├── TestHTLP ├── .gitignore ├── Makefile ├── LICENSE ├── src ├── AHTLP.hpp ├── MHTLP.hpp ├── HTLP.hpp ├── Puzzle.hpp ├── HTLP.cpp ├── AHTLP.cpp ├── main.cpp └── MHTLP.cpp └── README.md /TestHTLP: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/liu-yi/HTLP/HEAD/TestHTLP -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | *.log 2 | *.aux 3 | *.fls 4 | *.bbl 5 | *.fdb_latexmk 6 | *.synctex.gz 7 | *.o 8 | 9 | *.aux 10 | *.log 11 | *.lof 12 | *.lot 13 | *.bbl 14 | *.blg 15 | *.thm 16 | *.toc 17 | *.out 18 | *.loa 19 | 20 | .DS_Store -------------------------------------------------------------------------------- /Makefile: -------------------------------------------------------------------------------- 1 | CC = g++ 2 | TARGET = TestHTLP 3 | 4 | SRC = $(wildcard *.cpp src/*.cpp) 5 | FILE = $(notdir $(SRC)) 6 | OBJ = $(patsubst %.cpp, build/%.o, $(FILE)) 7 | 8 | FLAGES = -g -O2 -std=c++2a -pthread -march=native -c 9 | LIB = -lntl -lssl -lcrypto -lgmp -lm 10 | 11 | $(TARGET) : $(OBJ) 12 | $(CC) $^ -o $(TARGET) $(LIB) 13 | 14 | build/%.o: src/%.cpp 15 | $(CC) $(FLAGES) $< -o $@ 16 | 17 | .PHONY:clean 18 | clean: 19 | rm -f *.o src/*.o build/*.o $(TARGET) 20 | 21 | 22 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) 2022 Liu Yi 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | -------------------------------------------------------------------------------- /src/AHTLP.hpp: -------------------------------------------------------------------------------- 1 | #ifndef AHTLP_HPP_ 2 | #define AHTLP_HPP_ 3 | 4 | #include 5 | #include 6 | #include 7 | #include 8 | #include 9 | 10 | #include "HTLP.hpp" 11 | #include "Puzzle.hpp" 12 | 13 | #ifndef RSA_ 14 | #define RSA_ 15 | typedef struct RSA 16 | { 17 | NTL::ZZ p; 18 | NTL::ZZ q; 19 | } RSA; 20 | #endif 21 | 22 | class AHTLP : public HTLP 23 | { 24 | 25 | public: 26 | AHTLP(const long modulus_len, const long T, const long kappa); 27 | AHTLP(const NTL::ZZ &n, const NTL::ZZ &g, const NTL::ZZ &h, const long T, const long kappa); 28 | AHTLP(const long modulus_len, const long T, const long kappa, bool cheeting_mode); 29 | 30 | APuzzle GeneratePuzzle(const NTL::ZZ &s); 31 | APuzzle GeneratePuzzle(const NTL::ZZ &s, const NTL::ZZ &r); 32 | NTL::ZZ SolvePuzzle(const APuzzle &Z); 33 | NTL::ZZ QuickSolvePuzzle(const APuzzle &Z); 34 | 35 | std::tuple GenerateAValidProof(const APuzzle &Z, const NTL::ZZ &s, const NTL::ZZ &r); 36 | bool VerifyAValidProof(const APuzzle &Z, const std::tuple &proof); 37 | 38 | std::tuple SolvePuzzleWithProof(const long k, const long gamma, const APuzzle &Z); 39 | std::tuple QuickSolvePuzzleWithProof(const APuzzle &Z); 40 | 41 | int VerifyProofOfSol(const APuzzle Z, const std::tuple &proof); 42 | }; 43 | 44 | #endif -------------------------------------------------------------------------------- /src/MHTLP.hpp: -------------------------------------------------------------------------------- 1 | #ifndef MHTLP_HPP_ 2 | #define MHTLP_HPP_ 3 | 4 | #include 5 | #include 6 | #include 7 | #include 8 | #include 9 | 10 | #include "Puzzle.hpp" 11 | #include "HTLP.hpp" 12 | 13 | #ifndef RSA_ 14 | #define RSA_ 15 | typedef struct RSA 16 | { 17 | NTL::ZZ p; 18 | NTL::ZZ q; 19 | } RSA; 20 | #endif 21 | 22 | class MHTLP : public HTLP 23 | { 24 | 25 | private: 26 | NTL::ZZ chi_; 27 | 28 | public: 29 | MHTLP(const long modulus_len, const long T, const long kappa); 30 | MHTLP(const NTL::ZZ &n, const NTL::ZZ &g, const NTL::ZZ &h, const NTL::ZZ &chi, const long T, const long kappa); 31 | MHTLP(const long modulus_len, const long T, const long kappa, bool cheeting_mode); 32 | 33 | NTL::ZZ chi() 34 | { 35 | return chi_; 36 | } 37 | 38 | MPuzzle GeneratePuzzle(const NTL::ZZ &s); 39 | MPuzzle GeneratePuzzle(const NTL::ZZ &s, const NTL::ZZ &r, const NTL::ZZ &r_prime); 40 | NTL::ZZ SolvePuzzle(const MPuzzle &Z); 41 | NTL::ZZ QuickSolvePuzzle(const MPuzzle &Z); 42 | 43 | std::tuple, std::vector, std::vector, std::vector> GenerateMValidProof(const MPuzzle &Z, const NTL::ZZ &s, const NTL::ZZ &r, const NTL::ZZ &r_prime); 44 | bool VerifyMValidProof(const MPuzzle &Z, const std::tuple, std::vector, std::vector, std::vector> &proof); 45 | 46 | std::tuple SolvePuzzleWithProof(const long k, const long gamma, const MPuzzle &Z); 47 | std::tuple QuickSolvePuzzleWithProof(const MPuzzle &Z); 48 | 49 | int VerifyProofOfSol(const MPuzzle Z, const std::tuple &proof); 50 | }; 51 | 52 | #endif -------------------------------------------------------------------------------- /src/HTLP.hpp: -------------------------------------------------------------------------------- 1 | #ifndef HTLP_HPP_ 2 | #define HTLP_HPP_ 3 | 4 | #include 5 | #include 6 | #include 7 | #include 8 | #include 9 | 10 | #include "Puzzle.hpp" 11 | 12 | #ifndef RSA_ 13 | #define RSA_ 14 | typedef struct RSA 15 | { 16 | NTL::ZZ p; 17 | NTL::ZZ q; 18 | } RSA; 19 | #endif 20 | 21 | class HTLP 22 | { 23 | protected: 24 | const bool cheeting_mode_; 25 | RSA rsa_; 26 | NTL::ZZ n_; 27 | NTL::ZZ n_square_; 28 | NTL::ZZ g_; 29 | NTL::ZZ h_; 30 | NTL::ZZ lambda_; 31 | const long T_; 32 | const long kappa_; 33 | long prime_len_; 34 | const long modulus_len_; 35 | NTL::ZZ trapdoor_; 36 | RSA GenerateRSAModulus(const long modulus_len); 37 | 38 | public: 39 | HTLP(const long modulus_len, const long T, const long kappa); 40 | HTLP(const NTL::ZZ &n, const