v1.16: [zk-token-sdk] Refactor ciphertext validity sigma proof and re…

…name `ValidityProof` to `GroupedCiphertextValidityProof` (backport of #32040) (#32096)
solana-labs · Jun 13, 2023 · def781a · def781a
1 parent c69fdef
commit def781a
Show file tree

Hide file tree

Showing 10 changed files with 232 additions and 188 deletions.
diff --git a/zk-token-sdk/src/instruction/batched_grouped_ciphertext_validity.rs b/zk-token-sdk/src/instruction/batched_grouped_ciphertext_validity.rs
@@ -20,7 +20,7 @@ use {
             pedersen::PedersenOpening,
         },
         errors::ProofError,
-        sigma_proofs::validity_proof::AggregatedValidityProof,
+        sigma_proofs::batched_grouped_ciphertext_validity_proof::BatchedGroupedCiphertext2HandlesValidityProof,
         transcript::TranscriptProtocol,
     },
     merlin::Transcript,
@@ -43,7 +43,7 @@ use {
 pub struct BatchedGroupedCiphertext2HandlesValidityProofData {
     pub context: BatchedGroupedCiphertext2HandlesValidityProofContext,
 
-    pub proof: pod::AggregatedValidityProof,
+    pub proof: pod::BatchedGroupedCiphertext2HandlesValidityProof,
 }
 
 #[derive(Clone, Copy, Pod, Zeroable)]
@@ -84,7 +84,7 @@ impl BatchedGroupedCiphertext2HandlesValidityProofData {
 
         let mut transcript = context.new_transcript();
 
-        let proof = AggregatedValidityProof::new(
+        let proof = BatchedGroupedCiphertext2HandlesValidityProof::new(
             (destination_pubkey, auditor_pubkey),
             (amount_lo, amount_hi),
             (opening_lo, opening_hi),
@@ -122,7 +122,7 @@ impl ZkProofData<BatchedGroupedCiphertext2HandlesValidityProofContext>
         let destination_handle_hi = grouped_ciphertext_hi.handles.get(0).unwrap();
         let auditor_handle_hi = grouped_ciphertext_hi.handles.get(1).unwrap();
 
-        let proof: AggregatedValidityProof = self.proof.try_into()?;
+        let proof: BatchedGroupedCiphertext2HandlesValidityProof = self.proof.try_into()?;
 
         proof
             .verify(

diff --git a/zk-token-sdk/src/instruction/grouped_ciphertext_validity.rs b/zk-token-sdk/src/instruction/grouped_ciphertext_validity.rs
@@ -18,7 +18,7 @@ use {
             pedersen::PedersenOpening,
         },
         errors::ProofError,
-        sigma_proofs::validity_proof::ValidityProof,
+        sigma_proofs::grouped_ciphertext_validity_proof::GroupedCiphertext2HandlesValidityProof,
         transcript::TranscriptProtocol,
     },
     merlin::Transcript,
@@ -41,7 +41,7 @@ use {
 pub struct GroupedCiphertext2HandlesValidityProofData {
     pub context: GroupedCiphertext2HandlesValidityProofContext,
 
-    pub proof: pod::ValidityProof,
+    pub proof: pod::GroupedCiphertext2HandlesValidityProof,
 }
 
 #[derive(Clone, Copy, Pod, Zeroable)]
@@ -75,7 +75,7 @@ impl GroupedCiphertext2HandlesValidityProofData {
 
         let mut transcript = context.new_transcript();
 
-        let proof = ValidityProof::new(
+        let proof = GroupedCiphertext2HandlesValidityProof::new(
             (destination_pubkey, auditor_pubkey),
             amount,
             opening,
@@ -108,7 +108,7 @@ impl ZkProofData<GroupedCiphertext2HandlesValidityProofContext>
         let destination_handle = grouped_ciphertext.handles.get(0).unwrap();
         let auditor_handle = grouped_ciphertext.handles.get(1).unwrap();
 
