/// <summary>
/// Constructor. Creates an inequality proof that a token attribute is not equal to some value.
/// </summary>
/// <param name="prover">Token description.</param>
/// <param name="attributeIndexForProver">1-based attribute index in token.</param>
/// <param name="attributeValue">Attribute value to compare actual token attribute.</param>
/// <returns>Inequality proof.</returns>
public InequalityProof(ProverPresentationProtocolParameters prover, int attributeIndexForProver, byte[] attributeValue)
{
// generate Pedersen Commitments to attributes
ProverPresentationProtocolParameters[] provers = new ProverPresentationProtocolParameters[] { prover };
int[] attributeIndices = new int[] { attributeIndexForProver };
PedersenCommitment[] attributeCommitments = PedersenCommitment.PedersenCommmitmentsToAttributes(provers, attributeIndices);
// create inequality proof using Pedersen Commitmetns
FieldZqElement committedAttribute = ProtocolHelper.ComputeXi(prover.IP, attributeIndexForProver - 1, attributeValue);
ProverInequalityProofParameters ieqProver = new ProverInequalityProofParameters(attributeCommitments[0], committedAttribute, new CryptoParameters(prover.IP));
ConstructorHelper(ieqProver);
// add UProve Integration proof
this.UPIProof = new UProveIntegrationProof(provers, attributeIndices, attributeCommitments);
this.UPIProof.IsGroupSerializable = false;
}
/// <summary>
/// Genererates proof for when prover.CompareToKnownValue=true.
/// </summary>
/// <param name="prover"></param>
private void CreateProofForKnownValue(ProverInequalityProofParameters prover)
{
// Pedersen Commitment to a random value a
// A = g^a h^r
FieldZqElement a = prover.FieldZq.GetRandomElement(true);
FieldZqElement r = prover.FieldZq.GetRandomElement(true);
PedersenCommitment openA = new PedersenCommitment(prover.G, prover.H, a, r, prover.Group);
// B = g^(x-value)a
DLRepOfGroupElement openB = new DLRepOfGroupElement(
new GroupElement[1] {
prover.G
},
new FieldZqElement[1] {
(prover.CommitmentX.CommittedValue - prover.Value) * a
},
prover.Group
);
// C = (Xg^{-value})^a h^{-ya} = B
PedersenCommitment openC = new PedersenCommitment(
prover.CommitmentX.Value * prover.G.Exponentiate(prover.Value.Negate()),
prover.H,
a,
a.Negate() * prover.CommitmentX.Opening,
prover.Group
);
// Create DL equations
DLRepOfGroupElement[] equations = new DLRepOfGroupElement[]
{
prover.CommitmentX,
openA,
openB,
openC
};
// generate proof
EqualityMap map = this.GetEqualityMap();
ProverEqualityParameters eqProver = new ProverEqualityParameters(equations, map, prover);
this.Proof = new EqualityProof(eqProver);
this.A = openA.Value;
this.B = openB.Value;
}
/// <summary>
/// Generates proof for when prover.CompareToKnownValue=false.
/// Computes X/Y and generates proof for showing the committed value
/// in X/Y is not equal to 0.
/// </summary>
/// <param name="prover">Prover parameters for comparing CommitmentX to CommitmentY</param>
private void CreateProofForUnknownValue(ProverInequalityProofParameters prover)
{
// Compute Pedersen Commitment X/Y
PedersenCommitment newOpenX = new PedersenCommitment(
new GroupElement[2] {
prover.G, prover.H
},
new FieldZqElement[2] {
prover.CommitmentX.CommittedValue - prover.CommitmentY.CommittedValue, prover.CommitmentX.Opening - prover.CommitmentY.Opening
},
prover.Group);
// new prover parameters
ProverInequalityProofParameters newProver = new ProverInequalityProofParameters(newOpenX, prover.FieldZq.Zero, prover);
// generate proof
this.CreateProofForKnownValue(newProver);
}
/// <summary>
/// Generates a proof that two attribute values are different, without revealing them.
