wip: progress in constant-time or proofs

Author: mmaker

examples/simple_composition.rs

@@ -10,7 +10,6 @@ use sigma_rs::{
     errors::Error,
     LinearRelation, Nizk,
 };
-use subtle::CtOption;
 
 type G = RistrettoPoint;
 type ProofResult<T> = Result<T, Error>;
@@ -56,11 +55,8 @@ fn prove(P1: G, x2: Scalar, H: G) -> ProofResult<Vec<u8>> {
     let instance = create_relation(P1, P2, Q, H);
     // Create OR witness with branch 1 being the real one (index 1)
     let witness = ComposedWitness::Or(vec![
-        CtOption::new(
-            ComposedWitness::Simple(vec![Scalar::from(0u64)]),
-            0u8.into(),
-        ), // dummy for branch 0
-        CtOption::new(ComposedWitness::Simple(vec![x2]), 1u8.into()), // real witness for branch 1
+        ComposedWitness::Simple(vec![Scalar::from(0u64)]),
+        ComposedWitness::Simple(vec![x2]),
     ]);
     let nizk = Nizk::<_, Shake128DuplexSponge<G>>::new(b"or_proof_example", instance);
 

src/composition.rs

@@ -22,7 +22,9 @@ use ff::{Field, PrimeField};
 use group::prime::PrimeGroup;
 use sha3::Digest;
 use sha3::Sha3_256;
-use subtle::CtOption;
+use subtle::Choice;
+use subtle::ConditionallySelectable;
+use subtle::ConstantTimeEq;
 
 use crate::{
     codec::Shake128DuplexSponge,
@@ -71,17 +73,15 @@ pub enum ComposedCommitment<G: PrimeGroup> {
 }
 
 // Structure representing the ProverState type of Protocol as SigmaProtocol
-pub enum ComposedProverState<G: PrimeGroup> {
+pub enum ComposedProverState<G: PrimeGroup + ConstantTimeEq> {
     Simple(<SchnorrProof<G> as SigmaProtocol>::ProverState),
     And(Vec<ComposedProverState<G>>),
     Or(ComposedOrProverState<G>),
 }
 
-type ComposedOrProverState<G> = (
-    Vec<Option<ComposedProverState<G>>>,
-    Vec<Option<ComposedChallenge<G>>>,
-    Vec<Option<ComposedResponse<G>>>,
-);
+struct ComposedOrProverState<G: PrimeGroup + ConstantTimeEq> {
+    prover_states: Vec<(Choice, ComposedProverState<G>, ComposedChallenge<G>, ComposedResponse<G>)>,
+}
 
 // Structure representing the Response type of Protocol as SigmaProtocol
 #[derive(Clone)]
@@ -96,7 +96,7 @@ pub enum ComposedResponse<G: PrimeGroup> {
 pub enum ComposedWitness<G: PrimeGroup> {
     Simple(<SchnorrProof<G> as SigmaProtocol>::Witness),
     And(Vec<ComposedWitness<G>>),
-    Or(Vec<CtOption<ComposedWitness<G>>>),
+    Or(Vec<ComposedWitness<G>>),
 }
 
 type ComposedChallenge<G> = <SchnorrProof<G> as SigmaProtocol>::Challenge;
@@ -105,7 +105,30 @@ const fn composed_challenge_size<G: PrimeGroup>() -> usize {
     (G::Scalar::NUM_BITS as usize + 7) / 8
 }
 
-impl<G: PrimeGroup> ComposedRelation<G> {
+
+impl<G: PrimeGroup + ConstantTimeEq> ComposedRelation<G> {
+    fn is_witness_valid(&self, witness: &ComposedWitness<G>) -> Choice {
+        let validity_bit = Choice::from(0);
+        match (self, witness) {
+            (ComposedRelation::Simple(instance), ComposedWitness::Simple(witness)) => {
+                instance.0.is_witness_valid(witness)
+            }
+            (ComposedRelation::And(instances), ComposedWitness::And(witnesses)) => instances
+                .iter()
+                .zip(witnesses)
+                .fold(Choice::from(0), |bit, (instance, witness)| {
+                    bit & instance.is_witness_valid(witness)
+                }),
+            (ComposedRelation::Or(instances), ComposedWitness::Or(witnesses)) => instances
+                .iter()
+                .zip(witnesses)
+                .fold(Choice::from(0), |bit, (instance, witness)| {
+                    bit | instance.is_witness_valid(witness)
+                }),
+            _ => unreachable!(),
+        };
+        validity_bit
+    }
     fn prover_commit_simple(
         protocol: &SchnorrProof<G>,
         witness: &<SchnorrProof<G> as SigmaProtocol>::Witness,
@@ -173,45 +196,43 @@ impl<G: PrimeGroup> ComposedRelation<G> {
 
