def verify(self, params, pk, m, n, sig):
"""
Verifies a signature on messages m
e(R,V) e(S,H) Pi e(M_i,W_i) == e(G,Z)
e(R,T) Pi e(U_i, N_i) == e(G,H)
"""
#print("BSPS: Verify")
R, S, T = sig
o, G, g1, g2, e = params
if (R.eq(G1Elem.inf(G)) and S.eq(G1Elem.inf(G))
and T.eq(G2Elem.inf(G))):
print("BSPS: Verify --- Error: signature null")
print("BSPS: Verify", 0)
return 0
U, W, V, Z = pk
res1 = e(R, V) * e(S, g2)
for i in range(self.msg_g1):
if i < len(m):
res1 = res1 * e(m[i], W[i])
else:
res1 = res1 * e(g1, W[i])
res2 = e(R, T)
for j in range(self.msg_g2):
if j < len(n):
res2 = res2 * e(U[j], n[j])
else:
res2 = res2 * e(U[j], g2)
return res1.eq(e(g1, Z)) and res2.eq(e(g1, g2))
def sign(self, params, sk, m, n):
"""Signs a list of group elements of G1 and G2"""
#print("BSPS: Sign")
o, G, g1, g2, _ = params
if len(m) > self.msg_g1 or len(n) > self.msg_g2:
print("BSPS: Sign --- Error: message(s) too long", len(m), ">?",
self.msg_g1, len(n), ">?", self.msg_g2)
return (G1Elem.inf(G), G1Elem.inf(G), G2Elem.inf(G))
u, w, v, z = sk
r = o.random()
R = r * g1
temp = z.mod_sub(r.mod_mul(v, o), o)
S = temp * g1
T = g2
for i in range(self.msg_g1):
if i < len(m):
S = S + w[i].int_neg() * m[i]
else:
S = S + w[i].int_neg() * g1
for j in range(self.msg_g2):
if j < len(n):
T = T + u[j].int_neg() * n[j]
else:
T = T + u[j].int_neg() * g2
return [R, S, r.mod_inverse(o) * T]
def verify_proof_credentials_petition(params,
aggr_vk,
sigma,
kappa,
nu,
zeta,
pi_petition,
UUID,
public_m=[]):
""" verify petition signature """
(G, o, g1, hs, g2, e) = params
(g2, alpha, beta) = aggr_vk
(h, s) = sigma
(c, rm, rt) = pi_petition
private_m_len = len(pi_petition[1])
assert len(public_m) + private_m_len <= len(beta)
## verify proof
# re-compute witnesses commitments
Aw = c * kappa + rt * g2 + (1 - c) * alpha + ec_sum(
[rm[i] * beta[i] for i in range(len(rm))])
Bw = c * nu + rt * h
Cw = rm[0] * G.hashG1(str(UUID)) + zeta * c
# compute the challenge prime
assert c == to_challenge([g1, g2, alpha, Aw, Bw, Cw] + hs + beta)
## verify signature
# add clear text messages
aggr = G2Elem.inf(G)
if len(public_m) != 0:
aggr = ec_sum([
public_m[i] * beta[i + private_m_len] for i in range(len(public_m))
])
# verify
return not h.isinf() and e(h, kappa + aggr) == e(s + nu, g2)
def verify_cred(params, aggr_vk, Theta, public_m=[]):
"""
Verify credentials.
Parameters:
- `params`: public parameters generated by `setup`
- `aggr_vk`: aggregated verification key
- `Theta`: credential and cryptographic material to verify them
- `public_m` [Bn]: optional, array containing the public attributes
Returns:
- `ret` (bool): whether the credential verifies
"""
(G, o, g1, hs, g2, e) = params
(g2, _, beta) = aggr_vk
(kappa, nu, sigma, pi_v) = Theta
(h, s) = sigma
private_m_len = len(pi_v[1])
assert len(public_m) + private_m_len <= len(beta)
# verify proof of correctness
assert verify_pi_v(params, aggr_vk, sigma, kappa, nu, pi_v)
# add clear text messages
aggr = G2Elem.inf(G)
if len(public_m) != 0:
aggr = ec_sum([
public_m[i] * beta[i + private_m_len] for i in range(len(public_m))
])
# verify
return not h.isinf() and e(h, kappa + aggr) == e(s + nu, g2)
def verifyEq(self, eq, x, b, a, y, c, t):
#print("verifyEq")
if eq in ["PPE", "PN1", "PC1", "PN2", "PC2"]:
#print("eq in [\"PPE\", \"PN1\", \"PC1\", \"PN2\", \"PC2\"]")
T = GTElem.zero(self.G)
for i in range(min(len(x), len(b))):
T = T * self.e(x[i]["value"], b[i]["value"])
for j in range(min(len(a), len(y))):
T = T * self.e(a[j]["value"], y[j]["value"])
for i in range(len(c)):
for j in range(len(c[i])):
T = T * self.e(c[i][j] * x[i]["value"], y[j]["value"])
return T.eq(t)
else:
#print("eq NOT in [\"PPE\", \"PN1\", \"PC1\", \"PN2\", \"PC2\"]")
T = Bn(0)
