// Reference: https://datatracker.ietf.org/doc/html/rfc8235#page-6
// Prove the knowledge of [k] given [k]G, G and the curve where the points reside
package dl
import (
"io"
"github.com/cloudflare/circl/group"
)
// Input: myGroup, the group we operate in
// Input: R = [kA]DB
// Input: proverLabel, verifierLabel labels of prover and verifier
// Output: (V,r), the proof that we know kA without revealing kA
func ProveGen(myGroup group.Group, DB, R group.Element, kA group.Scalar, proverLabel, verifierLabel, dst []byte, rnd io.Reader) (group.Element, group.Scalar) {
	// mustMarshal serializes a point; a marshal failure is treated as
	// unrecoverable (panic), matching the existing contract of this package.
	mustMarshal := func(e group.Element) []byte {
		b, err := e.MarshalBinary()
		if err != nil {
			panic(err)
		}
		return b
	}

	// Commitment V = [v]DB for a fresh non-zero nonce v drawn from rnd.
	// NOTE(review): the response below is r = v - c*kA, so a predictable or
	// reused v lets anyone holding (c, r) solve for kA; rnd must be a CSPRNG
	// and v must never be reused across proofs.
	v := myGroup.RandomNonZeroScalar(rnd)
	V := myGroup.NewElement()
	V.Mul(DB, v)

	// Fiat-Shamir challenge c = H(DB | V | R | proverLabel | verifierLabel),
	// hashed to a scalar with dst as the separation tag.
	// NOTE(review): the transcript is a plain concatenation without length
	// prefixes, so the boundary between proverLabel and verifierLabel is not
	// encoded in the hash input; keep label encoding unambiguous (fixed length
	// or self-delimiting) — confirm against the protocol spec this serves.
	transcript := mustMarshal(DB)
	transcript = append(transcript, mustMarshal(V)...)
	transcript = append(transcript, mustMarshal(R)...)
	transcript = append(transcript, proverLabel...)
	transcript = append(transcript, verifierLabel...)
	c := myGroup.HashToScalar(transcript, dst)

	// Response r = v - c*kA; v itself is left untouched by working on a copy.
	cKA := myGroup.NewScalar()
	cKA.Mul(c, kA)
	r := v.Copy()
	r.Sub(r, cKA)
	return V, r
}
// Input: myGroup, the group we operate in
// Input: R = [kA]DB
// Input: (V,r), the proof that the prover knows kA
// Input: proverLabel, verifierLabel labels of prover and verifier
// Output: V ?= [r]D_B +[c]R
func Verify(myGroup group.Group, DB, R group.Element, V group.Element, r group.Scalar, proverLabel, verifierLabel, dst []byte) bool {
	// mustMarshal serializes a point; a marshal failure is treated as
	// unrecoverable (panic), matching the existing contract of this package.
	mustMarshal := func(e group.Element) []byte {
		b, err := e.MarshalBinary()
		if err != nil {
			panic(err)
		}
		return b
	}

	// Recompute the Fiat-Shamir challenge exactly as the prover did:
	// c = H(DB | V | R | proverLabel | verifierLabel), hashed to a scalar
	// with dst as the separation tag. Any mismatch in order or encoding
	// between prover and verifier makes every honest proof fail.
	// NOTE(review): the transcript is a plain concatenation without length
	// prefixes, so the label boundary is not encoded; keep label encoding
	// unambiguous — confirm against the protocol spec this serves.
	transcript := mustMarshal(DB)
	transcript = append(transcript, mustMarshal(V)...)
	transcript = append(transcript, mustMarshal(R)...)
	transcript = append(transcript, proverLabel...)
	transcript = append(transcript, verifierLabel...)
	c := myGroup.HashToScalar(transcript, dst)

	// Accept iff V == [r]DB + [c]R. Nothing here validates that DB, R or V
	// are non-identity, prime-order points; presumably Element decoding
	// enforces that for the curve in use — verify at the call site when the
	// points arrive from an untrusted peer.
	lhs := myGroup.NewElement()
	lhs.Mul(DB, r)
	rhs := myGroup.NewElement()
	rhs.Mul(R, c)
	lhs.Add(lhs, rhs)
	return V.IsEqual(lhs)
}