arnaucube/sonobe
1
1
Fork 0
mirror of https://github.com/arnaucube/sonobe.git synced 2026-01-09 23:41:30 +01:00
Code Issues Projects Releases Wiki Activity

Add Pedersen::{commit,open,verify} MSM error handling (#34)

Browse Source
This commit is contained in:
arnaucube
2023-10-31 08:02:44 +01:00
committed by GitHub
parent 597ac27288
commit 8edea23c2f
9 changed files with 80 additions and 59 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
src/folding/hypernova/cccs.rs
View File

@@ -38,18 +38,18 @@ impl<C: CurveGroup> CCS<C> {
rng: &mut R, rng: &mut R,
pedersen_params: &PedersenParams<C>, pedersen_params: &PedersenParams<C>,
z: &[C::ScalarField], z: &[C::ScalarField],
) -> (CCCS<C>, Witness<C::ScalarField>) { ) -> Result<(CCCS<C>, Witness<C::ScalarField>), Error> {
let w: Vec<C::ScalarField> = z[(1 + self.l)..].to_vec(); let w: Vec<C::ScalarField> = z[(1 + self.l)..].to_vec();
let r_w = C::ScalarField::rand(rng); let r_w = C::ScalarField::rand(rng);
let C = Pedersen::<C>::commit(pedersen_params, &w, &r_w); let C = Pedersen::<C>::commit(pedersen_params, &w, &r_w)?;
( Ok((
CCCS::<C> { CCCS::<C> {
C, C,
x: z[1..(1 + self.l)].to_vec(), x: z[1..(1 + self.l)].to_vec(),
}, },
Witness::<C::ScalarField> { w, r_w }, Witness::<C::ScalarField> { w, r_w },
) ))
} }
/// Computes q(x) = \sum^q c_i * \prod_{j \in S_i} ( \sum_{y \in {0,1}^s'} M_j(x, y) * z(y) ) /// Computes q(x) = \sum^q c_i * \prod_{j \in S_i} ( \sum_{y \in {0,1}^s'} M_j(x, y) * z(y) )
@@ -109,7 +109,7 @@ impl<C: CurveGroup> CCCS<C> {
) -> Result<(), Error> { ) -> Result<(), Error> {
// check that C is the commitment of w. Notice that this is not verifying a Pedersen // check that C is the commitment of w. Notice that this is not verifying a Pedersen
// opening, but checking that the Commmitment comes from committing to the witness. // opening, but checking that the Commmitment comes from committing to the witness.
if self.C != Pedersen::commit(pedersen_params, &w.w, &w.r_w) { if self.C != Pedersen::commit(pedersen_params, &w.w, &w.r_w)? {
return Err(Error::NotSatisfied); return Err(Error::NotSatisfied);
} }

