tapir/primitives/privacypass/dlogeq.go

package privacypass

import (
	"crypto/rand"
	"git.openprivacy.ca/cwtch.im/tapir/primitives/core"
	ristretto "github.com/gtank/ristretto255"
)

// DLEQProof encapsulates a Chaum-Pedersen DLEQ Proof
// gut In Ernest F. Brickell, editor,CRYPTO’92,volume 740 ofLNCS, pages 89–105. Springer, Heidelberg,August 1993
type DLEQProof struct {
	C *ristretto.Scalar
	S *ristretto.Scalar
}

// DiscreteLogEquivalenceProof constructs a valid DLEQProof for the given parameters and transcript
// Given  Y = kX & Q = kP
// Peggy: t := choose randomly from Zq
//
//	A := tX
//	B := tP
//	c := H(transcript(X,Y,P,Q,A,B))
//	s := (t + ck) mod q
//
// Sends c,s to Vicky
func DiscreteLogEquivalenceProof(k *ristretto.Scalar, X *ristretto.Element, Y *ristretto.Element, P *ristretto.Element, Q *ristretto.Element, transcript *core.Transcript) DLEQProof {
	private := make([]byte, 64)
	rand.Read(private)
	t, err := new(ristretto.Scalar).SetUniformBytes(private)
	if err != nil {
		return DLEQProof{ristretto.NewScalar(), ristretto.NewScalar()}
	}
	A := new(ristretto.Element).ScalarMult(t, X)
	B := new(ristretto.Element).ScalarMult(t, P)

	transcript.AddToTranscript(DLEQX, X.Bytes())
	transcript.AddToTranscript(DLEQY, Y.Bytes())
	transcript.AddToTranscript(DLEQP, P.Bytes())
	transcript.AddToTranscript(DLEQQ, Q.Bytes())
	transcript.AddToTranscript(DLEQA, A.Bytes())
	transcript.AddToTranscript(DLEQB, B.Bytes())

	c := transcript.CommitToTranscriptScalar("c")
	s := new(ristretto.Scalar).Subtract(t, new(ristretto.Scalar).Multiply(c, k))
	return DLEQProof{c, s}
}

// VerifyDiscreteLogEquivalenceProof verifies the DLEQ for the given parameters and transcript
// Given  Y = kX & Q = kP  and Proof = (c,s)
// Vicky: X' := sX
//
//	Y' := cY
//	P' := sP
//	Q' := cQ
//	A' = X'+Y' == sX + cY ?= sG + ckG == (s+ck)X == tX == A
//	B' = P'+Q' == sP + cQ ?= sP + ckP == (s+ck)P == tP == B
//	c' := H(transcript(X,Y,P,Q,A',B'))
//
// Tests c ?= c
func VerifyDiscreteLogEquivalenceProof(dleq DLEQProof, X *ristretto.Element, Y *ristretto.Element, P *ristretto.Element, Q *ristretto.Element, transcript *core.Transcript) bool {

	Xs := new(ristretto.Element).ScalarMult(dleq.S, X)
	Yc := new(ristretto.Element).ScalarMult(dleq.C, Y)
	Ps := new(ristretto.Element).ScalarMult(dleq.S, P)
	Qc := new(ristretto.Element).ScalarMult(dleq.C, Q)

	A := new(ristretto.Element).Add(Xs, Yc)
	B := new(ristretto.Element).Add(Ps, Qc)

	transcript.AddToTranscript(DLEQX, X.Bytes())
	transcript.AddToTranscript(DLEQY, Y.Bytes())
	transcript.AddToTranscript(DLEQP, P.Bytes())
	transcript.AddToTranscript(DLEQQ, Q.Bytes())
	transcript.AddToTranscript(DLEQA, A.Bytes())
	transcript.AddToTranscript(DLEQB, B.Bytes())

	return transcript.CommitToTranscriptScalar("c").Equal(dleq.C) == 1
}
-												Auditable Store

											
										
										
											2019-09-14 23:44:19 +00:00
+								package privacypass
 								import (
-												Move to ristretto255 lib

											
										
										
											2019-09-15 21:20:05 +00:00
+									"crypto/rand"
-												Remove custom url forwarding for tapir module

											
										
										
											2021-04-09 00:55:17 +00:00
+									"git.openprivacy.ca/cwtch.im/tapir/primitives/core"
-												Move to ristretto255 lib

											
										
										
											2019-09-15 21:20:05 +00:00
+									ristretto "github.com/gtank/ristretto255"
-												Auditable Store

											
										
										
											2019-09-14 23:44:19 +00:00
+								)
 								// DLEQProof encapsulates a Chaum-Pedersen DLEQ Proof
-												Formatting + go 1.17 ioutil deprecation

											
										
										
											2022-09-13 02:17:31 +00:00
+								// gut In Ernest F. Brickell, editor,CRYPTO’92,volume 740 ofLNCS, pages 89–105. Springer, Heidelberg,August 1993
-												Auditable Store

											
										
										
											2019-09-14 23:44:19 +00:00
+								type DLEQProof struct {
 									C *ristretto.Scalar
 									S *ristretto.Scalar
 								}
 								// DiscreteLogEquivalenceProof constructs a valid DLEQProof for the given parameters and transcript
-												Updates given Erinns Comments

											
										
										
											2019-11-26 21:10:09 +00:00
+								// Given  Y = kX & Q = kP
-												Auditable Store

											
										
										
											2019-09-14 23:44:19 +00:00
+								// Peggy: t := choose randomly from Zq
-												Formatting + go 1.17 ioutil deprecation

