charm-crypto-framework 0.61.1__cp313-cp313-macosx_10_13_universal2.whl

charm/schemes/ibenc/ibenc_waters09_z.py

@@ -0,0 +1,147 @@
+'''
+**Waters Dual System Encryption - Optimized (Waters09-Z)**
+
+*Authors:* Brent Waters
+
+| **Title:** "Dual System Encryption: Realizing Fully Secure IBE and HIBE under Simple Assumptions"
+| **Published in:** CRYPTO 2009
+| **Available from:** http://eprint.iacr.org/2009/385.pdf
+| **Notes:** Fully secure IBE construction - optimized for asymmetric groups
+
+.. rubric:: Scheme Properties
+
+* **Type:** encryption (identity-based)
+* **Setting:** bilinear groups (asymmetric pairings, MNT curves)
+* **Assumption:** DLIN (Decisional Linear) and related assumptions
+
+.. rubric:: Implementation
+
+:Authors: J. Ayo Akinyele
+:Date: 03/2012
+
+:Improved by: Fan Zhang (zfwise@gwu.edu), supported by GWU computer science department
+:Date: 3/2013
+:Notes:
+    1. Works with MNT curves (asymmetric pairings).
+    2. Elements u, w, h duplicated in both G1 and G2 in public params.
+    3. Pre-calculated g2^{-alpha} and g2^b stored in msk for faster keygen.
+    4. Minimal size for public params and msk.
+    5. extract() takes mpk as additional parameter.
+'''
+from charm.toolbox.pairinggroup import PairingGroup,ZR,G1,G2,GT,pair
+from charm.toolbox.IBEnc import *
+
+debug = False
+class DSE09_z(IBEnc):
+    """
+    >>> from charm.toolbox.pairinggroup import PairingGroup, GT
+    >>> group = PairingGroup('SS512')
+    >>> ibe = DSE09_z(group)
+    >>> ID = "user2@email.com"
+    >>> (master_public_key, master_secret_key) = ibe.setup()
+    >>> secret_key = ibe.keygen(master_public_key, master_secret_key, ID)
+    >>> msg = group.random(GT)    
+    >>> cipher_text = ibe.encrypt(master_public_key, msg, ID)
+    >>> decrypted_msg = ibe.decrypt(cipher_text, secret_key)
+    >>> decrypted_msg == msg
+    True
+    """
+    def __init__(self, groupObj):
+        IBEnc.__init__(self)
+        global group, util
+        group = groupObj
+
+    def setup(self):
+        g1 = group.random(G1)
+        g2 = group.random(G2)
+        w_z, u_z, h_z, v_z, v1_z, v2_z = group.random(ZR, 6)
+        a1, a2, b, alpha = group.random(ZR, 4)
+
+        v_G1 = g1 ** v_z
+        v1_G1 = g1 ** v1_z
+        v2_G1 = g1 ** v2_z
+        v_G2 = g2 ** v_z
+        v1_G2 = g2 ** v1_z
+        v2_G2 = g2 ** v2_z
+        w_G1 = g1 ** w_z
+        w_G2 = g2 ** w_z
+        h_G1 = g1 ** h_z
+        h_G2 = g2 ** h_z
+        u_G1 = g1 ** u_z
+        u_G2 = g2 ** u_z
+        
+        tau1_G1 = v_G1 * (v1_G1 ** a1)
+        tau2_G1 = v_G1 * (v2_G1 ** a2)        
+        mpk = { 'g1':g1, 'g2':g2, 'g1^b':g1 ** b, 'g1^a1':g1 ** a1, 'g1^a2':g1 ** a2, 
+              'g1^ba1':g1 ** (b * a1), 'g1^ba2':g1 ** (b * a2), 'tau1_G1':tau1_G1,
+              'tau2_G1':tau2_G1,'tau1_G1^b':tau1_G1 ** b, 'tau2_G1^b':tau2_G1 ** b,
+              'w_G1':w_G1, 'w_G2':w_G2, 'u_G1':u_G1, 'u_G2':u_G2,'h_G1':h_G1, 'h_G2':h_G2,
+              'egg_alpha': pair(g1, g2) ** (alpha * a1 * b) }
+        msk = { 'g2^alph_a1':g2 ** (alpha * a1), 'g2^b':g2 ** b,
