Add a transcript protocol function that checks for identity points.

Cargo.toml

@@ -12,7 +12,7 @@ keywords = ["cryptography", "ristretto", "zero-knowledge", "bulletproofs"]
 description = "A pure-Rust implementation of Bulletproofs using Ristretto"
 
 [dependencies]
-curve25519-dalek = { version = "1", features = ["serde"] }
+curve25519-dalek = { version = "1.0.3", features = ["serde"] }
 subtle = "2"
 sha3 = "0.8"
 digest = "0.8"
@@ -21,7 +21,7 @@ byteorder = "1"
 serde = "1"
 serde_derive = "1"
 failure = "0.1"
-merlin = "1"
+merlin = "1.1"
 clear_on_drop = "0.2"
 
 [dev-dependencies]

src/inner_product_proof.rs

@@ -107,8 +107,8 @@ impl InnerProductProof {
             L_vec.push(L);
             R_vec.push(R);
 
-            transcript.commit_point(b"L", &L);
-            transcript.commit_point(b"R", &R);
+            transcript.append_point(b"L", &L);
+            transcript.append_point(b"R", &R);
 
             let u = transcript.challenge_scalar(b"u");
             let u_inv = u.invert();
@@ -154,8 +154,8 @@ impl InnerProductProof {
             L_vec.push(L);
             R_vec.push(R);
 
-            transcript.commit_point(b"L", &L);
-            transcript.commit_point(b"R", &R);
+            transcript.append_point(b"L", &L);
+            transcript.append_point(b"R", &R);
 
             let u = transcript.challenge_scalar(b"u");
             let u_inv = u.invert();
@@ -205,8 +205,8 @@ impl InnerProductProof {
 
         let mut challenges = Vec::with_capacity(lg_n);
         for (L, R) in self.L_vec.iter().zip(self.R_vec.iter()) {
-            transcript.commit_point(b"L", L);
-            transcript.commit_point(b"R", R);
+            transcript.validate_and_append_point(b"L", L)?;
+            transcript.validate_and_append_point(b"R", R)?;
             challenges.push(transcript.challenge_scalar(b"u"));
         }
 

src/r1cs/prover.rs

@@ -204,7 +204,7 @@ impl<'a, 'b> Prover<'a, 'b> {
 
         // Add the commitment to the transcript.
         let V = self.cs.pc_gens.commit(v, v_blinding).compress();
-        self.cs.transcript.commit_point(b"V", &V);
+        self.cs.transcript.append_point(b"V", &V);
 
         (V, Variable::Committed(i))
     }
@@ -216,7 +216,7 @@ impl<'a, 'b> Prover<'a, 'b> {
         // We cannot do this in advance because user can commit variables one-by-one,
         // but this suffix provides safe disambiguation because each variable
         // is prefixed with a separate label.
-        self.cs.transcript.commit_u64(b"m", self.m);
+        self.cs.transcript.append_u64(b"m", self.m);
         self.cs
     }
 }
@@ -325,7 +325,7 @@ impl<'a, 'b> ProverCS<'a, 'b> {
 
             // Commit the blinding factors for the input wires
             for v_b in &self.v_blinding {
-                builder = builder.commit_witness_bytes(b"v_blinding", v_b.as_bytes());
+                builder = builder.rekey_with_witness_bytes(b"v_blinding", v_b.as_bytes());
             }
 
             use rand::thread_rng;
@@ -368,9 +368,9 @@ impl<'a, 'b> ProverCS<'a, 'b> {
         )
         .compress();
 
-        self.transcript.commit_point(b"A_I", &A_I);
-        self.transcript.commit_point(b"A_O", &A_O);
-        self.transcript.commit_point(b"S", &S);
+        self.transcript.append_point(b"A_I", &A_I);
+        self.transcript.append_point(b"A_O", &A_O);
+        self.transcript.append_point(b"S", &S);
 
         // 4. Compute blinded vector polynomials l(x) and r(x)
 
@@ -419,11 +419,11 @@ impl<'a, 'b> ProverCS<'a, 'b> {
         let T_5 = self.pc_gens.commit(t_poly.t5, t_5_blinding).compress();
         let T_6 = self.pc_gens.commit(t_poly.t6, t_6_blinding).compress();
 
-        self.transcript.commit_point(b"T_1", &T_1);
-        self.transcript.commit_point(b"T_3", &T_3);
-        self.transcript.commit_point(b"T_4", &T_4);
-        self.transcript.commit_point(b"T_5", &T_5);
-        self.transcript.commit_point(b"T_6", &T_6);
+        self.transcript.append_point(b"T_1", &T_1);
+        self.transcript.append_point(b"T_3", &T_3);
+        self.transcript.append_point(b"T_4", &T_4);
+        self.transcript.append_point(b"T_5", &T_5);
+        self.transcript.append_point(b"T_6", &T_6);
 
         let x = self.transcript.challenge_scalar(b"x");
 
