### Build LaZer Documentation Source: https://github.com/lazer-crypto/lazer/blob/main/docs/source/getting_started.rst Commands to navigate to the documentation subdirectory and build the HTML documentation for the LaZer project using Sphinx. ```console cd lazer/docs make html ``` -------------------------------- ### Clone LaZer Git Repository Source: https://github.com/lazer-crypto/lazer/blob/main/docs/source/getting_started.rst Instructions to clone the LaZer source code repository from GitHub to your local machine, allowing you to access the project files. ```console git clone https://github.com/IBM/lazer ``` -------------------------------- ### Build LaZer Core Library Source: https://github.com/lazer-crypto/lazer/blob/main/docs/source/getting_started.rst Commands to navigate into the LaZer directory and compile the core library using the make utility. This builds the basic components of the LaZer project. ```console cd lazer make ``` -------------------------------- ### Build LaZer Library with AVX-512 Support Source: https://github.com/lazer-crypto/lazer/blob/main/docs/source/getting_started.rst Commands to build the LaZer library including functions that require the AVX-512 instruction set extension for optimized performance. These functions will only be available on compatible systems. ```console cd lazer make all ``` -------------------------------- ### Build LaZer Python Module Source: https://github.com/lazer-crypto/lazer/blob/main/docs/source/getting_started.rst Commands to navigate to the Python subdirectory within the LaZer project and build the Python module, enabling Python applications to interface with the LaZer library. ```console cd lazer/python make ``` -------------------------------- ### Initialize Lazer Prover and Verifier with Generated C Parameters Source: https://github.com/lazer-crypto/lazer/blob/main/docs/source/params_c.rst This C example demonstrates how to integrate and use the generated parameter header file (e.g., `demo-params.h`) within a Lazer application. It shows the initialization of `lin_prover_state_t` and `lin_verifier_state_t` objects using the `params` variable defined in the header, followed by their proper clearing. ```C #include "lazer.h" #include "demo-params.h" // variable "params" defined here int main(void) { uint8_t pp[32] = { /* public randomness */ }; lin_prover_state_t prover; lin_verifier_state_t verifier; lin_prover_init (prover, pp, params); lin_verifier_init (verifier, pp, params); /* do stuff ... */ lin_prover_clear (prover); lin_verifier_clear (verifier); return 0; } ``` -------------------------------- ### Signer: Initialize with FALCON Secret Key and Verifier (Python) Source: https://github.com/lazer-crypto/lazer/blob/main/docs/source/blindsig.rst The Signer class is initialized with a FALCON secret key, which is stored for signing operations. Additionally, the signer sets up a verification state using the public parameter P1PP and parameters from 'blindsig_p1_params.py'. This setup is essential for verifying the first Zero-Knowledge Proof (ZK proof) from the zk1 equation. ```python def __init__(self, sk: falcon_skenc): self.sk = sk self.p1_verifier = lin_verifier_state_t(P1PP, lib.get_params("p1_param")) ``` -------------------------------- ### Specify complex witness properties with multiple partitions in Python Source: https://github.com/lazer-crypto/lazer/blob/main/docs/source/linrel.rst This example demonstrates how to define more complex witness properties. It partitions `s` into three sub-vectors (`wpart`), applies different L2 norm bounds (`wl2`), and specifies binary constraints (`wbin`) for each partition. ```python wpart = [ list(range(0,4)), list(range(5,7)),[7] ] wl2 = [ sqrt(1024), 0, sqrt(64) ] wbin = [ 0, 1, 0 ] ``` -------------------------------- ### Initialize Lazer Prover and Verifier with Compiled Parameters Source: https://github.com/lazer-crypto/lazer/blob/main/docs/source/params_py.rst This Python script demonstrates how to import the `lazer` module and the compiled parameter sets from `_demo_params_cffi`. It then uses the `lib.get_params("param")` method to retrieve a specific parameter set and initialize `lin_prover_state_t` and `lin_verifier_state_t` objects, which are essential for setting up the ZK proof system. ```python from lazer import * # import lazer python module from _demo_params_cffi import lib # import parameter sets seed = # public randomness prover = lin_prover_state_t(seed, lib.get_params("param")) verifier = lin_verifier_state_t(seed, lib.get_params("param")) ``` -------------------------------- ### Generate C Header File for ZK Proof Parameters using Sage Source: https://github.com/lazer-crypto/lazer/blob/main/docs/source/params_py.rst This console command demonstrates how to use a Sage script (`lin-codegen.sage`) to generate an optimized C header file (`demo-params.h`) from a Python parameter definition file (`demo-params.py`). This header file will contain the parameters required for the linear Zero-Knowledge proof system. ```console cd scripts sage lin-codegen.sage demo-params.py > demo-params.h ``` -------------------------------- ### Generate C Header from Python Parameter Specification using Sage Source: https://github.com/lazer-crypto/lazer/blob/main/docs/source/params_c.rst This console command executes the `lin-codegen.sage` script, taking a Python file (e.g., `demo-params.py`) as input to generate a C header file (e.g., `demo-params.h`). The output header defines a `lin_params_t` variable, named according to the Python specification, which encapsulates the proof system constants. ```console cd