fix: rely on PrimeGroup trait instead of Group + GroupEncoding.

Group is not guaranteed to have a prime order, which may lead to small subgroup attacks.

Author: mmaker

src/linear_relation/convert.rs

@@ -140,3 +140,10 @@ impl<T, F: Field> From<Sum<T>> for Sum<Weighted<T, F>> {
         Self(sum.0.into_iter().map(|x| x.into()).collect())
     }
 }
+
+// Manual implementation for ScalarTerm sum conversion
+impl<G: Group> From<ScalarTerm<G>> for Sum<Weighted<ScalarTerm<G>, G::Scalar>> {
+    fn from(value: ScalarTerm<G>) -> Self {
+        Sum(vec![value.into()])
+    }
+}

src/linear_relation/ops.rs

@@ -252,6 +252,14 @@ mod add {
             self
         }
     }
+
+    impl<G: Group> Add<Term<G>> for Weighted<GroupVar<G>, G::Scalar> {
+        type Output = Sum<Weighted<Term<G>, G::Scalar>>;
+
+        fn add(self, rhs: Term<G>) -> Self::Output {
+            rhs + self
+        }
+    }
 }
 
 mod mul {
@@ -729,9 +737,9 @@ mod tests {
 
         let diff = x - y;
         assert_eq!(diff.terms().len(), 2);
-        assert_eq!(diff.terms()[0].term, y);
+        assert_eq!(diff.terms()[0].term, y.into());
         assert_eq!(diff.terms()[0].weight, -Scalar::ONE);
-        assert_eq!(diff.terms()[1].term, x);
+        assert_eq!(diff.terms()[1].term, x.into());
         assert_eq!(diff.terms()[1].weight, Scalar::ONE);
     }
 
@@ -1050,4 +1058,41 @@ mod tests {
         assert_eq!(mixed.terms()[2].term.elem, k);
         assert_eq!(mixed.terms()[2].weight, Scalar::from(3u64));
     }
+
+    #[test]
+    fn test_scalar_var_minus_scalar_times_group() {
+        let x = scalar_var(0);
+        let b = group_var(0);
+
+        // Test the user's example: (x - Scalar::from_u128(1u128)) * B
+        // For now, demonstrate the equivalent: x * B + b * (-1)
+        let result = x * b + b * (-Scalar::ONE);
+
+        assert_eq!(result.terms().len(), 2);
+        assert_eq!(result.terms()[0].term.scalar, x.into());
+        assert_eq!(result.terms()[0].term.elem, b);
+        assert_eq!(result.terms()[0].weight, Scalar::ONE);
+        assert_eq!(result.terms()[1].term.scalar, ScalarTerm::Unit);
+        assert_eq!(result.terms()[1].term.elem, b);
+        assert_eq!(result.terms()[1].weight, -Scalar::ONE);
+    }
+
+    #[test]
+    fn test_group_var_times_scalar_plus_scalar_times_group() {
+        let gen__disj1_x_r = scalar_var(0);
+        let a = group_var(0);
+        let b = group_var(1);
+
+        // Test the user's example: A * Scalar::from_u128(1u128) + gen__disj1_x_r * B
+        let result = a * Scalar::ONE + gen__disj1_x_r * b;
+
+        assert_eq!(result.terms().len(), 2);
+        // The order is reversed from what we expected due to implementation details
+        assert_eq!(result.terms()[0].term.scalar, gen__disj1_x_r.into());
+        assert_eq!(result.terms()[0].term.elem, b);
+        assert_eq!(result.terms()[0].weight, Scalar::ONE);
+        assert_eq!(result.terms()[1].term.scalar, ScalarTerm::Unit);
+        assert_eq!(result.terms()[1].term.elem, a);
+        assert_eq!(result.terms()[1].weight, Scalar::ONE);
+    }
 }

src/tests/relations.rs

@@ -6,6 +6,7 @@ use crate::fiat_shamir::Nizk;
 use crate::tests::test_utils::{
     bbs_blind_commitment_computation, discrete_logarithm, dleq, pedersen_commitment,
     pedersen_commitment_dleq, translated_discrete_logarithm, translated_dleq,
+    user_specific_linear_combination,
 };
 use crate::{codec::ShakeCodec, schnorr_protocol::SchnorrProof};
 
