/// <summary>
/// Computes the challenge used by the verifier to check the proof.
/// </summary>
/// <param name="verifier">Verifier parameters</param>
/// <returns></returns>
private FieldZqElement ComputeChallenge(VerifierEqualityParameters verifier)
{
HashFunction hash = new HashFunction(verifier.HashFunctionName);
hash.Hash(verifier.HashDigest);
hash.Hash(this.b);
return(verifier.FieldZq.GetElementFromDigest(hash.Digest));
}
/// <summary>
/// Verifies this proof for when verifier.CompareToKnownValue=true.
/// </summary>
/// <param name="verifier">Verifier parameters</param>
/// <returns></returns>
private bool VerifyProofForKnownValue(VerifierInequalityProofParameters verifier)
{
// B must not be 1.
if (this.B == verifier.Group.Identity)
{
return(false);
}
// Reconstruct DL equations from proof and verifier parameters
ClosedPedersenCommitment closedX = new ClosedPedersenCommitment(
new GroupElement[2] {
verifier.G, verifier.H
},
verifier.ClosedCommitmentX,
verifier.Group);
ClosedPedersenCommitment closedA = new ClosedPedersenCommitment(
new GroupElement[2] {
verifier.G, verifier.H
},
this.A,
verifier.Group);
ClosedDLRepOfGroupElement closedB = new ClosedDLRepOfGroupElement(
new GroupElement[1] {
verifier.G
},
this.B,
verifier.Group);
ClosedPedersenCommitment closedC = new ClosedPedersenCommitment(
new GroupElement[2] {
closedX.Value *verifier.G.Exponentiate(verifier.Value.Negate()), verifier.H
},
this.B,
verifier.Group);
ClosedDLRepOfGroupElement[] equations = new ClosedDLRepOfGroupElement[]
{
closedX,
closedA,
closedB,
closedC
};
// verify the proof
EqualityMap map = this.GetEqualityMap();
VerifierEqualityParameters eqVerifier = new VerifierEqualityParameters(equations, map, verifier);
if (!this.Proof.Verify(eqVerifier))
{
return(false);
}
return(true);
}
/// <summary>
/// Verifies a proof that two tokens share an attribute value, without revealing it.
/// </summary>
/// <param name="verifier1">Equality proof parameters for the first token.</param>
/// <param name="verifier2">Equality proof parameters for the second token.</param>
/// <param name="eQProof">The equality proof to verify.</param>
/// <exception cref="InvalidUProveArtifactException">Thrown if the proof is invalid.</exception>
public static void VerifyUProveEqualityProof(EQProofUProveVerifierData verifier1, EQProofUProveVerifierData verifier2, EqualityProof eQProof)
{
int commitmentIndex1 = ClosedPedersenCommitment.GetCommitmentIndex(verifier1.VPPP.Committed, verifier1.index);
int commitmentIndex2 = ClosedPedersenCommitment.GetCommitmentIndex(verifier2.VPPP.Committed, verifier2.index);
ClosedPedersenCommitment closedPed1 = new ClosedPedersenCommitment(verifier1.VPPP.IP, verifier1.PP, commitmentIndex1);
ClosedPedersenCommitment closedPed2 = new ClosedPedersenCommitment(verifier2.VPPP.IP, verifier2.PP, commitmentIndex2);
CryptoParameters crypto = new CryptoParameters(verifier1.VPPP.IP); // Can use prover2.IP
VerifierEqualityParameters equalityVerifier = new VerifierEqualityParameters(closedPed1, 0, closedPed2, 0, crypto);
if (!eQProof.Verify(equalityVerifier))
{
throw new InvalidUProveArtifactException("invalid equality proof");
}
}
/// <summary>
/// Checks that this bit decomposition proof is valid with respect to
/// the given verifier parameters.
