sonr/crypto/bulletproof/range_verifier.go

package bulletproof

import (
	"github.com/gtank/merlin"
	"github.com/pkg/errors"

	"github.com/onsonr/sonr/crypto/core/curves"
)

// RangeVerifier is the struct used to verify RangeProofs
// It specifies which curve to use and holds precomputed generators
// See NewRangeVerifier() for verifier initialization.
type RangeVerifier struct {
	curve       curves.Curve
	generators  *ippGenerators
	ippVerifier *InnerProductVerifier
}

// NewRangeVerifier initializes a new verifier
// It uses the specified domain to generate generators for vectors of at most maxVectorLength
// A verifier can be used to verify range proofs for vectors of length less than or equal to maxVectorLength
// A verifier is defined by an explicit curve.
func NewRangeVerifier(maxVectorLength int, rangeDomain, ippDomain []byte, curve curves.Curve) (*RangeVerifier, error) {
	generators, err := getGeneratorPoints(maxVectorLength, rangeDomain, curve)
	if err != nil {
		return nil, errors.Wrap(err, "range NewRangeProver")
	}
	ippVerifier, err := NewInnerProductVerifier(maxVectorLength, ippDomain, curve)
	if err != nil {
		return nil, errors.Wrap(err, "range NewRangeProver")
	}
	return &RangeVerifier{curve: curve, generators: generators, ippVerifier: ippVerifier}, nil
}

// Verify verifies the given range proof inputs
// It implements the checking of L65 on pg 20
// It also verifies the dot product of <l,r> using the inner product proof\
// capV is a commitment to v using blinding factor gamma
// n is the power that specifies the upper bound of the range, ie. 2^n
// g, h, u are unique points used as generators for the blinding factor
// transcript is a merlin transcript to be used for the fiat shamir heuristic.
func (verifier *RangeVerifier) Verify(proof *RangeProof, capV curves.Point, proofGenerators RangeProofGenerators, n int, transcript *merlin.Transcript) (bool, error) {
	// Length of vectors must be less than the number of generators generated
	if n > len(verifier.generators.G) {
		return false, errors.New("ipp vector length must be less than maxVectorLength")
	}
	// In case where len(a) is less than number of generators precomputed by prover, trim to length
	proofG := verifier.generators.G[0:n]
	proofH := verifier.generators.H[0:n]

	// Calc y,z,x from Fiat Shamir heuristic
	y, z, err := calcyz(capV, proof.capA, proof.capS, transcript, verifier.curve)
	if err != nil {
		return false, errors.Wrap(err, "rangeproof verify")
	}

	x, err := calcx(proof.capT1, proof.capT2, transcript, verifier.curve)
	if err != nil {
		return false, errors.Wrap(err, "rangeproof verify")
	}

	wBytes := transcript.ExtractBytes([]byte("getw"), 64)
	w, err := verifier.curve.NewScalar().SetBytesWide(wBytes)
	if err != nil {
		return false, errors.Wrap(err, "rangeproof prove")
	}

	// Calc delta(y,z)
	deltayz, err := deltayz(y, z, n, verifier.curve)
	if err != nil {
		return false, errors.Wrap(err, "rangeproof verify")
	}

	// Check tHat: L65, pg20
	tHatIsValid := verifier.checktHat(proof, capV, proofGenerators.g, proofGenerators.h, deltayz, x, z)
	if !tHatIsValid {
		return false, errors.New("rangeproof verify tHat is invalid")
	}

	// Verify IPP
	hPrime, err := gethPrime(proofH, y, verifier.curve)
	if err != nil {
		return false, errors.Wrap(err, "rangeproof verify")
	}

	capPhmu, err := getPhmu(proofG, hPrime, proofGenerators.h, proof.capA, proof.capS, x, y, z, proof.mu, n, verifier.curve)
	if err != nil {
		return false, errors.Wrap(err, "rangeproof verify")
	}

	ippVerified, err := verifier.ippVerifier.VerifyFromRangeProof(proofG, hPrime, capPhmu, proofGenerators.u.Mul(w), proof.tHat, proof.ipp, transcript)
	if err != nil {
		return false, errors.Wrap(err, "rangeproof verify")
	}

	return ippVerified, nil
}

// L65, pg20.
func (*RangeVerifier) checktHat(proof *RangeProof, capV, g, h curves.Point, deltayz, x, z curves.Scalar) bool {
	// g^tHat * h^tau_x
	gtHat := g.Mul(proof.tHat)
	htaux := h.Mul(proof.taux)
	lhs := gtHat.Add(htaux)

