public void InequalityProofSerializationTest()
{
for (int i = 0; i < StaticHelperClass.ParameterArray.Length; ++i)
{
CryptoParameters crypto = StaticHelperClass.ParameterArray[i];
FieldZqElement x = crypto.FieldZq.GetElement(1000);
FieldZqElement y = crypto.FieldZq.GetElement(2000);
PedersenCommitment X = new PedersenCommitment(x, crypto);
PedersenCommitment Y = new PedersenCommitment(y, crypto);
ProverInequalityProofParameters prover = new ProverInequalityProofParameters(X, Y, crypto);
InequalityProof proof = new InequalityProof(prover);
string json = CryptoSerializer.Serialize <InequalityProof>(proof);
InequalityProof deserialized = CryptoSerializer.Deserialize <InequalityProof>(json);
Assert.IsTrue(proof.Verify(prover), "Verify proof");
Assert.AreEqual(proof.A, deserialized.A, "A");
Assert.AreEqual(proof.B, deserialized.B, "B");
prover = new ProverInequalityProofParameters(X, y, crypto);
proof = new InequalityProof(prover);
json = CryptoSerializer.Serialize <InequalityProof>(proof);
deserialized = CryptoSerializer.Deserialize <InequalityProof>(json);
Assert.IsTrue(proof.Verify(prover), "Verify proof");
Assert.AreEqual(proof.A, deserialized.A, "A");
Assert.AreEqual(proof.B, deserialized.B, "B");
}
}
public void InequalityParamUnknownValueTest()
{
CryptoParameters crypto = StaticHelperClass.ParameterArray[1];
FieldZqElement x = crypto.FieldZq.GetRandomElement(false);
FieldZqElement y = x + crypto.FieldZq.One;
// inequality does not hold
PedersenCommitment X = new PedersenCommitment(x, crypto);
PedersenCommitment Y = new PedersenCommitment(y, crypto);
PedersenCommitment badY = new PedersenCommitment(x, crypto);
ProverInequalityProofParameters badProver = new ProverInequalityProofParameters(X, badY, crypto);
Assert.IsFalse(badProver.Verify(), "x=y");
// X uses wrong bases
PedersenCommitment badX = new PedersenCommitment(crypto.H, crypto.G, x, x, crypto.Group);
badProver = new ProverInequalityProofParameters(badX, Y, crypto);
Assert.IsFalse(badProver.Verify(), "bad bases in X");
// Y uses wrong bases
badProver = new ProverInequalityProofParameters(Y, badX, crypto);
Assert.IsFalse(badProver.Verify(), "bad bases in Y");
//good parameters ok
ProverInequalityProofParameters prover = new ProverInequalityProofParameters(X, Y, crypto);
Assert.IsTrue(prover.Verify(), "prover verify");
VerifierInequalityProofParameters verifier = new VerifierInequalityProofParameters(X.Value, Y.Value, crypto);
Assert.IsTrue(verifier.Verify(), "verifier ok.");
}
public void CSDLRepArrayTestWithGroup()
{
DLRepOfGroupElement[] input = StaticHelperClass.GenerateRandomDLRepOfGroupElementArray(10, 7, this.paramIndex);
FieldZqElement[][] inputExponents = new FieldZqElement[10][];
for (int dlIndex = 0; dlIndex < 10; ++dlIndex)
{
inputExponents[dlIndex] = new FieldZqElement[7];
for (int exponentIndex = 0; exponentIndex < 7; ++exponentIndex)
{
inputExponents[dlIndex][exponentIndex] = input[dlIndex].ExponentAtIndex(exponentIndex);
}
}
string[] serializedTT = CryptoSerializer.Serialize(input, true, true);
DLRepOfGroupElement[] outputTT = CryptoSerializer.Deserialize <DLRepOfGroupElement>(serializedTT, null, null);
StaticHelperClass.AssertArraysAreEqual(input, outputTT, "outputTT");
string[] serializedNT = CryptoSerializer.Serialize(input, true, false);
GroupElement[] newBases = StaticHelperClass.GenerateRandomBases(input[0].RepresentationLength, this.paramIndex);
DLRepOfGroupElement[] outputNT = CryptoSerializer.Deserialize <DLRepOfGroupElement>(serializedNT, null, newBases);
Assert.AreEqual(input.Length, outputNT.Length, "outputNT.Length");
for (int i = 0; i < outputNT.Length; ++i)
{
DLRepOfGroupElement expected = new DLRepOfGroupElement(newBases, inputExponents[i], this.crypto.Group);
expected.Value = input[i].Value;
Assert.AreEqual(expected, outputNT[i], "outputNT " + i);
}
FieldZqElement[] commitments = StaticHelperClass.GenerateRandomExponents(10, this.paramIndex);
FieldZqElement[] openings = StaticHelperClass.GenerateRandomExponents(10, this.paramIndex);
input = PedersenCommitment.GetCommitments(this.crypto, commitments, openings);
}
public void EQEndToEndTest2()
{
int length = 20;
FieldZqElement[] committedValues = _crypto.FieldZq.GetRandomElements(length, true);
FieldZqElement[] openings = _crypto.FieldZq.GetRandomElements(length, true);
