sigma-rs
diff --git a/‎src/fiat_shamir.rs‎
Lines changed: 76 additions & 9 deletions b/‎src/fiat_shamir.rs‎
Lines changed: 76 additions & 9 deletions
diff --git a/‎src/proof_builder.rs‎
Lines changed: 12 additions & 3 deletions b/‎src/proof_builder.rs‎
Lines changed: 12 additions & 3 deletions
diff --git a/‎src/schnorr_proof.rs‎
Lines changed: 94 additions & 21 deletions b/‎src/schnorr_proof.rs‎
Lines changed: 94 additions & 21 deletions
diff --git a/‎src/trait.rs‎
Lines changed: 28 additions & 1 deletion b/‎src/trait.rs‎
Lines changed: 28 additions & 1 deletion
@@ -14,9 +14,7 @@
 //! - `G`: the group used for commitments and operations (`Group` trait).
 
 use crate::{
-    codec::Codec,
-    SigmaProtocol,
-    ProofError
+    codec::Codec, CompactProtocol, ProofError, SigmaProtocol
 };
 
 use group::{Group, GroupEncoding};
@@ -65,8 +63,12 @@ where
         }
     }
 
-    /// Produces a non-interactive proof for a witness and serializes it as a vector of bytes.
-    pub fn prove(&mut self, witness: &P::Witness, rng: &mut (impl RngCore + CryptoRng)) -> Vec<u8> {
+    /// Produces a non-interactive proof for a witness.
+    pub fn prove(
+        &mut self,
+        witness: &P::Witness,
+        rng: &mut (impl RngCore + CryptoRng)
+    ) -> (P::Commitment, P::Challenge, P::Response) {
         let mut codec = self.hash_state.clone();
 
         let (commitment, prover_state) = self.sigmap.prover_commit(witness, rng);
@@ -86,16 +88,53 @@ where
             .sigmap
             .verifier(&commitment, &challenge, &response)
             .is_ok());
+        (commitment, challenge, response)
+    }
+
+    /// Verify a non-interactive proof and returns a Result: `Ok(())` if the proof verifies successfully, `Err(())` otherwise.
+    pub fn verify(
+        &mut self,
+        commitment: &P::Commitment,
+        challenge: &P::Challenge,
+        response: &P::Response
+    ) -> Result<(), ProofError> {
+        let mut codec = self.hash_state.clone();
+
+        // Commitment data for expected challenge generation
+        let mut data = Vec::new();
+        for commit in commitment {
+            data.extend_from_slice(commit.to_bytes().as_ref());
+        }
+        // Recompute the challenge
+        let expected_challenge = codec
+            .prover_message(&data)
+            .verifier_challenge();
+        // Verification of the proof
+        match *challenge == expected_challenge {
+            true => self.sigmap.verifier(commitment, challenge, response),
+            false => Err(ProofError::VerificationFailure),
+        }
+    }
+
+    pub fn prove_batchable(
+        &mut self,
+        witness: &P::Witness,
+        rng: &mut (impl RngCore + CryptoRng)
+    ) -> Vec<u8> {
+        let (commitment, challenge, response) = self.prove(witness, rng);
         self.sigmap
             .serialize_batchable(&commitment, &challenge, &response)
     }
 
-    /// Verify a non-interactive serialized proof and returns a Result: `Ok(())` if the proof verifies successfully, `Err(())` otherwise.
-    pub fn verify(&mut self, proof: &[u8]) -> Result<(), ProofError> {
+    pub fn verify_batchable(
+        &mut self,
+        proof: &[u8]
+    ) -> Result<(), ProofError> {
+        let (commitment, response) = self.sigmap.deserialize_batchable(proof).unwrap();
+
         let mut codec = self.hash_state.clone();
 
