Merge branch 'main' of github.com:mmaker/sigma-rs into victor/branch-1

Author: nategraf

Cargo.toml

@@ -22,27 +22,21 @@ exclude = [
 [dependencies]
 ff = { version = "0.13", features = ["derive"] }
 group = "0.13.0"
-hex = "0.4"
 num-bigint = "0.4.6"
 num-traits = "0.2.19"
 rand = "0.8.5"
-serde = "1"
-serde_derive = "1"
-sha2 = "0.10"
 sha3 = "0.10.8"
-subtle = "2.6.1"
 thiserror = "1"
 tiny-keccak = { version = "2.0.2", features = ["fips202"] }
 
 [dev-dependencies]
-bincode = "2"
 bls12_381 = "0.8.0"
-criterion = { version = "0.6", features = ["html_reports"] }
 curve25519-dalek = { version = "4", default-features = false, features = ["serde", "rand_core", "alloc", "digest", "precomputed-tables", "group"] }
-hex-literal = "1.0.0"
+hex = "0.4"
 json = "0.12.4"
 sha2 = "0.10"
 sigma-rs = { path = ".", features = ["test-utils"] }
+subtle = "2.6.1"
 
 [profile.dev]
 # Makes tests run much faster at the cost of slightly longer builds and worse debug info.

src/codec/keccak_codec.rs

@@ -1,6 +1,6 @@
 //! # Keccak-based Fiat-Shamir Codec for vector tests
 //!
-//! This module implements a **Fiat-Shamir codec** using the Keccak-f[1600] permutation
+//! This module implements a **Fiat-Shamir codec** using the Keccak-f\[1600\] permutation
 //! in a duplex sponge construction
 //!
 //! It includes:
@@ -17,7 +17,7 @@
 //! - The `verifier_challenge` logic performs SHAKE-style domain separation and modulus reduction via `num-bigint`.
 //!
 //! ## Components
-//! - `KeccakPermutationState`: Low-level Keccak-f[1600] state representation
+//! - `KeccakPermutationState`: Low-level Keccak-f\[1600\] state representation
 //! - `KeccakDuplexSponge`: Duplex sponge over 200-byte state buffer
 //! - `ByteSchnorrCodec`: Fiat-Shamir codec compatible with Sage Schnorr proofs
 use crate::codec::r#trait::{Codec, DuplexSpongeInterface};

src/codec/shake_codec.rs

@@ -1,14 +1,14 @@
 //! Implementation of a Fiat-Shamir codec using SHAKE128
 //!
-//! This module defines `ShakeCodec`, a concrete implementation of the `Codec`
+//! This module defines [`ShakeCodec`], a concrete implementation of the [`Codec`]
 //! trait. It uses the SHAKE128 extendable output function (XOF) from the Keccak family
 //! to generate Fiat-Shamir challenges for Sigma protocols.
 //!
 //! It allows commitments (group elements) to be absorbed into a codec,
 //! and produces scalar challenges by squeezing bytes from the hash state.
 //!
 //! # Usage
-//! - The prover and verifier absorb the same messages into identical `ShakeCodec` instances.
+//! - The prover and verifier absorb the same messages into identical [`ShakeCodec`] instances.
 //! - The prover and the verifier then squeeze the hash to generate a challenge scalar for the protocol. The verifier can check that the prover used the challenge output by the codec because he owns an identical codec.
 
 use ff::PrimeField;

src/codec/trait.rs

@@ -1,6 +1,6 @@
 //! Codec Trait
 //!
-//! This module defines the `Codec` trait, a generic interface to manage codecs of a protocol execution.
+//! This module defines the [`Codec`] trait, a generic interface to manage codecs of a protocol execution.
 
 pub trait DuplexSpongeInterface {
     fn new(iv: &[u8]) -> Self;
@@ -17,7 +17,7 @@ pub trait DuplexSpongeInterface {
 /// The output is deterministic for a given set of input. Thus, both Prover and Verifier can generate the codec on their sides and ensure the same inputs have been used in both side of the protocol.
 ///
 /// ## Minimal Implementation
-/// Types implementing `Codec` must define:
+/// Types implementing [`Codec`] must define:
 /// - `new`
 /// - `prover_message`
 /// - `verifier_challenge`

