diff --git a/kzg.sage b/kzg.sage
new file mode 100644
index 0000000..4496b12
--- /dev/null
+++ b/kzg.sage
@@ -0,0 +1,82 @@
+# toy implementation of BLS signatures in Sage
+#
+# Scheme overview: https://arnaucube.com/blog/kzg-commitments.html
+# Go implementation: https://github.com/arnaucube/kzg-commitments-study
+
+load("bls12-381.sage")
+
+e = Pairing()
+
+def new_ts(l):
+ Fr = GF(e.r)
+ s = Fr.random_element()
+ print("s", s)
+ tauG1 = [None] * l
+ tauG2 = [None] * l
+ for i in range(0, l): # TODO probably duplicate G1 & G2 instead of first powering s^i and then * G_j
+ sPow = Integer(s)^i
+ tauG1[i] = sPow * e.G1
+ tauG2[i] = sPow * e.G2
+
+ return (tauG1, tauG2)
+
+def commit(taus, p):
+ return evaluate_at_tau(p, taus)
+
+# evaluates p at tau
+def evaluate_at_tau(p, taus):
+ e = 0
+ for i in range(0, len(p.list())):
+ e = e + p[i] * taus[i]
+ return e
+
+def evaluation_proof(tau, p, z, y):
+ # (p - y)
+ n = p - y
+ # (t - z)
+ d = (t-z)
+ # q, rem = n / d
+ q = n / d
+ print("q", q)
+ q = q.numerator()
+ den = q.denominator()
+ print("q", q)
+ print("den", den)
+ # check that den = 1
+ assert(den==1) # rem=0
+ # proof: e = [q(t)]₁
+ return evaluate_at_tau(q, tau)
+
+def verify(tau, c, proof, z, y):
+ # [t]₂ - [z]₂
+ sz = tau[1] - z*e.G2
+
+ # c - [y]₁
+ cy = c - y*e.G1
+
+ print("proof", proof)
+ print("sz", sz)
+ print("cy", cy)
+ lhs = e.pair(proof, sz)
+ rhs = e.pair(cy, e.G2)
+ print("lhs", lhs)
+ print("rhs", rhs)
+ return lhs == rhs
+
+
+(tauG1, tauG2) = new_ts(5)
+
+R. = PolynomialRing(e.F1)
+p = t^3 + t + 5
+
+c = commit(tauG1, p)
+
+z = 3
+y = p(z) # = 35
+
+proof = evaluation_proof(tauG1, p, z, y)
+print("proof", proof)
+
+v = verify(tauG2, c, proof, z, y)
+print(v)
+assert(v)
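Review bot: In `evaluation_proof` the divisibility check looks vacuous: `den = q.denominator()` runs after `q = q.numerator()` has already overwritten the quotient, so the assert inspects the numerator rather than `n / d`, and a `y` that is not `p(z)` would presumably still yield a "proof" instead of failing here. Reading the denominator before reassigning `q`, or replacing the division with `q, rem = n.quo_rem(d)` and `assert rem == 0`, would make the check do what the `# rem=0` comment says. `new_ts` also emits the setup secret through `print("s", s)`; the binding property of the commitment rests on nobody knowing `s`, so I would drop that line (or gate it behind an explicit debug flag) even in a toy. The header comment says "BLS signatures" although the file implements KZG commitments; `# toy implementation of KZG commitments in Sage` would match the linked write-up.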