summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorMarkus Teich <markus.teich@stusta.mhn.de>2017-01-04 17:43:24 +0100
committerMarkus Teich <markus.teich@stusta.mhn.de>2017-01-04 17:43:24 +0100
commitc50392f9df44b99263c3481b7b4dc7ae890dc4a8 (patch)
tree79a257aadd74f17555f37d0c539d03f756acc5d3
parente66cbbe44f3708e6d6a30b216035bcccfc8e7207 (diff)
gp-scripts: add zkp + test parameters
-rw-r--r--gp-scripts/firstPrice95
-rw-r--r--gp-scripts/firstPrice.gp186
-rw-r--r--gp-scripts/group.gp15
-rw-r--r--gp-scripts/smc.gp16
-rw-r--r--gp-scripts/zkp.gp129
5 files changed, 330 insertions, 111 deletions
diff --git a/gp-scripts/firstPrice b/gp-scripts/firstPrice
deleted file mode 100644
index c638f4a..0000000
--- a/gp-scripts/firstPrice
+++ /dev/null
@@ -1,95 +0,0 @@
-\\ From: "How to obtain full privacy in auctions" (2006) by Felix Brandt pages 19-20
-
-
-\\\\\\\\\\\\
-\\ Adapt the following values to your needs
-\\\\\\\\\\\\
-
-\\ amount of bidders
-n = 4
-\\ amount of possible prices
-k = 2^4
-\\ randomize bids (change to something static, if you like)
-bid = vector(n,i,random(k)+1)
-\\bid = vector(n,i,n-i+1) \\ first bidder wins
-\\bid = vector(n,i,i) \\ last bidder wins
-\\bid = vector(n,i,(i+1)%2) \\ second bidder wins (with ties)
-
-\\ prime finite field setup (result may be ambiguous if your prime is too small, 4*n*k seems to work fine)
-\\q = prime(4*n*k)
-\\ 2048bit prime:
-\\q = 31905233907400964621684499856844075173802000556075101303613351426740101897961025481077892281365444367883091980681462491724119317344478120131982416132058173572772607966572720945691237876256074322291459510766147107539260048324345382562673904236506104922357079761457605045674628331006193183908801308817507027556440703972646885207099302085383887085776295396030033300833460743425162726394704256227108175491673135830378272029374848904772902525385997099641162537271298634032011458617811670193865244028195169383991286227040469186123958053863978710424421008752927011390777187889943940479064193231486057910586526439884046593027
-\\ 3072bit prime:
-q = 5175054779340588353586849786144680366505563673837334790820581054294754700842534366479020240016540005621125885927641963390708863183739793208880756653713659686139600715884857385144475261507869935694699816011948585170171332029002674283854825650901258017026965486602158722052719421343475066067509485302858041368266332080773331946039572497794442067057597327877030322029413318847025776818839927761556478107499002213648377029201340152459685610920194363099878398871001275336711869213616313858200583491913270052111910410231060407633125816386053759634073500319223989240814564691163285769745840521560940666058800931070258886096469889796899266014106833050284032035948051974659796051419431527095503586817863043771919051402039741075037010264761045992285666560487072740505566408086913711094879155498223636912657852688296081316652278801546924079650897913388978423388839346058027184069633227966507908979049369500450630036982661231208087459099
-
-\\\\\\\\\\\\
-\\ SETUP
-\\\\\\\\\\\\
-
-\\ p not needed? wat?
