Пример #1
0
    def verify(self, params, pk, m, n, sig):
        """
		Verifies a signature on messages m
		e(R,V) e(S,H) Pi e(M_i,W_i) == e(G,Z)
		e(R,T) Pi e(U_i, N_i) == e(G,H)
		"""
        #print("BSPS: Verify")
        R, S, T = sig
        o, G, g1, g2, e = params
        if (R.eq(G1Elem.inf(G)) and S.eq(G1Elem.inf(G))
                and T.eq(G2Elem.inf(G))):
            print("BSPS: Verify --- Error: signature null")
            print("BSPS: Verify", 0)
            return 0

        U, W, V, Z = pk

        res1 = e(R, V) * e(S, g2)
        for i in range(self.msg_g1):
            if i < len(m):
                res1 = res1 * e(m[i], W[i])
            else:
                res1 = res1 * e(g1, W[i])

        res2 = e(R, T)
        for j in range(self.msg_g2):
            if j < len(n):
                res2 = res2 * e(U[j], n[j])
            else:
                res2 = res2 * e(U[j], g2)

        return res1.eq(e(g1, Z)) and res2.eq(e(g1, g2))
Пример #2
0
    def sign(self, params, sk, m, n):
        """Signs a list of group elements of G1 and G2"""
        #print("BSPS: Sign")
        o, G, g1, g2, _ = params
        if len(m) > self.msg_g1 or len(n) > self.msg_g2:
            print("BSPS: Sign --- Error: message(s) too long", len(m), ">?",
                  self.msg_g1, len(n), ">?", self.msg_g2)
            return (G1Elem.inf(G), G1Elem.inf(G), G2Elem.inf(G))
        u, w, v, z = sk

        r = o.random()
        R = r * g1
        temp = z.mod_sub(r.mod_mul(v, o), o)
        S = temp * g1
        T = g2

        for i in range(self.msg_g1):
            if i < len(m):
                S = S + w[i].int_neg() * m[i]
            else:
                S = S + w[i].int_neg() * g1
        for j in range(self.msg_g2):
            if j < len(n):
                T = T + u[j].int_neg() * n[j]
            else:
                T = T + u[j].int_neg() * g2

        return [R, S, r.mod_inverse(o) * T]
Пример #3
0
def test_usps_proof():
    gsp = GSProof()
    gsp.ExtGen()
    params = gsp.P

    sps = USPS()
    sk, pk = sps.keygen(params)
    gz, gr = pk[0], pk[1]
    pki = pk[2:]

    m = [
        gsp.G.hashG1(b"Hello World!"),
        gsp.G.hashG1(b"Hello me!"),
        gsp.G.hashG1(b"Hello us!")
    ]

    if len(m) < len(pk) - 2:
        for i in range(len(pk) - 2 - len(m)):
            m.append(G1Elem.inf(gsp.G))
    elif len(pk) - 2 < len(m):
        return
    sig = sps.sign(params, sk, m)
    print("Does the signature verify?", sps.verify(params, pk, m, sig))

    PK = []
    for i in range(len(pk)):
        PK.append(gsp.Commit({"group": 2, "type": "com", "value": pk[i]}))
    M = [
        gsp.Commit({
            "group": 1,
            "type": "com",
            "value": m[0]
        }),
        gsp.Commit({
            "group": 1,
            "group": 1,
            "type": "pub",
            "value": m[1]
        }),
        gsp.Commit({
            "group": 1,
            "type": "pub",
            "value": m[2]
        })
    ]
    for i in range(len(pk) - 2 - len(m)):
        M.append(
            gsp.Commit({
                "group": 1,
                "type": "pub",
                "value": G1Elem.inf(gsp.G)
            }))
    SIG = []
    for i in range(len(sig)):
        SIG.append(gsp.Commit({"group": 1, "type": "com", "value": sig[i]}))

    verify, res = proof_usps_hidesigandsigner(gsp, PK, M, SIG)
    assert verify
Пример #4
0
def getsignature(self, ask, who):
    ask_s = b64decode(str(raw_input(ask)))
    s = G1Elem.from_bytes(ask_s, self.params[0])
    ask_p = b64decode(str(raw_input(who)))
    p = G2Elem.from_bytes(ask_p, self.params[0])
    assert p in self.vks
    return (s, p)
Пример #5
0
def aggr_pdf(pdfname, pdfpaths, origin_directory):
    params = setup()
    (G, o, g1, g2, e) = params

    # 从多个文件中读出所有签名
    sigs = []
    for path in pdfpaths:
        pdf = PdfReader(path + os.path.sep + pdfname)
        try:
            sig_str:str =  pdf.Info.signature
            sig_str = sig_str[1:-1]
            sig_bytes = base64.b64decode( sig_str.encode("utf-8") )
            sig_g1elem = G1Elem.from_bytes(sig_bytes,G)
        except:
            sig_g1elem = None
        sigs.append(sig_g1elem)

    print('all_sigs:',sigs)

    # 聚合所有签名
    sigma = aggregate_sigma(params, sigs)
    print('type sigma:',type(sigma))
    sigma_bytes = sigma.export()
    sigma_str = base64.b64encode(sigma_bytes).decode()

