Refactor hashing domains (#107)

This PR moves hashing domains to a common module, in order to reduce the risk of collisions. It also ensures that all hashing operations are versioned.

BREAKING CHANGE: Updates how some hashing operations are performed, which will break existing proofs.

Author: AaronFeickert

src/lib.rs

@@ -116,8 +116,6 @@ extern crate alloc;
 
 pub use merlin::Transcript;
 
-pub(crate) const TRANSCRIPT_HASH_BYTES: usize = 32;
-
 /// Iterated arbitrary-base Gray code functionality.
 pub(crate) mod gray;
 /// Public parameters used for generating and verifying Triptych proofs.
@@ -139,3 +137,32 @@ pub use witness::TriptychWitness;
 
 /// Parallel Triptych functionality.
 pub mod parallel;
+
+/// Domain separators used for hashing operations
+pub(crate) mod domains {
+    // Version
+    pub(crate) const VERSION: u64 = 0;
+
+    // Number of bytes in a transcript hash
+    pub(crate) const TRANSCRIPT_HASH_BYTES: usize = 32;
+
+    // Parameters
+    pub(crate) const TRANSCRIPT_PARAMETERS: &str = "Triptych parameters";
+    pub(crate) const TRANSCRIPT_PARALLEL_PARAMETERS: &str = "Parallel Triptych parameters";
+    pub(crate) const POINT_G1: &str = "Triptych G1";
+    pub(crate) const POINT_U: &str = "Triptych U";
+    pub(crate) const POINT_COMMITMENT_G: &str = "Triptych CommitmentG";
+    pub(crate) const POINT_COMMITMENT_H: &str = "Triptych CommitmentH";
+
+    // Statement
+    pub(crate) const TRANSCRIPT_INPUT_SET: &str = "Triptych input set";
+    pub(crate) const TRANSCRIPT_PARALLEL_INPUT_SET: &str = "Parallel Triptych input set";
+    pub(crate) const TRANSCRIPT_STATEMENT: &str = "Triptych statement";
+    pub(crate) const TRANSCRIPT_PARALLEL_STATEMENT: &str = "Parallel Triptych statement";
+
+    // Proof
+    pub(crate) const TRANSCRIPT_PROOF: &str = "Triptych proof";
+    pub(crate) const TRANSCRIPT_PARALLEL_PROOF: &str = "Parallel Triptych proof";
+    pub(crate) const TRANSCRIPT_VERIFIER_WEIGHTS: &str = "Triptych verifier weights";
+    pub(crate) const TRANSCRIPT_PARALLEL_VERIFIER_WEIGHTS: &str = "Parallel Triptych verifier weights";
+}

src/parallel/parameters.rs

@@ -13,7 +13,7 @@ use curve25519_dalek::{
 };
 use snafu::prelude::*;
 
-use crate::{util::OperationTiming, Transcript, TRANSCRIPT_HASH_BYTES};
+use crate::{domains, util::OperationTiming, Transcript};
 
 /// Public parameters used for generating and verifying Triptych proofs.
 ///
@@ -46,11 +46,6 @@ pub enum ParameterError {
 }
 
 impl TriptychParameters {
-    // Domain separator used for hashing
-    const DOMAIN: &'static str = "Parallel Triptych parameters";
-    // Version identifier used for hashing
-    const VERSION: u64 = 0;
-
     /// Generate new [`TriptychParameters`] for Triptych proofs.
     ///
     /// The base `n > 1` and exponent `m > 1` define the size of verification key vectors, so it must be the case that
@@ -66,14 +61,16 @@ impl TriptychParameters {
         // Use `BLAKE3` to generate `G1`
         let mut G1_bytes = [0u8; 64];
         let mut hasher = Hasher::new();
-        hasher.update(b"Triptych G1");
+        hasher.update(domains::POINT_G1.as_bytes());
+        hasher.update(&domains::VERSION.to_le_bytes());
         hasher.finalize_xof().fill(&mut G1_bytes);
         let G1 = RistrettoPoint::from_uniform_bytes(&G1_bytes);
 