     fn prover_commit_or(
         instances: &[ComposedRelation<G>],
-        witnesses: &[CtOption<ComposedWitness<G>>],
+        witnesses: &[ComposedWitness<G>],
         rng: &mut (impl rand::Rng + rand::CryptoRng),
     ) -> Result<(ComposedCommitment<G>, ComposedProverState<G>), Error> {
         if instances.len() != witnesses.len() {
             return Err(Error::InvalidInstanceWitnessPair);
         }
 
-        let mut simulated_challenges = Vec::new();
-        let mut simulated_responses = Vec::new();
-        let mut commitments = Vec::<ComposedCommitment<G>>::with_capacity(instances.len());
+        let mut commitments = Vec::new();
         let mut prover_states = Vec::new();
 
-        for (i, witness) in witnesses.iter().enumerate() {
-            // let (simulated_commitment, simulated_challenge, simulated_response) = instances[i].simulate_transcript(rng)?;
-            let witness = witness.clone().into_option();
-            match witness {
-                Some(w) => {
-                    let (commitment, prover_state) = instances[i].prover_commit(&w, rng)?;
-                    commitments.push(commitment);
-                    prover_states.push(Some(prover_state));
-                    simulated_challenges.push(None);
-                    simulated_responses.push(None);
-                }
-                None => {
-                    let (simulated_commitment, simulated_challenge, simulated_response) =
-                        instances[i].simulate_transcript(rng)?;
-                    commitments.push(simulated_commitment);
-                    prover_states.push(None);
-                    simulated_challenges.push(Some(simulated_challenge));
-                    simulated_responses.push(Some(simulated_response));
-                }
-            }
+        for (i, w) in witnesses.iter().enumerate() {
+            let (commitment, prover_state) = instances[i].prover_commit(&w, rng)?;
+            let (simulated_commitment, simulated_challenge, simulated_response) =
+                instances[i].simulate_transcript(rng)?;
+
+            let valid_witness = instances[i].is_witness_valid(&w);
+            commitments.push(if valid_witness.unwrap_u8() == 1 {commitment } else { simulated_commitment.clone()} );
+            prover_states.push((valid_witness, prover_state, simulated_challenge, simulated_response));
+        }
+        // check that we have only one witness set
+        let witnesses_found = prover_states
+            .iter()
+            .map(|x| x.0.unwrap_u8() as usize)
+            .sum::<usize>();
+        let prover_state =
+            ComposedOrProverState {
+                prover_states,
+            };
+
+        if witnesses_found > 1 {
+            return Err(Error::InvalidInstanceWitnessPair);
+        } else {
+            Ok((
+                ComposedCommitment::Or(commitments),
+                ComposedProverState::Or(prover_state),
+            ))
         }
-        let prover_state: ComposedOrProverState<G> =
-            (prover_states, simulated_challenges, simulated_responses);
-        Ok((
-            ComposedCommitment::Or(commitments),
-            ComposedProverState::Or(prover_state),
-        ))
     }
 
     fn prover_response_or(
@@ -222,34 +243,30 @@ impl<G: PrimeGroup> ComposedRelation<G> {
         let mut result_challenges = Vec::with_capacity(instances.len());
         let mut result_responses = Vec::with_capacity(instances.len());
 
-        // Calculate the real challenge by subtracting all simulated challenges
-        let (child_states, simulated_challenges, simulated_responses) = prover_state;
+        let ComposedOrProverState { prover_states } = prover_state;
 
-        let real_challenge = challenge - simulated_challenges.iter().flatten().sum::<G::Scalar>();
+        let mut witness_challenge = challenge;
+        for (valid_witness, _prover_state, simulated_challenge, _simulated_response) in &prover_states {
+            let c = G::Scalar::conditional_select(&G::Scalar::ZERO, &simulated_challenge, *valid_witness);
+            witness_challenge -= c;
+        }
+        for (instance, (valid_witness, prover_state, simulated_challenge, simulated_response)) in instances.iter().zip(prover_states) {
+            let challenge_i = G::Scalar::conditional_select(&witness_challenge, &simulated_challenge, valid_witness);
 
