/**
* @return a random BIG in 0, ..., GROUP_ORDER-1
*/
public static BIG RandModOrder(this RAND rng)
{
BIG q = new BIG(ROM.CURVE_Order);
// Takes random element in this Zq.
return(BIG.RandomNum(q, rng));
}
public IdemixSetup(string[] attributeNames)
{
// Choose attribute names and create an issuer key pair
// this.attributeNames = new String[]{"Attribute1", "Attribute2"};
this.attributeNames = attributeNames;
key = new IdemixIssuerKey(this.attributeNames);
RAND rng = IdemixUtils.GetRand();
// Choose a user secret key and request a credential
sk = new BIG(rng.RandModOrder());
issuerNonce = new BIG(rng.RandModOrder());
idemixCredRequest = new IdemixCredRequest(sk, issuerNonce, key.Ipk); //csr
// Issue a credential
attrs = new BIG[this.attributeNames.Length];
for (int i = 0; i < this.attributeNames.Length; i++)
{
attrs[i] = new BIG(i);
}
idemixCredential = new IdemixCredential(key, idemixCredRequest, attrs); //certificate
wbbKeyPair = WeakBB.WeakBBKeyGen();
// Generate a revocation key pair
revocationKeyPair = RevocationAuthority.GenerateLongTermRevocationKey();
// Check all the generated data
CheckSetup();
}
/* get 8*MODBYTES size random number */
public static BIG random(RAND rng)
{
BIG m = new BIG(0);
int i, b, j = 0, r = 0;
/* generate random BIG */
for (i = 0; i < 8 * ROM.MODBYTES; i++)
{
if (j == 0)
{
r = rng.Byte;
}
else
{
r >>= 1;
}
b = r & 1;
m.shl(1);
m.w[0] += b; // m.inc(b);
j++;
j &= 7;
}
return(m);
}
/* Create random BIG in portable way, one bit at a time */
public static BIG RandomNum(BIG q, RAND rng)
{
DBIG d = new DBIG(0);
int i, b, j = 0, r = 0;
for (i = 0; i < 2 * q.NBits(); i++)
{
if (j == 0)
{
r = rng.Byte;
}
else
{
r >>= 1;
}
b = r & 1;
d.Shl(1);
d.w[0] += b; // m.inc(b);
j++;
j &= 7;
}
BIG m = d.Mod(q);
return(m);
}
/* One pass MPIN Client */
public static int CLIENT(int date, sbyte[] CLIENT_ID, RAND RNG, sbyte[] X, int pin, sbyte[] TOKEN, sbyte[] SEC, sbyte[] xID, sbyte[] xCID, sbyte[] PERMIT, int TimeValue, sbyte[] Y)
{
int rtn = 0;
sbyte[] pID;
if (date == 0)
{
pID = xID;
}
else
{
pID = xCID;
}
rtn = CLIENT_1(date, CLIENT_ID, RNG, X, pin, TOKEN, SEC, xID, xCID, PERMIT);
if (rtn != 0)
{
return(rtn);
}
GET_Y(TimeValue, pID, Y);
rtn = CLIENT_2(X, Y, SEC);
if (rtn != 0)
{
return(rtn);
}
return(0);
}
/* Create random BIG in portable way, one bit at a time */
public static BIG randomnum(BIG q, RAND rng)
{
DBIG d = new DBIG(0);
int i, b, j = 0, r = 0;
for (i = 0; i < 2 * ROM.MODBITS; i++)
{
if (j == 0)
{
r = rng.Byte;
}
else
{
r >>= 1;
}
b = r & 1;
d.shl(1);
d.w[0] += b; // m.inc(b);
j++;
j &= 7;
}
BIG m = d.mod(q);
return(m);
}
/*
* W=x*H(G);
* if RNG == NULL then X is passed in
* if RNG != NULL the X is passed out
* if type=0 W=x*G where G is point on the curve, else W=x*M(G), where M(G) is mapping of octet G to point on the curve
*/
public static int GET_G1_MULTIPLE(RAND rng, int type, sbyte[] X, sbyte[] G, sbyte[] W)
