proofChallengeCalculate function and tests added

hashcloak · Oct 10, 2024 · 4a8a8d5 · 4a8a8d5
1 parent b3e4982
commit 4a8a8d5
Show file tree

Hide file tree

Showing 3 changed files with 158 additions and 89 deletions.
diff --git a/src/bbs_verify.sol b/src/bbs_verify.sol
@@ -813,4 +813,31 @@ contract BBS_Verifier {
 
         return complementSet;
     }
+
+    function proofChallengeCalculate(
+        InitProof memory initProof,
+        uint256[] memory disclosedMsg,
+        uint8[] memory disclosedIndices
+    ) public view returns (uint256) {
+        require(disclosedMsg.length == disclosedIndices.length, "invalid length");
+
+        bytes memory serializeBytes = uint64ToBytes(disclosedIndices.length);
+
+        for (uint256 i = 0; i < disclosedMsg.length; i++) {
+            serializeBytes = abi.encodePacked(serializeBytes, uint64ToBytes(uint64(disclosedIndices[i])));
+            serializeBytes = abi.encodePacked(serializeBytes, reverseBytes(uintToBytes(disclosedMsg[i])));
+        }
+
+        for (uint256 i = 0; i < initProof.points.length; i++) {
+            serializeBytes = abi.encodePacked(serializeBytes, g1ToBytes(initProof.points[i]));
+        }
+        serializeBytes = abi.encodePacked(serializeBytes, reverseBytes(uintToBytes(initProof.scalar)));
+
+        bytes1 zeroByte = 0x00;
+        serializeBytes = abi.encodePacked(
+            serializeBytes, zeroByte, zeroByte, zeroByte, zeroByte, zeroByte, zeroByte, zeroByte, zeroByte
+        );
+
+        return BBS.hashToScalar(serializeBytes, dst);
+    }
 }
diff --git a/test/bbs_verify.t.sol b/test/bbs_verify.t.sol
@@ -66,51 +66,51 @@ contract BBS_VerifierTest is Test {
         );
 
         proof.aBar = Pairing.G1Point(
-            uint256(6405963818894633512500488485232508461378863995899784310159600027918894808450),
-            uint256(8976186955010952831213034715487042244047720417741586958901326448590421470686)
+            uint256(17705900040482640200318765868397816899423300068827258330107828571873441470719),
+            uint256(7713906401864379473036154127800301923576930562959621253303600800199073334118)
         );
         proof.bBar = Pairing.G1Point(
-            uint256(20165648201113026371430497168052996075094578039962696784870673007236807447067),
-            uint256(15010509405116757220749160832711172483289539657444644690137500000544227154801)
+            uint256(21727344193746663605105815693486793700736011477614477583899999224491814279994),
+            uint256(3107868243865832229708730395440182823160504417487161073020576660932813536129)
         );
         proof.d = Pairing.G1Point(
-            uint256(8986957979244676392051663251797981277637103251452242096971902552631567790191),
-            uint256(21120558285122285912951039627072415411354366752130407371763240496977100489948)
+            uint256(15259877521667048732653966731531866330870155623999372073511953831671978329220),
+            uint256(10346279138881905705140583326619164208036592391424952436660826945178815367429)
         );
-        proof.eCap = uint256(8675267513335268564640199227119950771150574365311777097870283344565947314651);
-        proof.r1Cap = uint256(7567563490779567628541285166340704410484294369535452470113693232508505968543);
-        proof.r3Cap = uint256(6579392919885006733769637005960889292350613654261021230838611689415221842234);
-        proof.challenge = uint256(8346917860180351912122859828930931080929880512023462426888094268487507390109);
+        proof.eCap = uint256(895560299474401253372773501875631392367182095767290314841076259590095084586);
+        proof.r1Cap = uint256(11193219439787925012791936928927829256760578552338662201715987339199095941227);
+        proof.r3Cap = uint256(15267152252107021640270952755495037380174121953972815385187286027940019996824);
+        proof.challenge = uint256(17070931957668459394149291496811547077907740596908548642717845173554837520766);
 
