From 4985d742c40de8795958cec322f331f8a2402fd3 Mon Sep 17 00:00:00 2001 From: Manca Bizjak Date: Thu, 2 Nov 2017 15:45:10 +0100 Subject: [PATCH] Introduce Transcript and TranscriptEC structs This commit introduces two new structs in the dlogproofs package; Transcript for modular arithmetic and TranscriptEC for elliptic curve arithmetic. This change greatly improves readability. In addition, it will allow us to easily achieve compatibility with types supported by go tools for creating language bindings. Resolves #33. Signed-off-by: Manca Bizjak --- client/pseudonymsys.go | 16 ++--- client/pseudonymsys_ec.go | 24 +++---- .../dlog_equality_blinded_transcript.go | 54 +++++++++------- .../dlog_equality_blinded_transcript_ec.go | 63 +++++++++++-------- crypto/zkp/schemes/pseudonymsys/org_issue.go | 6 +- .../zkp/schemes/pseudonymsys/org_issue_ec.go | 6 +- server/pseudonymsys.go | 25 ++++---- server/pseudonymsys_ec.go | 31 ++++----- 8 files changed, 127 insertions(+), 98 deletions(-) diff --git a/client/pseudonymsys.go b/client/pseudonymsys.go index 1781efd..adb5a77 100644 --- a/client/pseudonymsys.go +++ b/client/pseudonymsys.go @@ -248,16 +248,16 @@ func (c *PseudonymsysClient) TransferCredential(orgName string, userSecret *big. x1, x2 := equalityProver.GetProofRandomData(userSecret, nym.A, credential.SmallAToGamma) transcript1 := &pb.PseudonymsysTranscript{ - A: credential.T1[0].Bytes(), - B: credential.T1[1].Bytes(), - Hash: credential.T1[2].Bytes(), - ZAlpha: credential.T1[3].Bytes(), + A: credential.T1.A.Bytes(), + B: credential.T1.B.Bytes(), + Hash: credential.T1.Hash.Bytes(), + ZAlpha: credential.T1.ZAlpha.Bytes(), } transcript2 := &pb.PseudonymsysTranscript{ - A: credential.T2[0].Bytes(), - B: credential.T2[1].Bytes(), - Hash: credential.T2[2].Bytes(), - ZAlpha: credential.T2[3].Bytes(), + A: credential.T2.A.Bytes(), + B: credential.T2.B.Bytes(), + Hash: credential.T2.Hash.Bytes(), + ZAlpha: credential.T2.ZAlpha.Bytes(), } pbCredential := &pb.PseudonymsysCredential{ SmallAToGamma: credential.SmallAToGamma.Bytes(), diff --git a/client/pseudonymsys_ec.go b/client/pseudonymsys_ec.go index d906aea..1f82763 100644 --- a/client/pseudonymsys_ec.go +++ b/client/pseudonymsys_ec.go @@ -272,20 +272,20 @@ func (c *PseudonymsysClientEC) TransferCredential(orgName string, userSecret *bi x1, x2 := equalityProver.GetProofRandomData(userSecret, nym.A, credential.SmallAToGamma) transcript1 := &pb.PseudonymsysTranscriptEC{ - A: types.ToPbECGroupElement(types.NewECGroupElement(credential.T1[0], - credential.T1[1])), - B: types.ToPbECGroupElement(types.NewECGroupElement(credential.T1[2], - credential.T1[3])), - Hash: credential.T1[4].Bytes(), - ZAlpha: credential.T1[5].Bytes(), + A: types.ToPbECGroupElement(types.NewECGroupElement(credential.T1.Alpha_1, + credential.T1.Alpha_2)), + B: types.ToPbECGroupElement(types.NewECGroupElement(credential.T1.Beta_1, + credential.T1.Beta_2)), + Hash: credential.T1.Hash.Bytes(), + ZAlpha: credential.T1.ZAlpha.Bytes(), } transcript2 := &pb.PseudonymsysTranscriptEC{ - A: types.ToPbECGroupElement(types.NewECGroupElement(credential.T2[0], - credential.T2[1])), - B: types.ToPbECGroupElement(types.NewECGroupElement(credential.T2[2], - credential.T2[3])), - Hash: credential.T2[4].Bytes(), - ZAlpha: credential.T2[5].Bytes(), + A: types.ToPbECGroupElement(types.NewECGroupElement(credential.T2.Alpha_1, + credential.T2.Alpha_2)), + B: types.ToPbECGroupElement(types.NewECGroupElement(credential.T2.Beta_1, + credential.T2.Beta_2)), + Hash: credential.T2.Hash.Bytes(), + ZAlpha: credential.T2.ZAlpha.Bytes(), } pbCredential := &pb.PseudonymsysCredentialEC{ SmallAToGamma: types.ToPbECGroupElement(credential.SmallAToGamma), diff --git a/crypto/zkp/primitives/dlogproofs/dlog_equality_blinded_transcript.go b/crypto/zkp/primitives/dlogproofs/dlog_equality_blinded_transcript.go index 4df3e26..df64286 100644 --- a/crypto/zkp/primitives/dlogproofs/dlog_equality_blinded_transcript.go +++ b/crypto/zkp/primitives/dlogproofs/dlog_equality_blinded_transcript.go @@ -23,28 +23,44 @@ import ( "math/big" ) -// VerifyBlindedTranscript demonstrates how the prover can prove that the blinded transcript is valid. -// That means the knowledge of log_g1(t1), log_G2(T2) and log_g1(t1) = log_G2(T2). -// Note that G2 = g2^gamma, T2 = t2^gamma where gamma was chosen by verifier. -func VerifyBlindedTranscript(transcript []*big.Int, dlog *dlog.ZpDLog, g1, t1, G2, T2 *big.Int) bool { +type Transcript struct { + A *big.Int + B *big.Int + Hash *big.Int + ZAlpha *big.Int +} + +func NewTranscript(a, b, hash, zAlpha *big.Int) *Transcript { + return &Transcript{ + A: a, + B: b, + Hash: hash, + ZAlpha: zAlpha, + } +} + +// Verifies that the blinded transcript is valid. That means the knowledge of log_g1(t1), log_G2(T2) +// and log_g1(t1) = log_G2(T2). Note that G2 = g2^gamma, T2 = t2^gamma where gamma was chosen +// by verifier. +func VerifyBlindedTranscript(transcript *Transcript, dlog *dlog.ZpDLog, g1, t1, G2, T2 *big.Int) bool { // Transcript should be in the following form: [alpha1, beta1, hash(alpha1, beta1), z+alpha] // check hash: - hashNum := common.Hash(transcript[0], transcript[1]) - if hashNum.Cmp(transcript[2]) != 0 { + hashNum := common.Hash(transcript.A, transcript.B) + if hashNum.Cmp(transcript.Hash) != 0 { return false } // We need to verify (note that c-beta = hash(alpha1, beta1)) // g1^(z+alpha) = alpha1 * t1^(c-beta) // G2^(z+alpha) = beta1 * T2^(c-beta) - left1, _ := dlog.Exponentiate(g1, transcript[3]) - right1, _ := dlog.Exponentiate(t1, transcript[2]) - right1, _ = dlog.Multiply(transcript[0], right1) + left1, _ := dlog.Exponentiate(g1, transcript.ZAlpha) + right1, _ := dlog.Exponentiate(t1, transcript.Hash) + right1, _ = dlog.Multiply(transcript.A, right1) - left2, _ := dlog.Exponentiate(G2, transcript[3]) - right2, _ := dlog.Exponentiate(T2, transcript[2]) - right2, _ = dlog.Multiply(transcript[1], right2) + left2, _ := dlog.Exponentiate(G2, transcript.ZAlpha) + right2, _ := dlog.Exponentiate(T2, transcript.Hash) + right2, _ = dlog.Multiply(transcript.B, right2) if left1.Cmp(right1) == 0 && left2.Cmp(right2) == 0 { return true @@ -104,8 +120,8 @@ type DLogEqualityBTranscriptVerifier struct { x2 *big.Int t1 *big.Int