org.cryptimeleon.craco.protocols.arguments.sigma.partial

Class ProofOfPartialKnowledge

java.lang.Object

org.cryptimeleon.craco.protocols.arguments.sigma.partial.ProofOfPartialKnowledge

All Implemented Interfaces:

InteractiveArgument, SigmaProtocol, TwoPartyProtocol

public abstract class ProofOfPartialKnowledge
extends java.lang.Object
implements SigmaProtocol

A Sigma Protocol that composes several subprotocols in any AND/OR tree structure [CDS94].
To use this class, extend it and implement its abstract methods as documented.
The general flow of this protocol is that first the prover generates some SendFirstValue (e.g., a Pedersen commitment to some values) that is sent alongside the first message of this Sigma protocol. From this SendFirstValue, prover and verifier set up the appropriate subprotocols and tree structure (similarly to SendThenDelegateFragment). Then those subprotocols are run in a way that respects the desired AND/OR compositions.

[CDS94] Cramer, Ronald, Ivan Damgård, and Berry Schoenmakers. "Proofs of partial knowledge and simplified design of witness hiding protocols". CRYPTO 1994

Nested Class Summary

Nested Classes

Modifier and Type	Class and Description
protected static class	ProofOfPartialKnowledge.ProtocolTree To build, use leaf(java.lang.String, org.cryptimeleon.craco.protocols.arguments.sigma.SigmaProtocol, org.cryptimeleon.craco.protocols.CommonInput), and(org.cryptimeleon.craco.protocols.arguments.sigma.partial.ProofOfPartialKnowledge.ProtocolTree, org.cryptimeleon.craco.protocols.arguments.sigma.partial.ProofOfPartialKnowledge.ProtocolTree), and or(org.cryptimeleon.craco.protocols.arguments.sigma.partial.ProofOfPartialKnowledge.ProtocolTree, org.cryptimeleon.craco.protocols.arguments.sigma.partial.ProofOfPartialKnowledge.ProtocolTree).
static class	ProofOfPartialKnowledge.ProverSpec
static class	ProofOfPartialKnowledge.ProverSpecBuilder

Field Summary

Fields inherited from interface org.cryptimeleon.craco.protocols.arguments.InteractiveArgument

PROVER_ROLE, VERIFIER_ROLE

Constructor Summary

Constructors

Constructor and Description
ProofOfPartialKnowledge()

Method Summary

Modifier and Type	Method and Description
protected ProofOfPartialKnowledge.ProtocolTree	and(ProofOfPartialKnowledge.ProtocolTree protocol1, ProofOfPartialKnowledge.ProtocolTree protocol2) Construct a tree that AND-combines two subtrees.
org.cryptimeleon.math.expressions.bool.BooleanExpression	checkTranscriptAsExpression(CommonInput commonInput, Announcement announcement, Challenge challenge, Response response) Used by the verifier to check whether the given transcript is accepting.
void	debugProof(CommonInput commonInput, SecretInput secretInput) Checks if commonInput and secretInput are valid inputs for this protocol.
Announcement	generateAnnouncement(CommonInput commonInput, SecretInput secretInput, AnnouncementSecret announcementSecret) Used by the prover to generate an announcement (the first message sent in the protocol).
AnnouncementSecret	generateAnnouncementSecret(CommonInput commonInput, SecretInput secretInput) Used by the prover to generate a secret value that will be input for future method calls.
Response	generateResponse(CommonInput commonInput, SecretInput secretInput, Announcement announcement, AnnouncementSecret announcementSecret, Challenge challenge) Used by the prover to generate a response (the third and last message sent in the protocol).
SigmaProtocolTranscript	generateSimulatedTranscript(CommonInput commonInput, Challenge challenge) Generates a random transcript with the same distribution as an honestly generated one that contains the given Challenge.
protected ProofOfPartialKnowledge.ProtocolTree	leaf(java.lang.String name, SigmaProtocol protocol, CommonInput commonInput) Construct a tree that contains a single subprotocol to run.
protected ProofOfPartialKnowledge.ProtocolTree	or(ProofOfPartialKnowledge.ProtocolTree protocol1, ProofOfPartialKnowledge.ProtocolTree protocol2) Construct a tree that OR-combines two subtrees.
protected abstract org.cryptimeleon.math.expressions.bool.BooleanExpression	provideAdditionalCheck(CommonInput commonInput, SendFirstValue sendFirstValue) Returns true if the given sendFirstValue is well-formed and valid.
protected abstract ProofOfPartialKnowledge.ProtocolTree	provideProtocolTree(CommonInput commonInput, SendFirstValue sendFirstValue) Sets up the desired subprotocols and returns the ProofOfPartialKnowledge.ProtocolTree that encodes the AND/OR relations between them.
protected abstract ProofOfPartialKnowledge.ProverSpec	provideProverSpec(CommonInput commonInput, SecretInput secretInput, ProofOfPartialKnowledge.ProverSpecBuilder builder) Sets up the ProofOfPartialKnowledge.ProverSpec.
Announcement	restoreAnnouncement(CommonInput commonInput, org.cryptimeleon.math.serialization.Representation repr)
Response	restoreResponse(CommonInput commonInput, Announcement announcement, Challenge challenge, org.cryptimeleon.math.serialization.Representation repr)
protected abstract SendFirstValue	restoreSendFirstValue(CommonInput commonInput, org.cryptimeleon.math.serialization.Representation repr) Restores a SendFirstValue from representation.
protected abstract SendFirstValue	simulateSendFirstValue(CommonInput commonInput) Simulates the SendFirstValue, i.e.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Methods inherited from interface org.cryptimeleon.craco.protocols.arguments.sigma.SigmaProtocol

