charm-crypto-framework 0.61.1__cp313-cp313-macosx_10_13_universal2.whl

charm/schemes/ibenc/ibenc_sw05.py

@@ -0,0 +1,238 @@
+'''
+**Sahai-Waters Fuzzy Identity-Based Encryption (SW05)**
+
+*Authors:* Amit Sahai, Brent Waters
+
+| **Title:** "Fuzzy Identity-Based Encryption"
+| **Published in:** Eurocrypt 2005
+| **Available from:** http://eprint.iacr.org/2004/086.pdf
+| **Notes:** Original construction (Section 4) and large universe construction (Section 6)
+
+.. rubric:: Scheme Properties
+
+* **Type:** encryption (identity-based, fuzzy/attribute-based)
+* **Setting:** bilinear groups (symmetric)
+* **Assumption:** DBDH (Decisional Bilinear Diffie-Hellman)
+
+.. rubric:: Implementation
+
+:Authors: Christina Garman
+:Date: 10/2011
+'''
+
+from charm.toolbox.pairinggroup import PairingGroup,ZR,G1,G2,GT,pair
+from charm.toolbox.IBEnc import IBEnc
+from charm.toolbox.secretshare import SecretShare
+
+debug = False
+class IBE_SW05(IBEnc): 
+    """
+    >>> from charm.toolbox.pairinggroup import PairingGroup,GT
+    >>> group = PairingGroup('SS512')
+    >>> max_attributes = 6
+    >>> required_overlap = 4
+    >>> ibe = IBE_SW05_LUC(group)
+    >>> (master_public_key, master_key) = ibe.setup(max_attributes, required_overlap)
+    >>> private_identity = ['insurance', 'id=2345', 'oncology', 'doctor', 'nurse', 'JHU'] #private identity
+    >>> public_identity = ['insurance', 'id=2345', 'doctor', 'oncology', 'JHU', 'billing', 'misc'] #public identity for encrypt
+    >>> (pub_ID_hashed, secret_key) = ibe.extract(master_key, private_identity, master_public_key, required_overlap, max_attributes)
+    >>> msg = group.random(GT)
+    >>> cipher_text = ibe.encrypt(master_public_key, public_identity, msg, max_attributes)
+    >>> decrypted_msg = ibe.decrypt(master_public_key, secret_key, cipher_text, pub_ID_hashed, required_overlap)
+    >>> msg == decrypted_msg
+    True
+    """
+    def __init__(self, groupObj):
+        IBEnc.__init__(self)
+        global group, H, util
+        group = groupObj
+        H = lambda x: group.hash(('0', x), ZR)
+        util = SecretShare(group, False)
+        
+    def setup(self, n, d):
+        '''
+        :Parameters:
+           - ``n``: the maximum number of attributes in the system.
+                    OR the maximum length of an identity
+           - ``d``: the set overlap required to decrypt
+        '''
+        g = group.random(G1)
+        y = group.random(ZR)
+        Y = pair(g, g) ** y
+
+        t = [ group.random(ZR) for x in range( n )]
+        T = [ g ** i for i in t]
+        
+        pk = { 'g':g, 'Y':Y, 'T': T } 
+        mk = { 'y':y, 't':t }         # master secret
+        return (pk, mk)
+
+    def intersection_subset(self, w, wPrime, d):
+        S = []
+        for i in range(len(w)):
+            for j in range(len(wPrime)):
+                if(w[i] == wPrime[j]):
+                    S.append(w[i])
+
+        if(len(S) < d):
+            assert False, "Cannot decrypt.  w and w' do not have enough attributes in common."
