Randomized pairing checker, some helpers and refactoring

Signed-off-by: lovesh <lovesh.bond@gmail.com>

Author: lovesh

bbs_plus/Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "bbs_plus"
-version = "0.8.0"
+version = "0.9.0"
 edition.workspace = true
 authors.workspace = true
 license.workspace = true
@@ -19,7 +19,7 @@ ark-std.workspace = true
 digest.workspace = true
 rayon = {workspace = true, optional = true}
 schnorr_pok = { version = "0.7.0", default-features = false, path = "../schnorr_pok" }
-dock_crypto_utils = { version = "0.5.0", default-features = false, path = "../utils" }
+dock_crypto_utils = { version = "0.6.0", default-features = false, path = "../utils" }
 serde.workspace = true
 serde_with.workspace = true
 zeroize.workspace = true

bbs_plus/src/error.rs

@@ -8,6 +8,7 @@ use serde::Serialize;
 
 #[derive(Debug, Serialize)]
 pub enum BBSPlusError {
+    CannotInvert0,
     NoMessageToSign,
     MessageCountIncompatibleWithSigParams(usize, usize),
     InvalidMessageIdx(usize),

bbs_plus/src/proof.rs

@@ -72,6 +72,7 @@ use ark_std::{
     vec::Vec,
     One, UniformRand,
 };
+use dock_crypto_utils::randomized_pairing_check::RandomizedPairingChecker;
 use dock_crypto_utils::serde_utils::*;
 use schnorr_pok::{error::SchnorrError, SchnorrCommitment, SchnorrResponse};
 use serde::{Deserialize, Serialize};
@@ -175,7 +176,7 @@ where
 
         let r1 = E::Fr::rand(rng);
         let r2 = E::Fr::rand(rng);
-        let r3 = r1.inverse().unwrap();
+        let r3 = r1.inverse().ok_or(BBSPlusError::CannotInvert0)?;
 
         // b = (e+x) * A = g1 + h_0*s + sum(h_i*m_i) for all i in I
         let b = params.b(
@@ -374,9 +375,7 @@ where
         pk: &PublicKeyG2<E>,
         params: &SignatureParamsG1<E>,
     ) -> Result<(), BBSPlusError> {
-        if self.A_prime.is_zero() {
-            return Err(BBSPlusError::ZeroSignature);
-        }
+        self.verify_except_pairings(revealed_msgs, challenge, params)?;
 
         // Verify the randomized signature
         if !E::product_of_pairings(&[
@@ -390,7 +389,70 @@ where
         {
             return Err(BBSPlusError::PairingCheckFailed);
         }
+        Ok(())
+    }
+
+    pub fn verify_with_randomized_pairing_checker(
+        &self,
+        revealed_msgs: &BTreeMap<usize, E::Fr>,
+        challenge: &E::Fr,
+        pk: &PublicKeyG2<E>,
+        params: &SignatureParamsG1<E>,
+        pairing_checker: &mut RandomizedPairingChecker<E>,
+    ) -> Result<(), BBSPlusError> {
+        self.verify_except_pairings(revealed_msgs, challenge, params)?;
+        pairing_checker.add_sources(self.A_prime, pk.0, self.A_bar, params.g2);
+        Ok(())
+    }
 