src/errors.rs

@@ -6,25 +6,19 @@
 //! These errors include:
 //! - Verification failures (e.g., when a proof does not verify correctly).
 //! - Mismatched parameters during batch verification.
-//! - Not implemented methods
-//! - Group element/scalar serialization failed
+//! - Unimplemented methods.
+//! - Group element or scalar serialization failures.
 use thiserror::Error;
 /// An error during proving or verification, such as a verification failure.
 #[derive(Debug, Error)]
 pub enum ProofError {
     /// Something is wrong with the proof, causing a verification failure.
     #[error("Verification failed.")]
     VerificationFailure,
-    /// Occurs during batch verification if the batch parameters do not have the right size.
+    /// Indicates a mismatch in parameter sizes during batch verification.
     #[error("Mismatched parameter sizes for batch verification.")]
     ProofSizeMismatch,
-    /// Occurs when a feature is not implemented yet.
-    #[error("The method is not yet implemented for this struct")]
-    NotImplemented(&'static str),
-    /// Serialization of a group element/scalar failed
-    #[error("Serialization of a group element/scalar failed")]
+    /// Serialization of a group element/scalar has failed.
+    #[error("Serialization of a group element/scalar failed.")]
     GroupSerializationFailure,
-    /// Other error
-    #[error("Other")]
-    Other,
 }

src/fiat_shamir.rs

@@ -1,6 +1,6 @@
 //! Fiat-Shamir transformation for Sigma protocols.
 //!
-//! This module defines `NISigmaProtocol`, a generic non-interactive Sigma protocol wrapper,
+//! This module defines [`NISigmaProtocol`], a generic non-interactive Sigma protocol wrapper,
 //! based on applying the Fiat-Shamir heuristic using a codec.
 //!
 //! It transforms an interactive Sigma protocol into a non-interactive one,
@@ -9,11 +9,13 @@
 //!
 //! # Usage
 //! This struct is generic over:
-//! - `P`: the underlying Sigma protocol (`SigmaProtocol` trait).
-//! - `C`: the codec (`Codec` trait).
-//! - `G`: the group used for commitments and operations (`Group` trait).
+//! - `P`: the underlying Sigma protocol ([`SigmaProtocol`] trait).
+//! - `C`: the codec ([`Codec`] trait).
+//! - `G`: the group used for commitments and operations ([`Group`] trait).
 
-use crate::{codec::Codec, CompactProtocol, ProofError, SigmaProtocol};
+use crate::codec::Codec;
+use crate::errors::ProofError;
+use crate::traits::{CompactProtocol, SigmaProtocol};
 
 use group::{Group, GroupEncoding};
 use rand::{CryptoRng, RngCore};
@@ -26,7 +28,7 @@ type Transcript<P> = (
 
 /// A Fiat-Shamir transformation of a Sigma protocol into a non-interactive proof.
 ///
-/// `NISigmaProtocol` wraps an interactive Sigma protocol `P`
+/// [`NISigmaProtocol`] wraps an interactive Sigma protocol `P`
 /// and a hash-based codec `C`, to produce non-interactive proofs.
 ///
 /// It manages the domain separation, codec reset,
@@ -55,7 +57,14 @@ where
     P: SigmaProtocol<Commitment = Vec<G>, Challenge = <G as Group>::Scalar>,
     C: Codec<Challenge = <G as Group>::Scalar> + Clone,
 {
-    /// Creates a new non-interactive Sigma protocol, identified by a domain separator (usually fixed per protocol instantiation), and an initialized Sigma protocol instance.
+    /// Constructs a new [`NISigmaProtocol`] instance.
+    ///
+    /// # Parameters
+    /// - `iv`: Domain separation tag for the hash function (e.g., protocol name or context).
+    /// - `instance`: An instance of the interactive Sigma protocol.
+    ///
+    /// # Returns
+    /// A new [`NISigmaProtocol`] that can generate and verify non-interactive proofs.
     pub fn new(iv: &[u8], instance: P) -> Self {
         let hash_state = C::new(iv);
         Self {
@@ -64,7 +73,23 @@ where
         }
     }
 