    # 将聚合后的签名写回运行路径中新建的以blockstackid命名的pdf中
    pdf = PdfReader(origin_directory + os.path.sep + pdfname)
    metadata_new = PdfDict(signature = sigma_str)
    pdf.Info.update(metadata_new)
    PdfWriter().write(pdfname, pdf)
Пример #6
0
 def verifyEq(self, eq, x, b, a, y, c, t):
     #print("verifyEq")
     if eq in ["PPE", "PN1", "PC1", "PN2", "PC2"]:
         #print("eq in [\"PPE\", \"PN1\", \"PC1\", \"PN2\", \"PC2\"]")
         T = GTElem.zero(self.G)
         for i in range(min(len(x), len(b))):
             T = T * self.e(x[i]["value"], b[i]["value"])
         for j in range(min(len(a), len(y))):
             T = T * self.e(a[j]["value"], y[j]["value"])
         for i in range(len(c)):
             for j in range(len(c[i])):
                 T = T * self.e(c[i][j] * x[i]["value"], y[j]["value"])
         return T.eq(t)
     else:
         #print("eq NOT in [\"PPE\", \"PN1\", \"PC1\", \"PN2\", \"PC2\"]")
         T = Bn(0)
         if eq in ["ME1", "MN1", "MC1", "ML1"]:
             T = G1Elem.inf(self.G)
         elif eq in ["ME2", "MN2", "MC2", "ML2"]:
             T = G2Elem.inf(self.G)
         elif eq not in ["QE", "QC1", "QC2"]:
             print("eq error", eq)
             return 0
         for i in range(min(len(x), len(b))):
             T += x[i]["value"] * b[i]["value"]
         for j in range(min(len(a), len(y))):
             T += a[j]["value"] * y[j]["value"]
         for i in range(len(c)):
             for j in range(len(c[i])):
                 if c[i][j] != 0:
                     T += c[i][j] * x[i]["value"] * y[j]["value"]
         return T.eq(t)
Пример #7
0
def test_proof():
    from bplib.bp import G1Elem
    from bplib.bp import G2Elem
    from bplib.bp import GTElem
    from petlib.bn import Bn
    from gsproof import GSProof
    gsp = GSProof()
    gsp.ExtGen()
    params = gsp.P

    sps = USPS()
    sk, pk = sps.keygen(params)
    gz, gr = pk[0], pk[1]
    pki = pk[2:]

    M = [b"Hello World!", b"Hello me!", b"Hello us!"]
    m = []
    for i in range(len(M)):
        if type(M[i]) == bytes:
            m.append(gsp.G.hashG1(M[i]))
        elif type(M[i]) == G1Elem:
            m.append(M[i])
        else:
            print("Error: wrong input, expected G1, got ", type(M[i]))
            return 0, []

    if len(m) < sps.nb_msg:
        for i in range(sps.nb_msg - len(m)):
            m.append(G1Elem.inf(gsp.G))
    elif sps.nb_msg < len(m):
        return
    sig = sps.sign(params, sk, m)

    verify, res = sps.proof_usps_hidesigandsigner(gsp, pk, M, sig)
    assert verify
Пример #8
0
def proof_pkuv(gsp, X, Y):
    res = []
    B = []
    A = []
    C = []
    for i in range(len(X)):
        row = []
        for j in range(len(Y)):
            row.append(Bn(0))
        C.append(row)
    C[6][0] = Bn(1)  # pk_uv
    C[5][1] = Bn(-1)  # - h_v^sku
    success, result = gsp.Prove_aggreg("MC1", X, B, A, Y, C, G1Elem.inf(gsp.G))
    verify = 0
    if success:
        eq_type, X, Y, C, T_eq, pi2_v1, pi2_w1, pi1_v2, pi1_w2 = result
        #verify = gsp.Verify(eq_type, X, Y, C, pi2_v1, pi2_w1, pi1_v2, pi1_w2)
        #if verify:
        res = [C, [pi2_v1, pi2_w1, pi1_v2, pi1_w2]]
    #print("Do we successfully create a proof?", success)
    #print("Does the proof successfully verify?", verify)

    print("\n----pk uv")
    for i in range(len(res[1])):
        for j in range(2):
            if type(res[1][i][j]) == G1Elem:
                print(i, j, type(res[1][i][j]),
                      res[1][i][j].eq(G1Elem.inf(gsp.G)))
            else:
                print(i, j, type(res[1][i][j]),
                      res[1][i][j].eq(G2Elem.inf(gsp.G)))

    b = challenge(result)
    for i in range(len(res[0])):
        for j in range(len(res[0][0])):
            if res[0][i][j] != 0:
                res[0][i][j] = b * res[0][i][j]
    for i in range(len(res[1])):
        for j in range(len(res[1][i])):
            res[1][i][j] = b * res[1][i][j]

    #verify = gsp.Verify("ME1", X, Y, C, res[1][0], res[1][1], res[1][2], res[1][3])
    #print("Does the (aggregate) proof verify?", verify)

    return res
Пример #9
0
def test_bsps_proof():
    """ create GS proof that sig verifies with the signature and all but the first message secret """
    gsp = GSProof()
    gsp.ExtGen()
    params = gsp.P

    sps = BSPS()
    sk, pk = sps.keygen(params)

    u, w, v, z = sk
    U, W, V, Z = pk

    t = Bn(7)
    m1 = [gsp.g1 * t, gsp.G.hashG1(b"Hello World!")]
    m2 = [Bn.from_binary(b"Hello you!") * gsp.g2]

    for i in range(len(W) - len(m1)):
        m1.append(G1Elem.inf(gsp.G))

    for i in range(len(U) - len(m2)):
        m2.append(G2Elem.inf(gsp.G))

    sig = sps.sign(params, sk, m1, m2)
    print("Does the signature verify?", sps.verify(params, pk, m1, m2, sig))