NTL::ZZ &g, const NTL::ZZ &h, const long T, const long kappa); 41 | HTLP(const long modulus_len, const long T, const long kappa, bool cheeting_mode); 42 | 43 | NTL::ZZ HashToElement(const std::string str); 44 | NTL::ZZ HashToPrime(const NTL::ZZ &g, const NTL::ZZ &h); 45 | 46 | NTL::ZZ GenerateProof(const long k, const long gamma, std::vector &C, NTL::ZZ &l); 47 | 48 | NTL::ZZ GenerateJacobiOne(); 49 | NTL::ZZ GenerateRandomExponent() 50 | { 51 | return RandomBnd(n_ / 2); 52 | } 53 | NTL::ZZ GenerateRandomElement() 54 | { 55 | return RandomBnd(n_); 56 | } 57 | 58 | NTL::ZZ n() 59 | { 60 | return n_; 61 | } 62 | NTL::ZZ n_square() 63 | { 64 | return n_square_; 65 | } 66 | NTL::ZZ g() 67 | { 68 | return g_; 69 | } 70 | NTL::ZZ h() 71 | { 72 | return h_; 73 | } 74 | long T() 75 | { 76 | return T_; 77 | } 78 | 79 | }; 80 | 81 | #endif -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # Homomorphic Time-Lock Puzzle Schemes 2 | ![](https://img.shields.io/badge/version-v0.1-blue) 3 | 4 | This is the repository for the paper 5 | 6 | Towards Practical Homomorphic Time-Lock Puzzles: Applicability and Verifiability, *ESORICS 2022* [[Link](https://link.springer.com/chapter/10.1007/978-3-031-17140-6_21)] 7 | 8 | by Yi Liu, Qi Wang, Siu-Ming Yiu. 9 | 10 | ## Introduction 11 | 12 | This repository provides implementations for the **additively** homomorphic time-lock puzzle scheme with solution space $\mathbb{Z}_n$ in [[MT19]](https://eprint.iacr.org/2019/635.pdf) and our **multiplicatively** homomorphic time-lock puzzle scheme with solution space $\mathbb{Z}_n^*$. 13 | 14 | To avoid the redundant cost of the puzzle-solving process, we provide three *simple* and *fast* protocols for both the additively HTLP scheme with the solution space $\mathbb{Z}_n$ and our multiplicatively HTLP scheme, respectively, to verify the following three properties. 15 | 16 | 1. **Correctness.** A puzzle solver is able to convince other parties of the *correctness of the solution* that he solves from a puzzle. 17 | 2. **Invalidity.** Upon finding that a puzzle is invalid, one can convince other parties of the *invalidity of the puzzle*. 18 | 3. **Validity.** A puzzle generator can convince other parties of the *validity of the puzzle* he generated. 19 | 20 | ## Dependencies 21 | 22 | This project has dependencies of [NTL](https://github.com/libntl/ntl) and [OpenSSL](https://www.openssl.org/). 23 | 24 | ## Build 25 | 26 | 1. Install [NTL](https://github.com/libntl/ntl). 27 | 2. Install libssl-dev 28 | 3. Clone the repository: 29 | ``` 30 | git clone https://github.com/liu-yi/HTLP 31 | ``` 32 | 4. Enter the directory 33 | ``` 34 | cd HTLP 35 | ``` 36 | 5. Assuming you have globally installed NTL and libssl-dev: 37 | ``` 38 | make 39 | ``` 40 | 41 | 6. You can test the execution by `./TestHTLP`, which is defined in `src/main.cpp`. 42 | 43 | -------------------------------------------------------------------------------- /src/Puzzle.hpp: -------------------------------------------------------------------------------- 1 | #ifndef PUZZLE_HPP_ 2 | #define PUZZLE_HPP_ 3 | 4 | 5 | class APuzzle 6 | { 7 | private: 8 | NTL::ZZ n_; 9 | 10 | public: 11 | NTL::ZZ u; 12 | NTL::ZZ v; 13 | APuzzle(const NTL::ZZ &u, const NTL::ZZ &v, const NTL::ZZ n) : n_(n) 14 | { 15 | this->u = u; 16 | this->v = v; 17 | } 18 | APuzzle(const NTL::ZZ n) : n_(n) 19 | { 20 | } 21 | 22 | NTL::ZZ n() 23 | { 24 | return n_; 25 | } 26 | 27 | APuzzle operator+(const APuzzle &a) 28 | { 29 | assert(n_ == a.n_); 30 | APuzzle Z(u * a.u % n_, v * a.v % (n_ * n_), n_); 31 | return Z; 32 | } 33 | 34 | friend APuzzle operator+(const NTL::ZZ &a, const APuzzle &b) 35 | { 36 | NTL::ZZ c = a % b.n_; 37 | APuzzle Z(b.u, (1 + c * b.n_) * b.v % (b.n_ * b.n_), b.n_); 38 | return Z; 39 | } 40 | 41 | friend APuzzle operator+(long a, const APuzzle &b) 42 | { 43 | NTL::ZZ c = NTL::ZZ(a) % b.n_; 44 | APuzzle Z(b.u, (1 + c * b.n_) * b.v % (b.n_ * b.n_), b.n_); 45 | return Z; 46 | } 47 | 48 | friend APuzzle operator*(long a, const APuzzle &b) 49 | { 50 | APuzzle Z(PowerMod(b.u, a, b.n_), PowerMod(b.v, a, b.n_) % (b.n_ * b.n_), b.n_); 51 | return Z; 52 | } 53 | }; 54 | 55 | class MPuzzle 56 | { 57 | private: 58 | NTL::ZZ n_; 59 | 60 | public: 61 | NTL::ZZ u; 62 | NTL::ZZ u_prime; 63 | NTL::ZZ v; 64 | NTL::ZZ theta; 65 | 66 | MPuzzle(const NTL::ZZ &u, const NTL::ZZ &u_prime, const NTL::ZZ &v, const NTL::ZZ &theta, const NTL::ZZ n) : n_(n) 67 | { 68 | this->u = u; 69 | this->u_prime = u_prime; 70 | this->v = v; 71 | this->theta = theta; 72 | } 73 | MPuzzle(const NTL::ZZ n) : n_(n) 74 | { 75 | } 76 | 77 | MPuzzle operator*(const MPuzzle &a) 78 | { 79 | assert(n_ == a.n_); 80 | MPuzzle Z(u * a.u % n_, u_prime * a.u_prime % n_, v * a.v % n_, theta * a.theta % (n_ * n_), n_); 81 | return Z; 82 | } 83 | 84 | MPuzzle Power(const long e){ 85 | MPuzzle Z(PowerMod(u, e, n_), PowerMod(u_prime, e, n_), PowerMod(v, e, n_), PowerMod(theta, e, n_), n_); 86 | return Z; 87 | } 88 | 89 | NTL::ZZ n() 90 | { 91 | return n_; 92 | } 93 | }; 94 | 95 | #endif -------------------------------------------------------------------------------- /src/HTLP.cpp: -------------------------------------------------------------------------------- 1 | #include "HTLP.hpp" 2 | 3 | HTLP::HTLP(const long modulus_len, const long T, const long kappa, bool