Rename delegated Chaum-Pedersen to delegated Schnorr (#135)

api/src/anon_xfr/abar_to_bar.rs

@@ -27,9 +27,9 @@ use zei_algebra::{
 };
 use zei_crypto::{
     basic::pedersen_comm::{PedersenCommitment, PedersenCommitmentRistretto},
-    delegated_chaum_pedersen::{
-        prove_delegated_chaum_pedersen, verify_delegated_chaum_pedersen,
-        DelegatedChaumPedersenInspection, DelegatedChaumPedersenProof,
+    delegated_schnorr::{
+        prove_delegated_schnorr, verify_delegated_schnorr, DelegatedSchnorrInspection,
+        DelegatedSchnorrProof,
     },
     field_simulation::{SimFr, SimFrParams, SimFrParamsRistretto},
 };
@@ -64,9 +64,9 @@ pub struct AbarToBarPreNote {
     pub witness: PayerWitness,
     /// Input key pair.
     pub input_keypair: AXfrKeyPair,
-    /// Inspection data in the delegated Chaum-Pedersen proof on Ristretto.
+    /// Inspection data in the delegated Schnorr proof on Ristretto.
     pub inspection:
-        DelegatedChaumPedersenInspection<RistrettoScalar, RistrettoPoint, SimFrParamsRistretto>,
+        DelegatedSchnorrInspection<RistrettoScalar, RistrettoPoint, SimFrParamsRistretto>,
     /// Beta on Ristretto.
     pub beta: RistrettoScalar,
     /// Lambda on Ristretto.
@@ -81,8 +81,8 @@ pub struct AbarToBarBody {
     /// The new BAR to be created.
     pub output: BlindAssetRecord,
     /// The inspector's proof on Ristretto.
-    pub delegated_cp_proof:
-        DelegatedChaumPedersenProof<RistrettoScalar, RistrettoPoint, SimFrParamsRistretto>,
+    pub delegated_schnorr_proof:
+        DelegatedSchnorrProof<RistrettoScalar, RistrettoPoint, SimFrParamsRistretto>,
     /// The Merkle root hash.
     pub merkle_root: BLSScalar,
     /// The Merkle root version.
@@ -145,10 +145,10 @@ pub fn init_abar_to_bar_note<R: CryptoRng + RngCore>(
     let point_q = pc_gens.commit(y, delta);
 
     // 4. Compute the inspector's proof.
-    let (delegated_cp_proof, delegated_cp_inspection, beta, lambda) = {
+    let (delegated_schnorr_proof, delegated_schnorr_inspection, beta, lambda) = {
         let mut transcript = Transcript::new(ABAR_TO_BAR_PLONK_PROOF_TRANSCRIPT);
         transcript.append_message(b"nullifier", &this_nullifier.to_bytes());
-        prove_delegated_chaum_pedersen(
+        prove_delegated_schnorr(
             prng,
             &vec![(x, gamma), (y, delta)],
             &pc_gens,
@@ -173,7 +173,7 @@ pub fn init_abar_to_bar_note<R: CryptoRng + RngCore>(
     let body = AbarToBarBody {
         input: this_nullifier,
         output: obar.blind_asset_record.clone(),
-        delegated_cp_proof: delegated_cp_proof.clone(),
+        delegated_schnorr_proof: delegated_schnorr_proof.clone(),
         merkle_root: mt_info_temp.root,
         merkle_root_version: mt_info_temp.root_version,
         memo: owner_memo,
@@ -183,7 +183,7 @@ pub fn init_abar_to_bar_note<R: CryptoRng + RngCore>(
         body,
         witness: payers_witness,
         input_keypair: abar_keypair.clone(),
-        inspection: delegated_cp_inspection,
+        inspection: delegated_schnorr_inspection,
         beta,
         lambda,
     })
@@ -218,7 +218,7 @@ pub fn finish_abar_to_bar_note<R: CryptoRng + RngCore, D: Digest<OutputSize = U6
         prng,
         params,
         witness,
-        &body.delegated_cp_proof,
+        &body.delegated_schnorr_proof,
         &inspection,
         &beta,
         &lambda,
@@ -295,11 +295,11 @@ pub fn verify_abar_to_bar_note<D: Digest<OutputSize = U64> + Default>(
     // important: address folding relies significantly on the Fiat-Shamir transform.
     transcript.append_message(b"nullifier", &note.body.input.to_bytes());
 
-    // 2. Verify the delegated Chaum-Pedersen proof.
-    let (beta, lambda) = verify_delegated_chaum_pedersen(
+    // 2. Verify the delegated Schnorr proof.
+    let (beta, lambda) = verify_delegated_schnorr(
         &pc_gens,
         &vec![com_amount, com_asset_type],
-        &note.body.delegated_cp_proof,
+        &note.body.delegated_schnorr_proof,
         &mut transcript,
     )
     .c(d!())?;
@@ -314,11 +314,11 @@ pub fn verify_abar_to_bar_note<D: Digest<OutputSize = U64> + Default>(
     let address_folding_public_input =
         prepare_verifier_input(&note.folding_instance, &beta_folding, &lambda_folding);
 
