sigma-rs
diff --git a/‎examples/schnorr.rs‎
Lines changed: 1 addition & 1 deletion b/‎examples/schnorr.rs‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎examples/simple_composition.rs‎
Lines changed: 3 additions & 3 deletions b/‎examples/simple_composition.rs‎
Lines changed: 3 additions & 3 deletions
diff --git a/‎src/codec.rs‎
Lines changed: 98 additions & 0 deletions b/‎src/codec.rs‎
Lines changed: 98 additions & 0 deletions
diff --git a/‎src/codec/keccak_codec.rs‎
Lines changed: 0 additions & 236 deletions b/‎src/codec/keccak_codec.rs‎
Lines changed: 0 additions & 236 deletions
diff --git a/‎src/codec/mod.rs‎
Lines changed: 0 additions & 8 deletions b/‎src/codec/mod.rs‎
Lines changed: 0 additions & 8 deletions
@@ -76,7 +76,7 @@ pub fn discrete_logarithm<G: Group + GroupEncoding>(
 
     // The relation has been defined and is ready to be used in a protocol.
     // Sanity check: ensure `P = x * G`
-    let P = morphism.morphism.group_elements.get(var_P).unwrap();
+    let P = morphism.linear_map.group_elements.get(var_P).unwrap();
     assert_eq!(P, G::generator() * x);
 
     // Output the relation and the witness for the upcoming proof
 
@@ -79,7 +79,7 @@ pub fn discrete_logarithm<G: Group + GroupEncoding>(
     morphism.compute_image(&[x]).unwrap();
 
     // Verify: X = x * G
-    let X = morphism.morphism.group_elements.get(var_X).unwrap();
+    let X = morphism.linear_map.group_elements.get(var_X).unwrap();
     assert_eq!(X, G::generator() * x);
 
     (morphism, vec![x])
@@ -106,8 +106,8 @@ pub fn dleq<G: Group + GroupEncoding>(x: G::Scalar, H: G) -> (LinearRelation<G>,
     morphism.compute_image(&[x]).unwrap();
 
     // Verify: X = x * G and Y = x * H
-    let X = morphism.morphism.group_elements.get(_var_X).unwrap();
-    let Y = morphism.morphism.group_elements.get(_var_Y).unwrap();
+    let X = morphism.linear_map.group_elements.get(_var_X).unwrap();
+    let Y = morphism.linear_map.group_elements.get(_var_Y).unwrap();
     assert_eq!(X, G::generator() * x);
     assert_eq!(Y, H * x);
 
 
@@ -0,0 +1,98 @@
+//! Encoding and decoding utilities for Fiat-Shamir and group operations.
+
+pub use crate::duplex_sponge::keccak::KeccakDuplexSponge;
+use crate::duplex_sponge::{DuplexSpongeInterface, shake::ShakeDuplexSponge};
+use crate::serialization::scalar_byte_size;
+use ff::PrimeField;
+use group::{Group, GroupEncoding};
+use num_bigint::BigUint;
+use num_traits::identities::One;
+
+/// A trait defining the behavior of a domain-separated codec hashing, which is typically used for [`crate::traits::SigmaProtocol`]s.
+///
+/// A domain-separated hashing codec is a codec, identified by a domain, which is incremented with successive messages ("absorb"). The codec can then output a bit stream of any length, which is typically used to generate a challenge unique to the given codec ("squeeze"). (See Sponge Construction).
+///
+/// The output is deterministic for a given set of input. Thus, both Prover and Verifier can generate the codec on their sides and ensure the same inputs have been used in both side of the protocol.
+///
+/// ## Minimal Implementation
+/// Types implementing [`Codec`] must define:
+/// - `new`
+/// - `prover_message`
+/// - `verifier_challenge`
+pub trait Codec {
+    type Challenge;
+
+    /// Generates an empty codec that can be identified by a domain separator.
+    fn new(domain_sep: &[u8]) -> Self;
+
+    /// Absorbs data into the codec.
+    fn prover_message(&mut self, data: &[u8]);
+
+    /// Produces a scalar that can be used as a challenge from the codec.
+    fn verifier_challenge(&mut self) -> Self::Challenge;
+}
+
+fn cardinal<F: PrimeField>() -> BigUint {
+    let bytes = (F::ZERO - F::ONE).to_repr();
+    BigUint::from_bytes_le(bytes.as_ref()) + BigUint::one()
+}
+
+/// A byte-level Schnorr codec that works with any duplex sponge.
+///
+/// This codec is generic over both the group `G` and the hash function `H`.
+/// It can be used with different duplex sponge implementations.
+#[derive(Clone)]
+pub struct ByteSchnorrCodec<G, H>
+where
+    G: Group + GroupEncoding,
+    H: DuplexSpongeInterface,
+{
+    hasher: H,
+    _marker: core::marker::PhantomData<G>,
+}
+
+impl<G, H> Codec for ByteSchnorrCodec<G, H>
+where
+    G: Group + GroupEncoding,
+    H: DuplexSpongeInterface,
+{
+    type Challenge = <G as Group>::Scalar;
+
+    fn new(domain_sep: &[u8]) -> Self {
+        let hasher = H::new(domain_sep);
+        Self {
+            hasher,
+            _marker: Default::default(),
+        }
+    }
+
+    fn prover_message(&mut self, data: &[u8]) {
+        self.hasher.absorb(data);
+    }
+
+    fn verifier_challenge(&mut self) -> G::Scalar {
+        let scalar_byte_length = scalar_byte_size::<G::Scalar>();
+
+        let uniform_bytes = self.hasher.squeeze(scalar_byte_length + 16);
+        let scalar = BigUint::from_bytes_be(&uniform_bytes);
+        let reduced = scalar % cardinal::<G::Scalar>();
+
+        let mut bytes = vec![0u8; scalar_byte_length];
+        let reduced_bytes = reduced.to_bytes_be();
+        let start = bytes.len() - reduced_bytes.len();
+        bytes[start..].copy_from_slice(&reduced_bytes);
+        bytes.reverse();
+
+        let mut repr = <<G as Group>::Scalar as PrimeField>::Repr::default();
+        repr.as_mut().copy_from_slice(&bytes);
+
+        <<G as Group>::Scalar as PrimeField>::from_repr(repr).expect("Error")
+    }
+}
+
+/// Type alias for a Keccak-based ByteSchnorrCodec.
+/// This is the codec used for matching test vectors from Sage.
+pub type KeccakByteSchnorrCodec<G> = ByteSchnorrCodec<G, KeccakDuplexSponge>;
+
+/// Type alias for a SHAKE-based ByteSchnorrCodec.
+pub type ShakeCodec<G> = ByteSchnorrCodec<G, ShakeDuplexSponge>;