From 3baeb11a8fbcfcdbc31976d421f17b85503b3ecd Mon Sep 17 00:00:00 2001 From: WuKong Date: Fri, 4 Sep 2015 09:25:34 +0200 Subject: init attribute-based encryption Change-Id: Iba1a3d722110abf747a0fba366f3ebc911d25b25 --- moon-abe/pbc-0.5.14/example/Makefile.am | 16 ++++ moon-abe/pbc-0.5.14/example/bls.c | 133 +++++++++++++++++++++++++ moon-abe/pbc-0.5.14/example/hess.c | 109 +++++++++++++++++++++ moon-abe/pbc-0.5.14/example/joux.c | 80 ++++++++++++++++ moon-abe/pbc-0.5.14/example/paterson.c | 114 ++++++++++++++++++++++ moon-abe/pbc-0.5.14/example/yuanli.c | 165 ++++++++++++++++++++++++++++++++ moon-abe/pbc-0.5.14/example/zhangkim.c | 139 +++++++++++++++++++++++++++ moon-abe/pbc-0.5.14/example/zss.c | 70 ++++++++++++++ 8 files changed, 826 insertions(+) create mode 100644 moon-abe/pbc-0.5.14/example/Makefile.am create mode 100644 moon-abe/pbc-0.5.14/example/bls.c create mode 100644 moon-abe/pbc-0.5.14/example/hess.c create mode 100644 moon-abe/pbc-0.5.14/example/joux.c create mode 100644 moon-abe/pbc-0.5.14/example/paterson.c create mode 100644 moon-abe/pbc-0.5.14/example/yuanli.c create mode 100644 moon-abe/pbc-0.5.14/example/zhangkim.c create mode 100644 moon-abe/pbc-0.5.14/example/zss.c (limited to 'moon-abe/pbc-0.5.14/example') diff --git a/moon-abe/pbc-0.5.14/example/Makefile.am b/moon-abe/pbc-0.5.14/example/Makefile.am new file mode 100644 index 00000000..a1b60dbc --- /dev/null +++ b/moon-abe/pbc-0.5.14/example/Makefile.am @@ -0,0 +1,16 @@ +CLEANFILES = *~ +maintainer-clean-local: + -rm -rf Makefile.in + +AM_CPPFLAGS = -I../include +LDADD = ../libpbc.la -lgmp + +noinst_PROGRAMS = bls hess joux paterson yuanli zhangkim zss + +bls_SOURCES = bls.c +hess_SOURCES = hess.c +joux_SOURCES = joux.c +paterson_SOURCES = paterson.c +yuanli_SOURCES = yuanli.c +zhangkim_SOURCES = zhangkim.c +zss_SOURCES = zss.c diff --git a/moon-abe/pbc-0.5.14/example/bls.c b/moon-abe/pbc-0.5.14/example/bls.c new file mode 100644 index 00000000..8b62a097 --- /dev/null +++ b/moon-abe/pbc-0.5.14/example/bls.c @@ -0,0 +1,133 @@ +// Boneh-Lynn-Shacham short signatures demo. +// +// See the PBC_sig library for a practical implementation. +// +// Ben Lynn +#include +#include + +int main(int argc, char **argv) { + pairing_t pairing; + element_t g, h; + element_t public_key, sig; + element_t secret_key; + element_t temp1, temp2; + + pbc_demo_pairing_init(pairing, argc, argv); + + element_init_G2(g, pairing); + element_init_G2(public_key, pairing); + element_init_G1(h, pairing); + element_init_G1(sig, pairing); + element_init_GT(temp1, pairing); + element_init_GT(temp2, pairing); + element_init_Zr(secret_key, pairing); + + printf("Short signature test\n"); + + //generate system parameters + element_random(g); + element_printf("system parameter g = %B\n", g); + + //generate private key + element_random(secret_key); + element_printf("private key = %B\n", secret_key); + + //compute corresponding public key + element_pow_zn(public_key, g, secret_key); + element_printf("public key = %B\n", public_key); + + //generate element from a hash + //for toy pairings, should check that pairing(g, h) != 1 + element_from_hash(h, "hashofmessage", 