Exemple #1
0
def verifiabilityProofCheck(ppatspk, d, proof):
    ''' Return True if the ZKP proof is correct with respect to d
    meaning that d is a commitment on either 0 or 1
    '''
    u0, u1, t0, t1 = proof
    # notations
    Jcoord = ppatspk.PPATSpp.Jcoord
    ECG = ppatspk.PPATSpp.h.ECG

    ddt = oEC.toTupleEFp(d.d, Jcoord)

    u0ht = oEC.mul_comb2_EFp(ECG, u0, ppatspk.precomp_h, Jcoord)
    ddt0 = oEC.mulECP(ECG, ddt, -t0, False, Jcoord)
    w0t = oEC.addEFp(ECG, u0ht, ddt0, Jcoord)
    w0v = oEC.toEFp(ECG, w0t, Jcoord)
    w0 = ppat.ppats.PPATSCommitment(w0v, ppatspk)

    ddt1 = oEC.mulECP(ECG, ddt, -t1, False, Jcoord)
    u1ht = oEC.mul_comb2_EFp(ECG, u1, ppatspk.precomp_h, Jcoord)
    t1h1t = oEC.mul_comb2_EFp(ECG, t1, ppatspk.precomp_h1, Jcoord)
    ad1 = oEC.addEFp(ECG, ddt1, u1ht, Jcoord)
    w1t = oEC.addEFp(ECG, ad1, t1h1t, Jcoord)
    w1v = oEC.toEFp(ECG, w1t, Jcoord)
    w1 = ppat.ppats.PPATSCommitment(w1v, ppatspk)

    return t0 + t1 == ppatspk.hashf([ppatspk.PPATSpp, ppatspk, d, w0, w1])
Exemple #2
0
    def commit(self,m,r1=None,r2=None):

        q = self.PPATCpp.order
        if r1 == None:
            r1 = randint(1,int(q))
        if r2 == None:
            r2 = randint(1,int(q))

        # notations
        Jcoord = self.PPATCpp.Jcoord
        ECG1 = self.h1.ECG
        ECG2 = self.g1.ECG

        # commitment
        d11t = oEC.mul_comb2_EFp(ECG1,r1,self.precomp_h,Jcoord)
        d12t = oEC.mul_comb2_EFp(ECG1,r2,self.precomp_h1,Jcoord)
        d1t = oEC.addEFp(ECG1,d11t,d12t,Jcoord)
        d1 = oEC.toEFp(ECG1,d1t,Jcoord)
        #d1 = (r1*h)+(r2*h1)
        mp = self.encode(m)
        d21t = oEC.mul_comb2_EFp2(ECG2,r2,self.precomp_g1,Jcoord)
        d2t = oEC.addEFp2(ECG2,mp,d21t,Jcoord)
        d2 = oEC.toEFp2(ECG2,d2t,Jcoord)
        #d2 = mp + r2*g1

        return PPATCCommitment(d1,d2,self)
Exemple #3
0
def verifiabilityProofCheck(ppatspk, d, proof):
    """ Return True if the ZKP proof is correct with respect to d
    meaning that d is a commitment on either 0 or 1
    """
    u0, u1, t0, t1 = proof
    # notations
    Jcoord = ppatspk.PPATSpp.Jcoord
    ECG = ppatspk.PPATSpp.h.ECG

    ddt = oEC.toTupleEFp(d.d, Jcoord)

    u0ht = oEC.mul_comb2_EFp(ECG, u0, ppatspk.precomp_h, Jcoord)
    ddt0 = oEC.mulECP(ECG, ddt, -t0, False, Jcoord)
    w0t = oEC.addEFp(ECG, u0ht, ddt0, Jcoord)
    w0v = oEC.toEFp(ECG, w0t, Jcoord)
    w0 = ppat.ppats.PPATSCommitment(w0v, ppatspk)

    ddt1 = oEC.mulECP(ECG, ddt, -t1, False, Jcoord)
    u1ht = oEC.mul_comb2_EFp(ECG, u1, ppatspk.precomp_h, Jcoord)
    t1h1t = oEC.mul_comb2_EFp(ECG, t1, ppatspk.precomp_h1, Jcoord)
    ad1 = oEC.addEFp(ECG, ddt1, u1ht, Jcoord)
    w1t = oEC.addEFp(ECG, ad1, t1h1t, Jcoord)
    w1v = oEC.toEFp(ECG, w1t, Jcoord)
    w1 = ppat.ppats.PPATSCommitment(w1v, ppatspk)

