Skip to content

Commit

Permalink
Coconut Proof allows empty blinding messages (#21)
Browse files Browse the repository at this point in the history 
* allow empty messages on coconut UnpackedBlindedMessages

* use j instead of i

* chal_bytes is used for both prover and verifier

* pass empty blinded_messages

* commit 05f02df

* fmt
  • Loading branch information
@grandchildrice
grandchildrice authored Nov 6, 2023
1 parent ef3650a commit 25b7339
Show file tree
Hide file tree
Showing 4 changed files with 107 additions and 125 deletions.
4 changes: 2 additions & 2 deletions benches/benches/ps_proof.rs
View file
Original file line number Diff line number Diff line change
Expand Up @@ -76,7 +76,7 @@ fn pok_sig_benchmark(c: &mut Criterion) {
let sig = &sigs_range[i];

let mut prove_group = c.benchmark_group(format!("Creating proof for Proof-of-knowledge of signature and corresponding multi-message of size {}", count));
for (_j, r_count) in k.iter().enumerate() {
for (j, r_count) in k.iter().enumerate() {
prove_group.bench_with_input(
BenchmarkId::from_parameter(format!("Revealing {} messages", r_count)),
&r_count,
Expand All @@ -89,7 +89,7 @@ fn pok_sig_benchmark(c: &mut Criterion) {
.iter()
.enumerate()
.merge_join_by(
revealed_indices[i].iter(),
revealed_indices[j].iter(),
|(m_idx, _), reveal_idx| m_idx.cmp(reveal_idx),
)
.map(|either| match either {
Expand Down
131 changes: 58 additions & 73 deletions coconut/src/proof/messages_pok/mod.rs
View file
Original file line number Diff line number Diff line change
Expand Up @@ -230,17 +230,14 @@ mod tests {

let pok = MessagesPoKGenerator::init(&mut rng, &messages, &params, &h).unwrap();

let mut chal_bytes_prover = vec![];
pok.challenge_contribution(&mut chal_bytes_prover, &params, &h)
let mut chal_bytes = vec![];
pok.challenge_contribution(&mut chal_bytes, &params, &h)
.unwrap();
let challenge_prover =
compute_random_oracle_challenge::<Fr, Blake2b512>(&chal_bytes_prover);
let challenge = compute_random_oracle_challenge::<Fr, Blake2b512>(&chal_bytes);

let proof = pok.clone().gen_proof(&challenge_prover).unwrap();
let proof = pok.clone().gen_proof(&challenge).unwrap();

proof
.verify(&challenge_prover, empty(), &params, &h)
.unwrap();
proof.verify(&challenge, empty(), &params, &h).unwrap();
}
}

Expand Down Expand Up @@ -269,21 +266,15 @@ mod tests {

assert_eq!(messages.len() / 2, pok.com_j.len());

let mut chal_bytes_prover = vec![];
pok.challenge_contribution(&mut chal_bytes_prover, &params, &h)
let mut chal_bytes = vec![];
pok.challenge_contribution(&mut chal_bytes, &params, &h)
.unwrap();
let challenge_prover =
compute_random_oracle_challenge::<Fr, Blake2b512>(&chal_bytes_prover);
let challenge = compute_random_oracle_challenge::<Fr, Blake2b512>(&chal_bytes);

let proof = pok.clone().gen_proof(&challenge_prover).unwrap();
let proof = pok.clone().gen_proof(&challenge).unwrap();

proof
.verify(
&challenge_prover,
(0..messages.len()).step_by(2),
&params,
&h,
)
.verify(&challenge, (0..messages.len()).step_by(2), &params, &h)
.unwrap();
}
}
Expand Down Expand Up @@ -385,17 +376,16 @@ mod tests {

assert_eq!(messages.len() / 2, pok.com_j.len());

let mut chal_bytes_prover = vec![];
pok.challenge_contribution(&mut chal_bytes_prover, &params, &h)
let mut chal_bytes = vec![];
pok.challenge_contribution(&mut chal_bytes, &params, &h)
.unwrap();
let challenge_prover =
compute_random_oracle_challenge::<Fr, Blake2b512>(&chal_bytes_prover);
let challenge = compute_random_oracle_challenge::<Fr, Blake2b512>(&chal_bytes);

let proof = pok.clone().gen_proof(&challenge_prover).unwrap();
let proof = pok.clone().gen_proof(&challenge).unwrap();
let mut indices = (0..messages.len()).step_by(2).rev();

