Introduce Transcript and TranscriptEC structs

This commit introduces two new structs in the dlogproofs package; Transcript for modular arithmetic and TranscriptEC for elliptic curve arithmetic. This change greatly improves readability. In addition, it will allow us to easily achieve compatibility with types supported by go tools for creating language bindings. Resolves #33. Signed-off-by: Manca Bizjak <[email protected]>
xlab-si · Nov 2, 2017 · 4985d74 · 4985d74
1 parent 497fd02
commit 4985d74
Show file tree

Hide file tree

Showing 8 changed files with 127 additions and 98 deletions.
diff --git a/client/pseudonymsys.go b/client/pseudonymsys.go
@@ -248,16 +248,16 @@ func (c *PseudonymsysClient) TransferCredential(orgName string, userSecret *big.
 	x1, x2 := equalityProver.GetProofRandomData(userSecret, nym.A, credential.SmallAToGamma)
 
 	transcript1 := &pb.PseudonymsysTranscript{
-		A:      credential.T1[0].Bytes(),
-		B:      credential.T1[1].Bytes(),
-		Hash:   credential.T1[2].Bytes(),
-		ZAlpha: credential.T1[3].Bytes(),
+		A:      credential.T1.A.Bytes(),
+		B:      credential.T1.B.Bytes(),
+		Hash:   credential.T1.Hash.Bytes(),
+		ZAlpha: credential.T1.ZAlpha.Bytes(),
 	}
 	transcript2 := &pb.PseudonymsysTranscript{
-		A:      credential.T2[0].Bytes(),
-		B:      credential.T2[1].Bytes(),
-		Hash:   credential.T2[2].Bytes(),
-		ZAlpha: credential.T2[3].Bytes(),
+		A:      credential.T2.A.Bytes(),
+		B:      credential.T2.B.Bytes(),
+		Hash:   credential.T2.Hash.Bytes(),
+		ZAlpha: credential.T2.ZAlpha.Bytes(),
 	}
 	pbCredential := &pb.PseudonymsysCredential{
 		SmallAToGamma: credential.SmallAToGamma.Bytes(),

diff --git a/client/pseudonymsys_ec.go b/client/pseudonymsys_ec.go
@@ -272,20 +272,20 @@ func (c *PseudonymsysClientEC) TransferCredential(orgName string, userSecret *bi
 	x1, x2 := equalityProver.GetProofRandomData(userSecret, nym.A, credential.SmallAToGamma)
 
 	transcript1 := &pb.PseudonymsysTranscriptEC{
-		A: types.ToPbECGroupElement(types.NewECGroupElement(credential.T1[0],
-			credential.T1[1])),
-		B: types.ToPbECGroupElement(types.NewECGroupElement(credential.T1[2],
-			credential.T1[3])),
-		Hash:   credential.T1[4].Bytes(),
-		ZAlpha: credential.T1[5].Bytes(),
+		A: types.ToPbECGroupElement(types.NewECGroupElement(credential.T1.Alpha_1,
+			credential.T1.Alpha_2)),
+		B: types.ToPbECGroupElement(types.NewECGroupElement(credential.T1.Beta_1,
+			credential.T1.Beta_2)),
+		Hash:   credential.T1.Hash.Bytes(),
+		ZAlpha: credential.T1.ZAlpha.Bytes(),
 	}
 	transcript2 := &pb.PseudonymsysTranscriptEC{
-		A: types.ToPbECGroupElement(types.NewECGroupElement(credential.T2[0],
-			credential.T2[1])),
-		B: types.ToPbECGroupElement(types.NewECGroupElement(credential.T2[2],
-			credential.T2[3])),
-		Hash:   credential.T2[4].Bytes(),
-		ZAlpha: credential.T2[5].Bytes(),
+		A: types.ToPbECGroupElement(types.NewECGroupElement(credential.T2.Alpha_1,
+			credential.T2.Alpha_2)),
+		B: types.ToPbECGroupElement(types.NewECGroupElement(credential.T2.Beta_1,
+			credential.T2.Beta_2)),
+		Hash:   credential.T2.Hash.Bytes(),
+		ZAlpha: credential.T2.ZAlpha.Bytes(),
 	}
 	pbCredential := &pb.PseudonymsysCredentialEC{
 		SmallAToGamma: types.ToPbECGroupElement(credential.SmallAToGamma),

diff --git a/crypto/zkp/primitives/dlogproofs/dlog_equality_blinded_transcript.go b/crypto/zkp/primitives/dlogproofs/dlog_equality_blinded_transcript.go
@@ -23,28 +23,44 @@ import (
 	"math/big"
 )
 
