def test_or_and_dlrne():
secrets, secret_values, secret_dict = get_secrets(4)
generators = make_generators(4)
lhs_values = [x * g for x, g in zip(secret_values, generators)]
y3 = secret_values[2] * generators[3]
p1 = DLNotEqual(
[lhs_values[0], generators[0]],
[lhs_values[1], generators[1]],
secrets[0],
bind=True,
)
p2 = DLNotEqual([lhs_values[1], generators[1]], [y3, generators[3]],
secrets[1],
bind=True)
andp_nested = AndProofStmt(p1, p2)
orp = OrProofStmt(andp_nested, p1, p2)
prov = orp.get_prover(secret_dict)
ver = orp.get_verifier()
precom = prov.precommit()
ver.process_precommitment(precom)
com = prov.commit()
chal = ver.send_challenge(com)
resp = prov.compute_response(chal)
assert ver.verify(resp)
def test_or_proof_manual(params):
"""
TODO: Clarify what is being tested here.
"""
p1, p2, secrets = params
orproof = OrProofStmt(p1, p2, p1, p2, p1, p2)
subproofs = orproof.subproofs
rep = 0
chosen = []
sims = [True]
while rep < 10:
sims = []
# Make random subproofs simulated.
for proof in subproofs:
is_simulated = random.choice([True, False])
sims.append(is_simulated)
proof.set_simulated(is_simulated)
if all(sims):
continue
for i in range(30):
# Choose a subproof, look if it was a valid choice, store the result
prov = orproof.get_prover(secrets)
chosen.append(sims[orproof.chosen_idx] == False)
rep += 1
assert all(chosen)
def test_multiple_or_proofs(group, params):
p1, p2, secrets = params
g = group.generator()
x10 = Secret()
secrets.update({x10: 13})
orproof = OrProofStmt(p1, OrProofStmt(p2, DLRep(13 * g, x10 * g)))
assert verify_proof(orproof, secrets)
def test_multiple_or_proofs_composition(group, params):
p1, p2, secrets = params
g = group.generator()
x10 = Secret()
secrets.update({x10: 13})
orp1 = OrProofStmt(p2, p1)
orp2 = OrProofStmt(p1, DLRep(13 * g, x10 * g))
orproof = OrProofStmt(orp1, p2, orp2)
assert verify_proof(orproof, secrets)
def test_or_proof(params):
p1, p2, secrets = params
orproof = OrProofStmt(p1, p2, p1, p2, p1, p2)
prov = orproof.get_prover(secrets)
verif = orproof.get_verifier()
com = prov.commit()
chal = verif.send_challenge(com)
resp = prov.compute_response(chal)
# Here we see that some responses have an identical first element.
# The only one with a different first element is the non-simulated one.
assert verif.verify(resp)
def test_or_non_interactive_fails_on_wrong_secrets(group, params):
p1, p2, secrets = params
p = OrProofStmt(p1, p2)
bad_secrets = secrets.copy()
u = list(bad_secrets.keys())
bad_secrets[u[0]] = group.order().random()
bad_secrets[u[1]] = group.order().random()
bad_secrets[u[2]] = group.order().random()
bad_secrets[u[3]] = group.order().random()
message = "whatever"
tr = p.prove(bad_secrets, message=message)
assert not p.verify(tr, message=message)
def test_or_non_interactive_serialization(params):
p1, p2, secrets = params
p = OrProofStmt(p1, p2)
message = "whatever"
tr = p.prove(secrets, message=message)
tr_enc = tr.serialize()
tr_dec = NIZK.deserialize(tr_enc)
assert tr_dec.challenge == tr.challenge
assert len(tr_dec.responses) == len(tr.responses)
for resp1, resp2 in zip(tr_dec.responses, tr.responses):
assert resp1 == resp2
assert tr_dec.precommitment == tr.precommitment
assert tr_dec.stmt_hash == tr.stmt_hash
assert p.verify(tr_dec, message=message)
def test_dlrep_or_rangeproof(group):
g, h = make_generators(2)
x = Secret(9)
y = Secret(42)
z = Secret(40)
c = x.value * g + y.value * h
c2 = z.value * g + y.value * h