         proof.commitments = new uint256[](28);
-        proof.commitments[0] = uint256(2702212026708064668680820999991819119461144522549944570848881264924467265370);
-        proof.commitments[1] = uint256(9951093828808715651455795452755499666553659710387634719962899685546746257812);
-        proof.commitments[2] = uint256(10466473285505616592863382050828925783491498080204645291749684543922647188359);
-        proof.commitments[3] = uint256(11647411734432345603687929919718097401384913900793335744335975335617836941396);
-        proof.commitments[4] = uint256(889819536473615921284543703458474494418655513103839422287234270915254427082);
-        proof.commitments[5] = uint256(14809770328189882521243594516411309928620411911591523774115223885658772468350);
-        proof.commitments[6] = uint256(20827374717310709384196104411147304205881827420653807527774691616991165323775);
-        proof.commitments[7] = uint256(20430498204175443137065871938691889899807209606593258682388622664306592738519);
-        proof.commitments[8] = uint256(8440047075924652272217920567758220876907505122526506623639333860278579028807);
-        proof.commitments[9] = uint256(10331272704373571494424124761352004081813570247859708340977111866603298152006);
-        proof.commitments[10] = uint256(4424643989958915777531494388391369392418771555609501248316886177866621444281);
-        proof.commitments[11] = uint256(14342612567722663968404054250182249086021657201522936963314232636815885211754);
-        proof.commitments[12] = uint256(19502957182375035057804027914696251295218916055867868398404116245497505502969);
-        proof.commitments[13] = uint256(20000770782156659477874298727837229601899236556542299299938037866478435375587);
-        proof.commitments[14] = uint256(5255336896708911438653474127365619748367522378591322723484646696848992213292);
-        proof.commitments[15] = uint256(17414891979291727307071999526973202091218538875465302903840250298283414903362);
-        proof.commitments[16] = uint256(9600540485590321058770353731278707803707681892696919432191533747652742054515);
-        proof.commitments[17] = uint256(16486071762460512779493206924454849372151732219743856809986864954172148634836);
-        proof.commitments[18] = uint256(1926617413971009252731283527687644753066744497192535884461181846306258010129);
-        proof.commitments[19] = uint256(2262062394931760163151954900833180864498508712076710706034466878828711333901);
-        proof.commitments[20] = uint256(20371538334959871318633549377207376271498356467712435292202616825263726667621);
-        proof.commitments[21] = uint256(20369629430137390878137334804812733625345401736661711344876745604654980637311);
-        proof.commitments[22] = uint256(6916439658839487731895113824684631674521127493094818665157808992827131001738);
-        proof.commitments[23] = uint256(21588973014781210848662068436493273480831067525772880555083280778410975311779);
-        proof.commitments[24] = uint256(15896818343906752017216463585162535310986673909098312069355752066312700293640);
-        proof.commitments[25] = uint256(1512771494487729598501533498739421069638607180348389572136370284135009303676);
-        proof.commitments[26] = uint256(20468515975599440828862099187772373806433851030235132129499407412237086546704);
-        proof.commitments[27] = uint256(19433568231418556091277674380881556156275713380717029637629952481624104051955);
+        proof.commitments[0] = uint256(19095727655211535891907424632625597788660896504069139787113033189477200901164);
+        proof.commitments[1] = uint256(19376086836081848875356199522059787747649523185103503820918546873546803656837);
+        proof.commitments[2] = uint256(294630661519046963443548105138813757424736295965011860489516719425258301868);
+        proof.commitments[3] = uint256(2669991038723578516998124743106790553264755193437596445025159197580315246913);
+        proof.commitments[4] = uint256(9347384312453102707431895387088312145715418559983462799650963982682084827252);
+        proof.commitments[5] = uint256(10423402888507524428295410032922396350307052955495214158940561611559586857682);
+        proof.commitments[6] = uint256(21667666739487631443855567302732869873626852318523924021971922974064015548203);
+        proof.commitments[7] = uint256(2391574914373737044908304675905879726184592881619003159020770247137231086890);
+        proof.commitments[8] = uint256(6278153666110445575600940082413845807068412500507616321015839605239269964481);
+        proof.commitments[9] = uint256(17407116680557453084774309595190475554418201715886488721842472385513811947490);
+        proof.commitments[10] = uint256(8501318769770573792305740921919152496772914721536223890699332307683117426648);
+        proof.commitments[11] = uint256(10051701914974888853862296233599397109887353152719520271166239879253384300084);
+        proof.commitments[12] = uint256(4629893339370850175540759987958849789651933707400277961494579665229717132314);
+        proof.commitments[13] = uint256(19733193495966317727151773873301557383437837661981698399123721056474042649121);
+        proof.commitments[14] = uint256(16581440502746205531254170374821787090797536920805429488227888885103068899696);
+        proof.commitments[15] = uint256(4648351001408854396093087060766510007903087217506064759222363505293687917509);
+        proof.commitments[16] = uint256(5232978090956285957326199431497654863020266920439885149705611444557525841377);
+        proof.commitments[17] = uint256(10378971376370607204122093933171648619962601242767826857548254941729314144779);
+        proof.commitments[18] = uint256(10636096558455749185044536222842024797504005940994930068820626467354940043941);
+        proof.commitments[19] = uint256(13014117807481833912707217404666717118061234026083047800320547313575178119938);
+        proof.commitments[20] = uint256(9468061149785714375845841584548255079305964111362932915002031399165874890540);
+        proof.commitments[21] = uint256(12080296571110568157656356440360410776064799132442611756186811013992503842789);
+        proof.commitments[22] = uint256(8406199401805359744205934469936213843102959323070335564794326616494411213164);
+        proof.commitments[23] = uint256(13146762841746050965674929823955906169083360848059985425714661251008235930384);
+        proof.commitments[24] = uint256(18062184243758250054044805146678460481140799371280738494887026946927689738624);
+        proof.commitments[25] = uint256(4689669766214571146361709842956272925578589085257066757670840626355289827344);
+        proof.commitments[26] = uint256(19717012933748023731747259246552232456988022985282562051094427191782572854304);
+        proof.commitments[27] = uint256(19403246504848923420955727303103540860884754495247099508968984133479080201474);
     }
 
     function test_verify() public {
@@ -136,24 +136,24 @@ contract BBS_VerifierTest is Test {
 
