def test_and_proof_with_complex_expression(group):
g = group.generator()
g1 = 2 * g
g2 = 5 * g
g3 = 10 * g
x1 = Secret()
x2 = Secret()
x3 = Secret()
proof = DLRep(10 * g1 + 15 * g2, x1 * g1 + x2 * g2) & DLRep(
15 * g1 + 35 * g3, x2 * g1 + x3 * g3)
prover = proof.get_prover({x1: 10, x2: 15, x3: 35})
verifier = proof.get_verifier()
assert verify(verifier, prover)
# Next, create the proof statement.
stmt = DLRep(y1, x0 * g0 + x1 * g1) \
& DLRep(y2, x0 * g2 + x2 * g3)
# This is an equivalent way to create the proof statement above.
stmt_1 = DLRep(y1, x0 * g0 + x1 * g1)
stmt_2 = DLRep(y2, x0 * g2 + x2 * g3)
equivalent_stmt = AndProofStmt(stmt_1, stmt_2)
assert stmt.get_proof_id() == equivalent_stmt.get_proof_id()
# Simulate the prover and verifier interacting.
prover = stmt.get_prover({x0: 4, x1: 5, x2: 7})
verifier = stmt.get_verifier()
commitment = prover.commit()
challenge = verifier.send_challenge(commitment)
response = prover.compute_response(challenge)
assert verifier.verify(response)
# Composition takes into account re-occuring secrets.
x0 = Secret(4)
x1 = Secret(4)
stmt = DLRep(4 * g0, x0 * g0) & DLRep(4 * g1, x1 * g1)
# NOT the same as above. Note that x1_prime is used for both clauses.
x1_prime = Secret(4)
# Create the base points on the curve.
g0 = group.hash_to_point(b"g0")
g1 = group.hash_to_point(b"g1")
# Preparing the secrets.
# In practice, they probably should be big integers (petlib.bn.Bn)
x0 = Secret()
x1 = Secret()
# Set up the proof statement.
# First, compute the value, "left-hand side".
y = 4 * g0 + 42 * g1
# Next, create the proof statement.
stmt = DLRep(y, x0 * g0 + x1 * g1)
# Simulate the prover and the verifier interacting.
prover = stmt.get_prover({x0: 4, x1: 42})
verifier = stmt.get_verifier()
commitment = prover.commit()
challenge = verifier.send_challenge(commitment)
response = prover.compute_response(challenge)
assert verifier.verify(response)
# Non-interactive proof.
nizk = stmt.prove({x0: 4, x1: 42})
stmt.verify(nizk)
from petlib.ec import EcGroup
from zksk import Secret, DLRep
group = EcGroup()
g = group.generator()
# Different way to define secrets.
x = Secret()
x = Secret(value=42)
# If secret come with values, prover will get them.
x = Secret(value=4, name="x")
y = x.value * g
stmt = DLRep(y, x * g)
prover = stmt.get_prover()
# Otherwise, a prover needs to have the values as a dictionary.
x = Secret(name="x")
value = 4
stmt = DLRep(value * g, x * g)
prover = stmt.get_prover({x: value})
# Example of a bit more complex expression.
x = Secret()
y = Secret()
g = group.hash_to_point(b"one")
h = group.hash_to_point(b"two")
expr = x * g + y * h
# Expressions can be evaluated.
stmt = DLRep(y0, x0 * g0) | DLRep(y1, x1 * g1) # Set the first clause as simulated. stmt.subproofs[0].set_simulated() # This is an equivalent way to define the proof statement above. stmt_1 = DLRep(y0, x0 * g0) stmt_2 = DLRep(y1, x1 * g1) stmt_1.set_simulated() equivalent_stmt = OrProofStmt(stmt_1, stmt_2) assert stmt.get_proof_id() == equivalent_stmt.get_proof_id() # Another equivalent way. stmt_1 = DLRep(y0, x0 * g0, simulated=True) stmt_2 = DLRep(y1, x1 * g1) equivalent_stmt = OrProofStmt(stmt_1, stmt_2) assert stmt.get_proof_id() == equivalent_stmt.get_proof_id() # Execute the protocol. prover = stmt.get_prover() verifier = stmt.get_verifier() commitment = prover.commit() challenge = verifier.send_challenge(commitment) response = prover.compute_response(challenge) assert verifier.verify(response)
