# Schnorr's Protocol: Proof of Knowledge of Discrete Log

In [2]:
import random

import galois

# Define our field
GF = galois.GF(2**8)
G = GF.primitive_element


def rand_scalar():
    return random.randint(0, GF.order - 1)


# Prover generates a commitment to a secret `x`: `public_key`
x = rand_scalar()
public_key = G**x

# Prover generates a random nonce `a` and computes `commitment`
a = rand_scalar()
commitment = G**a

# Verifier generates a random challenge beta
beta = rand_scalar()

# Honest Prover computes a proof of knowledge: `gamma`
gamma = beta * x + a

# Verifier checks `gamma`
is_ok = public_key**beta * commitment == G**gamma
assert is_ok, "Honest Prover sends a valid proof of knowledge of x"

# Dishonest Prover cheats by forging a bad proof of knowledge: `bad_gamma`
bad_x = rand_scalar()
bad_gamma = beta * bad_x + a

# Notice that because `bad_x` is random it won't match the `public_key` commitment made with the original, valid `x`

# Verifier checks `bad_gamma`
is_bad_ok = public_key**beta * commitment == G**bad_gamma
assert not is_bad_ok, "Dishonest Prover sends an invalid proof of knowledge of x"

print("Done")

Done