+
+        S_sub  = [S[k] for k in range(d)]
+        return S_sub
+    
+    def extract(self, mk, ID, pk, dOver, n):
+        w_hash = [H(x) for x in ID] # assumes ID is a list
+
+        #a d-1 degree polynomial q is generated such that q(0) = y
+        q = [group.random(ZR) for x in range(dOver)]
+        q[0] = mk['y']
+        # use secret sharing as building block
+        shares = util.genShares(mk['y'], dOver, n, q, w_hash)
+        D = {}; t_index = {};
+        for i in w_hash:       
+            j = w_hash.index(i)
+            D[i] = (pk['g'] ** (shares[j][1] / mk['t'][j]))
+            # dictionary for finding corresponding T public value when encrypting 
+            # this eliminates ordering of attribute issues
+            t_index[i] = j; 
+            
+        pk['T_index'] = t_index
+        return (w_hash, { 'D':D })
+
+    def encrypt(self, pk, w_prime, M, n):
+        '''       
+        Encryption with the public key, Wprime and the message M in G2
+        '''
+        w_prime_hash = [H(x) for x in w_prime]
+        s = group.random(ZR)
+
+        Eprime = M * (pk['Y'] ** s)
+        E = {}
+        for i in w_prime_hash:
+            k = pk['T_index'][i]
+            E[i] = pk['T'][k] ** s
+
+        return { 'wPrime':w_prime_hash, 'Eprime':Eprime, 'E':E}
+
+    def decrypt(self, pk, sk, CT, w, d):
+        '''dID must have an intersection overlap of at least d with Wprime to decrypt
+        '''
+        S = self.intersection_subset(w, CT['wPrime'], d)
+        coeffs = util.recoverCoefficients(S)
+        prod = 1
+        for i in S:            
+            prod *= pair(sk['D'][i], CT['E'][i]) ** coeffs[i]
+            
+        return CT['Eprime'] / prod
+ 
+
+'''
+Sahai-Waters Fuzzy Identity-Based Encryption, Large Universe Construction
+
+| From: "A. Sahai, B. Waters Fuzzy Identity-Based Encryption.
+| Published in: Eurocrypt 2005
+| Available from: eprint.iacr.org/2004/086.pdf
+| Notes: Original construction (Section 4) and large universe construction (Section 6). 
+
+* type:            encryption (identity-based)
+* setting:        bilinear groups
+
+:Authors:    Christina Garman
+:Date:       10/2011
+'''
+class IBE_SW05_LUC(IBEnc):    
+    def __init__(self, groupObj):
+        IBEnc.__init__(self)
+        global group, H, util
+        group = groupObj
+        H = lambda x: group.hash(('0', x), ZR)
+        util = SecretShare(group, False)
+        
+    def setup(self, n, d):
+        '''
+        :Parameters:
+           - ``n``: the maximum number of attributes in the system.
+                    OR the maximum length of an identity
+           - ``d``: the set overlap required to decrypt
+        '''
+        g = group.random(G1)
+        y = group.random(ZR)
+        g1 = g ** y
+        g2 = group.random(G1)
+        
+        t = [ group.random(G1) for x in range( n+1 )]
+        
+        pk = { 'g':g, 'g1':g1, 'g2':g2, 't':t } 
+        mk = { 'y':y }         # master secret
+        return (pk, mk)
+
+    def eval_T(self, pk, n, x):
+        N = [group.init(ZR,(x + 1)) for x in range(n + 1)]        
+        N_int = [(x + 1) for x in range(n + 1)]
+        
+        coeffs = util.recoverCoefficients(N)
+        prod_result = 1
+        for i in N_int:
+            j = group.init(ZR, i)
+            prod_result *= (pk['t'][i-1] ** coeffs[j])
+        
+        T = (pk['g2'] ** (x * n)) * prod_result
+        return T
+
+    def intersection_subset(self, w, wPrime, d):
+        S = []
+        for i in range(len(w)):
+            for j in range(len(wPrime)):
+                if(w[i] == wPrime[j]):
+                    S.append(w[i])
+
+        if(len(S) < d):
+            assert False, "Cannot decrypt.  w and w' do not have enough attributes in common."
