charm-crypto-framework 0.61.1__cp313-cp313-macosx_10_13_universal2.whl

charm/zkp_compiler/schnorr_proof.py

@@ -0,0 +1,273 @@
+"""
+Schnorr's Zero-Knowledge Proof implementation without exec().
+
+This module provides a direct implementation of Schnorr's ZKP protocol
+for proving knowledge of discrete logarithm.
+"""
+
+from typing import Any
+
+from charm.toolbox.pairinggroup import PairingGroup, ZR, G1
+from charm.core.engine.util import objectToBytes, bytesToObject
+import logging
+
+logger = logging.getLogger(__name__)
+
+
+class Proof:
+    """Simple container for ZKP proof data."""
+
+    def __init__(self, commitment: Any, challenge: Any, response: Any, proof_type: str = 'schnorr') -> None:
+        """
+        Initialize a proof.
+
+        Args:
+            commitment: The prover's commitment (u = g^r)
+            challenge: The challenge value (c)
+            response: The response value (z = r + c*x)
+            proof_type: Type identifier for the proof
+        """
+        self.commitment = commitment
+        self.challenge = challenge
+        self.response = response
+        self.proof_type = proof_type
+
+
+class SchnorrProof:
+    """
+    Schnorr's Zero-Knowledge Proof of Knowledge of Discrete Logarithm.
+
+    Proves knowledge of x such that h = g^x without revealing x.
+
+    Supports both interactive and non-interactive (Fiat-Shamir) modes.
+    """
+
+    class Prover:
+        """Prover for Schnorr protocol."""
+
+        def __init__(self, secret_x, group):
+            """
+            Initialize prover with secret x.
+
+            Args:
+                secret_x: The secret discrete log value
+                group: The pairing group object
+            """
+            self._r = None  # Random commitment value (private)
+            self.group = group
+            self._x = secret_x  # Secret (private)
+
+        def create_commitment(self, g):
+            """
+            Create prover's commitment: u = g^r.
+
+            Args:
+                g: The generator element
+
+            Returns:
+                The commitment u = g^r
+            """
+            self._r = self.group.random(ZR)
+            u = g ** self._r
+            logger.debug("Prover created commitment")
+            return u
+
+        def create_response(self, challenge):
+            """
+            Create response to verifier's challenge: z = r + c*x.
+
+            Args:
+                challenge: The challenge value c from verifier
+
+            Returns:
+                The response z = r + c*x
+            """
+            if self._r is None:
+                raise ValueError("Must call create_commitment before create_response")
+            z = self._r + challenge * self._x
+            logger.debug("Prover created response")
+            return z
+
+    class Verifier:
+        """Verifier for Schnorr protocol."""
+
+        def __init__(self, group):
+            """
+            Initialize verifier.
+
+            Args:
+                group: The pairing group object
+            """
+            self.group = group
+            self._c = None  # Challenge (stored for verification)
+
+        def create_challenge(self):
+            """
+            Create random challenge c.
+
+            Returns:
+                Random challenge c in ZR
+            """
+            self._c = self.group.random(ZR)
+            logger.debug("Verifier created challenge")
+            return self._c
+
+        def verify(self, g, h, commitment, response):
+            """
+            Verify proof: g^z == u * h^c.
+
+            Args:
+                g: The generator element
+                h: The public value h = g^x
+                commitment: The prover's commitment u
+                response: The prover's response z
+
+            Returns:
+                True if proof is valid, False otherwise
+            """
+            if self._c is None:
+                raise ValueError("Must call create_challenge before verify")
+            lhs = g ** response
+            rhs = commitment * (h ** self._c)
+            result = lhs == rhs
+            logger.debug("Verification result: %s", result)
+            return result
+
+    @classmethod
+    def _compute_challenge_hash(cls, group, g, h, commitment):
+        """
+        Compute Fiat-Shamir challenge as hash of public values.
+
+        Args:
+            group: The pairing group
+            g: Generator
+            h: Public value h = g^x
+            commitment: The commitment u = g^r
+
+        Returns:
+            Challenge c as element of ZR
+        """
+        # Serialize elements and concatenate for hashing
+        data = objectToBytes(g, group) + objectToBytes(h, group) + objectToBytes(commitment, group)
+        return group.hash(data, ZR)
+
+    @classmethod
+    def prove_non_interactive(cls, group: PairingGroup, g: Any, h: Any, x: Any) -> Proof:
+        """
+        Generate non-interactive proof using Fiat-Shamir heuristic.