											
										
										
											2022-09-13 02:17:31 +00:00
+								//
 								//	A := tX
 								//	B := tP
 								//	c := H(transcript(X,Y,P,Q,A,B))
 								//	s := (t + ck) mod q
-												Auditable Store

											
										
										
											2019-09-14 23:44:19 +00:00
+								//
 								// Sends c,s to Vicky
-												Move to ristretto255 lib

											
										
										
											2019-09-15 21:20:05 +00:00
+								func DiscreteLogEquivalenceProof(k *ristretto.Scalar, X *ristretto.Element, Y *ristretto.Element, P *ristretto.Element, Q *ristretto.Element, transcript *core.Transcript) DLEQProof {
 									private := make([]byte, 64)
 									rand.Read(private)
-												Upgrade Dependencies

											
										
										
											2022-08-29 03:12:14 +00:00
+									t, err := new(ristretto.Scalar).SetUniformBytes(private)
 									if err != nil {
 										return DLEQProof{ristretto.NewScalar(), ristretto.NewScalar()}
 									}
-												Move to ristretto255 lib

											
										
										
											2019-09-15 21:20:05 +00:00
+									A := new(ristretto.Element).ScalarMult(t, X)
 									B := new(ristretto.Element).ScalarMult(t, P)
-												Auditable Store

											
										
										
											2019-09-14 23:44:19 +00:00
-												Upgrade Dependencies

											
										
										
											2022-08-29 03:12:14 +00:00
+									transcript.AddToTranscript(DLEQX, X.Bytes())
 									transcript.AddToTranscript(DLEQY, Y.Bytes())
 									transcript.AddToTranscript(DLEQP, P.Bytes())
 									transcript.AddToTranscript(DLEQQ, Q.Bytes())
 									transcript.AddToTranscript(DLEQA, A.Bytes())
 									transcript.AddToTranscript(DLEQB, B.Bytes())
-												Auditable Store

											
										
										
											2019-09-14 23:44:19 +00:00
 									c := transcript.CommitToTranscriptScalar("c")
-												Move to ristretto255 lib

											
										
										
											2019-09-15 21:20:05 +00:00
+									s := new(ristretto.Scalar).Subtract(t, new(ristretto.Scalar).Multiply(c, k))
-												Auditable Store

											
										
										
											2019-09-14 23:44:19 +00:00
+									return DLEQProof{c, s}
 								}
 								// VerifyDiscreteLogEquivalenceProof verifies the DLEQ for the given parameters and transcript
-												Updates given Erinns Comments

											
										
										
											2019-11-26 21:10:09 +00:00
+								// Given  Y = kX & Q = kP  and Proof = (c,s)
-												Auditable Store

											
										
										
											2019-09-14 23:44:19 +00:00
+								// Vicky: X' := sX
-												Formatting + go 1.17 ioutil deprecation

											
										
										
											2022-09-13 02:17:31 +00:00
+								//
 								//	Y' := cY
 								//	P' := sP
 								//	Q' := cQ
 								//	A' = X'+Y' == sX + cY ?= sG + ckG == (s+ck)X == tX == A
 								//	B' = P'+Q' == sP + cQ ?= sP + ckP == (s+ck)P == tP == B
 								//	c' := H(transcript(X,Y,P,Q,A',B'))
 								//
-												Auditable Store

											
										
										
											2019-09-14 23:44:19 +00:00
+								// Tests c ?= c
-												Move to ristretto255 lib

											
										
										
											2019-09-15 21:20:05 +00:00
+								func VerifyDiscreteLogEquivalenceProof(dleq DLEQProof, X *ristretto.Element, Y *ristretto.Element, P *ristretto.Element, Q *ristretto.Element, transcript *core.Transcript) bool {
-												Auditable Store

											
										
										
											2019-09-14 23:44:19 +00:00
-												Move to ristretto255 lib

											
										
										
											2019-09-15 21:20:05 +00:00
+									Xs := new(ristretto.Element).ScalarMult(dleq.S, X)
 									Yc := new(ristretto.Element).ScalarMult(dleq.C, Y)
 									Ps := new(ristretto.Element).ScalarMult(dleq.S, P)
 									Qc := new(ristretto.Element).ScalarMult(dleq.C, Q)
-												Auditable Store

											
										
										
											2019-09-14 23:44:19 +00:00
-												Move to ristretto255 lib

											
										
										
											2019-09-15 21:20:05 +00:00
+									A := new(ristretto.Element).Add(Xs, Yc)
 									B := new(ristretto.Element).Add(Ps, Qc)
-												Auditable Store

											
										
										
											2019-09-14 23:44:19 +00:00
-												Upgrade Dependencies

											
										
										
											2022-08-29 03:12:14 +00:00
+									transcript.AddToTranscript(DLEQX, X.Bytes())
 									transcript.AddToTranscript(DLEQY, Y.Bytes())
 									transcript.AddToTranscript(DLEQP, P.Bytes())
 									transcript.AddToTranscript(DLEQQ, Q.Bytes())
 									transcript.AddToTranscript(DLEQA, A.Bytes())
 									transcript.AddToTranscript(DLEQB, B.Bytes())
-												Auditable Store

											
										
										
											2019-09-14 23:44:19 +00:00
-												Move to ristretto255 lib

											
										
										
											2019-09-15 21:20:05 +00:00
+									return transcript.CommitToTranscriptScalar("c").Equal(dleq.C) == 1
-												Auditable Store

											
										
										
											2019-09-14 23:44:19 +00:00
+								}