scripts sage lin-codegen.sage demo-params.py > demo-params.h ``` -------------------------------- ### Python: Import Parameters and Initialize Prover/Verifier States Source: https://github.com/lazer-crypto/lazer/blob/main/docs/source/kyber1024.rst This code imports necessary parameters for Kyber and the proof system from external files. It then initializes 'lin_prover_state_t' and 'lin_verifier_state_t' objects, passing the public randomness 'P1PP' and proof system parameters. These objects are essential for generating and verifying zero-knowledge proofs. ```python from kyber1024_params import mod, deg, m, n # import kyber parameters from _kyber1024_params_cffi import lib # import proof system parameters prover = lin_prover_state_t(P1PP, lib.get_params("param")) verifier = lin_verifier_state_t(P1PP, lib.get_params("param")) ``` -------------------------------- ### User Class Initialization for Blind Signature Provers Source: https://github.com/lazer-crypto/lazer/blob/main/docs/source/blindsig.rst This `__init__` method for the `User` class initializes the user's state with the signer's public key, converting it to the polynomial `B2`. It then sets up two linear prover states, `p1_prover` and `p2_prover`, using the pre-generated public randomness and auto-generated parameters for the zero-knowledge proof systems. ```python def __init__(self, pk: falcon_pkenc): #self.B2 = poly_t(RING, falcon_decode_pk(pk)) self.B2 = falcon_decode_pk(pk) self.p1_prover = lin_prover_state_t(P1PP, lib.get_params("p1_param")) self.p2_prover = lin_prover_state_t(P2PP, lib.get_params("p2_param")) ``` -------------------------------- ### Instantiate User, Signer, and Verifier Objects Source: https://github.com/lazer-crypto/lazer/blob/main/docs/source/blindsig.rst This code initializes the core components of the blind signature protocol: the user, signer, and verifier. The user and verifier are instantiated with the public key, while the signer uses the secret key. ```python user = user_t(pk) signer = signer_t(sk) verifier = verifier_t(pk) ``` -------------------------------- ### Initialize Proof Statement with System Parameters Source: https://github.com/lazer-crypto/lazer/blob/main/docs/source/AggregateSignature.rst This code initializes the `proof_statement` object, `PS`, using the previously defined parameters: `deg_list`, `num_pols_list`, `norm_list`, `num_constraints` (equal to `sig_num`), and `PRIMESIZE`. This sets up the core structure for the succinct proof system. ```python num_constraints=sig_num PS=proof_statement(deg_list,num_pols_list,norm_list,num_constraints,PRIMESIZE) ``` -------------------------------- ### Initialize ZK2 Verifier with Falcon Public Key Source: https://github.com/lazer-crypto/lazer/blob/main/docs/source/blindsig.rst This Python snippet defines the initialization method for a verifier, taking a Falcon public key (pk) as input. It decodes the public key and sets up the linear verifier state for the ZK2 proof system. ```python def __init__(self, pk: falcon_pkenc): self.B2 = falcon_decode_pk(pk) self.p2_verifier = lin_verifier_state_t(P2PP, lib.get_params("p2_param")) ``` -------------------------------- ### Import parameters and initialize prover/verifier states in Python Source: https://github.com/lazer-crypto/lazer/blob/main/docs/source/linrel.rst This code imports cryptographic parameters (modulus, degree, dimensions) from `demo_params`, initializes a public 32-byte seed, and then uses an automatically-generated CFFI interface to initialize the prover and verifier states with these parameters. ```python from demo_params import mod, deg, dim d, p, m, n = deg, mod, dim[0], dim[1] seed = b'\0' * 32 from _demo_params_cffi import lib prover = lin_prover_state_t(seed, lib.get_params("param")) verifier = lin_verifier_state_t(seed, lib.get_params("param")) ``` -------------------------------- ### Setting parameters for the second proof (p2_param) Source: https://github.com/lazer-crypto/lazer/blob/main/docs/source/blindsig.rst This snippet initializes parameters for the second zero-knowledge proof in the blind signature scheme. `vname` names the parameter set 'p2_param', and `deg` sets the polynomial ring degree to 512, consistent with the first proof's environment. ```python vname = "p2_param" deg = 512 ``` -------------------------------- ### Import CFFI Library and Proof System Parameters Source: https://github.com/lazer-crypto/lazer/blob/main/docs/source/blindsig.rst This snippet imports the necessary C functions via `_blindsig_params_cffi` for obtaining auto-generated proof system parameters. It also imports critical values like `mod`, `deg`, and `wl2` from `blindsig_p1_params`, which are essential for setting up the cryptographic schemes. ```python from _blindsig_params_cffi import lib from blindsig_p1_params import mod, deg, wl2 ``` -------------------------------- ### Python: Verify Zero-Knowledge Proof Source: https://github.com/lazer-crypto/lazer/blob/main/docs/source/kyber1024.rst This snippet demonstrates the verification process for a zero-knowledge proof. The verifier attempts to verify the generated 'proof' using its initialized state. If the verification fails, a 'VerificationError' is caught, and 'reject' is printed; otherwise, 'accept' is printed, indicating a successful proof verification. ```python try: verifier.verify(proof) except VerificationError: print("reject") else: print("accept") ``` -------------------------------- ### Expressing witness properties for the first zero-knowledge proof Source: https://github.com/lazer-crypto/lazer/blob/main/docs/source/blindsig.rst These lines define