ProverInterpreter
Related Doc:
package interpreter
Processor instance which is used by this interpreter to execute ErgoTrees that contain neither DeserializeContext nor sigmastate.utxo.DeserializeRegister operations.
Processor instance which is used by this interpreter to execute ErgoTrees that contain neither DeserializeContext nor sigmastate.utxo.DeserializeRegister operations.
Substitute Deserialize* nodes with deserialized subtrees We can estimate cost of the tree evaluation only after this step.
Substitute Deserialize* nodes with deserialized subtrees We can estimate cost of the tree evaluation only after this step.
A method which is extracting partial proofs of secret knowledge for particular secrets with their respective public images given.
A method which is extracting partial proofs of secret knowledge for particular secrets with their respective public images given. Useful for distributed signature applications.
See DistributedSigSpecification for examples of usage.
- context used to reduce the proposition
- public key (in form of a sigma-tree)
- signature for the key
- public keys of secrets with real proofs
- public keys of secrets with simulated proofs
- bag of OtherSecretProven and OtherCommitment hints
A method which is extracting partial proofs of secret knowledge for particular secrets with their respective public images given.
A method which is extracting partial proofs of secret knowledge for particular secrets with their respective public images given. Useful for distributed signature applications.
See DistributedSigSpecification for examples of usage.
- context used to reduce the proposition
- proposition to reduce
- proof for reduced proposition
- public keys of secrets with real proofs
- public keys of secrets with simulated proofs
- bag of OtherSecretProven and OtherCommitment hints
Verifier Step 4: For every leaf node, compute the commitment a from the challenge e and response $z$, per the verifier algorithm of the leaf's Sigma-protocol.
Verifier Step 4: For every leaf node, compute the commitment a from the challenge e and response $z$, per the verifier algorithm of the leaf's Sigma-protocol. If the verifier algorithm of the Sigma-protocol for any of the leaves rejects, then reject the entire proof.
Deserializes given script bytes using ValueSerializer (i.e.
Deserializes given script bytes using ValueSerializer (i.e. assuming expression tree format).
It also measures tree complexity adding to the total estimated cost of script execution.
The new returned context contains increased initCost and should be used for further processing.
The method SHOULD be called only inside trySoftForkable scope, to make deserialization soft-forkable.
NOTE: While ErgoTree is always of type SigmaProp, ValueSerializer can serialize expression of any type. So it cannot be replaced with ErgoTreeSerializer here.
Full reduction of initial expression given in the ErgoTree form to a SigmaBoolean value (which encodes whether a sigma-protocol proposition or a boolean value, so true or false).
Full reduction of initial expression given in the ErgoTree form to a SigmaBoolean value (which encodes whether a sigma-protocol proposition or a boolean value, so true or false).
Works as follows: 1) parse ErgoTree instance into a typed AST 2) go bottom-up the tree to replace DeserializeContext nodes only 3) estimate cost and reduce the AST to a SigmaBoolean instance (so sigma-tree or trivial boolean value)
- input ErgoTree expression to reduce
- context used in reduction
- script environment
sigma boolean and the updated cost counter after reduction
Generate commitments for given crypto-tree (sigma-tree) for prover's secrets.
Generate commitments for given ergo tree for prover's secrets.
Generate commitments for given ergo tree for prover's secrets. The prover is reducing the given tree to crypto-tree by using the given context, and then generates commitments.
A method which is is generating commitments for all the public keys provided.
A method which is is generating commitments for all the public keys provided.
Currently only keys in form of ProveDlog and ProveDiffieHellman are supported, not more complex subtrees.
- crypto-tree
- public keys for which commitments should be generated
generated commitments (private, containing secret randomness, and public, containing only commitments)
Generate commitments for a given ergoTree (mixed-tree) and public keys.
Generate commitments for a given ergoTree (mixed-tree) and public keys.
First, the given tree is to be reduced to crypto-tree (sigma-tree) by using context provided.
Prover Step 1: This step will mark as "real" every node for which the prover can produce a real proof.