cheeting_mode) : modulus_len_(modulus_len), T_(T), kappa_(kappa), cheeting_mode_(cheeting_mode) 4 | { 5 | rsa_ = GenerateRSAModulus(modulus_len); 6 | n_ = rsa_.p * rsa_.q; 7 | n_square_ = n_ * n_; 8 | lambda_ = (rsa_.p - 1) * (rsa_.q - 1) / 2; 9 | trapdoor_ = PowerMod(NTL::ZZ(2), T_, lambda_); 10 | g_ = GenerateJacobiOne(); 11 | h_ = NTL::PowerMod(g_, trapdoor_, n_); 12 | prime_len_ = ceil((2.0 * kappa_ * log(2) - log(2 * kappa_ * log(2) - 1.1)) / 8); // For x-th prime y, we have y < x / (log(x) - 1.1) 13 | } 14 | 15 | HTLP::HTLP(const long modulus_len, const long T, const long kappa) : modulus_len_(modulus_len), T_(T), kappa_(kappa), cheeting_mode_(true) 16 | { 17 | rsa_ = GenerateRSAModulus(modulus_len); 18 | n_ = rsa_.p * rsa_.q; 19 | n_square_ = n_ * n_; 20 | lambda_ = (rsa_.p - 1) * (rsa_.q - 1) / 2; 21 | trapdoor_ = PowerMod(NTL::ZZ(2), T_, lambda_); 22 | g_ = GenerateJacobiOne(); 23 | h_ = NTL::PowerMod(g_, trapdoor_, n_); 24 | } 25 | 26 | HTLP::HTLP(const NTL::ZZ &n, const NTL::ZZ &g, const NTL::ZZ &h, const long T, const long kappa) : modulus_len_(NumBits(n)), g_(g), h_(h), T_(T), kappa_(kappa), cheeting_mode_(false) 27 | { 28 | n_square_ = n_ * n_; 29 | } 30 | 31 | RSA HTLP::GenerateRSAModulus(const long modulus_len) 32 | { 33 | NTL::ZZ p, q; 34 | while (true) 35 | { 36 | p = 2 * NTL::GenGermainPrime_ZZ(modulus_len / 2 - 1) + 1; 37 | q = 2 * NTL::GenGermainPrime_ZZ(modulus_len / 2 - 1) + 1; 38 | n_ = p * q; 39 | if (NumBits(n_) == modulus_len) 40 | { 41 | break; 42 | } 43 | } 44 | rsa_.p = p; 45 | rsa_.q = q; 46 | return rsa_; 47 | } 48 | 49 | NTL::ZZ HTLP::GenerateJacobiOne() 50 | { 51 | NTL::ZZ a; 52 | while (true) 53 | { 54 | a = RandomBnd(n_); 55 | if (Jacobi(a, n_) == 1) 56 | { 57 | return a; 58 | } 59 | } 60 | } 61 | 62 | NTL::ZZ HTLP::HashToElement(const std::string str) 63 | { 64 | unsigned char hash[SHA256_DIGEST_LENGTH]; 65 | SHA256_CTX sha256; 66 | SHA256_Init(&sha256); 67 | SHA256_Update(&sha256, str.c_str(), str.size()); 68 | SHA256_Final(hash, &sha256); 69 | std::stringstream ss; 70 | NTL::ZZ hash_value = NTL::ZZFromBytes(hash, kappa_ / 8); 71 | return hash_value; 72 | } 73 | 74 | NTL::ZZ HTLP::HashToPrime(const NTL::ZZ &g, const NTL::ZZ &h) 75 | { 76 | assert(g >= 0 && g < n_); 77 | assert(h >= 0 && h < n_); 78 | 79 | uint64_t j = 0; 80 | unsigned char hash[SHA512_DIGEST_LENGTH]; 81 | while (true) 82 | { 83 | SHA512_CTX sha512; 84 | SHA512_Init(&sha512); 85 | std::string s = "prime"; 86 | SHA512_Update(&sha512, &j, 8); 87 | SHA512_Update(&sha512, s.c_str(), s.size()); 88 | unsigned char g_bytes[NumBytes(g)]; 89 | unsigned char h_bytes[NumBytes(h)]; 90 | BytesFromZZ(g_bytes, g, NumBytes(g)); 91 | BytesFromZZ(h_bytes, h, NumBytes(g)); 92 | SHA512_Update(&sha512, g_bytes, NumBytes(g)); 93 | SHA512_Update(&sha512, h_bytes, NumBytes(h)); 94 | SHA512_Final(hash, &sha512); 95 | NTL::ZZ n = NTL::ZZFromBytes(hash, prime_len_); 96 | if (ProbPrime(n)) 97 | { 98 | return n; 99 | } 100 | j++; 101 | } 102 | } 103 | 104 | NTL::ZZ HTLP::GenerateProof(const long k, const long gamma, std::vector &C, NTL::ZZ &l) 105 | { 106 | long k1 = k >> 2; 107 | long k0 = k - k1; 108 | NTL::ZZ x(1); 109 | long k_exp = 1 << k; 110 | long k0_exp = 1 << k0; 111 | long k1_exp = 1 << k1; 112 | auto GetBlock = ([&](long i) -> long 113 | { 114 | NTL::ZZ p = PowerMod(NTL::ZZ(2), T_ - k * (i + 1), l); 115 | return trunc_long(k_exp * p / l, sizeof(long)); }); 116 | 117 | for (long j = gamma - 1; j >= 0; j--) 118 | { 119 | x = PowerMod(x, k_exp, n_); 120 | std::vector y(k_exp, NTL::ZZ(1)); 121 | long bound = T_ % (k * gamma) == 0 ? T_ / (k * gamma) : T_ / (k * gamma) + 1; 122 | for (long i = 0; i < bound; i++) 123 | { 124 | if (T_ - k * (i * gamma + j + 1) < 0) 125 | { 126 | continue; 127 | } 128 | long b = GetBlock(i * gamma + j); 129 | y[b] = y[b] * C[i] % n_; 130 | } 131 | 132 | for (long b1 = 0; b1 < NTL::power_long(2, k1); b1++) 133 | { 134 | NTL::ZZ z(1); 135 | for (long b0 = 0; b0 < NTL::power_long(2, k0); b0++) 136 | { 137 | z = z * y[b1 * NTL::power_long(2, k0) + b0] % n_; 138 | } 139 | x = x * PowerMod(PowerMod(z, b1, n_), NTL::power_long(2, k0), n_) % n_; 140 | } 141 | 142 | for (long b0 = 0; b0 < NTL::power_long(2, k0); b0++) 143 | { 144 | NTL::ZZ z(1); 145 | for (long b1 = 0; b1 < NTL::power_long(2, k1); b1++) 146 | { 147 | z = z * y[b1 * NTL::power_long(2, k0) + b0] % n_; 148 | } 149 | x = x * PowerMod(z, b0, n_) % n_; 150 | } 151 | } 152 | return x; 153 | } -------------------------------------------------------------------------------- /src/AHTLP.cpp: -------------------------------------------------------------------------------- 1 | #include "AHTLP.hpp" 2 | 3 | #define IS_CHEET_MODE assert(cheeting_mode_); 4 | 5 | AHTLP::AHTLP(const long modulus_len, const long T, const long kappa) : HTLP(modulus_len, T, kappa) 6 | { 7 | } 8 | AHTLP::AHTLP(const NTL::ZZ &n, const NTL::ZZ &g, const NTL::ZZ &h, const long T, const long kappa) : HTLP(n, g, h, T, kappa) 9 | { 10 | } 11 | AHTLP::AHTLP(const long modulus_len, const long T, const long kappa, bool cheeting_mode) : HTLP(modulus_len, T, kappa, cheeting_mode) 12 | { 13 | } 14 | 15 | std::tuple AHTLP::GenerateAValidProof(const APuzzle &Z, const NTL::ZZ &s, const NTL::ZZ &r) 16 | { 17 | NTL::ZZ x = NTL::RandomLen_ZZ(modulus_len_ - 1 + 2 * kappa_); 18 | NTL::ZZ t = GenerateRandomElement(); 19 | NTL::ZZ a = PowerMod(g_, x, n_); 20 | NTL::ZZ b = PowerMod(h_, x * n_, n_square_) * (1 + t * n_) % n_square_; 21 | 22 | std::stringstream ss; 23 | ss << n_ << g_ << h_ << Z.u << Z.v << a << b; 24 | NTL::ZZ e = HashToElement(ss.str()); 25 | 26 | NTL::ZZ alpha = r * e + x; 27 | NTL::ZZ beta = s * e + t % n_; 28 | 29 | return {a, b, alpha, beta}; 30 | } 31 | 32 | bool AHTLP::VerifyAValidProof(const APuzzle &Z, const std::tuple &proof) 33 | { 34 | const NTL::ZZ &a = std::get<0>(proof); 35 | const NTL::ZZ &b = std::get<1>(proof); 36 | const NTL::ZZ &alpha = std::get<2>(proof); 37 | const NTL::ZZ &beta = std::get<3>(proof); 38 | std::stringstream ss; 39 | ss << n_ << g_ << h_ << Z.u << Z.v << a << b; 40 | NTL::ZZ e = HashToElement(ss.str()); 41 | if (PowerMod(Z.u, e, n_) * a % n_ != PowerMod(g_, alpha, n_)) 42 | { 43 | return false; 44 | } 45 | if (PowerMod(h_, alpha * n_, n_square_) * (1 + beta * n_) % n_square_ != PowerMod(Z.v, e, n_square_) * b % n_square_) 46 | { 47 | return false; 48 | } 49 | return true; 50 | } 51 | 52 | APuzzle AHTLP::GeneratePuzzle(const NTL::ZZ &s) 53 | { 54 | assert(s < n_ && s >= 0); 55 | APuzzle Z(n_); 56 | NTL::ZZ r = GenerateRandomExponent(); 57 | Z.u = PowerMod(g_, r, n_); 58 | Z.v = PowerMod(h_, r * n_, n_square_) * (1 + s * n_) % n_square_; 59 | return Z; 60 | } 61 | 62 | APuzzle AHTLP::GeneratePuzzle(const NTL::ZZ &s, const NTL::ZZ &r) 63 | { 64 | assert(s < n_ && s >= 0); 65 | assert(r < n_ / 2 && r >= 0); 66 | APuzzle Z(n_); 67 | Z.u = PowerMod(g_, r, n_); 68 | Z.v = PowerMod(h_, r * n_, n_square_) * (1 + s * n_) % n_square_; 69 | return Z; 70 | } 71 | 72 | // return solution s, will return -1 if the puzzle is invalid 73 | NTL::ZZ AHTLP::QuickSolvePuzzle(const APuzzle &Z) 74 | { 75 | IS_CHEET_MODE 76 | const NTL::ZZ &u = Z.u; 77 | const NTL::ZZ &v = Z.v; 78 | NTL::ZZ w = NTL::PowerMod(u, trapdoor_, n_); 79 | NTL::ZZ temp = (v * InvMod(PowerMod(w, n_, n_square_), n_square_) % n_square_ - 1); 80 | return temp % n_ == NTL::ZZ(0) ? temp / n_ : NTL::ZZ(-1); 81 | } 82 | 83 | std::tuple AHTLP::QuickSolvePuzzleWithProof(const APuzzle &Z) 84 | { 85 | IS_CHEET_MODE 86 | const NTL::ZZ &u = Z.u; 87 | const NTL::ZZ &v = Z.v; 88 | NTL::ZZ w = NTL::PowerMod(u, trapdoor_, n_); 89 | NTL::ZZ temp = (v * InvMod(PowerMod(w, n_, n_square_), n_square_) % n_square_ - 1); 90 | NTL::ZZ s = temp % n_ == NTL::ZZ(0) ? temp / n_ : NTL::ZZ(-1); 91 | 92 | NTL::ZZ l = HashToPrime(u, w); 93 | 94 | NTL::ZZ r = PowerMod(NTL::ZZ(2), T_, l); 95 | NTL::ZZ q = (PowerMod(NTL::ZZ(2), T_, lambda_) - r) * InvMod(l, lambda_) % lambda_; 96 | NTL::ZZ pi = PowerMod(u, q, n_); 97 | return {s, w, pi}; 98 | } 99 | 100 | NTL::ZZ AHTLP::SolvePuzzle(const APuzzle &Z) 101 | { 102 | const NTL::ZZ &u = Z.u; 103 | const NTL::ZZ &v = Z.v; 104 | NTL::ZZ w = u; 105 | for (NTL::ZZ i(0); i < T_; i++) 106 | { 107 | w = NTL::SqrMod(w, n_); 108 | } 109 | NTL::ZZ temp = (v * InvMod(PowerMod(w, n_, n_square_), n_square_) % n_square_ - 1); 110 | NTL::ZZ s = temp % n_ == NTL::ZZ(0) ? temp / n_ : NTL::ZZ(-1); 111 | return s; 112 | } 113 | 114 | std::tuple AHTLP::SolvePuzzleWithProof(const long k, const long gamma, const APuzzle &Z) 115 | { 116 | const NTL::ZZ &u = Z.u; 117 | const NTL::ZZ &v = Z.v; 118 | NTL::ZZ w = u; 119 | std::vector C(T_ / (k * gamma) + 1); 120 | for (long i = 0; i < T_; i++) 121 | { 122 | if (i % (k * gamma) == 0) 123 | { 124 | C[i / (k * gamma)] = w; 125 | } 126 | w = NTL::SqrMod(w, n_); 127 | } 128 | NTL::ZZ temp = v * PowerMod(w, -n_, n_square_) % n_square_ - 1; 129 | NTL::ZZ s = temp % n_ == NTL::ZZ(0) ? temp / n_ : NTL::ZZ(-1); 130 | 131 | NTL::ZZ l = HashToPrime(u, w); 132 | 133 | clock_t start_time = clock(); 134 | NTL::ZZ pi = GenerateProof(k, gamma, C, l); 135 | clock_t end_time = clock(); 136 | std::cout << "Time of generating a MCorSol/MIvalid proof \t" << (double)(end_time - start_time) / CLOCKS_PER_SEC << std::endl; 137 | 138 | return {s, w, pi}; 139 | } 140 | 141 | // invalid proof = 0, valid solution = 1, invalid solution = -1 142 | int AHTLP::VerifyProofOfSol(const APuzzle Z, const std::tuple &solution_and_proof) 143 | { 144 | const NTL::ZZ &u = Z.u; 145 | const NTL::ZZ &v = Z.v; 146 | const NTL::ZZ &s = std::get<0>(solution_and_proof); 147 | const NTL::ZZ &w = std::get<1>(solution_and_proof); 148 | const NTL::ZZ &pi = std::get<2>(solution_and_proof); 149 | 150 | NTL::ZZ l = HashToPrime(u, w); 151 | NTL::ZZ r = PowerMod(NTL::ZZ(2), T_, l); 152 | if (PowerMod(pi, l, n_) * PowerMod(u, r, n_) % n_ != w) 153 | { 154 | return 0; 155 | } 156 | if (s >= 0 && s < n_ && PowerMod(w, n_, n_square_) * (1 + s * n_) % n_square_ == v) 157 | { 158 | return 1; 159 | } 160 | 161 | if (s == -1 && (v * PowerMod(w, -n_, n_square_) % n_square_ - 1) % n_ != 0) 162 | { 163 | return -1; 164 | } 165 | 166 | return 0; 167 | } 168 | -------------------------------------------------------------------------------- /src/main.cpp: -------------------------------------------------------------------------------- 1 | #include "AHTLP.hpp" 2 | #include "MHTLP.hpp" 3 | #include "Puzzle.hpp" 4 | 5 | #include 6 | #include 7 | #include 8 | #include 9 | 10 | using namespace std; 11 | using namespace NTL; 12 | 13 | clock_t start_time, end_time; 14 | 15 | void TestAHTLP(const long k, const long gamma, const long T, const long MODULUS_LEN = 2048, const long kappa = 128) 16 | { 17 | cout << "Init AHTLP scheme. " << endl; 18 | AHTLP scheme(MODULUS_LEN, T, kappa, true); // Init AHTLP scheme. 