You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

506 lines
18KB

  1. package main
  2. //import "fmt"
  3. import "math"
  4. import "math/big"
  5. //import "crypto/rand"
  6. import "encoding/hex"
  7. import "github.com/clearmatics/bn256"
  8. //import "golang.org/x/crypto/sha3"
  9. import "github.com/kubernetes/klog"
  10. // below 2 structures form bulletproofs and many to many proofs
  11. type AnonSupport struct {
  12. v *big.Int
  13. w *big.Int
  14. vPow *big.Int
  15. wPow *big.Int
  16. f [][2]*big.Int
  17. r [][2]*big.Int
  18. temp *bn256.G1
  19. CLnR *bn256.G1
  20. CRnR *bn256.G1
  21. CR [][2]*bn256.G1
  22. yR [][2]*bn256.G1
  23. C_XR *bn256.G1
  24. y_XR *bn256.G1
  25. gR *bn256.G1
  26. DR *bn256.G1
  27. }
  28. type ProtocolSupport struct {
  29. y *big.Int
  30. ys []*big.Int
  31. z *big.Int
  32. zs []*big.Int // [z^2, z^3] // only max 2
  33. twoTimesZSquared [128]*big.Int
  34. zSum *big.Int
  35. x *big.Int
  36. t *big.Int
  37. k *big.Int
  38. tEval *bn256.G1
  39. }
  40. // sigma protocol
  41. type SigmaSupport struct {
  42. c *big.Int
  43. A_y, A_D, A_b, A_X, A_t, A_u *bn256.G1
  44. }
  45. // support structures are those which
  46. type InnerProductSupport struct {
  47. P bn256.G1
  48. u_x bn256.G1
  49. hPrimes []*bn256.G1
  50. hPrimeSum bn256.G1
  51. o *big.Int
  52. }
  53. func unmarshalpoint(input string) *bn256.G1 {
  54. d, err := hex.DecodeString(input)
  55. if err != nil {
  56. panic(err)
  57. }
  58. if len(d) != 64 {
  59. panic("wrong length")
  60. }
  61. x := new(bn256.G1)
  62. x.Unmarshal(d)
  63. return x
  64. }
  65. // verify proof
  66. // first generate supporting structures
  67. func (proof *Proof) Verify(s *Statement) bool {
  68. var anonsupport AnonSupport
  69. var protsupport ProtocolSupport
  70. var sigmasupport SigmaSupport
  71. gparams := NewGeneratorParams(128) // these can be pregenerated similarly as in DERO project
  72. if len(s.C) != len(s.Publickeylist) {
  73. return false
  74. }
  75. statementhash := s.Hash()
  76. var input []byte
  77. input = append(input, convertbiginttobyte(statementhash)...)
  78. input = append(input, proof.BA.Marshal()...)
  79. input = append(input, proof.BS.Marshal()...)
  80. input = append(input, proof.A.Marshal()...)
  81. input = append(input, proof.B.Marshal()...)
