charm-crypto-framework 0.61.1__cp313-cp313-macosx_10_13_universal2.whl

charm/schemes/abenc/abenc_dacmacs_yj14.py

@@ -0,0 +1,298 @@
+'''
+**DAC-MACS: Data Access Control for Multi-Authority Cloud Storage (YJ14)**
+
+*Authors:* Kan Yang, Xiaohua Jia
+
+| **Title:** "DAC-MACS: Effective Data Access Control for Multi-Authority Cloud Storage Systems"
+| **Published in:** Security for Cloud Storage Systems - SpringerBriefs in Computer Science, 2014
+| **Available from:** http://link.springer.com/chapter/10.1007/978-1-4614-7873-7_4
+| **Notes:** Multi-authority scheme with efficient attribute revocation
+
+.. rubric:: Scheme Properties
+
+* **Type:** ciphertext-policy attribute-based encryption (public key)
+* **Setting:** Pairing groups
+* **Assumption:** Decisional Bilinear Diffie-Hellman
+
+.. rubric:: Implementation
+
+:Authors: artjomb
+:Date: 07/2014
+'''
+
+from charm.toolbox.pairinggroup import PairingGroup,ZR,G1,GT,pair
+from charm.toolbox.secretutil import SecretUtil
+from charm.toolbox.ABEncMultiAuth import ABEncMultiAuth
+
+class DACMACS(object):
+    def __init__(self, groupObj):
+        self.util = SecretUtil(groupObj, verbose=False)  #Create Secret Sharing Scheme
+        self.group = groupObj    #:Prime order group
+    
+    def setup(self):
+        '''Global Setup (executed by CA)'''
+        #:In global setup, a bilinear group G of prime order p is chosen
+        #:The global public parameters, GP and p, and a generator g of G. A random oracle H maps global identities GID to elements of G
+    
+        #:group contains 
+        #:the prime order p is contained somewhere within the group object
+        g = self.group.random(G1)
+        #: The oracle that maps global identities GID onto elements of G
+        #:H = lambda str: g** group.hash(str)
+        H = lambda x: self.group.hash(x, G1)
+        a = self.group.random()
+        g_a = g ** a
+        GPP = {'g': g, 'g_a': g_a, 'H': H}
+        GMK = {'a': a}
+        
+        return (GPP, GMK)
+    
+    def registerUser(self, GPP):
+        '''Generate user keys (executed by the user).'''
+        g = GPP['g']
+        u = self.group.random()
+        z = self.group.random()
+        g_u = g ** u
+        g_z = g ** (1 / z)
+        
+        return ((g_u, z), { 'g_z': g_z, 'u': u }) # (private, public)
+    
+    def setupAuthority(self, GPP, authorityid, attributes, authorities):
+        '''Generate attribute authority keys (executed by attribute authority)'''
+        if authorityid not in authorities:
+            alpha = self.group.random()
+            beta = self.group.random()
+            gamma = self.group.random()
+            SK = {'alpha': alpha, 'beta': beta, 'gamma': gamma}
+            PK = {
+                'e_alpha': pair(GPP['g'], GPP['g']) ** alpha,
+                'g_beta_inv': GPP['g'] ** (1/beta),
+                'g_beta_gamma': GPP['g'] ** (gamma/beta)
+            }
+            authAttrs = {}
+            authorities[authorityid] = (SK, PK, authAttrs)
+        else:
+            SK, PK, authAttrs = authorities[authorityid]
+        for attrib in attributes:
+            if attrib in authAttrs:
+                continue
+            versionKey = self.group.random() # random or really 'choose' ?
