AaronFeickert
diff --git a/‎src/parallel/parameters.rs
Lines changed: 25 additions & 8 deletions b/‎src/parallel/parameters.rs
Lines changed: 25 additions & 8 deletions
diff --git a/‎src/parallel/proof.rs
Lines changed: 85 additions & 29 deletions b/‎src/parallel/proof.rs
Lines changed: 85 additions & 29 deletions
@@ -38,8 +38,11 @@ pub struct TriptychParameters {
 #[derive(Debug, Snafu)]
 pub enum ParameterError {
     /// An invalid parameter was provided.
-    #[snafu(display("An invalid parameter was provided"))]
-    InvalidParameter,
+    #[snafu(display("An invalid parameter was provided: {reason}"))]
+    InvalidParameter {
+        /// The reason for the parameter error.
+        reason: &'static str,
+    },
 }
 
 impl TriptychParameters {
@@ -98,13 +101,18 @@ impl TriptychParameters {
         U: &RistrettoPoint,
     ) -> Result<Self, ParameterError> {
         // These bounds are required by the protocol
-        if n < 2 || m < 2 {
-            return Err(ParameterError::InvalidParameter);
+        if n < 2 {
+            return Err(ParameterError::InvalidParameter { reason: "`n < 2`" });
+        }
+        if m < 2 {
+            return Err(ParameterError::InvalidParameter { reason: "`m < 2`" });
         }
 
         // Check that the parameters don't overflow `u32`
         if n.checked_pow(m).is_none() {
-            return Err(ParameterError::InvalidParameter);
+            return Err(ParameterError::InvalidParameter {
+                reason: "`n**m` overflowed `u32`",
+            });
         }
 
         // Use `BLAKE3` to generate `CommitmentH`
@@ -121,7 +129,9 @@ impl TriptychParameters {
         hasher.update(&m.to_le_bytes());
         let mut hasher_xof = hasher.finalize_xof();
         let mut CommitmentG_bytes = [0u8; 64];
-        let CommitmentG = (0..n.checked_mul(m).ok_or(ParameterError::InvalidParameter)?)
+        let CommitmentG = (0..n.checked_mul(m).ok_or(ParameterError::InvalidParameter {
+            reason: "`n*m` overflowed `u32`",
+        })?)
             .map(|_| {
                 hasher_xof.fill(&mut CommitmentG_bytes);
                 RistrettoPoint::from_uniform_bytes(&CommitmentG_bytes)
@@ -166,8 +176,15 @@ impl TriptychParameters {
         timing: OperationTiming,
     ) -> Result<RistrettoPoint, ParameterError> {
         // Check that the matrix dimensions are valid
-        if matrix.len() != (self.m as usize) || matrix.iter().any(|m| m.len() != (self.n as usize)) {
-            return Err(ParameterError::InvalidParameter);
+        if matrix.len() != (self.m as usize) {
+            return Err(ParameterError::InvalidParameter {
+                reason: "matrix did not have `m` rows",
+            });
+        }
+        if matrix.iter().any(|m| m.len() != (self.n as usize)) {
+            return Err(ParameterError::InvalidParameter {
+                reason: "matrix did not have `n` columns",
+            });
         }
 
         // Flatten before evaluating the commitment
 
@@ -53,8 +53,11 @@ pub struct TriptychProof {
 #[derive(Debug, Snafu)]
 pub enum ProofError {
     /// An invalid parameter was provided.
-    #[snafu(display("An invalid parameter was provided"))]
-    InvalidParameter,
+    #[snafu(display("An invalid parameter was provided: {reason}"))]
+    InvalidParameter {
+        /// The reason for the parameter error.
+        reason: &'static str,
+    },
     /// A transcript challenge was invalid.
     #[snafu(display("A transcript challenge was invalid"))]
     InvalidChallenge,
@@ -174,7 +177,9 @@ impl TriptychProof {
     ) -> Result<Self, ProofError> {
         // Check that the witness and statement have identical parameters
         if witness.get_params() != statement.get_params() {
-            return Err(ProofError::InvalidParameter);
+            return Err(ProofError::InvalidParameter {
+                reason: "witness and statement parameters did not match",
+            });
         }
 
         // Extract values for convenience
@@ -205,13 +210,17 @@ impl TriptychProof {
         }
 
         if M_l != r * params.get_G() {
-            return Err(ProofError::InvalidParameter);
+            return Err(ProofError::InvalidParameter {
+                reason: "`M[l] != r * G`",
+            });
         }
         if M1_l - offset != r1 * params.get_G1() {
-            return Err(ProofError::InvalidParameter);
+            return Err(ProofError::InvalidParameter {
+                reason: "`M1[l] - offset != r1 * G1`",
+            });
         }
         if &(r * J) != params.get_U() {
-            return Err(ProofError::InvalidParameter);
+            return Err(ProofError::InvalidParameter { reason: "`r * J != U`" });
         }
 