  82. anonsupport.v = reducedhash(input)
  83. anonsupport.w = proof.hashmash1(anonsupport.v)
  84. m := proof.f.Length() / 2
  85. N := int(math.Pow(2, float64(m)))
  86. anonsupport.f = make([][2]*big.Int, 2*m, 2*m)
  87. for i := 0; i < 2*m; i++ {
  88. anonsupport.f[i][0] = new(big.Int).Mod(new(big.Int).Sub(anonsupport.w, proof.f.vector[i]), bn256.Order)
  89. anonsupport.f[i][1] = new(big.Int).Set(proof.f.vector[i])
  90. }
  91. anonsupport.temp = new(bn256.G1)
  92. var zeroes [64]byte
  93. anonsupport.temp.Unmarshal(zeroes[:])
  94. for i := 0; i < 2*m; i++ {
  95. anonsupport.temp = new(bn256.G1).Add(anonsupport.temp, new(bn256.G1).ScalarMult(gparams.Gs.vector[i], anonsupport.f[i][1]))
  96. t := new(big.Int).Mod(new(big.Int).Sub(anonsupport.w, anonsupport.f[i][1]), bn256.Order)
  97. t = new(big.Int).Mod(new(big.Int).Mul(t, anonsupport.f[i][1]), bn256.Order)
  98. anonsupport.temp = new(bn256.G1).Add(anonsupport.temp, new(bn256.G1).ScalarMult(gparams.Gs.vector[2*m+i], t))
  99. }
  100. t0 := new(bn256.G1).ScalarMult(gparams.Gs.vector[0+4*m], new(big.Int).Mod(new(big.Int).Mul(anonsupport.f[0][1], anonsupport.f[m][1]), bn256.Order))
  101. t1 := new(bn256.G1).ScalarMult(gparams.Gs.vector[1+4*m], new(big.Int).Mod(new(big.Int).Mul(anonsupport.f[0][0], anonsupport.f[m][0]), bn256.Order))
  102. anonsupport.temp = new(bn256.G1).Add(anonsupport.temp, t0)
  103. anonsupport.temp = new(bn256.G1).Add(anonsupport.temp, t1)
  104. // check whether we successfuly recover B^w * A
  105. stored := new(bn256.G1).Add(new(bn256.G1).ScalarMult(proof.B, anonsupport.w), proof.A)
  106. computed := new(bn256.G1).Add(anonsupport.temp, new(bn256.G1).ScalarMult(gparams.H, proof.z_A))
  107. for i := range proof.f.vector {
  108. klog.V(2).Infof("proof.f %d %s\n", i, proof.f.vector[i].Text(16))
  109. }
  110. klog.V(2).Infof("anonsupport.w %s\n", anonsupport.w.Text(16))
  111. klog.V(2).Infof("proof.z_A %s\n", proof.z_A.Text(16))
  112. klog.V(2).Infof("proof.B %s\n", proof.B.String())
  113. klog.V(2).Infof("proof.A %s\n", proof.A.String())
  114. klog.V(2).Infof("gparams.H %s\n", gparams.H.String())
  115. klog.V(2).Infof("stored %s\n", stored.String())
  116. klog.V(2).Infof("computed %s\n", computed.String())
  117. if stored.String() != computed.String() { // if failed bail out
  118. klog.Warning("Recover key failed")
  119. return false
  120. }
  121. anonsupport.r = assemblepolynomials(anonsupport.f)
  122. for i := 0; i < len(anonsupport.r); i++ {
  123. klog.V(2).Infof("proof.r %d %s\n", i, anonsupport.r[i][0].Text(16))
  124. }
  125. for i := 0; i < len(anonsupport.r); i++ {
  126. klog.V(2).Infof("proof.q %d %s\n", i, anonsupport.r[i][1].Text(16))
  127. }
  128. anonsupport.CLnR = new(bn256.G1)
  129. anonsupport.CRnR = new(bn256.G1)
  130. anonsupport.CLnR.Unmarshal(zeroes[:])
  131. anonsupport.CRnR.Unmarshal(zeroes[:])
  132. for i := 0; i < N; i++ {
  133. anonsupport.CLnR = new(bn256.G1).Add(anonsupport.CLnR, new(bn256.G1).ScalarMult(s.CLn[i], anonsupport.r[i][0]))
  134. anonsupport.CRnR = new(bn256.G1).Add(anonsupport.CRnR, new(bn256.G1).ScalarMult(s.CRn[i], anonsupport.r[i][0]))
  135. }
  136. klog.V(2).Infof("qCrnR %s\n", anonsupport.CRnR.String())
  137. var p, q []*big.Int
  138. for i := 0; i < len(anonsupport.r); i++ {
  139. p = append(p, anonsupport.r[i][0])
