charm-crypto-framework 0.61.1__cp313-cp313-macosx_10_13_universal2.whl

charm/schemes/pksig/pksig_ps03.py

@@ -0,0 +1,119 @@
+'''
+**Pointcheval-Sanders Signature (PS16) - Committed Messages**
+
+*Authors:* D. Pointcheval, O. Sanders
+
+| **Title:** "Short Randomizable Signatures"
+| **Published in:** CT-RSA, 2016
+| **Available from:** https://eprint.iacr.org/2015/525.pdf
+| **Notes:** Section 6.1 - Signatures over committed messages.
+
+.. rubric:: Scheme Properties
+
+* **Type:** signature (public key)
+* **Setting:** bilinear groups (asymmetric)
+* **Assumption:** PS assumption
+
+.. rubric:: Implementation
+
+:Authors: Lovesh Harchandani
+:Date: 6/2018
+'''
+from functools import reduce
+
+from charm.toolbox.pairinggroup import PairingGroup, ZR, G1, G2, pair
+
+debug = False
+
+
+class PS01:
+    """
+    Signatures over committed messages, section 6.1 of the paper
+    """
+
+    def __init__(self, groupObj):
+        global group
+        group = groupObj
+
+    @staticmethod
+    def keygen(num_messages=1):
+        x = group.random(ZR)
+        g1 = group.random(G1)
+        sk = {'x': x, 'X1': g1 ** x}
+        g2 = group.random(G2)
+        ys = [group.random(ZR) for _ in range(num_messages)]
+        X2 = g2 ** x
+        y1s = [g1 ** y for y in ys]
+        y2s = [g2 ** y for y in ys]
+        pk = {'X2': X2, 'Y2': y2s, 'Y1': y1s, 'g2': g2, 'g1': g1}
+        return pk, sk
+
+    def commitment(self, pk, *messages):
+        t = group.random(ZR)
+        return t, (pk['g1'] ** t) * self.product([y1 ** group.hash(m, ZR) for (y1, m) in zip(pk['Y1'], messages)])
+
+    def sign(self, sk, pk, commitment):
+        u = group.random(ZR)
+        return pk['g1'] ** u, (sk['X1'] * commitment) ** u
+
+    @staticmethod
+    def unblind_signature(t, sig):
+        s1, s2 = sig
+        return s1, (s2 / (s1 ** t))
+
+    def verify(self, pk, sig, *messages):
+        ms = [group.hash(m, ZR) for m in messages]
+        s1, s2 = sig
+        if group.init(G1) == s1:
+            return False
+        l2 = pk['X2'] * self.product([pk['Y2'][i] ** ms[i] for i in range(len(messages))])
+        return pair(s1, l2) == pair(pk['g2'], s2)
+
+    def randomize_sig(self, sig):
+        s1, s2 = sig
+        t = group.random(ZR)
+        return s1 ** t, s2 ** t
+
+    @staticmethod
+    def product(seq):
+        return reduce(lambda x, y: x * y, seq)
+
+
+def main():
+    grp = PairingGroup('MNT224')
+    ps = PS01(grp)
+
+    messages = ['Hi there', 'Not there', 'Some message ................', 'Dont know .............']
+    (pk, sk) = ps.keygen(len(messages))
+    if debug:
+        print("Keygen...")
+        print("pk :=", pk)
+        print("sk :=", sk)
+
+    t, commitment = ps.commitment(pk, *messages)
+
+    sig = ps.sign(sk, pk, commitment)
+    if debug:
+        print("Signature: ", sig)
+
+    sig = ps.unblind_signature(t, sig)
+
+    result = ps.verify(pk, sig, *messages)
+    assert result, "INVALID signature!"
+    if debug:
+        print("Successful Verification!!!")
+
+    rand_sig = ps.randomize_sig(sig)
+    assert sig != rand_sig
+    if debug:
+        print("Randomized Signature: ", rand_sig)
+
+    result = ps.verify(pk, rand_sig, *messages)
+    assert result, "INVALID signature!"
+    if debug:
+        print("Successful Verification!!!")
