From 2c3e56ed49eb0febbdc57b6a891a40c5c879ea4b Mon Sep 17 00:00:00 2001
From: Lasse Letager Hansen
Date: Wed, 24 Apr 2024 18:10:39 +0200
Subject: [PATCH] Back to working, with better group trait
---
 ovn/proofs/ssprove/extraction/Hacspec_ovn.v | 604 +----------- .../extraction/Hacspec_ovn_Ovn_group.v | 484 ++++++++++ .../extraction/Hacspec_ovn_Ovn_secp256k1.v | 354 +++++++ .../extraction/Hacspec_ovn_Ovn_traits.v | 99 +- .../extraction/Hacspec_ovn_Ovn_z_89_.v | 121 ++- .../extraction/Hacspec_ovn_Ovn_zkgroup.v | 73 ++ .../Hacspec_ovn_Ovn_zkgroup_specific.v | 110 +++ .../ssprove/extraction/Hacspec_ovn_actual.v | 874 ++++++++++++++++++ .../ssprove/extraction/_expected_trait.v | 86 ++ ovn/src/lib.rs | 9 +- ovn/src/ovn_group.rs | 221 ++--- ovn/src/ovn_secp256k1.rs | 122 +-- ovn/src/ovn_traits.rs | 43 +- ovn/src/ovn_z_89.rs | 119 ++- ovn/src/ovn_zk_secp256k1.rs | 6 +- ovn/src/ovn_zkgroup.rs | 829 ++++++++--------- ovn/src/ovn_zkgroup_specific.rs | 457 +++++++++ ovn/tests/ovn_example.rs | 152 +-- ovn/tests/ovn_zk_example.rs | 49 +- 19 files changed, 3372 insertions(+), 1440 deletions(-) create mode 100644 ovn/proofs/ssprove/extraction/Hacspec_ovn_Ovn_group.v create mode 100644 ovn/proofs/ssprove/extraction/Hacspec_ovn_Ovn_secp256k1.v create mode 100644 ovn/proofs/ssprove/extraction/Hacspec_ovn_Ovn_zkgroup.v create mode 100644 ovn/proofs/ssprove/extraction/Hacspec_ovn_Ovn_zkgroup_specific.v create mode 100644 ovn/proofs/ssprove/extraction/Hacspec_ovn_actual.v create mode 100644 ovn/proofs/ssprove/extraction/_expected_trait.v create mode 100644 ovn/src/ovn_zkgroup_specific.rs
diff --git a/ovn/proofs/ssprove/extraction/Hacspec_ovn.v b/ovn/proofs/ssprove/extraction/Hacspec_ovn.v
index 8fe102e..e6bf326 100644
--- a/ovn/proofs/ssprove/extraction/Hacspec_ovn.v
+++ b/ovn/proofs/ssprove/extraction/Hacspec_ovn.v
@@ -4,7 +4,7 @@ From Crypt Require Import choice_type Package Prelude.
 Import PackageNotation.
 From extructures Require Import ord fset.
 From mathcomp Require Import word_ssrZ word.
-From Jasmin Require Import word.
+(* From Jasmin Require Import word. *)
 From Coq Require Import ZArith.
 From Coq Require Import Strings.String.
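Review bot: The Jasmin import is left behind as commented-out code with no explanation of why it was disabled, so a reader cannot tell whether it clashes with the `word` module imported from mathcomp on the line just above or is simply no longer needed. Either drop the line or replace it with a one-line comment that states the reason it must stay out. Separately, if Hacspec_ovn.v is produced by the hax extraction (the `(*Not implemented yet? todo(item)*)` markers in the following hunk suggest generated output), this hand edit is likely to be overwritten on the next extraction run, and the change may belong in whatever emits the file's header instead.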
@@ -24,610 +24,14 @@ Import choice.Choice.Exports. Obligation Tactic := (* try timeout 8 *) solve_ssprove_obligations. -Require Import Hacspec_ovn_Ovn_traits. -Export Hacspec_ovn_Ovn_traits. - (*Not implemented yet? todo(item)*) (*Not implemented yet? todo(item)*) (*Not implemented yet? todo(item)*) -Context (v_Z : choice_type) (v_G : choice_type) (v_A : choice_type). -Context {n : both (uint_size)}. -Context (v_Z_t_Sized : t_Sized (v_Z)) (v_G_t_Sized : t_Sized (v_G)) `{ t_Sized (v_A)}. -Context (v_Z_t_Z_Field : t_Z_Field (v_Z)) (v_G_v_Z_t_Group : @t_Group (v_G) (v_Z) v_Z_t_Z_Field) (v_A_t_HasActions : t_HasActions (v_A)) . - -Equations compute_group_element_for_vote (xi : both (f_field_type)) (vote : both ('bool)) (g_pow_yi : both (f_group_type)) : both (f_group_type) := - compute_group_element_for_vote xi vote g_pow_yi := - solve_lift (f_prod (f_pow g_pow_yi xi) (f_g_pow (ifb vote - then f_field_one - else f_field_zero))) : both (f_group_type). -Fail Next Obligation. - -Equations select_private_voting_key (random : both (int32)) : both (f_field_type) := - select_private_voting_key random := - solve_lift (f_random_field_elem random) : both (f_field_type). -Fail Next Obligation. - -Equations compute_g_pow_yi (i : both (uint_size)) (xis : both (nseq f_group_type (is_pure (n)))) : both (f_group_type) := - compute_g_pow_yi i xis := - letb prod1 := f_group_one in - letb prod1 := foldi_both_list (f_into_iter (Build_t_Range (f_start := ret_both (0 : uint_size)) (f_end := i))) (fun j => - ssp (fun prod1 => - solve_lift (f_prod prod1 (xis.a[j])) : both (f_group_type))) prod1 in - letb prod2 := f_group_one in - letb prod2 := foldi_both_list (f_into_iter (Build_t_Range (f_start := i .+ (ret_both (1 : uint_size))) (f_end := n))) (fun j => - ssp (fun prod2 => - solve_lift (f_prod prod2 (xis.a[j])) : both (f_group_type))) prod2 in - solve_lift (f_div prod1 prod2) : both (f_group_type). -Solve All Obligations with now intros ; destruct from_uint_size. -Fail Next Obligation. 
- -Equations check_commitment (g_pow_xi_yi_vi : both (f_group_type)) (commitment : both (f_field_type)) : both ('bool) := - check_commitment g_pow_xi_yi_vi commitment := - solve_lift ((f_hash (impl__into_vec (unsize (box_new (array_from_list [g_pow_xi_yi_vi]))))) =.? commitment) : both ('bool). -Fail Next Obligation. - -Equations commit_to (g_pow_xi_yi_vi : both (f_group_type)) : both (f_field_type) := - commit_to g_pow_xi_yi_vi := - solve_lift (f_hash (impl__into_vec (unsize (box_new (array_from_list [g_pow_xi_yi_vi]))))) : both (f_field_type). -Fail Next Obligation. - -Definition t_CastVoteParam : choice_type := - (int32 × f_field_type × int32 × int32 × int32 × 'bool). -Equations f_cvp_i (s : both (t_CastVoteParam)) : both (int32) := - f_cvp_i s := - bind_both s (fun x => - solve_lift (ret_both (fst (fst (fst (fst (fst x)))) : int32))) : both (int32). -Fail Next Obligation. -Equations f_cvp_xi (s : both (t_CastVoteParam)) : both (f_field_type) := - f_cvp_xi s := - bind_both s (fun x => - solve_lift (ret_both (snd (fst (fst (fst (fst x)))) : f_field_type))) : both (f_field_type). -Fail Next Obligation. -Equations f_cvp_zkp_random_w (s : both (t_CastVoteParam)) : both (int32) := - f_cvp_zkp_random_w s := - bind_both s (fun x => - solve_lift (ret_both (snd (fst (fst (fst x))) : int32))) : both (int32). -Fail Next Obligation. -Equations f_cvp_zkp_random_r (s : both (t_CastVoteParam)) : both (int32) := - f_cvp_zkp_random_r s := - bind_both s (fun x => - solve_lift (ret_both (snd (fst (fst x)) : int32))) : both (int32). -Fail Next Obligation. -Equations f_cvp_zkp_random_d (s : both (t_CastVoteParam)) : both (int32) := - f_cvp_zkp_random_d s := - bind_both s (fun x => - solve_lift (ret_both (snd (fst x) : int32))) : both (int32). -Fail Next Obligation. -Equations f_cvp_vote (s : both (t_CastVoteParam)) : both ('bool) := - f_cvp_vote s := - bind_both s (fun x => - solve_lift (ret_both (snd x : 'bool))) : both ('bool). -Fail Next Obligation. 
-Equations Build_t_CastVoteParam {f_cvp_i : both (int32)} {f_cvp_xi : both (f_field_type)} {f_cvp_zkp_random_w : both (int32)} {f_cvp_zkp_random_r : both (int32)} {f_cvp_zkp_random_d : both (int32)} {f_cvp_vote : both ('bool)} : both (t_CastVoteParam) := - Build_t_CastVoteParam := - bind_both f_cvp_vote (fun f_cvp_vote => - bind_both f_cvp_zkp_random_d (fun f_cvp_zkp_random_d => - bind_both f_cvp_zkp_random_r (fun f_cvp_zkp_random_r => - bind_both f_cvp_zkp_random_w (fun f_cvp_zkp_random_w => - bind_both f_cvp_xi (fun f_cvp_xi => - bind_both f_cvp_i (fun f_cvp_i => - solve_lift (ret_both ((f_cvp_i,f_cvp_xi,f_cvp_zkp_random_w,f_cvp_zkp_random_r,f_cvp_zkp_random_d,f_cvp_vote) : (t_CastVoteParam))))))))) : both (t_CastVoteParam). -Fail Next Obligation. -Notation "'Build_t_CastVoteParam' '[' x ']' '(' 'f_cvp_i' ':=' y ')'" := (Build_t_CastVoteParam (f_cvp_i := y) (f_cvp_xi := f_cvp_xi x) (f_cvp_zkp_random_w := f_cvp_zkp_random_w x) (f_cvp_zkp_random_r := f_cvp_zkp_random_r x) (f_cvp_zkp_random_d := f_cvp_zkp_random_d x) (f_cvp_vote := f_cvp_vote x)). -Notation "'Build_t_CastVoteParam' '[' x ']' '(' 'f_cvp_xi' ':=' y ')'" := (Build_t_CastVoteParam (f_cvp_i := f_cvp_i x) (f_cvp_xi := y) (f_cvp_zkp_random_w := f_cvp_zkp_random_w x) (f_cvp_zkp_random_r := f_cvp_zkp_random_r x) (f_cvp_zkp_random_d := f_cvp_zkp_random_d x) (f_cvp_vote := f_cvp_vote x)). -Notation "'Build_t_CastVoteParam' '[' x ']' '(' 'f_cvp_zkp_random_w' ':=' y ')'" := (Build_t_CastVoteParam (f_cvp_i := f_cvp_i x) (f_cvp_xi := f_cvp_xi x) (f_cvp_zkp_random_w := y) (f_cvp_zkp_random_r := f_cvp_zkp_random_r x) (f_cvp_zkp_random_d := f_cvp_zkp_random_d x) (f_cvp_vote := f_cvp_vote x)). -Notation "'Build_t_CastVoteParam' '[' x ']' '(' 'f_cvp_zkp_random_r' ':=' y ')'" := (Build_t_CastVoteParam (f_cvp_i := f_cvp_i x) (f_cvp_xi := f_cvp_xi x) (f_cvp_zkp_random_w := f_cvp_zkp_random_w x) (f_cvp_zkp_random_r := y) (f_cvp_zkp_random_d := f_cvp_zkp_random_d x) (f_cvp_vote := f_cvp_vote x)). 
-Notation "'Build_t_CastVoteParam' '[' x ']' '(' 'f_cvp_zkp_random_d' ':=' y ')'" := (Build_t_CastVoteParam (f_cvp_i := f_cvp_i x) (f_cvp_xi := f_cvp_xi x) (f_cvp_zkp_random_w := f_cvp_zkp_random_w x) (f_cvp_zkp_random_r := f_cvp_zkp_random_r x) (f_cvp_zkp_random_d := y) (f_cvp_vote := f_cvp_vote x)). -Notation "'Build_t_CastVoteParam' '[' x ']' '(' 'f_cvp_vote' ':=' y ')'" := (Build_t_CastVoteParam (f_cvp_i := f_cvp_i x) (f_cvp_xi := f_cvp_xi x) (f_cvp_zkp_random_w := f_cvp_zkp_random_w x) (f_cvp_zkp_random_r := f_cvp_zkp_random_r x) (f_cvp_zkp_random_d := f_cvp_zkp_random_d x) (f_cvp_vote := y)). - -Definition t_OrZKPCommit : choice_type := - (f_group_type × f_group_type × f_group_type × f_group_type × f_group_type × f_group_type × f_field_type × f_field_type × f_field_type × f_field_type × f_field_type). -Equations f_or_zkp_x (s : both (t_OrZKPCommit)) : both (f_group_type) := - f_or_zkp_x s := - bind_both s (fun x => - solve_lift (ret_both (fst (fst (fst (fst (fst (fst (fst (fst (fst (fst x))))))))) : f_group_type))) : both (f_group_type). -Fail Next Obligation. -Equations f_or_zkp_y (s : both (t_OrZKPCommit)) : both (f_group_type) := - f_or_zkp_y s := - bind_both s (fun x => - solve_lift (ret_both (snd (fst (fst (fst (fst (fst (fst (fst (fst (fst x))))))))) : f_group_type))) : both (f_group_type). -Fail Next Obligation. -Equations f_or_zkp_a1 (s : both (t_OrZKPCommit)) : both (f_group_type) := - f_or_zkp_a1 s := - bind_both s (fun x => - solve_lift (ret_both (snd (fst (fst (fst (fst (fst (fst (fst (fst x)))))))) : f_group_type))) : both (f_group_type). -Fail Next Obligation. -Equations f_or_zkp_b1 (s : both (t_OrZKPCommit)) : both (f_group_type) := - f_or_zkp_b1 s := - bind_both s (fun x => - solve_lift (ret_both (snd (fst (fst (fst (fst (fst (fst (fst x))))))) : f_group_type))) : both (f_group_type). -Fail Next Obligation. 
-Equations f_or_zkp_a2 (s : both (t_OrZKPCommit)) : both (f_group_type) := - f_or_zkp_a2 s := - bind_both s (fun x => - solve_lift (ret_both (snd (fst (fst (fst (fst (fst (fst x)))))) : f_group_type))) : both (f_group_type). -Fail Next Obligation. -Equations f_or_zkp_b2 (s : both (t_OrZKPCommit)) : both (f_group_type) := - f_or_zkp_b2 s := - bind_both s (fun x => - solve_lift (ret_both (snd (fst (fst (fst (fst (fst x))))) : f_group_type))) : both (f_group_type). -Fail Next Obligation. -Equations f_or_zkp_c (s : both (t_OrZKPCommit)) : both (f_field_type) := - f_or_zkp_c s := - bind_both s (fun x => - solve_lift (ret_both (snd (fst (fst (fst (fst x)))) : f_field_type))) : both (f_field_type). -Fail Next Obligation. -Equations f_or_zkp_d1 (s : both (t_OrZKPCommit)) : both (f_field_type) := - f_or_zkp_d1 s := - bind_both s (fun x => - solve_lift (ret_both (snd (fst (fst (fst x))) : f_field_type))) : both (f_field_type). -Fail Next Obligation. -Equations f_or_zkp_d2 (s : both (t_OrZKPCommit)) : both (f_field_type) := - f_or_zkp_d2 s := - bind_both s (fun x => - solve_lift (ret_both (snd (fst (fst x)) : f_field_type))) : both (f_field_type). -Fail Next Obligation. -Equations f_or_zkp_r1 (s : both (t_OrZKPCommit)) : both (f_field_type) := - f_or_zkp_r1 s := - bind_both s (fun x => - solve_lift (ret_both (snd (fst x) : f_field_type))) : both (f_field_type). -Fail Next Obligation. -Equations f_or_zkp_r2 (s : both (t_OrZKPCommit)) : both (f_field_type) := - f_or_zkp_r2 s := - bind_both s (fun x => - solve_lift (ret_both (snd x : f_field_type))) : both (f_field_type). -Fail Next Obligation. 
-Equations Build_t_OrZKPCommit {f_or_zkp_x : both (f_group_type)} {f_or_zkp_y : both (f_group_type)} {f_or_zkp_a1 : both (f_group_type)} {f_or_zkp_b1 : both (f_group_type)} {f_or_zkp_a2 : both (f_group_type)} {f_or_zkp_b2 : both (f_group_type)} {f_or_zkp_c : both (f_field_type)} {f_or_zkp_d1 : both (f_field_type)} {f_or_zkp_d2 : both (f_field_type)} {f_or_zkp_r1 : both (f_field_type)} {f_or_zkp_r2 : both (f_field_type)} : both (t_OrZKPCommit) := - Build_t_OrZKPCommit := - bind_both f_or_zkp_r2 (fun f_or_zkp_r2 => - bind_both f_or_zkp_r1 (fun f_or_zkp_r1 => - bind_both f_or_zkp_d2 (fun f_or_zkp_d2 => - bind_both f_or_zkp_d1 (fun f_or_zkp_d1 => - bind_both f_or_zkp_c (fun f_or_zkp_c => - bind_both f_or_zkp_b2 (fun f_or_zkp_b2 => - bind_both f_or_zkp_a2 (fun f_or_zkp_a2 => - bind_both f_or_zkp_b1 (fun f_or_zkp_b1 => - bind_both f_or_zkp_a1 (fun f_or_zkp_a1 => - bind_both f_or_zkp_y (fun f_or_zkp_y => - bind_both f_or_zkp_x (fun f_or_zkp_x => - solve_lift (ret_both ((f_or_zkp_x,f_or_zkp_y,f_or_zkp_a1,f_or_zkp_b1,f_or_zkp_a2,f_or_zkp_b2,f_or_zkp_c,f_or_zkp_d1,f_or_zkp_d2,f_or_zkp_r1,f_or_zkp_r2) : (t_OrZKPCommit)))))))))))))) : both (t_OrZKPCommit). -Fail Next Obligation. -Notation "'Build_t_OrZKPCommit' '[' x ']' '(' 'f_or_zkp_x' ':=' y ')'" := (Build_t_OrZKPCommit (f_or_zkp_x := y) (f_or_zkp_y := f_or_zkp_y x) (f_or_zkp_a1 := f_or_zkp_a1 x) (f_or_zkp_b1 := f_or_zkp_b1 x) (f_or_zkp_a2 := f_or_zkp_a2 x) (f_or_zkp_b2 := f_or_zkp_b2 x) (f_or_zkp_c := f_or_zkp_c x) (f_or_zkp_d1 := f_or_zkp_d1 x) (f_or_zkp_d2 := f_or_zkp_d2 x) (f_or_zkp_r1 := f_or_zkp_r1 x) (f_or_zkp_r2 := f_or_zkp_r2 x)). 
-Notation "'Build_t_OrZKPCommit' '[' x ']' '(' 'f_or_zkp_y' ':=' y ')'" := (Build_t_OrZKPCommit (f_or_zkp_x := f_or_zkp_x x) (f_or_zkp_y := y) (f_or_zkp_a1 := f_or_zkp_a1 x) (f_or_zkp_b1 := f_or_zkp_b1 x) (f_or_zkp_a2 := f_or_zkp_a2 x) (f_or_zkp_b2 := f_or_zkp_b2 x) (f_or_zkp_c := f_or_zkp_c x) (f_or_zkp_d1 := f_or_zkp_d1 x) (f_or_zkp_d2 := f_or_zkp_d2 x) (f_or_zkp_r1 := f_or_zkp_r1 x) (f_or_zkp_r2 := f_or_zkp_r2 x)). -Notation "'Build_t_OrZKPCommit' '[' x ']' '(' 'f_or_zkp_a1' ':=' y ')'" := (Build_t_OrZKPCommit (f_or_zkp_x := f_or_zkp_x x) (f_or_zkp_y := f_or_zkp_y x) (f_or_zkp_a1 := y) (f_or_zkp_b1 := f_or_zkp_b1 x) (f_or_zkp_a2 := f_or_zkp_a2 x) (f_or_zkp_b2 := f_or_zkp_b2 x) (f_or_zkp_c := f_or_zkp_c x) (f_or_zkp_d1 := f_or_zkp_d1 x) (f_or_zkp_d2 := f_or_zkp_d2 x) (f_or_zkp_r1 := f_or_zkp_r1 x) (f_or_zkp_r2 := f_or_zkp_r2 x)). -Notation "'Build_t_OrZKPCommit' '[' x ']' '(' 'f_or_zkp_b1' ':=' y ')'" := (Build_t_OrZKPCommit (f_or_zkp_x := f_or_zkp_x x) (f_or_zkp_y := f_or_zkp_y x) (f_or_zkp_a1 := f_or_zkp_a1 x) (f_or_zkp_b1 := y) (f_or_zkp_a2 := f_or_zkp_a2 x) (f_or_zkp_b2 := f_or_zkp_b2 x) (f_or_zkp_c := f_or_zkp_c x) (f_or_zkp_d1 := f_or_zkp_d1 x) (f_or_zkp_d2 := f_or_zkp_d2 x) (f_or_zkp_r1 := f_or_zkp_r1 x) (f_or_zkp_r2 := f_or_zkp_r2 x)). -Notation "'Build_t_OrZKPCommit' '[' x ']' '(' 'f_or_zkp_a2' ':=' y ')'" := (Build_t_OrZKPCommit (f_or_zkp_x := f_or_zkp_x x) (f_or_zkp_y := f_or_zkp_y x) (f_or_zkp_a1 := f_or_zkp_a1 x) (f_or_zkp_b1 := f_or_zkp_b1 x) (f_or_zkp_a2 := y) (f_or_zkp_b2 := f_or_zkp_b2 x) (f_or_zkp_c := f_or_zkp_c x) (f_or_zkp_d1 := f_or_zkp_d1 x) (f_or_zkp_d2 := f_or_zkp_d2 x) (f_or_zkp_r1 := f_or_zkp_r1 x) (f_or_zkp_r2 := f_or_zkp_r2 x)). 
-Notation "'Build_t_OrZKPCommit' '[' x ']' '(' 'f_or_zkp_b2' ':=' y ')'" := (Build_t_OrZKPCommit (f_or_zkp_x := f_or_zkp_x x) (f_or_zkp_y := f_or_zkp_y x) (f_or_zkp_a1 := f_or_zkp_a1 x) (f_or_zkp_b1 := f_or_zkp_b1 x) (f_or_zkp_a2 := f_or_zkp_a2 x) (f_or_zkp_b2 := y) (f_or_zkp_c := f_or_zkp_c x) (f_or_zkp_d1 := f_or_zkp_d1 x) (f_or_zkp_d2 := f_or_zkp_d2 x) (f_or_zkp_r1 := f_or_zkp_r1 x) (f_or_zkp_r2 := f_or_zkp_r2 x)). -Notation "'Build_t_OrZKPCommit' '[' x ']' '(' 'f_or_zkp_c' ':=' y ')'" := (Build_t_OrZKPCommit (f_or_zkp_x := f_or_zkp_x x) (f_or_zkp_y := f_or_zkp_y x) (f_or_zkp_a1 := f_or_zkp_a1 x) (f_or_zkp_b1 := f_or_zkp_b1 x) (f_or_zkp_a2 := f_or_zkp_a2 x) (f_or_zkp_b2 := f_or_zkp_b2 x) (f_or_zkp_c := y) (f_or_zkp_d1 := f_or_zkp_d1 x) (f_or_zkp_d2 := f_or_zkp_d2 x) (f_or_zkp_r1 := f_or_zkp_r1 x) (f_or_zkp_r2 := f_or_zkp_r2 x)). -Notation "'Build_t_OrZKPCommit' '[' x ']' '(' 'f_or_zkp_d1' ':=' y ')'" := (Build_t_OrZKPCommit (f_or_zkp_x := f_or_zkp_x x) (f_or_zkp_y := f_or_zkp_y x) (f_or_zkp_a1 := f_or_zkp_a1 x) (f_or_zkp_b1 := f_or_zkp_b1 x) (f_or_zkp_a2 := f_or_zkp_a2 x) (f_or_zkp_b2 := f_or_zkp_b2 x) (f_or_zkp_c := f_or_zkp_c x) (f_or_zkp_d1 := y) (f_or_zkp_d2 := f_or_zkp_d2 x) (f_or_zkp_r1 := f_or_zkp_r1 x) (f_or_zkp_r2 := f_or_zkp_r2 x)). -Notation "'Build_t_OrZKPCommit' '[' x ']' '(' 'f_or_zkp_d2' ':=' y ')'" := (Build_t_OrZKPCommit (f_or_zkp_x := f_or_zkp_x x) (f_or_zkp_y := f_or_zkp_y x) (f_or_zkp_a1 := f_or_zkp_a1 x) (f_or_zkp_b1 := f_or_zkp_b1 x) (f_or_zkp_a2 := f_or_zkp_a2 x) (f_or_zkp_b2 := f_or_zkp_b2 x) (f_or_zkp_c := f_or_zkp_c x) (f_or_zkp_d1 := f_or_zkp_d1 x) (f_or_zkp_d2 := y) (f_or_zkp_r1 := f_or_zkp_r1 x) (f_or_zkp_r2 := f_or_zkp_r2 x)). 
-Notation "'Build_t_OrZKPCommit' '[' x ']' '(' 'f_or_zkp_r1' ':=' y ')'" := (Build_t_OrZKPCommit (f_or_zkp_x := f_or_zkp_x x) (f_or_zkp_y := f_or_zkp_y x) (f_or_zkp_a1 := f_or_zkp_a1 x) (f_or_zkp_b1 := f_or_zkp_b1 x) (f_or_zkp_a2 := f_or_zkp_a2 x) (f_or_zkp_b2 := f_or_zkp_b2 x) (f_or_zkp_c := f_or_zkp_c x) (f_or_zkp_d1 := f_or_zkp_d1 x) (f_or_zkp_d2 := f_or_zkp_d2 x) (f_or_zkp_r1 := y) (f_or_zkp_r2 := f_or_zkp_r2 x)). -Notation "'Build_t_OrZKPCommit' '[' x ']' '(' 'f_or_zkp_r2' ':=' y ')'" := (Build_t_OrZKPCommit (f_or_zkp_x := f_or_zkp_x x) (f_or_zkp_y := f_or_zkp_y x) (f_or_zkp_a1 := f_or_zkp_a1 x) (f_or_zkp_b1 := f_or_zkp_b1 x) (f_or_zkp_a2 := f_or_zkp_a2 x) (f_or_zkp_b2 := f_or_zkp_b2 x) (f_or_zkp_c := f_or_zkp_c x) (f_or_zkp_d1 := f_or_zkp_d1 x) (f_or_zkp_d2 := f_or_zkp_d2 x) (f_or_zkp_r1 := f_or_zkp_r1 x) (f_or_zkp_r2 := y)). - -Definition t_RegisterParam : choice_type := - (int32 × f_field_type × int32). -Equations f_rp_i (s : both (t_RegisterParam)) : both (int32) := - f_rp_i s := - bind_both s (fun x => - solve_lift (ret_both (fst (fst x) : int32))) : both (int32). -Fail Next Obligation. -Equations f_rp_xi (s : both (t_RegisterParam)) : both (f_field_type) := - f_rp_xi s := - bind_both s (fun x => - solve_lift (ret_both (snd (fst x) : f_field_type))) : both (f_field_type). -Fail Next Obligation. -Equations f_rp_zkp_random (s : both (t_RegisterParam)) : both (int32) := - f_rp_zkp_random s := - bind_both s (fun x => - solve_lift (ret_both (snd x : int32))) : both (int32). -Fail Next Obligation. -Equations Build_t_RegisterParam {f_rp_i : both (int32)} {f_rp_xi : both (f_field_type)} {f_rp_zkp_random : both (int32)} : both (t_RegisterParam) := - Build_t_RegisterParam := - bind_both f_rp_zkp_random (fun f_rp_zkp_random => - bind_both f_rp_xi (fun f_rp_xi => - bind_both f_rp_i (fun f_rp_i => - solve_lift (ret_both ((f_rp_i,f_rp_xi,f_rp_zkp_random) : (t_RegisterParam)))))) : both (t_RegisterParam). -Fail Next Obligation. 
-Notation "'Build_t_RegisterParam' '[' x ']' '(' 'f_rp_i' ':=' y ')'" := (Build_t_RegisterParam (f_rp_i := y) (f_rp_xi := f_rp_xi x) (f_rp_zkp_random := f_rp_zkp_random x)). -Notation "'Build_t_RegisterParam' '[' x ']' '(' 'f_rp_xi' ':=' y ')'" := (Build_t_RegisterParam (f_rp_i := f_rp_i x) (f_rp_xi := y) (f_rp_zkp_random := f_rp_zkp_random x)). -Notation "'Build_t_RegisterParam' '[' x ']' '(' 'f_rp_zkp_random' ':=' y ')'" := (Build_t_RegisterParam (f_rp_i := f_rp_i x) (f_rp_xi := f_rp_xi x) (f_rp_zkp_random := y)). - -Definition t_SchnorrZKPCommit : choice_type := - (f_group_type × f_field_type × f_field_type). -Equations f_schnorr_zkp_u (s : both (t_SchnorrZKPCommit)) : both (f_group_type) := - f_schnorr_zkp_u s := - bind_both s (fun x => - solve_lift (ret_both (fst (fst x) : f_group_type))) : both (f_group_type). -Fail Next Obligation. -Equations f_schnorr_zkp_c (s : both (t_SchnorrZKPCommit)) : both (f_field_type) := - f_schnorr_zkp_c s := - bind_both s (fun x => - solve_lift (ret_both (snd (fst x) : f_field_type))) : both (f_field_type). -Fail Next Obligation. -Equations f_schnorr_zkp_z (s : both (t_SchnorrZKPCommit)) : both (f_field_type) := - f_schnorr_zkp_z s := - bind_both s (fun x => - solve_lift (ret_both (snd x : f_field_type))) : both (f_field_type). -Fail Next Obligation. -Equations Build_t_SchnorrZKPCommit {f_schnorr_zkp_u : both (f_group_type)} {f_schnorr_zkp_c : both (f_field_type)} {f_schnorr_zkp_z : both (f_field_type)} : both (t_SchnorrZKPCommit) := - Build_t_SchnorrZKPCommit := - bind_both f_schnorr_zkp_z (fun f_schnorr_zkp_z => - bind_both f_schnorr_zkp_c (fun f_schnorr_zkp_c => - bind_both f_schnorr_zkp_u (fun f_schnorr_zkp_u => - solve_lift (ret_both ((f_schnorr_zkp_u,f_schnorr_zkp_c,f_schnorr_zkp_z) : (t_SchnorrZKPCommit)))))) : both (t_SchnorrZKPCommit). -Fail Next Obligation. 
-Notation "'Build_t_SchnorrZKPCommit' '[' x ']' '(' 'f_schnorr_zkp_u' ':=' y ')'" := (Build_t_SchnorrZKPCommit (f_schnorr_zkp_u := y) (f_schnorr_zkp_c := f_schnorr_zkp_c x) (f_schnorr_zkp_z := f_schnorr_zkp_z x)). -Notation "'Build_t_SchnorrZKPCommit' '[' x ']' '(' 'f_schnorr_zkp_c' ':=' y ')'" := (Build_t_SchnorrZKPCommit (f_schnorr_zkp_u := f_schnorr_zkp_u x) (f_schnorr_zkp_c := y) (f_schnorr_zkp_z := f_schnorr_zkp_z x)). -Notation "'Build_t_SchnorrZKPCommit' '[' x ']' '(' 'f_schnorr_zkp_z' ':=' y ')'" := (Build_t_SchnorrZKPCommit (f_schnorr_zkp_u := f_schnorr_zkp_u x) (f_schnorr_zkp_c := f_schnorr_zkp_c x) (f_schnorr_zkp_z := y)). - -Definition t_TallyParameter : choice_type := - 'unit. -Equations Build_t_TallyParameter : both (t_TallyParameter) := - Build_t_TallyParameter := - solve_lift (ret_both (tt (* Empty tuple *) : (t_TallyParameter))) : both (t_TallyParameter). -Fail Next Obligation. - -Equations schnorr_zkp (random : both (int32)) (h : both (f_group_type)) (x : both (f_field_type)) : both (t_SchnorrZKPCommit) := - schnorr_zkp random h x := - solve_lift (run (letb r := f_random_field_elem random in - letb u := f_g_pow r in - letb c := f_hash (impl__into_vec (unsize (box_new (array_from_list [f_g; - h; - u])))) in - letb z := f_add r (f_mul c x) in - letm[choice_typeMonad.result_bind_code (t_SchnorrZKPCommit)] hoist1 := v_Break (Build_t_SchnorrZKPCommit (f_schnorr_zkp_u := u) (f_schnorr_zkp_c := c) (f_schnorr_zkp_z := z)) in - ControlFlow_Continue (never_to_any hoist1))) : both (t_SchnorrZKPCommit). -Fail Next Obligation. - -Equations schnorr_zkp_validate (h : both (f_group_type)) (pi : both (t_SchnorrZKPCommit)) : both ('bool) := - schnorr_zkp_validate h pi := - solve_lift (andb ((f_schnorr_zkp_c pi) =.? (f_hash (impl__into_vec (unsize (box_new (array_from_list [f_g; - h; - f_schnorr_zkp_u pi])))))) ((f_g_pow (f_schnorr_zkp_z pi)) =.? (f_prod (f_schnorr_zkp_u pi) (f_pow h (f_schnorr_zkp_c pi))))) : both ('bool). -Fail Next Obligation. 
- -Equations zkp_one_out_of_two (random_w : both (int32)) (random_r : both (int32)) (random_d : both (int32)) (h : both (f_group_type)) (xi : both (f_field_type)) (vi : both ('bool)) : both (t_OrZKPCommit) := - zkp_one_out_of_two random_w random_r random_d h xi vi := - letb w := f_random_field_elem random_w in - solve_lift (ifb vi - then letb r1 := f_random_field_elem random_r in - letb d1 := f_random_field_elem random_d in - letb x := f_g_pow xi in - letb y := f_prod (f_pow h xi) (f_g) in - letb a1 := f_prod (f_g_pow r1) (f_pow x d1) in - letb b1 := f_prod (f_pow h r1) (f_pow y d1) in - letb a2 := f_g_pow w in - letb b2 := f_pow h w in - letb c := f_hash (impl__into_vec (unsize (box_new (array_from_list [x; - y; - a1; - b1; - a2; - b2])))) in - letb d2 := f_sub c d1 in - letb r2 := f_sub w (f_mul xi d2) in - Build_t_OrZKPCommit (f_or_zkp_x := x) (f_or_zkp_y := y) (f_or_zkp_a1 := a1) (f_or_zkp_b1 := b1) (f_or_zkp_a2 := a2) (f_or_zkp_b2 := b2) (f_or_zkp_c := c) (f_or_zkp_d1 := d1) (f_or_zkp_d2 := d2) (f_or_zkp_r1 := r1) (f_or_zkp_r2 := r2) - else letb r2 := f_random_field_elem random_r in - letb d2 := f_random_field_elem random_d in - letb x := f_g_pow xi in - letb y := f_pow h xi in - letb a1 := f_g_pow w in - letb b1 := f_pow h w in - letb a2 := f_prod (f_g_pow r2) (f_pow x d2) in - letb b2 := f_prod (f_pow h r2) (f_pow (f_div y (f_g)) d2) in - letb c := f_hash (impl__into_vec (unsize (box_new (array_from_list [x; - y; - a1; - b1; - a2; - b2])))) in - letb d1 := f_sub c d2 in - letb r1 := f_sub w (f_mul xi d1) in - Build_t_OrZKPCommit (f_or_zkp_x := x) (f_or_zkp_y := y) (f_or_zkp_a1 := a1) (f_or_zkp_b1 := b1) (f_or_zkp_a2 := a2) (f_or_zkp_b2 := b2) (f_or_zkp_c := c) (f_or_zkp_d1 := d1) (f_or_zkp_d2 := d2) (f_or_zkp_r1 := r1) (f_or_zkp_r2 := r2)) : both (t_OrZKPCommit). -Fail Next Obligation. 
- -Equations zkp_one_out_of_two_validate (h : both (f_group_type)) (zkp : both (t_OrZKPCommit)) : both ('bool) := - zkp_one_out_of_two_validate h zkp := - letb c := f_hash (impl__into_vec (unsize (box_new (array_from_list [f_or_zkp_x zkp; - f_or_zkp_y zkp; - f_or_zkp_a1 zkp; - f_or_zkp_b1 zkp; - f_or_zkp_a2 zkp; - f_or_zkp_b2 zkp])))) in - solve_lift (andb (andb (andb (andb (c =.? (f_add (f_or_zkp_d1 zkp) (f_or_zkp_d2 zkp))) ((f_or_zkp_a1 zkp) =.? (f_prod (f_g_pow (f_or_zkp_r1 zkp)) (f_pow (f_or_zkp_x zkp) (f_or_zkp_d1 zkp))))) ((f_or_zkp_b1 zkp) =.? (f_prod (f_pow h (f_or_zkp_r1 zkp)) (f_pow (f_or_zkp_y zkp) (f_or_zkp_d1 zkp))))) ((f_or_zkp_a2 zkp) =.? (f_prod (f_g_pow (f_or_zkp_r2 zkp)) (f_pow (f_or_zkp_x zkp) (f_or_zkp_d2 zkp))))) ((f_or_zkp_b2 zkp) =.? (f_prod (f_pow h (f_or_zkp_r2 zkp)) (f_pow (f_div (f_or_zkp_y zkp) (f_g)) (f_or_zkp_d2 zkp))))) : both ('bool). -Fail Next Obligation. - -Definition t_OvnContractState : choice_type := - (nseq f_group_type (is_pure (n)) × nseq (t_SchnorrZKPCommit) (is_pure (n)) × nseq f_field_type (is_pure (n)) × nseq f_group_type (is_pure (n)) × nseq (t_OrZKPCommit) (is_pure (n)) × int32). -Equations f_g_pow_xis (s : both (t_OvnContractState)) : both (nseq f_group_type (is_pure (n))) := - f_g_pow_xis s := - bind_both s (fun x => - solve_lift (ret_both (fst (fst (fst (fst (fst x)))) : nseq f_group_type (is_pure (n))))) : both (nseq f_group_type (is_pure (n))). -Fail Next Obligation. -Equations f_zkp_xis (s : both (t_OvnContractState)) : both (nseq (t_SchnorrZKPCommit) (is_pure (n))) := - f_zkp_xis s := - bind_both s (fun x => - solve_lift (ret_both (snd (fst (fst (fst (fst x)))) : nseq (t_SchnorrZKPCommit) (is_pure (n))))) : both (nseq (t_SchnorrZKPCommit) (is_pure (n))). -Fail Next Obligation. 
-Equations f_commit_vis (s : both (t_OvnContractState)) : both (nseq f_field_type (is_pure (n))) := - f_commit_vis s := - bind_both s (fun x => - solve_lift (ret_both (snd (fst (fst (fst x))) : nseq f_field_type (is_pure (n))))) : both (nseq f_field_type (is_pure (n))). -Fail Next Obligation. -Equations f_g_pow_xi_yi_vis (s : both (t_OvnContractState)) : both (nseq f_group_type (is_pure (n))) := - f_g_pow_xi_yi_vis s := - bind_both s (fun x => - solve_lift (ret_both (snd (fst (fst x)) : nseq f_group_type (is_pure (n))))) : both (nseq f_group_type (is_pure (n))). -Fail Next Obligation. -Equations f_zkp_vis (s : both (t_OvnContractState)) : both (nseq (t_OrZKPCommit) (is_pure (n))) := - f_zkp_vis s := - bind_both s (fun x => - solve_lift (ret_both (snd (fst x) : nseq (t_OrZKPCommit) (is_pure (n))))) : both (nseq (t_OrZKPCommit) (is_pure (n))). -Fail Next Obligation. -Equations f_tally (s : both (t_OvnContractState)) : both (int32) := - f_tally s := - bind_both s (fun x => - solve_lift (ret_both (snd x : int32))) : both (int32). -Fail Next Obligation. -Equations Build_t_OvnContractState {f_g_pow_xis : both (nseq f_group_type (is_pure (n)))} {f_zkp_xis : both (nseq (t_SchnorrZKPCommit) (is_pure (n)))} {f_commit_vis : both (nseq f_field_type (is_pure (n)))} {f_g_pow_xi_yi_vis : both (nseq f_group_type (is_pure (n)))} {f_zkp_vis : both (nseq (t_OrZKPCommit) (is_pure (n)))} {f_tally : both (int32)} : both (t_OvnContractState) := - Build_t_OvnContractState := - bind_both f_tally (fun f_tally => - bind_both f_zkp_vis (fun f_zkp_vis => - bind_both f_g_pow_xi_yi_vis (fun f_g_pow_xi_yi_vis => - bind_both f_commit_vis (fun f_commit_vis => - bind_both f_zkp_xis (fun f_zkp_xis => - bind_both f_g_pow_xis (fun f_g_pow_xis => - solve_lift (ret_both ((f_g_pow_xis,f_zkp_xis,f_commit_vis,f_g_pow_xi_yi_vis,f_zkp_vis,f_tally) : (t_OvnContractState))))))))) : both (t_OvnContractState). -Fail Next Obligation. 
-Notation "'Build_t_OvnContractState' '[' x ']' '(' 'f_g_pow_xis' ':=' y ')'" := (Build_t_OvnContractState (f_g_pow_xis := y) (f_zkp_xis := f_zkp_xis x) (f_commit_vis := f_commit_vis x) (f_g_pow_xi_yi_vis := f_g_pow_xi_yi_vis x) (f_zkp_vis := f_zkp_vis x) (f_tally := f_tally x)). -Notation "'Build_t_OvnContractState' '[' x ']' '(' 'f_zkp_xis' ':=' y ')'" := (Build_t_OvnContractState (f_g_pow_xis := f_g_pow_xis x) (f_zkp_xis := y) (f_commit_vis := f_commit_vis x) (f_g_pow_xi_yi_vis := f_g_pow_xi_yi_vis x) (f_zkp_vis := f_zkp_vis x) (f_tally := f_tally x)). -Notation "'Build_t_OvnContractState' '[' x ']' '(' 'f_commit_vis' ':=' y ')'" := (Build_t_OvnContractState (f_g_pow_xis := f_g_pow_xis x) (f_zkp_xis := f_zkp_xis x) (f_commit_vis := y) (f_g_pow_xi_yi_vis := f_g_pow_xi_yi_vis x) (f_zkp_vis := f_zkp_vis x) (f_tally := f_tally x)). -Notation "'Build_t_OvnContractState' '[' x ']' '(' 'f_g_pow_xi_yi_vis' ':=' y ')'" := (Build_t_OvnContractState (f_g_pow_xis := f_g_pow_xis x) (f_zkp_xis := f_zkp_xis x) (f_commit_vis := f_commit_vis x) (f_g_pow_xi_yi_vis := y) (f_zkp_vis := f_zkp_vis x) (f_tally := f_tally x)). -Notation "'Build_t_OvnContractState' '[' x ']' '(' 'f_zkp_vis' ':=' y ')'" := (Build_t_OvnContractState (f_g_pow_xis := f_g_pow_xis x) (f_zkp_xis := f_zkp_xis x) (f_commit_vis := f_commit_vis x) (f_g_pow_xi_yi_vis := f_g_pow_xi_yi_vis x) (f_zkp_vis := y) (f_tally := f_tally x)). -Notation "'Build_t_OvnContractState' '[' x ']' '(' 'f_tally' ':=' y ')'" := (Build_t_OvnContractState (f_g_pow_xis := f_g_pow_xis x) (f_zkp_xis := f_zkp_xis x) (f_commit_vis := f_commit_vis x) (f_g_pow_xi_yi_vis := f_g_pow_xi_yi_vis x) (f_zkp_vis := f_zkp_vis x) (f_tally := y)). 
- -Equations cast_vote {impl_574521470_ : _} `{ t_Sized (impl_574521470_)} `{ t_HasReceiveContext (impl_574521470_) ('unit)} (ctx : both (impl_574521470_)) (state : both (t_OvnContractState)) : both (t_Result ((v_A × t_OvnContractState)) (t_ParseError)) := - cast_vote ctx state := - solve_lift (run (letb '(_,out) := f_get (f_parameter_cursor ctx) in - letm[choice_typeMonad.result_bind_code (t_Result ((v_A × t_OvnContractState)) (t_ParseError))] (params : t_CastVoteParam (v_Z)) := matchb out with - | Result_Ok_case x => - letb x := ret_both ((x) : _ (* (t_CastVoteParam (v_Z)) *)) in - ControlFlow_Continue (solve_lift x) - | Result_Err_case x => - letb x := ret_both ((x) : (t_ParseError)) in - letm[choice_typeMonad.result_bind_code (t_Result ((v_A × t_OvnContractState)) (t_ParseError))] hoist2 := v_Break (Result_Err (ret_both tt)) in - ControlFlow_Continue (solve_lift (never_to_any hoist2)) - end in - ControlFlow_Continue (letb g_pow_yi := compute_g_pow_yi (cast_int (WS2 := _) (f_cvp_i params)) (f_g_pow_xis state) in - letb g_pow_xi_yi_vi := compute_group_element_for_vote (f_cvp_xi params) (f_cvp_vote params) g_pow_yi in - letb zkp_vi := zkp_one_out_of_two (f_cvp_zkp_random_w params) (f_cvp_zkp_random_r params) (f_cvp_zkp_random_d params) g_pow_yi (f_cvp_xi params) (f_cvp_vote params) in - letb cast_vote_state_ret := f_clone state in - letb cast_vote_state_ret := Build_t_OvnContractState[cast_vote_state_ret] (f_g_pow_xi_yi_vis := update_at_usize (f_g_pow_xi_yi_vis cast_vote_state_ret) (cast_int (WS2 := _) (f_cvp_i params)) g_pow_xi_yi_vi) in - letb cast_vote_state_ret := Build_t_OvnContractState[cast_vote_state_ret] (f_zkp_vis := update_at_usize (f_zkp_vis cast_vote_state_ret) (cast_int (WS2 := _) (f_cvp_i params)) zkp_vi) in - Result_Ok (prod_b (f_accept,cast_vote_state_ret))))) : both (t_Result ((v_A × t_OvnContractState)) (t_ParseError)). -Fail Next Obligation. 
- -Equations commit_to_vote {impl_574521470_ : _} `{ t_Sized (impl_574521470_)} `{ t_HasReceiveContext (impl_574521470_) ('unit)} (ctx : both (impl_574521470_)) (state : both (t_OvnContractState)) : both (t_Result ((v_A × t_OvnContractState)) (t_ParseError)) := - commit_to_vote ctx state := - solve_lift (run (letb '(_,out) := f_get (f_parameter_cursor ctx) in - letm[choice_typeMonad.result_bind_code (t_Result ((v_A × t_OvnContractState)) (t_ParseError))] (params : t_CastVoteParam (v_Z)) := matchb out with - | Result_Ok_case x => - letb x := ret_both ((x) : _ (* (t_CastVoteParam (v_Z)) *)) in - ControlFlow_Continue (solve_lift x) - | Result_Err_case x => - letb x := ret_both ((x) : (t_ParseError)) in - letm[choice_typeMonad.result_bind_code (t_Result ((v_A × t_OvnContractState)) (t_ParseError))] hoist3 := v_Break (Result_Err (ret_both tt)) in - ControlFlow_Continue (solve_lift (never_to_any hoist3)) - end in - ControlFlow_Continue (letb _ := foldi_both_list (f_into_iter (Build_t_Range (f_start := ret_both (0 : uint_size)) (f_end := n))) (fun i => - ssp (fun _ => - solve_lift (ifb negb (schnorr_zkp_validate ((f_g_pow_xis state).a[i]) ((f_zkp_xis state).a[i])) - then letm[choice_typeMonad.result_bind_code (t_Result ((v_A × t_OvnContractState)) (t_ParseError))] hoist4 := v_Break (Result_Err (ret_both tt)) in - ControlFlow_Continue (never_to_any hoist4) - else ControlFlow_Continue (ret_both (tt : 'unit))) : both _ (* (t_ControlFlow (t_Result ((v_A × t_OvnContractState)) (t_ParseError)) ('unit)) *))) (Ok (ret_both (tt : 'unit))) in - letb g_pow_yi := compute_g_pow_yi (cast_int (WS2 := _) (f_cvp_i params)) (f_g_pow_xis state) in - letb g_pow_xi_yi_vi := compute_group_element_for_vote (f_cvp_xi params) (f_cvp_vote params) g_pow_yi in - letb commit_vi := commit_to g_pow_xi_yi_vi in - letb commit_to_vote_state_ret := f_clone state in - letb commit_to_vote_state_ret := Build_t_OvnContractState[commit_to_vote_state_ret] (f_commit_vis := update_at_usize (f_commit_vis 
commit_to_vote_state_ret) (cast_int (WS2 := _) (f_cvp_i params)) commit_vi) in - Result_Ok (prod_b (f_accept,commit_to_vote_state_ret))))) : both (t_Result ((v_A × t_OvnContractState)) (t_ParseError)). -Solve All Obligations with now intros ; destruct from_uint_size. -Fail Next Obligation. - -Equations init_ovn_contract (_ : both ('unit)) : both (t_Result (t_OvnContractState) (t_Reject)) := - init_ovn_contract _ := - Result_Ok (solve_lift (Build_t_OvnContractState (f_g_pow_xis := repeat (f_group_one) n) (f_zkp_xis := repeat (Build_t_SchnorrZKPCommit (f_schnorr_zkp_u := f_group_one) (f_schnorr_zkp_z := f_field_zero) (f_schnorr_zkp_c := f_field_zero)) n) (f_commit_vis := repeat (f_field_zero) n) (f_g_pow_xi_yi_vis := repeat (f_group_one) n) (f_zkp_vis := repeat (Build_t_OrZKPCommit (f_or_zkp_x := f_group_one) (f_or_zkp_y := f_group_one) (f_or_zkp_a1 := f_group_one) (f_or_zkp_b1 := f_group_one ) (f_or_zkp_a2 := f_group_one ) (f_or_zkp_b2 := f_group_one ) (f_or_zkp_c := f_field_zero ) (f_or_zkp_d1 := f_field_zero ) (f_or_zkp_d2 := f_field_zero ) (f_or_zkp_r1 := f_field_zero ) (f_or_zkp_r2 := f_field_zero )) n) (f_tally := ret_both (0 : int32)))) : both (t_Result (t_OvnContractState) (t_Reject)). -Fail Next Obligation. 
- -Equations register_vote {impl_574521470_ : _} `{ t_Sized (impl_574521470_)} `{ t_HasReceiveContext (impl_574521470_) ('unit)} (ctx : both (impl_574521470_)) (state : both (t_OvnContractState)) : both (t_Result ((v_A × t_OvnContractState)) (t_ParseError)) := - register_vote ctx state := - solve_lift (run (letb '(_,out) := f_get (f_parameter_cursor ctx) in - letm[choice_typeMonad.result_bind_code (t_Result ((v_A × t_OvnContractState)) (t_ParseError))] (params : t_RegisterParam (v_Z)) := matchb out with - | Result_Ok_case x => - letb x := ret_both ((x) : _ (* (t_RegisterParam (v_Z)) *)) in - ControlFlow_Continue (solve_lift x) - | Result_Err_case x => - letb x := ret_both ((x) : (t_ParseError)) in - letm[choice_typeMonad.result_bind_code (t_Result ((v_A × t_OvnContractState)) (t_ParseError))] hoist5 := v_Break (Result_Err (ret_both tt)) in - ControlFlow_Continue (solve_lift (never_to_any hoist5)) - end in - ControlFlow_Continue (letb g_pow_xi := f_g_pow (f_rp_xi params) in - letb zkp_xi := schnorr_zkp (f_rp_zkp_random params) g_pow_xi (f_rp_xi params) in - letb register_vote_state_ret := f_clone state in - letb register_vote_state_ret := Build_t_OvnContractState[register_vote_state_ret] (f_g_pow_xis := update_at_usize (f_g_pow_xis register_vote_state_ret) (cast_int (WS2 := _) (f_rp_i params)) g_pow_xi) in - letb register_vote_state_ret := Build_t_OvnContractState[register_vote_state_ret] (f_zkp_xis := update_at_usize (f_zkp_xis register_vote_state_ret) (cast_int (WS2 := _) (f_rp_i params)) zkp_xi) in - Result_Ok (prod_b (f_accept,register_vote_state_ret))))) : both (t_Result ((v_A × t_OvnContractState)) (t_ParseError)). -Fail Next Obligation. 
- -Equations tally_votes {impl_574521470_ : _} `{ t_Sized (impl_574521470_)} `{ t_HasReceiveContext (impl_574521470_) ('unit)} (_ : both (impl_574521470_)) (state : both (t_OvnContractState)) : both (t_Result ((v_A × t_OvnContractState)) (t_ParseError)) := - tally_votes _ state := - letb _ := foldi_both_list (f_into_iter (Build_t_Range (f_start := ret_both (0 : uint_size)) (f_end := n))) (fun i => - ssp (fun _ => - letb g_pow_yi := compute_g_pow_yi i (f_g_pow_xis state) in - letm[choice_typeMonad.result_bind_code (t_Result ((v_A × t_OvnContractState)) (t_ParseError))] _ := ControlFlow_Continue (ifb negb (zkp_one_out_of_two_validate g_pow_yi ((f_zkp_vis state).a[i])) - then letm[choice_typeMonad.result_bind_code (t_Result ((v_A × t_OvnContractState)) (t_ParseError))] hoist6 := v_Break (Result_Err (ret_both tt)) in - ControlFlow_Continue (never_to_any hoist6) - else ControlFlow_Continue (ret_both (tt : 'unit))) in - solve_lift (ifb negb (check_commitment ((f_g_pow_xi_yi_vis state).a[i]) ((f_commit_vis state).a[i])) - then letm[choice_typeMonad.result_bind_code (t_Result ((v_A × t_OvnContractState)) (t_ParseError))] hoist7 := v_Break (Result_Err (ret_both tt)) in - ControlFlow_Continue (never_to_any hoist7) - else ControlFlow_Continue (ret_both (tt : 'unit))) : both _ (* (t_ControlFlow (t_Result ((v_A × t_OvnContractState)) (t_ParseError)) ('unit)) *))) (Ok (ret_both (tt : 'unit))) in - letb vote_result := f_group_one in - letb vote_result := foldi_both_list ((* f_into_iter *) (array_to_list (f_g_pow_xi_yi_vis state))) (fun g_pow_vote => - ssp (fun vote_result => - solve_lift (f_prod vote_result g_pow_vote) : both (f_group_type))) vote_result in - letb tally := ret_both (0 : int32) in - letb curr := f_field_zero in - letb '(curr,tally) := foldi_both_list (f_into_iter (Build_t_Range (f_start := ret_both (0 : int32)) (f_end := cast_int (WS2 := _) n))) (fun i => - ssp (fun '(curr,tally) => - letb tally := ifb (f_g_pow curr) =.? 
vote_result - then letb tally := i in - tally - else tally in - letb curr := f_add curr (f_field_one) in - solve_lift (prod_b (curr,tally)) : both ((f_field_type × int32)))) (prod_b (curr,tally)) in - letb tally_votes_state_ret := f_clone state in - letb tally_votes_state_ret := Build_t_OvnContractState[tally_votes_state_ret] (f_tally := tally) in - Result_Ok (solve_lift (prod_b (f_accept,tally_votes_state_ret))) : both (t_Result ((v_A × t_OvnContractState)) (t_ParseError)). -Solve All Obligations with now intros ; destruct from_uint_size. -Fail Next Obligation. - -(** Concert lib part **) -From ConCert.Utils Require Import Extras. -Export Extras. -From ConCert.Utils Require Import Automation. -Export Automation. -From ConCert.Execution Require Import Serializable. -Export Serializable. -From ConCert.Execution Require Import Blockchain. -Export Blockchain. -From ConCert.Execution Require Import ContractCommon. -Export ContractCommon. -From ConCert.Execution Require Import Serializable. -Export Serializable. -From Hacspec Require Import ConCertLib. -Export ConCertLib. - -Definition state_OVN : choice_type := - t_OvnContractState. - -#[global] Program Instance t_CastVoteParam_t_HasReceiveContext : t_HasReceiveContext t_CastVoteParam 'unit := - {| f_get := (fun {Ctx : _} => (solve_lift (@ret_both (t_ParamType × t_Result Ctx t_ParseError)) (tt, inr tt)) : _)|}. -Fail Next Obligation. -#[global] Program Instance t_CastVoteParam_t_Sized : t_Sized t_CastVoteParam := - fun x => - x. -Fail Next Obligation. -Definition receive_OVN_cast_vote (ctx : both (t_CastVoteParam)) (st : both (state_OVN)) : both (t_Result ((v_A × state_OVN)) (t_ParseError)) := - cast_vote ctx st. - -(* #[global] Program Instance t_CastVoteParam_t_HasReceiveContext : t_HasReceiveContext t_CastVoteParam 'unit := *) -(* {| f_get := (fun {Ctx : _} => (solve_lift (@ret_both (t_ParamType × t_Result Ctx t_ParseError)) (tt, inr tt)) : _)|}. *) -(* Fail Next Obligation. 
*) -(* #[global] Program Instance t_CastVoteParam_t_Sized : t_Sized t_CastVoteParam := *) -(* fun x => *) -(* x. *) -(* Fail Next Obligation. *) -Definition receive_OVN_commit_to_vote (ctx : both (t_CastVoteParam)) (st : both (state_OVN)) : both (t_Result ((v_A × state_OVN)) (t_ParseError)) := - commit_to_vote ctx st. - -Definition init_OVN (chain : Chain) (ctx : ContractCallContext) (st : state_OVN) : ResultMonad.result (state_OVN) (t_ParseError) := - ResultMonad.Ok st. - -#[global] Program Instance t_RegisterParam_t_HasReceiveContext : t_HasReceiveContext t_RegisterParam 'unit := - {| f_get := (fun {Ctx : _} => (solve_lift (@ret_both (t_ParamType × t_Result Ctx t_ParseError)) (tt, inr tt)) : _)|}. -Fail Next Obligation. -#[global] Program Instance t_RegisterParam_t_Sized : t_Sized t_RegisterParam := - fun x => - x. -Fail Next Obligation. -Definition receive_OVN_register (ctx : both (t_RegisterParam)) (st : both (state_OVN)) : both (t_Result ((v_A × state_OVN)) (t_ParseError)) := - register_vote ctx st. - -#[global] Program Instance t_TallyParameter_t_HasReceiveContext : t_HasReceiveContext t_TallyParameter 'unit := - {| f_get := (fun {Ctx : _} => (solve_lift (@ret_both (t_ParamType × t_Result Ctx t_ParseError)) (tt, inr tt)) : _)|}. -Fail Next Obligation. -#[global] Program Instance t_TallyParameter_t_Sized : t_Sized t_TallyParameter := - fun x => - x. -Fail Next Obligation. -Definition receive_OVN_tally (ctx : both (t_TallyParameter)) (st : both (state_OVN)) : both (t_Result ((v_A × state_OVN)) (t_ParseError)) := - tally_votes ctx st. - -Inductive Msg_OVN : Type := -| msg_OVN_cast_vote : t_CastVoteParam -> Msg_OVN -| msg_OVN_commit_to_vote : t_CastVoteParam -> Msg_OVN -| msg_OVN_register : t_RegisterParam -> Msg_OVN -| msg_OVN_tally : t_TallyParameter -> Msg_OVN. 
-#[global] Program Instance state_OVN_t_HasReceiveContext : t_HasReceiveContext (state_OVN) 'unit := - {| f_get := (fun (Ctx : _) => (solve_lift (@ret_both (t_ParamType × t_Result Ctx t_ParseError)) (tt, inr tt)) : _)|}. -Fail Next Obligation. -#[global] Program Instance state_OVN_t_Sized : t_Sized (state_OVN) := - fun x => - x. -Fail Next Obligation. -#[global] Program Instance state_OVN_t_HasActions : t_HasActions (state_OVN). -Next Obligation. - pose (init_ovn_contract_equation_1 (ret_both tt)). - set (solve_lift _) in e. - apply b. -Defined. -Fail Next Obligation. - -Equations receive_OVN (chain : Chain) (ctx : ContractCallContext) (st : state_OVN) (msg : Datatypes.option (Msg_OVN)) : ResultMonad.result (state_OVN * list ActionBody) t_ParseError := - receive_OVN chain ctx st msg := - match msg with - | Some (msg_OVN_cast_vote val) => - match is_pure (both_prog (receive_OVN_cast_vote (ret_both val) (ret_both st))) with - | inl x => ResultMonad.Ok ((snd x), []) - | inr x => ResultMonad.Err x - end - | Some (msg_OVN_commit_to_vote val) => - match is_pure (both_prog (receive_OVN_commit_to_vote (ret_both val) (ret_both st))) with - | inl x => ResultMonad.Ok ((snd x), []) - | inr x => ResultMonad.Err x - end - | Some (msg_OVN_register val) => - match is_pure (both_prog (receive_OVN_register (ret_both val) (ret_both st))) with - | inl x => ResultMonad.Ok ((snd x), []) - | inr x => ResultMonad.Err x - end - | Some (msg_OVN_tally val) => - match (is_pure (both_prog (receive_OVN_tally (ret_both val) (ret_both st)))) with - | inl x => ResultMonad.Ok ((snd x), []) - | inr x => ResultMonad.Err x - end - | _ => - ResultMonad.Err tt - end : ResultMonad.result (state_OVN * list ActionBody) t_ParseError. -Fail Next Obligation. 
- -Ltac make_hacspec_serializable := - (serialize_enum ; repeat (refine nseq_serializable ; serialize_enum) - ; try ( exact f_group_type_Serializable - || exact f_field_type_Serializable - || exact hacspec_int_serializable - || exact bool_serializable - || exact unit_serializable)). - -#[global] Program Instance state_OVN_Serializable : Serializable (state_OVN) := - ltac:(make_hacspec_serializable). -Fail Next Obligation. - -#[global] Program Instance t_RegisterParam_Serializable : Serializable t_RegisterParam := - ltac:(make_hacspec_serializable). -Fail Next Obligation. - -#[global] Program Instance t_CastVoteParam_Serializable : Serializable t_TallyParameter := - ltac:(make_hacspec_serializable). -Fail Next Obligation. +(*Not implemented yet? todo(item)*) -#[global] Program Instance Msg_OVN_Serializable : Serializable Msg_OVN := - Derive Serializable Msg_OVN_rect < msg_OVN_cast_vote , msg_OVN_commit_to_vote, msg_OVN_register,msg_OVN_tally >. -Fail Next Obligation. +(*Not implemented yet? todo(item)*) -Definition contract_OVN : @Contract _ (state_OVN) (Msg_OVN) (state_OVN) (t_ParseError) state_OVN_Serializable Msg_OVN_Serializable state_OVN_Serializable _ := - build_contract init_OVN receive_OVN. +(*Not implemented yet? todo(item)*) diff --git a/ovn/proofs/ssprove/extraction/Hacspec_ovn_Ovn_group.v b/ovn/proofs/ssprove/extraction/Hacspec_ovn_Ovn_group.v new file mode 100644 index 0000000..32fefa8 --- /dev/null +++ b/ovn/proofs/ssprove/extraction/Hacspec_ovn_Ovn_group.v 
@@ -0,0 +1,484 @@ +(* File automatically generated by Hacspec *) +Set Warnings "-notation-overridden,-ambiguous-paths". +From Crypt Require Import choice_type Package Prelude. +Import PackageNotation. +From extructures Require Import ord fset. +From mathcomp Require Import word_ssrZ word. +(* From Jasmin Require Import word. *) + +From Coq Require Import ZArith. +From Coq Require Import Strings.String. +Import List.ListNotations. +Open Scope list_scope. +Open Scope Z_scope. +Open Scope bool_scope. + +From Hacspec Require Import ChoiceEquality. +From Hacspec Require Import LocationUtility. +From Hacspec Require Import Hacspec_Lib_Comparable. +From Hacspec Require Import Hacspec_Lib_Pre. +From Hacspec Require Import Hacspec_Lib. + +Open Scope hacspec_scope. +Import choice.Choice.Exports. + +Obligation Tactic := (* try timeout 8 *) solve_ssprove_obligations. + +Require Import Crate_Ovn_traits. +Export Crate_Ovn_traits. + +Equations select_private_voting_key {L1 : {fset Location}} {I1 : Interface} {v_Z : _} `{ t_Sized v_Z} `{ t_Field v_Z} (random : both L1 I1 int32) : both L1 I1 v_Z := + select_private_voting_key random := + solve_lift (f_random_field_elem random) : both L1 I1 v_Z. +Fail Next Obligation. + +Equations compute_group_element_for_vote {L1 : {fset Location}} {L2 : {fset Location}} {L3 : {fset Location}} {I1 : Interface} {I2 : Interface} {I3 : Interface} {v_G : _} `{ t_Sized v_G} `{ t_Group v_G} (xi : both L1 I1 f_Z) (vote : both L2 I2 'bool) (g_pow_yi : both L3 I3 v_G) : both (L1 :|: L2 :|: L3) (I1 :|: I2 :|: I3) v_G := + compute_group_element_for_vote xi vote g_pow_yi := + solve_lift (f_prod (f_pow g_pow_yi xi) (f_g_pow (ifb vote + then f_field_one (ret_both (tt : 'unit)) + else f_field_zero (ret_both (tt : 'unit))))) : both (L1 :|: L2 :|: L3) (I1 :|: I2 :|: I3) v_G. +Fail Next Obligation. + +Definition prod1_loc {v_G : _} {n : both (fset []) (fset []) uint_size} `{ t_Sized v_G} `{ t_Group v_G} : Location := + (v_G;0%nat). 
+Definition prod2_loc {v_G : _} {n : both (fset []) (fset []) uint_size} `{ t_Sized v_G} `{ t_Group v_G} : Location := + (v_G;1%nat). +Equations compute_g_pow_yi {L1 : {fset Location}} {L2 : {fset Location}} {I1 : Interface} {I2 : Interface} {v_G : _} {n : both (fset []) (fset []) uint_size} `{ t_Sized v_G} `{ t_Group v_G} (i : both L1 I1 uint_size) (xis : both L2 I2 (nseq v_G (is_pure (n)))) : both (L1 :|: L2 :|: fset [prod1_loc;prod2_loc]) (I1 :|: I2) v_G := + compute_g_pow_yi i xis := + letb prod1 loc(prod1_loc) := f_group_one (ret_both (tt : 'unit)) in + letb _ := foldi_both_list (f_into_iter (Build_t_Range (f_start := ret_both (0 : uint_size)) (f_end := i))) (fun j => + ssp (fun _ => + assign todo(term) : (both (*1*)(L2:|:L1:|:fset [prod1_loc]) (I2:|:I1) 'unit))) (ret_both (tt : 'unit)) in + letb prod2 loc(prod2_loc) := f_group_one (ret_both (tt : 'unit)) in + letb _ := foldi_both_list (f_into_iter (Build_t_Range (f_start := i .+ (ret_both (1 : uint_size))) (f_end := n))) (fun j => + ssp (fun _ => + assign todo(term) : (both (*1*)(L2:|:L1:|:fset [prod2_loc]) (I2:|:I1) 'unit))) (ret_both (tt : 'unit)) in + solve_lift (f_div prod1 prod2) : both (L1 :|: L2 :|: fset [prod1_loc;prod2_loc]) (I1 :|: I2) v_G. +Fail Next Obligation. + +Equations check_commitment {L1 : {fset Location}} {L2 : {fset Location}} {I1 : Interface} {I2 : Interface} {v_G : _} `{ t_Sized v_G} `{ t_Group v_G} (g_pow_xi_yi_vi : both L1 I1 v_G) (commitment : both L2 I2 f_Z) : both (L1 :|: L2) (I1 :|: I2) 'bool := + check_commitment g_pow_xi_yi_vi commitment := + solve_lift ((f_hash (impl__into_vec (unsize (box_new (array_from_list [g_pow_xi_yi_vi]))))) =.? commitment) : both (L1 :|: L2) (I1 :|: I2) 'bool. +Fail Next Obligation. 
+ +Equations commit_to {L1 : {fset Location}} {I1 : Interface} {v_G : _} `{ t_Sized v_G} `{ t_Group v_G} (g_pow_xi_yi_vi : both L1 I1 v_G) : both L1 I1 f_Z := + commit_to g_pow_xi_yi_vi := + solve_lift (f_hash (impl__into_vec (unsize (box_new (array_from_list [g_pow_xi_yi_vi]))))) : both L1 I1 f_Z. +Fail Next Obligation. + +Definition t_CastVoteParam {v_Z : _} `{ t_Sized v_Z} `{ t_Field v_Z} : choice_type := + (int32 × v_Z × int32 × int32 × int32 × 'bool). +Equations f_cvp_i {L : {fset Location}} {I : Interface} {v_Z : _} `{ t_Sized v_Z} `{ t_Field v_Z} (s : both L I t_CastVoteParam) : both L I int32 := + f_cvp_i s := + bind_both s (fun x => + solve_lift (ret_both (fst (fst (fst (fst (fst x)))) : int32))) : both L I int32. +Fail Next Obligation. +Equations f_cvp_xi {L : {fset Location}} {I : Interface} {v_Z : _} `{ t_Sized v_Z} `{ t_Field v_Z} (s : both L I t_CastVoteParam) : both L I v_Z := + f_cvp_xi s := + bind_both s (fun x => + solve_lift (ret_both (snd (fst (fst (fst (fst x)))) : v_Z))) : both L I v_Z. +Fail Next Obligation. +Equations f_cvp_zkp_random_w {L : {fset Location}} {I : Interface} {v_Z : _} `{ t_Sized v_Z} `{ t_Field v_Z} (s : both L I t_CastVoteParam) : both L I int32 := + f_cvp_zkp_random_w s := + bind_both s (fun x => + solve_lift (ret_both (snd (fst (fst (fst x))) : int32))) : both L I int32. +Fail Next Obligation. +Equations f_cvp_zkp_random_r {L : {fset Location}} {I : Interface} {v_Z : _} `{ t_Sized v_Z} `{ t_Field v_Z} (s : both L I t_CastVoteParam) : both L I int32 := + f_cvp_zkp_random_r s := + bind_both s (fun x => + solve_lift (ret_both (snd (fst (fst x)) : int32))) : both L I int32. +Fail Next Obligation. +Equations f_cvp_zkp_random_d {L : {fset Location}} {I : Interface} {v_Z : _} `{ t_Sized v_Z} `{ t_Field v_Z} (s : both L I t_CastVoteParam) : both L I int32 := + f_cvp_zkp_random_d s := + bind_both s (fun x => + solve_lift (ret_both (snd (fst x) : int32))) : both L I int32. +Fail Next Obligation. 
+Equations f_cvp_vote {L : {fset Location}} {I : Interface} {v_Z : _} `{ t_Sized v_Z} `{ t_Field v_Z} (s : both L I t_CastVoteParam) : both L I 'bool := + f_cvp_vote s := + bind_both s (fun x => + solve_lift (ret_both (snd x : 'bool))) : both L I 'bool. +Fail Next Obligation. +Equations Build_t_CastVoteParam {L0 : {fset Location}} {L1 : {fset Location}} {L2 : {fset Location}} {L3 : {fset Location}} {L4 : {fset Location}} {L5 : {fset Location}} {I0 : Interface} {I1 : Interface} {I2 : Interface} {I3 : Interface} {I4 : Interface} {I5 : Interface} {v_Z : _} `{ t_Sized v_Z} `{ t_Field v_Z} {f_cvp_i : both L0 I0 int32} {f_cvp_xi : both L1 I1 v_Z} {f_cvp_zkp_random_w : both L2 I2 int32} {f_cvp_zkp_random_r : both L3 I3 int32} {f_cvp_zkp_random_d : both L4 I4 int32} {f_cvp_vote : both L5 I5 'bool} : both (L0:|:L1:|:L2:|:L3:|:L4:|:L5) (I0:|:I1:|:I2:|:I3:|:I4:|:I5) (t_CastVoteParam) := + Build_t_CastVoteParam := + bind_both f_cvp_vote (fun f_cvp_vote => + bind_both f_cvp_zkp_random_d (fun f_cvp_zkp_random_d => + bind_both f_cvp_zkp_random_r (fun f_cvp_zkp_random_r => + bind_both f_cvp_zkp_random_w (fun f_cvp_zkp_random_w => + bind_both f_cvp_xi (fun f_cvp_xi => + bind_both f_cvp_i (fun f_cvp_i => + solve_lift (ret_both ((f_cvp_i,f_cvp_xi,f_cvp_zkp_random_w,f_cvp_zkp_random_r,f_cvp_zkp_random_d,f_cvp_vote) : (t_CastVoteParam))))))))) : both (L0:|:L1:|:L2:|:L3:|:L4:|:L5) (I0:|:I1:|:I2:|:I3:|:I4:|:I5) (t_CastVoteParam). +Fail Next Obligation. +Notation "'Build_t_CastVoteParam' '[' x ']' '(' 'f_cvp_i' ':=' y ')'" := (Build_t_CastVoteParam (f_cvp_i := y) (f_cvp_xi := f_cvp_xi x) (f_cvp_zkp_random_w := f_cvp_zkp_random_w x) (f_cvp_zkp_random_r := f_cvp_zkp_random_r x) (f_cvp_zkp_random_d := f_cvp_zkp_random_d x) (f_cvp_vote := f_cvp_vote x)). 
+Notation "'Build_t_CastVoteParam' '[' x ']' '(' 'f_cvp_xi' ':=' y ')'" := (Build_t_CastVoteParam (f_cvp_i := f_cvp_i x) (f_cvp_xi := y) (f_cvp_zkp_random_w := f_cvp_zkp_random_w x) (f_cvp_zkp_random_r := f_cvp_zkp_random_r x) (f_cvp_zkp_random_d := f_cvp_zkp_random_d x) (f_cvp_vote := f_cvp_vote x)). +Notation "'Build_t_CastVoteParam' '[' x ']' '(' 'f_cvp_zkp_random_w' ':=' y ')'" := (Build_t_CastVoteParam (f_cvp_i := f_cvp_i x) (f_cvp_xi := f_cvp_xi x) (f_cvp_zkp_random_w := y) (f_cvp_zkp_random_r := f_cvp_zkp_random_r x) (f_cvp_zkp_random_d := f_cvp_zkp_random_d x) (f_cvp_vote := f_cvp_vote x)). +Notation "'Build_t_CastVoteParam' '[' x ']' '(' 'f_cvp_zkp_random_r' ':=' y ')'" := (Build_t_CastVoteParam (f_cvp_i := f_cvp_i x) (f_cvp_xi := f_cvp_xi x) (f_cvp_zkp_random_w := f_cvp_zkp_random_w x) (f_cvp_zkp_random_r := y) (f_cvp_zkp_random_d := f_cvp_zkp_random_d x) (f_cvp_vote := f_cvp_vote x)). +Notation "'Build_t_CastVoteParam' '[' x ']' '(' 'f_cvp_zkp_random_d' ':=' y ')'" := (Build_t_CastVoteParam (f_cvp_i := f_cvp_i x) (f_cvp_xi := f_cvp_xi x) (f_cvp_zkp_random_w := f_cvp_zkp_random_w x) (f_cvp_zkp_random_r := f_cvp_zkp_random_r x) (f_cvp_zkp_random_d := y) (f_cvp_vote := f_cvp_vote x)). +Notation "'Build_t_CastVoteParam' '[' x ']' '(' 'f_cvp_vote' ':=' y ')'" := (Build_t_CastVoteParam (f_cvp_i := f_cvp_i x) (f_cvp_xi := f_cvp_xi x) (f_cvp_zkp_random_w := f_cvp_zkp_random_w x) (f_cvp_zkp_random_r := f_cvp_zkp_random_r x) (f_cvp_zkp_random_d := f_cvp_zkp_random_d x) (f_cvp_vote := y)). + +Definition t_OrZKPCommit {v_G : _} `{ t_Sized v_G} `{ t_Group v_G} : choice_type := + (v_G × v_G × v_G × v_G × v_G × v_G × f_Z × f_Z × f_Z × f_Z × f_Z). +Equations f_or_zkp_x {L : {fset Location}} {I : Interface} {v_G : _} `{ t_Sized v_G} `{ t_Group v_G} (s : both L I t_OrZKPCommit) : both L I v_G := + f_or_zkp_x s := + bind_both s (fun x => + solve_lift (ret_both (fst (fst (fst (fst (fst (fst (fst (fst (fst (fst x))))))))) : v_G))) : both L I v_G. +Fail Next Obligation. 
+Equations f_or_zkp_y {L : {fset Location}} {I : Interface} {v_G : _} `{ t_Sized v_G} `{ t_Group v_G} (s : both L I t_OrZKPCommit) : both L I v_G := + f_or_zkp_y s := + bind_both s (fun x => + solve_lift (ret_both (snd (fst (fst (fst (fst (fst (fst (fst (fst (fst x))))))))) : v_G))) : both L I v_G. +Fail Next Obligation. +Equations f_or_zkp_a1 {L : {fset Location}} {I : Interface} {v_G : _} `{ t_Sized v_G} `{ t_Group v_G} (s : both L I t_OrZKPCommit) : both L I v_G := + f_or_zkp_a1 s := + bind_both s (fun x => + solve_lift (ret_both (snd (fst (fst (fst (fst (fst (fst (fst (fst x)))))))) : v_G))) : both L I v_G. +Fail Next Obligation. +Equations f_or_zkp_b1 {L : {fset Location}} {I : Interface} {v_G : _} `{ t_Sized v_G} `{ t_Group v_G} (s : both L I t_OrZKPCommit) : both L I v_G := + f_or_zkp_b1 s := + bind_both s (fun x => + solve_lift (ret_both (snd (fst (fst (fst (fst (fst (fst (fst x))))))) : v_G))) : both L I v_G. +Fail Next Obligation. +Equations f_or_zkp_a2 {L : {fset Location}} {I : Interface} {v_G : _} `{ t_Sized v_G} `{ t_Group v_G} (s : both L I t_OrZKPCommit) : both L I v_G := + f_or_zkp_a2 s := + bind_both s (fun x => + solve_lift (ret_both (snd (fst (fst (fst (fst (fst (fst x)))))) : v_G))) : both L I v_G. +Fail Next Obligation. +Equations f_or_zkp_b2 {L : {fset Location}} {I : Interface} {v_G : _} `{ t_Sized v_G} `{ t_Group v_G} (s : both L I t_OrZKPCommit) : both L I v_G := + f_or_zkp_b2 s := + bind_both s (fun x => + solve_lift (ret_both (snd (fst (fst (fst (fst (fst x))))) : v_G))) : both L I v_G. +Fail Next Obligation. +Equations f_or_zkp_c {L : {fset Location}} {I : Interface} {v_G : _} `{ t_Sized v_G} `{ t_Group v_G} (s : both L I t_OrZKPCommit) : both L I f_Z := + f_or_zkp_c s := + bind_both s (fun x => + solve_lift (ret_both (snd (fst (fst (fst (fst x)))) : f_Z))) : both L I f_Z. +Fail Next Obligation. 
+Equations f_or_zkp_d1 {L : {fset Location}} {I : Interface} {v_G : _} `{ t_Sized v_G} `{ t_Group v_G} (s : both L I t_OrZKPCommit) : both L I f_Z := + f_or_zkp_d1 s := + bind_both s (fun x => + solve_lift (ret_both (snd (fst (fst (fst x))) : f_Z))) : both L I f_Z. +Fail Next Obligation. +Equations f_or_zkp_d2 {L : {fset Location}} {I : Interface} {v_G : _} `{ t_Sized v_G} `{ t_Group v_G} (s : both L I t_OrZKPCommit) : both L I f_Z := + f_or_zkp_d2 s := + bind_both s (fun x => + solve_lift (ret_both (snd (fst (fst x)) : f_Z))) : both L I f_Z. +Fail Next Obligation. +Equations f_or_zkp_r1 {L : {fset Location}} {I : Interface} {v_G : _} `{ t_Sized v_G} `{ t_Group v_G} (s : both L I t_OrZKPCommit) : both L I f_Z := + f_or_zkp_r1 s := + bind_both s (fun x => + solve_lift (ret_both (snd (fst x) : f_Z))) : both L I f_Z. +Fail Next Obligation. +Equations f_or_zkp_r2 {L : {fset Location}} {I : Interface} {v_G : _} `{ t_Sized v_G} `{ t_Group v_G} (s : both L I t_OrZKPCommit) : both L I f_Z := + f_or_zkp_r2 s := + bind_both s (fun x => + solve_lift (ret_both (snd x : f_Z))) : both L I f_Z. +Fail Next Obligation. 
+Equations Build_t_OrZKPCommit {L0 : {fset Location}} {L1 : {fset Location}} {L2 : {fset Location}} {L3 : {fset Location}} {L4 : {fset Location}} {L5 : {fset Location}} {L6 : {fset Location}} {L7 : {fset Location}} {L8 : {fset Location}} {L9 : {fset Location}} {L10 : {fset Location}} {I0 : Interface} {I1 : Interface} {I2 : Interface} {I3 : Interface} {I4 : Interface} {I5 : Interface} {I6 : Interface} {I7 : Interface} {I8 : Interface} {I9 : Interface} {I10 : Interface} {v_G : _} `{ t_Sized v_G} `{ t_Group v_G} {f_or_zkp_x : both L0 I0 v_G} {f_or_zkp_y : both L1 I1 v_G} {f_or_zkp_a1 : both L2 I2 v_G} {f_or_zkp_b1 : both L3 I3 v_G} {f_or_zkp_a2 : both L4 I4 v_G} {f_or_zkp_b2 : both L5 I5 v_G} {f_or_zkp_c : both L6 I6 f_Z} {f_or_zkp_d1 : both L7 I7 f_Z} {f_or_zkp_d2 : both L8 I8 f_Z} {f_or_zkp_r1 : both L9 I9 f_Z} {f_or_zkp_r2 : both L10 I10 f_Z} : both (L0:|:L1:|:L2:|:L3:|:L4:|:L5:|:L6:|:L7:|:L8:|:L9:|:L10) (I0:|:I1:|:I2:|:I3:|:I4:|:I5:|:I6:|:I7:|:I8:|:I9:|:I10) (t_OrZKPCommit) := + Build_t_OrZKPCommit := + bind_both f_or_zkp_r2 (fun f_or_zkp_r2 => + bind_both f_or_zkp_r1 (fun f_or_zkp_r1 => + bind_both f_or_zkp_d2 (fun f_or_zkp_d2 => + bind_both f_or_zkp_d1 (fun f_or_zkp_d1 => + bind_both f_or_zkp_c (fun f_or_zkp_c => + bind_both f_or_zkp_b2 (fun f_or_zkp_b2 => + bind_both f_or_zkp_a2 (fun f_or_zkp_a2 => + bind_both f_or_zkp_b1 (fun f_or_zkp_b1 => + bind_both f_or_zkp_a1 (fun f_or_zkp_a1 => + bind_both f_or_zkp_y (fun f_or_zkp_y => + bind_both f_or_zkp_x (fun f_or_zkp_x => + solve_lift (ret_both ((f_or_zkp_x,f_or_zkp_y,f_or_zkp_a1,f_or_zkp_b1,f_or_zkp_a2,f_or_zkp_b2,f_or_zkp_c,f_or_zkp_d1,f_or_zkp_d2,f_or_zkp_r1,f_or_zkp_r2) : (t_OrZKPCommit)))))))))))))) : both (L0:|:L1:|:L2:|:L3:|:L4:|:L5:|:L6:|:L7:|:L8:|:L9:|:L10) (I0:|:I1:|:I2:|:I3:|:I4:|:I5:|:I6:|:I7:|:I8:|:I9:|:I10) (t_OrZKPCommit). +Fail Next Obligation. 
+Notation "'Build_t_OrZKPCommit' '[' x ']' '(' 'f_or_zkp_x' ':=' y ')'" := (Build_t_OrZKPCommit (f_or_zkp_x := y) (f_or_zkp_y := f_or_zkp_y x) (f_or_zkp_a1 := f_or_zkp_a1 x) (f_or_zkp_b1 := f_or_zkp_b1 x) (f_or_zkp_a2 := f_or_zkp_a2 x) (f_or_zkp_b2 := f_or_zkp_b2 x) (f_or_zkp_c := f_or_zkp_c x) (f_or_zkp_d1 := f_or_zkp_d1 x) (f_or_zkp_d2 := f_or_zkp_d2 x) (f_or_zkp_r1 := f_or_zkp_r1 x) (f_or_zkp_r2 := f_or_zkp_r2 x)). +Notation "'Build_t_OrZKPCommit' '[' x ']' '(' 'f_or_zkp_y' ':=' y ')'" := (Build_t_OrZKPCommit (f_or_zkp_x := f_or_zkp_x x) (f_or_zkp_y := y) (f_or_zkp_a1 := f_or_zkp_a1 x) (f_or_zkp_b1 := f_or_zkp_b1 x) (f_or_zkp_a2 := f_or_zkp_a2 x) (f_or_zkp_b2 := f_or_zkp_b2 x) (f_or_zkp_c := f_or_zkp_c x) (f_or_zkp_d1 := f_or_zkp_d1 x) (f_or_zkp_d2 := f_or_zkp_d2 x) (f_or_zkp_r1 := f_or_zkp_r1 x) (f_or_zkp_r2 := f_or_zkp_r2 x)). +Notation "'Build_t_OrZKPCommit' '[' x ']' '(' 'f_or_zkp_a1' ':=' y ')'" := (Build_t_OrZKPCommit (f_or_zkp_x := f_or_zkp_x x) (f_or_zkp_y := f_or_zkp_y x) (f_or_zkp_a1 := y) (f_or_zkp_b1 := f_or_zkp_b1 x) (f_or_zkp_a2 := f_or_zkp_a2 x) (f_or_zkp_b2 := f_or_zkp_b2 x) (f_or_zkp_c := f_or_zkp_c x) (f_or_zkp_d1 := f_or_zkp_d1 x) (f_or_zkp_d2 := f_or_zkp_d2 x) (f_or_zkp_r1 := f_or_zkp_r1 x) (f_or_zkp_r2 := f_or_zkp_r2 x)). +Notation "'Build_t_OrZKPCommit' '[' x ']' '(' 'f_or_zkp_b1' ':=' y ')'" := (Build_t_OrZKPCommit (f_or_zkp_x := f_or_zkp_x x) (f_or_zkp_y := f_or_zkp_y x) (f_or_zkp_a1 := f_or_zkp_a1 x) (f_or_zkp_b1 := y) (f_or_zkp_a2 := f_or_zkp_a2 x) (f_or_zkp_b2 := f_or_zkp_b2 x) (f_or_zkp_c := f_or_zkp_c x) (f_or_zkp_d1 := f_or_zkp_d1 x) (f_or_zkp_d2 := f_or_zkp_d2 x) (f_or_zkp_r1 := f_or_zkp_r1 x) (f_or_zkp_r2 := f_or_zkp_r2 x)). 
+Notation "'Build_t_OrZKPCommit' '[' x ']' '(' 'f_or_zkp_a2' ':=' y ')'" := (Build_t_OrZKPCommit (f_or_zkp_x := f_or_zkp_x x) (f_or_zkp_y := f_or_zkp_y x) (f_or_zkp_a1 := f_or_zkp_a1 x) (f_or_zkp_b1 := f_or_zkp_b1 x) (f_or_zkp_a2 := y) (f_or_zkp_b2 := f_or_zkp_b2 x) (f_or_zkp_c := f_or_zkp_c x) (f_or_zkp_d1 := f_or_zkp_d1 x) (f_or_zkp_d2 := f_or_zkp_d2 x) (f_or_zkp_r1 := f_or_zkp_r1 x) (f_or_zkp_r2 := f_or_zkp_r2 x)). +Notation "'Build_t_OrZKPCommit' '[' x ']' '(' 'f_or_zkp_b2' ':=' y ')'" := (Build_t_OrZKPCommit (f_or_zkp_x := f_or_zkp_x x) (f_or_zkp_y := f_or_zkp_y x) (f_or_zkp_a1 := f_or_zkp_a1 x) (f_or_zkp_b1 := f_or_zkp_b1 x) (f_or_zkp_a2 := f_or_zkp_a2 x) (f_or_zkp_b2 := y) (f_or_zkp_c := f_or_zkp_c x) (f_or_zkp_d1 := f_or_zkp_d1 x) (f_or_zkp_d2 := f_or_zkp_d2 x) (f_or_zkp_r1 := f_or_zkp_r1 x) (f_or_zkp_r2 := f_or_zkp_r2 x)). +Notation "'Build_t_OrZKPCommit' '[' x ']' '(' 'f_or_zkp_c' ':=' y ')'" := (Build_t_OrZKPCommit (f_or_zkp_x := f_or_zkp_x x) (f_or_zkp_y := f_or_zkp_y x) (f_or_zkp_a1 := f_or_zkp_a1 x) (f_or_zkp_b1 := f_or_zkp_b1 x) (f_or_zkp_a2 := f_or_zkp_a2 x) (f_or_zkp_b2 := f_or_zkp_b2 x) (f_or_zkp_c := y) (f_or_zkp_d1 := f_or_zkp_d1 x) (f_or_zkp_d2 := f_or_zkp_d2 x) (f_or_zkp_r1 := f_or_zkp_r1 x) (f_or_zkp_r2 := f_or_zkp_r2 x)). +Notation "'Build_t_OrZKPCommit' '[' x ']' '(' 'f_or_zkp_d1' ':=' y ')'" := (Build_t_OrZKPCommit (f_or_zkp_x := f_or_zkp_x x) (f_or_zkp_y := f_or_zkp_y x) (f_or_zkp_a1 := f_or_zkp_a1 x) (f_or_zkp_b1 := f_or_zkp_b1 x) (f_or_zkp_a2 := f_or_zkp_a2 x) (f_or_zkp_b2 := f_or_zkp_b2 x) (f_or_zkp_c := f_or_zkp_c x) (f_or_zkp_d1 := y) (f_or_zkp_d2 := f_or_zkp_d2 x) (f_or_zkp_r1 := f_or_zkp_r1 x) (f_or_zkp_r2 := f_or_zkp_r2 x)). 
+Notation "'Build_t_OrZKPCommit' '[' x ']' '(' 'f_or_zkp_d2' ':=' y ')'" := (Build_t_OrZKPCommit (f_or_zkp_x := f_or_zkp_x x) (f_or_zkp_y := f_or_zkp_y x) (f_or_zkp_a1 := f_or_zkp_a1 x) (f_or_zkp_b1 := f_or_zkp_b1 x) (f_or_zkp_a2 := f_or_zkp_a2 x) (f_or_zkp_b2 := f_or_zkp_b2 x) (f_or_zkp_c := f_or_zkp_c x) (f_or_zkp_d1 := f_or_zkp_d1 x) (f_or_zkp_d2 := y) (f_or_zkp_r1 := f_or_zkp_r1 x) (f_or_zkp_r2 := f_or_zkp_r2 x)). +Notation "'Build_t_OrZKPCommit' '[' x ']' '(' 'f_or_zkp_r1' ':=' y ')'" := (Build_t_OrZKPCommit (f_or_zkp_x := f_or_zkp_x x) (f_or_zkp_y := f_or_zkp_y x) (f_or_zkp_a1 := f_or_zkp_a1 x) (f_or_zkp_b1 := f_or_zkp_b1 x) (f_or_zkp_a2 := f_or_zkp_a2 x) (f_or_zkp_b2 := f_or_zkp_b2 x) (f_or_zkp_c := f_or_zkp_c x) (f_or_zkp_d1 := f_or_zkp_d1 x) (f_or_zkp_d2 := f_or_zkp_d2 x) (f_or_zkp_r1 := y) (f_or_zkp_r2 := f_or_zkp_r2 x)). +Notation "'Build_t_OrZKPCommit' '[' x ']' '(' 'f_or_zkp_r2' ':=' y ')'" := (Build_t_OrZKPCommit (f_or_zkp_x := f_or_zkp_x x) (f_or_zkp_y := f_or_zkp_y x) (f_or_zkp_a1 := f_or_zkp_a1 x) (f_or_zkp_b1 := f_or_zkp_b1 x) (f_or_zkp_a2 := f_or_zkp_a2 x) (f_or_zkp_b2 := f_or_zkp_b2 x) (f_or_zkp_c := f_or_zkp_c x) (f_or_zkp_d1 := f_or_zkp_d1 x) (f_or_zkp_d2 := f_or_zkp_d2 x) (f_or_zkp_r1 := f_or_zkp_r1 x) (f_or_zkp_r2 := y)). + +Definition t_RegisterParam {v_Z : _} `{ t_Sized v_Z} `{ t_Field v_Z} : choice_type := + (int32 × v_Z × int32). +Equations f_rp_i {L : {fset Location}} {I : Interface} {v_Z : _} `{ t_Sized v_Z} `{ t_Field v_Z} (s : both L I t_RegisterParam) : both L I int32 := + f_rp_i s := + bind_both s (fun x => + solve_lift (ret_both (fst (fst x) : int32))) : both L I int32. +Fail Next Obligation. +Equations f_rp_xi {L : {fset Location}} {I : Interface} {v_Z : _} `{ t_Sized v_Z} `{ t_Field v_Z} (s : both L I t_RegisterParam) : both L I v_Z := + f_rp_xi s := + bind_both s (fun x => + solve_lift (ret_both (snd (fst x) : v_Z))) : both L I v_Z. +Fail Next Obligation. 
+Equations f_rp_zkp_random {L : {fset Location}} {I : Interface} {v_Z : _} `{ t_Sized v_Z} `{ t_Field v_Z} (s : both L I t_RegisterParam) : both L I int32 := + f_rp_zkp_random s := + bind_both s (fun x => + solve_lift (ret_both (snd x : int32))) : both L I int32. +Fail Next Obligation. +Equations Build_t_RegisterParam {L0 : {fset Location}} {L1 : {fset Location}} {L2 : {fset Location}} {I0 : Interface} {I1 : Interface} {I2 : Interface} {v_Z : _} `{ t_Sized v_Z} `{ t_Field v_Z} {f_rp_i : both L0 I0 int32} {f_rp_xi : both L1 I1 v_Z} {f_rp_zkp_random : both L2 I2 int32} : both (L0:|:L1:|:L2) (I0:|:I1:|:I2) (t_RegisterParam) := + Build_t_RegisterParam := + bind_both f_rp_zkp_random (fun f_rp_zkp_random => + bind_both f_rp_xi (fun f_rp_xi => + bind_both f_rp_i (fun f_rp_i => + solve_lift (ret_both ((f_rp_i,f_rp_xi,f_rp_zkp_random) : (t_RegisterParam)))))) : both (L0:|:L1:|:L2) (I0:|:I1:|:I2) (t_RegisterParam). +Fail Next Obligation. +Notation "'Build_t_RegisterParam' '[' x ']' '(' 'f_rp_i' ':=' y ')'" := (Build_t_RegisterParam (f_rp_i := y) (f_rp_xi := f_rp_xi x) (f_rp_zkp_random := f_rp_zkp_random x)). +Notation "'Build_t_RegisterParam' '[' x ']' '(' 'f_rp_xi' ':=' y ')'" := (Build_t_RegisterParam (f_rp_i := f_rp_i x) (f_rp_xi := y) (f_rp_zkp_random := f_rp_zkp_random x)). +Notation "'Build_t_RegisterParam' '[' x ']' '(' 'f_rp_zkp_random' ':=' y ')'" := (Build_t_RegisterParam (f_rp_i := f_rp_i x) (f_rp_xi := f_rp_xi x) (f_rp_zkp_random := y)). + +Definition t_SchnorrZKPCommit {v_G : _} `{ t_Sized v_G} `{ t_Group v_G} : choice_type := + (v_G × f_Z × f_Z). +Equations f_schnorr_zkp_u {L : {fset Location}} {I : Interface} {v_G : _} `{ t_Sized v_G} `{ t_Group v_G} (s : both L I t_SchnorrZKPCommit) : both L I v_G := + f_schnorr_zkp_u s := + bind_both s (fun x => + solve_lift (ret_both (fst (fst x) : v_G))) : both L I v_G. +Fail Next Obligation. 
+Equations f_schnorr_zkp_c {L : {fset Location}} {I : Interface} {v_G : _} `{ t_Sized v_G} `{ t_Group v_G} (s : both L I t_SchnorrZKPCommit) : both L I f_Z := + f_schnorr_zkp_c s := + bind_both s (fun x => + solve_lift (ret_both (snd (fst x) : f_Z))) : both L I f_Z. +Fail Next Obligation. +Equations f_schnorr_zkp_z {L : {fset Location}} {I : Interface} {v_G : _} `{ t_Sized v_G} `{ t_Group v_G} (s : both L I t_SchnorrZKPCommit) : both L I f_Z := + f_schnorr_zkp_z s := + bind_both s (fun x => + solve_lift (ret_both (snd x : f_Z))) : both L I f_Z. +Fail Next Obligation. +Equations Build_t_SchnorrZKPCommit {L0 : {fset Location}} {L1 : {fset Location}} {L2 : {fset Location}} {I0 : Interface} {I1 : Interface} {I2 : Interface} {v_G : _} `{ t_Sized v_G} `{ t_Group v_G} {f_schnorr_zkp_u : both L0 I0 v_G} {f_schnorr_zkp_c : both L1 I1 f_Z} {f_schnorr_zkp_z : both L2 I2 f_Z} : both (L0:|:L1:|:L2) (I0:|:I1:|:I2) (t_SchnorrZKPCommit) := + Build_t_SchnorrZKPCommit := + bind_both f_schnorr_zkp_z (fun f_schnorr_zkp_z => + bind_both f_schnorr_zkp_c (fun f_schnorr_zkp_c => + bind_both f_schnorr_zkp_u (fun f_schnorr_zkp_u => + solve_lift (ret_both ((f_schnorr_zkp_u,f_schnorr_zkp_c,f_schnorr_zkp_z) : (t_SchnorrZKPCommit)))))) : both (L0:|:L1:|:L2) (I0:|:I1:|:I2) (t_SchnorrZKPCommit). +Fail Next Obligation. +Notation "'Build_t_SchnorrZKPCommit' '[' x ']' '(' 'f_schnorr_zkp_u' ':=' y ')'" := (Build_t_SchnorrZKPCommit (f_schnorr_zkp_u := y) (f_schnorr_zkp_c := f_schnorr_zkp_c x) (f_schnorr_zkp_z := f_schnorr_zkp_z x)). +Notation "'Build_t_SchnorrZKPCommit' '[' x ']' '(' 'f_schnorr_zkp_c' ':=' y ')'" := (Build_t_SchnorrZKPCommit (f_schnorr_zkp_u := f_schnorr_zkp_u x) (f_schnorr_zkp_c := y) (f_schnorr_zkp_z := f_schnorr_zkp_z x)). +Notation "'Build_t_SchnorrZKPCommit' '[' x ']' '(' 'f_schnorr_zkp_z' ':=' y ')'" := (Build_t_SchnorrZKPCommit (f_schnorr_zkp_u := f_schnorr_zkp_u x) (f_schnorr_zkp_c := f_schnorr_zkp_c x) (f_schnorr_zkp_z := y)). 
+ +Definition t_TallyParameter : choice_type := + 'unit. +Equations Build_t_TallyParameter : both (fset []) (fset []) (t_TallyParameter) := + Build_t_TallyParameter := + solve_lift (ret_both (tt (* Empty tuple *) : (t_TallyParameter))) : both (fset []) (fset []) (t_TallyParameter). +Fail Next Obligation. + +Equations schnorr_zkp {L1 : {fset Location}} {L2 : {fset Location}} {L3 : {fset Location}} {I1 : Interface} {I2 : Interface} {I3 : Interface} {v_G : _} `{ t_Sized v_G} `{ t_Group v_G} (random : both L1 I1 int32) (h : both L2 I2 v_G) (x : both L3 I3 f_Z) : both (L1 :|: L2 :|: L3) (I1 :|: I2 :|: I3) (t_SchnorrZKPCommit v_G) := + schnorr_zkp random h x := + solve_lift (run (letb r := f_random_field_elem random in + letb u := f_g_pow r in + letb c := f_hash (impl__into_vec (unsize (box_new (array_from_list [f_g (ret_both (tt : 'unit)); + h; + u])))) in + letb z := f_add r (f_mul c x) in + letm[choice_typeMonad.result_bind_code (t_SchnorrZKPCommit v_G)] hoist1 := v_Break (Build_t_SchnorrZKPCommit (f_schnorr_zkp_u := u) (f_schnorr_zkp_c := c) (f_schnorr_zkp_z := z)) in + ControlFlow_Continue (never_to_any hoist1))) : both (L1 :|: L2 :|: L3) (I1 :|: I2 :|: I3) (t_SchnorrZKPCommit v_G). +Fail Next Obligation. + +Equations schnorr_zkp_validate {L1 : {fset Location}} {L2 : {fset Location}} {I1 : Interface} {I2 : Interface} {v_G : _} `{ t_Sized v_G} `{ t_Group v_G} (h : both L1 I1 v_G) (pi : both L2 I2 (t_SchnorrZKPCommit v_G)) : both (L1 :|: L2) (I1 :|: I2) 'bool := + schnorr_zkp_validate h pi := + solve_lift (andb ((f_schnorr_zkp_c pi) =.? (f_hash (impl__into_vec (unsize (box_new (array_from_list [f_g (ret_both (tt : 'unit)); + h; + f_schnorr_zkp_u pi])))))) ((f_g_pow (f_schnorr_zkp_z pi)) =.? (f_prod (f_schnorr_zkp_u pi) (f_pow h (f_schnorr_zkp_c pi))))) : both (L1 :|: L2) (I1 :|: I2) 'bool. +Fail Next Obligation. 
+ +Equations zkp_one_out_of_two {L1 : {fset Location}} {L2 : {fset Location}} {L3 : {fset Location}} {L4 : {fset Location}} {L5 : {fset Location}} {L6 : {fset Location}} {I1 : Interface} {I2 : Interface} {I3 : Interface} {I4 : Interface} {I5 : Interface} {I6 : Interface} {v_G : _} `{ t_Sized v_G} `{ t_Group v_G} (random_w : both L1 I1 int32) (random_r : both L2 I2 int32) (random_d : both L3 I3 int32) (h : both L4 I4 v_G) (xi : both L5 I5 f_Z) (vi : both L6 I6 'bool) : both (L1 :|: L2 :|: L3 :|: L4 :|: L5 :|: L6) (I1 :|: I2 :|: I3 :|: I4 :|: I5 :|: I6) (t_OrZKPCommit v_G) := + zkp_one_out_of_two random_w random_r random_d h xi vi := + letb w := f_random_field_elem random_w in + solve_lift (ifb vi + then letb r1 := f_random_field_elem random_r in + letb d1 := f_random_field_elem random_d in + letb x := f_g_pow xi in + letb y := f_prod (f_pow h xi) (f_g (ret_both (tt : 'unit))) in + letb a1 := f_prod (f_g_pow r1) (f_pow x d1) in + letb b1 := f_prod (f_pow h r1) (f_pow y d1) in + letb a2 := f_g_pow w in + letb b2 := f_pow h w in + letb c := f_hash (impl__into_vec (unsize (box_new (array_from_list [x; + y; + a1; + b1; + a2; + b2])))) in + letb d2 := f_sub c d1 in + letb r2 := f_sub w (f_mul xi d2) in + Build_t_OrZKPCommit (f_or_zkp_x := x) (f_or_zkp_y := y) (f_or_zkp_a1 := a1) (f_or_zkp_b1 := b1) (f_or_zkp_a2 := a2) (f_or_zkp_b2 := b2) (f_or_zkp_c := c) (f_or_zkp_d1 := d1) (f_or_zkp_d2 := d2) (f_or_zkp_r1 := r1) (f_or_zkp_r2 := r2) + else letb r2 := f_random_field_elem random_r in + letb d2 := f_random_field_elem random_d in + letb x := f_g_pow xi in + letb y := f_pow h xi in + letb a1 := f_g_pow w in + letb b1 := f_pow h w in + letb a2 := f_prod (f_g_pow r2) (f_pow x d2) in + letb b2 := f_prod (f_pow h r2) (f_pow (f_div y (f_g (ret_both (tt : 'unit)))) d2) in + letb c := f_hash (impl__into_vec (unsize (box_new (array_from_list [x; + y; + a1; + b1; + a2; + b2])))) in + letb d1 := f_sub c d2 in + letb r1 := f_sub w (f_mul xi d1) in + Build_t_OrZKPCommit (f_or_zkp_x := x) 
(f_or_zkp_y := y) (f_or_zkp_a1 := a1) (f_or_zkp_b1 := b1) (f_or_zkp_a2 := a2) (f_or_zkp_b2 := b2) (f_or_zkp_c := c) (f_or_zkp_d1 := d1) (f_or_zkp_d2 := d2) (f_or_zkp_r1 := r1) (f_or_zkp_r2 := r2)) : both (L1 :|: L2 :|: L3 :|: L4 :|: L5 :|: L6) (I1 :|: I2 :|: I3 :|: I4 :|: I5 :|: I6) (t_OrZKPCommit v_G). +Fail Next Obligation. + +Equations zkp_one_out_of_two_validate {L1 : {fset Location}} {L2 : {fset Location}} {I1 : Interface} {I2 : Interface} {v_G : _} `{ t_Sized v_G} `{ t_Group v_G} (h : both L1 I1 v_G) (zkp : both L2 I2 (t_OrZKPCommit v_G)) : both (L1 :|: L2) (I1 :|: I2) 'bool := + zkp_one_out_of_two_validate h zkp := + letb c := f_hash (impl__into_vec (unsize (box_new (array_from_list [f_or_zkp_x zkp; + f_or_zkp_y zkp; + f_or_zkp_a1 zkp; + f_or_zkp_b1 zkp; + f_or_zkp_a2 zkp; + f_or_zkp_b2 zkp])))) in + solve_lift (andb (andb (andb (andb (c =.? (f_add (f_or_zkp_d1 zkp) (f_or_zkp_d2 zkp))) ((f_or_zkp_a1 zkp) =.? (f_prod (f_g_pow (f_or_zkp_r1 zkp)) (f_pow (f_or_zkp_x zkp) (f_or_zkp_d1 zkp))))) ((f_or_zkp_b1 zkp) =.? (f_prod (f_pow h (f_or_zkp_r1 zkp)) (f_pow (f_or_zkp_y zkp) (f_or_zkp_d1 zkp))))) ((f_or_zkp_a2 zkp) =.? (f_prod (f_g_pow (f_or_zkp_r2 zkp)) (f_pow (f_or_zkp_x zkp) (f_or_zkp_d2 zkp))))) ((f_or_zkp_b2 zkp) =.? (f_prod (f_pow h (f_or_zkp_r2 zkp)) (f_pow (f_div (f_or_zkp_y zkp) (f_g (ret_both (tt : 'unit)))) (f_or_zkp_d2 zkp))))) : both (L1 :|: L2) (I1 :|: I2) 'bool. +Fail Next Obligation. + +Definition t_OvnContractState {v_G : _} {n : both (fset []) (fset []) uint_size} `{ t_Sized v_G} `{ t_Group v_G} : choice_type := + (nseq v_G (is_pure (n)) × nseq (t_SchnorrZKPCommit v_G) (is_pure (n)) × nseq f_Z (is_pure (n)) × nseq v_G (is_pure (n)) × nseq (t_OrZKPCommit v_G) (is_pure (n)) × int32 × nseq 'bool (is_pure (n))). 
+Equations f_g_pow_xis {L : {fset Location}} {I : Interface} {v_G : _} {n : both (fset []) (fset []) uint_size} `{ t_Sized v_G} `{ t_Group v_G} (s : both L I t_OvnContractState) : both L I (nseq v_G (is_pure (n))) := + f_g_pow_xis s := + bind_both s (fun x => + solve_lift (ret_both (fst (fst (fst (fst (fst (fst x))))) : (nseq v_G (is_pure (n)))))) : both L I (nseq v_G (is_pure (n))). +Fail Next Obligation. +Equations f_zkp_xis {L : {fset Location}} {I : Interface} {v_G : _} {n : both (fset []) (fset []) uint_size} `{ t_Sized v_G} `{ t_Group v_G} (s : both L I t_OvnContractState) : both L I (nseq (t_SchnorrZKPCommit v_G) (is_pure (n))) := + f_zkp_xis s := + bind_both s (fun x => + solve_lift (ret_both (snd (fst (fst (fst (fst (fst x))))) : (nseq (t_SchnorrZKPCommit v_G) (is_pure (n)))))) : both L I (nseq (t_SchnorrZKPCommit v_G) (is_pure (n))). +Fail Next Obligation. +Equations f_commit_vis {L : {fset Location}} {I : Interface} {v_G : _} {n : both (fset []) (fset []) uint_size} `{ t_Sized v_G} `{ t_Group v_G} (s : both L I t_OvnContractState) : both L I (nseq f_Z (is_pure (n))) := + f_commit_vis s := + bind_both s (fun x => + solve_lift (ret_both (snd (fst (fst (fst (fst x)))) : (nseq f_Z (is_pure (n)))))) : both L I (nseq f_Z (is_pure (n))). +Fail Next Obligation. +Equations f_g_pow_xi_yi_vis {L : {fset Location}} {I : Interface} {v_G : _} {n : both (fset []) (fset []) uint_size} `{ t_Sized v_G} `{ t_Group v_G} (s : both L I t_OvnContractState) : both L I (nseq v_G (is_pure (n))) := + f_g_pow_xi_yi_vis s := + bind_both s (fun x => + solve_lift (ret_both (snd (fst (fst (fst x))) : (nseq v_G (is_pure (n)))))) : both L I (nseq v_G (is_pure (n))). +Fail Next Obligation. 
+Equations f_zkp_vis {L : {fset Location}} {I : Interface} {v_G : _} {n : both (fset []) (fset []) uint_size} `{ t_Sized v_G} `{ t_Group v_G} (s : both L I t_OvnContractState) : both L I (nseq (t_OrZKPCommit v_G) (is_pure (n))) := + f_zkp_vis s := + bind_both s (fun x => + solve_lift (ret_both (snd (fst (fst x)) : (nseq (t_OrZKPCommit v_G) (is_pure (n)))))) : both L I (nseq (t_OrZKPCommit v_G) (is_pure (n))). +Fail Next Obligation. +Equations f_tally {L : {fset Location}} {I : Interface} {v_G : _} {n : both (fset []) (fset []) uint_size} `{ t_Sized v_G} `{ t_Group v_G} (s : both L I t_OvnContractState) : both L I int32 := + f_tally s := + bind_both s (fun x => + solve_lift (ret_both (snd (fst x) : int32))) : both L I int32. +Fail Next Obligation. +Equations f_round1 {L : {fset Location}} {I : Interface} {v_G : _} {n : both (fset []) (fset []) uint_size} `{ t_Sized v_G} `{ t_Group v_G} (s : both L I t_OvnContractState) : both L I (nseq 'bool (is_pure (n))) := + f_round1 s := + bind_both s (fun x => + solve_lift (ret_both (snd x : (nseq 'bool (is_pure (n)))))) : both L I (nseq 'bool (is_pure (n))). +Fail Next Obligation. 
+Equations Build_t_OvnContractState {L0 : {fset Location}} {L1 : {fset Location}} {L2 : {fset Location}} {L3 : {fset Location}} {L4 : {fset Location}} {L5 : {fset Location}} {L6 : {fset Location}} {I0 : Interface} {I1 : Interface} {I2 : Interface} {I3 : Interface} {I4 : Interface} {I5 : Interface} {I6 : Interface} {v_G : _} {n : both (fset []) (fset []) uint_size} `{ t_Sized v_G} `{ t_Group v_G} {f_g_pow_xis : both L0 I0 (nseq v_G (is_pure (n)))} {f_zkp_xis : both L1 I1 (nseq (t_SchnorrZKPCommit v_G) (is_pure (n)))} {f_commit_vis : both L2 I2 (nseq f_Z (is_pure (n)))} {f_g_pow_xi_yi_vis : both L3 I3 (nseq v_G (is_pure (n)))} {f_zkp_vis : both L4 I4 (nseq (t_OrZKPCommit v_G) (is_pure (n)))} {f_tally : both L5 I5 int32} {f_round1 : both L6 I6 (nseq 'bool (is_pure (n)))} : both (L0:|:L1:|:L2:|:L3:|:L4:|:L5:|:L6) (I0:|:I1:|:I2:|:I3:|:I4:|:I5:|:I6) (t_OvnContractState) := + Build_t_OvnContractState := + bind_both f_round1 (fun f_round1 => + bind_both f_tally (fun f_tally => + bind_both f_zkp_vis (fun f_zkp_vis => + bind_both f_g_pow_xi_yi_vis (fun f_g_pow_xi_yi_vis => + bind_both f_commit_vis (fun f_commit_vis => + bind_both f_zkp_xis (fun f_zkp_xis => + bind_both f_g_pow_xis (fun f_g_pow_xis => + solve_lift (ret_both ((f_g_pow_xis,f_zkp_xis,f_commit_vis,f_g_pow_xi_yi_vis,f_zkp_vis,f_tally,f_round1) : (t_OvnContractState)))))))))) : both (L0:|:L1:|:L2:|:L3:|:L4:|:L5:|:L6) (I0:|:I1:|:I2:|:I3:|:I4:|:I5:|:I6) (t_OvnContractState). +Fail Next Obligation. +Notation "'Build_t_OvnContractState' '[' x ']' '(' 'f_g_pow_xis' ':=' y ')'" := (Build_t_OvnContractState (f_g_pow_xis := y) (f_zkp_xis := f_zkp_xis x) (f_commit_vis := f_commit_vis x) (f_g_pow_xi_yi_vis := f_g_pow_xi_yi_vis x) (f_zkp_vis := f_zkp_vis x) (f_tally := f_tally x) (f_round1 := f_round1 x)). 
+Notation "'Build_t_OvnContractState' '[' x ']' '(' 'f_zkp_xis' ':=' y ')'" := (Build_t_OvnContractState (f_g_pow_xis := f_g_pow_xis x) (f_zkp_xis := y) (f_commit_vis := f_commit_vis x) (f_g_pow_xi_yi_vis := f_g_pow_xi_yi_vis x) (f_zkp_vis := f_zkp_vis x) (f_tally := f_tally x) (f_round1 := f_round1 x)). +Notation "'Build_t_OvnContractState' '[' x ']' '(' 'f_commit_vis' ':=' y ')'" := (Build_t_OvnContractState (f_g_pow_xis := f_g_pow_xis x) (f_zkp_xis := f_zkp_xis x) (f_commit_vis := y) (f_g_pow_xi_yi_vis := f_g_pow_xi_yi_vis x) (f_zkp_vis := f_zkp_vis x) (f_tally := f_tally x) (f_round1 := f_round1 x)). +Notation "'Build_t_OvnContractState' '[' x ']' '(' 'f_g_pow_xi_yi_vis' ':=' y ')'" := (Build_t_OvnContractState (f_g_pow_xis := f_g_pow_xis x) (f_zkp_xis := f_zkp_xis x) (f_commit_vis := f_commit_vis x) (f_g_pow_xi_yi_vis := y) (f_zkp_vis := f_zkp_vis x) (f_tally := f_tally x) (f_round1 := f_round1 x)). +Notation "'Build_t_OvnContractState' '[' x ']' '(' 'f_zkp_vis' ':=' y ')'" := (Build_t_OvnContractState (f_g_pow_xis := f_g_pow_xis x) (f_zkp_xis := f_zkp_xis x) (f_commit_vis := f_commit_vis x) (f_g_pow_xi_yi_vis := f_g_pow_xi_yi_vis x) (f_zkp_vis := y) (f_tally := f_tally x) (f_round1 := f_round1 x)). +Notation "'Build_t_OvnContractState' '[' x ']' '(' 'f_tally' ':=' y ')'" := (Build_t_OvnContractState (f_g_pow_xis := f_g_pow_xis x) (f_zkp_xis := f_zkp_xis x) (f_commit_vis := f_commit_vis x) (f_g_pow_xi_yi_vis := f_g_pow_xi_yi_vis x) (f_zkp_vis := f_zkp_vis x) (f_tally := y) (f_round1 := f_round1 x)). +Notation "'Build_t_OvnContractState' '[' x ']' '(' 'f_round1' ':=' y ')'" := (Build_t_OvnContractState (f_g_pow_xis := f_g_pow_xis x) (f_zkp_xis := f_zkp_xis x) (f_commit_vis := f_commit_vis x) (f_g_pow_xi_yi_vis := f_g_pow_xi_yi_vis x) (f_zkp_vis := f_zkp_vis x) (f_tally := f_tally x) (f_round1 := y)). 
+ +Definition cast_vote_state_ret_loc {v_G : _} {n : both (fset []) (fset []) uint_size} {v_A : _} {impl_574521470_ : _} `{ t_Sized v_G} `{ t_Sized v_A} `{ t_Sized impl_574521470_} `{ t_Group v_G} `{ t_HasActions v_A} `{ t_HasReceiveContext impl_574521470_ 'unit} : Location := + (t_OvnContractState v_G (both (fset []) (fset []) uint_size);5%nat). +Equations cast_vote {L1 : {fset Location}} {L2 : {fset Location}} {I1 : Interface} {I2 : Interface} {v_G : _} {n : both (fset []) (fset []) uint_size} {v_A : _} {impl_574521470_ : _} `{ t_Sized v_G} `{ t_Sized v_A} `{ t_Sized impl_574521470_} `{ t_Group v_G} `{ t_HasActions v_A} `{ t_HasReceiveContext impl_574521470_ 'unit} (ctx : both L1 I1 impl_574521470_) (state : both L2 I2 (t_OvnContractState v_G (both (fset []) (fset []) uint_size))) : both (L1 :|: L2 :|: fset [cast_vote_state_ret_loc;prod1_loc;prod2_loc]) (I1 :|: I2) (t_Result (v_A × t_OvnContractState v_G (both (fset []) (fset []) uint_size)) t_ParseError) := + cast_vote ctx state := + solve_lift (run (letb '(_,out) := f_get (f_parameter_cursor ctx) in + letm[choice_typeMonad.result_bind_code t_ParseError] (params : t_CastVoteParam f_Z) := impl__map_err out f_from in + Result_Ok (letb g_pow_yi := compute_g_pow_yi (cast_int (WS2 := _) (f_cvp_i params)) (f_g_pow_xis state) in + letb g_pow_xi_yi_vi := compute_group_element_for_vote (f_cvp_xi params) (f_cvp_vote params) g_pow_yi in + letb zkp_vi := zkp_one_out_of_two (f_cvp_zkp_random_w params) (f_cvp_zkp_random_r params) (f_cvp_zkp_random_d params) g_pow_yi (f_cvp_xi params) (f_cvp_vote params) in + letb cast_vote_state_ret loc(cast_vote_state_ret_loc) := f_clone state in + letb _ := assign todo(term) in + letb _ := assign todo(term) in + Result_Ok (prod_b (f_accept (ret_both (tt : 'unit)),cast_vote_state_ret))))) : both (L1 :|: L2 :|: fset [cast_vote_state_ret_loc;prod1_loc;prod2_loc]) (I1 :|: I2) (t_Result (v_A × t_OvnContractState v_G (both (fset []) (fset []) uint_size)) t_ParseError). +Fail Next Obligation. 
+ +Definition commit_to_vote_state_ret_loc {v_G : _} {n : both (fset []) (fset []) uint_size} {v_A : _} {impl_574521470_ : _} `{ t_Sized v_G} `{ t_Sized v_A} `{ t_Sized impl_574521470_} `{ t_Group v_G} `{ t_HasActions v_A} `{ t_HasReceiveContext impl_574521470_ 'unit} : Location := + (t_OvnContractState v_G (both (fset []) (fset []) uint_size);6%nat). +Equations commit_to_vote {L1 : {fset Location}} {L2 : {fset Location}} {I1 : Interface} {I2 : Interface} {v_G : _} {n : both (fset []) (fset []) uint_size} {v_A : _} {impl_574521470_ : _} `{ t_Sized v_G} `{ t_Sized v_A} `{ t_Sized impl_574521470_} `{ t_Group v_G} `{ t_HasActions v_A} `{ t_HasReceiveContext impl_574521470_ 'unit} (ctx : both L1 I1 impl_574521470_) (state : both L2 I2 (t_OvnContractState v_G (both (fset []) (fset []) uint_size))) : both (L1 :|: L2 :|: fset [commit_to_vote_state_ret_loc;prod1_loc;prod2_loc]) (I1 :|: I2) (t_Result (v_A × t_OvnContractState v_G (both (fset []) (fset []) uint_size)) t_ParseError) := + commit_to_vote ctx state := + solve_lift (run (letb '(_,out) := f_get (f_parameter_cursor ctx) in + letm[choice_typeMonad.result_bind_code t_ParseError] (params : t_CastVoteParam f_Z) := impl__map_err out f_from in + Result_Ok (letb _ := foldi_both_list (f_into_iter (Build_t_Range (f_start := ret_both (0 : uint_size)) (f_end := n))) (fun i => + ssp (fun _ => + solve_lift (ifb orb (not (schnorr_zkp_validate ((f_g_pow_xis state).a[i]) ((f_zkp_xis state).a[i]))) (not ((f_round1 state).a[i])) + then letm[choice_typeMonad.result_bind_code (t_Result (v_A × t_OvnContractState v_G (both (fset []) (fset []) uint_size)) t_ParseError)] hoist26 := v_Break (Result_Err ParseError) in + ControlFlow_Continue (never_to_any hoist26) + else ()) : (both (*0*)(L2:|:fset []) (I2) (t_ControlFlow (t_Result (v_A × t_OvnContractState v_G (both (fset []) (fset []) uint_size)) t_ParseError) 'unit)))) (ret_both (tt : 'unit)) in + letb g_pow_yi := compute_g_pow_yi (cast_int (WS2 := _) (f_cvp_i params)) (f_g_pow_xis state) 
in + letb g_pow_xi_yi_vi := compute_group_element_for_vote (f_cvp_xi params) (f_cvp_vote params) g_pow_yi in + letb commit_vi := commit_to g_pow_xi_yi_vi in + letb commit_to_vote_state_ret loc(commit_to_vote_state_ret_loc) := f_clone state in + letb _ := assign todo(term) in + Result_Ok (prod_b (f_accept (ret_both (tt : 'unit)),commit_to_vote_state_ret))))) : both (L1 :|: L2 :|: fset [commit_to_vote_state_ret_loc;prod1_loc;prod2_loc]) (I1 :|: I2) (t_Result (v_A × t_OvnContractState v_G (both (fset []) (fset []) uint_size)) t_ParseError). +Fail Next Obligation. + +Equations init_ovn_contract {L1 : {fset Location}} {I1 : Interface} {v_G : _} {n : both (fset []) (fset []) uint_size} `{ t_Sized v_G} `{ t_Group v_G} (_ : both L1 I1 'unit) : both L1 I1 (t_Result (t_OvnContractState v_G (both (fset []) (fset []) uint_size)) t_Reject) := + init_ovn_contract _ := + Result_Ok (solve_lift (Build_t_OvnContractState (f_g_pow_xis := repeat (f_group_one (ret_both (tt : 'unit))) n) (f_zkp_xis := repeat (Build_t_SchnorrZKPCommit (f_schnorr_zkp_u := f_group_one (ret_both (tt : 'unit))) (f_schnorr_zkp_z := f_field_zero (ret_both (tt : 'unit))) (f_schnorr_zkp_c := f_field_zero (ret_both (tt : 'unit)))) n) (f_commit_vis := repeat (f_field_zero (ret_both (tt : 'unit))) n) (f_g_pow_xi_yi_vis := repeat (f_group_one (ret_both (tt : 'unit))) n) (f_zkp_vis := repeat (Build_t_OrZKPCommit (f_or_zkp_x := f_group_one (ret_both (tt : 'unit))) (f_or_zkp_y := f_group_one (ret_both (tt : 'unit))) (f_or_zkp_a1 := f_group_one (ret_both (tt : 'unit))) (f_or_zkp_b1 := f_group_one (ret_both (tt : 'unit))) (f_or_zkp_a2 := f_group_one (ret_both (tt : 'unit))) (f_or_zkp_b2 := f_group_one (ret_both (tt : 'unit))) (f_or_zkp_c := f_field_zero (ret_both (tt : 'unit))) (f_or_zkp_d1 := f_field_zero (ret_both (tt : 'unit))) (f_or_zkp_d2 := f_field_zero (ret_both (tt : 'unit))) (f_or_zkp_r1 := f_field_zero (ret_both (tt : 'unit))) (f_or_zkp_r2 := f_field_zero (ret_both (tt : 'unit)))) n) (f_tally := ret_both (0 : 
int32)) (f_round1 := repeat (ret_both (false : 'bool)) n))) : both L1 I1 (t_Result (t_OvnContractState v_G (both (fset []) (fset []) uint_size)) t_Reject). +Fail Next Obligation. + +Definition register_vote_state_ret_loc {v_G : _} {n : both (fset []) (fset []) uint_size} {v_A : _} {impl_574521470_ : _} `{ t_Sized v_G} `{ t_Sized v_A} `{ t_Sized impl_574521470_} `{ t_Group v_G} `{ t_HasActions v_A} `{ t_HasReceiveContext impl_574521470_ 'unit} : Location := + (t_OvnContractState v_G (both (fset []) (fset []) uint_size);7%nat). +Equations register_vote {L1 : {fset Location}} {L2 : {fset Location}} {I1 : Interface} {I2 : Interface} {v_G : _} {n : both (fset []) (fset []) uint_size} {v_A : _} {impl_574521470_ : _} `{ t_Sized v_G} `{ t_Sized v_A} `{ t_Sized impl_574521470_} `{ t_Group v_G} `{ t_HasActions v_A} `{ t_HasReceiveContext impl_574521470_ 'unit} (ctx : both L1 I1 impl_574521470_) (state : both L2 I2 (t_OvnContractState v_G (both (fset []) (fset []) uint_size))) : both (L1 :|: L2 :|: fset [register_vote_state_ret_loc]) (I1 :|: I2) (t_Result (v_A × t_OvnContractState v_G (both (fset []) (fset []) uint_size)) t_ParseError) := + register_vote ctx state := + solve_lift (run (letb '(_,out) := f_get (f_parameter_cursor ctx) in + letm[choice_typeMonad.result_bind_code t_ParseError] (params : t_RegisterParam f_Z) := impl__map_err out f_from in + Result_Ok (letb g_pow_xi := f_g_pow (f_rp_xi params) in + letb zkp_xi := schnorr_zkp (f_rp_zkp_random params) g_pow_xi (f_rp_xi params) in + letb register_vote_state_ret loc(register_vote_state_ret_loc) := f_clone state in + letb _ := assign todo(term) in + letb _ := assign todo(term) in + letb _ := assign todo(term) in + Result_Ok (prod_b (f_accept (ret_both (tt : 'unit)),register_vote_state_ret))))) : both (L1 :|: L2 :|: fset [register_vote_state_ret_loc]) (I1 :|: I2) (t_Result (v_A × t_OvnContractState v_G (both (fset []) (fset []) uint_size)) t_ParseError). +Fail Next Obligation. 
+ +Definition curr_loc {v_G : _} {n : both (fset []) (fset []) uint_size} {v_A : _} {impl_574521470_ : _} `{ t_Sized v_G} `{ t_Sized v_A} `{ t_Sized impl_574521470_} `{ t_Group v_G} `{ t_HasActions v_A} `{ t_HasReceiveContext impl_574521470_ 'unit} : Location := + (f_Z;8%nat). +Definition tally_loc {v_G : _} {n : both (fset []) (fset []) uint_size} {v_A : _} {impl_574521470_ : _} `{ t_Sized v_G} `{ t_Sized v_A} `{ t_Sized impl_574521470_} `{ t_Group v_G} `{ t_HasActions v_A} `{ t_HasReceiveContext impl_574521470_ 'unit} : Location := + (int32;9%nat). +Definition tally_votes_state_ret_loc {v_G : _} {n : both (fset []) (fset []) uint_size} {v_A : _} {impl_574521470_ : _} `{ t_Sized v_G} `{ t_Sized v_A} `{ t_Sized impl_574521470_} `{ t_Group v_G} `{ t_HasActions v_A} `{ t_HasReceiveContext impl_574521470_ 'unit} : Location := + (t_OvnContractState v_G (both (fset []) (fset []) uint_size);10%nat). +Definition vote_result_loc {v_G : _} {n : both (fset []) (fset []) uint_size} {v_A : _} {impl_574521470_ : _} `{ t_Sized v_G} `{ t_Sized v_A} `{ t_Sized impl_574521470_} `{ t_Group v_G} `{ t_HasActions v_A} `{ t_HasReceiveContext impl_574521470_ 'unit} : Location := + (v_G;11%nat). 
+Equations tally_votes {L1 : {fset Location}} {L2 : {fset Location}} {I1 : Interface} {I2 : Interface} {v_G : _} {n : both (fset []) (fset []) uint_size} {v_A : _} {impl_574521470_ : _} `{ t_Sized v_G} `{ t_Sized v_A} `{ t_Sized impl_574521470_} `{ t_Group v_G} `{ t_HasActions v_A} `{ t_HasReceiveContext impl_574521470_ 'unit} (_ : both L1 I1 impl_574521470_) (state : both L2 I2 (t_OvnContractState v_G (both (fset []) (fset []) uint_size))) : both (L1 :|: L2 :|: fset [curr_loc;tally_loc;tally_votes_state_ret_loc;vote_result_loc;prod1_loc;prod2_loc]) (I1 :|: I2) (t_Result (v_A × t_OvnContractState v_G (both (fset []) (fset []) uint_size)) t_ParseError) := + tally_votes _ state := + letb _ := foldi_both_list (f_into_iter (Build_t_Range (f_start := ret_both (0 : uint_size)) (f_end := n))) (fun i => + ssp (fun _ => + letb g_pow_yi := compute_g_pow_yi i (f_g_pow_xis state) in + letm[choice_typeMonad.result_bind_code (t_Result (v_A × t_OvnContractState v_G (both (fset []) (fset []) uint_size)) t_ParseError)] _ := ControlFlow_Continue (ifb not (zkp_one_out_of_two_validate g_pow_yi ((f_zkp_vis state).a[i])) + then letm[choice_typeMonad.result_bind_code (t_Result (v_A × t_OvnContractState v_G (both (fset []) (fset []) uint_size)) t_ParseError)] hoist27 := v_Break (Result_Err ParseError) in + ControlFlow_Continue (never_to_any hoist27) + else ()) in + solve_lift (ifb not (check_commitment ((f_g_pow_xi_yi_vis state).a[i]) ((f_commit_vis state).a[i])) + then letm[choice_typeMonad.result_bind_code (t_Result (v_A × t_OvnContractState v_G (both (fset []) (fset []) uint_size)) t_ParseError)] hoist28 := v_Break (Result_Err ParseError) in + ControlFlow_Continue (never_to_any hoist28) + else ()) : (both (*2*)(L2:|:fset [prod1_loc;prod2_loc]) (I2) (t_ControlFlow (t_Result (v_A × t_OvnContractState v_G (both (fset []) (fset []) uint_size)) t_ParseError) 'unit)))) (ret_both (tt : 'unit)) in + letb vote_result loc(vote_result_loc) := f_group_one (ret_both (tt : 'unit)) in + letb _ := 
foldi_both_list (f_into_iter (f_g_pow_xi_yi_vis state)) (fun g_pow_vote => + ssp (fun _ => + assign todo(term) : (both (*1*)(L2:|:fset [vote_result_loc]) (I2) 'unit))) (ret_both (tt : 'unit)) in + letb tally loc(tally_loc) := ret_both (0 : int32) in + letb curr loc(curr_loc) := f_field_zero (ret_both (tt : 'unit)) in + letb _ := foldi_both_list (f_into_iter (Build_t_Range (f_start := ret_both (0 : int32)) (f_end := cast_int (WS2 := _) n))) (fun i => + ssp (fun _ => + letb _ := ifb (f_g_pow curr) =.? vote_result + then letb _ := assign todo(term) in + ret_both (tt : 'unit) + else () in + letb _ := assign todo(term) in + solve_lift (ret_both (tt : 'unit)) : (both (*3*)(fset [curr_loc;tally_loc;vote_result_loc]) ((fset [])) 'unit))) (ret_both (tt : 'unit)) in + letb tally_votes_state_ret loc(tally_votes_state_ret_loc) := f_clone state in + letb _ := assign todo(term) in + Result_Ok (solve_lift (prod_b (f_accept (ret_both (tt : 'unit)),tally_votes_state_ret))) : both (L1 :|: L2 :|: fset [curr_loc;tally_loc;tally_votes_state_ret_loc;vote_result_loc;prod1_loc;prod2_loc]) (I1 :|: I2) (t_Result (v_A × t_OvnContractState v_G (both (fset []) (fset []) uint_size)) t_ParseError). +Fail Next Obligation. diff --git a/ovn/proofs/ssprove/extraction/Hacspec_ovn_Ovn_secp256k1.v b/ovn/proofs/ssprove/extraction/Hacspec_ovn_Ovn_secp256k1.v new file mode 100644 index 0000000..0ec2397 --- /dev/null +++ b/ovn/proofs/ssprove/extraction/Hacspec_ovn_Ovn_secp256k1.v 
@@ -0,0 +1,354 @@ +(* File automatically generated by Hacspec *) +Set Warnings "-notation-overridden,-ambiguous-paths". +From Crypt Require Import choice_type Package Prelude. +Import PackageNotation. +From extructures Require Import ord fset. +From mathcomp Require Import word_ssrZ word. +(* From Jasmin Require Import word. *) + +From Coq Require Import ZArith. +From Coq Require Import Strings.String. +Import List.ListNotations. +Open Scope list_scope. +Open Scope Z_scope. +Open Scope bool_scope. + +From Hacspec Require Import ChoiceEquality. +From Hacspec Require Import LocationUtility. +From Hacspec Require Import Hacspec_Lib_Comparable. +From Hacspec Require Import Hacspec_Lib_Pre. +From Hacspec Require Import Hacspec_Lib. + +Open Scope hacspec_scope. +Import choice.Choice.Exports. + +Obligation Tactic := (* try timeout 8 *) solve_ssprove_obligations. + +Require Import Crate_Ovn_traits. +Export Crate_Ovn_traits. + +Require Import Hacspec_lib. +Export Hacspec_lib. + +Require Import Hacspec_bip_340. +Export Hacspec_bip_340. + +Definition t_Group_curve : choice_type := + (t_Point). +Equations f_val {L : {fset Location}} {I : Interface} (s : both L I t_Group_curve) : both L I t_Point := + f_val s := + bind_both s (fun x => + solve_lift (ret_both (x : t_Point))) : both L I t_Point. +Fail Next Obligation. +Equations Build_t_Group_curve {L0 : {fset Location}} {I0 : Interface} {f_val : both L0 I0 t_Point} : both L0 I0 (t_Group_curve) := + Build_t_Group_curve := + bind_both f_val (fun f_val => + solve_lift (ret_both ((f_val) : (t_Group_curve)))) : both L0 I0 (t_Group_curve). +Fail Next Obligation. +Notation "'Build_t_Group_curve' '[' x ']' '(' 'f_val' ':=' y ')'" := (Build_t_Group_curve (f_val := y)). 
+ +#[global] Program Instance t_Group_curve_t_Deserial : t_Deserial t_Group_curve := + let f_deserial := fun {L1 : {fset Location}} {I1 : Interface} (source : both L1 I1 v_R) => solve_lift (run (letb '(tmp0,out) := f_get source in + letb _ := assign todo(term) in + letb hoist3 := out in + letb hoist4 := f_branch hoist3 in + letm[choice_typeMonad.result_bind_code (v_R × t_Result t_Group_curve t_ParseError)] (b : 'bool) := matchb hoist4 with + | ControlFlow_Break_case residual => + letb residual := ret_both ((residual) : (t_Result t_Infallible t_ParseError)) in + letm[choice_typeMonad.result_bind_code (v_R × t_Result t_Group_curve t_ParseError)] hoist2 := v_Break (prod_b (source,f_from_residual residual)) in + ControlFlow_Continue (solve_lift (never_to_any hoist2)) + | ControlFlow_Continue_case val => + letb val := ret_both ((val) : ('bool)) in + ControlFlow_Continue (solve_lift val) + end in + letm[choice_typeMonad.result_bind_code (v_R × t_Result t_Group_curve t_ParseError)] hax_temp_output := ifb b + then letb '(tmp0,out) := f_get source in + letb _ := assign todo(term) in + letb hoist6 := out in + letb hoist7 := f_branch hoist6 in + letm[choice_typeMonad.result_bind_code (v_R × t_Result t_Group_curve t_ParseError)] (vx : t_Vec int8 t_Global) := matchb hoist7 with + | ControlFlow_Break_case residual => + letb residual := ret_both ((residual) : (t_Result t_Infallible t_ParseError)) in + letm[choice_typeMonad.result_bind_code (v_R × t_Result t_Group_curve t_ParseError)] hoist5 := v_Break (prod_b (source,f_from_residual residual)) in + ControlFlow_Continue (solve_lift (never_to_any hoist5)) + | ControlFlow_Continue_case val => + letb val := ret_both ((val) : (t_Vec int8 t_Global)) in + ControlFlow_Continue (solve_lift val) + end in + letb '(tmp0,out) := f_get source in + letb _ := assign todo(term) in + letb hoist9 := out in + letb hoist10 := f_branch hoist9 in + letm[choice_typeMonad.result_bind_code (v_R × t_Result t_Group_curve t_ParseError)] (vy : t_Vec int8 
t_Global) := matchb hoist10 with + | ControlFlow_Break_case residual => + letb residual := ret_both ((residual) : (t_Result t_Infallible t_ParseError)) in + letm[choice_typeMonad.result_bind_code (v_R × t_Result t_Group_curve t_ParseError)] hoist8 := v_Break (prod_b (source,f_from_residual residual)) in + ControlFlow_Continue (solve_lift (never_to_any hoist8)) + | ControlFlow_Continue_case val => + letb val := ret_both ((val) : (t_Vec int8 t_Global)) in + ControlFlow_Continue (solve_lift val) + end in + ControlFlow_Continue (Result_Ok (Build_t_Group_curve (f_val := Point_Affine (prod_b (impl__FieldElement__from_public_byte_seq_be (impl_52__from_vec vx),impl__FieldElement__from_public_byte_seq_be (impl_52__from_vec vy)))))) + else ControlFlow_Continue (Result_Ok (Build_t_Group_curve (f_val := Point_AtInfinity))) in + ControlFlow_Continue (prod_b (source,hax_temp_output)))) : both (L1 :|: fset []) I1 (v_R × t_Result t_Group_curve t_ParseError) in + {| f_deserial_loc := (fset [] : {fset Location}); + f_deserial := (@f_deserial)|}. +Fail Next Obligation. +Hint Unfold t_Group_curve_t_Deserial. + +Definition v_loc : Location := + (t_Vec int8 t_Global;4%nat). 
+#[global] Program Instance t_Group_curve_t_Serial : t_Serial t_Group_curve := + let f_serial := fun {L1 : {fset Location}} {L2 : {fset Location}} {I1 : Interface} {I2 : Interface} (self : both L1 I1 t_Group_curve) (out : both L2 I2 v_W) => solve_lift (run (letm[choice_typeMonad.result_bind_code (v_W × t_Result 'unit f_Err)] _ := matchb f_val self with + | Point_Affine_case p => + letb p := ret_both ((p) : (t_FieldElement × t_FieldElement)) in + letb '(tmp0,out) := f_serial (ret_both (true : 'bool)) out in + letb _ := assign todo(term) in + letb hoist12 := out in + letb hoist13 := f_branch hoist12 in + letm[choice_typeMonad.result_bind_code (v_W × t_Result 'unit f_Err)] _ := matchb hoist13 with + | ControlFlow_Break_case residual => + letb residual := ret_both ((residual) : (t_Result t_Infallible f_Err)) in + letm[choice_typeMonad.result_bind_code (v_W × t_Result 'unit f_Err)] hoist11 := v_Break (prod_b (out,f_from_residual residual)) in + ControlFlow_Continue (solve_lift (never_to_any hoist11)) + | ControlFlow_Continue_case val => + letb val := ret_both ((val) : ('unit)) in + ControlFlow_Continue (solve_lift val) + end in + letb (vx : t_Vec int8 t_Global) loc(vx_loc) := impl__new (ret_both (tt : 'unit)) in + letb _ := foldi_both_list (f_into_iter (impl_41__native_slice (impl__FieldElement__to_public_byte_seq_be (x p)))) (fun x => + ssp (fun _ => + assign todo(term) : (both (*1*)(fset [vx_loc]) ((fset [])) 'unit))) (ret_both (tt : 'unit)) in + letb '(tmp0,out) := f_serial vx out in + letb _ := assign todo(term) in + letb hoist15 := out in + letb hoist16 := f_branch hoist15 in + letm[choice_typeMonad.result_bind_code (v_W × t_Result 'unit f_Err)] _ := matchb hoist16 with + | ControlFlow_Break_case residual => + letb residual := ret_both ((residual) : (t_Result t_Infallible f_Err)) in + letm[choice_typeMonad.result_bind_code (v_W × t_Result 'unit f_Err)] hoist14 := v_Break (prod_b (out,f_from_residual residual)) in + ControlFlow_Continue (solve_lift (never_to_any 
hoist14)) + | ControlFlow_Continue_case val => + letb val := ret_both ((val) : ('unit)) in + ControlFlow_Continue (solve_lift val) + end in + letb (vy : t_Vec int8 t_Global) loc(vy_loc) := impl__new (ret_both (tt : 'unit)) in + letb _ := foldi_both_list (f_into_iter (impl_41__native_slice (impl__FieldElement__to_public_byte_seq_be (y p)))) (fun y => + ssp (fun _ => + assign todo(term) : (both (*1*)(fset [vy_loc]) ((fset [])) 'unit))) (ret_both (tt : 'unit)) in + letb '(tmp0,out) := f_serial vy out in + letb _ := assign todo(term) in + letb hoist18 := out in + letb hoist19 := f_branch hoist18 in + letm[choice_typeMonad.result_bind_code (v_W × t_Result 'unit f_Err)] _ := matchb hoist19 with + | ControlFlow_Break_case residual => + letb residual := ret_both ((residual) : (t_Result t_Infallible f_Err)) in + letm[choice_typeMonad.result_bind_code (v_W × t_Result 'unit f_Err)] hoist17 := v_Break (prod_b (out,f_from_residual residual)) in + ControlFlow_Continue (solve_lift (never_to_any hoist17)) + | ControlFlow_Continue_case val => + letb val := ret_both ((val) : ('unit)) in + ControlFlow_Continue (solve_lift val) + end in + ControlFlow_Continue (solve_lift (ret_both (tt : 'unit))) + | Point_AtInfinity_case => + letb '(tmp0,out) := f_serial (ret_both (false : 'bool)) out in + letb _ := assign todo(term) in + letb hoist21 := out in + letb hoist22 := f_branch hoist21 in + letm[choice_typeMonad.result_bind_code (v_W × t_Result 'unit f_Err)] _ := matchb hoist22 with + | ControlFlow_Break_case residual => + letb residual := ret_both ((residual) : (t_Result t_Infallible f_Err)) in + letm[choice_typeMonad.result_bind_code (v_W × t_Result 'unit f_Err)] hoist20 := v_Break (prod_b (out,f_from_residual residual)) in + ControlFlow_Continue (solve_lift (never_to_any hoist20)) + | ControlFlow_Continue_case val => + letb val := ret_both ((val) : ('unit)) in + ControlFlow_Continue (solve_lift val) + end in + ControlFlow_Continue (solve_lift (ret_both (tt : 'unit))) + end in + 
ControlFlow_Continue (letb hax_temp_output := Result_Ok (ret_both (tt : 'unit)) in + prod_b (out,hax_temp_output)))) : both (L1 :|: L2 :|: fset [v_loc;vx_loc;vy_loc]) (I1 :|: I2) (v_W × t_Result 'unit f_Err) in + {| f_serial_loc := (fset [v_loc;vx_loc;vy_loc] : {fset Location}); + f_serial := (@f_serial)|}. +Fail Next Obligation. +Hint Unfold t_Group_curve_t_Serial. + +Definition t_Z_curve : choice_type := + (t_Scalar). +Equations f_val {L : {fset Location}} {I : Interface} (s : both L I t_Z_curve) : both L I t_Scalar := + f_val s := + bind_both s (fun x => + solve_lift (ret_both (x : t_Scalar))) : both L I t_Scalar. +Fail Next Obligation. +Equations Build_t_Z_curve {L0 : {fset Location}} {I0 : Interface} {f_val : both L0 I0 t_Scalar} : both L0 I0 (t_Z_curve) := + Build_t_Z_curve := + bind_both f_val (fun f_val => + solve_lift (ret_both ((f_val) : (t_Z_curve)))) : both L0 I0 (t_Z_curve). +Fail Next Obligation. +Notation "'Build_t_Z_curve' '[' x ']' '(' 'f_val' ':=' y ')'" := (Build_t_Z_curve (f_val := y)). 
+ +#[global] Program Instance t_Z_curve_t_Deserial : t_Deserial t_Z_curve := + let f_deserial := fun {L1 : {fset Location}} {I1 : Interface} (source : both L1 I1 v_R) => solve_lift (run (letb '(tmp0,out) := f_get source in + letb _ := assign todo(term) in + letb hoist24 := out in + letb hoist25 := f_branch hoist24 in + letm[choice_typeMonad.result_bind_code (v_R × t_Result t_Z_curve t_ParseError)] (temp : t_Vec int8 t_Global) := matchb hoist25 with + | ControlFlow_Break_case residual => + letb residual := ret_both ((residual) : (t_Result t_Infallible t_ParseError)) in + letm[choice_typeMonad.result_bind_code (v_R × t_Result t_Z_curve t_ParseError)] hoist23 := v_Break (prod_b (source,f_from_residual residual)) in + ControlFlow_Continue (solve_lift (never_to_any hoist23)) + | ControlFlow_Continue_case val => + letb val := ret_both ((val) : (t_Vec int8 t_Global)) in + ControlFlow_Continue (solve_lift val) + end in + ControlFlow_Continue (letb hax_temp_output := Result_Ok (Build_t_Z_curve (f_val := impl__Scalar__from_public_byte_seq_be (impl_52__from_vec temp))) in + prod_b (source,hax_temp_output)))) : both (L1 :|: fset []) I1 (v_R × t_Result t_Z_curve t_ParseError) in + {| f_deserial_loc := (fset [] : {fset Location}); + f_deserial := (@f_deserial)|}. +Fail Next Obligation. +Hint Unfold t_Z_curve_t_Deserial. + +Definition v_loc : Location := + (t_Vec int8 t_Global;4%nat). 
+#[global] Program Instance t_Z_curve_t_Serial : t_Serial t_Z_curve := + let f_serial := fun {L1 : {fset Location}} {L2 : {fset Location}} {I1 : Interface} {I2 : Interface} (self : both L1 I1 t_Z_curve) (out : both L2 I2 v_W) => letb (v : t_Vec int8 t_Global) loc(v_loc) := impl__new (ret_both (tt : 'unit)) in + letb _ := foldi_both_list (f_into_iter (impl_41__native_slice (impl__Scalar__to_public_byte_seq_be (f_val self)))) (fun x => + ssp (fun _ => + assign todo(term) : (both (*1*)(L1:|:fset [v_loc]) (I1) 'unit))) (ret_both (tt : 'unit)) in + letb '(tmp0,out) := f_serial v out in + letb _ := assign todo(term) in + letb hax_temp_output := out in + solve_lift (prod_b (out,hax_temp_output)) : both (L1 :|: L2 :|: fset [v_loc;vx_loc;vy_loc]) (I1 :|: I2) (v_W × t_Result 'unit f_Err) in + {| f_serial_loc := (fset [v_loc;vx_loc;vy_loc] : {fset Location}); + f_serial := (@f_serial)|}. +Fail Next Obligation. +Hint Unfold t_Z_curve_t_Serial. + +#[global] Program Instance t_Z_curve_t_Field : t_Field t_Z_curve := + let f_q := fun {L : {fset Location}} {I : Interface} => solve_lift (Build_t_Z_curve (f_val := impl__Scalar__from_hex (ret_both (0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141 : chString)))) : both (L :|: fset []) I t_Z_curve in + let f_random_field_elem := fun {L1 : {fset Location}} {I1 : Interface} (random : both L1 I1 int32) => solve_lift (Build_t_Z_curve (f_val := impl__Scalar__from_literal (cast_int (WS2 := _) random))) : both (L1 :|: fset []) I1 t_Z_curve in + let f_field_zero := fun {L : {fset Location}} {I : Interface} => solve_lift (Build_t_Z_curve (f_val := impl__Scalar__from_literal (ret_both (0 : int128)))) : both (L :|: fset []) I t_Z_curve in + let f_field_one := fun {L : {fset Location}} {I : Interface} => solve_lift (Build_t_Z_curve (f_val := impl__Scalar__from_literal (ret_both (1 : int128)))) : both (L :|: fset []) I t_Z_curve in + let f_add := fun {L1 : {fset Location}} {L2 : {fset Location}} {I1 : Interface} {I2 : Interface} (x 
: both L1 I1 t_Z_curve) (y : both L2 I2 t_Z_curve) => solve_lift (Build_t_Z_curve (f_val := (f_val x) .+ (f_val y))) : both (L1 :|: L2 :|: fset []) (I1 :|: I2) t_Z_curve in + let f_sub := fun {L1 : {fset Location}} {L2 : {fset Location}} {I1 : Interface} {I2 : Interface} (x : both L1 I1 t_Z_curve) (y : both L2 I2 t_Z_curve) => solve_lift (Build_t_Z_curve (f_val := (f_val x) .- (f_val y))) : both (L1 :|: L2 :|: fset []) (I1 :|: I2) t_Z_curve in + let f_mul := fun {L1 : {fset Location}} {L2 : {fset Location}} {I1 : Interface} {I2 : Interface} (x : both L1 I1 t_Z_curve) (y : both L2 I2 t_Z_curve) => solve_lift (Build_t_Z_curve (f_val := (f_val x) .* (f_val y))) : both (L1 :|: L2 :|: fset []) (I1 :|: I2) t_Z_curve in + {| f_q_loc := (fset [] : {fset Location}); + f_q := (@f_q); + f_random_field_elem_loc := (fset [] : {fset Location}); + f_random_field_elem := (@f_random_field_elem); + f_field_zero_loc := (fset [] : {fset Location}); + f_field_zero := (@f_field_zero); + f_field_one_loc := (fset [] : {fset Location}); + f_field_one := (@f_field_one); + f_add_loc := (fset [] : {fset Location}); + f_add := (@f_add); + f_sub_loc := (fset [] : {fset Location}); + f_sub := (@f_sub); + f_mul_loc := (fset [] : {fset Location}); + f_mul := (@f_mul)|}. +Fail Next Obligation. +Hint Unfold t_Z_curve_t_Field. + +Definition result_loc : Location := + (t_g_z_89_;13%nat). +Definition res_loc : Location := + (t_z_89_;12%nat). 
+#[global] Program Instance t_Group_curve_t_Group : t_Group t_Group_curve := + let f_Z := t_Z_curve : choice_type in + let f_g := fun {L : {fset Location}} {I : Interface} => letb gx := PBytes32 (array_from_list [ret_both (121 : int8); + ret_both (190 : int8); + ret_both (102 : int8); + ret_both (126 : int8); + ret_both (249 : int8); + ret_both (220 : int8); + ret_both (187 : int8); + ret_both (172 : int8); + ret_both (85 : int8); + ret_both (160 : int8); + ret_both (98 : int8); + ret_both (149 : int8); + ret_both (206 : int8); + ret_both (135 : int8); + ret_both (11 : int8); + ret_both (7 : int8); + ret_both (2 : int8); + ret_both (155 : int8); + ret_both (252 : int8); + ret_both (219 : int8); + ret_both (45 : int8); + ret_both (206 : int8); + ret_both (40 : int8); + ret_both (217 : int8); + ret_both (89 : int8); + ret_both (242 : int8); + ret_both (129 : int8); + ret_both (91 : int8); + ret_both (22 : int8); + ret_both (248 : int8); + ret_both (23 : int8); + ret_both (152 : int8)]) in + letb gy := PBytes32 (array_from_list [ret_both (72 : int8); + ret_both (58 : int8); + ret_both (218 : int8); + ret_both (119 : int8); + ret_both (38 : int8); + ret_both (163 : int8); + ret_both (196 : int8); + ret_both (101 : int8); + ret_both (93 : int8); + ret_both (164 : int8); + ret_both (251 : int8); + ret_both (252 : int8); + ret_both (14 : int8); + ret_both (17 : int8); + ret_both (8 : int8); + ret_both (168 : int8); + ret_both (253 : int8); + ret_both (23 : int8); + ret_both (180 : int8); + ret_both (72 : int8); + ret_both (166 : int8); + ret_both (133 : int8); + ret_both (84 : int8); + ret_both (25 : int8); + ret_both (156 : int8); + ret_both (71 : int8); + ret_both (208 : int8); + ret_both (143 : int8); + ret_both (251 : int8); + ret_both (16 : int8); + ret_both (212 : int8); + ret_both (184 : int8)]) in + solve_lift (Build_t_Group_curve (f_val := Point_Affine (prod_b (impl__FieldElement__from_public_byte_seq_be gx,impl__FieldElement__from_public_byte_seq_be gy)))) : 
both (L :|: fset []) I t_Group_curve in + let f_pow := fun {L1 : {fset Location}} {L2 : {fset Location}} {I1 : Interface} {I2 : Interface} (g : both L1 I1 t_Group_curve) (x : both L2 I2 t_Z_curve) => solve_lift (Build_t_Group_curve (f_val := point_mul (f_val x) (f_val g))) : both (L1 :|: L2 :|: fset [result_loc]) (I1 :|: I2) t_Group_curve in + let f_g_pow := fun {L1 : {fset Location}} {I1 : Interface} (x : both L1 I1 t_Z_curve) => solve_lift (Build_t_Group_curve (f_val := point_mul_base (f_val x))) : both (L1 :|: fset []) I1 t_Group_curve in + let f_group_one := fun {L : {fset Location}} {I : Interface} => solve_lift (f_g_pow (f_field_zero (ret_both (tt : 'unit)))) : both (L :|: fset []) I t_Group_curve in + let f_prod := fun {L1 : {fset Location}} {L2 : {fset Location}} {I1 : Interface} {I2 : Interface} (x : both L1 I1 t_Group_curve) (y : both L2 I2 t_Group_curve) => solve_lift (Build_t_Group_curve (f_val := point_add (f_val x) (f_val y))) : both (L1 :|: L2 :|: fset []) (I1 :|: I2) t_Group_curve in + let f_inv := fun {L1 : {fset Location}} {I1 : Interface} (x : both L1 I1 t_Group_curve) => solve_lift (Build_t_Group_curve (f_val := matchb f_val x with + | Point_Affine_case (a,b) => + letb '(a,b) := ret_both (((a,b)) : (t_FieldElement × t_FieldElement)) in + Point_Affine (solve_lift (prod_b (a,(impl__FieldElement__from_literal (ret_both (0 : int128))) .- b))) + | Point_AtInfinity_case => + Point_AtInfinity + end)) : both (L1 :|: fset []) I1 t_Group_curve in + let f_div := fun {L1 : {fset Location}} {L2 : {fset Location}} {I1 : Interface} {I2 : Interface} (x : both L1 I1 t_Group_curve) (y : both L2 I2 t_Group_curve) => solve_lift (f_prod x (f_inv y)) : both (L1 :|: L2 :|: fset []) (I1 :|: I2) t_Group_curve in + let f_hash := fun {L1 : {fset Location}} {I1 : Interface} (x : both L1 I1 (t_Vec t_Group_curve t_Global)) => solve_lift (f_field_one (ret_both (tt : 'unit))) : both (L1 :|: fset [res_loc]) I1 t_Z_curve in + {| f_Z := (@f_Z); + f_g_loc := (fset [] : {fset 
Location}); + f_g := (@f_g); + f_pow_loc := (fset [result_loc] : {fset Location}); + f_pow := (@f_pow); + f_g_pow_loc := (fset [] : {fset Location}); + f_g_pow := (@f_g_pow); + f_group_one_loc := (fset [] : {fset Location}); + f_group_one := (@f_group_one); + f_prod_loc := (fset [] : {fset Location}); + f_prod := (@f_prod); + f_inv_loc := (fset [] : {fset Location}); + f_inv := (@f_inv); + f_div_loc := (fset [] : {fset Location}); + f_div := (@f_div); + f_hash_loc := (fset [res_loc] : {fset Location}); + f_hash := (@f_hash)|}. +Fail Next Obligation. +Hint Unfold t_Group_curve_t_Group. diff --git a/ovn/proofs/ssprove/extraction/Hacspec_ovn_Ovn_traits.v b/ovn/proofs/ssprove/extraction/Hacspec_ovn_Ovn_traits.v index 7fe905e..19d7be1 100644 --- a/ovn/proofs/ssprove/extraction/Hacspec_ovn_Ovn_traits.v +++ b/ovn/proofs/ssprove/extraction/Hacspec_ovn_Ovn_traits.v @@ -4,7 +4,7 @@ From Crypt Require Import choice_type Package Prelude. Import PackageNotation. From extructures Require Import ord fset. From mathcomp Require Import word_ssrZ word. -From Jasmin Require Import word. +(* From Jasmin Require Import word. *) From Coq Require Import ZArith. From Coq Require Import Strings.String. 
@@ -24,46 +24,63 @@ Import choice.Choice.Exports. Obligation Tactic := (* try timeout 8 *) solve_ssprove_obligations. -From ConCert.Execution Require Import Serializable. -From Hacspec Require Import ConCertLib. - -Class t_Z_Field (Self : choice_type) := { - f_field_type : choice_type ; - f_field_type_Serializable : Serializable f_field_type; - f_field_type_t_Serialize :> (t_Serialize f_field_type) ; - f_field_type_t_Deserial :> (t_Deserial f_field_type) ; - f_field_type_t_Serial :> (t_Serial f_field_type) ; - f_field_type_t_Copy :> (t_Copy f_field_type) ; - f_field_type_t_Clone :> (t_Clone f_field_type) ; - f_field_type_t_Eq :> (t_Eq f_field_type) ; - f_field_type_t_PartialEq :> (t_PartialEq f_field_type) ; - f_field_type_t_Sized :> (t_Sized f_field_type) ; - f_q : (both f_field_type) ; - f_random_field_elem : (both int32 -> both f_field_type) ; - f_field_zero : (both f_field_type) ; - f_field_one : (both f_field_type) ; - f_add : (both f_field_type -> both f_field_type -> both f_field_type) ; - f_sub : (both f_field_type -> both f_field_type -> both f_field_type) ; - f_mul : (both f_field_type -> both f_field_type -> both f_field_type) ; +Class t_Field (Self : choice_type) := { + f_q_loc : {fset Location} ; + f_q : (forall {L1 I1}, both L1 I1 'unit -> both (L1 :|: f_q_loc) I1 v_Self) ; + f_random_field_elem_loc : {fset Location} ; + f_random_field_elem : (forall {L1 I1}, both L1 I1 int32 -> both (L1 :|: f_random_field_elem_loc) I1 v_Self) ; + f_field_zero_loc : {fset Location} ; + f_field_zero : (forall {L1 I1}, both L1 I1 'unit -> both (L1 :|: f_field_zero_loc) I1 v_Self) ; + f_field_one_loc : {fset Location} ; + f_field_one : (forall {L1 I1}, both L1 I1 'unit -> both (L1 :|: f_field_one_loc) I1 v_Self) ; + f_add_loc : {fset Location} ; + f_add : (forall {L1 L2 I1 I2}, both L1 I1 v_Self -> both L2 I2 v_Self -> both (L1 :|: L2 :|: f_add_loc) (I1 :|: I2) v_Self) ; + f_sub_loc : {fset Location} ; + f_sub : (forall {L1 L2 I1 I2}, both L1 I1 v_Self -> both L2 I2 
v_Self -> both (L1 :|: L2 :|: f_sub_loc) (I1 :|: I2) v_Self) ; + f_mul_loc : {fset Location} ; + f_mul : (forall {L1 L2 I1 I2}, both L1 I1 v_Self -> both L2 I2 v_Self -> both (L1 :|: L2 :|: f_mul_loc) (I1 :|: I2) v_Self) ; }. +Hint Unfold f_q_loc. +Hint Unfold f_random_field_elem_loc. +Hint Unfold f_field_zero_loc. +Hint Unfold f_field_one_loc. +Hint Unfold f_add_loc. +Hint Unfold f_sub_loc. +Hint Unfold f_mul_loc. -Class t_Group (Self : choice_type) `{t_Z_Field} := { - f_group_type : choice_type ; - f_group_type_Serializable : Serializable f_group_type; - f_group_type_t_Serialize :> (t_Serialize f_group_type) ; - f_group_type_t_Deserial :> (t_Deserial f_group_type) ; - f_group_type_t_Serial :> (t_Serial f_group_type) ; - f_group_type_t_Copy :> (t_Copy f_group_type) ; - f_group_type_t_Clone :> (t_Clone f_group_type) ; - f_group_type_t_Eq :> (t_Eq f_group_type) ; - f_group_type_t_PartialEq :> (t_PartialEq f_group_type) ; - f_group_type_t_Sized :> (t_Sized f_group_type) ; - f_g : (both f_group_type) ; - f_g_pow : (both f_field_type -> both f_group_type) ; - f_pow : (both f_group_type -> both f_field_type -> both f_group_type) ; - f_group_one : (both f_group_type) ; - f_prod : (both f_group_type -> both f_group_type -> both f_group_type) ; - f_inv : (both f_group_type -> both f_group_type) ; - f_div : (both f_group_type -> both f_group_type -> both f_group_type) ; - f_hash : (both (t_Vec f_group_type t_Global) -> both f_field_type) ; +Class t_Group (Self : choice_type) := { + f_Z : choice_type ; + f_Z_t_Field :> (t_Field f_Z) ; + f_Z_t_Serialize :> (t_Serialize f_Z) ; + f_Z_t_Deserial :> (t_Deserial f_Z) ; + f_Z_t_Serial :> (t_Serial f_Z) ; + f_Z_t_Clone :> (t_Clone f_Z) ; + f_Z_t_Eq :> (t_Eq f_Z) ; + f_Z_t_PartialEq :> (t_PartialEq f_Z) ; + f_Z_t_Copy :> (t_Copy f_Z) ; + f_Z_t_Sized :> (t_Sized f_Z) ; + f_g_loc : {fset Location} ; + f_g : (forall {L1 I1}, both L1 I1 'unit -> both (L1 :|: f_g_loc) I1 v_Self) ; + f_g_pow_loc : {fset Location} ; + f_g_pow : (forall {L1 
I1}, both L1 I1 f_Z -> both (L1 :|: f_g_pow_loc) I1 v_Self) ; + f_pow_loc : {fset Location} ; + f_pow : (forall {L1 L2 I1 I2}, both L1 I1 v_Self -> both L2 I2 f_Z -> both (L1 :|: L2 :|: f_pow_loc) (I1 :|: I2) v_Self) ; + f_group_one_loc : {fset Location} ; + f_group_one : (forall {L1 I1}, both L1 I1 'unit -> both (L1 :|: f_group_one_loc) I1 v_Self) ; + f_prod_loc : {fset Location} ; + f_prod : (forall {L1 L2 I1 I2}, both L1 I1 v_Self -> both L2 I2 v_Self -> both (L1 :|: L2 :|: f_prod_loc) (I1 :|: I2) v_Self) ; + f_inv_loc : {fset Location} ; + f_inv : (forall {L1 I1}, both L1 I1 v_Self -> both (L1 :|: f_inv_loc) I1 v_Self) ; + f_div_loc : {fset Location} ; + f_div : (forall {L1 L2 I1 I2}, both L1 I1 v_Self -> both L2 I2 v_Self -> both (L1 :|: L2 :|: f_div_loc) (I1 :|: I2) v_Self) ; + f_hash_loc : {fset Location} ; + f_hash : (forall {L1 I1}, both L1 I1 (t_Vec v_Self t_Global) -> both (L1 :|: f_hash_loc) I1 f_Z) ; }. +Hint Unfold f_g_loc. +Hint Unfold f_g_pow_loc. +Hint Unfold f_pow_loc. +Hint Unfold f_group_one_loc. +Hint Unfold f_prod_loc. +Hint Unfold f_inv_loc. +Hint Unfold f_div_loc. +Hint Unfold f_hash_loc. diff --git a/ovn/proofs/ssprove/extraction/Hacspec_ovn_Ovn_z_89_.v b/ovn/proofs/ssprove/extraction/Hacspec_ovn_Ovn_z_89_.v index fdb6d8d..81c5450 100644 --- a/ovn/proofs/ssprove/extraction/Hacspec_ovn_Ovn_z_89_.v +++ b/ovn/proofs/ssprove/extraction/Hacspec_ovn_Ovn_z_89_.v @@ -4,7 +4,7 @@ From Crypt Require Import choice_type Package Prelude. Import PackageNotation. From extructures Require Import ord fset. From mathcomp Require Import word_ssrZ word. -From Jasmin Require Import word. +(* From Jasmin Require Import word. *) From Coq Require Import ZArith. From Coq Require Import Strings.String. 
@@ -24,36 +24,46 @@ Import choice.Choice.Exports. Obligation Tactic := (* try timeout 8 *) solve_ssprove_obligations. -Require Import Hacspec_ovn_Ovn_traits. -Export Hacspec_ovn_Ovn_traits. +Require Import Crate_Ovn_traits. +Export Crate_Ovn_traits. Definition t_g_z_89_ : choice_type := - 'unit. -Equations Build_t_g_z_89_ : both (fset []) (fset []) (t_g_z_89_) := + (int8). +Equations f_val {L : {fset Location}} {I : Interface} (s : both L I t_g_z_89_) : both L I int8 := + f_val s := + bind_both s (fun x => + solve_lift (ret_both (x : int8))) : both L I int8. +Fail Next Obligation. +Equations Build_t_g_z_89_ {L0 : {fset Location}} {I0 : Interface} {f_val : both L0 I0 int8} : both L0 I0 (t_g_z_89_) := Build_t_g_z_89_ := - solve_lift (ret_both (tt (* Empty tuple *) : (t_g_z_89_))) : both (fset []) (fset []) (t_g_z_89_). + bind_both f_val (fun f_val => + solve_lift (ret_both ((f_val) : (t_g_z_89_)))) : both L0 I0 (t_g_z_89_). Fail Next Obligation. +Notation "'Build_t_g_z_89_' '[' x ']' '(' 'f_val' ':=' y ')'" := (Build_t_g_z_89_ (f_val := y)). Definition t_z_89_ : choice_type := - 'unit. -Equations Build_t_z_89_ : both (fset []) (fset []) (t_z_89_) := + (int8). +Equations f_val {L : {fset Location}} {I : Interface} (s : both L I t_z_89_) : both L I int8 := + f_val s := + bind_both s (fun x => + solve_lift (ret_both (x : int8))) : both L I int8. +Fail Next Obligation. +Equations Build_t_z_89_ {L0 : {fset Location}} {I0 : Interface} {f_val : both L0 I0 int8} : both L0 I0 (t_z_89_) := Build_t_z_89_ := - solve_lift (ret_both (tt (* Empty tuple *) : (t_z_89_))) : both (fset []) (fset []) (t_z_89_). + bind_both f_val (fun f_val => + solve_lift (ret_both ((f_val) : (t_z_89_)))) : both L0 I0 (t_z_89_). Fail Next Obligation. +Notation "'Build_t_z_89_' '[' x ']' '(' 'f_val' ':=' y ')'" := (Build_t_z_89_ (f_val := y)). -#[global] Program Instance t_z_89__t_Z_Field : t_Z_Field t_z_89_ := _. -Next Obligation. 
- refine ( - let f_field_type := int32 : choice_type in - let f_q := fun {L : {fset Location}} {I : Interface} => solve_lift (ret_both (89 : int32)) : both (L :|: fset []) I int32 in - let f_random_field_elem := fun {L1 : {fset Location}} {I1 : Interface} (random : both L1 I1 int32) => solve_lift (random .% ((f_q ) .- (ret_both (1 : int32)))) : both (L1 :|: fset []) I1 int32 in - let f_field_zero := fun {L : {fset Location}} {I : Interface} => solve_lift (ret_both (0 : int32)) : both (L :|: fset []) I int32 in - let f_field_one := fun {L : {fset Location}} {I : Interface} => solve_lift (ret_both (1 : int32)) : both (L :|: fset []) I int32 in - let f_add := fun {L1 : {fset Location}} {L2 : {fset Location}} {I1 : Interface} {I2 : Interface} (x : both L1 I1 int32) (y : both L2 I2 int32) => solve_lift ((x .+ y) .% ((f_q ) .- (ret_both (1 : int32)))) : both (L1 :|: L2 :|: fset []) (I1 :|: I2) int32 in - let f_sub := fun {L1 : {fset Location}} {L2 : {fset Location}} {I1 : Interface} {I2 : Interface} (x : both L1 I1 int32) (y : both L2 I2 int32) => solve_lift (((x .+ ((f_q ) .- (ret_both (1 : int32)))) .- y) .% ((f_q ) .- (ret_both (1 : int32)))) : both (L1 :|: L2 :|: fset []) (I1 :|: I2) int32 in - let f_mul := fun {L1 : {fset Location}} {L2 : {fset Location}} {I1 : Interface} {I2 : Interface} (x : both L1 I1 int32) (y : both L2 I2 int32) => solve_lift ((x .* y) .% ((f_q ) .- (ret_both (1 : int32)))) : both (L1 :|: L2 :|: fset []) (I1 :|: I2) int32 in - {| f_field_type := (@f_field_type); - f_q_loc := (fset [] : {fset Location}); +#[global] Program Instance t_z_89__t_Field : t_Field t_z_89_ := + let f_q := fun {L : {fset Location}} {I : Interface} => solve_lift (Build_t_C_z_89_ (f_val := ret_both (89 : int8))) : both (L :|: fset []) I t_z_89_ in + let f_random_field_elem := fun {L1 : {fset Location}} {I1 : Interface} (random : both L1 I1 int32) => solve_lift (Build_t_C_z_89_ (f_val := (cast_int (WS2 := _) random) .% ((f_val (f_q (ret_both (tt : 'unit)))) .- (ret_both (1 
: int8))))) : both (L1 :|: fset []) I1 t_z_89_ in + let f_field_zero := fun {L : {fset Location}} {I : Interface} => solve_lift (Build_t_C_z_89_ (f_val := ret_both (0 : int8))) : both (L :|: fset []) I t_z_89_ in + let f_field_one := fun {L : {fset Location}} {I : Interface} => solve_lift (Build_t_C_z_89_ (f_val := ret_both (1 : int8))) : both (L :|: fset []) I t_z_89_ in + let f_add := fun {L1 : {fset Location}} {L2 : {fset Location}} {I1 : Interface} {I2 : Interface} (x : both L1 I1 t_z_89_) (y : both L2 I2 t_z_89_) => solve_lift (Build_t_C_z_89_ (f_val := ((f_val x) .+ (f_val y)) .% ((f_val (f_q (ret_both (tt : 'unit)))) .- (ret_both (1 : int8))))) : both (L1 :|: L2 :|: fset []) (I1 :|: I2) t_z_89_ in + let f_sub := fun {L1 : {fset Location}} {L2 : {fset Location}} {I1 : Interface} {I2 : Interface} (x : both L1 I1 t_z_89_) (y : both L2 I2 t_z_89_) => solve_lift (Build_t_C_z_89_ (f_val := (((f_val x) .+ ((f_val (f_q (ret_both (tt : 'unit)))) .- (ret_both (1 : int8)))) .- (f_val y)) .% ((f_val (f_q (ret_both (tt : 'unit)))) .- (ret_both (1 : int8))))) : both (L1 :|: L2 :|: fset []) (I1 :|: I2) t_z_89_ in + let f_mul := fun {L1 : {fset Location}} {L2 : {fset Location}} {I1 : Interface} {I2 : Interface} (x : both L1 I1 t_z_89_) (y : both L2 I2 t_z_89_) => solve_lift (Build_t_C_z_89_ (f_val := cast_int (WS2 := _) (((cast_int (WS2 := _) (f_val x)) .* (cast_int (WS2 := _) (f_val y))) .% (cast_int (WS2 := _) ((f_val (f_q (ret_both (tt : 'unit)))) .- (ret_both (1 : int8))))))) : both (L1 :|: L2 :|: fset []) (I1 :|: I2) t_z_89_ in + {| f_q_loc := (fset [] : {fset Location}); f_q := (@f_q); f_random_field_elem_loc := (fset [] : {fset Location}); f_random_field_elem := (@f_random_field_elem); 
@@ -66,60 +76,45 @@ Next Obligation. f_sub_loc := (fset [] : {fset Location}); f_sub := (@f_sub); f_mul_loc := (fset [] : {fset Location}); - f_mul := (@f_mul)|} - ). - easy. - easy. - easy. - easy. - easy. - exact int_eqdec. - easy. - easy. - Unshelve. - all: try normalize_fset. - all: try solve_single_fset_fsubset. - - unfold f_parameter_cursor_loc. - -Next Obligation. - unfold t_z_89__t_Z_Field_obligation_4. + f_mul := (@f_mul)|}. Fail Next Obligation. -Hint Unfold t_z_89__t_Z_Field. +Hint Unfold t_z_89__t_Field. Definition res_loc : Location := - (int32;0%nat). + (t_z_89_;12%nat). Definition result_loc : Location := - (int32;1%nat). -#[global] Program Instance t_g_z_89__t_Group : t_Group t_g_z_89_ t_z_89_ := - let f_group_type := int32 : choice_type in - let f_g := fun {L : {fset Location}} {I : Interface} => solve_lift (ret_both (3 : int32)) : both (L :|: fset []) I int32 in - let f_hash := fun {L1 : {fset Location}} {I1 : Interface} (x : both L1 I1 (t_Vec int32 t_Global)) => letb res loc(res_loc) := f_field_one (ret_both (tt : 'unit)) in + (t_g_z_89_;13%nat). 
+#[global] Program Instance t_g_z_89__t_Group : t_Group t_g_z_89_ := + let f_Z := t_z_89_ : choice_type in + let f_g := fun {L : {fset Location}} {I : Interface} => solve_lift (Build_t_C_g_z_89_ (f_val := ret_both (3 : int8))) : both (L :|: fset []) I t_g_z_89_ in + let f_hash := fun {L1 : {fset Location}} {I1 : Interface} (x : both L1 I1 (t_Vec t_g_z_89_ t_Global)) => letb res loc(res_loc) := f_field_one (ret_both (tt : 'unit)) in letb _ := foldi_both_list (f_into_iter x) (fun y => ssp (fun _ => assign todo(term) : (both (*1*)(L1:|:fset [res_loc]) (I1) 'unit))) (ret_both (tt : 'unit)) in - solve_lift res : both (L1 :|: fset [res_loc]) I1 int32 in - let f_g_pow := fun {L1 : {fset Location}} {I1 : Interface} (x : both L1 I1 int32) => solve_lift (f_pow (f_g (ret_both (tt : 'unit))) x) : both (L1 :|: fset []) I1 int32 in - let f_pow := fun {L1 : {fset Location}} {L2 : {fset Location}} {I1 : Interface} {I2 : Interface} (g : both L1 I1 int32) (x : both L2 I2 int32) => letb result loc(result_loc) := f_group_one (ret_both (tt : 'unit)) in - letb _ := foldi_both_list (f_into_iter (Build_t_Range (f_start := ret_both (0 : int32)) (f_end := x .% ((f_q (ret_both (tt : 'unit))) .- (ret_both (1 : int32)))))) (fun i => + solve_lift res : both (L1 :|: fset [res_loc]) I1 t_z_89_ in + let f_g_pow := fun {L1 : {fset Location}} {I1 : Interface} (x : both L1 I1 t_z_89_) => solve_lift (f_pow (f_g (ret_both (tt : 'unit))) x) : both (L1 :|: fset []) I1 t_g_z_89_ in + let f_pow := fun {L1 : {fset Location}} {L2 : {fset Location}} {I1 : Interface} {I2 : Interface} (g : both L1 I1 t_g_z_89_) (x : both L2 I2 t_z_89_) => letb result loc(result_loc) := f_group_one (ret_both (tt : 'unit)) in + letb _ := foldi_both_list (f_into_iter (Build_t_Range (f_start := ret_both (0 : int8)) (f_end := (f_val x) .% ((f_val (f_q (ret_both (tt : 'unit)))) .- (ret_both (1 : int8)))))) (fun _ => ssp (fun _ => assign todo(term) : (both (*1*)(L1:|:L2:|:fset [result_loc]) (I1:|:I2) 'unit))) (ret_both (tt : 'unit)) 
in - solve_lift result : both (L1 :|: L2 :|: fset [result_loc]) (I1 :|: I2) int32 in - let f_group_one := fun {L : {fset Location}} {I : Interface} => solve_lift (ret_both (1 : int32)) : both (L :|: fset []) I int32 in - let f_prod := fun {L1 : {fset Location}} {L2 : {fset Location}} {I1 : Interface} {I2 : Interface} (x : both L1 I1 int32) (y : both L2 I2 int32) => solve_lift (((x .% (f_q (ret_both (tt : 'unit)))) .* (y .% (f_q (ret_both (tt : 'unit))))) .% (f_q (ret_both (tt : 'unit)))) : both (L1 :|: L2 :|: fset []) (I1 :|: I2) int32 in - let f_inv := fun {L1 : {fset Location}} {I1 : Interface} (x : both L1 I1 int32) => solve_lift (run (letb _ := foldi_both_list (f_into_iter (Build_t_Range (f_start := ret_both (0 : int32)) (f_end := ret_both (89 : int32)))) (fun j => + solve_lift result : both (L1 :|: L2 :|: fset [result_loc]) (I1 :|: I2) t_g_z_89_ in + let f_group_one := fun {L : {fset Location}} {I : Interface} => solve_lift (Build_t_C_g_z_89_ (f_val := ret_both (1 : int8))) : both (L :|: fset []) I t_g_z_89_ in + let f_prod := fun {L1 : {fset Location}} {L2 : {fset Location}} {I1 : Interface} {I2 : Interface} (x : both L1 I1 t_g_z_89_) (y : both L2 I2 t_g_z_89_) => letb q_val := f_val (f_q (ret_both (tt : 'unit))) in + solve_lift (Build_t_C_g_z_89_ (f_val := cast_int (WS2 := _) (((cast_int (WS2 := _) ((f_val x) .% q_val)) .* (cast_int (WS2 := _) ((f_val y) .% q_val))) .% (cast_int (WS2 := _) q_val)))) : both (L1 :|: L2 :|: fset []) (I1 :|: I2) t_g_z_89_ in + let f_inv := fun {L1 : {fset Location}} {I1 : Interface} (x : both L1 I1 t_g_z_89_) => solve_lift (run (letb _ := foldi_both_list (f_into_iter (Build_t_Range (f_start := ret_both (0 : int8)) (f_end := ret_both (89 : int8)))) (fun j => ssp (fun _ => - solve_lift (ifb (f_prod x j) =.? 
(f_group_one (ret_both (tt : 'unit))) - then letm[choice_typeMonad.result_bind_code int32] hoist1 := v_Break j in - ControlFlow_Continue (never_to_any hoist1) - else ()) : (both (*0*)(L1:|:fset []) (I1) (t_ControlFlow int32 'unit)))) (ret_both (tt : 'unit)) in + letb value := Build_t_C_g_z_89_ (f_val := j) in + solve_lift (ifb (f_prod x value) =.? (f_group_one (ret_both (tt : 'unit))) + then letm[choice_typeMonad.result_bind_code t_g_z_89_] hoist29 := v_Break value in + ControlFlow_Continue (never_to_any hoist29) + else ()) : (both (*0*)(L1:|:fset []) (I1) (t_ControlFlow t_g_z_89_ 'unit)))) (ret_both (tt : 'unit)) in letb _ := ifb not (ret_both (false : 'bool)) then never_to_any (panic (ret_both (assertion failed: false : chString))) else () in - letm[choice_typeMonad.result_bind_code int32] hoist2 := v_Break x in - ControlFlow_Continue (never_to_any hoist2))) : both (L1 :|: fset []) I1 int32 in - let f_div := fun {L1 : {fset Location}} {L2 : {fset Location}} {I1 : Interface} {I2 : Interface} (x : both L1 I1 int32) (y : both L2 I2 int32) => solve_lift (f_prod x (f_inv y)) : both (L1 :|: L2 :|: fset []) (I1 :|: I2) int32 in - {| f_group_type := (@f_group_type); + letm[choice_typeMonad.result_bind_code t_g_z_89_] hoist30 := v_Break x in + ControlFlow_Continue (never_to_any hoist30))) : both (L1 :|: fset []) I1 t_g_z_89_ in + let f_div := fun {L1 : {fset Location}} {L2 : {fset Location}} {I1 : Interface} {I2 : Interface} (x : both L1 I1 t_g_z_89_) (y : both L2 I2 t_g_z_89_) => solve_lift (f_prod x (f_inv y)) : both (L1 :|: L2 :|: fset []) (I1 :|: I2) t_g_z_89_ in + {| f_Z := (@f_Z); f_g_loc := (fset [] : {fset Location}); f_g := (@f_g); f_hash_loc := (fset [res_loc] : {fset Location}); diff --git a/ovn/proofs/ssprove/extraction/Hacspec_ovn_Ovn_zkgroup.v b/ovn/proofs/ssprove/extraction/Hacspec_ovn_Ovn_zkgroup.v new file mode 100644 index 0000000..29734bf --- /dev/null +++ b/ovn/proofs/ssprove/extraction/Hacspec_ovn_Ovn_zkgroup.v 
@@ -0,0 +1,73 @@ +(* File automatically generated by Hacspec *) +Set Warnings "-notation-overridden,-ambiguous-paths". +From Crypt Require Import choice_type Package Prelude. +Import PackageNotation. +From extructures Require Import ord fset. +From Coq Require Import ZArith. +From Coq Require Import Strings.String. +Import List.ListNotations. +Open Scope list_scope. +Open Scope Z_scope. +Open Scope bool_scope. + +From Crypt Require Import jasmin_word. + +From Hacspec Require Import ChoiceEquality. +From Hacspec Require Import LocationUtility. +From Hacspec Require Import Hacspec_Lib_Comparable. +From Hacspec Require Import Hacspec_Lib_Pre. +From Hacspec Require Import Hacspec_Lib. + +Open Scope hacspec_scope. +Import choice.Choice.Exports. + +Obligation Tactic := (* try timeout 8 *) solve_ssprove_obligations. + +Require Import Group. +Export Group. + +Require Import Group_Ff. +Export Group_Ff. + +Require Import Field. +Export Field. + +Require Import PrimeField. +Export PrimeField. + +Require Import Group. +Export Group. + +Class t_MGroup (Self : choice_type) := { + f_hash_loc : {fset Location} ; + f_hash : (forall {L1 I1}, both L1 I1 (t_Vec v_Self t_Global) -> both (L1 :|: f_hash_loc) I1 f_Scalar) ; +}. +Hint Unfold f_hash_loc : hacspec_hints. + +Definition t_SchnorrZKPCommit {v_G : _} `{ t_Sized v_G} `{ t_MGroup v_G} : choice_type := + (v_G × f_Scalar × f_Scalar). +Equations f_schnorr_zkp_u {L : {fset Location}} {I : Interface} {v_G : _} `{ t_Sized v_G} `{ t_MGroup v_G} (s : both L I t_SchnorrZKPCommit) : both L I v_G := + f_schnorr_zkp_u s := + bind_both s (fun x => + solve_lift (ret_both (fst (fst x) : v_G))) : both L I v_G. +Fail Next Obligation. +Equations f_schnorr_zkp_c {L : {fset Location}} {I : Interface} {v_G : _} `{ t_Sized v_G} `{ t_MGroup v_G} (s : both L I t_SchnorrZKPCommit) : both L I f_Scalar := + f_schnorr_zkp_c s := + bind_both s (fun x => + solve_lift (ret_both (snd (fst x) : f_Scalar))) : both L I f_Scalar. +Fail Next Obligation. 
+Equations f_schnorr_zkp_z {L : {fset Location}} {I : Interface} {v_G : _} `{ t_Sized v_G} `{ t_MGroup v_G} (s : both L I t_SchnorrZKPCommit) : both L I f_Scalar := + f_schnorr_zkp_z s := + bind_both s (fun x => + solve_lift (ret_both (snd x : f_Scalar))) : both L I f_Scalar. +Fail Next Obligation. +Equations Build_t_SchnorrZKPCommit {L0 : {fset Location}} {L1 : {fset Location}} {L2 : {fset Location}} {I0 : Interface} {I1 : Interface} {I2 : Interface} {v_G : _} `{ t_Sized v_G} `{ t_MGroup v_G} {f_schnorr_zkp_u : both L0 I0 v_G} {f_schnorr_zkp_c : both L1 I1 f_Scalar} {f_schnorr_zkp_z : both L2 I2 f_Scalar} : both (L0:|:L1:|:L2) (I0:|:I1:|:I2) (t_SchnorrZKPCommit) := + Build_t_SchnorrZKPCommit := + bind_both f_schnorr_zkp_z (fun f_schnorr_zkp_z => + bind_both f_schnorr_zkp_c (fun f_schnorr_zkp_c => + bind_both f_schnorr_zkp_u (fun f_schnorr_zkp_u => + solve_lift (ret_both ((f_schnorr_zkp_u,f_schnorr_zkp_c,f_schnorr_zkp_z) : (t_SchnorrZKPCommit)))))) : both (L0:|:L1:|:L2) (I0:|:I1:|:I2) (t_SchnorrZKPCommit). +Fail Next Obligation. +Notation "'Build_t_SchnorrZKPCommit' '[' x ']' '(' 'f_schnorr_zkp_u' ':=' y ')'" := (Build_t_SchnorrZKPCommit (f_schnorr_zkp_u := y) (f_schnorr_zkp_c := f_schnorr_zkp_c x) (f_schnorr_zkp_z := f_schnorr_zkp_z x)). +Notation "'Build_t_SchnorrZKPCommit' '[' x ']' '(' 'f_schnorr_zkp_c' ':=' y ')'" := (Build_t_SchnorrZKPCommit (f_schnorr_zkp_u := f_schnorr_zkp_u x) (f_schnorr_zkp_c := y) (f_schnorr_zkp_z := f_schnorr_zkp_z x)). +Notation "'Build_t_SchnorrZKPCommit' '[' x ']' '(' 'f_schnorr_zkp_z' ':=' y ')'" := (Build_t_SchnorrZKPCommit (f_schnorr_zkp_u := f_schnorr_zkp_u x) (f_schnorr_zkp_c := f_schnorr_zkp_c x) (f_schnorr_zkp_z := y)). diff --git a/ovn/proofs/ssprove/extraction/Hacspec_ovn_Ovn_zkgroup_specific.v b/ovn/proofs/ssprove/extraction/Hacspec_ovn_Ovn_zkgroup_specific.v new file mode 100644 index 0000000..9012414 --- /dev/null +++ b/ovn/proofs/ssprove/extraction/Hacspec_ovn_Ovn_zkgroup_specific.v 
@@ -0,0 +1,110 @@ +(* File automatically generated by Hacspec *) +Set Warnings "-notation-overridden,-ambiguous-paths". +From Crypt Require Import choice_type Package Prelude. +Import PackageNotation. +From extructures Require Import ord fset. +From Coq Require Import ZArith. +From Coq Require Import Strings.String. +Import List.ListNotations. +Open Scope list_scope. +Open Scope Z_scope. +Open Scope bool_scope. + +From Crypt Require Import jasmin_word. + +From Hacspec Require Import ChoiceEquality. +From Hacspec Require Import LocationUtility. +From Hacspec Require Import Hacspec_Lib_Comparable. +From Hacspec Require Import Hacspec_Lib_Pre. +From Hacspec Require Import Hacspec_Lib. + +Open Scope hacspec_scope. +Import choice.Choice.Exports. + +Obligation Tactic := (* try timeout 8 *) solve_ssprove_obligations. + +Require Import Group. +Export Group. + +Require Import Group_Ff. +Export Group_Ff. + +Require Import Field. +Export Field. + +Require Import Group. +Export Group. + +Require Import Gt. +Export Gt. + +Require Import PhantomData. +Export PhantomData. + +Notation "'t_G'" := t_Gt. + +(*item error backend*) + +Equations compute_group_element_for_vote {L1 : {fset Location}} {L2 : {fset Location}} {L3 : {fset Location}} {I1 : Interface} {I2 : Interface} {I3 : Interface} (xi : both L1 I1 t_Scalar) (vote : both L2 I2 'bool) (g_pow_yi : both L3 I3 t_Gt) : both (L1 :|: L2 :|: L3) (I1 :|: I2 :|: I3) t_Gt := + compute_group_element_for_vote xi vote g_pow_yi := + solve_lift ((g_pow_yi .* xi) .+ ((f_generator (ret_both (tt : 'unit))) .* (ifb vote + then f_ONE + else f_ZERO))) : both (L1 :|: L2 :|: L3) (I1 :|: I2 :|: I3) t_Gt. +Fail Next Obligation. + +Equations hash {L1 : {fset Location}} {I1 : Interface} (v__inp : both L1 I1 (t_Vec t_Gt t_Global)) : both L1 I1 t_Scalar := + hash v__inp := + solve_lift (impl__Scalar__one (ret_both (tt : 'unit))) : both L1 I1 t_Scalar. +Fail Next Obligation. 
+ +(*item error backend*) + +(*item error backend*) + +(*item error backend*) + +(*item error backend*) + +(*item error backend*) + +(*item error backend*) + +(*item error backend*) + +(*item error backend*) + +(*item error backend*) + +(*item error backend*) + +(*item error backend*) + +Definition t_TallyParameter : choice_type := + 'unit. +Equations Build_t_TallyParameter : both (fset []) (fset []) (t_TallyParameter) := + Build_t_TallyParameter := + solve_lift (ret_both (tt (* Empty tuple *) : (t_TallyParameter))) : both (fset []) (fset []) (t_TallyParameter). +Fail Next Obligation. + +(*item error backend*) + +(*item error backend*) + +(*item error backend*) + +(*item error backend*) + +(*item error backend*) + +(*item error backend*) + +(*item error backend*) + +Equations init_ovn_contract {L1 : {fset Location}} {I1 : Interface} {n : both (fset []) (fset []) uint_size} (_ : both L1 I1 'unit) : both L1 I1 (t_Result (t_OvnContractState (both (fset []) (fset []) uint_size)) t_Reject) := + init_ovn_contract _ := + Result_Ok (solve_lift (Build_t_OvnContractState (f_g_pow_xis := repeat (f_identity (ret_both (tt : 'unit))) n) (f_zkp_xis := repeat (Build_t_SchnorrZKPCommit (f_schnorr_zkp_u := f_identity (ret_both (tt : 'unit))) (f_schnorr_zkp_z := f_ZERO) (f_schnorr_zkp_c := f_ZERO)) n) (f_commit_vis := repeat f_ZERO n) (f_g_pow_xi_yi_vis := repeat (f_identity (ret_both (tt : 'unit))) n) (f_zkp_vis := repeat (Build_t_OrZKPCommit (f_or_zkp_x := f_identity (ret_both (tt : 'unit))) (f_or_zkp_y := f_identity (ret_both (tt : 'unit))) (f_or_zkp_a1 := f_identity (ret_both (tt : 'unit))) (f_or_zkp_b1 := f_identity (ret_both (tt : 'unit))) (f_or_zkp_a2 := f_identity (ret_both (tt : 'unit))) (f_or_zkp_b2 := f_identity (ret_both (tt : 'unit))) (f_or_zkp_c := f_ZERO) (f_or_zkp_d1 := f_ZERO) (f_or_zkp_d2 := f_ZERO) (f_or_zkp_r1 := f_ZERO) (f_or_zkp_r2 := f_ZERO)) n) (f_tally := ret_both (0 : int32)))) : both L1 I1 (t_Result (t_OvnContractState (both (fset []) (fset []) uint_size)) 
t_Reject). +Fail Next Obligation. + +(*item error backend*) + +(*item error backend*) diff --git a/ovn/proofs/ssprove/extraction/Hacspec_ovn_actual.v b/ovn/proofs/ssprove/extraction/Hacspec_ovn_actual.v new file mode 100644 index 0000000..59ae1dd --- /dev/null +++ b/ovn/proofs/ssprove/extraction/Hacspec_ovn_actual.v 
@@ -0,0 +1,874 @@ +(* File automatically generated by Hacspec *) +Set Warnings "-notation-overridden,-ambiguous-paths". +From Crypt Require Import choice_type Package Prelude. +Import PackageNotation. +From extructures Require Import ord fset. +From Coq Require Import ZArith. +From Coq Require Import Strings.String. +Import List.ListNotations. +Open Scope list_scope. +Open Scope Z_scope. +Open Scope bool_scope. + +From Crypt Require Import jasmin_word. + +From Hacspec Require Import ChoiceEquality. +From Hacspec Require Import LocationUtility. +From Hacspec Require Import Hacspec_Lib_Comparable. +From Hacspec Require Import Hacspec_Lib_Pre. +From Hacspec Require Import Hacspec_Lib. + +Open Scope hacspec_scope. +Import choice.Choice.Exports. + +Obligation Tactic := (* try timeout 8 *) solve_ssprove_obligations. + +(* Require Import Group. *) +(* Export Group. *) + +(* Require Import Group_Ff. *) +(* Export Group_Ff. *) + +(* Require Import Field. *) +(* Export Field. *) + +(* Require Import Group. *) +(* Export Group. *) + +(* Require Import Gt. *) +(* Export Gt. *) + +(* Require Import PhantomData. *) +(* Export PhantomData. *) + +Axiom rng_core : choice_type. +Axiom t_Choice : choice_type. (* ~ chOption *) + +Class t_Scalar (v_Self : choice_type) := { + t_Scalar_t_Add :> (t_Add v_Self v_Self) ; + t_Scalar_t_Mul :> (t_Mul v_Self v_Self) ; + f_ZERO_loc : {fset Location} ; + f_ZERO : (forall {L1 I1}, both (L1 :|: f_ZERO_loc) I1 v_Self) ; + f_ONE_loc : {fset Location} ; + f_ONE : (forall {L1 I1}, both (L1 :|: f_ONE_loc) I1 v_Self) ; + }. +Hint Unfold f_ZERO_loc : hacspec_hints. +Hint Unfold f_ONE_loc : hacspec_hints. 
+ +Class t_Group (v_Self : choice_type) := { + f_Scalar : choice_type ; + f_Scalar_t_Scalar :> (t_Scalar f_Scalar) ; + f_Scalar_t_Sized :> (t_Sized f_Scalar) ; + t_Group_t_Add :> (t_Add v_Self v_Self) ; + t_Group_t_Mul :> (t_Mul v_Self f_Scalar) ; + f_random_loc : {fset Location} ; + f_random : (forall {L1 I1}, both L1 I1 rng_core -> both (L1 :|: f_random_loc) I1 v_Self) ; + f_identity_loc : {fset Location} ; + f_identity : (forall {L1 I1}, both L1 I1 'unit -> both (L1 :|: f_identity_loc) I1 v_Self) ; + f_generator_loc : {fset Location} ; + f_generator : (forall {L1 I1}, both L1 I1 'unit -> both (L1 :|: f_generator_loc) I1 v_Self) ; + f_is_identity_loc : {fset Location} ; + f_is_identity : (forall {L1 I1}, both L1 I1 v_Self -> both (L1 :|: f_is_identity_loc) I1 t_Choice) ; + f_double_loc : {fset Location} ; + f_double : (forall {L1 I1}, both L1 I1 v_Self -> both (L1 :|: f_double_loc) I1 v_Self) ; +}. +Hint Unfold f_random_loc : hacspec_hints. +Hint Unfold f_identity_loc : hacspec_hints. +Hint Unfold f_generator_loc : hacspec_hints. +Hint Unfold f_is_identity_loc : hacspec_hints. +Hint Unfold f_double_loc : hacspec_hints. + +Axiom t_Gt_Scalar : choice_type. +Axiom t_Gt : choice_type. +Program Instance f_Scalar_t_Add : t_Add t_Gt_Scalar t_Gt_Scalar := { f_Output := t_Gt_Scalar; f_add_loc := fset [] ; }. +Admit Obligations. +Program Instance f_Scalar_t_Mul : t_Mul t_Gt_Scalar t_Gt_Scalar := { f_Output := t_Gt_Scalar; f_mul_loc := fset [] ; }. +Admit Obligations. +Program Instance f_Group_t_Add : t_Add t_Gt t_Gt := { f_Output := t_Gt; f_add_loc := fset [] ; }. +Admit Obligations. +Program Instance f_Group_t_Mul : t_Mul t_Gt t_Gt_Scalar := { f_Output := t_Gt; f_mul_loc := fset [] ; }. +Admit Obligations. +Program Instance t_Scalar_t_Scalar : t_Scalar t_Gt_Scalar := { + f_ZERO_loc := fset [] ; + f_ONE_loc := fset [] ; + t_Scalar_t_Add := f_Scalar_t_Add ; + t_Scalar_t_Mul := f_Scalar_t_Mul ; + }. +Admit Obligations. 
+Program Instance t_Gt_Group : t_Group t_Gt := { + f_Scalar := t_Gt_Scalar ; + f_Scalar_t_Scalar := t_Scalar_t_Scalar ; + t_Group_t_Add := f_Group_t_Add ; + t_Group_t_Mul := f_Group_t_Mul ; + f_random_loc := fset [] ; + f_identity_loc := fset [] ; + f_generator_loc := fset [] ; + f_is_identity_loc := fset [] ; + f_double_loc := fset [] ; + }. +Admit Obligations. +Notation "'t_G'" := t_Gt. + +Notation "'t_Z'" := (f_Scalar (t_Group := t_Gt_Group)). + +(*Not implemented yet? todo(item)*) + +(*Not implemented yet? todo(item)*) +Check (f_add (t_Add := t_Group_t_Add (t_Group := t_Gt_Group)) _ _) : both _ _ t_Gt. +Check (f_mul (t_Mul := t_Group_t_Mul (t_Group := t_Gt_Group)) (_ : both _ _ t_Gt) (_ : both _ _ t_Gt_Scalar)) : both _ _ t_Gt. +Check ((_ : both _ _ int32) .+ _) : both _ _ int32. +Check ((_ : both _ _ t_Gt) .+ _) : both _ _ t_Gt. +Check ((_ : both _ _ t_Gt) .* (_ : both _ _ t_Gt_Scalar) : both _ _ t_Gt) .+ _ : both _ _ t_Gt. +Check (ret_both 1 :of0: int32) .+ (ret_both 4 :of0: int32) : both _ _ int32. + +Ltac solve_ssprove_obligations := + repeat ( + intros ; autounfold with hacspec_hints ; autounfold ; normalize_fset ; + solve [solve_match || now (apply fsubsetxx || apply fsub0set) + | solve_in_mem (* TODO: add match goal *) + | fset_equality (* TODO: add match goal *) + | solve_in_fset (* TODO: add match goal *) + | ssprove_valid'_2 ; (Tactics.program_simpl; fail)]). + +Obligation Tactic := simpl ; solve_ssprove_obligations. 
+ +Equations compute_group_element_for_vote {L1 : {fset Location}} {L2 : {fset Location}} {L3 : {fset Location}} {I1 : Interface} {I2 : Interface} {I3 : Interface} (xi : both L1 I1 (f_Scalar (t_Group := t_Gt_Group))) (vote : both L2 I2 'bool) (g_pow_yi : both L3 I3 t_Gt) : both (L1 :|: L2 :|: L3) (I1 :|: I2 :|: I3) t_Gt := + compute_group_element_for_vote xi vote g_pow_yi := + solve_lift ( + ((g_pow_yi .* xi : both _ _ t_Gt) + .+ + ( + (f_generator (ret_both (tt : 'unit)) : both _ _ t_Gt) .* + (ifb vote + then f_ONE + else f_ZERO : both _ _ t_Gt_Scalar) : both _ _ t_Gt)) : both _ _ t_Gt) : + both (L1 :|: L2 :|: L3) (I1 :|: I2 :|: I3) t_Gt. +Fail Next Obligation. + +Obligation Tactic := solve_ssprove_obligations. + + +Equations hash {L1 : {fset Location}} {I1 : Interface} (v__inp : both L1 I1 (t_Vec t_Gt t_Global)) : both L1 I1 (f_Scalar) := + hash v__inp := + solve_lift (f_ONE) : both L1 I1 f_Scalar. +Fail Next Obligation. + +Definition prod1_loc {n : both (fset []) (fset []) uint_size} : Location := + (t_Gt;0%nat). +Definition prod2_loc {n : both (fset []) (fset []) uint_size} : Location := + (t_Gt;1%nat). 
+Equations compute_g_pow_yi {L1 : {fset Location}} {L2 : {fset Location}} {I1 : Interface} {I2 : Interface} {n : both (fset []) (fset []) uint_size} (i : both L1 I1 uint_size) (xis : both L2 I2 (nseq t_Gt (is_pure (n)))) : both (L1 :|: L2 :|: fset [prod1_loc (n := n);prod2_loc (n := n)]) (I1 :|: I2) t_Gt := + compute_g_pow_yi i xis := + letb prod1 loc(prod1_loc) := f_identity (ret_both (tt : 'unit)) in + letb _ := foldi_both_list (f_into_iter (Build_t_Range (f_start := ret_both (0 : uint_size)) (f_end := i))) (fun j => + ssp (fun _ => + assignb _ loc( prod1_loc ) := _ ; : (both (*1*)(L2:|:L1:|:fset [prod1_loc]) (I2:|:I1) 'unit))) (ret_both (tt : 'unit)) in + letb prod2 loc(prod2_loc) := f_identity (ret_both (tt : 'unit)) in + letb _ := foldi_both_list (f_into_iter (Build_t_Range (f_start := i .+ (ret_both (1 : uint_size))) (f_end := n))) (fun j => + ssp (fun _ => + assignb _ loc( prod2_loc ) := _ ; : (both (*1*)(L2:|:L1:|:fset [prod2_loc]) (I2:|:I1) 'unit))) (ret_both (tt : 'unit)) in + solve_lift (prod1 .- prod2) : both (L1 :|: L2 :|: fset [prod1_loc;prod2_loc]) (I1 :|: I2) t_Gt. +Fail Next Obligation. + +Equations check_commitment {L1 : {fset Location}} {L2 : {fset Location}} {I1 : Interface} {I2 : Interface} (g_pow_xi_yi_vi : both L1 I1 t_Gt) (commitment : both L2 I2 t_Scalar) : both (L1 :|: L2) (I1 :|: I2) 'bool := + check_commitment g_pow_xi_yi_vi commitment := + solve_lift ((hash (impl__into_vec (unsize (box_new (array_from_list [g_pow_xi_yi_vi]))))) =.? commitment) : both (L1 :|: L2) (I1 :|: I2) 'bool. +Fail Next Obligation. + +Equations commit_to {L1 : {fset Location}} {I1 : Interface} (g_pow_xi_yi_vi : both L1 I1 t_Gt) : both L1 I1 t_Scalar := + commit_to g_pow_xi_yi_vi := + solve_lift (hash (impl__into_vec (unsize (box_new (array_from_list [g_pow_xi_yi_vi]))))) : both L1 I1 t_Scalar. +Fail Next Obligation. 
+ +Definition t_CastVoteParam {v_S : _} `{ t_Sized v_S} `{ t_Serialize v_S} `{ t_From v_S f_Scalar} `{ t_Into v_S f_Scalar} : choice_type := + (int32 × f_Scalar × f_Scalar × f_Scalar × f_Scalar × 'bool × t_PhantomData v_S). +Equations f_cvp_i {L : {fset Location}} {I : Interface} {v_S : _} `{ t_Sized v_S} `{ t_Serialize v_S} `{ t_From v_S f_Scalar} `{ t_Into v_S f_Scalar} (s : both L I t_CastVoteParam) : both L I int32 := + f_cvp_i s := + bind_both s (fun x => + solve_lift (ret_both (fst (fst (fst (fst (fst (fst x))))) : int32))) : both L I int32. +Fail Next Obligation. +Equations f_cvp_xi {L : {fset Location}} {I : Interface} {v_S : _} `{ t_Sized v_S} `{ t_Serialize v_S} `{ t_From v_S f_Scalar} `{ t_Into v_S f_Scalar} (s : both L I t_CastVoteParam) : both L I f_Scalar := + f_cvp_xi s := + bind_both s (fun x => + solve_lift (ret_both (snd (fst (fst (fst (fst (fst x))))) : f_Scalar))) : both L I f_Scalar. +Fail Next Obligation. +Equations f_cvp_zkp_random_w {L : {fset Location}} {I : Interface} {v_S : _} `{ t_Sized v_S} `{ t_Serialize v_S} `{ t_From v_S f_Scalar} `{ t_Into v_S f_Scalar} (s : both L I t_CastVoteParam) : both L I f_Scalar := + f_cvp_zkp_random_w s := + bind_both s (fun x => + solve_lift (ret_both (snd (fst (fst (fst (fst x)))) : f_Scalar))) : both L I f_Scalar. +Fail Next Obligation. +Equations f_cvp_zkp_random_r {L : {fset Location}} {I : Interface} {v_S : _} `{ t_Sized v_S} `{ t_Serialize v_S} `{ t_From v_S f_Scalar} `{ t_Into v_S f_Scalar} (s : both L I t_CastVoteParam) : both L I f_Scalar := + f_cvp_zkp_random_r s := + bind_both s (fun x => + solve_lift (ret_both (snd (fst (fst (fst x))) : f_Scalar))) : both L I f_Scalar. +Fail Next Obligation. 
+Equations f_cvp_zkp_random_d {L : {fset Location}} {I : Interface} {v_S : _} `{ t_Sized v_S} `{ t_Serialize v_S} `{ t_From v_S f_Scalar} `{ t_Into v_S f_Scalar} (s : both L I t_CastVoteParam) : both L I f_Scalar := + f_cvp_zkp_random_d s := + bind_both s (fun x => + solve_lift (ret_both (snd (fst (fst x)) : f_Scalar))) : both L I f_Scalar. +Fail Next Obligation. +Equations f_cvp_vote {L : {fset Location}} {I : Interface} {v_S : _} `{ t_Sized v_S} `{ t_Serialize v_S} `{ t_From v_S f_Scalar} `{ t_Into v_S f_Scalar} (s : both L I t_CastVoteParam) : both L I 'bool := + f_cvp_vote s := + bind_both s (fun x => + solve_lift (ret_both (snd (fst x) : 'bool))) : both L I 'bool. +Fail Next Obligation. +Equations f_phantom {L : {fset Location}} {I : Interface} {v_S : _} `{ t_Sized v_S} `{ t_Serialize v_S} `{ t_From v_S f_Scalar} `{ t_Into v_S f_Scalar} (s : both L I t_CastVoteParam) : both L I (t_PhantomData v_S) := + f_phantom s := + bind_both s (fun x => + solve_lift (ret_both (snd x : (t_PhantomData v_S)))) : both L I (t_PhantomData v_S). +Fail Next Obligation. 
+Equations Build_t_CastVoteParam {L0 : {fset Location}} {L1 : {fset Location}} {L2 : {fset Location}} {L3 : {fset Location}} {L4 : {fset Location}} {L5 : {fset Location}} {L6 : {fset Location}} {I0 : Interface} {I1 : Interface} {I2 : Interface} {I3 : Interface} {I4 : Interface} {I5 : Interface} {I6 : Interface} {v_S : _} `{ t_Sized v_S} `{ t_Serialize v_S} `{ t_From v_S f_Scalar} `{ t_Into v_S f_Scalar} {f_cvp_i : both L0 I0 int32} {f_cvp_xi : both L1 I1 f_Scalar} {f_cvp_zkp_random_w : both L2 I2 f_Scalar} {f_cvp_zkp_random_r : both L3 I3 f_Scalar} {f_cvp_zkp_random_d : both L4 I4 f_Scalar} {f_cvp_vote : both L5 I5 'bool} {f_phantom : both L6 I6 (t_PhantomData v_S)} : both (L0:|:L1:|:L2:|:L3:|:L4:|:L5:|:L6) (I0:|:I1:|:I2:|:I3:|:I4:|:I5:|:I6) (t_CastVoteParam) := + Build_t_CastVoteParam := + bind_both f_phantom (fun f_phantom => + bind_both f_cvp_vote (fun f_cvp_vote => + bind_both f_cvp_zkp_random_d (fun f_cvp_zkp_random_d => + bind_both f_cvp_zkp_random_r (fun f_cvp_zkp_random_r => + bind_both f_cvp_zkp_random_w (fun f_cvp_zkp_random_w => + bind_both f_cvp_xi (fun f_cvp_xi => + bind_both f_cvp_i (fun f_cvp_i => + solve_lift (ret_both ((f_cvp_i,f_cvp_xi,f_cvp_zkp_random_w,f_cvp_zkp_random_r,f_cvp_zkp_random_d,f_cvp_vote,f_phantom) : (t_CastVoteParam)))))))))) : both (L0:|:L1:|:L2:|:L3:|:L4:|:L5:|:L6) (I0:|:I1:|:I2:|:I3:|:I4:|:I5:|:I6) (t_CastVoteParam). +Fail Next Obligation. +Notation "'Build_t_CastVoteParam' '[' x ']' '(' 'f_cvp_i' ':=' y ')'" := (Build_t_CastVoteParam (f_cvp_i := y) (f_cvp_xi := f_cvp_xi x) (f_cvp_zkp_random_w := f_cvp_zkp_random_w x) (f_cvp_zkp_random_r := f_cvp_zkp_random_r x) (f_cvp_zkp_random_d := f_cvp_zkp_random_d x) (f_cvp_vote := f_cvp_vote x) (f_phantom := f_phantom x)). 
+Notation "'Build_t_CastVoteParam' '[' x ']' '(' 'f_cvp_xi' ':=' y ')'" := (Build_t_CastVoteParam (f_cvp_i := f_cvp_i x) (f_cvp_xi := y) (f_cvp_zkp_random_w := f_cvp_zkp_random_w x) (f_cvp_zkp_random_r := f_cvp_zkp_random_r x) (f_cvp_zkp_random_d := f_cvp_zkp_random_d x) (f_cvp_vote := f_cvp_vote x) (f_phantom := f_phantom x)). +Notation "'Build_t_CastVoteParam' '[' x ']' '(' 'f_cvp_zkp_random_w' ':=' y ')'" := (Build_t_CastVoteParam (f_cvp_i := f_cvp_i x) (f_cvp_xi := f_cvp_xi x) (f_cvp_zkp_random_w := y) (f_cvp_zkp_random_r := f_cvp_zkp_random_r x) (f_cvp_zkp_random_d := f_cvp_zkp_random_d x) (f_cvp_vote := f_cvp_vote x) (f_phantom := f_phantom x)). +Notation "'Build_t_CastVoteParam' '[' x ']' '(' 'f_cvp_zkp_random_r' ':=' y ')'" := (Build_t_CastVoteParam (f_cvp_i := f_cvp_i x) (f_cvp_xi := f_cvp_xi x) (f_cvp_zkp_random_w := f_cvp_zkp_random_w x) (f_cvp_zkp_random_r := y) (f_cvp_zkp_random_d := f_cvp_zkp_random_d x) (f_cvp_vote := f_cvp_vote x) (f_phantom := f_phantom x)). +Notation "'Build_t_CastVoteParam' '[' x ']' '(' 'f_cvp_zkp_random_d' ':=' y ')'" := (Build_t_CastVoteParam (f_cvp_i := f_cvp_i x) (f_cvp_xi := f_cvp_xi x) (f_cvp_zkp_random_w := f_cvp_zkp_random_w x) (f_cvp_zkp_random_r := f_cvp_zkp_random_r x) (f_cvp_zkp_random_d := y) (f_cvp_vote := f_cvp_vote x) (f_phantom := f_phantom x)). +Notation "'Build_t_CastVoteParam' '[' x ']' '(' 'f_cvp_vote' ':=' y ')'" := (Build_t_CastVoteParam (f_cvp_i := f_cvp_i x) (f_cvp_xi := f_cvp_xi x) (f_cvp_zkp_random_w := f_cvp_zkp_random_w x) (f_cvp_zkp_random_r := f_cvp_zkp_random_r x) (f_cvp_zkp_random_d := f_cvp_zkp_random_d x) (f_cvp_vote := y) (f_phantom := f_phantom x)). +Notation "'Build_t_CastVoteParam' '[' x ']' '(' 'f_phantom' ':=' y ')'" := (Build_t_CastVoteParam (f_cvp_i := f_cvp_i x) (f_cvp_xi := f_cvp_xi x) (f_cvp_zkp_random_w := f_cvp_zkp_random_w x) (f_cvp_zkp_random_r := f_cvp_zkp_random_r x) (f_cvp_zkp_random_d := f_cvp_zkp_random_d x) (f_cvp_vote := f_cvp_vote x) (f_phantom := y)). 
+ +#[global] Program Instance t_CastVoteParam v_S_t_Serial {v_S : _} `{ t_Sized v_S} `{ t_Serialize v_S} `{ t_From v_S f_Scalar} `{ t_Into v_S f_Scalar} : t_Serial (t_CastVoteParam v_S) := + let f_serial := fun {L1 : {fset Location}} {L2 : {fset Location}} {I1 : Interface} {I2 : Interface} (self : both L1 I1 (t_CastVoteParam v_S)) (w : both L2 I2 v_W) => solve_lift (run (letb '(tmp0,out) := f_serial (f_cvp_i self) w in + letb _ := assign todo(term) in + letb hoist2 := out in + letb hoist3 := f_branch hoist2 in + letm[choice_typeMonad.result_bind_code (v_W × t_Result 'unit f_Err)] _ := matchb hoist3 with + | ControlFlow_Break_case residual => + letb residual := ret_both ((residual) : (t_Result t_Infallible f_Err)) in + letm[choice_typeMonad.result_bind_code (v_W × t_Result 'unit f_Err)] hoist1 := ControlFlow_Break (prod_b (w,f_from_residual residual)) in + ControlFlow_Continue (solve_lift (never_to_any hoist1)) + | ControlFlow_Continue_case val => + letb val := ret_both ((val) : ('unit)) in + ControlFlow_Continue (solve_lift val) + end in + letb '(tmp0,out) := f_serial (f_from (f_cvp_xi self)) w in + letb _ := assign todo(term) in + letb hoist5 := out in + letb hoist6 := f_branch hoist5 in + letm[choice_typeMonad.result_bind_code (v_W × t_Result 'unit f_Err)] _ := matchb hoist6 with + | ControlFlow_Break_case residual => + letb residual := ret_both ((residual) : (t_Result t_Infallible f_Err)) in + letm[choice_typeMonad.result_bind_code (v_W × t_Result 'unit f_Err)] hoist4 := ControlFlow_Break (prod_b (w,f_from_residual residual)) in + ControlFlow_Continue (solve_lift (never_to_any hoist4)) + | ControlFlow_Continue_case val => + letb val := ret_both ((val) : ('unit)) in + ControlFlow_Continue (solve_lift val) + end in + letb '(tmp0,out) := f_serial (f_from (f_cvp_zkp_random_w self)) w in + letb _ := assign todo(term) in + letb hoist8 := out in + letb hoist9 := f_branch hoist8 in + letm[choice_typeMonad.result_bind_code (v_W × t_Result 'unit f_Err)] _ := matchb hoist9 
with + | ControlFlow_Break_case residual => + letb residual := ret_both ((residual) : (t_Result t_Infallible f_Err)) in + letm[choice_typeMonad.result_bind_code (v_W × t_Result 'unit f_Err)] hoist7 := ControlFlow_Break (prod_b (w,f_from_residual residual)) in + ControlFlow_Continue (solve_lift (never_to_any hoist7)) + | ControlFlow_Continue_case val => + letb val := ret_both ((val) : ('unit)) in + ControlFlow_Continue (solve_lift val) + end in + letb '(tmp0,out) := f_serial (f_from (f_cvp_zkp_random_r self)) w in + letb _ := assign todo(term) in + letb hoist11 := out in + letb hoist12 := f_branch hoist11 in + letm[choice_typeMonad.result_bind_code (v_W × t_Result 'unit f_Err)] _ := matchb hoist12 with + | ControlFlow_Break_case residual => + letb residual := ret_both ((residual) : (t_Result t_Infallible f_Err)) in + letm[choice_typeMonad.result_bind_code (v_W × t_Result 'unit f_Err)] hoist10 := ControlFlow_Break (prod_b (w,f_from_residual residual)) in + ControlFlow_Continue (solve_lift (never_to_any hoist10)) + | ControlFlow_Continue_case val => + letb val := ret_both ((val) : ('unit)) in + ControlFlow_Continue (solve_lift val) + end in + letb '(tmp0,out) := f_serial (f_from (f_cvp_zkp_random_d self)) w in + letb _ := assign todo(term) in + letb hoist14 := out in + letb hoist15 := f_branch hoist14 in + letm[choice_typeMonad.result_bind_code (v_W × t_Result 'unit f_Err)] _ := matchb hoist15 with + | ControlFlow_Break_case residual => + letb residual := ret_both ((residual) : (t_Result t_Infallible f_Err)) in + letm[choice_typeMonad.result_bind_code (v_W × t_Result 'unit f_Err)] hoist13 := ControlFlow_Break (prod_b (w,f_from_residual residual)) in + ControlFlow_Continue (solve_lift (never_to_any hoist13)) + | ControlFlow_Continue_case val => + letb val := ret_both ((val) : ('unit)) in + ControlFlow_Continue (solve_lift val) + end in + letb '(tmp0,out) := f_serial (f_cvp_vote self) w in + letb _ := assign todo(term) in + letb hoist17 := out in + letb hoist18 := 
f_branch hoist17 in + letm[choice_typeMonad.result_bind_code (v_W × t_Result 'unit f_Err)] _ := matchb hoist18 with + | ControlFlow_Break_case residual => + letb residual := ret_both ((residual) : (t_Result t_Infallible f_Err)) in + letm[choice_typeMonad.result_bind_code (v_W × t_Result 'unit f_Err)] hoist16 := ControlFlow_Break (prod_b (w,f_from_residual residual)) in + ControlFlow_Continue (solve_lift (never_to_any hoist16)) + | ControlFlow_Continue_case val => + letb val := ret_both ((val) : ('unit)) in + ControlFlow_Continue (solve_lift val) + end in + ControlFlow_Continue (letb hax_temp_output := Result_Ok (ret_both (tt : 'unit)) in + prod_b (w,hax_temp_output)))) : both (L1 :|: L2 :|: fset []) (I1 :|: I2) (v_W × t_Result 'unit f_Err) in + {| f_serial_loc := (fset [] : {fset Location}); + f_serial := (@f_serial)|}. +Fail Next Obligation. +Hint Unfold t_CastVoteParam v_S_t_Serial. + +#[global] Program Instance t_CastVoteParam v_S_t_Deserial {v_S : _} `{ t_Sized v_S} `{ t_Serialize v_S} `{ t_From v_S f_Scalar} `{ t_Into v_S f_Scalar} : t_Deserial (t_CastVoteParam v_S) := + let f_deserial := fun {L1 : {fset Location}} {I1 : Interface} (r : both L1 I1 v_R) => solve_lift (run (letb '(tmp0,out) := f_get r in + letb _ := assign todo(term) in + letb hoist20 := out in + letb hoist21 := f_branch hoist20 in + letm[choice_typeMonad.result_bind_code (v_R × t_Result (t_CastVoteParam v_S) t_ParseError)] (cvp_i : both _ _ int32) := matchb hoist21 with + | ControlFlow_Break_case residual => + letb residual := ret_both ((residual) : (t_Result t_Infallible t_ParseError)) in + letm[choice_typeMonad.result_bind_code (v_R × t_Result (t_CastVoteParam v_S) t_ParseError)] hoist19 := ControlFlow_Break (prod_b (r,f_from_residual residual)) in + ControlFlow_Continue (solve_lift (never_to_any hoist19)) + | ControlFlow_Continue_case val => + letb val := ret_both ((val) : (int32)) in + ControlFlow_Continue (solve_lift val) + end in + letb '(tmp0,out) := f_get r in + letb _ := assign 
todo(term) in + letb hoist23 := out in + letb hoist24 := f_branch hoist23 in + letm[choice_typeMonad.result_bind_code (v_R × t_Result (t_CastVoteParam v_S) t_ParseError)] hoist25 := matchb hoist24 with + | ControlFlow_Break_case residual => + letb residual := ret_both ((residual) : (t_Result t_Infallible t_ParseError)) in + letm[choice_typeMonad.result_bind_code (v_R × t_Result (t_CastVoteParam v_S) t_ParseError)] hoist22 := ControlFlow_Break (prod_b (r,f_from_residual residual)) in + ControlFlow_Continue (solve_lift (never_to_any hoist22)) + | ControlFlow_Continue_case val => + letb val := ret_both ((val) : (v_S)) in + ControlFlow_Continue (solve_lift val) + end in + letb (cvp_xi : both _ _ t_Scalar) := f_into hoist25 in + letb '(tmp0,out) := f_get r in + letb _ := assign todo(term) in + letb hoist27 := out in + letb hoist28 := f_branch hoist27 in + letm[choice_typeMonad.result_bind_code (v_R × t_Result (t_CastVoteParam v_S) t_ParseError)] hoist29 := matchb hoist28 with + | ControlFlow_Break_case residual => + letb residual := ret_both ((residual) : (t_Result t_Infallible t_ParseError)) in + letm[choice_typeMonad.result_bind_code (v_R × t_Result (t_CastVoteParam v_S) t_ParseError)] hoist26 := ControlFlow_Break (prod_b (r,f_from_residual residual)) in + ControlFlow_Continue (solve_lift (never_to_any hoist26)) + | ControlFlow_Continue_case val => + letb val := ret_both ((val) : (v_S)) in + ControlFlow_Continue (solve_lift val) + end in + letb (cvp_zkp_random_w : both _ _ t_Scalar) := f_into hoist29 in + letb '(tmp0,out) := f_get r in + letb _ := assign todo(term) in + letb hoist31 := out in + letb hoist32 := f_branch hoist31 in + letm[choice_typeMonad.result_bind_code (v_R × t_Result (t_CastVoteParam v_S) t_ParseError)] hoist33 := matchb hoist32 with + | ControlFlow_Break_case residual => + letb residual := ret_both ((residual) : (t_Result t_Infallible t_ParseError)) in + letm[choice_typeMonad.result_bind_code (v_R × t_Result (t_CastVoteParam v_S) t_ParseError)] 
hoist30 := ControlFlow_Break (prod_b (r,f_from_residual residual)) in + ControlFlow_Continue (solve_lift (never_to_any hoist30)) + | ControlFlow_Continue_case val => + letb val := ret_both ((val) : (v_S)) in + ControlFlow_Continue (solve_lift val) + end in + letb (cvp_zkp_random_r : both _ _ t_Scalar) := f_into hoist33 in + letb '(tmp0,out) := f_get r in + letb _ := assign todo(term) in + letb hoist35 := out in + letb hoist36 := f_branch hoist35 in + letm[choice_typeMonad.result_bind_code (v_R × t_Result (t_CastVoteParam v_S) t_ParseError)] hoist37 := matchb hoist36 with + | ControlFlow_Break_case residual => + letb residual := ret_both ((residual) : (t_Result t_Infallible t_ParseError)) in + letm[choice_typeMonad.result_bind_code (v_R × t_Result (t_CastVoteParam v_S) t_ParseError)] hoist34 := ControlFlow_Break (prod_b (r,f_from_residual residual)) in + ControlFlow_Continue (solve_lift (never_to_any hoist34)) + | ControlFlow_Continue_case val => + letb val := ret_both ((val) : (v_S)) in + ControlFlow_Continue (solve_lift val) + end in + letb (cvp_zkp_random_d : both _ _ t_Scalar) := f_into hoist37 in + letb '(tmp0,out) := f_get r in + letb _ := assign todo(term) in + letb hoist39 := out in + letb hoist40 := f_branch hoist39 in + letm[choice_typeMonad.result_bind_code (v_R × t_Result (t_CastVoteParam v_S) t_ParseError)] (cvp_vote : both _ _ 'bool) := matchb hoist40 with + | ControlFlow_Break_case residual => + letb residual := ret_both ((residual) : (t_Result t_Infallible t_ParseError)) in + letm[choice_typeMonad.result_bind_code (v_R × t_Result (t_CastVoteParam v_S) t_ParseError)] hoist38 := ControlFlow_Break (prod_b (r,f_from_residual residual)) in + ControlFlow_Continue (solve_lift (never_to_any hoist38)) + | ControlFlow_Continue_case val => + letb val := ret_both ((val) : ('bool)) in + ControlFlow_Continue (solve_lift val) + end in + ControlFlow_Continue (letb hax_temp_output := Result_Ok (Build_t_CastVoteParam (f_cvp_i := cvp_i) (f_cvp_xi := cvp_xi) 
(f_cvp_zkp_random_w := cvp_zkp_random_w) (f_cvp_zkp_random_r := cvp_zkp_random_r) (f_cvp_zkp_random_d := cvp_zkp_random_d) (f_cvp_vote := cvp_vote) (f_phantom := PhantomData)) in + prod_b (r,hax_temp_output)))) : both (L1 :|: fset []) I1 (v_R × t_Result (t_CastVoteParam v_S) t_ParseError) in + {| f_deserial_loc := (fset [] : {fset Location}); + f_deserial := (@f_deserial)|}. +Fail Next Obligation. +Hint Unfold t_CastVoteParam v_S_t_Deserial. + +Definition t_OrZKPCommit : choice_type := + (t_Gt × t_Gt × t_Gt × t_Gt × t_Gt × t_Gt × f_Scalar × f_Scalar × f_Scalar × f_Scalar × f_Scalar). +Equations f_or_zkp_x {L : {fset Location}} {I : Interface} (s : both L I t_OrZKPCommit) : both L I t_Gt := + f_or_zkp_x s := + bind_both s (fun x => + solve_lift (ret_both (fst (fst (fst (fst (fst (fst (fst (fst (fst (fst x))))))))) : t_Gt))) : both L I t_Gt. +Fail Next Obligation. +Equations f_or_zkp_y {L : {fset Location}} {I : Interface} (s : both L I t_OrZKPCommit) : both L I t_Gt := + f_or_zkp_y s := + bind_both s (fun x => + solve_lift (ret_both (snd (fst (fst (fst (fst (fst (fst (fst (fst (fst x))))))))) : t_Gt))) : both L I t_Gt. +Fail Next Obligation. +Equations f_or_zkp_a1 {L : {fset Location}} {I : Interface} (s : both L I t_OrZKPCommit) : both L I t_Gt := + f_or_zkp_a1 s := + bind_both s (fun x => + solve_lift (ret_both (snd (fst (fst (fst (fst (fst (fst (fst (fst x)))))))) : t_Gt))) : both L I t_Gt. +Fail Next Obligation. +Equations f_or_zkp_b1 {L : {fset Location}} {I : Interface} (s : both L I t_OrZKPCommit) : both L I t_Gt := + f_or_zkp_b1 s := + bind_both s (fun x => + solve_lift (ret_both (snd (fst (fst (fst (fst (fst (fst (fst x))))))) : t_Gt))) : both L I t_Gt. +Fail Next Obligation. +Equations f_or_zkp_a2 {L : {fset Location}} {I : Interface} (s : both L I t_OrZKPCommit) : both L I t_Gt := + f_or_zkp_a2 s := + bind_both s (fun x => + solve_lift (ret_both (snd (fst (fst (fst (fst (fst (fst x)))))) : t_Gt))) : both L I t_Gt. +Fail Next Obligation. 
+Equations f_or_zkp_b2 {L : {fset Location}} {I : Interface} (s : both L I t_OrZKPCommit) : both L I t_Gt := + f_or_zkp_b2 s := + bind_both s (fun x => + solve_lift (ret_both (snd (fst (fst (fst (fst (fst x))))) : t_Gt))) : both L I t_Gt. +Fail Next Obligation. +Equations f_or_zkp_c {L : {fset Location}} {I : Interface} (s : both L I t_OrZKPCommit) : both L I f_Scalar := + f_or_zkp_c s := + bind_both s (fun x => + solve_lift (ret_both (snd (fst (fst (fst (fst x)))) : f_Scalar))) : both L I f_Scalar. +Fail Next Obligation. +Equations f_or_zkp_d1 {L : {fset Location}} {I : Interface} (s : both L I t_OrZKPCommit) : both L I f_Scalar := + f_or_zkp_d1 s := + bind_both s (fun x => + solve_lift (ret_both (snd (fst (fst (fst x))) : f_Scalar))) : both L I f_Scalar. +Fail Next Obligation. +Equations f_or_zkp_d2 {L : {fset Location}} {I : Interface} (s : both L I t_OrZKPCommit) : both L I f_Scalar := + f_or_zkp_d2 s := + bind_both s (fun x => + solve_lift (ret_both (snd (fst (fst x)) : f_Scalar))) : both L I f_Scalar. +Fail Next Obligation. +Equations f_or_zkp_r1 {L : {fset Location}} {I : Interface} (s : both L I t_OrZKPCommit) : both L I f_Scalar := + f_or_zkp_r1 s := + bind_both s (fun x => + solve_lift (ret_both (snd (fst x) : f_Scalar))) : both L I f_Scalar. +Fail Next Obligation. +Equations f_or_zkp_r2 {L : {fset Location}} {I : Interface} (s : both L I t_OrZKPCommit) : both L I f_Scalar := + f_or_zkp_r2 s := + bind_both s (fun x => + solve_lift (ret_both (snd x : f_Scalar))) : both L I f_Scalar. +Fail Next Obligation. 
+Equations Build_t_OrZKPCommit {L0 : {fset Location}} {L1 : {fset Location}} {L2 : {fset Location}} {L3 : {fset Location}} {L4 : {fset Location}} {L5 : {fset Location}} {L6 : {fset Location}} {L7 : {fset Location}} {L8 : {fset Location}} {L9 : {fset Location}} {L10 : {fset Location}} {I0 : Interface} {I1 : Interface} {I2 : Interface} {I3 : Interface} {I4 : Interface} {I5 : Interface} {I6 : Interface} {I7 : Interface} {I8 : Interface} {I9 : Interface} {I10 : Interface} {f_or_zkp_x : both L0 I0 t_Gt} {f_or_zkp_y : both L1 I1 t_Gt} {f_or_zkp_a1 : both L2 I2 t_Gt} {f_or_zkp_b1 : both L3 I3 t_Gt} {f_or_zkp_a2 : both L4 I4 t_Gt} {f_or_zkp_b2 : both L5 I5 t_Gt} {f_or_zkp_c : both L6 I6 f_Scalar} {f_or_zkp_d1 : both L7 I7 f_Scalar} {f_or_zkp_d2 : both L8 I8 f_Scalar} {f_or_zkp_r1 : both L9 I9 f_Scalar} {f_or_zkp_r2 : both L10 I10 f_Scalar} : both (L0:|:L1:|:L2:|:L3:|:L4:|:L5:|:L6:|:L7:|:L8:|:L9:|:L10) (I0:|:I1:|:I2:|:I3:|:I4:|:I5:|:I6:|:I7:|:I8:|:I9:|:I10) (t_OrZKPCommit) := + Build_t_OrZKPCommit := + bind_both f_or_zkp_r2 (fun f_or_zkp_r2 => + bind_both f_or_zkp_r1 (fun f_or_zkp_r1 => + bind_both f_or_zkp_d2 (fun f_or_zkp_d2 => + bind_both f_or_zkp_d1 (fun f_or_zkp_d1 => + bind_both f_or_zkp_c (fun f_or_zkp_c => + bind_both f_or_zkp_b2 (fun f_or_zkp_b2 => + bind_both f_or_zkp_a2 (fun f_or_zkp_a2 => + bind_both f_or_zkp_b1 (fun f_or_zkp_b1 => + bind_both f_or_zkp_a1 (fun f_or_zkp_a1 => + bind_both f_or_zkp_y (fun f_or_zkp_y => + bind_both f_or_zkp_x (fun f_or_zkp_x => + solve_lift (ret_both ((f_or_zkp_x,f_or_zkp_y,f_or_zkp_a1,f_or_zkp_b1,f_or_zkp_a2,f_or_zkp_b2,f_or_zkp_c,f_or_zkp_d1,f_or_zkp_d2,f_or_zkp_r1,f_or_zkp_r2) : (t_OrZKPCommit)))))))))))))) : both (L0:|:L1:|:L2:|:L3:|:L4:|:L5:|:L6:|:L7:|:L8:|:L9:|:L10) (I0:|:I1:|:I2:|:I3:|:I4:|:I5:|:I6:|:I7:|:I8:|:I9:|:I10) (t_OrZKPCommit). +Fail Next Obligation. 
+Notation "'Build_t_OrZKPCommit' '[' x ']' '(' 'f_or_zkp_x' ':=' y ')'" := (Build_t_OrZKPCommit (f_or_zkp_x := y) (f_or_zkp_y := f_or_zkp_y x) (f_or_zkp_a1 := f_or_zkp_a1 x) (f_or_zkp_b1 := f_or_zkp_b1 x) (f_or_zkp_a2 := f_or_zkp_a2 x) (f_or_zkp_b2 := f_or_zkp_b2 x) (f_or_zkp_c := f_or_zkp_c x) (f_or_zkp_d1 := f_or_zkp_d1 x) (f_or_zkp_d2 := f_or_zkp_d2 x) (f_or_zkp_r1 := f_or_zkp_r1 x) (f_or_zkp_r2 := f_or_zkp_r2 x)). +Notation "'Build_t_OrZKPCommit' '[' x ']' '(' 'f_or_zkp_y' ':=' y ')'" := (Build_t_OrZKPCommit (f_or_zkp_x := f_or_zkp_x x) (f_or_zkp_y := y) (f_or_zkp_a1 := f_or_zkp_a1 x) (f_or_zkp_b1 := f_or_zkp_b1 x) (f_or_zkp_a2 := f_or_zkp_a2 x) (f_or_zkp_b2 := f_or_zkp_b2 x) (f_or_zkp_c := f_or_zkp_c x) (f_or_zkp_d1 := f_or_zkp_d1 x) (f_or_zkp_d2 := f_or_zkp_d2 x) (f_or_zkp_r1 := f_or_zkp_r1 x) (f_or_zkp_r2 := f_or_zkp_r2 x)). +Notation "'Build_t_OrZKPCommit' '[' x ']' '(' 'f_or_zkp_a1' ':=' y ')'" := (Build_t_OrZKPCommit (f_or_zkp_x := f_or_zkp_x x) (f_or_zkp_y := f_or_zkp_y x) (f_or_zkp_a1 := y) (f_or_zkp_b1 := f_or_zkp_b1 x) (f_or_zkp_a2 := f_or_zkp_a2 x) (f_or_zkp_b2 := f_or_zkp_b2 x) (f_or_zkp_c := f_or_zkp_c x) (f_or_zkp_d1 := f_or_zkp_d1 x) (f_or_zkp_d2 := f_or_zkp_d2 x) (f_or_zkp_r1 := f_or_zkp_r1 x) (f_or_zkp_r2 := f_or_zkp_r2 x)). +Notation "'Build_t_OrZKPCommit' '[' x ']' '(' 'f_or_zkp_b1' ':=' y ')'" := (Build_t_OrZKPCommit (f_or_zkp_x := f_or_zkp_x x) (f_or_zkp_y := f_or_zkp_y x) (f_or_zkp_a1 := f_or_zkp_a1 x) (f_or_zkp_b1 := y) (f_or_zkp_a2 := f_or_zkp_a2 x) (f_or_zkp_b2 := f_or_zkp_b2 x) (f_or_zkp_c := f_or_zkp_c x) (f_or_zkp_d1 := f_or_zkp_d1 x) (f_or_zkp_d2 := f_or_zkp_d2 x) (f_or_zkp_r1 := f_or_zkp_r1 x) (f_or_zkp_r2 := f_or_zkp_r2 x)). 
+Notation "'Build_t_OrZKPCommit' '[' x ']' '(' 'f_or_zkp_a2' ':=' y ')'" := (Build_t_OrZKPCommit (f_or_zkp_x := f_or_zkp_x x) (f_or_zkp_y := f_or_zkp_y x) (f_or_zkp_a1 := f_or_zkp_a1 x) (f_or_zkp_b1 := f_or_zkp_b1 x) (f_or_zkp_a2 := y) (f_or_zkp_b2 := f_or_zkp_b2 x) (f_or_zkp_c := f_or_zkp_c x) (f_or_zkp_d1 := f_or_zkp_d1 x) (f_or_zkp_d2 := f_or_zkp_d2 x) (f_or_zkp_r1 := f_or_zkp_r1 x) (f_or_zkp_r2 := f_or_zkp_r2 x)). +Notation "'Build_t_OrZKPCommit' '[' x ']' '(' 'f_or_zkp_b2' ':=' y ')'" := (Build_t_OrZKPCommit (f_or_zkp_x := f_or_zkp_x x) (f_or_zkp_y := f_or_zkp_y x) (f_or_zkp_a1 := f_or_zkp_a1 x) (f_or_zkp_b1 := f_or_zkp_b1 x) (f_or_zkp_a2 := f_or_zkp_a2 x) (f_or_zkp_b2 := y) (f_or_zkp_c := f_or_zkp_c x) (f_or_zkp_d1 := f_or_zkp_d1 x) (f_or_zkp_d2 := f_or_zkp_d2 x) (f_or_zkp_r1 := f_or_zkp_r1 x) (f_or_zkp_r2 := f_or_zkp_r2 x)). +Notation "'Build_t_OrZKPCommit' '[' x ']' '(' 'f_or_zkp_c' ':=' y ')'" := (Build_t_OrZKPCommit (f_or_zkp_x := f_or_zkp_x x) (f_or_zkp_y := f_or_zkp_y x) (f_or_zkp_a1 := f_or_zkp_a1 x) (f_or_zkp_b1 := f_or_zkp_b1 x) (f_or_zkp_a2 := f_or_zkp_a2 x) (f_or_zkp_b2 := f_or_zkp_b2 x) (f_or_zkp_c := y) (f_or_zkp_d1 := f_or_zkp_d1 x) (f_or_zkp_d2 := f_or_zkp_d2 x) (f_or_zkp_r1 := f_or_zkp_r1 x) (f_or_zkp_r2 := f_or_zkp_r2 x)). +Notation "'Build_t_OrZKPCommit' '[' x ']' '(' 'f_or_zkp_d1' ':=' y ')'" := (Build_t_OrZKPCommit (f_or_zkp_x := f_or_zkp_x x) (f_or_zkp_y := f_or_zkp_y x) (f_or_zkp_a1 := f_or_zkp_a1 x) (f_or_zkp_b1 := f_or_zkp_b1 x) (f_or_zkp_a2 := f_or_zkp_a2 x) (f_or_zkp_b2 := f_or_zkp_b2 x) (f_or_zkp_c := f_or_zkp_c x) (f_or_zkp_d1 := y) (f_or_zkp_d2 := f_or_zkp_d2 x) (f_or_zkp_r1 := f_or_zkp_r1 x) (f_or_zkp_r2 := f_or_zkp_r2 x)). 
+Notation "'Build_t_OrZKPCommit' '[' x ']' '(' 'f_or_zkp_d2' ':=' y ')'" := (Build_t_OrZKPCommit (f_or_zkp_x := f_or_zkp_x x) (f_or_zkp_y := f_or_zkp_y x) (f_or_zkp_a1 := f_or_zkp_a1 x) (f_or_zkp_b1 := f_or_zkp_b1 x) (f_or_zkp_a2 := f_or_zkp_a2 x) (f_or_zkp_b2 := f_or_zkp_b2 x) (f_or_zkp_c := f_or_zkp_c x) (f_or_zkp_d1 := f_or_zkp_d1 x) (f_or_zkp_d2 := y) (f_or_zkp_r1 := f_or_zkp_r1 x) (f_or_zkp_r2 := f_or_zkp_r2 x)). +Notation "'Build_t_OrZKPCommit' '[' x ']' '(' 'f_or_zkp_r1' ':=' y ')'" := (Build_t_OrZKPCommit (f_or_zkp_x := f_or_zkp_x x) (f_or_zkp_y := f_or_zkp_y x) (f_or_zkp_a1 := f_or_zkp_a1 x) (f_or_zkp_b1 := f_or_zkp_b1 x) (f_or_zkp_a2 := f_or_zkp_a2 x) (f_or_zkp_b2 := f_or_zkp_b2 x) (f_or_zkp_c := f_or_zkp_c x) (f_or_zkp_d1 := f_or_zkp_d1 x) (f_or_zkp_d2 := f_or_zkp_d2 x) (f_or_zkp_r1 := y) (f_or_zkp_r2 := f_or_zkp_r2 x)). +Notation "'Build_t_OrZKPCommit' '[' x ']' '(' 'f_or_zkp_r2' ':=' y ')'" := (Build_t_OrZKPCommit (f_or_zkp_x := f_or_zkp_x x) (f_or_zkp_y := f_or_zkp_y x) (f_or_zkp_a1 := f_or_zkp_a1 x) (f_or_zkp_b1 := f_or_zkp_b1 x) (f_or_zkp_a2 := f_or_zkp_a2 x) (f_or_zkp_b2 := f_or_zkp_b2 x) (f_or_zkp_c := f_or_zkp_c x) (f_or_zkp_d1 := f_or_zkp_d1 x) (f_or_zkp_d2 := f_or_zkp_d2 x) (f_or_zkp_r1 := f_or_zkp_r1 x) (f_or_zkp_r2 := y)). + +Definition t_RegisterParam {v_S : _} `{ t_Sized v_S} `{ t_Serialize v_S} `{ t_From v_S f_Scalar} `{ t_Into v_S f_Scalar} : choice_type := + (int32 × f_Scalar × f_Scalar × t_PhantomData v_S). +Equations f_rp_i {L : {fset Location}} {I : Interface} {v_S : _} `{ t_Sized v_S} `{ t_Serialize v_S} `{ t_From v_S f_Scalar} `{ t_Into v_S f_Scalar} (s : both L I t_RegisterParam) : both L I int32 := + f_rp_i s := + bind_both s (fun x => + solve_lift (ret_both (fst (fst (fst x)) : int32))) : both L I int32. +Fail Next Obligation. 
+Equations f_rp_xi {L : {fset Location}} {I : Interface} {v_S : _} `{ t_Sized v_S} `{ t_Serialize v_S} `{ t_From v_S f_Scalar} `{ t_Into v_S f_Scalar} (s : both L I t_RegisterParam) : both L I f_Scalar := + f_rp_xi s := + bind_both s (fun x => + solve_lift (ret_both (snd (fst (fst x)) : f_Scalar))) : both L I f_Scalar. +Fail Next Obligation. +Equations f_rp_zkp_random {L : {fset Location}} {I : Interface} {v_S : _} `{ t_Sized v_S} `{ t_Serialize v_S} `{ t_From v_S f_Scalar} `{ t_Into v_S f_Scalar} (s : both L I t_RegisterParam) : both L I f_Scalar := + f_rp_zkp_random s := + bind_both s (fun x => + solve_lift (ret_both (snd (fst x) : f_Scalar))) : both L I f_Scalar. +Fail Next Obligation. +Equations f_phantom {L : {fset Location}} {I : Interface} {v_S : _} `{ t_Sized v_S} `{ t_Serialize v_S} `{ t_From v_S f_Scalar} `{ t_Into v_S f_Scalar} (s : both L I t_RegisterParam) : both L I (t_PhantomData v_S) := + f_phantom s := + bind_both s (fun x => + solve_lift (ret_both (snd x : (t_PhantomData v_S)))) : both L I (t_PhantomData v_S). +Fail Next Obligation. +Equations Build_t_RegisterParam {L0 : {fset Location}} {L1 : {fset Location}} {L2 : {fset Location}} {L3 : {fset Location}} {I0 : Interface} {I1 : Interface} {I2 : Interface} {I3 : Interface} {v_S : _} `{ t_Sized v_S} `{ t_Serialize v_S} `{ t_From v_S f_Scalar} `{ t_Into v_S f_Scalar} {f_rp_i : both L0 I0 int32} {f_rp_xi : both L1 I1 f_Scalar} {f_rp_zkp_random : both L2 I2 f_Scalar} {f_phantom : both L3 I3 (t_PhantomData v_S)} : both (L0:|:L1:|:L2:|:L3) (I0:|:I1:|:I2:|:I3) (t_RegisterParam) := + Build_t_RegisterParam := + bind_both f_phantom (fun f_phantom => + bind_both f_rp_zkp_random (fun f_rp_zkp_random => + bind_both f_rp_xi (fun f_rp_xi => + bind_both f_rp_i (fun f_rp_i => + solve_lift (ret_both ((f_rp_i,f_rp_xi,f_rp_zkp_random,f_phantom) : (t_RegisterParam))))))) : both (L0:|:L1:|:L2:|:L3) (I0:|:I1:|:I2:|:I3) (t_RegisterParam). +Fail Next Obligation. 
+Notation "'Build_t_RegisterParam' '[' x ']' '(' 'f_rp_i' ':=' y ')'" := (Build_t_RegisterParam (f_rp_i := y) (f_rp_xi := f_rp_xi x) (f_rp_zkp_random := f_rp_zkp_random x) (f_phantom := f_phantom x)). +Notation "'Build_t_RegisterParam' '[' x ']' '(' 'f_rp_xi' ':=' y ')'" := (Build_t_RegisterParam (f_rp_i := f_rp_i x) (f_rp_xi := y) (f_rp_zkp_random := f_rp_zkp_random x) (f_phantom := f_phantom x)). +Notation "'Build_t_RegisterParam' '[' x ']' '(' 'f_rp_zkp_random' ':=' y ')'" := (Build_t_RegisterParam (f_rp_i := f_rp_i x) (f_rp_xi := f_rp_xi x) (f_rp_zkp_random := y) (f_phantom := f_phantom x)). +Notation "'Build_t_RegisterParam' '[' x ']' '(' 'f_phantom' ':=' y ')'" := (Build_t_RegisterParam (f_rp_i := f_rp_i x) (f_rp_xi := f_rp_xi x) (f_rp_zkp_random := f_rp_zkp_random x) (f_phantom := y)). + +#[global] Program Instance t_RegisterParam v_S_t_Serial {v_S : _} `{ t_Sized v_S} `{ t_Serialize v_S} `{ t_From v_S f_Scalar} `{ t_Into v_S f_Scalar} : t_Serial (t_RegisterParam v_S) := + let f_serial := fun {L1 : {fset Location}} {L2 : {fset Location}} {I1 : Interface} {I2 : Interface} (self : both L1 I1 (t_RegisterParam v_S)) (w : both L2 I2 v_W) => solve_lift (run (letb '(tmp0,out) := f_serial (f_rp_i self) w in + letb _ := assign todo(term) in + letb hoist42 := out in + letb hoist43 := f_branch hoist42 in + letm[choice_typeMonad.result_bind_code (v_W × t_Result 'unit f_Err)] _ := matchb hoist43 with + | ControlFlow_Break_case residual => + letb residual := ret_both ((residual) : (t_Result t_Infallible f_Err)) in + letm[choice_typeMonad.result_bind_code (v_W × t_Result 'unit f_Err)] hoist41 := ControlFlow_Break (prod_b (w,f_from_residual residual)) in + ControlFlow_Continue (solve_lift (never_to_any hoist41)) + | ControlFlow_Continue_case val => + letb val := ret_both ((val) : ('unit)) in + ControlFlow_Continue (solve_lift val) + end in + letb '(tmp0,out) := f_serial (f_from (f_rp_xi self)) w in + letb _ := assign todo(term) in + letb hoist45 := out in + letb hoist46 := 
f_branch hoist45 in + letm[choice_typeMonad.result_bind_code (v_W × t_Result 'unit f_Err)] _ := matchb hoist46 with + | ControlFlow_Break_case residual => + letb residual := ret_both ((residual) : (t_Result t_Infallible f_Err)) in + letm[choice_typeMonad.result_bind_code (v_W × t_Result 'unit f_Err)] hoist44 := ControlFlow_Break (prod_b (w,f_from_residual residual)) in + ControlFlow_Continue (solve_lift (never_to_any hoist44)) + | ControlFlow_Continue_case val => + letb val := ret_both ((val) : ('unit)) in + ControlFlow_Continue (solve_lift val) + end in + letb '(tmp0,out) := f_serial (f_from (f_rp_zkp_random self)) w in + letb _ := assign todo(term) in + letb hoist48 := out in + letb hoist49 := f_branch hoist48 in + letm[choice_typeMonad.result_bind_code (v_W × t_Result 'unit f_Err)] _ := matchb hoist49 with + | ControlFlow_Break_case residual => + letb residual := ret_both ((residual) : (t_Result t_Infallible f_Err)) in + letm[choice_typeMonad.result_bind_code (v_W × t_Result 'unit f_Err)] hoist47 := ControlFlow_Break (prod_b (w,f_from_residual residual)) in + ControlFlow_Continue (solve_lift (never_to_any hoist47)) + | ControlFlow_Continue_case val => + letb val := ret_both ((val) : ('unit)) in + ControlFlow_Continue (solve_lift val) + end in + ControlFlow_Continue (letb hax_temp_output := Result_Ok (ret_both (tt : 'unit)) in + prod_b (w,hax_temp_output)))) : both (L1 :|: L2 :|: fset []) (I1 :|: I2) (v_W × t_Result 'unit f_Err) in + {| f_serial_loc := (fset [] : {fset Location}); + f_serial := (@f_serial)|}. +Fail Next Obligation. +Hint Unfold t_RegisterParam v_S_t_Serial. 
+ +#[global] Program Instance t_RegisterParam v_S_t_Deserial {v_S : _} `{ t_Sized v_S} `{ t_Serialize v_S} `{ t_From v_S f_Scalar} `{ t_Into v_S f_Scalar} : t_Deserial (t_RegisterParam v_S) := + let f_deserial := fun {L1 : {fset Location}} {I1 : Interface} (r : both L1 I1 v_R) => solve_lift (run (letb '(tmp0,out) := f_get r in + letb _ := assign todo(term) in + letb hoist51 := out in + letb hoist52 := f_branch hoist51 in + letm[choice_typeMonad.result_bind_code (v_R × t_Result (t_RegisterParam v_S) t_ParseError)] (rp_i : both _ _ int32) := matchb hoist52 with + | ControlFlow_Break_case residual => + letb residual := ret_both ((residual) : (t_Result t_Infallible t_ParseError)) in + letm[choice_typeMonad.result_bind_code (v_R × t_Result (t_RegisterParam v_S) t_ParseError)] hoist50 := ControlFlow_Break (prod_b (r,f_from_residual residual)) in + ControlFlow_Continue (solve_lift (never_to_any hoist50)) + | ControlFlow_Continue_case val => + letb val := ret_both ((val) : (int32)) in + ControlFlow_Continue (solve_lift val) + end in + letb '(tmp0,out) := f_get r in + letb _ := assign todo(term) in + letb hoist54 := out in + letb hoist55 := f_branch hoist54 in + letm[choice_typeMonad.result_bind_code (v_R × t_Result (t_RegisterParam v_S) t_ParseError)] hoist56 := matchb hoist55 with + | ControlFlow_Break_case residual => + letb residual := ret_both ((residual) : (t_Result t_Infallible t_ParseError)) in + letm[choice_typeMonad.result_bind_code (v_R × t_Result (t_RegisterParam v_S) t_ParseError)] hoist53 := ControlFlow_Break (prod_b (r,f_from_residual residual)) in + ControlFlow_Continue (solve_lift (never_to_any hoist53)) + | ControlFlow_Continue_case val => + letb val := ret_both ((val) : (v_S)) in + ControlFlow_Continue (solve_lift val) + end in + letb (rp_xi : both _ _ t_Scalar) := f_into hoist56 in + letb '(tmp0,out) := f_get r in + letb _ := assign todo(term) in + letb hoist58 := out in + letb hoist59 := f_branch hoist58 in + letm[choice_typeMonad.result_bind_code (v_R 
× t_Result (t_RegisterParam v_S) t_ParseError)] hoist60 := matchb hoist59 with + | ControlFlow_Break_case residual => + letb residual := ret_both ((residual) : (t_Result t_Infallible t_ParseError)) in + letm[choice_typeMonad.result_bind_code (v_R × t_Result (t_RegisterParam v_S) t_ParseError)] hoist57 := ControlFlow_Break (prod_b (r,f_from_residual residual)) in + ControlFlow_Continue (solve_lift (never_to_any hoist57)) + | ControlFlow_Continue_case val => + letb val := ret_both ((val) : (v_S)) in + ControlFlow_Continue (solve_lift val) + end in + ControlFlow_Continue (letb (rp_zkp_random : both _ _ t_Scalar) := f_into hoist60 in + letb hax_temp_output := Result_Ok (Build_t_RegisterParam (f_rp_i := rp_i) (f_rp_xi := rp_xi) (f_rp_zkp_random := rp_zkp_random) (f_phantom := PhantomData)) in + prod_b (r,hax_temp_output)))) : both (L1 :|: fset []) I1 (v_R × t_Result (t_RegisterParam v_S) t_ParseError) in + {| f_deserial_loc := (fset [] : {fset Location}); + f_deserial := (@f_deserial)|}. +Fail Next Obligation. +Hint Unfold t_RegisterParam v_S_t_Deserial. + +Definition t_SchnorrZKPCommit : choice_type := + (t_Gt × f_Scalar × f_Scalar). +Equations f_schnorr_zkp_u {L : {fset Location}} {I : Interface} (s : both L I t_SchnorrZKPCommit) : both L I t_Gt := + f_schnorr_zkp_u s := + bind_both s (fun x => + solve_lift (ret_both (fst (fst x) : t_Gt))) : both L I t_Gt. +Fail Next Obligation. +Equations f_schnorr_zkp_c {L : {fset Location}} {I : Interface} (s : both L I t_SchnorrZKPCommit) : both L I f_Scalar := + f_schnorr_zkp_c s := + bind_both s (fun x => + solve_lift (ret_both (snd (fst x) : f_Scalar))) : both L I f_Scalar. +Fail Next Obligation. +Equations f_schnorr_zkp_z {L : {fset Location}} {I : Interface} (s : both L I t_SchnorrZKPCommit) : both L I f_Scalar := + f_schnorr_zkp_z s := + bind_both s (fun x => + solve_lift (ret_both (snd x : f_Scalar))) : both L I f_Scalar. +Fail Next Obligation. 
+Equations Build_t_SchnorrZKPCommit {L0 : {fset Location}} {L1 : {fset Location}} {L2 : {fset Location}} {I0 : Interface} {I1 : Interface} {I2 : Interface} {f_schnorr_zkp_u : both L0 I0 t_Gt} {f_schnorr_zkp_c : both L1 I1 f_Scalar} {f_schnorr_zkp_z : both L2 I2 f_Scalar} : both (L0:|:L1:|:L2) (I0:|:I1:|:I2) (t_SchnorrZKPCommit) := + Build_t_SchnorrZKPCommit := + bind_both f_schnorr_zkp_z (fun f_schnorr_zkp_z => + bind_both f_schnorr_zkp_c (fun f_schnorr_zkp_c => + bind_both f_schnorr_zkp_u (fun f_schnorr_zkp_u => + solve_lift (ret_both ((f_schnorr_zkp_u,f_schnorr_zkp_c,f_schnorr_zkp_z) : (t_SchnorrZKPCommit)))))) : both (L0:|:L1:|:L2) (I0:|:I1:|:I2) (t_SchnorrZKPCommit). +Fail Next Obligation. +Notation "'Build_t_SchnorrZKPCommit' '[' x ']' '(' 'f_schnorr_zkp_u' ':=' y ')'" := (Build_t_SchnorrZKPCommit (f_schnorr_zkp_u := y) (f_schnorr_zkp_c := f_schnorr_zkp_c x) (f_schnorr_zkp_z := f_schnorr_zkp_z x)). +Notation "'Build_t_SchnorrZKPCommit' '[' x ']' '(' 'f_schnorr_zkp_c' ':=' y ')'" := (Build_t_SchnorrZKPCommit (f_schnorr_zkp_u := f_schnorr_zkp_u x) (f_schnorr_zkp_c := y) (f_schnorr_zkp_z := f_schnorr_zkp_z x)). +Notation "'Build_t_SchnorrZKPCommit' '[' x ']' '(' 'f_schnorr_zkp_z' ':=' y ')'" := (Build_t_SchnorrZKPCommit (f_schnorr_zkp_u := f_schnorr_zkp_u x) (f_schnorr_zkp_c := f_schnorr_zkp_c x) (f_schnorr_zkp_z := y)). + +Definition t_TallyParameter : choice_type := + 'unit. +Equations Build_t_TallyParameter : both (fset []) (fset []) (t_TallyParameter) := + Build_t_TallyParameter := + solve_lift (ret_both (tt (* Empty tuple *) : (t_TallyParameter))) : both (fset []) (fset []) (t_TallyParameter). +Fail Next Obligation. 
+ +Equations schnorr_zkp {L1 : {fset Location}} {L2 : {fset Location}} {L3 : {fset Location}} {I1 : Interface} {I2 : Interface} {I3 : Interface} (r : both L1 I1 t_Scalar) (h : both L2 I2 t_Gt) (x : both L3 I3 t_Scalar) : both (L1 :|: L2 :|: L3) (I1 :|: I2 :|: I3) t_SchnorrZKPCommit := + schnorr_zkp r h x := + solve_lift (run (letb u := (f_generator (ret_both (tt : 'unit))) .* r in + letb c := hash (impl__into_vec (unsize (box_new (array_from_list [f_generator (ret_both (tt : 'unit)); + h; + u])))) in + letb z := r .+ (c .* x) in + letm[choice_typeMonad.result_bind_code t_SchnorrZKPCommit] hoist61 := ControlFlow_Break (Build_t_SchnorrZKPCommit (f_schnorr_zkp_u := u) (f_schnorr_zkp_c := c) (f_schnorr_zkp_z := z)) in + ControlFlow_Continue (never_to_any hoist61))) : both (L1 :|: L2 :|: L3) (I1 :|: I2 :|: I3) t_SchnorrZKPCommit. +Fail Next Obligation. + +Equations schnorr_zkp_validate {L1 : {fset Location}} {L2 : {fset Location}} {I1 : Interface} {I2 : Interface} (h : both L1 I1 t_Gt) (pi : both L2 I2 t_SchnorrZKPCommit) : both (L1 :|: L2) (I1 :|: I2) 'bool := + schnorr_zkp_validate h pi := + solve_lift (andb ((f_schnorr_zkp_c pi) =.? (hash (impl__into_vec (unsize (box_new (array_from_list [f_generator (ret_both (tt : 'unit)); + h; + f_schnorr_zkp_u pi])))))) (((f_generator (ret_both (tt : 'unit))) .* (f_schnorr_zkp_z pi)) =.? ((f_schnorr_zkp_u pi) .+ (h .* (f_schnorr_zkp_c pi))))) : both (L1 :|: L2) (I1 :|: I2) 'bool. +Fail Next Obligation. 
+ +Equations zkp_one_out_of_two {L1 : {fset Location}} {L2 : {fset Location}} {L3 : {fset Location}} {L4 : {fset Location}} {L5 : {fset Location}} {L6 : {fset Location}} {I1 : Interface} {I2 : Interface} {I3 : Interface} {I4 : Interface} {I5 : Interface} {I6 : Interface} (w : both L1 I1 t_Scalar) (rand_r : both L2 I2 t_Scalar) (rand_d : both L3 I3 t_Scalar) (h : both L4 I4 t_Gt) (xi : both L5 I5 t_Scalar) (vi : both L6 I6 'bool) : both (L1 :|: L2 :|: L3 :|: L4 :|: L5 :|: L6) (I1 :|: I2 :|: I3 :|: I4 :|: I5 :|: I6) t_OrZKPCommit := + zkp_one_out_of_two w rand_r rand_d h xi vi := + solve_lift (ifb vi + then letb r1 := rand_r in + letb d1 := rand_d in + letb x := (f_generator (ret_both (tt : 'unit))) .* xi in + letb y := (h .* xi) .+ (f_generator (ret_both (tt : 'unit))) in + letb a1 := ((f_generator (ret_both (tt : 'unit))) .* r1) .+ (x .* d1) in + letb b1 := (h .* r1) .+ (y .* d1) in + letb a2 := (f_generator (ret_both (tt : 'unit))) .* w in + letb b2 := h .* w in + letb c := hash (impl__into_vec (unsize (box_new (array_from_list [x; + y; + a1; + b1; + a2; + b2])))) in + letb d2 := c .- d1 in + letb r2 := w .- (xi .* d2) in + Build_t_OrZKPCommit (f_or_zkp_x := x) (f_or_zkp_y := y) (f_or_zkp_a1 := a1) (f_or_zkp_b1 := b1) (f_or_zkp_a2 := a2) (f_or_zkp_b2 := b2) (f_or_zkp_c := c) (f_or_zkp_d1 := d1) (f_or_zkp_d2 := d2) (f_or_zkp_r1 := r1) (f_or_zkp_r2 := r2) + else letb r2 := rand_r in + letb d2 := rand_d in + letb x := (f_generator (ret_both (tt : 'unit))) .* xi in + letb y := h .* xi in + letb a1 := (f_generator (ret_both (tt : 'unit))) .* w in + letb b1 := h .* w in + letb a2 := ((f_generator (ret_both (tt : 'unit))) .* r2) .+ (x .* d2) in + letb b2 := (h .* r2) .+ ((y .- (f_generator (ret_both (tt : 'unit)))) .* d2) in + letb c := hash (impl__into_vec (unsize (box_new (array_from_list [x; + y; + a1; + b1; + a2; + b2])))) in + letb d1 := c .- d2 in + letb r1 := w .- (xi .* d1) in + Build_t_OrZKPCommit (f_or_zkp_x := x) (f_or_zkp_y := y) (f_or_zkp_a1 := a1) 
(f_or_zkp_b1 := b1) (f_or_zkp_a2 := a2) (f_or_zkp_b2 := b2) (f_or_zkp_c := c) (f_or_zkp_d1 := d1) (f_or_zkp_d2 := d2) (f_or_zkp_r1 := r1) (f_or_zkp_r2 := r2)) : both (L1 :|: L2 :|: L3 :|: L4 :|: L5 :|: L6) (I1 :|: I2 :|: I3 :|: I4 :|: I5 :|: I6) t_OrZKPCommit. +Fail Next Obligation. + +Equations zkp_one_out_of_two_validate {L1 : {fset Location}} {L2 : {fset Location}} {I1 : Interface} {I2 : Interface} (h : both L1 I1 t_Gt) (zkp : both L2 I2 t_OrZKPCommit) : both (L1 :|: L2) (I1 :|: I2) 'bool := + zkp_one_out_of_two_validate h zkp := + letb c := hash (impl__into_vec (unsize (box_new (array_from_list [f_or_zkp_x zkp; + f_or_zkp_y zkp; + f_or_zkp_a1 zkp; + f_or_zkp_b1 zkp; + f_or_zkp_a2 zkp; + f_or_zkp_b2 zkp])))) in + solve_lift (andb (andb (andb (andb (c =.? ((f_or_zkp_d1 zkp) .+ (f_or_zkp_d2 zkp))) ((f_or_zkp_a1 zkp) =.? (((f_generator (ret_both (tt : 'unit))) .* (f_or_zkp_r1 zkp)) .+ ((f_or_zkp_x zkp) .* (f_or_zkp_d1 zkp))))) ((f_or_zkp_b1 zkp) =.? ((h .* (f_or_zkp_r1 zkp)) .+ ((f_or_zkp_y zkp) .* (f_or_zkp_d1 zkp))))) ((f_or_zkp_a2 zkp) =.? (((f_generator (ret_both (tt : 'unit))) .* (f_or_zkp_r2 zkp)) .+ ((f_or_zkp_x zkp) .* (f_or_zkp_d2 zkp))))) ((f_or_zkp_b2 zkp) =.? ((h .* (f_or_zkp_r2 zkp)) .+ (((f_or_zkp_y zkp) .- (f_generator (ret_both (tt : 'unit)))) .* (f_or_zkp_d2 zkp))))) : both (L1 :|: L2) (I1 :|: I2) 'bool. +Fail Next Obligation. + +Definition t_OvnContractState {n : both (fset []) (fset []) uint_size} : choice_type := + (nseq t_Gt (is_pure (n)) × nseq t_SchnorrZKPCommit (is_pure (n)) × nseq f_Scalar (is_pure (n)) × nseq t_Gt (is_pure (n)) × nseq t_OrZKPCommit (is_pure (n)) × int32). +Equations f_g_pow_xis {L : {fset Location}} {I : Interface} {n : both (fset []) (fset []) uint_size} (s : both L I t_OvnContractState) : both L I (nseq t_Gt (is_pure (n))) := + f_g_pow_xis s := + bind_both s (fun x => + solve_lift (ret_both (fst (fst (fst (fst (fst x)))) : (nseq t_Gt (is_pure (n)))))) : both L I (nseq t_Gt (is_pure (n))). +Fail Next Obligation. 
+Equations f_zkp_xis {L : {fset Location}} {I : Interface} {n : both (fset []) (fset []) uint_size} (s : both L I t_OvnContractState) : both L I (nseq t_SchnorrZKPCommit (is_pure (n))) := + f_zkp_xis s := + bind_both s (fun x => + solve_lift (ret_both (snd (fst (fst (fst (fst x)))) : (nseq t_SchnorrZKPCommit (is_pure (n)))))) : both L I (nseq t_SchnorrZKPCommit (is_pure (n))). +Fail Next Obligation. +Equations f_commit_vis {L : {fset Location}} {I : Interface} {n : both (fset []) (fset []) uint_size} (s : both L I t_OvnContractState) : both L I (nseq f_Scalar (is_pure (n))) := + f_commit_vis s := + bind_both s (fun x => + solve_lift (ret_both (snd (fst (fst (fst x))) : (nseq f_Scalar (is_pure (n)))))) : both L I (nseq f_Scalar (is_pure (n))). +Fail Next Obligation. +Equations f_g_pow_xi_yi_vis {L : {fset Location}} {I : Interface} {n : both (fset []) (fset []) uint_size} (s : both L I t_OvnContractState) : both L I (nseq t_Gt (is_pure (n))) := + f_g_pow_xi_yi_vis s := + bind_both s (fun x => + solve_lift (ret_both (snd (fst (fst x)) : (nseq t_Gt (is_pure (n)))))) : both L I (nseq t_Gt (is_pure (n))). +Fail Next Obligation. +Equations f_zkp_vis {L : {fset Location}} {I : Interface} {n : both (fset []) (fset []) uint_size} (s : both L I t_OvnContractState) : both L I (nseq t_OrZKPCommit (is_pure (n))) := + f_zkp_vis s := + bind_both s (fun x => + solve_lift (ret_both (snd (fst x) : (nseq t_OrZKPCommit (is_pure (n)))))) : both L I (nseq t_OrZKPCommit (is_pure (n))). +Fail Next Obligation. +Equations f_tally {L : {fset Location}} {I : Interface} {n : both (fset []) (fset []) uint_size} (s : both L I t_OvnContractState) : both L I int32 := + f_tally s := + bind_both s (fun x => + solve_lift (ret_both (snd x : int32))) : both L I int32. +Fail Next Obligation. 
+Equations Build_t_OvnContractState {L0 : {fset Location}} {L1 : {fset Location}} {L2 : {fset Location}} {L3 : {fset Location}} {L4 : {fset Location}} {L5 : {fset Location}} {I0 : Interface} {I1 : Interface} {I2 : Interface} {I3 : Interface} {I4 : Interface} {I5 : Interface} {n : both (fset []) (fset []) uint_size} {f_g_pow_xis : both L0 I0 (nseq t_Gt (is_pure (n)))} {f_zkp_xis : both L1 I1 (nseq t_SchnorrZKPCommit (is_pure (n)))} {f_commit_vis : both L2 I2 (nseq f_Scalar (is_pure (n)))} {f_g_pow_xi_yi_vis : both L3 I3 (nseq t_Gt (is_pure (n)))} {f_zkp_vis : both L4 I4 (nseq t_OrZKPCommit (is_pure (n)))} {f_tally : both L5 I5 int32} : both (L0:|:L1:|:L2:|:L3:|:L4:|:L5) (I0:|:I1:|:I2:|:I3:|:I4:|:I5) (t_OvnContractState) := + Build_t_OvnContractState := + bind_both f_tally (fun f_tally => + bind_both f_zkp_vis (fun f_zkp_vis => + bind_both f_g_pow_xi_yi_vis (fun f_g_pow_xi_yi_vis => + bind_both f_commit_vis (fun f_commit_vis => + bind_both f_zkp_xis (fun f_zkp_xis => + bind_both f_g_pow_xis (fun f_g_pow_xis => + solve_lift (ret_both ((f_g_pow_xis,f_zkp_xis,f_commit_vis,f_g_pow_xi_yi_vis,f_zkp_vis,f_tally) : (t_OvnContractState))))))))) : both (L0:|:L1:|:L2:|:L3:|:L4:|:L5) (I0:|:I1:|:I2:|:I3:|:I4:|:I5) (t_OvnContractState). +Fail Next Obligation. +Notation "'Build_t_OvnContractState' '[' x ']' '(' 'f_g_pow_xis' ':=' y ')'" := (Build_t_OvnContractState (f_g_pow_xis := y) (f_zkp_xis := f_zkp_xis x) (f_commit_vis := f_commit_vis x) (f_g_pow_xi_yi_vis := f_g_pow_xi_yi_vis x) (f_zkp_vis := f_zkp_vis x) (f_tally := f_tally x)). +Notation "'Build_t_OvnContractState' '[' x ']' '(' 'f_zkp_xis' ':=' y ')'" := (Build_t_OvnContractState (f_g_pow_xis := f_g_pow_xis x) (f_zkp_xis := y) (f_commit_vis := f_commit_vis x) (f_g_pow_xi_yi_vis := f_g_pow_xi_yi_vis x) (f_zkp_vis := f_zkp_vis x) (f_tally := f_tally x)). 
+Notation "'Build_t_OvnContractState' '[' x ']' '(' 'f_commit_vis' ':=' y ')'" := (Build_t_OvnContractState (f_g_pow_xis := f_g_pow_xis x) (f_zkp_xis := f_zkp_xis x) (f_commit_vis := y) (f_g_pow_xi_yi_vis := f_g_pow_xi_yi_vis x) (f_zkp_vis := f_zkp_vis x) (f_tally := f_tally x)). +Notation "'Build_t_OvnContractState' '[' x ']' '(' 'f_g_pow_xi_yi_vis' ':=' y ')'" := (Build_t_OvnContractState (f_g_pow_xis := f_g_pow_xis x) (f_zkp_xis := f_zkp_xis x) (f_commit_vis := f_commit_vis x) (f_g_pow_xi_yi_vis := y) (f_zkp_vis := f_zkp_vis x) (f_tally := f_tally x)). +Notation "'Build_t_OvnContractState' '[' x ']' '(' 'f_zkp_vis' ':=' y ')'" := (Build_t_OvnContractState (f_g_pow_xis := f_g_pow_xis x) (f_zkp_xis := f_zkp_xis x) (f_commit_vis := f_commit_vis x) (f_g_pow_xi_yi_vis := f_g_pow_xi_yi_vis x) (f_zkp_vis := y) (f_tally := f_tally x)). +Notation "'Build_t_OvnContractState' '[' x ']' '(' 'f_tally' ':=' y ')'" := (Build_t_OvnContractState (f_g_pow_xis := f_g_pow_xis x) (f_zkp_xis := f_zkp_xis x) (f_commit_vis := f_commit_vis x) (f_g_pow_xi_yi_vis := f_g_pow_xi_yi_vis x) (f_zkp_vis := f_zkp_vis x) (f_tally := y)). + +Definition cast_vote_state_ret_loc {v_S : _} {n : both (fset []) (fset []) uint_size} {v_A : _} {impl_574521470_ : _} `{ t_Sized v_S} `{ t_Sized v_A} `{ t_Sized impl_574521470_} `{ t_Serialize v_S} `{ t_From v_S f_Scalar} `{ t_Into v_S f_Scalar} `{ t_HasActions v_A} `{ t_HasReceiveContext impl_574521470_ 'unit} : Location := + (t_OvnContractState (both (fset []) (fset []) uint_size);2%nat). 
+Equations cast_vote {L1 : {fset Location}} {L2 : {fset Location}} {I1 : Interface} {I2 : Interface} {v_S : _} {n : both (fset []) (fset []) uint_size} {v_A : _} {impl_574521470_ : _} `{ t_Sized v_S} `{ t_Sized v_A} `{ t_Sized impl_574521470_} `{ t_Serialize v_S} `{ t_From v_S f_Scalar} `{ t_Into v_S f_Scalar} `{ t_HasActions v_A} `{ t_HasReceiveContext impl_574521470_ 'unit} (ctx : both L1 I1 impl_574521470_) (state : both L2 I2 (t_OvnContractState (both (fset []) (fset []) uint_size))) : both (L1 :|: L2 :|: fset [cast_vote_state_ret_loc;prod1_loc;prod2_loc]) (I1 :|: I2) (t_Result (v_A × t_OvnContractState (both (fset []) (fset []) uint_size)) t_ParseError) := + cast_vote ctx state := + solve_lift (run (letb '(_,out) := f_get (f_parameter_cursor ctx) in + letm[choice_typeMonad.result_bind_code t_ParseError] (params : both _ _ (t_CastVoteParam v_S)) := out in + Result_Ok (letb g_pow_yi := compute_g_pow_yi (cast (B := uint_size) (f_cvp_i params)) (f_g_pow_xis state) in + letb g_pow_xi_yi_vi := compute_group_element_for_vote (f_cvp_xi params) (f_cvp_vote params) g_pow_yi in + letb zkp_vi := zkp_one_out_of_two (f_cvp_zkp_random_w params) (f_cvp_zkp_random_r params) (f_cvp_zkp_random_d params) g_pow_yi (f_cvp_xi params) (f_cvp_vote params) in + letb cast_vote_state_ret loc(cast_vote_state_ret_loc) := f_clone state in + letb _ := assign todo(term) in + letb _ := assign todo(term) in + Result_Ok (prod_b (f_accept (ret_both (tt : 'unit)),cast_vote_state_ret))))) : both (L1 :|: L2 :|: fset [cast_vote_state_ret_loc;prod1_loc;prod2_loc]) (I1 :|: I2) (t_Result (v_A × t_OvnContractState (both (fset []) (fset []) uint_size)) t_ParseError). +Fail Next Obligation. 
+ +Definition commit_to_vote_state_ret_loc {v_S : _} {n : both (fset []) (fset []) uint_size} {v_A : _} {impl_574521470_ : _} `{ t_Sized v_S} `{ t_Sized v_A} `{ t_Sized impl_574521470_} `{ t_Serialize v_S} `{ t_From v_S f_Scalar} `{ t_Into v_S f_Scalar} `{ t_HasActions v_A} `{ t_HasReceiveContext impl_574521470_ 'unit} : Location := + (t_OvnContractState (both (fset []) (fset []) uint_size);3%nat). +Equations commit_to_vote {L1 : {fset Location}} {L2 : {fset Location}} {I1 : Interface} {I2 : Interface} {v_S : _} {n : both (fset []) (fset []) uint_size} {v_A : _} {impl_574521470_ : _} `{ t_Sized v_S} `{ t_Sized v_A} `{ t_Sized impl_574521470_} `{ t_Serialize v_S} `{ t_From v_S f_Scalar} `{ t_Into v_S f_Scalar} `{ t_HasActions v_A} `{ t_HasReceiveContext impl_574521470_ 'unit} (ctx : both L1 I1 impl_574521470_) (state : both L2 I2 (t_OvnContractState (both (fset []) (fset []) uint_size))) : both (L1 :|: L2 :|: fset [commit_to_vote_state_ret_loc;prod1_loc;prod2_loc]) (I1 :|: I2) (t_Result (v_A × t_OvnContractState (both (fset []) (fset []) uint_size)) t_ParseError) := + commit_to_vote ctx state := + solve_lift (run (letb '(_,out) := f_get (f_parameter_cursor ctx) in + letm[choice_typeMonad.result_bind_code t_ParseError] (params : both _ _ (t_CastVoteParam v_S)) := out in + Result_Ok (letb _ := foldi_both_list (f_into_iter (Build_t_Range (f_start := ret_both (0 : uint_size)) (f_end := n))) (fun i => + ssp (fun _ => + solve_lift (ifb not (schnorr_zkp_validate ((f_g_pow_xis state).a[i]) ((f_zkp_xis state).a[i])) + then letm[choice_typeMonad.result_bind_code (t_Result (v_A × t_OvnContractState (both (fset []) (fset []) uint_size)) t_ParseError)] hoist62 := ControlFlow_Break (Result_Err ParseError) in + ControlFlow_Continue (never_to_any hoist62) + else ()) : (both (*0*)(L2:|:fset []) (I2) (t_ControlFlow (t_Result (v_A × t_OvnContractState (both (fset []) (fset []) uint_size)) t_ParseError) 'unit)))) (ret_both (tt : 'unit)) in + letb g_pow_yi := compute_g_pow_yi (cast (B 
:= uint_size) (f_cvp_i params)) (f_g_pow_xis state) in + letb g_pow_xi_yi_vi := compute_group_element_for_vote (f_cvp_xi params) (f_cvp_vote params) g_pow_yi in + letb commit_vi := commit_to g_pow_xi_yi_vi in + letb commit_to_vote_state_ret loc(commit_to_vote_state_ret_loc) := f_clone state in + letb _ := assign todo(term) in + Result_Ok (prod_b (f_accept (ret_both (tt : 'unit)),commit_to_vote_state_ret))))) : both (L1 :|: L2 :|: fset [commit_to_vote_state_ret_loc;prod1_loc;prod2_loc]) (I1 :|: I2) (t_Result (v_A × t_OvnContractState (both (fset []) (fset []) uint_size)) t_ParseError). +Fail Next Obligation. + +Equations init_ovn_contract {L1 : {fset Location}} {I1 : Interface} {n : both (fset []) (fset []) uint_size} (_ : both L1 I1 'unit) : both L1 I1 (t_Result (t_OvnContractState (both (fset []) (fset []) uint_size)) t_Reject) := + init_ovn_contract _ := + Result_Ok (solve_lift (Build_t_OvnContractState (f_g_pow_xis := repeat (f_identity (ret_both (tt : 'unit))) n) (f_zkp_xis := repeat (Build_t_SchnorrZKPCommit (f_schnorr_zkp_u := f_identity (ret_both (tt : 'unit))) (f_schnorr_zkp_z := f_ZERO) (f_schnorr_zkp_c := f_ZERO)) n) (f_commit_vis := repeat f_ZERO n) (f_g_pow_xi_yi_vis := repeat (f_identity (ret_both (tt : 'unit))) n) (f_zkp_vis := repeat (Build_t_OrZKPCommit (f_or_zkp_x := f_identity (ret_both (tt : 'unit))) (f_or_zkp_y := f_identity (ret_both (tt : 'unit))) (f_or_zkp_a1 := f_identity (ret_both (tt : 'unit))) (f_or_zkp_b1 := f_identity (ret_both (tt : 'unit))) (f_or_zkp_a2 := f_identity (ret_both (tt : 'unit))) (f_or_zkp_b2 := f_identity (ret_both (tt : 'unit))) (f_or_zkp_c := f_ZERO) (f_or_zkp_d1 := f_ZERO) (f_or_zkp_d2 := f_ZERO) (f_or_zkp_r1 := f_ZERO) (f_or_zkp_r2 := f_ZERO)) n) (f_tally := ret_both (0 : int32)))) : both L1 I1 (t_Result (t_OvnContractState (both (fset []) (fset []) uint_size)) t_Reject). +Fail Next Obligation. 
+ +Definition register_vote_state_ret_loc {v_S : _} {n : both (fset []) (fset []) uint_size} {v_A : _} {impl_574521470_ : _} `{ t_Sized v_S} `{ t_Sized v_A} `{ t_Sized impl_574521470_} `{ t_Serialize v_S} `{ t_From v_S f_Scalar} `{ t_Into v_S f_Scalar} `{ t_HasActions v_A} `{ t_HasReceiveContext impl_574521470_ 'unit} : Location := + (t_OvnContractState (both (fset []) (fset []) uint_size);4%nat). +Equations register_vote {L1 : {fset Location}} {L2 : {fset Location}} {I1 : Interface} {I2 : Interface} {v_S : _} {n : both (fset []) (fset []) uint_size} {v_A : _} {impl_574521470_ : _} `{ t_Sized v_S} `{ t_Sized v_A} `{ t_Sized impl_574521470_} `{ t_Serialize v_S} `{ t_From v_S f_Scalar} `{ t_Into v_S f_Scalar} `{ t_HasActions v_A} `{ t_HasReceiveContext impl_574521470_ 'unit} (ctx : both L1 I1 impl_574521470_) (state : both L2 I2 (t_OvnContractState (both (fset []) (fset []) uint_size))) : both (L1 :|: L2 :|: fset [register_vote_state_ret_loc]) (I1 :|: I2) (t_Result (v_A × t_OvnContractState (both (fset []) (fset []) uint_size)) t_ParseError) := + register_vote ctx state := + solve_lift (run (letb '(_,out) := f_get (f_parameter_cursor ctx) in + letm[choice_typeMonad.result_bind_code t_ParseError] (params : both _ _ (t_RegisterParam v_S)) := out in + Result_Ok (letb g_pow_xi := (f_generator (ret_both (tt : 'unit))) .* (f_rp_xi params) in + letb zkp_xi := schnorr_zkp (f_rp_zkp_random params) g_pow_xi (f_rp_xi params) in + letb register_vote_state_ret loc(register_vote_state_ret_loc) := f_clone state in + letb _ := assign todo(term) in + letb _ := assign todo(term) in + Result_Ok (prod_b (f_accept (ret_both (tt : 'unit)),register_vote_state_ret))))) : both (L1 :|: L2 :|: fset [register_vote_state_ret_loc]) (I1 :|: I2) (t_Result (v_A × t_OvnContractState (both (fset []) (fset []) uint_size)) t_ParseError). +Fail Next Obligation. 
+ +Definition curr_loc {n : both (fset []) (fset []) uint_size} {v_A : _} {impl_574521470_ : _} `{ t_Sized v_A} `{ t_Sized impl_574521470_} `{ t_HasActions v_A} `{ t_HasReceiveContext impl_574521470_ 'unit} : Location := + (t_Scalar;5%nat). +Definition tally_loc {n : both (fset []) (fset []) uint_size} {v_A : _} {impl_574521470_ : _} `{ t_Sized v_A} `{ t_Sized impl_574521470_} `{ t_HasActions v_A} `{ t_HasReceiveContext impl_574521470_ 'unit} : Location := + (int32;6%nat). +Definition tally_votes_state_ret_loc {n : both (fset []) (fset []) uint_size} {v_A : _} {impl_574521470_ : _} `{ t_Sized v_A} `{ t_Sized impl_574521470_} `{ t_HasActions v_A} `{ t_HasReceiveContext impl_574521470_ 'unit} : Location := + (t_OvnContractState (both (fset []) (fset []) uint_size);7%nat). +Definition vote_result_loc {n : both (fset []) (fset []) uint_size} {v_A : _} {impl_574521470_ : _} `{ t_Sized v_A} `{ t_Sized impl_574521470_} `{ t_HasActions v_A} `{ t_HasReceiveContext impl_574521470_ 'unit} : Location := + (t_Gt;8%nat). 
+Equations tally_votes {L1 : {fset Location}} {L2 : {fset Location}} {I1 : Interface} {I2 : Interface} {n : both (fset []) (fset []) uint_size} {v_A : _} {impl_574521470_ : _} `{ t_Sized v_A} `{ t_Sized impl_574521470_} `{ t_HasActions v_A} `{ t_HasReceiveContext impl_574521470_ 'unit} (_ : both L1 I1 impl_574521470_) (state : both L2 I2 (t_OvnContractState (both (fset []) (fset []) uint_size))) : both (L1 :|: L2 :|: fset [curr_loc;tally_loc;tally_votes_state_ret_loc;vote_result_loc;prod1_loc;prod2_loc]) (I1 :|: I2) (t_Result (v_A × t_OvnContractState (both (fset []) (fset []) uint_size)) t_ParseError) := + tally_votes _ state := + letb _ := foldi_both_list (f_into_iter (Build_t_Range (f_start := ret_both (0 : uint_size)) (f_end := n))) (fun i => + ssp (fun _ => + letb g_pow_yi := compute_g_pow_yi i (f_g_pow_xis state) in + letm[choice_typeMonad.result_bind_code (t_Result (v_A × t_OvnContractState (both (fset []) (fset []) uint_size)) t_ParseError)] _ := ControlFlow_Continue (ifb not (zkp_one_out_of_two_validate g_pow_yi ((f_zkp_vis state).a[i])) + then letm[choice_typeMonad.result_bind_code (t_Result (v_A × t_OvnContractState (both (fset []) (fset []) uint_size)) t_ParseError)] hoist63 := ControlFlow_Break (Result_Err ParseError) in + ControlFlow_Continue (never_to_any hoist63) + else ()) in + solve_lift (ifb not (check_commitment ((f_g_pow_xi_yi_vis state).a[i]) ((f_commit_vis state).a[i])) + then letm[choice_typeMonad.result_bind_code (t_Result (v_A × t_OvnContractState (both (fset []) (fset []) uint_size)) t_ParseError)] hoist64 := ControlFlow_Break (Result_Err ParseError) in + ControlFlow_Continue (never_to_any hoist64) + else ()) : (both (*2*)(L2:|:fset [prod1_loc;prod2_loc]) (I2) (t_ControlFlow (t_Result (v_A × t_OvnContractState (both (fset []) (fset []) uint_size)) t_ParseError) 'unit)))) (ret_both (tt : 'unit)) in + letb vote_result loc(vote_result_loc) := f_identity (ret_both (tt : 'unit)) in + letb _ := foldi_both_list (f_into_iter (f_g_pow_xi_yi_vis 
state)) (fun g_pow_vote => + ssp (fun _ => + assign todo(term) : (both (*1*)(L2:|:fset [vote_result_loc]) (I2) 'unit))) (ret_both (tt : 'unit)) in + letb tally loc(tally_loc) := ret_both (0 : int32) in + letb curr loc(curr_loc) := f_ZERO in + letb _ := foldi_both_list (f_into_iter (Build_t_Range (f_start := ret_both (0 : int32)) (f_end := cast (B := int32) n))) (fun i => + ssp (fun _ => + letb _ := ifb ((f_generator (ret_both (tt : 'unit))) .* curr) =.? vote_result + then letb _ := assign todo(term) in + ret_both (tt : 'unit) + else () in + letb _ := assign todo(term) in + solve_lift (ret_both (tt : 'unit)) : (both (*3*)(fset [curr_loc;tally_loc;vote_result_loc]) ((fset [])) 'unit))) (ret_both (tt : 'unit)) in + letb tally_votes_state_ret loc(tally_votes_state_ret_loc) := f_clone state in + letb _ := assign todo(term) in + Result_Ok (solve_lift (prod_b (f_accept (ret_both (tt : 'unit)),tally_votes_state_ret))) : both (L1 :|: L2 :|: fset [curr_loc;tally_loc;tally_votes_state_ret_loc;vote_result_loc;prod1_loc;prod2_loc]) (I1 :|: I2) (t_Result (v_A × t_OvnContractState (both (fset []) (fset []) uint_size)) t_ParseError). +Fail Next Obligation. diff --git a/ovn/proofs/ssprove/extraction/_expected_trait.v b/ovn/proofs/ssprove/extraction/_expected_trait.v new file mode 100644 index 0000000..2690ced --- /dev/null +++ b/ovn/proofs/ssprove/extraction/_expected_trait.v 
@@ -0,0 +1,86 @@
+(* File automatically generated by Hacspec *)
+Set Warnings "-notation-overridden,-ambiguous-paths".
+From Crypt Require Import choice_type Package Prelude.
+Import PackageNotation.
+From extructures Require Import ord fset.
+From mathcomp Require Import word_ssrZ word.
+(* From Jasmin Require Import word. *)
+
+From Coq Require Import ZArith.
+From Coq Require Import Strings.String.
+Import List.ListNotations.
+Open Scope list_scope.
+Open Scope Z_scope.
+Open Scope bool_scope.
+
+From Hacspec Require Import ChoiceEquality.
+From Hacspec Require Import LocationUtility.
+From Hacspec Require Import Hacspec_Lib_Comparable.
+From Hacspec Require Import Hacspec_Lib_Pre.
+From Hacspec Require Import Hacspec_Lib.
+
+Open Scope hacspec_scope.
+Import choice.Choice.Exports.
+
+Obligation Tactic := (* try timeout 8 *) solve_ssprove_obligations.
+
+Class t_Field (v_Self : choice_type) := {
+  f_q_loc : {fset Location} ;
+  f_q : (both 'unit -> both v_Self) ;
+  f_random_field_elem_loc : {fset Location} ;
+  f_random_field_elem : (both int32 -> both v_Self) ;
+  f_field_zero_loc : {fset Location} ;
+  f_field_zero : (both 'unit -> both v_Self) ;
+  f_field_one_loc : {fset Location} ;
+  f_field_one : (both 'unit -> both v_Self) ;
+  f_add_loc : {fset Location} ;
+  f_add : (both v_Self -> both v_Self -> both v_Self) ;
+  f_sub_loc : {fset Location} ;
+  f_sub : (both v_Self -> both v_Self -> both v_Self) ;
+  f_mul_loc : {fset Location} ;
+  f_mul : (both v_Self -> both v_Self -> both v_Self) ;
+}.
+Hint Unfold f_q_loc.
+Hint Unfold f_random_field_elem_loc.
+Hint Unfold f_field_zero_loc.
+Hint Unfold f_field_one_loc.
+Hint Unfold f_add_loc.
+Hint Unfold f_sub_loc.
+Hint Unfold f_mul_loc.
+
+Class t_Group (v_Self : choice_type) := {
+  f_Z : choice_type ;
+  f_Z_t_Field :> (t_Field f_Z) ;
+  f_Z_t_Serialize :> (t_Serialize f_Z) ;
+  f_Z_t_Deserial :> (t_Deserial f_Z) ;
+  f_Z_t_Serial :> (t_Serial f_Z) ;
+  f_Z_t_Clone :> (t_Clone f_Z) ;
+  f_Z_t_Eq :> (t_Eq f_Z) ;
+  f_Z_t_PartialEq :> (t_PartialEq f_Z) ;
+  f_Z_t_Copy :> (t_Copy f_Z) ;
+  f_Z_t_Sized :> (t_Sized f_Z) ;
+  f_g_loc : {fset Location} ;
+  f_g : (both 'unit -> both v_Self) ;
+  f_g_pow_loc : {fset Location} ;
+  f_g_pow : (both f_Z -> both v_Self) ;
+  f_pow_loc : {fset Location} ;
+  f_pow : (both v_Self -> both f_Z -> both v_Self) ;
+  f_group_one_loc : {fset Location} ;
+  f_group_one : (both 'unit -> both v_Self) ;
+  f_prod_loc : {fset Location} ;
+  f_prod : (both v_Self -> both v_Self -> both v_Self) ;
+  f_inv_loc : {fset Location} ;
+  f_inv : (both v_Self -> both v_Self) ;
+  f_div_loc : {fset Location} ;
+  f_div : (both v_Self -> both v_Self -> both v_Self) ;
+  f_hash_loc : {fset Location} ;
+  f_hash : (both (t_Vec v_Self t_Global) -> both f_Z) ;
+}.
+Hint Unfold f_g_loc.
+Hint Unfold f_g_pow_loc.
+Hint Unfold f_pow_loc.
+Hint Unfold f_group_one_loc.
+Hint Unfold f_prod_loc.
+Hint Unfold f_inv_loc.
+Hint Unfold f_div_loc.
+Hint Unfold f_hash_loc.
diff --git a/ovn/src/lib.rs b/ovn/src/lib.rs
index cf056c5..018a7ce 100644
--- a/ovn/src/lib.rs
+++ b/ovn/src/lib.rs
@@ -5,10 +5,11 @@ pub mod ovn_traits;
-pub mod ovn_group;
 pub mod ovn_secp256k1;
 pub mod ovn_z_89;
+pub mod ovn_group;
-pub mod ovn_zk_z_89;
-pub mod ovn_zk_secp256k1;
-pub mod ovn_zkgroup;
+// pub mod ovn_zk_secp256k1;
+// pub mod ovn_zk_z_89;
+// pub mod ovn_zkgroup;
+// pub mod ovn_zkgroup_specific;
diff --git a/ovn/src/ovn_group.rs b/ovn/src/ovn_group.rs
index 3d9b641..4b4f88e 100644
--- a/ovn/src/ovn_group.rs
+++ b/ovn/src/ovn_group.rs
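Review bot: The four `// pub mod …` lines take `ovn_zk_secp256k1`, `ovn_zk_z_89`, `ovn_zkgroup` and the new `ovn_zkgroup_specific` out of the crate entirely, so those source files are no longer type-checked or exercised by `cargo build`/`cargo test` and are likely to drift from the `Group`/`Field` trait reshaped in this commit. Gating them behind a cargo feature (e.g. `#[cfg(feature = "zk")] pub mod ovn_zkgroup;`, name to be chosen) keeps them compilable on demand, and if they are intentionally abandoned, deleting them is clearer than commenting them out. At minimum a one-line comment saying why they are disabled would help the next person touching lib.rs.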
@@ -13,24 +13,24 @@ pub use crate::ovn_traits::*;
 ////////////////////
 #[derive(Serialize, SchemaType, Clone, Copy)]
-pub struct SchnorrZKPCommit> {
-    pub schnorr_zkp_u: G::group_type,
-    pub schnorr_zkp_c: Z::field_type,
-    pub schnorr_zkp_z: Z::field_type,
+pub struct SchnorrZKPCommit {
+    pub schnorr_zkp_u: G,
+    pub schnorr_zkp_c: G::Z,
+    pub schnorr_zkp_z: G::Z,
 }
 /** Non-interactive Schnorr proof using Fiat-Shamir heuristics (RFC 8235) */
 // https://www.rfc-editor.org/rfc/rfc8235
 // https://crypto.stanford.edu/cs355/19sp/lec5.pdf
-pub fn schnorr_zkp>(
+pub fn schnorr_zkp(
     random: u32,
-    h: G::group_type,
-    x: Z::field_type,
-) -> SchnorrZKPCommit {
-    let r = Z::random_field_elem(random);
+    h: G,
+    x: G::Z,
+) -> SchnorrZKPCommit {
+    let r = G::Z::random_field_elem(random);
     let u = G::g_pow(r);
     let c = G::hash(vec![G::g(), h, u]);
-    let z = Z::add(r, Z::mul(c, x));
+    let z = G::Z::add(r, G::Z::mul(c, x));
     return SchnorrZKPCommit {
         schnorr_zkp_u: u,
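Review bot: The Schnorr nonce on the new side is still `let r = G::Z::random_field_elem(random);` with `random: u32`, and the secp256k1 `Field` impl in this same commit builds it as `Scalar::from_literal(random as u128)`, so `r` has at most 32 bits of entropy while `z = r + c·x` is published; a Schnorr proof only hides `x` when `r` is a fresh, uniformly random full-width scalar, which this construction cannot provide. The same applies to `w`, `r1`/`r2` and `d1`/`d2` in `zkp_one_out_of_two` in the next hunk. The `/** Currently randomness needs to be injected */` comment acknowledges the injection but the function contract does not say what the injected value must be; I would add to the doc comment of `schnorr_zkp` (and `zkp_one_out_of_two`) a line such as `/// `random` is consumed as the proof nonce and must be a fresh, uniformly random field element; the u32 parameter is a placeholder for the formal model, not a production source of randomness.` so that the caveat travels with the API.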
@@ -40,46 +40,46 @@ pub fn schnorr_zkp>(
 }
 // https://crypto.stanford.edu/cs355/19sp/lec5.pdf
-pub fn schnorr_zkp_validate>(
-    h: G::group_type,
-    pi: SchnorrZKPCommit,
+pub fn schnorr_zkp_validate(
+    h: G,
+    pi: SchnorrZKPCommit,
 ) -> bool {
     pi.schnorr_zkp_c == G::hash(vec![G::g(), h, pi.schnorr_zkp_u])
         && G::g_pow(pi.schnorr_zkp_z) == G::prod(pi.schnorr_zkp_u, G::pow(h, pi.schnorr_zkp_c))
 }
 #[derive(Serialize, SchemaType, Clone, Copy)]
-pub struct OrZKPCommit> {
-    pub or_zkp_x: G::group_type,
-    pub or_zkp_y: G::group_type,
-    pub or_zkp_a1: G::group_type,
-    pub or_zkp_b1: G::group_type,
-    pub or_zkp_a2: G::group_type,
-    pub or_zkp_b2: G::group_type,
+pub struct OrZKPCommit {
+    pub or_zkp_x: G,
+    pub or_zkp_y: G,
+    pub or_zkp_a1: G,
+    pub or_zkp_b1: G,
+    pub or_zkp_a2: G,
+    pub or_zkp_b2: G,
-    pub or_zkp_c: Z::field_type,
+    pub or_zkp_c: G::Z,
-    pub or_zkp_d1: Z::field_type,
-    pub or_zkp_d2: Z::field_type,
+    pub or_zkp_d1: G::Z,
+    pub or_zkp_d2: G::Z,
-    pub or_zkp_r1: Z::field_type,
-    pub or_zkp_r2: Z::field_type,
+    pub or_zkp_r1: G::Z,
+    pub or_zkp_r2: G::Z,
 }
 /** Cramer, Damgård and Schoenmakers (CDS) technique */
-pub fn zkp_one_out_of_two>(
+pub fn zkp_one_out_of_two(
     random_w: u32,
     random_r: u32,
     random_d: u32,
-    h: G::group_type,
-    xi: Z::field_type,
+    h: G,
+    xi: G::Z,
     vi: bool,
-) -> OrZKPCommit {
-    let w = Z::random_field_elem(random_w);
+) -> OrZKPCommit {
+    let w = G::Z::random_field_elem(random_w);
     if vi {
-        let r1 = Z::random_field_elem(random_r);
-        let d1 = Z::random_field_elem(random_d);
+        let r1 = G::Z::random_field_elem(random_r);
+        let d1 = G::Z::random_field_elem(random_d);
         let x = G::g_pow(xi);
         let y = G::prod(G::pow(h, xi), G::g());
@@ -92,8 +92,8 @@ pub fn zkp_one_out_of_two>(
         let c = G::hash(vec![x, y, a1, b1, a2, b2]);
-        let d2 = Z::sub(c, d1);
-        let r2 = Z::sub(w, Z::mul(xi, d2));
+        let d2 = G::Z::sub(c, d1);
+        let r2 = G::Z::sub(w, G::Z::mul(xi, d2));
         OrZKPCommit {
             or_zkp_x: x,
@@ -109,8 +109,8 @@ pub fn zkp_one_out_of_two>(
             or_zkp_r2: r2,
         }
     } else {
-        let r2 = Z::random_field_elem(random_r);
-        let d2 = Z::random_field_elem(random_d);
+        let r2 = G::Z::random_field_elem(random_r);
+        let d2 = G::Z::random_field_elem(random_d);
         let x = G::g_pow(xi);
         let y = G::pow(h, xi);
@@ -123,8 +123,8 @@ pub fn zkp_one_out_of_two>(
         let c = G::hash(vec![x, y, a1, b1, a2, b2]);
-        let d1 = Z::sub(c, d2);
-        let r1 = Z::sub(w, Z::mul(xi, d1));
+        let d1 = G::Z::sub(c, d2);
+        let r1 = G::Z::sub(w, G::Z::mul(xi, d1));
         OrZKPCommit {
             or_zkp_x: x,
@@ -143,9 +143,9 @@ pub fn zkp_one_out_of_two>(
 }
 // Anonymous voting by two-round public discussion
-pub fn zkp_one_out_of_two_validate>(
-    h: G::group_type,
-    zkp: OrZKPCommit,
+pub fn zkp_one_out_of_two_validate(
+    h: G,
+    zkp: OrZKPCommit,
 ) -> bool {
     let c = G::hash(vec![
         zkp.or_zkp_x,
@@ -156,7 +156,7 @@ pub fn zkp_one_out_of_two_validate>(
         zkp.or_zkp_b2,
     ]);
     // TODO: add i
-    (c == Z::add(zkp.or_zkp_d1, zkp.or_zkp_d2)
+    (c == G::Z::add(zkp.or_zkp_d1, zkp.or_zkp_d2)
         && zkp.or_zkp_a1 == G::prod(G::g_pow(zkp.or_zkp_r1), G::pow(zkp.or_zkp_x, zkp.or_zkp_d1))
         && zkp.or_zkp_b1
             == G::prod(
@@ -171,13 +171,13 @@ pub fn zkp_one_out_of_two_validate>(
         ))
 }
-pub fn commit_to>(g_pow_xi_yi_vi: G::group_type) -> Z::field_type {
+pub fn commit_to(g_pow_xi_yi_vi: G) -> G::Z {
     G::hash(vec![g_pow_xi_yi_vi])
 }
-pub fn check_commitment>(
-    g_pow_xi_yi_vi: G::group_type,
-    commitment: Z::field_type,
+pub fn check_commitment(
+    g_pow_xi_yi_vi: G,
+    commitment: G::Z,
 ) -> bool {
     G::hash(vec![g_pow_xi_yi_vi]) == commitment
 }
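Review bot: The Fiat-Shamir challenge in `zkp_one_out_of_two_validate` is hashed over `zkp.or_zkp_x … zkp.or_zkp_b2` only, so `h` (the voter's `g_pow_yi`, which the verifier does use in the `G::prod(…, G::pow(…))` equations) is not part of the hashed statement, and the context line `// TODO: add i` shows the voter index is missing as well; the prover side `G::hash(vec![x, y, a1, b1, a2, b2])` in the previous hunk matches this. Strong Fiat-Shamir hashes the whole statement, which is what binds a proof to the particular `h` and slot it is checked against. If the protocol is to be changed, `h` belongs in both hash calls (`G::hash(vec![h, x, y, a1, b1, a2, b2])` on the prover side and `G::hash(vec![h, zkp.or_zkp_x, …])` here) and the extracted Coq would need regenerating; otherwise the TODO should be expanded to state that the challenge currently binds neither `h` nor the index.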
@@ -185,34 +185,36 @@ pub fn check_commitment>(
 #[hax::contract_state(contract = "OVN")]
 // #[cfg_attr(not(feature = "hax_compilation"), contract_state(contract = "OVN"))]
 #[derive(Serialize, SchemaType, Clone, Copy)]
-pub struct OvnContractState, const n: usize> {
-    pub g_pow_xis: [G::group_type; n],
-    pub zkp_xis: [SchnorrZKPCommit; n],
+pub struct OvnContractState {
+    pub g_pow_xis: [G; n],
+    pub zkp_xis: [SchnorrZKPCommit; n],
-    pub commit_vis: [Z::field_type; n],
+    pub commit_vis: [G::Z; n],
-    pub g_pow_xi_yi_vis: [G::group_type; n],
-    pub zkp_vis: [OrZKPCommit; n],
+    pub g_pow_xi_yi_vis: [G; n],
+    pub zkp_vis: [OrZKPCommit; n],
     pub tally: u32,
+
+    pub round1 : [bool; n],
 }
 #[hax::init(contract = "OVN")]
 // #[cfg_attr(not(feature = "hax_compilation"), init(contract = "OVN"))]
-pub fn init_ovn_contract, const n: usize>(// _: &impl HasInitContext,
-) -> InitResult> {
-    Ok(OvnContractState:: {
+pub fn init_ovn_contract(// _: &impl HasInitContext,
+) -> InitResult> {
+    Ok(OvnContractState:: {
         g_pow_xis: [G::group_one(); n],
-        zkp_xis: [SchnorrZKPCommit:: {
+        zkp_xis: [SchnorrZKPCommit:: {
             schnorr_zkp_u: G::group_one(),
-            schnorr_zkp_z: Z::field_zero(),
-            schnorr_zkp_c: Z::field_zero(),
+            schnorr_zkp_z: G::Z::field_zero(),
+            schnorr_zkp_c: G::Z::field_zero(),
         }; n],
-        commit_vis: [Z::field_zero(); n],
+        commit_vis: [G::Z::field_zero(); n],
         g_pow_xi_yi_vis: [G::group_one(); n],
-        zkp_vis: [OrZKPCommit:: {
+        zkp_vis: [OrZKPCommit:: {
             or_zkp_x: G::group_one(),
             or_zkp_y: G::group_one(),
             or_zkp_a1: G::group_one(),
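Review bot: The new field `pub round1 : [bool; n],` is the only undocumented member whose meaning is not evident from its type, and it is the one other entry points now depend on; a doc comment such as `/// True once slot i has registered in round 1 (set by register_vote, required by commit_to_vote).` states the invariant the flag is meant to carry. The space before the colon also departs from rustfmt (`pub round1: [bool; n],`), which the rest of the struct follows.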
@@ -220,64 +222,67 @@ pub fn init_ovn_contract, const n: usize>(// _: &impl Ha
             or_zkp_a2: G::group_one(),
             or_zkp_b2: G::group_one(),
-            or_zkp_c: Z::field_zero(),
+            or_zkp_c: G::Z::field_zero(),
-            or_zkp_d1: Z::field_zero(),
-            or_zkp_d2: Z::field_zero(),
+            or_zkp_d1: G::Z::field_zero(),
+            or_zkp_d2: G::Z::field_zero(),
-            or_zkp_r1: Z::field_zero(),
-            or_zkp_r2: Z::field_zero(),
+            or_zkp_r1: G::Z::field_zero(),
+            or_zkp_r2: G::Z::field_zero(),
         }; n],
         tally: 0,
-    })
+
+        round1: [false; n],
+    })
 }
 /** Currently randomness needs to be injected */
-pub fn select_private_voting_key(random: u32) -> Z::field_type {
+pub fn select_private_voting_key(random: u32) -> Z {
     Z::random_field_elem(random)
 }
 #[derive(Serialize, SchemaType)]
-pub struct RegisterParam {
+pub struct RegisterParam {
     pub rp_i: u32,
-    pub rp_xi: Z::field_type,
+    pub rp_xi: Z,
     pub rp_zkp_random: u32,
 }
 /** Primary function in round 1 */
 #[hax::receive(contract = "OVN", name = "register", parameter = "RegisterParam")]
 // #[cfg_attr(not(feature = "hax_compilation"), receive(contract = "OVN", name = "register", parameter = "RegisterParam"))]
-pub fn register_vote, const n: usize, A: HasActions>(
+pub fn register_vote(
     ctx: impl HasReceiveContext,
-    state: OvnContractState,
-) -> Result<(A, OvnContractState), ParseError> {
-    let params: RegisterParam = ctx.parameter_cursor().get()?;
+    state: OvnContractState,
+) -> Result<(A, OvnContractState), ParseError> {
+    let params: RegisterParam = ctx.parameter_cursor().get()?;
     let g_pow_xi = G::g_pow(params.rp_xi);
-    let zkp_xi = schnorr_zkp::(params.rp_zkp_random, g_pow_xi, params.rp_xi);
+    let zkp_xi = schnorr_zkp::(params.rp_zkp_random, g_pow_xi, params.rp_xi);
     let mut register_vote_state_ret = state.clone();
     register_vote_state_ret.g_pow_xis[params.rp_i as usize] = g_pow_xi;
     register_vote_state_ret.zkp_xis[params.rp_i as usize] = zkp_xi;
+    register_vote_state_ret.round1[params.rp_i as usize] = true;
     Ok((A::accept(), register_vote_state_ret))
 }
 #[derive(Serialize, SchemaType)]
-pub struct CastVoteParam {
+pub struct CastVoteParam {
     pub cvp_i: u32,
-    pub cvp_xi: Z::field_type,
+    pub cvp_xi: Z,
     pub cvp_zkp_random_w: u32,
     pub cvp_zkp_random_r: u32,
     pub cvp_zkp_random_d: u32,
     pub cvp_vote: bool,
 }
-pub fn compute_g_pow_yi, const n: usize>(
+pub fn compute_g_pow_yi(
     i: usize,
-    xis: [G::group_type; n],
-) -> G::group_type {
+    xis: [G; n],
+) -> G {
     let mut prod1 = G::group_one();
     for j in 0..i {
         prod1 = G::prod(prod1, xis[j]);
@@ -293,17 +298,17 @@ pub fn compute_g_pow_yi, const n: usize>(
     g_pow_yi
 }
-pub fn compute_group_element_for_vote>(
-    xi: Z::field_type,
+pub fn compute_group_element_for_vote(
+    xi: G::Z,
     vote: bool,
-    g_pow_yi: G::group_type,
-) -> G::group_type {
+    g_pow_yi: G,
+) -> G {
     G::prod(
         G::pow(g_pow_yi, xi),
         G::g_pow(if vote {
-            Z::field_one()
+            G::Z::field_one()
         } else {
-            Z::field_zero()
+            G::Z::field_zero()
         }),
     )
 }
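Review bot: `register_vote` indexes `g_pow_xis`, `zkp_xis` and the new `round1` array with `params.rp_i as usize` without comparing it to `n`, so a parameter with `rp_i >= n` panics with an index-out-of-bounds instead of returning `Err(ParseError {})`; the same unchecked `params.cvp_i as usize` index appears in `commit_to_vote` and `cast_vote` in the two following hunks. The new `round1[rp_i] = true` is also written unconditionally, so a second `register` call naming an already-registered slot silently replaces that slot's `g_pow_xis`/`zkp_xis` entry, which the flag looks intended to rule out. One guard at the top of the function covers both: `if params.rp_i as usize >= n || state.round1[params.rp_i as usize] { return Err(ParseError {}); }`. Whether a slot is tied to the calling account is not visible here.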
@@ -311,22 +316,22 @@ pub fn compute_group_element_for_vote>(
 /** Commitment before round 2 */
 #[hax::receive(contract = "OVN", name = "commit_to_vote", parameter = "CastVoteParam")]
 // #[cfg_attr(not(feature = "hax_compilation"), receive(contract = "OVN", name = "commit_to_vote", parameter = "CastVoteParam"))]
-pub fn commit_to_vote, const n: usize, A: HasActions>(
+pub fn commit_to_vote(
     ctx: impl HasReceiveContext,
-    state: OvnContractState,
-) -> Result<(A, OvnContractState), ParseError> {
-    let params: CastVoteParam = ctx.parameter_cursor().get()?;
+    state: OvnContractState,
+) -> Result<(A, OvnContractState), ParseError> {
+    let params: CastVoteParam = ctx.parameter_cursor().get()?;
     for i in 0..n {
-        if !schnorr_zkp_validate(state.g_pow_xis[i], state.zkp_xis[i]) {
+        if !schnorr_zkp_validate(state.g_pow_xis[i], state.zkp_xis[i]) || !state.round1[i] {
             return Err(ParseError {});
         }
     }
-    let g_pow_yi = compute_g_pow_yi::(params.cvp_i as usize, state.g_pow_xis);
+    let g_pow_yi = compute_g_pow_yi::(params.cvp_i as usize, state.g_pow_xis);
     let g_pow_xi_yi_vi =
-        compute_group_element_for_vote::(params.cvp_xi, params.cvp_vote, g_pow_yi);
-    let commit_vi = commit_to::(g_pow_xi_yi_vi);
+        compute_group_element_for_vote::(params.cvp_xi, params.cvp_vote, g_pow_yi);
+    let commit_vi = commit_to::(g_pow_xi_yi_vi);
     let mut commit_to_vote_state_ret = state.clone();
     commit_to_vote_state_ret.commit_vis[params.cvp_i as usize] = commit_vi;
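Review bot: In the new loop guard `!schnorr_zkp_validate(state.g_pow_xis[i], state.zkp_xis[i]) || !state.round1[i]` the cheap flag is evaluated last, so an unregistered slot still pays for a hash and two exponentiations on the `group_one()` placeholders that `init_ovn_contract` fills in before it is rejected; `if !state.round1[i] || !schnorr_zkp_validate(state.g_pow_xis[i], state.zkp_xis[i]) {` returns the same result and short-circuits. The loop also deserves a one-line why-comment, since it is the point where the all-registered precondition of round 2 is enforced: `// Round 2 requires every slot to have registered with a valid Schnorr proof.` The rest of `commit_to_vote` is outside the hunk.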
@@ -336,17 +341,17 @@ pub fn commit_to_vote, const n: usize, A: HasActions>(
 /** Primary function in round 2, also opens commitment */
 #[hax::receive(contract = "OVN", name = "cast_vote", parameter = "CastVoteParam")]
 // #[cfg_attr(not(feature = "hax_compilation"), receive(contract = "OVN", name = "cast_vote", parameter = "CastVoteParam"))]
-pub fn cast_vote, const n: usize, A: HasActions>(
+pub fn cast_vote(
     ctx: impl HasReceiveContext,
-    state: OvnContractState,
-) -> Result<(A, OvnContractState), ParseError> {
-    let params: CastVoteParam = ctx.parameter_cursor().get()?;
+    state: OvnContractState,
+) -> Result<(A, OvnContractState), ParseError> {
+    let params: CastVoteParam = ctx.parameter_cursor().get()?;
-    let g_pow_yi = compute_g_pow_yi::(params.cvp_i as usize, state.g_pow_xis);
+    let g_pow_yi = compute_g_pow_yi::(params.cvp_i as usize, state.g_pow_xis);
     let g_pow_xi_yi_vi =
-        compute_group_element_for_vote::(params.cvp_xi, params.cvp_vote, g_pow_yi);
+        compute_group_element_for_vote::(params.cvp_xi, params.cvp_vote, g_pow_yi);
-    let zkp_vi = zkp_one_out_of_two::(
+    let zkp_vi = zkp_one_out_of_two::(
         params.cvp_zkp_random_w,
         params.cvp_zkp_random_r,
         params.cvp_zkp_random_d,
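Review bot: `cast_vote` recomputes `g_pow_yi` and `g_pow_xi_yi_vi` from the caller's parameters but, unlike `commit_to_vote`, runs no `round1`/`schnorr_zkp_validate` pass first, and since the function body continues past the hunk it is not visible here whether the recomputed `g_pow_xi_yi_vi` is compared with `state.commit_vis[params.cvp_i as usize]` before the vote is stored. `tally_votes` does run `check_commitment` over every slot later, but rejecting a mismatching opening at cast time, e.g. `if !check_commitment(g_pow_xi_yi_vi, state.commit_vis[params.cvp_i as usize]) { return Err(ParseError {}); }`, reports the error to the voter immediately instead of letting the whole tally fail later. The doc comment `/** Primary function in round 2, also opens commitment */` should then say what "opens" guarantees, i.e. that the stored vote element is checked against the earlier commitment.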
@@ -367,16 +372,16 @@ pub struct TallyParameter {}
 #[hax::receive(contract = "OVN", name = "tally", parameter = "TallyParameter")]
 // #[cfg_attr(not(feature = "hax_compilation"), receive(contract = "OVN", name = "tally", parameter = "TallyParameter"))]
 /** Anyone can tally the votes */
-pub fn tally_votes, const n: usize, A: HasActions>(
+pub fn tally_votes(
     _: impl HasReceiveContext,
-    state: OvnContractState,
-) -> Result<(A, OvnContractState), ParseError> {
+    state: OvnContractState,
+) -> Result<(A, OvnContractState), ParseError> {
     for i in 0..n {
-        let g_pow_yi = compute_g_pow_yi::(i as usize, state.g_pow_xis);
-        if !zkp_one_out_of_two_validate::(g_pow_yi, state.zkp_vis[i]) {
+        let g_pow_yi = compute_g_pow_yi::(i as usize, state.g_pow_xis);
+        if !zkp_one_out_of_two_validate::(g_pow_yi, state.zkp_vis[i]) {
             return Err(ParseError {});
         }
-        if !check_commitment::(state.g_pow_xi_yi_vis[i], state.commit_vis[i]) {
+        if !check_commitment::(state.g_pow_xi_yi_vis[i], state.commit_vis[i]) {
             return Err(ParseError {});
         }
     }
@@ -387,14 +392,14 @@ pub fn tally_votes, const n: usize, A: HasActions>(
     }
     let mut tally = 0;
-    let mut curr = Z::field_zero();
+    let mut curr = G::Z::field_zero();
     for i in 0..n as u32 {
         // Should be while, but is bounded by n anyways!
         if G::g_pow(curr) == vote_result {
             tally = i;
         }
-        curr = Z::add(curr, Z::field_one());
+        curr = G::Z::add(curr, G::Z::field_one());
     }
     let mut tally_votes_state_ret = state.clone();
diff --git a/ovn/src/ovn_secp256k1.rs b/ovn/src/ovn_secp256k1.rs
index 28379d7..b6da6a3 100644
--- a/ovn/src/ovn_secp256k1.rs
+++ b/ovn/src/ovn_secp256k1.rs
@@ -16,9 +16,9 @@ use hacspec_concordium_derive::*;
 pub use crate::ovn_traits::*;
 // // pub use create::ovn_traits::*;
-// use create::Z_Field;
+// use create::Field;
 // use create::Group;
-// use create::Z_Field;
+// use create::Field;
 use hacspec_lib::*;
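Review bot: The discrete-log search in the second hunk, `for i in 0..n as u32 { if G::g_pow(curr) == vote_result { tally = i; } … }`, only tries exponents `0 … n-1` because `curr` starts at `field_zero()` and is incremented after each test, so when all `n` voters vote yes and `vote_result` equals `g` raised to `n` nothing matches and `tally` is left at `0` — a silently wrong result for the one unanimous case. The range needs to be inclusive: `for i in 0..=n as u32 {`. Since the context comment `// Should be while, but is bounded by n anyways!` already says the loop is meant to stop at the first match, a `break;` after `tally = i;` would make that explicit and avoid the remaining exponentiations. The computation of `vote_result` lies outside the hunk.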
@@ -34,63 +34,61 @@ pub struct Z_curve {
 }
 impl hacspec_concordium::Deserial for Z_curve {
-    // TODO:
-    fn deserial(_source: &mut R) -> ParseResult {
-        let buffer: &mut [u8] = &mut [];
-        let _ = _source.read(buffer)?;
+    fn deserial(source: &mut R) -> ParseResult {
+        let temp : Vec = source.get()?;
         Ok(Z_curve {
-            val: Scalar::from_public_byte_seq_be(Seq::::from_native_slice(buffer)),
+            val: Scalar::from_public_byte_seq_be(Seq::::from_vec(temp)),
         })
     }
 }
 impl hacspec_concordium::Serial for Z_curve {
-    // TODO:
-    fn serial(&self, _out: &mut W) -> Result<(), W::Err> {
-        let _ = _out.write(self.val.to_public_byte_seq_be().native_slice());
-        Ok(())
+    fn serial(&self, out: &mut W) -> Result<(), W::Err> {
+        let mut v : Vec = Vec::new();
+        for x in self.val.to_public_byte_seq_be().native_slice() {
+            v.push(x.clone());
+        }
+        v.serial(out)
     }
 }
-impl Z_Field for Z_curve {
-    type field_type = Z_curve;
-
-    fn q() -> Self::field_type {
+impl Field for Z_curve {
+    fn q() -> Self {
         Z_curve {
             val: Scalar::from_hex(
                 "0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141",
             ),
-        } // TODO: Scalar::modulo_value;
+        }
     }
-    fn random_field_elem(random: u32) -> Self::field_type {
+    fn random_field_elem(random: u32) -> Self {
         Z_curve {
             val: Scalar::from_literal(random as u128),
         }
     }
-    fn field_zero() -> Self::field_type {
+    fn field_zero() -> Self {
         Z_curve {
             val: Scalar::from_literal(0u128),
         } // Scalar::ZERO()
     }
-    fn field_one() -> Self::field_type {
+    fn field_one() -> Self {
         Z_curve {
             val: Scalar::from_literal(1u128),
         } // Scalar::ONE()
     }
-    fn add(x: Self::field_type, y: Self::field_type) -> Self::field_type {
+    fn add(x: Self, y: Self) -> Self {
         Z_curve { val: x.val + y.val }
     }
-    fn sub(x: Self::field_type, y: Self::field_type) -> Self::field_type {
+    fn sub(x: Self, y: Self) -> Self {
         Z_curve { val: x.val - y.val }
     }
-    fn mul(x: Self::field_type, y: Self::field_type) -> Self::field_type {
+    fn mul(x: Self, y: Self) -> Self {
         Z_curve { val: x.val * y.val }
     }
 }
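Review bot: `Z_curve::deserial` now reads a length-prefixed `Vec` of bytes (its element type is stripped in this rendering) straight from the contract parameter and hands it to `Scalar::from_public_byte_seq_be(Seq::from_vec(temp))` without checking `temp.len()`; the parameter bytes are caller-controlled, and a wrong-length sequence presumably panics inside the hacspec conversion rather than surfacing as a `ParseError` — worth confirming and guarding with an explicit length check before the conversion, which is also where a non-canonical encoding (a value not below `q()`) could be rejected instead of accepted as-is. The `Group_curve::deserial` in the following hunk has the same shape for `vx`/`vy`, and additionally builds `Point::Affine` from the two coordinates without any check that the decoded point lies on the curve, so the same validation-at-the-boundary comment applies there. On the `serial` side, the push loop can be written as `self.val.to_public_byte_seq_be().native_slice().to_vec()`, which reads as the intent (copy the bytes) rather than a manual loop.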
@@ -101,47 +99,55 @@ pub struct Group_curve { } impl hacspec_concordium::Deserial for Group_curve { - // TODO: - fn deserial(_source: &mut R) -> ParseResult { - let buffer: &mut [u8] = &mut []; - let _ = _source.read(buffer)?; - if let [0] = buffer { - return Ok(Group_curve { - val: Point::AtInfinity, - }); + fn deserial(source: &mut R) -> ParseResult { + let b : bool = source.get()?; + if b { + let vx : Vec = source.get()?; + let vy : Vec = source.get()?; + + Ok(Group_curve { + val: Point::Affine(( + FieldElement::from_public_byte_seq_be(Seq::::from_vec(vx)), + FieldElement::from_public_byte_seq_be(Seq::::from_vec(vy)), + )), + }) + } else { + Ok(Group_curve { val: Point::AtInfinity }) } - - let buffer_y: &mut [u8] = &mut []; - let _ = _source.read(buffer_y)?; - - Ok(Group_curve { - val: Point::Affine(( - FieldElement::from_public_byte_seq_be(Seq::::from_native_slice(buffer)), - FieldElement::from_public_byte_seq_be(Seq::::from_native_slice(buffer_y)), - )), - }) } } impl hacspec_concordium::Serial for Group_curve { - // TODO: - fn serial(&self, _out: &mut W) -> Result<(), W::Err> { + fn serial(&self, out: &mut W) -> Result<(), W::Err> { match self.val { Point::Affine(p) => { - _out.write(x(p).to_public_byte_seq_be().native_slice()); - _out.write(y(p).to_public_byte_seq_be().native_slice()) + true.serial(out)?; + + let mut vx : Vec = Vec::new(); + for x in x(p).to_public_byte_seq_be().native_slice() { + vx.push(x.clone()); + } + let _ = vx.serial(out)?; + + let mut vy : Vec = Vec::new(); + for y in y(p).to_public_byte_seq_be().native_slice() { + vy.push(y.clone()); + } + let _ = vy.serial(out)?; } - Point::AtInfinity => _out.write(&[0]), + Point::AtInfinity => { + let _ = false.serial(out)?; + }, }; Ok(()) } } -impl Group for Group_curve { - type group_type = Group_curve; +impl Group for Group_curve { + type Z = Z_curve; // https://eips.ethereum.org/EIPS/eip-2333 - fn g() -> Self::group_type { + fn g() -> Self { #[rustfmt::skip] let gx = PBytes32([ 0x79u8, 0xBEu8, 
0x66u8, 0x7Eu8, 0xF9u8, 0xDCu8, 0xBBu8, 0xACu8, @@ -162,45 +168,45 @@ impl Group for Group_curve { FieldElement::from_public_byte_seq_be(gy), )), } - } // TODO + } - fn pow(g: Self::group_type, x: ::field_type) -> Self::group_type { + fn pow(g: Self, x: Z_curve) -> Self { Group_curve { val: point_mul(x.val, g.val), } } - fn g_pow(x: ::field_type) -> Self::group_type { + fn g_pow(x: Z_curve) -> Self { Group_curve { val: point_mul_base(x.val), } // Self::pow(Self::g(), x) } - fn group_one() -> Self::group_type { - Self::g_pow(::field_zero()) + fn group_one() -> Self { + Self::g_pow(::field_zero()) } - fn prod(x: Self::group_type, y: Self::group_type) -> Self::group_type { + fn prod(x: Self, y: Self) -> Self { Group_curve { val: point_add(x.val, y.val), } } - fn inv(x: Self::group_type) -> Self::group_type { + fn inv(x: Self) -> Self { Group_curve { val: match x.val { Point::Affine((a, b)) => Point::Affine((a, FieldElement::from_literal(0u128) - b)), - Point::AtInfinity => Point::AtInfinity, // TODO? + Point::AtInfinity => Point::AtInfinity, }, } } - fn div(x: Self::group_type, y: Self::group_type) -> Self::group_type { + fn div(x: Self, y: Self) -> Self { Self::prod(x, Self::inv(y)) } - fn hash(x: Vec) -> ::field_type { + fn hash(x: Vec) -> Z_curve { // fp_hash_to_field Z_curve::field_one() // TODO: bls12-381 hash to curve? } diff --git a/ovn/src/ovn_traits.rs b/ovn/src/ovn_traits.rs index cee0a93..46e1853 100644 --- a/ovn/src/ovn_traits.rs +++ b/ovn/src/ovn_traits.rs 
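Review bot: `Group_curve::deserial` builds `Point::Affine((x, y))` from two caller-supplied byte vectors without checking that each has the expected length or that `(x, y)` is on the curve, so an invalid point read from a contract parameter flows unchecked into `point_mul`/`point_add` in the `Group` impl below. Add a length check on `vx` and `vy` and an on-curve check before returning, mapping failure to `Err(ParseError {})`; the hacspec curve module presumably exposes such a predicate, otherwise evaluate `y² == x³ + 7` over `FieldElement` here. The `let _ = vx.serial(out)?;` lines in `serial` discard a `()`; plain `vx.serial(out)?;` reads better and matches `true.serial(out)?;` just above.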
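Review bot: `Group_curve::hash` in the hunk at -162 still returns the constant `Z_curve::field_one()`, so every Fiat–Shamir challenge derived through this `Group` impl is fixed and any Schnorr or CDS proof checked against it is not sound; the commit changes the signature but keeps the stub. Until a real hash-to-field is in place, the doc comment should say so where it cannot be missed, e.g. `/// STUB: returns a constant challenge; proofs built on this group are not sound. Test use only.`. `group_one()` reaching the identity through `g_pow(field_zero())` is also a roundabout way to write `Group_curve { val: Point::AtInfinity }`.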
@@ -10,40 +10,39 @@ use hax_lib_macros::*; #[exclude] use hacspec_concordium::*; -#[exclude] -use hacspec_concordium_derive::*; + //////////// // Traits // //////////// -pub trait Z_Field: core::marker::Copy { - type field_type: PartialEq + Eq + Clone + Copy + hacspec_concordium::Serialize; +/** Interface for field implementation */ +pub trait Field: core::marker::Copy + PartialEq + Eq + Clone + Copy + hacspec_concordium::Serialize { + fn q() -> Self; - fn q() -> Self::field_type; + fn random_field_elem(random: u32) -> Self; - fn random_field_elem(random: u32) -> Self::field_type; + fn field_zero() -> Self; + fn field_one() -> Self; - fn field_zero() -> Self::field_type; - fn field_one() -> Self::field_type; - - fn add(x: Self::field_type, y: Self::field_type) -> Self::field_type; - fn sub(x: Self::field_type, y: Self::field_type) -> Self::field_type; - fn mul(x: Self::field_type, y: Self::field_type) -> Self::field_type; + fn add(x: Self, y: Self) -> Self; + fn sub(x: Self, y: Self) -> Self; + fn mul(x: Self, y: Self) -> Self; } /** Interface for group implementation */ -pub trait Group: core::marker::Copy { - type group_type: PartialEq + Eq + Clone + Copy + hacspec_concordium::Serialize; +pub trait Group: core::marker::Copy + PartialEq + Eq + Clone + Copy + hacspec_concordium::Serialize { + type Z : Field; - fn g() -> Self::group_type; // Generator (elemnent of group) + fn g() -> Self; // Generator (elemnent of group) - fn g_pow(x: Z::field_type) -> Self::group_type; - fn pow(g: Self::group_type, x: Z::field_type) -> Self::group_type; // TODO: Link with q - fn group_one() -> Self::group_type; - fn prod(x: Self::group_type, y: Self::group_type) -> Self::group_type; - fn inv(x: Self::group_type) -> Self::group_type; - fn div(x: Self::group_type, y: Self::group_type) -> Self::group_type; + fn g_pow(x: Self::Z) -> Self; + fn pow(g: Self, x: Self::Z) -> Self; // TODO: Link with q + fn group_one() -> Self; + fn prod(x: Self, y: Self) -> Self; + fn inv(x: Self) -> Self; 
+ fn div(x: Self, y: Self) -> Self; - fn hash(x: Vec) -> Z::field_type; + fn hash(x: Vec) -> Self::Z; } + diff --git a/ovn/src/ovn_z_89.rs b/ovn/src/ovn_z_89.rs index cb22b6d..2fd59ee 100644 --- a/ovn/src/ovn_z_89.rs +++ b/ovn/src/ovn_z_89.rs 
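Review bot: The new `Field` supertrait list `core::marker::Copy + PartialEq + Eq + Clone + Copy + …` repeats `Copy` and also spells out `Clone` and `PartialEq`, which `Copy` and `Eq` already imply; `pub trait Field: Copy + Eq + hacspec_concordium::Serialize` is equivalent, and the same trimming applies to `Group` below it. `q()` now returns `Self`, i.e. the modulus is carried as an element of the field it defines; that only works because the implementations on this page read a raw `.val` back out, and the trait should state that contract, e.g. `/// The modulus, carried as a raw value; not a valid field element.`. `random_field_elem` also deserves a doc line noting that its `u32` argument bounds the result to at most 2^32 distinct values regardless of the field size. The comment `Generator (elemnent of group)` on `g()` has a typo.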
@@ -16,95 +16,134 @@ use hacspec_concordium_derive::*; pub use crate::ovn_traits::*; // // pub use create::ovn_traits::*; -// use create::Z_Field; +// use create::Field; // use create::Group; -// use create::Z_Field; +// use create::Field; //////////////////// // Impl for Z/89Z // //////////////////// -#[derive(Clone, Copy)] -pub struct z_89 {} -impl Z_Field for z_89 { - type field_type = u32; - fn q() -> Self::field_type { - 89u32 +#[derive(Clone, Copy, PartialEq, Eq, hacspec_concordium::Serial, hacspec_concordium::Deserial)] +pub struct z_89 { val : u8 } + +// impl hacspec_concordium::Deserial for z_89 { +// // TODO: +// fn deserial(source: &mut R) -> ParseResult { +// let v : u8 = source.get()?; +// Ok(z_89 { +// val: v, +// }) +// } +// } + +// impl hacspec_concordium::Serial for z_89 { +// // TODO: +// fn serial(&self, out: &mut W) -> Result<(), W::Err> { +// self.val.serial(out) +// } +// } + +impl Field for z_89 { + fn q() -> Self { + z_89{ val: 89u8} } // Prime order - fn random_field_elem(random: u32) -> Self::field_type { - random % (Self::q() - 1) + fn random_field_elem(random: u32) -> Self { + z_89{ val: random as u8 % (Self::q().val - 1) } } - fn field_zero() -> Self::field_type { - 0u32 + fn field_zero() -> Self { + z_89{ val: 0u8 } } - fn field_one() -> Self::field_type { - 1u32 + fn field_one() -> Self { + z_89{ val: 1u8 } } - fn add(x: Self::field_type, y: Self::field_type) -> Self::field_type { - (x + y) % (Self::q() - 1) + fn add(x: Self, y: Self) -> Self { + z_89{ val: (x.val + y.val) % (Self::q().val - 1) } } - fn sub(x: Self::field_type, y: Self::field_type) -> Self::field_type { - (x + (Self::q() - 1) - y) % (Self::q() - 1) + fn sub(x: Self, y: Self) -> Self { + z_89{ val: (x.val + (Self::q().val - 1) - y.val) % (Self::q().val - 1) } } - fn mul(x: Self::field_type, y: Self::field_type) -> Self::field_type { - (x * y) % (Self::q() - 1) + fn mul(x: Self, y: Self) -> Self { + z_89{ val: (((x.val as u16) * (y.val as u16)) % ((Self::q().val - 1) 
as u16)) as u8 } } } -#[derive(Clone, Copy)] -pub struct g_z_89 {} -impl Group for g_z_89 { - type group_type = u32; - - fn g() -> Self::group_type { - 3u32 +#[derive(Clone, Copy, PartialEq, Eq, hacspec_concordium::Serial, hacspec_concordium::Deserial)] +pub struct g_z_89 { val : u8 } + +// impl hacspec_concordium::Deserial for g_z_89 { +// // TODO: +// fn deserial(source: &mut R) -> ParseResult { +// let v : u8 = source.get()?; + +// Ok(g_z_89 { +// val: v, +// }) +// } +// } + +// impl hacspec_concordium::Serial for g_z_89 { +// // TODO: +// fn serial(&self, out: &mut W) -> Result<(), W::Err> { +// self.val.serial(out) +// } +// } + + +impl Group for g_z_89 { + type Z = z_89; + + fn g() -> Self { + g_z_89 { val: 3u8 } } // Generator (elemnent of group) - fn hash(x: Vec) -> ::field_type { + fn hash(x: Vec) -> z_89 { let mut res = z_89::field_one(); for y in x { - res = z_89::mul(y, res); + res = z_89::mul(z_89{val: y.val}, res); } res // TODO } - fn g_pow(x: ::field_type) -> Self::group_type { + fn g_pow(x: z_89) -> Self { Self::pow(Self::g(), x) } // TODO: use repeated squaring instead! 
- fn pow(g: Self::group_type, x: ::field_type) -> Self::group_type { + fn pow(g: Self, x: z_89) -> Self { let mut result = Self::group_one(); - for i in 0..(x % (z_89::q() - 1)) { + for _ in 0..(x.val % (z_89::q().val - 1)) { result = Self::prod(result, g); } result } - fn group_one() -> Self::group_type { - 1 + fn group_one() -> Self { + g_z_89 { val: 1 } } - fn prod(x: Self::group_type, y: Self::group_type) -> Self::group_type { - ((x % z_89::q()) * (y % z_89::q())) % z_89::q() + fn prod(x: Self, y: Self) -> Self { + let q_val = z_89::q().val; + g_z_89 { val: ((((x.val % q_val) as u16) * ((y.val % q_val) as u16)) % (q_val as u16)) as u8 } } - fn inv(x: Self::group_type) -> Self::group_type { + fn inv(x: Self) -> Self { for j in 0..89 { - if Self::prod(x, j) == Self::group_one() { - return j; + let value = g_z_89 {val: j}; + if Self::prod(x, value) == Self::group_one() { + return value; } } assert!(false); return x; } - fn div(x: Self::group_type, y: Self::group_type) -> Self::group_type { + fn div(x: Self, y: Self) -> Self { Self::prod(x, Self::inv(y)) } } diff --git a/ovn/src/ovn_zk_secp256k1.rs b/ovn/src/ovn_zk_secp256k1.rs index fc47c43..3e58993 100644 --- a/ovn/src/ovn_zk_secp256k1.rs +++ b/ovn/src/ovn_zk_secp256k1.rs @@ -6,14 +6,14 @@ use hacspec_concordium::*; #[exclude] use hacspec_concordium_derive::*; -pub use group::{ff::Field, Group}; pub use crate::ovn_zkgroup::*; +pub use group::{ff::Field, Group}; use hacspec_bip_340::{GroupTrait::*, Point, *}; impl MGroup for Point { fn hash(inp: Vec) -> Self::Scalar { - return Self::Scalar::ONE // TODO + return Self::Scalar::ONE; // TODO } } @@ -21,7 +21,7 @@ use bls12_381::*; impl MGroup for Gt { fn hash(inp: Vec) -> Self::Scalar { - return Self::Scalar::ONE // TODO + return Self::Scalar::ONE; // TODO } } // hacspec_concordium::Serial + hacspec_concordium::Deserial, diff --git a/ovn/src/ovn_zkgroup.rs b/ovn/src/ovn_zkgroup.rs index 067a8ec..4f253ae 100644 --- a/ovn/src/ovn_zkgroup.rs +++ b/ovn/src/ovn_zkgroup.rs 
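Review bot: The derived `Deserial` on `z_89` and `g_z_89` accepts any `u8`, so out-of-range values (a `z_89` of 88 or more, a `g_z_89` of 0 or 89 and above) enter from contract parameters; `g_z_89::inv` then reaches `assert!(false)` for `val: 0` because no `j` in `0..89` satisfies `prod(x, j) == group_one()`, and `Field::add`'s `x.val + y.val` can overflow `u8` for large inputs, both panics rather than a `ParseError`. Either keep a hand-written `deserial` that rejects such values (`if v == 0 || v >= 89 { return Err(ParseError {}); }` for the group, `v >= 88` for the exponents), or make `inv` return `Result`; the `assert!(false); return x;` tail would then become `unreachable!()`. `random_field_elem` truncates with `random as u8` before reducing, so `(random % 88) as u8` would keep more of the input. `pow` still loops `x.val` times as the TODO says; bounded below 88 here, but square-and-multiply would be the right shape.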
@@ -10,28 +10,16 @@ use group::{ ff::{Field, PrimeField}, Group, }; -use rand_core::RngCore; - -pub trait MGroup: Group { - fn pow(p: Self, exp: Self::Scalar) -> Self { - p * exp - } - - fn g_pow(n: Self::Scalar) -> Self { - Self::generator() * n - } +pub trait MGroup : Group { fn hash(inp: Vec) -> Self::Scalar; - fn div(x: Self, y: Self) -> Self { - x - y - } } //////////////////// // Implementation // //////////////////// -#[derive(SchemaType, Clone, Copy)] +#[derive(SchemaType)] // , Clone, Copy pub struct SchnorrZKPCommit { pub schnorr_zkp_u: G, pub schnorr_zkp_c: G::Scalar, @@ -46,7 +34,7 @@ pub fn schnorr_zkp( h: G, x: G::Scalar, ) -> SchnorrZKPCommit { - let u = G::g_pow(r); + let u = G::generator() * r; // g ^ r let c = G::hash(vec![G::generator(), h, u]); let z = r + (c * x); 
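Review bot: `MGroup` is now reduced to a single required `hash` method with no documentation of what implementers must provide, and the two implementations in ovn_zk_secp256k1.rs on this page return the constant `Self::Scalar::ONE`. The trait doc should spell out the contract so a stub cannot pass review silently, e.g. `/// Fiat–Shamir challenge derivation: must be a collision-resistant hash of the encoded inputs, domain-separated per proof. A constant or input-independent result makes every proof in this module forgeable.`. Dropping `Clone, Copy` from `SchnorrZKPCommit` while leaving `// , Clone, Copy` on the derive line is a style nit; either restore the derives or delete the comment.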
@@ -57,407 +45,410 @@ pub fn schnorr_zkp( }; } -// https://crypto.stanford.edu/cs355/19sp/lec5.pdf -pub fn schnorr_zkp_validate(h: G, pi: SchnorrZKPCommit) -> bool { - pi.schnorr_zkp_c == G::hash(vec![G::generator(), h, pi.schnorr_zkp_u]) - && (G::g_pow(pi.schnorr_zkp_z) == (pi.schnorr_zkp_u + G::pow(h, pi.schnorr_zkp_c))) -} - -#[derive(SchemaType, Clone, Copy)] -pub struct OrZKPCommit { - pub or_zkp_x: G, - pub or_zkp_y: G, - pub or_zkp_a1: G, - pub or_zkp_b1: G, - pub or_zkp_a2: G, - pub or_zkp_b2: G, - - pub or_zkp_c: G::Scalar, - - pub or_zkp_d1: G::Scalar, - pub or_zkp_d2: G::Scalar, - - pub or_zkp_r1: G::Scalar, - pub or_zkp_r2: G::Scalar, -} - -/** Cramer, Damgård and Schoenmakers (CDS) technique */ -pub fn zkp_one_out_of_two( - w: G::Scalar, // random - rand_r: G::Scalar, - rand_d: G::Scalar, - h: G, - xi: G::Scalar, - vi: bool, -) -> OrZKPCommit { - if vi { - let r1 = rand_r; - let d1 = rand_d; - - let x = G::g_pow(xi); - let y = G::pow(h, xi) + G::generator(); - - let a1 = G::g_pow(r1) + G::pow(x, d1); - let b1 = G::pow(h, r1) + G::pow(y, d1); - - let a2 = G::g_pow(w); - let b2 = G::pow(h, w); - - let c = G::hash(vec![x, y, a1, b1, a2, b2]); - - let d2 = c - d1; - let r2 = w - xi * d2; - - OrZKPCommit { - or_zkp_x: x, - or_zkp_y: y, - or_zkp_a1: a1, - or_zkp_b1: b1, - or_zkp_a2: a2, - or_zkp_b2: b2, - or_zkp_c: c, - or_zkp_d1: d1, - or_zkp_d2: d2, - or_zkp_r1: r1, - or_zkp_r2: r2, - } - } else { - let r2 = rand_r; - let d2 = rand_d; - - let x = G::g_pow(xi); - let y = G::pow(h, xi); - - let a1 = G::g_pow(w); - let b1 = G::pow(h, w); - - let a2 = G::g_pow(r2) + G::pow(x, d2); - let b2 = G::pow(h, r2) + G::pow(G::div(y, G::generator()), d2); - - let c = G::hash(vec![x, y, a1, b1, a2, b2]); - - let d1 = c - d2; - let r1 = w - xi * d1; - - OrZKPCommit { - or_zkp_x: x, - or_zkp_y: y, - or_zkp_a1: a1, - or_zkp_b1: b1, - or_zkp_a2: a2, - or_zkp_b2: b2, - or_zkp_c: c, - or_zkp_d1: d1, - or_zkp_d2: d2, - or_zkp_r1: r1, - or_zkp_r2: r2, - } - } -} - -// Anonymous 
voting by two-round public discussion -pub fn zkp_one_out_of_two_validate(h: G, zkp: OrZKPCommit) -> bool { - let c = G::hash(vec![ - zkp.or_zkp_x, - zkp.or_zkp_y, - zkp.or_zkp_a1, - zkp.or_zkp_b1, - zkp.or_zkp_a2, - zkp.or_zkp_b2, - ]); // TODO: add i - - (c == zkp.or_zkp_d1 + zkp.or_zkp_d2 - && zkp.or_zkp_a1 == G::g_pow(zkp.or_zkp_r1) + G::pow(zkp.or_zkp_x, zkp.or_zkp_d1) - && zkp.or_zkp_b1 == G::pow(h, zkp.or_zkp_r1) + G::pow(zkp.or_zkp_y, zkp.or_zkp_d1) - && zkp.or_zkp_a2 == G::g_pow(zkp.or_zkp_r2) + G::pow(zkp.or_zkp_x, zkp.or_zkp_d2) - && zkp.or_zkp_b2 - == G::pow(h, zkp.or_zkp_r2) - + G::pow(G::div(zkp.or_zkp_y, G::generator()), zkp.or_zkp_d2)) -} - -pub fn commit_to(g_pow_xi_yi_vi: G) -> G::Scalar { - G::hash(vec![g_pow_xi_yi_vi]) -} - -pub fn check_commitment(g_pow_xi_yi_vi: G, commitment: G::Scalar) -> bool { - G::hash(vec![g_pow_xi_yi_vi]) == commitment -} - -#[hax::contract_state(contract = "OVN")] -// #[cfg_attr(not(feature = "hax_compilation"), contract_state(contract = "OVN"))] -#[derive(SchemaType, Clone, Copy)] -pub struct OvnContractState { - pub g_pow_xis: [G; n], - pub zkp_xis: [SchnorrZKPCommit; n], - - pub commit_vis: [G::Scalar; n], - - pub g_pow_xi_yi_vis: [G; n], - pub zkp_vis: [OrZKPCommit; n], - - pub tally: u32, -} - -#[hax::init(contract = "OVN")] -// #[cfg_attr(not(feature = "hax_compilation"), init(contract = "OVN"))] -pub fn init_ovn_contract(// _: &impl HasInitContext, -) -> InitResult> { - Ok(OvnContractState:: { - g_pow_xis: [G::identity(); n], - zkp_xis: [SchnorrZKPCommit:: { - schnorr_zkp_u: G::identity(), - schnorr_zkp_z: G::Scalar::ZERO, - schnorr_zkp_c: G::Scalar::ZERO, - }; n], - - commit_vis: [G::Scalar::ZERO; n], - - g_pow_xi_yi_vis: [G::identity(); n], - zkp_vis: [OrZKPCommit:: { - or_zkp_x: G::identity(), - or_zkp_y: G::identity(), - or_zkp_a1: G::identity(), - or_zkp_b1: G::identity(), - or_zkp_a2: G::identity(), - or_zkp_b2: G::identity(), - - or_zkp_c: G::Scalar::ZERO, - - or_zkp_d1: G::Scalar::ZERO, - or_zkp_d2: 
G::Scalar::ZERO, - - or_zkp_r1: G::Scalar::ZERO, - or_zkp_r2: G::Scalar::ZERO, - }; n], - - tally: 0, - }) -} - -use core::marker::PhantomData; -#[derive(SchemaType)] -pub struct RegisterParam + Into> { - pub rp_i: u32, - pub rp_xi: Z, - pub rp_zkp_random: Z, - pub phantom: PhantomData, -} - -impl + Into> Serial for RegisterParam { - fn serial(&self, w: &mut W) -> Result<(), ::Err> { - self.rp_i.serial(w)?; - >::from(self.rp_xi).serial(w)?; - >::from(self.rp_zkp_random).serial(w)?; - Ok(()) - } -} - -impl + Into> Deserial for RegisterParam { - fn deserial(r: &mut R) -> Result { - let rp_i: u32 = r.get()?; - let rp_xi: Z = >::into(r.get()?); - let rp_zkp_random: Z = >::into(r.get()?); - Ok(RegisterParam { - rp_i, - rp_xi, - rp_zkp_random, - phantom: PhantomData, - }) - } -} - -/** Primary function in round 1 */ -#[hax::receive(contract = "OVN", name = "register", parameter = "RegisterParam")] -// #[cfg_attr(not(feature = "hax_compilation"), receive(contract = "OVN", name = "register", parameter = "RegisterParam"))] -pub fn register_vote< - G: MGroup, - S: Serialize + From + Into, - const n: usize, - A: HasActions, ->( - ctx: impl HasReceiveContext, - state: OvnContractState, -) -> Result<(A, OvnContractState), ParseError> { - let params: RegisterParam = ctx.parameter_cursor().get()?; - let g_pow_xi = G::g_pow(params.rp_xi); - - let zkp_xi = schnorr_zkp::(params.rp_zkp_random, g_pow_xi, params.rp_xi); - - let mut register_vote_state_ret = state.clone(); - register_vote_state_ret.g_pow_xis[params.rp_i as usize] = g_pow_xi; - register_vote_state_ret.zkp_xis[params.rp_i as usize] = zkp_xi; - - Ok((A::accept(), register_vote_state_ret)) -} - -#[derive(SchemaType)] -pub struct CastVoteParam + Into> { - pub cvp_i: u32, - pub cvp_xi: Z, - pub cvp_zkp_random_w: Z, - pub cvp_zkp_random_r: Z, - pub cvp_zkp_random_d: Z, - pub cvp_vote: bool, - pub phantom: PhantomData, -} - -impl + Into> Serial for CastVoteParam { - fn serial(&self, w: &mut W) -> Result<(), ::Err> { - 
self.cvp_i.serial(w)?; - >::from(self.cvp_xi).serial(w)?; - >::from(self.cvp_zkp_random_w).serial(w)?; - >::from(self.cvp_zkp_random_r).serial(w)?; - >::from(self.cvp_zkp_random_d).serial(w)?; - self.cvp_vote.serial(w)?; - Ok(()) - } -} - -impl + Into> Deserial for CastVoteParam { - fn deserial(r: &mut R) -> Result { - let cvp_i: u32 = r.get()?; - let cvp_xi: Z = >::into(r.get()?); - let cvp_zkp_random_w: Z = >::into(r.get()?); - let cvp_zkp_random_r: Z = >::into(r.get()?); - let cvp_zkp_random_d: Z = >::into(r.get()?); - let cvp_vote: bool = r.get()?; - Ok(CastVoteParam { - cvp_i, - cvp_xi, - cvp_zkp_random_w, - cvp_zkp_random_r, - cvp_zkp_random_d, - cvp_vote, - phantom: PhantomData, - }) - } -} - -pub fn compute_g_pow_yi(i: usize, xis: [G; n]) -> G { - let mut prod1 = G::identity(); - for j in 0..i { - prod1 = prod1 + xis[j]; - } - - let mut prod2 = G::identity(); - for j in (i + 1)..n { - prod2 = prod2 + xis[j]; - } - - // implicitly: Y_i = g^y_i - let g_pow_yi = G::div(prod1, prod2); - g_pow_yi -} - -pub fn compute_group_element_for_vote(xi: G::Scalar, vote: bool, g_pow_yi: G) -> G { - G::pow(g_pow_yi, xi) - + G::g_pow(if vote { - G::Scalar::ONE - } else { - G::Scalar::ZERO - }) -} - -/** Commitment before round 2 */ -#[hax::receive(contract = "OVN", name = "commit_to_vote", parameter = "CastVoteParam")] -// #[cfg_attr(not(feature = "hax_compilation"), receive(contract = "OVN", name = "commit_to_vote", parameter = "CastVoteParam"))] -pub fn commit_to_vote< - G: MGroup, - S: Serialize + From + Into, - const n: usize, - A: HasActions, ->( - ctx: impl HasReceiveContext, - state: OvnContractState, -) -> Result<(A, OvnContractState), ParseError> { - let params: CastVoteParam = ctx.parameter_cursor().get()?; - - for i in 0..n { - if !schnorr_zkp_validate(state.g_pow_xis[i], state.zkp_xis[i]) { - return Err(ParseError {}); - } - } - - let g_pow_yi = compute_g_pow_yi::(params.cvp_i as usize, state.g_pow_xis); - let g_pow_xi_yi_vi = - 
compute_group_element_for_vote::(params.cvp_xi, params.cvp_vote, g_pow_yi); - let commit_vi = commit_to::(g_pow_xi_yi_vi); - - let mut commit_to_vote_state_ret = state.clone(); - commit_to_vote_state_ret.commit_vis[params.cvp_i as usize] = commit_vi; - Ok((A::accept(), commit_to_vote_state_ret)) -} - -/** Primary function in round 2, also opens commitment */ -#[hax::receive(contract = "OVN", name = "cast_vote", parameter = "CastVoteParam")] -// #[cfg_attr(not(feature = "hax_compilation"), receive(contract = "OVN", name = "cast_vote", parameter = "CastVoteParam"))] -pub fn cast_vote + Into, const n: usize, A: HasActions>( - ctx: impl HasReceiveContext, - state: OvnContractState, -) -> Result<(A, OvnContractState), ParseError> -{ - let params: CastVoteParam = ctx.parameter_cursor().get()?; - - let g_pow_yi = compute_g_pow_yi::(params.cvp_i as usize, state.g_pow_xis); - let g_pow_xi_yi_vi = - compute_group_element_for_vote::(params.cvp_xi, params.cvp_vote, g_pow_yi); - - let zkp_vi = zkp_one_out_of_two::( - params.cvp_zkp_random_w, - params.cvp_zkp_random_r, - params.cvp_zkp_random_d, - g_pow_yi, - params.cvp_xi, - params.cvp_vote, - ); - let mut cast_vote_state_ret = state.clone(); - cast_vote_state_ret.g_pow_xi_yi_vis[params.cvp_i as usize] = g_pow_xi_yi_vi; - cast_vote_state_ret.zkp_vis[params.cvp_i as usize] = zkp_vi; - - Ok((A::accept(), cast_vote_state_ret)) -} - -#[derive(Serialize, SchemaType)] -pub struct TallyParameter {} - -#[hax::receive(contract = "OVN", name = "tally", parameter = "TallyParameter")] -// #[cfg_attr(not(feature = "hax_compilation"), receive(contract = "OVN", name = "tally", parameter = "TallyParameter"))] -/** Anyone can tally the votes */ -pub fn tally_votes( - _: impl HasReceiveContext, - state: OvnContractState, -) -> Result<(A, OvnContractState), ParseError> -{ - for i in 0..n { - let g_pow_yi = compute_g_pow_yi::(i as usize, state.g_pow_xis); - if !zkp_one_out_of_two_validate::(g_pow_yi, state.zkp_vis[i]) { - return Err(ParseError 
{}); - } - if !check_commitment::(state.g_pow_xi_yi_vis[i], state.commit_vis[i]) { - return Err(ParseError {}); - } - } - - let mut vote_result = G::identity(); - for g_pow_vote in state.g_pow_xi_yi_vis { - vote_result = vote_result + g_pow_vote; - } - - let mut tally = 0; - let mut curr = G::Scalar::ZERO; - for i in 0..n as u32 { - // Should be while, but is bounded by n anyways! - if G::g_pow(curr) == vote_result { - tally = i; - } - - curr = curr + G::Scalar::ONE; - } - - let mut tally_votes_state_ret = state.clone(); - tally_votes_state_ret.tally = tally; - - Ok((A::accept(), tally_votes_state_ret)) -} - -// https://github.com/stonecoldpat/anonymousvoting +// // https://crypto.stanford.edu/cs355/19sp/lec5.pdf +// pub fn schnorr_zkp_validate(h: G, pi: SchnorrZKPCommit) -> bool { +// pi.schnorr_zkp_c == G::hash(vec![G::generator(), h, pi.schnorr_zkp_u]) +// && (G::g_pow(pi.schnorr_zkp_z) == (pi.schnorr_zkp_u + G::pow(h, pi.schnorr_zkp_c))) +// } + +// // #[derive(SchemaType, Clone, Copy)] +// // pub struct OrZKPCommit { +// // pub or_zkp_x: G, +// // pub or_zkp_y: G, +// // pub or_zkp_a1: G, +// // pub or_zkp_b1: G, +// // pub or_zkp_a2: G, +// // pub or_zkp_b2: G, + +// // pub or_zkp_c: G::Scalar, + +// // pub or_zkp_d1: G::Scalar, +// // pub or_zkp_d2: G::Scalar, + +// // pub or_zkp_r1: G::Scalar, +// // pub or_zkp_r2: G::Scalar, +// // } + +// // /** Cramer, Damgård and Schoenmakers (CDS) technique */ +// // pub fn zkp_one_out_of_two( +// // w: G::Scalar, // random +// // rand_r: G::Scalar, +// // rand_d: G::Scalar, +// // h: G, +// // xi: G::Scalar, +// // vi: bool, +// // ) -> OrZKPCommit { +// // if vi { +// // let r1 = rand_r; +// // let d1 = rand_d; + +// // let x = G::g_pow(xi); +// // let y = G::pow(h, xi) + G::generator(); + +// // let a1 = G::g_pow(r1) + G::pow(x, d1); +// // let b1 = G::pow(h, r1) + G::pow(y, d1); + +// // let a2 = G::g_pow(w); +// // let b2 = G::pow(h, w); + +// // let c = G::hash(vec![x, y, a1, b1, a2, b2]); + +// // let d2 = c - 
d1; +// // let r2 = w - xi * d2; + +// // OrZKPCommit { +// // or_zkp_x: x, +// // or_zkp_y: y, +// // or_zkp_a1: a1, +// // or_zkp_b1: b1, +// // or_zkp_a2: a2, +// // or_zkp_b2: b2, +// // or_zkp_c: c, +// // or_zkp_d1: d1, +// // or_zkp_d2: d2, +// // or_zkp_r1: r1, +// // or_zkp_r2: r2, +// // } +// // } else { +// // let r2 = rand_r; +// // let d2 = rand_d; + +// // let x = G::g_pow(xi); +// // let y = G::pow(h, xi); + +// // let a1 = G::g_pow(w); +// // let b1 = G::pow(h, w); + +// // let a2 = G::g_pow(r2) + G::pow(x, d2); +// // let b2 = G::pow(h, r2) + G::pow(G::div(y, G::generator()), d2); + +// // let c = G::hash(vec![x, y, a1, b1, a2, b2]); + +// // let d1 = c - d2; +// // let r1 = w - xi * d1; + +// // OrZKPCommit { +// // or_zkp_x: x, +// // or_zkp_y: y, +// // or_zkp_a1: a1, +// // or_zkp_b1: b1, +// // or_zkp_a2: a2, +// // or_zkp_b2: b2, +// // or_zkp_c: c, +// // or_zkp_d1: d1, +// // or_zkp_d2: d2, +// // or_zkp_r1: r1, +// // or_zkp_r2: r2, +// // } +// // } +// // } + +// // // Anonymous voting by two-round public discussion +// // pub fn zkp_one_out_of_two_validate(h: G, zkp: OrZKPCommit) -> bool { +// // let c = G::hash(vec![ +// // zkp.or_zkp_x, +// // zkp.or_zkp_y, +// // zkp.or_zkp_a1, +// // zkp.or_zkp_b1, +// // zkp.or_zkp_a2, +// // zkp.or_zkp_b2, +// // ]); // TODO: add i + +// // c == zkp.or_zkp_d1 + zkp.or_zkp_d2 +// // && zkp.or_zkp_a1 == G::g_pow(zkp.or_zkp_r1) + G::pow(zkp.or_zkp_x, zkp.or_zkp_d1) +// // && zkp.or_zkp_b1 == G::pow(h, zkp.or_zkp_r1) + G::pow(zkp.or_zkp_y, zkp.or_zkp_d1) +// // && zkp.or_zkp_a2 == G::g_pow(zkp.or_zkp_r2) + G::pow(zkp.or_zkp_x, zkp.or_zkp_d2) +// // && zkp.or_zkp_b2 +// // == G::pow(h, zkp.or_zkp_r2) +// // + G::pow(G::div(zkp.or_zkp_y, G::generator()), zkp.or_zkp_d2) +// // } + +// // pub fn commit_to(g_pow_xi_yi_vi: G) -> G::Scalar { +// // G::hash(vec![g_pow_xi_yi_vi]) +// // } + +// // pub fn check_commitment(g_pow_xi_yi_vi: G, commitment: G::Scalar) -> bool { +// // G::hash(vec![g_pow_xi_yi_vi]) 
== commitment +// // } + +// // #[hax::contract_state(contract = "OVN")] +// // // #[cfg_attr(not(feature = "hax_compilation"), contract_state(contract = "OVN"))] +// // #[derive(SchemaType, Clone, Copy)] +// // pub struct OvnContractState { +// // pub g_pow_xis: [G; n], +// // pub zkp_xis: [SchnorrZKPCommit; n], + +// // pub commit_vis: [G::Scalar; n], + +// // pub g_pow_xi_yi_vis: [G; n], +// // pub zkp_vis: [OrZKPCommit; n], + +// // pub tally: u32, +// // } + +// // #[hax::init(contract = "OVN")] +// // // #[cfg_attr(not(feature = "hax_compilation"), init(contract = "OVN"))] +// // pub fn init_ovn_contract(// _: &impl HasInitContext, +// // ) -> InitResult> { +// // Ok(OvnContractState:: { +// // g_pow_xis: [G::identity(); n], +// // zkp_xis: [SchnorrZKPCommit:: { +// // schnorr_zkp_u: G::identity(), +// // schnorr_zkp_z: G::Scalar::ZERO, +// // schnorr_zkp_c: G::Scalar::ZERO, +// // }; n], + +// // commit_vis: [G::Scalar::ZERO; n], + +// // g_pow_xi_yi_vis: [G::identity(); n], +// // zkp_vis: [OrZKPCommit:: { +// // or_zkp_x: G::identity(), +// // or_zkp_y: G::identity(), +// // or_zkp_a1: G::identity(), +// // or_zkp_b1: G::identity(), +// // or_zkp_a2: G::identity(), +// // or_zkp_b2: G::identity(), + +// // or_zkp_c: G::Scalar::ZERO, + +// // or_zkp_d1: G::Scalar::ZERO, +// // or_zkp_d2: G::Scalar::ZERO, + +// // or_zkp_r1: G::Scalar::ZERO, +// // or_zkp_r2: G::Scalar::ZERO, +// // }; n], + +// // tally: 0, +// // }) +// // } + +// // use core::marker::PhantomData; +// // #[derive(SchemaType)] +// // pub struct RegisterParam + Into> { +// // pub rp_i: u32, +// // pub rp_xi: Z, +// // pub rp_zkp_random: Z, +// // pub phantom: PhantomData, +// // } + +// // impl + Into> Serial for RegisterParam { +// // fn serial(&self, w: &mut W) -> Result<(), ::Err> { +// // self.rp_i.serial(w)?; +// // >::from(self.rp_xi).serial(w)?; +// // >::from(self.rp_zkp_random).serial(w)?; +// // Ok(()) +// // } +// // } + +// // impl + Into> Deserial for RegisterParam { +// // fn 
deserial(r: &mut R) -> Result { +// // let rp_i: u32 = r.get()?; +// // let rp_xi: Z = >::into(r.get()?); +// // let rp_zkp_random: Z = >::into(r.get()?); +// // Ok(RegisterParam { +// // rp_i, +// // rp_xi, +// // rp_zkp_random, +// // phantom: PhantomData, +// // }) +// // } +// // } + +// // /** Primary function in round 1 */ +// // #[hax::receive(contract = "OVN", name = "register", parameter = "RegisterParam")] +// // // #[cfg_attr(not(feature = "hax_compilation"), receive(contract = "OVN", name = "register", parameter = "RegisterParam"))] +// // pub fn register_vote< +// // G: MGroup, +// // S: Serialize + From + Into, +// // const n: usize, +// // A: HasActions, +// // >( +// // ctx: impl HasReceiveContext, +// // state: OvnContractState, +// // ) -> Result<(A, OvnContractState), ParseError> { +// // let params: RegisterParam = ctx.parameter_cursor().get()?; +// // let g_pow_xi = G::g_pow(params.rp_xi); + +// // let zkp_xi = schnorr_zkp::(params.rp_zkp_random, g_pow_xi, params.rp_xi); + +// // let mut register_vote_state_ret = state.clone(); +// // register_vote_state_ret.g_pow_xis[params.rp_i as usize] = g_pow_xi; +// // register_vote_state_ret.zkp_xis[params.rp_i as usize] = zkp_xi; + +// // Ok((A::accept(), register_vote_state_ret)) +// // } + +// // #[derive(SchemaType)] +// // pub struct CastVoteParam + Into> { +// // pub cvp_i: u32, +// // pub cvp_xi: Z, +// // pub cvp_zkp_random_w: Z, +// // pub cvp_zkp_random_r: Z, +// // pub cvp_zkp_random_d: Z, +// // pub cvp_vote: bool, +// // pub phantom: PhantomData, +// // } + +// // impl + Into> Serial for CastVoteParam { +// // fn serial(&self, w: &mut W) -> Result<(), ::Err> { +// // self.cvp_i.serial(w)?; +// // >::from(self.cvp_xi).serial(w)?; +// // >::from(self.cvp_zkp_random_w).serial(w)?; +// // >::from(self.cvp_zkp_random_r).serial(w)?; +// // >::from(self.cvp_zkp_random_d).serial(w)?; +// // self.cvp_vote.serial(w)?; +// // Ok(()) +// // } +// // } + +// // impl + Into> Deserial for CastVoteParam { 
+// // fn deserial(r: &mut R) -> Result { +// // let cvp_i: u32 = r.get()?; +// // let cvp_xi: Z = >::into(r.get()?); +// // let cvp_zkp_random_w: Z = >::into(r.get()?); +// // let cvp_zkp_random_r: Z = >::into(r.get()?); +// // let cvp_zkp_random_d: Z = >::into(r.get()?); +// // let cvp_vote: bool = r.get()?; +// // Ok(CastVoteParam { +// // cvp_i, +// // cvp_xi, +// // cvp_zkp_random_w, +// // cvp_zkp_random_r, +// // cvp_zkp_random_d, +// // cvp_vote, +// // phantom: PhantomData, +// // }) +// // } +// // } + +// // pub fn compute_g_pow_yi(i: usize, xis: [G; n]) -> G { +// // let mut prod1 = G::identity(); +// // for j in 0..i { +// // prod1 = prod1 + xis[j]; +// // } + +// // let mut prod2 = G::identity(); +// // for j in (i + 1)..n { +// // prod2 = prod2 + xis[j]; +// // } + +// // // implicitly: Y_i = g^y_i +// // let g_pow_yi = G::div(prod1, prod2); +// // g_pow_yi +// // } + +// // pub fn compute_group_element_for_vote(xi: G::Scalar, vote: bool, g_pow_yi: G) -> G { +// // G::pow(g_pow_yi, xi) +// // + G::g_pow(if vote { +// // G::Scalar::ONE +// // } else { +// // G::Scalar::ZERO +// // }) +// // } + +// // /** Commitment before round 2 */ +// // #[hax::receive(contract = "OVN", name = "commit_to_vote", parameter = "CastVoteParam")] +// // // #[cfg_attr(not(feature = "hax_compilation"), receive(contract = "OVN", name = "commit_to_vote", parameter = "CastVoteParam"))] +// // pub fn commit_to_vote< +// // G: MGroup, +// // S: Serialize + From + Into, +// // const n: usize, +// // A: HasActions, +// // >( +// // ctx: impl HasReceiveContext, +// // state: OvnContractState, +// // ) -> Result<(A, OvnContractState), ParseError> { +// // let params: CastVoteParam = ctx.parameter_cursor().get()?; + +// // for i in 0..n { +// // if !schnorr_zkp_validate(state.g_pow_xis[i], state.zkp_xis[i]) { +// // return Err(ParseError {}); +// // } +// // } + +// // let g_pow_yi = compute_g_pow_yi::(params.cvp_i as usize, state.g_pow_xis); +// // let g_pow_xi_yi_vi = +// // 
compute_group_element_for_vote::(params.cvp_xi, params.cvp_vote, g_pow_yi); +// // let commit_vi = commit_to::(g_pow_xi_yi_vi); + +// // let mut commit_to_vote_state_ret = state.clone(); +// // commit_to_vote_state_ret.commit_vis[params.cvp_i as usize] = commit_vi; +// // Ok((A::accept(), commit_to_vote_state_ret)) +// // } + +// // /** Primary function in round 2, also opens commitment */ +// // #[hax::receive(contract = "OVN", name = "cast_vote", parameter = "CastVoteParam")] +// // // #[cfg_attr(not(feature = "hax_compilation"), receive(contract = "OVN", name = "cast_vote", parameter = "CastVoteParam"))] +// // pub fn cast_vote< +// // G: MGroup, +// // S: Serialize + From + Into, +// // const n: usize, +// // A: HasActions, +// // >( +// // ctx: impl HasReceiveContext, +// // state: OvnContractState, +// // ) -> Result<(A, OvnContractState), ParseError> { +// // let params: CastVoteParam = ctx.parameter_cursor().get()?; + +// // let g_pow_yi = compute_g_pow_yi::(params.cvp_i as usize, state.g_pow_xis); +// // let g_pow_xi_yi_vi = +// // compute_group_element_for_vote::(params.cvp_xi, params.cvp_vote, g_pow_yi); + +// // let zkp_vi = zkp_one_out_of_two::( +// // params.cvp_zkp_random_w, +// // params.cvp_zkp_random_r, +// // params.cvp_zkp_random_d, +// // g_pow_yi, +// // params.cvp_xi, +// // params.cvp_vote, +// // ); +// // let mut cast_vote_state_ret = state.clone(); +// // cast_vote_state_ret.g_pow_xi_yi_vis[params.cvp_i as usize] = g_pow_xi_yi_vi; +// // cast_vote_state_ret.zkp_vis[params.cvp_i as usize] = zkp_vi; + +// // Ok((A::accept(), cast_vote_state_ret)) +// // } + +// // #[derive(Serialize, SchemaType)] +// // pub struct TallyParameter {} + +// // #[hax::receive(contract = "OVN", name = "tally", parameter = "TallyParameter")] +// // // #[cfg_attr(not(feature = "hax_compilation"), receive(contract = "OVN", name = "tally", parameter = "TallyParameter"))] +// // /** Anyone can tally the votes */ +// // pub fn tally_votes( +// // _: impl 
HasReceiveContext, +// // state: OvnContractState, +// // ) -> Result<(A, OvnContractState), ParseError> { +// // for i in 0..n { +// // let g_pow_yi = compute_g_pow_yi::(i as usize, state.g_pow_xis); +// // if !zkp_one_out_of_two_validate::(g_pow_yi, state.zkp_vis[i]) { +// // return Err(ParseError {}); +// // } +// // if !check_commitment::(state.g_pow_xi_yi_vis[i], state.commit_vis[i]) { +// // return Err(ParseError {}); +// // } +// // } + +// // let mut vote_result = G::identity(); +// // for g_pow_vote in state.g_pow_xi_yi_vis { +// // vote_result = vote_result + g_pow_vote; +// // } + +// // let mut tally = 0; +// // let mut curr = G::Scalar::ZERO; +// // for i in 0..n as u32 { +// // // Should be while, but is bounded by n anyways! +// // if G::g_pow(curr) == vote_result { +// // tally = i; +// // } + +// // curr = curr + G::Scalar::ONE; +// // } + +// // let mut tally_votes_state_ret = state.clone(); +// // tally_votes_state_ret.tally = tally; + +// // Ok((A::accept(), tally_votes_state_ret)) +// // } + +// // // https://github.com/stonecoldpat/anonymousvoting diff --git a/ovn/src/ovn_zkgroup_specific.rs b/ovn/src/ovn_zkgroup_specific.rs new file mode 100644 index 0000000..c9ac40e --- /dev/null +++ b/ovn/src/ovn_zkgroup_specific.rs 
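Review bot: The hunk replaces the generic protocol code (from `schnorr_zkp_validate` through `tally_votes`) with a commented-out copy of itself, leaving roughly four hundred lines of dead text at the end of ovn_zkgroup.rs while the live version moves to ovn_zkgroup_specific.rs. Version control keeps the history, so the block should be deleted, or if it is kept as a reference the reason belongs in one line at its top (`// Generic version kept for comparison with ovn_zkgroup_specific.rs; not compiled`). The commented `zkp_one_out_of_two_validate` still carries `// TODO: add i`, presumably the voter index missing from the challenge hash; that open item should be tracked on the live copy rather than buried here.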
@@ -0,0 +1,457 @@ +#[hax_lib_macros::exclude] +use hax_lib_macros::*; + +#[exclude] +use hacspec_concordium::*; +#[exclude] +use hacspec_concordium_derive::*; + +use group::{ + ff::{Field}, + Group, +}; + + +use bls12_381::Gt; +type G = Gt; +type Z = ::Scalar; + +pub fn hash(_inp: Vec) -> Z { + Z::one() +} + +//////////////////// +// Implementation // +//////////////////// + +#[derive(SchemaType, Clone, Copy)] +pub struct SchnorrZKPCommit { + pub schnorr_zkp_u: G, + pub schnorr_zkp_c: Z, + pub schnorr_zkp_z: Z, +} + +/** Non-interactive Schnorr proof using Fiat-Shamir heuristics (RFC 8235) */ +// https://www.rfc-editor.org/rfc/rfc8235 +// https://crypto.stanford.edu/cs355/19sp/lec5.pdf +pub fn schnorr_zkp( + r: Z, // random + h: G, + x: Z, +) -> SchnorrZKPCommit { + let u = ::generator() * r; // g ^ r + let c = hash(vec![::generator(), h, u]); + let z = r + (c * x); + + return SchnorrZKPCommit { + schnorr_zkp_u: u, + schnorr_zkp_c: c, + schnorr_zkp_z: z, + }; +} + +// https://crypto.stanford.edu/cs355/19sp/lec5.pdf +pub fn schnorr_zkp_validate(h: G, pi: SchnorrZKPCommit) -> bool { + pi.schnorr_zkp_c == hash(vec![::generator(), h, pi.schnorr_zkp_u]) + && (::generator() * pi.schnorr_zkp_z + == (pi.schnorr_zkp_u + (h * pi.schnorr_zkp_c))) +} + +#[derive(SchemaType, Clone, Copy)] +pub struct OrZKPCommit { + pub or_zkp_x: G, + pub or_zkp_y: G, + pub or_zkp_a1: G, + pub or_zkp_b1: G, + pub or_zkp_a2: G, + pub or_zkp_b2: G, + + pub or_zkp_c: Z, + + pub or_zkp_d1: Z, + pub or_zkp_d2: Z, + + pub or_zkp_r1: Z, + pub or_zkp_r2: Z, +} + +/** Cramer, Damgård and Schoenmakers (CDS) technique */ +pub fn zkp_one_out_of_two( + w: Z, // random + rand_r: Z, + rand_d: Z, + h: G, + xi: Z, + vi: bool, +) -> OrZKPCommit { + if vi { + let r1 = rand_r; + let d1 = rand_d; + + let x = ::generator() * (xi); + let y = (h * xi) + ::generator(); + + let a1 = ::generator() * (r1) + (x * d1); + let b1 = (h * r1) + (y * d1); + + let a2 = ::generator() * (w); + let b2 = h * w; + + let c = 
hash(vec![x, y, a1, b1, a2, b2]); + + let d2 = c - d1; + let r2 = w - xi * d2; + + OrZKPCommit { + or_zkp_x: x, + or_zkp_y: y, + or_zkp_a1: a1, + or_zkp_b1: b1, + or_zkp_a2: a2, + or_zkp_b2: b2, + or_zkp_c: c, + or_zkp_d1: d1, + or_zkp_d2: d2, + or_zkp_r1: r1, + or_zkp_r2: r2, + } + } else { + let r2 = rand_r; + let d2 = rand_d; + + let x = ::generator() * (xi); + let y = h * xi; + + let a1 = ::generator() * (w); + let b1 = h * w; + + let a2 = ::generator() * (r2) + (x * d2); + let b2 = (h * r2) + ((y - ::generator()) * d2); + + let c = hash(vec![x, y, a1, b1, a2, b2]); + + let d1 = c - d2; + let r1 = w - xi * d1; + + OrZKPCommit { + or_zkp_x: x, + or_zkp_y: y, + or_zkp_a1: a1, + or_zkp_b1: b1, + or_zkp_a2: a2, + or_zkp_b2: b2, + or_zkp_c: c, + or_zkp_d1: d1, + or_zkp_d2: d2, + or_zkp_r1: r1, + or_zkp_r2: r2, + } + } +} + +// Anonymous voting by two-round public discussion +pub fn zkp_one_out_of_two_validate(h: G, zkp: OrZKPCommit) -> bool { + let c = hash(vec![ + zkp.or_zkp_x, + zkp.or_zkp_y, + zkp.or_zkp_a1, + zkp.or_zkp_b1, + zkp.or_zkp_a2, + zkp.or_zkp_b2, + ]); // TODO: add i + + c == zkp.or_zkp_d1 + zkp.or_zkp_d2 + && zkp.or_zkp_a1 + == ::generator() * (zkp.or_zkp_r1) + (zkp.or_zkp_x * zkp.or_zkp_d1) + && zkp.or_zkp_b1 == (h * zkp.or_zkp_r1) + (zkp.or_zkp_y * zkp.or_zkp_d1) + && zkp.or_zkp_a2 + == ::generator() * (zkp.or_zkp_r2) + (zkp.or_zkp_x * zkp.or_zkp_d2) + && zkp.or_zkp_b2 + == (h * zkp.or_zkp_r2) + ((zkp.or_zkp_y - ::generator()) * zkp.or_zkp_d2) +} + +pub fn commit_to(g_pow_xi_yi_vi: G) -> Z { + hash(vec![g_pow_xi_yi_vi]) +} + +pub fn check_commitment(g_pow_xi_yi_vi: G, commitment: Z) -> bool { + hash(vec![g_pow_xi_yi_vi]) == commitment +} + +#[hax::contract_state(contract = "OVN")] +// #[cfg_attr(not(feature = "hax_compilation"), contract_state(contract = "OVN"))] +#[derive(SchemaType, Clone, Copy)] +pub struct OvnContractState { + pub g_pow_xis: [G; n], + pub zkp_xis: [SchnorrZKPCommit; n], + + pub commit_vis: [Z; n], + + pub g_pow_xi_yi_vis: [G; 
n], + pub zkp_vis: [OrZKPCommit; n], + + pub tally: u32, +} + +#[hax::init(contract = "OVN")] +// #[cfg_attr(not(feature = "hax_compilation"), init(contract = "OVN"))] +pub fn init_ovn_contract(// _: &impl HasInitContext, +) -> InitResult> { + Ok(OvnContractState:: { + g_pow_xis: [::identity(); n], + zkp_xis: [SchnorrZKPCommit { + schnorr_zkp_u: ::identity(), + schnorr_zkp_z: Z::ZERO, + schnorr_zkp_c: Z::ZERO, + }; n], + + commit_vis: [Z::ZERO; n], + + g_pow_xi_yi_vis: [::identity(); n], + zkp_vis: [OrZKPCommit { + or_zkp_x: ::identity(), + or_zkp_y: ::identity(), + or_zkp_a1: ::identity(), + or_zkp_b1: ::identity(), + or_zkp_a2: ::identity(), + or_zkp_b2: ::identity(), + + or_zkp_c: Z::ZERO, + + or_zkp_d1: Z::ZERO, + or_zkp_d2: Z::ZERO, + + or_zkp_r1: Z::ZERO, + or_zkp_r2: Z::ZERO, + }; n], + + tally: 0, + }) +} + +use core::marker::PhantomData; +#[derive(SchemaType)] +pub struct RegisterParam + Into> { + pub rp_i: u32, + pub rp_xi: Z, + pub rp_zkp_random: Z, + pub phantom: PhantomData, +} + +impl + Into> Serial for RegisterParam { + fn serial(&self, w: &mut W) -> Result<(), ::Err> { + self.rp_i.serial(w)?; + >::from(self.rp_xi).serial(w)?; + >::from(self.rp_zkp_random).serial(w)?; + Ok(()) + } +} + +impl + Into> Deserial for RegisterParam { + fn deserial(r: &mut R) -> Result { + let rp_i: u32 = r.get()?; + let rp_xi: Z = >::into(r.get()?); + let rp_zkp_random: Z = >::into(r.get()?); + Ok(RegisterParam { + rp_i, + rp_xi, + rp_zkp_random, + phantom: PhantomData, + }) + } +} + +/** Primary function in round 1 */ +#[hax::receive(contract = "OVN", name = "register", parameter = "RegisterParam")] +// #[cfg_attr(not(feature = "hax_compilation"), receive(contract = "OVN", name = "register", parameter = "RegisterParam"))] +pub fn register_vote< + S: Serialize + From + Into, + const n: usize, + A: HasActions, +>( + ctx: impl HasReceiveContext, + state: OvnContractState, +) -> Result<(A, OvnContractState), ParseError> { + let params: RegisterParam = 
ctx.parameter_cursor().get()?; + let g_pow_xi = ::generator() * (params.rp_xi); + + let zkp_xi = schnorr_zkp(params.rp_zkp_random, g_pow_xi, params.rp_xi); + + let mut register_vote_state_ret = state.clone(); + register_vote_state_ret.g_pow_xis[params.rp_i as usize] = g_pow_xi; + register_vote_state_ret.zkp_xis[params.rp_i as usize] = zkp_xi; + + Ok((A::accept(), register_vote_state_ret)) +} + +#[derive(SchemaType)] +pub struct CastVoteParam + Into> { + pub cvp_i: u32, + pub cvp_xi: Z, + pub cvp_zkp_random_w: Z, + pub cvp_zkp_random_r: Z, + pub cvp_zkp_random_d: Z, + pub cvp_vote: bool, + pub phantom: PhantomData, +} + +impl + Into> Serial for CastVoteParam { + fn serial(&self, w: &mut W) -> Result<(), ::Err> { + self.cvp_i.serial(w)?; + >::from(self.cvp_xi).serial(w)?; + >::from(self.cvp_zkp_random_w).serial(w)?; + >::from(self.cvp_zkp_random_r).serial(w)?; + >::from(self.cvp_zkp_random_d).serial(w)?; + self.cvp_vote.serial(w)?; + Ok(()) + } +} + +impl + Into> Deserial for CastVoteParam { + fn deserial(r: &mut R) -> Result { + let cvp_i: u32 = r.get()?; + let cvp_xi: Z = >::into(r.get()?); + let cvp_zkp_random_w: Z = >::into(r.get()?); + let cvp_zkp_random_r: Z = >::into(r.get()?); + let cvp_zkp_random_d: Z = >::into(r.get()?); + let cvp_vote: bool = r.get()?; + Ok(CastVoteParam { + cvp_i, + cvp_xi, + cvp_zkp_random_w, + cvp_zkp_random_r, + cvp_zkp_random_d, + cvp_vote, + phantom: PhantomData, + }) + } +} + +pub fn compute_g_pow_yi(i: usize, xis: [G; n]) -> G { + let mut prod1 = ::identity(); + for j in 0..i { + prod1 = prod1 + xis[j]; + } + + let mut prod2 = ::identity(); + for j in (i + 1)..n { + prod2 = prod2 + xis[j]; + } + + // implicitly: Y_i = g^y_i + let g_pow_yi = prod1 - prod2; + g_pow_yi +} + +pub fn compute_group_element_for_vote(xi: Z, vote: bool, g_pow_yi: G) -> G { + (g_pow_yi * xi) + + ::generator() + * (if vote { + Z::ONE + } else { + Z::ZERO + }) +} + +/** Commitment before round 2 */ +#[hax::receive(contract = "OVN", name = "commit_to_vote", 
parameter = "CastVoteParam")] +// #[cfg_attr(not(feature = "hax_compilation"), receive(contract = "OVN", name = "commit_to_vote", parameter = "CastVoteParam"))] +pub fn commit_to_vote< + S: Serialize + From + Into, + const n: usize, + A: HasActions, +>( + ctx: impl HasReceiveContext, + state: OvnContractState, +) -> Result<(A, OvnContractState), ParseError> { + let params: CastVoteParam = ctx.parameter_cursor().get()?; + + for i in 0..n { + if !schnorr_zkp_validate(state.g_pow_xis[i], state.zkp_xis[i]) { + return Err(ParseError {}); + } + } + + let g_pow_yi = compute_g_pow_yi::(params.cvp_i as usize, state.g_pow_xis); + let g_pow_xi_yi_vi = compute_group_element_for_vote(params.cvp_xi, params.cvp_vote, g_pow_yi); + let commit_vi = commit_to(g_pow_xi_yi_vi); + + let mut commit_to_vote_state_ret = state.clone(); + commit_to_vote_state_ret.commit_vis[params.cvp_i as usize] = commit_vi; + Ok((A::accept(), commit_to_vote_state_ret)) +} + +/** Primary function in round 2, also opens commitment */ +#[hax::receive(contract = "OVN", name = "cast_vote", parameter = "CastVoteParam")] +// #[cfg_attr(not(feature = "hax_compilation"), receive(contract = "OVN", name = "cast_vote", parameter = "CastVoteParam"))] +pub fn cast_vote< + S: Serialize + From + Into, + const n: usize, + A: HasActions, +>( + ctx: impl HasReceiveContext, + state: OvnContractState, +) -> Result<(A, OvnContractState), ParseError> { + let params: CastVoteParam = ctx.parameter_cursor().get()?; + + let g_pow_yi = compute_g_pow_yi::(params.cvp_i as usize, state.g_pow_xis); + let g_pow_xi_yi_vi = compute_group_element_for_vote(params.cvp_xi, params.cvp_vote, g_pow_yi); + + let zkp_vi = zkp_one_out_of_two( + params.cvp_zkp_random_w, + params.cvp_zkp_random_r, + params.cvp_zkp_random_d, + g_pow_yi, + params.cvp_xi, + params.cvp_vote, + ); + let mut cast_vote_state_ret = state.clone(); + cast_vote_state_ret.g_pow_xi_yi_vis[params.cvp_i as usize] = g_pow_xi_yi_vi; + cast_vote_state_ret.zkp_vis[params.cvp_i as usize] 
= zkp_vi; + + Ok((A::accept(), cast_vote_state_ret)) +} + +#[derive(Serialize, SchemaType)] +pub struct TallyParameter {} + +#[hax::receive(contract = "OVN", name = "tally", parameter = "TallyParameter")] +// #[cfg_attr(not(feature = "hax_compilation"), receive(contract = "OVN", name = "tally", parameter = "TallyParameter"))] +/** Anyone can tally the votes */ +pub fn tally_votes( + _: impl HasReceiveContext, + state: OvnContractState, +) -> Result<(A, OvnContractState), ParseError> { + for i in 0..n { + let g_pow_yi = compute_g_pow_yi::(i as usize, state.g_pow_xis); + if !zkp_one_out_of_two_validate(g_pow_yi, state.zkp_vis[i]) { + return Err(ParseError {}); + } + if !check_commitment(state.g_pow_xi_yi_vis[i], state.commit_vis[i]) { + return Err(ParseError {}); + } + } + + let mut vote_result = ::identity(); + for g_pow_vote in state.g_pow_xi_yi_vis { + vote_result = vote_result + g_pow_vote; + } + + let mut tally = 0; + let mut curr = Z::ZERO; + for i in 0..n as u32 { + // Should be while, but is bounded by n anyways! + if ::generator() * (curr) == vote_result { + tally = i; + } + + curr = curr + Z::ONE; + } + + let mut tally_votes_state_ret = state.clone(); + tally_votes_state_ret.tally = tally; + + Ok((A::accept(), tally_votes_state_ret)) +} + +// https://github.com/stonecoldpat/anonymousvoting diff --git a/ovn/tests/ovn_example.rs b/ovn/tests/ovn_example.rs index d95a014..fb0aabb 100644 --- a/ovn/tests/ovn_example.rs +++ b/ovn/tests/ovn_example.rs 
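Review bot: `hash` at the top of the new file returns `Z::one()` for every input, so the Fiat–Shamir challenge produced by `schnorr_zkp` and `zkp_one_out_of_two` is a public constant, the `c == hash(...)` checks in both `_validate` functions pass for any transcript, and `commit_to` yields the same value for every element so `check_commitment` binds nothing; until a real hash-to-scalar over the serialized group elements is wired in (with a domain tag and, per the existing `// TODO: add i`, the voter index and `h` in the OR-proof transcript), the stub should say so where it is defined, e.g. `// PLACEHOLDER: constant output — proofs and commitments are unsound until replaced`. Separately, the search loop in `tally_votes` runs `for i in 0..n as u32`, so a unanimous yes result `g^n` is never compared and `tally` silently stays 0; `for i in 0..=n as u32` (or an explicit error when no exponent matches) fixes that. Finally `register_vote`, `commit_to_vote` and `cast_vote` index the fixed-size state arrays with `rp_i`/`cvp_i` taken straight from the parameter cursor, with no bound or ownership check, so an out-of-range index panics and any caller can overwrite another voter's slot; `if params.rp_i as usize >= n { return Err(ParseError {}); }` covers the first, and a sender-to-index binding the second.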
@@ -26,48 +26,32 @@ pub use hacspec_ovn::ovn_group::*; pub use hacspec_ovn::ovn_secp256k1::*; pub use hacspec_ovn::ovn_z_89::*; -#[test] -pub fn schorr_zkp_correctness() { - fn test(random_x: u32, random_r: u32) -> bool { - type Z = z_89; - type G = g_z_89; - - let x: u32 = Z::random_field_elem(random_x); +#[cfg(test)] +pub fn schnorr_zkp_correctness(random_x: u32, random_r: u32) -> bool { + let x: G::Z = G::Z::random_field_elem(random_x); let pow_x = G::g_pow(x); - let pi: SchnorrZKPCommit = schnorr_zkp(random_r, pow_x, x); + let pi: SchnorrZKPCommit = schnorr_zkp(random_r, pow_x, x); - let valid = schnorr_zkp_validate::(pow_x, pi); + let valid = schnorr_zkp_validate::(pow_x, pi); valid - } +} +pub fn schnorr_zkp_z_89_correctness() { QuickCheck::new() .tests(10000) - .quickcheck(test as fn(u32, u32) -> bool) + .quickcheck(schnorr_zkp_correctness:: as fn(u32, u32) -> bool) } #[test] pub fn schorr_zkp_secp256k1_correctness() { - fn test(random_x: u32, random_r: u32) -> bool { - type Z = Z_curve; - type G = Group_curve; - - let x: Z_curve = Z::random_field_elem(random_x); - let pow_x = G::g_pow(x); - - let pi: SchnorrZKPCommit = schnorr_zkp(random_r, pow_x, x); - - let valid = schnorr_zkp_validate::(pow_x, pi); - valid - } - QuickCheck::new() .tests(10) - .quickcheck(test as fn(u32, u32) -> bool) + .quickcheck(schnorr_zkp_correctness:: as fn(u32, u32) -> bool) } #[cfg(test)] -pub fn or_zkp_correctness>( +pub fn or_zkp_correctness( random_w: u32, random_r: u32, random_d: u32, 
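Review bot: `schnorr_zkp_z_89_correctness` has no `#[test]` attribute in the new code — the removed `-#[test]` belonged to the old `schorr_zkp_correctness`, and the `#[cfg(test)]` now sits on the generic helper `schnorr_zkp_correctness` above it — so the z_89 Schnorr property test no longer runs while `schorr_zkp_secp256k1_correctness` still does. Add `#[test]` directly above `pub fn schnorr_zkp_z_89_correctness() {`. The secp256k1 test keeps the misspelled name `schorr_…`; renaming it to `schnorr_zkp_secp256k1_correctness` would match the helper it now calls.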
@@ -75,10 +59,10 @@ pub fn or_zkp_correctness>( random_x: u32, v: bool, ) -> bool { - let mut h = G::g_pow(Z::random_field_elem(random_h)); - let x = Z::random_field_elem(random_x); - let pi: OrZKPCommit = zkp_one_out_of_two(random_w, random_r, random_d, h, x, v); - let valid = zkp_one_out_of_two_validate::(h, pi); + let mut h = G::g_pow(G::Z::random_field_elem(random_h)); + let x = G::Z::random_field_elem(random_x); + let pi: OrZKPCommit = zkp_one_out_of_two(random_w, random_r, random_d, h, x, v); + let valid = zkp_one_out_of_two_validate::(h, pi); valid } @@ -86,30 +70,30 @@ pub fn or_zkp_correctness>( pub fn or_zkp_correctness_z89() { QuickCheck::new() .tests(10000) - .quickcheck(or_zkp_correctness:: as fn(u32, u32, u32, u32, u32, bool) -> bool) + .quickcheck(or_zkp_correctness:: as fn(u32, u32, u32, u32, u32, bool) -> bool) } #[test] // TODO: Fix inverse opeation, should make this test parse pub fn or_zkp_secp256k1_correctness() { QuickCheck::new().tests(10).quickcheck( - or_zkp_correctness:: as fn(u32, u32, u32, u32, u32, bool) -> bool, + or_zkp_correctness:: as fn(u32, u32, u32, u32, u32, bool) -> bool, ) } #[cfg(test)] -pub fn sum_to_zero, const n: usize>() { - let mut xis: [Z::field_type; n] = [Z::field_zero(); n]; - let mut g_pow_xis: [G::group_type; n] = [G::group_one(); n]; +pub fn sum_to_zero() { + let mut xis: [G::Z; n] = [G::Z::field_zero(); n]; + let mut g_pow_xis: [G; n] = [G::group_one(); n]; use rand::random; for i in 0..n { - xis[i] = Z::random_field_elem(random()); + xis[i] = G::Z::random_field_elem(random()); g_pow_xis[i] = G::g_pow(xis[i]); } let mut res = G::group_one(); for i in 0..n { - let g_pow_yi = compute_g_pow_yi::(i, g_pow_xis); + let g_pow_yi = compute_g_pow_yi::(i, g_pow_xis); res = G::prod(res, G::pow(g_pow_yi, xis[i])); } 
@@ -118,18 +102,62 @@ pub fn sum_to_zero, const n: usize>() { #[test] pub fn sum_to_zero_z89() { - sum_to_zero::() + sum_to_zero::() } #[test] pub fn sum_to_zero_secp256k1() { - sum_to_zero::() + sum_to_zero::() +} + +use rand::random; + + +#[derive(Copy, Clone, hacspec_concordium::Serial, hacspec_concordium::Deserial)] +pub struct ElemOfEach { + i : u32, + z : G::Z, + g : G, } #[cfg(test)] -pub fn test_correctness, const n: usize, A: HasActions>( +pub fn test_params_of_group< + G: Group, + A: HasActions, + >() { + // Setup the context + let mut ctx = hacspec_concordium::test_infrastructure::ReceiveContextTest::empty(); + let parameter = ElemOfEach:: { + i: random(), + z: G::Z::random_field_elem(random()), + g: G::g_pow(G::Z::random_field_elem(random())), + }; + let parameter_bytes = to_bytes(¶meter); + let ctx_params = ctx.clone().set_parameter(¶meter_bytes); + let param_back: Result, ParseError> = + ctx_params.parameter_cursor().get(); + assert!(param_back.is_ok()); + + let wu_param = param_back.unwrap(); + assert!(wu_param.i == parameter.i); + assert!(wu_param.z == parameter.z); + assert!(wu_param.g == parameter.g); +} + +#[test] +pub fn test_params_of_group_z89() { + test_params_of_group::() +} + +#[test] +pub fn test_params_of_group_secp256k1() { + test_params_of_group::() +} + +#[cfg(test)] +pub fn test_correctness( votes: [bool; n], - xis: [Z::field_type; n], + xis: [G::Z; n], rp_zkp_randoms: [u32; n], cvp_zkp_random_ws1: [u32; n], cvp_zkp_random_rs1: [u32; n], 
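Review bot: In `test_params_of_group`, `let mut ctx = ...ReceiveContextTest::empty();` is never mutated — only `ctx.clone().set_parameter(...)` is used — so `mut` is dead and will warn; `let ctx = ...` is enough. The new file-level `use rand::random;` added in this hunk duplicates the function-local `use rand::random;` that `sum_to_zero` and `randomized_full_test` still carry; keep one or the other. A one-line doc on the new `ElemOfEach` struct such as `/// One value of each parameter type, used to round-trip (de)serialisation through the receive context.` would say why the struct exists.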
@@ -141,22 +169,22 @@ pub fn test_correctness, const n: usize, A: HasActions>( // Setup the context let mut ctx = hacspec_concordium::test_infrastructure::ReceiveContextTest::empty(); - let mut state: OvnContractState = init_ovn_contract().unwrap(); + let mut state: OvnContractState = init_ovn_contract().unwrap(); for i in 0..n { - let parameter = RegisterParam:: { + let parameter = RegisterParam:: { rp_i: i as u32, rp_xi: xis[i], rp_zkp_random: rp_zkp_randoms[i], }; let parameter_bytes = to_bytes(¶meter); (_, state) = - register_vote::(ctx.clone().set_parameter(¶meter_bytes), state) + register_vote::(ctx.clone().set_parameter(¶meter_bytes), state) .unwrap(); } for i in 0..n { - let parameter = CastVoteParam:: { + let parameter = CastVoteParam:: { cvp_i: i as u32, cvp_xi: xis[i], cvp_zkp_random_w: cvp_zkp_random_ws1[i], @@ -166,12 +194,12 @@ pub fn test_correctness, const n: usize, A: HasActions>( }; let parameter_bytes = to_bytes(¶meter); (_, state) = - commit_to_vote::(ctx.clone().set_parameter(¶meter_bytes), state) + commit_to_vote::(ctx.clone().set_parameter(¶meter_bytes), state) .unwrap(); } for i in 0..n { - let parameter = CastVoteParam:: { + let parameter = CastVoteParam:: { cvp_i: i as u32, cvp_xi: xis[i], cvp_zkp_random_w: cvp_zkp_random_ws2[i], @@ -181,19 +209,19 @@ pub fn test_correctness, const n: usize, A: HasActions>( }; let parameter_bytes = to_bytes(¶meter); (_, state) = - cast_vote::(ctx.clone().set_parameter(¶meter_bytes), state).unwrap(); + cast_vote::(ctx.clone().set_parameter(¶meter_bytes), state).unwrap(); } let parameter = TallyParameter {}; let parameter_bytes = to_bytes(¶meter); ctx = ctx.set_parameter(¶meter_bytes); - (_, state) = tally_votes::(ctx.clone(), state).unwrap(); + (_, state) = tally_votes::(ctx.clone(), state).unwrap(); let mut count = 0u32; for v in votes { if v { - count = count + 1; // += 1 does not work correctly + count = count + 1; } } 
@@ -202,10 +230,10 @@ pub fn test_correctness, const n: usize, A: HasActions>( } #[cfg(test)] -fn randomized_full_test, const n: usize>() -> bool { +fn randomized_full_test() -> bool { use rand::random; let mut votes: [bool; n] = [false; n]; - let mut xis: [Z::field_type; n] = [Z::field_zero(); n]; + let mut xis: [G::Z; n] = [G::Z::field_zero(); n]; let mut rp_zkp_randoms: [u32; n] = [0; n]; let mut cvp_zkp_random_ws1: [u32; n] = [0; n]; let mut cvp_zkp_random_rs1: [u32; n] = [0; n]; @@ -217,7 +245,7 @@ fn randomized_full_test, const n: usize>() -> bool { for i in 0..n { votes[i] = random(); - xis[i] = Z::random_field_elem(random()); + xis[i] = G::Z::random_field_elem(random()); rp_zkp_randoms[i] = random(); cvp_zkp_random_ws1[i] = random(); cvp_zkp_random_rs1[i] = random(); @@ -227,7 +255,7 @@ fn randomized_full_test, const n: usize>() -> bool { cvp_zkp_random_ds2[i] = random(); } - test_correctness::( + test_correctness::( votes, xis, rp_zkp_randoms, @@ -245,13 +273,13 @@ fn randomized_full_test, const n: usize>() -> bool { fn test_full_z89() { QuickCheck::new() .tests(100) - .quickcheck(randomized_full_test:: as fn() -> bool) + .quickcheck(randomized_full_test:: as fn() -> bool) } -// // #[concordium_test] -// #[test] -// fn test_full_secp256k1() { -// QuickCheck::new() -// .tests(1) -// .quickcheck(randomized_full_test:: as fn() -> bool) -// } +// #[concordium_test] +#[test] +fn test_full_secp256k1() { + QuickCheck::new() + .tests(1) + .quickcheck(randomized_full_test:: as fn() -> bool) +} diff --git a/ovn/tests/ovn_zk_example.rs b/ovn/tests/ovn_zk_example.rs index 5286407..b9b5664 100644 --- a/ovn/tests/ovn_zk_example.rs +++ b/ovn/tests/ovn_zk_example.rs 
@@ -15,10 +15,10 @@ extern crate quickcheck_macros; #[cfg(test)] use quickcheck::*; -pub use bls12_381::{*, Scalar as BlsScalar}; +pub use bls12_381::{Scalar as BlsScalar, *}; +use core::marker::PhantomData; pub use group::{ff::Field, Group}; pub use hacspec_ovn::{ovn_zk_secp256k1::*, ovn_zkgroup::*}; -use core::marker::PhantomData; use rand_core::{RngCore, *}; // use quickcheck::RngCore; @@ -34,7 +34,9 @@ struct GroupBits { impl From for GroupBits<32> { fn from(value: BlsScalar) -> Self { - Self { val: value.to_bytes() } + Self { + val: value.to_bytes(), + } } } @@ -46,10 +48,10 @@ impl Into for GroupBits<32> { impl From for GroupBits<32> { fn from(value: BipScalar) -> Self { - let mut val : [u8; 32] = [0u8; 32]; + let mut val: [u8; 32] = [0u8; 32]; let temp = value.to_be_bytes(); for i in 0..32 { -val[i] = temp[i]; + val[i] = temp[i]; } Self { val } } @@ -61,7 +63,6 @@ impl Into for GroupBits<32> { } } - //////////////////////////// // Group operations tests // //////////////////////////// @@ -175,8 +176,7 @@ pub fn test_params_of_group< G: MGroup, S: Serialize + From + Into, A: HasActions, ->() -{ +>() { // Setup the context let mut ctx = hacspec_concordium::test_infrastructure::ReceiveContextTest::empty(); let parameter = RegisterParam:: { @@ -199,13 +199,14 @@ pub fn test_params_of_group< #[test] pub fn test_params_of_group_zk259() { - test_params_of_group::, hacspec_concordium::test_infrastructure::ActionsTree>() + test_params_of_group::, hacspec_concordium::test_infrastructure::ActionsTree>( + ) } - #[test] pub fn test_params_of_group_bls12_381_real() { - test_params_of_group::, hacspec_concordium::test_infrastructure::ActionsTree>() + test_params_of_group::, hacspec_concordium::test_infrastructure::ActionsTree>( + ) } #[cfg(test)] 
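Review bot: In the `fn from(value: BipScalar)` hunk the byte copy `for i in 0..32 { val[i] = temp[i]; }` was only re-indented; if `to_be_bytes()` returns `[u8; 32]`, as the fixed 32-iteration loop suggests, `Self { val: value.to_be_bytes() }` is the whole body, and otherwise `val.copy_from_slice(&temp)` expresses the same copy without an index loop. The remaining hunks in this file are rustfmt-only reflow.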
@@ -224,8 +225,7 @@ pub fn test_correctness< cvp_zkp_random_ws2: [G::Scalar; n], cvp_zkp_random_rs2: [G::Scalar; n], cvp_zkp_random_ds2: [G::Scalar; n], -) -> bool -{ +) -> bool { // Setup the context let ctx = hacspec_concordium::test_infrastructure::ReceiveContextTest::empty(); @@ -236,13 +236,16 @@ pub fn test_correctness< rp_i: i as u32, rp_xi: xis[i], rp_zkp_random: rp_zkp_randoms[i], - phantom: PhantomData, + phantom: PhantomData, }; let parameter_bytes = to_bytes(¶meter); (_, state) = - register_vote::(ctx.clone().set_parameter(¶meter_bytes), state).unwrap(); + register_vote::(ctx.clone().set_parameter(¶meter_bytes), state) + .unwrap(); } + assert!(false, "Got here 2"); + for i in 0..n { let parameter = CastVoteParam:: { cvp_i: i as u32, @@ -251,11 +254,12 @@ pub fn test_correctness< cvp_zkp_random_r: cvp_zkp_random_rs1[i], cvp_zkp_random_d: cvp_zkp_random_ds1[i], cvp_vote: votes[i], - phantom: PhantomData, + phantom: PhantomData, }; let parameter_bytes = to_bytes(¶meter); (_, state) = - commit_to_vote::(ctx.clone().set_parameter(¶meter_bytes), state).unwrap(); + commit_to_vote::(ctx.clone().set_parameter(¶meter_bytes), state) + .unwrap(); } for i in 0..n { @@ -266,13 +270,15 @@ pub fn test_correctness< cvp_zkp_random_r: cvp_zkp_random_rs2[i], cvp_zkp_random_d: cvp_zkp_random_ds2[i], cvp_vote: votes[i], - phantom: PhantomData, + phantom: PhantomData, }; let parameter_bytes = to_bytes(¶meter); (_, state) = cast_vote::(ctx.clone().set_parameter(¶meter_bytes), state).unwrap(); } + assert!(false, "Got here 3"); + let parameter = TallyParameter {}; let parameter_bytes = to_bytes(¶meter); @@ -291,8 +297,11 @@ pub fn test_correctness< } #[cfg(test)] -fn randomized_full_test + Into, const n: usize>() -> bool -{ +fn randomized_full_test< + G: MGroup, + S: Serialize + From + Into, + const n: usize, +>() -> bool { let mut votes: [bool; n] = [false; n]; let mut xis: [G::Scalar; n] = [G::Scalar::ONE; n]; let mut rp_zkp_randoms: [G::Scalar; n] = [G::Scalar::ONE; n];
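Review bot: The `@@ -236` hunk adds `assert!(false, "Got here 2");` right after the registration loop, and the `@@ -266` hunk adds `assert!(false, "Got here 3");` after the cast loop; these are debugging probes that make `test_correctness` — and therefore `randomized_full_test` — fail unconditionally before `commit_to_vote` is ever exercised, so the suite no longer checks the protocol at all. Remove both lines, or replace them with an assertion on an actual property of `state` at that point. `test_correctness` begins before the first of these hunks and its body continues beyond the last one shown here.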