diff --git a/.gitignore b/.gitignore index 6466ebf..2832471 100644 --- a/.gitignore +++ b/.gitignore @@ -1,2 +1,3 @@ /target -*.py \ No newline at end of file +*.py +Cargo.lock diff --git a/src/constraints.rs b/src/constraints.rs index cbae34b..0a5ddcb 100644 --- a/src/constraints.rs +++ b/src/constraints.rs @@ -5,14 +5,11 @@ use ark_crypto_primitives::sponge::{ }; use ark_ec::CurveGroup; use ark_ff::Field; -use ark_relations::r1cs::ConstraintSystemRef; - use ark_r1cs_std::{ boolean::Boolean, fields::fp::FpVar, fields::nonnative::NonNativeFieldVar, groups::CurveVar, ToBitsGadget, ToConstraintFieldGadget, }; - -use crate::Error; +use ark_relations::r1cs::ConstraintSystemRef; /// CF stands for ConstraintField pub type CF = <::BaseField as Field>::BasePrimeField; @@ -24,29 +21,31 @@ pub fn verify( pk: GC, sig: (GC, NonNativeFieldVar>), msg: FpVar>, -) -> Result>, Error> +) -> ark_relations::r1cs::Result>> where C: CurveGroup, GC: CurveVar> + ToConstraintFieldGadget>, { let (r, s): (GC, NonNativeFieldVar>) = sig; - let r_xy = r.to_constraint_field().unwrap(); - let pk_xy = pk.to_constraint_field().unwrap(); + let r_xy = r.to_constraint_field()?; + let pk_xy = pk.to_constraint_field()?; let mut poseidon = PoseidonSpongeVar::new(cs.clone(), &poseidon_config); - poseidon.absorb(&r_xy).unwrap(); - poseidon.absorb(&pk_xy).unwrap(); - poseidon.absorb(&msg).unwrap(); - let k = poseidon.squeeze_field_elements(1).unwrap(); - let k = k.first().unwrap(); + poseidon.absorb(&r_xy)?; + poseidon.absorb(&pk_xy)?; + poseidon.absorb(&msg)?; + let k = poseidon.squeeze_field_elements(1)?; + let k = k + .first() + .ok_or(ark_relations::r1cs::SynthesisError::Unsatisfiable)?; - let kx_b = pk.scalar_mul_le(k.to_bits_le().unwrap().iter()).unwrap(); + let kx_b = pk.scalar_mul_le(k.to_bits_le()?.iter())?; - let g = GC::new_constant(cs.clone(), C::generator()).unwrap(); - let s_b = g.scalar_mul_le(s.to_bits_le().unwrap().iter()).unwrap(); + let g = GC::new_constant(cs.clone(), C::generator())?; + let s_b = g.scalar_mul_le(s.to_bits_le()?.iter())?; let r_rec: GC = s_b - kx_b; - Ok(r_rec.is_eq(&r).unwrap()) + Ok(r_rec.is_eq(&r)?) } #[cfg(test)] @@ -69,14 +68,16 @@ mod tests { let sk = SigningKey::::generate::(&mut OsRng).unwrap(); let msg_raw = b"xxx yyy <<< zzz >>> bunny"; let msg = Fq::from_le_bytes_mod_order(msg_raw); - let sig = sk.sign::(&poseidon_config, &msg); + let sig = sk + .sign::(&poseidon_config, &msg) + .unwrap(); let pk = sk.public_key(); pk.verify(&poseidon_config, &msg, &sig).unwrap(); let cs = ConstraintSystem::::new_ref(); - let pk_var: GVar = GVar::new_witness(cs.clone(), || Ok(pk.0)).unwrap(); - let r_var: GVar = GVar::new_witness(cs.clone(), || Ok(sig.r)).unwrap(); - let s_var = NonNativeFieldVar::::new_witness(cs.clone(), || Ok(sig.s)).unwrap(); + let pk_var: GVar = GVar::new_witness(cs.clone(), || Ok(*pk.as_ref())).unwrap(); + let r_var: GVar = GVar::new_witness(cs.clone(), || Ok(*sig.r())).unwrap(); + let s_var = NonNativeFieldVar::::new_witness(cs.clone(), || Ok(sig.s())).unwrap(); let msg_var = FpVar::::new_witness(cs.clone(), || Ok(msg)).unwrap(); let res = verify::(cs.clone(), poseidon_config, pk_var, (r_var, s_var), msg_var) diff --git a/src/eddsa.rs b/src/eddsa.rs index 1fea364..810448f 100644 --- a/src/eddsa.rs +++ b/src/eddsa.rs @@ -45,11 +45,11 @@ impl SecretKey { /// `PublicKey` is EdDSA signature verification key #[derive(Copy, Clone, Debug, CanonicalSerialize, CanonicalDeserialize)] -pub struct PublicKey(pub Affine); +pub struct PublicKey(Affine); impl