def verifiabilityProof2(ppatspk, d, m, r, b=None, u=None, t=None):
""" This ZK proof ensures that d = r*h+m*h1 is a commitment on m = 0 or 1
b,u,t are the randomness used in the proof (optional)
"""
# notations
order = ppatspk.PPATSpp.order
h = ppatspk.PPATSpp.h
h1 = ppatspk.h1
ECG = h.ECG
Jcoord = ppatspk.PPATSpp.Jcoord
# ht = oEC.toTupleEFp(ECG,h,Jcoord)
nh1t = oEC.toTupleEFp(ECG, -h1, Jcoord)
ddt = oEC.toTupleEFp(ECG, d.d, Jcoord)
# assert h*r+h1*m == d.d # commitment is well formed
assert m == 0 or m == 1 # the proof works only if m = 0 or 1
if b == None:
b = randint(1, int(order))
if u == None:
u = randint(1, int(order))
if t == None:
t = randint(1, int(order))
hbt = oEC.mul_comb2_EFp(ECG, b, ppatspk.precomp_h, Jcoord)
hb = oEC.toEFp(ECG, hbt, Jcoord)
if m == 0:
u1 = u
t1 = t
# commitment
# w0 = PPATSCommitment(h*b,self)
w0 = ppat.ppats.PPATSCommitment(hb, ppatspk)
hu1t = oEC.mul_comb2_EFp(ECG, u1, ppatspk.precomp_h, Jcoord)
s1 = oEC.addEFp(ECG, ddt, nh1t, Jcoord)
s1t1 = oEC.mulECP(ECG, s1, -t1, False, Jcoord)
w1t = oEC.addEFp(ECG, hu1t, s1t1, Jcoord)
w1v = oEC.toEFp(ECG, w1t, Jcoord)
w1 = ppat.ppats.PPATSCommitment(w1v, ppatspk)
# challenge
t0 = ppatspk.hashf([ppatspk.PPATSpp, ppatspk, d, w0, w1]) - t1
# response
u0 = b + r * t0
if m == 1:
u0 = u
t0 = t
# commitment
hu0t = oEC.mul_comb2_EFp(ECG, u0, ppatspk.precomp_h, Jcoord)
ddt0 = oEC.mulECP(ECG, ddt, -t0, False, Jcoord)
w0t = oEC.addEFp(ECG, hu0t, ddt0, Jcoord)
w0v = oEC.toEFp(ECG, w0t, Jcoord)
w0 = ppat.ppats.PPATSCommitment(w0v, ppatspk)
w1 = ppat.ppats.PPATSCommitment(hb, ppatspk)
# challenge
t1 = ppatspk.hashf([ppatspk.PPATSpp, ppatspk, d, w0, w1]) - t0
# response
u1 = b + r * t1
return [u0, u1, t0, t1]
"""
def verifiabilityProof2(ppatspk, d, m, r, b=None, u=None, t=None):
''' This ZK proof ensures that d = r*h+m*h1 is a commitment on m = 0 or 1
b,u,t are the randomness used in the proof (optional)
'''
# notations
order = ppatspk.PPATSpp.order
h = ppatspk.PPATSpp.h
h1 = ppatspk.h1
ECG = h.ECG
Jcoord = ppatspk.PPATSpp.Jcoord
#ht = oEC.toTupleEFp(ECG,h,Jcoord)
nh1t = oEC.toTupleEFp(ECG, -h1, Jcoord)
ddt = oEC.toTupleEFp(ECG, d.d, Jcoord)
#assert h*r+h1*m == d.d # commitment is well formed
assert m == 0 or m == 1 # the proof works only if m = 0 or 1
if b == None:
b = randint(1, int(order))
if u == None:
u = randint(1, int(order))
if t == None:
t = randint(1, int(order))
hbt = oEC.mul_comb2_EFp(ECG, b, ppatspk.precomp_h, Jcoord)
hb = oEC.toEFp(ECG, hbt, Jcoord)
if m == 0:
u1 = u
t1 = t
# commitment
#w0 = PPATSCommitment(h*b,self)
w0 = ppat.ppats.PPATSCommitment(hb, ppatspk)
hu1t = oEC.mul_comb2_EFp(ECG, u1, ppatspk.precomp_h, Jcoord)
s1 = oEC.addEFp(ECG, ddt, nh1t, Jcoord)
s1t1 = oEC.mulECP(ECG, s1, -t1, False, Jcoord)
