## User actions
1. Generate pub/priv key pair
2. Registration
   - Register your hiding commitment
3. Wait for registration to complete (wait until specified blocktime)
4. Smart contract chooses the werewolf using previous block hash
   - block hash mod set size = werewolf index
   - (based on hiding commitment, not pubkey)
--- Game starts ---
5. Werewolf submits a proof-of-opening, a signature, and the hiding commitment of the player to eliminate
6. Vote on the guess of who's the werewolf
   - Sign your vote with your pub key
7. Remove the voted public key and abstain pub keys
--- Challenge phase ---
8. If the werewolf doesn't submit a proof that the preimage is not the pub key which was voted out, the game ends. If it can, the game continues.
9. If the tanner opens the commitment that equals the voted-out pub key, the game ends.
## Game flow
### A game starts
**Registration**
- Users register their public keys
**Round**
If this is the first round
- 1. Players submit their hiding commitments
- 2. The smart contract chooses 2 commitments
- 3. Players vote to eliminate a player (pub key)
- 4. How to know the werewolf is still alive
- If it can prove it can to a public key that is not the it wins
**Round **
$C_{i1} = g_1^s \cdot h_1^{r_1}$
$g_1^{s_1} - C_{i1}$
Open $C_{i1}$
Vote
- against a public key
Private voting
- Proof of opening
- Proof of equivalence
- Equivalent to some commitment from the past
### Proof of non-equivalence
Given $C_v = g^{x_v}$
$P$ can give a zk-proof that it knows an $x, r$ such that
$$
C_w = g^{x} \cdot h^r \land x \neq x_v
$$
Observe that, if $x = x_v$, then
$$
\begin{aligned}
C_w / (g^{x_v} \cdot h^r) &= (g^{x} \cdot h^r) / (g^{x_v} \cdot h^r) \\
&= 1
\end{aligned}
$$
and if $x_v \neq x$, then
$$
\begin{aligned}
C_w / (g^{x_v} \cdot h^r) &= (g^{x} \cdot h^r) / (g^{x_v} \cdot h^r) \\
&= g^{x - x_v} = C'
\end{aligned}
$$
Claim 1. $P$ knows an $x'$ such that $g^{x'} = C'$ iff $x \neq x_v$
Proof.
Extractor.
1. $P$ picks a $b \leftarrow_R F_q$ and sends $\beta = g^b$ to the verifier.
2. $V$ picks $c$ and sends it to $P$
3. $P$ sends $z = c(x + x') + b$
4. $V$ checks that $g^z \neq 0$
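
A runnable sketch of the quotient argument above, as an added example (not code from the original notes): it checks $C' = 1$ versus $C' = g^{x - x_v}$ in a toy group and uses a standard Fiat-Shamir Schnorr proof in place of the unfinished steps 1-4. The group parameters, all function names, and the choice to have the prover reveal $h^r$ (with a proof of knowledge of $r$) so the verifier can form $C'$ are assumptions made for this example.

```python
import hashlib
import secrets

# Toy group, constructed for illustration only (far too small for real use):
# p = 2q + 1 is a safe prime; g and h are squares mod p, so both have order q.
P, Q, G, H = 2039, 1019, 4, 9

def commit(x, r):
    """Pedersen hiding commitment C = g^x * h^r mod p."""
    return pow(G, x % Q, P) * pow(H, r % Q, P) % P

def quotient(c_w, c_v, big_r):
    """C' = C_w / (C_v * h^r), with C_v = g^{x_v} and big_r = h^r."""
    return c_w * pow(c_v * big_r % P, -1, P) % P

def challenge(base, target, beta):
    """Fiat-Shamir challenge standing in for the verifier's random c."""
    data = f"{P}|{base}|{target}|{beta}".encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def schnorr_prove(base, secret):
    """Prove knowledge of `secret` such that base^secret is the target."""
    b = secrets.randbelow(Q)
    beta = pow(base, b, P)
    c = challenge(base, pow(base, secret, P), beta)
    return beta, (c * secret + b) % Q

def schnorr_verify(base, target, proof):
    """Check base^z == beta * target^c for the recomputed challenge c."""
    beta, z = proof
    c = challenge(base, target, beta)
    return pow(base, z, P) == beta * pow(target, c, P) % P

def prove_nonequal(x, r, x_v):
    """Prover reveals h^r (assumption) and proves knowledge of r and x - x_v."""
    big_r = pow(H, r % Q, P)
    return big_r, schnorr_prove(H, r % Q), schnorr_prove(G, (x - x_v) % Q)

def verify_nonequal(c_w, c_v, big_r, proof_r, proof_x):
    """Accept only if C' != 1 and both knowledge proofs check out."""
    c_prime = quotient(c_w, c_v, big_r)
    return (c_prime != 1
            and schnorr_verify(H, big_r, proof_r)
            and schnorr_verify(G, c_prime, proof_x))
```

Revealing $h^r$ also reveals $g^x = C_w / h^r$, so anyone who can enumerate candidate values of $x$ can test them against it; in this sketch the commitment no longer hides $x$.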