# First, compute the values, "left-hand side". y1 = 4 * g0 + 5 * g1 y2 = 4 * g2 + 7 * g3 # Next, create the proof statement. stmt = DLRep(y1, x0 * g0 + x1 * g1) \ & DLRep(y2, x0 * g2 + x2 * g3) # This is an equivalent way to create the proof statement above. stmt_1 = DLRep(y1, x0 * g0 + x1 * g1) stmt_2 = DLRep(y2, x0 * g2 + x2 * g3) equivalent_stmt = AndProofStmt(stmt_1, stmt_2) assert stmt.get_proof_id() == equivalent_stmt.get_proof_id() # Simulate the prover and verifier interacting. prover = stmt.get_prover({x0: 4, x1: 5, x2: 7}) verifier = stmt.get_verifier() commitment = prover.commit() challenge = verifier.send_challenge(commitment) response = prover.compute_response(challenge) assert verifier.verify(response) # Composition takes into account re-occuring secrets. x0 = Secret(4) x1 = Secret(4)
y1 = x1.value * g1 # Next, create the proof statement. stmt = DLRep(y0, x0 * g0) | DLRep(y1, x1 * g1) # Set the first clause as simulated. stmt.subproofs[0].set_simulated() # This is an equivalent way to define the proof statement above. stmt_1 = DLRep(y0, x0 * g0) stmt_2 = DLRep(y1, x1 * g1) stmt_1.set_simulated() equivalent_stmt = OrProofStmt(stmt_1, stmt_2) assert stmt.get_proof_id() == equivalent_stmt.get_proof_id() # Another equivalent way. stmt_1 = DLRep(y0, x0 * g0, simulated=True) stmt_2 = DLRep(y1, x1 * g1) equivalent_stmt = OrProofStmt(stmt_1, stmt_2) assert stmt.get_proof_id() == equivalent_stmt.get_proof_id() # Execute the protocol. prover = stmt.get_prover() verifier = stmt.get_verifier() commitment = prover.commit() challenge = verifier.send_challenge(commitment)