-    let delegated_cp_proof = note.body.delegated_cp_proof.clone();
+    let delegated_schnorr_proof = note.body.delegated_schnorr_proof.clone();
 
     let beta_lambda = beta * &lambda;
-    let s1_plus_lambda_s2 = delegated_cp_proof.response_scalars[0].0
-        + delegated_cp_proof.response_scalars[1].0 * &lambda;
+    let s1_plus_lambda_s2 = delegated_schnorr_proof.response_scalars[0].0
+        + delegated_schnorr_proof.response_scalars[1].0 * &lambda;
 
     let beta_sim_fr =
         SimFr::<SimFrParamsRistretto>::from(&BigUint::from_bytes_le(&beta.to_bytes()));
@@ -334,7 +334,7 @@ pub fn verify_abar_to_bar_note<D: Digest<OutputSize = U64> + Default>(
 
     online_inputs.push(input.clone());
     online_inputs.push(merkle_root.clone());
-    online_inputs.push(delegated_cp_proof.inspection_comm);
+    online_inputs.push(delegated_schnorr_proof.inspection_comm);
     online_inputs.extend_from_slice(&beta_sim_fr.limbs);
     online_inputs.extend_from_slice(&lambda_sim_fr.limbs);
     online_inputs.extend_from_slice(&beta_lambda_sim_fr.limbs);
@@ -356,12 +356,8 @@ fn prove_abar_to_bar<R: CryptoRng + RngCore>(
     rng: &mut R,
     params: &ProverParams,
     payers_witness: PayerWitness,
-    proof: &DelegatedChaumPedersenProof<RistrettoScalar, RistrettoPoint, SimFrParamsRistretto>,
-    inspection: &DelegatedChaumPedersenInspection<
-        RistrettoScalar,
-        RistrettoPoint,
-        SimFrParamsRistretto,
-    >,
+    proof: &DelegatedSchnorrProof<RistrettoScalar, RistrettoPoint, SimFrParamsRistretto>,
+    inspection: &DelegatedSchnorrInspection<RistrettoScalar, RistrettoPoint, SimFrParamsRistretto>,
     beta: &RistrettoScalar,
     lambda: &RistrettoScalar,
     folding_witness: &AXfrAddressFoldingWitness,
@@ -393,12 +389,8 @@ fn prove_abar_to_bar<R: CryptoRng + RngCore>(
 /// Construct the anonymous-to-confidential constraint system.
 pub fn build_abar_to_bar_cs(
     payers_witness: PayerWitness,
-    proof: &DelegatedChaumPedersenProof<RistrettoScalar, RistrettoPoint, SimFrParamsRistretto>,
-    inspection: &DelegatedChaumPedersenInspection<
-        RistrettoScalar,
-        RistrettoPoint,
-        SimFrParamsRistretto,
-    >,
+    proof: &DelegatedSchnorrProof<RistrettoScalar, RistrettoPoint, SimFrParamsRistretto>,
+    inspection: &DelegatedSchnorrInspection<RistrettoScalar, RistrettoPoint, SimFrParamsRistretto>,
     beta: &RistrettoScalar,
     lambda: &RistrettoScalar,
     folding_witness: &AXfrAddressFoldingWitness,