    PK = [[], []]
    for i in range(len(U)):
        PK[0].append(gsp.Commit({"group": 1, "type": "pub", "value": U[i]}))
    for i in range(len(W)):
        PK[1].append(gsp.Commit({"group": 2, "type": "pub", "value": W[i]}))
    PK.append(gsp.Commit({"group": 2, "type": "pub", "value": V}))
    PK.append(gsp.Commit({"group": 2, "type": "pub", "value": Z}))
    M1 = [gsp.Commit({"group": 1, "type": "bas", "value": gsp.g1})]
    for i in range(len(m1) - 1):
        M1.append(gsp.Commit({"group": 1, "type": "com", "value": m1[i + 1]}))
    M2 = []
    for i in range(len(m2)):
        M2.append(gsp.Commit({"group": 2, "type": "com", "value": m2[i]}))
    SIG = [
        gsp.Commit({
            "group": 1,
            "type": "com",
            "value": sig[0]
        }),
        gsp.Commit({
            "group": 1,
            "type": "com",
            "value": sig[1]
        }),
        gsp.Commit({
            "group": 2,
            "type": "com",
            "value": sig[2]
        })
    ]
    verify, result = proof_bsps_hidemandsig(gsp, PK, M1, M2, t, SIG)
    assert verify
Пример #10
0
def get_sig(r, params, n, text):
    r.recvuntil("what do you want to do?")
    r.sendline(n)
    r.recvuntil("you want me to sign what?")
    r.sendline(text)
    r.recvline()
    r.recvline()
    l = r.recvline()[:-1]
    return G1Elem.from_bytes(b64decode(l), params[0])
Пример #11
0
 def CommitG2Scalar(self, val, x, r):
     c0 = x * self.u2[0] + r * self.v2[0]
     c1 = x * self.u2[1] + r * self.v2[1]
     val["value"] = [c0, c1]
     val["committed"] = {
         1: G1Elem.inf(self.G),
         2: G2Elem.inf(self.G),
         "Zp": x,
         "r": r,
         "s": 0
     }
     return val
Пример #12
0
 def CommitG2Group(self, val, x2, r, s):
     c0 = r * self.v2[0] + s * self.w2[0]
     c1 = x2 + r * self.v2[1] + s * self.w2[1]
     val["value"] = [c0, c1]
     val["committed"] = {
         1: G1Elem.inf(self.G),
         2: x2,
         "Zp": 0,
         "r": r,
         "s": s
     }
     return val
Пример #13
0
def proof_exponent_gs1_pk_public(gsp, g1, sk, pk):
    x = [{"type": "com", "value": g1}, {"type": "com", "value": pk}]
    b = [{"type": "sca", "value": Bn(0)}, {"type": "unt", "value": Bn(1)}]
    a = [{"type": "pub", "value": G1Elem.inf(gsp.G)}]
    y = [{"type": "sca", "value": sk}]
    c = [[Bn(-1)], [Bn(0)]]

    success, res = gsp.CommitProof_eq("ME1", x, b, a, y, c, G1Elem.inf(gsp.G))
    verify = 0
    if success:
        eq_type, X, Y, C, T_eq, pi2_v1_ap, pi2_w1_ap, pi1_v2_ap, pi1_w2_ap = res
        pi2_v1, pi2_w1, pi1_v2, pi1_w2 = gsp.Randomize(eq_type, pi2_v1_ap,
                                                       pi2_w1_ap, pi1_v2_ap,
                                                       pi1_w2_ap)
        verify = gsp.Verify(eq_type, X, Y, C, pi2_v1, pi2_w1, pi1_v2, pi1_w2)
        if verify:
            res = [[pi2_v1, pi2_w1, pi1_v2, pi1_w2], [eq_type, X, Y, C, T_eq]]
    print("Do we successfully create a first proof?", success)
    print("Does the first proof successfully verify?", verify)
    print()
    return verify, res
Пример #14
0
    def sign(self, params, sk, m):
        """Signs a list of group elements of G1"""
        #print("SPS: Sign")
        (o, G, g1, g2, e) = params
        if len(m) > self.nb_msg:
            print("Error: too many messages to sign")
            return (G1Elem.inf(G), G1Elem.inf(G))
        M = []
        for i in range(len(m)):
            if type(m[i]) == G1Elem:
                M.append(m[i])
            elif type(m[i]) == bytes:
                M.append(G.hashG1(m[i]))
            else:
                print("Error: type message")
                return -1
        sig = [sk[0][0].int_neg() * M[0], sk[0][1].int_neg() * M[0]]
        for i in range(1, len(M)):
            sig[0] = sig[0] + sk[i][0].int_neg() * M[i]
            sig[1] = sig[1] + sk[i][1].int_neg() * M[i]

        return sig
Пример #15
0
    def Calc_MSG1(self, x1, b, a1, y, c, t1):
        n = len(x1)
        m = len(y)
        if len(b) != n or len(a1) != m or len(c) != n * m or len(t1) != 1:
            return 0

        B1 = G1Elem.inf(self.G)
        for i in range(m):
            B1 += b[i] * x1[i]

        A1 = G1Elem.inf(self.G)
        for j in range(n):
            A1 += y[j] * a1[j]