-// VerifyBlindedTranscript demonstrates how the prover can prove that the blinded transcript is valid.
-// That means the knowledge of log_g1(t1), log_G2(T2) and log_g1(t1) = log_G2(T2).
-// Note that G2 = g2^gamma, T2 = t2^gamma where gamma was chosen by verifier.
-func VerifyBlindedTranscript(transcript []*big.Int, dlog *dlog.ZpDLog, g1, t1, G2, T2 *big.Int) bool {
+type Transcript struct {
+	A      *big.Int
+	B      *big.Int
+	Hash   *big.Int
+	ZAlpha *big.Int
+}
+
+func NewTranscript(a, b, hash, zAlpha *big.Int) *Transcript {
+	return &Transcript{
+		A:      a,
+		B:      b,
+		Hash:   hash,
+		ZAlpha: zAlpha,
+	}
+}
+
+// Verifies that the blinded transcript is valid. That means the knowledge of log_g1(t1), log_G2(T2)
+// and log_g1(t1) = log_G2(T2). Note that G2 = g2^gamma, T2 = t2^gamma where gamma was chosen
+// by verifier.
+func VerifyBlindedTranscript(transcript *Transcript, dlog *dlog.ZpDLog, g1, t1, G2, T2 *big.Int) bool {
 	// Transcript should be in the following form: [alpha1, beta1, hash(alpha1, beta1), z+alpha]
 
 	// check hash:
-	hashNum := common.Hash(transcript[0], transcript[1])
-	if hashNum.Cmp(transcript[2]) != 0 {
+	hashNum := common.Hash(transcript.A, transcript.B)
+	if hashNum.Cmp(transcript.Hash) != 0 {
 		return false
 	}
 
 	// We need to verify (note that c-beta = hash(alpha1, beta1))
 	// g1^(z+alpha) = alpha1 * t1^(c-beta)
 	// G2^(z+alpha) = beta1 * T2^(c-beta)
-	left1, _ := dlog.Exponentiate(g1, transcript[3])
-	right1, _ := dlog.Exponentiate(t1, transcript[2])
-	right1, _ = dlog.Multiply(transcript[0], right1)
+	left1, _ := dlog.Exponentiate(g1, transcript.ZAlpha)
+	right1, _ := dlog.Exponentiate(t1, transcript.Hash)
+	right1, _ = dlog.Multiply(transcript.A, right1)
 
-	left2, _ := dlog.Exponentiate(G2, transcript[3])
-	right2, _ := dlog.Exponentiate(T2, transcript[2])
-	right2, _ = dlog.Multiply(transcript[1], right2)
+	left2, _ := dlog.Exponentiate(G2, transcript.ZAlpha)
+	right2, _ := dlog.Exponentiate(T2, transcript.Hash)
+	right2, _ = dlog.Multiply(transcript.B, right2)
 
 	if left1.Cmp(right1) == 0 && left2.Cmp(right2) == 0 {
 		return true
@@ -104,8 +120,8 @@ type DLogEqualityBTranscriptVerifier struct {
 	x2         *big.Int
 	t1         *big.Int
 	t2         *big.Int
-	transcript []*big.Int
 	alpha      *big.Int
+	transcript *Transcript
 }
 
 func NewDLogEqualityBTranscriptVerifier(dlog *dlog.ZpDLog,
@@ -154,21 +170,17 @@ func (verifier *DLogEqualityBTranscriptVerifier) GetChallenge(g1, g2, t1, t2, x1
 	hashNum := common.Hash(alpha1, beta1)
 	challenge := new(big.Int).Add(hashNum, beta)
 	challenge.Mod(challenge, verifier.DLog.OrderOfSubgroup)
-	verifier.challenge = challenge
 
