meerkat
/
meerkat-java
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Starting to review and refactor mixer

mixer
Tal Moran 2016-11-01 18:03:53 +02:00
parent 63e26fdc16
commit 1baa567d8e
10 changed files with 158 additions and 162 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
mixer/src/main/java/meerkat/mixer/main/BatchHandler.java
View File

@ -5,7 +5,7 @@ import meerkat.crypto.mixnet.MixerOutput;
import meerkat.protobuf.Crypto; import meerkat.protobuf.Crypto;
import meerkat.mixer.necessary.AsyncBulletinBoardClient; import meerkat.mixer.necessary.AsyncBulletinBoardClient;
import meerkat.mixer.necessary.CompleteBatch; import meerkat.mixer.necessary.CompleteBatch;
import meerkat.mixer.verifier.VerifyTable; import meerkat.mixer.proofs.VerifyTable;
import java.util.Arrays; import java.util.Arrays;
import java.util.List; import java.util.List;

176
mixer/src/main/java/meerkat/mixer/prover/ElGamalProofOrganizer.java → mixer/src/main/java/meerkat/mixer/proofs/ECElGamalMixProof.java
View File

@ -1,4 +1,4 @@
package meerkat.mixer.prover; package meerkat.mixer.proofs;
import com.google.protobuf.ByteString; import com.google.protobuf.ByteString;
import com.google.protobuf.InvalidProtocolBufferException; import com.google.protobuf.InvalidProtocolBufferException;
@ -11,9 +11,9 @@ import org.factcenter.qilin.primitives.concrete.ECGroup;
/** /**
* use for organize the input for each ZKP * use for organize the input for each ZKP
* *
* both meerkat.mixer.prover and meerkat.mixer.verifier implantation are using it * both meerkat.mixer.proofs and meerkat.mixer.verifier implementation use it
*/ */
public class ElGamalProofOrganizer { public class ECElGamalMixProof {
private final ECGroup group; private final ECGroup group;
private final ECPoint g; private final ECPoint g;
@ -26,7 +26,7 @@ public class ElGamalProofOrganizer {
* @param g - generator of group * @param g - generator of group
* @param h - h = g ^ SecretKey * @param h - h = g ^ SecretKey
*/ */
public ElGamalProofOrganizer(ECGroup group, ECPoint g, ECPoint h){ public ECElGamalMixProof(ECGroup group, ECPoint g, ECPoint h){
this.group = group; this.group = group;
this.g = g; this.g = g;
this.h = h; this.h = h;
@ -34,20 +34,16 @@ public class ElGamalProofOrganizer {
this.hEncoded = group.encode(h); this.hEncoded = group.encode(h);
} }
public enum OrProofOrder {
first, second, third, fourth
}
public enum TrueCouple { public enum TrueCouple {
left, right, unknown left, right, unknown
} }
/** /**
* can be used by meerkat.mixer.prover only * can be used by meerkat.mixer.proofs only
* *
* call to the meerkat.mixer.main overload with flag = true * call to the meerkat.mixer.main overload with flag = true
*/ */
protected ElGamalProofInput createProofInput(Crypto.RerandomizableEncryptedMessage in1, Crypto.RerandomizableEncryptedMessage in2 protected Statement createProofInput(Crypto.RerandomizableEncryptedMessage in1, Crypto.RerandomizableEncryptedMessage in2
, Crypto.RerandomizableEncryptedMessage out1, Crypto.RerandomizableEncryptedMessage out2 , Crypto.RerandomizableEncryptedMessage out1, Crypto.RerandomizableEncryptedMessage out2
, Crypto.EncryptionRandomness r1, Crypto.EncryptionRandomness r2, boolean switched) throws InvalidProtocolBufferException { , Crypto.EncryptionRandomness r1, Crypto.EncryptionRandomness r2, boolean switched) throws InvalidProtocolBufferException {
@ -60,7 +56,7 @@ public class ElGamalProofOrganizer {
* *
* call to the meerkat.mixer.main overload with flag = false * call to the meerkat.mixer.main overload with flag = false
*/ */
public ElGamalProofInput createProofInput(Crypto.RerandomizableEncryptedMessage in1, Crypto.RerandomizableEncryptedMessage in2 public Statement createProofInput(Crypto.RerandomizableEncryptedMessage in1, Crypto.RerandomizableEncryptedMessage in2
, Crypto.RerandomizableEncryptedMessage out1, Crypto.RerandomizableEncryptedMessage out2) throws InvalidProtocolBufferException { , Crypto.RerandomizableEncryptedMessage out1, Crypto.RerandomizableEncryptedMessage out2) throws InvalidProtocolBufferException {
// flag = false; // flag = false;
@ -71,14 +67,14 @@ public class ElGamalProofOrganizer {
* inner method * inner method
* convert each encrypted message to ElGamalCiphertext * convert each encrypted message to ElGamalCiphertext
* *
* @param flag - true if called by meerkat.mixer.prover ( r1,r2,switched are known) * @param flag - true if called by meerkat.mixer.proofs ( r1,r2,switched are known)