api/src/anon_xfr/address_folding.rs

@@ -10,9 +10,9 @@ use zei_algebra::secp256k1::SECP256K1Scalar;
 use zei_algebra::secq256k1::{SECQ256K1Scalar, SECQ256K1G1};
 use zei_crypto::basic::pedersen_comm::PedersenCommitmentSecq256k1;
 use zei_crypto::bulletproofs::scalar_mul::ScalarMulProof;
-use zei_crypto::delegated_chaum_pedersen::{
-    prove_delegated_chaum_pedersen, verify_delegated_chaum_pedersen,
-    DelegatedChaumPedersenInspection, DelegatedChaumPedersenProof,
+use zei_crypto::delegated_schnorr::{
+    prove_delegated_schnorr, verify_delegated_schnorr, DelegatedSchnorrInspection,
+    DelegatedSchnorrProof,
 };
 use zei_crypto::field_simulation::{SimFr, SimFrParams, SimFrParamsSecq256k1};
 use zei_plonk::plonk::constraint_system::field_simulation::SimFrVar;
@@ -23,8 +23,8 @@ use zei_plonk::plonk::constraint_system::VarIndex;
 /// The instance for address folding.
 pub struct AXfrAddressFoldingInstance {
     /// The inspector's proof.
-    pub delegated_cp_proof:
-        DelegatedChaumPedersenProof<SECQ256K1Scalar, SECQ256K1G1, SimFrParamsSecq256k1>,
+    pub delegated_schnorr_proof:
+        DelegatedSchnorrProof<SECQ256K1Scalar, SECQ256K1G1, SimFrParamsSecq256k1>,
     /// The commitments generated during the scalar mul proof, used in delegated CP.
     pub scalar_mul_commitments: Vec<SECQ256K1G1>,
     /// The scalar mul proof.
@@ -39,11 +39,11 @@ pub struct AXfrAddressFoldingWitness {
     /// Blinding factors of the commitments
     pub blinding_factors: Vec<SECQ256K1Scalar>,
     /// The inspector's proof.
-    pub delegated_cp_proof:
-        DelegatedChaumPedersenProof<SECQ256K1Scalar, SECQ256K1G1, SimFrParamsSecq256k1>,
-    /// Inspection data in the delegated Chaum-Pedersen proof.
-    pub delegated_cp_inspection:
-        DelegatedChaumPedersenInspection<SECQ256K1Scalar, SECQ256K1G1, SimFrParamsSecq256k1>,
+    pub delegated_schnorr_proof:
+        DelegatedSchnorrProof<SECQ256K1Scalar, SECQ256K1G1, SimFrParamsSecq256k1>,
+    /// Inspection data in the delegated Schnorr proof.
+    pub delegated_schnorr_inspection:
+        DelegatedSchnorrInspection<SECQ256K1Scalar, SECQ256K1G1, SimFrParamsSecq256k1>,
     /// Beta.
     pub beta: SECQ256K1Scalar,
     /// Lambda.
@@ -55,39 +55,36 @@ impl Default for AXfrAddressFoldingWitness {
         let keypair = AXfrKeyPair::default();
         let blinding_factors = vec![SECQ256K1Scalar::default(); 3];
 
-        let delegated_cp_proof =
-            DelegatedChaumPedersenProof::<SECQ256K1Scalar, SECQ256K1G1, SimFrParamsSecq256k1> {
+        let delegated_schnorr_proof =
+            DelegatedSchnorrProof::<SECQ256K1Scalar, SECQ256K1G1, SimFrParamsSecq256k1> {
                 inspection_comm: Default::default(),
                 randomizers: vec![SECQ256K1G1::default(); 3],
                 response_scalars: vec![(SECQ256K1Scalar::default(), SECQ256K1Scalar::default()); 3],
                 params_phantom: Default::default(),
             };
 
-        let delegated_cp_inspection = DelegatedChaumPedersenInspection::<
-            SECQ256K1Scalar,
-            SECQ256K1G1,
-            SimFrParamsSecq256k1,
-        > {
-            committed_data_and_randomizer: vec![
-                (
-                    SECQ256K1Scalar::default(),
-                    SECQ256K1Scalar::default()
-                );
-                3
-            ],
-            r: BLSScalar::default(),
-            params_phantom: Default::default(),
-            group_phantom: Default::default(),
-        };
+        let delegated_schnorr_inspection =
+            DelegatedSchnorrInspection::<SECQ256K1Scalar, SECQ256K1G1, SimFrParamsSecq256k1> {
+                committed_data_and_randomizer: vec![
+                    (
+                        SECQ256K1Scalar::default(),
+                        SECQ256K1Scalar::default()
+                    );
+                    3
+                ],
+                r: BLSScalar::default(),
+                params_phantom: Default::default(),
+                group_phantom: Default::default(),
+            };
 
         let beta = SECQ256K1Scalar::default();
         let lambda = SECQ256K1Scalar::default();
 
         Self {
             keypair,
             blinding_factors,
-            delegated_cp_proof,
-            delegated_cp_inspection,
+            delegated_schnorr_proof,
+            delegated_schnorr_inspection,
             beta,
             lambda,
         }
@@ -114,10 +111,10 @@ pub fn create_address_folding<R: CryptoRng + RngCore, D: Digest<OutputSize = U64
     let (scalar_mul_proof, scalar_mul_commitments, blinding_factors) =
         { ScalarMulProof::prove(prng, &bp_gens, transcript, &public_key.0, &secret_key.0)? };
 
-    let (delegated_cp_proof, delegated_cp_inspection, beta, lambda) = {
+    let (delegated_schnorr_proof, delegated_schnorr_inspection, beta, lambda) = {
         let secret_key_in_fq = SECQ256K1Scalar::from_bytes(&secret_key.0.to_bytes())?;
 