-	var transcript []*big.Int
-	transcript = append(transcript, alpha1)
-	transcript = append(transcript, beta1)
-	transcript = append(transcript, hashNum)
-	verifier.transcript = transcript
+	verifier.challenge = challenge
+	verifier.transcript = NewTranscript(alpha1, beta1, hashNum, nil)
 	verifier.alpha = alpha
 
 	return challenge
 }
 
 // It receives z = r + secret * challenge.
 //It returns true if g1^z = g1^r * (g1^secret) ^ challenge and g2^z = g2^r * (g2^secret) ^ challenge.
-func (verifier *DLogEqualityBTranscriptVerifier) Verify(z *big.Int) (bool, []*big.Int,
+func (verifier *DLogEqualityBTranscriptVerifier) Verify(z *big.Int) (bool, *Transcript,
 	*big.Int, *big.Int) {
 	left1, _ := verifier.DLog.Exponentiate(verifier.g1, z)
 	left2, _ := verifier.DLog.Exponentiate(verifier.g2, z)
@@ -181,7 +193,7 @@ func (verifier *DLogEqualityBTranscriptVerifier) Verify(z *big.Int) (bool, []*bi
 	// transcript [(alpha1, beta1), hash(alpha1, beta1), z+alpha]
 	// however, we are actually returning [alpha1, beta1, hash(alpha1, beta1), z+alpha]
 	z1 := new(big.Int).Add(z, verifier.alpha)
-	verifier.transcript = append(verifier.transcript, z1)
+	verifier.transcript.ZAlpha = z1
 
 	G2, _ := verifier.DLog.Exponentiate(verifier.g2, verifier.gamma)
 	T2, _ := verifier.DLog.Exponentiate(verifier.t2, verifier.gamma)

diff --git a/crypto/zkp/primitives/dlogproofs/dlog_equality_blinded_transcript_ec.go b/crypto/zkp/primitives/dlogproofs/dlog_equality_blinded_transcript_ec.go
@@ -24,31 +24,30 @@ import (
 	"math/big"
 )
 
-// VerifyBlindedTranscriptEC demonstrates how the prover can prove that the blinded transcript is valid.
-// That means the knowledge of log_g1(t1), log_G2(T2) and log_g1(t1) = log_G2(T2) in EC group.
-// Note that G2 = g2^gamma, T2 = t2^gamma where gamma was chosen by verifier.
-func VerifyBlindedTranscriptEC(transcript []*big.Int, curve dlog.Curve,
+// Verifies that the blinded transcript is valid. That means the knowledge of log_g1(t1), log_G2(T2)
+// and log_g1(t1) = log_G2(T2). Note that G2 = g2^gamma, T2 = t2^gamma where gamma was chosen
+// by verifier.
+func VerifyBlindedTranscriptEC(transcript *TranscriptEC, curve dlog.Curve,
 	g1, t1, G2, T2 *types.ECGroupElement) bool {
 	dlog := dlog.NewECDLog(curve)
-	// Transcript should be in the following form:
-	// [alpha11, alpha12, beta11, beta12, hash(alpha11, alpha12, beta11, beta12), z+alpha]
 
 	// check hash:
-	hashNum := common.Hash(transcript[0], transcript[1], transcript[2], transcript[3])
-	if hashNum.Cmp(transcript[4]) != 0 {
+	hashNum := common.Hash(transcript.Alpha_1, transcript.Alpha_2,
+		transcript.Beta_1, transcript.Beta_2)
+	if hashNum.Cmp(transcript.Hash) != 0 {
 		return false
 	}
 
 	// We need to verify (note that c-beta = hash(alpha11, alpha12, beta11, beta12))
 	// g1^(z+alpha) = (alpha11, alpha12) * t1^(c-beta)
 	// G2^(z+alpha) = (beta11, beta12) * T2^(c-beta)
-	left11, left12 := dlog.Exponentiate(g1.X, g1.Y, transcript[5])
-	right11, right12 := dlog.Exponentiate(t1.X, t1.Y, transcript[4])
-	right11, right12 = dlog.Multiply(transcript[0], transcript[1], right11, right12)
+	left11, left12 := dlog.Exponentiate(g1.X, g1.Y, transcript.ZAlpha)
+	right11, right12 := dlog.Exponentiate(t1.X, t1.Y, transcript.Hash)
+	right11, right12 = dlog.Multiply(transcript.Alpha_1, transcript.Alpha_2, right11, right12)
 
