Merge pull request #34 from mancabizjak/transcript-as-struct

Make transcript a struct in dlogproofs package

client/pseudonymsys.go

@@ -248,16 +248,16 @@ func (c *PseudonymsysClient) TransferCredential(orgName string, userSecret *big.
 	x1, x2 := equalityProver.GetProofRandomData(userSecret, nym.A, credential.SmallAToGamma)
 
 	transcript1 := &pb.PseudonymsysTranscript{
-		A:      credential.T1[0].Bytes(),
-		B:      credential.T1[1].Bytes(),
-		Hash:   credential.T1[2].Bytes(),
-		ZAlpha: credential.T1[3].Bytes(),
+		A:      credential.T1.A.Bytes(),
+		B:      credential.T1.B.Bytes(),
+		Hash:   credential.T1.Hash.Bytes(),
+		ZAlpha: credential.T1.ZAlpha.Bytes(),
 	}
 	transcript2 := &pb.PseudonymsysTranscript{
-		A:      credential.T2[0].Bytes(),
-		B:      credential.T2[1].Bytes(),
-		Hash:   credential.T2[2].Bytes(),
-		ZAlpha: credential.T2[3].Bytes(),
+		A:      credential.T2.A.Bytes(),
+		B:      credential.T2.B.Bytes(),
+		Hash:   credential.T2.Hash.Bytes(),
+		ZAlpha: credential.T2.ZAlpha.Bytes(),
 	}
 	pbCredential := &pb.PseudonymsysCredential{
 		SmallAToGamma: credential.SmallAToGamma.Bytes(),

client/pseudonymsys_ec.go

@@ -272,20 +272,20 @@ func (c *PseudonymsysClientEC) TransferCredential(orgName string, userSecret *bi
 	x1, x2 := equalityProver.GetProofRandomData(userSecret, nym.A, credential.SmallAToGamma)
 
 	transcript1 := &pb.PseudonymsysTranscriptEC{
-		A: types.ToPbECGroupElement(types.NewECGroupElement(credential.T1[0],
-			credential.T1[1])),
-		B: types.ToPbECGroupElement(types.NewECGroupElement(credential.T1[2],
-			credential.T1[3])),
-		Hash:   credential.T1[4].Bytes(),
-		ZAlpha: credential.T1[5].Bytes(),
+		A: types.ToPbECGroupElement(types.NewECGroupElement(credential.T1.Alpha_1,
+			credential.T1.Alpha_2)),
+		B: types.ToPbECGroupElement(types.NewECGroupElement(credential.T1.Beta_1,
+			credential.T1.Beta_2)),
+		Hash:   credential.T1.Hash.Bytes(),
+		ZAlpha: credential.T1.ZAlpha.Bytes(),
 	}
 	transcript2 := &pb.PseudonymsysTranscriptEC{
-		A: types.ToPbECGroupElement(types.NewECGroupElement(credential.T2[0],
-			credential.T2[1])),
-		B: types.ToPbECGroupElement(types.NewECGroupElement(credential.T2[2],
-			credential.T2[3])),
-		Hash:   credential.T2[4].Bytes(),
-		ZAlpha: credential.T2[5].Bytes(),
+		A: types.ToPbECGroupElement(types.NewECGroupElement(credential.T2.Alpha_1,
+			credential.T2.Alpha_2)),
+		B: types.ToPbECGroupElement(types.NewECGroupElement(credential.T2.Beta_1,
+			credential.T2.Beta_2)),
+		Hash:   credential.T2.Hash.Bytes(),
+		ZAlpha: credential.T2.ZAlpha.Bytes(),
 	}
 	pbCredential := &pb.PseudonymsysCredentialEC{
 		SmallAToGamma: types.ToPbECGroupElement(credential.SmallAToGamma),

crypto/zkp/primitives/dlogproofs/dlog_equality_blinded_transcript.go

@@ -23,28 +23,44 @@ import (
 	"math/big"
 )
 
