feat(composition): improve error handling and optimize memory usage

- feat: implement comprehensive error handling in proof_composition functions
- perf: optimize memory allocations throughout proof_composition module
- refactor: remove unnecessary manual Default trait implementations
- fix: resolve clippy warnings across codebase

Author: nougzarm

src/fiat_shamir.rs

@@ -18,6 +18,12 @@ use crate::{codec::Codec, CompactProtocol, ProofError, SigmaProtocol};
 use group::{Group, GroupEncoding};
 use rand::{CryptoRng, RngCore};
 
+type Transcript<P> = (
+    <P as SigmaProtocol>::Commitment,
+    <P as SigmaProtocol>::Challenge,
+    <P as SigmaProtocol>::Response,
+);
+
 /// A Fiat-Shamir transformation of a Sigma protocol into a non-interactive proof.
 ///
 /// `NISigmaProtocol` wraps an interactive Sigma protocol `P`
@@ -62,7 +68,7 @@ where
         &mut self,
         witness: &P::Witness,
         rng: &mut (impl RngCore + CryptoRng),
-    ) -> Result<(P::Commitment, P::Challenge, P::Response), ProofError> {
+    ) -> Result<Transcript<P>, ProofError> {
         let mut codec = self.hash_state.clone();
 
         let (commitment, prover_state) = self.sigmap.prover_commit(witness, rng)?;

src/group_morphism.rs

@@ -42,6 +42,7 @@ pub struct LinearCombination {
 ///
 /// It supports dynamic allocation of scalars and elements,
 /// and evaluates by performing multi-scalar multiplications.
+#[derive(Default)]
 pub struct Morphism<G: Group> {
     pub linear_combination: Vec<LinearCombination>,
     pub group_elements: Vec<G>,
@@ -58,12 +59,6 @@ pub fn msm_pr<G: Group>(scalars: &[G::Scalar], bases: &[G]) -> G {
     acc
 }
 
-impl<G: Group> Default for Morphism<G> {
-    fn default() -> Self {
-        Self::new()
-    }
-}
-
 impl<G: Group> Morphism<G> {
     /// Creates a new empty Morphism.
     pub fn new() -> Self {
@@ -110,6 +105,7 @@ impl<G: Group> Morphism<G> {
 /// Provides a higher-level API to build proof instances from sparse constraints. The equations are manipulated solely through 2 lists:
 /// - the index of a set of Group elements (maintained in Morphism)
 /// - the index of a set of scalars (provided as input for the execution)
+#[derive(Default)]
 pub struct GroupMorphismPreimage<G>
 where
     G: Group + GroupEncoding,
@@ -120,15 +116,6 @@ where
     pub image: Vec<PointVar>,
 }
 
-impl<G> Default for GroupMorphismPreimage<G>
-where
-    G: Group + GroupEncoding,
-{
-    fn default() -> Self {
-        Self::new()
-    }
-}
-
 impl<G> GroupMorphismPreimage<G>
 where
     G: Group + GroupEncoding,