+
+        S_sub  = [S[k] for k in range(d)]
+        return S_sub
+    
+    def extract(self, mk, ID, pk, dOver, n):
+        w_hash = [H(x) for x in ID] # assumes ID is a list
+
+        r = group.random(ZR)
+        #a d-1 degree polynomial q is generated such that q(0) = y
+        q = [group.random(ZR) for x in range(dOver)]
+        q[0] = mk['y']
+        shares = util.genShares(mk['y'], dOver, n, q, w_hash)
+        D = {}
+        d = {}
+        for i in w_hash:       
+            j = w_hash.index(i)
+            D[i] = (pk['g2'] ** shares[j][1]) * (self.eval_T(pk, n, i) ** r)
+            d[i] = pk['g'] ** r
+
+        return (w_hash, { 'D':D, 'd':d })
+
+    def encrypt(self, pk, w_prime, M, n):
+        '''       
+        Encryption with the public key, Wprime and the message M in G2
+        '''
+        w_prime_hash = [H(x) for x in w_prime]
+        s = group.random(ZR)
+
+        Eprime = M * (pair(pk['g1'], pk['g2']) ** s)
+        Eprimeprime = pk['g'] ** s
+        
+        E = {}
+        for i in w_prime_hash:
+            E[i] = self.eval_T(pk, n, i) ** s
+
+        return { 'wPrime':w_prime_hash, 'Eprime':Eprime, 'Eprimeprime':Eprimeprime,'E':E}
+
+    def decrypt(self, pk, sk, CT, w, d):
+        '''dID must have an intersection overlap of at least d with Wprime to decrypt
+        '''
+        S = self.intersection_subset(w, CT['wPrime'], d)
+        #print("S :=", S)
+        coeffs = util.recoverCoefficients(S)
+        prod = 1
+        for i in S:
+            prod *= (pair(sk['d'][i], CT['E'][i]) / pair(sk['D'][i], CT['Eprimeprime'])) ** coeffs[i]
+            
+        return CT['Eprime'] * prod

charm/schemes/ibenc/ibenc_waters05.py

@@ -0,0 +1,144 @@
+'''
+**Waters Identity-Based Encryption (Waters05)**
+
+*Authors:* Brent Waters
+
+| **Title:** "Efficient Identity-Based Encryption Without Random Oracles"
+| **Published in:** Eurocrypt 2005
+| **Available from:** http://eprint.iacr.org/2005/369.pdf
+| **Notes:** Section 4 - Secure and practical IBE without random oracles
+
+.. rubric:: Scheme Properties
+
+* **Type:** encryption (identity-based)
+* **Setting:** bilinear groups (asymmetric)
+* **Assumption:** DBDH (Decisional Bilinear Diffie-Hellman)
+
+.. rubric:: Implementation
+
+:Authors: Gary Belvin
+:Date: 06/2011
+'''
+
+from charm.toolbox.pairinggroup import PairingGroup,ZR,G1,G2,GT,pair
+from charm.toolbox.IBEnc import *
+from charm.toolbox.bitstring import Bytes
+from charm.toolbox.hash_module import Waters
+import hashlib, math
+
+debug = False
+class IBE_N04(IBEnc):
+    """
+    >>> from charm.toolbox.pairinggroup import PairingGroup,GT
+    >>> from charm.toolbox.hash_module import Waters
+    >>> group = PairingGroup('SS512')
+    >>> waters_hash = Waters(group)
+    >>> ibe = IBE_N04(group)
+    >>> (master_public_key, master_key) = ibe.setup()
+    >>> ID = "bob@mail.com"
+    >>> kID = waters_hash.hash(ID)
+    >>> secret_key = ibe.extract(master_key, kID)
+    >>> msg = group.random(GT)
+    >>> cipher_text = ibe.encrypt(master_public_key, kID, msg)
+    >>> decrypted_msg = ibe.decrypt(master_public_key, secret_key, cipher_text)