w1t = oEC.addEFp(ECG, hu1t, s1t1, Jcoord)
w1v = oEC.toEFp(ECG, w1t, Jcoord)
w1 = ppat.ppats.PPATSCommitment(w1v, ppatspk)
# challenge
t0 = ppatspk.hashf([ppatspk.PPATSpp, ppatspk, d, w0, w1]) - t1
# response
u0 = b + r * t0
if m == 1:
u0 = u
t0 = t
# commitment
hu0t = oEC.mul_comb2_EFp(ECG, u0, ppatspk.precomp_h, Jcoord)
ddt0 = oEC.mulECP(ECG, ddt, -t0, False, Jcoord)
w0t = oEC.addEFp(ECG, hu0t, ddt0, Jcoord)
w0v = oEC.toEFp(ECG, w0t, Jcoord)
w0 = ppat.ppats.PPATSCommitment(w0v, ppatspk)
w1 = ppat.ppats.PPATSCommitment(hb, ppatspk)
# challenge
t1 = ppatspk.hashf([ppatspk.PPATSpp, ppatspk, d, w0, w1]) - t0
# response
u1 = b + r * t1
return [u0, u1, t0, t1]
"""
def addOptim(self,com):
ECG = self.PPATSpk.h1.ECG
Jcoord = self.PPATSpk.PPATSpp.Jcoord
d1 = com.d
dt = oEC.toTupleEFp(self.d,Jcoord)
d1t = oEC.toTupleEFp(d1,Jcoord)
st = oEC.addEFp(ECG,dt,d1t,Jcoord)
s = oEC.toEFp(ECG,st,Jcoord)
comp = PPATSCommitment(s,self.PPATSpk)
return comp
def multiplicationProofCheck(ppatspk, d1, d2, d3, proof):
""" d1,d2,d3 are PPATS Commitment
proof is a ZK proof that d3 commits on the
product of the message commited in d1 and d2.
the method returns True if this assertion is correct and False
otherwise
"""
# assert isinstance(d1,ppat.ppats.PPATSCommitment)
# assert isinstance(d2,ppat.ppats.PPATSCommitment)
# assert isinstance(d3,ppat.ppats.PPATSCommitment)
# Notations
ECG = ppatspk.PPATSpp.h.ECG
Jcoord = ppatspk.PPATSpp.Jcoord
nu, z1, z2, s1, s2, s3 = proof
# a1 = s1*h + z1*h1
a1c, s1 = ppatspk.commit(z1, s1)
a1 = a1c.d
# a2 = s2*h + z2*h1
a2c, s2 = ppatspk.commit(z2, s2)
a2 = a2c.d
s3ht = oEC.mul_comb2_EFp(ECG, s3, ppatspk.precomp_h, Jcoord)
d1t = oEC.toTupleEFp(d1.d, Jcoord)
z2d1t = oEC.mulECP(ECG, d1t, z2, False, Jcoord)
a3t = oEC.addEFp(ECG, s3ht, z2d1t, Jcoord)
# a3 = s3*h + z2*d1.d
d2t = oEC.toTupleEFp(d2.d, Jcoord)
d3t = oEC.toTupleEFp(d3.d, Jcoord)
mnud1t = oEC.mulECP(ECG, d1t, -nu, False, Jcoord)
mnud2t = oEC.mulECP(ECG, d2t, -nu, False, Jcoord)
mnud3t = oEC.mulECP(ECG, d3t, -nu, False, Jcoord)
a1t = oEC.toTupleEFp(a1, Jcoord)
a2t = oEC.toTupleEFp(a2, Jcoord)
e1t = oEC.addEFp(ECG, a1t, mnud1t, Jcoord)
e2t = oEC.addEFp(ECG, a2t, mnud2t, Jcoord)
e3t = oEC.addEFp(ECG, a3t, mnud3t, Jcoord)
e1 = oEC.toEFp(ECG, e1t, Jcoord)
e2 = oEC.toEFp(ECG, e2t, Jcoord)
e3 = oEC.toEFp(ECG, e3t, Jcoord)
d1p = ppat.ppats.PPATSCommitment(e1, ppatspk)
d2p = ppat.ppats.PPATSCommitment(e2, ppatspk)
d3p = ppat.ppats.PPATSCommitment(e3, ppatspk)
nup = ppatspk.hashf([ppatspk.PPATSpp, ppatspk, d1, d2, d3, d1p, d2p, d3p])
return nu == nup
def multiplicationProofCheck(ppatspk, d1, d2, d3, proof):
''' d1,d2,d3 are PPATS Commitment
proof is a ZK proof that d3 commits on the
product of the message commited in d1 and d2.
