diff --git a/ipa.sage b/ipa.sage
new file mode 100644
index 0000000..d617317
--- /dev/null
+++ b/ipa.sage
@@ -0,0 +1,291 @@
+# This file contains two Inner Product Argument implementations:
+# - Bulletproofs version: https://eprint.iacr.org/2017/1066.pdf
+# - Halo version: https://eprint.iacr.org/2019/1021.pdf
+
+
+
+# IPA_bulletproofs implements the IPA version from the Bulletproofs paper: https://eprint.iacr.org/2017/1066.pdf
+# https://doc-internal.dalek.rs/bulletproofs/notes/inner_product_proof/index.html
+class IPA_bulletproofs(object):
+ def __init__(self, F, E, g, d):
+ self.g = g
+ self.F = F
+ self.E = E
+ self.d = d
+ # TODO:
+ # Setup:
+ self.h = E.random_element() # TMP
+ self.gs = random_values(E, d)
+ self.hs = random_values(E, d)
+
+ # a: aᵢ ∈ 𝔽 coefficients of p(X)
+ # r: blinding factor
+ def commit(self, a, b):
+ P = inner_product_point(a, self.gs) + inner_product_point(b, self.hs)
+ return P
+
+ def evaluate(self, a, x_powers):
+ return inner_product_field(a, x_powers)
+
+ def ipa(self, a_, b_, u, U):
+ G = self.gs
+ H = self.hs
+ a = a_
+ b = b_
+
+ k = int(math.log(self.d, 2))
+ L = [None] * k
+ R = [None] * k
+
+ for j in reversed(range(0, k)):
+ m = len(a)/2
+ a_lo = a[:m]
+ a_hi = a[m:]
+ b_lo = b[:m]
+ b_hi = b[m:]
+ H_lo = H[:m]
+ H_hi = H[m:]
+ G_lo = G[:m]
+ G_hi = G[m:]
+
+ # Lⱼ = + [lⱼ] H + [] U
+ L[j] = inner_product_point(a_lo, G_hi) + inner_product_point(b_hi, H_lo) + int(inner_product_field(a_lo, b_hi)) * U
+ # Rⱼ = + [rⱼ] H + [] U
+ R[j] = inner_product_point(a_hi, G_lo) + inner_product_point(b_lo, H_hi) + int(inner_product_field(a_hi, b_lo)) * U
+
+ # use the random challenge uⱼ ∈ 𝕀 generated by the verifier
+ u_ = u[j] # uⱼ
+ u_inv = u[j]^(-1) # uⱼ⁻¹
+
+ a = vec_add(vec_scalar_mul_field(a_lo, u_), vec_scalar_mul_field(a_hi, u_inv))
+ b = vec_add(vec_scalar_mul_field(b_lo, u_inv), vec_scalar_mul_field(b_hi, u_))
+ G = vec_add(vec_scalar_mul_point(G_lo, u_inv), vec_scalar_mul_point(G_hi, u_))
+ H = vec_add(vec_scalar_mul_point(H_lo, u_), vec_scalar_mul_point(H_hi, u_inv))
+
+ assert len(a)==1
+ assert len(b)==1
+ assert len(G)==1
+ assert len(H)==1
+ # a, b, G have length=1
+ # L, R are the "cross-terms" of the inner product
+ return a[0], b[0], G[0], H[0], L, R
+
+ def verify(self, P, a, v, x_powers, u, U, L, R, b_ipa, G_ipa, H_ipa):
+ b = b_ipa
+ G = G_ipa
+ H = H_ipa
+
+ # Q_0 = P' ⋅ ∑ ( [uⱼ²] Lⱼ + [uⱼ⁻²] Rⱼ)
+ C = P
+ for j in range(len(L)):
+ u_ = u[j] # uⱼ
+ u_inv = u[j]^(-1) # uⱼ⁻²
+
+ # ∑ ( [uⱼ²] Lⱼ + [uⱼ⁻²] Rⱼ)
+ C = C + int(u_^2) * L[j] + int(u_inv^2) * R[j]
+
+ D = int(a) * G + int(b) * H + int(a * b)*U
+
+ return C == D
+
+# IPA_halo implements the modified IPA from the Halo paper: https://eprint.iacr.org/2019/1021.pdf
+class IPA_halo(object):
+ def __init__(self, F, E, g, d):
+ self.g = g
+ self.F = F
+ self.E = E
+ self.d = d
+
+ self.h = E.random_element() # TMP
+ self.gs = random_values(E, d)
+ self.hs = random_values(E, d)
