def verifiabilityProofCheck(ppatspk, d, proof):
''' Return True if the ZKP proof is correct with respect to d
meaning that d is a commitment on either 0 or 1
'''
u0, u1, t0, t1 = proof
# notations
Jcoord = ppatspk.PPATSpp.Jcoord
ECG = ppatspk.PPATSpp.h.ECG
ddt = oEC.toTupleEFp(d.d, Jcoord)
u0ht = oEC.mul_comb2_EFp(ECG, u0, ppatspk.precomp_h, Jcoord)
ddt0 = oEC.mulECP(ECG, ddt, -t0, False, Jcoord)
w0t = oEC.addEFp(ECG, u0ht, ddt0, Jcoord)
w0v = oEC.toEFp(ECG, w0t, Jcoord)
w0 = ppat.ppats.PPATSCommitment(w0v, ppatspk)
ddt1 = oEC.mulECP(ECG, ddt, -t1, False, Jcoord)
u1ht = oEC.mul_comb2_EFp(ECG, u1, ppatspk.precomp_h, Jcoord)
t1h1t = oEC.mul_comb2_EFp(ECG, t1, ppatspk.precomp_h1, Jcoord)
ad1 = oEC.addEFp(ECG, ddt1, u1ht, Jcoord)
w1t = oEC.addEFp(ECG, ad1, t1h1t, Jcoord)
w1v = oEC.toEFp(ECG, w1t, Jcoord)
w1 = ppat.ppats.PPATSCommitment(w1v, ppatspk)
return t0 + t1 == ppatspk.hashf([ppatspk.PPATSpp, ppatspk, d, w0, w1])
def commit(self,m,r1=None,r2=None):
q = self.PPATCpp.order
if r1 == None:
r1 = randint(1,int(q))
if r2 == None:
r2 = randint(1,int(q))
# notations
Jcoord = self.PPATCpp.Jcoord
ECG1 = self.h1.ECG
ECG2 = self.g1.ECG
# commitment
d11t = oEC.mul_comb2_EFp(ECG1,r1,self.precomp_h,Jcoord)
d12t = oEC.mul_comb2_EFp(ECG1,r2,self.precomp_h1,Jcoord)
d1t = oEC.addEFp(ECG1,d11t,d12t,Jcoord)
d1 = oEC.toEFp(ECG1,d1t,Jcoord)
#d1 = (r1*h)+(r2*h1)
mp = self.encode(m)
d21t = oEC.mul_comb2_EFp2(ECG2,r2,self.precomp_g1,Jcoord)
d2t = oEC.addEFp2(ECG2,mp,d21t,Jcoord)
d2 = oEC.toEFp2(ECG2,d2t,Jcoord)
#d2 = mp + r2*g1
return PPATCCommitment(d1,d2,self)
def verifiabilityProofCheck(ppatspk, d, proof):
""" Return True if the ZKP proof is correct with respect to d
meaning that d is a commitment on either 0 or 1
"""
u0, u1, t0, t1 = proof
# notations
Jcoord = ppatspk.PPATSpp.Jcoord
ECG = ppatspk.PPATSpp.h.ECG
ddt = oEC.toTupleEFp(d.d, Jcoord)
u0ht = oEC.mul_comb2_EFp(ECG, u0, ppatspk.precomp_h, Jcoord)
ddt0 = oEC.mulECP(ECG, ddt, -t0, False, Jcoord)
w0t = oEC.addEFp(ECG, u0ht, ddt0, Jcoord)
w0v = oEC.toEFp(ECG, w0t, Jcoord)
w0 = ppat.ppats.PPATSCommitment(w0v, ppatspk)
ddt1 = oEC.mulECP(ECG, ddt, -t1, False, Jcoord)
u1ht = oEC.mul_comb2_EFp(ECG, u1, ppatspk.precomp_h, Jcoord)
t1h1t = oEC.mul_comb2_EFp(ECG, t1, ppatspk.precomp_h1, Jcoord)
ad1 = oEC.addEFp(ECG, ddt1, u1ht, Jcoord)
