refactor: simulator for sigma protocols.

Author: mmaker

src/composition.rs

@@ -129,20 +129,20 @@ impl<G: Group + GroupEncoding> SigmaProtocol for Protocol<G> {
                 ))
             }
             (Protocol::Or(ps), ProtocolWitness::Or(w_index, w)) => {
-                let mut commitments = Vec::with_capacity(ps.len());
+                let mut commitments = Vec::new();
                 let mut simulated_challenges = Vec::new();
                 let mut simulated_responses = Vec::new();
-                let (real_commit, real_state) = ps[*w_index].prover_commit(&w[0], rng)?;
-                for (i, _) in ps.iter().enumerate() {
-                    if i != *w_index {
-                        let (c, ch, r) = ps[i].simulate_transcript(rng);
-                        commitments.push(c);
-                        simulated_challenges.push(ch);
-                        simulated_responses.push(r);
-                    } else {
-                        commitments.push(real_commit.clone());
-                    }
+
+                let (real_commitment, real_state) = ps[*w_index].prover_commit(&w[0], rng)?;
+
+                for i in (0..ps.len()).filter(|i| i != w_index) {
+                    let (commitment, challenge, response) = ps[i].simulate_transcript(rng)?;
+                    commitments.push(commitment);
+                    simulated_challenges.push(challenge);
+                    simulated_responses.push(response);
                 }
+                commitments.insert(*w_index, real_commitment);
+
                 Ok((
                     ProtocolCommitment::Or(commitments),
                     ProtocolProverState::Or(
@@ -152,7 +152,7 @@ impl<G: Group + GroupEncoding> SigmaProtocol for Protocol<G> {
                     ),
                 ))
             }
-            _ => panic!(),
+            _ => unreachable!(),
         }
     }
 
@@ -423,7 +423,9 @@ impl<G: Group + GroupEncoding> SigmaProtocol for Protocol<G> {
             }
         }
     }
+}
 
+impl<G: Group + GroupEncoding> SigmaProtocolSimulator for Protocol<G> {
     fn simulate_commitment(
         &self,
         challenge: &Self::Challenge,
@@ -450,107 +452,75 @@ impl<G: Group + GroupEncoding> SigmaProtocol for Protocol<G> {
             _ => panic!(),
         }
     }
-}
 
-impl<G: Group + GroupEncoding> SigmaProtocolSimulator for Protocol<G> {
-    fn simulate_proof(
-        &self,
-        challenge: &Self::Challenge,
-        rng: &mut (impl rand::Rng + rand::CryptoRng),
-    ) -> (Self::Commitment, Self::Response) {
+    fn simulate_response<R: rand::Rng + rand::CryptoRng>(&self, rng: &mut R) -> Self::Response {
         match self {
-            Protocol::Simple(p) => {
-                let (c, r) = p.simulate_proof(challenge, rng);
-                (ProtocolCommitment::Simple(c), ProtocolResponse::Simple(r))
-            }
+            Protocol::Simple(p) => ProtocolResponse::Simple(p.simulate_response(rng)),
             Protocol::And(ps) => {
-                let mut commitments = Vec::with_capacity(ps.len());
-                let mut responses = Vec::with_capacity(ps.len());
-
-                for p in ps.iter() {
-                    let (c, r) = p.simulate_proof(challenge, rng);
-                    commitments.push(c);
-                    responses.push(r);
-                }
-                (
-                    ProtocolCommitment::And(commitments),
-                    ProtocolResponse::And(responses),
-                )
+                ProtocolResponse::And(ps.iter().map(|p| p.simulate_response(rng)).collect())
             }
             Protocol::Or(ps) => {
-                let mut commitments = Vec::with_capacity(ps.len());
-                let mut challenges = Vec::new();
+                let mut challenges = Vec::with_capacity(ps.len());
                 let mut responses = Vec::with_capacity(ps.len());
-
-                for p in ps.iter().take(ps.len() - 1) {
-                    let (c, ch, r) = p.simulate_transcript(rng);
-                    commitments.push(c);
-                    challenges.push(ch);
-                    responses.push(r);
+                for _ in 0..ps.len() {
+                    challenges.push(G::Scalar::random(&mut *rng));
                 }
-                let last_ch: <G as Group>::Scalar = challenges.iter().sum();
-                let (last_c, last_r) = ps[ps.len() - 1].simulate_proof(&last_ch, rng);
-                commitments.push(last_c);
-                challenges.push(last_ch);
-                responses.push(last_r);
-
-                (
-                    ProtocolCommitment::Or(commitments),
-                    ProtocolResponse::Or(challenges, responses),
-                )
+                for p in ps.iter() {
+                    responses.push(p.simulate_response(&mut *rng));
+                }
+                ProtocolResponse::Or(challenges, responses)
             }
         }
     }
 