+
+
+if __name__ == "__main__":
+    debug = True
+    main()

charm/schemes/pksig/pksig_rsa_hw09.py

@@ -0,0 +1,206 @@
+'''
+**Hohenberger-Waters RSA Stateless Signature (HW09-RSA)**
+
+*Authors:* S. Hohenberger, B. Waters
+
+| **Title:** "Realizing Hash-and-Sign Signatures under Standard Assumptions"
+| **Published in:** EUROCRYPT, 2009
+| **Available from:** http://eprint.iacr.org/2009/028.pdf
+| **Notes:** Section 3. Status: Needs improvement.
+
+.. rubric:: Scheme Properties
+
+* **Type:** signature (public key)
+* **Setting:** RSA
+* **Assumption:** RSA
+
+.. rubric:: Implementation
+
+:Authors: J. Ayo Akinyele, Christina Garman
+:Date: 12/2011
+'''
+
+from charm.core.math.integer import integer,random,randomBits,isPrime,gcd,bitsize,serialize
+from charm.toolbox.PKSig import PKSig
+from charm.schemes.chamhash_rsa_hw09 import ChamHash_HW09
+from charm.toolbox.conversion import Conversion
+from charm.toolbox.specialprimes import BlumWilliamsInteger
+import hmac, hashlib, math
+
+debug = False
+
+def SHA1(bytes1):
+  s1 = hashlib.new('sha1')  # nosec B324 - SHA1 used for historical compatibility
+  s1.update(bytes1)
+  return s1.digest()
+
+
+def randomQR(n):
+    return random(n) ** 2
+    
+class LogFunction:
+  def __init__(self, base=10):
+    self.base = base
+  
+  def __getitem__(self, base):
+    return LogFunction(base)
+  
+  def __call__(self, val):
+    return math.log(val, self.base)
+log = LogFunction()
+
+class Prf:
+  def __init__(self):
+      pass
+  
+  @classmethod
+  def keygen(self, bits):
+    return integer(randomBits(bits))
+
+  @classmethod  
+  def eval(self, k, input1): 
+    if type(k) == integer:
+        h = hmac.new(serialize(k), b'', hashlib.sha1)
+    else:
+        h = hmac.new(serialize(integer(k)), b'', hashlib.sha1)
+    
+    h.update(input1)
+    return Conversion.bytes2integer(h.hexdigest())
+
+class BlumIntegerSquareRoot:
+  def __init__(self, p, q):
+    self.raisedToThePower = 1
+    self.p = p
+    self.q = q
+    
+  def pow(self, modularInt):
+    p, q = self.p, self.q
+    result = integer(modularInt) % (p * q)
+    for repeat in range(self.raisedToThePower):
+        result = result ** (((p-1)*(q-1)+4)/8)
+    return result
+
+  def __pow__(self, power):
+    exp = BlumIntegerSquareRoot(self.p, self.q)
+    exp.raisedToThePower = power
+    return exp.pow(power)
+
+class Sig_RSA_Stateless_HW09(PKSig):
+    """
+	This scheme is probablistic and thus time consuming, so we skip it
+ 	when running doctests.
+    #doctest: +SKIP
+
+    >>> pksig = Sig_RSA_Stateless_HW09() #doctest:+SKIP
+    >>> p = integer(13075790812874903063868976368194105132206964291400106069285054021531242344673657224376055832139406140158530256050580761865568307154219348003780027259560207) #doctest:+SKIP
+    >>> q = integer(12220150399144091059083151334113293594120344494042436487743750419696868216757186059428173175925369884682105191510729093971051869295857706815002710593321543) #doctest:+SKIP
+    >>> (public_key, secret_key) = pksig.keygen(1024, p, q) #doctest:+SKIP
+    >>> msg = SHA1(b'this is the message I want to sign.') #doctest:+SKIP
+    >>> signature = pksig.sign(public_key, secret_key, msg) #doctest:+SKIP
+    >>> pksig.verify(public_key, msg, signature) #doctest:+SKIP
+    True
+    """  
+    def __init__(self, CH = ChamHash_HW09):
+        self.BWInt = BlumWilliamsInteger()
+        self.Prf = Prf()
+        self.ChameleonHash = CH()
+        
+    def keygen(self, keyLength=1024, p=0, q=0):
+        # Generate a Blum-Williams integer N of 'key_length' bits with factorization p,q
+        if p == 0 or q == 0:
+            (p, q) = self.BWInt.generatePrimes(int(keyLength/2))
+        # Generate random u,h \in QR_N and a random c \in {0,1}^|N|
+        N = p * q
+        u = randomQR(N)
+        h = randomQR(N)
+        c = randomBits(keyLength)#PRNG_generate_bits(key_length)
+
+        K = self.Prf.keygen(keyLength)
+        self.state = 0
+    
+        # Generate the Chameleon hash parameters.  We do not need the secret params.