+ print(" h=", self.h)
+ print(" G=", self.gs)
+ print(" H=", self.hs)
+
+ def commit(self, a, r):
+ P = inner_product_point(a, self.gs) + r * self.h
+ return P
+
+ def evaluate(self, a, x_powers):
+ return inner_product_field(a, x_powers)
+
+ def ipa(self, a_, x_powers, u, U): # prove
+ print(" method ipa():")
+ G = self.gs
+ a = a_
+ b = x_powers
+
+ k = int(math.log(self.d, 2))
+ l = [None] * k
+ r = [None] * k
+ L = [None] * k
+ R = [None] * k
+
+ for j in reversed(range(0, k)):
+ print(" j =", j)
+ print(" len(a) = n =", len(a))
+ print(" m = n/2 =", len(a)/2)
+ m = len(a)/2
+ a_lo = a[:m]
+ a_hi = a[m:]
+ b_lo = b[:m]
+ b_hi = b[m:]
+ G_lo = G[:m]
+ G_hi = G[m:]
+
+ print(" Split into a_lo,hi b_lo,hi, G_lo,hi:")
+ print(" a", a)
+ print(" a_lo", a_lo)
+ print(" a_hi", a_hi)
+ print(" b", b)
+ print(" b_lo", b_lo)
+ print(" b_hi", b_hi)
+ print(" G", G)
+ print(" G_lo", G_lo)
+ print(" G_hi", G_hi)
+
+ l[j] = self.F.random_element() # random blinding factor
+ r[j] = self.F.random_element() # random blinding factor
+ print(" random blinding factors:")
+ print(" l[j]", l[j])
+ print(" r[j]", r[j])
+
+ # Lⱼ = + [lⱼ] H + [] U
+ L[j] = inner_product_point(a_lo, G_hi) + int(l[j]) * self.h + int(inner_product_field(a_lo, b_hi)) * U
+ # Rⱼ = + [rⱼ] H + [] U
+ R[j] = inner_product_point(a_hi, G_lo) + int(r[j]) * self.h + int(inner_product_field(a_hi, b_lo)) * U
+
+ print(" Compute Lⱼ = + [lⱼ] H + [] U")
+ print(" L[j]", L[j])
+ print(" Compute Rⱼ = + [rⱼ] H + [] U")
+ print(" R[j]", R[j])
+
+ # use the random challenge uⱼ ∈ 𝕀 generated by the verifier
+ u_ = u[j] # uⱼ
+ u_inv = self.F(u[j])^(-1) # uⱼ⁻¹
+ print(" u_j", u_)
+ print(" u_j^-1", u_inv)
+
+ a = vec_add(vec_scalar_mul_field(a_lo, u_), vec_scalar_mul_field(a_hi, u_inv))
+ b = vec_add(vec_scalar_mul_field(b_lo, u_inv), vec_scalar_mul_field(b_hi, u_))
+ G = vec_add(vec_scalar_mul_point(G_lo, u_inv), vec_scalar_mul_point(G_hi, u_))
+ print(" new a, b, G")
+ print(" a =", a)
+ print(" b =", b)
+ print(" G =", G)
+
+ assert len(a)==1
+ assert len(b)==1
+ assert len(G)==1
+ # a, b, G have length=1
+ # l, r are random blinding factors
+ # L, R are the "cross-terms" of the inner product
+ return a[0], b[0], G[0], l, r, L, R
+
+ def verify(self, P, a, v, x_powers, r, u, U, lj, rj, L, R, b_ipa, G_ipa):
+ print("methid verify()")
+ # b = x_powers
+ # G = self.gs
+ b = b_ipa # TODO b_0 & G_0 will be computed by the client
+ G = G_ipa
+
+ # k = int(math.log(self.d, 2))
+ # s = build_s_from_us(u, k)
+
+ # synthetic blinding factor
+ # r' = r + ∑ ( lⱼ uⱼ² + rⱼ uⱼ⁻²)
+ print(" synthetic blinding factor r' = r + ∑ ( lⱼ uⱼ² + rⱼ uⱼ⁻²)")
+ r_ = r
+ print(" r_ =", r_)
+ # Q_0 = P' ⋅ ∑ ( [uⱼ²] Lⱼ + [uⱼ⁻²] Rⱼ)
+ print(" Q_0 = P' ⋅ ∑ ( [uⱼ²] Lⱼ + [uⱼ⁻²] Rⱼ)")
+ Q_0 = P
+ print(" Q_0 =", Q_0)
+ for j in range(len(u)):
+ print(" j =", j)
+ u_ = u[j] # uⱼ
+ u_inv = u[j]^(-1) # uⱼ⁻²
+
+ # ∑ ( [uⱼ²] Lⱼ + [uⱼ⁻²] Rⱼ)
+ Q_0 = Q_0 + int(u[j]^2) * L[j] + int(u_inv^2) * R[j]
