Add keyed verification of weak-BB sig and reuse it in other crates an…

…d use CDH version of proving knowledge of weak-BB sig in set-membership and range proofs

Signed-off-by: lovesh <[email protected]>

bbs_plus/src/proof.rs

@@ -316,10 +316,7 @@ impl<E: Pairing> PoKOfSignatureG1Protocol<E> {
     }
 }
 
-impl<E> PoKOfSignatureG1Proof<E>
-where
-    E: Pairing,
-{
+impl<E: Pairing> PoKOfSignatureG1Proof<E> {
     /// Verify if the proof is valid. Assumes that the public key and parameters have been
     /// validated already.
     pub fn verify(

bbs_plus/src/proof_23.rs

@@ -36,6 +36,7 @@ use itertools::{multiunzip, MultiUnzip};
 
 use crate::setup::PreparedSignatureParams23G1;
 use dock_crypto_utils::{
+    expect_equality,
     extend_some::ExtendSome,
     misc::rand,
     randomized_pairing_check::RandomizedPairingChecker,
@@ -131,12 +132,11 @@ impl<E: Pairing> PoKOfSignature23G1Protocol<E> {
                 ),
             })
             .multiunzip();
-        if messages.len() != params.supported_message_count() {
-            Err(BBSPlusError::MessageCountIncompatibleWithSigParams(
-                messages.len(),
-                params.supported_message_count(),
-            ))?
-        }
+        expect_equality!(
+            messages.len(),
+            params.supported_message_count(),
+            BBSPlusError::MessageCountIncompatibleWithSigParams
+        );
 
         let signature_randomizer = signature_randomizer.unwrap_or_else(|| rand(rng));
         let blinding_for_known_message_commitment =
@@ -252,10 +252,7 @@ impl<E: Pairing> PoKOfSignature23G1Protocol<E> {
     }
 }
 
-impl<E> PoKOfSignature23G1Proof<E>
-where
-    E: Pairing,
-{
+impl<E: Pairing> PoKOfSignature23G1Proof<E> {
     /// Verify if the proof is valid. Assumes that the public key and parameters have been
     /// validated already.
     pub fn verify(

bbs_plus/src/proof_23_cdl.rs

@@ -262,10 +262,7 @@ impl<E: Pairing> PoKOfSignature23G1Protocol<E> {
     }
 }
 
-impl<E> PoKOfSignature23G1Proof<E>
-where
-    E: Pairing,
-{
+impl<E: Pairing> PoKOfSignature23G1Proof<E> {
     /// Verify if the proof is valid. Assumes that the public key and parameters have been
     /// validated already.
     pub fn verify(

bbs_plus/src/signature.rs

@@ -94,7 +94,7 @@ use crate::{
     prelude::PreparedSignatureParamsG1,
     setup::{PreparedPublicKeyG2, PublicKeyG1, SecretKey, SignatureParamsG1, SignatureParamsG2},
 };
-use dock_crypto_utils::{serde_utils::*, signature::MultiMessageSignatureParams};
+use dock_crypto_utils::{expect_equality, serde_utils::*, signature::MultiMessageSignatureParams};
 use serde::{Deserialize, Serialize};
 use serde_with::serde_as;
 use zeroize::{Zeroize, ZeroizeOnDrop};
@@ -143,12 +143,11 @@ macro_rules! impl_signature_alg {
                 if messages.is_empty() {
                     return Err(BBSPlusError::NoMessageToSign);
                 }
-                if messages.len() != params.supported_message_count() {
-                    return Err(BBSPlusError::MessageCountIncompatibleWithSigParams(
-                        messages.len(),
-                        params.supported_message_count(),
-                    ));
-                }
+                expect_equality!(
+                    messages.len(),
+                    params.supported_message_count(),
+                    BBSPlusError::MessageCountIncompatibleWithSigParams
+                );
                 // Create map of msg index (0-based) -> message
                 let msg_map: BTreeMap<usize, &E::ScalarField> =
                     messages.iter().enumerate().map(|(i, e)| (i, e)).collect();
@@ -235,12 +234,11 @@ macro_rules! impl_signature_alg {
                 if messages.is_empty() {
                     return Err(BBSPlusError::NoMessageToSign);
                 }
-                if messages.len() != params.supported_message_count() {
-                    return Err(BBSPlusError::MessageCountIncompatibleWithSigParams(
-                        messages.len(),
-                        params.supported_message_count(),
-                    ));
-                }
+                expect_equality!(
+                    messages.len(),
+                    params.supported_message_count(),
+                    BBSPlusError::MessageCountIncompatibleWithSigParams
+                );
                 if !self.is_non_zero() {
                     return Err(BBSPlusError::ZeroSignature);
                 }