-\\p = 47
-
-\\ get generator / primitive element for Z_q
-\\ var = 'x \\ copy pasta from internet
-\\ pe=ffgen(minpoly(ffprimroot(ffgen(ffinit(q,1))),var),var) \\ get primitive element
-\\ 1/(fforder(pe) == q-1) \\ error out, if ord(pe) is wrong
-\\ g = Mod(eval(Str(pe)), q) \\ dirty hack to convert t_FFELEM to t_INT
-g = Mod(2, q)
-
-\\\\\\\\\\\\
-\\ PROLOG
-\\\\\\\\\\\\
-
-\\ private keys of agents
-x = vector(n,i,random(q))
-\\ public keyshares of agents
-yshares = vector(n,i,g^x[i])
-\\ shared public key
-y = prod(X=1,n,yshares[X])
-
-\\ first index level = owning agent id (additive share)
-\\ second index level = agent id, price id
-m = vector(n,i,matrix(n,k,a,b,random(q)))
-
-\\ index = owning agent id, price id
-r = matrix(n,k,i,j,random(q))
-\\ bid matrix
-b = matrix(n,k,i,j,g^(bid[i]==j))
-
-\\\\\\\\\\\\
-\\ ROUND1
-\\\\\\\\\\\\
-
-\\ encrypted bids
-alpha = matrix(n,k,i,j, b[i,j]*y^r[i,j])
-beta = matrix(n,k,i,j, g^r[i,j])
-
-\\\\\\\\\\\\
-\\ ROUND2
-\\\\\\\\\\\\
-
-\\ multiplicative shares
-\\ first index level = owning agent id (multiplicative share)
-\\ second index level = agent id, price id
-Gamma = vector(n,a,matrix(n,k,i,j, ( prod(h=1,n,prod(d=j+1,k,alpha[h,d])) * prod(d=1,j-1,alpha[i,d]) * prod(h=1,i-1,alpha[h,j]) )^m[a][i,j] ))
-Delta = vector(n,a,matrix(n,k,i,j, ( prod(h=1,n,prod(d=j+1,k, beta[h,d])) * prod(d=1,j-1, beta[i,d]) * prod(h=1,i-1, beta[h,j]) )^m[a][i,j] ))
-
-\\\\\\\\\\\\
-\\ ROUND3
-\\\\\\\\\\\\
-
-\\ multiplicative shares (decryption)
-\\ first index level = owning agent id (multiplicative share)
-\\ second index level = agent id, price id
-Phi = vector(n,a,matrix(n,k,i,j, prod(h=1,n,Delta[h][i,j])^x[a] ))
-
-\\\\\\\\\\\\
-\\ EPILOG
-\\\\\\\\\\\\
-
-\\ winner matrix
-v = matrix(n,k,a,j, prod(i=1,n,Gamma[i][a,j]) / prod(i=1,n,Phi[i][a,j]) )
-vi = lift(v)
-
-print("bids are: ", bid)
-for(X=1,n, if(vecmin(vi[X,])==1, print("And the winner is ", X) ))
diff --git a/gp-scripts/firstPrice.gp b/gp-scripts/firstPrice.gp
new file mode 100644
index 0000000..5642fa0
--- /dev/null
+++ b/gp-scripts/firstPrice.gp
@@ -0,0 +1,186 @@
+\\ From: "How to obtain full privacy in auctions" (2006) by Felix Brandt pages 19-20
+
+
+\\\\\\\\\\\\
+\\ Adapt the following values to your needs
+\\\\\\\\\\\\
+
+\\ amount of bidders
+n = 3
+\\ amount of possible prices
+k = 2^2
+\\ randomize bids (change to something static, if you like)
+bid = vector(n,i,random(k)+1)
+\\bid = vector(n,i,n-i+1) \\ first bidder wins
+\\bid = vector(n,i,i) \\ last bidder wins
+\\bid = vector(n,i,(i+1)%2) \\ second bidder wins (with ties)
+
+\\\\\\\\\\\\
+\\ SETUP
+\\\\\\\\\\\\
+
+read(group)
+read(zkp)
+
+\\\\\\\\\\\\
+\\ PROLOG
+\\\\\\\\\\\\
+
+\\ private keys of agents