+            h = GPP['H'](attrib)
+            pk = ((GPP['g'] ** versionKey) * h) ** SK['gamma']
+            authAttrs[attrib] = {
+                'VK': versionKey, #secret
+                'PK': pk, #public
+            }
+        return (SK, PK, authAttrs)
+     
+    def keygen(self, GPP, authority, attribute, userObj, USK = None):
+        '''Generate user keys for a specific attribute (executed on attribute authority)'''
+        if 't' not in userObj:
+            userObj['t'] = self.group.random() #private to AA
+        t = userObj['t']
+        
+        ASK, APK, authAttrs = authority
+        u = userObj
+        if USK is None:
+            USK = {}
+        if 'K' not in USK or 'L' not in USK or 'R' not in USK or 'AK' not in USK:
+            USK['K'] = \
+                (u['g_z'] ** ASK['alpha']) * \
+                (GPP['g_a'] ** u['u']) * \
+                (GPP['g_a'] ** (t / ASK['beta']))
+            USK['L'] = u['g_z'] ** (ASK['beta'] * t)
+            USK['R'] = GPP['g_a'] ** t
+            USK['AK'] = {}
+        AK = (u['g_z'] ** (ASK['beta'] * ASK['gamma'] * t)) * \
+            (authAttrs[attribute]['PK'] ** (ASK['beta'] * u['u']))
+        USK['AK'][attribute] = AK
+        return USK
+    
+    def encrypt(self, GPP, policy_str, k, authority):
+        '''Generate the cipher-text from the content(-key) and a policy (executed by the content owner)'''
+        #GPP are global parameters
+        #k is the content key (group element based on AES key)
+        #policy_str is the policy string
+        #authority is the authority tuple
+        
+        _, APK, authAttrs = authority
+        
+        policy = self.util.createPolicy(policy_str)
+        secret = self.group.random()
+        shares = self.util.calculateSharesList(secret, policy)
+        shares = dict([(x[0].getAttributeAndIndex(), x[1]) for x in shares])
+        
+        C1 = k * (APK['e_alpha'] ** secret)
+        C2 = GPP['g'] ** secret
+        C3 = APK['g_beta_inv'] ** secret
+        C = {}
+        D = {}
+        DS = {}
+        
+        for attr, s_share in shares.items():
+            k_attr = self.util.strip_index(attr)
+            r_i = self.group.random()
+            attrPK = authAttrs[attr]
+            C[attr] = (GPP['g_a'] ** s_share) * ~(attrPK['PK'] ** r_i)
+            D[attr] = APK['g_beta_inv'] ** r_i
+            DS[attr] = ~(APK['g_beta_gamma'] ** r_i)
+        
+        return {'C1': C1, 'C2': C2, 'C3': C3, 'C': C, 'D': D, 'DS': DS, 'policy': policy_str}
+    
+    def generateTK(self, GPP, CT, UASK, g_u):
+        '''Generates a token using the user's attribute secret keys to offload the decryption process (executed by cloud provider)'''
+        usr_attribs = list(UASK['AK'].keys())
+        policy = self.util.createPolicy(CT['policy'])
+        pruned = self.util.prune(policy, usr_attribs)
+        if pruned == False:
+            return False
+        coeffs = self.util.getCoefficients(policy)
+        
+        dividend = pair(CT['C2'], UASK['K']) * ~pair(UASK['R'], CT['C3'])
+        n_a = 1
+        divisor = 1
+        
+        for attr in pruned:
+            x = attr.getAttributeAndIndex()
+            y = attr.getAttribute()
+            temp = \
+                pair(CT['C'][y], g_u) * \
+                pair(CT['D'][y], UASK['AK'][y]) * \
+                pair(CT['DS'][y], UASK['L'])
+            divisor *= temp ** (coeffs[x] * n_a)
+        return dividend / divisor
+    
+    def decrypt(self, CT, TK, z):
+        '''Decrypts the content(-key) from the cipher-text using the token and the user secret key (executed by user/content consumer)'''
+        return CT['C1'] / (TK ** z)
+    
+    def ukeygen(self, GPP, authority, attribute, userObj):
+        '''Generate update keys for users and cloud provider (executed by attribute authority?)'''
