diff options
| -rw-r--r-- | nizk/stage1.go | 41 | ||||
| -rw-r--r-- | nizk/stage1_test.go | 8 | ||||
| -rw-r--r-- | nizk/stage2.go | 356 | ||||
| -rw-r--r-- | nizk/stage2_test.go | 48 |
4 files changed, 160 insertions, 293 deletions
diff --git a/nizk/stage1.go b/nizk/stage1.go index 228970b..21d63c6 100644 --- a/nizk/stage1.go +++ b/nizk/stage1.go @@ -4,7 +4,6 @@ import . "kesim.org/seal/common" type Stage struct { x *Scalar - y *Scalar r *Scalar com *StageCommitment @@ -32,44 +31,42 @@ type Stage1Proof struct { Rho [2][2]*Scalar } -func (b *Bit) stage(x, y, r *Scalar) *Stage { +func (b *Bit) stage(x, r *Scalar) *Stage { + b.Commit() // ensure non-null values for A, B, C return &Stage{ - x: x, - y: y, - r: r, - + x: x, + r: r, bit: b, } } -func (b *Bit) CommitStage1() (c *Stage, s *StageCommitment, p *Stage1Proof) { - var x [3]*Scalar - for i := range x { - x[i] = Curve.RandomScalar() - } - return b.CommitStage1FromScalars(x[0], x[1], x[2]) +func (b *Bit) CommitStage1(Xs ...*Point) (c *Stage, s *StageCommitment, p *Stage1Proof) { + x := Curve.RandomScalar() + r := Curve.RandomScalar() + return b.CommitStage1FromScalars(x, r, Xs...) } -func (b *Bit) CommitStage1FromScalars(x, y, r *Scalar) (s *Stage, c *StageCommitment, p *Stage1Proof) { - s = b.stage(x, y, r) - return s, s.commit1(), s.proof1() +func (b *Bit) CommitStage1FromScalars(x, r *Scalar, Xs ...*Point) (s *Stage, c *StageCommitment, p *Stage1Proof) { + s = b.stage(x, r) + return s, s.commit(false, Xs...), s.proof1() } -func (s *Stage) commit1() *StageCommitment { +func (s *Stage) commit(lost bool, Xs ...*Point) *StageCommitment { if s.com != nil { return s.com } - var Z *Point - if s.bit.IsSet() { + var Y, Z *Point + Y = G // TODO! BUG! THIS HAS TO BE Pj<i(X_j)/Pj>i(X_j) + if !lost && s.bit.IsSet() { Z = G.Exp(s.x.Mul(s.r)) } else { - Z = G.Exp(s.x.Mul(s.y)) + Z = Y.Exp(s.x) } s.com = &StageCommitment{ Z: Z, X: G.Exp(s.x), - Y: G.Exp(s.y), + Y: Y, R: G.Exp(s.r), } return s.com @@ -81,8 +78,8 @@ func (s *Stage) proof1() *Stage1Proof { for _, s := range []**Scalar{&r1, &r2, &ρ1, &ρ2, &ω} { *s = Curve.RandomScalar() } - c := s.commit1() - bc, _ := s.bit.Commit() + c := s.commit(false) + bc := s.bit.com if s.bit.IsSet() { ε[0][0] = G.Exp(r1).Mul(c.X.Exp(ω)) diff --git a/nizk/stage1_test.go b/nizk/stage1_test.go index 5fbf147..fd54b57 100644 --- a/nizk/stage1_test.go +++ b/nizk/stage1_test.go @@ -28,8 +28,8 @@ func TestStage1(t *testing.T) { } func TestStage1FromScalars(t *testing.T) { - var id, α, β, x, y, r *Scalar - for _, s := range []**Scalar{&id, &α, &β, &x, &y, &r} { + var id, α, β, x, r *Scalar + for _, s := range []**Scalar{&id, &α, &β, &x, &r} { *s = Curve.RandomScalar() } @@ -38,8 +38,8 @@ func TestStage1FromScalars(t *testing.T) { bc1, _ := b1.Commit() bc2, _ := b2.Commit() - _, c1, pr1 := b1.CommitStage1FromScalars(r, x, y) - _, c2, pr2 := b2.CommitStage1FromScalars(y, r, x) + _, c1, pr1 := b1.CommitStage1FromScalars(r, x) + _, c2, pr2 := b2.CommitStage1FromScalars(x, r) if !bc1.VerifyStage1(c1, pr1) { t.Fatal("Could not verify st1 with c1 and pr1, plus=true case") } diff --git a/nizk/stage2.go b/nizk/stage2.go index d791ef8..8bf94dd 100644 --- a/nizk/stage2.go +++ b/nizk/stage2.go @@ -4,127 +4,27 @@ import ( . "kesim.org/seal/common" ) -// Implements the proof and verification of a statement of the following form: +func (b *Bit) CommitStage2(lost bool, prev *Stage) (s *Stage, c *StageCommitment, p *Stage2Proof) { + x := Curve.RandomScalar() + r := Curve.RandomScalar() + return b.CommitStage2FromScalars(lost, prev, x, r) +} + +func (b *Bit) CommitStage2FromScalars(lost bool, prev *Stage, x, r *Scalar) (s *Stage, c *StageCommitment, p *Stage2Proof) { + s = b.stage(x, r) + c = s.commit(lost) + p = s.proof2(lost, prev) + return +} + +// Represents the proof of a statement of the following form: +// +// ( Z=g^(x*y) && X=g^x && Y=g^y && Z_=g^(x_*y_) && X_=g^x_ && Y_=g^y_ ) // case "none" // -// ( Z=g^(x*y) && X=g^x && Y=g^y && Z_=g^(x_*y_) && X_=g^x_ && Y_=g^y_ ) // case "none" // || ( Z=g^(x*y) && X=g^x && Y=g^y && Z_=g^(x_*r_) && X_=g^x_ && R_=g^r_ && C=g^(a*b) && A=g^a && B=g^b ) // case "unset" // || ( Z=g^(x*r) && X=g^x && R=g^r && Z_=g^(x_*r_) && X_=g^x_ && R_=g^r_ && C=g^(a*b+1) && A=g^a && B=g^b ) // case "set" // // for given A, B, C, R, X, Y, Z, R_, X_, Y_, Z_ on the curve - -type Type int - -const ( - None Type = iota - Unset - Set -) - -type Stage2 struct { - // Original Bid (except for typ, which has one more value) - typ Type - a *Scalar - b *Scalar - - // Private data from previous stage1 or stage2 - x_ *Scalar - y_ *Scalar - r_ *Scalar - - // New stage2 private data - r *Scalar - x *Scalar - y *Scalar - - com *Stage2Commitment - prf *Stage2Proof -} - -type Stage2Commitment struct { - // Original Commitment - A *Point - B *Point - C *Point - - // Previous Commitment - R_ *Point - X_ *Point - Y_ *Point - Z_ *Point - - // Stage2Commitment - R *Point - X *Point - Y *Point - Z *Point -} - -func NewStage2(typ Type) *Stage2 { - var s [8]*Scalar - for i := range s { - s[i] = Curve.RandomScalar() - } - - return NewStage2FromScalars(typ, s[0], s[1], s[2], s[3], s[4], s[5], s[6], s[7]) -} - -func NewStage2FromScalars(typ Type, a, b, r, x, y, r_, x_, y_ *Scalar) *Stage2 { - if typ > Set || typ < None { - panic("unknown type") - } - - return &Stage2{ - typ: typ, - a: a, - b: b, - r: r, - x: x, - y: y, - r_: r_, - x_: x_, - y_: y_, - } -} - -func (s *Stage2) commitment() *Stage2Commitment { - var Z, Z_ *Point - c := s.a.Mul(s.b) - - switch s.typ { - case None: - Z = G.Exp(s.x.Mul(s.y)) - Z_ = G.Exp(s.x_.Mul(s.y_)) - case Set: - Z = G.Exp(s.x.Mul(s.r)) - Z_ = G.Exp(s.x_.Mul(s.r_)) - c = c.Add(One) - case Unset: - Z = G.Exp(s.x.Mul(s.y)) - Z_ = G.Exp(s.x_.Mul(s.r_)) - default: - panic("not possible") - } - - return &Stage2Commitment{ - A: G.Exp(s.a), - B: G.Exp(s.b), - C: G.Exp(c), - R: G.Exp(s.r), - X: G.Exp(s.x), - Y: G.Exp(s.y), - Z: Z, - R_: G.Exp(s.r_), - X_: G.Exp(s.x_), - Y_: G.Exp(s.y_), - Z_: Z_, - } -} - -func (s *Stage2) Commit() (*Stage2Commitment, *Stage2Proof) { - c := s.commitment() - return c, s.proof(c) -} - type Stage2Proof struct { Ch [3]*Scalar R1 [3]*Scalar @@ -132,7 +32,7 @@ type Stage2Proof struct { R3 [2]*Scalar } -func (s *Stage2) proof(c *Stage2Commitment) *Stage2Proof { +func (s *Stage) proof2(lost bool, prev *Stage) *Stage2Proof { var ( e1, e1_ [3]Bytes e2, e2_ [3]Bytes @@ -149,81 +49,81 @@ func (s *Stage2) proof(c *Stage2Commitment) *Stage2Proof { } } - switch s.typ { - case None: + c := s.commit(lost) + bc := prev.bit.com + pc := prev.com + + if lost { e1[0] = G.Exp(r1[0]).Mul(c.X.Exp(w[0])) - e1[1] = G.Exp(r1[1]).Mul(c.X_.Exp(w[0])) - e1[2] = G.Exp(r1[2]).Mul(c.A.Exp(w[0])) + e1[1] = G.Exp(r1[1]).Mul(pc.X.Exp(w[0])) + e1[2] = G.Exp(r1[2]).Mul(bc.A.Exp(w[0])) e1_[0] = c.R.Exp(r1[0]).Mul(c.Z.Exp(w[0])) - e1_[1] = c.R_.Exp(r1[1]).Mul(c.Z_.Exp(w[0])) - e1_[2] = c.B.Exp(r1[2]).Mul(c.C.Div(G).Exp(w[0])) + e1_[1] = pc.R.Exp(r1[1]).Mul(pc.Z.Exp(w[0])) + e1_[2] = bc.B.Exp(r1[2]).Mul(bc.C.Div(G).Exp(w[0])) e2[0] = G.Exp(r2[0]).Mul(c.X.Exp(w[1])) - e2[1] = G.Exp(r2[1]).Mul(c.X_.Exp(w[1])) - e2[2] = G.Exp(r2[2]).Mul(c.A.Exp(w[1])) + e2[1] = G.Exp(r2[1]).Mul(pc.X.Exp(w[1])) + e2[2] = G.Exp(r2[2]).Mul(bc.A.Exp(w[1])) e2_[0] = c.Y.Exp(r2[0]).Mul(c.Z.Exp(w[1])) - e2_[1] = c.R_.Exp(r2[1]).Mul(c.Z_.Exp(w[1])) - e2_[2] = c.B.Exp(r2[2]).Mul(c.C.Exp(w[1])) + e2_[1] = pc.R.Exp(r2[1]).Mul(pc.Z.Exp(w[1])) + e2_[2] = bc.B.Exp(r2[2]).Mul(bc.C.Exp(w[1])) e3[0] = G.Exp(r3[0]) e3[1] = G.Exp(r3[1]) e3_[0] = c.Y.Exp(r3[0]) - e3_[1] = c.Y_.Exp(r3[1]) - - case Unset: - e1[0] = G.Exp(r1[0]).Mul(c.X.Exp(w[0])) - e1[1] = G.Exp(r1[1]).Mul(c.X_.Exp(w[0])) - e1[2] = G.Exp(r1[2]).Mul(c.A.Exp(w[0])) - - e1_[0] = c.R.Exp(r1[0]).Mul(c.Z.Exp(w[0])) - e1_[1] = c.R_.Exp(r1[1]).Mul(c.Z_.Exp(w[0])) - e1_[2] = c.B.Exp(r1[2]).Mul(c.C.Div(G).Exp(w[0])) - - e2[0] = G.Exp(r2[0]) - e2[1] = G.Exp(r2[1]) - e2[2] = G.Exp(r2[2]) - - e2_[0] = c.Y.Exp(r2[0]) - e2_[1] = c.R_.Exp(r2[1]) - e2_[2] = c.B.Exp(r2[2]) - - e3[0] = G.Exp(r3[0]).Mul(c.X.Exp(w[1])) - e3[1] = G.Exp(r3[1]).Mul(c.X_.Exp(w[1])) - - e3_[0] = c.Y.Exp(r3[0]).Mul(c.Z.Exp(w[1])) - e3_[1] = c.Y_.Exp(r3[1]).Mul(c.Z_.Exp(w[1])) - - case Set: - e1[0] = G.Exp(r1[0]) - e1[1] = G.Exp(r1[1]) - e1[2] = G.Exp(r1[2]) - - e1_[0] = c.R.Exp(r1[0]) - e1_[1] = c.R_.Exp(r1[1]) - e1_[2] = c.B.Exp(r1[2]) - - e2[0] = G.Exp(r2[0]).Mul(c.X.Exp(w[0])) - e2[1] = G.Exp(r2[1]).Mul(c.X_.Exp(w[0])) - e2[2] = G.Exp(r2[2]).Mul(c.A.Exp(w[0])) - - e2_[0] = c.Y.Exp(r2[0]).Mul(c.Z.Exp(w[0])) - e2_[1] = c.R_.Exp(r2[1]).Mul(c.Z_.Exp(w[0])) - e2_[2] = c.B.Exp(r2[2]).Mul(c.C.Exp(w[0])) - - e3[0] = G.Exp(r3[0]).Mul(c.X.Exp(w[1])) - e3[1] = G.Exp(r3[1]).Mul(c.X_.Exp(w[1])) - - e3_[0] = c.Y.Exp(r3[0]).Mul(c.Z.Exp(w[1])) - e3_[1] = c.Y_.Exp(r3[1]).Mul(c.Z_.Exp(w[1])) - - default: - panic("not possible") + e3_[1] = pc.Y.Exp(r3[1]) + } else { + if