-// VerifyBlindedTranscript demonstrates how the prover can prove that the blinded transcript is valid.
-// That means the knowledge of log_g1(t1), log_G2(T2) and log_g1(t1) = log_G2(T2).
-// Note that G2 = g2^gamma, T2 = t2^gamma where gamma was chosen by verifier.
-func VerifyBlindedTranscript(transcript []*big.Int, dlog *dlog.ZpDLog, g1, t1, G2, T2 *big.Int) bool {
+type Transcript struct {
+	A      *big.Int
+	B      *big.Int
+	Hash   *big.Int
+	ZAlpha *big.Int
+}
+
+func NewTranscript(a, b, hash, zAlpha *big.Int) *Transcript {
+	return &Transcript{
+		A:      a,
+		B:      b,
+		Hash:   hash,
+		ZAlpha: zAlpha,
+	}
+}
+
+// Verifies that the blinded transcript is valid. That means the knowledge of log_g1(t1), log_G2(T2)
+// and log_g1(t1) = log_G2(T2). Note that G2 = g2^gamma, T2 = t2^gamma where gamma was chosen
+// by verifier.
+func VerifyBlindedTranscript(transcript *Transcript, dlog *dlog.ZpDLog, g1, t1, G2, T2 *big.Int) bool {
 	// Transcript should be in the following form: [alpha1, beta1, hash(alpha1, beta1), z+alpha]
 
 	// check hash:
-	hashNum := common.Hash(transcript[0], transcript[1])
-	if hashNum.Cmp(transcript[2]) != 0 {
+	hashNum := common.Hash(transcript.A, transcript.B)
+	if hashNum.Cmp(transcript.Hash) != 0 {
 		return false
 	}
 
 	// We need to verify (note that c-beta = hash(alpha1, beta1))
 	// g1^(z+alpha) = alpha1 * t1^(c-beta)
 	// G2^(z+alpha) = beta1 * T2^(c-beta)
-	left1, _ := dlog.Exponentiate(g1, transcript[3])
-	right1, _ := dlog.Exponentiate(t1, transcript[2])
-	right1, _ = dlog.Multiply(transcript[0], right1)
+	left1, _ := dlog.Exponentiate(g1, transcript.ZAlpha)
+	right1, _ := dlog.Exponentiate(t1, transcript.Hash)
+	right1, _ = dlog.Multiply(transcript.A, right1)
 
-	left2, _ := dlog.Exponentiate(G2, transcript[3])
-	right2, _ := dlog.Exponentiate(T2, transcript[2])
-	right2, _ = dlog.Multiply(transcript[1], right2)
+	left2, _ := dlog.Exponentiate(G2, transcript.ZAlpha)
+	right2, _ := dlog.Exponentiate(T2, transcript.Hash)
+	right2, _ = dlog.Multiply(transcript.B, right2)
 
 	if left1.Cmp(right1) == 0 && left2.Cmp(right2) == 0 {
 		return true
@@ -104,8 +120,8 @@ type DLogEqualityBTranscriptVerifier struct {
 	x2         *big.Int
 	t1         *big.Int
 	t2         *big.Int
-	transcript []*big.Int
 	alpha      *big.Int
+	transcript *Transcript
 }
 
 func NewDLogEqualityBTranscriptVerifier(dlog *dlog.ZpDLog,
@@ -154,21 +170,17 @@ func (verifier *DLogEqualityBTranscriptVerifier) GetChallenge(g1, g2, t1, t2, x1
 	hashNum := common.Hash(alpha1, beta1)
 	challenge := new(big.Int).Add(hashNum, beta)
 	challenge.Mod(challenge, verifier.DLog.OrderOfSubgroup)
-	verifier.challenge = challenge
 
