diff --git a/script/research/bulletproof-mpc/expected_p.sage b/script/research/bulletproof-mpc/expected_p.sage index de6d5d54a..527d95897 100644 --- a/script/research/bulletproof-mpc/expected_p.sage +++ b/script/research/bulletproof-mpc/expected_p.sage @@ -68,6 +68,7 @@ party_1_c_shares = [their_c_share.mul(my_c_share.d, my_c_share.e) for my_c_share party_1_c_share = [sum_shares(party_1_c_shares, source, 1)] party_1_q_c_shares = MSM(Q2, party_1_c_share, source, 1) c_shares = [party_0_c_share[0].authenticated_open(party_1_c_share[0])] +print('c: {}'.format(c_shares[0])) assert(c_shares[0] == sum([a*b for a,b in zip(party0_val, party1_val)])), 'sum: {}'.format(sum([a*b for a,b in zip(party0_val, party1_val)])) party_0_h_b_prime_shares = MSM(H1, party_0_b_prime_shares, source, 0) diff --git a/script/research/bulletproof-mpc/inner_product_proof.sage b/script/research/bulletproof-mpc/inner_product_proof.sage index d0a8d4af1..568dca1db 100644 --- a/script/research/bulletproof-mpc/inner_product_proof.sage +++ b/script/research/bulletproof-mpc/inner_product_proof.sage @@ -24,10 +24,10 @@ proof = Proof(transcript, Q, G_factors, H_factors, G, H, a, b) g_a_prime = CurvePoint.msm(G, a_prime) h_b_prime = CurvePoint.msm(H, b_prime) q_c = CurvePoint.msm(Q, c) -P_res = sum([g_a_prime, h_b_prime, q_c]) print('g_a_prime: {}'.format(g_a_prime)) print('h_b_prime: {}'.format(h_b_prime)) print('q_c: {}'.format(q_c)) +P_res = sum([g_a_prime, h_b_prime, q_c]) print('P: {}'.format(P_res)) verifier = Transcript('bulletproof') pp, p, _ = proof.verify(n, verifier, G_factors, H_factors, P_res, Q, G, H) diff --git a/script/research/bulletproof-mpc/mpc_inner_product_proof.sage b/script/research/bulletproof-mpc/mpc_inner_product_proof.sage index 3b7cb3cee..685e38b49 100644 --- a/script/research/bulletproof-mpc/mpc_inner_product_proof.sage +++ b/script/research/bulletproof-mpc/mpc_inner_product_proof.sage @@ -4,6 +4,8 @@ load('transcript.sage') load('../mpc/beaver.sage') load('proof_mpc.sage') import gc +import numpy as np + ## n = 2 #Q = to_ec_shares_list([CurvePoint.generator()]) @@ -12,28 +14,32 @@ n = 2 Q = to_ec_shares_list([CurvePoint.generator()]) Q1 = to_ec_shares_list([CurvePoint.random()]) Q2 = [q - q1 for q, q1 in zip(Q, Q1)] + H = to_ec_shares_list([CurvePoint.generator() for i in range(0,n)]) H1 = to_ec_shares_list([CurvePoint.random() for i in range(0,n)]) H2 = [h - h1 for h, h1 in zip(H, H1)] + G = to_ec_shares_list([CurvePoint.generator() for i in range(0,n)]) G1 = to_ec_shares_list([CurvePoint.random() for i in range(0,n)]) G2 = [g - g1 for g, g1 in zip(G, G1)] ## source -source = Source(p) +source = TestSource() ## alpha -party0_val = [1, 2] -party1_val = [2, 4] -party0_random = [1,1] +party0_val = [1,2] +party1_val = [2,4] +party0_random = [random.randint(0,p) for _ in range(0,n)] alpha1 = [AuthenticatedShare(party0_random[i], source, 0) for i in range(0,n)] alpha2 = [AuthenticatedShare(party0_val[i] - party0_random[i], source, 0) for i in range(0,n)] -print('alpha2: {}'.format(alpha2)) +#print('alpha2: {}'.format(alpha2)) a_shares = [alpha1, alpha2] +#print('a shares: {}'.format(a_shares)) ## beta -party1_random = [1,1] +party1_random = [random.randint(0,p) for _ in range(0,n)] beta1 = [AuthenticatedShare(party1_random[i], source, 1) for i in range(0,n)] beta2 = [AuthenticatedShare(party1_val[i] - party1_random[i], source, 1) for i in range(0,n)] b_shares = [beta1, beta2] +#print('b shares: {}'.format(b_shares)) ## c my_c_shares = [MultiplicationAuthenticatedShares(a_share, b_share, source.triplet(0), 0) for a_share, b_share in zip(a_shares[0], b_shares[0])] their_c_shares = [MultiplicationAuthenticatedShares(peer_a_share, peer_b_share, source.triplet(0), 1) for peer_a_share, peer_b_share in zip(a_shares[1], b_shares[1])] @@ -93,8 +99,89 @@ party_1_proof_c_r = party_1_proof.c_r.copy() party_0_proof_c_l = party_0_proof.c_l.copy() party_0_proof_c_r = party_0_proof.c_r.copy() +c_l_lhs = [party_0_proof_c_l_i[0].mul(party_1_proof_c_l_i[0].d, party_1_proof_c_l_i[0].e) for party_0_proof_c_l_i, party_1_proof_c_l_i in