Creation of KeccakTranscript, which is completely separate from ShakeTranscript, both of which implement TranscriptCodec and are therefore usable in NISigmaProtocol.

nougzarm · nougzarm · commit 09113454f886 · 2025-05-06T16:00:31.000+02:00
- KeccakTranscript aims to approximate the test vectors of the Sage implementation.
diff --git a/Cargo.toml b/Cargo.toml
@@ -38,6 +38,7 @@ sha2 = "0.10"
 subtle = "2.6.1"
 num-bigint = "0.4.6"
 num-traits = "0.2.19"
+tiny-keccak = { version = "2.0.2", features = ["keccak"] }
 
 [dev-dependencies]
 bincode = "1"
diff --git a/src/toolbox/sigma/sage_test/BLS12_381.rs b/src/toolbox/sigma/sage_test/BLS12_381.rs
@@ -1,7 +1,7 @@
-use crate::toolbox::sigma::sage_test::{SInput, SRandom};
+use crate::toolbox::sigma::{sage_test::{SInput, SRandom}, transcript::keccak_transcript::Modulable};
 use group::Group;
 use ff::PrimeField;
-use bls12_381::G1Projective;
+use bls12_381::{G1Projective, Scalar};
 use rand::{Rng, CryptoRng};
 use subtle::CtOption;
 use num_bigint::BigUint;
@@ -64,4 +64,10 @@ impl SRandom for G1Projective {
         }
         G1Projective::scalar_from_hex_be(&hex_string).unwrap()
     }
+}
+
+impl Modulable for Scalar {
+    fn cardinal() -> BigUint {
+        BigUint::parse_bytes(b"111001111101101101001110101001100101001100111010111110101001000001100110011100111011000000010000000100110100001110110000000010101010011101111011010010000000010111111111111111001011011111111101111111111111111111111111111111100000000000000000000000000000001", 2).unwrap()
+    }
 }
diff --git a/src/toolbox/sigma/transcript/keccak_transcript.rs b/src/toolbox/sigma/transcript/keccak_transcript.rs
@@ -0,0 +1,198 @@
+use tiny_keccak::keccakf;
+use std::convert::TryInto;
+use group::{Group, GroupEncoding};
+use ff::PrimeField;
+use crate::toolbox::sigma::transcript::r#trait::{TranscriptCodec, DuplexSpongeInterface};
+use crate::toolbox::sigma::GroupSerialisation;
+use num_bigint::BigUint;
+
+const R: usize = 136;
+const N: usize = 136 + 64;
+
+pub struct KeccakPermutationState {
+    pub state: [u8; 200],
+    pub rate: usize,
+    pub capacity: usize,
+}
+
+impl KeccakPermutationState {
+    pub fn new() -> Self {
+        KeccakPermutationState {
+            state: [0u8; 200],
+            rate: 136,
+            capacity: 64,
+        }
+    }
+
+    fn _bytes_to_keccak_state(&self) -> [[u64; 5]; 5] {
+        let mut flat: [u64; 25] = [0u64; 25];
+        for i in 0..25 {
+            let start = i * 8;
+            flat[i] = u64::from_le_bytes(self.state[start..start + 8].try_into().unwrap());
+        }
+        let mut matrix = [[0u64; 5]; 5];
+        for y in 0..5 {
+            for x in 0..5 {
+                matrix[x][y] = flat[5 * y + x];
+            }
+        }
+        matrix
+    }
+
+    fn _keccak_state_to_bytes(&mut self, state: [[u64; 5]; 5]) {
+        let mut flat: [u64; 25] = [0; 25];
+        for y in 0..5 {
+            for x in 0..5 {
+                flat[5 * y + x] = state[x][y];
+            }
+        }
+        for i in 0..25 {
+            let bytes = flat[i].to_le_bytes();
+            let start = i * 8;
+            self.state[start..start + 8].copy_from_slice(&bytes);
+        }
+    }
+
+    fn bytes_to_flat_state(&self) -> [u64; 25] {
+        let mut flat = [0u64; 25];
+        for i in 0..25 {
+            let start = i * 8;
+            flat[i] = u64::from_le_bytes(self.state[start..start + 8].try_into().unwrap());
+        }
+        flat
+    }
+
+    fn flat_state_to_bytes(&mut self, flat: [u64; 25]) {
+        for i in 0..25 {
+            let bytes = flat[i].to_le_bytes();
+            let start = i * 8;
+            self.state[start..start + 8].copy_from_slice(&bytes);
+        }
+    }
+
+    pub fn permute(&mut self) {
+        let mut flat = self.bytes_to_flat_state();
+        keccakf(&mut flat);
+        self.flat_state_to_bytes(flat);
