def verifiabilityProofCheck(ppatspk, d, proof):
""" Return True if the ZKP proof is correct with respect to d
meaning that d is a commitment on either 0 or 1
"""
u0, u1, t0, t1 = proof
# notations
Jcoord = ppatspk.PPATSpp.Jcoord
ECG = ppatspk.PPATSpp.h.ECG
ddt = oEC.toTupleEFp(d.d, Jcoord)
u0ht = oEC.mul_comb2_EFp(ECG, u0, ppatspk.precomp_h, Jcoord)
ddt0 = oEC.mulECP(ECG, ddt, -t0, False, Jcoord)
w0t = oEC.addEFp(ECG, u0ht, ddt0, Jcoord)
w0v = oEC.toEFp(ECG, w0t, Jcoord)
w0 = ppat.ppats.PPATSCommitment(w0v, ppatspk)
ddt1 = oEC.mulECP(ECG, ddt, -t1, False, Jcoord)
u1ht = oEC.mul_comb2_EFp(ECG, u1, ppatspk.precomp_h, Jcoord)
t1h1t = oEC.mul_comb2_EFp(ECG, t1, ppatspk.precomp_h1, Jcoord)
ad1 = oEC.addEFp(ECG, ddt1, u1ht, Jcoord)
w1t = oEC.addEFp(ECG, ad1, t1h1t, Jcoord)
w1v = oEC.toEFp(ECG, w1t, Jcoord)
w1 = ppat.ppats.PPATSCommitment(w1v, ppatspk)
return t0 + t1 == ppatspk.hashf([ppatspk.PPATSpp, ppatspk, d, w0, w1])
def verifiabilityProofCheck(ppatspk, d, proof):
''' Return True if the ZKP proof is correct with respect to d
meaning that d is a commitment on either 0 or 1
'''
u0, u1, t0, t1 = proof
# notations
Jcoord = ppatspk.PPATSpp.Jcoord
ECG = ppatspk.PPATSpp.h.ECG
ddt = oEC.toTupleEFp(d.d, Jcoord)
u0ht = oEC.mul_comb2_EFp(ECG, u0, ppatspk.precomp_h, Jcoord)
ddt0 = oEC.mulECP(ECG, ddt, -t0, False, Jcoord)
w0t = oEC.addEFp(ECG, u0ht, ddt0, Jcoord)
w0v = oEC.toEFp(ECG, w0t, Jcoord)
w0 = ppat.ppats.PPATSCommitment(w0v, ppatspk)
ddt1 = oEC.mulECP(ECG, ddt, -t1, False, Jcoord)
u1ht = oEC.mul_comb2_EFp(ECG, u1, ppatspk.precomp_h, Jcoord)
t1h1t = oEC.mul_comb2_EFp(ECG, t1, ppatspk.precomp_h1, Jcoord)
ad1 = oEC.addEFp(ECG, ddt1, u1ht, Jcoord)
w1t = oEC.addEFp(ECG, ad1, t1h1t, Jcoord)
w1v = oEC.toEFp(ECG, w1t, Jcoord)
w1 = ppat.ppats.PPATSCommitment(w1v, ppatspk)
return t0 + t1 == ppatspk.hashf([ppatspk.PPATSpp, ppatspk, d, w0, w1])
def verifiabilityProof2(ppatspk, d, m, r, b=None, u=None, t=None):
""" This ZK proof ensures that d = r*h+m*h1 is a commitment on m = 0 or 1
b,u,t are the randomness used in the proof (optional)
"""
# notations
order = ppatspk.PPATSpp.order
h = ppatspk.PPATSpp.h
h1 = ppatspk.h1
ECG = h.ECG
Jcoord = ppatspk.PPATSpp.Jcoord
# ht = oEC.toTupleEFp(ECG,h,Jcoord)
nh1t = oEC.toTupleEFp(ECG, -h1, Jcoord)
ddt = oEC.toTupleEFp(ECG, d.d, Jcoord)
# assert h*r+h1*m == d.d # commitment is well formed
assert m == 0 or m == 1 # the proof works only if m = 0 or 1
if b == None:
b = randint(1, int(order))
if u == None:
u = randint(1, int(order))
if t == None:
t = randint(1, int(order))
hbt = oEC.mul_comb2_EFp(ECG, b, ppatspk.precomp_h, Jcoord)
hb = oEC.toEFp(ECG, hbt, Jcoord)
if m == 0:
u1 = u
t1 = t
# commitment
# w0 = PPATSCommitment(h*b,self)
w0 = ppat.ppats.PPATSCommitment(hb, ppatspk)