    return t0 + t1 == ppatspk.hashf([ppatspk.PPATSpp, ppatspk, d, w0, w1])
Exemple #4
0
    def commit(self, m, r1=None, r2=None):

        q = self.PPATCpp.order
        if r1 == None:
            r1 = randint(1, int(q))
        if r2 == None:
            r2 = randint(1, int(q))

        # notations
        Jcoord = self.PPATCpp.Jcoord
        ECG1 = self.h1.ECG
        ECG2 = self.g1.ECG

        # commitment
        d11t = oEC.mul_comb2_EFp(ECG1, r1, self.precomp_h, Jcoord)
        d12t = oEC.mul_comb2_EFp(ECG1, r2, self.precomp_h1, Jcoord)
        d1t = oEC.addEFp(ECG1, d11t, d12t, Jcoord)
        d1 = oEC.toEFp(ECG1, d1t, Jcoord)
        #d1 = (r1*h)+(r2*h1)
        mp = self.encode(m)
        d21t = oEC.mul_comb2_EFp2(ECG2, r2, self.precomp_g1, Jcoord)
        d2t = oEC.addEFp2(ECG2, mp, d21t, Jcoord)
        d2 = oEC.toEFp2(ECG2, d2t, Jcoord)
        #d2 = mp + r2*g1

        return PPATCCommitment(d1, d2, self)
Exemple #5
0
def verifiabilityProof2(ppatspk, d, m, r, b=None, u=None, t=None):
    """ This ZK proof ensures that d = r*h+m*h1 is a commitment on m = 0 or 1
    b,u,t are the randomness used in the proof (optional)
    """
    # notations
    order = ppatspk.PPATSpp.order
    h = ppatspk.PPATSpp.h
    h1 = ppatspk.h1
    ECG = h.ECG
    Jcoord = ppatspk.PPATSpp.Jcoord
    # ht = oEC.toTupleEFp(ECG,h,Jcoord)
    nh1t = oEC.toTupleEFp(ECG, -h1, Jcoord)
    ddt = oEC.toTupleEFp(ECG, d.d, Jcoord)
    # assert h*r+h1*m == d.d # commitment is well formed
    assert m == 0 or m == 1  # the proof works only if m = 0 or 1

    if b == None:
        b = randint(1, int(order))
    if u == None:
        u = randint(1, int(order))
    if t == None:
        t = randint(1, int(order))

    hbt = oEC.mul_comb2_EFp(ECG, b, ppatspk.precomp_h, Jcoord)
    hb = oEC.toEFp(ECG, hbt, Jcoord)
    if m == 0:
        u1 = u
        t1 = t
        # commitment

        # w0 = PPATSCommitment(h*b,self)
        w0 = ppat.ppats.PPATSCommitment(hb, ppatspk)
        hu1t = oEC.mul_comb2_EFp(ECG, u1, ppatspk.precomp_h, Jcoord)
        s1 = oEC.addEFp(ECG, ddt, nh1t, Jcoord)
        s1t1 = oEC.mulECP(ECG, s1, -t1, False, Jcoord)
        w1t = oEC.addEFp(ECG, hu1t, s1t1, Jcoord)
        w1v = oEC.toEFp(ECG, w1t, Jcoord)
        w1 = ppat.ppats.PPATSCommitment(w1v, ppatspk)
        # challenge
        t0 = ppatspk.hashf([ppatspk.PPATSpp, ppatspk, d, w0, w1]) - t1
        # response
        u0 = b + r * t0
    if m == 1:
        u0 = u
        t0 = t
        # commitment
        hu0t = oEC.mul_comb2_EFp(ECG, u0, ppatspk.precomp_h, Jcoord)
        ddt0 = oEC.mulECP(ECG, ddt, -t0, False, Jcoord)
        w0t = oEC.addEFp(ECG, hu0t, ddt0, Jcoord)
        w0v = oEC.toEFp(ECG, w0t, Jcoord)
        w0 = ppat.ppats.PPATSCommitment(w0v, ppatspk)
        w1 = ppat.ppats.PPATSCommitment(hb, ppatspk)
        # challenge
        t1 = ppatspk.hashf([ppatspk.PPATSpp, ppatspk, d, w0, w1]) - t0
        # response
        u1 = b + r * t1
    return [u0, u1, t0, t1]

