@@ -272,9 +272,9 @@ fn update_public_vec_for_range_proof(
272272 z_r : & Vec < Scalar > ,
273273 z_e : & Vec < Scalar > ,
274274 z_vw : & Vec < Scalar > ,
275- psi_r : Scalar ,
276- psi_e : Scalar ,
277- psi_vw : Scalar ,
275+ psi_r : & Vec < Scalar > ,
276+ psi_e : & Vec < Scalar > ,
277+ psi_vw : & Vec < Scalar > ,
278278 n : usize ,
279279 range_comm_offset : usize ,
280280 samples_required : usize ,
@@ -298,20 +298,14 @@ fn update_public_vec_for_range_proof(
298298
299299 // The range proofs equation also involves length 128 innerproducts involving the relevant
300300 // psi these are included in the last 3*128 entries of the inner product vectors.
301- let mut phi_psi_r_pow = phi;
302- let mut phi2_psi_e_pow = phi2;
303- let mut phi3_psi_vw_pow = phi3;
304301 for i in 0 ..128 {
305- public_vec[ i + range_comm_offset] = phi_psi_r_pow ;
306- public_vec[ i + range_comm_offset + 128 ] = phi2_psi_e_pow ;
307- public_vec[ i + range_comm_offset + 256 ] = phi3_psi_vw_pow ;
302+ public_vec[ i + range_comm_offset] = phi * Scalar :: from ( psi_r [ i ] ) ;
303+ public_vec[ i + range_comm_offset + 128 ] = phi2 * Scalar :: from ( psi_e [ i ] ) ;
304+ public_vec[ i + range_comm_offset + 256 ] = phi3 * Scalar :: from ( psi_vw [ i ] ) ;
308305 // Add contributions of the range proofs to the overall inner product result.
309- * result += z_r[ i] * phi_psi_r_pow;
310- * result += z_e[ i] * phi2_psi_e_pow;
311- * result += z_vw[ i] * phi3_psi_vw_pow;
312- phi_psi_r_pow *= psi_r;
313- phi2_psi_e_pow *= psi_e;
314- phi3_psi_vw_pow *= psi_vw;
306+ * result += z_r[ i] * public_vec[ i + range_comm_offset] ;
307+ * result += z_e[ i] * public_vec[ i + range_comm_offset + 128 ] ;
308+ * result += z_vw[ i] * public_vec[ i + range_comm_offset + 256 ] ;
315309 }
316310}
317311
@@ -364,33 +358,37 @@ pub fn flatten_challenge_matrix(
364358 R1 : Vec < u128 > ,
365359 R2 : Vec < u128 > ,
366360 challenge_label : & ' static [ u8 ] ,
367- ) -> Result < ( Vec < Scalar > , Scalar ) , status:: StatusError > {
361+ ) -> Result < ( Vec < Scalar > , Vec < Scalar > ) , status:: StatusError > {
368362 let n = R1 . len ( ) ;
369363 if n != R2 . len ( ) {
370364 return Err ( status:: failed_precondition ( "R1 and R2 have different lengths" . to_string ( ) ) ) ;
371365 }
372366
373- let mut buf = [ 0u8 ; 64 ] ;
374- transcript. challenge_bytes ( challenge_label, & mut buf) ;
375- let psi = Scalar :: from_bytes_mod_order_wide ( & buf) ;
376-
377- let mut R = vec ! [ Scalar :: from( 0 as u64 ) ; n] ;
378- let mut psi_powers = [ Scalar :: from ( 1 as u64 ) ; 128 ] ;
379- for j in 1 ..128 {
380- psi_powers[ j] = psi_powers[ j - 1 ] * psi;
367+ let mut Rplus = vec ! [ 0u128 ; n] ;
368+ let mut Rminus = vec ! [ 0u128 ; n] ;
369+ let mut Rscalar = vec ! [ Scalar :: from( 0 as u64 ) ; n] ;
370+
371+ let mut psi = [ 0u128 ; 128 ] ;
372+ let mut psi_scalar = vec ! [ Scalar :: from( 0 as u64 ) ; 128 ] ;
373+ let mut buf = [ 0u8 ; 16 ] ;
374+ for j in 0 ..128 {
375+ transcript. challenge_bytes ( challenge_label, & mut buf) ;
376+ psi[ j] = u128:: from_le_bytes ( buf) . rem_euclid ( 1u128 << 120 ) ;
377+ psi_scalar[ j] = Scalar :: from ( psi[ j] ) ;
381378 }
382379 for i in 0 ..n {
383380 for j in 0 ..128 {
384381 if R1 [ i] & ( 1u128 << j) != 0 {
385- R [ i] += psi_powers [ j] ;
382+ Rplus [ i] += psi [ j] ;
386383 }
387384 if R2 [ i] & ( 1u128 << j) != 0 {
388- R [ i] -= psi_powers [ j] ;
385+ Rminus [ i] += psi [ j] ;
389386 }
390387 }
388+ Rscalar [ i] = Scalar :: from ( Rplus [ i] ) - Scalar :: from ( Rminus [ i] ) ;
391389 }
392390
393- Ok ( ( R , psi ) )
391+ Ok ( ( Rscalar , psi_scalar ) )
394392}
395393
396394// Check that loose_bound = bound*2500*sqrt(v.len()+1) fits within an i128.
