├── .gitignore
├── LICENCE
├── README.md
├── TIMELINE.md
├── demo.py
├── docs
    ├── ath-floss-pres.tex
    ├── gsoc-summit-pres.tex
    ├── metrics.bib
    ├── metrics.tex
    ├── pdf
    │   ├── ath-floss-pres.pdf
    │   └── metrics.pdf
    └── zeus-chart.eps
├── flz16
    ├── __init__.py
    ├── crs.py
    ├── ilin2.py
    ├── prover.py
    ├── tests
    │   ├── __init__.py
    │   ├── test_prover_verifier.py
    │   └── test_utils.py
    ├── utils.py
    └── verifier.py
├── libffpy
    ├── __init__.py
    ├── demo.py
    ├── libff_wrapper.cpp
    ├── libff_wrapper.h
    ├── libffpy.pxd
    ├── libffpy.pyx
    ├── setup.py
    └── tests
    │   ├── __init__.py
    │   ├── test_bignum.py
    │   ├── test_g1.py
    │   ├── test_g2.py
    │   └── test_gt.py
└── setup.py


/.gitignore:
--------------------------------------------------------------------------------
1 | *.swp
2 | *.pyc
3 | *.so
4 | 


--------------------------------------------------------------------------------
/LICENCE:
--------------------------------------------------------------------------------
  1 |                     GNU AFFERO GENERAL PUBLIC LICENSE
  2 |                        Version 3, 19 November 2007
  3 | 
  4 |  Copyright (C) 2007 Free Software Foundation, Inc. <http://fsf.org/>
  5 |  Everyone is permitted to copy and distribute verbatim copies
  6 |  of this license document, but changing it is not allowed.
  7 | 
  8 |                             Preamble
  9 | 
 10 |   The GNU Affero General Public License is a free, copyleft license for
 11 | software and other kinds of works, specifically designed to ensure
 12 | cooperation with the community in the case of network server software.
 13 | 
 14 |   The licenses for most software and other practical works are designed
 15 | to take away your freedom to share and change the works.  By contrast,
 16 | our General Public Licenses are intended to guarantee your freedom to
 17 | share and change all versions of a program--to make sure it remains free
 18 | software for all its users.
 19 | 
 20 |   When we speak of free software, we are referring to freedom, not
 21 | price.  Our General Public Licenses are designed to make sure that you
 22 | have the freedom to distribute copies of free software (and charge for
 23 | them if you wish), that you receive source code or can get it if you
 24 | want it, that you can change the software or use pieces of it in new
 25 | free programs, and that you know you can do these things.
 26 | 
 27 |   Developers that use our General Public Licenses protect your rights
 28 | with two steps: (1) assert copyright on the software, and (2) offer
 29 | you this License which gives you legal permission to copy, distribute
 30 | and/or modify the software.
 31 | 
 32 |   A secondary benefit of defending all users' freedom is that
 33 | improvements made in alternate versions of the program, if they
 34 | receive widespread use, become available for other developers to
 35 | incorporate.  Many developers of free software are heartened and
 36 | encouraged by the resulting cooperation.  However, in the case of
 37 | software used on network servers, this result may fail to come about.
 38 | The GNU General Public License permits making a modified version and
 39 | letting the public access it on a server without ever releasing its
 40 | source code to the public.
 41 | 
 42 |   The GNU Affero General Public License is designed specifically to
 43 | ensure that, in such cases, the modified source code becomes available
 44 | to the community.  It requires the operator of a network server to
 45 | provide the source code of the modified version running there to the
 46 | users of that server.  Therefore, public use of a modified version, on
 47 | a publicly accessible server, gives the public access to the source
 48 | code of the modified version.
 49 | 
 50 |   An older license, called the Affero General Public License and
 51 | published by Affero, was designed to accomplish similar goals.  This is
 52 | a different license, not a version of the Affero GPL, but Affero has
 53 | released a new version of the Affero GPL which permits relicensing under
 54 | this license.
 55 | 
 56 |   The precise terms and conditions for copying, distribution and
 57 | modification follow.
 58 | 
 59 |                        TERMS AND CONDITIONS
 60 | 
 61 |   0. Definitions.
 62 | 
 63 |   "This License" refers to version 3 of the GNU Affero General Public License.
 64 | 
 65 |   "Copyright" also means copyright-like laws that apply to other kinds of
 66 | works, such as semiconductor masks.
 67 | 
 68 |   "The Program" refers to any copyrightable work licensed under this
 69 | License.  Each licensee is addressed as "you".  "Licensees" and
 70 | "recipients" may be individuals or organizations.
 71 | 
 72 |   To "modify" a work means to copy from or adapt all or part of the work
 73 | in a fashion requiring copyright permission, other than the making of an
 74 | exact copy.  The resulting work is called a "modified version" of the
 75 | earlier work or a work "based on" the earlier work.
 76 | 
 77 |   A "covered work" means either the unmodified Program or a work based
 78 | on the Program.
 79 | 
 80 |   To "propagate" a work means to do anything with it that, without
 81 | permission, would make you directly or secondarily liable for
 82 | infringement under applicable copyright law, except executing it on a
 83 | computer or modifying a private copy.  Propagation includes copying,
 84 | distribution (with or without modification), making available to the
 85 | public, and in some countries other activities as well.
 86 | 
 87 |   To "convey" a work means any kind of propagation that enables other
 88 | parties to make or receive copies.  Mere interaction with a user through
 89 | a computer network, with no transfer of a copy, is not conveying.
 90 | 
 91 |   An interactive user interface displays "Appropriate Legal Notices"
 92 | to the extent that it includes a convenient and prominently visible
 93 | feature that (1) displays an appropriate copyright notice, and (2)
 94 | tells the user that there is no warranty for the work (except to the
 95 | extent that warranties are provided), that licensees may convey the
 96 | work under this License, and how to view a copy of this License.  If
 97 | the interface presents a list of user commands or options, such as a
 98 | menu, a prominent item in the list meets this criterion.
 99 | 
100 |   1. Source Code.
101 | 
102 |   The "source code" for a work means the preferred form of the work
103 | for making modifications to it.  "Object code" means any non-source
104 | form of a work.
105 | 
106 |   A "Standard Interface" means an interface that either is an official
107 | standard defined by a recognized standards body, or, in the case of
108 | interfaces specified for a particular programming language, one that
109 | is widely used among developers working in that language.
110 | 
111 |   The "System Libraries" of an executable work include anything, other
112 | than the work as a whole, that (a) is included in the normal form of
113 | packaging a Major Component, but which is not part of that Major
114 | Component, and (b) serves only to enable use of the work with that
115 | Major Component, or to implement a Standard Interface for which an
116 | implementation is available to the public in source code form.  A
117 | "Major Component", in this context, means a major essential component
118 | (kernel, window system, and so on) of the specific operating system
119 | (if any) on which the executable work runs, or a compiler used to
120 | produce the work, or an object code interpreter used to run it.
121 | 
122 |   The "Corresponding Source" for a work in object code form means all
123 | the source code needed to generate, install, and (for an executable
124 | work) run the object code and to modify the work, including scripts to
125 | control those activities.  However, it does not include the work's
126 | System Libraries, or general-purpose tools or generally available free
127 | programs which are used unmodified in performing those activities but
128 | which are not part of the work.  For example, Corresponding Source
129 | includes interface definition files associated with source files for
130 | the work, and the source code for shared libraries and dynamically
131 | linked subprograms that the work is specifically designed to require,
132 | such as by intimate data communication or control flow between those
133 | subprograms and other parts of the work.
134 | 
135 |   The Corresponding Source need not include anything that users
136 | can regenerate automatically from other parts of the Corresponding
137 | Source.
138 | 
139 |   The Corresponding Source for a work in source code form is that
140 | same work.
141 | 
142 |   2. Basic Permissions.
143 | 
144 |   All rights granted under this License are granted for the term of
145 | copyright on the Program, and are irrevocable provided the stated
146 | conditions are met.  This License explicitly affirms your unlimited
147 | permission to run the unmodified Program.  The output from running a
148 | covered work is covered by this License only if the output, given its
149 | content, constitutes a covered work.  This License acknowledges your
150 | rights of fair use or other equivalent, as provided by copyright law.
151 | 
152 |   You may make, run and propagate covered works that you do not
153 | convey, without conditions so long as your license otherwise remains
154 | in force.  You may convey covered works to others for the sole purpose
155 | of having them make modifications exclusively for you, or provide you
156 | with facilities for running those works, provided that you comply with
157 | the terms of this License in conveying all material for which you do
158 | not control copyright.  Those thus making or running the covered works
159 | for you must do so exclusively on your behalf, under your direction
160 | and control, on terms that prohibit them from making any copies of
161 | your copyrighted material outside their relationship with you.
162 | 
163 |   Conveying under any other circumstances is permitted solely under
164 | the conditions stated below.  Sublicensing is not allowed; section 10
165 | makes it unnecessary.
166 | 
167 |   3. Protecting Users' Legal Rights From Anti-Circumvention Law.
168 | 
169 |   No covered work shall be deemed part of an effective technological
170 | measure under any applicable law fulfilling obligations under article
171 | 11 of the WIPO copyright treaty adopted on 20 December 1996, or
172 | similar laws prohibiting or restricting circumvention of such
173 | measures.
174 | 
175 |   When you convey a covered work, you waive any legal power to forbid
176 | circumvention of technological measures to the extent such circumvention
177 | is effected by exercising rights under this License with respect to
178 | the covered work, and you disclaim any intention to limit operation or
179 | modification of the work as a means of enforcing, against the work's
180 | users, your or third parties' legal rights to forbid circumvention of
181 | technological measures.
182 | 
183 |   4. Conveying Verbatim Copies.
184 | 
185 |   You may convey verbatim copies of the Program's source code as you
186 | receive it, in any medium, provided that you conspicuously and
187 | appropriately publish on each copy an appropriate copyright notice;
188 | keep intact all notices stating that this License and any
189 | non-permissive terms added in accord with section 7 apply to the code;
190 | keep intact all notices of the absence of any warranty; and give all
191 | recipients a copy of this License along with the Program.
192 | 
193 |   You may charge any price or no price for each copy that you convey,
194 | and you may offer support or warranty protection for a fee.
195 | 
196 |   5. Conveying Modified Source Versions.
197 | 
198 |   You may convey a work based on the Program, or the modifications to
199 | produce it from the Program, in the form of source code under the
200 | terms of section 4, provided that you also meet all of these conditions:
201 | 
202 |     a) The work must carry prominent notices stating that you modified
203 |     it, and giving a relevant date.
204 | 
205 |     b) The work must carry prominent notices stating that it is
206 |     released under this License and any conditions added under section
207 |     7.  This requirement modifies the requirement in section 4 to
208 |     "keep intact all notices".
209 | 
210 |     c) You must license the entire work, as a whole, under this
211 |     License to anyone who comes into possession of a copy.  This
212 |     License will therefore apply, along with any applicable section 7
213 |     additional terms, to the whole of the work, and all its parts,
214 |     regardless of how they are packaged.  This License gives no
215 |     permission to license the work in any other way, but it does not
216 |     invalidate such permission if you have separately received it.
217 | 
218 |     d) If the work has interactive user interfaces, each must display
219 |     Appropriate Legal Notices; however, if the Program has interactive
220 |     interfaces that do not display Appropriate Legal Notices, your
221 |     work need not make them do so.
222 | 
223 |   A compilation of a covered work with other separate and independent
224 | works, which are not by their nature extensions of the covered work,
225 | and which are not combined with it such as to form a larger program,
226 | in or on a volume of a storage or distribution medium, is called an
227 | "aggregate" if the compilation and its resulting copyright are not
228 | used to limit the access or legal rights of the compilation's users
229 | beyond what the individual works permit.  Inclusion of a covered work
230 | in an aggregate does not cause this License to apply to the other
231 | parts of the aggregate.
232 | 
233 |   6. Conveying Non-Source Forms.
234 | 
235 |   You may convey a covered work in object code form under the terms
236 | of sections 4 and 5, provided that you also convey the
237 | machine-readable Corresponding Source under the terms of this License,
238 | in one of these ways:
239 | 
240 |     a) Convey the object code in, or embodied in, a physical product
241 |     (including a physical distribution medium), accompanied by the
242 |     Corresponding Source fixed on a durable physical medium
243 |     customarily used for software interchange.
244 | 
245 |     b) Convey the object code in, or embodied in, a physical product
246 |     (including a physical distribution medium), accompanied by a
247 |     written offer, valid for at least three years and valid for as
248 |     long as you offer spare parts or customer support for that product
249 |     model, to give anyone who possesses the object code either (1) a
250 |     copy of the Corresponding Source for all the software in the
251 |     product that is covered by this License, on a durable physical
252 |     medium customarily used for software interchange, for a price no
253 |     more than your reasonable cost of physically performing this
254 |     conveying of source, or (2) access to copy the
255 |     Corresponding Source from a network server at no charge.
256 | 
257 |     c) Convey individual copies of the object code with a copy of the
258 |     written offer to provide the Corresponding Source.  This
259 |     alternative is allowed only occasionally and noncommercially, and
260 |     only if you received the object code with such an offer, in accord
261 |     with subsection 6b.
262 | 
263 |     d) Convey the object code by offering access from a designated
264 |     place (gratis or for a charge), and offer equivalent access to the
265 |     Corresponding Source in the same way through the same place at no
266 |     further charge.  You need not require recipients to copy the
267 |     Corresponding Source along with the object code.  If the place to
268 |     copy the object code is a network server, the Corresponding Source
269 |     may be on a different server (operated by you or a third party)
270 |     that supports equivalent copying facilities, provided you maintain
271 |     clear directions next to the object code saying where to find the
272 |     Corresponding Source.  Regardless of what server hosts the
273 |     Corresponding Source, you remain obligated to ensure that it is
274 |     available for as long as needed to satisfy these requirements.
275 | 
276 |     e) Convey the object code using peer-to-peer transmission, provided
277 |     you inform other peers where the object code and Corresponding
278 |     Source of the work are being offered to the general public at no
279 |     charge under subsection 6d.
280 | 
281 |   A separable portion of the object code, whose source code is excluded
282 | from the Corresponding Source as a System Library, need not be
283 | included in conveying the object code work.
284 | 
285 |   A "User Product" is either (1) a "consumer product", which means any
286 | tangible personal property which is normally used for personal, family,
287 | or household purposes, or (2) anything designed or sold for incorporation
288 | into a dwelling.  In determining whether a product is a consumer product,
289 | doubtful cases shall be resolved in favor of coverage.  For a particular
290 | product received by a particular user, "normally used" refers to a
291 | typical or common use of that class of product, regardless of the status
292 | of the particular user or of the way in which the particular user
293 | actually uses, or expects or is expected to use, the product.  A product
294 | is a consumer product regardless of whether the product has substantial
295 | commercial, industrial or non-consumer uses, unless such uses represent
296 | the only significant mode of use of the product.
297 | 
298 |   "Installation Information" for a User Product means any methods,
299 | procedures, authorization keys, or other information required to install
300 | and execute modified versions of a covered work in that User Product from
301 | a modified version of its Corresponding Source.  The information must
302 | suffice to ensure that the continued functioning of the modified object
303 | code is in no case prevented or interfered with solely because
304 | modification has been made.
305 | 
306 |   If you convey an object code work under this section in, or with, or
307 | specifically for use in, a User Product, and the conveying occurs as
308 | part of a transaction in which the right of possession and use of the
309 | User Product is transferred to the recipient in perpetuity or for a
310 | fixed term (regardless of how the transaction is characterized), the
311 | Corresponding Source conveyed under this section must be accompanied
312 | by the Installation Information.  But this requirement does not apply
313 | if neither you nor any third party retains the ability to install
314 | modified object code on the User Product (for example, the work has
315 | been installed in ROM).
316 | 
317 |   The requirement to provide Installation Information does not include a
318 | requirement to continue to provide support service, warranty, or updates
319 | for a work that has been modified or installed by the recipient, or for
320 | the User Product in which it has been modified or installed.  Access to a
321 | network may be denied when the modification itself materially and
322 | adversely affects the operation of the network or violates the rules and
323 | protocols for communication across the network.
324 | 
325 |   Corresponding Source conveyed, and Installation Information provided,
326 | in accord with this section must be in a format that is publicly
327 | documented (and with an implementation available to the public in
328 | source code form), and must require no special password or key for
329 | unpacking, reading or copying.
330 | 
331 |   7. Additional Terms.
332 | 
333 |   "Additional permissions" are terms that supplement the terms of this
334 | License by making exceptions from one or more of its conditions.
335 | Additional permissions that are applicable to the entire Program shall
336 | be treated as though they were included in this License, to the extent
337 | that they are valid under applicable law.  If additional permissions
338 | apply only to part of the Program, that part may be used separately
339 | under those permissions, but the entire Program remains governed by
340 | this License without regard to the additional permissions.
341 | 
342 |   When you convey a copy of a covered work, you may at your option
343 | remove any additional permissions from that copy, or from any part of
344 | it.  (Additional permissions may be written to require their own
345 | removal in certain cases when you modify the work.)  You may place
346 | additional permissions on material, added by you to a covered work,
347 | for which you have or can give appropriate copyright permission.
348 | 
349 |   Notwithstanding any other provision of this License, for material you
350 | add to a covered work, you may (if authorized by the copyright holders of
351 | that material) supplement the terms of this License with terms:
352 | 
353 |     a) Disclaiming warranty or limiting liability differently from the
354 |     terms of sections 15 and 16 of this License; or
355 | 
356 |     b) Requiring preservation of specified reasonable legal notices or
357 |     author attributions in that material or in the Appropriate Legal
358 |     Notices displayed by works containing it; or
359 | 
360 |     c) Prohibiting misrepresentation of the origin of that material, or
361 |     requiring that modified versions of such material be marked in
362 |     reasonable ways as different from the original version; or
363 | 
364 |     d) Limiting the use for publicity purposes of names of licensors or
365 |     authors of the material; or
366 | 
367 |     e) Declining to grant rights under trademark law for use of some
368 |     trade names, trademarks, or service marks; or
369 | 
370 |     f) Requiring indemnification of licensors and authors of that
371 |     material by anyone who conveys the material (or modified versions of
372 |     it) with contractual assumptions of liability to the recipient, for
373 |     any liability that these contractual assumptions directly impose on
