mmarcel/derohe-miniblock-mod
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity
derohe-miniblock-mod/cryptography/crypto/proof_generate.go

1225 lines
35 KiB
Go
Raw Normal View History

DERO-HE STARGATE Testnet Release35
2021-12-04 16:42:11 +00:00
// Copyright 2017-2021 DERO Project. All rights reserved.
// Use of this source code in any form is governed by RESEARCH license.
// license can be found in the LICENSE file.
// GPG: 0F39 E425 8C65 3947 702A 8234 08B2 0360 A03A 9DE8
//
//
// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY
// EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
// MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL
// THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
// PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
// INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
// STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF
// THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
package crypto
import "fmt"
import "math"
import "math/big"
import "bytes"
import "strconv"
//import "crypto/rand"
//import "encoding/hex"
import "github.com/deroproject/derohe/cryptography/bn256"
//import "golang.org/x/crypto/sha3"
//import "github.com/kubernetes/klog"
type Proof struct {
BA *bn256.G1
BS *bn256.G1
A *bn256.G1
B *bn256.G1
CLnG, CRnG, C_0G, DG, y_0G, gG, C_XG, y_XG []*bn256.G1
u *bn256.G1
f *FieldVector
z_A *big.Int
T_1 *bn256.G1
T_2 *bn256.G1
that *big.Int
mu *big.Int
c *big.Int
s_sk, s_r, s_b, s_tau *big.Int
ip *InnerProduct
}
type IPStatement struct {
PrimeBase *GeneratorParams
P *bn256.G1
}
type IPWitness struct {
L *FieldVector
R *FieldVector
}
// this is based on roothash, scid etc and user's secret key
// thus is the basis of protection from a number of double spending attacks
func (p *Proof) Nonce() Hash {
return Keccak256(p.u.EncodeCompressed())
}
func (p *Proof) Parity() bool {
zero := big.NewInt(0)
if zero.Cmp(p.f.Element(0)) == 0 {
return true
}
return false
}
func (p *Proof) Serialize(w *bytes.Buffer) {
if p == nil {
return
}
w.Write(p.BA.EncodeCompressed())
w.Write(p.BS.EncodeCompressed())
w.Write(p.A.EncodeCompressed())
w.Write(p.B.EncodeCompressed())
//w.WriteByte(byte(len(p.CLnG))) // we can skip this byte also, why not skip it
// fmt.Printf("CLnG byte %d\n",len(p.CLnG))
for i := 0; i < len(p.CLnG); i++ {
w.Write(p.CLnG[i].EncodeCompressed())
w.Write(p.CRnG[i].EncodeCompressed())
w.Write(p.C_0G[i].EncodeCompressed())
w.Write(p.DG[i].EncodeCompressed())
w.Write(p.y_0G[i].EncodeCompressed())
w.Write(p.gG[i].EncodeCompressed())
w.Write(p.C_XG[i].EncodeCompressed())
w.Write(p.y_XG[i].EncodeCompressed())
}
w.Write(p.u.EncodeCompressed())
if len(p.CLnG) != len(p.f.vector) {
/// panic(fmt.Sprintf("different size %d %d", len(p.CLnG), len(p.f.vector)))
}
/*if len(p.f.vector) != 2 {
panic(fmt.Sprintf("f could not be serialized length %d", len(p.CLnG), len(p.f.vector)))
}
*/
// fmt.Printf("writing %d fvector points\n", len(p.f.vector));
for i := 0; i < len(p.f.vector); i++ {
w.Write(ConvertBigIntToByte(p.f.vector[i]))
}
w.Write(ConvertBigIntToByte(p.z_A))
w.Write(p.T_1.EncodeCompressed())
w.Write(p.T_2.EncodeCompressed())
w.Write(ConvertBigIntToByte(p.that))
w.Write(ConvertBigIntToByte(p.mu))
w.Write(ConvertBigIntToByte(p.c))
w.Write(ConvertBigIntToByte(p.s_sk))
w.Write(ConvertBigIntToByte(p.s_r))
w.Write(ConvertBigIntToByte(p.s_b))
w.Write(ConvertBigIntToByte(p.s_tau))
p.ip.Serialize(w)
}
func (proof *Proof) Deserialize(r *bytes.Reader, length int) error {
var buf [32]byte
var bufp [33]byte
if n, err := r.Read(bufp[:]); n == 33 && err == nil {
var p bn256.G1
if err = p.DecodeCompressed(bufp[:]); err != nil {
return err
}
proof.BA = &p
} else {
return err
}
if n, err := r.Read(bufp[:]); n == 33 && err == nil {
var p bn256.G1
if err = p.DecodeCompressed(bufp[:]); err != nil {
return err
}
proof.BS = &p
} else {
return err
}
if n, err := r.Read(bufp[:]); n == 33 && err == nil {
var p bn256.G1
if err = p.DecodeCompressed(bufp[:]); err != nil {
return err
}
proof.A = &p
} else {
return err
}
if n, err := r.Read(bufp[:]); n == 33 && err == nil {
var p bn256.G1
if err = p.DecodeCompressed(bufp[:]); err != nil {
return err
}
proof.B = &p
} else {
return err
}
proof.CLnG = proof.CLnG[:0]
proof.CRnG = proof.CRnG[:0]
proof.C_0G = proof.C_0G[:0]
proof.DG = proof.DG[:0]
proof.y_0G = proof.y_0G[:0]
proof.gG = proof.gG[:0]
proof.C_XG = proof.C_XG[:0]
proof.y_XG = proof.y_XG[:0]
for i := 0; i < length; i++ {
if n, err := r.Read(bufp[:]); n == 33 && err == nil {
var p bn256.G1
