Fix bug that occurs when public point is the identity

Author: onyiny-ang

src/macros.rs

@@ -292,7 +292,7 @@ macro_rules! define_proof {
 
                 let public_vars = PublicVars {
                     $(
-                        $instance_var: verifier.allocate_point(
+                        $instance_var: verifier.allocate_public_point(
                             TRANSCRIPT_LABELS.$instance_var.as_bytes(),
                             *assignments.$instance_var,
                         )?,

src/toolbox/verifier.rs

@@ -62,6 +62,21 @@ impl<'a> Verifier<'a> {
         ScalarVar(self.num_scalars - 1)
     }
 
+    /// Attempt to allocate a public point variable, or fail verification if
+    /// the assignment is invalid. This function allows for public points being the identity.
+    pub fn allocate_public_point(
+        &mut self,
+        label: &'static [u8],
+        assignment: CompressedRistretto,
+    ) -> Result<PointVar, ProofError> {
+        let encoding = assignment.decompress();
+        self.transcript
+            .append_point_var(label, &encoding.unwrap());
+        self.points.push(assignment);
+        self.point_labels.push(label);
+        Ok(PointVar(self.points.len() - 1))
+    }
+
     /// Attempt to allocate a point variable, or fail verification if
     /// the assignment is invalid.
     pub fn allocate_point(

tests/vrf_public_zero.rs

@@ -0,0 +1,98 @@
+// We really want points to be capital letters and scalars to be
+// lowercase letters
+#![allow(non_snake_case)]
+
+#[macro_use]
+extern crate zkp;
+
+use curve25519_dalek::constants as dalek_constants;
+use curve25519_dalek::ristretto::RistrettoPoint;
+use curve25519_dalek::scalar::Scalar;
+
+use zkp::Transcript;
+
+define_proof! {
+    testproof,
+    "Test Proof",
+    (s, a, b, c),
+    (W, X, Y, Z),
+    (B):
+    Z = (s*B + a*W + b*X + c*Y)
+}
+
+// Test the generation and verification of the proof where (W,X,Y) =
+// (w*B, x*B, y*B) and B is the Ristretto generator.  This situation
+// comes up in the issuing protocol of CMZ14 credentials, where w, x,
+// and y are the (public) attributes on the credential being issued.
+pub fn test_issue(w: &Scalar, x: &Scalar, y: &Scalar) {
+    let B: RistrettoPoint = dalek_constants::RISTRETTO_BASEPOINT_POINT;
+
+    // Public points based on the public attributes
+    let (W, X, Y) = (w*B, x*B, y*B);
+
+    let mut rng = rand::thread_rng();
+    // Private coefficients (the prover's MAC key)
+    let a = Scalar::random(&mut rng);
+    let b = Scalar::random(&mut rng);
+    let c = Scalar::random(&mut rng);
+    let s = Scalar::random(&mut rng);
+
+    // (Part of the) public MAC
+    let Z = s*B + a*W + b*X + c*Y;
+
+    // Construct the proof
+    let mut prv_transcript = Transcript::new(b"test transcript");
+    let pi = testproof::prove_compact(
+        &mut prv_transcript,
+        testproof::ProveAssignments {
+            B: &B,
+            W: &W,
+            X: &X,
+            Y: &Y,
+            Z: &Z,
+            a: &a,
+            b: &b,
+            c: &c,
+            s: &s,
+        },
+    )
+    .0;
+
+    // Send (Z, pi) to the verifier
+
+    // The verifier will recompute W, Y, Z as above and then verify:
+
+    let mut vrf_transcript = Transcript::new(b"test transcript");
+    let result =  testproof::verify_compact(
+        &pi,
+        &mut vrf_transcript,
+        testproof::VerifyAssignments {
+            B: &B.compress(),
+            W: &W.compress(),
+            X: &X.compress(),
+            Y: &Y.compress(),
+            Z: &Z.compress(),
+        },
+    );
+
+    assert!(result.is_ok());
+}
+
+#[test]
+fn test_nozero() {
+    let mut rng = rand::thread_rng();
+    let w = Scalar::random(&mut rng);
+    let x = Scalar::random(&mut rng);
+    let y = Scalar::random(&mut rng);
+    test_issue(&w, &x, &y);
+}
+
+#[test]
+fn test_zero() {
+    let mut rng = rand::thread_rng();
+    let w = Scalar::random(&mut rng);
+    let x = Scalar::ZERO;
+    let y = Scalar::random(&mut rng);
+    test_issue(&w, &x, &y);
+}
+