	// V^z^2 * g^delta(y,z) * Tau_1^x * Tau_2^x^2
	capVzsquare := capV.Mul(z.Square())
	gdeltayz := g.Mul(deltayz)
	capTau1x := proof.capT1.Mul(x)
	capTau2xsquare := proof.capT2.Mul(x.Square())
	rhs := capVzsquare.Add(gdeltayz).Add(capTau1x).Add(capTau2xsquare)

	// Compare lhs =? rhs
	return lhs.Equal(rhs)
}

// gethPrime calculates new h prime generators as defined in L64 on pg20.
func gethPrime(h []curves.Point, y curves.Scalar, curve curves.Curve) ([]curves.Point, error) {
	hPrime := make([]curves.Point, len(h))
	yInv, err := y.Invert()
	yInvn := getknVector(yInv, len(h), curve)
	if err != nil {
		return nil, errors.Wrap(err, "gethPrime")
	}
	for i, hElem := range h {
		hPrime[i] = hElem.Mul(yInvn[i])
	}
	return hPrime, nil
}

// Obtain P used for IPP verification
// See L67 on pg20
// Note P on L66 includes blinding factor hmu, this method removes that factor.
func getPhmu(proofG, proofHPrime []curves.Point, h, capA, capS curves.Point, x, y, z, mu curves.Scalar, n int, curve curves.Curve) (curves.Point, error) {
	// h'^(z*y^n + z^2*2^n)
	zyn := multiplyScalarToScalarVector(z, getknVector(y, n, curve))
	zsquaretwon := multiplyScalarToScalarVector(z.Square(), get2nVector(n, curve))
	elemLastExponent, err := addPairwiseScalarVectors(zyn, zsquaretwon)
	if err != nil {
		return nil, errors.Wrap(err, "getPhmu")
	}
	lastElem := curve.Point.SumOfProducts(proofHPrime, elemLastExponent)

	// S^x
	capSx := capS.Mul(x)

	// g^-z --> -z*<1,g>
	onen := get1nVector(n, curve)
	zNeg := z.Neg()
	zinvonen := multiplyScalarToScalarVector(zNeg, onen)
	zgdotonen := curve.Point.SumOfProducts(proofG, zinvonen)

	// L66 on pg20
	P := capA.Add(capSx).Add(zgdotonen).Add(lastElem)
	hmu := h.Mul(mu)
	Phmu := P.Sub(hmu)

	return Phmu, nil
}

// Delta function for delta(y,z), See (39) on pg18.
func deltayz(y, z curves.Scalar, n int, curve curves.Curve) (curves.Scalar, error) {
	// z - z^2
	zMinuszsquare := z.Sub(z.Square())
	// 1^n
	onen := get1nVector(n, curve)
	// <1^n, y^n>
	onendotyn, err := innerProduct(onen, getknVector(y, n, curve))
	if err != nil {
		return nil, errors.Wrap(err, "deltayz")
	}
	// (z - z^2)*<1^n, y^n>
	termFirst := zMinuszsquare.Mul(onendotyn)

	// <1^n, 2^n>
	onendottwon, err := innerProduct(onen, get2nVector(n, curve))
	if err != nil {
		return nil, errors.Wrap(err, "deltayz")
	}
	// z^3*<1^n, 2^n>
	termSecond := z.Cube().Mul(onendottwon)

