mirror of
https://source.quilibrium.com/quilibrium/ceremonyclient.git
synced 2025-01-12 16:55:18 +00:00
379 lines
9.2 KiB
Go
379 lines
9.2 KiB
Go
//
|
||
// Copyright Coinbase, Inc. All Rights Reserved.
|
||
//
|
||
// SPDX-License-Identifier: Apache-2.0
|
||
//
|
||
|
||
package accumulator
|
||
|
||
import (
|
||
"errors"
|
||
"fmt"
|
||
|
||
"git.sr.ht/~sircmpwn/go-bare"
|
||
|
||
"source.quilibrium.com/quilibrium/monorepo/nekryptology/pkg/core/curves"
|
||
)
|
||
|
||
// MembershipWitness contains the witness c and the value y respect to the accumulator state.
|
||
type MembershipWitness struct {
|
||
c curves.Point
|
||
y curves.Scalar
|
||
}
|
||
|
||
// New creates a new membership witness
|
||
func (mw *MembershipWitness) New(y Element, acc *Accumulator, sk *SecretKey) (*MembershipWitness, error) {
|
||
if acc.value == nil || acc.value.IsIdentity() {
|
||
return nil, fmt.Errorf("value of accumulator should not be nil")
|
||
}
|
||
if sk.value == nil || sk.value.IsZero() {
|
||
return nil, fmt.Errorf("secret key should not be nil")
|
||
}
|
||
if y == nil || y.IsZero() {
|
||
return nil, fmt.Errorf("y should not be nil")
|
||
}
|
||
newAcc := &Accumulator{acc.value}
|
||
_, err := newAcc.Remove(sk, y)
|
||
if err != nil {
|
||
return nil, err
|
||
}
|
||
mw.c = newAcc.value
|
||
mw.y = y.Add(y.Zero())
|
||
return mw, nil
|
||
}
|
||
|
||
// Verify the MembershipWitness mw is a valid witness as per section 4 in
|
||
// <https://eprint.iacr.org/2020/777>
|
||
func (mw MembershipWitness) Verify(pk *PublicKey, acc *Accumulator) error {
|
||
if mw.c == nil || mw.y == nil || mw.c.IsIdentity() || mw.y.IsZero() {
|
||
return fmt.Errorf("c and y should not be nil")
|
||
}
|
||
|
||
if pk.value == nil || pk.value.IsIdentity() {
|
||
return fmt.Errorf("invalid public key")
|
||
}
|
||
if acc.value == nil || acc.value.IsIdentity() {
|
||
return fmt.Errorf("accumulator value should not be nil")
|
||
}
|
||
|
||
// Set -tildeP
|
||
g2, ok := pk.value.Generator().(curves.PairingPoint)
|
||
if !ok {
|
||
return errors.New("incorrect type conversion")
|
||
}
|
||
|
||
// y*tildeP + tildeQ, tildeP is a G2 generator.
