mpt-crypto
Confidential Multi-Purpose Tokens Cryptographic Library
proof_same_plaintext_multi_shared_r.c File Reference

Zero-Knowledge Proof of Plaintext Equality (1-to-N, Shared Randomness).

#include "secp256k1_mpt.h"
#include <openssl/sha.h>
#include <openssl/rand.h>
#include <string.h>
#include <stdlib.h>


Functions

static int pubkey_equal (const secp256k1_context *ctx, const secp256k1_pubkey *pk1, const secp256k1_pubkey *pk2)
static int generate_random_scalar (const secp256k1_context *ctx, unsigned char *scalar)
size_t secp256k1_mpt_proof_equality_shared_r_size (size_t n_recipients)
static void compute_challenge_equality_shared_r (const secp256k1_context *ctx, unsigned char *e_out, size_t n, const secp256k1_pubkey *C1, const secp256k1_pubkey *C2_vec, const secp256k1_pubkey *Pk_vec, const secp256k1_pubkey *Tr, const secp256k1_pubkey *Tm_vec, const unsigned char *context_id)
int secp256k1_mpt_prove_equality_shared_r (const secp256k1_context *ctx, unsigned char *proof_out, uint64_t amount, const unsigned char *r_shared, size_t n, const secp256k1_pubkey *C1, const secp256k1_pubkey *C2_vec, const secp256k1_pubkey *Pk_vec, const unsigned char *context_id)
int secp256k1_mpt_verify_equality_shared_r (const secp256k1_context *ctx, const unsigned char *proof, size_t n, const secp256k1_pubkey *C1, const secp256k1_pubkey *C2_vec, const secp256k1_pubkey *Pk_vec, const unsigned char *context_id)

Detailed Description

Zero-Knowledge Proof of Plaintext Equality (1-to-N, Shared Randomness).

This module implements an optimized multi-recipient Sigma protocol to prove that \( N \) distinct ElGamal ciphertexts encrypt the same plaintext amount \( m \) using the same randomness \( r \), but under different public keys.

Statement: Given a shared ephemeral key \( C_1 = r \cdot G \) and \( N \) components \( C_{2,i} = m \cdot G + r \cdot P_i \) (where \( P_i \) is the public key for recipient \( i \)), the prover demonstrates knowledge of scalars \( m, r \) such that all equations hold.

Optimization: Unlike the general "Multi-Statement" proof (where \( r_i \) varies), this variant enforces \( r_1 = r_2 = \dots = r_N = r \). This reduces the proof size significantly because we only need one response scalar \( s_r \) for the randomness, rather than \( N \).

Protocol:

  1. Commitments:
  • \( T_r = k_r \cdot G \) (Commitment to shared randomness nonce)
  • \( T_{m,i} = k_m \cdot G + k_r \cdot P_i \) (Commitment for each recipient)
  2. Challenge: \( e = H(\dots \parallel C_1 \parallel \{C_{2,i}, P_i\} \parallel T_r \parallel \{T_{m,i}\} \dots) \)
  3. Responses:
  • \( s_m = k_m + e \cdot m \)
  • \( s_r = k_r + e \cdot r \)
  4. Verification:
  • \( s_r \cdot G \stackrel{?}{=} T_r + e \cdot C_1 \)
  • For each \( i \): \( s_m \cdot G + s_r \cdot P_i \stackrel{?}{=} T_{m,i} + e \cdot C_{2,i} \)

Security Context: This is used for broadcast-style transactions where the sender wants to prove to multiple auditors or recipients that they are all receiving the exact same message/amount, efficiently.

See also
[Spec (ConfidentialMPT_20260201.pdf) Section 3.3.4] Proof of Equality of Plaintexts with Shared Randomness

Definition in file proof_same_plaintext_multi_shared_r.c.

Function Documentation

◆ compute_challenge_equality_shared_r()

static void compute_challenge_equality_shared_r ( const secp256k1_context * ctx,
unsigned char * e_out,
size_t n,
const secp256k1_pubkey * C1,
const secp256k1_pubkey * C2_vec,
const secp256k1_pubkey * Pk_vec,
const secp256k1_pubkey * Tr,
const secp256k1_pubkey * Tm_vec,
const unsigned char * context_id )

Definition at line 69 of file proof_same_plaintext_multi_shared_r.c.


◆ generate_random_scalar()

static int generate_random_scalar ( const secp256k1_context * ctx,
unsigned char * scalar )

Definition at line 54 of file proof_same_plaintext_multi_shared_r.c.


◆ pubkey_equal()

static int pubkey_equal ( const secp256k1_context * ctx,
const secp256k1_pubkey * pk1,
const secp256k1_pubkey * pk2 )

Definition at line 50 of file proof_same_plaintext_multi_shared_r.c.


◆ secp256k1_mpt_proof_equality_shared_r_size()

size_t secp256k1_mpt_proof_equality_shared_r_size ( size_t n)

Returns the size of the serialized proof for N recipients. Size: (1 + N) * 33 bytes for points + 2 * 32 bytes for scalars.

Definition at line 61 of file proof_same_plaintext_multi_shared_r.c.


◆ secp256k1_mpt_prove_equality_shared_r()

int secp256k1_mpt_prove_equality_shared_r ( const secp256k1_context * ctx,
unsigned char * proof_out,
uint64_t amount,
const unsigned char * r_shared,
size_t n,
const secp256k1_pubkey * C1,
const secp256k1_pubkey * C2_vec,
const secp256k1_pubkey * Pk_vec,
const unsigned char * context_id )

Generates a proof that multiple ciphertexts encrypt the same amount m using the SAME shared randomness r.

Definition at line 123 of file proof_same_plaintext_multi_shared_r.c.


◆ secp256k1_mpt_verify_equality_shared_r()

int secp256k1_mpt_verify_equality_shared_r ( const secp256k1_context * ctx,
const unsigned char * proof,
size_t n,
const secp256k1_pubkey * C1,
const secp256k1_pubkey * C2_vec,
const secp256k1_pubkey * Pk_vec,
const unsigned char * context_id )

Verifies the proof of equality with shared randomness.

Definition at line 234 of file proof_same_plaintext_multi_shared_r.c.
