From 61ef5fc0b1163d03039ad93dd96871813072a0fc Mon Sep 17 00:00:00 2001 From: Srinath Setty Date: Mon, 4 Oct 2021 14:55:16 -0700 Subject: [PATCH] This commit introduces the following changes: * Separate types for Relaxed R1CS and R1CS instances and witnesses * Allows creating default values for Relaxed R1CS types * StepSNARK now folds a regular R1CS instance-witness into a running Relaxed R1CS instance-witness * We additionally enforce input chaining checks: the incoming instance must have input that matches the output of the incremental computation thus far --- src/errors.rs | 2 + src/lib.rs | 186 +++++++++++++++++++++++++++------------------ src/r1cs.rs | 205 +++++++++++++++++++++++++++++++++++--------------- src/traits.rs | 2 +- 4 files changed, 262 insertions(+), 133 deletions(-) diff --git a/src/errors.rs b/src/errors.rs index 7b63a9e..7038121 100644 --- a/src/errors.rs +++ b/src/errors.rs @@ -6,6 +6,8 @@ use core::fmt::Debug; pub enum NovaError { /// returned if the supplied row or col in (row,col,val) tuple is out of range InvalidIndex, + /// returned if the supplied input is not even-sized + OddInputLength, /// returned if the supplied input is not of the right length InvalidInputLength, /// returned if the supplied witness is not of the right length diff --git a/src/lib.rs b/src/lib.rs index fea21ac..d3ce225 100644 --- a/src/lib.rs +++ b/src/lib.rs @@ -15,7 +15,9 @@ use std::marker::PhantomData; use commitments::{AppendToTranscriptTrait, CompressedCommitment}; use errors::NovaError; use merlin::Transcript; -use r1cs::{R1CSGens, R1CSInstance, R1CSShape, R1CSWitness}; +use r1cs::{ + R1CSGens, R1CSInstance, R1CSShape, R1CSWitness, RelaxedR1CSInstance, RelaxedR1CSWitness, +}; use traits::{ChallengeTrait, Group}; /// A SNARK that holds the proof of a step of an incremental computation @@ -29,20 +31,27 @@ impl StepSNARK { b"NovaStepSNARK" } - /// Takes as input two relaxed R1CS instance-witness tuples `(U1, W1)` and `(U2, W2)` - /// with the same structure `shape` and defined with respect to the same `gens`, - /// and outputs a folded instance-witness tuple `(U, W)` of the same shape `shape`, + /// Takes as input a Relaxed R1CS instance-witness tuple `(U1, W1)` and + /// an R1CS instance-witness tuple `(U2, W2)` with the same structure `shape` + /// and defined with respect to the same `gens`, and outputs + /// a folded Relaxed R1CS instance-witness tuple `(U, W)` of the same shape `shape`, /// with the guarantee that the folded witness `W` satisfies the folded instance `U` /// if and only if `W1` satisfies `U1` and `W2` satisfies `U2`. pub fn prove( gens: &R1CSGens, S: &R1CSShape, - U1: &R1CSInstance, - W1: &R1CSWitness, + U1: &RelaxedR1CSInstance, + W1: &RelaxedR1CSWitness, U2: &R1CSInstance, W2: &R1CSWitness, transcript: &mut Transcript, - ) -> Result<(StepSNARK, (R1CSInstance, R1CSWitness)), NovaError> { + ) -> Result< + ( + StepSNARK, + (RelaxedR1CSInstance, RelaxedR1CSWitness), + ), + NovaError, + > { // append the protocol name to the transcript //transcript.append_protocol_name(StepSNARK::protocol_name()); transcript.append_message(b"protocol-name", StepSNARK::::protocol_name()); @@ -72,17 +81,17 @@ impl StepSNARK { )) } - /// Takes as input two relaxed R1CS instances `U1` and `U2` + /// Takes as input a relaxed R1CS instance `U1` and and R1CS instance `U2` /// with the same shape and defined with respect to the same parameters, /// and outputs