	// (z - z^2)*<1^n, y^n> - z^3*<1^n, 2^n>
	out := termFirst.Sub(termSecond)

	return out, nil
}
feature/1114 implement account interface (#1167) - refactor: move session-related code to middleware package - refactor: update PKL build process and adjust related configurations - feat: integrate base.cosmos.v1 Genesis module - refactor: pass session context to modal rendering functions - refactor: move nebula package to app directory and update templ version - refactor: Move home section video view to dedicated directory - refactor: remove unused views file - refactor: move styles and UI components to global scope - refactor: Rename images.go to cdn.go - feat: Add Empty State Illustrations - refactor: Consolidate Vault Index Logic - fix: References to App.wasm and remove Vault Directory embedded CDN files - refactor: Move CDN types to Models - fix: Correct line numbers in templ error messages for arch_templ.go - refactor: use common types for peer roles - refactor: move common types and ORM to a shared package - fix: Config import dwn - refactor: move nebula directory to app - feat: Rebuild nebula - fix: correct file paths in panels templates - feat: Remove duplicate types - refactor: Move dwn to pkg/core - refactor: Binary Structure - feat: Introduce Crypto Pkg - fix: Broken Process Start - *feat: Update pkg/ structure - feat: Refactor PKL Structure - build: update pkl build process - chore: Remove Empty Files - refactor: remove unused macaroon package - feat: Add WebAwesome Components - refactor: consolidate build and generation tasks into a single taskfile, remove redundant makefile targets - refactor: refactor server and move components to pkg/core/dwn - build: update go modules - refactor: move gateway logic into dedicated hway command - feat: Add KSS (Krawczyk-Song-Song) MPC cryptography module - feat: Implement MPC-based JWT signing and UCAN token generation - feat: add support for MPC-based JWT signing - feat: Implement MPC-based UCAN capabilities for smart accounts - feat: add address field to keyshareSource - feat: Add comprehensive MPC test suite for keyshares, UCAN tokens, and token attenuations - refactor: improve MPC keyshare management and signing process - feat: enhance MPC capability hierarchy documentation - refactor: rename GenerateKeyshares function to NewKeyshareSource for clarity - refactor: remove unused Ethereum address computation - feat: Add HasHandle and IsAuthenticated methods to HTTPContext - refactor: Add context.Context support to session HTTPContext - refactor: Resolve context interface conflicts in HTTPContext - feat: Add session ID context key and helper functions - feat: Update WebApp Page Rendering - refactor: Simplify context management by using single HTTPContext key - refactor: Simplify HTTPContext creation and context management in session middleware - refactor: refactor session middleware to use a single data structure - refactor: Simplify HTTPContext implementation and session data handling - refactor: Improve session context handling and prevent nil pointer errors - refactor: Improve session context handling with nil safety and type support - refactor: improve session data injection - feat: add full-screen modal component and update registration flow - chore: add .air.toml to .gitignore - feat: add Air to devbox and update dependencies** 2024-11-23 01:28:58 -05:00			`package bulletproof`

