zero knowledge for discrete log

Author: zhdllwyc

zk/dl/zkRDL.go

@@ -0,0 +1,89 @@
+// Reference: https://datatracker.ietf.org/doc/html/rfc8235#page-6
+// Prove the knowledge of [k] given [k]G, G and the curve where the points reside
+package zkRDL
+
+import (
+	"crypto/rand"
+
+	"github.com/cloudflare/circl/group"
+)
+
+// Input: myGroup, the group we operate in
+// Input: R = [kA]DB
+// Input: proverLabel, verifierLabel labels of prover and verifier
+// Ouptput: (V,r), the prove such that we know kA without revealing kA
+func ProveGen(myGroup group.Group, DB, R group.Element, kA group.Scalar, proverLabel, verifierLabel []byte) (group.Element, group.Scalar) {
+
+	v := myGroup.RandomNonZeroScalar(rand.Reader)
+	V := myGroup.NewElement()
+	V.Mul(DB, v)
+
+	// Hash transcript (D_B | V | R | proverLabel | verifierLabel) to get the random coin
+	DBByte, errByte := DB.MarshalBinary()
+	if errByte != nil {
+		panic(errByte)
+	}
+	VByte, errByte := V.MarshalBinary()
+	if errByte != nil {
+		panic(errByte)
+	}
+
+	RByte, errByte := R.MarshalBinary()
+	if errByte != nil {
+		panic(errByte)
+	}
+
+	hashByte := append(DBByte, VByte...)
+	hashByte = append(hashByte, RByte...)
+	hashByte = append(hashByte, proverLabel...)
+	hashByte = append(hashByte, verifierLabel...)
+
+	dst := "zeroknowledge"
+	c := myGroup.HashToScalar(hashByte, []byte(dst))
+
+	kAc := myGroup.NewScalar()
+	kAc.Mul(c, kA)
+	r := v.Copy()
+	r.Sub(r, kAc)
+
+	return V, r
+}
+
+// Input: myGroup, the group we operate in
+// Input: R = [kA]DB
+// Input: (V,r), the prove such that the prover knows kA
+// Input: proverLabel, verifierLabel labels of prover and verifier
+// Output: V ?= [r]D_B +[c]R
+func Verify(myGroup group.Group, DB, R group.Element, V group.Element, r group.Scalar, proverLabel, verifierLabel []byte) bool {
+	// Hash the transcript (D_B | V | R | proverLabel | verifierLabel) to get the random coin
+	DBByte, errByte := DB.MarshalBinary()
+	if errByte != nil {
+		panic(errByte)
+	}
+	VByte, errByte := V.MarshalBinary()
+	if errByte != nil {
+		panic(errByte)
+	}
+
+	RByte, errByte := R.MarshalBinary()
+	if errByte != nil {
+		panic(errByte)
+	}
+	hashByte := append(DBByte, VByte...)
+	hashByte = append(hashByte, RByte...)
+	hashByte = append(hashByte, proverLabel...)
+	hashByte = append(hashByte, verifierLabel...)
+
+	dst := "zeroknowledge"
+	c := myGroup.HashToScalar(hashByte, []byte(dst))
+
+	rDB := myGroup.NewElement()
+	rDB.Mul(DB, r)
+
+	cR := myGroup.NewElement()
+	cR.Mul(R, c)
+
+	rDB.Add(rDB, cR)
+
+	return V.IsEqual(rDB)
+}

zk/dl/zkRDL_test.go

@@ -0,0 +1,59 @@
+package zkRDL
+
+import (
+	"crypto/rand"
+	"testing"
+
+	"github.com/cloudflare/circl/group"
+)
+
+const TestzkRDLCount = 10
+
+func testzkRDL(t *testing.T, myGroup group.Group) {
+	kA := myGroup.RandomNonZeroScalar(rand.Reader)
+	DB := myGroup.RandomElement(rand.Reader)
+
+	R := myGroup.NewElement()
+	R.Mul(DB, kA)
+
+	V, r := ProveGen(myGroup, DB, R, kA, []byte("Prover"), []byte("Verifier"))
+
+	verify := Verify(myGroup, DB, R, V, r, []byte("Prover"), []byte("Verifier"))
+	if verify == false {
+		t.Error("zkRDL verification failed")
+	}
+
+}
+
+func testzkRDLNegative(t *testing.T, myGroup group.Group) {
+	kA := myGroup.RandomNonZeroScalar(rand.Reader)
+	DB := myGroup.RandomElement(rand.Reader)
+
+	R := myGroup.RandomElement(rand.Reader)
+
+	V, r := ProveGen(myGroup, DB, R, kA, []byte("Prover"), []byte("Verifier"))
+
+	verify := Verify(myGroup, DB, R, V, r, []byte("Prover"), []byte("Verifier"))
+	if verify == true {
+		t.Error("zkRDL verification should fail")
+	}
+
+}
+
+func TestZKRDL(t *testing.T) {
+
+	t.Run("zkRDL", func(t *testing.T) {
+		for i := 0; i < TestzkRDLCount; i++ {
+			currGroup := group.P256
+			testzkRDL(t, currGroup)
+		}
+	})
+
+	t.Run("zkRDLNegative", func(t *testing.T) {
+		for i := 0; i < TestzkRDLCount; i++ {
+			currGroup := group.P256
+			testzkRDLNegative(t, currGroup)
+		}
+	})
+
+}