if eq in ["ME1", "MN1", "MC1", "ML1"]:
T = G1Elem.inf(self.G)
elif eq in ["ME2", "MN2", "MC2", "ML2"]:
T = G2Elem.inf(self.G)
elif eq not in ["QE", "QC1", "QC2"]:
print("eq error", eq)
return 0
for i in range(min(len(x), len(b))):
T += x[i]["value"] * b[i]["value"]
for j in range(min(len(a), len(y))):
T += a[j]["value"] * y[j]["value"]
for i in range(len(c)):
for j in range(len(c[i])):
if c[i][j] != 0:
T += c[i][j] * x[i]["value"] * y[j]["value"]
return T.eq(t)
def blind_verify(params, aggr_vk, sigma, kappa, nu, pi_v, public_m=[]): """ Verify credentials. Parameters: - `params`: public parameters generated by `setup` - `aggr_vk` (G2Elem, G2Elem, [G2Elem]): aggregated verification key - `sigma` (G1Elem, G1Elem): credential - `kappa` (G2Elem): group element to verify the credentials - `nu` (G2Elem): group element to verify the credentials - `pi_v`: zero-knowledge proof asserting correctness of `kappa` and `nu` - `public_m` [Bn]: optional, array containing the public attributes Returns: - `ret` (bool): whether the credential verifies """ (G, o, g1, hs, g2, e) = params (g2, _, beta) = aggr_vk (h, s) = sigma private_m_len = len(pi_v[1]) assert len(public_m)+private_m_len <= len(beta) # verify proof of correctness assert verify_pi_v(params, aggr_vk, sigma, kappa, nu, pi_v) # add clear text messages aggr = G2Elem.inf(G) if len(public_m) != 0: aggr = ec_sum([public_m[i]*beta[i+private_m_len] for i in range(len(public_m))]) # verify return not h.isinf() and e(h, kappa+aggr) == e(s+nu, g2)
def test_bsps_proof():
""" create GS proof that sig verifies with the signature and all but the first message secret """
gsp = GSProof()
gsp.ExtGen()
params = gsp.P
sps = BSPS()
sk, pk = sps.keygen(params)
u, w, v, z = sk
U, W, V, Z = pk
t = Bn(7)
m1 = [gsp.g1 * t, gsp.G.hashG1(b"Hello World!")]
m2 = [Bn.from_binary(b"Hello you!") * gsp.g2]
for i in range(len(W) - len(m1)):
m1.append(G1Elem.inf(gsp.G))
for i in range(len(U) - len(m2)):
m2.append(G2Elem.inf(gsp.G))
sig = sps.sign(params, sk, m1, m2)
print("Does the signature verify?", sps.verify(params, pk, m1, m2, sig))
PK = [[], []]
for i in range(len(U)):
PK[0].append(gsp.Commit({"group": 1, "type": "pub", "value": U[i]}))
for i in range(len(W)):
PK[1].append(gsp.Commit({"group": 2, "type": "pub", "value": W[i]}))
PK.append(gsp.Commit({"group": 2, "type": "pub", "value": V}))
PK.append(gsp.Commit({"group": 2, "type": "pub", "value": Z}))
M1 = [gsp.Commit({"group": 1, "type": "bas", "value": gsp.g1})]
for i in range(len(m1) - 1):
M1.append(gsp.Commit({"group": 1, "type": "com", "value": m1[i + 1]}))
M2 = []
for i in range(len(m2)):
M2.append(gsp.Commit({"group": 2, "type": "com", "value": m2[i]}))
SIG = [
gsp.Commit({
"group": 1,
"type": "com",
"value": sig[0]
}),
gsp.Commit({
"group": 1,
"type": "com",
"value": sig[1]
}),
gsp.Commit({
"group": 2,
"type": "com",
"value": sig[2]
})
]
verify, result = proof_bsps_hidemandsig(gsp, PK, M1, M2, t, SIG)
assert verify
def CommitG1Group(self, val, x1, r, s):
c0 = r * self.v1[0] + s * self.w1[0]
c1 = x1 + r * self.v1[1] + s * self.w1[1]
val["value"] = [c0, c1]
val["committed"] = {
1: x1,
2: G2Elem.inf(self.G),
"Zp": 0,
"r": r,
"s": s
}
return val
def CommitG2Scalar(self, val, x, r):
c0 = x * self.u2[0] + r * self.v2[0]
c1 = x * self.u2[1] + r * self.v2[1]
val["value"] = [c0, c1]
val["committed"] = {
1: G1Elem.inf(self.G),
2: G2Elem.inf(self.G),
"Zp": x,
"r": r,
"s": 0
}
return val
def mix_verify(params, vk, kappa, sig, proof, m):
""" verify a signature on a mixed clear and hidden message """
(G, o, g1, h1, g2, e) = params
(g2, X, Y) = vk
(h, epsilon) = sig
hidden_m_len = len(proof[1])
assert len(m) + hidden_m_len <= len(Y)
# verify proof of correctness
assert verify_mix_show(params, vk, kappa, proof)