-        let proof: ValidityProof = self.proof.try_into()?;
+        let proof: GroupedCiphertext2HandlesValidityProof = self.proof.try_into()?;
 
         proof
             .verify(

diff --git a/zk-token-sdk/src/instruction/transfer/with_fee.rs b/zk-token-sdk/src/instruction/transfer/with_fee.rs
@@ -14,8 +14,9 @@ use {
         },
         range_proof::RangeProof,
         sigma_proofs::{
+            batched_grouped_ciphertext_validity_proof::BatchedGroupedCiphertext2HandlesValidityProof,
             ciphertext_commitment_equality_proof::CiphertextCommitmentEqualityProof,
-            fee_proof::FeeSigmaProof, validity_proof::AggregatedValidityProof,
+            fee_proof::FeeSigmaProof,
         },
         transcript::TranscriptProtocol,
     },
@@ -399,9 +400,9 @@ pub struct TransferWithFeeProof {
     pub new_source_commitment: pod::PedersenCommitment,
     pub claimed_commitment: pod::PedersenCommitment,
     pub equality_proof: pod::CiphertextCommitmentEqualityProof,
-    pub ciphertext_amount_validity_proof: pod::AggregatedValidityProof,
+    pub ciphertext_amount_validity_proof: pod::BatchedGroupedCiphertext2HandlesValidityProof,
     pub fee_sigma_proof: pod::FeeSigmaProof,
-    pub fee_ciphertext_validity_proof: pod::AggregatedValidityProof,
+    pub fee_ciphertext_validity_proof: pod::BatchedGroupedCiphertext2HandlesValidityProof,
     pub range_proof: pod::RangeProofU256,
 }
 
@@ -443,7 +444,7 @@ impl TransferWithFeeProof {
         );
 
         // generate ciphertext validity proof
-        let ciphertext_amount_validity_proof = AggregatedValidityProof::new(
+        let ciphertext_amount_validity_proof = BatchedGroupedCiphertext2HandlesValidityProof::new(
             (destination_pubkey, auditor_pubkey),
             (transfer_amount_lo, transfer_amount_hi),
             (opening_lo, opening_hi),
@@ -496,7 +497,7 @@ impl TransferWithFeeProof {
         );
 
         // generate ciphertext validity proof for fee ciphertexts
-        let fee_ciphertext_validity_proof = AggregatedValidityProof::new(
+        let fee_ciphertext_validity_proof = BatchedGroupedCiphertext2HandlesValidityProof::new(
             (destination_pubkey, withdraw_withheld_authority_pubkey),
             (fee_amount_lo, fee_amount_hi),
             (opening_fee_lo, opening_fee_hi),
@@ -565,10 +566,10 @@ impl TransferWithFeeProof {
         let claimed_commitment: PedersenCommitment = self.claimed_commitment.try_into()?;
 
         let equality_proof: CiphertextCommitmentEqualityProof = self.equality_proof.try_into()?;
-        let ciphertext_amount_validity_proof: AggregatedValidityProof =
+        let ciphertext_amount_validity_proof: BatchedGroupedCiphertext2HandlesValidityProof =
             self.ciphertext_amount_validity_proof.try_into()?;
         let fee_sigma_proof: FeeSigmaProof = self.fee_sigma_proof.try_into()?;
-        let fee_ciphertext_validity_proof: AggregatedValidityProof =
+        let fee_ciphertext_validity_proof: BatchedGroupedCiphertext2HandlesValidityProof =
             self.fee_ciphertext_validity_proof.try_into()?;
         let range_proof: RangeProof = self.range_proof.try_into()?;
 

diff --git a/zk-token-sdk/src/instruction/transfer/without_fee.rs b/zk-token-sdk/src/instruction/transfer/without_fee.rs
@@ -11,8 +11,8 @@ use {
         },
         range_proof::RangeProof,
         sigma_proofs::{
+            batched_grouped_ciphertext_validity_proof::BatchedGroupedCiphertext2HandlesValidityProof,
             ciphertext_commitment_equality_proof::CiphertextCommitmentEqualityProof,
-            validity_proof::AggregatedValidityProof,
         },
         transcript::TranscriptProtocol,
     },
@@ -267,7 +267,7 @@ pub struct TransferProof {
     pub equality_proof: pod::CiphertextCommitmentEqualityProof,
 
     /// Associated ciphertext validity proof
-    pub validity_proof: pod::AggregatedValidityProof,
+    pub validity_proof: pod::BatchedGroupedCiphertext2HandlesValidityProof,
 
