charm-crypto-framework 0.61.1__cp313-cp313-macosx_10_13_universal2.whl

charm/schemes/abenc/cgw15.py

@@ -0,0 +1,277 @@
+'''
+**Improved Dual System ABE (CGW15)**
+
+*Authors:* Jie Chen, Romain Gay, Hoeteck Wee
+
+| **Title:** "Improved Dual System ABE in Prime-Order Groups via Predicate Encodings"
+| **Published in:** EUROCRYPT, 2015
+| **Available from:** http://eprint.iacr.org/2015/409
+| **Notes:** Implemented the scheme in Appendix B.2
+
+.. rubric:: Scheme Properties
+
+* **Type:** ciphertext-policy attribute-based encryption
+* **Setting:** Pairing groups (prime order)
+* **Assumption:** k-linear
+
+.. rubric:: Implementation
+
+:Authors: Shashank Agrawal
+:Date: 05/2016
+'''
+
+from charm.toolbox.pairinggroup import PairingGroup, ZR, G1, G2, GT, pair
+from charm.toolbox.ABEnc import ABEnc
+from charm.toolbox.msp import MSP
+
+debug = False
+
+
+class CGW15CPABE(ABEnc):
+    def __init__(self, groupObj, assump_size, uni_size, verbose=False):
+        ABEnc.__init__(self)
+        self.group = groupObj
+        self.assump_size = assump_size  # size of the linear assumption
+        self.uni_size = uni_size  # bound on the size of the universe of attributes
+        self.util = MSP(self.group, verbose)  
+
+    def setup(self):
+        """
+        Generates public key and master secret key.
+        """
+
+        if debug:
+            print('Setup algorithm:\n')
+
+        # generate two instances of the k-linear assumption
+        A = []
+        B = []
+        for i in range(self.assump_size):
+            A.append(self.group.random(ZR))
+            B.append(self.group.random(ZR))  # note that A, B are vectors here
+
+        # pick matrices that help to randomize basis
+        W = {}
+        for i in range(self.uni_size):
+            x = []
+            for j1 in range(self.assump_size + 1):
+                y = []
+                for j2 in range(self.assump_size + 1):
+                    y.append(self.group.random(ZR))
+                x.append(y)
+            W[i + 1] = x
+
+        V = []
+        for j1 in range(self.assump_size + 1):
+            y = []
+            for j2 in range(self.assump_size + 1):
+                y.append(self.group.random(ZR))
+            V.append(y)
+
+        # vector
+        k = []
+        for i in range(self.assump_size + 1):
+            k.append(self.group.random(ZR))
+
+        # pick a random element from the two source groups and pair them
+        g = self.group.random(G1)
+        h = self.group.random(G2)
+        e_gh = pair(g, h)
+
+        # now compute various parts of the public parameters
+
+        # compute the [A]_1 term
+        g_A = []
+        for i in range(self.assump_size):
+            g_A.append(g ** A[i])
+        g_A.append(g)
+
+        # compute the [W_1^T A]_1, [W_2^T A]_1, ...  terms
+        g_WA = {}
+        for i in range(self.uni_size):
+            x = []
+            for j1 in range(self.assump_size + 1):
+                y = []
+                for j2 in range(self.assump_size):
+                    prod = (A[j2] * W[i + 1][j2][j1]) + W[i + 1][self.assump_size][j1]
+                    y.append(g ** prod)
+                x.append(y)
+            g_WA[i + 1] = x
+
+        g_VA = []
+        for j1 in range(self.assump_size + 1):
+            y = []
+            for j2 in range(self.assump_size):
+                prod = (A[j2] * V[j2][j1]) + V[self.assump_size][j1]
+                y.append(g ** prod)
+            g_VA.append(y)
+
+        # compute the e([A]_1, [k]_2) term
+        h_k = []
+        for i in range(self.assump_size + 1):
+            h_k.append(h ** k[i])
+
+        e_gh_kA = []
+        for i in range(self.assump_size):
+            e_gh_kA.append(e_gh ** (k[i] * A[i] + k[self.assump_size]))
+
+        # the public key
+        pk = {'g_A': g_A, 'g_WA': g_WA, 'g_VA': g_VA, 'e_gh_kA': e_gh_kA}
+
+        # the master secret key
+        msk = {'h': h, 'k': k, 'B': B, 'W': W, 'V': V}
+
+        return pk, msk
+
+    def keygen(self, pk, msk, attr_list):
+        """
+        Generate a key for a set of attributes.
