1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
|
package commit
import (
. "kesim.org/seal/nizk"
"kesim.org/seal/nizk/schnorr"
)
// This is a construction of a proof of a statement of the form
// [(C = g^(αβ)) && (A = g^α) && (Β = g^β)]
// || [(C = g^(αβ+1)) && (A = g^α) && (Β = g^β)]
//
// for given C, A and B
type Bid struct {
bitSet bool
α *Scalar
β *Scalar
Commitment
}
type Commitment struct {
A *Point // g^α
B *Point // g^β
C *Point // g^(ab)g^(bitSet)
}
func NewBid(bitSet bool) *Bid {
α, β := Curve.RandomScalar(), Curve.RandomScalar()
return NewBidFromScalars(bitSet, α, β)
}
func NewBidFromScalars(bitSet bool, α, β *Scalar) *Bid {
return &Bid{
α: α,
β: β,
bitSet: bitSet,
Commitment: commitment(α, β, bitSet),
}
}
func commitment(α, β *Scalar, bitSet bool) Commitment {
var C *Point
c := α.Mul(β)
if bitSet {
C = G.Exp(c.Add(One))
} else {
C = G.Exp(c)
}
return Commitment{
C: C,
A: G.Exp(α),
B: G.Exp(β),
}
}
func (s *Bid) Commit(id Bytes) (*Commitment, *Proof) {
return &s.Commitment, s.Proof(id)
}
type Proof struct {
Id Bytes
A *schnorr.Proof // Proof for knowledge of α in A = G^α
B *schnorr.Proof // Proof for knowledge of β in B = G^β
C struct { // Proof for knowledge of statement above
Ch [2]*Scalar
R [2]*Scalar
}
}
func (s *Bid) Proof(id Bytes) *Proof {
var e [2][2]*Point
var r1, r2, w *Scalar
r1 = Curve.RandomScalar()
r2 = Curve.RandomScalar()
w = Curve.RandomScalar()
if s.bitSet {
e[0][0] = G.Exp(r1)
e[0][1] = s.B.Exp(r1).Mul(G.Exp(w))
e[1][0] = G.Exp(r2)
e[1][1] = s.B.Exp(r2)
} else {
e[0][0] = G.Exp(r1)
e[0][1] = s.B.Exp(r1)
e[1][0] = G.Exp(r2).Mul(s.A.Exp(w))
e[1][1] = s.B.Exp(r2).Mul(s.C.Div(G).Exp(w))
}
ch := Challenge(G, s.C, s.A, s.B, e[0][0], e[0][1], e[1][0], e[1][1], id)
pr := &Proof{Id: id}
if s.bitSet {
pr.C.Ch[0] = w
pr.C.Ch[1] = ch.Sub(w)
pr.C.R[0] = r1.Sub(s.α.Mul(pr.C.Ch[0]))
pr.C.R[1] = r2.Sub(s.α.Mul(pr.C.Ch[1]))
} else {
pr.C.Ch[0] = ch.Sub(w)
pr.C.Ch[1] = w
pr.C.R[0] = r1.Sub(s.α.Mul(pr.C.Ch[0]))
pr.C.R[1] = r2
}
pr.A = (*schnorr.Statement)(s.α).Proof(id)
pr.B = (*schnorr.Statement)(s.β).Proof(id)
return pr
}
func (c *Commitment) Verify(p *Proof) bool {
var e [2][2]*Point
e[0][0] = G.Exp(p.C.R[0]).Mul(c.A.Exp(p.C.Ch[0]))
e[0][1] = c.B.Exp(p.C.R[0]).Mul(c.C.Exp(p.C.Ch[0]))
e[1][0] = G.Exp(p.C.R[1]).Mul(c.A.Exp(p.C.Ch[1]))
e[1][1] = c.B.Exp(p.C.R[1]).Mul(c.C.Div(G).Exp(p.C.Ch[1]))
ch := Challenge(G, c.C, c.A, c.B, e[0][0], e[0][1], e[1][0], e[1][1], p.Id)
return p.C.Ch[0].Add(p.C.Ch[1]).Equal(ch) &&
(*schnorr.Commitment)(c.A).Verify(p.A, p.Id) &&
(*schnorr.Commitment)(c.B).Verify(p.B, p.Id)
}
|