a folded instance `U` with the same shape, /// with the guarantee that the folded instance `U` /// if and only if `U1` and `U2` are satisfiable. pub fn verify( &self, - U1: &R1CSInstance, + U1: &RelaxedR1CSInstance, U2: &R1CSInstance, transcript: &mut Transcript, - ) -> Result, NovaError> { + ) -> Result, NovaError> { // append the protocol name to the transcript transcript.append_message(b"protocol-name", StepSNARK::::protocol_name()); @@ -102,12 +111,12 @@ impl StepSNARK { /// A SNARK that holds the proof of the final step of an incremental computation pub struct FinalSNARK { - W: R1CSWitness, + W: RelaxedR1CSWitness, } impl FinalSNARK { /// Produces a proof of a instance given its satisfying witness `W`. - pub fn prove(W: &R1CSWitness) -> Result, NovaError> { + pub fn prove(W: &RelaxedR1CSWitness) -> Result, NovaError> { Ok(FinalSNARK { W: W.clone() }) } @@ -116,10 +125,10 @@ impl FinalSNARK { &self, gens: &R1CSGens, S: &R1CSShape, - U: &R1CSInstance, + U: &RelaxedR1CSInstance, ) -> Result<(), NovaError> { // check that the witness is a valid witness to the folded instance `U` - S.is_sat(gens, U, &self.W) + S.is_sat_relaxed(gens, U, &self.W) } } @@ -135,16 +144,17 @@ mod tests { #[test] fn test_tiny_r1cs() { let one = S::one(); - let (num_cons, num_vars, num_inputs, A, B, C) = { + let (num_cons, num_vars, num_io, A, B, C) = { let num_cons = 4; let num_vars = 4; - let num_inputs = 1; + let num_io = 2; + // Consider a cubic equation: `x^3 + x + 5 = y`, where `x` and `y` are respectively the input and output. // The R1CS for this problem consists of the following constraints: - // `Z0 * Z0 - Z1 = 0` - // `Z1 * Z0 - Z2 = 0` - // `(Z2 + Z0) * 1 - Z3 = 0` - // `(Z3 + 5) * 1 - I0 = 0` + // `I0 * I0 - Z0 = 0` + // `Z0 * I0 - Z1 = 0` + // `(Z1 + I0) * 1 - Z2 = 0` + // `(Z2 + 5) * 1 - I1 = 0` // Relaxed R1CS is a set of three sparse matrices (A B C), where there is a row for every // constraint and a column for every entry in z = (vars, u, inputs) @@ -155,33 +165,37 @@ mod tests { let mut C: Vec<(usize, usize, S)> = Vec::new(); // constraint 0 entries in (A,B,C) - A.push((0, 0, one)); - B.push((0, 0, one)); - C.push((0, 1, one)); + // `I0 * I0 - Z0 = 0` + A.push((0, num_vars + 1, one)); + B.push((0, num_vars + 1, one)); + C.push((0, 0, one)); // constraint 1 entries in (A,B,C) - A.push((1, 1, one)); - B.push((1, 0, one)); - C.push((1, 2, one)); + // `Z0 * I0 - Z1 = 0` + A.push((1, 0, one)); + B.push((1, num_vars + 1, one)); + C.push((1, 1, one)); // constraint 2 entries in (A,B,C) - A.push((2, 2, one)); - A.push((2, 0, one)); + // `(Z1 + I0) * 1 - Z2 = 0` + A.push((2, 1, one)); + A.push((2, num_vars + 1, one)); B.push((2, num_vars, one)); - C.push((2, 3, one)); + C.push((2, 2, one)); // constraint 3 entries in (A,B,C) - A.push((3, 3, one)); + // `(Z2 + 5) * 1 - I1 = 0` + A.push((3, 2, one)); A.push((3, num_vars, one + one + one + one + one)); B.push((3, num_vars, one)); - C.push((3, num_vars + 1, one)); + C.push((3, num_vars + 2, one)); - (num_cons, num_vars, num_inputs, A, B, C) + (num_cons, num_vars, num_io, A, B, C) }; // create a shape object let S = { - let res = R1CSShape::new(num_cons, num_vars, num_inputs, &A, &B, &C); + let res = R1CSShape::new(num_cons, num_vars, num_io, &A, &B, &C); assert!