the properties of the witness for the first zero-knowledge proof. `wpart` breaks down the witness into two logical parts (the vector `r` and the message `m`). `wl2` specifies the L2 norm bounds for each part, and `wbin` indicates which parts are binary polynomials, crucial for proof validation. ```python wpart = [ [0,1], [2] ] wl2 = [ 109, 0 ] wbin = [ 0, 1 ] ``` -------------------------------- ### Signer: Sample FALCON Pre-image for Signature (Python) Source: https://github.com/lazer-crypto/lazer/blob/main/docs/source/blindsig.rst Following successful verification, the signer generates a binary polynomial τ. Subsequently, a short pre-image (s1, s2) is sampled using the FALCON secret key (sk), ensuring that it satisfies the sigout equation. ```python tau_ = secrets.token_bytes(64) tau = poly_t(RING, tau_) s1, s2 = falcon_preimage_sample(self.sk, ATAU * tau + t) ``` -------------------------------- ### Pre-image Sample and Lift Falcon Signature Components Source: https://github.com/lazer-crypto/lazer/blob/main/docs/source/AggregateSignature.rst This snippet performs pre-image sampling using `skenc` and `f_t` to derive the Falcon signature components `l_s1` and `l_s2`. Both components are then lifted to the `BIGMOD_RING` to align with the proof system's ring structure. ```python l_s1, l_s2 = falcon_preimage_sample(skenc, f_t) l_s1=l_s1.lift(BIGMOD_RING) l_s2=l_s2.lift(BIGMOD_RING) ``` -------------------------------- ### Compile Generated C Parameters into a Python Module Source: https://github.com/lazer-crypto/lazer/blob/main/docs/source/params_py.rst This console command executes the `params_cffi_build.py` script to compile the previously generated C header file (`demo_params.h`) into a Python module. This module, typically named `_demo_params_cffi`, exports a `lib` object that provides access to the compiled parameter sets. ```console cd python python3 params_cffi_build.py demo_params.h ``` -------------------------------- ### Define Witness Structure and Norm Bounds Source: https://github.com/lazer-crypto/lazer/blob/main/docs/source/blindsig.rst These variables specify the structure and properties of the witness polynomials used in the zero-knowledge proof. `wpart` defines partitioning, `wl2` sets L2-norm bounds for witness components, and `wbin` indicates which components are binary polynomials. ```python wpart = [ [0,1], [2], [3,4] ] wl2 = [ 109, 0, sqrt(34034726) ] wbin = [ 0, 1, 0 ] ``` -------------------------------- ### Python: Prover Sets Statement, Witness, and Generates Proof Source: https://github.com/lazer-crypto/lazer/blob/main/docs/source/linrel.rst The prover initializes the statement (A, t) and the witness (s) for the zero-knowledge proof. It then generates the proof using the `prove()` method. This process is based on parameters defined in `demo_params.py`. ```python prover.set_statement(A, t) prover.set_witness(s) proof = prover.prove() ``` -------------------------------- ### Signer: Verify User's ZK Proof (Python) Source: https://github.com/lazer-crypto/lazer/blob/main/docs/source/blindsig.rst The signer constructs the public components A and u for the linear equation A*w + u = 0. The proof is extracted from the masked_msg by slicing it after the known length of 't' (tlen). The signer then sets the statement for the verifier and attempts to verify the extracted proof against the defined statement. ```python A = polymat_t(RING, 1, 3, [AR1, AR2, AM]) u = polyvec_t(RING, 1, [-t]) proof = masked_msg[tlen:] self.p1_verifier.set_statement(A, u) try: self.p1_verifier.verify(proof) except VerificationError: raise InvalidMaskedMsg("Masked message invalid.") ``` -------------------------------- ### Python: Configure Witness Partition and Norm Bounds for ZK Proof Source: https://github.com/lazer-crypto/lazer/blob/main/docs/source/kyber1024.rst This snippet sets up the 'wpart', 'wl2', and 'wbin' parameters for the zero-knowledge proof system. 'wpart' defines the partition list for the 8 polynomials of the witness vector 's'. 'wl2' specifies the upper bound for the L2-norm of 's', and 'wbin' is set to 0, indicating that the coefficients of 's' are not required to be binary. ```python wpart = [ list(range(0,8)) ] wl2 = [ 1.2*sqrt(2048) ] wbin = [ 0 ] ``` -------------------------------- ### User: Generate ZK Proof for Linear Equation (Python) Source: https://github.com/lazer-crypto/lazer/blob/main/docs/source/blindsig.rst The user prepares to generate a Zero-Knowledge Proof (ZK proof) by setting up a linear equation. This involves constructing matrix A and vectors u and w such that A*w + u = 0, corresponding to the zk2 equation. The user then defines the statement and witness for the proof and proceeds to generate the ZK proof. ```python A = polymat_t(RING, 1, 5, [AR1, AR2, ATAU, -B1, -self.B2]) u = polyvec_t(RING, 1, [AM * self.m]) w = polyvec_t(RING, 5, [self.r1, self.r2, tau_, s1, s2]) self.p2_prover.set_statement(A, u) self.p2_prover.set_witness(w) proof = self.p2_prover.prove() ``` -------------------------------- ### Importing LaZer and LaBRADOR Cryptographic Libraries Source: https://github.com/lazer-crypto/lazer/blob/main/docs/source/AggregateSignature.rst This Python snippet demonstrates how to import all necessary components from the `lazer` and `labrador` libraries. These libraries provide the foundational cryptographic primitives and proof systems required for constructing the aggregate signature scheme. ```python from lazer import * from labrador import * ``` -------------------------------- ### Setting the name for the first proof parameter set Source: https://github.com/lazer-crypto/lazer/blob/main/docs/source/blindsig.rst This snippet sets the variable `vname` to 'p1_param', identifying the parameter set for the first zero-knowledge proof in the blind signature protocol. This name is used to reference the specific configuration for the proof. ```python vname = "p1_param" ``` -------------------------------- ### Define Parameter Set Name for Kyber1024 Proof System Source: https://github.com/lazer-crypto/lazer/blob/main/docs/source/kyber1024.rst This snippet defines a variable `vname` to name the parameter set, which will be imported and used in the main proof system file for Kyber1024. This helps organize and reference the specific set of cryptographic parameters. ```python vname = "param" ``` -------------------------------- ### Define Polynomial Ring and Initialize Public Parameters Source: https://github.com/lazer-crypto/lazer/blob/main/docs/source/blindsig.rst This snippet sets up the polynomial ring `R_p` (a Falcon ring) and initializes several uniformly random polynomials (`AR1`, `AR2`, `AM`, `ATAU`) within this ring. These polynomials, along with `B1` set as the identity, constitute the public parameters for the blind signature scheme. ```python RING = polyring_t(deg, mod) # falcon ring BND = int((mod-1)/2) AR1, AR2, AM, ATAU = poly_t(RING), poly_t(RING), poly_t(RING), poly_t(RING) AR1.urandom_bnd(-BND, BND, BLINDSIGPP, 0) AR2.urandom_bnd(-BND, BND, BLINDSIGPP, 1) AM.urandom_bnd(-BND, BND, BLINDSIGPP, 2) ATAU.urandom_bnd(-BND, BND, BLINDSIGPP, 3) B1 = poly_t(RING, {0: 1}) ``` -------------------------------- ### Generate Zero-Knowledge Proof of Knowledge Source: https://github.com/lazer-crypto/lazer/blob/main/docs/source/blindsig.rst This code demonstrates the final steps in generating a zero-knowledge proof. It sets the previously constructed statement (`A`, `u`) and the corresponding witness (`w`) within the `p1_prover` object. The `prove()` method is then invoked to compute and produce the actual proof, which can be verified by others. ```python self.p1_prover.set_statement(A, u) self.p1_prover.set_witness(w) proof = self.p1_prover.prove() ``` -------------------------------- ### Define parameter set name in Python Source: https://github.com/lazer-crypto/lazer/blob/main/docs/source/linrel.rst This snippet defines a string variable `vname` to name the parameter set, which will be imported and used in the main proof system file. ```python vname = "param" ``` -------------------------------- ### Include Lazer C Header File Source: https://github.com/lazer-crypto/lazer/blob/main/docs/source/library.rst Includes the necessary header file `lazer.h` to use the Lazer crypto library in a C application. This header provides access to the library's interfaces and functions. ```C #include "lazer.h" ``` -------------------------------- ### Python: Generate Zero-Knowledge Proof for Linear Relation Source: https://github.com/lazer-crypto/lazer/blob/main/docs/source/kyber1024.rst This code initializes the prover with the statement to be proven, which is the linear relation 'A*sk + pk = 0'. It then sets the secret key 'sk' as the witness. Finally, it calls the 'prove()' method to generate the zero-knowledge proof byte array, demonstrating the prover's role in the ZK protocol. ```python prover.set_statement(A, -pk) prover.set_witness(sk) proof = prover.prove() ``` -------------------------------- ### Python: Set L-infinity Norm Bound for ZK Proof Parameters Source: https://github.com/lazer-crypto/lazer/blob/main/docs/source/kyber1024.rst This code sets the 'wlinf' variable, which represents an optional bound on the L-infinity norm of the witness. Providing this bound allows for slightly tighter parameters in the ZK proof, resulting in a shorter proof. For Kyber-1024, all coefficients are at most 2 in magnitude, so 'wlinf' is set to 2. ```python wlinf = 2 ``` -------------------------------- ### Python: Create Kyber Matrix A, Secret Key, and Public Key Source: https://github.com/lazer-crypto/lazer/blob/main/docs/source/kyber1024.rst This snippet constructs the Kyber matrix 'A' as '[A1 | I]', where 'A1' is a randomly generated polynomial matrix and 'A2' is an identity matrix. It then generates the secret key 'sk' using a binomial distribution and computes the public key 'pk' by multiplying 'A' with 'sk'. This process follows the Kyber key generation procedure. ```python R = polyring_t(deg, mod) A1 = polymat_t.urandom_static(R, m, m, mod, KYBERPP, 0) A2 = polymat_t.identity(R, m) A = polymat_t(R, m, n, [A1, A2]) sk = polyvec_t.brandom_static(R, n, 2, secrets.token_bytes(32), 0) pk = A*sk ``` -------------------------------- ### Construct Statement and Witness for Zero-Knowledge Proof Source: https://github.com/lazer-crypto/lazer/blob/main/docs/source/blindsig.rst This snippet constructs the necessary components for a zero-knowledge proof: the matrix `A`, the vector `u`, and the witness vector `w`. These elements are carefully formed such that `A*w+u=0`, establishing the mathematical statement for which the user will prove knowledge of the witness `w` without revealing it. ```python A = polymat_t(RING, 1, 3, [AR1, AR2, AM]) u = polyvec_t(RING, 1, [-t]) w = polyvec_t(RING, 3, [r1, r2, m]) ``` -------------------------------- ### Importing the Lazer Python Module Source: https://github.com/lazer-crypto/lazer/blob/main/docs/source/python_module.rst This snippet demonstrates the basic step of importing the 'lazer' module into a Python application, which is necessary to access its functionalities and interfaces. ```python import lazer ``` -------------------------------- ### Generate Falcon Keys for Blind