if err = p.DecodeCompressed(bufp[:]); err != nil {
return err
}
proof.CLnG = append(proof.CLnG, &p)
} else {
return err
}
if n, err := r.Read(bufp[:]); n == 33 && err == nil {
var p bn256.G1
//fmt.Printf("CRnG point bytes2 %x\n", bufp[:])
if err = p.DecodeCompressed(bufp[:]); err != nil {
//fmt.Printf("CRng point bytes1 %x\n", bufp[:])
return err
}
proof.CRnG = append(proof.CRnG, &p)
} else {
return err
}
if n, err := r.Read(bufp[:]); n == 33 && err == nil {
var p bn256.G1
if err = p.DecodeCompressed(bufp[:]); err != nil {
return err
}
proof.C_0G = append(proof.C_0G, &p)
} else {
return err
}
if n, err := r.Read(bufp[:]); n == 33 && err == nil {
var p bn256.G1
if err = p.DecodeCompressed(bufp[:]); err != nil {
return err
}
proof.DG = append(proof.DG, &p)
} else {
return err
}
if n, err := r.Read(bufp[:]); n == 33 && err == nil {
var p bn256.G1
if err = p.DecodeCompressed(bufp[:]); err != nil {
return err
}
proof.y_0G = append(proof.y_0G, &p)
} else {
return err
}
if n, err := r.Read(bufp[:]); n == 33 && err == nil {
var p bn256.G1
if err = p.DecodeCompressed(bufp[:]); err != nil {
return err
}
proof.gG = append(proof.gG, &p)
} else {
return err
}
if n, err := r.Read(bufp[:]); n == 33 && err == nil {
var p bn256.G1
if err = p.DecodeCompressed(bufp[:]); err != nil {
return err
}
proof.C_XG = append(proof.C_XG, &p)
} else {
return err
}
if n, err := r.Read(bufp[:]); n == 33 && err == nil {
var p bn256.G1
if err = p.DecodeCompressed(bufp[:]); err != nil {
return err
}
proof.y_XG = append(proof.y_XG, &p)
} else {
return err
}
}
if n, err := r.Read(bufp[:]); n == 33 && err == nil {
var p bn256.G1
if err = p.DecodeCompressed(bufp[:]); err != nil {
return err
}
proof.u = &p
} else {
return err
}
proof.f = &FieldVector{}
//fmt.Printf("flen %d\n", flen )
for j := 0; j < length*2; j++ {
if n, err := r.Read(buf[:]); n == 32 && err == nil {
proof.f.vector = append(proof.f.vector, new(big.Int).SetBytes(buf[:]))
} else {
return err
}
}
if n, err := r.Read(buf[:]); n == 32 && err == nil {
proof.z_A = new(big.Int).SetBytes(buf[:])
} else {
return err
}
if n, err := r.Read(bufp[:]); n == 33 && err == nil {
var p bn256.G1
if err = p.DecodeCompressed(bufp[:]); err != nil {
return err
}
proof.T_1 = &p
} else {
return err
}
if n, err := r.Read(bufp[:]); n == 33 && err == nil {
var p bn256.G1
if err = p.DecodeCompressed(bufp[:]); err != nil {
return err
}
proof.T_2 = &p
} else {
return err
}
if n, err := r.Read(buf[:]); n == 32 && err == nil {
proof.that = new(big.Int).SetBytes(buf[:])
} else {
return err
}
if n, err := r.Read(buf[:]); n == 32 && err == nil {
proof.mu = new(big.Int).SetBytes(buf[:])
} else {
return err
}
if n, err := r.Read(buf[:]); n == 32 && err == nil {
proof.c = new(big.Int).SetBytes(buf[:])
} else {
return err
}
if n, err := r.Read(buf[:]); n == 32 && err == nil {
proof.s_sk = new(big.Int).SetBytes(buf[:])
} else {
return err
}
if n, err := r.Read(buf[:]); n == 32 && err == nil {
proof.s_r = new(big.Int).SetBytes(buf[:])
} else {
return err
}
if n, err := r.Read(buf[:]); n == 32 && err == nil {
proof.s_b = new(big.Int).SetBytes(buf[:])
} else {
return err
}
if n, err := r.Read(buf[:]); n == 32 && err == nil {
proof.s_tau = new(big.Int).SetBytes(buf[:])
} else {
return err
}
proof.ip = &InnerProduct{}
return proof.ip.Deserialize(r)
}
/*
// statement hash
func (s *Statement) Hash() *big.Int {
var input []byte
for i := range s.CLn {
input = append(input, s.CLn[i].Marshal()...)
}
for i := range s.CRn {
input = append(input, s.CRn[i].Marshal()...)
}
for i := range s.C {
input = append(input, s.C[i].Marshal()...)
}
input = append(input, s.D.Marshal()...)
for i := range s.Publickeylist {
input = append(input, s.Publickeylist[i].Marshal()...)
}
input = append(input, s.Roothash[:]...)
return reducedhash(input)
}
*/
func (p *Proof) Size() int {
size := 4*POINT_SIZE + (len(p.CLnG)+len(p.CRnG)+len(p.C_0G)+len(p.DG)+len(p.y_0G)+len(p.gG)+len(p.C_XG)+len(p.y_XG))*POINT_SIZE
size += POINT_SIZE
size += len(p.f.vector) * FIELDELEMENT_SIZE
size += FIELDELEMENT_SIZE
size += 2 * POINT_SIZE // T_1 ,T_2
size += 7 * FIELDELEMENT_SIZE
size += p.ip.Size()
return size
}
func (proof *Proof) hashmash1(v *big.Int) *big.Int {
var input []byte
input = append(input, ConvertBigIntToByte(v)...)
for i := range proof.CLnG {
input = append(input, proof.CLnG[i].Marshal()...)
}
for i := range proof.CRnG {
input = append(input, proof.CRnG[i].Marshal()...)
}
for i := range proof.C_0G {
input = append(input, proof.C_0G[i].Marshal()...)
}
for i := range proof.DG {
input = append(input, proof.DG[i].Marshal()...)
