charm-crypto-framework 0.61.1__cp313-cp313-macosx_10_13_universal2.whl

charm/schemes/abenc/abenc_yllc15.py

@@ -0,0 +1,178 @@
+'''
+**Extended Proxy-Assisted Revocable CP-ABE (YLLC15)**
+
+*Authors:* Yanjiang Yang, Joseph K Liu, Kaitai Liang, Kim Kwang Raymond Choo, Jianying Zhou
+
+| **Title:** "Extended Proxy-Assisted Approach: Achieving Revocable Fine-Grained Encryption of Cloud Data"
+| **Published in:** 2015
+| **Available from:** N/A
+| **Notes:** Adapted from BSW07, provides revocable fine-grained encryption for cloud data
+
+.. rubric:: Scheme Properties
+
+* **Type:** ciphertext-policy attribute-based encryption
+* **Setting:** Pairing groups
+* **Assumption:** Decisional Bilinear Diffie-Hellman
+
+.. rubric:: Implementation
+
+:Authors: Douglas Hellinger
+:Date: 11/2018
+'''
+
+from charm.toolbox.ABEnc import ABEnc, Output
+from charm.toolbox.pairinggroup import ZR, G1, G2, GT, pair
+from charm.toolbox.schemebase import Input
+from charm.toolbox.secretutil import SecretUtil
+
+# type annotations
+params_t = {'g': G1, 'g2': G2, 'h': G1, 'e_gg_alpha': GT}
+msk_t = {'beta': ZR, 'alpha': ZR}
+pku_t = G2
+sku_t = ZR
+pxku_t = {'k': G2, 'k_prime': G2, 'k_attrs': dict}
+ct_t = {'policy_str': str,
+        'C': GT,
+        'C_prime': G1,
+        'C_prime_prime': G1,
+        'c_attrs': dict
+        }
+v_t = {'C': GT,
+       'e_term': GT}
+
+
+class YLLC15(ABEnc):
+    """
+    Possibly a subclass of BSW07?
+    """
+    def __init__(self, group):
+        ABEnc.__init__(self)
+        self.group = group
+        self.util = SecretUtil(self.group)
+
+    @Output(params_t, msk_t)
+    def setup(self):
+        g, gp = self.group.random(G1), self.group.random(G2)
+        alpha, beta = self.group.random(ZR), self.group.random(ZR)
+        # initialize pre-processing for generators
+        g.initPP()
+        gp.initPP()
+
+        h = g ** beta
+        e_gg_alpha = pair(g, gp ** alpha)
+
+        params = {'g': g, 'g2': gp, 'h': h, 'e_gg_alpha': e_gg_alpha}
+        msk = {'beta': beta, 'alpha': alpha}
+        return params, msk
+
+    @Input(params_t)
+    @Output(pku_t, sku_t)
+    def ukgen(self, params):
+        g2 = params['g2']
+        x = self.group.random(ZR)
+        pku = g2 ** x
+        sku = x
+        return pku, sku
+
+    @Input(params_t, msk_t, pku_t, pku_t, [str])
+    # @Output(pxku_t)
+    def proxy_keygen(self, params, msk, pkcs, pku, attribute_list):
+        """
+        attributes specified in the `attribute_list` are converted to uppercase
+        """
+        r1 = self.group.random(ZR)
+        r2 = self.group.random(ZR)
+        g = params['g']
+        g2 = params['g2']
+
+        k = ((pkcs ** r1) * (pku ** msk['alpha']) * (g2 ** r2)) ** ~msk['beta']
+        k_prime = g2 ** r1
+        k_attrs = {}
+        for attr in attribute_list:
+            attr_caps = attr.upper()
+            r_attr = self.group.random(ZR)
+            k_attr1 = (g2 ** r2) * (self.group.hash(str(attr_caps), G2) ** r_attr)
+            k_attr2 = g ** r_attr
+            k_attrs[attr_caps] = (k_attr1, k_attr2)
+
+        proxy_key_user = {'k': k, 'k_prime': k_prime, 'k_attrs': k_attrs}
+        return proxy_key_user
+
+    @Input(params_t, GT, str)
+    # @Output(ct_t)
+    def encrypt(self, params, msg, policy_str):
+        """
+         Encrypt a message M under a policy string.
