/** * @return a random BIG in 0, ..., GROUP_ORDER-1 */ public static BIG RandModOrder(this RAND rng) { BIG q = new BIG(ROM.CURVE_Order); // Takes random element in this Zq. return(BIG.RandomNum(q, rng)); }
public IdemixSetup(string[] attributeNames) { // Choose attribute names and create an issuer key pair // this.attributeNames = new String[]{"Attribute1", "Attribute2"}; this.attributeNames = attributeNames; key = new IdemixIssuerKey(this.attributeNames); RAND rng = IdemixUtils.GetRand(); // Choose a user secret key and request a credential sk = new BIG(rng.RandModOrder()); issuerNonce = new BIG(rng.RandModOrder()); idemixCredRequest = new IdemixCredRequest(sk, issuerNonce, key.Ipk); //csr // Issue a credential attrs = new BIG[this.attributeNames.Length]; for (int i = 0; i < this.attributeNames.Length; i++) { attrs[i] = new BIG(i); } idemixCredential = new IdemixCredential(key, idemixCredRequest, attrs); //certificate wbbKeyPair = WeakBB.WeakBBKeyGen(); // Generate a revocation key pair revocationKeyPair = RevocationAuthority.GenerateLongTermRevocationKey(); // Check all the generated data CheckSetup(); }
/* get 8*MODBYTES size random number */ public static BIG random(RAND rng) { BIG m = new BIG(0); int i, b, j = 0, r = 0; /* generate random BIG */ for (i = 0; i < 8 * ROM.MODBYTES; i++) { if (j == 0) { r = rng.Byte; } else { r >>= 1; } b = r & 1; m.shl(1); m.w[0] += b; // m.inc(b); j++; j &= 7; } return(m); }
/* Create random BIG in portable way, one bit at a time */ public static BIG RandomNum(BIG q, RAND rng) { DBIG d = new DBIG(0); int i, b, j = 0, r = 0; for (i = 0; i < 2 * q.NBits(); i++) { if (j == 0) { r = rng.Byte; } else { r >>= 1; } b = r & 1; d.Shl(1); d.w[0] += b; // m.inc(b); j++; j &= 7; } BIG m = d.Mod(q); return(m); }
/* One pass MPIN Client */ public static int CLIENT(int date, sbyte[] CLIENT_ID, RAND RNG, sbyte[] X, int pin, sbyte[] TOKEN, sbyte[] SEC, sbyte[] xID, sbyte[] xCID, sbyte[] PERMIT, int TimeValue, sbyte[] Y) { int rtn = 0; sbyte[] pID; if (date == 0) { pID = xID; } else { pID = xCID; } rtn = CLIENT_1(date, CLIENT_ID, RNG, X, pin, TOKEN, SEC, xID, xCID, PERMIT); if (rtn != 0) { return(rtn); } GET_Y(TimeValue, pID, Y); rtn = CLIENT_2(X, Y, SEC); if (rtn != 0) { return(rtn); } return(0); }
/* Create random BIG in portable way, one bit at a time */ public static BIG randomnum(BIG q, RAND rng) { DBIG d = new DBIG(0); int i, b, j = 0, r = 0; for (i = 0; i < 2 * ROM.MODBITS; i++) { if (j == 0) { r = rng.Byte; } else { r >>= 1; } b = r & 1; d.shl(1); d.w[0] += b; // m.inc(b); j++; j &= 7; } BIG m = d.mod(q); return(m); }
/* * W=x*H(G); * if RNG == NULL then X is passed in * if RNG != NULL the X is passed out * if type=0 W=x*G where G is point on the curve, else W=x*M(G), where M(G) is mapping of octet G to point on the curve */ public static int GET_G1_MULTIPLE(RAND rng, int type, sbyte[] X, sbyte[] G, sbyte[] W) { BIG x; BIG r = new BIG(ROM.CURVE_Order); if (rng != null) { x = BIG.randomnum(r, rng); x.toBytes(X); } else { x = BIG.fromBytes(X); } ECP P; if (type == 0) { P = ECP.fromBytes(G); if (P.is_infinity()) { return(INVALID_POINT); } } else { P = mapit(G); } PAIR.G1mul(P, x).toBytes(W); return(0); }
