def test_inner_product_proof_one_known():
n = 15
a = [ZR.random() for i in range(n)]
b = [ZR.random() for i in range(n)]
iprod = ZR(0)
for i in range(n):
iprod += a[i] * b[i]
comm, iprod, proof = prove_inner_product_one_known(a, b)
assert verify_inner_product_one_known(comm, iprod, b, proof)
comm, iprod, badproof = prove_inner_product_one_known(a, b, comm=G1.rand())
assert not verify_inner_product_one_known(comm, iprod, b, badproof)
def test_batch_inner_product_proof_one_known():
n = 13
a = [ZR.random() for i in range(n)]
bs = [[ZR.random() for j in range(n)] for i in range(3 * n)]
comm, iprods, proofs = prove_batch_inner_product_one_known(a, bs)
assert verify_batch_inner_product_one_known(comm, iprods[2], bs[2],
proofs[2])
comm, iprods, badproofs = prove_batch_inner_product_one_known(
a, bs, comm=G1.rand())
assert not verify_batch_inner_product_one_known(comm, iprods[2], bs[2],
badproofs[2])
def test_inner_product_proof():
n = 10
a = [ZR.random() for i in range(n)]
b = [ZR.random() for i in range(n)]
iprod = ZR(0)
for i in range(n):
iprod += a[i] * b[i]
comm, iprod, proof = prove_inner_product(a, b)
assert verify_inner_product(comm, iprod, proof)
comm, iprod, proof2 = prove_inner_product(a, b, comm=comm)
assert verify_inner_product(comm, iprod, proof2)
comm, iprod, badproof = prove_inner_product(a, b, comm=G1.rand())
assert not verify_inner_product(comm, iprod, badproof)
def double_batch_create_witness(self, phis, r, n=None):
t = len(phis[0].coeffs) - 1
numpolys = len(phis)
if n is None:
n = 3 * t + 1
numverifiers = n
if len(self.y_vecs) < numverifiers:
i = len(self.y_vecs)
while i < numverifiers:
self.y_vecs.append([ZR(i + 1)**j for j in range(t + 1)])
i += 1
# length t
s_vec = [ZR.random() for _ in range(t + 1)]
sy_prods = [ZR(0) for _ in range(numverifiers)]
S = G1.identity()
T_vec = [None] * numverifiers
witnesses = [[] for _ in range(numverifiers)]
for i in range(t + 1):
S *= self.gs[i].pow(s_vec[i])
for j in range(numverifiers):
for i in range(t + 1):
sy_prods[j] += s_vec[i] * self.y_vecs[j][i]
T_vec[j] = self.gs[0].pow(sy_prods[j])
rho = ZR.random()
S *= self.h**rho
# Fiat Shamir
tree = MerkleTree()
for j in range(numverifiers):
tree.append(pickle.dumps(T_vec[j]))
roothash = tree.get_root_hash()
for j in range(numverifiers):
branch = tree.get_branch(j)
witnesses[j].append(roothash)
witnesses[j].append(branch)
challenge = ZR.hash(
pickle.dumps([roothash, self.gs, self.h, self.u, S]))
d_vecs = []
for i in range(len(phis)):
d_vecs.append([
phis[i].coeffs[j] + s_vec[j] * challenge for j in range(t + 1)
])
Ds = [G1.identity() for _ in range(len(phis))]
_ = [[
Ds[i].__imul__(self.gs[j].pow(d_vecs[i][j])) for j in range(t + 1)
] for i in range(len(phis))]
mu = r + rho * challenge
comms, t_hats, iproofs = prove_double_batch_inner_product_one_known_but_differenter(
d_vecs, self.y_vecs, crs=[self.gs, self.u])
for j in range(numverifiers):
witnesses[j] += [t, S, T_vec[j], Ds, mu, t_hats[j], iproofs[j]]
return witnesses
async def test_HbACSS1Recoverer(test_router):
