Add zkp

Author: survived

Cargo.toml

@@ -3,4 +3,5 @@ members = [
   "generic-ec",
   "generic-ec-core",
   "generic-ec-curves",
+  "generic-ec-zkp",
 ]

generic-ec-core/src/lib.rs

@@ -11,7 +11,9 @@ use zeroize::Zeroize;
 pub mod coords;
 pub mod hash_to_curve;
 
-pub trait Curve: Debug + Copy + Eq + Ord + Hash + Default + Sync + Send {
+pub trait Curve: Debug + Copy + Eq + Ord + Hash + Default + Sync + Send + 'static {
+    const CURVE_NAME: &'static str;
+
     type Point: Additive
         + From<CurveGenerator>
         + Zero

generic-ec-zkp/Cargo.toml

@@ -0,0 +1,17 @@
+[package]
+name = "generic-ec-zkp"
+version = "0.1.0"
+edition = "2021"
+
+# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
+
+[dependencies]
+generic-ec = { path = "../generic-ec" }
+
+subtle = "2.4"
+digest = "0.10"
+rand_core = "0.6"
+
+[dev-dependencies]
+rand = "0.8"
+sha2 = "0.10"

generic-ec-zkp/src/hash_commitment.rs

@@ -0,0 +1,304 @@
+//! Hash commitment
+//!
+//! Hash commitment is a procedure that allows player $\P$ to commit some value (scalar, point, byte string, etc.),
+//! and reveal it later on. Player $\V$ can verify that commitment matches revealed value.
+//!
+//! ## Example
+//!
+//! 1. $\P$ commits some data (point, scalars, slices, whatever that can be represented as bytes):
+//!    ```rust
+//!    # use generic_ec::{Point, Scalar, Curve};
+//!    # use generic_ec_zkp::hash_commitment::HashCommit;
+//!    # use sha2::Sha256; use rand::rngs::OsRng;
+//!    #
+//!    # fn doc_fn<E: Curve>() {
+//!    let point: Point<E> = some_point();
+//!    let scalars: &[Scalar<E>] = some_scalars();
+//!    let arbitrary_data: &[&[u8]] = some_arbitrary_data();
+//!
+//!    let (commit, decommit) = HashCommit::<Sha256>::builder()
+//!        .mix(point)
+//!        .mix_many(scalars)
+//!        .mix_many_bytes(arbitrary_data)
+//!        .commit(&mut OsRng);
+//!    # }
+//!    # fn some_point<E: Curve>() -> Point<E> { unimplemented!() }
+//!    # fn some_scalars<T>() -> T { unimplemented!() }
+//!    # fn some_arbitrary_data<T>() -> T { unimplemented!() }
+//!    ```
+//! 2. $\P$ sends `commit` to $\V$
+//! 3. At some point, $\P$ chooses to reveal committed data. It sends data + `decommit` to $\V$.
+//!
+//!    $\V$ verifies that revealed data matches `commit`:
+//!
+//!    ```rust
+//!    # use generic_ec::{Point, Scalar, Curve};
+//!    # use generic_ec_zkp::hash_commitment::{HashCommit, DecommitNonce, MismatchedRevealedData};
+//!    # use sha2::Sha256;
+//!    #
+//!    # fn doc_fn<E: Curve>() -> Result<(), MismatchedRevealedData> {
+//!    # let commit: HashCommit<Sha256> = unimplemented!();
+//!    # let (point, scalars, arbitrary_data): (Point<E>, &[Scalar<E>], &[&[u8]]) = unimplemented!();
+//!    # let decommit: DecommitNonce<Sha256> = unimplemented!();
+//!    HashCommit::<Sha256>::builder()
+//!        .mix(point)
+//!        .mix_many(scalars)
+//!        .mix_many_bytes(arbitrary_data)
+//!        .verify(&commit, &decommit)?;
+//!    # }
+//!    ```
+//!
+//! ## Algorithm
+//! Underlying algorithm is based on hash function $\H$. To commit data, we sample a large random nonce,
+//! and hash it along with data. When we hash bytestrings, we prepend its length to it, in that way we
+//! ensure that there's only one set of inputs that can be decommitted.
+//!
+//! Roughly, algorithm is:
+//!
+//! 1. $commit(i_1, \dots, i_n) =$ \
+//!    1. $\mathit{nonce} \gets \\{0,1\\}^k$
+//!    2. $\text{return}\ \H(\dots \\| \text{u32\\_to\\_be}(\mathit{len}(i_j)) \\| i_j \\| \dots \\| \mathit{nonce}), \mathit{nonce}$
+//!
+//! 2. $decommit(commit, nonce, i_1, \dots, i_n) =$
+//!    1. $\text{return}\ \H(\dots \\| \text{u32\\_to\\_be}(\mathit{len}(i_j)) \\| i_j \\| \dots \\| nonce) \\? commit$
