fix: update test vectors, now matching latest spec.

Author: mmaker

src/codec.rs

@@ -59,6 +59,25 @@ fn length_to_bytes(x: usize) -> [u8; WORD_SIZE] {
     (x as u32).to_be_bytes()
 }
 
+/// Compute the initialization vector (IV) for a protocol instance.
+///
+/// This function computes a deterministic IV from the protocol identifier,
+/// session identifier, and instance label using the specified duplex sponge.
+pub fn compute_iv<H: DuplexSpongeInterface>(
+    protocol_id: &[u8],
+    session_id: &[u8],
+    instance_label: &[u8],
+) -> [u8; 32] {
+    let mut tmp = H::new([0u8; 32]);
+    tmp.absorb(&length_to_bytes(protocol_id.len()));
+    tmp.absorb(protocol_id);
+    tmp.absorb(&length_to_bytes(session_id.len()));
+    tmp.absorb(session_id);
+    tmp.absorb(&length_to_bytes(instance_label.len()));
+    tmp.absorb(instance_label);
+    tmp.squeeze(32).try_into().unwrap()
+}
+
 impl<G, H> Codec for ByteSchnorrCodec<G, H>
 where
     G: PrimeGroup,
@@ -67,17 +86,7 @@ where
     type Challenge = G::Scalar;
 
     fn new(protocol_id: &[u8], session_id: &[u8], instance_label: &[u8]) -> Self {
-        let iv = {
-            let mut tmp = H::new([0u8; 32]);
-            tmp.absorb(&length_to_bytes(protocol_id.len()));
-            tmp.absorb(protocol_id);
-            tmp.absorb(&length_to_bytes(session_id.len()));
-            tmp.absorb(session_id);
-            tmp.absorb(&length_to_bytes(instance_label.len()));
-            tmp.absorb(instance_label);
-            tmp.squeeze(32).try_into().unwrap()
-        };
-
+        let iv = compute_iv::<H>(protocol_id, session_id, instance_label);
         Self::from_iv(iv)
     }
 

src/composition.rs

@@ -234,9 +234,11 @@ impl<G: PrimeGroup> SigmaProtocol for ComposedRelation<G> {
         response: &Self::Response,
     ) -> Result<(), Error> {
         match (self, commitment, response) {
-            (ComposedRelation::Simple(p), ProtocolCommitment::Simple(c), ProtocolResponse::Simple(r)) => {
-                p.verifier(c, challenge, r)
-            }
+            (
+                ComposedRelation::Simple(p),
+                ProtocolCommitment::Simple(c),
+                ProtocolResponse::Simple(r),
+            ) => p.verifier(c, challenge, r),
             (
                 ComposedRelation::And(ps),
                 ProtocolCommitment::And(commitments),
@@ -267,7 +269,9 @@ impl<G: PrimeGroup> SigmaProtocol for ComposedRelation<G> {
 
     fn serialize_commitment(&self, commitment: &Self::Commitment) -> Vec<u8> {
         match (self, commitment) {
-            (ComposedRelation::Simple(p), ProtocolCommitment::Simple(c)) => p.serialize_commitment(c),
+            (ComposedRelation::Simple(p), ProtocolCommitment::Simple(c)) => {
+                p.serialize_commitment(c)
+            }
             (ComposedRelation::And(ps), ProtocolCommitment::And(commitments))
             | (ComposedRelation::Or(ps), ProtocolCommitment::Or(commitments)) => ps
                 .iter()
@@ -432,9 +436,9 @@ impl<G: PrimeGroup> SigmaProtocolSimulator for ComposedRelation<G> {
         response: &Self::Response,
     ) -> Result<Self::Commitment, Error> {
         match (self, response) {
-            (ComposedRelation::Simple(p), ProtocolResponse::Simple(r)) => Ok(ProtocolCommitment::Simple(
-                p.simulate_commitment(challenge, r)?,
-            )),
+            (ComposedRelation::Simple(p), ProtocolResponse::Simple(r)) => Ok(
+                ProtocolCommitment::Simple(p.simulate_commitment(challenge, r)?),
+            ),
             (ComposedRelation::And(ps), ProtocolResponse::And(rs)) => {
                 let commitments = ps
                     .iter()

src/errors.rs

@@ -8,6 +8,29 @@
 //! - Mismatched parameter lengths (e.g., during batch verification),
 //! - Access to unassigned group variables in constraint systems.
 