PublicKey { - pub fn xy(&self) -> (&TE::BaseField, &TE::BaseField) { - self.as_ref().xy().unwrap() + pub fn xy(&self) -> Result<(&TE::BaseField, &TE::BaseField), Error> { + self.as_ref().xy().ok_or(Error::Coordinates) } pub fn to_bytes(&self) -> Vec { @@ -125,7 +125,7 @@ where &self, poseidon: &PoseidonConfig, message: &TE::BaseField, - ) -> Signature { + ) -> Result, Error> { let (x, prefix) = self.secret_key.expand::(); let mut h = D::new(); @@ -140,22 +140,22 @@ where let mut poseidon = PoseidonSponge::new(poseidon); - let (sig_r_x, sig_r_y) = sig_r.xy().unwrap(); + let (sig_r_x, sig_r_y) = sig_r.xy().ok_or(Error::Coordinates)?; poseidon.absorb(sig_r_x); poseidon.absorb(sig_r_y); - let (pk_x, pk_y) = self.public_key.0.xy().unwrap(); + let (pk_x, pk_y) = self.public_key.0.xy().ok_or(Error::Coordinates)?; poseidon.absorb(pk_x); poseidon.absorb(pk_y); poseidon.absorb(message); // use poseidon over Fq, so that it can be done too in-circuit let k = poseidon.squeeze_field_elements::(1); - let k = k.first().unwrap(); + let k = k.first().ok_or(Error::BadDigestOutput)?; let k = TE::ScalarField::from_le_bytes_mod_order(&k.into_bigint().to_bytes_le()); let sig_s = (x * k) + r; - Signature::new(sig_r, sig_s) + Ok(Signature::new(sig_r, sig_s)) } } @@ -181,17 +181,17 @@ where ) -> Result<(), Error> { let mut poseidon = PoseidonSponge::new(poseidon); - let (sig_r_x, sig_r_y) = signature.r().xy().unwrap(); + let (sig_r_x, sig_r_y) = signature.r().xy().ok_or(Error::Coordinates)?; poseidon.absorb(sig_r_x); poseidon.absorb(sig_r_y); - let (pk_x, pk_y) = self.0.xy().unwrap(); + let (pk_x, pk_y) = self.0.xy().ok_or(Error::Coordinates)?; poseidon.absorb(pk_x); poseidon.absorb(pk_y); poseidon.absorb(message); // use poseidon over Fq, so that it can be done too in-circuit let k = poseidon.squeeze_field_elements::(1); - let k = k.first().unwrap(); + let k = k.first().ok_or(Error::BadDigestOutput)?; let kx_b = self.0.mul_bigint(k.into_bigint()); let s_b = Affine::::generator() * signature.s(); diff --git a/src/lib.rs b/src/lib.rs index acc9157..e4958ad 100644 --- a/src/lib.rs +++ b/src/lib.rs @@ -19,6 +19,7 @@ pub(crate) fn from_digest(digest: D) -> F { #[derive(Clone, Copy, Debug, Eq, PartialEq)] pub enum Error { + Coordinates, Verify, BadDigestOutput, } @@ -26,6 +27,7 @@ pub enum Error { impl core::fmt::Display for Error { fn fmt(&self, f: &mut core::fmt::Formatter) -> core::fmt::Result { match *self { + Error::Coordinates => write!(f, "Could not obtain the coordinates of a point"), Error::Verify => write!(f, "Signature verification failed"), Error::BadDigestOutput => write!(f, "Bad digest output size"), } @@ -68,7 +70,7 @@ mod test { let signing_key = SigningKey::::generate::(&mut OsRng).unwrap(); let message_raw = b"xxx yyy <<< zzz >>> bunny"; let message = TE::BaseField::from_le_bytes_mod_order(message_raw); - let signature = signing_key.sign::(&poseidon, &message); + let signature = signing_key.sign::(&poseidon, &message).unwrap(); let public_key = signing_key.public_key(); public_key.verify(&poseidon, &message, &signature).unwrap(); } diff --git a/src/signature.rs b/src/signature.rs index 3cc1819..65ea776 100644 --- a/src/signature.rs +++ b/src/signature.rs @@ -6,8 +6,8 @@ use ark_serialize::CanonicalSerialize; /// `SignatureComponents` contains the realized parts of a signature #[derive(Copy, Clone, Debug, CanonicalSerialize, CanonicalDeserialize)] pub struct Signature { - pub r: Affine, - pub s: TE::ScalarField, + r: Affine, + s: TE::ScalarField, } impl Signature {