         // Use `BLAKE3` to generate `U`
         let mut U_bytes = [0u8; 64];
         let mut hasher = Hasher::new();
-        hasher.update(b"Triptych U");
+        hasher.update(domains::POINT_U.as_bytes());
+        hasher.update(&domains::VERSION.to_le_bytes());
         hasher.finalize_xof().fill(&mut U_bytes);
         let U = RistrettoPoint::from_uniform_bytes(&U_bytes);
 
@@ -118,13 +115,15 @@ impl TriptychParameters {
         // Use `BLAKE3` to generate `CommitmentH`
         let mut CommitmentH_bytes = [0u8; 64];
         let mut hasher = Hasher::new();
-        hasher.update(b"Triptych CommitmentH");
+        hasher.update(domains::POINT_COMMITMENT_H.as_bytes());
+        hasher.update(&domains::VERSION.to_le_bytes());
         hasher.finalize_xof().fill(&mut CommitmentH_bytes);
         let CommitmentH = RistrettoPoint::from_uniform_bytes(&CommitmentH_bytes);
 
         // Use `BLAKE3` for the commitment matrix generators
         let mut hasher = Hasher::new();
-        hasher.update(b"Triptych CommitmentG");
+        hasher.update(domains::POINT_COMMITMENT_G.as_bytes());
+        hasher.update(&domains::VERSION.to_le_bytes());
         hasher.update(&n.to_le_bytes());
         hasher.update(&m.to_le_bytes());
         let mut hasher_xof = hasher.finalize_xof();
@@ -139,8 +138,8 @@ impl TriptychParameters {
             .collect::<Vec<RistrettoPoint>>();
 
         // Use Merlin for the transcript hash
-        let mut transcript = Transcript::new(Self::DOMAIN.as_bytes());
-        transcript.append_u64(b"version", Self::VERSION);
+        let mut transcript = Transcript::new(domains::TRANSCRIPT_PARALLEL_PARAMETERS.as_bytes());
+        transcript.append_u64(b"version", domains::VERSION);
         transcript.append_message(b"n", &n.to_le_bytes());
         transcript.append_message(b"m", &m.to_le_bytes());
         transcript.append_message(b"G", G.compress().as_bytes());
@@ -150,7 +149,7 @@ impl TriptychParameters {
             transcript.append_message(b"CommitmentG", item.compress().as_bytes());
         }
         transcript.append_message(b"CommitmentH", CommitmentH.compress().as_bytes());
-        let mut hash = vec![0u8; TRANSCRIPT_HASH_BYTES];
+        let mut hash = vec![0u8; domains::TRANSCRIPT_HASH_BYTES];
         transcript.challenge_bytes(b"hash", &mut hash);
 
         Ok(TriptychParameters {

src/parallel/proof.rs

@@ -21,6 +21,7 @@ use subtle::{ConditionallySelectable, ConstantTimeEq};
 use zeroize::Zeroizing;
 
 use crate::{
+    domains,
     gray::GrayIterator,
     parallel::{transcript::ProofTranscript, TriptychStatement, TriptychWitness},
     util::{delta, NullRng, OperationTiming},
@@ -722,7 +723,8 @@ impl TriptychProof {
         let mut U_scalar = Scalar::ZERO;
 
         // Set up a transcript generator for use in weighting
-        let mut transcript_weights = Transcript::new(b"Triptych verifier weights");
+        let mut transcript_weights = Transcript::new(domains::TRANSCRIPT_PARALLEL_VERIFIER_WEIGHTS.as_bytes());
+        transcript_weights.append_u64(b"version", domains::VERSION);
 
         let mut null_rng = NullRng;
 

src/parallel/statement.rs

@@ -6,7 +6,7 @@ use alloc::{sync::Arc, vec, vec::Vec};
 use curve25519_dalek::{traits::Identity, RistrettoPoint};
 use snafu::prelude::*;
 
-use crate::{parallel::TriptychParameters, Transcript, TRANSCRIPT_HASH_BYTES};
+use crate::{domains, parallel::TriptychParameters, Transcript};
 
