
546 lines
18 KiB
Raw Normal View History

2019-06-14 15:14:06 -07:00
Implementation of the ZK Range Proof scheme, based on:
Efficient Protocols for Set Membership and Range Proofs
Jan Camenisch, Rafik Chaabouni, and abhi shelat
Asiacrypt 2008
extern crate pairing;
extern crate rand;
2019-06-16 13:29:48 -07:00
use rand::{thread_rng, Rng};
2019-06-14 15:14:06 -07:00
use super::*;
use cl::{KeyPair, Signature, PublicParams, setup};
2019-06-18 14:49:58 -07:00
use ped92::{CSParams, Commitment};
2019-06-16 09:27:35 -07:00
use pairing::{Engine, CurveProjective};
2019-06-14 15:14:06 -07:00
use ff::PrimeField;
2019-06-16 09:27:35 -07:00
use std::collections::HashMap;
use std::fmt::Display;
2019-06-16 12:38:07 -07:00
use std::mem::transmute;
2019-06-14 15:14:06 -07:00
paramsUL contains elements generated by the verifier, which are necessary for the prover.
This must be computed in a trusted setup.
struct ParamsUL<E: Engine> {
pub mpk: PublicParams<E>,
2019-06-16 09:27:35 -07:00
pub signatures: HashMap<String, Signature<E>>,
2019-06-18 14:49:58 -07:00
pub com: CSParams<E>,
2019-06-14 15:14:06 -07:00
kp: KeyPair<E>,
// u determines the amount of signatures we need in the public params.
// Each signature can be compressed to just 1 field element of 256 bits.
// Then the parameters have minimum size equal to 256*u bits.
u: i64,
// l determines how many pairings we need to compute, then in order to improve
// verifier`s performance we want to minize it.
// Namely, we have 2*l pairings for the prover and 3*l for the verifier.
l: i64,
proofUL contains the necessary elements for the ZK range proof.
struct ProofUL<E: Engine> {
V: Vec<(E::G1, E::G1)>,
D: E::G2,
2019-06-16 09:27:35 -07:00
comm: Commitment<E>,
2019-06-14 15:14:06 -07:00
a: Vec<E::Fqk>,
zx: Vec<E::Fr>,
2019-06-14 15:14:06 -07:00
zsig: Vec<E::Fr>,
zv: Vec<E::Fr>,
ch: E::Fr,
zr: E::Fr,
pub struct RangeProof<E: Engine> {
p1: ProofUL<E>,
p2: ProofUL<E>,
params contains elements generated by the verifier, which are necessary for the prover.
This must be computed in a trusted setup.
pub struct RPPublicParams<E: Engine> {
p: ParamsUL<E>,
a: i64,
b: i64,
2019-06-16 13:29:48 -07:00
impl<E: Engine> ParamsUL<E> {
2019-06-14 15:14:06 -07:00
setup_ul generates the signature for the interval [0,u^l).
The value of u should be roughly b/log(b), but we can choose smaller values in
order to get smaller parameters, at the cost of having worse performance.
pub fn setup_ul<R: Rng>(rng: &mut R, u: i64, l: i64) -> Self {
2019-06-16 13:29:48 -07:00
let mpk = setup(rng);
let kp = KeyPair::<E>::generate(rng, &mpk, 1);
2019-06-14 15:14:06 -07:00
2019-06-16 13:29:48 -07:00
let mut signatures: HashMap<String, Signature<E>> = HashMap::new();
for i in 0..u {
let sig_i = kp.sign(rng, &vec! {E::Fr::from_str(i.to_string().as_str()).unwrap()});
signatures.insert(i.to_string(), sig_i);
2019-06-14 15:14:06 -07:00
2019-06-18 14:49:58 -07:00
let com = CSParams::setup(rng);
2019-06-16 13:29:48 -07:00
return ParamsUL { mpk, signatures, com, kp, u, l };
2019-06-14 15:14:06 -07:00
2019-06-16 13:29:48 -07:00
2019-06-16 09:27:35 -07:00
prove_ul method is used to produce the ZKRP proof that secret x belongs to the interval [0,U^L].
