def testDifferentKandR(self): msg = 'some message' pk = self.pk sk = self.sk p = self.params.p signer = sk.getSigner() sig = signer.sign(msg) # Make sure initial verification works assert pk.getVerifier(sig).verify(msg) == True # Verify against a different r_hashed verifier = pk.getVerifier(sig) verifier.setHashedR(sig.getR() ** integer(2)) assert verifier.verify(msg) == False # Verify against a different r in the signature sig_mod = signer.sign(msg) sig_mod.r = sig.getR() ** integer(42) verifier = pk.getVerifier(sig_mod) assert verifier.verify(msg) == False # verify against a different s in the signature sig_mod = signer.sign(msg) sig_mod.s = sig.getS() ** integer(23) verifier = pk.getVerifier(sig_mod) assert verifier.verify(msg) == False # verify against a different r and s in the signature sig_mod = signer.sign(msg) sig_mod.s = sig.getS() ** integer(23) sig_mod.r = sig.getR() ** integer(42) verifier = pk.getVerifier(sig_mod) assert verifier.verify(msg) == False
def main(): p = integer(141660875619984104245410764464185421040193281776686085728248762539241852738181649330509191671665849071206347515263344232662465937366909502530516774705282764748558934610432918614104329009095808618770549804432868118610669336907161081169097403439689930233383598055540343198389409225338204714777812724565461351567) q = integer(70830437809992052122705382232092710520096640888343042864124381269620926369090824665254595835832924535603173757631672116331232968683454751265258387352641382374279467305216459307052164504547904309385274902216434059305334668453580540584548701719844965116691799027770171599194704612669102357388906362282730675783) cham_hash = ChamHash_Adm05(p, q) pk, sk = cham_hash.paramgen() if debug: print("Paramgen...") print("pk :=", pk) print("sk :=", sk) msg = 'Some message to hash' c, r, s = cham_hash.hash(pk, msg) if debug: print('Hashing: ', msg) print('Hash is: ', c) other_msg = 'Some other message to hash, different from previous message' assert msg != other_msg new_c, new_r, new_s = cham_hash.find_collision(pk, sk, c, other_msg) if debug: print('Hashing: ', other_msg) print('Hash is: ', new_c) assert new_c == c, 'Could not generate collision' if debug: print('Generated hash collision')
def roundNumber1(self, n1): Ro = self.pk_i['Ro'] df02_commit = CM_DF02() pk_commit = { 'S':self.pk_i['S'], 'Z':Ro, 'N':self.pk_i['N'] } (U, self.vPrime) = df02_commit.commit(pk_commit, self.ms, (ln + lo)) mTilde = integer(randomBits(lm + lo + lh + 1)) (Utilde, vPrimeTilde) = df02_commit.commit(pk_commit, mTilde, (lm + lo + lh + 1)) s1 = hashlib.new('sha256') s1.update(Conversion.IP2OS(self.context)) s1.update(Conversion.IP2OS(U)) s1.update(Conversion.IP2OS(Utilde)) s1.update(Conversion.IP2OS(n1)) c = integer(s1.digest()) # Responses to challenge vPrimeHat = vPrimeTilde + (c * self.vPrime) sHat = mTilde + (c * self.ms) p1 = { 'c':c, 'vPrimeHat':vPrimeHat, 'sHat':sHat, 'U':U } n2 = integer(randomBits(lo)) return (p1, n2)
def open(message, i, e_i, s, p_1, p_2): """ Open position i of message :param message: the message to open :param i: the position of the message to open :param e_i: :param s: :param p_1: :param p_2: :return: lamda_i """ assert len(message) == len( s), 'Message and S must have same length. Found {0} vs {1}'.format( len(message), len(s)) assert i < len( message), 'Invalid position to open: length of message {0} {1}'.format( len(message), i) lamda_tmp = -1 q = len(message) n = p_1 * p_2 for j in range(q): if j != i: tmp = reduce((integer(s[j]) % n)**message[j]) if lamda_tmp == -1: lamda_tmp = tmp else: lamda_tmp = reduce(lamda_tmp * tmp) phi_n = (p_1 - 1) * (p_2 - 1) d = 1 / (integer(e_i) % phi_n) lamda_i = reduce(lamda_tmp**reduce(d)) return int(lamda_i)
