/// <summary>
/// Verifies a set membership proof from U-Prove parameters.
/// </summary>
/// <param name="vppp">The verifier presentation protocol parameters.</param>
/// <param name="pProof">A presentation proof.</param>
/// <param name="smProof">A set presentation proof.</param>
/// <param name="committedIndex">Index of the committed attribute used to generate the set membership proof.</param>
/// <param name="setValues">Set values to verify against.</param>
/// <returns>True if the proof is valid, false otherwise.</returns>
public static bool Verify(VerifierPresentationProtocolParameters vppp, PresentationProof pProof, SetMembershipProof smProof, int committedIndex, byte[][] setValues)
{
// get the index of the commitment to use, given the underlying attribute's index
int commitmentIndex = ClosedPedersenCommitment.GetCommitmentIndex(vppp.Committed, committedIndex);
// verify the membership proof
ClosedDLRepOfGroupElement closedCommittedClearance = new ClosedPedersenCommitment(vppp.IP, pProof, commitmentIndex);
VerifierSetMembershipParameters setVerifier = new VerifierSetMembershipParameters(
closedCommittedClearance.Value,
VerifierSetMembershipParameters.GenerateMemberSet(vppp.IP, committedIndex, setValues),
new CryptoParameters(vppp.IP));
return(smProof.Verify(setVerifier));
}
/// <summary>
/// Generates a set membership proof from U-Prove parameters.
/// </summary>
/// <param name="pppp">The prover presentation protocol parameters.</param>
/// <param name="pp">The presentation proof.</param>
/// <param name="cpv">The commitment private values returned when generating the presentation proof.</param>
/// <param name="committedIndex">Index of the committed attribute used to generate the set membership proof.</param>
/// <param name="setValues">Set values to prove against.</param>
/// <param name="smRandom">Optional pregenerated random values, or <c>null</c>.</param>
/// <returns>A set membership proof.</returns>
public static SetMembershipProof Generate(ProverPresentationProtocolParameters pppp, PresentationProof pp, CommitmentPrivateValues cpv, int committedIndex, byte[][] setValues, SetMembershipProofGenerationRandomData smRandom = null)
{
// get the index of the commitment to use, given the underlying attribute's index
int commitmentIndex = ClosedPedersenCommitment.GetCommitmentIndex(pppp.Committed, committedIndex);
// generate the membership proof
ProverSetMembershipParameters setProver =
new ProverSetMembershipParameters(
new PedersenCommitment(pppp, pp, cpv, commitmentIndex),
VerifierSetMembershipParameters.GenerateMemberSet(pppp.IP, committedIndex, setValues),
new CryptoParameters(pppp.IP));
return(new SetMembershipProof(setProver, smRandom));
}
/// <summary>
/// Verifies a proof that two tokens share an attribute value, without revealing it.
/// </summary>
/// <param name="verifier1">Equality proof parameters for the first token.</param>
/// <param name="verifier2">Equality proof parameters for the second token.</param>
/// <param name="eQProof">The equality proof to verify.</param>
/// <exception cref="InvalidUProveArtifactException">Thrown if the proof is invalid.</exception>
public static void VerifyUProveEqualityProof(EQProofUProveVerifierData verifier1, EQProofUProveVerifierData verifier2, EqualityProof eQProof)
{
int commitmentIndex1 = ClosedPedersenCommitment.GetCommitmentIndex(verifier1.VPPP.Committed, verifier1.index);
int commitmentIndex2 = ClosedPedersenCommitment.GetCommitmentIndex(verifier2.VPPP.Committed, verifier2.index);
ClosedPedersenCommitment closedPed1 = new ClosedPedersenCommitment(verifier1.VPPP.IP, verifier1.PP, commitmentIndex1);
ClosedPedersenCommitment closedPed2 = new ClosedPedersenCommitment(verifier2.VPPP.IP, verifier2.PP, commitmentIndex2);
CryptoParameters crypto = new CryptoParameters(verifier1.VPPP.IP); // Can use prover2.IP
VerifierEqualityParameters equalityVerifier = new VerifierEqualityParameters(closedPed1, 0, closedPed2, 0, crypto);
if (!eQProof.Verify(equalityVerifier))
{
throw new InvalidUProveArtifactException("invalid equality proof");
}
}
/// <summary>
/// Generates proofs that a token attribute value is not equal to any values in the target array.
