MSVC

[novacoin.git] / src / zerocoin / Commitment.cpp

/**
 * @file       Commitment.cpp
 *
 * @brief      Commitment and CommitmentProof classes for the Zerocoin library.
 *
 * @author     Ian Miers, Christina Garman and Matthew Green
 * @date       June 2013
 *
 * @copyright  Copyright 2013 Ian Miers, Christina Garman and Matthew Green
 * @license    This project is released under the MIT license.
 **/

#include <stdlib.h>
#include "Zerocoin.h"

namespace libzerocoin {

//Commitment class
Commitment::Commitment(const IntegerGroupParams* p,
                                   const Bignum& value): params(p), contents(value) {
        this->randomness = Bignum::randBignum(params->groupOrder);
        this->commitmentValue = (params->g.pow_mod(this->contents, params->modulus).mul_mod(
                                 params->h.pow_mod(this->randomness, params->modulus), params->modulus));
}

const Bignum& Commitment::getCommitmentValue() const {
        return this->commitmentValue;
}

const Bignum& Commitment::getRandomness() const {
        return this->randomness;
}

const Bignum& Commitment::getContents() const {
        return this->contents;
}

//CommitmentProofOfKnowledge class
CommitmentProofOfKnowledge::CommitmentProofOfKnowledge(const IntegerGroupParams* ap, const IntegerGroupParams* bp): ap(ap), bp(bp) {}

// TODO: get parameters from the commitment group
CommitmentProofOfKnowledge::CommitmentProofOfKnowledge(const IntegerGroupParams* aParams,
        const IntegerGroupParams* bParams, const Commitment& a, const Commitment& b):
        ap(aParams),bp(bParams)
{
        Bignum r1, r2, r3;

        // First: make sure that the two commitments have the
        // same contents.
        if (a.getContents() != b.getContents()) {
                throw std::invalid_argument("Both commitments must contain the same value");
        }

        // Select three random values "r1, r2, r3" in the range 0 to (2^l)-1 where l is:
        // length of challenge value + max(modulus 1, modulus 2, order 1, order 2) + margin.
        // We set "margin" to be a relatively generous  security parameter.
        //
        // We choose these large values to ensure statistical zero knowledge.
        uint32_t randomSize = COMMITMENT_EQUALITY_CHALLENGE_SIZE + COMMITMENT_EQUALITY_SECMARGIN +
                              std::max(std::max(this->ap->modulus.bitSize(), this->bp->modulus.bitSize()),
                                       std::max(this->ap->groupOrder.bitSize(), this->bp->groupOrder.bitSize()));
        Bignum maxRange = (Bignum(2).pow(randomSize) - Bignum(1));

        r1 = Bignum::randBignum(maxRange);
        r2 = Bignum::randBignum(maxRange);
        r3 = Bignum::randBignum(maxRange);

        // Generate two random, ephemeral commitments "T1, T2"
        // of the form:
        // T1 = g1^r1 * h1^r2 mod p1
        // T2 = g2^r1 * h2^r3 mod p2
        //
        // Where (g1, h1, p1) are from "aParams" and (g2, h2, p2) are from "bParams".
        Bignum T1 = this->ap->g.pow_mod(r1, this->ap->modulus).mul_mod((this->ap->h.pow_mod(r2, this->ap->modulus)), this->ap->modulus);
        Bignum T2 = this->bp->g.pow_mod(r1, this->bp->modulus).mul_mod((this->bp->h.pow_mod(r3, this->bp->modulus)), this->bp->modulus);

        // Now hash commitment "A" with commitment "B" as well as the
        // parameters and the two ephemeral commitments "T1, T2" we just generated
        this->challenge = calculateChallenge(a.getCommitmentValue(), b.getCommitmentValue(), T1, T2);

