You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

804 lines
23KB

  1. package main
  2. import "fmt"
  3. import "math"
  4. import "math/big"
  5. //import "crypto/rand"
  6. //import "encoding/hex"
  7. import "github.com/clearmatics/bn256"
  8. //import "golang.org/x/crypto/sha3"
  9. import "github.com/kubernetes/klog"
  10. type Proof struct {
  11. BA *bn256.G1
  12. BS *bn256.G1
  13. A *bn256.G1
  14. B *bn256.G1
  15. CLnG, CRnG, C_0G, DG, y_0G, gG, C_XG, y_XG []*bn256.G1
  16. u *bn256.G1
  17. f *FieldVector
  18. z_A *big.Int
  19. tCommits *GeneratorVector
  20. that *big.Int
  21. mu *big.Int
  22. c *big.Int
  23. s_sk, s_r, s_b, s_tau *big.Int
  24. ip *InnerProduct
  25. }
  26. type IPStatement struct {
  27. PrimeBase *GeneratorParams
  28. P *bn256.G1
  29. }
  30. type IPWitness struct {
  31. L *FieldVector
  32. R *FieldVector
  33. }
  34. func (p *Proof) Size() int {
  35. size := 4*POINT_SIZE + (len(p.CLnG)+len(p.CRnG)+len(p.C_0G)+len(p.DG)+len(p.y_0G)+len(p.gG)+len(p.C_XG)+len(p.y_XG))*POINT_SIZE
  36. size += POINT_SIZE
  37. size += len(p.f.vector) * FIELDELEMENT_SIZE
  38. size += FIELDELEMENT_SIZE
  39. size += len(p.tCommits.vector) * POINT_SIZE
  40. size += 7 * FIELDELEMENT_SIZE
  41. size += p.ip.Size()
  42. return size
  43. }
  44. func (proof *Proof) hashmash1(v *big.Int) *big.Int {
  45. var input []byte
  46. input = append(input, convertbiginttobyte(v)...)
  47. for i := range proof.CLnG {
  48. input = append(input, proof.CLnG[i].Marshal()...)
  49. }
  50. for i := range proof.CRnG {
  51. input = append(input, proof.CRnG[i].Marshal()...)
  52. }
  53. for i := range proof.C_0G {
  54. input = append(input, proof.C_0G[i].Marshal()...)
  55. }
  56. for i := range proof.DG {
  57. input = append(input, proof.DG[i].Marshal()...)
  58. }
  59. for i := range proof.y_0G {
  60. input = append(input, proof.y_0G[i].Marshal()...)
  61. }
  62. for i := range proof.gG {
  63. input = append(input, proof.gG[i].Marshal()...)
  64. }
  65. for i := range proof.C_XG {
  66. input = append(input, proof.C_XG[i].Marshal()...)
  67. }
  68. for i := range proof.y_XG {
  69. input = append(input, proof.y_XG[i].Marshal()...)
  70. }
  71. return reducedhash(input)
  72. }
  73. // function, which takes a string as
  74. // argument and return the reverse of string.
  75. func reverse(s string) string {
  76. rns := []rune(s) // convert to rune
  77. for i, j := 0, len(rns)-1; i < j; i, j = i+1, j-1 {
  78. // swap the letters of the string,
  79. // like first with last and so on.
  80. rns[i], rns[j] = rns[j], rns[i]
  81. }
  82. // return the reversed string.
