Codec: more appropriate and explicit name for the API to provide a deterministic challenge for the Fiat-Shamir transform

Author: nougzarm

Cargo.toml

@@ -2,7 +2,7 @@
 name = "sigma-rs"
 version = "0.1.0"
 authors = [
-    "nougzarm <[email protected]>",
+    "Nugzari Uzoevi <[email protected]>",
     "Michele Orrù <[email protected]>",
     "Lénaïck Gouriou <[email protected]>"
 ]

src/transcript/keccak_transcript.rs renamed to src/codec/keccak_codec.rs

@@ -1,4 +1,4 @@
-use crate::transcript::r#trait::{DuplexSpongeInterface, TranscriptCodec};
+use crate::codec::r#trait::{DuplexSpongeInterface, Codec};
 use crate::GroupSerialisation;
 use ff::PrimeField;
 use group::{Group, GroupEncoding};
@@ -160,7 +160,7 @@ where
     _marker: core::marker::PhantomData<G>,
 }
 
-impl<G, H> TranscriptCodec<G> for ByteSchnorrCodec<G, H>
+impl<G, H> Codec<G> for ByteSchnorrCodec<G, H>
 where
     G: Group + GroupEncoding + GroupSerialisation,
     H: DuplexSpongeInterface,

src/codec/mod.rs

@@ -0,0 +1,7 @@
+pub mod keccak_codec;
+pub mod shake_codec;
+pub mod r#trait;
+
+pub use keccak_codec::{ByteSchnorrCodec, KeccakDuplexSponge};
+pub use r#trait::Codec;
+pub use shake_codec::ShakeCodec;

src/transcript/shake_transcript.rs renamed to src/codec/shake_codec.rs

@@ -1,15 +1,15 @@
-//! Implementation of a Fiat-Shamir transcript codec using SHAKE128 (Keccak)
+//! Implementation of a Fiat-Shamir codec using SHAKE128
 //!
-//! This module defines `KeccakTranscript`, a concrete implementation of the `TranscriptCodec`
+//! This module defines `ShakeCodec`, a concrete implementation of the `Codec`
 //! trait. It uses the SHAKE128 extendable output function (XOF) from the Keccak family
 //! to generate Fiat-Shamir challenges for Sigma protocols.
 //!
-//! It allows commitments (group elements) to be absorbed into a transcript,
+//! It allows commitments (group elements) to be absorbed into a codec,
 //! and produces scalar challenges by squeezing bytes from the hash state.
 //!
 //! # Usage
-//! - The prover and verifier absorb the same messages into identical `KeccakTranscript` instances.
-//! - The prover and the verifier then squeeze the hash to generate a challenge scalar for the protocol. The verifier can check that the prover used the challenge output by the transcript because he owns an identical transcript.
+//! - The prover and verifier absorb the same messages into identical `ShakeCodec` instances.
+//! - The prover and the verifier then squeeze the hash to generate a challenge scalar for the protocol. The verifier can check that the prover used the challenge output by the codec because he owns an identical codec.
 
 use ff::PrimeField;
 use group::{Group, GroupEncoding};
@@ -18,28 +18,28 @@ use sha3::{
     Shake128,
 };
 
-use crate::transcript::r#trait::TranscriptCodec;
+use crate::codec::r#trait::Codec;
 
-/// A Fiat-Shamir transcript over a group `G`, using SHAKE128 (Keccak).
+/// A Fiat-Shamir codec over a group `G`, using SHAKE128.
 ///
 /// This struct manages the state of the hash function and produces
 /// deterministic, random-looking scalars for use in Sigma protocols.
 ///
-/// The transcript is initialized with a domain separator and absorbs serialized
+/// The codec is initialized with a domain separator and absorbs serialized
 /// group elements. It outputs challenges compatible with the group’s scalar field.
-pub struct ShakeTranscript<G: Group> {
+pub struct ShakeCodec<G: Group> {
     /// Internal SHAKE128 hasher state.
     hasher: Shake128,
-    /// Marker to bind this transcript to a specific group `G`.
+    /// Marker to bind this codec to a specific group `G`.
     _marker: core::marker::PhantomData<G>,
 }
 