checkTranscript, checkTranscript, compressTranscript, decompressTranscript, generateChallenge, getChallengeSpace, getFirstMessageRole, getProverInstance, getVerifierInstance, instantiateProtocol, restoreChallenge, restoreTranscript

Methods inherited from interface org.cryptimeleon.craco.protocols.arguments.InteractiveArgument

getRoleNames, instantiateProver, instantiateVerifier

Methods inherited from interface org.cryptimeleon.craco.protocols.TwoPartyProtocol

runProtocolLocally

Constructor Detail

ProofOfPartialKnowledge

public ProofOfPartialKnowledge()

Method Detail

provideProtocolTree

protected abstract ProofOfPartialKnowledge.ProtocolTree provideProtocolTree(CommonInput commonInput,
                                                                            SendFirstValue sendFirstValue)

Sets up the desired subprotocols and returns the ProofOfPartialKnowledge.ProtocolTree that encodes the AND/OR relations between them. Implementors should build the ProofOfPartialKnowledge.ProtocolTree using leaf(java.lang.String, org.cryptimeleon.craco.protocols.arguments.sigma.SigmaProtocol, org.cryptimeleon.craco.protocols.CommonInput), and(org.cryptimeleon.craco.protocols.arguments.sigma.partial.ProofOfPartialKnowledge.ProtocolTree, org.cryptimeleon.craco.protocols.arguments.sigma.partial.ProofOfPartialKnowledge.ProtocolTree), and or(org.cryptimeleon.craco.protocols.arguments.sigma.partial.ProofOfPartialKnowledge.ProtocolTree, org.cryptimeleon.craco.protocols.arguments.sigma.partial.ProofOfPartialKnowledge.ProtocolTree).

Parameters:

commonInput - the public input to this ProofOfPartialKnowledge (can be anything appropriate for the concrete protocol implemented).

sendFirstValue - the value sent by the prover before the subprotocols start running.

Returns:

a tree of subprotocols that defines what subprotocols are composed in what way.

provideProverSpec

protected abstract ProofOfPartialKnowledge.ProverSpec provideProverSpec(CommonInput commonInput,
                                                                        SecretInput secretInput,
                                                                        ProofOfPartialKnowledge.ProverSpecBuilder builder)

Sets up the ProofOfPartialKnowledge.ProverSpec.
Implementors shall use the provided builder to set up

1. the SendFirstValue the prover wants to send (can be SendFirstValue.EmptySendFirstValue.
2. the witnesses to use for the subprotocols. If for some subprotocol you don't have a witness, simply don't call ProofOfPartialKnowledge.ProverSpecBuilder.putSecretInput(String, SecretInput) for it.
   Obviously, you'll have to provide sufficiently many witnesses for subprotocols to satisfy the AND/OR connections of subprotocols encoded in the tree returned by provideProtocolTree(CommonInput, SendFirstValue).

Parameters:

commonInput - the public input to this ProofOfPartialKnowledge (can be anything appropriate for the concrete protocol implemented).

secretInput - the secret input to this ProofOfPartialKnowledge (can be anything appropriate for the concrete protocol implemented).

builder - an object to use to build the ProofOfPartialKnowledge.ProverSpec.

