/// <summary> /// Computes the challenge used by the verifier to check the proof. /// </summary> /// <param name="verifier">Verifier parameters</param> /// <returns></returns> private FieldZqElement ComputeChallenge(VerifierEqualityParameters verifier) { HashFunction hash = new HashFunction(verifier.HashFunctionName); hash.Hash(verifier.HashDigest); hash.Hash(this.b); return(verifier.FieldZq.GetElementFromDigest(hash.Digest)); }
/// <summary> /// Verifies this proof for when verifier.CompareToKnownValue=true. /// </summary> /// <param name="verifier">Verifier parameters</param> /// <returns></returns> private bool VerifyProofForKnownValue(VerifierInequalityProofParameters verifier) { // B must not be 1. if (this.B == verifier.Group.Identity) { return(false); } // Reconstruct DL equations from proof and verifier parameters ClosedPedersenCommitment closedX = new ClosedPedersenCommitment( new GroupElement[2] { verifier.G, verifier.H }, verifier.ClosedCommitmentX, verifier.Group); ClosedPedersenCommitment closedA = new ClosedPedersenCommitment( new GroupElement[2] { verifier.G, verifier.H }, this.A, verifier.Group); ClosedDLRepOfGroupElement closedB = new ClosedDLRepOfGroupElement( new GroupElement[1] { verifier.G }, this.B, verifier.Group); ClosedPedersenCommitment closedC = new ClosedPedersenCommitment( new GroupElement[2] { closedX.Value *verifier.G.Exponentiate(verifier.Value.Negate()), verifier.H }, this.B, verifier.Group); ClosedDLRepOfGroupElement[] equations = new ClosedDLRepOfGroupElement[] { closedX, closedA, closedB, closedC }; // verify the proof EqualityMap map = this.GetEqualityMap(); VerifierEqualityParameters eqVerifier = new VerifierEqualityParameters(equations, map, verifier); if (!this.Proof.Verify(eqVerifier)) { return(false); } return(true); }
/// <summary> /// Verifies a proof that two tokens share an attribute value, without revealing it. /// </summary> /// <param name="verifier1">Equality proof parameters for the first token.</param> /// <param name="verifier2">Equality proof parameters for the second token.</param> /// <param name="eQProof">The equality proof to verify.</param> /// <exception cref="InvalidUProveArtifactException">Thrown if the proof is invalid.</exception> public static void VerifyUProveEqualityProof(EQProofUProveVerifierData verifier1, EQProofUProveVerifierData verifier2, EqualityProof eQProof) { int commitmentIndex1 = ClosedPedersenCommitment.GetCommitmentIndex(verifier1.VPPP.Committed, verifier1.index); int commitmentIndex2 = ClosedPedersenCommitment.GetCommitmentIndex(verifier2.VPPP.Committed, verifier2.index); ClosedPedersenCommitment closedPed1 = new ClosedPedersenCommitment(verifier1.VPPP.IP, verifier1.PP, commitmentIndex1); ClosedPedersenCommitment closedPed2 = new ClosedPedersenCommitment(verifier2.VPPP.IP, verifier2.PP, commitmentIndex2); CryptoParameters crypto = new CryptoParameters(verifier1.VPPP.IP); // Can use prover2.IP VerifierEqualityParameters equalityVerifier = new VerifierEqualityParameters(closedPed1, 0, closedPed2, 0, crypto); if (!eQProof.Verify(equalityVerifier)) { throw new InvalidUProveArtifactException("invalid equality proof"); } }