  140. q = append(q, anonsupport.r[i][1])
  141. }
  142. for i := range s.C {
  143. klog.V(2).Infof("S.c %d %s \n", i, s.C[i].String())
  144. }
  145. // share code with proof generator for better testing
  146. C_p := Convolution(NewFieldVector(p), NewGeneratorVector(s.C))
  147. C_q := Convolution(NewFieldVector(q), NewGeneratorVector(s.C))
  148. y_p := Convolution(NewFieldVector(p), NewGeneratorVector(s.Publickeylist))
  149. y_q := Convolution(NewFieldVector(q), NewGeneratorVector(s.Publickeylist))
  150. for i := range s.C {
  151. klog.V(2).Infof("S.c %d %s \n", i, s.C[i].String())
  152. }
  153. for i := range y_p.vector {
  154. klog.V(2).Infof("y_p %d %s \n", i, y_p.vector[i].String())
  155. }
  156. for i := range y_q.vector {
  157. klog.V(2).Infof("y_q %d %s \n", i, y_q.vector[i].String())
  158. }
  159. for i := range C_p.vector { // assemble back
  160. anonsupport.CR = append(anonsupport.CR, [2]*bn256.G1{C_p.vector[i], C_q.vector[i]})
  161. anonsupport.yR = append(anonsupport.yR, [2]*bn256.G1{y_p.vector[i], y_q.vector[i]})
  162. }
  163. anonsupport.vPow = new(big.Int).SetUint64(1)
  164. anonsupport.C_XR = new(bn256.G1)
  165. anonsupport.y_XR = new(bn256.G1)
  166. anonsupport.C_XR.Unmarshal(zeroes[:])
  167. anonsupport.y_XR.Unmarshal(zeroes[:])
  168. for i := 0; i < N; i++ {
  169. anonsupport.C_XR.Add(new(bn256.G1).Set(anonsupport.C_XR), new(bn256.G1).ScalarMult(anonsupport.CR[i/2][i%2], anonsupport.vPow))
  170. anonsupport.y_XR.Add(new(bn256.G1).Set(anonsupport.y_XR), new(bn256.G1).ScalarMult(anonsupport.yR[i/2][i%2], anonsupport.vPow))
  171. if i > 0 {
  172. anonsupport.vPow = new(big.Int).Mod(new(big.Int).Mul(anonsupport.vPow, anonsupport.v), bn256.Order)
  173. klog.V(2).Infof("vPow %s\n", anonsupport.vPow.Text(16))
  174. }
  175. }
  176. klog.V(2).Infof("vPow %s\n", anonsupport.vPow.Text(16))
  177. klog.V(2).Infof("v %s\n", anonsupport.v.Text(16))
  178. anonsupport.wPow = new(big.Int).SetUint64(1)
  179. anonsupport.gR = new(bn256.G1)
  180. anonsupport.gR.Unmarshal(zeroes[:])
  181. anonsupport.DR = new(bn256.G1)
  182. anonsupport.DR.Unmarshal(zeroes[:])
  183. for i := 0; i < m; i++ {
  184. wPow_neg := new(big.Int).Mod(new(big.Int).Neg(anonsupport.wPow), bn256.Order)
  185. anonsupport.CLnR.Add(new(bn256.G1).Set(anonsupport.CLnR), new(bn256.G1).ScalarMult(proof.CLnG[i], wPow_neg))
  186. anonsupport.CRnR.Add(new(bn256.G1).Set(anonsupport.CRnR), new(bn256.G1).ScalarMult(proof.CRnG[i], wPow_neg))
  187. anonsupport.CR[0][0].Add(new(bn256.G1).Set(anonsupport.CR[0][0]), new(bn256.G1).ScalarMult(proof.C_0G[i], wPow_neg))
  188. anonsupport.DR.Add(new(bn256.G1).Set(anonsupport.DR), new(bn256.G1).ScalarMult(proof.DG[i], wPow_neg))
  189. anonsupport.yR[0][0].Add(new(bn256.G1).Set(anonsupport.yR[0][0]), new(bn256.G1).ScalarMult(proof.y_0G[i], wPow_neg))
  190. anonsupport.gR.Add(new(bn256.G1).Set(anonsupport.gR), new(bn256.G1).ScalarMult(proof.gG[i], wPow_neg))
  191. anonsupport.C_XR.Add(new(bn256.G1).Set(anonsupport.C_XR), new(bn256.G1).ScalarMult(proof.C_XG[i], wPow_neg))
  192. anonsupport.y_XR.Add(new(bn256.G1).Set(anonsupport.y_XR), new(bn256.G1).ScalarMult(proof.y_XG[i], wPow_neg))
  193. anonsupport.wPow = new(big.Int).Mod(new(big.Int).Mul(anonsupport.wPow, anonsupport.w), bn256.Order)
  194. }
