Merge pull request #32 from miha-stopar/zkp-package

ZKPs moved into crypto/zkp.

README.md

@@ -36,9 +36,11 @@ $ go test -v test/*.go
 
 # Currently supported crypto primitives
 
-The crypto primitives and schemes (primitives combined in some more complex protocol) supported by Emmy are listed in the table below.
+The crypto primitives and schemes (schemes are primitives combined in some more complex protocol) supported by emmy are listed in the table below.
+ZKP primitives and schemes are collected in `crypto/zkp/primitives` and `crypto/zkp/schemes` respectively.
+Each of the ZKP primitives contains a function (at the beginning of the file) which demonstrates how proof should be executed. Client-server communication via gRPC which enable execution of ZKPs over the internet is in `client` and `server` packages.
 
-Note that the ones not ticked are implemented, but without client-server communication via gRPC. 
+Note that the primitives not ticked are implemented, but without client-server communication via gRPC. 
 Primitives are meant to be used in schemes (like Schnorr, DLogEquality and others in Pseudonymsys) and communication messages for primitives are implemented there 
 (different schemes might require slightly different messages).
 
@@ -244,4 +246,8 @@ On the other hand, we can provide `emmy client` with the following flags:
 
 [8] Cramer, Ronald, Ivan Damgård, and Berry Schoenmakers. "Proofs of partial knowledge and simplified design of witness hiding protocols." Advances in Cryptology—CRYPTO’94. Springer Berlin/Heidelberg, 1994.
 
-[9] Cramer, Ronald, and Ivan Damgård. "Zero-knowledge proofs for finite field arithmetic, or: Can zero-knowledge be for free?." Advances in Cryptology—CRYPTO'98. Springer Berlin/Heidelberg, 1998.
+<<<<<<< ff6d3f9efa6e71f3c011d0e7ac5bc05bf2906e1d
+[9] Cramer, Ronald, and Ivan Damgård. "Zero-knowledge proofs for finite field arithmetic, or: Can zero-knowledge be for free?." Advances in Cryptology—CRYPTO'98. Springer Berlin/Heidelberg, 1998.
+=======
+[9] Cramer, Ronald, and Ivan Damgård. "Zero-knowledge proofs for finite field arithmetic, or: Can zero-knowledge be for free?." Advances in Cryptology—CRYPTO'98. Springer Berlin/Heidelberg, 1998.
+>>>>>>> ZKPs moved to crypto/zkp.

client/pseudonymsys.go

@@ -22,8 +22,8 @@ import (
 	"github.com/xlab-si/emmy/config"
 	"github.com/xlab-si/emmy/crypto/common"
 	"github.com/xlab-si/emmy/crypto/dlog"
-	"github.com/xlab-si/emmy/crypto/dlogproofs"
-	"github.com/xlab-si/emmy/crypto/pseudonymsys"
+	"github.com/xlab-si/emmy/crypto/zkp/primitives/dlogproofs"
+	"github.com/xlab-si/emmy/crypto/zkp/schemes/pseudonymsys"
 	pb "github.com/xlab-si/emmy/protobuf"
 	"github.com/xlab-si/emmy/types"
 	"google.golang.org/grpc"

client/pseudonymsys_ca.go

@@ -19,8 +19,8 @@ package client
 
 import (
 	"github.com/xlab-si/emmy/config"
-	"github.com/xlab-si/emmy/crypto/dlogproofs"
-	"github.com/xlab-si/emmy/crypto/pseudonymsys"
+	"github.com/xlab-si/emmy/crypto/zkp/primitives/dlogproofs"
+	"github.com/xlab-si/emmy/crypto/zkp/schemes/pseudonymsys"
 	pb "github.com/xlab-si/emmy/protobuf"
 	"github.com/xlab-si/emmy/types"
 	"google.golang.org/grpc"

client/pseudonymsys_ca_ec.go

@@ -19,8 +19,8 @@ package client
 
 import (
 	"github.com/xlab-si/emmy/crypto/dlog"
-	"github.com/xlab-si/emmy/crypto/dlogproofs"
-	"github.com/xlab-si/emmy/crypto/pseudonymsys"
+	"github.com/xlab-si/emmy/crypto/zkp/primitives/dlogproofs"
+	"github.com/xlab-si/emmy/crypto/zkp/schemes/pseudonymsys"
 	pb "github.com/xlab-si/emmy/protobuf"
 	"github.com/xlab-si/emmy/types"
 	"google.golang.org/grpc"