			`import (`
			`"github.com/gtank/merlin"`
			`"github.com/pkg/errors"`

feature/1121 implement ucan validation (#1176) - refactor: remove unused auth components - refactor: improve devbox configuration and deployment process - refactor: improve devnet and testnet setup - fix: update templ version to v0.2.778 - refactor: rename pkl/net.matrix to pkl/matrix.net - refactor: migrate webapp components to nebula - refactor: protobuf types - chore: update dependencies for improved security and stability - feat: implement landing page and vault gateway servers - refactor: Migrate data models to new module structure and update related files - feature/1121-implement-ucan-validation - refactor: Replace hardcoded constants with model types in attns.go - feature/1121-implement-ucan-validation - chore: add origin Host struct and update main function to handle multiple hosts - build: remove unused static files from dwn module - build: remove unused static files from dwn module - refactor: Move DWN models to common package - refactor: move models to pkg/common - refactor: move vault web app assets to embed module - refactor: update session middleware import path - chore: configure port labels and auto-forwarding behavior - feat: enhance devcontainer configuration - feat: Add UCAN middleware for Echo with flexible token validation - feat: add JWT middleware for UCAN authentication - refactor: update package URI and versioning in PklProject files - fix: correct sonr.pkl import path - refactor: move JWT related code to auth package - feat: introduce vault configuration retrieval and management - refactor: Move vault components to gateway module and update file paths - refactor: remove Dexie and SQLite database implementations - feat: enhance frontend with PWA features and WASM integration - feat: add Devbox features and streamline Dockerfile - chore: update dependencies to include TigerBeetle - chore(deps): update go version to 1.23 - feat: enhance devnet setup with PATH environment variable and updated PWA manifest - fix: upgrade tigerbeetle-go dependency and remove indirect dependency - feat: add PostgreSQL support to devnet and testnet deployments - refactor: rename keyshare cookie to token cookie - feat: upgrade Go version to 1.23.3 and update dependencies - refactor: update devnet and testnet configurations - feat: add IPFS configuration for devnet - I'll help you update the ipfs.config.pkl to include all the peers from the shell script. Here's the updated configuration: - refactor: move mpc package to crypto directory - feat: add BIP32 support for various cryptocurrencies - feat: enhance ATN.pkl with additional capabilities - refactor: simplify smart account and vault attenuation creation - feat: add new capabilities to the Attenuation type - refactor: Rename MPC files for clarity and consistency - feat: add DIDKey support for cryptographic operations - feat: add devnet and testnet deployment configurations - fix: correct key derivation in bip32 package - refactor: rename crypto/bip32 package to crypto/accaddr - fix: remove duplicate indirect dependency - refactor: move vault package to root directory - refactor: update routes for gateway and vault - refactor: remove obsolete web configuration file - refactor: remove unused TigerBeetle imports and update host configuration - refactor: adjust styles directory path - feat: add broadcastTx and simulateTx functions to gateway - feat: add PinVault handler 2024-12-02 14:27:18 -05:00			`"github.com/onsonr/sonr/crypto/core/curves"`
feature/1114 implement account interface (#1167) - refactor: move session-related code to middleware package - refactor: update PKL build process and adjust related configurations - feat: integrate base.cosmos.v1 Genesis module - refactor: pass session context to modal rendering functions - refactor: move nebula package to app directory and update templ version - refactor: Move home section video view to dedicated directory - refactor: remove unused views file - refactor: move styles and UI components to global scope - refactor: Rename images.go to cdn.go - feat: Add Empty State Illustrations - refactor: Consolidate Vault Index Logic - fix: References to App.wasm and remove Vault Directory embedded CDN files - refactor: Move CDN types to Models - fix: Correct line numbers in templ error messages for arch_templ.go - refactor: use common types for peer roles - refactor: move common types and ORM to a shared package - fix: Config import dwn - refactor: move nebula directory to app - feat: Rebuild nebula - fix: correct file paths in panels templates - feat: Remove duplicate types - refactor: Move dwn to pkg/core - refactor: Binary Structure - feat: Introduce Crypto Pkg - fix: Broken Process Start - *feat: Update pkg/ structure - feat: Refactor PKL Structure - build: update pkl build process - chore: Remove Empty Files - refactor: remove unused macaroon package - feat: Add WebAwesome Components - refactor: consolidate build and generation tasks into a single taskfile, remove redundant makefile targets - refactor: refactor server and move components to pkg/core/dwn - build: update go modules - refactor: move gateway logic into dedicated hway command - feat: Add KSS (Krawczyk-Song-Song) MPC cryptography module - feat: Implement MPC-based JWT signing and UCAN token generation - feat: add support for MPC-based JWT signing - feat: Implement MPC-based UCAN capabilities for smart accounts - feat: add address field to keyshareSource - feat: Add comprehensive MPC test suite for keyshares, UCAN tokens, and token attenuations - refactor: improve MPC keyshare management and signing process - feat: enhance MPC capability hierarchy documentation - refactor: rename GenerateKeyshares function to NewKeyshareSource for clarity - refactor: remove unused Ethereum address computation - feat: Add HasHandle and IsAuthenticated methods to HTTPContext - refactor: Add context.Context support to session HTTPContext - refactor: Resolve context interface conflicts in HTTPContext - feat: Add session ID context key and helper functions - feat: Update WebApp Page Rendering - refactor: Simplify context management by using single HTTPContext key - refactor: Simplify HTTPContext creation and context management in session middleware - refactor: refactor session middleware to use a single data structure - refactor: Simplify HTTPContext implementation and session data handling - refactor: Improve session context handling and prevent nil pointer errors - refactor: Improve session context handling with nil safety and type support - refactor: improve session data injection - feat: add full-screen modal component and update registration flow - chore: add .air.toml to .gitignore - feat: add Air to devbox and update dependencies** 2024-11-23 01:28:58 -05:00			`)`