19 | 20 | ZZ s = scheme.GenerateRandomElement(); // Generate a random solution from Z_n 21 | ZZ s_prime = scheme.GenerateRandomElement(); 22 | ZZ r = scheme.GenerateRandomExponent(); // Generate randomness for puzzle s 23 | APuzzle Z = scheme.GeneratePuzzle(s); // Generate a AHTLP for solution s 24 | APuzzle Z_prime = scheme.GeneratePuzzle(s_prime); 25 | APuzzle Z_AValid = scheme.GeneratePuzzle(s, r); 26 | 27 | APuzzle Z_add = Z + Z_prime; 28 | 29 | APuzzle invalid_Z(Z.n()); 30 | invalid_Z.u = scheme.GenerateJacobiOne(); 31 | invalid_Z.v = RandomBnd(scheme.n_square()); 32 | 33 | auto sol_and_proof = scheme.SolvePuzzleWithProof(k, gamma, Z); 34 | auto invalid_Z_proof = scheme.SolvePuzzleWithProof(k, gamma, invalid_Z); 35 | auto sol_and_invalid_proof = sol_and_proof; 36 | get<2>(sol_and_invalid_proof) = scheme.GenerateRandomElement(); 37 | 38 | auto s_add = scheme.SolvePuzzle(Z_add); 39 | assert((s + s_prime) % scheme.n() == s_add); 40 | 41 | auto AValid_proof = scheme.GenerateAValidProof(Z_AValid, s, r); 42 | 43 | start_time = clock(); 44 | assert(scheme.VerifyProofOfSol(Z, sol_and_proof) == 1); 45 | end_time = clock(); 46 | cout << "Time of VerifyProofOfSol for 1 \t\t" << (double)(end_time - start_time) / CLOCKS_PER_SEC << endl; 47 | 48 | start_time = clock(); 49 | assert(scheme.VerifyProofOfSol(invalid_Z, invalid_Z_proof) == -1); 50 | end_time = clock(); 51 | cout << "Time of VerifyProofOfSol for -1 \t" << (double)(end_time - start_time) / CLOCKS_PER_SEC << endl; 52 | 53 | start_time = clock(); 54 | assert(scheme.VerifyProofOfSol(Z, sol_and_invalid_proof) == 0); 55 | end_time = clock(); 56 | cout << "Time of VerifyProofOfSol for 0 \t\t" << (double)(end_time - start_time) / CLOCKS_PER_SEC << endl; 57 | 58 | start_time = clock(); 59 | assert(scheme.VerifyAValidProof(Z_AValid, AValid_proof) == true); 60 | end_time = clock(); 61 | cout << "Time of VerifyAValidProof \t\t" << (double)(end_time - start_time) / CLOCKS_PER_SEC << endl; 62 | } 63 | 64 | void TestACorSol(const long k, const long gamma, const long T, const long MODULUS_LEN = 2048, const long kappa = 128) 65 | { 66 | cout << "Test ACorSol. " << endl; 67 | AHTLP scheme(MODULUS_LEN, T, kappa, true); // Init AHTLP scheme. 68 | 69 | ZZ s = scheme.GenerateRandomElement(); // Generate a random solution from Z_n 70 | APuzzle Z = scheme.GeneratePuzzle(s); // Generate a AHTLP for solution s 71 | 72 | start_time = clock(); 73 | auto sol_and_proof = scheme.SolvePuzzleWithProof(k, gamma, Z); 74 | end_time = clock(); 75 | cout << "Time of solving a puzzle and generating a ACorSol proof \t" << (double)(end_time - start_time) / CLOCKS_PER_SEC << endl; 76 | 77 | start_time = clock(); 78 | assert(scheme.VerifyProofOfSol(Z, sol_and_proof) == 1); 79 | end_time = clock(); 80 | cout << "Time of verifying a ACorSol proof \t" << (double)(end_time - start_time) / CLOCKS_PER_SEC << endl; 81 | } 82 | 83 | void TestAInvalid(const long k, const long gamma, const long T, const long MODULUS_LEN = 2048, const long kappa = 128) 84 | { 85 | cout << "Test AInvalid. " << endl; 86 | AHTLP scheme(MODULUS_LEN, T, kappa, true); // Init AHTLP scheme. 87 | 88 | ZZ s = scheme.GenerateRandomElement(); // Generate a random solution from Z_n 89 | APuzzle Z = scheme.GeneratePuzzle(s); // Generate a AHTLP for solution s 90 | 91 | APuzzle invalid_Z(Z.n()); 92 | invalid_Z.u = scheme.GenerateJacobiOne(); 93 | invalid_Z.v = RandomBnd(scheme.n_square()); 94 | 95 | start_time = clock(); 96 | auto invalid_Z_proof = scheme.SolvePuzzleWithProof(k, gamma, invalid_Z); 97 | end_time = clock(); 98 | cout << "Time of solving a puzzle and generating a AInvalid proof \t" << (double)(end_time - start_time) / CLOCKS_PER_SEC << endl; 99 | 100 | start_time = clock(); 101 | assert(scheme.VerifyProofOfSol(invalid_Z, invalid_Z_proof) == -1); 102 | end_time = clock(); 103 | cout << "Time of verifying a AInvalid proof \t" << (double)(end_time - start_time) / CLOCKS_PER_SEC << endl; 104 | } 105 | 106 | void TestAValid(const long k, const long gamma, const long T, const long MODULUS_LEN = 2048, const long kappa = 128) 107 | { 108 | cout << "Test AValid. " << endl; 109 | AHTLP scheme(MODULUS_LEN, T, kappa, true); // Init AHTLP scheme. 110 | 111 | ZZ s = scheme.GenerateRandomElement(); // Generate a random solution from Z_n 112 | ZZ r = scheme.GenerateRandomExponent(); // Generate randomness for puzzle s 113 | APuzzle Z_AValid = scheme.GeneratePuzzle(s, r); 114 | 115 | start_time = clock(); 116 | auto AValid_proof = scheme.GenerateAValidProof(Z_AValid, s, r); 117 | end_time = clock(); 118 | cout << "Time of generating a AValid proof \t" << (double)(end_time - start_time) / CLOCKS_PER_SEC << endl; 119 | 120 | start_time = clock(); 121 | assert(scheme.VerifyAValidProof(Z_AValid, AValid_proof) == true); 122 | end_time = clock(); 123 | cout << "Time of verifying a AValid proof \t" << (double)(end_time - start_time) / CLOCKS_PER_SEC << endl; 124 | } 125 | 126 | void TestMHTLP(const long k, const long gamma, const long T, const long MODULUS_LEN = 2048, const long kappa = 128) 127 | { 128 | cout << "Init MHTLP scheme. " << endl; 129 | MHTLP scheme(MODULUS_LEN, T, kappa, true); // Init AHTLP scheme. 