use ark_ec::AffineRepr; use ark_std::{ rand::{Rng, RngCore}, UniformRand, }; use std::marker::PhantomData; use crate::transcript::Transcript; use crate::utils::{naive_msm, vec_add, vector_elem_product}; pub struct Proof_elem { R: C, t1: C::ScalarField, t2: C::ScalarField, } pub struct Proof { R: C, u_: Vec, ru_: C::ScalarField, } pub struct Params { g: C, h: C, pub r_vec: Vec, } pub struct Pedersen { _phantom: PhantomData, } impl Pedersen { pub fn new_params(rng: &mut R, max: usize) -> Params { let h_scalar = C::ScalarField::rand(rng); let g: C = C::generator(); let r_vec: Vec = vec![C::rand(rng); max]; let params: Params = Params:: { g, h: g.mul(h_scalar).into(), r_vec, // will need 2 r: rE, rW }; params } pub fn commit_elem( rng: &mut R, params: &Params, v: &C::ScalarField, ) -> CommitmentElem { let r = C::ScalarField::rand(rng); let cm: C = (params.g.mul(v) + params.h.mul(r)).into(); CommitmentElem:: { cm, r } } pub fn commit( params: &Params, v: &Vec, r: &C::ScalarField, // random value is provided, in order to be choosen by other parts of the protocol ) -> Commitment { let cm = params.h.mul(r) + naive_msm(v, ¶ms.r_vec); Commitment::(cm.into()) } pub fn prove_elem( params: &Params, transcript: &mut Transcript, cm: C, v: C::ScalarField, r: C::ScalarField, ) -> Proof_elem { let r1 = transcript.get_challenge(b"r_1"); let r2 = transcript.get_challenge(b"r_2"); let R: C = (params.g.mul(r1) + params.h.mul(r2)).into(); transcript.add(b"cm", &cm); transcript.add(b"R", &R); let e = transcript.get_challenge(b"e"); let t1 = r1 + v * e; let t2 = r2 + r * e; Proof_elem:: { R, t1, t2 } } pub fn prove( params: &Params, transcript: &mut Transcript, cm: &Commitment, // TODO maybe it makes sense to not have a type wrapper and use directly C v: Vec, r: C::ScalarField, ) -> Proof { let r1 = transcript.get_challenge(b"r_1"); let d = transcript.get_challenge_vec(b"d", v.len()); let R: C = (params.h.mul(r1) + naive_msm(&d, ¶ms.r_vec)).into(); transcript.add(b"cm", &cm.0); transcript.add(b"R", &R); let e = transcript.get_challenge(b"e"); let u_ = vec_add(&vector_elem_product(&v, &e), &d); let ru_ = e * r + r1; Proof:: { R, u_, ru_ } } pub fn verify( params: &Params, transcript: &mut Transcript, cm: Commitment, proof: Proof, ) -> bool { // r1, d just to match Prover's transcript transcript.get_challenge(b"r_1"); transcript.get_challenge_vec(b"d", proof.u_.len()); transcript.add(b"cm", &cm.0); transcript.add(b"R", &proof.R); let e = transcript.get_challenge(b"e"); let lhs = proof.R + cm.0.mul(e); let rhs = params.h.mul(proof.ru_) + naive_msm(&proof.u_, ¶ms.r_vec); if lhs != rhs { return false; } true } pub fn verify_elem( params: &Params, transcript: &mut Transcript, cm: C, proof: Proof_elem, ) -> bool { // s1, s2 just to match Prover's transcript transcript.get_challenge(b"r_1"); transcript.get_challenge(b"r_2"); transcript.add(b"cm", &cm); transcript.add(b"R", &proof.R); let e = transcript.get_challenge(b"e"); let lhs = proof.R + cm.mul(e); let rhs = params.g.mul(proof.t1) + params.h.mul(proof.t2); if lhs != rhs { return false; } true } } pub struct Commitment(pub C); pub struct CommitmentElem { pub cm: C, pub r: C::ScalarField, } impl CommitmentElem { pub fn prove( &self, params: &Params, transcript: &mut Transcript, v: C::ScalarField, ) -> Proof_elem { Pedersen::::prove_elem(params, transcript, self.cm, v, self.r) } } #[cfg(test)] mod tests { use super::*; use ark_bn254::{g1::G1Affine, Fr}; use ark_ec::CurveGroup; use std::ops::Mul; #[test] fn test_pedersen_single_element() { let mut rng = ark_std::test_rng(); // setup params let params = Pedersen::::new_params( &mut rng, 0, /* 0, as here we don't use commit_vec */ ); // init Prover's transcript let mut transcript_p: Transcript = Transcript::::new(); // init Verifier's transcript let mut transcript_v: Transcript = Transcript::::new(); let v = Fr::rand(&mut rng); let cm = Pedersen::commit_elem(&mut rng, ¶ms, &v); let proof = cm.prove(¶ms, &mut transcript_p, v); // also can use: // let proof = Pedersen::prove_elem(¶ms, &mut transcript_p, cm.cm, v, cm.r); let v = Pedersen::verify_elem(¶ms, &mut transcript_v, cm.cm, proof); assert!(v); } #[test] fn test_pedersen_vector() { let mut rng = ark_std::test_rng(); const n: usize = 10; // setup params let params = Pedersen::::new_params(&mut rng, n); // init Prover's transcript let mut transcript_p: Transcript = Transcript::::new(); // init Verifier's transcript let mut transcript_v: Transcript = Transcript::::new(); let v: Vec = vec![Fr::rand(&mut rng); n]; let r: Fr = Fr::rand(&mut rng); let cm = Pedersen::commit(¶ms, &v, &r); let proof = Pedersen::prove(¶ms, &mut transcript_p, &cm, v, r); let v = Pedersen::verify(¶ms, &mut transcript_v, cm, proof); assert!(v); } }