proofofshuffleofcommitments.cpp
Go to the documentation of this file.
1 
12 #include "proofofshuffleofcommitments.hpp"
13 
14 
15 
16 using namespace proofs;
17 
18 
19 ProofOfShuffleOfCommitments::ProofOfShuffleOfCommitments(
20  bool &readingWasOK,
21  XmlConfig * config,
22  std::vector<uint8_t> prefix,
23  unsigned int nZero,
24  arithm::ArrayOfElmts pedersen,
25  verifierUtils::ByteTree * commitmentFSproof,
26  verifierUtils::ByteTree * replyFSproof) :
27  Verification(config,prefix,nZero)
28 {
29  readingWasOK = true;
30 
31  u = pedersen;
32  if (u.size() != n0)
33  {
34  std::cout<<"ERROR: in ProofOfShuffleOfCommitments:"
35  <<"u is not of the correct size."
36  <<"u->getSize()="<<u.size()
37  <<"n0="<<n0<<std::endl;
38  readingWasOK = false;;
39  }
40 
41  tau = commitmentFSproof;
42  if ((tau->size()<5) || (!tau->isNode()))
43  {
44  std::cout<<"ERROR: in ProofOfShuffleOfCommitments:"
45  <<"tau is not valid.\ntau="<<std::endl;
46  tau->prettyPrint("");
47  std::cout<<std::endl;
48  readingWasOK = false;
49  }
50 
51  sigma = replyFSproof;
52  if ((sigma->size()<5) || (!sigma->isNode())
53  || (!sigma->getChild(0)->isLeaf())
54  || (!sigma->getChild(1)->isNode()) || (sigma->getChild(1)->size() != n0)
55  || (!sigma->getChild(2)->isLeaf())
56  || (!sigma->getChild(3)->isLeaf())
57  || (!sigma->getChild(4)->isNode()) || (sigma->getChild(4)->size() != n0)
58  )
59  {
60  std::cout<<"ERROR: in ProofOfShuffleOfCommitments:"
61  <<"sigma is not valid.\nsigma="<<std::endl;
62  sigma->prettyPrint("");
63  std::cout<<std::endl;
64  readingWasOK = false;;
65  }
66 }
67 
68 
69 bool ProofOfShuffleOfCommitments::isEverythingOK()
70 {
71  // 1-a Initializing the G_q elements from tau
72  arithm::Elmt
73  Aprime = gq->getElmt(tau->getChild(1)),
74  Cprime = gq->getElmt(tau->getChild(3)),
75  Dprime = gq->getElmt(tau->getChild(4));
76  arithm::ArrayOfElmts
77  B = gq->getArray(tau->getChild(0)),
78  Bprime = gq->getArray(tau->getChild(2));
79 
80 
81  // 1-b Initializing the elements of zq from sigma
82  arithm::Elmt
83  kA = zq->getElmt(sigma->getChild(0)),
84  kC = zq->getElmt(sigma->getChild(2)),
85  kD = zq->getElmt(sigma->getChild(3));
86  arithm::ArrayOfElmts
87  kB = zq->getArray(sigma->getChild(1)),
88  kE = zq->getArray(sigma->getChild(4));
89 
90 
91  // 2- computing a seed
92  std::vector<uint8_t> s;
93  verifierUtils::ByteTree * bts = new verifierUtils::Node();
94  bts->addChild(gq->getGenerator().toByteTree());
95  bts->addChild(h.toByteTree());
96  bts->addChild(u.toByteTree());
97  arithm::ArrayOfElmts e = randomExponents(bts,s);
98 
99 
100  // 3- computing A
101  arithm::Elmt A = gq->expProduct(u,e);
102 
103 
104  // 4- computing a challenge
105  arithm::Elmt v = getChallenge(s);
106 
107 
108  // 5- Compute C and D
109  arithm::Elmt
110  C = gq->multiplication(
111  gq->product(u),
112  gq->multInverse(gq->product(h))
113  ),
114  D = gq->multiplication(
115  B.getElmt(n0-1),
116  gq->multInverse(
117  gq->exponentiation(
118  h.getElmt(0),
119  zq->product(e)))
120  );
121 
122  // First verification (on A and the likes)
123  arithm::Elmt
124  lhs = gq->multiplication(
125  gq->exponentiation(A,v),
126  Aprime
127  ),
128  rhs = gq->multiplication(
129  gq->exponentiation(gq->getGenerator(),kA),
130  gq->expProduct(h,kE)
131  );
132  if (! gq->compare(lhs,rhs) )
133  {
134  std::cout<<"In ProofOfShuffleOfCommitments, $A^vA'$ "
135  <<"does not equal $h_0\\prod_{i=1}^{N_0-1}"
136  <<"h_i^{k_{E,i}}$."<<std::endl;
137  return false;
138  }
139 
140 
141  // Second verification (on B and the likes)
142  for (unsigned int i=0; i<n0; i++)
143  {
144  rhs = gq->multiplication(
145  gq->exponentiation(B.getElmt(i),v),
146  Bprime.getElmt(i)
147  );
148  arithm::Elmt BMinusOne = (i==0) ?
149  h.getElmt(0) : B.getElmt(i-1);
150  lhs = gq->multiplication(
151  gq->exponentiation(
152  gq->getGenerator(),
153  kB.getElmt(i)
154  ),
155  gq->exponentiation(
156  BMinusOne,
157  kE.getElmt(i)
158  )
159  );
160  if (! gq->compare(lhs, rhs) )
161  {
162  std::cout<<"In ProofOfShuffleOfCommitments, $B_"<<i
163  <<"^vB_"<<i<<"'$ does not equal $g^{k_{B,"<<i
164  <<"}}B_{"<<i<<"-1}^"<<"{k_{E,"<<i<<"}}$."
165  <<std::endl;
166  return false;
167  }
168  }
169 
170  // Third verification (on C and the likes)
171  lhs = gq->multiplication(
172  gq->exponentiation(C,v),
173  Cprime
174  );
175  rhs = gq->exponentiation(
176  gq->getGenerator(),
177  kC);
178  if (! gq->compare(lhs, rhs) )
179  {
180  std::cout<<"In ProofOfShuffleOfCommitments, $C^vC'$ "
181  <<"does not equal $g^{k_C}$" <<std::endl;
182  return false;
183  }
184 
185  // Fourth verification (on D and the likes)
186  lhs = gq->multiplication(
187  gq->exponentiation(D,v),
188  Dprime
189  );
190  rhs = gq->exponentiation(
191  gq->getGenerator(),
192  kD);
193  if (! gq->compare(lhs, rhs) )
194  {
195  std::cout<<"In ProofOfShuffleOfCommitments, $D^vD'$ "
196  <<"does not equal $g^{k_D}$" <<std::endl;
197  return false;
198  }
199 
200  // if this point is reached, then the proof is valid
201  return true;
202 }
Generated on Sun Sep 30 2012 15:28:21 for VerificatumVerifier by doxygen 1.8.1.2