fix(examples): simpler composition (#37)

mmaker · web-flow · commit 961c8a6a12a5 · 2025-06-16T09:56:09.000+02:00
diff --git a/examples/schnorr.rs b/examples/schnorr.rs
@@ -12,7 +12,7 @@ use group::Group;
 use rand::rngs::OsRng;
 
 use sigma_rs::errors::Error;
-use sigma_rs::{LinearRelation, NISigmaProtocol};
+use sigma_rs::LinearRelation;
 
 type ProofResult<T> = Result<T, Error>;
 
@@ -34,14 +34,14 @@ fn create_relation(P: RistrettoPoint) -> LinearRelation<RistrettoPoint> {
 /// generate a proof that P = x * G
 #[allow(non_snake_case)]
 fn prove(x: Scalar, P: RistrettoPoint) -> ProofResult<Vec<u8>> {
-    let nizk: NISigmaProtocol<_, _> = create_relation(P).into();
+    let nizk = create_relation(P).into_nizk(b"schnorr-proof");
     nizk.prove_batchable(&vec![x], &mut OsRng)
 }
 
 /// Verify a proof of knowledge of discrete logarithm for the given public key P
 #[allow(non_snake_case)]
 fn verify(P: RistrettoPoint, proof: &[u8]) -> ProofResult<()> {
-    let nizk: NISigmaProtocol<_, _> = create_relation(P).into();
+    let nizk = create_relation(P).into_nizk(b"schnorr-proof");
     nizk.verify_batchable(proof)
 }
 
diff --git a/examples/simple_composition.rs b/examples/simple_composition.rs
@@ -14,72 +14,90 @@ use sigma_rs::{
 type G = RistrettoPoint;
 type ProofResult<T> = Result<T, Error>;
 
+/// Create an OR relation between two statements:
+/// 1. Knowledge of discrete log: P1 = x1 * G
+/// 2. Knowledge of DLEQ: (P2 = x2 * G, Q = x2 * H)
 #[allow(non_snake_case)]
-pub fn discrete_logarithm(x: Scalar) -> (LinearRelation<G>, Vec<Scalar>) {
-    let mut relation = LinearRelation::<G>::new();
-
-    let var_x = relation.allocate_scalar();
-    let var_G = relation.allocate_element();
-    let _var_X = relation.allocate_eq(var_x * var_G);
-
-    relation.set_element(var_G, G::generator());
-    relation.compute_image(&[x]).unwrap();
-
-    (relation, vec![x])
-}
-
-#[allow(non_snake_case)]
-pub fn dleq(x: Scalar, h: G) -> (LinearRelation<G>, Vec<Scalar>) {
-    let mut relation = LinearRelation::<G>::new();
-
-    let var_x = relation.allocate_scalar();
-    let [var_G, var_H] = relation.allocate_elements();
-    let _var_X = relation.allocate_eq(var_x * var_G);
-    let _var_Y = relation.allocate_eq(var_x * var_H);
-
-    relation.set_elements([(var_G, G::generator()), (var_H, h)]);
-    relation.compute_image(&[x]).unwrap();
-
-    (relation, vec![x])
-}
-
-fn create_or_relations(x1: Scalar, x2: Scalar, h: G) -> (Protocol<G>, ProtocolWitness<G>) {
-    let (rel1, _) = discrete_logarithm(x1);
-    let (rel2, witness2) = dleq(x2, h);
-
+fn create_relation(P1: G, P2: G, Q: G, H: G) -> Protocol<G> {
+    // First relation: discrete logarithm P1 = x1 * G
+    let mut rel1 = LinearRelation::<G>::new();
+    let x1 = rel1.allocate_scalar();
+    let G1 = rel1.allocate_element();
+    let P1_var = rel1.allocate_eq(x1 * G1);
+    rel1.set_element(G1, G::generator());
+    rel1.set_element(P1_var, P1);
+
+    // Second relation: DLEQ (P2 = x2 * G, Q = x2 * H)
+    let mut rel2 = LinearRelation::<G>::new();
+    let x2 = rel2.allocate_scalar();
+    let G2 = rel2.allocate_element();
+    let H_var = rel2.allocate_element();
+    let P2_var = rel2.allocate_eq(x2 * G2);
+    let Q_var = rel2.allocate_eq(x2 * H_var);
+    rel2.set_element(G2, G::generator());
+    rel2.set_element(H_var, H);
+    rel2.set_element(P2_var, P2);
+    rel2.set_element(Q_var, Q);
+
+    // Compose into OR protocol
     let proto1 = Protocol::from(rel1);
     let proto2 = Protocol::from(rel2);
-    let composed = Protocol::Or(vec![proto1, proto2]);
-
-    let witness = ProtocolWitness::Or(1, vec![ProtocolWitness::Simple(witness2)]);
-
-    (composed, witness)
+    Protocol::Or(vec![proto1, proto2])
 }
 
