Diffstat (limited to 'gp-scripts/zkp.gp')
-rw-r--r-- | gp-scripts/zkp.gp | 129 |
1 files changed, 129 insertions, 0 deletions
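diff --git a/gp-scripts/zkp.gp b/gp-scripts/zkp.gp
new file mode 100644
index 0000000..9bf7b7d
--- /dev/null
+++ b/gp-scripts/zkp.gp
@@ -0,0 +1,129 @@
+\\ zero knowledge proofs
+
+read(group);
+
+\\ Don't use in production code!
+\\ This is a very stupid implementation only used in performance evaluation.
+kdf(in:vec) =
+{
+prod(h=1,length(in),lift(in[h]))%q
+}
+
+
+zkp1_proof(G:intmod, x:int) =
+{
+local(V:intmod, z:int, A:intmod, c:int, r:int);
+V = G^x;
+z = random(q);
+A = G^z;
+c = kdf([G, V, A]);
+r = (z+c*x)%q;
+[G, r, A, V]
+}
+
+zkp1_check(P:vec) =
+{
+local(c:int, G:intmod, r:int, A:intmod, V:intmod);
+if (length(P) < 4, error("Proof1 too short."));
+if (type(P[1]) == "t_INTMOD", G = P[1], error("P[1] has wrong type."));
+if (type(P[2]) == "t_INT", r = P[2], error("P[2] has wrong type."));
+if (type(P[3]) == "t_INTMOD", A = P[3], error("P[3] has wrong type."));
+if (type(P[4]) == "t_INTMOD", V = P[4], error("P[4] has wrong type."));
+c = kdf([G, V, A]);
+G^r == A*V^c
+}
+
+
+zkp2_proof(G1:intmod, G2:intmod, x:int) =
+{
+local(V:intmod, W:intmod, z:int, A:intmod, B:intmod, c:int, r:int);
+V = G1^x;
+W = G2^x;
+z = random(q);
+A = G1^z;
+B = G2^z;
+c = kdf([G1, G2, V, W, A, B]);
+r = (z+c*x)%q;
+[G1, G2, r, A, B, V, W]
+}
+
+zkp2_check(P:vec) =
+{
+local(c:int,
+G1:intmod, G2:intmod, r:int, A:intmod, B:intmod, V:intmod, W:intmod);
+if (length(P) < 7, error("Proof2 too short."));
+if (type(P[1]) == "t_INTMOD", G1 = P[1], error("P[1] has wrong type."));
+if (type(P[2]) == "t_INTMOD", G2 = P[2], error("P[2] has wrong type."));
+if (type(P[3]) == "t_INT", r = P[3], error("P[3] has wrong type."));
+if (type(P[4]) == "t_INTMOD", A = P[4], error("P[4] has wrong type."));
+if (type(P[5]) == "t_INTMOD", B = P[5], error("P[5] has wrong type."));
+if (type(P[6]) == "t_INTMOD", V = P[6], error("P[6] has wrong type."));
+if (type(P[7]) == "t_INTMOD", W = P[7], error("P[7] has wrong type."));
+c = kdf([G1, G2, V, W, A, B]);
+G1^r == A*V^c && G2^r == B*W^c
+}
+
+
+zkp3_proof(G:intmod, Y:intmod, M:intmod) =
+{
+local(Alpha:intmod, Beta:intmod, A1:intmod, A2:intmod, B1:intmod, B2:intmod,
+d1:int, d2:int, r1:int, r2:int, w:int, r:int);
+r = random(q);
+Alpha = M*Y^r;
+Beta = G^r;
+if (M == Mod(1, p),
+d1 = random(q);
+r1 = random(q);
+w = random(q);
+A1 = G^r1 * Beta^d1;
+B1 = Y^r1 * (Alpha / G)^d1;
+A2 = G^w;
+B2 = Y^w;
+c = kdf([G, Alpha, Beta, A1, A2, B1, B2]);
+d2 = (c - d1) % q;
+r2 = (w - r*d2) % q;
+,
+if (M == G,
+d2 = random(q);
+r2 = random(q);
+w = random(q);
+A1 = G^w;
+B1 = Y^w;
+A2 = G^r2 * Beta^d2;
+B2 = Y^r2 * Alpha^d2;
+c = kdf([G, Alpha, Beta, A1, A2, B1, B2]);
+d1 = (c - d2) % q;
+r1 = (w - r*d1) % q;
+, error("M is neither 1 nor G")
+)
+);
+[G, Y, Alpha, Beta, A1, A2, B1, B2, d1, d2, r1, r2, r]
+}
+
+zkp3_check(P:vec) =
+{
+local(c:int,
+G:intmod, Y:intmod, Alpha:intmod, Beta:intmod, A1:intmod, A2:intmod, B1:intmod, B2:intmod,
+d1:int, d2:int, r1:int, r2:int);
+if (length(P) < 12, error("Proof3 too short."));
+if (type(P[1] ) == "t_INTMOD", G = P[1], error("P[1] has wrong type."));
+if (type(P[2] ) == "t_INTMOD", Y = P[2], error("P[2] has wrong type."));
+if (type(P[3] ) == "t_INTMOD", Alpha = P[3], error("P[3] has wrong type."));
+if (type(P[4] ) == "t_INTMOD", Beta = P[4], error("P[4] has wrong type."));
+if (type(P[5] ) == "t_INTMOD", A1 = P[5], error("P[5] has wrong type."));
+if (type(P[6] ) == "t_INTMOD", A2 = P[6], error("P[6] has wrong type."));
+if (type(P[7] ) == "t_INTMOD", B1 = P[7], error("P[7] has wrong type."));
+if (type(P[8] ) == "t_INTMOD", B2 = P[8], error("P[8] has wrong type."));
+if (type(P[9] ) == "t_INT", d1 = P[9], error("P[9] has wrong type."));
+if (type(P[10]) == "t_INT", d2 = P[10], error("P[10] has wrong type."));
+if (type(P[11]) == "t_INT", r1 = P[11], error("P[11] has wrong type."));
+if (type(P[12]) == "t_INT", r2 = P[12], error("P[12] has wrong type."));
+c = kdf([G, Alpha, Beta, A1, A2, B1, B2]);
+c == (d1 + d2) % q &&
+A1 == G^r1 * Beta^d1 &&
+A2 == G^r2 * Beta^d2 &&
+B1 == Y^r1 * (Alpha / G)^d1 &&
+B2 == Y^r2 * Alpha^d2
+}
+
+;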
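Review bot: zkp3_proof returns the encryption randomness `r` as a 13th element of the proof vector, while zkp3_check reads only P[1] through P[12]; if that vector is what gets handed to a verifier, the witness travels with the proof and the plaintext choice (1 or G) is no longer hidden. Return the proof as `[G, Y, Alpha, Beta, A1, A2, B1, B2, d1, d2, r1, r2]` and give `r` back to the caller separately. In the same function `c` is missing from the `local(...)` list, so `c = kdf(...)` writes a global; add `c:int` there as zkp1_proof and zkp2_proof do. The challenge in zkp3_proof and zkp3_check also leaves `Y` out of the `kdf([...])` input, unlike zkp2 which feeds in both bases, so the public key is not bound into the challenge.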