hu1t = oEC.mul_comb2_EFp(ECG, u1, ppatspk.precomp_h, Jcoord)
s1 = oEC.addEFp(ECG, ddt, nh1t, Jcoord)
s1t1 = oEC.mulECP(ECG, s1, -t1, False, Jcoord)
w1t = oEC.addEFp(ECG, hu1t, s1t1, Jcoord)
w1v = oEC.toEFp(ECG, w1t, Jcoord)
w1 = ppat.ppats.PPATSCommitment(w1v, ppatspk)
# challenge
t0 = ppatspk.hashf([ppatspk.PPATSpp, ppatspk, d, w0, w1]) - t1
# response
u0 = b + r * t0
if m == 1:
u0 = u
t0 = t
# commitment
hu0t = oEC.mul_comb2_EFp(ECG, u0, ppatspk.precomp_h, Jcoord)
ddt0 = oEC.mulECP(ECG, ddt, -t0, False, Jcoord)
w0t = oEC.addEFp(ECG, hu0t, ddt0, Jcoord)
w0v = oEC.toEFp(ECG, w0t, Jcoord)
w0 = ppat.ppats.PPATSCommitment(w0v, ppatspk)
w1 = ppat.ppats.PPATSCommitment(hb, ppatspk)
# challenge
t1 = ppatspk.hashf([ppatspk.PPATSpp, ppatspk, d, w0, w1]) - t0
# response
u1 = b + r * t1
return [u0, u1, t0, t1]
"""
def verifiabilityProof2(ppatspk, d, m, r, b=None, u=None, t=None):
''' This ZK proof ensures that d = r*h+m*h1 is a commitment on m = 0 or 1
b,u,t are the randomness used in the proof (optional)
'''
# notations
order = ppatspk.PPATSpp.order
h = ppatspk.PPATSpp.h
h1 = ppatspk.h1
ECG = h.ECG
Jcoord = ppatspk.PPATSpp.Jcoord
#ht = oEC.toTupleEFp(ECG,h,Jcoord)
nh1t = oEC.toTupleEFp(ECG, -h1, Jcoord)
ddt = oEC.toTupleEFp(ECG, d.d, Jcoord)
#assert h*r+h1*m == d.d # commitment is well formed
assert m == 0 or m == 1 # the proof works only if m = 0 or 1
if b == None:
b = randint(1, int(order))
if u == None:
u = randint(1, int(order))
if t == None:
t = randint(1, int(order))
hbt = oEC.mul_comb2_EFp(ECG, b, ppatspk.precomp_h, Jcoord)
hb = oEC.toEFp(ECG, hbt, Jcoord)
if m == 0:
u1 = u
t1 = t
# commitment
#w0 = PPATSCommitment(h*b,self)
w0 = ppat.ppats.PPATSCommitment(hb, ppatspk)
hu1t = oEC.mul_comb2_EFp(ECG, u1, ppatspk.precomp_h, Jcoord)
s1 = oEC.addEFp(ECG, ddt, nh1t, Jcoord)
s1t1 = oEC.mulECP(ECG, s1, -t1, False, Jcoord)
w1t = oEC.addEFp(ECG, hu1t, s1t1, Jcoord)
w1v = oEC.toEFp(ECG, w1t, Jcoord)
w1 = ppat.ppats.PPATSCommitment(w1v, ppatspk)
# challenge
t0 = ppatspk.hashf([ppatspk.PPATSpp, ppatspk, d, w0, w1]) - t1
# response
u0 = b + r * t0
if m == 1:
u0 = u
t0 = t
# commitment
hu0t = oEC.mul_comb2_EFp(ECG, u0, ppatspk.precomp_h, Jcoord)
ddt0 = oEC.mulECP(ECG, ddt, -t0, False, Jcoord)
w0t = oEC.addEFp(ECG, hu0t, ddt0, Jcoord)
w0v = oEC.toEFp(ECG, w0t, Jcoord)
w0 = ppat.ppats.PPATSCommitment(w0v, ppatspk)
w1 = ppat.ppats.PPATSCommitment(hb, ppatspk)
# challenge
t1 = ppatspk.hashf([ppatspk.PPATSpp, ppatspk, d, w0, w1]) - t0
# response
u1 = b + r * t1
return [u0, u1, t0, t1]
"""
def multiplicationProofCheck(ppatspk, d1, d2, d3, proof):
""" d1,d2,d3 are PPATS Commitment
proof is a ZK proof that d3 commits on the
product of the message commited in d1 and d2.