14
src/folding/hypernova/lcccs.rs
View File

@@ -40,15 +40,15 @@ impl<C: CurveGroup> CCS<C> {
rng: &mut R, rng: &mut R,
pedersen_params: &PedersenParams<C>, pedersen_params: &PedersenParams<C>,
z: &[C::ScalarField], z: &[C::ScalarField],
) -> (LCCCS<C>, Witness<C::ScalarField>) { ) -> Result<(LCCCS<C>, Witness<C::ScalarField>), Error> {
let w: Vec<C::ScalarField> = z[(1 + self.l)..].to_vec(); let w: Vec<C::ScalarField> = z[(1 + self.l)..].to_vec();
let r_w = C::ScalarField::rand(rng); let r_w = C::ScalarField::rand(rng);
let C = Pedersen::commit(pedersen_params, &w, &r_w); let C = Pedersen::commit(pedersen_params, &w, &r_w)?;
let r_x: Vec<C::ScalarField> = (0..self.s).map(|_| C::ScalarField::rand(rng)).collect(); let r_x: Vec<C::ScalarField> = (0..self.s).map(|_| C::ScalarField::rand(rng)).collect();
let v = self.compute_v_j(z, &r_x); let v = self.compute_v_j(z, &r_x);
( Ok((
LCCCS::<C> { LCCCS::<C> {
C, C,
u: C::ScalarField::one(), u: C::ScalarField::one(),
@@ -57,7 +57,7 @@ impl<C: CurveGroup> CCS<C> {
v, v,
}, },
Witness::<C::ScalarField> { w, r_w }, Witness::<C::ScalarField> { w, r_w },
) ))
} }
} }
@@ -94,7 +94,7 @@ impl<C: CurveGroup> LCCCS<C> {
) -> Result<(), Error> { ) -> Result<(), Error> {
// check that C is the commitment of w. Notice that this is not verifying a Pedersen // check that C is the commitment of w. Notice that this is not verifying a Pedersen
// opening, but checking that the Commmitment comes from committing to the witness. // opening, but checking that the Commmitment comes from committing to the witness.
if self.C != Pedersen::commit(pedersen_params, &w.w, &w.r_w) { if self.C != Pedersen::commit(pedersen_params, &w.w, &w.r_w)? {
return Err(Error::NotSatisfied); return Err(Error::NotSatisfied);
} }
@@ -129,7 +129,7 @@ pub mod tests {
ccs.check_relation(&z.clone()).unwrap(); ccs.check_relation(&z.clone()).unwrap();
let pedersen_params = Pedersen::<Projective>::new_params(&mut rng, ccs.n - ccs.l - 1); let pedersen_params = Pedersen::<Projective>::new_params(&mut rng, ccs.n - ccs.l - 1);
let (lcccs, _) = ccs.to_lcccs(&mut rng, &pedersen_params, &z); let (lcccs, _) = ccs.to_lcccs(&mut rng, &pedersen_params, &z).unwrap();
// with our test vector comming from R1CS, v should have length 3 // with our test vector comming from R1CS, v should have length 3
assert_eq!(lcccs.v.len(), 3); assert_eq!(lcccs.v.len(), 3);
@@ -160,7 +160,7 @@ pub mod tests {
let pedersen_params = Pedersen::<Projective>::new_params(&mut rng, ccs.n - ccs.l - 1); let pedersen_params = Pedersen::<Projective>::new_params(&mut rng, ccs.n - ccs.l - 1);
// Compute v_j with the right z // Compute v_j with the right z
let (lcccs, _) = ccs.to_lcccs(&mut rng, &pedersen_params, &z); let (lcccs, _) = ccs.to_lcccs(&mut rng, &pedersen_params, &z).unwrap();
// with our test vector comming from R1CS, v should have length 3 // with our test vector comming from R1CS, v should have length 3
assert_eq!(lcccs.v.len(), 3); assert_eq!(lcccs.v.len(), 3);

