Merge pull request #20 from Chausseaumoine/feat/morphism-absorption

feat: absorb morphism into Fiat-Shamir transcript for SchnorrProtocol

A git force-push was done to adapt to the refactorization of GroupMorphism -> LinearRelation, which happened during the PR development.

Author: Chausseaumoine

src/composition.rs

@@ -15,9 +15,9 @@ use crate::codec::Codec;
 use crate::traits::CompactProtocol;
 use crate::{
     errors::Error,
-    fiat_shamir::{FiatShamir, HasGroupMorphism},
-    linear_relation::LinearRelation,
+    fiat_shamir::FiatShamir,
     group_serialization::{deserialize_scalar, serialize_scalar},
+    linear_relation::LinearRelation,
     schnorr_protocol::SchnorrProtocol,
     traits::{SigmaProtocol, SigmaProtocolSimulator},
 };
@@ -637,17 +637,19 @@ where
     G: Group + GroupEncoding,
     C: Codec<Challenge = ProtocolChallenge<G>>,
 {
-    fn push_commitment(&self, codec: &mut C, commitment: &Self::Commitment) {
+    fn absorb_statement_and_commitment(&self, codec: &mut C, commitment: &Self::Commitment) {
         match (self, commitment) {
-            (Protocol::Simple(p), ProtocolCommitment::Simple(c)) => p.push_commitment(codec, c),
+            (Protocol::Simple(p), ProtocolCommitment::Simple(c)) => {
+                p.absorb_statement_and_commitment(codec, c)
+            }
             (Protocol::And(ps), ProtocolCommitment::And(cs)) => {
                 for (i, p) in ps.iter().enumerate() {
-                    p.push_commitment(codec, &cs[i]);
+                    p.absorb_statement_and_commitment(codec, &cs[i]);
                 }
             }
             (Protocol::Or(ps), ProtocolCommitment::Or(cs)) => {
                 for (i, p) in ps.iter().enumerate() {
-                    p.push_commitment(codec, &cs[i]);
+                    p.absorb_statement_and_commitment(codec, &cs[i]);
                 }
             }
             _ => panic!(),
@@ -658,17 +660,3 @@ where
         Ok(codec.verifier_challenge())
     }
 }
-
-impl<G: Group + GroupEncoding> HasGroupMorphism for Protocol<G> {
-    fn absorb_morphism_structure<C: Codec>(&self, codec: &mut C) -> Result<(), Error> {
-        match self {
-            Protocol::Simple(p) => p.absorb_morphism_structure(codec),
-            Protocol::And(ps) | Protocol::Or(ps) => {
-                for p in ps {
-                    p.absorb_morphism_structure(codec)?
-                }
-                Ok(())
-            }
-        }
-    }
-}

src/fiat_shamir.rs

@@ -22,24 +22,17 @@ use rand::{CryptoRng, RngCore};
 /// deterministic challenge generation function.
 ///
 /// Challenge generation occurs in two stages:
-/// - `push_commitment`: absorbs commitments to feed the codec
+/// - `absorb_statement_and_commitment`: absorbs commitments to feed the codec
 /// - `get_challenge`: extracts the challenge from the codec
 ///
 /// # Type Parameters
 /// - `C`: the codec used for encoding/decoding messages to/from the IP space.
 pub trait FiatShamir<C: Codec>: SigmaProtocol {
-    fn push_commitment(&self, codec: &mut C, commitment: &Self::Commitment);
+    fn absorb_statement_and_commitment(&self, codec: &mut C, commitment: &Self::Commitment);
 
     fn get_challenge(&self, codec: &mut C) -> Result<Self::Challenge, Error>;
 }
 
-/// Structures implementing this trait must implicitly have an associated linear relation.
-///
-/// This trait allows the data of the morphisms underlying the structure to be absorbed into a codec.
-pub trait HasGroupMorphism {
-    fn absorb_morphism_structure<C: Codec>(&self, codec: &mut C) -> Result<(), Error>;
-}
-
 type Transcript<P> = (
     <P as SigmaProtocol>::Commitment,
     <P as SigmaProtocol>::Challenge,
@@ -116,7 +109,8 @@ where
 
         let (commitment, prover_state) = self.sigmap.prover_commit(witness, rng)?;
         // Fiat Shamir challenge
-        self.sigmap.push_commitment(&mut codec, &commitment);
+        self.sigmap
+            .absorb_statement_and_commitment(&mut codec, &commitment);
         let challenge = self.sigmap.get_challenge(&mut codec)?;
         // Prover's response
         let response = self.sigmap.prover_response(prover_state, &challenge)?;
@@ -149,7 +143,8 @@ where
         let mut codec = self.hash_state.clone();
 