/// <summary> /// Checks that this bit decomposition proof is valid with respect to /// the given verifier parameters. /// </summary> /// <param name="verifier">Verifier parameters.</param> /// <returns>True if this proof is valid, false otherwise.</returns> public bool Verify(VerifierBitDecompositionParameters verifier) { try { // check verifier parameters if (!verifier.Verify()) { return(false); } // check each set membership proof VerifierSetMembershipParameters smParameters = new VerifierSetMembershipParameters(verifier); FieldZqElement[] memberSet = SetOfZeroAndOne(verifier); for (int committedBitIndex = 0; committedBitIndex < this.bitCommitmentProof.Length; ++committedBitIndex) { GroupElement committedBit = verifier.ClosedBitDecomposition(committedBitIndex); smParameters.setVerifierParameters(committedBit, memberSet); if (!this.bitCommitmentProof[committedBitIndex].Verify(smParameters)) { return(false); } } // check the composition proof GroupElement actualComposedValue = ComposeClosedCommittedBits(verifier.ClosedBitDecomposition(), verifier); GroupElement[] bases = new GroupElement[2] { verifier.G, verifier.H }; VerifierEqualityParameters veParameters = new VerifierEqualityParameters( new ClosedDLRepOfGroupElement(bases, actualComposedValue, verifier.Group), 0, new ClosedDLRepOfGroupElement(bases, verifier.ClosedCommitment, verifier.Group), 0, verifier); if (!this.compositionProof.Verify(veParameters)) { return(false); } return(true); } catch (Exception) { return(false); } }
/// <summary> /// Verifies this equality proof given the verifier parameters. /// </summary> /// <param name="verifier"></param> /// <returns></returns> public bool Verify(VerifierEqualityParameters verifier) { try { if (!verifier.Verify()) { return(false); } FieldZqElement challenge = ComputeChallenge(verifier); int unequalWIndex = 0; for (int statementIndex = 0; statementIndex < verifier.Statements.Length; ++statementIndex) { IStatement statement = verifier.Statements[statementIndex]; FieldZqElement[] responses = new FieldZqElement[statement.RepresentationLength]; for (int baseIndex = 0; baseIndex < statement.RepresentationLength; ++baseIndex) { DoubleIndex di = new DoubleIndex(statementIndex, baseIndex); int equalWIndex; if (verifier.Map.TryRetrieveIntIndex(di, out equalWIndex)) { responses[baseIndex] = responseEqual[equalWIndex]; } else { responses[baseIndex] = responseUnequal[unequalWIndex]; ++unequalWIndex; } } if (!statement.Verify(b[statementIndex], challenge, responses)) { return(false); } } } catch (Exception) { return(false); } return(true); }
public bool Verify(VerifierPresentationProtocolParameters verifier1, int attributeIndexForVerifier1, VerifierPresentationProtocolParameters verifier2, int attributeIndexForVerifier2) { if (!verifier1.IP.Gq.Equals(verifier2.IP.Gq)) { throw new ArgumentException("both verifiers must share the same group"); } // Create ClosedUProveTokens ClosedUProveToken token1 = new ClosedUProveToken(verifier1); ClosedUProveToken token2 = new ClosedUProveToken(verifier2); // Verify proof VerifierEqualityParameters eqVerifier = new VerifierEqualityParameters( token1, attributeIndexForVerifier1, token2, attributeIndexForVerifier2, new CryptoParameters(verifier1.IP)); return(this.Verify(eqVerifier)); }
/// <summary> /// Verifies this proof that the committed values are valid Pedersen Commitments to token attributes. /// </summary> /// <param name="verifier">Array of verifier token parameters.</param> /// <param name="attributeIndices">Target attribute in each token.</param> /// <param name="committedValues">Array of Pedersen Commitment values.</param> /// <returns></returns> public bool Verify(VerifierPresentationProtocolParameters [] verifier, int [] attributeIndices) { if ((verifier == null) || (verifier.Length == 0)) { throw new ArgumentException("First argument should be an array of at least one element."); } if (!UProveIntegrationProof.AreTokensCompatible(verifier)) { throw new ArgumentException("All tokens must use same group."); } if ((attributeIndices == null) || (attributeIndices.Length != verifier.Length)) { throw new ArgumentNullException("Second argument must be an array of the same length as first argument."); } if ((this.PedersenCommitmentValues == null) || (this.PedersenCommitmentValues.Length != verifier.Length)) { throw new ArgumentNullException("Third argument must be an array of the same length as first argument."); } EqualityMap map = new EqualityMap(); IStatement[] statements = new IStatement[verifier.Length * 2]; ClosedUProveToken[] tokens = new ClosedUProveToken[verifier.Length]; for (int i = 0; i < tokens.Length; ++i) { // create uprove token and add target attribute to map statements[2 * i] = new ClosedUProveToken(verifier[i]); map.Add(new PrettyName("token", 2 * i), new DoubleIndex(i, attributeIndices[i])); // add pedersen commitment to witness list, and add to map statements[2 * i + 1] = new ClosedPedersenCommitment(verifier[i].IP, this.PedersenCommitmentValues[i]); map.Add(new PrettyName("token", 2 * i + 1), new DoubleIndex(i, 0)); } VerifierEqualityParameters eqVerifier = new VerifierEqualityParameters(statements, map, new CryptoParameters(verifier[0].IP)); return(this.TokenCommitmentEqualityProof.Verify(eqVerifier)); }
/// <summary> /// Verifies the RangeProof. Returns true if it is valid, false otherwise. /// </summary> /// <param name="verifier">Verifier parameters.</param> /// <returns></returns> public bool Verify(VerifierRangeProofParameters verifier) { try { // Verify parameters if (!verifier.Verify()) { return(false); } // verify bit decomposition proofs if (!VerifyBitDecompositionProofs(verifier, this.A, this.B, ProofBitDecompositionOfA, ProofBitDecompositionOfB)) { return(false); } // verify FullRangeProof GroupElement[] closedAdivB = ComputeClosedAdivB(verifier, this.A, this.B); this.D[0] = closedAdivB[0]; ClosedDLRepOfGroupElement[] closedX = ComputeClosedX(verifier, this.X, closedAdivB); ClosedDLRepOfGroupElement[] closedE = ComputeClosedE(verifier, this.X, this.D, closedAdivB); ClosedDLRepOfGroupElement[] allClosedDL = CombineAllClosedDLReps(this.D, closedAdivB, closedX, closedE, verifier); EqualityMap map = ComputeEqualityMap(verifier, A.Length); VerifierEqualityParameters veParameters = new VerifierEqualityParameters( allClosedDL, map, verifier); bool success = this.FullRangeProof.Verify(veParameters); if (!success) { return(false); } // verify additional proof based on proof type GroupElement LastD = this.D[this.D.Length - 1]; switch (verifier.RangeProofType) { case VerifierRangeProofParameters.ProofType.GREATER_THAN: ClosedDLRepOfGroupElement gtEquation = new ClosedDLRepOfGroupElement( new GroupElement[1] { verifier.H }, LastD * verifier.G.Exponentiate(verifier.FieldZq.One.Negate()), verifier.Group); VerifierEqualityParameters greaterThanVerifier = new VerifierEqualityParameters( gtEquation, verifier); return(StrictlyThanProof.Verify(greaterThanVerifier)); case VerifierRangeProofParameters.ProofType.LESS_THAN: ClosedDLRepOfGroupElement ltEquation = new ClosedDLRepOfGroupElement( new GroupElement[1] { verifier.H }, LastD * verifier.G, verifier.Group); VerifierEqualityParameters lessThanVerifier = new VerifierEqualityParameters( ltEquation, verifier); return(StrictlyThanProof.Verify(lessThanVerifier)); case VerifierRangeProofParameters.ProofType.GREATER_THAN_OR_EQUAL_TO: VerifierSetMembershipParameters greaterEqualVerifier = new VerifierSetMembershipParameters( LastD, new FieldZqElement[] { verifier.FieldZq.Zero, verifier.FieldZq.One }, verifier); return(this.OrEqualToProof.Verify(greaterEqualVerifier)); case VerifierRangeProofParameters.ProofType.LESS_THAN_OR_EQUAL_TO: VerifierSetMembershipParameters lessEqualProver = new VerifierSetMembershipParameters( LastD, new FieldZqElement[] { verifier.FieldZq.Zero, verifier.FieldZq.One.Negate() }, verifier); return(this.OrEqualToProof.Verify(lessEqualProver)); } } catch (Exception) { } return(false); }