-	var transcript []*big.Int
-	transcript = append(transcript, alpha1)
-	transcript = append(transcript, beta1)
-	transcript = append(transcript, hashNum)
-	verifier.transcript = transcript
+	verifier.challenge = challenge
+	verifier.transcript = NewTranscript(alpha1, beta1, hashNum, nil)
 	verifier.alpha = alpha
 
 	return challenge
 }
 
 // It receives z = r + secret * challenge.
 //It returns true if g1^z = g1^r * (g1^secret) ^ challenge and g2^z = g2^r * (g2^secret) ^ challenge.
-func (verifier *DLogEqualityBTranscriptVerifier) Verify(z *big.Int) (bool, []*big.Int,
+func (verifier *DLogEqualityBTranscriptVerifier) Verify(z *big.Int) (bool, *Transcript,
 	*big.Int, *big.Int) {
 	left1, _ := verifier.DLog.Exponentiate(verifier.g1, z)
 	left2, _ := verifier.DLog.Exponentiate(verifier.g2, z)
@@ -181,7 +193,7 @@ func (verifier *DLogEqualityBTranscriptVerifier) Verify(z *big.Int) (bool, []*bi
 	// transcript [(alpha1, beta1), hash(alpha1, beta1), z+alpha]
 	// however, we are actually returning [alpha1, beta1, hash(alpha1, beta1), z+alpha]
 	z1 := new(big.Int).Add(z, verifier.alpha)
-	verifier.transcript = append(verifier.transcript, z1)
+	verifier.transcript.ZAlpha = z1
 
 	G2, _ := verifier.DLog.Exponentiate(verifier.g2, verifier.gamma)
 	T2, _ := verifier.DLog.Exponentiate(verifier.t2, verifier.gamma)

crypto/zkp/primitives/dlogproofs/dlog_equality_blinded_transcript_ec.go

@@ -24,31 +24,30 @@ import (
 	"math/big"
 )
 
-// VerifyBlindedTranscriptEC demonstrates how the prover can prove that the blinded transcript is valid.
-// That means the knowledge of log_g1(t1), log_G2(T2) and log_g1(t1) = log_G2(T2) in EC group.
-// Note that G2 = g2^gamma, T2 = t2^gamma where gamma was chosen by verifier.
-func VerifyBlindedTranscriptEC(transcript []*big.Int, curve dlog.Curve,
+// Verifies that the blinded transcript is valid. That means the knowledge of log_g1(t1), log_G2(T2)
+// and log_g1(t1) = log_G2(T2). Note that G2 = g2^gamma, T2 = t2^gamma where gamma was chosen
+// by verifier.
+func VerifyBlindedTranscriptEC(transcript *TranscriptEC, curve dlog.Curve,
 	g1, t1, G2, T2 *types.ECGroupElement) bool {
 	dlog := dlog.NewECDLog(curve)
-	// Transcript should be in the following form:
-	// [alpha11, alpha12, beta11, beta12, hash(alpha11, alpha12, beta11, beta12), z+alpha]
 
 	// check hash:
-	hashNum := common.Hash(transcript[0], transcript[1], transcript[2], transcript[3])
-	if hashNum.Cmp(transcript[4]) != 0 {
+	hashNum := common.Hash(transcript.Alpha_1, transcript.Alpha_2,
+		transcript.Beta_1, transcript.Beta_2)
+	if hashNum.Cmp(transcript.Hash) != 0 {
 		return false
 	}
 
 	// We need to verify (note that c-beta = hash(alpha11, alpha12, beta11, beta12))
 	// g1^(z+alpha) = (alpha11, alpha12) * t1^(c-beta)
 	// G2^(z+alpha) = (beta11, beta12) * T2^(c-beta)
-	left11, left12 := dlog.Exponentiate(g1.X, g1.Y, transcript[5])
-	right11, right12 := dlog.Exponentiate(t1.X, t1.Y, transcript[4])
-	right11, right12 = dlog.Multiply(transcript[0], transcript[1], right11, right12)
+	left11, left12 := dlog.Exponentiate(g1.X, g1.Y, transcript.ZAlpha)
+	right11, right12 := dlog.Exponentiate(t1.X, t1.Y, transcript.Hash)
+	right11, right12 = dlog.Multiply(transcript.Alpha_1, transcript.Alpha_2, right11, right12)
 
