gp-scripts: add zkp + test parameters
This commit is contained in:
parent
e66cbbe44f
commit
c50392f9df
@ -1,95 +0,0 @@
|
|||||||
\\ From: "How to obtain full privacy in auctions" (2006) by Felix Brandt pages 19-20
|
|
||||||
|
|
||||||
|
|
||||||
\\\\\\\\\\\\
|
|
||||||
\\ Adapt the following values to your needs
|
|
||||||
\\\\\\\\\\\\
|
|
||||||
|
|
||||||
\\ amount of bidders
|
|
||||||
n = 4
|
|
||||||
\\ amount of possible prices
|
|
||||||
k = 2^4
|
|
||||||
\\ randomize bids (change to something static, if you like)
|
|
||||||
bid = vector(n,i,random(k)+1)
|
|
||||||
\\bid = vector(n,i,n-i+1) \\ first bidder wins
|
|
||||||
\\bid = vector(n,i,i) \\ last bidder wins
|
|
||||||
\\bid = vector(n,i,(i+1)%2) \\ second bidder wins (with ties)
|
|
||||||
|
|
||||||
\\ prime finite field setup (result may be ambiguous if your prime is too small, 4*n*k seems to work fine)
|
|
||||||
\\q = prime(4*n*k)
|
|
||||||
\\ 2048bit prime:
|
|
||||||
\\q = 31905233907400964621684499856844075173802000556075101303613351426740101897961025481077892281365444367883091980681462491724119317344478120131982416132058173572772607966572720945691237876256074322291459510766147107539260048324345382562673904236506104922357079761457605045674628331006193183908801308817507027556440703972646885207099302085383887085776295396030033300833460743425162726394704256227108175491673135830378272029374848904772902525385997099641162537271298634032011458617811670193865244028195169383991286227040469186123958053863978710424421008752927011390777187889943940479064193231486057910586526439884046593027
|
|
||||||
\\ 3072bit prime:
|
|
||||||
q = 5175054779340588353586849786144680366505563673837334790820581054294754700842534366479020240016540005621125885927641963390708863183739793208880756653713659686139600715884857385144475261507869935694699816011948585170171332029002674283854825650901258017026965486602158722052719421343475066067509485302858041368266332080773331946039572497794442067057597327877030322029413318847025776818839927761556478107499002213648377029201340152459685610920194363099878398871001275336711869213616313858200583491913270052111910410231060407633125816386053759634073500319223989240814564691163285769745840521560940666058800931070258886096469889796899266014106833050284032035948051974659796051419431527095503586817863043771919051402039741075037010264761045992285666560487072740505566408086913711094879155498223636912657852688296081316652278801546924079650897913388978423388839346058027184069633227966507908979049369500450630036982661231208087459099
|
|
||||||
|
|
||||||
\\\\\\\\\\\\
|
|
||||||
\\ SETUP
|
|
||||||
\\\\\\\\\\\\
|
|
||||||
|
|
||||||
\\ p not needed? wat?
|
|
||||||
\\p = 47
|
|
||||||
|
|
||||||
\\ get generator / primitive element for Z_q
|
|
||||||
\\ var = 'x \\ copy pasta from internet
|
|
||||||
\\ pe=ffgen(minpoly(ffprimroot(ffgen(ffinit(q,1))),var),var) \\ get primitive element
|
|
||||||
\\ 1/(fforder(pe) == q-1) \\ error out, if ord(pe) is wrong
|
|
||||||
\\ g = Mod(eval(Str(pe)), q) \\ dirty hack to convert t_FFELEM to t_INT
|
|
||||||
g = Mod(2, q)
|
|
||||||
|
|
||||||
\\\\\\\\\\\\
|
|
||||||
\\ PROLOG
|
|
||||||
\\\\\\\\\\\\
|
|
||||||
|
|
||||||
\\ private keys of agents
|
|
||||||
x = vector(n,i,random(q))
|
|
||||||
\\ public keyshares of agents
|
|
||||||
yshares = vector(n,i,g^x[i])
|
|
||||||
\\ shared public key
|
|
||||||
y = prod(X=1,n,yshares[X])
|
|
||||||
|
|
||||||
\\ first index level = owning agent id (additive share)
|
|
||||||
\\ second index level = agent id, price id
|
|
||||||
m = vector(n,i,matrix(n,k,a,b,random(q)))
|
|
||||||
|
|
||||||
\\ index = owning agent id, price id
|
|
||||||
r = matrix(n,k,i,j,random(q))
|
|
||||||
\\ bid matrix
|
|
||||||
b = matrix(n,k,i,j,g^(bid[i]==j))
|
|
||||||
|
|
||||||
\\\\\\\\\\\\
|
|
||||||
\\ ROUND1
|
|
||||||
\\\\\\\\\\\\
|
|
||||||
|
|
||||||
\\ encrypted bids
|
|
||||||
alpha = matrix(n,k,i,j, b[i,j]*y^r[i,j])
|
|
||||||
beta = matrix(n,k,i,j, g^r[i,j])
|
|
||||||
|
|
||||||
\\\\\\\\\\\\
|
|
||||||
\\ ROUND2
|
|
||||||
\\\\\\\\\\\\
|
|
||||||
|
|
||||||
\\ multiplicative shares
|
|
||||||
\\ first index level = owning agent id (multiplicative share)
|
|
||||||
\\ second index level = agent id, price id
|
|
||||||
Gamma = vector(n,a,matrix(n,k,i,j, ( prod(h=1,n,prod(d=j+1,k,alpha[h,d])) * prod(d=1,j-1,alpha[i,d]) * prod(h=1,i-1,alpha[h,j]) )^m[a][i,j] ))
|
|
||||||
Delta = vector(n,a,matrix(n,k,i,j, ( prod(h=1,n,prod(d=j+1,k, beta[h,d])) * prod(d=1,j-1, beta[i,d]) * prod(h=1,i-1, beta[h,j]) )^m[a][i,j] ))
|
|
||||||
|
|
||||||
\\\\\\\\\\\\
|
|
||||||
\\ ROUND3
|
|
||||||
\\\\\\\\\\\\
|
|
||||||
|
|
||||||
\\ multiplicative shares (decryption)
|
|
||||||
\\ first index level = owning agent id (multiplicative share)
|
|
||||||
\\ second index level = agent id, price id
|
|
||||||
Phi = vector(n,a,matrix(n,k,i,j, prod(h=1,n,Delta[h][i,j])^x[a] ))
|
|
||||||
|
|
||||||
\\\\\\\\\\\\
|
|
||||||
\\ EPILOG
|
|
||||||
\\\\\\\\\\\\
|
|
||||||
|
|
||||||
\\ winner matrix
|
|
||||||
v = matrix(n,k,a,j, prod(i=1,n,Gamma[i][a,j]) / prod(i=1,n,Phi[i][a,j]) )
|
|
||||||
vi = lift(v)
|
|
||||||
|
|
||||||
print("bids are: ", bid)
|
|
||||||
for(X=1,n, if(vecmin(vi[X,])==1, print("And the winner is ", X) ))
|
|
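--- a/gp-scripts/firstPrice.gp
+++ b/gp-scripts/firstPrice.gp
@@ -0,0 +1,186 @@
+\\ From: "How to obtain full privacy in auctions" (2006) by Felix Brandt pages 19-20
+
+
+\\\\\\\\\\\\
+\\ Adapt the following values to your needs
+\\\\\\\\\\\\
+
+\\ amount of bidders
+n = 3
+\\ amount of possible prices
+k = 2^2
+\\ randomize bids (change to something static, if you like)
+bid = vector(n,i,random(k)+1)
+\\bid = vector(n,i,n-i+1) \\ first bidder wins
+\\bid = vector(n,i,i) \\ last bidder wins
+\\bid = vector(n,i,(i+1)%2) \\ second bidder wins (with ties)
+
+\\\\\\\\\\\\
+\\ SETUP
+\\\\\\\\\\\\
+
+read(group)
+read(zkp)
+
+\\\\\\\\\\\\
+\\ PROLOG
+\\\\\\\\\\\\
+
+\\ private keys of agents
+x = vector(n,i,random(q))
+\\ first index level = owning agent id (additive share)
+\\ second index level = agent id, price id
+m = vector(n,i,matrix(n,k,a,b,random(q)))
+
+\\ zkp
+proofs1 = vector(n,i,zkp1_proof(G, x[i]))
+
+\\ public keyshares of agents
+yshares = vector(n,i,proofs1[i][4])
+\\yshares = vector(n,i,G^x[i])
+
+\\ for performance evaluations we need to check the proofs for every bidder
+\\ i := checking bidder (0 == seller)
+\\ h := bidder to check
+{
+for(i=0,n,
+for(h=1,n,
+if(1 != zkp1_check(proofs1[h]),
+error("zkp1 failure in round0")
+)
+)
+)
+}
+
+\\ shared public key
+y = prod(X=1,n,yshares[X])
+
+\\\\\\\\\\\\
+\\ ROUND1
+\\\\\\\\\\\\
+
+\\ bid matrix
+b = matrix(n,k,i,j,G^(bid[i]==j))
+
+\\ zkp
+proofs3 = matrix(n,k,i,j, zkp3_proof(G,y,G^(bid[i]==j)))
+
+\\ index = owning agent id, price id
+r = matrix(n,k,i,j,proofs3[i,j][13])
+\\r = matrix(n,k,i,j,random(q))
+
+\\ encrypted bids
+Alpha = matrix(n,k,i,j, proofs3[i,j][3])
+Beta = matrix(n,k,i,j, proofs3[i,j][4])
+\\Alpha = matrix(n,k,i,j, b[i,j]*y^r[i,j])
+\\Beta = matrix(n,k,i,j, G^r[i,j])
+
+proofs2 = vector(n,i, zkp2_proof(y,G,sum(j=1,k, r[i,j])))
+\\ i := checking bidder (0 == seller)
+\\ h := bidder to check
+\\ j := price index to check
+{
+for(i=0,n,
+for(h=1,n,
+for(j=1,k,
+if(1 != zkp3_check(proofs3[h,j]),
+error("zkp3 failure in round1")
+)
+);
+if((prod(j=1,k,Alpha[h,j])/G) != proofs2[h][6],
+error("alpha product doesn't match")
+);
+if(prod(j=1,k,Beta[h,j]) != proofs2[h][7],
+error("beta product doesn't match")
+);
+if(1 != zkp2_check(proofs2[h]),
+error("zkp2 failure in round1")
+)
+)
+)
+}
+
+\\\\\\\\\\\\
+\\ ROUND2
+\\\\\\\\\\\\
+
+\\ multiplicative shares
+\\ first index level = owning agent id (multiplicative share)
+\\ second index level = agent id, price id
+Gamma = vector(n,a,matrix(n,k,i,j, prod(h=1,n,prod(d=j+1,k,Alpha[h,d])) * prod(d=1,j-1,Alpha[i,d]) * prod(h=1,i-1,Alpha[h,j]) ))
+Delta = vector(n,a,matrix(n,k,i,j, prod(h=1,n,prod(d=j+1,k, Beta[h,d])) * prod(d=1,j-1, Beta[i,d]) * prod(h=1,i-1, Beta[h,j]) ))
+\\Gamma = vector(n,a,matrix(n,k,i,j, ( prod(h=1,n,prod(d=j+1,k,Alpha[h,d])) * prod(d=1,j-1,Alpha[i,d]) * prod(h=1,i-1,Alpha[h,j]) )^m[a][i,j] ))
+\\Delta = vector(n,a,matrix(n,k,i,j, ( prod(h=1,n,prod(d=j+1,k, Beta[h,d])) * prod(d=1,j-1, Beta[i,d]) * prod(h=1,i-1, Beta[h,j]) )^m[a][i,j] ))
+
+\\ random masking and zkp
+proofs2 = vector(n,a,matrix(n,k,i,j, zkp2_proof(Gamma[a][i,j], Delta[a][i,j], random(q)) ))
+
+\\ for performance evaluations we need to check the proofs for every bidder
+\\ i := checking bidder (0 == seller)
+\\ h := bidder to check
+\\ t := target bidder (creator of the proof)
+\\ j := price
+{
+for(t=1,n,
+for(h=1,n,
+for(j=1,k,
+for(i=0,n,
+if(1 != zkp2_check(proofs2[t][h,j]),
+error("zkp2 failure in round2")
+)
+);
+\\ use masked values generated during the zkp
+Gamma[t][h,j] = proofs2[t][h,j][6];
+Delta[t][h,j] = proofs2[t][h,j][7];
+)
+)
+)
+}
+
+
+\\\\\\\\\\\\
+\\ ROUND3
+\\\\\\\\\\\\
+
+\\ multiplicative shares (decryption)
+\\ first index level = owning agent id (multiplicative share)
+\\ second index level = agent id, price id
+Phi = vector(n,a,matrix(n,k,i,j, prod(h=1,n,Delta[h][i,j]) ))
+\\Phi = vector(n,a,matrix(n,k,i,j, prod(h=1,n,Delta[h][i,j])^x[a] ))
+
+proofs2 = vector(n,a,matrix(n,k,i,j, zkp2_proof(Phi[a][i,j], G, x[a]) ))
+
+\\ for performance evaluations we need to check the proofs for every bidder
+\\ i := checking bidder (0 == seller)
+\\ h := bidder to check
+\\ t := target bidder (creator of the proof)
+\\ j := price
+{
+for(t=1,n,
+for(h=1,n,
+for(j=1,k,
+for(i=0,n,
+if(1 != zkp2_check(proofs2[t][h,j]),
+error("zkp2 failure in round2")
+)
+);
+\\ use masked values generated during the zkp
+Phi[t][h,j] = proofs2[t][h,j][6];
+)
+)
+)
+}
+
+
+\\\\\\\\\\\\
+\\ EPILOG
+\\\\\\\\\\\\
+
+\\ winner matrix
+v = matrix(n,k,a,j, prod(i=1,n,Gamma[i][a,j]) / prod(i=1,n,Phi[i][a,j]) )
+vi = lift(v)
+
+print("bids are: ", bid)
+for(X=1,n, if(vecmin(vi[X,])==1, print("And the winner is ", X) ))
+
+;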
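Review bot: The verification loop in the ROUND3 section raises `error("zkp2 failure in round2")`, a copy of the ROUND2 message, so a failing decryption proof is reported against the wrong round; change it to `error("zkp2 failure in round3")`. `m` (the additive shares) and `b` (the bid matrix) are still computed but no longer read once the masking exponent comes from `random(q)` inside zkp2_proof and Alpha/Beta are taken from proofs3, so either drop them or add a comment saying why they are kept. The line `r = matrix(n,k,i,j,proofs3[i,j][13])` pulls each bidder's encryption randomness out of the proof vector, which only works because the whole auction runs in one process; a comment such as `\\ r is the prover's secret randomness, only available here because all parties share this process` would keep a later reader from treating proofs3 as something that can be handed to verifiers as-is.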
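--- a/gp-scripts/group.gp
+++ b/gp-scripts/group.gp
@@ -0,0 +1,15 @@
+\\ p generated by ssh-keygen from the following moduli(5) line:
+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
+\\ This is a "safe prime", see moduli(5)
+\\ Therefore q = (p-1)/2 is also prime
+
+p = 4498546982183741806042046874925230841367752610105215768946438255470120740195522849201856997179866815126313339756915558167423398334072639778026401904031844016861682960881473450120265256327641310709437833580886250441164652551031655405301329413885250587408573319621138304678094611598436119854035881555472079889364307701983275427495796082239390426306590239630071293304476993188112145295406185504400770379250448236759388051149856191572199475958274963892549036586332373555561624378385324018563641781073722121282924048194073332885386583853286835384896286468480594489851988635137146304050743119406030150457214703115428415028345445439080824905967347767410065096124691155434106090788541491301971510767072678641286317388382884979008351941634738407020421109176416998181365911697340148847292136114015951382836045342314909586957351991419538245920973429697625016569947794803114551396527414933624103391788313038751051589980762413698400281203
+
+\\ From that we can compute the subgroup-order prime q:
+q = (p-1)/2
+
+\\ Cyclic Subgroups of Z_p must have order 1, 2, q or p-1
+\\ => The generator of Subgroup Z_p^* is 3 as we can check with G^q == Mod(1, p)
+G = Mod(3, p)
+
+;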
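Review bot: The comment above `G = Mod(3, p)` says the generator property "can be checked with G^q == Mod(1, p)", but nothing in the file performs that check, so a typo in p or a wrong choice of G would go unnoticed until the auction output is wrong. One exponentiation is cheap here: `if (G^q != Mod(1, p), error("G is not in the order-q subgroup of Z_p^*"));` after the assignment. The comment wording is also off: G^q == 1 with q prime and G != 1 shows that 3 generates the order-q subgroup of Z_p^*, not Z_p^* itself, which has order p-1; `\\ => 3 generates the order-q subgroup of Z_p^*, as G^q == Mod(1, p) confirms` says what the check establishes. The primality of q rests only on the moduli(5) claim; `ispseudoprime(q)` would confirm it at a cost that is probably acceptable for a test setup, though I have not timed it for a modulus of this size.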
@ -17,19 +17,3 @@ smc_hextodec(s:str) =
|
|||||||
ret;
|
ret;
|
||||||
}
|
}
|
||||||
|
|
||||||
smc_genbid(k:small, bid:small, g)=
|
|
||||||
{
|
|
||||||
vector(k,j,g^(bid==j));
|
|
||||||
}
|
|
||||||
|
|
||||||
smc_genalpha(k:small, b:vec, r:vec, y)=
|
|
||||||
{
|
|
||||||
vector(k, j, b[j]*y^r[j]);
|
|
||||||
}
|
|
||||||
|
|
||||||
smc_genbeta(k:small, r:vec, g)=
|
|
||||||
{
|
|
||||||
vector(k, j, g^r[j]);
|
|
||||||
}
|
|
||||||
|
|
||||||
|
|
||||||
|
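--- a/gp-scripts/zkp.gp
+++ b/gp-scripts/zkp.gp
@@ -0,0 +1,129 @@
+\\ zero knowledge proofs
+
+read(group);
+
+\\ Don't use in production code!
+\\ This is a very stupid implementation only used in performance evaluation.
+kdf(in:vec) =
+{
+prod(h=1,length(in),lift(in[h]))%q
+}
+
+
+zkp1_proof(G:intmod, x:int) =
+{
+local(V:intmod, z:int, A:intmod, c:int, r:int);
+V = G^x;
+z = random(q);
+A = G^z;
+c = kdf([G, V, A]);
+r = (z+c*x)%q;
+[G, r, A, V]
+}
+
+zkp1_check(P:vec) =
+{
+local(c:int, G:intmod, r:int, A:intmod, V:intmod);
+if (length(P) < 4, error("Proof1 too short."));
+if (type(P[1]) == "t_INTMOD", G = P[1], error("P[1] has wrong type."));
+if (type(P[2]) == "t_INT", r = P[2], error("P[2] has wrong type."));
+if (type(P[3]) == "t_INTMOD", A = P[3], error("P[3] has wrong type."));
+if (type(P[4]) == "t_INTMOD", V = P[4], error("P[4] has wrong type."));
+c = kdf([G, V, A]);
+G^r == A*V^c
+}
+
+
+zkp2_proof(G1:intmod, G2:intmod, x:int) =
+{
+local(V:intmod, W:intmod, z:int, A:intmod, B:intmod, c:int, r:int);
+V = G1^x;
+W = G2^x;
+z = random(q);
+A = G1^z;
+B = G2^z;
+c = kdf([G1, G2, V, W, A, B]);
+r = (z+c*x)%q;
+[G1, G2, r, A, B, V, W]
+}
+
+zkp2_check(P:vec) =
+{
+local(c:int,
+G1:intmod, G2:intmod, r:int, A:intmod, B:intmod, V:intmod, W:intmod);
+if (length(P) < 7, error("Proof2 too short."));
+if (type(P[1]) == "t_INTMOD", G1 = P[1], error("P[1] has wrong type."));
+if (type(P[2]) == "t_INTMOD", G2 = P[2], error("P[2] has wrong type."));
+if (type(P[3]) == "t_INT", r = P[3], error("P[3] has wrong type."));
+if (type(P[4]) == "t_INTMOD", A = P[4], error("P[4] has wrong type."));
+if (type(P[5]) == "t_INTMOD", B = P[5], error("P[5] has wrong type."));
+if (type(P[6]) == "t_INTMOD", V = P[6], error("P[6] has wrong type."));
+if (type(P[7]) == "t_INTMOD", W = P[7], error("P[7] has wrong type."));
+c = kdf([G1, G2, V, W, A, B]);
+G1^r == A*V^c && G2^r == B*W^c
+}
+
+
+zkp3_proof(G:intmod, Y:intmod, M:intmod) =
+{
+local(Alpha:intmod, Beta:intmod, A1:intmod, A2:intmod, B1:intmod, B2:intmod,
+d1:int, d2:int, r1:int, r2:int, w:int, r:int);
+r = random(q);
+Alpha = M*Y^r;
+Beta = G^r;
+if (M == Mod(1, p),
+d1 = random(q);
+r1 = random(q);
+w = random(q);
+A1 = G^r1 * Beta^d1;
+B1 = Y^r1 * (Alpha / G)^d1;
+A2 = G^w;
+B2 = Y^w;
+c = kdf([G, Alpha, Beta, A1, A2, B1, B2]);
+d2 = (c - d1) % q;
+r2 = (w - r*d2) % q;
+,
+if (M == G,
+d2 = random(q);
+r2 = random(q);
+w = random(q);
+A1 = G^w;
+B1 = Y^w;
+A2 = G^r2 * Beta^d2;
+B2 = Y^r2 * Alpha^d2;
+c = kdf([G, Alpha, Beta, A1, A2, B1, B2]);
+d1 = (c - d2) % q;
+r1 = (w - r*d1) % q;
+, error("M is neither 1 nor G")
+)
+);
+[G, Y, Alpha, Beta, A1, A2, B1, B2, d1, d2, r1, r2, r]
+}
+
+zkp3_check(P:vec) =
+{
+local(c:int,
+G:intmod, Y:intmod, Alpha:intmod, Beta:intmod, A1:intmod, A2:intmod, B1:intmod, B2:intmod,
+d1:int, d2:int, r1:int, r2:int);
+if (length(P) < 12, error("Proof3 too short."));
+if (type(P[1] ) == "t_INTMOD", G = P[1], error("P[1] has wrong type."));
+if (type(P[2] ) == "t_INTMOD", Y = P[2], error("P[2] has wrong type."));
+if (type(P[3] ) == "t_INTMOD", Alpha = P[3], error("P[3] has wrong type."));
+if (type(P[4] ) == "t_INTMOD", Beta = P[4], error("P[4] has wrong type."));
+if (type(P[5] ) == "t_INTMOD", A1 = P[5], error("P[5] has wrong type."));
+if (type(P[6] ) == "t_INTMOD", A2 = P[6], error("P[6] has wrong type."));
+if (type(P[7] ) == "t_INTMOD", B1 = P[7], error("P[7] has wrong type."));
+if (type(P[8] ) == "t_INTMOD", B2 = P[8], error("P[8] has wrong type."));
+if (type(P[9] ) == "t_INT", d1 = P[9], error("P[9] has wrong type."));
+if (type(P[10]) == "t_INT", d2 = P[10], error("P[10] has wrong type."));
+if (type(P[11]) == "t_INT", r1 = P[11], error("P[11] has wrong type."));
+if (type(P[12]) == "t_INT", r2 = P[12], error("P[12] has wrong type."));
+c = kdf([G, Alpha, Beta, A1, A2, B1, B2]);
+c == (d1 + d2) % q &&
+A1 == G^r1 * Beta^d1 &&
+A2 == G^r2 * Beta^d2 &&
+B1 == Y^r1 * (Alpha / G)^d1 &&
+B2 == Y^r2 * Alpha^d2
+}
+
+;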
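Review bot: zkp3_proof returns the prover's secret encryption randomness r as element 13 of the proof vector, while zkp3_check reads only elements 1–12; whoever receives this vector as "the proof" also receives r, and with r known the plaintext follows from Alpha/Y^r, so the encrypted bid is no longer hidden from verifiers. Return the witness separately, e.g. `[[G, Y, Alpha, Beta, A1, A2, B1, B2, d1, d2, r1, r2], r]`, or have the caller strip element 13 before the proof leaves the prover, and say in the header comment which of the returned elements are public. In the same function `c` is assigned but not listed in `local(...)`, so unlike zkp1_proof and zkp2_proof it leaks into the global scope, and the challenge `kdf([G, Alpha, Beta, A1, A2, B1, B2])` does not bind Y, so a proof is not tied to the public key it was made under. The three *_check functions also take G (and Y) from the proof vector itself rather than comparing them with the caller's expected values, so the type checks do not rule out a proof over parameters of the prover's own choosing; the "Don't use in production" comment covers the product-based kdf standing in for a hash, but a one-line note that the checks trust the proof's own G/Y would stop the evaluation code from being lifted as-is.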