    """
Exemple #6
0
def verifiabilityProof2(ppatspk, d, m, r, b=None, u=None, t=None):
    ''' This ZK proof ensures that d = r*h+m*h1 is a commitment on m = 0 or 1
    b,u,t are the randomness used in the proof (optional)
    '''
    # notations
    order = ppatspk.PPATSpp.order
    h = ppatspk.PPATSpp.h
    h1 = ppatspk.h1
    ECG = h.ECG
    Jcoord = ppatspk.PPATSpp.Jcoord
    #ht = oEC.toTupleEFp(ECG,h,Jcoord)
    nh1t = oEC.toTupleEFp(ECG, -h1, Jcoord)
    ddt = oEC.toTupleEFp(ECG, d.d, Jcoord)
    #assert h*r+h1*m == d.d # commitment is well formed
    assert m == 0 or m == 1  # the proof works only if m = 0 or 1

    if b == None:
        b = randint(1, int(order))
    if u == None:
        u = randint(1, int(order))
    if t == None:
        t = randint(1, int(order))

    hbt = oEC.mul_comb2_EFp(ECG, b, ppatspk.precomp_h, Jcoord)
    hb = oEC.toEFp(ECG, hbt, Jcoord)
    if m == 0:
        u1 = u
        t1 = t
        # commitment

        #w0 = PPATSCommitment(h*b,self)
        w0 = ppat.ppats.PPATSCommitment(hb, ppatspk)
        hu1t = oEC.mul_comb2_EFp(ECG, u1, ppatspk.precomp_h, Jcoord)
        s1 = oEC.addEFp(ECG, ddt, nh1t, Jcoord)
        s1t1 = oEC.mulECP(ECG, s1, -t1, False, Jcoord)
        w1t = oEC.addEFp(ECG, hu1t, s1t1, Jcoord)
        w1v = oEC.toEFp(ECG, w1t, Jcoord)
        w1 = ppat.ppats.PPATSCommitment(w1v, ppatspk)
        # challenge
        t0 = ppatspk.hashf([ppatspk.PPATSpp, ppatspk, d, w0, w1]) - t1
        # response
        u0 = b + r * t0
    if m == 1:
        u0 = u
        t0 = t
        # commitment
        hu0t = oEC.mul_comb2_EFp(ECG, u0, ppatspk.precomp_h, Jcoord)
        ddt0 = oEC.mulECP(ECG, ddt, -t0, False, Jcoord)
        w0t = oEC.addEFp(ECG, hu0t, ddt0, Jcoord)
        w0v = oEC.toEFp(ECG, w0t, Jcoord)
        w0 = ppat.ppats.PPATSCommitment(w0v, ppatspk)
        w1 = ppat.ppats.PPATSCommitment(hb, ppatspk)
        # challenge
        t1 = ppatspk.hashf([ppatspk.PPATSpp, ppatspk, d, w0, w1]) - t0
        # response
        u1 = b + r * t1
    return [u0, u1, t0, t1]
    """
Exemple #7
0
 def verifyEval(self, com, b, phi_b, phiprime_b, w_b):
     '''
     Check if com is a commitment on a polynomial phi such that (b,phi_b) belongs
     to the polynomial. The verification uses the witness w_b and the evaluation
     of the polynomial phiprime at b.
     Return True if the verification succeeds.
     This method computes 3 pairings.
     '''
     EFp = self.pairing.EFp
     e = oEC.OptimAtePairing
     Pair = self.pairing
     Fp12 = Pair.Fpk
     #gamma = Pair.gamma
     #g = self.gVec[-1]
     #h = self.hVec[-1]
     gp = self.gprimeVec[-1]
     EFp2 = gp.ECG
     gp_alpha = self.gprimeVec[-2]
     