* @return ElGamalProofInput * @return ElGamalProofInput
* @throws InvalidProtocolBufferException - in case that at least one of the encrypted messages isn't * @throws InvalidProtocolBufferException - in case that at least one of the encrypted messages isn't
* ElGamalCiphertext * ElGamalCiphertext
*/ */
private ElGamalProofInput createProofInput(Crypto.RerandomizableEncryptedMessage in1, Crypto.RerandomizableEncryptedMessage in2 private Statement createProofInput(Crypto.RerandomizableEncryptedMessage in1, Crypto.RerandomizableEncryptedMessage in2
, Crypto.RerandomizableEncryptedMessage out1, Crypto.RerandomizableEncryptedMessage out2 , Crypto.RerandomizableEncryptedMessage out1, Crypto.RerandomizableEncryptedMessage out2
, Crypto.EncryptionRandomness r1, Crypto.EncryptionRandomness r2, boolean switched,boolean flag) , Crypto.EncryptionRandomness r1, Crypto.EncryptionRandomness r2, boolean switched, boolean flag)
throws InvalidProtocolBufferException { throws InvalidProtocolBufferException {
//convert RerandomizableEncryptedMessage to ElGamalCiphertext //convert RerandomizableEncryptedMessage to ElGamalCiphertext
@ -88,47 +84,70 @@ public class ElGamalProofOrganizer {
ConcreteCrypto.ElGamalCiphertext out2ElGamal = ECElGamalEncryption.RerandomizableEncryptedMessage2ElGamalCiphertext(out2); ConcreteCrypto.ElGamalCiphertext out2ElGamal = ECElGamalEncryption.RerandomizableEncryptedMessage2ElGamalCiphertext(out2);
if(flag) { if(flag) {
return new ElGamalProofInput(in1ElGamal, in2ElGamal, out1ElGamal, out2ElGamal, r1, r2, switched); return new Statement(in1ElGamal, in2ElGamal, out1ElGamal, out2ElGamal, r1, r2, switched);
}else { }else {
return new ElGamalProofInput(in1ElGamal, in2ElGamal, out1ElGamal, out2ElGamal); return new Statement(in1ElGamal, in2ElGamal, out1ElGamal, out2ElGamal);
} }
} }
/** /**
* can be construct by instance of organizer only by calling createProofInput method (all constructors are private) * Statement to be proved. The statement consists of the four substatements that are ORs of the DLOG equality.
* *
* in construction it use for preparing the input for prove, while avoiding double converting or calculations * This can be constructed only by calling createProofInput method on an instance of ECElGamalMixProof (all constructors are private)
*
* in construction it is used for preparing the input for proving, while avoiding double converting or calculations
* *
* use as a container for 4 OrProofInput. * use as a container for 4 OrProofInput.
*/ */
public class ElGamalProofInput { public class Statement {
private final OrStatement first;
private final OrStatement second;
private final OrStatement third;
private final OrStatement fourth;
private final OrProofInput first;
private final OrProofInput second;
private final OrProofInput third;
private final OrProofInput fourth;
private ECPoint convert2ECPoint(ByteString bs){ public OrStatement getFirst() {
return first;
}
public OrStatement getSecond() {
return second;
}
public OrStatement getThird() {
return third;
}
public OrStatement getFourth() {
return fourth;
}
/**
* Decode from the serialized representation to an {@link ECPoint} object.
* @param bs
* @return
*/
private ECPoint decodeECPoint(ByteString bs){
return group.decode(bs.toByteArray()); return group.decode(bs.toByteArray());
} }
/** /**
* @param flag - true if called by meerkat.mixer.prover ( r1,r2,switched are known) * @param proving - true if called by meerkat.mixer.proofs ( r1,r2,switched are known)
*/ */
private ElGamalProofInput(ConcreteCrypto.ElGamalCiphertext e1, ConcreteCrypto.ElGamalCiphertext e2 private Statement(ConcreteCrypto.ElGamalCiphertext e1, ConcreteCrypto.ElGamalCiphertext e2
, ConcreteCrypto.ElGamalCiphertext e1New, ConcreteCrypto.ElGamalCiphertext e2New , ConcreteCrypto.ElGamalCiphertext e1New, ConcreteCrypto.ElGamalCiphertext e2New
, Crypto.EncryptionRandomness r1, Crypto.EncryptionRandomness r2, boolean switched,boolean flag){ , Crypto.EncryptionRandomness r1, Crypto.EncryptionRandomness r2, boolean switched, boolean proving){
ECPoint e1c1 = convert2ECPoint(e1.getC1()); ECPoint e1c1 = decodeECPoint(e1.getC1());
ECPoint e1c2 = convert2ECPoint(e1.getC2()); ECPoint e1c2 = decodeECPoint(e1.getC2());
ECPoint e2c1 = convert2ECPoint(e2.getC1()); ECPoint e2c1 = decodeECPoint(e2.getC1());
ECPoint e2c2 = convert2ECPoint(e2.getC2()); ECPoint e2c2 = decodeECPoint(e2.getC2());
ECPoint e1Nc1 = convert2ECPoint(e1New.getC1()); ECPoint e1Nc1 = decodeECPoint(e1New.getC1());