374 |     those licensors and authors.
375 | 
376 |   All other non-permissive additional terms are considered "further
377 | restrictions" within the meaning of section 10.  If the Program as you
378 | received it, or any part of it, contains a notice stating that it is
379 | governed by this License along with a term that is a further
380 | restriction, you may remove that term.  If a license document contains
381 | a further restriction but permits relicensing or conveying under this
382 | License, you may add to a covered work material governed by the terms
383 | of that license document, provided that the further restriction does
384 | not survive such relicensing or conveying.
385 | 
386 |   If you add terms to a covered work in accord with this section, you
387 | must place, in the relevant source files, a statement of the
388 | additional terms that apply to those files, or a notice indicating
389 | where to find the applicable terms.
390 | 
391 |   Additional terms, permissive or non-permissive, may be stated in the
392 | form of a separately written license, or stated as exceptions;
393 | the above requirements apply either way.
394 | 
395 |   8. Termination.
396 | 
397 |   You may not propagate or modify a covered work except as expressly
398 | provided under this License.  Any attempt otherwise to propagate or
399 | modify it is void, and will automatically terminate your rights under
400 | this License (including any patent licenses granted under the third
401 | paragraph of section 11).
402 | 
403 |   However, if you cease all violation of this License, then your
404 | license from a particular copyright holder is reinstated (a)
405 | provisionally, unless and until the copyright holder explicitly and
406 | finally terminates your license, and (b) permanently, if the copyright
407 | holder fails to notify you of the violation by some reasonable means
408 | prior to 60 days after the cessation.
409 | 
410 |   Moreover, your license from a particular copyright holder is
411 | reinstated permanently if the copyright holder notifies you of the
412 | violation by some reasonable means, this is the first time you have
413 | received notice of violation of this License (for any work) from that
414 | copyright holder, and you cure the violation prior to 30 days after
415 | your receipt of the notice.
416 | 
417 |   Termination of your rights under this section does not terminate the
418 | licenses of parties who have received copies or rights from you under
419 | this License.  If your rights have been terminated and not permanently
420 | reinstated, you do not qualify to receive new licenses for the same
421 | material under section 10.
422 | 
423 |   9. Acceptance Not Required for Having Copies.
424 | 
425 |   You are not required to accept this License in order to receive or
426 | run a copy of the Program.  Ancillary propagation of a covered work
427 | occurring solely as a consequence of using peer-to-peer transmission
428 | to receive a copy likewise does not require acceptance.  However,
429 | nothing other than this License grants you permission to propagate or
430 | modify any covered work.  These actions infringe copyright if you do
431 | not accept this License.  Therefore, by modifying or propagating a
432 | covered work, you indicate your acceptance of this License to do so.
433 | 
434 |   10. Automatic Licensing of Downstream Recipients.
435 | 
436 |   Each time you convey a covered work, the recipient automatically
437 | receives a license from the original licensors, to run, modify and
438 | propagate that work, subject to this License.  You are not responsible
439 | for enforcing compliance by third parties with this License.
440 | 
441 |   An "entity transaction" is a transaction transferring control of an
442 | organization, or substantially all assets of one, or subdividing an
443 | organization, or merging organizations.  If propagation of a covered
444 | work results from an entity transaction, each party to that
445 | transaction who receives a copy of the work also receives whatever
446 | licenses to the work the party's predecessor in interest had or could
447 | give under the previous paragraph, plus a right to possession of the
448 | Corresponding Source of the work from the predecessor in interest, if
449 | the predecessor has it or can get it with reasonable efforts.
450 | 
451 |   You may not impose any further restrictions on the exercise of the
452 | rights granted or affirmed under this License.  For example, you may
453 | not impose a license fee, royalty, or other charge for exercise of
454 | rights granted under this License, and you may not initiate litigation
455 | (including a cross-claim or counterclaim in a lawsuit) alleging that
456 | any patent claim is infringed by making, using, selling, offering for
457 | sale, or importing the Program or any portion of it.
458 | 
459 |   11. Patents.
460 | 
461 |   A "contributor" is a copyright holder who authorizes use under this
462 | License of the Program or a work on which the Program is based.  The
463 | work thus licensed is called the contributor's "contributor version".
464 | 
465 |   A contributor's "essential patent claims" are all patent claims
466 | owned or controlled by the contributor, whether already acquired or
467 | hereafter acquired, that would be infringed by some manner, permitted
468 | by this License, of making, using, or selling its contributor version,
469 | but do not include claims that would be infringed only as a
470 | consequence of further modification of the contributor version.  For
471 | purposes of this definition, "control" includes the right to grant
472 | patent sublicenses in a manner consistent with the requirements of
473 | this License.
474 | 
475 |   Each contributor grants you a non-exclusive, worldwide, royalty-free
476 | patent license under the contributor's essential patent claims, to
477 | make, use, sell, offer for sale, import and otherwise run, modify and
478 | propagate the contents of its contributor version.
479 | 
480 |   In the following three paragraphs, a "patent license" is any express
481 | agreement or commitment, however denominated, not to enforce a patent
482 | (such as an express permission to practice a patent or covenant not to
483 | sue for patent infringement).  To "grant" such a patent license to a
484 | party means to make such an agreement or commitment not to enforce a
485 | patent against the party.
486 | 
487 |   If you convey a covered work, knowingly relying on a patent license,
488 | and the Corresponding Source of the work is not available for anyone
489 | to copy, free of charge and under the terms of this License, through a
490 | publicly available network server or other readily accessible means,
491 | then you must either (1) cause the Corresponding Source to be so
492 | available, or (2) arrange to deprive yourself of the benefit of the
493 | patent license for this particular work, or (3) arrange, in a manner
494 | consistent with the requirements of this License, to extend the patent
495 | license to downstream recipients.  "Knowingly relying" means you have
496 | actual knowledge that, but for the patent license, your conveying the
497 | covered work in a country, or your recipient's use of the covered work
498 | in a country, would infringe one or more identifiable patents in that
499 | country that you have reason to believe are valid.
500 | 
501 |   If, pursuant to or in connection with a single transaction or
502 | arrangement, you convey, or propagate by procuring conveyance of, a
503 | covered work, and grant a patent license to some of the parties
504 | receiving the covered work authorizing them to use, propagate, modify
505 | or convey a specific copy of the covered work, then the patent license
506 | you grant is automatically extended to all recipients of the covered
507 | work and works based on it.
508 | 
509 |   A patent license is "discriminatory" if it does not include within
510 | the scope of its coverage, prohibits the exercise of, or is
511 | conditioned on the non-exercise of one or more of the rights that are
512 | specifically granted under this License.  You may not convey a covered
513 | work if you are a party to an arrangement with a third party that is
514 | in the business of distributing software, under which you make payment
515 | to the third party based on the extent of your activity of conveying
516 | the work, and under which the third party grants, to any of the
517 | parties who would receive the covered work from you, a discriminatory
518 | patent license (a) in connection with copies of the covered work
519 | conveyed by you (or copies made from those copies), or (b) primarily
520 | for and in connection with specific products or compilations that
521 | contain the covered work, unless you entered into that arrangement,
522 | or that patent license was granted, prior to 28 March 2007.
523 | 
524 |   Nothing in this License shall be construed as excluding or limiting
525 | any implied license or other defenses to infringement that may
526 | otherwise be available to you under applicable patent law.
527 | 
528 |   12. No Surrender of Others' Freedom.
529 | 
530 |   If conditions are imposed on you (whether by court order, agreement or
531 | otherwise) that contradict the conditions of this License, they do not
532 | excuse you from the conditions of this License.  If you cannot convey a
533 | covered work so as to satisfy simultaneously your obligations under this
534 | License and any other pertinent obligations, then as a consequence you may
535 | not convey it at all.  For example, if you agree to terms that obligate you
536 | to collect a royalty for further conveying from those to whom you convey
537 | the Program, the only way you could satisfy both those terms and this
538 | License would be to refrain entirely from conveying the Program.
539 | 
540 |   13. Remote Network Interaction; Use with the GNU General Public License.
541 | 
542 |   Notwithstanding any other provision of this License, if you modify the
543 | Program, your modified version must prominently offer all users
544 | interacting with it remotely through a computer network (if your version
545 | supports such interaction) an opportunity to receive the Corresponding
546 | Source of your version by providing access to the Corresponding Source
547 | from a network server at no charge, through some standard or customary
548 | means of facilitating copying of software.  This Corresponding Source
549 | shall include the Corresponding Source for any work covered by version 3
550 | of the GNU General Public License that is incorporated pursuant to the
551 | following paragraph.
552 | 
553 |   Notwithstanding any other provision of this License, you have
554 | permission to link or combine any covered work with a work licensed
555 | under version 3 of the GNU General Public License into a single
556 | combined work, and to convey the resulting work.  The terms of this
557 | License will continue to apply to the part which is the covered work,
558 | but the work with which it is combined will remain governed by version
559 | 3 of the GNU General Public License.
560 | 
561 |   14. Revised Versions of this License.
562 | 
563 |   The Free Software Foundation may publish revised and/or new versions of
564 | the GNU Affero General Public License from time to time.  Such new versions
565 | will be similar in spirit to the present version, but may differ in detail to
566 | address new problems or concerns.
567 | 
568 |   Each version is given a distinguishing version number.  If the
569 | Program specifies that a certain numbered version of the GNU Affero General
570 | Public License "or any later version" applies to it, you have the
571 | option of following the terms and conditions either of that numbered
572 | version or of any later version published by the Free Software
573 | Foundation.  If the Program does not specify a version number of the
574 | GNU Affero General Public License, you may choose any version ever published
575 | by the Free Software Foundation.
576 | 
577 |   If the Program specifies that a proxy can decide which future
578 | versions of the GNU Affero General Public License can be used, that proxy's
579 | public statement of acceptance of a version permanently authorizes you
580 | to choose that version for the Program.
581 | 
582 |   Later license versions may give you additional or different
583 | permissions.  However, no additional obligations are imposed on any
584 | author or copyright holder as a result of your choosing to follow a
585 | later version.
586 | 
587 |   15. Disclaimer of Warranty.
588 | 
589 |   THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY
590 | APPLICABLE LAW.  EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT
591 | HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY
592 | OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO,
593 | THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
594 | PURPOSE.  THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM
595 | IS WITH YOU.  SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF
596 | ALL NECESSARY SERVICING, REPAIR OR CORRECTION.
597 | 
598 |   16. Limitation of Liability.
599 | 
600 |   IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
601 | WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS
602 | THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY
603 | GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE
604 | USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF
605 | DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD
606 | PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS),
607 | EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF
608 | SUCH DAMAGES.
609 | 
610 |   17. Interpretation of Sections 15 and 16.
611 | 
612 |   If the disclaimer of warranty and limitation of liability provided
613 | above cannot be given local legal effect according to their terms,
614 | reviewing courts shall apply local law that most closely approximates
615 | an absolute waiver of all civil liability in connection with the
616 | Program, unless a warranty or assumption of liability accompanies a
617 | copy of the Program in return for a fee.
618 | 
619 |                      END OF TERMS AND CONDITIONS
620 | 
621 |             How to Apply These Terms to Your New Programs
622 | 
623 |   If you develop a new program, and you want it to be of the greatest
624 | possible use to the public, the best way to achieve this is to make it
625 | free software which everyone can redistribute and change under these terms.
626 | 
627 |   To do so, attach the following notices to the program.  It is safest
628 | to attach them to the start of each source file to most effectively
629 | state the exclusion of warranty; and each file should have at least
630 | the "copyright" line and a pointer to where the full notice is found.
631 | 
632 |     <one line to give the program's name and a brief idea of what it does.>
633 |     Copyright (C) <year>  <name of author>
634 | 
635 |     This program is free software: you can redistribute it and/or modify
636 |     it under the terms of the GNU Affero General Public License as published
637 |     by the Free Software Foundation, either version 3 of the License, or
638 |     (at your option) any later version.
639 | 
640 |     This program is distributed in the hope that it will be useful,
641 |     but WITHOUT ANY WARRANTY; without even the implied warranty of
642 |     MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
643 |     GNU Affero General Public License for more details.
644 | 
645 |     You should have received a copy of the GNU Affero General Public License
646 |     along with this program.  If not, see <http://www.gnu.org/licenses/>.
647 | 
648 | Also add information on how to contact you by electronic and paper mail.
649 | 
650 |   If your software can interact with users remotely through a computer
651 | network, you should also make sure that it provides a way for users to
652 | get its source.  For example, if your program is a web application, its
653 | interface could display a "Source" link that leads users to an archive
654 | of the code.  There are many ways you could offer source, and different
655 | solutions will be better for different programs; see section 13 for the
656 | specific requirements.
657 | 
658 |   You should also get your employer (if you work as a programmer) or school,
659 | if any, to sign a "copyright disclaimer" for the program, if necessary.
660 | For more information on this, and how to apply and follow the GNU AGPL, see
661 | <http://www.gnu.org/licenses/>.
662 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
  1 | Implementation of a Re-Encryption Mix-Net
  2 | ======================================================
  3 | 
  4 | This module implements the re-encryption mix-net
  5 | presented by Fauzi et al. in their paper:
  6 | ["A Shuffle Argument Secure in the Generic
  7 | Model"](https://eprint.iacr.org/2016/866.pdf).
  8 | 
  9 | The motivation behind this implementation is
 10 | to replace the mix-net used by
 11 | the e-voting application, [Zeus](https://github.com/grnet/zeus)
 12 | in favor of a faster one.
 13 | However it can be used by anyone that needs a
 14 | mix-net implementation.
 15 | That is,
 16 | apart from e-voting,
 17 | the mix-net can be used for other tasks such as surveys
 18 | and the collection of data from various IoT
 19 | (Internet of Things) devices.
 20 | 
 21 | The implementation was based on an existing
 22 | [prototype](https://github.com/grnet/ac16)
 23 | of the same re-encryption mix-net.
 24 | 
 25 | 
 26 | Python
 27 | ======
 28 | 
 29 | The module requires **Python 2.7**.
 30 | 
 31 | 
 32 | Installing Dependencies
 33 | =======================
 34 | 
 35 | 1. Install [libsnark](https://github.com/scipr-lab/libsnark) following
 36 | the instructions on its GitHub page.
 37 | 2. Install [libff](https://github.com/scipr-lab/libff) following
 38 | the instructions on its GitHub page.
 39 | 3. Install package dependencies
 40 | ```
 41 |     sudo apt-get install python python-pip
 42 | ```
 43 | 4. Install Cython
 44 | ```
 45 |     pip install cython
 46 | ```
 47 | 
 48 | Dependencies Notes
 49 | ==================
 50 | 
 51 | We faced some issues while installing libff and libsnark on Ubuntu 16.04 LTS.
 52 | If the installation process doesn't work try the following:
 53 | 
 54 | - Install libsnark on `/usr/` with
 55 | ```
 56 | make install PREFIX=/usr
 57 | ```
 58 | after compiling it.
 59 | 
 60 | - After installing libff, inside the cloned repo copy
 61 | the third party libraries to the local includes.
 62 | ```
 63 | cp -R depends /usr/local/include/
 64 | ```
 65 | 
 66 | - Add to the libff library (before compiling it) the `-fPIC`
 67 |   flag on CMakeLists. Specifically on the
 68 |   `CMakeLists.txt` file add `-fPIC` to the existing flags on `CMAKE_CXX_FLAGS`
 69 |   and `CMAKE_EXE_LINKER_FLAGS`.
 70 | 
 71 | - In order to avoid libff outputting profiling info change the variables
 72 |   `inhibit_profiling_info` and `inhibit_profiling_counters` to `true` on
 73 |   `libff/common/profiling.cpp` before compiling the library.
 74 | 
 75 | Installing libffpy
 76 | ==================
 77 | 
 78 | Inside the libffpy folder run:
 79 | 
 80 | ```
 81 | python setup.py install
 82 | ```
 83 | 
 84 | Installing Package
 85 | ==================
 86 | 
 87 | On the root directory run:
 88 | 
 89 | ```
 90 | python setup.py install
 91 | ```
 92 | 
 93 | Implementation
 94 | ==============
 95 | 
 96 | libffpy
 97 | -------
 98 | 
 99 | The mix-net proposed by Fauzi et al requires elliptic curve computations.
100 | A suitable library that provides support for elliptic curve computations
101 | is [libff](https://github.com/scipr-lab/libff).
102 | 
103 | Since libff is implemented in C++ we used Cython to create a wrapper
104 | for some of the features of libff. The Cython wrapper can be found in
105 | the folder `libffpy`. While not a complete wrapper, it can be
106 | used independently by anyone that needs the features provided by
107 | libff.
108 | 
109 | The curve we used is bn128 and libff implements
110 | the [ate pairing](https://github.com/herumi/ate-pairing)
111 | for its bilinear pairing computations.
112 | 
113 | Mix-Net Module
114 | --------------
115 | 
116 | The mix-net is implemented using Python. It requires a working
117 | installation of libffpy.
118 | 
119 | 
120 | Challenges
121 | ==========
122 | 
123 | - **Elliptic Curve Multiplications**: The real bottleneck of the prototype
124 | is its performance. The prototype's
125 | performance was much slower than other implementations in C++. After some
126 | specific metrics we identified that the issue was that the multiplications
127 | on the elliptic curve elements were slow. The library implementing those
128 | multiplications was [bplib](https://github.com/gdanezis/bplib/).
129 | 
130 | - **bplip vs libff**: Since the bottleneck were the multiplications on the elliptic
131 | curve, we looked at replacements for bplib. One such replacement is libff. bplib
132 | uses libraries provided by OpenSSL for its elliptic curve computations.
133 | We defined specific metrics and compared the underlying C code of bplib
134 | with libff. The results showed that libff was indeed faster than OpenSSL,
135 | so we moved forward with the implementation of libffpy.
136 | 
137 | TODOs
138 | =====
139 | 
140 | - **CRS (Common Reference String)**: In order for the mix-net to be truly decentralized and anonymous
141 | there needs to be a mechanism to create the CRS anonymously.
142 | 
143 | - **Integration with Zeus**
144 | 
145 | Usage
146 | =====
147 | 
148 | There exists a demo in the file `demo.py` of the root directory
149 | that shows the basic workflow of the mix-net module.
150 | 
151 | Organization
152 | ============
153 | 
154 | This [project](https://summerofcode.withgoogle.com/projects/#6269134514946048)
155 | was developed as part of the [Google Summer of Code](
156 | https://summerofcode.withgoogle.com) program.
157 | 
158 | Student: Vitalis Salis
159 | 
160 | Mentors:
161 | 
162 | - [Dimitris Mitropoulos](http://dimitro.gr/)
163 | - Georgios Tsoukalas
164 | - [Panos Louridas](https://istlab.dmst.aueb.gr/content/members/m_louridas.html)
165 | 
166 | Organization: [Open Technologies Alliance - GFOSS](https://gfoss.eu/)
167 | 


