Update Sigma Protocol Terminology

rust-src/concordium_base/CHANGELOG.md

@@ -10,6 +10,7 @@
 - Add `From<&AccountKeys>` instance for AccountAccessStructure.
 - Add `verify_data_signature` function to verify a signature with account keys
   on arbitrary data.
+- Update notation of sigma protocols to better match the literature and the bluepaper. 
 
 ## 2.0.0 (2023-06-16)
 

rust-src/concordium_base/Cargo.toml

@@ -114,7 +114,7 @@ name = "verify_cdi"
 harness = false
 
 [[bench]]
-name = "aggr_dlog_commit_point"
+name = "aggr_dlog_commit_message"
 harness = false
 
 [[bench]]

rust-src/concordium_base/benches/aggr_dlog_commit_point.rs → rust-src/concordium_base/benches/aggr_dlog_commit_message.rs

@@ -7,7 +7,7 @@ use pairing::bls12_381::G1;
 use rand::*;
 
 /// Benchmark the aggregate dlog sigma protocol
-fn bench_aggr_dlog_commit_point(c: &mut Criterion) {
+fn bench_aggr_dlog_commit_message(c: &mut Criterion) {
     let mut csprng = thread_rng();
     let number_of_coeffs = 42;
     let mut coeffs = Vec::with_capacity(number_of_coeffs);
@@ -19,10 +19,10 @@ fn bench_aggr_dlog_commit_point(c: &mut Criterion) {
         public: public_key,
         coeff:  coeffs,
     };
-    c.bench_function("Aggregate dlog commit point", move |b| {
-        b.iter(|| dlog.commit_point(&mut csprng))
+    c.bench_function("Aggregate dlog commit message", move |b| {
+        b.iter(|| dlog.compute_commit_message(&mut csprng))
     });
 }
 
-criterion_group!(commit_point_benchmarks, bench_aggr_dlog_commit_point);
+criterion_group!(commit_point_benchmarks, bench_aggr_dlog_commit_message);
 criterion_main!(commit_point_benchmarks);

rust-src/concordium_base/src/aggregate_sig/mod.rs

@@ -136,7 +136,7 @@ impl<P: Pairing> PartialEq for Signature<P> {
 }
 
 /// A proof of knowledge of a secretkey
-pub type Proof<P> = SigmaProof<Witness<<P as Pairing>::G2>>;
+pub type Proof<P> = SigmaProof<Response<<P as Pairing>::G2>>;
 
 /// Verifies an aggregate signature on pairs `(messages m_i, PK_i)` `for i=1..n`
 /// by checking     `pairing(sig, g_2) == product_{i=0}^n (

rust-src/concordium_base/src/eddsa_ed25519/dlog_ed25519.rs

@@ -1,3 +1,7 @@
+//! This module provides the implementation of the `dlog` sigma protocol for
+//! curve25519 (cf. "Proof of Knowledge of Discrete Logarithm" Section 9.2.1,
+//! Bluepaper v1.2.5) which enables one to prove knowledge of the discrete
+//! logarithm without revealing it.
 use crate::{common::*, random_oracle::RandomOracle};
 use anyhow::bail;
 use curve25519_dalek::{
@@ -13,14 +17,14 @@ use thiserror::Error;
 #[derive(Clone, Copy, Debug, Eq, PartialEq, SerdeBase16Serialize)]
 pub struct Ed25519DlogProof {
     challenge: Scalar,
-    witness:   Scalar,
+    response:  Scalar,
 }
 