}
for i := range proof.y_0G {
input = append(input, proof.y_0G[i].Marshal()...)
}
for i := range proof.gG {
input = append(input, proof.gG[i].Marshal()...)
}
for i := range proof.C_XG {
input = append(input, proof.C_XG[i].Marshal()...)
}
for i := range proof.y_XG {
input = append(input, proof.y_XG[i].Marshal()...)
}
return reducedhash(input)
}
// function, which takes a string as
// argument and return the reverse of string.
func reverse(s string) string {
rns := []rune(s) // convert to rune
for i, j := 0, len(rns)-1; i < j; i, j = i+1, j-1 {
// swap the letters of the string,
// like first with last and so on.
rns[i], rns[j] = rns[j], rns[i]
}
// return the reversed string.
return string(rns)
}
var params = NewGeneratorParams(128) // these can be pregenerated similarly as in DERO project
func GenerateProof(scid Hash, scid_index int, s *Statement, witness *Witness, u *bn256.G1, txid Hash, burn_value uint64) *Proof {
var proof Proof
proof.u = u
statementhash := reducedhash(txid[:])
// statement should be constructed from these, however these are being simplified
var C []*ElGamal
var Cn ElGamalVector
for i := range s.C {
C = append(C, ConstructElGamal(s.C[i], s.D))
Cn.vector = append(Cn.vector, ConstructElGamal(s.CLn[i], s.CRn[i]))
}
btransfer := new(big.Int).SetInt64(int64(witness.TransferAmount)) // this should be reduced
bdiff := new(big.Int).SetInt64(int64(witness.Balance)) // this should be reduced
number := btransfer.Add(btransfer, bdiff.Lsh(bdiff, 64)) // we are placing balance and left over balance, and doing a range proof of 128 bits
number_string := reverse("0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000" + number.Text(2))
number_string_left_128bits := string(number_string[0:128])
var aL, aR FieldVector // convert the amount to make sure it cannot be negative
//klog.V(2).Infof("reverse %s\n", number_string_left_128bits)
for _, b := range []byte(number_string_left_128bits) {
if b == '1' {
aL.vector = append(aL.vector, new(big.Int).SetInt64(1))
aR.vector = append(aR.vector, new(big.Int).SetInt64(0))
} else {
aL.vector = append(aL.vector, new(big.Int).SetInt64(0))
aR.vector = append(aR.vector, new(big.Int).Mod(new(big.Int).SetInt64(-1), bn256.Order))
}
}
//klog.V(2).Infof("aRa %+v\n", aRa)
proof_BA_internal := NewPedersenVectorCommitment().Commit(&aL, &aR)
proof.BA = proof_BA_internal.Result
sL := NewFieldVectorRandomFilled(len(aL.vector))
sR := NewFieldVectorRandomFilled(len(aL.vector))
proof_BS_internal := NewPedersenVectorCommitment().Commit(sL, sR)
proof.BS = proof_BS_internal.Result
//klog.V(2).Infof("Proof BA %s\n", proof.BA.String())
//klog.V(2).Infof("Proof BS %s\n", proof.BS.String())
if len(s.Publickeylist) >= 1 && len(s.Publickeylist)&(len(s.Publickeylist)-1) != 0 {
fmt.Printf("len of Publickeylist %d\n", len(s.Publickeylist))
panic("we need power of 2")
}
N := len(s.Publickeylist)
m := int(math.Log2(float64(N)))
if math.Pow(2, float64(m)) != float64(N) {
panic("log failed")
}
var aa, ba, bspecial []*big.Int
for i := 0; i < 2*m; i++ {
if i == 0 || i == m {
aa = append(aa, new(big.Int).SetUint64(0))
} else {
aa = append(aa, RandomScalarFixed())
}
}
witness_index := reverse(fmt.Sprintf("%0"+fmt.Sprintf("%db", m)+"%0"+fmt.Sprintf("%db", m), witness.Index[1], witness.Index[0]))
for _, b := range []byte(witness_index) {
if b == '1' {
ba = append(ba, new(big.Int).SetUint64(1))
bspecial = append(bspecial, new(big.Int).Mod(new(big.Int).SetInt64(-1), bn256.Order))
} else {
ba = append(ba, new(big.Int).SetUint64(0))
bspecial = append(bspecial, new(big.Int).Mod(new(big.Int).SetInt64(1), bn256.Order))
}
}
a := NewFieldVector(aa)
b := NewFieldVector(ba)
// klog.V(1).Infof("witness_index of sender/receiver %s\n", witness_index)
c := a.Hadamard(NewFieldVector(bspecial))
d := a.Hadamard(a).Negate()
// klog.V(2).Infof("d %s\n", d.vector[0].Text(16))
e := NewFieldVector([]*big.Int{new(big.Int).Mod(new(big.Int).Mul(a.vector[0], a.vector[m]), bn256.Order),
new(big.Int).Mod(new(big.Int).Mul(a.vector[0], a.vector[m]), bn256.Order)})
second := new(big.Int).Set(a.vector[b.vector[m].Uint64()*uint64(m)])
second.Neg(second)
f := NewFieldVector([]*big.Int{a.vector[b.vector[0].Uint64()*uint64(m)], new(big.Int).Mod(second, bn256.Order)})
// for i := range f.vector {
// klog.V(2).Infof("f %d %s\n", i, f.vector[i].Text(16))
// }
proof_A_internal := NewPedersenVectorCommitment().Commit(a, d.Concat(e))
proof.A = proof_A_internal.Result
proof_B_internal := NewPedersenVectorCommitment().Commit(b, c.Concat(f))
proof.B = proof_B_internal.Result
// klog.V(2).Infof("Proof A %s\n", proof.A.String())
// klog.V(2).Infof("Proof B %s\n", proof.B.String())
var v *big.Int
{ // hash mash
var input []byte
input = append(input, ConvertBigIntToByte(statementhash)...)
