Redo getBatchingVectorAndChallenge

reverse engineered from VMN
replace test data

src/main/kotlin/org/cryptobiotic/mixnet/Challenge.kt

@@ -4,27 +4,62 @@ import org.cryptobiotic.eg.election.parameterBaseHash
 import org.cryptobiotic.eg.core.*
 import org.cryptobiotic.maths.*
 
-fun getBatchingVectorAndChallenge(
+// Generate a seed to the PRG for batching. TODO cryptographer review.
+fun makeBatchingVector(
     group: GroupContext,
     mixName: String,
     h: VectorP,
     u: VectorP,
     pk: ElGamalPublicKey,
     w: List<VectorCiphertext>,
     wp: List<VectorCiphertext>,
-): Pair<VectorQ, ElementModQ> {
-    // Generate a seed to the PRG for batching. TODO cryptographer review.
+): Pair<UInt256, VectorQ> {
+    //        ByteTreeContainer challengeData =
+    //            new ByteTreeContainer(P.g.toByteTree(), // group generator
+    //                                  P.h.toByteTree(), // generators
+    //                                  P.u.toByteTree(),
+    //                                  pkey.toByteTree(),
+    //                                  w.toByteTree(),
+    //                                  wp.toByteTree());
     val baseHash = parameterBaseHash(group.constants)
     val ciphertexts = w.flatMap { it.elems }
     val shuffled = wp.flatMap { it.elems }
     val prgSeed = hashFunction(baseHash.bytes, 0x101.toByte(), h.elems, u.elems, pk, ciphertexts, shuffled)
 
+    // TODO use PRG with n_r ??
     // generate "batching vector"
-    val batchVector = VectorQ(group, Nonces(prgSeed.toElementModQ(group), mixName).take(h.nelems))
-    // create another nonce for the challenge
-    val challenge = hashFunction(prgSeed.bytes, 0x102.toByte(), mixName)
+    return Pair(prgSeed, VectorQ(group, Nonces(prgSeed.toElementModQ(group), mixName).take(h.nelems)))
+}
 
-    return Pair(batchVector, challenge.toElementModQ(group))
+// data class ProofCommittment (
+//    val u: VectorP, // permutation commitment = pcommit
+//    val d: ElementModQ, // x[n-1]
+//    val e: VectorQ,
+//
+//    val Ap: ElementModP, // Proof commitment used for the bridging commitments
+//    val B: VectorP, // Bridging commitments used to build up a product in the exponent
+//    val Bp: VectorP, // Proof commitments for the bridging commitments
+//    val Cp: ElementModP, // Proof commitment for proving sum of random components
+//    val Dp: ElementModP, // Proof commitment for proving product of random components.
+//
+//    val Fp: VectorCiphertext, // width
+//)
+fun makeChallenge(
+    group: GroupContext,
+    prgSeed: UInt256,
+    pos: ProofCommittment,
+): ElementModQ {
+    //        return new ByteTreeContainer(B.toByteTree(),
+    //                                     Ap.toByteTree(),
+    //                                     Bp.toByteTree(),
+    //                                     Cp.toByteTree(),
+    //                                     Dp.toByteTree(),
+    //                                     Fp.toByteTree());
+
+    // TODO use PRG with n_r ??
+    val challenge = hashFunction(prgSeed.bytes, 0x102.toByte(), pos.Ap, pos.B.elems, pos.Bp.elems, pos.Cp, pos.Dp, pos.Fp.elems)
+
+    return challenge.toElementModQ(group)
 }
 
 //// PoSTW 95
@@ -47,14 +82,13 @@ fun getBatchingVectorAndChallenge(
 //                                  w.toByteTree(),
 //                                  wp.toByteTree());
 //
-// make a seed from challengeData
+// make a seed from challengeData, use it in commit
 //        final byte[] prgSeed = challenger.challenge(tempLog2, challengeData, 8 * prg.minNoSeedBytes(), rbitlen);
 //
 //        tempLog.info("Compute commitment.");
 //        final ByteTreeBasic commitment = P.commit(prgSeed);
 // ..
-// PoSTW 143
-//        // Generate a challenge.
+//// PoSTW 143 Generate a challenge. Uses same prgSeed to create new challengeData
 //        challengeData = new ByteTreeContainer(new ByteTree(prgSeed), commitment);
 //        final byte[] challengeBytes = challenger.challenge(tempLog2, challengeData, vbitlen(), rbitlen);
 //        final LargeInteger integerChallenge = LargeInteger.toPositive(challengeBytes);
@@ -118,23 +152,10 @@ fun getBatchingVectorAndChallenge(
 //    }
 
