org.cryptimeleon.craco.protocols.arguments.sigma

Interface SigmaProtocol

All Superinterfaces:

InteractiveArgument, TwoPartyProtocol

All Known Implementing Classes:

AdHocSchnorrProof, AndProof, DamgardTechnique, DelegateProtocol, OrProof, ProofOfPartialKnowledge, PSBlindSignProtocol.BlindSignProtocolInstance.OpeningProof, SendThenDelegateProtocol

public interface SigmaProtocol
extends InteractiveArgument

A three-message public coin interactive argument with the following properties.

• Completeness: honestly generated transcripts are accepting.
• Honest-verifier zero-knowledge: trascripts generated by generateSimulatedTranscript(CommonInput, Challenge) are distributed the same as honestly generated transcripts that contain the same Challenge.
• (Computational) soundness: Given CommonInput and two SigmaProtocolTranscripts with the same announcement but two different Challenges, one can efficiently compute a witness (or at least it's computationally hard to generate two transcripts for which this is not possible).
• Public-coin: the verifier actively participates only by sending random values.

A normal protocol run works as follows (see SigmaProtocolInstance):

1. Before the protocol starts, prover and verifier have the same CommonInput (through whatever prior process). The prover has some SecretInput (the witness for the protocol)
2. The prover generates an AnnouncementSecret (which will be their private input for the remainder of this process).
3. The prover generates an Announcement and sends it to the verifier.
4. The verifier generates a Challenge and sends it to the prover.
5. The prover generates a Response and sends it to the verifier.
6. The verifier checks whether they accept the transcript consisting of Announcement, Challenge, and Response.

Field Summary

Fields inherited from interface org.cryptimeleon.craco.protocols.arguments.InteractiveArgument

PROVER_ROLE, VERIFIER_ROLE

Method Summary

Modifier and Type	Method and Description
default boolean	checkTranscript(CommonInput commonInput, Announcement announcement, Challenge challenge, Response response) Used by the verifier to check whether the given transcript is accepting.
default boolean	checkTranscript(CommonInput commonInput, SigmaProtocolTranscript transcript) Used by the verifier to check whether the given transcript is accepting.
org.cryptimeleon.math.expressions.bool.BooleanExpression	checkTranscriptAsExpression(CommonInput commonInput, Announcement announcement, Challenge challenge, Response response) Used by the verifier to check whether the given transcript is accepting.
default org.cryptimeleon.math.serialization.Representation	compressTranscript(CommonInput commonInput, SigmaProtocolTranscript transcript) Returns a compressed (shorter) version of the given transcript.
default SigmaProtocolTranscript	decompressTranscript(CommonInput commonInput, Challenge challenge, org.cryptimeleon.math.serialization.Representation compressedTranscript) Decompresses a transcript compressed with compressTranscript(CommonInput, SigmaProtocolTranscript)
Announcement	generateAnnouncement(CommonInput commonInput, SecretInput secretInput, AnnouncementSecret announcementSecret) Used by the prover to generate an announcement (the first message sent in the protocol).
AnnouncementSecret	generateAnnouncementSecret(CommonInput commonInput, SecretInput secretInput) Used by the prover to generate a secret value that will be input for future method calls.
default Challenge	generateChallenge(CommonInput commonInput) Used by the verifier to generate a challenge (the second message in the protocol).
Response	generateResponse(CommonInput commonInput, SecretInput secretInput, Announcement announcement, AnnouncementSecret announcementSecret, Challenge challenge) Used by the prover to generate a response (the third and last message sent in the protocol).
SigmaProtocolTranscript	generateSimulatedTranscript(CommonInput commonInput, Challenge challenge) Generates a random transcript with the same distribution as an honestly generated one that contains the given Challenge.
ChallengeSpace	getChallengeSpace(CommonInput commonInput) Returns the challenge space used by this protocol.
default java.lang.String	getFirstMessageRole() Returns the role that sends the first message.
default SigmaProtocolProverInstance	getProverInstance(CommonInput commonInput, SecretInput secretInput)
default SigmaProtocolVerifierInstance	getVerifierInstance(CommonInput commonInput)
default InteractiveArgumentInstance	instantiateProtocol(java.lang.String role, CommonInput commonInput, SecretInput secretInput)
Announcement	restoreAnnouncement(CommonInput commonInput, org.cryptimeleon.math.serialization.Representation repr)
default Challenge	restoreChallenge(CommonInput commonInput, org.cryptimeleon.math.serialization.Representation repr)
Response	restoreResponse(CommonInput commonInput, Announcement announcement, Challenge challenge, org.cryptimeleon.math.serialization.Representation repr)
default SigmaProtocolTranscript	restoreTranscript(org.cryptimeleon.math.serialization.Representation repr, CommonInput commonInput)

Methods inherited from interface org.cryptimeleon.craco.protocols.arguments.InteractiveArgument

debugProof, getRoleNames, instantiateProver, instantiateVerifier

Methods inherited from interface org.cryptimeleon.craco.protocols.TwoPartyProtocol

runProtocolLocally

Method Detail

generateAnnouncementSecret

AnnouncementSecret generateAnnouncementSecret(CommonInput commonInput,
                                              SecretInput secretInput)

Used by the prover to generate a secret value that will be input for future method calls.