+        ASK, _, authAttrs = authority
+        oldVersionKey = authAttrs[attribute]['VK']
+        newVersionKey = oldVersionKey
+        while oldVersionKey == newVersionKey:
+            newVersionKey = self.group.random()
+        authAttrs[attribute]['VK'] = newVersionKey
+        
+        u = userObj['u']
+        
+        AUK = ASK['gamma'] * (newVersionKey - oldVersionKey)
+        KUK = GPP['g'] ** (u * ASK['beta'] * AUK)
+        CUK = ASK['beta'] * AUK / ASK['gamma']
+        
+        authAttrs[attribute]['PK'] = authAttrs[attribute]['PK'] * (GPP['g'] ** AUK)
+        
+        return { 'KUK': KUK, 'CUK': CUK }
+    
+    def skupdate(self, USK, attribute, KUK):
+        '''Updates the user attribute secret key for the specified attribute (executed by non-revoked user)'''
+        USK['AK'][attribute] = USK['AK'][attribute] * KUK
+    
+    def ctupdate(self, GPP, CT, attribute, CUK):
+        '''Updates the cipher-text using the update key, because of the revoked attribute (executed by cloud provider)'''
+        CT['C'][attribute] = CT['C'][attribute] * (CT['DS'][attribute] ** CUK)
+
+def basicTest():
+    print("RUN basicTest")
+    groupObj = PairingGroup('SS512')
+    dac = DACMACS(groupObj)
+    GPP, GMK = dac.setup()
+        
+    users = {} # public user data
+    authorities = {}
+    
+    authorityAttributes = ["ONE", "TWO", "THREE", "FOUR"]
+    authority1 = "authority1"
+    
+    dac.setupAuthority(GPP, authority1, authorityAttributes, authorities)
+    
+    alice = { 'id': 'alice', 'authoritySecretKeys': {}, 'keys': None }
+    alice['keys'], users[alice['id']] = dac.registerUser(GPP)
+    
+    for attr in authorityAttributes[0:-1]:
+        dac.keygen(GPP, authorities[authority1], attr, users[alice['id']], alice['authoritySecretKeys'])
+    
+    k = groupObj.random(GT)
+    
+    policy_str = '((ONE or THREE) and (TWO or FOUR))'
+    
+    CT = dac.encrypt(GPP, policy_str, k, authorities[authority1])
+    
+    TK = dac.generateTK(GPP, CT, alice['authoritySecretKeys'], alice['keys'][0])
+    
+    PT = dac.decrypt(CT, TK, alice['keys'][1])
+    
+    # print "k", k
+    # print "PT", PT
+    
+    assert k == PT, 'FAILED DECRYPTION!'
+    print('SUCCESSFUL DECRYPTION')
+
+def revokedTest():
+    print("RUN revokedTest")
+    groupObj = PairingGroup('SS512')
+    dac = DACMACS(groupObj)
+    GPP, GMK = dac.setup()
+    
+    users = {} # public user data
+    authorities = {}
+    
+    authorityAttributes = ["ONE", "TWO", "THREE", "FOUR"]
+    authority1 = "authority1"
+    
+    dac.setupAuthority(GPP, authority1, authorityAttributes, authorities)
+    
+    alice = { 'id': 'alice', 'authoritySecretKeys': {}, 'keys': None }
+    alice['keys'], users[alice['id']] = dac.registerUser(GPP)
+    
+    bob = { 'id': 'bob', 'authoritySecretKeys': {}, 'keys': None }
+    bob['keys'], users[bob['id']] = dac.registerUser(GPP)
+    
+    for attr in authorityAttributes[0:-1]:
+        dac.keygen(GPP, authorities[authority1], attr, users[alice['id']], alice['authoritySecretKeys'])
+        dac.keygen(GPP, authorities[authority1], attr, users[bob['id']], bob['authoritySecretKeys'])
+    
+    k = groupObj.random(GT)
+    
+    policy_str = '((ONE or THREE) and (TWO or FOUR))'
+    
+    CT = dac.encrypt(GPP, policy_str, k, authorities[authority1])
+    
+    TK1a = dac.generateTK(GPP, CT, alice['authoritySecretKeys'], alice['keys'][0])
+    PT1a = dac.decrypt(CT, TK1a, alice['keys'][1])
+    TK1b = dac.generateTK(GPP, CT, bob['authoritySecretKeys'], bob['keys'][0])
+    PT1b = dac.decrypt(CT, TK1b, bob['keys'][1])
+    
+    assert k == PT1a, 'FAILED DECRYPTION (1a)!'