ECPoint e1Nc2 = convert2ECPoint(e1New.getC2()); ECPoint e1Nc2 = decodeECPoint(e1New.getC2());
ECPoint e2Nc1 = convert2ECPoint(e2New.getC1()); ECPoint e2Nc1 = decodeECPoint(e2New.getC1());
ECPoint e2Nc2 = convert2ECPoint(e2New.getC2()); ECPoint e2Nc2 = decodeECPoint(e2New.getC2());
ECPoint c1_e1NDive1 = group.add(e1Nc1, group.negate(e1c1)); ECPoint c1_e1NDive1 = group.add(e1Nc1, group.negate(e1c1));
ECPoint c1_e2NDive1 = group.add(e2Nc1, group.negate(e1c1)); ECPoint c1_e2NDive1 = group.add(e2Nc1, group.negate(e1c1));
@ -141,14 +160,12 @@ public class ElGamalProofOrganizer {
ECPoint c2_e2NDive2 = group.add(e2Nc2, group.negate(e2c2)); ECPoint c2_e2NDive2 = group.add(e2Nc2, group.negate(e2c2));
if(!flag){ if(!proving) {
this.first = new OrStatement(c1_e1NDive1,c2_e1NDive1,c1_e1NDive2,c2_e1NDive2);
this.first = new OrProofInput(c1_e1NDive1,c2_e1NDive1,c1_e1NDive2,c2_e1NDive2); this.second = new OrStatement(c1_e1NDive1,c2_e1NDive1,c1_e2NDive1,c2_e2NDive1);
this.second = new OrProofInput(c1_e1NDive1,c2_e1NDive1,c1_e2NDive1,c2_e2NDive1); this.third = new OrStatement(c1_e1NDive2,c2_e1NDive2,c1_e2NDive2,c2_e2NDive2);
this.third = new OrProofInput(c1_e1NDive2,c2_e1NDive2,c1_e2NDive2,c2_e2NDive2); this.fourth = new OrStatement(c1_e2NDive1,c2_e2NDive1,c1_e2NDive2,c2_e2NDive2);
this.fourth = new OrProofInput(c1_e2NDive1,c2_e2NDive1,c1_e2NDive2,c2_e2NDive2); } else {
}else {
byte[] c1_e1NDive1Encoded = group.encode(c1_e1NDive1); byte[] c1_e1NDive1Encoded = group.encode(c1_e1NDive1);
byte[] c1_e2NDive1Encoded = group.encode(c1_e2NDive1); byte[] c1_e2NDive1Encoded = group.encode(c1_e2NDive1);
@ -161,29 +178,29 @@ public class ElGamalProofOrganizer {
if (!switched) { if (!switched) {
this.first = new OrProofInput(c1_e1NDive1, c2_e1NDive1, c1_e1NDive2, c2_e1NDive2 this.first = new OrStatement(c1_e1NDive1, c2_e1NDive1, c1_e1NDive2, c2_e1NDive2
, c1_e1NDive1Encoded, c2_e1NDive1Encoded, c1_e1NDive2Encoded, c2_e1NDive2Encoded , c1_e1NDive1Encoded, c2_e1NDive1Encoded, c1_e1NDive2Encoded, c2_e1NDive2Encoded
, r1, TrueCouple.left); , r1, TrueCouple.left);
this.second = new OrProofInput(c1_e1NDive1, c2_e1NDive1, c1_e2NDive1, c2_e2NDive1 this.second = new OrStatement(c1_e1NDive1, c2_e1NDive1, c1_e2NDive1, c2_e2NDive1
, c1_e1NDive1Encoded, c2_e1NDive1Encoded, c1_e2NDive1Encoded, c2_e2NDive1Encoded , c1_e1NDive1Encoded, c2_e1NDive1Encoded, c1_e2NDive1Encoded, c2_e2NDive1Encoded
, r1, TrueCouple.left); , r1, TrueCouple.left);
this.third = new OrProofInput(c1_e1NDive2, c2_e1NDive2, c1_e2NDive2, c2_e2NDive2 this.third = new OrStatement(c1_e1NDive2, c2_e1NDive2, c1_e2NDive2, c2_e2NDive2
, c1_e1NDive2Encoded, c2_e1NDive2Encoded, c1_e2NDive2Encoded, c2_e2NDive2Encoded , c1_e1NDive2Encoded, c2_e1NDive2Encoded, c1_e2NDive2Encoded, c2_e2NDive2Encoded
, r2, TrueCouple.right); , r2, TrueCouple.right);
this.fourth = new OrProofInput(c1_e2NDive1, c2_e2NDive1, c1_e2NDive2, c2_e2NDive2 this.fourth = new OrStatement(c1_e2NDive1, c2_e2NDive1, c1_e2NDive2, c2_e2NDive2
, c1_e2NDive1Encoded, c2_e2NDive1Encoded, c1_e2NDive2Encoded, c2_e2NDive2Encoded , c1_e2NDive1Encoded, c2_e2NDive1Encoded, c1_e2NDive2Encoded, c2_e2NDive2Encoded
, r2, TrueCouple.right); , r2, TrueCouple.right);
} else { } else {
this.first = new OrProofInput(c1_e1NDive1, c2_e1NDive1, c1_e1NDive2, c2_e1NDive2 this.first = new OrStatement(c1_e1NDive1, c2_e1NDive1, c1_e1NDive2, c2_e1NDive2
, c1_e1NDive1Encoded, c2_e1NDive1Encoded, c1_e1NDive2Encoded, c2_e1NDive2Encoded , c1_e1NDive1Encoded, c2_e1NDive1Encoded, c1_e1NDive2Encoded, c2_e1NDive2Encoded
, r2, TrueCouple.right); , r2, TrueCouple.right);
this.second = new OrProofInput(c1_e1NDive1, c2_e1NDive1, c1_e2NDive1, c2_e2NDive1 this.second = new OrStatement(c1_e1NDive1, c2_e1NDive1, c1_e2NDive1, c2_e2NDive1
, c1_e1NDive1Encoded, c2_e1NDive1Encoded, c1_e2NDive1Encoded, c2_e2NDive1Encoded , c1_e1NDive1Encoded, c2_e1NDive1Encoded, c1_e2NDive1Encoded, c2_e2NDive1Encoded
, r1, TrueCouple.right); , r1, TrueCouple.right);
this.third = new OrProofInput(c1_e1NDive2, c2_e1NDive2, c1_e2NDive2, c2_e2NDive2 this.third = new OrStatement(c1_e1NDive2, c2_e1NDive2, c1_e2NDive2, c2_e2NDive2
, c1_e1NDive2Encoded, c2_e1NDive2Encoded, c1_e2NDive2Encoded, c2_e2NDive2Encoded , c1_e1NDive2Encoded, c2_e1NDive2Encoded, c1_e2NDive2Encoded, c2_e2NDive2Encoded
, r2, TrueCouple.left); , r2, TrueCouple.left);
this.fourth = new OrProofInput(c1_e2NDive1, c2_e2NDive1, c1_e2NDive2, c2_e2NDive2 this.fourth = new OrStatement(c1_e2NDive1, c2_e2NDive1, c1_e2NDive2, c2_e2NDive2
