move validation criterias for relation in CanonicalLinearRelation

Author: mmaker

src/composition.rs

@@ -60,7 +60,10 @@ where
     G: PrimeGroup,
 {
     fn from(value: LinearRelation<G>) -> Self {
-        Self::from(SchnorrProof::from(value))
+        Self::Simple(
+            SchnorrProof::try_from(value)
+                .expect("Failed to convert LinearRelation to SchnorrProof"),
+        )
     }
 }
 

src/linear_relation/mod.rs

@@ -435,7 +435,7 @@ impl<G: PrimeGroup> CanonicalLinearRelation<G> {
         Ok(())
     }
 
-    /// Serialize the canonical linear relation to bytes.
+    /// Serialize the linear relation to bytes.
     ///
     /// The output format is:
     /// - [Ne: u32] number of equations
@@ -444,7 +444,7 @@ impl<G: PrimeGroup> CanonicalLinearRelation<G> {
     ///   - [Nt: u32] number of terms
     ///   - Nt × [scalar_index: u32, group_index: u32] term entries
     /// - Followed by all group elements in serialized form
-    pub fn label(&self) -> Result<Vec<u8>, Error> {
+    pub fn label(&self) -> Vec<u8> {
         let mut out = Vec::new();
 
         // Replicate the original LinearRelationReprBuilder ordering behavior
@@ -473,7 +473,10 @@ impl<G: PrimeGroup> CanonicalLinearRelation<G> {
             // Build the RHS terms
             let mut rhs_terms = Vec::new();
             for (scalar_var, group_var) in constraint_terms {
-                let group_elem = self.group_elements.get(*group_var)?;
+                let group_elem = self
+                    .group_elements
+                    .get(*group_var)
+                    .expect("Group element not found");
                 let group_index = repr_index(group_elem.to_bytes());
                 rhs_terms.push((scalar_var.0 as u32, group_index));
             }
@@ -505,19 +508,32 @@ impl<G: PrimeGroup> CanonicalLinearRelation<G> {
             out.extend_from_slice(elem_repr.as_ref());
         }
 
-        Ok(out)
+        out
     }
 }
 
-impl<G: PrimeGroup> TryFrom<LinearRelation<G>> for CanonicalLinearRelation<G> {
+impl<G: PrimeGroup> TryFrom<&LinearRelation<G>> for CanonicalLinearRelation<G> {
     type Error = Error;
 
-    fn try_from(relation: LinearRelation<G>) -> Result<Self, Self::Error> {
-        assert_eq!(
-            relation.image.len(),
-            relation.linear_map.linear_combinations.len(),
-            "Number of equations and image variables must match"
-        );
+    fn try_from(relation: &LinearRelation<G>) -> Result<Self, Self::Error> {
+        // Number of equations and image variables must match
+        if relation.image.len() != relation.linear_map.linear_combinations.len() {
+            return Err(Error::InvalidInstanceWitnessPair);
+        }
+
+        // If the image is the identity, then the relation must be trivial, or else the proof will be unsound
+        if !relation.image().is_ok_and(|img| img.iter().all(|&x| x != G::identity())) {
+            return Err(Error::InvalidInstanceWitnessPair);
+        }
+
+        // Empty relations (without constraints) cannot be proven
+        if relation.linear_map.linear_combinations.is_empty() {
+            return Err(Error::InvalidInstanceWitnessPair);
+        }
+
+        if relation.linear_map.linear_combinations.iter().any(|lc| lc.0.is_empty()) {
+            return Err(Error::InvalidInstanceWitnessPair);
+        }
 
         let mut canonical = CanonicalLinearRelation::new();
         canonical.num_scalars = relation.linear_map.num_scalars;
@@ -532,7 +548,7 @@ impl<G: PrimeGroup> TryFrom<LinearRelation<G>> for CanonicalLinearRelation<G> {
             canonical.process_constraint(
                 *image_var,
                 equation,
-                &relation,
+                relation,
                 &mut weighted_group_cache,
             )?;
         }
@@ -709,20 +725,6 @@ impl<G: PrimeGroup> LinearRelation<G> {
             .collect()
     }
 
-    /// Returns a binary label describing the linear map.
-    ///
-    /// The format is:
-    /// - [Ne: u32] number of equations
-    /// - For each equation:
-    ///   - [output_point_index: u32]
-    ///   - [Nt: u32] number of terms
-    ///   - Nt × [scalar_index: u32, point_index: u32] term entries
-    pub fn label(&self) -> Vec<u8> {
-        // XXX. We should return an error if the group elements are not assigned, instead of panicking.
-        let canonical: CanonicalLinearRelation<G> = self.clone().try_into().unwrap();
-        canonical.label().unwrap()
-    }
-
     /// Convert this LinearRelation into a non-interactive zero-knowledge protocol
     /// using the ShakeCodec and a specified context/domain separator.
     ///
@@ -758,7 +760,8 @@ impl<G: PrimeGroup> LinearRelation<G> {
         self,
         session_identifier: &[u8],
     ) -> Nizk<SchnorrProof<G>, Shake128DuplexSponge<G>> {
-        let schnorr = SchnorrProof::from(self);
+        let schnorr =
+            SchnorrProof::try_from(self).expect("Failed to convert LinearRelation to SchnorrProof");
         Nizk::new(session_identifier, schnorr)
     }
 }

src/schnorr_protocol.rs

@@ -54,13 +54,12 @@ impl<G: PrimeGroup> SchnorrProof<G> {
     }
 }
 
-impl<G: PrimeGroup> From<LinearRelation<G>> for SchnorrProof<G> {
-    fn from(value: LinearRelation<G>) -> Self {
-        Self(
-            value
-                .try_into()
-                .expect("Failed to convert LinearRelation to CanonicalLinearRelation"),
-        )
+impl<G: PrimeGroup> TryFrom<LinearRelation<G>> for SchnorrProof<G> {
+    type Error = Error;
+
+    fn try_from(linear_relation: LinearRelation<G>) -> Result<Self, Self::Error> {
+        let canonical_linear_relation = (&linear_relation).try_into()?;
+        Ok(Self(canonical_linear_relation))
     }
 }
 
