Adding vector sizes into transcript, inner product domain separator m…

…oved up
firoorg · Apr 13, 2021 · c1a84ce · c1a84ce
1 parent 905dee5
commit c1a84ce
Show file tree

Hide file tree

Showing 11 changed files with 71 additions and 65 deletions.
diff --git a/src/lelantus.cpp b/src/lelantus.cpp
@@ -109,9 +109,9 @@ void GenerateMintSchnorrProof(const lelantus::PrivateCoin& coin, CDataStream&  s
     unique_ptr<ChallengeGenerator> challengeGenerator;
     if (afterFixes) {
         // start to use CHash256 which is more secure
-        challengeGenerator = std::make_unique<ChallengeGeneratorImpl<CHash256>>();
+        challengeGenerator = std::make_unique<ChallengeGeneratorImpl<CHash256>>(1);
     }  else {
-        challengeGenerator = std::make_unique<ChallengeGeneratorImpl<CSHA256>>();
+        challengeGenerator = std::make_unique<ChallengeGeneratorImpl<CSHA256>>(0);
     }
 
     // commit (G^s*H1^v*H2^r), comm (G^s*H2^r), and H1^v are used in challenge generation if nLelantusFixesStartBlock is passed
@@ -132,9 +132,9 @@ bool VerifyMintSchnorrProof(const uint64_t& v, const secp_primitives::GroupEleme
     unique_ptr<ChallengeGenerator> challengeGenerator;
     if (afterFixes) {
         // start to use CHash256 which is more secure
-        challengeGenerator = std::make_unique<ChallengeGeneratorImpl<CHash256>>();
+        challengeGenerator = std::make_unique<ChallengeGeneratorImpl<CHash256>>(1);
     }  else {
-        challengeGenerator = std::make_unique<ChallengeGeneratorImpl<CSHA256>>();
+        challengeGenerator = std::make_unique<ChallengeGeneratorImpl<CSHA256>>(0);
     }
 
     // commit (G^s*H1^v*H2^r), comm (G^s*H2^r), and H1^v are used in challenge generation if nLelantusFixesStartBlock is passed

diff --git a/src/liblelantus/challenge_generator_impl.h b/src/liblelantus/challenge_generator_impl.h
@@ -5,7 +5,7 @@
 #include <secp256k1/include/GroupElement.h>
 #include "../../crypto/sha256.h"
 #include "challenge_generator.h"
-
+#include <iostream>
 namespace lelantus {
 
 using namespace secp_primitives;
@@ -14,7 +14,8 @@ template <class Hasher>
 class ChallengeGeneratorImpl : public ChallengeGenerator {
 
 public:
-    ChallengeGeneratorImpl() {
+    ChallengeGeneratorImpl(int version_ = 0) {
+        version = version_;
         data.resize(GroupElement::serialize_size);
         scalar_data.resize(32);
     }
@@ -25,6 +26,7 @@ class ChallengeGeneratorImpl : public ChallengeGenerator {
     }
 
     void add(const std::vector<GroupElement>& group_elements) {
+        addSize(group_elements.size());
         for (size_t i = 0; i < group_elements.size(); ++i) {
             add(group_elements[i]);
         }
@@ -36,6 +38,7 @@ class ChallengeGeneratorImpl : public ChallengeGenerator {
     }
 
     void add(const std::vector<Scalar>& scalars) {
+        addSize(scalars.size());
         for (size_t i = 0; i < scalars.size(); ++i) {
             add(scalars[i]);
         }
@@ -57,6 +60,14 @@ class ChallengeGeneratorImpl : public ChallengeGenerator {
     }
 
 private:
+    void addSize(uint32_t size) {
+        if (version >= 1) {
+            std::string s = std::to_string(size);
+            hash.Write((const unsigned char*)s.c_str(), s.size());
+        }
+    }
+private:
+    int version;
     Hasher hash;
     std::vector<unsigned char> data;
     std::vector<unsigned char> scalar_data;

diff --git a/src/liblelantus/innerproduct_proof_generator.cpp b/src/liblelantus/innerproduct_proof_generator.cpp
@@ -79,13 +79,8 @@ void InnerProductProofGenerator::generate_proof_util(
 
