From 25b7339805c3185185bea469b8252d96a00f144d Mon Sep 17 00:00:00 2001 From: 0xvon <38716910+0xvon@users.noreply.github.com> Date: Mon, 6 Nov 2023 21:13:04 +0900 Subject: [PATCH] Coconut Proof allows empty blinding messages (#21) * allow empty messages on coconut UnpackedBlindedMessages * use j instead of i * chal_bytes is used for both prover and verifier * pass empty blinded_messages * commit 05f02df * fmt --- benches/benches/ps_proof.rs | 4 +- coconut/src/proof/messages_pok/mod.rs | 131 +++++++++++-------------- coconut/src/proof/mod.rs | 4 +- coconut/src/proof/signature_pok/mod.rs | 93 +++++++++--------- 4 files changed, 107 insertions(+), 125 deletions(-) diff --git a/benches/benches/ps_proof.rs b/benches/benches/ps_proof.rs index 655c01e7..ec467b71 100644 --- a/benches/benches/ps_proof.rs +++ b/benches/benches/ps_proof.rs @@ -76,7 +76,7 @@ fn pok_sig_benchmark(c: &mut Criterion) { let sig = &sigs_range[i]; let mut prove_group = c.benchmark_group(format!("Creating proof for Proof-of-knowledge of signature and corresponding multi-message of size {}", count)); - for (_j, r_count) in k.iter().enumerate() { + for (j, r_count) in k.iter().enumerate() { prove_group.bench_with_input( BenchmarkId::from_parameter(format!("Revealing {} messages", r_count)), &r_count, @@ -89,7 +89,7 @@ fn pok_sig_benchmark(c: &mut Criterion) { .iter() .enumerate() .merge_join_by( - revealed_indices[i].iter(), + revealed_indices[j].iter(), |(m_idx, _), reveal_idx| m_idx.cmp(reveal_idx), ) .map(|either| match either { diff --git a/coconut/src/proof/messages_pok/mod.rs b/coconut/src/proof/messages_pok/mod.rs index 61a86f68..ca5a2298 100644 --- a/coconut/src/proof/messages_pok/mod.rs +++ b/coconut/src/proof/messages_pok/mod.rs 
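Review bot: Indexing `revealed_indices[j]` by the position from `k.iter().enumerate()` keeps the two collections coupled only by convention, which is how the `[i]` mix-up fixed here got in, and it panics if `revealed_indices` is ever shorter than `k`. Assuming `revealed_indices` holds one entry per element of `k` (its construction is outside the hunk), iterating them together with `for (r_count, reveal) in k.iter().zip(revealed_indices.iter())` and passing `reveal.iter()` to `merge_join_by` removes the index altogether. The loop body continues outside both hunks of this file.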
@@ -230,17 +230,14 @@ mod tests { let pok = MessagesPoKGenerator::init(&mut rng, &messages, ¶ms, &h).unwrap(); - let mut chal_bytes_prover = vec![]; - pok.challenge_contribution(&mut chal_bytes_prover, ¶ms, &h) + let mut chal_bytes = vec![]; + pok.challenge_contribution(&mut chal_bytes, ¶ms, &h) .unwrap(); - let challenge_prover = - compute_random_oracle_challenge::(&chal_bytes_prover); + let challenge = compute_random_oracle_challenge::(&chal_bytes); - let proof = pok.clone().gen_proof(&challenge_prover).unwrap(); + let proof = pok.clone().gen_proof(&challenge).unwrap(); - proof - .verify(&challenge_prover, empty(), ¶ms, &h) - .unwrap(); + proof.verify(&challenge, empty(), ¶ms, &h).unwrap(); } } @@ -269,21 +266,15 @@ mod tests { assert_eq!(messages.len() / 2, pok.com_j.len()); - let mut chal_bytes_prover = vec![]; - pok.challenge_contribution(&mut chal_bytes_prover, ¶ms, &h) + let mut chal_bytes = vec![]; + pok.challenge_contribution(&mut chal_bytes, ¶ms, &h) .unwrap(); - let challenge_prover = - compute_random_oracle_challenge::(&chal_bytes_prover); + let challenge = compute_random_oracle_challenge::(&chal_bytes); - let proof = pok.clone().gen_proof(&challenge_prover).unwrap(); + let proof = pok.clone().gen_proof(&challenge).unwrap(); proof - .verify( - &challenge_prover, - (0..messages.len()).step_by(2), - ¶ms, - &h, - ) + .verify(&challenge, (0..messages.len()).step_by(2), ¶ms, &h) .unwrap(); } } 
@@ -385,17 +376,16 @@ mod tests { assert_eq!(messages.len() / 2, pok.com_j.len()); - let mut chal_bytes_prover = vec![]; - pok.challenge_contribution(&mut chal_bytes_prover, ¶ms, &h) + let mut chal_bytes = vec![]; + pok.challenge_contribution(&mut chal_bytes, ¶ms, &h) .unwrap(); - let challenge_prover = - compute_random_oracle_challenge::(&chal_bytes_prover); + let challenge = compute_random_oracle_challenge::(&chal_bytes); - let proof = pok.clone().gen_proof(&challenge_prover).unwrap(); + let proof = pok.clone().gen_proof(&challenge).unwrap(); let mut indices = (0..messages.len()).step_by(2).rev(); assert_eq!( - proof.verify(&challenge_prover, indices.clone(), ¶ms, &h,), + proof.verify(&challenge, indices.clone(), ¶ms, &h,), Err(MessagesPoKError::RevealedIndicesMustBeUniqueAndSorted { previous: indices.next().unwrap(), current: indices.next().unwrap() @@ -426,17 +416,14 @@ mod tests { ) .unwrap(); - let mut chal_bytes_prover = vec![]; - pok.challenge_contribution(&mut chal_bytes_prover, ¶ms, &h) + let mut chal_bytes = vec![]; + pok.challenge_contribution(&mut chal_bytes, ¶ms, &h) .unwrap(); - let challenge_prover = - compute_random_oracle_challenge::(&chal_bytes_prover); + let challenge = compute_random_oracle_challenge::(&chal_bytes); - let proof = pok.clone().gen_proof(&challenge_prover).unwrap(); + let proof = pok.clone().gen_proof(&challenge).unwrap(); - proof - .verify(&challenge_prover, empty(), ¶ms, &h) - .unwrap(); + proof.verify(&challenge, empty(), ¶ms, &h).unwrap(); } } 
@@ -460,22 +447,17 @@ mod tests { ) .unwrap(); - let mut chal_bytes_prover = vec![]; - pok.challenge_contribution(&mut chal_bytes_prover, ¶ms, &h) + let mut chal_bytes = vec![]; + pok.challenge_contribution(&mut chal_bytes, ¶ms, &h) .unwrap(); - let challenge_prover = - compute_random_oracle_challenge::(&chal_bytes_prover); + let challenge = compute_random_oracle_challenge::(&chal_bytes); - let mut proof = pok.clone().gen_proof(&challenge_prover).unwrap(); - assert!(proof - .verify(&challenge_prover, empty(), ¶ms, &h) - .is_ok()); + let mut proof = pok.clone().gen_proof(&challenge).unwrap(); + assert!(proof.verify(&challenge, empty(), ¶ms, &h).is_ok()); proof.com_resp.response.0[0] = rand(&mut rng); - assert!(proof - .verify(&challenge_prover, empty(), ¶ms, &h) - .is_err()); + assert!(proof.verify(&challenge, empty(), ¶ms, &h).is_err()); } #[test] @@ -498,22 +480,17 @@ mod tests { ) .unwrap(); - let mut chal_bytes_prover = vec![]; - pok.challenge_contribution(&mut chal_bytes_prover, ¶ms, &h) + let mut chal_bytes = vec![]; + pok.challenge_contribution(&mut chal_bytes, ¶ms, &h) .unwrap(); - let challenge_prover = - compute_random_oracle_challenge::(&chal_bytes_prover); + let challenge = compute_random_oracle_challenge::(&chal_bytes); - let mut proof = pok.clone().gen_proof(&challenge_prover).unwrap(); - assert!(proof - .verify(&challenge_prover, empty(), ¶ms, &h) - .is_ok()); + let mut proof = pok.clone().gen_proof(&challenge).unwrap(); + assert!(proof.verify(&challenge, empty(), ¶ms, &h).is_ok()); *proof.com_resp.value = G1::rand(&mut rng).into_affine(); - assert!(proof - .verify(&challenge_prover, empty(), ¶ms, &h) - .is_err()); + assert!(proof.verify(&challenge, empty(), ¶ms, &h).is_err()); } #[test] 
@@ -536,36 +513,44 @@ mod tests { ) .unwrap(); - let mut chal_bytes_prover = vec![]; - pok.challenge_contribution(&mut chal_bytes_prover, ¶ms, &h) + let mut chal_bytes = vec![]; + pok.challenge_contribution(&mut chal_bytes, ¶ms, &h) .unwrap(); - let challenge_prover = - compute_random_oracle_challenge::(&chal_bytes_prover); + let challenge = compute_random_oracle_challenge::(&chal_bytes); - let mut proof = pok.clone().gen_proof(&challenge_prover).unwrap(); + let mut proof = pok.clone().gen_proof(&challenge).unwrap(); - assert!(proof - .verify(&challenge_prover, empty(), ¶ms, &h) - .is_ok()); + assert!(proof.verify(&challenge, empty(), ¶ms, &h).is_ok()); *proof.com_j_resp.first_mut().unwrap().value = G1::rand(&mut rng).into_affine(); - assert!(proof - .verify(&challenge_prover, empty(), ¶ms, &h) - .is_err()); + assert!(proof.verify(&challenge, empty(), ¶ms, &h).is_err()); } #[test] fn empty_proof() { let mut rng = StdRng::seed_from_u64(0u64); - let (_sk, _pk, params, _messages) = test_setup::(&mut rng, 1); + let (_, _, params, messages) = test_setup::(&mut rng, 1); let h = G1::rand(&mut rng).into_affine(); - assert_eq!( - MessagesPoKGenerator::init(&mut rng, &[], ¶ms, &h), - Err(MessagesPoKError::MessageInputError( - MessageUnpackingError::NoMessagesProvided - )) - ); + let pok = MessagesPoKGenerator::init( + &mut rng, + messages.iter().map(|_| CommitMessage::RevealMessage), + ¶ms, + &h, + ) + .unwrap(); + + let mut chal_bytes = vec![]; + pok.challenge_contribution(&mut chal_bytes, ¶ms, &h) + .unwrap(); + let challenge = compute_random_oracle_challenge::(&chal_bytes); + + let proof = pok.clone().gen_proof(&challenge).unwrap(); + let indices = (0..messages.len()).rev(); + + assert!(proof + .verify(&challenge, indices.clone(), ¶ms, &h) + .is_ok()); } } diff --git a/coconut/src/proof/mod.rs b/coconut/src/proof/mod.rs index 913f6ecb..5259903e 100644 --- a/coconut/src/proof/mod.rs +++ b/coconut/src/proof/mod.rs 
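Review bot: The rewritten `empty_proof` test no longer exercises an empty input and has no rejecting case: it builds one message via `test_setup(&mut rng, 1)`, marks it `CommitMessage::RevealMessage`, and only asserts `.is_ok()`. With a single message `(0..messages.len()).rev()` is a no-op, while an earlier test in this file expects reversed indices to return `RevealedIndicesMustBeUniqueAndSorted`, so the `.rev()` wrongly suggests that order is irrelevant; use `let indices = 0..messages.len();` and consider renaming the test to something like `all_messages_revealed`. Since this is the only coverage of the zero-blinded path, add a negative assertion in the style of the neighbouring tests, for example overwrite `proof.com_resp.value` with `G1::rand(&mut rng).into_affine()` and assert that `verify` then returns an error. The same `.rev()` and positive-only pattern appears in the `empty_proof` hunk of `coconut/src/proof/signature_pok/mod.rs`.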
@@ -177,9 +177,7 @@ impl<'pair, Pair, F: PrimeField> UnpackedBlindedMessages<'pair, Pair, F> { let (paired, (msgs, blindings)): (Vec<_>, _) = process_results(paired, |iter| iter.unzip())?; - if paired.is_empty() { - Err(MessageUnpackingError::NoMessagesProvided) - } else if pair_with.len() != total_count { + if pair_with.len() != total_count { Err(MessageUnpackingError::LessMessagesThanExpected { provided: total_count, expected: pair_with.len(), diff --git a/coconut/src/proof/signature_pok/mod.rs b/coconut/src/proof/signature_pok/mod.rs index fad81cfa..a6d064ce 100644 --- a/coconut/src/proof/signature_pok/mod.rs +++ b/coconut/src/proof/signature_pok/mod.rs @@ -173,17 +173,14 @@ mod tests { let pok = SignaturePoKGenerator::init(&mut rng, &messages, &sig, &pk, ¶ms).unwrap(); - let mut chal_bytes_prover = vec![]; - pok.challenge_contribution(&mut chal_bytes_prover, &pk, ¶ms) + let mut chal_bytes = vec![]; + pok.challenge_contribution(&mut chal_bytes, &pk, ¶ms) .unwrap(); - let challenge_prover = - compute_random_oracle_challenge::(&chal_bytes_prover); + let challenge = compute_random_oracle_challenge::(&chal_bytes); - let proof = pok.clone().gen_proof(&challenge_prover).unwrap(); + let proof = pok.clone().gen_proof(&challenge).unwrap(); - proof - .verify(&challenge_prover, empty(), &pk, ¶ms) - .unwrap(); + proof.verify(&challenge, empty(), &pk, ¶ms).unwrap(); }) } 
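Review bot: With the `paired.is_empty()` branch removed, the only remaining guard is `pair_with.len() != total_count`, so an input where both the message iterator and `pair_with` are empty now appears to unpack successfully into empty vectors; the tests in this commit only cover the all-revealed case with at least one message. If zero messages in total is not meant to be valid, keep a narrower check ahead of the length comparison, `if total_count == 0 { Err(MessageUnpackingError::NoMessagesProvided) } else if pair_with.len() != total_count {`; if it is meant to be valid, add a test that pins it and check whether `NoMessagesProvided` is still constructed anywhere. Either way the function deserves a doc line such as `/// An empty set of blinded messages is accepted (all messages revealed); callers must not assume the unpacked vectors are non-empty.`, because code downstream of this constructor could previously rely on at least one element. The enclosing function starts and ends outside the hunk, so those consumers are not visible here.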
@@ -212,17 +209,14 @@ mod tests { ) .unwrap(); - let mut chal_bytes_prover = vec![]; - pok.challenge_contribution(&mut chal_bytes_prover, &pk, ¶ms) + let mut chal_bytes = vec![]; + pok.challenge_contribution(&mut chal_bytes, &pk, ¶ms) .unwrap(); - let challenge_prover = - compute_random_oracle_challenge::(&chal_bytes_prover); + let challenge = compute_random_oracle_challenge::(&chal_bytes); - let proof = pok.clone().gen_proof(&challenge_prover).unwrap(); + let proof = pok.clone().gen_proof(&challenge).unwrap(); - proof - .verify(&challenge_prover, reveal_msgs, &pk, ¶ms) - .unwrap(); + proof.verify(&challenge, reveal_msgs, &pk, ¶ms).unwrap(); }) } @@ -321,17 +315,16 @@ mod tests { ) .unwrap(); - let mut chal_bytes_prover = vec![]; - pok.challenge_contribution(&mut chal_bytes_prover, &pk, ¶ms) + let mut chal_bytes = vec![]; + pok.challenge_contribution(&mut chal_bytes, &pk, ¶ms) .unwrap(); - let challenge_prover = - compute_random_oracle_challenge::(&chal_bytes_prover); + let challenge = compute_random_oracle_challenge::(&chal_bytes); - let proof = pok.clone().gen_proof(&challenge_prover).unwrap(); + let proof = pok.clone().gen_proof(&challenge).unwrap(); let mut revealed = reveal_msgs.into_iter().rev(); assert_eq!( - proof.verify(&challenge_prover, revealed.clone(), &pk, ¶ms,), + proof.verify(&challenge, revealed.clone(), &pk, ¶ms,), Err(SignaturePoKError::RevealedIndicesMustBeUniqueAndSorted { previous: revealed.next().unwrap().0, current: revealed.next().unwrap().0 
@@ -347,12 +340,26 @@ mod tests { let sig = Signature::new(&mut rng, messages.as_slice(), &sk, ¶ms).unwrap(); - assert_eq!( - SignaturePoKGenerator::init(&mut rng, &[], &sig, &pk, ¶ms), - Err(SignaturePoKError::MessageInputError( - MessageUnpackingError::NoMessagesProvided - )) - ); + let pok = SignaturePoKGenerator::init( + &mut rng, + messages.iter().map(|_| CommitMessage::RevealMessage), + &sig, + &pk, + ¶ms, + ) + .unwrap(); + + let mut chal_bytes = vec![]; + pok.challenge_contribution(&mut chal_bytes, &pk, ¶ms) + .unwrap(); + let challenge = compute_random_oracle_challenge::(&chal_bytes); + + let proof = pok.clone().gen_proof(&challenge).unwrap(); + let revealed = messages.iter().enumerate().into_iter().rev(); + + assert!(proof + .verify(&challenge, revealed.clone(), &pk, ¶ms) + .is_ok()); } #[test] @@ -368,24 +375,17 @@ mod tests { let pok = SignaturePoKGenerator::init(&mut rng, &messages, &sig, &pk, ¶ms).unwrap(); - let mut chal_bytes_prover = vec![]; - pok.challenge_contribution(&mut chal_bytes_prover, &pk, ¶ms) + let mut chal_bytes = vec![]; + pok.challenge_contribution(&mut chal_bytes, &pk, ¶ms) .unwrap(); - let challenge_prover = - compute_random_oracle_challenge::(&chal_bytes_prover); + let challenge = compute_random_oracle_challenge::(&chal_bytes); - let mut proof = pok.clone().gen_proof(&challenge_prover).unwrap(); + let mut proof = pok.clone().gen_proof(&challenge).unwrap(); - assert!(proof - .verify(&challenge_prover, empty(), &pk, ¶ms) - .is_ok()); - assert!(proof - .verify(&challenge_prover, empty(), &pk1, ¶ms) - .is_err()); + assert!(proof.verify(&challenge, empty(), &pk, ¶ms).is_ok()); + assert!(proof.verify(&challenge, empty(), &pk1, ¶ms).is_err()); *proof.k.value = G2Projective::rand(&mut rng).into_affine(); - assert!(proof - .verify(&challenge_prover, empty(), &pk, ¶ms) - .is_err()) + assert!(proof.verify(&challenge, empty(), &pk, ¶ms).is_err()) }) } 
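Review bot: Nothing in the new `empty_proof` body checks that a proof with zero blinded messages is still bound to the revealed values, since the only assertion is that `verify` succeeds with the original `messages`. Because `verify` here receives `(index, message)` pairs, add a second call that supplies a different scalar for one index and assert that it returns an error; that property is what keeps the all-revealed case from accepting arbitrary claimed messages under a valid signature. Separately, `messages.iter().enumerate().into_iter().rev()` has a redundant `.into_iter()`, and the `.rev()` can only pass if the setup above the hunk creates a single message, given that another test in this file expects `RevealedIndicesMustBeUniqueAndSorted` for reversed input; `let revealed = messages.iter().enumerate();` states the intent directly.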
@@ -413,13 +413,12 @@ mod tests { let pok = SignaturePoKGenerator::init(&mut rng, comms, &sig, &pk, ¶ms).unwrap(); - let mut chal_bytes_prover = vec![]; - pok.challenge_contribution(&mut chal_bytes_prover, &pk, ¶ms) + let mut chal_bytes = vec![]; + pok.challenge_contribution(&mut chal_bytes, &pk, ¶ms) .unwrap(); - let challenge_prover = - compute_random_oracle_challenge::(&chal_bytes_prover); + let challenge = compute_random_oracle_challenge::(&chal_bytes); - let proof = pok.clone().gen_proof(&challenge_prover).unwrap(); + let proof = pok.clone().gen_proof(&challenge).unwrap(); for idx in committed_msg_indices { assert_eq!(