Home Explore Help
Sign In
epsylon
/
ecoin
Watch 1
Star 0
Fork 0
Files Issues 0 Pull Requests 0
Tree: d5a093a6aa
Branches Tags
ecoin
/
ecoin
/
src
/
zerocoin
/
AccumulatorProofOfKnowledge.cpp

AccumulatorProofOfKnowledge.cpp 8.7 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134 
  1. // ECOin - Copyright (c) - 2014/2022 - GPLv3 - epsylon@riseup.net (https://03c8.net)
    2. 

  2. 

  3. #include "Zerocoin.h"
    4. 

  4. 

  5. namespace libzerocoin {
    6. 

  6. 

  7. AccumulatorProofOfKnowledge::AccumulatorProofOfKnowledge(const AccumulatorAndProofParams* p): params(p) {}
    8. 

  8. 

  9. AccumulatorProofOfKnowledge::AccumulatorProofOfKnowledge(const AccumulatorAndProofParams* p,
    10. 

  10.         const Commitment& commitmentToCoin, const AccumulatorWitness& witness,
    11. 

  11.         Accumulator& a): params(p) {
    12. 

  12. 

  13. 	CBigNum sg = params->accumulatorPoKCommitmentGroup.g;
    14. 

  14. 	CBigNum sh = params->accumulatorPoKCommitmentGroup.h;
    15. 

  15. 

  16. 	CBigNum g_n = params->accumulatorQRNCommitmentGroup.g;
    17. 

  17. 	CBigNum h_n = params->accumulatorQRNCommitmentGroup.h;
    18. 

  18. 

  19. 	CBigNum e = commitmentToCoin.getContents();
    20. 

  20. 	CBigNum r = commitmentToCoin.getRandomness();
    21. 

  21. 

  22. 	CBigNum r_1 = CBigNum::randBignum(params->accumulatorModulus/4);
    23. 

  23. 	CBigNum r_2 = CBigNum::randBignum(params->accumulatorModulus/4);
    24. 

  24. 	CBigNum r_3 = CBigNum::randBignum(params->accumulatorModulus/4);
    25. 

  25. 

  26. 	this->C_e = g_n.pow_mod(e, params->accumulatorModulus) * h_n.pow_mod(r_1, params->accumulatorModulus);
    27. 

  27. 	this->C_u = witness.getValue() * h_n.pow_mod(r_2, params->accumulatorModulus);
    28. 

  28. 	this->C_r = g_n.pow_mod(r_2, params->accumulatorModulus) * h_n.pow_mod(r_3, params->accumulatorModulus);
    29. 

  29. 

  30. 	CBigNum r_alpha = CBigNum::randBignum(params->maxCoinValue * CBigNum(2).pow(params->k_prime + params->k_dprime));
    31. 

  31. 	if(!(CBigNum::randBignum(CBigNum(3)) % 2)) {
    32. 

  32. 		r_alpha = 0-r_alpha;
    33. 

  33. 	}
    34. 

  34. 

  35. 	CBigNum r_gamma = CBigNum::randBignum(params->accumulatorPoKCommitmentGroup.modulus);
    36. 

  36. 	CBigNum r_phi = CBigNum::randBignum(params->accumulatorPoKCommitmentGroup.modulus);
    37. 

  37. 	CBigNum r_psi = CBigNum::randBignum(params->accumulatorPoKCommitmentGroup.modulus);
    38. 

  38. 	CBigNum r_sigma = CBigNum::randBignum(params->accumulatorPoKCommitmentGroup.modulus);
    39. 

  39. 	CBigNum r_xi = CBigNum::randBignum(params->accumulatorPoKCommitmentGroup.modulus);
    40. 

  40. 

  41. 	CBigNum r_epsilon =  CBigNum::randBignum((params->accumulatorModulus/4) * CBigNum(2).pow(params->k_prime + params->k_dprime));
    42. 

  42. 	if(!(CBigNum::randBignum(CBigNum(3)) % 2)) {
    43. 

  43. 		r_epsilon = 0-r_epsilon;
    44. 

  44. 	}
    45. 

  45. 	CBigNum r_eta = CBigNum::randBignum((params->accumulatorModulus/4) * CBigNum(2).pow(params->k_prime + params->k_dprime));
    46. 

  46. 	if(!(CBigNum::randBignum(CBigNum(3)) % 2)) {
    47. 

  47. 		r_eta = 0-r_eta;
    48. 

  48. 	}
    49. 

  49. 	CBigNum r_zeta = CBigNum::randBignum((params->accumulatorModulus/4) * CBigNum(2).pow(params->k_prime + params->k_dprime));
    50. 

  50. 	if(!(CBigNum::randBignum(CBigNum(3)) % 2)) {
    51. 

  51. 		r_zeta = 0-r_zeta;
    52. 

  52. 	}
    53. 

  53. 

  54. 	CBigNum r_beta = CBigNum::randBignum((params->accumulatorModulus/4) * params->accumulatorPoKCommitmentGroup.modulus * CBigNum(2).pow(params->k_prime + params->k_dprime));
    55. 

