def params(group):
n1 = 3
n2 = 4
generators1 = make_generators(n1)
generators2 = make_generators(n2)
x0 = Secret()
x1 = Secret()
x2 = Secret()
x3 = Secret()
x4 = Secret()
x5 = Secret()
secrets = [x0, x1, x2, x3, x4, x5]
secrets_dict = dict([
(x0, Bn(1)),
(x1, Bn(2)),
(x2, Bn(5)),
(x3, Bn(100)),
(x4, Bn(43)),
(x5, Bn(10)),
])
sum_1 = group.wsum([secrets_dict[x0], secrets_dict[x1], secrets_dict[x2]],
generators1)
secrets_2 = [secrets_dict[x0]]
for i in range(3, 6):
secrets_2.append(secrets_dict[secrets[i]])
sum_2 = group.wsum(secrets_2, generators2)
p1 = DLRep(sum_1, wsum_secrets([x0, x1, x2], generators1))
p2 = DLRep(sum_2, wsum_secrets([x0, x3, x4, x5], generators2))
return p1, p2, secrets_dict
def test_and_proof_simulation_2(group):
n = 3
secret_values = [Bn(i) for i in range(n)]
secrets = [Secret() for _ in range(n)]
generators = make_generators(n, group)
lhs = group.wsum(secret_values, generators)
subproof1 = DLRep(lhs, wsum_secrets(secrets, generators))
subproof2 = DLRep(lhs, wsum_secrets(secrets, generators))
andp = AndProofStmt(subproof1, subproof2)
tr = andp.simulate()
assert andp.verify_simulation_consistency(tr)
assert not andp.verify(tr)
def test_and_proof_simulation_1(group):
n = 3
secret_values = [Bn(i) for i in range(n)]
secrets = [Secret() for _ in range(n)]
generators = make_generators(n, group)
lhs = group.wsum(secret_values, generators)
subproof1 = DLRep(lhs, wsum_secrets(secrets, generators))
subproof2 = DLRep(lhs, wsum_secrets(secrets, generators))
andp = AndProofStmt(subproof1, subproof2)
andv = andp.get_verifier()
tr = andp.simulate_proof()
tr.stmt_hash = andp.prehash_statement().digest()
assert not andv.verify_nizk(tr)
def commit(self, messages, zkp=True):
"""
Construct the product of messages and optionaly a Pedersen commitment and its proof.
Args:
messages: Messages (attributes) to commit to
zkp (bool): Whether to construct a Pedersen commitment and proof the knowledge of the
messages for this commitment.
Returns:
:py:class:`UserCommitmentMessage`: user's packed commitment.
"""
lhs = self.pk.generators[0].group.wsum(
messages, self.pk.generators[2 : len(messages) + 2]
)
com_nizk_proof = None
if zkp:
self.s1 = self.pk.generators[0].group.order().random()
lhs = self.s1 * self.pk.generators[1] + lhs
# TODO: Extract into a separate ExtendedProofStmt.
secret_vars = [Secret() for _ in range(len(messages) + 1)]
secrets = [self.s1] + messages
rhs = wsum_secrets(secret_vars, self.pk.generators[1 : len(messages) + 2])
com_stmt = DLRep(lhs, rhs)
com_nizk_proof = com_stmt.prove(
{s: v for s, v in zip(secret_vars, secrets)}
)
return UserCommitmentMessage(com_message=lhs, com_nizk_proof=com_nizk_proof)
def construct_stmt(self, precommitment):
r"""
Proof of knowledge of a signature.
This is an implementation of a proof :math:`\Pi_5` detailed on page 7 of the `Constant-Size
Dynamick-TAA` paper.
