1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304 305 306 307 308 309 310 311 312 313 314 315 316 317 318 319 320 321 322 323 324 325 326 327 328 329 330 331 332 333 334 335 336 337 338 339 340 341 342 343 344 345 346 347 348 349 350 351 352 353 354 355 356 357 358 359 360 361 362 363 364 365 366
// Client-side-validation foundation libraries.
//
// SPDX-License-Identifier: Apache-2.0
//
// Written in 2019-2023 by
// Dr. Maxim Orlovsky <orlovsky@lnp-bp.org>
//
// Copyright (C) 2019-2023 LNP/BP Standards Association. All rights reserved.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
//! Embedded commitments (commit-embed-verify scheme).
use crate::{CommitEncode, CommitmentProtocol};
/// Trait for equivalence verification. Implemented for all types implemeting
/// `Eq`. For non-`Eq` types this trait provides way to implement custom
/// equivalence verification used during commitment verification procedure.
pub trait VerifyEq {
/// Verifies commit-equivalence of two instances of the same type.
fn verify_eq(&self, other: &Self) -> bool;
}
impl<T> VerifyEq for T
where T: Eq
{
fn verify_eq(&self, other: &Self) -> bool { self == other }
}
/// Proofs produced by [`EmbedCommitVerify::embed_commit`] procedure.
pub trait EmbedCommitProof<Msg, Container, Protocol>
where
Self: Sized + VerifyEq,
Container: EmbedCommitVerify<Msg, Protocol>,
Msg: CommitEncode,
Protocol: CommitmentProtocol,
{
/// Restores original container before the commitment from the proof data
/// and a container containing embedded commitment.
fn restore_original_container(
&self,
commit_container: &Container,
) -> Result<Container, Container::VerifyError>;
}
/// Trait for *embed-commit-verify scheme*, where some data structure (named
/// *container*) may commit to existing *message* (producing *commitment* data
/// structure and a *proof*) in such way that the original message can't be
/// restored from the commitment, however the fact of the commitment may be
/// deterministically *verified* when the message and the proof are *revealed*.
///
/// To use *embed-commit-verify scheme* one needs to implement this trait for
/// a data structure acting as a container for a specific commitment under
/// certain protocol, specified as generic parameter. The container type must
/// specify as associated types proof and commitment types.
///
/// Operations with *embed-commit-verify scheme* may be represented in form of
/// `EmbedCommit: (Container, Message) -> (Container', Proof)` (see
/// [`Self::embed_commit`] and `Verify: (Container', Message, Proof) -> bool`
/// (see [`Self::verify`]).
///
/// This trait is heavily used in **deterministic bitcoin commitments**.
///
/// # Protocol definition
///
/// Generic parameter `Protocol` provides context & configuration for commitment
/// scheme protocol used for this container type.
///
/// Introduction of this generic allows to:
/// - implement trait for foreign data types;
/// - add multiple implementations under different commitment protocols to the
/// combination of the same message and container type (each of each will have
/// its own `Proof` type defined as an associated generic).
///
/// Usually represents an uninstantiable type, but may be a structure
/// containing commitment protocol configuration or context objects.
///
/// ```
/// # use commit_verify::CommitmentProtocol;
///
/// // Uninstantiable type
/// pub enum Lnpbp6 {}
///
/// impl CommitmentProtocol for Lnpbp6 {}
///
/// // Protocol definition
/// pub enum Lnpbp1 {}
/// // ...
/// ```
pub trait EmbedCommitVerify<Msg, Protocol>
where
Self: Sized,
Msg: CommitEncode,
Protocol: CommitmentProtocol,
{
/// The proof of the commitment produced as a result of
/// [`Self::embed_commit`] procedure. This proof is later used
/// for verification.
type Proof: EmbedCommitProof<Msg, Self, Protocol>;
/// Error type that may be reported during [`Self::embed_commit`] procedure.
/// It may also be returned from [`Self::verify`] in case the proof data are
/// invalid and the commitment can't be re-created.
type CommitError: std::error::Error;
/// Error type that may be reported during [`Self::verify`] procedure.
/// It must be a subset of [`Self::CommitError`].
type VerifyError: std::error::Error + From<Self::CommitError>;
/// Creates a commitment to a message and embeds it into the provided
/// container (`self`) by mutating it and returning commitment proof.