+        """
+
+        if debug:
+            print('Key generation algorithm:\n')
+
+        # pick randomness
+        r = []
+        sum = 0
+        for i in range(self.assump_size):
+            rand = self.group.random(ZR)
+            r.append(rand)
+            sum += rand
+
+        # compute the [Br]_2 term
+        K_0 = []
+        Br = []
+        h = msk['h']
+        for i in range(self.assump_size):
+            prod = msk['B'][i] * r[i]
+            Br.append(prod)
+            K_0.append(h ** prod)
+        Br.append(sum)
+        K_0.append(h ** sum)
+
+        # compute the [W_i^T Br]_2 terms
+        K = {}
+        for attr in attr_list:
+            key = []
+            W_attr = msk['W'][int(attr)]
+            for j1 in range(self.assump_size + 1):
+                sum = 0
+                for j2 in range(self.assump_size + 1):
+                    sum += W_attr[j1][j2] * Br[j2]
+                key.append(h ** sum)
+            K[attr] = key
+
+        # compute the [k + VBr]_2 term
+        Kp = []
+        V = msk['V']
+        k = msk['k']
+        for j1 in range(self.assump_size + 1):
+            sum = 0
+            for j2 in range(self.assump_size + 1):
+                sum += V[j1][j2] * Br[j2]
+            Kp.append(h ** (k[j1] + sum))
+
+        return {'attr_list': attr_list, 'K_0': K_0, 'K': K, 'Kp': Kp}
+
+    def encrypt(self, pk, msg, policy_str):
+        """
+        Encrypt a message M under a policy string.
+        """
+
+        if debug:
+            print('Encryption algorithm:\n')
+
+        policy = self.util.createPolicy(policy_str)
+        mono_span_prog = self.util.convert_policy_to_msp(policy)
+        num_cols = self.util.len_longest_row
+
+        # pick randomness
+        s = []
+        sum = 0
+        for i in range(self.assump_size):
+            rand = self.group.random(ZR)
+            s.append(rand)
+            sum += rand
+        s.append(sum)
+
+        # compute the [As]_1 term
+        g_As = []
+        g_A = pk['g_A']
+        for i in range(self.assump_size + 1):
+            g_As.append(g_A[i] ** s[i])
+
+        # compute U^T_2 As, U^T_3 As by picking random matrices U_2, U_3 ...
+        UAs = {}
+        for i in range(num_cols - 1):
+            x = []
+            for j1 in range(self.assump_size + 1):
+                prod = 1
+                for j2 in range(self.assump_size + 1):
+                    prod *= g_As[j2] ** (self.group.random(ZR))
+                x.append(prod)
+            UAs[i+1] = x
+
+        # compute V^T As using VA from public key
+        VAs = []
+        g_VA = pk['g_VA']
+        for j1 in range(self.assump_size + 1):
+            prod = 1
+            for j2 in range(self.assump_size):
+                prod *= g_VA[j1][j2] ** s[j2]
+            VAs.append(prod)
+
+        # compute the [(V^T As||U^T_2 As||...||U^T_cols As) M^T_i + W^T_i As]_1 terms
+        C = {}
+        g_WA = pk['g_WA']
+        for attr, row in mono_span_prog.items():
+            attr_stripped = self.util.strip_index(attr)  # no need, re-use not allowed
+            ct = []
+            for j1 in range(self.assump_size + 1):
+                cols = len(row)
+                prod1 = VAs[j1] ** row[0]
+                for j2 in range(1, cols):
+                    prod1 *= UAs[j2][j1] ** row[j2]
+                prod2 = 1
+                for j2 in range(self.assump_size):
+                    prod2 *= g_WA[int(attr_stripped)][j1][j2] ** s[j2]
+                ct.append(prod1 * prod2)
+            C[attr] = ct
+
+        # compute the e(g, h)^(k^T As) . m term
+        Cx = 1
+        for i in range(self.assump_size):
+            Cx = Cx * (pk['e_gh_kA'][i] ** s[i])
+        Cx = Cx * msg
+
+        return {'policy': policy, 'C_0': g_As, 'C': C, 'Cx': Cx}
+
+    def decrypt(self, pk, ctxt, key):
+        """
+        Decrypt ciphertext ctxt with key key.