input = append(input, proof.BA.Marshal()...)
input = append(input, proof.BS.Marshal()...)
input = append(input, proof.A.Marshal()...)
input = append(input, proof.B.Marshal()...)
v = reducedhash(input)
}
var P, Q, Pi, Qi [][]*big.Int
Pi = RecursivePolynomials(Pi, NewPolynomial(nil), a.SliceRaw(0, m), b.SliceRaw(0, m))
Qi = RecursivePolynomials(Qi, NewPolynomial(nil), a.SliceRaw(m, 2*m), b.SliceRaw(m, 2*m))
// transpose the matrices
for i := 0; i < m; i++ {
P = append(P, []*big.Int{})
Q = append(Q, []*big.Int{})
for j := range Pi {
P[i] = append(P[i], Pi[j][i])
Q[i] = append(Q[i], Qi[j][i])
}
}
// for i := range P {
// for j := range P[i] {
// klog.V(2).Infof("P%d,%d %s\n", i, j, P[i][j].Text(16))
// }
// }
//phi := NewFieldVectorRandomFilled(m)
//chi := NewFieldVectorRandomFilled(m)
//psi := NewFieldVectorRandomFilled(m)
var phi, chi, psi ElGamalVector
for i := 0; i < m; i++ {
phi.vector = append(phi.vector, CommitElGamal(s.Publickeylist[witness.Index[0]], new(big.Int).SetUint64(0)))
chi.vector = append(chi.vector, CommitElGamal(s.Publickeylist[witness.Index[0]], new(big.Int).SetUint64(0)))
psi.vector = append(psi.vector, CommitElGamal(s.Publickeylist[witness.Index[0]], new(big.Int).SetUint64(0)))
}
var CnG, C_0G, y_0G ElGamalVector
for i := 0; i < m; i++ {
CnG.vector = append(CnG.vector, Cn.MultiExponentiate(NewFieldVector(P[i])).Add(phi.vector[i]))
{
var pvector PointVector
for j := range C {
pvector.vector = append(pvector.vector, C[j].Left)
}
left := pvector.MultiExponentiate(NewFieldVector(P[i])) //.Add(chi.vector[i].Left)
left = new(bn256.G1).Add(new(bn256.G1).Set(left), chi.vector[i].Left)
C_0G.vector = append(C_0G.vector, ConstructElGamal(left, chi.vector[i].Right))
}
{
left := NewPointVector(s.Publickeylist).MultiExponentiate(NewFieldVector(P[i]))
left = new(bn256.G1).Add(new(bn256.G1).Set(left), psi.vector[i].Left)
y_0G.vector = append(y_0G.vector, ConstructElGamal(left, psi.vector[i].Right))
}
/*
{ // y_0G
var rightp, result bn256.G1
leftp := NewPointVector(s.Publickeylist).Commit(P[i])
rightp.ScalarMult(s.Publickeylist[witness.Index[0]], psi.vector[i])
result.Add(leftp, &rightp)
proof.y_0G = append(proof.y_0G, &result)
//klog.V(2).Infof("y_0G %d %s\n",i, result.String())
}
{ // gG
var result bn256.G1
result.ScalarMult(params.G, psi.vector[i])
proof.gG = append(proof.gG, &result)
//klog.V(2).Infof("gG %d %s\n",i, result.String())
}
*/
/*
{ // C_XG
var result bn256.G1
result.ScalarMult(s.D, omega.vector[i])
proof.C_XG = append(proof.C_XG, &result)
//klog.V(2).Infof("C_XG %d %s\n",i, result.String())
}
{ // y_XG
var result bn256.G1
result.ScalarMult(params.G, omega.vector[i])
proof.y_XG = append(proof.y_XG, &result)
klog.V(2).Infof("y_XG %d %s\n", i, result.String())
}
*/
}
/*
for i := range proof.CLnG {
klog.V(2).Infof("CLnG %d %s\n", i, proof.CLnG[i].String())
}
for i := range proof.CRnG {
klog.V(2).Infof("CRnG %d %s\n", i, proof.CRnG[i].String())
}
for i := range proof.C_0G {
klog.V(2).Infof("C_0G %d %s\n", i, proof.C_0G[i].String())
}
for i := range proof.DG {
klog.V(2).Infof("DG %d %s\n", i, proof.DG[i].String())
}
for i := range proof.y_0G {
klog.V(2).Infof("y_0G %d %s\n", i, proof.y_0G[i].String())
}
for i := range proof.gG {
klog.V(2).Infof("gG %d %s\n", i, proof.gG[i].String())
}
for i := range proof.C_XG {
klog.V(2).Infof("C_XG %d %s\n", i, proof.C_XG[i].String())
}
for i := range proof.y_XG {
klog.V(2).Infof("y_XG %d %s\n", i, proof.y_XG[i].String())
}
*/
var C_XG []*ElGamal
for i := 0; i < m; i++ {
C_XG = append(C_XG, CommitElGamal(C[0].Right, new(big.Int).SetUint64(0)))
}
vPow := new(big.Int).SetInt64(1) // doesn't need reduction, since it' alredy reduced
for i := 0; i < N; i++ {
var poly [][]*big.Int
if i%2 == 0 {
poly = P
} else {
poly = Q
}
// klog.V(2).Infof("\n\n")
// for i := range proof.C_XG {
// klog.V(2).Infof("C_XG before %d %s\n", i, proof.C_XG[i].String())
// }
// klog.V(2).Infof("loop %d pos in poly sender %d receiver %d\n", i, (witness.Index[0]+N-(i-i%2))%N, (witness.Index[1]+N-(i-i%2))%N)
for j := range C_XG {
amount := new(big.Int).SetUint64(uint64(witness.TransferAmount))
amount_neg := new(big.Int).Neg(amount)
amount_fees := new(big.Int).SetUint64(s.Fees + burn_value)
left := new(big.Int).Sub(amount_neg, amount_fees)
left = new(big.Int).Mod(new(big.Int).Mul(new(big.Int).Set(left), poly[j][(witness.Index[0]+N-(i-i%2))%N]), bn256.Order)
right := new(big.Int).Mod(new(big.Int).Mul(new(big.Int).Set(amount), poly[j][(witness.Index[1]+N-(i-i%2))%N]), bn256.Order)
joined := new(big.Int).Mod(new(big.Int).Add(left, right), bn256.Order)