+    assert k == PT1b, 'FAILED DECRYPTION (1b)!'
+    print('SUCCESSFUL DECRYPTION 1')
+    
+    # revoke bob on "ONE"
+    attribute = "ONE"
+    UK = dac.ukeygen(GPP, authorities[authority1], attribute, users[alice['id']])
+    dac.skupdate(alice['authoritySecretKeys'], attribute, UK['KUK'])
+    dac.ctupdate(GPP, CT, attribute, UK['CUK'])
+    
+    TK2a = dac.generateTK(GPP, CT, alice['authoritySecretKeys'], alice['keys'][0])
+    PT2a = dac.decrypt(CT, TK2a, alice['keys'][1])
+    TK2b = dac.generateTK(GPP, CT, bob['authoritySecretKeys'], bob['keys'][0])
+    PT2b = dac.decrypt(CT, TK2b, bob['keys'][1])
+    
+    assert k == PT2a, 'FAILED DECRYPTION (2a)!'
+    assert k != PT2b, 'SUCCESSFUL DECRYPTION (2b)!'
+    print('SUCCESSFUL DECRYPTION 2')
+
+def test():
+    groupObj = PairingGroup('SS512')
+    # k = groupObj.random()
+    #print "k", k, ~k, k * ~k
+    # g = groupObj.random(G1)
+    # print "g", g, pair(g, g)
+    # gt = groupObj.random(GT)
+    # print "gt", gt
+
+if __name__ == '__main__':
+    basicTest()
+    revokedTest()
+    # test()

charm/schemes/abenc/abenc_lsw08.py

@@ -0,0 +1,159 @@
+'''
+**Key-Policy Attribute-Based Encryption (LSW08)**
+
+*Authors:* Allison Lewko, Amit Sahai, Brent Waters
+
+| **Title:** "Revocation Systems with Very Small Private Keys"
+| **Published in:** IEEE Symposium on Security and Privacy, 2010
+| **Available from:** http://eprint.iacr.org/2008/309.pdf
+| **Notes:** Large Universe Construction
+
+.. rubric:: Scheme Properties
+
+* **Type:** key-policy attribute-based encryption (public key)
+* **Setting:** Pairing groups
+* **Assumption:** Decisional Bilinear Diffie-Hellman
+
+.. rubric:: Implementation
+
+:Authors: J. Ayo Akinyele
+:Date: 12/2010
+'''
+
+from charm.toolbox.pairinggroup import PairingGroup,ZR,G1,G2,GT,pair
+from charm.toolbox.secretutil import SecretUtil
+from charm.toolbox.ABEnc import ABEnc
+
+debug = False
+class KPabe(ABEnc):
+    """
+    >>> from charm.toolbox.pairinggroup import PairingGroup,GT
+    >>> group = PairingGroup('MNT224')
+    >>> kpabe = KPabe(group)
+    >>> (master_public_key, master_key) = kpabe.setup()
+    >>> policy = '(ONE or THREE) and (THREE or TWO)'
+    >>> attributes = [ 'ONE', 'TWO', 'THREE', 'FOUR' ]
+    >>> secret_key = kpabe.keygen(master_public_key, master_key, policy)
+    >>> msg=group.random(GT)
+    >>> cipher_text = kpabe.encrypt(master_public_key, msg, attributes)
+    >>> decrypted_msg = kpabe.decrypt(cipher_text, secret_key)