///
/// Implementations must error with a dedicated error type enumerating
/// commitment procedure mistakes.
fn embed_commit(&mut self, msg: &Msg) -> Result<Self::Proof, Self::CommitError>;
/// Verifies commitment with commitment proof against the message.
///
/// Default implementation reconstructs original container with the
/// [`EmbedCommitProof::restore_original_container`] method and repeats
/// [`Self::embed_commit`] procedure checking that the resulting proof and
/// commitment matches the provided `self` and `proof`.
///
/// Errors if the provided commitment can't be created, i.e. the
/// [`Self::embed_commit`] procedure for the original container, restored
/// from the proof and current container, can't be performed. This means
/// that the verification has failed and the commitment and proof are
/// invalid. The function returns error in this case (ano not simply
/// `false`) since this usually means the software error in managing
/// container and proof data, or selection of a different commitment
/// protocol parameters comparing to the ones used during commitment
/// creation. In all these cases we'd like to provide devs with more
/// information for debugging.
///
/// The proper way of using the function in a well-debugged software should
/// be `if commitment.verify(...).expect("proof managing system") { .. }`.
/// However if the proofs are provided by some sort of user/network input
/// from an untrusted party, a proper form would be
/// `if commitment.verify(...).unwrap_or(false) { .. }`.
#[inline]
fn verify(&self, msg: &Msg, proof: &Self::Proof) -> Result<bool, Self::VerifyError>
where
Self: VerifyEq,
Self::Proof: VerifyEq,
{
let mut container_prime = proof.restore_original_container(self)?;
let proof_prime = container_prime.embed_commit(msg)?;
Ok(proof_prime.verify_eq(proof) && self.verify_eq(&container_prime))
}
/// Phantom method used to add `Protocol` generic parameter to the trait.
///
/// # Panics
///
/// Always panics when called.
#[doc(hidden)]
fn _phantom(_: Protocol) {
unimplemented!("EmbedCommitVerify::_phantom is a marker method which must not be used")
}
}
/// Helpers for writing test functions working with embed-commit-verify scheme.
#[cfg(test)]
pub(crate) mod test_helpers {
use core::fmt::Debug;
use core::hash::Hash;
use std::collections::HashSet;
use super::*;
use crate::{ConvolveCommit, ConvolveCommitProof};
pub enum TestProtocol {}
impl CommitmentProtocol for TestProtocol {}
pub const SUPPLEMENT: [u8; 32] = [0xFFu8; 32];
/// Runs round-trip of commitment-embed-verify for a given set of messages
/// and provided container.
pub fn embed_commit_verify_suite<Msg, Container>(messages: Vec<Msg>, container: Container)
where
Msg: AsRef<[u8]> + CommitEncode + Eq + Clone,
Container: EmbedCommitVerify<Msg, TestProtocol> + Eq + Hash + Debug + Clone,
Container::Proof: Clone,
{
messages.iter().fold(
HashSet::<Container>::with_capacity(messages.len()),
|mut acc, msg| {
let mut commitment = container.clone();
let proof = commitment.embed_commit(msg).unwrap();
// Commitments MUST be deterministic: the same message must
// always produce the same commitment
(1..10).for_each(|_| {
let mut commitment_prime = container.clone();
commitment_prime.embed_commit(msg).unwrap();
assert_eq!(commitment_prime, commitment);
});
// Testing verification
assert!(commitment.clone().verify(msg, &proof).unwrap());
messages.iter().for_each(|m| {
// Testing that commitment verification succeeds only
// for the original message and fails for the rest
assert_eq!(commitment.clone().verify(m, &proof).unwrap(), m == msg);
});
acc.iter().for_each(|cmt| {
// Testing that verification against other commitments
// returns `false`
assert!(!cmt.clone().verify(msg, &proof).unwrap());
});
// Detecting collision: each message should produce a unique
// commitment even if the same container is used
assert!(acc.insert(commitment));
acc
},
);
}
/// Runs round-trip of commitment-embed-verify for a given set of messages
/// and provided container.