        C1 = G1Elem.inf(self.G)
        for i in range(n):
            for j in range(m):
                C1 += (c[i][j] * y[j]) * x1[i]

        validate = 0
        if A1 + B1 + C1 == t1:
            validate = 1
        return A1 + B1 + C1, t1, validate
Пример #16
0
    def verify(self, params, pk, m, sig):
        """
		Verifies a signature on messages m
		e(z, g_z) e(r, g_r) Pi e(M_i, g_i) == e(g1, g2)
		"""
        #print("SPS: Verify")
        (o, G, g1, g2, e) = params
        s0, s1 = sig
        if (s0 == G1Elem.inf(G) and s1 == G1Elem.inf(G)):
            print("USPS: Verify --- Error: signature null")
            print("SPS: Verify", 0)
            return 0

        M = []
        for i in range(len(m)):
            if type(m[i]) == G1Elem:
                M.append(m[i])
            elif type(m[i]) == bytes:
                M.append(G.hashG1(m[i]))
            else:
                print("Error: type message")
                return -1

        ctr = 0
        for i in range(len(M)):
            if M[i] == G1Elem.inf(G):
                ctr += 1
        if ctr == len(M):
            print("USPS: Verify --- Error: message null")
            print("SPS: Verify", 0)
            return 0
        gz, gr = pk[0], pk[1]
        pki = pk[2:]
        res = e(s0, gz) * e(s1, gr)
        for i in range(len(M)):
            res = res * e(M[i], pki[i])
        return res.eq(GTElem.one(G))
Пример #17
0
    def CheckEqResult(self, eq, T):
        #print("CheckEqResult")
        if eq in ["PPE", "PN1", "PC1", "PN2", "PC2"]:
            if T != GTElem.zero(self.G):
                return 0
        elif eq in ["ME1", "MN1", "MC1", "ML1"]:
            if T != G1Elem.inf(self.G):
                return 0
        elif eq in ["ME2", "MN2", "MC2", "ML2"]:
            if T != G2Elem.inf(self.G):
                return 0
        elif eq in ["QE", "QC1", "QC2"]:
            if T != Bn(0):
                return 0

        return 1
Пример #18
0
def test_G2_scalar_comm():
    GS = GSProof()
    ck, xk, P = GS.ExtGen()
    order, G, u1, v1, w1, u2, v2, w2 = ck
    y = order.random()
    r = order.random()
    struct = {}
    struct = GS.CommitG2Scalar(struct, y, r)

    assert struct["value"][0] == y * GS.u2[0] + r * GS.v2[0]
    assert struct["value"][1] == y * GS.u2[1] + r * GS.v2[1]

    assert struct["committed"][1] == G1Elem.inf(G)
    assert struct["committed"][2] == G2Elem.inf(G)
    assert struct["committed"]["Zp"] == y
    assert struct["committed"]["r"] == r
    assert struct["committed"]["s"] == Bn(0)
Пример #19
0
def test_G1_group_comm():
    GS = GSProof()
    ck, xk, P = GS.ExtGen()
    order, G, u1, v1, w1, u2, v2, w2 = ck
    x1 = order.random() * G.gen1()
    r = order.random()
    s = order.random()
    struct = {}
    struct = GS.CommitG1Group(struct, x1, r, s)

    assert struct["value"][0] == G1Elem.inf(G) + r * GS.v1[0] + s * GS.w1[0]
    assert struct["value"][1] == x1 + r * GS.v1[1] + s * GS.w1[1]

    assert struct["committed"][1] == x1
    assert struct["committed"][2] == G2Elem.inf(G)
    assert struct["committed"]["Zp"] == Bn(0)
    assert struct["committed"]["r"] == r
    assert struct["committed"]["s"] == s
Пример #20
0
def test_G2_group_comm():
    GS = GSProof()
    ck, xk, P = GS.ExtGen()
    order, G, u1, v1, w1, u2, v2, w2 = ck
    y2 = order.random() * G.gen2()
    r = order.random()
    s = order.random()
    struct = {}
    struct = GS.CommitG2Group(struct, y2, r, s)

    assert struct["value"][0] == G2Elem.inf(G) + r * GS.v2[0] + s * GS.w2[0]
    assert struct["value"][1] == y2 + r * GS.v2[1] + s * GS.w2[1]

    assert struct["committed"][1] == G1Elem.inf(G)
    assert struct["committed"][2] == y2
    assert struct["committed"]["Zp"] == Bn(0)
    assert struct["committed"]["r"] == r
    assert struct["committed"]["s"] == s
Пример #21
0
def proof_exponent(gsp, pk_i, pk_ui, sku):
    x = [pk_i, pk_ui]
    b = []
    a = []
    y = [sku, gsp.Commit({"group": 2, "type": "unt", "value": 1})]
    c = [[1, 0], [0, -1]]

    eq = "MC1"
    if pk_ui["type"] == "com":
        eq = "ME1"
    success, res = gsp.Prove_eq(eq, x, b, a, y, c, G1Elem.inf(gsp.G))
    verify = 0
    if success:
        eq_type, X, Y, C, T_eq, pi2_v1, pi2_w1, pi1_v2, pi1_w2 = res
        verify = gsp.Verify(eq_type, X, Y, C, pi2_v1, pi2_w1, pi1_v2, pi1_w2)
        if verify:
            res = [[pi2_v1, pi2_w1, pi1_v2, pi1_w2], [eq_type, X, Y, C, T_eq]]
    print("Do we successfully create a proof?", success)
    print("Does the proof successfully verify?", verify)
    print()
    return verify, res
Пример #22
0
    def MakeMatrices(self, x, b, a, y, c, t):
        #print("Make Matrices")
        X = []
        X.extend(x)
        X.extend(a)