w1t = oEC.addEFp(ECG, ad1, t1h1t, Jcoord)
w1v = oEC.toEFp(ECG, w1t, Jcoord)
w1 = ppat.ppats.PPATSCommitment(w1v, ppatspk)
return t0 + t1 == ppatspk.hashf([ppatspk.PPATSpp, ppatspk, d, w0, w1])
def commit(self, m, r1=None, r2=None):
q = self.PPATCpp.order
if r1 == None:
r1 = randint(1, int(q))
if r2 == None:
r2 = randint(1, int(q))
# notations
Jcoord = self.PPATCpp.Jcoord
ECG1 = self.h1.ECG
ECG2 = self.g1.ECG
# commitment
d11t = oEC.mul_comb2_EFp(ECG1, r1, self.precomp_h, Jcoord)
d12t = oEC.mul_comb2_EFp(ECG1, r2, self.precomp_h1, Jcoord)
d1t = oEC.addEFp(ECG1, d11t, d12t, Jcoord)
d1 = oEC.toEFp(ECG1, d1t, Jcoord)
#d1 = (r1*h)+(r2*h1)
mp = self.encode(m)
d21t = oEC.mul_comb2_EFp2(ECG2, r2, self.precomp_g1, Jcoord)
d2t = oEC.addEFp2(ECG2, mp, d21t, Jcoord)
d2 = oEC.toEFp2(ECG2, d2t, Jcoord)
#d2 = mp + r2*g1
return PPATCCommitment(d1, d2, self)
def verifiabilityProof2(ppatspk, d, m, r, b=None, u=None, t=None):
""" This ZK proof ensures that d = r*h+m*h1 is a commitment on m = 0 or 1
b,u,t are the randomness used in the proof (optional)
"""
# notations
order = ppatspk.PPATSpp.order
h = ppatspk.PPATSpp.h
h1 = ppatspk.h1
ECG = h.ECG
Jcoord = ppatspk.PPATSpp.Jcoord
# ht = oEC.toTupleEFp(ECG,h,Jcoord)
nh1t = oEC.toTupleEFp(ECG, -h1, Jcoord)
ddt = oEC.toTupleEFp(ECG, d.d, Jcoord)
# assert h*r+h1*m == d.d # commitment is well formed
assert m == 0 or m == 1 # the proof works only if m = 0 or 1
if b == None:
b = randint(1, int(order))
if u == None:
u = randint(1, int(order))
if t == None:
t = randint(1, int(order))
hbt = oEC.mul_comb2_EFp(ECG, b, ppatspk.precomp_h, Jcoord)
hb = oEC.toEFp(ECG, hbt, Jcoord)
if m == 0:
u1 = u
t1 = t
# commitment
# w0 = PPATSCommitment(h*b,self)
w0 = ppat.ppats.PPATSCommitment(hb, ppatspk)
hu1t = oEC.mul_comb2_EFp(ECG, u1, ppatspk.precomp_h, Jcoord)
s1 = oEC.addEFp(ECG, ddt, nh1t, Jcoord)
s1t1 = oEC.mulECP(ECG, s1, -t1, False, Jcoord)
w1t = oEC.addEFp(ECG, hu1t, s1t1, Jcoord)
w1v = oEC.toEFp(ECG, w1t, Jcoord)
w1 = ppat.ppats.PPATSCommitment(w1v, ppatspk)
# challenge
t0 = ppatspk.hashf([ppatspk.PPATSpp, ppatspk, d, w0, w1]) - t1
# response
u0 = b + r * t0
if m == 1:
u0 = u
t0 = t
# commitment
hu0t = oEC.mul_comb2_EFp(ECG, u0, ppatspk.precomp_h, Jcoord)
ddt0 = oEC.mulECP(ECG, ddt, -t0, False, Jcoord)
w0t = oEC.addEFp(ECG, hu0t, ddt0, Jcoord)