+
+use digest::{generic_array::GenericArray, Digest, Output};
+use rand_core::RngCore;
+use subtle::ConstantTimeEq;
+
+use generic_ec::{Curve, Point, Scalar};
+
+/// Builder for commitment/verification
+pub struct Builder<D: Digest>(D);
+
+impl<D: Digest> Builder<D> {
+    /// Creates an instance of [`Builder`]
+    pub fn new() -> Self {
+        Self(D::new())
+    }
+
+    /// Mixes value serialized to bytes into commitment
+    ///
+    /// You can use this method with [`Point<E>`](Point) or [`Scalar<E>`](Scalar). Also you can
+    /// implement [`EncodesToBytes`] for your own types.
+    ///
+    /// ```rust
+    /// use generic_ec::{Point, Scalar};
+    /// use generic_ec_zkp::hash_commitment::HashCommit;
+    /// # use sha2::Sha256;
+    /// # use rand::rngs::OsRng;
+    ///
+    /// # use generic_ec::Curve;
+    /// # fn doc_fn<E: Curve>() {
+    /// let point: Point<E> = some_point();
+    /// let scalar: Scalar<E> = some_scalar();
+    ///
+    /// let (commit, decommit) = HashCommit::<Sha256>::builder()
+    ///     .mix(point)
+    ///     .mix(scalar)
+    ///     .commit(&mut OsRng);
+    /// # }
+    /// # fn some_point<E: Curve>() -> Point<E> { unimplemented!() }
+    /// # fn some_scalar<E: Curve>() -> Scalar<E> { unimplemented!() }
+    /// ```
+    ///
+    /// ## Panics
+    /// Panics if serialized value length exceeds `u32::MAX`. On most of modern systems, it's not
+    /// possible to allocate such large chunk of memory.
+    pub fn mix<T>(self, encodable: T) -> Self
+    where
+        T: EncodesToBytes,
+    {
+        self.mix_bytes(encodable.to_bytes())
+    }
+
+    /// Mixes values serialized to bytes into commitment
+    ///
+    /// ```rust
+    /// use generic_ec::Point;
+    /// use generic_ec_zkp::hash_commitment::HashCommit;
+    /// # use sha2::Sha256;
+    /// # use rand::rngs::OsRng;
+    ///
+    /// # use generic_ec::Curve;
+    /// # fn doc_fn<E: Curve>() {
+    /// let points: Vec<Point<E>> = some_points();
+    ///
+    /// let (commit, decommit) = HashCommit::<Sha256>::builder()
+    ///     .mix_many(&points)
+    ///     .commit(&mut OsRng);
+    /// # }
+    /// # fn some_points<E: Curve>() -> Vec<Point<E>> { unimplemented!() }
+    /// ```
+    ///
+    /// ## Panics
+    /// Panics if number of values exceeds `u32::MAX` or if any of serialized values length exceeds
+    /// `u32::MAX`.
+    pub fn mix_many<T>(mut self, encodables: &[T]) -> Self
+    where
+        T: EncodesToBytes,
+    {
+        let len: u32 = encodables
+            .len()
+            .try_into()
+            .expect("encodables len exceeds u32::MAX");
+        self = self.mix_bytes(len.to_be_bytes());
+        for encodable in encodables {
+            self = self.mix(encodable);
+        }
+        self
+    }
+
+    /// Mixes bytes into commitment
+    ///
+    /// ```rust
+    /// use generic_ec_zkp::hash_commitment::HashCommit;
+    /// # use sha2::Sha256;
+    /// # use rand::rngs::OsRng;
+    ///
+    /// # use generic_ec::Curve;
+    /// # fn doc_fn<E: Curve>() {
+    /// let (commit, decommit) = HashCommit::<Sha256>::builder()
+    ///     .mix_bytes(b"some message")
+    ///     .commit(&mut OsRng);
+    /// # }
+    /// ```
+    ///
+    /// ## Panics
+    /// Panics if `data` length exceeds `u32::MAX`. On most of modern systems, it's not possible
+    /// to allocate such large chuck of memory.
+    pub fn mix_bytes(self, data: impl AsRef<[u8]>) -> Self {
+        let data_len: u32 = data
+            .as_ref()
+            .len()
+            .try_into()
+            .expect("data len exceeds u32::MAX");
+        Self(
+            self.0
+                .chain_update(data_len.to_be_bytes())