(res.is_ok()); res.unwrap() }; @@ -189,64 +203,90 @@ mod tests { // generate generators let gens = R1CSGens::new(num_cons, num_vars); - let rand_inst_witness_generator = |gens: &R1CSGens| -> (R1CSInstance, R1CSWitness) { - // compute a satisfying (vars, X) tuple - let (vars, X) = { - let mut csprng: OsRng = OsRng; - let z0 = S::random(&mut csprng); - let z1 = z0 * z0; // constraint 0 - let z2 = z1 * z0; // constraint 1 - let z3 = z2 + z0; // constraint 2 - let i0 = z3 + one + one + one + one + one; // constraint 3 - - let vars = vec![z0, z1, z2, z3]; - let X = vec![i0]; - (vars, X) + let rand_inst_witness_generator = + |gens: &R1CSGens, I: &S| -> (S, R1CSInstance, R1CSWitness) { + let i0 = I.clone(); + + // compute a satisfying (vars, X) tuple + let (O, vars, X) = { + let z0 = i0 * i0; // constraint 0 + let z1 = i0 * z0; // constraint 1 + let z2 = z1 + i0; // constraint 2 + let i1 = z2 + one + one + one + one + one; // constraint 3 + + // store the witness and IO for the instance + let W = vec![z0, z1, z2, S::zero()]; + let X = vec![i0, i1]; + (i1, W, X) + }; + + let W = { + let res = R1CSWitness::new(&S, &vars); + assert!(res.is_ok()); + res.unwrap() + }; + let U = { + let comm_W = W.commit(&gens); + let res = R1CSInstance::new(&S, &comm_W, &X); + assert!(res.is_ok()); + res.unwrap() + }; + + // check that generated instance is satisfiable + assert!(S.is_sat(&gens, &U, &W).is_ok()); + + (O, U, W) }; - let W = { - let E = vec![S::zero(); num_cons]; // default E - let res = R1CSWitness::new(&S, &vars, &E); - assert!(res.is_ok()); - res.unwrap() - }; - let U = { - let (comm_W, comm_E) = W.commit(&gens); - let u = S::one(); //default u - let res = R1CSInstance::new(&S, &comm_W, &comm_E, &X, &u); - assert!(res.is_ok()); - res.unwrap() - }; - - // check that generated instance is satisfiable - let is_sat = S.is_sat(&gens, &U, &W); - assert!(is_sat.is_ok()); - (U, W) - }; + let mut csprng: OsRng = OsRng; + let I = S::random(&mut csprng); // the first input is picked randomly for the first instance + let (O, U1, W1) = rand_inst_witness_generator(&gens, &I); + let (_O, U2, W2) = rand_inst_witness_generator(&gens, &O); - let (U1, W1) = rand_inst_witness_generator(&gens); - let (U2, W2) = rand_inst_witness_generator(&gens); + // produce a default running instance + let mut r_W = RelaxedR1CSWitness::default(&S); + let mut r_U = RelaxedR1CSInstance::default(&gens, &S); - // produce a step SNARK + // produce a step SNARK with (W1, U1) as the first incoming witness-instance pair let mut prover_transcript = Transcript::new(b"StepSNARKExample"); - let res = StepSNARK::prove(&gens, &S, &U1, &W1, &U2, &W2, &mut prover_transcript); + let res = StepSNARK::prove(&gens, &S, &r_U, &r_W, &U1, &W1, &mut prover_transcript); assert!(res.is_ok()); let (step_snark, (_U, W)) = res.unwrap(); - // verify the step SNARK + // verify the step SNARK with U1 as the first incoming instance let mut verifier_transcript = Transcript::new(b"StepSNARKExample"); - let res = step_snark.verify(&U1, &U2, &mut verifier_transcript); + let res = step_snark.verify(&r_U, &U1, &mut verifier_transcript); + assert!(res.is_ok()); + let U = res.unwrap(); + + assert_eq!(U, _U); + + // update the running witness and instance + r_W = W; + r_U = U; + + // produce a step SNARK with (W2, U2) as the second incoming witness-instance pair + let res = StepSNARK::prove(&gens, &S, &r_U, &r_W, &U2, &W2, &mut prover_transcript); + assert!(res.is_ok()); + let (step_snark, (_U, W)) = res.unwrap(); + + // verify the step SNARK with U1 as the first incoming instance + let res = step_snark.verify(&r_U, &U2, &mut verifier_transcript); assert!