     // if(version_ >= 2) we should be using CHash256,
     // we want to link transcripts from previous iteration in each step, so we are not restarting in that case,
-    if (version_ >= 2) {
-        // add domain separator in each step
-        std::string domain_separator = "INNER_PRODUCT";
-        std::vector<unsigned char> pre(domain_separator.begin(), domain_separator.end());
-        challengeGenerator->add(pre);
-    } else {
-        challengeGenerator.reset(new ChallengeGeneratorImpl<CSHA256>());
+    if (version_ < 2) {
+      challengeGenerator.reset(new ChallengeGeneratorImpl<CSHA256>(0));
     }
     challengeGenerator->add(group_elements);
     challengeGenerator->get_challenge(x);

diff --git a/src/liblelantus/innerproduct_proof_verifier.cpp b/src/liblelantus/innerproduct_proof_verifier.cpp
@@ -45,13 +45,8 @@ bool InnerProductProofVerifier::verify_util(
 
     // if(version >= 2) we should be using CHash256,
     // we want to link transcripts from previous iteration in each step, so we are not restarting in that case,
-    if (version_ >= 2) {
-        // add domain separator in each step
-        std::string domain_separator = "INNER_PRODUCT";
-        std::vector<unsigned char> pre(domain_separator.begin(), domain_separator.end());
-        challengeGenerator->add(pre);
-    } else {
-        challengeGenerator.reset(new ChallengeGeneratorImpl<CSHA256>());
+    if (version_ < 2) {
+        challengeGenerator.reset(new ChallengeGeneratorImpl<CSHA256>(0));
     }
     challengeGenerator->add(group_elements);
     challengeGenerator->get_challenge(x);
@@ -86,13 +81,8 @@ bool InnerProductProofVerifier::verify_fast_util(
 
         // if(version_ >= 2) we should be using CHash256,
         // we want to link transcripts from previous iteration in each step, so we are not restarting in that case,
-        if (version_ >= 2) {
-            // add domain separator in each step
-            std::string domain_separator = "INNER_PRODUCT";
-            std::vector<unsigned char> pre(domain_separator.begin(), domain_separator.end());
-            challengeGenerator->add(pre);
-        } else {
-            challengeGenerator.reset(new ChallengeGeneratorImpl<CSHA256>());
+        if (version_ < 2) {
+            challengeGenerator.reset(new ChallengeGeneratorImpl<CSHA256>(0));
         }
         challengeGenerator->add(group_elements);
         challengeGenerator->get_challenge(x_j[i]);

diff --git a/src/liblelantus/lelantus_primitives.cpp b/src/liblelantus/lelantus_primitives.cpp
@@ -14,11 +14,11 @@ void LelantusPrimitives::generate_challenge(
 
     std::unique_ptr<ChallengeGenerator> challengeGenerator;
     if (domain_separator != "") {
-        challengeGenerator = std::make_unique<ChallengeGeneratorImpl<CHash256>>();
+        challengeGenerator = std::make_unique<ChallengeGeneratorImpl<CHash256>>(1);
         std::vector<unsigned char> pre(domain_separator.begin(), domain_separator.end());
         challengeGenerator->add(pre);
     } else {
-        challengeGenerator = std::make_unique<ChallengeGeneratorImpl<CSHA256>>();
+        challengeGenerator = std::make_unique<ChallengeGeneratorImpl<CSHA256>>(0);
     }
 
     challengeGenerator->add(group_elements);
@@ -103,7 +103,7 @@ void  LelantusPrimitives::generate_Lelantus_challenge(
 
