Zero-Knowledge Proof of Plaintext Equality (1-to-N). More...
#include "secp256k1_mpt.h"#include <openssl/sha.h>#include <openssl/rand.h>#include <string.h>#include <stdlib.h>
Go to the source code of this file.
Functions | |
| static int | pubkey_equal (const secp256k1_context *ctx, const secp256k1_pubkey *pk1, const secp256k1_pubkey *pk2) |
| static int | generate_random_scalar (const secp256k1_context *ctx, unsigned char *scalar) |
| static void | compute_challenge_multi (const secp256k1_context *ctx, unsigned char *e_out, size_t n, const secp256k1_pubkey *R, const secp256k1_pubkey *S, const secp256k1_pubkey *Pk, const secp256k1_pubkey *Tm, const secp256k1_pubkey *TrG, const secp256k1_pubkey *TrP, const unsigned char *tx_id) |
| size_t | secp256k1_mpt_prove_same_plaintext_multi_size (size_t n) |
| Calculates the expected proof size for a given number of ciphertexts. | |
| int | secp256k1_mpt_prove_same_plaintext_multi (const secp256k1_context *ctx, unsigned char *proof_out, size_t *proof_len, uint64_t amount_m, size_t n, const secp256k1_pubkey *R, const secp256k1_pubkey *S, const secp256k1_pubkey *Pk, const unsigned char *r_array, const unsigned char *tx_id) |
| Generates a proof that N ciphertexts encrypt the same secret amount 'm'. | |
| int | secp256k1_mpt_verify_same_plaintext_multi (const secp256k1_context *ctx, const unsigned char *proof, size_t proof_len, size_t n, const secp256k1_pubkey *R, const secp256k1_pubkey *S, const secp256k1_pubkey *Pk, const unsigned char *tx_id) |
| Verifies a proof that N ciphertexts encrypt the same secret amount. | |
Detailed Description
Zero-Knowledge Proof of Plaintext Equality (1-to-N).
This module implements a generalized multi-statement Sigma protocol to prove that \( N \) distinct ElGamal ciphertexts all encrypt the same underlying plaintext amount \( m \), using distinct randomness \( r_i \) for each.
Statement: Given \( N \) ciphertexts \( (R_i, S_i) \) encrypted under public keys \( P_i \), the prover demonstrates knowledge of scalars \( m \) and \( \{r_1, \dots, r_N\} \) such that for all \( i \in [1, N] \):
- \( R_i = r_i \cdot G \)
- \( S_i = m \cdot G + r_i \cdot P_i \)
Protocol (Shared Amount Nonce): The efficiency gain comes from reusing the random nonce for the amount ( \( k_m \)) across all \( N \) proofs, tying them mathematically to the same value \( m \).
- Commitments:
- \( T_m = k_m \cdot G \) (Shared commitment to amount nonce)
- For each \( i \):
- \( T_{r,G}^{(i)} = k_{r,i} \cdot G \)
- \( T_{r,P}^{(i)} = k_{r,i} \cdot P_i \)
- Challenge:
\[ e = H(\dots \parallel T_m \parallel \{T_{r,G}^{(i)}, T_{r,P}^{(i)}\}_{i=1}^N \parallel \dots) \]
- Responses:
- \( s_m = k_m + e \cdot m \) (Shared response for amount)
- For each \( i \): \( s_{r,i} = k_{r,i} + e \cdot r_i \)
- Verification: For each \( i \in [1, N] \), the verifier checks:
- \( s_{r,i} \cdot G \stackrel{?}{=} T_{r,G}^{(i)} + e \cdot R_i \)
- \( s_m \cdot G + s_{r,i} \cdot P_i \stackrel{?}{=} T_m + T_{r,P}^{(i)} + e \cdot S_i \)
Security Context: This is crucial for "fan-out" transactions or auditing scenarios where a single value must be proven correct against multiple encrypted destinations simultaneously, ensuring consistency without revealing the value.
- See also
- [Spec (ConfidentialMPT_20260106.pdf) Section 3.3.4] Generalization for Multiple Ciphertexts
Definition in file proof_same_plaintext_multi.c.
Function Documentation
◆ compute_challenge_multi()
|
static |
Definition at line 67 of file proof_same_plaintext_multi.c.
◆ generate_random_scalar()
|
static |
Definition at line 57 of file proof_same_plaintext_multi.c.
◆ pubkey_equal()
|
static |
Definition at line 53 of file proof_same_plaintext_multi.c.
◆ secp256k1_mpt_prove_same_plaintext_multi()
| int secp256k1_mpt_prove_same_plaintext_multi | ( | const secp256k1_context * | ctx, |
| unsigned char * | proof_out, | ||
| size_t * | proof_len, | ||
| uint64_t | amount_m, | ||
| size_t | n_ciphertexts, | ||
| const secp256k1_pubkey * | R_array, | ||
| const secp256k1_pubkey * | S_array, | ||
| const secp256k1_pubkey * | Pk_array, | ||
| const unsigned char * | r_array, | ||
| const unsigned char * | tx_context_id ) |
Generates a proof that N ciphertexts encrypt the same secret amount 'm'.
- Parameters
-
[in] ctx A pointer to a valid secp256k1 context. [out] proof_out A pointer to a buffer to store the proof. [in,out] proof_len Input: buffer size. Output: actual proof size. [in] amount_m The secret common uint64_t plaintext value 'm'. [in] n_ciphertexts The number (N) of ciphertexts. [in] R_array Array of N 'R' points (C1 components). [in] S_array Array of N 'S' points (C2 components). [in] Pk_array Array of N recipient public keys. [in] r_array Array of N 32-byte secret scalars (randomness). [in] tx_context_id 32-byte unique transaction identifier.
- Returns
- 1 on success, 0 on failure.
Definition at line 135 of file proof_same_plaintext_multi.c.
◆ secp256k1_mpt_prove_same_plaintext_multi_size()
| size_t secp256k1_mpt_prove_same_plaintext_multi_size | ( | size_t | n | ) |
Calculates the expected proof size for a given number of ciphertexts.
Definition at line 130 of file proof_same_plaintext_multi.c.
◆ secp256k1_mpt_verify_same_plaintext_multi()
| int secp256k1_mpt_verify_same_plaintext_multi | ( | const secp256k1_context * | ctx, |
| const unsigned char * | proof, | ||
| size_t | proof_len, | ||
| size_t | n, | ||
| const secp256k1_pubkey * | R, | ||
| const secp256k1_pubkey * | S, | ||
| const secp256k1_pubkey * | Pk, | ||
| const unsigned char * | tx_id ) |
Verifies a proof that N ciphertexts encrypt the same secret amount.
Definition at line 250 of file proof_same_plaintext_multi.c.
