def params(group):
    n1 = 3
    n2 = 4
    generators1 = make_generators(n1)
    generators2 = make_generators(n2)
    x0 = Secret()
    x1 = Secret()
    x2 = Secret()
    x3 = Secret()
    x4 = Secret()
    x5 = Secret()
    secrets = [x0, x1, x2, x3, x4, x5]
    secrets_dict = dict([
        (x0, Bn(1)),
        (x1, Bn(2)),
        (x2, Bn(5)),
        (x3, Bn(100)),
        (x4, Bn(43)),
        (x5, Bn(10)),
    ])

    sum_1 = group.wsum([secrets_dict[x0], secrets_dict[x1], secrets_dict[x2]],
                       generators1)
    secrets_2 = [secrets_dict[x0]]
    for i in range(3, 6):
        secrets_2.append(secrets_dict[secrets[i]])

    sum_2 = group.wsum(secrets_2, generators2)
    p1 = DLRep(sum_1, wsum_secrets([x0, x1, x2], generators1))

    p2 = DLRep(sum_2, wsum_secrets([x0, x3, x4, x5], generators2))
    return p1, p2, secrets_dict
def test_and_proof_simulation_2(group):
    n = 3
    secret_values = [Bn(i) for i in range(n)]
    secrets = [Secret() for _ in range(n)]
    generators = make_generators(n, group)
    lhs = group.wsum(secret_values, generators)

    subproof1 = DLRep(lhs, wsum_secrets(secrets, generators))
    subproof2 = DLRep(lhs, wsum_secrets(secrets, generators))
    andp = AndProofStmt(subproof1, subproof2)
    tr = andp.simulate()
    assert andp.verify_simulation_consistency(tr)
    assert not andp.verify(tr)
def test_and_proof_simulation_1(group):
    n = 3
    secret_values = [Bn(i) for i in range(n)]
    secrets = [Secret() for _ in range(n)]
    generators = make_generators(n, group)
    lhs = group.wsum(secret_values, generators)

    subproof1 = DLRep(lhs, wsum_secrets(secrets, generators))
    subproof2 = DLRep(lhs, wsum_secrets(secrets, generators))
    andp = AndProofStmt(subproof1, subproof2)
    andv = andp.get_verifier()
    tr = andp.simulate_proof()
    tr.stmt_hash = andp.prehash_statement().digest()
    assert not andv.verify_nizk(tr)
Exemplo n.º 4
0
    def commit(self, messages, zkp=True):
        """
        Construct the product of messages and optionaly a Pedersen commitment and its proof.

        Args:
            messages: Messages (attributes) to commit to
            zkp (bool): Whether to construct a Pedersen commitment and proof the knowledge of the
                messages for this commitment.

        Returns:
            :py:class:`UserCommitmentMessage`: user's packed commitment.
        """
        lhs = self.pk.generators[0].group.wsum(
            messages, self.pk.generators[2 : len(messages) + 2]
        )
        com_nizk_proof = None
        if zkp:
            self.s1 = self.pk.generators[0].group.order().random()
            lhs = self.s1 * self.pk.generators[1] + lhs

            # TODO: Extract into a separate ExtendedProofStmt.
            secret_vars = [Secret() for _ in range(len(messages) + 1)]
            secrets = [self.s1] + messages
            rhs = wsum_secrets(secret_vars, self.pk.generators[1 : len(messages) + 2])
            com_stmt = DLRep(lhs, rhs)
            com_nizk_proof = com_stmt.prove(
                {s: v for s, v in zip(secret_vars, secrets)}
            )

        return UserCommitmentMessage(com_message=lhs, com_nizk_proof=com_nizk_proof)
Exemplo n.º 5
0
    def construct_stmt(self, precommitment):
        r"""
        Proof of knowledge of a signature.