         // Recompute the challenge
-        self.sigmap.push_commitment(&mut codec, commitment);
+        self.sigmap
+            .absorb_statement_and_commitment(&mut codec, commitment);
         let expected_challenge = self.sigmap.get_challenge(&mut codec)?;
         // Verification of the proof
         match *challenge == expected_challenge {
@@ -199,7 +194,8 @@ where
         let mut codec = self.hash_state.clone();
 
         // Recompute the challenge
-        self.sigmap.push_commitment(&mut codec, &commitment);
+        self.sigmap
+            .absorb_statement_and_commitment(&mut codec, &commitment);
         let challenge = self.sigmap.get_challenge(&mut codec)?;
         // Verification of the proof
         self.sigmap.verifier(&commitment, &challenge, &response)
@@ -259,15 +255,3 @@ where
         self.verify(&commitment, &challenge, &response)
     }
 }
-
-impl<P, C> NISigmaProtocol<P, C>
-where
-    P: SigmaProtocol + HasGroupMorphism + FiatShamir<C>,
-    P::Challenge: PartialEq,
-    C: Codec<Challenge = P::Challenge> + Clone,
-{
-    /// Absorbs the morphism structure into the transcript codec.
-    pub fn absorb_morphism(&self, codec: &mut C) -> Result<(), Error> {
-        self.sigmap.absorb_morphism_structure::<C>(codec)
-    }
-}

src/lib.rs

@@ -15,8 +15,8 @@
 pub mod composition;
 pub mod errors;
 pub mod fiat_shamir;
-pub mod linear_relation;
 pub mod group_serialization;
+pub mod linear_relation;
 pub mod schnorr_protocol;
 pub mod traits;
 
@@ -25,5 +25,4 @@ pub mod codec;
 #[cfg(test)]
 pub mod tests;
 
-
-pub use linear_relation::LinearRelation;
+pub use linear_relation::LinearRelation;

src/linear_relation.rs

@@ -10,7 +10,7 @@
 
 use crate::errors::Error;
 use group::{Group, GroupEncoding};
-use std::iter;
+use std::{io::Write, iter};
 
 /// Implementations of core ops for the linear combination types.
 mod ops;
@@ -161,6 +161,13 @@ impl<G: Group> GroupMap<G> {
             .enumerate()
             .filter_map(|(i, x)| x.map(|x| (GroupVar(i), x)))
     }
+
+    pub fn iter(&self) -> impl Iterator<Item = (GroupVar, &G)> {
+        self.0
+            .iter()
+            .enumerate()
+            .filter_map(|(i, opt)| opt.as_ref().map(|g| (GroupVar(i), g)))
+    }
 }
 
 impl<G> Default for GroupMap<G> {
@@ -455,4 +462,42 @@ where
             .map(|&var| self.morphism.group_elements.get(var))
             .collect()
     }
+
+    /// Returns a binary label describing the morphism structure, following the Signal POKSHO format.
+    ///
+    /// The format is:
+    /// - [Ne: u8] number of equations
+    /// - For each equation:
+    ///   - [output_point_index: u8]
+    ///   - [Nt: u8] number of terms
+    ///   - Nt × [scalar_index: u8, point_index: u8] term entries
+    pub fn label(&self) -> Vec<u8> {
+        let mut out = Vec::new();
+
+        // 1. Number of equations (must match image vector length)
+        let ne = self.image.len();
+        assert_eq!(
+            ne,
+            self.morphism.constraints.len(),
+            "Number of equations and image variables must match"
+        );
+        out.write_all(&[ne as u8]).unwrap();
+
+        // 2. Encode each equation with its LHS and terms
+        for (constraint, output_var) in self.morphism.constraints.iter().zip(self.image.iter()) {
+            // a. Output point index (LHS)
+            out.write_all(&[output_var.index() as u8]).unwrap();
+
+            // b. Number of terms in the linear combination
+            let terms = constraint.terms();
+            out.write_all(&[terms.len() as u8]).unwrap();
+
+            // c. Each term: (scalar_index, point_index)
+            for term in terms {
+                out.write_all(&[term.scalar().index() as u8]).unwrap();
+                out.write_all(&[term.elem().index() as u8]).unwrap();
+            }
+        }
+        out
+    }
 }