assert_eq!(
proof.verify(&challenge_prover, indices.clone(), &params, &h,),
proof.verify(&challenge, indices.clone(), &params, &h,),
Err(MessagesPoKError::RevealedIndicesMustBeUniqueAndSorted {
previous: indices.next().unwrap(),
current: indices.next().unwrap()
Expand Down Expand Up @@ -426,17 +416,14 @@ mod tests {
)
.unwrap();

let mut chal_bytes_prover = vec![];
pok.challenge_contribution(&mut chal_bytes_prover, &params, &h)
let mut chal_bytes = vec![];
pok.challenge_contribution(&mut chal_bytes, &params, &h)
.unwrap();
let challenge_prover =
compute_random_oracle_challenge::<Fr, Blake2b512>(&chal_bytes_prover);
let challenge = compute_random_oracle_challenge::<Fr, Blake2b512>(&chal_bytes);

let proof = pok.clone().gen_proof(&challenge_prover).unwrap();
let proof = pok.clone().gen_proof(&challenge).unwrap();

proof
.verify(&challenge_prover, empty(), &params, &h)
.unwrap();
proof.verify(&challenge, empty(), &params, &h).unwrap();
}
}

Expand All @@ -460,22 +447,17 @@ mod tests {
)
.unwrap();

let mut chal_bytes_prover = vec![];
pok.challenge_contribution(&mut chal_bytes_prover, &params, &h)
let mut chal_bytes = vec![];
pok.challenge_contribution(&mut chal_bytes, &params, &h)
.unwrap();
let challenge_prover =
compute_random_oracle_challenge::<Fr, Blake2b512>(&chal_bytes_prover);
let challenge = compute_random_oracle_challenge::<Fr, Blake2b512>(&chal_bytes);

let mut proof = pok.clone().gen_proof(&challenge_prover).unwrap();
assert!(proof
.verify(&challenge_prover, empty(), &params, &h)
.is_ok());
let mut proof = pok.clone().gen_proof(&challenge).unwrap();
assert!(proof.verify(&challenge, empty(), &params, &h).is_ok());

proof.com_resp.response.0[0] = rand(&mut rng);

assert!(proof
.verify(&challenge_prover, empty(), &params, &h)
.is_err());
assert!(proof.verify(&challenge, empty(), &params, &h).is_err());
}

#[test]
Expand All @@ -498,22 +480,17 @@ mod tests {
)
.unwrap();

let mut chal_bytes_prover = vec![];
pok.challenge_contribution(&mut chal_bytes_prover, &params, &h)
let mut chal_bytes = vec![];
pok.challenge_contribution(&mut chal_bytes, &params, &h)
.unwrap();
let challenge_prover =
compute_random_oracle_challenge::<Fr, Blake2b512>(&chal_bytes_prover);
let challenge = compute_random_oracle_challenge::<Fr, Blake2b512>(&chal_bytes);

let mut proof = pok.clone().gen_proof(&challenge_prover).unwrap();
assert!(proof
.verify(&challenge_prover, empty(), &params, &h)
.is_ok());
let mut proof = pok.clone().gen_proof(&challenge).unwrap();
assert!(proof.verify(&challenge, empty(), &params, &h).is_ok());

*proof.com_resp.value = G1::rand(&mut rng).into_affine();

assert!(proof
.verify(&challenge_prover, empty(), &params, &h)
.is_err());
assert!(proof.verify(&challenge, empty(), &params, &h).is_err());
}

#[test]
Expand All @@ -536,36 +513,44 @@ mod tests {
)
.unwrap();

let mut chal_bytes_prover = vec![];
pok.challenge_contribution(&mut chal_bytes_prover, &params, &h)
let mut chal_bytes = vec![];
pok.challenge_contribution(&mut chal_bytes, &params, &h)
.unwrap();
let challenge_prover =
compute_random_oracle_challenge::<Fr, Blake2b512>(&chal_bytes_prover);
let challenge = compute_random_oracle_challenge::<Fr, Blake2b512>(&chal_bytes);

let mut proof = pok.clone().gen_proof(&challenge_prover).unwrap();
let mut proof = pok.clone().gen_proof(&challenge).unwrap();

assert!(proof
.verify(&challenge_prover, empty(), &params, &h)
.is_ok());
assert!(proof.verify(&challenge, empty(), &params, &h).is_ok());

