fix unit-tests and update test vectors

Author: mmaker

src/codec.rs

@@ -23,7 +23,11 @@ pub trait Codec {
     type Challenge;
 
     /// Generates an empty codec that can be identified by a domain separator.
-    fn new(protocol_identifier: &[u8], session_identifier: &[u8], instance_label: &[u8]) -> Self;
+    fn new(
+        protocol_identifier: &[u8; 64],
+        session_identifier: &[u8],
+        instance_label: &[u8],
+    ) -> Self;
 
     /// Allows for precomputed initialization of the codec with a specific IV.
     fn from_iv(iv: [u8; 64]) -> Self;
@@ -65,12 +69,11 @@ fn length_to_bytes(x: usize) -> [u8; WORD_SIZE] {
 /// This function computes a deterministic IV from the protocol identifier,
 /// session identifier, and instance label using the specified duplex sponge.
 pub fn compute_iv<H: DuplexSpongeInterface>(
-    protocol_id: &[u8],
+    protocol_id: &[u8; 64],
     session_id: &[u8],
     instance_label: &[u8],
 ) -> [u8; 64] {
     let mut tmp = H::new([0u8; 64]);
-    tmp.absorb(&length_to_bytes(protocol_id.len()));
     tmp.absorb(protocol_id);
     tmp.absorb(&length_to_bytes(session_id.len()));
     tmp.absorb(session_id);
@@ -86,9 +89,16 @@ where
 {
     type Challenge = G::Scalar;
 
-    fn new(protocol_id: &[u8], session_id: &[u8], instance_label: &[u8]) -> Self {
-        let iv = compute_iv::<H>(protocol_id, session_id, instance_label);
-        Self::from_iv(iv)
+    fn new(protocol_id: &[u8; 64], session_id: &[u8], instance_label: &[u8]) -> Self {
+        let mut hasher = H::new(*protocol_id);
+        hasher.absorb(&length_to_bytes(session_id.len()));
+        hasher.absorb(session_id);
+        hasher.absorb(&length_to_bytes(instance_label.len()));
+        hasher.absorb(instance_label);
+        Self {
+            hasher,
+            _marker: core::marker::PhantomData,
+        }
     }
 
     fn from_iv(iv: [u8; 64]) -> Self {

src/composition.rs

@@ -556,7 +556,7 @@ impl<G: PrimeGroup + ConstantTimeEq + ConditionallySelectable> SigmaProtocol
         }
     }
 
-    fn protocol_identifier(&self) -> impl AsRef<[u8]> {
+    fn protocol_identifier(&self) -> [u8; 64] {
         let mut hasher = Sha3_256::new();
 
         match self {
@@ -569,19 +569,21 @@ impl<G: PrimeGroup + ConstantTimeEq + ConditionallySelectable> SigmaProtocol
                 let mut hasher = Sha3_256::new();
                 hasher.update([1u8; 32]);
                 for p in protocols {
-                    hasher.update(p.protocol_identifier());
+                    hasher.update(p.protocol_identifier().as_ref());
                 }
             }
             ComposedRelation::Or(protocols) => {
                 let mut hasher = Sha3_256::new();
                 hasher.update([2u8; 32]);
                 for p in protocols {
-                    hasher.update(p.protocol_identifier());
+                    hasher.update(p.protocol_identifier().as_ref());
                 }
             }
         }
 
-        hasher.finalize()
+        let mut protocol_id = [0u8; 64];
+        (&mut protocol_id[..32]).clone_from_slice(&hasher.finalize());
+        protocol_id
     }
 
     fn serialize_response(&self, response: &Self::Response) -> Vec<u8> {

src/fiat_shamir.rs

@@ -68,7 +68,7 @@ where
     /// A new [`Nizk`] that can generate and verify non-interactive proofs.
     pub fn new(session_identifier: &[u8], interactive_proof: P) -> Self {
         let hash_state = C::new(
-            interactive_proof.protocol_identifier().as_ref(),
+            &interactive_proof.protocol_identifier(),
             session_identifier,
             interactive_proof.instance_label().as_ref(),
         );

src/schnorr_protocol.rs

@@ -233,8 +233,11 @@ impl<G: PrimeGroup> SigmaProtocol for CanonicalLinearRelation<G> {
         self.label()
     }
 
-    fn protocol_identifier(&self) -> impl AsRef<[u8]> {
-        b"draft-zkproof-fiat-shamir"
+    fn protocol_identifier(&self) -> [u8; 64] {
+        const PROTOCOL_ID: &[u8; 32] = b"ietf sigma proof linear relation";
+        let mut protocol_id = [0; 64];
+        protocol_id[..32].clone_from_slice(PROTOCOL_ID);
+        protocol_id
     }
 }
 

src/traits.rs

@@ -98,7 +98,7 @@ pub trait SigmaProtocol {
     /// Deserializes a response from bytes.
     fn deserialize_response(&self, data: &[u8]) -> Result<Self::Response, Error>;
 
-    fn protocol_identifier(&self) -> impl AsRef<[u8]>;
+    fn protocol_identifier(&self) -> [u8; 64];
 
     fn instance_label(&self) -> impl AsRef<[u8]>;
 }

tests/relations/mod.rs

@@ -182,27 +182,25 @@ pub fn range_instance_generation<G: PrimeGroup, R: RngCore>(
     let [var_G, var_H] = instance.allocate_elements();
     let [var_x, var_r] = instance.allocate_scalars();
     let vars_b = instance.allocate_scalars_vec(bases.len());
-    let vars_s = instance.allocate_scalars_vec(bases.len() - 1);
+    let vars_s = instance.allocate_scalars_vec(bases.len());
     let var_s2 = instance.allocate_scalars_vec(bases.len());
     let var_Ds = instance.allocate_elements_vec(bases.len());
 