        // Let "m" be the contents of the commitments "A, B". We have:
        // A =  g1^m  * h1^x  mod p1
        // B =  g2^m  * h2^y  mod p2
        // T1 = g1^r1 * h1^r2 mod p1
        // T2 = g2^r1 * h2^r3 mod p2
        //
        // Now compute:
        //  S1 = r1 + (m * challenge)   -- note, not modular arithmetic
        //  S2 = r2 + (x * challenge)   -- note, not modular arithmetic
        //  S3 = r3 + (y * challenge)   -- note, not modular arithmetic
        this->S1 = r1 + (a.getContents() * this->challenge);
        this->S2 = r2 + (a.getRandomness() * this->challenge);
        this->S3 = r3 + (b.getRandomness() * this->challenge);

        // We're done. The proof is S1, S2, S3 and "challenge", all of which
        // are stored in member variables.
}

bool CommitmentProofOfKnowledge::Verify(const Bignum& A, const Bignum& B) const
{
        // Compute the maximum range of S1, S2, S3 and verify that the given values are
        // in a correct range. This might be an unnecessary check.
        uint32_t maxSize = 64 * (COMMITMENT_EQUALITY_CHALLENGE_SIZE + COMMITMENT_EQUALITY_SECMARGIN +
                                 std::max(std::max(this->ap->modulus.bitSize(), this->bp->modulus.bitSize()),
                                          std::max(this->ap->groupOrder.bitSize(), this->bp->groupOrder.bitSize())));

        if ((uint32_t)this->S1.bitSize() > maxSize ||
                (uint32_t)this->S2.bitSize() > maxSize ||
                (uint32_t)this->S3.bitSize() > maxSize ||
                this->S1 < Bignum(0) ||
                this->S2 < Bignum(0) ||
                this->S3 < Bignum(0) ||
                this->challenge < Bignum(0) ||
                this->challenge > (Bignum(2).pow(COMMITMENT_EQUALITY_CHALLENGE_SIZE) - Bignum(1))) {
                // Invalid inputs. Reject.
                return false;
        }

        // Compute T1 = g1^S1 * h1^S2 * inverse(A^{challenge}) mod p1
        Bignum T1 = A.pow_mod(this->challenge, ap->modulus).inverse(ap->modulus).mul_mod(
                        (ap->g.pow_mod(S1, ap->modulus).mul_mod(ap->h.pow_mod(S2, ap->modulus), ap->modulus)),
                        ap->modulus);

        // Compute T2 = g2^S1 * h2^S3 * inverse(B^{challenge}) mod p2
        Bignum T2 = B.pow_mod(this->challenge, bp->modulus).inverse(bp->modulus).mul_mod(
                        (bp->g.pow_mod(S1, bp->modulus).mul_mod(bp->h.pow_mod(S3, bp->modulus), bp->modulus)),
                        bp->modulus);

        // Hash T1 and T2 along with all of the public parameters
        Bignum computedChallenge = calculateChallenge(A, B, T1, T2);

        // Return success if the computed challenge matches the incoming challenge
        if(computedChallenge == this->challenge) {
                return true;
        }

        // Otherwise return failure
        return false;
}

const Bignum CommitmentProofOfKnowledge::calculateChallenge(const Bignum& a, const Bignum& b, const Bignum &commitOne, const Bignum &commitTwo) const {
        CHashWriter hasher(0,0);

        // Hash together the following elements:
        // * A string identifying the proof
        // * Commitment A
        // * Commitment B
        // * Ephemeral commitment T1
        // * Ephemeral commitment T2
        // * A serialized instance of the commitment A parameters
        // * A serialized instance of the commitment B parameters

        hasher << std::string(ZEROCOIN_COMMITMENT_EQUALITY_PROOF);
        hasher << commitOne;
        hasher << std::string("||");
        hasher << commitTwo;
        hasher << std::string("||");
        hasher << a;
        hasher << std::string("||");
        hasher << b;
        hasher << std::string("||");
        hasher << *(this->ap);
        hasher << std::string("||");
        hasher << *(this->bp);

        // Convert the SHA256 result into a Bignum
        // Note that if we ever change the size of the hash function we will have
        // to update COMMITMENT_EQUALITY_CHALLENGE_SIZE appropriately!
        return Bignum(hasher.GetHash());
}

} /* namespace libzerocoin */