AztecProtocol · codygunton · Mar 2, 2023 · Feb 17, 2023 · Feb 21, 2023 · Feb 27, 2023
diff --git a/cpp/src/aztec/stdlib/encryption/schnorr/schnorr.cpp b/cpp/src/aztec/stdlib/encryption/schnorr/schnorr.cpp
@@ -1,4 +1,5 @@
 #include "schnorr.hpp"
+#include <array>
 #include <crypto/pedersen/pedersen.hpp>
 #include <ecc/curves/grumpkin/grumpkin.hpp>
 #include <stdlib/hash/blake2s/blake2s.hpp>
@@ -265,12 +266,16 @@ point<C> variable_base_mul(const point<C>& pub_key, const point<C>& current_accu
 }
 
 /**
- * @brief Verify a signature (s, e)  i.e., compute e' = hash(([s]g + [e]pub).x | message) and check that e' == e.
+ * @brief Make the computations needed to verify a signature (s, e),  i.e., compute
+ *          e' = hash(([s]g + [e]pub).x | message)
+          and return e'.
  *
  * @details TurboPlonk: ~10850 gates (~4k for variable_base_mul, ~6k for blake2s) for a string of length < 32.
  */
 template <typename C>
-void verify_signature(const byte_array<C>& message, const point<C>& pub_key, const signature_bits<C>& sig)
+std::array<field_t<C>, 2> verify_signature_internal(const byte_array<C>& message,
+                                                    const point<C>& pub_key,
+                                                    const signature_bits<C>& sig)
 {
     // Compute [s]g, where s = (s_lo, s_hi) and g = G1::one.
     point<C> R_1 = group<C>::fixed_base_scalar_mul(sig.s_lo, sig.s_hi);
@@ -293,10 +298,39 @@ void verify_signature(const byte_array<C>& message, const point<C>& pub_key, con
 
     field_t<C> output_hi(output.slice(0, 16));
     field_t<C> output_lo(output.slice(16, 16));
+
+    return { output_lo, output_hi };
+}
+
+/**
+ * @brief Verify that a signature (s, e) is valid, i.e., compute
+ *          e' = hash(([s]g + [e]pub).x | message)
+ *        and check that
+ *          e' == e is true.
+ */
+template <typename C>
+void verify_signature(const byte_array<C>& message, const point<C>& pub_key, const signature_bits<C>& sig)
+{
+    auto [output_lo, output_hi] = verify_signature_internal(message, pub_key, sig);
     output_lo.assert_equal(sig.e_lo, "verify signature failed");
     output_hi.assert_equal(sig.e_hi, "verify signature failed");
 }
 
+/**
+ * @brief Attempt to verify a signature (s, e) and return the result, i.e., compute
+ *          e' = hash(([s]g + [e]pub).x | message)
+ *        and return the boolean witness e' == e.
+ */
+template <typename C>
+bool_t<C> signature_verification_result(const byte_array<C>& message,
+                                        const point<C>& pub_key,
+                                        const signature_bits<C>& sig)
+{
+    auto [output_lo, output_hi] = verify_signature_internal(message, pub_key, sig);
+    bool_t<C> valid = (output_lo == sig.e_lo) && (output_hi == sig.e_hi);
+    return valid;
+}
+
 template wnaf_record<plonk::TurboComposer> convert_field_into_wnaf<plonk::TurboComposer>(
     plonk::TurboComposer* context, const field_t<plonk::TurboComposer>& limb);
 
@@ -311,13 +345,31 @@ template point<plonk::TurboComposer> variable_base_mul<plonk::TurboComposer>(con
                                                                              const point<plonk::TurboComposer>&,
                                                                              const wnaf_record<plonk::TurboComposer>&);
 
+template std::array<field_t<plonk::TurboComposer>, 2> verify_signature_internal<plonk::TurboComposer>(
+    const byte_array<plonk::TurboComposer>&,
+    const point<plonk::TurboComposer>&,
+    const signature_bits<plonk::TurboComposer>&);
+template std::array<field_t<plonk::UltraComposer>, 2> verify_signature_internal<plonk::UltraComposer>(
+    const byte_array<plonk::UltraComposer>&,
+    const point<plonk::UltraComposer>&,
+    const signature_bits<plonk::UltraComposer>&);
+
 template void verify_signature<plonk::TurboComposer>(const byte_array<plonk::TurboComposer>&,
                                                      const point<plonk::TurboComposer>&,
                                                      const signature_bits<plonk::TurboComposer>&);
 template void verify_signature<plonk::UltraComposer>(const byte_array<plonk::UltraComposer>&,
                                                      const point<plonk::UltraComposer>&,
                                                      const signature_bits<plonk::UltraComposer>&);
 