+
+        Args:
+            group: The pairing group
+            g: The generator element
+            h: The public value h = g^x
+            x: The secret discrete log
+
+        Returns:
+            Proof object containing commitment, challenge, and response
+        """
+        # 1. Generate random r
+        r = group.random(ZR)
+
+        # 2. Compute commitment u = g^r
+        commitment = g ** r
+
+        # 3. Compute challenge c = hash(g, h, u)
+        challenge = cls._compute_challenge_hash(group, g, h, commitment)
+
+        # 4. Compute response z = r + c*x
+        response = r + challenge * x
+
+        logger.debug("Generated non-interactive proof")
+        return Proof(commitment=commitment, challenge=challenge, response=response, proof_type='schnorr')
+
+    @classmethod
+    def verify_non_interactive(cls, group: PairingGroup, g: Any, h: Any, proof: Proof) -> bool:
+        """
+        Verify non-interactive proof.
+
+        Args:
+            group: The pairing group
+            g: The generator element
+            h: The public value h = g^x
+            proof: Proof object containing commitment, challenge, and response
+
+        Returns:
+            True if proof is valid, False otherwise
+
+        Security Notes:
+            - Validates proof structure before verification
+            - Checks for identity element attacks
+            - Recomputes Fiat-Shamir challenge for consistency
+        """
+        # Security: Validate proof structure
+        required_attrs = ['commitment', 'challenge', 'response']
+        for attr in required_attrs:
+            if not hasattr(proof, attr):
+                logger.warning("Invalid Schnorr proof structure: missing '%s'. Ensure proof was created with SchnorrProof.prove_non_interactive()", attr)
+                return False
+
+        # Security: Check for identity element (potential attack vector)
+        # The identity element would make the verification equation trivially true
+        try:
+            identity = group.init(G1, 1)
+            if proof.commitment == identity:
+                logger.warning("Security: Schnorr proof commitment is identity element (possible attack). Proof rejected.")
+                return False
+        except Exception:
+            pass  # Some groups may not support identity check
+
+        # Recompute challenge c = hash(g, h, commitment)
+        expected_challenge = cls._compute_challenge_hash(group, g, h, proof.commitment)
+
+        # Verify challenge matches
+        if expected_challenge != proof.challenge:
+            logger.debug("Challenge mismatch in non-interactive verification")
+            return False
+
+        # Check g^z == commitment * h^c
+        lhs = g ** proof.response
+        rhs = proof.commitment * (h ** proof.challenge)
+        result = lhs == rhs
+        logger.debug("Non-interactive verification result: %s", result)
+        return result
+
+    @classmethod
+    def serialize_proof(cls, proof: Proof, group: PairingGroup) -> bytes:
+        """
+        Serialize proof to bytes using Charm utilities.
+
+        Args:
+            proof: Proof object to serialize
+            group: The pairing group
+
+        Returns:
+            Bytes representation of the proof
+        """
+        proof_dict = {
+            'commitment': proof.commitment,
+            'challenge': proof.challenge,
+            'response': proof.response,
+            'proof_type': proof.proof_type
+        }
+        return objectToBytes(proof_dict, group)
+
+    @classmethod
+    def deserialize_proof(cls, data: bytes, group: PairingGroup) -> Proof:
+        """
+        Deserialize bytes to proof.
+
+        Args:
+            data: Bytes to deserialize
+            group: The pairing group
+
+        Returns:
+            Proof object
+        """
+        proof_dict = bytesToObject(data, group)
+        return Proof(
+            commitment=proof_dict['commitment'],
+            challenge=proof_dict['challenge'],
+            response=proof_dict['response'],
+            proof_type=proof_dict.get('proof_type', 'schnorr')
+        )
+

charm/zkp_compiler/thread_safe.py

@@ -0,0 +1,150 @@
+"""
+Thread-safe wrappers for ZKP proof classes.
+
+This module provides thread-safe versions of the ZKP proof classes for use
+in multi-threaded applications. The non-interactive proof methods are already
+thread-safe (they use only local variables), but the interactive Prover and
+Verifier classes maintain state that requires synchronization.