+    >>> decrypted_msg == msg
+    True
+    """
+    
+    """Implementation of David Naccahe Identity Based Encryption"""
+    def __init__(self, groupObj):
+        IBEnc.__init__(self)
+        IBEnc.setProperty(self, secDef=IND_ID_CPA, assumption=DBDH, secModel=SM, id=ZR, messageSpace=[GT, 'KEM'])
+        global group
+        group = groupObj
+
+    def setup(self, l=32):
+        """l is the security parameter
+        with l = 32, and the hash function at 256 bits = n * l with n = 8"""
+        global waters
+        g = group.random(G1)      # generator for group G of prime order p
+
+        sha2_byte_len = 32
+        hLen = sha2_byte_len * 8
+        n = int(math.floor(hLen / l))
+        waters = Waters(group, n, l, 'sha256')
+                
+        alpha = group.random()  #from Zp
+        g1    = g ** alpha      # G1
+        g2    = group.random(G2)    #G2
+        uprime = group.random(G2)
+        U = [group.random() for x in range(n)]
+        
+        pk = {'g':g, 'g1':g1, 'g2': g2, 'uPrime':uprime, 'U': U, 
+              'n':n, 'l':l}
+        
+        mk = pk.copy()
+        mk['g2^alpha'] = g2 ** alpha #master secret
+        if debug: 
+            print(mk)
+        
+        return (pk, mk)
+        
+    def extract(self, mk, v):
+        '''v = (v1, .., vn) is an identity'''
+        r = group.random()
+        
+        d1 = mk['uPrime']
+        for i in range(mk['n']):
+            d1 *= mk['U'][i] ** v[i]
+            
+        d1 = mk['g2^alpha'] * (d1 ** r)
+        d2 = mk['g'] ** r
+        
+        if debug:
+            print("D1    =>", d1)
+            print("D2    =>", d2)
+        return {'d1': d1, 'd2':d2}
+
+    def encrypt(self, pk, ID, M): # M:GT
+        t = group.random()
+        c1 = (pair(pk['g1'], pk['g2']) ** t) * M
+        c2 = pk['g'] ** t
+        c3 = pk['uPrime']
+        for i in range(pk['n']):
+            c3 *= pk['U'][i] ** ID[i]
+        c3 = c3 ** t
+        
+        if debug:
+            print("Encrypting")
+            print("C1    =>", c1)
+            print("C2    =>", c2)
+            print("C3    =>", c3)
+        return {'c1':c1, 'c2': c2, 'c3':c3}
+
+    def decrypt(self, pk, sID, ct):
+        num = pair(sID['d2'], ct['c3'])
+        dem = pair(ct['c2'], sID['d1'])
+        if debug:
+            print("Decrypting")    
+            print("arg1    =>", sID['d2'].type)
+            print("arg2    =>", ct['c3'].type)
+            print("Num:    =>", num)
+            print("Dem:    =>", dem)
+            
+        return ct['c1'] *  num / dem
+
+def main():
+    group = PairingGroup('SS512')
+    waters_hash = Waters(group)
+    ibe = IBE_N04(group)
+    (master_public_key, master_key) = ibe.setup()
+
+    ID = "bob@mail.com"
+    kID = waters_hash.hash(ID)
+    secret_key = ibe.extract(master_key, kID)
+    msg = group.random(GT)
+    cipher_text = ibe.encrypt(master_public_key, kID, msg)
+    decrypted_msg = ibe.decrypt(master_public_key, secret_key, cipher_text)
+    assert msg == decrypted_msg, "invalid decryption"
+    if debug: print("Successful Decryption!")