13); + element_printf("message hash = %B\n", h); + + //h^secret_key is the signature + //in real life: only output the first coordinate + element_pow_zn(sig, h, secret_key); + element_printf("signature = %B\n", sig); + + { + int n = pairing_length_in_bytes_compressed_G1(pairing); + //int n = element_length_in_bytes_compressed(sig); + int i; + unsigned char *data = pbc_malloc(n); + + element_to_bytes_compressed(data, sig); + printf("compressed = "); + for (i = 0; i < n; i++) { + printf("%02X", data[i]); + } + printf("\n"); + + element_from_bytes_compressed(sig, data); + element_printf("decompressed = %B\n", sig); + + pbc_free(data); + } + + //verification part 1 + element_pairing(temp1, sig, g); + element_printf("f(sig, g) = %B\n", temp1); + + //verification part 2 + //should match above + element_pairing(temp2, h, public_key); + element_printf("f(message hash, public_key) = %B\n", temp2); + + if (!element_cmp(temp1, temp2)) { + printf("signature verifies\n"); + } else { + printf("*BUG* signature does not verify *BUG*\n"); + } + + { + int n = pairing_length_in_bytes_x_only_G1(pairing); + //int n = element_length_in_bytes_x_only(sig); + int i; + unsigned char *data = pbc_malloc(n); + + element_to_bytes_x_only(data, sig); + printf("x-coord = "); + for (i = 0; i < n; i++) { + printf("%02X", data[i]); + } + printf("\n"); + + element_from_bytes_x_only(sig, data); + element_printf("de-x-ed = %B\n", sig); + + element_pairing(temp1, sig, g); + if (!element_cmp(temp1, temp2)) { + printf("signature verifies on first guess\n"); + } else { + element_invert(temp1, temp1); + if (!element_cmp(temp1, temp2)) { + printf("signature verifies on second guess\n"); + } else { + printf("*BUG* signature does not verify *BUG*\n"); + } + } + + pbc_free(data); + } + + //a random signature shouldn't verify + element_random(sig); + element_pairing(temp1, sig, g); + if (element_cmp(temp1, temp2)) { + printf("random signature doesn't verify\n"); + } else { + printf("*BUG* random signature verifies *BUG*\n"); + } + + element_clear(sig); + element_clear(public_key); + element_clear(secret_key); + element_clear(g); + element_clear(h); + element_clear(temp1); + element_clear(temp2); + pairing_clear(pairing); + return 0; +} diff --git a/moon-abe/pbc-0.5.14/example/hess.c b/moon-abe/pbc-0.5.14/example/hess.c new file mode 100644 index 00000000..8d5a437e --- /dev/null +++ b/moon-abe/pbc-0.5.14/example/hess.c @@ -0,0 +1,109 @@ +/* + Hess ID-based signature. + Based on papers "F. Hess. Efficient Identity Based Signature Schemes Based on Pairings. SAC 2002, LNCS 2595, Springer-Verlag, 2000" + Contributed by Dmitry Kosolapov. +*/ + +#include +#include + +int main(int argc, char **argv) { + pairing_t pairing; + double time1, time2; + pbc_demo_pairing_init(pairing, argc, argv); + + element_t Qid, P, P1, Ppub, s, k, Did, r, v, u, t1, t3, t4, t5, t6, t7, t8; + mpz_t t2; + + if (!pairing_is_symmetric(pairing)) pbc_die("pairing must be