# Linked transactions through decryption mixnet

### Message generation

The client generates a linkage param $l2 = Enc_{pk_{reg}}(l1)$.

In [1]:
from elgamal import ElGamal, ElGamalHashed
from point import Point
from Crypto.Cipher import AES
from Crypto.Random import get_random_bytes
from sage.all_cmdline import *
from hybrid import Hybrid
import secrets
from binascii import hexlify
import utils
from secret_sharing import SecretSharing

[1775524039981011121495462682941865724623036169135601256440520905908882632749, 33608594915289454623283872481390628515059737529704737859716988752784396505849, 7681735830421877674634795165573785109936726005552580758703968436089064298067, 10762168147482095265489545761490920162048005927697042119888083433626942738833, 8864636379641307987985582655993892125665954886639156314962949313547533029400547411406265429646812064672002946472067268869633225969806321590557478802774207323884570485379928282206644760402266682209472353879853329746198198569849041406744710452509092720132913649736125756874630207470]
25


In [2]:
q = Integer(8864636379641307987985582655993892125665954886639156314962949313547533029400547411406265429646812064672002946472067268869633225969806321590557478802774207323884570485379928282206644760402266682209472353933681352679372637254752717498141909964176598352222875644485687285283916382943)
Fq = GF(q)

### Generate Regulator's ElGamal keys

In [3]:
regHenc = ElGamalHashed()
regPK = regHenc.getPublicKey()
print('Regulator public key: {}'.format(regPK))

Regulator public key: (19819832094496099866928375340255747902151251946611037565488298661426499872897:11933007389734686118209142080198374538789847479047464803660873982737628468054)


### Generate Alice's parameters

Alice computes $l1$ and sends $Tx_1(l1)$ to the mixer.

In [4]:
address = secrets.randbits(160).to_bytes(20, 'little')
l1 = secrets.randbits(256)

Compute $l2 = Enc_{regPK}(l1)$

In [5]:
aliceHenc = ElGamalHashed(regPK)
l2_C1p, l2_c2 = aliceHenc.encrypt(l1)

Format data as $m = (addr || l2_{C1}.x || l2_{C1}.y || l2_{c2})$.
Note that $l2_{C1}$ is a point in the curve. The message $m$ will be sent (encrypted) to the mixnet, and the mixer will send $Tx_2(addr, l2)$.

In [6]:
l2_C1p_x = int(l2_C1p.x).to_bytes(32, 'little')
l2_C1p_y = int(l2_C1p.y).to_bytes(32, 'little')
    
m = address + l2_C1p_x + l2_C1p_y + l2_c2
print(len(address))
print(len(l2_C1p_x))
print(len(l2_C1p_y))
print(len(l2_c2))
print(len(m))

20
32
32
32
116


In [7]:
print('--address: \n   {}'.format(hexlify(address)))
print('--l1: \n   {}'.format(hexlify(l1.to_bytes(32, 'little'))))
print('--l2_C1p: \n   {}'.format(l2_C1p))
print('--l2_c2: \n   {}'.format(hexlify(l2_c2)))
print('--m: \n   {}'.format(hexlify(m)))

--address: 
   b'9241f88242c5a108d4c185a1e09ee2860cefe55d'
--l1: 
   b'e0bb778a79d6f7411cc22565039ef77006ae30fd1e061de37233e0785825e5af'
--l2_C1p: 
   (15468368586536123710241135122682120371962103144701054432153941122156310330803:5861468849881430319581420247830155066358613738265151679594953630018747310484)
--l2_c2: 
   b'd82220dcf5311d91693ec9e966a6b0b3c278d8d97ed81c1ddc4f71f19ff8081c'
--m: 
   b'9241f88242c5a108d4c185a1e09ee2860cefe55db37de45f3504cd56d06055da67a58aab74b9996f3fee33542b25d6054fc932229421fd91f3d21ba168f7db1263ddf6f8a466c953a02faeb694bbb5194b79f50cd82220dcf5311d91693ec9e966a6b0b3c278d8d97ed81c1ddc4f71f19ff8081c'


### Compute the MAC for verification

$MAC = m \cdot k$

In [13]:
k = secrets.randbits(256)
m_int = int.from_bytes(m, 'little')
print(m_int)
print(len(m))
mac = Fq(m_int)*Fq(k)
print("MAC:\n {}".format(mac))

248483324236906315691874659933815625105823077552441985305614174132724800629146737909991381904409606511385444424482850347653549614529710157333242255274882963354211765462306906079675006970829223536769659152855933940465534218880955125377947135121990891316508263250225999971037495698
116
MAC:
 6391737893821567098698775451419632036989970354851313254585358849958701397819785556819053194586725572099816852101282002546275203184038370342884055981995748943766724252933083797537886901643028304494106818095004955996960923103272711116137969131633771885456151537728535359443149800226


### Secret share m

In [16]:
ss_m = SecretSharing(Fq(m_int), 5)
ss_k = SecretSharing(Fq(k), 5)
m_shared = ss_m.share()
k_shared = ss_k.share()
print("Shares of m:\n")
for i in range(0, len(m_shared)): print("   m({}) {}".format(i, m_shared[i]))
print("Shares of k:\n")
for i in range(0, len(k_shared)): print("   k({}) {}".format(i, k_shared[i]))

Shares of m:

   1123657260650773913692831718406488539412802127088136985210309071092249811333
   56539447573140586917012779578989424664345979958640866259734755157582080626120
   11091273845204910005822397293229381557648728745471763888393542788641133869630
   23985705365204750736538044171482744249093333691309431663291352473300323552213
   248483324236906315691874659933815625105823077552441985305614174132724800629146737909991381904409606511385444424482850347653549614529710157333242255274882963354211765462306906079675006970829223536769659060115849896264512645814902363269908124621146368806309466620266509355249636402
Shares of k:

   41788539494004787008418772900580471569963767180811603599294435007971754629450
   25292545357664235587899041815746616931895640068286800088968514897516106876442
   36864151019490659110690970948237743876751821804914137835457112592525092264731
   40474416069148220741778783933067662551690349396006975131829829910521524795509
   886463637964130798798558265599389212566