+x = vector(n,i,random(q))
+\\ first index level = owning agent id (additive share)
+\\ second index level = agent id, price id
+m = vector(n,i,matrix(n,k,a,b,random(q)))
+
+\\ zkp
+proofs1 = vector(n,i,zkp1_proof(G, x[i]))
+
+\\ public keyshares of agents
+yshares = vector(n,i,proofs1[i][4])
+\\yshares = vector(n,i,G^x[i])
+
+\\ for performance evaluations we need to check the proofs for every bidder
+\\ i := checking bidder (0 == seller)
+\\ h := bidder to check
+{
+for(i=0,n,
+ for(h=1,n,
+ if(1 != zkp1_check(proofs1[h]),
+ error("zkp1 failure in round0")
+ )
+ )
+)
+}
+
+\\ shared public key
+y = prod(X=1,n,yshares[X])
+
+\\\\\\\\\\\\
+\\ ROUND1
+\\\\\\\\\\\\
+
+\\ bid matrix
+b = matrix(n,k,i,j,G^(bid[i]==j))
+
+\\ zkp
+proofs3 = matrix(n,k,i,j, zkp3_proof(G,y,G^(bid[i]==j)))
+
+\\ index = owning agent id, price id
+r = matrix(n,k,i,j,proofs3[i,j][13])
+\\r = matrix(n,k,i,j,random(q))
+
+\\ encrypted bids
+Alpha = matrix(n,k,i,j, proofs3[i,j][3])
+Beta = matrix(n,k,i,j, proofs3[i,j][4])
+\\Alpha = matrix(n,k,i,j, b[i,j]*y^r[i,j])
+\\Beta = matrix(n,k,i,j, G^r[i,j])
+
+proofs2 = vector(n,i, zkp2_proof(y,G,sum(j=1,k, r[i,j])))
+\\ i := checking bidder (0 == seller)
+\\ h := bidder to check
+\\ j := price index to check
+{
+for(i=0,n,
+ for(h=1,n,
+ for(j=1,k,
+ if(1 != zkp3_check(proofs3[h,j]),
+ error("zkp3 failure in round1")
+ )
+ );
+ if((prod(j=1,k,Alpha[h,j])/G) != proofs2[h][6],
+ error("alpha product doesn't match")
+ );
+ if(prod(j=1,k,Beta[h,j]) != proofs2[h][7],
+ error("beta product doesn't match")
+ );
+ if(1 != zkp2_check(proofs2[h]),
+ error("zkp2 failure in round1")
+ )
+ )
+)
+}
+
+\\\\\\\\\\\\
+\\ ROUND2
+\\\\\\\\\\\\
+
+\\ multiplicative shares
+\\ first index level = owning agent id (multiplicative share)
+\\ second index level = agent id, price id
+Gamma = vector(n,a,matrix(n,k,i,j, prod(h=1,n,prod(d=j+1,k,Alpha[h,d])) * prod(d=1,j-1,Alpha[i,d]) * prod(h=1,i-1,Alpha[h,j]) ))
+Delta = vector(n,a,matrix(n,k,i,j, prod(h=1,n,prod(d=j+1,k, Beta[h,d])) * prod(d=1,j-1, Beta[i,d]) * prod(h=1,i-1, Beta[h,j]) ))
+\\Gamma = vector(n,a,matrix(n,k,i,j, ( prod(h=1,n,prod(d=j+1,k,Alpha[h,d])) * prod(d=1,j-1,Alpha[i,d]) * prod(h=1,i-1,Alpha[h,j]) )^m[a][i,j] ))
+\\Delta = vector(n,a,matrix(n,k,i,j, ( prod(h=1,n,prod(d=j+1,k, Beta[h,d])) * prod(d=1,j-1, Beta[i,d]) * prod(h=1,i-1, Beta[h,j]) )^m[a][i,j] ))
+
+\\ random masking and zkp
+proofs2 = vector(n,a,matrix(n,k,i,j, zkp2_proof(Gamma[a][i,j], Delta[a][i,j], random(q)) ))
+
+\\ for performance evaluations we need to check the proofs for every bidder
+\\ i := checking bidder (0 == seller)
+\\ h := bidder to check
+\\ t := target bidder (creator of the proof)
+\\ j := price
+{
+for(t=1,n,
+ for(h=1,n,
+ for(j=1,k,
