From fa69707614ecc7924ad9405fb977454271061419 Mon Sep 17 00:00:00 2001 From: Gijs Van Laer Date: Fri, 12 Jul 2019 10:46:25 -0400 Subject: [PATCH] nizk: flip commitment to group 1 --- src/ccs08.rs | 26 +++++++------- src/cl.rs | 11 +++--- src/nizk.rs | 36 +++++++++---------- src/ped92.rs | 100 ++++++++++++++++++--------------------------------- 4 files changed, 69 insertions(+), 104 deletions(-) diff --git a/src/ccs08.rs b/src/ccs08.rs index 201fb74..d68e90a 100644 --- a/src/ccs08.rs +++ b/src/ccs08.rs @@ -44,7 +44,7 @@ proofUL contains the necessary elements for the ZK range proof with range [0,u^l #[derive(Clone)] struct ProofUL { V: Vec>, - D: E::G2, + D: E::G1, comm: Commitment, sigProofs: Vec>, ch: E::Fr, @@ -105,11 +105,11 @@ impl ParamsUL { let mut proofStates = Vec::>::with_capacity(self.l as usize); let mut sigProofs = Vec::>::with_capacity(self.l as usize); let mut V = Vec::>::with_capacity(self.l as usize); - let mut D = E::G2::zero(); + let mut D = E::G1::zero(); let m = E::Fr::rand(rng); // D = H^m - let mut hm = self.com.h2.clone(); + let mut hm = self.com.h.clone(); hm.mul_assign(m); for i in 0..self.l as usize { let signature = self.signatures.get(&decx[i].to_string()).unwrap(); @@ -119,8 +119,8 @@ impl ParamsUL { proofStates.push(proofState); let ui = self.u.pow(i as u32); - let mut aux = self.com.g2.clone(); - for j in 0..self.kp.public.Y2.len() { + let mut aux = self.com.g.clone(); + for j in 0..self.kp.public.Y1.len() { let mut muiti = proofStates[i].t[j].clone(); muiti.mul_assign(&E::Fr::from_str(&ui.to_string()).unwrap()); aux.mul_assign(muiti); @@ -183,16 +183,16 @@ impl ParamsUL { } fn verify_part1(&self, proof: &ProofUL) -> bool { - let mut D = proof.comm.c2.clone(); + let mut D = proof.comm.c.clone(); D.mul_assign(proof.ch); D.negate(); - let mut hzr = self.com.h2.clone(); + let mut hzr = self.com.h.clone(); hzr.mul_assign(proof.zr); D.add_assign(&hzr); for i in 0..self.l as usize { let ui = self.u.pow(i as u32); - let mut aux = self.com.g2.clone(); - for j in 0..self.kp.public.Y2.len() { + let mut aux = self.com.g.clone(); + for j in 0..self.kp.public.Y1.len() { let mut muizsigi = proof.sigProofs[i].zsig[j]; muizsigi.mul_assign(&E::Fr::from_str(&ui.to_string()).unwrap()); aux.mul_assign(muizsigi); @@ -203,7 +203,7 @@ impl ParamsUL { } } -fn hash(a: Vec, D: E::G2) -> E::Fr { +fn hash(a: Vec, D: E::G1) -> E::Fr { // create a Sha256 object let mut a_vec: Vec = Vec::new(); for a_el in a { @@ -291,7 +291,7 @@ impl RPPublicParams { #[cfg(test)] mod tests { use super::*; - use pairing::bls12_381::{Bls12, G1, G2, Fq12, Fr}; + use pairing::bls12_381::{Bls12, G1, Fq12, Fr}; use time::PreciseTime; use std::ops::Add; use core::mem; @@ -462,8 +462,8 @@ mod tests { #[test] fn hash_works() { let rng = &mut rand::thread_rng(); - let D = G2::rand(rng); - let D2 = G2::rand(rng); + let D = G1::rand(rng); + let D2 = G1::rand(rng); let params = setup::(rng); let kp = BlindKeyPair::generate(rng, ¶ms, 2); let m1 = Fr::rand(rng); diff --git a/src/cl.rs b/src/cl.rs index c3c8983..117b43e 100644 --- a/src/cl.rs +++ b/src/cl.rs @@ -311,13 +311,10 @@ impl BlindKeyPair { } pub fn generate_cs_multi_params(&self, mpk: &PublicParams) -> CSMultiParams { - let mut com_bases1 = vec! {mpk.g1}; - com_bases1.append(&mut self.public.Y1.clone()); + let mut com_bases = vec! {mpk.g1}; + com_bases.append(&mut self.public.Y1.clone()); - let mut com_bases2 = vec! {mpk.g2}; - com_bases2.append(&mut self.public.Y2.clone()); - - CSMultiParams { pub_bases1: com_bases1, pub_bases2: com_bases2} + CSMultiParams { pub_bases: com_bases} } /// extract unblinded public key @@ -336,7 +333,7 @@ impl BlindKeyPair { let mut h1 = mpk.g1; h1.mul_assign(u); // g1 ^ u - let mut com1 = com.c1.clone(); + let mut com1 = com.c.clone(); let mut H1 = self.public.X1.clone(); H1.add_assign(&com1); // (X * com) H1.mul_assign(u); // (X * com) ^ u (blinding factor) diff --git a/src/nizk.rs b/src/nizk.rs index a483079..8e793f6 100644 --- a/src/nizk.rs +++ b/src/nizk.rs @@ -14,8 +14,8 @@ use commit_scheme::commit; struct Proof { sig: Signature, sigProof: SignatureProof, - T: E::G2, - D: E::G2, + T: E::G1, + D: E::G1, z: Vec, } @@ -24,10 +24,10 @@ fn prove(rng: &mut R, comParams: &CSMultiParams, com1: &Co mpk: &PublicParams, kp: &BlindKeyPair) -> Proof { //Commitment phase //Commit linear relationship - let mut T = comParams.pub_bases2[2].clone(); + let mut T = comParams.pub_bases[2].clone(); let t1 = E::Fr::rand(rng); T.mul_assign(t1); - let mut h = comParams.pub_bases2[0].clone(); + let mut h = comParams.pub_bases[0].clone(); let t2 = E::Fr::rand(rng); h.mul_assign(t2); T.add_assign(&h); @@ -36,9 +36,9 @@ fn prove(rng: &mut R, comParams: &CSMultiParams, com1: &Co let proofState = kp.prove_commitment(rng, &mpk, &paymentToken); //commit commitment - let mut D = E::G2::zero(); - let mut t = Vec::::with_capacity(comParams.pub_bases2.len() - 1); - for g in comParams.pub_bases2.clone() { + let mut D = E::G1::zero(); + let mut t = Vec::::with_capacity(comParams.pub_bases.len() - 1); + for g in comParams.pub_bases.clone() { let ti = E::Fr::rand(rng); t.push(ti); let mut gt = g.clone(); @@ -87,28 +87,28 @@ fn verify(proof: Proof, epsilon: E::Fr, com1: &Commitment, com2 let challenge = hash::(proof.sigProof.a, proof.T, proof.D); //verify linear relationship - let mut gWpk = comParams.pub_bases2[2].clone(); + let mut gWpk = comParams.pub_bases[2].clone(); let mut minWpk = wpk.clone(); minWpk.negate(); gWpk.mul_assign(minWpk.into_repr()); - let mut gEps = comParams.pub_bases2[4].clone(); + let mut gEps = comParams.pub_bases[4].clone(); gEps.mul_assign(epsilon.into_repr()); - let mut gMinEps = comParams.pub_bases2[3].clone(); + let mut gMinEps = comParams.pub_bases[3].clone(); let mut mineps = epsilon.clone(); mineps.negate(); gMinEps.mul_assign(mineps.into_repr()); - let mut commitment = com1.c2.clone(); - commitment.sub_assign(&com2.c2.clone()); + let mut commitment = com1.c.clone(); + commitment.sub_assign(&com2.c.clone()); commitment.add_assign(&gWpk); commitment.add_assign(&gEps); commitment.add_assign(&gMinEps); commitment.mul_assign(challenge.into_repr()); commitment.add_assign(&proof.T); - let mut g2 = comParams.pub_bases2[2].clone(); + let mut g2 = comParams.pub_bases[2].clone(); g2.mul_assign(proof.z[0].into_repr()); - let mut h = comParams.pub_bases2[0].clone(); + let mut h = comParams.pub_bases[0].clone(); h.mul_assign(proof.z[1].into_repr()); g2.add_assign(&h); let r = commitment == g2; @@ -117,12 +117,12 @@ fn verify(proof: Proof, epsilon: E::Fr, com1: &Commitment, com2 let r1 = pk.verify_proof(&mpk, proof.sig, proof.sigProof, challenge); //verify knowledge of commitment - let mut comc = com2.c2.clone(); + let mut comc = com2.c.clone(); comc.mul_assign(challenge.into_repr()); comc.add_assign(&proof.D.clone()); - let mut x = E::G2::zero(); + let mut x = E::G1::zero(); for i in 2..proof.z.len() { - let mut base = comParams.pub_bases2[i - 2].clone(); + let mut base = comParams.pub_bases[i - 2].clone(); base.mul_assign(proof.z[i].into_repr()); x.add_assign(&base); } @@ -131,7 +131,7 @@ fn verify(proof: Proof, epsilon: E::Fr, com1: &Commitment, com2 r && r1 && r3 } -fn hash(a: E::Fqk, T: E::G2, D: E::G2) -> E::Fr { +fn hash(a: E::Fqk, T: E::G1, D: E::G1) -> E::Fr { let mut x_vec: Vec = Vec::new(); x_vec.extend(format!("{}", a).bytes()); x_vec.extend(format!