-impl<G> TranscriptCodec<G> for ShakeTranscript<G>
+impl<G> Codec<G> for ShakeCodec<G>
 where
     G: Group + GroupEncoding,
     G::Scalar: PrimeField,
 {
-    /// Initializes the transcript with a domain separation label, to avoid cross-protocol collisions.
+    /// Initializes the codec with a domain separation label, to avoid cross-protocol collisions.
     fn new(domain_sep: &[u8]) -> Self {
         let mut hasher = Shake128::default();
         hasher.update(domain_sep);
@@ -49,15 +49,15 @@ where
         }
     }
 
-    /// Absorbs a slice of group elements into the transcript. Each element is serialized and fed into the hasher.
+    /// Absorbs a slice of group elements into the codec. Each element is serialized and fed into the hasher.
     fn prover_message(&mut self, elems: &[G]) -> &mut Self {
         for elem in elems {
             self.hasher.update(elem.to_bytes().as_ref());
         }
         self
     }
 
-    /// Produce a random-looking challenge scalar from the transcript.
+    /// Produce a random-looking challenge scalar from the codec.
     ///
     /// The method reads from the finalized SHAKE128 state until it finds
     /// a valid scalar (i.e., one within the field).

src/codec/trait.rs

@@ -0,0 +1,37 @@
+//! Codec Trait
+//!
+//! This module defines the `Codec` trait, a generic interface to manage codecs of a protocol execution.
+
+use group::Group;
+
+pub trait DuplexSpongeInterface {
+    fn new(iv: &[u8]) -> Self;
+
+    fn absorb(&mut self, input: &[u8]);
+
+    fn squeeze(&mut self, length: usize) -> Vec<u8>;
+}
+
+/// A trait defining the behavior of a domain-separated codec hashing, which is typically used for Sigma Protocols.
+///
+/// A domain-separated hashing codec is a codec, identified by a domain, which is incremented with successive messages ("absorb"). The codec can then output a bit stream of any length, which is typically used to generate a challenge unique to the given codec ("squeeze"). (See Sponge Construction).
+///
+/// The output is deterministic for a given set of input. Thus, both Prover and Verifier can generate the codec on their sides and ensure the same inputs have been used in both side of the protocol.
+///
+/// ## Minimal Implementation
+/// Types implementing `Codec` must define:
+/// - `new`
+/// - `prover_message`
+/// - `verifier_challenge`
+pub trait Codec<G: Group> {
+    /// Generates an empty codec that can be identified by a domain separator.
+    fn new(domain_sep: &[u8]) -> Self;
+
+    /// Absorbs a list of group elements (e.g., commitments) into the codec.
+    fn prover_message(&mut self, elems: &[G]) -> &mut Self
+    where
+        Self: Sized;
+
+    /// Produces a scalar that can be used as a challenge from the codec.
+    fn verifier_challenge(&mut self) -> G::Scalar;
+}

src/fiat_shamir.rs

@@ -1,20 +1,20 @@
 //! Fiat-Shamir transformation for Sigma protocols.
 //!
 //! This module defines `NISigmaProtocol`, a generic non-interactive Sigma protocol wrapper,
-//! based on applying the Fiat-Shamir heuristic using a transcript codec.
+//! based on applying the Fiat-Shamir heuristic using a codec.
 //!
 //! It transforms an interactive Sigma protocol into a non-interactive one,
 //! by deriving challenges deterministically from previous protocol messages
-//! via a cryptographic sponge function (transcript).
+//! via a cryptographic sponge function (Codec).
 //!
 //! # Usage
 //! This struct is generic over:
 //! - `P`: the underlying Sigma protocol (`SigmaProtocol` trait).
-//! - `C`: the transcript codec (`TranscriptCodec` trait).
+//! - `C`: the codec (`Codec` trait).
 //! - `G`: the group used for commitments and operations (`Group` trait).
 