  83. return string(rns)
  84. }
  85. func GenerateProof(s *Statement, witness *Witness, u *bn256.G1) *Proof {
  86. var proof Proof
  87. proof.u = u
  88. params := NewGeneratorParams(128) // these can be pregenerated similarly as in DERO project
  89. statementhash := s.Hash()
  90. btransfer := new(big.Int).SetInt64(int64(witness.TransferAmount)) // this should be reduced
  91. bdiff := new(big.Int).SetInt64(int64(witness.Balance)) // this should be reduced
  92. number := btransfer.Add(btransfer, bdiff.Lsh(bdiff, 64)) // we are placing balance and left over balance, and doing a range proof of 128 bits
  93. number_string := reverse("0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000" + number.Text(2))
  94. number_string_left_128bits := string(number_string[0:128])
  95. var aLa, aRa []*big.Int // convert the amount to make sure it cannot be negative
  96. klog.V(2).Infof("reverse %s\n", number_string_left_128bits)
  97. for _, b := range []byte(number_string_left_128bits) {
  98. var l, r big.Int
  99. if b == '1' {
  100. l.SetInt64(1)
  101. } else {
  102. r.Mod(new(big.Int).SetInt64(-1), bn256.Order)
  103. }
  104. aLa = append(aLa, &l)
  105. aRa = append(aRa, &r)
  106. }
  107. //klog.V(2).Infof("aRa %+v\n", aRa)
  108. aL := NewFieldVector(aLa)
  109. aR := NewFieldVector(aRa)
  110. alpha := RandomScalar()
  111. klog.V(2).Infof("alpha %s\n", alpha.Text(16))
  112. proof.BA = params.Commit(alpha, aL, aR)
  113. var sLa, sRa []*big.Int
  114. for i := 0; i < len(aLa); i++ {
  115. sLa = append(sLa, RandomScalarFixed())
  116. }
  117. for i := 0; i < len(aRa); i++ {
  118. sRa = append(sRa, RandomScalarFixed())
  119. }
  120. sL := NewFieldVector(sLa)
  121. sR := NewFieldVector(sRa)
  122. rho := RandomScalarFixed()
  123. proof.BS = params.Commit(rho, sL, sR)
  124. klog.V(2).Infof("Proof BA %s\n", proof.BA.String())
  125. klog.V(2).Infof("Proof BS %s\n", proof.BS.String())
  126. if len(s.Publickeylist) >= 1 && len(s.Publickeylist)&(len(s.Publickeylist)-1) != 0 {
  127. panic("we need power of 2")
  128. }
  129. N := len(s.Publickeylist)
  130. m := int(math.Log2(float64(N)))
  131. if math.Pow(2, float64(m)) != float64(N) {
  132. panic("log failed")
  133. }
  134. r_A := RandomScalarFixed()
  135. r_B := RandomScalarFixed()
  136. var aa, ba, bspecial []*big.Int
  137. for i := 0; i < 2*m; i++ {
  138. aa = append(aa, RandomScalarFixed())
  139. }
  140. witness_index := reverse(fmt.Sprintf("%0"+fmt.Sprintf("%db", m)+"%0"+fmt.Sprintf("%db", m), witness.index[1], witness.index[0]))
  141. for _, b := range []byte(witness_index) {
  142. var q, bs big.Int
  143. if b == '1' {
  144. q.SetInt64(1)
  145. bs.Mod(new(big.Int).SetInt64(-1), bn256.Order)
  146. } else {
  147. bs.SetInt64(1)
  148. }
  149. ba = append(ba, &q)
  150. bspecial = append(bspecial, &bs)
  151. }
  152. a := NewFieldVector(aa)
  153. b := NewFieldVector(ba)
  154. klog.V(1).Infof("witness_index of sender/receiver %s\n", witness_index)
  155. c := a.Hadamard(NewFieldVector(bspecial))
  156. d := a.Hadamard(a).Negate()
  157. klog.V(2).Infof("d %s\n", d.vector[0].Text(16))
  158. e := NewFieldVector([]*big.Int{new(big.Int).Mod(new(big.Int).Mul(a.vector[0], a.vector[m]), bn256.Order),
  159. new(big.Int).Mod(new(big.Int).Mul(a.vector[0], a.vector[m]), bn256.Order)})
  160. second := new(big.Int).Set(a.vector[b.vector[m].Uint64()*uint64(m)])
  161. second.Neg(second)
  162. proof.f = NewFieldVector([]*big.Int{a.vector[b.vector[0].Uint64()*uint64(m)], new(big.Int).Mod(second, bn256.Order)})
  163. for i := range proof.f.vector {
  164. klog.V(2).Infof("proof.f %d %s\n", i, proof.f.vector[i].Text(16))
  165. }
  166. proof.A = params.Commit(r_A, a.Concat(d).Concat(e), nil)
  167. proof.B = params.Commit(r_B, b.Concat(c).Concat(proof.f), nil)
  168. klog.V(2).Infof("Proof A %s\n", proof.A.String())
  169. klog.V(2).Infof("Proof B %s\n", proof.B.String())
  170. var v *big.Int
  171. { // hash mash
  172. var input []byte
  173. input = append(input, convertbiginttobyte(statementhash)...)
  174. input = append(input, proof.BA.Marshal()...)
  175. input = append(input, proof.BS.Marshal()...)
  176. input = append(input, proof.A.Marshal()...)
  177. input = append(input, proof.B.Marshal()...)