t = 2
n = 3 * t + 1
poly = polynomials_over(ZR)
secrets = [ZR.random() for i in range(t + 1)]
secretpolys = [poly.random(t, secrets[i]) for i in range(t + 1)]
crs = gen_pc_const_dl_crs(t)
pc = PolyCommitConstDL(crs)
commits = [pc.commit(phi) for phi in secretpolys]
#witnesses[i][j] should give the proof for party i's share of polynomial number j
witnesses = [[pc.create_witness(phi, i) for phi in secretpolys]
for i in range(1, n + 1)]
shares = [[phi(i) for phi in secretpolys] for i in range(1, n + 1)]
sends, recvs, _ = test_router(n)
loop = asyncio.get_event_loop()
players = [
HbACSS1Recoverer(crs,
n,
t,
i,
sends[i],
recvs[i],
shares[i],
True,
commits,
witnesses[i],
pc=pc) for i in range(n)
]
playertasks = [loop.create_task(player._run()) for player in players]
for task in playertasks:
task.add_done_callback(print_exception_callback)
#loop.run_forever()
await asyncio.gather(*playertasks)
def test_pc_log_batch(t):
pc = PolyCommitLog()
phi = polynomials_over(ZR).random(t)
r = ZR.random()
c = pc.commit(phi, r)
witnesses = pc.batch_create_witness(phi, r)
assert pc.verify_eval(c, 4, phi(4), witnesses[3])
def test_inner_product_interactive_proof():
loop = asyncio.get_event_loop()
pr_queue = asyncio.Queue(loop=loop)
vr_queue = asyncio.Queue(loop=loop)
prover = inner_product_prover(vr_queue, pr_queue)
verifier = inner_product_verifier(pr_queue, vr_queue)
n = 10
a = [ZR.random() for i in range(n)]
b = [ZR.random() for i in range(n)]
iprod = ZR(0)
for i in range(n):
iprod += a[i] * b[i]
(comm1, iprod1, g_vec1, h_vec1, u1, a_vec1, b_vec1, n1,
P1) = prover.set_up_params(a, b)
(g_vec2, h_vec2, u2, n2, P2) = verifier.set_up_params(n1, P1)
prover_coro = prover.recursive_prove(g_vec1, h_vec1, u1, a_vec1, b_vec1,
n1, P1)
verifier_coro = verifier.recursive_verify(g_vec2, h_vec2, u2, n2, P2)
_, ret = loop.run_until_complete(asyncio.gather(prover_coro,
verifier_coro))
assert ret == True
(_, _, g_vec1, h_vec1, u1, a_vec1, b_vec1, n1,
P1) = prover.set_up_params(a, b, comm=comm1)
(g_vec2, h_vec2, u2, n2, P2) = verifier.set_up_params(n1, P1)
prover_coro = prover.recursive_prove(g_vec1, h_vec1, u1, a_vec1, b_vec1,
n1, P1)
verifier_coro = verifier.recursive_verify(g_vec2, h_vec2, u2, n2, P2)
_, ret = loop.run_until_complete(asyncio.gather(prover_coro,
verifier_coro))
assert ret == True
(comm1, iprod1, g_vec1, h_vec1, u1, a_vec1, b_vec1, n1,
P1) = prover.set_up_params(a, b, comm=G1.rand())
(g_vec2, h_vec2, u2, n2, P2) = verifier.set_up_params(n1, P1)
prover_coro = prover.recursive_prove(g_vec1, h_vec1, u1, a_vec1, b_vec1,
n1, P1)
verifier_coro = verifier.recursive_verify(g_vec2, h_vec2, u2, n2, P2)
_, ret = loop.run_until_complete(asyncio.gather(prover_coro,
verifier_coro))
assert ret == False
loop.close()
def test_hbacss2_size_benchmark_batch_creation(benchmark, t):
pc = PolyCommitLog(degree_max=t)
pc.preprocess_prover(16)
r = ZR.random()
phis = []
for _ in range(t):
phi_curr = polynomials_over(ZR).random(t)
phis.append(phi_curr)
