|
|
# This file contains two Inner Product Argument implementations: # - Bulletproofs version: https://eprint.iacr.org/2017/1066.pdf # - Halo version: https://eprint.iacr.org/2019/1021.pdf
# IPA_bulletproofs implements the IPA version from the Bulletproofs paper: https://eprint.iacr.org/2017/1066.pdf # https://doc-internal.dalek.rs/bulletproofs/notes/inner_product_proof/index.html class IPA_bulletproofs: def __init__(self, F, E, g, d): self.g = g self.F = F self.E = E self.d = d # TODO: # Setup: self.h = E.random_element() # TMP self.gs = random_values(E, d) self.hs = random_values(E, d)
# a: aᵢ ∈ 𝔽 coefficients of p(X) # r: blinding factor def commit(self, a, b): P = inner_product_point(a, self.gs) + inner_product_point(b, self.hs) return P def evaluate(self, a, x_powers): return inner_product_field(a, x_powers)
def ipa(self, a_, b_, u, U): G = self.gs H = self.hs a = a_ b = b_
k = int(math.log(self.d, 2)) L = [None] * k R = [None] * k
for j in reversed(range(0, k)): m = len(a)/2 a_lo = a[:m] a_hi = a[m:] b_lo = b[:m] b_hi = b[m:] H_lo = H[:m] H_hi = H[m:] G_lo = G[:m] G_hi = G[m:]
# Lⱼ = <a'ₗₒ, G'ₕᵢ> + [lⱼ] H + [<a'ₗₒ, b'ₕᵢ>] U L[j] = inner_product_point(a_lo, G_hi) + inner_product_point(b_hi, H_lo) + int(inner_product_field(a_lo, b_hi)) * U # Rⱼ = <a'ₕᵢ, G'ₗₒ> + [rⱼ] H + [<a'ₕᵢ, b'ₗₒ>] U R[j] = inner_product_point(a_hi, G_lo) + inner_product_point(b_lo, H_hi) + int(inner_product_field(a_hi, b_lo)) * U
# use the random challenge uⱼ ∈ 𝕀 generated by the verifier u_ = u[j] # uⱼ u_inv = u[j]^(-1) # uⱼ⁻¹
a = vec_add(vec_scalar_mul_field(a_lo, u_), vec_scalar_mul_field(a_hi, u_inv)) b = vec_add(vec_scalar_mul_field(b_lo, u_inv), vec_scalar_mul_field(b_hi, u_)) G = vec_add(vec_scalar_mul_point(G_lo, u_inv), vec_scalar_mul_point(G_hi, u_)) H = vec_add(vec_scalar_mul_point(H_lo, u_), vec_scalar_mul_point(H_hi, u_inv))
assert len(a)==1 assert len(b)==1 assert len(G)==1 assert len(H)==1 # a, b, G have length=1 # L, R are the "cross-terms" of the inner product return a[0], b[0], G[0], H[0], L, R
def verify(self, P, a, v, x_powers, u, U, L, R, b_ipa, G_ipa, H_ipa): b = b_ipa G = G_ipa H = H_ipa
# Q_0 = P' ⋅ ∑ ( [uⱼ²] Lⱼ + [uⱼ⁻²] Rⱼ) C = P for j in range(len(L)): u_ = u[j] # uⱼ u_inv = u[j]^(-1) # uⱼ⁻²
# ∑ ( [uⱼ²] Lⱼ + [uⱼ⁻²] Rⱼ) C = C + int(u_^2) * L[j] + int(u_inv^2) * R[j]
D = int(a) * G + int(b) * H + int(a * b)*U
return C == D
# IPA_halo implements the modified IPA from the Halo paper: https://eprint.iacr.org/2019/1021.pdf class IPA_halo: def __init__(self, F, E, g, d): self.g = g self.F = F self.E = E self.d = d
self.h = E.random_element() # TMP self.gs = random_values(E, d) self.hs = random_values(E, d) # print(" h=", self.h) # print(" G=", self.gs) # print(" H=", self.hs)