For example, for an implementation of the original Schnorr protocol, the announcement secret would be a random exponent r.

Parameters:

commonInput - input to the overall protocol that both prover and verifier use

secretInput - input to the overall protocol that only the prover gets

Returns:

a secret (internal) value used for generating announcements and responses

generateAnnouncement

Announcement generateAnnouncement(CommonInput commonInput,
                                  SecretInput secretInput,
                                  AnnouncementSecret announcementSecret)

Used by the prover to generate an announcement (the first message sent in the protocol).

generateChallenge

default Challenge generateChallenge(CommonInput commonInput)

Used by the verifier to generate a challenge (the second message in the protocol).

getChallengeSpace

ChallengeSpace getChallengeSpace(CommonInput commonInput)

Returns the challenge space used by this protocol.

generateResponse

Response generateResponse(CommonInput commonInput,
                          SecretInput secretInput,
                          Announcement announcement,
                          AnnouncementSecret announcementSecret,
                          Challenge challenge)

Used by the prover to generate a response (the third and last message sent in the protocol).

checkTranscript

default boolean checkTranscript(CommonInput commonInput,
                                Announcement announcement,
                                Challenge challenge,
                                Response response)

Used by the verifier to check whether the given transcript is accepting.

checkTranscriptAsExpression

org.cryptimeleon.math.expressions.bool.BooleanExpression checkTranscriptAsExpression(CommonInput commonInput,
                                                                                     Announcement announcement,
                                                                                     Challenge challenge,
                                                                                     Response response)

Used by the verifier to check whether the given transcript is accepting. The result is a BooleanExpression, which makes it easier to provide optimization for composed protocols.

Returns:

a BooleanExpression without variables that evaluates to true (for accepting transcripts) or false.

checkTranscript

default boolean checkTranscript(CommonInput commonInput,
                                SigmaProtocolTranscript transcript)

Used by the verifier to check whether the given transcript is accepting.

See Also:

checkTranscript(CommonInput, Announcement, Challenge, Response)

compressTranscript

default org.cryptimeleon.math.serialization.Representation compressTranscript(CommonInput commonInput,
                                                                              SigmaProtocolTranscript transcript)

Returns a compressed (shorter) version of the given transcript.

Useful for FiatShamirProofSystem. Compressed transcript does not necessarily contain the challenge (see decompressTranscript(CommonInput, Challenge, Representation))

decompressTranscript

default SigmaProtocolTranscript decompressTranscript(CommonInput commonInput,
                                                     Challenge challenge,
                                                     org.cryptimeleon.math.serialization.Representation compressedTranscript)
                                              throws java.lang.IllegalArgumentException

Decompresses a transcript compressed with compressTranscript(CommonInput, SigmaProtocolTranscript)

The guarantee is that if a transcript is valid, then compressing and decompressing yields the same transcript. Additionally, any transcript output by this method is valid (i.e. checkTranscript(CommonInput, SigmaProtocolTranscript) returns true).

Throws:

java.lang.IllegalArgumentException - is the given compressedTranscript cannot be decompressed into a valid transcript.

generateSimulatedTranscript

SigmaProtocolTranscript generateSimulatedTranscript(CommonInput commonInput,
                                                    Challenge challenge)

Generates a random transcript with the same distribution as an honestly generated one that contains the given Challenge.

restoreAnnouncement

Announcement restoreAnnouncement(CommonInput commonInput,
                                 org.cryptimeleon.math.serialization.Representation repr)

restoreChallenge

default Challenge restoreChallenge(CommonInput commonInput,
                                   org.cryptimeleon.math.serialization.Representation repr)

restoreResponse

Response restoreResponse(CommonInput commonInput,
                         Announcement announcement,
                         Challenge challenge,
                         org.cryptimeleon.math.serialization.Representation repr)

restoreTranscript

default SigmaProtocolTranscript restoreTranscript(org.cryptimeleon.math.serialization.Representation repr,
                                                  CommonInput commonInput)

getFirstMessageRole

default java.lang.String getFirstMessageRole()

Description copied from interface: TwoPartyProtocol

Returns the role that sends the first message.

Specified by:

getFirstMessageRole in interface TwoPartyProtocol

instantiateProtocol

default InteractiveArgumentInstance instantiateProtocol(java.lang.String role,
                                                        CommonInput commonInput,
                                                        SecretInput secretInput)

Specified by:

instantiateProtocol in interface InteractiveArgument

Specified by:

instantiateProtocol in interface TwoPartyProtocol

getProverInstance

default SigmaProtocolProverInstance getProverInstance(CommonInput commonInput,
                                                      SecretInput secretInput)

getVerifierInstance

default SigmaProtocolVerifierInstance getVerifierInstance(CommonInput commonInput)