{
BIG x;
BIG r = new BIG(ROM.CURVE_Order);
if (rng != null)
{
x = BIG.randomnum(r, rng);
x.toBytes(X);
}
else
{
x = BIG.fromBytes(X);
}
ECP P;
if (type == 0)
{
P = ECP.fromBytes(G);
if (P.is_infinity())
{
return(INVALID_POINT);
}
}
else
{
P = mapit(G);
}
PAIR.G1mul(P, x).toBytes(W);
return(0);
}
public KeyPair()
{
RAND rng = IdemixUtils.GetRand();
Sk = rng.RandModOrder();
Pk = IdemixUtils.GenG2.Mul(Sk);
}
/* IEEE1363 ECIES encryption. Encryption of plaintext M uses public key W and produces ciphertext V,C,T */
public static sbyte[] ECIES_ENCRYPT(sbyte[] P1, sbyte[] P2, RAND RNG, sbyte[] W, sbyte[] M, sbyte[] V, sbyte[] T)
{
int i;
sbyte[] Z = new sbyte[EFS];
sbyte[] VZ = new sbyte[3 * EFS + 1];
sbyte[] K1 = new sbyte[EAS];
sbyte[] K2 = new sbyte[EAS];
sbyte[] U = new sbyte[EGS];
if (KEY_PAIR_GENERATE(RNG, U, V) != 0)
{
return(new sbyte[0]);
}
if (ECPSVDP_DH(U, W, Z) != 0)
{
return(new sbyte[0]);
}
for (i = 0; i < 2 * EFS + 1; i++)
{
VZ[i] = V[i];
}
for (i = 0; i < EFS; i++)
{
VZ[2 * EFS + 1 + i] = Z[i];
}
sbyte[] K = KDF2(VZ, P1, EFS);
for (i = 0; i < EAS; i++)
{
K1[i] = K[i];
K2[i] = K[EAS + i];
}
sbyte[] C = AES_CBC_IV0_ENCRYPT(K1, M);
sbyte[] L2 = inttoBytes(P2.Length, 8);
sbyte[] AC = new sbyte[C.Length + P2.Length + 8];
for (i = 0; i < C.Length; i++)
{
AC[i] = C[i];
}
for (i = 0; i < P2.Length; i++)
{
AC[C.Length + i] = P2[i];
}
for (i = 0; i < 8; i++)
{
AC[C.Length + P2.Length + i] = L2[i];
}
HMAC(AC, K2, T);
return(C);
}
public Rain_Handler(Vector2 draw_offset)
{
Angle = 3f;
for (int i = 0; i < sprite_count() * 2; i++)
{
Sprite_Locs[i] = new_sprite_loc(draw_offset, true);
Sprite_Rects[i] = new Rectangle(0, 0, 8, RAND.Next(4) == 0 ? 8 : 16);
}
}
/**
* Constructor
*
* @param attributeNames the names of attributes as String array (must not contain duplicates)
*/
public IdemixIssuerKey(string[] attributeNames)
{
RAND rng = IdemixUtils.GetRand();
// generate the secret key
Isk = rng.RandModOrder();
// construct the corresponding public key
Ipk = new IdemixIssuerPublicKey(attributeNames, Isk);
}
/* create random secret S */
public static int RANDOM_GENERATE(RAND rng, sbyte[] S)
{
BIG s;
BIG r = new BIG(ROM.CURVE_Order);
s = BIG.randomnum(r, rng);
s.toBytes(S);
return(0);
}
/* IEEE ECDSA Signature, C and D are signature on F using private key S */
public static int ECPSP_DSA(RAND RNG, sbyte[] S, sbyte[] F, sbyte[] C, sbyte[] D)
{
sbyte[] T = new sbyte[EFS];
BIG gx, gy, r, s, f, c, d, u, vx;
ECP G, V;
HASH H = new HASH();
H.process_array(F);
sbyte[] B = H.hash();
gx = new BIG(ROM.CURVE_Gx);
gy = new BIG(ROM.CURVE_Gy);
G = new ECP(gx, gy);
r = new BIG(ROM.CURVE_Order);
s = BIG.fromBytes(S);
f = BIG.fromBytes(B);
c = new BIG(0);
d = new BIG(0);
V = new ECP();
do
{
u = BIG.randomnum(r, RNG);
V.copy(G);
V = V.mul(u);
vx = V.X;
c.copy(vx);
c.mod(r);
if (c.iszilch())
{
continue;
}
u.invmodp(r);
d.copy(BIG.modmul(s, c, r));
d.add(f);