+                .chain_update(data),
+        )
+    }
+
+    /// Mixes list of byte strings into commitment
+    ///
+    /// ```rust
+    /// use generic_ec_zkp::hash_commitment::HashCommit;
+    /// # use sha2::Sha256;
+    /// # use rand::rngs::OsRng;
+    ///
+    /// # use generic_ec::Curve;
+    /// # fn doc_fn<E: Curve>() {
+    /// let (commit, decommit) = HashCommit::<Sha256>::builder()
+    ///     .mix_many_bytes(&[b"some message", b"another message"])
+    ///     .commit(&mut OsRng);
+    /// # }
+    /// ```
+    ///
+    /// ## Panics
+    /// Panics if `list` length exceeds `u32::MAX` or if length of any item of the list exceeds
+    /// `u32::MAX`.
+    pub fn mix_many_bytes(mut self, list: &[&[u8]]) -> Self {
+        let list_len: u32 = list.len().try_into().expect("list len exceeds u32::MAX");
+        self = self.mix_bytes(list_len.to_be_bytes());
+        for item in list {
+            self = self.mix_bytes(item)
+        }
+        self
+    }
+
+    /// Performs commitment
+    ///
+    /// Decommitment nonce is generated from provided randomness source
+    pub fn commit<R: RngCore>(self, rng: &mut R) -> (HashCommit<D>, DecommitNonce<D>) {
+        let mut nonce = DecommitNonce::<D>::default();
+        rng.fill_bytes(&mut nonce.nonce);
+        (self.commit_with_fixed_nonce(&nonce), nonce)
+    }
+
+    /// Performs commitment with specified decommitment nonce
+    pub fn commit_with_fixed_nonce(mut self, nonce: &DecommitNonce<D>) -> HashCommit<D> {
+        self = self.mix_bytes(&nonce.nonce);
+        let resulting_hash = self.0.finalize();
+        HashCommit(resulting_hash)
+    }
+
+    /// Verifies that provided data matches commitment and decommitment
+    pub fn verify(
+        self,
+        commit: &HashCommit<D>,
+        nonce: &DecommitNonce<D>,
+    ) -> Result<(), MismatchedRevealedData> {
+        let should_be = self.commit_with_fixed_nonce(nonce);
+        if commit.0.ct_eq(&should_be.0).into() {
+            Ok(())
+        } else {
+            Err(MismatchedRevealedData)
+        }
+    }
+}
+
+/// Committed value
+#[derive(Clone)]
+pub struct HashCommit<D: Digest>(pub Output<D>);
+
+impl<D: Digest> HashCommit<D> {
+    pub fn builder() -> Builder<D> {
+        Builder::new()
+    }
+}
+
+/// Random nonce that was used to "blind" commitment
+#[derive(Clone)]
+pub struct DecommitNonce<D: Digest> {
+    pub nonce: GenericArray<u8, D::OutputSize>,
+}
+
+impl<D: Digest> Default for DecommitNonce<D> {
+    fn default() -> Self {
+        Self {
+            nonce: Default::default(),
+        }
+    }
+}
+
+/// Infallibly encodable to bytes
+///
+/// Used in [`hash_commitment::Builder`](Builder) methods [`mix`](Builder::mix) and [`mix_many`](Builder::mix_many) to convert given value to bytes.
+pub trait EncodesToBytes {
+    /// Value byte representation
+    type Bytes: AsRef<[u8]>;
+    /// Encodes value to bytes
+    fn to_bytes(&self) -> Self::Bytes;
+}
+
+impl<T: EncodesToBytes> EncodesToBytes for &T {
+    type Bytes = T::Bytes;
+    fn to_bytes(&self) -> Self::Bytes {
+        <T as EncodesToBytes>::to_bytes(*self)
+    }
+}
+
+impl<E: Curve> EncodesToBytes for Point<E> {
+    type Bytes = generic_ec::EncodedPoint<E>;
+    fn to_bytes(&self) -> Self::Bytes {
+        self.to_bytes(true)
+    }
+}
+
+impl<E: Curve> EncodesToBytes for Scalar<E> {
+    type Bytes = generic_ec::EncodedScalar<E>;
+    fn to_bytes(&self) -> Self::Bytes {
+        self.to_bytes()
+    }
+}
+
+impl EncodesToBytes for u16 {
+    type Bytes = [u8; 2];
+    fn to_bytes(&self) -> Self::Bytes {
+        self.to_be_bytes()
+    }
+}
+
+/// Error indicating that revealed data doesn't match commitment
+pub struct MismatchedRevealedData;