PedersenCommitment[] ped = PedersenCommitment.GetCommitments(_crypto, committedValues, openings);
EqualityMap map = new EqualityMap();
for (int i = 0; i < length; ++i)
{
map.Add(
new PrettyName("chi", i),
new DoubleIndex(i, 0)
);
}
ProverEqualityParameters prover = new ProverEqualityParameters(ped, map, _crypto);
Assert.IsTrue(prover.Verify());
EqualityProof proof = new EqualityProof(prover);
Assert.IsTrue(proof.Verify(prover));
}
public void BDSerializationTest()
{
FieldZqElement bigNum = _parameters[0].FieldZq.GetElement(2056);
PedersenCommitment bigNumCommit = new PedersenCommitment(bigNum, _parameters[0]);
int decompositionLength = 15;
ProverBitDecompositionParameters prover = new ProverBitDecompositionParameters(
bigNumCommit,
decompositionLength,
_parameters[0]);
BitDecompositionProof proof = new BitDecompositionProof(prover);
Assert.IsTrue(proof.Verify(prover), "original proof verification.");
string jsonProof = CryptoSerializer.Serialize <BitDecompositionProof>(proof);
// TODO: switch to using ip-based de-serialization; need to harmonize with U-Prove SDK code
IssuerParameters ip = new IssuerParameters();
ip.Gq = prover.Group;
BitDecompositionProof deserializedProof = ip.Deserialize <BitDecompositionProof>(jsonProof);// CryptoSerializer.Deserialize<BitDecompositionProof>(jsonProof);
Assert.IsTrue(deserializedProof.Verify(prover), "deserialized proof verfication");
string jsonProver = CryptoSerializer.Serialize <ProverBitDecompositionParameters>(prover);
ProverBitDecompositionParameters deserializedProver = CryptoSerializer.Deserialize <ProverBitDecompositionParameters>(jsonProver);
Assert.IsTrue(deserializedProof.Verify(deserializedProver), "deserialized proof with deserialized prover.");
BitDecompositionProof proof2 = new BitDecompositionProof(deserializedProver);
Assert.IsTrue(proof2.Verify(deserializedProver), "proof2.verify(deserializedProver)");
Assert.IsTrue(proof2.Verify(prover), "Proof2.verify(prover)");
}
public void SMProverParametersConstructorTest()
{
// Test1: compute commitment automatically
ProverSetMembershipParameters prover = new ProverSetMembershipParameters(_cryptoParameters);
prover.setProverParameters(ValidDaysOfTheWeek[1], ValidDaysOfTheWeek);
AssertCorrectProverParameters(prover,
_cryptoParameters,
prover.OpenCommitment, // computed open commitment automatically, so check committed value later
ValidDaysOfTheWeek);
Assert.AreEqual(ValidDaysOfTheWeek[1], prover.OpenCommitment.CommittedValue, "wrong committed value.");
// Test 2: use explicit commitment
prover = new ProverSetMembershipParameters(_cryptoParameters);
PedersenCommitment ped = new PedersenCommitment(ValidDaysOfTheWeek[4], _cryptoParameters);
prover.setProverParameters(ped, ValidDaysOfTheWeek);
AssertCorrectProverParameters(
prover,
_cryptoParameters,
ped,
ValidDaysOfTheWeek);
// Test 3: use constructor to set explicit commitment
prover = new ProverSetMembershipParameters(ped, ValidDaysOfTheWeek, _cryptoParameters);
prover.setProverParameters(ped, ValidDaysOfTheWeek);
AssertCorrectProverParameters(
prover,
_cryptoParameters,
ped,
ValidDaysOfTheWeek);
}
public void SimpleConstructorTest()
{
for (int i = 0; i < _parameters.Length; ++i)
{
FieldZqElement committedValue = _parameters[i].FieldZq.GetRandomElement(true);
GroupElement g = _parameters[i].G;
GroupElement h = _parameters[i].H;
PedersenCommitment pedCom1 = new PedersenCommitment(committedValue, _parameters[i]);
FieldZqElement opening = pedCom1.ExponentAtIndex(1);
Assert.AreEqual(g, pedCom1.BaseAtIndex(0), "pedcom1 has wrong base_0");
Assert.AreEqual(h, pedCom1.BaseAtIndex(1), "pedcom1 has wrong base_1");
Assert.AreEqual(committedValue, pedCom1.CommittedValue, "pedcom1 used wrong committed value");
GroupElement expectedCommitmentValue = g.Exponentiate(committedValue) * h.Exponentiate(opening);
Assert.AreEqual(expectedCommitmentValue, pedCom1.Value, "pedcom1 computed wrong value");
PedersenCommitment pedCom2 = new PedersenCommitment(g, h, committedValue, opening, _parameters[i].Group);
Assert.AreEqual(pedCom1, pedCom2, "pedcom1 and pedcom2 different");
FieldZqElement[] exponents = new FieldZqElement[2] {
committedValue, opening
};
GroupElement[] bases = new GroupElement[2] {
g, h
};
PedersenCommitment pedCom3 = new PedersenCommitment(bases, exponents, _parameters[i].Group);
Assert.AreEqual(pedCom1, pedCom3, "pedcom1 and pedcom3 different");