+              'v_G2':v_G2, 'v1_G2':v1_G2, 'v2_G2':v2_G2, 'g2^-alpha':g2 ** (-alpha) }
+        return (mpk, msk)
+    
+    def keygen(self, mpk, msk, ID):
+        r1, r2, z1, z2, tag_k = group.random(ZR, 5)
+        r = r1 + r2
+        _ID = group.hash(ID)
+        D = {}
+        D[1] = msk['g2^alph_a1'] * (msk['v_G2'] ** r)
+        D[2] = msk['g2^-alpha'] * (msk['v1_G2'] ** r) * (mpk['g2'] ** z1)
+        D[3] = msk['g2^b'] ** -z1
+        D[4] = (msk['v2_G2'] ** r) * (mpk['g2'] ** z2)
+        D[5] = msk['g2^b'] ** -z2
+        D[6] = msk['g2^b'] ** r2
+        D[7] = mpk['g2'] ** r1
+        K = ((mpk['u_G2'] ** _ID) * (mpk['w_G2'] ** tag_k) * mpk['h_G2']) ** r1
+        
+        sk = { 'ID':_ID, 'D':D, 'K':K, 'tag_k':tag_k }
+        return sk
+
+    def encrypt(self, mpk, M, ID):
+        s1, s2, t, tag_c = group.random(ZR, 4)
+        s = s1 + s2
+        _ID = group.hash(ID)
+        
+        C = {}
+        C[0] = M * (mpk['egg_alpha'] ** s2)
+        C[1] = mpk['g1^b'] ** s
+        C[2] = mpk['g1^ba1'] ** s1
+        C[3] = mpk['g1^a1'] ** s1
+        C[4] = mpk['g1^ba2'] ** s2
+        C[5] = mpk['g1^a2'] ** s2
+        C[6] = (mpk['tau1_G1'] ** s1) * (mpk['tau2_G1'] ** s2)
+        C[7] = (mpk['tau1_G1^b'] ** s1) * (mpk['tau2_G1^b'] ** s2) * (mpk['w_G1'] ** -t)
+
+        C['E1'] = ((mpk['u_G1'] ** _ID) * (mpk['w_G1'] ** tag_c) * mpk['h_G1']) ** t
+        C['E2'] = mpk['g1'] ** t
+        C['tag_c'] = tag_c
+        return C
+
+    def decrypt(self, ct, sk):
+        tag = (1 / (ct['tag_c'] - sk['tag_k']))
+        E1, E2 = ct['E1'], ct['E2']
+        C, D, K = ct, sk['D'], sk['K']
+        _ID = sk['ID']
+        # hash IDs
+        A1 = pair(C[1], D[1]) * pair(C[2], D[2]) * pair(C[3], D[3]) * pair(C[4], D[4]) * pair(C[5], D[5])
+        A2 = pair(C[6], D[6]) * pair(C[7], D[7])
+        A3 = A1 / A2
+        A4 = (pair(E1, D[7]) / pair(E2, K)) ** tag
+        return C[0] / (A3 / A4) 
+
+def main():
+    group = PairingGroup('MNT224')
+    ibe = DSE09_z(group)
+    ID = "user2@email.com"
+    (master_public_key, master_secret_key) = ibe.setup()
+    secret_key = ibe.keygen(master_public_key, master_secret_key, ID)
+    msg = group.random(GT)    
+    cipher_text = ibe.encrypt(master_public_key, msg, ID)
+    decrypted_msg = ibe.decrypt(cipher_text, secret_key)
+    print(decrypted_msg == msg)
+
+if __name__ == "__main__":
+    debug = True
+    main()
+

charm/schemes/joye_scheme.py

@@ -0,0 +1,106 @@
+'''
+**Privacy-Preserving Aggregation Scheme (JL13)**
+
+*Authors:* Marc Joye, Benoit Libert
+
+| **Title:** "A Scalable Scheme for Privacy-Preserving Aggregation of Time-Series Data"
+| **Published in:** Financial Crypto 2013
+| **Available from:** http://joye.site88.net/papers/JL13aggreg.pdf
+| **Notes:** Enables plaintext evaluation of sums from encrypted values
+
+.. rubric:: Scheme Properties
+
+* **Type:** aggregation (privacy-preserving)
+* **Setting:** integer groups
+* **Assumption:** Paillier
+
+.. rubric:: Implementation
+
