Procházet zdrojové kódy

Factor out verify to match the paper

Ian Goldberg před 11 měsíci
rodič
revize
b59f86e1cc
1 změnil soubory, kde provedl 56 přidání a 18 odebrání
  1. 56 18
      src/shine.rs

+ 56 - 18
src/shine.rs

@@ -147,50 +147,88 @@ pub fn commit(evaluation: &Scalar) -> RistrettoPoint {
     evaluation * &dalek_constants::RISTRETTO_BASEPOINT_TABLE
 }
 
-// Combine commitments using precomputed Lagrange polynomials.  Return
-// None if the commitments are not consistent with the given t.  You
-// must pass at least 2t-1 commitments, and the same number of
-// lag_polys.
-pub fn combinecomm_polys(
+// Verify that a set of commitments are consistent with a given t, using
+// precomputed Lagrange polynomials.  Return false if the commitments
+// are not consistent with the given t, or true if they are. You must
+// pass at least 2t-1 commitments, and the same number of lag_polys.
+pub fn verify_polys(
     t: u32,
     lag_polys: &[ScalarPoly],
     commitments: &[RistrettoPoint],
-) -> Option<RistrettoPoint> {
+) -> bool {
     // Check if the commitments are consistent: when interpolating the
     // polys in the exponent, the low t coefficients can be non-0 but
     // the ones above that must be 0
 
-    let mu = commitments.len();
+    let coalition_size = commitments.len();
     assert!(t >= 1);
-    assert!(mu >= 2 * (t as usize) - 1);
-    assert!(mu == lag_polys.len());
-    assert!(mu == lag_polys[0].coeffs.len());
+    assert!(coalition_size >= 2 * (t as usize) - 1);
+    assert!(coalition_size == lag_polys.len());
+    assert!(coalition_size == lag_polys[0].coeffs.len());
 
     // Use this to compute the multiscalar multiplications
     let multiscalar = VartimeRistrettoPrecomputation::new(Vec::<RistrettoPoint>::new());
 
-    // Compute the B_i for i from t to mu-1.  All of them should be the
-    // identity, so if any of them is not, then the commitments are
-    // inconsistents, and we will return None
-    if ((t as usize)..mu)
+    // Compute the B_i for i from t to coalition_size-1.  All of them
+    // should be the identity; otherwise, the commitments are
+    // inconsistent.
+    ((t as usize)..coalition_size)
         .map(|i| {
             // B_i = \sum_j lag_polys[j].coeffs[i] * commitments[j]
             multiscalar.vartime_mixed_multiscalar_mul(
                 &Vec::<Scalar>::new(),
-                (0..mu).map(|j| lag_polys[j].coeffs[i]),
+                (0..coalition_size).map(|j| lag_polys[j].coeffs[i]),
                 commitments,
             )
         })
-        .any(|bi: RistrettoPoint| bi != RistrettoPoint::identity())
-    {
+        .all(|bi: RistrettoPoint| bi == RistrettoPoint::identity())
+}
+
+// Verify that a set of commitments are consistent with a given t.
+// Return false if the commitments are not consistent with the given t,
+// or true if they are. You must pass at least 2t-1 commitments, and the
+// same number of lag_polys.
+pub fn verify(
+    t: u32,
+    coalition: &[u32],
+    commitments: &[RistrettoPoint],
+) -> bool {
+    let polys = lagrange_polys(coalition);
+    verify_polys(t, &polys, commitments)
+}
+
+// Combine commitments using precomputed Lagrange polynomials.  Return
+// None if the commitments are not consistent with the given t.  You
+// must pass at least 2t-1 commitments, and the same number of
+// lag_polys.
+pub fn combinecomm_polys(
+    t: u32,
+    lag_polys: &[ScalarPoly],
+    commitments: &[RistrettoPoint],
+) -> Option<RistrettoPoint> {
+    let coalition_size = commitments.len();
+    assert!(t >= 1);
+    assert!(coalition_size >= 2 * (t as usize) - 1);
+    assert!(coalition_size == lag_polys.len());
+    assert!(coalition_size == lag_polys[0].coeffs.len());
+
+    // Check if the commitments are consistent: when interpolating the
+    // polys in the exponent, the low t coefficients can be non-0 but
+    // the ones above that must be 0
+
+    if ! verify_polys(t, lag_polys, commitments) {
         return None;
     }
 
+     // Use this to compute the multiscalar multiplications
+     let multiscalar = VartimeRistrettoPrecomputation::new(Vec::<RistrettoPoint>
+::new());
+
     // Compute B_0 (which is the combined commitment) and return
     // Some(B_0)
     Some(multiscalar.vartime_mixed_multiscalar_mul(
         &Vec::<Scalar>::new(),
-        (0..mu).map(|j| lag_polys[j].coeffs[0]),
+        (0..coalition_size).map(|j| lag_polys[j].coeffs[0]),
         commitments,
     ))
 }