docs and update tests

Signed-off-by: lovesh <lovesh.bond@gmail.com>

Author: lovesh

equality_across_groups/Cargo.toml

@@ -25,8 +25,9 @@ rand = "0.8"
 blake2.workspace = true
 ark-bls12-381.workspace = true
 rand_core = { version = "0.6", default-features = false }
+test_utils = { default-features = false, path = "../test_utils" }
 
 [features]
 default = ["parallel"]
-std = ["ark-ff/std", "ark-ec/std", "ark-std/std", "ark-serialize/std", "rand_core/std", "crypto-bigint/rand", "dock_crypto_utils/std", "bulletproofs_plus_plus/std", "kvac/std", "schnorr_pok/std"]
-parallel = ["std", "ark-ff/parallel", "ark-ec/parallel", "ark-std/parallel", "rayon", "dock_crypto_utils/parallel", "bulletproofs_plus_plus/parallel", "kvac/parallel", "schnorr_pok/parallel"]
+std = ["ark-ff/std", "ark-ec/std", "ark-std/std", "ark-serialize/std", "rand_core/std", "crypto-bigint/rand", "dock_crypto_utils/std", "bulletproofs_plus_plus/std", "kvac/std", "schnorr_pok/std", "test_utils/std"]
+parallel = ["std", "ark-ff/parallel", "ark-ec/parallel", "ark-std/parallel", "rayon", "dock_crypto_utils/parallel", "bulletproofs_plus_plus/parallel", "kvac/parallel", "schnorr_pok/parallel", "test_utils/parallel"]

equality_across_groups/README.md

@@ -6,11 +6,11 @@ Protocols for proving equality of committed values across groups.
 extension in section 5 of the paper [Proofs of discrete logarithm equality across groups](https://eprint.iacr.org/2022/1593). Check the [module](./src/eq_across_groups.rs) for more docs
 - Implements the protocol to prove elliptic curve point addition and scalar multiplication from the paper [ZKAttest Ring and Group Signatures for Existing ECDSA Keys](https://eprint.iacr.org/2021/1183). Check the [point addition module](./src/ec/sw_point_addition.rs) and [scalar multiplication module](./src/ec/sw_scalar_mult.rs) for more docs
 - Use the above protocols to prove knowledge of a committed ECDSA public key on Tom-256 curve. Check the [module](./src/pok_ecdsa_pubkey.rs) for more docs
-- Use the above protocols to prove knowledge of a committed ECDSA public key on BLS12-381 curve. Check the tests in [module](./src/pok_ecdsa_pubkey.rs).
+- Use the above protocols to prove knowledge of a committed ECDSA public key on BLS12-381 curve. Check the test `pok_ecdsa_pubkey_committed_in_bls12_381_commitment` in [module](./src/pok_ecdsa_pubkey.rs).
 
 **CREDIT**
 
-This idea of using these 2 protocols to prove knowledge of ECDSA public key committed on the BLS12-381 curve came from Patrick Amrein from [Unique AG](https://www.unique.ch)
+This idea of using these 2 protocols to prove knowledge of ECDSA public key committed on the BLS12-381 curve came from Patrick Amrein from [Ubique](https://ubique.ch/)
 and their work [here](https://github.com/UbiqueInnovation/zkattest-rs) is prior art.
 
 <!-- cargo-rdme end -->

equality_across_groups/src/ec/commitments.rs

@@ -49,6 +49,7 @@ impl<C: AffineRepr> PointCommitmentWithOpening<C> {
         Self::new_given_randomness(point, r_x, r_y, comm_key)
     }
 
