authorÖzgür Kesim <oec@codeblau.de>2024-03-29 19:10:49 +0100
committerÖzgür Kesim <oec@codeblau.de>2024-03-29 19:10:49 +0100
commit23e923effba34bf370de84c0a84688a755d3f8b1 (patch)
treed2203d48ccbb32d773c0ea9d3b619a2be89bfdb9
parentb01505ac50c87517f7b184bc166518b3602931a5 (diff)
stage2: proof and verification implemented and tested
-rw-r--r--nizk/nizk.go2
-rw-r--r--nizk/stage2/stage2.go144
-rw-r--r--nizk/stage2/stage2_test.go22
3 files changed, 162 insertions, 6 deletions
diff --git a/nizk/nizk.go b/nizk/nizk.go
index 7ea6d8a..84e7db4 100644
--- a/nizk/nizk.go
+++ b/nizk/nizk.go
@@ -6,7 +6,7 @@ import (
"kesim.org/seal/curve"
)
-// Common functions for the various proof
+// Common functions for the various proofs
type Scalar = curve.Curve25519Scalar
type Point = curve.Curve25519Point
diff --git a/nizk/stage2/stage2.go b/nizk/stage2/stage2.go
index 699e994..42f69e5 100644
--- a/nizk/stage2/stage2.go
+++ b/nizk/stage2/stage2.go
@@ -88,6 +88,7 @@ func commitment(typ Type, a, b, x, y, r, x_, y_, r_ *Scalar) *Commitment {
X: G.Exp(x),
Y: G.Exp(y),
Z: Z,
+ R_: G.Exp(r_),
X_: G.Exp(x_),
Y_: G.Exp(y_),
Z_: Z_,
@@ -110,9 +111,91 @@ func (s *Statement) Proof() *Proof {
e1, e1_ [3]*Point
e2, e2_ [3]*Point
e3, e3_ [2]*Point
+
+ r1, r2 [3]*Scalar
+ r3 [2]*Scalar
+ w [2]*Scalar
)
- // TODO
+ for _, scs := range [][]*Scalar{r1[:], r2[:], r3[:], w[:]} {
+ for i := range scs {
+ scs[i] = Curve.RandomScalar()
+ }
+ }
+
+ switch s.typ {
+ case None:
+ e1[0] = G.Exp(r1[0]).Mul(s.X.Exp(w[0]))
+ e1[1] = G.Exp(r1[1]).Mul(s.X_.Exp(w[0]))
+ e1[2] = G.Exp(r1[2]).Mul(s.A.Exp(w[0]))
+
+ e1_[0] = s.R.Exp(r1[0]).Mul(s.Z.Exp(w[0]))
+ e1_[1] = s.R_.Exp(r1[1]).Mul(s.Z_.Exp(w[0]))
+ e1_[2] = s.B.Exp(r1[2]).Mul(s.C.Div(G).Exp(w[0]))
+
+ e2[0] = G.Exp(r2[0]).Mul(s.X.Exp(w[1]))
+ e2[1] = G.Exp(r2[1]).Mul(s.X_.Exp(w[1]))
+ e2[2] = G.Exp(r2[2]).Mul(s.A.Exp(w[1]))
+
+ e2_[0] = s.Y.Exp(r2[0]).Mul(s.Z.Exp(w[1]))
+ e2_[1] = s.R_.Exp(r2[1]).Mul(s.Z_.Exp(w[1]))
+ e2_[2] = s.B.Exp(r2[2]).Mul(s.C.Exp(w[1]))
+
+ e3[0] = G.Exp(r3[0])
+ e3[1] = G.Exp(r3[1])
+
+ e3_[0] = s.Y.Exp(r3[0])
+ e3_[1] = s.Y_.Exp(r3[1])
+
+ case Unset:
+ e1[0] = G.Exp(r1[0]).Mul(s.X.Exp(w[0]))
+ e1[1] = G.Exp(r1[1]).Mul(s.X_.Exp(w[0]))
+ e1[2] = G.Exp(r1[2]).Mul(s.A.Exp(w[0]))
+
+ e1_[0] = s.R.Exp(r1[0]).Mul(s.Z.Exp(w[0]))
+ e1_[1] = s.R_.Exp(r1[1]).Mul(s.Z_.Exp(w[0]))
+ e1_[2] = s.B.Exp(r1[2]).Mul(s.C.Div(G).Exp(w[0]))
+
+ e2[0] = G.Exp(r2[0])
+ e2[1] = G.Exp(r2[1])
+ e2[2] = G.Exp(r2[2])
+
+ e2_[0] = s.Y.Exp(r2[0])
+ e2_[1] = s.R_.Exp(r2[1])
+ e2_[2] = s.B.Exp(r2[2])
+
+ e3[0] = G.Exp(r3[0]).Mul(s.X.Exp(w[1]))
+ e3[1] = G.Exp(r3[1]).Mul(s.X_.Exp(w[1]))
+
+ e3_[0] = s.Y.Exp(r3[0]).Mul(s.Z.Exp(w[1]))
+ e3_[1] = s.Y_.Exp(r3[1]).Mul(s.Z_.Exp(w[1]))
+
+ case Set:
+ e1[0] = G.Exp(r1[0])
+ e1[1] = G.Exp(r1[1])
+ e1[2] = G.Exp(r1[2])
+
+ e1_[0] = s.R.Exp(r1[0])
+ e1_[1] = s.R_.Exp(r1[1])
+ e1_[2] = s.B.Exp(r1[2])
+
+ e2[0] = G.Exp(r2[0]).Mul(s.X.Exp(w[0]))
+ e2[1] = G.Exp(r2[1]).Mul(s.X_.Exp(w[0]))
+ e2[2] = G.Exp(r2[2]).Mul(s.A.Exp(w[0]))
+
+ e2_[0] = s.Y.Exp(r2[0]).Mul(s.Z.Exp(w[0]))
+ e2_[1] = s.R_.Exp(r2[1]).Mul(s.Z_.Exp(w[0]))
+ e2_[2] = s.B.Exp(r2[2]).Mul(s.C.Exp(w[0]))
+
+ e3[0] = G.Exp(r3[0]).Mul(s.X.Exp(w[1]))
+ e3[1] = G.Exp(r3[1]).Mul(s.X_.Exp(w[1]))
+
+ e3_[0] = s.Y.Exp(r3[0]).Mul(s.Z.Exp(w[1]))
+ e3_[1] = s.Y_.Exp(r3[1]).Mul(s.Z_.Exp(w[1]))
+
+ default:
+ panic("not possible")
+ }
points := []*Point{G, s.A, s.B, s.C, s.R, s.X, s.Y, s.Z, s.R_, s.X_, s.Y_, s.Z_}
points = append(points, e1[:]...)
@@ -122,11 +205,63 @@ func (s *Statement) Proof() *Proof {
points = append(points, e2_[:]...)
points = append(points, e3_[:]...)
- _ = Challenge(points...)
+ ch := Challenge(points...)
+ pr := &Proof{}
+
+ switch s.typ {
+ case None:
+ pr.Ch[0] = w[0]
+ pr.Ch[1] = w[1]
+ pr.Ch[2] = ch.Sub(w[0]).Sub(w[1])
+
+ pr.R1[0] = r1[0]
+ pr.R1[1] = r1[1]
+ pr.R1[2] = r1[2]
+
+ pr.R2[0] = r2[0]
+ pr.R2[1] = r2[1]
+ pr.R2[2] = r2[2]
+
+ pr.R3[0] = r3[0].Sub(s.x.Mul(pr.Ch[2]))
+ pr.R3[1] = r3[1].Sub(s.x_.Mul(pr.Ch[2]))
+
+ case Unset:
+ pr.Ch[0] = w[0]
+ pr.Ch[1] = ch.Sub(w[0]).Sub(w[1])
+ pr.Ch[2] = w[1]
- // TODO
+ pr.R1[0] = r1[0]
+ pr.R1[1] = r1[1]
+ pr.R1[2] = r1[2]
- return nil
+ pr.R2[0] = r2[0].Sub(s.x.Mul(pr.Ch[1]))
+ pr.R2[1] = r2[1].Sub(s.x_.Mul(pr.Ch[1]))
+ pr.R2[2] = r2[2].Sub(s.a.Mul(pr.Ch[1]))
+
+ pr.R3[0] = r3[0]
+ pr.R3[1] = r3[1]
+
+ case Set:
+ pr.Ch[0] = ch.Sub(w[0]).Sub(w[1])
+ pr.Ch[1] = w[0]
+ pr.Ch[2] = w[1]
+
+ pr.R1[0] = r1[0].Sub(s.x.Mul(pr.Ch[0]))
+ pr.R1[1] = r1[1].Sub(s.x_.Mul(pr.Ch[0]))
+ pr.R1[2] = r1[2].Sub(s.a.Mul(pr.Ch[0]))
+
+ pr.R2[0] = r2[0]
+ pr.R2[1] = r2[1]
+ pr.R2[2] = r2[2]
+
+ pr.R3[0] = r3[0]
+ pr.R3[1] = r3[1]
+
+ default:
+ panic("unreachable")
+ }
+
+ return pr
}
func (c *Commitment) Verify(p *Proof) bool {
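Review bot: The second switch on s.typ repeats the first one's shape, and the only per-arm difference is which index of pr.Ch receives the derived challenge and which response array gets the witness subtracted; a single index per type (Set→0, Unset→1, None→2) would let this be written once instead of three times. The `default: panic("unreachable")` can never fire because the earlier switch already panics on an unknown type, so either drop it or give both the same message. The derivation `ch.Sub(w[0]).Sub(w[1])` deserves a why-comment, since Verify's final line checks only that the three challenges sum to the recomputed hash: `// The honest clause gets ch - w[0] - w[1] so that Ch[0]+Ch[1]+Ch[2] == ch, the relation Verify checks.` The e-point recomputation in Verify is outside this diff, so I cannot confirm it re-derives e1..e3_ from p.R and p.Ch rather than trusting anything in p.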
@@ -168,5 +303,4 @@ func (c *Commitment) Verify(p *Proof) bool {
ch := Challenge(points...)
return p.Ch[0].Add(p.Ch[1]).Add(p.Ch[2]).Equal(ch)
-
}
diff --git a/nizk/stage2/stage2_test.go b/nizk/stage2/stage2_test.go
new file mode 100644
index 0000000..e4e6e5c
--- /dev/null
+++ b/nizk/stage2/stage2_test.go
@@ -0,0 +1,22 @@
+package stage2
+
+import (
+ "testing"
+
+ . "kesim.org/seal/nizk"
+)
+
+func TestVerification(t *testing.T) {
+ var s [8]*Scalar
+ for i := range s {
+ s[i] = Curve.RandomScalar()
+ }
+
+ for i, typ := range []Type{None, Unset, Set} {
+ st := NewStatement(typ, s[0], s[1], s[2], s[3], s[4], s[5], s[6], s[7])
+ c, p := st.Commit(), st.Proof()
+ if !c.Verify(p) {
+ t.Fatalf("Couldn't verify proof for %v, case %d\n", typ, i)
+ }
+ }
+} \ No newline at end of file
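Review bot: TestVerification only exercises the accepting path, so a Verify that always returned true would pass it; a negative case is needed to show the proof actually binds to the commitment. Inside the loop, after the accept check, tamper with one response and require rejection: `p.R1[0] = Curve.RandomScalar()` followed by `if c.Verify(p) { t.Fatalf("tampered proof verified for %v, case %d", typ, i) }`. This assumes Verify recomputes the e-points from p.R and p.Ch, which the diff does not show; if it does, the modified response changes the recomputed challenge and the Ch sum check at the end of Verify fails. Also, the file ends without a trailing newline, which gofmt will add.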