the method returns True if this assertion is correct and False
otherwise
'''
#assert isinstance(d1,ppat.ppats.PPATSCommitment)
#assert isinstance(d2,ppat.ppats.PPATSCommitment)
#assert isinstance(d3,ppat.ppats.PPATSCommitment)
# Notations
ECG = ppatspk.PPATSpp.h.ECG
Jcoord = ppatspk.PPATSpp.Jcoord
nu, z1, z2, s1, s2, s3 = proof
#a1 = s1*h + z1*h1
a1c, s1 = ppatspk.commit(z1, s1)
a1 = a1c.d
#a2 = s2*h + z2*h1
a2c, s2 = ppatspk.commit(z2, s2)
a2 = a2c.d
s3ht = oEC.mul_comb2_EFp(ECG, s3, ppatspk.precomp_h, Jcoord)
d1t = oEC.toTupleEFp(d1.d, Jcoord)
z2d1t = oEC.mulECP(ECG, d1t, z2, False, Jcoord)
a3t = oEC.addEFp(ECG, s3ht, z2d1t, Jcoord)
#a3 = s3*h + z2*d1.d
d2t = oEC.toTupleEFp(d2.d, Jcoord)
d3t = oEC.toTupleEFp(d3.d, Jcoord)
mnud1t = oEC.mulECP(ECG, d1t, -nu, False, Jcoord)
mnud2t = oEC.mulECP(ECG, d2t, -nu, False, Jcoord)
mnud3t = oEC.mulECP(ECG, d3t, -nu, False, Jcoord)
a1t = oEC.toTupleEFp(a1, Jcoord)
a2t = oEC.toTupleEFp(a2, Jcoord)
e1t = oEC.addEFp(ECG, a1t, mnud1t, Jcoord)
e2t = oEC.addEFp(ECG, a2t, mnud2t, Jcoord)
e3t = oEC.addEFp(ECG, a3t, mnud3t, Jcoord)
e1 = oEC.toEFp(ECG, e1t, Jcoord)
e2 = oEC.toEFp(ECG, e2t, Jcoord)
e3 = oEC.toEFp(ECG, e3t, Jcoord)
d1p = ppat.ppats.PPATSCommitment(e1, ppatspk)
d2p = ppat.ppats.PPATSCommitment(e2, ppatspk)
d3p = ppat.ppats.PPATSCommitment(e3, ppatspk)
nup = ppatspk.hashf([ppatspk.PPATSpp, ppatspk, d1, d2, d3, d1p, d2p, d3p])
return nu == nup
def verifiabilityProofCheck(ppatspk, d, proof):
""" Return True if the ZKP proof is correct with respect to d
meaning that d is a commitment on either 0 or 1
"""
u0, u1, t0, t1 = proof
# notations
Jcoord = ppatspk.PPATSpp.Jcoord
ECG = ppatspk.PPATSpp.h.ECG
ddt = oEC.toTupleEFp(d.d, Jcoord)
u0ht = oEC.mul_comb2_EFp(ECG, u0, ppatspk.precomp_h, Jcoord)
ddt0 = oEC.mulECP(ECG, ddt, -t0, False, Jcoord)
w0t = oEC.addEFp(ECG, u0ht, ddt0, Jcoord)
w0v = oEC.toEFp(ECG, w0t, Jcoord)
w0 = ppat.ppats.PPATSCommitment(w0v, ppatspk)
ddt1 = oEC.mulECP(ECG, ddt, -t1, False, Jcoord)
u1ht = oEC.mul_comb2_EFp(ECG, u1, ppatspk.precomp_h, Jcoord)
t1h1t = oEC.mul_comb2_EFp(ECG, t1, ppatspk.precomp_h1, Jcoord)
ad1 = oEC.addEFp(ECG, ddt1, u1ht, Jcoord)
w1t = oEC.addEFp(ECG, ad1, t1h1t, Jcoord)
w1v = oEC.toEFp(ECG, w1t, Jcoord)
w1 = ppat.ppats.PPATSCommitment(w1v, ppatspk)
return t0 + t1 == ppatspk.hashf([ppatspk.PPATSpp, ppatspk, d, w0, w1])
def verifiabilityProofCheck(ppatspk, d, proof):
''' Return True if the ZKP proof is correct with respect to d
meaning that d is a commitment on either 0 or 1
'''
u0, u1, t0, t1 = proof
# notations
Jcoord = ppatspk.PPATSpp.Jcoord
ECG = ppatspk.PPATSpp.h.ECG
ddt = oEC.toTupleEFp(d.d, Jcoord)
u0ht = oEC.mul_comb2_EFp(ECG, u0, ppatspk.precomp_h, Jcoord)