|
||
p, ok := g2.Mul(mw.y).Add(pk.value).(curves.PairingPoint)
|
||
if !ok {
|
||
return errors.New("incorrect type conversion")
|
||
}
|
||
|
||
// Prepare
|
||
witness, ok := mw.c.(curves.PairingPoint)
|
||
if !ok {
|
||
return errors.New("incorrect type conversion")
|
||
}
|
||
v, ok := acc.value.Neg().(curves.PairingPoint)
|
||
if !ok {
|
||
return errors.New("incorrect type conversion")
|
||
}
|
||
|
||
// Check e(witness, y*tildeP + tildeQ) * e(-acc, tildeP) == Identity
|
||
result := p.MultiPairing(witness, p, v, g2)
|
||
if !result.IsOne() {
|
||
return fmt.Errorf("invalid result")
|
||
}
|
||
|
||
return nil
|
||
}
|
||
|
||
// ApplyDelta returns C' = dA(y)/dD(y)*C + 1/dD(y) * <Gamma_y, Omega>
|
||
// according to the witness update protocol described in section 4 of
|
||
// https://eprint.iacr.org/2020/777.pdf
|
||
func (mw *MembershipWitness) ApplyDelta(delta *Delta) (*MembershipWitness, error) {
|
||
if mw.c == nil || mw.y == nil || delta == nil {
|
||
return nil, fmt.Errorf("y, c or delta should not be nil")
|
||
}
|
||
|
||
// C' = dA(y)/dD(y)*C + 1/dD(y) * <Gamma_y, Omega>
|
||
mw.c = mw.c.Mul(delta.d).Add(delta.p)
|
||
return mw, nil
|
||
}
|
||
|
||
// BatchUpdate performs batch update as described in section 4
|
||
func (mw *MembershipWitness) BatchUpdate(additions []Element, deletions []Element, coefficients []Coefficient) (*MembershipWitness, error) {
|
||
delta, err := evaluateDelta(mw.y, additions, deletions, coefficients)
|
||
if err != nil {
|
||
return nil, err
|
||
}
|
||
mw, err = mw.ApplyDelta(delta)
|
||
if err != nil {
|
||
return nil, fmt.Errorf("applyDelta fails")
|
||
}
|
||
return mw, nil
|
||
}
|
||
|
||
// MultiBatchUpdate performs multi-batch update using epoch as described in section 4.2
|
||
func (mw *MembershipWitness) MultiBatchUpdate(A [][]Element, D [][]Element, C [][]Coefficient) (*MembershipWitness, error) {
|
||
delta, err := evaluateDeltas(mw.y, A, D, C)
|
||
if err != nil {
|
||
return nil, fmt.Errorf("evaluateDeltas fails")
|
||
}
|
||
mw, err = mw.ApplyDelta(delta)
|
||
if err != nil {
|
||
return nil, err
|
||
}
|
||
return mw, nil
|
||
}
|
||
|
||
// MarshalBinary converts a membership witness to bytes
|
||
func (mw MembershipWitness) MarshalBinary() ([]byte, error) {
|
||
if mw.c == nil || mw.y == nil {
|
||
return nil, fmt.Errorf("c and y value should not be nil")
|
||
}
|
||
|
||
result := append(mw.c.ToAffineCompressed(), mw.y.Bytes()...)
|
||
tv := &structMarshal{
|
||
Value: result,
|
||
Curve: mw.c.CurveName(),
|
||
}
|
||
return bare.Marshal(tv)
|
||
}
|
||
|
||
// UnmarshalBinary converts bytes into MembershipWitness
|
||
func (mw *MembershipWitness) UnmarshalBinary(data []byte) error {
|
||
if data == nil {
|
||
return fmt.Errorf("input data should not be nil")
|
||
}
|
||
tv := new(structMarshal)
|
||
err := bare.Unmarshal(data, tv)
|
||
if err != nil {
|
||
return err
|
||
}
|
||
curve := curves.GetCurveByName(tv.Curve)
|
||
if curve == nil {
|
||
return fmt.Errorf("invalid curve")
|
||
}
|
||
|
||
ptLength := len(curve.Point.ToAffineCompressed())
|
||
scLength := len(curve.Scalar.Bytes())
|
||
expectedLength := ptLength + scLength
|
||
if len(tv.Value) != expectedLength {
|
||
return fmt.Errorf("invalid byte sequence")
|
||
}
|
||
cValue, err := curve.Point.FromAffineCompressed(tv.Value[:ptLength])
|
||
if err != nil {
|
||
return err
|
||
}
|
||
yValue, err := curve.Scalar.SetBytes(tv.Value[ptLength:])
|
||
if err != nil {
|
||
return err
|
||
}
|
||
mw.c = cValue
|
||
mw.y = yValue
|
||
return nil
|
||
}
|
||
|
||
// Delta contains values d and p, where d should be the division dA(y)/dD(y) on some value y
|
||
// p should be equal to 1/dD * <Gamma_y, Omega>
|
||
type Delta struct {
|
||
d curves.Scalar
|
||
p curves.Point
|
||
}
|
||
|
||
// MarshalBinary converts Delta into bytes
|
||
func (d *Delta) MarshalBinary() ([]byte, error) {
|
||
if d.d == nil || d.p == nil {
|
||
return nil, fmt.Errorf("d and p should not be nil")
|
||
}
|
||
var result []byte
|
||
result = append(result, d.p.ToAffineCompressed()...)