*proof.com_j_resp.first_mut().unwrap().value = G1::rand(&mut rng).into_affine();

assert!(proof
.verify(&challenge_prover, empty(), &params, &h)
.is_err());
assert!(proof.verify(&challenge, empty(), &params, &h).is_err());
}

#[test]
fn empty_proof() {
let mut rng = StdRng::seed_from_u64(0u64);
let (_sk, _pk, params, _messages) = test_setup::<Bls12_381, Blake2b512, _>(&mut rng, 1);
let (_, _, params, messages) = test_setup::<Bls12_381, Blake2b512, _>(&mut rng, 1);
let h = G1::rand(&mut rng).into_affine();

assert_eq!(
MessagesPoKGenerator::init(&mut rng, &[], &params, &h),
Err(MessagesPoKError::MessageInputError(
MessageUnpackingError::NoMessagesProvided
))
);
let pok = MessagesPoKGenerator::init(
&mut rng,
messages.iter().map(|_| CommitMessage::RevealMessage),
&params,
&h,
)
.unwrap();

let mut chal_bytes = vec![];
pok.challenge_contribution(&mut chal_bytes, &params, &h)
.unwrap();
let challenge = compute_random_oracle_challenge::<Fr, Blake2b512>(&chal_bytes);

let proof = pok.clone().gen_proof(&challenge).unwrap();
let indices = (0..messages.len()).rev();

assert!(proof
.verify(&challenge, indices.clone(), &params, &h)
.is_ok());
}
}
4 changes: 1 addition & 3 deletions coconut/src/proof/mod.rs
View file
Original file line number Diff line number Diff line change
Expand Up @@ -177,9 +177,7 @@ impl<'pair, Pair, F: PrimeField> UnpackedBlindedMessages<'pair, Pair, F> {

let (paired, (msgs, blindings)): (Vec<_>, _) =
process_results(paired, |iter| iter.unzip())?;
if paired.is_empty() {
Err(MessageUnpackingError::NoMessagesProvided)
} else if pair_with.len() != total_count {
if pair_with.len() != total_count {
Err(MessageUnpackingError::LessMessagesThanExpected {
provided: total_count,
expected: pair_with.len(),
Expand Down
93 changes: 46 additions & 47 deletions coconut/src/proof/signature_pok/mod.rs
View file
Original file line number Diff line number Diff line change
Expand Up @@ -173,17 +173,14 @@ mod tests {

let pok = SignaturePoKGenerator::init(&mut rng, &messages, &sig, &pk, &params).unwrap();

let mut chal_bytes_prover = vec![];
pok.challenge_contribution(&mut chal_bytes_prover, &pk, &params)
let mut chal_bytes = vec![];
pok.challenge_contribution(&mut chal_bytes, &pk, &params)
.unwrap();
let challenge_prover =
compute_random_oracle_challenge::<Fr, Blake2b512>(&chal_bytes_prover);
let challenge = compute_random_oracle_challenge::<Fr, Blake2b512>(&chal_bytes);

let proof = pok.clone().gen_proof(&challenge_prover).unwrap();
let proof = pok.clone().gen_proof(&challenge).unwrap();

proof
.verify(&challenge_prover, empty(), &pk, &params)
.unwrap();
proof.verify(&challenge, empty(), &pk, &params).unwrap();
})
}

Expand Down Expand Up @@ -212,17 +209,14 @@ mod tests {
)
.unwrap();

let mut chal_bytes_prover = vec![];
pok.challenge_contribution(&mut chal_bytes_prover, &pk, &params)
let mut chal_bytes = vec![];
pok.challenge_contribution(&mut chal_bytes, &pk, &params)
.unwrap();
let challenge_prover =
compute_random_oracle_challenge::<Fr, Blake2b512>(&chal_bytes_prover);
let challenge = compute_random_oracle_challenge::<Fr, Blake2b512>(&chal_bytes);

let proof = pok.clone().gen_proof(&challenge_prover).unwrap();
let proof = pok.clone().gen_proof(&challenge).unwrap();

proof
.verify(&challenge_prover, reveal_msgs, &pk, &params)
.unwrap();
proof.verify(&challenge, reveal_msgs, &pk, &params).unwrap();
})
}