+    }
+}
+
+pub struct KeccakDuplexSponge {
+    pub state: KeccakPermutationState,
+    pub rate: usize,
+    pub capacity: usize,
+    absorb_index: usize,
+    squeeze_index: usize,
+}
+
+impl KeccakDuplexSponge {
+    pub fn new(iv: &[u8]) -> Self {
+        assert_eq!(iv.len(), 32);
+        let state = KeccakPermutationState::new();
+        let rate = R;
+        let capacity = N - R;
+        KeccakDuplexSponge {
+            state,
+            rate,
+            capacity,
+            absorb_index: 0,
+            squeeze_index: 0,
+        }
+    }
+}
+
+impl DuplexSpongeInterface for KeccakDuplexSponge {
+    fn new(iv: &[u8]) -> Self {
+        KeccakDuplexSponge::new(iv)
+    }
+
+    fn absorb(&mut self, mut input: &[u8]) {
+        self.squeeze_index = self.rate;
+
+        while !input.is_empty() {
+            if self.absorb_index == self.rate {
+                self.state.permute();
+                self.absorb_index = 0;
+            }
+
+            let chunk_size = usize::min(self.rate - self.absorb_index, input.len());
+            let dest = &mut self.state.state[self.absorb_index..self.absorb_index + chunk_size];
+            dest.copy_from_slice(&input[..chunk_size]);
+            self.absorb_index += chunk_size;
+            input = &input[chunk_size..];
+        }
+    }
+
+    fn squeeze(&mut self, mut length: usize) -> Vec<u8> {
+        self.absorb_index = self.rate;
+
+        let mut output = Vec::new();
+        while length != 0 {
+            if self.squeeze_index == self.rate {
+                self.state.permute();
+                self.squeeze_index = 0;
+            }
+
+            let chunk_size = usize::min(self.rate - self.squeeze_index, length);
+            output.extend_from_slice(&self.state.state[self.squeeze_index..self.squeeze_index + chunk_size]);
+            self.squeeze_index += chunk_size;
+            length -= chunk_size;
+        }
+
+        output
+    }
+}
+
+pub trait Modulable: PrimeField {
+    fn cardinal() -> BigUint;
+}
+
+pub struct ByteSchnorrCodec<G, H>
+where
+    G: Group + GroupEncoding + GroupSerialisation,
+    G::Scalar: Modulable,
+    H: DuplexSpongeInterface
+{
+    order: BigUint,
+    hasher: H,
+    _marker: core::marker::PhantomData<G>,
+}
+
+impl<G, H> TranscriptCodec<G> for ByteSchnorrCodec<G, H>
+where
+    G: Group + GroupEncoding + GroupSerialisation,
+    G::Scalar: Modulable,
+    H: DuplexSpongeInterface
+{
+    fn new(domain_sep: &[u8]) -> Self {
+        let mut hasher = H::new(domain_sep);
+        let order = G::Scalar::cardinal();
+        Self { order, hasher, _marker: Default::default() }
+    }
+
+    fn prover_message(&mut self, elems: &[G]) -> &mut Self {
+        for elem in elems {
+            self.hasher.absorb(&G::serialize_element(elem));
+        }
+        self
+    }
+
+    fn verifier_challenge(&mut self) -> G::Scalar {
+        let scalar_byte_length = <<G as Group>::Scalar as PrimeField>::Repr::default().as_ref().len();
+
+        let uniform_bytes = self.hasher.squeeze(scalar_byte_length + 16);
+        println!("big : {:?}", &self.order);
+        let scalar = BigUint::from_bytes_be(&uniform_bytes);
+        let reduced = scalar % self.order.clone();
+
+        let mut bytes = vec![0u8; scalar_byte_length];
+        let reduced_bytes = reduced.to_bytes_be();
+        let start = bytes.len() - reduced_bytes.len();
+        bytes[start..].copy_from_slice(&reduced_bytes);
+
+        let mut repr = <<G as Group>::Scalar as PrimeField>::Repr::default();
+        repr.as_mut().copy_from_slice(&bytes);
+
+        <<G as Group>::Scalar as PrimeField>::from_repr(repr).expect("Error")
+    }
+}
diff --git a/src/toolbox/sigma/transcript/mod.rs b/src/toolbox/sigma/transcript/mod.rs
@@ -1,5 +1,7 @@
 pub mod r#trait;
-pub mod transcriptcodec;
+pub mod shake_transcript;
+pub mod keccak_transcript;
 