benchmark(pc.double_batch_create_witness, phis, r)
def batch_create_witness(self, phi, r, n=None):
t = len(phi.coeffs) - 1
if n is None:
n = 3 * t + 1
if len(self.y_vecs) < n:
i = len(self.y_vecs)
while i < n:
self.y_vecs.append([ZR(i + 1)**j for j in range(t + 1)])
i += 1
s_vec = [ZR.random() for _ in range(t + 1)]
sy_prods = [ZR(0) for _ in range(n)]
S = G1.identity()
T_vec = [None] * n
witnesses = [[] for _ in range(n)]
for i in range(t + 1):
S *= self.gs[i]**s_vec[i]
for j in range(n):
for i in range(t + 1):
sy_prods[j] += s_vec[i] * self.y_vecs[j][i]
T_vec[j] = self.gs[0]**sy_prods[j]
rho = ZR.random()
S *= self.h**rho
# Fiat Shamir
tree = MerkleTree()
for j in range(n):
tree.append(pickle.dumps(T_vec[j]))
roothash = tree.get_root_hash()
for j in range(n):
branch = tree.get_branch(j)
witnesses[j].append(roothash)
witnesses[j].append(branch)
challenge = ZR.hash(
pickle.dumps([roothash, self.gs, self.h, self.u, S]))
d_vec = [phi.coeffs[j] + s_vec[j] * challenge for j in range(t + 1)]
D = G1.identity()
for j in range(t + 1):
D *= self.gs[j]**d_vec[j]
mu = r + rho * challenge
comm, t_hats, iproofs = prove_batch_inner_product_one_known(
d_vec, self.y_vecs, crs=[self.gs, self.u])
for j in range(len(witnesses)):
witnesses[j] += [S, T_vec[j], D, mu, t_hats[j], iproofs[j]]
return witnesses
def test_pc_log(t):
pc = PolyCommitLog()
phi = polynomials_over(ZR).random(t)
# ToDo: see if other polycommits return the commit randomness
# rather than expecting it as arg
r = ZR.random()
c = pc.commit(phi, r)
witness = pc.create_witness(phi, r, 3)
assert pc.verify_eval(c, 3, phi(3), witness)
assert not pc.verify_eval(c, 4, phi(3), witness)
assert not pc.verify_eval(G1.rand(), 3, phi(3), witness)
def test_double_batch_pc_log_batch_differing_degrees(t):
pc = PolyCommitLog()
n = 2*t+1
phi1 = polynomials_over(ZR).random(t)
phi2 = polynomials_over(ZR).random(t)
r = ZR.random()
c1 = pc.commit(phi1, r)
c2 = pc.commit(phi2, r)
witnesses = pc.double_batch_create_witness([phi1, phi2], r, n=n)
assert pc.batch_verify_eval([c1,c2], 4, [phi1(4), phi2(4)], witnesses[3])
assert pc.batch_verify_eval([c1,c2], 4, [phi1(4), phi2(4)], witnesses[3], degree=t)
assert not pc.batch_verify_eval([c1,c2], 4, [phi1(4), phi2(4)], witnesses[3], degree=t+1)
assert not pc.batch_verify_eval([c1,c2], 4, [phi1(4), phi2(4)], witnesses[3], degree=t-1)
def create_witness(self, phi, r, i):
t = len(phi.coeffs) - 1
y_vec = [ZR(i)**j for j in range(t + 1)]
s_vec = [ZR.random() for _ in range(t + 1)]
sy_prod = ZR(0)
S = G1.identity()
for j in range(t + 1):
S *= self.gs[j]**s_vec[j]
sy_prod += s_vec[j] * y_vec[j]
T = self.gs[0]**sy_prod
rho = ZR.random()
S *= self.h**rho
# Fiat Shamir
challenge = ZR.hash(pickle.dumps([self.gs, self.h, self.u, S, T]))
d_vec = [phi.coeffs[j] + s_vec[j] * challenge for j in range(t + 1)]
D = G1.identity()
for j in range(t + 1):
D *= self.gs[j]**d_vec[j]
mu = r + rho * challenge
comm, t_hat, iproof = prove_inner_product_one_known(
d_vec, y_vec, crs=[self.gs, self.u])
