Add Pedersen::{commit,open,verify} MSM error handling

privacy-scaling-explorations · Oct 30, 2023 · c44edca · c44edca
1 parent 597ac27
commit c44edca
Show file tree

Hide file tree

Showing 9 changed files with 80 additions and 59 deletions.
diff --git a/src/folding/hypernova/cccs.rs b/src/folding/hypernova/cccs.rs
@@ -38,18 +38,18 @@ impl<C: CurveGroup> CCS<C> {
         rng: &mut R,
         pedersen_params: &PedersenParams<C>,
         z: &[C::ScalarField],
-    ) -> (CCCS<C>, Witness<C::ScalarField>) {
+    ) -> Result<(CCCS<C>, Witness<C::ScalarField>), Error> {
         let w: Vec<C::ScalarField> = z[(1 + self.l)..].to_vec();
         let r_w = C::ScalarField::rand(rng);
-        let C = Pedersen::<C>::commit(pedersen_params, &w, &r_w);
+        let C = Pedersen::<C>::commit(pedersen_params, &w, &r_w)?;
 
-        (
+        Ok((
             CCCS::<C> {
                 C,
                 x: z[1..(1 + self.l)].to_vec(),
             },
             Witness::<C::ScalarField> { w, r_w },
-        )
+        ))
     }
 
     /// Computes q(x) = \sum^q c_i * \prod_{j \in S_i} ( \sum_{y \in {0,1}^s'} M_j(x, y) * z(y) )
@@ -109,7 +109,7 @@ impl<C: CurveGroup> CCCS<C> {
     ) -> Result<(), Error> {
         // check that C is the commitment of w. Notice that this is not verifying a Pedersen
         // opening, but checking that the Commmitment comes from committing to the witness.
-        if self.C != Pedersen::commit(pedersen_params, &w.w, &w.r_w) {
+        if self.C != Pedersen::commit(pedersen_params, &w.w, &w.r_w)? {
             return Err(Error::NotSatisfied);
         }
 

diff --git a/src/folding/hypernova/lcccs.rs b/src/folding/hypernova/lcccs.rs
@@ -40,15 +40,15 @@ impl<C: CurveGroup> CCS<C> {
         rng: &mut R,
         pedersen_params: &PedersenParams<C>,
         z: &[C::ScalarField],
-    ) -> (LCCCS<C>, Witness<C::ScalarField>) {
+    ) -> Result<(LCCCS<C>, Witness<C::ScalarField>), Error> {
         let w: Vec<C::ScalarField> = z[(1 + self.l)..].to_vec();
         let r_w = C::ScalarField::rand(rng);
-        let C = Pedersen::commit(pedersen_params, &w, &r_w);
+        let C = Pedersen::commit(pedersen_params, &w, &r_w)?;
 
         let r_x: Vec<C::ScalarField> = (0..self.s).map(|_| C::ScalarField::rand(rng)).collect();
         let v = self.compute_v_j(z, &r_x);
 
-        (
+        Ok((
             LCCCS::<C> {
                 C,
                 u: C::ScalarField::one(),
@@ -57,7 +57,7 @@ impl<C: CurveGroup> CCS<C> {
                 v,
             },
             Witness::<C::ScalarField> { w, r_w },
-        )
+        ))
     }
 }
 
@@ -94,7 +94,7 @@ impl<C: CurveGroup> LCCCS<C> {
     ) -> Result<(), Error> {
         // check that C is the commitment of w. Notice that this is not verifying a Pedersen
         // opening, but checking that the Commmitment comes from committing to the witness.
-        if self.C != Pedersen::commit(pedersen_params, &w.w, &w.r_w) {
+        if self.C != Pedersen::commit(pedersen_params, &w.w, &w.r_w)? {
             return Err(Error::NotSatisfied);
         }
 
@@ -129,7 +129,7 @@ pub mod tests {
         ccs.check_relation(&z.clone()).unwrap();
 
         let pedersen_params = Pedersen::<Projective>::new_params(&mut rng, ccs.n - ccs.l - 1);
-        let (lcccs, _) = ccs.to_lcccs(&mut rng, &pedersen_params, &z);
+        let (lcccs, _) = ccs.to_lcccs(&mut rng, &pedersen_params, &z).unwrap();
         // with our test vector comming from R1CS, v should have length 3
         assert_eq!(lcccs.v.len(), 3);
 