+        (L, secret) = self.ChameleonHash.paramgen(keyLength, p, q);
+    
+        # Assemble the public and secret keys
+        pk = { 'length': keyLength, 'N': N, 'u': u, 'h': h, 'c': c, 'K': K, 'L': L }
+        sk = { 'p': p, 'q': q }
+        return (pk, sk);
+    
+    def sign(self, pk, sk, message, s=0):
+        if debug: print("Sign...")
+        L, K, c, keyLength, u, h, N = pk['L'], pk['K'], pk['c'], pk['length'], pk['u'], pk['h'], pk['N']
+        p, q = sk['p'], sk['q']
+        # Use internal state counter if none was provided
+        if (s == 0):
+          s = self.state
+          self.state += 1
+          s += 1
+
+        # Hash the message using the chameleon hash under params L to obtain (x, r)
+        (x, r) = self.ChameleonHash.hash(L, message);
+        # Compute e = H_k(s) and check whether it's prime. If not, increment s and repeat.
+        phi_N = (p-1)*(q-1)
+        e = self.HW_hash(K, c, s, keyLength)
+        e1 = e % phi_N
+        e2 = e % N
+        
+        while (not (isPrime(e2))) or (not gcd(e1, phi_N) == 1):
+            s += 1
+            e = self.HW_hash(K, c, s, keyLength)
+            e1 = e % phi_N
+            e2 = e % N
+        e = e1
+
+        # Compute B = SQRT(u^x * h)^ceil(log_2(s)) mod N
+        # Note that SQRT requires the factorization p, q
+        temp = ((u ** x) * h) % N
+        power = ((((p-1)*(q-1))+4)/8) ** (math.ceil(log[2](s)))
+        B = temp ** power
+        sigma1 = (B ** (e ** -1)) % N
+
+        # Update internal state counter and return sig = (sigma1, r, s)
+        self.state = s
+        return { 'sigma1':sigma1, 'r': r, 's': s, 'e':e }
+
+
+    def verify(self, pk, message, sig):
+        if debug: print("\nVERIFY\n\n")
+        sigma1, r, s, e = sig['sigma1'], sig['r'], sig['s'], sig['e']
+        K, L, c, keyLength, u, h, N = pk['K'], pk['L'], pk['c'], pk['length'], pk['u'], pk['h'], pk['N']
+    
+        # Make sure that 0 < s < 2^{keylength/2}, else reject the signature
+        if not (0 < s and s < (2 ** (keyLength/2))):
+            return False
+
+        # Compute e = H_k(s) and reject the signature if it's not prime
+        ei = self.HW_hash(K, c, s, keyLength) % N
+        if not isPrime(ei):
+            if debug: print("ei not prime")
+            return False
+        
+        # Compute Y = sigma1^{2*ceil(log2(s))}
+        s1 = integer(2 ** (math.ceil(log[2](s))))
+        Y = (sigma1 ** s1) % N
+        
+        # Hash the mesage using the chameleon hash with fixed randomness r
+        (x, r2) = self.ChameleonHash.hash(L, message, r)
+
+        lhs = (Y ** ei) % N
+        rhs = ((u ** x) * h) % N
+        if debug:
+            print("lhs =>", lhs)
+            print("rhs =>", rhs)
+        # Verify that Y^e = (u^x h) mod N.  If so, accept the signature
+        if lhs == rhs:
+            return True
+        # Default: reject the signature
+        return False
+    
+    def HW_hash(self, key, c, input, keyLen):
+        C = integer(c)
+        input_size = bitsize(c)
+        input_b = Conversion.IP2OS(input, input_size)
+        # Return c XOR PRF(k, input), where the output of PRF is keyLength bits
+        result = C ^ self.Prf.eval(key, input_b)
+        return result
+        

charm/schemes/pksig/pksig_schnorr91.py

@@ -0,0 +1,77 @@
+'''
+**Schnorr Signature (Schnorr91)**
+
+*Authors:* C. P. Schnorr
+
+| **Title:** "Efficient Signature Generation by Smart Cards"
+| **Published in:** Journal of Cryptology, 1991
+| **Available from:** https://link.springer.com/article/10.1007/BF00196725