def round_1(self, n1): Ro = self.pk_i['Ro'] df02_commit = CM_DF02() pk_commit = {'S': self.pk_i['S'], 'Z': Ro, 'N': self.pk_i['N']} (U, self.vPrime) = df02_commit.commit(pk_commit, self.ms, (ln + lo)) mTilde = integer(randomBits(lm + lo + lh + 1)) (Utilde, vPrimeTilde) = df02_commit.commit(pk_commit, mTilde, (lm + lo + lh + 1)) s1 = hashlib.new('sha256') s1.update(Conversion.IP2OS(self.context)) s1.update(Conversion.IP2OS(U)) s1.update(Conversion.IP2OS(Utilde)) s1.update(Conversion.IP2OS(n1)) c = integer(s1.digest()) # Responses to challenge vPrimeHat = vPrimeTilde + (c * self.vPrime) sHat = mTilde + (c * self.ms) p1 = {'c': c, 'vPrimeHat': vPrimeHat, 'sHat': sHat, 'U': U} n2 = integer(randomBits(lo)) return p1, n2
def setparam(self, p, q): if p == (2 * q) + 1 and isPrime(p) and isPrime(q): self.p = integer(p) self.q = integer(q) return True else: print("p and q are not safe primes!") return False
def join_2(u): print("3. User computes x_i and sends C_2 to GM") xa = (integer(u['alpha']) * integer(u['x']) + integer(u['beta'])) % (2**lambda_2) u['x'] = integer(2)**lambda_1 + integer(xa) u['C_2'] = (u['a']**u['x']) % u['n'] return {'C_2': u['C_2'], 'status': "OK"}
def setparam(self, p, q): if isPrime(p) and isPrime(q) and p != q: self.p = integer(p) self.q = integer(q) self.n = self.p * self.q return True else: print("p and q are not primes!") return False
def v2i(self,rpk): r = self.group.random(ZR) g_r = pair(self.mpk, rpk) ** r V = integer(self.group.serialize(self.pk)) ^ integer(self.group.serialize(g_r)) mPath = [str(x.value) for x in self.path] message = json.dumps(mPath) symKey = hashlib.sha256(self.group.serialize(pair(self.sk, rpk))).digest() cipherRuner = AuthenticatedCryptoAbstraction(symKey) cPath = cipherRuner.encrypt(message) return (r * self.P, V, cPath)
def file_to_issuer_sk(file): with open(file) as f: sk_str = json.load(f) sk_i = {} sk_i['p'] = integer(sk_str['p']) sk_i['q'] = integer(sk_str['q']) return sk_i
def strlist2modint(cls, ls: str) -> integer: """ Takes a JSON list and converts it into a modular integer or integer depending on the list's length. :param ls: JSON list :return: integer """ ls = json.loads(ls) if len(ls) == 2: return integer(int(ls[0])) % integer(int(ls[1])) elif len(ls) == 1: return integer(int(ls[0])) else: raise Exception
def roundNumber2(self, U, attr, n2): # TODO: Adaptar IRMA e = randomPrime(le) vTilde = integer(randomBits(lv - 1)) vPrimePrime = (2 ** (lv - 1)) + vTilde R = self.pk_i['R'] Cx = 1 % self.pk_i['N'] for i in range(1, len(attr) + 1): Cx = Cx*(R[str(i)] ** attr[str(i)]) sigA = self.signAttributesLong(attr, vPrimePrime, U, e) A = sigA['A'] Q = sigA['Q'] phi_N = (self.sk_i['p']-1)*(self.sk_i['q']-1) e2 = e % phi_N # The issuer creates an SPK for proving the knowledge of # e^(-1) according to the equivalence of A and Q^{e-1} r = randomPrime(le) Atilde = (Q ** r) % self.pk_i['N'] s3 = hashlib.new('sha256') s3.update(Conversion.IP2OS(self.context)) s3.update(Conversion.IP2OS(Q)) s3.update(Conversion.IP2OS(A)) s3.update(Conversion.IP2OS(n2)) s3.update(Conversion.IP2OS(Atilde)) #print "issuer Q #1", Q #print "issuer A", A #print "issuer n2", n2 #print "issuer Atilde", Atilde cPrime = integer(s3.digest()) e2Prime = e2 ** - 1 Se = r - (cPrime * integer(e2Prime)) signature = { 'A':A, 'e':e, 'vPrimePrime':vPrimePrime } P2 = { 'Se':Se, 'cPrime':cPrime } return (signature, P2)
def roundNumber1(self, n1): # U: as IRMA does ms and Ro only Ro = self.pk_i['Ro'] df02_commit = CM_DF02() pk_commit = { 'S':self.pk_i['S'], 'Z':Ro, 'N':self.pk_i['N'] } (U, self.vPrime) = df02_commit.commit(pk_commit, self.ms, (ln + lo)) #U = (self.pk_i['S'] ** self.vPrime) * (self.pk_i['Ro'] ** self.ms) #print "Recipient, U, round1", U #sU = deepcopy(int(U)) #print "bakcup justo despues, sU", sU #self.vPrime = vPrime # P1: mTilde = integer(randomBits(lm + lo + lh + 1)) (Utilde, vPrimeTilde) = df02_commit.commit(pk_commit, mTilde, (lm + lo + lh + 1)) # CTilde = no lo hacemos ahora, IRMA no lo hace # Fiat-Shamir challenge, c = H(context | U | UTilde | nonce) s1 = hashlib.new('sha256') s1.update(Conversion.IP2OS(self.context)) s1.update(Conversion.IP2OS(U)) s1.update(Conversion.IP2OS(Utilde)) s1.update(Conversion.IP2OS(n1)) c = integer(s1.digest()) # Responses to challenge vPrimeHat = vPrimeTilde + (c * self.vPrime) sHat = mTilde + (c * self.ms) p1 = { 'c':c, 'vPrimeHat':vPrimeHat, 'sHat':sHat, 'U':U } n2 = integer(randomBits(lo)) #print "Recipient, U, round1 - BEFORE RETURNING", U #print "backup", sU return (p1, n2)
