charm-crypto-framework 0.61.1__cp313-cp313-macosx_10_13_universal2.whl

charm/schemes/chamhash_adm05.py

@@ -0,0 +1,113 @@
+'''
+**Ateniese-Medeiros Chameleon Hash (ADM05)**
+
+*Authors:* Giuseppe Ateniese, Breno de Medeiros
+
+| **Title:** "On the Key Exposure Problem in Chameleon Hashes"
+| **Published in:** SCN 2004
+| **Notes:** Section 4, Schnorr group-based construction
+
+.. rubric:: Scheme Properties
+
+* **Type:** chameleon hash function
+* **Setting:** Schnorr groups
+* **Assumption:** DL
+
+.. rubric:: Implementation
+
+:Authors: J. Ayo Akinyele
+:Date: 4/2011
+'''
+from charm.toolbox.Hash import ChamHash
+from charm.toolbox.integergroup import IntegerGroupQ
+from charm.core.math.integer import integer
+
+
+debug = False
+class ChamHash_Adm05(ChamHash):
+    """
+    >>> from charm.core.math.integer import integer
+    >>> p = integer(141660875619984104245410764464185421040193281776686085728248762539241852738181649330509191671665849071206347515263344232662465937366909502530516774705282764748558934610432918614104329009095808618770549804432868118610669336907161081169097403439689930233383598055540343198389409225338204714777812724565461351567)
+    >>> q = integer(70830437809992052122705382232092710520096640888343042864124381269620926369090824665254595835832924535603173757631672116331232968683454751265258387352641382374279467305216459307052164504547904309385274902216434059305334668453580540584548701719844965116691799027770171599194704612669102357388906362282730675783)
+    >>> chamHash = ChamHash_Adm05(p, q)
+    >>> (public_key, secret_key) = chamHash.paramgen()
+    >>> msg = "hello world this is the message"
+    >>> c = chamHash.hash(public_key, msg)
+    >>> c == chamHash.hash(public_key, msg, c[1], c[2])
+    True
+    """
+
+    def __init__(self, p=0, q=0):
+        ChamHash.__init__(self)
+        self.group = IntegerGroupQ(0)
+        # if p and q parameters have already been selected
+        self.group.p, self.group.q, self.group.r = p, q, 2
+
+    def paramgen(self, secparam=1024):
+        if self.group.p == 0 or self.group.q == 0:
+            self.group.paramgen(secparam)
+        g, x = self.group.randomGen(), self.group.random()    # g, [1,q-1]
+        y = g ** x
+
+        if debug:
+            print("Public params")
+            print("g =>", g); print("y =>", y)
+
+        pk = {'g': g, 'y': y}
+        sk = {'x': x}
+        return pk, sk
+
+    def hash(self, pk, m, r=0, s=0):
+        p, q = self.group.p, self.group.q
+        if r == 0:
+            r = self.group.random()
+        if s == 0:
+            s = self.group.random()
+        e = self.group.hash(m, r)
+
+        C = r - (((pk['y'] ** e) * (pk['g'] ** s)) % p) % q
+        return C, r, s
+
+    def find_collision(self, pk, sk, C, new_message):
+        p, q = self.group.p, self.group.q
+        k_prime = self.group.random()
+        r_prime = C + ((pk['g'] ** k_prime) % p) % q
+        e_prime = self.group.hash(new_message, r_prime)
+        s_prime = (k_prime - (e_prime * sk['x'])) % q
+        C_prime = r_prime - (((pk['y'] ** e_prime) * (pk['g'] ** s_prime)) % p) % q
+        return C_prime, r_prime, s_prime
+
+
+def main():
+    p = integer(141660875619984104245410764464185421040193281776686085728248762539241852738181649330509191671665849071206347515263344232662465937366909502530516774705282764748558934610432918614104329009095808618770549804432868118610669336907161081169097403439689930233383598055540343198389409225338204714777812724565461351567)
+    q = integer(70830437809992052122705382232092710520096640888343042864124381269620926369090824665254595835832924535603173757631672116331232968683454751265258387352641382374279467305216459307052164504547904309385274902216434059305334668453580540584548701719844965116691799027770171599194704612669102357388906362282730675783)
+    cham_hash = ChamHash_Adm05(p, q)
+    pk, sk = cham_hash.paramgen()
+    if debug:
+        print("Paramgen...")
+        print("pk :=", pk)
+        print("sk :=", sk)
+
+    msg = 'Some message to hash'
+    c, r, s = cham_hash.hash(pk, msg)
+    if debug:
+        print('Hashing: ', msg)
+        print('Hash is: ', c)
+
+    other_msg = 'Some other message to hash, different from previous message'
+    assert msg != other_msg
+    new_c, new_r, new_s = cham_hash.find_collision(pk, sk, c, other_msg)
+    if debug:
+        print('Hashing: ', other_msg)
+        print('Hash is: ', new_c)
+
+    assert new_c == c, 'Could not generate collision'
+    if debug:
+        print('Generated hash collision')
+
+
+if __name__ == "__main__":
+    debug = True
+    main()
+
+

