Minor handling and refactoring

Signed-off-by: lovesh <[email protected]>

.github/workflows/test.yml

@@ -58,7 +58,7 @@ jobs:
       - name: Install WASM
         run: rustup target add wasm32-unknown-unknown
       - name: Build for WASM target
-        run: cargo build --no-default-features --target wasm32-unknown-unknown
+        run: cargo build --no-default-features --features=wasmer-js --target wasm32-unknown-unknown
 
   test:
     runs-on: ubuntu-latest

Cargo.toml

@@ -11,6 +11,7 @@ members = [
     "benches",
     "test_utils"
 ]
+resolver = "2"
 
 [profile.release]
 lto = true

README.md

@@ -11,7 +11,13 @@ Library providing privacy enhancing cryptographic primitives.
 1. [Schnorr proof of knowledge protocol](./schnorr_pok) to prove knowledge of discrete log. [This](https://crypto.stanford.edu/cs355/19sp/lec5.pdf) is a good reference. 
 2. [BBS+ signature](./bbs_plus) for anonymous credentials. Based on the paper [Anonymous Attestation Using the Strong Diffie Hellman Assumption Revisited](https://eprint.iacr.org/2016/663)
 3. [Dynamic accumulators, both positive and universal](./vb_accumulator). Based on the paper [Dynamic Universal Accumulator with Batch Update over Bilinear Groups](https://eprint.iacr.org/2020/777)
-4. [Composite proof system](./proof_system) that combines above primitives for use cases like prove knowledge of a BBS+ signature and the corresponding messages and the (non)membership of a certain message(s) in the accumulator. Also numeric bounds (min, max) on the messages can be proved in zero-knowledge and verifiable encryption of messages is also supported.
+4. [Composite proof system](./proof_system) that combines above primitives for use cases like 
+   - prove knowledge of a BBS+ signature and the corresponding messages
+   - equality of signed messages (from same or different signatures) in zero knowledge
+   - the (non)membership of a certain signed message(s)in the accumulator
+   - numeric bounds (min, max) on the messages can be proved in zero-knowledge 
+   - verifiable encryption of signed messages under BBS+. 
+   - zk-SNARK created from R1CS and WASM generated by [Circom](https://docs.circom.io/) with witnesses as BBS+ signed messages. 
 5. [Verifiable encryption](./saver) using [SAVER](https://eprint.iacr.org/2019/1270).
 6. [Compression and amortization of Sigma protocols](./compressed_sigma). This is PoC implementation.
 
@@ -29,7 +35,7 @@ To build with standard library but without parallelization, use `cargo build --n
 
 For `no_std` support, build as `cargo build --no-default-features`
 
-For WASM, build as `cargo build --no-default-features --target wasm32-unknown-unknown`
+For WASM, build as `cargo build --no-default-features --features=wasmer-js --target wasm32-unknown-unknown`
 
 ## Test
 

proof_system/Cargo.toml

@@ -34,7 +34,7 @@ zeroize = { version = "1.5.5", features = ["derive"] }
 git = "https://github.com/lovesh/legogro16"
 branch = "circom"
 #rev = '5bc5e4af466c1bb84a636e18002dcffeeb0d1899'
-#version = "0.3.0"
+version = "0.3.0"
 default-features = false
 features = ["circom"]
 
@@ -46,6 +46,8 @@ test_utils = { version = "0.1.0", default-features = false, path = "../test_util
 
 [features]
 default = [ "parallel" ]
-std = [ "ark-ff/std", "ark-ec/std", "ark-std/std", "ark-serialize/std", "schnorr_pok/std", "dock_crypto_utils/std", "serde/std", "saver/std", "ark-groth16/std", "legogroth16/std", "ark-r1cs-std/std", "ark-relations/std" ]
+std = [ "ark-ff/std", "ark-ec/std", "ark-std/std", "ark-serialize/std", "schnorr_pok/std", "dock_crypto_utils/std", "serde/std", "saver/std", "ark-groth16/std", "legogroth16/std", "ark-r1cs-std/std", "ark-relations/std", "legogroth16/circom" ]
 print-trace = [ "ark-std/print-trace", "schnorr_pok/print-trace", "bbs_plus/print-trace", "vb_accumulator/print-trace", "dock_crypto_utils/print-trace" ]
-parallel = [ "std", "ark-ff/parallel", "ark-ec/parallel", "ark-std/parallel", "rayon", "schnorr_pok/parallel", "bbs_plus/parallel", "vb_accumulator/parallel", "saver/parallel", "ark-groth16/parallel", "legogroth16/parallel", "ark-r1cs-std/parallel", "dock_crypto_utils/parallel" ]
+parallel = [ "std", "ark-ff/parallel", "ark-ec/parallel", "ark-std/parallel", "rayon", "schnorr_pok/parallel", "bbs_plus/parallel", "vb_accumulator/parallel", "saver/parallel", "ark-groth16/parallel", "legogroth16/parallel", "ark-r1cs-std/parallel", "dock_crypto_utils/parallel" ]
+wasmer-js = ["legogroth16/wasmer-js"]
+wasmer-sys = ["legogroth16/wasmer-sys"]