def round_2(self, U, p1, attr, n2): if self.__verify_p1(p1): pass # print "P1 verified" else: return None e = randomPrime(le) vTilde = integer(randomBits(lv - 1)) vPrimePrime = (2 ** (lv - 1)) + vTilde R = self.pk_i['R'] Cx = 1 % self.pk_i['N'] for i in range(1, len(attr) + 1): Cx = Cx * (R[str(i)] ** attr[str(i)]) sigA = self.signAttributesLong(attr, vPrimePrime, U, e) A = sigA['A'] Q = sigA['Q'] phi_N = (self.sk_i['p'] - 1) * (self.sk_i['q'] - 1) e2 = e % phi_N r = randomPrime(le) Atilde = (Q ** r) % self.pk_i['N'] s3 = hashlib.new('sha256') s3.update(Conversion.IP2OS(self.context)) s3.update(Conversion.IP2OS(Q)) s3.update(Conversion.IP2OS(A)) s3.update(Conversion.IP2OS(n2)) s3.update(Conversion.IP2OS(Atilde)) cPrime = integer(s3.digest()) e2Prime = e2 ** - 1 Se = r - (cPrime * integer(e2Prime)) signature = {'A': A, 'e': e, 'vPrimePrime': vPrimePrime} P2 = {'Se': Se, 'cPrime': cPrime} print signature print P2 return signature, P2
def encrypt(self, pk, m, salt=None): octetlen = int(ceil(int(pk['N']).bit_length() / 8.0)) EM = self.paddingscheme.encode(m, octetlen, "", salt) if debug: print("EM == >", EM) i = Conversion.OS2IP(EM) ip = integer(i) % pk['N'] #Convert to modular integer return (ip ** pk['e']) % pk['N']
def join_4(u): print("5. User verifies credentials") lhs = integer(u['a'], u['n'])**u['x'] * u['a_0'] rhs = (u['A']**u['e']) % u['n'] print(lhs == rhs) return lhs == rhs
def verify(self, pk, message, sig): if debug: print("\nVERIFY\n\n") sigma1, r, s, e = sig['sigma1'], sig['r'], sig['s'], sig['e'] K, L, c, keyLength, u, h, N = pk['K'], pk['L'], pk['c'], pk[ 'length'], pk['u'], pk['h'], pk['N'] # Make sure that 0 < s < 2^{keylength/2}, else reject the signature if not (0 < s and s < (2**(keyLength / 2))): return False # Compute e = H_k(s) and reject the signature if it's not prime ei = self.HW_hash(K, c, s, keyLength) % N if not isPrime(ei): if debug: print("ei not prime") return False # Compute Y = sigma1^{2*ceil(log2(s))} s1 = integer(2**(math.ceil(log[2](s)))) Y = (sigma1**s1) % N # Hash the mesage using the chameleon hash with fixed randomness r (x, r2) = self.ChameleonHash.hash(L, message, r) lhs = (Y**ei) % N rhs = ((u**x) * h) % N if debug: print("lhs =>", lhs) print("rhs =>", rhs) # Verify that Y^e = (u^x h) mod N. If so, accept the signature if lhs == rhs: return True # Default: reject the signature return False
def HW_hash(self, key, c, input, keyLen): C = integer(c) input_size = bitsize(c) input_b = Conversion.IP2OS(input, input_size) # Return c XOR PRF(k, input), where the output of PRF is keyLength bits result = C ^ self.Prf.eval(key, input_b) return result
def sign(self, pk, sk, m, v=0, u=0, e=0): if (e == 0): e = randomPrime(le) lv = ln + lm + lr if (v == 0): v = integer(randomBits(lv)) R = pk['R'] Cx = 1 % pk['N'] for i in range(1, len(m) + 1): Cx = Cx * (R[str(i)] ** m[str(i)]) phi_N = (sk['p']-1)*(sk['q']-1) e2 = e % phi_N if (u != 0): u = u % pk['N'] Cx = Cx*u q = pk['Z'] / (Cx*(pk['S'] ** v)) % pk['N'] a = q ** (e2 ** -1) % pk['N'] sig = { 'A':a, 'Q':q, 'e':e, 'v':v } return sig