+
+if __name__ == "__main__":
+    debug = True
+    main()
+

charm/schemes/ibenc/ibenc_waters05_z.py

@@ -0,0 +1,164 @@
+r'''
+**Waters Identity-Based Encryption - Optimized (Waters05-Z)**
+
+*Authors:* Brent Waters
+
+| **Title:** "Efficient Identity-Based Encryption Without Random Oracles"
+| **Published in:** Eurocrypt 2005
+| **Available from:** http://eprint.iacr.org/2005/369.pdf
+| **Notes:** Section 4 - Optimized implementation for asymmetric groups
+
+.. rubric:: Scheme Properties
+
+* **Type:** encryption (identity-based)
+* **Setting:** bilinear groups (asymmetric)
+* **Assumption:** DBDH (Decisional Bilinear Diffie-Hellman)
+
+.. rubric:: Implementation
+
+:Authors: Gary Belvin
+:Date: 06/2011
+
+:Improved by: Fan Zhang (zfwise@gwu.edu), supported by GWU computer science department
+:Date: 3/2013
+:Notes:
+    1. e(g_1, g_2) is pre-calculated as part of public parameters.
+    2. Fixed exponentiation by using omega vector in Z_q with u = g^omega.
+    3. Stored omega in msk to speed up extract() by computing exponent first.
+    4. Works with asymmetric groups (MNT curves).
+    5. All sk_id elements in G2 and ct_id elements in G1.
+'''
+from __future__ import print_function
+from charm.toolbox.pairinggroup import PairingGroup,ZR,G1,G2,GT,pair
+from charm.toolbox.IBEnc import IBEnc
+from charm.toolbox.hash_module import Waters
+import math, string, random
+
+def randomStringGen(size=30, chars=string.ascii_uppercase + string.digits):
+    return ''.join(random.choice(chars) for x in range(size))
+
+debug = False
+class IBE_N04_z(IBEnc):
+    """
+    >>> from charm.toolbox.pairinggroup import PairingGroup,GT
+    >>> from charm.toolbox.hash_module import Waters
+    >>> group = PairingGroup('SS512')
+    >>> waters_hash = Waters(group)
+    >>> ibe = IBE_N04_z(group)
+    >>> (master_public_key, master_key) = ibe.setup()
+    >>> ID = "bob@mail.com"
+    >>> kID = waters_hash.hash(ID)
+    >>> secret_key = ibe.extract(master_key, ID)
+    >>> msg = group.random(GT)
+    >>> cipher_text = ibe.encrypt(master_public_key, ID, msg)
+    >>> decrypted_msg = ibe.decrypt(master_public_key, secret_key, cipher_text)
+    >>> decrypted_msg == msg
+    True
+    """
+    
+    """Implementation of David Naccahe Identity Based Encryption"""
+    def __init__(self, groupObj):
+        IBEnc.__init__(self)
+        #IBEnc.setProperty(self, secdef='IND_ID_CPA', assumption='DBDH', secmodel='Standard')
+        #, other={'id':ZR}
+        #message_space=[GT, 'KEM']
+        global group
+        group = groupObj
+        global waters_hash
+        waters_hash = Waters(group)
+
+    def setup(self, l=32):
+        '''l is the security parameter
+        with l = 32, and the hash function at 160 bits = n * l with n = 5'''
+        global waters
+        g = group.random(G1)      # generator for group G of prime order p
+        
+        sha2_byte_len = 32
+        hLen = sha2_byte_len * 8
+        n = int(math.floor(hLen / l))
+        waters = Waters(group, n, l, 'sha256')
+
+        alpha = group.random(ZR)  #from Zp
+        g1    = g ** alpha      # G1
+        g2    = group.random(G2)    #G2
