Browse Source

Make all of the arrays 0-based

In the notation of the paper, some of the arrays are 0-based, and some
are 1-based.  Previously, we adhered to the notation of the paper, and
just wasted element 0 of the 1-based arrays.  Now that everything's
working, we save that wasted element by subtracting 1 from the indices
of the formerly 1-based arrays.
Ian Goldberg 2 years ago
parent
commit
09fecd374b
1 changed files with 64 additions and 59 deletions
  1. 64 59
      gk15.go

+ 64 - 59
gk15.go

@@ -22,6 +22,16 @@ type GroupParams struct {
 	A, B, Y kyber.Point
 }
 
+// In the paper, some arrays are 0-based, and some are 1-based.  We
+// want to keep all arrays 0-based, so the following arrays (1-based in
+// the paper) have 1 subtracted from their indices whenever they are
+// used: cl, ca, cb, r, a, s, t, f, za, zb
+
+// Each array in the three structs below is of length n, where
+// n = ceil(log_2(N)), and N is the number of commitments.
+// The total proof size (PubState plus Proof) is then
+// 4*n points, plus (3*n+1) scalars.
+
 type PubState struct {
 	cl, ca, cb, cd []kyber.Point
 }
@@ -75,25 +85,19 @@ func ProofStep1(params GroupParams, c []kyber.Point, ell uint32, privkey kyber.S
 		n += 1
 		two_n *= 2
 	}
-	fmt.Printf("n = %d\n", n);
 
-	// We will keep the notation of the paper:
-	// r, a, s, t, cl, ca, cb are 1-based,
-	// c, rho, cd are 0-based.  The 1-based ones, we
-	// just allocate an extra array element, and never
-	// use element 0.
 	var pub PubState
 	var priv PrivState
-	priv.r = make([]kyber.Scalar, n+1)
-	priv.a = make([]kyber.Scalar, n+1)
-	priv.s = make([]kyber.Scalar, n+1)
-	priv.t = make([]kyber.Scalar, n+1)
+	priv.r = make([]kyber.Scalar, n)
+	priv.a = make([]kyber.Scalar, n)
+	priv.s = make([]kyber.Scalar, n)
+	priv.t = make([]kyber.Scalar, n)
 	priv.rho = make([]kyber.Scalar, n)
 	priv.ell = ell
 	priv.privkey = privkey.Clone()
-	pub.cl = make([]kyber.Point, n+1)
-	pub.ca = make([]kyber.Point, n+1)
-	pub.cb = make([]kyber.Point, n+1)
+	pub.cl = make([]kyber.Point, n)
+	pub.ca = make([]kyber.Point, n)
+	pub.cb = make([]kyber.Point, n)
 	pub.cd = make([]kyber.Point, n)
 
 	var j, k, mask uint32
@@ -102,23 +106,23 @@ func ProofStep1(params GroupParams, c []kyber.Point, ell uint32, privkey kyber.S
 	k = 0
 	mask = 1
 	for ; k < n ; {
-		priv.r[j] = group.Scalar().Pick(rand)
-		priv.a[j] = group.Scalar().Pick(rand)
-		priv.s[j] = group.Scalar().Pick(rand)
-		priv.t[j] = group.Scalar().Pick(rand)
+		priv.r[j-1] = group.Scalar().Pick(rand)
+		priv.a[j-1] = group.Scalar().Pick(rand)
+		priv.s[j-1] = group.Scalar().Pick(rand)
+		priv.t[j-1] = group.Scalar().Pick(rand)
 		priv.rho[k] = group.Scalar().Pick(rand)
 
-		pub.cl[j] = group.Point().Mul(priv.r[j], params.B)
+		pub.cl[j-1] = group.Point().Mul(priv.r[j-1], params.B)
 		if (ell & mask) != 0 {
-			pub.cl[j] = group.Point().Add(pub.cl[j], params.A)
+			pub.cl[j-1] = group.Point().Add(pub.cl[j-1], params.A)
 		}
-		pub.ca[j] = group.Point().Add(
-				group.Point().Mul(priv.a[j], params.A),
-				group.Point().Mul(priv.s[j], params.B))
-		pub.cb[j] = group.Point().Mul(priv.t[j], params.B)
+		pub.ca[j-1] = group.Point().Add(
+				group.Point().Mul(priv.a[j-1], params.A),
+				group.Point().Mul(priv.s[j-1], params.B))
+		pub.cb[j-1] = group.Point().Mul(priv.t[j-1], params.B)
 		if (ell & mask) != 0 {
-			pub.cb[j] = group.Point().Add(pub.cb[j],
-					group.Point().Mul(priv.a[j], params.A))
+			pub.cb[j-1] = group.Point().Add(pub.cb[j-1],
+					group.Point().Mul(priv.a[j-1], params.A))
 		}
 