-        let (commitment, response) = self.sigmap.deserialize_batchable(proof).unwrap();
-        // Commitment data for challenge generation
+        // Commitment data for expected challenge generation
         let mut data = Vec::new();
         for commit in &commitment {
             data.extend_from_slice(commit.to_bytes().as_ref());
@@ -107,4 +146,32 @@ where
         // Verification of the proof
         self.sigmap.verifier(&commitment, &challenge, &response)
     }
+}
+
+impl<P, C, G> NISigmaProtocol<P, C, G>
+where
+    G: Group + GroupEncoding,
+    P: SigmaProtocol<Commitment = Vec<G>, Challenge = <G as Group>::Scalar> + CompactProtocol,
+    C: Codec<Challenge = <G as Group>::Scalar> + Clone,
+{
+    pub fn prove_compact(
+        &mut self,
+        witness: &P::Witness,
+        rng: &mut (impl RngCore + CryptoRng)
+    ) -> Vec<u8> {
+        let (commitment, challenge, response) = self.prove(witness, rng);
+        self.sigmap
+            .serialize_compact(&commitment, &challenge, &response)
+    }
+
+    pub fn verify_compact(
+        &mut self,
+        proof: &[u8]
+    ) -> Result<(), ProofError> {
+        let (challenge, response) = self.sigmap.deserialize_compact(proof).unwrap();
+        // Compute the commitments
+        let commitment = self.sigmap.get_commitment(&challenge, &response);
+        // Verify the proof
+        self.verify(&commitment, &challenge, &response)
+    }
 }
@@ -101,10 +101,10 @@ where
     /// - `rng`: A random number generator
     ///
     /// # Returns
-    /// A serialized proof as a vector of bytes.
+    /// A serialized proof as a vector of bytes in batchable ('commitment', 'response') format.
     pub fn prove(&mut self, witness: &[<G as Group>::Scalar], rng: &mut (impl RngCore + CryptoRng)) -> Vec<u8> {
         let witness_tmp = witness.to_vec();
-        self.protocol.prove(&witness_tmp, rng)
+        self.protocol.prove_batchable(&witness_tmp, rng)
     }
 
     /// Verifies a serialized proof against the current statement.
@@ -115,6 +115,15 @@ where
     /// # Returns
     /// `Ok(())` if the proof is valid, or a [`ProofError`] if verification fails.
     pub fn verify(&mut self, proof: &[u8]) -> Result<(), ProofError> {
-        self.protocol.verify(proof)
+        self.protocol.verify_batchable(proof)
+    }
+
+    pub fn prove_compact(&mut self, witness: &[<G as Group>::Scalar], rng: &mut (impl RngCore + CryptoRng)) -> Vec<u8> {
+        let witness_tmp = witness.to_vec();
+        self.protocol.prove_compact(&witness_tmp, rng)
+    }
+
+    pub fn verify_compact(&mut self, proof: &[u8]) -> Result<(), ProofError> {
+        self.protocol.verify_compact(proof)
     }
 }
@@ -5,10 +5,7 @@
 //! through a group morphism abstraction (see Maurer09).
 
 use crate::{
-    GroupMorphismPreimage,
-    serialisation::GroupSerialisation, 
-    SigmaProtocol,
-    ProofError,
+    serialisation::GroupSerialisation, CompactProtocol, GroupMorphismPreimage, ProofError, SigmaProtocol
 };
 
 use ff::{Field, PrimeField};
@@ -81,59 +78,62 @@ where
         }
     }
 
-    /// Serializes the proof (`commitment`, `response`) into a batchable format for transmission.
+    /// Serializes the proof into a batchable (`commitment`, `response`) format for transmission.
     fn serialize_batchable(
         &self,
         commitment: &Self::Commitment,
         _challenge: &Self::Challenge,
         response: &Self::Response,
     ) -> Vec<u8> {
         let mut bytes = Vec::new();
-        let scalar_nb = self.0.morphism.num_scalars;
-        let point_nb = self.0.morphism.num_statements();
+        let commit_nb = self.0.morphism.num_statements();
+        let response_nb = self.0.morphism.num_scalars;
 
         // Serialize commitments
-        for commit in commitment.iter().take(point_nb) {
+        for commit in commitment.iter().take(commit_nb) {
             bytes.extend_from_slice(&G::serialize_element(commit));
         }
 
         // Serialize responses
-        for response in response.iter().take(scalar_nb) {
+        for response in response.iter().take(response_nb) {
             bytes.extend_from_slice(&G::serialize_scalar(response));
         }
         bytes
     }
 
     /// Deserializes a batchable proof format back into (`commitment`, `response`).
-    fn deserialize_batchable(&self, data: &[u8]) -> Option<(Self::Commitment, Self::Response)> {
-        let scalar_nb = self.0.morphism.num_scalars;
-        let point_nb = self.0.morphism.num_statements();
+    fn deserialize_batchable(
+        &self,
+        data: &[u8]
+    ) -> Option<(Self::Commitment, Self::Response)> {
+        let commit_nb = self.0.morphism.num_statements();
+        let response_nb = self.0.morphism.num_scalars;
 
-        let point_size = G::generator().to_bytes().as_ref().len();
-        let scalar_size = <<G as Group>::Scalar as PrimeField>::Repr::default()
+        let commit_size = G::generator().to_bytes().as_ref().len();
+        let response_size = <<G as Group>::Scalar as PrimeField>::Repr::default()
             .as_ref()
             .len();
 