+
+         attributes specified in policy_str are converted to uppercase
+         policy_str must use parentheses e.g. (A) and (B)
+        """
+        policy = self.util.createPolicy(policy_str)
+        s = self.group.random(ZR)
+        shares = self.util.calculateSharesDict(s, policy)
+
+        C = (params['e_gg_alpha'] ** s) * msg
+        c_prime = params['h'] ** s
+        c_prime_prime = params['g'] ** s
+
+        c_attrs = {}
+        for attr in shares.keys():
+            attr_stripped = self.util.strip_index(attr)
+            c_i1 = params['g'] ** shares[attr]
+            c_i2 = self.group.hash(attr_stripped, G1) ** shares[attr]
+            c_attrs[attr] = (c_i1, c_i2)
+
+        ciphertext = {'policy_str': policy_str,
+                      'C': C,
+                      'C_prime': c_prime,
+                      'C_prime_prime': c_prime_prime,
+                      'c_attrs': c_attrs}
+        return ciphertext
+
+    # @Input(sku_t, pxku_t, ct_t)
+    @Output(v_t)
+    def proxy_decrypt(self, skcs, proxy_key_user, ciphertext):
+        policy_root_node = ciphertext['policy_str']
+        k = proxy_key_user['k']
+        k_prime = proxy_key_user['k_prime']
+        c_prime = ciphertext['C_prime']
+        c_prime_prime = ciphertext['C_prime_prime']
+        c_attrs = ciphertext['c_attrs']
+        k_attrs = proxy_key_user['k_attrs']
+
+        policy = self.util.createPolicy(policy_root_node)
+        attributes = proxy_key_user['k_attrs'].keys()
+        pruned_list = self.util.prune(policy, attributes)
+        if not pruned_list:
+            return None
+        z = self.util.getCoefficients(policy)
+        # reconstitute the policy random secret (A) which was used to encrypt the message
+        A = 1
+        for i in pruned_list:
+            attr_idx = i.getAttributeAndIndex()
+            attr = i.getAttribute()
+            A *= (pair(c_attrs[attr_idx][0], k_attrs[attr][0]) / pair(k_attrs[attr][1], c_attrs[attr_idx][1])) ** z[attr_idx]
+
+        e_k_c_prime = pair(k, c_prime)
+        denominator = (pair(k_prime, c_prime_prime) ** skcs) * A
+        encrypted_element_for_user_pkenc_scheme = e_k_c_prime / denominator
+
+        intermediate_value = {'C': ciphertext['C'],
+                              'e_term': encrypted_element_for_user_pkenc_scheme}
+
+        return intermediate_value
+
+    @Input(type(None), sku_t, v_t)
+    @Output(GT)
+    def decrypt(self, params, sku, intermediate_value):
+        """
+        :param params: Not required - pass None instead. For interface compatibility only.
+        :param sku: the secret key of the user as generated by `ukgen()`.
+        :param intermediate_value: the partially decrypted ciphertext returned by `proxy_decrypt()`.
+        :return: the plaintext message
+        """
+        ciphertext = intermediate_value['C']
+        e_term = intermediate_value['e_term']
+        denominator = e_term ** (sku ** -1)
+        msg = ciphertext / denominator
+        return msg

charm/schemes/abenc/ac17.py

@@ -0,0 +1,248 @@
+'''
+**FAME: Fast Attribute-based Message Encryption (AC17)**
+
+*Authors:* Shashank Agrawal, Melissa Chase
+
+| **Title:** "FAME: Fast Attribute-based Message Encryption"
+| **Published in:** ACM CCS, 2017
+| **Available from:** https://eprint.iacr.org/2017/807
+| **Notes:** Implemented the scheme in Section 3; fast and practical ABE
+
+.. rubric:: Scheme Properties
+
+* **Type:** ciphertext-policy attribute-based encryption
+* **Setting:** Pairing groups
+* **Assumption:** Variant of k-linear (k >= 2)
+
+.. rubric:: Implementation
+
+:Authors: Shashank Agrawal
+:Date: 05/2016
+'''
+
+from charm.toolbox.pairinggroup import PairingGroup, ZR, G1, G2, GT, pair
+from charm.toolbox.ABEnc import ABEnc
+from charm.toolbox.msp import MSP
+
+debug = False
+
+
+class AC17CPABE(ABEnc):
+    def __init__(self, group_obj, assump_size, verbose=False):
+        ABEnc.__init__(self)
+        self.group = group_obj
+        self.assump_size = assump_size  # size of linear assumption, at least 2
+        self.util = MSP(self.group, verbose)
+
+    def setup(self):
+        """
+        Generates public key and master secret key.
