more complex linear relations

mmaker · mmaker · commit 123bb051b741 · 2025-07-25T19:14:50.000-07:00
diff --git a/src/tests/test_relations.rs b/src/tests/test_relations.rs
@@ -1,5 +1,6 @@
 use std::collections::HashMap;
 
+use bls12_381::Scalar;
 use ff::Field;
 use group::prime::PrimeGroup;
 use rand::rngs::OsRng;
@@ -51,8 +52,7 @@ pub fn shifted_dlog<G: PrimeGroup, R: RngCore>(
 
     let var_X = relation.allocate_eq(var_G * var_x + var_G * <G::Scalar as Field>::ONE);
     // another way of writing this is:
-    relation.append_equation(var_X, (var_x + <G::Scalar as Field>::ONE) * var_G);
-
+    relation.append_equation(var_X, (var_x + Scalar::from(1)) * var_G);
 
     relation.set_element(var_G, G::generator());
     relation.compute_image(&[x]).unwrap();
@@ -144,6 +144,31 @@ pub fn pedersen_commitment<G: PrimeGroup, R: RngCore>(
     (instance, witness)
 }
 
+#[allow(non_snake_case)]
+pub fn twisted_pedersen_commitment<G: PrimeGroup, R: RngCore>(
+    rng: &mut R,
+) -> (CanonicalLinearRelation<G>, Vec<G::Scalar>) {
+    let H = G::random(&mut *rng);
+    let x = G::Scalar::random(&mut *rng);
+    let r = G::Scalar::random(&mut *rng);
+    let mut relation = LinearRelation::new();
+
+    let [var_x, var_r] = relation.allocate_scalars();
+    let [var_G, var_H] = relation.allocate_elements();
+
+    let var_C = relation.allocate_eq((var_x * Scalar::from(3)) * var_G + (var_r * Scalar::from(2) + Scalar::from(3)) * var_H);
+
+    relation.set_elements([(var_H, H), (var_G, G::generator())]);
+    relation.compute_image(&[x, r]).unwrap();
+
+    let C = relation.linear_map.group_elements.get(var_C).unwrap();
+
+    let witness = vec![x, r];
+    assert_eq!(C, G::generator() * x + H * r);
+    let instance = (&relation).try_into().unwrap();
+    (instance, witness)
+}
+
 /// LinearMap for knowledge of equal openings to two distinct Pedersen commitments.
 #[allow(non_snake_case)]
 pub fn pedersen_commitment_dleq<G: PrimeGroup, R: RngCore>(
@@ -181,6 +206,7 @@ pub fn pedersen_commitment_dleq<G: PrimeGroup, R: RngCore>(
     (instance, witness_vec)
 }
 
+
 /// LinearMap for knowledge of an opening for use in a BBS commitment.
 // BBS message length is 3
 #[allow(non_snake_case)]
diff --git a/src/tests/test_validation_criteria.rs b/src/tests/test_validation_criteria.rs
@@ -186,10 +186,12 @@ mod instance_validation {
 #[cfg(test)]
 mod proof_validation {
     use crate::codec::KeccakByteSchnorrCodec;
+    use crate::composition::{ComposedRelation, ComposedWitness};
     use crate::fiat_shamir::Nizk;
     use crate::linear_relation::{CanonicalLinearRelation, LinearRelation};
     use crate::schnorr_protocol::SchnorrProof;
     use bls12_381::{G1Projective as G, Scalar};
+    use ff::Field;
     use rand::{thread_rng, RngCore};
 
     type TestNizk = Nizk<SchnorrProof<G>, KeccakByteSchnorrCodec<G>>;
@@ -359,4 +361,75 @@ mod proof_validation {
             "Proof verification should fail for random bytes"
         );
     }
+
+    #[test]
+    fn test_or_relation_wrong_branch() {
+        // This test reproduces the issue from sigma_compiler's simple_or test
+        // where an OR relation fails verification when using the wrong branch
+        let mut rng = thread_rng();
+        
+        // Create generators
+        // For this test, we'll use two different multiples of the generator
+        let B = G::generator();
+        let A = B * Scalar::from(42u64); // Different generator
+        
+        // Create scalars
+        let x = Scalar::random(&mut rng);
+        let y = Scalar::random(&mut rng);
+        
+        // Set C = y*B (so the second branch should be satisfied)
+        let C = B * y;
+        
+        // Create the first branch: C = x*A
+        let mut lr1 = LinearRelation::<G>::new();
+        let x_var = lr1.allocate_scalar();
+        let A_var = lr1.allocate_element();
+        let eq1 = lr1.allocate_eq(x_var * A_var);
+        lr1.set_element(A_var, A);
+        lr1.set_element(eq1, C);
+        
+        // Create the second branch: C = y*B
+        let mut lr2 = LinearRelation::<G>::new();
+        let y_var = lr2.allocate_scalar();
+        let B_var = lr2.allocate_element();
+        let eq2 = lr2.allocate_eq(y_var * B_var);
+        lr2.set_element(B_var, B);
+        lr2.set_element(eq2, C);
+        
+        // Create OR composition
+        let or_relation = ComposedRelation::Or(vec![
+            ComposedRelation::from(lr1),
+            ComposedRelation::from(lr2),
+        ]);
+        
+        // The issue from sigma_compiler: the witness is always using branch 0
+        // even when branch 1 should be used
+        let witness_wrong = ComposedWitness::Or(
+            0, // Always using branch 0
+            vec![
+                ComposedWitness::Simple(vec![x]),
+                ComposedWitness::Simple(vec![y]),
+            ],
+        );
+        
+        // Test the bug: using branch 0 when C = y*B (branch 1 should be used)
+        let nizk = Nizk::<_, KeccakByteSchnorrCodec<G>>::new(b"test_or_bug", or_relation);
+        let proof_result = nizk.prove_batchable(&witness_wrong, &mut rng);
+        
+        // This currently passes but should fail - this is the bug!
+        // The prover is using branch 0 (C = x*A) but C actually equals y*B
+        match proof_result {
+            Ok(proof) => {
+                let verify_result = nizk.verify_batchable(&proof);
+                println!("Bug reproduced: Proof with wrong branch verified: {:?}", verify_result.is_ok());
+                assert!(
+                    verify_result.is_err(),
+                    "BUG: Proof should fail when using wrong branch in OR relation, but it passed!"
+                );
+            }
+            Err(e) => {
+                println!("Proof generation failed as expected: {:?}", e);
+            }
+        }
+    }
 }