2019-06-16 13:29:48 -07:00
pub fn prove_ul<R: Rng>(&self, rng: &mut R, x: i64, r: E::Fr) -> ProofUL<E> {
//TODO: check if x in range
let decx = decompose(x, self.u, self.l);
2019-06-16 13:29:48 -07:00
let modx = E::Fr::from_str(&(x.to_string())).unwrap();
2019-06-16 09:27:35 -07:00
// Initialize variables
2019-06-16 13:29:48 -07:00
let mut v = Vec::<E::Fr>::with_capacity(self.l as usize);
let mut V = Vec::<(E::G1, E::G1)>::with_capacity(self.l as usize);
2019-06-16 13:29:48 -07:00
let mut a = Vec::<E::Fqk>::with_capacity(self.l as usize);
let mut s = Vec::<E::Fr>::with_capacity(self.l as usize);
let mut t = Vec::<E::Fr>::with_capacity(self.l as usize);
let mut tt = Vec::<E::Fr>::with_capacity(self.l as usize);
let mut zx = Vec::<E::Fr>::with_capacity(self.l as usize);
2019-06-16 13:29:48 -07:00
let mut zsig = Vec::<E::Fr>::with_capacity(self.l as usize);
let mut zv = Vec::<E::Fr>::with_capacity(self.l as usize);
let mut D = E::G2::zero();
let mut m = E::Fr::rand(rng);
2019-06-16 09:27:35 -07:00
// D = H^m
let mut hm =;
2019-06-16 13:29:48 -07:00
for i in 0..self.l as usize {
let r = E::Fr::rand(rng);
let mut A = self.signatures.get(&decx[i].to_string()).unwrap().h;
let mut B = self.signatures.get(&decx[i].to_string()).unwrap().H;
let mut Aprime = A.clone();
V.push((A, B));
2019-06-16 13:29:48 -07:00
let mut gx = E::pairing(V[i].0,;
2019-06-16 13:29:48 -07:00
let mut gy = E::pairing(V[i].0,[0]);
let mut h = E::pairing(V[i].0, self.mpk.g2);
2019-06-16 09:27:35 -07:00
2019-06-16 13:29:48 -07:00
let ui = self.u.pow(i as u32);
let mut muiti = t[i].clone();
let mut aux =;
2019-06-16 13:29:48 -07:00
2019-06-16 13:29:48 -07:00
let C =, modx, Some(r));
// Fiat-Shamir heuristic
2019-06-16 13:29:48 -07:00
let c = Hash::<E>(a.clone(), D.clone());
let mut zr = m.clone();
let mut rc = r.clone();
2019-06-16 13:29:48 -07:00
for i in 0..self.l as usize {
2019-06-16 13:29:48 -07:00
let mut dx = E::Fr::from_str(&decx[i].to_string()).unwrap();
let mut vic = v[i].clone();
return ProofUL { V, D, comm: C, a, zx, zsig, zv, ch: c, zr };
verify_ul is used to validate the ZKRP proof. It returns true iff the proof is valid.
pub fn verify_ul(&self, proof: &ProofUL<E>) -> bool {
// D == C^c.h^ zr.g^zsig ?