        This is an implementation of a proof :math:`\Pi_5` detailed on page 7 of the `Constant-Size
        Dynamick-TAA` paper.
        """

        self.A1, self.A2 = precommitment["A1"], precommitment["A2"]
        g0, g1, g2 = self.bases[0], self.bases[1], self.bases[2]

        dl1 = DLRep(self.A1, self.r1 * g1 + self.r2 * g2)
        dl2 = DLRep(
            g0.group.infinite(),
            self.delta1 * g1 + self.delta2 * g2 + self.secret_vars[0] * (-1 * self.A1),
        )

        self.pair_lhs = self.A2.pair(self.pk.w) + (-1 * self.pk.gen_pairs[0])
        bases = [
            -1 * (self.A2.pair(self.pk.h0)),
            self.bases[2].pair(self.pk.w),
            self.pk.gen_pairs[2],
        ]
        bases.extend(self.pk.gen_pairs[1 : len(self.bases)])

        # Build secret names [e, r1, delta1, s, m_i]
        new_secret_vars = (
            self.secret_vars[:1] + [self.r1, self.delta1] + self.secret_vars[1:]
        )
        pairings_stmt = DLRep(self.pair_lhs, wsum_secrets(new_secret_vars, bases))

        constructed_stmt = AndProofStmt(dl1, dl2, pairings_stmt)
        constructed_stmt.lhs = [p.lhs for p in constructed_stmt.subproofs]
        return constructed_stmt
Exemplo n.º 6
0
def test_expr_repr(group, num):
    secrets = [Secret() for _ in range(num)]
    generators = make_generators(num, group)
    expr = wsum_secrets(secrets, generators)

    expected_repr = " + ".join("Expression({}, {})".format(x, g)
                               for x, g in zip(secrets, generators))
    assert expected_repr == repr(expr)
Exemplo n.º 7
0
def test_same_random_values_in_commitments(group):
    (g, ) = make_generators(1, group)
    generators = [g, g, g]

    pub = group.wsum([Bn(100), Bn(100), Bn(100)], generators)
    x = Secret()
    p = DLRep(pub, wsum_secrets([x, x, x], generators))
    prover = p.get_prover({x: 100})
    commitments = prover.commit()
Exemplo n.º 8
0
def test_get_many_different_provers(group, num):
    generators = make_generators(num, group)

    secrets = [Secret(name="secret_%i" % i) for i in range(num)]
    secrets_vals = [Bn(i) for i in range(num)]
    secret_dict = {secret: val for secret, val in zip(secrets, secrets_vals)}

    p = DLRep(group.wsum(secrets_vals, generators),
              wsum_secrets(secrets, generators))
    prover = p.get_prover(secret_dict)
    _, commitment = prover.commit()
    assert isinstance(commitment, EcPt)
def test_and_proof_fails_when_bases_belong_to_different_groups(group):
    """
    An alien EcPt is inserted in the generators
    """
    g1 = group.generator()
    other_group = EcGroup(706)
    assert group != other_group
    g2 = other_group.generator()

    x = Secret(value=Bn(42))
    y1 = group.wsum([x.value], [g1])
    y2 = other_group.wsum([x.value], [g2])

    p1 = DLRep(y1, wsum_secrets([x], [g1]))
    p2 = DLRep(y2, wsum_secrets([x], [g2]))

    and_proof = AndProofStmt(p1, p2)
    prover = and_proof.get_prover()
    verifier = and_proof.get_verifier()

    # An exception should be raised because of a shared secrets linked to two different groups
    with pytest.raises(GroupMismatchError):
        verify(verifier, prover)
Exemplo n.º 10
0
    def verify_blinding(self, pk):
        """
        Verify the NIZK proof for Pedersen commitment.
        """
        if self.com_nizk_proof is None:
            raise ValueError("No proof to verify")

        # TODO: Extract into a separate ExtendedProofStmt.
        lhs = self.com_message
        generators = pk.generators[1 : len(self.com_nizk_proof.responses) + 1]
        secret_vars = [Secret() for _ in self.com_nizk_proof.responses]
        proof = DLRep(lhs, wsum_secrets(secret_vars, generators))

        return proof.verify(self.com_nizk_proof)
Exemplo n.º 11
0
def test_generators_sharing_a_secret(group, num):
    generators = make_generators(num, group)
    unique_secret = 4

    x = Secret()
    secret_vals = [Bn(unique_secret) for _ in range(num)]
    lhs = group.wsum(secret_vals, generators)
    rhs = wsum_secrets([x] * num, generators)

    p = DLRep(lhs, rhs)
    prover = p.get_prover({x: unique_secret})
    assert isinstance(prover, DLRepProver)

    _, commitment = prover.commit()
    assert isinstance(commitment, EcPt)