-    /// Produces a non-interactive proof for a witness.
+    /// Generates a non-interactive proof for a witness.
+    ///
+    /// Executes the interactive protocol steps (commit, derive challenge via hash, respond),
+    /// and checks the result locally for consistency.
+    ///
+    /// # Parameters
+    /// - `witness`: The secret witness for the Sigma protocol.
+    /// - `rng`: A cryptographically secure random number generator.
+    ///
+    /// # Returns
+    /// A tuple of:
+    /// - `P::Commitment`: The prover's commitment(s).
+    /// - `P::Challenge`: The challenge derived via Fiat-Shamir.
+    /// - `P::Response`: The prover's response.
+    ///
+    /// # Panics
+    /// Panics if local verification fails.
     pub fn prove(
         &mut self,
         witness: &P::Witness,
@@ -93,7 +118,21 @@ where
         Ok((commitment, challenge, response))
     }
 
-    /// Verify a non-interactive proof and returns a Result: `Ok(())` if the proof verifies successfully, `Err(())` otherwise.
+    /// Verifies a non-interactive proof using the Fiat-Shamir transformation.
+    ///
+    /// # Parameters
+    /// - `commitment`: The commitment(s) sent by the prover.
+    /// - `challenge`: The challenge allegedly derived via Fiat-Shamir.
+    /// - `response`: The prover's response to the challenge.
+    ///
+    /// # Returns
+    /// - `Ok(())` if the proof is valid.
+    /// - `Err(ProofError::VerificationFailure)` if the challenge is invalid or the response fails to verify.
+    ///
+    /// # Errors
+    /// - Returns `ProofError::VerificationFailure` if:
+    ///   - The challenge doesn't match the recomputed one from the commitment.
+    ///   - The response fails verification under the Sigma protocol.
     pub fn verify(
         &mut self,
         commitment: &P::Commitment,
@@ -115,7 +154,17 @@ where
             false => Err(ProofError::VerificationFailure),
         }
     }
-
+    /// Generates a batchable, serialized non-interactive proof.
+    ///
+    /// # Parameters
+    /// - `witness`: The secret witness.
+    /// - `rng`: A cryptographically secure random number generator.
+    ///
+    /// # Returns
+    /// A serialized proof suitable for batch verification.
+    ///
+    /// # Panics
+    /// Panics if serialization fails (should not happen under correct implementation).
     pub fn prove_batchable(
         &mut self,
         witness: &P::Witness,
@@ -135,6 +184,19 @@ where
             .unwrap())
     }
 
+    /// Verifies a batchable non-interactive proof.
+    ///
+    /// # Parameters
+    /// - `proof`: A serialized batchable proof.
+    ///
+    /// # Returns
+    /// - `Ok(())` if the proof is valid.
+    /// - `Err(ProofError)` if deserialization or verification fails.
+    ///
+    /// # Errors
+    /// - Returns `ProofError::VerificationFailure` if:
+    ///   - The challenge doesn't match the recomputed one from the commitment.
+    ///   - The response fails verification under the Sigma protocol.
     pub fn verify_batchable(&mut self, proof: &[u8]) -> Result<(), ProofError> {
         let (commitment, response) = self.sigmap.deserialize_batchable(proof).unwrap();
 
@@ -158,6 +220,19 @@ where
     P: SigmaProtocol<Commitment = Vec<G>, Challenge = <G as Group>::Scalar> + CompactProtocol,
     C: Codec<Challenge = <G as Group>::Scalar> + Clone,
 {
+    /// Generates a compact serialized proof.
+    ///
+    /// Uses a more space-efficient representation compared to batchable proofs.
+    ///
+    /// # Parameters
+    /// - `witness`: The secret witness.
+    /// - `rng`: A cryptographically secure random number generator.
+    ///
+    /// # Returns
+    /// A compact, serialized proof.
+    ///
+    /// # Panics
+    /// Panics if serialization fails.
     pub fn prove_compact(
         &mut self,
         witness: &P::Witness,
@@ -170,6 +245,21 @@ where
             .unwrap())
     }
 
+    /// Verifies a compact proof.
+    ///
+    /// Recomputes the commitment from the challenge and response, then verifies it.
+    ///
+    /// # Parameters
+    /// - `proof`: A compact serialized proof.
+    ///
+    /// # Returns
+    /// - `Ok(())` if the proof is valid.
+    /// - `Err(ProofError)` if deserialization or verification fails.
+    ///
+    /// # Errors
+    /// - Returns `ProofError::VerificationFailure` if:
+    ///   - Deserialization fails.
+    ///   - The recomputed commitment or response is invalid under the Sigma protocol.
     pub fn verify_compact(&mut self, proof: &[u8]) -> Result<(), ProofError> {
         let (challenge, response) = self.sigmap.deserialize_compact(proof).unwrap();
         // Compute the commitments