 /// A Triptych input set.
 ///
@@ -21,11 +21,6 @@ pub struct TriptychInputSet {
 }
 
 impl TriptychInputSet {
-    // Domain separator used for hashing
-    const DOMAIN: &'static str = "Parallel Triptych input set";
-    // Version identifier used for hashing
-    const VERSION: u64 = 0;
-
     /// Generate a new [`TriptychInputSet`] from a slice `M` of verification keys and slice `M1` of auxiliary
     /// verification keys.
     #[allow(non_snake_case)]
@@ -98,16 +93,16 @@ impl TriptychInputSet {
         })?;
 
         // Use Merlin for the transcript hash
-        let mut transcript = Transcript::new(Self::DOMAIN.as_bytes());
-        transcript.append_u64(b"version", Self::VERSION);
+        let mut transcript = Transcript::new(domains::TRANSCRIPT_PARALLEL_INPUT_SET.as_bytes());
+        transcript.append_u64(b"version", domains::VERSION);
         transcript.append_message(b"unpadded_size", &unpadded_size.to_le_bytes());
         for item in M {
             transcript.append_message(b"M", item.compress().as_bytes());
         }
         for item in M1 {
             transcript.append_message(b"M1", item.compress().as_bytes());
         }
-        let mut hash = vec![0u8; TRANSCRIPT_HASH_BYTES];
+        let mut hash = vec![0u8; domains::TRANSCRIPT_HASH_BYTES];
         transcript.challenge_bytes(b"hash", &mut hash);
 
         Ok(Self {
@@ -160,11 +155,6 @@ pub enum StatementError {
 }
 
 impl TriptychStatement {
-    // Domain separator used for hashing
-    const DOMAIN: &'static str = "Parallel Triptych statement";
-    // Version identifier used for hashing
-    const VERSION: u64 = 0;
-
     /// Generate a new [`TriptychStatement`].
     ///
     /// The [`TriptychInputSet`] `input_set` must have a verification key vector whose size matches that specified by
@@ -205,13 +195,13 @@ impl TriptychStatement {
         }
 
         // Use Merlin for the transcript hash
-        let mut transcript = Transcript::new(Self::DOMAIN.as_bytes());
-        transcript.append_u64(b"version", Self::VERSION);
+        let mut transcript = Transcript::new(domains::TRANSCRIPT_PARALLEL_STATEMENT.as_bytes());
+        transcript.append_u64(b"version", domains::VERSION);
         transcript.append_message(b"params", params.get_hash());
         transcript.append_message(b"input_set", input_set.get_hash());
         transcript.append_message(b"offset", offset.compress().as_bytes());
         transcript.append_message(b"J", J.compress().as_bytes());
-        let mut hash = vec![0u8; TRANSCRIPT_HASH_BYTES];
+        let mut hash = vec![0u8; domains::TRANSCRIPT_HASH_BYTES];
         transcript.challenge_bytes(b"hash", &mut hash);
 
         Ok(Self {

src/parallel/transcript.rs

@@ -8,6 +8,7 @@ use merlin::TranscriptRng;
 use rand_core::CryptoRngCore;
 
 use crate::{
+    domains,
     parallel::{proof::ProofError, TriptychParameters, TriptychStatement, TriptychWitness},
     Transcript,
 };
@@ -21,11 +22,6 @@ pub(crate) struct ProofTranscript<'a, R: CryptoRngCore> {
 }
 
 impl<'a, R: CryptoRngCore> ProofTranscript<'a, R> {
-    // Domain separator used for hashing
-    const DOMAIN: &'static str = "Parallel Triptych proof";
-    // Version identifier used for hashing
-    const VERSION: u64 = 0;
-
     /// Initialize a transcript.
     pub(crate) fn new(
         transcript: &'a mut Transcript,
@@ -34,8 +30,8 @@ impl<'a, R: CryptoRngCore> ProofTranscript<'a, R> {
         witness: Option<&'a TriptychWitness>,
     ) -> Self {
         // Update the transcript
-        transcript.append_message(b"dom-sep", Self::DOMAIN.as_bytes());
-        transcript.append_u64(b"version", Self::VERSION);
+        transcript.append_message(b"dom-sep", domains::TRANSCRIPT_PARALLEL_PROOF.as_bytes());
+        transcript.append_u64(b"version", domains::VERSION);
         transcript.append_message(b"statement", statement.get_hash());
 
