def test_and_proof_with_complex_expression(group): g = group.generator() g1 = 2 * g g2 = 5 * g g3 = 10 * g x1 = Secret() x2 = Secret() x3 = Secret() proof = DLRep(10 * g1 + 15 * g2, x1 * g1 + x2 * g2) & DLRep( 15 * g1 + 35 * g3, x2 * g1 + x3 * g3) prover = proof.get_prover({x1: 10, x2: 15, x3: 35}) verifier = proof.get_verifier() assert verify(verifier, prover)
# Next, create the proof statement. stmt = DLRep(y1, x0 * g0 + x1 * g1) \ & DLRep(y2, x0 * g2 + x2 * g3) # This is an equivalent way to create the proof statement above. stmt_1 = DLRep(y1, x0 * g0 + x1 * g1) stmt_2 = DLRep(y2, x0 * g2 + x2 * g3) equivalent_stmt = AndProofStmt(stmt_1, stmt_2) assert stmt.get_proof_id() == equivalent_stmt.get_proof_id() # Simulate the prover and verifier interacting. prover = stmt.get_prover({x0: 4, x1: 5, x2: 7}) verifier = stmt.get_verifier() commitment = prover.commit() challenge = verifier.send_challenge(commitment) response = prover.compute_response(challenge) assert verifier.verify(response) # Composition takes into account re-occuring secrets. x0 = Secret(4) x1 = Secret(4) stmt = DLRep(4 * g0, x0 * g0) & DLRep(4 * g1, x1 * g1) # NOT the same as above. Note that x1_prime is used for both clauses. x1_prime = Secret(4)
# Create the base points on the curve. g0 = group.hash_to_point(b"g0") g1 = group.hash_to_point(b"g1") # Preparing the secrets. # In practice, they probably should be big integers (petlib.bn.Bn) x0 = Secret() x1 = Secret() # Set up the proof statement. # First, compute the value, "left-hand side". y = 4 * g0 + 42 * g1 # Next, create the proof statement. stmt = DLRep(y, x0 * g0 + x1 * g1) # Simulate the prover and the verifier interacting. prover = stmt.get_prover({x0: 4, x1: 42}) verifier = stmt.get_verifier() commitment = prover.commit() challenge = verifier.send_challenge(commitment) response = prover.compute_response(challenge) assert verifier.verify(response) # Non-interactive proof. nizk = stmt.prove({x0: 4, x1: 42}) stmt.verify(nizk)
from petlib.ec import EcGroup from zksk import Secret, DLRep group = EcGroup() g = group.generator() # Different way to define secrets. x = Secret() x = Secret(value=42) # If secret come with values, prover will get them. x = Secret(value=4, name="x") y = x.value * g stmt = DLRep(y, x * g) prover = stmt.get_prover() # Otherwise, a prover needs to have the values as a dictionary. x = Secret(name="x") value = 4 stmt = DLRep(value * g, x * g) prover = stmt.get_prover({x: value}) # Example of a bit more complex expression. x = Secret() y = Secret() g = group.hash_to_point(b"one") h = group.hash_to_point(b"two") expr = x * g + y * h # Expressions can be evaluated.
stmt = DLRep(y0, x0 * g0) | DLRep(y1, x1 * g1) # Set the first clause as simulated. stmt.subproofs[0].set_simulated() # This is an equivalent way to define the proof statement above. stmt_1 = DLRep(y0, x0 * g0) stmt_2 = DLRep(y1, x1 * g1) stmt_1.set_simulated() equivalent_stmt = OrProofStmt(stmt_1, stmt_2) assert stmt.get_proof_id() == equivalent_stmt.get_proof_id() # Another equivalent way. stmt_1 = DLRep(y0, x0 * g0, simulated=True) stmt_2 = DLRep(y1, x1 * g1) equivalent_stmt = OrProofStmt(stmt_1, stmt_2) assert stmt.get_proof_id() == equivalent_stmt.get_proof_id() # Execute the protocol. prover = stmt.get_prover() verifier = stmt.get_verifier() commitment = prover.commit() challenge = verifier.send_challenge(commitment) response = prover.compute_response(challenge) assert verifier.verify(response)