 
-
-
-
-
-// which calls         setBatchVector(prgSeed);
-
-// PoSBasicTW 552
+// PoSBasicTW 552: set the "batch vector"
 //     public void setBatchVector(final byte[] prgSeed) {
 //        prg.setSeed(prgSeed);
 //        final LargeIntegerArray lia =
 //            LargeIntegerArray.random(size, ebitlen, prg);
 //        this.e = pField.unsafeToElementArray(lia);
 //    }
-
-
-
-//// PoSTW 143 Generate a challenge. Uses same prgSeed to create new challengeData
-//        challengeData = new ByteTreeContainer(new ByteTree(prgSeed), commitment);
-//        final byte[] challengeBytes = challenger.challenge(tempLog2, challengeData, vbitlen(), rbitlen);
-//        final LargeInteger integerChallenge = LargeInteger.toPositive(challengeBytes);

src/main/kotlin/org/cryptobiotic/mixnet/ShuffleProver.kt

@@ -54,7 +54,7 @@ fun runProof(
     // these are the deterministic nonces and generators that verifier must also be able to generate
     val generators = getGeneratorsVmn(group, w.size, mixName) // CE n + 1 acc
     val (pcommit, pnonces) = permutationCommitmentVmn(group, psi, generators)
-    val (e, challenge) = getBatchingVectorAndChallenge(group, mixName, generators, pcommit, publicKey, w, wp)
+    val (prgSeed, e) = makeBatchingVector(group, mixName, generators, pcommit, publicKey, w, wp)
 
     val prover = ProverV(   // CE n acc
         group,
@@ -69,6 +69,7 @@ fun runProof(
         psi,
     )
     val pos = prover.commit(nthreads)
+    val challenge = makeChallenge(group, prgSeed, pos)
     return prover.reply(pos, challenge)
 }
 
@@ -266,7 +267,7 @@ fun innerProductColumn(matrixq: MatrixQ, exps: VectorQ): VectorQ {
     return VectorQ(exps.group, result)
 }
 
-data class ProofCommittment (
+data class ProofCommittment(
     val u: VectorP, // permutation commitment = pcommit
     val d: ElementModQ, // x[n-1]
     val e: VectorQ,
@@ -278,7 +279,9 @@ data class ProofCommittment (
     val Dp: ElementModP, // Proof commitment for proving product of random components.
 
     val Fp: VectorCiphertext, // width
-)
+) {
+    constructor(pos: ProofOfShuffle, d: ElementModQ, e: VectorQ) : this(pos.u, d, e, pos.Ap, pos.B, pos.Bp, pos.Cp, pos.Dp, pos.Fp)
+}
 
 ////////////////////////////////////////////////////////////////////////////////
 

src/main/kotlin/org/cryptobiotic/mixnet/ShuffleVerifier.kt

@@ -48,7 +48,9 @@ fun runVerify(
 ):Boolean {
     // these are the deterministic nonces and generators that prover must also be able to generate
     val generators = getGeneratorsVmn(group, w.size, pos.mixname) // CE 1 acc n exp
-    val (e, challenge) = getBatchingVectorAndChallenge(group, pos.mixname, generators, pos.u, publicKey, w, wp)
+    val (prgSeed, e) = makeBatchingVector(group, pos.mixname, generators, pos.u, publicKey, w, wp)
+    val d = group.randomElementModQ() // dont need d
+    val challenge = makeChallenge(group, prgSeed, ProofCommittment(pos, d, e))
 
     val verifier = VerifierV(
         group,
@@ -59,6 +61,7 @@ fun runVerify(
         w,
         wp,
     )
+
     return verifier.verify(pos, nthreads)
 }
 

src/main/kotlin/org/cryptobiotic/mixnet/cli/RunProofOfShuffleVerifier.kt

@@ -131,7 +131,7 @@ class RunProofOfShuffleVerifier {
                     logger.error { "Validate failed!!" }
                     if (!noexit) exitProcess(7) else return
                 } else {
-                    logger.info { "Validation of ${config.mix_name} success" }
+                    logger.info { "Validation of ${config.mix_name} is successful" }
                 }
 
             } catch (t: Throwable) {