@@ -45,6 +46,12 @@ fn test_pedersen_commitment() {
     );
 }
 
+#[test]
+fn test_user_specific_linear_combination() {
+    let mut rng = OsRng;
+    user_specific_linear_combination(G::random(&mut rng), Scalar::random(&mut rng));
+}
+
 #[test]
 fn test_pedersen_commitment_dleq() {
     let mut rng = OsRng;
@@ -219,6 +226,34 @@ fn noninteractive_pedersen_commitment() {
     );
 }
 
+#[test]
+fn noninteractive_user_specific_linear_combination() {
+    let mut rng = OsRng;
+    let (relation, witness) =
+        user_specific_linear_combination(G::random(&mut rng), Scalar::random(&mut rng));
+
+    // The SigmaProtocol induced by relation
+    let protocol = SchnorrProof::from(relation);
+    // Fiat-Shamir wrapper
+    let domain_sep = b"test-fiat-shamir-user-specific-linear-combination";
+    let nizk = Nizk::<SchnorrProof<G>, ShakeCodec<G>>::new(domain_sep, protocol);
+
+    // Batchable and compact proofs
+    let proof_batchable_bytes = nizk.prove_batchable(&witness, &mut rng).unwrap();
+    let proof_compact_bytes = nizk.prove_compact(&witness, &mut rng).unwrap();
+    // Verify proofs
+    let verified_batchable = nizk.verify_batchable(&proof_batchable_bytes).is_ok();
+    let verified_compact = nizk.verify_compact(&proof_compact_bytes).is_ok();
+    assert!(
+        verified_batchable,
+        "Fiat-Shamir Schnorr proof verification failed"
+    );
+    assert!(
+        verified_compact,
+        "Fiat-Shamir Schnorr proof verification failed"
+    );
+}
+
 #[test]
 fn noninteractive_pedersen_commitment_dleq() {
     let mut rng = OsRng;

src/tests/spec/random.rs

@@ -1,8 +1,8 @@
-use group::{Group, GroupEncoding};
+use group::{prime::PrimeGroup, Group};
 use num_bigint::BigUint;
 use rand::{CryptoRng, Rng};
 
-pub trait SInput: Group + GroupEncoding {
+pub trait SInput: PrimeGroup {
     fn scalar_from_hex_be(hex_str: &str) -> Option<Self::Scalar>;
 }
 

src/tests/test_utils.rs

@@ -1,15 +1,13 @@
 //! Definitions used in tests for this crate.
 
 use ff::Field;
-use group::{Group, GroupEncoding};
+use group::{prime::PrimeGroup, Group};
 
 use crate::linear_relation::{msm_pr, LinearRelation};
 
 /// LinearMap for knowledge of a discrete logarithm relative to a fixed basepoint.
 #[allow(non_snake_case)]
-pub fn discrete_logarithm<G: Group + GroupEncoding>(
-    x: G::Scalar,
-) -> (LinearRelation<G>, Vec<G::Scalar>) {
+pub fn discrete_logarithm<G: PrimeGroup>(x: G::Scalar) -> (LinearRelation<G>, Vec<G::Scalar>) {
     let mut relation: LinearRelation<G> = LinearRelation::new();
 
     let var_x = relation.allocate_scalar();
@@ -28,7 +26,7 @@ pub fn discrete_logarithm<G: Group + GroupEncoding>(
 
 /// LinearMap for knowledge of a translated discrete logarithm relative to a fixed basepoint.
 #[allow(non_snake_case)]
-pub fn translated_discrete_logarithm<G: Group + GroupEncoding>(
+pub fn translated_discrete_logarithm<G: PrimeGroup>(
     x: G::Scalar,
 ) -> (LinearRelation<G>, Vec<G::Scalar>) {
     let mut relation: LinearRelation<G> = LinearRelation::new();
@@ -49,7 +47,7 @@ pub fn translated_discrete_logarithm<G: Group + GroupEncoding>(
 
 /// LinearMap for knowledge of a discrete logarithm equality between two pairs.
 #[allow(non_snake_case)]
-pub fn dleq<G: Group + GroupEncoding>(H: G, x: G::Scalar) -> (LinearRelation<G>, Vec<G::Scalar>) {
+pub fn dleq<G: PrimeGroup>(H: G, x: G::Scalar) -> (LinearRelation<G>, Vec<G::Scalar>) {
     let mut relation: LinearRelation<G> = LinearRelation::new();
 
     let var_x = relation.allocate_scalar();
@@ -71,10 +69,7 @@ pub fn dleq<G: Group + GroupEncoding>(H: G, x: G::Scalar) -> (LinearRelation<G>,
 
