crypto/dleq/src/cross_group/bits.rs

use rand_core::{RngCore, CryptoRng};

use transcript::Transcript;

use group::{ff::PrimeFieldBits, prime::PrimeGroup};
use multiexp::BatchVerifier;

use crate::cross_group::{Generators, DLEqError, aos::{Re, Aos}};

#[cfg(feature = "serialize")]
use std::io::{Read, Write};
#[cfg(feature = "serialize")]
use crate::cross_group::read_point;

pub(crate) enum BitSignature {
  ClassicLinear,
  ConciseLinear,
  EfficientLinear,
  CompromiseLinear
}

impl BitSignature {
  pub(crate) const fn to_u8(&self) -> u8 {
    match self {
      BitSignature::ClassicLinear => 0,
      BitSignature::ConciseLinear => 1,
      BitSignature::EfficientLinear => 2,
      BitSignature::CompromiseLinear => 3
    }
  }

  pub(crate) const fn from(algorithm: u8) -> BitSignature {
    match algorithm {
      0 => BitSignature::ClassicLinear,
      1 => BitSignature::ConciseLinear,
      2 => BitSignature::EfficientLinear,
      3 => BitSignature::CompromiseLinear,
      _ => panic!("Unknown algorithm")
    }
  }

  pub(crate) const fn bits(&self) -> usize {
    match self {
      BitSignature::ClassicLinear => 1,
      BitSignature::ConciseLinear => 2,
      BitSignature::EfficientLinear => 1,
      BitSignature::CompromiseLinear => 2
    }
  }

  pub(crate) const fn ring_len(&self) -> usize {
    2_usize.pow(self.bits() as u32)
  }

  fn aos_form<G0: PrimeGroup, G1: PrimeGroup>(&self) -> Re<G0, G1> {
    match self {
      BitSignature::ClassicLinear => Re::e_default(),
      BitSignature::ConciseLinear => Re::e_default(),
      BitSignature::EfficientLinear => Re::R_default(),
      BitSignature::CompromiseLinear => Re::R_default()
    }
  }
}

#[derive(Clone, PartialEq, Eq, Debug)]
pub(crate) struct Bits<
  G0: PrimeGroup,
  G1: PrimeGroup,
  const SIGNATURE: u8,
  const RING_LEN: usize
> {
  pub(crate) commitments: (G0, G1),
  signature: Aos<G0, G1, RING_LEN>
}

impl<
  G0: PrimeGroup,
  G1: PrimeGroup,
  const SIGNATURE: u8,
  const RING_LEN: usize
> Bits<G0, G1, SIGNATURE, RING_LEN> where G0::Scalar: PrimeFieldBits, G1::Scalar: PrimeFieldBits {
  fn transcript<T: Transcript>(transcript: &mut T, i: usize, commitments: (G0, G1)) {
    transcript.domain_separate(b"bits");
    transcript.append_message(b"group", &u16::try_from(i).unwrap().to_le_bytes());
    transcript.append_message(b"commitment_0", commitments.0.to_bytes().as_ref());
    transcript.append_message(b"commitment_1", commitments.1.to_bytes().as_ref());
  }

  fn ring(pow_2: (G0, G1), commitments: (G0, G1)) -> Vec<(G0, G1)> {
    let mut res = vec![commitments; RING_LEN];
    for i in 1 .. RING_LEN  {
      res[i] = (res[i - 1].0 - pow_2.0, res[i - 1].1 - pow_2.1);
    }
    res
  }

  fn shift(pow_2: &mut (G0, G1)) {
    for _ in 0 .. BitSignature::from(SIGNATURE).bits() {
      pow_2.0 = pow_2.0.double();
      pow_2.1 = pow_2.1.double();
    }
  }

  pub(crate) fn prove<R: RngCore + CryptoRng, T: Clone + Transcript>(
    rng: &mut R,
    transcript: &mut T,
    generators: (Generators<G0>, Generators<G1>),
    i: usize,
    pow_2: &mut (G0, G1),
    bits: u8,
    blinding_key: (G0::Scalar, G1::Scalar)
  ) -> Self {
    let mut commitments = (
      (generators.0.alt * blinding_key.0),
      (generators.1.alt * blinding_key.1)
    );
    commitments.0 += pow_2.0 * G0::Scalar::from(bits.into());
    commitments.1 += pow_2.1 * G1::Scalar::from(bits.into());

    Self::transcript(transcript, i, commitments);

    let signature = Aos::prove(
      rng,
      transcript.clone(),
      generators,
      &Self::ring(*pow_2, commitments),
      usize::from(bits),
      blinding_key,
      BitSignature::from(SIGNATURE).aos_form()
    );