Assert.AreEqual(pedCom2, pedCom3, "pedcom2 and pedcom3 different");
}
}
public void BDBadProofTest()
{
FieldZqElement bigNum = _parameters[0].FieldZq.GetElement(30);
PedersenCommitment bigNumCommit = new PedersenCommitment(bigNum, _parameters[0]);
int decompositionLength = 8;
ProverBitDecompositionParameters proverParams = new ProverBitDecompositionParameters(
bigNumCommit,
decompositionLength,
_parameters[0]);
BitDecompositionProof proof = new BitDecompositionProof(proverParams);
PrivateObject proofAccessor = new PrivateObject(proof);
SetMembershipProof[] smProof = (SetMembershipProof[])proofAccessor.GetField("bitCommitmentProof");
SetMembershipProof[] badSmProof = smProof;
SetMembershipProof tmp = smProof[1];
badSmProof[1] = badSmProof[0];
proofAccessor.SetFieldOrProperty("bitCommitmentProof", badSmProof);
Assert.IsFalse(proof.Verify(proverParams), "bad set membeship proof.");
proofAccessor.SetFieldOrProperty("bitCommitmentProof", smProof);
smProof[1] = tmp;
Assert.IsTrue(proof.Verify(proverParams), "good set membership proof.");
EqualityProof eqProof = (EqualityProof)proofAccessor.GetField("compositionProof");
PrivateObject eqProofAccessor = new PrivateObject(eqProof);
GroupElement [] b = (GroupElement[])eqProofAccessor.GetField("b");
b[1] = b[0];
eqProofAccessor.SetField("b", b);
Assert.IsFalse(proof.Verify(proverParams), "bad equality proof");
}
public void InequalityParamsSerializationTest()
{
for (int i = 0; i < StaticHelperClass.ParameterArray.Length; ++i)
{
CryptoParameters crypto = StaticHelperClass.ParameterArray[i];
FieldZqElement x = crypto.FieldZq.GetElement(1000);
FieldZqElement y = crypto.FieldZq.GetElement(2000);
PedersenCommitment X = new PedersenCommitment(x, crypto);
PedersenCommitment Y = new PedersenCommitment(y, crypto);
VerifierInequalityProofParameters verifier = new VerifierInequalityProofParameters(X.Value, Y.Value, crypto);
string json = CryptoSerializer.Serialize <VerifierInequalityProofParameters>(verifier);
VerifierInequalityProofParameters deserialized = CryptoSerializer.Deserialize <VerifierInequalityProofParameters>(json);
StaticHelperClass.AssertProofParametersAreEqual(verifier, deserialized, "Verifier X Y");
verifier = new VerifierInequalityProofParameters(X.Value, y, crypto);
json = CryptoSerializer.Serialize <VerifierInequalityProofParameters>(verifier);
deserialized = CryptoSerializer.Deserialize <VerifierInequalityProofParameters>(json);
StaticHelperClass.AssertProofParametersAreEqual(verifier, deserialized, "Verifier X value");
ProverInequalityProofParameters prover = new ProverInequalityProofParameters(X, Y, crypto);
json = CryptoSerializer.Serialize <ProverInequalityProofParameters>(prover);
ProverInequalityProofParameters dProver = CryptoSerializer.Deserialize <ProverInequalityProofParameters>(json);
StaticHelperClass.AssertProofParametersAreEqual(dProver, prover, "Prover X Y");
prover = new ProverInequalityProofParameters(X, y, crypto);
json = CryptoSerializer.Serialize <ProverInequalityProofParameters>(prover);
dProver = CryptoSerializer.Deserialize <ProverInequalityProofParameters>(json);
StaticHelperClass.AssertProofParametersAreEqual(dProver, prover, "Prover X value");
}
}
public void EQTokenAndDLTest()
{
// In this example, the token hashes the attribute
// but example also works if hashAttributes=false
bool hashAttributes = true;
// Setting up attributes for token
byte[][] attributes = new byte[][]
{
_encoding.GetBytes("Attribute 1"),
_encoding.GetBytes("Attribute 2"),
_encoding.GetBytes("Teaching Assistant"), // this is the attribute we'll compare
_encoding.GetBytes("Attribute 4")
};
// generate token
ProverPresentationProtocolParameters prover;
VerifierPresentationProtocolParameters verifier;
StaticHelperClass.GetUProveParameters(hashAttributes, out prover, out verifier, null, attributes);
OpenUProveToken token = new OpenUProveToken(prover);
Assert.IsTrue(token.Validate(null), "validate token.");
// generate pedersen commitment to Teaching Assistant
PedersenCommitment ped = new PedersenCommitment(prover.IP, 3, _encoding.GetBytes("Teaching Assistant"));
// Verify they are equal
Assert.AreEqual(token.AttributeXI(3), ped.CommittedValue, "Token and PedersenCommitment different.");
// Create a proof that the 3rd attribute in token is equal to the committed value in ped.