  195. klog.V(2).Infof("qCrnR %s\n", anonsupport.CRnR.String())
  196. anonsupport.DR.Add(new(bn256.G1).Set(anonsupport.DR), new(bn256.G1).ScalarMult(s.D, anonsupport.wPow))
  197. anonsupport.gR.Add(new(bn256.G1).Set(anonsupport.gR), new(bn256.G1).ScalarMult(gparams.G, anonsupport.wPow))
  198. // at this point, these parameters are comparable with proof generator
  199. klog.V(2).Infof("CLnR %s\n", anonsupport.CLnR.String())
  200. klog.V(2).Infof("qCrnR %s\n", anonsupport.CRnR.String())
  201. klog.V(2).Infof("DR %s\n", anonsupport.DR.String())
  202. klog.V(2).Infof("gR %s\n", anonsupport.gR.String())
  203. klog.V(2).Infof("C_XR %s\n", anonsupport.C_XR.String())
  204. klog.V(2).Infof("y_XR %s\n", anonsupport.y_XR.String())
  205. protsupport.y = reducedhash(convertbiginttobyte(anonsupport.w))
  206. protsupport.ys = append(protsupport.ys, new(big.Int).SetUint64(1))
  207. protsupport.k = new(big.Int).SetUint64(1)
  208. for i := 1; i < 128; i++ {
  209. protsupport.ys = append(protsupport.ys, new(big.Int).Mod(new(big.Int).Mul(protsupport.ys[i-1], protsupport.y), bn256.Order))
  210. protsupport.k = new(big.Int).Mod(new(big.Int).Add(protsupport.k, protsupport.ys[i]), bn256.Order)
  211. }
  212. protsupport.z = reducedhash(convertbiginttobyte(protsupport.y))
  213. protsupport.zs = []*big.Int{new(big.Int).Exp(protsupport.z, new(big.Int).SetUint64(2), bn256.Order), new(big.Int).Exp(protsupport.z, new(big.Int).SetUint64(3), bn256.Order)}
  214. protsupport.zSum = new(big.Int).Mod(new(big.Int).Add(protsupport.zs[0], protsupport.zs[1]), bn256.Order)
  215. protsupport.zSum = new(big.Int).Mod(new(big.Int).Mul(new(big.Int).Set(protsupport.zSum), protsupport.z), bn256.Order)
  216. klog.V(2).Infof("zsum %s\n ", protsupport.zSum.Text(16))
  217. z_z0 := new(big.Int).Mod(new(big.Int).Sub(protsupport.z, protsupport.zs[0]), bn256.Order)
  218. protsupport.k = new(big.Int).Mod(new(big.Int).Mul(protsupport.k, z_z0), bn256.Order)
  219. proof_2_64, _ := new(big.Int).SetString("18446744073709551616", 10)
  220. zsum_pow := new(big.Int).Mod(new(big.Int).Mul(protsupport.zSum, proof_2_64), bn256.Order)
  221. zsum_pow = new(big.Int).Mod(new(big.Int).Sub(zsum_pow, protsupport.zSum), bn256.Order)
  222. protsupport.k = new(big.Int).Mod(new(big.Int).Sub(protsupport.k, zsum_pow), bn256.Order)
  223. protsupport.t = new(big.Int).Mod(new(big.Int).Sub(proof.that, protsupport.k), bn256.Order) // t = tHat - delta(y, z)
  224. klog.V(2).Infof("that %s\n ", proof.that.Text(16))
  225. klog.V(2).Infof("zk %s\n ", protsupport.k.Text(16))
  226. for i := 0; i < 64; i++ {
  227. protsupport.twoTimesZSquared[i] = new(big.Int).Mod(new(big.Int).Mul(protsupport.zs[0], new(big.Int).SetUint64(uint64(math.Pow(2, float64(i))))), bn256.Order)
  228. protsupport.twoTimesZSquared[64+i] = new(big.Int).Mod(new(big.Int).Mul(protsupport.zs[1], new(big.Int).SetUint64(uint64(math.Pow(2, float64(i))))), bn256.Order)
  229. }
  230. for i := 0; i < 128; i++ {
  231. klog.V(2).Infof("zsq %d %s\n ", i, protsupport.twoTimesZSquared[i].Text(16))
  232. }
  233. x := new(big.Int)
  234. {
  235. var input []byte
  236. input = append(input, convertbiginttobyte(protsupport.z)...) // tie intermediates/commit
  237. for j := range proof.tCommits.vector {
  238. input = append(input, proof.tCommits.vector[j].Marshal()...)
