Add docs and support for 16 bit chunks in SAVER

Signed-off-by: lovesh <lovesh.bond@gmail.com>

Author: lovesh

bbs_plus/src/proof.rs

@@ -1,5 +1,5 @@
 //! Proof of knowledge of the signature and corresponding messages as per section 4.5 of the paper
-//! https://eprint.iacr.org/2016/663.pdf
+//! <https://eprint.iacr.org/2016/663.pdf>
 //! # Examples
 //!
 //! Creating proof of knowledge of signature and verifying it:

bbs_plus/src/setup.rs

@@ -110,15 +110,16 @@ macro_rules! impl_sig_params {
             /// Generate params by hashing a known string. The hash function is vulnerable to timing
             /// attack but since all this is public knowledge, it is fine.
             /// This is useful if people need to be convinced that the discrete log of group elements wrt each other is not known.
-            pub fn new<D: Digest>(label: &[u8], n: usize) -> Self {
-                // Need n+2 elements of signature group and 1 element of other group
-                let mut sig_group_elems = Vec::with_capacity(n + 2);
+            pub fn new<D: Digest>(label: &[u8], message_count: usize) -> Self {
+                assert_ne!(message_count, 0);
+                // Need message_count+2 elements of signature group and 1 element of other group
+                let mut sig_group_elems = Vec::with_capacity(message_count + 2);
                 // Group element by hashing `label`||`g1` as string.
                 let g1 = projective_group_elem_from_try_and_incr::<E::$group_affine, D>(
                     &to_bytes![label, " : g1".as_bytes()].unwrap(),
                 );
-                // h_0 and h[i] for i in 1 to n
-                let mut h = cfg_into_iter!((0..=n))
+                // h_0 and h[i] for i in 1 to message_count
+                let mut h = cfg_into_iter!((0..=message_count))
                     .map(|i| {
                         projective_group_elem_from_try_and_incr::<E::$group_affine, D>(
                             &to_bytes![label, " : h_".as_bytes(), i as u64].unwrap(),
@@ -148,11 +149,12 @@ macro_rules! impl_sig_params {
             }
 
             /// Generate params using a random number generator
-            pub fn generate_using_rng<R>(rng: &mut R, n: usize) -> Self
+            pub fn generate_using_rng<R>(rng: &mut R, message_count: usize) -> Self
             where
                 R: RngCore,
             {
-                let h = (0..n)
+                assert_ne!(message_count, 0);
+                let h = (0..message_count)
                     .into_iter()
                     .map(|_| E::$group_projective::rand(rng))
                     .collect::<Vec<E::$group_projective>>();

benches/Cargo.toml

@@ -14,6 +14,9 @@ ark-ff = { version = "^0.3.0", default-features = false }
 ark-ec = { version = "^0.3.0", default-features = false }
 ark-std = { version = "^0.3.0", default-features = false }
 ark-bls12-381 = { version = "^0.3.0", default-features = false, features = [ "curve" ] }
+serde = { version = "1.0", default-features = false, features = ["derive"] }
+serde_with = { version = "1.10.0", default-features = false, features = ["macros"] }
+dock_crypto_utils = { default-features = false, path = "../utils" }
 
 [dev-dependencies]
 criterion = "0.3"

benches/benches/schnorr_protocol.rs

@@ -1,4 +1,5 @@
 use ark_bls12_381::Bls12_381;
+use ark_ec::msm::VariableBaseMSM;
 use ark_ec::PairingEngine;
 use ark_ec::{AffineCurve, ProjectiveCurve};
 use ark_ff::PrimeField;
@@ -8,12 +9,13 @@ use ark_std::{
     rand::{rngs::StdRng, SeedableRng},
     UniformRand,
 };
+use criterion::{black_box, criterion_group, criterion_main, BenchmarkId, Criterion};
+use dock_crypto_utils::serde_utils::*;
 use schnorr_pok::{
     error::SchnorrError, impl_proof_of_knowledge_of_discrete_log, SchnorrCommitment,
 };
-
-use ark_ec::msm::VariableBaseMSM;
-use criterion::{black_box, criterion_group, criterion_main, BenchmarkId, Criterion};
+use serde::{Deserialize, Serialize};
+use serde_with::serde_as;
 
 type Fr = <Bls12_381 as PairingEngine>::Fr;
 

proof_system/Cargo.toml

@@ -32,7 +32,7 @@ ark-relations = { version = "^0.3.0", default-features = false }
 [dependencies.legogroth16]
 git = "https://github.com/lovesh/legogro16"
 #branch = "comm-wit"
-rev = '00dfaf6e75464b8a246db7912eeb48070d10e067'
+rev = '5bc5e4af466c1bb84a636e18002dcffeeb0d1899'
 default-features = false
 
