SchnorrFragment (craco 4.0.2 API)

All Known Implementing Classes:

DelegateFragment, LinearExponentStatementFragment, LinearStatementFragment, SendThenDelegateFragment, SetMembershipFragment, SmallerThanPowerFragment, TwoSidedRangeProof
```
public interface SchnorrFragment
```
Part of a Schnorr-style protocol, which may depend on variables (witnesses) for which another protocol is in charge of ensuring extractability. It is usually part of a larger composition of fragments that form a complete protocol.
This is motivated by the following idea: Assume we want to come up with e Schnorr-like protocol for the relation {((h1,h2),w) | h1 = g1^w ∧ h2 = g2^w}, meaning that the same witness w simultaneously fulfills the two equations.
The standard Schnorr-style protocol for this works as follows:
1. The prover chooses a random r and sends A1 = g1^r and A2 = g2^r to the verifier
2. The verifier responds with a challenge c
3. The prover responds with R = c * w + r
4. The verifier checks that g1^R = h1^c * A1 and g2^R = h2^c * A1
Thinking in fragments, we identify three parts of this protocol:
- The first fragment ensures extractability (in the sense of special soundness for SigmaProtocols) of w by sending c * w + r as the response
- The second fragment ensures that the extracted w fulfills h1 = g1^w by sending A1 = g1^r and making the verifier check {g1^R = h1^c * A1}
- The third fragment ensures that the extracted w fulfills h2 = g2^w by sending A2 = g2^r and making the verifier check {g2^R = h2^c * A2}
Note that the second and third fragment share the same w and r. This dependency is expressed in this interface: a SchnorrFragment's trascript generation may depend on variables that are outside of its own control. We call those variables "external" variables.
This approach allows for easy composition of fragments that depend on (some of) the same variables. However, this also means that SchnorrFragments are basically useless by themselves because they depend on external variables. To ultimately make use of a SchnorrFragment in an actual protocol, implement a SendThenDelegateProtocol and use the fragment as a subprotocol.
Implementing classes are usually used as follows:
1. The constructor is called with some data that contains and depends on external variables (e.g., an Expression like "h1 = g1^w", where w is a SchnorrVariable)
2. generateAnnouncementSecret(externalWitnesses) is called, where externalWitnesses is some appropriate assignment (corresponds to w in the example above)
3. generateAnnouncement(externalWitnesses, announcementSecret, externalRandom) is called, where externalRandom is a random assignment of external variables (corresponds to r in the example above)
4. generateResponse(externalWitnesses, announcementSecret, challenge) is called (challenge corresponds to c in the example above)
5. checkTranscript(announcement, challenge, response, externalResponse) is called with the data generated above and externalResponse, which is the same as externalWitness * challenge + externalRandom
This implementation shall be done such that the following protocol has all the properties of a SigmaProtocol:
- Prover generates random externalRandom
- Prover sends A = generateAnnouncement(externalWitnesses, announcementSecret, externalRandom)
- Verifier sends an appropriate challenge c
- Prover sends R = generateResponse(externalWitness, announcementSecret, challenge) and externalResponse = externalWitness * c + externalRandom
- Verifier checks checkTranscript(A, c, R, externalResponse)
using the standard (response0-response1)/(challenge0-challenge1) knowledge extractor.
Most SchnorrFragments will probably be implemented by extending DelegateFragment or SendThenDelegateFragment. To compose a bunch of SchnorrFragments into a SigmaProtocol, see DelegateProtocol or SendThenDelegateProtocol.

Method Summary

All Methods Instance Methods Abstract Methods Default Methods
Modifier and Type	Method and Description
`org.cryptimeleon.math.expressions.bool.BooleanExpression`	`checkTranscript(Announcement announcement, ZnChallenge challenge, Response response, SchnorrVariableAssignment externalResponse)` Checks whether the fragment's transcript with the addition of externalResponse is accepting.
`default org.cryptimeleon.math.serialization.Representation`	`compressTranscript(Announcement announcement, ZnChallenge challenge, Response response, SchnorrVariableAssignment externalResponse)` Returns a compressed (shorter) version of the given transcript.
`default void`	`debugFragment(SchnorrVariableAssignment externalWitness, ZnChallengeSpace challengeSpace)` Checks if the given input is a valid witness for this fragment.
`default SigmaProtocolTranscript`	`decompressTranscript(org.cryptimeleon.math.serialization.Representation compressedTranscript, ZnChallenge challenge, SchnorrVariableAssignment externalResponse)` Decompressed a transcript compressed with `compressTranscript(org.cryptimeleon.craco.protocols.arguments.sigma.Announcement, org.cryptimeleon.craco.protocols.arguments.sigma.ZnChallenge, org.cryptimeleon.craco.protocols.arguments.sigma.Response, org.cryptimeleon.craco.protocols.arguments.sigma.schnorr.variables.SchnorrVariableAssignment)` The guarantee is that if a transcript is valid, then compressing and decompressing yields the same transcript.
`Announcement`	`generateAnnouncement(SchnorrVariableAssignment externalWitnesses, AnnouncementSecret announcementSecret, SchnorrVariableAssignment externalRandom)` Generates an announcement.
`AnnouncementSecret`	`generateAnnouncementSecret(SchnorrVariableAssignment externalWitnesses)` Generates secret data that's passed in successive calls for the prover.
`Response`	`generateResponse(SchnorrVariableAssignment externalWitnesses, AnnouncementSecret announcementSecret, ZnChallenge challenge)` Generates a response.
`SigmaProtocolTranscript`	`generateSimulatedTranscript(ZnChallenge challenge, SchnorrVariableAssignment externalRandomResponse)` Generates a simulated transcript.
`Announcement`	`restoreAnnouncement(org.cryptimeleon.math.serialization.Representation repr)`
`Response`	`restoreResponse(Announcement announcement, org.cryptimeleon.math.serialization.Representation repr)`

Method Detail

generateAnnouncementSecret
```
AnnouncementSecret generateAnnouncementSecret(SchnorrVariableAssignment externalWitnesses)
```
Generates secret data that's passed in successive calls for the prover.

