# Sigma (Schnorr) Identification Protocol
## A ZKP interactive protocol
### Python implementation

## Run in browser using " $ jupyter lab " !
This is an interactive execution that works in browser 

https://en.wikipedia.org/wiki/Proof_of_knowledge

## The Prover and Verifier agree on the following:
### A cyclic group *G* of order *p* (a big prime number) with generator (primitive root) *g*.

#### We can use *<ins>openssl</ins>* to generate a random prime at a given bits size, and a generator

In [1]:
# The output is in the file 'dhparams' at the same path
!openssl dhparam -text -out dhparams 512

Generating DH parameters, 512 bit long safe prime
..+.................+..............................+.........+...++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*


#### Convert the hexadecimal to decimal: <br />
https://www.mobilefish.com/services/big_number/big_number.php <br />
<br />
11835969984353354216691437291006245763846242542829548494585386007353171784095072175673343062339173975526279362680161974682108208645413677644629654572794703<br />

512 bits size.<br />

Can verify the size on:<br />
https://planetcalc.com/8985/<br />

## Python implementation

In [2]:
from random import SystemRandom

In [9]:
# Globals

# Cryptography Public Parameters

# Generator of the finite group
g = 2

# Order of the finite group. A big prime number.
p = 11835969984353354216691437291006245763846242542829548494585386007353171784095072175673343062339173975526279362680161974682108208645413677644629654572794703

# The encrypted secret, will be set by a 3rd party. 
# Its preimage, which the prover needs to prove that she knows, is not accessible to both the prover and verifier.
k = None

# These parameters will be set in further proving steps and passed between the prover and verifier.
a = c = z = None

In [10]:
def secret_knowledge(w):
    """
    Gets the witness (secret), and encrypts it.
    The plaintext witness never stored.
    """
    global k
    k = pow(g,w,p)         
    print('\n'+'The secret has been created.'+ '\n' +
    'Neither Peggy nor Victor can read it since it\'s discarded and' + '\n' +
    'only its encryption is publicly known.' '\n' +
    'If Peggy hasn\'t learned the secret from another source, \nshe won\'t be able to prove to Victor that she knows the secret.''\n')

In [11]:
class Prover:

    def __init__(self, secret):
        self.s = secret
        self.r = SystemRandom().randrange(p)    
        print('Peggy claims she knows the secret and will now prove this claim.','\n')

    def prove_step1(self):            
        global a
        a = pow(g,self.r,p) 
        print('Peggy:')
        print('Random number r = ',self.r) 
        print('a = g^r(mod p) = ',a,'\na -----> Victor','\n')
            
    def prove_step2(self):
        global z
        z = self.r + c * self.s
        print('Peggy:')
        print('z = r + cw = ',a,'\nz -----> Victor','\n') 

In [12]:
class Verifier:

    def __init__(self):        
        return        

    def verify_step1(self):
        global c
        c = SystemRandom().randrange(p)
        print('Victor:')
        print('Random challenge c = ',c,'\nc -----> Peggy','\n') 

    def verify_step2(self):
        print('Victor:'+'\n'+'Checking if g^z == a·k^c(mod p):')
        
        if pow(g,z,p) == (a * pow(k,c,p)) % p:
            print("Peggy's proof Accepted!","\n")
        else:
            print("Peggy's proof Rejected!","\n")

In [14]:
# main    

print('\n'+'-------- Sigma ZKP protocol example --------'+'\n')

secret_knowledge(w = int(input("Enter the secret knowledge (Intger):")))
prover = Prover(secret = int(input("Enter Peggy's knowledge (Intger) :")))
verifier = Verifier()

prover.prove_step1()
verifier.verify_step1()
prover.prove_step2()
verifier.verify_step2()



-------- Sigma ZKP protocol example --------



Enter the secret knowledge (Intger): 74902



The secret has been created.
Neither Peggy nor Victor can read it since it's discarded and
only its encryption is publicly known.
If Peggy hasn't learned the secret from another source, 
she won't be able to prove to Victor that she knows the secret.



Enter Peggy's knowledge (Intger) : 74901


Peggy claims she knows the secret and will now prove this claim. 

Peggy:
Random number r =  3091384699548446727954724362536644450856748301545165580144967350111907153660597093630979027328215814858690372307960546085072594531867766486788926691718814
a = g^r(mod p) =  9836338144440602794614965707032256348771067724108654867084890327270354772063256804357563229223563407249561587634088131338860994818220598702660440986741882 
a -----> Victor 

Victor:
Random challenge c =  4779036006892927942102310736207533120011416016876233347377957178840013309397648599966224496981679982222225620655389936121125729421880240347551985889637218 
c -----> Peggy 

Peggy:
z = r + cw =  9836338144440602794614965707032256348771067724108654867084890327270354772063256804357563229223563407249561587634088131338860994818220598702660440986741882 
z -----> Victor 

Victor:
Checking if g^z == a·k^c(mod p):
Peggy's proof Rejected! 



## Math

### Prime & Generator (primitive root)

A unit $g \in {Z^*}_n$ is called a generator or primitive root of ${Z^*}_n$ if for every $a \in {Z^*}_n$ we have $g^k = a$ for some integer *k*. In other words, if we start with *g*, and keep multiplying by *g* eventually we see every element.

https://crypto.stanford.edu/pbc/notes/numbertheory/gen.html

#### Big integers:
Depending on what the programming language decides, it can:
- roll it over to -9,223,372,036,854,775,808
- convert it from a 64 int to a BigInt, an arbitrary precision format that users more storage as integer size increases
- convert it to a floating point value, losing precision