w0v = oEC.toEFp(ECG, w0t, Jcoord)
w0 = ppat.ppats.PPATSCommitment(w0v, ppatspk)
w1 = ppat.ppats.PPATSCommitment(hb, ppatspk)
# challenge
t1 = ppatspk.hashf([ppatspk.PPATSpp, ppatspk, d, w0, w1]) - t0
# response
u1 = b + r * t1
return [u0, u1, t0, t1]
"""
def verifiabilityProof2(ppatspk, d, m, r, b=None, u=None, t=None):
''' This ZK proof ensures that d = r*h+m*h1 is a commitment on m = 0 or 1
b,u,t are the randomness used in the proof (optional)
'''
# notations
order = ppatspk.PPATSpp.order
h = ppatspk.PPATSpp.h
h1 = ppatspk.h1
ECG = h.ECG
Jcoord = ppatspk.PPATSpp.Jcoord
#ht = oEC.toTupleEFp(ECG,h,Jcoord)
nh1t = oEC.toTupleEFp(ECG, -h1, Jcoord)
ddt = oEC.toTupleEFp(ECG, d.d, Jcoord)
#assert h*r+h1*m == d.d # commitment is well formed
assert m == 0 or m == 1 # the proof works only if m = 0 or 1
if b == None:
b = randint(1, int(order))
if u == None:
u = randint(1, int(order))
if t == None:
t = randint(1, int(order))
hbt = oEC.mul_comb2_EFp(ECG, b, ppatspk.precomp_h, Jcoord)
hb = oEC.toEFp(ECG, hbt, Jcoord)
if m == 0:
u1 = u
t1 = t
# commitment
#w0 = PPATSCommitment(h*b,self)
w0 = ppat.ppats.PPATSCommitment(hb, ppatspk)
hu1t = oEC.mul_comb2_EFp(ECG, u1, ppatspk.precomp_h, Jcoord)
s1 = oEC.addEFp(ECG, ddt, nh1t, Jcoord)
s1t1 = oEC.mulECP(ECG, s1, -t1, False, Jcoord)
w1t = oEC.addEFp(ECG, hu1t, s1t1, Jcoord)
w1v = oEC.toEFp(ECG, w1t, Jcoord)
w1 = ppat.ppats.PPATSCommitment(w1v, ppatspk)
# challenge
t0 = ppatspk.hashf([ppatspk.PPATSpp, ppatspk, d, w0, w1]) - t1
# response
u0 = b + r * t0
if m == 1:
u0 = u
t0 = t
# commitment
hu0t = oEC.mul_comb2_EFp(ECG, u0, ppatspk.precomp_h, Jcoord)
ddt0 = oEC.mulECP(ECG, ddt, -t0, False, Jcoord)
w0t = oEC.addEFp(ECG, hu0t, ddt0, Jcoord)
w0v = oEC.toEFp(ECG, w0t, Jcoord)
w0 = ppat.ppats.PPATSCommitment(w0v, ppatspk)
w1 = ppat.ppats.PPATSCommitment(hb, ppatspk)
# challenge
t1 = ppatspk.hashf([ppatspk.PPATSpp, ppatspk, d, w0, w1]) - t0
# response
u1 = b + r * t1
return [u0, u1, t0, t1]
"""
def verifyEval(self, com, b, phi_b, phiprime_b, w_b):
'''
Check if com is a commitment on a polynomial phi such that (b,phi_b) belongs
to the polynomial. The verification uses the witness w_b and the evaluation
of the polynomial phiprime at b.
Return True if the verification succeeds.
This method computes 3 pairings.