25
src/folding/hypernova/nimfs.rs
View File

@@ -373,8 +373,8 @@ pub mod tests {
#[test] #[test]
fn test_fold() { fn test_fold() {
let ccs = get_test_ccs(); let ccs = get_test_ccs();
let z1 = get_test_z(3); let z1 = get_test_z::<Fr>(3);
let z2 = get_test_z(4); let z2 = get_test_z::<Fr>(4);
ccs.check_relation(&z1).unwrap(); ccs.check_relation(&z1).unwrap();
ccs.check_relation(&z2).unwrap(); ccs.check_relation(&z2).unwrap();
@@ -386,8 +386,8 @@ pub mod tests {
let pedersen_params = Pedersen::<Projective>::new_params(&mut rng, ccs.n - ccs.l - 1); let pedersen_params = Pedersen::<Projective>::new_params(&mut rng, ccs.n - ccs.l - 1);
let (lcccs, w1) = ccs.to_lcccs(&mut rng, &pedersen_params, &z1); let (lcccs, w1) = ccs.to_lcccs(&mut rng, &pedersen_params, &z1).unwrap();
let (cccs, w2) = ccs.to_cccs(&mut rng, &pedersen_params, &z2); let (cccs, w2) = ccs.to_cccs(&mut rng, &pedersen_params, &z2).unwrap();
lcccs.check_relation(&pedersen_params, &ccs, &w1).unwrap(); lcccs.check_relation(&pedersen_params, &ccs, &w1).unwrap();
cccs.check_relation(&pedersen_params, &ccs, &w2).unwrap(); cccs.check_relation(&pedersen_params, &ccs, &w2).unwrap();
@@ -420,9 +420,9 @@ pub mod tests {
let z_2 = get_test_z(4); let z_2 = get_test_z(4);
// Create the LCCCS instance out of z_1 // Create the LCCCS instance out of z_1
let (running_instance, w1) = ccs.to_lcccs(&mut rng, &pedersen_params, &z_1); let (running_instance, w1) = ccs.to_lcccs(&mut rng, &pedersen_params, &z_1).unwrap();
// Create the CCCS instance out of z_2 // Create the CCCS instance out of z_2
let (new_instance, w2) = ccs.to_cccs(&mut rng, &pedersen_params, &z_2); let (new_instance, w2) = ccs.to_cccs(&mut rng, &pedersen_params, &z_2).unwrap();
// Prover's transcript // Prover's transcript
let mut transcript_p = IOPTranscript::<Fr>::new(b"multifolding"); let mut transcript_p = IOPTranscript::<Fr>::new(b"multifolding");
@@ -471,7 +471,8 @@ pub mod tests {
// LCCCS witness // LCCCS witness
let z_1 = get_test_z(2); let z_1 = get_test_z(2);
let (mut running_instance, mut w1) = ccs.to_lcccs(&mut rng, &pedersen_params, &z_1); let (mut running_instance, mut w1) =
ccs.to_lcccs(&mut rng, &pedersen_params, &z_1).unwrap();
let mut transcript_p = IOPTranscript::<Fr>::new(b"multifolding"); let mut transcript_p = IOPTranscript::<Fr>::new(b"multifolding");
let mut transcript_v = IOPTranscript::<Fr>::new(b"multifolding"); let mut transcript_v = IOPTranscript::<Fr>::new(b"multifolding");
@@ -486,7 +487,7 @@ pub mod tests {
let z_2 = get_test_z(i); let z_2 = get_test_z(i);
println!("z_2 {:?}", z_2); // DBG println!("z_2 {:?}", z_2); // DBG
let (new_instance, w2) = ccs.to_cccs(&mut rng, &pedersen_params, &z_2); let (new_instance, w2) = ccs.to_cccs(&mut rng, &pedersen_params, &z_2).unwrap();
// run the prover side of the multifolding // run the prover side of the multifolding
let (proof, folded_lcccs, folded_witness) = NIMFS::<Projective>::prove( let (proof, folded_lcccs, folded_witness) = NIMFS::<Projective>::prove(
@@ -550,7 +551,7 @@ pub mod tests {
let mut lcccs_instances = Vec::new(); let mut lcccs_instances = Vec::new();
let mut w_lcccs = Vec::new(); let mut w_lcccs = Vec::new();
for z_i in z_lcccs.iter() { for z_i in z_lcccs.iter() {
let (running_instance, w) = ccs.to_lcccs(&mut rng, &pedersen_params, z_i); let (running_instance, w) = ccs.to_lcccs(&mut rng, &pedersen_params, z_i).unwrap();
lcccs_instances.push(running_instance); lcccs_instances.push(running_instance);
w_lcccs.push(w); w_lcccs.push(w);
} }
@@ -558,7 +559,7 @@ pub mod tests {
let mut cccs_instances = Vec::new(); let mut cccs_instances = Vec::new();
let mut w_cccs = Vec::new(); let mut w_cccs = Vec::new();
for z_i in z_cccs.iter() { for z_i in z_cccs.iter() {
let (new_instance, w) = ccs.to_cccs(&mut rng, &pedersen_params, z_i); let (new_instance, w) = ccs.to_cccs(&mut rng, &pedersen_params, z_i).unwrap();
cccs_instances.push(new_instance); cccs_instances.push(new_instance);
w_cccs.push(w); w_cccs.push(w);
} }
@@ -640,7 +641,7 @@ pub mod tests {
let mut lcccs_instances = Vec::new(); let mut lcccs_instances = Vec::new();
let mut w_lcccs = Vec::new(); let mut w_lcccs = Vec::new();
for z_i in z_lcccs.iter() { for z_i in z_lcccs.iter() {
let (running_instance, w) = ccs.to_lcccs(&mut rng, &pedersen_params, z_i); let (running_instance, w) = ccs.to_lcccs(&mut rng, &pedersen_params, z_i).unwrap();
lcccs_instances.push(running_instance); lcccs_instances.push(running_instance);
w_lcccs.push(w); w_lcccs.push(w);
} }
@@ -648,7 +649,7 @@ pub mod tests {
let mut cccs_instances = Vec::new(); let mut cccs_instances = Vec::new();
let mut w_cccs = Vec::new(); let mut w_cccs = Vec::new();
for z_i in z_cccs.iter() { for z_i in z_cccs.iter() {
let (new_instance, w) = ccs.to_cccs(&mut rng, &pedersen_params, z_i); let (new_instance, w) = ccs.to_cccs(&mut rng, &pedersen_params, z_i).unwrap();
cccs_instances.push(new_instance); cccs_instances.push(new_instance);
w_cccs.push(w); w_cccs.push(w);
} }