+:Authors: Iraklis Leontiadis
+:Date: 12/2013
+'''
+ 
+from charm.toolbox.integergroup import RSAGroup 
+from charm.schemes.pkenc.pkenc_paillier99 import Pai99
+from charm.toolbox.integergroup import lcm,integer
+from charm.toolbox.PKEnc import PKEnc
+from charm.core.engine.util import *
+
+'''
+Test script for two values
+===========================
+group = RSAGroup()
+pai = Pai99(group)
+(public_key, secret_key) = pai.keygen()
+n=public_key['n']
+n2=public_key['n2']
+x1=3 #testing values for user 1
+x2=2 #testing values for user 2
+msg1 = pai.encode(n2, 1+x1*n)
+msg2 = pai.encode(n2, 1+x2*n)
+  
+prod=pai.encode(n2,msg1*msg2)
+print (integer(prod-integer(1)%n2)/n)
+'''
+class Joye():
+
+    def __init__(self,users=2):
+        global pai,group
+        group=RSAGroup()
+        pai=Pai99(group)
+        self.users=users
+        self.r=14 #this value act as the common hash output H(r) according to the protocol.
+
+    def destruction_keys(self,pk):
+        k={}
+        for i in range(self.users):
+            k['k'+str(i)]=integer(group.random(102))#exponentiation works only for small keys (needs investigation)
+        k[0]=integer(-1)*(sum(k.values())) #inverse of the sum of all user keys. Acts as annihilation for keys.
+        k[1]=(sum(k.values()))           
+        #self.ak=integer(1)/integer(self.r)**integer(k[0])
+        return k
+
+    def encrypt(self,x,pk,sk):
+        c1=self.encode(x,pk)%pk['n2']
+        c2=pai.encode(pk['n2'],integer(self.r%pk['n2'])**integer(sk%pk['n2']))
+        cipher=pai.encode(pk['n2'],c1*c2)
+        return cipher
+
+    '''def decrypt(self,c,pk,sk):
+        c=pai.encode(pk['n2'],c)
+        mul=pai.encode(pk['n2'],integer(self.r)**integer(sk))
+        inter=pai.encode(pk['n2'],c*mul)
+        result =pai.encode(pk['n'],integer(inter-integer(1)%pk['n2'])/pk['n'])
+        return result
+'''
+    def keygen(self):
+        public_key,secret_key = pai.keygen()
+        return public_key
+
+    def encode(self,x,pk):
+        return integer(pai.encode(pk['n2'], 1+integer(x)*pk['n']))
+
+    def sumfree(self,x1,x2,pk):
+        '''Tests sum evaluations without encryption'''
+        msg1 = self.encode(x1,pk)
+        msg2 = self.encode(x2,pk)
+        prod=pai.encode(pk['n2'],msg1*msg2)
+        sumres=integer(prod%pk['n2']-integer(1)%pk['n2'])/pk['n']
+        return sumres
+
+    def sum(self,x1,x2,pk,k0):
+        prod=pai.encode(pk['n2'],x1*x2)
+        inter=pai.encode(pk['n2'],integer(self.r)**integer(integer(-1)*k0))
+        inter2=(integer(prod)/integer(inter))
+        sumres=integer(inter2%pk['n2']-integer(1)%pk['n2'])/pk['n']
+        return sumres
+
+if __name__=='__main__':
+    joye = Joye()
+    pk = joye.keygen()
+    k = joye.destruction_keys(pk)
+
+    c1 = joye.encrypt(2,pk,k['k0'])
+    c2 = joye.encrypt(4,pk,k['k1'])
+    
+    print (joye.sum(c1,c2,pk,k[0]))

charm/schemes/lem_scheme.py

@@ -0,0 +1,207 @@
+'''
+**Private and Dynamic Time-Series Data Aggregation (LEM14)**
+
+*Authors:* Iraklis Leontiadis, Kaoutar Elkhiyaoui, Refik Molva
+