mul := new(big.Int).Mod(new(big.Int).Mul(vPow, joined), bn256.Order)
C_XG[j] = C_XG[j].Plus(mul)
}
if i != 0 {
vPow.Mul(vPow, v)
vPow.Mod(vPow, bn256.Order)
}
//klog.V(2).Infof("vPow %d %s\n", i, vPow.Text(16)))
}
for i := range C_XG {
proof.C_XG = append(proof.C_XG, C_XG[i].Left)
proof.y_XG = append(proof.y_XG, C_XG[i].Right)
proof.CLnG = append(proof.CLnG, CnG.vector[i].Left)
proof.CRnG = append(proof.CRnG, CnG.vector[i].Right)
proof.C_0G = append(proof.C_0G, C_0G.vector[i].Left)
proof.DG = append(proof.DG, C_0G.vector[i].Right)
proof.y_0G = append(proof.y_0G, y_0G.vector[i].Left)
proof.gG = append(proof.gG, y_0G.vector[i].Right)
}
//klog.V(2).Infof("\n\n")
// for i := range proof.C_XG {
// klog.V(2).Infof("C_XG after %d %s\n", i, proof.C_XG[i].String())
// }
// calculate w hashmash
w := proof.hashmash1(v)
{
var input []byte
input = append(input, ConvertBigIntToByte(v)...)
for i := range proof.CLnG {
input = append(input, proof.CLnG[i].Marshal()...)
}
for i := range proof.CRnG {
input = append(input, proof.CRnG[i].Marshal()...)
}
for i := range proof.C_0G {
input = append(input, proof.C_0G[i].Marshal()...)
}
for i := range proof.DG {
input = append(input, proof.DG[i].Marshal()...)
}
for i := range proof.y_0G {
input = append(input, proof.y_0G[i].Marshal()...)
}
for i := range proof.gG {
input = append(input, proof.gG[i].Marshal()...)
}
for i := range C_XG {
input = append(input, C_XG[i].Left.Marshal()...)
}
for i := range proof.y_XG {
input = append(input, C_XG[i].Right.Marshal()...)
}
//fmt.Printf("whash %s %s\n", reducedhash(input).Text(16), w.Text(16))
}
proof.f = b.Times(w).Add(a)
// for i := range proof.f.vector {
// klog.V(2).Infof("proof.f %d %s\n", i, proof.f.vector[i].Text(16))
// }
ttttt := new(big.Int).Mod(new(big.Int).Mul(proof_B_internal.Randomness, w), bn256.Order)
proof.z_A = new(big.Int).Mod(new(big.Int).Add(ttttt, proof_A_internal.Randomness), bn256.Order)
// klog.V(2).Infof("proofz_A %s\n", proof.z_A.Text(16))
y := reducedhash(ConvertBigIntToByte(w))
// klog.V(2).Infof("yyyyyyyyyy %s\n", y.Text(16))
ys_raw := []*big.Int{new(big.Int).SetUint64(1)}
for i := 1; i < 128; i++ {
var tt big.Int
tt.Mul(ys_raw[len(ys_raw)-1], y)
tt.Mod(&tt, bn256.Order)
ys_raw = append(ys_raw, &tt)
}
ys := NewFieldVector(ys_raw)
z := reducedhash(ConvertBigIntToByte(y))
// klog.V(2).Infof("zzzzzzzzzz %s \n", z.Text(16))
zs := []*big.Int{new(big.Int).Exp(z, new(big.Int).SetUint64(2), bn256.Order), new(big.Int).Exp(z, new(big.Int).SetUint64(3), bn256.Order)}
// for i := range zs {
// klog.V(2).Infof("zs %d %s\n", i, zs[i].Text(16))
// }
twos := []*big.Int{new(big.Int).SetUint64(1)}
for i := 1; i < 64; i++ {
var tt big.Int
tt.Mul(twos[len(twos)-1], new(big.Int).SetUint64(2))
tt.Mod(&tt, bn256.Order)
twos = append(twos, &tt)
}
twoTimesZs := []*big.Int{}
for i := 0; i < 2; i++ {
for j := 0; j < 64; j++ {
var tt big.Int
tt.Mul(zs[i], twos[j])
tt.Mod(&tt, bn256.Order)
twoTimesZs = append(twoTimesZs, &tt)
// klog.V(2).Infof("twoTimesZssss ============= %d %s\n", i*32+j, twoTimesZs[i*32+j].Text(16))
}
}
tmp := aL.AddConstant(new(big.Int).Mod(new(big.Int).Neg(z), bn256.Order))
lPoly := NewFieldVectorPolynomial(tmp, sL)
//for i := range lPoly.coefficients {
// for j := range lPoly.coefficients[i].vector {
// klog.V(2).Infof("lPoly %d,%d %s\n", i, j, lPoly.coefficients[i].vector[j].Text(16))
// }
//}
rPoly := NewFieldVectorPolynomial(ys.Hadamard(aR.AddConstant(z)).Add(NewFieldVector(twoTimesZs)), sR.Hadamard(ys))
//for i := range rPoly.coefficients {
// for j := range rPoly.coefficients[i].vector {
// klog.V(2).Infof("rPoly %d,%d %s\n", i, j, rPoly.coefficients[i].vector[j].Text(16))
// }
//}
tPolyCoefficients := lPoly.InnerProduct(rPoly) // just an array of BN Reds... should be length 3
//for j := range tPolyCoefficients {
// klog.V(2).Infof("tPolyCoefficients %d,%d %s\n", 0, j, tPolyCoefficients[j].Text(16))
//}
proof_T1 := NewPedersenCommitmentNew().Commit(tPolyCoefficients[1])
proof_T2 := NewPedersenCommitmentNew().Commit(tPolyCoefficients[2])
proof.T_1 = proof_T1.Result
proof.T_2 = proof_T2.Result
//polyCommitment := NewPolyCommitment(params, tPolyCoefficients)
/*proof.tCommits = NewPointVector(polyCommitment.GetCommitments())
for j := range proof.tCommits.vector {
klog.V(2).Infof("tCommits %d %s\n", j, proof.tCommits.vector[j].String())
}
*/
x := new(big.Int)
{
var input []byte
input = append(input, ConvertBigIntToByte(z)...) // tie intermediates/commit
//for j := range proof.tCommits.vector {
// input = append(input, proof.tCommits.vector[j].Marshal()...)