--------------------------------------------------------------------------------
/TIMELINE.md:
--------------------------------------------------------------------------------
 1 | Timeline
 2 | ========
 3 | 
 4 | * Week 1 - Week 2: Experiment with the existing mix-net implementation on Zeus.
 5 |   See how the mix-net works and study related papers. Work on the
 6 |   implementation of a Common Reference String.
 7 | 
 8 | * Week 3 - Week 4: Identify which of the existing mix-net publications are fit
 9 |   to be implemented. Examine all possible candidates and after some discussion
10 |   with my mentor decide which one fits our needs.
11 | 
12 | * Week 5 - Week 10: Implement a new re-encryption mix-net prototype based on
13 |   the work of Weeks 1-4.
14 | 
15 | * Week 10 - Week 12: Test the prototype and deploy to production. Do various
16 |   checks in real-time scenarios.
17 | 


--------------------------------------------------------------------------------
/demo.py:
--------------------------------------------------------------------------------
 1 | import datetime, sys
 2 | 
 3 | from flz16.crs import CRS
 4 | from flz16.prover import Prover
 5 | from flz16.verifier import Verifier
 6 | from flz16.utils import make_s_randoms, random_permutation,\
 7 |         encrypt_messages, make_tables, decrypt_messages
 8 | 
 9 | n = int(sys.argv[1])
10 | 
11 | start = datetime.datetime.now()
12 | 
13 | crs = CRS(n)
14 | s_randoms = make_s_randoms(n, crs.order)
15 | sigma = random_permutation(n)
16 | ciphertexts = encrypt_messages(crs.order, crs.pk1, crs.pk2, list(range(n)))
17 | prover = Prover(crs)
18 | proof = prover.prove(n, ciphertexts, sigma, s_randoms)
19 | 
20 | verifier = Verifier(crs)
21 | print verifier.verify(ciphertexts, proof)
22 | 
23 | TABLES = make_tables(crs.pk1, crs.pk2, crs.n)
24 | shuffled_ms = decrypt_messages(crs.gamma, TABLES, proof['shuffled_ciphertexts'])
25 | 
26 | end = datetime.datetime.now()
27 | print "ellapsed: %s" % (end - start)
28 | 


--------------------------------------------------------------------------------
/docs/ath-floss-pres.tex:
--------------------------------------------------------------------------------
  1 | \documentclass{beamer}
  2 | 
  3 | \usepackage[utf8]{inputenc}
  4 | \usepackage{graphicx}
  5 | \usepackage{biblatex}
  6 | 
  7 | \title{Re-Encryption Mix-Net Module}
  8 | \author{Vitalis Salis}
  9 | \date{2017}
 10 | 
 11 | \begin{document}
 12 |     \frame{\titlepage}
 13 | 
 14 |     \begin{frame}
 15 |         \frametitle{Zeus}
 16 |         \begin{itemize}
 17 |             \item Web-based open-audit e-voting system.
 18 |             \item Open source.\footnote{\url{https://github.com/grnet/zeus}}
 19 |             \item Derived from Helios\footnote{
 20 |                 \url{https://github.com/benadida/helios}
 21 |             }.
 22 |             \item Uses the Sako-Kilian re-encryption mix-net for anonymity.
 23 |             \item Already used by various institutions for elections.
 24 |         \end{itemize}
 25 |     \end{frame}
 26 | 
 27 |     \begin{frame}
 28 |         \begin{figure}
 29 |             \centering
 30 |             \includegraphics[width=12cm,height=7cm,keepaspectratio]{zeus-chart.eps}
 31 |             \caption{Registered and actual voters on Zeus.}
 32 |         \end{figure}
 33 |     \end{frame}
 34 | 
 35 |     \begin{frame}
 36 |         \frametitle{The Issue}
 37 |         \begin{itemize}
 38 |             \item The re-encryption mix-net used by Zeus is impractical.
 39 |             \item It requires a lot of costly, performance wise, cryptographic.
 40 |             operations, leading to longer times to get the election results.
 41 |             \item I.e for 10,000 votes the mixnet might take up to 8 hours!
 42 |             \item Our goal is to create an open source Python module that
 43 |             implements a faster re-encryption mix-net for applications
 44 |             requiring anonymity.
 45 |         \end{itemize}
 46 |     \end{frame}
 47 | 
 48 |     \begin{frame}
 49 |         \frametitle{Faster Mix-Nets}
 50 |         \begin{itemize}
 51 |             \item In order to overcome this issue, we've been looking on new
 52 |             research about mix-nets that guarantee faster performance.
 53 |             \item The best candidate we identified is proposed by Fauzi et al,
 54 |             from the University of Tartu.\footnote{
 55 |                 \url{https://eprint.iacr.org/2016/866}
 56 |             }.
 57 |             \item The mix-net is based on elliptic curves.
 58 |         \end{itemize}
 59 |     \end{frame}
 60 | 
 61 |     \begin{frame}
 62 |         \frametitle{Existing Prototypes}
 63 |         \begin{itemize}
 64 |             \item A Python prototype that implements the mix-net proposed by
 65 |             Fauzi et al, was developed by GRNET\footnote{
 66 |                 \url{https://github.com/grnet/ac16/}
 67 |             }.
 68 |             \item Still, the prototype wasn't satisfying.
 69 |             \item The main issue we identified was that multiplications on the
 70 |             elliptic curve structure are slow.
 71 |             \item The library implementing those multiplications is OpenSSL.
 72 |             \item A good replacement for OpenSSL is a similar library,
 73 |             libff.\footnote{\url{https://github.com/scipr-lab/libff}}
 74 |         \end{itemize}
 75 |     \end{frame}
 76 | 
 77 |     \begin{frame}
 78 |         \frametitle{Metrics}
 79 |         \begin{itemize}
 80 |             \item In order to compare these libraries we have defined specific 
 81 |             metrics.
 82 |             \item Our profiling involved a test case where we performed
 83 |             thousands of multiplications from C on both libraries:\newline
 84 |             $g ^ \rho$
 85 |             where $g$ is the generator of the elliptic curve group and
 86 |             $\rho$ is a 256 bit number.
 87 |             \item libff yielded up to 6 times better performance than OpenSSL.
 88 |             \item So, we moved forward with the implementation of a libff
 89 |             wrapper for Python.
 90 |         \end{itemize}
 91 |     \end{frame}
 92 | 
 93 |     \begin{frame}
 94 |         \frametitle{Wrapping libff With Cython}
 95 |         \begin{itemize}
 96 |             \item libff is implemented in C++.
 97 |             \item So it needs to be wrapped by Python in order to be used as a
 98 |             Python module.
 99 |             \item No such wrapper exists, so we set out to create one.
100 |             \item We identified that Cython is the best candidate for wrapping
101 |             libff.
102 |             \item The wrapper exists as a separate open source module
103 |             so it can be used by other Python projects that need to use libff.
104 |         \end{itemize}
105 |     \end{frame}
106 | 
107 |     \begin{frame}
108 |         \frametitle{Comparing Wrappers}
109 |         \begin{itemize}
110 |             \item After creating the Cython wrapper for libff, in order to
111 |             verify that it is indeed better than the Python wrapper for
112 |             OpenSSL, we defined specific metrics.
113 |             \item Our profiling involved a test case where we performed
114 |             thousands of multiplications from Python on both wrappers.
115 |             \item The results validated our hypothesis, so we'll use the Cython
116 |             wrapper for the implementation of the re-encryption mix-net module.
117 |         \end{itemize}
118 |     \end{frame}
119 | 
120 |     \begin{frame}
121 |         \frametitle{Future Work}
122 |         \begin{itemize}
123 |             \item Python Module
124 |             \item Integration with Zeus
125 |             \item Testing
126 |         \end{itemize}
127 |     \end{frame}
128 |     \begin{frame}
129 |         \center{\url{https://github.com/eellak/gsoc17module-zeus}}
130 |     \end{frame}
131 | \end{document}
132 | 


--------------------------------------------------------------------------------
/docs/gsoc-summit-pres.tex:
--------------------------------------------------------------------------------
  1 | \documentclass{beamer}
  2 | 
  3 | \usepackage[utf8]{inputenc}
  4 | \usepackage{graphicx}
  5 | \usepackage{biblatex}
  6 | 
  7 | \title{Re-Encryption Mix-Net Module}
  8 | \date{2017}
  9 | 
 10 | \begin{document}
 11 |     \frame{\titlepage}
 12 | 
 13 |     \begin{frame}
 14 |         \frametitle{Zeus}
 15 |         \begin{itemize}
 16 |             \item Web-based open-audit e-voting system.
 17 |             \item Open source.\footnote{\url{https://github.com/grnet/zeus}}
 18 |             \item Derived from Helios\footnote{
 19 |                 \url{https://github.com/benadida/helios}
 20 |             }.
 21 |             \item Uses the Sako-Kilian re-encryption mix-net for anonymity.
 22 |             \item Already used by various institutions for elections.
 23 |             \item \textbf{Aim}: Implement a faster re-encryption mix-net for better
 24 |                 performance.
 25 |         \end{itemize}
 26 |     \end{frame}
 27 | 
 28 |     \begin{frame}
 29 |         \begin{figure}
 30 |             \centering
 31 |             \includegraphics[width=12cm,height=7cm,keepaspectratio]{zeus-chart.eps}
 32 |             \caption{Registered and actual voters on Zeus.}
 33 |         \end{figure}
 34 |     \end{frame}
 35 | 
 36 |     \begin{frame}
 37 |         \frametitle{The Issue}
 38 |         \begin{itemize}
 39 |             \item The re-encryption mix-net used by Zeus is impractical.
 40 |             \item It requires a lot of costly, performance wise, cryptographic.
 41 |             operations, leading to longer times to get the election results.
 42 |             \item I.e for 10,000 votes the mixnet might take up to 8 hours!
 43 |             \item Our goal is to create an open source Python module that
 44 |             implements a faster re-encryption mix-net for applications
 45 |             requiring anonymity.
 46 |         \end{itemize}
 47 |     \end{frame}
 48 | 
 49 |     \begin{frame}
 50 |         \frametitle{Faster Mix-Nets}
 51 |         \begin{itemize}
 52 |             \item In order to overcome this issue, we've been looking on new
 53 |             research about mix-nets that guarantee faster performance.
 54 |             \item The best candidate we identified is proposed by Fauzi et al,
 55 |             from the University of Tartu.\footnote{
 56 |                 \url{https://eprint.iacr.org/2016/866}
 57 |             }.
 58 |             \item The mix-net is based on elliptic curves.
 59 |         \end{itemize}
 60 |     \end{frame}
 61 | 
 62 |     \begin{frame}
 63 |         \frametitle{Existing Prototypes}
 64 |         \begin{itemize}
 65 |             \item A Python prototype that implements the mix-net proposed by
 66 |             Fauzi et al, was developed by GRNET\footnote{
 67 |                 \url{https://github.com/grnet/ac16/}
 68 |             }.
 69 |             \item Still, the prototype wasn't satisfying.
 70 |             \item The main issue we identified was that multiplications on the
 71 |             elliptic curve structure are slow.
 72 |             \item The library implementing those multiplications is OpenSSL.
 73 |             \item A good replacement for OpenSSL is a similar library,
 74 |             libff.\footnote{\url{https://github.com/scipr-lab/libff}}
 75 |         \end{itemize}
 76 |     \end{frame}
 77 | 
 78 |     \begin{frame}
 79 |         \frametitle{Metrics}
 80 |         \begin{itemize}
 81 |             \item In order to compare these libraries we have defined specific 
 82 |             metrics.
 83 |             \item Our profiling involved a test case where we performed
 84 |             thousands of multiplications from C on both libraries:\newline
 85 |             $g ^ \rho$
 86 |             where $g$ is the generator of the elliptic curve group and
 87 |             $\rho$ is a 256 bit number.
 88 |             \item libff yielded up to 6 times better performance than OpenSSL.
 89 |             \item So, we moved forward with the implementation of a libff
 90 |             wrapper for Python.
 91 |         \end{itemize}
 92 |     \end{frame}
 93 | 
 94 |     \begin{frame}
 95 |         \frametitle{Wrapping libff With Cython}
 96 |         \begin{itemize}
 97 |             \item libff is implemented in C++.
 98 |             \item So it needs to be wrapped by Python in order to be used as a
 99 |             Python module.
100 |             \item No such wrapper exists, so we set out to create one.
101 |             \item We identified that Cython is the best candidate for wrapping
102 |             libff.
103 |             \item The wrapper exists as a separate open source module
104 |             so it can be used by other Python projects that need to use libff.
105 |         \end{itemize}
106 |     \end{frame}
107 | 
108 |     \begin{frame}
109 |         \frametitle{Comparing Wrappers}
110 |         \begin{itemize}
111 |             \item After creating the Cython wrapper for libff, in order to
112 |             verify that it is indeed better than the Python wrapper for
113 |             OpenSSL, we defined specific metrics.
114 |             \item Our profiling involved a test case where we performed
115 |             thousands of multiplications from Python on both wrappers.
116 |             \item The results validated our hypothesis, so we used the Cython
117 |             wrapper for the implementation of the re-encryption mix-net module.
118 |         \end{itemize}
119 |     \end{frame}
120 | 
121 |     \begin{frame}
122 |         \center{\url{https://github.com/eellak/gsoc17module-zeus}}
123 |     \end{frame}
124 | \end{document}
125 | 