+        """
+
+        if debug:
+            print('Decryption algorithm:\n')
+
+        nodes = self.util.prune(ctxt['policy'], key['attr_list'])
+        if not nodes:
+            print ("Policy not satisfied.")
+            return None
+
+        prod1_GT = 1
+        prod2_GT = 1
+        for i in range(self.assump_size + 1):
+            prod_H = 1
+            prod_G = 1
+            for node in nodes:
+                attr = node.getAttributeAndIndex()
+                attr_stripped = self.util.strip_index(attr)  # no need, re-use not allowed
+                # prod_H *= D['K'][attr_stripped][i] ** coeff[attr]
+                # prod_G *= E['C'][attr][i] ** coeff[attr]
+                prod_H *= key['K'][attr_stripped][i]
+                prod_G *= ctxt['C'][attr][i]
+            prod1_GT *= pair(ctxt['C_0'][i], key['Kp'][i] * prod_H)
+            prod2_GT *= pair(prod_G, key['K_0'][i])
+
+        return ctxt['Cx'] * prod2_GT / prod1_GT

charm/schemes/abenc/dabe_aw11.py

@@ -0,0 +1,204 @@
+'''
+**Decentralized Attribute-Based Encryption (AW11)**
+
+*Authors:* Allison Lewko, Brent Waters
+
+| **Title:** "Decentralizing Attribute-Based Encryption"
+| **Published in:** EUROCRYPT, 2011 (Appendix D)
+| **Available from:** http://eprint.iacr.org/2010/351.pdf
+| **Notes:** Decentralized multi-authority ABE construction
+
+.. rubric:: Scheme Properties
+
+* **Type:** decentralized attribute-based encryption
+* **Setting:** Bilinear groups (asymmetric)
+* **Assumption:** Decisional Bilinear Diffie-Hellman
+
+.. rubric:: Implementation
+
+:Authors: Gary Belvin
+:Date: 06/2011
+'''
+
+from charm.toolbox.pairinggroup import PairingGroup,ZR,G1,G2,GT,pair
+from charm.toolbox.secretutil import SecretUtil
+from charm.toolbox.ABEncMultiAuth import ABEncMultiAuth
+
+debug = False
+class Dabe(ABEncMultiAuth):
+    """
+    Decentralized Attribute-Based Encryption by Lewko and Waters
+
+    >>> group = PairingGroup('SS512')
+    >>> dabe = Dabe(group)
+    >>> public_parameters = dabe.setup()
+    >>> auth_attrs= ['ONE', 'TWO', 'THREE', 'FOUR'] #setup an authority
+    >>> (master_secret_key, master_public_key) = dabe.authsetup(public_parameters, auth_attrs)
+
+        Setup a user and give him some keys
+    >>> ID, secret_keys = "bob", {}
+    >>> usr_attrs = ['THREE', 'ONE', 'TWO']
+    >>> for i in usr_attrs:  dabe.keygen(public_parameters, master_secret_key, i, ID, secret_keys)
+    >>> msg = group.random(GT)
+    >>> policy = '((one or three) and (TWO or FOUR))'
+    >>> cipher_text = dabe.encrypt(public_parameters, master_public_key, msg, policy)
+    >>> decrypted_msg = dabe.decrypt(public_parameters, secret_keys, cipher_text)
+    >>> decrypted_msg == msg
+    True
+    """
+    def __init__(self, groupObj):
+        ABEncMultiAuth.__init__(self)
+        global util, group
+        util = SecretUtil(groupObj, verbose=False)  #Create Secret Sharing Scheme
+        group = groupObj    #:Prime order group        
+	#Another comment
+   
+    def setup(self):
+        '''Global Setup'''
+        #:In global setup, a bilinear group G of prime order p is chosen
+        #:The global public parameters, GP and p, and a generator g of G. A random oracle H maps global identities GID to elements of G
+    
+        #:group contains 
+        #:the prime order p is contained somewhere within the group object
+        g = group.random(G1)
+        #: The oracle that maps global identities GID onto elements of G
+        #:H = lambda str: g** group.hash(str)
+        H = lambda x: group.hash(x, G1)
+        GP = {'g':g, 'H': H}
+
+        return GP
+
+    def authsetup(self, GP, attributes):
+        '''Authority Setup for a given set of attributes'''
+        #For each attribute i belonging to the authority, the authority chooses two random exponents, 
+        #alpha_i, y_i and publishes PK={e(g,g)^alpha_i, g^y_i} for each attribute 
+        #it keeps SK = {alpha_i, y_i} as its secret key
+        SK = {} #dictionary of {s: {alpha_i, y_i}} 
+        PK = {} #dictionary of {s: {e(g,g)^alpha_i, g^y}}
+        for i in attributes:
+            #TODO: Is ZR an appropriate choice for a random element in Zp?