+ for(i=0,n,
+ if(1 != zkp2_check(proofs2[t][h,j]),
+ error("zkp2 failure in round2")
+ )
+ );
+ \\ use masked values generated during the zkp
+ Gamma[t][h,j] = proofs2[t][h,j][6];
+ Delta[t][h,j] = proofs2[t][h,j][7];
+ )
+ )
+)
+}
+
+
+\\\\\\\\\\\\
+\\ ROUND3
+\\\\\\\\\\\\
+
+\\ multiplicative shares (decryption)
+\\ first index level = owning agent id (multiplicative share)
+\\ second index level = agent id, price id
+Phi = vector(n,a,matrix(n,k,i,j, prod(h=1,n,Delta[h][i,j]) ))
+\\Phi = vector(n,a,matrix(n,k,i,j, prod(h=1,n,Delta[h][i,j])^x[a] ))
+
+proofs2 = vector(n,a,matrix(n,k,i,j, zkp2_proof(Phi[a][i,j], G, x[a]) ))
+
+\\ for performance evaluations we need to check the proofs for every bidder
+\\ i := checking bidder (0 == seller)
+\\ h := bidder to check
+\\ t := target bidder (creator of the proof)
+\\ j := price
+{
+for(t=1,n,
+ for(h=1,n,
+ for(j=1,k,
+ for(i=0,n,
+ if(1 != zkp2_check(proofs2[t][h,j]),
+ error("zkp2 failure in round2")
+ )
+ );
+ \\ use masked values generated during the zkp
+ Phi[t][h,j] = proofs2[t][h,j][6];
+ )
+ )
+)
+}
+
+
+\\\\\\\\\\\\
+\\ EPILOG
+\\\\\\\\\\\\
+
+\\ winner matrix
+v = matrix(n,k,a,j, prod(i=1,n,Gamma[i][a,j]) / prod(i=1,n,Phi[i][a,j]) )
+vi = lift(v)
+
+print("bids are: ", bid)
+for(X=1,n, if(vecmin(vi[X,])==1, print("And the winner is ", X) ))
+
+;
diff --git a/gp-scripts/group.gp b/gp-scripts/group.gp
new file mode 100644
index 0000000..3f941b8
--- /dev/null
+++ b/gp-scripts/group.gp
@@ -0,0 +1,15 @@
+\\ p generated by ssh-keygen from the following moduli(5) line:
+\\ 20161024184335 2 6 100 3071 2 C63A6E912985E56A40FA7747D856C9FFD01B052F0BDEA89F0B17C34EC168E918FCC6121351CA0003453E96EBB5CE228D97610D0F7AA0EE1EC26124723BDA68607D0348B30A39B92DFBB4E23219DA3440756C169A4F1B929DDB487CF2C53520910C800340DE87CA65D2041FA393FD0D25019589B7ED89D0AD256764FF690B122FC868ED5E314346CA93505700B650BDD74D6395767E67AA4E29517699A2170892B572EC6050FD4F0545FE981D9583CD47411788ADFD7C60B33E6A186FCAE5ACAF8CE012B5551A3A54B15AA28D4F7C3EF37220819CA180B3BA855D816FF5D3AC0A8D2AB4E0C9D638C785F0E2707B591326A6E657F3E26D9EEDE5760E81165B0B3680ADA447AFE0A31EA9A31CC1825EB9B36AF746FB579A0A327AEF54D16B1C7A1575A241139F9B8551EA3C687E2E333ABDA9E5F491CA7F1611E478F8B4FA74E34A6771374198FE337634E8B0021BA826BF332818BB43052B6BC6D84E4E34BD1ABEC166881CC69079ED1F306C7143C5F9E341C6955DD501ED51FCE5F7F94CFA6273
+\\ This is a "safe prime", see moduli(5)
+\\ Therefore q = (p-1)/2 is also prime
+