bbs_plus/src/signature_23.rs

@@ -10,7 +10,7 @@ use ark_serialize::{CanonicalDeserialize, CanonicalSerialize};
 use ark_std::{
     collections::BTreeMap, fmt::Debug, ops::Mul, rand::RngCore, vec::Vec, UniformRand, Zero,
 };
-use dock_crypto_utils::{serde_utils::*, signature::MultiMessageSignatureParams};
+use dock_crypto_utils::{expect_equality, serde_utils::*, signature::MultiMessageSignatureParams};
 use serde::{Deserialize, Serialize};
 use serde_with::serde_as;
 use zeroize::{Zeroize, ZeroizeOnDrop};
@@ -47,12 +47,11 @@ impl<E: Pairing> Signature23G1<E> {
         if messages.is_empty() {
             return Err(BBSPlusError::NoMessageToSign);
         }
-        if messages.len() != params.supported_message_count() {
-            return Err(BBSPlusError::MessageCountIncompatibleWithSigParams(
-                messages.len(),
-                params.supported_message_count(),
-            ));
-        }
+        expect_equality!(
+            messages.len(),
+            params.supported_message_count(),
+            BBSPlusError::MessageCountIncompatibleWithSigParams
+        );
         // Create map of msg index (0-based) -> message
         let msg_map: BTreeMap<usize, &E::ScalarField> =
             messages.iter().enumerate().map(|(i, e)| (i, e)).collect();
@@ -122,12 +121,11 @@ impl<E: Pairing> Signature23G1<E> {
         if messages.is_empty() {
             return Err(BBSPlusError::NoMessageToSign);
         }
-        if messages.len() != params.supported_message_count() {
-            return Err(BBSPlusError::MessageCountIncompatibleWithSigParams(
-                messages.len(),
-                params.supported_message_count(),
-            ));
-        }
+        expect_equality!(
+            messages.len(),
+            params.supported_message_count(),
+            BBSPlusError::MessageCountIncompatibleWithSigParams
+        );
         if !self.is_non_zero() {
             return Err(BBSPlusError::ZeroSignature);
         }

bbs_plus/src/threshold/cointoss.rs

@@ -11,6 +11,7 @@ use oblivious_transfer_protocols::ParticipantId;
 
 use crate::error::BBSPlusError;
 
+use dock_crypto_utils::expect_equality;
 #[cfg(feature = "parallel")]
 use rayon::prelude::*;
 
@@ -77,12 +78,11 @@ impl<F: PrimeField, const SALT_SIZE: usize> Party<F, SALT_SIZE> {
                 sender_id,
             ));
         }
-        if self.own_shares_and_salts.len() != commitments.0.len() {
-            return Err(BBSPlusError::IncorrectNoOfCommitments(
-                self.own_shares_and_salts.len(),
-                commitments.0.len(),
-            ));
-        }
+        expect_equality!(
+            self.own_shares_and_salts.len(),
+            commitments.0.len(),
+            BBSPlusError::IncorrectNoOfCommitments
+        );
         self.other_commitments.insert(sender_id, commitments);
         Ok(())
     }
@@ -103,12 +103,11 @@ impl<F: PrimeField, const SALT_SIZE: usize> Party<F, SALT_SIZE> {
         if self.other_shares.contains_key(&sender_id) {
             return Err(BBSPlusError::AlreadyHaveSharesFromParticipant(sender_id));
         }
-        if self.own_shares_and_salts.len() != shares_and_salts.len() {
-            return Err(BBSPlusError::IncorrectNoOfShares(
-                self.own_shares_and_salts.len(),
-                shares_and_salts.len(),
-            ));
-        }
+        expect_equality!(
+            self.own_shares_and_salts.len(),
+            shares_and_salts.len(),
+            BBSPlusError::IncorrectNoOfShares
+        );
         let expected_commitments = Self::compute_commitments(&shares_and_salts, &self.protocol_id);
         if expected_commitments != self.other_commitments.get(&sender_id).unwrap().0 {
             return Err(BBSPlusError::IncorrectCommitment);

