示例#1
0
文件: pair.go 项目: LegoShrimp/crypto
// Verifier for ElGamal Pair Shuffle proofs.
func (ps *PairShuffle) Verify(
	g, h abstract.Point, X, Y, Xbar, Ybar []abstract.Point,
	ctx proof.VerifierContext) error {

	// Validate all vector lengths
	grp := ps.grp
	k := ps.k
	if len(X) != k || len(Y) != k || len(Xbar) != k || len(Ybar) != k {
		panic("mismatched vector lengths")
	}

	// P step 1
	p1 := &ps.p1
	if err := ctx.Get(p1); err != nil {
		return err
	}

	// V step 2
	v2 := &ps.v2
	if err := ctx.PubRand(v2); err != nil {
		return err
	}
	B := make([]abstract.Point, k)
	for i := 0; i < k; i++ {
		P := grp.Point().Mul(g, v2.Zrho[i])
		B[i] = P.Sub(P, p1.U[i])
	}

	// P step 3
	p3 := &ps.p3
	if err := ctx.Get(p3); err != nil {
		return err
	}

	// V step 4
	v4 := &ps.v4
	if err := ctx.PubRand(v4); err != nil {
		return err
	}

	// P step 5
	p5 := &ps.p5
	if err := ctx.Get(p5); err != nil {
		return err
	}

	// P,V step 6: simple k-shuffle
	if err := ps.pv6.Verify(g, p1.Gamma, ctx); err != nil {
		return err
	}

	// V step 7
	Phi1 := grp.Point().Null()
	Phi2 := grp.Point().Null()
	P := grp.Point() // scratch
	Q := grp.Point() // scratch
	for i := 0; i < k; i++ {
		Phi1 = Phi1.Add(Phi1, P.Mul(Xbar[i], p5.Zsigma[i])) // (31)
		Phi1 = Phi1.Sub(Phi1, P.Mul(X[i], v2.Zrho[i]))
		Phi2 = Phi2.Add(Phi2, P.Mul(Ybar[i], p5.Zsigma[i])) // (32)
		Phi2 = Phi2.Sub(Phi2, P.Mul(Y[i], v2.Zrho[i]))
		//		println("i",i)
		if !P.Mul(p1.Gamma, p5.Zsigma[i]).Equal( // (33)
			Q.Add(p1.W[i], p3.D[i])) {
			return errors.New("invalid PairShuffleProof")
		}
	}
	//	println("last")
	//	println("Phi1",Phi1.String());
	//	println("Phi2",Phi2.String());
	//	println("1",P.Add(p1.Lambda1,Q.Mul(g,p5.Ztau)).String());
	//	println("2",P.Add(p1.Lambda2,Q.Mul(h,p5.Ztau)).String());
	if !P.Add(p1.Lambda1, Q.Mul(g, p5.Ztau)).Equal(Phi1) || // (34)
		!P.Add(p1.Lambda2, Q.Mul(h, p5.Ztau)).Equal(Phi2) { // (35)
		return errors.New("invalid PairShuffleProof")
	}

	return nil
}
示例#2
0
// Verifier for Neff simple k-shuffle proofs.
func (ss *SimpleShuffle) Verify(G, Gamma abstract.Point,
	ctx proof.VerifierContext) error {

	grp := ss.grp

	// extract proof transcript
	X := ss.p0.X
	Y := ss.p0.Y
	Theta := ss.p2.Theta
	alpha := ss.p4.Zalpha

	// Validate all vector lengths
	k := len(Y)
	thlen := 2*k - 1
	if k <= 1 || len(Y) != k || len(Theta) != thlen+1 ||
		len(alpha) != thlen {
		return errors.New("malformed SimpleShuffleProof")
	}

	// check verifiable challenges (usually by reproducing a hash)
	if err := ctx.Get(ss.p0); err != nil {
		return err
	}
	if err := ctx.PubRand(&ss.v1); err != nil { // fills in v1
		return err
	}
	t := ss.v1.Zt
	if err := ctx.Get(ss.p2); err != nil {
		return err
	}
	if err := ctx.PubRand(&ss.v3); err != nil { // fills in v3
		return err
	}
	c := ss.v3.Zc
	if err := ctx.Get(ss.p4); err != nil {
		return err
	}

	// Verifier step 5
	negt := grp.Scalar().Neg(t)
	U := grp.Point().Mul(G, negt)
	W := grp.Point().Mul(Gamma, negt)
	Xhat := make([]abstract.Point, k)
	Yhat := make([]abstract.Point, k)
	for i := 0; i < k; i++ {
		Xhat[i] = grp.Point().Add(X[i], U)
		Yhat[i] = grp.Point().Add(Y[i], W)
	}
	P := grp.Point() // scratch variables
	Q := grp.Point()
	s := grp.Scalar()
	good := true
	good = good && thver(Xhat[0], Yhat[0], Theta[0], P, Q, c, alpha[0], s)
	for i := 1; i < k; i++ {
		good = good && thver(Xhat[i], Yhat[i], Theta[i], P, Q,
			alpha[i-1], alpha[i], s)
	}
	for i := k; i < thlen; i++ {
		good = good && thver(Gamma, G, Theta[i], P, Q,
			alpha[i-1], alpha[i], s)
	}
	good = good && thver(Gamma, G, Theta[thlen], P, Q,
		alpha[thlen-1], c, s)
	if !good {
		return errors.New("incorrect SimpleShuffleProof")
	}

	return nil
}