+            alpha_i, y_i = group.random(), group.random()
+            e_gg_alpha_i = pair(GP['g'],GP['g']) ** alpha_i
+            g_y_i = GP['g'] ** y_i
+            SK[i.upper()] = {'alpha_i': alpha_i, 'y_i': y_i}
+            PK[i.upper()] = {'e(gg)^alpha_i': e_gg_alpha_i, 'g^y_i': g_y_i}
+        
+        if(debug):
+            print("Authority Setup for %s" % attributes)
+            print("SK = {alpha_i, y_i}")
+            print(SK)
+            print("PK = {e(g,g) ^ alpha_i, g ^ y_i}")
+            print(PK)
+             
+        return (SK, PK)
+        
+    def keygen(self, gp, sk, i, gid, pkey):
+        '''Create a key for GID on attribute i belonging to authority sk
+        sk is the private key for the releveant authority
+        i is the attribute to give bob
+        pkey is bob's private key dictionary, to which the appropriate private key is added
+        '''
+        #To create a key for GID for attribute i belonging to an authority, the authority computes K_{i,GID} = g^alpha_i * H(GID)^y_
+        h = gp['H'](gid) 
+        K = (gp['g'] ** sk[i.upper()]['alpha_i']) * (h ** sk[i.upper()]['y_i'])
+        
+        pkey[i.upper()] = {'k': K}
+        pkey['gid'] = gid
+        
+        if(debug):
+            print("Key gen for %s on %s" % (gid, i))
+            print("H(GID): '%s'" % h)
+            print("K = g^alpha_i * H(GID) ^ y_i: %s" % K)
+        return None
+
+    def encrypt(self, gp, pk, M, policy_str):
+        '''Encrypt'''
+        #M is a group element
+        #pk is a dictionary with all the attributes of all authorities put together.
+        #This is legal because no attribute can be shared by more than one authority
+        #{i: {'e(gg)^alpha_i: , 'g^y_i'}
+        s = group.random()
+        w = group.init(ZR, 0)
+        egg_s = pair(gp['g'],gp['g']) ** s
+        C0 = M * egg_s
+        C1, C2, C3 = {}, {}, {}
+        
+        #Parse the policy string into a tree
+        policy = util.createPolicy(policy_str)
+        sshares = util.calculateSharesList(s, policy) #Shares of the secret 
+        wshares = util.calculateSharesList(w, policy) #Shares of 0
+        
+    
+        wshares = dict([(x[0].getAttributeAndIndex(), x[1]) for x in wshares])
+        sshares = dict([(x[0].getAttributeAndIndex(), x[1]) for x in sshares])
+        for attr, s_share in sshares.items():
+            k_attr = util.strip_index(attr)
+            w_share = wshares[attr]
+            r_x = group.random()
+            C1[attr] = (pair(gp['g'],gp['g']) ** s_share) * (pk[k_attr]['e(gg)^alpha_i'] ** r_x)
+            C2[attr] = gp['g'] ** r_x
+            C3[attr] = (pk[k_attr]['g^y_i'] ** r_x) * (gp['g'] ** w_share)
+            
+        return { 'C0':C0, 'C1':C1, 'C2':C2, 'C3':C3, 'policy':policy_str }
+
+    def decrypt(self, gp, sk, ct):
+        '''Decrypt a ciphertext
+        SK is the user's private key dictionary {attr: { xxx , xxx }}
+        ''' 
+        usr_attribs = list(sk.keys())
+        usr_attribs.remove('gid')
+        policy = util.createPolicy(ct['policy'])
+        pruned = util.prune(policy, usr_attribs)
+        if pruned == False:
+            raise Exception("Don't have the required attributes for decryption!")        