        Y = []
        Y.extend(y)
        Y.extend(b)

        C = []
        for i in range(len(x) + len(a)):
            row = []
            for j in range(len(y) + len(b)):
                if i < len(x):
                    if j < len(y):
                        temp = c[i][j]
                        if type(temp) != Bn:
                            temp = Bn(temp)
                        row.append(c[i][j])
                    elif j == len(y) + i:
                        temp = Bn(1)
                        if b[j - len(y)]["committed"][2] == G2Elem.inf(
                                self.G) and b[j - len(y)]["type"] == "pub":
                            temp = Bn(0)
                        row.append(temp)
                    else:
                        row.append(Bn(0))
                else:
                    if i == len(x) + j:
                        temp = Bn(1)
                        if a[i - len(x)]["committed"][1] == G1Elem.inf(
                                self.G) and a[i - len(x)]["type"] == "pub":
                            temp = Bn(0)
                        row.append(temp)
                    else:
                        row.append(Bn(0))
            C.append(row)

        return X, Y, C, t
Пример #23
0
    return b64encode(x.export())


params = setup()

# ask_p = b64decode(str(raw_input("P0")))
p0 = G2Elem.from_bytes(p0, params[0])

# ask_p = b64decode(str(raw_input("P1")))
p1 = G2Elem.from_bytes(p1, params[0])

# ask_p = b64decode(str(raw_input("P2")))
p2 = G2Elem.from_bytes(p2, params[0])

# ask_s = b64decode(str(raw_input("S0")))
s0 = G1Elem.from_bytes(s0, params[0])

# ask_s = b64decode(str(raw_input("S2")))
s2 = G1Elem.from_bytes(s2, params[0])

(G, o, g1, g2, e) = params
t = 3
l = [lagrange_basis(t, o, i, 0) for i in range(1, t + 1)]
t = 2
l2 = [lagrange_basis(t, o, i, 0) for i in range(1, t + 1)]

deetv = [p0, p1, p2 * l2[0] + (p0 * l[0]).neg() + (p1 * l[1]).neg()]
deets = [s0 * l2[1] + s2, (s0 * l2[0]).neg()]
verif = aggregate_vk(params, deetv, threshold=True)

for i in deets:
Пример #24
0
params = setup()

publics = []
r.recvlines(3)
publics.append(G2Elem.from_bytes(b64decode(r.recvline()), params[0]))
r.recvline()
publics.append(G2Elem.from_bytes(b64decode(r.recvline()), params[0]))
r.recvline()
publics.append(G2Elem.from_bytes(b64decode(r.recvline()), params[0]))

r.recvline()
r.sendline('3')
r.recvline()
r.sendline('this stuff')
r.recvline()
s = G1Elem.from_bytes(b64decode(r.recvline()), params[0])

r.recvline()
r.sendline('4')
r.recvline()

r.recvline()
r.sendline(b64encode(s.export()))
r.recvline()
r.sendline(b64encode(publics[2].export()))

r.recvline()
r.sendline(b64encode((2 * s).export()))
r.recvline()
r.sendline(b64encode(publics[1].export()))
Пример #25
0
# signature of p3 for message "this stuff"
s3 = io.recvline()

io.recv()
io.sendline("4")
io.recvline()
io.recvline()

# generating a new public key
b = 3
pk = b * g2
m = "this stuff"
# signature of my key for message "this stuff"
sm = sign(params, b, m)

p3_point = G2Elem.from_bytes(b64decode(p3), G)
s3_point = G1Elem.from_bytes(b64decode(s3), G)

io.sendline(b64encode(sm.export()))
io.recv()
io.sendline(b64encode(p3_point.export()))
io.recv()
io.sendline(b64encode(s3_point.export()))
io.recv()
io.sendline(b64encode(p3_point.export()))
io.recv()
io.sendline(b64encode((pk + pk - p3_point).export()))

print(io.recv())
io.close()
Пример #26
0
def prepare_proofs(auth, vkI, pki, pkv, m, sig_t, t, pk_ui, pk_uv, sku, cipher,
                   ek, r):
    print("Prepare proof")
    print("Prepare proof: Commit")

    import time

    tc = time.time()
    U, W, V, Z = vkI
    cm_U = []
    for i in range(len(U)):
        cm_U.append(auth.GS.Commit({"group": 1, "type": "pub", "value": U[i]}))
    cm_W = []
    for i in range(len(W)):
        cm_W.append(auth.GS.Commit({"group": 2, "type": "pub", "value": W[i]}))
    cm_V = auth.GS.Commit({"group": 2, "type": "pub", "value": V})
    cm_Z = auth.GS.Commit({"group": 2, "type": "pub", "value": Z})
    cm_vkI = [cm_U, cm_W, cm_V, cm_Z]

    h_i, vk_i, sig0_i = pki
    cm_h_i = auth.GS.Commit({"group": 1, "type": "com", "value": h_i})
    cm_vk_i = []
    for i in range(len(vk_i)):
        cm_vk_i.append(
            auth.GS.Commit({
                "group": 2,
                "type": "com",
                "value": vk_i[i]
            }))
    cm_sig0_i = []
    for i in range(len(sig0_i)):
        cm_sig0_i.append(
            auth.GS.Commit({
                "group": max(i, 1),
                "type": "com",
                "value": sig0_i[i]
            }))