-	left21, left22 := dlog.Exponentiate(G2.X, G2.Y, transcript[5])
-	right21, right22 := dlog.Exponentiate(T2.X, T2.Y, transcript[4])
-	right21, right22 = dlog.Multiply(transcript[2], transcript[3], right21, right22)
+	left21, left22 := dlog.Exponentiate(G2.X, G2.Y, transcript.ZAlpha)
+	right21, right22 := dlog.Exponentiate(T2.X, T2.Y, transcript.Hash)
+	right21, right22 = dlog.Multiply(transcript.Beta_1, transcript.Beta_2, right21, right22)
 
 	if left11.Cmp(right11) == 0 && left12.Cmp(right12) == 0 &&
 		left21.Cmp(right21) == 0 && left22.Cmp(right22) == 0 {
@@ -58,6 +57,26 @@ func VerifyBlindedTranscriptEC(transcript []*big.Int, curve dlog.Curve,
 	}
 }
 
+type TranscriptEC struct {
+	Alpha_1 *big.Int
+	Alpha_2 *big.Int
+	Beta_1  *big.Int
+	Beta_2  *big.Int
+	Hash    *big.Int
+	ZAlpha  *big.Int
+}
+
+func NewTranscriptEC(alpha_1, alpha_2, beta_1, beta_2, hash, zAlpha *big.Int) *TranscriptEC {
+	return &TranscriptEC{
+		Alpha_1: alpha_1,
+		Alpha_2: alpha_2,
+		Beta_1:  beta_1,
+		Beta_2:  beta_2,
+		Hash:    hash,
+		ZAlpha:  zAlpha,
+	}
+}
+
 type ECDLogEqualityBTranscriptProver struct {
 	DLog   *dlog.ECDLog
 	r      *big.Int
@@ -110,8 +129,8 @@ type ECDLogEqualityBTranscriptVerifier struct {
 	x2         *types.ECGroupElement
 	t1         *types.ECGroupElement
 	t2         *types.ECGroupElement
-	transcript []*big.Int
 	alpha      *big.Int
+	transcript *TranscriptEC
 }
 
 func NewECDLogEqualityBTranscriptVerifier(curve dlog.Curve,
@@ -162,23 +181,17 @@ func (verifier *ECDLogEqualityBTranscriptVerifier) GetChallenge(g1, g2, t1, t2,
 	hashNum := common.Hash(alpha11, alpha12, beta11, beta12)
 	challenge := new(big.Int).Add(hashNum, beta)
 	challenge.Mod(challenge, verifier.DLog.OrderOfSubgroup)
-	verifier.challenge = challenge
 
-	var transcript []*big.Int
-	transcript = append(transcript, alpha11)
-	transcript = append(transcript, alpha12)
-	transcript = append(transcript, beta11)
-	transcript = append(transcript, beta12)
-	transcript = append(transcript, hashNum)
-	verifier.transcript = transcript
+	verifier.challenge = challenge
+	verifier.transcript = NewTranscriptEC(alpha11, alpha12, beta11, beta12, hashNum, nil)
 	verifier.alpha = alpha
 
 	return challenge
 }
 
 // It receives z = r + secret * challenge.
 //It returns true if g1^z = g1^r * (g1^secret) ^ challenge and g2^z = g2^r * (g2^secret) ^ challenge.
-func (verifier *ECDLogEqualityBTranscriptVerifier) Verify(z *big.Int) (bool, []*big.Int,
+func (verifier *ECDLogEqualityBTranscriptVerifier) Verify(z *big.Int) (bool, *TranscriptEC,
 	*types.ECGroupElement, *types.ECGroupElement) {
 	left11, left12 := verifier.DLog.Exponentiate(verifier.g1.X, verifier.g1.Y, z)
 	left21, left22 := verifier.DLog.Exponentiate(verifier.g2.X, verifier.g2.Y, z)
@@ -192,7 +205,7 @@ func (verifier *ECDLogEqualityBTranscriptVerifier) Verify(z *big.Int) (bool, []*
 	// however, we are actually returning:
 	// [alpha11, alpha12, beta11, beta12, hash(alpha11, alpha12, beta11, beta12), z+alpha]
 	z1 := new(big.Int).Add(z, verifier.alpha)
-	verifier.transcript = append(verifier.transcript, z1)
+	verifier.transcript.ZAlpha = z1
 
