Merge pull request #152 from dalek-cryptography/generators-capacity

Add a notion of capacity to the Generators struct

Author: hdevalence

rust-toolchain

@@ -1 +1 @@
-nightly-2018-07-16
+nightly-2018-09-04

src/errors.rs

@@ -39,6 +39,7 @@ impl From<MPCError> for ProofError {
         match e {
             MPCError::InvalidBitsize => ProofError::InvalidBitsize,
             MPCError::InvalidAggregation => ProofError::InvalidAggregation,
+            MPCError::InvalidGeneratorsLength => ProofError::InvalidGeneratorsLength,
             _ => ProofError::ProvingError(e),
         }
     }
@@ -65,6 +66,9 @@ pub enum MPCError {
     /// proof with non-power-of-two aggregation size.
     #[fail(display = "Invalid aggregation size, m must be a power of 2")]
     InvalidAggregation,
+    /// This error occurs when the generators are of the wrong length.
+    #[fail(display = "Invalid generators length, must be equal to n.")]
+    InvalidGeneratorsLength,
     /// This error occurs when the dealer is given the wrong number of
     /// value commitments.
     #[fail(display = "Wrong number of value commitments")]

src/generators.rs

@@ -11,6 +11,36 @@ use curve25519_dalek::traits::MultiscalarMul;
 use digest::{ExtendableOutput, Input, XofReader};
 use sha3::{Sha3XofReader, Shake256};
 
+/// Represents a pair of base points for Pedersen commitments.
+#[derive(Copy, Clone)]
+pub struct PedersenGenerators {
+    /// Base for the committed value
+    pub B: RistrettoPoint,
+
+    /// Base for the blinding factor
+    pub B_blinding: RistrettoPoint,
+}
+
+impl PedersenGenerators {
+    /// Creates a Pedersen commitment using the value scalar and a blinding factor.
+    pub fn commit(&self, value: Scalar, blinding: Scalar) -> RistrettoPoint {
+        RistrettoPoint::multiscalar_mul(&[value, blinding], &[self.B, self.B_blinding])
+    }
+}
+
+impl Default for PedersenGenerators {
+    fn default() -> Self {
+        PedersenGenerators {
+            B: GeneratorsChain::new(b"Bulletproofs.Generators.B")
+                .next()
+                .unwrap(),
+            B_blinding: GeneratorsChain::new(b"Bulletproofs.Generators.B_blinding")
+                .next()
+                .unwrap(),
+        }
+    }
+}
+
 /// The `GeneratorsChain` creates an arbitrary-long sequence of orthogonal generators.
 /// The sequence can be deterministically produced starting with an arbitrary point.
 struct GeneratorsChain {
@@ -55,108 +85,160 @@ impl Iterator for GeneratorsChain {
 /// aggregating `m` range proofs of `n` bits each.
 #[derive(Clone)]
 pub struct Generators {
-    /// Number of bits in a rangeproof
-    pub n: usize,
-    /// Number of values or parties
-    pub m: usize,
     /// Bases for Pedersen commitments
     pub pedersen_gens: PedersenGenerators,
+    /// The maximum number of usable generators for each party.
+    pub gens_capacity: usize,
+    /// Number of values or parties
+    pub party_capacity: usize,
     /// Per-bit generators for the bit values
-    pub G: Vec<RistrettoPoint>,
-    /// Per-bit generators for the bit blinding factors
-    pub H: Vec<RistrettoPoint>,
-}
-
-/// The `GeneratorsView` is produced by `Generators::share()`.
-///
-/// The `Generators` struct represents generators for an aggregated
-/// range proof `m` proofs of `n` bits each; the `GeneratorsView`
-/// represents the generators for one of the `m` parties' shares.
-#[derive(Copy, Clone)]
-pub struct GeneratorsView<'a> {
-    /// Bases for Pedersen commitments
-    pub pedersen_gens: &'a PedersenGenerators,
-    /// Per-bit generators for the bit values
-    pub G: &'a [RistrettoPoint],
+    G_vec: Vec<Vec<RistrettoPoint>>,
     /// Per-bit generators for the bit blinding factors
-    pub H: &'a [RistrettoPoint],
-}
-
-/// Represents a pair of base points for Pedersen commitments.
-#[derive(Copy, Clone)]
-pub struct PedersenGenerators {
-    /// Base for the committed value
-    pub B: RistrettoPoint,
-
-    /// Base for the blinding factor
-    pub B_blinding: RistrettoPoint,
-}
-
-impl PedersenGenerators {
-    /// Creates a Pedersen commitment using the value scalar and a blinding factor.
-    pub fn commit(&self, value: Scalar, blinding: Scalar) -> RistrettoPoint {
-        RistrettoPoint::multiscalar_mul(&[value, blinding], &[self.B, self.B_blinding])
-    }
-}
-
-impl Default for PedersenGenerators {
-    fn default() -> Self {
-        PedersenGenerators {
-            B: GeneratorsChain::new(b"Bulletproofs.Generators.B")
-                .next()
-                .unwrap(),
-            B_blinding: GeneratorsChain::new(b"Bulletproofs.Generators.B_blinding")
-                .next()
-                .unwrap(),
-        }
-    }
+    H_vec: Vec<Vec<RistrettoPoint>>,
 }
 