bbs_plus/src/threshold/threshold_bbs.rs

@@ -10,6 +10,7 @@ use ark_std::{
     vec::Vec,
 };
 use digest::DynDigest;
+use dock_crypto_utils::expect_equality;
 
 use crate::{
     error::BBSPlusError, setup::SignatureParams23G1, signature_23::Signature23G1,
@@ -111,12 +112,11 @@ impl<E: Pairing> BBSSignatureShare<E> {
         if messages.is_empty() {
             return Err(BBSPlusError::NoMessageToSign);
         }
-        if messages.len() != sig_params.supported_message_count() {
-            return Err(BBSPlusError::MessageCountIncompatibleWithSigParams(
-                messages.len(),
-                sig_params.supported_message_count(),
-            ));
-        }
+        expect_equality!(
+            messages.len(),
+            sig_params.supported_message_count(),
+            BBSPlusError::MessageCountIncompatibleWithSigParams
+        );
         // Create map of msg index (0-based) -> message
         let msg_map: BTreeMap<usize, &E::ScalarField> =
             messages.iter().enumerate().map(|(i, e)| (i, e)).collect();

bbs_plus/src/threshold/threshold_bbs_plus.rs

@@ -9,6 +9,7 @@ use ark_std::{
     vec::Vec,
 };
 use digest::DynDigest;
+use dock_crypto_utils::expect_equality;
 use oblivious_transfer_protocols::ParticipantId;
 
 use super::{multiplication_phase::Phase2Output, utils::compute_R_and_u};
@@ -115,12 +116,11 @@ impl<E: Pairing> BBSPlusSignatureShare<E> {
         if messages.is_empty() {
             return Err(BBSPlusError::NoMessageToSign);
         }
-        if messages.len() != sig_params.supported_message_count() {
-            return Err(BBSPlusError::MessageCountIncompatibleWithSigParams(
-                messages.len(),
-                sig_params.supported_message_count(),
-            ));
-        }
+        expect_equality!(
+            messages.len(),
+            sig_params.supported_message_count(),
+            BBSPlusError::MessageCountIncompatibleWithSigParams
+        );
         // Create map of msg index (0-based) -> message
         let msg_map: BTreeMap<usize, &E::ScalarField> =
             messages.iter().enumerate().map(|(i, e)| (i, e)).collect();

kvac/src/bddt_2016/mac.rs

@@ -9,7 +9,9 @@ use ark_ff::{Field, Zero};
 use ark_serialize::{CanonicalDeserialize, CanonicalSerialize};
 use ark_std::{collections::BTreeMap, ops::Neg, rand::RngCore, vec, vec::Vec, UniformRand};
 use digest::Digest;
-use dock_crypto_utils::{serde_utils::ArkObjectBytes, signature::MultiMessageSignatureParams};
+use dock_crypto_utils::{
+    expect_equality, serde_utils::ArkObjectBytes, signature::MultiMessageSignatureParams,
+};
 use schnorr_pok::{
     compute_random_oracle_challenge,
     discrete_log::{PokDiscreteLog, PokDiscreteLogProtocol},
@@ -66,12 +68,11 @@ impl<G: AffineRepr> MAC<G> {
         if messages.is_empty() {
             return Err(KVACError::NoMessageGiven);
         }
-        if messages.len() != params.supported_message_count() {
-            return Err(KVACError::MessageCountIncompatibleWithMACParams(
-                messages.len(),
-                params.supported_message_count(),
-            ));
-        }
+        expect_equality!(
+            messages.len(),
+            params.supported_message_count(),
+            KVACError::MessageCountIncompatibleWithMACParams
+        );
         let s = G::ScalarField::rand(rng);
         let mut e = G::ScalarField::rand(rng);
         while (e + secret_key.0).is_zero() {
@@ -140,12 +141,11 @@ impl<G: AffineRepr> MAC<G> {
         if messages.is_empty() {
             return Err(KVACError::NoMessageGiven);
         }
-        if messages.len() != params.supported_message_count() {
-            return Err(KVACError::MessageCountIncompatibleWithMACParams(
-                messages.len(),
-                params.supported_message_count(),
-            ));
-        }
+        expect_equality!(
+            messages.len(),
+            params.supported_message_count(),
+            KVACError::MessageCountIncompatibleWithMACParams
+        );
         let b = params.b(messages.iter().enumerate(), &self.s)?;
         let e_plus_x_inv = (self.e + sk.0).inverse().ok_or(KVACError::CannotInvert0)?;
         if (b * e_plus_x_inv).into_affine() != self.A {