client/pseudonymsys_ec.go

@@ -21,8 +21,8 @@ import (
 	"errors"
 	"github.com/xlab-si/emmy/crypto/common"
 	"github.com/xlab-si/emmy/crypto/dlog"
-	"github.com/xlab-si/emmy/crypto/dlogproofs"
-	"github.com/xlab-si/emmy/crypto/pseudonymsys"
+	"github.com/xlab-si/emmy/crypto/zkp/primitives/dlogproofs"
+	"github.com/xlab-si/emmy/crypto/zkp/schemes/pseudonymsys"
 	pb "github.com/xlab-si/emmy/protobuf"
 	"github.com/xlab-si/emmy/types"
 	"google.golang.org/grpc"

client/qnr.go

@@ -21,7 +21,7 @@ import (
 	"errors"
 	"fmt"
 	"github.com/xlab-si/emmy/crypto/dlog"
-	"github.com/xlab-si/emmy/crypto/qrproofs"
+	"github.com/xlab-si/emmy/crypto/zkp/primitives/qrproofs"
 	pb "github.com/xlab-si/emmy/protobuf"
 	"github.com/xlab-si/emmy/types"
 	"google.golang.org/grpc"

client/qr.go

@@ -19,7 +19,7 @@ package client
 
 import (
 	"github.com/xlab-si/emmy/crypto/dlog"
-	"github.com/xlab-si/emmy/crypto/qrproofs"
+	"github.com/xlab-si/emmy/crypto/zkp/primitives/qrproofs"
 	pb "github.com/xlab-si/emmy/protobuf"
 	"google.golang.org/grpc"
 	"math/big"

client/schnorr.go

@@ -20,7 +20,7 @@ package client
 import (
 	"fmt"
 	"github.com/xlab-si/emmy/crypto/dlog"
-	"github.com/xlab-si/emmy/crypto/dlogproofs"
+	"github.com/xlab-si/emmy/crypto/zkp/primitives/dlogproofs"
 	pb "github.com/xlab-si/emmy/protobuf"
 	"github.com/xlab-si/emmy/types"
 	"google.golang.org/grpc"

client/schnorr_ec.go

@@ -20,7 +20,7 @@ package client
 import (
 	"fmt"
 	"github.com/xlab-si/emmy/crypto/dlog"
-	"github.com/xlab-si/emmy/crypto/dlogproofs"
+	"github.com/xlab-si/emmy/crypto/zkp/primitives/dlogproofs"
 	pb "github.com/xlab-si/emmy/protobuf"
 	"github.com/xlab-si/emmy/types"
 	"google.golang.org/grpc"

crypto/zkp/primitives/commitments/q_one_way_multiplication.go → crypto/zkp/primitives/commitments/rsa_based.go

@@ -19,16 +19,91 @@ package commitmentzkp
 
 import (
 	"github.com/xlab-si/emmy/crypto/common"
+	"github.com/xlab-si/emmy/crypto/commitments"
 	"github.com/xlab-si/emmy/types"
+	"github.com/xlab-si/emmy/crypto/zkp/primitives/preimage"
 	"math/big"
 )
 
