wip: some fixes for OR relation, still one test failing.

Author: mmaker

src/composition.rs

@@ -79,9 +79,13 @@ pub enum ComposedProverState<G: PrimeGroup + ConstantTimeEq> {
     Or(ComposedOrProverState<G>),
 }
 
-struct ComposedOrProverState<G: PrimeGroup + ConstantTimeEq> {
-    prover_states: Vec<(Choice, ComposedProverState<G>, ComposedChallenge<G>, ComposedResponse<G>)>,
-}
+pub type ComposedOrProverState<G> = Vec<ComposedOrProverStateEntry<G>>;
+pub struct ComposedOrProverStateEntry<G: PrimeGroup + ConstantTimeEq>(
+    Choice,
+    ComposedProverState<G>,
+    ComposedChallenge<G>,
+    ComposedResponse<G>,
+);
 
 // Structure representing the Response type of Protocol as SigmaProtocol
 #[derive(Clone)]
@@ -105,18 +109,16 @@ const fn composed_challenge_size<G: PrimeGroup>() -> usize {
     (G::Scalar::NUM_BITS as usize + 7) / 8
 }
 
-
 impl<G: PrimeGroup + ConstantTimeEq> ComposedRelation<G> {
     fn is_witness_valid(&self, witness: &ComposedWitness<G>) -> Choice {
-        let validity_bit = Choice::from(0);
         match (self, witness) {
             (ComposedRelation::Simple(instance), ComposedWitness::Simple(witness)) => {
                 instance.0.is_witness_valid(witness)
             }
             (ComposedRelation::And(instances), ComposedWitness::And(witnesses)) => instances
                 .iter()
                 .zip(witnesses)
-                .fold(Choice::from(0), |bit, (instance, witness)| {
+                .fold(Choice::from(1), |bit, (instance, witness)| {
                     bit & instance.is_witness_valid(witness)
                 }),
             (ComposedRelation::Or(instances), ComposedWitness::Or(witnesses)) => instances
@@ -125,10 +127,10 @@ impl<G: PrimeGroup + ConstantTimeEq> ComposedRelation<G> {
                 .fold(Choice::from(0), |bit, (instance, witness)| {
                     bit | instance.is_witness_valid(witness)
                 }),
-            _ => unreachable!(),
-        };
-        validity_bit
+            _ => Choice::from(0),
+        }
     }
+
     fn prover_commit_simple(
         protocol: &SchnorrProof<G>,
         witness: &<SchnorrProof<G> as SigmaProtocol>::Witness,
@@ -212,20 +214,26 @@ impl<G: PrimeGroup + ConstantTimeEq> ComposedRelation<G> {
                 instances[i].simulate_transcript(rng)?;
 
             let valid_witness = instances[i].is_witness_valid(&w);
-            commitments.push(if valid_witness.unwrap_u8() == 1 {commitment } else { simulated_commitment.clone()} );
-            prover_states.push((valid_witness, prover_state, simulated_challenge, simulated_response));
+            commitments.push(if valid_witness.unwrap_u8() == 1 {
+                commitment
+            } else {
+                simulated_commitment.clone()
+            });
+            prover_states.push(ComposedOrProverStateEntry(
+                valid_witness,
+                prover_state,
+                simulated_challenge,
+                simulated_response,
+            ));
         }
         // check that we have only one witness set
         let witnesses_found = prover_states
             .iter()
             .map(|x| x.0.unwrap_u8() as usize)
             .sum::<usize>();
-        let prover_state =
-            ComposedOrProverState {
-                prover_states,
-            };
+        let prover_state = prover_states;
 
-        if witnesses_found > 1 {
+        if witnesses_found != 1 {
             return Err(Error::InvalidInstanceWitnessPair);
         } else {
             Ok((
@@ -238,25 +246,52 @@ impl<G: PrimeGroup + ConstantTimeEq> ComposedRelation<G> {
     fn prover_response_or(
         instances: &[ComposedRelation<G>],
         prover_state: ComposedOrProverState<G>,
-        &challenge: &ComposedChallenge<G>,
+        challenge: &ComposedChallenge<G>,
     ) -> Result<ComposedResponse<G>, Error> {
         let mut result_challenges = Vec::with_capacity(instances.len());
         let mut result_responses = Vec::with_capacity(instances.len());
 
