Rename generator (#91)

Parallel proofs support the use of separate generators for verification and auxiliary verification keys. Currently, the notation `H` is used for the latter, which may be confusing depending on use case by conflicting with other notation (like Pedersen commitments).

This PR renames the generator to `G1`, which is also more in line with how input sets are defined. Note that this is also reflected in proof transcripts.

BREAKING CHANGE: Changes the public API for parallel proofs. Existing proofs will not verify.

benches/parallel.rs

@@ -60,7 +60,7 @@ fn generate_data<R: CryptoRngCore>(
  for witness in &witnesses {
  M[witness.get_l() as usize] = witness.compute_verification_key();
  let r_offset = Scalar::random(rng);
- offsets.push(r_offset * params.get_H());
+ offsets.push(r_offset * params.get_G1());
  M1[witness.get_l() as usize] = witness.compute_auxiliary_verification_key() + offsets.last().unwrap();
  }
  let input_set = Arc::new(TriptychInputSet::new(&M, &M1).unwrap());

src/parallel/mod.rs

@@ -6,12 +6,12 @@
 //! It's possible to extend Triptych proving functionality to the case where each element of an input set if composed of
 //! two keys, a verification key and an auxiliary verification key. This enables additional functionality.
 //!
-//! More formally, let `G`, `H`, and `U` be fixed independent generators of the Ristretto group.
+//! More formally, let `G`, `G1`, and `U` be fixed independent generators of the Ristretto group.
 //! Let `N = n**m`, where `n, m > 1` are fixed parameters.
 //! The parallel Triptych proving system protocol is a sigma protocol for the following relation, where `M` and `M1` are
 //! both `N`-vectors of group elements:
 //!
-//! `{ M, M1, offset, J ; (l, r, r1) : M[l] = r*G, M1[l] - offset = r1*H, r*J = U }`
+//! `{ M, M1, offset, J ; (l, r, r1) : M[l] = r*G, M1[l] - offset = r1*G1, r*J = U }`
 //!
 //! # Example
 //!
@@ -40,7 +40,7 @@
 //! let witness = TriptychWitness::random(&params, &mut rng);
 //!
 //! // Select a random offset
-//! let offset = Scalar::random(&mut rng) * params.get_H();
+//! let offset = Scalar::random(&mut rng) * params.get_G1();
 //!
 //! // Generate an input set of random verification keys, placing ours at the chosen index
 //! // This is `Arc`-wrapped to facilitate efficient reuse!
@@ -56,7 +56,7 @@
 //! let M1 = (0..params.get_N())
 //! .map(|i| {
 //! if i == witness.get_l() {
-//! // This ensures that `M1[l] - offset = r1 * H` to satisfy the proving relation
+//! // This ensures that `M1[l] - offset = r1 * G1` to satisfy the proving relation
 //! witness.compute_auxiliary_verification_key() + offset
 //! } else {
 //! RistrettoPoint::random(&mut rng)

src/parallel/parameters.rs

@@ -27,7 +27,7 @@ pub struct TriptychParameters {
  n: u32,
  m: u32,
  G: RistrettoPoint,
- H: RistrettoPoint,
+ G1: RistrettoPoint,
  U: RistrettoPoint,
  CommitmentG: Vec<RistrettoPoint>,
  CommitmentH: RistrettoPoint,
@@ -53,19 +53,19 @@ impl TriptychParameters {
  /// The base `n > 1` and exponent `m > 1` define the size of verification key vectors, so it must be the case that
  /// `n**m` does not overflow [`prim@u32`]. If any of these conditions is not met, returns a [`ParameterError`].
  ///
- /// This function produces group generators `G`, `H` and `U` for you.
+ /// This function produces group generators `G`, `G1` and `U` for you.
  /// If your use case requires specific generators, use [`TriptychParameters::new_with_generators`] instead.
  #[allow(non_snake_case)]
  pub fn new(n: u32, m: u32) -> Result<Self, ParameterError> {
  // Use the default base point for `G` (this is arbitrary)
  let G = RISTRETTO_BASEPOINT_POINT;
 
- // Use `BLAKE3` to generate `H`
- let mut H_bytes = [0u8; 64];
+ // Use `BLAKE3` to generate `G1`
+ let mut G1_bytes = [0u8; 64];
  let mut hasher = Hasher::new();
- hasher.update(b"Triptych H");
- hasher.finalize_xof().fill(&mut H_bytes);
- let H = RistrettoPoint::from_uniform_bytes(&H_bytes);
+ hasher.update(b"Triptych G1");
+ hasher.finalize_xof().fill(&mut G1_bytes);
+ let G1 = RistrettoPoint::from_uniform_bytes(&G1_bytes);
 
  // Use `BLAKE3` to generate `U`
  let mut U_bytes = [0u8; 64];
@@ -74,17 +74,17 @@ impl TriptychParameters {
  hasher.finalize_xof().fill(&mut U_bytes);
  let U = RistrettoPoint::from_uniform_bytes(&U_bytes);
 