the method returns True if this assertion is correct and False
otherwise
"""
# assert isinstance(d1,ppat.ppats.PPATSCommitment)
# assert isinstance(d2,ppat.ppats.PPATSCommitment)
# assert isinstance(d3,ppat.ppats.PPATSCommitment)
# Notations
ECG = ppatspk.PPATSpp.h.ECG
Jcoord = ppatspk.PPATSpp.Jcoord
nu, z1, z2, s1, s2, s3 = proof
# a1 = s1*h + z1*h1
a1c, s1 = ppatspk.commit(z1, s1)
a1 = a1c.d
# a2 = s2*h + z2*h1
a2c, s2 = ppatspk.commit(z2, s2)
a2 = a2c.d
s3ht = oEC.mul_comb2_EFp(ECG, s3, ppatspk.precomp_h, Jcoord)
d1t = oEC.toTupleEFp(d1.d, Jcoord)
z2d1t = oEC.mulECP(ECG, d1t, z2, False, Jcoord)
a3t = oEC.addEFp(ECG, s3ht, z2d1t, Jcoord)
# a3 = s3*h + z2*d1.d
d2t = oEC.toTupleEFp(d2.d, Jcoord)
d3t = oEC.toTupleEFp(d3.d, Jcoord)
mnud1t = oEC.mulECP(ECG, d1t, -nu, False, Jcoord)
mnud2t = oEC.mulECP(ECG, d2t, -nu, False, Jcoord)
mnud3t = oEC.mulECP(ECG, d3t, -nu, False, Jcoord)
a1t = oEC.toTupleEFp(a1, Jcoord)
a2t = oEC.toTupleEFp(a2, Jcoord)
e1t = oEC.addEFp(ECG, a1t, mnud1t, Jcoord)
e2t = oEC.addEFp(ECG, a2t, mnud2t, Jcoord)
e3t = oEC.addEFp(ECG, a3t, mnud3t, Jcoord)
e1 = oEC.toEFp(ECG, e1t, Jcoord)
e2 = oEC.toEFp(ECG, e2t, Jcoord)
e3 = oEC.toEFp(ECG, e3t, Jcoord)
d1p = ppat.ppats.PPATSCommitment(e1, ppatspk)
d2p = ppat.ppats.PPATSCommitment(e2, ppatspk)
d3p = ppat.ppats.PPATSCommitment(e3, ppatspk)
nup = ppatspk.hashf([ppatspk.PPATSpp, ppatspk, d1, d2, d3, d1p, d2p, d3p])
return nu == nup
def multiplicationProofCheck(ppatspk, d1, d2, d3, proof):
''' d1,d2,d3 are PPATS Commitment
proof is a ZK proof that d3 commits on the
product of the message commited in d1 and d2.