+p = 4498546982183741806042046874925230841367752610105215768946438255470120740195522849201856997179866815126313339756915558167423398334072639778026401904031844016861682960881473450120265256327641310709437833580886250441164652551031655405301329413885250587408573319621138304678094611598436119854035881555472079889364307701983275427495796082239390426306590239630071293304476993188112145295406185504400770379250448236759388051149856191572199475958274963892549036586332373555561624378385324018563641781073722121282924048194073332885386583853286835384896286468480594489851988635137146304050743119406030150457214703115428415028345445439080824905967347767410065096124691155434106090788541491301971510767072678641286317388382884979008351941634738407020421109176416998181365911697340148847292136114015951382836045342314909586957351991419538245920973429697625016569947794803114551396527414933624103391788313038751051589980762413698400281203
+
+\\ From that we can compute the subgroup-order prime q:
+q = (p-1)/2
+
+\\ Cyclic Subgroups of Z_p must have order 1, 2, q or p-1
+\\ => The generator of Subgroup Z_p^* is 3 as we can check with G^q == Mod(1, p)
+G = Mod(3, p)
+
+;
diff --git a/gp-scripts/smc.gp b/gp-scripts/smc.gp
index 2b7e188..f32f5f2 100644
--- a/gp-scripts/smc.gp
+++ b/gp-scripts/smc.gp
@@ -17,19 +17,3 @@ smc_hextodec(s:str) =
ret;
}
-smc_genbid(k:small, bid:small, g)=
-{
- vector(k,j,g^(bid==j));
-}
-
-smc_genalpha(k:small, b:vec, r:vec, y)=
-{
- vector(k, j, b[j]*y^r[j]);
-}
-
-smc_genbeta(k:small, r:vec, g)=
-{
- vector(k, j, g^r[j]);
-}
-
-
diff --git a/gp-scripts/zkp.gp b/gp-scripts/zkp.gp
new file mode 100644
index 0000000..9bf7b7d
--- /dev/null
+++ b/gp-scripts/zkp.gp
@@ -0,0 +1,129 @@
+\\ zero knowledge proofs
+
+read(group);
+
+\\ Don't use in production code!
+\\ This is a very stupid implementation only used in performance evaluation.
+kdf(in:vec) =
+{
+ prod(h=1,length(in),lift(in[h]))%q
+}
+
+
+zkp1_proof(G:intmod, x:int) =
+{
+ local(V:intmod, z:int, A:intmod, c:int, r:int);
+ V = G^x;
+ z = random(q);
+ A = G^z;
+ c = kdf([G, V, A]);
+ r = (z+c*x)%q;
+ [G, r, A, V]
+}
+
+zkp1_check(P:vec) =
+{
+ local(c:int, G:intmod, r:int, A:intmod, V:intmod);
+ if (length(P) < 4, error("Proof1 too short."));
+ if (type(P[1]) == "t_INTMOD", G = P[1], error("P[1] has wrong type."));
+ if (type(P[2]) == "t_INT", r = P[2], error("P[2] has wrong type."));
+ if (type(P[3]) == "t_INTMOD", A = P[3], error("P[3] has wrong type."));
+ if (type(P[4]) == "t_INTMOD", V = P[4], error("P[4] has wrong type."));
+ c = kdf([G, V, A]);
+ G^r == A*V^c
+}
+
+
+zkp2_proof(G1:intmod, G2:intmod, x:int) =
+{
+ local(V:intmod, W:intmod, z:int, A:intmod, B:intmod, c:int, r:int);
+ V = G1^x;
+ W = G2^x;
+ z = random(q);
+ A = G1^z;
+ B = G2^z;
+ c = kdf([G1, G2, V, W, A, B]);
+ r = (z+c*x)%q;
+ [G1, G2, r, A, B, V, W]
+}
+
+zkp2_check(P:vec) =
+{
+ local(c:int,
+ G1:intmod, G2:intmod, r:int, A:intmod, B:intmod, V:intmod, W:intmod);
+ if (length(P) < 7, error("Proof2 too short."));
