def test_or_and_dlrne(): secrets, secret_values, secret_dict = get_secrets(4) generators = make_generators(4) lhs_values = [x * g for x, g in zip(secret_values, generators)] y3 = secret_values[2] * generators[3] p1 = DLNotEqual( [lhs_values[0], generators[0]], [lhs_values[1], generators[1]], secrets[0], bind=True, ) p2 = DLNotEqual([lhs_values[1], generators[1]], [y3, generators[3]], secrets[1], bind=True) andp_nested = AndProofStmt(p1, p2) orp = OrProofStmt(andp_nested, p1, p2) prov = orp.get_prover(secret_dict) ver = orp.get_verifier() precom = prov.precommit() ver.process_precommitment(precom) com = prov.commit() chal = ver.send_challenge(com) resp = prov.compute_response(chal) assert ver.verify(resp)
def test_or_proof_manual(params): """ TODO: Clarify what is being tested here. """ p1, p2, secrets = params orproof = OrProofStmt(p1, p2, p1, p2, p1, p2) subproofs = orproof.subproofs rep = 0 chosen = [] sims = [True] while rep < 10: sims = [] # Make random subproofs simulated. for proof in subproofs: is_simulated = random.choice([True, False]) sims.append(is_simulated) proof.set_simulated(is_simulated) if all(sims): continue for i in range(30): # Choose a subproof, look if it was a valid choice, store the result prov = orproof.get_prover(secrets) chosen.append(sims[orproof.chosen_idx] == False) rep += 1 assert all(chosen)
def test_multiple_or_proofs(group, params): p1, p2, secrets = params g = group.generator() x10 = Secret() secrets.update({x10: 13}) orproof = OrProofStmt(p1, OrProofStmt(p2, DLRep(13 * g, x10 * g))) assert verify_proof(orproof, secrets)
def test_multiple_or_proofs_composition(group, params): p1, p2, secrets = params g = group.generator() x10 = Secret() secrets.update({x10: 13}) orp1 = OrProofStmt(p2, p1) orp2 = OrProofStmt(p1, DLRep(13 * g, x10 * g)) orproof = OrProofStmt(orp1, p2, orp2) assert verify_proof(orproof, secrets)
def test_or_proof(params): p1, p2, secrets = params orproof = OrProofStmt(p1, p2, p1, p2, p1, p2) prov = orproof.get_prover(secrets) verif = orproof.get_verifier() com = prov.commit() chal = verif.send_challenge(com) resp = prov.compute_response(chal) # Here we see that some responses have an identical first element. # The only one with a different first element is the non-simulated one. assert verif.verify(resp)
def test_or_non_interactive_fails_on_wrong_secrets(group, params): p1, p2, secrets = params p = OrProofStmt(p1, p2) bad_secrets = secrets.copy() u = list(bad_secrets.keys()) bad_secrets[u[0]] = group.order().random() bad_secrets[u[1]] = group.order().random() bad_secrets[u[2]] = group.order().random() bad_secrets[u[3]] = group.order().random() message = "whatever" tr = p.prove(bad_secrets, message=message) assert not p.verify(tr, message=message)
def test_or_non_interactive_serialization(params): p1, p2, secrets = params p = OrProofStmt(p1, p2) message = "whatever" tr = p.prove(secrets, message=message) tr_enc = tr.serialize() tr_dec = NIZK.deserialize(tr_enc) assert tr_dec.challenge == tr.challenge assert len(tr_dec.responses) == len(tr.responses) for resp1, resp2 in zip(tr_dec.responses, tr.responses): assert resp1 == resp2 assert tr_dec.precommitment == tr.precommitment assert tr_dec.stmt_hash == tr.stmt_hash assert p.verify(tr_dec, message=message)
