Line data    Source code

       1             : /**
       2             : * @file       Params.h
       3             : *
       4             : * @brief      Parameter classes for Zerocoin.
       5             : *
       6             : * @author     Ian Miers, Christina Garman and Matthew Green
       7             : * @date       June 2013
       8             : *
       9             : * @copyright  Copyright 2013 Ian Miers, Christina Garman and Matthew Green
      10             : * @license    This project is released under the MIT license.
      11             : **/
      12             : // Copyright (c) 2017-2021 The PIVX Core developers
      13             : 
      14             : #ifndef PIVX_LIBZEROCOIN_PARAMS_H
      15             : #define PIVX_LIBZEROCOIN_PARAMS_H
      16             : 
      17             : #include "bignum.h"
      18             : #include "ZerocoinDefines.h"
      19             : 
      20             : namespace libzerocoin {
      21             : 
      22             : class IntegerGroupParams {
      23             : public:
      24             :         /** @brief Integer group class, default constructor
      25             :         *
      26             :         * Allocates an empty (uninitialized) set of parameters.
      27             :         **/
      28             :         IntegerGroupParams();
      29             : 
      30             :         /**
      31             :          * Generates a random group element
      32             :          * @return a random element in the group.
      33             :          */
      34             :         CBigNum randomElement() const;
      35             :         bool initialized;
      36             : 
      37             :         /**
      38             :          * A generator for the group.
      39             :          */
      40             :         CBigNum g;
      41             : 
      42             :         /**
      43             :          * A second generator for the group.
      44             :          * Note log_g(h) and log_h(g) must
      45             :          * be unknown.
      46             :          */
      47             :         CBigNum h;
      48             : 
      49             :         /**
      50             :          * The modulus for the group.
      51             :          */
      52             :         CBigNum modulus;
      53             : 
      54             :         /**
      55             :          * The order of the group
      56             :          */
      57             :         CBigNum groupOrder;
      58             : 
      59           0 :     SERIALIZE_METHODS(IntegerGroupParams, obj) { READWRITE(obj.initialized, obj.g , obj.h, obj.modulus, obj.groupOrder); }
      60             : };
      61             : 
      62             : class AccumulatorAndProofParams {
      63             : public:
      64             :         /** @brief Construct a set of Zerocoin parameters from a modulus "N".
      65             :         * @param N                A trusted RSA modulus
      66             :         * @param securityLevel    A security level expressed in symmetric bits (default 80)
      67             :         *
      68             :         * Allocates and derives a set of Zerocoin parameters from
      69             :         * a trustworthy RSA modulus "N". This routine calculates all
      70             :         * of the remaining parameters (group descriptions etc.) from N
      71             :         * using a verifiable, deterministic procedure.
      72             :         *
      73             :         * Note: this constructor makes the fundamental assumption that "N"
      74             :         * encodes a valid RSA-style modulus of the form "e1 * e2" where
      75             :         * "e1" and "e2" are safe primes. The factors "e1", "e2" MUST NOT
      76             :         * be known to any party, or the security of Zerocoin is
      77             :         * compromised. The integer "N" must be a MINIMUM of 1024
      78             :         * in length. 3072 bits is strongly recommended.
      79             :         **/
      80             :         AccumulatorAndProofParams();
      81             : 
      82             :         //AccumulatorAndProofParams(CBigNum accumulatorModulus);
      83             : 
      84             :         bool initialized;
      85             : 
      86             :         /**
      87             :          * Modulus used for the accumulator.
      88             :          * Product of two safe primes who's factorization is unknown.
      89             :          */
      90             :         CBigNum accumulatorModulus;
      91             : 
      92             :         /**
      93             :          * The initial value for the accumulator
      94             :          * A random Quadratic residue mod n that's not 1
      95             :          */
      96             :         CBigNum accumulatorBase;
      97             : 
      98             :         /**
      99             :          * Lower bound on the value for committed coin.
     100             :          * Required by the accumulator proof.
     101             :          */
     102             :         CBigNum minCoinValue;
     103             : 
     104             :         /**
     105             :          * Upper bound on the value for a committed coin.
     106             :          * Required by the accumulator proof.
     107             :          */
     108             :         CBigNum maxCoinValue;
     109             : 
     110             :         /**
     111             :          * The second of two groups used to form a commitment to
     112             :          * a coin (which it self is a commitment to a serial number).