+template bool_t<plonk::TurboComposer> signature_verification_result<plonk::TurboComposer>(
+    const byte_array<plonk::TurboComposer>&,
+    const point<plonk::TurboComposer>&,
+    const signature_bits<plonk::TurboComposer>&);
+template bool_t<plonk::UltraComposer> signature_verification_result<plonk::UltraComposer>(
+    const byte_array<plonk::UltraComposer>&,
+    const point<plonk::UltraComposer>&,
+    const signature_bits<plonk::UltraComposer>&);
+
 template signature_bits<plonk::TurboComposer> convert_signature<plonk::TurboComposer>(
     plonk::TurboComposer*, const crypto::schnorr::signature&);
 template signature_bits<plonk::UltraComposer> convert_signature<plonk::UltraComposer>(

diff --git a/cpp/src/aztec/stdlib/encryption/schnorr/schnorr.hpp b/cpp/src/aztec/stdlib/encryption/schnorr/schnorr.hpp
@@ -32,9 +32,19 @@ point<C> variable_base_mul(const point<C>& pub_key, const field_t<C>& low_bits,
 
 template <typename C> signature_bits<C> convert_signature(C* context, const crypto::schnorr::signature& sig);
 
+template <typename C>
+std::array<field_t<C>, 2> verify_signature_internal(const byte_array<C>& message,
+                                                    const point<C>& pub_key,
+                                                    const signature_bits<C>& sig);
+
 template <typename C>
 void verify_signature(const byte_array<C>& message, const point<C>& pub_key, const signature_bits<C>& sig);
 
+template <typename C>
+bool_t<C> signature_verification_result(const byte_array<C>& message,
+                                        const point<C>& pub_key,
+                                        const signature_bits<C>& sig);
+
 extern template point<plonk::TurboComposer> variable_base_mul<plonk::TurboComposer>(
     const point<plonk::TurboComposer>&, const point<plonk::TurboComposer>&, const wnaf_record<plonk::TurboComposer>&);
 
@@ -48,13 +58,31 @@ extern template wnaf_record<plonk::TurboComposer> convert_field_into_wnaf<plonk:
 extern template wnaf_record<plonk::UltraComposer> convert_field_into_wnaf<plonk::UltraComposer>(
     plonk::UltraComposer* context, const field_t<plonk::UltraComposer>& limb);
 
+extern template std::array<field_t<plonk::TurboComposer>, 2> verify_signature_internal<plonk::TurboComposer>(
+    const byte_array<plonk::TurboComposer>&,
+    const point<plonk::TurboComposer>&,
+    const signature_bits<plonk::TurboComposer>&);
+extern template std::array<field_t<plonk::UltraComposer>, 2> verify_signature_internal<plonk::UltraComposer>(
+    const byte_array<plonk::UltraComposer>&,
+    const point<plonk::UltraComposer>&,
+    const signature_bits<plonk::UltraComposer>&);
+
 extern template void verify_signature<plonk::TurboComposer>(const byte_array<plonk::TurboComposer>&,
                                                             const point<plonk::TurboComposer>&,
                                                             const signature_bits<plonk::TurboComposer>&);
 extern template void verify_signature<plonk::UltraComposer>(const byte_array<plonk::UltraComposer>&,
                                                             const point<plonk::UltraComposer>&,
                                                             const signature_bits<plonk::UltraComposer>&);
 
+extern template bool_t<plonk::TurboComposer> signature_verification_result<plonk::TurboComposer>(
+    const byte_array<plonk::TurboComposer>&,
+    const point<plonk::TurboComposer>&,
+    const signature_bits<plonk::TurboComposer>&);
+extern template bool_t<plonk::UltraComposer> signature_verification_result<plonk::UltraComposer>(
+    const byte_array<plonk::UltraComposer>&,
+    const point<plonk::UltraComposer>&,
+    const signature_bits<plonk::UltraComposer>&);
+
 extern template signature_bits<plonk::TurboComposer> convert_signature<plonk::TurboComposer>(
     plonk::TurboComposer*, const crypto::schnorr::signature&);
 extern template signature_bits<plonk::UltraComposer> convert_signature<plonk::UltraComposer>(

diff --git a/cpp/src/aztec/stdlib/encryption/schnorr/schnorr.test.cpp b/cpp/src/aztec/stdlib/encryption/schnorr/schnorr.test.cpp
@@ -35,7 +35,7 @@ auto run_scalar_mul_test = [](grumpkin::fr scalar_mont, bool expect_verify) {
 
     auto prover = composer.create_prover();
 
-    printf("composer gates = %zu\n", composer.get_num_gates());
+    info("composer gates = %zu\n", composer.get_num_gates());
     auto verifier = composer.create_verifier();
 
     plonk::proof proof = prover.construct_proof();
@@ -154,7 +154,7 @@ TEST(stdlib_schnorr, convert_field_into_wnaf)
 
     auto prover = composer.create_prover();
 
-    printf("composer gates = %zu\n", composer.get_num_gates());
+    info("composer gates = %zu\n", composer.get_num_gates());
     auto verifier = composer.create_verifier();
 
     plonk::proof proof = prover.construct_proof();
@@ -209,7 +209,7 @@ TEST(stdlib_schnorr, verify_signature)
         stdlib::schnorr::verify_signature(message, pub_key, sig);
 
         auto prover = composer.create_prover();
-        printf("composer gates = %zu\n", composer.get_num_gates());
+        info("composer gates = %zu\n", composer.get_num_gates());
         auto verifier = composer.create_verifier();
         plonk::proof proof = prover.construct_proof();
         bool result = verifier.verify_proof(proof);
@@ -254,7 +254,7 @@ TEST(stdlib_schnorr, verify_signature_failure)
 
     auto prover = composer.create_prover();
 