'''
EFp = self.pairing.EFp
e = oEC.OptimAtePairing
Pair = self.pairing
Fp12 = Pair.Fpk
#gamma = Pair.gamma
#g = self.gVec[-1]
#h = self.hVec[-1]
gp = self.gprimeVec[-1]
EFp2 = gp.ECG
gp_alpha = self.gprimeVec[-2]
#TODO: Optimize here # DONE
#gprime_b = (b.val)*gp
gprime_bt = oEC.mul_comb2_EFp2(EFp2,b.val,self.gprimeVecTab[-1],self.Jcoord)
mgprime_bt = oEC.negEFp2(gprime_bt,self.Jcoord)
gpat = oEC.toTupleEFp2(gp_alpha,self.Jcoord)
t1t = oEC.addEFp2(EFp2,gpat,mgprime_bt,self.Jcoord)
#t1 = gp_alpha-gprime_b
#u1 = (phi_b.val)*g + (phiprime_b.val)*h
a1 = oEC.mul_comb2_EFp(EFp,phi_b.val,self.gVecTab[-1],self.Jcoord)
b1 = oEC.mul_comb2_EFp(EFp,phiprime_b.val,self.hVecTab[-1],self.Jcoord)
u1t = oEC.addEFp(EFp,a1,b1,self.Jcoord)
t1g = oEC.toEFp2(EFp2,t1t,self.Jcoord)
u1g = oEC.toEFp(EFp,u1t,self.Jcoord)
if self.Jcoord :
t1g.toAffine()
u1g.toAffine()
#assert t1g == t1
#assert u1g == u1
rm = e(com.c,gp,Pair)
lm1 = e(w_b.c,t1g,Pair)
lm2 = e(u1g,gp,Pair)
lm = oEC.mulFp12(Fp12,lm1,lm2)
return rm == lm
def commit(self,phi_x,phiprime_x= None):
'''
Return a polynomial commitment on the polynomial phi_x eventually using phiprime_x as the randomness polynomial
'''
#Fp = self.pairing.Fp
Fr = self.Fr
EFp = self.pairing.EFp
#order = self.pairing.r
assert len(phi_x.coef) <= self.deg_pol+1
if len(phi_x.coef) < self.deg_pol+1 :
# Append zeros coef to phi_x if its coef list is too short (< deg_pol+1)
diff = self.deg_pol+1 - len(phi_x.coef)
L = [Fr.zero()]*diff
new_phi_x = field.polynom(Fr,L+phi_x.coef)
phi_x = new_phi_x
if phiprime_x == None :
phiprime_x = self.randomPolynomial()
if len(phiprime_x.coef) < self.deg_pol+1 :
# Append zeros coef to phiprime_x if its coef list is too short (< deg_pol+1)
diff = self.deg_pol+1 - len(phiprime_x.coef)
L = [Fr.zero()]*diff
new_phiprime_x = field.polynom(Fr,L+phiprime_x.coef)
phiprime_x = new_phiprime_x
c = EFp.infty
ct = oEC.toTupleEFp(c,self.Jcoord)
#TODO: Optimize here # DONE
for i in range(self.deg_pol+1):
#c = c + (phi_x.coef[i].val)*self.gVec[i] + (phiprime_x.coef[i].val)*self.hVec[i]
a = oEC.mul_comb2_EFp(EFp,phi_x.coef[i].val,self.gVecTab[i],self.Jcoord)
b = oEC.mul_comb2_EFp(EFp,phiprime_x.coef[i].val,self.hVecTab[i],self.Jcoord)
a_plus_b = oEC.addEFp(EFp, a,b,self.Jcoord)
ct = oEC.addEFp(EFp, ct,a_plus_b,self.Jcoord)
cg = oEC.toEFp(EFp,ct,self.Jcoord)
if self.Jcoord :
cg.toAffine()
#assert cg == c
#print 'cg,c',cg,c
com = PolynomialCommitment(cg,self)
return com, phiprime_x
def commit(self,m,r=None):
''' Output a commitment on m using randomness r
Return the randomness used in the proof
'''
order = self.PPATSpp.order
if r == None:
r = randint(1,int(order))
# notations
h1 = self.h1
ECG = h1.ECG
Jcoord = self.PPATSpp.Jcoord
m = m%order
r = r%order