def encrypt(self, pk, ID, M): # check length to make sure it is within n bits Q_id = group.hash(ID, G1) #standard g_id = pair(Q_id, pk['P2']) #choose sig = {0,1}^n where n is # bits sig = integer(randomBits(group.secparam)) r = h.hashToZr(sig, M) enc_M = self.encodeToZn(M) if bitsize(enc_M) <= group.messageSize(): C = { 'U': r * pk['P'], 'V': sig ^ h.hashToZn(g_id**r), 'W': enc_M ^ h.hashToZn(sig) } else: print("Message cannot be encoded.") return None if (debug): print('\nEncrypt...') print('r => %s' % r) print('sig => %s' % sig) print("V' =>", g_id**r) print('enc_M => %s' % enc_M) group.debug(C) return C
def verify(u, m, s): print("VERIFY:") print("1. Compute c'") d_1_1 = (u['a_0']**s['c']) * s['T_1']**(s['s_1'] - s['c'] * (2**gamma_1)) d_1_2 = (u['a']**(s['s_2'] - s['c'] * (2**lambda_1))) * u['y']**s['s_3'] d_1 = (d_1_1 / d_1_2) % u['n'] d_2 = ((s['T_2']**(s['s_1'] - s['c'] * (2**gamma_1))) / u['g']**s['s_3']) % u['n'] d_3 = (s['T_2']**s['c'] * u['g']**s['s_4']) % u['n'] d_4 = (s['T_3']**s['c'] * u['g']**(s['s_1'] - s['c'] * (2**gamma_1)) * u['h']**s['s_4']) % u['n'] c = integer( int( hashlib.sha1( serialize(u['g']) + serialize(u['h']) + serialize(u['y']) + serialize(u['a_0']) + serialize(u['a']) + serialize(s['T_1']) + serialize(s['T_2']) + serialize(s['T_3']) + serialize(d_1) + serialize(d_2) + serialize(d_3) + serialize(d_4) + m.encode()).hexdigest(), 16)) print("2. Accept if and only if c = c'") if c == s['c']: print("ACCEPT") return True else: print("NOT ACCEPTED") return False
def verifyAllIRMA_NYM_ONLY(self, m, input): pAprime = input['pAprime'] pChat = input['pChat'] pEhat = input['pEhat'] mHatMs = input['mHatMs'] pVprimeHat = input['pVprimeHat'] n3 = input['n3'] NYM1 = input['NYM1'] NYM2 = input['NYM2'] Ak = 1 % self.pk_i['N'] R = self.pk_i['R'] for i in range(1, len(m) + 1): Ak = Ak*(R[str(i)] ** m[str(i)]) That1 = (self.pk_i['Z'] / (Ak * (pAprime ** (2 ** (le - 1))))) ** ((-1 * pChat)) % self.pk_i['N'] That2 = (pAprime ** pEhat) * (self.pk_i['Ro'] ** mHatMs) * (self.pk_i['S'] ** pVprimeHat) % self.pk_i['N'] That = (That1 * That2) % self.pk_i['N'] ## challenge s6 = hashlib.new('sha256') s6.update(Conversion.IP2OS(NYM2)) s6.update(Conversion.IP2OS(NYM1)) s6.update(Conversion.IP2OS(self.context)) s6.update(Conversion.IP2OS(pAprime)) s6.update(Conversion.IP2OS(That)) pChat2 = integer(s6.digest()) return pChat == pChat2
def verify(self, pk, message, sig): if debug: print("\nVERIFY\n\n") sigma1, r, s, e = sig['sigma1'], sig['r'], sig['s'], sig['e'] K, L, c, keyLength, u, h, N = pk['K'], pk['L'], pk['c'], pk['length'], pk['u'], pk['h'], pk['N'] # Make sure that 0 < s < 2^{keylength/2}, else reject the signature if not (0 < s and s < (2 ** int(keyLength/2))): return False # Compute e = H_k(s) and reject the signature if it's not prime ei = self.HW_hash(K, c, s, keyLength) % N if not isPrime(ei): if debug: print("ei not prime") return False # Compute Y = sigma1^{2*ceil(log2(s))} s1 = integer(2 ** int(math.ceil(log[2](s)))) Y = (sigma1 ** s1) % N # Hash the mesage using the chameleon hash with fixed randomness r (x, r2) = self.ChameleonHash.hash(L, message, r) lhs = (Y ** ei) % N rhs = ((u ** x) * h) % N if debug: print("lhs =>", lhs) print("rhs =>", rhs) # Verify that Y^e = (u^x h) mod N. If so, accept the signature if lhs == rhs: return True # Default: reject the signature return False
def gen_challenge(secret_key, block_id): Lf = poly(secret_key, block_id) r = G.random() xc = G.random() Kf = g**(r * Lf(xc)) H = (g**r, xc, g**(r * Lf(integer(0, G.q)))) return Kf, H
def gen_proof(challenge, blocks_with_tags): g_r, xc, g_lf0 = challenge interpolation_set = [(integer(0, G.q), g_lf0)] + [ (message, g_r**tag) for message, tag in blocks_with_tags ] Pf = LI_exp(xc, interpolation_set) return Pf
def sign(self, pk, sk, m, v=0, u=0, e=0): if (e == 0): e = randomPrime(le) lv = ln + lm + lr if (v == 0): v = integer(randomBits(lv)) R = pk['R'] Cx = 1 % pk['N'] for i in range(1, len(m) + 1): Cx = Cx * (R[str(i)]**m[str(i)]) phi_N = (sk['p'] - 1) * (sk['q'] - 1) e2 = e % phi_N if (u != 0): u = u % pk['N'] Cx = Cx * u q = pk['Z'] / (Cx * (pk['S']**v)) % pk['N'] a = q**(e2**-1) % pk['N'] sig = {'A': a, 'Q': q, 'e': e, 'v': v} return sig