charm/schemes/chamhash_rsa_hw09.py

@@ -0,0 +1,100 @@
+'''
+**Hohenberger-Waters Chameleon Hash (HW09)**
+
+*Authors:* Susan Hohenberger, Brent Waters
+
+| **Title:** "Realizing Hash-and-Sign Signatures under Standard Assumptions"
+| **Published in:** Eurocrypt 2009
+| **Available from:** http://eprint.iacr.org/2009/028.pdf
+| **Notes:** Appendix A, based on Ateniese-de Medeiros scheme
+
+.. rubric:: Scheme Properties
+
+* **Type:** chameleon hash function
+* **Setting:** RSA
+* **Assumption:** RSA
+
+.. rubric:: Implementation
+
+:Authors: J. Ayo Akinyele
+:Date: 1/2011
+'''
+
+from charm.toolbox.Hash import ChamHash,Hash
+from charm.toolbox.integergroup import IntegerGroupQ,gcd,integer
+from charm.toolbox.conversion import Conversion
+
+debug=False
+class ChamHash_HW09(ChamHash):
+    """
+    >>> from charm.core.math.integer import integer
+    >>> p = integer(164960892556379843852747960442703555069442262500242170785496141408191025653791149960117681934982863436763270287998062485836533436731979391762052869620652382502450810563192532079839617163226459506619269739544815249458016088505187490329968102214003929285843634017082702266003694786919671197914296386150563930299)
+    >>> q = integer(82480446278189921926373980221351777534721131250121085392748070704095512826895574980058840967491431718381635143999031242918266718365989695881026434810326191251225405281596266039919808581613229753309634869772407624729008044252593745164984051107001964642921817008541351133001847393459835598957148193075281965149) 
+    >>> chamHash = ChamHash_HW09()
+    >>> (public_key, secret_key) = chamHash.paramgen(1024, p, q)
+    >>> msg = "Hello world this is the message!"
+    >>> (hash1, r) = chamHash.hash(public_key, msg)
+    >>> (hash2, r) = chamHash.hash(public_key, msg, r)
+    >>> hash1 == hash2
+    True
+    """
+    def __init__(self):
+        global group
+        group = IntegerGroupQ(0)
+    
+    def paramgen(self, secparam, p = 0, q = 0):
+        # If we're given p, q, compute N = p*q.  Otherwise select random p, q
+        if not (p == 0 or q == 0):
+            N = p * q
+            if debug: print("p :=", p)
+            if debug: print("q :=", q)
+        else:
+            group.paramgen(secparam)
+            p, q = group.p, group.q
+            N = p * q
+        
+        phi_N = (p-1)*(q-1)
+        J = group.random(N)
+
+        # Use deterministic algorithm to find coprime value instead of random search
+        # This fixes Python 3.12+ hanging issue where random values share common factors
+        # Try common RSA public exponents first, then search incrementally
+        common_exponents = [65537, 3, 5, 17, 257, 641, 6700417]
+        e = None
+
+        for candidate in common_exponents:
+            # Use isCoPrime() method which properly checks gcd == 1
+            if phi_N.isCoPrime(candidate):
+                e = integer(candidate)
+                break
+
+        # If common exponents don't work, search incrementally starting from a larger value
+        if e is None:
+            e = integer(65537)
+            max_iterations = 10000000  # Large limit for deterministic search
+
+            for iterations in range(max_iterations):
+                # Use isCoPrime() method which properly checks gcd == 1
+                if phi_N.isCoPrime(e):
+                    break
+                e += 2  # Only try odd numbers (even numbers can't be coprime with even phi_N)
+
+            # Check if we found a coprime value (either broke out of loop or on last iteration)
+            if not phi_N.isCoPrime(e):
+                raise RuntimeError(
+                    f"Could not find coprime value after {max_iterations} iterations. "
+                    f"phi_N={phi_N}, last e={e}, gcd(e, phi_N)={gcd(e, phi_N)}"
+                )
+
+        pk = { 'secparam': secparam, 'N': N, 'J': J, 'e': e }
+        sk = { 'p': p, 'q': q }
+        return (pk, sk)
+          
+    def hash(self, pk, message, r = 0):
+        N, J, e = pk['N'], pk['J'], pk['e']
+        if r == 0:
+           r = group.random(N)
+        M = Conversion.bytes2integer(message)
+        h = ((J ** M) * (r ** e)) % N
+        return (h, r)
+