proof_system/src/lib.rs

@@ -2,6 +2,7 @@
 
 //! The goal of this crate is to allow creating and combining zero knowledge proofs by executing several
 //! protocols as sub-protocols.
+//!
 //! The idea is to represent each relation to be proved as a [`Statement`], and any relations between
 //! [`Statement`]s as a [`MetaStatement`]. Both of these types contain public (known to both prover
 //! and verifier) information and are contained in a [`ProofSpec`] whose goal is to unambiguously
@@ -12,6 +13,7 @@
 //! they don't need to. Thus for such protocols, there are different [`Statement`]s for prover and verifier,
 //! like [`SaverProver`] and [`SaverVerifier`] are statements for prover and verifier respectively,
 //! executing SAVER protocol.
+//!
 //! Several [`Statement`]s might need same public parameters like proving knowledge of several BBS+
 //! from the same signer, or verifiable encryption of several messages for the same decryptor. Its not
 //! very efficient to pass the same parameters to each [`Statement`] especially when using this code's WASM
@@ -20,6 +22,67 @@
 //! while creating an [`Statement`]. This array of [`SetupParams`] is then included in the [`ProofSpec`]
 //! and used by the prover and verifier during proof creation and verification respectively.
 //!
+//! A common requirement is to prove equality of certain [`Witness`]s of certain [`Statement`](s). This
+//! is done by using the [`EqualWitnesses`] meta-statement. For each set of [`Witness`]s (from the same or different [`Statement`]s)
+//! that need to proven equal, a [`EqualWitnesses`] is created which is a set of witness references [`WitnessRef`].
+//! Each [`WitnessRef`] contains the [`Statement`] index and the [`Witness`] index in that [`Statement`] and
+//! thus uniquely identifies any [`Witness`] across [`Statement`]s. The [`EqualWitnesses`] meta-statement is also
+//! used to prove predicates over signed messages in zero knowledge, when doing a range-proof over a
+//! signed message (using BBS+), the [`EqualWitnesses`] will refer [`Witness`]s from `Statement::PoKBBSSignatureG1`
+//! statement and `Statement::BoundCheckLegoGroth16` statement. Following are some illustrations of [`EqualWitnesses`]
+//!
+//!  ┌────────────────────────────┐    ┌──────────────────────────────┐     ┌────────────────────────────┐
+//!  │ PokBBSSignatureG1          │    │ PokBBSSignatureG1            │     │ PokBBSSignatureG1          │
+//!  │ Statement 1                │    │ Statement 2                  │     │ Statement 3                │
+//!  ├────────────────────────────┤    ├──────────────────────────────┤     ├────────────────────────────┤
+//!  │ A1, A2, A3, A4, A5         │    │ B1, B2, B3, B4               │     │ C1, C2, C3, C4, C5, C6     │
+//!  └─────────▲──────────────────┘    └─────▲────────▲───────────────┘     └─▲────────────────▲─────────┘
+//!            │                             │        │                       │                │
+//!            │                             │        │                       │                │
+//!            │                             │        │                       │                │
+//!            │                             │        │                       │                │
+//!            │            ┌-───────────────┴────────┴───┬───────────────────┼──────┬─────────┴──────────────────┐
+//!            └────────────┼(0, 2), (1, 1), (2, 0)       ├───────────────────┘      │ (2, 3), (3, 4)             │
+//!                         ├-────────────────────────────┤                          ├────────────────────────────┤
+//!                         │       EqualWitnesses        │                          │  EqualWitnesses            │
+//!                         │       MetaStatement 1       │                          │  MetaStatement 2           │
+//!                         │ A3, B2 and C1 are equal     │                          │  B4 and C5 are equal       │
+//!                         └─────────────────────────────┘                          └────────────────────────────┘
+//!
+//!        For proving certain messages from 3 BBS+ signatures are equal. Here there 2 sets of equalities,
+//!        1. message A3 from 1st signature, B2 from 2nd signature and C1 from 3rd signature
+//!        2. message B4 from 2nd signature and C5 from 3rd signature
+//!
+//!        Thus 3 statements, one for each signature, and 2 meta statements, one for each equality
+//!---------------------------------------------------------------------------------------------------------------------------------------------------
+//!
+//!  ┌────────────────────────────┐    ┌──────────────────────────────┐     ┌────────────────────────────┐
+//!  │ PokBBSSignatureG1          │    │ BoundCheckLegoGroth16        │     │ SAVER                      │
+//!  │ Statement 1                │    │ Statement 2                  │     │ Statement 3                │
+//!  ├────────────────────────────┤    ├──────────────────────────────┤     ├────────────────────────────┤
+//!  │ A1, A2, A3, A4, A5         │    │     B1                       │     │             C1             │
+//!  └─────────▲───────▲──────────┘    └─────▲────────-───────────────┘     └───────────────▲────-───────┘
+//!            │       |─────────────────|   │                                              │
+//!            │                         |   │                                              │
+//!            │                         |──-│-────────────────────|                        │
+//!            │                             │                     |                        |───|
+//!            │            ┌-───────────────┴────────-───┬────────|───────────────────────────-|─────────────────┐
+//!            └────────────┼(0, 2),  (1, 0)              |        |─────────────────│── (0, 4), (2, 1)           │
+//!                         ├-────────────────────────────┤                          ├────────────────────────────┤
+//!                         │       EqualWitnesses        │                          │  EqualWitnesses            │
+//!                         │       MetaStatement 1       │                          │  MetaStatement 2           │
+//!                         │ A3 and  B1 are equal        │                          │  A5 and C1 are equal       │
+//!                         └─────────────────────────────┘                          └────────────────────────────┘
+//!
+//!
+//!        For proving certain messages from a BBS+ signature satisfy 2 predicates,
+//!         1) message A3 satisfies bounds specified in statement 2
+//!         2) message A5 has been verifiably encrypted as per statement 3.
+//!
+//!       Thus 3 statements, one for a signature, and one each for a predicate. 2 meta statements, one each
+//!       for proving equality of the message of the signature and the witness of the predicate
+//! --------------------------------------------------------------------------------------------------------------------------------
+//!
 //! After creating the [`ProofSpec`], the prover uses a [`Witness`] per [`Statement`] and creates a
 //! corresponding [`StatementProof`]. All [`StatementProof`]s are grouped together in a [`Proof`].
 //! The verifier also creates its [`ProofSpec`] and uses it to verify the given proof. Currently it is
@@ -72,6 +135,8 @@
 //!
 //! [`Statement`]: crate::statement::Statement
 //! [`MetaStatement`]: crate::meta_statement::MetaStatement
+//! [`EqualWitnesses`]: crate::meta_statement::EqualWitnesses
+//! [`WitnessRef`]: crate::meta_statement::WitnessRef
 //! [`SaverProver`]: crate::statement::saver::SaverProver
 //! [`SaverVerifier`]: crate::statement::saver::SaverVerifier
 //! [`SetupParams`]: crate::setup_params::SetupParams