+    >>> decrypted_msg == msg
+    True
+    """
+
+    def __init__(self, groupObj, verbose=False):
+        ABEnc.__init__(self)
+        global group, util
+        group = groupObj
+        util = SecretUtil(group, verbose)        
+
+    def setup(self):
+        # pick random exponents
+        alpha1, alpha2, b = group.random(ZR), group.random(ZR), group.random(ZR)
+        
+        alpha = alpha1 * alpha2
+        g_G1, g_G2 = group.random(G1), group.random(G2) # PK 1,2        
+        h_G1, h_G2 = group.random(G1), group.random(G2) # PK 3
+        g1b = g_G1 ** b        
+        e_gg_alpha = pair(g_G1,g_G2) ** alpha
+        
+        #public parameters # 'g_G2^b':(g_G2 ** b), 'g_G2^b2':g_G2 ** (b * b),
+        pk = { 'g_G1':g_G1, 'g_G2':g_G2, 'g_G1_b':g1b,
+              'g_G1_b2':g1b ** b, 'h_G1_b':h_G1 ** b, 'e(gg)_alpha':e_gg_alpha }
+        #secret parameters
+        mk = { 'alpha1':alpha1, 'alpha2':alpha2, 'b':b, 'h_G1':h_G1, 'h_G2':h_G2 }
+        return (pk, mk)
+    
+    def keygen(self, pk, mk, policy_str):
+        policy = util.createPolicy(policy_str)
+        attr_list = util.getAttributeList(policy)
+        
+        s = mk['alpha1']; secret = s
+        shares = util.calculateSharesDict(secret, policy)
+        
+        D = { 'policy': policy_str }
+        for x in attr_list:
+            y = util.strip_index(x)
+            d = []; r = group.random(ZR)
+            if not self.negatedAttr(x): # meaning positive
+                d.append((pk['g_G1'] ** (mk['alpha2'] * shares[x])) * (group.hash(y, G1) ** r))   # compute D1 for attribute x
+                d.append((pk['g_G2'] ** r))  # compute D2 for attribute x
+            #else:
+                #d.append((pk['g2_G1'] ** shares[x]) * (pk['g_G1_b2'] ** r)) # compute D3
+                #d.append((pk['g_G1_b'] ** (r * group.hash(x))) * (pk['h_G1'] ** r)) # compute D4
+                #d.append(pk['g_G1'] ** -r) # compute D5
+            D[x] = d
+        if debug: print("Access Policy for key: %s" % policy)
+        if debug: print("Attribute list: %s" % attr_list)
+        return D
+    
+    def negatedAttr(self, attribute):
+        if type(attribute) != str: attr = attribute.getAttribute()
+        else: attr = attribute
+        if attr[0] == '!':
+            if debug: print("Checking... => %s" % attr[0])
+            return True
+        return False    
+    
+    def encrypt(self, pk, M, attr_list):   
+        if debug: print('Encryption Algorithm...')    
