bool CommitmentProofOfKnowledge::Verify(const Bignum& A, const Bignum& B) const { // TODO: First verify that the values // S1, S2 and S3 and "challenge" are in the correct ranges if((this->challenge < Bignum(0)) || (this->challenge > (Bignum(2).pow(256) - Bignum(1)))){ return false; } // Compute T1 = g1^S1 * h1^S2 * inverse(A^{challenge}) mod p1 Bignum T1 = A.pow_mod(this->challenge, ap->modulus).inverse(ap->modulus).mul_mod( (ap->g.pow_mod(S1, ap->modulus).mul_mod(ap->h.pow_mod(S2, ap->modulus), ap->modulus)), ap->modulus); // Compute T2 = g2^S1 * h2^S3 * inverse(B^{challenge}) mod p2 Bignum T2 = B.pow_mod(this->challenge, bp->modulus).inverse(bp->modulus).mul_mod( (bp->g.pow_mod(S1, bp->modulus).mul_mod(bp->h.pow_mod(S3, bp->modulus), bp->modulus)), bp->modulus); // Hash T1 and T2 along with all of the public parameters Bignum computedChallenge = calculateChallenge(A, B, T1, T2); // Return success if the computed challenge matches the incoming challenge if(computedChallenge == this->challenge){ return true; } // Otherwise return failure return false; }
// TODO: get parameters from the commitment group CommitmentProofOfKnowledge::CommitmentProofOfKnowledge(const IntegerGroupParams* aParams, const IntegerGroupParams* bParams, const Commitment& a, const Commitment& b): ap(aParams),bp(bParams) { CBigNum r1, r2, r3; // First: make sure that the two commitments have the // same contents. if (a.getContents() != b.getContents()) { throw std::runtime_error("Both commitments must contain the same value"); } // Select three random values "r1, r2, r3" in the range 0 to (2^l)-1 where l is: // length of challenge value + max(modulus 1, modulus 2, order 1, order 2) + margin. // We set "margin" to be a relatively generous security parameter. // // We choose these large values to ensure statistical zero knowledge. uint32_t randomSize = COMMITMENT_EQUALITY_CHALLENGE_SIZE + COMMITMENT_EQUALITY_SECMARGIN + std::max(std::max(this->ap->modulus.bitSize(), this->bp->modulus.bitSize()), std::max(this->ap->groupOrder.bitSize(), this->bp->groupOrder.bitSize())); CBigNum maxRange = (CBigNum(2).pow(randomSize) - CBigNum(1)); r1 = CBigNum::randBignum(maxRange); r2 = CBigNum::randBignum(maxRange); r3 = CBigNum::randBignum(maxRange); // Generate two random, ephemeral commitments "T1, T2" // of the form: // T1 = g1^r1 * h1^r2 mod p1 // T2 = g2^r1 * h2^r3 mod p2 // // Where (g1, h1, p1) are from "aParams" and (g2, h2, p2) are from "bParams". CBigNum T1 = this->ap->g.pow_mod(r1, this->ap->modulus).mul_mod((this->ap->h.pow_mod(r2, this->ap->modulus)), this->ap->modulus); CBigNum T2 = this->bp->g.pow_mod(r1, this->bp->modulus).mul_mod((this->bp->h.pow_mod(r3, this->bp->modulus)), this->bp->modulus); // Now hash commitment "A" with commitment "B" as well as the // parameters and the two ephemeral commitments "T1, T2" we just generated this->challenge = calculateChallenge(a.getCommitmentValue(), b.getCommitmentValue(), T1, T2); // Let "m" be the contents of the commitments "A, B". We have: // A = g1^m * h1^x mod p1 // B = g2^m * h2^y mod p2 // T1 = g1^r1 * h1^r2 mod p1 // T2 = g2^r1 * h2^r3 mod p2 // // Now compute: // S1 = r1 + (m * challenge) -- note, not modular arithmetic // S2 = r2 + (x * challenge) -- note, not modular arithmetic // S3 = r3 + (y * challenge) -- note, not modular arithmetic this->S1 = r1 + (a.getContents() * this->challenge); this->S2 = r2 + (a.getRandomness() * this->challenge); this->S3 = r3 + (b.getRandomness() * this->challenge); // We're done. The proof is S1, S2, S3 and "challenge", all of which // are stored in member variables. }