 use crate::{
-    transcript::TranscriptCodec,
+    codec::Codec,
     SigmaProtocol,
     ProofError
 };
@@ -25,24 +25,24 @@ use rand::{CryptoRng, RngCore};
 /// A Fiat-Shamir transformation of a Sigma protocol into a non-interactive proof.
 ///
 /// `NISigmaProtocol` wraps an interactive Sigma protocol `P`
-/// and a hash-based transcript `C`, to produce non-interactive proofs.
+/// and a hash-based codec `C`, to produce non-interactive proofs.
 ///
-/// It manages the domain separation, transcript reset,
+/// It manages the domain separation, codec reset,
 /// proof generation, and proof verification.
 ///
 /// # Type Parameters
 /// - `P`: the Sigma protocol implementation.
-/// - `C`: the transcript codec used for Fiat-Shamir.
+/// - `C`: the codec used for Fiat-Shamir.
 /// - `G`: the group on which the protocol operates.
 pub struct NISigmaProtocol<P, C, G>
 where
     G: Group,
     P: SigmaProtocol<Commitment = Vec<G>, Challenge = <G as Group>::Scalar>,
-    C: TranscriptCodec<G>,
+    C: Codec<G>,
 {
     /// Domain separation string for the Fiat-Shamir transform.
     domain_sep: Vec<u8>,
-    /// Current transcript state.
+    /// Current codec state.
     hash_state: C,
     /// Underlying Sigma protocol.
     sigmap: P,
@@ -52,7 +52,7 @@ impl<P, C, G> NISigmaProtocol<P, C, G>
 where
     G: Group,
     P: SigmaProtocol<Commitment = Vec<G>, Challenge = <G as Group>::Scalar>,
-    C: TranscriptCodec<G>,
+    C: Codec<G>,
 {
     /// Creates a new non-interactive Sigma protocol, identified by a domain separator (usually fixed per protocol instantiation), and an initialized Sigma protocol instance.
     pub fn new(iv: &[u8], instance: P) -> Self {

src/lib.rs

@@ -28,5 +28,5 @@ pub use proof_composition::*;
 pub use schnorr_proof::*;
 pub use r#trait::*;
 
-pub mod transcript;
+pub mod codec;
 pub mod old;

src/transcript/mod.rs

@@ -1,30 +1,30 @@
 use curve25519_dalek::ristretto::RistrettoPoint;
 use rand::rngs::OsRng;
 
-use sigma_rs::transcript::{
-    r#trait::TranscriptCodec, shake_transcript::ShakeTranscript,
+use sigma_rs::codec::{
+    r#trait::Codec, shake_codec::ShakeCodec,
 };
 
-pub type KeccakTranscriptRistretto = ShakeTranscript<curve25519_dalek::ristretto::RistrettoPoint>;
+pub type ShakeCodecRistretto = ShakeCodec<curve25519_dalek::ristretto::RistrettoPoint>;
 
 #[allow(non_snake_case)]
 #[test]
-fn keccak_transcript_ristretto() {
+fn shake_codec_ristretto() {
     // Type alias to mirror the Sage naming
-    type Transcript = KeccakTranscriptRistretto;
+    type Codec = ShakeCodecRistretto;
 
     // Generate some commitments
     let G = RistrettoPoint::random(&mut OsRng);
     let H = RistrettoPoint::random(&mut OsRng);
 
-    let domain_sep = b"test-keccak-ristretto";
+    let domain_sep = b"test-shake-ristretto";
 
-    // Initialize transcript
-    let mut binding = Transcript::new(domain_sep);
-    let transcript = binding.prover_message(&[G, H]);
+    // Initialize codec
+    let mut binding = Codec::new(domain_sep);
+    let codec = binding.prover_message(&[G, H]);
 
     // Derive challenge
-    let challenge = transcript.verifier_challenge();
+    let challenge = codec.verifier_challenge();
 
     // Output result
     println!("Challenge: {:?}", challenge);