From 65376e93e5d077d90348d531b911ee22ded411b3 Mon Sep 17 00:00:00 2001
From: Luke Parker <lukeparker5132@gmail.com>
Date: Fri, 24 Feb 2023 05:11:01 -0500
Subject: [PATCH] 3.4.3 Merge the nonce calculation from DLEqProof and
 MultiDLEqProof into a single function

3.4.3 actually describes getting rid of DLEqProof for a thin wrapper around
MultiDLEqProof. That can't be done due to DLEqProof not requiring the std
features, enabling Vecs, which MultiDLEqProof relies on.

Merging the verification statement does simplify the code a bit. While merging
the proof could also be, it has much less value due to the simplicity of
proving (nonce * G, scalar * G).
---
 crypto/dleq/src/lib.rs | 31 +++++++++++++++++++------------
 1 file changed, 19 insertions(+), 12 deletions(-)

diff --git a/crypto/dleq/src/lib.rs b/crypto/dleq/src/lib.rs
index f224dd88..1936d5aa 100644
--- a/crypto/dleq/src/lib.rs
+++ b/crypto/dleq/src/lib.rs
@@ -140,6 +140,21 @@ impl<G: PrimeGroup> DLEqProof<G> {
     DLEqProof { c, s }
   }
 
+  // Transcript a specific generator/nonce/point (G/R/A), as used when verifying a proof.
+  // This takes in the generator/point, and then the challenge and solution to calculate the nonce.
+  fn verify_statement<T: Transcript>(
+    transcript: &mut T,
+    generator: G,
+    point: G,
+    c: G::Scalar,
+    s: G::Scalar,
+  ) {
+    // s = r + ca
+    // sG - cA = R
+    // R, A
+    Self::transcript(transcript, generator, (generator * s) - (point * c), point);
+  }
+
   /// Verify the specified points share a discrete logarithm across the specified generators.
   pub fn verify<T: Transcript>(
     &self,
@@ -153,10 +168,7 @@ impl<G: PrimeGroup> DLEqProof<G> {
 
     transcript.domain_separate(b"dleq");
     for (generator, point) in generators.iter().zip(points) {
-      // s = r + ca
-      // sG - cA = R
-      // R, A
-      Self::transcript(transcript, *generator, (*generator * self.s) - (*point * self.c), *point);
+      Self::verify_statement(transcript, *generator, *point, self.c, self.s);
     }
 
     if self.c != challenge(transcript) {
@@ -212,7 +224,7 @@ impl<G: PrimeGroup> MultiDLEqProof<G> {
   where
     G::Scalar: Zeroize,
   {
-    transcript.domain_separate(b"multi-dleq");
+    transcript.domain_separate(b"multi_dleq");
 
     let mut nonces = vec![];
     for (i, (scalar, generators)) in scalars.iter().zip(generators).enumerate() {
@@ -256,7 +268,7 @@ impl<G: PrimeGroup> MultiDLEqProof<G> {
       Err(DLEqError::InvalidProof)?;
     }
 
-    transcript.domain_separate(b"multi-dleq");
+    transcript.domain_separate(b"multi_dleq");
     for (i, (generators, points)) in generators.iter().zip(points).enumerate() {
       if points.len() != generators.len() {
         Err(DLEqError::InvalidProof)?;
@@ -264,12 +276,7 @@ impl<G: PrimeGroup> MultiDLEqProof<G> {
 
       transcript.append_message(b"discrete_logarithm", i.to_le_bytes());
       for (generator, point) in generators.iter().zip(points) {
-        DLEqProof::transcript(
-          transcript,
-          *generator,
-          (*generator * self.s[i]) - (*point * self.c),
-          *point,
-        );
+        DLEqProof::verify_statement(transcript, *generator, *point, self.c, self.s[i]);
       }
     }