+    /// For the verifier to independently calculate the challenge
+    pub fn challenge_contribution<W: Write>(
+        &self,
+        revealed_msgs: &BTreeMap<usize, E::Fr>,
+        params: &SignatureParamsG1<E>,
+        writer: W,
+    ) -> Result<(), BBSPlusError> {
+        PoKOfSignatureG1Protocol::compute_challenge_contribution(
+            &self.A_prime,
+            &self.A_bar,
+            &self.d,
+            &self.T1,
+            &self.T2,
+            revealed_msgs,
+            params,
+            writer,
+        )
+    }
+
+    /// Get the response from post-challenge phase of the Schnorr protocol for the given message index
+    /// `msg_idx`. Used when comparing message equality
+    pub fn get_resp_for_message(
+        &self,
+        msg_idx: usize,
+        revealed_msg_ids: &BTreeSet<usize>,
+    ) -> Result<&E::Fr, BBSPlusError> {
+        // Revealed messages are not part of Schnorr protocol
+        if revealed_msg_ids.contains(&msg_idx) {
+            return Err(BBSPlusError::InvalidMsgIdxForResponse(msg_idx));
+        }
+        // Adjust message index as the revealed messages are not part of the Schnorr protocol
+        let mut adjusted_idx = msg_idx;
+        for i in revealed_msg_ids {
+            if *i < msg_idx {
+                adjusted_idx -= 1;
+            }
+        }
+        // 2 added to the index, since 0th and 1st index are reserved for `s'` and `r2`
+        let r = self.sc_resp_2.get_response(2 + adjusted_idx)?;
+        Ok(r)
+    }
+
+    pub fn verify_schnorr_proofs(
+        &self,
+        revealed_msgs: &BTreeMap<usize, E::Fr>,
+        challenge: &E::Fr,
+        params: &SignatureParamsG1<E>,
+    ) -> Result<(), BBSPlusError> {
         // Verify the 1st Schnorr proof
         let bases_1 = [self.A_prime, params.h_0];
         // A_bar - d
@@ -441,46 +503,18 @@ where
         Ok(())
     }
 
-    /// For the verifier to independently calculate the challenge
-    pub fn challenge_contribution<W: Write>(
+    /// Verify the proof except the pairing equations. This is useful when doing several verifications (of this
+    /// protocol or others) and the pairing equations are combined in a randomized pairing check.
+    fn verify_except_pairings(
         &self,
         revealed_msgs: &BTreeMap<usize, E::Fr>,
+        challenge: &E::Fr,
         params: &SignatureParamsG1<E>,
-        writer: W,
     ) -> Result<(), BBSPlusError> {
-        PoKOfSignatureG1Protocol::compute_challenge_contribution(
-            &self.A_prime,
-            &self.A_bar,
-            &self.d,
-            &self.T1,
-            &self.T2,
-            revealed_msgs,
-            params,
-            writer,
-        )
-    }
-
-    /// Get the response from post-challenge phase of the Schnorr protocol for the given message index
-    /// `msg_idx`. Used when comparing message equality
-    pub fn get_resp_for_message(
-        &self,
-        msg_idx: usize,
-        revealed_msg_ids: &BTreeSet<usize>,
-    ) -> Result<&E::Fr, BBSPlusError> {
-        // Revealed messages are not part of Schnorr protocol
-        if revealed_msg_ids.contains(&msg_idx) {
-            return Err(BBSPlusError::InvalidMsgIdxForResponse(msg_idx));
-        }
-        // Adjust message index as the revealed messages are not part of the Schnorr protocol
-        let mut adjusted_idx = msg_idx;
-        for i in revealed_msg_ids {
-            if *i < msg_idx {
-                adjusted_idx -= 1;
-            }
+        if self.A_prime.is_zero() {
+            return Err(BBSPlusError::ZeroSignature);
         }
-        // 2 added to the index, since 0th and 1st index are reserved for `s'` and `r2`
-        let r = self.sc_resp_2.get_response(2 + adjusted_idx)?;
-        Ok(r)
+        self.verify_schnorr_proofs(revealed_msgs, challenge, params)
     }
 }
 