, c1_e2NDive1Encoded, c2_e2NDive1Encoded, c1_e2NDive2Encoded, c2_e2NDive2Encoded , c1_e2NDive1Encoded, c2_e2NDive1Encoded, c1_e2NDive2Encoded, c2_e2NDive2Encoded
, r1, TrueCouple.left); , r1, TrueCouple.left);
} }
@ -192,57 +209,38 @@ public class ElGamalProofOrganizer {
/** /**
* used by the meerkat.mixer.prover * used by the meerkat.mixer.proofs
* call to the meerkat.mixer.main constructor with flag = true * call to the meerkat.mixer.main constructor with proving = true
*/ */
private ElGamalProofInput(ConcreteCrypto.ElGamalCiphertext e1, ConcreteCrypto.ElGamalCiphertext e2 private Statement(ConcreteCrypto.ElGamalCiphertext e1, ConcreteCrypto.ElGamalCiphertext e2
, ConcreteCrypto.ElGamalCiphertext e1New, ConcreteCrypto.ElGamalCiphertext e2New , ConcreteCrypto.ElGamalCiphertext e1New, ConcreteCrypto.ElGamalCiphertext e2New
, Crypto.EncryptionRandomness r1, Crypto.EncryptionRandomness r2, boolean switched){ , Crypto.EncryptionRandomness r1, Crypto.EncryptionRandomness r2, boolean switched){
//flag = true; //proving = true;
this(e1,e2,e1New,e2New,r1,r2,switched,true); this(e1,e2,e1New,e2New,r1,r2,switched,true);
} }
/** /**
* used by meerkat.mixer.prover * used by meerkat.mixer.proofs
* call to the meerkat.mixer.main constructor with flag = true * call to the meerkat.mixer.main constructor with proving = false
*/ */
private ElGamalProofInput(ConcreteCrypto.ElGamalCiphertext e1, ConcreteCrypto.ElGamalCiphertext e2 private Statement(ConcreteCrypto.ElGamalCiphertext e1, ConcreteCrypto.ElGamalCiphertext e2
, ConcreteCrypto.ElGamalCiphertext e1New, ConcreteCrypto.ElGamalCiphertext e2New){ , ConcreteCrypto.ElGamalCiphertext e1New, ConcreteCrypto.ElGamalCiphertext e2New){
//flag = false; //proving = false;
this(e1,e2,e1New,e2New,null,null,false,false); this(e1,e2,e1New,e2New,null,null,false,false);
} }
/**
* getter for all 4 OrProofInputs
*
* @param orProofOrder
* @return the required OrProof
*/
public OrProofInput getOrProofInput(OrProofOrder orProofOrder) {
switch (orProofOrder) {
case first:
return this.first;
case second:
return this.second;
case third:
return this.third;
case fourth:
return this.fourth;
}
return null;
}
} }
/** /**
* can't be constructed (all constructors are private) * The statement of a single disjunction to be proved:
* Either there exists x s.t (g1 ^ x == h1 and g2 ^ x == h2) or there exists x s.t. (g1' ^ x == h1 and g2' ^ x == h2)
* *
* 4 instances will be constructed for each new ElGamalProofInput * The statement can't be constructed externally (all constructors are private)
*
* 4 instances will be constructed for each new {@link ECElGamalMixProof.Statement}
* *
* container for all meerkat.mixer.necessary inputs for single OrProof
*/ */
public class OrProofInput{ public class OrStatement {
public final ECPoint g1; public final ECPoint g1;
public final ECPoint h1; public final ECPoint h1;
public final ECPoint g2; public final ECPoint g2;
@ -252,7 +250,7 @@ public class ElGamalProofOrganizer {
public final ECPoint g2Tag; public final ECPoint g2Tag;
public final ECPoint h2Tag; public final ECPoint h2Tag;
// can be access by meerkat.mixer.prover only // can be access by meerkat.mixer.proofs only
protected final byte[] g1Encoded; protected final byte[] g1Encoded;
protected final byte[] h1Encoded; protected final byte[] h1Encoded;
protected final byte[] g2Encoded; protected final byte[] g2Encoded;
@ -265,10 +263,10 @@ public class ElGamalProofOrganizer {
protected final TrueCouple flag; protected final TrueCouple flag;
/** /**
* used by meerkat.mixer.prover only * used by meerkat.mixer.proofs only
*/ */
private OrProofInput(ECPoint h1, ECPoint h2, ECPoint h1Tag, ECPoint h2Tag private OrStatement(ECPoint h1, ECPoint h2, ECPoint h1Tag, ECPoint h2Tag
,byte[] h1Encoded, byte[] h2Encoded, byte[] h1TagEncoded, byte[] h2TagEncoded , byte[] h1Encoded, byte[] h2Encoded, byte[] h1TagEncoded, byte[] h2TagEncoded
, Crypto.EncryptionRandomness x, TrueCouple flag) { , Crypto.EncryptionRandomness x, TrueCouple flag) {
this.g1 = g; this.g1 = g;
this.h1 = h1; this.h1 = h1;
@ -296,7 +294,7 @@ public class ElGamalProofOrganizer {
/** /**
* used by meerkat.mixer.verifier * used by meerkat.mixer.verifier
*/ */
private OrProofInput(ECPoint h1, ECPoint h2, ECPoint h1Tag, ECPoint h2Tag) { private OrStatement(ECPoint h1, ECPoint h2, ECPoint h1Tag, ECPoint h2Tag) {
this(h1,h2,h1Tag,h2Tag,null,null,null,null,null,TrueCouple.unknown); this(h1,h2,h1Tag,h2Tag,null,null,null,null,null,TrueCouple.unknown);
} }
} }