         BBS_Verifier.InitProof memory initProof;
         initProof.points[0] = Pairing.G1Point(
-            uint256(6405963818894633512500488485232508461378863995899784310159600027918894808450),
-            uint256(8976186955010952831213034715487042244047720417741586958901326448590421470686)
+            uint256(17705900040482640200318765868397816899423300068827258330107828571873441470719),
+            uint256(7713906401864379473036154127800301923576930562959621253303600800199073334118)
         );
         initProof.points[1] = Pairing.G1Point(
-            uint256(20165648201113026371430497168052996075094578039962696784870673007236807447067),
-            uint256(15010509405116757220749160832711172483289539657444644690137500000544227154801)
+            uint256(21727344193746663605105815693486793700736011477614477583899999224491814279994),
+            uint256(3107868243865832229708730395440182823160504417487161073020576660932813536129)
         );
         initProof.points[2] = Pairing.G1Point(
-            uint256(8986957979244676392051663251797981277637103251452242096971902552631567790191),
-            uint256(21120558285122285912951039627072415411354366752130407371763240496977100489948)
+            uint256(15259877521667048732653966731531866330870155623999372073511953831671978329220),
+            uint256(10346279138881905705140583326619164208036592391424952436660826945178815367429)
         );
         initProof.points[3] = Pairing.G1Point(
-            uint256(10221517336427972967325634662943840604738151939735544266952774190214659671333),
-            uint256(13984121971721795091087156416346121756648495155789225939028887459631915872143)
+            uint256(9450541227839351281812164523351865265510569098677555890572077252104786626690),
+            uint256(9197258858130081208441965628507147760561818479091872534935021928583764617680)
         );
         initProof.points[4] = Pairing.G1Point(
-            uint256(1268252398698990105054652648653643548517694847305359088485160879175965022590),
-            uint256(5758202331860613259065935441803511633962840631799737908661333197365656104405)
+            uint256(5816804290213296793101908964222774752394739247046217083058295650122051844227),
+            uint256(1590091680226237410825658942611263221992039739303345139797440692938537664171)
         );
         initProof.scalar = uint256(4661402122534330745222086575742781481159552639583525480514127238648290568236);
 
@@ -165,6 +165,47 @@ contract BBS_VerifierTest is Test {
         assert(initProof.points[4].X == init_output.points[4].X);
         assert(initProof.points[4].Y == init_output.points[4].Y);
     }
+
+    function testProofChallengeCalculate() public {
+        BBS_Verifier verifier;
+        verifier = new BBS_Verifier();
+        uint256[] memory disclosed_msg = new uint256[](3);
+        disclosed_msg[0] = 2266124219189018131;
+        disclosed_msg[1] = 15553430782966677989;
+        disclosed_msg[2] = 4743228516788447402;
+
+        uint8[] memory disclosed_indices = new uint8[](3);
+        disclosed_indices[0] = 0;
+        disclosed_indices[1] = 1;
+        disclosed_indices[2] = 5;
+
+        BBS_Verifier.InitProof memory initProof;
+        initProof.points[0] = Pairing.G1Point(
+            uint256(17705900040482640200318765868397816899423300068827258330107828571873441470719),
+            uint256(7713906401864379473036154127800301923576930562959621253303600800199073334118)
+        );
+        initProof.points[1] = Pairing.G1Point(
+            uint256(21727344193746663605105815693486793700736011477614477583899999224491814279994),
+            uint256(3107868243865832229708730395440182823160504417487161073020576660932813536129)
+        );
+        initProof.points[2] = Pairing.G1Point(
+            uint256(15259877521667048732653966731531866330870155623999372073511953831671978329220),
+            uint256(10346279138881905705140583326619164208036592391424952436660826945178815367429)
+        );
+        initProof.points[3] = Pairing.G1Point(
+            uint256(9450541227839351281812164523351865265510569098677555890572077252104786626690),
+            uint256(9197258858130081208441965628507147760561818479091872534935021928583764617680)
+        );
+        initProof.points[4] = Pairing.G1Point(
+            uint256(5816804290213296793101908964222774752394739247046217083058295650122051844227),
+            uint256(1590091680226237410825658942611263221992039739303345139797440692938537664171)
+        );
+        initProof.scalar = uint256(4661402122534330745222086575742781481159552639583525480514127238648290568236);
+
+        uint256 challenge = verifier.proofChallengeCalculate(initProof, disclosed_msg, disclosed_indices);
+
+        assert(challenge == uint256(17070931957668459394149291496811547077907740596908548642717845173554837520766));
+    }
 }
 
 contract hashToCurve is Test {