  178. v = reducedhash(input)
  179. }
  180. var phi, chi, psi, omega FieldVector
  181. for i := 0; i < m; i++ {
  182. phi.vector = append(phi.vector, RandomScalarFixed())
  183. chi.vector = append(chi.vector, RandomScalarFixed())
  184. psi.vector = append(psi.vector, RandomScalarFixed())
  185. omega.vector = append(omega.vector, RandomScalarFixed())
  186. }
  187. var P, Q, Pi, Qi [][]*big.Int
  188. Pi = RecursivePolynomials(Pi, NewPolynomial(nil), a.SliceRaw(0, m), b.SliceRaw(0, m))
  189. Qi = RecursivePolynomials(Qi, NewPolynomial(nil), a.SliceRaw(m, 2*m), b.SliceRaw(m, 2*m))
  190. // transpose the matrices
  191. for i := 0; i < m; i++ {
  192. P = append(P, []*big.Int{})
  193. Q = append(Q, []*big.Int{})
  194. for j := range Pi {
  195. P[i] = append(P[i], Pi[j][i])
  196. Q[i] = append(Q[i], Qi[j][i])
  197. }
  198. }
  199. for i := range P {
  200. for j := range P[i] {
  201. klog.V(2).Infof("P%d,%d %s\n", i, j, P[i][j].Text(16))
  202. }
  203. }
  204. for i := 0; i < m; i++ {
  205. { // CLnG
  206. var rightp, result bn256.G1
  207. leftp := NewGeneratorVector(s.CLn).Commit(P[i])
  208. rightp.ScalarMult(s.Publickeylist[witness.index[0]], phi.vector[i])
  209. result.Add(leftp, &rightp)
  210. proof.CLnG = append(proof.CLnG, &result)
  211. //klog.V(2).Infof("CLnG %d %s\n",i, result.String())
  212. }
  213. { // CRnG
  214. var rightp, result bn256.G1
  215. leftp := NewGeneratorVector(s.CRn).Commit(P[i])
  216. rightp.ScalarMult(params.G, phi.vector[i])
  217. result.Add(leftp, &rightp)
  218. proof.CRnG = append(proof.CRnG, &result)
  219. //klog.V(2).Infof("CRnG %d %s\n",i, result.String())
  220. }
  221. { // C_0G
  222. var rightp, result bn256.G1
  223. leftp := NewGeneratorVector(s.C).Commit(P[i])
  224. rightp.ScalarMult(s.Publickeylist[witness.index[0]], chi.vector[i])
  225. result.Add(leftp, &rightp)
  226. proof.C_0G = append(proof.C_0G, &result)
  227. }
  228. { // DG
  229. var result bn256.G1
  230. result.ScalarMult(params.G, chi.vector[i])
  231. proof.DG = append(proof.DG, &result)
  232. //klog.V(2).Infof("DG %d %s\n",i, result.String())
  233. }
  234. { // y_0G
  235. var rightp, result bn256.G1
  236. leftp := NewGeneratorVector(s.Publickeylist).Commit(P[i])
  237. rightp.ScalarMult(s.Publickeylist[witness.index[0]], psi.vector[i])
  238. result.Add(leftp, &rightp)
  239. proof.y_0G = append(proof.y_0G, &result)
  240. //klog.V(2).Infof("y_0G %d %s\n",i, result.String())
  241. }
  242. { // gG
  243. var result bn256.G1
  244. result.ScalarMult(params.G, psi.vector[i])
  245. proof.gG = append(proof.gG, &result)
  246. //klog.V(2).Infof("gG %d %s\n",i, result.String())
  247. }
  248. { // C_XG
  249. var result bn256.G1
  250. result.ScalarMult(s.D, omega.vector[i])
  251. proof.C_XG = append(proof.C_XG, &result)
  252. //klog.V(2).Infof("C_XG %d %s\n",i, result.String())
  253. }
  254. { // y_XG
  255. var result bn256.G1
  256. result.ScalarMult(params.G, omega.vector[i])
  257. proof.y_XG = append(proof.y_XG, &result)
  258. klog.V(2).Infof("y_XG %d %s\n", i, result.String())
  259. }
  260. }
  261. for i := range proof.CLnG {