     #TODO: Optimize here # DONE
     #gprime_b = (b.val)*gp
     gprime_bt = oEC.mul_comb2_EFp2(EFp2,b.val,self.gprimeVecTab[-1],self.Jcoord)
     mgprime_bt = oEC.negEFp2(gprime_bt,self.Jcoord)
     gpat = oEC.toTupleEFp2(gp_alpha,self.Jcoord)
     t1t = oEC.addEFp2(EFp2,gpat,mgprime_bt,self.Jcoord)
     #t1 = gp_alpha-gprime_b
     #u1 = (phi_b.val)*g + (phiprime_b.val)*h
     a1 = oEC.mul_comb2_EFp(EFp,phi_b.val,self.gVecTab[-1],self.Jcoord)
     b1 = oEC.mul_comb2_EFp(EFp,phiprime_b.val,self.hVecTab[-1],self.Jcoord)
     u1t = oEC.addEFp(EFp,a1,b1,self.Jcoord)
     
     t1g = oEC.toEFp2(EFp2,t1t,self.Jcoord)
     u1g = oEC.toEFp(EFp,u1t,self.Jcoord)
     if self.Jcoord :
         t1g.toAffine()
         u1g.toAffine()
     #assert t1g == t1
     #assert u1g == u1
         
     rm = e(com.c,gp,Pair)
     lm1 = e(w_b.c,t1g,Pair)
     lm2 = e(u1g,gp,Pair)
     lm = oEC.mulFp12(Fp12,lm1,lm2)
     
     return rm == lm
Exemple #8
0
 def commit(self,phi_x,phiprime_x= None):
     '''
     Return a polynomial commitment on the polynomial phi_x eventually using phiprime_x as the randomness polynomial
     '''
     #Fp = self.pairing.Fp
     Fr = self.Fr
     EFp = self.pairing.EFp
     #order = self.pairing.r
     
     assert len(phi_x.coef) <= self.deg_pol+1
     if len(phi_x.coef) < self.deg_pol+1 :
         # Append zeros coef to phi_x if its coef list is too short (< deg_pol+1)
         diff = self.deg_pol+1 - len(phi_x.coef)
         L = [Fr.zero()]*diff
         new_phi_x = field.polynom(Fr,L+phi_x.coef)
         phi_x = new_phi_x
     
     if phiprime_x == None :
         phiprime_x = self.randomPolynomial()
         
     if len(phiprime_x.coef) < self.deg_pol+1 :
         # Append zeros coef to phiprime_x if its coef list is too short (< deg_pol+1)
         diff = self.deg_pol+1 - len(phiprime_x.coef)
         L = [Fr.zero()]*diff
         new_phiprime_x = field.polynom(Fr,L+phiprime_x.coef)
         phiprime_x = new_phiprime_x
             
     c = EFp.infty
     ct = oEC.toTupleEFp(c,self.Jcoord)
     #TODO: Optimize here # DONE
     for i in range(self.deg_pol+1):
         #c = c + (phi_x.coef[i].val)*self.gVec[i] + (phiprime_x.coef[i].val)*self.hVec[i]
         a = oEC.mul_comb2_EFp(EFp,phi_x.coef[i].val,self.gVecTab[i],self.Jcoord)
         b = oEC.mul_comb2_EFp(EFp,phiprime_x.coef[i].val,self.hVecTab[i],self.Jcoord)
         a_plus_b = oEC.addEFp(EFp, a,b,self.Jcoord)
         ct = oEC.addEFp(EFp, ct,a_plus_b,self.Jcoord)
     
     cg = oEC.toEFp(EFp,ct,self.Jcoord)
     if self.Jcoord :
         cg.toAffine()
     #assert cg == c
     #print 'cg,c',cg,c
     com = PolynomialCommitment(cg,self)
         
     return com, phiprime_x
Exemple #9
0
    def commit(self,m,r=None):
        ''' Output a commitment on m using randomness r
            Return the randomness used in the proof
        '''
        order = self.PPATSpp.order
        if r == None:
            r = randint(1,int(order))
        # notations
        h1 = self.h1
        ECG = h1.ECG
        Jcoord = self.PPATSpp.Jcoord
        m = m%order
        r = r%order

