fix composition relying on PrimeGroup

Author: mmaker

examples/simple_composition.rs

@@ -48,8 +48,6 @@ fn create_relation(P1: G, P2: G, Q: G, H: G) -> Protocol<G> {
 /// Prove knowledge of one of the witnesses (we know x2 for the DLEQ)
 #[allow(non_snake_case)]
 fn prove(P1: G, x2: Scalar, H: G) -> ProofResult<Vec<u8>> {
-    let mut rng = OsRng;
-
     // Compute public values
     let P2 = G::generator() * x2;
     let Q = H * x2;
@@ -58,7 +56,7 @@ fn prove(P1: G, x2: Scalar, H: G) -> ProofResult<Vec<u8>> {
     let witness = ProtocolWitness::Or(1, vec![ProtocolWitness::Simple(vec![x2])]);
     let nizk = Nizk::<_, ShakeCodec<G>>::new(b"or_proof_example", protocol);
 
-    nizk.prove_batchable(&witness, &mut rng)
+    nizk.prove_batchable(&witness, &mut OsRng)
 }
 
 /// Verify an OR proof given the public values
@@ -72,12 +70,10 @@ fn verify(P1: G, P2: G, Q: G, H: G, proof: &[u8]) -> ProofResult<()> {
 
 #[allow(non_snake_case)]
 fn main() {
-    let mut rng = OsRng;
-
     // Setup: We don't know x1, but we do know x2
-    let x1 = Scalar::random(&mut rng);
-    let x2 = Scalar::random(&mut rng);
-    let H = G::random(&mut rng);
+    let x1 = Scalar::random(&mut OsRng);
+    let x2 = Scalar::random(&mut OsRng);
+    let H = G::random(&mut OsRng);
 
     // Compute public values
     let P1 = G::generator() * x1; // We don't actually know x1 in the proof

src/composition.rs

@@ -19,7 +19,7 @@
 //! ```
 
 use ff::{Field, PrimeField};
-use group::{Group, GroupEncoding};
+use group::{prime::PrimeGroup, Group};
 use sha3::Digest;
 use sha3::Sha3_256;
 
@@ -38,15 +38,15 @@ use crate::{
 /// # Type Parameters
 /// - `G`: A cryptographic group implementing [`Group`] and [`GroupEncoding`].
 #[derive(Clone)]
-pub enum Protocol<G: Group + GroupEncoding> {
+pub enum Protocol<G: PrimeGroup> {
     Simple(SchnorrProof<G>),
     And(Vec<Protocol<G>>),
     Or(Vec<Protocol<G>>),
 }
 
 impl<G> From<SchnorrProof<G>> for Protocol<G>
 where
-    G: Group + GroupEncoding,
+    G: PrimeGroup,
 {
     fn from(value: SchnorrProof<G>) -> Self {
         Protocol::Simple(value)
@@ -55,7 +55,7 @@ where
 
 impl<G> From<LinearRelation<G>> for Protocol<G>
 where
-    G: Group + GroupEncoding,
+    G: PrimeGroup,
 {
     fn from(value: LinearRelation<G>) -> Self {
         Self::from(SchnorrProof::from(value))
@@ -64,15 +64,15 @@ where
 
 // Structure representing the Commitment type of Protocol as SigmaProtocol
 #[derive(Clone)]
-pub enum ProtocolCommitment<G: Group + GroupEncoding> {
+pub enum ProtocolCommitment<G: PrimeGroup> {
     Simple(<SchnorrProof<G> as SigmaProtocol>::Commitment),
     And(Vec<ProtocolCommitment<G>>),
     Or(Vec<ProtocolCommitment<G>>),
 }
 
 // Structure representing the ProverState type of Protocol as SigmaProtocol
 #[derive(Clone)]
-pub enum ProtocolProverState<G: Group + GroupEncoding> {
+pub enum ProtocolProverState<G: PrimeGroup> {
     Simple(<SchnorrProof<G> as SigmaProtocol>::ProverState),
     And(Vec<ProtocolProverState<G>>),
     Or(
@@ -84,14 +84,14 @@ pub enum ProtocolProverState<G: Group + GroupEncoding> {
 
 // Structure representing the Response type of Protocol as SigmaProtocol
 #[derive(Clone)]
-pub enum ProtocolResponse<G: Group + GroupEncoding> {
+pub enum ProtocolResponse<G: PrimeGroup> {
     Simple(<SchnorrProof<G> as SigmaProtocol>::Response),
     And(Vec<ProtocolResponse<G>>),
     Or(Vec<ProtocolChallenge<G>>, Vec<ProtocolResponse<G>>),
 }
 
 // Structure representing the Witness type of Protocol as SigmaProtocol
-pub enum ProtocolWitness<G: Group + GroupEncoding> {
+pub enum ProtocolWitness<G: PrimeGroup> {
     Simple(<SchnorrProof<G> as SigmaProtocol>::Witness),
     And(Vec<ProtocolWitness<G>>),
     Or(usize, Vec<ProtocolWitness<G>>),
@@ -100,7 +100,7 @@ pub enum ProtocolWitness<G: Group + GroupEncoding> {
 // Structure representing the Challenge type of Protocol as SigmaProtocol
 type ProtocolChallenge<G> = <SchnorrProof<G> as SigmaProtocol>::Challenge;
 
