Add more example relations: pedersen commitment equality and elgamal encryption subtraction (#97)

mmaker · nougzarm · web-flow · commit 8945b33ee92a · 2025-10-26T15:29:07.000+01:00
---------

Co-authored-by: nougzarm &lt;nougzarm@icloud.com&gt;
diff --git a/src/tests/test_composition.rs b/src/tests/test_composition.rs
@@ -23,7 +23,7 @@ fn test_composition_example() {
     let (relation1, witness1) = dleq(&mut rng);
     let (relation2, witness2) = pedersen_commitment(&mut rng);
     let (relation3, witness3) = discrete_logarithm(&mut rng);
-    let (relation4, witness4) = pedersen_commitment_dleq(&mut rng);
+    let (relation4, witness4) = pedersen_commitment(&mut rng);
     let (relation5, witness5) = bbs_blind_commitment(&mut rng);
 
     let wrong_witness2 = (0..witness2.len())
diff --git a/src/tests/test_relations.rs b/src/tests/test_relations.rs
@@ -6,8 +6,6 @@ use crate::codec::Shake128DuplexSponge;
 use crate::fiat_shamir::Nizk;
 use crate::linear_relation::{CanonicalLinearRelation, LinearRelation, Sum};
 
-use crate::group::msm::VariableMultiScalarMul;
-
 /// LinearMap for knowledge of a discrete logarithm relative to a fixed basepoint.
 #[allow(non_snake_case)]
 pub fn discrete_logarithm<G: PrimeGroup, R: rand::RngCore>(
@@ -162,43 +160,6 @@ pub fn twisted_pedersen_commitment<G: PrimeGroup, R: RngCore>(
     (instance, witness)
 }
 
-/// LinearMap for knowledge of equal openings to two distinct Pedersen commitments.
-#[allow(non_snake_case)]
-pub fn pedersen_commitment_dleq<G: PrimeGroup, R: RngCore>(
-    rng: &mut R,
-) -> (CanonicalLinearRelation<G>, Vec<G::Scalar>) {
-    let generators = [
-        G::random(&mut *rng),
-        G::random(&mut *rng),
-        G::random(&mut *rng),
-        G::random(&mut *rng),
-    ];
-    let witness = [G::Scalar::random(&mut *rng), G::Scalar::random(&mut *rng)];
-    let mut relation = LinearRelation::new();
-
-    let X = G::msm(&witness, &[generators[0], generators[1]]);
-    let Y = G::msm(&witness, &[generators[2], generators[3]]);
-
-    let [var_x, var_r] = relation.allocate_scalars();
-
-    let var_Gs = relation.allocate_elements::<4>();
-    let var_X = relation.allocate_eq(var_x * var_Gs[0] + var_r * var_Gs[1]);
-    let var_Y = relation.allocate_eq(var_x * var_Gs[2] + var_r * var_Gs[3]);
-
-    relation.set_elements([
-        (var_Gs[0], generators[0]),
-        (var_Gs[1], generators[1]),
-        (var_Gs[2], generators[2]),
-        (var_Gs[3], generators[3]),
-    ]);
-    relation.set_elements([(var_X, X), (var_Y, Y)]);
-
-    assert!(vec![X, Y] == relation.linear_map.evaluate(&witness).unwrap());
-    let witness_vec = witness.to_vec();
-    let instance = (&relation).try_into().unwrap();
-    (instance, witness_vec)
-}
-
 /// Test that a Pedersen commitment is in the given range.
 #[allow(non_snake_case)]
 pub fn range_instance_generation<G: PrimeGroup, R: RngCore>(
@@ -498,6 +459,57 @@ fn nested_affine_relation<G: PrimeGroup, R: RngCore>(
     (instance, witness)
 }
 
+fn pedersen_commitment_equality<G: PrimeGroup, R: RngCore>(
+    rng: &mut R,
+) -> (CanonicalLinearRelation<G>, Vec<G::Scalar>) {
+    let mut instance = LinearRelation::new();
+
+    let [m, r1, r2] = instance.allocate_scalars();
+    let [var_G, var_H] = instance.allocate_elements();
+    // This relation is redundant and inefficient.
+    instance.allocate_eq(var_G * m + var_H * r1);
+    instance.allocate_eq(var_G * m + var_H * r2);
+
+    instance.set_elements([(var_G, G::generator()), (var_H, G::random(&mut *rng))]);
+
+    let witness = vec![
+        G::Scalar::from(42),
+        G::Scalar::random(&mut *rng),
+        G::Scalar::random(&mut *rng),
+    ];
+    instance.compute_image(&witness).unwrap();
+
+    (instance.canonical().unwrap(), witness)
+}
+
+fn elgamal_subtraction<G: PrimeGroup, R: RngCore>(
+    rng: &mut R,
+) -> (CanonicalLinearRelation<G>, Vec<G::Scalar>) {
+    let mut instance = LinearRelation::new();
+    let [dk, a, r] = instance.allocate_scalars();
+    let [ek, C, D, H, G] = instance.allocate_elements();
+    let v = G::Scalar::from(100);
+
+    instance.append_equation(ek, dk * H);
+
+    instance.append_equation(D, r * H);
+    instance.append_equation(C, r * ek + a * G);
+
+    instance.append_equation(C, G * v + dk * D + a * G);
+
+    // set dk for testing to
+    let witness = vec![
+        G::Scalar::from(4242),
+        G::Scalar::from(1000),
+        G::Scalar::random(&mut *rng),
+    ];
+    let alt_gen = G::random(&mut *rng);
+    instance.set_elements([(G, G::generator()), (H, alt_gen)]);
+    instance.compute_image(&witness).unwrap();
+
+    (instance.canonical().unwrap(), witness)
+}
+
 #[test]
 fn test_cmz_wallet_with_fee() {
     use group::Group;
@@ -556,14 +568,15 @@ fn test_relations() {
         ("shifted_dleq", &shifted_dleq),
         ("pedersen_commitment", &pedersen_commitment),
         ("twisted_pedersen_commitment", &twisted_pedersen_commitment),
-        ("pedersen_commitment_dleq", &pedersen_commitment_dleq),
+        ("pedersen_commitment_dleq", &pedersen_commitment_equality),
         ("bbs_blind_commitment", &bbs_blind_commitment),
         ("test_range", &test_range),
         ("weird_linear_combination", &weird_linear_combination),
         ("simple_subtractions", &simple_subtractions),
         ("subtractions_with_shift", &subtractions_with_shift),
         ("cmz_wallet_spend_relation", &cmz_wallet_spend_relation),
         ("nested_affine_relation", &nested_affine_relation),
+        ("elgamal_public_subtract", &elgamal_subtraction),
     ];
 
     for (relation_name, relation_sampler) in instance_generators.iter() {
