def test_and_proof_with_complex_expression(group):
g = group.generator()
g1 = 2 * g
g2 = 5 * g
g3 = 10 * g
x1 = Secret()
x2 = Secret()
x3 = Secret()
proof = DLRep(10 * g1 + 15 * g2, x1 * g1 + x2 * g2) & DLRep(
15 * g1 + 35 * g3, x2 * g1 + x3 * g3)
prover = proof.get_prover({x1: 10, x2: 15, x3: 35})
verifier = proof.get_verifier()
assert verify(verifier, prover)
# Next, create the proof statement.
stmt = DLRep(y1, x0 * g0 + x1 * g1) \
& DLRep(y2, x0 * g2 + x2 * g3)
# This is an equivalent way to create the proof statement above.
stmt_1 = DLRep(y1, x0 * g0 + x1 * g1)
stmt_2 = DLRep(y2, x0 * g2 + x2 * g3)
equivalent_stmt = AndProofStmt(stmt_1, stmt_2)
assert stmt.get_proof_id() == equivalent_stmt.get_proof_id()
# Simulate the prover and verifier interacting.
prover = stmt.get_prover({x0: 4, x1: 5, x2: 7})
verifier = stmt.get_verifier()
commitment = prover.commit()
challenge = verifier.send_challenge(commitment)
response = prover.compute_response(challenge)
assert verifier.verify(response)
# Composition takes into account re-occuring secrets.
x0 = Secret(4)
x1 = Secret(4)
stmt = DLRep(4 * g0, x0 * g0) & DLRep(4 * g1, x1 * g1)
# NOT the same as above. Note that x1_prime is used for both clauses.
x1_prime = Secret(4)
another_stmt = DLRep(4 * g0, x1_prime * g0) & DLRep(4 * g1, x1_prime * g1)
