nizk: add proof of knowledge of committed values
This commit is contained in:
parent
074d5aa1ae
commit
30f9916a42
48
src/nizk.rs
48
src/nizk.rs
|
@ -15,12 +15,14 @@ struct Proof<E: Engine> {
|
|||
sig: Signature<E>,
|
||||
sigProof: SignatureProof<E>,
|
||||
T: E::G2,
|
||||
D: E::G2,
|
||||
z: Vec<E::Fr>,
|
||||
}
|
||||
|
||||
fn prove<R: Rng, E: Engine>(rng: &mut R, comParams: &CSMultiParams<E>, com1: &Commitment<E>, com2: &Commitment<E>, oldWallet: Vec<E::Fr>, r: E::Fr,
|
||||
newWallet: Vec<E::Fr>, rPrime: E::Fr, paymentToken: &Signature<E>,
|
||||
mpk: &PublicParams<E>, kp: &BlindKeyPair<E>) -> Proof<E> {
|
||||
//Commitment phase
|
||||
let mut T = comParams.pub_bases[2].clone();
|
||||
let t1 = E::Fr::rand(rng);
|
||||
T.mul_assign(t1);
|
||||
|
@ -29,23 +31,48 @@ fn prove<R: Rng, E: Engine>(rng: &mut R, comParams: &CSMultiParams<E>, com1: &Co
|
|||
h.mul_assign(t2);
|
||||
T.add_assign(&h);
|
||||
let proofState = kp.prove_commitment(rng, &mpk, &paymentToken);
|
||||
let challenge = hash::<E>(proofState.a, T);
|
||||
|
||||
let mut D = E::G2::zero();
|
||||
let mut t = Vec::<E::Fr>::with_capacity(comParams.pub_bases.len() - 1);
|
||||
for g in comParams.pub_bases.clone() {
|
||||
let ti = E::Fr::rand(rng);
|
||||
t.push(ti);
|
||||
let mut gt = g.clone();
|
||||
gt.mul_assign(ti.into_repr());
|
||||
D.add_assign(>);
|
||||
}
|
||||
|
||||
//Compute challenge
|
||||
let challenge = hash::<E>(proofState.a, T, D);
|
||||
|
||||
//Response phase
|
||||
let sigProof = kp.prove_response(&proofState, challenge, &mut vec! {hash_g2_to_fr::<E>(&com1.c)});
|
||||
|
||||
let mut z = Vec::<E::Fr>::with_capacity(t.len() + 2);
|
||||
let mut z1 = newWallet[2].clone();
|
||||
z1.negate();
|
||||
z1.mul_assign(&challenge);
|
||||
z1.add_assign(&t1);
|
||||
z.push(z1);
|
||||
let mut z2 = r.clone();
|
||||
z2.sub_assign(&rPrime.clone());
|
||||
z2.mul_assign(&challenge);
|
||||
z2.add_assign(&t2);
|
||||
Proof { sig: proofState.blindSig, sigProof, T, z: vec! {z1, z2} }
|
||||
z.push(z2);
|
||||
|
||||
for i in 0..t.len() {
|
||||
let mut zi = newWallet[i].clone();
|
||||
zi.mul_assign(&challenge);
|
||||
zi.add_assign(&t[i]);
|
||||
z.push(zi);
|
||||
}
|
||||
|
||||
Proof { sig: proofState.blindSig, sigProof, T, D, z }
|
||||
}
|
||||
|
||||
fn verify<E: Engine>(proof: Proof<E>, epsilon: E::Fr, com1: &Commitment<E>, com2: &Commitment<E>,
|
||||
paymentToken: &Signature<E>, wpk: E::Fr, comParams: &CSMultiParams<E>, mpk: &PublicParams<E>, pk: &BlindPublicKey<E>) -> bool {
|
||||
let challenge = hash::<E>(proof.sigProof.a, proof.T);
|
||||
let challenge = hash::<E>(proof.sigProof.a, proof.T, proof.D);
|
||||
|
||||
let mut gWpk = comParams.pub_bases[2].clone();
|
||||
let mut minWpk = wpk.clone();
|
||||
|
@ -75,13 +102,24 @@ fn verify<E: Engine>(proof: Proof<E>, epsilon: E::Fr, com1: &Commitment<E>, com2
|
|||
|
||||
let r = pk.verify_proof(&mpk, proof.sig, proof.sigProof, challenge);
|
||||
|
||||
r && commitment == g2
|
||||
let mut comc = com2.c.clone();
|
||||
comc.mul_assign(challenge.into_repr());
|
||||
comc.add_assign(&proof.D.clone());
|
||||
let mut x = E::G2::zero();
|
||||
for i in 2..proof.z.len() {
|
||||
let mut base = comParams.pub_bases[i - 2].clone();
|
||||
base.mul_assign(proof.z[i].into_repr());
|
||||
x.add_assign(&base);
|
||||
}
|
||||
|
||||
r && commitment == g2 && x == comc
|
||||
}
|
||||
|
||||
fn hash<E: Engine>(a: E::Fqk, T: E::G2) -> E::Fr {
|
||||
fn hash<E: Engine>(a: E::Fqk, T: E::G2, D: E::G2) -> E::Fr {
|
||||
let mut x_vec: Vec<u8> = Vec::new();
|
||||
x_vec.extend(format!("{}", a).bytes());
|
||||
x_vec.extend(format!("{}", T).bytes());
|
||||
x_vec.extend(format!("{}", D).bytes());
|
||||
|
||||
util::hash_to_fr::<E>(x_vec)
|
||||
}
|
||||
|
|
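Review bot: The loop `for i in 2..proof.z.len()` indexes `comParams.pub_bases[i - 2]` with a length taken from the prover-supplied proof, so a proof carrying more than `pub_bases.len() + 2` responses panics the verifier on an out-of-bounds index instead of returning false; `prove` emits exactly one response per base plus `z1` and `z2`, so a guard `if proof.z.len() != comParams.pub_bases.len() + 2 { return false; }` before the challenge is recomputed rejects malformed proofs cleanly. Separately, the Fiat–Shamir challenge `hash::<E>(proof.sigProof.a, proof.T, proof.D)` binds only the prover's first messages and none of the statement (`com1.c`, `com2.c`, `epsilon`, `wpk`, the public bases), which is the weak Fiat–Shamir pattern; extending `hash` to fold the statement into `x_vec` on both the prover and verifier side closes the usual cross-statement malleability. The `hash` body also serialises group elements through `format!("{}", ...)`, which presumably is not a canonical encoding — worth confirming the `Display` output is injective before relying on it for the transcript. `verify` begins before this hunk; `hash` is shown in full.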