-        let expected_len = scalar_nb * scalar_size + point_nb * point_size;
+        let expected_len = response_nb * response_size + commit_nb * commit_size;
         if data.len() != expected_len {
             return None;
         }
 
         let mut commitments: Self::Commitment = Vec::new();
         let mut responses: Self::Response = Vec::new();
 
-        for i in 0..point_nb {
-            let start = i * point_size;
-            let end = start + point_size;
+        for i in 0..commit_nb {
+            let start = i * commit_size;
+            let end = start + commit_size;
 
             let slice = &data[start..end];
             let elem = G::deserialize_element(slice)?;
             commitments.push(elem);
         }
 
-        for i in 0..scalar_nb {
-            let start = point_nb * point_size + i * scalar_size;
-            let end = start + scalar_size;
+        for i in 0..response_nb {
+            let start = commit_nb * commit_size + i * response_size;
+            let end = start + response_size;
 
             let slice = &data[start..end];
             let scalar = G::deserialize_scalar(slice)?;
@@ -143,3 +143,76 @@ where
         Some((commitments, responses))
     }
 }
+
+impl<G> CompactProtocol for SchnorrProof<G>
+where
+    G: Group + GroupEncoding + GroupSerialisation,
+{
+    fn get_commitment(
+        &self,
+        challenge: &Self::Challenge,
+        response: &Self::Response
+    ) -> Self::Commitment {
+        let response_image = self.0.morphism.evaluate(response);
+        let image= self.0.image();
+        
+        let mut commitment = Vec::new();
+        for i in 0..image.len() {
+            commitment.push(response_image[i] - image[i] * challenge);
+        }
+        commitment
+    }
+
+    /// Serializes the proof into a compact (`challenge`, `response`) format for transmission.
+    fn serialize_compact(
+        &self,
+        _commitment: &Self::Commitment,
+        challenge: &Self::Challenge,
+        response: &Self::Response,
+    ) -> Vec<u8> {
+        let mut bytes = Vec::new();
+        let response_nb = self.0.morphism.num_scalars;
+
+        // Serialize challenge
+        bytes.extend_from_slice(&G::serialize_scalar(challenge));
+
+        // Serialize responses
+        for response in response.iter().take(response_nb) {
+            bytes.extend_from_slice(&G::serialize_scalar(response));
+        }
+        bytes
+    }
+
+    /// Deserializes a compact proof format back into (`challenge`, `response`).
+    fn deserialize_compact(
+        &self,
+        data: &[u8]
+    ) -> Option<(Self::Challenge, Self::Response)> {
+        let response_nb = self.0.morphism.num_scalars;
+        let response_size = <<G as Group>::Scalar as PrimeField>::Repr::default()
+            .as_ref()
+            .len();
+
+        let expected_len = (response_nb + 1) * response_size;
+
+        if data.len() != expected_len {
+            return None;
+        }
+
+        let mut responses: Self::Response = Vec::new();
+
+        let slice = &data[0..response_size];
+        let challenge = G::deserialize_scalar(slice)?;
+
+        for i in 0..response_nb {
+            let start = (i + 1) * response_size;
+            let end = start + response_size;
+
+            let slice = &data[start..end];
+            let scalar = G::deserialize_scalar(slice)?;
+            responses.push(scalar);
+        }
+
+        Some((challenge, responses))
+    }
+}
@@ -79,11 +79,38 @@ pub trait SigmaProtocol {
     ///
     /// # Panics
     /// Panics if deserialization is not supported for this protocol.
-    fn deserialize_batchable(&self, _data: &[u8]) -> Option<(Self::Commitment, Self::Response)> {
+    fn deserialize_batchable(
+        &self,
+        _data: &[u8]
+    ) -> Option<(Self::Commitment, Self::Response)> {
         panic!("deserialize_batchable not implemented for this protocol")
     }
 }
 
+pub trait CompactProtocol: SigmaProtocol {
+    fn get_commitment(
+        &self,
+        challenge: &Self::Challenge,
+        response: &Self::Response
+    ) -> Self::Commitment;
+
+    fn serialize_compact(
+        &self,
+        _commitment: &Self::Commitment,
+        _challenge: &Self::Challenge,
+        _response: &Self::Response,
+    ) -> Vec<u8> {
+        panic!("serialize_compact not implemented for this protocol")
+    }
+
+    fn deserialize_compact(
+        &self,
+        _data: &[u8]
+    ) -> Option<(Self::Challenge, Self::Response)> {
+        panic!("deserialize_compact not implemented for this protocol")
+    }
+}
+
 /// A trait defining the behavior of a Sigma protocol for which simulation of transcripts is necessary.
 ///
 /// All Sigma protocols can technically simulate a valid transcript, but this mostly serve to prove the security of the protocol and is not used in the real protocol execution.