ProverEqualityParameters eqProver = new ProverEqualityParameters(
token, // token
3, // 3rd attribute is the 3rd exponent
ped, // pedersen commitment
0, // committed value is the 0th exponent
new CryptoParameters(prover.IP));
EqualityProof proof = new EqualityProof(eqProver);
// Verify proof
ClosedUProveToken closedToken = new ClosedUProveToken(verifier);
Assert.IsTrue(closedToken.AreBasesEqual(token), "token bases.");
IStatement closedPed = ped.GetStatement();
Assert.IsTrue(closedPed.AreBasesEqual(ped), "token bases.");
VerifierEqualityParameters eqVerifier = new VerifierEqualityParameters(
closedToken, // verifier token information
3, // 3rd attribute is the 3nd exponent
closedPed, // verifier information about ped
0, // committed value is the 0th exponent
new CryptoParameters(prover.IP));
Assert.IsTrue(proof.Verify(eqVerifier));
}
public void PedCommitmentBadConstructorTest()
{
int paramIndex = 6;
GroupElement[] bases = null;
FieldZqElement[] exponents = null;
Group group = _parameters[paramIndex].Group;
PedersenCommitment ped;
// null input
bool threwException = false;
try
{
ped = new PedersenCommitment(bases, exponents, group);
}
catch (Exception)
{
threwException = true;
}
Assert.IsTrue(threwException, "should throw exception on null input.");
// wrong length bases & exponent arrays
threwException = false;
bases = StaticHelperClass.GenerateRandomBases(1, paramIndex);
exponents = StaticHelperClass.GenerateRandomExponents(1, paramIndex);
try
{
ped = new PedersenCommitment(bases, exponents, group);
}
catch (Exception)
{
threwException = true;
}
Assert.IsTrue(threwException, "should throw exception when bases and exponents are arrays of length 1.");
// wrong length bases & exponent arrays
threwException = false;
bases = StaticHelperClass.GenerateRandomBases(3, paramIndex);
exponents = StaticHelperClass.GenerateRandomExponents(3, paramIndex);
try
{
ped = new PedersenCommitment(bases, exponents, group);
}
catch (Exception)
{
threwException = true;
}
Assert.IsTrue(threwException, "should throw exception when bases and exponents are arrays of length 3.");
}
public void UnknownDLRepConstructorTest()
{
for (int i = 0; i < _parameters.Length; ++i)
{
FieldZqElement committedValue = _parameters[i].FieldZq.GetRandomElement(true);
GroupElement g = _parameters[i].G;
GroupElement h = _parameters[i].H;
PedersenCommitment pedCom = new PedersenCommitment(committedValue, _parameters[i]);
IStatement udl = pedCom.GetStatement();
Assert.IsFalse(pedCom.Equals(udl), "pedCom does not equal udl due to class hierarchy");
Assert.IsTrue(PedersenCommitment.IsValidOpenClosedPair(pedCom, udl), "should be valid open closed pair.");
}
}
public ProverSetMembershipParameters GeneratePSMParameters(int indexOfCommittedValue, int memberSetLength)
{
if (indexOfCommittedValue >= memberSetLength)
{
throw new ArgumentException("indexOfCommittedValue should be less than memberSetLength");
}
FieldZq fieldZq = FieldZq.CreateFieldZq(_cryptoParameters.Group.Q);
FieldZqElement committedValue = fieldZq.GetRandomElement(true);
PedersenCommitment ped = new PedersenCommitment(committedValue, _cryptoParameters);
FieldZqElement[] memberSet = fieldZq.GetRandomElements(memberSetLength, true);
memberSet[indexOfCommittedValue] = committedValue;
return(new ProverSetMembershipParameters(ped, memberSet, _cryptoParameters));
}
public void BDBadCompositionTest()
{
PedersenCommitment[] ped = new PedersenCommitment[2];
ped[0] = new PedersenCommitment(_parameters[0].G, _parameters[0].H, _parameters[0].FieldZq.One, _parameters[0].FieldZq.One, _parameters[0].Group);
ped[1] = new PedersenCommitment(_parameters[1].G, _parameters[1].H, _parameters[1].FieldZq.One, _parameters[1].FieldZq.One, _parameters[1].Group);
PedersenCommitment composition = ped[0];
FieldZq field = _parameters[0].FieldZq;
PrivateType bdproof = new PrivateType(typeof(BitDecompositionProof));
