Merge pull request #15 from Chausseaumoine/feat/absorb-morphism-transcript

feat(fiat-shamir): absorb morphism structure into transcript codec

Author: Chausseaumoine

src/codec/shake_codec.rs

@@ -27,7 +27,7 @@ use crate::codec::r#trait::Codec;
 ///
 /// The codec is initialized with a domain separator and absorbs serialized
 /// group elements. It outputs challenges compatible with the group’s scalar field.
-#[derive(Clone)]
+#[derive(Clone, Debug)]
 pub struct ShakeCodec<G: Group> {
     /// Internal SHAKE128 hasher state.
     hasher: Shake128,

src/fiat_shamir.rs

@@ -14,8 +14,10 @@
 
 use crate::codec::Codec;
 use crate::errors::Error;
+use crate::group_morphism::HasGroupMorphism;
 use crate::traits::{CompactProtocol, SigmaProtocol};
 
+use group::{Group, GroupEncoding};
 use rand::{CryptoRng, RngCore};
 
 pub trait FiatShamir<C: Codec>: SigmaProtocol {
@@ -41,6 +43,7 @@ type Transcript<P> = (
 /// # Type Parameters
 /// - `P`: the Sigma protocol implementation.
 /// - `C`: the codec used for Fiat-Shamir.
+#[derive(Debug)]
 pub struct NISigmaProtocol<P, C>
 where
     P: SigmaProtocol<Challenge: PartialEq> + FiatShamir<C>,
@@ -243,3 +246,16 @@ where
         self.verify(&commitment, &challenge, &response)
     }
 }
+
+impl<P, C> NISigmaProtocol<P, C>
+where
+    P: SigmaProtocol<Challenge = <P::Group as Group>::Scalar> + HasGroupMorphism + FiatShamir<C>,
+    P::Challenge: PartialEq,
+    P::Group: Group + GroupEncoding,
+    C: Codec<Challenge = P::Challenge> + Clone,
+{
+    /// Absorbs the morphism structure into the transcript codec.
+    pub fn absorb_morphism(&self, codec: &mut C) -> Result<(), Error> {
+        self.sigmap.absorb_morphism_structure(codec)
+    }
+}

src/group_morphism.rs

@@ -10,6 +10,7 @@
 
 use std::iter;
 
+use crate::codec::Codec;
 use crate::errors::Error;
 use group::{Group, GroupEncoding};
 
@@ -47,6 +48,15 @@ pub struct Term {
     elem: GroupVar,
 }
 
+impl Term {
+    pub fn scalar(&self) -> ScalarVar {
+        self.scalar
+    }
+    pub fn elem(&self) -> GroupVar {
+        self.elem
+    }
+}
+
 impl From<(ScalarVar, GroupVar)> for Term {
     fn from((scalar, elem): (ScalarVar, GroupVar)) -> Self {
         Self { scalar, elem }
@@ -61,9 +71,15 @@ impl From<(ScalarVar, GroupVar)> for Term {
 /// where `s_i` are scalars (referenced by `scalar_vars`) and `P_i` are group elements (referenced by `element_vars`).
 ///
 /// The indices refer to external lists managed by the containing Morphism.
-#[derive(Clone)]
+#[derive(Clone, Debug)]
 pub struct LinearCombination(Vec<Term>);
 
+impl LinearCombination {
+    pub fn terms(&self) -> &[Term] {
+        &self.0
+    }
+}
+
 impl<T: Into<Term>> From<T> for LinearCombination {
     fn from(term: T) -> Self {
         Self(vec![term.into()])
@@ -169,7 +185,7 @@ impl<G: Group> FromIterator<(GroupVar, G)> for GroupMap<G> {
 ///
 /// It supports dynamic allocation of scalars and elements,
 /// and evaluates by performing multi-scalar multiplications.
-#[derive(Clone, Default)]
+#[derive(Clone, Default, Debug)]
 pub struct Morphism<G: Group> {
     /// The set of linear combination constraints (equations).
     pub constraints: Vec<LinearCombination>,
@@ -260,7 +276,7 @@ impl<G: Group> Morphism<G> {
 /// Internally, the constraint system is defined through:
 /// - A list of group elements and linear equations (held in the [`Morphism`] field),
 /// - A list of [`GroupVar`] indices (`image`) that specify the expected output for each constraint.
-#[derive(Clone, Default)]
+#[derive(Clone, Default, Debug)]
 pub struct GroupMorphismPreimage<G>
 where
     G: Group + GroupEncoding,
@@ -444,3 +460,24 @@ where
             .collect()
     }
 }
+
+/// Trait for accessing the underlying group morphism in a Sigma protocol.
+pub trait HasGroupMorphism {
+    type Group: Group + GroupEncoding;
+    fn group_morphism(&self) -> &GroupMorphismPreimage<Self::Group>;
+
+    /// Absorbs the morphism structure into a codec.
+    /// Only compatible with 64-bit platforms
+    fn absorb_morphism_structure<C: Codec>(&self, codec: &mut C) -> Result<(), Error> {
+        let morphism = self.group_morphism();
+        for lc in &morphism.morphism.constraints {
+            for term in lc.terms() {
+                let mut buf = [0u8; 16];
+                buf[..8].copy_from_slice(&(term.scalar().index() as u64).to_le_bytes());
+                buf[8..].copy_from_slice(&(term.elem().index() as u64).to_le_bytes());
+                codec.prover_message(&buf);
+            }
+        }
+        Ok(())
+    }
+}

