-
Notifications
You must be signed in to change notification settings - Fork 52
/
Copy pathCoinSpend.cpp
92 lines (76 loc) · 4.01 KB
/
CoinSpend.cpp
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
/**
* @file CoinSpend.cpp
*
* @brief CoinSpend class for the Zerocoin library.
*
* @author Ian Miers, Christina Garman and Matthew Green
* @date June 2013
*
* @copyright Copyright 2013 Ian Miers, Christina Garman and Matthew Green
* @license This project is released under the MIT license.
**/
#include "Zerocoin.h"
namespace libzerocoin {
CoinSpend::CoinSpend(const Params* p, const PrivateCoin& coin,
Accumulator& a, const AccumulatorWitness& witness, const SpendMetaData& m):
params(p),
denomination(coin.getPublicCoin().getDenomination()),
coinSerialNumber((coin.getSerialNumber())),
accumulatorPoK(&p->accumulatorParams),
serialNumberSoK(p),
commitmentPoK(&p->serialNumberSoKCommitmentGroup, &p->accumulatorParams.accumulatorPoKCommitmentGroup) {
// Sanity check: let's verify that the Witness is valid with respect to
// the coin and Accumulator provided.
if (!(witness.VerifyWitness(a, coin.getPublicCoin()))) {
throw ZerocoinException("Accumulator witness does not verify");
}
// The serial # needs to be within the specified range our else it can be incremented by the modulus and create another valid proof
if (!HasValidSerial()) {
throw ZerocoinException("Invalid serial # range");
}
// 1: Generate two separate commitments to the public coin (C), each under
// a different set of public parameters. We do this because the RSA accumulator
// has specific requirements for the commitment parameters that are not
// compatible with the group we use for the serial number proof.
// Specifically, our serial number proof requires the order of the commitment group
// to be the same as the modulus of the upper group. The Accumulator proof requires a
// group with a significantly larger order.
const Commitment fullCommitmentToCoinUnderSerialParams(&p->serialNumberSoKCommitmentGroup, coin.getPublicCoin().getValue());
this->serialCommitmentToCoinValue = fullCommitmentToCoinUnderSerialParams.getCommitmentValue();
const Commitment fullCommitmentToCoinUnderAccParams(&p->accumulatorParams.accumulatorPoKCommitmentGroup, coin.getPublicCoin().getValue());
this->accCommitmentToCoinValue = fullCommitmentToCoinUnderAccParams.getCommitmentValue();
// 2. Generate a ZK proof that the two commitments contain the same public coin.
this->commitmentPoK = CommitmentProofOfKnowledge(&p->serialNumberSoKCommitmentGroup, &p->accumulatorParams.accumulatorPoKCommitmentGroup, fullCommitmentToCoinUnderSerialParams, fullCommitmentToCoinUnderAccParams);
// Now generate the two core ZK proofs:
// 3. Proves that the committed public coin is in the Accumulator (PoK of "witness")
this->accumulatorPoK = AccumulatorProofOfKnowledge(&p->accumulatorParams, fullCommitmentToCoinUnderAccParams, witness, a);
// 4. Proves that the coin is correct w.r.t. serial number and hidden coin secret
// (This proof is bound to the coin 'metadata', i.e., transaction hash)
this->serialNumberSoK = SerialNumberSignatureOfKnowledge(p, coin, fullCommitmentToCoinUnderSerialParams, signatureHash(m));
}
const Bignum&
CoinSpend::getCoinSerialNumber() {
return this->coinSerialNumber;
}
const CoinDenomination
CoinSpend::getDenomination() {
return static_cast<CoinDenomination>(this->denomination);
}
bool
CoinSpend::Verify(const Accumulator& a, const SpendMetaData &m) const {
// Verify both of the sub-proofs using the given meta-data
return (a.getDenomination() == this->denomination)
&& commitmentPoK.Verify(serialCommitmentToCoinValue, accCommitmentToCoinValue)
&& accumulatorPoK.Verify(a, accCommitmentToCoinValue)
&& serialNumberSoK.Verify(coinSerialNumber, serialCommitmentToCoinValue, signatureHash(m));
}
const uint256 CoinSpend::signatureHash(const SpendMetaData &m) const {
CHashWriter h(0,0);
h << m << serialCommitmentToCoinValue << accCommitmentToCoinValue << commitmentPoK << accumulatorPoK;
return h.GetHash();
}
bool CoinSpend::HasValidSerial() const
{
return coinSerialNumber > 0 && coinSerialNumber < params->coinCommitmentGroup.groupOrder;
}
} /* namespace libzerocoin */