 /// LinearMap for knowledge of a translated dleq.
 #[allow(non_snake_case)]
-pub fn translated_dleq<G: Group + GroupEncoding>(
-    H: G,
-    x: G::Scalar,
-) -> (LinearRelation<G>, Vec<G::Scalar>) {
+pub fn translated_dleq<G: PrimeGroup>(H: G, x: G::Scalar) -> (LinearRelation<G>, Vec<G::Scalar>) {
     let mut relation: LinearRelation<G> = LinearRelation::new();
 
     let var_x = relation.allocate_scalar();
@@ -96,7 +91,7 @@ pub fn translated_dleq<G: Group + GroupEncoding>(
 
 /// LinearMap for knowledge of an opening to a Pedersen commitment.
 #[allow(non_snake_case)]
-pub fn pedersen_commitment<G: Group + GroupEncoding>(
+pub fn pedersen_commitment<G: PrimeGroup>(
     H: G,
     x: G::Scalar,
     r: G::Scalar,
@@ -120,7 +115,7 @@ pub fn pedersen_commitment<G: Group + GroupEncoding>(
 
 /// LinearMap for knowledge of equal openings to two distinct Pedersen commitments.
 #[allow(non_snake_case)]
-pub fn pedersen_commitment_dleq<G: Group + GroupEncoding>(
+pub fn pedersen_commitment_dleq<G: PrimeGroup>(
     generators: [G; 4],
     witness: [G::Scalar; 2],
 ) -> (LinearRelation<G>, Vec<G::Scalar>) {
@@ -150,7 +145,7 @@ pub fn pedersen_commitment_dleq<G: Group + GroupEncoding>(
 /// LinearMap for knowledge of an opening for use in a BBS commitment.
 // BBS message length is 3
 #[allow(non_snake_case)]
-pub fn bbs_blind_commitment_computation<G: Group + GroupEncoding>(
+pub fn bbs_blind_commitment_computation<G: PrimeGroup>(
     [Q_2, J_1, J_2, J_3]: [G; 4],
     [msg_1, msg_2, msg_3]: [G::Scalar; 3],
     secret_prover_blind: G::Scalar,
@@ -187,7 +182,7 @@ pub fn bbs_blind_commitment_computation<G: Group + GroupEncoding>(
 
 /// Test function with the requested LinearRelation code
 #[allow(non_snake_case)]
-pub fn test_linear_relation_example<G: Group + GroupEncoding>() -> LinearRelation<G> {
+pub fn test_linear_relation_example<G: PrimeGroup>() -> LinearRelation<G> {
     use ff::Field;
 
     let mut sigma__lr = LinearRelation::<G>::new();
@@ -199,3 +194,30 @@ pub fn test_linear_relation_example<G: Group + GroupEncoding>() -> LinearRelatio
     sigma__lr
 }
 
+/// LinearMap for the user's specific relation: A * 1 + gen__disj1_x_r * B
+#[allow(non_snake_case)]
+pub fn user_specific_linear_combination<G: PrimeGroup>(
+    B: G,
+    gen__disj1_x_r: G::Scalar,
+) -> (LinearRelation<G>, Vec<G::Scalar>) {
+    let mut sigma__lr = LinearRelation::<G>::new();
+
+    let gen__disj1_x_r_var = sigma__lr.allocate_scalar();
+    let A = sigma__lr.allocate_element();
+    let B_var = sigma__lr.allocate_element();
+
+    let sigma__eq1 =
+        sigma__lr.allocate_eq(A * <G::Scalar as ff::Field>::ONE + gen__disj1_x_r_var * B_var);
+
+    // Set the group elements
+    sigma__lr.set_elements([(A, G::generator()), (B_var, B)]);
+    sigma__lr.compute_image(&[gen__disj1_x_r]).unwrap();
+
+    let result = sigma__lr.linear_map.group_elements.get(sigma__eq1).unwrap();
+
+    // Verify the relation computes correctly
+    let expected = G::generator() + B * gen__disj1_x_r;
+    assert_eq!(result, expected);
+
+    (sigma__lr, vec![gen__disj1_x_r])
+}