@@ -160,7 +160,7 @@ pub mod tests {
 
         let pedersen_params = Pedersen::<Projective>::new_params(&mut rng, ccs.n - ccs.l - 1);
         // Compute v_j with the right z
-        let (lcccs, _) = ccs.to_lcccs(&mut rng, &pedersen_params, &z);
+        let (lcccs, _) = ccs.to_lcccs(&mut rng, &pedersen_params, &z).unwrap();
         // with our test vector comming from R1CS, v should have length 3
         assert_eq!(lcccs.v.len(), 3);
 

diff --git a/src/folding/hypernova/nimfs.rs b/src/folding/hypernova/nimfs.rs
@@ -373,8 +373,8 @@ pub mod tests {
     #[test]
     fn test_fold() {
         let ccs = get_test_ccs();
-        let z1 = get_test_z(3);
-        let z2 = get_test_z(4);
+        let z1 = get_test_z::<Fr>(3);
+        let z2 = get_test_z::<Fr>(4);
         ccs.check_relation(&z1).unwrap();
         ccs.check_relation(&z2).unwrap();
 
@@ -386,8 +386,8 @@ pub mod tests {
 
         let pedersen_params = Pedersen::<Projective>::new_params(&mut rng, ccs.n - ccs.l - 1);
 
-        let (lcccs, w1) = ccs.to_lcccs(&mut rng, &pedersen_params, &z1);
-        let (cccs, w2) = ccs.to_cccs(&mut rng, &pedersen_params, &z2);
+        let (lcccs, w1) = ccs.to_lcccs(&mut rng, &pedersen_params, &z1).unwrap();
+        let (cccs, w2) = ccs.to_cccs(&mut rng, &pedersen_params, &z2).unwrap();
 
         lcccs.check_relation(&pedersen_params, &ccs, &w1).unwrap();
         cccs.check_relation(&pedersen_params, &ccs, &w2).unwrap();
@@ -420,9 +420,9 @@ pub mod tests {
         let z_2 = get_test_z(4);
 
         // Create the LCCCS instance out of z_1
-        let (running_instance, w1) = ccs.to_lcccs(&mut rng, &pedersen_params, &z_1);
+        let (running_instance, w1) = ccs.to_lcccs(&mut rng, &pedersen_params, &z_1).unwrap();
         // Create the CCCS instance out of z_2
-        let (new_instance, w2) = ccs.to_cccs(&mut rng, &pedersen_params, &z_2);
+        let (new_instance, w2) = ccs.to_cccs(&mut rng, &pedersen_params, &z_2).unwrap();
 
         // Prover's transcript
         let mut transcript_p = IOPTranscript::<Fr>::new(b"multifolding");
@@ -471,7 +471,8 @@ pub mod tests {
 
         // LCCCS witness
         let z_1 = get_test_z(2);
-        let (mut running_instance, mut w1) = ccs.to_lcccs(&mut rng, &pedersen_params, &z_1);
+        let (mut running_instance, mut w1) =
+            ccs.to_lcccs(&mut rng, &pedersen_params, &z_1).unwrap();
 
         let mut transcript_p = IOPTranscript::<Fr>::new(b"multifolding");
         let mut transcript_v = IOPTranscript::<Fr>::new(b"multifolding");
@@ -486,7 +487,7 @@ pub mod tests {
             let z_2 = get_test_z(i);
             println!("z_2 {:?}", z_2); // DBG
 
-            let (new_instance, w2) = ccs.to_cccs(&mut rng, &pedersen_params, &z_2);
+            let (new_instance, w2) = ccs.to_cccs(&mut rng, &pedersen_params, &z_2).unwrap();
 
             // run the prover side of the multifolding
             let (proof, folded_lcccs, folded_witness) = NIMFS::<Projective>::prove(
@@ -550,15 +551,15 @@ pub mod tests {
         let mut lcccs_instances = Vec::new();
         let mut w_lcccs = Vec::new();
         for z_i in z_lcccs.iter() {
-            let (running_instance, w) = ccs.to_lcccs(&mut rng, &pedersen_params, z_i);
+            let (running_instance, w) = ccs.to_lcccs(&mut rng, &pedersen_params, z_i).unwrap();
             lcccs_instances.push(running_instance);
             w_lcccs.push(w);
         }
         // Create the CCCS instance out of z_cccs
         let mut cccs_instances = Vec::new();
         let mut w_cccs = Vec::new();
         for z_i in z_cccs.iter() {
-            let (new_instance, w) = ccs.to_cccs(&mut rng, &pedersen_params, z_i);
+            let (new_instance, w) = ccs.to_cccs(&mut rng, &pedersen_params, z_i).unwrap();
             cccs_instances.push(new_instance);
             w_cccs.push(w);
         }
@@ -640,15 +641,15 @@ pub mod tests {
             let mut lcccs_instances = Vec::new();
             let mut w_lcccs = Vec::new();
             for z_i in z_lcccs.iter() {
-                let (running_instance, w) = ccs.to_lcccs(&mut rng, &pedersen_params, z_i);
+                let (running_instance, w) = ccs.to_lcccs(&mut rng, &pedersen_params, z_i).unwrap();
                 lcccs_instances.push(running_instance);
                 w_lcccs.push(w);
             }
             // Create the CCCS instance out of z_cccs
             let mut cccs_instances = Vec::new();
             let mut w_cccs = Vec::new();
             for z_i in z_cccs.iter() {
-                let (new_instance, w) = ccs.to_cccs(&mut rng, &pedersen_params, z_i);
+                let (new_instance, w) = ccs.to_cccs(&mut rng, &pedersen_params, z_i).unwrap();
                 cccs_instances.push(new_instance);
                 w_cccs.push(w);
             }