d.copy(BIG.modmul(u, d, r));
} while (d.iszilch());
c.toBytes(T);
for (int i = 0; i < EFS; i++)
{
C[i] = T[i];
}
d.toBytes(T);
for (int i = 0; i < EFS; i++)
{
D[i] = T[i];
}
return(0);
}
/**
* Constructor
*
* @param sk the secret key of the user
* @param ipk the public key of the issuer
*/
public IdemixPseudonym(BIG sk, IdemixIssuerPublicKey ipk)
{
if (sk == null || ipk == null)
{
throw new ArgumentException("Cannot construct idemix pseudonym from null input");
}
RAND rng = IdemixUtils.GetRand();
RandNym = rng.RandModOrder();
Nym = ipk.Hsk.Mul2(sk, ipk.HRand, RandNym);
}
/* these next two functions implement elligator squared - http://eprint.iacr.org/2014/043 */
/* Elliptic curve point E in format (0x04,x,y} is converted to form {0x0-,u,v} */
/* Note that u and v are indistinguisible from random strings */
public static int ENCODING(RAND rng, sbyte[] E)
{
int rn, m, su, sv;
sbyte[] T = new sbyte[EFS];
for (int i = 0; i < EFS; i++)
{
T[i] = E[i + 1];
}
BIG u = BIG.fromBytes(T);
for (int i = 0; i < EFS; i++)
{
T[i] = E[i + EFS + 1];
}
BIG v = BIG.fromBytes(T);
ECP P = new ECP(u, v);
if (P.is_infinity())
{
return(INVALID_POINT);
}
BIG p = new BIG(ROM.Modulus);
u = BIG.randomnum(p, rng);
su = rng.Byte; //if (su<0) su=-su;
su %= 2;
ECP W = map(u, su);
P.sub(W);
sv = P.S;
rn = unmap(v, P);
m = rng.Byte; //if (m<0) m=-m;
m %= rn;
v.inc(m + 1);
E[0] = (sbyte)(su + 2 * sv);
u.toBytes(T);
for (int i = 0; i < EFS; i++)
{
E[i + 1] = T[i];
}
v.toBytes(T);
for (int i = 0; i < EFS; i++)
{
E[i + EFS + 1] = T[i];
}
return(0);
}
/* generate random x */
public void randomnum(FF p, RAND rng)
{
int n = length;
FF d = new FF(2 * n);
for (int i = 0; i < 2 * n; i++)
{
d.v[i].copy(BIG.random(rng));
}
copy(d.dmod(p));
}
protected override Vector2 new_sprite_loc(Vector2 draw_offset, bool initial)
{
if (initial)
{
return(new Vector2(RAND.Next(Config.WINDOW_WIDTH), RAND.Next(Config.WINDOW_HEIGHT)) + draw_offset);
}
else
{
return(new Vector2(RAND.Next(Config.WINDOW_WIDTH + height_slope) - height_slope,
RAND.Next(16) - 8) + draw_offset);
}
}
public void random(RAND rng)
{
int n = length;
for (int i = 0; i < n; i++)
{
v[i].copy(BIG.random(rng));
}
/* make sure top bit is 1 */
while (v[n - 1].nbits() < ROM.MODBYTES * 8)
{
v[n - 1].copy(BIG.random(rng));
}
}
protected void reset_sprite_vel(int i)
{
Snow_Size size = particle_size(i);
Sprite_Vels[i] = size == Snow_Size.Small ?
// size == 2
new Vector2((float)(1 + (RAND.NextDouble() / 2)) / 2f, (float)(1 + (RAND.NextDouble() / 2)) / 2f) :
//new Vector2((float)(1 + (RAND.NextDouble() / 2)), (float)(1 + (RAND.NextDouble() / 2))) / 2f :
(size == Snow_Size.Medium ?
// size == 1
new Vector2((float)(1 + RAND.NextDouble()), (float)(1 + RAND.NextDouble()) * 1.5f) :
// size == 0
new Vector2((float)(1 + RAND.NextDouble()), (float)(1 + RAND.NextDouble()) * 2f));
}
/**
* Returns a random number generator, amcl.RAND,
* initialized with a fresh seed.