     // starting from LELANTUS_TX_VERSION_4_5 we are using CHash256, and adding domain separator, version, pubkeys and serials into it
     if (version >= LELANTUS_TX_VERSION_4_5) {
-        challengeGenerator = std::make_unique<ChallengeGeneratorImpl<CHash256>>();
+        challengeGenerator = std::make_unique<ChallengeGeneratorImpl<CHash256>>(1);
         std::string domainSeparator = lts + std::to_string(version);
         std::vector<unsigned char> pre(domainSeparator.begin(), domainSeparator.end());
         challengeGenerator->add(pre);
@@ -113,7 +113,7 @@ void  LelantusPrimitives::generate_Lelantus_challenge(
             challengeGenerator->add(pubkey);
         challengeGenerator->add(serialNumbers);
     } else {
-        challengeGenerator = std::make_unique<ChallengeGeneratorImpl<CSHA256>>();
+        challengeGenerator = std::make_unique<ChallengeGeneratorImpl<CSHA256>>(0);
     }
 
     if (Cout.size() > 0) {

diff --git a/src/liblelantus/range_prover.cpp b/src/liblelantus/range_prover.cpp
@@ -64,14 +64,14 @@ void RangeProver::batch_proof(
     Scalar y, z;
     unique_ptr<ChallengeGenerator> challengeGenerator;
     if (version >= LELANTUS_TX_VERSION_4_5) {
-        challengeGenerator = std::make_unique<ChallengeGeneratorImpl<CHash256>>();
+        challengeGenerator = std::make_unique<ChallengeGeneratorImpl<CHash256>>(1);
         // add domain separator and transaction version into transcript
         std::string domain_separator = "RANGE_PROOF" + std::to_string(version);
         std::vector<unsigned char> pre(domain_separator.begin(), domain_separator.end());
         challengeGenerator->add(pre);
         challengeGenerator->add(commitments);
     } else {
-        challengeGenerator = std::make_unique<ChallengeGeneratorImpl<CSHA256>>();
+        challengeGenerator = std::make_unique<ChallengeGeneratorImpl<CSHA256>>(0);
     }
 
     challengeGenerator->add({proof_out.A, proof_out.S});
@@ -168,6 +168,13 @@ void RangeProver::batch_proof(
     challengeGenerator->add({proof_out.T_x1, proof_out.T_x2, proof_out.u});
     challengeGenerator->get_challenge(x_u);
 
+    if (version >= LELANTUS_TX_VERSION_4_5) {
+        // add domain separator in each step
+        std::string domain_separator = "INNER_PRODUCT";
+        std::vector<unsigned char> pre(domain_separator.begin(), domain_separator.end());
+        challengeGenerator->add(pre);
+    }
+
     // if(inner_product_version >= 2) link range proof data to inner product transcript with passing already filled  challengeGenerator
     InnerProductProofGenerator.generate_proof(l, r, x_u, challengeGenerator, proof_out.innerProductProof);
 }

diff --git a/src/liblelantus/range_verifier.cpp b/src/liblelantus/range_verifier.cpp
@@ -29,14 +29,14 @@ bool RangeVerifier::verify_batch(const std::vector<GroupElement>& V, const std::
     Scalar x, x_u, y, z;
     unique_ptr<ChallengeGenerator> challengeGenerator;
     if (version >= LELANTUS_TX_VERSION_4_5) {
-        challengeGenerator = std::make_unique<ChallengeGeneratorImpl<CHash256>>();
+        challengeGenerator = std::make_unique<ChallengeGeneratorImpl<CHash256>>(1);
         // add domain separator and transaction version into transcript
         std::string domain_separator = "RANGE_PROOF" + std::to_string(version);
         std::vector<unsigned char> pre(domain_separator.begin(), domain_separator.end());
         challengeGenerator->add(pre);
         challengeGenerator->add(commitments);
     }  else {
-        challengeGenerator = std::make_unique<ChallengeGeneratorImpl<CSHA256>>();
+        challengeGenerator = std::make_unique<ChallengeGeneratorImpl<CSHA256>>(0);
     }
     challengeGenerator->add({proof.A, proof.S});
     challengeGenerator->get_challenge(y);
@@ -54,19 +54,22 @@ bool RangeVerifier::verify_batch(const std::vector<GroupElement>& V, const std::
     std::vector<Scalar> x_j, x_j_inv;
     x_j.resize(log_n);
     x_j_inv.reserve(log_n);
+
+    if (version >= LELANTUS_TX_VERSION_4_5) {
+        // add domain separator in each step
+        std::string domain_separator = "INNER_PRODUCT";
+        std::vector<unsigned char> pre(domain_separator.begin(), domain_separator.end());
+        challengeGenerator->add(pre);
+    }
+
     for (int i = 0; i < log_n; ++i)
     {
         std::vector<GroupElement> group_elements_i = {innerProductProof.L_[i], innerProductProof.R_[i]};
 