proof_system/src/sub_protocols/accumulator/cdh.rs

@@ -82,7 +82,7 @@ macro_rules! impl_cdh_protocol_struct_and_funcs {
                     rng,
                     witness.element,
                     blinding,
-                    self.accumulator_value,
+                    &self.accumulator_value,
                     &witness.witness,
                 ));
                 Ok(())
@@ -100,7 +100,7 @@ macro_rules! impl_cdh_protocol_struct_and_funcs {
                 self.protocol
                     .as_ref()
                     .unwrap()
-                    .challenge_contribution(self.accumulator_value, writer)?;
+                    .challenge_contribution(&self.accumulator_value, writer)?;
                 Ok(())
             }
 
@@ -128,13 +128,13 @@ macro_rules! impl_cdh_protocol_struct_and_funcs {
             ) -> Result<(), ProofSystemError> {
                 match pairing_checker {
                     Some(c) => proof.verify_with_randomized_pairing_checker(
-                        self.accumulator_value,
+                        &self.accumulator_value,
                         challenge,
                         pk,
                         params,
                         c,
                     ),
-                    None => proof.verify(self.accumulator_value, challenge, pk, params),
+                    None => proof.verify(&self.accumulator_value, challenge, pk, params),
                 }
                 .map_err(|e| ProofSystemError::$error_type(self.id as u32, e))
             }
@@ -328,7 +328,7 @@ impl<'a, E: Pairing> KBPositiveAccumulatorMembershipCDHSubProtocol<'a, E> {
             witness.element,
             blinding,
             &witness.witness,
-            self.accumulator_value,
+            &self.accumulator_value,
             self.public_key,
             self.params,
             self.proving_key,
@@ -344,7 +344,7 @@ impl<'a, E: Pairing> KBPositiveAccumulatorMembershipCDHSubProtocol<'a, E> {
             ));
         }
         self.protocol.as_ref().unwrap().challenge_contribution(
-            self.accumulator_value,
+            &self.accumulator_value,
             self.public_key,
             self.params,
             self.proving_key,
@@ -377,15 +377,15 @@ impl<'a, E: Pairing> KBPositiveAccumulatorMembershipCDHSubProtocol<'a, E> {
     ) -> Result<(), ProofSystemError> {
         match pairing_checker {
             Some(c) => proof.verify_with_randomized_pairing_checker(
-                self.accumulator_value,
+                &self.accumulator_value,
                 challenge,
                 pk,
                 params,
                 self.proving_key,
                 c,
             ),
             None => proof.verify(
-                self.accumulator_value,
+                &self.accumulator_value,
                 challenge,
                 pk,
                 params,

proof_system/src/sub_protocols/bound_check_legogroth16.rs

@@ -335,11 +335,9 @@ impl<ConstraintF: PrimeField> ConstraintSynthesizer<ConstraintF>
 
 /// Generate SNARK proving key and verification key for a circuit that checks that given a witness
 /// `w` and public inputs `min` and `max`, `min <= w < max`
-pub fn generate_snark_srs_bound_check<E, R>(rng: &mut R) -> Result<ProvingKey<E>, ProofSystemError>
-where
-    E: Pairing,
-    R: Rng,
-{
+pub fn generate_snark_srs_bound_check<E: Pairing, R: Rng>(
+    rng: &mut R,
+) -> Result<ProvingKey<E>, ProofSystemError> {
     let circuit = BoundCheckCircuit::<E::ScalarField> {
         min: None,
         max: None,