charm/schemes/commit/commit_gs08.py

@@ -0,0 +1,77 @@
+'''
+**Groth-Sahai Commitment (GS08)**
+
+*Authors:* Jens Groth, Amit Sahai
+
+| **Title:** "Efficient Non-interactive Proof Systems for Bilinear Groups"
+| **Published in:** Eurocrypt 2008
+| **Available from:** http://www.cs.ucl.ac.uk/staff/J.Groth/WImoduleFull.pdf
+| **Notes:** Implements only the SXDH and DLIN instantiations, in prime-order groups
+
+.. rubric:: Scheme Properties
+
+* **Type:** commitment scheme
+* **Setting:** bilinear groups
+* **Assumption:** SXDH or DLIN
+
+.. rubric:: Implementation
+
+:Authors: Matthew Green
+:Date: 6/2011
+'''
+
+from charm.toolbox.pairinggroup import PairingGroup,ZR,G1,G2,GT,pair
+from charm.toolbox.Commit import *
+
+debug=False
+class Commitment_GS08(Commitment):
+    """
+    >>> group = PairingGroup('SS512')
+    >>> alg = Commitment_GS08(group)
+    >>> public_key = alg.setup()
+    >>> msg = group.random(G1)
+    >>> (commit, decommit) = alg.commit(public_key, msg)
+    >>> alg.decommit(public_key, commit, decommit, msg)
+    True
+    """
+    def __init__(self, groupObj, setting='SXDH'):
+        Commitment.__init__(self)
+        #Commitment.setProperty(self, secdef='CM_PHCB', assumption=['SXDH','DLIN'], message_space=[G1, 'KEM'], secmodel='SM')
+        global group
+        group = groupObj
+    
+    # Generates commitment parameters for either G1 or G2 (specified by groupChoice).
+    # By default this generates the binding commitment parameters.  Set commitType to 'hiding'
+    # in order to generate hiding parameters.
+    def setup(self, secparam=None, groupChoice=G1, commitType='binding'):
+        g1, h1 = group.random(groupChoice), group.random(groupChoice)
+        s, t = group.random(ZR), group.random(ZR)
+        if (commitType == 'binding'):
+            g2, h2 = g1 ** s, h1 ** s
+        else:
+            g2, h2 = g1 ** s, h1 ** t
+        
+        return (g1, g2, h1, h2)
+    # msg => ZR    
+    def commit(self, params, msg):
+        # TODO: check that the message is in the same group as the params
+        (g1, g2, h1, h2) = params
+        r1, r2 = group.random(ZR), group.random(ZR)
+        
+        c1 = (g1 ** r1) * (h1 ** r2)
+        c2 = msg * (g2 ** r1) * (h2 ** r2)
+        
+        return ({ 'c1':c1, 'c2':c2 }, { 'r1':r1, 'r2':r2 })
+        
+    def decommit(self, params, c, d, msg):
+        # TODO: check that the message is in the same group as the params
+        (g1, g2, h1, h2) = params
+        
+        if (not (c['c1'] == ((g1 ** d['r1']) * (h1 ** d['r2'])))):
+            return False
+        
+        if (not ((c['c2'] / msg) == ((g2 ** d['r1']) * (h2 ** d['r2'])))):
+            return False
+        
+        return True
+