-	left21, left22 := dlog.Exponentiate(G2.X, G2.Y, transcript[5])
-	right21, right22 := dlog.Exponentiate(T2.X, T2.Y, transcript[4])
-	right21, right22 = dlog.Multiply(transcript[2], transcript[3], right21, right22)
+	left21, left22 := dlog.Exponentiate(G2.X, G2.Y, transcript.ZAlpha)
+	right21, right22 := dlog.Exponentiate(T2.X, T2.Y, transcript.Hash)
+	right21, right22 = dlog.Multiply(transcript.Beta_1, transcript.Beta_2, right21, right22)
 
 	if left11.Cmp(right11) == 0 && left12.Cmp(right12) == 0 &&
 		left21.Cmp(right21) == 0 && left22.Cmp(right22) == 0 {
@@ -58,6 +57,26 @@ func VerifyBlindedTranscriptEC(transcript []*big.Int, curve dlog.Curve,
 	}
 }
 
+type TranscriptEC struct {
+	Alpha_1 *big.Int
+	Alpha_2 *big.Int
+	Beta_1  *big.Int
+	Beta_2  *big.Int
+	Hash    *big.Int
+	ZAlpha  *big.Int
+}
+
+func NewTranscriptEC(alpha_1, alpha_2, beta_1, beta_2, hash, zAlpha *big.Int) *TranscriptEC {
+	return &TranscriptEC{
+		Alpha_1: alpha_1,
+		Alpha_2: alpha_2,
+		Beta_1:  beta_1,
+		Beta_2:  beta_2,
+		Hash:    hash,
+		ZAlpha:  zAlpha,
+	}
+}
+
 type ECDLogEqualityBTranscriptProver struct {
 	DLog   *dlog.ECDLog
 	r      *big.Int
@@ -110,8 +129,8 @@ type ECDLogEqualityBTranscriptVerifier struct {
 	x2         *types.ECGroupElement
 	t1         *types.ECGroupElement
 	t2         *types.ECGroupElement
-	transcript []*big.Int
 	alpha      *big.Int
+	transcript *TranscriptEC
 }
 
 func NewECDLogEqualityBTranscriptVerifier(curve dlog.Curve,
@@ -162,23 +181,17 @@ func (verifier *ECDLogEqualityBTranscriptVerifier) GetChallenge(g1, g2, t1, t2,
 	hashNum := common.Hash(alpha11, alpha12, beta11, beta12)
 	challenge := new(big.Int).Add(hashNum, beta)
 	challenge.Mod(challenge, verifier.DLog.OrderOfSubgroup)
-	verifier.challenge = challenge
 
-	var transcript []*big.Int
-	transcript = append(transcript, alpha11)
-	transcript = append(transcript, alpha12)
-	transcript = append(transcript, beta11)
-	transcript = append(transcript, beta12)
-	transcript = append(transcript, hashNum)
-	verifier.transcript = transcript
+	verifier.challenge = challenge
+	verifier.transcript = NewTranscriptEC(alpha11, alpha12, beta11, beta12, hashNum, nil)
 	verifier.alpha = alpha
 
