charm-crypto-framework 0.61.1__cp313-cp313-macosx_10_13_universal2.whl

charm/test/zkp_compiler/test_or_proof.py

@@ -0,0 +1,231 @@
+"""
+Unit tests for OR Composition proof (CDS94) implementation.
+
+Tests cover:
+- Non-interactive OR proof generation and verification
+- Witness indistinguishability property
+- Serialization and deserialization
+"""
+
+import unittest
+from charm.toolbox.pairinggroup import PairingGroup, ZR, G1
+from charm.zkp_compiler.or_proof import ORProof, ORProofData
+
+
+class TestORProofNonInteractive(unittest.TestCase):
+    """Tests for non-interactive OR proof (CDS94)."""
+
+    def setUp(self):
+        """Set up test fixtures."""
+        self.group = PairingGroup('BN254')
+        self.g = self.group.random(G1)
+        # Create two public values with known discrete logs
+        self.x1 = self.group.random(ZR)
+        self.x2 = self.group.random(ZR)
+        self.h1 = self.g ** self.x1
+        self.h2 = self.g ** self.x2
+
+    def test_prove_first_statement(self):
+        """Test proving h1 = g^x (which=0)."""
+        proof = ORProof.prove_non_interactive(
+            self.group, self.g, self.h1, self.h2, self.x1, which=0
+        )
+
+        self.assertIsNotNone(proof)
+        self.assertIsNotNone(proof.commitment1)
+        self.assertIsNotNone(proof.commitment2)
+        self.assertIsNotNone(proof.challenge1)
+        self.assertIsNotNone(proof.challenge2)
+        self.assertIsNotNone(proof.response1)
+        self.assertIsNotNone(proof.response2)
+
+        result = ORProof.verify_non_interactive(
+            self.group, self.g, self.h1, self.h2, proof
+        )
+        self.assertTrue(result)
+
+    def test_prove_second_statement(self):
+        """Test proving h2 = g^x (which=1)."""
+        proof = ORProof.prove_non_interactive(
+            self.group, self.g, self.h1, self.h2, self.x2, which=1
+        )
+
+        self.assertIsNotNone(proof)
+        result = ORProof.verify_non_interactive(
+            self.group, self.g, self.h1, self.h2, proof
+        )
+        self.assertTrue(result)
+
+    def test_wrong_secret_fails(self):
+        """Test that wrong secret fails verification."""
+        wrong_x = self.group.random(ZR)
+        proof = ORProof.prove_non_interactive(
+            self.group, self.g, self.h1, self.h2, wrong_x, which=0
+        )
+
+        result = ORProof.verify_non_interactive(
+            self.group, self.g, self.h1, self.h2, proof
+        )
+        self.assertFalse(result)
+
+    def test_wrong_which_fails(self):
+        """Test that claiming wrong branch fails."""
+        # x1 is secret for h1, but claim it's for h2 (which=1)
+        proof = ORProof.prove_non_interactive(
+            self.group, self.g, self.h1, self.h2, self.x1, which=1
+        )
+
+        result = ORProof.verify_non_interactive(
+            self.group, self.g, self.h1, self.h2, proof
+        )
+        self.assertFalse(result)
+
+    def test_tampered_proof_fails(self):
+        """Test that tampered proof fails verification."""
+        proof = ORProof.prove_non_interactive(
+            self.group, self.g, self.h1, self.h2, self.x1, which=0
+        )
+
+        # Tamper with response1
+        tampered = ORProofData(
+            commitment1=proof.commitment1,
+            commitment2=proof.commitment2,
+            challenge1=proof.challenge1,
+            challenge2=proof.challenge2,
+            response1=proof.response1 + self.group.random(ZR),
+            response2=proof.response2,
+            proof_type=proof.proof_type
+        )
+
+        result = ORProof.verify_non_interactive(
+            self.group, self.g, self.h1, self.h2, tampered
+        )
+        self.assertFalse(result)
+
+    def test_challenges_sum_correctly(self):
+        """Test that c1 + c2 equals main challenge."""
+        proof = ORProof.prove_non_interactive(
+            self.group, self.g, self.h1, self.h2, self.x1, which=0
+        )
+
+        # Recompute expected challenge
+        expected_c = ORProof._compute_challenge_hash(
+            self.group, self.g, self.h1, self.h2,
+            proof.commitment1, proof.commitment2
+        )
+
+        # Verify c1 + c2 = c
+        actual_c = proof.challenge1 + proof.challenge2
+        self.assertEqual(expected_c, actual_c)
+
+
+class TestORProofWitnessIndistinguishability(unittest.TestCase):
+    """Tests for witness indistinguishability property."""