(res.is_ok()); let U = res.unwrap(); assert_eq!(U, _U); + // update the running witness and instance + r_W = W; + r_U = U; + // produce a final SNARK - let res = FinalSNARK::prove(&W); + let res = FinalSNARK::prove(&r_W); assert!(res.is_ok()); let final_snark = res.unwrap(); // verify the final SNARK - let res = final_snark.verify(&gens, &S, &U); + let res = final_snark.verify(&gens, &S, &r_U); assert!(res.is_ok()); } } diff --git a/src/r1cs.rs b/src/r1cs.rs index 7595523..85b95e7 100644 --- a/src/r1cs.rs +++ b/src/r1cs.rs @@ -1,4 +1,4 @@ -//! This module defines R1CS related types and a folding scheme for (relaxed) R1CS +//! This module defines R1CS related types and a folding scheme for Relaxed R1CS #![allow(clippy::type_complexity)] use super::commitments::{CommitGens, CommitTrait, Commitment, CompressedCommitment}; use super::errors::NovaError; @@ -17,7 +17,7 @@ pub struct R1CSGens { pub struct R1CSShape { num_cons: usize, num_vars: usize, - num_inputs: usize, + num_io: usize, A: Vec<(usize, usize, G::Scalar)>, B: Vec<(usize, usize, G::Scalar)>, C: Vec<(usize, usize, G::Scalar)>, @@ -27,16 +27,31 @@ pub struct R1CSShape { #[derive(Clone, Debug)] pub struct R1CSWitness { W: Vec, - E: Vec, } /// A type that holds an R1CS instance #[derive(Clone, Debug, PartialEq, Eq)] pub struct R1CSInstance { + comm_W: Commitment, + X: Vec, +} + +/// A type that holds a witness for a given Relaxed R1CS instance +#[derive(Clone, Debug)] +pub struct RelaxedR1CSWitness { + W: Vec, + E: Vec, +} + +/// A type that holds a Relaxed R1CS instance +#[derive(Clone, Debug, PartialEq, Eq)] +pub struct RelaxedR1CSInstance { comm_W: Commitment, comm_E: Commitment, X: Vec, u: G::Scalar, + Y_last: Vec, // output of the last instance that was folded + counter: usize, // the number of folds thus far } impl R1CSGens { @@ -57,7 +72,7 @@ impl R1CSShape { pub fn new( num_cons: usize, num_vars: usize, - num_inputs: usize, + num_io: usize, A: &[(usize, usize, G::Scalar)], B: &[(usize, usize, G::Scalar)], C: &[(usize, usize, G::Scalar)], @@ -85,18 +100,23 @@ impl R1CSShape { } }; - let res_A = is_valid(num_cons, num_vars, num_inputs, A); - let res_B = is_valid(num_cons, num_vars, num_inputs, B); - let res_C = is_valid(num_cons, num_vars, num_inputs, C); + let res_A = is_valid(num_cons, num_vars, num_io, A); + let res_B = is_valid(num_cons, num_vars, num_io, B); + let res_C = is_valid(num_cons, num_vars, num_io, C); if res_A.is_err() || res_B.is_err() || res_C.is_err() { return Err(NovaError::InvalidIndex); } + // We require the number of public inputs/outputs to be even + if num_io % 2 != 0 { + return Err(NovaError::OddInputLength); + } + let shape = R1CSShape { num_cons, num_vars, - num_inputs, + num_io, A: A.to_owned(), B: B.to_owned(), C: C.to_owned(), @@ -109,7 +129,7 @@ impl R1CSShape { &self, z: &[G::Scalar], ) -> Result<(Vec, Vec, Vec), NovaError> { - if z.len() != self.num_inputs + self.num_vars + 1 { + if z.len() != self.num_io + self.num_vars + 1 { return Err(NovaError::InvalidWitnessLength); } @@ -136,16 +156,16 @@ impl R1CSShape { Ok((Az, Bz, Cz)) } - /// Checks if the R1CS instance is satisfiable given a witness and its shape - pub fn is_sat( + /// Checks if the Relaxed R1CS instance is satisfiable given a witness and its shape + pub fn is_sat_relaxed( &self, gens: &R1CSGens, - U: &R1CSInstance, - W: &R1CSWitness, + U: &RelaxedR1CSInstance, + W: &RelaxedR1CSWitness, ) -> Result<(), NovaError> { assert_eq!