t2 *big.Int - transcript []*big.Int alpha *big.Int + transcript *Transcript } func NewDLogEqualityBTranscriptVerifier(dlog *dlog.ZpDLog, @@ -154,13 +170,9 @@ func (verifier *DLogEqualityBTranscriptVerifier) GetChallenge(g1, g2, t1, t2, x1 hashNum := common.Hash(alpha1, beta1) challenge := new(big.Int).Add(hashNum, beta) challenge.Mod(challenge, verifier.DLog.OrderOfSubgroup) - verifier.challenge = challenge - var transcript []*big.Int - transcript = append(transcript, alpha1) - transcript = append(transcript, beta1) - transcript = append(transcript, hashNum) - verifier.transcript = transcript + verifier.challenge = challenge + verifier.transcript = NewTranscript(alpha1, beta1, hashNum, nil) verifier.alpha = alpha return challenge @@ -168,7 +180,7 @@ func (verifier *DLogEqualityBTranscriptVerifier) GetChallenge(g1, g2, t1, t2, x1 // It receives z = r + secret * challenge. //It returns true if g1^z = g1^r * (g1^secret) ^ challenge and g2^z = g2^r * (g2^secret) ^ challenge. -func (verifier *DLogEqualityBTranscriptVerifier) Verify(z *big.Int) (bool, []*big.Int, +func (verifier *DLogEqualityBTranscriptVerifier) Verify(z *big.Int) (bool, *Transcript, *big.Int, *big.Int) { left1, _ := verifier.DLog.Exponentiate(verifier.g1, z) left2, _ := verifier.DLog.Exponentiate(verifier.g2, z) @@ -181,7 +193,7 @@ func (verifier *DLogEqualityBTranscriptVerifier) Verify(z *big.Int) (bool, []*bi // transcript [(alpha1, beta1), hash(alpha1, beta1), z+alpha] // however, we are actually returning [alpha1, beta1, hash(alpha1, beta1), z+alpha] z1 := new(big.Int).Add(z, verifier.alpha) - verifier.transcript = append(verifier.transcript, z1) + verifier.transcript.ZAlpha = z1 G2, _ := verifier.DLog.Exponentiate(verifier.g2, verifier.gamma) T2, _ := verifier.DLog.Exponentiate(verifier.t2, verifier.gamma) diff --git a/crypto/zkp/primitives/dlogproofs/dlog_equality_blinded_transcript_ec.go b/crypto/zkp/primitives/dlogproofs/dlog_equality_blinded_transcript_ec.go index 8718759..0686ff4 100644 --- a/crypto/zkp/primitives/dlogproofs/dlog_equality_blinded_transcript_ec.go +++ b/crypto/zkp/primitives/dlogproofs/dlog_equality_blinded_transcript_ec.go @@ -24,31 +24,30 @@ import ( "math/big" ) -// VerifyBlindedTranscriptEC demonstrates how the prover can prove that the blinded transcript is valid. -// That means the knowledge of log_g1(t1), log_G2(T2) and log_g1(t1) = log_G2(T2) in EC group. -// Note that G2 = g2^gamma, T2 = t2^gamma where gamma was chosen by verifier. -func VerifyBlindedTranscriptEC(transcript []*big.Int, curve dlog.Curve, +// Verifies that the blinded transcript is valid. That means the knowledge of log_g1(t1), log_G2(T2) +// and log_g1(t1) = log_G2(T2). Note that G2 = g2^gamma, T2 = t2^gamma where gamma was chosen +// by verifier. +func VerifyBlindedTranscriptEC(transcript *TranscriptEC, curve dlog.Curve, g1, t1, G2, T2 *types.ECGroupElement) bool { dlog := dlog.NewECDLog(curve) - // Transcript should be in the following form: - // [alpha11, alpha12, beta11, beta12, hash(alpha11, alpha12, beta11, beta12), z+alpha] // check hash: - hashNum := common.Hash(transcript[0], transcript[1], transcript[2], transcript[3]) - if hashNum.Cmp(transcript[4]) != 0 { + hashNum := common.Hash(transcript.Alpha_1, transcript.Alpha_2, + transcript.Beta_1, transcript.Beta_2) + if hashNum.Cmp(transcript.Hash) != 0 { return false } // We need to verify (note that c-beta = hash(alpha11, alpha12, beta11, beta12)) // g1^(z+alpha) = (alpha11, alpha12) * t1^(c-beta) // G2^(z+alpha) = (beta11, beta12) * T2^(c-beta) - left11, left12 := dlog.Exponentiate(g1.X, g1.Y, transcript[5]) - right11, right12 := dlog.Exponentiate(t1.X, t1.Y, transcript[4]) - right11, right12 = dlog.Multiply(transcript[0], transcript[1], right11, right12) + left11, left12 := dlog.Exponentiate(g1.X, g1.Y, transcript.ZAlpha) + right11, right12 := dlog.Exponentiate(t1.X, t1.Y, transcript.Hash) + right11, right12 = dlog.Multiply(transcript.Alpha_1, transcript.Alpha_2, right11, right12) - left21, left22 := dlog.Exponentiate(G2.X, G2.Y, transcript[5]) - right21, right22 := dlog.Exponentiate(T2.X, T2.Y, transcript[4]) - right21, right22 = dlog.Multiply(transcript[2], transcript[3], right21, right22) + left21, left22 := dlog.Exponentiate(G2.X, G2.Y, transcript.ZAlpha) + right21, right22 := dlog.Exponentiate(T2.X, T2.Y, transcript.Hash) + right21, right22 = dlog.Multiply(transcript.Beta_1, transcript.Beta_2, right21, right22) if left11.Cmp(right11) == 0 && left12.Cmp(right12) == 0 && left21.Cmp(right21) == 0 && left22.Cmp(right22) == 0 { @@ -58,6 +57,26 @@ func VerifyBlindedTranscriptEC(transcript []*big.Int, curve dlog.Curve, } } +type TranscriptEC struct { + Alpha_1 *big.Int + Alpha_2 *big.Int + Beta_1 *big.Int + Beta_2 *big.Int + Hash *big.Int + ZAlpha *big.Int +} + +func NewTranscriptEC(alpha_1, alpha_2, beta_1, beta_2, hash, zAlpha *big.Int) *TranscriptEC { + return &TranscriptEC{ + Alpha_1: alpha_1, + Alpha_2: alpha_2, + Beta_1: beta_1, + Beta_2: beta_2, + Hash: hash, + ZAlpha: zAlpha, + } +} + type ECDLogEqualityBTranscriptProver struct { DLog *dlog.ECDLog r *big.Int @@ -110,8 +129,8 @@ type ECDLogEqualityBTranscriptVerifier struct { x2 *types.ECGroupElement t1 *types.ECGroupElement t2 *types.ECGroupElement - transcript []*big.Int alpha *big.Int + transcript *TranscriptEC } func NewECDLogEqualityBTranscriptVerifier(curve dlog.Curve, @@ -162,15 +181,9 @@ func (verifier *ECDLogEqualityBTranscriptVerifier) GetChallenge(g1, g2, t1, t2, hashNum := common.Hash(alpha11, alpha12, beta11, beta12) challenge := new(big.Int).Add(hashNum, beta) challenge.Mod(challenge, verifier.DLog.OrderOfSubgroup) - verifier.challenge = challenge - var transcript []*big.Int - transcript = append(transcript, alpha11) - transcript = append(transcript, alpha12) - transcript = append(transcript, beta11) - transcript = append(transcript, beta12) - transcript = append(transcript, hashNum) - verifier.transcript = transcript + verifier.challenge = challenge + verifier.transcript = NewTranscriptEC(alpha11, alpha12, beta11, beta12, hashNum, nil) verifier.alpha = alpha return challenge @@ -178,7 +191,7 @@ func (verifier *ECDLogEqualityBTranscriptVerifier) GetChallenge(g1, g2, t1, t2, // It receives z = r + secret * challenge. //It