+
+    def setUp(self):
+        """Set up test fixtures."""
+        self.group = PairingGroup('BN254')
+        self.g = self.group.random(G1)
+        self.x1 = self.group.random(ZR)
+        self.x2 = self.group.random(ZR)
+        self.h1 = self.g ** self.x1
+        self.h2 = self.g ** self.x2
+
+    def test_proofs_look_similar(self):
+        """Test that both branches produce valid-looking proofs."""
+        proof0 = ORProof.prove_non_interactive(
+            self.group, self.g, self.h1, self.h2, self.x1, which=0
+        )
+        proof1 = ORProof.prove_non_interactive(
+            self.group, self.g, self.h1, self.h2, self.x2, which=1
+        )
+
+        # Both proofs should have same structure
+        self.assertEqual(proof0.proof_type, proof1.proof_type)
+        self.assertEqual(proof0.proof_type, 'or')
+
+        # Both should be valid
+        result0 = ORProof.verify_non_interactive(
+            self.group, self.g, self.h1, self.h2, proof0
+        )
+        result1 = ORProof.verify_non_interactive(
+            self.group, self.g, self.h1, self.h2, proof1
+        )
+        self.assertTrue(result0)
+        self.assertTrue(result1)
+
+    def test_verifier_cannot_distinguish(self):
+        """Test that verifier accepts both without knowing which."""
+        # Generate multiple proofs from each branch
+        proofs = []
+        for _ in range(3):
+            proof0 = ORProof.prove_non_interactive(
+                self.group, self.g, self.h1, self.h2, self.x1, which=0
+            )
+            proof1 = ORProof.prove_non_interactive(
+                self.group, self.g, self.h1, self.h2, self.x2, which=1
+            )
+            proofs.extend([proof0, proof1])
+
+        # Verifier should accept all proofs identically
+        for proof in proofs:
+            result = ORProof.verify_non_interactive(
+                self.group, self.g, self.h1, self.h2, proof
+            )
+            self.assertTrue(result)
+
+
+class TestORProofSerialization(unittest.TestCase):
+    """Tests for OR proof serialization."""
+
+    def setUp(self):
+        """Set up test fixtures."""
+        self.group = PairingGroup('BN254')
+        self.g = self.group.random(G1)
+        self.x = self.group.random(ZR)
+        self.h1 = self.g ** self.x
+        self.h2 = self.g ** self.group.random(ZR)
+
+    def test_serialization_roundtrip(self):
+        """Test serialize and deserialize proof."""
+        proof = ORProof.prove_non_interactive(
+            self.group, self.g, self.h1, self.h2, self.x, which=0
+        )
+
+        # Serialize
+        serialized = ORProof.serialize_proof(proof, self.group)
+        self.assertIsInstance(serialized, bytes)
+        self.assertGreater(len(serialized), 0)
+
+        # Deserialize
+        deserialized = ORProof.deserialize_proof(serialized, self.group)
+
+        # Check all fields match
+        self.assertEqual(proof.commitment1, deserialized.commitment1)
+        self.assertEqual(proof.commitment2, deserialized.commitment2)
+        self.assertEqual(proof.challenge1, deserialized.challenge1)
+        self.assertEqual(proof.challenge2, deserialized.challenge2)
+        self.assertEqual(proof.response1, deserialized.response1)
+        self.assertEqual(proof.response2, deserialized.response2)
+        self.assertEqual(proof.proof_type, deserialized.proof_type)
+
+    def test_serialized_proof_verifies(self):
+        """Test that deserialized proof still verifies."""
+        proof = ORProof.prove_non_interactive(
+            self.group, self.g, self.h1, self.h2, self.x, which=0
+        )
+
+        # Serialize and deserialize
+        serialized = ORProof.serialize_proof(proof, self.group)
+        deserialized = ORProof.deserialize_proof(serialized, self.group)
+
+        # Deserialized proof should verify
+        result = ORProof.verify_non_interactive(
+            self.group, self.g, self.h1, self.h2, deserialized
+        )
+        self.assertTrue(result)
+
+
+if __name__ == "__main__":
+    unittest.main()
+

charm/test/zkp_compiler/test_proof_serialization.py

@@ -0,0 +1,121 @@
+"""
+Unit tests for ZK proof serialization.