(W.W.len(), self.num_vars); assert_eq!(W.E.len(), self.num_cons); - assert_eq!(U.X.len(), self.num_inputs); + assert_eq!(U.X.len(), self.num_io); // verify if Az * Bz = u*Cz + E let res_eq: bool = { @@ -183,12 +203,48 @@ impl R1CSShape { } } - /// A method to compute a commitment to the cross-term `T` given two R1CS instance-witness pairs + /// Checks if the R1CS instance is satisfiable given a witness and its shape + pub fn is_sat( + &self, + gens: &R1CSGens, + U: &R1CSInstance, + W: &R1CSWitness, + ) -> Result<(), NovaError> { + assert_eq!(W.W.len(), self.num_vars); + assert_eq!(U.X.len(), self.num_io); + + // verify if Az * Bz = u*Cz + let res_eq: bool = { + let z = concat(vec![W.W.clone(), vec![G::Scalar::one()], U.X.clone()]); + let (Az, Bz, Cz) = self.multiply_vec(&z)?; + assert_eq!(Az.len(), self.num_cons); + assert_eq!(Bz.len(), self.num_cons); + assert_eq!(Cz.len(), self.num_cons); + + let res: usize = (0..self.num_cons) + .map(|i| if Az[i] * Bz[i] == Cz[i] { 0 } else { 1 }) + .sum(); + + res == 0 + }; + + // verify if comm_W is a commitment to W + let res_comm: bool = U.comm_W == W.W.commit(&gens.gens_W); + + if res_eq && res_comm { + Ok(()) + } else { + Err(NovaError::UnSat) + } + } + + /// A method to compute a commitment to the cross-term `T` given a + /// Relaxed R1CS instance-witness pair and an R1CS instance-witness pair pub fn commit_T( &self, gens: &R1CSGens, - U1: &R1CSInstance, - W1: &R1CSWitness, + U1: &RelaxedR1CSInstance, + W1: &RelaxedR1CSWitness, U2: &R1CSInstance, W2: &R1CSWitness, ) -> Result< @@ -204,7 +260,7 @@ impl R1CSShape { }; let (AZ_2, BZ_2, CZ_2) = { - let Z2 = concat(vec![W2.W.clone(), vec![U2.u], U2.X.clone()]); + let Z2 = concat(vec![W2.W.clone(), vec![G::Scalar::one()], U2.X.clone()]); self.multiply_vec(&Z2)? }; @@ -217,9 +273,7 @@ impl R1CSShape { let u_1_cdot_CZ_2 = (0..CZ_2.len()) .map(|i| U1.u * CZ_2[i]) .collect::>(); - let u_2_cdot_CZ_1 = (0..CZ_1.len()) - .map(|i| U2.u * CZ_1[i]) - .collect::>(); + let u_2_cdot_CZ_1 = (0..CZ_1.len()).map(|i| CZ_1[i]).collect::>(); let T = AZ_1_circ_BZ_2 .par_iter() @@ -237,20 +291,46 @@ impl R1CSShape { impl R1CSWitness { /// A method to create a witness object using a vector of scalars + pub fn new(S: &R1CSShape, W: &[G::Scalar]) -> Result, NovaError> { + if S.num_vars != W.len() { + Err(NovaError::InvalidWitnessLength) + } else { + Ok(R1CSWitness { W: W.to_owned() }) + } + } + + /// Commits to the witness using the supplied generators + pub fn commit(&self, gens: &R1CSGens) -> Commitment { + self.W.commit(&gens.gens_W) + } +} + +impl R1CSInstance { + /// A method to create an instance object using consitituent elements pub fn new( S: &R1CSShape, - W: &[G::Scalar], - E: &[G::Scalar], - ) -> Result, NovaError> { - if S.num_vars != W.len() || S.num_cons != E.len() { - Err(NovaError::InvalidWitnessLength) + comm_W: &Commitment, + X: &[G::Scalar], + ) -> Result, NovaError> { + if S.num_io != X.len() { + Err(NovaError::InvalidInputLength) } else { - Ok(R1CSWitness { - W: W.to_owned(), - E: E.to_owned(), + Ok(R1CSInstance { + comm_W: *comm_W, + X: X.to_owned(), }) } } +} + +impl RelaxedR1CSWitness { + /// Produces a default RelaxedR1CSWitness given an R1CSShape + pub fn default(S: &R1CSShape) -> RelaxedR1CSWitness { + RelaxedR1CSWitness { + W: vec![G::Scalar::zero(); S.num_vars], + E: vec![G::Scalar::zero(); S.num_cons], + } + } /// Commits to the witness using the supplied generators pub fn commit(&self, gens: &R1CSGens) -> (Commitment, Commitment) { @@ -263,9 +343,9 @@ impl R1CSWitness { W2: &R1CSWitness, T: &[G::Scalar], r: &G::Scalar, - ) -> Result, NovaError> { + ) -> Result, NovaError> { let (W1, E1) = (&self.W, &self.E); - let (W2, E2) = (&W2.W, &W2.E); + let W2 = &W2.W; if W1.len() != W2.len() { return Err(NovaError::InvalidWitnessLength); @@ -279,61 +359,68 @@ impl R1CSWitness { let E = E1 .par_iter() .zip(T) - .zip(E2) - .map(|((a, b), c)| *a + *r * *b + *r * *r * *c) + .map(|(a, b)| *a + *r * *b) .collect::>(); - Ok(R1CSWitness { W, E }) + Ok(RelaxedR1CSWitness { W, E }) } } -impl R1CSInstance { - /// A method to create an instance object using consitituent elements - pub fn new( - S: &R1CSShape, - comm_W: &Commitment, - comm_E: &Commitment, - X: &[G::Scalar], - u: &G::Scalar, - ) -> Result, NovaError> { - if S.num_inputs != X.len() { - Err(NovaError::InvalidInputLength) - } else { - Ok(R1CSInstance { - comm_W: *comm_W, - comm_E: *comm_E, - X: X.to_owned(), - u: *u, - }) +impl RelaxedR1CSInstance { + /// Produces a default RelaxedR1CSInstance given R1CSGens and R1CSShape + pub fn default(gens: &R1CSGens, S: &R1CSShape) -> RelaxedR1CSInstance { + let (comm_W, comm_E) = RelaxedR1CSWitness::default(S).commit(gens); + RelaxedR1CSInstance { + comm_W, + comm_E, + u: G::Scalar::zero(), + X: vec![G::Scalar::zero(); S.num_io], + Y_last: vec![G::Scalar::zero(); S.num_io / 2], + counter: 0, } } - /// Folds an incoming R1CSInstance into the current one + /// Folds an incoming RelaxedR1CSInstance into the current one pub fn fold( &self, U2: &R1CSInstance, comm_T: &CompressedCommitment, r: &G::Scalar, - ) -> Result, NovaError> { + ) -> Result, NovaError> { let comm_T_unwrapped = comm_T.decompress()?; let (X1, u1, comm_W_1, comm_E_1) = (&self.X, &self.u, &self.comm_W.clone(), &self.comm_E.clone()); - let (X2, u2, comm_W_2, comm_E_2) = (&U2.X, &U2.u, &U2.comm_W, &U2.comm_E); + let (X2, comm_W_2) = (&U2.X, &U2.comm_W); + + // check if the input of the incoming instance matches the output + // of the incremental computation thus far if counter > 0 + if self.counter > 0 { + if self.Y_last.len() != U2.X.len() / 2 { + return Err(NovaError::InvalidInputLength); + } + for i in 0..self.Y_last.len() { + if self.Y_last[i] != U2.X[i] { + return Err(NovaError::InvalidInputLength); + } + } + } - // weighted sum of X + // weighted sum of X, comm_W, comm_E, and u let X = X1 .par_iter() .zip(X2) .map(|(a, b)| *a + *r * *b) .collect::>(); let comm_W = comm_W_1 + comm_W_2 * r; - let comm_E = *comm_E_1 + comm_T_unwrapped * *r + comm_E_2 * r * *r; - let u = *u1 + *r * *u2; + let comm_E = *comm_E_1 + comm_T_unwrapped * *r; + let u = *u1 + *r; - Ok(R1CSInstance { + Ok(RelaxedR1CSInstance { comm_W, comm_E, X, u, + Y_last: U2.X[U2.X.len() / 2..].to_owned(), + counter: self.counter + 1, }) } } diff --git a/src/traits.rs b/src/traits.rs index 75e08c4..864200e 100644 --- a/src/traits.rs +++ b/src/traits.rs @@ -72,7 +72,7 @@ pub trait Group: /// Compresses the group element fn compress(&self) -> Self::CompressedGroupElement; - /// Attempts to create a group element from a sequence of bytes, + /// Attempts to create a group element from a sequence of bytes, /// failing with a `None` if the supplied bytes do not encode the group element fn from_uniform_bytes(bytes: &[u8]) -> Option; }