 [dev-dependencies]

proof_system/src/derived_params.rs

@@ -1,5 +1,7 @@
-//! Parameters derived from parameters during proof generation and verification. Used to prevent repeatedly creating these parameters.
-use crate::prelude::bound_check::BoundCheckProtocol;
+//! Parameters derived from other parameters during proof generation and verification. Used to prevent repeatedly
+//! creating these parameters.
+
+use crate::sub_protocols::bound_check_legogroth16::BoundCheckProtocol;
 use crate::sub_protocols::saver::SaverProtocol;
 use ark_ec::PairingEngine;
 use ark_std::{collections::BTreeMap, marker::PhantomData, vec, vec::Vec};
@@ -14,17 +16,23 @@ use saver::saver_groth16::{
     PreparedVerifyingKey as SaverPreparedVerifyingKey, VerifyingKey as SaverVerifyingKey,
 };
 
+/// Allows creating a new derived parameter from reference to original parameter
 pub trait DerivedParams<'a, Ref, DP> {
     fn new_derived(orig: &Ref) -> DP;
 }
 
 pub struct DerivedParamsTracker<'a, Ref: PartialEq, DP, E> {
+    /// References to the original parameter to which the derivation is applied
     origs_ref: Vec<&'a Ref>,
+    /// The newly created derived param. The key in the map is reference to the original parameter and serves
+    /// as a unique identifier for the derived param.
     derived_params: BTreeMap<usize, DP>,
+    /// Maps a statement identifier to a derived parameter identifier.
     derived_params_for_statement: BTreeMap<usize, usize>,
     phantom: PhantomData<E>,
 }
 
+/// Maps statement identifiers to derived params
 pub struct StatementDerivedParams<DP> {
     derived_params: BTreeMap<usize, DP>,
     derived_params_for_statement: BTreeMap<usize, usize>,
@@ -42,11 +50,14 @@ where
             phantom: PhantomData,
         }
     }
+
     pub fn find(&self, orig: &Ref) -> Option<usize> {
         self.origs_ref.iter().position(|v: &&Ref| **v == *orig)
     }
 
-    pub fn update_for_orig(&mut self, orig: &'a Ref, s_idx: usize) {
+    /// Creates a new derived param for the statement index if need be else store the reference to
+    /// old parameter.
+    pub fn on_new_statement_idx(&mut self, orig: &'a Ref, s_idx: usize) {
         if let Some(k) = self.find(orig) {
             self.derived_params_for_statement.insert(s_idx, k);
         } else {
@@ -58,6 +69,7 @@ where
         }
     }
 
+    /// Finished tracking derived params, return map of statement to derived params
     pub fn finish(self) -> StatementDerivedParams<DP> {
         StatementDerivedParams {
             derived_params: self.derived_params,