  262. klog.V(2).Infof("CLnG %d %s\n", i, proof.CLnG[i].String())
  263. }
  264. for i := range proof.CRnG {
  265. klog.V(2).Infof("CRnG %d %s\n", i, proof.CRnG[i].String())
  266. }
  267. for i := range proof.C_0G {
  268. klog.V(2).Infof("C_0G %d %s\n", i, proof.C_0G[i].String())
  269. }
  270. for i := range proof.DG {
  271. klog.V(2).Infof("DG %d %s\n", i, proof.DG[i].String())
  272. }
  273. for i := range proof.y_0G {
  274. klog.V(2).Infof("y_0G %d %s\n", i, proof.y_0G[i].String())
  275. }
  276. for i := range proof.gG {
  277. klog.V(2).Infof("gG %d %s\n", i, proof.gG[i].String())
  278. }
  279. for i := range proof.C_XG {
  280. klog.V(2).Infof("C_XG %d %s\n", i, proof.C_XG[i].String())
  281. }
  282. for i := range proof.y_XG {
  283. klog.V(2).Infof("y_XG %d %s\n", i, proof.y_XG[i].String())
  284. }
  285. vPow := new(big.Int).SetInt64(1) // doesn't need reduction, since it' alredy reduced
  286. for i := 0; i < N; i++ {
  287. var temp bn256.G1
  288. temp.ScalarMult(params.G, new(big.Int).Mod(new(big.Int).Mul(new(big.Int).SetUint64(uint64(witness.TransferAmount)), vPow), bn256.Order))
  289. var poly [][]*big.Int
  290. if i%2 == 0 {
  291. poly = P
  292. } else {
  293. poly = Q
  294. }
  295. klog.V(2).Infof("\n\n")
  296. for i := range proof.C_XG {
  297. klog.V(2).Infof("C_XG before %d %s\n", i, proof.C_XG[i].String())
  298. }
  299. for j := range proof.C_XG {
  300. var copy1, tmpmul bn256.G1
  301. copy1.Set(proof.C_XG[j])
  302. part1 := new(big.Int).Mod(poly[j][(witness.index[0]+N-(i-i%2))%N], bn256.Order)
  303. part1 = new(big.Int).Mod(new(big.Int).Add(new(big.Int).Mod(part1.Neg(part1), bn256.Order), poly[j][(witness.index[1]+N-(i-i%2))%N]), bn256.Order)
  304. tmpmul.ScalarMult(&temp, part1)
  305. proof.C_XG[j].Add(&copy1, &tmpmul)
  306. }
  307. if i != 0 {
  308. vPow.Mul(vPow, v)
  309. vPow.Mod(vPow, bn256.Order)
  310. }
  311. //klog.V(2).Infof("vPow %d %s\n", i, vPow.Text(16)))
  312. }
  313. klog.V(2).Infof("\n\n")
  314. for i := range proof.C_XG {
  315. klog.V(2).Infof("C_XG after %d %s\n", i, proof.C_XG[i].String())
  316. }
  317. // for i:= range C_XG {
  318. // klog.V(2).Infof("C_XG %d %s\n", i, C_XG[i].String())
  319. //}
  320. // calculate w hashmash
  321. w := proof.hashmash1(v)
  322. {
  323. var input []byte
  324. input = append(input, convertbiginttobyte(v)...)
  325. for i := range proof.CLnG {
  326. input = append(input, proof.CLnG[i].Marshal()...)
  327. }
  328. for i := range proof.CRnG {
  329. input = append(input, proof.CRnG[i].Marshal()...)
  330. }
  331. for i := range proof.C_0G {
  332. input = append(input, proof.C_0G[i].Marshal()...)
  333. }
  334. for i := range proof.DG {
  335. input = append(input, proof.DG[i].Marshal()...)
  336. }
  337. for i := range proof.y_0G {
  338. input = append(input, proof.y_0G[i].Marshal()...)
  339. }
  340. for i := range proof.gG {
  341. input = append(input, proof.gG[i].Marshal()...)
  342. }
  343. for i := range proof.C_XG {
  344. input = append(input, proof.C_XG[i].Marshal()...)
  345. }
  346. for i := range proof.y_XG {
  347. input = append(input, proof.y_XG[i].Marshal()...)
