Create ZK prover / verifier at ShellVahe construction and re-use it across operations

schoppmp · copybara-github · commit 934750ca0423 · 2026-01-23T09:10:06.000-08:00
PiperOrigin-RevId: 859700359
diff --git a/willow/src/shell/vahe.rs b/willow/src/shell/vahe.rs
@@ -19,7 +19,7 @@ use merlin::Transcript as MerlinTranscript;
 use proofs_rust_proto::{RlweRelationProofListProto, RlweRelationProofProto};
 use proto_serialization_traits::{FromProto, ToProto};
 use protobuf::{proto, AsView};
-use rlwe_relation::{RlweRelationProof, RlweRelationProver, RlweRelationVerifier};
+use rlwe_relation::{RlweRelationProof, RlweRelationProverVerifier};
 use rlwe_relation_serialization::{rlwe_relation_proof_from_proto, rlwe_relation_proof_to_proto};
 use single_thread_hkdf::{compute_hkdf, Seed};
 use status::Status;
@@ -100,22 +100,22 @@ pub struct ShellVahe {
     ahe: ShellAhe,
     q: u128,
     public_seed: Seed,
+    rlwe_zk: RlweRelationProverVerifier,
 }
 
 impl ShellVahe {
-    fn get_transcript_and_proof_seed(
+    fn transcript_seed(&self) -> &[u8] {
+        &self.public_seed.as_bytes()
+            [single_thread_hkdf::seed_length()..2 * single_thread_hkdf::seed_length()]
+    }
+
+    fn transcript(
         &self,
         operation_name: &'static [u8],
-    ) -> Result<(MerlinTranscript, Seed), status::StatusError> {
-        let proof_seed = compute_hkdf(
-            self.public_seed.as_bytes(),
-            b"",
-            &[operation_name, b"_proof_seed"].concat(),
-            16,
-        )?;
+    ) -> Result<MerlinTranscript, status::StatusError> {
         let mut transcript = MerlinTranscript::new(operation_name);
-        transcript.append_message(b"public_seed:", self.public_seed.as_bytes());
-        Ok((transcript, proof_seed))
+        transcript.append_message(b"transcript_seed:", self.transcript_seed());
+        Ok(transcript)
     }
 }
 
@@ -155,14 +155,18 @@ impl AheBase for ShellVahe {
             context_string,
             b"",
             b"ShellVahe.public_seed",
-            single_thread_hkdf::seed_length(),
+            2 * single_thread_hkdf::seed_length(), // Separate seeds for transcripts and proofs.
         )?;
         let mut q = 1;
         for modulus in &config.qs {
             q *= *modulus as u128;
         }
         let ahe = ShellAhe::new(config, context_string)?;
-        Ok(ShellVahe { ahe: ahe, q: q, public_seed: public_seed })
+        let rlwe_zk = RlweRelationProverVerifier::new(
+            &public_seed.as_bytes()[..single_thread_hkdf::seed_length()],
+            ahe.num_coeffs(),
+        );
+        Ok(ShellVahe { ahe: ahe, q: q, public_seed: public_seed, rlwe_zk: rlwe_zk })
     }
 
     fn aggregate_public_key_shares<'a>(
@@ -253,9 +257,8 @@ impl VerifiableKeyGen for ShellVahe {
         let rlwe_witness =
             RlweRelationProofWitness { r: &sk_share.0, e: &pk_share_error.0, v: &pk_wraparound };
 
-        let (mut transcript, proof_seed) = self.get_transcript_and_proof_seed(b"key_gen")?;
-        let prover = RlweRelationProver::new(proof_seed.as_bytes(), self.ahe.num_coeffs());
-        let key_gen_proof = prover.prove(&rlwe_statement, &rlwe_witness, &mut transcript)?;
+        let mut transcript = self.transcript(b"key_gen")?;
+        let key_gen_proof = self.rlwe_zk.prove(&rlwe_statement, &rlwe_witness, &mut transcript)?;
         Ok((sk_share, pk_share_b, ShellKeyGenProof(key_gen_proof)))
     }
 }
@@ -273,9 +276,8 @@ impl KeyGenVerify for ShellVahe {
             bound_e: 16,
         };
 
-        let (mut transcript, proof_seed) = self.get_transcript_and_proof_seed(b"key_gen")?;
-        let verifier = RlweRelationVerifier::new(proof_seed.as_bytes(), self.ahe.num_coeffs());
-        verifier.verify(&statement, &proof.0, &mut transcript)
+        let mut transcript = self.transcript(b"key_gen")?;
+        self.rlwe_zk.verify(&statement, &proof.0, &mut transcript)
     }
 }
 