+| **Notes:**
+
+.. rubric:: Scheme Properties
+
+* **Type:** signature (public key)
+* **Setting:** integer groups
+* **Assumption:** Discrete Logarithm
+
+.. rubric:: Implementation
+
+:Authors: Charm Developers
+:Date: 2011
+'''
+from charm.toolbox.integergroup import IntegerGroupQ
+from charm.toolbox.PKSig import PKSig
+
+debug = False
+class SchnorrSig(PKSig):
+    """
+    >>> from charm.core.math.integer import integer
+    >>> p = integer(156816585111264668689583680968857341596876961491501655859473581156994765485015490912709775771877391134974110808285244016265856659644360836326566918061490651852930016078015163968109160397122004869749553669499102243382571334855815358562585736488447912605222780091120196023676916968821094827532746274593222577067)
+    >>> q = integer(78408292555632334344791840484428670798438480745750827929736790578497382742507745456354887885938695567487055404142622008132928329822180418163283459030745325926465008039007581984054580198561002434874776834749551121691285667427907679281292868244223956302611390045560098011838458484410547413766373137296611288533)    
+    >>> pksig = SchnorrSig()
+    >>> pksig.params(p, q)
+    >>> (public_key, secret_key) = pksig.keygen()
+    >>> msg = "hello world."
+    >>> signature = pksig.sign(public_key, secret_key, msg)
+    >>> pksig.verify(public_key, signature, msg)
+    True
+    """
+    def __init__(self):
+        PKSig.__init__(self)
+        
+    def params(self, p=0, q=0, bits=1024):
+        global group
+        group = IntegerGroupQ(0)
+        if p == 0 or q == 0:
+            group.paramgen(bits)
+        else:
+            group.p, group.q, group.r = p, q, 2
+    
+    def keygen(self):
+        p = group.p
+        x, g = group.random(), group.randomGen()
+        y = (g ** x)
+        return ({'y':y, 'g':g}, x)
+    
+    def sign(self, pk, x, M):
+        p,q = group.p, group.q
+        k = group.random()
+        r = (pk['g'] ** k) % p
+        e = group.hash(M, r)
+        s = (k - x*e) % q
+
+        return {'e':e, 's':s }
+    
+    def verify(self, pk, sig, M):
+        p = group.p
+        r = ((pk['g'] ** sig['s']) * (pk['y'] ** sig['e'])) % p
+        if debug: print("Verifying...")
+        e = group.hash(M, r)
+        if debug: print("e => %s" % e)
+        if debug: print("r => %s" % r)
+        if e == sig['e']:
+            return True
+        else:
+            return False
+        return None
+    

charm/schemes/pksig/pksig_waters.py

@@ -0,0 +1,115 @@
+'''
+**Waters Identity-Based Signature (Waters05)**
+
+*Authors:* B. Waters
+
+| **Title:** "Efficient Identity-Based Encryption Without Random Oracles"
+| **Published in:** EUROCRYPT, 2005
+| **Available from:** LNCS Vol. 3494, pages 320-329
+| **Notes:**
+
+.. rubric:: Scheme Properties
+
+* **Type:** signature (identity-based)
+* **Setting:** bilinear groups (asymmetric)
+* **Assumption:** DBDH
+
+.. rubric:: Implementation
+
+:Authors: J. Ayo Akinyele
+:Date: 11/2011
+'''
+from charm.toolbox.pairinggroup import PairingGroup,ZR,G1,G2,pair
+from charm.toolbox.iterate import dotprod
+from charm.toolbox.hash_module import Waters
+
+debug = False
+class WatersSig:
+    """
+    >>> from charm.toolbox.pairinggroup import PairingGroup
+    >>> group = PairingGroup('SS512')
+    >>> water = WatersSig(group)
+    >>> (master_public_key, master_secret_key) = water.setup(5)
+    >>> ID = 'janedoe@email.com'
+    >>> secret_key = water.keygen(master_public_key, master_secret_key, ID)  
+    >>> msg = 'please sign this new message!'
