arnaucube
/
math
mirror of https://github.com/arnaucube/math.git
1
1
Fork 0
Code Issues Projects Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
53 Commits
2 Branches
0 Tags
23 MiB
Branch: master
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'master'
${ noResults }
math/sigma.sage

344 lines
9.2 KiB
Raw Permalink Normal View History

Add sage impl of Sigma protocol & OR proofs
2 years ago
Add ring signatures sage implementation (bLSAG)
2 years ago
Add sage impl of Sigma protocol & OR proofs
2 years ago
paper-notes: Add modified IPA (from Halo)
1 year ago
Add sage impl of Sigma protocol & OR proofs
2 years ago
paper-notes: Add modified IPA (from Halo)
1 year ago
Add sage impl of Sigma protocol & OR proofs
2 years ago
paper-notes: Add modified IPA (from Halo)
1 year ago
Add sage impl of Sigma protocol & OR proofs
2 years ago
paper-notes: Add modified IPA (from Halo)
1 year ago
Add sage impl of Sigma protocol & OR proofs
2 years ago
paper-notes: Add modified IPA (from Halo)
1 year ago
Add sage impl of Sigma protocol & OR proofs
2 years ago
paper-notes: Add modified IPA (from Halo)
1 year ago
Add sage impl of Sigma protocol & OR proofs
2 years ago
paper-notes: Add modified IPA (from Halo)
1 year ago
Add sage impl of Sigma protocol & OR proofs
2 years ago
paper-notes: Add modified IPA (from Halo)
1 year ago
Add sage impl of Sigma protocol & OR proofs
2 years ago
paper-notes: Add modified IPA (from Halo)
1 year ago
Add sage impl of Sigma protocol & OR proofs
2 years ago
paper-notes: Add modified IPA (from Halo)
1 year ago
Add sage impl of Sigma protocol & OR proofs
2 years ago
Sage impls single-files code&tests
1 year ago
add typos.toml config and fix typos
1 month ago
Sage impls single-files code&tests
1 year ago
  1. from hashlib import sha256
  3. # Implementation of Sigma protocol & OR proofs
  6. def hash_two_points(a, b):
  7. h = sha256((str(a)+str(b)).encode('utf-8'))
  8. return int(h.hexdigest(), 16)
  10. def generic_verify(g, X, A, c, z):
  11. return g * int(z) == X * int(c) + A
  13. ###
  14. # Sigma protocol interactive
  15. ###
  17. class Prover_interactive:
  18. def __init__(self, F, g):
  19. self.F = F # Z_q
  20. self.g = g # elliptic curve generator
  22. def new_key(self):
  23. self.w = self.F.random_element()
  24. X = self.g * int(self.w)
  25. return X
  27. def new_commitment(self):
  28. self.a = self.F.random_element()
  29. A = self.g * int(self.a)
  30. return A
  32. def gen_proof(self, c):
  33. return int(self.a) + int(c) * int(self.w)
  35. class Verifier_interactive:
  36. def __init__(self, F, g):
  37. self.F = F
  38. self.g = g
  40. def new_challenge(self, A):
  41. self.A = A
  42. self.c = self.F.random_element()
  43. return self.c
  45. def verify(self, X, z):
  46. return self.g * int(z) == X * int(self.c) + self.A
  49. ###
  50. # Sigma protocol non-interactive
  51. ###
  52. class Prover:
  53. def __init__(self, F, g):
  54. self.F = F # Z_p
  55. self.g = g # elliptic curve generator
  57. def new_key(self):
  58. self.w = self.F.random_element()
  59. X = self.g * int(self.w)
  60. return X
  62. def gen_proof(self, X):
  63. a = self.F.random_element()
  64. A = self.g * int(a)
  65. c = hash_two_points(A, X)
  66. z = int(a) + c * int(self.w)
  67. return A, z
  70. class Verifier:
  71. def __init__(self, F, g):
  72. self.F = F
  73. self.g = g
  75. def verify(self, X, A, z):
  76. c = hash_two_points(A, X)
  77. return self.g * int(z) == X * c + A
  79. class Simulator:
  80. def __init__(self, F, g):