+/// Represents an invalid instance error.
+#[derive(Debug, thiserror::Error)]
+#[error("Invalid instance: {message}")]
+pub struct InvalidInstance {
+    /// The error message describing what's invalid about the instance.
+    pub message: String,
+}
+
+impl InvalidInstance {
+    /// Create a new InvalidInstance error with the given message.
+    pub fn new(message: impl Into<String>) -> Self {
+        Self {
+            message: message.into(),
+        }
+    }
+}
+
+impl From<InvalidInstance> for Error {
+    fn from(_err: InvalidInstance) -> Self {
+        Error::InvalidInstanceWitnessPair
+    }
+}
+
 /// Represents an error encountered during the execution of a Sigma protocol.
 ///
 /// This may occur during proof generation, response computation, or verification.

src/linear_relation/mod.rs

@@ -510,6 +510,154 @@ impl<G: PrimeGroup> CanonicalLinearRelation<G> {
 
         out
     }
+
+    /// Parse a canonical linear relation from its label representation
+    pub fn from_label(data: &[u8]) -> Result<Self, Error> {
+        use crate::errors::InvalidInstance;
+        use crate::serialization::group_elt_serialized_len;
+
+        let mut offset = 0;
+
+        // Read number of equations (4 bytes, little endian)
+        if data.len() < 4 {
+            return Err(InvalidInstance::new("Invalid label: too short for equation count").into());
+        }
+        let num_equations = u32::from_le_bytes([data[0], data[1], data[2], data[3]]) as usize;
+        offset += 4;
+
+        // Parse constraints and collect unique group element indices
+        let mut constraint_data = Vec::new();
+        let mut max_scalar_index = 0u32;
+        let mut max_group_index = 0u32;
+
+        for _ in 0..num_equations {
+            // Read LHS index (4 bytes)
+            if offset + 4 > data.len() {
+                return Err(InvalidInstance::new("Invalid label: truncated LHS index").into());
+            }
+            let lhs_index = u32::from_le_bytes([
+                data[offset],
+                data[offset + 1],
+                data[offset + 2],
+                data[offset + 3],
+            ]);
+            offset += 4;
+            max_group_index = max_group_index.max(lhs_index);
+
+            // Read number of RHS terms (4 bytes)
+            if offset + 4 > data.len() {
+                return Err(InvalidInstance::new("Invalid label: truncated RHS count").into());
+            }
+            let num_rhs_terms = u32::from_le_bytes([
+                data[offset],
+                data[offset + 1],
+                data[offset + 2],
+                data[offset + 3],
+            ]) as usize;
+            offset += 4;
+
+            // Read RHS terms
+            let mut rhs_terms = Vec::new();
+            for _ in 0..num_rhs_terms {
+                // Read scalar index (4 bytes)
+                if offset + 4 > data.len() {
+                    return Err(
+                        InvalidInstance::new("Invalid label: truncated scalar index").into(),
+                    );
+                }
+                let scalar_index = u32::from_le_bytes([
+                    data[offset],
+                    data[offset + 1],
+                    data[offset + 2],
+                    data[offset + 3],
+                ]);
+                offset += 4;
+                max_scalar_index = max_scalar_index.max(scalar_index);
+
+                // Read group index (4 bytes)
+                if offset + 4 > data.len() {
+                    return Err(InvalidInstance::new("Invalid label: truncated group index").into());
+                }
+                let group_index = u32::from_le_bytes([
+                    data[offset],
+                    data[offset + 1],
+                    data[offset + 2],
+                    data[offset + 3],
+                ]);
+                offset += 4;
+                max_group_index = max_group_index.max(group_index);
+
+                rhs_terms.push((scalar_index, group_index));
+            }
+
+            constraint_data.push((lhs_index, rhs_terms));
+        }
+
+        // Calculate expected number of group elements
+        let num_group_elements = (max_group_index + 1) as usize;
+        let group_element_size = group_elt_serialized_len::<G>();
+        let expected_remaining = num_group_elements * group_element_size;
+
+        if data.len() - offset != expected_remaining {
+            return Err(InvalidInstance::new(format!(
+                "Invalid label: expected {} bytes for {} group elements, got {}",
+                expected_remaining,
+                num_group_elements,
+                data.len() - offset
+            ))
+            .into());
+        }
+
+        // Parse group elements
+        let mut group_elements_ordered = Vec::new();
+        for i in 0..num_group_elements {
+            let start = offset + i * group_element_size;
+            let end = start + group_element_size;
+            let elem_bytes = &data[start..end];
+
+            let mut repr = G::Repr::default();
+            repr.as_mut().copy_from_slice(elem_bytes);
+
+            let elem = Option::<G>::from(G::from_bytes(&repr)).ok_or_else(|| {
+                Error::from(InvalidInstance::new(format!(
+                    "Invalid group element at index {}",
+                    i
+                )))
+            })?;
+
+            group_elements_ordered.push(elem);
+        }
+
+        // Build the canonical relation
+        let mut canonical = Self::new();
+        canonical.num_scalars = (max_scalar_index + 1) as usize;
+
+        // Add all group elements to the map
+        let mut group_var_map = Vec::new();
+        for elem in &group_elements_ordered {
+            let var = canonical.group_elements.push(*elem);
+            group_var_map.push(var);
+        }
+
+        // Build constraints
+        for (lhs_index, rhs_terms) in constraint_data {
+            // Add image element
+            canonical
+                .image
+                .push(group_elements_ordered[lhs_index as usize]);
+
+            // Build linear combination
+            let mut linear_combination = Vec::new();
+            for (scalar_index, group_index) in rhs_terms {
+                let scalar_var = ScalarVar(scalar_index as usize, PhantomData);
+                let group_var = group_var_map[group_index as usize];
+                linear_combination.push((scalar_var, group_var));
+            }
+            canonical.linear_combinations.push(linear_combination);
+        }
+
+        Ok(canonical)
+    }
 }
 
 impl<G: PrimeGroup> TryFrom<&LinearRelation<G>> for CanonicalLinearRelation<G> {

src/schnorr_protocol.rs

@@ -311,7 +311,7 @@ where
     }
 
     fn protocol_identifier(&self) -> impl AsRef<[u8]> {
-        b"SchnorrProof"
+        b"draft-zkproof-fiat-shamir"
     }
 }
 

src/serialization.rs

@@ -6,6 +6,14 @@
 use ff::PrimeField;
 use group::prime::PrimeGroup;
 