//}
input = append(input, proof_T1.Result.Marshal()...)
input = append(input, proof_T2.Result.Marshal()...)
x = reducedhash(input)
}
//klog.V(2).Infof("x %s\n", x.Text(16))
//evalCommit := polyCommitment.Evaluate(x)
//klog.V(2).Infof("evalCommit.X %s\n", j, evalCommit.X.Text(16))
//klog.V(2).Infof("evalCommit.R %s\n", j, evalCommit.R.Text(16))
//proof.that = evalCommit.X
xsquare := new(big.Int).Mod(new(big.Int).Mul(x, x), bn256.Order)
proof.that = tPolyCoefficients[0]
proof.that = new(big.Int).Mod(new(big.Int).Add(proof.that, new(big.Int).Mod(new(big.Int).Mul(tPolyCoefficients[1], x), bn256.Order)), bn256.Order)
proof.that = new(big.Int).Mod(new(big.Int).Add(proof.that, new(big.Int).Mod(new(big.Int).Mul(tPolyCoefficients[2], xsquare), bn256.Order)), bn256.Order)
/*
accumulator := new(big.Int).Set(x)
for i := 1; i < 3; i++ {
tmp := new(big.Int).Set(accumulator)
proof.that = proof.that.Add(new(bn256.G1).Set(proof.that), tPolyCoefficients[i].Times(accumulator))
accumulator.Mod(new(big.Int).Mul(tmp, x), bn256.Order)
}
*/
//klog.V(2).Infof("evalCommit.that %s\n", proof.that.Text(16))
//tauX := evalCommit.R
tauX_left := new(big.Int).Mod(new(big.Int).Mul(proof_T1.Randomness, x), bn256.Order)
tauX_right := new(big.Int).Mod(new(big.Int).Mul(proof_T2.Randomness, xsquare), bn256.Order)
tauX := new(big.Int).Mod(new(big.Int).Add(tauX_left, tauX_right), bn256.Order)
proof.mu = new(big.Int).Mod(new(big.Int).Mul(proof_BS_internal.Randomness, x), bn256.Order)
proof.mu.Add(proof.mu, proof_BA_internal.Randomness)
proof.mu.Mod(proof.mu, bn256.Order)
//klog.V(2).Infof("proof.mu %s\n", proof.mu.Text(16))
var CrnR, y_0R, y_XR bn256.G1
// var gR bn256.G1
CrnR.ScalarMult(params.G, new(big.Int))
y_0R.ScalarMult(params.G, new(big.Int))
y_XR.ScalarMult(params.G, new(big.Int))
//DR.ScalarMult(params.G, new(big.Int))
//gR.ScalarMult(params.G, new(big.Int))
CnR := ConstructElGamal(nil, ElGamal_ZERO) // only right side is needer
chi_bigint := new(big.Int).SetUint64(0)
psi_bigint := new(big.Int).SetUint64(0)
C_XR := ConstructElGamal(nil, ElGamal_ZERO) // only right side is needer
var p_, q_ []*big.Int
for i := 0; i < N; i++ {
p_ = append(p_, new(big.Int))
q_ = append(q_, new(big.Int))
}
p := NewFieldVector(p_)
q := NewFieldVector(q_)
wPow := new(big.Int).SetUint64(1) // already reduced
for i := 0; i < m; i++ {
{
CnR = CnR.Add(phi.vector[i].Neg().Mul(wPow))
}
{
mm := new(big.Int).Mod(new(big.Int).Mul(chi.vector[i].Randomness, wPow), bn256.Order)
chi_bigint = new(big.Int).Mod(new(big.Int).Add(chi_bigint, mm), bn256.Order)
}
{
mm := new(big.Int).Mod(new(big.Int).Mul(psi.vector[i].Randomness, wPow), bn256.Order)
psi_bigint = new(big.Int).Mod(new(big.Int).Add(psi_bigint, mm), bn256.Order)
}
/* {
tmp := new(bn256.G1)
mm := new(big.Int).Mod(new(big.Int).Neg(chi.vector[i]), bn256.Order)
mm = mm.Mod(new(big.Int).Mul(mm, wPow), bn256.Order)
tmp.ScalarMult(params.G, mm)
DR.Add(new(bn256.G1).Set(&DR), tmp)
}
{
tmp := new(bn256.G1)
mm := new(big.Int).Mod(new(big.Int).Neg(psi.vector[i]), bn256.Order)
mm = mm.Mod(new(big.Int).Mul(mm, wPow), bn256.Order)
tmp.ScalarMult(s.Publickeylist[witness.Index[0]], mm)
y_0R.Add(new(bn256.G1).Set(&y_0R), tmp)
}
*/
/*
{
tmp := new(bn256.G1)
mm := new(big.Int).Mod(new(big.Int).Neg(psi.vector[i]), bn256.Order)
mm = mm.Mod(new(big.Int).Mul(mm, wPow), bn256.Order)
tmp.ScalarMult(params.G, mm)
gR.Add(new(bn256.G1).Set(&gR), tmp)
}
{
tmp := new(bn256.G1)
tmp.ScalarMult(proof.y_XG[i], new(big.Int).Neg(wPow))
y_XR.Add(new(bn256.G1).Set(&y_XR), tmp)
}
*/
{
C_XR = C_XR.Add(C_XG[i].Neg().Mul(wPow))
}
//fmt.Printf("y_XG[%d] %s\n",i, proof.y_XG[i].String())