--------------------------------------------------------------------------------
/docs/metrics.bib:
--------------------------------------------------------------------------------
 1 | @conference{
 2 |     shufflearg,
 3 |     author="Prastudu Fauzi and Helger Lipmaa and Michal Zajac",
 4 |     title="A Shuffle Argument Secure in the Generic Model",
 5 |     url="https://eprint.iacr.org/2016/866.pdf"
 6 | }
 7 | 
 8 | @misc{
 9 |     prototype,
10 |     author="Panos Louridas and Dimitris Mitropoulos and Georgios Tsoukalas and Georgios Korfiatis",
11 |     title="Implementation of the shuffle argument",
12 |     url="https://github.com/grnet/ac16"
13 | }
14 | 
15 | @article{
16 |     numpy,
17 |     author = {Stéfan van der Walt and S. Chris Colbert and Gaël Varoquaux},
18 |     title = {The NumPy Array: A Structure for Efficient Numerical Computation},
19 |     journal = {Computing in Science \& Engineering},
20 |     volume = {13},
21 |     number = {2},
22 |     pages = {22-30},
23 |     year = {2011},
24 |     doi = {10.1109/MCSE.2011.37},
25 |     URL = { 
26 |         http://aip.scitation.org/doi/abs/10.1109/MCSE.2011.37
27 |     },
28 |     eprint = { 
29 |         http://aip.scitation.org/doi/pdf/10.1109/MCSE.2011.37
30 |     }
31 | }
32 | 
33 | @misc{
34 |     bplib,
35 |     author = "George Danezis",
36 |     title = "A bilinear pairing library for petlib",
37 |     howpublished = {\url{https://github.com/gdanezis/bplib}}
38 | }
39 | 
40 | @misc{
41 |     libsnark,
42 |     author = "SCIPR Lab",
43 |     title = "A {C}++ library for {zkSNARK} proofs",
44 |     howpublished = {\url{https://github.com/scipr-lab/libsnark}}
45 | }
46 | 
47 | @misc{libff,
48 |     author = "SCIPR Lab",
49 |     title = "libff: C++ library for Finite Fields and Elliptic Curves",
50 |     howpublished = {\url{https://github.com/scipr-lab/libff}}
51 | }
52 | 


--------------------------------------------------------------------------------
/docs/metrics.tex:
--------------------------------------------------------------------------------
  1 | \documentclass{article}
  2 | 
  3 | \usepackage{url}
  4 | \usepackage{graphicx}
  5 | \usepackage{listings}
  6 | \usepackage{todonotes}
  7 | \usepackage{algorithm}
  8 | \usepackage{algpseudocode}
  9 | 
 10 | \usepackage{minted}
 11 | 
 12 | \presetkeys{todonotes}{fancyline, color=yellow!30}{}
 13 | 
 14 | \date{}
 15 | \begin{document}
 16 | 
 17 | \title{Metrics for the AsiaCrypt16 Implementation} 
 18 | 
 19 | \author{Vitalis Salis}
 20 | 
 21 | \maketitle
 22 | \begin{abstract}
 23 |   We have computed some metrics for the prototype implementation
 24 |   \cite{prototype} of a mixnet based on the shuffle argument proposed
 25 |   by Fauzi et al \cite{shufflearg}. The goal of these metrics is to
 26 |   identify aspects of the code that are slow and find suitable
 27 |   replacements for them.
 28 | \end{abstract}
 29 | 
 30 | \section{Introduction}
 31 | 
 32 | The prototype implementation of the mixnet proposed by Fauzi et al,
 33 | produces multiple implementation difficulties. On implementations of
 34 | cryptographic protocols it is typical to use C for your cryptographic
 35 | computations. Yet the prototype is implemented using Python, so it has
 36 | to switch between Python and C for its operations. This may be a
 37 | bottleneck of the prototype and the reason some operations are slower
 38 | than they should. Another reason may be that the underlying C
 39 | cryptographic operations themselves are not efficient, and a different
 40 | C implementation might improve matters. The two reasons are not
 41 | exclusive, and one might compound the other.
 42 | 
 43 | \section{Metrics}
 44 | 
 45 | Table 1 contains a list of metrics for the various operations of the
 46 | prototype. Most of the time is taken by the prover and the verifier,
 47 | as expected, because these have the most computations that produce a
 48 | context switch between Python and C.
 49 | 
 50 | \begin{table}
 51 | \begin{tabular}{ |p{3cm}|p{5cm}|p{3cm}|  }
 52 |     \hline
 53 |     \multicolumn{3}{|c|}{Metrics}\\
 54 |     \hline
 55 |     Operation & Short Description & Time per 100 voters\\
 56 |     \hline
 57 |     Initialization & Creates the elliptic Curve and private keys & 364ms\\
 58 |     Encryption & Encrypts the votes & 674ms\\
 59 |     Random Permutations & Creates random numbers & 1ms\\
 60 |     Proof & The shuffle & 2085ms\\
 61 |     Verification & Verification of the shuffle & 2738ms\\
 62 |     Decryption & Decrypts the votes & 489ms\\
 63 |     \hline
 64 | \end{tabular}
 65 | \caption{Metrics}
 66 | \end{table}
 67 | 
 68 | The time taken by each of these operations is linear, meaning that for
 69 | 200 ciphertexts the numbers on the table are doubled.
 70 | 
 71 | \section{Context Switches}
 72 | 
 73 | A context switch happens when a Python program communicates with a C
 74 | program for various cryptographic computations. The reasoning behind
 75 | believing that a context switch may be the bottleneck of the application
 76 | is that Python needs to create a PyObject containing the
 77 | data it wants to communicate, and C also needs to create a PyObject to
 78 | return the result of the computations.
 79 | 
 80 | The prover has various steps. In order to validate our theory about
 81 | context switches we measured each of these steps. Two of those steps,
 82 | while having the same number of iterations, had a significant time
 83 | difference. In particular, \mintinline{python}{step2a} below took
 84 | 100ms, while \mintinline{python}{step3a} took 700ms.
 85 | 
 86 | \begin{minted}[breaklines]{python}
 87 | def step2a(sigma, A1, randoms, g1_poly_zero, g1rho, g1_poly_squares):
 88 |     pi_1sp = []
 89 |     inverted_sigma = inverse_perm(sigma)
 90 |     for inv_i, ri, Ai1 in zip(inverted_sigma, randoms, A1):
 91 |         g1i_poly_sq = g1_poly_squares[inv_i]
 92 |         v = (2 * ri) * (Ai1 + g1_poly_zero) - (ri * ri) * g1rho + g1i_poly_sq
 93 |         pi_1sp.append(v)
 94 |     return pi_1sp
 95 |   \end{minted}
 96 | 
 97 | \begin{minted}[breaklines]{python}
 98 | def step3a(sigma, ciphertexts, s_randoms, pk1, pk2):
 99 |     v1s_prime = []
100 |     v2s_prime = []
101 |     for perm_i, s_random in zip(sigma, s_randoms):
102 |         (v1, v2) = ciphertexts[perm_i]
103 |         v1s_prime.append(tuple_add(v1, enc(pk1, s_random[0], s_random[1], 0)))
104 |         v2s_prime.append(tuple_add(v2, enc(pk2, s_random[0], s_random[1], 0)))
105 |     return list(zip(v1s_prime, v2s_prime))
106 | \end{minted}
107 |   
108 | \noindent
109 | First we attributed the time difference to various calls to zip and to tuple
110 | creation. After removing all the calls to zip we didn't notice any significant
111 | difference. This seemed to validate the context switches theory, because the
112 | slower step contained more context switches per iteration.
113 | 
114 | But that's not the case. Using cProfile we identified the main
115 | reason behind this difference. The slower step does more multiplications on
116 | elliptic curve elements. While it is expected that multiplication will be slower
117 | than addition, the difference was enough to dismiss the context switches theory.
118 | 
119 | Multiplication on our elliptic curve elements takes 575ms per 300
120 | multiplications, while addition takes 5ms for 400 additions. If the real
121 | problem were context switches, then the addition wouldn't have such a huge
122 | difference with the multiplication, because it has more operations hence
123 | more context switches.
124 | 
125 | 
126 | \section{Comparing bplib and libsnark}
127 | 
128 | The prototype implementation uses the bplib\cite{bplib} Python module.
129 | bplib implements bilinear pairings on elliptic curves while also supporting
130 | elliptic curve operations using the openssl library.
131 | 
132 | Another implementation supporting elliptic curve computations and bilinear
133 | pairings is libsnark\cite{libsnark}.
134 | 
135 | The common characteristics of these libraries are that they both use the
136 | Ate Pairing and they use windowed exponentiation for
137 | optimization purposes.
138 | 
139 | A key difference of these implementations is that bplib uses the
140 | curve Fp254BNb, while libsnark uses bn128 which is a patch on the
141 | Fp254BNb curve. Also, libsnark supports vectorized exponentiation
142 | which boosts up its performance.
143 | 
144 | In order to compare these two libraries and validate our theory that
145 | libsnark is faster than bplib, we created two different tests
146 | using bplib and libsnark on each one. The tests did multiplications
147 | (the bottleneck of the prototype) on both elliptic curve groups.
148 | 
149 | The results validated our theory. Multiplying elements on the G2
150 | group using libsnark yielded a performance of 0.38s/1000 ciphertexts
151 | while using openssl yielded 3.22s/1000. On G1 libsnark produced
152 | 0.13s/1000 while bplib produced 0.96s/1000 multiplications.
153 | 
154 | 
155 | \section{Wrapping libsnark with Cython}
156 | 
157 | Since libsnark computes multiplications faster than the openssl
158 | implementation, the most obvious solution is to replace openssl
159 | with libsnark. The best candidate for this job is Cython, because
160 | it offers the performance aspects of C, while providing the functionality
161 | of Python. In order to validate that Cython, indeed will yield better
162 | performance we created a basic Cython application that does multiplications
163 | on the G2 group of the libsnark elliptic curve.
164 | 
165 | The results were positive. A multiplication on the G2 group using Cython
166 | takes about 0.5ms while on our prototype implementation, that uses bplib,
167 | a multiplication takes about 2ms. So that's a 4x boost in performance.
168 | 
169 | Also our Cython implementation didn't implement vectorized multiplications,
170 | so there's still room for optimizations.
171 | 
172 | 
173 | \section{Solutions}
174 | 
175 | Since the real bottleneck are the multiplications on G2 elements,
176 | the most obvious solution is to use optimizations on the multiplication
177 | process.
178 | 
179 | As mentioned, libsnark computes multiplications faster than our
180 | current implementation. Yet libsnark is written in C++ and we want to
181 | use a Python module. A Python wrapper for libsnark would be useful,
182 | for our needs and the open source community. In fact, we do not really
183 | need the full libsnark library; the Elliptic curve parts have been
184 | factored out to libff~\cite{libff}, so a Python wrapper for libff
185 | could be implemented. 
186 | 
187 | 
188 | \bibliographystyle{plain}
189 | \bibliography{metrics}
190 | 
191 | \end{document} 
192 | 


--------------------------------------------------------------------------------
/docs/pdf/ath-floss-pres.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/eellak/gsoc17module-zeus/21cf8055ff58c670e96bc197e5cadf54f6b22b45/docs/pdf/ath-floss-pres.pdf


--------------------------------------------------------------------------------
/docs/pdf/metrics.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/eellak/gsoc17module-zeus/21cf8055ff58c670e96bc197e5cadf54f6b22b45/docs/pdf/metrics.pdf


--------------------------------------------------------------------------------
/flz16/__init__.py:
--------------------------------------------------------------------------------
1 | from crs import CRS
2 | from prover import Prover
3 | from verifier import Verifier
4 | 
5 | import utils
6 | 


--------------------------------------------------------------------------------
/flz16/crs.py:
--------------------------------------------------------------------------------
  1 | from libffpy import LibffPy, BigNum
  2 | 
  3 | class CRS:
  4 |     def __init__(self, n):
  5 |         self.n = n
  6 |         self.lff = LibffPy(n)
  7 |         self.order = self.lff.order()
  8 |         self.gen1 = self.lff.gen1()
  9 |         self.gen2 = self.lff.gen2()
 10 |         self.gt = self.lff.pair(self.gen1, self.gen2)
 11 |         self.pair = self.lff.pair
 12 | 
 13 |         chi = self.order.random()
 14 |         alpha = self.order.random()
 15 |         rho = self.order.random(nonzero=True)
 16 |         beta = self.order.random(nonzero=True)
 17 |         self.gamma = self.order.random(nonorder=True)
 18 | 
 19 |         polys_all = self.generate_pis(chi, n)
 20 |         poly_zero = polys_all[0]
 21 |         polys = polys_all[1:]
 22 | 
 23 |         self.g1_polys = [poly * self.gen1 for poly in polys]
 24 |         self.g1rho = rho * self.gen1
 25 |         # init window table for g1rho
 26 |         self.g1rho.initWindowTable(n)
 27 | 
 28 |         self.g1alpha = (alpha + poly_zero) * self.gen1
 29 |         self.g1_poly_zero = poly_zero * self.gen1
 30 |         self.g1_poly_zero.initWindowTable(n)
 31 | 
 32 |         inv_rho = rho.mod_inverse()
 33 |         self.g1_poly_squares = []
 34 |         for poly in polys:
 35 |             nom = (poly + poly_zero) ** 2 - 1
 36 |             self.g1_poly_squares.append((nom * inv_rho) * self.gen1)
 37 | 
 38 |         inv_beta = beta.mod_inverse()
 39 |         g1hat = (rho * inv_beta) * self.gen1
 40 |         h1 = self.gamma * g1hat
 41 | 
 42 |         g1hat.initWindowTable(n)
 43 |         h1.initWindowTable(n)
 44 |         self.pk1 = (g1hat, h1)
 45 | 
 46 |         self.g2_polys = [poly * self.gen2 for poly in polys]
 47 |         self.g2rho = rho * self.gen2
 48 |         # init window table for g2rho
 49 |         self.g2rho.initWindowTable(n)
 50 | 
 51 |         self.g2alpha = (-alpha + poly_zero) * self.gen2
 52 |         h2 = self.gamma * self.gen2
 53 | 
 54 |         h2.initWindowTable(n)
 55 |         self.pk2 = (self.gen2, h2)
 56 | 
 57 |         self.g2beta = beta * self.gen2
 58 | 
 59 |         self.pair_alpha = self.gt ** (1 - alpha ** 2)
 60 |         poly_sum = sum([poly for poly in polys])
 61 |         self.g1_sum = poly_sum * self.gen1
 62 |         self.g2_sum = poly_sum * self.gen2
 63 | 
 64 |     def generate_pis(self, chi, n):
 65 |         if chi <= n + 1:
 66 |             raise ValueError(
 67 |                 "chi should be greater than n + 1, chi=%s n+1=%s" % (chi, n + 1)
 68 |             )
 69 | 
 70 |         pis = []
 71 | 
 72 |         prod = BigNum(1)
 73 |         # prod = (x - w_1) (x - w_2) ... (x - w_{n+1})
 74 |         for j in range(1, n + 2):
 75 |             prod = prod * (chi - j)
 76 | 
 77 |         # denoms[0] = 1 / (w_1 - w_2) (w_1 - w_3) ... (w_1 - w_{n + 1})
 78 |         # denoms[1] = 1 / (w_2 - w_1) (w_2 - w_3) ... (w_2 - w_{n + 1})
 79 |         # denoms[n] = 1 / (w_{n+1}- w_1) (w_{n+1} - w_2) ... (w_{n+1} - w_n)
 80 |         denoms = self.compute_denominators(n + 1)
 81 | 
 82 |         missing_factor = chi - (n + 1)
 83 | 
 84 |         ln_plus1 = prod * missing_factor.mod_inverse()
 85 |         ln_plus1 = ln_plus1 * denoms[n].mod_inverse()
 86 | 
 87 |         # P_0 is special
 88 |         pis.append(ln_plus1 - BigNum(1))
 89 | 
 90 |         two = BigNum(2)
 91 |         for i in range(1, n + 1):
 92 |             missing_factor = chi - i
 93 |             l_i = prod * missing_factor.mod_inverse()
 94 |             l_i = l_i * denoms[i - 1].mod_inverse()
 95 |             pis.append(two * l_i + ln_plus1)
 96 | 
 97 |         return pis
 98 | 
 99 |     def compute_denominators(self, k):
100 |         denominators = []
101 |         temp = BigNum(1)
102 |         for i in range(1, k + 1):
103 |             if i == 1:
104 |                 for j in range(2, k + 1):
105 |                     elem = i - j;
106 |                     temp = temp * elem
107 |             elif i == k:
108 |                 elem = 1 - k;
109 |                 temp = temp * elem
110 |             else:
111 |                 inverse = BigNum(i - 1 - k)
112 |                 inverse = inverse.mod_inverse()
113 |                 elem = i - 1
114 |                 temp = temp * elem
115 |                 temp = temp * inverse
116 |             denominators.append(temp)
117 | 
118 |         return denominators
119 | 