def test_dlrep_or_rangeproof(group): g, h = make_generators(2) x = Secret(9) y = Secret(42) z = Secret(40) c = x.value * g + y.value * h c2 = z.value * g + y.value * h stmt1 = DLRep(c, x * g + y * h) & RangeStmt(c, g, h, 0, 50, x, y) stmt2 = DLRep(c2, z * g + y * h) & RangeStmt(c2, g, h, 0, 50, z, y) stmt1.set_simulated() or_stmt = OrProofStmt(stmt1, stmt2) nizk = or_stmt.prove() assert or_stmt.verify(nizk)
def test_or_and_proof_composition(params): p1, p2, secrets = params andp = AndProofStmt(p1, p2) g1 = 7 * p1.bases[0] g2 = 8 * p1.bases[0] xb = Secret(name="xb") xa = Secret(name="xa") p0 = DLRep(7 * g1 + 18 * g2, xb * g1 + xa * g2) secrets[xa] = 7 secrets[Secret(name="xc")] = 18 orproof = OrProofStmt(p0, andp) prover = orproof.get_prover(secrets) verifier = orproof.get_verifier() assert verify(verifier, prover)
def test_or_signature_non_interactive(): mG = BilinearGroupPair() keypair = BBSPlusKeypair.generate(mG, 9) messages = [Bn(30), Bn(31), Bn(32)] pk, sk = keypair.pk, keypair.sk generators, h0 = keypair.generators, keypair.h0 creator = BBSPlusSignatureCreator(pk) lhs = creator.commit(messages) presignature = sk.sign(lhs.com_message) signature = creator.obtain_signature(presignature) e, s, m1, m2, m3 = (Secret() for _ in range(5)) secret_dict = { e: signature.e, s: signature.s, m1: messages[0], m2: messages[1], m3: messages[2], } sigproof = BBSPlusSignatureStmt([e, s, m1, m2, m3], pk, signature) creator = BBSPlusSignatureCreator(pk) lhs = creator.commit(messages) presignature2 = sk.sign(lhs.com_message) signature2 = creator.obtain_signature(presignature2) e1, s1 = (Secret() for _ in range(2)) secret_dict2 = { e1: signature2.e, s1: signature2.s, m1: messages[0], m2: messages[1], } sigproof1 = BBSPlusSignatureStmt([e1, s1, m1, m2, m3], pk, signature2) secret_dict.update(secret_dict2) andp = sigproof | sigproof1 orp = OrProofStmt(andp, sigproof) tr = orp.prove(secret_dict) assert orp.verify(tr)
def test_and_or_proof_composition(params): p1, p2, secrets = params g1 = 7 * p1.bases[0] g2 = 8 * p1.bases[0] xb = Secret(name="xb") xa = Secret(name="xa") p0 = DLRep(7 * g1 + 18 * g2, xb * g1 + xa * g2) secrets[xb] = 7 secrets[xa] = 18 orproof = OrProofStmt(p1, p2) andp = AndProofStmt(orproof, p0) andp = AndProofStmt(andp, DLRep(15 * p1.bases[0], Secret(value=15) * p1.bases[0])) prover = andp.get_prover(secrets) verifier = andp.get_verifier() assert verify(verifier, prover)
def test_or_non_interactive(params): p1, p2, secrets = params p = OrProofStmt(p1, p2) message = "whatever" tr = p.prove(secrets, message=message) assert p.verify(tr, message=message)
def test_or_proof_simulation(params): p1, p2, secrets = params first_or = OrProofStmt(p1, p2) tr = first_or.simulate() assert first_or.verify_simulation_consistency(tr) assert not first_or.verify(tr)
# First, compute the values, "left-hand side". y0 = x0.value * g0 y1 = x1.value * g1 # Next, create the proof statement. stmt = DLRep(y0, x0 * g0) | DLRep(y1, x1 * g1) # Set the first clause as simulated. stmt.subproofs[0].set_simulated() # This is an equivalent way to define the proof statement above. stmt_1 = DLRep(y0, x0 * g0) stmt_2 = DLRep(y1, x1 * g1) stmt_1.set_simulated() equivalent_stmt = OrProofStmt(stmt_1, stmt_2) assert stmt.get_proof_id() == equivalent_stmt.get_proof_id() # Another equivalent way. stmt_1 = DLRep(y0, x0 * g0, simulated=True) stmt_2 = DLRep(y1, x1 * g1) equivalent_stmt = OrProofStmt(stmt_1, stmt_2) assert stmt.get_proof_id() == equivalent_stmt.get_proof_id() # Execute the protocol. prover = stmt.get_prover() verifier = stmt.get_verifier()