return [S, T, D, mu, t_hat, iproof]
def test_double_batch_pc_log_batch_prove_and_verify(t):
pc = PolyCommitLog()
phi1 = polynomials_over(ZR).random(t)
phi2 = polynomials_over(ZR).random(t)
phi3 = polynomials_over(ZR).random(t)
r = ZR.random()
c1 = pc.commit(phi1, r)
c2 = pc.commit(phi2, r)
witnesses = pc.double_batch_create_witness([phi1, phi2], r)
assert pc.batch_verify_eval([c1,c2], 4, [phi1(4), phi2(4)], witnesses[3])
assert not pc.batch_verify_eval([c1,c2], 3, [phi1(4), phi2(4)], witnesses[3])
assert not pc.batch_verify_eval([c1,c2], 4, [phi1(4), phi2(4)], witnesses[2])
assert not pc.batch_verify_eval([c1,c1], 4, [phi1(4), phi2(4)], witnesses[3])
def test_hbacss2_size_benchmark_batch_verify(benchmark, t):
pc = PolyCommitLog(degree_max=t)
pc.preprocess_verifier(16)
phis = []
r = ZR.random()
cs = []
for _ in range(t):
phi_curr = polynomials_over(ZR).random(t)
phis.append(phi_curr)
c_curr = pc.commit(phi_curr, r)
cs.append(c_curr)
witnesses = pc.double_batch_create_witness(phis, r)
i = 4
phis_at_4 = []
for j in range(len(phis)):
phis_at_4.append(phis[j](i))
benchmark(pc.batch_verify_eval, cs, i, phis_at_4, witnesses[i - 1])
def gen_pc_const_dl_crs(t, alpha=None, g=None, ghat=None, ZR=ZR, G1=G1, G2=G2):
nonetype = type(None)
assert type(t) is int
assert type(alpha) in (ZR, int, nonetype)
assert type(g) in (G1, nonetype)
assert type(ghat) in (G2, nonetype)
if alpha is None:
alpha = ZR.random()
if g is None:
g = G1.rand()
if ghat is None:
ghat = G2.rand()
(gs, ghats) = ([], [])
for i in range(t + 1):
gs.append(g**(alpha**i))
for i in range(2):
ghats.append(ghat**(alpha**i))
crs = [gs, ghats]
return crs
async def recursive_verify(self, g_vec, h_vec, u, n, P):
if n == 1:
[a, b] = await self.receive_queue.get()
return P == g_vec[0]**a * h_vec[0]**b * u**(a * b)
if n % 2 == 1:
[na, nb, L, R] = await self.receive_queue.get()
P *= g_vec[-1]**(na) * h_vec[-1]**(nb) * u**(-na * nb)
else:
[L, R] = await self.receive_queue.get()
x = ZR.random()
await self.send_queue.put(x)
xi = x**-1
n_p = n // 2
g_vec_p = []
h_vec_p = []
for i in range(n_p):
g_vec_p.append(g_vec[:n_p][i]**xi * g_vec[n_p:][i]**x)
h_vec_p.append(h_vec[:n_p][i]**x * h_vec[n_p:][i]**xi)
P_p = L**(x * x) * P * R**(xi * xi)
ret = await self.recursive_verify(g_vec_p, h_vec_p, u, n_p, P_p)
return ret
if alpha is None:
alpha = ZR.random()
if g is None:
g = G1.rand()
if ghat is None:
ghat = G2.rand()
(gs, ghats) = ([], [])
for i in range(t + 1):
gs.append(g**(alpha**i))
for i in range(2):
ghats.append(ghat**(alpha**i))
crs = [gs, ghats]
return crs
#todo make an actual test file
if __name__ == "__main__":
#from honeybadgermpc.poly_commit_const_dl import *
#from honeybadgermpc.polynomial import polynomials_over
#from pypairing import ZR
t = 3
crs = gen_pc_const_dl_crs(t)
poly = polynomials_over(ZR)
s = ZR.random()
phi = poly.random(t, s)
pc = PolyCommitConstDL(crs)
c = pc.commit(phi)
w = pc.create_witness(phi, 2)
assert pc.verify_eval(c, 2, phi(2), w)
assert not pc.verify_eval(c, 3, phi(2), w)
print("success!")