 	return challenge
 }
 
 // It receives z = r + secret * challenge.
 //It returns true if g1^z = g1^r * (g1^secret) ^ challenge and g2^z = g2^r * (g2^secret) ^ challenge.
-func (verifier *ECDLogEqualityBTranscriptVerifier) Verify(z *big.Int) (bool, []*big.Int,
+func (verifier *ECDLogEqualityBTranscriptVerifier) Verify(z *big.Int) (bool, *TranscriptEC,
 	*types.ECGroupElement, *types.ECGroupElement) {
 	left11, left12 := verifier.DLog.Exponentiate(verifier.g1.X, verifier.g1.Y, z)
 	left21, left22 := verifier.DLog.Exponentiate(verifier.g2.X, verifier.g2.Y, z)
@@ -192,7 +205,7 @@ func (verifier *ECDLogEqualityBTranscriptVerifier) Verify(z *big.Int) (bool, []*
 	// however, we are actually returning:
 	// [alpha11, alpha12, beta11, beta12, hash(alpha11, alpha12, beta11, beta12), z+alpha]
 	z1 := new(big.Int).Add(z, verifier.alpha)
-	verifier.transcript = append(verifier.transcript, z1)
+	verifier.transcript.ZAlpha = z1
 
 	G21, G22 := verifier.DLog.Exponentiate(verifier.g2.X, verifier.g2.Y, verifier.gamma)
 	T21, T22 := verifier.DLog.Exponentiate(verifier.t2.X, verifier.t2.Y, verifier.gamma)

diff --git a/crypto/zkp/schemes/pseudonymsys/org_issue.go b/crypto/zkp/schemes/pseudonymsys/org_issue.go
@@ -30,12 +30,12 @@ type Credential struct {
 	SmallBToGamma *big.Int
 	AToGamma      *big.Int
 	BToGamma      *big.Int
-	T1            []*big.Int
-	T2            []*big.Int
+	T1            *dlogproofs.Transcript
+	T2            *dlogproofs.Transcript
 }
 
 func NewCredential(aToGamma, bToGamma, AToGamma, BToGamma *big.Int,
-	t1, t2 []*big.Int) *Credential {
+	t1, t2 *dlogproofs.Transcript) *Credential {
 	credential := &Credential{
 		SmallAToGamma: aToGamma,
 		SmallBToGamma: bToGamma,

diff --git a/crypto/zkp/schemes/pseudonymsys/org_issue_ec.go b/crypto/zkp/schemes/pseudonymsys/org_issue_ec.go
@@ -30,12 +30,12 @@ type CredentialEC struct {
 	SmallBToGamma *types.ECGroupElement
 	AToGamma      *types.ECGroupElement
 	BToGamma      *types.ECGroupElement
-	T1            []*big.Int
-	T2            []*big.Int
+	T1            *dlogproofs.TranscriptEC
+	T2            *dlogproofs.TranscriptEC
 }
 
 func NewCredentialEC(aToGamma, bToGamma, AToGamma, BToGamma *types.ECGroupElement,
-	t1, t2 []*big.Int) *CredentialEC {
+	t1, t2 *dlogproofs.TranscriptEC) *CredentialEC {
 	credential := &CredentialEC{
 		SmallAToGamma: aToGamma,
 		SmallBToGamma: bToGamma,

diff --git a/server/pseudonymsys.go b/server/pseudonymsys.go
@@ -19,6 +19,7 @@ package server
 
 import (
 	"github.com/xlab-si/emmy/config"
+	"github.com/xlab-si/emmy/crypto/zkp/primitives/dlogproofs"
 	"github.com/xlab-si/emmy/crypto/zkp/schemes/pseudonymsys"
 	pb "github.com/xlab-si/emmy/protobuf"
 	"math/big"
@@ -178,17 +179,19 @@ func (s *Server) PseudonymsysTransferCredential(req *pb.Message, stream pb.Proto
 	nymA := new(big.Int).SetBytes(data.NymA)
 	nymB := new(big.Int).SetBytes(data.NymB)
 
