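def batch_verify_eval(self, commits, i, shares, auxes, witnesses):
    """Check one aggregated pairing equation for several openings at point i.

    The commitments and the witnesses are each multiplied together, the
    shares and the auxes are each summed, and a single equation is tested:

        pair(prod(commits), ghats[0])
            == pair(prod(witnesses), ghats[1] * ghats[0]**(-i))
               * gg**sum(shares) * gh**sum(auxes)

    Args:
        commits: commitments, one per polynomial.
        i: the evaluation point shared by every entry of the batch.
        shares: claimed evaluations at i, aligned with commits.
        auxes: claimed auxiliary (blinding) evaluations, aligned with commits.
        witnesses: evaluation witnesses, aligned with commits.

    Returns:
        True when the aggregated equation holds, False otherwise.

    Raises:
        AssertionError: if the four sequences differ in length.

    Security note: only the aggregate relation is checked. Items are combined
    with no per-item coefficient, so True means the sums are consistent with
    the product of the commitments; it does not show that every individual
    (share, aux, witness) triple would pass on its own. Deviations that
    cancel in the sum are not detected.
    NOTE(review): where the inputs come from a party that is not trusted,
    verify items individually or weight each item with a fresh random scalar;
    confirm which guarantee the callers rely on.
    """
    # The length check is a security-relevant precondition, so it is raised
    # explicitly instead of with `assert`: `python -O` strips assert
    # statements, after which a short `commits` list would silently leave the
    # surplus shares/auxes/witnesses unverified.
    if not (len(commits) == len(shares)
            and len(commits) == len(witnesses)
            and len(commits) == len(auxes)):
        raise AssertionError(
            "commits, shares, auxes and witnesses must have equal length")

    commitprod = G1.one()
    witnessprod = G1.one()
    sharesum = ZR(0)
    auxsum = ZR(0)
    # Lengths are equal at this point, so zip() visits every element.
    for commit, witness, share, aux in zip(commits, witnesses, shares, auxes):
        commitprod *= commit
        witnessprod *= witness
        sharesum += share
        auxsum += aux

    lhs = pair(commitprod, self.ghats[0])
    rhs = (pair(witnessprod, self.ghats[1] * self.ghats[0]**(-i))
           * (self.gg**sharesum) * (self.gh**auxsum))
    return lhs == rhs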
def commit(self, phi):
    """Commit to phi, blinded by a freshly drawn polynomial.

    A blinding polynomial phi_hat is obtained from
    polynomials_over(self.field).random(self.t). The commitment is the
    product of gs[k] ** phi.coeffs[k] over all of self.gs, times the product
    of hs[k] ** phi_hat.coeffs[k] over all of self.hs.

    Args:
        phi: polynomial to commit to; its `coeffs` are indexed by position
            in self.gs.

    Returns:
        (c, phi_hat): the commitment and the blinding polynomial. phi_hat is
        needed later to build witnesses and must be kept by the committer.

    NOTE(review): the hiding property rests on `.random()` drawing
    coefficients from a cryptographically secure source; confirm in the
    polynomial module.
    NOTE(review): the loops run over self.gs / self.hs, so a coefficient of
    phi at an index >= len(self.gs) never enters the commitment; presumably
    callers pass phi of degree at most self.t. Verify against callers.
    """
    commitment = G1.one()
    phi_hat = polynomials_over(self.field).random(self.t)
    for idx, base in enumerate(self.gs):
        commitment *= base ** phi.coeffs[idx]
    for idx, base in enumerate(self.hs):
        commitment *= base ** phi_hat.coeffs[idx]
    # Intended result (per the original author):
    # c should equal g **(phi(alpha)) h **(phi_hat(alpha))
    return commitment, phi_hat
def create_witness(self, phi, phi_hat, i):
    """Build the evaluation witness for phi and phi_hat at point i.

    Both polynomials have their value at i subtracted and are then divided
    by poly([-1 * i, 1]). The witness is the product of
    gs[k] ** psi.coeffs[k] over self.gs[:-1], times the product of
    hs[k] ** psi_hat.coeffs[k] over self.hs[:-1].

    Args:
        phi: the committed polynomial.
        phi_hat: the blinding polynomial returned alongside the commitment.
        i: the evaluation point.

    Returns:
        The witness group element.

    NOTE(review): poly([-1 * i, 1]) presumably denotes (x - i) with
    coefficients listed low-order first; confirm against the polynomial
    class.
    """
    ring = polynomials_over(self.field)
    divisor = ring([-1 * i, 1])
    quotient = (phi - ring([phi(i)])) / divisor
    quotient_hat = (phi_hat - ring([phi_hat(i)])) / divisor

    acc = G1.one()
    # The quotients have one coefficient fewer than the committed
    # polynomials, hence the last generator of each list is left out.
    for k, base in enumerate(self.gs[:-1]):
        acc *= base ** quotient.coeffs[k]
    for k, base in enumerate(self.hs[:-1]):
        acc *= base ** quotient_hat.coeffs[k]
    return acc
def verify_eval(self, cs, i, phi_at_i, witness):
    """Check a claimed evaluation against per-coefficient commitments.

    Tests whether the product over j of cs[j] ** (i ** j) equals
    g ** phi_at_i * h ** witness.

    Args:
        cs: sequence of commitments, indexed by coefficient position j.
        i: the evaluation point.
        phi_at_i: the claimed evaluation at i.
        witness: the exponent applied to self.h in the check.

    Returns:
        True when both sides are equal, False otherwise.

    NOTE(review): pow(i, j) is the two-argument form, so when i is a plain
    int the exponent is not reduced and grows with j; confirm i is a field
    element or a small index.
    NOTE(review): the check covers exactly len(cs) commitments; the caller
    is presumably responsible for making sure cs has the expected length.
    """
    combined = G1.one()
    for power, commitment in enumerate(cs):
        combined *= pow(commitment, pow(i, power))
    expected = pow(self.g, phi_at_i) * pow(self.h, witness)
    return combined == expected