/**
* Computes the simulator computation.
*
* @param input MUST be an instance of SigmaDHCommonInput.
* @param challenge
* @return the output of the computation - (a, e, z).
* @throws CheatAttemptException if the received challenge's length is not equal to the soundness
* parameter.
* @throws IllegalArgumentException if the given input is not an instance of SigmaDHCommonInput.
*/
public SigmaSimulatorOutput simulate(SigmaCommonInput input, byte[] challenge)
throws CheatAttemptException {
// check the challenge validity.
if (!checkChallengeLength(challenge)) {
throw new CheatAttemptException(
"the length of the given challenge is differ from the soundness parameter");
}
if (!(input instanceof SigmaDHCommonInput)) {
throw new IllegalArgumentException("the given input must be an instance of SigmaDHInput");
}
SigmaDHCommonInput dhInput = ((SigmaDHCommonInput) input);
// Sample a random z <- Zq
BigInteger z = BigIntegers.createRandomInRange(BigInteger.ZERO, qMinusOne, random);
// Compute a = g^z*u^(-e) (where -e here means -e mod q)
GroupElement gToZ = dlog.exponentiate(dlog.getGenerator(), z);
BigInteger e = new BigInteger(1, challenge);
BigInteger minusE = dlog.getOrder().subtract(e);
GroupElement uToE = dlog.exponentiate(dhInput.getU(), minusE);
GroupElement a = dlog.multiplyGroupElements(gToZ, uToE);
// Compute b = h^z*v^(-e) (where -e here means -e mod q)
GroupElement hToZ = dlog.exponentiate(dhInput.getH(), z);
GroupElement vToE = dlog.exponentiate(dhInput.getV(), minusE);
GroupElement b = dlog.multiplyGroupElements(hToZ, vToE);
// Output ((a,b),e,z).
return new SigmaDHSimulatorOutput(
new SigmaDHMsg(a.generateSendableData(), b.generateSendableData()),
challenge,
new SigmaBIMsg(z));
}
/**
* Converts the input for the underlying prover computation.
*
* @param input MUST be an instance of SigmaPedersenCommittedValueProverInput.
* @throws IllegalArgumentException if input is not an instance of
* SigmaPedersenCommittedValueProverInput.
*/
private SigmaDlogProverInput convertInput(SigmaProverInput in) {
if (!(in instanceof SigmaPedersenCommittedValueProverInput)) {
throw new IllegalArgumentException(
"the given input must be an instance of SigmaPedersenCommittedValueProverInput");
}
SigmaPedersenCommittedValueProverInput input = (SigmaPedersenCommittedValueProverInput) in;
SigmaPedersenCommittedValueCommonInput params = input.getCommonParams();
// Convert the input to the underlying Dlog prover. h' = c*h^(-x).
BigInteger minusX = dlog.getOrder().subtract(params.getX());
GroupElement hToX = dlog.exponentiate(params.getH(), minusX);
GroupElement c = params.getCommitment();
GroupElement hTag = dlog.multiplyGroupElements(c, hToX);
return new SigmaDlogProverInput(hTag, input.getR());
}
/**
* Checks the validity of the given soundness parameter.
*
* @return true if the soundness parameter is valid; false, otherwise.
*/
private boolean checkSoundnessParam() {
// If soundness parameter does not satisfy 2^t<q, return false.
BigInteger soundness = new BigInteger("2").pow(t);
BigInteger q = dlog.getOrder();
if (soundness.compareTo(q) >= 0) {
return false;
}
return true;
}
/**
* Constructor that gets the underlying DlogGroup, soundness parameter and SecureRandom.
*
* @param dlog
* @param t Soundness parameter in BITS.
* @param random
*/
public SigmaDHSimulator(DlogGroup dlog, int t, SecureRandom random) {
// Sets the parameters.
this.dlog = dlog;
this.t = t;
// Check the soundness validity.
if (!checkSoundnessParam()) {
throw new IllegalArgumentException("soundness parameter t does not satisfy 2^t<q");
}
this.random = random;
qMinusOne = dlog.getOrder().subtract(BigInteger.ONE);
}