Signature Protocol Source: https://github.com/lazer-crypto/lazer/blob/main/docs/source/blindsig.rst This snippet demonstrates the generation of secret (sk) and public (pk) FALCON keys. In a real-world scenario, these keys would typically be generated by the signer. ```python sk, pk, _ = falcon_keygen() ``` -------------------------------- ### User: Save ZK Proof Variables (Python) Source: https://github.com/lazer-crypto/lazer/blob/main/docs/source/blindsig.rst The variables r1, r2, and m are crucial for the user's next step, specifically when generating the Zero-Knowledge Proof (ZK proof) for the zk2 equation. To ensure their availability for subsequent operations, these variables are saved within the user object. ```python self.r1 = r1 self.r2 = r2 self.m = m ``` -------------------------------- ### Python: Derive Public Randomness for Kyber and Proof System Source: https://github.com/lazer-crypto/lazer/blob/main/docs/source/kyber1024.rst This snippet demonstrates the derivation of public randomness using SHAKE-128. 'KYBERPP' is generated for Kyber key derivation, and 'P1PP' is generated for the commitment scheme and proof system. This ensures that the randomness used is publicly verifiable and consistent. ```python shake128 = hashlib.shake_128(bytes.fromhex("00")) KYBERPP = shake128.digest(32) # kyber public randmoness shake128 = hashlib.shake_128(bytes.fromhex("01")) P1PP = shake128.digest(32) # proof system public radomness ``` -------------------------------- ### Set L-infinity Norm Bound for Witness Source: https://github.com/lazer-crypto/lazer/blob/main/docs/source/blindsig.rst The `wlinf` parameter specifies an optional bound on the L-infinity norm of the witness. Applying this bound can help reduce the overall size of the generated proof by a few bytes, optimizing efficiency. ```python wlinf = 5833 ``` -------------------------------- ### Setting maximum infinity norm for the witness in the first proof Source: https://github.com/lazer-crypto/lazer/blob/main/docs/source/blindsig.rst This optional argument, `wlinf`, indicates the maximum infinity norm for the entire witness in the first zero-knowledge proof. Setting it to 19 suggests that with very high probability, the infinity norm of the witness will not exceed this value, optimizing proof parameters. ```python wlinf=19 ``` -------------------------------- ### Python: Falcon Pre-image Sampling in Signer Class Source: https://github.com/lazer-crypto/lazer/blob/main/docs/source/anoncred.rst This code performs pre-image sampling using the `falcon_preimage_sample` function within the signer class. It takes the secret key, a combined vector `ATAU * tau + t` (which is in `R_p^8`), and a `RING` parameter. The function internally handles conversions between the FALCON ring and `R_p` to obtain the final `s1, s2` vectors. ```python s1, s2 = falcon_preimage_sample(self.sk, ATAU * tau + t,RING) ``` -------------------------------- ### Generate and Lift Falcon Key Pair Source: https://github.com/lazer-crypto/lazer/blob/main/docs/source/AggregateSignature.rst This snippet generates a Falcon secret key (`skenc`), public key (`pkenc`), and polynomial public key (`pkpol`) using `falcon_keygen()`. The polynomial public key is then lifted to the `BIGMOD_RING` for use in the proof system. ```python skenc,pkenc,pkpol=falcon_keygen() l_pk=pkpol.lift(BIGMOD_RING) ``` -------------------------------- ### Initialize Randomness and Inverse Modulo for Falcon Source: https://github.com/lazer-crypto/lazer/blob/main/docs/source/AggregateSignature.rst This code sets up a SHAKE-128 hash for randomness, generates a target parameter `TARGPP`, creates an identity polynomial `ID`, and computes the modular inverse of `mod` within `BIGMOD_RING.mod` for Falcon operations. ```python shake128 = hashlib.shake_128(bytes.fromhex("00")) TARGPP = shake128.digest(32) ID=int_to_poly(1,BIGMOD_RING) inv_fal_mod=_invmod(mod,BIGMOD_RING.mod) ``` -------------------------------- ### User's Mask Message Function for Blind Signature Protocol Source: https://github.com/lazer-crypto/lazer/blob/main/docs/source/blindsig.rst The `maskmsg` function initiates the user's first move in the blind signature protocol. It processes a 64-byte message, samples two polynomials `r1` and `r2` from a discrete Gaussian distribution with a specified L2-norm bound, and computes the polynomial `t` based on these and public parameters. This `t` is a masked version of the original message. ```python def maskmsg(self, msg: bytes): if len(msg) != 64: raise ValueError("msg must be 32 bytes.") # sample (r1,r1) r1, r2 = poly_t(RING), poly_t(RING) m = poly_t(RING, msg) seed = secrets.token_bytes(32) # internal coins logsigma = 1 # sigma = 1.55*2^logsigma l2sqr_bnd = wl2[0] * wl2[0] # l2(r1,r2)^2 ctr = 0 while (True): r1.grandom(logsigma, seed, ctr) ctr += 1 r2.grandom(logsigma, seed, ctr) ctr += 1 l2sqr = r1.l2sq() + r2.l2sq() if (l2sqr <= l2sqr_bnd): break t = AR1*r1 + AR2*r2 + AM*m ``` -------------------------------- ### User: Return Encoded Data and ZK Proof (Python) Source: https://github.com/lazer-crypto/lazer/blob/main/docs/source/blindsig.rst After processing, the function concludes by returning a concatenated string. This string combines the encoding of 't' with the generated Zero-Knowledge Proof (proof), forming the complete output. ```python return tenc + proof ``` -------------------------------- ### Defining polynomial ring and public matrix dimensions for the first proof Source: https://github.com/lazer-crypto/lazer/blob/main/docs/source/blindsig.rst This code defines the polynomial ring parameters for the first