Fix nonlinear relation handling in SchnorrProof #63
…add related test

- Fixed the `SchnorrProof::simulate_commitment` method to correctly handle nonlinear relations during simulation, ensuring compliance with the protocol’s expected behavior.
- Added a dedicated test (`translated_discrete_logarithm`) to validate simulation and verification in the presence of nonlinear constraints.

These changes improve protocol correctness and strengthen test coverage for complex use cases.
| rhs.push({ | ||
| let image_var = self.0.image[i]; | ||
| self.0.linear_map.group_elements.get(image_var)? * challenge + g | ||
| (self.0.linear_map.group_elements.get(image_var)? - zero_image[i]) * challenge + g |
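Review bot: `zero_image[i]` on the changed line is a direct index, while the lookup next to it (`group_elements.get(image_var)?`) is fallible and propagates failure. If `zero_image` can ever be shorter than `self.0.image`, verification panics instead of returning an error. Consider `zero_image.get(i)` with an explicit error, or a length check before this expression is built.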
Taking the example of a relation of the form X = (x + 1) * G = x * G + G where the nonlinear part is G:
Before the correction, the verification consisted of checking the equality between:
lhs = (r + wc) * G + G
rhs = (wG + G)c + (rG + G)
which is completely false since the relation contains a nonlinear part (the excess c*G component remains in rhs).
So, to correct this problem, we must subtract the image of the zero vector by the function before multiplying by c in rhs, which amounts to checking the equality between:
lhs = (r + wc) * G + G
rhs = ((wG + G) - G)c + (rG + G) = (w*G)c + (rG + G)
which is now verified.
| .zip(&image) | ||
| .map(|(res, img)| *res - *img * challenge) | ||
| .zip(&zero_image) | ||
| .map(|((res, img), z_img)| *res - (*img - *z_img) * challenge) |
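Review bot: the added `.zip(&zero_image)` stops at the shortest of the zipped iterators, so a `zero_image` shorter than `image` would silently produce fewer commitments rather than an error. Check that the lengths match before the iterator chain and return an error if they do not.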
Taking again the example of the relation X = (x + 1) * G:
with r the nonces, w the witness, T the commitment, and c the challenge,
we initially have:
response_image = (r + w·c)·G + G
image = w·G + G
To recover T, which by definition equals r·G + G, we used to compute:
response_image – image · c
This works in the case where we do not have a nonlinear component.
However, in this case it would give:
(r·G + G) – c·G = T – c·G
Therefore, in the fix, during the computation of T, we must subtract c · zero_image,
where zero_image is the image of the zero vector under the function.
|
|
||
| /// LinearMap for knowledge of a translated discrete logarithm relative to a fixed basepoint. | ||
| #[allow(non_snake_case)] | ||
| pub fn translated_discrete_logarithm<G: Group + GroupEncoding>( |
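Review bot: the `///` line on `translated_discrete_logarithm` names a "translated discrete logarithm" but does not state the relation being built or which term is the constant offset. Spelling the relation out in the doc comment would make it clear to readers of the tests that this constructor exists to exercise the nonlinear path.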
Implementation of the relation X = (x + 1) * G, viewed as a “translated” discrete logarithm, in order to perform tests on the protocol induced by it.
Here, the function corresponds to x -> (x + 1)*G, and the part called "nonlinear" is the image of zero, so G.
|
|
||
| /// LinearMap for knowledge of a translated dleq. | ||
| #[allow(non_snake_case)] | ||
| pub fn translated_dleq<G: Group + GroupEncoding>( |
Implementation of the relation containing the following nonlinear equations: "X = xG + H" and "Y = xH + G", viewed as a set of equations corresponding to the "translated" dleq.
Here, the function corresponds to x -> (xG + H, xH + G), and the part called "nonlinear" is the image of zero, so (H, G).
I identified additional issues when handling compact proofs with nonlinear relations, specifically for relations of the form C = (x + 1) * B.
Both the simulate_commitment and the verify methods of SchnorrProof were not correctly handling the nonlinear part of the relation.
🔧 Changes in this PR
With these fixes, both simulation and verification now fully support nonlinear relations proofs.
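The algebra from the review comments above, for the relation X = (x + 1) * G, carried through as an added example (not code from this PR or the project). It assumes a toy group, the integers mod a constructed prime `Q` under addition, which has no security and serves only to check the equations; all function names are hypothetical.

```rust
// Toy model (assumption): the "group" is Z_Q under addition, so scalar * point
// is multiplication mod Q. Discrete logs are trivial here; algebra check only.
const Q: u64 = 1_000_003; // constructed prime modulus
const G: u64 = 5; // constructed basepoint

fn add(a: u64, b: u64) -> u64 { (a + b) % Q }
fn sub(a: u64, b: u64) -> u64 { (a + Q - b) % Q }
fn mul(a: u64, b: u64) -> u64 { (a * b) % Q }

/// The map from the discussion: x -> (x + 1) * G. Its image of zero is G.
fn map(x: u64) -> u64 { mul(add(x, 1), G) }

/// Check as described before the fix: map(z) == X * c + T.
fn verify_old(x_img: u64, t: u64, c: u64, z: u64) -> bool {
    map(z) == add(mul(x_img, c), t)
}

/// Check as described after the fix: subtract map(0) from X before scaling by c.
fn verify_fixed(x_img: u64, t: u64, c: u64, z: u64) -> bool {
    map(z) == add(mul(sub(x_img, map(0)), c), t)
}

/// Commitment recovery after the fix: T = map(z) - (X - map(0)) * c.
fn simulate_commitment(x_img: u64, c: u64, z: u64) -> u64 {
    sub(map(z), mul(sub(x_img, map(0)), c))
}

/// Honest prover: returns (X, T, z) for witness w, nonce r, challenge c.
fn prove(w: u64, r: u64, c: u64) -> (u64, u64, u64) {
    (map(w), map(r), add(r, mul(w, c)))
}

fn main() {
    let (w, r, c) = (1234, 5678, 42); // constructed sample values
    let (x_img, t, z) = prove(w, r, c);
    // The old check leaves an extra c * G on the right-hand side and rejects
    // an honest proof; the fixed check accepts it.
    println!("old check accepts:   {}", verify_old(x_img, t, c, z));
    println!("fixed check accepts: {}", verify_fixed(x_img, t, c, z));
    println!("recovered T matches: {}", simulate_commitment(x_img, c, z) == t);
}
```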