-        let it = instances
-            .iter()
-            .zip(child_states)
-            .zip(simulated_challenges)
-            .zip(simulated_responses);
-        for (((i, prover_state), simulated_challenge), simulated_response) in it {
-            if let Some(state) = prover_state {
-                // Real case: compute response with real challenge
-                let response = i.prover_response(state, &real_challenge)?;
-                result_challenges.push(real_challenge);
-                result_responses.push(response);
-            } else {
-                result_challenges.push(simulated_challenge.unwrap());
-                result_responses.push(simulated_response.unwrap());
-            }
+            let real_response = instance.prover_response(prover_state, &challenge_i)?;
+
+            // let response_i = ComposedResponse::conditional_select(&real_response, &simulated_response, *witness_location);
+            let response_i = if valid_witness.unwrap_u8() == 1 { real_response } else { simulated_response };
+            result_challenges.push(challenge_i);
+            result_responses.push(response_i);
         }
-        result_challenges.pop();
 
+        result_challenges.pop();
         Ok(ComposedResponse::Or(result_challenges, result_responses))
     }
 }
 
-impl<G: PrimeGroup> SigmaProtocol for ComposedRelation<G> {
+impl<G: PrimeGroup + ConstantTimeEq> SigmaProtocol for ComposedRelation<G> {
     type Commitment = ComposedCommitment<G>;
     type ProverState = ComposedProverState<G>;
     type Response = ComposedResponse<G>;
@@ -501,7 +518,7 @@ impl<G: PrimeGroup> SigmaProtocol for ComposedRelation<G> {
     }
 }
 
-impl<G: PrimeGroup> SigmaProtocolSimulator for ComposedRelation<G> {
+impl<G: PrimeGroup + ConstantTimeEq> SigmaProtocolSimulator for ComposedRelation<G> {
     fn simulate_commitment(
         &self,
         challenge: &Self::Challenge,
@@ -606,7 +623,7 @@ impl<G: PrimeGroup> SigmaProtocolSimulator for ComposedRelation<G> {
     }
 }
 
-impl<G: PrimeGroup> ComposedRelation<G> {
+impl<G: PrimeGroup + ConstantTimeEq> ComposedRelation<G> {
     /// Convert this Protocol into a non-interactive zero-knowledge proof
     /// using the Shake128DuplexSponge codec and a specified session identifier.
     ///

src/linear_relation/canonical.rs

@@ -4,6 +4,7 @@ use std::marker::PhantomData;
 
 use ff::Field;
 use group::prime::PrimeGroup;
+use subtle::{Choice, ConstantTimeEq};
 
 use super::{GroupMap, GroupVar, LinearCombination, LinearRelation, ScalarTerm, ScalarVar};
 use crate::errors::{Error, InvalidInstance};
@@ -49,15 +50,21 @@ impl<G: PrimeGroup> CanonicalLinearRelation<G> {
     }
 
     /// Evaluate the canonical linear relation with the provided scalars
-    pub fn evaluate(&self, scalars: &[G::Scalar]) -> Result<Vec<G>, Error> {
+    pub fn evaluate(&self, scalars: &[G::Scalar]) -> Vec<G> {
         self.linear_combinations
             .iter()
             .map(|lc| {
-                let scalars = lc.iter().map(|(scalar_var, _)| scalars[scalar_var.index()]).collect::<Vec<_>>();
-                let bases = lc.iter().map(|(_, group_var)| self.group_elements.get(*group_var)).collect::<Result<Vec<_>, _>>()?;
-                Ok(msm_pr(&scalars, &bases))
+                let scalars = lc
+                    .iter()
+                    .map(|(scalar_var, _)| scalars[scalar_var.index()])
+                    .collect::<Vec<_>>();
+                let bases = lc
+                    .iter()
+                    .map(|(_, group_var)| self.group_elements.get(*group_var).unwrap())
+                    .collect::<Vec<_>>();
+                msm_pr(&scalars, &bases)
             })
-            .collect::<Result<Vec<_>, _>>().into()
+            .collect()
     }
 