@@ -460,10 +460,10 @@ impl<'a, 'b> ProverCS<'a, 'b> {
 
         let e_blinding = x * (i_blinding + x * (o_blinding + x * s_blinding));
 
-        self.transcript.commit_scalar(b"t_x", &t_x);
+        self.transcript.append_scalar(b"t_x", &t_x);
         self.transcript
-            .commit_scalar(b"t_x_blinding", &t_x_blinding);
-        self.transcript.commit_scalar(b"e_blinding", &e_blinding);
+            .append_scalar(b"t_x_blinding", &t_x_blinding);
+        self.transcript.append_scalar(b"e_blinding", &e_blinding);
 
         // Get a challenge value to combine statements for the IPP
         let w = self.transcript.challenge_scalar(b"w");

src/r1cs/verifier.rs

@@ -171,7 +171,7 @@ impl<'a, 'b> Verifier<'a, 'b> {
         self.cs.V.push(commitment);
 
         // Add the commitment to the transcript.
-        self.cs.transcript.commit_point(b"V", &commitment);
+        self.cs.transcript.append_point(b"V", &commitment);
 
         Variable::Committed(i)
     }
@@ -183,7 +183,7 @@ impl<'a, 'b> Verifier<'a, 'b> {
         // We cannot do this in advance because user can commit variables one-by-one,
         // but this suffix provides safe disambiguation because each variable
         // is prefixed with a separate label.
-        self.cs.transcript.commit_u64(b"m", self.m);
+        self.cs.transcript.append_u64(b"m", self.m);
         self.cs
     }
 }
@@ -261,26 +261,26 @@ impl<'a, 'b> VerifierCS<'a, 'b> {
         // We are performing a single-party circuit proof, so party index is 0.
         let gens = self.bp_gens.share(0);
 
-        self.transcript.commit_point(b"A_I", &proof.A_I);
-        self.transcript.commit_point(b"A_O", &proof.A_O);
-        self.transcript.commit_point(b"S", &proof.S);
+        self.transcript.append_point(b"A_I", &proof.A_I);
+        self.transcript.append_point(b"A_O", &proof.A_O);
+        self.transcript.append_point(b"S", &proof.S);
 
         let y = self.transcript.challenge_scalar(b"y");
         let z = self.transcript.challenge_scalar(b"z");
 
-        self.transcript.commit_point(b"T_1", &proof.T_1);
-        self.transcript.commit_point(b"T_3", &proof.T_3);
-        self.transcript.commit_point(b"T_4", &proof.T_4);
-        self.transcript.commit_point(b"T_5", &proof.T_5);
-        self.transcript.commit_point(b"T_6", &proof.T_6);
+        self.transcript.append_point(b"T_1", &proof.T_1);
+        self.transcript.append_point(b"T_3", &proof.T_3);
+        self.transcript.append_point(b"T_4", &proof.T_4);
+        self.transcript.append_point(b"T_5", &proof.T_5);
+        self.transcript.append_point(b"T_6", &proof.T_6);
 
         let x = self.transcript.challenge_scalar(b"x");
 
-        self.transcript.commit_scalar(b"t_x", &proof.t_x);
+        self.transcript.append_scalar(b"t_x", &proof.t_x);
         self.transcript
-            .commit_scalar(b"t_x_blinding", &proof.t_x_blinding);
+            .append_scalar(b"t_x_blinding", &proof.t_x_blinding);
         self.transcript
-            .commit_scalar(b"e_blinding", &proof.e_blinding);
+            .append_scalar(b"e_blinding", &proof.e_blinding);
 
         let w = self.transcript.challenge_scalar(b"w");
 

src/range_proof/dealer.rs

@@ -94,15 +94,15 @@ impl<'a, 'b> DealerAwaitingBitCommitments<'a, 'b> {
 
         // Commit each V_j individually
         for vc in bit_commitments.iter() {
-            self.transcript.commit_point(b"V", &vc.V_j);
+            self.transcript.append_point(b"V", &vc.V_j);
         }
 
         // Commit aggregated A_j, S_j
         let A: RistrettoPoint = bit_commitments.iter().map(|vc| vc.A_j).sum();
-        self.transcript.commit_point(b"A", &A.compress());
+        self.transcript.append_point(b"A", &A.compress());
 
         let S: RistrettoPoint = bit_commitments.iter().map(|vc| vc.S_j).sum();
-        self.transcript.commit_point(b"S", &S.compress());
+        self.transcript.append_point(b"S", &S.compress());
 
         let y = self.transcript.challenge_scalar(b"y");
         let z = self.transcript.challenge_scalar(b"z");
@@ -158,8 +158,8 @@ impl<'a, 'b> DealerAwaitingPolyCommitments<'a, 'b> {
         let T_1: RistrettoPoint = poly_commitments.iter().map(|pc| pc.T_1_j).sum();
         let T_2: RistrettoPoint = poly_commitments.iter().map(|pc| pc.T_2_j).sum();
 
