|
@@ -28,9 +28,13 @@ type PubState struct {
|
|
|
|
|
|
type PrivState struct {
|
|
|
r, a, s, t, rho []kyber.Scalar
|
|
|
+ ell uint32
|
|
|
+ privkey kyber.Scalar
|
|
|
}
|
|
|
|
|
|
type Proof struct {
|
|
|
+ f, za, zb []kyber.Scalar
|
|
|
+ zd kyber.Scalar
|
|
|
}
|
|
|
|
|
|
// Multiply a polynomial expressed as a slice of coefficients by the
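Review bot: The four new fields on PrivState and Proof carry no comments, and PrivState now stores the witness itself (`privkey`) next to the per-bit randomness, so a reader cannot tell which fields are secret and which may be handed out. Judging from ProofStep2 in this same commit, `privkey` is the scalar whose x^n multiple closes `zd` (the opening of the commitment at index `ell`) and `ell` is the secret index whose bits select `f`. I would put `// ell is the prover's secret index and privkey the opening of c[ell]; PrivState holds the whole witness and must not be logged, serialized or returned to a verifier.` above the fields, and `// f, za, zb are indexed 1..n; index 0 is unused.` on Proof if ProofStep2's 1-based filling is kept. PubState, named in the hunk header, lies outside this hunk.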
|
|
@@ -85,6 +89,8 @@ func ProofStep1(params GroupParams, c []kyber.Point, ell uint32, privkey kyber.S
|
|
|
priv.s = make([]kyber.Scalar, n+1)
|
|
|
priv.t = make([]kyber.Scalar, n+1)
|
|
|
priv.rho = make([]kyber.Scalar, n)
|
|
|
+ priv.ell = ell
|
|
|
+ priv.privkey = privkey.Clone()
|
|
|
pub.cl = make([]kyber.Point, n+1)
|
|
|
pub.ca = make([]kyber.Point, n+1)
|
|
|
pub.cb = make([]kyber.Point, n+1)
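Review bot: `priv.ell = ell` stores the index without checking it against `n`; ProofStep2 only consults bits 1..n of `ell` through its running mask, so an `ell` of 2^n or more is silently reduced modulo 2^n and the prover emits a proof for an index other than the one the caller named, with `privkey` not matching that commitment. Unless the part of ProofStep1 before this hunk already rejects it, I would add a guard beside the assignment, `if n < 32 && ell >= 1<<n { /* reject */ }`, using whatever error path ProofStep1 has (its return list is cut off in the hunk header). Cloning `privkey` rather than aliasing the caller's scalar looks right, since kyber scalar arithmetic mutates its receiver in place. ProofStep1 starts and ends outside this hunk.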
|
|
@@ -182,11 +188,57 @@ func ProofStep1(params GroupParams, c []kyber.Point, ell uint32, privkey kyber.S
|
|
|
}
|
|
|
|
|
|
func GenChallenge(params GroupParams, pub PubState) kyber.Scalar {
|
|
|
- return params.group.Scalar()
|
|
|
+ // In the interactive version, just pick a random challenge.
|
|
|
+ // In the noninteractive version, this would be a hash of pub
|
|
|
+ // and a message.
|
|
|
+ rand := random.New()
|
|
|
+ return params.group.Scalar().Pick(rand)
|
|
|
}
|
|
|
|
|
|
func ProofStep2(params GroupParams, priv PrivState, x kyber.Scalar) Proof {
|
|
|
- return Proof{}
|
|
|
+ var proof Proof
|
|
|
+ n := uint32(len(priv.rho))
|
|
|
+ group := params.group
|
|
|
+ proof.f = make([]kyber.Scalar, n+1)
|
|
|
+ proof.za = make([]kyber.Scalar, n+1)
|
|
|
+ proof.zb = make([]kyber.Scalar, n+1)
|
|
|
+
|
|
|
+ var j, mask uint32
|
|
|
+ // mask = 2^(j-1)
|
|
|
+ j = 1
|
|
|
+ mask = 1
|
|
|
+ for ; j <= n ; {
|
|
|
+ if (priv.ell & mask) != 0 {
|
|
|
+ proof.f[j] = group.Scalar().Add(x, priv.a[j])
|
|
|
+ } else {
|
|
|
+ proof.f[j] = priv.a[j].Clone()
|
|
|
+ }
|
|
|
+ proof.za[j] = group.Scalar().Add(
|
|
|
+ group.Scalar().Mul(x, priv.r[j]), priv.s[j])
|
|
|
+ proof.zb[j] = group.Scalar().Add(
|
|
|
+ group.Scalar().Mul(
|
|
|
+ group.Scalar().Sub(x, proof.f[j]),
|
|
|
+ priv.r[j]),
|
|
|
+ priv.t[j])
|
|
|
+
|
|
|
+ j++
|
|
|
+ mask *= 2
|
|
|
+ }
|
|
|
+
|
|
|
+ proof.zd = group.Scalar().Zero()
|
|
|
+ k := uint32(0)
|
|
|
+ xk := group.Scalar().One() // x^k
|
|
|
+ for ; k < n ; {
|
|
|
+ proof.zd = group.Scalar().Sub(proof.zd,
|
|
|
+ group.Scalar().Mul(priv.rho[k], xk))
|
|
|
+ k++
|
|
|
+ xk = group.Scalar().Mul(xk, x)
|
|
|
+ }
|
|
|
+ // At this point, xk = x^n
|
|
|
+ proof.zd = group.Scalar().Add(proof.zd,
|
|
|
+ group.Scalar().Mul(priv.privkey, xk))
|
|
|
+
|
|
|
+ return proof
|
|
|
}
|
|
|
|
|
|
func Verify(params GroupParams, pub PubState, x kyber.Scalar, proof Proof) bool {
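Review bot: The two loops in ProofStep2, `for ; j <= n ; {` and `for ; k < n ; {`, are not gofmt-clean and hand-maintain a counter and a mask that the loop header could own; `for j := uint32(1); j <= n; j++ {` with `if priv.ell&(1<<(j-1)) != 0 {` and `for k := uint32(0); k < n; k++ {` express the same thing and let the `// mask = 2^(j-1)` comment go. Note also that `mask *= 2` wraps to 0 once j exceeds 32, so any bit beyond the 32nd is treated as zero; harmless while `ell` is a uint32 but worth a comment if n can ever exceed 32. `proof.f[0]`, `proof.za[0]` and `proof.zb[0]` are allocated but never assigned and stay nil, which matches the 1-based `pub.cl`/`ca`/`cb` from ProofStep1 but means any consumer that ranges over the whole slice dereferences nil; Verify begins on the hunk's last line and continues outside it, so I could not confirm how it indexes. In GenChallenge the unused `pub` parameter is explained by its comment and is fine for the interactive variant.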
|