symmetric"); + + mpz_init(t2); + element_init_G1(P, pairing); + element_init_G1(P1, pairing); + element_init_G1(Qid, pairing); + element_init_G1(Did, pairing); + element_init_G1(Ppub, pairing); + element_init_G1(t4, pairing); + element_init_G1(t5, pairing); + element_init_G1(u, pairing); + + element_init_Zr(s, pairing); + element_init_Zr(k, pairing); + element_init_Zr(v, pairing); + element_init_Zr(t3, pairing); + element_init_Zr(t8, pairing); + + element_init_GT(r, pairing); + element_init_GT(t1, pairing); + element_init_GT(t6, pairing); + element_init_GT(t7, pairing); + + time1 = pbc_get_time(); + printf("Hess ID-based signature protocol\n"); + printf("KEYGEN\n"); + element_random(P); + element_random(s); + element_random(Qid); + element_mul_zn(Ppub, P, s); + element_mul_zn(Did, Qid, s); + element_printf("Qid = %B\n", Qid); + element_printf("P = %B\n", P); + element_printf("Ppub = %B\n", Ppub); + + printf("SIGN\n"); + element_random(P1); + element_random(k); + element_pairing(t1, P1, P); + element_pow_zn(r, t1, k); + element_to_mpz(t2, r); + + //h3=h(m)*mpz(r); + element_from_hash(t3, "Message", 7); + element_mul_mpz(v, t3, t2); + element_mul_zn(t4, Did, v); + element_mul_zn(t5, P1, k); + element_add(u, t4, t5); + printf("Signature of message \"Message\" is:\n"); + element_printf("u = %B\n", u); + element_printf("v = %B\n", v); + + printf("VERIFY\n"); + element_pairing(t6, u, P); + element_neg(Ppub, Ppub); + element_pairing(t7, Qid, Ppub); + element_pow_zn(t7, t7, v); + element_mul(r, t6, t7); + element_to_mpz(t2, r); + element_from_hash(t3, "Message", 7); + element_mul_mpz(t8, t3, t2); + element_printf("h3(m,r) = %B\n", t8); + element_printf("v = %B\n", v); + if (!element_cmp(t8, v)) { + printf("Signature is valid!\n"); + } else { + printf("Signature is invalid!\n"); + } + time2 = pbc_get_time(); + printf("All time = %fs\n", time2 - time1); + + element_clear(P); + element_clear(P1); + element_clear(Qid); + element_clear(Did); + element_clear(Ppub); + element_clear(t4); + element_clear(t5); + element_clear(u); + element_clear(s); + element_clear(k); + element_clear(v); + element_clear(t3); + element_clear(t8); + element_clear(r); + element_clear(t1); + element_clear(t6); + element_clear(t7); + pairing_clear(pairing); + + return 0; +} diff --git a/moon-abe/pbc-0.5.14/example/joux.c b/moon-abe/pbc-0.5.14/example/joux.c new file mode 100644 index 00000000..4c7a46b9 --- /dev/null +++ b/moon-abe/pbc-0.5.14/example/joux.c @@ -0,0 +1,80 @@ +/* + Joux one round protocol for tripartite Diffie-Hellman + Based on papers "A. Joux. A One Round Protocol for Tripartie Diffie-Hellman. Proceedings of ANTS 4. LNCS 1838, pp. 385-394, 2000." + Contributed by Dmitry Kosolapov. +*/ + +#include +#include + +int main(int argc, char **argv) { + pairing_t pairing; + double time1, time2; + element_t P, a, b, c, Ka, Kb, Kc, t1, t2, t3, t4, t5, t6; + pbc_demo_pairing_init(pairing, argc, argv); + if (!pairing_is_symmetric(pairing)) pbc_die("pairing must be symmetric"); + + element_init_G1(P, pairing); + element_init_G1(t1, pairing); + element_init_G1(t2, pairing); + element_init_G1(t3, pairing); + + element_init_Zr(a, pairing); + element_init_Zr(b, pairing); + element_init_Zr(c, pairing); + + element_init_GT(t4, pairing); + element_init_GT(t5, pairing); + element_init_GT(t6, pairing); + element_init_GT(Ka, pairing); + element_init_GT(Kb, pairing); + element_init_GT(Kc, pairing); + + time1 = pbc_get_time(); + printf("Joux key agreement between A, B and C.