|
||
result = append(result, d.d.Bytes()...)
|
||
tv := &structMarshal{
|
||
Value: result,
|
||
Curve: d.p.CurveName(),
|
||
}
|
||
return bare.Marshal(tv)
|
||
}
|
||
|
||
// UnmarshalBinary converts data into Delta
|
||
func (d *Delta) UnmarshalBinary(data []byte) error {
|
||
if data == nil {
|
||
return fmt.Errorf("expected non-zero byte sequence")
|
||
}
|
||
|
||
tv := new(structMarshal)
|
||
err := bare.Unmarshal(data, tv)
|
||
if err != nil {
|
||
return err
|
||
}
|
||
curve := curves.GetCurveByName(tv.Curve)
|
||
if curve == nil {
|
||
return fmt.Errorf("invalid curve")
|
||
}
|
||
|
||
ptLength := len(curve.Point.ToAffineCompressed())
|
||
scLength := len(curve.Scalar.Bytes())
|
||
expectedLength := ptLength + scLength
|
||
if len(tv.Value) != expectedLength {
|
||
return fmt.Errorf("invalid byte sequence")
|
||
}
|
||
pValue, err := curve.NewIdentityPoint().FromAffineCompressed(tv.Value[:ptLength])
|
||
if err != nil {
|
||
return err
|
||
}
|
||
dValue, err := curve.NewScalar().SetBytes(tv.Value[ptLength:])
|
||
if err != nil {
|
||
return err
|
||
}
|
||
if err != nil {
|
||
return err
|
||
}
|
||
d.d = dValue
|
||
d.p = pValue
|
||
return nil
|
||
}
|
||
|
||
// evaluateDeltas compute values used for membership witness batch update with epoch
|
||
// as described in section 4.2, page 11 of https://eprint.iacr.org/2020/777.pdf
|
||
func evaluateDeltas(y Element, A [][]Element, D [][]Element, C [][]Coefficient) (*Delta, error) {
|
||
if len(A) != len(D) || len(A) != len(C) {
|
||
return nil, fmt.Errorf("a, d, c should have same length")
|
||
}
|
||
|
||
one := y.One()
|
||
size := len(A)
|
||
|
||
// dA(x) = ∏ 1..n (yA_i - x)
|
||
aa := make([]curves.Scalar, 0)
|
||
// dD(x) = ∏ 1..m (yD_i - x)
|
||
dd := make([]curves.Scalar, 0)
|
||
|
||
a := one
|
||
d := one
|
||
|
||
// dA_{a->b}(y) = ∏ a..b dAs(y)
|
||
// dD_{a->b}(y) = ∏ a..b dDs(y)
|
||
for i := 0; i < size; i++ {
|
||
adds := A[i]
|
||
dels := D[i]
|
||
|
||
// ta = dAs(y)
|
||
ta, err := dad(adds, y)
|
||
if err != nil {
|
||
return nil, fmt.Errorf("dad on additions fails")
|
||
}
|
||
// td = dDs(y)
|
||
td, err := dad(dels, y)
|
||
if err != nil {
|
||
return nil, fmt.Errorf("dad on deletions fails")
|
||
}
|
||
// ∏ a..b dAs(y)
|
||
a = a.Mul(ta)
|
||
// ∏ a..b dDs(y)
|
||
d = d.Mul(td)
|
||
|
||
aa = append(aa, ta)
|
||
dd = append(dd, td)
|
||
}
|
||
|
||
// If this fails, then this value was removed.