78
mixer/src/main/java/meerkat/mixer/prover/Prover.java → mixer/src/main/java/meerkat/mixer/proofs/Prover.java
View File

@ -1,4 +1,4 @@
package meerkat.mixer.prover; package meerkat.mixer.proofs;
import com.google.protobuf.ByteString; import com.google.protobuf.ByteString;
import com.google.protobuf.InvalidProtocolBufferException; import com.google.protobuf.InvalidProtocolBufferException;
@ -26,7 +26,7 @@ public class Prover implements Mix2ZeroKnowledgeProver {
private final ECElGamalEncryption encryptor; private final ECElGamalEncryption encryptor;
private final ECPoint g,h; private final ECPoint g,h;
private final BigInteger groupOrderUpperBound; private final BigInteger groupOrderUpperBound;
private final ElGamalProofOrganizer organizer; private final ECElGamalMixProof organizer;
/** /**
* @param rand * @param rand
@ -41,7 +41,7 @@ public class Prover implements Mix2ZeroKnowledgeProver {
this.group = this.encryptor.getGroup(); this.group = this.encryptor.getGroup();
this.g = group.getGenerator(); this.g = group.getGenerator();
this.h = this.encryptor.getElGamalPK().getPK(); this.h = this.encryptor.getElGamalPK().getPK();
this.organizer = new ElGamalProofOrganizer(group,g,h); this.organizer = new ECElGamalMixProof(group,g,h);
this.groupOrderUpperBound = group.orderUpperBound(); this.groupOrderUpperBound = group.orderUpperBound();
} }
@ -68,12 +68,12 @@ public class Prover implements Mix2ZeroKnowledgeProver {
Crypto.EncryptionRandomness r2) throws InvalidProtocolBufferException { Crypto.EncryptionRandomness r2) throws InvalidProtocolBufferException {
Mixing.ZeroKnowledgeProof.OrProof first,second,third,fourth; Mixing.ZeroKnowledgeProof.OrProof first,second,third,fourth;
ElGamalProofOrganizer.ElGamalProofInput input = organizer.createProofInput(in1,in2,out1,out2,r1,r2,sw); ECElGamalMixProof.Statement statement = organizer.createProofInput(in1,in2,out1,out2,r1,r2,sw);
first = createOrProofElGamal(input.getOrProofInput(ElGamalProofOrganizer.OrProofOrder.first)); first = createOrProofElGamal(statement.getFirst());
second = createOrProofElGamal(input.getOrProofInput(ElGamalProofOrganizer.OrProofOrder.second)); second = createOrProofElGamal(statement.getSecond());
third = createOrProofElGamal(input.getOrProofInput(ElGamalProofOrganizer.OrProofOrder.third)); third = createOrProofElGamal(statement.getThird());
fourth = createOrProofElGamal(input.getOrProofInput(ElGamalProofOrganizer.OrProofOrder.fourth)); fourth = createOrProofElGamal(statement.getFourth());
Mixing.ZeroKnowledgeProof.Location location = Mixing.ZeroKnowledgeProof.Location.newBuilder() Mixing.ZeroKnowledgeProof.Location location = Mixing.ZeroKnowledgeProof.Location.newBuilder()
.setI(i) .setI(i)
@ -94,7 +94,7 @@ public class Prover implements Mix2ZeroKnowledgeProver {
/** /**
* FiatShamir heuristic * FiatShamir heuristic
* @param input - protobuf contains all parameters from the first step of the current prove * @param input - protobuf contains all parameters from the first step of the current proof
* @param randomOracle * @param randomOracle
* @return randomOracle.hash(input) * @return randomOracle.hash(input)
*/ */
@ -105,21 +105,21 @@ public class Prover implements Mix2ZeroKnowledgeProver {
/** /**
* @param orProofInput * @param orStatement
* @return ZKP OrProof: there exists x s.t (g1 ^ x == h1 and g2 ^ x == h2) or (g1' ^ x == h1 and g2' ^ x == h2) * @return ZKP OrProof: there exists x s.t (g1 ^ x == h1 and g2 ^ x == h2) or (g1' ^ x == h1 and g2' ^ x == h2)
* assuming DLog is hard in this.group then that proves x is known for the meerkat.mixer.prover * assuming DLog is hard in this.group then that proves x is known for the meerkat.mixer.proofs
*/ */
private Mixing.ZeroKnowledgeProof.OrProof createOrProofElGamal(ElGamalProofOrganizer.OrProofInput orProofInput) { private Mixing.ZeroKnowledgeProof.OrProof createOrProofElGamal(ECElGamalMixProof.OrStatement orStatement) {
ECPoint g1 = orProofInput.g1; ECPoint g1 = orStatement.g1;
ECPoint h1 = orProofInput.h1; ECPoint h1 = orStatement.h1;
ECPoint g2 = orProofInput.g2; ECPoint g2 = orStatement.g2;
ECPoint h2 = orProofInput.h2; ECPoint h2 = orStatement.h2;
ECPoint g1Tag = orProofInput.g1Tag; ECPoint g1Tag = orStatement.g1Tag;
ECPoint h1Tag = orProofInput.h1Tag; ECPoint h1Tag = orStatement.h1Tag;
ECPoint g2Tag = orProofInput.g2Tag; ECPoint g2Tag = orStatement.g2Tag;
ECPoint h2Tag = orProofInput.h2Tag; ECPoint h2Tag = orStatement.h2Tag;
BigInteger r = encryptor.extractRandomness(encryptor.generateRandomness(rand)).mod(groupOrderUpperBound); BigInteger r = encryptor.extractRandomness(encryptor.generateRandomness(rand)).mod(groupOrderUpperBound);
BigInteger c1,c2,z,zTag; BigInteger c1,c2,z,zTag;
@ -127,7 +127,7 @@ public class Prover implements Mix2ZeroKnowledgeProver {
Mixing.ZeroKnowledgeProof.OrProof.ForRandomOracle forRandomOracle; Mixing.ZeroKnowledgeProof.OrProof.ForRandomOracle forRandomOracle;