Expand Down Expand Up @@ -321,17 +315,16 @@ mod tests {
)
.unwrap();

let mut chal_bytes_prover = vec![];
pok.challenge_contribution(&mut chal_bytes_prover, &pk, &params)
let mut chal_bytes = vec![];
pok.challenge_contribution(&mut chal_bytes, &pk, &params)
.unwrap();
let challenge_prover =
compute_random_oracle_challenge::<Fr, Blake2b512>(&chal_bytes_prover);
let challenge = compute_random_oracle_challenge::<Fr, Blake2b512>(&chal_bytes);

let proof = pok.clone().gen_proof(&challenge_prover).unwrap();
let proof = pok.clone().gen_proof(&challenge).unwrap();
let mut revealed = reveal_msgs.into_iter().rev();

assert_eq!(
proof.verify(&challenge_prover, revealed.clone(), &pk, &params,),
proof.verify(&challenge, revealed.clone(), &pk, &params,),
Err(SignaturePoKError::RevealedIndicesMustBeUniqueAndSorted {
previous: revealed.next().unwrap().0,
current: revealed.next().unwrap().0
Expand All @@ -347,12 +340,26 @@ mod tests {

let sig = Signature::new(&mut rng, messages.as_slice(), &sk, &params).unwrap();

assert_eq!(
SignaturePoKGenerator::init(&mut rng, &[], &sig, &pk, &params),
Err(SignaturePoKError::MessageInputError(
MessageUnpackingError::NoMessagesProvided
))
);
let pok = SignaturePoKGenerator::init(
&mut rng,
messages.iter().map(|_| CommitMessage::RevealMessage),
&sig,
&pk,
&params,
)
.unwrap();

let mut chal_bytes = vec![];
pok.challenge_contribution(&mut chal_bytes, &pk, &params)
.unwrap();
let challenge = compute_random_oracle_challenge::<Fr, Blake2b512>(&chal_bytes);

let proof = pok.clone().gen_proof(&challenge).unwrap();
let revealed = messages.iter().enumerate().into_iter().rev();

assert!(proof
.verify(&challenge, revealed.clone(), &pk, &params)
.is_ok());
}

#[test]
Expand All @@ -368,24 +375,17 @@ mod tests {

let pok = SignaturePoKGenerator::init(&mut rng, &messages, &sig, &pk, &params).unwrap();

let mut chal_bytes_prover = vec![];
pok.challenge_contribution(&mut chal_bytes_prover, &pk, &params)
let mut chal_bytes = vec![];
pok.challenge_contribution(&mut chal_bytes, &pk, &params)
.unwrap();
let challenge_prover =
compute_random_oracle_challenge::<Fr, Blake2b512>(&chal_bytes_prover);
let challenge = compute_random_oracle_challenge::<Fr, Blake2b512>(&chal_bytes);

let mut proof = pok.clone().gen_proof(&challenge_prover).unwrap();
let mut proof = pok.clone().gen_proof(&challenge).unwrap();

assert!(proof
.verify(&challenge_prover, empty(), &pk, &params)
.is_ok());
assert!(proof
.verify(&challenge_prover, empty(), &pk1, &params)
.is_err());
assert!(proof.verify(&challenge, empty(), &pk, &params).is_ok());
assert!(proof.verify(&challenge, empty(), &pk1, &params).is_err());
*proof.k.value = G2Projective::rand(&mut rng).into_affine();
assert!(proof
.verify(&challenge_prover, empty(), &pk, &params)
.is_err())
assert!(proof.verify(&challenge, empty(), &pk, &params).is_err())
})
}

Expand Down Expand Up @@ -413,13 +413,12 @@ mod tests {

let pok = SignaturePoKGenerator::init(&mut rng, comms, &sig, &pk, &params).unwrap();

let mut chal_bytes_prover = vec![];
pok.challenge_contribution(&mut chal_bytes_prover, &pk, &params)
let mut chal_bytes = vec![];
pok.challenge_contribution(&mut chal_bytes, &pk, &params)
.unwrap();
let challenge_prover =
compute_random_oracle_challenge::<Fr, Blake2b512>(&chal_bytes_prover);
let challenge = compute_random_oracle_challenge::<Fr, Blake2b512>(&chal_bytes);

let proof = pok.clone().gen_proof(&challenge_prover).unwrap();
let proof = pok.clone().gen_proof(&challenge).unwrap();

for idx in committed_msg_indices {
assert_eq!(
Expand Down

0 comments on commit 25b7339

Please sign in to comment.