--------------------------------------------------------------------------------
/flz16/ilin2.py:
--------------------------------------------------------------------------------
 1 | def enc(pk, s1, s2, m):
 2 |     g, h = pk
 3 |     return (s1*h, s2*(g + h), (m + s1 + s2) * g)
 4 | 
 5 | def dec(c, sk, table):
 6 |     c1, c2, c3 = c
 7 |     e1 = (-sk).mod_inverse()
 8 |     e2 = (-(sk + 1)).mod_inverse()
 9 |     v = (c3 + e2*c2 + e1*c1)
10 |     return table[v]
11 | 
12 | def make_table(g, n):
13 |     table = {}
14 |     for i in range(n):
15 |         elem = (i * g)
16 |         table[elem] = i
17 |     return table
18 | 


--------------------------------------------------------------------------------
/flz16/prover.py:
--------------------------------------------------------------------------------
  1 | from libffpy import G1Py, G2Py
  2 | from utils import inverse_perm
  3 | from ilin2 import enc
  4 | 
  5 | class Prover:
  6 |     def __init__(self, crs):
  7 |         self.crs = crs
  8 | 
  9 |     def get_infs(self):
 10 |         inf1 = G1Py.inf()
 11 |         inf2 = G2Py.inf()
 12 |         return inf1, inf2
 13 | 
 14 |     def tuple_map(self, func, tpl):
 15 |         return tuple(map(func, tpl))
 16 | 
 17 | 
 18 |     def tuple_add(self, tpl1, tpl2):
 19 |         zipped = zip(tpl1, tpl2)
 20 |         return tuple(z[0] + z[1] for z in zipped)
 21 | 
 22 |     def step1a(self, sigma):
 23 |         crs = self.crs
 24 |         randoms = [crs.order.random() for i in range(crs.n - 1)]
 25 |         inverted_sigma = inverse_perm(sigma)
 26 | 
 27 |         A1 = []
 28 |         A2 = []
 29 |         for inv_i, ri in zip(inverted_sigma, randoms):
 30 |             p1_value = crs.g1_polys[inv_i]
 31 |             p2_value = crs.g2_polys[inv_i]
 32 |             a1i = p1_value + ri * crs.g1rho
 33 |             a2i = p2_value + ri * crs.g2rho
 34 |             A1.append(a1i)
 35 |             A2.append(a2i)
 36 | 
 37 |         return randoms, A1, A2
 38 | 
 39 |     def step1b(self, randoms):
 40 |         rand_n = - sum(randoms)
 41 |         randoms.append(rand_n)
 42 |         return randoms
 43 | 
 44 |     def step1c(self, A1, A2):
 45 |         inf1, inf2 = self.get_infs()
 46 | 
 47 |         prod1 = sum(A1, inf1)
 48 |         prod2 = sum(A2, inf2)
 49 | 
 50 |         a1n = self.crs.g1_sum - prod1
 51 |         a2n = self.crs.g2_sum - prod2
 52 | 
 53 |         A1.append(a1n)
 54 |         A2.append(a2n)
 55 | 
 56 |         return A1, A2
 57 | 
 58 |     def step2a(self, sigma, A1, randoms):
 59 |         crs = self.crs
 60 | 
 61 |         pi_1sp = []
 62 |         inverted_sigma = inverse_perm(sigma)
 63 | 
 64 |         for inv_i, ri, Ai1 in zip(inverted_sigma, randoms, A1):
 65 |             g1i_poly_sq = crs.g1_poly_squares[inv_i]
 66 |             v = (2 * ri) * Ai1 + (2 * ri) * crs.g1_poly_zero - (ri * ri) * crs.g1rho + g1i_poly_sq
 67 |             pi_1sp.append(v)
 68 | 
 69 |         return pi_1sp
 70 | 
 71 |     def step3a(self, sigma, ciphertexts, s_randoms):
 72 |         crs = self.crs
 73 | 
 74 |         v1s_prime = []
 75 |         v2s_prime = []
 76 |         for perm_i, s_random in zip(sigma, s_randoms):
 77 |             (v1, v2) = ciphertexts[perm_i]
 78 |             v1s_prime.append(self.tuple_add(v1, enc(self.crs.pk1, s_random[0], s_random[1], 0)))
 79 |             v2s_prime.append(self.tuple_add(v2, enc(self.crs.pk2, s_random[0], s_random[1], 0)))
 80 | 
 81 |         return list(zip(v1s_prime, v2s_prime))
 82 | 
 83 |     def step4a(self, s_randoms):
 84 |         crs = self.crs
 85 | 
 86 |         rs = tuple([crs.order.random() for i in range(2)])
 87 |         (rs1, rs2) = rs
 88 |         pi_c1_1 = rs1 * crs.g2rho
 89 |         pi_c1_2 = rs2 * crs.g2rho
 90 |         for si, g2_polyi in zip(s_randoms, crs.g2_polys):
 91 |             si1, si2 = si
 92 |             pi_c1_1 += si1 * g2_polyi
 93 |             pi_c1_2 += si2 * g2_polyi
 94 | 
 95 |         return rs, (pi_c1_1, pi_c1_2)
 96 | 
 97 |     def step4b(self, ciphertexts, rs, randoms):
 98 |         crs = self.crs
 99 | 
100 |         pi_c2_1 = enc(crs.pk1, rs[0], rs[1], 0)
101 |         pi_c2_2 = enc(crs.pk2, rs[0], rs[1], 0)
102 |         for ciphertext, ri in zip(ciphertexts, randoms):
103 |             v1, v2 = ciphertext
104 |             pi_c2_1 = self.tuple_add(pi_c2_1, self.tuple_map(lambda x: ri * x, v1))
105 |             pi_c2_2 = self.tuple_add(pi_c2_2, self.tuple_map(lambda x: ri * x, v2))
106 | 
107 |         return pi_c2_1, pi_c2_2
108 | 
109 |     def prove(self, n, ciphertexts, sigma, s_randoms):
110 |         proof = dict.fromkeys(['shuffled_ciphertexts', 'pi_1sp', 'pi_c1_1',\
111 |                 'pi_c1_2', 'pi_c2_1', 'pi_c2_2', 'A1', 'A2'])
112 |         randoms, A1, A2 = self.step1a(sigma)
113 |         randoms = self.step1b(randoms)
114 |         A1, A2 = self.step1c(A1, A2)
115 |         proof['pi_1sp'] = self.step2a(sigma, A1, randoms)
116 |         proof['shuffled_ciphertexts'] = self.step3a(sigma, ciphertexts, s_randoms)
117 |         rs, (proof['pi_c1_1'], proof['pi_c1_2']) = self.step4a(s_randoms)
118 |         proof['pi_c2_1'], proof['pi_c2_2'] = self.step4b(ciphertexts, rs, randoms)
119 | 
120 |         proof['A1'] = A1[:-1]
121 |         proof['A2'] = A2[:-1]
122 | 
123 |         return proof
124 | 


--------------------------------------------------------------------------------
/flz16/tests/__init__.py:
--------------------------------------------------------------------------------
1 | """
2 | Tests for the re-encryption mixnet module
3 | """
4 | 
5 | from test_utils import UtilsTest
6 | from test_prover_verifier import ProverVerifierTest
7 | 


--------------------------------------------------------------------------------
/flz16/tests/test_prover_verifier.py:
--------------------------------------------------------------------------------
 1 | import unittest
 2 | 
 3 | from crs import CRS
 4 | from prover import Prover
 5 | from verifier import Verifier
 6 | from utils import make_s_randoms, random_permutation,\
 7 |         encrypt_messages, make_tables, decrypt_messages
 8 | 
 9 | class ProverVerifierTest(unittest.TestCase):
10 |     def setUp(self):
11 |         n = 10
12 | 
13 |         crs = CRS(n)
14 |         s_randoms = make_s_randoms(n, crs.order)
15 |         sigma = random_permutation(n)
16 |         ciphertexts = encrypt_messages(crs.order, crs.pk1, crs.pk2, list(range(n)))
17 |         prover = Prover(crs)
18 |         self.proof = prover.prove(n, ciphertexts, sigma, s_randoms)
19 |         self.crs = crs
20 |         self.ciphertexts = ciphertexts
21 | 
22 |     def test_verifier(self):
23 |         verifier = Verifier(self.crs)
24 | 
25 |         self.assertEqual(verifier.verify(self.ciphertexts, self.proof), (True, True, True))
26 | 
27 |         prevshuffle = self.proof['shuffled_ciphertexts']
28 |         g1 = self.crs.lff.gen1()
29 |         g2 = self.crs.lff.gen2()
30 |         self.proof['shuffled_ciphertexts'][3] = ((g1, g1, g1), (g2, g2, g2))
31 | 
32 |         self.assertEqual(verifier.verify(self.ciphertexts, self.proof), (True, False, False))
33 | 
34 |         self.proof['shuffled_ciphertexts'] = prevshuffle
35 |         self.crs.g1alpha = self.crs.g1alpha * 2
36 |         verifier = Verifier(self.crs)
37 | 
38 |         self.assertEqual(verifier.verify(self.ciphertexts, self.proof), (False, False, False))
39 | 


--------------------------------------------------------------------------------
/flz16/tests/test_utils.py:
--------------------------------------------------------------------------------
 1 | import unittest
 2 | 
 3 | from libffpy.libffpy import LibffPy, BigNum
 4 | from utils import make_tables, encrypt, decrypt
 5 | 
 6 | class UtilsTest(unittest.TestCase):
 7 |     def setUp(self):
 8 |         self.MAX = 1000
 9 |         self.lff = LibffPy(self.MAX)
10 | 
11 |     def key_gen(self, g, sk):
12 |         h = g * sk
13 |         return (g, h)
14 | 
15 |     def test_make_tables(self):
16 |         sk = BigNum.getOrder().random()
17 |         pk1 = self.key_gen(self.lff.gen1(), sk)
18 |         pk2 = self.key_gen(self.lff.gen2(), sk)
19 |         table1, table2 = make_tables(pk1, pk2, self.MAX)
20 | 
21 |         self.assertEqual(table1[666 * pk1[0]], 666)
22 |         self.assertEqual(table2[666 * pk2[0]], 666)
23 | 
24 |         self.assertNotEqual(table1[2 * pk1[0]], 666)
25 |         self.assertNotEqual(table2[3 * pk2[0]], 666)
26 | 
27 |     def test_encdec(self):
28 |         sk = BigNum.getOrder().random()
29 | 
30 |         pk1 = self.key_gen(self.lff.gen1(), sk)
31 |         pk2 = self.key_gen(self.lff.gen2(), sk)
32 | 
33 |         order = BigNum.getOrder()
34 |         c1, c2 = encrypt(order, pk1, pk2, 666)
35 | 
36 |         tables = make_tables(pk1, pk2, self.MAX)
37 |         self.assertEqual(decrypt((c1, c2), sk, tables), (666, 666))
38 | 
39 |         import random
40 |         ps = random.sample(range(self.MAX), 100)
41 |         for i in range(100):
42 |             c1, c2 = encrypt(order, pk1, pk2, ps[i])
43 |             self.assertEqual(decrypt((c1, c2), sk, tables), (ps[i], ps[i]))
44 | 


--------------------------------------------------------------------------------
/flz16/utils.py:
--------------------------------------------------------------------------------
 1 | import random
 2 | import ilin2
 3 | 
 4 | def make_s_randoms(n, order):
 5 |     return [[order.random() for j in range(2)] for i in range(n)]
 6 | 
 7 | def random_permutation(n):
 8 |     system_random = random.SystemRandom()
 9 |     s = list(range(n))
10 |     random.shuffle(s, random=system_random.random)
11 |     return s
12 | 
13 | def encrypt(order, pk1, pk2, m):
14 |     s1 = order.random()
15 |     s2 = order.random()
16 |     c1 = ilin2.enc(pk1, s1, s2, m)
17 |     c2 = ilin2.enc(pk2, s1, s2, m)
18 |     return c1, c2
19 | 
20 | def decrypt(cs, secret, tables):
21 |     m1 = ilin2.dec(cs[0], secret, tables[0])
22 |     m2 = ilin2.dec(cs[1], secret, tables[1])
23 |     return m1, m2
24 | 
25 | def encrypt_messages(order, pk1, pk2, messages):
26 |     return [encrypt(order, pk1, pk2, message) for message in messages]
27 | 
28 | def decrypt_messages(secret, tables, ciphertexts):
29 |     return [decrypt(cs, secret, tables) for cs in ciphertexts]
30 | 
31 | def make_tables(pk1, pk2, n):
32 |     table1 = ilin2.make_table(pk1[0], n)
33 |     table2 = ilin2.make_table(pk2[0], n)
34 |     return table1, table2
35 | 
36 | def inverse_perm(s):
37 |     r = [None] * len(s)
38 |     for index, value in enumerate(s):
39 |         r[value] = index
40 |     return r
41 | 