("{}", T).bytes()); diff --git a/src/ped92.rs b/src/ped92.rs index 46c6918..9ef90bd 100644 --- a/src/ped92.rs +++ b/src/ped92.rs @@ -5,22 +5,18 @@ use ff::Rand; #[derive(Clone)] pub struct CSParams { - pub g1: E::G1, - pub g2: E::G2, - pub h1: E::G1, - pub h2: E::G2, + pub g: E::G1, + pub h: E::G1, } #[derive(Clone)] pub struct Commitment { - pub c1: E::G1, - pub c2: E::G2 + pub c: E::G1, } #[derive(Clone)] pub struct CSMultiParams { - pub pub_bases1: Vec, - pub pub_bases2: Vec + pub pub_bases: Vec, } //impl fmt::Display for CSParams { @@ -63,12 +59,9 @@ impl CSParams { Implements the setup algorithm for the Pedersen92 commitment scheme */ pub fn setup(rng: &mut R) -> Self { - let g1 = E::G1::rand(rng); - let g2 = E::G2::rand(rng); - let h1 = E::G1::rand(rng); - let h2 = E::G2::rand(rng); - let csp = CSParams { g1, g2, h1, h2 }; - return csp; + let g = E::G1::rand(rng); + let h = E::G1::rand(rng); + CSParams { g, h } } /* @@ -81,20 +74,13 @@ commit(pk, msg) -> cm where let r = R.unwrap_or(E::Fr::rand(rng)); // c = g^m * h^r - let mut c1 = self.g1.clone(); - c1.mul_assign(m.clone()); - let mut h1 = self.h1.clone(); - h1.mul_assign(r.clone()); - c1.add_assign(&h1); + let mut c = self.g.clone(); + c.mul_assign(m.clone()); + let mut h = self.h.clone(); + h.mul_assign(r.clone()); + c.add_assign(&h); - // c = g^m * h^r - let mut c2 = self.g2.clone(); - c2.mul_assign(m); - let mut h2 = self.h2.clone(); - h2.mul_assign(r); - c2.add_assign(&h2); - - Commitment { c1, c2 } + Commitment { c } } /* @@ -104,18 +90,12 @@ decommit(csp, cm, msg) -> bool where - outputs T/F for whether the cm is a valid commitment to the msg */ pub fn decommit(&self, cm: &Commitment, m: &E::Fr, r: &E::Fr) -> bool { - let mut dm1 = self.g1.clone(); - dm1.mul_assign(m.clone()); - let mut h1 = self.h1.clone(); - h1.mul_assign(r.clone()); - dm1.add_assign(&h1); - - let mut dm2 = self.g2.clone(); - dm2.mul_assign(m.clone()); - let mut h2 = self.h2.clone(); - h2.mul_assign(r.clone()); - dm2.add_assign(&h2); - return dm2 == cm.c2 && dm1 == cm.c1; + let mut dm = self.g.clone(); + dm.mul_assign(m.clone()); + let mut h = self.h.clone(); + h.mul_assign(r.clone()); + dm.add_assign(&h); + dm == cm.c } } @@ -126,49 +106,37 @@ impl CSMultiParams { a vector of messages of length len. */ pub fn setup_gen_params(rng: &mut R, len: usize) -> Self { - let mut p1: Vec = Vec::new(); - let mut p2: Vec = Vec::new(); + let mut p: Vec = Vec::new(); // 1 extra base element for the random parameter for i in 0..len + 1 { - p1.push(E::G1::rand(rng)); - p2.push(E::G2::rand(rng)); + p.push(E::G1::rand(rng)); } - return CSMultiParams { pub_bases1: p1, pub_bases2: p2 }; + CSMultiParams { pub_bases: p } } pub fn commit(&self, x: &Vec, r: &E::Fr) -> Commitment { // c = g1^m1 * ... * gn^mn * h^r - let mut c1 = self.pub_bases1[0].clone(); - let mut c2 = self.pub_bases2[0].clone(); - c1.mul_assign(r.clone()); - c2.mul_assign(r.clone()); + let mut c = self.pub_bases[0].clone(); + c.mul_assign(r.clone()); for i in 0..x.len() { - let mut basis1 = self.pub_bases1[i+1]; - basis1.mul_assign(x[i]); - c1.add_assign(&basis1); - let mut basis2 = self.pub_bases2[i+1]; - basis2.mul_assign(x[i]); - c2.add_assign(&basis2); + let mut basis = self.pub_bases[i+1]; + basis.mul_assign(x[i]); + c.add_assign(&basis); } - Commitment { c1, c2 } + Commitment { c } } pub fn decommit(&self, cm: &Commitment, x: &Vec, r: &E::Fr) -> bool { let l = x.len(); // pub_base[0] => h, x[0] => r - let mut dc1 = self.pub_bases1[0].clone(); - let mut dc2 = self.pub_bases2[0].clone(); - dc1.mul_assign(r.clone()); - dc2.mul_assign(r.clone()); + let mut dc = self.pub_bases[0].clone(); + dc.mul_assign(r.clone()); for i in 0..l { - let mut basis1 = self.pub_bases1[i+1]; - basis1.mul_assign(x[i]); - dc1.add_assign(&basis1); - let mut basis2 = self.pub_bases2[i+1]; - basis2.mul_assign(x[i]); - dc2.add_assign(&basis2); + let mut basis = self.pub_bases[i+1]; + basis.mul_assign(x[i]); + dc.add_assign(&basis); } - return dc2 == cm.c2 && dc1 == cm.c1; + return dc == cm.c; } }