+        coeffs = util.getCoefficients(policy)
+    
+        h_gid = gp['H'](sk['gid'])  #find H(GID)
+        egg_s = 1
+        for i in pruned:
+            x = i.getAttributeAndIndex()
+            y = i.getAttribute()
+            num = ct['C1'][x] * pair(h_gid, ct['C3'][x])
+            dem = pair(sk[y]['k'], ct['C2'][x])
+            egg_s *= ( (num / dem) ** coeffs[x] )
+   
+        if(debug): print("e(gg)^s: %s" % egg_s)
+
+        return ct['C0'] / egg_s
+
+def main():
+    groupObj = PairingGroup('SS512')
+
+    dabe = Dabe(groupObj)
+    GP = dabe.setup()
+
+    #Setup an authority
+    auth_attrs= ['ONE', 'TWO', 'THREE', 'FOUR']
+    (SK, PK) = dabe.authsetup(GP, auth_attrs)
+    if debug: print("Authority SK")
+    if debug: print(SK)
+
+    #Setup a user and give him some keys
+    gid, K = "bob", {}
+    usr_attrs = ['THREE', 'ONE', 'TWO']
+    for i in usr_attrs: dabe.keygen(GP, SK, i, gid, K)
+    if debug: print('User credential list: %s' % usr_attrs)
+    if debug: print("\nSecret key:")
+    if debug: groupObj.debug(K)
+
+    #Encrypt a random element in GT
+    m = groupObj.random(GT)
+    policy = '((one or three) and (TWO or FOUR))'
+    if debug: print('Acces Policy: %s' % policy)
+    CT = dabe.encrypt(GP, PK, m, policy)
+    if debug: print("\nCiphertext...")
+    if debug: groupObj.debug(CT)
+
+    orig_m = dabe.decrypt(GP, K, CT)
+
+    assert m == orig_m, 'FAILED Decryption!!!'
+    if debug: print('Successful Decryption!')
+
+if __name__ == '__main__':
+    debug = True
+    main()

charm/schemes/abenc/dfa_fe12.py

@@ -0,0 +1,144 @@
+'''
+**Functional Encryption for Regular Languages (FE12)**
+
+*Authors:* Brent Waters
+
+| **Title:** "Functional Encryption for Regular Languages"
+| **Published in:** CRYPTO, 2012
+| **Available from:** http://eprint.iacr.org/2012/384
+| **Notes:** DFA-based functional encryption with public index
+
+.. rubric:: Scheme Properties
+
+* **Type:** functional encryption (public index)
+* **Setting:** Pairing groups
+* **Assumption:** Decisional Linear
+
+.. rubric:: Implementation
+
+:Authors: J. Ayo Akinyele
+:Date: 12/2012
+'''
+from charm.toolbox.pairinggroup import PairingGroup,ZR,G1,G2,GT,pair
+from charm.toolbox.DFA import DFA
+
+debug = False
+class FE_DFA:
+    def __init__(self, _groupObj, _dfaObj):
+        global group, dfaObj
+        group = _groupObj
+        dfaObj = _dfaObj
+        
+    def setup(self, alphabet):
+        g, z, h_start, h_end = group.random(G1, 4)
+        h = {'start':h_start, 'end':h_end }
+        for sigma in alphabet:
+            h[str(sigma)] = group.random(G1)
+        alpha = group.random(ZR)
+        
+        msk = g ** -alpha
+        mpk = {'egg':pair(g, g) ** alpha, 'g':g, 'z':z, 'h':h }
+        return (mpk, msk)
+    
+    def keygen(self, mpk, msk, dfaM):
+        Q, S, T, q0, F = dfaM
+        q = len(Q)
+        # associate D_i with each state q_i in Q
+        D = group.random(G1, q+1) # [0, q] including q-th index
+        r_start = group.random(ZR)
+        K = {}
+        K['start1'] = D[0] * (mpk['h']['start'] ** r_start)