-        self.transcript.commit_point(b"T_1", &T_1.compress());
-        self.transcript.commit_point(b"T_2", &T_2.compress());
+        self.transcript.append_point(b"T_1", &T_1.compress());
+        self.transcript.append_point(b"T_2", &T_2.compress());
 
         let x = self.transcript.challenge_scalar(b"x");
         let poly_challenge = PolyChallenge { x };
@@ -221,10 +221,10 @@ impl<'a, 'b> DealerAwaitingProofShares<'a, 'b> {
         let t_x_blinding: Scalar = proof_shares.iter().map(|ps| ps.t_x_blinding).sum();
         let e_blinding: Scalar = proof_shares.iter().map(|ps| ps.e_blinding).sum();
 
-        self.transcript.commit_scalar(b"t_x", &t_x);
+        self.transcript.append_scalar(b"t_x", &t_x);
         self.transcript
-            .commit_scalar(b"t_x_blinding", &t_x_blinding);
-        self.transcript.commit_scalar(b"e_blinding", &e_blinding);
+            .append_scalar(b"t_x_blinding", &t_x_blinding);
+        self.transcript.append_scalar(b"e_blinding", &e_blinding);
 
         // Get a challenge value to combine statements for the IPP
         let w = self.transcript.challenge_scalar(b"w");

src/range_proof/mod.rs

@@ -287,24 +287,27 @@ impl RangeProof {
         transcript.rangeproof_domain_sep(n as u64, m as u64);
 
         for V in value_commitments.iter() {
-            transcript.commit_point(b"V", V);
+            // Allow the commitments to be zero (0 value, 0 blinding)
+            // See https://github.com/dalek-cryptography/bulletproofs/pull/248#discussion_r255167177
+            transcript.append_point(b"V", V);
         }
-        transcript.commit_point(b"A", &self.A);
-        transcript.commit_point(b"S", &self.S);
+
+        transcript.validate_and_append_point(b"A", &self.A)?;
+        transcript.validate_and_append_point(b"S", &self.S)?;
 
         let y = transcript.challenge_scalar(b"y");
         let z = transcript.challenge_scalar(b"z");
         let zz = z * z;
         let minus_z = -z;
 
-        transcript.commit_point(b"T_1", &self.T_1);
-        transcript.commit_point(b"T_2", &self.T_2);
+        transcript.validate_and_append_point(b"T_1", &self.T_1)?;
+        transcript.validate_and_append_point(b"T_2", &self.T_2)?;
 
         let x = transcript.challenge_scalar(b"x");
 
-        transcript.commit_scalar(b"t_x", &self.t_x);
-        transcript.commit_scalar(b"t_x_blinding", &self.t_x_blinding);
-        transcript.commit_scalar(b"e_blinding", &self.e_blinding);
+        transcript.append_scalar(b"t_x", &self.t_x);
+        transcript.append_scalar(b"t_x_blinding", &self.t_x_blinding);
+        transcript.append_scalar(b"e_blinding", &self.e_blinding);
 
         let w = transcript.challenge_scalar(b"w");
 

src/transcript.rs

@@ -1,59 +1,75 @@
 //! Defines a `TranscriptProtocol` trait for using a Merlin transcript.
 
-use byteorder::{ByteOrder, LittleEndian};
 use curve25519_dalek::ristretto::CompressedRistretto;
 use curve25519_dalek::scalar::Scalar;
 use merlin::Transcript;
 