4
src/folding/hypernova/utils.rs
View File

@@ -269,7 +269,7 @@ pub mod tests {
// Initialize a multifolding object // Initialize a multifolding object
let pedersen_params = Pedersen::new_params(&mut rng, ccs.n - ccs.l - 1); let pedersen_params = Pedersen::new_params(&mut rng, ccs.n - ccs.l - 1);
let (lcccs_instance, _) = ccs.to_lcccs(&mut rng, &pedersen_params, &z1); let (lcccs_instance, _) = ccs.to_lcccs(&mut rng, &pedersen_params, &z1).unwrap();
let sigmas_thetas = let sigmas_thetas =
compute_sigmas_and_thetas(&ccs, &[z1.clone()], &[z2.clone()], &r_x_prime); compute_sigmas_and_thetas(&ccs, &[z1.clone()], &[z2.clone()], &r_x_prime);
@@ -312,7 +312,7 @@ pub mod tests {
// Initialize a multifolding object // Initialize a multifolding object
let pedersen_params = Pedersen::new_params(&mut rng, ccs.n - ccs.l - 1); let pedersen_params = Pedersen::new_params(&mut rng, ccs.n - ccs.l - 1);
let (lcccs_instance, _) = ccs.to_lcccs(&mut rng, &pedersen_params, &z1); let (lcccs_instance, _) = ccs.to_lcccs(&mut rng, &pedersen_params, &z1).unwrap();
let mut sum_v_j_gamma = Fr::zero(); let mut sum_v_j_gamma = Fr::zero();
for j in 0..lcccs_instance.v.len() { for j in 0..lcccs_instance.v.len() {

6
src/folding/nova/circuits.rs
View File

@@ -424,8 +424,8 @@ mod tests {
let pedersen_params = Pedersen::<Projective>::new_params(&mut rng, r1cs.A.n_rows); let pedersen_params = Pedersen::<Projective>::new_params(&mut rng, r1cs.A.n_rows);
// compute committed instances // compute committed instances
let ci1 = w1.commit(&pedersen_params, x1.clone()); let ci1 = w1.commit(&pedersen_params, x1.clone()).unwrap();
let ci2 = w2.commit(&pedersen_params, x2.clone()); let ci2 = w2.commit(&pedersen_params, x2.clone()).unwrap();
// get challenge from transcript // get challenge from transcript
let poseidon_config = poseidon_test_config::<Fr>(); let poseidon_config = poseidon_test_config::<Fr>();
@@ -695,7 +695,7 @@ mod tests {
// compute committed instances, w_{i+1}, u_{i+1}, which will be used as w_i, u_i, so we // compute committed instances, w_{i+1}, u_{i+1}, which will be used as w_i, u_i, so we
// assign them directly to w_i, u_i. // assign them directly to w_i, u_i.
w_i = Witness::<Projective>::new(w_i1.clone(), r1cs.A.n_rows); w_i = Witness::<Projective>::new(w_i1.clone(), r1cs.A.n_rows);
u_i = w_i.commit(&pedersen_params, vec![u_i1_x]); u_i = w_i.commit(&pedersen_params, vec![u_i1_x]).unwrap();
check_instance_relation(&r1cs, &w_i, &u_i).unwrap(); check_instance_relation(&r1cs, &w_i, &u_i).unwrap();
check_instance_relation(&r1cs, &W_i1, &U_i1).unwrap(); check_instance_relation(&r1cs, &W_i1, &U_i1).unwrap();