+    /// `r_x` and `r_y` are randomness in the Pedersen commitments to x and y coordinates respectively
     pub fn new_given_randomness<P: AffineRepr>(
         point: &P,
         r_x: C::ScalarField,

equality_across_groups/src/ec/sw_point_addition.rs

@@ -309,15 +309,19 @@ mod tests {
     use blake2::Blake2b512;
     use dock_crypto_utils::transcript::{new_merlin_transcript, Transcript};
     use rand_core::OsRng;
-    use std::ops::Neg;
+    use std::{ops::Neg, time::Instant};
+    use test_utils::statistics::statistics;
 
     #[test]
     fn point_addition() {
         let mut rng = OsRng::default();
 
         let comm_key = PedersenCommitmentKey::<tomAff>::new::<Blake2b512>(b"test");
 
-        for _ in 0..100 {
+        let mut prov_time = vec![];
+        let mut ver_time = vec![];
+        let num_iters = 100;
+        for i in 0..num_iters {
             let a = secpAff::rand(&mut rng);
             let b = secpAff::rand(&mut rng);
             let t = (a + b).into_affine();
@@ -329,6 +333,7 @@ mod tests {
                 PointCommitmentWithOpening::<tomAff>::new::<_, secpAff>(&mut rng, &b, &comm_key)
                     .unwrap();
 
+            let start = Instant::now();
             let mut prover_transcript = new_merlin_transcript(b"test");
             prover_transcript.append(b"comm_key", &comm_key);
             prover_transcript.append(b"comm_a", &comm_a.comm);
@@ -345,7 +350,9 @@ mod tests {
                 &mut prover_transcript,
             )
             .unwrap();
+            prov_time.push(start.elapsed());
 
+            let start = Instant::now();
             let mut verifier_transcript = new_merlin_transcript(b"test");
             verifier_transcript.append(b"comm_key", &comm_key);
             verifier_transcript.append(b"comm_a", &comm_a.comm);
@@ -360,6 +367,11 @@ mod tests {
                     &mut verifier_transcript,
                 )
                 .unwrap();
+            ver_time.push(start.elapsed());
+
+            if i == 0 {
+                println!("Proof size = {} bytes", proof.compressed_size());
+            }
 
             // Verifying with incorrect sum fails
             let mut verifier_transcript = new_merlin_transcript(b"test");
@@ -412,5 +424,9 @@ mod tests {
             )
             .is_err());
         }
+
+        println!("For {} iterations", num_iters);
+        println!("Proving time: {:?}", statistics(prov_time));
+        println!("Verifying time: {:?}", statistics(ver_time));
     }
 }

equality_across_groups/src/ec/sw_scalar_mult.rs

@@ -327,6 +327,8 @@ mod tests {
     use blake2::Blake2b512;
     use dock_crypto_utils::transcript::{new_merlin_transcript, Transcript};
     use rand_core::OsRng;
+    use std::time::Instant;
+    use test_utils::statistics::statistics;
 
     #[test]
     fn scalar_mult() {
@@ -335,44 +337,66 @@ mod tests {
         let comm_key_1 = PedersenCommitmentKey::<secpAff>::new::<Blake2b512>(b"test1");
         let comm_key_2 = PedersenCommitmentKey::<tomAff>::new::<Blake2b512>(b"test2");
 
-        let base = secpAff::rand(&mut rng);
-        let scalar = secpFr::rand(&mut rng);
-        let result = (base * scalar).into_affine();
+        let mut prov_time = vec![];
+        let mut ver_time = vec![];
+        // Since the proof size depends on the values of the random challenge bits
+        let mut proof_sizes = vec![];
+        let num_iters = 10;
+        for _ in 0..num_iters {
+            let base = secpAff::rand(&mut rng);
+            let scalar = secpFr::rand(&mut rng);
+            let result = (base * scalar).into_affine();
 
-        let comm_scalar = CommitmentWithOpening::new(&mut rng, scalar, &comm_key_1);
-        let comm_result = PointCommitmentWithOpening::new(&mut rng, &result, &comm_key_2).unwrap();
+            let comm_scalar = CommitmentWithOpening::new(&mut rng, scalar, &comm_key_1);
+            let comm_result =
+                PointCommitmentWithOpening::new(&mut rng, &result, &comm_key_2).unwrap();
 