+ print(" Q_0 =", Q_0)
+
+ r_ = r_ + lj[j] * (u_^2) + rj[j] * (u_inv^2)
+ print(" r_ =", r_)
+
+ Q_1 = int(a) * G + int(r_) * self.h + int(a * b)*U
+ print(" Q_1", Q_1)
+ # Q_1_ = int(a) * (G + int(b)*U) + int(r_) * self.h
+
+ return Q_0 == Q_1
+
+
+# def build_s_from_us(u, k):
+# s = None*k
+# for i in range(k):
+# e = 1
+# for j in range(k):
+# e = e*u[j]
+# # s[i] =
+# return s
+
+
+
+
+def powers_of(g, d):
+ r = [None] * d
+ for i in range(d):
+ r[i] = g^i
+ return r
+
+
+def multiples_of(g, d):
+ r = [None] * d
+ for i in range(d):
+ r[i] = g*i
+ return r
+
+def random_values(G, d):
+ r = [None] * d
+ for i in range(d):
+ r[i] = G.random_element()
+ return r
+
+def inner_product_field(a, b):
+ assert len(a) == len(b)
+ c = 0
+ for i in range(len(a)):
+ c = c + a[i] * b[i]
+
+ return c
+
+def inner_product_point(a, b):
+ assert len(a) == len(b)
+ c = 0
+ for i in range(len(a)):
+ c = c + int(a[i]) * b[i]
+
+ return c
+
+def vec_add(a, b):
+ assert len(a) == len(b)
+ return [x + y for x, y in zip(a, b)]
+
+def vec_mul(a, b):
+ assert len(a) == len(b)
+ return [x * y for x, y in zip(a, b)]
+
+def vec_scalar_mul_field(a, n):
+ r = [None]*len(a)
+ for i in range(len(a)):
+ r[i] = a[i]*n
+ return r
+
+def vec_scalar_mul_point(a, n):
+ r = [None]*len(a)
+ for i in range(len(a)):
+ r[i] = a[i]*int(n)
+ return r
+
+
diff --git a/ipa_test.sage b/ipa_test.sage
new file mode 100644
index 0000000..ac7e081
--- /dev/null
+++ b/ipa_test.sage
@@ -0,0 +1,161 @@
+import unittest, operator
+load("ipa.sage")
+
+# Halo paper: https://eprint.iacr.org/2019/1021.pdf
+# Bulletproofs paper: https://eprint.iacr.org/2017/1066.pdf
+
+# Ethereum elliptic curve
+p = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
+a = 0
+b = 7
+Fp = GF(p)
+E = EllipticCurve(Fp, [a,b])
+GX = 0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798
+GY = 0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8
+g = E(GX,GY)
+n = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
+h = 1
+q = g.order()
+Fq = GF(q)
+
+# simplier curve values
+# p = 19
+# Fp = GF(p)
+# E = EllipticCurve(Fp,[0,3])
+# g = E(1, 2)
+# q = g.order()
+# Fq = GF(q)
+
+print(E)
+print(Fq)
+assert is_prime(p)
+assert is_prime(q)
+assert g * q == 0
+
+class TestUtils(unittest.TestCase):
+ def test_vecs(self):
+ a = [1, 2, 3, 4, 5]
+ b = [1, 2, 3, 4, 5]
+
+ c = vec_scalar_mul_field(a, 10)
+ assert c == [10, 20, 30, 40, 50]
+
+ c = inner_product_field(a, b)
+ assert c == 55
+
+ # check that with b = (1, x, x^2, ..., x^{d-1}) is the same
+ # than evaluating p(x) with coefficients a_i, at x
+ a = [Fq(1), Fq(2), Fq(3), Fq(4), Fq(5), Fq(6), Fq(7), Fq(8)]
+ z = Fq(3)
+ b = powers_of(z, 8)
+ c = inner_product_field(a, b)
+
+ x = PolynomialRing(Fq, 'x').gen()
+ px = 1 + 2*x + 3*x^2 + 4*x^3 + 5*x^4 + 6*x^5 + 7*x^6 + 8*x^7
+ assert c == px(x=z)
+
+
+class TestIPA_bulletproofs(unittest.TestCase):
+ def test_inner_product(self):
+ d = 8