 pub use r#trait::TranscriptCodec;
-pub use transcriptcodec::KeccakTranscript;
+pub use shake_transcript::ShakeTranscript;
+pub use keccak_transcript::{KeccakDuplexSponge, Modulable, ByteSchnorrCodec};
diff --git a/src/toolbox/sigma/transcript/shake_transcript.rs b/src/toolbox/sigma/transcript/shake_transcript.rs
@@ -24,14 +24,14 @@ use crate::toolbox::sigma::transcript::r#trait::TranscriptCodec;
 ///
 /// The transcript is initialized with a domain separator and absorbs serialized
 /// group elements. It outputs challenges compatible with the group’s scalar field.
-pub struct KeccakTranscript<G: Group> {
+pub struct ShakeTranscript<G: Group> {
     /// Internal SHAKE128 hasher state.
     hasher: Shake128,
     /// Marker to bind this transcript to a specific group `G`.
     _marker: core::marker::PhantomData<G>,
 }
 
-impl<G> TranscriptCodec<G> for KeccakTranscript<G>
+impl<G> TranscriptCodec<G> for ShakeTranscript<G>
 where
     G: Group + GroupEncoding,
     G::Scalar: PrimeField,
diff --git a/src/toolbox/sigma/transcript/trait.rs b/src/toolbox/sigma/transcript/trait.rs
@@ -4,6 +4,13 @@
 
 use group::Group;
 
+pub trait DuplexSpongeInterface {
+    fn new(iv: &[u8]) -> Self;
+
+    fn absorb(&mut self, input: &[u8]);
+
+    fn squeeze(&mut self, length: usize) -> Vec<u8>;
+}
 /// A trait defining the behavior of a domain-separated transcript hashing, which is typically used for Sigma Protocols.
 /// 
 /// A domain-separated hashing transcript is a transcript, identified by a domain, which is incremented with successive messages ("absorb"). The transcript can then output a bit stream of any length, which is typically used to generate a challenge unique to the given transcript ("squeeze"). (See Sponge Construction).
diff --git a/tests/interactive_codec.rs b/tests/interactive_codec.rs
@@ -1,9 +1,9 @@
 use rand::rngs::OsRng;
 use curve25519_dalek::ristretto::RistrettoPoint;
 
-use sigma_rs::toolbox::sigma::transcript::{r#trait::TranscriptCodec, transcriptcodec::KeccakTranscript};
+use sigma_rs::toolbox::sigma::transcript::{r#trait::TranscriptCodec, shake_transcript::ShakeTranscript};
 