-        prove_delegated_chaum_pedersen(
+        prove_delegated_schnorr(
             prng,
             &vec![
                 (public_key.0.get_x(), blinding_factors[0]),
@@ -132,16 +129,16 @@ pub fn create_address_folding<R: CryptoRng + RngCore, D: Digest<OutputSize = U64
     };
 
     let instance = AXfrAddressFoldingInstance {
-        delegated_cp_proof: delegated_cp_proof.clone(),
+        delegated_schnorr_proof: delegated_schnorr_proof.clone(),
         scalar_mul_commitments,
         scalar_mul_proof,
     };
 
     let witness = AXfrAddressFoldingWitness {
         keypair: keypair.clone(),
         blinding_factors,
-        delegated_cp_proof,
-        delegated_cp_inspection,
+        delegated_schnorr_proof,
+        delegated_schnorr_inspection,
         beta,
         lambda,
     };
@@ -166,10 +163,10 @@ pub fn verify_address_folding<D: Digest<OutputSize = U64> + Default>(
         .scalar_mul_proof
         .verify(&bp_gens, transcript, &instance.scalar_mul_commitments)?;
 
-    let (beta, lambda) = verify_delegated_chaum_pedersen(
+    let (beta, lambda) = verify_delegated_schnorr(
         &pc_gens,
         &instance.scalar_mul_commitments,
-        &instance.delegated_cp_proof,
+        &instance.delegated_schnorr_proof,
         transcript,
     )?;
 
@@ -368,7 +365,7 @@ pub fn prove_address_folding_in_cs(
         cs.equal(*sim_bit, *scalar_bit);
     }
 
-    // 5. allocate the simulated field elements for the delegated Chaum-Pedersen protocol.
+    // 5. allocate the simulated field elements for the delegated Schnorr protocol.
     // note: the verifier will combine the challenges using the power series of lambda.
     let lambda_series = vec![
         SECQ256K1Scalar::one(),
@@ -403,7 +400,7 @@ pub fn prove_address_folding_in_cs(
         .iter()
         .zip(
             witness
-                .delegated_cp_inspection
+                .delegated_schnorr_inspection
                 .committed_data_and_randomizer
                 .iter(),
         )
@@ -421,9 +418,9 @@ pub fn prove_address_folding_in_cs(
             SimFrVar<SimFrParamsSecq256k1>,
         )>>();
 
-    let combined_response_scalar = witness.delegated_cp_proof.response_scalars[0].0
-        + witness.delegated_cp_proof.response_scalars[1].0 * witness.lambda
-        + witness.delegated_cp_proof.response_scalars[2].0 * witness.lambda * witness.lambda;
+    let combined_response_scalar = witness.delegated_schnorr_proof.response_scalars[0].0
+        + witness.delegated_schnorr_proof.response_scalars[1].0 * witness.lambda
+        + witness.delegated_schnorr_proof.response_scalars[2].0 * witness.lambda * witness.lambda;
     let combined_response_scalar_sim_fr = SimFr::<SimFrParamsSecq256k1>::from(
         &<SECQ256K1Scalar as Into<BigUint>>::into(combined_response_scalar),
     );
@@ -528,9 +525,9 @@ pub fn prove_address_folding_in_cs(
     }
 
     // 7. compare with the inspector's state.
-    let r = witness.delegated_cp_inspection.r;
+    let r = witness.delegated_schnorr_inspection.r;
     let r_var = cs.new_variable(r);
-    let comm_var = cs.new_variable(witness.delegated_cp_proof.inspection_comm);
+    let comm_var = cs.new_variable(witness.delegated_schnorr_proof.inspection_comm);
 
     {
         let mut input_vars = compressed_limbs_var.clone();
@@ -585,7 +582,7 @@ pub fn prepare_verifier_input(
     beta: &SECQ256K1Scalar,
     lambda: &SECQ256K1Scalar,
 ) -> Vec<BLSScalar> {
-    let mut v = vec![instance.delegated_cp_proof.inspection_comm];
+    let mut v = vec![instance.delegated_schnorr_proof.inspection_comm];
 
     let lambda_series = vec![SECQ256K1Scalar::one(), *lambda, *lambda * lambda];
     let beta_lambda_series = lambda_series
@@ -607,9 +604,9 @@ pub fn prepare_verifier_input(
         v.extend_from_slice(&sim_fr.limbs);
     }
 
-    let combined_response_scalar = instance.delegated_cp_proof.response_scalars[0].0
-        + instance.delegated_cp_proof.response_scalars[1].0 * lambda
-        + instance.delegated_cp_proof.response_scalars[2].0 * lambda * lambda;
+    let combined_response_scalar = instance.delegated_schnorr_proof.response_scalars[0].0
+        + instance.delegated_schnorr_proof.response_scalars[1].0 * lambda
+        + instance.delegated_schnorr_proof.response_scalars[2].0 * lambda * lambda;
     let combined_response_scalar_sim_fr = SimFr::<SimFrParamsSecq256k1>::from(
         &<SECQ256K1Scalar as Into<BigUint>>::into(combined_response_scalar),
     );