     // Associated range proof
     pub range_proof: pod::RangeProofU128,
@@ -301,7 +301,7 @@ impl TransferProof {
         );
 
         // generate ciphertext validity proof
-        let validity_proof = AggregatedValidityProof::new(
+        let validity_proof = BatchedGroupedCiphertext2HandlesValidityProof::new(
             (destination_pubkey, auditor_pubkey),
             (transfer_amount_lo, transfer_amount_hi),
             (opening_lo, opening_hi),
@@ -363,7 +363,8 @@ impl TransferProof {
 
         let commitment: PedersenCommitment = self.new_source_commitment.try_into()?;
         let equality_proof: CiphertextCommitmentEqualityProof = self.equality_proof.try_into()?;
-        let aggregated_validity_proof: AggregatedValidityProof = self.validity_proof.try_into()?;
+        let aggregated_validity_proof: BatchedGroupedCiphertext2HandlesValidityProof =
+            self.validity_proof.try_into()?;
         let range_proof: RangeProof = self.range_proof.try_into()?;
 
         // verify equality proof

diff --git a/zk-token-sdk/src/sigma_proofs/batched_grouped_ciphertext_validity_proof.rs b/zk-token-sdk/src/sigma_proofs/batched_grouped_ciphertext_validity_proof.rs
@@ -0,0 +1,155 @@
+//! The ciphertext validity sigma proof system.
+//!
+//! The ciphertext validity proof is defined with respect to a Pedersen commitment and two
+//! decryption handles. The proof certifies that a given Pedersen commitment can be decrypted using
+//! ElGamal private keys that are associated with each of the two decryption handles. To generate
+//! the proof, a prover must provide the Pedersen opening associated with the commitment.
+//!
+//! The protocol guarantees computational soundness (by the hardness of discrete log) and perfect
+//! zero-knowledge in the random oracle model.
+
+#[cfg(not(target_os = "solana"))]
+use crate::encryption::{
+    elgamal::{DecryptHandle, ElGamalPubkey},
+    pedersen::{PedersenCommitment, PedersenOpening},
+};
+use {
+    crate::{
+        sigma_proofs::{
+            errors::ValidityProofError,
+            grouped_ciphertext_validity_proof::GroupedCiphertext2HandlesValidityProof,
+        },
+        transcript::TranscriptProtocol,
+    },
+    curve25519_dalek::scalar::Scalar,
+    merlin::Transcript,
+};
+
+/// Batched grouped ciphertext validity proof with two handles.
+///
+/// A batched grouped ciphertext validity proof certifies the validity of two instances of a
+/// standard ciphertext validity proof. An instance of a standard validity proof consists of one
+/// ciphertext and two decryption handles: `(commitment, destination_handle, auditor_handle)`. An
+/// instance of a batched ciphertext validity proof is a pair `(commitment_0,
+/// destination_handle_0, auditor_handle_0)` and `(commitment_1, destination_handle_1,
+/// auditor_handle_1)`. The proof certifies the analogous decryptable properties for each one of
+/// these pairs of commitment and decryption handles.
+#[allow(non_snake_case)]
+#[derive(Clone)]
+pub struct BatchedGroupedCiphertext2HandlesValidityProof(GroupedCiphertext2HandlesValidityProof);
+
+#[allow(non_snake_case)]
+#[cfg(not(target_os = "solana"))]
+impl BatchedGroupedCiphertext2HandlesValidityProof {
+    /// Batched grouped ciphertext validity proof constructor.
+    ///
+    /// The function simply batches the input openings and invokes the standard grouped ciphertext
+    /// validity proof constructor.
+    pub fn new<T: Into<Scalar>>(
+        (destination_pubkey, auditor_pubkey): (&ElGamalPubkey, &ElGamalPubkey),
+        (amount_lo, amount_hi): (T, T),
+        (opening_lo, opening_hi): (&PedersenOpening, &PedersenOpening),
+        transcript: &mut Transcript,
+    ) -> Self {
+        transcript.batched_grouped_ciphertext_validity_proof_domain_sep();
+
+        let t = transcript.challenge_scalar(b"t");