/// </summary>
/// <param name="verifier">Verifier parameters.</param>
/// <returns>True if this proof is valid, false otherwise.</returns>
public bool Verify(VerifierBitDecompositionParameters verifier)
{
try
{
// check verifier parameters
if (!verifier.Verify())
{
return(false);
}
// check each set membership proof
VerifierSetMembershipParameters smParameters = new VerifierSetMembershipParameters(verifier);
FieldZqElement[] memberSet = SetOfZeroAndOne(verifier);
for (int committedBitIndex = 0; committedBitIndex < this.bitCommitmentProof.Length; ++committedBitIndex)
{
GroupElement committedBit = verifier.ClosedBitDecomposition(committedBitIndex);
smParameters.setVerifierParameters(committedBit, memberSet);
if (!this.bitCommitmentProof[committedBitIndex].Verify(smParameters))
{
return(false);
}
}
// check the composition proof
GroupElement actualComposedValue = ComposeClosedCommittedBits(verifier.ClosedBitDecomposition(), verifier);
GroupElement[] bases = new GroupElement[2] {
verifier.G, verifier.H
};
VerifierEqualityParameters veParameters = new VerifierEqualityParameters(
new ClosedDLRepOfGroupElement(bases, actualComposedValue, verifier.Group),
0,
new ClosedDLRepOfGroupElement(bases, verifier.ClosedCommitment, verifier.Group),
0,
verifier);
if (!this.compositionProof.Verify(veParameters))
{
return(false);
}
return(true);
}
catch (Exception)
{
return(false);
}
}
/// <summary>
/// Verifies this equality proof given the verifier parameters.
/// </summary>
/// <param name="verifier"></param>
/// <returns></returns>
public bool Verify(VerifierEqualityParameters verifier)
{
try
{
if (!verifier.Verify())
{
return(false);
}
FieldZqElement challenge = ComputeChallenge(verifier);
int unequalWIndex = 0;
for (int statementIndex = 0; statementIndex < verifier.Statements.Length; ++statementIndex)
{
IStatement statement = verifier.Statements[statementIndex];
FieldZqElement[] responses = new FieldZqElement[statement.RepresentationLength];
for (int baseIndex = 0; baseIndex < statement.RepresentationLength; ++baseIndex)
{
DoubleIndex di = new DoubleIndex(statementIndex, baseIndex);
int equalWIndex;
if (verifier.Map.TryRetrieveIntIndex(di, out equalWIndex))
{
responses[baseIndex] = responseEqual[equalWIndex];
}
else
{
responses[baseIndex] = responseUnequal[unequalWIndex];
++unequalWIndex;
}
}
if (!statement.Verify(b[statementIndex], challenge, responses))
{
return(false);
}
}
}
catch (Exception)
{
return(false);
}
return(true);
}
public bool Verify(VerifierPresentationProtocolParameters verifier1, int attributeIndexForVerifier1, VerifierPresentationProtocolParameters verifier2, int attributeIndexForVerifier2)
{
if (!verifier1.IP.Gq.Equals(verifier2.IP.Gq))
{
throw new ArgumentException("both verifiers must share the same group");
}
// Create ClosedUProveTokens
ClosedUProveToken token1 = new ClosedUProveToken(verifier1);
ClosedUProveToken token2 = new ClosedUProveToken(verifier2);
// Verify proof
VerifierEqualityParameters eqVerifier = new VerifierEqualityParameters(
token1,
attributeIndexForVerifier1,
token2,
attributeIndexForVerifier2,
new CryptoParameters(verifier1.IP));
return(this.Verify(eqVerifier));
}
/// <summary>
/// Verifies this proof that the committed values are valid Pedersen Commitments to token attributes.
/// </summary>
/// <param name="verifier">Array of verifier token parameters.</param>
/// <param name="attributeIndices">Target attribute in each token.</param>
/// <param name="committedValues">Array of Pedersen Commitment values.</param>
/// <returns></returns>
public bool Verify(VerifierPresentationProtocolParameters [] verifier, int [] attributeIndices)
{
if ((verifier == null) || (verifier.Length == 0))
{
throw new ArgumentException("First argument should be an array of at least one element.");
}
if (!UProveIntegrationProof.AreTokensCompatible(verifier))
{
throw new ArgumentException("All tokens must use same group.");
}
if ((attributeIndices == null) || (attributeIndices.Length != verifier.Length))
{
throw new ArgumentNullException("Second argument must be an array of the same length as first argument.");
}
if ((this.PedersenCommitmentValues == null) || (this.PedersenCommitmentValues.Length != verifier.Length))
{
throw new ArgumentNullException("Third argument must be an array of the same length as first argument.");
}
EqualityMap map = new EqualityMap();
IStatement[] statements = new IStatement[verifier.Length * 2];
ClosedUProveToken[] tokens = new ClosedUProveToken[verifier.Length];
for (int i = 0; i < tokens.Length; ++i)
{
// create uprove token and add target attribute to map
statements[2 * i] = new ClosedUProveToken(verifier[i]);
map.Add(new PrettyName("token", 2 * i), new DoubleIndex(i, attributeIndices[i]));
// add pedersen commitment to witness list, and add to map
statements[2 * i + 1] = new ClosedPedersenCommitment(verifier[i].IP, this.PedersenCommitmentValues[i]);
map.Add(new PrettyName("token", 2 * i + 1), new DoubleIndex(i, 0));
}
VerifierEqualityParameters eqVerifier = new VerifierEqualityParameters(statements, map, new CryptoParameters(verifier[0].IP));
return(this.TokenCommitmentEqualityProof.Verify(eqVerifier));
}
/// <summary>
/// Verifies the RangeProof. Returns true if it is valid, false otherwise.