@@ -1034,4 +1068,94 @@ mod tests {
             }
         }
     }
+
+    #[test]
+    fn test_PoK_multiple_sigs_with_randomized_pairing_check() {
+        let mut rng = StdRng::seed_from_u64(0u64);
+        let message_count = 5;
+        let params =
+            SignatureParamsG1::<Bls12_381>::new::<Blake2b>("test".as_bytes(), message_count);
+        let keypair = KeypairG2::<Bls12_381>::generate_using_rng(&mut rng, &params);
+
+        let sig_count = 10;
+        let mut msgs = vec![];
+        let mut sigs = vec![];
+        let mut chal_bytes_prover = vec![];
+        let mut poks = vec![];
+        let mut proofs = vec![];
+        for i in 0..sig_count {
+            msgs.push(
+                (0..message_count)
+                    .into_iter()
+                    .map(|_| Fr::rand(&mut rng))
+                    .collect::<Vec<Fr>>(),
+            );
+            sigs.push(
+                SignatureG1::<Bls12_381>::new(&mut rng, &msgs[i], &keypair.secret_key, &params)
+                    .unwrap(),
+            );
+            let pok = PoKOfSignatureG1Protocol::init(
+                &mut rng,
+                &sigs[i],
+                &params,
+                &msgs[i],
+                BTreeMap::new(),
+                BTreeSet::new(),
+            )
+            .unwrap();
+            pok.challenge_contribution(&BTreeMap::new(), &params, &mut chal_bytes_prover)
+                .unwrap();
+            poks.push(pok);
+        }
+
+        let challenge_prover = compute_random_oracle_challenge::<Fr, Blake2b>(&chal_bytes_prover);
+
+        for pok in poks {
+            proofs.push(pok.gen_proof(&challenge_prover).unwrap());
+        }
+
+        let mut chal_bytes_verifier = vec![];
+
+        for proof in &proofs {
+            proof
+                .challenge_contribution(&BTreeMap::new(), &params, &mut chal_bytes_verifier)
+                .unwrap();
+        }
+
+        let challenge_verifier =
+            compute_random_oracle_challenge::<Fr, Blake2b>(&chal_bytes_verifier);
+
+        let start = Instant::now();
+        for proof in proofs.clone() {
+            proof
+                .verify(
+                    &BTreeMap::new(),
+                    &challenge_verifier,
+                    &keypair.public_key,
+                    &params,
+                )
+                .unwrap();
+        }
+        println!("Time to verify {} sigs: {:?}", sig_count, start.elapsed());
+
+        let mut pairing_checker = RandomizedPairingChecker::new_using_rng(&mut rng, true);
+        let start = Instant::now();
+        for proof in proofs.clone() {
+            proof
+                .verify_with_randomized_pairing_checker(
+                    &BTreeMap::new(),
+                    &challenge_verifier,
+                    &keypair.public_key,
+                    &params,
+                    &mut pairing_checker,
+                )
+                .unwrap();
+        }
+        assert!(pairing_checker.verify());
+        println!(
+            "Time to verify {} sigs using randomized pairing checker: {:?}",
+            sig_count,
+            start.elapsed()
+        );
+    }
 }

bbs_plus/src/setup.rs

@@ -30,7 +30,7 @@
 //! ```
 
 use crate::error::BBSPlusError;
-use ark_ec::{msm::VariableBaseMSM, AffineCurve, PairingEngine, ProjectiveCurve};
+use ark_ec::{AffineCurve, PairingEngine, ProjectiveCurve};
 use ark_ff::{to_bytes, PrimeField, SquareRootField};
 use ark_serialize::{CanonicalDeserialize, CanonicalSerialize, SerializationError};
 use ark_std::collections::BTreeMap;
@@ -49,6 +49,7 @@ use zeroize::Zeroize;
 use dock_crypto_utils::hashing_utils::{
     field_elem_from_seed, projective_group_elem_from_try_and_incr,
 };
+use dock_crypto_utils::msm::variable_base_msm;
 use dock_crypto_utils::serde_utils::*;
 
 #[cfg(feature = "parallel")]
@@ -207,10 +208,7 @@ macro_rules! impl_sig_params {
                 blinding: &E::Fr,
             ) -> Result<E::$group_affine, BBSPlusError> {
                 #[cfg(feature = "parallel")]
-                let (mut bases, mut scalars): (
-                    Vec<E::$group_affine>,
-                    Vec<<<E as ark_ec::PairingEngine>::Fr as PrimeField>::BigInt>,
-                ) = {
+                let (mut bases, mut scalars): (Vec<E::$group_affine>, Vec<E::Fr>) = {
                     // Need to manually check that no message index exceeds the maximum number of messages allowed
                     // because this function can be called with only uncommitted messages; so size of BTreeMap is
                     // not representative of the number of messages
@@ -220,12 +218,12 @@ macro_rules! impl_sig_params {
                         }
                     }
                     cfg_into_iter!(messages)
-                        .map(|(i, msg)| (self.h[i].clone(), msg.into_repr()))
+                        .map(|(i, msg)| (self.h[i].clone(), *msg))
                         .unzip()
                 };
 