def commit(self, a, r): P = inner_product_point(a, self.gs) + r * self.h return P def evaluate(self, a, x_powers): return inner_product_field(a, x_powers)
def ipa(self, a_, x_powers, u, U): # prove print(" method ipa():") G = self.gs a = a_ b = x_powers
k = int(math.log(self.d, 2)) l = [None] * k r = [None] * k L = [None] * k R = [None] * k
for j in reversed(range(0, k)): print(" j =", j) print(" len(a) = n =", len(a)) print(" m = n/2 =", len(a)/2) m = len(a)/2 a_lo = a[:m] a_hi = a[m:] b_lo = b[:m] b_hi = b[m:] G_lo = G[:m] G_hi = G[m:]
print(" Split into a_lo,hi b_lo,hi, G_lo,hi:") print(" a", a) print(" a_lo", a_lo) print(" a_hi", a_hi) print(" b", b) print(" b_lo", b_lo) print(" b_hi", b_hi) print(" G", G) print(" G_lo", G_lo) print(" G_hi", G_hi)
l[j] = self.F.random_element() # random blinding factor r[j] = self.F.random_element() # random blinding factor print(" random blinding factors:") print(" l[j]", l[j]) print(" r[j]", r[j])
# Lⱼ = <a'ₗₒ, G'ₕᵢ> + [lⱼ] H + [<a'ₗₒ, b'ₕᵢ>] U L[j] = inner_product_point(a_lo, G_hi) + int(l[j]) * self.h + int(inner_product_field(a_lo, b_hi)) * U # Rⱼ = <a'ₕᵢ, G'ₗₒ> + [rⱼ] H + [<a'ₕᵢ, b'ₗₒ>] U R[j] = inner_product_point(a_hi, G_lo) + int(r[j]) * self.h + int(inner_product_field(a_hi, b_lo)) * U
print(" Compute Lⱼ = <a'ₗₒ, G'ₕᵢ> + [lⱼ] H + [<a'ₗₒ, b'ₕᵢ>] U") print(" L[j]", L[j]) print(" Compute Rⱼ = <a'ₕᵢ, G'ₗₒ> + [rⱼ] H + [<a'ₕᵢ, b'ₗₒ>] U") print(" R[j]", R[j])
# use the random challenge uⱼ ∈ 𝕀 generated by the verifier u_ = u[j] # uⱼ u_inv = self.F(u[j])^(-1) # uⱼ⁻¹ print(" u_j", u_) print(" u_j^-1", u_inv)
a = vec_add(vec_scalar_mul_field(a_lo, u_), vec_scalar_mul_field(a_hi, u_inv)) b = vec_add(vec_scalar_mul_field(b_lo, u_inv), vec_scalar_mul_field(b_hi, u_)) G = vec_add(vec_scalar_mul_point(G_lo, u_inv), vec_scalar_mul_point(G_hi, u_)) print(" new a, b, G") print(" a =", a) print(" b =", b) print(" G =", G)
assert len(a)==1 assert len(b)==1 assert len(G)==1 # a, b, G have length=1 # l, r are random blinding factors # L, R are the "cross-terms" of the inner product return a[0], l, r, L, R
def verify(self, P, a, v, x_powers, r, u, U, lj, rj, L, R): print("methid verify()")
# compute P' = P + [v] U P = P + int(v) * U
s = build_s_from_us(u, self.d) b = inner_product_field(s, x_powers) G = inner_product_point(s, self.gs)