-    fn simulate_transcript(
+    fn simulate_transcript<R: rand::Rng + rand::CryptoRng>(
         &self,
-        rng: &mut (impl rand::Rng + rand::CryptoRng),
-    ) -> (Self::Commitment, Self::Challenge, Self::Response) {
+        rng: &mut R,
+    ) -> Result<(Self::Commitment, Self::Challenge, Self::Response), Error> {
         match self {
             Protocol::Simple(p) => {
-                let (c, ch, r) = p.simulate_transcript(rng);
-                (
+                let (c, ch, r) = p.simulate_transcript(rng)?;
+                Ok((
                     ProtocolCommitment::Simple(c),
                     ch,
                     ProtocolResponse::Simple(r),
-                )
+                ))
             }
             Protocol::And(ps) => {
-                let mut commitments = Vec::with_capacity(ps.len());
+                let challenge = G::Scalar::random(&mut *rng);
                 let mut responses = Vec::with_capacity(ps.len());
-
-                let (c, challenge, r) = ps[0].simulate_transcript(rng);
-                commitments.push(c);
-                responses.push(r);
-
-                for p in ps.iter().skip(1) {
-                    let (c, r) = p.simulate_proof(&challenge, rng);
-                    commitments.push(c);
-                    responses.push(r);
+                for p in ps.iter() {
+                    responses.push(p.simulate_response(&mut *rng));
                 }
-                (
+                let commitments = ps
+                    .iter()
+                    .enumerate()
+                    .map(|(i, p)| p.simulate_commitment(&challenge, &responses[i]))
+                    .collect::<Result<Vec<_>, Error>>()?;
+
+                Ok((
                     ProtocolCommitment::And(commitments),
                     challenge,
                     ProtocolResponse::And(responses),
-                )
+                ))
             }
             Protocol::Or(ps) => {
                 let mut commitments = Vec::with_capacity(ps.len());
                 let mut challenges = Vec::with_capacity(ps.len());
                 let mut responses = Vec::with_capacity(ps.len());
 
                 for p in ps.iter() {
-                    let (c, ch, r) = p.simulate_transcript(rng);
+                    let (c, ch, r) = p.simulate_transcript(rng)?;
                     commitments.push(c);
                     challenges.push(ch);
                     responses.push(r);
                 }
                 let challenge = challenges.iter().sum();
-                (
+                Ok((
                     ProtocolCommitment::Or(commitments),
                     challenge,
                     ProtocolResponse::Or(challenges, responses),
-                )
+                ))
             }
         }
     }

src/fiat_shamir.rs

@@ -12,9 +12,9 @@
 //! - `P`: the underlying Sigma protocol ([`SigmaProtocol`] trait).
 //! - `C`: the codec ([`Codec`] trait).
 
-use crate::codec::Codec;
 use crate::errors::Error;
 use crate::traits::SigmaProtocol;
+use crate::{codec::Codec, traits::SigmaProtocolSimulator};
 
 use rand::{CryptoRng, RngCore};
 
@@ -205,7 +205,7 @@ where
 
 impl<P, C> NISigmaProtocol<P, C>
 where
-    P: SigmaProtocol,
+    P: SigmaProtocol + SigmaProtocolSimulator,
     P::Challenge: PartialEq,
     C: Codec<Challenge = P::Challenge> + Clone,
 {

src/schnorr_protocol.rs

@@ -15,7 +15,7 @@ use crate::{
 
 use ff::Field;
 use group::{Group, GroupEncoding};
-use rand::{CryptoRng, RngCore};
+use rand::{CryptoRng, Rng, RngCore};
 
 /// A Schnorr protocol proving knowledge of a witness for a linear group relation.
 ///
@@ -259,6 +259,43 @@ where
     fn protocol_identifier(&self) -> impl AsRef<[u8]> {
         b"SchnorrProof"
     }
+}
+
+impl<G> SigmaProtocolSimulator for SchnorrProof<G>
+where
+    G: Group + GroupEncoding,
+{
+    /// Simulates a valid transcript for a given challenge without a witness.
+    ///
+    /// # Parameters
+    /// - `challenge`: A scalar value representing the challenge.
+    /// - `rng`: A cryptographically secure RNG.
+    ///
+    /// # Returns
+    /// - A commitment and response forming a valid proof for the given challenge.
+    fn simulate_response<R: Rng + CryptoRng>(&self, mut rng: &mut R) -> Self::Response {
+        let response: Vec<G::Scalar> = (0..self.witness_length())
+            .map(|_| G::Scalar::random(&mut rng))
+            .collect();
+        response
+    }
+
+    /// Simulates a full proof transcript using a randomly generated challenge.
+    ///
+    /// # Parameters
+    /// - `rng`: A cryptographically secure RNG.
+    ///
+    /// # Returns
+    /// - A tuple `(commitment, challenge, response)` forming a valid proof.
+    fn simulate_transcript<R: Rng + CryptoRng>(
+        &self,
+        rng: &mut R,
+    ) -> Result<(Self::Commitment, Self::Challenge, Self::Response), Error> {
+        let challenge = G::Scalar::random(&mut *rng);
+        let response = self.simulate_response(&mut *rng);
+        let commitment = self.simulate_commitment(&challenge, &response)?;
+        Ok((commitment, challenge, response))
+    }
 