         // Set up the transcript generator

src/parameters.rs

@@ -13,7 +13,7 @@ use curve25519_dalek::{
 };
 use snafu::prelude::*;
 
-use crate::{util::OperationTiming, Transcript, TRANSCRIPT_HASH_BYTES};
+use crate::{domains, util::OperationTiming, Transcript};
 
 /// Public parameters used for generating and verifying Triptych proofs.
 ///
@@ -45,11 +45,6 @@ pub enum ParameterError {
 }
 
 impl TriptychParameters {
-    // Domain separator used for hashing
-    const DOMAIN: &'static str = "Triptych parameters";
-    // Version identifier used for hashing
-    const VERSION: u64 = 0;
-
     /// Generate new [`TriptychParameters`] for Triptych proofs.
     ///
     /// The base `n > 1` and exponent `m > 1` define the size of verification key vectors, so it must be the case that
@@ -65,7 +60,8 @@ impl TriptychParameters {
         // Use `BLAKE3` to generate `U`
         let mut U_bytes = [0u8; 64];
         let mut hasher = Hasher::new();
-        hasher.update(b"Triptych U");
+        hasher.update(domains::POINT_U.as_bytes());
+        hasher.update(&domains::VERSION.to_le_bytes());
         hasher.finalize_xof().fill(&mut U_bytes);
         let U = RistrettoPoint::from_uniform_bytes(&U_bytes);
 
@@ -103,13 +99,15 @@ impl TriptychParameters {
         // Use `BLAKE3` to generate `CommitmentH`
         let mut CommitmentH_bytes = [0u8; 64];
         let mut hasher = Hasher::new();
-        hasher.update(b"Triptych CommitmentH");
+        hasher.update(domains::POINT_COMMITMENT_H.as_bytes());
+        hasher.update(&domains::VERSION.to_le_bytes());
         hasher.finalize_xof().fill(&mut CommitmentH_bytes);
         let CommitmentH = RistrettoPoint::from_uniform_bytes(&CommitmentH_bytes);
 
         // Use `BLAKE3` for the commitment matrix generators
         let mut hasher = Hasher::new();
-        hasher.update(b"Triptych CommitmentG");
+        hasher.update(domains::POINT_COMMITMENT_G.as_bytes());
+        hasher.update(&domains::VERSION.to_le_bytes());
         hasher.update(&n.to_le_bytes());
         hasher.update(&m.to_le_bytes());
         let mut hasher_xof = hasher.finalize_xof();
@@ -124,8 +122,8 @@ impl TriptychParameters {
             .collect::<Vec<RistrettoPoint>>();
 
         // Use Merlin for the transcript hash
-        let mut transcript = Transcript::new(Self::DOMAIN.as_bytes());
-        transcript.append_u64(b"version", Self::VERSION);
+        let mut transcript = Transcript::new(domains::TRANSCRIPT_PARAMETERS.as_bytes());
+        transcript.append_u64(b"version", domains::VERSION);
         transcript.append_message(b"n", &n.to_le_bytes());
         transcript.append_message(b"m", &m.to_le_bytes());
         transcript.append_message(b"G", G.compress().as_bytes());
@@ -134,7 +132,7 @@ impl TriptychParameters {
             transcript.append_message(b"CommitmentG", item.compress().as_bytes());
         }
         transcript.append_message(b"CommitmentH", CommitmentH.compress().as_bytes());
-        let mut hash = vec![0u8; TRANSCRIPT_HASH_BYTES];
+        let mut hash = vec![0u8; domains::TRANSCRIPT_HASH_BYTES];
         transcript.challenge_bytes(b"hash", &mut hash);
 