         // if(version >= LELANTUS_TX_VERSION_4_5) we should be using CHash256,
         // we want to link transcripts from range proof and from previous iteration in each step, so we are not restarting in that case,
-        if (version >= LELANTUS_TX_VERSION_4_5) {
-            // add domain separator in each step
-            std::string domain_separator = "INNER_PRODUCT";
-            std::vector<unsigned char> pre(domain_separator.begin(), domain_separator.end());
-            challengeGenerator->add(pre);
-        } else {
-            challengeGenerator.reset(new ChallengeGeneratorImpl<CSHA256>());
+        if (version < LELANTUS_TX_VERSION_4_5) {
+            challengeGenerator.reset(new ChallengeGeneratorImpl<CSHA256>(0));
         }
 
         challengeGenerator->add(group_elements_i);

diff --git a/src/liblelantus/schnorr_prover.cpp b/src/liblelantus/schnorr_prover.cpp
@@ -32,7 +32,7 @@ void SchnorrProver::proof(
         group_elements = {u, y, a, b};
         challengeGenerator->add(pre);
     } else {
-        challengeGenerator.reset(new ChallengeGeneratorImpl<CSHA256>());
+        challengeGenerator.reset(new ChallengeGeneratorImpl<CSHA256>(0));
     }
     challengeGenerator->add(group_elements);
     challengeGenerator->get_challenge(c);
@@ -53,7 +53,7 @@ void SchnorrProver::proof(
     proof_out.u = u;
     Scalar c;
 
-    ChallengeGeneratorImpl<CHash256> challengeGenerator;
+    ChallengeGeneratorImpl<CHash256> challengeGenerator(1);
     std::string shts = "SCHNORR_PROOF";
     std::vector<unsigned char> pre(shts.begin(), shts.end());
     challengeGenerator.add(pre);

diff --git a/src/liblelantus/schnorr_verifier.cpp b/src/liblelantus/schnorr_verifier.cpp
@@ -25,7 +25,7 @@ bool SchnorrVerifier::verify(
         group_elements = {u, y, a, b};
         challengeGenerator->add(pre);
     } else {
-        challengeGenerator.reset(new ChallengeGeneratorImpl<CSHA256>());
+        challengeGenerator.reset(new ChallengeGeneratorImpl<CSHA256>(0));
     }
     challengeGenerator->add(group_elements);
     challengeGenerator->get_challenge(c);
@@ -53,7 +53,7 @@ bool SchnorrVerifier::verify(
     const GroupElement& u = proof.u;
     Scalar c;
 
-    ChallengeGeneratorImpl<CHash256> challengeGenerator;
+    ChallengeGeneratorImpl<CHash256> challengeGenerator(1);
     std::string shts = "SCHNORR_PROOF";
     std::vector<unsigned char> pre(shts.begin(), shts.end());
     challengeGenerator.add(pre);

diff --git a/src/liblelantus/test/inner_product_test.cpp b/src/liblelantus/test/inner_product_test.cpp
@@ -57,7 +57,7 @@ BOOST_AUTO_TEST_CASE(prove_verify_one)
 
     Scalar x;
     x.randomize();
-    unique_ptr<ChallengeGenerator> challengeGenerator = std::make_unique<ChallengeGeneratorImpl<CHash256>>();
+    unique_ptr<ChallengeGenerator> challengeGenerator = std::make_unique<ChallengeGeneratorImpl<CHash256>>(1);
 
     // generating proofs
     Proof proof;
@@ -74,9 +74,9 @@ BOOST_AUTO_TEST_CASE(prove_verify_one)
     BOOST_CHECK_EQUAL(log2_n, proof.R_.size());
 
