dleq 0.4.1

Implementation of single and cross-curve Discrete Log Equality proofs
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200

use core::ops::Deref;

use hex_literal::hex;

use zeroize::Zeroizing;
use rand_core::{RngCore, OsRng};

use ff::{Field, PrimeField};
use group::{Group, GroupEncoding};

use blake2::{Digest, Blake2b512};

use k256::{Scalar, ProjectivePoint};
use dalek_ff_group::{self as dfg, EdwardsPoint};

use transcript::{Transcript, RecommendedTranscript};

use crate::{
  cross_group::{
    scalar::mutual_scalar_from_bytes, Generators, ClassicLinearDLEq, EfficientLinearDLEq,
    ConciseLinearDLEq, CompromiseLinearDLEq,
  },
};

mod scalar;
mod aos;

type G0 = ProjectivePoint;
type G1 = EdwardsPoint;

pub(crate) fn transcript() -> RecommendedTranscript {
  RecommendedTranscript::new(b"Cross-Group DLEq Proof Test")
}

pub(crate) fn generators() -> (Generators<G0>, Generators<G1>) {
  (
    Generators::new(
      ProjectivePoint::GENERATOR,
      ProjectivePoint::from_bytes(
        &(hex!("0250929b74c1a04954b78b4b6035e97a5e078a5a0f28ec96d547bfee9ace803ac0").into()),
      )
      .unwrap(),
    )
    .unwrap(),
    Generators::new(
      EdwardsPoint::generator(),
      EdwardsPoint::from_bytes(&hex!(
        "8b655970153799af2aeadc9ff1add0ea6c7251d54154cfa92c173a0dd39c1f94"
      ))
      .unwrap(),
    )
    .unwrap(),
  )
}

macro_rules! verify_and_deserialize {
  ($type: ty, $proof: ident, $generators: ident, $keys: ident) => {
    let public_keys = $proof.verify(&mut OsRng, &mut transcript(), $generators).unwrap();
    assert_eq!($generators.0.primary * $keys.0.deref(), public_keys.0);
    assert_eq!($generators.1.primary * $keys.1.deref(), public_keys.1);

    #[cfg(feature = "serialize")]
    {
      let mut buf = vec![];
      $proof.write(&mut buf).unwrap();
      let deserialized = <$type>::read::<&[u8]>(&mut buf.as_ref()).unwrap();
      assert_eq!($proof, deserialized);
    }
  };
}

macro_rules! test_dleq {
  ($str: literal, $benchmark: ident, $name: ident, $type: ident) => {
    #[ignore]
    #[test]
    fn $benchmark() {
      println!("Benchmarking with Secp256k1/Ed25519");
      let generators = generators();

      let mut seed = [0; 32];
      OsRng.fill_bytes(&mut seed);
      let key = Blake2b512::new().chain_update(seed);

      let runs = 200;
      let mut proofs = Vec::with_capacity(usize::try_from(runs).unwrap());
      let time = std::time::Instant::now();
      for _ in 0 .. runs {
        proofs.push($type::prove(&mut OsRng, &mut transcript(), generators, key.clone()).0);
      }
      println!("{} had a average prove time of {}ms", $str, time.elapsed().as_millis() / runs);

      let time = std::time::Instant::now();
      for proof in &proofs {
        proof.verify(&mut OsRng, &mut transcript(), generators).unwrap();
      }
      println!("{} had a average verify time of {}ms", $str, time.elapsed().as_millis() / runs);

      #[cfg(feature = "serialize")]
      {
        let mut buf = vec![];
        proofs[0].write(&mut buf).unwrap();
        println!("{} had a proof size of {} bytes", $str, buf.len());
      }
    }

    #[test]
    fn $name() {
      let generators = generators();

      for i in 0 .. 1 {
        let (proof, keys) = if i == 0 {
          let mut seed = [0; 32];
          OsRng.fill_bytes(&mut seed);

          $type::prove(
            &mut OsRng,
            &mut transcript(),
            generators,
            Blake2b512::new().chain_update(seed),
          )
        } else {
          let mut key;
          let mut res;
          while {
            key = Zeroizing::new(Scalar::random(&mut OsRng));
            res = $type::prove_without_bias(&mut OsRng, &mut transcript(), generators, key.clone());
            res.is_none()
          } {}
          let res = res.unwrap();
          assert_eq!(key, res.1 .0);
          res
        };

        verify_and_deserialize!($type::<G0, G1>, proof, generators, keys);
      }
    }
  };
}

test_dleq!("ClassicLinear", benchmark_classic_linear, test_classic_linear, ClassicLinearDLEq);
test_dleq!("ConciseLinear", benchmark_concise_linear, test_concise_linear, ConciseLinearDLEq);
test_dleq!(
  "EfficientLinear",
  benchmark_efficient_linear,
  test_efficient_linear,
  EfficientLinearDLEq
);
test_dleq!(
  "CompromiseLinear",
  benchmark_compromise_linear,
  test_compromise_linear,
  CompromiseLinearDLEq
);

#[test]
fn test_rejection_sampling() {
  let mut pow_2 = Scalar::ONE;
  for _ in 0 .. dfg::Scalar::CAPACITY {
    pow_2 = pow_2.double();
  }

  assert!(
    // Either would work
    EfficientLinearDLEq::prove_without_bias(
      &mut OsRng,
      &mut transcript(),
      generators(),
      Zeroizing::new(pow_2)
    )
    .is_none()
  );
}

#[test]
fn test_remainder() {
  // Uses Secp256k1 for both to achieve an odd capacity of 255
  assert_eq!(Scalar::CAPACITY, 255);
  let generators = (generators().0, generators().0);
  // This will ignore any unused bits, ensuring every remaining one is set
  let keys = mutual_scalar_from_bytes::<Scalar, Scalar>(&[0xFF; 32]);
  let keys = (Zeroizing::new(keys.0), Zeroizing::new(keys.1));
  assert_eq!(Scalar::ONE + keys.0.deref(), Scalar::from(2u64).pow_vartime([255]));
  assert_eq!(keys.0, keys.1);

  let (proof, res) = ConciseLinearDLEq::prove_without_bias(
    &mut OsRng,
    &mut transcript(),
    generators,
    keys.0.clone(),
  )
  .unwrap();
  assert_eq!(keys, res);

  verify_and_deserialize!(
    ConciseLinearDLEq::<ProjectivePoint, ProjectivePoint>,
    proof,
    generators,
    keys
  );
}