+| **Title:** "Private and Dynamic Time-Series Data Aggregation with Trust Relaxation"
+| **Published in:** CANS 2014
+| **Available from:** http://eprint.iacr.org/2014/256.pdf
+| **Notes:** Enables plaintext evaluation of sums from encrypted time-series values
+
+.. rubric:: Scheme Properties
+
+* **Type:** aggregation (privacy-preserving)
+* **Setting:** integer groups
+* **Assumption:** Paillier
+
+.. rubric:: Implementation
+
+:Authors: Iraklis Leontiadis
+:Date: 2/2015
+'''
+                          
+#!/usr/bin/env python3
+from charm.toolbox.integergroup import RSAGroup
+from charm.schemes.pkenc.pkenc_paillier99 import Pai99
+from charm.toolbox.integergroup import lcm,integer
+from charm.toolbox.PKEnc import PKEnc
+from charm.core.engine.util import *
+from datetime import datetime
+from time import mktime
+import hashlib , os , math, sys, random
+if sys.version_info < (3, 5):
+    from fractions import gcd
+else:
+    from math import gcd
+from timeit import default_timer as timer
+
+#This generates values of p,q,n and n2
+global n,n2
+group=RSAGroup()
+pai=Pai99(group)
+(public_key,secret_key)=pai.keygen()
+npom=public_key['n']
+n=int(npom)
+nn=public_key['n2']
+n2=int(nn)
+
+def hash():
+    '''
+        Computing hash value of time
+    '''
+    t = datetime.now()
+    d=t.strftime("%b/%d/%Y/%H:%M:%S")
+    e=d.encode('utf-8')
+    c=hashlib.sha256(e).hexdigest()
+    htp=int(c,16)
+    if htp < n2:
+        if gcd(htp,n2) == 1:
+            return htp
+        else:
+            hash()
+    else:
+        hash()
+
+def secretkey():
+    '''
+        Generating random secret key smaller than n2
+    '''
+    b=os.urandom(256)
+    ska=int.from_bytes(b, byteorder='big')
+    if ska < n2:
+        return ska
+    else:
+        secretkey()
+
+class  Aggregator():
+    '''
+        Class for computing Pka and generating Ska
+    '''
+
+    def __init__(self):
+        global pka,ht
+        ht=hash()
+        self.ska=secretkey()
+        while 1:
+            if gcd(self.ska,n2)==1:
+                break
+            else:
+                self.ska=secretkey()
+        self.pkap=pow(ht,self.ska,n2)
+        pka=self.pkap
+
+    def decrypt(self,*encarray):
+        '''
+            Decrypting the sum
+        '''
+
+        cprod=1
+        #length=len(encarray)
+        #for x in range(length):
+
+         #   cprod=(cprod*int(encarray[x]))
+         #   cprodfin=cprod%n2
+        array = map(int, encarray)
+        for x in array:
+            cprod *= x
+            cprod %= n2
+        cprodfin=cprod
+        pt=pow(cprodfin,self.ska,n2)
+        auxin=modinv(auxt,n2)
+        it=(pt*auxin)%n2-1
+        pom1=it//n
+        skapr=self.ska%n
+        pom2=modinv(skapr,n)
+        rez=(pom2*pom1)%n
+        return rez
+       
+
+def encryptfunc(a,d):
+    '''
+        Encryption of one value, where a=plaintext(number), d=ski
+    '''
+    v1=pow(ht,d,n2)
+    v2=(1+int(a)*n)%n2
+    v3=(v1*v2)%n2
+    rez=v3
+    return rez
+
+def auxiliaryfunc(b):
+    '''
+        Auxiliary information of one value, where  b=ski 