    h_v, vk_v, sig0_v = pkv
    cm_h_v = auth.GS.Commit({"group": 1, "type": "pub", "value": h_v})

    cm_m = []
    for i in range(len(m)):
        cm_m.append(auth.GS.Commit({"group": 1, "type": "pub", "value": m[i]}))

    sig_i, c_it = sig_t
    cm_sig_i = []
    for i in range(len(sig_i)):
        cm_sig_i.append(
            auth.GS.Commit({
                "group": 1,
                "type": "com",
                "value": sig_i[i]
            }))
    _, sigt_i = c_it
    cm_sigt_i = []
    for i in range(len(sigt_i)):
        cm_sigt_i.append(
            auth.GS.Commit({
                "group": max(i, 1),
                "type": "com",
                "value": sigt_i[i]
            }))

    #t: used as public scalar constraint (gamma_ij)

    cm_pk_ui = auth.GS.Commit({"group": 1, "type": "com", "value": pk_ui})

    cm_pk_uv = auth.GS.Commit({"group": 1, "type": "pub", "value": pk_uv})

    cm_sku = auth.GS.Commit({"group": 2, "type": "sca", "value": sku})

    cm_cipher = []
    for i in range(len(cipher)):
        cm_cipher.append(
            auth.GS.Commit({
                "group": 1,
                "type": "pub",
                "value": cipher[i]
            }))
    cm_r = r
    cm_r[0] = auth.GS.Commit({"group": 2, "type": "sca", "value": r[0]})

    cm_ek = []
    for i in range(len(ek)):
        cm_ek.append(
            auth.GS.Commit({
                "group": 1,
                "type": "pub",
                "value": ek[i]
            }))
    cm_da = auth.GS.Commit({
        "group": 1,
        "type": "pub",
        "value": auth.ek[1] * r[1]
    })

    cm_params_enc = []
    cm_params_enc.append(
        auth.GS.Commit({
            "group": 1,
            "type": "pub",
            "value": auth.GS.v1[0]
        }))
    cm_params_enc.append(
        auth.GS.Commit({
            "group": 1,
            "type": "pub",
            "value": auth.GS.v1[1]
        }))

    cm_g1 = auth.GS.Commit({"group": 1, "type": "bas", "value": auth.GS.g1})
    cm_g2 = auth.GS.Commit({"group": 2, "type": "bas", "value": auth.GS.g2})
    cm_1 = auth.GS.Commit({"group": 2, "type": "unt", "value": 1})

    tcnd = time.time()
    print("--- Commitment time:", tcnd - tc)

    print("Prepare proof: Prove")
    tp = time.time()
    print("--- enc proof")
    verify_enc, res_enc = enc_proof(auth.GS, cm_params_enc, cm_ek, cm_da,
                                    cm_h_i, cm_cipher, cm_r)

    print("--- sigi proof")
    cm_msg = [cm_pk_ui]
    cm_msg.extend(cm_m)
    for i in range(len(cm_vk_i) - 2 - len(cm_msg)):
        cm_msg.append(
            auth.GS.Commit({
                "group": 1,
                "type": "pub",
                "value": G1Elem.inf(auth.GS.G)
            }))
    verify_sigi, res_sigi = proof_usps_hidesigandsigner(
        auth.GS, cm_vk_i, cm_msg, cm_sig_i)

    print("--- sigi0 proof")
    cm_msg1 = [cm_g1, cm_h_i]
    cm_msg2 = cm_vk_i
    verify_sigi0, res_sigi0 = proof_bsps_hidemandsig(auth.GS, cm_vkI, cm_msg1,
                                                     cm_msg2, Bn(0), cm_sig0_i)

    print("--- sigit proof")
    verify_sigit, res_sigit = proof_bsps_hidemandsig(auth.GS, cm_vkI, cm_msg1,
                                                     cm_msg2, t, cm_sigt_i)

    print("--- exponent proofs")
    verify_pkui, res_pkui = proof_exponent(auth.GS, cm_h_i, cm_pk_ui, cm_sku)
    verify_pkuv, res_pkuv = proof_exponent(auth.GS, cm_h_v, cm_pk_uv, cm_sku)

    tpend = time.time()
    print("--- Proving time:", tp - tpend)

    verify = verify_enc * verify_sigi * verify_sigi0 * verify_sigit * verify_pkui * verify_pkuv
    res = []
    res.extend(res_enc)
    res.append(res_pkui)
    res.append(res_pkuv)
    res.append(res_sigi)
    res.extend(res_sigi0)
    res.extend(res_sigit)
    print(
        "Do all the proofs verify?", verify_enc * verify_sigi * verify_sigi0 *
        verify_sigit * verify_pkui * verify_pkuv)

    return verify, res
Пример #27
0
def enc_proof(gsp, params, pub, da, m, cipher, rand):

    g1enc, g2enc = params
    c, d, h = pub
    u1, u2, e, v = cipher
    r, a = rand

    res = []
    #print("--- first equation")
    x1 = [e, m, h]
    a1 = []
    y1 = [gsp.Commit({"group": 2, "type": "unt", "value": 1}), r]
    b1 = []
    c1 = [[-1, 0], [1, 0], [0, 1]]

    success1, res1 = gsp.Prove_eq("ME1", x1, b1, a1, y1, c1, G1Elem.inf(gsp.G))
    verify1 = 0
    if success1:
        eq_type, X1, Y1, C1, T_eq, pi2_v1, pi2_w1, pi1_v2, pi1_w2 = res1
        verify1 = gsp.Verify(eq_type, X1, Y1, C1, pi2_v1, pi2_w1, pi1_v2,
                             pi1_w2)
        if verify1:
            res1 = [[pi2_v1, pi2_w1, pi1_v2, pi1_w2],
                    [eq_type, X1, Y1, C1, T_eq]]
            res.append(res1)
    #print("Do we successfully create a first proof?", success1)
    #print("Does the first proof successfully verify?", verify1)

