Implement scalar multiplication, negation, and subtraction for variables (#48)

Co-authored-by: Michele Orrù <[email protected]>

Author: nategraf

examples/schnorr.rs

@@ -34,14 +34,14 @@ fn create_relation(P: RistrettoPoint) -> LinearRelation<RistrettoPoint> {
 /// generate a proof that P = x * G
 #[allow(non_snake_case)]
 fn prove(x: Scalar, P: RistrettoPoint) -> ProofResult<Vec<u8>> {
-    let nizk = create_relation(P).into_nizk(b"schnorr-proof");
+    let nizk = create_relation(P).into_nizk(b"sigma-rs::examples");
     nizk.prove_batchable(&vec![x], &mut OsRng)
 }
 
 /// Verify a proof of knowledge of discrete logarithm for the given public key P
 #[allow(non_snake_case)]
 fn verify(P: RistrettoPoint, proof: &[u8]) -> ProofResult<()> {
-    let nizk = create_relation(P).into_nizk(b"schnorr-proof");
+    let nizk = create_relation(P).into_nizk(b"sigma-rs::examples");
     nizk.verify_batchable(proof)
 }
 
@@ -61,9 +61,9 @@ fn main() {
             // Verify the proof
             match verify(P, &proof) {
                 Ok(()) => println!("✓ Proof verified successfully!"),
-                Err(e) => println!("✗ Proof verification failed: {:?}", e),
+                Err(e) => println!("✗ Proof verification failed: {e:?}"),
             }
         }
-        Err(e) => println!("✗ Failed to generate proof: {:?}", e),
+        Err(e) => println!("✗ Failed to generate proof: {e:?}"),
     }
 }

examples/simple_composition.rs

@@ -95,9 +95,9 @@ fn main() {
             // Verify the proof
             match verify(P1, P2, Q, H, &proof) {
                 Ok(()) => println!("✓ Proof verified successfully!"),
-                Err(e) => println!("✗ Proof verification failed: {:?}", e),
+                Err(e) => println!("✗ Proof verification failed: {e:?}"),
             }
         }
-        Err(e) => println!("✗ Failed to generate proof: {:?}", e),
+        Err(e) => println!("✗ Failed to generate proof: {e:?}"),
     }
 }

src/codec.rs

@@ -22,7 +22,7 @@ pub trait Codec {
     type Challenge;
 
     /// Generates an empty codec that can be identified by a domain separator.
-    fn new(domain_sep: &[u8]) -> Self;
+    fn new(protocol_identifier: &[u8], session_identifier: &[u8], instance_label: &[u8]) -> Self;
 
     /// Allows for precomputed initialization of the codec with a specific IV.
     fn from_iv(iv: [u8; 32]) -> Self;
@@ -60,10 +60,14 @@ where
 {
     type Challenge = <G as Group>::Scalar;
 
-    fn new(domain_sep: &[u8]) -> Self {
+    fn new(protocol_id: &[u8], session_id: &[u8], instance_label: &[u8]) -> Self {
         let iv = {
             let mut tmp = H::new([0u8; 32]);
-            tmp.absorb(domain_sep);
+            tmp.absorb(protocol_id);
+            tmp.ratchet();
+            tmp.absorb(session_id);
+            tmp.ratchet();
+            tmp.absorb(instance_label);
             tmp.squeeze(32).try_into().unwrap()
         };
 

src/composition.rs

@@ -10,6 +10,8 @@
 
 use ff::{Field, PrimeField};
 use group::{Group, GroupEncoding};
+use sha3::Digest;
+use sha3::Sha3_256;
 
 use crate::{
     errors::Error,
@@ -273,6 +275,57 @@ impl<G: Group + GroupEncoding> SigmaProtocol for Protocol<G> {
         serialize_scalars::<G>(&[*challenge])
     }
 
+    fn instance_label(&self) -> impl AsRef<[u8]> {
+        match self {
+            Protocol::Simple(p) => {
+                let label = p.instance_label();
+                label.as_ref().to_vec()
+            }
+            Protocol::And(ps) => {
+                let mut bytes = Vec::new();
+                for p in ps {
+                    bytes.extend(p.instance_label().as_ref());
+                }
+                bytes
+            }
+            Protocol::Or(ps) => {
+                let mut bytes = Vec::new();
+                for p in ps {
+                    bytes.extend(p.instance_label().as_ref());
+                }
+                bytes
+            }
+        }
+    }
+
+    fn protocol_identifier(&self) -> impl AsRef<[u8]> {
+        let mut hasher = Sha3_256::new();
+
+        match self {
+            Protocol::Simple(p) => {
+                // take the digest of the simple protocol id
+                hasher.update([0u8; 32]);
+                hasher.update(p.protocol_identifier());
+            }
+            Protocol::And(protocols) => {
+                let mut hasher = Sha3_256::new();
+                hasher.update([1u8; 32]);
+                for p in protocols {
+                    hasher.update(p.protocol_identifier());
+                }
+            }
+            Protocol::Or(protocols) => {
+                let mut hasher = Sha3_256::new();
+                hasher.update([2u8; 32]);
+                for p in protocols {
+                    hasher.update(p.protocol_identifier());
+                }
+            }
+        }
+
+        hasher.finalize()
+    }
+
     fn serialize_response(&self, response: &Self::Response) -> Vec<u8> {
         match (self, response) {
             (Protocol::Simple(p), ProtocolResponse::Simple(r)) => p.serialize_response(r),

src/duplex_sponge/keccak.rs

@@ -96,6 +96,12 @@ impl DuplexSpongeInterface for KeccakDuplexSponge {
         }
         output
     }
+
+    fn ratchet(&mut self) {
+        self.state.permute();
+        self.absorb_index = 0;
+        self.squeeze_index = RATE;
+    }
 }
 
 #[cfg(test)]

src/duplex_sponge/mod.rs

@@ -23,4 +23,6 @@ pub trait DuplexSpongeInterface {
 
     /// Squeezes output data from the sponge state.
     fn squeeze(&mut self, length: usize) -> Vec<u8>;
+
+    fn ratchet(&mut self);
 }

src/duplex_sponge/shake.rs

@@ -4,7 +4,7 @@
 
 use crate::duplex_sponge::DuplexSpongeInterface;
 use sha3::{
-    digest::{ExtendableOutput, Update},
+    digest::{ExtendableOutput, Reset, Update},
     Shake128,
 };
 
@@ -28,4 +28,11 @@ impl DuplexSpongeInterface for ShakeDuplexSponge {
         self.0.clone().finalize_xof_into(&mut output);
         output
     }
+
+    fn ratchet(&mut self) {
+        let mut output = [0u8; 32];
+        self.0.clone().finalize_xof_into(&mut output);
+        self.0.reset();
+        self.0.update(&output);
+    }
 }

src/fiat_shamir.rs

@@ -62,11 +62,15 @@ where
     ///
     /// # Returns
     /// A new [`NISigmaProtocol`] that can generate and verify non-interactive proofs.
-    pub fn new(iv: &[u8], instance: P) -> Self {
-        let hash_state = C::new(iv);
+    pub fn new(session_identifier: &[u8], interactive_proof: P) -> Self {
+        let hash_state = C::new(
+            interactive_proof.protocol_identifier().as_ref(),
+            session_identifier,
+            interactive_proof.instance_label().as_ref(),
+        );
         Self {
             hash_state,
-            ip: instance,
+            ip: interactive_proof,
         }
     }