*
* @return a random number generator
*/
public static RAND GetRand()
{
// construct a secure seed
int seedLength = FIELD_BYTES;
SecureRandom random = new SecureRandom();
byte[] seed = random.GenerateSeed(seedLength);
// create a new amcl.RAND and initialize it with the generated seed
RAND rng = new RAND();
rng.Clean();
rng.Seed(seedLength, seed);
return(rng);
}
/**
* Constructor creating a new credential
*
* @param key the issuer key pair
* @param m a credential request
* @param attrs an array of attribute values as BIG
*/
public IdemixCredential(IdemixIssuerKey key, IdemixCredRequest m, BIG[] attrs)
{
if (key == null || key.Ipk == null || m == null || attrs == null)
{
throw new ArgumentException("Cannot create idemix credential from null input");
}
if (attrs.Length != key.Ipk.AttributeNames.Length)
{
throw new ArgumentException("Amount of attribute values does not match amount of attributes in issuer public key");
}
RAND rng = IdemixUtils.GetRand();
// Place a BBS+ signature on the user key and the attribute values
// (For BBS+, see "Constant-Size Dynamic k-TAA" by Man Ho Au, Willy Susilo, Yi Mu)
E = rng.RandModOrder();
S = rng.RandModOrder();
B = new ECP();
B.Copy(IdemixUtils.GenG1);
B.Add(m.Nym);
B.Add(key.Ipk.HRand.Mul(S));
for (int i = 0; i < attrs.Length / 2; i++)
{
B.Add(key.Ipk.HAttrs[2 * i].Mul2(attrs[2 * i], key.Ipk.HAttrs[2 * i + 1], attrs[2 * i + 1]));
}
if (attrs.Length % 2 != 0)
{
B.Add(key.Ipk.HAttrs[attrs.Length - 1].Mul(attrs[attrs.Length - 1]));
}
BIG exp = new BIG(key.Isk).Plus(E);
exp.Mod(IdemixUtils.GROUP_ORDER);
exp.InvModp(IdemixUtils.GROUP_ORDER);
A = B.Mul(exp);
Attrs = new byte[attrs.Length][];
for (int i = 0; i < attrs.Length; i++)
{
byte[] b = new byte[IdemixUtils.FIELD_BYTES];
attrs[i].ToBytes(b);
Attrs[i] = b;
}
}
public static void Main(string[] args)
{
int i;
int RFS = RSA.RFS;
string message = "Hello World\n";
rsa_public_key pub = new rsa_public_key(ROM.FFLEN);
rsa_private_key priv = new rsa_private_key(ROM.HFLEN);
sbyte[] ML = new sbyte[RFS];
sbyte[] C = new sbyte[RFS];
sbyte[] RAW = new sbyte[100];
RAND rng = new RAND();
rng.clean();
for (i = 0; i < 100; i++)
{
RAW[i] = (sbyte)(i);
}
rng.seed(100, RAW);
//for (i=0;i<10;i++)
//{
Console.WriteLine("Generating public/private key pair");
RSA.KEY_PAIR(rng, 65537, priv, pub);
sbyte[] M = message.GetBytes();
Console.Write("Encrypting test string\n");
sbyte[] E = RSA.OAEP_ENCODE(M, rng, null); // OAEP encode message M to E
RSA.ENCRYPT(pub, E, C); // encrypt encoded message
Console.Write("Ciphertext= 0x");
RSA.printBinary(C);
Console.Write("Decrypting test string\n");
RSA.DECRYPT(priv, C, ML);
sbyte[] MS = RSA.OAEP_DECODE(null, ML); // OAEP decode message
message = StringHelperClass.NewString(MS);
Console.Write(message);
//}
RSA.PRIVATE_KEY_KILL(priv);
}
private static RedisWorkload mockRedisWorkload(int type = -1)
{
RedisWorkload workload = new RedisWorkload();
workload.hashId = RandomString(10);
workload.key = BitConverter.GetBytes(RAND.Next(0, int.MaxValue));
workload.type = (RedisWorkloadType)(type == -1 ? RAND.Next(0, 6) : type);
if (workload.type == RedisWorkloadType.HGet ||
workload.type == RedisWorkloadType.HGetAll ||
workload.type == RedisWorkloadType.HMGet)
{
workload.value = null;
}
else
{
workload.value = RandomBytes(32);
}
return(workload);
}
/**
* Constructor
*
* @param sk the secret key of the user
* @param issuerNonce a nonce
* @param ipk the issuer public key
*/
public IdemixCredRequest(BIG sk, BIG issuerNonce, IdemixIssuerPublicKey ipk)
{
if (sk == null)
{
throw new ArgumentException("Cannot create idemix credrequest from null Secret Key input");
}
if (issuerNonce == null)
{
throw new ArgumentException("Cannot create idemix credrequest from null issuer nonce input");
}
if (ipk == null)
{
throw new ArgumentException("Cannot create idemix credrequest from null Issuer Public Key input");
}
RAND rng = IdemixUtils.GetRand();
Nym = ipk.Hsk.Mul(sk);
this.issuerNonce = new BIG(issuerNonce);
// Create Zero Knowledge Proof
BIG rsk = rng.RandModOrder();
ECP t = ipk.Hsk.Mul(rsk);
// Make proofData: total 3 elements of G1, each 2*FIELD_BYTES+1 (ECP),
// plus length of String array,
// plus one BIG
byte[] proofData = new byte[0];
proofData = proofData.Append(CREDREQUEST_LABEL.ToBytes());
proofData = proofData.Append(t.ToBytes());
proofData = proofData.Append(ipk.Hsk.ToBytes());
proofData = proofData.Append(Nym.ToBytes());
proofData = proofData.Append(issuerNonce.ToBytes());
proofData = proofData.Append(ipk.Hash);
proofC = proofData.HashModOrder();
// Compute proofS = ...
