12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879808182838485868788899091929394959697989910010110210310410510610710810911011111211311411511611711811912012112212312412512612712812913013113213313413513613713813914014114214314414514614714814915015115215315415515615715815916016116216316416516616716816917017117217317417517617717817918018118218318418518618718818919019119219319419519619719819920020120220320420520620720820921021121221321421521621721821922022122222322422522622722822923023123223323423523623723823924024124224324424524624724824925025125225325425525625725825926026126226326426526626726826927027127227327427527627727827928028128228328428528628728828929029129229329429529629729829930030130230330430530630730830931031131231331431531631731831932032132232332432532632732832933033133233333433533633733833934034134234334434534634734834935035135235335435535635735835936036136236336436536636736836937037137237337437537637737837938038138238338438538638738838939039139239339439539639739839940040140240340440540640740840941041141241341441541641741841942042142242342442542642742842943043143243343443543643743843944044144244344444544644744844945045145245345445545645745845946046146246346446546646746846947047147247347447547647747847948048148248348448548648748848949049149249349449549649749849950050150250350450550650750850951051151251351451551651751851952052152252352452552652752852953053153253353453553653753853954054154254354454554654754854955055155255355455555655755855956056156256356456556656756856957057157257357457557657757857958058158258358458558658758858959059159259359459559659759859960060160260360460560660760860961061161261361461561661761861962062162262362462562662762862963063163263363463563663763863964064164264364464564664764864965065165265365465565665765865966066166266366466566666766866967067167267367467567667767867968068168268368468568668768868969069169269369469569669769869970070170270
37047057067077087097107117127137147157167177187197207217227237247257267277287297307317327337347357367377387397407417427437447457467477487497507517527537547557567577587597607617627637647657667677687697707717727737747757767777787797807817827837847857867877887897907917927937947957967977987998008018028038048058068078088098108118128138148158168178188198208218228238248258268278288298308318328338348358368378388398408418428438448458468478488498508518528538548558568578588598608618628638648658668678688698708718728738748758768778788798808818828838848858868878888898908918928938948958968978988999009019029039049059069079089099109119129139149159169179189199209219229239249259269279289299309319329339349359369379389399409419429439449459469479489499509519529539549559569579589599609619629639649659669679689699709719729739749759769779789799809819829839849859869879889899909919929939949959969979989991000100110021003100410051006100710081009101010111012101310141015101610171018101910201021102210231024102510261027102810291030103110321033103410351036103710381039104010411042104310441045104610471048104910501051105210531054105510561057105810591060106110621063106410651066106710681069107010711072107310741075107610771078107910801081108210831084108510861087108810891090109110921093109410951096109710981099110011011102110311041105110611071108110911101111111211131114111511161117111811191120112111221123112411251126112711281129113011311132113311341135113611371138113911401141114211431144114511461147114811491150115111521153115411551156115711581159116011611162116311641165116611671168116911701171117211731174117511761177117811791180118111821183118411851186118711881189119011911192119311941195119611971198119912001201120212031204120512061207120812091210121112121213121412151216121712181219122012211222122312241225122612271228122912301231123212331234123512361237123812391240124112421243124412451246124712481249125012511252125312541255125612571258125912601261126212631264126512661267126812691270127112721273127412751276127
71278127912801281128212831284128512861287128812891290129112921293129412951296129712981299130013011302130313041305130613071308130913101311131213131314131513161317131813191320132113221323132413251326132713281329133013311332133313341335133613371338133913401341134213431344134513461347134813491350135113521353135413551356135713581359136013611362136313641365136613671368136913701371137213731374137513761377137813791380138113821383138413851386138713881389139013911392139313941395139613971398139914001401140214031404140514061407140814091410141114121413141414151416141714181419142014211422142314241425142614271428142914301431143214331434143514361437143814391440144114421443144414451446144714481449145014511452145314541455145614571458145914601461146214631464146514661467146814691470147114721473147414751476147714781479148014811482148314841485148614871488148914901491149214931494149514961497149814991500150115021503150415051506150715081509151015111512151315141515151615171518151915201521152215231524152515261527152815291530153115321533153415351536153715381539154015411542154315441545154615471548154915501551155215531554155515561557155815591560156115621563156415651566156715681569157015711572157315741575157615771578157915801581158215831584158515861587158815891590159115921593159415951596159715981599160016011602160316041605160616071608160916101611161216131614161516161617161816191620162116221623162416251626162716281629163016311632163316341635163616371638163916401641164216431644164516461647 |
- #include <iostream>
- #include "base.hpp"
- extern const scalar_t bn_n;
- extern const curvepoint_fp_t bn_curvegen;
- /* These lines need to be here so these static variables are defined,
- * but in C++ putting code here doesn't actually execute
- * (or at least, with g++, whenever it would execute is not at a useful time)
- * so we have an init() function to actually put the correct values in them. */
- Curvepoint PrsonaBase::EL_GAMAL_GENERATOR = Curvepoint();
- Scalar PrsonaBase::SCALAR_N = Scalar();
- Scalar PrsonaBase::DEFAULT_TALLY = Scalar();
- Scalar PrsonaBase::DEFAULT_VOTE = Scalar();
- bool PrsonaBase::SERVER_IS_MALICIOUS = false;
- bool PrsonaBase::CLIENT_IS_MALICIOUS = false;
- size_t PrsonaBase::MAX_ALLOWED_VOTE = 2;
- // Quick and dirty function to calculate ceil(log base 2) with mpz_class
- mpz_class log2(mpz_class x)
- {
- mpz_class retval = 0;
- while (x > 0)
- {
- retval++;
- x = x >> 1;
- }
- return retval;
- }
- mpz_class bit(mpz_class x)
- {
- return x > 0 ? 1 : 0;
- }
- /********************
- * PUBLIC FUNCTIONS *
- ********************/
- /*
- * SETUP FUNCTIONS
- */
- // Must be called once before any usage of this class
- void PrsonaBase::init()
- {
- EL_GAMAL_GENERATOR = Curvepoint(bn_curvegen);
- SCALAR_N = Scalar(bn_n);
- DEFAULT_TALLY = Scalar(1);
- DEFAULT_VOTE = Scalar(1);
- }
- // Call this (once) if using malicious-security servers
- void PrsonaBase::set_server_malicious()
- {
- SERVER_IS_MALICIOUS = true;
- }
- // Call this (once) if using malicious-security clients
- void PrsonaBase::set_client_malicious()
- {
- CLIENT_IS_MALICIOUS = true;
- }
- /*
- * CONST GETTERS
- */
- size_t PrsonaBase::get_max_allowed_vote()
- {
- return MAX_ALLOWED_VOTE;
- }
- Curvepoint PrsonaBase::get_blinding_generator() const
- {
- return elGamalBlindGenerator;
- }
- Curvepoint PrsonaBase::get_blinding_generator(std::vector<Proof>& pi) const
- {
- pi = elGamalBlindGeneratorProof;
- return elGamalBlindGenerator;
- }
- /***********************
- * PROTECTED FUNCTIONS *
- ***********************/
- /*
- * PRIVATE ELEMENT SETTER
- */
- bool PrsonaBase::set_EG_blind_generator(
- const std::vector<Proof>& pi,
- const Curvepoint& currGenerator,
- size_t numServers)
- {
- if (!verify_generator_proof(pi, currGenerator, numServers))
- return false;
- elGamalBlindGeneratorProof = pi;
- elGamalBlindGenerator = currGenerator;
- return true;
- }
- /*
- * BINARY SEARCH
- */
- /* Completely normal binary search
- * There might be a standard function for this in <algorithms>?