generic-ec-zkp/src/lib.rs

@@ -0,0 +1,2 @@
+pub mod hash_commitment;
+pub mod schnorr_pok;

generic-ec-zkp/src/schnorr_pok.rs

@@ -0,0 +1,151 @@
+//! Schnorr Proof of Knowledge $\Pi^\text{sch}$
+//!
+//! Schnorr Proof of Knowledge is an interactive $\Sigma$ protocol that lets prover $\P$ convince
+//! verifier $\V$ that it knows secret $x$ such as $X = x \cdot G$.
+//!
+//! ## Example
+//!
+//! 0. $\P$ knows a secret $x$ and wants to prove its knowledge.
+//!    ```rust
+//!    # use generic_ec::{Curve, SecretScalar, Point};
+//!    # use rand::rngs::OsRng;
+//!    # fn doc_fn<E: Curve>() {
+//!    let x = SecretScalar::<E>::random(&mut OsRng);
+//!    let X = Point::generator() * &x; // assumed to be known by verifier
+//!    # }
+//!    ```
+//! 1. $\P$ generates and commits an ephemeral secret. Committed secret is sent to $\V$.
+//!    ```rust
+//!    # use generic_ec::Curve;
+//!    # use generic_ec_zkp::schnorr_pok::*;
+//!    # use rand::rngs::OsRng;
+//!    # fn doc_fn<E: Curve>() {
+//!    let (eph_secret, commit) = prover_commits_ephemeral_secret::<E, _>(&mut OsRng);
+//!    send(commit);
+//!    # }
+//!    # fn send<T>(_: T) {}
+//!    ```
+//! 2. $\V$ receives commitment, and responds with challenge.
+//!    ```rust
+//!    # use generic_ec::Curve;
+//!    # use generic_ec_zkp::schnorr_pok::*;
+//!    # use rand::rngs::OsRng;
+//!    # fn doc_fn<E: Curve>() {
+//!    let commit: Commit<E> = receive();
+//!    let challenge = Challenge::<E>::generate(&mut OsRng);
+//!    send(challenge);
+//!    # }
+//!    # fn send<T>(_: T) {}
+//!    # fn receive<T>() -> T { unimplemented!() }
+//!    ```
+//! 3. $\P$ receives a challenge and responds with proof.
+//!    ```rust
+//!    # use generic_ec::{Curve, SecretScalar};
+//!    # use generic_ec_zkp::schnorr_pok::*;
+//!    # use rand::rngs::OsRng;
+//!    # fn doc_fn<E: Curve>() {
+//!    # let (eph_secret, x): (ProverSecret<E>, SecretScalar<E>) = recall();
+//!    let challenge: Challenge<E> = receive();
+//!    let proof = prove(&eph_secret, &challenge, &x);
+//!    send(proof);
+//!    # }
+//!    # fn send<T>(_: T) {}
+//!    # fn receive<T>() -> T { unimplemented!() }
+//!    # fn recall<T>() -> T { unimplemented!() }
+//!    ```
+//! 4. $\V$ receives a proof and verifies it.
+//!    ```rust
+//!    # use generic_ec::{Curve, Point};
+//!    # use generic_ec_zkp::schnorr_pok::*;
+//!    # use rand::rngs::OsRng;
+//!    # fn doc_fn<E: Curve>() {
+//!    # let (commit, challenge, X): (Commit<E>, Challenge<E>, Point<E>) = recall();
+//!    let proof: Proof<E> = receive();
+//!    proof.verify(&commit, &challenge, &X);
+//!    # }