         // Set up the transcript
@@ -231,16 +240,23 @@ impl TriptychProof {
         }
         let A = params
             .commit_matrix(&a, &r_A, timing)
-            .map_err(|_| ProofError::InvalidParameter)?;
+            .map_err(|_| ProofError::InvalidParameter {
+                reason: "unable to compute `A`",
+            })?;
 
         // Compute the `B` matrix commitment
         let r_B = Scalar::random(transcript.as_mut_rng());
         let l_decomposed = match timing {
             OperationTiming::Constant => {
-                GrayIterator::decompose(params.get_n(), params.get_m(), l).ok_or(ProofError::InvalidParameter)?
+                GrayIterator::decompose(params.get_n(), params.get_m(), l).ok_or(ProofError::InvalidParameter {
+                    reason: "`l` decomposition failed",
+                })?
             },
-            OperationTiming::Variable => GrayIterator::decompose_vartime(params.get_n(), params.get_m(), l)
-                .ok_or(ProofError::InvalidParameter)?,
+            OperationTiming::Variable => GrayIterator::decompose_vartime(params.get_n(), params.get_m(), l).ok_or(
+                ProofError::InvalidParameter {
+                    reason: "`l` decomposition failed",
+                },
+            )?,
         };
         let sigma = (0..params.get_m())
             .map(|j| {
@@ -251,7 +267,9 @@ impl TriptychProof {
             .collect::<Vec<Vec<Scalar>>>();
         let B = params
             .commit_matrix(&sigma, &r_B, timing)
-            .map_err(|_| ProofError::InvalidParameter)?;
+            .map_err(|_| ProofError::InvalidParameter {
+                reason: "unable to compute `B`",
+            })?;
 
         // Compute the `C` matrix commitment
         let two = Scalar::from(2u32);
@@ -265,7 +283,9 @@ impl TriptychProof {
             .collect::<Vec<Vec<Scalar>>>();
         let C = params
             .commit_matrix(&a_sigma, &r_C, timing)
-            .map_err(|_| ProofError::InvalidParameter)?;
+            .map_err(|_| ProofError::InvalidParameter {
+                reason: "unable to compute `C`",
+            })?;
 
         // Compute the `D` matrix commitment
         let r_D = Scalar::random(transcript.as_mut_rng());
@@ -278,7 +298,9 @@ impl TriptychProof {
             .collect::<Vec<Vec<Scalar>>>();
         let D = params
             .commit_matrix(&a_square, &r_D, timing)
-            .map_err(|_| ProofError::InvalidParameter)?;
+            .map_err(|_| ProofError::InvalidParameter {
+                reason: "unable to compute `D`",
+            })?;
 
         // Random masks
         let rho = Zeroizing::new(
@@ -296,7 +318,9 @@ impl TriptychProof {
         let mut p = Vec::<Vec<Scalar>>::with_capacity(params.get_N() as usize);
         let mut k_decomposed = vec![0; params.get_m() as usize];
         for (gray_index, _, gray_new) in
-            GrayIterator::new(params.get_n(), params.get_m()).ok_or(ProofError::InvalidParameter)?
+            GrayIterator::new(params.get_n(), params.get_m()).ok_or(ProofError::InvalidParameter {
+                reason: "coefficient decomposition failed",
+            })?
         {
             k_decomposed[gray_index] = gray_new;
 
@@ -305,7 +329,9 @@ impl TriptychProof {
             coefficients.resize(
                 (params.get_m() as usize)
                     .checked_add(1)
-                    .ok_or(ProofError::InvalidParameter)?,
+                    .ok_or(ProofError::InvalidParameter {
+                        reason: "polynomial degree overflowed",
+                    })?,
                 Scalar::ZERO,
             );
             coefficients[0] = a[0][k_decomposed[0] as usize];
@@ -564,10 +590,14 @@ impl TriptychProof {
     ) -> Result<(), ProofError> {
         // Check that we have the same number of statements, proofs, and transcripts
         if statements.len() != proofs.len() {
-            return Err(ProofError::InvalidParameter);
+            return Err(ProofError::InvalidParameter {
+                reason: "number of statements and proofs does not match",
+            });
         }
         if statements.len() != transcripts.len() {
-            return Err(ProofError::InvalidParameter);
+            return Err(ProofError::InvalidParameter {
+                reason: "number of statements and transcripts does not match",
+            });
         }
 