-        let mut prover_transcript = new_merlin_transcript(b"test");
-        prover_transcript.append(b"comm_key_1", &comm_key_1);
-        prover_transcript.append(b"comm_key_2", &comm_key_2);
-        prover_transcript.append(b"comm_scalar", &comm_scalar.comm);
-        prover_transcript.append(b"comm_result", &comm_result.comm);
-        let proof = ScalarMultiplicationProof::<secpAff, tomAff>::new(
-            &mut rng,
-            comm_scalar.clone(),
-            comm_result.clone(),
-            result,
-            base,
-            &comm_key_1,
-            &comm_key_2,
-            &mut prover_transcript,
-        )
-        .unwrap();
-
-        let mut verifier_transcript = new_merlin_transcript(b"test");
-        verifier_transcript.append(b"comm_key_1", &comm_key_1);
-        verifier_transcript.append(b"comm_key_2", &comm_key_2);
-        verifier_transcript.append(b"comm_scalar", &comm_scalar.comm);
-        verifier_transcript.append(b"comm_result", &comm_result.comm);
-        proof
-            .verify(
-                &comm_scalar.comm,
-                &comm_result.comm,
-                &base,
+            let start = Instant::now();
+            let mut prover_transcript = new_merlin_transcript(b"test");
+            prover_transcript.append(b"comm_key_1", &comm_key_1);
+            prover_transcript.append(b"comm_key_2", &comm_key_2);
+            prover_transcript.append(b"comm_scalar", &comm_scalar.comm);
+            prover_transcript.append(b"comm_result", &comm_result.comm);
+            let proof = ScalarMultiplicationProof::<secpAff, tomAff>::new(
+                &mut rng,
+                comm_scalar.clone(),
+                comm_result.clone(),
+                result,
+                base,
                 &comm_key_1,
                 &comm_key_2,
-                &mut verifier_transcript,
+                &mut prover_transcript,
             )
             .unwrap();
+            prov_time.push(start.elapsed());
+
+            proof_sizes.push(proof.compressed_size());
+
+            let start = Instant::now();
+            let mut verifier_transcript = new_merlin_transcript(b"test");
+            verifier_transcript.append(b"comm_key_1", &comm_key_1);
+            verifier_transcript.append(b"comm_key_2", &comm_key_2);
+            verifier_transcript.append(b"comm_scalar", &comm_scalar.comm);
+            verifier_transcript.append(b"comm_result", &comm_result.comm);
+            proof
+                .verify(
+                    &comm_scalar.comm,
+                    &comm_result.comm,
+                    &base,
+                    &comm_key_1,
+                    &comm_key_2,
+                    &mut verifier_transcript,
+                )
+                .unwrap();
+            ver_time.push(start.elapsed());
+        }
+
+        println!("For {} iterations", num_iters);
+        println!("Proving time: {:?}", statistics(prov_time));
+        println!("Verifying time: {:?}", statistics(ver_time));
+        println!(
+            "Proof size (bytes): {:?}",
+            statistics::<usize, usize>(proof_sizes)
+        );
     }
 }