let r1 = self.verify_part1(&proof);
let r2 = self.verify_part2(&proof);
return r1 && r2;
fn verify_part2(&self, proof: &ProofUL<E>) -> bool {
let mut r2 = true;
for i in 0..self.l as usize {
let mut g = E::pairing(proof.V[i].1, self.mpk.g2);
g = g.inverse().unwrap();
let mut gx = E::pairing(proof.V[i].0,;
let mut gy = E::pairing(proof.V[i].0,[0]);
let mut h = E::pairing(proof.V[i].0, self.mpk.g2);
print!("{}\n", g);
print!("{}\n", proof.a[i]);
r2 = r2 && g == proof.a[i];
return r2;
fn verify_part1(&self, proof: &ProofUL<E>) -> bool {
let mut D = proof.comm.c.clone();
let mut hzr =;
for i in 0..self.l {
let ui = self.u.pow(i as u32);
let mut muizsigi = proof.zsig[i as usize];
let mut aux =;
2019-06-16 13:29:48 -07:00
return D == proof.D;
2019-06-16 09:27:35 -07:00
fn Hash<E: Engine>(a: Vec<E::Fqk>, D: E::G2) -> E::Fr {
// create a Sha256 object
let mut a_vec: Vec<u8> = Vec::new();
for a_el in a {
a_vec.extend(format!("{}", a_el).bytes());
let mut x_vec: Vec<u8> = Vec::new();
x_vec.extend(format!("{}", D).bytes());
let sha2_digest = sha512::hash(a_vec.as_slice());
let mut hash_buf: [u8; 64] = [0; 64];
2019-06-16 12:38:07 -07:00
let mut hexresult = fmt_bytes_to_int(hash_buf);
let result = E::Fr::from_str(&hexresult);
return result.unwrap();
2019-06-16 09:27:35 -07:00
2019-06-14 15:14:06 -07:00
2019-06-16 13:29:48 -07:00
Decompose receives as input an integer x and outputs an array of integers such that
x = sum(xi.u^i), i.e. it returns the decomposition of x into base u.
fn decompose(x: i64, u: i64, l: i64) -> Vec<i64> {
2019-06-16 13:29:48 -07:00
let mut result = Vec::with_capacity(l as usize);
let mut decomposer = x.clone();
for i in 0..l {
result.push(decomposer % u);
decomposer = decomposer / u;
return result;
2019-06-16 12:38:07 -07:00
fn fmt_bytes_to_int(bytearray: [u8; 64]) -> String {
let mut result: String = "".to_string();
for byte in bytearray.iter() {
// Decide if you want upper- or lowercase results,
// padding the values to two characters, spaces
// between bytes, etc.
result = result + &format!("{}", *byte as u8);
2019-06-14 15:14:06 -07:00
2019-06-16 12:38:07 -07:00
impl<E: Engine> RPPublicParams<E> {
Setup receives integers a and b, and configures the parameters for the rangeproof scheme.
pub fn setup<R: Rng>(rng: &mut R, a: i64, b: i64) -> Self {
2019-06-16 12:38:07 -07:00
// Compute optimal values for u and l
if a > b {
panic!("a must be less than or equal to b");
let p: PublicParams<E>;
let logb = (b as f64).log10();
if logb != 0.0 {
let u = b / logb as i64;
if u != 0 {
let l = (b as f64).log(u as f64).ceil() as i64;
2019-06-16 13:29:48 -07:00
let params_out: ParamsUL<E> = ParamsUL::<E>::setup_ul(rng, u, l);
2019-06-16 12:38:07 -07:00
return RPPublicParams { p: params_out, a, b };
} else {
panic!("u is zero");
2019-06-14 15:14:06 -07:00
} else {
2019-06-16 12:38:07 -07:00
panic!("log(b) is zero");
2019-06-14 15:14:06 -07:00
mod tests {
use super::*;
use pairing::bls12_381::{Bls12, G1, G2, Fq12, Fr};
2019-06-14 15:14:06 -07:00
fn setup_ul_works() {
2019-06-16 13:29:48 -07:00
let rng = &mut rand::thread_rng();
let params = ParamsUL::<Bls12>::setup_ul(rng, 2, 3);
assert_eq!(params.signatures.len(), 2);
