def aos_ring_signature(M, decoy_group, PK_hex, sk_hex, index_pi=-1):
M_encoded = M.encode()
index_pi = random.randint(0,
len(decoy_group)) if index_pi == -1 else index_pi
PK_pi = PK_hex
decoy_group.insert(index_pi, PK_pi)
e = [0] * len(decoy_group)
s = [0] * len(decoy_group)
u_hex = rand(0)
uG_hex = scalarmult_base(u_hex)
index_start = (index_pi + 1) % len(decoy_group)
e[index_start] = H(M_encoded + uG_hex)
s[index_start] = rand(0)
for cnt in range(1, len(decoy_group)):
i = (index_start + cnt) % len(decoy_group)
prev_i = (i - 1) % len(decoy_group)
s[i] = rand(0) if i != index_pi else 0
temp = pt_add_hex(scalarmult_base(s[prev_i]),
scalarmult(decoy_group[prev_i], e[prev_i]))
e[i] = H(M_encoded + temp)
u_int = ed25519.decodeint(binascii.unhexlify(u_hex))
e_int = ed25519.decodeint(binascii.unhexlify(e[index_pi]))
sk_int = ed25519.decodeint(binascii.unhexlify(sk_hex))
s[index_pi] = binascii.hexlify(
ed25519.encodeint((u_int - e_int * sk_int) % ed25519.l))
return e[0], s, decoy_group
def multiply_int(a_hex, b_hex):
a_int = ed25519.decodeint(binascii.unhexlify(a_hex))
b_int = ed25519.decodeint(binascii.unhexlify(b_hex))
mult_int = (a_int * b_int) % ed25519.l
mult_hex = binascii.hexlify(ed25519.encodeint(mult_int))
return mult_hex
def schnorr_signature(M, sk_hex):
alpha_hex = rand()
Q_hex = scalarmult_base(alpha_hex)
e_hex = H(M.encode() + Q_hex)
alpha_int = ed25519.decodeint(binascii.unhexlify(alpha_hex))
e_int = ed25519.decodeint(binascii.unhexlify(e_hex))
sk_int = ed25519.decodeint(binascii.unhexlify(sk_hex))
s_int = (alpha_int - e_int * sk_int) % ed25519.l
s_hex = binascii.hexlify(ed25519.encodeint(s_int))
return e_hex, s_hex
def test_curve1():
sk = b'd17f7ee37fc904cd04692a0db2a8aa003008de6865d7b0ed7c1515b9892cca03'
PK = scalarmult_base(sk)
# sk, PK = gen_keypair()
alpha_hex = rand()
print(sk)
print(PK)
print(alpha_hex)
print('------ ------ ------')
alpha_int_1 = ed25519.decodeint(binascii.unhexlify(alpha_hex))
# alpha_int_2 = ed25519.decodeint(alpha_hex)
# alpha_int_3 = int.from_hexs(alpha_hex,byteorder='big')
# print('{',alpha_int_1)
# print('{',alpha_int_2)
# print('{',alpha_int_3)
# print(':',binascii.hexlify(ed25519.encodeint(alpha_int_1)))
sk_int_1 = ed25519.decodeint(binascii.unhexlify(sk))
alphaPK_hex = scalarmult(PK, alpha_hex)
print('1: ', alphaPK_hex)
PK_pt = ed25519.decodepoint(binascii.unhexlify(PK))
alphaPK_pt = ed25519.decodepoint(binascii.unhexlify(alphaPK_hex))
print(ed25519.isoncurve(PK_pt))
print(ed25519.isoncurve(alphaPK_pt))
print('------ ------ ------')
# (alpha * sk) mod l
sk_x_alpha_int = (alpha_int_1 * sk_int_1) % ed25519.l
print(sk_x_alpha_int)
sk_x_alpha_hex = binascii.hexlify(ed25519.encodeint(sk_x_alpha_int))
print(sk_x_alpha_hex)
print(ed25519.decodeint(binascii.unhexlify(sk_x_alpha_hex)))
sk_x_alpha_x_G_hex = scalarmult_base(sk_x_alpha_hex)
print('2: ', sk_x_alpha_x_G_hex)
sk_x_alpha_x_G_pt = ed25519.decodepoint(
binascii.unhexlify(sk_x_alpha_x_G_hex))
print(ed25519.isoncurve(sk_x_alpha_x_G_pt))
print('------ ------ ------')
print(alphaPK_pt == sk_x_alpha_x_G_pt)
def test_encode_decode():
for i in range(0, 10):
x = random.randint(-ed25519.q, ed25519.q) % ed25519.l
x_encoded = ed25519.encodeint(x)
x_hexlified = binascii.hexlify(x_encoded)
x_decoded = ed25519.decodeint(x_encoded)