  348. }
  349. klog.V(2).Infof("whash %s %s\n", reducedhash(input).Text(16), w.Text(16))
  350. }
  351. proof.f = b.Times(w).Add(a)
  352. for i := range proof.f.vector {
  353. klog.V(2).Infof("proof.f %d %s\n", i, proof.f.vector[i].Text(16))
  354. }
  355. ttttt := new(big.Int).Mod(new(big.Int).Mul(r_B, w), bn256.Order)
  356. proof.z_A = new(big.Int).Mod(new(big.Int).Add(ttttt, r_A), bn256.Order)
  357. klog.V(2).Infof("proofz_A %s\n", proof.z_A.Text(16))
  358. y := reducedhash(convertbiginttobyte(w))
  359. klog.V(2).Infof("yyyyyyyyyy %s\n", y.Text(16))
  360. ys_raw := []*big.Int{new(big.Int).SetUint64(1)}
  361. for i := 1; i < 128; i++ {
  362. var tt big.Int
  363. tt.Mul(ys_raw[len(ys_raw)-1], y)
  364. tt.Mod(&tt, bn256.Order)
  365. ys_raw = append(ys_raw, &tt)
  366. }
  367. ys := NewFieldVector(ys_raw)
  368. z := reducedhash(convertbiginttobyte(y))
  369. klog.V(2).Infof("zzzzzzzzzz %s %s\n", z.Text(16))
  370. zs := []*big.Int{new(big.Int).Exp(z, new(big.Int).SetUint64(2), bn256.Order), new(big.Int).Exp(z, new(big.Int).SetUint64(3), bn256.Order)}
  371. for i := range zs {
  372. klog.V(2).Infof("zs %d %s\n", i, zs[i].Text(16))
  373. }
  374. twos := []*big.Int{new(big.Int).SetUint64(1)}
  375. for i := 1; i < 64; i++ {
  376. var tt big.Int
  377. tt.Mul(twos[len(twos)-1], new(big.Int).SetUint64(2))
  378. tt.Mod(&tt, bn256.Order)
  379. twos = append(twos, &tt)
  380. }
  381. twoTimesZs := []*big.Int{}
  382. for i := 0; i < 2; i++ {
  383. for j := 0; j < 64; j++ {
  384. var tt big.Int
  385. tt.Mul(zs[i], twos[j])
  386. tt.Mod(&tt, bn256.Order)
  387. twoTimesZs = append(twoTimesZs, &tt)
  388. klog.V(2).Infof("twoTimesZssss ============= %d %s\n", i*32+j, twoTimesZs[i*32+j].Text(16))
  389. }
  390. }
  391. tmp := aL.AddConstant(new(big.Int).Mod(new(big.Int).Neg(z), bn256.Order))
  392. lPoly := NewFieldVectorPolynomial(tmp, sL)
  393. for i := range lPoly.coefficients {
  394. for j := range lPoly.coefficients[i].vector {
  395. //klog.V(2).Infof("tmp %d,%d %s\n", i,j, tmp.vector[j].Text(16))
  396. klog.V(2).Infof("lPoly %d,%d %s\n", i, j, lPoly.coefficients[i].vector[j].Text(16))
  397. }
  398. }
  399. rPoly := NewFieldVectorPolynomial(ys.Hadamard(aR.AddConstant(z)).Add(NewFieldVector(twoTimesZs)), sR.Hadamard(ys))
  400. for i := range rPoly.coefficients {
  401. for j := range rPoly.coefficients[i].vector {
  402. //klog.V(2).Infof("tmp %d,%d %s\n", i,j, tmp.vector[j].Text(16))
  403. klog.V(2).Infof("rPoly %d,%d %s\n", i, j, rPoly.coefficients[i].vector[j].Text(16))
  404. }
  405. }
  406. tPolyCoefficients := lPoly.InnerProduct(rPoly) // just an array of BN Reds... should be length 3
  407. for j := range tPolyCoefficients {
  408. klog.V(2).Infof("tPolyCoefficients %d,%d %s\n", 0, j, tPolyCoefficients[j].Text(16))
  409. }
  410. polyCommitment := NewPolyCommitment(params, tPolyCoefficients)
  411. proof.tCommits = NewGeneratorVector(polyCommitment.GetCommitments())
  412. for j := range proof.tCommits.vector {
  413. klog.V(2).Infof("tCommits %d %s\n", j, proof.tCommits.vector[j].String())
  414. }
  415. x := new(big.Int)
  416. {
  417. var input []byte
  418. input = append(input, convertbiginttobyte(z)...) // tie intermediates/commit
  419. for j := range proof.tCommits.vector {
  420. input = append(input, proof.tCommits.vector[j].Marshal()...)