10
src/folding/nova/mod.rs
View File

@@ -92,18 +92,18 @@ where
&self, &self,
params: &PedersenParams<C>, params: &PedersenParams<C>,
x: Vec<C::ScalarField>, x: Vec<C::ScalarField>,
) -> CommittedInstance<C> { ) -> Result<CommittedInstance<C>, Error> {
let mut cmE = C::zero(); let mut cmE = C::zero();
if !is_zero_vec::<C::ScalarField>(&self.E) { if !is_zero_vec::<C::ScalarField>(&self.E) {
cmE = Pedersen::commit(params, &self.E, &self.rE); cmE = Pedersen::commit(params, &self.E, &self.rE)?;
} }
let cmW = Pedersen::commit(params, &self.W, &self.rW); let cmW = Pedersen::commit(params, &self.W, &self.rW)?;
CommittedInstance { Ok(CommittedInstance {
cmE, cmE,
u: C::ScalarField::one(), u: C::ScalarField::one(),
cmW, cmW,
x, x,
} })
} }
} }

27
src/folding/nova/nifs.rs
View File

@@ -103,7 +103,7 @@ where
// compute cross terms // compute cross terms
let T = Self::compute_T(r1cs, ci1.u, ci2.u, &z1, &z2)?; let T = Self::compute_T(r1cs, ci1.u, ci2.u, &z1, &z2)?;
let rT = C::ScalarField::one(); // use 1 as rT since we don't need hiding property for cm(T) let rT = C::ScalarField::one(); // use 1 as rT since we don't need hiding property for cm(T)
let cmT = Pedersen::commit(pedersen_params, &T, &rT); let cmT = Pedersen::commit(pedersen_params, &T, &rT)?;
// fold witness // fold witness
let w3 = NIFS::<C>::fold_witness(r, w1, w2, &T, rT)?; let w3 = NIFS::<C>::fold_witness(r, w1, w2, &T, rT)?;
@@ -170,12 +170,9 @@ where
// cm_proofs should have length 3: [cmE_proof, cmW_proof, cmT_proof] // cm_proofs should have length 3: [cmE_proof, cmW_proof, cmT_proof]
return Err(Error::NotExpectedLength); return Err(Error::NotExpectedLength);
} }
if !Pedersen::verify(pedersen_params, tr, ci.cmE, cm_proofs[0].clone()) Pedersen::verify(pedersen_params, tr, ci.cmE, cm_proofs[0].clone())?;
|| !Pedersen::verify(pedersen_params, tr, ci.cmW, cm_proofs[1].clone()) Pedersen::verify(pedersen_params, tr, ci.cmW, cm_proofs[1].clone())?;
|| !Pedersen::verify(pedersen_params, tr, cmT, cm_proofs[2].clone()) Pedersen::verify(pedersen_params, tr, cmT, cm_proofs[2].clone())?;
{
return Err(Error::CommitmentVerificationFail);
}
Ok(()) Ok(())
} }
} }
@@ -210,7 +207,9 @@ pub mod tests {
// dummy instance, witness and public inputs zeroes // dummy instance, witness and public inputs zeroes
let w_dummy = Witness::<Projective>::new(vec![Fr::zero(); w1.len()], r1cs.A.n_rows); let w_dummy = Witness::<Projective>::new(vec![Fr::zero(); w1.len()], r1cs.A.n_rows);
let mut u_dummy = w_dummy.commit(&pedersen_params, vec![Fr::zero(); x1.len()]); let mut u_dummy = w_dummy
.commit(&pedersen_params, vec![Fr::zero(); x1.len()])
.unwrap();
u_dummy.u = Fr::zero(); u_dummy.u = Fr::zero();
let w_i = w_dummy.clone(); let w_i = w_dummy.clone();
@@ -250,8 +249,8 @@ pub mod tests {
