Struct SchnorrProof

pub struct SchnorrProof<G: Group + GroupEncoding>(pub LinearRelation<G>);

A Schnorr protocol proving knowledge of a witness for a linear group relation.

This implementation generalizes Schnorr’s discrete logarithm proof by using a LinearRelation, representing an abstract linear relation over the group.

Type Parameters

• G: A cryptographic group implementing Group and GroupEncoding.

Tuple Fields

0: LinearRelation<G>

Implementations

impl<G: Group + GroupEncoding> SchnorrProof<G>

pub fn witness_length(&self) -> usize

pub fn commitment_length(&self) -> usize

Trait Implementations

impl<G: Clone + Group + GroupEncoding> Clone for SchnorrProof<G>

fn clone(&self) -> SchnorrProof<G>

Returns a duplicate of the value.

const fn clone_from(&mut self, source: &Self)

Performs copy-assignment from source.

impl<G: Debug + Group + GroupEncoding> Debug for SchnorrProof<G>

fn fmt(&self, f: &mut Formatter<'_>) -> Result

Formats the value using the given formatter.

impl<G: Default + Group + GroupEncoding> Default for SchnorrProof<G>

fn default() -> SchnorrProof<G>

Returns the “default value” for a type.

impl<G> From<LinearRelation<G>> for SchnorrProof<G>

where G: Group + GroupEncoding,

fn from(value: LinearRelation<G>) -> Self

Converts to this type from the input type.

impl<G> From<SchnorrProof<G>> for Protocol<G>

where G: Group + GroupEncoding,

fn from(value: SchnorrProof<G>) -> Self

Converts to this type from the input type.

impl<G> SigmaProtocol for SchnorrProof<G>

where G: Group + GroupEncoding,

fn prover_commit( &self, witness: &Self::Witness, rng: &mut (impl RngCore + CryptoRng), ) -> Result<(Self::Commitment, Self::ProverState), Error>

Prover’s first message: generates a commitment using random nonces.

Parameters

• witness: A vector of scalars that satisfy the linear map relation.
• rng: A cryptographically secure random number generator.

Returns

• A tuple containing:
  • The commitment (a vector of group elements).
  • The prover state (random nonces and witness) used to compute the response.

Errors

-Error::InvalidInstanceWitnessPair if the witness vector length is incorrect.

fn prover_response( &self, prover_state: Self::ProverState, challenge: &Self::Challenge, ) -> Result<Self::Response, Error>

Computes the prover’s response (second message) using the challenge.

Parameters

• state: The prover state returned by prover_commit, typically containing randomness and witness components.
• challenge: The verifier’s challenge scalar.

Returns

• A vector of scalars forming the prover’s response.

Errors

• Returns Error::InvalidInstanceWitnessPair if the prover state vectors have incorrect lengths.

fn verifier( &self, commitment: &Self::Commitment, challenge: &Self::Challenge, response: &Self::Response, ) -> Result<(), Error>

Verifies the correctness of the proof.

Parameters

• commitment: The prover’s commitment vector (group elements).
• challenge: The challenge scalar.
• response: The prover’s response vector.

Returns

• Ok(()) if the proof is valid.
• Err(Error::VerificationFailure) if the proof is invalid.
• Err(Error::InvalidInstanceWitnessPair) if the lengths of commitment or response do not match the expected counts.

Errors

-Error::VerificationFailure if the computed relation does not hold for the provided challenge and response, indicating proof invalidity. -Error::InvalidInstanceWitnessPair if the commitment or response length is incorrect.

fn serialize_commitment(&self, commitment: &Self::Commitment) -> Vec<u8>

Serializes the prover’s commitment into a byte vector.

This function encodes the vector of group elements (the commitment) into a binary format suitable for transmission or storage. This is typically the first message sent in a Sigma protocol round.

Parameters

• commitment: A vector of group elements representing the prover’s commitment.