// TODO: get parameters from the commitment group CommitmentProofOfKnowledge::CommitmentProofOfKnowledge(const IntegerGroupParams* aParams, const IntegerGroupParams* bParams, const Commitment& a, const Commitment& b): ap(aParams),bp(bParams) { Bignum r1; // First: make sure that the two commitments have the // same contents. if(a.getContents() != b.getContents()){ throw std::invalid_argument("Both commitments must contain the same value"); } // In order to ensure statistical zero knowledge, we pick "r1" out of the // largest possible range. In this case, the smaller of the two group orders. if(this->ap->groupOrder < this->bp->groupOrder){ r1 = Bignum::randBignum(ap->groupOrder); }else{ r1 = Bignum::randBignum(bp->groupOrder); } // Generate two random, ephemeral commitments "T1, T2" to "r1" under the two different // sets of commitment parameters. Commitment t1(aParams, r1); Commitment t2(bParams, r1); Bignum T1 = t1.getCommitmentValue(); Bignum T2 = t2.getCommitmentValue(); // Now hash commitment "A" with commitment "B" as well as the // parameters and the two ephemeral commitments "T1, T2" we just generated this->challenge = calculateChallenge(a.getCommitmentValue(), b.getCommitmentValue(), T1, T2); // Let "m" be the contents of the commitments. We'll implicitly define // A = g1^m * h1^x mod p1 // B = g2^m * h2^y mod p2 // T1 = g1^r1 * h1^r2 mod p1 // T2 = g2^r1 * h2^r3 mod p2 // // Now compute: // S1 = r1 + (m * challenge) // S2 = r2 + (x * challenge) // S3 = r3 + (y * challenge) S1 = t1.getContents() + (a.getContents() * challenge); S2 = t1.getRandomness() + (a.getRandomness() * challenge); S3 = t2.getRandomness() + (b.getRandomness() * challenge); // We're done. The proof is S1, S2, S3 and "challenge". }
bool CommitmentProofOfKnowledge::Verify(const CBigNum& A, const CBigNum& B) const { // Compute the maximum range of S1, S2, S3 and verify that the given values are // in a correct range. This might be an unnecessary check. uint32_t maxSize = 64 * (COMMITMENT_EQUALITY_CHALLENGE_SIZE + COMMITMENT_EQUALITY_SECMARGIN + std::max(std::max(this->ap->modulus.bitSize(), this->bp->modulus.bitSize()), std::max(this->ap->groupOrder.bitSize(), this->bp->groupOrder.bitSize()))); if ((uint32_t)this->S1.bitSize() > maxSize || (uint32_t)this->S2.bitSize() > maxSize || (uint32_t)this->S3.bitSize() > maxSize || this->S1 < CBigNum(0) || this->S2 < CBigNum(0) || this->S3 < CBigNum(0) || this->challenge < CBigNum(0) || this->challenge > (CBigNum(2).pow(COMMITMENT_EQUALITY_CHALLENGE_SIZE) - CBigNum(1))) { // Invalid inputs. Reject. return false; } // Compute T1 = g1^S1 * h1^S2 * inverse(A^{challenge}) mod p1 CBigNum T1 = A.pow_mod(this->challenge, ap->modulus).inverse(ap->modulus).mul_mod( (ap->g.pow_mod(S1, ap->modulus).mul_mod(ap->h.pow_mod(S2, ap->modulus), ap->modulus)), ap->modulus); // Compute T2 = g2^S1 * h2^S3 * inverse(B^{challenge}) mod p2 CBigNum T2 = B.pow_mod(this->challenge, bp->modulus).inverse(bp->modulus).mul_mod( (bp->g.pow_mod(S1, bp->modulus).mul_mod(bp->h.pow_mod(S3, bp->modulus), bp->modulus)), bp->modulus); // Hash T1 and T2 along with all of the public parameters CBigNum computedChallenge = calculateChallenge(A, B, T1, T2); // Return success if the computed challenge matches the incoming challenge return computedChallenge == this->challenge; }