//! # Module 09: Commitment Schemes and Sigma Protocols — Exercises
//!
//! ## Progression
//! 1. `pedersen_commit` — signature + doc
//! 2. `pedersen_verify` — signature + doc
//! 3. `schnorr_prove` — signature + doc
//! 4. `schnorr_verify` — signature + doc
//! 5. `fiat_shamir` — signature only
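/// FNV-1a 64-bit offset basis (the standard constant).
const FNV_OFFSET_BASIS: u64 = 0xcbf2_9ce4_8422_2325;
/// FNV-1a 64-bit prime (the standard constant).
const FNV_PRIME: u64 = 0x0000_0100_0000_01b3;

/// Modular multiplication `a * b mod modulus` that cannot overflow `u64`.
///
/// The product is formed in `u128`, so any pair of `u64` operands is safe.
///
/// # Panics
/// Panics if `modulus` is zero.
fn mod_mul(a: u64, b: u64, modulus: u64) -> u64 {
    assert!(modulus != 0, "modulus must be non-zero");
    let product = u128::from(a) * u128::from(b) % u128::from(modulus);
    // Lossless: the remainder is strictly below a u64 modulus.
    product as u64
}

/// Modular subtraction `a - b mod modulus`.
///
/// Both operands are reduced first, so the result is always in `0..modulus`
/// and the subtraction never underflows.
///
/// # Panics
/// Panics if `modulus` is zero.
fn mod_sub(a: u64, b: u64, modulus: u64) -> u64 {
    assert!(modulus != 0, "modulus must be non-zero");
    let (a, b) = (a % modulus, b % modulus);
    if a >= b {
        a - b
    } else {
        modulus - (b - a)
    }
}

/// Modular exponentiation `base^exp mod modulus` by square-and-multiply.
///
/// Intermediate products are taken in `u128`, so the result is exact for any
/// `u64` modulus. The loop is *not* constant-time: its work depends on the
/// bits of `exp`, which is acceptable for an exercise but would leak the
/// exponent (a secret `x` or nonce `k`) in a real deployment.
///
/// # Panics
/// Panics if `modulus` is zero.
fn mod_pow(base: u64, exp: u64, modulus: u64) -> u64 {
    assert!(modulus != 0, "modulus must be non-zero");
    if modulus == 1 {
        return 0;
    }
    let m = u128::from(modulus);
    let mut acc: u128 = 1;
    let mut square = u128::from(base) % m;
    let mut remaining = exp;
    while remaining > 0 {
        if remaining & 1 == 1 {
            acc = acc * square % m;
        }
        square = square * square % m;
        remaining >>= 1;
    }
    // Lossless: acc is strictly below a u64 modulus.
    acc as u64
}

/// Create a Pedersen commitment: C = g^m * h^r mod p.
///
/// - `g`, `h`: generators (h must have unknown discrete log w.r.t. g)
/// - `m`: the message/value to commit to
/// - `r`: randomness (blinding factor)
/// - `p`: prime modulus
///
/// Returns `C` reduced into `0..p`. Hiding rests on `r` being fresh and
/// uniformly random for every commitment; binding rests on nobody knowing
/// `log_g(h)`.
///
/// # Panics
/// Panics if `p` is zero.
pub fn pedersen_commit(g: u64, h: u64, m: u64, r: u64, p: u64) -> u64 {
    mod_mul(mod_pow(g, m, p), mod_pow(h, r, p), p)
}

/// Verify a Pedersen commitment opening.
///
/// Check that `commitment == g^m * h^r mod p`. The comparison is a plain
/// `u64 ==`, which is not constant-time; fine for an exercise.
///
/// # Panics
/// Panics if `p` is zero.
pub fn pedersen_verify(g: u64, h: u64, m: u64, r: u64, commitment: u64, p: u64) -> bool {
    // The recomputed value lies in 0..p, so a non-canonical `commitment >= p`
    // can never compare equal and is rejected implicitly.
    pedersen_commit(g, h, m, r, p) == commitment
}

/// Generate a Schnorr proof of knowledge of discrete log.
///
/// Prover knows `x` such that `pk = g^x mod p`.
/// Protocol:
/// 1. Choose random `k`, compute `commitment = g^k mod p`
/// 2. Receive `challenge` (from verifier or Fiat-Shamir)
/// 3. Compute `response = k - x * challenge mod (p-1)`
///
/// `k` must be fresh and uniformly random per proof: reusing it with two
/// different challenges lets anyone recover `x` from the two responses.
///
/// Returns `(commitment, challenge, response)`; `challenge` is echoed back
/// unreduced, `response` is reduced into `0..p-1`.
///
/// # Panics
/// Panics if `p < 2` (the exponent group `Z_(p-1)` would be empty).
pub fn schnorr_prove(
    g: u64,
    x: u64,
    p: u64,
    k: u64,
    challenge: u64,
) -> (u64, u64, u64) {
    // Exponents live in Z_(p-1): for prime p, every g has order dividing p-1.
    let q = p
        .checked_sub(1)
        .filter(|&q| q != 0)
        .expect("p must be at least 2");
    let commitment = mod_pow(g, k, p);
    // x * challenge is reduced via u128 so it cannot overflow u64, and
    // mod_sub keeps k - x*challenge from underflowing.
    let response = mod_sub(k, mod_mul(x, challenge, q), q);
    (commitment, challenge, response)
}

/// Verify a Schnorr proof.
///
/// Check: g^response * pk^challenge ≡ commitment (mod p).
///
/// # Panics
/// Panics if `p` is zero.
pub fn schnorr_verify(
    g: u64,
    pk: u64,
    commitment: u64,
    challenge: u64,
    response: u64,
    p: u64,
) -> bool {
    // g^(k - x*c) * (g^x)^c = g^k, i.e. the prover's commitment.
    let lhs = mod_mul(mod_pow(g, response, p), mod_pow(pk, challenge, p), p);
    // lhs lies in 0..p, so a non-canonical `commitment >= p` never matches.
    lhs == commitment
}

/// Apply the Fiat-Shamir transform: derive challenge from transcript.
///
/// Hash the concatenation of (g, pk, commitment, message) to produce
/// a deterministic challenge. Use a simple hash for this exercise.
///
/// The transcript is encoded unambiguously: each `u64` as 8 big-endian
/// bytes and the message with a length prefix, so two different
/// (g, pk, commitment, message) tuples can never serialise to the same
/// byte string. The hash itself is FNV-1a, which is deterministic but not
/// collision-resistant; a real deployment derives the challenge with a
/// cryptographic hash (e.g. SHA-256) over the same framing.
///
/// Returns the challenge value.
pub fn fiat_shamir(g: u64, pk: u64, commitment: u64, message: &[u8]) -> u64 {
    /// Absorb `bytes` into the running FNV-1a state.
    fn absorb(state: &mut u64, bytes: &[u8]) {
        for &byte in bytes {
            *state ^= u64::from(byte);
            *state = state.wrapping_mul(FNV_PRIME);
        }
    }

    let mut state = FNV_OFFSET_BASIS;
    // Fixed-width fields: the statement (g, pk) and the prover's commitment.
    for field in [g, pk, commitment] {
        absorb(&mut state, &field.to_be_bytes());
    }
    // Length-prefixed message so the boundary with the fields is unambiguous.
    // usize -> u64 is lossless on every platform Rust supports.
    absorb(&mut state, &(message.len() as u64).to_be_bytes());
    absorb(&mut state, message);
    state
}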
#[cfg(test)]
mod tests {
    use super::*;

    /// An honest Pedersen opening verifies; shifting the message by one does not.
    #[test]
    #[ignore]
    fn test_pedersen_commit_verify() {
        let (p, g, h) = (23, 4, 9);
        let (m, r) = (5, 3);
        let c = pedersen_commit(g, h, m, r, p);
        assert!(pedersen_verify(g, h, m, r, c, p));
        // Wrong message should fail
        assert!(!pedersen_verify(g, h, m + 1, r, c, p));
    }

    /// A Schnorr proof produced for a fixed nonce and challenge round-trips
    /// through the verifier.
    #[test]
    #[ignore]
    fn test_schnorr_roundtrip() {
        let (p, g) = (23, 5);
        let x = 7; // secret key
        // pk = g^x mod p, accumulated step by step (= 17)
        let pk = (0..7).fold(1_u64, |acc, _| acc * 5 % 23);
        let k = 3; // random nonce
        let challenge = 11;
        let (comm, ch, resp) = schnorr_prove(g, x, p, k, challenge);
        assert_eq!(ch, challenge);
        assert!(schnorr_verify(g, pk, comm, ch, resp, p));
    }
}