zip(party_0_proof_c_l, party_1_proof_c_l)] +c_l_rhs = [party_1_proof_c_l_i[0].mul(party_0_proof_c_l_i[0].d, party_0_proof_c_l_i[0].e) for party_1_proof_c_l_i, party_0_proof_c_l_i in zip(party_1_proof_c_l, party_0_proof_c_l)] +c_l_res = [c_l_lhs_i.authenticated_open(c_l_rhs_i) for c_l_lhs_i, c_l_rhs_i in zip(c_l_lhs, c_l_rhs)] +#print('c_l: {}'.format(c_l_res)) +c_r_lhs = [party_0_proof_c_r_i[0].mul(party_1_proof_c_r_i[0].d, party_1_proof_c_r_i[0].e) for party_0_proof_c_r_i, party_1_proof_c_r_i in zip(party_0_proof_c_r, party_1_proof_c_r)] +c_r_rhs = [party_1_proof_c_r_i[0].mul(party_0_proof_c_r_i[0].d, party_0_proof_c_r_i[0].e) for party_1_proof_c_r_i, party_0_proof_c_r_i in zip(party_1_proof_c_r, party_0_proof_c_r)] +c_r_res = [c_r_lhs_i.authenticated_open(c_r_rhs_i) for c_r_lhs_i, c_r_rhs_i in zip(c_r_lhs, c_r_rhs)] +#print('c_r: {}'.format(c_r_res)) + party_0_proof.create(party_1_proof_c_l, party_1_proof_c_r) party_1_proof.create(party_0_proof_c_l, party_0_proof_c_r) + +# validate L_gr_al_g +L_gr_al_g_truth_table = [874739451078007766457464989774322083649278607533249481151382481072868806602, 152666792071518830868575557812948353041420400780739481342941381225525861407 , 1] +L_gr_al_g_lhs = party_0_proof.L_gr_al_g_share.copy().msm(party_1_proof.L_gr_al_g_share.copy().de()) +L_gr_al_g_rhs = party_1_proof.L_gr_al_g_share.copy().msm(party_0_proof.L_gr_al_g_share.copy().de()) +L_gr_al_g = L_gr_al_g_lhs.authenticated_open(L_gr_al_g_rhs) +assert L_gr_al_g[0] == L_gr_al_g_truth_table[0] and L_gr_al_g[1] == L_gr_al_g_truth_table[1], 'L_gr_al_g: {}'.format(L_gr_al_g) + +# validate L_hl_br_h +L_hl_br_h_truth_table = [296568192680735721663075531306405401515803196637037431012739700151231900092, 2496008012906462030584867856951610048657271546413643307709739611216909709750, 1] +L_hl_br_h_lhs = party_0_proof.L_hl_br_h_share.copy().msm(party_1_proof.L_hl_br_h_share.copy().de()) +L_hl_br_h_rhs = party_1_proof.L_hl_br_h_share.copy().msm(party_0_proof.L_hl_br_h_share.copy().de()) +L_hl_br_h = L_hl_br_h_lhs.authenticated_open(L_hl_br_h_rhs) +assert L_hl_br_h[0] == L_hl_br_h_truth_table[0] and L_hl_br_h[1] == L_hl_br_h_truth_table[1], 'L_hl_br_h: {}'.format(L_hl_br_h) + +# validate L_q_cl +L_q_cl_truth_table = [296568192680735721663075531306405401515803196637037431012739700151231900092, 2496008012906462030584867856951610048657271546413643307709739611216909709750, 1] +L_q_cl_lhs = party_0_proof.L_q_cl_share.copy().msm(party_1_proof.L_q_cl_share.copy().de()) +L_q_cl_rhs = party_1_proof.L_q_cl_share.copy().msm(party_0_proof.L_q_cl_share.copy().de()) + +L_q_cl = L_q_cl_lhs.authenticated_open(L_q_cl_rhs) + +assert L_q_cl[0] == L_q_cl_truth_table[0] and L_q_cl[1] == L_q_cl_truth_table[1], 'L_q_cl: {}'.format(L_q_cl) + +#validate R_gl_ar_g +R_gl_ar_g_truth_table = [3324833730090626974525872402899302150520188025637965566623476530814354734325, 3147007486456030910661996439995670279305852583596209647900952752170983517249, 1] +R_gl_ar_g_lhs = party_0_proof.R_gl_ar_g_share.copy().msm(party_1_proof.R_gl_ar_g_share.copy().de()) +R_gl_ar_g_rhs = party_1_proof.R_gl_ar_g_share.copy().msm(party_0_proof.R_gl_ar_g_share.copy().de()) +print(R_gl_ar_g_lhs) +print(R_gl_ar_g_rhs) +R_gl_ar_g = R_gl_ar_g_lhs.authenticated_open(R_gl_ar_g_rhs) +assert R_gl_ar_g[0] == R_gl_ar_g_truth_table[0] and R_gl_ar_g[1] == R_gl_ar_g_truth_table[1], 'R_gl_ar_g: {}'.format(R_gl_ar_g) + +#validate R_hr_bl_h +R_hr_bl_h_truth_table = [3324833730090626974525872402899302150520188025637965566623476530814354734325, 3147007486456030910661996439995670279305852583596209647900952752170983517249, 1] +R_hr_bl_h_lhs = party_0_proof.R_hr_bl_h_share.copy().msm(party_1_proof.R_hr_bl_h_share.copy().de()) +R_hr_bl_h_rhs = party_1_proof.R_hr_bl_h_share.copy().msm(party_0_proof.R_hr_bl_h_share.copy().de()) +R_hr_bl_h = R_hr_bl_h_lhs.authenticated_open(R_hr_bl_h_rhs) +assert R_hr_bl_h[0] == R_hr_bl_h_truth_table[0] and R_hr_bl_h[1] == R_hr_bl_h_truth_table[1], 'R_hr_bl_h: {}'.format(R_hr_bl_h) + +#validate R_q_cr +R_q_cr_truth_table = [296568192680735721663075531306405401515803196637037431012739700151231900092, 