def test_scalar_vector_extend(self):
    """extend() appends the other vector's scalars, in order, to the receiver."""
    head = ScalarVector([Scalar(0), Scalar(1)])
    tail = ScalarVector([Scalar(2), Scalar(3)])
    head.extend(tail)

    # Compare against a vector built directly from the concatenated values.
    expected = ScalarVector([Scalar(n) for n in range(4)])
    self.assertEqual(len(head), len(expected))
    self.assertEqual(head.scalars, expected.scalars)
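def prove(data,N):
    """Build an aggregated range proof over a batch of committed amounts.

    Args:
        data: sequence of (v, gamma) pairs; v is the amount and gamma the
            mask used in the commitment H*v + G*gamma.
        N: number of bits each amount is decomposed into.

    Returns:
        The list [V, A, S, T1, T2, taux, mu, L, R, a, b, t], where a and b
        are the two entries of the final inner_product() result.

    Review notes:
        * Challenges are read from the module-level `cache` after mash()
          calls, so the order of mash() calls is part of the proof format.
        * assumes each v fits in N bits and that M*N is a power of two so
          the inner-product recursion terminates -- TODO confirm against
          scalar_to_bits() and inner_product().
        * random_scalar() is defined elsewhere; the hiding of the proof
          depends on it being a cryptographically secure sampler -- confirm.
    """
    clear_cache()  # presumably resets the shared challenge `cache` -- confirm
    M = len(data)

    # curve points
    G = dumb25519.G
    H = hash_to_point('pybullet H')
    Gi = PointVector([hash_to_point('pybullet Gi ' + str(i)) for i in range(M*N)])
    Hi = PointVector([hash_to_point('pybullet Hi ' + str(i)) for i in range(M*N)])

    # set amount commitments; each one is folded into the challenge cache
    V = PointVector([])
    aL = ScalarVector([])
    for v,gamma in data:
        V.append((H*v + G*gamma)*inv8)
        mash(V[-1])
        aL.extend(scalar_to_bits(v,N))

    # set bit arrays: aR = aL - 1 elementwise
    aR = ScalarVector([])
    for bit in aL.scalars:
        aR.append(bit-Scalar(1))

    alpha = random_scalar()
    A = (Gi*aL + Hi*aR + G*alpha)*inv8

    # Blinding vectors need an independent random scalar per position.
    # `[random_scalar()]*(M*N)` samples once and repeats that single value
    # M*N times, so every entry of the blinding vector would be identical.
    sL = ScalarVector([random_scalar() for _ in range(M*N)])
    sR = ScalarVector([random_scalar() for _ in range(M*N)])
    rho = random_scalar()
    S = (Gi*sL + Hi*sR + G*rho)*inv8

    # get challenges
    mash(A)
    mash(S)
    y = cache
    # NOTE(review): no check that y is nonzero before inverting -- confirm
    # how Scalar.invert() behaves on zero.
    y_inv = y.invert()
    mash('')
    z = cache

    # polynomial coefficients
    l0 = aL - ScalarVector([z]*(M*N))
    l1 = sL

    # per-position term z**(1+j) * 2**(bit index) for the j-th amount's window
    zeros_twos = []
    for i in range(M*N):
        zeros_twos.append(Scalar(0))
        for j in range(1,M+1):
            temp = Scalar(0)
            if (j-1)*N <= i < j*N:
                temp = Scalar(2)**(i-(j-1)*N)
            zeros_twos[-1] += temp*(z**(1+j))

    # more polynomial coefficients
    r0 = aR + ScalarVector([z]*(M*N))
    r0 = r0*exp_scalar(y,M*N)
    r0 += ScalarVector(zeros_twos)
    r1 = exp_scalar(y,M*N)*sR

    # build the polynomials (t0 is computed but not used further below)
    t0 = l0**r0
    t1 = l0**r1 + l1**r0
    t2 = l1**r1

    tau1 = random_scalar()
    tau2 = random_scalar()
    T1 = (H*t1 + G*tau1)*inv8
    T2 = (H*t2 + G*tau2)*inv8

    mash(T1)
    mash(T2)
    x = cache # challenge

    taux = tau1*x + tau2*(x**2)
    for j in range(1,M+1):
        gamma = data[j-1][1]
        taux += z**(1+j)*gamma
    mu = x*rho+alpha

    l = l0 + l1*x
    r = r0 + r1*x
    t = l**r

    mash(taux)
    mash(mu)
    mash(t)
    x_ip = cache # challenge

    L = PointVector([])
    R = PointVector([])

    # initial inner product inputs
    data_ip = [Gi,PointVector([Hi[i]*(y_inv**i) for i in range(len(Hi))]),H*x_ip,l,r,None,None]
    while True:
        data_ip = inner_product(data_ip)

        # we have reached the end of the recursion
        if len(data_ip) == 2:
            return [V,A,S,T1,T2,taux,mu,L,R,data_ip[0],data_ip[1],t]

        # we are not done yet: collect this round's L and R terms
        L.append(data_ip[-2])
        R.append(data_ip[-1])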
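def prove(data,N):
    """Build an aggregated range proof over a batch of committed amounts.

    Args:
        data: sequence of (v, gamma) pairs passed to com(v, gamma) to form
            each amount commitment.
        N: number of bits each amount is decomposed into.

    Returns:
        Bulletproof(V, A, S, T1, T2, taux, mu, L, R, a, b, t), with L, R, a
        and b taken from the finished inner-product round state.

    Review notes:
        * Every challenge comes from the transcript `tr`, so the order of
          tr.update() calls is part of the proof format.
        * y and z are drawn by two consecutive tr.challenge() calls with no
          update in between; they differ only if challenge() advances the
          transcript state -- confirm in transcript.Transcript.
        * assumes each v fits in N bits and that M*N is a power of two so
          the inner-product recursion terminates -- TODO confirm against
          scalar_to_bits() and inner_product().
        * random_scalar() is defined elsewhere; the hiding of the proof
          depends on it being a cryptographically secure sampler -- confirm.
    """
    tr = transcript.Transcript('Bulletproof')
    M = len(data)

    # curve points
    Gi = PointVector([hash_to_point('pybullet Gi ' + str(i)) for i in range(M*N)])
    Hi = PointVector([hash_to_point('pybullet Hi ' + str(i)) for i in range(M*N)])

    # set amount commitments; each one is absorbed into the transcript
    V = PointVector([])
    aL = ScalarVector([])
    for v,gamma in data:
        V.append(com(v,gamma)*inv8)
        tr.update(V[-1])
        aL.extend(scalar_to_bits(v,N))

    # set bit arrays: aR = aL - 1 elementwise
    aR = ScalarVector([])
    for bit in aL.scalars:
        aR.append(bit-Scalar(1))

    alpha = random_scalar()
    A = (Gi**aL + Hi**aR + Gc*alpha)*inv8

    # Blinding vectors need an independent random scalar per position.
    # `[random_scalar()]*(M*N)` samples once and repeats that single value
    # M*N times, so every entry of the blinding vector would be identical.
    sL = ScalarVector([random_scalar() for _ in range(M*N)])
    sR = ScalarVector([random_scalar() for _ in range(M*N)])
    rho = random_scalar()
    S = (Gi**sL + Hi**sR + Gc*rho)*inv8

    # get challenges
    tr.update(A)
    tr.update(S)
    y = tr.challenge()
    z = tr.challenge()
    # NOTE(review): no check that y is nonzero before inverting -- confirm
    # how Scalar.invert() behaves on zero.
    y_inv = y.invert()

    # polynomial coefficients
    l0 = aL - ScalarVector([z]*(M*N))
    l1 = sL

    # for polynomial coefficients: z**(2+j) * 2**i for bit i of amount j
    zeros_twos = []
    z_cache = z**2
    for j in range(M):
        for i in range(N):
            zeros_twos.append(z_cache*2**i)
        z_cache *= z

    # more polynomial coefficients
    r0 = aR + ScalarVector([z]*(M*N))
    r0 = r0*exp_scalar(y,M*N)
    r0 += ScalarVector(zeros_twos)
    r1 = exp_scalar(y,M*N)*sR

    # build the polynomials (t0 is computed but not used further below)
    t0 = l0**r0
    t1 = l0**r1 + l1**r0
    t2 = l1**r1

    tau1 = random_scalar()
    tau2 = random_scalar()
    T1 = com(t1,tau1)*inv8
    T2 = com(t2,tau2)*inv8

    tr.update(T1)
    tr.update(T2)
    x = tr.challenge()

    taux = tau1*x + tau2*(x**2)
    for j in range(1,M+1):
        gamma = data[j-1][1]
        taux += z**(1+j)*gamma
    mu = x*rho+alpha

    l = l0 + l1*x
    r = r0 + r1*x
    t = l**r

    tr.update(taux)
    tr.update(mu)
    tr.update(t)
    x_ip = tr.challenge()

    # initial inner product inputs; kept in its own name so the `data`
    # argument (the amount/mask pairs) is not rebound to the round state
    ip_round = InnerProductRound(Gi,PointVector([Hi[i]*(y_inv**i) for i in range(len(Hi))]),Hc*x_ip,l,r,tr)
    while True:
        inner_product(ip_round)

        # we have reached the end of the recursion
        if ip_round.done:
            return Bulletproof(V,A,S,T1,T2,taux,mu,ip_round.L,ip_round.R,ip_round.a,ip_round.b,t)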