diff --git a/zk-token-sdk/src/errors.rs b/zk-token-sdk/src/errors.rs index ba6a344cf..c0a54808e 100644 --- a/zk-token-sdk/src/errors.rs +++ b/zk-token-sdk/src/errors.rs @@ -1,19 +1,16 @@ //! Errors related to proving and verifying proofs. +use crate::{range_proof::errors::RangeProofError, sigma_proofs::errors::*}; use thiserror::Error; -use crate::{ - range_proof::errors::RangeProofError, - sigma_proofs::errors::*, -}; // TODO: clean up errors for encryption #[derive(Error, Clone, Debug, Eq, PartialEq)] pub enum ProofError { #[error("proof failed to verify")] - VerificationError, + Verification, #[error("range proof failed to verify")] - RangeProofError, + RangeProof, #[error("sigma proof failed to verify")] - SigmaProofError, + SigmaProof, #[error( "`zk_token_elgamal::pod::ElGamalCiphertext` contains invalid ElGamalCiphertext ciphertext" )] @@ -28,29 +25,29 @@ pub enum TranscriptError { impl From for ProofError { fn from(_err: RangeProofError) -> Self { - Self::RangeProofError + Self::RangeProof } } impl From for ProofError { fn from(_err: EqualityProofError) -> Self { - Self::SigmaProofError + Self::SigmaProof } } impl From for ProofError { fn from(_err: FeeProofError) -> Self { - Self::SigmaProofError + Self::SigmaProof } } impl From for ProofError { fn from(_err: ZeroBalanceProofError) -> Self { - Self::SigmaProofError + Self::SigmaProof } } impl From for ProofError { fn from(_err: ValidityProofError) -> Self { - Self::SigmaProofError + Self::SigmaProof } } diff --git a/zk-token-sdk/src/instruction/transfer.rs b/zk-token-sdk/src/instruction/transfer.rs index 8a75f92f1..578f7d87a 100644 --- a/zk-token-sdk/src/instruction/transfer.rs +++ b/zk-token-sdk/src/instruction/transfer.rs @@ -176,7 +176,7 @@ impl TransferData { if let (Some(amount_lo), Some(amount_hi)) = (amount_lo, amount_hi) { Ok((amount_lo as u64) + (TWO_32 * amount_hi as u64)) } else { - Err(ProofError::VerificationError) + Err(ProofError::Verification) } } } diff --git a/zk-token-sdk/src/range_proof/errors.rs b/zk-token-sdk/src/range_proof/errors.rs index ca5e5fba7..6a50b3c9a 100644 --- a/zk-token-sdk/src/range_proof/errors.rs +++ b/zk-token-sdk/src/range_proof/errors.rs @@ -1,27 +1,27 @@ //! Errors related to proving and verifying range proofs. -use thiserror::Error; use crate::errors::TranscriptError; +use thiserror::Error; #[derive(Error, Clone, Debug, Eq, PartialEq)] pub enum RangeProofError { #[error("the required algebraic relation does not hold")] - AlgebraicRelationError, + AlgebraicRelation, #[error("malformed proof")] - FormatError, + Format, #[error("attempted to create a proof with a non-power-of-two bitsize or bitsize too big")] InvalidBitsize, #[error("insufficient generators for the proof")] InvalidGeneratorsLength, #[error("multiscalar multiplication failed")] - MultiscalarMulError, + MultiscalarMul, #[error("transcript failed to produce a challenge")] - TranscriptError, + Transcript, #[error("number of blinding factors do not match the number of values")] WrongNumBlindingFactors, } impl From for RangeProofError { fn from(_err: TranscriptError) -> Self { - Self::TranscriptError + Self::Transcript } } diff --git a/zk-token-sdk/src/range_proof/inner_product.rs b/zk-token-sdk/src/range_proof/inner_product.rs index 45d0310ad..2d5658d7e 100644 --- a/zk-token-sdk/src/range_proof/inner_product.rs +++ b/zk-token-sdk/src/range_proof/inner_product.rs @@ -1,5 +1,8 @@ use { - crate::{range_proof::{errors::RangeProofError, util}, transcript::TranscriptProtocol}, + crate::{ + range_proof::{errors::RangeProofError, util}, + transcript::TranscriptProtocol, + }, core::iter, curve25519_dalek::{ ristretto::{CompressedRistretto, RistrettoPoint}, @@ -295,13 +298,13 @@ impl InnerProductProof { let Ls = self .L_vec .iter() - .map(|p| p.decompress().ok_or(RangeProofError::FormatError)) + .map(|p| p.decompress().ok_or(RangeProofError::Format)) .collect::, _>>()?; let Rs = self .R_vec .iter() - .map(|p| p.decompress().ok_or(RangeProofError::FormatError)) + .map(|p| p.decompress().ok_or(RangeProofError::Format)) .collect::, _>>()?; let expect_P = RistrettoPoint::vartime_multiscalar_mul( @@ -320,7 +323,7 @@ impl InnerProductProof { if expect_P == *P { Ok(()) } else { - Err(RangeProofError::AlgebraicRelationError) + Err(RangeProofError::AlgebraicRelation) } } @@ -357,18 +360,18 @@ impl InnerProductProof { pub fn from_bytes(slice: &[u8]) -> Result { let b = slice.len(); if b % 32 != 0 { - return Err(RangeProofError::FormatError); + return Err(RangeProofError::Format); } let num_elements = b / 32; if num_elements < 2 { - return Err(RangeProofError::FormatError); + return Err(RangeProofError::Format); } if (num_elements - 2) % 2 != 0 { - return Err(RangeProofError::FormatError); + return Err(RangeProofError::Format); } let lg_n = (num_elements - 2) / 2; if lg_n >= 32 { - return Err(RangeProofError::FormatError); + return Err(RangeProofError::Format); } let mut L_vec: Vec = Vec::with_capacity(lg_n); @@ -381,9 +384,9 @@ impl InnerProductProof { let pos = 2 * lg_n * 32; let a = Scalar::from_canonical_bytes(util::read32(&slice[pos..])) - .ok_or(RangeProofError::FormatError)?; + .ok_or(RangeProofError::Format)?; let b = Scalar::from_canonical_bytes(util::read32(&slice[pos + 32..])) - .ok_or(RangeProofError::FormatError)?; + .ok_or(RangeProofError::Format)?; Ok(InnerProductProof { L_vec, R_vec, a, b }) } diff --git a/zk-token-sdk/src/range_proof/mod.rs b/zk-token-sdk/src/range_proof/mod.rs index 88e04add7..ffc66c718 100644 --- a/zk-token-sdk/src/range_proof/mod.rs +++ b/zk-token-sdk/src/range_proof/mod.rs @@ -8,7 +8,9 @@ use { use { crate::{ encryption::pedersen::PedersenBase, - range_proof::{errors::RangeProofError, generators::BulletproofGens, inner_product::InnerProductProof}, + range_proof::{ + errors::RangeProofError, generators::BulletproofGens, inner_product::InnerProductProof, + }, transcript::TranscriptProtocol, }, core::iter, @@ -20,10 +22,10 @@ use { merlin::Transcript, }; +pub mod errors; pub mod generators; pub mod inner_product; pub mod util; -pub mod errors; #[allow(non_snake_case)] #[derive(Clone)] @@ -94,12 +96,13 @@ impl RangeProof { // generate blinding factor for Pedersen commitment; `s_blinding` should not to be confused // with blinding factors for the actual inner product vector - let s_blinding = Scalar::random(&mut OsRng); + let s_blinding = Scalar::random(&mut OsRng); let S = RistrettoPoint::multiscalar_mul( iter::once(&s_blinding).chain(s_L.iter()).chain(s_R.iter()), iter::once(&H).chain(bp_gens.G(nm)).chain(bp_gens.H(nm)), - ).compress(); + ) + .compress(); // add the Pedersen vector commitments to the transcript (send the commitments to the verifier) transcript.append_point(b"A", &A); @@ -190,6 +193,9 @@ impl RangeProof { let G_factors: Vec = iter::repeat(Scalar::one()).take(nm).collect(); let H_factors: Vec = util::exp_iter(y.invert()).take(nm).collect(); + // generate challenge `c` for consistency with the verifier's transcript + transcript.challenge_scalar(b"c"); + let ipp_proof = InnerProductProof::create( &Q, &G_factors, @@ -201,9 +207,7 @@ impl RangeProof { transcript, ); - // generate challenge `c` for consistency with the verifier's transcript - transcript.challenge_scalar(b"c"); - + println!("{:?