- * But it returns an iterator, not a size_t, so less useful. */
- size_t PrsonaBase::binary_search(
- const std::vector<Curvepoint> list, const Curvepoint& index) const
- {
- size_t lo, hi;
- lo = 0;
- hi = list.size() - 1;
- while (lo < hi)
- {
- size_t mid = (lo + hi) / 2;
- if (list[mid] < index)
- lo = mid + 1;
- else if (index == list[mid])
- return mid;
- else if (mid == lo)
- return lo;
- else hi = mid - 1;
- }
- return lo;
- }
- /*
- * SCHNORR PROOFS
- */
- Proof PrsonaBase::schnorr_generation(
- const Curvepoint& generator,
- const Curvepoint& commitment,
- const Scalar& log) const
- {
- Proof retval;
- std::stringstream oracleInput;
-
- Scalar u;
- u.set_random();
-
- Curvepoint U = generator * u;
- oracleInput << generator << commitment << U;
- Scalar x = oracle(oracleInput.str());
- Scalar z = log * x + u;
- retval.challengeParts.push_back(x);
- retval.responseParts.push_back(z);
- return retval;
- }
- bool PrsonaBase::schnorr_verification(
- const Curvepoint& generator,
- const Curvepoint& commitment,
- const Scalar& x,
- const Scalar& z) const
- {
- Curvepoint U = generator * z - commitment * x;
- std::stringstream oracleInput;
- oracleInput << generator << commitment << U;
-
- return x == oracle(oracleInput.str());
- }
- /*
- * OWNERSHIP PROOFS
- */
- // Prove ownership of the short term public key
- Proof PrsonaBase::generate_ownership_proof(
- const Curvepoint& generator,
- const Curvepoint& commitment,
- const Scalar& log) const
- {
- if (!CLIENT_IS_MALICIOUS)
- {
- Proof retval;
- retval.hbc = "PROOF";
- return retval;
- }
- return schnorr_generation(generator, commitment, log);
- }
- bool PrsonaBase::verify_ownership_proof(
- const Proof& pi,
- const Curvepoint& generator,
- const Curvepoint& commitment) const
- {
- if (!CLIENT_IS_MALICIOUS)
- return pi.hbc == "PROOF";
- Scalar c = pi.challengeParts[0];
- Scalar z = pi.responseParts[0];
- return schnorr_verification(generator, commitment, c, z);
- }
- /*
- * ITERATED SCHNORR PROOFS
- */
- Proof PrsonaBase::add_to_generator_proof(
- const Curvepoint& currGenerator,
- const Scalar& seed) const
- {
- Proof retval;
- if (!CLIENT_IS_MALICIOUS)
- {
- retval.hbc = "PROOF";
- return retval;
- }
- Curvepoint nextGenerator = currGenerator * seed;
- retval = schnorr_generation(currGenerator, nextGenerator, seed);
- retval.curvepointUniversals.push_back(currGenerator);
- return retval;
- }
- bool PrsonaBase::verify_generator_proof(
- const std::vector<Proof>& pi,
- const Curvepoint& currGenerator,
- size_t numServers) const
- {
- if (pi.size() != numServers || numServers == 0)
- return false;
- bool retval = true;
- if (!SERVER_IS_MALICIOUS)
- {
- for (size_t i = 0; i < pi.size(); i++)
- retval = retval && pi[i].hbc == "PROOF";
- return retval;
- }
- if (pi[0].curvepointUniversals[0] != EL_GAMAL_GENERATOR)
- return false;
- for (size_t i = 0; i < pi.size(); i++)
- {
- Curvepoint generator = pi[i].curvepointUniversals[0];
- Curvepoint commitment = (i == pi.size() - 1 ?
- currGenerator :
- pi[i + 1].curvepointUniversals[0]);
- Scalar c = pi[i].challengeParts[0];
- Scalar z = pi[i].responseParts[0];
- retval = retval &&
- schnorr_verification(generator, commitment, c, z);
- if (!retval)
- std::cerr << "Error in index " << i+1 << " of " << pi.size() << std::endl;
- }
-
- return retval;
- }
- /*
- * REPUTATION PROOFS
- */
- // A pretty straightforward range proof (generation)
- std::vector<Proof> PrsonaBase::generate_reputation_proof(
- const Proof& ownershipProof,
- const EGCiphertext& commitment,
- const Scalar& currentScore,
- const Scalar& threshold,
- const Scalar& inverseKey,
- size_t numClients) const
- {
- std::vector<Proof> retval;
- // Base case
- if (!CLIENT_IS_MALICIOUS)
- {
- retval.push_back(Proof("PROOF"));
- return retval;
- }
- // Don't even try if the user asks to make an illegitimate proof
- if (threshold.toInt() > (numClients * MAX_ALLOWED_VOTE))
- return retval;
- // We really have two consecutive proofs in a junction.