public KeyPair() { RAND rng = IdemixUtils.GetRand(); Sk = rng.RandModOrder(); Pk = IdemixUtils.GenG2.Mul(Sk); }
/* IEEE1363 ECIES encryption. Encryption of plaintext M uses public key W and produces ciphertext V,C,T */ public static sbyte[] ECIES_ENCRYPT(sbyte[] P1, sbyte[] P2, RAND RNG, sbyte[] W, sbyte[] M, sbyte[] V, sbyte[] T) { int i; sbyte[] Z = new sbyte[EFS]; sbyte[] VZ = new sbyte[3 * EFS + 1]; sbyte[] K1 = new sbyte[EAS]; sbyte[] K2 = new sbyte[EAS]; sbyte[] U = new sbyte[EGS]; if (KEY_PAIR_GENERATE(RNG, U, V) != 0) { return(new sbyte[0]); } if (ECPSVDP_DH(U, W, Z) != 0) { return(new sbyte[0]); } for (i = 0; i < 2 * EFS + 1; i++) { VZ[i] = V[i]; } for (i = 0; i < EFS; i++) { VZ[2 * EFS + 1 + i] = Z[i]; } sbyte[] K = KDF2(VZ, P1, EFS); for (i = 0; i < EAS; i++) { K1[i] = K[i]; K2[i] = K[EAS + i]; } sbyte[] C = AES_CBC_IV0_ENCRYPT(K1, M); sbyte[] L2 = inttoBytes(P2.Length, 8); sbyte[] AC = new sbyte[C.Length + P2.Length + 8]; for (i = 0; i < C.Length; i++) { AC[i] = C[i]; } for (i = 0; i < P2.Length; i++) { AC[C.Length + i] = P2[i]; } for (i = 0; i < 8; i++) { AC[C.Length + P2.Length + i] = L2[i]; } HMAC(AC, K2, T); return(C); }
public Rain_Handler(Vector2 draw_offset) { Angle = 3f; for (int i = 0; i < sprite_count() * 2; i++) { Sprite_Locs[i] = new_sprite_loc(draw_offset, true); Sprite_Rects[i] = new Rectangle(0, 0, 8, RAND.Next(4) == 0 ? 8 : 16); } }
/** * Constructor * * @param attributeNames the names of attributes as String array (must not contain duplicates) */ public IdemixIssuerKey(string[] attributeNames) { RAND rng = IdemixUtils.GetRand(); // generate the secret key Isk = rng.RandModOrder(); // construct the corresponding public key Ipk = new IdemixIssuerPublicKey(attributeNames, Isk); }
/* create random secret S */ public static int RANDOM_GENERATE(RAND rng, sbyte[] S) { BIG s; BIG r = new BIG(ROM.CURVE_Order); s = BIG.randomnum(r, rng); s.toBytes(S); return(0); }
/* IEEE ECDSA Signature, C and D are signature on F using private key S */ public static int ECPSP_DSA(RAND RNG, sbyte[] S, sbyte[] F, sbyte[] C, sbyte[] D) { sbyte[] T = new sbyte[EFS]; BIG gx, gy, r, s, f, c, d, u, vx; ECP G, V; HASH H = new HASH(); H.process_array(F); sbyte[] B = H.hash(); gx = new BIG(ROM.CURVE_Gx); gy = new BIG(ROM.CURVE_Gy); G = new ECP(gx, gy); r = new BIG(ROM.CURVE_Order); s = BIG.fromBytes(S); f = BIG.fromBytes(B); c = new BIG(0); d = new BIG(0); V = new ECP(); do { u = BIG.randomnum(r, RNG); V.copy(G); V = V.mul(u); vx = V.X; c.copy(vx); c.mod(r); if (c.iszilch()) { continue; } u.invmodp(r); d.copy(BIG.modmul(s, c, r)); d.add(f); d.copy(BIG.modmul(u, d, r)); } while (d.iszilch()); c.toBytes(T); for (int i = 0; i < EFS; i++) { C[i] = T[i]; } d.toBytes(T); for (int i = 0; i < EFS; i++) { D[i] = T[i]; } return(0); }
/** * Constructor * * @param sk the secret key of the user * @param ipk the public key of the issuer */ public IdemixPseudonym(BIG sk, IdemixIssuerPublicKey ipk) { if (sk == null || ipk == null) { throw new ArgumentException("Cannot construct idemix pseudonym from null input"); } RAND rng = IdemixUtils.GetRand(); RandNym = rng.RandModOrder(); Nym = ipk.Hsk.Mul2(sk, ipk.HRand, RandNym); }