130 | 131 | ZZ s = scheme.GenerateRandomElement(); // Generate a random solution from Z_n 132 | ZZ s_prime = scheme.GenerateRandomElement(); 133 | ZZ r = scheme.GenerateRandomExponent(); // Custom randomness 134 | ZZ r_prime = scheme.GenerateRandomExponent(); // Custom randomness 135 | MPuzzle Z = scheme.GeneratePuzzle(s); // Generate a AHTLP for solution s 136 | MPuzzle Z_prime = scheme.GeneratePuzzle(s_prime); 137 | MPuzzle Z_MValid = scheme.GeneratePuzzle(s, r, r_prime); 138 | 139 | MPuzzle Z_mul = Z * Z_prime; 140 | 141 | MPuzzle invalid_Z(Z.n()); 142 | invalid_Z.u = scheme.GenerateJacobiOne(); 143 | invalid_Z.u_prime = scheme.GenerateJacobiOne(); 144 | invalid_Z.v = scheme.GenerateJacobiOne(); 145 | invalid_Z.theta = RandomBnd(scheme.n_square()); 146 | 147 | auto sol_and_proof = scheme.SolvePuzzleWithProof(k, gamma, Z); 148 | // auto sol_and_proof = scheme.QuickSolvePuzzleWithProof(Z); 149 | auto invalid_Z_proof = scheme.SolvePuzzleWithProof(k, gamma, invalid_Z); 150 | auto sol_and_invalid_proof = sol_and_proof; 151 | get<2>(sol_and_invalid_proof) = scheme.GenerateRandomElement(); 152 | 153 | auto s_mul = scheme.SolvePuzzle(Z_mul); 154 | assert(s * s_prime % scheme.n() == s_mul); 155 | 156 | auto MValid_proof = scheme.GenerateMValidProof(Z_MValid, s, r, r_prime); 157 | 158 | assert(s == std::get<0>(sol_and_proof)); 159 | assert(-1 == std::get<0>(invalid_Z_proof)); 160 | 161 | assert(scheme.VerifyProofOfSol(Z, sol_and_proof) == 1); 162 | assert(scheme.VerifyProofOfSol(invalid_Z, invalid_Z_proof) == -1); 163 | assert(scheme.VerifyProofOfSol(Z, sol_and_invalid_proof) == 0); 164 | 165 | assert(scheme.VerifyMValidProof(Z_MValid, MValid_proof) == true); 166 | } 167 | 168 | void TestMCorSol(const long k, const long gamma, const long T, const long MODULUS_LEN = 2048, const long kappa = 128) 169 | { 170 | cout << "Test MCorSol. " << endl; 171 | MHTLP scheme(MODULUS_LEN, T, kappa, true); // Init AHTLP scheme. 172 | 173 | ZZ s = scheme.GenerateRandomElement(); // Generate a random solution from Z_n 174 | MPuzzle Z = scheme.GeneratePuzzle(s); // Generate a AHTLP for solution s 175 | 176 | start_time = clock(); 177 | auto sol_and_proof = scheme.SolvePuzzleWithProof(k, gamma, Z); 178 | end_time = clock(); 179 | cout << "Time of solving a puzzle and generating a MCorSol proof \t" << (double)(end_time - start_time) / CLOCKS_PER_SEC << endl; 180 | 181 | start_time = clock(); 182 | assert(scheme.VerifyProofOfSol(Z, sol_and_proof) == 1); 183 | end_time = clock(); 184 | cout << "Time of verifying a MCorSol proof \t" << (double)(end_time - start_time) / CLOCKS_PER_SEC << endl; 185 | } 186 | 187 | void TestMInvalid(const long k, const long gamma, const long T, const long MODULUS_LEN = 2048, const long kappa = 128) 188 | { 189 | cout << "Test MInvalid. " << endl; 190 | MHTLP scheme(MODULUS_LEN, T, kappa, true); // Init AHTLP scheme. 191 | 192 | ZZ s = scheme.GenerateRandomElement(); // Generate a random solution from Z_n 193 | MPuzzle Z = scheme.GeneratePuzzle(s); // Generate a AHTLP for solution s 194 | 195 | MPuzzle invalid_Z(Z.n()); 196 | invalid_Z.u = scheme.GenerateJacobiOne(); 197 | invalid_Z.u_prime = scheme.GenerateJacobiOne(); 198 | invalid_Z.v = scheme.GenerateJacobiOne(); 199 | invalid_Z.theta = RandomBnd(scheme.n_square()); 200 | 201 | start_time = clock(); 202 | auto invalid_Z_proof = scheme.SolvePuzzleWithProof(k, gamma, invalid_Z); 203 | end_time = clock(); 204 | cout << "Time of solving a puzzle and generating a MInvalid proof \t" << (double)(end_time - start_time) / CLOCKS_PER_SEC << endl; 205 | 206 | start_time = clock(); 207 | assert(scheme.VerifyProofOfSol(invalid_Z, invalid_Z_proof) == -1); 208 | end_time = clock(); 209 | cout << "Time of verifying a MInvalid proof \t" << (double)(end_time - start_time) / CLOCKS_PER_SEC << endl; 210 | } 211 | 212 | void TestMValid(const long k, const long gamma, const long T, const long MODULUS_LEN = 2048, const long kappa = 128) 213 | { 214 | cout << "Test MValid. " << endl; 215 | MHTLP scheme(MODULUS_LEN, T, kappa, true); // Init AHTLP scheme. 216 | 217 | ZZ s = scheme.GenerateRandomElement(); // Generate a random solution from Z_n 218 | ZZ r = scheme.GenerateRandomExponent(); // Custom randomness 219 | ZZ r_prime = scheme.GenerateRandomExponent(); // Custom randomness 220 | MPuzzle Z_MValid = scheme.GeneratePuzzle(s, r, r_prime); 221 | 222 | start_time = clock(); 223 | auto MValid_proof = scheme.GenerateMValidProof(Z_MValid, s, r, r_prime); 224 | end_time = clock(); 225 | cout << "Time of solving a puzzle and generating a MValid proof \t" << (double)(end_time - start_time) / CLOCKS_PER_SEC << endl; 226 | 227 | start_time = clock(); 228 | assert(scheme.VerifyMValidProof(Z_MValid, MValid_proof) == true); 229 | end_time = clock(); 230 | cout << "Time of verifying a MValid proof \t" << (double)(end_time - start_time) / CLOCKS_PER_SEC << endl; 231 | } 232 | 233 | int main(void) 234 | { 235 | // Parameter setting for VDF 236 | const long T = 10000000; 237 | const long k = max(1, long(log2(T)) / 3); 238 | const long gamma = max(1, long(sqrt(T))); 239 | 240 | TestACorSol(k, gamma, T); 241 | 242 | TestAInvalid(k, gamma, T); 243 | 244 | TestAValid(k, gamma, T); 245 | 246 | TestMCorSol(k, gamma, T); 247 | 248 | TestMInvalid(k, gamma, T); 249 | 250 | TestMValid(k, gamma, T); 251 | 252 | // TestAHTLP(k, gamma, T); 253 | 254 | // TestMHTLP(k, gamma, T); 