  81. self.F = F
  82. self.g = g
  84. def simulate(self, X):
  85. c = self.F.random_element()
  86. z = self.F.random_element()
  87. # A = g * int(z) + X*(-int(c))
  88. A = g * int(z) - X * int(c)
  89. return A, c, z
  91. ###
  92. # OR proof (with 2 parties)
  93. ###
  95. class ORProver_2parties:
  96. def __init__(self, F, g):
  97. self.F = F # Z_p
  98. self.g = g # elliptic curve generator
  100. def new_key(self):
  101. self.w = self.F.random_element()
  102. X = self.g * int(self.w)
  103. return X
  105. def gen_commitments(self, xs):
  106. # gen commitment A
  107. self.a = self.F.random_element()
  108. A = self.g * int(self.a)
  110. # run the simulator for 1-b
  111. sim = Simulator(self.F, self.g)
  112. A_1, c_1, z_1 = sim.simulate(xs[1])
  114. self.A_1 = A_1
  115. self.c_1 = c_1
  116. self.z_1 = z_1
  118. return [A, A_1]
  120. def gen_proof(self, s):
  121. # split the challenge s = c xor c_1
  122. c = int(s) ^^ int(self.c_1)
  123. # compute z
  124. z = int(self.a) + int(c) * int(self.w)
  125. # note, here the order of the returned elements is always the same, in
  126. # a real-world implementation would be shuffled
  127. return [c, self.c_1], [z, self.z_1]
  129. class ORVerifier_2parties:
  130. def __init__(self, F, g):
  131. self.F = F
  132. self.g = g
  134. def new_challenge(self, As):
  135. self.As = As
  136. self.s = self.F.random_element()
  137. return self.s
  139. def verify(self, Xs, cs, zs):
  140. assert self.s == int(cs[0]) ^^ int(cs[1])
  141. assert self.g * int(zs[0]) == Xs[0] * int(cs[0]) + self.As[0]
  142. assert self.g * int(zs[1]) == Xs[1] * int(cs[1]) + self.As[1]
  144. ###
  145. # OR proof (with n parties)
  146. ###
  148. class ORProver:
  149. def __init__(self, F, g):
  150. self.F = F # Z_p
  151. self.g = g # elliptic curve generator
  153. def new_key(self):
  154. self.w = self.F.random_element()
  155. X = self.g * int(self.w)
  156. return X
  158. def gen_commitments(self, xs):
  159. # gen commitment A
  160. self.a = self.F.random_element()
  161. A = self.g * int(self.a)
  162. self.As = [A]
  165. # run the simulator for the rest of Xs
  166. sim = Simulator(self.F, self.g)
  167. self.cs = []
  168. self.zs = []
  169. for i in range(1, len(xs)):
  170. A_1, c_1, z_1 = sim.simulate(xs[i])
  171. self.As.append(A_1)
  172. self.cs.append(c_1)
  173. self.zs.append(z_1)
  175. return self.As
  177. def gen_proof(self, s):
  178. # split the challenge s = c xor c_1 xor c_2 xor ... xor c_n
  179. c = int(s)
  180. for i in range(len(self.cs)):
  181. c = c ^^ int(self.cs[i])
  183. self.cs.insert(0, c) # add c at the beginning of cs array
  185. # compute z
  186. z = int(self.a) + int(c) * int(self.w)
  187. self.zs.insert(0, z) # add z at the beginning of zs array
  189. # note, here the order of the returned elements is always the same, in
  190. # a real-world implementation would be shuffled
  191. return self.cs, self.zs
  193. class ORVerifier:
  194. def __init__(self, F, g):
  195. self.F = F
  196. self.g = g
  198. def new_challenge(self, As):
  199. self.As = As
  200. self.s = self.F.random_element()
  201. return self.s
  203. def verify(self, Xs, cs, zs):
  204. # check s == c_0 xor c_1 xor c_2 xor ... xor c_n
  205. computed_s = int(cs[0])
  206. for i in range(1, len(cs)):
  207. computed_s = computed_s ^^ int(cs[i])
  209. assert self.s == computed_s
  211. # check g*z == X*c + A (in multiplicative notation would g^z ==X^c * A)
  212. for i in range(len(Xs)):