+//!    # fn send<T>(_: T) {}
+//!    # fn receive<T>() -> T { unimplemented!() }
+//!    # fn recall<T>() -> T { unimplemented!() }
+//!    ```
+//!
+//! ## Algorithm
+//!
+//! Schnor PoK is defined as:
+//!
+//! * Prove
+//!   1. Prover samples $\alpha \gets \Z_q$ and sends $A = \alpha \cdot G$ to verifier
+//!   2. Verifier replies with $e \gets \Z_q$
+//!   3. Prover sends $z = \alpha + ex$
+//! * Verification \
+//!   Verifier checks that $z \cdot G \\? A + e \cdot X$
+
+use generic_ec::{Curve, Point, Scalar, SecretScalar};
+use rand_core::{CryptoRng, RngCore};
+use subtle::ConstantTimeEq;
+
+/// Committed prover ephemeral secret
+#[derive(Clone)]
+pub struct Commit<E: Curve>(pub Point<E>);
+
+/// Prover ephemeral secret
+pub struct ProverSecret<E: Curve> {
+    pub nonce: SecretScalar<E>,
+}
+
+/// Challenge generated by verifier
+pub struct Challenge<E: Curve> {
+    pub nonce: Scalar<E>,
+}
+
+impl<E: Curve> Challenge<E> {
+    /// Generates a random challenge
+    pub fn generate<R: RngCore>(rng: &mut R) -> Self {
+        Self {
+            nonce: Scalar::random(rng),
+        }
+    }
+}
+
+/// The proof that can convince $\V$ that $\P$ knows secret $x$
+#[derive(Clone)]
+pub struct Proof<E: Curve>(pub Scalar<E>);
+
+impl<E: Curve> Proof<E> {
+    /// Verifies that prover knows secret $x$ such as $X = x \cdot G$
+    #[allow(non_snake_case)]
+    pub fn verify(
+        &self,
+        commit: &Commit<E>,
+        challenge: &Challenge<E>,
+        X: &Point<E>,
+    ) -> Result<(), InvalidProof> {
+        let lhs = Point::generator() * self.0;
+        let rhs = commit.0 + challenge.nonce * X;
+        if lhs.ct_eq(&rhs).into() {
+            Ok(())
+        } else {
+            Err(InvalidProof)
+        }
+    }
+}
+
+/// Generates and commits prover ephemeral secret
+pub fn prover_commits_ephemeral_secret<E: Curve, R: RngCore + CryptoRng>(
+    rng: &mut R,
+) -> (ProverSecret<E>, Commit<E>) {
+    let secret = SecretScalar::random(rng);
+    let public = Point::generator() * &secret;
+    (ProverSecret { nonce: secret }, Commit(public))
+}
+
+/// Proves knowledge of `secret`
+pub fn prove<E: Curve>(
+    committed_secret: &ProverSecret<E>,
+    challenge: &Challenge<E>,
+    secret: impl AsRef<Scalar<E>>,
+) -> Proof<E> {
+    Proof(&committed_secret.nonce + challenge.nonce * secret.as_ref())
+}
+
+/// Invalid proof error
+pub struct InvalidProof;

generic-ec/src/arithmetic.rs

@@ -1,4 +1,4 @@
-use core::ops::{Add, Mul, Neg, Sub};
+use core::ops::{Add, AddAssign, Mul, MulAssign, Neg, Sub};
 
 use crate::{Curve, Generator, NonZero, Point, Scalar, SecretScalar};
 