+        u = group.random(ZR)
+        uprime = g ** u
+        U_z = [group.random(ZR) for x in range(n)]
+        U = [g ** x  for x in U_z]
+        
+        pk = {'g':g, 'g1':g1, 'g2': g2, 'uPrime':uprime, 'U': U, 
+            'n':n, 'l':l, 'eg1g2':pair(g1, g2)}
+
+        mk = {'g1':g1, 'g2': g2, 'n':n, 'g2^alpha': g2 ** alpha, 'U_z':U_z, 'u':u} #master secret
+        if debug: 
+            print(mk)
+        
+        return (pk, mk)
+        
+    def extract(self, mk, ID):
+        '''v = (v1, .., vn) is an identity'''
+
+        v = waters_hash.hash(ID)
+        r = group.random(ZR)
+        
+        u = mk['u']
+
+        for i in range(mk['n']):
+            u += mk['U_z'][i] * v[i]    
+        d1 = mk['g2^alpha'] * (mk['g2'] ** (u * r) )
+        d2 = mk['g2'] ** r
+        
+        if debug:
+            print("D1    =>", d1)
+            print("D2    =>", d2)
+        return {'d1': d1, 'd2':d2}
+
+    def encrypt(self, pk, ID, M): # M:GT
+
+        v = waters_hash.hash(ID)
+        t = group.random(ZR)
+        c1 = (pk['eg1g2'] ** t) * M
+        c2 = pk['g'] ** t
+        c3 = pk['uPrime']
+
+        for i in range(pk['n']):
+            c3 *= pk['U'][i] ** v[i]
+        c3 = c3 ** t
+        
+        if debug:
+            print("Encrypting")
+            print("C1    =>", c1)
+            print("C2    =>", c2)
+            print("C3    =>", c3)
+        return {'c1':c1, 'c2': c2, 'c3':c3}
+
+    def decrypt(self, pk, sID, ct):
+        num = pair(ct['c3'], sID['d2'])
+        dem = pair(ct['c2'], sID['d1'])
+        if debug:
+            print("Decrypting")    
+            print("arg1    =>", sID['d2'].type)
+            print("arg2    =>", ct['c3'].type)
+            print("Num:    =>", num)
+            print("Dem:    =>", dem)
+            
+        return ct['c1'] *  num / dem
+
+def main():
+    group = PairingGroup('MNT224')
+    waters_hash = Waters(group)
+    ibe = IBE_N04_z(group)
+    (master_public_key, master_key) = ibe.setup()
+
+    ID = "bob@mail.com"
+    secret_key = ibe.extract(master_key, ID)
+    msg = group.random(GT)
+    cipher_text = ibe.encrypt(master_public_key, ID, msg)
+    decrypted_msg = ibe.decrypt(master_public_key, secret_key, cipher_text)
+    assert msg == decrypted_msg, "invalid decryption"
+    if debug: print("Successful Decryption!")
+
+if __name__ == "__main__":
+    debug = True
+    main()
+

charm/schemes/ibenc/ibenc_waters09.py

@@ -0,0 +1,107 @@
+'''
+**Waters Dual System Encryption (Waters09)**
+
+*Authors:* Brent Waters
+
+| **Title:** "Dual System Encryption: Realizing Fully Secure IBE and HIBE under Simple Assumptions"
+| **Published in:** CRYPTO 2009
+| **Available from:** http://eprint.iacr.org/2009/385.pdf
+| **Notes:** Fully secure IBE construction using dual system encryption
+
+.. rubric:: Scheme Properties
+
+* **Type:** encryption (identity-based)
+* **Setting:** bilinear groups (symmetric pairings)
+* **Assumption:** DLIN (Decisional Linear) and related assumptions
+
+.. rubric:: Implementation
+
+:Authors: J. Ayo Akinyele
+:Date: 03/2012
+'''
+from charm.toolbox.pairinggroup import ZR,G1,pair