+    >>> signature = water.sign(master_public_key, secret_key, msg)
+    >>> water.verify(master_public_key, ID, msg, signature)
+    True
+    """
+    def __init__(self, groupObj):
+        global group,lam_func
+        group = groupObj
+        lam_func = lambda i,a,b: a[i] ** b[i]
+
+    def setup(self, z, l=32):
+        global waters
+        waters = Waters(group, z, l)
+        alpha, h = group.random(ZR), group.random(G1)
+        g1, g2 = group.random(G1), group.random(G2)
+        A = pair(h, g2) ** alpha
+        y = [group.random(ZR) for i in range(z)]
+        y1t,y2t = group.random(ZR), group.random(ZR)
+
+        u1t = g1 ** y1t; u2t = g1 ** y2t
+        u = [g1 ** y[i] for i in range(z)]
+
+        u1b = g2 ** y1t; u2b = g2 ** y2t
+        ub =[g2 ** y[i] for i in range(z)]
+
+        msk = h ** alpha
+        mpk = {'g1':g1, 'g2':g2, 'A':A, 'u1t':u1t, 'u2t':u2t, 'u':u, 'u1b':u1b, 'u2b':u2b, 'ub':ub, 'z':z, 'l':l } 
+        return (mpk, msk) 
+
+    def keygen(self, mpk, msk, ID):
+        if debug: print("Keygen alg...")
+        k = waters.hash(ID) # return list from k1,...,kz
+        if debug: print("k =>", k)
+        r = group.random(ZR)
+        k1 = msk * ((mpk['u1t'] * dotprod(1, -1, mpk['z'], lam_func, mpk['u'], k)) ** r)  
+        k2 = mpk['g1'] ** -r
+        return (k1, k2)
+    
+    def sign(self, mpk, sk, M):
+        if debug: print("Sign alg...")
+        m = waters.hash(M) # return list from m1,...,mz
+        if debug: print("m =>", m)
+        (k1, k2) = sk
+        s  = group.random(ZR)
+        S1 = k1 * ((mpk['u2t'] * dotprod(1, -1, mpk['z'], lam_func, mpk['u'], m)) ** s)
+        S2 = k2
+        S3 = mpk['g1'] ** -s
+        return {'S1':S1, 'S2':S2, 'S3':S3}
+    
+    def verify(self, mpk, ID, M, sig):
+        if debug: print("Verify...")
+        k = waters.hash(ID)
+        m = waters.hash(M)
+        (S1, S2, S3) = sig['S1'], sig['S2'], sig['S3']
+        A, g2 = mpk['A'], mpk['g2']
+        comp1 = dotprod(1, -1, mpk['z'], lam_func, mpk['ub'], k)
+        comp2 = dotprod(1, -1, mpk['z'], lam_func, mpk['ub'], m)
+        lhs = (pair(S1, g2) * pair(S2, mpk['u1b'] * comp1) * pair(S3, mpk['u2b'] * comp2)) 
+        #if ((pair(S1, g2) * pair(S2, mpk['u1b'] * comp1) * pair(S3, mpk['u2b'] * comp2)) == A): 
+        if lhs == A:
+            return True
+        return False
+
+def main():
+    groupObj = PairingGroup('SS512')
+    wat = WatersSig(groupObj)
+    (master_public_key, master_secret_key) = wat.setup(5)
+    ID = 'janedoe@email.com'
+    secret_key = wat.keygen(master_public_key, master_secret_key, ID)  
+    msg = 'please sign this new message!'
+
+    sig = wat.sign(master_public_key, secret_key, msg)
+
+    assert wat.verify(master_public_key, ID, msg, sig), "invalid signature"
+    if debug: print("Successful Verification!")
+
+if __name__ == "__main__":
+    debug = True
+    main()
+
+   

charm/schemes/pksig/pksig_waters05.py

@@ -0,0 +1,121 @@
+'''
+**Naccache Identity-Based Signature (N04)**
+
+*Authors:* D. Naccache
+
+| **Title:** "Secure and Practical Identity-Based Encryption"
+| **Published in:** IET Information Security, 2005
+| **Available from:** http://eprint.iacr.org/2005/369.pdf
+| **Notes:** Section 4. Optimized with pre-computed pairings and swapped g1/g2.