let r = Fr::rand(&mut rng); // folding challenge would come from the transcript let r = Fr::rand(&mut rng); // folding challenge would come from the transcript
// compute committed instances // compute committed instances
let ci1 = w1.commit(&pedersen_params, x1.clone()); let ci1 = w1.commit(&pedersen_params, x1.clone()).unwrap();
let ci2 = w2.commit(&pedersen_params, x2.clone()); let ci2 = w2.commit(&pedersen_params, x2.clone()).unwrap();
// NIFS.P // NIFS.P
let (w3, ci3_aux, T, cmT) = let (w3, ci3_aux, T, cmT) =
@@ -273,7 +272,7 @@ pub mod tests {
// check that folded commitments from folded instance (ci) are equal to folding the // check that folded commitments from folded instance (ci) are equal to folding the
// use folded rE, rW to commit w3 // use folded rE, rW to commit w3
let ci3_expected = w3.commit(&pedersen_params, ci3.x.clone()); let ci3_expected = w3.commit(&pedersen_params, ci3.x.clone()).unwrap();
assert_eq!(ci3_expected.cmE, ci3.cmE); assert_eq!(ci3_expected.cmE, ci3.cmE);
assert_eq!(ci3_expected.cmW, ci3.cmW); assert_eq!(ci3_expected.cmW, ci3.cmW);
@@ -322,7 +321,8 @@ pub mod tests {
// prepare the running instance // prepare the running instance
let mut running_instance_w = Witness::<Projective>::new(w.clone(), r1cs.A.n_rows); let mut running_instance_w = Witness::<Projective>::new(w.clone(), r1cs.A.n_rows);
let mut running_committed_instance = running_instance_w.commit(&pedersen_params, x); let mut running_committed_instance =
running_instance_w.commit(&pedersen_params, x).unwrap();
assert!(check_relaxed_r1cs( assert!(check_relaxed_r1cs(
&r1cs, &r1cs,
&z, &z,
@@ -336,7 +336,8 @@ pub mod tests {
let incomming_instance_z = get_test_z(i + 4); let incomming_instance_z = get_test_z(i + 4);
let (w, x) = r1cs.split_z(&incomming_instance_z); let (w, x) = r1cs.split_z(&incomming_instance_z);
let incomming_instance_w = Witness::<Projective>::new(w.clone(), r1cs.A.n_rows); let incomming_instance_w = Witness::<Projective>::new(w.clone(), r1cs.A.n_rows);
let incomming_committed_instance = incomming_instance_w.commit(&pedersen_params, x); let incomming_committed_instance =
incomming_instance_w.commit(&pedersen_params, x).unwrap();
assert!(check_relaxed_r1cs( assert!(check_relaxed_r1cs(
&r1cs, &r1cs,
&incomming_instance_z.clone(), &incomming_instance_z.clone(),

6
src/lib.rs
View File

@@ -31,8 +31,10 @@ pub enum Error {
NotExpectedLength, NotExpectedLength,
#[error("Can not be empty")] #[error("Can not be empty")]
Empty, Empty,
#[error("Commitment verification failed")] #[error("Pedersen parameters length is not suficient")]
CommitmentVerificationFail, PedersenParamsLen,
#[error("Pedersen verification failed")]
PedersenVerificationFail,
} }
/// FoldingScheme defines trait that is implemented by the diverse folding schemes. It is defined /// FoldingScheme defines trait that is implemented by the diverse folding schemes. It is defined

