mpt-crypto
Confidential Multi-Purpose Tokens Cryptographic Library
Zero-Knowledge Proof of Knowledge of Plaintext and Randomness.
#include "secp256k1_mpt.h"#include <openssl/sha.h>#include <openssl/rand.h>#include <string.h>#include <stdlib.h>
Functions | |
| static int | pubkey_equal (const secp256k1_context *ctx, const secp256k1_pubkey *pk1, const secp256k1_pubkey *pk2) |
| static int | generate_random_scalar (const secp256k1_context *ctx, unsigned char *scalar) |
| static int | compute_amount_point (const secp256k1_context *ctx, secp256k1_pubkey *mG, uint64_t amount) |
| static void | compute_challenge_equality (const secp256k1_context *ctx, unsigned char *e_out, const secp256k1_pubkey *c1, const secp256k1_pubkey *c2, const secp256k1_pubkey *pk, const secp256k1_pubkey *mG, const secp256k1_pubkey *T1, const secp256k1_pubkey *T2, const unsigned char *tx_context_id) |
| int | secp256k1_equality_plaintext_prove (const secp256k1_context *ctx, unsigned char *proof, const secp256k1_pubkey *c1, const secp256k1_pubkey *c2, const secp256k1_pubkey *pk_recipient, uint64_t amount, const unsigned char *randomness_r, const unsigned char *tx_context_id) |
| Generates a proof that an ElGamal ciphertext correctly encrypts a known plaintext m and that the prover knows the randomness r. | |
| int | secp256k1_equality_plaintext_verify (const secp256k1_context *ctx, const unsigned char *proof, const secp256k1_pubkey *c1, const secp256k1_pubkey *c2, const secp256k1_pubkey *pk_recipient, uint64_t amount, const unsigned char *tx_context_id) |
| Verifies a proof of knowledge of plaintext and randomness. | |
Zero-Knowledge Proof of Knowledge of Plaintext and Randomness.
This module implements a Sigma protocol (Chaum-Pedersen style) to prove that an ElGamal ciphertext \( (C_1, C_2) \) encrypts a specific known plaintext \( m \) under a public key \( P \), and that the prover knows the randomness \( r \) used in the encryption.
Statement: The prover demonstrates knowledge of \( r \in \mathbb{Z}_q \) such that:
\[ C_1 = r \cdot G \]
\[ C_2 = m \cdot G + r \cdot P \]
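Protocol:
1. Commitment: the prover picks a fresh random scalar \( t \in \mathbb{Z}_q \) and computes:
\[ T_1 = t \cdot G \]
\[ T_2 = t \cdot P \]
2. Challenge (Fiat-Shamir; the challenge is derived by hashing the transcript):
\[ e = H(\text{"MPT_POK_PLAINTEXT_PROOF"} \parallel C_1 \parallel C_2 \parallel P \parallel T_1 \parallel T_2 \parallel \dots) \]
The inputs elided by \( \dots \) are not spelled out here. The signature of compute_challenge_equality shows that the amount point \( m \cdot G \) and tx_context_id are also passed to the challenge computation; their position in the hash input is not shown on this page.
3. Response:
\[ s = t + e \cdot r \pmod{q} \]
Because \( s = t + e \cdot r \), the scalar \( t \) must stay secret and be used for one proof only; a known or repeated \( t \) allows \( r \) to be solved for from \( s \) and \( e \).
4. Verification: the verifier recomputes \( e \) and accepts only if both equations hold:
\[ s \cdot G \stackrel{?}{=} T_1 + e \cdot C_1 \]
\[ s \cdot P \stackrel{?}{=} T_2 + e \cdot (C_2 - m \cdot G) \]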
Context: This proof is used in ConfidentialMPTConvert (explicit randomness verification) and ConfidentialMPTClawback (where the issuer proves the ciphertext matches a revealed amount using their secret key, a variant of this logic).
Definition in file equality_proof.c.
|
static |
|
static |
Streaming Hash Builder (Avoids large stack buffers)
Definition at line 72 of file equality_proof.c.


| int secp256k1_equality_plaintext_prove | ( | const secp256k1_context * | ctx, |
| unsigned char * | proof, | ||
| const secp256k1_pubkey * | c1, | ||
| const secp256k1_pubkey * | c2, | ||
| const secp256k1_pubkey * | pk_recipient, | ||
| uint64_t | amount, | ||
| const unsigned char * | randomness_r, | ||
| const unsigned char * | tx_context_id ) |
Generates a proof that an ElGamal ciphertext correctly encrypts a known plaintext m and that the prover knows the randomness r.
| [in] | ctx | A pointer to a valid secp256k1 context object, initialized for signing. |
| [out] | proof | A pointer to a 98-byte buffer to store the proof (T1 [33 bytes] || T2 [33 bytes] || s [32 bytes]). |
| [in] | c1 | The C1 component of the ciphertext (r*G). |
| [in] | c2 | The C2 component of the ciphertext (m*G + r*Pk). |
| [in] | pk_recipient | The public key used for encryption. |
| [in] | amount | The known plaintext value m. |
| [in] | randomness_r | The 32-byte secret random scalar r used in encryption. |
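| [in] | tx_context_id | A 32-byte unique identifier for the transaction context. It is an input to the challenge computation (compute_challenge_equality), which binds the proof to this context. |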
Definition at line 115 of file equality_proof.c.

| int secp256k1_equality_plaintext_verify | ( | const secp256k1_context * | ctx, |
| const unsigned char * | proof, | ||
| const secp256k1_pubkey * | c1, | ||
| const secp256k1_pubkey * | c2, | ||
| const secp256k1_pubkey * | pk_recipient, | ||
| uint64_t | amount, | ||
| const unsigned char * | tx_context_id ) |
Verifies a proof of knowledge of plaintext and randomness.
Checks if the proof correctly demonstrates that (C1, C2) encrypts m under pk_recipient.
| [in] | ctx | A pointer to a valid secp256k1 context object, initialized for verification. |
| [in] | proof | A pointer to the 98-byte proof to verify. |
| [in] | c1 | The C1 component of the ciphertext. |
| [in] | c2 | The C2 component of the ciphertext. |
| [in] | pk_recipient | The public key used for encryption. |
| [in] | amount | The known plaintext value m. |
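| [in] | tx_context_id | A 32-byte unique identifier for the transaction context. It is an input to the challenge computation (compute_challenge_equality), so it has to be the same value the prover used. |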
Definition at line 181 of file equality_proof.c.