+        """
+
+        if debug:
+            print('\nSetup algorithm:\n')
+
+        # generate two instances of the k-linear assumption
+        A = []
+        B = []
+        for i in range(self.assump_size):
+            A.append(self.group.random(ZR))
+            B.append(self.group.random(ZR))  # note that A, B are vectors here
+
+        # vector
+        k = []
+        for i in range(self.assump_size + 1):
+            k.append(self.group.random(ZR))
+
+        # pick a random element from the two source groups and pair them
+        g = self.group.random(G1)
+        h = self.group.random(G2)
+        e_gh = pair(g, h)
+
+        # now compute various parts of the public parameters
+
+        # compute the [A]_2 term
+        h_A = []
+        for i in range(self.assump_size):
+            h_A.append(h ** A[i])
+        h_A.append(h)
+
+        # compute the e([k]_1, [A]_2) term
+        g_k = []
+        for i in range(self.assump_size + 1):
+            g_k.append(g ** k[i])
+
+        e_gh_kA = []
+        for i in range(self.assump_size):
+            e_gh_kA.append(e_gh ** (k[i] * A[i] + k[self.assump_size]))
+
+        # the public key
+        pk = {'h_A': h_A, 'e_gh_kA': e_gh_kA}
+
+        # the master secret key
+        msk = {'g': g, 'h': h, 'g_k': g_k, 'A': A, 'B': B}
+
+        return pk, msk
+
+    def keygen(self, pk, msk, attr_list):
+        """
+        Generate a key for a list of attributes.
+        """
+
+        if debug:
+            print('\nKey generation algorithm:\n')
+
+        # pick randomness
+        r = []
+        sum = 0
+        for i in range(self.assump_size):
+            rand = self.group.random(ZR)
+            r.append(rand)
+            sum += rand
+
+        # compute the [Br]_2 term
+
+        # first compute just Br as it will be used later too
+        Br = []
+        for i in range(self.assump_size):
+            Br.append(msk['B'][i] * r[i])
+        Br.append(sum)
+
+        # now compute [Br]_2
+        K_0 = []
+        for i in range(self.assump_size + 1):
+            K_0.append(msk['h'] ** Br[i])
+
+        # compute [W_1 Br]_1, ...
+        K = {}
+        A = msk['A']
+        g = msk['g']
+        for attr in attr_list:
+            key = []
+            sigma_attr = self.group.random(ZR)
+            for t in range(self.assump_size):
+                prod = 1
+                a_t = A[t]
+                for l in range(self.assump_size + 1):
+                    input_for_hash = attr + str(l) + str(t)
+                    prod *= (self.group.hash(input_for_hash, G1) ** (Br[l]/a_t))
+                prod *= (g ** (sigma_attr/a_t))
+                key.append(prod)
+            key.append(g ** (-sigma_attr))
+            K[attr] = key
+
+        # compute [k + VBr]_1
+        Kp = []
+        g_k = msk['g_k']
+        sigma = self.group.random(ZR)
+        for t in range(self.assump_size):
+            prod = g_k[t]
+            a_t = A[t]
+            for l in range(self.assump_size + 1):
+                input_for_hash = '01' + str(l) + str(t)
+                prod *= (self.group.hash(input_for_hash, G1) ** (Br[l] / a_t))
+            prod *= (g ** (sigma / a_t))
+            Kp.append(prod)
+        Kp.append(g_k[self.assump_size] * (g ** (-sigma)))
+
+        return {'attr_list': attr_list, 'K_0': K_0, 'K': K, 'Kp': Kp}
+
+    def encrypt(self, pk, msg, policy_str):
+        """
+        Encrypt a message msg under a policy string.
