Add robustness tests for proof tampering and malformed encodings

Cargo.toml

@@ -27,13 +27,18 @@ num-traits = "0.2.19"
 rand = "0.8.5"
 sha3 = "0.10.8"
 thiserror = "1"
-tiny-keccak = { version = "2.0.2", features = ["fips202"] }
+keccak = "0.1.5"
+zerocopy = "0.8"
+zeroize = "1.8.1"
 
 [dev-dependencies]
 bls12_381 = "0.8.0"
 curve25519-dalek = { version = "4", default-features = false, features = ["serde", "rand_core", "alloc", "digest", "precomputed-tables", "group"] }
 hex = "0.4"
+hex-literal = "0.4"
 json = "0.12.4"
+serde = { version = "1.0.219", features = ["derive"] }
+serde_json = "1.0.140"
 sha2 = "0.10"
 subtle = "2.6.1"
 

README.md

@@ -6,14 +6,6 @@ A Rust library for building and composing Σ-protocols (Sigma protocols) for zer
 
 This library provides a flexible framework for creating zero-knowledge proofs for any statement expressible as a linear relation over group elements. Using the Fiat-Shamir transformation, these interactive protocols become non-interactive proofs suitable for real-world applications.
 
-## Key Features
-
-- **Universal**: Express any linear relation as a Sigma protocol
-- **Composable**: Build complex proofs with AND/OR combinations
-- **Generic**: Works with any prime-order group implementing the `group` trait
-- **Secure**: Constant-time implementations prevent timing attacks
-- **Flexible**: Both high-level macros and low-level constraint API
-
 ## Quick Example
 
 ```rust
@@ -86,4 +78,4 @@ This crate continues the work from the original `zkp` toolkit in [`dalek-cryptog
 This project is funded through [NGI0 Entrust](https://nlnet.nl/entrust), a fund established by [NLnet](https://nlnet.nl) with financial support from the European Commission's [Next Generation Internet](https://ngi.eu) program. Learn more at the [NLnet project page](https://nlnet.nl/project/sigmaprotocols).
 
 [<img src="https://nlnet.nl/logo/banner.png" alt="NLnet foundation logo" width="20%" />](https://nlnet.nl)
-[<img src="https://nlnet.nl/image/logos/NGI0_tag.svg" alt="NGI Zero Logo" width="20%" />](https://nlnet.nl/entrust)
+[<img src="https://nlnet.nl/image/logos/NGI0_tag.svg" alt="NGI Zero Logo" width="20%" />](https://nlnet.nl/entrust)

examples/schnorr.rs

@@ -34,14 +34,14 @@ fn create_relation(P: RistrettoPoint) -> LinearRelation<RistrettoPoint> {
 /// generate a proof that P = x * G
 #[allow(non_snake_case)]
 fn prove(x: Scalar, P: RistrettoPoint) -> ProofResult<Vec<u8>> {
-    let nizk = create_relation(P).into_nizk(b"schnorr-proof");
+    let nizk = create_relation(P).into_nizk(b"sigma-rs::examples");
     nizk.prove_batchable(&vec![x], &mut OsRng)
 }
 
 /// Verify a proof of knowledge of discrete logarithm for the given public key P
 #[allow(non_snake_case)]
 fn verify(P: RistrettoPoint, proof: &[u8]) -> ProofResult<()> {
-    let nizk = create_relation(P).into_nizk(b"schnorr-proof");
+    let nizk = create_relation(P).into_nizk(b"sigma-rs::examples");
     nizk.verify_batchable(proof)
 }
 
@@ -61,9 +61,9 @@ fn main() {
             // Verify the proof
             match verify(P, &proof) {
                 Ok(()) => println!("✓ Proof verified successfully!"),
-                Err(e) => println!("✗ Proof verification failed: {:?}", e),
+                Err(e) => println!("✗ Proof verification failed: {e:?}"),
             }
         }
-        Err(e) => println!("✗ Failed to generate proof: {:?}", e),
+        Err(e) => println!("✗ Failed to generate proof: {e:?}"),
     }
 }

examples/simple_composition.rs

@@ -95,9 +95,9 @@ fn main() {
             // Verify the proof
             match verify(P1, P2, Q, H, &proof) {
                 Ok(()) => println!("✓ Proof verified successfully!"),
-                Err(e) => println!("✗ Proof verification failed: {:?}", e),
+                Err(e) => println!("✗ Proof verification failed: {e:?}"),
             }
         }
-        Err(e) => println!("✗ Failed to generate proof: {:?}", e),
+        Err(e) => println!("✗ Failed to generate proof: {e:?}"),
     }
 }

src/codec.rs

@@ -22,7 +22,10 @@ pub trait Codec {
     type Challenge;
 
     /// Generates an empty codec that can be identified by a domain separator.
-    fn new(domain_sep: &[u8]) -> Self;
+    fn new(protocol_identifier: &[u8], session_identifier: &[u8], instance_label: &[u8]) -> Self;
+
+    /// Allows for precomputed initialization of the codec with a specific IV.
+    fn from_iv(iv: [u8; 32]) -> Self;
 
     /// Absorbs data into the codec.
     fn prover_message(&mut self, data: &[u8]);
@@ -57,11 +60,24 @@ where
 {
     type Challenge = <G as Group>::Scalar;
 
-    fn new(domain_sep: &[u8]) -> Self {
-        let hasher = H::new(domain_sep);
+    fn new(protocol_id: &[u8], session_id: &[u8], instance_label: &[u8]) -> Self {
+        let iv = {
+            let mut tmp = H::new([0u8; 32]);
+            tmp.absorb(protocol_id);
+            tmp.ratchet();
+            tmp.absorb(session_id);
+            tmp.ratchet();
+            tmp.absorb(instance_label);
+            tmp.squeeze(32).try_into().unwrap()
+        };
+
+        Self::from_iv(iv)
+    }
+
+    fn from_iv(iv: [u8; 32]) -> Self {
         Self {
-            hasher,
-            _marker: Default::default(),
+            hasher: H::new(iv),
+            _marker: core::marker::PhantomData,
         }
     }