Refactor Non-Interactive Proofs to use type NiProof

cggmp24/src/key_refresh/aux_only.rs

@@ -93,10 +93,7 @@ pub struct MsgRound2<L: SecurityLevel> {
 pub struct MsgRound3 {
     /// $\psi_i$
     // this should be L::M instead, but no rustc support yet
-    pub mod_proof: (
-        π_mod::Commitment,
-        π_mod::Proof<{ crate::security_level::M }>,
-    ),
+    pub mod_proof: π_mod::NiProof<{ crate::security_level::M }>,
     /// $\phi_i^j$
     pub fac_proof: π_fac::Proof,
 }
@@ -438,16 +435,14 @@ where
         &decommitments,
         &shares_msg_b,
         |j, decommitment, proof_msg| {
-            let (comm, proof) = &proof_msg.mod_proof;
             π_mod::non_interactive::verify::<{ crate::security_level::M }, D>(
                 &unambiguous::ProofMod {
                     sid,
                     rho: rho_bytes.as_ref(),
                     prover: j,
                 },
                 π_mod::Data { n: &decommitment.N },
-                comm,
-                proof,
+                &proof_msg.mod_proof,
             )
             .is_err()
         },

paillier-zk/src/paillier_blum_modulus.rs

@@ -28,7 +28,7 @@
 //! let data = p::Data { n: &n };
 //! let pdata = p::PrivateData { p: &p, q: &q };
 //!
-//! let (commitment, proof) =
+//! let proof =
 //!     p::non_interactive::prove::<{SECURITY}, sha2::Sha256>(
 //!         &shared_state,
 //!         data,
@@ -38,18 +38,17 @@
 //!
 //! // 2. P sends `data, commitment, proof` to the verifier V
 //!
-//! # fn send(_: &p::Data, _: &p::Commitment, _: &p::Proof<{SECURITY}>) { }
-//! send(&data, &commitment, &proof);
+//! # fn send(_: &p::Data, _: &p::NiProof<{SECURITY}>) { }
+//! send(&data, &proof);
 //!
 //! // 3. V receives and verifies the proof:
 //!
-//! # let recv = || (data, commitment, proof);
-//! let (data, commitment, proof) = recv();
+//! # let recv = || (data, proof);
+//! let (data, proof) = recv();
 //!
 //! p::non_interactive::verify::<{SECURITY}, sha2::Sha256>(
 //!     &shared_state,
 //!     data,
-//!     &commitment,
 //!     &proof,
 //! )?;
 //! # Ok(()) }
@@ -102,8 +101,8 @@ pub struct ProofPoint {
     pub z: Integer,
 }
 
-/// The ZK proof. Computed by [`interactive::prove`] or
-/// [`non_interactive::prove`]. Consists of M proofs for each challenge
+/// The ZK proof. Computed by [`interactive::prove`].
+/// Consists of M proofs for each challenge
 #[derive(Debug, Clone)]
 #[cfg_attr(feature = "serde", derive(Serialize, Deserialize))]
 pub struct Proof<const M: usize> {
@@ -115,6 +114,15 @@ pub struct Proof<const M: usize> {
     pub points: [ProofPoint; M],
 }
 
+/// The non-interactive ZK proof. Computed by [`non_interactive::prove`].
+/// Combines commitment and proof.
+#[derive(Debug, Clone)]
+#[cfg_attr(feature = "serde", derive(Serialize, Deserialize))]
+pub struct NiProof<const M: usize> {
+    pub commitment: Commitment,
+    pub proof: Proof<M>,
+}
+
 /// The interactive version of the ZK proof. Should be completed in 3 rounds:
 /// prover commits to data, verifier responds with a random challenge, and
 /// prover gives proof with commitment and challenge.
@@ -241,7 +249,7 @@ pub mod non_interactive {
 
     use crate::{Error, InvalidProof};
 
-    use super::{Challenge, Commitment, Data, PrivateData, Proof};
+    use super::{Challenge, Commitment, Data, NiProof, PrivateData};
 
     /// Compute proof for the given data, producing random commitment and
     /// deriving determenistic challenge.
@@ -252,22 +260,21 @@ pub mod non_interactive {
         data: Data,
         pdata: PrivateData,
         rng: &mut impl rand_core::RngCore,
-    ) -> Result<(Commitment, Proof<M>), Error> {
+    ) -> Result<NiProof<M>, Error> {
         let commitment = super::interactive::commit(data, rng);
         let challenge = challenge::<M, D>(shared_state, data, &commitment);
         let proof = super::interactive::prove(data, pdata, &commitment, &challenge)?;
-        Ok((commitment, proof))
+        Ok(NiProof { commitment, proof })
     }
 
     /// Verify the proof, deriving challenge independently from same data
     pub fn verify<const M: usize, D: Digest>(
         shared_state: &impl udigest::Digestable,
         data: Data,
-        commitment: &Commitment,
-        proof: &Proof<M>,
+        proof: &NiProof<M>,
     ) -> Result<(), InvalidProof> {
-        let challenge = challenge::<M, D>(shared_state, data, commitment);
-        super::interactive::verify(data, commitment, &challenge, proof)
+        let challenge = challenge::<M, D>(shared_state, data, &proof.commitment);
+        super::interactive::verify(data, &proof.commitment, &challenge, &proof.proof)
     }
 
     /// Deterministically compute challenge based on prior known values in protocol
@@ -305,9 +312,9 @@ mod test {
         let data = super::Data { n: &n };
         let pdata = super::PrivateData { p: &p, q: &q };
         let shared_state = "shared state";
-        let (commitment, proof) =
+        let proof =
             super::non_interactive::prove::<65, D>(&shared_state, data, pdata, &mut rng).unwrap();
-        let r = super::non_interactive::verify::<65, D>(&shared_state, data, &commitment, &proof);
+        let r = super::non_interactive::verify::<65, D>(&shared_state, data, &proof);
         match r {
             Ok(()) => (),
             Err(e) => panic!("{e:?}"),
@@ -329,9 +336,9 @@ mod test {
         let data = super::Data { n: &n };
         let pdata = super::PrivateData { p: &p, q: &q };
         let shared_state = "shared state";
-        let (commitment, proof) =
+        let proof =
             super::non_interactive::prove::<65, D>(&shared_state, data, pdata, &mut rng).unwrap();
-        let r = super::non_interactive::verify::<65, D>(&shared_state, data, &commitment, &proof);
+        let r = super::non_interactive::verify::<65, D>(&shared_state, data, &proof);
         if r.is_ok() {
             panic!("proof should not pass");
         }