object [] inputParameters = new object[3] {
ped, _parameters[0].FieldZq, composition
};
bool success = (bool)bdproof.InvokeStatic("ComposeCommitments", inputParameters);
Assert.IsFalse(success, "success");
}
public void BDProverSerializationTest()
{
FieldZqElement bigNum = _parameters[0].FieldZq.GetElement(2056);
PedersenCommitment bigNumCommit = new PedersenCommitment(bigNum, _parameters[0]);
int decompositionLength = 15;
ProverBitDecompositionParameters prover = new ProverBitDecompositionParameters(
bigNumCommit,
decompositionLength,
_parameters[0]);
string jsonString = CryptoSerializer.Serialize <ProverBitDecompositionParameters>(prover);
ProverBitDecompositionParameters deserializedProver = CryptoSerializer.Deserialize <ProverBitDecompositionParameters>(jsonString);
Assert.AreEqual(prover.Group.GroupName, deserializedProver.Group.GroupName);
StaticHelperClass.AssertArraysAreEqual(prover.PublicValues, deserializedProver.PublicValues, "PublicValues");
StaticHelperClass.AssertArraysAreEqual <DLRepOfGroupElement>(prover.Witnesses, deserializedProver.Witnesses, "Witnesses");
}
public static void AssertCorrectProverParameters(
ProverSetMembershipParameters prover,
CryptoParameters expectedCryptoParameters,
PedersenCommitment expectedOpenCommitment,
FieldZqElement [] expectedMemberSet
)
{
// check crypto parameters and everything associated with verifer
AssertCorrectVerifierParameters(prover, expectedCryptoParameters, expectedOpenCommitment.Value, expectedMemberSet);
// now check witness
Assert.AreEqual(expectedOpenCommitment, prover.OpenCommitment, "wrong open commitment.");
Assert.AreEqual(expectedCryptoParameters.G, prover.OpenCommitment.G, "G value does not match expected crypto parameters.");
Assert.AreEqual(expectedOpenCommitment.G, prover.OpenCommitment.G, "G value does not match expected Open commitment.");
Assert.AreEqual(expectedCryptoParameters.H, prover.OpenCommitment.H, "H value does not match expected crypto parameters.");
Assert.AreEqual(expectedOpenCommitment.H, prover.OpenCommitment.H, "H value does not match expected Open commitment.");
}
public void SMBadParametersTest()
{
// committed value not in memberset
ProverSetMembershipParameters prover = new ProverSetMembershipParameters(_cryptoParameters);
prover.setProverParameters(_cryptoParameters.FieldZq.One, ValidDaysOfTheWeek);
Assert.IsFalse(prover.Verify(), "Verify should fail since committed value not in memberset.");
// open commitment uses wrong base
PedersenCommitment ped = new PedersenCommitment(_cryptoParameters.H, _cryptoParameters.G, ValidDaysOfTheWeek[0], ValidDaysOfTheWeek[2], _cryptoParameters.Group);
prover.setProverParameters(ped, ValidDaysOfTheWeek);
Assert.IsFalse(prover.Verify(), "Verify should fail since commitment uses wrong bases.");
// null memberset
prover.setProverParameters(ValidDaysOfTheWeek[0], null);
Assert.IsFalse(prover.Verify(), "Verify should fail since memberset is null.");
}
public void InequalityE2ETest1()
{
CryptoParameters crypto = StaticHelperClass.ParameterArray[0];
PedersenCommitment X = new PedersenCommitment(crypto.FieldZq.GetElement(20), crypto);
ProverInequalityProofParameters prover = new ProverInequalityProofParameters(X, crypto.FieldZq.GetElement(45), crypto);
Assert.IsTrue(prover.Verify(), "prover verify");
InequalityProof proof = new InequalityProof(prover);
Assert.IsTrue(proof.Verify(prover), "proof verify(prover)");
VerifierInequalityProofParameters verifier = new VerifierInequalityProofParameters(X.Value, crypto.FieldZq.GetElement(45), crypto);
Assert.IsTrue(verifier.Verify(), "verifyer.verify()");
Assert.IsTrue(proof.Verify(verifier), "proof.verify(verifier)");
}
public void DLtoPedConstructorTest()
{
for (int paramIndex = 0; paramIndex < _parameters.Length; ++paramIndex)
{
GroupElement[] bases = StaticHelperClass.GenerateRandomBases(2, paramIndex);
FieldZqElement[] exponents = StaticHelperClass.GenerateRandomExponents(2, paramIndex);