+use errors::ProofError;
+
 pub trait TranscriptProtocol {
-    /// Commit a domain separator for an `n`-bit, `m`-party range proof.
+    /// Append a domain separator for an `n`-bit, `m`-party range proof.
     fn rangeproof_domain_sep(&mut self, n: u64, m: u64);
-    /// Commit a domain separator for a length-`n` inner product proof.
+
+    /// Append a domain separator for a length-`n` inner product proof.
     fn innerproduct_domain_sep(&mut self, n: u64);
-    /// Commit a domain separator for a constraint system.
+
+    /// Append a domain separator for a constraint system.
     fn r1cs_domain_sep(&mut self);
-    /// Commit a 64-bit integer.
-    fn commit_u64(&mut self, label: &'static [u8], n: u64);
-    /// Commit a `scalar` with the given `label`.
-    fn commit_scalar(&mut self, label: &'static [u8], scalar: &Scalar);
-    /// Commit a `point` with the given `label`.
-    fn commit_point(&mut self, label: &'static [u8], point: &CompressedRistretto);
+
+    /// Append a `scalar` with the given `label`.
+    fn append_scalar(&mut self, label: &'static [u8], scalar: &Scalar);
+
+    /// Append a `point` with the given `label`.
+    fn append_point(&mut self, label: &'static [u8], point: &CompressedRistretto);
+
+    /// Check that a point is not the identity, then append it to the
+    /// transcript.  Otherwise, return an error.
+    fn validate_and_append_point(
+        &mut self,
+        label: &'static [u8],
+        point: &CompressedRistretto,
+    ) -> Result<(), ProofError>;
+
     /// Compute a `label`ed challenge variable.
     fn challenge_scalar(&mut self, label: &'static [u8]) -> Scalar;
 }
 
-fn le_u64(value: u64) -> [u8; 8] {
-    let mut value_bytes = [0u8; 8];
-    LittleEndian::write_u64(&mut value_bytes, value);
-    value_bytes
-}
-
 impl TranscriptProtocol for Transcript {
     fn rangeproof_domain_sep(&mut self, n: u64, m: u64) {
-        self.commit_bytes(b"dom-sep", b"rangeproof v1");
-        self.commit_bytes(b"n", &le_u64(n));
-        self.commit_bytes(b"m", &le_u64(m));
+        self.append_message(b"dom-sep", b"rangeproof v1");
+        self.append_u64(b"n", n);
+        self.append_u64(b"m", m);
     }
 
     fn innerproduct_domain_sep(&mut self, n: u64) {
-        self.commit_bytes(b"dom-sep", b"ipp v1");
-        self.commit_bytes(b"n", &le_u64(n));
+        self.append_message(b"dom-sep", b"ipp v1");
+        self.append_u64(b"n", n);
     }
 
     fn r1cs_domain_sep(&mut self) {
-        self.commit_bytes(b"dom-sep", b"r1cs v1");
+        self.append_message(b"dom-sep", b"r1cs v1");
     }
 
-    fn commit_u64(&mut self, label: &'static [u8], n: u64) {
-        self.commit_bytes(label, &le_u64(n));
+    fn append_scalar(&mut self, label: &'static [u8], scalar: &Scalar) {
+        self.append_message(label, scalar.as_bytes());
     }
 
-    fn commit_scalar(&mut self, label: &'static [u8], scalar: &Scalar) {
-        self.commit_bytes(label, scalar.as_bytes());
+    fn append_point(&mut self, label: &'static [u8], point: &CompressedRistretto) {
+        self.append_message(label, point.as_bytes());
     }
 
-    fn commit_point(&mut self, label: &'static [u8], point: &CompressedRistretto) {
-        self.commit_bytes(label, point.as_bytes());
+    fn validate_and_append_point(
+        &mut self,
+        label: &'static [u8],
+        point: &CompressedRistretto,
+    ) -> Result<(), ProofError> {
+        use curve25519_dalek::traits::IsIdentity;
+
+        if point.is_identity() {
+            Err(ProofError::VerificationError)
+        } else {
+            Ok(self.append_message(label, point.as_bytes()))
+        }
     }
 
     fn challenge_scalar(&mut self, label: &'static [u8]) -> Scalar {

tests/r1cs.rs

@@ -70,9 +70,10 @@ impl ShuffleProof {
         R1CSError,
     > {
         // Apply a domain separator with the shuffle parameters to the transcript
+        // XXX should this be part of the gadget?
         let k = input.len();
-        transcript.commit_bytes(b"dom-sep", b"ShuffleProof");
-        transcript.commit_bytes(b"k", Scalar::from(k as u64).as_bytes());
+        transcript.append_message(b"dom-sep", b"ShuffleProof");
+        transcript.append_u64(b"k", k as u64);
 
         let mut prover = Prover::new(&bp_gens, &pc_gens, transcript);
 
@@ -111,9 +112,10 @@ impl ShuffleProof {
         output_commitments: &Vec<CompressedRistretto>,
     ) -> Result<(), R1CSError> {
         // Apply a domain separator with the shuffle parameters to the transcript
+        // XXX should this be part of the gadget?
         let k = input_commitments.len();
-        transcript.commit_bytes(b"dom-sep", b"ShuffleProof");
-        transcript.commit_bytes(b"k", Scalar::from(k as u64).as_bytes());
+        transcript.append_message(b"dom-sep", b"ShuffleProof");
+        transcript.append_u64(b"k", k as u64);
 
         let mut verifier = Verifier::new(&bp_gens, &pc_gens, transcript);