+        K['start2'] = mpk['g'] ** r_start
+        
+        for t in T: # for each tuple, t in transition list
+            r = group.random(ZR)
+            (x, y, sigma) = t
+            K[str(t)] = {}
+            K[str(t)][1] = (D[x] ** -1) * (mpk['z'] ** r)
+            K[str(t)][2] = mpk['g'] ** r
+            K[str(t)][3] = D[y] * ((mpk['h'][str(sigma)]) ** r)
+        
+        # for each accept state in the set of all accept states
+        K['end'] = {}
+        for x in F:
+            rx = group.random(ZR)
+            K['end'][str(x)] = {}
+            K['end'][str(x)][1] = msk * D[x] * (mpk['h']['end'] ** rx)
+            K['end'][str(x)][2] = mpk['g'] ** rx
+            
+        sk = {'K':K, 'dfaM':dfaM }
+        return sk
+    
+    def encrypt(self, mpk, w, M):
+        l = len(w) # symbols of string        
+        s = group.random(ZR, l+1) # l+1 b/c it includes 'l'-th index
+        C = {}
+        C['m'] = M * (mpk['egg'] ** s[l])
+        
+        C[0] = {}
+        C[0][1] = mpk['g'] ** s[0]
+        C[0][2] = mpk['h']['start'] ** s[0]
+        
+        for i in range(1, l+1):
+            C[i] = {}
+            C[i][1] = mpk['g'] ** s[i]
+            C[i][2] = (mpk['h'][ str(w[i]) ] ** s[i]) * (mpk['z'] ** s[i-1])
+        
+        C['end1'] = mpk['g'] ** s[l]
+        C['end2'] = mpk['h']['end'] ** s[l]        
+        ct = {'C':C, 'w':w}
+        return ct
+    
+    def decrypt(self, sk, ct):
+        K, dfaM = sk['K'], sk['dfaM']
+        C, w = ct['C'], ct['w']
+        l = len(w)
+        B = {}
+        # if DFA does not accept string, return immediately
+        if not dfaObj.accept(dfaM, w):
+            print("DFA rejects: ", w)
+            return False
+        
+        Ti = dfaObj.getTransitions(dfaM, w) # returns a tuple of transitions 
+        B[0] = pair(C[0][1],  K['start1']) * (pair(C[0][2], K['start2']) ** -1)
+        for i in range(1, l+1):
+            ti = Ti[i]
+            if debug: print("transition: ", ti)
+            B[i] = B[i-1] * pair(C[i-1][1], K[str(ti)][1]) * (pair(C[i][2], K[str(ti)][2]) ** -1) * pair(C[i][1], K[str(ti)][3])
+        
+        x = dfaObj.getAcceptState(Ti) # retrieve accept state
+        Bend = B[l] * (pair(C['end1'], K['end'][str(x)][1]) ** -1) * pair(C['end2'], K['end'][str(x)][2]) 
+        M = C['m'] / Bend  
+        return M
+    
+def main():
+    global group
+    group = PairingGroup("SS512")
+    
+    alphabet = {'a', 'b'}
+    dfa = DFA("ab*a", alphabet)
+    dfaM = dfa.constructDFA()
+    
+    fe = FE_DFA(group, dfa)
+    
+    (mpk, msk) = fe.setup(alphabet)
+    if debug: print("mpk :=>", mpk, "\n\n")
+    
+    sk = fe.keygen(mpk, msk, dfaM)
+    if debug: print("sk :=>", sk)
+    
+    w = dfa.getSymbols("abba")
+    M = group.random(GT)
+    ct = fe.encrypt(mpk, w, M)
+    
+    origM = fe.decrypt(sk, ct)
+    assert M == origM, "failed decryption!"
+    if debug: print("Successful Decryption!!!!!")
+    
+if __name__ == "__main__":
+    debug = True
+    main()
+    
+    
+    
+