package commit
import (
. "kesim.org/seal/nizk"
)
// Statement is the prover-side description of a proof of the disjunction
//
//	σ = [(Φ = g^(αβ))   ∧ (A = g^α) ∧ (B = g^β)]
//	  ∨ [(Φ = g^(αβ+1)) ∧ (A = g^α) ∧ (B = g^β)]
//
// for given Φ, A and B.
//
// α, β and plus are the witness: the two exponents and the flag saying which
// side of the disjunction actually holds. They are unexported and must stay
// private to the prover; only the embedded *Commitment (Φ, A, B) is meant to
// be handed to a verifier.
type Statement struct {
	// Secret exponents behind A = g^α and B = g^β.
	α, β *Scalar
	// Secret selector: true means Φ = g^(αβ+1), false means Φ = g^(αβ).
	plus bool
	// Public part of the statement. Embedding promotes its fields and
	// methods (Φ, A, B, Verify) onto Statement.
	*Commitment
}
// Commitment is the public part of a Statement: the three group elements a
// verifier checks a Proof against.
//
// As built by commitment(), A = g^α, B = g^β and Φ is either g^(αβ) or
// g^(αβ+1).
//
// NOTE(review): nothing in this file validates these points (valid encoding,
// non-identity). A Commitment received from a peer presumably has to be
// validated by the decoding layer before Verify is called — confirm.
type Commitment struct {
	Φ, A, B *Point
}
// NewStatement builds a Statement from the secret exponents α and β and the
// secret selector plus, and derives the matching public Commitment.
//
// The returned Statement keeps the α and β pointers it was given (no copy is
// made), so the caller must not modify those scalars afterwards.
func NewStatement(α, β *Scalar, plus bool) *Statement {
	st := new(Statement)
	st.α, st.β, st.plus = α, β, plus
	st.Commitment = commitment(α, β, plus)
	return st
}
// commitment derives the public triple (Φ, A, B) for the witness (α, β, plus):
//
//	A = g^α, B = g^β, Φ = g^(αβ)   when plus is false
//	A = g^α, B = g^β, Φ = g^(αβ+1) when plus is true
func commitment(α, β *Scalar, plus bool) *Commitment {
	// Exponent of Φ: αβ, bumped by one on the "plus" side of the disjunction.
	exponent := α.Mul(β)
	if plus {
		exponent = exponent.Add(One)
	}
	return &Commitment{
		Φ: G.Exp(exponent),
		A: G.Exp(α),
		B: G.Exp(β),
	}
}
// Commit returns the public Commitment (Φ, A, B) that belongs to s.
//
// The pointer stored in s is returned as is, not a copy, so changes made
// through the result are visible to s as well.
func (s *Statement) Commit() *Commitment {
	public := s.Commitment
	return public
}
// Proof is the non-interactive proof produced by (*Statement).Proof and
// checked by (*Commitment).Verify.
//
// Index 0 belongs to the Φ = g^(αβ) side of the disjunction, index 1 to the
// Φ = g^(αβ+1) side. Ch holds the two challenge shares, which Verify requires
// to add up to the recomputed challenge; Rho holds the matching responses.
type Proof struct {
	Ch, Rho [2]*Scalar
}
// Proof produces a proof that the public triple (Φ, A, B) of s satisfies one
// of the two relations of the disjunction, without showing which one.
//
// The side that really holds (selected by s.plus) is answered with the secret
// α; the other side gets its challenge share fixed to the random scalar w
// before the challenge is computed. The challenge is derived by Challenge from
// G, Φ, A, B and the four commitments, and the two shares in the result add up
// to it.
//
// NOTE(review): the two branches on the secret bit s.plus do different amounts
// of work (five Exp calls when plus is set, six Exp calls and a Div
// otherwise; two scalar Mul calls versus one in the response step). If an
// observer can time proof generation, that difference may reveal plus; a
// branch-independent code path would be worth considering.
//
// NOTE(review): soundness and zero-knowledge rest on Curve.RandomScalar
// returning fresh, unpredictable scalars on every call — confirm it is backed
// by a cryptographic random source.
func (s *Statement) Proof() *Proof {
	// Two commitment nonces and the pre-chosen challenge share, drawn in
	// this order.
	r1 := Curve.RandomScalar()
	r2 := Curve.RandomScalar()
	w := Curve.RandomScalar()

	// t[i][0] and t[i][1] are the commitments of side i of the disjunction.
	var t [2][2]*Point
	t[0][0] = G.Exp(r1)
	if s.plus {
		// Side 1 holds: plain commitments there, w folded into side 0.
		t[0][1] = s.B.Exp(r1).Mul(G.Exp(w))
		t[1][0] = G.Exp(r2)
		t[1][1] = s.B.Exp(r2)
	} else {
		// Side 0 holds: plain commitments there, side 1 is built from w and
		// r2 so that it verifies with challenge share w and response r2.
		t[0][1] = s.B.Exp(r1)
		t[1][0] = G.Exp(r2).Mul(s.A.Exp(w))
		t[1][1] = s.B.Exp(r2).Mul(s.Φ.Div(G).Exp(w))
	}

	ch := Challenge(G, s.Φ, s.A, s.B, t[0][0], t[0][1], t[1][0], t[1][1])

	// The share that was not chosen in advance is whatever is left of ch.
	rest := ch.Sub(w)
	if s.plus {
		return &Proof{
			Ch: [2]*Scalar{w, rest},
			Rho: [2]*Scalar{
				r1.Sub(s.α.Mul(w)),
				r2.Sub(s.α.Mul(rest)),
			},
		}
	}
	return &Proof{
		Ch: [2]*Scalar{rest, w},
		Rho: [2]*Scalar{
			r1.Sub(s.α.Mul(rest)),
			r2,
		},
	}
}
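// Verify reports whether p is a valid proof that the public triple (Φ, A, B)
// in c satisfies Φ = g^(αβ) or Φ = g^(αβ+1) for the α, β behind A and B.
//
// It rebuilds the four commitments from the responses and challenge shares in
// p, recomputes the challenge over G, Φ, A, B and those commitments, and
// accepts only if the two challenge shares add up to it.
//
// A nil receiver, a nil proof or any missing component yields false instead of
// being passed on to the point and scalar arithmetic: both c and p may come
// from an untrusted prover, and a malformed message must not be able to crash
// the verifier.
//
// NOTE(review): no check is made here that Φ, A and B are valid, non-identity
// group elements or that the scalars are in range; presumably the decoding
// layer of the nizk package guarantees that — confirm.
//
// NOTE(review): the challenge input visible here contains no session or
// context label. If a proof must not be accepted again in another protocol
// instance, that binding has to happen elsewhere — check what Challenge
// mixes in.
func (c *Commitment) Verify(p *Proof) bool {
	if c == nil || c.Φ == nil || c.A == nil || c.B == nil {
		return false
	}
	if p == nil ||
		p.Ch[0] == nil || p.Ch[1] == nil ||
		p.Rho[0] == nil || p.Rho[1] == nil {
		return false
	}

	// ε[i][j]: recomputed commitment j of side i of the disjunction.
	var ε [2][2]*Point
	// Side 0 checks A = g^α and Φ = B^α.
	ε[0][0] = G.Exp(p.Rho[0]).Mul(c.A.Exp(p.Ch[0]))
	ε[0][1] = c.B.Exp(p.Rho[0]).Mul(c.Φ.Exp(p.Ch[0]))
	// Side 1 checks A = g^α and Φ/g = B^α.
	ε[1][0] = G.Exp(p.Rho[1]).Mul(c.A.Exp(p.Ch[1]))
	ε[1][1] = c.B.Exp(p.Rho[1]).Mul(c.Φ.Div(G).Exp(p.Ch[1]))

	ch := Challenge(G, c.Φ, c.A, c.B, ε[0][0], ε[0][1], ε[1][0], ε[1][1])
	return p.Ch[0].Add(p.Ch[1]).Equal(ch)
}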