/* these next two functions implement elligator squared - http://eprint.iacr.org/2014/043 */ /* Elliptic curve point E in format (0x04,x,y} is converted to form {0x0-,u,v} */ /* Note that u and v are indistinguisible from random strings */ public static int ENCODING(RAND rng, sbyte[] E) { int rn, m, su, sv; sbyte[] T = new sbyte[EFS]; for (int i = 0; i < EFS; i++) { T[i] = E[i + 1]; } BIG u = BIG.fromBytes(T); for (int i = 0; i < EFS; i++) { T[i] = E[i + EFS + 1]; } BIG v = BIG.fromBytes(T); ECP P = new ECP(u, v); if (P.is_infinity()) { return(INVALID_POINT); } BIG p = new BIG(ROM.Modulus); u = BIG.randomnum(p, rng); su = rng.Byte; //if (su<0) su=-su; su %= 2; ECP W = map(u, su); P.sub(W); sv = P.S; rn = unmap(v, P); m = rng.Byte; //if (m<0) m=-m; m %= rn; v.inc(m + 1); E[0] = (sbyte)(su + 2 * sv); u.toBytes(T); for (int i = 0; i < EFS; i++) { E[i + 1] = T[i]; } v.toBytes(T); for (int i = 0; i < EFS; i++) { E[i + EFS + 1] = T[i]; } return(0); }
/* generate random x */ public void randomnum(FF p, RAND rng) { int n = length; FF d = new FF(2 * n); for (int i = 0; i < 2 * n; i++) { d.v[i].copy(BIG.random(rng)); } copy(d.dmod(p)); }
protected override Vector2 new_sprite_loc(Vector2 draw_offset, bool initial) { if (initial) { return(new Vector2(RAND.Next(Config.WINDOW_WIDTH), RAND.Next(Config.WINDOW_HEIGHT)) + draw_offset); } else { return(new Vector2(RAND.Next(Config.WINDOW_WIDTH + height_slope) - height_slope, RAND.Next(16) - 8) + draw_offset); } }
public void random(RAND rng) { int n = length; for (int i = 0; i < n; i++) { v[i].copy(BIG.random(rng)); } /* make sure top bit is 1 */ while (v[n - 1].nbits() < ROM.MODBYTES * 8) { v[n - 1].copy(BIG.random(rng)); } }
protected void reset_sprite_vel(int i) { Snow_Size size = particle_size(i); Sprite_Vels[i] = size == Snow_Size.Small ? // size == 2 new Vector2((float)(1 + (RAND.NextDouble() / 2)) / 2f, (float)(1 + (RAND.NextDouble() / 2)) / 2f) : //new Vector2((float)(1 + (RAND.NextDouble() / 2)), (float)(1 + (RAND.NextDouble() / 2))) / 2f : (size == Snow_Size.Medium ? // size == 1 new Vector2((float)(1 + RAND.NextDouble()), (float)(1 + RAND.NextDouble()) * 1.5f) : // size == 0 new Vector2((float)(1 + RAND.NextDouble()), (float)(1 + RAND.NextDouble()) * 2f)); }
/** * Returns a random number generator, amcl.RAND, * initialized with a fresh seed. * * @return a random number generator */ public static RAND GetRand() { // construct a secure seed int seedLength = FIELD_BYTES; SecureRandom random = new SecureRandom(); byte[] seed = random.GenerateSeed(seedLength); // create a new amcl.RAND and initialize it with the generated seed RAND rng = new RAND(); rng.Clean(); rng.Seed(seedLength, seed); return(rng); }
/** * Constructor creating a new credential * * @param key the issuer key pair * @param m a credential request * @param attrs an array of attribute values as BIG */ public IdemixCredential(IdemixIssuerKey key, IdemixCredRequest m, BIG[] attrs) { if (key == null || key.Ipk == null || m == null || attrs == null) { throw new ArgumentException("Cannot create idemix credential from null input"); } if (attrs.Length != key.Ipk.AttributeNames.Length) { throw new ArgumentException("Amount of attribute values does not match amount of