+        # s will hold secret
+        t = group.init(ZR, 0)
+        s = group.random(); sx = [s]
+        for i in range(len(attr_list)):
+            sx.append(group.random(ZR))
+            sx[0] -= sx[i]
+            
+        E3 = {}
+        #E4, E5 = {}, {}
+        for i in range(len(attr_list)):
+            attr = attr_list[i]
+            E3[attr] = group.hash(attr, G1) ** s
+            #E4[attr] = pk['g_G1_b'] ** sx[i]
+            #E5[attr] = (pk['g_G1_b2'] ** (sx[i] * group.hash(attr))) * (pk['h_G1_b'] ** sx[i])
+        
+        E1 = (pk['e(gg)_alpha'] ** s) * M
+        E2 = pk['g_G2'] ** s
+        return {'E1':E1, 'E2':E2, 'E3':E3, 'attributes':attr_list }
+    
+    def decrypt(self, E, D):
+        policy = util.createPolicy(D['policy'])
+        attrs = util.prune(policy, E['attributes'])
+        if attrs == False:
+            return False              
+        coeff = util.getCoefficients(policy)
+        
+        Z = {}; prodT = 1
+        for i in range(len(attrs)):
+            x = attrs[i].getAttribute()
+            y = attrs[i].getAttributeAndIndex()
+            if not self.negatedAttr(y):
+                 Z[y] = pair(D[y][0], E['E2']) / pair(E['E3'][x], D[y][1])
+                 prodT *= Z[y] ** coeff[y] 
+       
+        return E['E1'] / prodT 
+
+def main():
+    groupObj = PairingGroup('MNT224')
+    kpabe = KPabe(groupObj)
+
+    (pk, mk) = kpabe.setup()
+
+    policy = '(ONE or THREE) and (THREE or TWO)'
+    attributes = [ 'ONE', 'TWO', 'THREE', 'FOUR' ]
+    msg = groupObj.random(GT)
+
+    mykey = kpabe.keygen(pk, mk, policy)
+
+    if debug: print("Encrypt under these attributes: ", attributes)
+    ciphertext = kpabe.encrypt(pk, msg, attributes)
+    if debug: print(ciphertext)
+
+    rec_msg = kpabe.decrypt(ciphertext, mykey)
+
+    assert msg == rec_msg
+    if debug: print("Successful Decryption!")
+
+if __name__ == "__main__":
+    debug = True
+    main()

charm/schemes/abenc/abenc_maabe_rw15.py

@@ -0,0 +1,236 @@
+'''
+**Multi-Authority Attribute-Based Encryption (RW15)**
+
+*Authors:* Yannis Rouselakis, Brent Waters
+
+| **Title:** "Efficient Statically-Secure Large-Universe Multi-Authority Attribute-Based Encryption"
+| **Published in:** Financial Cryptography and Data Security, 2015
+| **Available from:** http://eprint.iacr.org/2015/016.pdf
+| **Notes:** Implementation based on maabe_rw12.py (https://sites.google.com/site/yannisrouselakis/rwabe)
+
+.. rubric:: Scheme Properties
+
+* **Type:** multi-authority attribute-based encryption (public key)
+* **Setting:** Bilinear pairing group of prime order
+* **Assumption:** Complex q-type assumption
+
+.. rubric:: Implementation
+
+:Authors: Yannis Rouselakis
+:Date: 11/2012
+'''
+
+from charm.toolbox.pairinggroup import *
+from charm.toolbox.secretutil import SecretUtil
+from charm.toolbox.ABEncMultiAuth import ABEncMultiAuth
+import re
+
+debug = False
+
+
+def merge_dicts(*dict_args):
+    """
+    Given any number of dicts, shallow copy and merge into a new dict,
+    precedence goes to key value pairs in latter dicts.
