-
Notifications
You must be signed in to change notification settings - Fork 1.7k
/
proof.go
66 lines (59 loc) · 2.45 KB
/
proof.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
package vrfkey
import (
"fmt"
"math/big"
"go.dedis.ch/kyber/v3"
"github.com/smartcontractkit/chainlink/v2/core/chains/evm/utils"
"github.com/smartcontractkit/chainlink/v2/core/services/signatures/secp256k1"
bm "github.com/smartcontractkit/chainlink/v2/core/utils/big_math"
)
// Proof represents a proof that Gamma was constructed from the Seed
// according to the process mandated by the PublicKey.
//
// N.B.: The kyber.Point fields must contain secp256k1.secp256k1Point values, C,
// S and Seed must be secp256k1Point, and Output must be at
// most 256 bits. See Proof.WellFormed.
type Proof struct {
PublicKey kyber.Point // secp256k1 public key of private key used in proof
Gamma kyber.Point
C *big.Int
S *big.Int
Seed *big.Int // Seed input to verifiable random function
Output *big.Int // verifiable random function output;, uniform uint256 sample
}
func (p *Proof) String() string {
return fmt.Sprintf(
"vrf.Proof{PublicKey: %s, Gamma: %s, C: %x, S: %x, Seed: %x, Output: %x}",
p.PublicKey, p.Gamma, p.C, p.S, p.Seed, p.Output)
}
// WellFormed is true iff p's attributes satisfy basic domain checks
func (p *Proof) WellFormed() bool {
return (secp256k1.ValidPublicKey(p.PublicKey) &&
secp256k1.ValidPublicKey(p.Gamma) && secp256k1.RepresentsScalar(p.C) &&
secp256k1.RepresentsScalar(p.S) && p.Output.BitLen() <= 256)
}
// VerifyProof is true iff gamma was generated in the mandated way from the
// given publicKey and seed, and no error was encountered
func (p *Proof) VerifyVRFProof() (bool, error) {
if !p.WellFormed() {
return false, fmt.Errorf("badly-formatted proof")
}
h, err := HashToCurve(p.PublicKey, p.Seed, func(*big.Int) {})
if err != nil {
return false, err
}
err = checkCGammaNotEqualToSHash(p.C, p.Gamma, p.S, h)
if err != nil {
return false, fmt.Errorf("c*γ = s*hash (disallowed in solidity verifier)")
}
// publicKey = secretKey*Generator. See GenerateProof for u, v, m, s
// c*secretKey*Generator + (m - c*secretKey)*Generator = m*Generator = u
uPrime := linearCombination(p.C, p.PublicKey, p.S, Generator)
// c*secretKey*h + (m - c*secretKey)*h = m*h = v
vPrime := linearCombination(p.C, p.Gamma, p.S, h)
uWitness := secp256k1.EthereumAddress(uPrime)
cPrime := ScalarFromCurvePoints(h, p.PublicKey, p.Gamma, uWitness, vPrime)
output := utils.MustHash(string(append(
RandomOutputHashPrefix, secp256k1.LongMarshal(p.Gamma)...)))
return bm.Equal(p.C, cPrime) && bm.Equal(p.Output, output.Big()), nil
}