@@ -108,9 +107,9 @@ where
             return Err(Error::InvalidInstanceWitnessPair);
         }
 
-        let nonces: Vec<G::Scalar> = (0..self.witness_length())
+        let nonces = (0..self.witness_length())
             .map(|_| G::Scalar::random(&mut *rng))
-            .collect();
+            .collect::<Vec<_>>();
         let commitment = self.evaluate(&nonces)?;
         let prover_state = (nonces, witness.clone());
         Ok((commitment, prover_state))
@@ -280,7 +279,7 @@ where
     }
 
     fn instance_label(&self) -> impl AsRef<[u8]> {
-        self.0.label().unwrap_or_default()
+        self.0.label()
     }
 
     fn protocol_identifier(&self) -> impl AsRef<[u8]> {

src/tests/composition.rs

@@ -1,5 +1,4 @@
 use curve25519_dalek::ristretto::RistrettoPoint;
-use group::Group;
 use rand::rngs::OsRng;
 
 use super::test_utils::{
@@ -26,55 +25,25 @@ fn composition_proof_correct() {
     let domain_sep = b"hello world";
 
     // definitions of the underlying protocols
-    let (relation1, witness1) = dleq(
-        G::random(&mut OsRng),
-        <G as Group>::Scalar::random(&mut OsRng),
-    );
-    let (relation2, _) = pedersen_commitment(
-        G::random(&mut OsRng),
-        <G as Group>::Scalar::random(&mut OsRng),
-        <G as Group>::Scalar::random(&mut OsRng),
-    );
-    let (relation3, witness3) = discrete_logarithm(<G as Group>::Scalar::random(&mut OsRng));
-    let (relation4, witness4) = pedersen_commitment_dleq(
-        (0..4)
-            .map(|_| G::random(&mut OsRng))
-            .collect::<Vec<_>>()
-            .try_into()
-            .unwrap(),
-        (0..2)
-            .map(|_| <G as Group>::Scalar::random(&mut OsRng))
-            .collect::<Vec<_>>()
-            .try_into()
-            .unwrap(),
-    );
-    let (relation5, witness5) = bbs_blind_commitment_computation(
-        (0..4)
-            .map(|_| G::random(&mut OsRng))
-            .collect::<Vec<_>>()
-            .try_into()
-            .unwrap(),
-        (0..3)
-            .map(|_| <G as Group>::Scalar::random(&mut OsRng))
-            .collect::<Vec<_>>()
-            .try_into()
-            .unwrap(),
-        <G as Group>::Scalar::random(&mut OsRng),
-    );
+    let (relation1, witness1) = dleq::<G>();
+    let (relation2, _) = pedersen_commitment::<G>();
+    let (relation3, witness3) = discrete_logarithm::<G>();
+    let (relation4, witness4) = pedersen_commitment_dleq::<G>();
+    let (relation5, witness5) = bbs_blind_commitment_computation::<G>();
 
     // second layer protocol definitions
     let or_protocol1 = Protocol::Or(vec![
-        Protocol::Simple(SchnorrProof::from(relation1)),
-        Protocol::Simple(SchnorrProof::from(relation2)),
+        Protocol::Simple(SchnorrProof(relation1)),
+        Protocol::Simple(SchnorrProof(relation2)),
     ]);
     let or_witness1 = ProtocolWitness::Or(0, vec![ProtocolWitness::Simple(witness1)]);
 
-    let simple_protocol1 = Protocol::from(relation3);
+    let simple_protocol1 = Protocol::Simple(SchnorrProof(relation3));
     let simple_witness1 = ProtocolWitness::Simple(witness3);
 
     let and_protocol1 = Protocol::And(vec![
-        Protocol::Simple(SchnorrProof::from(relation4)),
-        Protocol::Simple(SchnorrProof::from(relation5)),
+        Protocol::Simple(SchnorrProof(relation4)),
+        Protocol::Simple(SchnorrProof(relation5)),
     ]);
     let and_witness1 = ProtocolWitness::And(vec![
         ProtocolWitness::Simple(witness4),
@@ -91,10 +60,6 @@ fn composition_proof_correct() {
     let proof_batchable_bytes = nizk.prove_batchable(&witness, &mut OsRng).unwrap();
     let proof_compact_bytes = nizk.prove_compact(&witness, &mut OsRng).unwrap();
     // Verify proofs
-    let verified_batchable = nizk.verify_batchable(&proof_batchable_bytes).is_ok();
-    let verified_compact = nizk.verify_compact(&proof_compact_bytes).is_ok();
-    assert!(
-        verified_batchable & verified_compact,
-        "Fiat-Shamir Schnorr proof verification failed"
-    );
+    assert!(nizk.verify_batchable(&proof_batchable_bytes).is_ok());
+    assert!(nizk.verify_compact(&proof_compact_bytes).is_ok());
 }

src/tests/mod.rs

@@ -2,3 +2,4 @@ mod composition;
 mod relations;
 mod spec;
 pub mod test_utils;
+mod test_validation_criterias;