+
+Tests cover:
+- Serializing proofs to bytes
+- Deserializing bytes back to proofs
+- Roundtrip preservation
+- Error handling for invalid data
+"""
+
+import unittest
+from charm.toolbox.pairinggroup import PairingGroup, ZR, G1
+from charm.zkp_compiler.schnorr_proof import SchnorrProof, Proof
+
+
+class TestProofSerialization(unittest.TestCase):
+    """Tests for proof serialization."""
+    
+    def setUp(self):
+        """Set up test fixtures."""
+        self.group = PairingGroup('BN254')
+        self.g = self.group.random(G1)
+        self.x = self.group.random(ZR)
+        self.h = self.g ** self.x
+    
+    def test_serialize_deserialize_roundtrip(self):
+        """Test that proof survives serialization roundtrip."""
+        # Generate proof
+        proof = SchnorrProof.prove_non_interactive(
+            self.group, self.g, self.h, self.x
+        )
+        
+        # Serialize
+        data = SchnorrProof.serialize_proof(proof, self.group)
+        self.assertIsInstance(data, bytes)
+        self.assertGreater(len(data), 0)
+        
+        # Deserialize
+        recovered = SchnorrProof.deserialize_proof(data, self.group)
+        self.assertIsNotNone(recovered)
+        
+        # Verify recovered proof still works
+        result = SchnorrProof.verify_non_interactive(
+            self.group, self.g, self.h, recovered
+        )
+        self.assertTrue(result)
+    
+    def test_serialized_proof_is_bytes(self):
+        """Test that serialization produces bytes."""
+        proof = SchnorrProof.prove_non_interactive(
+            self.group, self.g, self.h, self.x
+        )
+        data = SchnorrProof.serialize_proof(proof, self.group)
+        self.assertIsInstance(data, bytes)
+    
+    def test_different_proofs_different_serialization(self):
+        """Test that different proofs produce different serialized data."""
+        proof1 = SchnorrProof.prove_non_interactive(
+            self.group, self.g, self.h, self.x
+        )
+        proof2 = SchnorrProof.prove_non_interactive(
+            self.group, self.g, self.h, self.x
+        )
+        
+        data1 = SchnorrProof.serialize_proof(proof1, self.group)
+        data2 = SchnorrProof.serialize_proof(proof2, self.group)
+        
+        # Different proofs should have different serializations
+        # (due to different random commitments)
+        self.assertNotEqual(data1, data2)
+    
+    def test_deserialize_preserves_proof_type(self):
+        """Test that proof_type is preserved through serialization."""
+        proof = SchnorrProof.prove_non_interactive(
+            self.group, self.g, self.h, self.x
+        )
+        
+        data = SchnorrProof.serialize_proof(proof, self.group)
+        recovered = SchnorrProof.deserialize_proof(data, self.group)
+        
+        self.assertEqual(recovered.proof_type, proof.proof_type)
+    
+    def test_serialization_with_different_groups(self):
+        """Test serialization works with different pairing groups."""
+        for curve in ['BN254', 'MNT224']:
+            with self.subTest(curve=curve):
+                group = PairingGroup(curve)
+                g = group.random(G1)
+                x = group.random(ZR)
+                h = g ** x
+                
+                proof = SchnorrProof.prove_non_interactive(group, g, h, x)
+                data = SchnorrProof.serialize_proof(proof, group)
+                recovered = SchnorrProof.deserialize_proof(data, group)
+                
+                result = SchnorrProof.verify_non_interactive(
+                    group, g, h, recovered
+                )
+                self.assertTrue(result)
+
+
+class TestProofSerializationErrors(unittest.TestCase):
+    """Tests for serialization error handling."""
+    
+    def setUp(self):
+        self.group = PairingGroup('BN254')
+    
+    def test_deserialize_invalid_data_fails(self):
+        """Test that invalid data raises an exception."""
+        with self.assertRaises(Exception):
+            SchnorrProof.deserialize_proof(b"not valid data", self.group)
+    
+    def test_deserialize_empty_data_fails(self):
+        """Test that empty data raises an exception."""
+        with self.assertRaises(Exception):
+            SchnorrProof.deserialize_proof(b"", self.group)
+
+
+if __name__ == "__main__":
+    unittest.main()
+

charm/test/zkp_compiler/test_range_proof.py

@@ -0,0 +1,241 @@
+"""
+Unit tests for Range Proof implementation.