//fmt.Printf("C_XG[%d] %s\n",i, C_XG[i].Right.String())
//fmt.Printf("G %s\n",G.String())
//fmt.Printf("elgamalG %s\n",C_XG[0].G.String())
p = p.Add(NewFieldVector(P[i]).Times(wPow))
q = q.Add(NewFieldVector(Q[i]).Times(wPow))
wPow = new(big.Int).Mod(new(big.Int).Mul(wPow, w), bn256.Order)
// klog.V(2).Infof("wPow %s\n", wPow.Text(16))
}
CnR = CnR.Add(Cn.vector[witness.Index[0]].Mul(wPow))
//for i := range CnR{
// proof.CLnG = append(proof.CLnG, CnR[i].Left)
// proof.CRnG = append(proof.CRnG, CnR[i].Right)
//}
//CrnR.Add(new(bn256.G1).Set(&CrnR), new(bn256.G1).ScalarMult(s.CRn[witness.Index[0]], wPow))
//y_0R.Add(new(bn256.G1).Set(&y_0R), new(bn256.G1).ScalarMult(s.Publickeylist[witness.Index[0]], wPow))
//DR.Add(new(bn256.G1).Set(&DR), new(bn256.G1).ScalarMult(s.D, wPow))
DR := new(bn256.G1).ScalarMult(C[0].Right, wPow)
DR = new(bn256.G1).Add(new(bn256.G1).Set(DR), new(bn256.G1).ScalarMult(global_pedersen_values.G, new(big.Int).Mod(new(big.Int).Neg(chi_bigint), bn256.Order)))
gR := new(bn256.G1).ScalarMult(global_pedersen_values.G, new(big.Int).Mod(new(big.Int).Sub(wPow, psi_bigint), bn256.Order))
//gR.Add(new(bn256.G1).Set(&gR), new(bn256.G1).ScalarMult(params.G, wPow))
var p__, q__ []*big.Int
for i := 0; i < N; i++ {
if i == witness.Index[0] {
p__ = append(p__, new(big.Int).Set(wPow))
} else {
p__ = append(p__, new(big.Int))
}
if i == witness.Index[1] {
q__ = append(q__, new(big.Int).Set(wPow))
} else {
q__ = append(q__, new(big.Int))
}
}
p = p.Add(NewFieldVector(p__))
q = q.Add(NewFieldVector(q__))
// klog.V(2).Infof("CrnR %s\n", CrnR.String())
// klog.V(2).Infof("DR %s\n", DR.String())
// klog.V(2).Infof("y_0R %s\n", y_0R.String())
// klog.V(2).Infof("gR %s\n", gR.String())
// klog.V(2).Infof("y_XR %s\n", y_XR.String())
// for i := range p.vector {
// klog.V(2).Infof("p %d %s \n", i, p.vector[i].Text(16))
// }
// for i := range q.vector {
// klog.V(2).Infof("q %d %s \n", i, q.vector[i].Text(16))
// }
y_p := Convolution(p, NewPointVector(s.Publickeylist))
y_q := Convolution(q, NewPointVector(s.Publickeylist))
// for i := range y_p.vector {
// klog.V(2).Infof("y_p %d %s \n", i, y_p.vector[i].String())
// }
// for i := range y_q.vector {
// klog.V(2).Infof("y_q %d %s \n", i, y_q.vector[i].String())
// }
vPow = new(big.Int).SetUint64(1) // already reduced
for i := 0; i < N; i++ {
ypoly := y_p
if i%2 == 1 {
ypoly = y_q
}
y_XR.Add(new(bn256.G1).Set(&y_XR), new(bn256.G1).ScalarMult(ypoly.vector[i/2], vPow))
C_XR = C_XR.Add(ConstructElGamal(nil, new(bn256.G1).ScalarMult(ypoly.vector[i/2], vPow)))
//fmt.Printf("y_XR[%d] %s\n",i, y_XR.String())
//fmt.Printf("C_XR[%d] %s\n",i, C_XR.Right.String())
if i > 0 {
vPow = new(big.Int).Mod(new(big.Int).Mul(vPow, v), bn256.Order)
}
}
// klog.V(2).Infof("y_XR %s\n", y_XR.String())
// klog.V(2).Infof("vPow %s\n", vPow.Text(16))
// klog.V(2).Infof("v %s\n", v.Text(16))
k_sk := RandomScalarFixed()
k_r := RandomScalarFixed()
k_b := RandomScalarFixed()
k_tau := RandomScalarFixed()
A_y := new(bn256.G1).ScalarMult(gR, k_sk)
A_D := new(bn256.G1).ScalarMult(params.G, k_r)
A_b := new(bn256.G1).ScalarMult(params.G, k_b)
t1 := new(bn256.G1).ScalarMult(CnR.Right, zs[1])
d1 := new(bn256.G1).ScalarMult(DR, new(big.Int).Mod(new(big.Int).Neg(zs[0]), bn256.Order))
d1 = new(bn256.G1).Add(d1, t1)
d1 = new(bn256.G1).ScalarMult(d1, k_sk)
A_b = new(bn256.G1).Add(A_b, d1)
A_X := new(bn256.G1).ScalarMult(C_XR.Right, k_r)
A_t := new(bn256.G1).ScalarMult(params.G, new(big.Int).Mod(new(big.Int).Neg(k_b), bn256.Order))
A_t = new(bn256.G1).Add(A_t, new(bn256.G1).ScalarMult(params.H, k_tau))
A_u := new(bn256.G1)
{
var input []byte
input = append(input, []byte(PROTOCOL_CONSTANT)...)