Prover Step 1: This step will mark as "real" every node for which the prover can produce a real proof. This step may mark as "real" more nodes than necessary if the prover has more than the minimal necessary number of witnesses (for example, more than one child of an OR). This will be corrected in the next step. In a bottom-up traversal of the tree, do the following for each node:
Prover Step 3: This step will change some "real" nodes to "simulated" to make sure each node has the right number of simulated children.
Prover Step 3: This step will change some "real" nodes to "simulated" to make sure each node has the right number of simulated children. Also, children will get proper position set during this step. In a top-down traversal of the tree, do the following for each node:
Extracts proposition for ErgoTree handing soft-fork condition.
Extracts proposition for ErgoTree handing soft-fork condition.
soft-fork handler
The comments in this section are taken from the algorithm for the Sigma-protocol prover as described in the ErgoScript white-paper https://ergoplatform.org/docs/ErgoScript.pdf , Appendix A
The comments in this section are taken from the algorithm for the Sigma-protocol prover as described in the ErgoScript white-paper https://ergoplatform.org/docs/ErgoScript.pdf , Appendix A
Prover Step 9: Perform a top-down traversal of only the portion of the tree marked "real" in order to compute the challenge e for every node marked "real" below the root and, additionally, the response z for every leaf marked "real"
Public keys of prover's secrets.
Public keys of prover's secrets. This operation can be costly if there are many secrets the prover knows, consider re-implementation of this field then.
This method is used in both prover and verifier to compute SigmaBoolean value.
This method is used in both prover and verifier to compute SigmaBoolean value.
As the first step the cost of computing the exp expression in the given context is estimated.
If cost is above limit
then exception is returned and exp is not executed
else exp is computed in the given context and the resulting SigmaBoolean returned.
the context in which exp should be executed
environment of system variables used by the interpreter internally
expression to be executed in the given context
result of script reduction
ReductionResult
Set positions for children of a unproven inner node (conjecture, so AND/OR/THRESHOLD)
Set positions for children of a unproven inner node (conjecture, so AND/OR/THRESHOLD)
Sign arbitrary message under a key representing a statement provable via a sigma-protocol.
Sign arbitrary message under a key representing a statement provable via a sigma-protocol.
- public key
- message to sign
- additional hints for a signer (useful for distributed signing)
- signature or error
Prover Step 4: In a top-down traversal of the tree, compute the challenges e for simulated children of every node Prover Step 5: For every leaf marked "simulated", use the simulator of the Sigma-protocol for that leaf to compute the commitment $a$ and the response z, given the challenge e that is already stored in the leaf.
Prover Step 4: In a top-down traversal of the tree, compute the challenges e for simulated children of every node Prover Step 5: For every leaf marked "simulated", use the simulator of the Sigma-protocol for that leaf to compute the commitment $a$ and the response z, given the challenge e that is already stored in the leaf. Prover Step 6: For every leaf marked "real", use the first prover step of the Sigma-protocol for that leaf to compute the commitment a.
call back to setup new context (with updated cost limit) to be passed next time
Executes the script in a given context.
Executes the script in a given context.
Step 1: Deserialize context variables
Step 2: Evaluate expression and produce SigmaProp value, which is zero-knowledge statement (see also SigmaBoolean).
Step 3: Verify that the proof is presented to satisfy SigmaProp conditions.
environment of system variables used by the interpreter internally
ErgoTree expression to execute in the given context and verify its result
the context in which exp should be executed
The proof of knowledge of the secrets which is expected by the resulting SigmaProp
message bytes, which are used in verification of the proof
verification result or Exception.
If if the estimated cost of execution of the exp exceeds the limit (given in context),
then exception if thrown and packed in Try.
If left component is false, then:
1) script executed to false or
2) the given proof failed to validate resulting SigmaProp conditions.
reduceToCrypto
Verify a signature on given (arbitrary) message for a given public key.
Verify a signature on given (arbitrary) message for a given public key.
- public key (represented as a tree)
- message
- signature for the message
- whether signature is valid or not
Interpreter with enhanced functionality to prove statements.