# add clear text messages
aggr = G2Elem.inf(G)
if len(m) != 0:
aggr = ec_sum([m[i] * Y[i + hidden_m_len] for i in range(len(m))])
# verify
return not h.isinf() and e(h, kappa + aggr) == e(epsilon, g2)
def CheckEqResult(self, eq, T):
#print("CheckEqResult")
if eq in ["PPE", "PN1", "PC1", "PN2", "PC2"]:
if T != GTElem.zero(self.G):
return 0
elif eq in ["ME1", "MN1", "MC1", "ML1"]:
if T != G1Elem.inf(self.G):
return 0
elif eq in ["ME2", "MN2", "MC2", "ML2"]:
if T != G2Elem.inf(self.G):
return 0
elif eq in ["QE", "QC1", "QC2"]:
if T != Bn(0):
return 0
return 1
def test_G2_scalar_comm():
GS = GSProof()
ck, xk, P = GS.ExtGen()
order, G, u1, v1, w1, u2, v2, w2 = ck
y = order.random()
r = order.random()
struct = {}
struct = GS.CommitG2Scalar(struct, y, r)
assert struct["value"][0] == y * GS.u2[0] + r * GS.v2[0]
assert struct["value"][1] == y * GS.u2[1] + r * GS.v2[1]
assert struct["committed"][1] == G1Elem.inf(G)
assert struct["committed"][2] == G2Elem.inf(G)
assert struct["committed"]["Zp"] == y
assert struct["committed"]["r"] == r
assert struct["committed"]["s"] == Bn(0)
def proof_pkuv(gsp, X, Y):
res = []
B = []
A = []
C = []
for i in range(len(X)):
row = []
for j in range(len(Y)):
row.append(Bn(0))
C.append(row)
C[6][0] = Bn(1) # pk_uv
C[5][1] = Bn(-1) # - h_v^sku
success, result = gsp.Prove_aggreg("MC1", X, B, A, Y, C, G1Elem.inf(gsp.G))
verify = 0
if success:
eq_type, X, Y, C, T_eq, pi2_v1, pi2_w1, pi1_v2, pi1_w2 = result
#verify = gsp.Verify(eq_type, X, Y, C, pi2_v1, pi2_w1, pi1_v2, pi1_w2)
#if verify:
res = [C, [pi2_v1, pi2_w1, pi1_v2, pi1_w2]]
#print("Do we successfully create a proof?", success)
#print("Does the proof successfully verify?", verify)
print("\n----pk uv")
for i in range(len(res[1])):
for j in range(2):
if type(res[1][i][j]) == G1Elem:
print(i, j, type(res[1][i][j]),
res[1][i][j].eq(G1Elem.inf(gsp.G)))
else:
print(i, j, type(res[1][i][j]),
res[1][i][j].eq(G2Elem.inf(gsp.G)))
b = challenge(result)
for i in range(len(res[0])):
for j in range(len(res[0][0])):
if res[0][i][j] != 0:
res[0][i][j] = b * res[0][i][j]
for i in range(len(res[1])):
for j in range(len(res[1][i])):
res[1][i][j] = b * res[1][i][j]
#verify = gsp.Verify("ME1", X, Y, C, res[1][0], res[1][1], res[1][2], res[1][3])
#print("Does the (aggregate) proof verify?", verify)
return res
def test_G1_group_comm():
GS = GSProof()
ck, xk, P = GS.ExtGen()
order, G, u1, v1, w1, u2, v2, w2 = ck
x1 = order.random() * G.gen1()
r = order.random()
s = order.random()
struct = {}
struct = GS.CommitG1Group(struct, x1, r, s)
assert struct["value"][0] == G1Elem.inf(G) + r * GS.v1[0] + s * GS.w1[0]
assert struct["value"][1] == x1 + r * GS.v1[1] + s * GS.w1[1]
assert struct["committed"][1] == x1
assert struct["committed"][2] == G2Elem.inf(G)
assert struct["committed"]["Zp"] == Bn(0)
assert struct["committed"]["r"] == r
assert struct["committed"]["s"] == s
def test_G2_group_comm():
GS = GSProof()
ck, xk, P = GS.ExtGen()
order, G, u1, v1, w1, u2, v2, w2 = ck
y2 = order.random() * G.gen2()
r = order.random()
s = order.random()
struct = {}
struct = GS.CommitG2Group(struct, y2, r, s)
assert struct["value"][0] == G2Elem.inf(G) + r * GS.v2[0] + s * GS.w2[0]
assert struct["value"][1] == y2 + r * GS.v2[1] + s * GS.w2[1]
assert struct["committed"][1] == G1Elem.inf(G)
assert struct["committed"][2] == y2
assert struct["committed"]["Zp"] == Bn(0)
assert struct["committed"]["r"] == r
assert struct["committed"]["s"] == s
def MakeMatrices(self, x, b, a, y, c, t):
#print("Make Matrices")
X = []
X.extend(x)
X.extend(a)
Y = []
Y.extend(y)
Y.extend(b)
C = []
for i in range(len(x) + len(a)):
row = []
for j in range(len(y) + len(b)):
if i < len(x):
if j < len(y):
temp = c[i][j]
