sigma-rs
diff --git a/‎Cargo.toml‎
Lines changed: 1 addition & 1 deletion b/‎Cargo.toml‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎examples/simple_composition.rs‎
Lines changed: 9 additions & 1 deletion b/‎examples/simple_composition.rs‎
Lines changed: 9 additions & 1 deletion
diff --git a/‎src/codec.rs‎
Lines changed: 3 additions & 3 deletions b/‎src/codec.rs‎
Lines changed: 3 additions & 3 deletions
@@ -26,6 +26,7 @@ num-bigint = "0.4.6"
 num-traits = "0.2.19"
 rand = "0.8.5"
 sha3 = "0.10.8"
+subtle = "2.6.1"
 thiserror = "1"
 keccak = "0.1.5"
 zerocopy = "0.8"
@@ -40,7 +41,6 @@ json = "0.12.4"
 serde = { version = "1.0.219", features = ["derive"] }
 serde_json = "1.0.140"
 sha2 = "0.10"
-subtle = "2.6.1"
 
 [profile.dev]
 # Makes tests run much faster at the cost of slightly longer builds and worse debug info.
 
@@ -10,6 +10,7 @@ use sigma_rs::{
     errors::Error,
     LinearRelation, Nizk,
 };
+use subtle::CtOption;
 
 type G = RistrettoPoint;
 type ProofResult<T> = Result<T, Error>;
@@ -53,7 +54,14 @@ fn prove(P1: G, x2: Scalar, H: G) -> ProofResult<Vec<u8>> {
     let Q = H * x2;
 
     let instance = create_relation(P1, P2, Q, H);
-    let witness = ComposedWitness::Or(1, vec![ComposedWitness::Simple(vec![x2])]);
+    // Create OR witness with branch 1 being the real one (index 1)
+    let witness = ComposedWitness::Or(vec![
+        CtOption::new(
+            ComposedWitness::Simple(vec![Scalar::from(0u64)]),
+            0u8.into(),
+        ), // dummy for branch 0
+        CtOption::new(ComposedWitness::Simple(vec![x2]), 1u8.into()), // real witness for branch 1
+    ]);
     let nizk = Nizk::<_, Shake128DuplexSponge<G>>::new(b"or_proof_example", instance);
 
     nizk.prove_batchable(&witness, &mut OsRng)
 
@@ -1,7 +1,7 @@
 //! Encoding and decoding utilities for Fiat-Shamir and group operations.
 
-pub use crate::duplex_sponge::keccak::KeccakDuplexSponge;
-use crate::duplex_sponge::{shake::ShakeDuplexSponge, DuplexSpongeInterface};
+use crate::duplex_sponge::DuplexSpongeInterface;
+pub use crate::duplex_sponge::{keccak::KeccakDuplexSponge, shake::ShakeDuplexSponge};
 use ff::PrimeField;
 use group::prime::PrimeGroup;
 use num_bigint::BigUint;
@@ -101,7 +101,7 @@ where
         self.hasher.absorb(data);
     }
 
-    fn verifier_challenge(&mut self) -> G::Scalar {
+    fn verifier_challenge(&mut self) -> Self::Challenge {
         #[allow(clippy::manual_div_ceil)]
         let scalar_byte_length = (G::Scalar::NUM_BITS as usize + 7) / 8;