proofS = BIG.ModMul(proofC, sk, IdemixUtils.GROUP_ORDER).Plus(rsk);
proofS.Mod(IdemixUtils.GROUP_ORDER);
}
/* Calculate a public/private EC GF(p) key pair W,S where W=S.G mod EC(p),
* where S is the secret key and W is the public key
* and G is fixed generator.
* If RNG is NULL then the private key is provided externally in S
* otherwise it is generated randomly internally */
public static int KEY_PAIR_GENERATE(RAND RNG, sbyte[] S, sbyte[] W)
{
BIG r, gx, gy, s;
ECP G, WP;
int res = 0;
sbyte[] T = new sbyte[EFS];
gx = new BIG(ROM.CURVE_Gx);
if (ROM.CURVETYPE != ROM.MONTGOMERY)
{
gy = new BIG(ROM.CURVE_Gy);
G = new ECP(gx, gy);
}
else
{
G = new ECP(gx);
}
r = new BIG(ROM.CURVE_Order);
if (RNG == null)
{
s = BIG.fromBytes(S);
}
else
{
s = BIG.randomnum(r, RNG);
s.toBytes(T);
for (int i = 0; i < EGS; i++)
{
S[i] = T[i];
}
}
WP = G.mul(s);
WP.toBytes(W);
return(res);
}
/**
* Constructor
*
* @param sk the secret key
* @param pseudonym the pseudonym with respect to which this signature can be verified
* @param ipk the issuer public key
* @param msg the message to be signed
*/
public IdemixPseudonymSignature(BIG sk, IdemixPseudonym pseudonym, IdemixIssuerPublicKey ipk, byte[] msg)
{
if (sk == null || pseudonym == null || pseudonym.Nym == null || pseudonym.RandNym == null || ipk == null || msg == null)
{
throw new ArgumentException("Cannot create IdemixPseudonymSignature from null input");
}
RAND rng = IdemixUtils.GetRand();
nonce = rng.RandModOrder();
//Construct Zero Knowledge Proof
BIG rsk = rng.RandModOrder();
BIG rRNym = rng.RandModOrder();
ECP t = ipk.Hsk.Mul2(rsk, ipk.HRand, rRNym);
// create array for proof data that will contain the sign label, 2 ECPs (each of length 2* FIELD_BYTES + 1), the ipk hash and the message
byte[] proofData = new byte[0];
proofData = proofData.Append(NYM_SIGN_LABEL.ToBytes());
proofData = proofData.Append(t.ToBytes());
proofData = proofData.Append(pseudonym.Nym.ToBytes());
proofData = proofData.Append(ipk.Hash);
proofData = proofData.Append(msg);
BIG cvalue = proofData.HashModOrder();
byte[] finalProofData = new byte[0];
finalProofData = finalProofData.Append(cvalue.ToBytes());
finalProofData = finalProofData.Append(nonce.ToBytes());
proofC = finalProofData.HashModOrder();
proofSSk = new BIG(rsk);
proofSSk.Add(BIG.ModMul(proofC, sk, IdemixUtils.GROUP_ORDER));
proofSSk.Mod(IdemixUtils.GROUP_ORDER);
proofSRNym = new BIG(rRNym);
proofSRNym.Add(BIG.ModMul(proofC, pseudonym.RandNym, IdemixUtils.GROUP_ORDER));
proofSRNym.Mod(IdemixUtils.GROUP_ORDER);
}
/// <summary>
/// Creates instance from char array.