def verifyHideAllIRMA_PRIME(self, m, input): pAprime = input['pAprime'] pChat = input['pChat'] pEhat = input['pEhat'] mHatMs = input['mHatMs'] pVprimeHat = input['pVprimeHat'] n3 = input['n3'] NYM1 = input['NYM1'] NYM2 = input['NYM2'] Ak = 1 % self.pk_i['N'] R = self.pk_i['R'] #Ak = Ak*(R['1'] ** m['1']) That1 = (self.pk_i['Z'] / (Ak * (pAprime ** (2 ** (le - 1))))) ** ((-1 * pChat)) % self.pk_i['N'] That2 = (pAprime ** pEhat) * (self.pk_i['Ro'] ** mHatMs) * (R['1'] ** m['1']) * (self.pk_i['S'] ** pVprimeHat) % self.pk_i['N'] That = (That1 * That2) % self.pk_i['N'] s6 = hashlib.new('sha256') s6.update(Conversion.IP2OS(NYM1)) s6.update(Conversion.IP2OS(NYM2)) s6.update(Conversion.IP2OS(self.context)) s6.update(Conversion.IP2OS(pAprime)) s6.update(Conversion.IP2OS(That)) s6.update(Conversion.IP2OS(n3)) pChat2 = integer(s6.digest()) return pChat == pChat2
def roundNumber1(self, p1, n1): df02_commit = CM_DF02() pk_commit = { 'S':self.pk_i['S'], 'Z':self.pk_i['Ro'], 'N':self.pk_i['N'] } sHat = p1['sHat'] vPrimeHat = p1['vPrimeHat'] (cA, vPrimeHat) = df02_commit.commit(pk_commit, sHat, 0, vPrimeHat) U = p1['U'] % self.pk_i['N'] c = p1['c'] Uhat = cA * (U ** (-1 * c)) # knowledge of commited values -- not done in IRMA # verify challenge c s2 = hashlib.new('sha256') s2.update(Conversion.IP2OS(self.context)) s2.update(Conversion.IP2OS(U)) s2.update(Conversion.IP2OS(Uhat)) s2.update(Conversion.IP2OS(n1)) cHat = integer(s2.digest()) return c == cHat
def hashToZn(self, value): if type(value) == pc_element: h = hashlib.new(self.hash_type) h.update(self.group.serialize(value)) #print "digest => %s" % h.hexdigest() # get raw bytes of digest and hash to Zr val = h.digest() return integer(int(self.group.hash(val, ZR))) # do something related to that if type(value) == integer: str_value = int2Bytes(value) #print("str_value =>", str_value) #val = self.group.hash(str_value, ZR) #print("hash =>", val) return integer(int(self.group.hash(str_value, ZR))) return None
def setup(self, secparam=None, N=0): Xz = integer(random(N)) S = randomQR(N) Z = S ** Xz return { 'S': S, 'Z': Z, 'N': N }
def setup(self, secparam=None, N=0): Xz = integer(random(N)) S = randomQR(N) Z = S**Xz return {'S': S, 'Z': Z, 'N': N}
def encrypt(self, pk, m, salt=None): octetlen = int(ceil(int(pk['N']).bit_length() / 8.0)) EM = self.paddingscheme.encode(m, octetlen, "", salt) if debug: print("EM == >", EM) i = Conversion.OS2IP(EM) ip = integer(i) % pk['N'] #Convert to modular integer return (ip**pk['e']) % pk['N']
def hashToZn1(self, value): if type(value) == pc_element: h = hashlib.new(self.hash_type) h.update(self.group.serialize(value)) #print "digest => %s" % h.hexdigest() # get raw bytes of digest and hash to Zr val = h.digest() return integer(int(unicode(self.group.hash(val, ZR)))) # do something related to that if type(value) == integer: str_value = int2Bytes(value) #print("str_value =>", str_value) #val = self.group.hash(str_value, ZR) #print("hash =>", val) return integer(int(unicode(self.group.hash(str_value, ZR)))) return None
def key_gen(key_size, message_elem_bit_len, vector_len): """ Generate keys for vector commitment :param key_size: security key size (k in the paper) :param message_elem_bit_len: length of message in bits (l in the paper) :param vector_len: length of commitment vector (q in the paper) :return: """ k = key_size l = message_elem_bit_len q = vector_len private_key = rsa.generate_private_key(public_exponent=65537, key_size=k, backend=default_backend()) private_numbers = private_key.private_numbers() n = private_numbers.public_numbers.n p_1 = private_numbers.p p_2 = private_numbers.q # logger.info(p_1) # logger.info(p_2) phi_n = (p_1 - 1) * (p_2 - 1) # generate list of primes [e_1,...,e_q], each has length (l+1) e = list() while True: tmp_prime = reduce(randomPrime(l + 1) % n) if isPrime(tmp_prime) and phi_n % int(tmp_prime) != 0: e.append(int(tmp_prime)) if len(e) == q: break a = random(n) s = list() for i in range(q): tmp_exponent = integer(1) % n for j in range(q): if j != i: tmp_exponent = reduce(tmp_exponent * (integer(e[j]) % n)) s_i = reduce(a**tmp_exponent) s.append(int(s_i)) return n, int(a), s, e, p_1, p_2