returns true if g1^z = g1^r * (g1^secret) ^ challenge and g2^z = g2^r * (g2^secret) ^ challenge. -func (verifier *ECDLogEqualityBTranscriptVerifier) Verify(z *big.Int) (bool, []*big.Int, +func (verifier *ECDLogEqualityBTranscriptVerifier) Verify(z *big.Int) (bool, *TranscriptEC, *types.ECGroupElement, *types.ECGroupElement) { left11, left12 := verifier.DLog.Exponentiate(verifier.g1.X, verifier.g1.Y, z) left21, left22 := verifier.DLog.Exponentiate(verifier.g2.X, verifier.g2.Y, z) @@ -192,7 +205,7 @@ func (verifier *ECDLogEqualityBTranscriptVerifier) Verify(z *big.Int) (bool, []* // however, we are actually returning: // [alpha11, alpha12, beta11, beta12, hash(alpha11, alpha12, beta11, beta12), z+alpha] z1 := new(big.Int).Add(z, verifier.alpha) - verifier.transcript = append(verifier.transcript, z1) + verifier.transcript.ZAlpha = z1 G21, G22 := verifier.DLog.Exponentiate(verifier.g2.X, verifier.g2.Y, verifier.gamma) T21, T22 := verifier.DLog.Exponentiate(verifier.t2.X, verifier.t2.Y, verifier.gamma) diff --git a/crypto/zkp/schemes/pseudonymsys/org_issue.go b/crypto/zkp/schemes/pseudonymsys/org_issue.go index 8d4d88f..56cb11c 100644 --- a/crypto/zkp/schemes/pseudonymsys/org_issue.go +++ b/crypto/zkp/schemes/pseudonymsys/org_issue.go @@ -30,12 +30,12 @@ type Credential struct { SmallBToGamma *big.Int AToGamma *big.Int BToGamma *big.Int - T1 []*big.Int - T2 []*big.Int + T1 *dlogproofs.Transcript + T2 *dlogproofs.Transcript } func NewCredential(aToGamma, bToGamma, AToGamma, BToGamma *big.Int, - t1, t2 []*big.Int) *Credential { + t1, t2 *dlogproofs.Transcript) *Credential { credential := &Credential{ SmallAToGamma: aToGamma, SmallBToGamma: bToGamma, diff --git a/crypto/zkp/schemes/pseudonymsys/org_issue_ec.go b/crypto/zkp/schemes/pseudonymsys/org_issue_ec.go index ddc9f0f..9c4f7c2 100644 --- a/crypto/zkp/schemes/pseudonymsys/org_issue_ec.go +++ b/crypto/zkp/schemes/pseudonymsys/org_issue_ec.go @@ -30,12 +30,12 @@ type CredentialEC struct { SmallBToGamma *types.ECGroupElement AToGamma *types.ECGroupElement BToGamma *types.ECGroupElement - T1 []*big.Int - T2 []*big.Int + T1 *dlogproofs.TranscriptEC + T2 *dlogproofs.TranscriptEC } func NewCredentialEC(aToGamma, bToGamma, AToGamma, BToGamma *types.ECGroupElement, - t1, t2 []*big.Int) *CredentialEC { + t1, t2 *dlogproofs.TranscriptEC) *CredentialEC { credential := &CredentialEC{ SmallAToGamma: aToGamma, SmallBToGamma: bToGamma, diff --git a/server/pseudonymsys.go b/server/pseudonymsys.go index 7c0d2fb..cf1b6d9 100644 --- a/server/pseudonymsys.go +++ b/server/pseudonymsys.go @@ -19,6 +19,7 @@ package server import ( "github.com/xlab-si/emmy/config" + "github.com/xlab-si/emmy/crypto/zkp/primitives/dlogproofs" "github.com/xlab-si/emmy/crypto/zkp/schemes/pseudonymsys" pb "github.com/xlab-si/emmy/protobuf" "math/big" @@ -178,17 +179,19 @@ func (s *Server) PseudonymsysTransferCredential(req *pb.Message, stream pb.Proto nymA := new(big.Int).SetBytes(data.NymA) nymB := new(big.Int).SetBytes(data.NymB) - t1 := make([]*big.Int, 