// GetUserPredicate gets the predicate for the proof of correctness of user ciphertexts:
// ( R_i = r_i*g-hat AND (C_{i,l} = r_i*g_l AND ...) OR Y = y*g )
// Here R_i = \sum_{j} R_{ij}; same for r_i; C_{i,l} is the l-th ciphertext;
// g_l is the l-th base point and Y is the slot owner public key
func GetUserPredicate(amount int) proof.Predicate {
preds := make([]proof.Predicate, amount+1)
preds[0] = proof.Rep("R_i", "r_i", "g_hat")
for l := 0; l < amount; l++ {
preds[l+1] = proof.Rep("C_i,"+strconv.Itoa(l), "r_i", "g_"+strconv.Itoa(l))
}
return proof.Or(proof.And(preds...), proof.Rep("Y", "y", "g"))
}
func bifflePred() proof.Predicate {
// Branch 0 of either/or proof (for bit=0)
rep000 := proof.Rep("Xbar0-X0", "beta0", "G")
rep001 := proof.Rep("Ybar0-Y0", "beta0", "H")
rep010 := proof.Rep("Xbar1-X1", "beta1", "G")
rep011 := proof.Rep("Ybar1-Y1", "beta1", "H")
// Branch 1 of either/or proof (for bit=1)
rep100 := proof.Rep("Xbar0-X1", "beta1", "G")
rep101 := proof.Rep("Ybar0-Y1", "beta1", "H")
rep110 := proof.Rep("Xbar1-X0", "beta0", "G")
rep111 := proof.Rep("Ybar1-Y0", "beta0", "H")
and0 := proof.And(rep000, rep001, rep010, rep011)
and1 := proof.And(rep100, rep101, rep110, rep111)
or := proof.Or(and0, and1)
return or
}