			`// RangeVerifier is the struct used to verify RangeProofs`
			`// It specifies which curve to use and holds precomputed generators`
			`// See NewRangeVerifier() for verifier initialization.`
			`type RangeVerifier struct {`
			`curve curves.Curve`
			`generators *ippGenerators`
			`ippVerifier *InnerProductVerifier`
			`}`

			`// NewRangeVerifier initializes a new verifier`
			`// It uses the specified domain to generate generators for vectors of at most maxVectorLength`
			`// A verifier can be used to verify range proofs for vectors of length less than or equal to maxVectorLength`
			`// A verifier is defined by an explicit curve.`
			`func NewRangeVerifier(maxVectorLength int, rangeDomain, ippDomain []byte, curve curves.Curve) (*RangeVerifier, error) {`
			`generators, err := getGeneratorPoints(maxVectorLength, rangeDomain, curve)`
			`if err != nil {`
			`return nil, errors.Wrap(err, "range NewRangeProver")`
			`}`
			`ippVerifier, err := NewInnerProductVerifier(maxVectorLength, ippDomain, curve)`
			`if err != nil {`
			`return nil, errors.Wrap(err, "range NewRangeProver")`
			`}`
			`return &RangeVerifier{curve: curve, generators: generators, ippVerifier: ippVerifier}, nil`
			`}`

			`// Verify verifies the given range proof inputs`
			`// It implements the checking of L65 on pg 20`
			`// It also verifies the dot product of <l,r> using the inner product proof\`
			`// capV is a commitment to v using blinding factor gamma`
			`// n is the power that specifies the upper bound of the range, ie. 2^n`
			`// g, h, u are unique points used as generators for the blinding factor`
			`// transcript is a merlin transcript to be used for the fiat shamir heuristic.`
			`func (verifier RangeVerifier) Verify(proof RangeProof, capV curves.Point, proofGenerators RangeProofGenerators, n int, transcript *merlin.Transcript) (bool, error) {`
			`// Length of vectors must be less than the number of generators generated`
			`if n > len(verifier.generators.G) {`
			`return false, errors.New("ipp vector length must be less than maxVectorLength")`
			`}`
			`// In case where len(a) is less than number of generators precomputed by prover, trim to length`
			`proofG := verifier.generators.G[0:n]`
			`proofH := verifier.generators.H[0:n]`

			`// Calc y,z,x from Fiat Shamir heuristic`
			`y, z, err := calcyz(capV, proof.capA, proof.capS, transcript, verifier.curve)`
			`if err != nil {`
			`return false, errors.Wrap(err, "rangeproof verify")`
			`}`

			`x, err := calcx(proof.capT1, proof.capT2, transcript, verifier.curve)`
			`if err != nil {`
			`return false, errors.Wrap(err, "rangeproof verify")`
			`}`

			`wBytes := transcript.ExtractBytes([]byte("getw"), 64)`
			`w, err := verifier.curve.NewScalar().SetBytesWide(wBytes)`
			`if err != nil {`
			`return false, errors.Wrap(err, "rangeproof prove")`
			`}`

			`// Calc delta(y,z)`
			`deltayz, err := deltayz(y, z, n, verifier.curve)`
			`if err != nil {`
			`return false, errors.Wrap(err, "rangeproof verify")`
			`}`

			`// Check tHat: L65, pg20`
			`tHatIsValid := verifier.checktHat(proof, capV, proofGenerators.g, proofGenerators.h, deltayz, x, z)`
			`if !tHatIsValid {`
			`return false, errors.New("rangeproof verify tHat is invalid")`
			`}`

			`// Verify IPP`
			`hPrime, err := gethPrime(proofH, y, verifier.curve)`
			`if err != nil {`
			`return false, errors.Wrap(err, "rangeproof verify")`
			`}`

			`capPhmu, err := getPhmu(proofG, hPrime, proofGenerators.h, proof.capA, proof.capS, x, y, z, proof.mu, n, verifier.curve)`
			`if err != nil {`
			`return false, errors.Wrap(err, "rangeproof verify")`
			`}`

			`ippVerified, err := verifier.ippVerifier.VerifyFromRangeProof(proofG, hPrime, capPhmu, proofGenerators.u.Mul(w), proof.tHat, proof.ipp, transcript)`
			`if err != nil {`
			`return false, errors.Wrap(err, "rangeproof verify")`
			`}`