DLRepOfGroupElement dl = new DLRepOfGroupElement(bases, exponents, _parameters[paramIndex].Group);
PedersenCommitment ped = new PedersenCommitment(dl);
Assert.IsTrue(ped.Validate(), "ped should be a valid pedersen commitment.");
Assert.AreEqual(bases[0], ped.G, "Wrong G value.");
Assert.AreEqual(bases[1], ped.H, "Wrong H value.");
Assert.AreEqual(exponents[0], ped.CommittedValue, "wrong committed value.");
Assert.AreEqual(exponents[1], ped.Opening, "wrong opening.");
GroupElement expectedValue = _parameters[paramIndex].Group.MultiExponentiate(bases, exponents);
Assert.AreEqual(expectedValue, ped.Value, "wrong value.");
}
}
public void PresentationProofConstructorTest()
{
// generate array of commitments using PresentationProof
CommitmentPrivateValues cpv;
Assert.IsNotNull(_proverParams, "prover params null");
PresentationProof proof = PresentationProof.Generate(_proverParams, out cpv);
Assert.IsNotNull(proof.Commitments, "proof failed to generate commitments");
Assert.IsNotNull(cpv, "failed to output cpv");
Assert.IsNotNull(cpv.TildeO, "cpv.TildeO is null");
CommitmentValues [] expectedCommitmentValues = proof.Commitments;
// generate array of commitments using Pedersen Commitment constructor
PedersenCommitment [] proverCommitments = PedersenCommitment.ArrayOfPedersenCommitments(_proverParams, proof, cpv);
// compare values
GroupElement expectedG = _proverParams.IP.Gq.G;
GroupElement expectedH = _proverParams.IP.G[1];
for (int commitIndex = 0; commitIndex < expectedCommitmentValues.Length; ++commitIndex)
{
int attributeIndex = _proverParams.Committed[commitIndex] - 1;
FieldZqElement expectedCommittedValue = ProtocolHelper.ComputeXi(_proverParams.IP, attributeIndex, _proverParams.Attributes[attributeIndex]);
Assert.AreEqual(expectedCommittedValue, proverCommitments[commitIndex].CommittedValue, "wrong committed value");
Assert.AreEqual(cpv.TildeO[commitIndex], proverCommitments[commitIndex].Opening, "opening does not match tildeO");
Assert.AreEqual(expectedG, proverCommitments[commitIndex].G, "base g wrong");
Assert.AreEqual(expectedH, proverCommitments[commitIndex].H, "base h wrong");
Assert.AreEqual(expectedCommitmentValues[commitIndex].TildeC, proverCommitments[commitIndex].Value, "wrong value");
}
// generate array of closed pedersen commitments
ClosedPedersenCommitment[] verifierCommitments = ClosedPedersenCommitment.ArrayOfClosedPedersenCommitments(_verifierParams.IP, proof);
// compare bases and values to actualCommitments
Assert.IsTrue(ClosedPedersenCommitment.AreBasesEqual(verifierCommitments), "all closed commitments should have same bases.");
Assert.IsTrue(verifierCommitments[0].AreBasesEqual(proverCommitments[0]), "all closed commitments should have same bases as open commitments");
Assert.AreEqual(proverCommitments.Length, verifierCommitments.Length, "should be as many open and closed commitments");
for (int i = 0; i < verifierCommitments.Length; ++i)
{
Assert.AreEqual(verifierCommitments[i].Value, proverCommitments[i].Value, "open and closed commitments should be equal.");
}
}
public void EQEndToEndTest3()
{
int length = 20;
FieldZqElement[] committedValues = _crypto.FieldZq.GetRandomElements(length, true);
FieldZqElement[] openings1 = _crypto.FieldZq.GetRandomElements(length, true);
FieldZqElement[] openings2 = _crypto.FieldZq.GetRandomElements(length, true);
PedersenCommitment[] ped1 = PedersenCommitment.GetCommitments(_crypto, committedValues, openings1);
PedersenCommitment[] ped2 = PedersenCommitment.GetCommitments(_crypto, committedValues, openings2);
// combine all commitments into allPed
PedersenCommitment[] allPed = new PedersenCommitment[2 * length];
for (int i = 0; i < length; ++i)
{
allPed[i] = ped1[i];
allPed[i + length] = ped2[i];
}
// create equality map
EqualityMap map = new EqualityMap();
for (int i = 0; i < length; ++i)
{
map.Add(
new PrettyName("chi", i),