  421. }
  422. x = reducedhash(input)
  423. }
  424. klog.V(2).Infof("x %s\n", x.Text(16))
  425. evalCommit := polyCommitment.Evaluate(x)
  426. //klog.V(2).Infof("evalCommit.X %s\n", j, evalCommit.X.Text(16))
  427. //klog.V(2).Infof("evalCommit.R %s\n", j, evalCommit.R.Text(16))
  428. proof.that = evalCommit.X
  429. klog.V(2).Infof("evalCommit.that %s\n", proof.that.Text(16))
  430. tauX := evalCommit.R
  431. proof.mu = new(big.Int).Mod(new(big.Int).Mul(rho, x), bn256.Order)
  432. proof.mu.Add(proof.mu, alpha)
  433. proof.mu.Mod(proof.mu, bn256.Order)
  434. klog.V(2).Infof("proof.mu %s\n", proof.mu.Text(16))
  435. var CrnR, y_0R, y_XR, DR, gR bn256.G1
  436. CrnR.ScalarMult(params.G, new(big.Int))
  437. y_0R.ScalarMult(params.G, new(big.Int))
  438. y_XR.ScalarMult(params.G, new(big.Int))
  439. DR.ScalarMult(params.G, new(big.Int))
  440. gR.ScalarMult(params.G, new(big.Int))
  441. var p_, q_ []*big.Int
  442. for i := 0; i < N; i++ {
  443. p_ = append(p_, new(big.Int))
  444. q_ = append(q_, new(big.Int))
  445. }
  446. p := NewFieldVector(p_)
  447. q := NewFieldVector(q_)
  448. wPow := new(big.Int).SetUint64(1) // already reduced
  449. for i := 0; i < m; i++ {
  450. {
  451. tmp := new(bn256.G1)
  452. mm := new(big.Int).Mod(new(big.Int).Neg(phi.vector[i]), bn256.Order)
  453. mm = mm.Mod(new(big.Int).Mul(mm, wPow), bn256.Order)
  454. tmp.ScalarMult(params.G, mm)
  455. CrnR.Add(new(bn256.G1).Set(&CrnR), tmp)
  456. }
  457. {
  458. tmp := new(bn256.G1)
  459. mm := new(big.Int).Mod(new(big.Int).Neg(chi.vector[i]), bn256.Order)
  460. mm = mm.Mod(new(big.Int).Mul(mm, wPow), bn256.Order)
  461. tmp.ScalarMult(params.G, mm)
  462. DR.Add(new(bn256.G1).Set(&DR), tmp)
  463. }
  464. {
  465. tmp := new(bn256.G1)
  466. mm := new(big.Int).Mod(new(big.Int).Neg(psi.vector[i]), bn256.Order)
  467. mm = mm.Mod(new(big.Int).Mul(mm, wPow), bn256.Order)
  468. tmp.ScalarMult(s.Publickeylist[witness.index[0]], mm)
  469. y_0R.Add(new(bn256.G1).Set(&y_0R), tmp)
  470. }
  471. {
  472. tmp := new(bn256.G1)
  473. mm := new(big.Int).Mod(new(big.Int).Neg(psi.vector[i]), bn256.Order)
  474. mm = mm.Mod(new(big.Int).Mul(mm, wPow), bn256.Order)
  475. tmp.ScalarMult(params.G, mm)
  476. gR.Add(new(bn256.G1).Set(&gR), tmp)
  477. }
  478. {
  479. tmp := new(bn256.G1)
  480. tmp.ScalarMult(proof.y_XG[i], new(big.Int).Neg(wPow))
  481. y_XR.Add(new(bn256.G1).Set(&y_XR), tmp)
  482. }
  483. p = p.Add(NewFieldVector(P[i]).Times(wPow))
  484. q = q.Add(NewFieldVector(Q[i]).Times(wPow))
  485. wPow = new(big.Int).Mod(new(big.Int).Mul(wPow, w), bn256.Order)
  486. klog.V(2).Infof("wPow %s\n", wPow.Text(16))
  487. }
  488. CrnR.Add(new(bn256.G1).Set(&CrnR), new(bn256.G1).ScalarMult(s.CRn[witness.index[0]], wPow))
  489. y_0R.Add(new(bn256.G1).Set(&y_0R), new(bn256.G1).ScalarMult(s.Publickeylist[witness.index[0]], wPow))
  490. DR.Add(new(bn256.G1).Set(&DR), new(bn256.G1).ScalarMult(s.D, wPow))
  491. gR.Add(new(bn256.G1).Set(&gR), new(bn256.G1).ScalarMult(params.G, wPow))
  492. var p__, q__ []*big.Int
  493. for i := 0; i < N; i++ {
  494. if i == witness.index[0] {
  495. p__ = append(p__, new(big.Int).Set(wPow))
  496. } else {
  497. p__ = append(p__, new(big.Int))
  498. }
  499. if i == witness.index[1] {