			`return ippVerified, nil`
			`}`

			`// L65, pg20.`
			`func (RangeVerifier) checktHat(proof RangeProof, capV, g, h curves.Point, deltayz, x, z curves.Scalar) bool {`
			`// g^tHat * h^tau_x`
			`gtHat := g.Mul(proof.tHat)`
			`htaux := h.Mul(proof.taux)`
			`lhs := gtHat.Add(htaux)`

			`// V^z^2 * g^delta(y,z) * Tau_1^x * Tau_2^x^2`
			`capVzsquare := capV.Mul(z.Square())`
			`gdeltayz := g.Mul(deltayz)`
			`capTau1x := proof.capT1.Mul(x)`
			`capTau2xsquare := proof.capT2.Mul(x.Square())`
			`rhs := capVzsquare.Add(gdeltayz).Add(capTau1x).Add(capTau2xsquare)`

			`// Compare lhs =? rhs`
			`return lhs.Equal(rhs)`
			`}`

			`// gethPrime calculates new h prime generators as defined in L64 on pg20.`
			`func gethPrime(h []curves.Point, y curves.Scalar, curve curves.Curve) ([]curves.Point, error) {`
			`hPrime := make([]curves.Point, len(h))`
			`yInv, err := y.Invert()`
			`yInvn := getknVector(yInv, len(h), curve)`
			`if err != nil {`
			`return nil, errors.Wrap(err, "gethPrime")`
			`}`
			`for i, hElem := range h {`
			`hPrime[i] = hElem.Mul(yInvn[i])`
			`}`
			`return hPrime, nil`
			`}`

			`// Obtain P used for IPP verification`
			`// See L67 on pg20`
			`// Note P on L66 includes blinding factor hmu, this method removes that factor.`
			`func getPhmu(proofG, proofHPrime []curves.Point, h, capA, capS curves.Point, x, y, z, mu curves.Scalar, n int, curve curves.Curve) (curves.Point, error) {`
			`// h'^(zy^n + z^22^n)`
			`zyn := multiplyScalarToScalarVector(z, getknVector(y, n, curve))`
			`zsquaretwon := multiplyScalarToScalarVector(z.Square(), get2nVector(n, curve))`
			`elemLastExponent, err := addPairwiseScalarVectors(zyn, zsquaretwon)`
			`if err != nil {`
			`return nil, errors.Wrap(err, "getPhmu")`
			`}`
			`lastElem := curve.Point.SumOfProducts(proofHPrime, elemLastExponent)`

			`// S^x`
			`capSx := capS.Mul(x)`

			`// g^-z --> -z*<1,g>`
			`onen := get1nVector(n, curve)`
			`zNeg := z.Neg()`
			`zinvonen := multiplyScalarToScalarVector(zNeg, onen)`
			`zgdotonen := curve.Point.SumOfProducts(proofG, zinvonen)`

			`// L66 on pg20`
			`P := capA.Add(capSx).Add(zgdotonen).Add(lastElem)`
			`hmu := h.Mul(mu)`
			`Phmu := P.Sub(hmu)`

			`return Phmu, nil`
			`}`

			`// Delta function for delta(y,z), See (39) on pg18.`
			`func deltayz(y, z curves.Scalar, n int, curve curves.Curve) (curves.Scalar, error) {`
			`// z - z^2`
			`zMinuszsquare := z.Sub(z.Square())`
			`// 1^n`
			`onen := get1nVector(n, curve)`
			`// <1^n, y^n>`
			`onendotyn, err := innerProduct(onen, getknVector(y, n, curve))`
			`if err != nil {`
			`return nil, errors.Wrap(err, "deltayz")`
			`}`
			`// (z - z^2)*<1^n, y^n>`
			`termFirst := zMinuszsquare.Mul(onendotyn)`

			`// <1^n, 2^n>`
			`onendottwon, err := innerProduct(onen, get2nVector(n, curve))`
			`if err != nil {`
			`return nil, errors.Wrap(err, "deltayz")`
			`}`
			`// z^3*<1^n, 2^n>`
			`termSecond := z.Cube().Mul(onendottwon)`

			`// (z - z^2)<1^n, y^n> - z^3<1^n, 2^n>`
			`out := termFirst.Sub(termSecond)`

			`return out, nil`
			`}`