255 | 256 | return 0; 257 | } -------------------------------------------------------------------------------- /src/MHTLP.cpp: -------------------------------------------------------------------------------- 1 | #include "MHTLP.hpp" 2 | 3 | #define IS_CHEET_MODE assert(cheeting_mode_); 4 | 5 | MHTLP::MHTLP(const long modulus_len, const long T, const long kappa) : HTLP(modulus_len, T, kappa) 6 | { 7 | while (true) 8 | { 9 | chi_ = GenerateRandomElement(); 10 | if (Jacobi(chi_, n_) == -1) 11 | { 12 | break; 13 | } 14 | } 15 | } 16 | MHTLP::MHTLP(const NTL::ZZ &n, const NTL::ZZ &g, const NTL::ZZ &h, const NTL::ZZ &chi, const long T, const long kappa) : HTLP(n, g, h, T, kappa) 17 | { 18 | chi_ = chi; 19 | } 20 | MHTLP::MHTLP(const long modulus_len, const long T, const long kappa, bool cheeting_mode) : HTLP(modulus_len, T, kappa, cheeting_mode) 21 | { 22 | while (true) 23 | { 24 | chi_ = GenerateRandomElement(); 25 | if (Jacobi(chi_, n_) == -1) 26 | { 27 | break; 28 | } 29 | } 30 | } 31 | 32 | std::tuple, std::vector, std::vector, std::vector> MHTLP::GenerateMValidProof(const MPuzzle &Z, const NTL::ZZ &s, const NTL::ZZ &r, const NTL::ZZ &r_prime) 33 | { 34 | int sigma; 35 | if (NTL::Jacobi(s, n_) == -1) 36 | { 37 | sigma = 1; 38 | } 39 | else 40 | { 41 | sigma = 0; 42 | } 43 | std::vector theta(2); 44 | theta[0] = Z.theta; 45 | theta[1] = Z.theta * NTL::InvMod(1 + n_, n_square_) % n_square_; 46 | const NTL::ZZ &u_prime = Z.u_prime; 47 | std::vector a(2); 48 | std::vector b(2); 49 | std::vector e(2); 50 | std::vector alpha(2); 51 | std::vector beta(2); 52 | 53 | e[1 - sigma] = NTL::RandomLen_ZZ(kappa_); 54 | alpha[1 - sigma] = NTL::RandomLen_ZZ(modulus_len_ - 1 + 2 * kappa_); 55 | a[1 - sigma] = PowerMod(g_, alpha[1 - sigma], n_) * PowerMod(u_prime, -e[1 - sigma], n_) % n_; 56 | b[1 - sigma] = PowerMod(h_, alpha[1 - sigma] * n_, n_square_) * PowerMod(theta[1 - sigma], -e[1 - sigma], n_square_) % n_square_; 57 | 58 | NTL::ZZ x = NTL::RandomLen_ZZ(modulus_len_ - 1 + 2 * kappa_); 59 | a[sigma] = PowerMod(g_, x, n_); 60 | b[sigma] = PowerMod(h_, x * n_, n_square_); 61 | 62 | std::stringstream ss; 63 | ss << n_ << g_ << h_ << Z.u << Z.u_prime << Z.v << Z.theta << a[0] << a[1] << b[0] << b[1]; 64 | NTL::ZZ e_challenge = HashToElement(ss.str()); 65 | 66 | e[sigma] = e_challenge ^ e[1 - sigma]; 67 | 68 | alpha[sigma] = r_prime * e[sigma] + x; 69 | 70 | return {a, b, e, alpha}; 71 | } 72 | 73 | bool MHTLP::VerifyMValidProof(const MPuzzle &Z, const std::tuple, std::vector, std::vector, std::vector> &proof) 74 | { 75 | const std::vector &a = std::get<0>(proof); 76 | const std::vector &b = std::get<1>(proof); 77 | const std::vector &e = std::get<2>(proof); 78 | const std::vector &alpha = std::get<3>(proof); 79 | std::vector theta(2); 80 | theta[0] = Z.theta; 81 | theta[1] = Z.theta * NTL::InvMod(1 + n_, n_square_) % n_square_; 82 | std::stringstream ss; 83 | ss << n_ << g_ << h_ << Z.u << Z.u_prime << Z.v << Z.theta << a[0] << a[1] << b[0] << b[1]; 84 | NTL::ZZ e_challenge = HashToElement(ss.str()); 85 | if (e_challenge != (e[0] ^ e[1])) 86 | { 87 | 88 | return false; 89 | } 90 | for (int i = 0; i < 2; i++) 91 | { 92 | if (PowerMod(Z.u_prime, e[i], n_) * a[i] % n_ != PowerMod(g_, alpha[i], n_)) 93 | { 94 | return false; 95 | } 96 | if (PowerMod(theta[i], e[i], n_square_) * b[i] % n_square_ != PowerMod(h_, alpha[i] * n_, n_square_)) 97 | { 98 | return false; 99 | } 100 | } 101 | return true; 102 | } 103 | 104 | MPuzzle MHTLP::GeneratePuzzle(const NTL::ZZ &s) 105 | { 106 | assert(s < n_ && s >= 0); 107 | MPuzzle Z(n_); 108 | NTL::ZZ r = GenerateRandomExponent(); 109 | NTL::ZZ r_prime = GenerateRandomExponent(); 110 | int sigma; 111 | if (NTL::Jacobi(s, n_) == -1) 112 | { 113 | sigma = 1; 114 | } 115 | else 116 | { 117 | sigma = 0; 118 | } 119 | Z.u = PowerMod(g_, r, n_); 120 | Z.u_prime = PowerMod(g_, r_prime, n_); 121 | Z.v = PowerMod(h_, r, n_) * PowerMod(chi_, sigma, n_) * s % n_; 122 | Z.theta = PowerMod(h_, r_prime * n_, n_square_) * (1 + sigma * n_) % n_square_; 123 | return Z; 124 | } 125 | MPuzzle MHTLP::GeneratePuzzle(const NTL::ZZ &s, const NTL::ZZ &r, const NTL::ZZ &r_prime) 126 | { 127 | assert(s < n_ && s >= 0); 128 | assert(r < n_ / 2 && r >= 0); 129 | assert(r_prime < n_ / 2 && r_prime >= 0); 130 | MPuzzle Z(n_); 131 | int sigma; 132 | if (NTL::Jacobi(s, n_) == -1) 133 | { 134 | sigma = 1; 135 | } 136 | else 137 | { 138 | sigma = 0; 139 | } 140 | Z.u = PowerMod(g_, r, n_); 141 | Z.u_prime = PowerMod(g_, r_prime, n_); 142 | Z.v = PowerMod(h_, r, n_) * PowerMod(chi_, sigma, n_) * s % n_; 143 | Z.theta = PowerMod(h_, r_prime * n_, n_square_) * (1 + sigma * n_) % n_square_; 144 | return Z; 145 | } 146 | 147 | NTL::ZZ MHTLP::SolvePuzzle(const MPuzzle &Z) 148 | { 149 | const NTL::ZZ &u = Z.u; 150 | const NTL::ZZ &u_prime = Z.u_prime; 151 | const NTL::ZZ &v = Z.v; 152 | const NTL::ZZ &theta = Z.theta; 153 | NTL::ZZ w = u; 154 | NTL::ZZ w_prime = u_prime; 155 | for (NTL::ZZ i(0); i < T_; i++) 156 | { 157 | w = NTL::SqrMod(w, n_); 158 | } 159 | for (NTL::ZZ i(0); i < T_; i++) 160 | { 161 | w_prime = NTL::SqrMod(w_prime, n_); 162 | } 163 | NTL::ZZ temp = theta * PowerMod(w_prime, -n_, n_square_) % n_square_ - 1; 164 | NTL::ZZ sigma = temp % n_ == NTL::ZZ(0) ? temp / n_ : NTL::ZZ(-1); 165 | 166 | NTL::ZZ s; 167 | if (sigma == -1) 