        rh = oEC.mul_comb2_EFp(ECG,r,self.precomp_h,Jcoord)
        mh1 = oEC.mul_comb2_EFp(ECG,m,self.precomp_h1,Jcoord)
        dt = oEC.addEFp(ECG,rh,mh1,Jcoord)

        d = oEC.toEFp(ECG,dt,Jcoord)


        return PPATSCommitment(d,self),r
Exemple #10
0
 def verifyPoly(self,com,phi_x,phiprime_x):
     '''
     Check that the commitment c is indeed a commitment on phi_x and phiprime_x
     return True if it is the case
     '''
     EFp = self.pairing.EFp
     
     c_prime = EFp.infty
     ct = oEC.toTupleEFp(c_prime,self.Jcoord)
     #TODO: Optimize here
     for i in range(self.deg_pol+1):
         #c_prime = c_prime + (phi_x.coef[i].val)*self.gVec[i] + (phiprime_x.coef[i].val)*self.hVec[i]
         a = oEC.mul_comb2_EFp(EFp,phi_x.coef[i].val,self.gVecTab[i],self.Jcoord)
         b = oEC.mul_comb2_EFp(EFp,phiprime_x.coef[i].val,self.hVecTab[i],self.Jcoord)
         a_plus_b = oEC.addEFp(EFp, a,b,self.Jcoord)
         ct = oEC.addEFp(EFp, ct,a_plus_b,self.Jcoord)
         
     cg = oEC.toEFp(EFp,ct,self.Jcoord)
     if self.Jcoord :
         cg.toAffine()
     #assert c_prime == cg
         
     return com.c == cg
Exemple #11
0
def multiplicationProofCheck(ppatspk, d1, d2, d3, proof):
    ''' d1,d2,d3 are PPATS Commitment
    proof is a ZK proof that d3 commits on the
    product of the message commited in d1 and d2.
    the method returns True if this assertion is correct and False
    otherwise
    '''
    #assert isinstance(d1,ppat.ppats.PPATSCommitment)
    #assert isinstance(d2,ppat.ppats.PPATSCommitment)
    #assert isinstance(d3,ppat.ppats.PPATSCommitment)
    # Notations
    ECG = ppatspk.PPATSpp.h.ECG
    Jcoord = ppatspk.PPATSpp.Jcoord

    nu, z1, z2, s1, s2, s3 = proof

    #a1 = s1*h + z1*h1
    a1c, s1 = ppatspk.commit(z1, s1)
    a1 = a1c.d
    #a2 = s2*h + z2*h1
    a2c, s2 = ppatspk.commit(z2, s2)
    a2 = a2c.d
    s3ht = oEC.mul_comb2_EFp(ECG, s3, ppatspk.precomp_h, Jcoord)
    d1t = oEC.toTupleEFp(d1.d, Jcoord)
    z2d1t = oEC.mulECP(ECG, d1t, z2, False, Jcoord)
    a3t = oEC.addEFp(ECG, s3ht, z2d1t, Jcoord)
    #a3 = s3*h + z2*d1.d
    d2t = oEC.toTupleEFp(d2.d, Jcoord)
    d3t = oEC.toTupleEFp(d3.d, Jcoord)
    mnud1t = oEC.mulECP(ECG, d1t, -nu, False, Jcoord)
    mnud2t = oEC.mulECP(ECG, d2t, -nu, False, Jcoord)
    mnud3t = oEC.mulECP(ECG, d3t, -nu, False, Jcoord)
    a1t = oEC.toTupleEFp(a1, Jcoord)
    a2t = oEC.toTupleEFp(a2, Jcoord)

    e1t = oEC.addEFp(ECG, a1t, mnud1t, Jcoord)
    e2t = oEC.addEFp(ECG, a2t, mnud2t, Jcoord)
    e3t = oEC.addEFp(ECG, a3t, mnud3t, Jcoord)
    e1 = oEC.toEFp(ECG, e1t, Jcoord)
    e2 = oEC.toEFp(ECG, e2t, Jcoord)
    e3 = oEC.toEFp(ECG, e3t, Jcoord)