 impl Generators {
-    /// Creates generators for `m` range proofs of `n` bits each.
-    pub fn new(pedersen_gens: PedersenGenerators, n: usize, m: usize) -> Self {
+    /// Create a new `Generators` object.
+    ///
+    /// # Inputs
+    ///
+    /// * `pedersen_gens` is a pair of generators used for Pedersen
+    ///    commitments.
+    /// * `gens_capacity` is the number of generators to precompute
+    ///    for each party.  For rangeproofs, it is sufficient to pass
+    ///    `64`, the maximum bitsize of the rangeproofs.  For circuit
+    ///    proofs, the capacity must be greater than the number of
+    ///    multipliers, rounded up to the next power of two.
+    /// * `party_capacity` is the maximum number of parties that can
+    ///    produce an aggregated proof.
+    pub fn new(
+        pedersen_gens: PedersenGenerators,
+        gens_capacity: usize,
+        party_capacity: usize,
+    ) -> Self {
         use byteorder::{ByteOrder, LittleEndian};
 
-        let G = (0..m)
-            .flat_map(|i| {
+        let G_vec = (0..party_capacity)
+            .map(|i| {
                 let party_index = i as u32;
                 let mut label = [b'G', 0, 0, 0, 0];
                 LittleEndian::write_u32(&mut label[1..5], party_index);
 
-                GeneratorsChain::new(&label).take(n)
-            })
-            .collect();
+                GeneratorsChain::new(&label)
+                    .take(gens_capacity)
+                    .collect::<Vec<_>>()
+            }).collect();
 
-        let H = (0..m)
-            .flat_map(|i| {
+        let H_vec = (0..party_capacity)
+            .map(|i| {
                 let party_index = i as u32;
                 let mut label = [b'H', 0, 0, 0, 0];
                 LittleEndian::write_u32(&mut label[1..5], party_index);
 
-                GeneratorsChain::new(&label).take(n)
-            })
-            .collect();
+                GeneratorsChain::new(&label)
+                    .take(gens_capacity)
+                    .collect::<Vec<_>>()
+            }).collect();
 
         Generators {
             pedersen_gens,
-            n,
-            m,
-            G,
-            H,
+            gens_capacity,
+            party_capacity,
+            G_vec,
+            H_vec,
         }
     }
 
     /// Returns j-th share of generators, with an appropriate
     /// slice of vectors G and H for the j-th range proof.
     pub fn share(&self, j: usize) -> GeneratorsView {
-        let lower = self.n * j;
-        let upper = self.n * (j + 1);
         GeneratorsView {
             pedersen_gens: &self.pedersen_gens,
-            G: &self.G[lower..upper],
-            H: &self.H[lower..upper],
+            gens: &self,
+            share: j,
+        }
+    }
+
+    /// Return an iterator over the aggregation of the parties' G generators with given size `n`.
+    pub(crate) fn G(&self, n: usize, m: usize) -> impl Iterator<Item = &RistrettoPoint> {
+        AggregatedGensIter {
+            n,
+            m,
+            array: &self.G_vec,
+            party_idx: 0,
+            gen_idx: 0,
+        }
+    }
+
+    /// Return an iterator over the aggregation of the parties' H generators with given size `n`.
+    pub(crate) fn H(&self, n: usize, m: usize) -> impl Iterator<Item = &RistrettoPoint> {
+        AggregatedGensIter {
+            n,
+            m,
+            array: &self.H_vec,
+            party_idx: 0,
+            gen_idx: 0,
+        }
+    }
+}
+
+struct AggregatedGensIter<'a> {
+    array: &'a Vec<Vec<RistrettoPoint>>,
+    n: usize,
+    m: usize,
+    party_idx: usize,
+    gen_idx: usize,
+}
+
+impl<'a> Iterator for AggregatedGensIter<'a> {
+    type Item = &'a RistrettoPoint;
+
+    fn next(&mut self) -> Option<Self::Item> {
+        if self.gen_idx >= self.n {
+            self.gen_idx = 0;
+            self.party_idx += 1;
+        }
+
+        if self.party_idx >= self.m {
+            None
+        } else {
+            let cur_gen = self.gen_idx;
+            self.gen_idx += 1;
+            Some(&self.array[self.party_idx][cur_gen])
         }
     }
+
+    fn size_hint(&self) -> (usize, Option<usize>) {
+        let size = self.n * self.m;
+        (size, Some(size))
+    }
+}
+
+/// The `GeneratorsView` is produced by `Generators::share()`.
+///
+/// The `Generators` struct represents generators for an aggregated
+/// range proof `m` proofs of `n` bits each; the `GeneratorsView`
+/// represents the generators for one of the `m` parties' shares.
+#[derive(Copy, Clone)]
+pub struct GeneratorsView<'a> {
+    /// Bases for Pedersen commitments
+    pub pedersen_gens: &'a PedersenGenerators,
+    /// The parent object that this is a view into
+    gens: &'a Generators,
+    /// Which share we are
+    share: usize,
+}
+
+impl<'a> GeneratorsView<'a> {
+    /// Return an iterator over this party's G generators with given size `n`.
+    pub(crate) fn G(&self, n: usize) -> impl Iterator<Item = &'a RistrettoPoint> {
+        self.gens.G_vec[self.share].iter().take(n)
+    }
+
+    /// Return an iterator over this party's H generators with given size `n`.
+    pub(crate) fn H(&self, n: usize) -> impl Iterator<Item = &'a RistrettoPoint> {
+        self.gens.H_vec[self.share].iter().take(n)
+    }
 }
 
