
Commit 7a47e21

committed
Remove some duplicated code with macros
Signed-off-by: lovesh <[email protected]>
1 parent 8a1b0b4 commit 7a47e21


2 files changed

+180
-117
lines changed


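--- a/delg_cred_cdd/src/attribute_token.rs
+++ b/delg_cred_cdd/src/attribute_token.rs
@@ -6,8 +6,8 @@ use crate::issuer::{CredChain, EvenLevelVerkey, OddLevelVerkey};
 use amcl_wrapper::extension_field_gt::GT;
 use amcl_wrapper::field_elem::{FieldElement, FieldElementVector};
 use amcl_wrapper::group_elem::{GroupElement, GroupElementVector};
-use amcl_wrapper::group_elem_g1::{G1Vector, G1};
-use amcl_wrapper::group_elem_g2::{G2Vector, G2};
+use amcl_wrapper::group_elem_g1::{G1LookupTable, G1Vector, G1};
+use amcl_wrapper::group_elem_g2::{G2LookupTable, G2Vector, G2};
 use std::collections::{HashMap, HashSet};
 use std::ops::Add;
 
@@ -371,7 +371,6 @@ impl<'a> AttributeToken<'a> {
 FieldElement::from_msg_hash(&bytes)
 }
 
-// TODO: Create a verify_fast that does a single multi-pairing like verify_fast in GrothSig
 pub fn reconstruct_commitment(
 L: usize,
 comm: &AttributeTokenComm,
@@ -396,18 +395,21 @@ impl<'a> AttributeToken<'a> {
 let groth2_neg_g2 = -&setup_params_2.g2;
 
 let challenge_neg = -challenge;
+let challenge_neg_wnaf = challenge_neg.to_wnaf(5);
+
+let groth2_g1_table = G1LookupTable::from(&setup_params_2.g1);
+let groth1_g2_table = G2LookupTable::from(&setup_params_1.g2);
+let ipk_table = G2LookupTable::from(&ipk.0);
+
 // g1^-c
-let groth2_g1_c = &setup_params_2.g1 * &challenge_neg;
+let groth2_g1_c = G1::wnaf_mul(&groth2_g1_table, &challenge_neg_wnaf);
 // g2^-c
-let groth1_g2_c = &setup_params_1.g2 * &challenge_neg;
+let groth1_g2_c = G2::wnaf_mul(&groth1_g2_table, &challenge_neg_wnaf);
 // ipk^-c
-let ipk_c = &ipk.0 * &challenge_neg;
+let ipk_c = G2::wnaf_mul(&ipk_table, &challenge_neg_wnaf);
+
 // e(y0, g2)^{-c}
-let y0_g2_c = {
-// e(y0, g2) can be precomputed
-let e_1 = GT::ate_pairing(&setup_params_1.y[0], &setup_params_1.g2);
-GT::pow(&e_1, &challenge_neg)
-};
+let y0_g2_c = GT::ate_pairing(&setup_params_1.y[0], &groth1_g2_c);
 // e(g1, y0)^{-c} = e(g1^{-c}, y0)
 let g1_y0_c = GT::ate_pairing(&groth2_g1_c, &setup_params_2.y[0]);
 
@@ -434,7 +436,7 @@ impl<'a> AttributeToken<'a> {
 // Then e(y[j], ipk)^-c can then be used in a multi-pairing.
 let com_i_s = if i == 1 {
 // e(resp_s_i, r'_i) * e(g1, ipk)^-c
-// e(g1, ipk)^-c == e(g1, ipk^-c) => e(resp_s_i, r'_i) * e(g1, ipk^-c)
+// e(g1, ipk)^-c = e(g1, ipk^-c) => e(resp_s_i, r'_i) * e(g1, ipk^-c)
 let e_1 = GT::ate_2_pairing(
 &resp.odd_level_resp_s[i / 2],
 &comm.odd_level_blinded_r[i / 2],
@@ -444,12 +446,14 @@ impl<'a> AttributeToken<'a> {
 // e(resp_s_i, r'_i) * ( e(g1, ipk) * e(y0, g2) )^-c
 GT::mul(&e_1, &y0_g2_c)
 } else {
+// e(resp_s_i, r'_i) * e(-g1, resp_vk_{i-1})
 let e_1 = GT::ate_2_pairing(
 &resp.odd_level_resp_s[i / 2],
 &comm.odd_level_blinded_r[i / 2],
 &groth1_neg_g1,
 &resp.even_level_resp_vk[(i / 2) - 1],
 );
+// e(resp_s_i, r'_i) * e(-g1, resp_vk_{i-1}) * e(y_0, g2)^-c
 GT::mul(&e_1, &y0_g2_c)
 };
 comms_s.push(com_i_s);
@@ -521,15 +525,14 @@ impl<'a> AttributeToken<'a> {
 (&setup_params_1.y[attr_count - 1], &ipk_c),
 ])
 } else {
-let e_1 = GT::ate_pairing(
-&resp.odd_level_resp_t[i / 2][attr_count - 1],
-&comm.odd_level_blinded_r[i / 2],
-);
-let e_2 = GT::ate_pairing(&setup_params_1.g1, &groth1_neg_g2);
-let e_3 = GT::pow(&e_2, &resp.resp_csk);
-let e_4 = GT::mul(&e_1, &e_3);
-let e_5 = GT::ate_pairing(&setup_params_1.y[attr_count - 1], &ipk_c);
-GT::mul(&e_4, &e_5)
+GT::ate_multi_pairing(vec![
+(
+&resp.odd_level_resp_t[i / 2][attr_count - 1],
+&comm.odd_level_blinded_r[i / 2],
+),
+(&(&setup_params_1.g1 * &resp.resp_csk), &groth1_neg_g2),
+(&setup_params_1.y[attr_count - 1], &ipk_c),
+])
 }
 } else {
 if i != L {
@@ -545,15 +548,17 @@ impl<'a> AttributeToken<'a> {
 (&resp.odd_level_resp_vk[i / 2], &groth1_neg_g2),
 ])
 } else {
-let e_1 = GT::ate_2_pairing(
-&resp.odd_level_resp_t[i / 2][attr_count - 1],
-&comm.odd_level_blinded_r[i / 2],
-&(-&setup_params_1.y[attr_count - 1]),
-&resp.even_level_resp_vk[(i / 2) - 1],
-);
-let e_2 = GT::ate_pairing(&setup_params_1.g1, &groth1_neg_g2);
-let e_3 = GT::pow(&e_2, &resp.resp_csk);
-GT::mul(&e_1, &e_3)
+GT::ate_multi_pairing(vec![
+(
+&resp.odd_level_resp_t[i / 2][attr_count - 1],
+&comm.odd_level_blinded_r[i / 2],
+),
+(
+&(-&setup_params_1.y[attr_count - 1]),
+&resp.even_level_resp_vk[(i / 2) - 1],
+),
+(&(&setup_params_1.g1 * &resp.resp_csk), &groth1_neg_g2),
+])
 }
 };
 com_t.push(com_i_vk);
@@ -639,15 +644,17 @@ impl<'a> AttributeToken<'a> {
 (&groth2_neg_g1, &resp.even_level_resp_vk[(i / 2) - 1]),
 ])
 } else {
-let e_1 = GT::ate_2_pairing(
-&comm.even_level_blinded_r[(i / 2) - 1],
-&resp.even_level_resp_t[(i / 2) - 1][attr_count - 1],
-&resp.odd_level_resp_vk[(i / 2) - 1],
-&(-&setup_params_2.y[attr_count - 1]),
-);
-let e_2 = GT::ate_pairing(&groth2_neg_g1, &setup_params_2.g2);
-let e_3 = GT::pow(&e_2, &resp.resp_csk);
-GT::mul(&e_1, &e_3)
+GT::ate_multi_pairing(vec![
+(
+&comm.even_level_blinded_r[(i / 2) - 1],
+&resp.even_level_resp_t[(i / 2) - 1][attr_count - 1],
+),
+(
+&resp.odd_level_resp_vk[(i / 2) - 1],
+&(-&setup_params_2.y[attr_count - 1]),
+),
+(&(&groth2_neg_g1 * &resp.resp_csk), &setup_params_2.g2),
+])
 };
 com_t.push(com_i_vk);
 comms_t.push(com_t);
@@ -715,14 +722,13 @@ impl<'a> AttributeToken<'a> {
 
 let com_i_s = if i == 1 {
 // e(g1, ri)^{rho_sig*rho_s}
-GT::pow(pairing_g1_r_i, &(&rho_sig * &rho_s))
+pairing_g1_r_i.pow(&(&rho_sig * &rho_s))
 } else {
 // e(g1, ri)^{rho_sig*rho_s} * e(-g1, g2)^{blindings_vk[i-2]}
-let e_1 = GT::pow(pairing_g1_r_i, &(&rho_sig * &rho_s));
-let e_2 = GT::pow(
-&precomp_setup.pairing_inv_groth1_g1_g2,
-&self.blindings_vk[i - 2],
-);
+let e_1 = pairing_g1_r_i.pow(&(&rho_sig * &rho_s));
+let e_2 = precomp_setup
+.pairing_inv_groth1_g1_g2
+.pow(&self.blindings_vk[i - 2]);
 GT::mul(&e_1, &e_2)
 };
 
@@ -745,21 +751,20 @@ impl<'a> AttributeToken<'a> {
 
 let mut com_i_t = if i == 1 {
 // e(g1, ri)^{rho_sig*rr_t}
-GT::pow(pairing_g1_r_i, &(&rho_sig * &rr_t))
+pairing_g1_r_i.pow(&(&rho_sig * &rr_t))
 } else {
 // e(g1, ri)^{rho_sig*rr_t} * e(-y1_j, g2)^{blindings_vk[i-2]}
 // e(-y1_j, g2) equals e(y1_j, -g2)
-let e_1 = GT::pow(pairing_g1_r_i, &(&rho_sig * &rr_t));
-let e_2 = precomp_setup.groth1_neg_y_g2[j].clone();
-let e_3 = GT::pow(&e_2, &self.blindings_vk[i - 2]);
-GT::mul(&e_1, &e_3)
+let e_1 = pairing_g1_r_i.pow(&(&rho_sig * &rr_t));
+let e_2 = precomp_setup.groth1_neg_y_g2[j].pow(&self.blindings_vk[i - 2]);
+GT::mul(&e_1, &e_2)
 };
 
 if !revealed[i - 1].contains(&j) {
 // Unrevealed attribute
 // e(-g1, g2)^rr_a
 let rr_a = FieldElement::random();
-let e = GT::pow(&precomp_setup.pairing_inv_groth1_g1_g2, &rr_a);
+let e = precomp_setup.pairing_inv_groth1_g1_g2.pow(&rr_a);
 // e(g1, ri)^{rho_sig*rr_t} * e(y1_j, g2)^{blindings_vk[i-2]} * e(-g1, g2)^rr_a
 com_i_t = GT::mul(&com_i_t, &e);
 r_a.push(rr_a);
@@ -776,17 +781,17 @@ impl<'a> AttributeToken<'a> {
 let rr_t = FieldElement::random();
 let mut com_i_vk = {
 // e(g1, ri)^{rho_sig*rr_t} * e(-g1, g2)^rr_a
-let e_1 = GT::pow(pairing_g1_r_i, &(&rho_sig * &rr_t));
-let e_2 = GT::pow(&precomp_setup.pairing_inv_groth1_g1_g2, &rho_vk);
+let e_1 = pairing_g1_r_i.pow(&(&rho_sig * &rr_t));
+let e_2 = precomp_setup.pairing_inv_groth1_g1_g2.pow(&rho_vk);
 GT::mul(&e_1, &e_2)
 };
 if i != 1 {
 // Different from paper here, paper uses e(y1_j, g2) but e(-y1_j, g2) should be used and e(-y1_j, g2) equals e(y1_j, -g2)
 // e(y1_j, -g2)^{blindings_vk[i-2]}
-let e_1 = precomp_setup.groth1_neg_y_g2[link.attribute_count() - 1].clone();
-let e_2 = GT::pow(&e_1, &self.blindings_vk[i - 2]);
+let e = precomp_setup.groth1_neg_y_g2[link.attribute_count() - 1]
+.pow(&self.blindings_vk[i - 2]);
 // e(g1, ri)^{rho_sig*rr_t} * e(-g1, g2)^rr_a * e(y1_j, g2)^{blindings_vk[i-2]}
-com_i_vk = GT::mul(&com_i_vk, &e_2);
+com_i_vk = GT::mul(&com_i_vk, &e);
 }
 com_t.push(com_i_vk);
 r_t.push(rr_t);
@@ -804,11 +809,10 @@ impl<'a> AttributeToken<'a> {
 let pairing_r_i_g2 = &precomp_chain.pairing_g_r[i - 1];
 
 // e(ri, g2)^{rho_sig*rho_s} * e(-g1, g2)^{blindings_vk[i-2]}
-let e_1 = GT::pow(pairing_r_i_g2, &(&rho_sig * &rho_s));
-let e_2 = GT::pow(
-&precomp_setup.pairing_inv_groth2_g1_g2,
-&self.blindings_vk[i - 2],
-);
+let e_1 = pairing_r_i_g2.pow(&(&rho_sig * &rho_s));
+let e_2 = precomp_setup
+.pairing_inv_groth2_g1_g2
+.pow(&self.blindings_vk[i - 2]);
 let com_i_s = GT::mul(&e_1, &e_2);
 
 if revealed[i - 1].len() > self.setup_params_2.y.len() {
@@ -830,10 +834,9 @@ impl<'a> AttributeToken<'a> {
 
 // e(ri, g2)^{rho_sig*rr_t} * e(g1, -y2_j)^{blindings_vk[i-2]}.
 // e(g1, -y2_j) equals e(-g1, y2_j)
-let e_1 = GT::pow(pairing_r_i_g2, &(&rho_sig * &rr_t));
-let e_2 = precomp_setup.groth2_neg_g1_y[j].clone();
-let e_3 = GT::pow(&e_2, &self.blindings_vk[i - 2]);
-let mut com_i_t = GT::mul(&e_1, &e_3);
+let e_1 = pairing_r_i_g2.pow(&(&rho_sig * &rr_t));
+let e_2 = precomp_setup.groth2_neg_g1_y[j].pow(&self.blindings_vk[i - 2]);
+let mut com_i_t = GT::mul(&e_1, &e_2);
 
 if !revealed[i - 1].contains(&j) {
 // Unrevealed attribute
@@ -858,9 +861,9 @@ impl<'a> AttributeToken<'a> {
 // In above, replace e(g1, -y2_j)^{blindings_vk[i-2]} with e(-g1, y2_j)^{blindings_vk[i-2]}
 let e_1 = GT::pow(pairing_r_i_g2, &(&rho_sig * &rr_t));
 let e_2 = GT::pow(&precomp_setup.pairing_inv_groth2_g1_g2, &rho_vk);
-let e_3 = precomp_setup.groth2_neg_g1_y[link.attribute_count() - 1].clone();
-let e_4 = GT::pow(&e_3, &self.blindings_vk[i - 2]);
-let com_i_vk = GT::mul(&GT::mul(&e_1, &e_2), &e_4);
+let e_3 = precomp_setup.groth2_neg_g1_y[link.attribute_count() - 1]
+.pow(&self.blindings_vk[i - 2]);
+let com_i_vk = GT::mul(&GT::mul(&e_1, &e_2), &e_3);
 
 com_t.push(com_i_vk);
 r_t.push(rr_t);
@@ -931,9 +934,9 @@ impl<'a> AttributeToken<'a> {
 // ipk^-c
 let ipk_c = &ipk.0 * &challenge_neg;
 // e(y0, g2)^{-c}
-let y0_g2_c = GT::pow(&precomputed.groth1_y0_g2, &challenge_neg);
+let y0_g2_c = precomputed.groth1_y0_g2.pow(&challenge_neg);
 // e(g1, y0)^{-c}
-let g1_y0_c = GT::pow(&precomputed.groth2_g1_y0, &challenge_neg);
+let g1_y0_c = &precomputed.groth2_g1_y0.pow(&challenge_neg);
 
 for i in 1..=L {
 if i % 2 == 1 {
@@ -2352,28 +2355,58 @@ mod tests {
 
 let mut morphed_commitment = com_1.clone();
 // Adding an element of comms_s to increase its size
-morphed_commitment.comms_s.push(morphed_commitment.comms_s[0].clone());
+morphed_commitment
+.comms_s
+.push(morphed_commitment.comms_s[0].clone());
 assert!(at_1
-.response(&morphed_commitment, &l_1_issuer_sk.0, &c_1, vec![], vec![&l_1_issuer_vk]).is_err());
+.response(
+&morphed_commitment,
+&l_1_issuer_sk.0,
+&c_1,
+vec![],
+vec![&l_1_issuer_vk]
+)
+.is_err());
 // Remove the added element
 morphed_commitment.comms_s.pop().unwrap();
 
 // Adding an element of comms_t to increase its size
 morphed_commitment.comms_t.push(vec![]);
 assert!(at_1
-.response(&morphed_commitment, &l_1_issuer_sk.0, &c_1, vec![], vec![&l_1_issuer_vk]).is_err());
+.response(
+&morphed_commitment,
+&l_1_issuer_sk.0,
+&c_1,
+vec![],
+vec![&l_1_issuer_vk]
+)
+.is_err());
 // Remove the added element
 morphed_commitment.comms_t.pop().unwrap();
 
 // Decrease size of comms_s
 morphed_commitment.comms_s.pop().unwrap();
 assert!(at_1
-.response(&morphed_commitment, &l_1_issuer_sk.0, &c_1, vec![], vec![&l_1_issuer_vk]).is_err());
+.response(
+&morphed_commitment,
+&l_1_issuer_sk.0,
+&c_1,
+vec![],
+vec![&l_1_issuer_vk]
+)
+.is_err());
 
 // Decrease size of comms_t
 morphed_commitment.comms_t.pop().unwrap();
 assert!(at_1
-.response(&morphed_commitment, &l_1_issuer_sk.0, &c_1, vec![], vec![&l_1_issuer_vk]).is_err());
+.response(
+&morphed_commitment,
+&l_1_issuer_sk.0,
+&c_1,
+vec![],
+vec![&l_1_issuer_vk]
+)
+.is_err());
 
 let resp_1 = at_1
 .response(&com_1, &l_1_issuer_sk.0, &c_1, vec![], vec![&l_1_issuer_vk])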
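Review bot: In the `@@ -931,9 +934,9 @@` hunk the new `g1_y0_c` line carries a stray leading `&`, so the binding becomes a `&GT` to a temporary (kept alive only by lifetime extension) while the sibling `y0_g2_c` two lines above is an owned `GT`; it compiles via deref coercion at the later `GT::mul` call sites, but it looks like a slip from the `GT::pow(&…)` to `.pow(…)` rewrite and should read `let g1_y0_c = precomputed.groth2_g1_y0.pow(&challenge_neg);`. In the `@@ -396,18 +395,21 @@` hunk, `challenge_neg.to_wnaf(5)` hard-codes the window width as a bare literal; a named constant such as `const WNAF_WINDOW: usize = 5;` with a short comment on why that width was chosen would make the table-size/speed trade-off visible. That wNAF path is variable-time in the scalar, which is presumably acceptable here because `challenge_neg` is derived from the verifier's public challenge, but a one-line comment stating that would stop a later refactor from reusing the same lookup-table code on a secret scalar. Both enclosing functions start and end outside their hunks.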
