def __init__(self, valid_tuple, invalid_tuple, x):
self.lhs = [valid_tuple[0], invalid_tuple[0]]
self.generators = [valid_tuple[1], invalid_tuple[1]]
self.x = x
# The internal ZK proof uses two constructed secrets
self.alpha, self.beta = Secret(), Secret()
def test_expr_eval_no_values_specified(group):
g = group.generator()
g1 = 2 * g
g2 = 5 * g
rhs = Secret(name="x1") * g1 + Secret(name="x2") * g2
with pytest.raises(IncompleteValuesError):
rhs.eval()
def commit(self, messages, zkp=True):
"""
Construct the product of messages and optionaly a Pedersen commitment and its proof.
Args:
messages: Messages (attributes) to commit to
zkp (bool): Whether to construct a Pedersen commitment and proof the knowledge of the
messages for this commitment.
Returns:
:py:class:`UserCommitmentMessage`: user's packed commitment.
"""
lhs = self.pk.generators[0].group.wsum(
messages, self.pk.generators[2 : len(messages) + 2]
)
com_nizk_proof = None
if zkp:
self.s1 = self.pk.generators[0].group.order().random()
lhs = self.s1 * self.pk.generators[1] + lhs
# TODO: Extract into a separate ExtendedProofStmt.
secret_vars = [Secret() for _ in range(len(messages) + 1)]
secrets = [self.s1] + messages
rhs = wsum_secrets(secret_vars, self.pk.generators[1 : len(messages) + 2])
com_stmt = DLRep(lhs, rhs)
com_nizk_proof = com_stmt.prove(
{s: v for s, v in zip(secret_vars, secrets)}
)
return UserCommitmentMessage(com_message=lhs, com_nizk_proof=com_nizk_proof)
def test_expr_repr(group, num):
secrets = [Secret() for _ in range(num)]
generators = make_generators(num, group)
expr = wsum_secrets(secrets, generators)
expected_repr = " + ".join("Expression({}, {})".format(x, g)
for x, g in zip(secrets, generators))
assert expected_repr == repr(expr)
def __init__(self,
valid_pair,
invalid_pair,
x,
bind=False,
simulated=False):
if len(valid_pair) != 2 or len(invalid_pair) != 2:
raise TypeException(
"The valid_pair and invalid_pair must be pairs")
self.x = x
# The internal ZK proof uses two constructed secrets
self.alpha, self.beta = Secret(), Secret()
self.lhs = [valid_pair[0], invalid_pair[0]]
self.g = valid_pair[1]
self.h = invalid_pair[1]
self.bind = bind
self.set_simulated(simulated)
def __init__(self, secret_vars, pk, signature=None, binding=True, simulated=False):
self.pk = pk
self.signature = signature
if not binding:
# We add two Secret slots for e and s if necessary
secret_vars = [Secret(), Secret()] + secret_vars
# We need L+1 generators for L messages. secret_vars are messages plus 'e' and 's'
self.bases = pk.generators[: len(secret_vars)]
self.order = self.bases[0].group.order()
# The prover will compute the following secrets:
self.r1, self.r2, self.delta1, self.delta2 = (
Secret(),
Secret(),
Secret(),
Secret(),
)
# Below is boilerplate
self.secret_vars = secret_vars
if signature is not None:
# Digest the signature parameters
self.secret_vars[0].value = signature.e
self.secret_vars[1].value = signature.s
self.set_simulated(simulated)
def verify_blinding(self, pk):
"""
Verify the NIZK proof for Pedersen commitment.
"""
if self.com_nizk_proof is None:
raise ValueError("No proof to verify")
# TODO: Extract into a separate ExtendedProofStmt.
lhs = self.com_message
generators = pk.generators[1 : len(self.com_nizk_proof.responses) + 1]
secret_vars = [Secret() for _ in self.com_nizk_proof.responses]
proof = DLRep(lhs, wsum_secrets(secret_vars, generators))
return proof.verify(self.com_nizk_proof)
def test_expr_invalid_expression(group, other):
g = group.generator()
expr = Secret() * g
with pytest.raises(InvalidExpression):
expr + other
def test_expr_2(group):
g = group.generator()
x = Secret()
expr = x * g
assert expr.bases == (g, )
assert expr.secrets == (x, )
def test_expr_1(group):
g = group.generator()
x = Secret()
expr = Expression(x, g)
assert expr.bases == (g, )
assert expr.secrets == (x, )
def test_secret_different_anonymous_secrets():
x, y = Secret(), Secret()
assert x.name != y.name
assert hash(x) != hash(y)
assert x != y
def test_secret_same_names_different_values():
x, y = Secret(name="same"), Secret(name="same", value=100)
assert x.name == y.name
assert hash(x) == hash(y)
assert x != y
def test_secret_same_names():
x, y = Secret(name="same"), Secret(name="same")
assert x.name == y.name
assert hash(x) == hash(y)
assert x == y
def test_secret_named():
x = Secret(name="x")
assert x.name == "x"
assert x.name == y.name
assert hash(x) == hash(y)
assert x != y
def test_secret_different_anonymous_secrets():
x, y = Secret(), Secret()
assert x.name != y.name
assert hash(x) != hash(y)
assert x != y
@pytest.mark.parametrize(
"x,pattern",
[
(Secret(), r"Secret\(name='.+'\)"),
(Secret(name="x"), r"Secret\(name='x'\)"),
(Secret(value=42), r"Secret\(42, '.+'\)"),
(Secret(value=42, name="x"), r"Secret\(42, 'x'\)"),
],
)
def test_secret_repr(x, pattern):
assert re.match(pattern, repr(x)) is not None
def test_expr_1(group):
g = group.generator()
x = Secret()
expr = Expression(x, g)
assert expr.bases == (g, )
assert expr.secrets == (x, )
precommitment = blinder * (self.x.value * self.generators[1] -
self.lhs[1])
return precommitment
def construct_stmt(self, precommitment):
infty = self.generators[0].group.infinite()
p1 = DLRep(infty,
self.alpha * self.generators[0] + self.beta * self.lhs[0])
p2 = DLRep(precommitment,
self.alpha * self.generators[1] + self.beta * self.lhs[1])
return p1 & p2
def validate(self, precommitment):
if precommitment == self.generators[0].group.infinite():
raise ValidationError("Invalid precommitment")
def simulate_precommit(self):
group = self.generators[0].group
precommitment = group.order().random() * group.generator()
return precommitment
g, h = make_generators(2)
x = Secret(value=42)
a = 42 * g
b = 41 * h
stmt = DLNotEqual((a, g), (b, h), x)
nizk = stmt.prove()
stmt.verify(nizk)