if type(temp) != Bn:
temp = Bn(temp)
row.append(c[i][j])
elif j == len(y) + i:
temp = Bn(1)
if b[j - len(y)]["committed"][2] == G2Elem.inf(
self.G) and b[j - len(y)]["type"] == "pub":
temp = Bn(0)
row.append(temp)
else:
row.append(Bn(0))
else:
if i == len(x) + j:
temp = Bn(1)
if a[i - len(x)]["committed"][1] == G1Elem.inf(
self.G) and a[i - len(x)]["type"] == "pub":
temp = Bn(0)
row.append(temp)
else:
row.append(Bn(0))
C.append(row)
return X, Y, C, t
def test_all():
GS = GSProof()
ck, xk, P = GS.ExtGen()
order, G, u1, v1, w1, u2, v2, w2 = ck
for eq_type in GS.eqs.keys():
print("=============================== ", eq_type)
x = []
y = []
a = []
b = []
for xtype in GS.eqs[eq_type][1]:
for ytype in GS.eqs[eq_type][2]:
if eq_type != "PPE" or (eq_type == "PPE"
and xtype not in ["pub", "enc"]
and ytype not in ["pub", "enc"]):
rand1 = order.random()
x1 = rand1 * GS.g1
if xtype in ["bas"]:
rand1 = 1
x1 = GS.g1
if xtype in ["sca"]:
x1 = rand1
elif xtype in ["unt"]:
x1 = 1
rand2 = order.random()
y2 = rand2 * GS.g2
if ytype in ["bas"]:
rand2 = 1
y2 = GS.g2
if ytype in ["sca"]:
y2 = rand2
elif ytype in ["unt"]:
y2 = 1
#print(xtype, rand1, x1)
#print(ytype, rand2, y2)
x.append({"type": xtype, "value": x1})
a.append({"type": xtype, "value": x1})
y.append({"type": ytype, "value": y2})
b.append({"type": ytype, "value": y2})
c = []
for i in range(len(x)):
row = []
for j in range(len(y)):
if i == j:
row.append(Bn(-2))
else:
row.append(Bn(0))
c.append(row)
t = GTElem.zero(G)
if eq_type in ["ME1", "MN1", "MC1", "ML1"]:
t = G1Elem.inf(G)
if eq_type in ["ME2", "MN2", "MC2", "ML2"]:
t = G2Elem.inf(G)
if eq_type in ["QE", "QC1", "QC2"]:
t = 0
try:
success, res = GS.CommitProof_eq(eq_type, x, b, a, y, c, t)
print("success ?", success)
except Exception as e:
print(e)
else:
if success:
eq, X, Y, C, T, pi2_v1, pi2_w1, pi1_v2, pi1_w2 = res
print(
"verify ?",
GS.Verify(eq_type, X, Y, C, pi2_v1, pi2_w1, pi1_v2,
pi1_w2))
assert (GS.Verify(eq_type, X, Y, C, pi2_v1, pi2_w1, pi1_v2,
pi1_w2))
def get_infs(gk):
inf1 = G1Elem.inf(gk.G)
inf2 = G2Elem.inf(gk.G)
return inf1, inf2
def proof_usps_hidesigandsigner(self,
M=[
b"Hello World!", b"Hello me!",
b"Hello us!"
]):
"""" creates GS proof that sig verifies with pk, signature and first message secret"""
#print("SPS: Prove")
self.ExtGen()
params = (self.G, self.order, self.g1, self.g2, self.e)
sps = USPS()
sk, pk = sps.keygen(params)
gz, gr, pki = pk
m = []
for i in range(len(M)):
if type(M[i]) == bytes:
m.append(self.G.hashG1(M[i]))
elif type(M[i]) == G1Elem:
m.append(M[i])
else:
return 0, []
if len(m) < sps.n:
for i in range(sps.nb_msg - len(m)):
m.append(G1Elem.inf(self.G))
elif sps.nb_msg < len(m):
return
sig = sps.sign(params, sk, m)
if sps.verify(params, pk, m, sig) == 0:
print("Signature does not verify")
return
print(len(m))
X = [{
"type": "com",
"value": sig[0]
}, {
"type": "com",
"value": sig[1]
}]
B = [{
"type": "pub",
"value": G2Elem.inf(self.G)
}, {
"type": "pub",
"value": G2Elem.inf(self.G)
}]
A = [{
"type": "pub",
"value": G1Elem.inf(self.G)
}, {
"type": "pub",
"value": G1Elem.inf(self.G)
}]
Y = [{"type": "com", "value": gz}, {"type": "com", "value": gr}]
for i in range(len(m)):
if i == 0:
X.append({"type": "pub", "value": m[i]})
else:
X.append({"type": "com", "value": m[i]})
B.append({"type": "pub", "value": G2Elem.inf(self.G)})
for j in range(len(pki)):
Y.append({"type": "com", "value": pki[j]})
A.append({"type": "pub", "value": G1Elem.inf(self.G)})
C = []
for i in range(len(X)):
row = []
for j in range(len(Y)):
var = Bn(0)
if i == j:
var = Bn(1)
row.append(var)
C.append(row)
print(C)
success, res = self.CommitProof_eq("PPE", X, B, A, Y, C,
GTElem.zero(self.G))
verify = 0
if success:
eq_type, X1, Y1, C1, T_eq, pi2_v1_ap, pi2_w1_ap, pi1_v2_ap, pi1_w2_ap = res
pi2_v1, pi2_w1, pi1_v2, pi1_w2 = self.Randomize(
eq_type, pi2_v1_ap, pi2_w1_ap, pi1_v2_ap, pi1_w2_ap)
verify = self.Verify(eq_type, X1, Y1, C1, pi2_v1, pi2_w1, pi1_v2,
pi1_w2)
if verify:
res = [[pi2_v1, pi2_w1, pi1_v2, pi1_w2],
[eq_type, X1, Y1, C1, T_eq]]
print(success, verify)
print()
return verify, res
def proof_bsps_hidemandsig(
self,
M1=[b"Hello World!", b"Hello me!", b"Hello us!"],
M2=[b"Hello you!"]):
""" create GS proof that sig verifies with the signature and all but the first message secret """
params = (self.G, self.order, self.g1, self.g2, self.e)
sps = BSPS()
sk, pk = sps.keygen(params)
u, w, v, z = sk
U, W, V, Z = pk
m1 = []
for i in range(len(M1)):
if type(M1[i]) == bytes:
m1.append(self.G.hashG1(M1[i]))
elif type(M1[i]) == G1Elem:
m1.append(M1[i])
else:
return 0, []
m2 = []
for j in range(len(M2)):
if type(M2[j]) == bytes:
m2.append(
Bn.from_binary(M2[j]).mod_add(Bn(0), self.order) * self.g2)
elif type(M2[j]) == G2Elem:
m2.append(M2[j])
else:
return 0, []
if len(m1) < sps.msg_g1:
for i in range(sps.msg_g1 - len(m1)):
m1.append(G1Elem.inf(self.G))
elif sps.msg_g1 < len(m1):
return 0, []
if len(m2) < sps.msg_g2:
for i in range(sps.msg_g2 - len(m2)):
m2.append(G2Elem.inf(self.G))
elif sps.msg_g2 < len(m2):
return 0, []
res = []
R, S, T = sps.sign(params, sk, m1, m2)
print("signature verifies?", sps.verify(params, pk, m1, m2, (R, S, T)))
print("first equation")
x1 = [{
"type": "com",
"value": R
}, {
"type": "com",
"value": S
}, {
"type": "bas",
"value": self.g1
}]
b1 = [{
"type": "pub",
"value": V
}, {
"type": "bas",
"value": self.g2
}, {
"type": "pub",
"value": Z * Bn(-1)
}]
a1 = []
y1 = []
#res1 = e(R,V) * e(S,g2)
#res1.eq(e(g1,Z))
for i in range(len(m1)):
if i == 0:
x1.append({"type": "pub", "value": m1[i]})
b1.append({"type": "bas", "value": W[i]})
else:
x1.append({"type": "com", "value": m1[i]})
b1.append({"type": "pub", "value": W[i]})
#res1 = res1 * e(m1[i],W[i])
c1 = []
for i in range(len(x1)):
row = []
for j in range(len(y1)):
c = Bn(0)
row.append(c)
c1.append(row)
print(c1)
success1, res1 = self.CommitProof_eq("PPE", x1, b1, a1, y1, c1,
GTElem.zero(self.G))
verify1 = 0
if success1:
eq_type, X1, Y1, C1, T_eq, pi2_v1_ap, pi2_w1_ap, pi1_v2_ap, pi1_w2_ap = res1
pi2_v1, pi2_w1, pi1_v2, pi1_w2 = self.Randomize(
eq_type, pi2_v1_ap, pi2_w1_ap, pi1_v2_ap, pi1_w2_ap)
verify1 = self.Verify(eq_type, X1, Y1, C1, pi2_v1, pi2_w1, pi1_v2,
pi1_w2)
if verify1:
res1 = [[pi2_v1, pi2_w1, pi1_v2, pi1_w2],
[eq_type, X1, Y1, C1, T_eq]]
res.append(res1)
print(success1, verify1)
print()
print("second equation")
x2 = [{"type": "com", "value": R}, {"type": "bas", "value": self.g1}]
b2 = [{
"type": "pub",
"value": G2Elem.inf(self.G)
}, {
"type": "pub",
"value": G2Elem.inf(self.G)
}]
a2 = [{
"type": "pub",
"value": G1Elem.inf(self.G)
}, {
"type": "pub",
"value": G1Elem.inf(self.G)
}]
y2 = [{"type": "com", "value": T}, {"type": "bas", "value": self.g2}]
#res2 = e(R,T)
#res2.eq(e(g1,g2))
for j in range(len(m2)):
a2.append({"type": "pub", "value": U[j]})
y2.append({"type": "com", "value": m2[j]})
#res2 = res2 * e(U[j],m2[j])
c2 = []
for i in range(len(x2)):
row = []
for j in range(len(y2)):
c = Bn(0)
if (i == 0 and j == 0):
c = Bn(1)
if (i == 1 and j == 1):
c = Bn(-1)
row.append(c)
c2.append(row)
print(c2)
success2, res2 = self.CommitProof_eq("PPE", x2, b2, a2, y2, c2,
GTElem.zero(self.G))
verify2 = 0
if success2:
eq_type, X2, Y2, C2, T_eq, pi2_v1_ap, pi2_w1_ap, pi1_v2_ap, pi1_w2_ap = res2
pi2_v1, pi2_w1, pi1_v2, pi1_w2 = self.Randomize(
eq_type, pi2_v1_ap, pi2_w1_ap, pi1_v2_ap, pi1_w2_ap)
verify2 = self.Verify(eq_type, X2, Y2, C2, pi2_v1, pi2_w1, pi1_v2,
pi1_w2)
if verify2:
res2 = [[pi2_v1, pi2_w1, pi1_v2, pi1_w2],