4) - t1[0] = new(big.Int).SetBytes(data.Credential.T1.A) - t1[1] = new(big.Int).SetBytes(data.Credential.T1.B) - t1[2] = new(big.Int).SetBytes(data.Credential.T1.Hash) - t1[3] = new(big.Int).SetBytes(data.Credential.T1.ZAlpha) - - t2 := make([]*big.Int, 4) - t2[0] = new(big.Int).SetBytes(data.Credential.T2.A) - t2[1] = new(big.Int).SetBytes(data.Credential.T2.B) - t2[2] = new(big.Int).SetBytes(data.Credential.T2.Hash) - t2[3] = new(big.Int).SetBytes(data.Credential.T2.ZAlpha) + t1 := dlogproofs.NewTranscript( + new(big.Int).SetBytes(data.Credential.T1.A), + new(big.Int).SetBytes(data.Credential.T1.B), + new(big.Int).SetBytes(data.Credential.T1.Hash), + new(big.Int).SetBytes(data.Credential.T1.ZAlpha), + ) + + t2 := dlogproofs.NewTranscript( + new(big.Int).SetBytes(data.Credential.T2.A), + new(big.Int).SetBytes(data.Credential.T2.B), + new(big.Int).SetBytes(data.Credential.T2.Hash), + new(big.Int).SetBytes(data.Credential.T2.ZAlpha), + ) credential := pseudonymsys.NewCredential( new(big.Int).SetBytes(data.Credential.SmallAToGamma), diff --git a/server/pseudonymsys_ec.go b/server/pseudonymsys_ec.go index 9576bf7..f5b4911 100644 --- a/server/pseudonymsys_ec.go +++ b/server/pseudonymsys_ec.go @@ -20,6 +20,7 @@ package server import ( "github.com/xlab-si/emmy/config" "github.com/xlab-si/emmy/crypto/dlog" + "github.com/xlab-si/emmy/crypto/zkp/primitives/dlogproofs" "github.com/xlab-si/emmy/crypto/zkp/schemes/pseudonymsys" pb "github.com/xlab-si/emmy/protobuf" "github.com/xlab-si/emmy/types" @@ -181,21 +182,21 @@ func (s *Server) PseudonymsysTransferCredentialEC(curveType dlog.Curve, req *pb. nymA := types.ToECGroupElement(data.NymA) nymB := types.ToECGroupElement(data.NymB) - t1 := make([]*big.Int, 6) - t1[0] = new(big.Int).SetBytes(data.Credential.T1.A.X) - t1[1] = new(big.Int).SetBytes(data.Credential.T1.A.Y) - t1[2] = new(big.Int).SetBytes(data.Credential.T1.B.X) - t1[3] = new(big.Int).SetBytes(data.Credential.T1.B.Y) - t1[4] = new(big.Int).SetBytes(data.Credential.T1.Hash) - t1[5] = new(big.Int).SetBytes(data.Credential.T1.ZAlpha) - - t2 := make([]*big.Int, 6) - t2[0] = new(big.Int).SetBytes(data.Credential.T2.A.X) - t2[1] = new(big.Int).SetBytes(data.Credential.T2.A.Y) - t2[2] = new(big.Int).SetBytes(data.Credential.T2.B.X) - t2[3] = new(big.Int).SetBytes(data.Credential.T2.B.Y) - t2[4] = new(big.Int).SetBytes(data.Credential.T2.Hash) - t2[5] = new(big.Int).SetBytes(data.Credential.T2.ZAlpha) + t1 := dlogproofs.NewTranscriptEC( + new(big.Int).SetBytes(data.Credential.T1.A.X), + new(big.Int).SetBytes(data.Credential.T1.A.Y), + new(big.Int).SetBytes(data.Credential.T1.B.X), + new(big.Int).SetBytes(data.Credential.T1.B.Y), + new(big.Int).SetBytes(data.Credential.T1.Hash), + new(big.Int).SetBytes(data.Credential.T1.ZAlpha)) + + t2 := dlogproofs.NewTranscriptEC( + new(big.Int).SetBytes(data.Credential.T2.A.X), + new(big.Int).SetBytes(data.Credential.T2.A.Y), + new(big.Int).SetBytes(data.Credential.T2.B.X), + new(big.Int).SetBytes(data.Credential.T2.B.Y), + new(big.Int).SetBytes(data.Credential.T2.Hash), + new(big.Int).SetBytes(data.Credential.T2.ZAlpha)) credential := pseudonymsys.NewCredentialEC( types.ToECGroupElement(data.Credential.SmallAToGamma),