 impl Serial for Ed25519DlogProof {
     fn serial<B: Buffer>(&self, out: &mut B) {
         out.write_all(self.challenge.as_bytes())
             .expect("Writing to buffer should succeed.");
-        out.write_all(self.witness.as_bytes())
+        out.write_all(self.response.as_bytes())
             .expect("Writing to buffer should succeed.");
     }
 }
@@ -31,10 +35,13 @@ impl Deserial for Ed25519DlogProof {
         source.read_exact(&mut buf)?;
         if let Some(challenge) = Scalar::from_canonical_bytes(buf) {
             source.read_exact(&mut buf)?;
-            if let Some(witness) = Scalar::from_canonical_bytes(buf) {
-                Ok(Ed25519DlogProof { challenge, witness })
+            if let Some(response) = Scalar::from_canonical_bytes(buf) {
+                Ok(Ed25519DlogProof {
+                    challenge,
+                    response,
+                })
             } else {
-                bail!("Not a valid witness.")
+                bail!("Not a valid response.")
             }
         } else {
             bail!("Not a valid scalar.")
@@ -102,7 +109,7 @@ pub fn prove_dlog_ed25519<R: Rng + CryptoRng>(
     let challenge = Scalar::from_bytes_mod_order(array);
     Ed25519DlogProof {
         challenge,
-        witness: rand_scalar - challenge * secret,
+        response: rand_scalar - challenge * secret,
     }
 }
 
@@ -115,7 +122,7 @@ pub fn verify_dlog_ed25519(
         None => false,
         Some(public) => {
             let randomised_point =
-                public * proof.challenge + &proof.witness * &constants::ED25519_BASEPOINT_TABLE;
+                public * proof.challenge + &proof.response * &constants::ED25519_BASEPOINT_TABLE;
             ro.append_message(b"dlog_ed25519", public_key);
             ro.append_message(b"randomised_point", &randomised_point.compress().to_bytes());
 

rust-src/concordium_base/src/encrypted_transfers/proofs/dlogaggequal.rs

@@ -4,7 +4,7 @@
 
 //! NB:
 //! This module is currently not used, and is only here as a reference.
-//! When using the code needs to be thouroughly reviewed.
+//! When using the code needs to be thoroughly reviewed.
 
 use crate::{
     common::*,
@@ -22,18 +22,18 @@ pub struct DlogAndAggregateDlogsEqual<C: Curve> {
 }
 
 #[derive(Debug, Serialize)]
-pub struct Witness<C: Curve> {
+pub struct Response<C: Curve> {
     #[size_length = 4]
-    witnesses:      Vec<Vec<C::Scalar>>,
-    witness_common: C::Scalar, // For equality
+    responses:       Vec<Vec<C::Scalar>>,
+    response_common: C::Scalar, // For equality
 }
 
 #[allow(clippy::type_complexity)]
 impl<C: Curve> SigmaProtocol for DlogAndAggregateDlogsEqual<C> {
     type CommitMessage = (C, Vec<C>);
     type ProtocolChallenge = C::Scalar;
     type ProverState = (C::Scalar, Vec<Vec<C::Scalar>>);
-    type ProverWitness = Witness<C>;
+    type Response = Response<C>;
     type SecretData = (Rc<C::Scalar>, Vec<Vec<Rc<C::Scalar>>>);
 
     fn public(&self, ro: &mut RandomOracle) {
@@ -45,7 +45,7 @@ impl<C: Curve> SigmaProtocol for DlogAndAggregateDlogsEqual<C> {
         C::scalar_from_bytes(challenge)
     }
 
-    fn commit_point<R: rand::Rng>(
+    fn compute_commit_message<R: rand::Rng>(
         &self,
         csprng: &mut R,
     ) -> Option<(Self::CommitMessage, Self::ProverState)> {
@@ -82,51 +82,51 @@ impl<C: Curve> SigmaProtocol for DlogAndAggregateDlogsEqual<C> {
         Some((commit, rand))
     }
 
-    fn generate_witness(
+    fn compute_response(
         &self,
         secret: Self::SecretData,
         state: Self::ProverState,
         challenge: &Self::ProtocolChallenge,
-    ) -> Option<Self::ProverWitness> {
-        let mut witness_common = *challenge;
-        witness_common.mul_assign(&secret.0);
-        witness_common.negate(); // According to Bluepaper, we negate here. Shouldn't matter.
-        witness_common.add_assign(&state.0);
-        let mut witnesses = vec![];
+    ) -> Option<Self::Response> {
+        let mut response_common = *challenge;
+        response_common.mul_assign(&secret.0);
+        response_common.negate(); // According to Bluepaper, we negate here. Shouldn't matter.
+        response_common.add_assign(&state.0);
+        let mut responses = vec![];
         for (secret_vec, state_vec) in izip!(secret.1, state.1) {
-            let mut witness = vec![];
+            let mut response = vec![];
             for (ref s, ref r) in izip!(secret_vec, state_vec) {
-                let mut wit = *challenge;
-                wit.mul_assign(s);
-                wit.negate();
-                wit.add_assign(r);
-                witness.push(wit);
+                let mut res = *challenge;
+                res.mul_assign(s);
+                res.negate();
+                res.add_assign(r);
+                response.push(res);
             }
-            witnesses.push(witness);
+            responses.push(response);
         }
-        Some(Witness {
-            witnesses,
-            witness_common,
+        Some(Response {
+            responses,
+            response_common,
         })
     }
 