-impl<G: Group + GroupEncoding> SigmaProtocol for Protocol<G> {
+impl<G: PrimeGroup> SigmaProtocol for Protocol<G> {
     type Commitment = ProtocolCommitment<G>;
     type ProverState = ProtocolProverState<G>;
     type Response = ProtocolResponse<G>;
@@ -422,7 +422,7 @@ impl<G: Group + GroupEncoding> SigmaProtocol for Protocol<G> {
     }
 }
 
-impl<G: Group + GroupEncoding> SigmaProtocolSimulator for Protocol<G> {
+impl<G: PrimeGroup> SigmaProtocolSimulator for Protocol<G> {
     fn simulate_commitment(
         &self,
         challenge: &Self::Challenge,

src/schnorr_protocol.rs

@@ -93,7 +93,7 @@ where
     fn prover_commit(
         &self,
         witness: &Self::Witness,
-        mut rng: &mut (impl RngCore + CryptoRng),
+        rng: &mut (impl RngCore + CryptoRng),
     ) -> Result<(Self::Commitment, Self::ProverState), Error> {
         if witness.len() != self.witness_length() {
             return Err(Error::InvalidInstanceWitnessPair);
@@ -105,7 +105,7 @@ where
         }
 
         let nonces: Vec<G::Scalar> = (0..self.witness_length())
-            .map(|_| G::Scalar::random(&mut rng))
+            .map(|_| G::Scalar::random(&mut *rng))
             .collect();
         let commitment = self.evaluate(&nonces)?;
         let prover_state = (nonces, witness.clone());
@@ -296,9 +296,9 @@ where
     ///
     /// # Returns
     /// - A commitment and response forming a valid proof for the given challenge.
-    fn simulate_response<R: Rng + CryptoRng>(&self, mut rng: &mut R) -> Self::Response {
+    fn simulate_response<R: Rng + CryptoRng>(&self, rng: &mut R) -> Self::Response {
         let response: Vec<G::Scalar> = (0..self.witness_length())
-            .map(|_| G::Scalar::random(&mut rng))
+            .map(|_| G::Scalar::random(&mut *rng))
             .collect();
         response
     }

src/tests/composition.rs

@@ -23,41 +23,43 @@ fn composition_proof_correct() {
     //     Simple( discrete_logarithm ),
     //     And( pedersen_commitment_dleq, bbs_blind_commitment_computation )
     // )
-    let mut rng = OsRng;
     let domain_sep = b"hello world";
 
     // definitions of the underlying protocols
-    let (relation1, witness1) = dleq(G::random(&mut rng), <G as Group>::Scalar::random(&mut rng));
+    let (relation1, witness1) = dleq(
+        G::random(&mut OsRng),
+        <G as Group>::Scalar::random(&mut OsRng),
+    );
     let (relation2, _) = pedersen_commitment(
-        G::random(&mut rng),
-        <G as Group>::Scalar::random(&mut rng),
-        <G as Group>::Scalar::random(&mut rng),
+        G::random(&mut OsRng),
+        <G as Group>::Scalar::random(&mut OsRng),
+        <G as Group>::Scalar::random(&mut OsRng),
     );
-    let (relation3, witness3) = discrete_logarithm(<G as Group>::Scalar::random(&mut rng));
+    let (relation3, witness3) = discrete_logarithm(<G as Group>::Scalar::random(&mut OsRng));
     let (relation4, witness4) = pedersen_commitment_dleq(
         (0..4)
-            .map(|_| G::random(&mut rng))
+            .map(|_| G::random(&mut OsRng))
             .collect::<Vec<_>>()
             .try_into()
             .unwrap(),
         (0..2)
-            .map(|_| <G as Group>::Scalar::random(&mut rng))
+            .map(|_| <G as Group>::Scalar::random(&mut OsRng))
             .collect::<Vec<_>>()
             .try_into()
             .unwrap(),
     );
     let (relation5, witness5) = bbs_blind_commitment_computation(
         (0..4)
-            .map(|_| G::random(&mut rng))
+            .map(|_| G::random(&mut OsRng))
             .collect::<Vec<_>>()
             .try_into()
             .unwrap(),
         (0..3)
-            .map(|_| <G as Group>::Scalar::random(&mut rng))
+            .map(|_| <G as Group>::Scalar::random(&mut OsRng))
             .collect::<Vec<_>>()
             .try_into()
             .unwrap(),
-        <G as Group>::Scalar::random(&mut rng),
+        <G as Group>::Scalar::random(&mut OsRng),
     );
 
     // second layer protocol definitions
@@ -86,8 +88,8 @@ fn composition_proof_correct() {
     let nizk = Nizk::<Protocol<RistrettoPoint>, ShakeCodec<G>>::new(domain_sep, protocol);
 
     // Batchable and compact proofs
-    let proof_batchable_bytes = nizk.prove_batchable(&witness, &mut rng).unwrap();
-    let proof_compact_bytes = nizk.prove_compact(&witness, &mut rng).unwrap();
+    let proof_batchable_bytes = nizk.prove_batchable(&witness, &mut OsRng).unwrap();
+    let proof_compact_bytes = nizk.prove_compact(&witness, &mut OsRng).unwrap();
     // Verify proofs
     let verified_batchable = nizk.verify_batchable(&proof_batchable_bytes).is_ok();
     let verified_compact = nizk.verify_compact(&proof_compact_bytes).is_ok();