- // The first is to prove that we are the stpk we claim we are
- retval.push_back(ownershipProof);
- // The value we're actually using in our proof
- mpz_class proofVal = (currentScore - threshold).toInt();
- // Top of the range in our proof determined by what scores are even possible
- mpz_class proofBits =
- log2(numClients * MAX_ALLOWED_VOTE - threshold.toInt());
-
- // Don't risk a situation that would divulge our private key
- if (proofBits <= 1)
- proofBits = 2;
- // This seems weird, but remember our base is A_t^r, not g^t
- std::vector<Scalar> masksPerBit;
- masksPerBit.push_back(inverseKey);
- for (size_t i = 1; i < proofBits; i++)
- {
- Scalar currMask;
- currMask.set_random();
- masksPerBit.push_back(currMask);
- masksPerBit[0] =
- masksPerBit[0] - (currMask * Scalar(1 << i));
- }
- // Taken from Fig. 1 in https://eprint.iacr.org/2014/764.pdf
- for (size_t i = 0; i < proofBits; i++)
- {
- Proof currProof;
- Curvepoint g, h, C, C_a, C_b;
- g = commitment.mask;
- h = elGamalBlindGenerator;
-
- mpz_class currBit = bit(proofVal & (1 << i));
- Scalar a, s, t, m, r;
- a.set_random();
- s.set_random();
- t.set_random();
- m = Scalar(currBit);
- r = masksPerBit[i];
-
- C = g * r + h * m;
- currProof.curvepointUniversals.push_back(C);
- C_a = g * s + h * a;
- C_b = g * t + h * a * m;
- std::stringstream oracleInput;
- oracleInput << g << h << C << C_a << C_b;
- Scalar x = oracle(oracleInput.str());
- currProof.challengeParts.push_back(x);
- Scalar f, z_a, z_b;
- f = m * x + a;
- z_a = r * x + s;
- z_b = r * (x - f) + t;
- currProof.responseParts.push_back(f);
- currProof.responseParts.push_back(z_a);
- currProof.responseParts.push_back(z_b);
- retval.push_back(currProof);
- }
- return retval;
- }
- // A pretty straightforward range proof (verification)
- bool PrsonaBase::verify_reputation_proof(
- const std::vector<Proof>& pi,
- const Curvepoint& generator,
- const Curvepoint& owner,
- const EGCiphertext& commitment,
- const Scalar& threshold) const
- {
- // Reject outright if there's no proof to check
- if (pi.empty())
- {
- std::cerr << "Proof was empty, aborting." << std::endl;
- return false;
- }
- // If the range is so big that it wraps around mod n,
- // there's a chance the user actually made a proof for a very low reputation
- if (pi.size() > 256)
- {
- std::cerr << "Proof was too big, prover could have cheated." << std::endl;
- return false;
- }
- if (!CLIENT_IS_MALICIOUS)
- return pi[0].hbc == "PROOF";
- Scalar ownerChallenge, ownerResponse;
- ownerChallenge = pi[0].challengeParts[0];
- ownerResponse = pi[0].responseParts[0];
- // User should be able to prove they are who they say they are
- if (!schnorr_verification(generator, owner, ownerChallenge, ownerResponse))
- {
- std::cerr << "Schnorr proof failed, aborting." << std::endl;
- return false;
- }
- // X is the thing we're going to be checking in on throughout
- // to try to get our score commitment back in the end.
- Curvepoint X;
- for (size_t i = 1; i < pi.size(); i++)
- {
- Curvepoint C, g, h;
- C = pi[i].curvepointUniversals[0];
- g = commitment.mask;
- h = elGamalBlindGenerator;
- X = X + C * Scalar(1 << (i - 1));
- Scalar x, f, z_a, z_b;
- x = pi[i].challengeParts[0];
- f = pi[i].responseParts[0];
- z_a = pi[i].responseParts[1];
- z_b = pi[i].responseParts[2];
- // Taken from Fig. 1 in https://eprint.iacr.org/2014/764.pdf
- Curvepoint C_a, C_b;
- C_a = g * z_a + h * f - C * x;
- C_b = g * z_b - C * (x - f);
- std::stringstream oracleInput;
- oracleInput << g << h << C << C_a << C_b;
- if (oracle(oracleInput.str()) != x)
- {
- std::cerr << "0 or 1 proof failed at index " << i << " of " << pi.size() - 1 << ", aborting." << std::endl;
- return false;
- }
- }
- Curvepoint scoreCommitment =
- commitment.encryptedMessage +
- elGamalBlindGenerator * -threshold;
-
- return X == scoreCommitment;
- }
- /*
- * VALID VOTE PROOFS
- */
- std::vector<Proof> PrsonaBase::generate_vote_proof(
- const Proof& ownershipProof,
- const CurveBipoint& g,
- const CurveBipoint& h,
- const std::vector<bool>& replaces,
- const std::vector<CurveBipoint>& oldEncryptedVotes,
- const std::vector<CurveBipoint>& newEncryptedVotes,
- const std::vector<Scalar>& seeds,
- const std::vector<Scalar>& votes) const
- {
- std::vector<Proof> retval;
- // Base case
- if (!CLIENT_IS_MALICIOUS)
- {
- retval.push_back(Proof("PROOF"));
-
- return retval;
- }
- // The first need is to prove that we are the stpk we claim we are
- retval.push_back(ownershipProof);
- // Then, we iterate over all votes for the proofs that they are correct
- for (size_t i = 0; i < replaces.size(); i++)
- {
- std::stringstream oracleInput;
- oracleInput << g << h << oldEncryptedVotes[i] << newEncryptedVotes[i];
- Scalar m = votes[i];
- Scalar r = seeds[i];
-
- /* This proof structure is documented in my notes.
- * It's inspired by the proof in Fig. 1 at
- * https://eprint.iacr.org/2014/764.pdf, but adapted so that you prove
- * m(m-1)(m-2) = 0 instead of m(m-1) = 0.
- *
- * The rerandomization part is just a slight variation on an
- * ordinary Schnorr proof, so that part's less scary. */
- if (replaces[i]) // CASE: Make new vote
- {
- Proof currProof;
- Scalar x_r, z_r, a, s, t_1, t_2;
- x_r.set_random();
- z_r.set_random();
- a.set_random();
- s.set_random();
- t_1.set_random();
- t_2.set_random();
- CurveBipoint U = h * z_r +
- oldEncryptedVotes[i] * x_r -
- newEncryptedVotes[i] * x_r;
- CurveBipoint C_a = g * a + h * s;
- Scalar power = ((a + a) * m * m - (a + a + a) * m);
- CurveBipoint C_b = g * power + h * t_1;
- currProof.curveBipointUniversals.push_back(C_b);
- CurveBipoint C_c = g * (a * a * m) +
- h * t_2;
- oracleInput << U << C_a << C_b << C_c;
- Scalar x = oracle(oracleInput.str());
- Scalar x_n = x - x_r;
- currProof.challengeParts.push_back(x_r);
- currProof.challengeParts.push_back(x_n);
- Scalar f = m * x_n + a;
- Scalar z_na = r * x_n + s;
- Scalar z_nb =
- r * (f - x_n) * (x_n + x_n - f) + t_1 * x_n + t_2;
- currProof.responseParts.push_back(z_r);
- currProof.responseParts.push_back(f);
- currProof.responseParts.push_back(z_na);
- currProof.responseParts.push_back(z_nb);
- retval.push_back(currProof);
- }
- else // CASE: Rerandomize existing vote
- {
- Proof currProof;
- Scalar u, commitmentLambda_1, commitmentLambda_2,
- x_n, z_na, z_nb, f;
- u.set_random();
- commitmentLambda_1.set_random();
- commitmentLambda_2.set_random();
- x_n.set_random();
- z_na.set_random();
- z_nb.set_random();
- f.set_random();
- CurveBipoint U = h * u;
- CurveBipoint C_a = g * f +
- h * z_na -
- newEncryptedVotes[i] * x_n;
- CurveBipoint C_b = g * commitmentLambda_1 + h * commitmentLambda_2;
- currProof.curveBipointUniversals.push_back(C_b);
- CurveBipoint C_c =
- h * z_nb -
- newEncryptedVotes[i] * ((f - x_n) * (x_n + x_n - f)) -
- C_b * x_n;
- oracleInput << U << C_a << C_b << C_c;
- Scalar x = oracle(oracleInput.str());
- Scalar x_r = x - x_n;
- currProof.challengeParts.push_back(x_r);
- currProof.challengeParts.push_back(x_n);
- Scalar z_r = r * x_r + u;
- currProof.responseParts.push_back(z_r);
- currProof.responseParts.push_back(f);
- currProof.responseParts.push_back(z_na);
- currProof.responseParts.push_back(z_nb);
- retval.push_back(currProof);
- }
- }
- return retval;
- }
- bool PrsonaBase::verify_vote_proof(
- const CurveBipoint& g,
- const CurveBipoint& h,
- const std::vector<Proof>& pi,
- const std::vector<CurveBipoint>& oldEncryptedVotes,
- const std::vector<CurveBipoint>& newEncryptedVotes,
- const Curvepoint& freshGenerator,
- const Curvepoint& owner) const
- {
- // Reject outright if there's no proof to check
- if (pi.empty())
- {
- std::cerr << "Proof was empty, aborting." << std::endl;
- return false;
- }
- // Base case
- if (!CLIENT_IS_MALICIOUS)
- return pi[0].hbc == "PROOF";
- // User should be able to prove they are who they say they are
- if (!verify_ownership_proof(pi[0], freshGenerator, owner))
- {
- std::cerr << "Schnorr proof failed, aborting." << std::endl;
- return false;
- }
- /* This proof structure is documented in my notes.