+// ProveBitCommitment demonstrates how committer can prove that a commitment contains
+// 0 or 1. This is achieved by using PartialPreimageProver.
+func ProveBitCommitment() (bool, error) {
+	receiver, err := commitments.NewRSABasedCommitReceiver(1024)
+	if err != nil {
+		return false, err
+	}
+
+	committer, err := commitments.NewRSABasedCommitter(receiver.Homomorphism, receiver.HomomorphismInv,
+		receiver.H, receiver.Q, receiver.Y)
+	if err != nil {
+		return false, err
+	}
+
+	u1, _ := committer.GetCommitMsg(big.NewInt(0))
+	// commitment contains 0: u1 = commitment(0)
+	// if we would like to have a commitment that contains 1, we
+	// need to use u1 = Y^(-1) * c where c is committer.GetCommitMsg(big.NewInt(1))
+	_, v1 := committer.GetDecommitMsg() // v1 is a random r used in commitment: c = Y^a * r^q mod N
+
+	// receiver.RSA.E is Q
+	u2 := committer.H.GetRandomElement()
+
+	prover := preimage.NewPartialPreimageProver(committer.Homomorphism, committer.H,
+		committer.Q, v1, u1, u2)
+	verifier := preimage.NewPartialPreimageVerifier(receiver.Homomorphism, receiver.H,
+		receiver.Q)
+
+	pair1, pair2 := prover.GetProofRandomData()
+
+	verifier.SetProofRandomData(pair1, pair2)
+	challenge := verifier.GetChallenge()
+
+	c1, z1, c2, z2 := prover.GetProofData(challenge)
+	verified := verifier.Verify(c1, z1, c2, z2)
+
+	return verified, nil
+}
+
 // ProveCommitmentMultiplication demonstrates how, given commitments A, B, C, prover can
-// prove that C = A * B. Note that commitments need to be based on q-one-way homomorphism
-// (see RSABasedCommitter which is q-one-way homomorphism based).
-func ProveCommitmentMultiplication(homomorphism func(*big.Int) *big.Int, homomorphismInv func(*big.Int) *big.Int,
-	H common.Group, Q *big.Int, Y *big.Int, commitments *types.Triple, committedValues *types.Pair,
-	randomValues *types.Triple, t *big.Int) bool {
+// prove that C = A * B. Note that the proof should work also for other commitments that are based
+// on q-one-way homomorphism, not only for RSABasedCommitter.
+func ProveCommitmentMultiplication() (bool, error) {
+		receiver, err := commitments.NewRSABasedCommitReceiver(1024)
+	if err != nil {
+		return false, err
+	}
+
+	committer, err := commitments.NewRSABasedCommitter(receiver.Homomorphism, receiver.HomomorphismInv,
+		receiver.H, receiver.Q, receiver.Y)
+	if err != nil {
+		return false, err
+	}
+
+	a := common.GetRandomInt(committer.Q)
+	b := common.GetRandomInt(committer.Q)
+	A, err1 := committer.GetCommitMsg(a)
+	_, r := committer.GetDecommitMsg()
+	B, err2 := committer.GetCommitMsg(b)
+	_, u := committer.GetDecommitMsg()
+	// this management of commitments and decommitments is awkward,
+	// see TODO in pedersen.go about refactoring commitment schemes API
+
+	c := new(big.Int).Mul(a, b)
+	c.Mod(c, committer.Q) // c = a * b mod Q
+	C, o, t := committer.GetCommitmentToMultiplication(a, b, u)
+	if err1 != nil || err2 != nil {
+		return false, err
+	}
+
+	homomorphism := committer.Homomorphism
+	homomorphismInv := receiver.HomomorphismInv
+	H := committer.H
+	Q := committer.Q
+	Y := committer.Y
+	commitments := types.NewTriple(A, B, C)
+	committedValues := types.NewPair(a, b)
+	randomValues := types.NewTriple(r, u, o)
+
 	prover := NewQOneWayMultiplicationProver(homomorphism, homomorphismInv, H, Q, Y,
 		commitments, committedValues, randomValues, t)
 	verifier := NewQOneWayMultiplicationVerifier(homomorphism, H, Q, Y, commitments)
@@ -40,7 +115,7 @@ func ProveCommitmentMultiplication(homomorphism func(*big.Int) *big.Int, homomor
 	z1, w1, w2, z2, w3 := prover.GetProofData(challenge)
 	proved := verifier.Verify(z1, w1, w2, z2, w3)
 
-	return proved
+	return proved, nil
 }
 
 type QOneWayMultiplicationProver struct {

crypto/dlogproofs/dlog_equality.go → crypto/zkp/primitives/dlogproofs/dlog_equality.go

@@ -23,8 +23,9 @@ import (
 	"math/big"
 )
 
-func RunDLogEquality(secret, g1, g2, t1, t2 *big.Int, dlog *dlog.ZpDLog) bool {
-	// no wrappers at the moment, because messages handling will be refactored
+// ProveDLogEquality demonstrates how prover can prove the knowledge of log_g1(t1), log_g2(t2) and
+// that log_g1(t1) = log_g2(t2).
+func ProveDLogEquality(secret, g1, g2, t1, t2 *big.Int, dlog *dlog.ZpDLog) bool {
 	eProver := NewDLogEqualityProver(dlog)
 	eVerifier := NewDLogEqualityVerifier(dlog)
 

crypto/dlogproofs/dlog_equality_blinded_transcript.go → crypto/zkp/primitives/dlogproofs/dlog_equality_blinded_transcript.go

@@ -23,9 +23,9 @@ import (
 	"math/big"
 )
 
-// Verifies that the blinded transcript is valid. That means the knowledge of log_g1(t1), log_G2(T2)
-// and log_g1(t1) = log_G2(T2). Note that G2 = g2^gamma, T2 = t2^gamma where gamma was chosen
-// by verifier.
+// VerifyBlindedTranscript demonstrates how the prover can prove that the blinded transcript is valid.
+// That means the knowledge of log_g1(t1), log_G2(T2) and log_g1(t1) = log_G2(T2).
+// Note that G2 = g2^gamma, T2 = t2^gamma where gamma was chosen by verifier.
 func VerifyBlindedTranscript(transcript []*big.Int, dlog *dlog.ZpDLog, g1, t1, G2, T2 *big.Int) bool {
 	// Transcript should be in the following form: [alpha1, beta1, hash(alpha1, beta1), z+alpha]
 

crypto/dlogproofs/dlog_equality_blinded_transcript_ec.go → crypto/zkp/primitives/dlogproofs/dlog_equality_blinded_transcript_ec.go