[eq_type, X2, Y2, C2, T_eq]]
res.append(res2)
print(success2, verify2)
print()
print("success?", success1, success2)
print("verify?", verify1, verify2)
return verify1 * verify2, res
def MakeProof(self, X, Y, C):
#print("MakeProof")
pi2_v1 = [G2Elem.inf(self.G), G2Elem.inf(self.G)]
pi2_w1 = [G2Elem.inf(self.G), G2Elem.inf(self.G)]
pi1_v2 = [G1Elem.inf(self.G), G1Elem.inf(self.G)]
pi1_w2 = [G1Elem.inf(self.G), G1Elem.inf(self.G)]
#count_exp_g1 = 0
#count_add_g1 = -1
#count_exp_g2 = 0
#count_add_g2 = -1
for i in range(len(X)):
xi = X[i]["value"]
xr = 0
xs = 0
if "committed" in X[i]:
xr = X[i]["committed"]["r"]
xs = X[i]["committed"]["s"]
for j in range(len(Y)):
yj = Y[j]["value"]
yr = 0
ys = 0
if "committed" in Y[j]:
yr = Y[j]["committed"]["r"]
ys = Y[j]["committed"]["s"]
cij = C[i][j]
if cij != 0:
for vec in range(2):
""" We need to work on the commitment of x|y and not on the value of x|y not to make any assumption on the type of x|y"""
if xr != 0:
pi2_v1[vec] += (xr * cij) * yj[vec]
#count_exp_g1 += 1
#count_add_g1 += 1
if xs != 0:
pi2_w1[vec] += (xs * cij) * yj[vec]
#count_exp_g1 += 1
#count_add_g1 += 1
if yr != 0:
temp = xi[vec]
if xr != 0:
temp = temp - self.v1[vec] * xr
#count_exp_g2 += 1
#count_add_g2 += 1
if xs != 0:
temp = temp - self.w1[vec] * xs
#count_exp_g2 += 1
#count_add_g2 += 1
pi1_v2[vec] += temp * (cij * yr)
#count_exp_g2 += 1
#count_add_g2 += 1
if ys != 0:
temp = xi[vec]
if xr != 0:
temp = temp - self.v1[vec] * xr
#count_exp_g2 += 1
#count_add_g2 += 1
if xs != 0:
temp = temp - self.w1[vec] * xs
#count_exp_g2 += 1
#count_add_g2 += 1
pi1_w2[vec] += temp * (cij * ys)
#count_exp_g2 += 1
#count_add_g2 += 1
#print("Exp in G1", count_exp_g1)
#print("Exp in G2", count_exp_g2)
#print("Add in G1", count_add_g1)
#print("Add in G2", count_add_g2)
return pi2_v1, pi2_w1, pi1_v2, pi1_w2
def CheckEqType(self, eq, X, Y, C):
#print("CheckEqType")
if eq in ["PPE", "PN1", "PC1", "PN2", "PC2"]:
for x in X:
if type(x["value"][0]) != G1Elem:
print("element in C not from G1", x)
return 0
if "committed" in x:
if x["committed"][2] != G2Elem.inf(
self.G) or x["committed"]["Zp"] != 0:
print("not a commitment of G1")
return 0
for y in Y:
if type(y["value"][0]) != G2Elem:
print("element in D not from G2")
return 0
if "committed" in y:
if y["committed"][1] != G1Elem.inf(
self.G) or y["committed"]["Zp"] != 0:
print("not a commitment of G2")
return 0
elif eq in ["ME1", "MN1", "MC1", "ML1"]:
for x in X:
if type(x["value"][0]) != G1Elem:
print("element in C not from G1", type(x["value"][0]))
return 0
if "committed" in x:
if x["committed"][2] != G2Elem.inf(
self.G) or x["committed"]["Zp"] != 0:
print("not a commitment of G1")
return 0
for y in Y:
if type(y["value"][0]) != G2Elem:
print("element in D not from Zp", type(y["value"][0]))
return 0
if "committed" in y:
if y["committed"][1] != G1Elem.inf(
self.G) or y["committed"][2] != G2Elem.inf(self.G):
print("not a commitment of Zp")
return 0
elif eq in ["ME2", "MN2", "MC2", "ML2"]:
for x in X:
if type(x["value"][0]) != G1Elem:
print("element in C not from G1", type(x["value"][0]))
return 0
if "committed" in x:
if x["committed"][1] != G1Elem.inf(
self.G) or x["committed"][2] != G2Elem.inf(self.G):
print("not a commitment of Zp")
return 0
for y in Y:
if type(y["value"][0]) != G2Elem:
print("element in D not from G2", type(y["value"][0]))
return 0
if "committed" in y:
if y["committed"][1] != G1Elem.inf(
self.G) or y["committed"]["Zp"] != 0:
print("not a commitment of G2")
return 0
elif eq in ["QE", "QC1", "QC2"]:
for x in X:
if type(x["value"][0]) != G1Elem:
print("element in C not from Zp", type(x["value"][0]))
return 0
if "committed" in x:
if x["committed"][1] != G1Elem.inf(