@@ -298,6 +298,21 @@ macro_rules! impl_unary_ops {
     )*};
 }
 
+macro_rules! impl_op_assign {
+    ($($ty:ty, $trait:ident, $rhs:ty, $fn:ident, $op:tt),+,) => {$(
+        impl<E: Curve> $trait<$rhs> for $ty {
+            fn $fn(&mut self, rhs: $rhs) {
+                *self = *self $op rhs;
+            }
+        }
+        impl<E: Curve> $trait<&$rhs> for $ty {
+            fn $fn(&mut self, rhs: &$rhs) {
+                *self = *self $op rhs;
+            }
+        }
+    )+};
+}
+
 // Point <> Point, Point <> Scalar, Scalar <> Scalar arithmetic ops
 impl_binary_ops! {
     Add (Point<E>, add, Point<E> = Point<E>) laws::sum_of_points_is_valid_point,
@@ -374,6 +389,13 @@ impl_unary_ops! {
     Neg (neg NonZero<Scalar<E>>) scalar::neg_nonzero,
 }
 
+impl_op_assign! {
+    Point<E>, AddAssign, Point<E>, add_assign, +,
+    Point<E>, MulAssign, Scalar<E>, mul_assign, *,
+    Scalar<E>, AddAssign, Scalar<E>, add_assign, +,
+    Scalar<E>, MulAssign, Scalar<E>, mul_assign, *,
+}
+
 #[cfg(test)]
 #[allow(dead_code)]
 fn ensure_ops_implemented<E: Curve>(

generic-ec/src/point/mod.rs

@@ -1,3 +1,5 @@
+use core::iter::Sum;
+
 use subtle::{Choice, ConditionallySelectable, ConstantTimeEq, CtOption};
 
 use crate::{
@@ -128,3 +130,15 @@ impl<E: Curve> AsRef<Point<E>> for Point<E> {
         self
     }
 }
+
+impl<E: Curve> Sum for Point<E> {
+    fn sum<I: Iterator<Item = Self>>(iter: I) -> Self {
+        iter.fold(Point::zero(), |acc, p| acc + p)
+    }
+}
+
+impl<'a, E: Curve> Sum<&'a Point<E>> for Point<E> {
+    fn sum<I: Iterator<Item = &'a Point<E>>>(iter: I) -> Self {
+        iter.fold(Point::zero(), |acc, p| acc + p)
+    }
+}

generic-ec/src/scalar/mod.rs

@@ -140,3 +140,27 @@ impl<E: Curve> AsRef<Scalar<E>> for Scalar<E> {
         self
     }
 }
+
+impl<E: Curve> iter::Sum for Scalar<E> {
+    fn sum<I: Iterator<Item = Self>>(iter: I) -> Self {
+        iter.fold(Scalar::zero(), |acc, x| acc + x)
+    }
+}
+
+impl<'a, E: Curve> iter::Sum<&'a Scalar<E>> for Scalar<E> {
+    fn sum<I: Iterator<Item = &'a Self>>(iter: I) -> Self {
+        iter.fold(Scalar::zero(), |acc, x| acc + x)
+    }
+}
+
+impl<E: Curve> iter::Product for Scalar<E> {
+    fn product<I: Iterator<Item = Self>>(iter: I) -> Self {
+        iter.fold(Scalar::one(), |acc, x| acc * x)
+    }
+}
+
+impl<'a, E: Curve> iter::Product<&'a Scalar<E>> for Scalar<E> {
+    fn product<I: Iterator<Item = &'a Self>>(iter: I) -> Self {
+        iter.fold(Scalar::one(), |acc, x| acc * x)
+    }
+}

katex-header.html

@@ -33,6 +33,10 @@
                 "\\G": "\\mathbb{G}",
                 "\\T": "\\mathbb{T}",
                 "\\O": "\\mathcal{O}",
+                "\\P": "\\mathcal{P}",
+                "\\V": "\\mathcal{V}",
+                "\\H": "\\mathcal{H}",
+                "\\?": "\\stackrel{?}{=}",
             },
         });
     });