- * It's inspired by the proof in Fig. 1 at
- * https://eprint.iacr.org/2014/764.pdf, but adapted so that you prove
- * m(m-1)(m-2) = 0 instead of m(m-1) = 0.
- *
- * The rerandomization part is just a slight variation on an
- * ordinary Schnorr proof, so that part's less scary. */
- for (size_t i = 1; i < pi.size(); i++)
- {
- size_t voteIndex = i - 1;
- CurveBipoint C_b;
- C_b = pi[i].curveBipointUniversals[0];
- Scalar x_r, x_n, z_r, f, z_na, z_nb;
- x_r = pi[i].challengeParts[0];
- x_n = pi[i].challengeParts[1];
- z_r = pi[i].responseParts[0];
- f = pi[i].responseParts[1];
- z_na = pi[i].responseParts[2];
- z_nb = pi[i].responseParts[3];
- CurveBipoint U, C_a, C_c;
- U = h * z_r +
- oldEncryptedVotes[voteIndex] * x_r -
- newEncryptedVotes[voteIndex] * x_r;
- C_a = g * f + h * z_na - newEncryptedVotes[voteIndex] * x_n;
- C_c = h * z_nb -
- newEncryptedVotes[voteIndex] * ((f - x_n) * (x_n + x_n - f)) -
- C_b * x_n;
- std::stringstream oracleInput;
- oracleInput << g << h
- << oldEncryptedVotes[voteIndex] << newEncryptedVotes[voteIndex]
- << U << C_a << C_b << C_c;
- if (oracle(oracleInput.str()) != x_r + x_n)
- return false;
- }
- return true;
- }
- /*
- * NEW USER PROOFS
- */
- std::vector<Proof> PrsonaBase::generate_proof_of_added_user(
- const Scalar& twistBipointSeed,
- const Scalar& EGCiphertextSeed,
- const std::vector<Scalar>& curveBipointSelfSeeds,
- const std::vector<Scalar>& curveBipointOtherSeeds) const
- {
- std::vector<Proof> retval;
- if (!SERVER_IS_MALICIOUS)
- {
- retval.push_back(Proof("PROOF"));
- return retval;
- }
- Proof currProof;
- currProof.responseParts.push_back(twistBipointSeed);
- retval.push_back(currProof);
- currProof.responseParts.clear();
- currProof.responseParts.push_back(EGCiphertextSeed);
- retval.push_back(currProof);
- currProof.responseParts.clear();
- for (size_t i = 0; i < curveBipointSelfSeeds.size(); i++)
- currProof.responseParts.push_back(curveBipointSelfSeeds[i]);
- retval.push_back(currProof);
- currProof.responseParts.clear();
- for (size_t i = 0; i < curveBipointOtherSeeds.size(); i++)
- currProof.responseParts.push_back(curveBipointOtherSeeds[i]);
- retval.push_back(currProof);
- return retval;
- }
- bool PrsonaBase::verify_proof_of_added_user(
- const std::vector<Proof>& pi,
- const Curvepoint& currentFreshGenerator,
- const Curvepoint& shortTermPublicKey,
- const CurveBipoint& curveG,
- const CurveBipoint& curveH,
- const TwistBipoint& twistG,
- const TwistBipoint& twistH,
- size_t selfIndex,
- const EGCiphertext& userEncryptedScore,
- const TwistBipoint& serverEncryptedScore,
- const std::vector<std::vector<CurveBipoint>> encryptedVoteMatrix) const
- {
- if (pi.empty())
- {
- std::cerr << "Proof empty." << std::endl;
- return false;
- }
- if (!SERVER_IS_MALICIOUS)
- return pi[0].hbc == "PROOF";
- Scalar currSeed = pi[0].responseParts[0];
- if (serverEncryptedScore !=
- twistG * DEFAULT_TALLY + twistH * currSeed)
- {
- std::cerr << "Issue in server encrypted score." << std::endl;
- return false;
- }
- currSeed = pi[1].responseParts[0];
- if (userEncryptedScore.mask != shortTermPublicKey * currSeed)
- {
- std::cerr << "Issue in user encrypted score: mask." << std::endl;
- return false;
- }
- if (userEncryptedScore.encryptedMessage !=
- currentFreshGenerator * currSeed + elGamalBlindGenerator * DEFAULT_TALLY)
- {
- std::cerr << "Issue in user encrypted score: value." << std::endl;
- return false;
- }
-
- for (size_t i = 0; i < pi[2].responseParts.size(); i++)
- {
- CurveBipoint currVote = encryptedVoteMatrix[selfIndex][i];
- currSeed = pi[2].responseParts[i];
- if (i == selfIndex)
- {
- if (currVote !=
- curveG * Scalar(MAX_ALLOWED_VOTE) + curveH * currSeed)
- {
- std::cerr << "Issue in self vote." << std::endl;
- return false;
- }
- }
- else
- {
- if (currVote !=
- curveG * DEFAULT_VOTE + curveH * currSeed)
- {
- std::cerr << "Issue in vote by verifier for user " << i + 1
- << " of " << pi[2].responseParts.size() << "." << std::endl;
- return false;
- }
- }
- }
- for (size_t i = 0; i < pi[3].responseParts.size(); i++)
- {
- CurveBipoint currVote = encryptedVoteMatrix[i][selfIndex];
- currSeed = pi[3].responseParts[i];
- if (i != selfIndex)
- {
- if (currVote !=
- curveG * DEFAULT_VOTE + curveH * currSeed)
- {
- std::cerr << "Issue in vote for verifier by user " << i + 1
- << " of " << pi[3].responseParts.size() << "." << std::endl;
- return false;
- }
- }
- }
- return true;
- }
- /*
- * EPOCH PROOFS
- */
- std::vector<Proof> PrsonaBase::generate_valid_permutation_proof(
- const std::vector<std::vector<Scalar>>& permutations,
- const std::vector<std::vector<Scalar>>& seeds,
- const std::vector<std::vector<Curvepoint>>& commits) const
- {
- std::vector<Proof> retval;
- if (!SERVER_IS_MALICIOUS)
- {
- retval.push_back(Proof("PROOF"));
- return retval;
- }
- // Taken from Fig. 1 in https://eprint.iacr.org/2014/764.pdf
- for (size_t i = 0; i < permutations.size(); i++)
- {
- for (size_t j = 0; j < permutations[i].size(); j++)
- {
- Proof currProof;
- Curvepoint g, h, C, C_a, C_b;
- g = EL_GAMAL_GENERATOR;
- h = elGamalBlindGenerator;
-
- Scalar a, s, t, p, r;
- a.set_random();
- s.set_random();
- t.set_random();
- p = permutations[i][j];
- r = seeds[i][j];
-
- C = commits[i][j];
- C_a = g * a + h * s;