+    """
+    result = {}
+    for dictionary in dict_args:
+        result.update(dictionary)
+    return result
+
+
+class MaabeRW15(ABEncMultiAuth):
+    """
+    Efficient Statically-Secure Large-Universe Multi-Authority Attribute-Based Encryption
+    Rouselakis - Waters
+
+    >>> group = PairingGroup('SS512')
+    >>> maabe = MaabeRW15(group)
+    >>> public_parameters = maabe.setup()
+
+        Setup the attribute authorities
+    >>> attributes1 = ['ONE', 'TWO']
+    >>> attributes2 = ['THREE', 'FOUR']
+    >>> (public_key1, secret_key1) = maabe.authsetup(public_parameters, 'UT')
+    >>> (public_key2, secret_key2) = maabe.authsetup(public_parameters, 'OU')
+    >>> public_keys = {'UT': public_key1, 'OU': public_key2}
+
+        Setup a user and give him some keys
+    >>> gid = "bob"
+    >>> user_attributes1 = ['STUDENT@UT', 'PHD@UT']
+    >>> user_attributes2 = ['STUDENT@OU']
+    >>> user_keys1 = maabe.multiple_attributes_keygen(public_parameters, secret_key1, gid, user_attributes1)
+    >>> user_keys2 = maabe.multiple_attributes_keygen(public_parameters, secret_key2, gid, user_attributes2)
+    >>> user_keys = {'GID': gid, 'keys': merge_dicts(user_keys1, user_keys2)}
+
+        Create a random message
+    >>> message = group.random(GT)
+
+        Encrypt the message
+    >>> access_policy = '(STUDENT@UT or PROFESSOR@OU) and (STUDENT@UT or MASTERS@OU)'
+    >>> cipher_text = maabe.encrypt(public_parameters, public_keys, message, access_policy)
+
+        Decrypt the message
+    >>> decrypted_message = maabe.decrypt(public_parameters, user_keys, cipher_text)
+    >>> decrypted_message == message
+    True
+    """
+
+    def __init__(self, group, verbose=False):
+        ABEncMultiAuth.__init__(self)
+        self.group = group
+        self.util = SecretUtil(group, verbose)
+
+    def setup(self):
+        g1 = self.group.random(G1)
+        g2 = self.group.random(G2)
+        egg = pair(g1, g2)
+        H = lambda x: self.group.hash(x, G2)
+        F = lambda x: self.group.hash(x, G2)
+        gp = {'g1': g1, 'g2': g2, 'egg': egg, 'H': H, 'F': F}
+        if debug:
+            print("Setup")
+            print(gp)
+        return gp
+
+    def unpack_attribute(self, attribute):
+        """
+        Unpacks an attribute in attribute name, authority name and index
+        :param attribute: The attribute to unpack
+        :return: The attribute name, authority name and the attribute index, if present.
+
+        >>> group = PairingGroup('SS512')
+        >>> maabe = MaabeRW15(group)
+        >>> maabe.unpack_attribute('STUDENT@UT')
+        ('STUDENT', 'UT', None)
+        >>> maabe.unpack_attribute('STUDENT@UT_2')
+        ('STUDENT', 'UT', '2')
+        """
+        parts = re.split(r"[@_]", attribute)
+        assert len(parts) > 1, "No @ char in [attribute@authority] name"
+        return parts[0], parts[1], None if len(parts) < 3 else parts[2]
+
+    def authsetup(self, gp, name):
+        """
+        Setup an attribute authority.
+        :param gp: The global parameters
+        :param name: The name of the authority
+        :return: The public and private key of the authority
+        """
+        alpha, y = self.group.random(), self.group.random()
+        egga = gp['egg'] ** alpha
+        gy = gp['g1'] ** y
+        pk = {'name': name, 'egga': egga, 'gy': gy}
+        sk = {'name': name, 'alpha': alpha, 'y': y}
+        if debug:
+            print("Authsetup: %s" % name)
+            print(pk)
+            print(sk)
+        return pk, sk
+
+    def keygen(self, gp, sk, gid, attribute):
+        """
+        Generate a user secret key for the attribute.
+        :param gp: The global parameters.
+        :param sk: The secret key of the attribute authority.
+        :param gid: The global user identifier.
+        :param attribute: The attribute.
+        :return: The secret key for the attribute for the user with identifier gid.
+        """
+        _, auth, _ = self.unpack_attribute(attribute)
+        assert sk['name'] == auth, "Attribute %s does not belong to authority %s" % (attribute, sk['name'])
+
+        t = self.group.random()
+        K = gp['g2'] ** sk['alpha'] * gp['H'](gid) ** sk['y'] * gp['F'](attribute) ** t
+        KP = gp['g1'] ** t
+        if debug:
+            print("Keygen")
+            print("User: %s, Attribute: %s" % (gid, attribute))
+            print({'K': K, 'KP': KP})
+        return {'K': K, 'KP': KP}
+
+    def multiple_attributes_keygen(self, gp, sk, gid, attributes):
+        """
+        Generate a dictionary of secret keys for a user for a list of attributes.