rh = oEC.mul_comb2_EFp(ECG,r,self.precomp_h,Jcoord)
mh1 = oEC.mul_comb2_EFp(ECG,m,self.precomp_h1,Jcoord)
dt = oEC.addEFp(ECG,rh,mh1,Jcoord)
d = oEC.toEFp(ECG,dt,Jcoord)
return PPATSCommitment(d,self),r
def verifyPoly(self,com,phi_x,phiprime_x):
'''
Check that the commitment c is indeed a commitment on phi_x and phiprime_x
return True if it is the case
'''
EFp = self.pairing.EFp
c_prime = EFp.infty
ct = oEC.toTupleEFp(c_prime,self.Jcoord)
#TODO: Optimize here
for i in range(self.deg_pol+1):
#c_prime = c_prime + (phi_x.coef[i].val)*self.gVec[i] + (phiprime_x.coef[i].val)*self.hVec[i]
a = oEC.mul_comb2_EFp(EFp,phi_x.coef[i].val,self.gVecTab[i],self.Jcoord)
b = oEC.mul_comb2_EFp(EFp,phiprime_x.coef[i].val,self.hVecTab[i],self.Jcoord)
a_plus_b = oEC.addEFp(EFp, a,b,self.Jcoord)
ct = oEC.addEFp(EFp, ct,a_plus_b,self.Jcoord)
cg = oEC.toEFp(EFp,ct,self.Jcoord)
if self.Jcoord :
cg.toAffine()
#assert c_prime == cg
return com.c == cg
def multiplicationProofCheck(ppatspk, d1, d2, d3, proof):
''' d1,d2,d3 are PPATS Commitment
proof is a ZK proof that d3 commits on the
product of the message commited in d1 and d2.
the method returns True if this assertion is correct and False
otherwise
'''
#assert isinstance(d1,ppat.ppats.PPATSCommitment)
#assert isinstance(d2,ppat.ppats.PPATSCommitment)
#assert isinstance(d3,ppat.ppats.PPATSCommitment)
# Notations
ECG = ppatspk.PPATSpp.h.ECG
Jcoord = ppatspk.PPATSpp.Jcoord
nu, z1, z2, s1, s2, s3 = proof
#a1 = s1*h + z1*h1
a1c, s1 = ppatspk.commit(z1, s1)
a1 = a1c.d
#a2 = s2*h + z2*h1
a2c, s2 = ppatspk.commit(z2, s2)
a2 = a2c.d
s3ht = oEC.mul_comb2_EFp(ECG, s3, ppatspk.precomp_h, Jcoord)
d1t = oEC.toTupleEFp(d1.d, Jcoord)
z2d1t = oEC.mulECP(ECG, d1t, z2, False, Jcoord)
a3t = oEC.addEFp(ECG, s3ht, z2d1t, Jcoord)
#a3 = s3*h + z2*d1.d
d2t = oEC.toTupleEFp(d2.d, Jcoord)
d3t = oEC.toTupleEFp(d3.d, Jcoord)
mnud1t = oEC.mulECP(ECG, d1t, -nu, False, Jcoord)
mnud2t = oEC.mulECP(ECG, d2t, -nu, False, Jcoord)
mnud3t = oEC.mulECP(ECG, d3t, -nu, False, Jcoord)
a1t = oEC.toTupleEFp(a1, Jcoord)
a2t = oEC.toTupleEFp(a2, Jcoord)
e1t = oEC.addEFp(ECG, a1t, mnud1t, Jcoord)
e2t = oEC.addEFp(ECG, a2t, mnud2t, Jcoord)
e3t = oEC.addEFp(ECG, a3t, mnud3t, Jcoord)
e1 = oEC.toEFp(ECG, e1t, Jcoord)
e2 = oEC.toEFp(ECG, e2t, Jcoord)
e3 = oEC.toEFp(ECG, e3t, Jcoord)
d1p = ppat.ppats.PPATSCommitment(e1, ppatspk)
d2p = ppat.ppats.PPATSCommitment(e2, ppatspk)
d3p = ppat.ppats.PPATSCommitment(e3, ppatspk)
nup = ppatspk.hashf([ppatspk.PPATSpp, ppatspk, d1, d2, d3, d1p, d2p, d3p])
return nu == nup
def multiplicationProofCheck(ppatspk, d1, d2, d3, proof):
""" d1,d2,d3 are PPATS Commitment
proof is a ZK proof that d3 commits on the
product of the message commited in d1 and d2.