                 #[cfg(not(feature = "parallel"))]
-                let (mut bases, mut scalars) = {
+                let (mut bases, mut scalars): (Vec<E::$group_affine>, Vec<E::Fr>) = {
                     let mut bases = Vec::with_capacity(messages.len());
                     let mut scalars = Vec::with_capacity(messages.len());
                     for (i, msg) in messages.into_iter() {
@@ -234,14 +232,14 @@ macro_rules! impl_sig_params {
                             return Err(BBSPlusError::InvalidMessageIdx(i));
                         }
                         bases.push(self.h[i].clone());
-                        scalars.push(msg.into_repr());
+                        scalars.push(*msg);
                     }
                     (bases, scalars)
                 };
 
                 bases.push(self.h_0.clone());
-                scalars.push(blinding.into_repr());
-                Ok(VariableBaseMSM::multi_scalar_mul(&bases, &scalars).into_affine())
+                scalars.push(*blinding);
+                Ok(variable_base_msm(&bases, &scalars).into_affine())
             }
 
             /// Compute `b` from the paper (equivalently 'A*{e+x}').

bbs_plus/src/signature.rs

@@ -230,7 +230,7 @@ macro_rules! impl_signature_alg {
 
                 let e = E::Fr::rand(rng);
                 // 1/(e+x)
-                let e_plus_x_inv = (e + sk.0).inverse().unwrap();
+                let e_plus_x_inv = (e + sk.0).inverse().ok_or(BBSPlusError::CannotInvert0)?;
 
                 // {commitment + b} * {1/(e+x)}
                 let commitment_plus_b = b.add_mixed(commitment);

benches/Cargo.toml

@@ -6,9 +6,9 @@ authors.workspace = true
 license.workspace = true
 
 [dependencies]
-bbs_plus = { version = "0.8.0", default-features = false, path = "../bbs_plus" }
+bbs_plus = { version = "0.9.0", default-features = false, path = "../bbs_plus" }
 schnorr_pok = { version = "0.7.0", default-features = false, path = "../schnorr_pok" }
-vb_accumulator = { version = "0.9.0", default-features = false, path = "../vb_accumulator" }
+vb_accumulator = { version = "0.10.0", default-features = false, path = "../vb_accumulator" }
 test_utils = { version = "0.1.0", default-features = false, path = "../test_utils" }
 ark-ff.workspace = true
 ark-ec.workspace = true

benches/benches/schnorr_protocol.rs

@@ -1,5 +1,4 @@
 use ark_bls12_381::Bls12_381;
-use ark_ec::msm::VariableBaseMSM;
 use ark_ec::PairingEngine;
 use ark_ec::{AffineCurve, ProjectiveCurve};
 use ark_ff::PrimeField;
@@ -74,11 +73,7 @@ macro_rules! bench_vector {
                 .into_iter()
                 .map(|_| Fr::rand(&mut rng))
                 .collect::<Vec<_>>();
-            let y = VariableBaseMSM::multi_scalar_mul(
-                &bases,
-                &witnesses.iter().map(|w| w.into_repr()).collect::<Vec<_>>(),
-            )
-            .into_affine();
+            let y = variable_base_msm(&bases, &witnesses).into_affine();
             bases_vec.push(bases);
             witnesses_vec.push(witnesses);
             y_vec.push(y);

compressed_sigma/Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "compressed_sigma"
-version = "0.0.1"
+version = "0.0.2"
 edition.workspace = true
 authors.workspace = true
 license.workspace = true
@@ -15,7 +15,7 @@ ark-sponge = { version = "^0.3.0", default-features = false }
 ark-poly = { version = "^0.3.0", default-features = false }
 rayon = {workspace = true, optional = true}
 digest.workspace = true
-dock_crypto_utils = { version = "0.5.0", default-features = false, path = "../utils" }
+dock_crypto_utils = { version = "0.6.0", default-features = false, path = "../utils" }
 
 [dev-dependencies]
 blake2.workspace = true