new DoubleIndex(i, 0)
);
map.Add(
new PrettyName("chi", i),
new DoubleIndex(length + i, 0)
);
}
ProverEqualityParameters prover = new ProverEqualityParameters(allPed, map, _crypto);
Assert.IsTrue(prover.Verify());
EqualityProof proof = new EqualityProof(prover);
Assert.IsTrue(proof.Verify(prover));
}
public void BDEndToEnd()
{
FieldZqElement bigNum = _parameters[0].FieldZq.GetElement(2056);
PedersenCommitment bigNumCommit = new PedersenCommitment(bigNum, _parameters[0]);
int decompositionLength = 15;
ProverBitDecompositionParameters proverParams = new ProverBitDecompositionParameters(
bigNumCommit,
decompositionLength,
_parameters[0]);
BitDecompositionProof proof = new BitDecompositionProof(proverParams);
Assert.IsTrue(proof.Verify(proverParams), "could not verify proof with prover params");
VerifierBitDecompositionParameters verifierParams = new VerifierBitDecompositionParameters(
proverParams.ClosedCommitment,
proverParams.ClosedBitDecomposition(),
proverParams);
Assert.IsTrue(proof.Verify(verifierParams), "could not verify proof with verifier parameters");
}
public void BDConstructorCastTest()
{
FieldZqElement bigNum = _parameters[0].FieldZq.GetElement(129);
PedersenCommitment bigNumCommit = new PedersenCommitment(bigNum, _parameters[0]);
int decompositionLength = 15;
ProverBitDecompositionParameters proverParams = new ProverBitDecompositionParameters(
bigNumCommit,
decompositionLength,
_parameters[0]);
Assert.IsInstanceOfType(proverParams.OpenCommitment, typeof(PedersenCommitment), "OpenCommitment wrong type");
Assert.IsInstanceOfType(proverParams.ClosedCommitment, typeof(GroupElement), "ClosedCommitment wrong type");
Assert.IsInstanceOfType(proverParams.OpenCommitment, typeof(PedersenCommitment), "OpenCommitment wrong type");
Assert.IsInstanceOfType(proverParams.ClosedCommitment, typeof(GroupElement), "ClosedCommitment wrong type");
for (int i = 0; i < proverParams.DecompositionLength; ++i)
{
Assert.IsInstanceOfType(proverParams.OpenBitDecomposition(i), typeof(PedersenCommitment), "OpenBitDecomposition(i) returned wrong type");
Assert.IsInstanceOfType(proverParams.ClosedBitDecomposition(i), typeof(GroupElement), "ClosedBitDecomposition returned wrong type");
}
}
public void InequalityTokenIntegration2Test()
{
// In this example, the token hashes the attribute
// but example also works if hashAttributes=false
bool hashAttributes = true;
// Setting up attributes for token
byte[][] attributes = new byte[][]
{
_encoding.GetBytes("Attribute 1"),
_encoding.GetBytes("Attribute 2"),
_encoding.GetBytes("Teaching Assistant"), // this is the attribute we'll compare
_encoding.GetBytes("Attribute 4")
};
// generate token
ProverPresentationProtocolParameters prover;
VerifierPresentationProtocolParameters verifier;
StaticHelperClass.GetUProveParameters(hashAttributes, out prover, out verifier, null, attributes);
CommitmentPrivateValues cpv;
PresentationProof proof = PresentationProof.Generate(prover, out cpv);
// computing target constant - "Student"
byte[] targetAttribute = _encoding.GetBytes("Student");
int targetAttributeIndex = 3 - 1; // We will compare "Student" to the third token attribute.
FieldZqElement targetValue = ProtocolHelper.ComputeXi(prover.IP, targetAttributeIndex, targetAttribute); // this is what "Student" would be encoded as if it was the third token attribute
// Create PedersenCommitments
// The prover and verifier have a map Committed that contains the relationship between
// token attributes and CommitmentPrivateValues.
int commitmentIndex = ClosedPedersenCommitment.GetCommitmentIndex(prover.Committed, 3); // attribute 3 from prover1
PedersenCommitment ped = new PedersenCommitment(prover, proof, cpv, commitmentIndex);
Assert.AreNotEqual(targetValue, ped.CommittedValue, "Committed value is not Student.");
// Check that "Teaching Assistant" is the commited value of the pedesen commitment.