37
src/pedersen.rs
View File

@@ -37,9 +37,17 @@ impl<C: CurveGroup> Pedersen<C> {
params params
} }
pub fn commit(params: &Params<C>, v: &Vec<C::ScalarField>, r: &C::ScalarField) -> C { pub fn commit(
params: &Params<C>,
v: &Vec<C::ScalarField>,
r: &C::ScalarField,
) -> Result<C, Error> {
if params.generators.len() < v.len() {
return Err(Error::PedersenParamsLen);
}
// h⋅r + <g, v> // h⋅r + <g, v>
params.h.mul(r) + C::msm(&params.generators[..v.len()], v).unwrap() // use msm_unchecked because we already ensured at the if that lengths match
Ok(params.h.mul(r) + C::msm_unchecked(&params.generators[..v.len()], v))
} }
pub fn prove( pub fn prove(
@@ -49,12 +57,17 @@ impl<C: CurveGroup> Pedersen<C> {
v: &Vec<C::ScalarField>, v: &Vec<C::ScalarField>,
r: &C::ScalarField, r: &C::ScalarField,
) -> Result<Proof<C>, Error> { ) -> Result<Proof<C>, Error> {
if params.generators.len() < v.len() {
return Err(Error::PedersenParamsLen);
}
transcript.absorb_point(cm); transcript.absorb_point(cm);
let r1 = transcript.get_challenge(); let r1 = transcript.get_challenge();
let d = transcript.get_challenges(v.len()); let d = transcript.get_challenges(v.len());
// R = h⋅r_1 + <g, d> // R = h⋅r_1 + <g, d>
let R: C = params.h.mul(r1) + C::msm(&params.generators[..d.len()], &d).unwrap(); // use msm_unchecked because we already ensured at the if that lengths match
let R: C = params.h.mul(r1) + C::msm_unchecked(&params.generators[..d.len()], &d);
transcript.absorb_point(&R); transcript.absorb_point(&R);
let e = transcript.get_challenge(); let e = transcript.get_challenge();
@@ -72,7 +85,11 @@ impl<C: CurveGroup> Pedersen<C> {
transcript: &mut impl Transcript<C>, transcript: &mut impl Transcript<C>,
cm: C, cm: C,
proof: Proof<C>, proof: Proof<C>,
) -> bool { ) -> Result<(), Error> {
if params.generators.len() < proof.u.len() {
return Err(Error::PedersenParamsLen);
}
transcript.absorb_point(&cm); transcript.absorb_point(&cm);
transcript.get_challenge(); // r_1 transcript.get_challenge(); // r_1
transcript.get_challenges(proof.u.len()); // d transcript.get_challenges(proof.u.len()); // d
@@ -81,12 +98,13 @@ impl<C: CurveGroup> Pedersen<C> {
// check that: R + cm == h⋅r_u + <g, u> // check that: R + cm == h⋅r_u + <g, u>
let lhs = proof.R + cm.mul(e); let lhs = proof.R + cm.mul(e);
// use msm_unchecked because we already ensured at the if that lengths match
let rhs = params.h.mul(proof.r_u) let rhs = params.h.mul(proof.r_u)
+ C::msm(&params.generators[..proof.u.len()], &proof.u).unwrap(); + C::msm_unchecked(&params.generators[..proof.u.len()], &proof.u);
if lhs != rhs { if lhs != rhs {
return false; return Err(Error::PedersenVerificationFail);
} }
true Ok(())
} }
} }
@@ -113,9 +131,8 @@ mod tests {
let v: Vec<Fr> = vec![Fr::rand(&mut rng); n]; let v: Vec<Fr> = vec![Fr::rand(&mut rng); n];
let r: Fr = Fr::rand(&mut rng); let r: Fr = Fr::rand(&mut rng);
let cm = Pedersen::<Projective>::commit(&params, &v, &r); let cm = Pedersen::<Projective>::commit(&params, &v, &r).unwrap();
let proof = Pedersen::<Projective>::prove(&params, &mut transcript_p, &cm, &v, &r).unwrap(); let proof = Pedersen::<Projective>::prove(&params, &mut transcript_p, &cm, &v, &r).unwrap();
let v = Pedersen::<Projective>::verify(&params, &mut transcript_v, cm, proof); Pedersen::<Projective>::verify(&params, &mut transcript_v, cm, proof).unwrap();
assert!(v);
} }
} }