+ ipa = IPA_bulletproofs(Fq, E, g, d)
+
+ # prover
+ # p(x) = 1 + 2x + 3x² + 4x³ + 5x⁴ + 6x⁵ + 7x⁶ + 8x⁷
+ a = [ipa.F(1), ipa.F(2), ipa.F(3), ipa.F(4), ipa.F(5), ipa.F(6), ipa.F(7), ipa.F(8)]
+ x = ipa.F(3)
+ b = powers_of(x, ipa.d) # = b
+
+ # prover
+ P = ipa.commit(a, b)
+ print("commit", P)
+ v = ipa.evaluate(a, b)
+ print("v", v)
+
+ # verifier
+ # r = int(ipa.F.random_element())
+
+ # verifier generate random challenges {uᵢ} ∈ 𝕀 and U ∈ 𝔾
+ U = ipa.E.random_element()
+ k = int(math.log(d, 2))
+ u = [None] * k
+ for j in reversed(range(0, k)):
+ u[j] = ipa.F.random_element()
+ while (u[j] == 0): # prevent u[j] from being 0
+ u[j] = ipa.F.random_element()
+
+ P = P + int(inner_product_field(a, b)) * U
+
+ # prover
+ a_ipa, b_ipa, G_ipa, H_ipa, L, R = ipa.ipa(a, b, u, U)
+
+ # verifier
+ print("P", P)
+ print("a_ipa", a_ipa)
+ verif = ipa.verify(P, a_ipa, v, b, u, U, L, R, b_ipa, G_ipa, H_ipa)
+ print("Verification:", verif)
+ assert verif == True
+
+
+class TestIPA_halo(unittest.TestCase):
+ def test_homomorphic_property(self):
+ ipa = IPA_halo(Fq, E, g, 5)
+
+ a = [1, 2, 3, 4, 5]
+ b = [1, 2, 3, 4, 5]
+ c = vec_add(a, b)
+ assert c == [2,4,6,8,10]
+
+ r = int(ipa.F.random_element())
+ s = int(ipa.F.random_element())
+ vc_a = ipa.commit(a, r)
+ vc_b = ipa.commit(b, s)
+
+ # com(a, r) + com(b, s) == com(a+b, r+s)
+ expected_vc_c = ipa.commit(vec_add(a, b), r+s)
+ vc_c = vc_a + vc_b
+ assert vc_c == expected_vc_c
+
+ def test_inner_product(self):
+ d = 8
+ ipa = IPA_halo(Fq, E, g, d)
+
+ # prover
+ # p(x) = 1 + 2x + 3x² + 4x³ + 5x⁴ + 6x⁵ + 7x⁶ + 8x⁷
+ a = [ipa.F(1), ipa.F(2), ipa.F(3), ipa.F(4), ipa.F(5), ipa.F(6), ipa.F(7), ipa.F(8)]
+ x = ipa.F(3)
+ x_powers = powers_of(x, ipa.d) # = b
+
+ # verifier
+ r = int(ipa.F.random_element())
+
+ # prover
+ P = ipa.commit(a, r)
+ print("commit", P)
+ v = ipa.evaluate(a, x_powers)
+ print("v", v)
+
+ # verifier generate random challenges {uᵢ} ∈ 𝕀 and U ∈ 𝔾
+ U = ipa.E.random_element()
+ k = int(math.log(ipa.d, 2))
+ u = [None] * k
+ for j in reversed(range(0, k)):
+ u[j] = ipa.F.random_element()
+ while (u[j] == 0): # prevent u[j] from being 0
+ u[j] = ipa.F.random_element()
+
+ P = P + int(v) * U
+
+ # prover
+ a_ipa, b_ipa, G_ipa, lj, rj, L, R = ipa.ipa(a, x_powers, u, U)
+
+ # verifier
+ print("P", P)
+ print("a_ipa", a_ipa)
+ print("\n Verify:")
+ verif = ipa.verify(P, a_ipa, v, x_powers, r, u, U, lj, rj, L, R, b_ipa, G_ipa)
+ assert verif == True
+
+
+if __name__ == '__main__':
+ unittest.main()
diff --git a/ring-signatures.sage b/ring-signatures.sage
index b32acbc..7d8c988 100644
--- a/ring-signatures.sage
+++ b/ring-signatures.sage
@@ -80,7 +80,7 @@ def verify(g, R, m, key_image, sig):
assert len(R) == len(r)
# check that key_image \in G (EC), by l * key_image == 0
- assert q * key_image == 0 # in sage 0 EC point is interpreted as (0:1:0)
+ assert q * key_image == 0 # in sage 0 EC point is represented as (0:1:0)
# for i \in 1,2,...,n