Implemented a TestDRNG structure to pull Scalars in the same way as on sage

Author: nougzarm

Cargo.toml

@@ -34,6 +34,10 @@ ff = { version = "0.13", features = ["derive"] }
 sha3 = "0.10.8"
 rand_chacha = "0.3"
 hex = "0.4"
+sha2 = "0.10"
+subtle = "2.6.1"
+num-bigint = "0.4.6"
+num-traits = "0.2.19"
 
 [dev-dependencies]
 bincode = "1"

src/toolbox/sigma/mod.rs

@@ -6,8 +6,9 @@ pub mod schnorr_proof;
 /// Defines the transcript for a Sigma Protocol
 pub mod transcript;
 pub mod group_serialisation;
+pub mod sage_test;
 
-pub use r#trait::{SigmaProtocol, SigmaProtocolSimulator};
+pub use r#trait::{SigmaProtocol, SigmaProtocolSimulator, GroupSerialisation};
 pub use proof_composition::{AndProtocol, OrProtocol};
 pub use fiat_shamir::NISigmaProtocol;
 pub use schnorr_proof::SchnorrProof;

src/toolbox/sigma/sage_test/BLS12_381.rs

@@ -0,0 +1,63 @@
+use crate::toolbox::sigma::sage_test::{TestDRNG, SInput, SRandom};
+use group::Group;
+use ff::PrimeField;
+use bls12_381::G1Projective;
+use subtle::CtOption;
+use num_bigint::BigUint;
+use hex::FromHex;
+use num_traits::One;
+use crate::rand::RngCore;
+
+impl SInput for G1Projective {
+    fn scalar_from_hex_be(
+            hex_str: &str
+        ) -> Option<Self::Scalar> {
+        let be_bytes = Vec::from_hex(hex_str).ok()?;
+        if be_bytes.len() != 32 {
+            return None;
+        }
+
+        let mut le_bytes = [0u8; 32];
+        for (i, b) in be_bytes.iter().enumerate() {
+            le_bytes[31 - i] = *b;
+        }
+
+        let ctopt: CtOption<Self::Scalar> = <Self as Group>::Scalar::from_repr(le_bytes);
+        if bool::from(ctopt.is_some()) {
+            Some(ctopt.unwrap())
+        } else {
+            None
+        }
+    }
+}
+
+impl SRandom<TestDRNG> for G1Projective {
+    fn randint_big(rng: &mut TestDRNG, l: &BigUint, h: &BigUint) -> BigUint {
+        assert!(l <= h);
+        let range = h - l + BigUint::one();
+        let bits = range.bits();
+        let bytes_needed = ((bits + 7) / 8) as usize;
+
+        loop {
+            let mut buf = vec![0u8; bytes_needed];
+            rng.fill_bytes(&mut buf);
+            let val = BigUint::from_bytes_be(&buf);
+            if val.bits() <= bits {
+                return l + (val % &range);
+            }
+        }
+    }
+
+    fn srandom(
+        rng: &mut TestDRNG
+    ) -> Self::Scalar {
+        let low = BigUint::parse_bytes(b"1", 10).unwrap();
+        let high = BigUint::parse_bytes(b"73eda753299d7d483339d80809a1d80553bda402fffe5bfeffffffff00000000", 16).unwrap();
+        let rand = rng.randint_big(&low, &high);
+        let mut hex_string = rand.to_str_radix(16);
+        if hex_string.len() < 64 {
+            hex_string = format!("{:0>64}", hex_string); // pad à gauche avec des zéros
+        }
+        G1Projective::scalar_from_hex_be(&hex_string).unwrap()
+    }
+}

src/toolbox/sigma/sage_test/mod.rs

@@ -0,0 +1,6 @@
+pub mod test_drng;
+pub mod random;
+pub mod BLS12_381;
+
+pub use test_drng::TestDRNG;
+pub use random::{SInput, SRandom};

src/toolbox/sigma/sage_test/random.rs

@@ -0,0 +1,19 @@
+use group::{Group, GroupEncoding};
+use rand::{Rng, CryptoRng};
+use num_bigint::BigUint;
+
+pub trait SInput: Group + GroupEncoding {
+    fn scalar_from_hex_be(
+        hex_str: &str
+    ) -> Option<Self::Scalar>;
+}
+
+pub trait SRandom<DRNG: Rng + CryptoRng>: Group {
+    fn randint_big(
+        rng: &mut DRNG, l: &BigUint, h: &BigUint
+    ) -> BigUint;
+
+    fn srandom(
+        rng: &mut DRNG
+    ) -> Self::Scalar;
+}