ddt0 = oEC.mulECP(ECG, ddt, -t0, False, Jcoord)
w0t = oEC.addEFp(ECG, u0ht, ddt0, Jcoord)
w0v = oEC.toEFp(ECG, w0t, Jcoord)
w0 = ppat.ppats.PPATSCommitment(w0v, ppatspk)
ddt1 = oEC.mulECP(ECG, ddt, -t1, False, Jcoord)
u1ht = oEC.mul_comb2_EFp(ECG, u1, ppatspk.precomp_h, Jcoord)
t1h1t = oEC.mul_comb2_EFp(ECG, t1, ppatspk.precomp_h1, Jcoord)
ad1 = oEC.addEFp(ECG, ddt1, u1ht, Jcoord)
w1t = oEC.addEFp(ECG, ad1, t1h1t, Jcoord)
w1v = oEC.toEFp(ECG, w1t, Jcoord)
w1 = ppat.ppats.PPATSCommitment(w1v, ppatspk)
return t0 + t1 == ppatspk.hashf([ppatspk.PPATSpp, ppatspk, d, w0, w1])
def test_MulEFp_opt(self):
_ = oEC.mulECP(EFp,
oEC.toTupleEFp(P, Jcoord=True),
r,
sq=False,
Jcoord=True)
t = time.time() - self.startTime
print "%s: %.4f" % ("EFp point multiplication -- optimized", t)
def __add__(self,b):
''' Addition between two PPATC commitments
The result is a PPATC commitment which commits
on the sum of the initial messages
'''
assert isinstance(b,PPATCCommitment)
assert self.PPATCpk == b.PPATCpk # commitments built using the same public key
Jcoord = self.PPATCpk.PPATCpp.Jcoord
ECG1 = self.PPATCpk.h1.ECG
ECG2 = self.PPATCpk.g1.ECG
d1t = oEC.toTupleEFp(self.d1,Jcoord)
bd1t = oEC.toTupleEFp(b.d1,Jcoord)
nd1t = oEC.addEFp(ECG1,d1t,bd1t,Jcoord)
newd1 = oEC.toEFp(ECG1,nd1t,Jcoord)
d2t = oEC.toTupleEFp2(self.d2,Jcoord)
bd2t = oEC.toTupleEFp2(b.d2,Jcoord)
nd2t = oEC.addEFp2(ECG2,d2t,bd2t,Jcoord)
newd2 = oEC.toEFp2(ECG2,nd2t,Jcoord)
return PPATCCommitment(newd1,newd2,self.PPATCpk)
def __add__(self, b):
''' Addition between two PPATC commitments
The result is a PPATC commitment which commits
on the sum of the initial messages
'''
assert isinstance(b, PPATCCommitment)
assert self.PPATCpk == b.PPATCpk # commitments built using the same public key
Jcoord = self.PPATCpk.PPATCpp.Jcoord
ECG1 = self.PPATCpk.h1.ECG
ECG2 = self.PPATCpk.g1.ECG
d1t = oEC.toTupleEFp(self.d1, Jcoord)
bd1t = oEC.toTupleEFp(b.d1, Jcoord)
nd1t = oEC.addEFp(ECG1, d1t, bd1t, Jcoord)
newd1 = oEC.toEFp(ECG1, nd1t, Jcoord)
d2t = oEC.toTupleEFp2(self.d2, Jcoord)
bd2t = oEC.toTupleEFp2(b.d2, Jcoord)
nd2t = oEC.addEFp2(ECG2, d2t, bd2t, Jcoord)
newd2 = oEC.toEFp2(ECG2, nd2t, Jcoord)
return PPATCCommitment(newd1, newd2, self.PPATCpk)
def multiplicationCommitFromTriplet(self,a1,a2,a3,m1,m2):
''' This method builds a commitment d3 based on three precomputed commitments
a1,a2,a3 such that a1 commits (m_a-m1),a2 commits on (m_b-m2) and a3 commits
on some m_a*m_b+..., the output is d3 that commits on m_a*m_b
but it does not perform any verification whatsoever
'''
Jcoord = self.PPATSpp.Jcoord
ECG = self.h1.ECG
order = self.PPATSpp.order
a1dt = oEC.toTupleEFp(a1.d,Jcoord)