    d1p = ppat.ppats.PPATSCommitment(e1, ppatspk)
    d2p = ppat.ppats.PPATSCommitment(e2, ppatspk)
    d3p = ppat.ppats.PPATSCommitment(e3, ppatspk)

    nup = ppatspk.hashf([ppatspk.PPATSpp, ppatspk, d1, d2, d3, d1p, d2p, d3p])

    return nu == nup
Exemple #12
0
def multiplicationProofCheck(ppatspk, d1, d2, d3, proof):
    """ d1,d2,d3 are PPATS Commitment
    proof is a ZK proof that d3 commits on the
    product of the message commited in d1 and d2.
    the method returns True if this assertion is correct and False
    otherwise
    """
    # assert isinstance(d1,ppat.ppats.PPATSCommitment)
    # assert isinstance(d2,ppat.ppats.PPATSCommitment)
    # assert isinstance(d3,ppat.ppats.PPATSCommitment)
    # Notations
    ECG = ppatspk.PPATSpp.h.ECG
    Jcoord = ppatspk.PPATSpp.Jcoord

    nu, z1, z2, s1, s2, s3 = proof

    # a1 = s1*h + z1*h1
    a1c, s1 = ppatspk.commit(z1, s1)
    a1 = a1c.d
    # a2 = s2*h + z2*h1
    a2c, s2 = ppatspk.commit(z2, s2)
    a2 = a2c.d
    s3ht = oEC.mul_comb2_EFp(ECG, s3, ppatspk.precomp_h, Jcoord)
    d1t = oEC.toTupleEFp(d1.d, Jcoord)
    z2d1t = oEC.mulECP(ECG, d1t, z2, False, Jcoord)
    a3t = oEC.addEFp(ECG, s3ht, z2d1t, Jcoord)
    # a3 = s3*h + z2*d1.d
    d2t = oEC.toTupleEFp(d2.d, Jcoord)
    d3t = oEC.toTupleEFp(d3.d, Jcoord)
    mnud1t = oEC.mulECP(ECG, d1t, -nu, False, Jcoord)
    mnud2t = oEC.mulECP(ECG, d2t, -nu, False, Jcoord)
    mnud3t = oEC.mulECP(ECG, d3t, -nu, False, Jcoord)
    a1t = oEC.toTupleEFp(a1, Jcoord)
    a2t = oEC.toTupleEFp(a2, Jcoord)

    e1t = oEC.addEFp(ECG, a1t, mnud1t, Jcoord)
    e2t = oEC.addEFp(ECG, a2t, mnud2t, Jcoord)
    e3t = oEC.addEFp(ECG, a3t, mnud3t, Jcoord)
    e1 = oEC.toEFp(ECG, e1t, Jcoord)
    e2 = oEC.toEFp(ECG, e2t, Jcoord)
    e3 = oEC.toEFp(ECG, e3t, Jcoord)

    d1p = ppat.ppats.PPATSCommitment(e1, ppatspk)
    d2p = ppat.ppats.PPATSCommitment(e2, ppatspk)
    d3p = ppat.ppats.PPATSCommitment(e3, ppatspk)

    nup = ppatspk.hashf([ppatspk.PPATSpp, ppatspk, d1, d2, d3, d1p, d2p, d3p])

    return nu == nup
Exemple #13
0
 def queryZKS(self, com, phi_x, phiprime_x, b, b_is_root_of_phi_x, khi_x = None, khiprime_x = None):
     '''
     Returns a non-interactive zero-knowledge proof of knowledge that phi(b)
     = 0 or phi(b) != 0 where phi is the polynomial commited to in com.
     '''
     EFp = self.pairing.EFp
     
     b, phi_b_eval, phiprime_b_eval, w_b = self.createWitness(phi_x,phiprime_x,b)
     if b_is_root_of_phi_x :
         assert phi_b_eval.iszero()
         return b, w_b, phiprime_b_eval, None
     else :
         #TODO: Optimize here #DONE
         #z_j = phi_b_eval.val*self.gVec[-1] + phiprime_b_eval.val*self.hVec[-1]
         a = oEC.mul_comb2_EFp(EFp, phi_b_eval.val, self.gVecTab[-1],self.Jcoord)
         b = oEC.mul_comb2_EFp(EFp, phiprime_b_eval.val, self.hVecTab[-1],self.Jcoord)
         z_jt = oEC.addEFp(EFp,a,b,self.Jcoord)
         z_jg = oEC.toEFp(EFp,z_jt,self.Jcoord)
         if self.Jcoord :
             z_jg.toAffine()
         