  239. }
  240. x = reducedhash(input)
  241. }
  242. xsq := new(big.Int).Mod(new(big.Int).Mul(x, x), bn256.Order)
  243. protsupport.tEval = new(bn256.G1).ScalarMult(proof.tCommits.vector[0], x)
  244. protsupport.tEval.Add(new(bn256.G1).Set(protsupport.tEval), new(bn256.G1).ScalarMult(proof.tCommits.vector[1], xsq))
  245. klog.V(2).Infof("protsupport.tEval %s\n", protsupport.tEval.String())
  246. proof_c_neg := new(big.Int).Mod(new(big.Int).Neg(proof.c), bn256.Order)
  247. sigmasupport.A_y = new(bn256.G1).Add(new(bn256.G1).ScalarMult(anonsupport.gR, proof.s_sk), new(bn256.G1).ScalarMult(anonsupport.yR[0][0], proof_c_neg))
  248. sigmasupport.A_D = new(bn256.G1).Add(new(bn256.G1).ScalarMult(gparams.G, proof.s_r), new(bn256.G1).ScalarMult(s.D, proof_c_neg))
  249. zs0_neg := new(big.Int).Mod(new(big.Int).Neg(protsupport.zs[0]), bn256.Order)
  250. left := new(bn256.G1).ScalarMult(anonsupport.DR, zs0_neg)
  251. left.Add(new(bn256.G1).Set(left), new(bn256.G1).ScalarMult(anonsupport.CRnR, protsupport.zs[1]))
  252. left = new(bn256.G1).ScalarMult(new(bn256.G1).Set(left), proof.s_sk)
  253. right := new(bn256.G1).ScalarMult(anonsupport.CR[0][0], zs0_neg)
  254. right.Add(new(bn256.G1).Set(right), new(bn256.G1).ScalarMult(anonsupport.CLnR, protsupport.zs[1]))
  255. right = new(bn256.G1).ScalarMult(new(bn256.G1).Set(right), proof_c_neg)
  256. sigmasupport.A_b = new(bn256.G1).ScalarMult(gparams.G, proof.s_b)
  257. temp := new(bn256.G1).Add(left, right)
  258. sigmasupport.A_b.Add(new(bn256.G1).Set(sigmasupport.A_b), temp)
  259. sigmasupport.A_X = new(bn256.G1).Add(new(bn256.G1).ScalarMult(anonsupport.y_XR, proof.s_r), new(bn256.G1).ScalarMult(anonsupport.C_XR, proof_c_neg))
  260. proof_s_b_neg := new(big.Int).Mod(new(big.Int).Neg(proof.s_b), bn256.Order)
  261. sigmasupport.A_t = new(bn256.G1).ScalarMult(gparams.G, protsupport.t)
  262. sigmasupport.A_t.Add(new(bn256.G1).Set(sigmasupport.A_t), new(bn256.G1).Neg(protsupport.tEval))
  263. sigmasupport.A_t = new(bn256.G1).ScalarMult(sigmasupport.A_t, new(big.Int).Mod(new(big.Int).Mul(proof.c, anonsupport.wPow), bn256.Order))
  264. sigmasupport.A_t.Add(new(bn256.G1).Set(sigmasupport.A_t), new(bn256.G1).ScalarMult(gparams.H, proof.s_tau))
  265. sigmasupport.A_t.Add(new(bn256.G1).Set(sigmasupport.A_t), new(bn256.G1).ScalarMult(gparams.G, proof_s_b_neg))
  266. klog.V(2).Infof("t %s\n ", protsupport.t.Text(16))
  267. klog.V(2).Infof("protsupport.tEval %s\n", protsupport.tEval.String())
  268. {
  269. var input []byte
  270. input = append(input, []byte(PROTOCOL_CONSTANT)...)
