feat(protocol): add generalized Protocol structure with AND/OR compositions (#16)

- feat: define Protocol structure that generalizes SchnorrProtocol through AND/OR compositions
- feat: implement sigma protocol traits for the new Protocol structure
- test: add example test demonstrating Protocol structure functionality

Author: nougzarm

src/fiat_shamir.rs

@@ -11,15 +11,19 @@
 //! This struct is generic over:
 //! - `P`: the underlying Sigma protocol ([`SigmaProtocol`] trait).
 //! - `C`: the codec ([`Codec`] trait).
-//! - `G`: the group used for commitments and operations ([`Group`] trait).
 
 use crate::codec::Codec;
 use crate::errors::Error;
 use crate::traits::{CompactProtocol, SigmaProtocol};
 
-use group::{Group, GroupEncoding};
 use rand::{CryptoRng, RngCore};
 
+pub trait FiatShamir<C: Codec>: SigmaProtocol {
+    fn push_commitment(&self, codec: &mut C, commitment: &Self::Commitment);
+
+    fn get_challenge(&self, codec: &mut C) -> Result<Self::Challenge, Error>;
+}
+
 type Transcript<P> = (
     <P as SigmaProtocol>::Commitment,
     <P as SigmaProtocol>::Challenge,
@@ -37,12 +41,10 @@ type Transcript<P> = (
 /// # Type Parameters
 /// - `P`: the Sigma protocol implementation.
 /// - `C`: the codec used for Fiat-Shamir.
-/// - `G`: the group on which the protocol operates.
-pub struct NISigmaProtocol<P, C, G>
+pub struct NISigmaProtocol<P, C>
 where
-    G: Group + GroupEncoding,
-    P: SigmaProtocol<Commitment = Vec<G>, Challenge = <G as Group>::Scalar>,
-    C: Codec<Challenge = <G as Group>::Scalar>,
+    P: SigmaProtocol<Challenge: PartialEq> + FiatShamir<C>,
+    C: Codec<Challenge = P::Challenge>,
 {
     /// Current codec state.
     pub hash_state: C,
@@ -51,11 +53,10 @@ where
 }
 
 // TODO: Write a serialization of the morphism to the transcript.
-impl<P, C, G> NISigmaProtocol<P, C, G>
+impl<P, C> NISigmaProtocol<P, C>
 where
-    G: Group + GroupEncoding,
-    P: SigmaProtocol<Commitment = Vec<G>, Challenge = <G as Group>::Scalar>,
-    C: Codec<Challenge = <G as Group>::Scalar> + Clone,
+    P: SigmaProtocol<Challenge: PartialEq> + FiatShamir<C>,
+    C: Codec<Challenge = P::Challenge> + Clone,
 {
     /// Constructs a new [`NISigmaProtocol`] instance.
     ///
@@ -98,13 +99,9 @@ where
         let mut codec = self.hash_state.clone();
 
         let (commitment, prover_state) = self.sigmap.prover_commit(witness, rng)?;
-        // Commitment data for challenge generation
-        let mut data = Vec::new();
-        for commit in &commitment {
-            data.extend_from_slice(commit.to_bytes().as_ref());
-        }
         // Fiat Shamir challenge
-        let challenge = codec.prover_message(&data).verifier_challenge();
+        self.sigmap.push_commitment(&mut codec, &commitment);
+        let challenge = self.sigmap.get_challenge(&mut codec)?;
         // Prover's response
         let response = self.sigmap.prover_response(prover_state, &challenge)?;
         // Local verification of the proof
@@ -135,13 +132,9 @@ where
     ) -> Result<(), Error> {
         let mut codec = self.hash_state.clone();
 
-        // Commitment data for expected challenge generation
-        let mut data = Vec::new();
-        for commit in commitment {
-            data.extend_from_slice(commit.to_bytes().as_ref());
-        }
         // Recompute the challenge
-        let expected_challenge = codec.prover_message(&data).verifier_challenge();
+        self.sigmap.push_commitment(&mut codec, commitment);
+        let expected_challenge = self.sigmap.get_challenge(&mut codec)?;
         // Verification of the proof
         match *challenge == expected_challenge {
             true => self.sigmap.verifier(commitment, challenge, response),
@@ -189,23 +182,18 @@ where
 
         let mut codec = self.hash_state.clone();
 
-        // Commitment data for expected challenge generation
-        let mut data = Vec::new();
-        for commit in &commitment {
-            data.extend_from_slice(commit.to_bytes().as_ref());
-        }
         // Recompute the challenge
-        let challenge = codec.prover_message(&data).verifier_challenge();
+        self.sigmap.push_commitment(&mut codec, &commitment);
+        let challenge = self.sigmap.get_challenge(&mut codec)?;
         // Verification of the proof
         self.sigmap.verifier(&commitment, &challenge, &response)
     }
 }
 
