path: root/nizk/schnorr/schnorr.go
// Proof of knowledge of a scalar a for a given A = G^a

package schnorr

import (
	. "kesim.org/seal/common"
)

type (
	// Statement is the scalar x whose knowledge is being proven. It is the
	// prover's secret input: Proof reads it as x and publishes only g^v and
	// r = v - x*h. Treat values of this type as private key material.
	Statement Scalar

	// Commitment is the point g^x that a Proof is verified against. It is
	// the public counterpart of a Statement.
	Commitment Point
)

// Proof is a Schnorr signature used as a non-interactive proof of knowledge
// of x for a given g^x.
// Choosing a scalar v randomly, the signature consists of (V, r) with
//
//	V := g^v, with randomly chosen v
//	r := (v - x*h), with h := H(g, g^v, g^x, i), where i is given by the context.
//
// Verification of the signature is by comparing V =?= g^r * g^(x*h)
//
// NOTE(review): both fields are pointers and carry JSON tags, so a Proof
// decoded from a peer's message may have V or R nil when a key is missing.
// Consumers should check for nil before using either field.
type Proof struct {
	V *Point  `json:"V"` // V = g^v, the prover's one-time commitment
	R *Scalar `json:"r"` // r = v - x*h, the response to the challenge h
}

// Generates a commitment

// Proof generates the Schnorr proof (aka Schnorr signature) of knowledge of
// the scalar x held in s, bound to the context value id.
//
// With a freshly chosen random scalar v, the result is (V, r) where
//
//	V := g^v
//	r := v - x*h, with h := H(g, g^v, g^x, id)
//
// A verifier accepts when V == g^r * g^(x*h).
//
// NOTE(review): the soundness of the secret x rests on v being uniformly
// random, unpredictable and used for exactly one proof; confirm that
// Curve.RandomScalar draws from a cryptographically secure source.
// NOTE(review): V is computed with Curve.Exp while g^x uses G.Exp;
// presumably both exponentiate the same generator g - confirm.
// NOTE(review): g is not passed to Challenge here; presumably Challenge
// mixes the generator in itself, as the formula above requires - confirm.
func (s *Statement) Proof(id Bytes) (pr *Proof) {
	secret := (*Scalar)(s)

	// One-time nonce v and its public image V = g^v.
	nonce := Curve.RandomScalar()
	commit := Curve.Exp(nonce)

	// Public value g^x that the verifier already knows as the Commitment.
	public := G.Exp(secret)

	// Fiat-Shamir challenge h over the transcript and the context id.
	challenge := Challenge(commit, public, id)

	// Response r = v - x*h.
	return &Proof{
		V: commit,
		R: nonce.Sub(secret.Mul(challenge)),
	}
}

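// Verify reports whether p is a valid Schnorr proof, for the context value
// id, of knowledge of the discrete logarithm x of the commitment c = g^x.
// It recomputes h = H(g, g^v, g^x, id) and accepts when
// g^v == g^r * g^(x*h).
//
// A nil receiver, a nil proof, or a proof with a missing V or R is rejected
// with false instead of being dereferenced: Proof carries pointer fields and
// JSON tags, so an incomplete proof can arrive from an untrusted peer and
// must not crash the verifier.
//
// NOTE(review): this function does not itself check that p.V and c are
// valid, non-identity group elements or that p.R is a reduced scalar;
// presumably the Point/Scalar decoding in the common package enforces
// this - confirm before verifying proofs from untrusted sources.
// NOTE(review): id must match the value the prover used and should be unique
// to the protocol context; otherwise the proof is not bound to that context.
func (c *Commitment) Verify(p *Proof, id Bytes) bool {
	// Reject structurally incomplete input before touching any field.
	if c == nil || p == nil || p.V == nil || p.R == nil {
		return false
	}

	Gx := (*Point)(c)

	// Calculate h = H(g, g^v, g^x, id)
	h := Challenge(p.V, Gx, id)

	// Calculate g^(x*h) = (g^x)^h
	gxh := Gx.Exp(h)

	// Calculate g^r
	gr := G.Exp(p.R)

	// Calculate g^r*g^(x*h)
	grgxh := gr.Mul(gxh)

	// Return true if g^v == g^r*g^(x*h)
	return p.V.Equal(grgxh)
}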