def sign(u, m): print("SIGN:") print("1. Generate random value w") w = random(2**l_p) T_1 = (u['A'] * u['y']**w) % u['n'] T_2 = (u['g']**w) % u['n'] T_3 = ((u['g']**u['e']) * (u['h']**w)) % u['n'] print("2. Randomly choose r_1, r_2, r_3, and r_4") r_1 = random(2**(eps * (gamma_2 + k))) r_2 = random(2**(eps * (lambda_2 + k))) r_3 = random(2**(eps * (gamma_1 + 2 * l_p + k + 1))) r_4 = random(2**(eps * (2 * l_p + k))) print("(a) d_1, d_2, d_3, d_4") d_1 = ((T_1**r_1) / ((u['a']**r_2) * (u['y']**r_3))) % u['n'] d_2 = ((T_2**r_1) / (u['g']**r_3)) % u['n'] d_3 = (u['g']**r_4) % u['n'] d_4 = ((u['g']**r_1) * (u['h']**r_4)) % u['n'] print("(b) c = HASH()") c = integer( int( hashlib.sha1( serialize(u['g']) + serialize(u['h']) + serialize(u['y']) + serialize(u['a_0']) + serialize(u['a']) + serialize(T_1) + serialize(T_2) + serialize(T_3) + serialize(d_1) + serialize(d_2) + serialize(d_3) + serialize(d_4) + m.encode()).hexdigest(), 16)) print("(c) s_1, s_2, s_3, s_4") s_1 = integer(r_1) - c * (integer(u['e']) - 2**gamma_1) s_2 = integer(r_2) - c * (integer(u['x']) - 2**lambda_1) s_3 = integer(r_3) - c * integer(u['e']) * integer(w) s_4 = integer(r_4) - c * integer(w) print("3. Output signature") return { "c": c, "s_1": s_1, "s_2": s_2, "s_3": s_3, "s_4": s_4, "T_1": T_1, "T_2": T_2, "T_3": T_3 }
def eval(self, k, input1): if type(k) == integer: h = hmac.new(serialize(k), b'', hashlib.sha1) else: h = hmac.new(serialize(integer(k)), b'', hashlib.sha1) h.update(input1) return Conversion.bytes2integer(h.hexdigest())
def rkGen(self, params, skid, IDsrc, IDdest): N = integer(randomBits(group.secparam)) K = pair(skid['skid'], group.hash(IDdest, G1)) if(debug): print("\nRe-encryption key for id1 => '%s' to id2 => '%s'" % (IDsrc,IDdest)) group.debug(skid) print('N => %s' % N) print('K => %s' % K) return {'N':N, 'R':group.hash((K, IDsrc, IDdest, N), G1) * skid['skid']}
def selfTest(self): mt = {} for i in range(1, self.l + 1): mt[str(i)] = integer(randomBits(lm)) % self.pk_i['N'] signature = self.pksig.sign(self.pk_i, self.sk_i, mt) return self.verifySignature(mt, signature)
def verifyEqAll2_IRMA_FORTUNA(self, cred1, cred2, is_pk1, is_pk2, proof): pAprime1 = proof['pAprime1'] pAprime2 = proof['pAprime2'] c = proof['c'] pEhat1 = proof['pEhat1'] pEhat2 = proof['pEhat2'] ms_eq = proof['ms_eq'] pVprimeHat1 = proof['pVprimeHat1'] pVprimeHat2 = proof['pVprimeHat2'] n32 = proof['n32'] # cred1 Ak = 1 % is_pk1['N'] R = is_pk1['R'] for i in range(1, len(cred1['m']) + 1): Ak = Ak*(R[str(i)] ** cred1['m'][str(i)]) That1 = (is_pk1['Z'] / (Ak * (pAprime1 ** (2 ** (le - 1))))) ** ((-1 * c)) % is_pk1['N'] That2 = (pAprime1 ** pEhat1) * (is_pk1['Ro'] ** ms_eq) * (is_pk1['S'] ** pVprimeHat1) % is_pk1['N'] ThatCred1 = (That1 * That2) % is_pk1['N'] # cred2 Ak = 1 % is_pk2['N'] R = is_pk2['R'] for i in range(1, len(cred2['m']) + 1): Ak = Ak*(R[str(i)] ** cred2['m'][str(i)]) That1 = (is_pk2['Z'] / (Ak * (pAprime2 ** (2 ** (le - 1))))) ** ((-1 * c)) % is_pk2['N'] That2 = (pAprime2 ** pEhat2) * (is_pk2['Ro'] ** ms_eq) * (is_pk2['S'] ** pVprimeHat2) % is_pk2['N'] ThatCred2 = (That1 * That2) % is_pk2['N'] s6 = hashlib.new('sha256') s6.update(Conversion.IP2OS(self.context)) s6.update(Conversion.IP2OS(pAprime1)) s6.update(Conversion.IP2OS(ThatCred1)) s6.update(Conversion.IP2OS(pAprime2)) s6.update(Conversion.IP2OS(ThatCred2)) s6.update(Conversion.IP2OS(n32)) cPrime = integer(s6.digest()) return (c == cPrime)
