path: root/gp-scripts/zkp.gp

\\ zero knowledge proofs

read(group);

\\ Don't use in production code!
\\ This is a very stupid implementation only used in performance evaluation.
kdf(in:vec) =
{
	prod(h=1,length(in),lift(in[h]))%q
}


zkp1_proof(G:intmod, x:int) =
{
	local(V:intmod, z:int, A:intmod, c:int, r:int);
	V = G^x;
	z = random(q);
	A = G^z;
	c = kdf([G, V, A]);
	r = (z+c*x)%q;
	[G, r, A, V]
}

zkp1_check(P:vec) =
{
	local(c:int, G:intmod, r:int, A:intmod, V:intmod);
	if (length(P) < 4, error("Proof1 too short."));
	if (type(P[1]) == "t_INTMOD", G = P[1], error("P[1] has wrong type."));
	if (type(P[2]) == "t_INT",    r = P[2], error("P[2] has wrong type."));
	if (type(P[3]) == "t_INTMOD", A = P[3], error("P[3] has wrong type."));
	if (type(P[4]) == "t_INTMOD", V = P[4], error("P[4] has wrong type."));
	c = kdf([G, V, A]);
	G^r == A*V^c
}


zkp2_proof(G1:intmod, G2:intmod, x:int) =
{
	local(V:intmod, W:intmod, z:int, A:intmod, B:intmod, c:int, r:int);
	V = G1^x;
	W = G2^x;
	z = random(q);
	A = G1^z;
	B = G2^z;
	c = kdf([G1, G2, V, W, A, B]);
	r = (z+c*x)%q;
	[G1, G2, r, A, B, V, W]
}

zkp2_check(P:vec) =
{
	local(c:int,
		G1:intmod, G2:intmod, r:int, A:intmod, B:intmod, V:intmod, W:intmod);
	if (length(P) < 7, error("Proof2 too short."));
	if (type(P[1]) == "t_INTMOD", G1 = P[1], error("P[1] has wrong type."));
	if (type(P[2]) == "t_INTMOD", G2 = P[2], error("P[2] has wrong type."));
	if (type(P[3]) == "t_INT",    r  = P[3], error("P[3] has wrong type."));
	if (type(P[4]) == "t_INTMOD", A  = P[4], error("P[4] has wrong type."));
	if (type(P[5]) == "t_INTMOD", B  = P[5], error("P[5] has wrong type."));
	if (type(P[6]) == "t_INTMOD", V  = P[6], error("P[6] has wrong type."));
	if (type(P[7]) == "t_INTMOD", W  = P[7], error("P[7] has wrong type."));
	c = kdf([G1, G2, V, W, A, B]);
	G1^r == A*V^c && G2^r == B*W^c
}


zkp3_proof(G:intmod, Y:intmod, M:intmod) =
{
	local(Alpha:intmod, Beta:intmod, A1:intmod, A2:intmod, B1:intmod, B2:intmod,
		d1:int, d2:int, r1:int, r2:int, w:int, r:int);
	r = random(q);
	Alpha = M*Y^r;
	Beta = G^r;
	if (M == Mod(1, p),
		d1 = random(q);
		r1 = random(q);
		w = random(q);
		A1 = G^r1 * Beta^d1;
		B1 = Y^r1 * (Alpha / G)^d1;
		A2 = G^w;
		B2 = Y^w;
		c = kdf([G, Alpha, Beta, A1, A2, B1, B2]);
		d2 = (c - d1) % q;
		r2 = (w - r*d2) % q;
		,
		if (M == G,
			d2 = random(q);
			r2 = random(q);
			w = random(q);
			A1 = G^w;
			B1 = Y^w;
			A2 = G^r2 * Beta^d2;
			B2 = Y^r2 * Alpha^d2;
			c = kdf([G, Alpha, Beta, A1, A2, B1, B2]);
			d1 = (c - d2) % q;
			r1 = (w - r*d1) % q;
			, error("M is neither 1 nor G")
		)
	);
	[G, Y, Alpha, Beta, A1, A2, B1, B2, d1, d2, r1, r2, r]
}

zkp3_check(P:vec) =
{
	local(c:int,
		G:intmod, Y:intmod, Alpha:intmod, Beta:intmod, A1:intmod, A2:intmod, B1:intmod, B2:intmod,
		d1:int, d2:int, r1:int, r2:int);
	if (length(P) < 12, error("Proof3 too short."));
	if (type(P[1] ) == "t_INTMOD", G      = P[1],  error("P[1]  has wrong type."));
	if (type(P[2] ) == "t_INTMOD", Y      = P[2],  error("P[2]  has wrong type."));
	if (type(P[3] ) == "t_INTMOD", Alpha  = P[3],  error("P[3]  has wrong type."));
	if (type(P[4] ) == "t_INTMOD", Beta   = P[4],  error("P[4]  has wrong type."));
	if (type(P[5] ) == "t_INTMOD", A1     = P[5],  error("P[5]  has wrong type."));
	if (type(P[6] ) == "t_INTMOD", A2     = P[6],  error("P[6]  has wrong type."));
	if (type(P[7] ) == "t_INTMOD", B1     = P[7],  error("P[7]  has wrong type."));
	if (type(P[8] ) == "t_INTMOD", B2     = P[8],  error("P[8]  has wrong type."));
	if (type(P[9] ) == "t_INT",    d1     = P[9],  error("P[9]  has wrong type."));
	if (type(P[10]) == "t_INT",    d2     = P[10], error("P[10] has wrong type."));
	if (type(P[11]) == "t_INT",    r1     = P[11], error("P[11] has wrong type."));
	if (type(P[12]) == "t_INT",    r2     = P[12], error("P[12] has wrong type."));
	c = kdf([G, Alpha, Beta, A1, A2, B1, B2]);
	c == (d1 + d2) % q &&
		A1 == G^r1 * Beta^d1 &&
		A2 == G^r2 * Beta^d2 &&
		B1 == Y^r1 * (Alpha / G)^d1 &&
		B2 == Y^r2 * Alpha^d2
}

;