     /// Recomputes the commitment from the challenge and response (used in compact proofs).
     ///
@@ -291,47 +328,3 @@ where
         Ok(commitment)
     }
 }
-
-impl<G> SigmaProtocolSimulator for SchnorrProof<G>
-where
-    G: Group + GroupEncoding,
-{
-    /// Simulates a valid transcript for a given challenge without a witness.
-    ///
-    /// # Parameters
-    /// - `challenge`: A scalar value representing the challenge.
-    /// - `rng`: A cryptographically secure RNG.
-    ///
-    /// # Returns
-    /// - A commitment and response forming a valid proof for the given challenge.
-    fn simulate_proof(
-        &self,
-        challenge: &Self::Challenge,
-        mut rng: &mut (impl RngCore + CryptoRng),
-    ) -> (Self::Commitment, Self::Response) {
-        let response: Vec<G::Scalar> = (0..self.witness_length())
-            .map(|_| G::Scalar::random(&mut rng))
-            .collect();
-
-        // Use simulate_commitment to compute the commitment
-        let commitment = self.simulate_commitment(challenge, &response).unwrap();
-
-        (commitment, response)
-    }
-
-    /// Simulates a full proof transcript using a randomly generated challenge.
-    ///
-    /// # Parameters
-    /// - `rng`: A cryptographically secure RNG.
-    ///
-    /// # Returns
-    /// - A tuple `(commitment, challenge, response)` forming a valid proof.
-    fn simulate_transcript(
-        &self,
-        mut rng: &mut (impl RngCore + CryptoRng),
-    ) -> (Self::Commitment, Self::Challenge, Self::Response) {
-        let challenge = G::Scalar::random(&mut rng);
-        let (commitment, response) = self.simulate_proof(&challenge, rng);
-        (commitment, challenge, response)
-    }
-}

src/tests/spec/custom_schnorr_protocol.rs

@@ -7,7 +7,7 @@ use crate::serialization::{
     deserialize_elements, deserialize_scalars, serialize_elements, serialize_scalars,
 };
 use crate::tests::spec::random::SRandom;
-use crate::traits::SigmaProtocol;
+use crate::traits::{SigmaProtocol, SigmaProtocolSimulator};
 
 pub struct SchnorrProtocolCustom<G: SRandom + GroupEncoding>(pub LinearRelation<G>);
 
@@ -113,7 +113,16 @@ where
         deserialize_scalars::<G>(data, self.0.linear_map.num_scalars)
             .ok_or(Error::VerificationFailure)
     }
+    fn instance_label(&self) -> impl AsRef<[u8]> {
+        self.0.label()
+    }
 
+    fn protocol_identifier(&self) -> impl AsRef<[u8]> {
+        b"draft-zkproof-fiat-shamir"
+    }
+}
+
+impl<G: SRandom + GroupEncoding> SigmaProtocolSimulator for SchnorrProtocolCustom<G> {
     fn simulate_commitment(
         &self,
         challenge: &Self::Challenge,
@@ -133,11 +142,19 @@ where
         Ok(commitment)
     }
 
-    fn instance_label(&self) -> impl AsRef<[u8]> {
-        self.0.label()
+    fn simulate_response<R: Rng + CryptoRng>(&self, rng: &mut R) -> Self::Response {
+        (0..self.0.linear_map.num_scalars)
+            .map(|_| <G as SRandom>::srandom(rng))
+            .collect()
     }
 
-    fn protocol_identifier(&self) -> impl AsRef<[u8]> {
-        b"draft-zkproof-fiat-shamir"
+    fn simulate_transcript<R: Rng + CryptoRng>(
+        &self,
+        rng: &mut R,
+    ) -> Result<(Self::Commitment, Self::Challenge, Self::Response), Error> {
+        let challenge = <G as SRandom>::srandom(rng);
+        let response = self.simulate_response(rng);
+        let commitment = self.simulate_commitment(&challenge, &response)?;
+        Ok((commitment, challenge, response))
     }
 }