     // `var_C` is a Pedersen commitment to `var_x`.
     let var_C = instance.allocate_eq(var_x * var_G + var_r * var_H);
     // `var_Ds[i]` are bit commitments...
-    for i in 1..bases.len() {
+    for i in 0..bases.len() {
         instance.append_equation(var_Ds[i], vars_b[i] * var_G + vars_s[i] * var_H);
         instance.append_equation(var_Ds[i], vars_b[i] * var_Ds[i] + var_s2[i] * var_H);
     }
     // ... satisfying that sum(Ds[i] * bases[i]) = C
     instance.append_equation(
-        var_Ds[0],
-        var_C
-            - var_G * G::Scalar::from(range.start)
-            - (1..bases.len())
+        var_C,
+        var_G * G::Scalar::from(range.start)
+            + (0..bases.len())
                 .map(|i| var_Ds[i] * G::Scalar::from(bases[i]))
                 .sum::<Sum<_>>(),
     );
-    instance.append_equation(var_Ds[0], vars_b[0] * var_Ds[0] + var_s2[0] * var_H);
 
     // Compute the witness
     let r = G::Scalar::random(&mut rng);
@@ -492,24 +490,26 @@ pub fn elgamal_subtraction<G: PrimeGroup, R: RngCore>(
     let mut instance = LinearRelation::new();
     let [dk, a, r] = instance.allocate_scalars();
     let [ek, C, D, H, G] = instance.allocate_elements();
-    let v = G::Scalar::from(100);
 
     instance.append_equation(ek, dk * H);
 
     instance.append_equation(D, r * H);
     instance.append_equation(C, r * ek + a * G);
 
-    instance.append_equation(C, G * v + dk * D + a * G);
+    instance.append_equation(C, dk * D + a * G);
 
-    // set dk for testing to
-    let witness = vec![
-        G::Scalar::from(4242),
-        G::Scalar::from(1000),
-        G::Scalar::random(&mut *rng),
-    ];
+    let witness_dk = G::Scalar::from(4242);
+    let witness_a = G::Scalar::from(1000);
+    let witness_r = G::Scalar::random(&mut *rng);
+    let witness = vec![witness_dk, witness_a, witness_r];
+
+    // Assign group elements consistent with the witness so compute_image is unnecessary.
     let alt_gen = G::random(&mut *rng);
     instance.set_elements([(G, G::generator()), (H, alt_gen)]);
-    instance.compute_image(&witness).unwrap();
+    let ek_val = alt_gen * witness_dk;
+    let D_val = alt_gen * witness_r;
+    let C_val = ek_val * witness_r + G::generator() * witness_a;
+    instance.set_elements([(ek, ek_val), (D, D_val), (C, C_val)]);
 
     (instance.canonical().unwrap(), witness)
 }

tests/spec/custom_schnorr_protocol.rs

@@ -88,7 +88,7 @@ impl<G: SRandom + PrimeGroup> SigmaProtocol for DeterministicSchnorrProof<G> {
         self.0.instance_label()
     }
 
-    fn protocol_identifier(&self) -> impl AsRef<[u8]> {
+    fn protocol_identifier(&self) -> [u8; 64] {
         self.0.protocol_identifier()
     }
 }

tests/spec_vectors.rs

@@ -18,7 +18,6 @@ struct TestVector {
     session_id: Vec<u8>,
     statement: Vec<u8>,
     witness: Vec<u8>,
-    iv: Vec<u8>,
     proof: Vec<u8>,
 }
 
@@ -78,17 +77,10 @@ fn test_spec_testvectors() {
         let nizk = SchnorrNizk::new(&vector.session_id, protocol);
 
         // Verify that the computed IV matches the test vector IV
-        let protocol_id = b"draft-zkproof-fiat-shamir";
-        let instance_label = parsed_instance.label();
-        let computed_iv = sigma_proofs::codec::compute_iv::<sigma_proofs::KeccakDuplexSponge>(
-            protocol_id,
-            &vector.session_id,
-            &instance_label,
-        );
-        assert_eq!(
-            computed_iv,
-            vector.iv.as_slice(),
-            "Computed IV doesn't match test vector IV for {test_name}"
+        // Ensure the provided test vector proof verifies.
+        assert!(
+            nizk.verify_batchable(&vector.proof).is_ok(),
+            "Fiat-Shamir Schnorr proof from vectors did not verify for {test_name}"
         );
 
         // Generate proof with the proof generation RNG
@@ -145,15 +137,8 @@ fn extract_vectors_new() -> Result<HashMap<String, TestVector>, String> {
         )
         .map_err(|e| format!("Invalid hex in Witness for {name}: {e}"))?;
 
-        let iv = Vec::from_hex(
-            obj["IV"]
-                .as_str()
-                .ok_or_else(|| format!("IV field not found for {name}"))?,
-        )
-        .map_err(|e| format!("Invalid hex in IV for {name}: {e}"))?;
-
         let proof = Vec::from_hex(
-            obj["Proof"]
+            obj["Batchable Proof"]
                 .as_str()
                 .ok_or_else(|| format!("Proof field not found for {name}"))?,
         )
@@ -166,7 +151,6 @@ fn extract_vectors_new() -> Result<HashMap<String, TestVector>, String> {
                 session_id,
                 statement,
                 witness,
-                iv,
                 proof,
             },
         );