Line data Source code
1 : /** 2 : * @file Params.h 3 : * 4 : * @brief Parameter classes for Zerocoin. 5 : * 6 : * @author Ian Miers, Christina Garman and Matthew Green 7 : * @date June 2013 8 : * 9 : * @copyright Copyright 2013 Ian Miers, Christina Garman and Matthew Green 10 : * @license This project is released under the MIT license. 11 : **/ 12 : // Copyright (c) 2017-2021 The PIVX Core developers 13 : 14 : #ifndef PIVX_LIBZEROCOIN_PARAMS_H 15 : #define PIVX_LIBZEROCOIN_PARAMS_H 16 : 17 : #include "bignum.h" 18 : #include "ZerocoinDefines.h" 19 : 20 : namespace libzerocoin { 21 : 22 : class IntegerGroupParams { 23 : public: 24 : /** @brief Integer group class, default constructor 25 : * 26 : * Allocates an empty (uninitialized) set of parameters. 27 : **/ 28 : IntegerGroupParams(); 29 : 30 : /** 31 : * Generates a random group element 32 : * @return a random element in the group. 33 : */ 34 : CBigNum randomElement() const; 35 : bool initialized; 36 : 37 : /** 38 : * A generator for the group. 39 : */ 40 : CBigNum g; 41 : 42 : /** 43 : * A second generator for the group. 44 : * Note log_g(h) and log_h(g) must 45 : * be unknown. 46 : */ 47 : CBigNum h; 48 : 49 : /** 50 : * The modulus for the group. 51 : */ 52 : CBigNum modulus; 53 : 54 : /** 55 : * The order of the group 56 : */ 57 : CBigNum groupOrder; 58 : 59 0 : SERIALIZE_METHODS(IntegerGroupParams, obj) { READWRITE(obj.initialized, obj.g , obj.h, obj.modulus, obj.groupOrder); } 60 : }; 61 : 62 : class AccumulatorAndProofParams { 63 : public: 64 : /** @brief Construct a set of Zerocoin parameters from a modulus "N". 65 : * @param N A trusted RSA modulus 66 : * @param securityLevel A security level expressed in symmetric bits (default 80) 67 : * 68 : * Allocates and derives a set of Zerocoin parameters from 69 : * a trustworthy RSA modulus "N". This routine calculates all 70 : * of the remaining parameters (group descriptions etc.) from N 71 : * using a verifiable, deterministic procedure. 72 : * 73 : * Note: this constructor makes the fundamental assumption that "N" 74 : * encodes a valid RSA-style modulus of the form "e1 * e2" where 75 : * "e1" and "e2" are safe primes. The factors "e1", "e2" MUST NOT 76 : * be known to any party, or the security of Zerocoin is 77 : * compromised. The integer "N" must be a MINIMUM of 1024 78 : * in length. 3072 bits is strongly recommended. 79 : **/ 80 : AccumulatorAndProofParams(); 81 : 82 : //AccumulatorAndProofParams(CBigNum accumulatorModulus); 83 : 84 : bool initialized; 85 : 86 : /** 87 : * Modulus used for the accumulator. 88 : * Product of two safe primes who's factorization is unknown. 89 : */ 90 : CBigNum accumulatorModulus; 91 : 92 : /** 93 : * The initial value for the accumulator 94 : * A random Quadratic residue mod n that's not 1 95 : */ 96 : CBigNum accumulatorBase; 97 : 98 : /** 99 : * Lower bound on the value for committed coin. 100 : * Required by the accumulator proof. 101 : */ 102 : CBigNum minCoinValue; 103 : 104 : /** 105 : * Upper bound on the value for a committed coin. 106 : * Required by the accumulator proof. 107 : */ 108 : CBigNum maxCoinValue; 109 : 110 : /** 111 : * The second of two groups used to form a commitment to 112 : * a coin (which it self is a commitment to a serial number). 113 : * This one differs from serialNumberSokCommitment due to 114 : * restrictions from Camenisch and Lysyanskaya's paper. 115 : */ 116 : IntegerGroupParams accumulatorPoKCommitmentGroup; 117 : 118 : /** 119 : * Hidden order quadratic residue group mod N. 120 : * Used in the accumulator proof. 121 : */ 122 : IntegerGroupParams accumulatorQRNCommitmentGroup; 123 : 124 : /** 125 : * Security parameter. 126 : * Bit length of the challenges used in the accumulator proof. 127 : */ 128 : uint32_t k_prime; 129 : 130 : /** 131 : * Security parameter. 132 : * The statistical zero-knowledgeness of the accumulator proof. 133 : */ 134 : uint32_t k_dprime; 135 0 : SERIALIZE_METHODS(AccumulatorAndProofParams, obj) { 136 0 : READWRITE(obj.initialized, obj.accumulatorModulus, obj.accumulatorBase, obj.accumulatorPoKCommitmentGroup); 137 0 : READWRITE(obj.accumulatorQRNCommitmentGroup, obj.minCoinValue, obj.maxCoinValue, obj.k_prime, obj.k_dprime); 138 0 : } 139 : }; 140 : 141 : class ZerocoinParams { 142 : public: 143 : /** @brief Construct a set of Zerocoin parameters from a modulus "N". 144 : * @param N A trusted RSA modulus 145 : * @param securityLevel A security level expressed in symmetric bits (default 80) 146 : * 147 : * Allocates and derives a set of Zerocoin parameters from 148 : * a trustworthy RSA modulus "N". This routine calculates all 149 : * of the remaining parameters (group descriptions etc.) from N 150 : * using a verifiable, deterministic procedure. 151 : * 152 : * Note: this constructor makes the fundamental assumption that "N" 153 : * encodes a valid RSA-style modulus of the form "e1 * e2" where 154 : * "e1" and "e2" are safe primes. The factors "e1", "e2" MUST NOT 155 : * be known to any party, or the security of Zerocoin is 156 : * compromised. The integer "N" must be a MINIMUM of 1024 157 : * in length. 3072 bits is strongly recommended. 158 : **/ 159 : explicit ZerocoinParams(CBigNum accumulatorModulus, uint32_t securityLevel = ZEROCOIN_DEFAULT_SECURITYLEVEL); 160 : 161 : bool initialized; 162 : 163 : AccumulatorAndProofParams accumulatorParams; 164 : 165 : /** 166 : * The Quadratic Residue group from which we form 167 : * a coin as a commitment to a serial number. 168 : */ 169 : IntegerGroupParams coinCommitmentGroup; 170 : 171 : /** 172 : * One of two groups used to form a commitment to 173 : * a coin (which it self is a commitment to a serial number). 174 : * This is the one used in the serial number poof. 175 : * It's order must be equal to the modulus of coinCommitmentGroup. 176 : */ 177 : IntegerGroupParams serialNumberSoKCommitmentGroup; 178 : 179 : /** 180 : * The number of iterations to use in the serial 181 : * number proof. 182 : */ 183 : uint32_t zkp_iterations; 184 : 185 : /** 186 : * The amount of the hash function we use for 187 : * proofs. 188 : */ 189 : uint32_t zkp_hash_len; 190 : 191 0 : SERIALIZE_METHODS(ZerocoinParams, obj) { 192 0 : READWRITE(obj.initialized, obj.accumulatorParams, obj.coinCommitmentGroup, obj.serialNumberSoKCommitmentGroup, obj.zkp_iterations, obj.zkp_hash_len); 193 : } 194 : }; 195 : 196 : } /* namespace libzerocoin */ 197 : 198 : #endif // PIVX_LIBZEROCOIN_PARAMS_H