-    fn extract_point(
+    fn extract_commit_message(
         &self,
         challenge: &Self::ProtocolChallenge,
-        witness: &Self::ProverWitness,
+        response: &Self::Response,
     ) -> Option<Self::CommitMessage> {
         let dlog_point = self
             .dlog
             .coeff
-            .mul_by_scalar(&witness.witness_common)
+            .mul_by_scalar(&response.response_common)
             .plus_point(&self.dlog.public.mul_by_scalar(challenge));
         let mut agg_points = vec![];
-        for (aggregate_dlog, w) in izip!(&self.aggregate_dlogs, &witness.witnesses) {
+        for (aggregate_dlog, w) in izip!(&self.aggregate_dlogs, &response.responses) {
             if w.len() + 1 != aggregate_dlog.coeff.len() {
                 return None;
             }
             let mut point = aggregate_dlog.public.mul_by_scalar(challenge);
-            let mut exps = vec![witness.witness_common];
+            let mut exps = vec![response.response_common];
             exps.extend_from_slice(w);
             let product = multiexp(&aggregate_dlog.coeff, &exps);
             point = point.plus_point(&product);

rust-src/concordium_base/src/encrypted_transfers/proofs/dlogeq.rs

@@ -8,7 +8,7 @@ use crate::{
     curve_arithmetic::Curve,
     id::sigma_protocols::{
         common::*,
-        dlog::{Witness as DlogWitness, *},
+        dlog::{Response as DlogResponse, *},
     },
     random_oracle::{Challenge, RandomOracle},
 };
@@ -22,7 +22,7 @@ impl<C: Curve> SigmaProtocol for DlogEqual<C> {
     type CommitMessage = (C, C);
     type ProtocolChallenge = C::Scalar;
     type ProverState = C::Scalar;
-    type ProverWitness = DlogWitness<C>;
+    type Response = DlogResponse<C>;
     type SecretData = DlogSecret<C>;
 
     fn public(&self, ro: &mut RandomOracle) {
@@ -34,7 +34,7 @@ impl<C: Curve> SigmaProtocol for DlogEqual<C> {
         C::scalar_from_bytes(challenge)
     }
 
-    fn commit_point<R: rand::Rng>(
+    fn compute_commit_message<R: rand::Rng>(
         &self,
         csprng: &mut R,
     ) -> Option<(Self::CommitMessage, Self::ProverState)> {
@@ -45,23 +45,23 @@ impl<C: Curve> SigmaProtocol for DlogEqual<C> {
         Some((commit, rand_scalar))
     }
 
-    fn generate_witness(
+    fn compute_response(
         &self,
         secret: Self::SecretData,
         state: Self::ProverState,
         challenge: &Self::ProtocolChallenge,
-    ) -> Option<Self::ProverWitness> {
-        let w1 = self.dlog1.generate_witness(secret, state, challenge)?;
+    ) -> Option<Self::Response> {
+        let w1 = self.dlog1.compute_response(secret, state, challenge)?;
         Some(w1)
     }
 
-    fn extract_point(
+    fn extract_commit_message(
         &self,
         challenge: &Self::ProtocolChallenge,
-        witness: &Self::ProverWitness,
+        response: &Self::Response,
     ) -> Option<Self::CommitMessage> {
-        let p1 = self.dlog1.extract_point(challenge, witness)?;
-        let p2 = self.dlog2.extract_point(challenge, witness)?;
+        let p1 = self.dlog1.extract_commit_message(challenge, response)?;
+        let p2 = self.dlog2.extract_commit_message(challenge, response)?;
         Some((p1, p2))
     }