attributes in issuer public key"); } RAND rng = IdemixUtils.GetRand(); // Place a BBS+ signature on the user key and the attribute values // (For BBS+, see "Constant-Size Dynamic k-TAA" by Man Ho Au, Willy Susilo, Yi Mu) E = rng.RandModOrder(); S = rng.RandModOrder(); B = new ECP(); B.Copy(IdemixUtils.GenG1); B.Add(m.Nym); B.Add(key.Ipk.HRand.Mul(S)); for (int i = 0; i < attrs.Length / 2; i++) { B.Add(key.Ipk.HAttrs[2 * i].Mul2(attrs[2 * i], key.Ipk.HAttrs[2 * i + 1], attrs[2 * i + 1])); } if (attrs.Length % 2 != 0) { B.Add(key.Ipk.HAttrs[attrs.Length - 1].Mul(attrs[attrs.Length - 1])); } BIG exp = new BIG(key.Isk).Plus(E); exp.Mod(IdemixUtils.GROUP_ORDER); exp.InvModp(IdemixUtils.GROUP_ORDER); A = B.Mul(exp); Attrs = new byte[attrs.Length][]; for (int i = 0; i < attrs.Length; i++) { byte[] b = new byte[IdemixUtils.FIELD_BYTES]; attrs[i].ToBytes(b); Attrs[i] = b; } }
public static void Main(string[] args) { int i; int RFS = RSA.RFS; string message = "Hello World\n"; rsa_public_key pub = new rsa_public_key(ROM.FFLEN); rsa_private_key priv = new rsa_private_key(ROM.HFLEN); sbyte[] ML = new sbyte[RFS]; sbyte[] C = new sbyte[RFS]; sbyte[] RAW = new sbyte[100]; RAND rng = new RAND(); rng.clean(); for (i = 0; i < 100; i++) { RAW[i] = (sbyte)(i); } rng.seed(100, RAW); //for (i=0;i<10;i++) //{ Console.WriteLine("Generating public/private key pair"); RSA.KEY_PAIR(rng, 65537, priv, pub); sbyte[] M = message.GetBytes(); Console.Write("Encrypting test string\n"); sbyte[] E = RSA.OAEP_ENCODE(M, rng, null); // OAEP encode message M to E RSA.ENCRYPT(pub, E, C); // encrypt encoded message Console.Write("Ciphertext= 0x"); RSA.printBinary(C); Console.Write("Decrypting test string\n"); RSA.DECRYPT(priv, C, ML); sbyte[] MS = RSA.OAEP_DECODE(null, ML); // OAEP decode message message = StringHelperClass.NewString(MS); Console.Write(message); //} RSA.PRIVATE_KEY_KILL(priv); }
private static RedisWorkload mockRedisWorkload(int type = -1) { RedisWorkload workload = new RedisWorkload(); workload.hashId = RandomString(10); workload.key = BitConverter.GetBytes(RAND.Next(0, int.MaxValue)); workload.type = (RedisWorkloadType)(type == -1 ? RAND.Next(0, 6) : type); if (workload.type == RedisWorkloadType.HGet || workload.type == RedisWorkloadType.HGetAll || workload.type == RedisWorkloadType.HMGet) { workload.value = null; } else { workload.value = RandomBytes(32); } return(workload); }
/** * Constructor * * @param sk the secret key of the user * @param issuerNonce a nonce * @param ipk the issuer public key */ public IdemixCredRequest(BIG sk, BIG issuerNonce, IdemixIssuerPublicKey ipk) { if (sk == null) { throw new ArgumentException("Cannot create idemix credrequest from null Secret Key input"); } if (issuerNonce == null) { throw new ArgumentException("Cannot create idemix credrequest from null issuer nonce input"); } if (ipk == null) { throw new ArgumentException("Cannot create idemix credrequest from null Issuer Public Key input"); } RAND rng = IdemixUtils.GetRand(); Nym = ipk.Hsk.Mul(sk); this.issuerNonce = new BIG(issuerNonce); // Create Zero Knowledge Proof BIG rsk = rng.RandModOrder(); ECP t = ipk.Hsk.Mul(rsk); // Make proofData: total 3 elements of G1, each 