- C_b = g * a * p + h * t;
- std::stringstream oracleInput;
- oracleInput << g << h << C << C_a << C_b;
- Scalar x = oracle(oracleInput.str());
- currProof.challengeParts.push_back(x);
- Scalar f, z_a, z_b;
- f = p * x + a;
- z_a = r * x + s;
- z_b = r * (x - f) + t;
- currProof.responseParts.push_back(f);
- currProof.responseParts.push_back(z_a);
- currProof.responseParts.push_back(z_b);
- retval.push_back(currProof);
- }
- }
- return retval;
- }
- bool PrsonaBase::verify_valid_permutation_proof(
- const std::vector<Proof>& pi,
- const std::vector<std::vector<Curvepoint>>& commits) const
- {
- // Reject outright if there's no proof to check
- if (pi.empty())
- {
- std::cerr << "Proof was empty, aborting." << std::endl;
- return false;
- }
- if (!SERVER_IS_MALICIOUS)
- return pi[0].hbc == "PROOF";
- Curvepoint g, h;
- g = EL_GAMAL_GENERATOR;
- h = elGamalBlindGenerator;
- for (size_t i = 0; i < commits.size(); i++)
- {
- for (size_t j = 0; j < commits[i].size(); j++)
- {
- size_t piIndex = i * commits.size() + j;
- Curvepoint C, C_a, C_b;
- C = commits[i][j];
- Scalar x, f, z_a, z_b;
- x = pi[piIndex].challengeParts[0];
- f = pi[piIndex].responseParts[0];
- z_a = pi[piIndex].responseParts[1];
- z_b = pi[piIndex].responseParts[2];
- // Taken from Fig. 1 in https://eprint.iacr.org/2014/764.pdf
- C_a = g * f + h * z_a - C * x;
- C_b = h * z_b - C * (x - f);
- std::stringstream oracleInput;
- oracleInput << g << h << C << C_a << C_b;
- if (oracle(oracleInput.str()) != x)
- {
- std::cerr << "0 or 1 proof failed at index " << i << " of " << pi.size() - 1 << ", aborting." << std::endl;
- return false;
- }
- }
- }
- for (size_t i = 0; i < commits.size(); i++)
- {
- Curvepoint sum = commits[i][0];
- for (size_t j = 1; j < commits[i].size(); j++)
- sum = sum + commits[i][j];
- if (sum != g)
- {
- std::cerr << "Commits did not sum to g, aborting." << std::endl;
- return false;
- }
- }
- return true;
- }
- std::vector<Proof> PrsonaBase::generate_proof_of_reordering_plus_power(
- const std::vector<std::vector<Scalar>>& permutations,
- const Scalar& power,
- const std::vector<std::vector<Scalar>>& permutationSeeds,
- const std::vector<std::vector<Scalar>>& productSeeds,
- const std::vector<Curvepoint>& oldValues,
- const std::vector<std::vector<Curvepoint>>& permutationCommits,
- const std::vector<std::vector<Curvepoint>>& productCommits,
- const std::vector<std::vector<Curvepoint>>& seedCommits) const
- {
- std::vector<Proof> retval;
- if (!SERVER_IS_MALICIOUS)
- {
- retval.push_back(Proof("PROOF"));
- return retval;
- }
- Proof first;
- retval.push_back(first);
-
- Curvepoint g = EL_GAMAL_GENERATOR;
- Curvepoint h = elGamalBlindGenerator;
- std::stringstream oracleInput;
- oracleInput << g << h;
- for (size_t i = 0; i < permutationCommits.size(); i++)
- for (size_t j = 0; j < permutationCommits[i].size(); j++)
- oracleInput << permutationCommits[i][j];
- for (size_t i = 0; i < productCommits.size(); i++)
- for (size_t j = 0; j < productCommits[i].size(); j++)
- oracleInput << productCommits[i][j];
- for (size_t i = 0; i < seedCommits.size(); i++)
- for (size_t j = 0; j < seedCommits[i].size(); j++)
- oracleInput << seedCommits[i][j];
- std::cout << "Pre: " << oracle(oracleInput.str()) << std::endl;
- Scalar b1;
- b1.set_random();
- std::vector<std::vector<Scalar>> b2;
- std::vector<std::vector<Scalar>> t1;
- std::vector<std::vector<Scalar>> t2;
- for (size_t i = 0; i < permutationCommits.size(); i++)
- {
- std::vector<Scalar> currb2Row;
- std::vector<Scalar> currt1Row;
- std::vector<Scalar> currt2Row;
- for (size_t j = 0; j < permutationCommits[i].size(); j++)
- {
- Proof currProof;
- Scalar currb2;
- Scalar currt1;
- Scalar currt2;
- Curvepoint U1, U2, U3, U4;
- currb2.set_random();
- currt1.set_random();
- currt2.set_random();
- // Permutations go in weird order because of
- // matrix multiplication stuff
- U1 = g * currb2 + h * currt1;
- U2 = oldValues[i] *
- (b1 * permutations[j][i] + currb2 * power);
- U3 = oldValues[i] * b1 * currb2 + h * currt2;
- U4 = g * currt2;
- currProof.curvepointUniversals.push_back(U2);
- oracleInput << U1 << U2 << U3 << U4;
- std::cout << i * permutationCommits.size() + j + 1 << ": " << oracle(oracleInput.str()) << std::endl;
- std::stringstream out1, out2, out3, out4;
- out1 << U1;
- out2 << U2;
- out3 << U3;
- out4 << U4;
- std::cout << "U1: " << oracle(out1.str()) << std::endl;
- std::cout << "U2: " << oracle(out2.str()) << std::endl;
- std::cout << "U3: " << oracle(out3.str()) << std::endl;
- std::cout << "U4: " << oracle(out4.str()) << std::endl;
- currb2Row.push_back(currb2);
- currt1Row.push_back(currt1);
- currt2Row.push_back(currt2);
- retval.push_back(currProof);
- }
- b2.push_back(currb2Row);
- t1.push_back(currt1Row);
- t2.push_back(currt2Row);
- }
- Scalar x = oracle(oracleInput.str());
- retval[0].challengeParts.push_back(x);
- Scalar f1 = power * x + b1;
- retval[0].responseParts.push_back(f1);
- for (size_t i = 0; i < permutationCommits.size(); i++)
- {
- for (size_t j = 0; j < permutationCommits[i].size(); j++)
- {
- size_t piIndex = i * permutationCommits.size() + j + 1;
- // Permutations go in weird order because of
- // matrix multiplication stuff
- Scalar f2 = permutations[j][i] * x + b2[i][j];