charm/schemes/commit/commit_pedersen92.py

@@ -0,0 +1,53 @@
+'''
+**Pedersen Commitment (Ped92)**
+
+*Authors:* Torben P. Pedersen
+
+| **Title:** "Non-Interactive and Information-Theoretic Secure Verifiable Secret Sharing"
+| **Published in:** CRYPTO 1991
+| **Available from:** https://link.springer.com/chapter/10.1007/3-540-46766-1_9
+| **Notes:** Unconditionally hiding and computationally binding commitment scheme
+
+.. rubric:: Scheme Properties
+
+* **Type:** commitment scheme
+* **Setting:** elliptic curve groups
+* **Assumption:** discrete logarithm
+
+.. rubric:: Implementation
+
+:Authors: Charm Crypto
+:Date: N/A
+'''
+
+from charm.toolbox.ecgroup import ECGroup,ZR,G
+from charm.toolbox.Commit import Commitment
+
+debug = False
+class CM_Ped92(Commitment):
+    """
+    >>> group = ECGroup(410)
+    >>> alg = CM_Ped92(group)
+    >>> public_key = alg.setup()
+    >>> msg = group.random(ZR)
+    >>> (commit, decommit) = alg.commit(public_key, msg)
+    >>> alg.decommit(public_key, commit, decommit, msg)
+    True
+    """
+    def __init__(self, groupObj):
+        Commitment.__init__(self)
+        global group
+        group = groupObj
+
+    def setup(self, secparam=None):
+        return {'g': group.random(G), 'h':group.random(G)}
+
+    def commit(self, pk, msg):
+        r = group.random(ZR)
+        c = (pk['g'] ** msg) * (pk['h'] ** r)
+        d = r
+        return (c,d)
+
+    def decommit(self, pk, c, d, msg):
+        return c == (pk['g'] ** msg) * (pk['h'] ** d)
+

charm/schemes/encap_bchk05.py

@@ -0,0 +1,62 @@
+'''
+**Key Encapsulation Mechanism (BCHK05)**
+
+*Authors:* Based on commitment scheme constructions
+
+| **Title:** "Key Encapsulation from Commitment Schemes"
+| **Notes:** Simple hash-based encapsulation scheme
+
+.. rubric:: Scheme Properties
+
+* **Type:** key encapsulation mechanism (KEM)
+* **Setting:** hash-based
+* **Assumption:** random oracle
+
+.. rubric:: Implementation
+
+:Authors: Charm Developers
+:Date: Unknown
+'''
+
+
+from charm.core.math.integer import randomBits
+import hashlib
+
+debug = False
+class EncapBCHK():
+    """
+    >>> encap = EncapBCHK()
+    >>> hout = encap.setup()
+    >>> (r, com, dec) = encap.S(hout)
+    >>> rout = encap.R(hout, com, dec)
+    >>> r == rout
+    True
+    """
+    def __init__(self):
+        global H
+        H = hashlib.sha1()  # nosec B324 - SHA1 used for historical compatibility
+
+    def setup(self):
+        pub = hashlib.sha256()
+        return pub
+
+    def S(self, pub):
+        x = randomBits(448)
+        x = str(x).zfill(135)
+
+        r = hashlib.sha256(x.encode('utf-8')).digest()
+
+        com = hashlib.sha1(x.encode('utf-8')).digest()[:128]  # nosec B324
+
+        dec = x
+
+        return (r, com, dec)
+
+    def R(self, pub, com, dec):
+        x = hashlib.sha1(str(dec).encode('utf-8')).digest()[:128]  # nosec B324
+
+        if(x == com):
+            m = hashlib.sha256(str(dec).encode('utf-8')).digest()
+            return m
+        else:
+            return b'FALSE'