2*FIELD_BYTES+1 (ECP), // plus length of String array, // plus one BIG byte[] proofData = new byte[0]; proofData = proofData.Append(CREDREQUEST_LABEL.ToBytes()); proofData = proofData.Append(t.ToBytes()); proofData = proofData.Append(ipk.Hsk.ToBytes()); proofData = proofData.Append(Nym.ToBytes()); proofData = proofData.Append(issuerNonce.ToBytes()); proofData = proofData.Append(ipk.Hash); proofC = proofData.HashModOrder(); // Compute proofS = ... proofS = BIG.ModMul(proofC, sk, IdemixUtils.GROUP_ORDER).Plus(rsk); proofS.Mod(IdemixUtils.GROUP_ORDER); }
/* Calculate a public/private EC GF(p) key pair W,S where W=S.G mod EC(p), * where S is the secret key and W is the public key * and G is fixed generator. * If RNG is NULL then the private key is provided externally in S * otherwise it is generated randomly internally */ public static int KEY_PAIR_GENERATE(RAND RNG, sbyte[] S, sbyte[] W) { BIG r, gx, gy, s; ECP G, WP; int res = 0; sbyte[] T = new sbyte[EFS]; gx = new BIG(ROM.CURVE_Gx); if (ROM.CURVETYPE != ROM.MONTGOMERY) { gy = new BIG(ROM.CURVE_Gy); G = new ECP(gx, gy); } else { G = new ECP(gx); } r = new BIG(ROM.CURVE_Order); if (RNG == null) { s = BIG.fromBytes(S); } else { s = BIG.randomnum(r, RNG); s.toBytes(T); for (int i = 0; i < EGS; i++) { S[i] = T[i]; } } WP = G.mul(s); WP.toBytes(W); return(res); }
/** * Constructor * * @param sk the secret key * @param pseudonym the pseudonym with respect to which this signature can be verified * @param ipk the issuer public key * @param msg the message to be signed */ public IdemixPseudonymSignature(BIG sk, IdemixPseudonym pseudonym, IdemixIssuerPublicKey ipk, byte[] msg) { if (sk == null || pseudonym == null || pseudonym.Nym == null || pseudonym.RandNym == null || ipk == null || msg == null) { throw new ArgumentException("Cannot create IdemixPseudonymSignature from null input"); } RAND rng = IdemixUtils.GetRand(); nonce = rng.RandModOrder(); //Construct Zero Knowledge Proof BIG rsk = rng.RandModOrder(); BIG rRNym = rng.RandModOrder(); ECP t = ipk.Hsk.Mul2(rsk, ipk.HRand, rRNym); // create array for proof data that will contain the sign label, 2 ECPs (each of length 2* FIELD_BYTES + 1), the ipk hash and the message byte[] proofData = new byte[0]; proofData = proofData.Append(NYM_SIGN_LABEL.ToBytes()); proofData = proofData.Append(t.ToBytes()); proofData = proofData.Append(pseudonym.Nym.ToBytes()); proofData = proofData.Append(ipk.Hash); proofData = proofData.Append(msg); BIG cvalue = proofData.HashModOrder(); byte[] finalProofData = new byte[0]; finalProofData = finalProofData.Append(cvalue.ToBytes()); finalProofData = finalProofData.Append(nonce.ToBytes()); proofC = finalProofData.HashModOrder(); proofSSk = new BIG(rsk); proofSSk.Add(BIG.ModMul(proofC, sk, IdemixUtils.GROUP_ORDER)); proofSSk.Mod(IdemixUtils.GROUP_ORDER); proofSRNym = new BIG(rRNym); proofSRNym.Add(BIG.ModMul(proofC, pseudonym.RandNym, IdemixUtils.GROUP_ORDER)); proofSRNym.Mod(IdemixUtils.GROUP_ORDER); }
