author | Özgür Kesim <oec@codeblau.de> | 2024-11-13 09:17:41 +0100 |
---|---|---|
committer | Özgür Kesim <oec@codeblau.de> | 2024-11-13 09:17:41 +0100 |
commit | 024098d17146547356173b2dfa739ccc1cb2e996 (patch) | |
tree | 4f5d7f4b5aceeaee84902bcb80bf30c7d12546c8 /nizk/stage2.go | |
parent | f5516b13fa50db2fc510584337d0641af8d21b23 (diff) |
introduced step reveal for stage1, taking parameter for other bidders; simple tests pass
Diffstat (limited to 'nizk/stage2.go')
-rw-r--r-- | nizk/stage2.go | 68 |
1 files changed, 39 insertions, 29 deletions
diff --git a/nizk/stage2.go b/nizk/stage2.go
index 8bf94dd..efdda9c 100644
--- a/nizk/stage2.go
+++ b/nizk/stage2.go
@@ -52,29 +52,38 @@ func (s *Stage) proof2(lost bool, prev *Stage) *Stage2Proof { c := s.commit(lost) bc := prev.bit.com pc := prev.com + rvp := prev.rev + rev := &StageReveal{ + Y: G.Exp(Curve.RandomScalar()), // TODO! BUG! THIS HAS TO BE Pj<i(X_j)/Pj>i(X_j) + } + if s.bit.IsSet() { + rev.Z = c.R.Exp(s.x) + } else { + rev.Z = rev.Y.Exp(s.x) + } if lost { e1[0] = G.Exp(r1[0]).Mul(c.X.Exp(w[0])) e1[1] = G.Exp(r1[1]).Mul(pc.X.Exp(w[0])) e1[2] = G.Exp(r1[2]).Mul(bc.A.Exp(w[0])) - e1_[0] = c.R.Exp(r1[0]).Mul(c.Z.Exp(w[0])) - e1_[1] = pc.R.Exp(r1[1]).Mul(pc.Z.Exp(w[0])) + e1_[0] = c.R.Exp(r1[0]).Mul(rev.Z.Exp(w[0])) + e1_[1] = pc.R.Exp(r1[1]).Mul(rvp.Z.Exp(w[0])) e1_[2] = bc.B.Exp(r1[2]).Mul(bc.C.Div(G).Exp(w[0])) e2[0] = G.Exp(r2[0]).Mul(c.X.Exp(w[1])) e2[1] = G.Exp(r2[1]).Mul(pc.X.Exp(w[1])) e2[2] = G.Exp(r2[2]).Mul(bc.A.Exp(w[1])) - e2_[0] = c.Y.Exp(r2[0]).Mul(c.Z.Exp(w[1])) - e2_[1] = pc.R.Exp(r2[1]).Mul(pc.Z.Exp(w[1])) + e2_[0] = rev.Y.Exp(r2[0]).Mul(rev.Z.Exp(w[1])) + e2_[1] = pc.R.Exp(r2[1]).Mul(rvp.Z.Exp(w[1])) e2_[2] = bc.B.Exp(r2[2]).Mul(bc.C.Exp(w[1])) e3[0] = G.Exp(r3[0]) e3[1] = G.Exp(r3[1]) - e3_[0] = c.Y.Exp(r3[0]) - e3_[1] = pc.Y.Exp(r3[1]) + e3_[0] = rev.Y.Exp(r3[0]) + e3_[1] = rvp.Y.Exp(r3[1]) } else { if s.bit.IsSet() { e1[0] = G.Exp(r1[0]) 
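Review bot: `Y: G.Exp(Curve.RandomScalar())` in the new `rev` literal is a prover-chosen random element standing in for the product of the other bidders' `X_j` (as the inline TODO says), yet `rev.Z` is derived from it and both feed `e1_`/`e2_`/`e3_` and `points` here and in the second hunk. A proof over a random `Y` satisfies its own equations by construction, so a verifier that accepts this transcript is not bound to the other bids; the parameter the commit message mentions does not reach `proof2`, whose signature is still `(lost bool, prev *Stage)`. Until it is wired through I would fail loudly rather than emit a proof over a placeholder, e.g. `panic("proof2: rev.Y must be derived from the other bidders' commitments, not a random scalar")` in place of the random scalar, and carry the TODO in the function's doc comment so it is visible outside the body. Separately, `rev` is a fresh local that is never stored on `s`, while the previous stage's reveal is read via `prev.rev`; unless stage1 already populates `s.rev` and this code should reuse it, the reveal later passed to `VerifyStage2` as `crev` cannot correspond to this proof — worth confirming. proof2 starts before this hunk and continues past it.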
@@ -89,41 +98,41 @@ func (s *Stage) proof2(lost bool, prev *Stage) *Stage2Proof { e2[1] = G.Exp(r2[1]).Mul(pc.X.Exp(w[0])) e2[2] = G.Exp(r2[2]).Mul(bc.A.Exp(w[0])) - e2_[0] = c.Y.Exp(r2[0]).Mul(c.Z.Exp(w[0])) - e2_[1] = pc.R.Exp(r2[1]).Mul(pc.Z.Exp(w[0])) + e2_[0] = rev.Y.Exp(r2[0]).Mul(rev.Z.Exp(w[0])) + e2_[1] = pc.R.Exp(r2[1]).Mul(rvp.Z.Exp(w[0])) e2_[2] = bc.B.Exp(r2[2]).Mul(bc.C.Exp(w[0])) e3[0] = G.Exp(r3[0]).Mul(c.X.Exp(w[1])) e3[1] = G.Exp(r3[1]).Mul(pc.X.Exp(w[1])) - e3_[0] = c.Y.Exp(r3[0]).Mul(c.Z.Exp(w[1])) - e3_[1] = pc.Y.Exp(r3[1]).Mul(pc.Z.Exp(w[1])) + e3_[0] = rev.Y.Exp(r3[0]).Mul(rev.Z.Exp(w[1])) + e3_[1] = rvp.Y.Exp(r3[1]).Mul(rvp.Z.Exp(w[1])) } else { e1[0] = G.Exp(r1[0]).Mul(c.X.Exp(w[0])) e1[1] = G.Exp(r1[1]).Mul(pc.X.Exp(w[0])) e1[2] = G.Exp(r1[2]).Mul(bc.A.Exp(w[0])) - e1_[0] = c.R.Exp(r1[0]).Mul(c.Z.Exp(w[0])) - e1_[1] = pc.R.Exp(r1[1]).Mul(pc.Z.Exp(w[0])) + e1_[0] = c.R.Exp(r1[0]).Mul(rev.Z.Exp(w[0])) + e1_[1] = pc.R.Exp(r1[1]).Mul(rvp.Z.Exp(w[0])) e1_[2] = bc.B.Exp(r1[2]).Mul(bc.C.Div(G).Exp(w[0])) e2[0] = G.Exp(r2[0]) e2[1] = G.Exp(r2[1]) e2[2] = G.Exp(r2[2]) - e2_[0] = c.Y.Exp(r2[0]) + e2_[0] = rev.Y.Exp(r2[0]) e2_[1] = pc.R.Exp(r2[1]) e2_[2] = bc.B.Exp(r2[2]) e3[0] = G.Exp(r3[0]).Mul(c.X.Exp(w[1])) e3[1] = G.Exp(r3[1]).Mul(pc.X.Exp(w[1])) - e3_[0] = c.Y.Exp(r3[0]).Mul(c.Z.Exp(w[1])) - e3_[1] = pc.Y.Exp(r3[1]).Mul(pc.Z.Exp(w[1])) + e3_[0] = rev.Y.Exp(r3[0]).Mul(rev.Z.Exp(w[1])) + e3_[1] = rvp.Y.Exp(r3[1]).Mul(rvp.Z.Exp(w[1])) } } - points := []Bytes{G, bc.A, bc.B, bc.C, c.R, c.X, c.Y, c.Z, pc.R, pc.X, pc.Y, pc.Z} + points := []Bytes{G, bc.A, bc.B, bc.C, c.R, c.X, rev.Y, rev.Z, pc.R, pc.X, rvp.Y, rvp.Z} points = append(points, e1[:]...) points = append(points, e2[:]...) points = append(points, e3[:]...) 
@@ -183,38 +192,39 @@ func (s *Stage) proof2(lost bool, prev *Stage) *Stage2Proof { } } + s.prf2 = pr return pr } -func (c *Commitment) VerifyStage2(prev, curr *StageCommitment, p *Stage2Proof) bool { +func (c *Commitment) VerifyStage2(pcom, ccom *StageCommitment, prev, crev *StageReveal, p *Stage2Proof) bool { var ( e1, e1_ [3]Bytes e2, e2_ [3]Bytes e3, e3_ [2]Bytes ) - e1[0] = G.Exp(p.R1[0]).Mul(curr.X.Exp(p.Ch[0])) - e1[1] = G.Exp(p.R1[1]).Mul(prev.X.Exp(p.Ch[0])) + e1[0] = G.Exp(p.R1[0]).Mul(ccom.X.Exp(p.Ch[0])) + e1[1] = G.Exp(p.R1[1]).Mul(pcom.X.Exp(p.Ch[0])) e1[2] = G.Exp(p.R1[2]).Mul(c.A.Exp(p.Ch[0])) - e1_[0] = curr.R.Exp(p.R1[0]).Mul(curr.Z.Exp(p.Ch[0])) - e1_[1] = prev.R.Exp(p.R1[1]).Mul(prev.Z.Exp(p.Ch[0])) + e1_[0] = ccom.R.Exp(p.R1[0]).Mul(crev.Z.Exp(p.Ch[0])) + e1_[1] = pcom.R.Exp(p.R1[1]).Mul(prev.Z.Exp(p.Ch[0])) e1_[2] = c.B.Exp(p.R1[2]).Mul(c.C.Div(G).Exp(p.Ch[0])) - e2[0] = G.Exp(p.R2[0]).Mul(curr.X.Exp(p.Ch[1])) - e2[1] = G.Exp(p.R2[1]).Mul(prev.X.Exp(p.Ch[1])) + e2[0] = G.Exp(p.R2[0]).Mul(ccom.X.Exp(p.Ch[1])) + e2[1] = G.Exp(p.R2[1]).Mul(pcom.X.Exp(p.Ch[1])) e2[2] = G.Exp(p.R2[2]).Mul(c.A.Exp(p.Ch[1])) - e2_[0] = curr.Y.Exp(p.R2[0]).Mul(curr.Z.Exp(p.Ch[1])) - e2_[1] = prev.R.Exp(p.R2[1]).Mul(prev.Z.Exp(p.Ch[1])) + e2_[0] = crev.Y.Exp(p.R2[0]).Mul(crev.Z.Exp(p.Ch[1])) + e2_[1] = pcom.R.Exp(p.R2[1]).Mul(prev.Z.Exp(p.Ch[1])) e2_[2] = c.B.Exp(p.R2[2]).Mul(c.C.Exp(p.Ch[1])) - e3[0] = G.Exp(p.R3[0]).Mul(curr.X.Exp(p.Ch[2])) - e3[1] = G.Exp(p.R3[1]).Mul(prev.X.Exp(p.Ch[2])) + e3[0] = G.Exp(p.R3[0]).Mul(ccom.X.Exp(p.Ch[2])) + e3[1] = G.Exp(p.R3[1]).Mul(pcom.X.Exp(p.Ch[2])) - e3_[0] = curr.Y.Exp(p.R3[0]).Mul(curr.Z.Exp(p.Ch[2])) + e3_[0] = crev.Y.Exp(p.R3[0]).Mul(crev.Z.Exp(p.Ch[2])) e3_[1] = prev.Y.Exp(p.R3[1]).Mul(prev.Z.Exp(p.Ch[2])) - points := []Bytes{G, c.A, c.B, c.C, curr.R, curr.X, curr.Y, curr.Z, prev.R, prev.X, prev.Y, prev.Z} + points := []Bytes{G, c.A, c.B, c.C, ccom.R, ccom.X, crev.Y, crev.Z, pcom.R, pcom.X, prev.Y, prev.Z} points = 
append(points, e1[:]...) points = append(points, e2[:]...) points = append(points, e3[:]...) |