@@ -298,9 +300,8 @@ impl VerifiableEncrypt for ShellVahe {
             return Err(status::internal("Ciphertexts from encryption library are malformed."));
         }
 
-        let (mut transcript, proof_seed) = self.get_transcript_and_proof_seed(b"encryption")?;
+        let mut transcript = self.transcript(b"encryption")?;
         transcript.append_message(b"nonce:", nonce);
-        let prover = RlweRelationProver::new(proof_seed.as_bytes(), self.ahe.num_coeffs());
         let mut proof = vec![];
         for i in 0..num_polynomials {
             let rlwe_statement = RlweRelationProofStatement {
@@ -318,7 +319,7 @@ impl VerifiableEncrypt for ShellVahe {
                 e: &metadata.error_e[i],
                 v: &wraparounds[i],
             };
-            proof.push(prover.prove(&rlwe_statement, &rlwe_witness, &mut transcript)?);
+            proof.push(self.rlwe_zk.prove(&rlwe_statement, &rlwe_witness, &mut transcript)?);
         }
         Ok((ciphertext, ShellEncryptionProof(proof)))
     }
@@ -338,9 +339,8 @@ impl EncryptVerify for ShellVahe {
             ));
         }
 
-        let (mut transcript, proof_seed) = self.get_transcript_and_proof_seed(b"encryption")?;
+        let mut transcript = self.transcript(b"encryption")?;
         transcript.append_message(b"nonce:", nonce);
-        let verifier = RlweRelationVerifier::new(proof_seed.as_bytes(), self.ahe.num_coeffs());
         for i in 0..num_polynomials {
             let statement = RlweRelationProofStatement {
                 n: self.ahe.num_coeffs(),
@@ -352,7 +352,7 @@ impl EncryptVerify for ShellVahe {
                 bound_r: 1,
                 bound_e: 16,
             };
-            verifier.verify(&statement, &proof.0[i], &mut transcript)?;
+            self.rlwe_zk.verify(&statement, &proof.0[i], &mut transcript)?;
         }
         Ok(())
     }
@@ -375,9 +375,7 @@ impl VerifiablePartialDec for ShellVahe {
             ));
         }
 
-        let (mut transcript, proof_seed) =
-            self.get_transcript_and_proof_seed(b"partial_decryption")?;
-        let prover = RlweRelationProver::new(proof_seed.as_bytes(), self.ahe.num_coeffs());
+        let mut transcript = self.transcript(b"partial_decryption")?;
         let mut proof = vec![];
         for i in 0..num_polynomials {
             let rlwe_statement = RlweRelationProofStatement {
@@ -392,7 +390,7 @@ impl VerifiablePartialDec for ShellVahe {
             };
             let rlwe_witness =
                 RlweRelationProofWitness { r: &sk.0, e: &errors[i], v: &wraparounds[i] };
-            proof.push(prover.prove(&rlwe_statement, &rlwe_witness, &mut transcript)?);
+            proof.push(self.rlwe_zk.prove(&rlwe_statement, &rlwe_witness, &mut transcript)?);
         }
         Ok((pd, ShellPartialDecProof(proof)))
     }
@@ -412,9 +410,7 @@ impl PartialDecVerify for ShellVahe {
             ));
         }
 
-        let (mut transcript, proof_seed) =
-            self.get_transcript_and_proof_seed(b"partial_decryption")?;
-        let verifier = RlweRelationVerifier::new(proof_seed.as_bytes(), self.ahe.num_coeffs());
+        let mut transcript = self.transcript(b"partial_decryption")?;
         for i in 0..num_polynomials {
             let statement = RlweRelationProofStatement {
                 n: self.ahe.num_coeffs(),
@@ -426,7 +422,7 @@ impl PartialDecVerify for ShellVahe {
                 bound_r: 1,
                 bound_e: self.ahe.flood_bound()?,
             };
-            verifier.verify(&statement, &proof.0[i], &mut transcript)?;
+            self.rlwe_zk.verify(&statement, &proof.0[i], &mut transcript)?;
         }
         Ok(())
     }
diff --git a/willow/src/zk/linear_ip.rs b/willow/src/zk/linear_ip.rs
@@ -47,7 +47,7 @@ pub fn inner_product(a: &[Scalar], b: &[Scalar]) -> Scalar {
     out
 }
 
