/
dleq.rs
108 lines (85 loc) · 2.81 KB
/
dleq.rs
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
use crate::hash::Hasher;
use ark_ec::CurveGroup;
use ark_ff::PrimeField;
use ark_std::marker::PhantomData;
use ark_std::rand::Rng;
use ark_std::UniformRand;
use digest::Digest;
pub struct Proof<C: CurveGroup, D> {
pub challenge: C::ScalarField,
pub claim: C::ScalarField,
_digest: PhantomData<D>,
}
impl<C, D> Proof<C, D>
where
C: CurveGroup,
D: Digest,
{
pub fn new<R: Rng>(secret: &C::ScalarField, g1: C::Affine, g2: C::Affine, rng: &mut R) -> Self {
let rand = C::ScalarField::rand(rng);
let k1 = g1 * rand;
let k2 = g2 * rand;
let h1 = g1 * secret;
let h2 = g2 * secret;
let mut hasher = Hasher::<D>::new();
hasher.update(&k1);
hasher.update(&k2);
hasher.update(&h1);
hasher.update(&h2);
let hash_output = hasher.finalize();
let challenge = C::ScalarField::from_le_bytes_mod_order(&hash_output);
let claim = rand - challenge * secret;
Self {
challenge,
claim,
_digest: PhantomData,
}
}
pub fn verify(&self, g1: C::Affine, h1: C, g2: C::Affine, h2: C) -> bool {
let k1 = g1 * self.claim + h1 * self.challenge;
let k2 = g2 * self.claim + h2 * self.challenge;
let mut hasher = Hasher::<D>::new();
hasher.update(&k1);
hasher.update(&k2);
hasher.update(&h1);
hasher.update(&h2);
let hash_output = hasher.finalize();
let challenge = C::ScalarField::from_le_bytes_mod_order(&hash_output);
challenge == self.challenge
}
}
#[cfg(test)]
mod test {
use super::*;
use crate::tests::{G1Affine, Scalar, TestCurve, TestHash};
use ark_ec::pairing::Pairing;
use ark_ec::{AffineRepr, CurveGroup};
use ark_std::{test_rng, UniformRand};
type DleqProof = Proof<<TestCurve as Pairing>::G1, TestHash>;
#[test]
fn completeness() {
let rng = &mut test_rng();
let g1 = G1Affine::generator();
let g2 = (G1Affine::generator() * Scalar::rand(rng)).into_affine();
let secret = Scalar::rand(rng);
let h1 = g1 * secret;
let h2 = g2 * secret;
let proof = DleqProof::new(&secret, g1, g2, rng);
assert!(proof.verify(g1, h1, g2, h2));
}
#[test]
fn soundness() {
let rng = &mut test_rng();
let g1 = G1Affine::generator();
let g2 = (G1Affine::generator() * Scalar::rand(rng)).into_affine();
let secret = Scalar::rand(rng);
let h1 = g1 * secret;
let h2 = g2 * secret;
// invalid secret
let proof = DleqProof::new(&(secret * Scalar::from(2)), g1, g2, rng);
assert!(!proof.verify(g1, h1, g2, h2));
// invalid point
let proof = DleqProof::new(&secret, g1, g2, rng);
assert!(!proof.verify(g1, h1, g1, h1));
}
}