proof-cat-core 0.1.0

Field-agnostic proof-system primitives (sumcheck, multilinear, Fiat-Shamir, Merkle) shared by proof-cat and stark-cat
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132

//! Fiat-Shamir transcript for non-interactive proofs.
//!
//! The [`Transcript`] accumulates protocol messages (absorb) and
//! produces verifier challenges (squeeze) deterministically via
//! SHA-256.  It is functional: each operation consumes the
//! transcript and returns a new one (no interior mutation).

use field_cat::FieldBytes;
use sha2::{Digest, Sha256};

use crate::error::Error;

/// A Fiat-Shamir transcript.
///
/// Operations consume `self` and return a new transcript,
/// ensuring the hash state evolves deterministically.
///
/// # Examples
///
/// ```
/// use field_cat::BabyBear;
/// use proof_cat_core::Transcript;
///
/// // Create a transcript, absorb some data, squeeze a challenge.
/// let transcript = Transcript::new(b"my-protocol")
///     .absorb_field(&BabyBear::new(42));
/// let (_challenge, _transcript): (BabyBear, _) =
///     transcript.squeeze_challenge()?;
///
/// // The challenge is deterministic: same inputs produce
/// // the same challenge every time.
/// # Ok::<(), proof_cat_core::Error>(())
/// ```
#[derive(Debug, Clone)]
pub struct Transcript {
    state: Vec<u8>,
}

impl Transcript {
    /// Create a new transcript with a domain separation label.
    #[must_use]
    pub fn new(label: &[u8]) -> Self {
        Self {
            state: label.to_vec(),
        }
    }

    /// Absorb raw bytes into the transcript.
    #[must_use]
    pub fn absorb_bytes(self, data: &[u8]) -> Self {
        Self {
            state: self.state.into_iter().chain(data.iter().copied()).collect(),
        }
    }

    /// Absorb a field element into the transcript.
    #[must_use]
    pub fn absorb_field<F: FieldBytes>(self, elem: &F) -> Self {
        self.absorb_bytes(&elem.to_le_bytes())
    }

    /// Squeeze a challenge field element from the transcript.
    ///
    /// Hashes the current state with SHA-256, interprets the
    /// output as a field element, and returns the challenge
    /// along with an updated transcript.
    ///
    /// # Errors
    ///
    /// Returns [`Error::FieldCat`] if the hash output cannot be
    /// interpreted as a field element.
    pub fn squeeze_challenge<F: FieldBytes>(self) -> Result<(F, Self), Error> {
        let digest = Sha256::digest(&self.state);
        let challenge = F::from_le_bytes(digest.as_slice())?;
        let new_state = self
            .state
            .into_iter()
            .chain(digest.iter().copied())
            .collect();
        Ok((challenge, Self { state: new_state }))
    }
}

#[cfg(test)]
mod tests {
    use super::*;
    use field_cat::{BabyBear, F101};

    #[test]
    fn deterministic_challenges() -> Result<(), Error> {
        let t1 = Transcript::new(b"test").absorb_field(&BabyBear::new(42));
        let t2 = Transcript::new(b"test").absorb_field(&BabyBear::new(42));
        let (c1, _) = t1.squeeze_challenge::<BabyBear>()?;
        let (c2, _) = t2.squeeze_challenge::<BabyBear>()?;
        assert_eq!(c1, c2);
        Ok(())
    }

    #[test]
    fn different_inputs_different_challenges() -> Result<(), Error> {
        let t1 = Transcript::new(b"test").absorb_field(&BabyBear::new(1));
        let t2 = Transcript::new(b"test").absorb_field(&BabyBear::new(2));
        let (c1, _) = t1.squeeze_challenge::<BabyBear>()?;
        let (c2, _) = t2.squeeze_challenge::<BabyBear>()?;
        assert_ne!(c1, c2);
        Ok(())
    }

    #[test]
    fn absorb_order_matters() -> Result<(), Error> {
        let t1 = Transcript::new(b"test")
            .absorb_field(&F101::new(1))
            .absorb_field(&F101::new(2));
        let t2 = Transcript::new(b"test")
            .absorb_field(&F101::new(2))
            .absorb_field(&F101::new(1));
        let (c1, _) = t1.squeeze_challenge::<F101>()?;
        let (c2, _) = t2.squeeze_challenge::<F101>()?;
        assert_ne!(c1, c2);
        Ok(())
    }

    #[test]
    fn label_matters() -> Result<(), Error> {
        let t1 = Transcript::new(b"label_a").absorb_field(&BabyBear::new(42));
        let t2 = Transcript::new(b"label_b").absorb_field(&BabyBear::new(42));
        let (c1, _) = t1.squeeze_challenge::<BabyBear>()?;
        let (c2, _) = t2.squeeze_challenge::<BabyBear>()?;
        assert_ne!(c1, c2);
        Ok(())
    }
}