|
||
d, err := d.Invert()
|
||
if err != nil {
|
||
return nil, fmt.Errorf("no inverse exists")
|
||
}
|
||
|
||
// <Gamma_y, Omega>
|
||
p := make(polynomialPoint, 0, size)
|
||
|
||
// Ωi->j+1 = ∑ 1..t (dAt * dDt-1) · Ω
|
||
for i := 0; i < size; i++ {
|
||
// t = i+1
|
||
// ∏^(t-1)_(h=i+1)
|
||
ddh := one
|
||
|
||
// dDi→t−1 (y)
|
||
for h := 0; h < i; h++ {
|
||
ddh = ddh.Mul(dd[h])
|
||
}
|
||
|
||
// ∏^(j+1)_(k=t+1)
|
||
dak := one
|
||
// dAt->j(y)
|
||
for k := i + 1; k < size; k++ {
|
||
dak = dak.Mul(aa[k])
|
||
}
|
||
|
||
// dDi->t-1(y) * dAt->j(y)
|
||
dak = dak.Mul(ddh)
|
||
pp := make(polynomialPoint, len(C[i]))
|
||
for j := 0; j < len(pp); j++ {
|
||
pp[j] = C[i][j]
|
||
}
|
||
|
||
// dDi->t-1(y) * dAt->j(y) · Ω
|
||
pp, err := pp.Mul(dak)
|
||
if err != nil {
|
||
return nil, fmt.Errorf("pp.Mul fails")
|
||
}
|
||
|
||
p, err = p.Add(pp)
|
||
if err != nil {
|
||
return nil, fmt.Errorf("pp.Add fails")
|
||
}
|
||
}
|
||
// dAi->j(y)/dDi->j(y)
|
||
a = a.Mul(d)
|
||
|
||
// Ωi->j(y)
|
||
v, err := p.evaluate(y)
|
||
if err != nil {
|
||
return nil, fmt.Errorf("p.evaluate fails")
|
||
}
|
||
|
||
// (1/dDi->j(y)) * Ωi->j(y)
|
||
v = v.Mul(d)
|
||
|
||
// return
|
||
return &Delta{d: a, p: v}, nil
|
||
}
|
||
|
||
// evaluateDelta computes values used for membership witness batch update
|
||
// as described in section 4.1 of https://eprint.iacr.org/2020/777.pdf
|
||
func evaluateDelta(y Element, additions []Element, deletions []Element, coefficients []Coefficient) (*Delta, error) {
|
||
// dD(y) = ∏ 1..m (yD_i - y), d = 1/dD(y)
|
||
var err error
|
||
d, err := dad(deletions, y)
|
||
if err != nil {
|
||
return nil, fmt.Errorf("dad fails on deletions")
|
||
}
|
||
d, err = d.Invert()
|
||
if err != nil {
|
||
return nil, fmt.Errorf("no inverse exists")
|
||
}
|
||
|
||
//dA(y) = ∏ 1..n (yA_i - y)
|
||
a, err := dad(additions, y)
|
||
if err != nil {
|
||
return nil, fmt.Errorf("dad fails on additions")
|
||
}
|
||
// dA(y)/dD(y)
|
||
a = a.Mul(d)
|
||
|
||
// Create a PolynomialG1 from coefficients
|
||
p := make(polynomialPoint, len(coefficients))
|
||
for i := 0; i < len(coefficients); i++ {
|
||
p[i] = coefficients[i]
|
||
}
|
||
|
||
// <Gamma_y, Omega>
|
||
v, err := p.evaluate(y)
|
||
if err != nil {
|
||
return nil, fmt.Errorf("p.evaluate fails")
|
||
}
|
||
// 1/dD * <Gamma_y, Omega>
|
||
v = v.Mul(d)
|
||
|
||
return &Delta{d: a, p: v}, nil
|
||
}
|