No public description

PiperOrigin-RevId: 846194679

Author: mathsjames

willow/src/zk/linear_ip.rs

@@ -36,6 +36,7 @@ pub struct LinearInnerProductParameters {
     F: RistrettoPoint,
     F_: RistrettoPoint,
     G: Vec<RistrettoPoint>,
+    seed: Vec<u8>,
 }
 
 pub fn inner_product(a: &[Scalar], b: &[Scalar]) -> Scalar {
@@ -59,6 +60,7 @@ fn common_setup(length: usize, parameter_seed: &[u8]) -> LinearInnerProductParam
                 )
             })
             .collect(),
+        seed: parameter_seed.to_vec(),
     }
 }
 
@@ -67,11 +69,9 @@ fn append_params_to_transcript(
     params: &LinearInnerProductParameters,
 ) {
     transcript.append_u64(b"n", params.n as u64);
-    for G_i in &params.G {
-        transcript.append_message(b"G_i", G_i.compress().as_bytes());
-    }
-    transcript.append_message(b"F", params.F.compress().as_bytes());
-    transcript.append_message(b"F_", params.F_.compress().as_bytes());
+    // We append the seed not the resulting params themselves because appending that many params
+    // more than doubles the run time of both prove and verify.
+    transcript.append_message(b"seed", &params.seed);
 }
 
 fn validate_and_append_point(

willow/src/zk/rlwe_relation.rs

@@ -272,9 +272,9 @@ fn update_public_vec_for_range_proof(
     z_r: &Vec<Scalar>,
     z_e: &Vec<Scalar>,
     z_vw: &Vec<Scalar>,
-    psi_r: Scalar,
-    psi_e: Scalar,
-    psi_vw: Scalar,
+    psi_r: &Vec<Scalar>,
+    psi_e: &Vec<Scalar>,
+    psi_vw: &Vec<Scalar>,
     n: usize,
     range_comm_offset: usize,
     samples_required: usize,
@@ -298,20 +298,14 @@ fn update_public_vec_for_range_proof(
 
     // The range proofs equation also involves length 128 innerproducts involving the relevant
     // psi these are included in the last 3*128 entries of the inner product vectors.
-    let mut phi_psi_r_pow = phi;
-    let mut phi2_psi_e_pow = phi2;
-    let mut phi3_psi_vw_pow = phi3;
     for i in 0..128 {
-        public_vec[i + range_comm_offset] = phi_psi_r_pow;
-        public_vec[i + range_comm_offset + 128] = phi2_psi_e_pow;
-        public_vec[i + range_comm_offset + 256] = phi3_psi_vw_pow;
+        public_vec[i + range_comm_offset] = phi * Scalar::from(psi_r[i]);
+        public_vec[i + range_comm_offset + 128] = phi2 * Scalar::from(psi_e[i]);
+        public_vec[i + range_comm_offset + 256] = phi3 * Scalar::from(psi_vw[i]);
         // Add contributions of the range proofs to the overall inner product result.
-        *result += z_r[i] * phi_psi_r_pow;
-        *result += z_e[i] * phi2_psi_e_pow;
-        *result += z_vw[i] * phi3_psi_vw_pow;
-        phi_psi_r_pow *= psi_r;
-        phi2_psi_e_pow *= psi_e;
-        phi3_psi_vw_pow *= psi_vw;
+        *result += z_r[i] * public_vec[i + range_comm_offset];
+        *result += z_e[i] * public_vec[i + range_comm_offset + 128];
+        *result += z_vw[i] * public_vec[i + range_comm_offset + 256];
     }
 }
 
@@ -333,28 +327,39 @@ pub fn generate_challenge_matrix(
     result
 }
 
-// Multiplies a 128 by n matrix m and a length n vector v.
-// m is a binary matrix each column of which has entries given by the bits of a single entry in the
-// input vector m.
-// Both the output and v are vectors of 128 bit signed integers.
-pub fn multiply_by_challenge_matrix(
+// Applies a challenge matrix R1-R2 to a vector v and checks if the result satisfies the conditions
+// for not needing to be rejected. An internal error is returned in the event of rejection otherwise
+// the resulting vector z is returned.
+pub fn try_matrices_and_compute_z(
     v: &[i128],
-    m: &[u128],
+    R1: &[u128],
+    R2: &[u128],
+    y: &[i128],
+    half_loose_bound: i128,
 ) -> Result<Vec<i128>, status::StatusError> {
     let n = v.len();
-    if m.len() != n {
-        return Err(status::failed_precondition("m and v have different lengths".to_string()));
+    if n != R1.len() || n != R2.len() {
+        return Err(status::failed_precondition(
+            "R1, R2, and v must have the same length".to_string(),
+        ));
     }
-
-    let mut result = vec![0 as i128; 128];
-    for i in 0..n {
-        for j in 0..128 {
-            if m[i] & (1u128 << j) != 0 {
-                result[j] += v[i];
+    let mut z = vec![0 as i128; 128];
+    for j in 0..128 {
+        let mut u = 0i128;
+        for i in 0..n {
+            if R1[i] & (1u128 << j) != 0 {
+                u += v[i];
+            }
+            if R2[i] & (1u128 << j) != 0 {
+                u -= v[i];
             }
         }
+        z[j] = u + y[j];
+        if u.abs() > half_loose_bound / 128 || z[j].abs() > half_loose_bound {
+            return Err(status::internal("Sample Rejected"));
+        }
     }
-    Ok(result)
+    Ok(z)
 }
 
