4 * @brief Parameter classes for Zerocoin.
6 * @author Ian Miers, Christina Garman and Matthew Green
9 * @copyright Copyright 2013 Ian Miers, Christina Garman and Matthew Green
10 * @license This project is released under the MIT license.
15 namespace libzerocoin {
17 class IntegerGroupParams {
19 /** @brief Integer group class, default constructor
21 * Allocates an empty (uninitialized) set of parameters.
26 * Generates a random group element
27 * @return a random element in the group.
29 Bignum randomElement() const;
33 * A generator for the group.
38 * A second generator for the group.
39 * Note log_g(h) and log_h(g) must
45 * The modulus for the group.
50 * The order of the group
56 READWRITE(initialized);
60 READWRITE(groupOrder);
64 class AccumulatorAndProofParams {
66 /** @brief Construct a set of Zerocoin parameters from a modulus "N".
67 * @param N A trusted RSA modulus
68 * @param securityLevel A security level expressed in symmetric bits (default 80)
70 * Allocates and derives a set of Zerocoin parameters from
71 * a trustworthy RSA modulus "N". This routine calculates all
72 * of the remaining parameters (group descriptions etc.) from N
73 * using a verifiable, deterministic procedure.
75 * Note: this constructor makes the fundamental assumption that "N"
76 * encodes a valid RSA-style modulus of the form "e1 * e2" where
77 * "e1" and "e2" are safe primes. The factors "e1", "e2" MUST NOT
78 * be known to any party, or the security of Zerocoin is
79 * compromised. The integer "N" must be a MINIMUM of 1024 bits
80 * in length. 3072 bits is strongly recommended.
82 AccumulatorAndProofParams();
84 //AccumulatorAndProofParams(Bignum accumulatorModulus);
89 * Modulus used for the accumulator.
90 * Product of two safe primes whose factorization is unknown.
92 Bignum accumulatorModulus;
95 * The initial value for the accumulator
96 * A random quadratic residue mod n that is not 1.
98 Bignum accumulatorBase;
101 * Lower bound on the value for committed coin.
102 * Required by the accumulator proof.
107 * Upper bound on the value for a committed coin.
108 * Required by the accumulator proof.
113 * The second of two groups used to form a commitment to
114 * a coin (which itself is a commitment to a serial number).
115 * This one differs from serialNumberSokCommitment due to
116 * restrictions from Camenisch and Lysyanskaya's paper.
118 IntegerGroupParams accumulatorPoKCommitmentGroup;
121 * Hidden-order quadratic residue group mod N.
122 * Used in the accumulator proof.
124 IntegerGroupParams accumulatorQRNCommitmentGroup;
127 * Security parameter.
128 * Bit length of the challenges used in the accumulator proof.
133 * Security parameter.
134 * The statistical zero-knowledgeness of the accumulator proof.
140 READWRITE(initialized);
141 READWRITE(accumulatorModulus);
142 READWRITE(accumulatorBase);
143 READWRITE(accumulatorPoKCommitmentGroup);
144 READWRITE(accumulatorQRNCommitmentGroup);
145 READWRITE(minCoinValue);
146 READWRITE(maxCoinValue);
154 /** @brief Construct a set of Zerocoin parameters from a modulus "N".
155 * @param N A trusted RSA modulus (the `accumulatorModulus` argument)
156 * @param securityLevel A security level expressed in symmetric bits (default 80)
158 * Allocates and derives a set of Zerocoin parameters from
159 * a trustworthy RSA modulus "N". This routine calculates all
160 * of the remaining parameters (group descriptions etc.) from N
161 * using a verifiable, deterministic procedure.
163 * Note: this constructor makes the fundamental assumption that "N"
164 * encodes a valid RSA-style modulus of the form "e1 * e2" where
165 * "e1" and "e2" are safe primes. The factors "e1", "e2" MUST NOT
166 * be known to any party, or the security of Zerocoin is
167 * compromised. The integer "N" must be a MINIMUM of 1024 bits
168 * in length. 3072 bits is strongly recommended.
170 Params(Bignum accumulatorModulus,
171 uint32_t securityLevel = ZEROCOIN_DEFAULT_SECURITYLEVEL);
175 AccumulatorAndProofParams accumulatorParams;
178 * The Quadratic Residue group from which we form
179 * a coin as a commitment to a serial number.
181 IntegerGroupParams coinCommitmentGroup;
184 * One of two groups used to form a commitment to
185 * a coin (which itself is a commitment to a serial number).
186 * This is the one used in the serial number proof.
187 * Its order must be equal to the modulus of coinCommitmentGroup.
189 IntegerGroupParams serialNumberSoKCommitmentGroup;
192 * The number of iterations to use in the serial
195 uint32_t zkp_iterations;
198 * The amount of the hash function we use for
201 uint32_t zkp_hash_len;
205 READWRITE(initialized);
206 READWRITE(accumulatorParams);
207 READWRITE(coinCommitmentGroup);
208 READWRITE(serialNumberSoKCommitmentGroup);
209 READWRITE(zkp_iterations);
210 READWRITE(zkp_hash_len);
214 } /* namespace libzerocoin */
216 #endif /* PARAMS_H_ */