chore: document tests for trivial linear relations.

Let the relation builder create relations for which no valid witness exists.
It's responsibility of the user to check that the relation is satisfiable.

Author: mmaker

src/lib.rs

@@ -67,3 +67,6 @@ pub mod tests;
 
 pub use fiat_shamir::Nizk;
 pub use linear_relation::LinearRelation;
+
+#[deprecated = "Use sigma_rs::group::serialization instead"]
+pub use group::serialization;

src/linear_relation/canonical.rs

@@ -453,6 +453,10 @@ impl<G: PrimeGroup> TryFrom<&LinearRelation<G>> for CanonicalLinearRelation<G> {
                 if lhs_value == rhs_value {
                     continue; // Skip processing trivially true constraints
                 }
+                // We know that there is no valid witness for the relation here.
+                // return Err(InvalidInstance::new(
+                //     "Trivial constraint does not hold (LHS != RHS)",
+                // ));
             } else if lhs_value == G::identity() {
                 return Err(InvalidInstance::new("Image contains identity element"));
             }

src/tests/test_relations.rs

@@ -1,6 +1,5 @@
 use ff::Field;
 use group::prime::PrimeGroup;
-use rand::rngs::OsRng;
 use rand::RngCore;
 
 use crate::codec::Shake128DuplexSponge;
@@ -474,7 +473,7 @@ fn test_cmz_wallet_with_fee() {
     use group::Group;
     type G = bls12_381::G1Projective;
 
-    let mut rng = OsRng;
+    let mut rng = rand::thread_rng();
 
     // This version should fail with InvalidInstanceWitnessPair
     // because it uses a scalar constant directly in the equation
@@ -508,7 +507,7 @@ fn test_cmz_wallet_with_fee() {
 
     // Try to convert to CanonicalLinearRelation - this should fail
     let nizk = relation.into_nizk(b"session_identifier").unwrap();
-    let result = nizk.prove_batchable(&vec![n_balance, i_price, z_w_balance], &mut OsRng);
+    let result = nizk.prove_batchable(&vec![n_balance, i_price, z_w_balance], &mut rng);
     assert!(result.is_ok());
     let proof = result.unwrap();
     let verify_result = nizk.verify_batchable(&proof);
@@ -518,12 +517,9 @@ fn test_cmz_wallet_with_fee() {
 /// Generic helper function to test both relation correctness and NIZK functionality
 #[test]
 fn test_relations() {
-    use group::Group;
     type G = bls12_381::G1Projective;
-    type RelationGenerator<G> =
-        &'static dyn Fn(&mut OsRng) -> (CanonicalLinearRelation<G>, Vec<<G as Group>::Scalar>);
 
-    let instance_generators: Vec<(&str, RelationGenerator<G>)> = vec![
+    let instance_generators: Vec<(_, &'static dyn Fn(&mut _) -> _)> = vec![
         ("dlog", &discrete_logarithm),
         ("shifted_dlog", &shifted_dlog),
         ("dleq", &dleq),
@@ -541,7 +537,7 @@ fn test_relations() {
     ];
 
     for (relation_name, relation_sampler) in instance_generators.iter() {
-        let mut rng = OsRng;
+        let mut rng = rand::thread_rng();
         let (canonical_relation, witness) = relation_sampler(&mut rng);
 
         // Test the NIZK protocol
@@ -555,10 +551,10 @@ fn test_relations() {
 
         // Test both proof types
         let proof_batchable = nizk
-            .prove_batchable(&witness, &mut OsRng)
+            .prove_batchable(&witness, &mut rng)
             .unwrap_or_else(|_| panic!("Failed to create batchable proof for {relation_name}"));
         let proof_compact = nizk
-            .prove_compact(&witness, &mut OsRng)
+            .prove_compact(&witness, &mut rng)
             .unwrap_or_else(|_| panic!("Failed to create compact proof for {relation_name}"));
 
         // Verify both proof types

src/tests/test_validation_criteria.rs

@@ -131,23 +131,18 @@ mod instance_validation {
 
         let X = G::generator() * Scalar::from(4);
 
-        // The following relation is invalid and should trigger a fail.
+        // The following relation is trivially invalid.
+        // That is, we know that no witness will ever satisfy it.
+        // In this case, we're letting the prover fail and build the relation anyways.
         let mut linear_relation = LinearRelation::<G>::new();
         let B_var = linear_relation.allocate_element();
         let C_var = linear_relation.allocate_eq(B_var);
         linear_relation.set_element(B_var, B);
         linear_relation.set_element(C_var, C);
-        assert!(linear_relation.canonical().is_err());
-
-        // The following relation is valid and should pass.
-        let mut linear_relation = LinearRelation::<G>::new();
-        let B_var = linear_relation.allocate_element();
-        let C_var = linear_relation.allocate_eq(B_var);
-        linear_relation.set_element(B_var, B);
-        linear_relation.set_element(C_var, B);
         assert!(linear_relation.canonical().is_ok());
 
-        // The following relation is invalid and should trigger a fail.
+        // Also in this case, we know that no witness will ever satisfy the relation.
+        // Also here, the relation is built even though the prover will never be able to give a valid proof for it.
         // X != B * pub_scalar + A * 3
         let mut linear_relation = LinearRelation::<G>::new();
         let B_var = linear_relation.allocate_element();
@@ -157,7 +152,15 @@ mod instance_validation {
         linear_relation.set_element(B_var, B);
         linear_relation.set_element(A_var, A);
         linear_relation.set_element(X_var, X);
-        assert!(linear_relation.canonical().is_err());
+        assert!(linear_relation.canonical().is_ok());
+
+        // The following relation is valid and should pass.
+        let mut linear_relation = LinearRelation::<G>::new();
+        let B_var = linear_relation.allocate_element();
+        let C_var = linear_relation.allocate_eq(B_var);
+        linear_relation.set_element(B_var, B);
+        linear_relation.set_element(C_var, B);
+        assert!(linear_relation.canonical().is_ok());
 
         // The following relation is valid and should pass.
         // C = B * pub_scalar + A * 3