src/proof_composition.rs

@@ -39,6 +39,11 @@ impl<G: Group + GroupEncoding> SigmaProtocol for AndProtocol<G> {
         witness: &Self::Witness,
         rng: &mut (impl rand::Rng + rand::CryptoRng),
     ) -> Result<(Self::Commitment, Self::ProverState), ProofError> {
+        let expected_w_len: usize = self.0.iter().map(|p| p.scalars_nb()).sum();
+        if expected_w_len != witness.len() || self.is_empty() {
+            return Err(ProofError::Other);
+        }
+
         let mut cursor = 0;
         let mut commitment = Vec::with_capacity(self.0.iter().map(|p| p.statements_nb()).sum());
         let mut state = Vec::with_capacity(self.len());
@@ -59,6 +64,10 @@ impl<G: Group + GroupEncoding> SigmaProtocol for AndProtocol<G> {
         state: Self::ProverState,
         challenge: &Self::Challenge,
     ) -> Result<Self::Response, ProofError> {
+        if state.len() != self.len() {
+            return Err(ProofError::Other);
+        }
+
         let mut response = Vec::with_capacity(self.0.iter().map(|p| p.scalars_nb()).sum());
         for (proto, proto_state) in self.0.iter().zip(state) {
             let proto_response = proto.prover_response(proto_state, challenge)?;
@@ -73,6 +82,12 @@ impl<G: Group + GroupEncoding> SigmaProtocol for AndProtocol<G> {
         challenge: &Self::Challenge,
         response: &Self::Response,
     ) -> Result<(), ProofError> {
+        let expected_c_len: usize = self.0.iter().map(|p| p.statements_nb()).sum();
+        let expected_r_len: usize = self.0.iter().map(|p| p.scalars_nb()).sum();
+        if commitment.len() != expected_c_len || response.len() != expected_r_len {
+            return Err(ProofError::Other);
+        }
+
         let mut c_cursor = 0;
         let mut r_cursor = 0;
         for proto in &self.0 {
@@ -96,6 +111,12 @@ impl<G: Group + GroupEncoding> SigmaProtocol for AndProtocol<G> {
         challenge: &Self::Challenge,
         response: &Self::Response,
     ) -> Result<Vec<u8>, ProofError> {
+        let expected_c_len: usize = self.0.iter().map(|p| p.statements_nb()).sum();
+        let expected_r_len: usize = self.0.iter().map(|p| p.scalars_nb()).sum();
+        if commitment.len() != expected_c_len || response.len() != expected_r_len {
+            return Err(ProofError::Other);
+        }
+
         let mut bytes = Vec::new();
         let mut c_cursor = 0;
         let mut r_cursor = 0;
@@ -185,12 +206,13 @@ impl<G: Group + GroupEncoding> SigmaProtocol for OrProtocol<G> {
         rng: &mut (impl rand::Rng + rand::CryptoRng),
     ) -> Result<(Self::Commitment, Self::ProverState), ProofError> {
         let real_index = witness.0;
-        if real_index >= self.len() {
+        let expected_w_len = self.0[real_index].scalars_nb();
+        if real_index >= self.len() || witness.1.len() != expected_w_len {
             return Err(ProofError::Other);
         }
 
-        let mut fake_transcripts = Vec::new();
-        let mut commitment = Vec::new();
+        let mut fake_transcripts = Vec::with_capacity(self.len() - 1);
+        let mut commitment = Vec::with_capacity(self.0.iter().map(|p| p.statements_nb()).sum());
         let (real_commit, real_state) = self.0[real_index].prover_commit(&witness.1, rng)?;
         for (i, proto) in self.0.iter().enumerate() {
             if i != real_index {
@@ -244,6 +266,16 @@ impl<G: Group + GroupEncoding> SigmaProtocol for OrProtocol<G> {
         challenge: &Self::Challenge,
         response: &Self::Response,
     ) -> Result<(), ProofError> {
+        let expected_c_len: usize = self.0.iter().map(|p| p.statements_nb()).sum();
+        let expected_ch_nb = self.len();
+        let expected_r_len: usize = self.0.iter().map(|p| p.scalars_nb()).sum();
+        if commitment.len() != expected_c_len
+            || response.0.len() != expected_ch_nb
+            || response.1.len() != expected_r_len
+        {
+            return Err(ProofError::Other);
+        }
+
         let mut expected_difference = *challenge;
         let mut c_cursor = 0;
         let mut r_cursor = 0;
@@ -270,6 +302,16 @@ impl<G: Group + GroupEncoding> SigmaProtocol for OrProtocol<G> {
         _challenge: &Self::Challenge,
         response: &Self::Response,
     ) -> Result<Vec<u8>, ProofError> {
+        let expected_c_len: usize = self.0.iter().map(|p| p.statements_nb()).sum();
+        let expected_ch_nb = self.len();
+        let expected_r_len: usize = self.0.iter().map(|p| p.scalars_nb()).sum();
+        if commitment.len() != expected_c_len
+            || response.0.len() != expected_ch_nb
+            || response.1.len() != expected_r_len
+        {
+            return Err(ProofError::Other);
+        }
+
         let mut bytes = Vec::new();
         let mut c_cursor = 0;
         let mut r_cursor = 0;
@@ -292,18 +334,27 @@ impl<G: Group + GroupEncoding> SigmaProtocol for OrProtocol<G> {
         &self,
         data: &[u8],
     ) -> Result<(Self::Commitment, Self::Response), ProofError> {
+        let point_size = G::generator().to_bytes().as_ref().len();
+        let scalar_size = <<G as Group>::Scalar as PrimeField>::Repr::default()
+            .as_ref()
+            .len();
+
+        let expected_d_len: usize = self
+            .0
+            .iter()
+            .map(|p| (p.scalars_nb() + 1) * scalar_size + p.statements_nb() * point_size)
+            .sum();
+        if data.len() != expected_d_len {
+            return Err(ProofError::ProofSizeMismatch);
+        }
+
         let mut cursor = 0;
         let mut commitment = Vec::with_capacity(self.0.iter().map(|p| p.statements_nb()).sum());
         let mut response = (
             Vec::with_capacity(self.len()),
             Vec::with_capacity(self.0.iter().map(|p| p.scalars_nb()).sum()),
         );
 