# synthetic blinding factor # r' = r + ∑ ( lⱼ uⱼ² + rⱼ uⱼ⁻²) print(" synthetic blinding factor r' = r + ∑ ( lⱼ uⱼ² + rⱼ uⱼ⁻²)") r_ = r print(" r_ =", r_) # Q_0 = P' ⋅ ∑ ( [uⱼ²] Lⱼ + [uⱼ⁻²] Rⱼ) print(" Q_0 = P' ⋅ ∑ ( [uⱼ²] Lⱼ + [uⱼ⁻²] Rⱼ)") Q_0 = P print(" Q_0 =", Q_0) for j in range(len(u)): print(" j =", j) u_ = u[j] # uⱼ u_inv = u[j]^(-1) # uⱼ⁻²
# ∑ ( [uⱼ²] Lⱼ + [uⱼ⁻²] Rⱼ) Q_0 = Q_0 + int(u[j]^2) * L[j] + int(u_inv^2) * R[j] print(" Q_0 =", Q_0)
r_ = r_ + lj[j] * (u_^2) + rj[j] * (u_inv^2) print(" r_ =", r_)
Q_1 = int(a) * G + int(r_) * self.h + int(a * b)*U print(" Q_1", Q_1) # Q_1_ = int(a) * (G + int(b)*U) + int(r_) * self.h
return Q_0 == Q_1
# s = ( # u₁⁻¹ u₂⁻¹ … uₖ⁻¹, # u₁ u₂⁻¹ … uₖ⁻¹, # u₁⁻¹ u₂ … uₖ⁻¹, # u₁ u₂ … uₖ⁻¹, # ⋮ ⋮ ⋮ # u₁ u₂ … uₖ # ) def build_s_from_us(u, d): k = int(math.log(d, 2)) s = [1]*d t = d for j in reversed(range(k)): t = t/2 c = 0 for i in range(d): if c<t: s[i] = s[i] * u[j]^(-1) else: s[i] = s[i] * u[j] c = c+1 if c>=t*2: c=0
return s
def powers_of(g, d): r = [None] * d for i in range(d): r[i] = g^i return r
def multiples_of(g, d): r = [None] * d for i in range(d): r[i] = g*i return r
def random_values(G, d): r = [None] * d for i in range(d): r[i] = G.random_element() return r
def inner_product_field(a, b): assert len(a) == len(b) c = 0 for i in range(len(a)): c = c + a[i] * b[i]
return c
def inner_product_point(a, b): assert len(a) == len(b) c = 0 for i in range(len(a)): c = c + int(a[i]) * b[i]
return c
def vec_add(a, b): assert len(a) == len(b) return [x + y for x, y in zip(a, b)]
def vec_mul(a, b): assert len(a) == len(b) return [x * y for x, y in zip(a, b)]
def vec_scalar_mul_field(a, n): r = [None]*len(a) for i in range(len(a)): r[i] = a[i]*n return r
def vec_scalar_mul_point(a, n): r = [None]*len(a) for i in range(len(a)): r[i] = a[i]*int(n) return r
# Tests import unittest, operator
# Ethereum elliptic curve p = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F a = 0 b = 7 Fp = GF(p) E = EllipticCurve(Fp, [a,b]) GX = 0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798 GY = 0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8 g = E(GX,GY) n = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141 h = 1 q = g.order() Fq = GF(q)
# simplier curve values # p = 19 # Fp = GF(p) # E = EllipticCurve(Fp,[0,3]) # g = E(1, 2) # q = g.order() # Fq = GF(q)
print(E) print(Fq) assert is_prime(p) assert is_prime(q) assert g * q == 0
class TestUtils(unittest.TestCase): def test_vecs(self): a = [1, 2, 3, 4, 5] b = [1, 2, 3, 4, 5]
c = vec_scalar_mul_field(a, 10) assert c == [10, 20, 30, 40, 50]
c = inner_product_field(a, b) assert c == 55