/// <summary> /// Creates instance from char array. /// </summary> /// <param name="chars">Char array to be encrypted.</param> /// <param name="password">Password to generate key to encrypt and decrypt.</param> /// <param name="saltLenght">Salt length to generate key.</param> /// <param name="iterationCount">Iteration count to generate key.</param> /// <param name="keySize">Key size in bit.</param> /// <param name="cipherMode"><see cref="CipherMode"/>.</param> /// <param name="paddingMode"><see cref="PaddingMode"/>.</param> /// <returns>PBEProtectedString instance.</returns> public static PBEProtectedString FromChars(char[] chars, byte[] password, int saltLenght = 128, int iterationCount = 4096, int keySize = 256, CipherMode cipherMode = CipherMode.CBC, PaddingMode paddingMode = PaddingMode.PKCS7) { var ps = new PBEProtectedString(keySize, cipherMode, paddingMode); if (saltLenght > 0) { ps.Salt = RAND.NextBytes(saltLenght); } ps.generateKey(password, iterationCount, BLOCK_SIZE); using (var aes = Aes.Create()) { aes.KeySize = ps.keySize; aes.BlockSize = BLOCK_SIZE; aes.Mode = ps.cipherMode; aes.Padding = ps.paddingMode; aes.Key = ps.key; aes.IV = ps.iv; using (var memory = new MemoryStream()) { using (var encryptor = aes.CreateEncryptor()) using (var stream = new CryptoStream(memory, encryptor, CryptoStreamMode.Write)) using (var writer = new StreamWriter(stream, ENCODING)) { writer.Write(chars); } ps.EncryptedData = memory.ToArray(); } } return(ps); }
public override void update(Vector2 draw_offset) { for (int i = 0; i < sprite_count() * 2; i++) { Sprite_Locs[i] += new Vector2(4) * new Vector2(1, Angle); // If fell off the screen if (Sprite_Locs[i].Y > (Config.WINDOW_HEIGHT + draw_offset.Y) || // If went off the right edge Sprite_Locs[i].X > (Config.WINDOW_WIDTH + 16 + draw_offset.X)) { Sprite_Locs[i] = new_sprite_loc(draw_offset, false); Sprite_Rects[i] = new Rectangle(0, 0, 8, RAND.Next(4) == 0 ? 8 : 16); } // If off the top of the screen due to scrolling else if (Sprite_Locs[i].Y + Sprite_Rects[i].Y < draw_offset.Y) { Sprite_Locs[i] += new Vector2(0, Config.WINDOW_HEIGHT); } // If off the left of the screen due to scrolling //else if (Sprite_Locs[i].X + Sprite_Rects[i].X < -16 + draw_offset.X) //Debug // Sprite_Locs[i] += new Vector2(Config.WINDOW_WIDTH + 32, 0); } base.update(draw_offset); }
public static void Main(string[] args) { int i, j = 0, res; int result; string pp = "M0ng00se"; int EGS = ECDH.EGS; int EFS = ECDH.EFS; int EAS = AES.KS; sbyte[] S1 = new sbyte[EGS]; sbyte[] W0 = new sbyte[2 * EFS + 1]; sbyte[] W1 = new sbyte[2 * EFS + 1]; sbyte[] Z0 = new sbyte[EFS]; sbyte[] Z1 = new sbyte[EFS]; sbyte[] RAW = new sbyte[100]; sbyte[] SALT = new sbyte[8]; RAND rng = new RAND(); rng.clean(); for (i = 0; i < 100; i++) { RAW[i] = (sbyte)(i); } rng.seed(100, RAW); //for (j=0;j<100;j++) //{ for (i = 0; i < 8; i++) { SALT[i] = (sbyte)(i + 1); // set Salt } Console.WriteLine("Alice's Passphrase= " + pp); sbyte[] PW = pp.GetBytes(); /* private key S0 of size EGS bytes derived from Password and Salt */ sbyte[] S0 = ECDH.PBKDF2(PW, SALT, 1000, EGS); Console.Write("Alice's private key= 0x"); printBinary(S0); /* Generate Key pair S/W */ ECDH.KEY_PAIR_GENERATE(null, S0, W0); Console.Write("Alice's public key= 0x"); printBinary(W0); res = ECDH.PUBLIC_KEY_VALIDATE(true, W0); if (res != 0) { Console.WriteLine("Alice's public Key is invalid!