the method returns True if this assertion is correct and False
otherwise
"""
# assert isinstance(d1,ppat.ppats.PPATSCommitment)
# assert isinstance(d2,ppat.ppats.PPATSCommitment)
# assert isinstance(d3,ppat.ppats.PPATSCommitment)
# Notations
ECG = ppatspk.PPATSpp.h.ECG
Jcoord = ppatspk.PPATSpp.Jcoord
nu, z1, z2, s1, s2, s3 = proof
# a1 = s1*h + z1*h1
a1c, s1 = ppatspk.commit(z1, s1)
a1 = a1c.d
# a2 = s2*h + z2*h1
a2c, s2 = ppatspk.commit(z2, s2)
a2 = a2c.d
s3ht = oEC.mul_comb2_EFp(ECG, s3, ppatspk.precomp_h, Jcoord)
d1t = oEC.toTupleEFp(d1.d, Jcoord)
z2d1t = oEC.mulECP(ECG, d1t, z2, False, Jcoord)
a3t = oEC.addEFp(ECG, s3ht, z2d1t, Jcoord)
# a3 = s3*h + z2*d1.d
d2t = oEC.toTupleEFp(d2.d, Jcoord)
d3t = oEC.toTupleEFp(d3.d, Jcoord)
mnud1t = oEC.mulECP(ECG, d1t, -nu, False, Jcoord)
mnud2t = oEC.mulECP(ECG, d2t, -nu, False, Jcoord)
mnud3t = oEC.mulECP(ECG, d3t, -nu, False, Jcoord)
a1t = oEC.toTupleEFp(a1, Jcoord)
a2t = oEC.toTupleEFp(a2, Jcoord)
e1t = oEC.addEFp(ECG, a1t, mnud1t, Jcoord)
e2t = oEC.addEFp(ECG, a2t, mnud2t, Jcoord)
e3t = oEC.addEFp(ECG, a3t, mnud3t, Jcoord)
e1 = oEC.toEFp(ECG, e1t, Jcoord)
e2 = oEC.toEFp(ECG, e2t, Jcoord)
e3 = oEC.toEFp(ECG, e3t, Jcoord)
d1p = ppat.ppats.PPATSCommitment(e1, ppatspk)
d2p = ppat.ppats.PPATSCommitment(e2, ppatspk)
d3p = ppat.ppats.PPATSCommitment(e3, ppatspk)
nup = ppatspk.hashf([ppatspk.PPATSpp, ppatspk, d1, d2, d3, d1p, d2p, d3p])
return nu == nup
def queryZKS(self, com, phi_x, phiprime_x, b, b_is_root_of_phi_x, khi_x = None, khiprime_x = None):
'''
Returns a non-interactive zero-knowledge proof of knowledge that phi(b)
= 0 or phi(b) != 0 where phi is the polynomial commited to in com.