--------------------------------------------------------------------------------
/flz16/verifier.py:
--------------------------------------------------------------------------------
  1 | from prover import Prover
  2 | 
  3 | from libffpy import GTPy
  4 | 
  5 | class Verifier:
  6 |     def __init__(self, crs):
  7 |         self.crs = crs
  8 | 
  9 |     def get_infT(self):
 10 |         return GTPy.one()
 11 | 
 12 |     def step1(self, prover, A1, A2):
 13 |         return prover.step1c(A1, A2)
 14 | 
 15 |     def step2(self):
 16 |         crs = self.crs
 17 | 
 18 |         p1 = [crs.order.random() for i in range(crs.n)]
 19 |         p2 = [crs.order.random() for j in range(3)]
 20 |         p3 = [[crs.order.random() for j in range(3)]
 21 |               for i in range(crs.n)]
 22 |         p4 = [crs.order.random() for j in range(3)]
 23 |         return p1, p2, p3, p4
 24 | 
 25 |     def step3(self, prover, A1, A2, p1, pi_1sp):
 26 |         crs = self.crs
 27 | 
 28 |         inf1, inf2 = prover.get_infs()
 29 |         infT = self.get_infT()
 30 |         prodT = infT
 31 |         prod1 = inf1
 32 |         sum_p = 0
 33 |         for (Ai1, Ai2, p1i, pi_1spi) in zip(A1, A2, p1, pi_1sp):
 34 |             prodT *= crs.pair(p1i * (Ai1 + crs.g1alpha), Ai2 + crs.g2alpha)
 35 |             prod1 += p1i * pi_1spi
 36 |             sum_p = sum_p + p1i
 37 |         right = crs.pair(prod1, crs.g2rho) * (crs.pair_alpha ** sum_p)
 38 |         return prodT == right
 39 | 
 40 |     def step4(self, prover, p2, p3, pi_c2_1, pi_c2_2, v_primes):
 41 |         crs = self.crs
 42 | 
 43 |         inf1, inf2 = prover.get_infs()
 44 | 
 45 |         def pi_c_prod(inf, pi_c2_):
 46 |             prod_c2_ = inf
 47 |             for (p2j, pi_c2_j) in zip(p2, pi_c2_):
 48 |                 prod_c2_ += p2j * pi_c2_j
 49 |             return prod_c2_
 50 | 
 51 |         def nested_prods(inf, flag):
 52 |             outer_prod = inf
 53 |             for vi_prime, p3i in zip(v_primes, p3):
 54 |                 inner_prod = inf
 55 |                 vi_f_prime = vi_prime[flag]
 56 |                 for (vi_f_prime_j, p3ij) in zip(vi_f_prime, p3i):
 57 |                     inner_prod += p3ij * vi_f_prime_j
 58 |                 outer_prod += inner_prod
 59 |             return outer_prod
 60 | 
 61 |         left = crs.pair(crs.g1rho, pi_c_prod(inf2, pi_c2_2) + nested_prods(inf2, 1))
 62 |         right = crs.pair(pi_c_prod(inf1, pi_c2_1) + nested_prods(inf1, 0), crs.g2beta)
 63 |         return left == right
 64 | 
 65 |     def step5(self, prover, pi_c1_1, pi_c1_2, pi_c2_1, p4):
 66 |         crs = self.crs
 67 | 
 68 |         inf1, _ = prover.get_infs()
 69 |         g1hat, h1 = crs.pk1
 70 |         pair1 = crs.pair(g1hat, p4[1] * pi_c1_2 + p4[2] * (pi_c1_1 + pi_c1_2))
 71 |         pair2 = crs.pair(h1, p4[0] * pi_c1_1 + p4[1] * pi_c1_2)
 72 |         prod = inf1
 73 |         for (p4j, pi_c2_1j) in zip(p4, pi_c2_1):
 74 |             prod += p4j * pi_c2_1j
 75 |         pair3 = crs.pair(prod, crs.g2rho)
 76 |         return pair1 * pair2 * pair3.inv()
 77 | 
 78 |     def step6(self, prover, ciphertexts, v_primes, A2, p4, R):
 79 |         crs = self.crs
 80 |         def do_inner(vi):
 81 |             vi1 = vi[0]
 82 |             inf1, _ = prover.get_infs()
 83 |             inner_prod = inf1
 84 |             for (p4j, vi1j) in zip(p4, vi1):
 85 |                 inner_prod += p4j * vi1j
 86 |             return inner_prod
 87 | 
 88 |         infT = self.get_infT()
 89 |         outer_numer = infT
 90 |         for (vi_prime, g2_poly_i) in zip(v_primes, crs.g2_polys):
 91 |             outer_numer *= crs.pair(do_inner(vi_prime), g2_poly_i)
 92 | 
 93 |         outer_denom = infT
 94 |         for (vi, Ai2) in zip(ciphertexts, A2):
 95 |             outer_denom *= crs.pair(do_inner(vi), Ai2)
 96 | 
 97 |         return outer_numer * outer_denom.inv() == R
 98 | 
 99 |     def verify(self, ciphertexts, proof):
100 |         prover = Prover(self.crs)
101 | 
102 |         A1, A2 = self.step1(prover, proof['A1'], proof['A2'])
103 |         p1, p2, p3, p4 = self.step2()
104 |         perm_ok = self.step3(prover, A1, A2, p1, proof['pi_1sp'])
105 |         valid = self.step4(prover, p2, p3, proof['pi_c2_1'],\
106 |                 proof['pi_c2_2'], proof['shuffled_ciphertexts'])
107 |         R = self.step5(prover, proof['pi_c1_1'], proof['pi_c1_2'], proof['pi_c2_1'], p4)
108 |         consistent = self.step6(prover, ciphertexts,\
109 |                 proof['shuffled_ciphertexts'], A2, p4, R)
110 |         return perm_ok, valid, consistent
111 | 


--------------------------------------------------------------------------------
/libffpy/__init__.py:
--------------------------------------------------------------------------------
1 | from libffpy import *
2 | 


--------------------------------------------------------------------------------
/libffpy/demo.py:
--------------------------------------------------------------------------------
 1 | import sys
 2 | import datetime
 3 | from libffpy import LibffPy, BigNum
 4 | 
 5 | n = int(sys.argv[1])
 6 | 
 7 | l = LibffPy(n)
 8 | g2 = l.gen2()
 9 | g1 = l.gen1()
10 | 
11 | 
12 | start = datetime.datetime.now()
13 | bg = [BigNum() for _ in xrange(n - 1)]
14 | end = datetime.datetime.now()
15 | print "BigNum creation ellapsed: %s" % (end - start)
16 | 
17 | 
18 | s = reduce((lambda x,y: x + y), bg)
19 | 
20 | bg.append(bg[0].getOrder() + 1 - s)
21 | 
22 | 
23 | start = datetime.datetime.now()
24 | res = [g2 * e for e in bg]
25 | end = datetime.datetime.now()
26 | print "G2 Multiplication ellapsed: %s" % (end - start)
27 | 
28 | s = reduce((lambda x,y: x+ y), res)
29 | print "Test passed: %s" % (s == g2)
30 | 
31 | start = datetime.datetime.now()
32 | res = [g1 * e for e in bg]
33 | end = datetime.datetime.now()
34 | print "G1 multiplication ellapsed: %s" % (end - start)
35 | 


--------------------------------------------------------------------------------
/libffpy/libff_wrapper.cpp:
--------------------------------------------------------------------------------
 1 | #include "libff_wrapper.h"
 2 | 
 3 | size_t get_g2_exp_window_size(size_t g2_exp_count) {
 4 |     return get_exp_window_size<G2<curve>>(g2_exp_count);
 5 | }
 6 | 
 7 | window_table<G2<curve>> get_g2_window_table(size_t window_size, G2<curve> elem) {
 8 |     return get_window_table(Fr<curve>::size_in_bits(), window_size, elem);
 9 | }
10 | 
11 | G2<curve> g2_mul(size_t window_size, window_table<G2<curve>> *g2_table, Fr<curve> other) {
12 |     return windowed_exp(Fr<curve>::size_in_bits(), window_size, *g2_table, other);
13 | }
14 | 
15 | size_t get_g1_exp_window_size(size_t g1_exp_count) {
16 |     return get_exp_window_size<G1<curve>>(g1_exp_count);
17 | }
18 | 
19 | window_table<G1<curve>> get_g1_window_table(size_t window_size, G1<curve> elem) {
20 |     return get_window_table(Fr<curve>::size_in_bits(), window_size, elem);
21 | }
22 | 
23 | G1<curve> g1_mul(size_t window_size, window_table<G1<curve>> *g1_table, Fr<curve> other) {
24 |     return windowed_exp(Fr<curve>::size_in_bits(), window_size, *g1_table, other);
25 | }
26 | 
27 | Fr<curve> Fr_get_random_nonzero() {
28 |     Fr<curve> elem = Fr<curve>::random_element();
29 |     while (elem == Fr<curve>::zero()) {
30 |         elem = Fr<curve>::random_element();
31 |     }
32 |     return elem;
33 | }
34 | 
35 | Fr<curve> Fr_get_random_nonorder() {
36 |     Fr<curve> elem = Fr<curve>::random_element();
37 |     while (elem == Fr<curve>::zero() && elem != Fr<curve>::one()) {
38 |         elem = Fr<curve>::random_element();
39 |     }
40 |     return elem;
41 | }
42 | 


--------------------------------------------------------------------------------
/libffpy/libff_wrapper.h:
--------------------------------------------------------------------------------
 1 | #include <vector>
 2 | #include "gmp.h"
 3 | #include "algebra/fields/bigint.hpp"
 4 | #include "algebra/curves/public_params.hpp"
 5 | #include "algebra/curves/bn128/bn128_pp.hpp"
 6 | #include "algebra/scalar_multiplication/multiexp.hpp"
 7 | 
 8 | using namespace libff;
 9 | 
10 | typedef bn128_pp curve;
11 | 
12 | size_t get_g2_exp_window_size(size_t g2_exp_count);
13 | window_table<G2<curve>> get_g2_window_table(size_t window_size, G2<curve> elem);
14 | G2<curve> g2_mul(size_t window_size, window_table<G2<curve>> *g2_table, Fr<curve> other);
15 | 
16 | size_t get_g1_exp_window_size(size_t g1_exp_count);
17 | window_table<G1<curve>> get_g1_window_table(size_t window_size, G1<curve> elem);
18 | G1<curve> g1_mul(size_t window_size, window_table<G1<curve>> *g1_table, Fr<curve> other);
19 | 
20 | Fr<curve> Fr_get_random_nonzero();
21 | Fr<curve> Fr_get_random_nonorder();
22 | 


--------------------------------------------------------------------------------
/libffpy/libffpy.pxd:
--------------------------------------------------------------------------------
 1 | from libcpp cimport bool, string
 2 | 
 3 | 
 4 | cdef extern from "libff_wrapper.h":
 5 |     cdef cppclass curve:
 6 |         pass
 7 | 
 8 |     cdef cppclass bignum:
 9 |         pass
10 | 
11 |     cdef cppclass fp1"bn::Fp":
12 |         string.string toString(int)
13 | 
14 |     cdef cppclass fp2"bn::Fp2":
15 |         string.string toString(int)
16 | 
17 |     cdef cppclass window_table[G]:
18 |         window_table() except +
19 |         window_table(window_table f) except +
20 | 
21 |     cdef void init_public_params "curve::init_public_params"()
22 | 
23 |     cdef cppclass Fr[curve]:
24 |         Fr() except +
25 |         Fr(Fr[curve] f) except +
26 |         Fr(long long n) except +
27 |         Fr(bignum b) except +
28 | 
29 |         Fr[curve] operator+(Fr[curve] other) except +
30 |         Fr[curve] operator+(long long int other) except +
31 |         Fr[curve] operator-(Fr[curve] other) except +
32 |         Fr[curve] operator-(long long int other) except +
33 |         Fr[curve] operator-() except +
34 |         Fr[curve] operator*(Fr[curve] other) except +
35 |         Fr[curve] operator*(long long other) except +
36 |         Fr[curve] operator^(unsigned long other) except +
37 |         bool operator==(Fr[curve] other) except +
38 |         Fr[curve] inverse() except +
39 |         void cprint"print"() except +
40 | 
41 |     cdef cppclass G2[curve]:
42 |         G2() except +
43 |         G2(G2[curve] g) except +
44 | 
45 |         G2[curve] operator+(G2[curve] other) except +
46 |         G2[curve] operator-(G2[curve] other) except +
47 |         bool operator==(G2[curve] other) except +
48 |         void cprint"print"() except +
49 |         void to_affine_coordinates() except +
50 |         fp2 *coord
51 | 
52 |     cdef cppclass G1[curve]:
53 |         G1() except +
54 |         G1(G1[curve] g) except +
55 | 
56 |         G1[curve] operator+(G1[curve] other) except +
57 |         G1[curve] operator-(G1[curve] other) except +
58 |         bool operator==(G1 other) except +
59 |         void cprint"print"() except +
60 |         void to_affine_coordinates() except +
61 |         fp1 *coord
62 | 
63 |     cdef cppclass GT[curve]:
64 |         GT() except +
65 |         GT(GT[curve] g) except +
66 | 
67 |         GT[curve] operator^(Fr[curve] fr) except +
68 |         GT[curve] operator*(GT[curve] other) except +
69 |         GT[curve] unitary_inverse() except +
70 |         bool operator==(GT other) except +
71 |         void cprint"print"() except +
72 | 
73 |     G1[curve] operator*(Fr[curve], G1[curve]) except +
74 |     G2[curve] operator*(Fr[curve], G2[curve]) except +
75 | 
76 |     cdef size_t get_g2_exp_window_size(size_t g2_exp_count)
77 |     cdef G2[curve] g2_mul(size_t window_size, window_table[G2[curve]] *g2_table, Fr[curve] other)
78 |     cdef window_table[G2[curve]] get_g2_window_table(size_t window_size, G2[curve] elem)
79 | 
80 |     cdef size_t get_g1_exp_window_size(size_t g1_exp_count)
81 |     cdef G1[curve] g1_mul(size_t window_size, window_table[G1[curve]] *g1_table, Fr[curve] other)
82 |     cdef window_table[G1[curve]] get_g1_window_table(size_t window_size, G1[curve] elem)
83 |     cdef GT[curve] reduced_pairing "curve::reduced_pairing"(G1[curve] g1, G2[curve] g2)
84 | 
85 |     cdef bignum get_order "Fr<curve>::field_char"()
86 |     cdef Fr[curve] Fr_get_random "Fr<curve>::random_element"()
87 |     cdef Fr[curve] Fr_get_random_nonzero()
88 |     cdef Fr[curve] Fr_get_random_nonorder()
89 | 
90 |     cdef G1[curve] get_g1_gen "G1<curve>::one"()
91 |     cdef G2[curve] get_g2_gen "G2<curve>::one"()
92 | 
93 |     cdef G1[curve] get_g1_zero "G1<curve>::zero"()
94 |     cdef G2[curve] get_g2_zero "G2<curve>::zero"()
95 | 
96 |     cdef GT[curve] get_gt_one "GT<curve>::one"()
97 | 