\n"); + element_random(P); + element_random(a); + element_random(b); + element_random(c); + element_mul_zn(t1, P, a); + printf("A sends B and C: aP\n"); + element_printf("aP = %B\n", t1); + element_mul_zn(t2, P, b); + printf("B sends A and C: bP\n"); + element_printf("bP = %B\n", t2); + element_mul_zn(t3, P, c); + printf("C sends A and B: cP\n"); + element_printf("cP = %B\n", t3); + + element_pairing(t4, t2, t3); + element_pow_zn(Ka, t4, a); + element_printf("Ka = %B\n", Ka); + element_pairing(t5, t1, t3); + element_pow_zn(Kb, t5, b); + element_printf("Kb = %B\n", Kb); + element_pairing(t6, t1, t2); + element_pow_zn(Kc, t6, c); + element_printf("Kc = %B\n", Kc); + + printf("Shared key K = Ka = Kb = Kc\n"); + time2 = pbc_get_time(); + printf("All time = %fs\n", time2 - time1); + + + element_clear(P); + element_clear(a); + element_clear(b); + element_clear(c); + element_clear(Ka); + element_clear(Kb); + element_clear(Kc); + element_clear(t1); + element_clear(t2); + element_clear(t3); + element_clear(t4); + element_clear(t5); + element_clear(t6); + pairing_clear(pairing); + + return 0; +} diff --git a/moon-abe/pbc-0.5.14/example/paterson.c b/moon-abe/pbc-0.5.14/example/paterson.c new file mode 100644 index 00000000..4e21fc9f --- /dev/null +++ b/moon-abe/pbc-0.5.14/example/paterson.c @@ -0,0 +1,114 @@ +/* + Paterson ID-based signature. + Based on papers "K. G. Paterson. ID-Based Signatures from Pairings on Elliptic Curvers. Electron. Lett., Vol. 38". Available at http://eprint.iacr.org/2002/004." + Contributed by Dmitry Kosolapov. +*/ + +#include +#include + +int main(int argc, char **argv) { + pairing_t pairing; + double time1, time2; + element_t Ppub, s, P, R, k, S, Did, Qid, t1, t2, t4, t5, t6, t7, t8, + t9, t10, t11; + mpz_t t3; + mpz_init(t3); + pbc_demo_pairing_init(pairing, argc, argv); + if (!pairing_is_symmetric(pairing)) pbc_die("pairing must be symmetric"); + + element_init_G1(P, pairing); + element_init_G1(Ppub, pairing); + element_init_G1(Qid, pairing); + element_init_G1(Did, pairing); + element_init_G1(R, pairing); + element_init_G1(S, pairing); + element_init_G1(t2, pairing); + element_init_G1(t4, pairing); + element_init_G1(t5, pairing); + element_init_G1(t7, pairing); + + element_init_Zr(s, pairing); + element_init_Zr(k, pairing); + element_init_Zr(t1, pairing); + + element_init_GT(t6, pairing); + element_init_GT(t8, pairing); + element_init_GT(t9, pairing); + element_init_GT(t10, pairing); + element_init_GT(t11, pairing); + + time1 = pbc_get_time(); + printf("Paterson ID-based signature.\n"); + printf("KEYGEN\n"); + element_random(P); + element_random(s); + element_mul_zn(Ppub, P, s); + element_printf("P = %B\n", P); + element_printf("Ppub = %B\n", Ppub); + element_from_hash(Qid, "ID", 2); + element_printf("Qid = %B\n", Qid); + element_mul_zn(Did, Qid, s); + + printf("SIGN\n"); + element_random(k); + element_mul_zn(R, P, k); + element_from_hash(t1, "Message", 7); + element_mul_zn(t2, P, t1); + //H3(R)=mpz(R); +// int n = element_length_in_bytes(R); +// unsigned char *data=malloc(n); +// element_to_bytes(data, R); +// printf("data = %s\n", data); + element_to_mpz(t3, R); + element_mul_mpz(t4, Did, t3); + element_add(t5, t4, t2); + element_invert(k, k); + element_mul_zn(S, t5, k); + printf("Signature of message \"Message\" is:\n"); + element_printf("R = %B\n", R); + element_printf("S = %B\n", S); + + printf("VERIFY\n"); + element_from_hash(t1, "Message", 7); + element_mul_zn(t7, P, t1); + element_pairing(t6, P, t7); + element_pairing(t8, Ppub, Qid); + element_to_mpz(t3, R); + element_pow_mpz(t9, t8, t3); + element_printf("t8 = %B\n", t8); + element_printf("t9 = %B\n", t9); + element_mul(t10, t6, t9); + element_printf("t10 = %B\n", t10); + element_pairing(t11, R, S); + element_printf("[e(P, P)^H2(M)][e(Ppub, Qid)^H3(R)] = %B\n", t10); + element_printf("e(R, S) = %B\n", t11); + if (!element_cmp(t10, t11)) { + printf("Signature is valid!\n"); + } else { + printf("Signature is invalid!\n"); + } + time2 = pbc_get_time(); + printf("All time = %fs\n", time2 - time1); + + element_clear(P); + element_clear(Ppub); + element_clear(Qid); + element_clear(Did); + element_clear(R); + element_clear(t2); + element_clear(t4); + element_clear(t5); + element_clear(s); + element_clear(k); + element_clear(t1); + element_clear(t6); + element_clear(t7); + element_clear(t8); + element_clear(t9); + element_clear(t10); + element_clear(t11); + pairing_clear(pairing); + + return 0; +} diff --git a/moon-abe/pbc-0.5.14/example/yuanli.c b/moon-abe/pbc-0.5.14/example/yuanli.c new file mode 100644 index 00000000..a3606377 --- /dev/null +++ b/moon-abe/pbc-0.5.14/example/yuanli.c @@ -0,0 +1,165 @@ +/* Contributed by Dmitry Kosolapov + * + * I haven't tested this much, and I'm personally not familiar with + * this particular cryptosystem. -Ben Lynn + */ +/* Here we represent the original Yuan-Li ID-Based Authenticated Key Agreement Protocol, 2005. + * This protocol has 2 stages: Setup and Extract. We represent them inside one code block with demo and time outputs. + */ + +/*Yuan-Li protocol description according to: +Quan Yuan and Songping Li, A New Efficient ID-Based Authenticated Key Agreement Protocol, Cryptology ePrint Archive, Report 2005/309 + +SETUP: +KGS chooses G1, G2, e: G1*G1 -> G2, P, H: {0, 1}* -> G1, s, H - some function for key calculation. +KGS calculates Ppub = s*P, publishes {G1, G2, e, P, Ppub, H1, H} and saves s as master key. + +EXTRACT: + +For the user with ID public key can be calculated with Qid = H1(ID). KGS generates bound public key Sid = s*Qid. +1. A chooses random a from Z_p*, calculates Ta = a*P. + A -> B: Ta +2. B chooses random b from Z_p*, calculates Tb = b*P. + B -> A: Tb +3. A calculates h = a*Tb = a*b*P and shared secret key Kab = e(a*Ppub + Sa, Tb + Qb) +4. B calculates h = b*Ta = a*b*P and shared secret key Kba = e(Ta + Qa, b*Ppub + Sb) +Session key is K = H(A, B, h, Kab). +H was not defined in the original article. +I've defined it as H(A, B, h, Kab)=e(h,H1(A)+H1(B))+Kab. +*/ + +#include +#include + +int main(int argc, char **argv) { + pairing_t pairing; + double t0, t1; + element_t s, a, b, P, Ppub, Qa, Qb, Sa, Sb, Ta, Tb, Kab, Kba, K, temp1, + temp2, temp3, temp4, temp5, h; + + pbc_demo_pairing_init(pairing, argc, argv); + if (!pairing_is_symmetric(pairing)) pbc_die("pairing must be symmetric"); + + element_init_Zr(s, pairing); + element_init_Zr(a, pairing); + element_init_Zr(b, pairing); + + element_init_G1(P, pairing); + element_init_G1(Ppub, pairing); + element_init_G1(Qa, pairing); + element_init_G1(Qb, pairing); + element_init_G1(Sa, pairing); + element_init_G1(Sb, pairing); + element_init_G1(Ta, pairing); + element_init_G1(Tb, pairing); + element_init_G1(temp1, pairing); + element_init_G1(temp2, pairing); + element_init_G1(temp3, pairing); + element_init_G1(h, pairing); + + element_init_GT(Kab, pairing); + element_init_GT(Kba, pairing); + element_init_GT(K, pairing); + element_init_GT(temp4, pairing); + element_init_GT(temp5, pairing); + + printf("Yuan-Li key agreement protocol\n"); + + t0 = pbc_get_time(); + +//Setup, system parameters generation + printf("SETUP STAGE\n"); + element_random(P); + element_printf("P = %B\n", P); + element_random(s); + element_mul_zn(Ppub, P, s); + element_printf("Ppub = %B\n", Ppub); + +//Extract, key calculation + printf("EXTRACT STAGE\n"); + element_from_hash(Qa, "A", 1); + element_from_hash(Qb, "B", 1); + element_mul_zn(Sa, Qa, s); + element_mul_zn(Sb, Qb, s); + element_printf("Sa = %B\n", Sa); + element_printf("Sb = %B\n", Sb); + + printf("-----1-----\n"); + + element_random(a); + element_mul_zn(Ta, P, a); + element_printf("A sends B Ta = %B\n", Ta); + + printf("-----2-----\n"); + + element_random(b); + element_mul_zn(Tb, P, b); + element_printf("B sends A Tb = %B\n", Tb); + + printf("-----3-----\n"); + + printf("A calculates h and Kab\n"); + element_mul_zn(h, Tb, a); + element_printf("h = %B\n", h); + element_mul_zn(temp1, Ppub, a); + element_add(temp1, temp1, Sa); + element_add(temp2, Tb, Qb); + element_pairing(Kab, temp1, temp2); + element_printf("Kab = %B\n", Kab); + + printf("-----4-----\n"); + + printf("B calculates h and Kba\n"); + element_mul_zn(h, Ta, b); + element_printf("h = %B\n", h); + element_add(temp1, Ta, Qa); + element_mul_zn(temp2, Ppub, b); + element_add(temp2, temp2, Sb); + element_pairing(Kba, temp1, temp2); + element_printf("Kba = %B\n", Kba); + + printf("-----FINAL-----\n"); + + element_add(temp3, Qa, Qb); + element_pairing(temp4, h, temp3); + + element_add(K, temp4, Kab); + element_printf("A has the key K = %B\n", K); + element_set(temp5, K); + + element_add(K, temp4, Kba); + element_printf("B has the key K = %B\n", K); + + if (!element_cmp(temp5, K)) + printf("The keys are the same. Start session...\n"); + else + printf("The keys aren't the same. Try again, please.\n"); + + element_clear(K); + element_clear(Kab); + element_clear(Kba); + element_clear(h); + element_clear(temp1); + element_clear(temp2); + element_clear(temp3); + element_clear(temp4); + element_clear(temp5); + element_clear(s); + element_clear(a); + element_clear(b); + element_clear(P); + element_clear(Ppub); + element_clear(Qa); + element_clear(Qb); + element_clear(Sa); + element_clear(Sb); + element_clear(Ta); + element_clear(Tb); + + t1 = pbc_get_time(); + + printf("All time = %fs\n", t1 - t0); + printf("Have a good day!