}", w); RangeProof { A, S, @@ -288,6 +292,9 @@ impl RangeProof { w * (self.t_x - a * b) + c * (delta(&bit_lengths, &y, &z) - self.t_x); let value_commitment_scalars = util::exp_iter(z).take(m).map(|z_exp| c * zz * z_exp); + println!("here"); + println!("{:?}", w); + let mega_check = RistrettoPoint::optional_multiscalar_mul( iter::once(Scalar::one()) .chain(iter::once(x)) @@ -312,12 +319,16 @@ impl RangeProof { .chain(bp_gens.H(nm).map(|&x| Some(x))) .chain(comms.iter().map(|V| V.decompress())), ) - .ok_or(RangeProofError::MultiscalarMulError)?; + .ok_or(RangeProofError::MultiscalarMul)?; + + println!("here2"); + println!("{:?}", mega_check.compress()); if mega_check.is_identity() { Ok(()) } else { - Err(RangeProofError::AlgebraicRelationError) + println!("here3"); + Err(RangeProofError::AlgebraicRelation) } } @@ -340,10 +351,10 @@ impl RangeProof { // changed. pub fn from_bytes(slice: &[u8]) -> Result { if slice.len() % 32 != 0 { - return Err(RangeProofError::FormatError); + return Err(RangeProofError::Format); } if slice.len() < 7 * 32 { - return Err(RangeProofError::FormatError); + return Err(RangeProofError::Format); } let A = CompressedRistretto(util::read32(&slice[0..])); @@ -352,11 +363,11 @@ impl RangeProof { let T_2 = CompressedRistretto(util::read32(&slice[3 * 32..])); let t_x = Scalar::from_canonical_bytes(util::read32(&slice[4 * 32..])) - .ok_or(RangeProofError::FormatError)?; + .ok_or(RangeProofError::Format)?; let t_x_blinding = Scalar::from_canonical_bytes(util::read32(&slice[5 * 32..])) - .ok_or(RangeProofError::FormatError)?; + .ok_or(RangeProofError::Format)?; let e_blinding = Scalar::from_canonical_bytes(util::read32(&slice[6 * 32..])) - .ok_or(RangeProofError::FormatError)?; + .ok_or(RangeProofError::Format)?; let ipp_proof = InnerProductProof::from_bytes(&slice[7 * 32..])?; diff --git a/zk-token-sdk/src/sigma_proofs/equality_proof.rs b/zk-token-sdk/src/sigma_proofs/equality_proof.rs index 2d84eb342..88d5098f4 100644 --- a/zk-token-sdk/src/sigma_proofs/equality_proof.rs +++ b/zk-token-sdk/src/sigma_proofs/equality_proof.rs @@ -109,9 +109,9 @@ impl EqualityProof { let ww = w * w; // check that the required algebraic condition holds - let Y_0 = self.Y_0.decompress().ok_or(EqualityProofError::FormatError)?; - let Y_1 = self.Y_1.decompress().ok_or(EqualityProofError::FormatError)?; - let Y_2 = self.Y_2.decompress().ok_or(EqualityProofError::FormatError)?; + let Y_0 = self.Y_0.decompress().ok_or(EqualityProofError::Format)?; + let Y_1 = self.Y_1.decompress().ok_or(EqualityProofError::Format)?; + let Y_2 = self.Y_2.decompress().ok_or(EqualityProofError::Format)?; let check = RistrettoPoint::vartime_multiscalar_mul( vec![ @@ -133,7 +133,7 @@ impl EqualityProof { if check.is_identity() { Ok(()) } else { - Err(EqualityProofError::AlgebraicRelationError) + Err(EqualityProofError::AlgebraicRelation) } } @@ -156,9 +156,9 @@ impl EqualityProof { let Y_1 = CompressedRistretto::from_slice(Y_1); let Y_2 = CompressedRistretto::from_slice(Y_2); - let z_s = Scalar::from_canonical_bytes(*z_s).ok_or(EqualityProofError::FormatError)?; - let z_x = Scalar::from_canonical_bytes(*z_x).ok_or(EqualityProofError::FormatError)?; - let z_r = Scalar::from_canonical_bytes(*z_r).ok_or(EqualityProofError::FormatError)?; + let z_s = Scalar::from_canonical_bytes(*z_s).ok_or(EqualityProofError::Format)?; + let z_x = Scalar::from_canonical_bytes(*z_x).ok_or(EqualityProofError::Format)?; + let z_r = Scalar::from_canonical_bytes(*z_r).ok_or(EqualityProofError::Format)?; Ok(EqualityProof { Y_0, diff --git a/zk-token-sdk/src/sigma_proofs/errors.rs b/zk-token-sdk/src/sigma_proofs/errors.rs index 3cb2985ac..973ba15d6 100644 --- a/zk-token-sdk/src/sigma_proofs/errors.rs +++ b/zk-token-sdk/src/sigma_proofs/errors.rs @@ -1,75 +1,75 @@ //! Errors related to proving and verifying sigma proofs. -use thiserror::Error; use crate::errors::TranscriptError; +use thiserror::Error; #[derive(Error, Clone, Debug, Eq, PartialEq)] pub enum EqualityProofError { #[error("the required algebraic relation does not hold")] - AlgebraicRelationError, + AlgebraicRelation, #[error("malformed proof")] - FormatError, + Format, #[error("multiscalar multiplication failed")] - MultiscalarMulError, + MultiscalarMul, #[error("transcript failed to produce a challenge")] - TranscriptError, + Transcript, } impl From for EqualityProofError { fn from(_err: TranscriptError) -> Self { - Self::TranscriptError + Self::Transcript } } #[derive(Error, Clone, Debug, Eq, PartialEq)] pub enum ValidityProofError { #[error("the required algebraic relation does not hold")] - AlgebraicRelationError, + AlgebraicRelation, #[error("malformed proof")] - FormatError, + Format, #[error("multiscalar multiplication failed")] - MultiscalarMulError, + MultiscalarMul, #[error("transcript failed to produce a challenge")] - TranscriptError, + Transcript, } impl From for ValidityProofError { fn from(_err: TranscriptError) -> Self { - Self::TranscriptError + Self::Transcript } } #[derive(Error, Clone, Debug, Eq, PartialEq)] pub enum ZeroBalanceProofError { #[error("the required algebraic relation does not hold")] - AlgebraicRelationError, + AlgebraicRelation, #[error("malformed proof")] - FormatError, + Format, #[error("multiscalar multiplication failed")] - MultiscalarMulError, + MultiscalarMul, #[error("transcript failed to produce a challenge")] - TranscriptError, + Transcript, } impl From for ZeroBalanceProofError { fn from(_err: TranscriptError) -> Self { - Self::TranscriptError + Self::Transcript } } #[derive(Error, Clone, Debug, Eq, PartialEq)] pub enum FeeProofError { #[error("the required algebraic relation does not hold")] - AlgebraicRelationError, + AlgebraicRelation, #[error("malformed proof")] - FormatError, + Format, #[error("multiscalar multiplication failed")] - MultiscalarMulError, + MultiscalarMul, #[error("transcript failed to produce a challenge")] - TranscriptError, + Transcript, } impl From for FeeProofError { fn from(_err: TranscriptError) -> Self { - Self::TranscriptError + Self::Transcript } } diff --git a/zk-token-sdk/src/sigma_proofs/fee_proof.rs b/zk-token-sdk/src/sigma_proofs/fee_proof.rs index d9a4abc22..1568b89e2 100644 --- a/zk-token-sdk/src/sigma_proofs/fee_proof.rs +++ b/zk-token-sdk/src/sigma_proofs/fee_proof.rs @@ -202,19 +202,19 @@ impl FeeProof { .fee_max_proof .Y_max .decompress() - .ok_or(FeeProofError::FormatError)?; + .ok_or(FeeProofError::Format)?; let z_max = self.fee_max_proof.z_max; let Y_delta_real = self .fee_equality_proof .Y_delta_real .decompress() - .ok_or(FeeProofError::FormatError)?; + .ok_or(FeeProofError::Format)?; let Y_delta_claimed = self .fee_equality_proof .Y_delta_claimed .decompress() - .ok_or(FeeProofError::FormatError)?; + .ok_or(FeeProofError::Format)?; let z_x = self.fee_equality_proof.z_x; let z_delta_real = self.fee_equality_proof.z_delta_real; let z_delta_claimed = self.fee_equality_proof.z_delta_claimed; @@ -262,7 +262,7 @@ impl FeeProof { if check.is_identity() { Ok(()) } else { - Err(FeeProofError::AlgebraicRelationError) + Err(FeeProofError::AlgebraicRelation) } } } diff --git a/zk-token-sdk/src/sigma_proofs/validity_proof.rs b/zk-token-sdk/src/sigma_proofs/validity_proof.rs index ce3f917c1..361c57041 100644 --- a/zk-token-sdk/src/sigma_proofs/validity_proof.rs +++ b/zk-token-sdk/src/sigma_proofs/validity_proof.rs @@ -103,9 +103,9 @@ impl ValidityProof { let ww = w * w; // check the required algebraic conditions - let Y_0 = self.Y_0.decompress().ok_or(ValidityProofError::FormatError)?; - let Y_1 = self.Y_1.decompress().ok_or(ValidityProofError::FormatError)?; - let Y_2 = self.Y_2.decompress().ok_or(ValidityProofError::FormatError)?; + let Y_0 = self.Y_0.decompress().ok_or(ValidityProofError::Format)?; + let Y_1 = self.Y_1.decompress().ok_or(ValidityProofError::Format)?; + let Y_2 = self.Y_2.decompress().ok_or(ValidityProofError::Format)?; let P_dest = elgamal_pubkey_dest.get_point(); let P_auditor = elgamal_pubkey_auditor.get_point(); @@ -133,7 +133,7 @@ impl ValidityProof { if check.is_identity() { Ok(()) } else { - Err(ValidityProofError::AlgebraicRelationError) + Err(ValidityProofError::AlgebraicRelation) } } @@ -155,8 +155,8 @@ impl ValidityProof { let Y_1 = CompressedRistretto::from_slice(Y_1); let Y_2 = CompressedRistretto::from_slice(Y_2); - let z_r = Scalar::from_canonical_bytes(*z_r).ok_or(ValidityProofError::FormatError)?; - let z_x = Scalar::from_canonical_bytes(*z_x).ok_or(ValidityProofError::FormatError)?; + let z_r = Scalar::from_canonical_bytes(*z_r).ok_or(ValidityProofError::Format)?; + let z_x = Scalar::from_canonical_bytes(*z_x).ok_or(ValidityProofError::Format)?; Ok(ValidityProof { Y_0, diff --git a/zk-token-sdk/src/sigma_proofs/zero_balance_proof.rs b/zk-token-sdk/src/sigma_proofs/zero_balance_proof.rs index 9d40dea64..6259f0f04 100644 --- a/zk-token-sdk/src/sigma_proofs/zero_balance_proof.rs +++ b/zk-token-sdk/src/sigma_proofs/zero_balance_proof.rs @@ -89,8 +89,8 @@ impl ZeroBalanceProof { let w = transcript.challenge_scalar(b"w"); // w used for multiscalar multiplication verification // decompress R or return verification error - let Y_P = self.Y_P.decompress().ok_or(ZeroBalanceProofError::FormatError)?; - let Y_D = self.Y_D.decompress().ok_or(ZeroBalanceProofError::FormatError)?; + let Y_P = self.Y_P.decompress().ok_or(ZeroBalanceProofError::Format)?; + let Y_D = self.Y_D.decompress().ok_or(ZeroBalanceProofError::Format)?; let z = self.z; // check the required algebraic relation @@ -102,7 +102,7 @@ impl ZeroBalanceProof { if check.is_identity() { Ok(()) } else { - Err(ZeroBalanceProofError::AlgebraicRelationError) + Err(ZeroBalanceProofError::AlgebraicRelation) } } @@ -121,7 +121,7 @@ impl ZeroBalanceProof { let Y_P = CompressedRistretto::from_slice(Y_P); let Y_D = CompressedRistretto::from_slice(Y_D); - let z = Scalar::from_canonical_bytes(*z).ok_or(ZeroBalanceProofError::FormatError)?; + let z = Scalar::from_canonical_bytes(*z).ok_or(ZeroBalanceProofError::Format)?; Ok(ZeroBalanceProof { Y_P, Y_D, z }) } diff --git a/zk-token-sdk/src/zk_token_elgamal/convert.rs b/zk-token-sdk/src/zk_token_elgamal/convert.rs index 5fbcb9984..ce9ebc59c 100644 --- a/zk-token-sdk/src/zk_token_elgamal/convert.rs +++ b/zk-token-sdk/src/zk_token_elgamal/convert.rs @@ -23,8 +23,7 @@ mod target_arch { errors::ProofError, range_proof::{errors::RangeProofError, RangeProof}, sigma_proofs::{ - errors::*, - equality_proof::EqualityProof, validity_proof::ValidityProof, + equality_proof::EqualityProof, errors::*, validity_proof::ValidityProof, zero_balance_proof::ZeroBalanceProof, }, }, @@ -192,7 +191,7 @@ mod target_arch { fn try_from(proof: RangeProof) -> Result { if proof.ipp_proof.serialized_size() != 448 { - return Err(RangeProofError::FormatError); + return Err(RangeProofError::Format); } let mut buf = [0_u8; 672]; @@ -222,7 +221,7 @@ mod target_arch { fn try_from(proof: RangeProof) -> Result { if proof.ipp_proof.serialized_size() != 512 { - return Err(RangeProofError::FormatError); + return Err(RangeProofError::Format); } let mut buf = [0_u8; 736];