    #print("--- second equation")
    x2 = [g1enc, u1]
    b2 = []
    a2 = []
    y2 = [r, gsp.Commit({"group": 2, "type": "unt", "value": 1})]
    c2 = [[-1, 0], [0, 1]]
    success2, res2 = gsp.Prove_eq("MC1", x2, b2, a2, y2, c2, G1Elem.inf(gsp.G))
    verify2 = 0
    if success2:
        eq_type, X2, Y2, C2, T_eq, pi2_v1, pi2_w1, pi1_v2, pi1_w2 = res2
        verify2 = gsp.Verify(eq_type, X2, Y2, C2, pi2_v1, pi2_w1, pi1_v2,
                             pi1_w2)
        if verify2:
            res2 = [[pi2_v1, pi2_w1, pi1_v2, pi1_w2],
                    [eq_type, X2, Y2, C2, T_eq]]
            res.append(res2)
    #print("Do we successfully create a second proof?", success2)
    #print("Does the second proof successfully verify?", verify2)

    #print("--- third equation")
    x3 = [g2enc, u2]
    b3 = []
    a3 = []
    y3 = [r, gsp.Commit({"group": 2, "type": "unt", "value": 1})]
    c3 = [[-1, 0], [0, 1]]
    success3, res3 = gsp.Prove_eq("MC1", x3, b3, a3, y3, c3, G1Elem.inf(gsp.G))
    verify3 = 0
    if success3:
        eq_type, X3, Y3, C3, T_eq, pi2_v1, pi2_w1, pi1_v2, pi1_w2 = res3
        verify3 = gsp.Verify(eq_type, X3, Y3, C3, pi2_v1, pi2_w1, pi1_v2,
                             pi1_w2)
        if verify3:
            res3 = [[pi2_v1, pi2_w1, pi1_v2, pi1_w2],
                    [eq_type, X3, Y3, C3, T_eq]]
            res.append(res3)
    #print("Do we successfully create a third proof?", success3)
    #print("Does the third proof successfully verify?", verify3)

    #print("--- intermediary equation")
    x_int = [da, d]
    b_int = []
    a_int = []
    y_int = [gsp.Commit({"group": 2, "type": "unt", "value": 1})]
    c_int = [[-1], [a]]
    success_int, res_int = gsp.Prove_eq("MC1", x_int, b_int, a_int, y_int,
                                        c_int, G1Elem.inf(gsp.G))
    verify_int = 0
    if success_int:
        eq_type, X_int, Y_int, C_int, T_eq, pi2_v1, pi2_w1, pi1_v2, pi1_w2 = res_int
        verify_int = gsp.Verify(eq_type, X_int, Y_int, C_int, pi2_v1, pi2_w1,
                                pi1_v2, pi1_w2)
        if verify_int:
            res_int = [[pi2_v1, pi2_w1, pi1_v2, pi1_w2],
                       [eq_type, X_int, Y_int, C_int, T_eq]]
            res.append(res_int)
    #print("Do we successfully create an int. proof?", success_int)
    #print("Does the int. proof successfully verify?", verify_int)

    #print("--- fourth equation")
    x4 = [c, da, v]
    b4 = []
    a4 = []
    y4 = [r, gsp.Commit({"group": 2, "type": "unt", "value": 1})]
    c4 = [[1, 0], [1, 0], [0, -1]]
    success4, res4 = gsp.Prove_eq("MC1", x4, b4, a4, y4, c4, G1Elem.inf(gsp.G))
    verify4 = 0
    if success4:
        eq_type, X4, Y4, C4, T_eq, pi2_v1, pi2_w1, pi1_v2, pi1_w2 = res4
        verify4 = gsp.Verify(eq_type, X4, Y4, C4, pi2_v1, pi2_w1, pi1_v2,
                             pi1_w2)
        if verify4:
            res4 = [[pi2_v1, pi2_w1, pi1_v2, pi1_w2],
                    [eq_type, X4, Y4, C4, T_eq]]
            res.append(res4)
    #print("Do we successfully create a fourth proof?", success4)
    #print("Does the fourth proof successfully verify?", verify4)

    print("Do we successfully create all the proofs?",
          success1 * success2 * success3 * success4 * success_int)
    print("Do all the proofs successfully verify?",
          verify1 * verify2 * verify3 * verify_int * verify4)
    return verify1 * verify2 * verify3 * verify_int * verify4, res
Пример #28
0
    def proof_usps_hidesigandsigner(self,
                                    M=[
                                        b"Hello World!", b"Hello me!",
                                        b"Hello us!"
                                    ]):
        """" creates GS proof that sig verifies with pk, signature and first message secret"""
        #print("SPS: Prove")

        self.ExtGen()
        params = (self.G, self.order, self.g1, self.g2, self.e)

        sps = USPS()
        sk, pk = sps.keygen(params)
        gz, gr, pki = pk

        m = []
        for i in range(len(M)):
            if type(M[i]) == bytes:
                m.append(self.G.hashG1(M[i]))
            elif type(M[i]) == G1Elem:
                m.append(M[i])
            else:
                return 0, []

        if len(m) < sps.n:
            for i in range(sps.nb_msg - len(m)):
                m.append(G1Elem.inf(self.G))
        elif sps.nb_msg < len(m):
            return
        sig = sps.sign(params, sk, m)

        if sps.verify(params, pk, m, sig) == 0:
            print("Signature does not verify")
            return

        print(len(m))
        X = [{
            "type": "com",
            "value": sig[0]
        }, {
            "type": "com",
            "value": sig[1]
        }]
        B = [{
            "type": "pub",
            "value": G2Elem.inf(self.G)
        }, {
            "type": "pub",
            "value": G2Elem.inf(self.G)
        }]