  55. 	if(!(CBigNum::randBignum(CBigNum(3)) % 2)) {
    56. 

  56. 		r_beta = 0-r_beta;
    57. 

  57. 	}
    58. 

  58. 	CBigNum r_delta = CBigNum::randBignum((params->accumulatorModulus/4) * params->accumulatorPoKCommitmentGroup.modulus * CBigNum(2).pow(params->k_prime + params->k_dprime));
    59. 

  59. 	if(!(CBigNum::randBignum(CBigNum(3)) % 2)) {
    60. 

  60. 		r_delta = 0-r_delta;
    61. 

  61. 	}
    62. 

  62. 

  63. 	this->st_1 = (sg.pow_mod(r_alpha, params->accumulatorPoKCommitmentGroup.modulus) * sh.pow_mod(r_phi, params->accumulatorPoKCommitmentGroup.modulus)) % params->accumulatorPoKCommitmentGroup.modulus;
    64. 

  64. 	this->st_2 = (((commitmentToCoin.getCommitmentValue() * sg.inverse(params->accumulatorPoKCommitmentGroup.modulus)).pow_mod(r_gamma, params->accumulatorPoKCommitmentGroup.modulus)) * sh.pow_mod(r_psi, params->accumulatorPoKCommitmentGroup.modulus)) % params->accumulatorPoKCommitmentGroup.modulus;
    65. 

  65. 	this->st_3 = ((sg * commitmentToCoin.getCommitmentValue()).pow_mod(r_sigma, params->accumulatorPoKCommitmentGroup.modulus) * sh.pow_mod(r_xi, params->accumulatorPoKCommitmentGroup.modulus)) % params->accumulatorPoKCommitmentGroup.modulus;
    66. 

  66. 

  67. 	this->t_1 = (h_n.pow_mod(r_zeta, params->accumulatorModulus) * g_n.pow_mod(r_epsilon, params->accumulatorModulus)) % params->accumulatorModulus;
    68. 

  68. 	this->t_2 = (h_n.pow_mod(r_eta, params->accumulatorModulus) * g_n.pow_mod(r_alpha, params->accumulatorModulus)) % params->accumulatorModulus;
    69. 

  69. 	this->t_3 = (C_u.pow_mod(r_alpha, params->accumulatorModulus) * ((h_n.inverse(params->accumulatorModulus)).pow_mod(r_beta, params->accumulatorModulus))) % params->accumulatorModulus;
    70. 

  70. 	this->t_4 = (C_r.pow_mod(r_alpha, params->accumulatorModulus) * ((h_n.inverse(params->accumulatorModulus)).pow_mod(r_delta, params->accumulatorModulus)) * ((g_n.inverse(params->accumulatorModulus)).pow_mod(r_beta, params->accumulatorModulus))) % params->accumulatorModulus;
    71. 

  71. 

  72. 	CHashWriter hasher(0,0);
    73. 

  73. 	hasher << *params << sg << sh << g_n << h_n << commitmentToCoin.getCommitmentValue() << C_e << C_u << C_r << st_1 << st_2 << st_3 << t_1 << t_2 << t_3 << t_4;
    74. 

  74. 

  75. 	//According to the proof, this hash should be of length k_prime bits.  It is currently greater than that, which should not be a problem, but we should check this.
    76. 

  76. 	CBigNum c = CBigNum(hasher.GetHash());
    77. 

  77. 

  78. 	this->s_alpha = r_alpha - c*e;
    79. 

  79. 	this->s_beta = r_beta - c*r_2*e;
    80. 

  80. 	this->s_zeta = r_zeta - c*r_3;
    81. 

  81. 	this->s_sigma = r_sigma - c*((e+1).inverse(params->accumulatorPoKCommitmentGroup.groupOrder));
    82. 

  82. 	this->s_eta = r_eta - c*r_1;
    83. 

  83. 	this->s_epsilon = r_epsilon - c*r_2;
    84. 

  84. 	this->s_delta = r_delta - c*r_3*e;
    85. 

  85. 	this->s_xi = r_xi + c*r*((e+1).inverse(params->accumulatorPoKCommitmentGroup.groupOrder));
    86. 

  86. 	this->s_phi = (r_phi - c*r) % params->accumulatorPoKCommitmentGroup.groupOrder;
    87. 

  87. 	this->s_gamma = r_gamma - c*((e-1).inverse(params->accumulatorPoKCommitmentGroup.groupOrder));
    88. 

  88. 	this->s_psi = r_psi + c*r*((e-1).inverse(params->accumulatorPoKCommitmentGroup.groupOrder));
    89. 

  89. }
    90. 

  90. 

  91. /** Verifies that a commitment c is accumulated in accumulator a
    92. 

  92.  */
    93. 

  93. bool AccumulatorProofOfKnowledge:: Verify(const Accumulator& a, const CBigNum& valueOfCommitmentToCoin) const {
    94. 