+        """
+
+        if debug:
+            print('\nEncryption algorithm:\n')
+
+        policy = self.util.createPolicy(policy_str)
+        mono_span_prog = self.util.convert_policy_to_msp(policy)
+        num_cols = self.util.len_longest_row
+
+        # pick randomness
+        s = []
+        sum = 0
+        for i in range(self.assump_size):
+            rand = self.group.random(ZR)
+            s.append(rand)
+            sum += rand
+
+        # compute the [As]_2 term
+        C_0 = []
+        h_A = pk['h_A']
+        for i in range(self.assump_size):
+            C_0.append(h_A[i] ** s[i])
+        C_0.append(h_A[self.assump_size] ** sum)
+
+        # compute the [(V^T As||U^T_2 As||...) M^T_i + W^T_i As]_1 terms
+
+        # pre-compute hashes
+        hash_table = []
+        for j in range(num_cols):
+            x = []
+            input_for_hash1 = '0' + str(j + 1)
+            for l in range(self.assump_size + 1):
+                y = []
+                input_for_hash2 = input_for_hash1 + str(l)
+                for t in range(self.assump_size):
+                    input_for_hash3 = input_for_hash2 + str(t)
+                    hashed_value = self.group.hash(input_for_hash3, G1)
+                    y.append(hashed_value)
+                    # if debug: print ('Hash of', i+2, ',', j2, ',', j1, 'is', hashed_value)
+                x.append(y)
+            hash_table.append(x)
+
+        C = {}
+        for attr, row in mono_span_prog.items():
+            ct = []
+            attr_stripped = self.util.strip_index(attr)  # no need, re-use not allowed
+            for l in range(self.assump_size + 1):
+                prod = 1
+                cols = len(row)
+                for t in range(self.assump_size):
+                    input_for_hash = attr_stripped + str(l) + str(t)
+                    prod1 = self.group.hash(input_for_hash, G1)
+                    for j in range(cols):
+                        # input_for_hash = '0' + str(j+1) + str(l) + str(t)
+                        prod1 *= (hash_table[j][l][t] ** row[j])
+                    prod *= (prod1 ** s[t])
+                ct.append(prod)
+            C[attr] = ct
+
+        # compute the e(g, h)^(k^T As) . m term
+        Cp = 1
+        for i in range(self.assump_size):
+            Cp = Cp * (pk['e_gh_kA'][i] ** s[i])
+        Cp = Cp * msg
+
+        return {'policy': policy, 'C_0': C_0, 'C': C, 'Cp': Cp}
+
+    def decrypt(self, pk, ctxt, key):
+        """
+        Decrypt ciphertext ctxt with key key.
+        """
+
+        if debug:
+            print('\nDecryption algorithm:\n')
+
+        nodes = self.util.prune(ctxt['policy'], key['attr_list'])
+        if not nodes:
+            print ("Policy not satisfied.")
+            return None
+
+        prod1_GT = 1
+        prod2_GT = 1
+        for i in range(self.assump_size + 1):
+            prod_H = 1
+            prod_G = 1
+            for node in nodes:
+                attr = node.getAttributeAndIndex()
+                attr_stripped = self.util.strip_index(attr)  # no need, re-use not allowed
+                # prod_H *= key['K'][attr_stripped][i] ** coeff[attr]
+                # prod_G *= ctxt['C'][attr][i] ** coeff[attr]
+                prod_H *= key['K'][attr_stripped][i]
+                prod_G *= ctxt['C'][attr][i]
+            prod1_GT *= pair(key['Kp'][i] * prod_H, ctxt['C_0'][i])
+            prod2_GT *= pair(prod_G, key['K_0'][i])
+
+        return ctxt['Cp'] * prod2_GT / prod1_GT

charm/schemes/abenc/bsw07.py

@@ -0,0 +1,141 @@
+'''
+**Ciphertext-Policy Attribute-Based Encryption (BSW07) - Asymmetric**
+
+*Authors:* John Bethencourt, Amit Sahai, Brent Waters
+
+| **Title:** "Ciphertext-Policy Attribute-Based Encryption"
+| **Published in:** IEEE Symposium on Security and Privacy, 2007
+| **Available from:** https://doi.org/10.1109/SP.2007.11
+| **Notes:** Asymmetric version of the scheme in Section 4.2
+
+.. rubric:: Scheme Properties
+
+* **Type:** ciphertext-policy attribute-based encryption
+* **Setting:** Pairing groups
+* **Assumption:** Generic group model
+
+.. rubric:: Implementation
+
+:Authors: Shashank Agrawal
+:Date: 05/2016
+'''
+
+from charm.toolbox.pairinggroup import PairingGroup, ZR, G1, G2, GT, pair
+from charm.toolbox.ABEnc import ABEnc
+from charm.toolbox.msp import MSP
+
+debug = False
+
+
+class BSW07(ABEnc):
+
+    def __init__(self, group_obj, verbose=False):
+        ABEnc.__init__(self)
+        self.group = group_obj
+        self.util = MSP(self.group, verbose)
+
+    def setup(self):
+        """
+        Generates public key and master secret key.