charm/schemes/grpsig/groupsig_bgls04.py

@@ -0,0 +1,114 @@
+'''
+**Short Group Signatures (BBS04)**
+
+*Authors:* Dan Boneh, Xavier Boyen, Hovav Shacham
+
+| **Title:** "Short Group Signatures"
+| **Published in:** CRYPTO 2004
+| **Available from:** n/a
+| **Notes:** An extended abstract of this paper appeared in Advances in Cryptology (2004)
+
+.. rubric:: Scheme Properties
+
+* **Type:** group signature
+* **Setting:** Pairing groups
+* **Assumption:** Strong Diffie-Hellman (SDH) and Decision Linear
+
+.. rubric:: Implementation
+
+:Authors: J. Ayo Akinyele
+:Date: 12/2010
+'''
+from charm.toolbox.pairinggroup import PairingGroup,ZR,G1,G2,GT,pair
+from charm.toolbox.PKSig import PKSig
+
+debug=False
+class ShortSig(PKSig):
+    """
+    >>> group = PairingGroup('MNT224')
+    >>> n = 3    # how manu users are in the group
+    >>> user = 1 # which user's key we will sign a message with
+    >>> shortSig = ShortSig(group)
+    >>> (global_public_key, global_master_secret_key, user_secret_keys) = shortSig.keygen(n)
+    >>> msg = 'Hello World this is a message!'
+    >>> signature = shortSig.sign(global_public_key, user_secret_keys[user], msg)
+    >>> shortSig.verify(global_public_key, msg, signature)
+    True
+    """
+    def __init__(self, groupObj):
+        PKSig.__init__(self)
+        global group
+        group = groupObj
+        
+    def keygen(self, n):
+        g1, g2 = group.random(G1), group.random(G2)
+        h = group.random(G1)
+        xi1, xi2 = group.random(), group.random()
+
+        u,v = h ** ~xi1, h ** ~xi2
+        gamma = group.random(ZR)
+        w = g2 ** gamma
+        gpk = { 'g1':g1, 'g2':g2, 'h':h, 'u':u, 'v':v, 'w':w }
+        gmsk = { 'xi1':xi1, 'xi2':xi2 }
+                
+        x = [group.random(ZR) for i in range(n)]
+        A = [gpk['g1'] ** ~(gamma + x[i]) for i in range(n)]
+        gsk = {}
+        if debug: print("\nSecret keys...")
+        for i in range(n):
+            if debug: print("User %d: A = %s, x = %s" % (i, A[i], x[i]))
+            gsk[i] = (A[i], x[i]) 
+        return (gpk, gmsk, gsk)
+    
+    def sign(self, gpk, gsk, M):
+        alpha, beta = group.random(), group.random()
+        A, x = gsk[0], gsk[1]
+        T1 = gpk['u'] ** alpha
+        T2 = gpk['v'] ** beta
+        T3 = A * (gpk['h'] ** (alpha + beta))
+        
+        delta1 = x * alpha
+        delta2 = x * beta
+        r = [group.random() for i in range(5)]
+         
+        R1 = gpk['u'] ** r[0]
+        R2 = gpk['v'] ** r[1]
+        R3 = (pair(T3, gpk['g2']) ** r[2]) * (pair(gpk['h'], gpk['w']) ** (-r[0] - r[1])) * (pair(gpk['h'], gpk['g2']) ** (-r[3] - r[4]))
+        R4 = (T1 ** r[2]) * (gpk['u'] ** -r[3])
+        R5 = (T2 ** r[2]) * (gpk['v'] ** -r[4])
+        
+        c = group.hash((M, T1, T2, T3, R1, R2, R3, R4, R5), ZR)
+        s1, s2 = r[0] + c * alpha, r[1] + c * beta
+        s3, s4 = r[2] + c * x, r[3] + c * delta1
+        s5 = r[4] + c * delta2
+        return {'T1':T1, 'T2':T2, 'T3':T3, 'c':c, 's_alpha':s1, 's_beta':s2, 's_x':s3, 's_delta1':s4, 's_delta2':s5}
+    
+    def verify(self, gpk, M, sigma):
+        validSignature = False
+        
+        c, t1, t2, t3 = sigma['c'], sigma['T1'], sigma['T2'], sigma['T3']
+        s_alpha, s_beta = sigma['s_alpha'], sigma['s_beta']
+        s_x, s_delta1, s_delta2 = sigma['s_x'], sigma['s_delta1'], sigma['s_delta2']
+        
+        R1_ = (gpk['u'] ** s_alpha) * (t1 ** -c)
+        R2_ = (gpk['v'] ** s_beta) * (t2 ** -c)
+        R3_ = (pair(t3, gpk['g2']) ** s_x) * (pair(gpk['h'],gpk['w']) ** (-s_alpha - s_beta)) * (pair(gpk['h'], gpk['g2']) ** (-s_delta1 - s_delta2)) * ((pair(t3, gpk['w']) / pair(gpk['g1'], gpk['g2'])) ** c)
+        R4_ = (t1 ** s_x) * (gpk['u'] ** -s_delta1)
+        R5_ = (t2 ** s_x) * (gpk['v'] ** -s_delta2)
+        
+        c_prime = group.hash((M, t1, t2, t3, R1_, R2_, R3_, R4_, R5_), ZR)
+        
+        if c == c_prime:
+            if debug: print("c => '%s'" % c)
+            if debug: print("Valid Group Signature for message: '%s'" % M)
+            validSignature = True
+        else:
+            if debug: print("Not a valid signature for message!!!")
+        return validSignature
+    
+    def open(self, gpk, gmsk, M, sigma):
+        t1, t2, t3, xi1, xi2 = sigma['T1'], sigma['T2'], sigma['T3'], gmsk['xi1'], gmsk['xi2']
+        
+        A_prime = t3 / ((t1 ** xi1) * (t2 ** xi2))
+        return A_prime
+        