+
+Thread Safety Analysis:
+=======================
+
+1. Non-Interactive Methods (ALREADY THREAD-SAFE):
+   - SchnorrProof.prove_non_interactive()
+   - SchnorrProof.verify_non_interactive()
+   - DLEQProof.prove_non_interactive()
+   - DLEQProof.verify_non_interactive()
+   - RepresentationProof.prove_non_interactive()
+   - RepresentationProof.verify_non_interactive()
+   
+   These methods use only local variables and class methods, so they are
+   inherently thread-safe. Multiple threads can call them concurrently.
+
+2. Interactive Classes (REQUIRE SYNCHRONIZATION):
+   - SchnorrProof.Prover / SchnorrProof.Verifier
+   - DLEQProof.Prover / DLEQProof.Verifier
+   - RepresentationProof.Prover / RepresentationProof.Verifier
+   
+   These classes maintain internal state (_r, _c, etc.) that must not be
+   accessed concurrently. Each thread should create its own Prover/Verifier
+   instance, OR use the thread-safe wrappers provided here.
+
+Usage:
+    # For non-interactive proofs, just use the regular classes:
+    proof = SchnorrProof.prove_non_interactive(group, g, h, x)  # Thread-safe
+    
+    # For interactive proofs in multi-threaded code, use thread-safe wrappers:
+    prover = ThreadSafeProver(SchnorrProof.Prover(x, group))
+    with prover:
+        commitment = prover.create_commitment(g)
+        response = prover.create_response(challenge)
+"""
+
+import threading
+from contextlib import contextmanager
+from functools import wraps
+
+
+class ThreadSafeProver:
+    """
+    Thread-safe wrapper for interactive Prover classes.
+    
+    Wraps a Prover instance with a lock to ensure thread-safe access.
+    Use as a context manager for automatic lock management.
+    
+    Example:
+        prover = ThreadSafeProver(SchnorrProof.Prover(x, group))
+        with prover:
+            commitment = prover.create_commitment(g)
+            response = prover.create_response(challenge)
+    """
+    
+    def __init__(self, prover):
+        """
+        Initialize thread-safe prover wrapper.
+        
+        Args:
+            prover: The underlying Prover instance to wrap
+        """
+        self._prover = prover
+        self._lock = threading.RLock()
+    
+    def __enter__(self):
+        """Acquire lock when entering context."""
+        self._lock.acquire()
+        return self
+    
+    def __exit__(self, exc_type, exc_val, exc_tb):
+        """Release lock when exiting context."""
+        self._lock.release()
+        return False
+    
+    def create_commitment(self, *args, **kwargs):
+        """Thread-safe commitment creation."""
+        with self._lock:
+            return self._prover.create_commitment(*args, **kwargs)
+    
+    def create_response(self, *args, **kwargs):
+        """Thread-safe response creation."""
+        with self._lock:
+            return self._prover.create_response(*args, **kwargs)
+
+
+class ThreadSafeVerifier:
+    """
+    Thread-safe wrapper for interactive Verifier classes.
+    
+    Wraps a Verifier instance with a lock to ensure thread-safe access.
+    Use as a context manager for automatic lock management.
+    
+    Example:
+        verifier = ThreadSafeVerifier(SchnorrProof.Verifier(group))
+        with verifier:
+            challenge = verifier.create_challenge()
+            result = verifier.verify(g, h, commitment, response)
+    """
+    
+    def __init__(self, verifier):
+        """
+        Initialize thread-safe verifier wrapper.
+        
+        Args:
+            verifier: The underlying Verifier instance to wrap
+        """
+        self._verifier = verifier
+        self._lock = threading.RLock()
+    
+    def __enter__(self):
+        """Acquire lock when entering context."""
+        self._lock.acquire()
+        return self
+    
+    def __exit__(self, exc_type, exc_val, exc_tb):
+        """Release lock when exiting context."""
+        self._lock.release()
+        return False
+    
+    def create_challenge(self, *args, **kwargs):
+        """Thread-safe challenge creation."""
+        with self._lock:
+            return self._verifier.create_challenge(*args, **kwargs)
+    
+    def verify(self, *args, **kwargs):
+        """Thread-safe verification."""
+        with self._lock:
+            return self._verifier.verify(*args, **kwargs)
+
+
+def thread_safe_proof(func):
+    """
+    Decorator to make a proof function thread-safe.
+    
+    This is mainly for documentation purposes since the non-interactive
+    proof methods are already thread-safe by design.
+    """
+    @wraps(func)
+    def wrapper(*args, **kwargs):
+        return func(*args, **kwargs)
+    wrapper._thread_safe = True
+    return wrapper
+