def test_inner_product_proof_one_known(): n = 15 a = [ZR.random() for i in range(n)] b = [ZR.random() for i in range(n)] iprod = ZR(0) for i in range(n): iprod += a[i] * b[i] comm, iprod, proof = prove_inner_product_one_known(a, b) assert verify_inner_product_one_known(comm, iprod, b, proof) comm, iprod, badproof = prove_inner_product_one_known(a, b, comm=G1.rand()) assert not verify_inner_product_one_known(comm, iprod, b, badproof)
def test_batch_inner_product_proof_one_known(): n = 13 a = [ZR.random() for i in range(n)] bs = [[ZR.random() for j in range(n)] for i in range(3 * n)] comm, iprods, proofs = prove_batch_inner_product_one_known(a, bs) assert verify_batch_inner_product_one_known(comm, iprods[2], bs[2], proofs[2]) comm, iprods, badproofs = prove_batch_inner_product_one_known( a, bs, comm=G1.rand()) assert not verify_batch_inner_product_one_known(comm, iprods[2], bs[2], badproofs[2])
def test_inner_product_proof(): n = 10 a = [ZR.random() for i in range(n)] b = [ZR.random() for i in range(n)] iprod = ZR(0) for i in range(n): iprod += a[i] * b[i] comm, iprod, proof = prove_inner_product(a, b) assert verify_inner_product(comm, iprod, proof) comm, iprod, proof2 = prove_inner_product(a, b, comm=comm) assert verify_inner_product(comm, iprod, proof2) comm, iprod, badproof = prove_inner_product(a, b, comm=G1.rand()) assert not verify_inner_product(comm, iprod, badproof)
def double_batch_create_witness(self, phis, r, n=None): t = len(phis[0].coeffs) - 1 numpolys = len(phis) if n is None: n = 3 * t + 1 numverifiers = n if len(self.y_vecs) < numverifiers: i = len(self.y_vecs) while i < numverifiers: self.y_vecs.append([ZR(i + 1)**j for j in range(t + 1)]) i += 1 # length t s_vec = [ZR.random() for _ in range(t + 1)] sy_prods = [ZR(0) for _ in range(numverifiers)] S = G1.identity() T_vec = [None] * numverifiers witnesses = [[] for _ in range(numverifiers)] for i in range(t + 1): S *= self.gs[i].pow(s_vec[i]) for j in range(numverifiers): for i in range(t + 1): sy_prods[j] += s_vec[i] * self.y_vecs[j][i] T_vec[j] = self.gs[0].pow(sy_prods[j]) rho = ZR.random() S *= self.h**rho # Fiat Shamir tree = MerkleTree() for j in range(numverifiers): tree.append(pickle.dumps(T_vec[j])) roothash = tree.get_root_hash() for j in range(numverifiers): branch = tree.get_branch(j) witnesses[j].append(roothash) witnesses[j].append(branch) challenge = ZR.hash( pickle.dumps([roothash, self.gs, self.h, self.u, S])) d_vecs = [] for i in range(len(phis)): d_vecs.append([ phis[i].coeffs[j] + s_vec[j] * challenge for j in range(t + 1) ]) Ds = [G1.identity() for _ in range(len(phis))] _ = [[ Ds[i].__imul__(self.gs[j].pow(d_vecs[i][j])) for j in range(t + 1) ] for i in range(len(phis))] mu = r + rho * challenge comms, t_hats, iproofs = prove_double_batch_inner_product_one_known_but_differenter( d_vecs, self.y_vecs, crs=[self.gs, self.u]) for j in range(numverifiers): witnesses[j] += [t, S, T_vec[j], Ds, mu, t_hats[j], iproofs[j]] return witnesses