 		j++
@@ -143,19 +147,19 @@ func ProofStep1(params GroupParams, c []kyber.Point, ell uint32, privkey kyber.S
 		for ; j <= n ; {
 			if (i & jmask) != 0 {
 				if (ell & jmask) != 0 {
-					// Multiply p_i by x + a[j]
-					polymul_xplus(group, p_i, priv.a[j])
+					// Multiply p_i by x + a[j-1]
+					polymul_xplus(group, p_i, priv.a[j-1])
 				} else {
-					// Multiply p_i by a[j]
-					polymul(group, p_i, priv.a[j])
+					// Multiply p_i by a[j-1]
+					polymul(group, p_i, priv.a[j-1])
 				}
 			} else {
-				negaj := group.Scalar().Neg(priv.a[j])
+				negaj := group.Scalar().Neg(priv.a[j-1])
 				if (ell & jmask) != 0 {
-					// Multiply p_i by -a[j]
+					// Multiply p_i by -a[j-1]
 					polymul(group, p_i, negaj)
 				} else {
-					// Multiply p_i by x - a[j]
+					// Multiply p_i by x - a[j-1]
 					polymul_xplus(group, p_i, negaj)
 				}
 			}
@@ -196,9 +200,9 @@ func ProofStep2(params GroupParams, priv PrivState, x kyber.Scalar) Proof {
 	var proof Proof
 	n := uint32(len(priv.rho))
 	group := params.group
-	proof.f = make([]kyber.Scalar, n+1)
-	proof.za = make([]kyber.Scalar, n+1)
-	proof.zb = make([]kyber.Scalar, n+1)
+	proof.f = make([]kyber.Scalar, n)
+	proof.za = make([]kyber.Scalar, n)
+	proof.zb = make([]kyber.Scalar, n)
 
 	var j, mask uint32
 	// mask = 2^(j-1)
@@ -206,17 +210,17 @@ func ProofStep2(params GroupParams, priv PrivState, x kyber.Scalar) Proof {
 	mask = 1
 	for ; j <= n ; {
 		if (priv.ell & mask) != 0 {
-			proof.f[j] = group.Scalar().Add(x, priv.a[j])
+			proof.f[j-1] = group.Scalar().Add(x, priv.a[j-1])
 		} else {
-			proof.f[j] = priv.a[j].Clone()
+			proof.f[j-1] = priv.a[j-1].Clone()
 		}
-		proof.za[j] = group.Scalar().Add(
-			group.Scalar().Mul(x, priv.r[j]), priv.s[j])
-		proof.zb[j] = group.Scalar().Add(
+		proof.za[j-1] = group.Scalar().Add(
+			group.Scalar().Mul(x, priv.r[j-1]), priv.s[j-1])
+		proof.zb[j-1] = group.Scalar().Add(
 			group.Scalar().Mul(
-				group.Scalar().Sub(x, proof.f[j]),
-				priv.r[j]),
-			priv.t[j])
+				group.Scalar().Sub(x, proof.f[j-1]),
+				priv.r[j-1]),
+			priv.t[j-1])
 
 		j++
 		mask *= 2
@@ -256,32 +260,33 @@ func Verify(params GroupParams, c []kyber.Point, pub PubState, x kyber.Scalar, p
 	}
 
 	// Check that the lengths of the arrays are correct
-	if len(pub.cl) != int(n+1) || len(pub.ca) != int(n+1) ||
-			len(pub.cb) != int(n+1) ||
-			len(pub.cd) != int(n) ||
-			len(proof.f) != int(n+1) ||
-			len(proof.za) != int(n+1) ||
-			len(proof.zb) != int(n+1) {
+	intn := int(n)
+	if len(pub.cl) != intn || len(pub.ca) != intn ||
+			len(pub.cb) != intn ||
+			len(pub.cd) != intn ||
+			len(proof.f) != intn ||
+			len(proof.za) != intn ||
+			len(proof.zb) != intn {
 		fmt.Printf("Inputs not of the correct length\n")
 		return false
 	}
 
 	for j := uint32(1) ; j <= n ; j++ {
-		lhs1 := group.Point().Add(group.Point().Mul(x, pub.cl[j]),
-			pub.ca[j])
+		lhs1 := group.Point().Add(group.Point().Mul(x, pub.cl[j-1]),
+			pub.ca[j-1])
 		rhs1 := group.Point().Add(
-			group.Point().Mul(proof.f[j], params.A),
-			group.Point().Mul(proof.za[j], params.B))
+			group.Point().Mul(proof.f[j-1], params.A),
+			group.Point().Mul(proof.za[j-1], params.B))
 		if !lhs1.Equal(rhs1) {
 			fmt.Printf("Failed equality check 1\n")
 			return false
 		}
 		lhs2 := group.Point().Add(
 			group.Point().Mul(
-				group.Scalar().Sub(x, proof.f[j]),
-				pub.cl[j]),
-			pub.cb[j])
-		rhs2 := group.Point().Mul(proof.zb[j], params.B)
+				group.Scalar().Sub(x, proof.f[j-1]),
+				pub.cl[j-1]),
+			pub.cb[j-1])
+		rhs2 := group.Point().Mul(proof.zb[j-1], params.B)
 		if !lhs2.Equal(rhs2) {
 			fmt.Printf("Failed equality check 2\n")
 			return false
@@ -297,11 +302,11 @@ func Verify(params GroupParams, c []kyber.Point, pub PubState, x kyber.Scalar, p
 		for ; j <= n ; {
 			if (i & mask) != 0 {
 				fprod = group.Scalar().Mul(fprod,
-					proof.f[j])
+					proof.f[j-1])
 			} else {
 				fprod = group.Scalar().Mul(fprod,
 					group.Scalar().Sub(x,
-						proof.f[j]))
+						proof.f[j-1]))
 			}
 			j++
 			mask *= 2