hcom: separate hashing of commitments

src/groth16/aggregate/prove.rs

@@ -62,12 +62,14 @@ pub fn aggregate_proofs<E: Engine + std::fmt::Debug>(
         let com_c = commit::single_g1::<E>(&srs.vkey, refc)
     };
 
+    let hcom = Transcript::<E>::new("hcom")
+        .write(&com_ab)
+        .write(&com_c)
+        .into_challenge();
+
     // Derive a random scalar to perform a linear combination of proofs
     let r = Transcript::<E>::new("random-r")
-        .write(&com_ab.0)
-        .write(&com_ab.1)
-        .write(&com_c.0)
-        .write(&com_c.1)
+        .write(&hcom)
         .write(&transcript_include)
         .into_challenge();
 
@@ -105,10 +107,9 @@ pub fn aggregate_proofs<E: Engine + std::fmt::Debug>(
         &c,
         &wkey_r_inv,
         &r_vec,
-        &com_ab,
-        &com_c,
         &ip_ab,
         &agg_c,
+        &hcom,
     )?;
     debug_assert!({
         let computed_com_ab = commit::pair::<E>(&srs.vkey, &wkey_r_inv, &a, &b_r).unwrap();
@@ -137,16 +138,14 @@ fn prove_tipp_mipp<E: Engine>(
     c: &[E::G1Affine],
     wkey: &WKey<E>, // scaled key w^r^-1
     r_vec: &[E::Fr],
-    com_ab: &commit::Output<E>,
-    com_c: &commit::Output<E>,
     ip_ab: &E::Fqk,
     agg_c: &E::G1,
+    hcom: &E::Fr,
 ) -> Result<TippMippProof<E>, SynthesisError> {
     let r_shift = r_vec[1].clone();
     // Run GIPA
-    let (proof, mut challenges, mut challenges_inv) = gipa_tipp_mipp::<E>(
-        a, b, c, &srs.vkey, &wkey, r_vec, com_ab, com_c, ip_ab, agg_c,
-    )?;
+    let (proof, mut challenges, mut challenges_inv) =
+        gipa_tipp_mipp::<E>(a, b, c, &srs.vkey, &wkey, r_vec, ip_ab, agg_c, hcom)?;
 
     // Prove final commitment keys are wellformed
     // we reverse the transcript so the polynomial in kzg opening is constructed
@@ -202,10 +201,9 @@ fn gipa_tipp_mipp<E: Engine>(
     vkey: &VKey<E>,
     wkey: &WKey<E>, // scaled key w^r^-1
     r: &[E::Fr],
-    com_ab: &commit::Output<E>,
-    com_c: &commit::Output<E>,
     ip_ab: &E::Fqk,
     agg_c: &E::G1,
+    hcom: &E::Fr,
 ) -> Result<(GipaProof<E>, Vec<E::Fr>, Vec<E::Fr>), SynthesisError> {
     // the values of vectors A and B rescaled at each step of the loop
     let (mut m_a, mut m_b) = (a.to_vec(), b.to_vec());
@@ -223,8 +221,7 @@ fn gipa_tipp_mipp<E: Engine>(
     let mut challenges_inv: Vec<E::Fr> = Vec::new();
 
     let mut c_inv: E::Fr = *Transcript::<E>::new("gipa")
-        .write(com_ab)
-        .write(com_c)
+        .write(hcom)
         .write(ip_ab)
         .write(agg_c)
         .write(&r[1])

src/groth16/aggregate/transcript.rs

@@ -35,6 +35,15 @@ impl<E: Engine> std::ops::Deref for Challenge<E> {
     }
 }
 
+impl<E: Engine> Serialize for Challenge<E> {
+    fn serialize<S>(&self, serializer: S) -> Result<S::Ok, S::Error>
+    where
+        S: serde::Serializer,
+    {
+        self.0.serialize(serializer)
+    }
+}
+
 impl<E: Engine> Transcript<E> {
     pub fn new(application_tag: &str) -> Self {
         let mut hasher = sha2::Sha256::new();

src/groth16/aggregate/verify.rs

@@ -6,9 +6,12 @@ use log::*;
 use rayon::prelude::*;
 
 use super::{
-    accumulator::PairingChecks, inner_product,
-    prove::polynomial_evaluation_product_form_from_transcript, structured_scalar_power,
-    transcript::Transcript, AggregateProof, KZGOpening, VerifierSRS,
+    accumulator::PairingChecks,
+    inner_product,
+    prove::polynomial_evaluation_product_form_from_transcript,
+    structured_scalar_power,
+    transcript::{Challenge, Transcript},
+    AggregateProof, KZGOpening, VerifierSRS,
 };
 use crate::bls::{Engine, PairingCurveAffine};
 use crate::groth16::{
@@ -55,12 +58,14 @@ pub fn verify_aggregate_proof<E: Engine + std::fmt::Debug, R: rand::RngCore + Se
         ));
     }
 
+    let hcom = Transcript::<E>::new("hcom")
+        .write(&proof.com_ab)
+        .write(&proof.com_c)
+        .into_challenge();
+
     // Random linear combination of proofs
     let r = Transcript::<E>::new("random-r")
-        .write(&proof.com_ab.0)
-        .write(&proof.com_ab.1)
-        .write(&proof.com_c.0)
-        .write(&proof.com_c.1)
+        .write(&hcom)
         .write(&transcript_include)
         .into_challenge();
 
@@ -77,6 +82,7 @@ pub fn verify_aggregate_proof<E: Engine + std::fmt::Debug, R: rand::RngCore + Se
                 proof,
                 &r, // we give the extra r as it's not part of the proof itself - it is simply used on top for the groth16 aggregation
                 pairing_checks_copy,
+                &hcom,
             );
             debug!("TIPP took {} ms", now.elapsed().as_millis(),);
         });
@@ -192,11 +198,13 @@ fn verify_tipp_mipp<E: Engine, R: rand::RngCore + Send>(
     proof: &AggregateProof<E>,
     r_shift: &E::Fr,
     pairing_checks: &PairingChecks<E, R>,
+    hcom: &Challenge<E>,
 ) {
     info!("verify with srs shift");
     let now = Instant::now();
     // (T,U), Z for TIPP and MIPP  and all challenges
-    let (final_res, final_r, challenges, challenges_inv) = gipa_verify_tipp_mipp(&proof, r_shift);
+    let (final_res, final_r, challenges, challenges_inv) =
+        gipa_verify_tipp_mipp(&proof, r_shift, hcom);
     debug!(
         "TIPP verify: gipa verify tipp {}ms",
         now.elapsed().as_millis()
@@ -299,6 +307,7 @@ fn verify_tipp_mipp<E: Engine, R: rand::RngCore + Send>(
 fn gipa_verify_tipp_mipp<E: Engine>(
     proof: &AggregateProof<E>,
     r_shift: &E::Fr,
+    hcom: &E::Fr,
 ) -> (GipaTUZ<E>, E::Fr, Vec<E::Fr>, Vec<E::Fr>) {
     info!("gipa verify TIPP");
     let gipa = &proof.tmipp.gipa;
@@ -316,8 +325,7 @@ fn gipa_verify_tipp_mipp<E: Engine>(
     let mut challenges_inv = Vec::new();
 
     let mut c_inv: E::Fr = *Transcript::<E>::new("gipa")
-        .write(&proof.com_ab)
-        .write(&proof.com_c)
+        .write(hcom)
         .write(&proof.ip_ab)
         .write(&proof.agg_c)
         .write(&r_shift)