async def test_HbACSS1Recoverer(test_router): t = 2 n = 3 * t + 1 poly = polynomials_over(ZR) secrets = [ZR.random() for i in range(t + 1)] secretpolys = [poly.random(t, secrets[i]) for i in range(t + 1)] crs = gen_pc_const_dl_crs(t) pc = PolyCommitConstDL(crs) commits = [pc.commit(phi) for phi in secretpolys] #witnesses[i][j] should give the proof for party i's share of polynomial number j witnesses = [[pc.create_witness(phi, i) for phi in secretpolys] for i in range(1, n + 1)] shares = [[phi(i) for phi in secretpolys] for i in range(1, n + 1)] sends, recvs, _ = test_router(n) loop = asyncio.get_event_loop() players = [ HbACSS1Recoverer(crs, n, t, i, sends[i], recvs[i], shares[i], True, commits, witnesses[i], pc=pc) for i in range(n) ] playertasks = [loop.create_task(player._run()) for player in players] for task in playertasks: task.add_done_callback(print_exception_callback) #loop.run_forever() await asyncio.gather(*playertasks)
def test_pc_log_batch(t): pc = PolyCommitLog() phi = polynomials_over(ZR).random(t) r = ZR.random() c = pc.commit(phi, r) witnesses = pc.batch_create_witness(phi, r) assert pc.verify_eval(c, 4, phi(4), witnesses[3])
def test_inner_product_interactive_proof(): loop = asyncio.get_event_loop() pr_queue = asyncio.Queue(loop=loop) vr_queue = asyncio.Queue(loop=loop) prover = inner_product_prover(vr_queue, pr_queue) verifier = inner_product_verifier(pr_queue, vr_queue) n = 10 a = [ZR.random() for i in range(n)] b = [ZR.random() for i in range(n)] iprod = ZR(0) for i in range(n): iprod += a[i] * b[i] (comm1, iprod1, g_vec1, h_vec1, u1, a_vec1, b_vec1, n1, P1) = prover.set_up_params(a, b) (g_vec2, h_vec2, u2, n2, P2) = verifier.set_up_params(n1, P1) prover_coro = prover.recursive_prove(g_vec1, h_vec1, u1, a_vec1, b_vec1, n1, P1) verifier_coro = verifier.recursive_verify(g_vec2, h_vec2, u2, n2, P2) _, ret = loop.run_until_complete(asyncio.gather(prover_coro, verifier_coro)) assert ret == True (_, _, g_vec1, h_vec1, u1, a_vec1, b_vec1, n1, P1) = prover.set_up_params(a, b, comm=comm1) (g_vec2, h_vec2, u2, n2, P2) = verifier.set_up_params(n1, P1) prover_coro = prover.recursive_prove(g_vec1, h_vec1, u1, a_vec1, b_vec1, n1, P1) verifier_coro = verifier.recursive_verify(g_vec2, h_vec2, u2, n2, P2) _, ret = loop.run_until_complete(asyncio.gather(prover_coro, verifier_coro)) assert ret == True (comm1, iprod1, g_vec1, h_vec1, u1, a_vec1, b_vec1, n1, P1) = prover.set_up_params(a, b, comm=G1.rand()) (g_vec2, h_vec2, u2, n2, P2) = verifier.set_up_params(n1, P1) prover_coro = prover.recursive_prove(g_vec1, h_vec1, u1, a_vec1, b_vec1, n1, P1) verifier_coro = verifier.recursive_verify(g_vec2, h_vec2, u2, n2, P2) _, ret = loop.run_until_complete(asyncio.gather(prover_coro, verifier_coro)) assert ret == False loop.close()
def test_hbacss2_size_benchmark_batch_creation(benchmark, t): pc = PolyCommitLog(degree_max=t) pc.preprocess_prover(16) r = ZR.random() phis = [] for _ in range(t): phi_curr = polynomials_over(ZR).random(t) phis.append(phi_curr) benchmark(pc.double_batch_create_witness, phis, r)