2019-06-16 13:29:48 -07:00
for (m, s) in params.signatures {
assert_eq!(, &vec! {Fr::from_str(m.to_string().as_str()).unwrap()}, &s), true);
2019-06-14 15:14:06 -07:00
2019-06-16 13:29:48 -07:00
fn prove_ul_works() {
let rng = &mut rand::thread_rng();
let params = ParamsUL::<Bls12>::setup_ul(rng, 2, 3);
let fr = Fr::rand(rng);
let proof = params.prove_ul(rng, 10, fr);
assert_eq!(proof.a.len(), 3);
assert_eq!(proof.V.len(), 3);
assert_eq!(proof.zsig.len(), 3);
assert_eq!(proof.zv.len(), 3);
fn prove_and_verify_part1_ul_works() {
let rng = &mut rand::thread_rng();
let params = ParamsUL::<Bls12>::setup_ul(rng, 2, 4);
let fr = Fr::rand(rng);
let proof = params.prove_ul(rng, 10, fr);
assert_eq!(params.verify_part1(&proof), true);
fn prove_and_verify_part2_ul_works() {
let rng = &mut rand::thread_rng();
let params = ParamsUL::<Bls12>::setup_ul(rng, 2, 4);
let fr = Fr::rand(rng);
let proof = params.prove_ul(rng, 10, fr);
assert_eq!(params.verify_part2(&proof), true);
2019-06-16 13:29:48 -07:00
fn prove_and_verify_ul_works() {
let rng = &mut rand::thread_rng();
let params = ParamsUL::<Bls12>::setup_ul(rng, 2, 4);
let fr = Fr::rand(rng);
let proof = params.prove_ul(rng, 10, fr);
assert_eq!(params.verify_ul(&proof), true);
2019-06-16 13:29:48 -07:00
2019-06-14 15:14:06 -07:00
fn decompose_works() {
assert_eq!(decompose(25, 3, 3), vec! {1, 2, 2});
assert_eq!(decompose(336, 7, 3), vec! {0, 6, 6});
assert_eq!(decompose(285, 8, 3), vec! {5, 3, 4});
assert_eq!(decompose(125, 13, 2), vec! {8, 9});
assert_eq!(decompose(143225, 6, 7), vec! {5, 2, 0, 3, 2, 0, 3});
fn decompose_recompose_works() {
let vec1 = decompose(25, 3, 5);
let mut result = 0;
for i in 0..5 {
result += vec1[i] * 3i64.pow(i as u32);
assert_eq!(result, 25);
let vec1 = decompose(143225, 6, 7);
let mut result = 0;
for i in 0..7 {
result += vec1[i] * 6i64.pow(i as u32);
assert_eq!(result, 143225);
2019-06-14 15:14:06 -07:00
fn setup_works() {
2019-06-16 13:29:48 -07:00
let rng = &mut rand::thread_rng();
let public_params = RPPublicParams::<Bls12>::setup(rng, 2, 10);
assert_eq!(public_params.a, 2);
assert_eq!(public_params.b, 10);
assert_eq!(public_params.p.signatures.len(), 10);
assert_eq!(public_params.p.u, 10 / ((10 as f64).log10() as i64));
assert_eq!(public_params.p.l, ((10 / (10 / ((10 as f64).log10() as i64))) as f64).ceil() as i64);
2019-06-14 15:14:06 -07:00
for (m, s) in public_params.p.signatures {
assert_eq!(, &vec! {Fr::from_str(m.to_string().as_str()).unwrap()}, &s), true);
2019-06-14 15:14:06 -07:00
#[should_panic(expected = "a must be less than or equal to b")]
fn setup_wrong_a_and_b() {
2019-06-16 13:29:48 -07:00
let rng = &mut rand::thread_rng();
let public_params = RPPublicParams::<Bls12>::setup(rng, 10, 2);
2019-06-14 15:14:06 -07:00
#[should_panic(expected = "u is zero")]
fn setup_wrong_b() {
2019-06-16 13:29:48 -07:00
let rng = &mut rand::thread_rng();
let public_params = RPPublicParams::<Bls12>::setup(rng, -1, 0);
2019-06-14 15:14:06 -07:00
#[should_panic(expected = "log(b) is zero")]
fn setup_wrong_logb() {
2019-06-16 13:29:48 -07:00
let rng = &mut rand::thread_rng();
let public_params = RPPublicParams::<Bls12>::setup(rng, -1, 1);
2019-06-16 12:38:07 -07:00