    Self::shift(pow_2);
    Bits { commitments, signature }
  }

  pub(crate) fn verify<R: RngCore + CryptoRng, T: Clone + Transcript>(
    &self,
    rng: &mut R,
    transcript: &mut T,
    generators: (Generators<G0>, Generators<G1>),
    batch: &mut (BatchVerifier<(), G0>, BatchVerifier<(), G1>),
    i: usize,
    pow_2: &mut (G0, G1)
  ) -> Result<(), DLEqError> {
    Self::transcript(transcript, i, self.commitments);

    self.signature.verify(
      rng,
      transcript.clone(),
      generators,
      batch,
      &Self::ring(*pow_2, self.commitments)
    )?;

    Self::shift(pow_2);
    Ok(())
  }

  #[cfg(feature = "serialize")]
  pub(crate) fn serialize<W: Write>(&self, w: &mut W) -> std::io::Result<()> {
    w.write_all(self.commitments.0.to_bytes().as_ref())?;
    w.write_all(self.commitments.1.to_bytes().as_ref())?;
    self.signature.serialize(w)
  }

  #[cfg(feature = "serialize")]
  pub(crate) fn deserialize<R: Read>(r: &mut R) -> std::io::Result<Self> {
    Ok(
      Bits {
        commitments: (read_point(r)?, read_point(r)?),
        signature: Aos::deserialize(r, BitSignature::from(SIGNATURE).aos_form())?
      }
    )
  }
}
Add a batch verified DLEq The batch verified one offers ~23% faster verification. While this massively refactors for modularity, I'm still not happy with the DLEq proofs at the top level, nor am I happy with the AOS signatures. I'll work on cleaning them up more later. 2022-07-05 19:10:30 -04:00			`use rand_core::{RngCore, CryptoRng};`

			`use transcript::Transcript;`

			`use group::{ff::PrimeFieldBits, prime::PrimeGroup};`
Consolidate concise/efficient and clean 2022-07-07 07:30:10 -04:00			`use multiexp::BatchVerifier;`
Add a batch verified DLEq The batch verified one offers ~23% faster verification. While this massively refactors for modularity, I'm still not happy with the DLEq proofs at the top level, nor am I happy with the AOS signatures. I'll work on cleaning them up more later. 2022-07-05 19:10:30 -04:00
Update the DLEq proof for any amount of generators The two-generator limit wasn't required nor beneficial. This does theoretically optimize FROST, yet not for any current constructions. A follow up proof which would optimize current constructions has been noted in #38. Adds explicit no_std support to the core DLEq proof. Closes #34. 2022-07-13 23:29:48 -04:00			`use crate::cross_group::{Generators, DLEqError, aos::{Re, Aos}};`
Add a batch verified DLEq The batch verified one offers ~23% faster verification. While this massively refactors for modularity, I'm still not happy with the DLEq proofs at the top level, nor am I happy with the AOS signatures. I'll work on cleaning them up more later. 2022-07-05 19:10:30 -04:00
			`#[cfg(feature = "serialize")]`
			`use std::io::{Read, Write};`
			`#[cfg(feature = "serialize")]`
			`use crate::cross_group::read_point;`

