From 4a8a8d5386f1f3e868a1d7b0c6df2496bd4838d8 Mon Sep 17 00:00:00 2001
From: Manish Kumar
Date: Thu, 10 Oct 2024 16:17:35 +0530
Subject: [PATCH] proofChallengeCalculate function and tests added

---
 src/bbs_verify.sol | 27 +++++++++
 test/bbs_verify.t.sol | 137 +++++++++++++++++++++++++++---------------
 test_vector.txt | 83 ++++++++++++-------------
 3 files changed, 158 insertions(+), 89 deletions(-)

diff --git a/src/bbs_verify.sol b/src/bbs_verify.sol
index e10fdc8..78159dc 100644
--- a/src/bbs_verify.sol
+++ b/src/bbs_verify.sol
@@ -813,4 +813,31 @@ contract BBS_Verifier {
 return complementSet;
 }
+
+ function proofChallengeCalculate(
+ InitProof memory initProof,
+ uint256[] memory disclosedMsg,
+ uint8[] memory disclosedIndices
+ ) public view returns (uint256) {
+ require(disclosedMsg.length == disclosedIndices.length, "invalid length");
+
+ bytes memory serializeBytes = uint64ToBytes(disclosedIndices.length);
+
+ for (uint256 i = 0; i < disclosedMsg.length; i++) {
+ serializeBytes = abi.encodePacked(serializeBytes, uint64ToBytes(uint64(disclosedIndices[i])));
+ serializeBytes = abi.encodePacked(serializeBytes, reverseBytes(uintToBytes(disclosedMsg[i])));
+ }
+
+ for (uint256 i = 0; i < initProof.points.length; i++) {
+ serializeBytes = abi.encodePacked(serializeBytes, g1ToBytes(initProof.points[i]));
+ }
+ serializeBytes = abi.encodePacked(serializeBytes, reverseBytes(uintToBytes(initProof.scalar)));
+
+ bytes1 zeroByte = 0x00;
+ serializeBytes = abi.encodePacked(
+ serializeBytes, zeroByte, zeroByte, zeroByte, zeroByte, zeroByte, zeroByte, zeroByte, zeroByte
+ );
+
+ return BBS.hashToScalar(serializeBytes, dst);
+ }
 }
diff --git a/test/bbs_verify.t.sol b/test/bbs_verify.t.sol
index 6795d85..e031ce0 100644
--- a/test/bbs_verify.t.sol
+++ b/test/bbs_verify.t.sol
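Review bot: The presentation header is hard-wired to empty in `proofChallengeCalculate` — the eight `zeroByte`s appended just before `BBS.hashToScalar` encode a zero header length with no header bytes after it — so a caller has no way to bind a verifier-chosen nonce or context into the challenge, and a proof that verifies once against this contract presumably verifies again unchanged. If a presentation header is intended, add `bytes memory ph` as a fourth parameter and replace the zero-byte block with `serializeBytes = abi.encodePacked(serializeBytes, uint64ToBytes(ph.length), ph);`, keeping a three-argument overload that forwards `""` so the current test vector still matches. A NatSpec comment stating the exact byte layout being hashed — the 8-byte count `R`, each `(index, message)` pair, the five `InitProof` points, the scalar, then the 8-byte header length — would also help, because the digest must byte-match whatever off-chain prover produced the vector and the `reverseBytes(uintToBytes(...))` scalar form is not the big-endian `I2OSP` serialization of the IETF BBS draft, which a reader may otherwise assume.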
@@ -66,51 +66,51 @@ contract BBS_VerifierTest is Test { ); proof.aBar = Pairing.G1Point( - uint256(6405963818894633512500488485232508461378863995899784310159600027918894808450), - uint256(8976186955010952831213034715487042244047720417741586958901326448590421470686) + uint256(17705900040482640200318765868397816899423300068827258330107828571873441470719), + uint256(7713906401864379473036154127800301923576930562959621253303600800199073334118) ); proof.bBar = Pairing.G1Point( - uint256(20165648201113026371430497168052996075094578039962696784870673007236807447067), - uint256(15010509405116757220749160832711172483289539657444644690137500000544227154801) + uint256(21727344193746663605105815693486793700736011477614477583899999224491814279994), + uint256(3107868243865832229708730395440182823160504417487161073020576660932813536129) ); proof.d = Pairing.G1Point( - uint256(8986957979244676392051663251797981277637103251452242096971902552631567790191), - uint256(21120558285122285912951039627072415411354366752130407371763240496977100489948) + uint256(15259877521667048732653966731531866330870155623999372073511953831671978329220), + uint256(10346279138881905705140583326619164208036592391424952436660826945178815367429) ); - proof.eCap = uint256(8675267513335268564640199227119950771150574365311777097870283344565947314651); - proof.r1Cap = uint256(7567563490779567628541285166340704410484294369535452470113693232508505968543); - proof.r3Cap = uint256(6579392919885006733769637005960889292350613654261021230838611689415221842234); - proof.challenge = uint256(8346917860180351912122859828930931080929880512023462426888094268487507390109); + proof.eCap = uint256(895560299474401253372773501875631392367182095767290314841076259590095084586); + proof.r1Cap = uint256(11193219439787925012791936928927829256760578552338662201715987339199095941227); + proof.r3Cap = uint256(15267152252107021640270952755495037380174121953972815385187286027940019996824); + proof.challenge = 
uint256(17070931957668459394149291496811547077907740596908548642717845173554837520766); proof.commitments = new uint256[](28); - proof.commitments[0] = uint256(2702212026708064668680820999991819119461144522549944570848881264924467265370); - proof.commitments[1] = uint256(9951093828808715651455795452755499666553659710387634719962899685546746257812); - proof.commitments[2] = uint256(10466473285505616592863382050828925783491498080204645291749684543922647188359); - proof.commitments[3] = uint256(11647411734432345603687929919718097401384913900793335744335975335617836941396); - proof.commitments[4] = uint256(889819536473615921284543703458474494418655513103839422287234270915254427082); - proof.commitments[5] = uint256(14809770328189882521243594516411309928620411911591523774115223885658772468350); - proof.commitments[6] = uint256(20827374717310709384196104411147304205881827420653807527774691616991165323775); - proof.commitments[7] = uint256(20430498204175443137065871938691889899807209606593258682388622664306592738519); - proof.commitments[8] = uint256(8440047075924652272217920567758220876907505122526506623639333860278579028807); - proof.commitments[9] = uint256(10331272704373571494424124761352004081813570247859708340977111866603298152006); - proof.commitments[10] = uint256(4424643989958915777531494388391369392418771555609501248316886177866621444281); - proof.commitments[11] = uint256(14342612567722663968404054250182249086021657201522936963314232636815885211754); - proof.commitments[12] = uint256(19502957182375035057804027914696251295218916055867868398404116245497505502969); - proof.commitments[13] = uint256(20000770782156659477874298727837229601899236556542299299938037866478435375587); - proof.commitments[14] = uint256(5255336896708911438653474127365619748367522378591322723484646696848992213292); - proof.commitments[15] = uint256(17414891979291727307071999526973202091218538875465302903840250298283414903362); - proof.commitments[16] = 
uint256(9600540485590321058770353731278707803707681892696919432191533747652742054515); - proof.commitments[17] = uint256(16486071762460512779493206924454849372151732219743856809986864954172148634836); - proof.commitments[18] = uint256(1926617413971009252731283527687644753066744497192535884461181846306258010129); - proof.commitments[19] = uint256(2262062394931760163151954900833180864498508712076710706034466878828711333901); - proof.commitments[20] = uint256(20371538334959871318633549377207376271498356467712435292202616825263726667621); - proof.commitments[21] = uint256(20369629430137390878137334804812733625345401736661711344876745604654980637311); - proof.commitments[22] = uint256(6916439658839487731895113824684631674521127493094818665157808992827131001738); - proof.commitments[23] = uint256(21588973014781210848662068436493273480831067525772880555083280778410975311779); - proof.commitments[24] = uint256(15896818343906752017216463585162535310986673909098312069355752066312700293640); - proof.commitments[25] = uint256(1512771494487729598501533498739421069638607180348389572136370284135009303676); - proof.commitments[26] = uint256(20468515975599440828862099187772373806433851030235132129499407412237086546704); - proof.commitments[27] = uint256(19433568231418556091277674380881556156275713380717029637629952481624104051955); + proof.commitments[0] = uint256(19095727655211535891907424632625597788660896504069139787113033189477200901164); + proof.commitments[1] = uint256(19376086836081848875356199522059787747649523185103503820918546873546803656837); + proof.commitments[2] = uint256(294630661519046963443548105138813757424736295965011860489516719425258301868); + proof.commitments[3] = uint256(2669991038723578516998124743106790553264755193437596445025159197580315246913); + proof.commitments[4] = uint256(9347384312453102707431895387088312145715418559983462799650963982682084827252); + proof.commitments[5] = 
uint256(10423402888507524428295410032922396350307052955495214158940561611559586857682); + proof.commitments[6] = uint256(21667666739487631443855567302732869873626852318523924021971922974064015548203); + proof.commitments[7] = uint256(2391574914373737044908304675905879726184592881619003159020770247137231086890); + proof.commitments[8] = uint256(6278153666110445575600940082413845807068412500507616321015839605239269964481); + proof.commitments[9] = uint256(17407116680557453084774309595190475554418201715886488721842472385513811947490); + proof.commitments[10] = uint256(8501318769770573792305740921919152496772914721536223890699332307683117426648); + proof.commitments[11] = uint256(10051701914974888853862296233599397109887353152719520271166239879253384300084); + proof.commitments[12] = uint256(4629893339370850175540759987958849789651933707400277961494579665229717132314); + proof.commitments[13] = uint256(19733193495966317727151773873301557383437837661981698399123721056474042649121); + proof.commitments[14] = uint256(16581440502746205531254170374821787090797536920805429488227888885103068899696); + proof.commitments[15] = uint256(4648351001408854396093087060766510007903087217506064759222363505293687917509); + proof.commitments[16] = uint256(5232978090956285957326199431497654863020266920439885149705611444557525841377); + proof.commitments[17] = uint256(10378971376370607204122093933171648619962601242767826857548254941729314144779); + proof.commitments[18] = uint256(10636096558455749185044536222842024797504005940994930068820626467354940043941); + proof.commitments[19] = uint256(13014117807481833912707217404666717118061234026083047800320547313575178119938); + proof.commitments[20] = uint256(9468061149785714375845841584548255079305964111362932915002031399165874890540); + proof.commitments[21] = uint256(12080296571110568157656356440360410776064799132442611756186811013992503842789); + proof.commitments[22] = 
uint256(8406199401805359744205934469936213843102959323070335564794326616494411213164); + proof.commitments[23] = uint256(13146762841746050965674929823955906169083360848059985425714661251008235930384); + proof.commitments[24] = uint256(18062184243758250054044805146678460481140799371280738494887026946927689738624); + proof.commitments[25] = uint256(4689669766214571146361709842956272925578589085257066757670840626355289827344); + proof.commitments[26] = uint256(19717012933748023731747259246552232456988022985282562051094427191782572854304); + proof.commitments[27] = uint256(19403246504848923420955727303103540860884754495247099508968984133479080201474); } function test_verify() public { 
@@ -136,24 +136,24 @@ contract BBS_VerifierTest is Test { BBS_Verifier.InitProof memory initProof; initProof.points[0] = Pairing.G1Point( - uint256(6405963818894633512500488485232508461378863995899784310159600027918894808450), - uint256(8976186955010952831213034715487042244047720417741586958901326448590421470686) + uint256(17705900040482640200318765868397816899423300068827258330107828571873441470719), + uint256(7713906401864379473036154127800301923576930562959621253303600800199073334118) ); initProof.points[1] = Pairing.G1Point( - uint256(20165648201113026371430497168052996075094578039962696784870673007236807447067), - uint256(15010509405116757220749160832711172483289539657444644690137500000544227154801) + uint256(21727344193746663605105815693486793700736011477614477583899999224491814279994), + uint256(3107868243865832229708730395440182823160504417487161073020576660932813536129) ); initProof.points[2] = Pairing.G1Point( - uint256(8986957979244676392051663251797981277637103251452242096971902552631567790191), - uint256(21120558285122285912951039627072415411354366752130407371763240496977100489948) + uint256(15259877521667048732653966731531866330870155623999372073511953831671978329220), + uint256(10346279138881905705140583326619164208036592391424952436660826945178815367429) ); initProof.points[3] = Pairing.G1Point( - uint256(10221517336427972967325634662943840604738151939735544266952774190214659671333), - uint256(13984121971721795091087156416346121756648495155789225939028887459631915872143) + uint256(9450541227839351281812164523351865265510569098677555890572077252104786626690), + uint256(9197258858130081208441965628507147760561818479091872534935021928583764617680) ); initProof.points[4] = Pairing.G1Point( - uint256(1268252398698990105054652648653643548517694847305359088485160879175965022590), - uint256(5758202331860613259065935441803511633962840631799737908661333197365656104405) + uint256(5816804290213296793101908964222774752394739247046217083058295650122051844227), + 
uint256(1590091680226237410825658942611263221992039739303345139797440692938537664171) ); initProof.scalar = uint256(4661402122534330745222086575742781481159552639583525480514127238648290568236); 
@@ -165,6 +165,47 @@ contract BBS_VerifierTest is Test {
 assert(initProof.points[4].X == init_output.points[4].X);
 assert(initProof.points[4].Y == init_output.points[4].Y);
 }
+
+ function testProofChallengeCalculate() public {
+ BBS_Verifier verifier;
+ verifier = new BBS_Verifier();
+ uint256[] memory disclosed_msg = new uint256[](3);
+ disclosed_msg[0] = 2266124219189018131;
+ disclosed_msg[1] = 15553430782966677989;
+ disclosed_msg[2] = 4743228516788447402;
+
+ uint8[] memory disclosed_indices = new uint8[](3);
+ disclosed_indices[0] = 0;
+ disclosed_indices[1] = 1;
+ disclosed_indices[2] = 5;
+
+ BBS_Verifier.InitProof memory initProof;
+ initProof.points[0] = Pairing.G1Point(
+ uint256(17705900040482640200318765868397816899423300068827258330107828571873441470719),
+ uint256(7713906401864379473036154127800301923576930562959621253303600800199073334118)
+ );
+ initProof.points[1] = Pairing.G1Point(
+ uint256(21727344193746663605105815693486793700736011477614477583899999224491814279994),
+ uint256(3107868243865832229708730395440182823160504417487161073020576660932813536129)
+ );
+ initProof.points[2] = Pairing.G1Point(
+ uint256(15259877521667048732653966731531866330870155623999372073511953831671978329220),
+ uint256(10346279138881905705140583326619164208036592391424952436660826945178815367429)
+ );
+ initProof.points[3] = Pairing.G1Point(
+ uint256(9450541227839351281812164523351865265510569098677555890572077252104786626690),
+ uint256(9197258858130081208441965628507147760561818479091872534935021928583764617680)
+ );
+ initProof.points[4] = Pairing.G1Point(
+ uint256(5816804290213296793101908964222774752394739247046217083058295650122051844227),
+ uint256(1590091680226237410825658942611263221992039739303345139797440692938537664171)
+ );
+ initProof.scalar = uint256(4661402122534330745222086575742781481159552639583525480514127238648290568236);
+
+ uint256 challenge = verifier.proofChallengeCalculate(initProof, disclosed_msg, disclosed_indices);
+
+ assert(challenge == uint256(17070931957668459394149291496811547077907740596908548642717845173554837520766));
+ }
 }
 
 contract hashToCurve is Test {
diff --git a/test_vector.txt b/test_vector.txt
index 6619d21..366d4e9 100644
--- a/test_vector.txt
+++ b/test_vector.txt
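Review bot: The `require(disclosedMsg.length == disclosedIndices.length, "invalid length")` added in `src/bbs_verify.sol` is never exercised — `testProofChallengeCalculate` only checks the happy path against the vector, so dropping that guard would not fail any test. A second case with `vm.expectRevert("invalid length");` (the contract `is Test`, so Foundry's cheatcodes are in scope) followed by a call that passes a two-element `disclosed_indices` alongside the three `disclosed_msg` values would cover it. Using `assertEq(challenge, uint256(17070931957668459394149291496811547077907740596908548642717845173554837520766));` instead of the bare `assert(...)` would also report both values when the vector drifts, and since the five points and scalar appear to repeat the `initProof` fixture of the preceding test (partly visible in the hunk above), a shared setup helper would keep the two copies from diverging.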
@@ -68,44 +68,45 @@ generator : "(584960847164189693268905025930726582389627207235179506559053131103 generator : "(393432175667211108483070939793661330735615114668362658763611056763370352241, 19985271941600432926866508116673625261827724078554764982827712024353220929168)" signature.A : "(16605941458272293469898459593559962462499885703597334825353004900710945536242, 15276896411257112930580737499920866088375905247814230771366087132031781450435)" signature.E : "20145301027381071188604537375435971326340204640470956156185142406370688319043" -proof.a : "(6405963818894633512500488485232508461378863995899784310159600027918894808450, 8976186955010952831213034715487042244047720417741586958901326448590421470686)" -proof.b : "(20165648201113026371430497168052996075094578039962696784870673007236807447067, 15010509405116757220749160832711172483289539657444644690137500000544227154801)" -proof.d : "(8986957979244676392051663251797981277637103251452242096971902552631567790191, 21120558285122285912951039627072415411354366752130407371763240496977100489948)" -proof.eCap : "8675267513335268564640199227119950771150574365311777097870283344565947314651" -proof.r1Cap : "7567563490779567628541285166340704410484294369535452470113693232508505968543" -proof.r3Cap : "6579392919885006733769637005960889292350613654261021230838611689415221842234" -proof.challenge : "8346917860180351912122859828930931080929880512023462426888094268487507390109" -proof.commitments[0] : "2702212026708064668680820999991819119461144522549944570848881264924467265370" -proof.commitments[1] : "9951093828808715651455795452755499666553659710387634719962899685546746257812" -proof.commitments[2] : "10466473285505616592863382050828925783491498080204645291749684543922647188359" -proof.commitments[3] : "11647411734432345603687929919718097401384913900793335744335975335617836941396" -proof.commitments[4] : "889819536473615921284543703458474494418655513103839422287234270915254427082" -proof.commitments[5] : 
"14809770328189882521243594516411309928620411911591523774115223885658772468350" -proof.commitments[6] : "20827374717310709384196104411147304205881827420653807527774691616991165323775" -proof.commitments[7] : "20430498204175443137065871938691889899807209606593258682388622664306592738519" -proof.commitments[8] : "8440047075924652272217920567758220876907505122526506623639333860278579028807" -proof.commitments[9] : "10331272704373571494424124761352004081813570247859708340977111866603298152006" -proof.commitments[10] : "4424643989958915777531494388391369392418771555609501248316886177866621444281" -proof.commitments[11] : "14342612567722663968404054250182249086021657201522936963314232636815885211754" -proof.commitments[12] : "19502957182375035057804027914696251295218916055867868398404116245497505502969" -proof.commitments[13] : "20000770782156659477874298727837229601899236556542299299938037866478435375587" -proof.commitments[14] : "5255336896708911438653474127365619748367522378591322723484646696848992213292" -proof.commitments[15] : "17414891979291727307071999526973202091218538875465302903840250298283414903362" -proof.commitments[16] : "9600540485590321058770353731278707803707681892696919432191533747652742054515" -proof.commitments[17] : "16486071762460512779493206924454849372151732219743856809986864954172148634836" -proof.commitments[18] : "1926617413971009252731283527687644753066744497192535884461181846306258010129" -proof.commitments[19] : "2262062394931760163151954900833180864498508712076710706034466878828711333901" -proof.commitments[20] : "20371538334959871318633549377207376271498356467712435292202616825263726667621" -proof.commitments[21] : "20369629430137390878137334804812733625345401736661711344876745604654980637311" -proof.commitments[22] : "6916439658839487731895113824684631674521127493094818665157808992827131001738" -proof.commitments[23] : "21588973014781210848662068436493273480831067525772880555083280778410975311779" -proof.commitments[24] : 
"15896818343906752017216463585162535310986673909098312069355752066312700293640" -proof.commitments[25] : "1512771494487729598501533498739421069638607180348389572136370284135009303676" -proof.commitments[26] : "20468515975599440828862099187772373806433851030235132129499407412237086546704" -proof.commitments[27] : "19433568231418556091277674380881556156275713380717029637629952481624104051955" -points[0] : "(6405963818894633512500488485232508461378863995899784310159600027918894808450, 8976186955010952831213034715487042244047720417741586958901326448590421470686)" -points[1] : "(20165648201113026371430497168052996075094578039962696784870673007236807447067, 15010509405116757220749160832711172483289539657444644690137500000544227154801)" -points[2] : "(8986957979244676392051663251797981277637103251452242096971902552631567790191, 21120558285122285912951039627072415411354366752130407371763240496977100489948)" -points[3] : "(10221517336427972967325634662943840604738151939735544266952774190214659671333, 13984121971721795091087156416346121756648495155789225939028887459631915872143)" -points[4] : "(1268252398698990105054652648653643548517694847305359088485160879175965022590, 5758202331860613259065935441803511633962840631799737908661333197365656104405)" -scalar : "4661402122534330745222086575742781481159552639583525480514127238648290568236" \ No newline at end of file +proof.a : "(17705900040482640200318765868397816899423300068827258330107828571873441470719, 7713906401864379473036154127800301923576930562959621253303600800199073334118)" +proof.b : "(21727344193746663605105815693486793700736011477614477583899999224491814279994, 3107868243865832229708730395440182823160504417487161073020576660932813536129)" +proof.d : "(15259877521667048732653966731531866330870155623999372073511953831671978329220, 10346279138881905705140583326619164208036592391424952436660826945178815367429)" +proof.eCap : "895560299474401253372773501875631392367182095767290314841076259590095084586" +proof.r1Cap : 
"11193219439787925012791936928927829256760578552338662201715987339199095941227" +proof.r3Cap : "15267152252107021640270952755495037380174121953972815385187286027940019996824" +proof.challenge : "17070931957668459394149291496811547077907740596908548642717845173554837520766" +proof.commitments[0] : "19095727655211535891907424632625597788660896504069139787113033189477200901164" +proof.commitments[1] : "19376086836081848875356199522059787747649523185103503820918546873546803656837" +proof.commitments[2] : "294630661519046963443548105138813757424736295965011860489516719425258301868" +proof.commitments[3] : "2669991038723578516998124743106790553264755193437596445025159197580315246913" +proof.commitments[4] : "9347384312453102707431895387088312145715418559983462799650963982682084827252" +proof.commitments[5] : "10423402888507524428295410032922396350307052955495214158940561611559586857682" +proof.commitments[6] : "21667666739487631443855567302732869873626852318523924021971922974064015548203" +proof.commitments[7] : "2391574914373737044908304675905879726184592881619003159020770247137231086890" +proof.commitments[8] : "6278153666110445575600940082413845807068412500507616321015839605239269964481" +proof.commitments[9] : "17407116680557453084774309595190475554418201715886488721842472385513811947490" +proof.commitments[10] : "8501318769770573792305740921919152496772914721536223890699332307683117426648" +proof.commitments[11] : "10051701914974888853862296233599397109887353152719520271166239879253384300084" +proof.commitments[12] : "4629893339370850175540759987958849789651933707400277961494579665229717132314" +proof.commitments[13] : "19733193495966317727151773873301557383437837661981698399123721056474042649121" +proof.commitments[14] : "16581440502746205531254170374821787090797536920805429488227888885103068899696" +proof.commitments[15] : "4648351001408854396093087060766510007903087217506064759222363505293687917509" +proof.commitments[16] : 
"5232978090956285957326199431497654863020266920439885149705611444557525841377" +proof.commitments[17] : "10378971376370607204122093933171648619962601242767826857548254941729314144779" +proof.commitments[18] : "10636096558455749185044536222842024797504005940994930068820626467354940043941" +proof.commitments[19] : "13014117807481833912707217404666717118061234026083047800320547313575178119938" +proof.commitments[20] : "9468061149785714375845841584548255079305964111362932915002031399165874890540" +proof.commitments[21] : "12080296571110568157656356440360410776064799132442611756186811013992503842789" +proof.commitments[22] : "8406199401805359744205934469936213843102959323070335564794326616494411213164" +proof.commitments[23] : "13146762841746050965674929823955906169083360848059985425714661251008235930384" +proof.commitments[24] : "18062184243758250054044805146678460481140799371280738494887026946927689738624" +proof.commitments[25] : "4689669766214571146361709842956272925578589085257066757670840626355289827344" +proof.commitments[26] : "19717012933748023731747259246552232456988022985282562051094427191782572854304" +proof.commitments[27] : "19403246504848923420955727303103540860884754495247099508968984133479080201474" +points[0] : "(17705900040482640200318765868397816899423300068827258330107828571873441470719, 7713906401864379473036154127800301923576930562959621253303600800199073334118)" +points[1] : "(21727344193746663605105815693486793700736011477614477583899999224491814279994, 3107868243865832229708730395440182823160504417487161073020576660932813536129)" +points[2] : "(15259877521667048732653966731531866330870155623999372073511953831671978329220, 10346279138881905705140583326619164208036592391424952436660826945178815367429)" +points[3] : "(9450541227839351281812164523351865265510569098677555890572077252104786626690, 9197258858130081208441965628507147760561818479091872534935021928583764617680)" +points[4] : 
"(5816804290213296793101908964222774752394739247046217083058295650122051844227, 1590091680226237410825658942611263221992039739303345139797440692938537664171)" +scalar : "4661402122534330745222086575742781481159552639583525480514127238648290568236" +challenge : "17070931957668459394149291496811547077907740596908548642717845173554837520766" \ No newline at end of file