input = append(input, s.Roothash[:]...)
scid_index_str := strconv.Itoa(scid_index)
input = append(input, scid[:]...)
input = append(input, scid_index_str...)
point := HashToPoint(HashtoNumber(input))
A_u = new(bn256.G1).ScalarMult(point, k_sk)
}
// klog.V(2).Infof("A_y %s\n", A_y.String())
// klog.V(2).Infof("A_D %s\n", A_D.String())
// klog.V(2).Infof("A_b %s\n", A_b.String())
// klog.V(2).Infof("A_X %s\n", A_X.String())
// klog.V(2).Infof("A_t %s\n", A_t.String())
// klog.V(2).Infof("A_u %s\n", A_u.String())
{
var input []byte
input = append(input, ConvertBigIntToByte(x)...)
input = append(input, A_y.Marshal()...)
input = append(input, A_D.Marshal()...)
input = append(input, A_b.Marshal()...)
input = append(input, A_X.Marshal()...)
input = append(input, A_t.Marshal()...)
input = append(input, A_u.Marshal()...)
proof.c = reducedhash(input)
}
proof.s_sk = new(big.Int).Mod(new(big.Int).Mul(proof.c, witness.SecretKey), bn256.Order)
proof.s_sk = new(big.Int).Mod(new(big.Int).Add(proof.s_sk, k_sk), bn256.Order)
proof.s_r = new(big.Int).Mod(new(big.Int).Mul(proof.c, witness.R), bn256.Order)
proof.s_r = new(big.Int).Mod(new(big.Int).Add(proof.s_r, k_r), bn256.Order)
// proof_c_neg := new(big.Int).Mod(new(big.Int).Neg(proof.c), bn256.Order)
// dummyA_X := new(bn256.G1).ScalarMult(&y_XR, proof.s_r) //, new(bn256.G1).ScalarMult(anonsupport.C_XR, proof_c_neg) )
// klog.V(2).Infof("dummyA_X %s\n", dummyA_X.String())
// klog.V(2).Infof("s_r %s\n", proof.s_r.Text(16))
// klog.V(2).Infof("C %s\n", proof.c.Text(16))
// klog.V(2).Infof("C_neg %s\n", proof_c_neg.Text(16))
w_transfer := new(big.Int).Mod(new(big.Int).Mul(new(big.Int).SetUint64(uint64(witness.TransferAmount)), zs[0]), bn256.Order)
w_balance := new(big.Int).Mod(new(big.Int).Mul(new(big.Int).SetUint64(uint64(witness.Balance)), zs[1]), bn256.Order)
w_tmp := new(big.Int).Mod(new(big.Int).Add(w_transfer, w_balance), bn256.Order)
w_tmp = new(big.Int).Mod(new(big.Int).Mul(w_tmp, wPow), bn256.Order)
w_tmp = new(big.Int).Mod(new(big.Int).Mul(w_tmp, proof.c), bn256.Order)
proof.s_b = new(big.Int).Mod(new(big.Int).Add(w_tmp, k_b), bn256.Order)
proof.s_tau = new(big.Int).Mod(new(big.Int).Mul(tauX, wPow), bn256.Order)
proof.s_tau = new(big.Int).Mod(new(big.Int).Mul(proof.s_tau, proof.c), bn256.Order)
proof.s_tau = new(big.Int).Mod(new(big.Int).Add(proof.s_tau, k_tau), bn256.Order)
// klog.V(2).Infof("proof.c %s\n", proof.c.Text(16))
// klog.V(2).Infof("proof.s_sk %s\n", proof.s_sk.Text(16))
// klog.V(2).Infof("proof.s_r %s\n", proof.s_r.Text(16))
// klog.V(2).Infof("proof.s_b %s\n", proof.s_b.Text(16))
// klog.V(2).Infof("proof.s_tau %s\n", proof.s_tau.Text(16))
o := reducedhash(ConvertBigIntToByte(proof.c))
pvector := NewPedersenVectorCommitment()
pvector.H = new(bn256.G1).ScalarMult(pvector.H, o)
pvector.Hs = pvector.Hs.Hadamard(ys.Invert().vector)
pvector.gvalues = lPoly.Evaluate(x)
pvector.hvalues = rPoly.Evaluate(x)
proof.ip = NewInnerProductProofNew(pvector, o)
/*
u_x := new(bn256.G1).ScalarMult(params.G, o)
P1 = new(bn256.G1).Add(P1, new(bn256.G1).ScalarMult(u_x, proof.that))
klog.V(2).Infof("o %s\n", o.Text(16))
klog.V(2).Infof("x %s\n", x.Text(16))
klog.V(2).Infof("u_x %s\n", u_x.String())
klog.V(2).Infof("p %s\n", P1.String())
klog.V(2).Infof("hPrimes length %d\n", len(hPrimes.vector))
primebase := NewGeneratorParams3(u_x, params.Gs, hPrimes) // trigger sigma protocol
ipstatement := &IPStatement{PrimeBase: primebase, P: P1}
ipwitness := &IPWitness{L: lPoly.Evaluate(x), R: rPoly.Evaluate(x)}
for i := range ipwitness.L.vector {
klog.V(2).Infof("L %d %s \n", i, ipwitness.L.vector[i].Text(16))
}
for i := range ipwitness.R.vector {
klog.V(2).Infof("R %d %s \n", i, ipwitness.R.vector[i].Text(16))
}
proof.ip = NewInnerProductProof(ipstatement, ipwitness, o)
*/
return &proof
}
Reference in New Issue Copy Permalink