ** r_a)) % pk_i['N']
v_prime = credential['signature']['v'] - (credential['signature']['e'] * r_a)
e_prime = credential['signature']['e'] - (2 ** (le - 1))
e_tilde = integer(randomBits(lePrime + lo + lh))
v_prime_tilde = integer(randomBits(lv + lo + lh))
R_tot = 1 % pk_i['N']
for id in credential['attributes']:
if id not in cl_predicate:
R_tot = R_tot * (pk_i['R'][id] ** m_tilde[id])
R_tot = R_tot * (pk_i['Ro'] ** m_tilde['0'])
Z_tilde1 = A_prime ** e_tilde
Z_tilde3 = pk_i['S'] ** v_prime_tilde
Z_tilde = (Z_tilde1 * R_tot * Z_tilde3) % pk_i['N']
self.e_tilde = e_tilde
self.e_prime = e_prime
self.v_prime_tilde = v_prime_tilde
self.v_prime = v_prime
return Z_tilde, A_prime
else:
e_hat = self.e_tilde + (c * self.e_prime)
v_prime_hat = self.v_prime_tilde + (c * self.v_prime)
m_hat = {}
for id in credential['attributes']: # TODO: not in Ar (not revealed!)
if id not in cl_predicate:
m_hat[id] = m_tilde[id] + (c * m[id])
m_hat['0'] = m_tilde['0'] + (c * ms)
return {'e_hat': e_hat, 'v_prime_hat': v_prime_hat, 'm_hat': m_hat}
def commit(self, pk, msg, lr, ri=0):
S = pk['S']
Z = pk['Z']
if (lr == 0):
r = ri
else:
r = integer(randomBits(lr))
c = ((Z**msg) * (S**r)) % pk['N']
d = r
return (c, d)