equality_across_groups/src/lib.rs

@@ -6,16 +6,19 @@
 //! extension in section 5 of the paper [Proofs of discrete logarithm equality across groups](https://eprint.iacr.org/2022/1593). Check the [module](./src/eq_across_groups.rs) for more docs
 //! - Implements the protocol to prove elliptic curve point addition and scalar multiplication from the paper [ZKAttest Ring and Group Signatures for Existing ECDSA Keys](https://eprint.iacr.org/2021/1183). Check the [point addition module](./src/ec/sw_point_addition.rs) and [scalar multiplication module](./src/ec/sw_scalar_mult.rs) for more docs
 //! - Use the above protocols to prove knowledge of a committed ECDSA public key on Tom-256 curve. Check the [module](./src/pok_ecdsa_pubkey.rs) for more docs
-//! - Use the above protocols to prove knowledge of a committed ECDSA public key on BLS12-381 curve. Check the tests in [module](./src/pok_ecdsa_pubkey.rs).
+//! - Use the above protocols to prove knowledge of a committed ECDSA public key on BLS12-381 curve. Check the test `pok_ecdsa_pubkey_committed_in_bls12_381_commitment` in [module](./src/pok_ecdsa_pubkey.rs).
 //!
 //! **CREDIT**
 //!
-//! This idea of using these 2 protocols to prove knowledge of ECDSA public key committed on the BLS12-381 curve came from Patrick Amrein from [Unique AG](https://www.unique.ch)
+//! This idea of using these 2 protocols to prove knowledge of ECDSA public key committed on the BLS12-381 curve came from Patrick Amrein from [Ubique](https://ubique.ch/)
 //! and their work [here](https://github.com/UbiqueInnovation/zkattest-rs) is prior art.
 
 // TODO: The protocols do a lot of scalar multiplication checks during verification. These can be optimized using a randomized
 // linear combination check similar to `RandomizedPairingChecker`
 
+// TODO: Lot of commitments are made using the same commitment key so it would benefit to have a "prepared" commitment key where a `WindowTable`
+// for both `g` and `h` exists
+
 pub mod ec;
 pub mod eq_across_groups;
 pub mod error;

equality_across_groups/src/pok_ecdsa_pubkey.rs

@@ -202,6 +202,7 @@ mod tests {
     use dock_crypto_utils::transcript::new_merlin_transcript;
     use rand_core::OsRng;
     use std::time::{Duration, Instant};
+    use test_utils::statistics::statistics;
 
     #[test]
     fn transformed_sig_verify() {
@@ -229,8 +230,10 @@ mod tests {
 
         let mut prov_time = vec![];
         let mut ver_time = vec![];
+        // Since the proof size depends on the values of the random challenge bits of the scalar multiplication protocol
+        let mut proof_sizes = vec![];
         let num_iters = 10;
-        for i in 0..num_iters {
+        for _ in 0..num_iters {
             let message = Fr::rand(&mut rng);
             let sig = ecdsa::Signature::new_prehashed(&mut rng, message, sk);
             let transformed_sig = TransformedEcdsaSig::new(&sig, message, pk).unwrap();
@@ -255,6 +258,8 @@ mod tests {
             .unwrap();
             prov_time.push(start.elapsed());
 
+            proof_sizes.push(proof.compressed_size());
+
             let start = Instant::now();
             let mut verifier_transcript = new_merlin_transcript(b"test");
             verifier_transcript.append(b"comm_key_secp", &comm_key_secp);
@@ -269,15 +274,14 @@ mod tests {
                 )
                 .unwrap();
             ver_time.push(start.elapsed());
-
-            if i == 0 {
-                println!("Proof size = {} bytes", proof.compressed_size());
-            }
         }
 
-        println!("For {} iterations", num_iters);
-        println!("Proving time: {:?}", timing_info(prov_time));
-        println!("Verifying time: {:?}", timing_info(ver_time));
+        println!("Proving time: {:?}", statistics(prov_time));
+        println!("Verifying time: {:?}", statistics(ver_time));
+        println!(
+            "Proof size (bytes): {:?}",
+            statistics::<usize, usize>(proof_sizes)
+        );
     }
 
     #[test]
@@ -329,8 +333,11 @@ mod tests {
 
         let mut prov_time = vec![];
         let mut ver_time = vec![];
+        // Since the proof size depends on the values of the random challenge bits of the scalar multiplication protocol
+        let mut total_proof_sizes = vec![];
+        let mut dl_eq_proof_sizes = vec![];
         let num_iters = 10;
-        for i in 0..num_iters {
+        for _ in 0..num_iters {
             let message = Fr::rand(&mut rng);
             let sig = ecdsa::Signature::new_prehashed(&mut rng, message, sk);
 