-        let point_size = G::generator().to_bytes().as_ref().len();
-        let scalar_size = <<G as Group>::Scalar as PrimeField>::Repr::default()
-            .as_ref()
-            .len();
-
         for proto in &self.0 {
             let c_nb = proto.statements_nb();
             let r_nb = proto.scalars_nb();

src/schnorr_protocol.rs

@@ -17,14 +17,9 @@ use rand::{CryptoRng, RngCore};
 /// A Schnorr protocol proving knowledge some discrete logarithm relation.
 ///
 /// The specific proof instance is defined by a [`GroupMorphismPreimage`] over a group `G`.
+#[derive(Default)]
 pub struct SchnorrProtocol<G: Group + GroupEncoding>(GroupMorphismPreimage<G>);
 
-impl<G: Group + GroupEncoding> Default for SchnorrProtocol<G> {
-    fn default() -> Self {
-        Self::new()
-    }
-}
-
 impl<G: Group + GroupEncoding> SchnorrProtocol<G> {
     pub fn new() -> Self {
         SchnorrProtocol(GroupMorphismPreimage::<G>::new())
@@ -119,13 +114,15 @@ where
         challenge: &Self::Challenge,
         response: &Self::Response,
     ) -> Result<(), ProofError> {
-        let lhs = self.evaluate(response);
+        if commitment.len() != self.statements_nb() || response.len() != self.scalars_nb() {
+            return Err(ProofError::Other);
+        }
 
+        let lhs = self.evaluate(response);
         let mut rhs = Vec::new();
         for (i, g) in commitment.iter().enumerate().take(self.statements_nb()) {
             rhs.push(self.0.morphism.group_elements[self.0.image[i].index()] * challenge + g);
         }
-
         match lhs == rhs {
             true => Ok(()),
             false => Err(ProofError::VerificationFailure),
@@ -139,10 +136,13 @@ where
         _challenge: &Self::Challenge,
         response: &Self::Response,
     ) -> Result<Vec<u8>, ProofError> {
-        let mut bytes = Vec::new();
         let commit_nb = self.statements_nb();
         let response_nb = self.scalars_nb();
+        if commitment.len() != commit_nb || response.len() != response_nb {
+            return Err(ProofError::Other);
+        }
 
+        let mut bytes = Vec::new();
         // Serialize commitments
         for commit in commitment.iter().take(commit_nb) {
             bytes.extend_from_slice(&serialize_element(commit));
@@ -230,6 +230,9 @@ where
     ) -> Result<Vec<u8>, ProofError> {
         let mut bytes = Vec::new();
         let response_nb = self.scalars_nb();
+        if response.len() != response_nb {
+            return Err(ProofError::Other);
+        }
 
         // Serialize challenge
         bytes.extend_from_slice(&serialize_scalar::<G>(challenge));