def batch_create_witness(self, phi, r, n=None): t = len(phi.coeffs) - 1 if n is None: n = 3 * t + 1 if len(self.y_vecs) < n: i = len(self.y_vecs) while i < n: self.y_vecs.append([ZR(i + 1)**j for j in range(t + 1)]) i += 1 s_vec = [ZR.random() for _ in range(t + 1)] sy_prods = [ZR(0) for _ in range(n)] S = G1.identity() T_vec = [None] * n witnesses = [[] for _ in range(n)] for i in range(t + 1): S *= self.gs[i]**s_vec[i] for j in range(n): for i in range(t + 1): sy_prods[j] += s_vec[i] * self.y_vecs[j][i] T_vec[j] = self.gs[0]**sy_prods[j] rho = ZR.random() S *= self.h**rho # Fiat Shamir tree = MerkleTree() for j in range(n): tree.append(pickle.dumps(T_vec[j])) roothash = tree.get_root_hash() for j in range(n): branch = tree.get_branch(j) witnesses[j].append(roothash) witnesses[j].append(branch) challenge = ZR.hash( pickle.dumps([roothash, self.gs, self.h, self.u, S])) d_vec = [phi.coeffs[j] + s_vec[j] * challenge for j in range(t + 1)] D = G1.identity() for j in range(t + 1): D *= self.gs[j]**d_vec[j] mu = r + rho * challenge comm, t_hats, iproofs = prove_batch_inner_product_one_known( d_vec, self.y_vecs, crs=[self.gs, self.u]) for j in range(len(witnesses)): witnesses[j] += [S, T_vec[j], D, mu, t_hats[j], iproofs[j]] return witnesses
def test_pc_log(t): pc = PolyCommitLog() phi = polynomials_over(ZR).random(t) # ToDo: see if other polycommits return the commit randomness # rather than expecting it as arg r = ZR.random() c = pc.commit(phi, r) witness = pc.create_witness(phi, r, 3) assert pc.verify_eval(c, 3, phi(3), witness) assert not pc.verify_eval(c, 4, phi(3), witness) assert not pc.verify_eval(G1.rand(), 3, phi(3), witness)
def test_double_batch_pc_log_batch_differing_degrees(t): pc = PolyCommitLog() n = 2*t+1 phi1 = polynomials_over(ZR).random(t) phi2 = polynomials_over(ZR).random(t) r = ZR.random() c1 = pc.commit(phi1, r) c2 = pc.commit(phi2, r) witnesses = pc.double_batch_create_witness([phi1, phi2], r, n=n) assert pc.batch_verify_eval([c1,c2], 4, [phi1(4), phi2(4)], witnesses[3]) assert pc.batch_verify_eval([c1,c2], 4, [phi1(4), phi2(4)], witnesses[3], degree=t) assert not pc.batch_verify_eval([c1,c2], 4, [phi1(4), phi2(4)], witnesses[3], degree=t+1) assert not pc.batch_verify_eval([c1,c2], 4, [phi1(4), phi2(4)], witnesses[3], degree=t-1)
def create_witness(self, phi, r, i): t = len(phi.coeffs) - 1 y_vec = [ZR(i)**j for j in range(t + 1)] s_vec = [ZR.random() for _ in range(t + 1)] sy_prod = ZR(0) S = G1.identity() for j in range(t + 1): S *= self.gs[j]**s_vec[j] sy_prod += s_vec[j] * y_vec[j] T = self.gs[0]**sy_prod rho = ZR.random() S *= self.h**rho # Fiat Shamir challenge = ZR.hash(pickle.dumps([self.gs, self.h, self.u, S, T])) d_vec = [phi.coeffs[j] + s_vec[j] * challenge for j in range(t + 1)] D = G1.identity() for j in range(t + 1): D *= self.gs[j]**d_vec[j] mu = r + rho * challenge comm, t_hat, iproof = prove_inner_product_one_known( d_vec, y_vec, crs=[self.gs, self.u]) return [S, T, D, mu, t_hat, iproof]