/// </summary>
/// <param name="prover">Inequality proof parameters for the token.</param>
/// <param name="target">Target values array.</param>
/// <returns>An inequality proof.</returns>
public static InequalityProof[] GenerateUProveInequalityProofs(EQProofUProveProverData prover, byte[][] target)
{
// Create PedersenCommitments
int commitmentIndex = ClosedPedersenCommitment.GetCommitmentIndex(prover.PPPP.Committed, prover.index);
PedersenCommitment ped = new PedersenCommitment(prover.PPPP, prover.PP, prover.CPV, commitmentIndex);
// Create EqualityProof
CryptoParameters crypto = new CryptoParameters(prover.PPPP.IP);
InequalityProof[] proofs = new InequalityProof[target.Length];
for (int i = 0; i < target.Length; i++)
{
FieldZqElement targetValue = ProtocolHelper.ComputeXi(prover.PPPP.IP, prover.index - 1, target[i]);
proofs[i] = new InequalityProof(new ProverInequalityProofParameters(ped, targetValue, crypto));
}
return(proofs);
}
/// <summary>
/// Generates a proof that two attribute values are different, without revealing them.
/// </summary>
/// <param name="prover1">Equality proof parameters for the first token.</param>
/// <param name="prover2">Equality proof parameters for the second token.</param>
/// <returns>An inequality proof.</returns>
public static InequalityProof GenerateUProveInequalityProof(EQProofUProveProverData prover1, EQProofUProveProverData prover2)
{
if (!prover1.PPPP.IP.Gq.Equals(prover2.PPPP.IP.Gq))
{
throw new ArgumentException("both provers must share the same group");
}
// Create PedersenCommitments
int commitmentIndex1 = ClosedPedersenCommitment.GetCommitmentIndex(prover1.PPPP.Committed, prover1.index);
PedersenCommitment ped1 = new PedersenCommitment(prover1.PPPP, prover1.PP, prover1.CPV, commitmentIndex1);
int commitmentIndex2 = ClosedPedersenCommitment.GetCommitmentIndex(prover2.PPPP.Committed, prover2.index);
PedersenCommitment ped2 = new PedersenCommitment(prover2.PPPP, prover2.PP, prover2.CPV, commitmentIndex2);
// Create EqualityProof
CryptoParameters crypto = new CryptoParameters(prover1.PPPP.IP); // Can use prover2.IP
ProverInequalityProofParameters inequalityProver = new ProverInequalityProofParameters(ped1, ped2, crypto); // compares committed values in ped1 and ped2
return(new InequalityProof(inequalityProver));
}
/// <summary>
/// Verifies proofs that a token attribute value is not equal to a any of the target values.
/// </summary>
/// <param name="verifier">Equality proof parameters for the token.</param>
/// <param name="target">Target values.</param>
/// <param name="eQProof">The inequality proofs to verify.</param>
/// <exception cref="InvalidUProveArtifactException">Thrown if a proof is invalid.</exception>
public static void VerifyUProveEqualityProofs(EQProofUProveVerifierData verifier, byte[][] target, InequalityProof[] iNeqProof)
{
if (target == null || iNeqProof == null || target.Length != iNeqProof.Length)
{
throw new ArgumentException("target and iNeqProof must have the same length");
}
int commitmentIndex = ClosedPedersenCommitment.GetCommitmentIndex(verifier.VPPP.Committed, verifier.index);
ClosedPedersenCommitment closedPed = new ClosedPedersenCommitment(verifier.VPPP.IP, verifier.PP, commitmentIndex);
CryptoParameters crypto = new CryptoParameters(verifier.VPPP.IP);
for (int i = 0; i < target.Length; i++)
{
FieldZqElement targetValue = ProtocolHelper.ComputeXi(verifier.VPPP.IP, verifier.index - 1, target[i]);
if (!iNeqProof[i].Verify(new VerifierInequalityProofParameters(closedPed.Value, targetValue, crypto)))
{
throw new InvalidUProveArtifactException("invalid equality proof");
}
}
}