-    printf("composer gates = %zu\n", composer.get_num_gates());
+    info("composer gates = %zu\n", composer.get_num_gates());
     auto verifier = composer.create_verifier();
 
     plonk::proof proof = prover.construct_proof();
@@ -263,4 +263,84 @@ TEST(stdlib_schnorr, verify_signature_failure)
     EXPECT_EQ(verification_result, false);
 }
 
+/**
+ * @test Like stdlib_schnorr.verify_signature, but we use the function signature_verification that produces a
+ * boolean witness and does not require the prover to provide a valid signature.
+ */
+TEST(stdlib_schnorr, signature_verification_result)
+{
+    std::string longer_string = "This is a test string of length 34";
+
+    Composer composer = Composer();
+
+    crypto::schnorr::key_pair<grumpkin::fr, grumpkin::g1> account;
+    account.private_key = grumpkin::fr::random_element();
+    account.public_key = grumpkin::g1::one * account.private_key;
+
+    crypto::schnorr::signature signature =
+        crypto::schnorr::construct_signature<Blake2sHasher, grumpkin::fq, grumpkin::fr, grumpkin::g1>(longer_string,
+                                                                                                      account);
+
+    bool first_result = crypto::schnorr::verify_signature<Blake2sHasher, grumpkin::fq, grumpkin::fr, grumpkin::g1>(
+        longer_string, account.public_key, signature);
+    EXPECT_EQ(first_result, true);
+
+    point_ct pub_key{ witness_ct(&composer, account.public_key.x), witness_ct(&composer, account.public_key.y) };
+    stdlib::schnorr::signature_bits sig = stdlib::schnorr::convert_signature(&composer, signature);
+    byte_array_ct message(&composer, longer_string);
+    bool_ct signature_result = stdlib::schnorr::signature_verification_result(message, pub_key, sig);
+    EXPECT_EQ(signature_result.witness_bool, true);
+
+    plonk::stdlib::types::Prover prover = composer.create_prover();
+    info("composer gates = %zu\n", composer.get_num_gates());
+    plonk::stdlib::types::Verifier verifier = composer.create_verifier();
+    plonk::proof proof = prover.construct_proof();
+    bool result = verifier.verify_proof(proof);
+    EXPECT_EQ(result, true);
+}
+
+/**
+ * @test Like stdlib_schnorr.verify_signature_failure, but we use the function signature_verification that produces a
+ * boolean witness and allow for proving that a signature verification fails.
+ */
+TEST(stdlib_schnorr, signature_verification_result_failure)
+{
+    Composer composer = Composer();
+    std::string message_string = "This is a test string of length 34";
+
+    // create key pair 1
+    crypto::schnorr::key_pair<grumpkin::fr, grumpkin::g1> account1;
+    account1.private_key = grumpkin::fr::random_element();
+    account1.public_key = grumpkin::g1::one * account1.private_key;
+
+    // create key pair 2
+    crypto::schnorr::key_pair<grumpkin::fr, grumpkin::g1> account2;
+    account2.private_key = grumpkin::fr::random_element();
+    account2.public_key = grumpkin::g1::one * account2.private_key;
+
+    // sign the message with account 1 private key
+    crypto::schnorr::signature signature =
+        crypto::schnorr::construct_signature<Blake2sHasher, grumpkin::fq, grumpkin::fr, grumpkin::g1>(message_string,
+                                                                                                      account1);
+
+    // check native verification with account 2 public key fails
+    bool native_result = crypto::schnorr::verify_signature<Blake2sHasher, grumpkin::fq, grumpkin::fr, grumpkin::g1>(
+        message_string, account2.public_key, signature);
+    EXPECT_EQ(native_result, false);
+
+    // check stdlib verification with account 2 public key fails
+    point_ct pub_key2_ct{ witness_ct(&composer, account2.public_key.x), witness_ct(&composer, account2.public_key.y) };
+    stdlib::schnorr::signature_bits sig = stdlib::schnorr::convert_signature(&composer, signature);
+    byte_array_ct message(&composer, message_string);
+    bool_ct signature_result = stdlib::schnorr::signature_verification_result(message, pub_key2_ct, sig);
+    EXPECT_EQ(signature_result.witness_bool, false);
+
+    plonk::stdlib::types::Prover prover = composer.create_prover();
+    info("composer gates = %zu\n", composer.get_num_gates());
+    plonk::stdlib::types::Verifier verifier = composer.create_verifier();
+    plonk::proof proof = prover.construct_proof();
+    bool verification_result = verifier.verify_proof(proof);
+    EXPECT_EQ(verification_result, true);
+}
+
 } // namespace test_stdlib_schnorr