proof_system/src/meta_statement.rs

@@ -52,8 +52,8 @@ pub struct MetaStatements(pub Vec<MetaStatement>);
 /// let eq_2_w = EqualWitnesses(eq_2);
 ///
 /// let mut meta_statements = MetaStatements::new();
-/// meta_statements.add(MetaStatement::WitnessEquality(eq_1_w));
-/// meta_statements.add(MetaStatement::WitnessEquality(eq_2_w));
+/// meta_statements.add_witness_equality(eq_1_w);
+/// meta_statements.add_witness_equality(eq_2_w);
 /// ```
 ///
 #[derive(
@@ -78,6 +78,10 @@ impl MetaStatements {
         self.0.len() - 1
     }
 
+    pub fn add_witness_equality(&mut self, item: EqualWitnesses) -> usize {
+        self.add(MetaStatement::WitnessEquality(item))
+    }
+
     pub fn is_empty(&self) -> bool {
         self.0.is_empty()
     }

proof_system/src/proof_spec.rs

@@ -6,7 +6,7 @@ use crate::statement::{Statement, Statements};
 use ark_ec::{AffineCurve, PairingEngine};
 use ark_serialize::{CanonicalDeserialize, CanonicalSerialize, SerializationError};
 use ark_std::{
-    collections::BTreeMap,
+    collections::{BTreeMap, BTreeSet},
     io::{Read, Write},
     vec::Vec,
 };
@@ -67,13 +67,32 @@ where
     /// Sanity check to ensure the proof spec is valid. This should never be false as these are used
     /// by same entity creating them.
     pub fn is_valid(&self) -> bool {
+        // Ensure that messages(s) being revealed are not used in a witness equality.
+        let mut revealed_wit_refs = BTreeSet::new();
+
+        for (i, st) in self.statements.0.iter().enumerate() {
+            match st {
+                Statement::PoKBBSSignatureG1(s) => {
+                    for k in s.revealed_messages.keys() {
+                        revealed_wit_refs.insert((i, *k));
+                    }
+                }
+                _ => continue,
+            }
+        }
+
         for mt in &self.meta_statements.0 {
             match mt {
                 // All witness equalities should be valid
                 MetaStatement::WitnessEquality(w) => {
                     if !w.is_valid() {
                         return false;
                     }
+                    for r in w.0.iter() {
+                        if revealed_wit_refs.contains(r) {
+                            return false;
+                        }
+                    }
                 }
             }
         }