switch (orProofInput.flag) { switch (orStatement.flag) {
case left: case left:
c2 = encryptor.extractRandomness(encryptor.generateRandomness(rand)).mod(groupOrderUpperBound); c2 = encryptor.extractRandomness(encryptor.generateRandomness(rand)).mod(groupOrderUpperBound);
zTag = encryptor.extractRandomness(encryptor.generateRandomness(rand)).mod(groupOrderUpperBound); zTag = encryptor.extractRandomness(encryptor.generateRandomness(rand)).mod(groupOrderUpperBound);
@ -140,14 +140,14 @@ public class Prover implements Mix2ZeroKnowledgeProver {
// c1 = (hash(input + step1) + group size - c2)% group size // c1 = (hash(input + step1) + group size - c2)% group size
forRandomOracle = forRandomOracle =
Mixing.ZeroKnowledgeProof.OrProof.ForRandomOracle.newBuilder() Mixing.ZeroKnowledgeProof.OrProof.ForRandomOracle.newBuilder()
.setG1(ByteString.copyFrom(orProofInput.g1Encoded)) .setG1(ByteString.copyFrom(orStatement.g1Encoded))
.setH1(ByteString.copyFrom(orProofInput.h1Encoded)) .setH1(ByteString.copyFrom(orStatement.h1Encoded))
.setG2(ByteString.copyFrom(orProofInput.g2Encoded)) .setG2(ByteString.copyFrom(orStatement.g2Encoded))
.setH2(ByteString.copyFrom(orProofInput.h2Encoded)) .setH2(ByteString.copyFrom(orStatement.h2Encoded))
.setG1Tag(ByteString.copyFrom(orProofInput.g1TagEncoded)) .setG1Tag(ByteString.copyFrom(orStatement.g1TagEncoded))
.setH1Tag(ByteString.copyFrom(orProofInput.h1TagEncoded)) .setH1Tag(ByteString.copyFrom(orStatement.h1TagEncoded))
.setG2Tag(ByteString.copyFrom(orProofInput.g2TagEncoded)) .setG2Tag(ByteString.copyFrom(orStatement.g2TagEncoded))
.setH2Tag(ByteString.copyFrom(orProofInput.h2TagEncoded)) .setH2Tag(ByteString.copyFrom(orStatement.h2TagEncoded))
.setU(ByteString.copyFrom(group.encode(u))) .setU(ByteString.copyFrom(group.encode(u)))
.setV(ByteString.copyFrom(group.encode(v))) .setV(ByteString.copyFrom(group.encode(v)))
.setUTag(ByteString.copyFrom(group.encode(uTag))) .setUTag(ByteString.copyFrom(group.encode(uTag)))
@ -156,7 +156,7 @@ public class Prover implements Mix2ZeroKnowledgeProver {
c1 = hash(forRandomOracle,randomOracle).add(group.orderUpperBound().subtract(c2)).mod(groupOrderUpperBound); c1 = hash(forRandomOracle,randomOracle).add(group.orderUpperBound().subtract(c2)).mod(groupOrderUpperBound);
//step 3 //step 3
//z = (r + c1 * x) % group size; //z = (r + c1 * x) % group size;
z = r.add(c1.multiply(encryptor.extractRandomness(orProofInput.x))).mod(groupOrderUpperBound); z = r.add(c1.multiply(encryptor.extractRandomness(orStatement.x))).mod(groupOrderUpperBound);
break; break;
case right: case right:
c1 = encryptor.extractRandomness(encryptor.generateRandomness(rand)).mod(groupOrderUpperBound); c1 = encryptor.extractRandomness(encryptor.generateRandomness(rand)).mod(groupOrderUpperBound);
@ -170,14 +170,14 @@ public class Prover implements Mix2ZeroKnowledgeProver {
// c1 = (hash(input + step1) + group size - c1)% group size // c1 = (hash(input + step1) + group size - c1)% group size
forRandomOracle = forRandomOracle =
Mixing.ZeroKnowledgeProof.OrProof.ForRandomOracle.newBuilder() Mixing.ZeroKnowledgeProof.OrProof.ForRandomOracle.newBuilder()
.setG1(ByteString.copyFrom(orProofInput.g1Encoded)) .setG1(ByteString.copyFrom(orStatement.g1Encoded))
.setH1(ByteString.copyFrom(orProofInput.h1Encoded)) .setH1(ByteString.copyFrom(orStatement.h1Encoded))
.setG2(ByteString.copyFrom(orProofInput.g2Encoded)) .setG2(ByteString.copyFrom(orStatement.g2Encoded))
.setH2(ByteString.copyFrom(orProofInput.h2Encoded)) .setH2(ByteString.copyFrom(orStatement.h2Encoded))
.setG1Tag(ByteString.copyFrom(orProofInput.g1TagEncoded)) .setG1Tag(ByteString.copyFrom(orStatement.g1TagEncoded))
.setH1Tag(ByteString.copyFrom(orProofInput.h1TagEncoded)) .setH1Tag(ByteString.copyFrom(orStatement.h1TagEncoded))
.setG2Tag(ByteString.copyFrom(orProofInput.g2TagEncoded)) .setG2Tag(ByteString.copyFrom(orStatement.g2TagEncoded))
.setH2Tag(ByteString.copyFrom(orProofInput.h2TagEncoded)) .setH2Tag(ByteString.copyFrom(orStatement.h2TagEncoded))
.setU(ByteString.copyFrom(group.encode(u))) .setU(ByteString.copyFrom(group.encode(u)))
.setV(ByteString.copyFrom(group.encode(v))) .setV(ByteString.copyFrom(group.encode(v)))
.setUTag(ByteString.copyFrom(group.encode(uTag))) .setUTag(ByteString.copyFrom(group.encode(uTag)))
@ -186,7 +186,7 @@ public class Prover implements Mix2ZeroKnowledgeProver {
c2 = hash(forRandomOracle,randomOracle).add(group.orderUpperBound().subtract(c1)).mod(groupOrderUpperBound); c2 = hash(forRandomOracle,randomOracle).add(group.orderUpperBound().subtract(c1)).mod(groupOrderUpperBound);
//step 3 //step 3
//zTag = (r + c2 * x) % group size; //zTag = (r + c2 * x) % group size;
zTag = r.add(c2.multiply(encryptor.extractRandomness(orProofInput.x))).mod(groupOrderUpperBound); zTag = r.add(c2.multiply(encryptor.extractRandomness(orStatement.x))).mod(groupOrderUpperBound);
break; break;
default: default:
return null; return null;