+    '''
+    rez=pow(pka,b,n2)
+    return rez
+
+def egcd(a, b):
+    '''
+        Extended Euclidian gcd function between a and b
+    '''
+    x,y, u,v = 0,1, 1,0
+    while a != 0:
+        q, r = b//a, b%a
+        m, n = x-u*q, y-v*q
+        b,a, x,y, u,v = a,r, u,v, m,n
+    gcd = b
+    return gcd, x, y
+
+
+def modinv(a, m):
+    '''
+        Finding modulo inverse of a mod m
+    '''
+    gcd, x, y = egcd(a, m)
+    if gcd != 1:
+        return None  # modular inverse does not exist
+    else:
+        return x % m
+
+
+class Users():
+    '''
+        Computing users secret keys(ski) for users list *userdata
+    '''
+
+    def __init__(self,*userdata):
+
+        self.i=len(userdata)
+        self.dat=[int(userdata[x]) for x in range(self.i)]
+        self.sk=[secretkey() for x in range(self.i)]
+
+    def encrypt(self):
+        '''
+            Encrypts all user data into a list
+        '''
+
+        encp=[encryptfunc(self.dat[x],self.sk[x]) for x in range(self.i)]
+        return encp
+
+    def auxiliary(self):
+        '''
+            Computes auxiliary for all users into a list
+        '''
+
+        array=[auxiliaryfunc(self.sk[x]) for x in range(self.i)]
+        return array
+
+class Collector():
+    '''
+        Computes auxt from list of auxiliary information from all users
+    '''
+
+    def __init__(self,*auxarray):
+
+        global auxt
+        auxtpom=1
+        #length=len(auxarray)
+        #for x in range(length):
+        #    auxtpom=(auxtpom*int(auxarray[x]))%n2
+
+        #auxt=auxtpom
+        array = map(int, auxarray)
+        for x in array:
+            auxtpom *= x
+            auxtpom %= n2
+        auxt=auxtpom
+
+

charm/schemes/pk_fre_ccv11.py

@@ -0,0 +1,107 @@
+'''
+**Collusion-Resistant Obfuscation and Functional Re-encryption (CCV11)**
+
+*Authors:* Nishanth Chandran, Melissa Chase, Vinod Vaikuntanathan
+
+| **Title:** "Collusion-Resistant Obfuscation and Functional Re-encryption"
+| **Published in:** ePrint Archive, 2011
+| **Available from:** http://eprint.iacr.org/2011/337
+| **Notes:** Status: NOT FINISHED/DOESN'T EXECUTE
+
+.. rubric:: Scheme Properties
+
+* **Type:** functional re-encryption
+* **Setting:** bilinear groups (asymmetric)
+* **Assumption:** DBDH
+
+.. rubric:: Implementation
+
+:Authors: J. Ayo Akinyele
+:Date: 03/2012
+'''
+from charm.toolbox.pairinggroup import PairingGroup,ZR,G1,G2,pair as e
+
+debug = False
+class InputEnc:
+    def __init__(self, groupObj):
+        global group, proof
+        group = groupObj
+        proof = lambda a,b,c,d: group.hash((a, b, c, d), ZR) 
+        
+    def setup(self, d):
+        a = [group.random(ZR) for i in range(d)]
+        g = group.random(G1)
+        C = [g ** a[i] for i in range(d)]
+    
+        # need to add 'crs'
+        i_pk = { 'g':g, 'C':C, 'd':d }
+        i_sk = { 'a':a }
+        return (i_pk, i_sk)
+        
+    def encrypt(self, i_pk, i, M : G1):
+        if i > i_pk['d'] or i < 0: 
+            print("i not in d. try again!")
