Add BlindSigVerifyGadget::verify impl (r1cs constraints)

src/constraints.rs

@@ -124,3 +124,60 @@ where
         })
     }
 }
+
+pub struct BlindSigVerifyGadget<C: ProjectiveCurve, GC: CurveVar<C, ConstraintF<C>>>
+where
+    for<'a> &'a GC: GroupOpsBounds<'a, C, GC>,
+{
+    params: Parameters<C>,
+    // sig: Signature<C>,
+    _gc: PhantomData<GC>,
+}
+
+impl<C: ProjectiveCurve, GC: CurveVar<C, ConstraintF<C>>> BlindSigVerifyGadget<C, GC>
+where
+    C: ProjectiveCurve,
+    GC: CurveVar<C, ConstraintF<C>>,
+    for<'a> &'a GC: GroupOpsBounds<'a, C, GC>,
+    ark_r1cs_std::groups::curves::twisted_edwards::AffineVar<
+        EdwardsParameters,
+        FpVar<Fp256<FqParameters>>,
+    >: From<GC>,
+    FpVar<<C as ProjectiveCurve>::ScalarField>: Mul<FpVar<Fp256<FqParameters>>>,
+    FpVar<<C as ProjectiveCurve>::ScalarField>: From<<C as ProjectiveCurve>::ScalarField>,
+{
+    fn verify(
+        parameters: &ParametersVar<C, GC>,
+        poseidon_hash: &PoseidonGadget<ConstraintF<C>>,
+        m: FpVar<ConstraintF<C>>,
+        s: &SignatureVar<C, GC>,
+        q: &PublicKeyVar<C, GC>,
+    ) -> Result<Boolean<ConstraintF<C>>, SynthesisError>
+    where
+        <C as ProjectiveCurve>::ScalarField: Iterator, // WIP
+        <C as ProjectiveCurve>::ScalarField: From<
+            <FpVar<<C as ProjectiveCurve>::ScalarField> as Mul<FpVar<Fp256<FqParameters>>>>::Output,
+        >,
+    {
+        let s_s = s.s.clone();
+
+        let sG = parameters
+            .generator
+            .scalar_mul_le(s_s.to_bits_le()?.iter())?;
+
+        // G * s == R + Q * (R.x * H(m))
+        // Note: in a circuit that aggregates multiple verifications, the hashing step could be
+        // done outside the signature verification, once for all 1 votes and once for all 0 votes,
+        // saving lots of constraints
+        let hm = poseidon_hash.hash(&[m])?;
+        let r = EdwardsVar::from(s.r.clone()); // WIP
+
+        let rx_hm: ConstraintF<C> = ConstraintF::<C>::from(hm * r.x);
+        let rx_hm_fp: FpVar<ConstraintF<C>> = FpVar::<ConstraintF<C>>::from(rx_hm);
+
+        let Q_rx_hm = q.pub_key.scalar_mul_le(rx_hm_fp.to_bits_le()?.iter())?;
+        let RHS = s.r.clone() + Q_rx_hm;
+
+        sG.is_eq(&RHS)
+    }
+}

src/lib.rs

@@ -223,33 +223,26 @@ mod tests {
 
     #[test]
     fn test_blind() {
+        type S = BlindSigScheme<EdwardsProjective>;
+
         let poseidon_params = poseidon_setup_params::<ConstraintF>(Curve::Bn254, 5, 3);
         let poseidon_hash = poseidon::Poseidon::new(poseidon_params);
 
         let mut rng = ark_std::test_rng();
 
-        let params = BlindSigScheme::<EdwardsProjective>::setup();
-        let (pk, sk) = BlindSigScheme::<EdwardsProjective>::keygen(&params, &mut rng);
+        let params = S::setup();
+        let (pk, sk) = S::keygen(&params, &mut rng);
 
-        let (k, signer_r) =
-            BlindSigScheme::<EdwardsProjective>::new_request_params(&params, &mut rng);
+        let (k, signer_r) = S::new_request_params(&params, &mut rng);
         let m = ConstraintF::from(1234);
 
-        let (m_blinded, u) = BlindSigScheme::<EdwardsProjective>::blind(
-            &params,
-            &mut rng,
-            &poseidon_hash,
-            m,
-            signer_r,
-        )
-        .unwrap();
+        let (m_blinded, u) = S::blind(&params, &mut rng, &poseidon_hash, m, signer_r).unwrap();
 
-        let s_blinded = BlindSigScheme::<EdwardsProjective>::blind_sign(sk, k, m_blinded);
+        let s_blinded = S::blind_sign(sk, k, m_blinded);
 
-        let s = BlindSigScheme::<EdwardsProjective>::unblind(s_blinded, u);
+        let s = S::unblind(s_blinded, u);
 
-        let verified =
-            BlindSigScheme::<EdwardsProjective>::verify(&params, &poseidon_hash, m, s, pk);
+        let verified = S::verify(&params, &poseidon_hash, m, s, pk);
         assert!(verified);
     }
 }