pub fn convolve_commit_verify_suite<Msg, Source>(messages: Vec<Msg>, container: Source)
where
Msg: AsRef<[u8]> + CommitEncode + Eq + Clone,
Source: ConvolveCommit<Msg, [u8; 32], TestProtocol> + VerifyEq + Eq + Hash + Debug + Clone,
Source::Commitment: Clone + Debug + Hash + VerifyEq + Eq,
[u8; 32]: ConvolveCommitProof<Msg, Source, TestProtocol, Suppl = [u8; 32]>,
{
messages.iter().fold(
HashSet::<Source::Commitment>::with_capacity(messages.len()),
|mut acc, msg| {
let (commitment, _) = container.convolve_commit(&SUPPLEMENT, msg).unwrap();
// Commitments MUST be deterministic: the same message must
// always produce the same commitment
(1..10).for_each(|_| {
let (commitment_prime, _) =
container.convolve_commit(&SUPPLEMENT, msg).unwrap();
assert_eq!(commitment_prime, commitment);
});
// Testing verification
assert!(SUPPLEMENT.verify(msg, &commitment).unwrap());
messages.iter().for_each(|m| {
// Testing that commitment verification succeeds only
// for the original message and fails for the rest
assert_eq!(SUPPLEMENT.verify(m, &commitment).unwrap(), m == msg);
});
acc.iter().for_each(|commitment| {
// Testing that verification against other commitments
// returns `false`
assert!(!SUPPLEMENT.verify(msg, commitment).unwrap());
});
// Detecting collision: each message should produce a unique
// commitment even if the same container is used
assert!(acc.insert(commitment));
acc
},
);
}
}
#[cfg(test)]
mod test {
use core::fmt::Debug;
use amplify::confinement::{SmallVec, U32};
use sha2::Sha256;
use super::test_helpers::*;
use super::*;
use crate::digest::DigestExt;
use crate::test_helpers::gen_messages;
use crate::{ConvolveCommit, ConvolveCommitProof};
#[derive(Clone, PartialEq, Eq, Debug, Hash, Error, Display)]
#[display("error")]
struct Error;
#[derive(Clone, PartialEq, Eq, Debug, Hash)]
struct DummyVec(SmallVec<u8>);
#[derive(Clone, PartialEq, Eq, Debug, Hash)]
struct DummyProof(SmallVec<u8>);
impl<T> EmbedCommitProof<T, DummyVec, TestProtocol> for DummyProof
where T: AsRef<[u8]> + Clone + CommitEncode
{
fn restore_original_container(&self, _: &DummyVec) -> Result<DummyVec, Error> {
Ok(DummyVec(self.0.clone()))
}
}
impl<T> EmbedCommitVerify<T, TestProtocol> for DummyVec
where T: AsRef<[u8]> + Clone + CommitEncode
{
type Proof = DummyProof;
type CommitError = Error;
type VerifyError = Error;
fn embed_commit(&mut self, msg: &T) -> Result<Self::Proof, Self::CommitError> {
let proof = self.0.clone();
let result = &mut self.0;
result.extend(msg.as_ref().iter().copied()).unwrap();
Ok(DummyProof(proof))
}
}
impl<T> ConvolveCommit<T, [u8; 32], TestProtocol> for DummyVec
where T: AsRef<[u8]> + Clone + CommitEncode
{
type Commitment = [u8; 32];
type CommitError = Error;
fn convolve_commit(
&self,
supplement: &[u8; 32],
msg: &T,
) -> Result<(Self::Commitment, [u8; 32]), Self::CommitError> {
let mut engine = Sha256::default();
engine.input_raw(supplement);
engine.input_with_len::<U32>(msg.as_ref());
Ok((engine.finish(), *supplement))
}
}
impl<T> ConvolveCommitProof<T, DummyVec, TestProtocol> for [u8; 32]
where T: AsRef<[u8]> + Clone + CommitEncode
{
type Suppl = [u8; 32];
fn restore_original(&self, _: &[u8; 32]) -> DummyVec { DummyVec(default!()) }
fn extract_supplement(&self) -> &Self::Suppl { self }
}
#[test]
fn test_embed_commit() {
embed_commit_verify_suite::<SmallVec<u8>, DummyVec>(gen_messages(), DummyVec(default!()));
}
#[test]
fn test_convolve_commit() {
convolve_commit_verify_suite::<SmallVec<u8>, DummyVec>(
gen_messages(),
DummyVec(small_vec![0xC0; 15]),
);
}
}