  213. assert self.g * int(zs[i]) == Xs[i] * int(cs[i]) + self.As[i]
  217. # Tests
  218. import unittest, operator
  220. # ethereum elliptic curve
  221. p = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
  222. a = 0
  223. b = 7
  224. F = GF(p)
  225. E = EllipticCurve(F, [a,b])
  226. GX = 0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798
  227. GY = 0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8
  228. g = E(GX,GY)
  229. n = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
  230. h = 1
  231. q = g.order()
  232. assert is_prime(p)
  233. assert is_prime(q)
  235. class TestSigmaProtocol(unittest.TestCase):
  236. def test_interactive(self):
  237. alice = Prover_interactive(F, g)
  239. # Alice generates witness w & statement X
  240. X = alice.new_key()
  241. assert X == alice.g * int(alice.w)
  243. # Alice generates the commitment A
  244. A = alice.new_commitment()
  245. assert A == alice.g * int(alice.a)
  247. # Bob generates the challenge (and stores A)
  248. bob = Verifier_interactive(F, g)
  249. c = bob.new_challenge(A)
  251. # Alice generates the proof
  252. z = alice.gen_proof(c)
  254. # Bob verifies the proof
  255. assert bob.verify(X, z)
  257. # check with the generic_verify function
  258. assert generic_verify(g, X, A, c, z)
  260. def test_non_interactive(self):
  261. alice = Prover(F, g)
  263. # Alice generates witness w & statement X
  264. X = alice.new_key()
  265. assert X == alice.g * int(alice.w)
  267. # Alice generates the proof
  268. A, z = alice.gen_proof(X)
  270. # Bob generates the challenge
  271. bob = Verifier(F, g)
  273. # Bob verifies the proof
  274. assert bob.verify(X, A, z)
  276. # check with the generic_verify function
  277. c = hash_two_points(A, X)
  278. assert generic_verify(g, X, A, c, z)
  280. def test_simulator(self):
  281. sim = Simulator(F, g)
  283. # set a public key X, for which we don't know w
  284. unknown_w = 3
  285. X = g * unknown_w
  287. # simulate for X
  288. A, c, z = sim.simulate(X)
  290. # verify the simulated proof
  291. assert generic_verify(g, X, A, c, z)
  293. class TestORProof(unittest.TestCase):
  294. def test_2_parties(self):
  295. # set a public key X, for which we don't know w
  296. unknown_w = 3
  297. X_1 = g * unknown_w
  299. alice = ORProver_2parties(F, g)
  301. # Alice generates key pair
  302. X = alice.new_key()
  303. Xs = [X, X_1]
  304. # Alice generates commitments (internally running the simulator)
  305. As = alice.gen_commitments(Xs)
  307. # Bob generates the challenge (and stores As)
  308. bob = ORVerifier_2parties(F, g)
  309. s = bob.new_challenge(As)
  311. # Alice generates the ORproof
  312. cs, zs = alice.gen_proof(s)
  314. # Bob verifies the proofs
  315. bob.verify(Xs, cs, zs)
  317. def test_n_parties(self):
  318. # set n public keys X, for which we don't know w
  319. Xs = []
  320. for i in range(10):
  321. X_i = g * i
  322. Xs.append(X_i)
  324. alice = ORProver(F, g)
  326. # Alice generates key pair
  327. X = alice.new_key()
  328. Xs.insert(0, X) # add X at the beginning of Xs array
  330. # Alice generates commitments (internally running the simulator)
  331. As = alice.gen_commitments(Xs)
  333. # Bob generates the challenge (and stores As)
  334. bob = ORVerifier(F, g)
  335. s = bob.new_challenge(As)
  337. # Alice generates the ORproof
  338. cs, zs = alice.gen_proof(s)
  340. # Bob verifies the proofs
  341. bob.verify(Xs, cs, zs)
  343. if __name__ == '__main__':
  344. unittest.main()