  271. input = append(input, convertbiginttobyte(s.roothash)...)
  272. point := HashToPoint(HashtoNumber(input))
  273. sigmasupport.A_u = new(bn256.G1).ScalarMult(point, proof.s_sk)
  274. sigmasupport.A_u.Add(new(bn256.G1).Set(sigmasupport.A_u), new(bn256.G1).ScalarMult(proof.u, proof_c_neg))
  275. }
  276. klog.V(2).Infof("A_y %s\n", sigmasupport.A_y.String())
  277. klog.V(2).Infof("A_D %s\n", sigmasupport.A_D.String())
  278. klog.V(2).Infof("A_b %s\n", sigmasupport.A_b.String())
  279. klog.V(2).Infof("A_X %s\n", sigmasupport.A_X.String())
  280. klog.V(2).Infof("A_t %s\n", sigmasupport.A_t.String())
  281. klog.V(2).Infof("A_u %s\n", sigmasupport.A_u.String())
  282. {
  283. var input []byte
  284. input = append(input, convertbiginttobyte(x)...)
  285. input = append(input, sigmasupport.A_y.Marshal()...)
  286. input = append(input, sigmasupport.A_D.Marshal()...)
  287. input = append(input, sigmasupport.A_b.Marshal()...)
  288. input = append(input, sigmasupport.A_X.Marshal()...)
  289. input = append(input, sigmasupport.A_t.Marshal()...)
  290. input = append(input, sigmasupport.A_u.Marshal()...)
  291. if reducedhash(input).Text(16) != proof.c.Text(16) { // we must fail here
  292. //panic("C calculation failed")
  293. klog.Warning("C calculation failed")
  294. return false
  295. }
  296. }
  297. o := reducedhash(convertbiginttobyte(proof.c))
  298. u_x := new(bn256.G1).ScalarMult(gparams.G, o)
  299. var hPrimes []*bn256.G1
  300. hPrimeSum := new(bn256.G1)
  301. hPrimeSum.Unmarshal(zeroes[:])
  302. for i := 0; i < 128; i++ {
  303. hPrimes = append(hPrimes, new(bn256.G1).ScalarMult(gparams.Hs.vector[i], new(big.Int).ModInverse(protsupport.ys[i], bn256.Order)))
  304. klog.V(2).Infof("hPrimes %d %s\n", i, hPrimes[i].String())
  305. tmp := new(big.Int).Mod(new(big.Int).Mul(protsupport.ys[i], protsupport.z), bn256.Order)
  306. tmp = new(big.Int).Mod(new(big.Int).Add(tmp, protsupport.twoTimesZSquared[i]), bn256.Order)
  307. hPrimeSum = new(bn256.G1).Add(hPrimeSum, new(bn256.G1).ScalarMult(hPrimes[i], tmp))
  308. }
  309. P := new(bn256.G1).Add(proof.BA, new(bn256.G1).ScalarMult(proof.BS, x))
  310. P = new(bn256.G1).Add(P, new(bn256.G1).ScalarMult(gparams.GSUM, new(big.Int).Mod(new(big.Int).Neg(protsupport.z), bn256.Order)))
  311. P = new(bn256.G1).Add(P, hPrimeSum)
  312. P = new(bn256.G1).Add(P, new(bn256.G1).ScalarMult(gparams.H, new(big.Int).Mod(new(big.Int).Neg(proof.mu), bn256.Order)))
  313. P = new(bn256.G1).Add(P, new(bn256.G1).ScalarMult(u_x, new(big.Int).Mod(new(big.Int).Set(proof.that), bn256.Order)))
  314. klog.V(2).Infof("P %s\n", P.String())
  315. if !proof.ip.Verify(hPrimes, u_x, P, o, gparams) {
  316. klog.Warning("inner proof failed")
  317. return false
  318. }
  319. // klog.V(2).Infof("proof %s\n", proof.String())
  320. // panic("proof successful")
  321. klog.V(2).Infof("Proof successful verified\n")
  322. return true