+        """
+
+        if debug:
+            print('Setup algorithm:\n')
+
+        # pick a random element each from two source groups
+        g1 = self.group.random(G1)
+        g2 = self.group.random(G2)
+
+        beta = self.group.random(ZR)
+        h = g2 ** beta
+        f = g2 ** (1/beta)
+
+        alpha = self.group.random(ZR)
+        g1_alpha = g1 ** alpha
+        e_gg_alpha = pair (g1_alpha, g2)
+
+        pk = {'g1': g1, 'g2': g2, 'h': h, 'f': f, 'e_gg_alpha': e_gg_alpha}
+        msk = {'beta': beta, 'g1_alpha': g1_alpha}
+        return pk, msk
+
+    def keygen(self, pk, msk, attr_list):
+        """
+        Generate a key for a set of attributes.
+        """
+
+        if debug:
+            print('Key generation algorithm:\n')
+
+        r = self.group.random(ZR)
+        g1_r = pk['g1'] ** r
+        beta_inverse = 1 / msk['beta']
+        k0 = (msk['g1_alpha'] * g1_r) ** beta_inverse
+
+        K = {}
+        for attr in attr_list:
+            r_attr = self.group.random(ZR)
+            k_attr1 = g1_r * (self.group.hash(str(attr), G1) ** r_attr)
+            k_attr2 = pk['g2'] ** r_attr
+            K[attr] = (k_attr1, k_attr2)
+
+        return {'attr_list': attr_list, 'k0': k0, 'K': K}
+
+    def encrypt(self, pk, msg, policy_str):
+        """
+         Encrypt a message M under a policy string.
+        """
+
+        if debug:
+            print('Encryption algorithm:\n')
+
+        policy = self.util.createPolicy(policy_str)
+        mono_span_prog = self.util.convert_policy_to_msp(policy)
+        num_cols = self.util.len_longest_row
+
+        # pick randomness
+        u = []
+        for i in range(num_cols):
+            rand = self.group.random(ZR)
+            u.append(rand)
+        s = u[0]    # shared secret
+
+        c0 = pk['h'] ** s
+
+        C = {}
+        for attr, row in mono_span_prog.items():
+            cols = len(row)
+            sum = 0
+            for i in range(cols):
+                sum += row[i] * u[i]
+            attr_stripped = self.util.strip_index(attr)
+            c_i1 = pk['g2'] ** sum
+            c_i2 = self.group.hash(str(attr_stripped), G1) ** sum
+            C[attr] = (c_i1, c_i2)
+
+        c_m = (pk['e_gg_alpha'] ** s) * msg
+
+        return {'policy': policy, 'c0': c0, 'C': C, 'c_m': c_m}
+
+    def decrypt(self, pk, ctxt, key):
+        """
+         Decrypt ciphertext ctxt with key key.
+        """
+
+        if debug:
+            print('Decryption algorithm:\n')
+
+        nodes = self.util.prune(ctxt['policy'], key['attr_list'])
+        if not nodes:
+            print ("Policy not satisfied.")
+            return None
+
+        prod = 1
+
+        for node in nodes:
+            attr = node.getAttributeAndIndex()
+            attr_stripped = self.util.strip_index(attr)
+            (c_attr1, c_attr2) = ctxt['C'][attr]
+            (k_attr1, k_attr2) = key['K'][attr_stripped]
+            prod *= (pair(k_attr1, c_attr1) / pair(c_attr2, k_attr2))
+
+        return (ctxt['c_m'] * prod) / (pair(key['k0'], ctxt['c0']))