-pub type KeccakTranscriptRistretto = KeccakTranscript<curve25519_dalek::ristretto::RistrettoPoint>;
+pub type KeccakTranscriptRistretto = ShakeTranscript<curve25519_dalek::ristretto::RistrettoPoint>;
 
 #[allow(non_snake_case)]
 #[test]
diff --git a/tests/non_interactive_protocol.rs b/tests/non_interactive_protocol.rs
@@ -4,7 +4,7 @@ use curve25519_dalek::scalar::Scalar;
 
 use sigma_rs::toolbox::sigma::group_morphism::GroupMorphismPreimage;
 use sigma_rs::toolbox::sigma::schnorr_proof::SchnorrProof;
-use sigma_rs::toolbox::sigma::transcript::transcriptcodec::KeccakTranscript;
+use sigma_rs::toolbox::sigma::transcript::shake_transcript::ShakeTranscript;
 use sigma_rs::toolbox::sigma::fiat_shamir::NISigmaProtocol;
 
 type G = RistrettoPoint;
@@ -39,7 +39,7 @@ fn fiat_shamir_schnorr_proof_ristretto() {
     let protocol = SchnorrProof { morphismp };
 
     // Fiat-Shamir wrapper
-    let mut nizk = NISigmaProtocol::<SchnorrProof<G>, KeccakTranscript<G>, G>::new(domain_sep, protocol);
+    let mut nizk = NISigmaProtocol::<SchnorrProof<G>, ShakeTranscript<G>, G>::new(domain_sep, protocol);
 
     // Prove
     let proof_bytes = nizk.prove(&witness, &mut rng);
diff --git a/tests/sage_test_vectors.rs b/tests/sage_test_vectors.rs
@@ -1,12 +1,13 @@
 use bls12_381::G1Projective;
 use rand::{Rng, CryptoRng};
 use group::{Group, GroupEncoding, ff::Field};
-use sigma_rs::toolbox::sigma::sage_test::TestDRNG;
+use sigma_rs::toolbox::sigma::sage_test::{SRandom, TestDRNG};
 use sigma_rs::toolbox::sigma::sage_test::custom_schnorr_proof::SchnorrProofCustom;
 
+use sigma_rs::toolbox::sigma::transcript::KeccakDuplexSponge;
 use sigma_rs::toolbox::sigma::{
     GroupMorphismPreimage,
-    transcript::KeccakTranscript,
+    transcript::{ShakeTranscript, ByteSchnorrCodec},
     NISigmaProtocol,
 };
 
@@ -22,7 +23,7 @@ fn msm_pr<G: Group>(scalars: &[G::Scalar], bases: &[G]) -> G {
 
 
 #[allow(non_snake_case)]
-fn discrete_logarithm<G: Group + GroupEncoding>(
+fn discrete_logarithm<G: SRandom + Group + GroupEncoding>(
     rng: &mut (impl Rng + CryptoRng)
 ) -> (GroupMorphismPreimage<G>, Vec<G::Scalar>) {
     let mut morphismp: GroupMorphismPreimage<G> = GroupMorphismPreimage::new();
@@ -36,7 +37,7 @@ fn discrete_logarithm<G: Group + GroupEncoding>(
     let G = G::generator();
     morphismp.set_elements(&[(var_G, G)]);
 
-    let x = G::Scalar::random(&mut *rng);
+    let x = G::srandom(&mut *rng);
     let X = G * x;
     assert!(vec![X] == morphismp.morphism.evaluate(&[x]));
     morphismp.set_elements(&[(var_X, X)]);
@@ -173,14 +174,14 @@ fn bbs_blind_commitment_computation<G: Group + GroupEncoding>(
 #[allow(non_snake_case)]
 #[test]
 fn NI_discrete_logarithm() {
-    let mut rng = TestDRNG::new(b"79656c6c6f77207375626d6172696e6579656c6c6f77207375626d6172696e65");
+    let mut rng = TestDRNG::new(b"hello world");
     let (morphismp, witness) = discrete_logarithm::<Gp>(&mut rng);
 