if x != x_decoded:
print('---NOT MATCH--- x=', x)
print(x_encoded)
print(x_hexlified)
print(x_decoded)
if i % 7 == 0:
print(x_encoded)
print(x_hexlified)
print(str(x).encode())
print(x_decoded)
def scalarmult(P_hex, k_hex):
a = ed25519.decodeint(binascii.unhexlify(k_hex))
P = ed25519.decodepoint(binascii.unhexlify(P_hex))
A = ed25519.scalarmult(P, a)
return binascii.hexlify(ed25519.encodepoint(A))
def borromean_ring_signature(M, PK_matrix, PK_vector, sk_vector, index_pi=-1):
M_encoded = M.encode()
index_pi = [0] * len(PK_matrix)
u_hex = [0] * len(PK_matrix)
uG_hex = [0] * len(PK_matrix)
R = [0] * len(PK_matrix)
e = [None] * len(PK_matrix)
s = [None] * len(PK_matrix)
# temp_s = [None]*len(PK_matrix)
for row in range(0, len(PK_matrix)):
# set index_pi
index_pi[row] = random.randint(0, len(
PK_matrix[row])) if index_pi == -1 else index_pi[row]
# insert pk
PK_matrix[row].insert(index_pi[row], PK_vector[row])
e_row = [0] * (len(PK_matrix[row]))
s_row = [0] * (len(PK_matrix[row]))
# temp_s_row = ['None']*(len(PK_matrix[row]))
# for connecting point
u_hex[row] = rand(0)
uG_hex[row] = scalarmult_base(u_hex[row])
index_start = (index_pi[row] + 1) % len(PK_matrix[row])
### case B1: [0,...,0,pi,st]
if index_start == len(PK_matrix[row]) - 1:
e_row[index_start] = H(M_encoded + uG_hex[row])
s_row[index_start] = rand(0)
R[row] = pt_add_hex(
scalarmult_base(s_row[index_start]),
scalarmult(PK_matrix[row][index_start], e_row[index_start]))
### case B2: [0,...,pi,st,...,0]
elif index_start > 0:
e_row[index_start] = H(M_encoded + uG_hex[row])
s_row[index_start] = rand(0)
for i in range(index_start + 1, len(PK_matrix[row])):
temp = pt_add_hex(
scalarmult_base(s_row[i - 1]),
scalarmult(PK_matrix[row][i - 1], e_row[i - 1]))
e_row[i] = H(M_encoded + temp)
s_row[i] = rand(0)
if i == len(PK_matrix[row]) - 1:
R[row] = pt_add_hex(
scalarmult_base(s_row[i]),
scalarmult(PK_matrix[row][i], e_row[i]))
### case B3: [st,0,0,...,0,pi]
else:
R[row] = uG_hex[row]
e[row] = e_row
s[row] = s_row
R_sum = b''
for i in range(0, len(R)):
R_sum += R[i]
# set common e0
e0 = H(M_encoded + R_sum)
for row in range(0, len(PK_matrix)):
e[row][0] = e0
s[row][0] = rand(0)
### case C1: [pi,st,0,...]
if index_pi[row] == 0:
u_int = ed25519.decodeint(binascii.unhexlify(u_hex[row]))
e_int = ed25519.decodeint(binascii.unhexlify(e0))
sk_int = ed25519.decodeint(binascii.unhexlify(sk_vector[row]))
s[row][0] = binascii.hexlify(
ed25519.encodeint((u_int - e_int * sk_int) % ed25519.l))
### case C2: [0,pi,st,0,...] or [st,0,0,...,0,pi]
else:
# i up to pi (inclusive)
for i in range(1, index_pi[row] + 1):
prev_i = i - 1
s[row][i] = rand(0)
temp = pt_add_hex(
scalarmult_base(s[row][prev_i]),
scalarmult(PK_matrix[row][prev_i], e[row][prev_i]))
e[row][i] = H(M_encoded + temp)
u_int = ed25519.decodeint(binascii.unhexlify(u_hex[row]))
e_int = ed25519.decodeint(binascii.unhexlify(
e[row][index_pi[row]]))
sk_int = ed25519.decodeint(binascii.unhexlify(sk_vector[row]))
s[row][index_pi[row]] = binascii.hexlify(
ed25519.encodeint((u_int - e_int * sk_int) % ed25519.l))
return e0, s, PK_matrix
def scalarmult_base(k_hex):
a = ed25519.decodeint(binascii.unhexlify(k_hex))
A = ed25519.scalarmult(ed25519.B, a)
return binascii.hexlify(ed25519.encodepoint(A))