+ if (type(P[1]) == "t_INTMOD", G1 = P[1], error("P[1] has wrong type."));
+ if (type(P[2]) == "t_INTMOD", G2 = P[2], error("P[2] has wrong type."));
+ if (type(P[3]) == "t_INT", r = P[3], error("P[3] has wrong type."));
+ if (type(P[4]) == "t_INTMOD", A = P[4], error("P[4] has wrong type."));
+ if (type(P[5]) == "t_INTMOD", B = P[5], error("P[5] has wrong type."));
+ if (type(P[6]) == "t_INTMOD", V = P[6], error("P[6] has wrong type."));
+ if (type(P[7]) == "t_INTMOD", W = P[7], error("P[7] has wrong type."));
+ c = kdf([G1, G2, V, W, A, B]);
+ G1^r == A*V^c && G2^r == B*W^c
+}
+
+
+zkp3_proof(G:intmod, Y:intmod, M:intmod) =
+{
+ local(Alpha:intmod, Beta:intmod, A1:intmod, A2:intmod, B1:intmod, B2:intmod,
+ d1:int, d2:int, r1:int, r2:int, w:int, r:int);
+ r = random(q);
+ Alpha = M*Y^r;
+ Beta = G^r;
+ if (M == Mod(1, p),
+ d1 = random(q);
+ r1 = random(q);
+ w = random(q);
+ A1 = G^r1 * Beta^d1;
+ B1 = Y^r1 * (Alpha / G)^d1;
+ A2 = G^w;
+ B2 = Y^w;
+ c = kdf([G, Alpha, Beta, A1, A2, B1, B2]);
+ d2 = (c - d1) % q;
+ r2 = (w - r*d2) % q;
+ ,
+ if (M == G,
+ d2 = random(q);
+ r2 = random(q);
+ w = random(q);
+ A1 = G^w;
+ B1 = Y^w;
+ A2 = G^r2 * Beta^d2;
+ B2 = Y^r2 * Alpha^d2;
+ c = kdf([G, Alpha, Beta, A1, A2, B1, B2]);
+ d1 = (c - d2) % q;
+ r1 = (w - r*d1) % q;
+ , error("M is neither 1 nor G")
+ )
+ );
+ [G, Y, Alpha, Beta, A1, A2, B1, B2, d1, d2, r1, r2, r]
+}
+
+zkp3_check(P:vec) =
+{
+ local(c:int,
+ G:intmod, Y:intmod, Alpha:intmod, Beta:intmod, A1:intmod, A2:intmod, B1:intmod, B2:intmod,
+ d1:int, d2:int, r1:int, r2:int);
+ if (length(P) < 12, error("Proof3 too short."));
+ if (type(P[1] ) == "t_INTMOD", G = P[1], error("P[1] has wrong type."));
+ if (type(P[2] ) == "t_INTMOD", Y = P[2], error("P[2] has wrong type."));
+ if (type(P[3] ) == "t_INTMOD", Alpha = P[3], error("P[3] has wrong type."));
+ if (type(P[4] ) == "t_INTMOD", Beta = P[4], error("P[4] has wrong type."));
+ if (type(P[5] ) == "t_INTMOD", A1 = P[5], error("P[5] has wrong type."));
+ if (type(P[6] ) == "t_INTMOD", A2 = P[6], error("P[6] has wrong type."));
+ if (type(P[7] ) == "t_INTMOD", B1 = P[7], error("P[7] has wrong type."));
+ if (type(P[8] ) == "t_INTMOD", B2 = P[8], error("P[8] has wrong type."));
+ if (type(P[9] ) == "t_INT", d1 = P[9], error("P[9] has wrong type."));
+ if (type(P[10]) == "t_INT", d2 = P[10], error("P[10] has wrong type."));
+ if (type(P[11]) == "t_INT", r1 = P[11], error("P[11] has wrong type."));
+ if (type(P[12]) == "t_INT", r2 = P[12], error("P[12] has wrong type."));
+ c = kdf([G, Alpha, Beta, A1, A2, B1, B2]);
+ c == (d1 + d2) % q &&
+ A1 == G^r1 * Beta^d1 &&
+ A2 == G^r2 * Beta^d2 &&
+ B1 == Y^r1 * (Alpha / G)^d1 &&
+ B2 == Y^r2 * Alpha^d2
+}
+
+;