     println!("witness: {:?}", witness);
 
     let protocol = SchnorrProofCustom { morphismp };
     let domain_sep: Vec<u8> = b"yellow submarineyellow submarine".to_vec();
-    let mut nizk = NISigmaProtocol::<SchnorrProofCustom<Gp>, KeccakTranscript<Gp>, Gp>::new(&domain_sep, protocol);
+    let mut nizk = NISigmaProtocol::<SchnorrProofCustom<Gp>, ByteSchnorrCodec::<Gp, KeccakDuplexSponge>, Gp>::new(&domain_sep, protocol);
     
     let proof_bytes = nizk.prove(&witness, &mut rng);
     let verified = nizk.verify(&proof_bytes).is_ok();
@@ -198,7 +199,7 @@ fn NI_dleq() {
 
     let protocol = SchnorrProofCustom { morphismp };
     let domain_sep: Vec<u8> = b"yellow submarineyellow submarine".to_vec();
-    let mut nizk = NISigmaProtocol::<SchnorrProofCustom<Gp>, KeccakTranscript<Gp>, Gp>::new(&domain_sep, protocol);
+    let mut nizk = NISigmaProtocol::<SchnorrProofCustom<Gp>, ShakeTranscript<Gp>, Gp>::new(&domain_sep, protocol);
     
     let proof_bytes = nizk.prove(&witness, &mut rng);
     let verified = nizk.verify(&proof_bytes).is_ok();
@@ -216,7 +217,7 @@ fn NI_pedersen_commitment() {
 
     let protocol = SchnorrProofCustom { morphismp };
     let domain_sep: Vec<u8> = b"yellow submarineyellow submarine".to_vec();
-    let mut nizk = NISigmaProtocol::<SchnorrProofCustom<Gp>, KeccakTranscript<Gp>, Gp>::new(&domain_sep, protocol);
+    let mut nizk = NISigmaProtocol::<SchnorrProofCustom<Gp>, ShakeTranscript<Gp>, Gp>::new(&domain_sep, protocol);
     
     let proof_bytes = nizk.prove(&witness, &mut rng);
     let verified = nizk.verify(&proof_bytes).is_ok();
@@ -234,7 +235,7 @@ fn NI_pedersen_commitment_dleq() {
 
     let protocol = SchnorrProofCustom { morphismp };
     let domain_sep: Vec<u8> = b"yellow submarineyellow submarine".to_vec();
-    let mut nizk = NISigmaProtocol::<SchnorrProofCustom<Gp>, KeccakTranscript<Gp>, Gp>::new(&domain_sep, protocol);
+    let mut nizk = NISigmaProtocol::<SchnorrProofCustom<Gp>, ShakeTranscript<Gp>, Gp>::new(&domain_sep, protocol);
     
     let proof_bytes = nizk.prove(&witness, &mut rng);
     let verified = nizk.verify(&proof_bytes).is_ok();
@@ -252,7 +253,7 @@ fn NI_bbs_blind_commitment_computation() {
 
     let protocol = SchnorrProofCustom { morphismp };
     let domain_sep: Vec<u8> = b"yellow submarineyellow submarine".to_vec();
-    let mut nizk = NISigmaProtocol::<SchnorrProofCustom<Gp>, KeccakTranscript<Gp>, Gp>::new(&domain_sep, protocol);
+    let mut nizk = NISigmaProtocol::<SchnorrProofCustom<Gp>, ShakeTranscript<Gp>, Gp>::new(&domain_sep, protocol);
     
     let proof_bytes = nizk.prove(&witness, &mut rng);
     let verified = nizk.verify(&proof_bytes).is_ok();
diff --git a/tests/test_sponge.rs b/tests/test_sponge.rs
diff --git a/tests/testos.rs b/tests/testos.rs
diff --git a/tests/various_tests.rs b/tests/various_tests.rs