+/// Get the serialized length of a group element in bytes.
+///
+/// # Returns
+/// The number of bytes required to serialize a group element.
+pub fn group_elt_serialized_len<G: PrimeGroup>() -> usize {
+    G::Repr::default().as_ref().len()
+}
+
 /// Serialize a slice of group elements into a byte vector.
 ///
 /// # Parameters
@@ -31,7 +39,7 @@ pub fn serialize_elements<G: PrimeGroup>(elements: &[G]) -> Vec<u8> {
 /// - `Some(Vec<G>)`: The deserialized group elements if all are valid.
 /// - `None`: If the byte slice length is incorrect or any element is invalid.
 pub fn deserialize_elements<G: PrimeGroup>(data: &[u8], count: usize) -> Option<Vec<G>> {
-    let element_len = G::Repr::default().as_ref().len();
+    let element_len = group_elt_serialized_len::<G>();
     let expected_len = count * element_len;
 
     if data.len() < expected_len {

src/tests/composition.rs

@@ -2,8 +2,7 @@ use curve25519_dalek::ristretto::RistrettoPoint;
 use rand::rngs::OsRng;
 
 use super::test_utils::{
-    bbs_blind_commitment_computation, discrete_logarithm, dleq, pedersen_commitment,
-    pedersen_commitment_dleq,
+    bbs_blind_commitment, discrete_logarithm, dleq, pedersen_commitment, pedersen_commitment_dleq,
 };
 use crate::codec::Shake128DuplexSponge;
 use crate::composition::{ComposedRelation, ProtocolWitness};
@@ -30,7 +29,7 @@ fn composition_proof_correct() {
     let (relation2, _) = pedersen_commitment::<G, _>(&mut rng);
     let (relation3, witness3) = discrete_logarithm::<G, _>(&mut rng);
     let (relation4, witness4) = pedersen_commitment_dleq::<G, _>(&mut rng);
-    let (relation5, witness5) = bbs_blind_commitment_computation::<G, _>(&mut rng);
+    let (relation5, witness5) = bbs_blind_commitment::<G, _>(&mut rng);
 
     // second layer protocol definitions
     let or_protocol1 = ComposedRelation::Or(vec![
@@ -55,7 +54,9 @@ fn composition_proof_correct() {
     let protocol = ComposedRelation::And(vec![or_protocol1, simple_protocol1, and_protocol1]);
     let witness = ProtocolWitness::And(vec![or_witness1, simple_witness1, and_witness1]);
 
-    let nizk = Nizk::<ComposedRelation<RistrettoPoint>, Shake128DuplexSponge<G>>::new(domain_sep, protocol);
+    let nizk = Nizk::<ComposedRelation<RistrettoPoint>, Shake128DuplexSponge<G>>::new(
+        domain_sep, protocol,
+    );
 
     // Batchable and compact proofs
     let proof_batchable_bytes = nizk.prove_batchable(&witness, &mut OsRng).unwrap();

src/tests/mod.rs

@@ -1,4 +1,4 @@
 mod composition;
 mod relations;
 mod spec;
-pub mod test_utils;
+pub mod test_utils;

src/tests/relations.rs

@@ -3,9 +3,8 @@ use rand::rngs::OsRng;
 
 use crate::fiat_shamir::Nizk;
 use crate::tests::test_utils::{
-    bbs_blind_commitment_computation, discrete_logarithm, dleq, pedersen_commitment,
-    pedersen_commitment_dleq, shifted_discrete_logarithm, shifted_dleq,
-    user_specific_linear_combination,
+    bbs_blind_commitment, discrete_logarithm, dleq, pedersen_commitment, pedersen_commitment_dleq,
+    shifted_discrete_logarithm, shifted_dleq, user_specific_linear_combination,
 };
 use crate::{
     codec::Shake128DuplexSponge, linear_relation::CanonicalLinearRelation,
@@ -99,7 +98,7 @@ fn test_pedersen_commitment_dleq() {
 #[test]
 fn test_bbs_blind_commitment_computation() {
     test_relation_and_nizk(
-        |rng| bbs_blind_commitment_computation::<G, _>(rng),
+        |rng| bbs_blind_commitment::<G, _>(rng),
         "bbs-blind-commitment-computation",
     );
 }

src/tests/spec/bls12_381.rs

@@ -61,5 +61,4 @@ impl SRandom for G1Projective {
         }
         G1Projective::scalar_from_hex_be(&hex_string).unwrap()
     }
-
 }