 	G21, G22 := verifier.DLog.Exponentiate(verifier.g2.X, verifier.g2.Y, verifier.gamma)
 	T21, T22 := verifier.DLog.Exponentiate(verifier.t2.X, verifier.t2.Y, verifier.gamma)

crypto/zkp/schemes/pseudonymsys/org_issue.go

@@ -30,12 +30,12 @@ type Credential struct {
 	SmallBToGamma *big.Int
 	AToGamma      *big.Int
 	BToGamma      *big.Int
-	T1            []*big.Int
-	T2            []*big.Int
+	T1            *dlogproofs.Transcript
+	T2            *dlogproofs.Transcript
 }
 
 func NewCredential(aToGamma, bToGamma, AToGamma, BToGamma *big.Int,
-	t1, t2 []*big.Int) *Credential {
+	t1, t2 *dlogproofs.Transcript) *Credential {
 	credential := &Credential{
 		SmallAToGamma: aToGamma,
 		SmallBToGamma: bToGamma,

crypto/zkp/schemes/pseudonymsys/org_issue_ec.go

@@ -30,12 +30,12 @@ type CredentialEC struct {
 	SmallBToGamma *types.ECGroupElement
 	AToGamma      *types.ECGroupElement
 	BToGamma      *types.ECGroupElement
-	T1            []*big.Int
-	T2            []*big.Int
+	T1            *dlogproofs.TranscriptEC
+	T2            *dlogproofs.TranscriptEC
 }
 
 func NewCredentialEC(aToGamma, bToGamma, AToGamma, BToGamma *types.ECGroupElement,
-	t1, t2 []*big.Int) *CredentialEC {
+	t1, t2 *dlogproofs.TranscriptEC) *CredentialEC {
 	credential := &CredentialEC{
 		SmallAToGamma: aToGamma,
 		SmallBToGamma: bToGamma,

server/pseudonymsys.go

@@ -19,6 +19,7 @@ package server
 
 import (
 	"github.com/xlab-si/emmy/config"
+	"github.com/xlab-si/emmy/crypto/zkp/primitives/dlogproofs"
 	"github.com/xlab-si/emmy/crypto/zkp/schemes/pseudonymsys"
 	pb "github.com/xlab-si/emmy/protobuf"
 	"math/big"
@@ -178,17 +179,19 @@ func (s *Server) PseudonymsysTransferCredential(req *pb.Message, stream pb.Proto
 	nymA := new(big.Int).SetBytes(data.NymA)
 	nymB := new(big.Int).SetBytes(data.NymB)
 
-	t1 := make([]*big.Int, 4)
-	t1[0] = new(big.Int).SetBytes(data.Credential.T1.A)
-	t1[1] = new(big.Int).SetBytes(data.Credential.T1.B)
-	t1[2] = new(big.Int).SetBytes(data.Credential.T1.Hash)
-	t1[3] = new(big.Int).SetBytes(data.Credential.T1.ZAlpha)
-
-	t2 := make([]*big.Int, 4)
-	t2[0] = new(big.Int).SetBytes(data.Credential.T2.A)
-	t2[1] = new(big.Int).SetBytes(data.Credential.T2.B)
-	t2[2] = new(big.Int).SetBytes(data.Credential.T2.Hash)
-	t2[3] = new(big.Int).SetBytes(data.Credential.T2.ZAlpha)
+	t1 := dlogproofs.NewTranscript(
+		new(big.Int).SetBytes(data.Credential.T1.A),
+		new(big.Int).SetBytes(data.Credential.T1.B),
+		new(big.Int).SetBytes(data.Credential.T1.Hash),
+		new(big.Int).SetBytes(data.Credential.T1.ZAlpha),
+	)
+
+	t2 := dlogproofs.NewTranscript(
+		new(big.Int).SetBytes(data.Credential.T2.A),
+		new(big.Int).SetBytes(data.Credential.T2.B),
+		new(big.Int).SetBytes(data.Credential.T2.Hash),
+		new(big.Int).SetBytes(data.Credential.T2.ZAlpha),
+	)
 
