def get_commitment(self):
"""Returns:
c * U + v_1 * G_1 + v_2 * G_2 + ... + v_n * G_n +
w_1 * H_1 + w_2 * H_2 + ... + w_n * H_n
"""
self.set_blinding()
self.P = ecmult(self.c, self.U, False)
for i, x in enumerate(self.a):
self.P = ecadd_pubkeys(
[self.P, ecmult(x, self.g[i], False)], False)
for i, x in enumerate(self.b):
self.P = ecadd_pubkeys(
[self.P, ecmult(x, self.h[i], False)], False)
return self.P
def inner_product_verifier(n, V, prf):
final_pc, pc2, a, b, L, R, comm1 = prf
# Simulate a challenge e, TODO: use fiat shamir later
e = hashlib.sha256(V).digest()
e = decode(e, 256)
lhs = final_pc
rhs = ecmult(e, V, False)
rhs_2 = pc2
rhs = ecadd_pubkeys([rhs, rhs_2], False)
print("**Verifying Inner product: **")
#Note that the 'a' and 'b' vectors in the following constructor are dummy
#values, they only set the length:
verifier_ipc = IPC(["\x01"] * n, ["\x02"] * n)
result = verifier_ipc.verify_proof(a, b, comm1, L, R)
print("Verification result: ", result)
if lhs == rhs:
print("Positive Number")
return True
else:
print("Negetive Number")
return False
def run_test_VPC():
rawv = raw_input("Enter a vector cseparated: ")
v = [int(x) for x in rawv.split(',')]
vpc = VPC(v, v, vtype="int")
print("Successfully created the pedersen commitment to: ", rawv)
C = vpc.get_commitment()
print("Here is the commitment: ", binascii.hexlify(C))
rawv2 = raw_input("Test homomorphism: enter second vector: ")
v2 = [int(x) for x in rawv2.split(',')]
vpc2 = VPC(v2, v2, vtype="int")
C2 = vpc2.get_commitment()
print("Here is the commitment for the second vector: ",
binascii.hexlify(C2))
assert len(v2) == len(v), "try again"
sumv = [x + y for x, y in zip(v, v2)]
print('here is sumv: ', sumv)
newc = encode((decode(vpc.c, 256) + decode(vpc2.c, 256)) % N, 256, 32)
print("here is newc len: ", len(newc))
sumvpc = VPC(sumv, sumv, vtype="int")
#reset the blinding value
sumvpc.set_blinding(c=newc)
Csum = sumvpc.get_commitment()
print("Here is the commitment to the sum: ", binascii.hexlify(Csum))
print("Here is the sum of C and C2: ",
binascii.hexlify(ecadd_pubkeys([C, C2], False)))
if Csum == ecadd_pubkeys([C, C2], False):
print("Successly verified homomorphism")
else:
print("Homomorphism failed to verify.")
exit(0)
#test out opening commitments
if not verify_opening(C, vpc.c, v, v, vtype="int"):
print("V1 did not verify")
if not verify_opening(C2, vpc2.c, v2, v2, vtype="int"):
print("V2 did not verify")
if not verify_opening(Csum, sumvpc.c, sumv, sumv, vtype="int"):
print("Vsum did not verify")
def get_commitment(self):
self.C = ecmult(self.blinding, self.h, False)
self.C = ecadd_pubkeys([self.C, ecmult(self.v, self.g, False)], False)
return self.C
def verify(self, Ap, Sp, T1p, T2p, tau_x, mu, t, proof, V):
"""Takes as input an already-deserialized rangeproof, along
with the pedersen commitment V to the value (not here known),
and checks if the proof verifies.
"""
#wipe FS state:
self.fsstate = ""
#compute the challenges to find y, z, x
self.y, self.z = self.fiat_shamir([V, Ap, Sp])
self.z2 = (self.z * self.z) % N
self.zv = Vector([self.z] * self.bitlength)
self.x_1 = self.fiat_shamir([T1p, T2p], nret=1)[0]
self.hprime = []
self.yinv = modinv(self.y, N)
for i in range(1, self.bitlength + 1):
self.hprime.append(
ecmult(pow(self.yinv, i - 1, N),
getNUMS(self.bitlength + i).serialize(), False))
#construction of verification equation (61)
#cmopute the dangling term
onen = PowerVector(1, self.bitlength)
twon = PowerVector(2, self.bitlength)
yn = PowerVector(self.y, self.bitlength)
self.k = (yn.inner_product(onen) * -self.z2) % N
self.k = (self.k - (onen.inner_product(twon) *
(pow(self.z, 3, N)))) % N
self.gexp = (self.k + self.z * onen.inner_product(yn)) % N
# this computes PC of <l,r> with t_x
self.lhs = PC(t, blinding=tau_x).get_commitment()
self.rhs = ecmult(self.gexp, getG(True), False)
self.vz2 = ecmult((self.z * self.z) % N, V, False)
self.rhs = ecadd_pubkeys([self.rhs, self.vz2], False)
self.rhs = ecadd_pubkeys(
[self.rhs, ecmult(self.x_1, T1p, False)], False)
self.rhs = ecadd_pubkeys(
[self.rhs, ecmult((self.x_1 * self.x_1) % N, T2p, False)], False)
if not self.lhs == self.rhs:
print("(61) verification check failed")
print(binascii.hexlify(self.lhs))
print(binascii.hexlify(self.rhs))
return False
#reconstruct P (62)
# standard commitment check
self.P = Ap
self.P = ecadd_pubkeys([ecmult(self.x_1, Sp, False), self.P], False)
# upto here P = A + x*S
#now add g*^(-z)
for i in range(self.bitlength):
self.P = ecadd_pubkeys([
ecmult(-self.z % N,
getNUMS(i + 1).serialize(), False), self.P
], False)
# upto here P = A + x*S - g^(-z)
#zynz22n is the exponent of hprime
self.zynz22n = yn.scalar_mult(self.z).add(
PowerVector(2, self.bitlength).scalar_mult(self.z2))
for i in range(self.bitlength):
self.P = ecadd_pubkeys(
[ecmult(self.zynz22n.v[i], self.hprime[i], False), self.P],
False)
# Here P value is computed correctly
self.uchallenge = self.fiat_shamir([tau_x, mu, t], nret=1)[0]
self.U = ecmult(self.uchallenge, getG(True), False)
self.P = ecadd_pubkeys([ecmult(t, self.U, False), self.P], False)
#P should now be : A + xS + -zG* + (zy^n+z^2.2^n)H'* + tU
#One can show algebraically (the working is omitted from the paper)
#that this will be the same as an inner product commitment to
#(lx, rx) vectors (whose inner product is t), thus the variable 'proof'
#can be passed into the IPC verify call, which should pass.
#input to inner product proof is P.h^-(mu)
self.Pprime = ecadd_pubkeys(
[self.P, ecmult(-mu % N,
getNUMS(255).serialize(), False)], False)
#Now we can verify the inner product proof
a, b, L, R = proof
#dummy vals for constructor of verifier IPC
self.iproof = IPC(["\x01"] * self.bitlength, ["\x02"] * self.bitlength,
h=self.hprime,
u=self.U)
#self.iproof.P = self.Pprime
if not self.iproof.verify_proof(a, b, self.Pprime, L, R):
return False
return True