s.bit.IsSet() { + e1[0] = G.Exp(r1[0]) + e1[1] = G.Exp(r1[1]) + e1[2] = G.Exp(r1[2]) + + e1_[0] = c.R.Exp(r1[0]) + e1_[1] = pc.R.Exp(r1[1]) + e1_[2] = bc.B.Exp(r1[2]) + + e2[0] = G.Exp(r2[0]).Mul(c.X.Exp(w[0])) + e2[1] = G.Exp(r2[1]).Mul(pc.X.Exp(w[0])) + e2[2] = G.Exp(r2[2]).Mul(bc.A.Exp(w[0])) + + e2_[0] = c.Y.Exp(r2[0]).Mul(c.Z.Exp(w[0])) + e2_[1] = pc.R.Exp(r2[1]).Mul(pc.Z.Exp(w[0])) + e2_[2] = bc.B.Exp(r2[2]).Mul(bc.C.Exp(w[0])) + + e3[0] = G.Exp(r3[0]).Mul(c.X.Exp(w[1])) + e3[1] = G.Exp(r3[1]).Mul(pc.X.Exp(w[1])) + + e3_[0] = c.Y.Exp(r3[0]).Mul(c.Z.Exp(w[1])) + e3_[1] = pc.Y.Exp(r3[1]).Mul(pc.Z.Exp(w[1])) + } else { + e1[0] = G.Exp(r1[0]).Mul(c.X.Exp(w[0])) + e1[1] = G.Exp(r1[1]).Mul(pc.X.Exp(w[0])) + e1[2] = G.Exp(r1[2]).Mul(bc.A.Exp(w[0])) + + e1_[0] = c.R.Exp(r1[0]).Mul(c.Z.Exp(w[0])) + e1_[1] = pc.R.Exp(r1[1]).Mul(pc.Z.Exp(w[0])) + e1_[2] = bc.B.Exp(r1[2]).Mul(bc.C.Div(G).Exp(w[0])) + + e2[0] = G.Exp(r2[0]) + e2[1] = G.Exp(r2[1]) + e2[2] = G.Exp(r2[2]) + + e2_[0] = c.Y.Exp(r2[0]) + e2_[1] = pc.R.Exp(r2[1]) + e2_[2] = bc.B.Exp(r2[2]) + + e3[0] = G.Exp(r3[0]).Mul(c.X.Exp(w[1])) + e3[1] = G.Exp(r3[1]).Mul(pc.X.Exp(w[1])) + + e3_[0] = c.Y.Exp(r3[0]).Mul(c.Z.Exp(w[1])) + e3_[1] = pc.Y.Exp(r3[1]).Mul(pc.Z.Exp(w[1])) + } } - points := []Bytes{G, c.A, c.B, c.C, c.R, c.X, c.Y, c.Z, c.R_, c.X_, c.Y_, c.Z_} + points := []Bytes{G, bc.A, bc.B, bc.C, c.R, c.X, c.Y, c.Z, pc.R, pc.X, pc.Y, pc.Z} points = append(points, e1[:]...) points = append(points, e2[:]...) points = append(points, e3[:]...) @@ -234,8 +134,7 @@ func (s *Stage2) proof(c *Stage2Commitment) *Stage2Proof { ch := Challenge(points...) pr := &Stage2Proof{} - switch s.typ { - case None: + if lost { pr.Ch[0] = w[0] pr.Ch[1] = w[1] pr.Ch[2] = ch.Sub(w[0]).Sub(w[1]) @@ -249,76 +148,73 @@ func (s *Stage2) proof(c *Stage2Commitment) *Stage2Proof { pr.R2[2] = r2[2] pr.R3[0] = r3[0].Sub(s.x.Mul(pr.Ch[2])) - pr.R3[1] = r3[1].Sub(s.x_.Mul(pr.Ch[2])) - - case Unset: - pr.Ch[0] = w[0] - pr.Ch[1] = ch.Sub(w[0]).Sub(w[1]) - pr.Ch[2] = w[1] - - pr.R1[0] = r1[0] - pr.R1[1] = r1[1] - pr.R1[2] = r1[2] - - pr.R2[0] = r2[0].Sub(s.x.Mul(pr.Ch[1])) - pr.R2[1] = r2[1].Sub(s.x_.Mul(pr.Ch[1])) - pr.R2[2] = r2[2].Sub(s.a.Mul(pr.Ch[1])) - - pr.R3[0] = r3[0] - pr.R3[1] = r3[1] - - case Set: - pr.Ch[0] = ch.Sub(w[0]).Sub(w[1]) - pr.Ch[1] = w[0] - pr.Ch[2] = w[1] - - pr.R1[0] = r1[0].Sub(s.x.Mul(pr.Ch[0])) - pr.R1[1] = r1[1].Sub(s.x_.Mul(pr.Ch[0])) - pr.R1[2] = r1[2].Sub(s.a.Mul(pr.Ch[0])) - - pr.R2[0] = r2[0] - pr.R2[1] = r2[1] - pr.R2[2] = r2[2] - - pr.R3[0] = r3[0] - pr.R3[1] = r3[1] - - default: - panic("unreachable") + pr.R3[1] = r3[1].Sub(prev.x.Mul(pr.Ch[2])) + } else { + if s.bit.IsSet() { + pr.Ch[0] = ch.Sub(w[0]).Sub(w[1]) + pr.Ch[1] = w[0] + pr.Ch[2] = w[1] + + pr.R1[0] = r1[0].Sub(s.x.Mul(pr.Ch[0])) + pr.R1[1] = r1[1].Sub(prev.x.Mul(pr.Ch[0])) + pr.R1[2] = r1[2].Sub(s.bit.α.Mul(pr.Ch[0])) + + pr.R2[0] = r2[0] + pr.R2[1] = r2[1] + pr.R2[2] = r2[2] + + pr.R3[0] = r3[0] + pr.R3[1] = r3[1] + } else { + pr.Ch[0] = w[0] + pr.Ch[1] = ch.Sub(w[0]).Sub(w[1]) + pr.Ch[2] = w[1] + + pr.R1[0] = r1[0] + pr.R1[1] = r1[1] + pr.R1[2] = r1[2] + + pr.R2[0] = r2[0].Sub(s.x.Mul(pr.Ch[1])) + pr.R2[1] = r2[1].Sub(prev.x.Mul(pr.Ch[1])) + pr.R2[2] = r2[2].Sub(s.bit.α.Mul(pr.Ch[1])) + + pr.R3[0] = r3[0] + pr.R3[1] = r3[1] + } } return pr } -func (c *Stage2Commitment) Verify(p *Stage2Proof) bool { +func (c *Commitment) VerifyStage2(prev, curr *StageCommitment, p *Stage2Proof) bool { var ( e1, e1_ [3]Bytes e2, e2_ [3]Bytes e3, e3_ [2]Bytes ) - e1[0] = G.Exp(p.R1[0]).Mul(c.X.Exp(p.Ch[0])) - e1[1] = G.Exp(p.R1[1]).Mul(c.X_.Exp(p.Ch[0])) + e1[0] = G.Exp(p.R1[0]).Mul(curr.X.Exp(p.Ch[0])) + e1[1] = G.Exp(p.R1[1]).Mul(prev.X.Exp(p.Ch[0])) e1[2] = G.Exp(p.R1[2]).Mul(c.A.Exp(p.Ch[0])) - e1_[0] = c.R.Exp(p.R1[0]).Mul(c.Z.Exp(p.Ch[0])) - e1_[1] = c.R_.Exp(p.R1[1]).Mul(c.Z_.Exp(p.Ch[0])) + e1_[0] = curr.R.Exp(p.R1[0]).Mul(curr.Z.Exp(p.Ch[0])) + e1_[1] = prev.R.Exp(p.R1[1]).Mul(prev.Z.Exp(p.Ch[0])) e1_[2] = c.B.Exp(p.R1[2]).Mul(c.C.Div(G).Exp(p.Ch[0])) - e2[0] = G.Exp(p.R2[0]).Mul(c.X.Exp(p.Ch[1])) - e2[1] = G.Exp(p.R2[1]).Mul(c.X_.Exp(p.Ch[1])) + e2[0] = G.Exp(p.R2[0]).Mul(curr.X.Exp(p.Ch[1])) + e2[1] = G.Exp(p.R2[1]).Mul(prev.X.Exp(p.Ch[1])) e2[2] = G.Exp(p.R2[2]).Mul(c.A.Exp(p.Ch[1])) - e2_[0] = c.Y.Exp(p.R2[0]).Mul(c.Z.Exp(p.Ch[1])) - e2_[1] = c.R_.Exp(p.R2[1]).Mul(c.Z_.Exp(p.Ch[1])) + e2_[0] = curr.Y.Exp(p.R2[0]).Mul(curr.Z.Exp(p.Ch[1])) + e2_[1] = prev.R.Exp(p.R2[1]).Mul(prev.Z.Exp(p.Ch[1])) e2_[2] = c.B.Exp(p.R2[2]).Mul(c.C.Exp(p.Ch[1])) - e3[0] = G.Exp(p.R3[0]).Mul(c.X.Exp(p.Ch[2])) - e3[1] = G.Exp(p.R3[1]).Mul(c.X_.Exp(p.Ch[2])) + e3[0] = G.Exp(p.R3[0]).Mul(curr.X.Exp(p.Ch[2])) + e3[1] = G.Exp(p.R3[1]).Mul(prev.X.Exp(p.Ch[2])) - e3_[0] = c.Y.Exp(p.R3[0]).Mul(c.Z.Exp(p.Ch[2])) - e3_[1] = c.Y_.Exp(p.R3[1]).Mul(c.Z_.Exp(p.Ch[2])) + e3_[0] = curr.Y.Exp(p.R3[0]).Mul(curr.Z.Exp(p.Ch[2])) + e3_[1] = prev.Y.Exp(p.R3[1]).Mul(prev.Z.Exp(p.Ch[2])) - points := []Bytes{G, c.A, c.B, c.C, c.R, c.X, c.Y, c.Z, c.R_, c.X_, c.Y_, c.Z_} + points := []Bytes{G, c.A, c.B, c.C, curr.R, curr.X, curr.Y, curr.Z, prev.R, prev.X, prev.Y, prev.Z} points = append(points, e1[:]...) points = append(points, e2[:]...) points = append(points, e3[:]...) diff --git a/nizk/stage2_test.go b/nizk/stage2_test.go index 9d3ebec..7edcf80 100644 --- a/nizk/stage2_test.go +++ b/nizk/stage2_test.go @@ -6,46 +6,20 @@ import ( . "kesim.org/seal/common" ) -func TestVerification(t *testing.T) { - var st [3]*Stage2 - for i, typ := range []Type{None, Unset, Set} { - st[i] = NewStage2(typ) - c, p := st[i].Commit() - if !c.Verify(p) { - t.Fatalf("Couldn't verify proof for %v, case %d\n", typ, i) - } +func TestStage2Simple(t *testing.T) { + id := Curve.RandomScalar() + b1 := NewBit(id, false) + b2 := NewBit(id, false) + s1, c1, _ := b1.CommitStage1() + curr, _ := b2.Commit() + + _, c2, p2 := b2.CommitStage2(true, s1) + if !curr.VerifyStage2(c1, c2, p2) { + t.Fatal("Could not verify stage2") } - for _, ind := range [][2]int{{0, 1}, {1, 2}, {2, 0}} { - c1, p1 := st[ind[0]].Commit() - c2, p2 := st[ind[1]].Commit() - if c1.Verify(p2) || c2.Verify(p1) { - t.Fatalf("Shouldn't be able to verify %d with proof %d", ind[0], ind[1]) - } - } } -func TestVerificationFromScalar(t *testing.T) { - var s [8]*Scalar - var st [3]*Stage2 - - for i := range s { - s[i] = Curve.RandomScalar() - } - - for i, typ := range []Type{None, Unset, Set} { - st[i] = NewStage2FromScalars(typ, s[0], s[1], s[2], s[3], s[4], s[5], s[6], s[7]) - c, p := st[i].Commit() - if !c.Verify(p) { - t.Fatalf("Couldn't verify proof for %v, case %d\n", typ, i) - } - } +func TestStage2FromScalar(t *testing.T) { - for _, ind := range [][2]int{{0, 1}, {1, 2}, {2, 1}, {2, 0}} { - c1, p1 := st[ind[0]].Commit() - c2, p2 := st[ind[1]].Commit() - if c1.Verify(p2) || c2.Verify(p1) { - t.Fatalf("Shouldn't be able to verify %d with proof %d", ind[0], ind[1]) - } - } } |