- Scalar z1 = permutationSeeds[j][i] * x + t1[i][j];
- Scalar z2 = productSeeds[i][j] * x * x + t2[i][j];
- retval[piIndex].responseParts.push_back(f2);
- retval[piIndex].responseParts.push_back(z1);
- retval[piIndex].responseParts.push_back(z2);
- }
- }
- return retval;
- }
- bool PrsonaBase::verify_proof_of_reordering_plus_power(
- const std::vector<Proof>& pi,
- const std::vector<Curvepoint>& oldValues,
- const std::vector<std::vector<Curvepoint>>& permutationCommits,
- const std::vector<std::vector<Curvepoint>>& productCommits,
- const std::vector<std::vector<Curvepoint>>& seedCommits) const
- {
- if (pi.empty())
- return false;
- if (!SERVER_IS_MALICIOUS)
- return pi[0].hbc == "PROOF";
-
- Curvepoint g = EL_GAMAL_GENERATOR;
- Curvepoint h = elGamalBlindGenerator;
- std::stringstream oracleInput;
- oracleInput << g << h;
- for (size_t i = 0; i < permutationCommits.size(); i++)
- for (size_t j = 0; j < permutationCommits[i].size(); j++)
- oracleInput << permutationCommits[i][j];
- for (size_t i = 0; i < productCommits.size(); i++)
- for (size_t j = 0; j < productCommits[i].size(); j++)
- oracleInput << productCommits[i][j];
- for (size_t i = 0; i < seedCommits.size(); i++)
- for (size_t j = 0; j < seedCommits[i].size(); j++)
- oracleInput << seedCommits[i][j];
- std::cout << "Pre: " << oracle(oracleInput.str()) << std::endl;
- Scalar x = pi[0].challengeParts[0];
- Scalar f1 = pi[0].responseParts[0];
- for (size_t i = 0; i < permutationCommits.size(); i++)
- {
- for (size_t j = 0; j < permutationCommits[i].size(); j++)
- {
- size_t piIndex = i * permutationCommits.size() + j + 1;
- Curvepoint U1, U2, U3, U4;
- U2 = pi[piIndex].curvepointUniversals[0];
- Scalar f2 = pi[piIndex].responseParts[0];
- Scalar z1 = pi[piIndex].responseParts[1];
- Scalar z2 = pi[piIndex].responseParts[2];
- // Permutations go in weird order because of
- // matrix multiplication stuff
- U1 = g * f2 + h * z1 - permutationCommits[j][i] * x;
-
- U3 = oldValues[i] * f1 * f2 +
- h * z2 -
- productCommits[i][j] * x * x -
- U2 * x;
- U4 = g * z2 - seedCommits[i][j] * x * x;
- oracleInput << U1 << U2 << U3 << U4;
- std::cout << i * permutationCommits.size() + j + 1 << ": " << oracle(oracleInput.str()) << std::endl;
- std::stringstream out1, out2, out3, out4;
- out1 << U1;
- out2 << U2;
- out3 << U3;
- out4 << U4;
- std::cout << "U1: " << oracle(out1.str()) << std::endl;
- std::cout << "U2: " << oracle(out2.str()) << std::endl;
- std::cout << "U3: " << oracle(out3.str()) << std::endl;
- std::cout << "U4: " << oracle(out4.str()) << std::endl;
- }
- }
- if (x != oracle(oracleInput.str()))
- {
- std::cerr << "Fresh pseudonyms not generated by permutation matrix." << std::endl;
- return false;
- }
- for (size_t i = 0; i < seedCommits.size(); i++)
- {
- Curvepoint sum = seedCommits[i][0];
- for (size_t j = 1; j < seedCommits[i].size(); j++)
- sum = sum + seedCommits[i][j];
- if (sum != Curvepoint())
- {
- std::cerr << "seed commits did not sum to 0, aborting." << std::endl;
- return false;
- }
- }
- return true;
- }
- template <typename T>
- std::vector<Proof> PrsonaBase::generate_proof_of_reordering(
- const std::vector<std::vector<Scalar>>& permutations,
- const std::vector<std::vector<Scalar>>& permutationSeeds,
- const std::vector<std::vector<Scalar>>& productSeeds,
- const std::vector<T>& oldValues,
- const std::vector<std::vector<Curvepoint>>& permutationCommits,
- const std::vector<std::vector<T>>& productCommits,
- const T& otherG,
- const T& otherH,
- bool inverted) const
- {
- std::vector<Proof> retval;
- if (!SERVER_IS_MALICIOUS)
- {
- retval.push_back(Proof("PROOF"));
- return retval;
- }
- Proof first;
- retval.push_back(first);
- Curvepoint g = EL_GAMAL_GENERATOR;
- Curvepoint h = elGamalBlindGenerator;
- std::stringstream oracleInput;
- oracleInput << g << h << otherG << otherH;
- for (size_t i = 0; i < permutationCommits.size(); i++)
- for (size_t j = 0; j < permutationCommits[i].size(); j++)
- oracleInput << permutationCommits[i][j];
- for (size_t i = 0; i < productCommits.size(); i++)
- for (size_t j = 0; j < productCommits[i].size(); j++)
- oracleInput << productCommits[i][j];
- std::vector<std::vector<Scalar>> a;
- std::vector<std::vector<Scalar>> t1;
- std::vector<std::vector<Scalar>> t2;
- for (size_t i = 0; i < permutationCommits.size(); i++)
- {
- std::vector<Scalar> curraRow;
- std::vector<Scalar> currt1Row;
- std::vector<Scalar> currt2Row;
- for (size_t j = 0; j < permutationCommits[i].size(); j++)
- {
- Proof currProof;
- Scalar curra;
- Scalar currt1;
- Scalar currt2;
- Curvepoint U1;
- T U2;
- curra.set_random();
- currt1.set_random();
- currt2.set_random();
- U1 = g * curra + h * currt1;
- U2 = oldValues[i] * curra + otherH * currt2;
- oracleInput << U1 << U2;
- curraRow.push_back(curra);
- currt1Row.push_back(currt1);
- currt2Row.push_back(currt2);
- retval.push_back(currProof);
- }
- a.push_back(curraRow);
- t1.push_back(currt1Row);
- t2.push_back(currt2Row);
- }
- Scalar x = oracle(oracleInput.str());
- retval[0].challengeParts.push_back(x);
- for (size_t i = 0; i < permutationCommits.size(); i++)
- {
- for (size_t j = 0; j < permutationCommits[i].size(); j++)
- {
- size_t piIndex = i * permutationCommits.size() + j + 1;
- size_t permI, permJ;