+from charm.toolbox.IBEnc import *
+
+debug = False
+class DSE09(IBEnc):
+    """
+    >>> from charm.toolbox.pairinggroup import PairingGroup, GT
+    >>> group = PairingGroup('SS512')
+    >>> ibe = DSE09(group)
+    >>> ID = "user2@email.com"
+    >>> (master_public_key, master_secret_key) = ibe.setup()
+    >>> secret_key = ibe.keygen(master_public_key, master_secret_key, ID)
+    >>> msg = group.random(GT)    
+    >>> cipher_text = ibe.encrypt(master_public_key, msg, ID)
+    >>> decrypted_msg = ibe.decrypt(cipher_text, secret_key)
+    >>> decrypted_msg == msg
+    True
+    """
+    def __init__(self, groupObj):
+        IBEnc.__init__(self)
+        global group, util
+        group = groupObj
+
+    def setup(self):
+        g, w, u, h, v, v1, v2 = group.random(G1, 7)
+        a1, a2, b, alpha = group.random(ZR, 4)
+        
+        tau1 = v * (v1 ** a1)
+        tau2 = v * (v2 ** a2)        
+        mpk = { 'g':g, 'g^b':g ** b, 'g^a1':g ** a1, 'g^a2':g ** a2, 
+              'g^ba1':g ** (b * a1), 'g^ba2':g ** (b * a2), 'tau1':tau1, 'tau2':tau2, 
+              'tau1^b':tau1 ** b, 'tau2^b':tau2 ** b, 'w':w, 'u':u,'h':h,
+              'egg_alpha': pair(g, g) ** (alpha * a1 * b) }
+        msk = { 'g^alph':g ** alpha, 'g^alph_a1':g ** (alpha * a1),
+              'v':v, 'v1':v1, 'v2':v2, 'alpha':alpha }
+        return (mpk, msk)
+    
+    def keygen(self, mpk, msk, ID):
+        r1, r2, z1, z2, tag_k = group.random(ZR, 5)
+        r = r1 + r2
+        _ID = group.hash(ID)
+        D = {}
+        D[1] = msk['g^alph_a1'] * (msk['v'] ** r)
+        D[2] = (mpk['g'] ** -msk['alpha']) * (msk['v1'] ** r) * (mpk['g'] ** z1)
+        D[3] = mpk['g^b'] ** -z1
+        D[4] = (msk['v2'] ** r) * (mpk['g'] ** z2)
+        D[5] = mpk['g^b'] ** -z2
+        D[6] = mpk['g^b'] ** r2
+        D[7] = mpk['g'] ** r1
+        K = ((mpk['u'] ** _ID) * (mpk['w'] ** tag_k) * mpk['h']) ** r1
+        
+        sk = { 'ID':_ID, 'D':D, 'K':K, 'tag_k':tag_k }
+        return sk
+
+    def encrypt(self, mpk, M, ID):
+        s1, s2, t, tag_c = group.random(ZR, 4)
+        s = s1 + s2
+        _ID = group.hash(ID)
+        
+        C = {}
+        C[0] = M * (mpk['egg_alpha'] ** s2)
+        C[1] = mpk['g^b'] ** s
+        C[2] = mpk['g^ba1'] ** s1
+        C[3] = mpk['g^a1'] ** s1
+        C[4] = mpk['g^ba2'] ** s2
+        C[5] = mpk['g^a2'] ** s2
+        C[6] = (mpk['tau1'] ** s1) * (mpk['tau2'] ** s2)
+        C[7] = (mpk['tau1^b'] ** s1) * (mpk['tau2^b'] ** s2) * (mpk['w'] ** -t)
+
+        C['E1'] = ((mpk['u'] ** _ID) * (mpk['w'] ** tag_c) * mpk['h']) ** t
+        C['E2'] = mpk['g'] ** t
+        C['tag_c'] = tag_c
+        return C
+
+    def decrypt(self, ct, sk):
+        tag = (1 / (ct['tag_c'] - sk['tag_k']))
+        E1, E2 = ct['E1'], ct['E2']
+        C, D, K = ct, sk['D'], sk['K']
+        _ID = sk['ID']
+        # hash IDs
+        A1 = pair(C[1], D[1]) * pair(C[2], D[2]) * pair(C[3], D[3]) * pair(C[4], D[4]) * pair(C[5], D[5])
+        A2 = pair(C[6], D[6]) * pair(C[7], D[7])
+        A3 = A1 / A2
+        A4 = (pair(E1, D[7]) / pair(E2, K)) ** tag
+        return C[0] / (A3 / A4) 
+