+            return None        
+        r, r_pr = group.random(ZR, 2)
+
+        C   = [ i_pk['C'][i] ** r for i in range(i_pk['d']) ] 
+        Cpr = [ i_pk['C'][i] ** r_pr for i in range(i_pk['d']) ]
+        D = (i_pk['g'] ** r) * M
+        Dpr = i_pk['g'] ** r_pr
+        E   = { 'C':C, 'D':D }
+        Epr = { 'Cpr':Cpr, 'Dpr':Dpr }
+        
+        # is this correct?
+        pi = None
+#        pi = proof(C, D, Cpr, Dpr) # group.hash((C, D, Cpr, Dpr), ZR)
+        return (E, Epr, pi)
+    
+    def decrypt(self, i_sk, ct, M : [G1]):
+        E, Epr, pi = ct
+        C, D = E['C'], E['D']
+        a = i_sk['a']
+#        if pi != proof(C, D, Epr['Cpr'], Epr['Dpr']):
+#            print("proof did not verify.")
+#            return False
+        result = {}
+        for i in range(len(a)):
+            result[i] = D * ~(C ** (1 / a[i]))
+        
+        m = result[0]
+        for i in range(1, len(result)):
+            if m != result[i]: return False        
+        return m
+    
+
+class OutputEnc:
+    def __init__(self, groupObj):
+        global group
+        group = groupObj
+    
+    def setup(self):
+        h = group.random(G2)
+        a = group.random(ZR)
+        
+        o_pk = { 'h':h, 'pk':h ** a }
+        o_sk = a 
+        return (o_pk, o_sk)
+    
+    def encrypt(self, i_pk, o_pk, M : G1):        
+        r, s = group.random(ZR, 2)
+        Y = o_pk['pk'] ** r
+        W = o_pk['h'] ** r
+        S = i_pk['g'] ** s
+        
+        F = e(S, Y)
+        H = o_pk['h'] ** s
+        G = e(S, W) * e(M, H)
+        return { 'F':F, 'G':G, 'H':H }
+    
+    def decrypt(self, a, ct, M : [G1]):
+        F, G, H = ct['F'], ct['G'], ct['H']
+        Q = G * (F ** -(1 / a))
+        
+        for m in M:
+            if e(m, H) == Q: return m
+        return False
+        

charm/schemes/pk_vrf.py

@@ -0,0 +1,127 @@
+'''
+**Verifiable Random Functions with Large Input Spaces (HW10)**
+
+*Authors:* Susan Hohenberger, Brent Waters
+
+| **Title:** "Constructing Verifiable Random Functions with Large Input Spaces"
+| **Published in:** ePrint Archive, 2010
+| **Available from:** http://eprint.iacr.org/2010/102.pdf
+| **Notes:** Applications to resettable ZK proofs, micropayment schemes, updatable ZK DBs
+
+.. rubric:: Scheme Properties
+
+* **Type:** verifiable random function (VRF)
+* **Setting:** bilinear groups (pairing-based)
+* **Assumption:** q-DBDHI
+
+.. rubric:: Implementation
+
+:Authors: J. Ayo Akinyele
+:Date: 1/2012
+'''
+from charm.toolbox.pairinggroup import PairingGroup,ZR,G1,G2,pair
+from charm.toolbox.iterate import dotprod 
+
+debug = False
+class VRF10:
+    """
+    >>> from charm.toolbox.pairinggroup import PairingGroup
+    >>> group = PairingGroup('MNT224')
+    >>> vrf = VRF10(group)
+    >>> statement = [0, 1, 1, 0, 1, 0, 1, 0]
+    >>> n = len(statement) 
+    >>> (public_key, secret_key) = vrf.setup(n)
+    >>> witness = vrf.prove(secret_key, statement)
+    >>> vrf.verify(public_key, statement, witness)
+    True
+    """
+    """Definition in paper: behave as Pseudo Random Functions (PRFs) with an additional property that party
+    holding the seed will publish a commitment to the function and is able to non-interactively convince
+    a verifier that a given evaluation is correct (matches pub commitment) without sacrificing pseudo-
+    randomness property on other inputs."""
