Merge pull request #2 from brave-experiments/non-zero

Implement the non-zero proof

macros/src/bench_tcurve.rs

@@ -141,6 +141,52 @@ macro_rules! bench_tcurve_mul_verifier_time {
     };
 }
 
+#[macro_export]
+macro_rules! bench_tcurve_non_zero_prover_time {
+    ($config: ty, $bench_name: ident, $curve_name: tt, $OtherProjectiveType: ty) => {
+        pub fn $bench_name(c: &mut Criterion) {
+            type SF = <$config as CurveConfig>::ScalarField;
+            type PC = PedersenComm<$config>;
+
+            let label = b"PedersenNonZero";
+            let x = SF::rand(&mut OsRng);
+
+            let c1: PC = PC::new(x, &mut OsRng);
+
+            c.bench_function(concat!($curve_name, " non-zero proof prover time"), |bf| {
+                bf.iter(|| {
+                    let mut transcript = Transcript::new(label);
+                    NZP::create(&mut transcript, &mut OsRng, &x, &c1);
+                });
+            });
+        }
+    };
+}
+
+#[macro_export]
+macro_rules! bench_tcurve_non_zero_verifier_time {
+    ($config: ty, $bench_name: ident, $curve_name: tt, $OtherProjectiveType: ty) => {
+        pub fn $bench_name(c: &mut Criterion) {
+            type SF = <$config as CurveConfig>::ScalarField;
+            type PC = PedersenComm<$config>;
+
+            let label = b"PedersenNonZero";
+            let x = SF::rand(&mut OsRng);
+
+            let c1: PC = PC::new(x, &mut OsRng);
+            let mut transcript = Transcript::new(label);
+            let proof = NZP::create(&mut transcript, &mut OsRng, &x, &c1);
+
+            c.bench_function(concat!($curve_name, " non-zero proof verifier time"), |b| {
+                b.iter(|| {
+                    let mut transcript_v = Transcript::new(label);
+                    proof.verify(&mut transcript_v, &c1.comm);
+                });
+            });
+        }
+    };
+}
+
 #[macro_export]
 macro_rules! bench_tcurve_point_add_prover_time {
     ($config: ty, $bench_name: ident, $curve_name: tt, $OtherProjectiveType: ty) => {
@@ -1208,6 +1254,7 @@ macro_rules! bench_tcurve_import_everything {
             fs_scalar_mul_protocol::FSECScalarMulProof as FSECSMP,
             gk_zero_one_protocol::ZeroOneProof as ZOP,
             mul_protocol::MulProof as MP,
+            non_zero_protocol::NonZeroProof as NZP,
             opening_protocol::OpeningProof as OP,
             pedersen_config::PedersenComm,
             pedersen_config::PedersenConfig,
@@ -1272,6 +1319,18 @@ macro_rules! bench_tcurve_make_all {
             $curve_name,
             $OtherProjectiveType
         );
+        $crate::bench_tcurve_non_zero_prover_time!(
+            $config,
+            non_zero_proof_creation,
+            $curve_name,
+            $OtherProjectiveType
+        );
+        $crate::bench_tcurve_non_zero_verifier_time!(
+            $config,
+            non_zero_proof_verification,
+            $curve_name,
+            $OtherProjectiveType
+        );
 
         $crate::bench_tcurve_point_add_prover_time!(
             $config,
@@ -1411,6 +1470,8 @@ macro_rules! bench_tcurve_make_all {
             equality_proof_verification,
             mul_proof_creation,
             mul_proof_verification,
+            non_zero_proof_creation,
+            non_zero_proof_verification,
             point_add_creation,
             zk_attest_point_add_creation,
             point_add_verification,

macros/src/test_pedersen.rs

@@ -503,6 +503,161 @@ macro_rules! __test_pedersen {
             assert!(!proof.verify_proof(&c1.comm, &c2.comm, &c3.comm, &cf[..]));
         }
 
