dory_pcs/
messages.rs

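//! Protocol messages exchanged between prover and verifier
//!
//! These messages correspond to the Extended Dory Reduce protocol from Section 3.2
//! and the VMV transformation for polynomial commitments.
//!
//! The structs below expose only public fields and derive `Clone`, `Debug` and
//! `PartialEq`; nothing in their definitions validates the values they carry, so
//! anything received from a prover has to be checked by the code that consumes it.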
/// Round-one prover message of the Dory-Reduce protocol (Section 3.2).
///
/// Carries D₁L, D₁R, D₂L, D₂R, E₁β and E₂β.
// NOTE(review): every field is public and the type enforces no invariants, so a
// value decoded from a prover is unvalidated data. Group-membership checks and
// absorption of all six elements into the transcript before the next challenge
// presumably live in the deserialization / verifier code; confirm there.
#[derive(Debug, Clone, PartialEq)]
pub struct FirstReduceMessage<G1, G2, GT> {
    /// Left pairing for the first set (D₁L).
    pub d1_left: GT,
    /// Right pairing for the first set (D₁R).
    pub d1_right: GT,
    /// Left pairing for the second set (D₂L).
    pub d2_left: GT,
    /// Right pairing for the second set (D₂R).
    pub d2_right: GT,
    /// Extension element in G1 (E₁β, Section 4.2).
    pub e1_beta: G1,
    /// Extension element in G2 (E₂β, Section 4.2).
    pub e2_beta: G2,
}
/// Round-two prover message of the Dory-Reduce protocol (Section 3.2).
///
/// Carries C₊, C₋, E₁₊, E₁₋, E₂₊ and E₂₋.
// NOTE(review): plain data carrier with public fields; nothing here checks that
// the six elements are valid members of their groups. That validation, and the
// binding of these values into the transcript, is presumably done by the code
// that decodes and verifies the message; confirm there.
#[derive(Debug, Clone, PartialEq)]
pub struct SecondReduceMessage<G1, G2, GT> {
    /// Plus combination (C₊).
    pub c_plus: GT,
    /// Minus combination (C₋).
    pub c_minus: GT,
    /// Extension element "plus" in G1 (E₁₊).
    pub e1_plus: G1,
    /// Extension element "minus" in G1 (E₁₋).
    pub e1_minus: G1,
    /// Extension element "plus" in G2 (E₂₊).
    pub e2_plus: G2,
    /// Extension element "minus" in G2 (E₂₋).
    pub e2_minus: G2,
}
/// Vector-Matrix-Vector (VMV) message used to transform a polynomial
/// commitment opening into a Dory statement.
///
/// Carries C, D₂ and E₁. There is no E₂ field: the verifier can compute it
/// itself as y·Γ₂,fin.
// NOTE(review): the three fields are public and unchecked by this type; any
// group-membership validation of prover-supplied values has to happen in the
// consuming code; confirm where.
#[derive(Debug, Clone, PartialEq)]
pub struct VMVMessage<G1, GT> {
    /// C = e(MSM(T_vec', v_vec), Γ₂,fin)
    pub c: GT,
    /// D₂ = e(MSM(Γ₁\[nu\], v_vec), Γ₂,fin)
    pub d2: GT,
    /// E₁ = MSM(T_vec', L_vec)
    pub e1: G1,
}
/// Closing scalar-product message (Section 3.1).
///
/// Carries E₁ and E₂, the two elements used in the final pairing verification.
// NOTE(review): both fields are public and carried as-is; the type itself does
// not validate them. Presumably the verifier checks them before the final
// pairing equation; confirm in the verification code.
#[derive(Debug, Clone, PartialEq)]
pub struct ScalarProductMessage<G1, G2> {
    /// Final G1 element (E₁).
    pub e1: G1,
    /// Final G2 element (E₂).
    pub e2: G2,
}
/// Σ-protocol 1: proves that E2 and y_com commit to the same y.
///
/// Only compiled when the `zk` feature is enabled.
// NOTE(review): field roles are not documented in this file. By type, `a1` is a
// G2 element, `a2` a G1 element and `z1`..`z3` are field elements; presumably
// the `a*` values are the prover's first-move commitments and the `z*` values
// the responses to the challenge; confirm against the prover/verifier code.
// The struct does no validation of its own.
#[cfg(feature = "zk")]
#[allow(missing_docs)]
#[derive(Debug, Clone, PartialEq)]
pub struct Sigma1Proof<G1, G2, F> {
    pub a1: G2,
    pub a2: G1,
    pub z1: F,
    pub z2: F,
    pub z3: F,
}
/// Σ-protocol 2: proves e(E1, Γ2,fin) - D2 = e(H1, t1·Γ2,fin + t2·H2).
///
/// Only compiled when the `zk` feature is enabled.
// NOTE(review): field roles are not documented in this file. By type, `a` is a
// GT element and `z1`, `z2` are field elements; presumably `a` is the prover's
// first-move commitment and `z1`, `z2` the responses for t1 and t2; confirm
// against the prover/verifier code. The struct does no validation of its own.
#[cfg(feature = "zk")]
#[allow(missing_docs)]
#[derive(Debug, Clone, PartialEq)]
pub struct Sigma2Proof<F, GT> {
    pub a: GT,
    pub z1: F,
    pub z2: F,
}
/// ZK scalar product proof: proves that (C, D1, D2) are consistent with the
/// blinded v1, v2.
// NOTE(review): unlike Sigma1Proof and Sigma2Proof in this file, this type is
// not gated behind `#[cfg(feature = "zk")]`; confirm that is intended.
// NOTE(review): field roles are not documented in this file. By type, `p1`,
// `p2`, `q`, `r` are GT elements, `e1` is in G1, `e2` in G2, and `r1`..`r3` are
// field elements (presumably the prover's responses; confirm). All fields are
// public and the struct validates nothing itself.
#[allow(missing_docs)]
#[derive(Debug, Clone, PartialEq)]
pub struct ScalarProductProof<G1, G2, F, GT> {
    pub p1: GT,
    pub p2: GT,
    pub q: GT,
    pub r: GT,
    pub e1: G1,
    pub e2: G2,
    pub r1: F,
    pub r2: F,
    pub r3: F,
}