src/schnorr_protocol.rs

@@ -7,7 +7,7 @@
 use crate::codec::Codec;
 use crate::errors::Error;
 use crate::fiat_shamir::FiatShamir;
-use crate::group_morphism::GroupMorphismPreimage;
+use crate::group_morphism::{GroupMorphismPreimage, HasGroupMorphism};
 use crate::{
     group_serialization::*,
     traits::{CompactProtocol, SigmaProtocol, SigmaProtocolSimulator},
@@ -24,7 +24,7 @@ use rand::{CryptoRng, RngCore};
 ///
 /// # Type Parameters
 /// - `G`: A cryptographic group implementing [`Group`] and [`GroupEncoding`].
-#[derive(Clone, Default)]
+#[derive(Clone, Default, Debug)]
 pub struct SchnorrProtocol<G: Group + GroupEncoding>(pub GroupMorphismPreimage<G>);
 
 impl<G: Group + GroupEncoding> SchnorrProtocol<G> {
@@ -429,3 +429,10 @@ where
         Ok(codec.verifier_challenge())
     }
 }
+
+impl<G: Group + GroupEncoding> HasGroupMorphism for SchnorrProtocol<G> {
+    type Group = G;
+    fn group_morphism(&self) -> &GroupMorphismPreimage<G> {
+        &self.0
+    }
+}

tests/morphism_preimage.rs

@@ -3,6 +3,7 @@ use group::{Group, ff::Field};
 use rand::rngs::OsRng;
 
 use sigma_rs::fiat_shamir::NISigmaProtocol;
+use sigma_rs::group_morphism::HasGroupMorphism;
 use sigma_rs::test_utils::{
     bbs_blind_commitment_computation, discrete_logarithm, dleq, pedersen_commitment,
     pedersen_commitment_dleq,
@@ -97,6 +98,43 @@ fn noninteractive_discrete_logarithm() {
     );
 }
 
+/// This part tests the implementation of the SigmaProtocol trait for the
+/// SchnorrProtocol structure as well as the Fiat-Shamir NISigmaProtocol transform,
+/// with additional morphism structure absorption into the transcript.
+#[test]
+fn noninteractive_discrete_logarithm_with_morphism_transcript() {
+    let mut rng = OsRng;
+    let (morphismp, witness) = discrete_logarithm(Scalar::random(&mut rng));
+
+    // The SigmaProtocol induced by morphismp
+    let protocol = SchnorrProtocol::from(morphismp);
+
+    // Fiat-Shamir wrapper
+    let domain_sep = b"test-fiat-shamir-schnorr";
+    let mut nizk = NISigmaProtocol::<SchnorrProtocol<G>, ShakeCodec<G>>::new(domain_sep, protocol);
+
+    // Morphism absorption
+    nizk.sigmap
+        .absorb_morphism_structure(&mut nizk.hash_state)
+        .unwrap();
+
+    // Generate and verify proofs
+    let proof_batchable_bytes = nizk.prove_batchable(&witness, &mut rng).unwrap();
+    let proof_compact_bytes = nizk.prove_compact(&witness, &mut rng).unwrap();
+
+    let verified_batchable = nizk.verify_batchable(&proof_batchable_bytes).is_ok();
+    let verified_compact = nizk.verify_compact(&proof_compact_bytes).is_ok();
+
+    assert!(
+        verified_batchable,
+        "Fiat-Shamir Schnorr proof with morphism absorption failed (batchable)"
+    );
+    assert!(
+        verified_compact,
+        "Fiat-Shamir Schnorr proof with morphism absorption failed (compact)"
+    );
+}
+
 #[test]
 fn noninteractive_dleq() {
     let mut rng = OsRng;