\n"); + + return 0; +} diff --git a/moon-abe/pbc-0.5.14/example/zhangkim.c b/moon-abe/pbc-0.5.14/example/zhangkim.c new file mode 100644 index 00000000..caaa0b9f --- /dev/null +++ b/moon-abe/pbc-0.5.14/example/zhangkim.c @@ -0,0 +1,139 @@ +/* + Zhang and Kim ID-based Blind Signature scheme. + Based on papers "F. Zang, K. Kim. ID-based Blind Signature and Ring Signature from Pairings. Advances in Cryptology - Asiacrypt 2002, LNCS Vol. 2510, Springer-Verlag, 2002". + Contributed by Dmitry Kosolapov. +*/ + +#include +#include + +int main(int argc, char **argv) { + pairing_t pairing; + double time1, time2; + element_t P, Ppub, s, R, Qid, Sid, a, b, r, c, S, negc, t1, t2, t3, t5, + t6, t7, t8, t9, t10, t11, t12, t14; + mpz_t t4, t13; + mpz_init(t4); + mpz_init(t13); + pbc_demo_pairing_init(pairing, argc, argv); + if (!pairing_is_symmetric(pairing)) pbc_die("pairing must be symmetric"); + element_init_G1(P, pairing); + element_init_G1(Ppub, pairing); + element_init_G1(Qid, pairing); + element_init_G1(Sid, pairing); + element_init_G1(R, pairing); + element_init_G1(S, pairing); + element_init_G1(t1, pairing); + element_init_G1(t2, pairing); + element_init_G1(t7, pairing); + element_init_G1(t8, pairing); + element_init_G1(t9, pairing); + + element_init_Zr(r, pairing); + element_init_Zr(s, pairing); + element_init_Zr(c, pairing); + element_init_Zr(a, pairing); + element_init_Zr(b, pairing); + element_init_Zr(negc, pairing); + element_init_Zr(t5, pairing); + element_init_Zr(t6, pairing); + element_init_Zr(t14, pairing); + + element_init_GT(t3, pairing); + element_init_GT(t10, pairing); + element_init_GT(t11, pairing); + element_init_GT(t12, pairing); + + time1 = pbc_get_time(); + printf("Zhang and Kim ID-based Blind Signature scheme\n"); + printf("SETUP\n"); + element_random(P); + element_random(s); + element_mul_zn(Ppub, P, s); + element_printf("P = %B\n", P); + element_printf("Ppub = %B\n", Ppub); + + printf("EXTRACT\n"); + element_from_hash(Qid, "ID", 2); + element_mul_zn(Sid, Qid, s); + element_printf("Public key Qid = %B\n", Qid); + element_printf("Private key Sid = %B\n", Sid); + + printf("BLIND SIGNATURE ISSUING PROTOCOL\n"); + element_random(r); + element_mul_zn(R, P, r); + printf("Signer sends R = rP to user\n"); + element_printf("R = %B\n", R); + printf("Blinding\n"); + element_random(a); + element_random(b); + element_mul_zn(t1, P, a); + element_add(t1, R, t1); + element_mul_zn(t2, Qid, b); + element_add(t2, t2, t1); + element_pairing(t3, t2, Ppub); + element_to_mpz(t4, t3); + element_from_hash(t5, "Message", 7); + element_mul_mpz(t6, t5, t4); + element_add(c, t6, b); + printf("User sends c to signer\n"); + element_printf("c = %B\n", c); + printf("Signing\n"); + element_mul_zn(t7, Ppub, r); + element_mul_zn(t8, Sid, c); + element_add(S, t8, t7); + printf("Signer sends S\n"); + element_printf("S = %B\n", S); + printf("Unblinding\n"); + element_mul_zn(t9, Ppub, a); + element_add(S, S, t9); + element_sub(c, c, b); + printf("Blind Signature of message \"Message\" is:\n"); + element_printf("S1 = %B\n", S); + element_printf("c1 = %B\n", c); + + printf("VERIFICATION\n"); + element_pairing(t10, Qid, Ppub); + element_neg(negc, c); + element_pow_zn(t10, t10, negc); + element_pairing(t11, S, P); + element_mul(t12, t11, t10); + element_to_mpz(t13, t12); + element_from_hash(t5, "Message", 