Returns

A Vec<u8> containing the serialized group elements.

fn serialize_challenge(&self, challenge: &Self::Challenge) -> Vec<u8>

Serializes the verifier’s challenge scalar into bytes.

Converts the challenge scalar into a fixed-length byte encoding. This can be used for Fiat–Shamir hashing, transcript recording, or proof transmission.

Parameters

• challenge: The scalar challenge value.

Returns

A Vec<u8> containing the serialized scalar.

fn serialize_response(&self, response: &Self::Response) -> Vec<u8>

Serializes the prover’s response vector into a byte format.

The response is a vector of scalars computed by the prover after receiving the verifier’s challenge. This function encodes the vector into a format suitable for transmission or inclusion in a batchable proof.

Parameters

• response: A vector of scalar responses computed by the prover.

Returns

A Vec<u8> containing the serialized scalars.

fn deserialize_commitment(&self, data: &[u8]) -> Result<Self::Commitment, Error>

Deserializes a byte slice into a vector of group elements (commitment).

This function reconstructs the prover’s commitment from its binary representation. The number of elements expected is determined by the number of linear constraints in the underlying linear relation.

Parameters

• data: A byte slice containing the serialized commitment.

Returns

A Vec<G> containing the deserialized group elements.

Errors

• Returns Error::VerificationFailure if the data is malformed or contains an invalid encoding.

fn deserialize_challenge(&self, data: &[u8]) -> Result<Self::Challenge, Error>

Deserializes a byte slice into a challenge scalar.

This function expects a single scalar to be encoded and returns it as the verifier’s challenge.

Parameters

• data: A byte slice containing the serialized scalar challenge.

Returns

The deserialized scalar challenge value.

Errors

• Returns Error::VerificationFailure if deserialization fails or data is invalid.

fn deserialize_response(&self, data: &[u8]) -> Result<Self::Response, Error>

Deserializes a byte slice into the prover’s response vector.

The response vector contains scalars used in the second round of the Sigma protocol. The expected number of scalars matches the number of witness variables.

Parameters

• data: A byte slice containing the serialized response.

Returns

A vector of deserialized scalars.

Errors

• Returns Error::VerificationFailure if the byte data is malformed or the length is incorrect.

type Commitment = Vec<G>

type ProverState = (Vec<<G as Group>::Scalar>, Vec<<G as Group>::Scalar>)

type Response = Vec<<G as Group>::Scalar>

type Witness = Vec<<G as Group>::Scalar>

type Challenge = <G as Group>::Scalar

fn instance_label(&self) -> impl AsRef<[u8]>

fn protocol_identifier(&self) -> impl AsRef<[u8]>

impl<G> SigmaProtocolSimulator for SchnorrProof<G>

where G: Group + GroupEncoding,

fn simulate_response<R: Rng + CryptoRng>(&self, rng: &mut R) -> Self::Response

Simulates a valid transcript for a given challenge without a witness.

Parameters

• challenge: A scalar value representing the challenge.
• rng: A cryptographically secure RNG.

Returns

• A commitment and response forming a valid proof for the given challenge.

fn simulate_transcript<R: Rng + CryptoRng>( &self, rng: &mut R, ) -> Result<(Self::Commitment, Self::Challenge, Self::Response), Error>

Simulates a full proof transcript using a randomly generated challenge.

Parameters

• rng: A cryptographically secure RNG.

Returns

• A tuple (commitment, challenge, response) forming a valid proof.

fn simulate_commitment( &self, challenge: &Self::Challenge, response: &Self::Response, ) -> Result<Self::Commitment, Error>

Recomputes the commitment from the challenge and response (used in compact proofs).

Parameters

• challenge: The challenge scalar issued by the verifier or derived via Fiat–Shamir.
• response: The prover’s response vector.

Returns

• A vector of group elements representing the simulated commitment (one per linear constraint).

Errors

• Error::InvalidInstanceWitnessPair if the response length does not match the expected number of scalars.