diff --git a/src/folding/hypernova/utils.rs b/src/folding/hypernova/utils.rs
@@ -269,7 +269,7 @@ pub mod tests {
 
         // Initialize a multifolding object
         let pedersen_params = Pedersen::new_params(&mut rng, ccs.n - ccs.l - 1);
-        let (lcccs_instance, _) = ccs.to_lcccs(&mut rng, &pedersen_params, &z1);
+        let (lcccs_instance, _) = ccs.to_lcccs(&mut rng, &pedersen_params, &z1).unwrap();
 
         let sigmas_thetas =
             compute_sigmas_and_thetas(&ccs, &[z1.clone()], &[z2.clone()], &r_x_prime);
@@ -312,7 +312,7 @@ pub mod tests {
 
         // Initialize a multifolding object
         let pedersen_params = Pedersen::new_params(&mut rng, ccs.n - ccs.l - 1);
-        let (lcccs_instance, _) = ccs.to_lcccs(&mut rng, &pedersen_params, &z1);
+        let (lcccs_instance, _) = ccs.to_lcccs(&mut rng, &pedersen_params, &z1).unwrap();
 
         let mut sum_v_j_gamma = Fr::zero();
         for j in 0..lcccs_instance.v.len() {

diff --git a/src/folding/nova/circuits.rs b/src/folding/nova/circuits.rs
@@ -424,8 +424,8 @@ mod tests {
         let pedersen_params = Pedersen::<Projective>::new_params(&mut rng, r1cs.A.n_rows);
 
         // compute committed instances
-        let ci1 = w1.commit(&pedersen_params, x1.clone());
-        let ci2 = w2.commit(&pedersen_params, x2.clone());
+        let ci1 = w1.commit(&pedersen_params, x1.clone()).unwrap();
+        let ci2 = w2.commit(&pedersen_params, x2.clone()).unwrap();
 
         // get challenge from transcript
         let poseidon_config = poseidon_test_config::<Fr>();
@@ -695,7 +695,7 @@ mod tests {
             // compute committed instances, w_{i+1}, u_{i+1}, which will be used as w_i, u_i, so we
             // assign them directly to w_i, u_i.
             w_i = Witness::<Projective>::new(w_i1.clone(), r1cs.A.n_rows);
-            u_i = w_i.commit(&pedersen_params, vec![u_i1_x]);
+            u_i = w_i.commit(&pedersen_params, vec![u_i1_x]).unwrap();
 
             check_instance_relation(&r1cs, &w_i, &u_i).unwrap();
             check_instance_relation(&r1cs, &W_i1, &U_i1).unwrap();

diff --git a/src/folding/nova/mod.rs b/src/folding/nova/mod.rs
@@ -92,18 +92,18 @@ where
         &self,
         params: &PedersenParams<C>,
         x: Vec<C::ScalarField>,
-    ) -> CommittedInstance<C> {
+    ) -> Result<CommittedInstance<C>, Error> {
         let mut cmE = C::zero();
         if !is_zero_vec::<C::ScalarField>(&self.E) {
-            cmE = Pedersen::commit(params, &self.E, &self.rE);
+            cmE = Pedersen::commit(params, &self.E, &self.rE)?;
         }
-        let cmW = Pedersen::commit(params, &self.W, &self.rW);
-        CommittedInstance {
+        let cmW = Pedersen::commit(params, &self.W, &self.rW)?;
+        Ok(CommittedInstance {
             cmE,
             u: C::ScalarField::one(),
             cmW,
             x,
-        }
+        })
     }
 }
 

diff --git a/src/folding/nova/nifs.rs b/src/folding/nova/nifs.rs
@@ -103,7 +103,7 @@ where
         // compute cross terms
         let T = Self::compute_T(r1cs, ci1.u, ci2.u, &z1, &z2)?;
         let rT = C::ScalarField::one(); // use 1 as rT since we don't need hiding property for cm(T)
-        let cmT = Pedersen::commit(pedersen_params, &T, &rT);
+        let cmT = Pedersen::commit(pedersen_params, &T, &rT)?;
 