\n"); return; } /* Random private key for other party */ ECDH.KEY_PAIR_GENERATE(rng, S1, W1); Console.Write("Servers private key= 0x"); printBinary(S1); Console.Write("Servers public key= 0x"); printBinary(W1); res = ECDH.PUBLIC_KEY_VALIDATE(true, W1); if (res != 0) { Console.Write("Server's public Key is invalid!\n"); return; } /* Calculate common key using DH - IEEE 1363 method */ ECDH.ECPSVDP_DH(S0, W1, Z0); ECDH.ECPSVDP_DH(S1, W0, Z1); bool same = true; for (i = 0; i < EFS; i++) { if (Z0[i] != Z1[i]) { same = false; } } if (!same) { Console.WriteLine("*** ECPSVDP-DH Failed"); return; } sbyte[] KEY = ECDH.KDF1(Z0, EAS); Console.Write("Alice's DH Key= 0x"); printBinary(KEY); Console.Write("Servers DH Key= 0x"); printBinary(KEY); //} //System.out.println("Test Completed Successfully"); }
/** * Create a new IdemixSignature by proving knowledge of a credential * * @param c the credential used to create an idemix signature * @param sk the signer's secret key * @param pseudonym a pseudonym of the signer * @param ipk the issuer public key * @param disclosure a bool-array that steers the disclosure of attributes * @param msg the message to be signed * @param rhIndex the index of the attribute that represents the revocation handle * @param cri the credential revocation information that allows the signer to prove non-revocation */ public IdemixSignature(IdemixCredential c, BIG sk, IdemixPseudonym pseudonym, IdemixIssuerPublicKey ipk, bool[] disclosure, byte[] msg, int rhIndex, CredentialRevocationInformation cri) { if (c == null || sk == null || pseudonym == null || pseudonym.Nym == null || pseudonym.RandNym == null || ipk == null || disclosure == null || msg == null || cri == null) { throw new ArgumentException("Cannot construct idemix signature from null input"); } if (disclosure.Length != c.Attrs.Length) { throw new ArgumentException("Disclosure length must be the same as the number of attributes"); } if (cri.RevocationAlg >= Enum.GetValues(typeof(RevocationAlgorithm)).Length) { throw new ArgumentException("CRI specifies unknown revocation algorithm"); } if (cri.RevocationAlg != (int)RevocationAlgorithm.ALG_NO_REVOCATION && disclosure[rhIndex]) { throw new ArgumentException("Attribute " + rhIndex + " is disclosed but also used a revocation handle attribute, which should remain hidden"); } RevocationAlgorithm revocationAlgorithm = (RevocationAlgorithm)cri.RevocationAlg; int[] hiddenIndices = HiddenIndices(disclosure); RAND rng = IdemixUtils.GetRand(); // Start signature BIG r1 = rng.RandModOrder(); BIG r2 = rng.RandModOrder(); BIG r3 = new BIG(r1); r3.InvModp(IdemixUtils.GROUP_ORDER); nonce = rng.RandModOrder(); aPrime = PAIR.G1Mul(c.A, r1); aBar = PAIR.G1Mul(c.B, r1); aBar.Sub(PAIR.G1Mul(aPrime, c.E)); bPrime = PAIR.G1Mul(c.B, r1); bPrime.Sub(PAIR.G1Mul(ipk.HRand, r2)); BIG sPrime = new BIG(c.S); sPrime.Add(BIG.ModNeg(BIG.ModMul(r2, r3, IdemixUtils.GROUP_ORDER), IdemixUtils.GROUP_ORDER)); sPrime.Mod(IdemixUtils.GROUP_ORDER); //Construct Zero Knowledge Proof BIG rsk = rng.RandModOrder(); BIG re = rng.RandModOrder(); BIG rR2 = rng.RandModOrder(); BIG rR3 = rng.RandModOrder(); BIG rSPrime = rng.RandModOrder(); BIG rRNym = rng.RandModOrder(); BIG[] rAttrs = new