- // Permutations normally go in weird order because of
- // matrix multiplication stuff
- if (inverted)
- {
- permI = i;
- permJ = j;
- }
- else
- {
- permI = j;
- permJ = i;
- }
- Scalar f = permutations[permI][permJ] * x + a[i][j];
- Scalar z1 = permutationSeeds[permI][permJ] * x + t1[i][j];
- Scalar z2 = productSeeds[i][j] * x + t2[i][j];
- retval[piIndex].responseParts.push_back(f);
- retval[piIndex].responseParts.push_back(z1);
- retval[piIndex].responseParts.push_back(z2);
- }
- }
- return retval;
- }
- template <typename T>
- bool PrsonaBase::verify_proof_of_reordering(
- const std::vector<Proof>& pi,
- const std::vector<T>& oldValues,
- const std::vector<std::vector<Curvepoint>>& permutationCommits,
- const std::vector<std::vector<T>>& productCommits,
- const T& otherG,
- const T& otherH,
- bool inverted) const
- {
- if (pi.empty())
- return false;
- if (!SERVER_IS_MALICIOUS)
- return pi[0].hbc == "PROOF";
- Curvepoint g = EL_GAMAL_GENERATOR;
- Curvepoint h = elGamalBlindGenerator;
- std::stringstream oracleInput;
- oracleInput << g << h << otherG << otherH;
- for (size_t i = 0; i < permutationCommits.size(); i++)
- for (size_t j = 0; j < permutationCommits[i].size(); j++)
- oracleInput << permutationCommits[i][j];
- for (size_t i = 0; i < productCommits.size(); i++)
- for (size_t j = 0; j < productCommits[i].size(); j++)
- oracleInput << productCommits[i][j];
- Scalar x = pi[0].challengeParts[0];
- for (size_t i = 0; i < permutationCommits.size(); i++)
- {
- for (size_t j = 0; j < permutationCommits[i].size(); j++)
- {
- size_t piIndex = i * permutationCommits.size() + j + 1;
- Curvepoint U1;
- T U2;
- Scalar f = pi[piIndex].responseParts[0];
- Scalar z1 = pi[piIndex].responseParts[1];
- Scalar z2 = pi[piIndex].responseParts[2];
- size_t permI, permJ;
- // Permutations normally go in weird order because of
- // matrix multiplication stuff
- if (inverted)
- {
- permI = i;
- permJ = j;
- }
- else
- {
- permI = j;
- permJ = i;
- }
- U1 = g * f + h * z1 -
- permutationCommits[permI][permJ] * x;
-
- U2 = oldValues[i] * f + otherH * z2 -
- productCommits[i][j] * x;
- oracleInput << U1 << U2;
- }
- }
- if (x != oracle(oracleInput.str()))
- {
- std::cerr << "Fresh pseudonyms not generated by permutation matrix." << std::endl;
- return false;
- }
- return true;
- }
- /*
- * SERVER AGREEMENT PROOFS
- */
- Proof PrsonaBase::generate_valid_vote_row_proof(
- const std::vector<CurveBipoint>& commitment) const
- {
- Proof retval;
- if (!SERVER_IS_MALICIOUS)
- {
- retval.hbc = "PROOF";
- return retval;
- }
- std::stringstream oracleInput;
- for (size_t i = 0; i < commitment.size(); i++)
- oracleInput << commitment[i];
- Scalar val = oracle(oracleInput.str());
- retval.responseParts.push_back(val);
- return retval;
- }
- Proof PrsonaBase::generate_valid_vote_matrix_proof(
- const std::vector<std::vector<CurveBipoint>>& commitment) const
- {
- Proof retval;
- if (!SERVER_IS_MALICIOUS)
- {
- retval.hbc = "PROOF";
- return retval;
- }
- std::stringstream oracleInput;
- for (size_t i = 0; i < commitment.size(); i++)
- for (size_t j = 0; j < commitment[i].size(); j++)
- oracleInput << commitment[i][j];
- Scalar val = oracle(oracleInput.str());
- retval.responseParts.push_back(val);
- return retval;
- }
- Proof PrsonaBase::generate_valid_user_tally_proof(
- const EGCiphertext& commitment) const
- {
- Proof retval;
- if (!SERVER_IS_MALICIOUS)
- {
- retval.hbc = "PROOF";
- return retval;
- }
- std::stringstream oracleInput;
- oracleInput << commitment;
- Scalar val = oracle(oracleInput.str());
- retval.responseParts.push_back(val);
- return retval;
- }
- Proof PrsonaBase::generate_valid_server_tally_proof(
- const TwistBipoint& commitment) const
- {
- Proof retval;
- if (!SERVER_IS_MALICIOUS)
- {
- retval.hbc = "PROOF";
- return retval;
- }
- std::stringstream oracleInput;
- oracleInput << commitment;
- Scalar val = oracle(oracleInput.str());
- retval.responseParts.push_back(val);
- return retval;
- }
- Proof PrsonaBase::generate_valid_pseudonyms_proof(
- const std::vector<Curvepoint>& commitment) const
- {
- Proof retval;
- if (!SERVER_IS_MALICIOUS)
- {
- retval.hbc = "PROOF";
- return retval;
- }
- std::stringstream oracleInput;
- for (size_t i = 0; i < commitment.size(); i++)
- oracleInput << commitment[i];
- Scalar val = oracle(oracleInput.str());
- retval.responseParts.push_back(val);
- return retval;
- }
- bool PrsonaBase::verify_valid_vote_row_proof(
- const std::vector<Proof>& pi,
- const std::vector<CurveBipoint>& commitment) const
- {
- if (pi.empty())
- return false;
- if (!SERVER_IS_MALICIOUS)
- return pi[0].hbc == "PROOF";
- Scalar comparison = pi[0].responseParts[0];
- std::stringstream oracleInput;
- for (size_t i = 0; i < commitment.size(); i++)
- oracleInput << commitment[i];
- if (oracle(oracleInput.str()) != comparison)
- {
- std::cerr << "Server's claimed value doesn't match their own commitment." << std::endl;
- return false;
- }
- size_t agreement = 1;
- for (size_t i = 1; i < pi.size(); i++)
- if (comparison == pi[i].responseParts[0])
- agreement++;
- return agreement * 2 > pi.size();
- }
- bool PrsonaBase::verify_valid_vote_matrix_proof(
- const std::vector<Proof>& pi,
- const std::vector<std::vector<CurveBipoint>>& commitment) const
- {
- if (pi.empty())