charm/schemes/grpsig/groupsig_bgls04_var.py

@@ -0,0 +1,115 @@
+'''
+**Short Group Signatures - Batch Verification Variant (BBS04-Var)**
+
+*Authors:* Dan Boneh, Xavier Boyen, Hovav Shacham
+
+| **Title:** "Short Group Signatures"
+| **Published in:** CRYPTO 2004
+| **Available from:** n/a
+| **Notes:** Variant with alternative verification check that allows batch verification
+
+.. rubric:: Scheme Properties
+
+* **Type:** group signature
+* **Setting:** Pairing groups
+* **Assumption:** Strong Diffie-Hellman (SDH) and Decision Linear
+
+.. rubric:: Implementation
+
+:Authors: J. Ayo Akinyele
+:Date: 12/2010
+'''
+from charm.toolbox.pairinggroup import PairingGroup,ZR,G1,G2,GT,pair
+from charm.toolbox.PKSig import PKSig
+
+debug=False
+class ShortSig(PKSig):
+    """
+    >>> group = PairingGroup('MNT224')
+    >>> n = 3    # how manu users in the group
+    >>> user = 1 # which user's key to sign a message with
+    >>> shortSig = ShortSig(group)
+    >>> (global_public_key, global_master_secret_key, user_secret_keys) = shortSig.keygen(n)
+    >>> msg = 'Hello World this is a message!'
+    >>> signature = shortSig.sign(global_public_key, user_secret_keys[user], msg)
+    >>> shortSig.verify(global_public_key, msg, signature)
+    True
+    """
+    def __init__(self, groupObj):
+        PKSig.__init__(self)
+        global group
+        group = groupObj
+        
+    def keygen(self, n):
+        g1, g2 = group.random(G1), group.random(G2)
+        h = group.random(G1)
+        xi1, xi2 = group.random(), group.random()
+
+        u,v = h ** ~xi1, h ** ~xi2
+        gamma = group.random(ZR)
+        w = g2 ** gamma
+        gpk = { 'g1':g1, 'g2':g2, 'h':h, 'u':u, 'v':v, 'w':w }
+        gmsk = { 'xi1':xi1, 'xi2':xi2 }
+                
+        x = [group.random(ZR) for i in range(n)]
+        A = [gpk['g1'] ** ~(gamma + x[i]) for i in range(n)]
+        gsk = {}
+        if debug: print("\nSecret keys...")
+        for i in range(n):
+            if debug: print("User %d: A = %s, x = %s" % (i, A[i], x[i]))
+            gsk[i] = (A[i], x[i]) 
+        return (gpk, gmsk, gsk)
+    
+    def sign(self, gpk, gsk, M):
+        alpha, beta = group.random(), group.random()
+        A, x = gsk[0], gsk[1]
+        T1 = gpk['u'] ** alpha