42
mixer/src/main/java/meerkat/mixer/verifier/Verifier.java → mixer/src/main/java/meerkat/mixer/proofs/Verifier.java
View File

@ -1,4 +1,4 @@
package meerkat.mixer.verifier; package meerkat.mixer.proofs;
import com.google.protobuf.InvalidProtocolBufferException; import com.google.protobuf.InvalidProtocolBufferException;
import meerkat.crypto.concrete.ECElGamalEncryption; import meerkat.crypto.concrete.ECElGamalEncryption;
@ -6,8 +6,6 @@ import meerkat.crypto.mixnet.Mix2ZeroKnowledgeVerifier;
import meerkat.protobuf.Crypto; import meerkat.protobuf.Crypto;
import meerkat.protobuf.Mixing; import meerkat.protobuf.Mixing;
import org.bouncycastle.math.ec.ECPoint; import org.bouncycastle.math.ec.ECPoint;
import meerkat.mixer.prover.ElGamalProofOrganizer;
import meerkat.mixer.prover.Prover;
import org.factcenter.qilin.primitives.RandomOracle; import org.factcenter.qilin.primitives.RandomOracle;
import org.factcenter.qilin.primitives.concrete.ECGroup; import org.factcenter.qilin.primitives.concrete.ECGroup;
@ -20,20 +18,20 @@ public class Verifier implements Mix2ZeroKnowledgeVerifier {
private final ECGroup group; private final ECGroup group;
private final RandomOracle randomOracle; private final RandomOracle randomOracle;
private final ECPoint g,h; private final ECPoint g,h;
private final ElGamalProofOrganizer organizer; private final ECElGamalMixProof organizer;
private final ZeroKnowledgeOrProofParser parser; private final ZeroKnowledgeOrProofParser parser;
/** /**
* constructor * constructor
* @param encryptor should be as the encryptor used by meerkat.mixer.prover * @param encryptor should be as the encryptor used by meerkat.mixer.proofs
* @param randomOracle should be as the random oracle used by meerkat.mixer.prover * @param randomOracle should be as the random oracle used by meerkat.mixer.proofs
*/ */
public Verifier(ECElGamalEncryption encryptor, RandomOracle randomOracle) { public Verifier(ECElGamalEncryption encryptor, RandomOracle randomOracle) {
this.group = encryptor.getGroup(); this.group = encryptor.getGroup();
this.g = group.getGenerator(); this.g = group.getGenerator();
this.h = encryptor.getElGamalPK().getPK(); this.h = encryptor.getElGamalPK().getPK();
this.randomOracle = randomOracle; this.randomOracle = randomOracle;
this.organizer = new ElGamalProofOrganizer(group,g,h); this.organizer = new ECElGamalMixProof(group,g,h);
this.parser = new ZeroKnowledgeOrProofParser(group); this.parser = new ZeroKnowledgeOrProofParser(group);
} }
@ -54,32 +52,32 @@ public class Verifier implements Mix2ZeroKnowledgeVerifier {
Crypto.RerandomizableEncryptedMessage out1, Crypto.RerandomizableEncryptedMessage out1,
Crypto.RerandomizableEncryptedMessage out2, Crypto.RerandomizableEncryptedMessage out2,
Mixing.ZeroKnowledgeProof proof) throws InvalidProtocolBufferException { Mixing.ZeroKnowledgeProof proof) throws InvalidProtocolBufferException {
ElGamalProofOrganizer.ElGamalProofInput input = organizer.createProofInput(in1,in2,out1,out2); ECElGamalMixProof.Statement statement = organizer.createProofInput(in1,in2,out1,out2);
return verifyElGamaOrProof(input.getOrProofInput(ElGamalProofOrganizer.OrProofOrder.first), proof.getFirst())&& return verifyElGamaOrProof(statement.getFirst(), proof.getFirst())&&
verifyElGamaOrProof(input.getOrProofInput(ElGamalProofOrganizer.OrProofOrder.second), proof.getSecond())&& verifyElGamaOrProof(statement.getSecond(), proof.getSecond())&&
verifyElGamaOrProof(input.getOrProofInput(ElGamalProofOrganizer.OrProofOrder.third), proof.getThird())&& verifyElGamaOrProof(statement.getThird(), proof.getThird())&&
verifyElGamaOrProof(input.getOrProofInput(ElGamalProofOrganizer.OrProofOrder.fourth), proof.getFourth()); verifyElGamaOrProof(statement.getFourth(), proof.getFourth());
} }
/** /**
* *
* @param orProofInput * @param orStatement
* @param orProof * @param orProof
* @return verify single or proof * @return verify single or proof
*/ */
private boolean verifyElGamaOrProof(ElGamalProofOrganizer.OrProofInput orProofInput, private boolean verifyElGamaOrProof(ECElGamalMixProof.OrStatement orStatement,
Mixing.ZeroKnowledgeProof.OrProof orProof) { Mixing.ZeroKnowledgeProof.OrProof orProof) {
ZeroKnowledgeOrProofParser.ZeroKnowledgeOrProofContainer container = parser.parseOrProof(orProof); ZeroKnowledgeOrProofParser.ZeroKnowledgeOrProofContainer container = parser.parseOrProof(orProof);
return container.g1.equals(orProofInput.g1) && return container.g1.equals(orStatement.g1) &&
container.h1.equals(orProofInput.h1) && container.h1.equals(orStatement.h1) &&
container.g2.equals(orProofInput.g2) && container.g2.equals(orStatement.g2) &&
container.h2.equals(orProofInput.h2) && container.h2.equals(orStatement.h2) &&
container.g1Tag.equals(orProofInput.g1Tag) && container.g1Tag.equals(orStatement.g1Tag) &&
container.h1Tag.equals(orProofInput.h1Tag) && container.h1Tag.equals(orStatement.h1Tag) &&
container.g2Tag.equals(orProofInput.g2Tag) && container.g2Tag.equals(orStatement.g2Tag) &&
container.h2Tag.equals(orProofInput.h2Tag) && container.h2Tag.equals(orStatement.h2Tag) &&
container.c1.add(container.c2).mod(group.orderUpperBound()) container.c1.add(container.c2).mod(group.orderUpperBound())
.equals(Prover.hash(container.forRandomOracle,randomOracle).mod(group.orderUpperBound())) && .equals(Prover.hash(container.forRandomOracle,randomOracle).mod(group.orderUpperBound())) &&
group.multiply(container.g1, container.z) group.multiply(container.g1, container.z)

