fixing valid permutation matrix proofs so that only one challenge is used, not one per element

prsona/src/base.cpp

@@ -1,4 +1,5 @@
 #include <iostream>
+#include <fstream>
 
 #include "base.hpp"
 
@@ -799,44 +800,78 @@ std::vector<Proof> PrsonaBase::generate_valid_permutation_proof(
         return retval;
     }
 
+    Curvepoint g, h;
+    g = EL_GAMAL_GENERATOR;
+    h = elGamalBlindGenerator;
+
+    std::stringstream oracleInput;
+    oracleInput << g << h;
+
+    retval.push_back(Proof());
+    std::vector<std::vector<Scalar>> a, s, t;
+
+    for (size_t i = 0; i < commits.size(); i++)
+    {
+        std::vector<Scalar> currA, currS, currT;
+        for (size_t j = 0; j < commits[i].size(); j++)
+        {
+            oracleInput << commits[i][j];
+
+            currA.push_back(Scalar());
+            currS.push_back(Scalar());
+            currT.push_back(Scalar());
+
+            retval.push_back(Proof());
+        }
+
+        a.push_back(currA);
+        s.push_back(currS);
+        t.push_back(currT);
+    }
+
     // Taken from Fig. 1 in https://eprint.iacr.org/2014/764.pdf
     for (size_t i = 0; i < permutations.size(); i++)
     {
         for (size_t j = 0; j < permutations[i].size(); j++)
         {
-            Proof currProof;
-            Curvepoint g, h, C, C_a, C_b;
-            g = EL_GAMAL_GENERATOR;
-            h = elGamalBlindGenerator;
+            Curvepoint C, C_a, C_b;
         
-            Scalar a, s, t, p, r;
-            a.set_random();
-            s.set_random();
-            t.set_random();
+            Scalar p, r;
+            a[i][j].set_random();
+            s[i][j].set_random();
+            t[i][j].set_random();
             p = permutations[i][j];
             r = seeds[i][j];
             
             C = commits[i][j];
 
-            C_a = g * a + h * s;
-            C_b = g * a * p + h * t;
+            C_a = g * a[i][j] + h * s[i][j];
+            C_b = g * a[i][j] * p + h * t[i][j];
 
-            std::stringstream oracleInput;
-            oracleInput << g << h << C << C_a << C_b;
+            oracleInput << C << C_a << C_b;
+        }
+    }
 
-            Scalar x = oracle(oracleInput.str());
-            currProof.challengeParts.push_back(x);
+    Scalar x = oracle(oracleInput.str());
+    retval[0].challengeParts.push_back(x);
 
-            Scalar f, z_a, z_b;
-            f = p * x + a;
-            z_a = r * x + s;
-            z_b = r * (x - f) + t;
+    for (size_t i = 0; i < permutations.size(); i++)
+    {
+        for (size_t j = 0; j < permutations[i].size(); j++)
+        {
+            size_t piIndex = i * permutations.size() + j + 1;
 
-            currProof.responseParts.push_back(f);
-            currProof.responseParts.push_back(z_a);
-            currProof.responseParts.push_back(z_b);
+            Scalar f, z_a, z_b, p, r;
+            p = permutations[i][j];
+            r = seeds[i][j];
 
-            retval.push_back(currProof);
+            f = p * x + a[i][j];
+            z_a = r * x + s[i][j];
+            z_b = r * (x - f) + t[i][j];
+
+            retval[piIndex].responseParts.push_back(f);
+            retval[piIndex].responseParts.push_back(z_a);
+            retval[piIndex].responseParts.push_back(z_b);
         }
     }
 
@@ -861,18 +896,26 @@ bool PrsonaBase::verify_valid_permutation_proof(
     g = EL_GAMAL_GENERATOR;
     h = elGamalBlindGenerator;
 
+    std::stringstream oracleInput;
+    oracleInput << g << h;
+
+    for (size_t i = 0; i < commits.size(); i++)
+        for (size_t j = 0; j < commits[i].size(); j++)
+            oracleInput << commits[i][j];
+
+    Scalar x = pi[0].challengeParts[0];
+
     for (size_t i = 0; i < commits.size(); i++)
     {
         for (size_t j = 0; j < commits[i].size(); j++)
         {
-            size_t piIndex = i * commits.size() + j;
+            size_t piIndex = i * commits.size() + j + 1;
 
             Curvepoint C, C_a, C_b;
 
             C = commits[i][j];
 
-            Scalar x, f, z_a, z_b;
-            x = pi[piIndex].challengeParts[0];
+            Scalar f, z_a, z_b;
             f = pi[piIndex].responseParts[0];
             z_a = pi[piIndex].responseParts[1];
             z_b = pi[piIndex].responseParts[2];
@@ -881,17 +924,16 @@ bool PrsonaBase::verify_valid_permutation_proof(
             C_a = g * f + h * z_a - C * x;
             C_b = h * z_b - C * (x - f);
 
-            std::stringstream oracleInput;
-            oracleInput << g << h << C << C_a << C_b;
-
-            if (oracle(oracleInput.str()) != x)
-            {
-                std::cerr << "0 or 1 proof failed at index " << i << " of " << pi.size() - 1 << ", aborting." << std::endl;
-                return false;
-            }
+            oracleInput << C << C_a << C_b;
         }
     }
 
+    if (oracle(oracleInput.str()) != x)
+    {
+        std::cerr << "0 or 1 proof failed, aborting." << std::endl;
+        return false;
+    }
+
     for (size_t i = 0; i < commits.size(); i++)
     {
         Curvepoint sum = commits[i][0];
@@ -1435,6 +1477,10 @@ std::vector<Proof> PrsonaBase::generate_proof_of_reordering(
 
             oracleInput << U1 << U2;
 
+            std::stringstream out1, out2;
+            out1 << U1;
+            out2 << U2;
+
             curraRow.push_back(curra);
             currt1Row.push_back(currt1);
             currt2Row.push_back(currt2);
@@ -1523,6 +1569,10 @@ bool PrsonaBase::verify_proof_of_reordering(
                 productCommits[i][j] * x;
 
             oracleInput << U1 << U2;
+
+            std::stringstream out1, out2;
+            out1 << U1;
+            out2 << U2;
         }
     }