fn fmt_byte_to_int_works() {
assert_eq!(fmt_bytes_to_int([12, 235, 23, 123, 13, 43, 12, 235, 23, 123, 13, 43, 12, 235, 23, 123, 13, 43, 12, 235, 23, 123, 13, 43, 12, 235, 23, 123, 13, 43, 12, 235, 23, 123, 13, 43, 12, 235, 23, 123, 13, 43, 12, 235, 23, 123, 13, 43, 12, 235, 23, 123, 13, 43, 12, 235, 23, 123, 13, 43, 12, 235, 23, 123]),
2019-06-16 12:38:07 -07:00
fn hash_works() {
2019-06-16 13:29:48 -07:00
let rng = &mut rand::thread_rng();
2019-06-16 12:38:07 -07:00
let D = G2::rand(rng);
let D2 = G2::rand(rng);
let a = vec! {Fq12::rand(rng), Fq12::rand(rng), Fq12::rand(rng)};
let a2 = vec! {Fq12::rand(rng), Fq12::rand(rng), Fq12::rand(rng)};
assert_eq!(Hash::<Bls12>(a.clone(), D.clone()).is_zero(), false);
2019-06-16 12:38:07 -07:00
assert_ne!(Hash::<Bls12>(a2.clone(), D.clone()), Hash::<Bls12>(a.clone(), D.clone()));
assert_ne!(Hash::<Bls12>(a.clone(), D2.clone()), Hash::<Bls12>(a.clone(), D.clone()));
assert_ne!(Hash::<Bls12>(a2.clone(), D2.clone()), Hash::<Bls12>(a.clone(), D.clone()));
2019-06-14 15:14:06 -07:00
fn weird_stuff_happening() {
let rng = &mut rand::thread_rng();
let g1 = G1::rand(rng);
let g2 = G2::rand(rng);
let mut g = Bls12::pairing(g1, g2);
let mut c = Fr::rand(rng);
print!("{}\n", c);
let mut gprime = Bls12::pairing(g1, g2);
// let mut cneg = c.clone();
// cneg.negate();
let mut cneg = Fr::zero();
let mut zero = cneg.clone();
assert_eq!(zero, Fr::zero());
let mut gtest = g.clone();
let ginv = g.inverse().unwrap();
//TODO: this should actually work: assert_eq!(ginv, gprime);
//TODO: instead this works:
assert_eq!(cneg, Fr::zero());
assert_eq!(gprime, g);
fn more_weird_stuff_happening() {
let rng = &mut rand::thread_rng();
let g1 = G1::rand(rng);
let g2 = G2::rand(rng);
// let mut g = Bls12::pairing(g1, g2);
let mut g = Fq12::rand(rng);
let mut c = Fr::rand(rng);
print!("{}\n", c);
let mut gprime = g.clone();
let mut gc = g.clone();
//Todo: should: assert_eq!(gprime, g);
fn test_more_weird_stuff_with_bn() {
use bn::{Fr, G1, G2, Gt, pairing, SerializableGt};
use std::ops::Add;
use std::ops::Mul;
let rng = &mut rand::thread_rng();
let g1 = G1::random(rng);
let g2 = G2::random(rng);
let mut g = pairing(g1, g2);
let mut c = Fr::random(rng);
let mut gprime = g.clone();
let mut gc = g.clone();
gc = gc.pow(c);
g = g.mul(gc);
c = c.add(Fr::one());
gprime = gprime.pow(c);
debug_gt_in_hex("", &gprime);
debug_gt_in_hex("", &g);
assert!(gprime == g);
fn test_weird_stuff_with_bn() {
use bn::{Fr, G1, G2, Gt, pairing, SerializableGt};
use std::ops::Add;
use std::ops::Sub;
use std::ops::Mul;
let rng = &mut rand::thread_rng();
let g1 = G1::random(rng);
let g2 = G2::random(rng);
let mut g = pairing(g1, g2);
let mut c = Fr::random(rng);
let mut gprime = pairing(g1, g2);
// let mut cneg = c.clone();
// cneg.negate();
let mut cneg = Fr::zero();
cneg = cneg.sub(c);
gprime = gprime.pow(cneg);
g = g.pow(c);
let mut gtest = g.clone();
let ginv = g.inverse();
debug_gt_in_hex("", &ginv);
debug_gt_in_hex("", &gprime);
assert!(gprime == ginv);
pub fn debug_gt_in_hex(prefix: &str, g: &Gt) {
let encoded: Vec<u8> = encode(&g, Infinite).unwrap();
print!("{} (hex) = 0x", prefix);
for e in encoded.iter() {
print!("{:x}", e);
2019-06-14 15:14:06 -07:00