a2dt = oEC.toTupleEFp(a2.d,Jcoord)
a3dt = oEC.toTupleEFp(a3.d,Jcoord)
m2a1dt = oEC.mulECP(ECG,a1dt,m2,False,Jcoord)
m1a2dt = oEC.mulECP(ECG,a2dt,m1,False,Jcoord)
m1m2h1t = oEC.mul_comb2_EFp(ECG,(m1*m2)%order,self.precomp_h1,Jcoord)
a1t = oEC.addEFp(ECG,m2a1dt,m1a2dt,Jcoord)
a2t = oEC.addEFp(ECG,a1t,a3dt,Jcoord)
d3t = oEC.addEFp(ECG,a2t,m1m2h1t,Jcoord)
d3 = oEC.toEFp(ECG,d3t,Jcoord)
#d3p = (m2*a1.d)+(m1*a2.d)+a3.d+((m1*m2)*h1)
#assert d3 == d3p
return PPATSCommitment(d3,self)
def commit(self,phi_x,phiprime_x= None):
'''
Return a polynomial commitment on the polynomial phi_x eventually using phiprime_x as the randomness polynomial
'''
#Fp = self.pairing.Fp
Fr = self.Fr
EFp = self.pairing.EFp
#order = self.pairing.r
assert len(phi_x.coef) <= self.deg_pol+1
if len(phi_x.coef) < self.deg_pol+1 :
# Append zeros coef to phi_x if its coef list is too short (< deg_pol+1)
diff = self.deg_pol+1 - len(phi_x.coef)
L = [Fr.zero()]*diff
new_phi_x = field.polynom(Fr,L+phi_x.coef)
phi_x = new_phi_x
if phiprime_x == None :
phiprime_x = self.randomPolynomial()
if len(phiprime_x.coef) < self.deg_pol+1 :
# Append zeros coef to phiprime_x if its coef list is too short (< deg_pol+1)
diff = self.deg_pol+1 - len(phiprime_x.coef)
L = [Fr.zero()]*diff
new_phiprime_x = field.polynom(Fr,L+phiprime_x.coef)
phiprime_x = new_phiprime_x
c = EFp.infty
ct = oEC.toTupleEFp(c,self.Jcoord)
#TODO: Optimize here # DONE
for i in range(self.deg_pol+1):
#c = c + (phi_x.coef[i].val)*self.gVec[i] + (phiprime_x.coef[i].val)*self.hVec[i]
a = oEC.mul_comb2_EFp(EFp,phi_x.coef[i].val,self.gVecTab[i],self.Jcoord)
b = oEC.mul_comb2_EFp(EFp,phiprime_x.coef[i].val,self.hVecTab[i],self.Jcoord)
a_plus_b = oEC.addEFp(EFp, a,b,self.Jcoord)
ct = oEC.addEFp(EFp, ct,a_plus_b,self.Jcoord)
cg = oEC.toEFp(EFp,ct,self.Jcoord)
if self.Jcoord :
cg.toAffine()
#assert cg == c
#print 'cg,c',cg,c
com = PolynomialCommitment(cg,self)
return com, phiprime_x
def __mul__(self,a):
'''multiplication by a scalar a
The result is a PPATC Commitment which encrypts and commits on a*m
'''
m = gmpy.mpz(1)
if not isinstance(a, int) and not isinstance(a, long) and not type(a)==type(m):
raise Exception("Multiplication of a PPATC Commitment by a non integer, long or mpz")
else :
Jcoord = self.PPATCpk.PPATCpp.Jcoord
ECG1 = self.PPATCpk.h1.ECG
ECG2 = self.PPATCpk.g1.ECG
d1t = oEC.toTupleEFp(self.d1,Jcoord)
nd1t = oEC.mulECP(ECG1,d1t,a,sq=False,Jcoord=Jcoord)
newd1 = oEC.toEFp(ECG1,nd1t,Jcoord)
d2t = oEC.toTupleEFp2(self.d2,Jcoord)
nd2t = oEC.mulECP(ECG2,d2t,a,sq=True,Jcoord=Jcoord)
newd2 = oEC.toEFp2(ECG2,nd2t,Jcoord)
return PPATCCommitment(newd1,newd2,self.PPATCpk)
def __mul__(self, a):
