From 17a3a9eab205b5e42b195ec32d35dd2e764ee8ea Mon Sep 17 00:00:00 2001 From: arnaucube Date: Sat, 2 Jul 2022 19:12:40 +0200 Subject: [PATCH] Add Inner Product Argument (IPA) implementations Add Inner Product Argument (IPA) implementations: - Bulletproofs version - Halo paper version (modified IPA) --- ipa.sage | 291 +++++++++++++++++++++++++++++++++++++++++++ ipa_test.sage | 161 ++++++++++++++++++++++++ ring-signatures.sage | 2 +- 3 files changed, 453 insertions(+), 1 deletion(-) create mode 100644 ipa.sage create mode 100644 ipa_test.sage diff --git a/ipa.sage b/ipa.sage new file mode 100644 index 0000000..d617317 --- /dev/null +++ b/ipa.sage @@ -0,0 +1,291 @@ +# This file contains two Inner Product Argument implementations: +# - Bulletproofs version: https://eprint.iacr.org/2017/1066.pdf +# - Halo version: https://eprint.iacr.org/2019/1021.pdf + + + +# IPA_bulletproofs implements the IPA version from the Bulletproofs paper: https://eprint.iacr.org/2017/1066.pdf +# https://doc-internal.dalek.rs/bulletproofs/notes/inner_product_proof/index.html +class IPA_bulletproofs(object): + def __init__(self, F, E, g, d): + self.g = g + self.F = F + self.E = E + self.d = d + # TODO: + # Setup: + self.h = E.random_element() # TMP + self.gs = random_values(E, d) + self.hs = random_values(E, d) + + # a: aᵢ ∈ 𝔽 coefficients of p(X) + # r: blinding factor + def commit(self, a, b): + P = inner_product_point(a, self.gs) + inner_product_point(b, self.hs) + return P + + def evaluate(self, a, x_powers): + return inner_product_field(a, x_powers) + + def ipa(self, a_, b_, u, U): + G = self.gs + H = self.hs + a = a_ + b = b_ + + k = int(math.log(self.d, 2)) + L = [None] * k + R = [None] * k + + for j in reversed(range(0, k)): + m = len(a)/2 + a_lo = a[:m] + a_hi = a[m:] + b_lo = b[:m] + b_hi = b[m:] + H_lo = H[:m] + H_hi = H[m:] + G_lo = G[:m] + G_hi = G[m:] + + # Lⱼ = + [lⱼ] H + [] U + L[j] = inner_product_point(a_lo, G_hi) + inner_product_point(b_hi, H_lo) + int(inner_product_field(a_lo, b_hi)) * U + # Rⱼ = + [rⱼ] H + [] U + R[j] = inner_product_point(a_hi, G_lo) + inner_product_point(b_lo, H_hi) + int(inner_product_field(a_hi, b_lo)) * U + + # use the random challenge uⱼ ∈ 𝕀 generated by the verifier + u_ = u[j] # uⱼ + u_inv = u[j]^(-1) # uⱼ⁻¹ + + a = vec_add(vec_scalar_mul_field(a_lo, u_), vec_scalar_mul_field(a_hi, u_inv)) + b = vec_add(vec_scalar_mul_field(b_lo, u_inv), vec_scalar_mul_field(b_hi, u_)) + G = vec_add(vec_scalar_mul_point(G_lo, u_inv), vec_scalar_mul_point(G_hi, u_)) + H = vec_add(vec_scalar_mul_point(H_lo, u_), vec_scalar_mul_point(H_hi, u_inv)) + + assert len(a)==1 + assert len(b)==1 + assert len(G)==1 + assert len(H)==1 + # a, b, G have length=1 + # L, R are the "cross-terms" of the inner product + return a[0], b[0], G[0], H[0], L, R + + def verify(self, P, a, v, x_powers, u, U, L, R, b_ipa, G_ipa, H_ipa): + b = b_ipa + G = G_ipa + H = H_ipa + + # Q_0 = P' ⋅ ∑ ( [uⱼ²] Lⱼ + [uⱼ⁻²] Rⱼ) + C = P + for j in range(len(L)): + u_ = u[j] # uⱼ + u_inv = u[j]^(-1) # uⱼ⁻² + + # ∑ ( [uⱼ²] Lⱼ + [uⱼ⁻²] Rⱼ) + C = C + int(u_^2) * L[j] + int(u_inv^2) * R[j] + + D = int(a) * G + int(b) * H + int(a * b)*U + + return C == D + +# IPA_halo implements the modified IPA from the Halo paper: https://eprint.iacr.org/2019/1021.pdf +class IPA_halo(object): + def __init__(self, F, E, g, d): + self.g = g + self.F = F + self.E = E + self.d = d + + self.h = E.random_element() # TMP + self.gs = random_values(E, d) + self.hs = random_values(E, d) + print(" h=", self.h) + print(" G=", self.gs) + print(" H=", self.hs) + + def commit(self, a, r): + P = inner_product_point(a, self.gs) + r * self.h + return P + + def evaluate(self, a, x_powers): + return inner_product_field(a, x_powers) + + def ipa(self, a_, x_powers, u, U): # prove + print(" method ipa():") + G = self.gs + a = a_ + b = x_powers + + k = int(math.log(self.d, 2)) + l = [None] * k + r = [None] * k + L = [None] * k + R = [None] * k + + for j in reversed(range(0, k)): + print(" j =", j) + print(" len(a) = n =", len(a)) + print(" m = n/2 =", len(a)/2) + m = len(a)/2 + a_lo = a[:m] + a_hi = a[m:] + b_lo = b[:m] + b_hi = b[m:] + G_lo = G[:m] + G_hi = G[m:] + + print(" Split into a_lo,hi b_lo,hi, G_lo,hi:") + print(" a", a) + print(" a_lo", a_lo) + print(" a_hi", a_hi) + print(" b", b) + print(" b_lo", b_lo) + print(" b_hi", b_hi) + print(" G", G) + print(" G_lo", G_lo) + print(" G_hi", G_hi) + + l[j] = self.F.random_element() # random blinding factor + r[j] = self.F.random_element() # random blinding factor + print(" random blinding factors:") + print(" l[j]", l[j]) + print(" r[j]", r[j]) + + # Lⱼ = + [lⱼ] H + [] U + L[j] = inner_product_point(a_lo, G_hi) + int(l[j]) * self.h + int(inner_product_field(a_lo, b_hi)) * U + # Rⱼ = + [rⱼ] H + [] U + R[j] = inner_product_point(a_hi, G_lo) + int(r[j]) * self.h + int(inner_product_field(a_hi, b_lo)) * U + + print(" Compute Lⱼ = + [lⱼ] H + [] U") + print(" L[j]", L[j]) + print(" Compute Rⱼ = + [rⱼ] H + [] U") + print(" R[j]", R[j]) + + # use the random challenge uⱼ ∈ 𝕀 generated by the verifier + u_ = u[j] # uⱼ + u_inv = self.F(u[j])^(-1) # uⱼ⁻¹ + print(" u_j", u_) + print(" u_j^-1", u_inv) + + a = vec_add(vec_scalar_mul_field(a_lo, u_), vec_scalar_mul_field(a_hi, u_inv)) + b = vec_add(vec_scalar_mul_field(b_lo, u_inv), vec_scalar_mul_field(b_hi, u_)) + G = vec_add(vec_scalar_mul_point(G_lo, u_inv), vec_scalar_mul_point(G_hi, u_)) + print(" new a, b, G") + print(" a =", a) + print(" b =", b) + print(" G =", G) + + assert len(a)==1 + assert len(b)==1 + assert len(G)==1 + # a, b, G have length=1 + # l, r are random blinding factors + # L, R are the "cross-terms" of the inner product + return a[0], b[0], G[0], l, r, L, R + + def verify(self, P, a, v, x_powers, r, u, U, lj, rj, L, R, b_ipa, G_ipa): + print("methid verify()") + # b = x_powers + # G = self.gs + b = b_ipa # TODO b_0 & G_0 will be computed by the client + G = G_ipa + + # k = int(math.log(self.d, 2)) + # s = build_s_from_us(u, k) + + # synthetic blinding factor + # r' = r + ∑ ( lⱼ uⱼ² + rⱼ uⱼ⁻²) + print(" synthetic blinding factor r' = r + ∑ ( lⱼ uⱼ² + rⱼ uⱼ⁻²)") + r_ = r + print(" r_ =", r_) + # Q_0 = P' ⋅ ∑ ( [uⱼ²] Lⱼ + [uⱼ⁻²] Rⱼ) + print(" Q_0 = P' ⋅ ∑ ( [uⱼ²] Lⱼ + [uⱼ⁻²] Rⱼ)") + Q_0 = P + print(" Q_0 =", Q_0) + for j in range(len(u)): + print(" j =", j) + u_ = u[j] # uⱼ + u_inv = u[j]^(-1) # uⱼ⁻² + + # ∑ ( [uⱼ²] Lⱼ + [uⱼ⁻²] Rⱼ) + Q_0 = Q_0 + int(u[j]^2) * L[j] + int(u_inv^2) * R[j] + print(" Q_0 =", Q_0) + + r_ = r_ + lj[j] * (u_^2) + rj[j] * (u_inv^2) + print(" r_ =", r_) + + Q_1 = int(a) * G + int(r_) * self.h + int(a * b)*U + print(" Q_1", Q_1) + # Q_1_ = int(a) * (G + int(b)*U) + int(r_) * self.h + + return Q_0 == Q_1 + + +# def build_s_from_us(u, k): +# s = None*k +# for i in range(k): +# e = 1 +# for j in range(k): +# e = e*u[j] +# # s[i] = +# return s + + + + +def powers_of(g, d): + r = [None] * d + for i in range(d): + r[i] = g^i + return r + + +def multiples_of(g, d): + r = [None] * d + for i in range(d): + r[i] = g*i + return r + +def random_values(G, d): + r = [None] * d + for i in range(d): + r[i] = G.random_element() + return r + +def inner_product_field(a, b): + assert len(a) == len(b) + c = 0 + for i in range(len(a)): + c = c + a[i] * b[i] + + return c + +def inner_product_point(a, b): + assert len(a) == len(b) + c = 0 + for i in range(len(a)): + c = c + int(a[i]) * b[i] + + return c + +def vec_add(a, b): + assert len(a) == len(b) + return [x + y for x, y in zip(a, b)] + +def vec_mul(a, b): + assert len(a) == len(b) + return [x * y for x, y in zip(a, b)] + +def vec_scalar_mul_field(a, n): + r = [None]*len(a) + for i in range(len(a)): + r[i] = a[i]*n + return r + +def vec_scalar_mul_point(a, n): + r = [None]*len(a) + for i in range(len(a)): + r[i] = a[i]*int(n) + return r + + diff --git a/ipa_test.sage b/ipa_test.sage new file mode 100644 index 0000000..ac7e081 --- /dev/null +++ b/ipa_test.sage @@ -0,0 +1,161 @@ +import unittest, operator +load("ipa.sage") + +# Halo paper: https://eprint.iacr.org/2019/1021.pdf +# Bulletproofs paper: https://eprint.iacr.org/2017/1066.pdf + +# Ethereum elliptic curve +p = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F +a = 0 +b = 7 +Fp = GF(p) +E = EllipticCurve(Fp, [a,b]) +GX = 0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798 +GY = 0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8 +g = E(GX,GY) +n = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141 +h = 1 +q = g.order() +Fq = GF(q) + +# simplier curve values +# p = 19 +# Fp = GF(p) +# E = EllipticCurve(Fp,[0,3]) +# g = E(1, 2) +# q = g.order() +# Fq = GF(q) + +print(E) +print(Fq) +assert is_prime(p) +assert is_prime(q) +assert g * q == 0 + +class TestUtils(unittest.TestCase): + def test_vecs(self): + a = [1, 2, 3, 4, 5] + b = [1, 2, 3, 4, 5] + + c = vec_scalar_mul_field(a, 10) + assert c == [10, 20, 30, 40, 50] + + c = inner_product_field(a, b) + assert c == 55 + + # check that with b = (1, x, x^2, ..., x^{d-1}) is the same + # than evaluating p(x) with coefficients a_i, at x + a = [Fq(1), Fq(2), Fq(3), Fq(4), Fq(5), Fq(6), Fq(7), Fq(8)] + z = Fq(3) + b = powers_of(z, 8) + c = inner_product_field(a, b) + + x = PolynomialRing(Fq, 'x').gen() + px = 1 + 2*x + 3*x^2 + 4*x^3 + 5*x^4 + 6*x^5 + 7*x^6 + 8*x^7 + assert c == px(x=z) + + +class TestIPA_bulletproofs(unittest.TestCase): + def test_inner_product(self): + d = 8 + ipa = IPA_bulletproofs(Fq, E, g, d) + + # prover + # p(x) = 1 + 2x + 3x² + 4x³ + 5x⁴ + 6x⁵ + 7x⁶ + 8x⁷ + a = [ipa.F(1), ipa.F(2), ipa.F(3), ipa.F(4), ipa.F(5), ipa.F(6), ipa.F(7), ipa.F(8)] + x = ipa.F(3) + b = powers_of(x, ipa.d) # = b + + # prover + P = ipa.commit(a, b) + print("commit", P) + v = ipa.evaluate(a, b) + print("v", v) + + # verifier + # r = int(ipa.F.random_element()) + + # verifier generate random challenges {uᵢ} ∈ 𝕀 and U ∈ 𝔾 + U = ipa.E.random_element() + k = int(math.log(d, 2)) + u = [None] * k + for j in reversed(range(0, k)): + u[j] = ipa.F.random_element() + while (u[j] == 0): # prevent u[j] from being 0 + u[j] = ipa.F.random_element() + + P = P + int(inner_product_field(a, b)) * U + + # prover + a_ipa, b_ipa, G_ipa, H_ipa, L, R = ipa.ipa(a, b, u, U) + + # verifier + print("P", P) + print("a_ipa", a_ipa) + verif = ipa.verify(P, a_ipa, v, b, u, U, L, R, b_ipa, G_ipa, H_ipa) + print("Verification:", verif) + assert verif == True + + +class TestIPA_halo(unittest.TestCase): + def test_homomorphic_property(self): + ipa = IPA_halo(Fq, E, g, 5) + + a = [1, 2, 3, 4, 5] + b = [1, 2, 3, 4, 5] + c = vec_add(a, b) + assert c == [2,4,6,8,10] + + r = int(ipa.F.random_element()) + s = int(ipa.F.random_element()) + vc_a = ipa.commit(a, r) + vc_b = ipa.commit(b, s) + + # com(a, r) + com(b, s) == com(a+b, r+s) + expected_vc_c = ipa.commit(vec_add(a, b), r+s) + vc_c = vc_a + vc_b + assert vc_c == expected_vc_c + + def test_inner_product(self): + d = 8 + ipa = IPA_halo(Fq, E, g, d) + + # prover + # p(x) = 1 + 2x + 3x² + 4x³ + 5x⁴ + 6x⁵ + 7x⁶ + 8x⁷ + a = [ipa.F(1), ipa.F(2), ipa.F(3), ipa.F(4), ipa.F(5), ipa.F(6), ipa.F(7), ipa.F(8)] + x = ipa.F(3) + x_powers = powers_of(x, ipa.d) # = b + + # verifier + r = int(ipa.F.random_element()) + + # prover + P = ipa.commit(a, r) + print("commit", P) + v = ipa.evaluate(a, x_powers) + print("v", v) + + # verifier generate random challenges {uᵢ} ∈ 𝕀 and U ∈ 𝔾 + U = ipa.E.random_element() + k = int(math.log(ipa.d, 2)) + u = [None] * k + for j in reversed(range(0, k)): + u[j] = ipa.F.random_element() + while (u[j] == 0): # prevent u[j] from being 0 + u[j] = ipa.F.random_element() + + P = P + int(v) * U + + # prover + a_ipa, b_ipa, G_ipa, lj, rj, L, R = ipa.ipa(a, x_powers, u, U) + + # verifier + print("P", P) + print("a_ipa", a_ipa) + print("\n Verify:") + verif = ipa.verify(P, a_ipa, v, x_powers, r, u, U, lj, rj, L, R, b_ipa, G_ipa) + assert verif == True + + +if __name__ == '__main__': + unittest.main() diff --git a/ring-signatures.sage b/ring-signatures.sage index b32acbc..7d8c988 100644 --- a/ring-signatures.sage +++ b/ring-signatures.sage @@ -80,7 +80,7 @@ def verify(g, R, m, key_image, sig): assert len(R) == len(r) # check that key_image \in G (EC), by l * key_image == 0 - assert q * key_image == 0 # in sage 0 EC point is interpreted as (0:1:0) + assert q * key_image == 0 # in sage 0 EC point is represented as (0:1:0) # for i \in 1,2,...,n