168 | { 169 | s = -1; 170 | } 171 | else 172 | { 173 | s = v * PowerMod(chi_, -sigma, n_) * NTL::InvMod(w, n_) % n_; 174 | } 175 | return s; 176 | } 177 | 178 | // return solution s, will return -1 if the puzzle is invalid 179 | NTL::ZZ MHTLP::QuickSolvePuzzle(const MPuzzle &Z) 180 | { 181 | IS_CHEET_MODE 182 | const NTL::ZZ &u = Z.u; 183 | const NTL::ZZ &u_prime = Z.u_prime; 184 | const NTL::ZZ &v = Z.v; 185 | const NTL::ZZ &theta = Z.theta; 186 | 187 | NTL::ZZ w = NTL::PowerMod(u, trapdoor_, n_); 188 | NTL::ZZ w_prime = NTL::PowerMod(u_prime, trapdoor_, n_); 189 | NTL::ZZ temp = theta * PowerMod(w_prime, -n_, n_square_) % n_square_ - 1; 190 | NTL::ZZ sigma = temp % n_ == NTL::ZZ(0) ? temp / n_ : NTL::ZZ(-1); 191 | 192 | NTL::ZZ s; 193 | if (sigma == -1) 194 | { 195 | s = -1; 196 | } 197 | else 198 | { 199 | s = v * PowerMod(chi_, -sigma, n_) * NTL::InvMod(w, n_) % n_; 200 | } 201 | return s; 202 | } 203 | 204 | std::tuple MHTLP::QuickSolvePuzzleWithProof(const MPuzzle &Z) 205 | { 206 | IS_CHEET_MODE 207 | const NTL::ZZ &u = Z.u; 208 | const NTL::ZZ &u_prime = Z.u_prime; 209 | const NTL::ZZ &v = Z.v; 210 | const NTL::ZZ &theta = Z.theta; 211 | 212 | NTL::ZZ w = NTL::PowerMod(u, trapdoor_, n_); 213 | NTL::ZZ w_prime = NTL::PowerMod(u_prime, trapdoor_, n_); 214 | NTL::ZZ temp = theta * PowerMod(w_prime, -n_, n_square_) % n_square_ - 1; 215 | NTL::ZZ sigma = temp % n_ == NTL::ZZ(0) ? temp / n_ : NTL::ZZ(-1); 216 | 217 | NTL::ZZ s; 218 | if (sigma == -1) 219 | { 220 | s = -1; 221 | } 222 | else 223 | { 224 | s = v * PowerMod(chi_, -sigma, n_) * NTL::InvMod(w, n_) % n_; 225 | } 226 | 227 | NTL::ZZ l = HashToPrime(u, w); 228 | NTL::ZZ l_prime = HashToPrime(u_prime, w_prime); 229 | 230 | NTL::ZZ r = PowerMod(NTL::ZZ(2), T_, l); 231 | NTL::ZZ r_prime = PowerMod(NTL::ZZ(2), T_, l_prime); 232 | NTL::ZZ q = (PowerMod(NTL::ZZ(2), T_, lambda_) - r) * InvMod(l, lambda_) % lambda_; 233 | NTL::ZZ q_prime = (PowerMod(NTL::ZZ(2), T_, lambda_) - r_prime) * InvMod(l_prime, lambda_) % lambda_; 234 | NTL::ZZ pi = PowerMod(u, q, n_); 235 | NTL::ZZ pi_prime = PowerMod(u_prime, q_prime, n_); 236 | return {s, w, w_prime, pi, pi_prime}; 237 | } 238 | 239 | std::tuple MHTLP::SolvePuzzleWithProof(const long k, const long gamma, const MPuzzle &Z) 240 | { 241 | const NTL::ZZ &u = Z.u; 242 | const NTL::ZZ &u_prime = Z.u_prime; 243 | const NTL::ZZ &v = Z.v; 244 | const NTL::ZZ &theta = Z.theta; 245 | NTL::ZZ w = u; 246 | NTL::ZZ w_prime = u_prime; 247 | std::vector C(T_ / (k * gamma) + 1); 248 | std::vector C_prime(T_ / (k * gamma) + 1); 249 | for (long i = 0; i < T_; i++) 250 | { 251 | if (i % (k * gamma) == 0) 252 | { 253 | C[i / (k * gamma)] = w; 254 | } 255 | w = NTL::SqrMod(w, n_); 256 | } 257 | clock_t start = clock(); 258 | for (long i = 0; i < T_; i++) 259 | { 260 | if (i % (k * gamma) == 0) 261 | { 262 | C_prime[i / (k * gamma)] = w_prime; 263 | } 264 | w_prime = NTL::SqrMod(w_prime, n_); 265 | } 266 | clock_t end = clock(); 267 | std::cout << "Time \t" << (double)(end - start) / CLOCKS_PER_SEC << std::endl; 268 | 269 | 270 | NTL::ZZ temp = theta * PowerMod(w_prime, -n_, n_square_) % n_square_ - 1; 271 | NTL::ZZ sigma = temp % n_ == NTL::ZZ(0) ? temp / n_ : NTL::ZZ(-1); 272 | 273 | NTL::ZZ s; 274 | if (sigma == -1) 275 | { 276 | s = -1; 277 | } 278 | else 279 | { 280 | s = v * PowerMod(chi_, -sigma, n_) * NTL::InvMod(w, n_) % n_; 281 | } 282 | 283 | NTL::ZZ l = HashToPrime(u, w); 284 | NTL::ZZ l_prime = HashToPrime(u_prime, w_prime); 285 | 286 | clock_t start_time = clock(); 287 | 288 | NTL::ZZ pi = GenerateProof(k, gamma, C, l); 289 | NTL::ZZ pi_prime = GenerateProof(k, gamma, C_prime, l_prime); 290 | 291 | clock_t end_time = clock(); 292 | std::cout << "Time of generating a MCorSol/MIvalid proof \t" << (double)(end_time - start_time) / CLOCKS_PER_SEC << std::endl; 293 | 294 | return {s, w, w_prime, pi, pi_prime}; 295 | } 296 | 297 | // invalid proof = 0, valid solution = 1, invalid solution = -1 298 | int MHTLP::VerifyProofOfSol(const MPuzzle Z, const std::tuple &solution_and_proof) 299 | { 300 | const NTL::ZZ &u = Z.u; 301 | const NTL::ZZ &u_prime = Z.u_prime; 302 | const NTL::ZZ &v = Z.v; 303 | const NTL::ZZ &theta = Z.theta; 304 | const NTL::ZZ &s = std::get<0>(solution_and_proof); 305 | const NTL::ZZ &w = std::get<1>(solution_and_proof); 306 | const NTL::ZZ &w_prime = std::get<2>(solution_and_proof); 307 | const NTL::ZZ &pi = std::get<3>(solution_and_proof); 308 | const NTL::ZZ &pi_prime = std::get<4>(solution_and_proof); 309 | 310 | NTL::ZZ l = HashToPrime(u, w); 311 | NTL::ZZ l_prime = HashToPrime(u_prime, w_prime); 312 | NTL::ZZ r = PowerMod(NTL::ZZ(2), T_, l); 313 | NTL::ZZ r_prime = PowerMod(NTL::ZZ(2), T_, l_prime); 314 | if (PowerMod(pi, l, n_) * PowerMod(u, r, n_) % n_ != w || PowerMod(pi_prime, l_prime, n_) * PowerMod(u_prime, r_prime, n_) % n_ != w_prime) 315 | { 316 | return 0; 317 | } 318 | 319 | NTL::ZZ temp = theta * PowerMod(w_prime, -n_, n_square_) % n_square_ - 1; 320 | NTL::ZZ sigma = temp % n_ == NTL::ZZ(0) ? temp / n_ : NTL::ZZ(-1); 321 | if (sigma == -1 && s == -1) 322 | { 323 | return -1; 324 | } 325 | if (s >= 0 && s <= n_ && v == w * PowerMod(chi_, sigma, n_) * s % n_) 326 | { 327 | return 1; 328 | } 329 | return 0; 330 | } 331 | 332 | 333 | --------------------------------------------------------------------------------