def spend(withdrawal_keys, deposit_keys, tx, mu):
witness = prepare_witness(withdrawal_keys, deposit_keys)
witness_list = [
witness.d_ijk, witness.x_i, witness.a_in, witness.a_ij, witness.r_in,
witness.r_out
] # this is so we can flatten for commitment
t = dumb25519.random_scalar()
C = dumb25519.pedersen_commit(dumb25519.flatten(witness_list), t)
s = dumb25519.hash_to_scalar(str(C) + str(tx) + str(mu))
def verify(proofs,N):
# determine the length of the longest proof
max_MN = 2**max([len(proof[7]) for proof in proofs])
# curve points
Z = dumb25519.Z
G = dumb25519.G
H = dumb25519.H
Gi = PointVector([hash_to_point('pybullet Gi ' + str(i)) for i in range(max_MN)])
Hi = PointVector([hash_to_point('pybullet Hi ' + str(i)) for i in range(max_MN)])
# verify that all points are in the correct subgroup
for item in dumb25519.flatten(proofs):
if not isinstance(item,Point):
continue
if not item*Scalar(dumb25519.l) == Z:
raise ArithmeticError
# set up weighted aggregates
y0 = Scalar(0)
y1 = Scalar(0)
Y2 = Z
Y3 = Z
Y4 = Z
Z0 = Z
z1 = Scalar(0)
Z2 = Z
z3 = Scalar(0)
z4 = [Scalar(0)]*max_MN
z5 = [Scalar(0)]*max_MN
# run through each proof
for proof in proofs:
clear_cache()
V,A,S,T1,T2,taux,mu,L,R,a,b,t = proof
# get size information
M = 2**len(L)/N
# weighting factor for batching
w = random_scalar()
# reconstruct all challenges
for v in V:
mash(v)
mash(A)
mash(S)
y = cache
mash('')
z = cache
mash(T1)
mash(T2)
x = cache
mash(taux)
mash(mu)
mash(t)
x_ip = cache
y0 += taux*w
k = (z-z**2)*sum_scalar(y,M*N)
for j in range(1,M+1):
k -= (z**(j+2))*sum_scalar(Scalar(2),N)
y1 += (t-k)*w
Temp = Z
for j in range(M):
Temp += V[j]*(z**(j+2)*Scalar(8))
Y2 += Temp*w
Y3 += T1*(x*w*Scalar(8))
Y4 += T2*((x**2)*w*Scalar(8))
Z0 += (A*Scalar(8)+S*(x*Scalar(8)))*w
# inner product
W = []
for i in range(len(L)):
mash(L[i])
mash(R[i])
W.append(cache)
for i in range(M*N):
index = i
g = a
h = b*((y.invert())**i)
for j in range(len(L)-1,-1,-1):
J = len(W)-j-1
base_power = 2**j
if index/base_power == 0:
g *= W[J].invert()
h *= W[J]
else:
g *= W[J]
h *= W[J].invert()
index -= base_power
g += z
h -= (z*(y**i) + (z**(2+i/N))*(Scalar(2)**(i%N)))*((y.invert())**i)
z4[i] += g*w
z5[i] += h*w
z1 += mu*w
Multiexp = []
for i in range(len(L)):
Multiexp.append([L[i],Scalar(8)*(W[i]**2)])
Multiexp.append([R[i],Scalar(8)*(W[i].invert()**2)])
Z2 += dumb25519.multiexp(Multiexp)*w
z3 += (t-a*b)*x_ip*w
# now check all proofs together
if not G*y0 + H*y1 - Y2 - Y3 - Y4 == Z:
raise ArithmeticError('Bad y check!')
Multiexp = [[Z0,Scalar(1)],[G,-z1],[Z2,Scalar(1)],[H,z3]]
for i in range(max_MN):
Multiexp.append([Gi[i],-z4[i]])
Multiexp.append([Hi[i],-z5[i]])
if not dumb25519.multiexp(Multiexp) == Z:
raise ArithmeticError('Bad z check!')
return True
def test_flatten(self):
L = [0,[[1],2,3],[4,5,6],[[[7,8],9],10,11],12]
self.assertEqual(dumb25519.flatten(L),range(13))