+
+Tests cover:
+- Basic range proofs with boundary values
+- Different bit sizes for ranges
+- Pedersen commitment creation and properties
+- Proof serialization and deserialization
+"""
+
+import unittest
+from charm.toolbox.pairinggroup import PairingGroup, ZR, G1
+from charm.zkp_compiler.range_proof import RangeProof, RangeProofData
+
+
+class TestRangeProofBasic(unittest.TestCase):
+    """Tests for basic range proof functionality with 8-bit range."""
+
+    def setUp(self):
+        """Set up test fixtures."""
+        self.group = PairingGroup('BN254')
+        self.g = self.group.random(G1)
+        self.h = self.group.random(G1)
+        self.num_bits = 8  # Range [0, 256)
+
+    def test_value_zero(self):
+        """Prove 0 is in range [0, 2^8)."""
+        value = 0
+        randomness = self.group.random(ZR)
+        commitment = RangeProof.create_pedersen_commitment(
+            self.group, self.g, self.h, value, randomness
+        )
+        proof = RangeProof.prove(
+            self.group, self.g, self.h, value, randomness, self.num_bits
+        )
+        result = RangeProof.verify(self.group, self.g, self.h, commitment, proof)
+        self.assertTrue(result)
+
+    def test_value_one(self):
+        """Prove 1 is in range [0, 2^8)."""
+        value = 1
+        randomness = self.group.random(ZR)
+        commitment = RangeProof.create_pedersen_commitment(
+            self.group, self.g, self.h, value, randomness
+        )
+        proof = RangeProof.prove(
+            self.group, self.g, self.h, value, randomness, self.num_bits
+        )
+        result = RangeProof.verify(self.group, self.g, self.h, commitment, proof)
+        self.assertTrue(result)
+
+    def test_value_max(self):
+        """Prove 255 (max value) is in range [0, 2^8)."""
+        value = 255  # 2^8 - 1
+        randomness = self.group.random(ZR)
+        commitment = RangeProof.create_pedersen_commitment(
+            self.group, self.g, self.h, value, randomness
+        )
+        proof = RangeProof.prove(
+            self.group, self.g, self.h, value, randomness, self.num_bits
+        )
+        result = RangeProof.verify(self.group, self.g, self.h, commitment, proof)
+        self.assertTrue(result)
+
+    def test_value_middle(self):
+        """Prove 42 is in range [0, 2^8)."""
+        value = 42
+        randomness = self.group.random(ZR)
+        commitment = RangeProof.create_pedersen_commitment(
+            self.group, self.g, self.h, value, randomness
+        )
+        proof = RangeProof.prove(
+            self.group, self.g, self.h, value, randomness, self.num_bits
+        )
+        result = RangeProof.verify(self.group, self.g, self.h, commitment, proof)
+        self.assertTrue(result)
+
+    def test_value_out_of_range_fails(self):
+        """Value >= 2^n should fail."""
+        value = 256  # 2^8, out of range
+        randomness = self.group.random(ZR)
+        with self.assertRaises(ValueError):
+            RangeProof.prove(
+                self.group, self.g, self.h, value, randomness, self.num_bits
+            )
+
+
+class TestRangeProofDifferentBitSizes(unittest.TestCase):
+    """Tests for range proofs with different bit sizes."""
+
+    def setUp(self):
+        """Set up test fixtures."""
+        self.group = PairingGroup('BN254')
+        self.g = self.group.random(G1)
+        self.h = self.group.random(G1)
+
+    def test_4_bit_range(self):
+        """Test range [0, 16) with 4-bit proof."""
+        num_bits = 4
+        value = 15  # Max value in range
+        randomness = self.group.random(ZR)
+        commitment = RangeProof.create_pedersen_commitment(
+            self.group, self.g, self.h, value, randomness
+        )
+        proof = RangeProof.prove(
+            self.group, self.g, self.h, value, randomness, num_bits
+        )
+        self.assertEqual(proof.num_bits, 4)
+        result = RangeProof.verify(self.group, self.g, self.h, commitment, proof)
+        self.assertTrue(result)
+
+    def test_8_bit_range(self):
+        """Test range [0, 256) with 8-bit proof."""
+        num_bits = 8
+        value = 200
+        randomness = self.group.random(ZR)
+        commitment = RangeProof.create_pedersen_commitment(
+            self.group, self.g, self.h, value, randomness
+        )
+        proof = RangeProof.prove(
+            self.group, self.g, self.h, value, randomness, num_bits
+        )
+        self.assertEqual(proof.num_bits, 8)
+        result = RangeProof.verify(self.group, self.g, self.h, commitment, proof)
+        self.assertTrue(result)
+
+    def test_16_bit_range(self):
+        """Test range [0, 65536) with 16-bit proof."""