 	credential := pseudonymsys.NewCredential(
 		new(big.Int).SetBytes(data.Credential.SmallAToGamma),

server/pseudonymsys_ec.go

@@ -20,6 +20,7 @@ package server
 import (
 	"github.com/xlab-si/emmy/config"
 	"github.com/xlab-si/emmy/crypto/dlog"
+	"github.com/xlab-si/emmy/crypto/zkp/primitives/dlogproofs"
 	"github.com/xlab-si/emmy/crypto/zkp/schemes/pseudonymsys"
 	pb "github.com/xlab-si/emmy/protobuf"
 	"github.com/xlab-si/emmy/types"
@@ -181,21 +182,21 @@ func (s *Server) PseudonymsysTransferCredentialEC(curveType dlog.Curve, req *pb.
 	nymA := types.ToECGroupElement(data.NymA)
 	nymB := types.ToECGroupElement(data.NymB)
 
-	t1 := make([]*big.Int, 6)
-	t1[0] = new(big.Int).SetBytes(data.Credential.T1.A.X)
-	t1[1] = new(big.Int).SetBytes(data.Credential.T1.A.Y)
-	t1[2] = new(big.Int).SetBytes(data.Credential.T1.B.X)
-	t1[3] = new(big.Int).SetBytes(data.Credential.T1.B.Y)
-	t1[4] = new(big.Int).SetBytes(data.Credential.T1.Hash)
-	t1[5] = new(big.Int).SetBytes(data.Credential.T1.ZAlpha)
-
-	t2 := make([]*big.Int, 6)
-	t2[0] = new(big.Int).SetBytes(data.Credential.T2.A.X)
-	t2[1] = new(big.Int).SetBytes(data.Credential.T2.A.Y)
-	t2[2] = new(big.Int).SetBytes(data.Credential.T2.B.X)
-	t2[3] = new(big.Int).SetBytes(data.Credential.T2.B.Y)
-	t2[4] = new(big.Int).SetBytes(data.Credential.T2.Hash)
-	t2[5] = new(big.Int).SetBytes(data.Credential.T2.ZAlpha)
+	t1 := dlogproofs.NewTranscriptEC(
+		new(big.Int).SetBytes(data.Credential.T1.A.X),
+		new(big.Int).SetBytes(data.Credential.T1.A.Y),
+		new(big.Int).SetBytes(data.Credential.T1.B.X),
+		new(big.Int).SetBytes(data.Credential.T1.B.Y),
+		new(big.Int).SetBytes(data.Credential.T1.Hash),
+		new(big.Int).SetBytes(data.Credential.T1.ZAlpha))
+
+	t2 := dlogproofs.NewTranscriptEC(
+		new(big.Int).SetBytes(data.Credential.T2.A.X),
+		new(big.Int).SetBytes(data.Credential.T2.A.Y),
+		new(big.Int).SetBytes(data.Credential.T2.B.X),
+		new(big.Int).SetBytes(data.Credential.T2.B.Y),
+		new(big.Int).SetBytes(data.Credential.T2.Hash),
+		new(big.Int).SetBytes(data.Credential.T2.ZAlpha))
 
 	credential := pseudonymsys.NewCredentialEC(
 		types.ToECGroupElement(data.Credential.SmallAToGamma),