         // An empty batch is considered trivially valid
@@ -578,12 +608,16 @@ impl TriptychProof {
 
         // Each statement must use the same input set (checked using the hash for efficiency)
         if !statements.iter().map(|s| s.get_input_set().get_hash()).all_equal() {
-            return Err(ProofError::InvalidParameter);
+            return Err(ProofError::InvalidParameter {
+                reason: "statement input sets do not match",
+            });
         }
 
         // Each statement must use the same parameters (checked using the hash for efficiency)
         if !statements.iter().map(|s| s.get_params().get_hash()).all_equal() {
-            return Err(ProofError::InvalidParameter);
+            return Err(ProofError::InvalidParameter {
+                reason: "statement parameters do not match",
+            });
         }
 
         // Extract common values for convenience
@@ -594,26 +628,42 @@ impl TriptychProof {
         // Check that all proof semantics are valid for the statement
         for proof in proofs {
             if proof.X.len() != params.get_m() as usize {
-                return Err(ProofError::InvalidParameter);
+                return Err(ProofError::InvalidParameter {
+                    reason: "proof `X` vector length was not `m`",
+                });
             }
             if proof.X1.len() != params.get_m() as usize {
-                return Err(ProofError::InvalidParameter);
+                return Err(ProofError::InvalidParameter {
+                    reason: "proof `X1` vector length was not `m`",
+                });
             }
             if proof.Y.len() != params.get_m() as usize {
-                return Err(ProofError::InvalidParameter);
+                return Err(ProofError::InvalidParameter {
+                    reason: "proof `Y` vector length was not `m`",
+                });
             }
             if proof.f.len() != params.get_m() as usize {
-                return Err(ProofError::InvalidParameter);
+                return Err(ProofError::InvalidParameter {
+                    reason: "proof `f` matrix did not have `m` rows",
+                });
             }
             for f_row in &proof.f {
-                if f_row.len() != params.get_n().checked_sub(1).ok_or(ProofError::InvalidParameter)? as usize {
-                    return Err(ProofError::InvalidParameter);
+                if f_row.len() !=
+                    params.get_n().checked_sub(1).ok_or(ProofError::InvalidParameter {
+                        reason: "proof `f` matrix column count overflowed",
+                    })? as usize
+                {
+                    return Err(ProofError::InvalidParameter {
+                        reason: "proof `f` matrix did not have `n - 1` columns",
+                    });
                 }
             }
         }
 
         // Determine the size of the final check vector, which must not overflow `usize`
-        let batch_size = u32::try_from(proofs.len()).map_err(|_| ProofError::InvalidParameter)?;
+        let batch_size = u32::try_from(proofs.len()).map_err(|_| ProofError::InvalidParameter {
+            reason: "batch size overflowed `u32`",
+        })?;
 
         // This is unlikely to overflow; even if it does, the only effect is unnecessary reallocation
         #[allow(clippy::arithmetic_side_effects)]
@@ -631,7 +681,9 @@ impl TriptychProof {
                 + 3 * params.get_m() // X, X1, Y
             ),
         )
-        .map_err(|_| ProofError::InvalidParameter)?;
+        .map_err(|_| ProofError::InvalidParameter {
+            reason: "multiscalar multiplication size overflowed `usize`",
+        })?;
 
         // Set up the point vector for the final check
         let points = proofs
@@ -708,7 +760,9 @@ impl TriptychProof {
             // Check that `f` does not contain zero, which breaks batch inversion
             for f_row in &f {
                 if f_row.contains(&Scalar::ZERO) {
-                    return Err(ProofError::InvalidParameter);
+                    return Err(ProofError::InvalidParameter {
+                        reason: "proof `f` matrix contained 0",
+                    });
                 }
             }
 
@@ -779,7 +833,9 @@ impl TriptychProof {
             // Set up the initial `f` product and Gray iterator
             let mut f_product = f.iter().map(|f_row| f_row[0]).product::<Scalar>();
             let gray_iterator =
-                GrayIterator::new(params.get_n(), params.get_m()).ok_or(ProofError::InvalidParameter)?;
+                GrayIterator::new(params.get_n(), params.get_m()).ok_or(ProofError::InvalidParameter {
+                    reason: "coefficient decomposition failed",
+                })?;
 
             // Invert each element of `f` for efficiency
             let mut f_inverse_flat = f.iter().flatten().copied().collect::<Vec<Scalar>>();