-        let ComposedOrProverState { prover_states } = prover_state;
-
-        let mut witness_challenge = challenge;
-        for (valid_witness, _prover_state, simulated_challenge, _simulated_response) in &prover_states {
-            let c = G::Scalar::conditional_select(&G::Scalar::ZERO, &simulated_challenge, *valid_witness);
-            witness_challenge -= c;
+        let prover_states = prover_state;
+
+        let mut witness_challenge = *challenge;
+        for ComposedOrProverStateEntry(
+            valid_witness,
+            _prover_state,
+            simulated_challenge,
+            _simulated_response,
+        ) in &prover_states
+        {
+            let c = G::Scalar::conditional_select(
+                &simulated_challenge,
+                &G::Scalar::ZERO,
+                *valid_witness,
+            );
+            witness_challenge = witness_challenge - c;
         }
-        for (instance, (valid_witness, prover_state, simulated_challenge, simulated_response)) in instances.iter().zip(prover_states) {
-            let challenge_i = G::Scalar::conditional_select(&witness_challenge, &simulated_challenge, valid_witness);
+        for (
+            instance,
+            ComposedOrProverStateEntry(
+                valid_witness,
+                prover_state,
+                simulated_challenge,
+                simulated_response,
+            ),
+        ) in instances.iter().zip(prover_states)
+        {
+            let challenge_i = G::Scalar::conditional_select(
+                &simulated_challenge,
+                &witness_challenge,
+                valid_witness,
+            );
 
             let real_response = instance.prover_response(prover_state, &challenge_i)?;
 
             // let response_i = ComposedResponse::conditional_select(&real_response, &simulated_response, *witness_location);
-            let response_i = if valid_witness.unwrap_u8() == 1 { real_response } else { simulated_response };
+            let response_i = if valid_witness.unwrap_u8() == 1 {
+                real_response
+            } else {
+                simulated_response
+            };
             result_challenges.push(challenge_i);
             result_responses.push(response_i);
         }

src/tests/test_validation_criteria.rs

@@ -393,15 +393,15 @@ mod proof_validation {
         let C = B * y;
 
         // Create the first branch: C = x*A
-        let mut lr1 = LinearRelation::<G>::new();
+        let mut lr1 = LinearRelation::new();
         let x_var = lr1.allocate_scalar();
         let A_var = lr1.allocate_element();
         let eq1 = lr1.allocate_eq(x_var * A_var);
         lr1.set_element(A_var, A);
         lr1.set_element(eq1, C);
 
         // Create the second branch: C = y*B
-        let mut lr2 = LinearRelation::<G>::new();
+        let mut lr2 = LinearRelation::new();
         let y_var = lr2.allocate_scalar();
         let B_var = lr2.allocate_element();
         let eq2 = lr2.allocate_eq(y_var * B_var);
@@ -414,7 +414,7 @@ mod proof_validation {
             ComposedRelation::from(lr2),
         ]);
 
-        let nizk = Nizk::<_, KeccakByteSchnorrCodec<G>>::new(b"test_or_bug", or_relation);
+        let nizk =or_relation.into_nizk(b"test_or_bug");
 
         // Create a correct witness for branch 1 (C = y*B)
         let witness_correct = ComposedWitness::Or(vec![
@@ -441,12 +441,12 @@ mod proof_validation {
             Ok(proof) => {
                 let verify_result = nizk.verify_batchable(&proof);
                 println!(
-                    "Bug reproduced: Proof with wrong branch verified: {:?}",
+                    "Proof with wrong branch verified: {:?}",
                     verify_result.is_ok()
                 );
                 assert!(
                     verify_result.is_err(),
-                    "BUG: Proof should fail when using wrong branch in OR relation, but it passed!"
+                    "Proof should fail when using wrong branch in OR relation, but it passed!"
                 );
             }
             Err(e) => {