-impl<P, C, G> NISigmaProtocol<P, C, G>
+impl<P, C> NISigmaProtocol<P, C>
 where
-    G: Group + GroupEncoding,
-    P: SigmaProtocol<Commitment = Vec<G>, Challenge = <G as Group>::Scalar> + CompactProtocol,
-    C: Codec<Challenge = <G as Group>::Scalar> + Clone,
+    P: SigmaProtocol<Challenge: PartialEq> + CompactProtocol + FiatShamir<C>,
+    C: Codec<Challenge = P::Challenge> + Clone,
 {
     /// Generates a compact serialized proof.
     ///

src/group_morphism.rs

@@ -61,6 +61,7 @@ impl From<(ScalarVar, GroupVar)> for Term {
 /// where `s_i` are scalars (referenced by `scalar_vars`) and `P_i` are group elements (referenced by `element_vars`).
 ///
 /// The indices refer to external lists managed by the containing Morphism.
+#[derive(Clone)]
 pub struct LinearCombination(Vec<Term>);
 
 impl<T: Into<Term>> From<T> for LinearCombination {
@@ -168,7 +169,7 @@ impl<G: Group> FromIterator<(GroupVar, G)> for GroupMap<G> {
 ///
 /// It supports dynamic allocation of scalars and elements,
 /// and evaluates by performing multi-scalar multiplications.
-#[derive(Default)]
+#[derive(Clone, Default)]
 pub struct Morphism<G: Group> {
     /// The set of linear combination constraints (equations).
     pub constraints: Vec<LinearCombination>,
@@ -259,7 +260,7 @@ impl<G: Group> Morphism<G> {
 /// Internally, the constraint system is defined through:
 /// - A list of group elements and linear equations (held in the [`Morphism`] field),
 /// - A list of [`GroupVar`] indices (`image`) that specify the expected output for each constraint.
-#[derive(Default)]
+#[derive(Clone, Default)]
 pub struct GroupMorphismPreimage<G>
 where
     G: Group + GroupEncoding,

src/group_serialization.rs

@@ -30,12 +30,12 @@ pub fn serialize_element<G: Group + GroupEncoding>(element: &G) -> Vec<u8> {
 ///   does not represent a valid group element.
 pub fn deserialize_element<G: Group + GroupEncoding>(data: &[u8]) -> Result<G, Error> {
     let element_len = G::Repr::default().as_ref().len();
-    if data.len() != element_len {
+    if data.len() < element_len {
         return Err(Error::GroupSerializationFailure);
     }
 
     let mut repr = G::Repr::default();
-    repr.as_mut().copy_from_slice(data);
+    repr.as_mut().copy_from_slice(&data[..element_len]);
     let ct_point = G::from_bytes(&repr);
     if ct_point.is_some().into() {
         let point = ct_point.unwrap();
@@ -70,13 +70,13 @@ pub fn deserialize_scalar<G: Group>(data: &[u8]) -> Result<G::Scalar, Error> {
     let scalar_len = <<G as Group>::Scalar as PrimeField>::Repr::default()
         .as_ref()
         .len();
-    if data.len() != scalar_len {
+    if data.len() < scalar_len {
         return Err(Error::GroupSerializationFailure);
     }
 
     let mut repr = <<G as Group>::Scalar as PrimeField>::Repr::default();
     repr.as_mut().copy_from_slice(&{
-        let mut tmp = data.to_vec();
+        let mut tmp = data[..scalar_len].to_vec();
         tmp.reverse();
         tmp
     });

src/lib.rs

@@ -18,7 +18,7 @@ pub mod fiat_shamir;
 pub mod group_morphism;
 pub mod group_serialization;
 pub mod proof_builder;
-pub mod proof_composition;
+pub mod protocol;
 pub mod schnorr_protocol;
 pub mod traits;
 

src/proof_builder.rs

@@ -22,4 +22,4 @@ use crate::{codec::ShakeCodec, fiat_shamir::NISigmaProtocol, schnorr_protocol::S
 /// - `G`: A group that implements both [`Group`] and [`GroupEncoding`].
 ///
 /// [`GroupMorphismPreimage`]: crate::GroupMorphismPreimage
-pub type NISchnorr<G> = NISigmaProtocol<SchnorrProtocol<G>, ShakeCodec<G>, G>;
+pub type NISchnorr<G> = NISigmaProtocol<SchnorrProtocol<G>, ShakeCodec<G>>;