        A = [{
            "type": "pub",
            "value": G1Elem.inf(self.G)
        }, {
            "type": "pub",
            "value": G1Elem.inf(self.G)
        }]
        Y = [{"type": "com", "value": gz}, {"type": "com", "value": gr}]

        for i in range(len(m)):
            if i == 0:
                X.append({"type": "pub", "value": m[i]})
            else:
                X.append({"type": "com", "value": m[i]})
            B.append({"type": "pub", "value": G2Elem.inf(self.G)})

        for j in range(len(pki)):
            Y.append({"type": "com", "value": pki[j]})
            A.append({"type": "pub", "value": G1Elem.inf(self.G)})

        C = []
        for i in range(len(X)):
            row = []
            for j in range(len(Y)):
                var = Bn(0)
                if i == j:
                    var = Bn(1)
                row.append(var)
            C.append(row)
        print(C)

        success, res = self.CommitProof_eq("PPE", X, B, A, Y, C,
                                           GTElem.zero(self.G))
        verify = 0
        if success:
            eq_type, X1, Y1, C1, T_eq, pi2_v1_ap, pi2_w1_ap, pi1_v2_ap, pi1_w2_ap = res
            pi2_v1, pi2_w1, pi1_v2, pi1_w2 = self.Randomize(
                eq_type, pi2_v1_ap, pi2_w1_ap, pi1_v2_ap, pi1_w2_ap)
            verify = self.Verify(eq_type, X1, Y1, C1, pi2_v1, pi2_w1, pi1_v2,
                                 pi1_w2)
            if verify:
                res = [[pi2_v1, pi2_w1, pi1_v2, pi1_w2],
                       [eq_type, X1, Y1, C1, T_eq]]
        print(success, verify)
        print()

        return verify, res
Пример #29
0
def sig(x):
    return G1Elem.from_bytes(b64decode(x), G)
Пример #30
0
    def MakeProof(self, X, Y, C):
        #print("MakeProof")
        pi2_v1 = [G2Elem.inf(self.G), G2Elem.inf(self.G)]
        pi2_w1 = [G2Elem.inf(self.G), G2Elem.inf(self.G)]

        pi1_v2 = [G1Elem.inf(self.G), G1Elem.inf(self.G)]
        pi1_w2 = [G1Elem.inf(self.G), G1Elem.inf(self.G)]

        #count_exp_g1 = 0
        #count_add_g1 = -1
        #count_exp_g2 = 0
        #count_add_g2 = -1

        for i in range(len(X)):
            xi = X[i]["value"]
            xr = 0
            xs = 0
            if "committed" in X[i]:
                xr = X[i]["committed"]["r"]
                xs = X[i]["committed"]["s"]
            for j in range(len(Y)):
                yj = Y[j]["value"]
                yr = 0
                ys = 0
                if "committed" in Y[j]:
                    yr = Y[j]["committed"]["r"]
                    ys = Y[j]["committed"]["s"]

                cij = C[i][j]

                if cij != 0:
                    for vec in range(2):
                        """ We need to work on the commitment of x|y and not on the value of x|y not to make any assumption on the type of x|y"""
                        if xr != 0:
                            pi2_v1[vec] += (xr * cij) * yj[vec]
                            #count_exp_g1 += 1
                            #count_add_g1 += 1
                        if xs != 0:
                            pi2_w1[vec] += (xs * cij) * yj[vec]
                            #count_exp_g1 += 1
                            #count_add_g1 += 1
                        if yr != 0:
                            temp = xi[vec]
                            if xr != 0:
                                temp = temp - self.v1[vec] * xr
                                #count_exp_g2 += 1
                                #count_add_g2 += 1
                            if xs != 0:
                                temp = temp - self.w1[vec] * xs
                                #count_exp_g2 += 1
                                #count_add_g2 += 1
                            pi1_v2[vec] += temp * (cij * yr)
                            #count_exp_g2 += 1
                            #count_add_g2 += 1
                        if ys != 0:
                            temp = xi[vec]
                            if xr != 0:
                                temp = temp - self.v1[vec] * xr
                                #count_exp_g2 += 1
                                #count_add_g2 += 1
                            if xs != 0:
                                temp = temp - self.w1[vec] * xs
                                #count_exp_g2 += 1
                                #count_add_g2 += 1
                            pi1_w2[vec] += temp * (cij * ys)
                            #count_exp_g2 += 1
                            #count_add_g2 += 1
        #print("Exp in G1", count_exp_g1)
        #print("Exp in G2", count_exp_g2)
        #print("Add in G1", count_add_g1)
        #print("Add in G2", count_add_g2)
        return pi2_v1, pi2_w1, pi1_v2, pi1_w2