def selfTest(self): mt = {} for i in range(1, self.l+1): mt[str(i)] = integer(randomBits(lm)) % self.pk_i['N'] signature = self.pksig.sign(self.pk_i, self.sk_i, mt) return self.verifySignature(mt, signature)
def verify(c, m, i, s, lamda_i, e, n, message_elem_bit_len): """ Verify the value at position i is m :param n: :param c: ciphertext :param m: value m :param i: position :param s: :param lamda_i: :param e: :param message_elem_bit_len: max bit length of m :return: whether the value at position i of ciphertext is m """ if m.bit_length() <= message_elem_bit_len: return c == int( reduce((integer(s[i]) % n)**m) * reduce( (integer(lamda_i) % n)**e[i])) return False
def randomize(self, pk, sig): rA = integer(randomBits(ln + lo)) aP = (sig['A'] * (pk['S'] ** rA)) % pk['N'] vP = sig['v'] - (sig['e'] * rA) eP = sig['e'] - (2 ** (le - 1)) sigP = { 'A':aP, 'e':eP, 'v':vP } return sigP
def gen_context(apdu): n3 = integer(randomBits(256)) n3 = int(n3) n3_hex = int2hex(n3) if apdu == 1: return map(ord, n3_hex) else: return n3_hex
def main(): # Receiver has alpha. alpha = G.random() # Sender has polynomial P. P = Poly([G.random() for _ in range(d_p + 1)]) # Sender generates random masking poly P_x P_x = Poly([G.random() for _ in range(d + 1)]) P_x[0] = integer(0, G.q) # To hold assumption that P_x(0) == 0 # Sender defines bivariate polynomial Q(x, y). # deg(Q) == deg(P_x) == d == d_p * k Q = lambda x, y: reduce_modulus(P_x(x) + P(y)) # Receiver hides alpha in a univariate polynomial. # deg(S) == k S = Poly([G.random() for _ in range(k + 1)]) S[0] = alpha # The receiver sets n = dR + 1 = d + 1 = kdP + 1 and chooses N = nm distinct random # values x1, . . . , xN ∈ F, all different from 0. n = k * d_p + 1 N = n * m X = [G.random() for _ in range(N)] # The receiver chooses a random set T of n indices 1 ≤ i1, i2, . . . , in ≤ N. T = list(range(N)) random.shuffle(T) T = T[:n] # Receiver defines N values yi, for 1 ≤ i ≤ N. The value yi is defined as # S(xi) if i is in T, and is a random value if F otherwise. # The receiver sends the N points (Y) to the sender Y = [(x, S(x) if i in T else G.random()) for i, x in enumerate(X)] Qs = [(x, Q(x, y)) for x, y in Y] # Receiver calculates values. R_values = [v for i, v in enumerate(Qs) if i in T] R_0 = LI(integer(0, G.q), R_values) P_alpha = P(alpha) assert R_0 == P_alpha
def gen_nonce(len_nonce, apdu): n3 = integer(randomBits(len_nonce)) n3 = int(n3) n3_hex = int2hex(n3) if apdu == 1: return map(ord, n3_hex) else: return n3_hex
def randomize(self, pk, sig): rA = integer(randomBits(ln + lo)) aP = (sig['A'] * (pk['S']**rA)) % pk['N'] vP = sig['v'] - (sig['e'] * rA) eP = sig['e'] - (2**(le - 1)) sigP = {'A': aP, 'e': eP, 'v': vP} return sigP
def verifyEqAll2_IRMA_H(self, cred1, cred2, is_pk1, is_pk2, proof): pAprime1 = proof['pAprime1'] pAprime2 = proof['pAprime2'] c = proof['c'] pEhat1 = proof['pEhat1'] pEhat2 = proof['pEhat2'] mHatMs1 = proof['mHatMs1'] mHatMs2 = proof['mHatMs2'] pVprimeHat1 = proof['pVprimeHat1'] pVprimeHat2 = proof['pVprimeHat2'] n31 = proof['n31'] n32 = proof['n32'] # cred1 Ak = 1 % is_pk1['N'] R = is_pk1['R'] Ak = Ak*(R['1'] ** cred1['m']['1']) That1 = (is_pk1['Z'] / (Ak * (pAprime1 ** (2 ** (le - 1))))) ** ((-1 * c)) % is_pk1['N'] That2 = (pAprime1 ** pEhat1) * (is_pk1['Ro'] ** mHatMs1) * (R['2'] ** cred1['m']['2']) * (R['3'] ** cred1['m']['3']) * (R['4'] ** cred1['m']['4']) * (R['5'] ** cred1['m']['5']) * (is_pk1['S'] ** pVprimeHat1) % is_pk1['N'] ThatCred1 = (That1 * That2) % is_pk1['N'] # cred2 Ak = 1 % is_pk2['N'] R = is_pk2['R'] Ak = Ak*(R['1'] ** cred2['m']['1']) That1 = (is_pk2['Z'] / (Ak * (pAprime2 ** (2 ** (le - 1))))) ** ((-1 * c)) % is_pk2['N'] That2 = (pAprime2 ** pEhat2) * (is_pk2['Ro'] ** mHatMs2) * (R['2'] ** cred2['m']['2']) * (R['3'] ** cred2['m']['3']) * (R['4'] ** cred2['m']['4']) * (R['5'] ** cred2['m']['5']) * (is_pk2['S'] ** pVprimeHat2) % is_pk2['N'] ThatCred2 = (That1 * That2) % is_pk2['N'] s6 = hashlib.new('sha256') s6.update(Conversion.IP2OS(self.context)) s6.update(Conversion.IP2OS(pAprime1)) s6.update(Conversion.IP2OS(ThatCred1)) s6.update(Conversion.IP2OS(pAprime2)) s6.update(Conversion.IP2OS(ThatCred2)) s6.update(Conversion.IP2OS(n32)) cPrime = integer(s6.digest()) return (c == cPrime)
