def test_statement_zk_proof() -> None:
vm = sy.VirtualMachine()
client = vm.get_root_client()
sy.load("zksk")
# third party
from zksk import DLRep
from zksk import Secret
from zksk import utils
num = 2
seed = 42
num_sy = sy.lib.python.Int(num)
seed_sy = sy.lib.python.Int(seed)
# Setup: Peggy and Victor agree on two group generators.
G, H = utils.make_generators(num=num, seed=seed)
# Setup: generate a secret randomizer.
r = Secret(utils.get_random_num(bits=128))
# This is Peggy's secret bit.
top_secret_bit = 1
# A Pedersen commitment to the secret bit.
C = top_secret_bit * G + r.value * H
# Peggy's definition of the proof statement, and proof generation.
# (The first or-clause corresponds to the secret value 0, and the second to the value 1. Because
# the real value of the bit is 1, the clause that corresponds to zero is marked as simulated.)
stmt = DLRep(C, r * H, simulated=True) | DLRep(C - G, r * H)
zk_proof = stmt.prove()
# send over the network and get back
num_ptr = num_sy.send(client)
seed_prt = seed_sy.send(client)
c_ptr = C.send(client)
zk_proof_ptr = zk_proof.send(client)
num2 = num_ptr.get().upcast()
seed2 = seed_prt.get().upcast()
C2 = c_ptr.get()
zk_proof2 = zk_proof_ptr.get()
# Setup: get the agreed group generators.
G, H = utils.make_generators(num=num2, seed=seed2)
# Setup: define a randomizer with an unknown value.
r = Secret()
stmt = DLRep(C2, r * H) | DLRep(C2 - G, r * H)
assert stmt.verify(zk_proof2)
def ZK_equality(G,H):
##Generate two El-Gamal ciphertexts (C1,C2) and (D1,D2)
# Setup: generate secret randomizers.
# m is the secret bit.
m = Secret(utils.get_random_num(bits=2))
r1 = Secret(utils.get_random_num(bits=128))
r2 = Secret(utils.get_random_num(bits=128))
C1 = r1.value*G
#print("this is C1:", C1)
C2 = r1.value * H + m.value * G
D1 = r2.value * G
D2 = r2.value * H + m.value * G
##Generate a NIZK proving equality of the plaintexts
stmt = DLRep(C1,r1*G) & DLRep(C2,r1*H+m*G) & DLRep(D1,r2*G) & DLRep(D2,r2*H+m*G)
zk_proof = stmt.prove()
#Return two ciphertexts and the proof
return (C1,C2), (D1,D2), zk_proof
def test_nizk_serde() -> None:
vm = sy.VirtualMachine()
client = vm.get_root_client()
# third party
from zksk import DLRep
from zksk import Secret
from zksk import utils
sy.load("zksk")
num = 2
seed = 42
G, H = utils.make_generators(num=num, seed=seed)
# Setup: generate a secret randomizer.
r = Secret(utils.get_random_num(bits=128))
# This is Peggy's secret bit.
top_secret_bit = 1
# A Pedersen commitment to the secret bit.
C = top_secret_bit * G + r.value * H
# Peggy's definition of the proof statement, and proof generation.
# (The first or-clause corresponds to the secret value 0, and the second to the value 1. Because
# the real value of the bit is 1, the clause that corresponds to zero is marked as simulated.)
stmt = DLRep(C, r * H, simulated=True) | DLRep(C - G, r * H)
# zksk.base.NIZK
zk_proof = stmt.prove()
# test serde
zk_proof_ptr = zk_proof.send(client)
zk_proof2 = zk_proof_ptr.get()
assert zk_proof == zk_proof2
# Create the base points on the curve.
g0 = group.hash_to_point(b"g0")
g1 = group.hash_to_point(b"g1")
# Preparing the secrets.
# In practice, they probably should be big integers (petlib.bn.Bn)
x0 = Secret()
x1 = Secret()
# Set up the proof statement.
# First, compute the value, "left-hand side".
y = 4 * g0 + 42 * g1
# Next, create the proof statement.
stmt = DLRep(y, x0 * g0 + x1 * g1)
# Simulate the prover and the verifier interacting.
prover = stmt.get_prover({x0: 4, x1: 42})
verifier = stmt.get_verifier()
commitment = prover.commit()
challenge = verifier.send_challenge(commitment)
response = prover.compute_response(challenge)
assert verifier.verify(response)
# Non-interactive proof.
nizk = stmt.prove({x0: 4, x1: 42})
stmt.verify(nizk)
