authorÖzgür Kesim <oec@codeblau.de>2024-11-12 13:24:51 +0100
committerÖzgür Kesim <oec@codeblau.de>2024-11-12 13:24:51 +0100
commite71b7a107b5441e7fa05366bf866cf223c649e7a (patch)
treea85301a4f22c8834e8d7892c92b0603565df840b /nizk/commit.go
parent023e460a8729e28bb398948f3279c58e38712cb8 (diff)
refactor: make Bit and Stage1 more composable
Diffstat (limited to 'nizk/commit.go')
-rw-r--r--nizk/commit.go108
1 files changed, 67 insertions, 41 deletions
diff --git a/nizk/commit.go b/nizk/commit.go
index 5b703d9..957e4a9 100644
--- a/nizk/commit.go
+++ b/nizk/commit.go
@@ -5,71 +5,97 @@ import (
"kesim.org/seal/nizk/schnorr"
)
-// This is a construction of a proof of a statement of the form
-// [(C = g^(αβ)) && (A = g^α) && (Β = g^β)]
-// || [(C = g^(αβ+1)) && (A = g^α) && (Β = g^β)]
-//
-// for given C, A and B
-
type Bit struct {
- bitSet bool
- α *Scalar
- β *Scalar
+ id Bytes
+ bit bool
+ α *Scalar
+ β *Scalar
+
+ com *Commitment
+ prf *Proof
}
type Commitment struct {
A *Point // g^α
B *Point // g^β
- C *Point // g^(ab)g^(bitSet)
+ C *Point // g^(ab)g^(bit)
+}
+
+// This is a construction of a proof of a statement of the form
+//
+// [(C = g^(αβ)) && (A = g^α) && (Β = g^β)]
+// || [(C = g^(αβ+1)) && (A = g^α) && (Β = g^β)]
+//
+// for given C, A and B
+type Proof struct {
+ A *schnorr.Proof // Proof for knowledge of α in A = G^α
+ B *schnorr.Proof // Proof for knowledge of β in B = G^β
+ C struct { // Proof for knowledge of statement above
+ Ch [2]*Scalar
+ R [2]*Scalar
+ }
}
-func NewBit(bitSet bool) *Bit {
+func NewBit(id Bytes, bit bool) *Bit {
α, β := Curve.RandomScalar(), Curve.RandomScalar()
- return NewBitFromScalars(bitSet, α, β)
+ return NewBitFromScalars(id, bit, α, β)
}
-func NewBitFromScalars(bitSet bool, α, β *Scalar) *Bit {
+func NewBitFromScalars(id Bytes, bit bool, α, β *Scalar) *Bit {
return &Bit{
- α: α,
- β: β,
- bitSet: bitSet,
+ id: id,
+ bit: bit,
+ α: α,
+ β: β,
}
}
-func (b *Bit) commitment() *Commitment {
+func (b *Bit) IsSet() bool {
+ return b.bit
+}
+
+func (b *Bit) Id() Bytes {
+ return b.id
+}
+
+func (b *Bit) Scalars() (α *Scalar, β *Scalar) {
+ return b.α, b.β
+}
+
+func (b *Bit) commit() *Commitment {
+ if b.com != nil {
+ return b.com
+ }
+
var C *Point
c := b.α.Mul(b.β)
- if b.bitSet {
+ if b.bit {
C = G.Exp(c.Add(One))
} else {
C = G.Exp(c)
}
- return &Commitment{
+ b.com = &Commitment{
C: C,
A: G.Exp(b.α),
B: G.Exp(b.β),
}
+ return b.com
}
-type Proof struct {
- Id Bytes
- A *schnorr.Proof // Proof for knowledge of α in A = G^α
- B *schnorr.Proof // Proof for knowledge of β in B = G^β
- C struct { // Proof for knowledge of statement above
- Ch [2]*Scalar
- R [2]*Scalar
+func (s *Bit) proof() *Proof {
+ if s.prf != nil {
+ return s.prf
}
-}
-func (s *Bit) proof(id Bytes, c *Commitment) *Proof {
var e [2][2]*Point
var r1, r2, w *Scalar
r1 = Curve.RandomScalar()
r2 = Curve.RandomScalar()
w = Curve.RandomScalar()
+ c := s.commit()
- if s.bitSet {
+ if s.bit {
e[0][0] = G.Exp(r1)
e[0][1] = c.B.Exp(r1).Mul(G.Exp(w))
e[1][0] = G.Exp(r2)
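Review bot: The new exported accessor `Scalars()` hands out α and β, which are the secret opening of the commitment and the witness for the proof, yet none of the newly exported methods (`NewBit`, `NewBitFromScalars`, `IsSet`, `Id`, `Scalars`) carry a doc comment saying what they expose; a caller composing Bits could easily serialize or log the opening. I would add Go-style doc comments, e.g. `// Scalars returns the secret opening (α, β) of this bit's commitment; they must never leave the prover.`. Separately, `commit()` and `proof()` now memoize into the struct and hand back the cached pointers, so a caller that mutates the returned `*Commitment` or `*Proof` corrupts every later call, and the lazy fill is not goroutine-safe; a one-line note on `Commit` that the returned values are shared and read-only would make that explicit. `proof()` begins in this hunk but its body continues past the hunk boundary.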
@@ -81,10 +107,10 @@ func (s *Bit) proof(id Bytes, c *Commitment) *Proof {
e[1][1] = c.B.Exp(r2).Mul(c.C.Div(G).Exp(w))
}
- ch := Challenge(G, c.C, c.A, c.B, e[0][0], e[0][1], e[1][0], e[1][1], id)
- pr := &Proof{Id: id}
+ ch := Challenge(G, c.C, c.A, c.B, e[0][0], e[0][1], e[1][0], e[1][1], s.id)
+ pr := &Proof{}
- if s.bitSet {
+ if s.bit {
pr.C.Ch[0] = w
pr.C.Ch[1] = ch.Sub(w)
pr.C.R[0] = r1.Sub(s.α.Mul(pr.C.Ch[0]))
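Review bot: The prover branches on the secret bit (`if s.bit {`) to decide which side of the OR-proof is simulated, and the two arms perform different group-operation sequences (compare `c.B.Exp(r1).Mul(G.Exp(w))` in the set arm with `c.B.Exp(r2).Mul(c.C.Div(G).Exp(w))` in the other), so whether the bit is observable through timing depends on the `Point`/`Scalar` implementation, which is not visible in this file. If the bit must stay hidden from a co-located observer, both arms should do identical work (compute the real and simulated pairs unconditionally and select with a constant-time swap); otherwise document the limitation with `// NOTE: control flow depends on the secret bit; not constant-time.` The enclosing `proof()` starts before this hunk and its else-branch ends after it.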
@@ -95,26 +121,26 @@ func (s *Bit) proof(id Bytes, c *Commitment) *Proof {
pr.C.R[0] = r1.Sub(s.α.Mul(pr.C.Ch[0]))
pr.C.R[1] = r2
}
- pr.A = (*schnorr.Statement)(s.α).Proof(id)
- pr.B = (*schnorr.Statement)(s.β).Proof(id)
+ pr.A = (*schnorr.Statement)(s.α).Proof(s.id)
+ pr.B = (*schnorr.Statement)(s.β).Proof(s.id)
+ s.prf = pr
return pr
}
-func (s *Bit) Commit(id Bytes) (*Commitment, *Proof) {
- c := s.commitment()
- return c, s.proof(id, c)
+func (s *Bit) Commit() (*Commitment, *Proof) {
+ return s.commit(), s.proof()
}
-func (c *Commitment) Verify(p *Proof) bool {
+func (c *Commitment) Verify(id Bytes, p *Proof) bool {
var e [2][2]*Point
e[0][0] = G.Exp(p.C.R[0]).Mul(c.A.Exp(p.C.Ch[0]))
e[0][1] = c.B.Exp(p.C.R[0]).Mul(c.C.Exp(p.C.Ch[0]))
e[1][0] = G.Exp(p.C.R[1]).Mul(c.A.Exp(p.C.Ch[1]))
e[1][1] = c.B.Exp(p.C.R[1]).Mul(c.C.Div(G).Exp(p.C.Ch[1]))
- ch := Challenge(G, c.C, c.A, c.B, e[0][0], e[0][1], e[1][0], e[1][1], p.Id)
+ ch := Challenge(G, c.C, c.A, c.B, e[0][0], e[0][1], e[1][0], e[1][1], id)
return p.C.Ch[0].Add(p.C.Ch[1]).Equal(ch) &&
- (*schnorr.Commitment)(c.A).Verify(p.A, p.Id) &&
- (*schnorr.Commitment)(c.B).Verify(p.B, p.Id)
+ (*schnorr.Commitment)(c.A).Verify(p.A, id) &&
+ (*schnorr.Commitment)(c.B).Verify(p.B, id)
}
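Review bot: `Verify` dereferences `p`, `p.A`, `p.B` and the four scalars in `p.C` without any nil check, so a `Proof` decoded from an untrusted peer with a missing field panics the verifier instead of returning false; guard at the top with `if p == nil || p.A == nil || p.B == nil || p.C.Ch[0] == nil || p.C.Ch[1] == nil || p.C.R[0] == nil || p.C.R[1] == nil { return false }`. Now that `Proof` no longer carries an `Id`, the `id` argument has to come from the verifier's own context (the value it expects for this commitment), never from data supplied alongside the proof — worth stating in a doc comment on `Verify` so callers do not reintroduce the prover-chosen id. Whether the challenge scalars are checked to be canonical (reduced mod the group order) and the commitment points to be valid curve points depends on how `Scalar` and `Point` are decoded, which this file does not show.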