def sign(self, sk, M, salt=None): #apply encoding while True: octetlen = int(ceil(int(sk['N']).bit_length() / 8.0)) em = self.paddingscheme.encode(M, octetlen, "", salt) m = Conversion.OS2IP(em) m = integer(m) % sk['N'] #ERRROR m is larger than N p = sk['p'] q = sk['q'] yp = sk['yp'] yq = sk['yq'] mp = (m**((p + 1) / 4)) % p mq = (m**((q + 1) / 4)) % q r1 = ((int(yp) * int(p) * int(mq)) + ((int(yq) * int(q) * int(mp)))) % int(sk['N']) r2 = int(sk['N']) - int(r1) s1 = (int(yp) * int(p) * int(mq) - int(yq) * int(q) * int(mp)) % int(sk['N']) s2 = int(sk['N']) - int(s1) if (((int((integer(r1)**2) % sk['N'] - m)) == 0) or ((int((integer(r2)**2) % sk['N'] - m)) == 0) or ((int((integer(s1)**2) % sk['N'] - m)) == 0) or ((int((integer(s2)**2) % sk['N'] - m)) == 0)): break S = {'s1': r1, 's2': r2, 's3': s1, 's4': s2} if debug: print("Signing") print("m =>", m) print("em =>", em) print("S =>", S) return S
def file_to_issuer_pk(file): with open(file) as f: pk_str = json.load(f) pk_i = {} R = {} R_str = pk_str['R'] pk_i['N'] = integer(pk_str['N']) for i in range(1, len(R_str) + 1): R[str(i)] = integer(R_str[str(i)]) % pk_i['N'] pk_i['R'] = R pk_i['S'] = integer(pk_str['S']) % pk_i['N'] pk_i['Z'] = integer(pk_str['Z']) % pk_i['N'] pk_i['Ro'] = integer(pk_str['Ro']) % pk_i['N'] return pk_i
def commit(self, pk, msg, lr, ri=0): S = pk['S'] Z = pk['Z'] if (lr == 0): r = ri else: r = integer(randomBits(lr)) c = ((Z ** msg) * (S ** r)) % pk['N'] d = r return (c, d)
def setupBlock(self, secparam=None, N=0, l=16): Xr = {} for i in range(1, l + 1): Xr[str(i)] = integer(random(N)) S = randomQR(N) R = {} for i in range(1, l + 1): R[str(i)] = S ** Xr[str(i)] return { 'S': S, 'R': R, 'N': N }
def keygen(self, p, q): N = p * q Xz = integer(random(N)) Xr = {} for i in range(1, l + 1): Xr[str(i)] = integer(random(N)) S = randomQR(N) Z = S ** Xz R = {} for i in range(1, l + 1): R[str(i)] = S ** Xr[str(i)] pk = { 'N':N, 'R':R,'S':S, 'Z':Z } sk = { 'p':p, 'q':q } return (pk, sk)
def prove(self, pk_i, credential, cl_predicate, m, m_tilde, ms=None, c=None): if not c: r_a = integer(randomBits(ln + lo)) A_prime = (credential['signature']['A'] * (pk_i['S'] ** r_a)) % pk_i['N'] v_prime = credential['signature']['v'] - (credential['signature']['e'] * r_a) e_prime = credential['signature']['e'] - (2 ** (le - 1)) e_tilde = integer(randomBits(lePrime + lo + lh)) v_prime_tilde = integer(randomBits(lv + lo + lh)) R_tot = 1 % pk_i['N'] for id in credential['attributes']: if id not in cl_predicate: R_tot = R_tot * (pk_i['R'][id] ** m_tilde[id]) R_tot = R_tot * (pk_i['Ro'] ** m_tilde['0']) Z_tilde1 = A_prime ** e_tilde Z_tilde3 = pk_i['S'] ** v_prime_tilde Z_tilde = (Z_tilde1 * R_tot * Z_tilde3) % pk_i['N'] self.e_tilde = e_tilde self.e_prime = e_prime self.v_prime_tilde = v_prime_tilde self.v_prime = v_prime return Z_tilde, A_prime else: e_hat = self.e_tilde + (c * self.e_prime) v_prime_hat = self.v_prime_tilde + (c * self.v_prime) m_hat = {} for id in credential['attributes']: # TODO: not in Ar (not revealed!) if id not in cl_predicate: m_hat[id] = m_tilde[id] + (c * m[id]) m_hat['0'] = m_tilde['0'] + (c * ms) return {'e_hat': e_hat, 'v_prime_hat': v_prime_hat, 'm_hat': m_hat}
def commit(self, pk, msg, lr, ri=0): S = pk['S'] Z = pk['Z'] if (lr == 0): r = ri else: r = integer(randomBits(lr)) c = ((Z**msg) * (S**r)) % pk['N'] d = r return (c, d)