proof_system/src/lib.rs

@@ -5,13 +5,30 @@
 //! The idea is to represent each relation to be proved as a [`Statement`], and any relations between
 //! [`Statement`]s as a [`MetaStatement`]. Both of these types contain public (known to both prover
 //! and verifier) information and are contained in a [`ProofSpec`] whose goal is to unambiguously
-//! define what needs to be proven. The prover then uses a [`Witness`] per [`Statement`] and creates a
-//! [`StatementProof`] per [`Statement`]. All [`StatementProof`]s are grouped together in a [`Proof`]
-//! and the verifier then uses the [`ProofSpec`] and [`Proof`] to verify the proof. Currently it is
+//! define what needs to be proven. Some [`Statement`]s are specific to either the prover or the verifier
+//! as those protocols require prover and verifier to use different public parameters. An example is Groth16
+//! based SNARK protocols where the prover needs to have a proving key and the verifier needs to
+//! have a verifying key. Both the prover and verifier can know both the proving and verifying key but
+//! they don't need to thus for such protocols, there are different [`Statement`]s for prover and verifier,
+//! like [`SaverProver`] and [`SaverVerifier`] are statements for prover and verifier respectively,
+//! executing SAVER protocol.
+//! Several [`Statement`]s might need same public parameters like proving knowledge of several BBS+
+//! from the same signer, or verifiable encryption of several messages for the same decryptor. Its not
+//! very efficient to pass the same parameters to each [`Statement`] especially when using this code's WASM
+//! bindings as the same values will be serialized and deserialized every time. To avoid this, caller can
+//! put all such public parameters as [`SetupParams`] in an array and then reference those by their index
+//! while creating an [`Statement`]. This array of [`SetupParams`] is then included in the [`ProofSpec`]
+//! and used by the prover and verifier during proof creation and verification respectively.
+//!
+//! After creating the [`ProofSpec`], the prover uses a [`Witness`] per [`Statement`] and creates a
+//! corresponding [`StatementProof`]. All [`StatementProof`]s are grouped together in a [`Proof`].
+//! The verifier also creates its [`ProofSpec`] and uses it to verify the given proof. Currently it is
 //! assumed that there is one [`StatementProof`] per [`Statement`] and one [`Witness`] per [`Statement`]
 //! and [`StatementProof`]s appear in the same order in [`Proof`] as [`Statement`]s do in [`ProofSpec`].
+//!
 //! [`Statement`], [`Witness`] and [`StatementProof`] are enums whose variants will be entities from different
-//! protocols. Each of these protocols are variants of the enum [`SubProtocol`].
+//! protocols. Each of these protocols are variants of the enum [`SubProtocol`]. [`SubProtocol`]s can internally
+//! call other [`SubProtocol`]s, eg [`SaverProtocol`] invokes several [`SchnorrProtocol`]s
 //!
 //! Currently supports
 //! - proof of knowledge of a BBS+ signature and signed messages
@@ -38,18 +55,29 @@
 //!   message satisfies some upper and lower bounds i.e. min <= signed message <= max. This is a range proof.
 //! - test `pok_of_bbs_plus_sig_and_verifiable_encryption` shows how to verifiably encrypt a message signed with BBS+ such
 //!   that the verifier cannot decrypt it but still ensure that it is encrypted correctly for the specified decryptor.
+//! - test `pok_of_bbs_plus_sig_with_reusing_setup_params` shows proving knowledge of several BBS+ signatures
+//!   using [`SetupParams`]s. Here the same signers are used in multiple signatures thus their public params
+//!   can be put as a variant of enum [`SetupParams`]. Similarly test
+//!   `pok_of_knowledge_in_pedersen_commitment_and_equality_with_commitment_key_reuse` shows use of [`SetupParams`]
+//!   when the same commitment key is reused in several commitments and test `pok_of_bbs_plus_sig_and_verifiable_encryption_of_many_messages`
+//!   shows use of [`SetupParams`] when several messages are used in verifiable encryption for the same decryptor.
 //!
 //! *Note*: This design is largely inspired from my work at Hyperledger Ursa.
 //!
 //! *Note*: The design is tentative and will likely change as more protocols are integrated.
 //!
 //! [`Statement`]: crate::statement::Statement
 //! [`MetaStatement`]: crate::meta_statement::MetaStatement
+//! [`SaverProver`]: crate::statement::saver::SaverProver
+//! [`SaverVerifier`]: crate::statement::saver::SaverVerifier
+//! [`SetupParams`]: crate::setup_params::SetupParams
 //! [`ProofSpec`]: crate::proof_spec::ProofSpec
 //! [`Witness`]: crate::witness::Witness
 //! [`StatementProof`]: crate::statement_proof::StatementProof
 //! [`Proof`]: crate::proof::Proof
 //! [`SubProtocol`]: crate::sub_protocols::SubProtocol
+//! [`SaverProtocol`]: crate::sub_protocols::saver::SaverProtocol
+//! [`SchnorrProtocol`]: crate::sub_protocols::schnorr::SchnorrProtocol
 
 extern crate core;
 
@@ -75,6 +103,6 @@ pub mod prelude {
     pub use crate::setup_params::*;
     pub use crate::statement::*;
     pub use crate::statement_proof::*;
-    pub use crate::sub_protocols::*;
+    pub use crate::sub_protocols::bound_check_legogroth16::generate_snark_srs_bound_check;
     pub use crate::witness::*;
 }

proof_system/src/meta_statement.rs

@@ -1,3 +1,5 @@
+//! Used to express relation between `Statement`s
+
 use ark_serialize::{CanonicalDeserialize, CanonicalSerialize, SerializationError};
 use ark_std::{
     collections::BTreeSet,

proof_system/src/proof.rs

@@ -25,7 +25,7 @@ use crate::sub_protocols::accumulator::{
     AccumulatorMembershipSubProtocol, AccumulatorNonMembershipSubProtocol,
 };
 use crate::sub_protocols::bbs_plus::PoKBBSSigG1SubProtocol;
-use crate::sub_protocols::bound_check::BoundCheckProtocol;
+use crate::sub_protocols::bound_check_legogroth16::BoundCheckProtocol;
 use crate::sub_protocols::saver::SaverProtocol;
 use crate::sub_protocols::schnorr::SchnorrProtocol;
 use dock_crypto_utils::hashing_utils::field_elem_from_try_and_incr;
@@ -91,7 +91,7 @@ where
             }
         }
 