the method returns True if this assertion is correct and False
otherwise
'''
#assert isinstance(d1,ppat.ppats.PPATSCommitment)
#assert isinstance(d2,ppat.ppats.PPATSCommitment)
#assert isinstance(d3,ppat.ppats.PPATSCommitment)
# Notations
ECG = ppatspk.PPATSpp.h.ECG
Jcoord = ppatspk.PPATSpp.Jcoord
nu, z1, z2, s1, s2, s3 = proof
#a1 = s1*h + z1*h1
a1c, s1 = ppatspk.commit(z1, s1)
a1 = a1c.d
#a2 = s2*h + z2*h1
a2c, s2 = ppatspk.commit(z2, s2)
a2 = a2c.d
s3ht = oEC.mul_comb2_EFp(ECG, s3, ppatspk.precomp_h, Jcoord)
d1t = oEC.toTupleEFp(d1.d, Jcoord)
z2d1t = oEC.mulECP(ECG, d1t, z2, False, Jcoord)
a3t = oEC.addEFp(ECG, s3ht, z2d1t, Jcoord)
#a3 = s3*h + z2*d1.d
d2t = oEC.toTupleEFp(d2.d, Jcoord)
d3t = oEC.toTupleEFp(d3.d, Jcoord)
mnud1t = oEC.mulECP(ECG, d1t, -nu, False, Jcoord)
mnud2t = oEC.mulECP(ECG, d2t, -nu, False, Jcoord)
mnud3t = oEC.mulECP(ECG, d3t, -nu, False, Jcoord)
a1t = oEC.toTupleEFp(a1, Jcoord)
a2t = oEC.toTupleEFp(a2, Jcoord)
e1t = oEC.addEFp(ECG, a1t, mnud1t, Jcoord)
e2t = oEC.addEFp(ECG, a2t, mnud2t, Jcoord)
e3t = oEC.addEFp(ECG, a3t, mnud3t, Jcoord)
e1 = oEC.toEFp(ECG, e1t, Jcoord)
e2 = oEC.toEFp(ECG, e2t, Jcoord)
e3 = oEC.toEFp(ECG, e3t, Jcoord)
d1p = ppat.ppats.PPATSCommitment(e1, ppatspk)
d2p = ppat.ppats.PPATSCommitment(e2, ppatspk)
d3p = ppat.ppats.PPATSCommitment(e3, ppatspk)
nup = ppatspk.hashf([ppatspk.PPATSpp, ppatspk, d1, d2, d3, d1p, d2p, d3p])
return nu == nup
def test_MulEFp_opt(self):
_ = oEC.mulECP(EFp,
oEC.toTupleEFp(P, Jcoord=True),
r,
sq=False,
Jcoord=True)
t = time.time() - self.startTime
print "%s: %.4f" % ("EFp point multiplication -- optimized", t)
def __mul__(self,a):
'''multiplication by a scalar a
The result is a PPATC Commitment which encrypts and commits on a*m
'''
m = gmpy.mpz(1)
if not isinstance(a, int) and not isinstance(a, long) and not type(a)==type(m):
raise Exception("Multiplication of a PPATC Commitment by a non integer, long or mpz")
else :
Jcoord = self.PPATCpk.PPATCpp.Jcoord
ECG1 = self.PPATCpk.h1.ECG
ECG2 = self.PPATCpk.g1.ECG
d1t = oEC.toTupleEFp(self.d1,Jcoord)
nd1t = oEC.mulECP(ECG1,d1t,a,sq=False,Jcoord=Jcoord)
newd1 = oEC.toEFp(ECG1,nd1t,Jcoord)
d2t = oEC.toTupleEFp2(self.d2,Jcoord)
nd2t = oEC.mulECP(ECG2,d2t,a,sq=True,Jcoord=Jcoord)
newd2 = oEC.toEFp2(ECG2,nd2t,Jcoord)
return PPATCCommitment(newd1,newd2,self.PPATCpk)
def __mul__(self,a):
'''multiplication by a scalar
The result is a PPATC Ciphertext which encrypts and commits on e*m
'''
m = gmpy.mpz(1)
