def test_scalar_vector_extend(self):
v = ScalarVector([Scalar(0),Scalar(1)])
w = ScalarVector([Scalar(2),Scalar(3)])
v.extend(w)
t = ScalarVector([Scalar(0),Scalar(1),Scalar(2),Scalar(3)])
self.assertEqual(len(v),len(t))
self.assertEqual(v.scalars,t.scalars)
def prove(data,N):
clear_cache()
M = len(data)
# curve points
G = dumb25519.G
H = hash_to_point('pybullet H')
Gi = PointVector([hash_to_point('pybullet Gi ' + str(i)) for i in range(M*N)])
Hi = PointVector([hash_to_point('pybullet Hi ' + str(i)) for i in range(M*N)])
# set amount commitments
V = PointVector([])
aL = ScalarVector([])
for v,gamma in data:
V.append((H*v + G*gamma)*inv8)
mash(V[-1])
aL.extend(scalar_to_bits(v,N))
# set bit arrays
aR = ScalarVector([])
for bit in aL.scalars:
aR.append(bit-Scalar(1))
alpha = random_scalar()
A = (Gi*aL + Hi*aR + G*alpha)*inv8
sL = ScalarVector([random_scalar()]*(M*N))
sR = ScalarVector([random_scalar()]*(M*N))
rho = random_scalar()
S = (Gi*sL + Hi*sR + G*rho)*inv8
# get challenges
mash(A)
mash(S)
y = cache
y_inv = y.invert()
mash('')
z = cache
# polynomial coefficients
l0 = aL - ScalarVector([z]*(M*N))
l1 = sL
# ugly sum
zeros_twos = []
for i in range (M*N):
zeros_twos.append(Scalar(0))
for j in range(1,M+1):
temp = Scalar(0)
if i >= (j-1)*N and i < j*N:
temp = Scalar(2)**(i-(j-1)*N)
zeros_twos[-1] += temp*(z**(1+j))
# more polynomial coefficients
r0 = aR + ScalarVector([z]*(M*N))
r0 = r0*exp_scalar(y,M*N)
r0 += ScalarVector(zeros_twos)
r1 = exp_scalar(y,M*N)*sR
# build the polynomials
t0 = l0**r0
t1 = l0**r1 + l1**r0
t2 = l1**r1
tau1 = random_scalar()
tau2 = random_scalar()
T1 = (H*t1 + G*tau1)*inv8
T2 = (H*t2 + G*tau2)*inv8
mash(T1)
mash(T2)
x = cache # challenge
taux = tau1*x + tau2*(x**2)
for j in range(1,M+1):
gamma = data[j-1][1]
taux += z**(1+j)*gamma
mu = x*rho+alpha
l = l0 + l1*x
r = r0 + r1*x
t = l**r
mash(taux)
mash(mu)
mash(t)
x_ip = cache # challenge
L = PointVector([])
R = PointVector([])
# initial inner product inputs
data_ip = [Gi,PointVector([Hi[i]*(y_inv**i) for i in range(len(Hi))]),H*x_ip,l,r,None,None]
while True:
data_ip = inner_product(data_ip)
# we have reached the end of the recursion
if len(data_ip) == 2:
return [V,A,S,T1,T2,taux,mu,L,R,data_ip[0],data_ip[1],t]
# we are not done yet
L.append(data_ip[-2])
R.append(data_ip[-1])
def prove(data,N):
tr = transcript.Transcript('Bulletproof')
M = len(data)
# curve points
Gi = PointVector([hash_to_point('pybullet Gi ' + str(i)) for i in range(M*N)])
Hi = PointVector([hash_to_point('pybullet Hi ' + str(i)) for i in range(M*N)])
# set amount commitments
V = PointVector([])
aL = ScalarVector([])
for v,gamma in data:
V.append(com(v,gamma)*inv8)
tr.update(V[-1])
aL.extend(scalar_to_bits(v,N))
# set bit arrays
aR = ScalarVector([])
for bit in aL.scalars:
aR.append(bit-Scalar(1))
alpha = random_scalar()
A = (Gi**aL + Hi**aR + Gc*alpha)*inv8
sL = ScalarVector([random_scalar()]*(M*N))
sR = ScalarVector([random_scalar()]*(M*N))
rho = random_scalar()
S = (Gi**sL + Hi**sR + Gc*rho)*inv8
# get challenges
tr.update(A)
tr.update(S)
y = tr.challenge()
z = tr.challenge()
y_inv = y.invert()
# polynomial coefficients
l0 = aL - ScalarVector([z]*(M*N))
l1 = sL
# for polynomial coefficients
zeros_twos = []
z_cache = z**2
for j in range(M):
for i in range(N):
zeros_twos.append(z_cache*2**i)
z_cache *= z
# more polynomial coefficients
r0 = aR + ScalarVector([z]*(M*N))
r0 = r0*exp_scalar(y,M*N)
r0 += ScalarVector(zeros_twos)
r1 = exp_scalar(y,M*N)*sR
# build the polynomials
t0 = l0**r0
t1 = l0**r1 + l1**r0
t2 = l1**r1
tau1 = random_scalar()
tau2 = random_scalar()
T1 = com(t1,tau1)*inv8
T2 = com(t2,tau2)*inv8
tr.update(T1)
tr.update(T2)
x = tr.challenge()
taux = tau1*x + tau2*(x**2)
for j in range(1,M+1):
gamma = data[j-1][1]
taux += z**(1+j)*gamma
mu = x*rho+alpha
l = l0 + l1*x
r = r0 + r1*x
t = l**r
tr.update(taux)
tr.update(mu)
tr.update(t)
x_ip = tr.challenge()
# initial inner product inputs
data = InnerProductRound(Gi,PointVector([Hi[i]*(y_inv**i) for i in range(len(Hi))]),Hc*x_ip,l,r,tr)
while True:
inner_product(data)
# we have reached the end of the recursion
if data.done:
return Bulletproof(V,A,S,T1,T2,taux,mu,data.L,data.R,data.a,data.b,t)