         #assert z_j == z_jg
         proof_z_j = self.openingNIZKPOK(com,phi_x,phiprime_x,khi_x,khiprime_x)
         return b, w_b, None, (z_jg, proof_z_j)
Exemple #14
0
    def multiplicationCommitFromTriplet(self,a1,a2,a3,m1,m2):
        ''' This method builds a commitment d3 based on three precomputed commitments
        a1,a2,a3 such that a1 commits (m_a-m1),a2 commits on (m_b-m2) and a3 commits
        on some m_a*m_b+..., the output is d3 that commits on m_a*m_b
        but it does not perform any verification whatsoever
        '''
        Jcoord = self.PPATSpp.Jcoord
        ECG = self.h1.ECG
        order = self.PPATSpp.order
        a1dt = oEC.toTupleEFp(a1.d,Jcoord)
        a2dt = oEC.toTupleEFp(a2.d,Jcoord)
        a3dt = oEC.toTupleEFp(a3.d,Jcoord)
        m2a1dt = oEC.mulECP(ECG,a1dt,m2,False,Jcoord)
        m1a2dt = oEC.mulECP(ECG,a2dt,m1,False,Jcoord)
        m1m2h1t = oEC.mul_comb2_EFp(ECG,(m1*m2)%order,self.precomp_h1,Jcoord)

        a1t = oEC.addEFp(ECG,m2a1dt,m1a2dt,Jcoord)
        a2t = oEC.addEFp(ECG,a1t,a3dt,Jcoord)
        d3t = oEC.addEFp(ECG,a2t,m1m2h1t,Jcoord)
        d3 = oEC.toEFp(ECG,d3t,Jcoord)
        #d3p = (m2*a1.d)+(m1*a2.d)+a3.d+((m1*m2)*h1)
        #assert d3 == d3p
        return PPATSCommitment(d3,self)
Exemple #15
0
    def verifyOpening(self,com,m,a):
        ''' The method verifies that the commitment com commits on m with respect
            to the opening a.
        '''
        # notoations
        g = self.PPATSpp.g
        h = self.PPATSpp.h
        ECG = h.ECG
        Jcoord = self.PPATSpp.Jcoord
        order = self.PPATSpp.order
        e = self.PPATSpp.e
        Pair = self.PPATSpp.Pair

        psi = self.PPATSpp.psi

        psia = psi(a)
        psig = psi(g)
        comdt = oEC.toTupleEFp(com.d,Jcoord)
        mmh1t = oEC.mul_comb2_EFp(ECG,(-m)%order,self.precomp_h1,Jcoord)
        ddt = oEC.addEFp(ECG,comdt,mmh1t,Jcoord)
        dd = oEC.toEFp(ECG,ddt,Jcoord)
        #dd = com.d-(m*h1)
        return e(h,psia,Pair) == e(dd,psig,Pair)
Exemple #16
0
 def rerandomize(self,com,phiprime_x,phisecond_x=None):
     '''
     Return a polynomial commitment with a new randomness polynomial
     '''
     EFp = self.pairing.EFp
     if phisecond_x == None :
         phisecond_x = self.randomPolynomial()
         
     c = com.c
     ct = oEC.toTupleEFp(c,self.Jcoord)
     #TODO: Optimize here #DONE
     for i in range(self.deg_pol+1):
         #c = c + (phisecond_x.coef[i].val)*self.hVec[i]
         b = oEC.mul_comb2_EFp(EFp,phisecond_x.coef[i].val,self.hVecTab[i],self.Jcoord)
         ct = oEC.addEFp(EFp, ct,b,self.Jcoord)
     
     cg = oEC.toEFp(EFp,ct,self.Jcoord)
     if self.Jcoord :
         cg.toAffine()
     #assert c == cg
         
     rerand_com =  PolynomialCommitment(cg, self)
     
     return rerand_com, phiprime_x+phisecond_x