Pedersen Commitment¶
Pedersen commitment:¶
\(Gen(1^\lambda) \rightarrow ck\)
\(Com_{ck}(m) \rightarrow c\)
[18]:
from klefki.types.algebra.concrete import EllipticCurveGroupSecp256k1 as Curve
from klefki.types.algebra.concrete import FiniteFieldCyclicSecp256k1 as CF
from klefki.types.algebra.concrete import FiniteFieldSecp256k1 as F
from klefki.types.algebra.utils import randfield
from klefki.utils import to_sha256int
import hashlib
G = Curve.G
s = bytes.fromhex("0479be667ef9dcbbac55a06295ce870b07029bfcdb2dce28d959f2815b16f81798483ada7726a3c4655da4fbfc0e1108a8fd17b448a68554199c47d08ffb10d4b8")
x = int(hashlib.sha256(s).hexdigest(),16)
H = Curve.lift_x(F(x))
\(\Sigma\)-protocol¶
Consider a commitment \(A\) opening to m to be part of the statement. The prover computes a random commitment \(B = Com_{ck}(m; s)\) and sends it to the verifier, which answer with a random challenge \(x\). The prover then sends opening information \(z\) to the verifier, which checks the commitment \(A^x B\) opens to m using randomness \(z\).
\(s \leftarrow \mathbb{Z}_p\) \(B=Com_{ck}(m;s)\)
[6]:
m = randfield(CF)
r = randfield(CF)
A = G ** m + H ** r
[7]:
s = randfield(CF)
B = G ** s * H ** r
\(x \leftarrow \mathbb{Z}_p\)
[8]:
e = randfield(CF)
\(z = me + s; x = re + r\)
[9]:
z = m*e + s
x = r*e + r
Accept \(\iff\) \(B \in \mathbf{G}, z \in \mathbb{Z}_p\)
[10]:
G ** z * H ** x == A ** e * B
[10]:
True
Implementation¶
[19]:
from klefki.zkp.pedersen import PedersonCommitment
[20]:
#priv = randfield(CF)
secret = CF(73570390403507240989674623545632060650466613362119649500108200592951986722161)
r = randfield(CF)
P = PedersonCommitment(G, G@x, secret, r)
[21]:
m = randfield(CF)
s = randfield(CF)
P.commit(m, s)
[21]:
EllipticCurveGroupSecp256k1::(FiniteFieldSecp256k1::76201704871179190780475307638115978518301654908825034157386315651276262400510, FiniteFieldSecp256k1::77268800855390143539124184346541682025370673032906278995802703732885034967010)
[22]:
e = randfield(CF)
P.challenge(e)
[22]:
(FiniteFieldCyclicSecp256k1::89447814369209904756588252129833606768839036881297533466290775855388358949321,
FiniteFieldCyclicSecp256k1::44683317883183669291202167938139287483071112847656724484292910426096615830465)
[23]:
P.proof()
[23]:
True
[16]:
m1 = randfield(CF)
P.trapdoor(m1, x)
[17]:
P.challenge(e)
P.proof()
[17]:
True
NIZK¶
[1]:
from klefki.zkp.schnorr import NIZKSchnoor
[2]:
NIZKSchnoor.verify(*NIZKSchnoor.proof(42))
[2]:
True
Ref:¶
Efficient Zero-Knowledge Proof Systems, Jonathan Bottle, …, UCL
Zero-Knowledge Proof and Cryptographic Commitment https://www.cs.purdue.edu/homes/ninghui/courses/555_Spring12/handouts/555_Spring12_topic23.pdf