/// </summary>
/// <param name="chars">Char array to be encrypted.</param>
/// <param name="password">Password to generate key to encrypt and decrypt.</param>
/// <param name="saltLenght">Salt length to generate key.</param>
/// <param name="iterationCount">Iteration count to generate key.</param>
/// <param name="keySize">Key size in bit.</param>
/// <param name="cipherMode"><see cref="CipherMode"/>.</param>
/// <param name="paddingMode"><see cref="PaddingMode"/>.</param>
/// <returns>PBEProtectedString instance.</returns>
public static PBEProtectedString FromChars(char[] chars, byte[] password, int saltLenght = 128, int iterationCount = 4096, int keySize = 256, CipherMode cipherMode = CipherMode.CBC, PaddingMode paddingMode = PaddingMode.PKCS7)
{
var ps = new PBEProtectedString(keySize, cipherMode, paddingMode);
if (saltLenght > 0)
{
ps.Salt = RAND.NextBytes(saltLenght);
}
ps.generateKey(password, iterationCount, BLOCK_SIZE);
using (var aes = Aes.Create())
{
aes.KeySize = ps.keySize;
aes.BlockSize = BLOCK_SIZE;
aes.Mode = ps.cipherMode;
aes.Padding = ps.paddingMode;
aes.Key = ps.key;
aes.IV = ps.iv;
using (var memory = new MemoryStream())
{
using (var encryptor = aes.CreateEncryptor())
using (var stream = new CryptoStream(memory, encryptor, CryptoStreamMode.Write))
using (var writer = new StreamWriter(stream, ENCODING))
{
writer.Write(chars);
}
ps.EncryptedData = memory.ToArray();
}
}
return(ps);
}
public override void update(Vector2 draw_offset)
{
for (int i = 0; i < sprite_count() * 2; i++)
{
Sprite_Locs[i] += new Vector2(4) * new Vector2(1, Angle);
// If fell off the screen
if (Sprite_Locs[i].Y > (Config.WINDOW_HEIGHT + draw_offset.Y) ||
// If went off the right edge
Sprite_Locs[i].X > (Config.WINDOW_WIDTH + 16 + draw_offset.X))
{
Sprite_Locs[i] = new_sprite_loc(draw_offset, false);
Sprite_Rects[i] = new Rectangle(0, 0, 8, RAND.Next(4) == 0 ? 8 : 16);
}
// If off the top of the screen due to scrolling
else if (Sprite_Locs[i].Y + Sprite_Rects[i].Y < draw_offset.Y)
{
Sprite_Locs[i] += new Vector2(0, Config.WINDOW_HEIGHT);
}
// If off the left of the screen due to scrolling
//else if (Sprite_Locs[i].X + Sprite_Rects[i].X < -16 + draw_offset.X) //Debug
// Sprite_Locs[i] += new Vector2(Config.WINDOW_WIDTH + 32, 0);
}
base.update(draw_offset);
}
public static void Main(string[] args)
{
int i, j = 0, res;
int result;
string pp = "M0ng00se";
int EGS = ECDH.EGS;
int EFS = ECDH.EFS;
int EAS = AES.KS;
sbyte[] S1 = new sbyte[EGS];
sbyte[] W0 = new sbyte[2 * EFS + 1];
sbyte[] W1 = new sbyte[2 * EFS + 1];
sbyte[] Z0 = new sbyte[EFS];
sbyte[] Z1 = new sbyte[EFS];
sbyte[] RAW = new sbyte[100];
sbyte[] SALT = new sbyte[8];
RAND rng = new RAND();
rng.clean();
for (i = 0; i < 100; i++)
{
RAW[i] = (sbyte)(i);
}
rng.seed(100, RAW);
//for (j=0;j<100;j++)
//{
for (i = 0; i < 8; i++)
{
SALT[i] = (sbyte)(i + 1); // set Salt
}
Console.WriteLine("Alice's Passphrase= " + pp);
sbyte[] PW = pp.GetBytes();
/* private key S0 of size EGS bytes derived from Password and Salt */
sbyte[] S0 = ECDH.PBKDF2(PW, SALT, 1000, EGS);
Console.Write("Alice's private key= 0x");
printBinary(S0);
/* Generate Key pair S/W */
ECDH.KEY_PAIR_GENERATE(null, S0, W0);
Console.Write("Alice's public key= 0x");
printBinary(W0);