@@ -441,19 +448,23 @@ mod tests {
                 .unwrap();
             ver_time.push(start.elapsed());
 
-            if i == 0 {
-                let s_pk = pok_pubkey.compressed_size();
-                let s_pk_x = proof_eq_pk_x.compressed_size();
-                let s_pk_y = proof_eq_pk_y.compressed_size();
-                println!(
-                    "Total proof size = {} bytes. Proof size for equality of committed x and y coordinates = {} bytes",
-                    s_pk + s_pk_x + s_pk_y, s_pk_x + s_pk_y
-                );
-            }
+            let s_pk = pok_pubkey.compressed_size();
+            let s_pk_x = proof_eq_pk_x.compressed_size();
+            let s_pk_y = proof_eq_pk_y.compressed_size();
+            total_proof_sizes.push(s_pk + s_pk_x + s_pk_y);
+            dl_eq_proof_sizes.push(s_pk_x + s_pk_y);
         }
 
         println!("For {} iterations", num_iters);
-        println!("Proving time: {:?}", timing_info(prov_time));
-        println!("Verifying time: {:?}", timing_info(ver_time));
+        println!("Proving time: {:?}", statistics(prov_time));
+        println!("Verifying time: {:?}", statistics(ver_time));
+        println!(
+            "Total proof size (bytes): {:?}",
+            statistics::<usize, usize>(total_proof_sizes)
+        );
+        println!(
+            "Proof size for equality of committed x and y coordinates (bytes): {:?}",
+            statistics::<usize, usize>(dl_eq_proof_sizes)
+        );
     }
 }

equality_across_groups/src/util.rs

@@ -19,26 +19,3 @@ pub fn from_bytes_le<const LIMBS: usize>(bytes: &[u8]) -> BigInt<LIMBS> {
     }
     res
 }
-
-#[cfg(test)]
-pub fn timing_info(mut times: Vec<std::time::Duration>) -> String {
-    // Given timings of an operation repeated several times, prints the total time takes, least time,
-    // median time and the highest time
-    times.sort();
-    let median = {
-        let mid = times.len() / 2;
-        if times.len() % 2 == 0 {
-            (times[mid - 1] + times[mid]) / 2
-        } else {
-            times[mid]
-        }
-    };
-    let total = times.iter().sum::<std::time::Duration>();
-    format!(
-        "{:.2?} | [{:.2?}, {:.2?}, {:.2?}]",
-        total,
-        times[0],
-        median,
-        times[times.len() - 1]
-    )
-}

test_utils/src/lib.rs

@@ -11,3 +11,4 @@ pub mod bbs;
 pub mod serialization;
 pub mod kvac;
 pub mod ot;
+pub mod statistics;

test_utils/src/statistics.rs

@@ -0,0 +1,32 @@
+use std::{
+    fmt::Debug,
+    iter::Sum,
+    ops::{Add, Div},
+};
+
+/// Prints the total, least, median, and the highest value of the given list
+pub fn statistics<T, U>(mut values: Vec<T>) -> String
+where
+    T: Copy + Ord + Add<Output = T> + Sum<T> + Div<U, Output = T> + Debug,
+    U: From<u8>,
+{
+    values.sort();
+    let two = U::from(2);
+
+    let median = {
+        let mid = values.len() / 2;
+        if values.len() % 2 == 0 {
+            (values[mid - 1] + values[mid]) / two
+        } else {
+            values[mid]
+        }
+    };
+    let total: T = values.iter().copied().sum();
+    format!(
+        "{:.2?} | [{:.2?}, {:.2?}, {:.2?}]",
+        total,
+        values.first().unwrap(),
+        median,
+        values.last().unwrap()
+    )
+}