@@ -430,7 +428,7 @@ fn generate_range_product(
430428 transcript : & mut ( impl Transcript + Clone ) ,
431429 challenge_label : & ' static [ u8 ] ,
432430) -> Result <
433- ( Vec < Scalar > , RistrettoPoint , Vec < Scalar > , Scalar , Scalar , Vec < Scalar > ) ,
431+ ( Vec < Scalar > , RistrettoPoint , Vec < Scalar > , Scalar , Vec < Scalar > , Vec < Scalar > ) ,
434432 status:: StatusError ,
435433> {
436434 // Check that computing loose bound does not result in an overflow.
@@ -522,7 +520,7 @@ fn generate_range_product_for_verification_and_verify_z_bound(
522520 z : & Vec < Scalar > ,
523521 transcript : & mut impl Transcript ,
524522 challenge_label : & ' static [ u8 ] ,
525- ) -> Result < ( Vec < Scalar > , Scalar ) , status:: StatusError > {
523+ ) -> Result < ( Vec < Scalar > , Vec < Scalar > ) , status:: StatusError > {
526524 // Check that computing loose bound does not result in an overflow.
527525 check_loose_bound_will_not_overflow ( bound, n) ?;
528526
@@ -798,9 +796,9 @@ impl<'a> ZeroKnowledgeProver<RlweRelationProofStatement<'a>, RlweRelationProofWi
798796 & z_r,
799797 & z_e,
800798 & z_vw,
801- psi_r,
802- psi_e,
803- psi_vw,
799+ & psi_r,
800+ & psi_e,
801+ & psi_vw,
804802 n,
805803 range_comm_offset,
806804 samples_required,
@@ -977,9 +975,9 @@ impl<'a> ZeroKnowledgeVerifier<RlweRelationProofStatement<'a>, RlweRelationProof
977975 & proof. z_r ,
978976 & proof. z_e ,
979977 & proof. z_vw ,
980- psi_r,
981- psi_e,
982- psi_vw,
978+ & psi_r,
979+ & psi_e,
980+ & psi_vw,
983981 n,
984982 range_comm_offset,
985983 samples_required,
@@ -1260,12 +1258,10 @@ mod tests {
12601258 for i in 0 ..4 {
12611259 public_vec[ i] = R [ i] ;
12621260 }
1263- let mut psi_pow = Scalar :: from ( 1u128 ) ;
12641261 let mut result = Scalar :: from ( 0u128 ) ;
12651262 for i in 4 ..132 {
1266- public_vec[ i] = psi_pow;
1267- result += z[ i - 4 ] * psi_pow;
1268- psi_pow *= psi;
1263+ public_vec[ i] = psi[ i - 4 ] ;
1264+ result += z[ i - 4 ] * psi[ i - 4 ] ;
12691265 }
12701266 let mut expected_result = Scalar :: from ( 0u128 ) ;
12711267 for j in 0 ..132 {
0 commit comments