+        #[test]
+        fn test_pedersen_non_zero() {
+            // Test that the non-zero proof goes through.
+            let label = b"PedersenNonZero";
+
+            let x = SF::rand(&mut OsRng);
+
+            let c1: PC = PC::new(x, &mut OsRng);
+
+            let mut transcript = Transcript::new(label);
+            let proof = NZP::create(&mut transcript, &mut OsRng, &x, &c1);
+            assert!(proof.t1.is_on_curve());
+            assert!(proof.t2.is_on_curve());
+            assert!(proof.t3.is_on_curve());
+
+            // Now check that the proof verifies.
+            let mut transcript_v = Transcript::new(label);
+            assert!(proof.verify(&mut transcript_v, &c1.comm));
+
+            // And now check it would fail on a different c1 value.
+
+            let mut d = SF::rand(&mut OsRng);
+
+            loop {
+                if d != x {
+                    break;
+                }
+                d = SF::rand(&mut OsRng);
+            }
+
+            let c2: PC = PC::new(d, &mut OsRng);
+            let mut transcript_f = Transcript::new(label);
+            assert!(!proof.verify(&mut transcript_f, &c2.comm));
+        }
+
+        #[test]
+        fn test_pedersen_non_zero_fail() {
+            // Test that the non-zero proof does not go through.
+            let label = b"PedersenNonZero";
+
+            let x = SF::ZERO;
+
+            let c1: PC = PC::new(x, &mut OsRng);
+
+            let mut transcript = Transcript::new(label);
+            let proof = NZP::create(&mut transcript, &mut OsRng, &x, &c1);
+            assert!(proof.t1.is_on_curve());
+            assert!(proof.t2.is_on_curve());
+            assert!(proof.t3.is_on_curve());
+
+            // Now check that the proof fails on verification.
+            let mut transcript_v = Transcript::new(label);
+            assert!(!proof.verify(&mut transcript_v, &c1.comm));
+            assert!(proof.t1 == sw::Affine::identity());
+        }
+
+        #[test]
+        fn test_pedersen_non_zero_other_challenge() {
+            // Check that the non-zero proof fails if the wrong challenge is used.
+            // Test that the non-zero proof goes through.
+            let label = b"PedersenNonZero";
+
+            let x = SF::rand(&mut OsRng);
+
+            let c1: PC = PC::new(x, &mut OsRng);
+
+            let mut transcript = Transcript::new(label);
+
+            let proof_i = NZP::create_intermediates(&mut transcript, &mut OsRng, &x, &c1);
+
+            // Now we pre-specify the challenge to be the CM1 point.
+            let c = make_challenge(&<$config as PedersenConfig>::CM1);
+
+            let proof = NZP::create_proof(&x, &proof_i, &c1, &c[..]);
+            assert!(proof.t1.is_on_curve());
+            assert!(proof.t2.is_on_curve());
+            assert!(proof.t3.is_on_curve());
+
+            // Now check that the proof verifies on the same challenge.
+            assert!(proof.verify_proof(&c1.comm, &c[..]));
+
+            // And that it fails on the other one.
+            let cf = make_challenge(&<$config as PedersenConfig>::CP1);
+            assert!(!proof.verify_proof(&c1.comm, &cf[..]));
+        }
+
+        #[test]
+        fn test_pedersen_non_zero_nist() {
+            // Test that the non-zero proof goes through.
+            let label = b"PedersenNonZero";
+
+            let x_t = OSF::rand(&mut OsRng);
+
+            let x = <$config as PedersenConfig>::from_oc(x_t);
+
+            let c1: PC = PC::new(x, &mut OsRng);
+
+            let mut transcript = Transcript::new(label);
+            let proof = NZP::create(&mut transcript, &mut OsRng, &x, &c1);
+            assert!(proof.t1.is_on_curve());
+            assert!(proof.t2.is_on_curve());
+            assert!(proof.t3.is_on_curve());
+
+            // Now check that the proof verifies.
+            let mut transcript_v = Transcript::new(label);
+            assert!(proof.verify(&mut transcript_v, &c1.comm));
+
+            // And now check it would fail on a different c1 value.
+
+            let mut d = SF::rand(&mut OsRng);
+
+            loop {
+                if d != x {
+                    break;
+                }
+                d = SF::rand(&mut OsRng);
+            }
+
+            let c2: PC = PC::new(d, &mut OsRng);
+            let mut transcript_f = Transcript::new(label);
+            assert!(!proof.verify(&mut transcript_f, &c2.comm));
+        }
+
+        #[test]
+        fn test_pedersen_non_zero_nist_other_challenge() {
+            // Check that the non-zero proof fails if the wrong challenge is used.
+            // Test that the non-zero proof goes through.
+            let label = b"PedersenMul";
+
+            let x_t = OSF::rand(&mut OsRng);
+
+            let x = <$config as PedersenConfig>::from_oc(x_t);
+
+            let c1: PC = PC::new(x, &mut OsRng);
+
+            let mut transcript = Transcript::new(label);
+
+            let proof_i = NZP::create_intermediates(&mut transcript, &mut OsRng, &x, &c1);
+
+            // Now we pre-specify the challenge to be the CM1 point.
+            let c = make_challenge(&<$config as PedersenConfig>::CM1);
+
+            let proof = NZP::create_proof(&x, &proof_i, &c1, &c[..]);
+            assert!(proof.t1.is_on_curve());
+            assert!(proof.t2.is_on_curve());
+            assert!(proof.t3.is_on_curve());
+
+            // Now check that the proof verifies on the same challenge.
+            assert!(proof.verify_proof(&c1.comm, &c[..]));
+
+            // And that it fails on the other one.
+            let cf = make_challenge(&<$config as PedersenConfig>::CP1);
+            assert!(!proof.verify_proof(&c1.comm, &cf[..]));
+        }
+
         #[test]
         fn test_pedersen_point_add() {
             // Test that the point addition proof goes through.
@@ -1225,6 +1380,7 @@ macro_rules! test_pedersen {
                 gk_zero_one_protocol::{ZeroOneProof as ZOP, ZeroOneProofIntermediate as ZOPI},
                 interpolate::PolynomialInterpolation,
                 mul_protocol::MulProof as MP,
+                non_zero_protocol::NonZeroProof as NZP,
                 opening_protocol::OpeningProof as OP,
                 pedersen_config::PedersenComm,
                 pedersen_config::PedersenConfig,

pedersen/src/lib.rs

@@ -8,6 +8,7 @@ pub mod fs_scalar_mul_protocol;
 pub mod gk_zero_one_protocol;
 pub mod interpolate;
 pub mod mul_protocol;
+pub mod non_zero_protocol;
 pub mod opening_protocol;
 pub mod pedersen_config;
 pub mod point_add;