Returns:

a prover spec returned by the builder.

restoreSendFirstValue

protected abstract SendFirstValue restoreSendFirstValue(CommonInput commonInput,
                                                        org.cryptimeleon.math.serialization.Representation repr)

Restores a SendFirstValue from representation.

simulateSendFirstValue

protected abstract SendFirstValue simulateSendFirstValue(CommonInput commonInput)

Simulates the SendFirstValue, i.e. returns one with a distribution that indistinguishable from an honest prover's.

provideAdditionalCheck

protected abstract org.cryptimeleon.math.expressions.bool.BooleanExpression provideAdditionalCheck(CommonInput commonInput,
                                                                                                   SendFirstValue sendFirstValue)

Returns true if the given sendFirstValue is well-formed and valid. If the returned expression evaluates to false, the transcript containing SendFirstValue will be rejected by the verifier. Typical examples of such checks would be something like "the sent group element must not be the neutral element".
The implementation for this can simply be return BooleanExpression.TRUE if no additional checks are needed.

leaf

protected final ProofOfPartialKnowledge.ProtocolTree leaf(java.lang.String name,
                                                          SigmaProtocol protocol,
                                                          CommonInput commonInput)

Construct a tree that contains a single subprotocol to run.

Parameters:

name - name of the protocol (must be unique, i.e. don't call leaf() twice with the same name in the same execution of provideProtocolTree(org.cryptimeleon.craco.protocols.CommonInput, org.cryptimeleon.craco.protocols.arguments.sigma.schnorr.SendFirstValue)).

protocol - the subprotocol

commonInput - the common input for the subprotocol.

and

protected final ProofOfPartialKnowledge.ProtocolTree and(ProofOfPartialKnowledge.ProtocolTree protocol1,
                                                         ProofOfPartialKnowledge.ProtocolTree protocol2)

Construct a tree that AND-combines two subtrees.

or

protected final ProofOfPartialKnowledge.ProtocolTree or(ProofOfPartialKnowledge.ProtocolTree protocol1,
                                                        ProofOfPartialKnowledge.ProtocolTree protocol2)

Construct a tree that OR-combines two subtrees.

generateAnnouncementSecret

public AnnouncementSecret generateAnnouncementSecret(CommonInput commonInput,
                                                     SecretInput secretInput)

Description copied from interface: SigmaProtocol

Used by the prover to generate a secret value that will be input for future method calls.

For example, for an implementation of the original Schnorr protocol, the announcement secret would be a random exponent r.

Specified by:

generateAnnouncementSecret in interface SigmaProtocol

Parameters:

commonInput - input to the overall protocol that both prover and verifier use

secretInput - input to the overall protocol that only the prover gets

Returns:

a secret (internal) value used for generating announcements and responses

generateAnnouncement

public Announcement generateAnnouncement(CommonInput commonInput,
                                         SecretInput secretInput,
                                         AnnouncementSecret announcementSecret)

Description copied from interface: SigmaProtocol

Used by the prover to generate an announcement (the first message sent in the protocol).

Specified by:

generateAnnouncement in interface SigmaProtocol

generateResponse

public Response generateResponse(CommonInput commonInput,
                                 SecretInput secretInput,
                                 Announcement announcement,
                                 AnnouncementSecret announcementSecret,
                                 Challenge challenge)

Description copied from interface: SigmaProtocol

Used by the prover to generate a response (the third and last message sent in the protocol).

Specified by:

generateResponse in interface SigmaProtocol

checkTranscriptAsExpression

public org.cryptimeleon.math.expressions.bool.BooleanExpression checkTranscriptAsExpression(CommonInput commonInput,
                                                                                            Announcement announcement,
                                                                                            Challenge challenge,
                                                                                            Response response)

Description copied from interface: SigmaProtocol

Used by the verifier to check whether the given transcript is accepting. The result is a BooleanExpression, which makes it easier to provide optimization for composed protocols.

Specified by:

checkTranscriptAsExpression in interface SigmaProtocol

Returns:

a BooleanExpression without variables that evaluates to true (for accepting transcripts) or false.

generateSimulatedTranscript

public SigmaProtocolTranscript generateSimulatedTranscript(CommonInput commonInput,
                                                           Challenge challenge)

Description copied from interface: SigmaProtocol

Generates a random transcript with the same distribution as an honestly generated one that contains the given Challenge.

Specified by:

generateSimulatedTranscript in interface SigmaProtocol

restoreAnnouncement

public Announcement restoreAnnouncement(CommonInput commonInput,
                                        org.cryptimeleon.math.serialization.Representation repr)

Specified by:

restoreAnnouncement in interface SigmaProtocol

restoreResponse

public Response restoreResponse(CommonInput commonInput,
                                Announcement announcement,
                                Challenge challenge,
                                org.cryptimeleon.math.serialization.Representation repr)

Specified by:

restoreResponse in interface SigmaProtocol

debugProof

public void debugProof(CommonInput commonInput,
                       SecretInput secretInput)

Description copied from interface: InteractiveArgument

Checks if commonInput and secretInput are valid inputs for this protocol. Use for debugging. Throws an exception if something is wrong.

Specified by:

debugProof in interface InteractiveArgument