 // Linearly combines the 128 vector challenges of a challenge matrix into a single vector challenge
@@ -364,33 +369,37 @@ pub fn flatten_challenge_matrix(
     R1: Vec<u128>,
     R2: Vec<u128>,
     challenge_label: &'static [u8],
-) -> Result<(Vec<Scalar>, Scalar), status::StatusError> {
+) -> Result<(Vec<Scalar>, Vec<Scalar>), status::StatusError> {
     let n = R1.len();
     if n != R2.len() {
         return Err(status::failed_precondition("R1 and R2 have different lengths".to_string()));
     }
 
-    let mut buf = [0u8; 64];
-    transcript.challenge_bytes(challenge_label, &mut buf);
-    let psi = Scalar::from_bytes_mod_order_wide(&buf);
-
-    let mut R = vec![Scalar::from(0 as u64); n];
-    let mut psi_powers = [Scalar::from(1 as u64); 128];
-    for j in 1..128 {
-        psi_powers[j] = psi_powers[j - 1] * psi;
+    let mut Rplus = vec![0u128; n];
+    let mut Rminus = vec![0u128; n];
+    let mut Rscalar = vec![Scalar::from(0 as u64); n];
+
+    let mut psi = [0u128; 128];
+    let mut psi_scalar = vec![Scalar::from(0 as u64); 128];
+    let mut buf = [0u8; 16];
+    for j in 0..128 {
+        transcript.challenge_bytes(challenge_label, &mut buf);
+        psi[j] = u128::from_le_bytes(buf).rem_euclid(1u128 << 120);
+        psi_scalar[j] = Scalar::from(psi[j]);
     }
     for i in 0..n {
         for j in 0..128 {
             if R1[i] & (1u128 << j) != 0 {
-                R[i] += psi_powers[j];
+                Rplus[i] += psi[j];
             }
             if R2[i] & (1u128 << j) != 0 {
-                R[i] -= psi_powers[j];
+                Rminus[i] += psi[j];
             }
         }
+        Rscalar[i] = Scalar::from(Rplus[i]) - Scalar::from(Rminus[i]);
     }
 
-    Ok((R, psi))
+    Ok((Rscalar, psi_scalar))
 }
 
 // Check that loose_bound = bound*2500*sqrt(v.len()+1) fits within an i128.
@@ -430,7 +439,7 @@ fn generate_range_product(
     transcript: &mut (impl Transcript + Clone),
     challenge_label: &'static [u8],
 ) -> Result<
-    (Vec<Scalar>, RistrettoPoint, Vec<Scalar>, Scalar, Scalar, Vec<Scalar>),
+    (Vec<Scalar>, RistrettoPoint, Vec<Scalar>, Scalar, Vec<Scalar>, Vec<Scalar>),
     status::StatusError,
 > {
     // Check that computing loose bound does not result in an overflow.
@@ -453,7 +462,6 @@ fn generate_range_product(
     let mut z = vec![0 as i128; 128];
     let mut attempts = 0;
     loop {
-        let mut done = true;
         attempts += 1;
         y = (0..128).map(|_| (rng.gen_range(0..possible_y) as i128)).collect();
         for i in 0..128 {
@@ -468,21 +476,9 @@ fn generate_range_product(
         // subtracting the other we get a challenge matrix with the correct distribution.
         R1 = generate_challenge_matrix(transcript, challenge_label, v.len());
         R2 = generate_challenge_matrix(transcript, challenge_label, v.len());
-        let u1 = multiply_by_challenge_matrix(v, &R1)?;
-        let u2 = multiply_by_challenge_matrix(v, &R2)?;
-        for i in 0..128 {
-            let u = u1[i] - u2[i];
-            if u.abs() > half_loose_bound / 128 {
-                done = false;
-                break;
-            }
-            z[i] = u + y[i];
-            if z[i].abs() > half_loose_bound {
-                done = false;
-                break;
-            }
-        }
-        if done {
+        let z_or_error = try_matrices_and_compute_z(v, &R1, &R2, &y, half_loose_bound);
+        if z_or_error.is_ok() {
+            z = z_or_error.unwrap();
             break;
         }
         if attempts > 1000 {
@@ -522,7 +518,7 @@ fn generate_range_product_for_verification_and_verify_z_bound(
     z: &Vec<Scalar>,
     transcript: &mut impl Transcript,
     challenge_label: &'static [u8],
-) -> Result<(Vec<Scalar>, Scalar), status::StatusError> {
+) -> Result<(Vec<Scalar>, Vec<Scalar>), status::StatusError> {
     // Check that computing loose bound does not result in an overflow.
     check_loose_bound_will_not_overflow(bound, n)?;
 