  500. q__ = append(q__, new(big.Int).Set(wPow))
  501. } else {
  502. q__ = append(q__, new(big.Int))
  503. }
  504. }
  505. p = p.Add(NewFieldVector(p__))
  506. q = q.Add(NewFieldVector(q__))
  507. klog.V(2).Infof("CrnR %s\n", CrnR.String())
  508. klog.V(2).Infof("DR %s\n", DR.String())
  509. klog.V(2).Infof("y_0R %s\n", y_0R.String())
  510. klog.V(2).Infof("gR %s\n", gR.String())
  511. klog.V(2).Infof("y_XR %s\n", y_XR.String())
  512. for i := range p.vector {
  513. klog.V(2).Infof("p %d %s \n", i, p.vector[i].Text(16))
  514. }
  515. for i := range q.vector {
  516. klog.V(2).Infof("q %d %s \n", i, q.vector[i].Text(16))
  517. }
  518. y_p := Convolution(p, NewGeneratorVector(s.Publickeylist))
  519. y_q := Convolution(q, NewGeneratorVector(s.Publickeylist))
  520. for i := range y_p.vector {
  521. klog.V(2).Infof("y_p %d %s \n", i, y_p.vector[i].String())
  522. }
  523. for i := range y_q.vector {
  524. klog.V(2).Infof("y_q %d %s \n", i, y_q.vector[i].String())
  525. }
  526. vPow = new(big.Int).SetUint64(1) // already reduced
  527. for i := 0; i < N; i++ {
  528. ypoly := y_p
  529. if i%2 == 1 {
  530. ypoly = y_q
  531. }
  532. y_XR.Add(new(bn256.G1).Set(&y_XR), new(bn256.G1).ScalarMult(ypoly.vector[i/2], vPow))
  533. if i > 0 {
  534. vPow = new(big.Int).Mod(new(big.Int).Mul(vPow, v), bn256.Order)
  535. }
  536. }
  537. klog.V(2).Infof("y_XR %s\n", y_XR.String())
  538. klog.V(2).Infof("vPow %s\n", vPow.Text(16))
  539. klog.V(2).Infof("v %s\n", v.Text(16))
  540. k_sk := RandomScalarFixed()
  541. k_r := RandomScalarFixed()
  542. k_b := RandomScalarFixed()
  543. k_tau := RandomScalarFixed()
  544. A_y := new(bn256.G1).ScalarMult(&gR, k_sk)
  545. A_D := new(bn256.G1).ScalarMult(params.G, k_r)
  546. A_b := new(bn256.G1).ScalarMult(params.G, k_b)
  547. t1 := new(bn256.G1).ScalarMult(&CrnR, zs[1])
  548. d1 := new(bn256.G1).ScalarMult(&DR, new(big.Int).Mod(new(big.Int).Neg(zs[0]), bn256.Order))
  549. d1 = new(bn256.G1).Add(d1, t1)
  550. d1 = new(bn256.G1).ScalarMult(d1, k_sk)
  551. A_b = new(bn256.G1).Add(A_b, d1)
  552. A_X := new(bn256.G1).ScalarMult(&y_XR, k_r)
  553. A_t := new(bn256.G1).ScalarMult(params.G, new(big.Int).Mod(new(big.Int).Neg(k_b), bn256.Order))
  554. A_t = new(bn256.G1).Add(A_t, new(bn256.G1).ScalarMult(params.H, k_tau))
  555. A_u := new(bn256.G1)
  556. {
  557. var input []byte
  558. input = append(input, []byte(PROTOCOL_CONSTANT)...)
  559. input = append(input, convertbiginttobyte(s.roothash)...)
  560. point := HashToPoint(HashtoNumber(input))
  561. A_u = new(bn256.G1).ScalarMult(point, k_sk)
  562. }
  563. klog.V(2).Infof("A_y %s\n", A_y.String())
  564. klog.V(2).Infof("A_D %s\n", A_D.String())
  565. klog.V(2).Infof("A_b %s\n", A_b.String())
  566. klog.V(2).Infof("A_X %s\n", A_X.String())
  567. klog.V(2).Infof("A_t %s\n", A_t.String())
  568. klog.V(2).Infof("A_u %s\n", A_u.String())
  569. {
  570. var input []byte
  571. input = append(input, convertbiginttobyte(x)...)
  572. input = append(input, A_y.Marshal()...)
  573. input = append(input, A_D.Marshal()...)
  574. input = append(input, A_b.Marshal()...)
  575. input = append(input, A_X.Marshal()...)
  576. input = append(input, A_t.Marshal()...)
  577. input = append(input, A_u.Marshal()...)