         Ok(TriptychParameters {

src/proof.rs

@@ -21,6 +21,7 @@ use subtle::{ConditionallySelectable, ConstantTimeEq};
 use zeroize::Zeroizing;
 
 use crate::{
+    domains,
     gray::GrayIterator,
     transcript::ProofTranscript,
     util::{delta, NullRng, OperationTiming},
@@ -668,7 +669,8 @@ impl TriptychProof {
         let mut U_scalar = Scalar::ZERO;
 
         // Set up a transcript generator for use in weighting
-        let mut transcript_weights = Transcript::new(b"Triptych verifier weights");
+        let mut transcript_weights = Transcript::new(domains::TRANSCRIPT_VERIFIER_WEIGHTS.as_bytes());
+        transcript_weights.append_u64(b"version", domains::VERSION);
 
         let mut null_rng = NullRng;
 

src/statement.rs

@@ -6,7 +6,7 @@ use alloc::{sync::Arc, vec, vec::Vec};
 use curve25519_dalek::{traits::Identity, RistrettoPoint};
 use snafu::prelude::*;
 
-use crate::{Transcript, TriptychParameters, TRANSCRIPT_HASH_BYTES};
+use crate::{domains, Transcript, TriptychParameters};
 
 /// A Triptych input set.
 ///
@@ -20,11 +20,6 @@ pub struct TriptychInputSet {
 }
 
 impl TriptychInputSet {
-    // Domain separator used for hashing
-    const DOMAIN: &'static str = "Triptych input set";
-    // Version identifier used for hashing
-    const VERSION: u64 = 0;
-
     /// Generate a new [`TriptychInputSet`] from a slice `M` of verification keys.
     #[allow(non_snake_case)]
     pub fn new(M: &[RistrettoPoint]) -> Result<Self, StatementError> {
@@ -71,13 +66,13 @@ impl TriptychInputSet {
         })?;
 
         // Use Merlin for the transcript hash
-        let mut transcript = Transcript::new(Self::DOMAIN.as_bytes());
-        transcript.append_u64(b"version", Self::VERSION);
+        let mut transcript = Transcript::new(domains::TRANSCRIPT_INPUT_SET.as_bytes());
+        transcript.append_u64(b"version", domains::VERSION);
         transcript.append_message(b"unpadded_size", &unpadded_size.to_le_bytes());
         for item in M {
             transcript.append_message(b"M", item.compress().as_bytes());
         }
-        let mut hash = vec![0u8; TRANSCRIPT_HASH_BYTES];
+        let mut hash = vec![0u8; domains::TRANSCRIPT_HASH_BYTES];
         transcript.challenge_bytes(b"hash", &mut hash);
 
         Ok(Self {
@@ -122,11 +117,6 @@ pub enum StatementError {
 }
 
 impl TriptychStatement {
-    // Domain separator used for hashing
-    const DOMAIN: &'static str = "Triptych statement";
-    // Version identifier used for hashing
-    const VERSION: u64 = 0;
-
     /// Generate a new [`TriptychStatement`].
     ///
     /// The [`TriptychInputSet`] `input_set` must have a verification key vector whose size matches that specified by
@@ -155,12 +145,12 @@ impl TriptychStatement {
         }
 
         // Use Merlin for the transcript hash
-        let mut transcript = Transcript::new(Self::DOMAIN.as_bytes());
-        transcript.append_u64(b"version", Self::VERSION);
+        let mut transcript = Transcript::new(domains::TRANSCRIPT_STATEMENT.as_bytes());
+        transcript.append_u64(b"version", domains::VERSION);
         transcript.append_message(b"params", params.get_hash());
         transcript.append_message(b"input_set", input_set.get_hash());
         transcript.append_message(b"J", J.compress().as_bytes());
-        let mut hash = vec![0u8; TRANSCRIPT_HASH_BYTES];
+        let mut hash = vec![0u8; domains::TRANSCRIPT_HASH_BYTES];
         transcript.challenge_bytes(b"hash", &mut hash);
 
         Ok(Self {