--------------------------------------------------------------------------------
/libffpy/libffpy.pyx:
--------------------------------------------------------------------------------
  1 | cimport libffpy
  2 | 
  3 | from libcpp.string cimport string
  4 | 
  5 | cdef class BigNum:
  6 |     cdef Fr[curve] *_thisptr
  7 | 
  8 |     def __cinit__(self, num=None, init=True):
  9 |         if init:
 10 |             if num is not None and (isinstance(num, int) or isinstance(num, long)):
 11 |                 self._thisptr = new Fr[curve](<long long>num)
 12 |             else:
 13 |                 self._thisptr = new Fr[curve](Fr_get_random())
 14 | 
 15 |     def __dealloc__(self):
 16 |         self.free()
 17 | 
 18 |     def free(self):
 19 |         if self._thisptr != NULL:
 20 |             del self._thisptr
 21 | 
 22 |     @staticmethod
 23 |     def getOrder():
 24 |         cdef Fr[curve] *newptr
 25 |         cdef BigNum res = BigNum(init=False)
 26 | 
 27 |         newptr = new Fr[curve](get_order())
 28 |         res.setElem(newptr)
 29 | 
 30 |         return res
 31 | 
 32 |     cdef setElem(self, Fr[curve] *b):
 33 |         self.free()
 34 |         self._thisptr = b
 35 | 
 36 |     cdef Fr[curve] *getElemRef(self):
 37 |         return self._thisptr
 38 | 
 39 |     cdef BigNum createElem(self, Fr[curve]* b):
 40 |         cdef BigNum bg = BigNum(init=False)
 41 |         bg.setElem(b)
 42 |         return bg
 43 | 
 44 |     cpdef BigNum add(self, BigNum other):
 45 |         cdef Fr[curve] *newptr
 46 |         newptr = new Fr[curve](self.getElemRef()[0] + other.getElemRef()[0])
 47 |         return self.createElem(newptr)
 48 | 
 49 |     cpdef BigNum addInt(self, long long other):
 50 |         cdef Fr[curve] *newptr
 51 |         newptr = new Fr[curve](self.getElemRef()[0] + other)
 52 |         return self.createElem(newptr)
 53 | 
 54 |     cpdef BigNum subInt(self, long long other, neg=False):
 55 |         cdef Fr[curve] *newptr
 56 |         if neg:
 57 |             newptr = new Fr[curve](-self.getElemRef()[0] + other)
 58 |         else:
 59 |             newptr = new Fr[curve](self.getElemRef()[0] - other)
 60 | 
 61 |         return self.createElem(newptr)
 62 | 
 63 |     cpdef BigNum sub(self, BigNum other):
 64 |         cdef Fr[curve] *newptr
 65 |         newptr = new Fr[curve](self.getElemRef()[0] - other.getElemRef()[0])
 66 |         return self.createElem(newptr)
 67 | 
 68 |     cpdef eq(self, BigNum other):
 69 |         return self.getElemRef()[0] == other.getElemRef()[0]
 70 | 
 71 |     cpdef BigNum pow(self, unsigned long p):
 72 |         cdef Fr[curve] *newptr
 73 |         newptr = new Fr[curve](self.getElemRef()[0] ^ p)
 74 |         return self.createElem(newptr)
 75 | 
 76 |     cpdef BigNum mod_inverse(self):
 77 |         cdef Fr[curve] *newptr
 78 |         newptr = new Fr[curve](self.getElemRef()[0].inverse())
 79 |         return self.createElem(newptr)
 80 | 
 81 |     cpdef BigNum random(self, nonzero=False, nonorder=False):
 82 |         cdef Fr[curve] *newptr
 83 |         if nonzero:
 84 |             newptr = new Fr[curve](Fr_get_random_nonzero())
 85 |         elif nonorder:
 86 |             newptr = new Fr[curve](Fr_get_random_nonorder())
 87 |         else:
 88 |             newptr = new Fr[curve](Fr_get_random())
 89 |         return self.createElem(newptr)
 90 | 
 91 |     def __add__(x, y):
 92 |         cdef BigNum bgleft, bgright
 93 |         cdef long long intright
 94 | 
 95 |         if not (isinstance(x, BigNum) or isinstance(y, BigNum)):
 96 |             return NotImplemented
 97 | 
 98 |         if isinstance(x, BigNum):
 99 |             if isinstance(y, BigNum):
100 |                 bgleft = <BigNum>x
101 |                 bgright = <BigNum>y
102 |                 return bgleft.add(bgright)
103 |             elif isinstance(y, int) or isinstance(y, long):
104 |                 bgleft = <BigNum>x
105 |                 intright = <long long>y
106 |                 return bgleft.addInt(intright)
107 |             else:
108 |                 return NotImplemented
109 | 
110 |         # y is bignum
111 |         if isinstance(x, int) or isinstance(x, long):
112 |             bgleft = <BigNum>y
113 |             intright = <long long>x
114 |             return bgleft.addInt(intright)
115 | 
116 |         return NotImplemented
117 | 
118 | 
119 |     def __sub__(x, y):
120 |         cdef BigNum bgleft, bgright
121 |         cdef long long intright
122 | 
123 |         if not (isinstance(x, BigNum) or isinstance(y, BigNum)):
124 |             return NotImplemented
125 | 
126 |         if isinstance(x, BigNum):
127 |             if isinstance(y, BigNum):
128 |                 bgleft = <BigNum>x
129 |                 bgright = <BigNum>y
130 |                 return bgleft.sub(bgright)
131 |             elif isinstance(y, int) or isinstance(y, long):
132 |                 bgleft = <BigNum>x
133 |                 intright = <long long>y
134 |                 return bgleft.subInt(intright)
135 |             else:
136 |                 return NotImplemented
137 | 
138 |         # y is bignum
139 |         if isinstance(x, int) or isinstance(x, long):
140 |             bgleft = <BigNum>y
141 |             intright = <long long>x
142 |             return bgleft.subInt(intright, neg=True)
143 | 
144 |         return NotImplemented
145 | 
146 |     cpdef BigNum mul(self, BigNum other):
147 |         cdef Fr[curve] *newptr
148 |         newptr = new Fr[curve](self.getElemRef()[0] * other.getElemRef()[0])
149 |         return self.createElem(newptr)
150 | 
151 |     cpdef BigNum mulInt(self, long long other):
152 |         cdef Fr[curve] *newptr
153 |         newptr = new Fr[curve](self.getElemRef()[0] * other)
154 |         return self.createElem(newptr)
155 | 
156 |     def __mul__(x, y):
157 |         cdef BigNum left, right
158 |         cdef long long intright
159 |         if not (isinstance(x, BigNum) or isinstance(y, BigNum)):
160 |             return NotImplemented
161 | 
162 |         if isinstance(x, BigNum):
163 |             left = <BigNum>x
164 |             if isinstance(y, BigNum):
165 |                 right = <BigNum>y
166 |                 return left.mul(right)
167 | 
168 |             if isinstance(y, int) or isinstance(y, long):
169 |                 intright = <long long>y
170 |                 return left.mulInt(intright)
171 | 
172 |         left = <BigNum>y
173 |         if isinstance(x, int):
174 |             intright = <long long>x
175 |             return left.mulInt(intright)
176 | 
177 |         return NotImplemented
178 | 
179 | 
180 |     def __pow__(x, y, z):
181 |         cdef BigNum bg
182 |         cdef unsigned long p
183 |         if not isinstance(x, BigNum):
184 |             return NotImplemented
185 | 
186 |         if not (isinstance(y, int) or isinstance(y, long)):
187 |             return NotImplemented
188 | 
189 |         bg = <BigNum>x
190 |         p = <unsigned long>y
191 | 
192 |         return bg.pow(p)
193 | 
194 |     def __richcmp__(x, y, int op):
195 |         cdef BigNum left, right
196 | 
197 |         if op != 2:
198 |             # not ==
199 |             return NotImplemented
200 | 
201 |         if not (isinstance(x, BigNum) and isinstance(y, BigNum)):
202 |             return NotImplemented
203 | 
204 |         left = <BigNum>x
205 |         right = <BigNum>y
206 | 
207 |         return left.eq(right)
208 | 
209 |     def __neg__(self):
210 |         cdef Fr[curve] *newptr
211 |         newptr = new Fr[curve](-self.getElemRef()[0])
212 |         return self.createElem(newptr)
213 | 
214 |     cpdef pyprint(self):
215 |         self.getElemRef()[0].cprint()
216 | 
217 | 
218 | cdef class G1Py:
219 |     cdef G1[curve] *_thisptr
220 |     cdef size_t g1_exp_count
221 |     cdef size_t g1_window_size
222 |     cdef window_table[G1[curve]] *g1_table
223 | 
224 |     def __cinit__(self, init=True):
225 |         if init:
226 |             self._thisptr = new G1[curve](get_g1_gen())
227 | 
228 |     def __dealloc__(self):
229 |         self.free()
230 |         if self.g1_table != NULL:
231 |             del self.g1_table
232 | 
233 |     def initWindowTable(self, int n):
234 |         self.g1_exp_count = 4 * n + 7;
235 |         self.g1_window_size = get_g1_exp_window_size(self.g1_exp_count)
236 |         self.g1_table = new window_table[G1[curve]](get_g1_window_table(self.g1_window_size, self.getElemRef()[0]))
237 | 
238 |     @staticmethod
239 |     def inf():
240 |         cdef G1[curve] *newptr
241 |         cdef G1Py g = G1Py(init=False)
242 |         newptr = new G1[curve](get_g1_zero())
243 |         g.setElem(newptr)
244 |         return g
245 | 
246 |     def free(self):
247 |         if self._thisptr != NULL:
248 |             del self._thisptr
249 | 
250 |     cdef setElem(self, G1[curve] *g):
251 |         self.free()
252 |         self._thisptr = g
253 | 
254 |     cdef G1[curve] *getElemRef(self):
255 |         return self._thisptr
256 | 
257 |     cdef G1Py createElem(self, G1[curve] *g):
258 |         cdef G1Py g1 = G1Py(init=False)
259 |         g1.setElem(g)
260 |         return g1
261 | 
262 |     cpdef G1Py mul(self, BigNum bgpy):
263 |         cdef G1[curve] *newptr
264 | 
265 |         cdef Fr[curve] bg = bgpy.getElemRef()[0]
266 |         cdef G1Py elem
267 |         if self.g1_table != NULL:
268 |             newptr = new G1[curve](g1_mul(self.g1_window_size, self.g1_table, bg))
269 |         else:
270 |             newptr = new G1[curve](bg * self.getElemRef()[0])
271 | 
272 |         return self.createElem(newptr)
273 | 
274 | 
275 |     cpdef G1Py add(self, G1Py other):
276 |         cdef G1[curve] *newptr
277 |         newptr = new G1[curve](self.getElemRef()[0] + other.getElemRef()[0])
278 |         return self.createElem(newptr)
279 | 
280 |     cpdef G1Py sub(self, G1Py other):
281 |         cdef G1[curve] *newptr
282 |         newptr = new G1[curve](self.getElemRef()[0] - other.getElemRef()[0])
283 |         return self.createElem(newptr)
284 | 
285 |     cpdef eq(self, G1Py other):
286 |         return self.getElemRef()[0] == other.getElemRef()[0]
287 | 
288 |     def __mul__(x, y):
289 |         cdef G1Py g1
290 |         cdef BigNum bg
291 |         cdef Fr[curve] *fr
292 | 
293 |         if not (isinstance(x, G1Py) or isinstance(y, G1Py)):
294 |             return NotImplemented
295 | 
296 |         if isinstance(x, G1Py):
297 |             g1 = <G1Py>x
298 |             if isinstance(y, BigNum):
299 |                 bg = <BigNum>y
300 |             elif isinstance(y, int) or isinstance(y, long):
301 |                 bg = BigNum(<long long>y)
302 |             else:
303 |                 return NotImplemented
304 |         else:
305 |             g1 = <G1Py>y
306 |             if isinstance(x, BigNum):
307 |                 bg = <BigNum>x
308 |             elif isinstance(x, int) or isinstance(x, long):
309 |                 bg = BigNum(<long long>x)
310 |             else:
311 |                 return NotImplemented
312 | 
313 |         return g1.mul(bg)
314 | 
315 |     def __hash__(self):
316 |         cdef G1[curve] *elem = new G1[curve](self.getElemRef()[0])
317 | 
318 |         elem[0].to_affine_coordinates()
319 | 
320 |         cdef string mystr = elem[0].coord[0].toString(10) + \
321 |             elem[0].coord[1].toString(10) + \
322 |             elem[0].coord[2].toString(10)
323 | 
324 |         return hash(mystr)
325 | 
326 |     def __add__(x, y):
327 |         cdef G1Py left, right
328 | 
329 |         if not (isinstance(x, G1Py) and isinstance(y, G1Py)):
330 |             return NotImplemented
331 | 
332 |         left = <G1Py>x
333 |         right = <G1Py>y
334 | 
335 |         return left.add(right)
336 | 
337 |     def __sub__(x, y):
338 |         cdef G1Py left, right
339 | 
340 |         if not (isinstance(x, G1Py) and isinstance(y, G1Py)):
341 |             return NotImplemented
342 | 
343 |         left = <G1Py>x
344 |         right = <G1Py>y
345 | 
346 |         return left.sub(right)
347 | 
348 |     def __richcmp__(x, y, int op):
349 |         cdef G1Py left, right
350 | 
351 |         if op != 2:
352 |             # not ==
353 |             return NotImplemented
354 | 
355 |         if not (isinstance(x, G1Py) and isinstance(y, G1Py)):
356 |             return NotImplemented
357 | 
358 |         left = <G1Py>x
359 |         right = <G1Py>y
360 | 
361 |         return left.eq(right)
362 | 
363 |     cpdef pyprint(self):
364 |         self.getElemRef()[0].cprint()
365 | 
366 | 
367 | cdef class G2Py:
368 |     cdef G2[curve] *_thisptr
369 |     cdef size_t g2_exp_count
370 |     cdef size_t g2_window_size
371 |     cdef window_table[G2[curve]] *g2_table
372 | 
373 |     def __cinit__(self, init=True):
374 |         if init:
375 |             self._thisptr = new G2[curve](get_g2_gen())
376 | 
377 |     def __dealloc__(self):
378 |         self.free()
379 |         if self.g2_table != NULL:
380 |             del self.g2_table
381 | 
382 |     def initWindowTable(self, int n):
383 |         self.g2_exp_count = n + 6
384 |         self.g2_window_size = get_g2_exp_window_size(self.g2_exp_count)
385 |         self.g2_table = new window_table[G2[curve]](get_g2_window_table(self.g2_window_size, self.getElemRef()[0]))
386 | 
387 |     @staticmethod
388 |     def inf():
389 |         cdef G2[curve] *newptr
390 |         cdef G2Py g = G2Py(init=False)
391 |         newptr = new G2[curve](get_g2_zero())
392 |         g.setElem(newptr)
393 |         return g
394 | 
395 |     def free(self):
396 |         if self._thisptr != NULL:
397 |             del self._thisptr
398 | 
399 |     cdef setElem(self, G2[curve] *g):
400 |         self.free()
401 |         self._thisptr = g
402 | 
403 |     cdef G2[curve] *getElemRef(self):
404 |         return self._thisptr
405 | 
406 |     cdef createElem(self, G2[curve] *g):
407 |         cdef G2Py g2 = G2Py(init=False)
408 |         g2.setElem(g)
409 |         return g2
410 | 
411 |     cpdef G2Py mul(self, BigNum bgpy):
412 |         cdef G2[curve] *newptr
413 |         cdef Fr[curve] bg = bgpy.getElemRef()[0]
414 | 
415 |         if self.g2_table != NULL:
416 |             newptr = new G2[curve](g2_mul(self.g2_window_size, self.g2_table, bg))
417 |         else:
418 |             newptr = new G2[curve](bg * self.getElemRef()[0])
419 | 
420 |         return self.createElem(newptr)
421 | 
422 |     cpdef G2Py add(self, G2Py other):
423 |         cdef G2[curve] *newptr
424 |         newptr = new G2[curve](self.getElemRef()[0] + other.getElemRef()[0])
425 |         return self.createElem(newptr)
426 | 
427 |     cpdef G2Py sub(self, G2Py other):
428 |         cdef G2[curve] *newptr
429 |         newptr = new G2[curve](self.getElemRef()[0] - other.getElemRef()[0])
430 |         return self.createElem(newptr)
431 | 
432 |     cpdef eq(self, G2Py other):
433 |         return self.getElemRef()[0] == other.getElemRef()[0]
434 | 
435 |     def __mul__(x, y):
436 |         cdef G2Py g2
437 |         cdef BigNum bg
438 |         cdef Fr[curve] *fr
439 | 
440 |         if not (isinstance(x, G2Py) or isinstance(y, G2Py)):
441 |             return NotImplemented
442 | 
443 |         if isinstance(x, G2Py):
444 |             if isinstance(y, BigNum):
445 |                 bg = <BigNum>y
446 |             elif isinstance(y, int):
447 |                 fr = new Fr[curve](<int>y)
448 |                 bg = BigNum(init=False)
449 |                 bg.setElem(fr)
450 |             else:
451 |                 return NotImplemented
452 |             g2 = <G2Py>x
453 |         elif isinstance(x, BigNum):
454 |             g2 = <G2Py>y
455 |             bg = <BigNum>x
456 |         elif isinstance(x, int):
457 |             g2 = <G2Py>y
458 |             fr = new Fr[curve](<int>x)
459 |             bg = BigNum(init=False)
460 |             bg.setElem(fr)
461 |         else:
462 |             return NotImplemented
463 | 
464 |         return g2.mul(bg)
465 | 
466 |     def __hash__(self):
467 |         cdef G2[curve] *elem = new G2[curve](self.getElemRef()[0])
468 | 
469 |         elem[0].to_affine_coordinates()
470 | 
471 |         cdef string mystr = elem[0].coord[0].toString(10) + \
472 |             elem[0].coord[1].toString(10) + \
473 |             elem[0].coord[2].toString(10)
474 | 
475 |         return hash(mystr)
476 | 
477 |     def __add__(x, y):
478 |         cdef G2Py left, right
479 | 
480 |         if not (isinstance(x, G2Py) and isinstance(y, G2Py)):
481 |             return NotImplemented
482 | 
483 |         left = <G2Py>x
484 |         right = <G2Py>y
485 | 
486 |         return left.add(right)
487 | 
488 |     def __sub__(x, y):
489 |         cdef G2Py left, right
490 | 
491 |         if not (isinstance(x, G2Py) and isinstance(y, G2Py)):
492 |             return NotImplemented
493 | 
494 |         left = <G2Py>x
495 |         right = <G2Py>y
496 | 
497 |         return left.sub(right)
498 | 
499 |     def __richcmp__(x, y, op):
500 |         cdef G2Py left, right
501 | 
502 |         if op != 2:
503 |             # not ==
504 |             return NotImplemented
505 | 
506 |         if not (isinstance(x, G2Py) and isinstance(y, G2Py)):
507 |             return NotImplemented
508 | 
509 |         left = <G2Py>x
510 |         right = <G2Py>y
511 | 
512 |         return left.eq(right)
513 | 
514 |     cpdef pyprint(self):
515 |         self.getElemRef()[0].cprint()
516 | 
517 | 
518 | cdef class GTPy:
519 |     cdef GT[curve] *_thisptr
520 | 
521 |     def __cinit__(self, init=True):
522 |         if init:
523 |             self._thisptr = new GT[curve]()
524 | 
525 |     def __dealloc__(self):
526 |         self.free()
527 | 
528 |     def free(self):
529 |         if self._thisptr != NULL:
530 |             del self._thisptr
531 | 
532 |     def __mul__(x, y):
533 |         cdef GTPy left, right
534 | 
535 |         if not (isinstance(x, GTPy) and isinstance(y, GTPy)):
536 |             return NotImplemented
537 | 
538 |         left = <GTPy>x
539 |         right = <GTPy>y
540 | 
541 |         return left.mul(right)
542 | 
543 |     def __pow__(x, y, z):
544 |         cdef GTPy gt
545 |         cdef BigNum bg
546 | 
547 |         if not (isinstance(x, GTPy) and isinstance(y, BigNum)):
548 |             return NotImplemented
549 | 
550 |         gt = <GTPy>x
551 |         bg = <BigNum>y
552 | 
553 |         return gt.pow(bg)
554 | 
555 |     def __richcmp__(x, y, op):
556 |         cdef GTPy left, right
557 |         if op != 2 or not(isinstance(x, GTPy) and isinstance(y, GTPy)):
558 |             return NotImplemented
559 | 
560 |         left = <GTPy>x
561 |         right = <GTPy>y
562 | 
563 |         return left.eq(right)
564 | 
565 |     cpdef GTPy inv(self):
566 |         cdef GT[curve] *newptr
567 |         newptr = new GT[curve](self.getElemRef()[0].unitary_inverse())
568 |         return self.createElem(newptr)
569 | 
570 |     cdef GT[curve]* getElemRef(self):
571 |         return self._thisptr
572 | 
573 |     cdef setElem(self, GT[curve] *g):
574 |         self.free()
575 |         self._thisptr = g
576 | 
577 |     cdef GTPy createElem(self, GT[curve] *g):
578 |         cdef GTPy gt = GTPy(init=False)
579 |         gt.setElem(g)
580 |         return gt
581 | 
582 |     cpdef GTPy mul(self, GTPy other):
583 |         cdef GT[curve] *newptr
584 |         newptr = new GT[curve](self.getElemRef()[0] * other.getElemRef()[0])
585 |         return self.createElem(newptr)
586 | 
587 |     cpdef GTPy pow(self, BigNum bg):
588 |         cdef GT[curve] *newptr
589 |         cdef Fr[curve] fr = bg.getElemRef()[0]
590 |         newptr = new GT[curve](self.getElemRef()[0] ^ fr)
591 |         return self.createElem(newptr)
592 | 
593 |     cpdef bool eq(self, GTPy other):
594 |         return self.getElemRef()[0] == other.getElemRef()[0]
595 | 
596 |     @staticmethod
597 |     def one():
598 |         cdef GTPy gt = GTPy(init=False)
599 |         cdef GT[curve] *newptr
600 |         newptr = new GT[curve](get_gt_one())
601 |         gt.setElem(newptr)
602 |         return gt
603 | 
604 |     @staticmethod
605 |     def pair(G1Py g1, G2Py g2):
606 |         cdef GTPy gt = GTPy(init=False)
607 |         cdef GT[curve] *newptr
608 |         newptr = new GT[curve](reduced_pairing(g1.getElemRef()[0], g2.getElemRef()[0]))
609 |         gt.setElem(newptr)
610 |         return gt
611 | 
612 |     cpdef pyprint(self):
613 |         self.getElemRef()[0].cprint()
614 | 
615 | 
616 | cdef class LibffPy:
617 |     cdef G1Py g1
618 |     cdef G2Py g2
619 | 
620 |     def __init__(self, int n):
621 |         init_public_params()
622 |         self.g1 = G1Py()
623 |         self.g2 = G2Py()
624 | 
625 |         self.g1.initWindowTable(n)
626 |         self.g2.initWindowTable(n)
627 | 
628 |     def order(self):
629 |         return BigNum.getOrder()
630 | 
631 |     def gen1(self):
632 |         return self.g1
633 | 
634 |     def gen2(self):
635 |         return self.g2
636 | 
637 |     def pair(self, G1Py g1, G2Py g2):
638 |         gt = GTPy.pair(g1, g2)
639 |         return gt
640 | 