-fn common_setup(length: usize, parameter_seed: &[u8]) -> LinearInnerProductParameters {
+fn generate_params(length: usize, parameter_seed: &[u8]) -> LinearInnerProductParameters {
     use sha3::Sha3_512;
     LinearInnerProductParameters {
         n: length,
@@ -88,13 +88,13 @@ fn validate_and_append_point(
     }
 }
 
-pub struct LinearInnerProductProver {
+pub struct LinearInnerProductProverVerifier {
     pub params: LinearInnerProductParameters,
 }
 
-impl LinearInnerProductProver {
+impl LinearInnerProductProverVerifier {
     pub fn new(parameter_seed: &[u8], length: usize) -> Self {
-        let params = common_setup(length, parameter_seed);
+        let params = generate_params(length, parameter_seed);
         Self { params }
     }
 
@@ -145,7 +145,7 @@ impl
     ZeroKnowledgeProver<
         LinearInnerProductProofStatement<Scalar>,
         LinearInnerProductProofWitness<Scalar>,
-    > for LinearInnerProductProver
+    > for LinearInnerProductProverVerifier
 {
     type Proof = LinearInnerProductProof;
 
@@ -214,19 +214,8 @@ impl
     }
 }
 
-pub struct LinearInnerProductVerifier {
-    pub params: LinearInnerProductParameters,
-}
-
-impl LinearInnerProductVerifier {
-    pub fn new(parameter_seed: &[u8], length: usize) -> Self {
-        let params = common_setup(length, parameter_seed);
-        Self { params }
-    }
-}
-
 impl ZeroKnowledgeVerifier<LinearInnerProductProofStatement<Scalar>, LinearInnerProductProof>
-    for LinearInnerProductVerifier
+    for LinearInnerProductProverVerifier
 {
     fn verify(
         &self,
@@ -309,14 +298,14 @@ mod tests {
         let a: Vec<Scalar> = (1..5).map(|x| Scalar::from(x as u64)).collect();
         let mut rng = rand::thread_rng();
 
-        let prover = LinearInnerProductProver::new(b"42", a.len());
+        let prover = LinearInnerProductProverVerifier::new(b"42", a.len());
         let delta_a = Scalar::random(&mut rng);
         let comm_a = prover.commit(&a, delta_a)?;
         let b: Vec<Scalar> = (5..9).map(|x| Scalar::from(x as u64)).collect();
         let c: Scalar = Scalar::from(5 + 12 + 21 + 32 as u64);
         let mut transcript = MerlinTranscript::new(b"linear_ip_zkp_test");
 
-        let verifier = LinearInnerProductVerifier::new(b"42", a.len());
+        let verifier = LinearInnerProductProverVerifier::new(b"42", a.len());
         verify_eq!(prover.params.F, verifier.params.F)?;
         verify_eq!(prover.params.F_, verifier.params.F_)?;
         verify_eq!(prover.params.G, verifier.params.G)?;
@@ -339,15 +328,15 @@ mod tests {
         let r: Vec<_> = (0..a.len()).map(|_| Scalar::random(&mut rng)).collect();
         let mut transcript = MerlinTranscript::new(b"linear_ip_zkp_test");
 
-        let prover = LinearInnerProductProver::new(b"42", a.len());
+        let prover = LinearInnerProductProverVerifier::new(b"42", a.len());
         let delta_a = Scalar::random(&mut rng);
         let comm_a = prover.commit(&a, delta_a)?;
         let delta_r = Scalar::random(&mut rng);
         let comm_r = prover.commit(&r, delta_r)?;
         let b: Vec<Scalar> = (5..9).map(|x| Scalar::from(x as u64)).collect();
         let c: Scalar = Scalar::from(5 + 12 + 21 + 32 + 1 as u64);
 
-        let verifier = LinearInnerProductVerifier::new(b"42", a.len());
+        let verifier = LinearInnerProductProverVerifier::new(b"42", a.len());
         let statement = LinearInnerProductProofStatement { n: a.len(), b: b, c: c, comm_a: comm_a };
         let proof = prover.prove(
             &statement,
diff --git a/willow/src/zk/linear_ip_serialization.rs b/willow/src/zk/linear_ip_serialization.rs
@@ -67,7 +67,7 @@ mod tests {
     use super::*;
     use curve25519_dalek::scalar::Scalar;
     use googletest::gtest;
-    use linear_innerproduct::{LinearInnerProductProver, LinearInnerProductVerifier};
+    use linear_innerproduct::LinearInnerProductProverVerifier;
     use merlin::Transcript as MerlinTranscript;
     use rand;
     use zk_traits::{
@@ -80,14 +80,14 @@ mod tests {
         let a: Vec<Scalar> = (1..5).map(|x| Scalar::from(x as u64)).collect();
         let mut rng = rand::thread_rng();
 