-fn prove_or(x1: Scalar, x2: Scalar, h: G) -> ProofResult<Vec<u8>> {
+/// Prove knowledge of one of the witnesses (we know x2 for the DLEQ)
+#[allow(non_snake_case)]
+fn prove(P1: G, x2: Scalar, H: G) -> ProofResult<Vec<u8>> {
     let mut rng = OsRng;
-    let (composed, witness) = create_or_relations(x1, x2, h);
-    let nizk = NISigmaProtocol::<_, ShakeCodec<G>>::new(b"or_proof_example", composed);
+
+    // Compute public values
+    let P2 = G::generator() * x2;
+    let Q = H * x2;
+
+    let protocol = create_relation(P1, P2, Q, H);
+    let witness = ProtocolWitness::Or(1, vec![ProtocolWitness::Simple(vec![x2])]);
+    let nizk = NISigmaProtocol::<_, ShakeCodec<G>>::new(b"or_proof_example", protocol);
 
     nizk.prove_batchable(&witness, &mut rng)
 }
 
-fn verify_or(x1: Scalar, x2: Scalar, h: G, proof: &[u8]) -> ProofResult<()> {
-    let (composed, _) = create_or_relations(x1, x2, h);
-    let nizk = NISigmaProtocol::<_, ShakeCodec<G>>::new(b"or_proof_example", composed);
+/// Verify an OR proof given the public values
+#[allow(non_snake_case)]
+fn verify(P1: G, P2: G, Q: G, H: G, proof: &[u8]) -> ProofResult<()> {
+    let protocol = create_relation(P1, P2, Q, H);
+    let nizk = NISigmaProtocol::<_, ShakeCodec<G>>::new(b"or_proof_example", protocol);
 