2
mixer/src/main/java/meerkat/mixer/verifier/VerifyTable.java → mixer/src/main/java/meerkat/mixer/proofs/VerifyTable.java
View File

@ -1,4 +1,4 @@
package meerkat.mixer.verifier; package meerkat.mixer.proofs;
import com.google.protobuf.InvalidProtocolBufferException; import com.google.protobuf.InvalidProtocolBufferException;
import meerkat.crypto.mixnet.Mix2ZeroKnowledgeVerifier; import meerkat.crypto.mixnet.Mix2ZeroKnowledgeVerifier;

2
mixer/src/main/java/meerkat/mixer/verifier/ZeroKnowledgeOrProofParser.java → mixer/src/main/java/meerkat/mixer/proofs/ZeroKnowledgeOrProofParser.java
View File

@ -1,4 +1,4 @@
package meerkat.mixer.verifier; package meerkat.mixer.proofs;
import com.google.protobuf.ByteString; import com.google.protobuf.ByteString;
import meerkat.protobuf.Mixing; import meerkat.protobuf.Mixing;

6
mixer/src/test/java/meerkat/mixer/CreateTestVector.java
View File

@ -5,9 +5,9 @@ import meerkat.crypto.mixnet.Mix2ZeroKnowledgeProver;
import meerkat.crypto.mixnet.Mix2ZeroKnowledgeVerifier; import meerkat.crypto.mixnet.Mix2ZeroKnowledgeVerifier;
import meerkat.mixer.mixing.Mixer; import meerkat.mixer.mixing.Mixer;
import meerkat.mixer.mixing.MixerOutput; import meerkat.mixer.mixing.MixerOutput;
import meerkat.mixer.prover.Prover; import meerkat.mixer.proofs.Prover;
import meerkat.mixer.verifier.Verifier; import meerkat.mixer.proofs.Verifier;
import meerkat.mixer.verifier.VerifyTable; import meerkat.mixer.proofs.VerifyTable;
import meerkat.protobuf.Crypto; import meerkat.protobuf.Crypto;
import meerkat.protobuf.Voting; import meerkat.protobuf.Voting;
import org.factcenter.qilin.primitives.RandomOracle; import org.factcenter.qilin.primitives.RandomOracle;

6
mixer/src/test/java/meerkat/mixer/MixingTest.java
View File

@ -8,9 +8,9 @@ import com.google.protobuf.InvalidProtocolBufferException;
import meerkat.crypto.concrete.ECElGamalEncryption; import meerkat.crypto.concrete.ECElGamalEncryption;
import meerkat.crypto.mixnet.Mix2ZeroKnowledgeVerifier; import meerkat.crypto.mixnet.Mix2ZeroKnowledgeVerifier;
import meerkat.mixer.mixing.Mixer; import meerkat.mixer.mixing.Mixer;
import meerkat.mixer.prover.Prover; import meerkat.mixer.proofs.Prover;
import meerkat.mixer.verifier.Verifier; import meerkat.mixer.proofs.Verifier;
import meerkat.mixer.verifier.VerifyTable; import meerkat.mixer.proofs.VerifyTable;
import meerkat.protobuf.Crypto; import meerkat.protobuf.Crypto;
import meerkat.protobuf.Voting; import meerkat.protobuf.Voting;
import org.factcenter.qilin.primitives.RandomOracle; import org.factcenter.qilin.primitives.RandomOracle;

4
mixer/src/test/java/meerkat/mixer/ZeroKnowledgeProofTest.java
View File

@ -5,8 +5,8 @@ import com.google.protobuf.InvalidProtocolBufferException;
import meerkat.crypto.concrete.ECElGamalEncryption; import meerkat.crypto.concrete.ECElGamalEncryption;
import meerkat.crypto.mixnet.Mix2ZeroKnowledgeProver; import meerkat.crypto.mixnet.Mix2ZeroKnowledgeProver;
import meerkat.crypto.mixnet.Mix2ZeroKnowledgeVerifier; import meerkat.crypto.mixnet.Mix2ZeroKnowledgeVerifier;
import meerkat.mixer.prover.Prover; import meerkat.mixer.proofs.Prover;
import meerkat.mixer.verifier.Verifier; import meerkat.mixer.proofs.Verifier;
import meerkat.protobuf.ConcreteCrypto; import meerkat.protobuf.ConcreteCrypto;
import meerkat.protobuf.Crypto; import meerkat.protobuf.Crypto;
import meerkat.protobuf.Voting; import meerkat.protobuf.Voting;

2
mixer/src/test/java/profiling/ZeroKnowledgeProof.java
View File

@ -4,7 +4,7 @@ import com.google.protobuf.ByteString;
import com.google.protobuf.InvalidProtocolBufferException; import com.google.protobuf.InvalidProtocolBufferException;
import meerkat.crypto.concrete.ECElGamalEncryption; import meerkat.crypto.concrete.ECElGamalEncryption;
import meerkat.crypto.mixnet.Mix2ZeroKnowledgeProver; import meerkat.crypto.mixnet.Mix2ZeroKnowledgeProver;
import meerkat.mixer.prover.Prover; import meerkat.mixer.proofs.Prover;
import meerkat.protobuf.ConcreteCrypto; import meerkat.protobuf.ConcreteCrypto;
import meerkat.protobuf.Crypto; import meerkat.protobuf.Crypto;
import meerkat.protobuf.Voting; import meerkat.protobuf.Voting;