"""
self.A1, self.A2 = precommitment["A1"], precommitment["A2"]
g0, g1, g2 = self.bases[0], self.bases[1], self.bases[2]
dl1 = DLRep(self.A1, self.r1 * g1 + self.r2 * g2)
dl2 = DLRep(
g0.group.infinite(),
self.delta1 * g1 + self.delta2 * g2 + self.secret_vars[0] * (-1 * self.A1),
)
self.pair_lhs = self.A2.pair(self.pk.w) + (-1 * self.pk.gen_pairs[0])
bases = [
-1 * (self.A2.pair(self.pk.h0)),
self.bases[2].pair(self.pk.w),
self.pk.gen_pairs[2],
]
bases.extend(self.pk.gen_pairs[1 : len(self.bases)])
# Build secret names [e, r1, delta1, s, m_i]
new_secret_vars = (
self.secret_vars[:1] + [self.r1, self.delta1] + self.secret_vars[1:]
)
pairings_stmt = DLRep(self.pair_lhs, wsum_secrets(new_secret_vars, bases))
constructed_stmt = AndProofStmt(dl1, dl2, pairings_stmt)
constructed_stmt.lhs = [p.lhs for p in constructed_stmt.subproofs]
return constructed_stmt
def test_expr_repr(group, num):
secrets = [Secret() for _ in range(num)]
generators = make_generators(num, group)
expr = wsum_secrets(secrets, generators)
expected_repr = " + ".join("Expression({}, {})".format(x, g)
for x, g in zip(secrets, generators))
assert expected_repr == repr(expr)
def test_same_random_values_in_commitments(group):
(g, ) = make_generators(1, group)
generators = [g, g, g]
pub = group.wsum([Bn(100), Bn(100), Bn(100)], generators)
x = Secret()
p = DLRep(pub, wsum_secrets([x, x, x], generators))
prover = p.get_prover({x: 100})
commitments = prover.commit()
def test_get_many_different_provers(group, num):
generators = make_generators(num, group)
secrets = [Secret(name="secret_%i" % i) for i in range(num)]
secrets_vals = [Bn(i) for i in range(num)]
secret_dict = {secret: val for secret, val in zip(secrets, secrets_vals)}
p = DLRep(group.wsum(secrets_vals, generators),
wsum_secrets(secrets, generators))
prover = p.get_prover(secret_dict)
_, commitment = prover.commit()
assert isinstance(commitment, EcPt)
def test_and_proof_fails_when_bases_belong_to_different_groups(group):
"""
An alien EcPt is inserted in the generators
"""
g1 = group.generator()
other_group = EcGroup(706)
assert group != other_group
g2 = other_group.generator()
x = Secret(value=Bn(42))
y1 = group.wsum([x.value], [g1])
y2 = other_group.wsum([x.value], [g2])
p1 = DLRep(y1, wsum_secrets([x], [g1]))
p2 = DLRep(y2, wsum_secrets([x], [g2]))
and_proof = AndProofStmt(p1, p2)
prover = and_proof.get_prover()
verifier = and_proof.get_verifier()
# An exception should be raised because of a shared secrets linked to two different groups
with pytest.raises(GroupMismatchError):
verify(verifier, prover)
def verify_blinding(self, pk):
"""
Verify the NIZK proof for Pedersen commitment.
"""
if self.com_nizk_proof is None:
raise ValueError("No proof to verify")
# TODO: Extract into a separate ExtendedProofStmt.
lhs = self.com_message
generators = pk.generators[1 : len(self.com_nizk_proof.responses) + 1]
secret_vars = [Secret() for _ in self.com_nizk_proof.responses]
proof = DLRep(lhs, wsum_secrets(secret_vars, generators))
return proof.verify(self.com_nizk_proof)
def test_generators_sharing_a_secret(group, num):
generators = make_generators(num, group)
unique_secret = 4
x = Secret()
secret_vals = [Bn(unique_secret) for _ in range(num)]
lhs = group.wsum(secret_vals, generators)
rhs = wsum_secrets([x] * num, generators)
p = DLRep(lhs, rhs)
prover = p.get_prover({x: unique_secret})
assert isinstance(prover, DLRepProver)
_, commitment = prover.commit()
assert isinstance(commitment, EcPt)