Diffstat (limited to 'nizk')
-rw-r--r--nizk/stage2.go (renamed from nizk/stage2/stage2.go)165
-rw-r--r--nizk/stage2_test.go (renamed from nizk/stage2/stage2_test.go)24
2 files changed, 95 insertions, 94 deletions
diff --git a/nizk/stage2/stage2.go b/nizk/stage2.go
index d4d2716..85081f7 100644
--- a/nizk/stage2/stage2.go
+++ b/nizk/stage2.go
@@ -1,4 +1,4 @@
-package stage2
+package nizk
import (
. "kesim.org/seal/common"
@@ -20,7 +20,7 @@ const (
Set
)
-type Statement struct {
+type Stage2 struct {
typ Type
a *Scalar
b *Scalar
@@ -30,10 +30,9 @@ type Statement struct {
r_ *Scalar
x_ *Scalar
y_ *Scalar
- *Commitment
}
-type Commitment struct {
+type Stage2Commitment struct {
A *Point
B *Point
C *Point
@@ -47,80 +46,80 @@ type Commitment struct {
Z_ *Point
}
-func NewStatement(typ Type) *Statement {
+func NewStage2(typ Type) *Stage2 {
var s [8]*Scalar
for i := range s {
s[i] = Curve.RandomScalar()
}
- return NewStatementFromScalars(typ, s[0], s[1], s[2], s[3], s[4], s[5], s[6], s[7])
+ return NewStage2FromScalars(typ, s[0], s[1], s[2], s[3], s[4], s[5], s[6], s[7])
}
-func NewStatementFromScalars(typ Type, a, b, r, x, y, r_, x_, y_ *Scalar) *Statement {
+func NewStage2FromScalars(typ Type, a, b, r, x, y, r_, x_, y_ *Scalar) *Stage2 {
if typ > Set || typ < None {
panic("unknown type")
}
- return &Statement{
- typ: typ,
- a: a,
- b: b,
- r: r,
- x: x,
- y: y,
- r_: r_,
- x_: x_,
- y_: y_,
- Commitment: commitment(typ, a, b, r, x, y, r_, x_, y_),
+ return &Stage2{
+ typ: typ,
+ a: a,
+ b: b,
+ r: r,
+ x: x,
+ y: y,
+ r_: r_,
+ x_: x_,
+ y_: y_,
}
}
-func commitment(typ Type, a, b, r, x, y, r_, x_, y_ *Scalar) *Commitment {
+func (s *Stage2) commitment() *Stage2Commitment {
var Z, Z_ *Point
- c := a.Mul(b)
+ c := s.a.Mul(s.b)
- switch typ {
+ switch s.typ {
case None:
- Z = G.Exp(x.Mul(y))
- Z_ = G.Exp(x_.Mul(y_))
+ Z = G.Exp(s.x.Mul(s.y))
+ Z_ = G.Exp(s.x_.Mul(s.y_))
case Set:
- Z = G.Exp(x.Mul(r))
- Z_ = G.Exp(x_.Mul(r_))
+ Z = G.Exp(s.x.Mul(s.r))
+ Z_ = G.Exp(s.x_.Mul(s.r_))
c = c.Add(One)
case Unset:
- Z = G.Exp(x.Mul(y))
- Z_ = G.Exp(x_.Mul(r_))
+ Z = G.Exp(s.x.Mul(s.y))
+ Z_ = G.Exp(s.x_.Mul(s.r_))
default:
panic("not possible")
}
- return &Commitment{
- A: G.Exp(a),
- B: G.Exp(b),
+ return &Stage2Commitment{
+ A: G.Exp(s.a),
+ B: G.Exp(s.b),
C: G.Exp(c),
- R: G.Exp(r),
- X: G.Exp(x),
- Y: G.Exp(y),
+ R: G.Exp(s.r),
+ X: G.Exp(s.x),
+ Y: G.Exp(s.y),
Z: Z,
- R_: G.Exp(r_),
- X_: G.Exp(x_),
- Y_: G.Exp(y_),
+ R_: G.Exp(s.r_),
+ X_: G.Exp(s.x_),
+ Y_: G.Exp(s.y_),
Z_: Z_,
}
}
-func (s *Statement) Commit() *Commitment {
- return s.Commitment
+func (s *Stage2) Commit() (*Stage2Commitment, *Stage2Proof) {
+ c := s.commitment()
+ return c, s.proof(c)
}
-type Proof struct {
+type Stage2Proof struct {
Ch [3]*Scalar
R1 [3]*Scalar
R2 [3]*Scalar
R3 [2]*Scalar
}
-func (s *Statement) Proof() *Proof {
+func (s *Stage2) proof(c *Stage2Commitment) *Stage2Proof {
var (
e1, e1_ [3]Bytes
e2, e2_ [3]Bytes
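Review bot: `NewStage2FromScalars` validates `typ` but takes the eight witness scalars unchecked, and the first `Commit()` then dereferences them at `c := s.a.Mul(s.b)`, so a nil scalar from a caller would presumably surface as a panic inside `Mul` rather than at the API boundary; a guard such as `for _, v := range []*Scalar{a, b, r, x, y, r_, x_, y_} { if v == nil { panic("nizk: nil scalar") } }` before the struct literal would keep the failure where it is diagnosable. The now-exported API (`Stage2`, `NewStage2`, `NewStage2FromScalars`, `Commit`, `Stage2Commitment`, `Stage2Proof`) carries no doc comments; `Commit` in particular should state that the commitment is recomputed deterministically from the stored scalars while a new proof is produced on every call, e.g. `// Commit returns the public commitment to s's scalars together with a fresh NIZK proof that it has the shape required by s's type.` `NewStage2` draws its witness from `Curve.RandomScalar()`, whose randomness source is not visible here, so a one-line comment pointing at it would help anyone auditing entropy. The `proof` method starts in this hunk but its body continues past it.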
@@ -139,79 +138,79 @@ func (s *Statement) Proof() *Proof {
switch s.typ {
case None:
- e1[0] = G.Exp(r1[0]).Mul(s.X.Exp(w[0]))
- e1[1] = G.Exp(r1[1]).Mul(s.X_.Exp(w[0]))
- e1[2] = G.Exp(r1[2]).Mul(s.A.Exp(w[0]))
+ e1[0] = G.Exp(r1[0]).Mul(c.X.Exp(w[0]))
+ e1[1] = G.Exp(r1[1]).Mul(c.X_.Exp(w[0]))
+ e1[2] = G.Exp(r1[2]).Mul(c.A.Exp(w[0]))
- e1_[0] = s.R.Exp(r1[0]).Mul(s.Z.Exp(w[0]))
- e1_[1] = s.R_.Exp(r1[1]).Mul(s.Z_.Exp(w[0]))
- e1_[2] = s.B.Exp(r1[2]).Mul(s.C.Div(G).Exp(w[0]))
+ e1_[0] = c.R.Exp(r1[0]).Mul(c.Z.Exp(w[0]))
+ e1_[1] = c.R_.Exp(r1[1]).Mul(c.Z_.Exp(w[0]))
+ e1_[2] = c.B.Exp(r1[2]).Mul(c.C.Div(G).Exp(w[0]))
- e2[0] = G.Exp(r2[0]).Mul(s.X.Exp(w[1]))
- e2[1] = G.Exp(r2[1]).Mul(s.X_.Exp(w[1]))
- e2[2] = G.Exp(r2[2]).Mul(s.A.Exp(w[1]))
+ e2[0] = G.Exp(r2[0]).Mul(c.X.Exp(w[1]))
+ e2[1] = G.Exp(r2[1]).Mul(c.X_.Exp(w[1]))
+ e2[2] = G.Exp(r2[2]).Mul(c.A.Exp(w[1]))
- e2_[0] = s.Y.Exp(r2[0]).Mul(s.Z.Exp(w[1]))
- e2_[1] = s.R_.Exp(r2[1]).Mul(s.Z_.Exp(w[1]))
- e2_[2] = s.B.Exp(r2[2]).Mul(s.C.Exp(w[1]))
+ e2_[0] = c.Y.Exp(r2[0]).Mul(c.Z.Exp(w[1]))
+ e2_[1] = c.R_.Exp(r2[1]).Mul(c.Z_.Exp(w[1]))
+ e2_[2] = c.B.Exp(r2[2]).Mul(c.C.Exp(w[1]))
e3[0] = G.Exp(r3[0])
e3[1] = G.Exp(r3[1])
- e3_[0] = s.Y.Exp(r3[0])
- e3_[1] = s.Y_.Exp(r3[1])
+ e3_[0] = c.Y.Exp(r3[0])
+ e3_[1] = c.Y_.Exp(r3[1])
case Unset:
- e1[0] = G.Exp(r1[0]).Mul(s.X.Exp(w[0]))
- e1[1] = G.Exp(r1[1]).Mul(s.X_.Exp(w[0]))
- e1[2] = G.Exp(r1[2]).Mul(s.A.Exp(w[0]))
+ e1[0] = G.Exp(r1[0]).Mul(c.X.Exp(w[0]))
+ e1[1] = G.Exp(r1[1]).Mul(c.X_.Exp(w[0]))
+ e1[2] = G.Exp(r1[2]).Mul(c.A.Exp(w[0]))
- e1_[0] = s.R.Exp(r1[0]).Mul(s.Z.Exp(w[0]))
- e1_[1] = s.R_.Exp(r1[1]).Mul(s.Z_.Exp(w[0]))
- e1_[2] = s.B.Exp(r1[2]).Mul(s.C.Div(G).Exp(w[0]))
+ e1_[0] = c.R.Exp(r1[0]).Mul(c.Z.Exp(w[0]))
+ e1_[1] = c.R_.Exp(r1[1]).Mul(c.Z_.Exp(w[0]))
+ e1_[2] = c.B.Exp(r1[2]).Mul(c.C.Div(G).Exp(w[0]))
e2[0] = G.Exp(r2[0])
e2[1] = G.Exp(r2[1])
e2[2] = G.Exp(r2[2])
- e2_[0] = s.Y.Exp(r2[0])
- e2_[1] = s.R_.Exp(r2[1])
- e2_[2] = s.B.Exp(r2[2])
+ e2_[0] = c.Y.Exp(r2[0])
+ e2_[1] = c.R_.Exp(r2[1])
+ e2_[2] = c.B.Exp(r2[2])
- e3[0] = G.Exp(r3[0]).Mul(s.X.Exp(w[1]))
- e3[1] = G.Exp(r3[1]).Mul(s.X_.Exp(w[1]))
+ e3[0] = G.Exp(r3[0]).Mul(c.X.Exp(w[1]))
+ e3[1] = G.Exp(r3[1]).Mul(c.X_.Exp(w[1]))
- e3_[0] = s.Y.Exp(r3[0]).Mul(s.Z.Exp(w[1]))
- e3_[1] = s.Y_.Exp(r3[1]).Mul(s.Z_.Exp(w[1]))
+ e3_[0] = c.Y.Exp(r3[0]).Mul(c.Z.Exp(w[1]))
+ e3_[1] = c.Y_.Exp(r3[1]).Mul(c.Z_.Exp(w[1]))
case Set:
e1[0] = G.Exp(r1[0])
e1[1] = G.Exp(r1[1])
e1[2] = G.Exp(r1[2])
- e1_[0] = s.R.Exp(r1[0])
- e1_[1] = s.R_.Exp(r1[1])
- e1_[2] = s.B.Exp(r1[2])
+ e1_[0] = c.R.Exp(r1[0])
+ e1_[1] = c.R_.Exp(r1[1])
+ e1_[2] = c.B.Exp(r1[2])
- e2[0] = G.Exp(r2[0]).Mul(s.X.Exp(w[0]))
- e2[1] = G.Exp(r2[1]).Mul(s.X_.Exp(w[0]))
- e2[2] = G.Exp(r2[2]).Mul(s.A.Exp(w[0]))
+ e2[0] = G.Exp(r2[0]).Mul(c.X.Exp(w[0]))
+ e2[1] = G.Exp(r2[1]).Mul(c.X_.Exp(w[0]))
+ e2[2] = G.Exp(r2[2]).Mul(c.A.Exp(w[0]))
- e2_[0] = s.Y.Exp(r2[0]).Mul(s.Z.Exp(w[0]))
- e2_[1] = s.R_.Exp(r2[1]).Mul(s.Z_.Exp(w[0]))
- e2_[2] = s.B.Exp(r2[2]).Mul(s.C.Exp(w[0]))
+ e2_[0] = c.Y.Exp(r2[0]).Mul(c.Z.Exp(w[0]))
+ e2_[1] = c.R_.Exp(r2[1]).Mul(c.Z_.Exp(w[0]))
+ e2_[2] = c.B.Exp(r2[2]).Mul(c.C.Exp(w[0]))
- e3[0] = G.Exp(r3[0]).Mul(s.X.Exp(w[1]))
- e3[1] = G.Exp(r3[1]).Mul(s.X_.Exp(w[1]))
+ e3[0] = G.Exp(r3[0]).Mul(c.X.Exp(w[1]))
+ e3[1] = G.Exp(r3[1]).Mul(c.X_.Exp(w[1]))
- e3_[0] = s.Y.Exp(r3[0]).Mul(s.Z.Exp(w[1]))
- e3_[1] = s.Y_.Exp(r3[1]).Mul(s.Z_.Exp(w[1]))
+ e3_[0] = c.Y.Exp(r3[0]).Mul(c.Z.Exp(w[1]))
+ e3_[1] = c.Y_.Exp(r3[1]).Mul(c.Z_.Exp(w[1]))
default:
panic("not possible")
}
- points := []Bytes{G, s.A, s.B, s.C, s.R, s.X, s.Y, s.Z, s.R_, s.X_, s.Y_, s.Z_}
+ points := []Bytes{G, c.A, c.B, c.C, c.R, c.X, c.Y, c.Z, c.R_, c.X_, c.Y_, c.Z_}
points = append(points, e1[:]...)
points = append(points, e2[:]...)
points = append(points, e3[:]...)
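Review bot: The Fiat–Shamir transcript assembled at `points := []Bytes{G, c.A, c.B, ...}` binds the statement points and the announcements but carries no tag naming the relation being proved; now that this code shares the `nizk` package with other proofs, any sibling that feeds `Challenge` a compatible point layout would derive the same challenge for a different relation, so I would prefix a fixed relation identifier (a constant `Bytes` such as "nizk/stage2") as the first element and mirror it in `Verify`, whose body is outside this diff. Whether `Challenge` already domain-separates internally I cannot tell from here; if it does, a comment at this line saying so would settle the question for the next reader. Separately, the `None` and `Unset` arms compute byte-identical `e1`/`e1_` values, which could be hoisted above the switch to shrink the three-way duplication. `proof`'s signature is in the preceding hunk and its body continues after this one.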
@@ -220,7 +219,7 @@ func (s *Statement) Proof() *Proof {
points = append(points, e3_[:]...)
ch := Challenge(points...)
- pr := &Proof{}
+ pr := &Stage2Proof{}
switch s.typ {
case None:
@@ -278,7 +277,7 @@ func (s *Statement) Proof() *Proof {
return pr
}
-func (c *Commitment) Verify(p *Proof) bool {
+func (c *Stage2Commitment) Verify(p *Stage2Proof) bool {
var (
e1, e1_ [3]Bytes
e2, e2_ [3]Bytes
diff --git a/nizk/stage2/stage2_test.go b/nizk/stage2_test.go
index fadcc45..9d3ebec 100644
--- a/nizk/stage2/stage2_test.go
+++ b/nizk/stage2_test.go
@@ -1,4 +1,4 @@
-package stage2
+package nizk
import (
"testing"
@@ -7,18 +7,19 @@ import (
)
func TestVerification(t *testing.T) {
- var st [3]*Statement
+ var st [3]*Stage2
for i, typ := range []Type{None, Unset, Set} {
- st[i] = NewStatement(typ)
- c, p := st[i].Commit(), st[i].Proof()
+ st[i] = NewStage2(typ)
+ c, p := st[i].Commit()
if !c.Verify(p) {
t.Fatalf("Couldn't verify proof for %v, case %d\n", typ, i)
}
}
for _, ind := range [][2]int{{0, 1}, {1, 2}, {2, 0}} {
- c, p := st[ind[0]].Commit(), st[ind[1]].Proof()
- if c.Verify(p) {
+ c1, p1 := st[ind[0]].Commit()
+ c2, p2 := st[ind[1]].Commit()
+ if c1.Verify(p2) || c2.Verify(p1) {
t.Fatalf("Shouldn't be able to verify %d with proof %d", ind[0], ind[1])
}
}
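Review bot: The negative check at `if c1.Verify(p2) || c2.Verify(p1)` is now symmetric, but the message still reports `%d with proof %d` as `ind[0], ind[1]`, so when the second operand is the one that wrongly verifies the failure names the wrong pair. Splitting it into `if c1.Verify(p2) { t.Fatalf("Shouldn't be able to verify %d with proof %d", ind[0], ind[1]) }` and `if c2.Verify(p1) { t.Fatalf("Shouldn't be able to verify %d with proof %d", ind[1], ind[0]) }` keeps the diagnostic honest. The trailing `\n` in the first `Fatalf` format is redundant because the testing package appends its own newline. A tampered-proof case, such as swapping two entries of `p.R1` and asserting that `Verify` rejects it, would also be worth adding, since the cross-statement loop only exercises mismatched commitments and never a malformed proof for the right commitment.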
@@ -26,23 +27,24 @@ func TestVerification(t *testing.T) {
func TestVerificationFromScalar(t *testing.T) {
var s [8]*Scalar
- var st [3]*Statement
+ var st [3]*Stage2
for i := range s {
s[i] = Curve.RandomScalar()
}
for i, typ := range []Type{None, Unset, Set} {
- st[i] = NewStatementFromScalars(typ, s[0], s[1], s[2], s[3], s[4], s[5], s[6], s[7])
- c, p := st[i].Commit(), st[i].Proof()
+ st[i] = NewStage2FromScalars(typ, s[0], s[1], s[2], s[3], s[4], s[5], s[6], s[7])
+ c, p := st[i].Commit()
if !c.Verify(p) {
t.Fatalf("Couldn't verify proof for %v, case %d\n", typ, i)
}
}
for _, ind := range [][2]int{{0, 1}, {1, 2}, {2, 1}, {2, 0}} {
- c, p := st[ind[0]].Commit(), st[ind[1]].Proof()
- if c.Verify(p) {
+ c1, p1 := st[ind[0]].Commit()
+ c2, p2 := st[ind[1]].Commit()
+ if c1.Verify(p2) || c2.Verify(p1) {
t.Fatalf("Shouldn't be able to verify %d with proof %d", ind[0], ind[1])
}
}