/// </summary>
/// <param name="verifier">Verifier parameters.</param>
/// <returns></returns>
public bool Verify(VerifierRangeProofParameters verifier)
{
try
{
// Verify parameters
if (!verifier.Verify())
{
return(false);
}
// verify bit decomposition proofs
if (!VerifyBitDecompositionProofs(verifier, this.A, this.B, ProofBitDecompositionOfA, ProofBitDecompositionOfB))
{
return(false);
}
// verify FullRangeProof
GroupElement[] closedAdivB = ComputeClosedAdivB(verifier, this.A, this.B);
this.D[0] = closedAdivB[0];
ClosedDLRepOfGroupElement[] closedX = ComputeClosedX(verifier, this.X, closedAdivB);
ClosedDLRepOfGroupElement[] closedE = ComputeClosedE(verifier, this.X, this.D, closedAdivB);
ClosedDLRepOfGroupElement[] allClosedDL = CombineAllClosedDLReps(this.D, closedAdivB, closedX, closedE, verifier);
EqualityMap map = ComputeEqualityMap(verifier, A.Length);
VerifierEqualityParameters veParameters = new VerifierEqualityParameters(
allClosedDL,
map,
verifier);
bool success = this.FullRangeProof.Verify(veParameters);
if (!success)
{
return(false);
}
// verify additional proof based on proof type
GroupElement LastD = this.D[this.D.Length - 1];
switch (verifier.RangeProofType)
{
case VerifierRangeProofParameters.ProofType.GREATER_THAN:
ClosedDLRepOfGroupElement gtEquation = new ClosedDLRepOfGroupElement(
new GroupElement[1] {
verifier.H
},
LastD * verifier.G.Exponentiate(verifier.FieldZq.One.Negate()),
verifier.Group);
VerifierEqualityParameters greaterThanVerifier = new VerifierEqualityParameters(
gtEquation,
verifier);
return(StrictlyThanProof.Verify(greaterThanVerifier));
case VerifierRangeProofParameters.ProofType.LESS_THAN:
ClosedDLRepOfGroupElement ltEquation = new ClosedDLRepOfGroupElement(
new GroupElement[1] {
verifier.H
},
LastD * verifier.G,
verifier.Group);
VerifierEqualityParameters lessThanVerifier = new VerifierEqualityParameters(
ltEquation,
verifier);
return(StrictlyThanProof.Verify(lessThanVerifier));
case VerifierRangeProofParameters.ProofType.GREATER_THAN_OR_EQUAL_TO:
VerifierSetMembershipParameters greaterEqualVerifier = new VerifierSetMembershipParameters(
LastD,
new FieldZqElement[] { verifier.FieldZq.Zero, verifier.FieldZq.One },
verifier);
return(this.OrEqualToProof.Verify(greaterEqualVerifier));
case VerifierRangeProofParameters.ProofType.LESS_THAN_OR_EQUAL_TO:
VerifierSetMembershipParameters lessEqualProver = new VerifierSetMembershipParameters(
LastD,
new FieldZqElement[] { verifier.FieldZq.Zero, verifier.FieldZq.One.Negate() },
verifier);
return(this.OrEqualToProof.Verify(lessEqualProver));
}
}
catch (Exception)
{
}
return(false);
}