     /// Get or create a GroupVar for a weighted group element, with deduplication
@@ -427,3 +434,13 @@ impl<G: PrimeGroup> TryFrom<&LinearRelation<G>> for CanonicalLinearRelation<G> {
         Ok(canonical)
     }
 }
+
+impl<G: PrimeGroup + ConstantTimeEq> CanonicalLinearRelation<G> {
+    pub fn is_witness_valid(&self, witness: &[G::Scalar]) -> Choice {
+        let got = self.evaluate(witness);
+        self.image
+            .iter()
+            .zip(got)
+            .fold(Choice::from(1), |acc, (lhs, rhs)| acc & lhs.ct_eq(&rhs))
+    }
+}

src/schnorr_protocol.rs

@@ -63,7 +63,7 @@ impl<G: PrimeGroup> SchnorrProof<G> {
             return Err(Error::InvalidInstanceWitnessPair);
         }
 
-        let commitment = self.0.evaluate(nonces)?;
+        let commitment = self.0.evaluate(nonces);
         let prover_state = ProverState(nonces.to_vec(), witness.to_vec());
         Ok((commitment, prover_state))
     }
@@ -176,7 +176,7 @@ impl<G: PrimeGroup> SigmaProtocol for SchnorrProof<G> {
             return Err(Error::InvalidInstanceWitnessPair);
         }
 
-        let lhs = self.0.evaluate(response)?;
+        let lhs = self.0.evaluate(response);
         let mut rhs = Vec::new();
         for (i, g) in commitment.iter().enumerate() {
             rhs.push(self.0.image[i] * challenge + g);
@@ -349,7 +349,7 @@ where
             return Err(Error::InvalidInstanceWitnessPair);
         }
 
-        let response_image = self.0.evaluate(response)?;
+        let response_image = self.0.evaluate(response);
         let image = &self.0.image;
 
         let commitment = response_image

src/tests/test_composition.rs

@@ -1,7 +1,6 @@
 use curve25519_dalek::ristretto::RistrettoPoint;
 use group::Group;
 use rand::rngs::OsRng;
-use subtle::CtOption;
 
 use super::test_relations::*;
 use crate::composition::{ComposedRelation, ComposedWitness};
@@ -38,8 +37,8 @@ fn test_composition_correctness() {
         ComposedRelation::Simple(SchnorrProof(relation2)),
     ]);
     let or_witness1 = ComposedWitness::Or(vec![
-        CtOption::new(ComposedWitness::Simple(witness1), 1u8.into()),
-        CtOption::new(ComposedWitness::Simple(wrong_witness2), 0u8.into()),
+        ComposedWitness::Simple(witness1),
+        ComposedWitness::Simple(wrong_witness2),
     ]);
 
     let simple_protocol1 = ComposedRelation::Simple(SchnorrProof(relation3));

src/tests/test_validation_criteria.rs

@@ -210,7 +210,6 @@ mod proof_validation {
     use bls12_381::{G1Projective as G, Scalar};
     use ff::Field;
     use rand::{thread_rng, RngCore};
-    use subtle::CtOption;
 
     type TestNizk = Nizk<SchnorrProof<G>, KeccakByteSchnorrCodec<G>>;
 
@@ -419,8 +418,8 @@ mod proof_validation {
 
         // Create a correct witness for branch 1 (C = y*B)
         let witness_correct = ComposedWitness::Or(vec![
-            CtOption::new(ComposedWitness::Simple(vec![x]), 0u8.into()), // branch 0 not used
-            CtOption::new(ComposedWitness::Simple(vec![y]), 1u8.into()), // branch 1 is real
+            ComposedWitness::Simple(vec![x]),
+            ComposedWitness::Simple(vec![y]),
         ]);
 
         // This should succeed since branch 1 is correct
@@ -433,8 +432,8 @@ mod proof_validation {
         // Now test with wrong witness: using branch 0 when it's not satisfied
         // Branch 0 requires C = x*A, but C = y*B and A ≠ B, so x would need to be y/42
         let witness_wrong = ComposedWitness::Or(vec![
-            CtOption::new(ComposedWitness::Simple(vec![x]), 1u8.into()), // branch 0 is real (but wrong!)
-            CtOption::new(ComposedWitness::Simple(vec![y]), 0u8.into()), // branch 1 not used
+            ComposedWitness::Simple(vec![x]),
+            ComposedWitness::Simple(vec![y]),
         ]);
         let proof_result = nizk.prove_batchable(&witness_wrong, &mut rng);