@@ -798,9 +794,9 @@ impl<'a> ZeroKnowledgeProver<RlweRelationProofStatement<'a>, RlweRelationProofWi
             &z_r,
             &z_e,
             &z_vw,
-            psi_r,
-            psi_e,
-            psi_vw,
+            &psi_r,
+            &psi_e,
+            &psi_vw,
             n,
             range_comm_offset,
             samples_required,
@@ -977,9 +973,9 @@ impl<'a> ZeroKnowledgeVerifier<RlweRelationProofStatement<'a>, RlweRelationProof
             &proof.z_r,
             &proof.z_e,
             &proof.z_vw,
-            psi_r,
-            psi_e,
-            psi_vw,
+            &psi_r,
+            &psi_e,
+            &psi_vw,
             n,
             range_comm_offset,
             samples_required,
@@ -1228,16 +1224,44 @@ mod tests {
     }
 
     #[test]
-    fn test_multiply_by_challenge_matrix_basic_case() -> googletest::Result<()> {
-        let v = &[10i128, 20i128];
-        let m = &[(1u128 << 0) | (1u128 << 2), (1u128 << 1) | (1u128 << 2)];
+    fn test_try_matrices_and_compute_z_valid() -> googletest::Result<()> {
+        let v = [1, -2, 3, -4];
+        let R1 = [1, 2, 3, 4];
+        let R2 = [4, 3, 2, 1];
+        let y = [1; 128];
+        let half_loose_bound = 10000;
+        let result = try_matrices_and_compute_z(&v, &R1, &R2, &y, half_loose_bound)?;
+        let mut expected_z = vec![1; 128];
+        expected_z[0] += 10;
+        expected_z[1] += 0;
+        expected_z[2] += -5;
+        verify_eq!(result, expected_z)?;
+        Ok(())
+    }
 
-        let mut expected_result = vec![0i128; 128];
-        expected_result[0] = 10;
-        expected_result[1] = 20;
-        expected_result[2] = 30;
+    #[test]
+    fn test_try_matrices_and_compute_z_mismatched_lengths() -> googletest::Result<()> {
+        let v = [1, -2, 3, -4];
+        let R1 = [1, 2, 3];
+        let R2 = [4, 3, 2, 1];
+        let y = [1; 128];
+        let half_loose_bound = 1000;
+        let result = try_matrices_and_compute_z(&v, &R1, &R2, &y, half_loose_bound);
+        assert!(result.is_err());
+        verify_eq!(result.unwrap_err().message(), "R1, R2, and v must have the same length")?;
+        Ok(())
+    }
 
-        assert_eq!(multiply_by_challenge_matrix(v, m).unwrap(), expected_result);
+    #[test]
+    fn test_try_matrices_and_compute_z_sample_rejected() -> googletest::Result<()> {
+        let v = [1000, -2000, 3000, -4000];
+        let R1 = [1, 2, 3, 4];
+        let R2 = [4, 3, 2, 1];
+        let y = [1; 128];
+        let half_loose_bound = 100000;
+        let result = try_matrices_and_compute_z(&v, &R1, &R2, &y, half_loose_bound);
+        assert!(result.is_err());
+        verify_eq!(result.unwrap_err().message(), "Sample Rejected")?;
         Ok(())
     }
 
@@ -1260,12 +1284,10 @@ mod tests {
         for i in 0..4 {
             public_vec[i] = R[i];
         }
-        let mut psi_pow = Scalar::from(1u128);
         let mut result = Scalar::from(0u128);
         for i in 4..132 {
-            public_vec[i] = psi_pow;
-            result += z[i - 4] * psi_pow;
-            psi_pow *= psi;
+            public_vec[i] = psi[i - 4];
+            result += z[i - 4] * psi[i - 4];
         }
         let mut expected_result = Scalar::from(0u128);
         for j in 0..132 {