2496008012906462030584867856951610048657271546413643307709739611216909709750, 1] +R_q_cr_lhs = party_0_proof.R_q_cr_share.copy().msm(party_1_proof.R_q_cr_share.copy().de()) +R_q_cr_rhs = party_1_proof.R_q_cr_share.copy().msm(party_0_proof.R_q_cr_share.copy().de()) +R_q_cr = R_q_cr_lhs.authenticated_open(R_q_cr_rhs) +print(R_q_cr_lhs) +print(R_q_cr_rhs) +assert R_q_cr[0] == R_q_cr_truth_table[0] and R_q_cr[1] == R_q_cr_truth_table[1], 'R_q_cr: {}'.format(R_q_cr) + +# validate L,R +L_truth_table = [944745129853146482146311827146531433242387523423467361347719369673366386761, 2394221861052833782597287772330532919046009427329165562185942323334687758988, 1] +R_truth_table = [3136030469135674343172465880817263454880219855664441593466904169223571314065, 3230850854683103635133032411878658931556916918508772276704988424959453909526, 1] +L = [] +R = [] +for party_0_proof_lhs, party_1_proof_lhs in zip(party_0_proof.lhs, party_1_proof.lhs): + l_i_l = [] + for i in range(len(party_0_proof_lhs)): + l_i_l_0_lhs = party_0_proof_lhs[i].copy().msm(party_1_proof_lhs[i].de()) + l_i_l_1_rhs = party_1_proof_lhs[i].copy().msm(party_0_proof_lhs[i].de()) + l_i_l += [l_i_l_0_lhs.authenticated_open(l_i_l_1_rhs)] + L += [sum(l_i_l)] +assert L[0][0] == L_truth_table[0] and L[0][1] == L_truth_table[1], 'L: {}'.format(L) + +for party_0_proof_rhs, party_1_proof_rhs in zip(party_0_proof.rhs, party_1_proof.rhs): + r_i_l = [] + for i in range(len(party_0_proof_rhs)): + r_i_l_lhs = party_0_proof_rhs[i].copy().msm(party_1_proof_rhs[i].de()) + r_i_l_rhs = party_1_proof_rhs[i].copy().msm(party_0_proof_rhs[i].de()) + r_i_l += [r_i_l_lhs.authenticated_open(r_i_l_rhs)] + R += [sum(r_i_l)] +assert R[0][0] == R_truth_table[0] and R[0][1] == R_truth_table[1], 'R: {}'.format(R) + ## expected P expected_P = sum([g_a_prime, h_b_prime, q_c]) ## party 0 proof verification @@ -113,14 +200,14 @@ party_1_proof_rhs = [[ii.copy() for ii in i] for i in party_1_proof.rhs] party_0_proof_rhs = [[ii.copy() for ii in i] for i in party_0_proof.rhs] # verify party 1 lpr party_0_proof.open_lr(Q1, G1, H1, party_1_c_shares_de ,party_1_proof_lhs, party_1_proof_rhs) -## # verify party 0 lpr party_1_proof.open_lr(Q2, G2, H2, party_0_c_shares_de, party_0_proof_lhs, party_0_proof_rhs) -## party_0_proof_l = party_0_proof.L party_1_proof_l = party_1_proof.L - L = sum(party_0_proof_l_i.authenticated_open(party_1_proof_l_i) for party_0_proof_l_i, party_1_proof_l_i in zip(party_0_proof_l, party_1_proof_l)) party_0_proof_r = party_0_proof.R party_1_proof_r = party_1_proof.R R = sum(party_0_proof_r_i.authenticated_open(party_1_proof_r_i) for party_0_proof_r_i, party_1_proof_r_i in zip(party_0_proof_r, party_1_proof_r)) + +# validate proofs +party_0_proof.open_and_validate_P(party_1_proof.res_p, expected_P) diff --git a/script/research/bulletproof-mpc/mpc_inner_product_proof_random.sage b/script/research/bulletproof-mpc/mpc_inner_product_proof_random.sage new file mode 100644 index 000000000..d4338dc3d --- /dev/null +++ b/script/research/bulletproof-mpc/mpc_inner_product_proof_random.sage @@ -0,0 +1,142 @@ +load('../mpc/curve.sage') +load('proof.sage') +load('transcript.sage') +load('../mpc/beaver.sage') +load('proof_mpc.sage') +import gc +import numpy as np + +## +n = 2 + +#Q = to_ec_shares_list([CurvePoint.generator() for _ in range(0, int(n/2))]) +Q = to_ec_shares_list([CurvePoint.generator()]) +Q1 = to_ec_shares_list([CurvePoint.random() for _ in range(len(Q))]) +Q2 = [q - q1 for q, q1 in zip(Q, Q1)] + +H = to_ec_shares_list([CurvePoint.generator() for i in range(0,n)]) +H1 = to_ec_shares_list([CurvePoint.random() for i in range(0,n)]) +H2 = [h - h1 for h, h1 in zip(H, H1)] + +G = to_ec_shares_list([CurvePoint.generator() for i in range(0,n)]) +G1 = to_ec_shares_list([CurvePoint.random() for i in range(0,n)]) +G2 = [g - g1 for g, g1 in zip(G, G1)] + +## source +source = Source(p) +## alpha +party0_val = [random.randint(0,p) for _ in range(0,n)] +party1_val = [random.randint(0,p) for _ in range(0,n)] +party0_random = [random.randint(0,p) for _ in range(0,n)] +alpha1 = [AuthenticatedShare(party0_random[i], source, 0) for i in range(0,n)] +alpha2 = [AuthenticatedShare(party0_val[i] - party0_random[i], source, 0) for i in range(0,n)] +#print('alpha2: {}'.format(alpha2)) +a_shares = [alpha1, alpha2] +#print('a shares: {}'.format(a_shares)) +## beta +party1_random = [random.randint(0,p) for _ in range(0,n)] +beta1 = [AuthenticatedShare(party1_random[i], source, 1) for i in range(0,n)] +beta2 = [AuthenticatedShare(party1_val[i] - party1_random[i], source, 1) for i in range(0,n)] +b_shares = [beta1, beta2] +#print('b shares: {}'.format(b_shares)) +## c +my_c_shares = [MultiplicationAuthenticatedShares(a_share, b_share, source.triplet(0), 0) for a_share, b_share in zip(a_shares[0], b_shares[0])] +their_c_shares = [MultiplicationAuthenticatedShares(peer_a_share, peer_b_share, source.triplet(0), 1) for peer_a_share, peer_b_share in zip(a_shares[1], b_shares[1])] +## +party_0_c_shares = [my_c_share.mul(their_c_share.d.copy(), their_c_share.e.copy()) for my_c_share, their_c_share in zip(my_c_shares, their_c_shares)] +party_1_c_shares = [their_c_share.mul(my_c_share.d.copy(), my_c_share.e.copy()) for my_c_share, their_c_share in zip(my_c_shares, their_c_shares)] + +party_0_c_share = [sum_shares(party_0_c_shares, source, 0)] +party_1_c_share = [sum_shares(party_1_c_shares, source, 1)] + +## +y_inv = K(1) +## +G_factors = [K(1)]*n +H_factors = [y_inv**i for i in range(0,n)] +## +party_0_b_prime_shares = [b_share.mul_scalar(y) for b_share, y in zip(b_shares[0], H_factors)] +party_0_a_prime_shares = a_shares[0].copy() +## +party_1_b_prime_shares = [b_share.mul_scalar(y) for b_share, y in zip(b_shares[1], H_factors)] +party_1_a_prime_shares = a_shares[1].copy() +## +party_0_g_a_prime_shares = MSM(G1, party_0_a_prime_shares, source, 0) +party_0_h_b_prime_shares = MSM(H1, party_0_b_prime_shares, source, 0) +party_0_q_c_shares = MSM(Q1, party_0_c_share, source, 0) +## +party_1_g_a_prime_shares = MSM(G2, party_1_a_prime_shares, source, 1) +party_1_h_b_prime_shares = MSM(H2, party_1_b_prime_shares, source, 1) +party_1_q_c_shares = MSM(Q2, party_1_c_share, source, 1) +## msm multiplication shares announcement for g_a_prime_shares +party_0_g_a_prime_shares_de = [[party_0_g_a_prime_share.d, party_0_g_a_prime_share.e] for party_0_g_a_prime_share in party_0_g_a_prime_shares.point_scalars] +party_1_g_a_prime_shares_de = [[party_1_g_a_prime_share.d, party_1_g_a_prime_share.e] for party_1_g_a_prime_share in party_1_g_a_prime_shares.point_scalars] +party_0_g_a_prime_shares_lhs = party_0_g_a_prime_shares.msm(party_1_g_a_prime_shares_de) +party_1_g_a_prime_shares_rhs = party_1_g_a_prime_shares.msm(party_0_g_a_prime_shares_de) +g_a_prime = party_0_g_a_prime_shares_lhs.authenticated_open(party_1_g_a_prime_shares_rhs) +## msm multiplication shares announcement for g_b_prime_shares +party_0_h_b_prime_shares_de = [[party_0_h_b_prime_share.d, party_0_h_b_prime_share.e] for party_0_h_b_prime_share in party_0_h_b_prime_shares.point_scalars] +party_1_h_b_prime_shares_de = [[party_1_h_b_prime_share.d, party_1_h_b_prime_share.e] for party_1_h_b_prime_share in party_1_h_b_prime_shares.point_scalars] +party_0_h_b_prime_shares_lhs = party_0_h_b_prime_shares.msm(party_1_h_b_prime_shares_de) +party_1_h_b_prime_shares_rhs = party_1_h_b_prime_shares.msm(party_0_h_b_prime_shares_de) +h_b_prime = party_0_h_b_prime_shares_lhs.authenticated_open(party_1_h_b_prime_shares_rhs) +## msm multiplication shares announcement for q_c_prime_shares +party_0_q_c_shares_de = [[party_0_q_c_share.d, party_0_q_c_share.e] for party_0_q_c_share in party_0_q_c_shares.point_scalars] +party_1_q_c_shares_de = [[party_1_q_c_share.d, party_1_q_c_share.e] for party_1_q_c_share in party_1_q_c_shares.point_scalars] +party_0_q_c_shares_lhs = party_0_q_c_shares.msm(party_1_q_c_shares_de) +party_1_q_c_shares_rhs = party_1_q_c_shares.msm(party_0_q_c_shares_de) +q_c = party_0_q_c_shares_lhs.authenticated_open(party_1_q_c_shares_rhs) +## party 0 proof generation +party_0_transcript = Transcript('bulletproof') +party_0_proof = MpcProof(party_0_transcript, Q1, G_factors, H_factors, G1, H1, a_shares[0], b_shares[0], source, 0) +## party 1 proof generation +party_1_transcript = Transcript('bulletproof') +party_1_proof = MpcProof(party_1_transcript, Q2, G_factors, H_factors, G2, H2, a_shares[1], b_shares[1], source, 1) +## create proof L, R +party_1_proof_c_l = party_1_proof.c_l.copy() +party_1_proof_c_r = party_1_proof.c_r.copy() +party_0_proof_c_l = party_0_proof.c_l.copy() +party_0_proof_c_r = party_0_proof.c_r.copy() + +c_l_lhs = [party_0_proof_c_l_i[0].mul(party_1_proof_c_l_i[0].d, party_1_proof_c_l_i[0].e) for party_0_proof_c_l_i, party_1_proof_c_l_i in zip(party_0_proof_c_l, party_1_proof_c_l)] +c_l_rhs = [party_1_proof_c_l_i[0].mul(party_0_proof_c_l_i[0].d, party_0_proof_c_l_i[0].e) for party_1_proof_c_l_i, party_0_proof_c_l_i in zip(party_1_proof_c_l, party_0_proof_c_l)] +c_l_res = [c_l_lhs_i.authenticated_open(c_l_rhs_i) for c_l_lhs_i, c_l_rhs_i in zip(c_l_lhs, c_l_rhs)] +#print('c_l: {}'.format(c_l_res)) +c_r_lhs = [party_0_proof_c_r_i[0].mul(party_1_proof_c_r_i[0].d, party_1_proof_c_r_i[0].e) for party_0_proof_c_r_i, party_1_proof_c_r_i in zip(party_0_proof_c_r, party_1_proof_c_r)] +c_r_rhs = [party_1_proof_c_r_i[0].mul(party_0_proof_c_r_i[0].d, party_0_proof_c_r_i[0].e) for party_1_proof_c_r_i, party_0_proof_c_r_i in zip(party_1_proof_c_r, party_0_proof_c_r)] +c_r_res = [c_r_lhs_i.authenticated_open(c_r_rhs_i) for c_r_lhs_i, c_r_rhs_i in zip(c_r_lhs, c_r_rhs)] +#print('c_r: {}'.format(c_r_res)) + +party_0_proof.create(party_1_proof_c_l, party_1_proof_c_r) +party_1_proof.create(party_0_proof_c_l, party_0_proof_c_r) + + +## expected P +expected_P = sum([g_a_prime, h_b_prime, q_c]) +## party 0 proof verification +party_0_verifier = Transcript('bulletproof') +party_0_proof.calculate_c_shares(n, party_0_verifier, G_factors, H_factors) +## party 1 proof verification +party_1_verifier = Transcript('bulletproof') +party_1_proof.calculate_c_shares(n, party_1_verifier, G_factors, H_factors) +## +party_0_c_shares_de = [[my_c_share.d.copy(), my_c_share.e.copy()] for my_c_share in party_0_proof.my_c_shares] +party_1_c_shares_de = [[my_c_share.d.copy(), my_c_share.e.copy()] for my_c_share in party_1_proof.my_c_shares] +## +party_1_proof_lhs = [[ii.copy() for ii in i] for i in party_1_proof.lhs] +party_0_proof_lhs = [[ii.copy() for ii in i] for i in party_0_proof.lhs] +party_1_proof_rhs = [[ii.copy() for ii in i] for i in party_1_proof.rhs] +party_0_proof_rhs = [[ii.copy() for ii in i] for i in party_0_proof.rhs] +# verify party 1 lpr +party_0_proof.open_lr(Q1, G1, H1, party_1_c_shares_de ,party_1_proof_lhs, party_1_proof_rhs) +# verify party 0 lpr +party_1_proof.open_lr(Q2, G2, H2, party_0_c_shares_de, party_0_proof_lhs, party_0_proof_rhs) +party_0_proof_l = party_0_proof.L +party_1_proof_l = party_1_proof.L +L = sum(party_0_proof_l_i.authenticated_open(party_1_proof_l_i) for party_0_proof_l_i, party_1_proof_l_i in zip(party_0_proof_l, party_1_proof_l)) +party_0_proof_r = party_0_proof.R +party_1_proof_r = party_1_proof.R +R = sum(party_0_proof_r_i.authenticated_open(party_1_proof_r_i) for party_0_proof_r_i, party_1_proof_r_i in zip(party_0_proof_r, party_1_proof_r)) + +# validate proofs +party_0_proof.open_and_validate_P(party_1_proof.res_p, expected_P) diff --git a/script/research/bulletproof-mpc/proof.sage b/script/research/bulletproof-mpc/proof.sage index 812be7665..62085e197 100644 --- a/script/research/bulletproof-mpc/proof.sage +++ b/script/research/bulletproof-mpc/proof.sage @@ -26,20 +26,31 @@ class Proof(object): al_g = [al*g for al, g in zip(a_l, G_factors[n:2*n])] br_h = [br*h for br,h in zip(b_r, H_factors[0:n])] L_gr_al_g = CurvePoint.msm(G_r, al_g) + print("L_gr_al_g: {}".format(L_gr_al_g)) L_hl_br_h = CurvePoint.msm(H_l, br_h) + print("L_hl_br_h: {}".format(L_hl_br_h)) + print('C_L: {}'.format(c_l)) L_q_cl = CurvePoint.msm(Q, c_l) + print("L_q_cl: {}".format(L_q_cl)) # L, R # note that P = L*R L = [sum([L_gr_al_g, L_hl_br_h , L_q_cl])] - R = [sum([CurvePoint.msm(G_l, [ar*g for ar, g in zip(a_r, G_factors[0:n])]), CurvePoint.msm(H_r, [bl*h for bl,h in zip(b_l, H_factors[n:2*n])]), CurvePoint.msm(Q, c_r)])] + R_gl_ar_g = CurvePoint.msm(G_l, [ar*g for ar, g in zip(a_r, G_factors[0:n])]) + print("R_gl_ar_g: {}".format(R_gl_ar_g)) + R_hr_bl_h = CurvePoint.msm(H_r, [bl*h for bl,h in zip(b_l, H_factors[n:2*n])]) + print("R_hr_bl_h: {}".format(R_hr_bl_h)) + print('C_R: {}'.format(c_r)) + R_q_cr = CurvePoint.msm(Q, c_r) + print('R_q_cr: {}'.format(R_q_cr)) + R = [sum([R_gl_ar_g, R_hr_bl_h, R_q_cr])] L_l += L R_l += R # choose true random challenges u, u^{-1} - #transcript.append_message(b'L', bytes(''.join([l.