     // verify
-    challengeGenerator.reset(new ChallengeGeneratorImpl<CHash256>());
+    challengeGenerator.reset(new ChallengeGeneratorImpl<CHash256>(1));
     BOOST_CHECK(ProofVerifier(gens_g, gens_h, u, ComputePInit(), 2).verify(x, proof, challengeGenerator));
-    challengeGenerator.reset(new ChallengeGeneratorImpl<CHash256>());
+    challengeGenerator.reset(new ChallengeGeneratorImpl<CHash256>(1));
     BOOST_CHECK(ProofVerifier(gens_g, gens_h, u, ComputePInit(), 2).verify_fast(n, x, proof, challengeGenerator));
 }
 
@@ -89,7 +89,7 @@ BOOST_AUTO_TEST_CASE(prove_verify)
 
     Scalar x;
     x.randomize();
-    unique_ptr<ChallengeGenerator> challengeGenerator = std::make_unique<ChallengeGeneratorImpl<CHash256>>();
+    unique_ptr<ChallengeGenerator> challengeGenerator = std::make_unique<ChallengeGeneratorImpl<CHash256>>(1);
 
     // generating proofs
     Proof proof;
@@ -104,9 +104,9 @@ BOOST_AUTO_TEST_CASE(prove_verify)
     BOOST_CHECK_EQUAL(log2_n, proof.R_.size());
 
     // verify
-    challengeGenerator.reset(new ChallengeGeneratorImpl<CHash256>());
+    challengeGenerator.reset(new ChallengeGeneratorImpl<CHash256>(1));
     BOOST_CHECK(ProofVerifier(gens_g, gens_h, u, ComputePInit(), 2).verify(x, proof, challengeGenerator));
-    challengeGenerator.reset(new ChallengeGeneratorImpl<CHash256>());
+    challengeGenerator.reset(new ChallengeGeneratorImpl<CHash256>(1));
     BOOST_CHECK(ProofVerifier(gens_g, gens_h, u, ComputePInit(), 2).verify_fast(n, x, proof, challengeGenerator));
 }
 
@@ -119,7 +119,7 @@ BOOST_AUTO_TEST_CASE(fake_proof_not_verify)
 
     Scalar x;
     x.randomize();
-    unique_ptr<ChallengeGenerator> challengeGenerator = std::make_unique<ChallengeGeneratorImpl<CHash256>>();
+    unique_ptr<ChallengeGenerator> challengeGenerator = std::make_unique<ChallengeGeneratorImpl<CHash256>>(1);
 
     // generating genertor
     Proof proof;
@@ -129,16 +129,16 @@ BOOST_AUTO_TEST_CASE(fake_proof_not_verify)
     GroupElement fakeP;
     fakeP.randomize();
 
-    challengeGenerator.reset(new ChallengeGeneratorImpl<CHash256>());
+    challengeGenerator.reset(new ChallengeGeneratorImpl<CHash256>(1));
     BOOST_CHECK(!ProofVerifier(gens_g, gens_h, u, fakeP, 2).verify(x, proof, challengeGenerator));
-    challengeGenerator.reset(new ChallengeGeneratorImpl<CHash256>());
+    challengeGenerator.reset(new ChallengeGeneratorImpl<CHash256>(1));
     BOOST_CHECK(!ProofVerifier(gens_g, gens_h, u, fakeP, 2).verify_fast(n, x, proof, challengeGenerator));
 
     // verify with fake proof
     auto verify = [&](Scalar const &_x, Proof const &_p) -> void {
-        challengeGenerator.reset(new ChallengeGeneratorImpl<CHash256>());
+        challengeGenerator.reset(new ChallengeGeneratorImpl<CHash256>(1));
         BOOST_CHECK(!ProofVerifier(gens_g, gens_h, u, ComputePInit(), 2).verify(_x, _p, challengeGenerator));
-        challengeGenerator.reset(new ChallengeGeneratorImpl<CHash256>());
+        challengeGenerator.reset(new ChallengeGeneratorImpl<CHash256>(1));
         BOOST_CHECK(!ProofVerifier(gens_g, gens_h, u, ComputePInit(), 2).verify_fast(n, _x, _p, challengeGenerator));
     };