# First, compute the values, "left-hand side".
y1 = 4 * g0 + 5 * g1
y2 = 4 * g2 + 7 * g3
# Next, create the proof statement.
stmt = DLRep(y1, x0 * g0 + x1 * g1) \
& DLRep(y2, x0 * g2 + x2 * g3)
# This is an equivalent way to create the proof statement above.
stmt_1 = DLRep(y1, x0 * g0 + x1 * g1)
stmt_2 = DLRep(y2, x0 * g2 + x2 * g3)
equivalent_stmt = AndProofStmt(stmt_1, stmt_2)
assert stmt.get_proof_id() == equivalent_stmt.get_proof_id()
# Simulate the prover and verifier interacting.
prover = stmt.get_prover({x0: 4, x1: 5, x2: 7})
verifier = stmt.get_verifier()
commitment = prover.commit()
challenge = verifier.send_challenge(commitment)
response = prover.compute_response(challenge)
assert verifier.verify(response)
# Composition takes into account re-occuring secrets.
x0 = Secret(4)
x1 = Secret(4)
y1 = x1.value * g1 # Next, create the proof statement. stmt = DLRep(y0, x0 * g0) | DLRep(y1, x1 * g1) # Set the first clause as simulated. stmt.subproofs[0].set_simulated() # This is an equivalent way to define the proof statement above. stmt_1 = DLRep(y0, x0 * g0) stmt_2 = DLRep(y1, x1 * g1) stmt_1.set_simulated() equivalent_stmt = OrProofStmt(stmt_1, stmt_2) assert stmt.get_proof_id() == equivalent_stmt.get_proof_id() # Another equivalent way. stmt_1 = DLRep(y0, x0 * g0, simulated=True) stmt_2 = DLRep(y1, x1 * g1) equivalent_stmt = OrProofStmt(stmt_1, stmt_2) assert stmt.get_proof_id() == equivalent_stmt.get_proof_id() # Execute the protocol. prover = stmt.get_prover() verifier = stmt.get_verifier() commitment = prover.commit() challenge = verifier.send_challenge(commitment)