if not isinstance(a, int) and not isinstance(a, long) and not type(a)==type(m):
raise Exception("Multiplication of a PPATC Ciphertext by a non integer, long or mpz")
else :
Jcoord = self.PPATCpk.PPATCpp.Jcoord
ECG = self.PPATCpk.g1.ECG
c1t = oEC.toTupleEFp2(self.c1,Jcoord)
nc1t = oEC.mulECP(ECG,c1t,a,sq=True,Jcoord=Jcoord)
newc1 = oEC.toEFp2(ECG,nc1t,Jcoord)
c2t = oEC.toTupleEFp2(self.c2,Jcoord)
nc2t = oEC.mulECP(ECG,c2t,a,sq=True,Jcoord=Jcoord)
newc2 = oEC.toEFp2(ECG,nc2t,Jcoord)
c3t = oEC.toTupleEFp2(self.c3,Jcoord)
nc3t = oEC.mulECP(ECG,c3t,a,sq=True,Jcoord=Jcoord)
newc3 = oEC.toEFp2(ECG,nc3t,Jcoord)
return PPATCCiphertext(a*self.d,newc1,newc2,newc3,self.PPATCpk)
def __mul__(self, a):
'''multiplication by a scalar a
The result is a PPATC Commitment which encrypts and commits on a*m
'''
m = gmpy.mpz(1)
if not isinstance(a, int) and not isinstance(
a, long) and not type(a) == type(m):
raise Exception(
"Multiplication of a PPATC Commitment by a non integer, long or mpz"
)
else:
Jcoord = self.PPATCpk.PPATCpp.Jcoord
ECG1 = self.PPATCpk.h1.ECG
ECG2 = self.PPATCpk.g1.ECG
d1t = oEC.toTupleEFp(self.d1, Jcoord)
nd1t = oEC.mulECP(ECG1, d1t, a, sq=False, Jcoord=Jcoord)
newd1 = oEC.toEFp(ECG1, nd1t, Jcoord)
d2t = oEC.toTupleEFp2(self.d2, Jcoord)
nd2t = oEC.mulECP(ECG2, d2t, a, sq=True, Jcoord=Jcoord)
newd2 = oEC.toEFp2(ECG2, nd2t, Jcoord)
return PPATCCommitment(newd1, newd2, self.PPATCpk)
def multiplicationCommitFromTriplet(self,a1,a2,a3,m1,m2):
''' This method builds a commitment d3 based on three precomputed commitments
a1,a2,a3 such that a1 commits (m_a-m1),a2 commits on (m_b-m2) and a3 commits
on some m_a*m_b+..., the output is d3 that commits on m_a*m_b
but it does not perform any verification whatsoever
'''
Jcoord = self.PPATSpp.Jcoord
ECG = self.h1.ECG
order = self.PPATSpp.order
a1dt = oEC.toTupleEFp(a1.d,Jcoord)
a2dt = oEC.toTupleEFp(a2.d,Jcoord)
a3dt = oEC.toTupleEFp(a3.d,Jcoord)
m2a1dt = oEC.mulECP(ECG,a1dt,m2,False,Jcoord)
m1a2dt = oEC.mulECP(ECG,a2dt,m1,False,Jcoord)
m1m2h1t = oEC.mul_comb2_EFp(ECG,(m1*m2)%order,self.precomp_h1,Jcoord)
a1t = oEC.addEFp(ECG,m2a1dt,m1a2dt,Jcoord)
a2t = oEC.addEFp(ECG,a1t,a3dt,Jcoord)
d3t = oEC.addEFp(ECG,a2t,m1m2h1t,Jcoord)
d3 = oEC.toEFp(ECG,d3t,Jcoord)
#d3p = (m2*a1.d)+(m1*a2.d)+a3.d+((m1*m2)*h1)
#assert d3 == d3p
return PPATSCommitment(d3,self)
def __mul__(self, a):
'''multiplication by a scalar
The result is a PPATC Ciphertext which encrypts and commits on e*m
'''
m = gmpy.mpz(1)