+    def __init__(self, groupObj):
+        global group, lam_func
+        group = groupObj
+        lam_func = lambda i,a,b: a[i] ** b[i]
+        
+    def setup(self, n):
+        """n = bit length of inputs"""
+        g1 = group.random(G1)
+        g2, h = group.random(G2), group.random(G2)
+        u_t = group.random(ZR)
+        u = [group.random(ZR) for i in range(n+1)]
+        U_t = g2 ** u_t
+        U1 = [g1 ** u[i] for i in range(0, n)]
+        U2 = [g2 ** u[i] for i in range(0, n)]
+        
+        pk = { 'U1':U1, 'U2':U2,'U_t':U_t, 'g1':g1, 'g2':g2, 'h':h,'n':n   }
+        sk = { 'u':u, 'u_t':u_t, 'g1':g1, 'h':h,'n':n }
+        return (pk, sk)
+    
+    def F(self, sk, x):
+        result = dotprod(1, -1, sk['n'], lam_func, sk['u'], x) 
+        return pair(sk['g1'] ** (sk['u_t'] * sk['u'][0] * result), sk['h'])
+    
+    def prove(self, sk, x):
+        pi = {} # [i for i in range(sk['n'])]
+        for i in range(0, sk['n']):
+            dotProd0 = dotprod(1, -1, i+1, lam_func, sk['u'], x) 
+            pi[i+1] = sk['g1'] ** (sk['u_t'] * dotProd0)
+        
+        dotProd1 = dotprod(1, -1, sk['n'], lam_func, sk['u'], x)
+        pi[0] = sk['g1'] ** (sk['u_t'] * sk['u'][0] * dotProd1)
+        y = self.F(sk, x)
+        return { 'y':y, 'pi':pi } #, 'pi0':pi_0 }
+                
+    def verify(self, pk, x, st):
+        n, y, pi = pk['n'], st['y'], st['pi']
+        # check first index 
+        check1 = pair(pi[1], pk['g2'])
+        if x[0] == 0 and check1 == pair(pk['g1'], pk['U_t']):
+            if debug: print("Verify: check 0 successful!\t\tcase:", x[0])
+        elif x[0] == 1 and check1 == pair(pk['U1'][0], pk['U_t']):
+            if debug: print("Verify: check 0 successful!\t\tcase:", x[0])            
+        else: 
+            if debug: print("Verify: check 0 FAILURE!\t\t failed case:", x[0])            
+            return False
+        
+        for i in range(2, n+1):
+            check2 = pair(pi[i], pk['g2'])
+            if x[i-1] == 0 and check2 == pair(pi[i-1], pk['g2']):
+                if debug: print("Verify: check", i-1 ,"successful!\t\tcase:", x[i-1])
+            elif x[i-1] == 1 and check2 == pair(pi[i-1], pk['U2'][i-1]):
+                if debug: print("Verify: check", i-1 ,"successful!\t\tcase:", x[i-1])
+            else:
+                if debug: print("Verify: check", i-1 ,"FAILURE!\t\tcase:", x[i-1])
+                return False
+        
+        if pair(pi[0], pk['g2'] * pk['h']) == (pair(pi[n], pk['U2'][0]) * y): #and pair(pi_0, pk['h']) == y:
+            if debug: print("Verify: all and final check successful!!!")
+            return True
+        else:
+            return False
+        
+def main():
+    grp = PairingGroup('MNT224')
+    
+    # bits
+    x1 = [0, 1, 1, 0, 1, 0, 1, 0]
+    #x2 = [1, 1, 1, 0, 1, 0, 1, 0]
+    # block of bits
+    n = 8 
+    
+    vrf = VRF10(grp)
+    
+    # setup the VRF to accept input blocks of 8-bits 
+    (pk, sk) = vrf.setup(n)
+    
+    # generate proof over block x (using sk)
+    st = vrf.prove(sk, x1)
+    
+    # verify bits using pk and proof
+    assert vrf.verify(pk, x1, st), "VRF failed verification"
+    #assert vrf.verify(pk, x2, st), "VRF should FAIL verification!!!"
+    
+if __name__ == "__main__":
+    debug = True
+    main()