+        T2 = gpk['v'] ** beta
+        T3 = A * (gpk['h'] ** (alpha + beta))
+        
+        gamma1 = x * alpha
+        gamma2 = x * beta
+        r = [group.random() for i in range(5)]
+         
+        R1 = gpk['u'] ** r[0]
+        R2 = gpk['v'] ** r[1]
+        R3 = (pair(T3, gpk['g2']) ** r[2]) * (pair(gpk['h'], gpk['w']) ** (-r[0] - r[1])) * (pair(gpk['h'], gpk['g2']) ** (-r[3] - r[4]))
+        R4 = (T1 ** r[2]) * (gpk['u'] ** -r[3])
+        R5 = (T2 ** r[2]) * (gpk['v'] ** -r[4])
+        
+        c = group.hash((M, T1, T2, T3, R1, R2, R3, R4, R5), ZR)
+        s1, s2 = r[0] + c * alpha, r[1] + c * beta
+        s3, s4 = r[2] + c * x, r[3] + c * gamma1
+        s5 = r[4] + c * gamma2
+        return { 'T1':T1, 'T2':T2, 'T3':T3, 'R3':R3,'c':c, 's_alpha':s1, 's_beta':s2, 's_x':s3, 's_gamma1':s4, 's_gamma2':s5 }
+    
+    def verify(self, gpk, M, sigma):        
+        """alternative verification check for BGLS04 which allows it to be batched"""
+        c, T1, T2, T3 = sigma['c'], sigma['T1'], sigma['T2'], sigma['T3']
+        s_alpha, s_beta = sigma['s_alpha'], sigma['s_beta']
+        s_x, s_gamma1, s_gamma2 = sigma['s_x'], sigma['s_gamma1'], sigma['s_gamma2']
+        R3 = sigma['R3']
+        
+        R1 = (gpk['u'] ** s_alpha) * (T1 ** -c)
+        R2 = (gpk['v'] ** s_beta) * (T2 ** -c)
+        R4 = (T1 ** s_x) * (gpk['u'] ** -s_gamma1)
+        R5 = (T2 ** s_x) * (gpk['v'] ** -s_gamma2)
+        if c == group.hash((M, T1, T2, T3, R1, R2, R3, R4, R5), ZR):
+            if debug: print("c => '%s'" % c)
+            if debug: print("Valid Group Signature for message: '%s'" % M)
+            pass
+        else:
+            if debug: print("Not a valid signature for message!!!")
+            return False
+        
+        if ((pair(T3, gpk['g2']) ** s_x) * (pair(gpk['h'],gpk['w']) ** (-s_alpha - s_beta)) * (pair(gpk['h'], gpk['g2']) ** (-s_gamma1 - s_gamma2)) * (pair(T3, gpk['w']) ** c) * (pair(gpk['g1'], gpk['g2']) ** -c) ) == R3: 
+            return True
+        else:
+            return False
+    
+    def open(self, gpk, gmsk, M, sigma):
+        t1, t2, t3, xi1, xi2 = sigma['T1'], sigma['T2'], sigma['T3'], gmsk['xi1'], gmsk['xi2']
+        
+        A_prime = t3 / ((t1 ** xi1) * (t2 ** xi2))
+        return A_prime
+