src/schnorr_protocol.rs

@@ -6,7 +6,7 @@
 
 use crate::codec::Codec;
 use crate::errors::Error;
-use crate::fiat_shamir::{FiatShamir, HasGroupMorphism};
+use crate::fiat_shamir::FiatShamir;
 use crate::linear_relation::LinearRelation;
 use crate::{
     group_serialization::*,
@@ -413,16 +413,18 @@ where
     C: Codec<Challenge = <G as Group>::Scalar>,
     G: Group + GroupEncoding,
 {
-    /// Absorbs commitments into the codec for future use of the codec
+    /// Absorbs statement and commitment into the codec
     ///
     /// # Parameters
     /// - `codec`: the Codec that absorbs commitments
     /// - `commitment`: a commitment of SchnorrProtocol
-    fn push_commitment(&self, codec: &mut C, commitment: &Self::Commitment) {
-        let mut data = Vec::new();
+    fn absorb_statement_and_commitment(&self, codec: &mut C, commitment: &Self::Commitment) {
+        let mut data = self.0.label();
+
         for commit in commitment {
             data.extend_from_slice(commit.to_bytes().as_ref());
         }
+
         codec.prover_message(&data);
     }
 
@@ -437,17 +439,3 @@ where
         Ok(codec.verifier_challenge())
     }
 }
-
-impl<G: Group + GroupEncoding> HasGroupMorphism for SchnorrProtocol<G> {
-    fn absorb_morphism_structure<C: Codec>(&self, codec: &mut C) -> Result<(), Error> {
-        for lc in &self.0.morphism.constraints {
-            for term in lc.terms() {
-                let mut buf = [0u8; 16];
-                buf[..8].copy_from_slice(&(term.scalar().index() as u64).to_le_bytes());
-                buf[8..].copy_from_slice(&(term.elem().index() as u64).to_le_bytes());
-                codec.prover_message(&buf);
-            }
-        }
-        Ok(())
-    }
-}

src/tests/composition.rs

@@ -8,7 +8,7 @@ use super::test_utils::{
 };
 use crate::codec::ShakeCodec;
 use crate::composition::{Protocol, ProtocolWitness};
-use crate::fiat_shamir::{HasGroupMorphism, NISigmaProtocol};
+use crate::fiat_shamir::NISigmaProtocol;
 use crate::schnorr_protocol::SchnorrProtocol;
 
 type G = RistrettoPoint;
@@ -83,13 +83,9 @@ fn composition_proof_correct() {
     let protocol = Protocol::And(vec![or_protocol1, simple_protocol1, and_protocol1]);
     let witness = ProtocolWitness::And(vec![or_witness1, simple_witness1, and_witness1]);
 
-    let mut nizk =
+    let nizk =
         NISigmaProtocol::<Protocol<RistrettoPoint>, ShakeCodec<G>>::new(domain_sep, protocol);
 
-    nizk.sigmap
-        .absorb_morphism_structure(&mut nizk.hash_state)
-        .unwrap();
-
     // Batchable and compact proofs
     let proof_batchable_bytes = nizk.prove_batchable(&witness, &mut rng).unwrap();
     let proof_compact_bytes = nizk.prove_compact(&witness, &mut rng).unwrap();

src/tests/composition_protocol.rs

@@ -8,7 +8,7 @@ use super::test_utils::{
 };
 use crate::codec::ShakeCodec;
 use crate::composition::{Protocol, ProtocolWitness};
-use crate::fiat_shamir::{HasGroupMorphism, NISigmaProtocol};
+use crate::fiat_shamir::NISigmaProtocol;
 use crate::schnorr_protocol::SchnorrProtocol;
 
 type G = RistrettoPoint;
@@ -83,13 +83,9 @@ fn composition_proof_correct() {
     let protocol = Protocol::And(vec![or_protocol1, simple_protocol1, and_protocol1]);
     let witness = ProtocolWitness::And(vec![or_witness1, simple_witness1, and_witness1]);
 
-    let mut nizk =
+    let nizk =
         NISigmaProtocol::<Protocol<RistrettoPoint>, ShakeCodec<G>>::new(domain_sep, protocol);
 