-	t1 := make([]*big.Int, 4)
-	t1[0] = new(big.Int).SetBytes(data.Credential.T1.A)
-	t1[1] = new(big.Int).SetBytes(data.Credential.T1.B)
-	t1[2] = new(big.Int).SetBytes(data.Credential.T1.Hash)
-	t1[3] = new(big.Int).SetBytes(data.Credential.T1.ZAlpha)
-
-	t2 := make([]*big.Int, 4)
-	t2[0] = new(big.Int).SetBytes(data.Credential.T2.A)
-	t2[1] = new(big.Int).SetBytes(data.Credential.T2.B)
-	t2[2] = new(big.Int).SetBytes(data.Credential.T2.Hash)
-	t2[3] = new(big.Int).SetBytes(data.Credential.T2.ZAlpha)
+	t1 := dlogproofs.NewTranscript(
+		new(big.Int).SetBytes(data.Credential.T1.A),
+		new(big.Int).SetBytes(data.Credential.T1.B),
+		new(big.Int).SetBytes(data.Credential.T1.Hash),
+		new(big.Int).SetBytes(data.Credential.T1.ZAlpha),
+	)
+
+	t2 := dlogproofs.NewTranscript(
+		new(big.Int).SetBytes(data.Credential.T2.A),
+		new(big.Int).SetBytes(data.Credential.T2.B),
+		new(big.Int).SetBytes(data.Credential.T2.Hash),
+		new(big.Int).SetBytes(data.Credential.T2.ZAlpha),
+	)
 
 	credential := pseudonymsys.NewCredential(
 		new(big.Int).SetBytes(data.Credential.SmallAToGamma),

diff --git a/server/pseudonymsys_ec.go b/server/pseudonymsys_ec.go
@@ -20,6 +20,7 @@ package server
 import (
 	"github.com/xlab-si/emmy/config"
 	"github.com/xlab-si/emmy/crypto/dlog"
+	"github.com/xlab-si/emmy/crypto/zkp/primitives/dlogproofs"
 	"github.com/xlab-si/emmy/crypto/zkp/schemes/pseudonymsys"
 	pb "github.com/xlab-si/emmy/protobuf"
 	"github.com/xlab-si/emmy/types"
@@ -181,21 +182,21 @@ func (s *Server) PseudonymsysTransferCredentialEC(curveType dlog.Curve, req *pb.
 	nymA := types.ToECGroupElement(data.NymA)
 	nymB := types.ToECGroupElement(data.NymB)
 
-	t1 := make([]*big.Int, 6)
-	t1[0] = new(big.Int).SetBytes(data.Credential.T1.A.X)
-	t1[1] = new(big.Int).SetBytes(data.Credential.T1.A.Y)
-	t1[2] = new(big.Int).SetBytes(data.Credential.T1.B.X)
-	t1[3] = new(big.Int).SetBytes(data.Credential.T1.B.Y)
-	t1[4] = new(big.Int).SetBytes(data.Credential.T1.Hash)
-	t1[5] = new(big.Int).SetBytes(data.Credential.T1.ZAlpha)
-
-	t2 := make([]*big.Int, 6)
-	t2[0] = new(big.Int).SetBytes(data.Credential.T2.A.X)
-	t2[1] = new(big.Int).SetBytes(data.Credential.T2.A.Y)
-	t2[2] = new(big.Int).SetBytes(data.Credential.T2.B.X)
-	t2[3] = new(big.Int).SetBytes(data.Credential.T2.B.Y)
-	t2[4] = new(big.Int).SetBytes(data.Credential.T2.Hash)
-	t2[5] = new(big.Int).SetBytes(data.Credential.T2.ZAlpha)
+	t1 := dlogproofs.NewTranscriptEC(
+		new(big.Int).SetBytes(data.Credential.T1.A.X),
+		new(big.Int).SetBytes(data.Credential.T1.A.Y),
+		new(big.Int).SetBytes(data.Credential.T1.B.X),
+		new(big.Int).SetBytes(data.Credential.T1.B.Y),
+		new(big.Int).SetBytes(data.Credential.T1.Hash),
+		new(big.Int).SetBytes(data.Credential.T1.ZAlpha))
+
+	t2 := dlogproofs.NewTranscriptEC(
+		new(big.Int).SetBytes(data.Credential.T2.A.X),
+		new(big.Int).SetBytes(data.Credential.T2.A.Y),
+		new(big.Int).SetBytes(data.Credential.T2.B.X),
+		new(big.Int).SetBytes(data.Credential.T2.B.Y),
+		new(big.Int).SetBytes(data.Credential.T2.Hash),
+		new(big.Int).SetBytes(data.Credential.T2.ZAlpha))
 
 	credential := pseudonymsys.NewCredentialEC(
 		types.ToECGroupElement(data.Credential.SmallAToGamma),