__str__() for l in L]), encoding='utf-8')) - #transcript.append_message(b'R', bytes(''.join([r.__str__() for r in R]), encoding='utf-8')) - #u = K(transcript.challenge_bytes(b'u')) - u = K(1) + transcript.append_message(b'L', bytes(''.join([l.__str__() for l in L]), encoding='utf-8')) + transcript.append_message(b'R', bytes(''.join([r.__str__() for r in R]), encoding='utf-8')) + u = K(transcript.challenge_bytes(b'u')) + #u = K(1) u_inv = 1/u for i in range(n): @@ -75,11 +86,11 @@ class Proof(object): R_l += R # choose true random challenges u, u^{-1]} - #transcript.append_message(b'L', bytes(''.join([l.__str__() for l in L]), encoding='utf-8')) - #transcript.append_message(b'R', bytes(''.join([r.__str__() for r in R]), encoding='utf-8')) + transcript.append_message(b'L', bytes(''.join([l.__str__() for l in L]), encoding='utf-8')) + transcript.append_message(b'R', bytes(''.join([r.__str__() for r in R]), encoding='utf-8')) - #u = K(transcript.challenge_bytes(b'u')) - u = K(1) + u = K(transcript.challenge_bytes(b'u')) + #u = K(1) u_inv = 1/u for i in range(n): # u * a_prime_l + u^{-1} * a_prime_r @@ -99,6 +110,8 @@ class Proof(object): self.rhs = R_l self.a = a[0] self.b = b[0] + print("L: {}".format(self.lhs)) + print('R: {}'.format(self.rhs)) def challenges(self, n, verifier): challenges = [] @@ -145,10 +158,8 @@ class Proof(object): ## h^{h_factor_b_s} res_p_3 = CurvePoint.msm(H, h_times_b_div_s) # L^(u^2) - print("L: {}".format(self.lhs)) res_p_4 = CurvePoint.msm(self.lhs, neg_u_sq) # R^(u^-2) - print('R: {}'.format(self.rhs)) res_p_5 = CurvePoint.msm(self.rhs, neg_u_inv_sq) # P prime = L^{u^2} * P * R^{u^{-1}} print('p_1: {}'.format(res_p_1)) diff --git a/script/research/bulletproof-mpc/proof_mpc.sage b/script/research/bulletproof-mpc/proof_mpc.sage index 16a717350..e3a0825d7 100644 --- a/script/research/bulletproof-mpc/proof_mpc.sage +++ b/script/research/bulletproof-mpc/proof_mpc.sage @@ -8,7 +8,7 @@ load('../mpc/beaver.sage') load('utils.sage') class MpcProof(object): - def __init__(self, transcript, Q, G_factors, H_factors, G, H, a_shares, b_shares, source, party_id): + def __init__(self, transcript, Q_generator, G_factors, H_factors, G, H, a_shares, b_shares, source, party_id): ''' create inner product proof ''' @@ -17,7 +17,7 @@ class MpcProof(object): assert (self.n == len(H) == len(H_factors) == len(a_shares) == len(b_shares)) self.source = source self.party_id=party_id - self.Q = Q + self.Q = Q_generator self.G = G self.H = H self.G_factors = G_factors @@ -37,23 +37,25 @@ class MpcProof(object): self.H_hist = [] if self.n!=1: self.n /=2 - a_shares_l, a_shares_r = a_shares[0:self.n], a_shares[self.n:] - b_shares_l, b_shares_r = b_shares[0:self.n], b_shares[self.n:] + a_shares_l, a_shares_r = a_shares[0:self.n].copy(), a_shares[self.n:].copy() + b_shares_l, b_shares_r = b_shares[0:self.n].copy(), b_shares[self.n:].copy() self.a_shares_l += [a_shares_l.copy()] self.a_shares_r += [a_shares_r.copy()] self.b_shares_l += [b_shares_l.copy()] self.b_shares_r += [b_shares_r.copy()] - G_l, G_r = G[0:self.n], G[self.n:] - H_l, H_r = H[0:self.n], H[self.n:] - self.G_hist+=[[G_l, G_r]] - self.H_hist+=[[H_l, H_r]] + G_l, G_r = G[0:self.n].copy(), G[self.n:].copy() + H_l, H_r = H[0:self.n].copy(), H[self.n:].copy() + self.G_hist+=[[G_l.copy(), G_r.copy()]] + self.H_hist+=[[H_l.copy(), H_r.copy()]] # authenticated inner product - #TODO multiplication - c_shares_l = [MultiplicationAuthenticatedShares(a_share, b_share, self.source.triplet(self.party_id), self.party_id) for