self.G) or x["committed"][2] != G2Elem.inf(self.G):
print("not a commitment of Zp")
return 0
for y in Y:
if type(y["value"][0]) != G2Elem:
print("element in D not from Zp", type(y["value"][0]))
return 0
if "committed" in y:
if y["committed"][1] != G1Elem.inf(
self.G) or y["committed"][2] != G2Elem.inf(self.G):
print("not a commitment of Zp")
return 0
else:
print("ERROR: unknown eq", eq)
return 0
for i in range(len(X)):
for j in range(len(Y)):
if type(C[i][j]) != Bn and type(C[i][j]) != int:
print("element in Gamma not from Zp", i, j, C[i][j],
type(C[i][j]))
return 0
return 1
def enc_proof(gsp, X, Y, a):
res = []
#print("--- first equation")
# e = h_i + h*r
res1 = []
A1 = []
B1 = []
C1 = []
for i in range(len(X)):
row = []
for j in range(len(Y)):
row.append(Bn(0))
C1.append(row)
C1[12][0] = Bn(-1) # - e
C1[7][0] = Bn(1) # + h_i
C1[4][2] = Bn(1) # + h*r
success1, result1 = gsp.Prove_aggreg("ME1", X, B1, A1, Y, C1,
G1Elem.inf(gsp.G))
verify1 = 0
if success1:
eq_type, X1, Y1, C1, T_eq, pi2_v1, pi2_w1, pi1_v2, pi1_w2 = result1
#verify1 = gsp.Verify(eq_type, X1, Y1, C1, pi2_v1, pi2_w1, pi1_v2, pi1_w2)
#if verify1:
res1 = [C1, [pi2_v1, pi2_w1, pi1_v2, pi1_w2]]
res.append(res1)
#print("Do we successfully create a first proof?", success1)
#print("Does the first proof successfully verify?", verify1)
#print("--- second equation")
#u1 = g1_enc*r
res2 = []
B2 = []
A2 = []
C2 = []
for i in range(len(X)):
row = []
for j in range(len(Y)):
row.append(Bn(0))
C2.append(row)
C2[0][2] = Bn(-1) # - g1enc*r
C2[10][0] = Bn(1) # + u1
success2, result2 = gsp.Prove_aggreg("MC1", X, B2, A2, Y, C2,
G1Elem.inf(gsp.G))
verify2 = 0
if success2:
eq_type, X2, Y2, C2, T_eq, pi2_v1, pi2_w1, pi1_v2, pi1_w2 = result2
#verify2 = gsp.Verify(eq_type, X2, Y2, C2, pi2_v1, pi2_w1, pi1_v2, pi1_w2)
#if verify2:
res2 = [C2, [pi2_v1, pi2_w1, pi1_v2, pi1_w2]]
res.append(res2)
#print("Do we successfully create a second proof?", success2)
#print("Does the second proof successfully verify?", verify2)
#print("--- third equation")
#u2 = g2_enc*r
res3 = []
B3 = []
A3 = []
C3 = []
for i in range(len(X)):
row = []
for j in range(len(Y)):
row.append(Bn(0))
C3.append(row)
C3[1][2] = Bn(-1) # - g2_enc * r
C3[11][0] = Bn(1) # + u2
success3, result3 = gsp.Prove_aggreg("ME1", X, B3, A3, Y, C3,
G1Elem.inf(gsp.G))
verify3 = 0
if success3:
eq_type, X3, Y3, C3, T_eq, pi2_v1, pi2_w1, pi1_v2, pi1_w2 = result3
#verify3 = gsp.Verify(eq_type, X3, Y3, C3, pi2_v1, pi2_w1, pi1_v2, pi1_w2)
#if verify3:
res3 = [C3, [pi2_v1, pi2_w1, pi1_v2, pi1_w2]]
res.append(res3)
#print("Do we successfully create a third proof?", success3)
#print("Does the third proof successfully verify?", verify3)
""" We perform this check with a hash
#print("--- fourth equation")
# da = d*a
res4 = []
B4 = []
A4 = []
C4 = []
for i in range(len(X)):
row = []
for j in range(len(Y)):
row.append(Bn(0))
C4.append(row)
C4[9][0] = Bn(-1) # - da
C4[3][0] = a # + d*a
success4, result4 = gsp.Prove_aggreg("ME1", X, B4, A4, Y, C4, G1Elem.inf(gsp.G))
verify4 = 0
if success4:
eq_type, X4, Y4, C4, T_eq, pi2_v1, pi2_w1, pi1_v2, pi1_w2 = result4
#verify4 = gsp.Verify(eq_type, X4, Y4, C4, pi2_v1, pi2_w1, pi1_v2, pi1_w2)
#if verify4:
res4 = [C4, [pi2_v1, pi2_w1, pi1_v2, pi1_w2] ]
res.append(res4)
#print("Do we successfully create an fourth proof?", success4)
#print("Does the fourth proof successfully verify?", verify4)
"""
#print("--- fifth equation")
#v = c*r + d*(a*r) = c*r + da*r
res5 = []
B5 = []
A5 = []
C5 = []
for i in range(len(X)):
row = []
for j in range(len(Y)):
row.append(Bn(0))
C5.append(row)
C5[2][2] = Bn(1) # + c*r
C5[9][2] = Bn(1) # + da*r
C5[13][0] = Bn(-1) # - v
success5, result5 = gsp.Prove_aggreg("MC1", X, B5, A5, Y, C5,
G1Elem.inf(gsp.G))
verify5 = 0
if success5:
eq_type, X5, Y5, C5, T_eq, pi2_v1, pi2_w1, pi1_v2, pi1_w2 = result5
#verify5 = gsp.Verify(eq_type, X5, Y5, C5, pi2_v1, pi2_w1, pi1_v2, pi1_w2)
#if verify5:
res5 = [C5, [pi2_v1, pi2_w1, pi1_v2, pi1_w2]]
res.append(res5)
#print("Do we successfully create a fifth proof?", success5)
#print("Does the fifth proof successfully verify?", verify5)
#print("Do we successfully create all the proofs?", success1*success2*success3*success4*success5)
#print("Do all the proofs successfully verify?", verify1*verify2*verify3*verify4*verify5)
b1 = challenge(result1)
b2 = challenge(result2)
b3 = challenge(result3)
#b4 = challenge(result4)
b5 = challenge(result5)
C = []
for i in range(len(C1)):
row = []
for j in range(len(C1[0])):
cij = Bn(0)
if C1[i][j] != 0:
cij += b1 * C1[i][j]
if C2[i][j] != 0:
cij += b2 * C2[i][j]
if C3[i][j] != 0:
cij += b3 * C3[i][j]
#if C4[i][j] != 0:
# cij += b4*C4[i][j]
if C5[i][j] != 0:
cij += b5 * C5[i][j]
row.append(cij)
C.append(row)
pi = []
for i in range(len(res1[1])):
pi_i = []
for j in range(len(res1[1][0])):
pi_ij = b1 * res1[1][i][j] + b2 * res2[1][i][j] + b3 * res3[1][i][
j] + b5 * res5[1][i][j] # + b4*res4[1][i][j]
pi_i.append(pi_ij)
pi.append(pi_i)
print("\n--- enc")
for i in range(len(res)):
print("proof #" + str(i))
for j in range(4):
for k in range(2):
if type(res[i][1][j][k]) == G1Elem:
print(i, j, k, type(res[i][1][j][k]),
res[i][1][j][k].eq(G1Elem.inf(gsp.G)))
else:
print(i, j, k, type(res[i][1][j][k]),
res[i][1][j][k].eq(G2Elem.inf(gsp.G)))
#verify = gsp.Verify("ME1", X, Y, C, pi[0], pi[1], pi[2], pi[3])
#print("Does the (aggregate) proof verify?", verify)
return C, pi, res
def proof_usps_hidesigandsigner(self, gsp, pk, M, sig):
"""" creates GS proof that a USPS signature verifies
with the verifying key, the signature and the first message secret"""
#print("SPS: Prove")
from bplib.bp import G1Elem
from bplib.bp import G2Elem
from bplib.bp import GTElem
from petlib.bn import Bn
params = gsp.P
sps = USPS()
gz, gr = pk[0], pk[1]
pki = pk[2:]
m = []
for i in range(len(M)):
if type(M[i]) == bytes:
m.append(gsp.G.hashG1(M[i]))
elif type(M[i]) == G1Elem:
m.append(M[i])
else:
print("Error: wrong input, expected G1, got ", type(M[i]))
return 0, []
if len(m) < sps.nb_msg:
for i in range(sps.nb_msg - len(m)):
m.append(G1Elem.inf(gsp.G))
if sps.verify(params, pk, m, sig) == 0:
print("Signature does not verify")
return
X = [{
"type": "com",
"value": sig[0]
}, {
"type": "com",
"value": sig[1]
}]
B = [{
"type": "pub",
"value": G2Elem.inf(gsp.G)
}, {
"type": "pub",
"value": G2Elem.inf(gsp.G)
}]
A = [{
"type": "pub",
"value": G1Elem.inf(gsp.G)
}, {
"type": "pub",
"value": G1Elem.inf(gsp.G)
}]
Y = [{"type": "com", "value": gz}, {"type": "com", "value": gr}]
for i in range(len(m)):
if i == 0:
X.append({"type": "pub", "value": m[i]})
else:
X.append({"type": "com", "value": m[i]})
B.append({"type": "pub", "value": G2Elem.inf(gsp.G)})
for j in range(len(pki)):
Y.append({"type": "com", "value": pki[j]})
A.append({"type": "pub", "value": G1Elem.inf(gsp.G)})
C = []
for i in range(len(X)):
row = []
for j in range(len(Y)):
var = Bn(0)
if i == j:
var = Bn(1)
row.append(var)
C.append(row)
success, res = gsp.CommitProof_eq("PPE", X, B, A, Y, C,
GTElem.zero(gsp.G))
verify = 0
if success:
eq_type, X1, Y1, C1, T_eq, pi2_v1_ap, pi2_w1_ap, pi1_v2_ap, pi1_w2_ap = res
pi2_v1, pi2_w1, pi1_v2, pi1_w2 = gsp.Randomize(
eq_type, pi2_v1_ap, pi2_w1_ap, pi1_v2_ap, pi1_w2_ap)
verify = gsp.Verify(eq_type, X1, Y1, C1, pi2_v1, pi2_w1, pi1_v2,
pi1_w2)
if verify:
res = [[pi2_v1, pi2_w1, pi1_v2, pi1_w2],
[eq_type, X1, Y1, C1, T_eq]]
print("Do we successfully create a proof?", success)
print("Does the proof successfully verify?", verify)
print()
return verify, res