diff --git a/src/bbs_verify.sol b/src/bbs_verify.sol
index be7dda9..e10fdc8 100644
--- a/src/bbs_verify.sol
+++ b/src/bbs_verify.sol
@@ -763,7 +763,7 @@ contract BBS_Verifier {
 uint256 l = u + r;
 uint8[] memory undisclosedIndices = complement(uint8(u), uint8(r), disclosedIndices);
- uint256 domain = calculate_domain(pk, uint64(l + 1));
+ uint256 domain = calculate_domain(pk, uint64(l));
 Pairing.G1Point memory t1 = Pairing.scalar_mul(proof.bBar, proof.challenge);
 Pairing.G1Point memory t11 = Pairing.scalar_mul(proof.aBar, proof.eCap);
 Pairing.G1Point memory t12 = Pairing.scalar_mul(proof.d, proof.r1Cap);
@@ -773,9 +773,9 @@ contract BBS_Verifier {
 Pairing.G1Point memory bv1 = Pairing.scalar_mul(BBS.generators()[0], domain);
 Pairing.G1Point memory bv = Pairing.plus(BBS.BP1(), bv1);
- for (uint256 i = 1; i < disclosedIndices.length; i++) {
+ for (uint256 i = 0; i < disclosedIndices.length; i++) {
 uint8 disclosedIndex = disclosedIndices[i] + 1;
- uint256 disclosedm = disclosedMsg[i - 1];
+ uint256 disclosedm = disclosedMsg[i];
 Pairing.G1Point memory t = Pairing.scalar_mul(BBS.generators()[disclosedIndex], disclosedm);
 bv = Pairing.plus(bv, t);
 }
diff --git a/test/bbs_verify.t.sol b/test/bbs_verify.t.sol
index 5c5938e..7e08a76 100644
--- a/test/bbs_verify.t.sol
+++ b/test/bbs_verify.t.sol
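Review bot: The second argument to calculate_domain changes from l + 1 to l, but nothing at the call site records which count calculate_domain expects (presumably L, the total message count, rather than the generator count L + 1 — confirm against its definition), which is exactly the off-by-one this hunk corrects. A comment such as `// l = disclosed + undisclosed message count; calculate_domain takes L, not the number of generators` would stop it drifting back. The enclosing function starts and ends outside the hunk, so whether u and r are validated against disclosedIndices.length before this point is not visible here.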
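Review bot: The rewritten loop reads disclosedMsg[i] for every i below disclosedIndices.length without checking that the two arrays have the same length, so fewer messages than indices end in an array-bounds panic rather than a clear rejection, and extra messages are silently ignored. Add `require(disclosedMsg.length == disclosedIndices.length, "disclosed length mismatch");` before the loop, and unless complement() already enforces it, reject indices that are out of range for l or not strictly increasing so duplicates cannot reach the generator sum. BBS.generators() is also evaluated on every iteration; if it builds or copies the array, hoisting it into a local before the loop avoids repeating that work. The enclosing function starts and ends outside the hunk.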
@@ -64,6 +64,53 @@ contract BBS_VerifierTest is Test {
 uint256(15886074934859455688300902859116025241719978288647494891665273100122551253775)
 ]
 );
+
+ proof.aBar = Pairing.G1Point(
+ uint256(2389859733424702129156888454204363947129790103145727264232242043740634819795),
+ uint256(1097959188506991370624082972495363785392704497493505982994469705407803350963)
+ );
+ proof.bBar = Pairing.G1Point(
+ uint256(5583742200394344059117141975579204392825248477802207110572797814797870159151),
+ uint256(9483599358002031430276889173892716777483137155844013203204704308340368005455)
+ );
+ proof.d = Pairing.G1Point(
+ uint256(3582064199758817395084567888979131399489180310854527659722233373316200088935),
+ uint256(5013664001823222493328983250535695894780415104032411286476938301746177789413)
+ );
+ proof.eCap = uint256(18845685828282296109338653832715366439340731857280092412100502542093238017121);
+ proof.r1Cap = uint256(9407374954518962485998988864037019598594980826080218297998777788535340323505);
+ proof.r3Cap = uint256(5837326718558961775248227894568850849739195076278847619090820141173179156286);
+ proof.challenge = uint256(1591638219516725013719722625634121132371156700165462279008346780516639045559);
+
+ proof.commitments = new uint256[](28);
+ proof.commitments[0] = uint256(19294976838385181770793500356536976137761603712764994792098766193374191876912);
+ proof.commitments[1] = uint256(15665415302100139273532636634079826924901045981054052367536616453496735458217);
+ proof.commitments[2] = uint256(683930125651279685941922347584330726360286383661921413071836909971322658487);
+ proof.commitments[3] = uint256(19139389920714243985207332025043197035989631040457777976356301787011323729276);
+ proof.commitments[4] = uint256(18618858673441963890372012149463249331474633025425724406359200230791204287230);
+ proof.commitments[5] = uint256(2976275943360506885513902927829991119821049217269141554546744125648883808942);
+ proof.commitments[6] = uint256(7741497297544722970404455630072351311578064143715935462570603923441613133744);
+ proof.commitments[7] = uint256(12967032185914576602520344445528015313070963424802156236169192801463223968661);
+ proof.commitments[8] = uint256(6043705854067455577201571917734598072195060225500347736839100243640844147002);
+ proof.commitments[9] = uint256(7975958630214731015881597638148368736223203423519335663374795593972224628115);
+ proof.commitments[10] = uint256(5063917606748444318907002556386444282092995588424392944567946512018789907140);
+ proof.commitments[11] = uint256(128040869348113497802925734488026672154884121598398892285429338520827919187);
+ proof.commitments[12] = uint256(14166237414040449407807471567974813122898634008531680576980068190629841500992);
+ proof.commitments[13] = uint256(10471689082020479049925288784800851938975928999514484173830417499950256354756);
+ proof.commitments[14] = uint256(15442764830050595368343336168542039867667707392169536613884312984553476659334);
+ proof.commitments[15] = uint256(4190278990131177527923939339437262621281884418841174445527841942545704670174);
+ proof.commitments[16] = uint256(16721190604424697547606415666395009966841952016976459857585742817670838860790);
+ proof.commitments[17] = uint256(14019571406538264268957540789616106976608464484428950403832393757541615116503);
+ proof.commitments[18] = uint256(13161687818138085884961868953000174105307154828324712897804198838117049296373);
+ proof.commitments[19] = uint256(6019614396043304926995639315223000477434362157996549649396479567418199051814);
+ proof.commitments[20] = uint256(21398477016991141441638825844804401235924603218228216791095578579507004064104);
+ proof.commitments[21] = uint256(1284175716692509966139981641582834335237711428658302342410234707146408446478);
+ proof.commitments[22] = uint256(6624718910876334988261064022540419708897921318648870734901499422236758644237);
+ proof.commitments[23] = uint256(5020676234843826149023183290373090464129613657687115661309141620371659838114);
+ proof.commitments[24] = uint256(2784673656377231901294632131937418325662199844847647577081445797306124167264);
+ proof.commitments[25] = uint256(2606587054699910611464857084585278905009451516207206420773353623680103150777);
+ proof.commitments[26] = uint256(2908463991346345116779230591032285009421675994539341126361104083742823396510);
+ proof.commitments[27] = uint256(19581358284736034190184981706514887539334457204635337638025215728461147420373);
 }
 function test_verify() public {
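Review bot: The three G1 points assigned to proof.aBar, proof.bBar and proof.d in this fixture are repeated verbatim as initProof.points[0..2] in test_proof_verify_init, and every value here also appears in test_vector.txt, so a regenerated vector has to be hand-copied into three places with no check that they still agree. A comment naming the origin, `// proof fixture: mirrors the proof.* entries of test_vector.txt`, and a small helper returning the shared points would keep them in one spot. The enclosing function starts outside the hunk.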
@@ -73,6 +120,49 @@ contract BBS_VerifierTest is Test {
 bool res = verifier.verifySignature(pk, sig, msgScalar);
 assert(res);
 }
+
+ function test_proof_verify_init() public {
+ BBS_Verifier verifier;
+ verifier = new BBS_Verifier();
+ uint256[] memory disclosed_msg = new uint256[](3);
+ disclosed_msg[0] = 2266124219189018131;
+ disclosed_msg[1] = 15553430782966677989;
+ disclosed_msg[2] = 4743228516788447402;
+
+ uint8[] memory disclosed_indices = new uint8[](3);
+ disclosed_indices[0] = 0;
+ disclosed_indices[1] = 1;
+ disclosed_indices[2] = 5;
+
+ BBS_Verifier.InitProof memory initProof;
+ initProof.points[0] = Pairing.G1Point(
+ uint256(2389859733424702129156888454204363947129790103145727264232242043740634819795),
+ uint256(1097959188506991370624082972495363785392704497493505982994469705407803350963)
+ );
+ initProof.points[1] = Pairing.G1Point(
+ uint256(5583742200394344059117141975579204392825248477802207110572797814797870159151),
+ uint256(9483599358002031430276889173892716777483137155844013203204704308340368005455)
+ );
+ initProof.points[2] = Pairing.G1Point(
+ uint256(3582064199758817395084567888979131399489180310854527659722233373316200088935),
+ uint256(5013664001823222493328983250535695894780415104032411286476938301746177789413)
+ );
+ initProof.points[3] = Pairing.G1Point(
+ uint256(2608558917589104469794946005308295328376354729516260293998541446338037245316),
+ uint256(7380216098169806522493651841483387702118496867918844646938817052216546927834)
+ );
+ initProof.points[4] = Pairing.G1Point(
+ uint256(10970264894326745811902665330882027157454649744995755774915880032341514664640),
+ uint256(2673275558703332757019628075603459814671885523946659461460975817206171298679)
+ );
+ initProof.scalar = uint256(4661402122534330745222086575742781481159552639583525480514127238648290568236);
+
+ BBS_Verifier.InitProof memory init_output =
+ verifier.proofVerifyInit(pk, proof, disclosed_msg, disclosed_indices);
+ assert(initProof.scalar == init_output.scalar);
+ // assert(initProof.points[4].X == init_output.points[4].X);
+ // assert(initProof.points[3].Y == init_output.points[3].Y);
+ }
 }
 contract hashToCurve is Test {
diff --git a/test_vector.txt b/test_vector.txt
index 1513536..1fa2f00 100644
--- a/test_vector.txt
+++ b/test_vector.txt
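Review bot: test_proof_verify_init checks only the scalar of the returned InitProof; the two point comparisons are commented out, so the five points[] values set up above are never asserted and a regression in any of them would still pass. Either restore the comparison for all five, `for (uint256 i = 0; i < 5; i++) { assert(initProof.points[i].X == init_output.points[i].X); assert(initProof.points[i].Y == init_output.points[i].Y); }`, or leave a comment stating why the points currently do not match so the gap is deliberate rather than forgotten. The disclosed_msg and disclosed_indices values used here do not appear in the part of test_vector.txt shown in this diff next to points[] and scalar, so the expected output cannot be regenerated from the vector file alone.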
@@ -67,4 +67,45 @@ generator : "(189810459381132836124433882517927671070942403512021061448844752803
 generator : "(5849608471641896932689050259307265823896272072351795065590531311030596429007, 21229044712538721502348483276244406588878344472909917768994382101200976203326)"
 generator : "(393432175667211108483070939793661330735615114668362658763611056763370352241, 19985271941600432926866508116673625261827724078554764982827712024353220929168)"
 signature.A : "(16605941458272293469898459593559962462499885703597334825353004900710945536242, 15276896411257112930580737499920866088375905247814230771366087132031781450435)"
-signature.E : "20145301027381071188604537375435971326340204640470956156185142406370688319043"
\ No newline at end of file
+signature.E : "20145301027381071188604537375435971326340204640470956156185142406370688319043"
+proof.a : "(2389859733424702129156888454204363947129790103145727264232242043740634819795, 1097959188506991370624082972495363785392704497493505982994469705407803350963)"
+proof.b : "(5583742200394344059117141975579204392825248477802207110572797814797870159151, 9483599358002031430276889173892716777483137155844013203204704308340368005455)"
+proof.d : "(3582064199758817395084567888979131399489180310854527659722233373316200088935, 5013664001823222493328983250535695894780415104032411286476938301746177789413)"
+proof.eCap : "18845685828282296109338653832715366439340731857280092412100502542093238017121"
+proof.r1Cap : "9407374954518962485998988864037019598594980826080218297998777788535340323505"
+proof.r3Cap : "5837326718558961775248227894568850849739195076278847619090820141173179156286"
+proof.challenge : "1591638219516725013719722625634121132371156700165462279008346780516639045559"
+proof.commitments[0] : "19294976838385181770793500356536976137761603712764994792098766193374191876912"
+proof.commitments[1] : "15665415302100139273532636634079826924901045981054052367536616453496735458217"
+proof.commitments[2] : "683930125651279685941922347584330726360286383661921413071836909971322658487"
+proof.commitments[3] : "19139389920714243985207332025043197035989631040457777976356301787011323729276"
+proof.commitments[4] : "18618858673441963890372012149463249331474633025425724406359200230791204287230"
+proof.commitments[5] : "2976275943360506885513902927829991119821049217269141554546744125648883808942"
+proof.commitments[6] : "7741497297544722970404455630072351311578064143715935462570603923441613133744"
+proof.commitments[7] : "12967032185914576602520344445528015313070963424802156236169192801463223968661"
+proof.commitments[8] : "6043705854067455577201571917734598072195060225500347736839100243640844147002"
+proof.commitments[9] : "7975958630214731015881597638148368736223203423519335663374795593972224628115"
+proof.commitments[10] : "5063917606748444318907002556386444282092995588424392944567946512018789907140"
+proof.commitments[11] : "128040869348113497802925734488026672154884121598398892285429338520827919187"
+proof.commitments[12] : "14166237414040449407807471567974813122898634008531680576980068190629841500992"
+proof.commitments[13] : "10471689082020479049925288784800851938975928999514484173830417499950256354756"
+proof.commitments[14] : "15442764830050595368343336168542039867667707392169536613884312984553476659334"
+proof.commitments[15] : "4190278990131177527923939339437262621281884418841174445527841942545704670174"
+proof.commitments[16] : "16721190604424697547606415666395009966841952016976459857585742817670838860790"
+proof.commitments[17] : "14019571406538264268957540789616106976608464484428950403832393757541615116503"
+proof.commitments[18] : "13161687818138085884961868953000174105307154828324712897804198838117049296373"
+proof.commitments[19] : "6019614396043304926995639315223000477434362157996549649396479567418199051814"
+proof.commitments[20] : "21398477016991141441638825844804401235924603218228216791095578579507004064104"
+proof.commitments[21] : "1284175716692509966139981641582834335237711428658302342410234707146408446478"
+proof.commitments[22] : "6624718910876334988261064022540419708897921318648870734901499422236758644237"
+proof.commitments[23] : "5020676234843826149023183290373090464129613657687115661309141620371659838114"
+proof.commitments[24] : "2784673656377231901294632131937418325662199844847647577081445797306124167264"
+proof.commitments[25] : "2606587054699910611464857084585278905009451516207206420773353623680103150777"
+proof.commitments[26] : "2908463991346345116779230591032285009421675994539341126361104083742823396510"
+proof.commitments[27] : "19581358284736034190184981706514887539334457204635337638025215728461147420373"
+points[0] : "(2389859733424702129156888454204363947129790103145727264232242043740634819795, 1097959188506991370624082972495363785392704497493505982994469705407803350963)"
+points[1] : "(5583742200394344059117141975579204392825248477802207110572797814797870159151, 9483599358002031430276889173892716777483137155844013203204704308340368005455)"
+points[2] : "(3582064199758817395084567888979131399489180310854527659722233373316200088935, 5013664001823222493328983250535695894780415104032411286476938301746177789413)"
+points[3] : "(2608558917589104469794946005308295328376354729516260293998541446338037245316, 7380216098169806522493651841483387702118496867918844646938817052216546927834)"
+points[4] : "(10970264894326745811902665330882027157454649744995755774915880032341514664640, 2673275558703332757019628075603459814671885523946659461460975817206171298679)"
+scalar : "4661402122534330745222086575742781481159552639583525480514127238648290568236"
\ No newline at end of file