a_share, b_share in zip(a_shares_l, b_shares_r)] - c_shares_r = [MultiplicationAuthenticatedShares(a_share, b_share, self.source.triplet(self.party_id), self.party_id) for a_share, b_share in zip(a_shares_r, b_shares_l)] + c_shares_l = [MultiplicationAuthenticatedShares(a_share, b_share, self.source.triplet(self.party_id), self.party_id) for a_share, b_share in zip(a_shares_l, b_shares_r)].copy() + c_shares_r = [MultiplicationAuthenticatedShares(a_share, b_share, self.source.triplet(self.party_id), self.party_id) for a_share, b_share in zip(a_shares_r, b_shares_l)].copy() self.c_l += [c_shares_l] self.c_r += [c_shares_r] - u = K(1) + #verifier.append_message(b'L', bytes(''.join([l.__str__() for l in [self.L]]), encoding='utf-8')) + #verifier.append_message(b'R', bytes(''.join([r.__str__() for r in [self.R]]), encoding='utf-8')) + #u = K(verifier.challenge_bytes(b'u')) + u = K(1) #for testing purpose u_inv = 1/u for i in range(self.n): @@ -82,13 +84,16 @@ class MpcProof(object): self.b_shares_r += [b_shares_r.copy()] G_l, G_r = G[0:self.n], G[self.n:] # G_prime_l, G_prime_r H_l, H_r = H[0:self.n], H[self.n:] # H_prime_l, H_prime_r - self.G_hist+=[[G_l, G_r]] - self.H_hist+=[[H_l, H_r]] + self.G_hist += [[G_l, G_r]] + self.H_hist += [[H_l, H_r]] c_shares_l = [MultiplicationAuthenticatedShares(a_share, b_share, self.source.triplet(self.party_id), self.party_id) for (a_share,b_share) in zip(a_shares_l, b_shares_r)] # c_prime_l c_shares_r = [MultiplicationAuthenticatedShares(a_share, b_share, self.source.triplet(self.party_id), self.party_id) for (a_share,b_share) in zip(a_shares_r, b_shares_l)] # c_prime_r self.c_l += [c_shares_l] self.c_r += [c_shares_r] - u = K(1) + #verifier.append_message(b'L', bytes(''.join([l.__str__() for l in [self.L]]), encoding='utf-8')) + #verifier.append_message(b'R', bytes(''.join([r.__str__() for r in [self.R]]), encoding='utf-8')) + #u = K(verifier.challenge_bytes(b'u')) + u = K(1) # for testing purpose u_inv = 1/u for i in range(self.n): # u * a_prime_l + u^{-1} * a_prime_r @@ -116,9 +121,6 @@ class MpcProof(object): self.c_l = [[my_c_l[i].mul(their_c_l[i].d, their_c_l[i].e) for i in range(len(my_c_l))] for my_c_l, their_c_l in zip(self.c_l, their_c_l_shares)] self.c_r = [[my_c_r[i].mul(their_c_r[i].d, their_c_r[i].e) for i in range(len(my_c_r))] for my_c_r, their_c_r in zip(self.c_r, their_c_r_shares)] - print('c_l: {}'.format(self.c_l)) - print('c_r: {}'.format(self.c_r)) - print('c: {}'.format(sum([c_l[i].authenticated_open(c_r[i]) for i in range(len(self.c_l[0])) for c_l, c_r in zip(self.c_l, self.c_r)]))) # create L,R for proof validation L_l = [] R_l = [] @@ -127,24 +129,29 @@ class MpcProof(object): self.m /= 2 al_share_g = [al_share.mul_scalar(g) for al_share, g in zip(self.a_shares_l[counter], self.G_factors[self.m:2*self.m])] br_share_h = [br_share.mul_scalar(h) for br_share, h in zip(self.b_shares_r[counter], self.H_factors[0:self.m])] - L_gr_al_g_share = MSM(self.G_hist[counter][1], al_share_g, self.source, self.party_id) - L_hl_br_h_share = MSM(self.H_hist[counter][0], br_share_h, self.source, self.party_id) - L_q_cl_share = MSM(self.Q, self.c_l[counter], self.source, self.party_id) + self.L_gr_al_g_share = MSM(self.G_hist[counter][1], al_share_g, self.source, self.party_id) + self.L_hl_br_h_share = MSM(self.H_hist[counter][0], br_share_h, self.source, self.party_id) + + + self.L_q_cl_share = MSM(self.Q, self.c_l[counter], self.source, self.party_id) + #self.L_q_cl_share = self.L_hl_br_h_share.copy() # L, R # note that P = L*R - L_shares = [L_gr_al_g_share, L_hl_br_h_share , L_q_cl_share] + L_shares = [self.L_gr_al_g_share, self.L_hl_br_h_share , self.L_q_cl_share] ar_share_g = [ar_share.mul_scalar(g) for ar_share, g in zip(self.a_shares_r[counter], G_factors[0:self.m])] - bl_share_g = [bl_share.mul_scalar(h) for bl_share, h in zip(self.b_shares_l[counter], H_factors[self.m:2*self.m])] - R_gl_ar_g_share = MSM(self.G_hist[counter][0], ar_share_g, self.source, self.party_id) - R_hr_bl_h_share = MSM(self.H_hist[counter][1], bl_share_g, self.source, self.party_id) - R_q_cr_share = MSM(Q, self.c_r[counter], self.source, self.party_id) - R_shares = [R_gl_ar_g_share, R_hr_bl_h_share, R_q_cr_share] + bl_share_h = [bl_share.mul_scalar(h) for bl_share, h in zip(self.b_shares_l[counter], H_factors[self.m:2*self.m])] + self.R_gl_ar_g_share = MSM(self.G_hist[counter][0], ar_share_g, self.source, self.party_id) + self.R_hr_bl_h_share = MSM(self.H_hist[counter][1], bl_share_h, self.source, self.party_id) + self.R_q_cr_share = MSM(self.Q, self.c_r[counter], self.source, self.party_id) + R_shares = [self.R_gl_ar_g_share, self.R_hr_bl_h_share, self.R_q_cr_share] L_l += [L_shares] R_l += [R_shares] counter +=1 while self.m!=1: + #TODO + assert(False) self.m /=2 # L_prime L_gr_al_share = MSM(self.G_hist[counter][1], self.a_shares_l[counter], self.source, self.party_id) @@ -155,7 +162,7 @@ class MpcProof(object): # R_prime R_gl_ar_share = MSM(self.G_hist[counter][0], a_shares_r, self.source, self.party_id) R_hr_bl_share = MSM(self.H_hist[counter][1], b_shares_l, self.source, self.party_id) - R_q_cr_share = MSM(Q, self.c_r[counter], self.source, self.party_id) + R_q_cr_share = MSM(self.Q, self.c_r[counter], self.source, self.party_id) R_shares = [R_gl_ar_share, R_hr_bl_share, R_q_cr_share] L_l += [L_shares] @@ -174,7 +181,7 @@ class MpcProof(object): #verifier.append_message(b'L', bytes(''.join([l.__str__() for l in [L]]), encoding='utf-8')) #verifier.append_message(b'R', bytes(''.join([r.__str__() for r in [R]]), encoding='utf-8')) #u = K(verifier.challenge_bytes(b'u')) - u = K(1) + u = K(1) # for testing purpose u_inv = 1/u challenges += [u] challenges_inv += [u_inv] @@ -200,7 +207,6 @@ class MpcProof(object): # inverse of count is reverse self.inv_s = reversed(self.s) self.hbs_shares = [self.b_shares.mul_scalar(s_i_inv * h_i) for h_i, s_i_inv in zip(H_factors, self.inv_s)] - #TODO (fix) this should be shares, this is fake shares! self.neg_u_sq = [i*K(-1) for i in self.u_sq] self.neg_u_inv_sq = [i*K(-1) for i in self.u_inv_sq] # P @@ -220,16 +226,9 @@ class MpcProof(object): L_triad = [] for my_lhs_i, their_lhs_i in zip(my_lhs, their_lhs): my_lhs_i_de = [[ps.d, ps.e] for ps in my_lhs_i.point_scalars] - #print("lhs point scalars: {}".format(their_lhs_i.point_scalars)) their_lhs_i_de = [[ps.d, ps.e] for ps in their_lhs_i.point_scalars] - #my_lhs_i_share = my_lhs_i.msm(their_lhs_i_de) - #their_rhs_i_share = their_lhs_i.msm(my_lhs_i_de) - #L_triad += [ECAuthenticatedShare(my_lhs_i_share.authenticated_open(their_rhs_i_share))] - #L_triad += [lhs_i] lhs_i_share = my_lhs_i.msm(their_lhs_i_de) - #L_triad += [ECAuthenticatedShare(my_lhs_i_share.authenticated_open(their_rhs_i_share))] L_triad += [lhs_i_share] - #L += [sum_shares(L_triad, self.source, self.party_id)] self.L += [sum_shares(L_triad, self.source, self.party_id)] ## R for my_rhs, their_rhs in zip(self.rhs, peer_rhs): @@ -237,16 +236,10 @@ class MpcProof(object): for my_rhs_i, their_rhs_i in zip(my_rhs, their_rhs): my_rhs_i_de = [[ps.d, ps.e] for ps in my_rhs_i.point_scalars] their_rhs_i_de = [[ps.d, ps.e] for ps in their_rhs_i.point_scalars] - #my_rhs_i_share = my_rhs_i.msm(their_rhs_i_de) - #their_rhs_i_share = their_rhs_i.msm(my_rhs_i_de) - #R_triad += [ECAuthenticatedShare(my_lhs_i_share.authenticated_open(their_rhs_i_share))] rhs_i_share = my_rhs_i.msm(their_rhs_i_de) R_triad += [rhs_i_share] - #R_triad += [rhs_i] - #R += [sum_shares(R_triad, self.source, self.party_id)] self.R += [sum_shares(R_triad, self.source, self.party_id)] # L^(u^2) - #temp = K(random.randint(0,p)) temp = K(0) self.res_p_4 = MSM(self.L, [AuthenticatedShare(temp, self.source, self.party_id) if self.party_id==0 else AuthenticatedShare(neg_u_sq_i-temp, self.source, self.party_id) for neg_u_sq_i in self.neg_u_sq], self.source, self.party_id) # R^(u^-2) @@ -262,7 +255,6 @@ class MpcProof(object): lhs = my_res_p.msm(their_res_de) rhs = their_res_p.msm(my_res_de) p_part = lhs.authenticated_open(rhs) - print('p_part: {}'.format(p_part)) P_msm_parts += [p_part] # P prime == H(u^{-1} * a_prime_r, u * a_prime_l, u * b_prime_r, u ^ {-1} * b_prime_l, c_prime)