-    nizk.sigmap
-        .absorb_morphism_structure(&mut nizk.hash_state)
-        .unwrap();
-
     // Batchable and compact proofs
     let proof_batchable_bytes = nizk.prove_batchable(&witness, &mut rng).unwrap();
     let proof_compact_bytes = nizk.prove_compact(&witness, &mut rng).unwrap();

src/tests/relations.rs

@@ -2,7 +2,7 @@ use bls12_381::{G1Projective as G, Scalar};
 use group::{Group, ff::Field};
 use rand::rngs::OsRng;
 
-use crate::fiat_shamir::{HasGroupMorphism, NISigmaProtocol};
+use crate::fiat_shamir::NISigmaProtocol;
 use crate::tests::test_utils::{
     bbs_blind_commitment_computation, discrete_logarithm, dleq, pedersen_commitment,
     pedersen_commitment_dleq,
@@ -97,43 +97,6 @@ fn noninteractive_discrete_logarithm() {
     );
 }
 
-/// This part tests the implementation of the SigmaProtocol trait for the
-/// SchnorrProtocol structure as well as the Fiat-Shamir NISigmaProtocol transform,
-/// with additional morphism structure absorption into the transcript.
-#[test]
-fn noninteractive_discrete_logarithm_with_morphism_transcript() {
-    let mut rng = OsRng;
-    let (morphismp, witness) = discrete_logarithm(Scalar::random(&mut rng));
-
-    // The SigmaProtocol induced by morphismp
-    let protocol = SchnorrProtocol::from(morphismp);
-
-    // Fiat-Shamir wrapper
-    let domain_sep = b"test-fiat-shamir-schnorr";
-    let mut nizk = NISigmaProtocol::<SchnorrProtocol<G>, ShakeCodec<G>>::new(domain_sep, protocol);
-
-    // Morphism absorption
-    nizk.sigmap
-        .absorb_morphism_structure(&mut nizk.hash_state)
-        .unwrap();
-
-    // Generate and verify proofs
-    let proof_batchable_bytes = nizk.prove_batchable(&witness, &mut rng).unwrap();
-    let proof_compact_bytes = nizk.prove_compact(&witness, &mut rng).unwrap();
-
-    let verified_batchable = nizk.verify_batchable(&proof_batchable_bytes).is_ok();
-    let verified_compact = nizk.verify_compact(&proof_compact_bytes).is_ok();
-
-    assert!(
-        verified_batchable,
-        "Fiat-Shamir Schnorr proof with morphism absorption failed (batchable)"
-    );
-    assert!(
-        verified_compact,
-        "Fiat-Shamir Schnorr proof with morphism absorption failed (compact)"
-    );
-}
-
 #[test]
 fn noninteractive_dleq() {
     let mut rng = OsRng;

src/tests/spec/custom_schnorr_protocol.rs

@@ -5,8 +5,8 @@ use rand::{CryptoRng, Rng};
 use crate::codec::Codec;
 use crate::errors::Error;
 use crate::fiat_shamir::FiatShamir;
-use crate::linear_relation::LinearRelation;
 use crate::group_serialization::*;
+use crate::linear_relation::LinearRelation;
 use crate::tests::spec::random::SRandom;
 use crate::traits::SigmaProtocol;
 
@@ -156,7 +156,7 @@ where
     C: Codec<Challenge = <G as Group>::Scalar>,
     G: SRandom + GroupEncoding,
 {
-    fn push_commitment(&self, codec: &mut C, commitment: &Self::Commitment) {
+    fn absorb_statement_and_commitment(&self, codec: &mut C, commitment: &Self::Commitment) {
         let mut data = Vec::new();
         for commit in commitment {
             data.extend_from_slice(commit.to_bytes().as_ref());

src/traits.rs

@@ -5,6 +5,7 @@
 use crate::errors::Error;
 use rand::{CryptoRng, Rng};
 
+type BatchableProofResult<C, R> = Result<((C, R), usize), Error>;
 /// A trait defining the behavior of a generic Sigma protocol.
 ///
 /// A Sigma protocol is a 3-message proof protocol where a prover can convince
@@ -74,7 +75,7 @@ pub trait SigmaProtocol {
     fn deserialize_batchable(
         &self,
         _data: &[u8],
-    ) -> Result<((Self::Commitment, Self::Response), usize), Error>;
+    ) -> BatchableProofResult<Self::Commitment, Self::Response>;
 }
 
 /// A feature defining the behavior of a protocol for which it is possible to compact the proofs by omitting the commitments.