FieldZqElement expectedCommittedValue = ProtocolHelper.ComputeXi(prover.IP, targetAttributeIndex, _encoding.GetBytes("Teaching Assistant"));
Assert.AreEqual(expectedCommittedValue, ped.CommittedValue, "Committed value is Teaching Assistant.");
// Create InequalityProof
CryptoParameters crypto = new CryptoParameters(prover.IP); // Can use prover2.IP
ProverInequalityProofParameters inequalityProver = new ProverInequalityProofParameters(ped, targetValue, crypto); // compares committed values in ped1 and ped2
InequalityProof ineQproof = new InequalityProof(inequalityProver);
// Verify InequalityProof
commitmentIndex = ClosedPedersenCommitment.GetCommitmentIndex(verifier.Committed, 3); // attribute 3 from prover
ClosedPedersenCommitment closedPed = new ClosedPedersenCommitment(verifier.IP, proof, commitmentIndex);
VerifierInequalityProofParameters inequalityVerifier = new VerifierInequalityProofParameters(closedPed.Value, targetValue, crypto);
Assert.IsTrue(ineQproof.Verify(inequalityVerifier));
// test U-Prove wrapper
InequalityProof ineQProof2 = InequalityProof.GenerateUProveInequalityProof(
new EQProofUProveProverData(prover, cpv, proof, 3), targetAttribute);
InequalityProof.VerifyUProveEqualityProof(
new EQProofUProveVerifierData(verifier, proof, 3), targetAttribute, ineQProof2);
}
public void InequalityTokenIntegrationTest()
{
// Both tokens will hash attributes
// but example also works if hashAttributes=false
bool hashAttributes = true;
// Setting up IssuerParameters for token1
byte[] uidP1 = new byte[] { 1, 1, 2, 3, 5, 8 };
byte[] tokenInformation1 = new byte[] { 1, 2, 3, 4, 5, 6, 7 };
byte[][] attributes1 = new byte[][]
{
_encoding.GetBytes("Attribute 1"),
_encoding.GetBytes("Attribute 2"),
_encoding.GetBytes("Teaching Assistant"), // this is the attribute we'll compare
_encoding.GetBytes("Attribute 4")
};
// Setting up IssuerParameters for token2
byte[] tokenInformation2 = new byte[] { 12, 13, 14, 15, 0, 10 };
byte[] uidP2 = new byte[] { 3, 1, 4, 1, 5 };
byte[][] attributes2 = new byte[][]
{
_encoding.GetBytes("Student"), // this is the attribute we'll compare
_encoding.GetBytes("Attribute 2"),
_encoding.GetBytes("Attribute 3"),
_encoding.GetBytes("Attribute 4")
};
// generate tokens
ProverPresentationProtocolParameters prover1, prover2;
VerifierPresentationProtocolParameters verifier1, verifier2;
StaticHelperClass.GetUProveParameters(hashAttributes, out prover1, out verifier1, tokenInformation1, attributes1, null, uidP1);
StaticHelperClass.GetUProveParameters(hashAttributes, out prover2, out verifier2, tokenInformation2, attributes2, null, uidP2);
CommitmentPrivateValues cpv1, cpv2;
PresentationProof proof1 = PresentationProof.Generate(prover1, out cpv1);
PresentationProof proof2 = PresentationProof.Generate(prover2, out cpv2);
// Create PedersenCommitments
// The prover and verifier have a map Committed that contains the relationship between
// token attributes and CommitmentPrivateValues.
int commitmentIndex1 = ClosedPedersenCommitment.GetCommitmentIndex(prover1.Committed, 3); // attribute 3 from prover1
PedersenCommitment ped1 = new PedersenCommitment(prover1, proof1, cpv1, commitmentIndex1);
int commitmentIndex2 = ClosedPedersenCommitment.GetCommitmentIndex(prover2.Committed, 1); // attribute 1 from prover2
PedersenCommitment ped2 = new PedersenCommitment(prover2, proof2, cpv2, commitmentIndex2);
// Create InequalityProof
CryptoParameters crypto = new CryptoParameters(prover1.IP); // Can use prover2.IP
ProverInequalityProofParameters inequalityProver = new ProverInequalityProofParameters(ped1, ped2, crypto); // compares committed values in ped1 and ped2
InequalityProof ineQProof = new InequalityProof(inequalityProver);
// Verify InequalityProof
commitmentIndex1 = ClosedPedersenCommitment.GetCommitmentIndex(verifier1.Committed, 3); // attribute 3 from prover1
commitmentIndex2 = ClosedPedersenCommitment.GetCommitmentIndex(verifier2.Committed, 1); // attribute 1 from prover2
ClosedPedersenCommitment closedPed1 = new ClosedPedersenCommitment(verifier1.IP, proof1, commitmentIndex1);
ClosedPedersenCommitment closedPed2 = new ClosedPedersenCommitment(verifier2.IP, proof2, commitmentIndex2);
VerifierInequalityProofParameters inequalityVerifier = new VerifierInequalityProofParameters(closedPed1.Value, closedPed2.Value, crypto);
Assert.IsTrue(ineQProof.Verify(inequalityVerifier));
// test U-Prove wrapper
InequalityProof ineQProof2 = InequalityProof.GenerateUProveInequalityProof(
new EQProofUProveProverData(prover1, cpv1, proof1, 3),
new EQProofUProveProverData(prover2, cpv2, proof2, 1));
InequalityProof.VerifyUProveEqualityProof(
new EQProofUProveVerifierData(verifier1, proof1, 3),
new EQProofUProveVerifierData(verifier2, proof2, 1),
ineQProof2);
}
