--- /dev/null
+/**
+* @file Params.h
+*
+* @brief Parameter classes for Zerocoin.
+*
+* @author Ian Miers, Christina Garman and Matthew Green
+* @date June 2013
+*
+* @copyright Copyright 2013 Ian Miers, Christina Garman and Matthew Green
+* @license This project is released under the MIT license.
+**/
+#ifndef PARAMS_H_
+#define PARAMS_H_
+
+namespace libzerocoin {
+
+class IntegerGroupParams {
+public:
+ /** @brief Integer group class, default constructor
+ *
+ * Allocates an empty (uninitialized) set of parameters.
+ **/
+ IntegerGroupParams();
+
+ /**
+ * Generates a random group element
+ * @return a random element in the group.
+ */
+ Bignum randomElement() const;
+ bool initialized;
+
+ /**
+ * A generator for the group.
+ */
+ Bignum g;
+
+ /**
+ * A second generator for the group.
+ * Note log_g(h) and log_h(g) must
+ * be unknown.
+ */
+ Bignum h;
+
+ /**
+ * The modulus for the group.
+ */
+ Bignum modulus;
+
+ /**
+ * The order of the group
+ */
+ Bignum groupOrder;
+
+ IMPLEMENT_SERIALIZE
+ (
+ READWRITE(initialized);
+ READWRITE(g);
+ READWRITE(h);
+ READWRITE(modulus);
+ READWRITE(groupOrder);
+ )
+};
+
+class AccumulatorAndProofParams {
+public:
+ /** @brief Construct a set of Zerocoin parameters from a modulus "N".
+ * @param N A trusted RSA modulus
+ * @param securityLevel A security level expressed in symmetric bits (default 80)
+ *
+ * Allocates and derives a set of Zerocoin parameters from
+ * a trustworthy RSA modulus "N". This routine calculates all
+ * of the remaining parameters (group descriptions etc.) from N
+ * using a verifiable, deterministic procedure.
+ *
+ * Note: this constructor makes the fundamental assumption that "N"
+ * encodes a valid RSA-style modulus of the form "e1 * e2" where
+ * "e1" and "e2" are safe primes. The factors "e1", "e2" MUST NOT
+ * be known to any party, or the security of Zerocoin is
+ * compromised. The integer "N" must be a MINIMUM of 1024
+ * in length. 3072 bits is strongly recommended.
+ **/
+ AccumulatorAndProofParams();
+
+ //AccumulatorAndProofParams(Bignum accumulatorModulus);
+
+ bool initialized;
+
+ /**
+ * Modulus used for the accumulator.
+ * Product of two safe primes who's factorization is unknown.
+ */
+ Bignum accumulatorModulus;
+
+ /**
+ * The initial value for the accumulator
+ * A random Quadratic residue mod n thats not 1
+ */
+ Bignum accumulatorBase;
+
+ /**
+ * Lower bound on the value for committed coin.
+ * Required by the accumulator proof.
+ */
+ Bignum minCoinValue;
+
+ /**
+ * Upper bound on the value for a comitted coin.
+ * Required by the accumulator proof.
+ */
+ Bignum maxCoinValue;
+
+ /**
+ * The second of two groups used to form a commitment to
+ * a coin (which it self is a commitment to a serial number).
+ * This one differs from serialNumberSokCommitment due to
+ * restrictions from Camenisch and Lysyanskaya's paper.
+ */
+ IntegerGroupParams accumulatorPoKCommitmentGroup;
+
+ /**
+ * Hidden order quadratic residue group mod N.
+ * Used in the accumulator proof.
+ */
+ IntegerGroupParams accumulatorQRNCommitmentGroup;
+
+ /**
+ * Security parameter.
+ * Bit length of the challenges used in the accumulator proof.
+ */
+ uint32_t k_prime;
+
+ /**
+ * Security parameter.
+ * The statistical zero-knowledgeness of the accumulator proof.
+ */
+ uint32_t k_dprime;
+
+ IMPLEMENT_SERIALIZE
+ (
+ READWRITE(initialized);
+ READWRITE(accumulatorModulus);
+ READWRITE(accumulatorBase);
+ READWRITE(accumulatorPoKCommitmentGroup);
+ READWRITE(accumulatorQRNCommitmentGroup);
+ READWRITE(minCoinValue);
+ READWRITE(maxCoinValue);
+ READWRITE(k_prime);
+ READWRITE(k_dprime);
+ )
+};
+
+class Params {
+public:
+ /** @brief Construct a set of Zerocoin parameters from a modulus "N".
+ * @param N A trusted RSA modulus
+ * @param securityLevel A security level expressed in symmetric bits (default 80)
+ *
+ * Allocates and derives a set of Zerocoin parameters from
+ * a trustworthy RSA modulus "N". This routine calculates all
+ * of the remaining parameters (group descriptions etc.) from N
+ * using a verifiable, deterministic procedure.
+ *
+ * Note: this constructor makes the fundamental assumption that "N"
+ * encodes a valid RSA-style modulus of the form "e1 * e2" where
+ * "e1" and "e2" are safe primes. The factors "e1", "e2" MUST NOT
+ * be known to any party, or the security of Zerocoin is
+ * compromised. The integer "N" must be a MINIMUM of 1024
+ * in length. 3072 bits is strongly recommended.
+ **/
+ Params(Bignum accumulatorModulus,
+ uint32_t securityLevel = ZEROCOIN_DEFAULT_SECURITYLEVEL);
+
+ bool initialized;
+
+ AccumulatorAndProofParams accumulatorParams;
+
+ /**
+ * The Quadratic Residue group from which we form
+ * a coin as a commitment to a serial number.
+ */
+ IntegerGroupParams coinCommitmentGroup;
+
+ /**
+ * One of two groups used to form a commitment to
+ * a coin (which it self is a commitment to a serial number).
+ * This is the one used in the serial number poof.
+ * It's order must be equal to the modulus of coinCommitmentGroup.
+ */
+ IntegerGroupParams serialNumberSoKCommitmentGroup;
+
+ /**
+ * The number of iterations to use in the serial
+ * number proof.
+ */
+ uint32_t zkp_iterations;
+
+ /**
+ * The amount of the hash function we use for
+ * proofs.
+ */
+ uint32_t zkp_hash_len;
+
+ IMPLEMENT_SERIALIZE
+ (
+ READWRITE(initialized);
+ READWRITE(accumulatorParams);
+ READWRITE(coinCommitmentGroup);
+ READWRITE(serialNumberSoKCommitmentGroup);
+ READWRITE(zkp_iterations);
+ READWRITE(zkp_hash_len);
+ )
+};
+
+} /* namespace libzerocoin */
+
+#endif /* PARAMS_H_ */
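Review bot: The `IMPLEMENT_SERIALIZE` blocks in `IntegerGroupParams`, `AccumulatorAndProofParams` and `Params` read `initialized` from the stream alongside `g`, `h`, `modulus` and `groupOrder`, so a deserialized object can report itself as initialized while holding values that were never derived from N. The field comments state real security requirements (log_g(h) and log_h(g) unknown, an accumulator modulus of unknown factorization, the SoK group's order equal to the `coinCommitmentGroup` modulus), and nothing in this header checks them on read; the constructors are defined outside this hunk, so any validation there is not visible. If these objects can ever be loaded from a source that is not trusted, consider not serializing the flag and re-deriving or validating the groups after reading. At minimum, state the assumption above each block, e.g. `// Deserialized parameters are NOT validated; load only from a trusted source or re-derive from N.` Separately, the doc comment on `AccumulatorAndProofParams()` appears to be copied from `Params(...)`: it documents `@param N` and `@param securityLevel`, which the default constructor does not take.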