def test_double_batch_pc_log_batch_prove_and_verify(t): pc = PolyCommitLog() phi1 = polynomials_over(ZR).random(t) phi2 = polynomials_over(ZR).random(t) phi3 = polynomials_over(ZR).random(t) r = ZR.random() c1 = pc.commit(phi1, r) c2 = pc.commit(phi2, r) witnesses = pc.double_batch_create_witness([phi1, phi2], r) assert pc.batch_verify_eval([c1,c2], 4, [phi1(4), phi2(4)], witnesses[3]) assert not pc.batch_verify_eval([c1,c2], 3, [phi1(4), phi2(4)], witnesses[3]) assert not pc.batch_verify_eval([c1,c2], 4, [phi1(4), phi2(4)], witnesses[2]) assert not pc.batch_verify_eval([c1,c1], 4, [phi1(4), phi2(4)], witnesses[3])
def test_hbacss2_size_benchmark_batch_verify(benchmark, t): pc = PolyCommitLog(degree_max=t) pc.preprocess_verifier(16) phis = [] r = ZR.random() cs = [] for _ in range(t): phi_curr = polynomials_over(ZR).random(t) phis.append(phi_curr) c_curr = pc.commit(phi_curr, r) cs.append(c_curr) witnesses = pc.double_batch_create_witness(phis, r) i = 4 phis_at_4 = [] for j in range(len(phis)): phis_at_4.append(phis[j](i)) benchmark(pc.batch_verify_eval, cs, i, phis_at_4, witnesses[i - 1])
def gen_pc_const_dl_crs(t, alpha=None, g=None, ghat=None, ZR=ZR, G1=G1, G2=G2): nonetype = type(None) assert type(t) is int assert type(alpha) in (ZR, int, nonetype) assert type(g) in (G1, nonetype) assert type(ghat) in (G2, nonetype) if alpha is None: alpha = ZR.random() if g is None: g = G1.rand() if ghat is None: ghat = G2.rand() (gs, ghats) = ([], []) for i in range(t + 1): gs.append(g**(alpha**i)) for i in range(2): ghats.append(ghat**(alpha**i)) crs = [gs, ghats] return crs
async def recursive_verify(self, g_vec, h_vec, u, n, P): if n == 1: [a, b] = await self.receive_queue.get() return P == g_vec[0]**a * h_vec[0]**b * u**(a * b) if n % 2 == 1: [na, nb, L, R] = await self.receive_queue.get() P *= g_vec[-1]**(na) * h_vec[-1]**(nb) * u**(-na * nb) else: [L, R] = await self.receive_queue.get() x = ZR.random() await self.send_queue.put(x) xi = x**-1 n_p = n // 2 g_vec_p = [] h_vec_p = [] for i in range(n_p): g_vec_p.append(g_vec[:n_p][i]**xi * g_vec[n_p:][i]**x) h_vec_p.append(h_vec[:n_p][i]**x * h_vec[n_p:][i]**xi) P_p = L**(x * x) * P * R**(xi * xi) ret = await self.recursive_verify(g_vec_p, h_vec_p, u, n_p, P_p) return ret
if alpha is None: alpha = ZR.random() if g is None: g = G1.rand() if ghat is None: ghat = G2.rand() (gs, ghats) = ([], []) for i in range(t + 1): gs.append(g**(alpha**i)) for i in range(2): ghats.append(ghat**(alpha**i)) crs = [gs, ghats] return crs #todo make an actual test file if __name__ == "__main__": #from honeybadgermpc.poly_commit_const_dl import * #from honeybadgermpc.polynomial import polynomials_over #from pypairing import ZR t = 3 crs = gen_pc_const_dl_crs(t) poly = polynomials_over(ZR) s = ZR.random() phi = poly.random(t, s) pc = PolyCommitConstDL(crs) c = pc.commit(phi) w = pc.create_witness(phi, 2) assert pc.verify_eval(c, 2, phi(2), w) assert not pc.verify_eval(c, 3, phi(2), w) print("success!")