- Self::new_with_generators(n, m, &G, &H, &U)
+ Self::new_with_generators(n, m, &G, &G1, &U)
  }
 
  /// Generate new [`TriptychParameters`] for Triptych proofs.
  ///
  /// The base `n > 1` and exponent `m > 1` define the size of verification key vectors, so it must be the case that
  /// `n**m` does not overflow [`prim@u32`]. If any of these conditions is not met, returns a [`ParameterError`].
  ///
- /// You must also provide independent group generators `G`, `H` and `U`:
+ /// You must also provide independent group generators `G`, `G1` and `U`:
  /// - The generator `G` is used to define verification keys.
- /// - The generator `H` is used to define auxiliary verification keys.
+ /// - The generator `G1` is used to define auxiliary verification keys.
  /// - The generator `U` is used to define linking tags.
  ///
  /// The security of these generators cannot be checked by this function.
@@ -94,7 +94,7 @@ impl TriptychParameters {
  n: u32,
  m: u32,
  G: &RistrettoPoint,
- H: &RistrettoPoint,
+ G1: &RistrettoPoint,
  U: &RistrettoPoint,
  ) -> Result<Self, ParameterError> {
  // These bounds are required by the protocol
@@ -134,7 +134,7 @@ impl TriptychParameters {
  transcript.append_message(b"n", &n.to_le_bytes());
  transcript.append_message(b"m", &m.to_le_bytes());
  transcript.append_message(b"G", G.compress().as_bytes());
- transcript.append_message(b"H", H.compress().as_bytes());
+ transcript.append_message(b"G1", G1.compress().as_bytes());
  transcript.append_message(b"U", U.compress().as_bytes());
  for item in &CommitmentG {
  transcript.append_message(b"CommitmentG", item.compress().as_bytes());
@@ -147,7 +147,7 @@ impl TriptychParameters {
  n,
  m,
  G: *G,
- H: *H,
+ G1: *G1,
  U: *U,
  CommitmentG,
  CommitmentH,
@@ -188,12 +188,12 @@ impl TriptychParameters {
  &self.G
  }
 
- /// Get the group generator `H` from these [`TriptychParameters`].
+ /// Get the group generator `G1` from these [`TriptychParameters`].
  ///
  /// This is the generator used for defining auxiliary verification keys.
  #[allow(non_snake_case)]
- pub fn get_H(&self) -> &RistrettoPoint {
- &self.H
+ pub fn get_G1(&self) -> &RistrettoPoint {
+ &self.G1
  }
 
  /// Get the group generator `U` from these [`TriptychParameters`].

src/parallel/proof.rs

@@ -204,7 +204,7 @@ impl TriptychProof {
  if M_l != r * params.get_G() {
  return Err(ProofError::InvalidParameter);
  }
- if M1_l - offset != r1 * params.get_H() {
+ if M1_l - offset != r1 * params.get_G1() {
  return Err(ProofError::InvalidParameter);
  }
  if &(r * J) != params.get_U() {
@@ -356,7 +356,7 @@ impl TriptychProof {
  .enumerate()
  .map(|(j, rho1)| {
  let minus_offset = -offset;
- let X_points = M1.iter().chain(once(params.get_H())).chain(once(&minus_offset));
+ let X_points = M1.iter().chain(once(params.get_G1())).chain(once(&minus_offset));
  let p_sum: Scalar = p.iter().map(|p| &p[j]).sum();
  let X_scalars = p.iter().map(|p| &p[j]).chain(once(rho1)).chain(once(&p_sum));
 
@@ -646,7 +646,7 @@ impl TriptychProof {
  .chain(once(s.get_offset()))
  })
  .chain(once(params.get_G()))
- .chain(once(params.get_H()))
+ .chain(once(params.get_G1()))
  .chain(params.get_CommitmentG().iter())
  .chain(once(params.get_CommitmentH()))
  .chain(M.iter())
@@ -1068,7 +1068,7 @@ mod test {
  M[witness.get_l() as usize] = witness.compute_verification_key();
 
  let r_offset = Scalar::random(rng);
- offsets.push(r_offset * params.get_H());
+ offsets.push(r_offset * params.get_G1());
  M1[witness.get_l() as usize] = witness.compute_auxiliary_verification_key() + offsets.last().unwrap();
  }
  let input_set = Arc::new(TriptychInputSet::new(&M, &M1).unwrap());

src/parallel/witness.rs

@@ -111,6 +111,6 @@ impl TriptychWitness {
 
  /// Compute the auxiliary verification key for the [`TriptychWitness`] signing key.
  pub fn compute_auxiliary_verification_key(&self) -> RistrettoPoint {
- self.r1 * self.params.get_H()
+ self.r1 * self.params.get_G1()
  }
 }