  94. 	CBigNum sg = params->accumulatorPoKCommitmentGroup.g;
    95. 

  95. 	CBigNum sh = params->accumulatorPoKCommitmentGroup.h;
    96. 

  96. 

  97. 	CBigNum g_n = params->accumulatorQRNCommitmentGroup.g;
    98. 

  98. 	CBigNum h_n = params->accumulatorQRNCommitmentGroup.h;
    99. 

  99. 

  100. 	//According to the proof, this hash should be of length k_prime bits.  It is currently greater than that, which should not be a problem, but we should check this.
    101. 

  101. 	CHashWriter hasher(0,0);
    102. 

  102. 	hasher << *params << sg << sh << g_n << h_n << valueOfCommitmentToCoin << C_e << C_u << C_r << st_1 << st_2 << st_3 << t_1 << t_2 << t_3 << t_4;
    103. 

  103. 

  104. 	CBigNum c = CBigNum(hasher.GetHash()); //this hash should be of length k_prime bits
    105. 

  105. 

  106. 	CBigNum st_1_prime = (valueOfCommitmentToCoin.pow_mod(c, params->accumulatorPoKCommitmentGroup.modulus) * sg.pow_mod(s_alpha, params->accumulatorPoKCommitmentGroup.modulus) * sh.pow_mod(s_phi, params->accumulatorPoKCommitmentGroup.modulus)) % params->accumulatorPoKCommitmentGroup.modulus;
    107. 

  107. 	CBigNum st_2_prime = (sg.pow_mod(c, params->accumulatorPoKCommitmentGroup.modulus) * ((valueOfCommitmentToCoin * sg.inverse(params->accumulatorPoKCommitmentGroup.modulus)).pow_mod(s_gamma, params->accumulatorPoKCommitmentGroup.modulus)) * sh.pow_mod(s_psi, params->accumulatorPoKCommitmentGroup.modulus)) % params->accumulatorPoKCommitmentGroup.modulus;
    108. 

  108. 	CBigNum st_3_prime = (sg.pow_mod(c, params->accumulatorPoKCommitmentGroup.modulus) * (sg * valueOfCommitmentToCoin).pow_mod(s_sigma, params->accumulatorPoKCommitmentGroup.modulus) * sh.pow_mod(s_xi, params->accumulatorPoKCommitmentGroup.modulus)) % params->accumulatorPoKCommitmentGroup.modulus;
    109. 

  109. 

  110. 	CBigNum t_1_prime = (C_r.pow_mod(c, params->accumulatorModulus) * h_n.pow_mod(s_zeta, params->accumulatorModulus) * g_n.pow_mod(s_epsilon, params->accumulatorModulus)) % params->accumulatorModulus;
    111. 

  111. 	CBigNum t_2_prime = (C_e.pow_mod(c, params->accumulatorModulus) * h_n.pow_mod(s_eta, params->accumulatorModulus) * g_n.pow_mod(s_alpha, params->accumulatorModulus)) % params->accumulatorModulus;
    112. 

  112. 	CBigNum t_3_prime = ((a.getValue()).pow_mod(c, params->accumulatorModulus) * C_u.pow_mod(s_alpha, params->accumulatorModulus) * ((h_n.inverse(params->accumulatorModulus)).pow_mod(s_beta, params->accumulatorModulus))) % params->accumulatorModulus;
    113. 

  113. 	CBigNum t_4_prime = (C_r.pow_mod(s_alpha, params->accumulatorModulus) * ((h_n.inverse(params->accumulatorModulus)).pow_mod(s_delta, params->accumulatorModulus)) * ((g_n.inverse(params->accumulatorModulus)).pow_mod(s_beta, params->accumulatorModulus))) % params->accumulatorModulus;
    114. 

  114. 

  115. 	bool result = false;
    116. 

  116. 

  117. 	bool result_st1 = (st_1 == st_1_prime);
    118. 

  118. 	bool result_st2 = (st_2 == st_2_prime);
    119. 

  119. 	bool result_st3 = (st_3 == st_3_prime);
    120. 

  120. 

  121. 	bool result_t1 = (t_1 == t_1_prime);
    122. 

  122. 	bool result_t2 = (t_2 == t_2_prime);
    123. 

  123. 	bool result_t3 = (t_3 == t_3_prime);
    124. 

  124. 	bool result_t4 = (t_4 == t_4_prime);
    125. 

  125. 

  126. 	bool result_range = ((s_alpha >= -(params->maxCoinValue * CBigNum(2).pow(params->k_prime + params->k_dprime + 1))) && (s_alpha <= (params->maxCoinValue * CBigNum(2).pow(params->k_prime + params->k_dprime + 1))));
    127. 

  127. 

  128. 	result = result_st1 && result_st2 && result_st3 && result_t1 && result_t2 && result_t3 && result_t4 && result_range;
    129. 

  129. 

  130. 	return result;
    131. 

  131. }
    132. 

  132. 

  133. } /* namespace libzerocoin */
    134. 

  134.