7); + element_mul_mpz(t14, t5, t13); + element_printf("c1 = %B\n", c); + element_printf("H(m, [e(S1, P)][e(Qid, Ppub)^(-c1)]) = %B\n", t14); + + if (!element_cmp(t14, c)) printf("Signature is valid\n"); + else printf("Signature is invalid\n"); + time2 = pbc_get_time(); + printf("All time = %fs\n", time2 - time1); + + element_clear(P); + element_clear(Ppub); + element_clear(Qid); + element_clear(Sid); + element_clear(R); + element_clear(S); + element_clear(r); + element_clear(s); + element_clear(c); + element_clear(a); + element_clear(b); + element_clear(negc); + element_clear(t1); + element_clear(t2); + element_clear(t3); + element_clear(t5); + element_clear(t6); + element_clear(t14); + element_clear(t7); + element_clear(t8); + element_clear(t9); + element_clear(t10); + element_clear(t11); + element_clear(t12); + pairing_clear(pairing); + + return 0; +} diff --git a/moon-abe/pbc-0.5.14/example/zss.c b/moon-abe/pbc-0.5.14/example/zss.c new file mode 100644 index 00000000..5020a3a6 --- /dev/null +++ b/moon-abe/pbc-0.5.14/example/zss.c @@ -0,0 +1,70 @@ +/* + ZSS Short Signature Scheme from Bilinear Pairing. + Based on papers "F. Zhang, R. Safavi-Naini and W. Susilo. An Efficient Signature Scheme from Bilinear Pairings and it's Applications. PKC 2004". + Contributed by Dmitry Kosolapov. +*/ + +#include +#include + +int main(int argc, char **argv) { + pairing_t pairing; + pbc_demo_pairing_init(pairing, argc, argv); + if (!pairing_is_symmetric(pairing)) pbc_die("pairing must be symmetric"); + double time1, time2; + element_t P, Ppub, x, S, H, t1, t2, t3, t4; + element_init_Zr(x, pairing); + element_init_Zr(H, pairing); + element_init_Zr(t1, pairing); + + element_init_G1(S, pairing); + element_init_G1(P, pairing); + element_init_G1(Ppub, pairing); + element_init_G1(t2, pairing); + + element_init_GT(t3, pairing); + element_init_GT(t4, pairing); + + printf("ZSS short signature schema\n"); + printf("KEYGEN\n"); + time1 = pbc_get_time(); + element_random(x); + element_random(P); + element_mul_zn(Ppub, P, x); + element_printf("P = %B\n", P); + element_printf("x = %B\n", x); + element_printf("Ppub = %B\n", Ppub); + + printf("SIGN\n"); + element_from_hash(H, "Message", 7); + element_add(t1, H, x); + element_invert(t1, t1); + element_mul_zn(S, P, t1); + printf("Signature of message \"Message\" is:\n"); + element_printf("S = %B\n", S); + + printf("VERIFY\n"); + element_from_hash(H, "Message", 7); + element_mul_zn(t2, P, H); + element_add(t2, t2, Ppub); + element_pairing(t3, t2, S); + element_pairing(t4, P, P); + element_printf("e(H(m)P + Ppub, S) = %B\n", t3); + element_printf("e(P, P) = %B\n", t4); + if (!element_cmp(t3, t4)) printf("Signature is valid\n"); + else printf("Signature is invalid\n"); + time2 = pbc_get_time(); + printf("All time = %fs\n", time2 - time1); + element_clear(P); + element_clear(Ppub); + element_clear(x); + element_clear(S); + element_clear(H); + element_clear(t1); + element_clear(t2); + element_clear(t3); + element_clear(t4); + pairing_clear(pairing); + + return 0; +} -- cgit 1.2.3-korg