-        let prover = LinearInnerProductProver::new(b"42", a.len());
+        let prover = LinearInnerProductProverVerifier::new(b"42", a.len());
         let delta_a = Scalar::random(&mut rng);
         let comm_a = prover.commit(&a, delta_a)?;
         let b: Vec<Scalar> = (5..9).map(|x| Scalar::from(x as u64)).collect();
         let c: Scalar = Scalar::from(5 + 12 + 21 + 32 as u64);
         let mut transcript = MerlinTranscript::new(b"linear_ip_zkp_test");
 
-        let verifier = LinearInnerProductVerifier::new(b"42", a.len());
+        let verifier = LinearInnerProductProverVerifier::new(b"42", a.len());
         let statement = LinearInnerProductProofStatement { n: a.len(), b: b, c: c, comm_a: comm_a };
         let proof = prover.prove(
             &statement,
diff --git a/willow/src/zk/quadratic_ip.rs b/willow/src/zk/quadratic_ip.rs
@@ -91,11 +91,12 @@ fn validate_and_append_point(
     }
 }
 
-pub struct QuadraticInnerProductProver {
+/// A single object that can both prove and verify quadratic inner product arguments.
+pub struct QuadraticInnerProductProverVerifier {
     pub params: QuadraticInnerProductParameters,
 }
 
-impl QuadraticInnerProductProver {
+impl QuadraticInnerProductProverVerifier {
     fn new(parameter_seed: &[u8], length: usize) -> Self {
         let params = generate_params(length, parameter_seed);
         Self { params }
@@ -135,7 +136,7 @@ impl
     ZeroKnowledgeProver<
         QuadraticInnerProductProofStatement,
         QuadraticInnerProductProofWitness<Scalar>,
-    > for QuadraticInnerProductProver
+    > for QuadraticInnerProductProverVerifier
 {
     type Proof = QuadraticInnerProductProof;
 
@@ -201,19 +202,8 @@ impl
     }
 }
 
-pub struct QuadraticInnerProductVerifier {
-    pub params: QuadraticInnerProductParameters,
-}
-
-impl QuadraticInnerProductVerifier {
-    fn new(parameter_seed: &[u8], length: usize) -> Self {
-        let params = generate_params(length, parameter_seed);
-        Self { params }
-    }
-}
-
 impl ZeroKnowledgeVerifier<QuadraticInnerProductProofStatement, QuadraticInnerProductProof>
-    for QuadraticInnerProductVerifier
+    for QuadraticInnerProductProverVerifier
 {
     fn verify(
         &self,
@@ -296,8 +286,8 @@ mod tests {
         let mut c: Scalar = Scalar::from(5 + 12 + 21 + 32 as u64);
         c += Scalar::from(142398865683096878195835365925000457236 as u128);
 
-        let prover = QuadraticInnerProductProver::new(b"42", a.len());
-        let verifier = QuadraticInnerProductVerifier::new(b"42", a.len());
+        let prover = QuadraticInnerProductProverVerifier::new(b"42", a.len());
+        let verifier = QuadraticInnerProductProverVerifier::new(b"42", a.len());
 
         let delta: Scalar = Scalar::from(42 as u64);
         let C = prover.commit(&a, &b, c, delta)?;
@@ -325,8 +315,8 @@ mod tests {
         let mut c: Scalar = Scalar::from(5 + 12 + 21 + 32 + 1 as u64);
         c += Scalar::from(142398865683096878195835365925000457236 as u128);
 
-        let prover = QuadraticInnerProductProver::new(b"42", a.len());
-        let verifier = QuadraticInnerProductVerifier::new(b"42", a.len());
+        let prover = QuadraticInnerProductProverVerifier::new(b"42", a.len());
+        let verifier = QuadraticInnerProductProverVerifier::new(b"42", a.len());
 
         let delta: Scalar = Scalar::from(42 as u64);
         let C = prover.commit(&a, &b, c, delta)?;
diff --git a/willow/src/zk/rlwe_relation.rs b/willow/src/zk/rlwe_relation.rs
diff --git a/willow/src/zk/rlwe_relation_serialization.rs b/willow/src/zk/rlwe_relation_serialization.rs