BIG[hiddenIndices.Length]; for (int i = 0; i < hiddenIndices.Length; i++) { rAttrs[i] = rng.RandModOrder(); } // Compute non-revoked proof INonRevocationProver prover = NonRevocationProver.GetNonRevocationProver(revocationAlgorithm); int hiddenRHIndex = Array.IndexOf(hiddenIndices, rhIndex); if (hiddenRHIndex < 0) { // rhIndex is not present, set to last index position hiddenRHIndex = hiddenIndices.Length; } byte[] nonRevokedProofHashData = prover.GetFSContribution(BIG.FromBytes(c.Attrs[rhIndex]), rAttrs[hiddenRHIndex], cri); if (nonRevokedProofHashData == null) { throw new Exception("Failed to compute non-revoked proof"); } ECP t1 = aPrime.Mul2(re, ipk.HRand, rR2); ECP t2 = PAIR.G1Mul(ipk.HRand, rSPrime); t2.Add(bPrime.Mul2(rR3, ipk.Hsk, rsk)); for (int i = 0; i < hiddenIndices.Length / 2; i++) { t2.Add(ipk.HAttrs[hiddenIndices[2 * i]].Mul2(rAttrs[2 * i], ipk.HAttrs[hiddenIndices[2 * i + 1]], rAttrs[2 * i + 1])); } if (hiddenIndices.Length % 2 != 0) { t2.Add(PAIR.G1Mul(ipk.HAttrs[hiddenIndices[hiddenIndices.Length - 1]], rAttrs[hiddenIndices.Length - 1])); } ECP t3 = ipk.Hsk.Mul2(rsk, ipk.HRand, rRNym); // create proofData such that it can contain the sign label, 7 elements in G1 (each of size 2*FIELD_BYTES+1), // the ipk hash, the disclosure array, and the message byte[] proofData = new byte[0]; proofData = proofData.Append(SIGN_LABEL.ToBytes()); proofData = proofData.Append(t1.ToBytes()); proofData = proofData.Append(t2.ToBytes()); proofData = proofData.Append(t3.ToBytes()); proofData = proofData.Append(aPrime.ToBytes()); proofData = proofData.Append(aBar.ToBytes()); proofData = proofData.Append(bPrime.ToBytes()); proofData = proofData.Append(pseudonym.Nym.ToBytes()); proofData = proofData.Append(ipk.Hash); proofData = proofData.Append(disclosure); proofData = proofData.Append(msg); BIG cvalue = proofData.HashModOrder(); byte[] finalProofData = new byte[0]; finalProofData = finalProofData.Append(cvalue.ToBytes()); finalProofData = finalProofData.Append(nonce.ToBytes()); proofC = finalProofData.HashModOrder(); proofSSk = rsk.ModAdd(BIG.ModMul(proofC, sk, IdemixUtils.GROUP_ORDER), IdemixUtils.GROUP_ORDER); proofSE = re.ModSub(BIG.ModMul(proofC, c.E, IdemixUtils.GROUP_ORDER), IdemixUtils.GROUP_ORDER); proofSR2 = rR2.ModAdd(BIG.ModMul(proofC, r2, IdemixUtils.GROUP_ORDER), IdemixUtils.GROUP_ORDER); proofSR3 = rR3.ModSub(BIG.ModMul(proofC, r3, IdemixUtils.GROUP_ORDER), IdemixUtils.GROUP_ORDER); proofSSPrime = rSPrime.ModAdd(BIG.ModMul(proofC, sPrime, IdemixUtils.GROUP_ORDER), IdemixUtils.GROUP_ORDER); proofSRNym = rRNym.ModAdd(BIG.ModMul(proofC, pseudonym.RandNym, IdemixUtils.GROUP_ORDER), IdemixUtils.GROUP_ORDER); nym = new ECP(); nym.Copy(pseudonym.Nym); proofSAttrs = new BIG[hiddenIndices.Length]; for (int i = 0; i < hiddenIndices.Length; i++) { proofSAttrs[i] = new BIG(rAttrs[i]); proofSAttrs[i].Add(BIG.ModMul(proofC, BIG.FromBytes(c.Attrs[hiddenIndices[i]]), IdemixUtils.GROUP_ORDER)); proofSAttrs[i].Mod(IdemixUtils.GROUP_ORDER); } // include non-revocation proof in signature revocationPk = cri.EpochPk; revocationPKSig = cri.EpochPkSig.ToByteArray(); epoch = cri.Epoch; nonRevocationProof = prover.GetNonRevocationProof(proofC); }