 #[cfg(test)]
@@ -165,23 +247,43 @@ mod tests {
     use super::*;
 
     #[test]
-    fn rangeproof_generators() {
-        let n = 2;
-        let m = 3;
-        let gens = Generators::new(PedersenGenerators::default(), n, m);
-
-        // The concatenation of shares must be the full generator set
-        assert_eq!(
-            [gens.G[..n].to_vec(), gens.H[..n].to_vec()],
-            [gens.share(0).G[..].to_vec(), gens.share(0).H[..].to_vec()]
-        );
-        assert_eq!(
-            [gens.G[n..][..n].to_vec(), gens.H[n..][..n].to_vec()],
-            [gens.share(1).G[..].to_vec(), gens.share(1).H[..].to_vec()]
-        );
-        assert_eq!(
-            [gens.G[2 * n..][..n].to_vec(), gens.H[2 * n..][..n].to_vec()],
-            [gens.share(2).G[..].to_vec(), gens.share(2).H[..].to_vec()]
-        );
+    fn aggregated_gens_iter_matches_flat_map() {
+        let gens = Generators::new(PedersenGenerators::default(), 64, 8);
+
+        let helper = |n: usize, m: usize| {
+            let agg_G: Vec<RistrettoPoint> = gens.G(n, m).cloned().collect();
+            let flat_G: Vec<RistrettoPoint> = gens
+                .G_vec
+                .iter()
+                .take(m)
+                .flat_map(move |G_j| G_j.iter().take(n))
+                .cloned()
+                .collect();
+
+            let agg_H: Vec<RistrettoPoint> = gens.H(n, m).cloned().collect();
+            let flat_H: Vec<RistrettoPoint> = gens
+                .H_vec
+                .iter()
+                .take(m)
+                .flat_map(move |H_j| H_j.iter().take(n))
+                .cloned()
+                .collect();
+
+            assert_eq!(agg_G, flat_G);
+            assert_eq!(agg_H, flat_H);
+        };
+
+        helper(64, 8);
+        helper(64, 4);
+        helper(64, 2);
+        helper(64, 1);
+        helper(32, 8);
+        helper(32, 4);
+        helper(32, 2);
+        helper(32, 1);
+        helper(16, 8);
+        helper(16, 4);
+        helper(16, 2);
+        helper(16, 1);
     }
 }

src/inner_product_proof.rs

@@ -300,7 +300,8 @@ impl InnerProductProof {
         }
 
         let pos = 2 * lg_n * 32;
-        let a = Scalar::from_canonical_bytes(read32(&slice[pos..])).ok_or(ProofError::FormatError)?;
+        let a =
+            Scalar::from_canonical_bytes(read32(&slice[pos..])).ok_or(ProofError::FormatError)?;
         let b = Scalar::from_canonical_bytes(read32(&slice[pos + 32..]))
             .ok_or(ProofError::FormatError)?;
 
@@ -337,8 +338,8 @@ mod tests {
 
         use generators::{Generators, PedersenGenerators};
         let gens = Generators::new(PedersenGenerators::default(), n, 1);
-        let G = gens.share(0).G.to_vec();
-        let H = gens.share(0).H.to_vec();
+        let G: Vec<RistrettoPoint> = gens.share(0).G(n).cloned().collect();
+        let H: Vec<RistrettoPoint> = gens.share(0).H(n).cloned().collect();
 
         // Q would be determined upstream in the protocol, so we pick a random one.
         let Q = RistrettoPoint::hash_from_bytes::<Sha3_512>(b"test point");