         // fold witness
         let w3 = NIFS::<C>::fold_witness(r, w1, w2, &T, rT)?;
@@ -170,12 +170,9 @@ where
             // cm_proofs should have length 3: [cmE_proof, cmW_proof, cmT_proof]
             return Err(Error::NotExpectedLength);
         }
-        if !Pedersen::verify(pedersen_params, tr, ci.cmE, cm_proofs[0].clone())
-            || !Pedersen::verify(pedersen_params, tr, ci.cmW, cm_proofs[1].clone())
-            || !Pedersen::verify(pedersen_params, tr, cmT, cm_proofs[2].clone())
-        {
-            return Err(Error::CommitmentVerificationFail);
-        }
+        Pedersen::verify(pedersen_params, tr, ci.cmE, cm_proofs[0].clone())?;
+        Pedersen::verify(pedersen_params, tr, ci.cmW, cm_proofs[1].clone())?;
+        Pedersen::verify(pedersen_params, tr, cmT, cm_proofs[2].clone())?;
         Ok(())
     }
 }
@@ -210,7 +207,9 @@ pub mod tests {
 
         // dummy instance, witness and public inputs zeroes
         let w_dummy = Witness::<Projective>::new(vec![Fr::zero(); w1.len()], r1cs.A.n_rows);
-        let mut u_dummy = w_dummy.commit(&pedersen_params, vec![Fr::zero(); x1.len()]);
+        let mut u_dummy = w_dummy
+            .commit(&pedersen_params, vec![Fr::zero(); x1.len()])
+            .unwrap();
         u_dummy.u = Fr::zero();
 
         let w_i = w_dummy.clone();
@@ -250,8 +249,8 @@ pub mod tests {
         let r = Fr::rand(&mut rng); // folding challenge would come from the transcript
 
         // compute committed instances
-        let ci1 = w1.commit(&pedersen_params, x1.clone());
-        let ci2 = w2.commit(&pedersen_params, x2.clone());
+        let ci1 = w1.commit(&pedersen_params, x1.clone()).unwrap();
+        let ci2 = w2.commit(&pedersen_params, x2.clone()).unwrap();
 
         // NIFS.P
         let (w3, ci3_aux, T, cmT) =
@@ -273,7 +272,7 @@ pub mod tests {
 
         // check that folded commitments from folded instance (ci) are equal to folding the
         // use folded rE, rW to commit w3
-        let ci3_expected = w3.commit(&pedersen_params, ci3.x.clone());
+        let ci3_expected = w3.commit(&pedersen_params, ci3.x.clone()).unwrap();
         assert_eq!(ci3_expected.cmE, ci3.cmE);
         assert_eq!(ci3_expected.cmW, ci3.cmW);
 
@@ -322,7 +321,8 @@ pub mod tests {
 
         // prepare the running instance
         let mut running_instance_w = Witness::<Projective>::new(w.clone(), r1cs.A.n_rows);
-        let mut running_committed_instance = running_instance_w.commit(&pedersen_params, x);
+        let mut running_committed_instance =
+            running_instance_w.commit(&pedersen_params, x).unwrap();
         assert!(check_relaxed_r1cs(
             &r1cs,
             &z,
@@ -336,7 +336,8 @@ pub mod tests {
             let incomming_instance_z = get_test_z(i + 4);
             let (w, x) = r1cs.split_z(&incomming_instance_z);
             let incomming_instance_w = Witness::<Projective>::new(w.clone(), r1cs.A.n_rows);
-            let incomming_committed_instance = incomming_instance_w.commit(&pedersen_params, x);
+            let incomming_committed_instance =
+                incomming_instance_w.commit(&pedersen_params, x).unwrap();
             assert!(check_relaxed_r1cs(
                 &r1cs,
                 &incomming_instance_z.clone(),

diff --git a/src/lib.rs b/src/lib.rs
@@ -31,8 +31,10 @@ pub enum Error {
     NotExpectedLength,
     #[error("Can not be empty")]
     Empty,
-    #[error("Commitment verification failed")]
-    CommitmentVerificationFail,
+    #[error("Pedersen parameters length is not suficient")]
+    PedersenParamsLen,
+    #[error("Pedersen verification failed")]
+    PedersenVerificationFail,
 }
 
 /// FoldingScheme defines trait that is implemented by the diverse folding schemes. It is defined