-        // Prepare commitment keys for running Schnorr protocol
+        // Prepare commitment keys for running Schnorr protocols of all statements.
         let (bound_check_comm, ek_comm, chunked_comm) = proof_spec.derive_commitment_keys()?;
 
         let mut sub_protocols =
@@ -277,6 +277,7 @@ where
         if let Some(ctx) = &proof_spec.context {
             challenge_bytes.extend_from_slice(ctx);
         }
+
         // Get each sub-protocol's challenge contribution
         for p in sub_protocols.iter() {
             p.challenge_contribution(&mut challenge_bytes)?;
@@ -312,7 +313,9 @@ where
             ));
         }
 
+        // Prepare commitment keys for running Schnorr protocols of all statements.
         let (bound_check_comm, ek_comm, chunked_comm) = proof_spec.derive_commitment_keys()?;
+        // Prepared required parameters for pairings
         let (derived_lego_vk, derived_gens, derived_ek, derived_saver_vk) =
             proof_spec.derive_prepared_parameters()?;
 

proof_system/src/proof_spec.rs

@@ -81,7 +81,8 @@ where
     }
 
     /// Derive commitment keys for Schnorr protocol from public params. This is done to avoid
-    /// creating them if the same public params are used in multiple statements.
+    /// creating them if the same public params are used in multiple statements and is effectively a
+    /// pre-processing step done for optimization.
     pub fn derive_commitment_keys(
         &self,
     ) -> Result<
@@ -136,8 +137,9 @@ where
                         _ => panic!("This should never happen"),
                     };
 
-                    derived_ek_comm.update_for_orig(enc_key, s_idx);
-                    derived_chunked_comm.update_for_orig(tuple_map.get(&s_idx).unwrap(), s_idx);
+                    derived_ek_comm.on_new_statement_idx(enc_key, s_idx);
+                    derived_chunked_comm
+                        .on_new_statement_idx(tuple_map.get(&s_idx).unwrap(), s_idx);
                 }
                 Statement::BoundCheckLegoGroth16Prover(_)
                 | Statement::BoundCheckLegoGroth16Verifier(_) => {
@@ -150,7 +152,7 @@ where
                         }
                         _ => panic!("This should never happen"),
                     };
-                    derived_bound_check_comm.update_for_orig(verifying_key, s_idx);
+                    derived_bound_check_comm.on_new_statement_idx(verifying_key, s_idx);
                 }
                 _ => (),
             }
@@ -163,7 +165,7 @@ where
     }
 
     /// Derive prepared keys for performing pairings. This is done to avoid preparing the same
-    /// parameters again.
+    /// parameters again and is effectively a pre-processing step done for optimization.
     pub fn derive_prepared_parameters(
         &self,
     ) -> Result<
@@ -188,17 +190,17 @@ where
             match statement {
                 Statement::SaverVerifier(s) => {
                     let gens = s.get_encryption_gens(&self.setup_params, s_idx)?;
-                    derived_gens.update_for_orig(gens, s_idx);
+                    derived_gens.on_new_statement_idx(gens, s_idx);
 
                     let enc_key = s.get_encryption_key(&self.setup_params, s_idx)?;
-                    derived_ek.update_for_orig(enc_key, s_idx);
+                    derived_ek.on_new_statement_idx(enc_key, s_idx);
 
                     let verifying_key = s.get_snark_verifying_key(&self.setup_params, s_idx)?;
-                    derived_saver_vk.update_for_orig(verifying_key, s_idx);
+                    derived_saver_vk.on_new_statement_idx(verifying_key, s_idx);
                 }
                 Statement::BoundCheckLegoGroth16Verifier(s) => {
                     let verifying_key = s.get_verifying_key(&self.setup_params, s_idx)?;
-                    derived_lego_vk.update_for_orig(verifying_key, s_idx);
+                    derived_lego_vk.on_new_statement_idx(verifying_key, s_idx);
                 }
                 _ => (),
             }