Parameters:

externalWitnesses - witnesses used by this protocol whose extractability is handled outside of this fragment. May contain some variables not relevant for this fragment.

Returns:

arbitrary data for future calls

generateAnnouncement
```
Announcement generateAnnouncement(SchnorrVariableAssignment externalWitnesses,
                                  AnnouncementSecret announcementSecret,
                                  SchnorrVariableAssignment externalRandom)
```
Generates an announcement.

Parameters:

externalWitnesses - witnesses used by this protocol whose extractability is handled outside of this fragment. May contain some variables not relevant for this fragment.

announcementSecret - the secret generated by generateAnnouncementSecret(SchnorrVariableAssignment)

externalRandom - contains an assignment of external variables to random values.

Returns:

the announcement for this fragment

generateResponse
```
Response generateResponse(SchnorrVariableAssignment externalWitnesses,
                          AnnouncementSecret announcementSecret,
                          ZnChallenge challenge)
```
Generates a response.

Parameters:

externalWitnesses - witnesses used by this protocol whose extractability is handled outside of this fragment. May contain some variables not relevant for this fragment.

announcementSecret - the secret generated by generateAnnouncementSecret(SchnorrVariableAssignment).

challenge - the challenge of a Schnorr protocol.

Returns:

the response that this fragment sends (does not contain externalResponse)

checkTranscript

org.cryptimeleon.math.expressions.bool.BooleanExpression checkTranscript(Announcement announcement,
                                                                         ZnChallenge challenge,
                                                                         Response response,
                                                                         SchnorrVariableAssignment externalResponse)

Checks whether the fragment's transcript with the addition of externalResponse is accepting.

Returns:: an expression (without variables) that evaluates to true if the transcript is accepting or to false otherwise.

generateSimulatedTranscript
```
SigmaProtocolTranscript generateSimulatedTranscript(ZnChallenge challenge,
                                                    SchnorrVariableAssignment externalRandomResponse)
```
Generates a simulated transcript.

Parameters:

challenge - challenge the transcript shall use.

externalRandomResponse - a random assignment of external variables to random values.

Returns:

a transcript with the same distribution as honest executions of this fragment that contain challenge and externalRandomResponse.

compressTranscript

default org.cryptimeleon.math.serialization.Representation compressTranscript(Announcement announcement,
                                                                              ZnChallenge challenge,
                                                                              Response response,
                                                                              SchnorrVariableAssignment externalResponse)

Returns a compressed (shorter) version of the given transcript. Useful for FiatShamirProofSystem.

decompressTranscript
```
default SigmaProtocolTranscript decompressTranscript(org.cryptimeleon.math.serialization.Representation compressedTranscript,
                                                     ZnChallenge challenge,
                                                     SchnorrVariableAssignment externalResponse)
                                              throws java.lang.IllegalArgumentException
```
Decompressed a transcript compressed with compressTranscript(org.cryptimeleon.craco.protocols.arguments.sigma.Announcement, org.cryptimeleon.craco.protocols.arguments.sigma.ZnChallenge, org.cryptimeleon.craco.protocols.arguments.sigma.Response, org.cryptimeleon.craco.protocols.arguments.sigma.schnorr.variables.SchnorrVariableAssignment) The guarantee is that if a transcript is valid, then compressing and decompressing yields the same transcript. Additionally, any transcript output by this method is valid (i.e. SigmaProtocol.checkTranscript(org.cryptimeleon.craco.protocols.CommonInput, org.cryptimeleon.craco.protocols.arguments.sigma.Announcement, org.cryptimeleon.craco.protocols.arguments.sigma.Challenge, org.cryptimeleon.craco.protocols.arguments.sigma.Response) returns true).

Throws:

java.lang.IllegalArgumentException - is the given compressedTranscript cannot be decompressed into a valid transcript.

restoreAnnouncement

Announcement restoreAnnouncement(org.cryptimeleon.math.serialization.Representation repr)

restoreResponse

Response restoreResponse(Announcement announcement,
                         org.cryptimeleon.math.serialization.Representation repr)

debugFragment

default void debugFragment(SchnorrVariableAssignment externalWitness,
                           ZnChallengeSpace challengeSpace)

Checks if the given input is a valid witness for this fragment. Use for debugging. Throws an exception if something is wrong.

Interface SchnorrFragment

Method Summary

Method Detail

generateAnnouncementSecret

generateAnnouncement

generateResponse

checkTranscript

generateSimulatedTranscript

compressTranscript

decompressTranscript

restoreAnnouncement

restoreResponse

debugFragment