'''
EFp = self.pairing.EFp
b, phi_b_eval, phiprime_b_eval, w_b = self.createWitness(phi_x,phiprime_x,b)
if b_is_root_of_phi_x :
assert phi_b_eval.iszero()
return b, w_b, phiprime_b_eval, None
else :
#TODO: Optimize here #DONE
#z_j = phi_b_eval.val*self.gVec[-1] + phiprime_b_eval.val*self.hVec[-1]
a = oEC.mul_comb2_EFp(EFp, phi_b_eval.val, self.gVecTab[-1],self.Jcoord)
b = oEC.mul_comb2_EFp(EFp, phiprime_b_eval.val, self.hVecTab[-1],self.Jcoord)
z_jt = oEC.addEFp(EFp,a,b,self.Jcoord)
z_jg = oEC.toEFp(EFp,z_jt,self.Jcoord)
if self.Jcoord :
z_jg.toAffine()
#assert z_j == z_jg
proof_z_j = self.openingNIZKPOK(com,phi_x,phiprime_x,khi_x,khiprime_x)
return b, w_b, None, (z_jg, proof_z_j)
def multiplicationCommitFromTriplet(self,a1,a2,a3,m1,m2):
''' This method builds a commitment d3 based on three precomputed commitments
a1,a2,a3 such that a1 commits (m_a-m1),a2 commits on (m_b-m2) and a3 commits
on some m_a*m_b+..., the output is d3 that commits on m_a*m_b
but it does not perform any verification whatsoever
'''
Jcoord = self.PPATSpp.Jcoord
ECG = self.h1.ECG
order = self.PPATSpp.order
a1dt = oEC.toTupleEFp(a1.d,Jcoord)
a2dt = oEC.toTupleEFp(a2.d,Jcoord)
a3dt = oEC.toTupleEFp(a3.d,Jcoord)
m2a1dt = oEC.mulECP(ECG,a1dt,m2,False,Jcoord)
m1a2dt = oEC.mulECP(ECG,a2dt,m1,False,Jcoord)
m1m2h1t = oEC.mul_comb2_EFp(ECG,(m1*m2)%order,self.precomp_h1,Jcoord)
a1t = oEC.addEFp(ECG,m2a1dt,m1a2dt,Jcoord)
a2t = oEC.addEFp(ECG,a1t,a3dt,Jcoord)
d3t = oEC.addEFp(ECG,a2t,m1m2h1t,Jcoord)
d3 = oEC.toEFp(ECG,d3t,Jcoord)
#d3p = (m2*a1.d)+(m1*a2.d)+a3.d+((m1*m2)*h1)
#assert d3 == d3p
return PPATSCommitment(d3,self)
def verifyOpening(self,com,m,a):
''' The method verifies that the commitment com commits on m with respect
to the opening a.
'''
# notoations
g = self.PPATSpp.g
h = self.PPATSpp.h
ECG = h.ECG
Jcoord = self.PPATSpp.Jcoord
order = self.PPATSpp.order
e = self.PPATSpp.e
Pair = self.PPATSpp.Pair
psi = self.PPATSpp.psi
psia = psi(a)
psig = psi(g)
comdt = oEC.toTupleEFp(com.d,Jcoord)
mmh1t = oEC.mul_comb2_EFp(ECG,(-m)%order,self.precomp_h1,Jcoord)
ddt = oEC.addEFp(ECG,comdt,mmh1t,Jcoord)
dd = oEC.toEFp(ECG,ddt,Jcoord)
#dd = com.d-(m*h1)
return e(h,psia,Pair) == e(dd,psig,Pair)
def rerandomize(self,com,phiprime_x,phisecond_x=None):
'''
Return a polynomial commitment with a new randomness polynomial
'''
EFp = self.pairing.EFp
if phisecond_x == None :
phisecond_x = self.randomPolynomial()
c = com.c
ct = oEC.toTupleEFp(c,self.Jcoord)
#TODO: Optimize here #DONE
for i in range(self.deg_pol+1):
#c = c + (phisecond_x.coef[i].val)*self.hVec[i]
b = oEC.mul_comb2_EFp(EFp,phisecond_x.coef[i].val,self.hVecTab[i],self.Jcoord)
ct = oEC.addEFp(EFp, ct,b,self.Jcoord)
cg = oEC.toEFp(EFp,ct,self.Jcoord)
if self.Jcoord :
cg.toAffine()
#assert c == cg
rerand_com = PolynomialCommitment(cg, self)
return rerand_com, phiprime_x+phisecond_x