src/toolbox/sigma/sage_test/test_drng.rs

@@ -0,0 +1,91 @@
+use sha2::{Sha256, Digest};
+use rand::{CryptoRng, Error, RngCore};
+use num_bigint::BigUint;
+use num_traits::One;
+
+pub struct TestDRNG {
+    seed: [u8; 32],
+}
+
+impl TestDRNG {
+    pub fn new(seed: &[u8]) -> Self {
+        let mut hasher = Sha256::new();
+        hasher.update(seed);
+        let result = hasher.finalize();
+        let mut seed_bytes = [0u8; 32];
+        seed_bytes.copy_from_slice(&result);
+        Self { seed: seed_bytes }
+    }
+
+    pub fn randint(&mut self, l: u64, h: u64) -> u64 {
+        assert!(l <= h);
+        let range = h - l + 1;
+        let bits = 64 - range.leading_zeros();
+        let bytes_needed = ((bits + 7) / 8) as usize;
+
+        loop {
+            let mut buf = vec![0u8; bytes_needed];
+            self.fill_bytes(&mut buf);
+            let mut val = 0u64;
+            for b in buf {
+                val = (val << 8) | b as u64;
+            }
+            if val < (1u64 << bits) {
+                return l + (val % range);
+            }
+        }
+    }
+
+    pub fn randint_big(&mut self, l: &BigUint, h: &BigUint) -> BigUint {
+        assert!(l <= h);
+        let range = h - l + BigUint::one();
+        let bits = range.bits();
+        let bytes_needed = ((bits + 7) / 8) as usize;
+
+        loop {
+            let mut buf = vec![0u8; bytes_needed];
+            self.fill_bytes(&mut buf);
+            let val = BigUint::from_bytes_be(&buf);
+            if val.bits() <= bits {
+                return l + (val % &range);
+            }
+        }
+    }
+}
+
+impl RngCore for TestDRNG {
+    fn next_u32(&mut self) -> u32 {
+        let val = u32::from_be_bytes([self.seed[0], self.seed[1], self.seed[2], self.seed[3]]);
+        let mut hasher = Sha256::new();
+        hasher.update(val.to_be_bytes());
+        let result = hasher.finalize();
+        self.seed.copy_from_slice(&result);
+        val
+    }
+
+    fn next_u64(&mut self) -> u64 {
+        ((self.next_u32() as u64) << 32) | (self.next_u32() as u64)
+    }
+
+    fn fill_bytes(&mut self, dest: &mut [u8]) {
+        let mut i = 0;
+        while i < dest.len() {
+            let rand = self.next_u32().to_be_bytes();
+            for b in rand.iter() {
+                if i < dest.len() {
+                    dest[i] = *b;
+                    i += 1;
+                } else {
+                    break;
+                }
+            }
+        }
+    }
+
+    fn try_fill_bytes(&mut self, dest: &mut [u8]) -> Result<(), Error> {
+        self.fill_bytes(dest);
+        Ok(())
+    }
+}
+
+impl CryptoRng for TestDRNG { }

src/toolbox/sigma/schnorr_proof.rs

@@ -6,10 +6,8 @@
 
 use rand::{CryptoRng, Rng};
 use group::{Group, GroupEncoding};
-use ff::{PrimeField,Field};
-use crate::{toolbox::sigma::{GroupMorphismPreimage, SigmaProtocol}, ProofError};
-
-use super::r#trait::GroupSerialisation;
+use ff::{PrimeField, Field};
+use crate::{toolbox::sigma::{GroupMorphismPreimage, SigmaProtocol, GroupSerialisation}, ProofError};
 
 /// A Schnorr protocol proving knowledge some discrete logarithm relation.
 ///
@@ -32,8 +30,7 @@ pub struct SchnorrState<S> {
 
 impl<G> SigmaProtocol for SchnorrProof<G>
 where
-    G: Group + GroupEncoding + GroupSerialisation, 
-    G::Scalar: Field + Clone,
+    G: Group + GroupEncoding + GroupSerialisation
 {
     type Commitment = Vec<G>;
     type ProverState = (Vec<<G as Group>::Scalar>, Vec<<G as Group>::Scalar>);

src/toolbox/sigma/trait.rs

@@ -2,7 +2,6 @@
 //!
 //! This module defines the `SigmaProtocol` trait, a generic interface for 3-message Sigma protocols.
 
-use ff::PrimeField;
 use group::{Group, GroupEncoding};
 use rand::{Rng, CryptoRng};
 use crate::ProofError;
@@ -124,10 +123,7 @@ pub trait SigmaProtocolSimulator: SigmaProtocol {
     }
 }
 
-pub trait GroupSerialisation: Group + GroupEncoding
-where 
-    Self::Scalar: PrimeField, 
-{
+pub trait GroupSerialisation: Group + GroupEncoding {
     fn serialize_element(point: &Self) -> Vec<u8>;
     fn deserialize_element(bytes: &[u8]) -> Option<Self>;