  578. proof.c = reducedhash(input)
  579. }
  580. proof.s_sk = new(big.Int).Mod(new(big.Int).Mul(proof.c, witness.SecretKey), bn256.Order)
  581. proof.s_sk = new(big.Int).Mod(new(big.Int).Add(proof.s_sk, k_sk), bn256.Order)
  582. proof.s_r = new(big.Int).Mod(new(big.Int).Mul(proof.c, witness.R), bn256.Order)
  583. proof.s_r = new(big.Int).Mod(new(big.Int).Add(proof.s_r, k_r), bn256.Order)
  584. proof_c_neg := new(big.Int).Mod(new(big.Int).Neg(proof.c), bn256.Order)
  585. dummyA_X := new(bn256.G1).ScalarMult(&y_XR, proof.s_r) //, new(bn256.G1).ScalarMult(anonsupport.C_XR, proof_c_neg) )
  586. klog.V(2).Infof("dummyA_X %s\n", dummyA_X.String())
  587. klog.V(2).Infof("s_r %s\n", proof.s_r.Text(16))
  588. // klog.V(2).Infof("C_XR %s\n", anonsupport.C_XR.String())
  589. klog.V(2).Infof("C %s\n", proof.c.Text(16))
  590. klog.V(2).Infof("C_neg %s\n", proof_c_neg.Text(16))
  591. // klog.V(2).Infof("A_X %s\n", sigmasupport.A_X.String())
  592. w_transfer := new(big.Int).Mod(new(big.Int).Mul(new(big.Int).SetUint64(uint64(witness.TransferAmount)), zs[0]), bn256.Order)
  593. w_balance := new(big.Int).Mod(new(big.Int).Mul(new(big.Int).SetUint64(uint64(witness.Balance)), zs[1]), bn256.Order)
  594. w_tmp := new(big.Int).Mod(new(big.Int).Add(w_transfer, w_balance), bn256.Order)
  595. w_tmp = new(big.Int).Mod(new(big.Int).Mul(w_tmp, wPow), bn256.Order)
  596. w_tmp = new(big.Int).Mod(new(big.Int).Mul(w_tmp, proof.c), bn256.Order)
  597. proof.s_b = new(big.Int).Mod(new(big.Int).Add(w_tmp, k_b), bn256.Order)
  598. proof.s_tau = new(big.Int).Mod(new(big.Int).Mul(tauX, wPow), bn256.Order)
  599. proof.s_tau = new(big.Int).Mod(new(big.Int).Mul(proof.s_tau, proof.c), bn256.Order)
  600. proof.s_tau = new(big.Int).Mod(new(big.Int).Add(proof.s_tau, k_tau), bn256.Order)
  601. klog.V(2).Infof("proof.c %s\n", proof.c.Text(16))
  602. klog.V(2).Infof("proof.s_sk %s\n", proof.s_sk.Text(16))
  603. klog.V(2).Infof("proof.s_r %s\n", proof.s_r.Text(16))
  604. klog.V(2).Infof("proof.s_b %s\n", proof.s_b.Text(16))
  605. klog.V(2).Infof("proof.s_tau %s\n", proof.s_tau.Text(16))
  606. hPrimes := params.Hs.Hadamard(ys.Invert().vector)
  607. hExp := ys.Times(z).Add(NewFieldVector(twoTimesZs))
  608. P1 := new(bn256.G1).Add(proof.BA, new(bn256.G1).ScalarMult(proof.BS, x))
  609. z_neg := new(big.Int).Mod(new(big.Int).Neg(z), bn256.Order)
  610. P1 = new(bn256.G1).Add(P1, new(bn256.G1).ScalarMult(params.Gs.Sum(), z_neg))
  611. P1 = new(bn256.G1).Add(P1, hPrimes.Commit(hExp.vector))
  612. P1 = new(bn256.G1).Add(P1, new(bn256.G1).ScalarMult(params.H, new(big.Int).Mod(new(big.Int).Neg(proof.mu), bn256.Order)))
  613. o := reducedhash(convertbiginttobyte(proof.c))
  614. u_x := new(bn256.G1).ScalarMult(params.G, o)
  615. P1 = new(bn256.G1).Add(P1, new(bn256.G1).ScalarMult(u_x, proof.that))
  616. klog.V(2).Infof("o %s\n", o.Text(16))
  617. klog.V(2).Infof("x %s\n", x.Text(16))
  618. klog.V(2).Infof("u_x %s\n", u_x.String())
  619. klog.V(2).Infof("p %s\n", P1.String())
  620. klog.V(2).Infof("hPrimes length %d\n", len(hPrimes.vector))
  621. primebase := NewGeneratorParams3(u_x, params.Gs, hPrimes) // trigger sigma protocol
  622. ipstatement := &IPStatement{PrimeBase: primebase, P: P1}
  623. ipwitness := &IPWitness{L: lPoly.Evaluate(x), R: rPoly.Evaluate(x)}
  624. for i := range ipwitness.L.vector {
  625. klog.V(2).Infof("L %d %s \n", i, ipwitness.L.vector[i].Text(16))
  626. }
  627. for i := range ipwitness.R.vector {
  628. klog.V(2).Infof("R %d %s \n", i, ipwitness.R.vector[i].Text(16))
  629. }
  630. proof.ip = NewInnerProductProof(ipstatement, ipwitness, o)
  631. return &proof
  632. }