+
+        let batched_message = amount_lo.into() + amount_hi.into() * t;
+        let batched_opening = opening_lo + &(opening_hi * &t);
+
+        BatchedGroupedCiphertext2HandlesValidityProof(GroupedCiphertext2HandlesValidityProof::new(
+            (destination_pubkey, auditor_pubkey),
+            batched_message,
+            &batched_opening,
+            transcript,
+        ))
+    }
+
+    /// Batched grouped ciphertext validity proof verifier.
+    ///
+    /// The function does *not* hash the public keys, commitment, or decryption handles into the
+    /// transcript. For security, the caller (the main protocol) should hash these public
+    /// components prior to invoking this constructor.
+    ///
+    /// This function is randomized. It uses `OsRng` internally to generate random scalars.
+    pub fn verify(
+        self,
+        (destination_pubkey, auditor_pubkey): (&ElGamalPubkey, &ElGamalPubkey),
+        (commitment_lo, commitment_hi): (&PedersenCommitment, &PedersenCommitment),
+        (destination_handle_lo, destination_handle_hi): (&DecryptHandle, &DecryptHandle),
+        (auditor_handle_lo, auditor_handle_hi): (&DecryptHandle, &DecryptHandle),
+        transcript: &mut Transcript,
+    ) -> Result<(), ValidityProofError> {
+        transcript.batched_grouped_ciphertext_validity_proof_domain_sep();
+
+        let t = transcript.challenge_scalar(b"t");
+
+        let batched_commitment = commitment_lo + commitment_hi * t;
+        let destination_batched_handle = destination_handle_lo + destination_handle_hi * t;
+        let auditor_batched_handle = auditor_handle_lo + auditor_handle_hi * t;
+
+        let BatchedGroupedCiphertext2HandlesValidityProof(validity_proof) = self;
+
+        validity_proof.verify(
+            &batched_commitment,
+            (destination_pubkey, auditor_pubkey),
+            (&destination_batched_handle, &auditor_batched_handle),
+            transcript,
+        )
+    }
+
+    pub fn to_bytes(&self) -> [u8; 160] {
+        self.0.to_bytes()
+    }
+
+    pub fn from_bytes(bytes: &[u8]) -> Result<Self, ValidityProofError> {
+        GroupedCiphertext2HandlesValidityProof::from_bytes(bytes).map(Self)
+    }
+}
+
+#[cfg(test)]
+mod test {
+    use {
+        super::*,
+        crate::encryption::{elgamal::ElGamalKeypair, pedersen::Pedersen},
+    };
+
+    #[test]
+    fn test_batched_grouped_ciphertext_validity_proof() {
+        let destination_pubkey = ElGamalKeypair::new_rand().public;
+        let auditor_pubkey = ElGamalKeypair::new_rand().public;
+
+        let amount_lo: u64 = 55;
+        let amount_hi: u64 = 77;
+
+        let (commitment_lo, open_lo) = Pedersen::new(amount_lo);
+        let (commitment_hi, open_hi) = Pedersen::new(amount_hi);
+
+        let destination_handle_lo = destination_pubkey.decrypt_handle(&open_lo);
+        let destination_handle_hi = destination_pubkey.decrypt_handle(&open_hi);
+
+        let auditor_handle_lo = auditor_pubkey.decrypt_handle(&open_lo);
+        let auditor_handle_hi = auditor_pubkey.decrypt_handle(&open_hi);
+
+        let mut prover_transcript = Transcript::new(b"Test");
+        let mut verifier_transcript = Transcript::new(b"Test");
+
+        let proof = BatchedGroupedCiphertext2HandlesValidityProof::new(
+            (&destination_pubkey, &auditor_pubkey),
+            (amount_lo, amount_hi),
+            (&open_lo, &open_hi),
+            &mut prover_transcript,
+        );
+
+        assert!(proof
+            .verify(
+                (&destination_pubkey, &auditor_pubkey),
+                (&commitment_lo, &commitment_hi),
+                (&destination_handle_lo, &destination_handle_hi),
+                (&auditor_handle_lo, &auditor_handle_hi),
+                &mut verifier_transcript,
+            )
+            .is_ok());
+    }
+}