/// <summary> /// Constructor. Creates an inequality proof that a token attribute is not equal to some value. /// </summary> /// <param name="prover">Token description.</param> /// <param name="attributeIndexForProver">1-based attribute index in token.</param> /// <param name="attributeValue">Attribute value to compare actual token attribute.</param> /// <returns>Inequality proof.</returns> public InequalityProof(ProverPresentationProtocolParameters prover, int attributeIndexForProver, byte[] attributeValue) { // generate Pedersen Commitments to attributes ProverPresentationProtocolParameters[] provers = new ProverPresentationProtocolParameters[] { prover }; int[] attributeIndices = new int[] { attributeIndexForProver }; PedersenCommitment[] attributeCommitments = PedersenCommitment.PedersenCommmitmentsToAttributes(provers, attributeIndices); // create inequality proof using Pedersen Commitmetns FieldZqElement committedAttribute = ProtocolHelper.ComputeXi(prover.IP, attributeIndexForProver - 1, attributeValue); ProverInequalityProofParameters ieqProver = new ProverInequalityProofParameters(attributeCommitments[0], committedAttribute, new CryptoParameters(prover.IP)); ConstructorHelper(ieqProver); // add UProve Integration proof this.UPIProof = new UProveIntegrationProof(provers, attributeIndices, attributeCommitments); this.UPIProof.IsGroupSerializable = false; }
/// <summary> /// Genererates proof for when prover.CompareToKnownValue=true. /// </summary> /// <param name="prover"></param> private void CreateProofForKnownValue(ProverInequalityProofParameters prover) { // Pedersen Commitment to a random value a // A = g^a h^r FieldZqElement a = prover.FieldZq.GetRandomElement(true); FieldZqElement r = prover.FieldZq.GetRandomElement(true); PedersenCommitment openA = new PedersenCommitment(prover.G, prover.H, a, r, prover.Group); // B = g^(x-value)a DLRepOfGroupElement openB = new DLRepOfGroupElement( new GroupElement[1] { prover.G }, new FieldZqElement[1] { (prover.CommitmentX.CommittedValue - prover.Value) * a }, prover.Group ); // C = (Xg^{-value})^a h^{-ya} = B PedersenCommitment openC = new PedersenCommitment( prover.CommitmentX.Value * prover.G.Exponentiate(prover.Value.Negate()), prover.H, a, a.Negate() * prover.CommitmentX.Opening, prover.Group ); // Create DL equations DLRepOfGroupElement[] equations = new DLRepOfGroupElement[] { prover.CommitmentX, openA, openB, openC }; // generate proof EqualityMap map = this.GetEqualityMap(); ProverEqualityParameters eqProver = new ProverEqualityParameters(equations, map, prover); this.Proof = new EqualityProof(eqProver); this.A = openA.Value; this.B = openB.Value; }
/// <summary> /// Generates proof for when prover.CompareToKnownValue=false. /// Computes X/Y and generates proof for showing the committed value /// in X/Y is not equal to 0. /// </summary> /// <param name="prover">Prover parameters for comparing CommitmentX to CommitmentY</param> private void CreateProofForUnknownValue(ProverInequalityProofParameters prover) { // Compute Pedersen Commitment X/Y PedersenCommitment newOpenX = new PedersenCommitment( new GroupElement[2] { prover.G, prover.H }, new FieldZqElement[2] { prover.CommitmentX.CommittedValue - prover.CommitmentY.CommittedValue, prover.CommitmentX.Opening - prover.CommitmentY.Opening }, prover.Group); // new prover parameters ProverInequalityProofParameters newProver = new ProverInequalityProofParameters(newOpenX, prover.FieldZq.Zero, prover); // generate proof this.CreateProofForKnownValue(newProver); }
/// <summary> /// Generates a proof that two attribute values are different, without revealing them. /// </summary> /// <param name="prover1">Equality proof parameters for the first token.</param> /// <param name="prover2">Equality proof parameters for the second token.</param> /// <returns>An inequality proof.</returns> public static InequalityProof GenerateUProveInequalityProof(EQProofUProveProverData prover1, EQProofUProveProverData prover2) { if (!prover1.PPPP.IP.Gq.Equals(prover2.PPPP.IP.Gq)) { throw new ArgumentException("both provers must share the same group"); } // Create PedersenCommitments int commitmentIndex1 = ClosedPedersenCommitment.GetCommitmentIndex(prover1.PPPP.Committed, prover1.index); PedersenCommitment ped1 = new PedersenCommitment(prover1.PPPP, prover1.PP, prover1.CPV, commitmentIndex1); int commitmentIndex2 = ClosedPedersenCommitment.GetCommitmentIndex(prover2.PPPP.Committed, prover2.index); PedersenCommitment ped2 = new PedersenCommitment(prover2.PPPP, prover2.PP, prover2.CPV, commitmentIndex2); // Create EqualityProof CryptoParameters crypto = new CryptoParameters(prover1.PPPP.IP); // Can use prover2.IP ProverInequalityProofParameters inequalityProver = new ProverInequalityProofParameters(ped1, ped2, crypto); // compares committed values in ped1 and ped2 return(new InequalityProof(inequalityProver)); }
/// <summary> /// Creates an inequality proof using prover parameters. /// Throws an ArgumentException if prover parameters are invalid. /// </summary> /// <param name="prover">Prover parameters</param> private void ConstructorHelper(ProverInequalityProofParameters prover) { if (!prover.Verify()) { throw new ArgumentException("Invalid prover inequality proof parameters."); } this.Group = prover.Group; this.IsGroupSerializable = true; if (prover.CompareToKnownValue == true) { CreateProofForKnownValue(prover); } else { CreateProofForUnknownValue(prover); } this.Proof.IsGroupSerializable = false; }
/// <summary> /// Constructor. Creates an inequality proof that an attribute in one token is not equal to an attribute in another token. /// </summary> /// <param name="prover1">Token.</param> /// <param name="attributeIndexForProver1">Target attribute in first token, uses 1-based index.</param> /// <param name="prover2">Token</param> /// <param name="attributeIndexForProver2">Target attribute in second token, uses 1-based index</param> /// <returns>Proof of inequality.</returns> public InequalityProof( ProverPresentationProtocolParameters prover1, int attributeIndexForProver1, ProverPresentationProtocolParameters prover2, int attributeIndexForProver2) { // generate Pedersen Commitments to attributes ProverPresentationProtocolParameters[] provers = new ProverPresentationProtocolParameters[] { prover1, prover2 }; int [] attributeIndices = new int[] { attributeIndexForProver1, attributeIndexForProver2 }; PedersenCommitment[] attributeCommitments = PedersenCommitment.PedersenCommmitmentsToAttributes(provers, attributeIndices); // create inequality proof using Pedersen Commitmetns ProverInequalityProofParameters ieqProver = new ProverInequalityProofParameters(attributeCommitments[0], attributeCommitments[1], new CryptoParameters(prover1.IP)); ConstructorHelper(ieqProver); // add UProve Integration proof this.UPIProof = new UProveIntegrationProof(provers, attributeIndices, attributeCommitments); this.UPIProof.IsGroupSerializable = false; }
/// <summary> /// Creates an inequality proof using prover parameters. /// Throws an ArgumentException if prover parameters are invalid. /// </summary> /// <param name="prover">Prover parameters</param> public InequalityProof(ProverInequalityProofParameters prover) { ConstructorHelper(prover); }