# check that <a, b> with b = (1, x, x^2, ..., x^{d-1}) is the same # than evaluating p(x) with coefficients a_i, at x a = [Fq(1), Fq(2), Fq(3), Fq(4), Fq(5), Fq(6), Fq(7), Fq(8)] z = Fq(3) b = powers_of(z, 8) c = inner_product_field(a, b)
x = PolynomialRing(Fq, 'x').gen() px = 1 + 2*x + 3*x^2 + 4*x^3 + 5*x^4 + 6*x^5 + 7*x^6 + 8*x^7 assert c == px(x=z)
class TestIPA_bulletproofs(unittest.TestCase): def test_inner_product_argument(self): d = 8 ipa = IPA_bulletproofs(Fq, E, g, d)
# prover # p(x) = 1 + 2x + 3x² + 4x³ + 5x⁴ + 6x⁵ + 7x⁶ + 8x⁷ a = [ipa.F(1), ipa.F(2), ipa.F(3), ipa.F(4), ipa.F(5), ipa.F(6), ipa.F(7), ipa.F(8)] x = ipa.F(3) b = powers_of(x, ipa.d) # = b # prover P = ipa.commit(a, b) print("commit", P) v = ipa.evaluate(a, b) print("v", v)
# verifier generate random challenges {uᵢ} ∈ 𝕀 and U ∈ 𝔾 U = ipa.E.random_element() k = int(math.log(d, 2)) u = [None] * k for j in reversed(range(0, k)): u[j] = ipa.F.random_element() while (u[j] == 0): # prevent u[j] from being 0 u[j] = ipa.F.random_element()
P = P + int(inner_product_field(a, b)) * U
# prover a_ipa, b_ipa, G_ipa, H_ipa, L, R = ipa.ipa(a, b, u, U)
# verifier print("P", P) print("a_ipa", a_ipa) verif = ipa.verify(P, a_ipa, v, b, u, U, L, R, b_ipa, G_ipa, H_ipa) print("Verification:", verif) assert verif == True
class TestIPA_halo(unittest.TestCase): def test_homomorphic_property(self): ipa = IPA_halo(Fq, E, g, 5) a = [1, 2, 3, 4, 5] b = [1, 2, 3, 4, 5] c = vec_add(a, b) assert c == [2,4,6,8,10]
r = int(ipa.F.random_element()) s = int(ipa.F.random_element()) vc_a = ipa.commit(a, r) vc_b = ipa.commit(b, s) # com(a, r) + com(b, s) == com(a+b, r+s) expected_vc_c = ipa.commit(vec_add(a, b), r+s) vc_c = vc_a + vc_b assert vc_c == expected_vc_c
def test_inner_product_argument(self): d = 8 ipa = IPA_halo(Fq, E, g, d)
# prover # p(x) = 1 + 2x + 3x² + 4x³ + 5x⁴ + 6x⁵ + 7x⁶ + 8x⁷ a = [ipa.F(1), ipa.F(2), ipa.F(3), ipa.F(4), ipa.F(5), ipa.F(6), ipa.F(7), ipa.F(8)] x = ipa.F(3) x_powers = powers_of(x, ipa.d) # = b # blinding factor r = int(ipa.F.random_element())
# prover P = ipa.commit(a, r) print("commit", P) v = ipa.evaluate(a, x_powers) print("v", v)
# verifier generate random challenges {uᵢ} ∈ 𝕀 and U ∈ 𝔾 # This might be obtained from the hash of the transcript # (Fiat-Shamir heuristic for non-interactive version) U = ipa.E.random_element() k = int(math.log(ipa.d, 2)) u = [None] * k for j in reversed(range(0, k)): u[j] = ipa.F.random_element() while (u[j] == 0): # prevent u[j] from being 0 u[j] = ipa.F.random_element()
# prover a_ipa, lj, rj, L, R = ipa.ipa(a, x_powers, u, U)
# verifier print("P", P) print("a_ipa", a_ipa) print("\n Verify:") verif = ipa.verify(P, a_ipa, v, x_powers, r, u, U, lj, rj, L, R) assert verif == True
if __name__ == '__main__': unittest.main()
|