res = ECDH.PUBLIC_KEY_VALIDATE(true, W0);
if (res != 0)
{
Console.WriteLine("Alice's public Key is invalid!\n");
return;
}
/* Random private key for other party */
ECDH.KEY_PAIR_GENERATE(rng, S1, W1);
Console.Write("Servers private key= 0x");
printBinary(S1);
Console.Write("Servers public key= 0x");
printBinary(W1);
res = ECDH.PUBLIC_KEY_VALIDATE(true, W1);
if (res != 0)
{
Console.Write("Server's public Key is invalid!\n");
return;
}
/* Calculate common key using DH - IEEE 1363 method */
ECDH.ECPSVDP_DH(S0, W1, Z0);
ECDH.ECPSVDP_DH(S1, W0, Z1);
bool same = true;
for (i = 0; i < EFS; i++)
{
if (Z0[i] != Z1[i])
{
same = false;
}
}
if (!same)
{
Console.WriteLine("*** ECPSVDP-DH Failed");
return;
}
sbyte[] KEY = ECDH.KDF1(Z0, EAS);
Console.Write("Alice's DH Key= 0x");
printBinary(KEY);
Console.Write("Servers DH Key= 0x");
printBinary(KEY);
//}
//System.out.println("Test Completed Successfully");
}
/**
* Create a new IdemixSignature by proving knowledge of a credential
*
* @param c the credential used to create an idemix signature
* @param sk the signer's secret key
* @param pseudonym a pseudonym of the signer
* @param ipk the issuer public key
* @param disclosure a bool-array that steers the disclosure of attributes
* @param msg the message to be signed
* @param rhIndex the index of the attribute that represents the revocation handle
* @param cri the credential revocation information that allows the signer to prove non-revocation
*/
public IdemixSignature(IdemixCredential c, BIG sk, IdemixPseudonym pseudonym, IdemixIssuerPublicKey ipk, bool[] disclosure, byte[] msg, int rhIndex, CredentialRevocationInformation cri)
{
if (c == null || sk == null || pseudonym == null || pseudonym.Nym == null || pseudonym.RandNym == null || ipk == null || disclosure == null || msg == null || cri == null)
{
throw new ArgumentException("Cannot construct idemix signature from null input");
}
if (disclosure.Length != c.Attrs.Length)
{
throw new ArgumentException("Disclosure length must be the same as the number of attributes");
}
if (cri.RevocationAlg >= Enum.GetValues(typeof(RevocationAlgorithm)).Length)
{
throw new ArgumentException("CRI specifies unknown revocation algorithm");
}
if (cri.RevocationAlg != (int)RevocationAlgorithm.ALG_NO_REVOCATION && disclosure[rhIndex])
{
throw new ArgumentException("Attribute " + rhIndex + " is disclosed but also used a revocation handle attribute, which should remain hidden");
}
RevocationAlgorithm revocationAlgorithm = (RevocationAlgorithm)cri.RevocationAlg;
int[] hiddenIndices = HiddenIndices(disclosure);
RAND rng = IdemixUtils.GetRand();
// Start signature
BIG r1 = rng.RandModOrder();
BIG r2 = rng.RandModOrder();
BIG r3 = new BIG(r1);
r3.InvModp(IdemixUtils.GROUP_ORDER);
nonce = rng.RandModOrder();
aPrime = PAIR.G1Mul(c.A, r1);
aBar = PAIR.G1Mul(c.B, r1);
aBar.Sub(PAIR.G1Mul(aPrime, c.E));
bPrime = PAIR.G1Mul(c.B, r1);
bPrime.Sub(PAIR.G1Mul(ipk.HRand, r2));
BIG sPrime = new BIG(c.S);
sPrime.Add(BIG.ModNeg(BIG.ModMul(r2, r3, IdemixUtils.GROUP_ORDER), IdemixUtils.GROUP_ORDER));
sPrime.Mod(IdemixUtils.GROUP_ORDER);
//Construct Zero Knowledge Proof
BIG rsk = rng.RandModOrder();
BIG re = rng.RandModOrder();
BIG rR2 = rng.RandModOrder();
BIG rR3 = rng.RandModOrder();
BIG rSPrime = rng.RandModOrder();