+        :param gp: The global parameters.
+        :param sk: The secret key of the attribute authority.
+        :param gid: The global user identifier.
+        :param attributes: The list of attributes.
+        :return: A dictionary with attribute names as keys, and secret keys for the attributes as values.
+        """
+        uk = {}
+        for attribute in attributes:
+            uk[attribute] = self.keygen(gp, sk, gid, attribute)
+        return uk
+
+    def encrypt(self, gp, pks, message, policy_str):
+        """
+        Encrypt a message under an access policy
+        :param gp: The global parameters.
+        :param pks: The public keys of the relevant attribute authorities, as dict from authority name to public key.
+        :param message: The message to encrypt.
+        :param policy_str: The access policy to use.
+        :return: The encrypted message.
+        """
+        s = self.group.random()  # secret to be shared
+        w = self.group.init(ZR, 0)  # 0 to be shared
+
+        policy = self.util.createPolicy(policy_str)
+        attribute_list = self.util.getAttributeList(policy)
+
+        secret_shares = self.util.calculateSharesDict(s, policy)  # These are correctly set to be exponents in Z_p
+        zero_shares = self.util.calculateSharesDict(w, policy)
+
+        C0 = message * (gp['egg'] ** s)
+        C1, C2, C3, C4 = {}, {}, {}, {}
+        for i in attribute_list:
+            attribute_name, auth, _ = self.unpack_attribute(i)
+            attr = "%s@%s" % (attribute_name, auth)
+            tx = self.group.random()
+            C1[i] = gp['egg'] ** secret_shares[i] * pks[auth]['egga'] ** tx
+            C2[i] = gp['g1'] ** (-tx)
+            C3[i] = pks[auth]['gy'] ** tx * gp['g1'] ** zero_shares[i]
+            C4[i] = gp['F'](attr) ** tx
+        if debug:
+            print("Encrypt")
+            print(message)
+            print({'policy': policy_str, 'C0': C0, 'C1': C1, 'C2': C2, 'C3': C3, 'C4': C4})
+        return {'policy': policy_str, 'C0': C0, 'C1': C1, 'C2': C2, 'C3': C3, 'C4': C4}
+
+    def decrypt(self, gp, sk, ct):
+        """
+        Decrypt the ciphertext using the secret keys of the user.
+        :param gp: The global parameters.
+        :param sk: The secret keys of the user.
+        :param ct: The ciphertext to decrypt.
+        :return: The decrypted message.
+        :raise Exception: When the access policy can not be satisfied with the user's attributes.
+        """
+        policy = self.util.createPolicy(ct['policy'])
+        coefficients = self.util.getCoefficients(policy)
+        pruned_list = self.util.prune(policy, sk['keys'].keys())
+
+        if not pruned_list:
+            raise Exception("You don't have the required attributes for decryption!")
+
+        B = self.group.init(GT, 1)
+        for i in range(len(pruned_list)):
+            x = pruned_list[i].getAttribute()  # without the underscore
+            y = pruned_list[i].getAttributeAndIndex()  # with the underscore
+            B *= (ct['C1'][y] * pair(ct['C2'][y], sk['keys'][x]['K']) * pair(ct['C3'][y], gp['H'](sk['GID'])) * pair(
+                sk['keys'][x]['KP'], ct['C4'][y])) ** coefficients[y]
+        if debug:
+            print("Decrypt")
+            print("SK:")
+            print(sk)
+            print("Decrypted Message:")
+            print(ct['C0'] / B)
+        return ct['C0'] / B
+
+
+if __name__ == '__main__':
+    debug = True
+
+    import doctest
+
+    doctest.testmod()