zero-knowledge proof. `deg` sets the degree of the polynomial ring to 512, `mod` sets the modulus `p` to 12289, and `dim` specifies the dimensions of the public matrix as 1x3 over the ring R_p, aligning with the linear relation in the proof. ```python deg = 512 mod = 12289 dim = (1,3) ``` -------------------------------- ### Specify witness properties for norm bound in Python Source: https://github.com/lazer-crypto/lazer/blob/main/docs/source/linrel.rst This snippet configures the properties of the witness `s`. `wpart` defines the partition of `s` (here, all 8 polynomials), `wl2` sets the L2 norm bound to sqrt(2048), and `wbin` indicates that coefficients are not binary. ```python wpart = [ list(range(0,8)) ] wl2 = [ sqrt(2048) ] wbin = [ 0 ] ``` -------------------------------- ### User Masks Message in Blind Signature Protocol Source: https://github.com/lazer-crypto/lazer/blob/main/docs/source/blindsig.rst This snippet shows the user's initial action in the blind signature protocol. The user takes the original message and applies a masking operation to produce a 'masked_msg' that will be sent to the signer. ```python masked_msg = user.maskmsg(msg) ``` -------------------------------- ### Python: Generate and Verify Zero-Knowledge Proof Source: https://github.com/lazer-crypto/lazer/blob/main/docs/source/AggregateSignature.rst This snippet demonstrates how to generate a zero-knowledge proof using PS.pack_prove() and then verify it using pack_verify(). It relies on a pre-computed statement (stmnt) and a prime size (PRIMESIZE) for verification. ```python proof = PS.pack_prove() pack_verify(proof,stmnt,PRIMESIZE) ``` -------------------------------- ### Python: Verifier Sets Statement and Verifies Proof Source: https://github.com/lazer-crypto/lazer/blob/main/docs/source/linrel.rst The verifier sets the same statement (A, t) as the prover. It then uses the `verify()` method to check the validity of the proof generated by the prover. ```python verifier.set_statement(A, t) verifier.verify(proof) ``` -------------------------------- ### Add Falcon Equation to Proof Statement Source: https://github.com/lazer-crypto/lazer/blob/main/docs/source/AggregateSignature.rst This snippet prepares the left-hand side (`stat_left`) and witness vector (`wit`) for a Falcon equation. It then adds this equation to the proof statement `PS` using `fresh_statement`, representing the core algebraic relation `l_pk*l_s2 + ID*l_s1 + ID*mod*v = l_t` within `BIGMOD_RING`. ```python stat_left=[l_pk,ID,ID*mod] wit=[l_s2,l_s1,v] PS.fresh_statement(stat_left,wit,l_t) ``` -------------------------------- ### Import all from Lazer module in Python Source: https://github.com/lazer-crypto/lazer/blob/main/docs/source/linrel.rst This line imports all functionalities from the `lazer` module, which is essential for interacting with the Lazer cryptographic library. ```python from lazer import * ``` -------------------------------- ### Append parent directory to Python system path Source: https://github.com/lazer-crypto/lazer/blob/main/docs/source/linrel.rst This optional snippet adds the parent directory to the Python system path. This is necessary if the `lazer` module or other required files are not located in the current working directory. ```python import sys sys.path.append('..') ``` -------------------------------- ### Set optional L-infinity norm bound for witness in Python Source: https://github.com/lazer-crypto/lazer/blob/main/docs/source/linrel.rst This snippet sets the optional `wlinf` variable, indicating an L-infinity norm bound for the witness. This information helps optimize the ZK proof parameters, making the proof shorter, but does not imply an additional proof constraint. ```python wlinf = 1 ``` -------------------------------- ### Create random polynomial matrix A in Python Source: https://github.com/lazer-crypto/lazer/blob/main/docs/source/linrel.rst This code creates a polynomial matrix `A` of dimensions `m`x`n` over the polynomial ring `Rp`. It then populates `A` with uniformly random coefficients using the modulus `p` and the public `seed`. ```python A = polymat_t(Rp, m, n) A.urandom(p, seed, 0) ``` -------------------------------- ### Generate Public Randomness for Cryptographic Systems Source: https://github.com/lazer-crypto/lazer/blob/main/docs/source/blindsig.rst This code generates distinct public randomness values (`BLINDSIGPP`, `P1PP`, `P2PP`) using SHAKE128. These values are crucial for initializing the public parameters of the blind signature scheme and the two zero-knowledge proof systems, ensuring their security and uniqueness. ```python shake128 = hashlib.shake_128(bytes.fromhex("00")) BLINDSIGPP = shake128.digest(32) shake128 = hashlib.shake_128(bytes.fromhex("01")) P1PP = shake128.digest(32) shake128 = hashlib.shake_128(bytes.fromhex("02")) P2PP = shake128.digest(32) ``` -------------------------------- ### Instantiate Coder Object for Variable Encoding Source: https://github.com/lazer-crypto/lazer/blob/main/docs/source/blindsig.rst This line instantiates a `coder_t` object, which is a utility class designed for encoding cryptographic variables. This object is a prerequisite for preparing data, such as the masked message `t`, for secure transmission or storage. ```python coder = coder_t() ``` -------------------------------- ### User Finalizes Signature and Verifier Verifies Source: https://github.com/lazer-crypto/lazer/blob/main/docs/source/blindsig.rst In the final steps of the blind signature protocol, the user takes the 'blindsig' from the signer and performs their second move to finalize the signature and create the