     nizk.verify_batchable(proof)
 }
 
+#[allow(non_snake_case)]
 fn main() {
     let mut rng = OsRng;
+
+    // Setup: We don't know x1, but we do know x2
     let x1 = Scalar::random(&mut rng);
     let x2 = Scalar::random(&mut rng);
-    let h = G::random(&mut rng);
-
-    let proof = prove_or(x1, x2, h).expect("Proof generation failed");
-    let verified = verify_or(x1, x2, h, &proof).is_ok();
-
-    println!("OR-proof verified: {verified}");
-    println!("Proof bytes: {}", hex::encode(&proof));
+    let H = G::random(&mut rng);
+
+    // Compute public values
+    let P1 = G::generator() * x1; // We don't actually know x1 in the proof
+    let P2 = G::generator() * x2; // We know x2
+    let Q = H * x2; // Q = x2 * H
+
+    println!("OR-proof example: Proving knowledge of x1 OR x2");
+    println!("(We only know x2, not x1)");
+
+    match prove(P1, x2, H) {
+        Ok(proof) => {
+            println!("Proof generated successfully");
+            println!("Proof (hex): {}", hex::encode(&proof));
+
+            // Verify the proof
+            match verify(P1, P2, Q, H, &proof) {
+                Ok(()) => println!("✓ Proof verified successfully!"),
+                Err(e) => println!("✗ Proof verification failed: {:?}", e),
+            }
+        }
+        Err(e) => println!("✗ Failed to generate proof: {:?}", e),
+    }
 }
diff --git a/src/fiat_shamir.rs b/src/fiat_shamir.rs
@@ -249,40 +249,3 @@ where
         self.verify(&commitment, &challenge, &response)
     }
 }
-
-/// Convenience trait implementation to create a NIZK directly from a LinearRelation.
-impl<G> From<crate::linear_relation::LinearRelation<G>>
-    for NISigmaProtocol<crate::schnorr_protocol::SchnorrProof<G>, crate::codec::ShakeCodec<G>>
-where
-    G: group::Group + group::GroupEncoding,
-{
-    /// Convert a LinearRelation into a non-interactive zero-knowledge protocol
-    /// using the default ShakeCodec and a generic domain separator.
-    ///
-    /// # Example
-    /// ```
-    /// # use sigma_rs::{LinearRelation, NISigmaProtocol};
-    /// # use curve25519_dalek::RistrettoPoint as G;
-    /// # use curve25519_dalek::scalar::Scalar;
-    /// # use rand::rngs::OsRng;
-    /// # use group::Group;
-    ///
-    /// let mut relation = LinearRelation::<G>::new();
-    /// let x_var = relation.allocate_scalar();
-    /// let g_var = relation.allocate_element();
-    /// let p_var = relation.allocate_eq(x_var * g_var);
-    ///
-    /// relation.set_element(g_var, G::generator());
-    /// let x = Scalar::random(&mut OsRng);
-    /// relation.compute_image(&[x]).unwrap();
-    ///
-    /// // Convert to NIZK using From trait
-    /// let nizk: NISigmaProtocol<_, _> = relation.into();
-    /// let proof = nizk.prove_batchable(&vec![x], &mut OsRng).unwrap();
-    /// assert!(nizk.verify_batchable(&proof).is_ok());
-    /// ```
-    fn from(relation: crate::linear_relation::LinearRelation<G>) -> Self {
-        let schnorr = crate::schnorr_protocol::SchnorrProof::from(relation);
-        Self::new(b"sigma-rs-default", schnorr)
-    }
-}
diff --git a/src/linear_relation/mod.rs b/src/linear_relation/mod.rs
@@ -510,4 +510,49 @@ where
 
         out
     }
+
+    /// Convert this LinearRelation into a non-interactive zero-knowledge protocol
+    /// using the ShakeCodec and a specified context/domain separator.
+    ///
+    /// # Parameters
+    /// - `context`: Domain separator bytes for the Fiat-Shamir transform
+    ///
+    /// # Returns
+    /// A `NISigmaProtocol` instance ready for proving and verification
+    ///
+    /// # Example
+    /// ```
+    /// # use sigma_rs::{LinearRelation, NISigmaProtocol};
+    /// # use curve25519_dalek::RistrettoPoint as G;
+    /// # use curve25519_dalek::scalar::Scalar;
+    /// # use rand::rngs::OsRng;
+    /// # use group::Group;
+    ///
+    /// let mut relation = LinearRelation::<G>::new();
+    /// let x_var = relation.allocate_scalar();
+    /// let g_var = relation.allocate_element();
+    /// let p_var = relation.allocate_eq(x_var * g_var);
+    ///
+    /// relation.set_element(g_var, G::generator());
+    /// let x = Scalar::random(&mut OsRng);
+    /// relation.compute_image(&[x]).unwrap();
+    ///
+    /// // Convert to NIZK with custom context
+    /// let nizk = relation.into_nizk(b"my-protocol-v1");
+    /// let proof = nizk.prove_batchable(&vec![x], &mut OsRng).unwrap();
+    /// assert!(nizk.verify_batchable(&proof).is_ok());
+    /// ```
+    pub fn into_nizk(
+        self,
+        context: &[u8],
+    ) -> crate::fiat_shamir::NISigmaProtocol<
+        crate::schnorr_protocol::SchnorrProof<G>,
+        crate::codec::ShakeCodec<G>,
+    >
+    where
+        G: group::GroupEncoding,
+    {
+        let schnorr = crate::schnorr_protocol::SchnorrProof::from(self);
+        crate::fiat_shamir::NISigmaProtocol::new(context, schnorr)
+    }
 }