@@ -24,9 +24,9 @@ import (
 	"math/big"
 )
 
-// Verifies that the blinded transcript is valid. That means the knowledge of log_g1(t1), log_G2(T2)
-// and log_g1(t1) = log_G2(T2). Note that G2 = g2^gamma, T2 = t2^gamma where gamma was chosen
-// by verifier.
+// VerifyBlindedTranscriptEC demonstrates how the prover can prove that the blinded transcript is valid.
+// That means the knowledge of log_g1(t1), log_G2(T2) and log_g1(t1) = log_G2(T2) in EC group.
+// Note that G2 = g2^gamma, T2 = t2^gamma where gamma was chosen by verifier.
 func VerifyBlindedTranscriptEC(transcript []*big.Int, curve dlog.Curve,
 	g1, t1, G2, T2 *types.ECGroupElement) bool {
 	dlog := dlog.NewECDLog(curve)

crypto/dlogproofs/dlog_equality_ec.go → crypto/zkp/primitives/dlogproofs/dlog_equality_ec.go

@@ -24,7 +24,9 @@ import (
 	"math/big"
 )
 
-func RunECDLogEquality(secret *big.Int, g1, g2, t1, t2 *types.ECGroupElement,
+// ProveECDLogEquality demonstrates how prover can prove the knowledge of log_g1(t1), log_g2(t2) and
+// that log_g1(t1) = log_g2(t2) in EC group.
+func ProveECDLogEquality(secret *big.Int, g1, g2, t1, t2 *types.ECGroupElement,
 	curve dlog.Curve) bool {
 	eProver := NewECDLogEqualityProver(curve)
 	eVerifier := NewECDLogEqualityVerifier(curve)

crypto/dlogproofs/partial_dlog_knowledge_ec.go → crypto/zkp/primitives/dlogproofs/partial_dlog_knowledge_ec.go

@@ -24,6 +24,8 @@ import (
 	"math/big"
 )
 
+// ProvePartialECDLogKnowledge demonstrates how prover can prove that he knows dlog_a2(b2) and
+// the verifier does not know whether knowledge of dlog_a1(b1) or knowledge of dlog_a2(b2) was proved.
 func ProvePartialECDLogKnowledge(dlog *dlog.ECDLog, secret1 *big.Int,
 	a1, a2, b2 *types.ECGroupElement) bool {
 	prover := NewPartialECDLogProver(dlog)

crypto/dlogproofs/schnorr.go → crypto/zkp/primitives/dlogproofs/schnorr.go

@@ -25,6 +25,23 @@ import (
 	"math/big"
 )
 
+// ProveDLogKnowledge demonstrates how prover can prove the knowledge of log_g1(t1) - that
+// means g1^secret = t1.
+func ProveDLogKnowledge(secret, g1, t1 *big.Int, dlog *dlog.ZpDLog) bool {
+	prover := NewSchnorrProver(dlog, types.Sigma)
+	verifier := NewSchnorrVerifier(dlog, types.Sigma)
+
+	x := prover.GetProofRandomData(secret, g1)
+	verifier.SetProofRandomData(x, g1, t1)
+
+	challenge, _ := verifier.GetChallenge()
+	z, _ := prover.GetProofData(challenge)
+	verified := verifier.Verify(z, nil)
+	return verified
+}
+
+// TODO: demonstrator for ZKP and ZKPOK
+
 // Proving that it knows w such that g^w = h (mod p).
 type SchnorrProver struct {
 	DLog             *dlog.ZpDLog

crypto/dlogproofs/schnorr_ec.go → crypto/zkp/primitives/dlogproofs/schnorr_ec.go

@@ -25,6 +25,27 @@ import (
 	"math/big"
 )
 
+// ProveECDLogKnowledge demonstrates how prover can prove the knowledge of log_g1(t1) - that
+// means g1^secret = t1 in EC group.
+func ProveECDLogKnowledge(secret *big.Int, g1, t1 *types.ECGroupElement, curve dlog.Curve) (bool, error) {
+	prover, err := NewSchnorrECProver(curve, types.Sigma)
+	if err != nil {
+		return false, err
+	}
+	verifier := NewSchnorrECVerifier(curve, types.Sigma)
+
+	x := prover.GetProofRandomData(secret, g1)
+	verifier.SetProofRandomData(x, g1, t1)
+
+	challenge, _ := verifier.GetChallenge()
+	z, _ := prover.GetProofData(challenge)
+	verified := verifier.Verify(z, nil)
+	return verified, nil
+}
+
+// TODO: demonstrator for ZKP and ZKPOK
+
+
 // Note that this is zero knowledge proof (contructed from sigma protocol) -
 // this is protocol 6.5.1 from Hazay-Lindell.
 //