--------------------------------------------------------------------------------
/libffpy/setup.py:
--------------------------------------------------------------------------------
 1 | import os
 2 | from distutils.core import setup
 3 | from distutils.extension import Extension
 4 | from Cython.Build import cythonize
 5 | 
 6 | from Cython.Distutils import build_ext
 7 | 
 8 | 
 9 | os.environ["CC"] = "g++"
10 | os.environ["CXX"] = "g++"
11 | 
12 | setup(
13 |     name='libffpy',
14 |     ext_modules=cythonize(
15 |         Extension(
16 |             "libffpy",
17 |             sources=["libffpy.pyx", "libff_wrapper.cpp"],
18 |             language="c++",
19 |             include_dirs=["/usr/local/include/libff"],
20 |             library_dirs = ["/usr/local/lib"],
21 |             extra_compile_args = ["-std=c++11", "-fPIC", "-shared", "-w", "-static"],
22 |             extra_link_args = ["-lgmp", "-lff", "-lsnark", "-lcrypto", "-fopenmp", "-g"]
23 |         )
24 |     ),
25 |     cmdclass = {'build_ext': build_ext}
26 | )
27 | 


--------------------------------------------------------------------------------
/libffpy/tests/__init__.py:
--------------------------------------------------------------------------------
1 | """
2 | Tests for the libff wrapper
3 | """
4 | 
5 | 


--------------------------------------------------------------------------------
/libffpy/tests/test_bignum.py:
--------------------------------------------------------------------------------
 1 | from libffpy import LibffPy, BigNum
 2 | 
 3 | import unittest
 4 | 
 5 | MAX = 100
 6 | 
 7 | class BigNumTest(unittest.TestCase):
 8 |     def setUp(self):
 9 |         l = LibffPy(MAX)
10 | 
11 |     def test_get_order(self):
12 |         order = BigNum(num=0)
13 |         self.assertEqual(BigNum.getOrder(), order)
14 | 
15 |     def test_add(self):
16 |         first = 100
17 |         second = 337
18 |         bg1 = BigNum(first)
19 |         bg2 = BigNum(second)
20 | 
21 |         self.assertEqual(bg1 + bg2, BigNum(first + second))
22 | 
23 |     def test_add_int(self):
24 |         first = 100
25 |         second = 337
26 | 
27 |         bg1 = BigNum(first)
28 |         self.assertEqual(bg1 + second, BigNum(first + second))
29 | 
30 |     def test_sub(self):
31 |         first = 100
32 |         second = 337
33 |         bg1 = BigNum(first)
34 |         bg2 = BigNum(second)
35 | 
36 |         self.assertEqual(bg1 - bg2, BigNum(first - second))
37 |         self.assertEqual(bg2 - bg1, BigNum(second - first))
38 | 
39 |     def test_sub_int(self):
40 |         first = 100
41 |         second = 337
42 |         bg1 = BigNum(first)
43 | 
44 |         self.assertEqual(bg1 - second, BigNum(first - second))
45 |         self.assertEqual(second - bg1, BigNum(second - first))
46 | 
47 |     def test_eq(self):
48 |         first = 100
49 |         second = 337
50 |         bg1 = BigNum(first)
51 |         bg2 = BigNum(second)
52 | 
53 |         self.assertEqual(bg1, BigNum(first))
54 |         self.assertNotEqual(bg1, bg2)
55 | 
56 |     def test_pow(self):
57 |         num = 2
58 |         p = 2
59 |         bg = BigNum(num) ** p
60 | 
61 |         self.assertEqual(bg, BigNum(num ** p))
62 | 
63 |     def test_mod_inverse(self):
64 |         bg = BigNum()
65 | 
66 |         self.assertEqual(bg * bg.mod_inverse(), BigNum(1))
67 | 
68 |     def test_mul(self):
69 |         first = 10
70 |         second = 20
71 | 
72 |         bg1 = BigNum(first)
73 |         bg2 = BigNum(second)
74 | 
75 |         self.assertEqual(bg1 * bg2, BigNum(first * second))
76 | 
77 |     def test_mul_int(self):
78 |         first = 10
79 |         second = 20
80 | 
81 |         bg = BigNum(first)
82 | 
83 |         self.assertEqual(bg * second, BigNum(first * second))
84 | 
85 |     def test_neg(self):
86 |         num = 10
87 | 
88 |         bg = BigNum(num)
89 | 
90 |         self.assertEqual(-bg, BigNum(-num))
91 | 
92 | 
93 | if __name__ == '__main__':
94 |     unittest.main()
95 | 


--------------------------------------------------------------------------------
/libffpy/tests/test_g1.py:
--------------------------------------------------------------------------------
 1 | from libffpy import LibffPy, G1Py, BigNum
 2 | 
 3 | import unittest
 4 | 
 5 | MAX = 100
 6 | class G1Test(unittest.TestCase):
 7 |     def setUp(self):
 8 |         LibffPy(MAX)
 9 | 
10 |     def test_inf(self):
11 |         inf = G1Py.inf()
12 |         elem = G1Py()
13 |         elem2 = elem * 10
14 | 
15 |         self.assertEqual(inf + elem, elem)
16 |         self.assertEqual(inf + elem2, elem2)
17 | 
18 |     def mul_test(self, g1):
19 |         # create N - 1 BigNum
20 |         bg = [BigNum() for _ in xrange(MAX - 1)]
21 |         # get the sum of the BigNums
22 |         s = reduce((lambda x, y: x + y), bg)
23 |         # Nth element of bg is order + 1 - s, so sum(bg) = order + 1
24 |         # so g1 * bg[0] + g1 * bg[1] + ... + g1 * bg[N] == g1 * sum(bg) ==
25 |         # == g1 * (order + 1) == g1
26 |         bg.append(bg[0].getOrder() + 1 - s)
27 | 
28 |         res = [g1 * e for e in bg]
29 |         s = reduce((lambda x, y: x + y), res)
30 | 
31 |         self.assertEqual(s, g1)
32 | 
33 |     def test_mul_without_window_table(self):
34 |         # get generator
35 |         g1 = G1Py()
36 | 
37 |         self.mul_test(g1)
38 | 
39 |     def test_mul_with_window_table(self):
40 |         g1 = G1Py()
41 |         g1.initWindowTable(MAX)
42 | 
43 |         self.mul_test(g1)
44 | 
45 |     def test_mul_with_int(self):
46 |         g1 = G1Py()
47 |         g2 = G1Py()
48 | 
49 |         self.assertEqual(g1 * 2, g2 * 2)
50 | 
51 |     def test_addition(self):
52 |         g1 = G1Py()
53 |         g2 = G1Py()
54 | 
55 |         self.assertEqual(g1 + g1, g2 + g2)
56 | 
57 |         self.assertNotEqual(g1, g2 + g2)
58 | 
59 |     def test_sub(self):
60 |         g1 = G1Py()
61 |         g2 = G1Py()
62 |         g3 = g1 * 2 # == g2 * 2
63 | 
64 |         self.assertEqual(g3 - g1, g3 - g2)
65 |         self.assertEqual(g1 - g3, g2 - g3)
66 |         self.assertNotEqual(g3 - g1, g2)
67 | 
68 |     def test_hash(self):
69 |         g1 = G1Py()
70 |         g2 = G1Py()
71 |         g3 = g1 * 2
72 | 
73 |         self.assertEqual(hash(g1), hash(g2))
74 | 
75 |         self.assertNotEqual(hash(g1), hash(g3))
76 | 
77 | 
78 | if __name__ == '__main__':
79 |     unittest.main()
80 | 


--------------------------------------------------------------------------------
/libffpy/tests/test_g2.py:
--------------------------------------------------------------------------------
 1 | from libffpy import LibffPy, G2Py, BigNum
 2 | 
 3 | import unittest
 4 | 
 5 | MAX = 100
 6 | 
 7 | class G1Test(unittest.TestCase):
 8 |     def setUp(self):
 9 |         LibffPy(MAX)
10 | 
11 |     def test_inf(self):
12 |         inf = G2Py.inf()
13 |         elem = G2Py()
14 |         elem2 = elem * 10
15 | 
16 |         self.assertEqual(inf + elem, elem)
17 |         self.assertEqual(inf + elem2, elem2)
18 | 
19 |     def mul_test(self, g1):
20 |         # create N - 1 BigNum
21 |         bg = [BigNum() for _ in xrange(MAX - 1)]
22 |         # get the sum of the BigNums
23 |         s = reduce((lambda x, y: x + y), bg)
24 |         # Nth element of bg is order + 1 - s, so sum(bg) = order + 1
25 |         # so g1 * bg[0] + g1 * bg[1] + ... + g1 * bg[N] == g1 * sum(bg) ==
26 |         # == g1 * (order + 1) == g1
27 |         bg.append(bg[0].getOrder() + 1 - s)
28 | 
29 |         res = [g1 * e for e in bg]
30 |         s = reduce((lambda x, y: x + y), res)
31 | 
32 |         self.assertEqual(s, g1)
33 | 
34 |     def test_mul_without_window_table(self):
35 |         # get generator
36 |         g1 = G2Py()
37 | 
38 |         self.mul_test(g1)
39 | 
40 |     def test_mul_with_window_table(self):
41 |         g1 = G2Py()
42 |         g1.initWindowTable(MAX)
43 | 
44 |         self.mul_test(g1)
45 | 
46 |     def test_mul_with_int(self):
47 |         g1 = G2Py()
48 |         g2 = G2Py()
49 | 
50 |         self.assertEqual(g1 * 2, g2 * 2)
51 | 
52 |         self.assertNotEqual(g1 * 2, g2 * 3)
53 | 
54 |     def test_addition(self):
55 |         g1 = G2Py()
56 |         g2 = G2Py()
57 | 
58 |         self.assertEqual(g1 + g1, g2 + g2)
59 | 
60 |         self.assertNotEqual(g1, g2 + g2)
61 | 
62 |     def test_sub(self):
63 |         g1 = G2Py()
64 |         g2 = G2Py()
65 |         g3 = g1 * 2 # == g2 * 2
66 | 
67 |         self.assertEqual(g3 - g1, g3 - g2)
68 |         self.assertEqual(g1 - g3, g2 - g3)
69 |         self.assertNotEqual(g3 - g1, g2)
70 | 
71 |     def test_hash(self):
72 |         g1 = G2Py()
73 |         g2 = G2Py()
74 |         g3 = g1 * 3
75 | 
76 |         self.assertEqual(hash(g1), hash(g2))
77 | 
78 |         self.assertNotEqual(hash(g1), hash(g3))
79 | 
80 | 
81 | if __name__ == '__main__':
82 |     unittest.main()
83 | 


--------------------------------------------------------------------------------
/libffpy/tests/test_gt.py:
--------------------------------------------------------------------------------
 1 | from libffpy import LibffPy, BigNum, GTPy
 2 | 
 3 | import unittest
 4 | 
 5 | MAX = 100
 6 | 
 7 | class BigNumTest(unittest.TestCase):
 8 |     def setUp(self):
 9 |         self.libff = LibffPy(MAX)
10 |         self.g1 = self.libff.gen1()
11 |         self.g2 = self.libff.gen2()
12 | 
13 |     def test_pair(self):
14 |         gt1 = self.libff.pair(self.g1, self.g2)
15 |         gt2= self.libff.pair(self.g1, self.g2)
16 |         gt3= self.libff.pair(self.g1, self.g2 * 2)
17 | 
18 |         self.assertEqual(gt1, gt2)
19 |         self.assertNotEqual(gt1, gt3)
20 | 
21 |     def test_pow(self):
22 |         gt = self.libff.pair(self.g1, self.g2)
23 |         bg = BigNum(3)
24 | 
25 |         self.assertEqual(gt ** bg, gt * gt * gt)
26 | 
27 | 
28 | if __name__ == '__main__':
29 |     unittest.main()
30 | 


--------------------------------------------------------------------------------
/setup.py:
--------------------------------------------------------------------------------
 1 | import os
 2 | 
 3 | from setuptools import setup, find_packages
 4 | from distutils.extension import Extension
 5 | 
 6 | from subprocess import call
 7 | 
 8 | def get_long_desc():
 9 |     with open("README.md", "r") as readme:
10 |         desc = readme.read()
11 | 
12 |     return desc
13 | 
14 | 
15 | def setup_package():
16 |     setup(
17 |         name='flz16',
18 |         version='0.0.1',
19 |         description='An implementation of a re-encryption mix-net',
20 |         long_description=get_long_desc(),
21 |         url='https://github.com/eellak/gsoc17module-zeus',
22 |         license='AGPL-3.0',
23 |         packages = find_packages(exclude=["*.libffpy", "*.libffpy.*", "libffpy.*", "libffpy"]),
24 |         install_requires=[]
25 |     )
26 | 
27 | if __name__ == '__main__':
28 |     setup_package()
29 | 


--------------------------------------------------------------------------------