+
+.. rubric:: Scheme Properties
+
+* **Type:** signature (identity-based)
+* **Setting:** bilinear groups (asymmetric)
+* **Assumption:** DBDH
+
+.. rubric:: Implementation
+
+:Authors: Gary Belvin (original), Fan Zhang (improvements)
+:Date: 06/2011 (original), 3/2013 (improvements)
+'''
+
+from charm.toolbox.pairinggroup import PairingGroup,ZR,G1,G2,GT,pair
+from charm.toolbox.PKSig import PKSig
+from charm.toolbox.enum import Enum
+from charm.toolbox.hash_module import Waters
+import math
+
+debug = False
+class IBE_N04_Sig(PKSig):
+    """
+    >>> from charm.toolbox.pairinggroup import PairingGroup
+    >>> group = PairingGroup('SS512')
+    >>> waters = Waters(group)
+    >>> ibe = IBE_N04_Sig(group)
+    >>> (public_key, secret_key) = ibe.keygen()
+    >>> ID = "bob@example.com"
+    >>> msg = waters.hash("This is a test.")    
+    >>> signature = ibe.sign(public_key, secret_key, msg)
+    >>> ibe.verify(public_key, msg, signature)
+    True
+    """
+    """Implementation of David Naccahe Identity Based Encryption"""
+    def __init__(self, groupObj):
+        PKSig.__init__(self)
+        #PKSig.setProperty(self, secdef='IND_ID_CPA', assumption='DBDH', secmodel='Standard')
+        #, other={'id':ZR}
+        #message_space=[GT, 'KEM']
+        global group 
+        group = groupObj        
+        
+    def keygen(self, l=32):
+        """l is the security parameter
+        with l = 32, and the hash function at 256 bits = n * l with n = 8"""
+        global waters
+        g = group.random(G2)      # generator for group G of prime order p
+        
+        #hLen = sha1_len * 8
+        #int(math.floor(hLen / l))
+        sha2_byte_len = 32
+        hLen = sha2_byte_len * 8
+        n = int(math.floor(hLen / l))
+        waters = Waters(group, n, l, 'sha256')
+        
+        alpha = group.random(ZR)  #from Zp
+        g2    = g ** alpha      
+        g1    = group.random(G1)   
+        u = group.random(ZR)
+        uprime = g ** u
+        U_z = [group.random(ZR) for x in range(n)]
+        U = [g ** x  for x in U_z]
+        
+        pk = {'g':g, 'g1':g1, 'g2': g2, 'uPrime':uprime, 'U': U,
+              'n':n, 'l':l, 'egg': pair(g1, g2) }
+        
+        mk = {'g1^alpha':g1 ** alpha, 'U_z':U_z, 'u':u} #master secret
+        if debug: 
+            print(mk)
+        
+        return (pk, mk)
+    
+    def sign(self, pk, sk, m):
+        """v = (v1, .., vn) is an identity"""
+        r = group.random(ZR)
+        u = sk['u']
+        for i in range(pk['n']):
+            u += sk['U_z'][i] * m[i]
+            
+        d1 = sk['g1^alpha'] * (pk['g1'] ** (u * r))
+        d2 = pk['g1'] ** r
+        return {'d1': d1, 'd2':d2}
+
+    def verify(self, pk, msg, sig):
+        c3 = pk['uPrime']
+        for i in range(pk['n']):
+            c3 *= pk['U'][i] ** msg[i]
+        
+        return pk['egg'] == (pair(sig['d1'], pk['g']) / pair(sig['d2'], c3))
+
+
+def main():
+    groupObj = PairingGroup('SS512')
+    ibe = IBE_N04_Sig(groupObj)
+    waters = Waters(group)
+    (pk, sk) = ibe.keygen()
+
+    # represents public identity
+    M = "bob@example.com"
+    msg = waters.hash("This is a test.")    
+    sig = ibe.sign(pk, sk, msg)
+    if debug:
+        print("original msg => '%s'" % M)
+        print("msg => '%s'" % msg)
+        print("sig => '%s'" % sig)
+
+    assert ibe.verify(pk, msg, sig), "Failed verification!"
+    if debug: print("Successful Verification!!! msg => '%s'" % msg)
+
+if __name__ == '__main__':
+    debug = True
+    main()