BIG rRNym = rng.RandModOrder();
BIG[] rAttrs = new BIG[hiddenIndices.Length];
for (int i = 0; i < hiddenIndices.Length; i++)
{
rAttrs[i] = rng.RandModOrder();
}
// Compute non-revoked proof
INonRevocationProver prover = NonRevocationProver.GetNonRevocationProver(revocationAlgorithm);
int hiddenRHIndex = Array.IndexOf(hiddenIndices, rhIndex);
if (hiddenRHIndex < 0)
{
// rhIndex is not present, set to last index position
hiddenRHIndex = hiddenIndices.Length;
}
byte[] nonRevokedProofHashData = prover.GetFSContribution(BIG.FromBytes(c.Attrs[rhIndex]), rAttrs[hiddenRHIndex], cri);
if (nonRevokedProofHashData == null)
{
throw new Exception("Failed to compute non-revoked proof");
}
ECP t1 = aPrime.Mul2(re, ipk.HRand, rR2);
ECP t2 = PAIR.G1Mul(ipk.HRand, rSPrime);
t2.Add(bPrime.Mul2(rR3, ipk.Hsk, rsk));
for (int i = 0; i < hiddenIndices.Length / 2; i++)
{
t2.Add(ipk.HAttrs[hiddenIndices[2 * i]].Mul2(rAttrs[2 * i], ipk.HAttrs[hiddenIndices[2 * i + 1]], rAttrs[2 * i + 1]));
}
if (hiddenIndices.Length % 2 != 0)
{
t2.Add(PAIR.G1Mul(ipk.HAttrs[hiddenIndices[hiddenIndices.Length - 1]], rAttrs[hiddenIndices.Length - 1]));
}
ECP t3 = ipk.Hsk.Mul2(rsk, ipk.HRand, rRNym);
// create proofData such that it can contain the sign label, 7 elements in G1 (each of size 2*FIELD_BYTES+1),
// the ipk hash, the disclosure array, and the message
byte[] proofData = new byte[0];
proofData = proofData.Append(SIGN_LABEL.ToBytes());
proofData = proofData.Append(t1.ToBytes());
proofData = proofData.Append(t2.ToBytes());
proofData = proofData.Append(t3.ToBytes());
proofData = proofData.Append(aPrime.ToBytes());
proofData = proofData.Append(aBar.ToBytes());
proofData = proofData.Append(bPrime.ToBytes());
proofData = proofData.Append(pseudonym.Nym.ToBytes());
proofData = proofData.Append(ipk.Hash);
proofData = proofData.Append(disclosure);
proofData = proofData.Append(msg);
BIG cvalue = proofData.HashModOrder();
byte[] finalProofData = new byte[0];
finalProofData = finalProofData.Append(cvalue.ToBytes());
finalProofData = finalProofData.Append(nonce.ToBytes());
proofC = finalProofData.HashModOrder();
proofSSk = rsk.ModAdd(BIG.ModMul(proofC, sk, IdemixUtils.GROUP_ORDER), IdemixUtils.GROUP_ORDER);
proofSE = re.ModSub(BIG.ModMul(proofC, c.E, IdemixUtils.GROUP_ORDER), IdemixUtils.GROUP_ORDER);
proofSR2 = rR2.ModAdd(BIG.ModMul(proofC, r2, IdemixUtils.GROUP_ORDER), IdemixUtils.GROUP_ORDER);
proofSR3 = rR3.ModSub(BIG.ModMul(proofC, r3, IdemixUtils.GROUP_ORDER), IdemixUtils.GROUP_ORDER);
proofSSPrime = rSPrime.ModAdd(BIG.ModMul(proofC, sPrime, IdemixUtils.GROUP_ORDER), IdemixUtils.GROUP_ORDER);
proofSRNym = rRNym.ModAdd(BIG.ModMul(proofC, pseudonym.RandNym, IdemixUtils.GROUP_ORDER), IdemixUtils.GROUP_ORDER);
nym = new ECP();
nym.Copy(pseudonym.Nym);
proofSAttrs = new BIG[hiddenIndices.Length];
for (int i = 0; i < hiddenIndices.Length; i++)
{
proofSAttrs[i] = new BIG(rAttrs[i]);
proofSAttrs[i].Add(BIG.ModMul(proofC, BIG.FromBytes(c.Attrs[hiddenIndices[i]]), IdemixUtils.GROUP_ORDER));
proofSAttrs[i].Mod(IdemixUtils.GROUP_ORDER);
}
// include non-revocation proof in signature
revocationPk = cri.EpochPk;
revocationPKSig = cri.EpochPkSig.ToByteArray();
epoch = cri.Epoch;
nonRevocationProof = prover.GetNonRevocationProof(proofC);
}