/// </summary>
/// <param name="prover1">Equality proof parameters for the first token.</param>
/// <param name="prover2">Equality proof parameters for the second token.</param>
/// <returns>An inequality proof.</returns>
public static InequalityProof GenerateUProveInequalityProof(EQProofUProveProverData prover1, EQProofUProveProverData prover2)
{
if (!prover1.PPPP.IP.Gq.Equals(prover2.PPPP.IP.Gq))
{
throw new ArgumentException("both provers must share the same group");
}
// Create PedersenCommitments
int commitmentIndex1 = ClosedPedersenCommitment.GetCommitmentIndex(prover1.PPPP.Committed, prover1.index);
PedersenCommitment ped1 = new PedersenCommitment(prover1.PPPP, prover1.PP, prover1.CPV, commitmentIndex1);
int commitmentIndex2 = ClosedPedersenCommitment.GetCommitmentIndex(prover2.PPPP.Committed, prover2.index);
PedersenCommitment ped2 = new PedersenCommitment(prover2.PPPP, prover2.PP, prover2.CPV, commitmentIndex2);
// Create EqualityProof
CryptoParameters crypto = new CryptoParameters(prover1.PPPP.IP); // Can use prover2.IP
ProverInequalityProofParameters inequalityProver = new ProverInequalityProofParameters(ped1, ped2, crypto); // compares committed values in ped1 and ped2
return(new InequalityProof(inequalityProver));
}
/// <summary>
/// Creates an inequality proof using prover parameters.
/// Throws an ArgumentException if prover parameters are invalid.
/// </summary>
/// <param name="prover">Prover parameters</param>
private void ConstructorHelper(ProverInequalityProofParameters prover)
{
if (!prover.Verify())
{
throw new ArgumentException("Invalid prover inequality proof parameters.");
}
this.Group = prover.Group;
this.IsGroupSerializable = true;
if (prover.CompareToKnownValue == true)
{
CreateProofForKnownValue(prover);
}
else
{
CreateProofForUnknownValue(prover);
}
this.Proof.IsGroupSerializable = false;
}
/// <summary>
/// Constructor. Creates an inequality proof that an attribute in one token is not equal to an attribute in another token.
/// </summary>
/// <param name="prover1">Token.</param>
/// <param name="attributeIndexForProver1">Target attribute in first token, uses 1-based index.</param>
/// <param name="prover2">Token</param>
/// <param name="attributeIndexForProver2">Target attribute in second token, uses 1-based index</param>
/// <returns>Proof of inequality.</returns>
public InequalityProof(
ProverPresentationProtocolParameters prover1,
int attributeIndexForProver1,
ProverPresentationProtocolParameters prover2,
int attributeIndexForProver2)
{
// generate Pedersen Commitments to attributes
ProverPresentationProtocolParameters[] provers = new ProverPresentationProtocolParameters[] { prover1, prover2 };
int [] attributeIndices = new int[] { attributeIndexForProver1, attributeIndexForProver2 };
PedersenCommitment[] attributeCommitments = PedersenCommitment.PedersenCommmitmentsToAttributes(provers, attributeIndices);
// create inequality proof using Pedersen Commitmetns
ProverInequalityProofParameters ieqProver = new ProverInequalityProofParameters(attributeCommitments[0], attributeCommitments[1], new CryptoParameters(prover1.IP));
ConstructorHelper(ieqProver);
// add UProve Integration proof
this.UPIProof = new UProveIntegrationProof(provers, attributeIndices, attributeCommitments);
this.UPIProof.IsGroupSerializable = false;
}
/// <summary>
/// Creates an inequality proof using prover parameters.
/// Throws an ArgumentException if prover parameters are invalid.
/// </summary>
/// <param name="prover">Prover parameters</param>
public InequalityProof(ProverInequalityProofParameters prover)
{
ConstructorHelper(prover);
}