ZK proof (zk2). Subsequently, the verifier checks the validity of the original message against the finalized signature. ```python sig = user.sign(blindsig) verifier.verify(msg, sig) ``` -------------------------------- ### Set Norm Bounds for Proof System Witnesses Source: https://github.com/lazer-crypto/lazer/blob/main/docs/source/AggregateSignature.rst This snippet defines `norm_list`, which specifies the L2-squared norm bounds for each witness in the proof system. The `norms` array, representing bounds for `s2`, `s1`, and `v`, is repeated `sig_num` times to cover all aggregate signatures. ```python norm_list=norms*sig_num ``` -------------------------------- ### Compute and Centralize Falcon Proof Polynomial 'v' Source: https://github.com/lazer-crypto/lazer/blob/main/docs/source/AggregateSignature.rst This code computes the polynomial `v` as part of the Falcon proof system, based on the lifted target `l_t`, signature components `l_s1` and `l_s2`, and the lifted public key `l_pk`. The result is then reduced and centralized using `v.redc()`. ```python l_v=poly_t(BIGMOD_RING) v=(l_t-l_s1-l_pk*l_s2)*inv_fal_mod v.redc() ``` -------------------------------- ### Signer: Decode Masked Message (Python) Source: https://github.com/lazer-crypto/lazer/blob/main/docs/source/blindsig.rst Within the sign function, the signer first verifies the ZK proof from zk1 and then prepares to output τ, s1, and s2 satisfying sigout. The function receives the encoded 't' and the proof from the user's maskmsg function. The signer reverses the encoding process to retrieve 't' and determines 'tlen', the length of the encoded 't' in bytes. ```python t = poly_t(RING) try: coder = coder_t() coder.dec_begin(masked_msg) coder.dec_urandom(mod, t) tlen = coder.dec_end() except DecodingError: raise InvalidMaskedMsg ``` -------------------------------- ### Verify ZK Proof for Blind Signature Source: https://github.com/lazer-crypto/lazer/blob/main/docs/source/blindsig.rst This function verifies a zero-knowledge proof for the statement Aw + u = 0. It takes a message byte string and a ZK proof byte string, converts the message to a poly_t type, constructs the matrix A and vector u, and then runs the verification process. It raises an InvalidSignature error if verification fails. ```python m = poly_t(RING, msg) # verify proof for PoK(w): Aw + u = 0 A = polymat_t(RING, 1, 5, [AR1, AR2, ATAU, -B1, -self.B2]) u = polyvec_t(RING, 1, [AM * m]) self.p2_verifier.set_statement(A, u) try: self.p2_verifier.verify(sig) except VerificationError: raise InvalidSignature("Signature invalid.") ``` -------------------------------- ### LaBRADOR Library Supported Cryptographic Ring Moduli Source: https://github.com/lazer-crypto/lazer/blob/main/docs/source/AggregateSignature.rst This API documentation outlines the predefined `polyring_t` configurations available in the `labrador.py` file. These rings, characterized by their dimension (64) and specific prime moduli, are essential for the succinct proof system. Developers must choose one of these supported moduli to ensure compatibility and proper functioning of the LaZer library's proof capabilities. ```APIDOC LAB_RING_24=polyring_t(64,2**24-3), LAB_RING_32=polyring_t(64,2**32-99), LAB_RING_40=polyring_t(64,2**40-195), LAB_RING_48=polyring_t(64,2**48-59), ``` -------------------------------- ### Create and Lift Falcon Target Polynomial Source: https://github.com/lazer-crypto/lazer/blob/main/docs/source/AggregateSignature.rst This code creates a random static target polynomial `f_t` within `FALCON_RING` using `TARGPP`. This polynomial, representing a message hash, is then lifted to the `BIGMOD_RING` for consistency with the proof system's larger modulus. ```python f_t=poly_t.urandom_static(FALCON_RING,FALCON_RING.mod,TARGPP,0) l_t=f_t.lift(BIGMOD_RING) ``` -------------------------------- ### Configuring Aggregate Signature Count and Polynomial Norms Source: https://github.com/lazer-crypto/lazer/blob/main/docs/source/AggregateSignature.rst This Python code defines `sig_num`, the total number of signatures to be aggregated, and `norms`, an array specifying the `l2^2`-norm bounds for the `s2`, `s1`, and `v` polynomials. These parameters are critical for the security and performance of the FALCON-based aggregate signature, influencing the probability of re-signing. ```python sig_num=1024 norms=[17017363,17017363,round(1248245003*.75)] ``` -------------------------------- ### Define Falcon Ring and Modulus Parameters Source: https://github.com/lazer-crypto/lazer/blob/main/docs/source/AggregateSignature.rst This snippet initializes the modulus and degree for the Falcon polynomial rings. It defines `FALCON_RING` and `BIGMOD_RING` based on these parameters, and calculates `PRIMESIZE` for cryptographic operations. ```python mod=12289 deg=512 FALCON_RING=polyring_t(deg,mod) BIGMOD_RING=polyring_t(deg,LAB_RING_40.mod) PRIMESIZE=str(math.ceil(math.log2(BIGMOD_RING.mod))) ``` -------------------------------- ### User: Decode Signer's Polynomials (Python) Source: https://github.com/lazer-crypto/lazer/blob/main/docs/source/blindsig.rst The user's sign function represents the second phase of the protocol, where the zk2 proof is produced. The user receives polynomials τ, s1, and s2 from the signer, which satisfy the sigout equation. These polynomials, distributed according to a discrete Gaussian distribution (standard deviation ~165), are decoded using the dec_grandom function. The binary polynomial τ, initially a byte string, is decoded as bytes and then converted into a polynomial variable tau_. ```python try: coder = coder_t() coder.dec_begin(blindsig) coder.dec_bytes(tau) coder.dec_grandom(165, s1) coder.dec_grandom(165, s2) coder.dec_end() except DecodingError: raise InvalidMaskedMsg tau_ = poly_t(RING, tau) ``` -------------------------------- ### Encode Cryptographic Variable 't' for Transmission Source: https://github.com/lazer-crypto/lazer/blob/main/docs/source/blindsig.rst This snippet illustrates the complete process of encoding the variable `t` using the `coder_t` object. It initializes the encoder with a maximum byte size, encodes `t` as a uniformly random value modulo `mod`, and then finalizes the encoding to produce a byte string `tenc` suitable for transmission to the signer. ```python coder = coder_t() coder.enc_begin(22000) coder.enc_urandom(mod, t) tenc = coder.enc_end() ``` -------------------------------- ### Create random polynomial vector s and compute t in Python Source: https://github.com/lazer-crypto/lazer/blob/main/docs/source/linrel.rst This snippet creates a polynomial vector `s` of dimension `n` over `Rp`, populating it with random coefficients from `{-1,0,1}` using a Bernoulli distribution. It then computes `t` as the negation of the product of matrix `A` and vector `s`. ```python s = polyvec_t(Rp, n) s.brandom(1, seed, 0) t = -A*s ``` -------------------------------- ### Specify Number of Polynomials Per Witness Source: https://github.com/lazer-crypto/lazer/blob/main/docs/source/AggregateSignature.rst This code defines `num_pols_list`, indicating that each witness in the proof system consists of a single polynomial. This list is populated with `1` for each of the `3 * sig_num` witnesses. ```python num_pols_list=[1]*(3*sig_num) ``` -------------------------------- ### Define Witness Polynomial Degrees for Proof System Source: https://github.com/lazer-crypto/lazer/blob/main/docs/source/AggregateSignature.rst This snippet initializes `deg_list`, which specifies the degree of each polynomial in the witness vector for the proof system. For the aggregate signature scheme, each witness consists of three polynomials of degree `deg` (512), repeated `sig_num` times. ```python deg_list=[deg]*(3*sig_num) ``` -------------------------------- ### Python: Zeroing Columns for Hidden Message Part Source: https://github.com/lazer-crypto/lazer/blob/main/docs/source/anoncred.rst This snippet demonstrates how the matrix `AM` is modified to handle the hidden part of the message (`m2`) in anonymous credentials. By calling `zero_out_cols` with `pub_mvec`, the columns corresponding to the public message vector `m1` are set to zero. This effectively makes `m2` the full message `m` with public positions zeroed out, simplifying witness declaration. ```python AM_priv=AM.zero_out_cols(pub_mvec) ``` -------------------------------- ### Signer: Encode Signature Components (Python) Source: https://github.com/lazer-crypto/lazer/blob/main/docs/source/blindsig.rst The byte-string tau_, used to create the polynomial τ, is encoded along with s1 and s2. Since s1 and s2 are discrete Gaussians with a standard deviation of approximately 165, a Gaussian-specific encoding is chosen for efficiency, though a uniform encoding would also be possible but longer. The encoded components form the blindsig. ```python coder = coder_t() coder.enc_begin(2000) coder.enc_bytes(tau_) coder.enc_grandom(165, s1) coder.enc_grandom(165, s2) blindsig = coder.enc_end() ``` -------------------------------- ### Configure polynomial ring and matrix dimensions in Python Source: https://github.com/lazer-crypto/lazer/blob/main/docs/source/linrel.rst This code sets the degree of the polynomial ring `deg` to 256, the modulus `mod` to 2^32 - 4607, and the dimensions `dim` of matrix A to 4x8, defining the algebraic structure for the proof. ```python deg = 256 mod = 2**32 - 4607 dim = (4,8) ``` -------------------------------- ### Signer Signs Masked Message Source: https://github.com/lazer-crypto/lazer/blob/main/docs/source/blindsig.rst After receiving the masked message from the user, the signer performs their role by signing the masked message. The output of this operation is stored in the 'blindsig' variable. ```python blindsig = signer.sign(masked_msg) ``` -------------------------------- ### Set Polynomial Ring and Matrix Dimensions for Kyber1024 Parameters Source: https://github.com/lazer-crypto/lazer/blob/main/docs/source/kyber1024.rst This snippet defines the core parameters for the Kyber1024 cryptographic scheme. It sets the polynomial degree (`deg`) to 256, the modulus (`mod`) for the ring to 3329, and the dimensions (`dim`) of the matrix A to 4x8 over the ring Rp. These parameters are crucial for defining the mathematical structure of the Kyber-1024 system. ```python deg = 256 mod = 3329 dim = (4,8) ``` -------------------------------- ### Declare polynomial ring Rp in Python Source: https://github.com/lazer-crypto/lazer/blob/main/docs/source/linrel.rst This snippet declares `Rp` as the polynomial ring :math:`R_p=\mathbb{Z}_p[X]/(X^d+1)`, using the previously defined degree `d` and modulus `p`. ```python Rp = polyring_t(d, p) ``` -------------------------------- ### Define Modulus for Cryptographic Operations Source: https://github.com/lazer-crypto/lazer/blob/main/docs/source/blindsig.rst This line defines the modulus `mod` used throughout the cryptographic operations, particularly for polynomial arithmetic within the ring `R_p`. This value is a fundamental parameter for the underlying finite field. ```python mod = 12289 ``` === COMPLETE CONTENT === This response contains all available snippets from this library. No additional content exists. Do not make further requests.