stmt1 = DLRep(c, x * g + y * h) & RangeStmt(c, g, h, 0, 50, x, y)
stmt2 = DLRep(c2, z * g + y * h) & RangeStmt(c2, g, h, 0, 50, z, y)
stmt1.set_simulated()
or_stmt = OrProofStmt(stmt1, stmt2)
nizk = or_stmt.prove()
assert or_stmt.verify(nizk)
def test_or_and_proof_composition(params):
p1, p2, secrets = params
andp = AndProofStmt(p1, p2)
g1 = 7 * p1.bases[0]
g2 = 8 * p1.bases[0]
xb = Secret(name="xb")
xa = Secret(name="xa")
p0 = DLRep(7 * g1 + 18 * g2, xb * g1 + xa * g2)
secrets[xa] = 7
secrets[Secret(name="xc")] = 18
orproof = OrProofStmt(p0, andp)
prover = orproof.get_prover(secrets)
verifier = orproof.get_verifier()
assert verify(verifier, prover)
def test_or_signature_non_interactive():
mG = BilinearGroupPair()
keypair = BBSPlusKeypair.generate(mG, 9)
messages = [Bn(30), Bn(31), Bn(32)]
pk, sk = keypair.pk, keypair.sk
generators, h0 = keypair.generators, keypair.h0
creator = BBSPlusSignatureCreator(pk)
lhs = creator.commit(messages)
presignature = sk.sign(lhs.com_message)
signature = creator.obtain_signature(presignature)
e, s, m1, m2, m3 = (Secret() for _ in range(5))
secret_dict = {
e: signature.e,
s: signature.s,
m1: messages[0],
m2: messages[1],
m3: messages[2],
}
sigproof = BBSPlusSignatureStmt([e, s, m1, m2, m3], pk, signature)
creator = BBSPlusSignatureCreator(pk)
lhs = creator.commit(messages)
presignature2 = sk.sign(lhs.com_message)
signature2 = creator.obtain_signature(presignature2)
e1, s1 = (Secret() for _ in range(2))
secret_dict2 = {
e1: signature2.e,
s1: signature2.s,
m1: messages[0],
m2: messages[1],
}
sigproof1 = BBSPlusSignatureStmt([e1, s1, m1, m2, m3], pk, signature2)
secret_dict.update(secret_dict2)
andp = sigproof | sigproof1
orp = OrProofStmt(andp, sigproof)
tr = orp.prove(secret_dict)
assert orp.verify(tr)
def test_and_or_proof_composition(params):
p1, p2, secrets = params
g1 = 7 * p1.bases[0]
g2 = 8 * p1.bases[0]
xb = Secret(name="xb")
xa = Secret(name="xa")
p0 = DLRep(7 * g1 + 18 * g2, xb * g1 + xa * g2)
secrets[xb] = 7
secrets[xa] = 18
orproof = OrProofStmt(p1, p2)
andp = AndProofStmt(orproof, p0)
andp = AndProofStmt(andp, DLRep(15 * p1.bases[0], Secret(value=15) * p1.bases[0]))
prover = andp.get_prover(secrets)
verifier = andp.get_verifier()
assert verify(verifier, prover)
def test_or_non_interactive(params):
p1, p2, secrets = params
p = OrProofStmt(p1, p2)
message = "whatever"
tr = p.prove(secrets, message=message)
assert p.verify(tr, message=message)
def test_or_proof_simulation(params):
p1, p2, secrets = params
first_or = OrProofStmt(p1, p2)
tr = first_or.simulate()
assert first_or.verify_simulation_consistency(tr)
assert not first_or.verify(tr)
# First, compute the values, "left-hand side". y0 = x0.value * g0 y1 = x1.value * g1 # Next, create the proof statement. stmt = DLRep(y0, x0 * g0) | DLRep(y1, x1 * g1) # Set the first clause as simulated. stmt.subproofs[0].set_simulated() # This is an equivalent way to define the proof statement above. stmt_1 = DLRep(y0, x0 * g0) stmt_2 = DLRep(y1, x1 * g1) stmt_1.set_simulated() equivalent_stmt = OrProofStmt(stmt_1, stmt_2) assert stmt.get_proof_id() == equivalent_stmt.get_proof_id() # Another equivalent way. stmt_1 = DLRep(y0, x0 * g0, simulated=True) stmt_2 = DLRep(y1, x1 * g1) equivalent_stmt = OrProofStmt(stmt_1, stmt_2) assert stmt.get_proof_id() == equivalent_stmt.get_proof_id() # Execute the protocol. prover = stmt.get_prover() verifier = stmt.get_verifier()