if not isinstance(a, int) and not isinstance(
a, long) and not type(a) == type(m):
raise Exception(
"Multiplication of a PPATC Ciphertext by a non integer, long or mpz"
)
else:
Jcoord = self.PPATCpk.PPATCpp.Jcoord
ECG = self.PPATCpk.g1.ECG
c1t = oEC.toTupleEFp2(self.c1, Jcoord)
nc1t = oEC.mulECP(ECG, c1t, a, sq=True, Jcoord=Jcoord)
newc1 = oEC.toEFp2(ECG, nc1t, Jcoord)
c2t = oEC.toTupleEFp2(self.c2, Jcoord)
nc2t = oEC.mulECP(ECG, c2t, a, sq=True, Jcoord=Jcoord)
newc2 = oEC.toEFp2(ECG, nc2t, Jcoord)
c3t = oEC.toTupleEFp2(self.c3, Jcoord)
nc3t = oEC.mulECP(ECG, c3t, a, sq=True, Jcoord=Jcoord)
newc3 = oEC.toEFp2(ECG, nc3t, Jcoord)
return PPATCCiphertext(a * self.d, newc1, newc2, newc3,
self.PPATCpk)
def opens(self,c):
assert isinstance(c,PPATCCiphertext)
#notations
Jcoord = self.PPATCpp.Jcoord
ECG = self.PPATCpp.g.ECG
c2 = c.c2
c3 = c.c3
c2t = oEC.toTupleEFp2(c2,Jcoord)
c3t = oEC.toTupleEFp2(c3,Jcoord)
c2x2t = oEC.mulECP(ECG,c2t,-self.x2,sq= True, Jcoord = Jcoord)
c3c2x2t = oEC.addEFp2(ECG,c3t,c2x2t,Jcoord)
ope = oEC.toEFp2(ECG,c3c2x2t,Jcoord)
# ope = c3-(self.x2*c2)
return ope
def decrypt(self, c):
assert isinstance(c, PPATCCiphertext)
#notations
Jcoord = self.PPATCpp.Jcoord
ECG = self.PPATCpp.g.ECG
d2 = c.d.d2
d2t = oEC.toTupleEFp2(d2, Jcoord)
c1 = c.c1
c1t = oEC.toTupleEFp2(c1, Jcoord)
c1x1t = oEC.mulECP(ECG, c1t, -self.x1, sq=True, Jcoord=Jcoord)
d2c1x1t = oEC.addEFp2(ECG, d2t, c1x1t, Jcoord)
dec = oEC.toEFp2(ECG, d2c1x1t, Jcoord)
# dec = d2 - (self.x1*c1)
return dec
def opens(self, c):
assert isinstance(c, PPATCCiphertext)
#notations
Jcoord = self.PPATCpp.Jcoord
ECG = self.PPATCpp.g.ECG
c2 = c.c2
c3 = c.c3
c2t = oEC.toTupleEFp2(c2, Jcoord)
c3t = oEC.toTupleEFp2(c3, Jcoord)
c2x2t = oEC.mulECP(ECG, c2t, -self.x2, sq=True, Jcoord=Jcoord)
c3c2x2t = oEC.addEFp2(ECG, c3t, c2x2t, Jcoord)
ope = oEC.toEFp2(ECG, c3c2x2t, Jcoord)
# ope = c3-(self.x2*c2)
return ope
def decrypt(self,c):
assert isinstance(c,PPATCCiphertext)
#notations
Jcoord = self.PPATCpp.Jcoord
ECG = self.PPATCpp.g.ECG
d2 = c.d.d2
d2t = oEC.toTupleEFp2(d2,Jcoord)
c1 = c.c1
c1t = oEC.toTupleEFp2(c1,Jcoord)
c1x1t = oEC.mulECP(ECG,c1t,-self.x1,sq= True, Jcoord = Jcoord)
d2c1x1t = oEC.addEFp2(ECG,d2t,c1x1t,Jcoord)
dec = oEC.toEFp2(ECG,d2c1x1t,Jcoord)
# dec = d2 - (self.x1*c1)
return dec
def test_MulEFp2_opt(self):
_ = oEC.mulECP(EFp2, oEC.toTupleEFp2(Q), r, sq=True)
t = time.time() - self.startTime
print "%s: %.4f" % ("EFp2 point multiplication -- optimized", t)