+        num_bits = 16
+        value = 50000
+        randomness = self.group.random(ZR)
+        commitment = RangeProof.create_pedersen_commitment(
+            self.group, self.g, self.h, value, randomness
+        )
+        proof = RangeProof.prove(
+            self.group, self.g, self.h, value, randomness, num_bits
+        )
+        self.assertEqual(proof.num_bits, 16)
+        result = RangeProof.verify(self.group, self.g, self.h, commitment, proof)
+        self.assertTrue(result)
+
+
+class TestRangeProofPedersenCommitment(unittest.TestCase):
+    """Tests for Pedersen commitment creation and properties."""
+
+    def setUp(self):
+        """Set up test fixtures."""
+        self.group = PairingGroup('BN254')
+        self.g = self.group.random(G1)
+        self.h = self.group.random(G1)
+
+    def test_create_commitment(self):
+        """Test commitment creation helper."""
+        value = 42
+        randomness = self.group.random(ZR)
+        commitment = RangeProof.create_pedersen_commitment(
+            self.group, self.g, self.h, value, randomness
+        )
+        # Verify commitment is C = g^v * h^r
+        v = self.group.init(ZR, value)
+        expected = (self.g ** v) * (self.h ** randomness)
+        self.assertEqual(commitment, expected)
+
+    def test_commitment_hiding(self):
+        """Same value, different randomness = different commitment."""
+        value = 42
+        r1 = self.group.random(ZR)
+        r2 = self.group.random(ZR)
+        c1 = RangeProof.create_pedersen_commitment(
+            self.group, self.g, self.h, value, r1
+        )
+        c2 = RangeProof.create_pedersen_commitment(
+            self.group, self.g, self.h, value, r2
+        )
+        # Different randomness should produce different commitments
+        self.assertNotEqual(c1, c2)
+
+    def test_commitment_binding(self):
+        """Commitment is binding - different values produce different commitments."""
+        r = self.group.random(ZR)
+        c1 = RangeProof.create_pedersen_commitment(
+            self.group, self.g, self.h, 42, r
+        )
+        c2 = RangeProof.create_pedersen_commitment(
+            self.group, self.g, self.h, 43, r
+        )
+        # Different values with same randomness should produce different commitments
+        self.assertNotEqual(c1, c2)
+
+
+class TestRangeProofSerialization(unittest.TestCase):
+    """Tests for proof serialization and deserialization."""
+
+    def setUp(self):
+        """Set up test fixtures."""
+        self.group = PairingGroup('BN254')
+        self.g = self.group.random(G1)
+        self.h = self.group.random(G1)
+        self.num_bits = 4  # Use small bit size for fast tests
+
+    def test_serialization_roundtrip(self):
+        """Serialize and deserialize proof."""
+        value = 10
+        randomness = self.group.random(ZR)
+        proof = RangeProof.prove(
+            self.group, self.g, self.h, value, randomness, self.num_bits
+        )
+        # Serialize
+        serialized = RangeProof.serialize_proof(proof, self.group)
+        self.assertIsInstance(serialized, bytes)
+        # Deserialize
+        deserialized = RangeProof.deserialize_proof(serialized, self.group)
+        # Check structure is preserved
+        self.assertEqual(deserialized.num_bits, proof.num_bits)
+        self.assertEqual(deserialized.proof_type, proof.proof_type)
+        self.assertEqual(len(deserialized.bit_commitments), len(proof.bit_commitments))
+        self.assertEqual(len(deserialized.bit_proofs), len(proof.bit_proofs))
+
+    def test_serialized_proof_verifies(self):
+        """Deserialized proof still verifies."""
+        value = 12
+        randomness = self.group.random(ZR)
+        commitment = RangeProof.create_pedersen_commitment(
+            self.group, self.g, self.h, value, randomness
+        )
+        proof = RangeProof.prove(
+            self.group, self.g, self.h, value, randomness, self.num_bits
+        )
+        # Serialize and deserialize
+        serialized = RangeProof.serialize_proof(proof, self.group)
+        deserialized = RangeProof.deserialize_proof(serialized, self.group)
+        # Verify deserialized proof
+        result = RangeProof.verify(
+            self.group, self.g, self.h, commitment, deserialized
+        )
+        self.assertTrue(result)
+
+
+if __name__ == "__main__":
+    unittest.main()
+