'''multiplication by a scalar a
The result is a PPATC Commitment which encrypts and commits on a*m
'''
m = gmpy.mpz(1)
if not isinstance(a, int) and not isinstance(
a, long) and not type(a) == type(m):
raise Exception(
"Multiplication of a PPATC Commitment by a non integer, long or mpz"
)
else:
Jcoord = self.PPATCpk.PPATCpp.Jcoord
ECG1 = self.PPATCpk.h1.ECG
ECG2 = self.PPATCpk.g1.ECG
d1t = oEC.toTupleEFp(self.d1, Jcoord)
nd1t = oEC.mulECP(ECG1, d1t, a, sq=False, Jcoord=Jcoord)
newd1 = oEC.toEFp(ECG1, nd1t, Jcoord)
d2t = oEC.toTupleEFp2(self.d2, Jcoord)
nd2t = oEC.mulECP(ECG2, d2t, a, sq=True, Jcoord=Jcoord)
newd2 = oEC.toEFp2(ECG2, nd2t, Jcoord)
return PPATCCommitment(newd1, newd2, self.PPATCpk)
def verifyPoly(self,com,phi_x,phiprime_x):
'''
Check that the commitment c is indeed a commitment on phi_x and phiprime_x
return True if it is the case
'''
EFp = self.pairing.EFp
c_prime = EFp.infty
ct = oEC.toTupleEFp(c_prime,self.Jcoord)
#TODO: Optimize here
for i in range(self.deg_pol+1):
#c_prime = c_prime + (phi_x.coef[i].val)*self.gVec[i] + (phiprime_x.coef[i].val)*self.hVec[i]
a = oEC.mul_comb2_EFp(EFp,phi_x.coef[i].val,self.gVecTab[i],self.Jcoord)
b = oEC.mul_comb2_EFp(EFp,phiprime_x.coef[i].val,self.hVecTab[i],self.Jcoord)
a_plus_b = oEC.addEFp(EFp, a,b,self.Jcoord)
ct = oEC.addEFp(EFp, ct,a_plus_b,self.Jcoord)
cg = oEC.toEFp(EFp,ct,self.Jcoord)
if self.Jcoord :
cg.toAffine()
#assert c_prime == cg
return com.c == cg
def verifyOpening(self,com,m,a):
''' The method verifies that the commitment com commits on m with respect
to the opening a.
'''
# notoations
g = self.PPATSpp.g
h = self.PPATSpp.h
ECG = h.ECG
Jcoord = self.PPATSpp.Jcoord
order = self.PPATSpp.order
e = self.PPATSpp.e
Pair = self.PPATSpp.Pair
psi = self.PPATSpp.psi
psia = psi(a)
psig = psi(g)
comdt = oEC.toTupleEFp(com.d,Jcoord)
mmh1t = oEC.mul_comb2_EFp(ECG,(-m)%order,self.precomp_h1,Jcoord)
ddt = oEC.addEFp(ECG,comdt,mmh1t,Jcoord)
dd = oEC.toEFp(ECG,ddt,Jcoord)
#dd = com.d-(m*h1)
return e(h,psia,Pair) == e(dd,psig,Pair)
def rerandomize(self,com,phiprime_x,phisecond_x=None):
'''
Return a polynomial commitment with a new randomness polynomial
'''
EFp = self.pairing.EFp
if phisecond_x == None :
phisecond_x = self.randomPolynomial()
c = com.c
ct = oEC.toTupleEFp(c,self.Jcoord)
#TODO: Optimize here #DONE
for i in range(self.deg_pol+1):
#c = c + (phisecond_x.coef[i].val)*self.hVec[i]
b = oEC.mul_comb2_EFp(EFp,phisecond_x.coef[i].val,self.hVecTab[i],self.Jcoord)
ct = oEC.addEFp(EFp, ct,b,self.Jcoord)
cg = oEC.toEFp(EFp,ct,self.Jcoord)
if self.Jcoord :
cg.toAffine()
#assert c == cg
rerand_com = PolynomialCommitment(cg, self)
return rerand_com, phiprime_x+phisecond_x