     113             :          * This one differs from serialNumberSokCommitment due to
     114             :          * restrictions from Camenisch and Lysyanskaya's paper.
     115             :          */
     116             :         IntegerGroupParams accumulatorPoKCommitmentGroup;
     117             : 
     118             :         /**
     119             :          * Hidden order quadratic residue group mod N.
     120             :          * Used in the accumulator proof.
     121             :          */
     122             :         IntegerGroupParams accumulatorQRNCommitmentGroup;
     123             : 
     124             :         /**
     125             :          * Security parameter.
     126             :          * Bit length of the challenges used in the accumulator proof.
     127             :          */
     128             :         uint32_t k_prime;
     129             : 
     130             :     /**
     131             :      * Security parameter.
     132             :      * The statistical zero-knowledgeness of the accumulator proof.
     133             :      */
     134             :     uint32_t k_dprime;
     135           0 :     SERIALIZE_METHODS(AccumulatorAndProofParams, obj) {
     136           0 :         READWRITE(obj.initialized, obj.accumulatorModulus, obj.accumulatorBase, obj.accumulatorPoKCommitmentGroup);
     137           0 :         READWRITE(obj.accumulatorQRNCommitmentGroup, obj.minCoinValue, obj.maxCoinValue, obj.k_prime, obj.k_dprime);
     138           0 :     }
     139             : };
     140             : 
     141             : class ZerocoinParams {
     142             : public:
     143             :         /** @brief Construct a set of Zerocoin parameters from a modulus "N".
     144             :         * @param N                A trusted RSA modulus
     145             :         * @param securityLevel    A security level expressed in symmetric bits (default 80)
     146             :         *
     147             :         * Allocates and derives a set of Zerocoin parameters from
     148             :         * a trustworthy RSA modulus "N". This routine calculates all
     149             :         * of the remaining parameters (group descriptions etc.) from N
     150             :         * using a verifiable, deterministic procedure.
     151             :         *
     152             :         * Note: this constructor makes the fundamental assumption that "N"
     153             :         * encodes a valid RSA-style modulus of the form "e1 * e2" where
     154             :         * "e1" and "e2" are safe primes. The factors "e1", "e2" MUST NOT
     155             :         * be known to any party, or the security of Zerocoin is
     156             :         * compromised. The integer "N" must be a MINIMUM of 1024
     157             :         * in length. 3072 bits is strongly recommended.
     158             :         **/
     159             :         explicit ZerocoinParams(CBigNum accumulatorModulus, uint32_t securityLevel = ZEROCOIN_DEFAULT_SECURITYLEVEL);
     160             : 
     161             :         bool initialized;
     162             : 
     163             :         AccumulatorAndProofParams accumulatorParams;
     164             : 
     165             :         /**
     166             :          * The Quadratic Residue group from which we form
     167             :          * a coin as a commitment  to a serial number.
     168             :          */
     169             :         IntegerGroupParams coinCommitmentGroup;
     170             : 
     171             :         /**
     172             :          * One of two groups used to form a commitment to
     173             :          * a coin (which it self is a commitment to a serial number).
     174             :          * This is the one used in the serial number poof.
     175             :          * It's order must be equal to the modulus of coinCommitmentGroup.
     176             :          */
     177             :         IntegerGroupParams serialNumberSoKCommitmentGroup;
     178             : 
     179             :         /**
     180             :          * The number of iterations to use in the serial
     181             :          * number proof.
     182             :          */
     183             :         uint32_t zkp_iterations;
     184             : 
     185             :         /**
     186             :          * The amount of the hash function we use for
     187             :          * proofs.
     188             :          */
     189             :         uint32_t zkp_hash_len;
     190             : 
     191           0 :     SERIALIZE_METHODS(ZerocoinParams, obj) {
     192           0 :         READWRITE(obj.initialized, obj.accumulatorParams, obj.coinCommitmentGroup, obj.serialNumberSoKCommitmentGroup, obj.zkp_iterations, obj.zkp_hash_len);
     193             :     }
     194             : };
     195             : 
     196             : } /* namespace libzerocoin */
     197             : 
     198             : #endif // PIVX_LIBZEROCOIN_PARAMS_H