  323. }
  324. func (proof *Proof) String() string {
  325. klog.V(1).Infof("proof BA %s\n", proof.BA.String())
  326. klog.V(1).Infof("proof BS %s\n", proof.BS.String())
  327. klog.V(1).Infof("proof A %s\n", proof.A.String())
  328. klog.V(1).Infof("proof B %s\n", proof.B.String())
  329. for i := range proof.CLnG {
  330. klog.V(1).Infof("CLnG %d %s \n", i, proof.CLnG[i].String())
  331. }
  332. for i := range proof.CRnG {
  333. klog.V(1).Infof("CRnG %d %s \n", i, proof.CRnG[i].String())
  334. }
  335. for i := range proof.C_0G {
  336. klog.V(1).Infof("C_0G %d %s \n", i, proof.C_0G[i].String())
  337. }
  338. for i := range proof.DG {
  339. klog.V(1).Infof("DG %d %s \n", i, proof.DG[i].String())
  340. }
  341. for i := range proof.y_0G {
  342. klog.V(1).Infof("y_0G %d %s \n", i, proof.y_0G[i].String())
  343. }
  344. for i := range proof.gG {
  345. klog.V(1).Infof("gG %d %s \n", i, proof.gG[i].String())
  346. }
  347. for i := range proof.C_XG {
  348. klog.V(1).Infof("C_XG %d %s \n", i, proof.C_XG[i].String())
  349. }
  350. for i := range proof.y_XG {
  351. klog.V(1).Infof("y_XG %d %s \n", i, proof.y_XG[i].String())
  352. }
  353. for i := range proof.tCommits.vector {
  354. klog.V(1).Infof("tCommits %d %s \n", i, proof.tCommits.vector[i].String())
  355. }
  356. klog.V(1).Infof("proof z_A %s\n", proof.z_A.Text(16))
  357. klog.V(1).Infof("proof that %s\n", proof.that.Text(16))
  358. klog.V(1).Infof("proof mu %s\n", proof.mu.Text(16))
  359. klog.V(1).Infof("proof C %s\n", proof.c.Text(16))
  360. klog.V(1).Infof("proof s_sk %s\n", proof.s_sk.Text(16))
  361. klog.V(1).Infof("proof s_r %s\n", proof.s_r.Text(16))
  362. klog.V(1).Infof("proof s_b %s\n", proof.s_b.Text(16))
  363. klog.V(1).Infof("proof s_tau %s\n", proof.s_tau.Text(16))
  364. return ""
  365. }
  366. func assemblepolynomials(f [][2]*big.Int) [][2]*big.Int {
  367. m := len(f) / 2
  368. N := int(math.Pow(2, float64(m)))
  369. result := make([][2]*big.Int, N, N)
  370. for i := 0; i < 2; i++ {
  371. half := recursivepolynomials(i*m, (i+1)*m, new(big.Int).SetInt64(1), f)
  372. for j := 0; j < N; j++ {
  373. result[j][i] = half[j]
  374. }
  375. }
  376. return result
  377. }
  378. func recursivepolynomials(baseline, current int, accum *big.Int, f [][2]*big.Int) []*big.Int {
  379. size := int(math.Pow(2, float64(current-baseline)))
  380. result := make([]*big.Int, size, size)
  381. if current == baseline {
  382. result[0] = accum
  383. return result
  384. }
  385. current--
  386. left := recursivepolynomials(baseline, current, new(big.Int).Mod(new(big.Int).Mul(accum, f[current][0]), bn256.Order), f)
  387. right := recursivepolynomials(baseline, current, new(big.Int).Mod(new(big.Int).Mul(accum, f[current][1]), bn256.Order), f)
  388. for i := 0; i < size/2; i++ {
  389. result[i] = left[i]
  390. result[i+size/2] = right[i]
  391. }
  392. return result
  393. }