- return false;
- if (!SERVER_IS_MALICIOUS)
- return pi[0].hbc == "PROOF";
- Scalar comparison = pi[0].responseParts[0];
- std::stringstream oracleInput;
- for (size_t i = 0; i < commitment.size(); i++)
- for (size_t j = 0; j < commitment[i].size(); j++)
- oracleInput << commitment[i][j];
- if (oracle(oracleInput.str()) != comparison)
- {
- std::cerr << "Server's claimed value doesn't match their own commitment." << std::endl;
- return false;
- }
- size_t agreement = 1;
- for (size_t i = 1; i < pi.size(); i++)
- if (comparison == pi[i].responseParts[0])
- agreement++;
- return agreement * 2 > pi.size();
- }
- bool PrsonaBase::verify_valid_user_tally_proof(
- const std::vector<Proof>& pi,
- const EGCiphertext& commitment) const
- {
- if (pi.empty())
- return false;
- if (!SERVER_IS_MALICIOUS)
- return pi[0].hbc == "PROOF";
- Scalar comparison = pi[0].responseParts[0];
- std::stringstream oracleInput;
- oracleInput << commitment;
- if (oracle(oracleInput.str()) != comparison)
- {
- std::cerr << "Server's claimed value doesn't match their own commitment." << std::endl;
- return false;
- }
- size_t agreement = 1;
- for (size_t i = 1; i < pi.size(); i++)
- if (comparison == pi[i].responseParts[0])
- agreement++;
- return agreement * 2 > pi.size();
- }
- bool PrsonaBase::verify_valid_server_tally_proof(
- const std::vector<Proof>& pi,
- const TwistBipoint& commitment) const
- {
- if (pi.empty())
- return false;
- if (!SERVER_IS_MALICIOUS)
- return pi[0].hbc == "PROOF";
- Scalar comparison = pi[0].responseParts[0];
- std::stringstream oracleInput;
- oracleInput << commitment;
- if (oracle(oracleInput.str()) != comparison)
- {
- std::cerr << "Server's claimed value doesn't match their own commitment." << std::endl;
- return false;
- }
- size_t agreement = 1;
- for (size_t i = 1; i < pi.size(); i++)
- if (comparison == pi[i].responseParts[0])
- agreement++;
- return agreement * 2 > pi.size();
- }
- bool PrsonaBase::verify_valid_pseudonyms_proof(
- const std::vector<Proof>& pi,
- const std::vector<Curvepoint>& commitment) const
- {
- if (pi.empty())
- return false;
- if (!SERVER_IS_MALICIOUS)
- return pi[0].hbc == "PROOF";
- Scalar comparison = pi[0].responseParts[0];
- std::stringstream oracleInput;
- for (size_t i = 0; i < commitment.size(); i++)
- oracleInput << commitment[i];
- if (oracle(oracleInput.str()) != comparison)
- {
- std::cerr << "Server's claimed value doesn't match their own commitment." << std::endl;
- return false;
- }
- size_t agreement = 1;
- for (size_t i = 1; i < pi.size(); i++)
- if (comparison == pi[i].responseParts[0])
- agreement++;
- return agreement * 2 > pi.size();
- }
- template std::vector<Proof> PrsonaBase::generate_proof_of_reordering<Curvepoint>(
- const std::vector<std::vector<Scalar>>& permutations,
- const std::vector<std::vector<Scalar>>& permutationSeeds,
- const std::vector<std::vector<Scalar>>& productSeeds,
- const std::vector<Curvepoint>& oldValues,
- const std::vector<std::vector<Curvepoint>>& permutationCommits,
- const std::vector<std::vector<Curvepoint>>& productCommits,
- const Curvepoint& otherG,
- const Curvepoint& otherH,
- bool inverted) const;
- template std::vector<Proof> PrsonaBase::generate_proof_of_reordering<CurveBipoint>(
- const std::vector<std::vector<Scalar>>& permutations,
- const std::vector<std::vector<Scalar>>& permutationSeeds,
- const std::vector<std::vector<Scalar>>& productSeeds,
- const std::vector<CurveBipoint>& oldValues,
- const std::vector<std::vector<Curvepoint>>& permutationCommits,
- const std::vector<std::vector<CurveBipoint>>& productCommits,
- const CurveBipoint& otherG,
- const CurveBipoint& otherH,
- bool inverted) const;
- template std::vector<Proof> PrsonaBase::generate_proof_of_reordering<TwistBipoint>(
- const std::vector<std::vector<Scalar>>& permutations,
- const std::vector<std::vector<Scalar>>& permutationSeeds,
- const std::vector<std::vector<Scalar>>& productSeeds,
- const std::vector<TwistBipoint>& oldValues,
- const std::vector<std::vector<Curvepoint>>& permutationCommits,
- const std::vector<std::vector<TwistBipoint>>& productCommits,
- const TwistBipoint& otherG,
- const TwistBipoint& otherH,
- bool inverted) const;
- template bool PrsonaBase::verify_proof_of_reordering<Curvepoint>(
- const std::vector<Proof>& pi,
- const std::vector<Curvepoint>& oldValues,
- const std::vector<std::vector<Curvepoint>>& permutationCommits,
- const std::vector<std::vector<Curvepoint>>& productCommits,
- const Curvepoint& otherG,
- const Curvepoint& otherH,
- bool inverted) const;
- template bool PrsonaBase::verify_proof_of_reordering<CurveBipoint>(
- const std::vector<Proof>& pi,
- const std::vector<CurveBipoint>& oldValues,
- const std::vector<std::vector<Curvepoint>>& permutationCommits,
- const std::vector<std::vector<CurveBipoint>>& productCommits,
- const CurveBipoint& otherG,
- const CurveBipoint& otherH,
- bool inverted) const;
- template bool PrsonaBase::verify_proof_of_reordering<TwistBipoint>(
- const std::vector<Proof>& pi,
- const std::vector<TwistBipoint>& oldValues,
- const std::vector<std::vector<Curvepoint>>& permutationCommits,
- const std::vector<std::vector<TwistBipoint>>& productCommits,
- const TwistBipoint& otherG,
- const TwistBipoint& otherH,
- bool inverted) const;