Consolidate concise/efficient and clean 2022-07-07 07:30:10 -04:00			`pub(crate) enum BitSignature {`
Add Classic/Compromise DLEqs and a benchmark Formatted results from my laptop: EfficientLinear had a average prove time of 188ms EfficientLinear had a average verify time of 126ms CompromiseLinear had a average prove time of 176ms CompromiseLinear had a average verify time of 141ms ConciseLinear had a average prove time of 191ms ConciseLinear had a average verify time of 160ms ClassicLinear had a average prove time of 214ms ClassicLinear had a average verify time of 159ms There is a decent error margin here. Concise is a drop-in replacement for Classic, in practice not theory. Efficient is optimal for performance, yet largest. Compromise is a middleground. 2022-07-07 08:26:59 -04:00			`ClassicLinear,`
Consolidate concise/efficient and clean 2022-07-07 07:30:10 -04:00			`ConciseLinear,`
Add Classic/Compromise DLEqs and a benchmark Formatted results from my laptop: EfficientLinear had a average prove time of 188ms EfficientLinear had a average verify time of 126ms CompromiseLinear had a average prove time of 176ms CompromiseLinear had a average verify time of 141ms ConciseLinear had a average prove time of 191ms ConciseLinear had a average verify time of 160ms ClassicLinear had a average prove time of 214ms ClassicLinear had a average verify time of 159ms There is a decent error margin here. Concise is a drop-in replacement for Classic, in practice not theory. Efficient is optimal for performance, yet largest. Compromise is a middleground. 2022-07-07 08:26:59 -04:00			`EfficientLinear,`
			`CompromiseLinear`
Consolidate concise/efficient and clean 2022-07-07 07:30:10 -04:00			`}`
Add a batch verified DLEq The batch verified one offers ~23% faster verification. While this massively refactors for modularity, I'm still not happy with the DLEq proofs at the top level, nor am I happy with the AOS signatures. I'll work on cleaning them up more later. 2022-07-05 19:10:30 -04:00
Consolidate concise/efficient and clean 2022-07-07 07:30:10 -04:00			`impl BitSignature {`
			`pub(crate) const fn to_u8(&self) -> u8 {`
			`match self {`
Add Classic/Compromise DLEqs and a benchmark Formatted results from my laptop: EfficientLinear had a average prove time of 188ms EfficientLinear had a average verify time of 126ms CompromiseLinear had a average prove time of 176ms CompromiseLinear had a average verify time of 141ms ConciseLinear had a average prove time of 191ms ConciseLinear had a average verify time of 160ms ClassicLinear had a average prove time of 214ms ClassicLinear had a average verify time of 159ms There is a decent error margin here. Concise is a drop-in replacement for Classic, in practice not theory. Efficient is optimal for performance, yet largest. Compromise is a middleground. 2022-07-07 08:26:59 -04:00			`BitSignature::ClassicLinear => 0,`
			`BitSignature::ConciseLinear => 1,`
			`BitSignature::EfficientLinear => 2,`
			`BitSignature::CompromiseLinear => 3`
Consolidate concise/efficient and clean 2022-07-07 07:30:10 -04:00			`}`
			`}`
Add a batch verified DLEq The batch verified one offers ~23% faster verification. While this massively refactors for modularity, I'm still not happy with the DLEq proofs at the top level, nor am I happy with the AOS signatures. I'll work on cleaning them up more later. 2022-07-05 19:10:30 -04:00
Consolidate concise/efficient and clean 2022-07-07 07:30:10 -04:00			`pub(crate) const fn from(algorithm: u8) -> BitSignature {`
			`match algorithm {`
Add Classic/Compromise DLEqs and a benchmark Formatted results from my laptop: EfficientLinear had a average prove time of 188ms EfficientLinear had a average verify time of 126ms CompromiseLinear had a average prove time of 176ms CompromiseLinear had a average verify time of 141ms ConciseLinear had a average prove time of 191ms ConciseLinear had a average verify time of 160ms ClassicLinear had a average prove time of 214ms ClassicLinear had a average verify time of 159ms There is a decent error margin here. Concise is a drop-in replacement for Classic, in practice not theory. Efficient is optimal for performance, yet largest. Compromise is a middleground. 2022-07-07 08:26:59 -04:00			`0 => BitSignature::ClassicLinear,`
			`1 => BitSignature::ConciseLinear,`
			`2 => BitSignature::EfficientLinear,`
			`3 => BitSignature::CompromiseLinear,`
Consolidate concise/efficient and clean 2022-07-07 07:30:10 -04:00			`_ => panic!("Unknown algorithm")`
			`}`
			`}`
Add a batch verified DLEq The batch verified one offers ~23% faster verification. While this massively refactors for modularity, I'm still not happy with the DLEq proofs at the top level, nor am I happy with the AOS signatures. I'll work on cleaning them up more later. 2022-07-05 19:10:30 -04:00
Consolidate concise/efficient and clean 2022-07-07 07:30:10 -04:00			`pub(crate) const fn bits(&self) -> usize {`
			`match self {`
Add Classic/Compromise DLEqs and a benchmark Formatted results from my laptop: EfficientLinear had a average prove time of 188ms EfficientLinear had a average verify time of 126ms CompromiseLinear had a average prove time of 176ms CompromiseLinear had a average verify time of 141ms ConciseLinear had a average prove time of 191ms ConciseLinear had a average verify time of 160ms ClassicLinear had a average prove time of 214ms ClassicLinear had a average verify time of 159ms There is a decent error margin here. Concise is a drop-in replacement for Classic, in practice not theory. Efficient is optimal for performance, yet largest. Compromise is a middleground. 2022-07-07 08:26:59 -04:00			`BitSignature::ClassicLinear => 1,`
Consolidate concise/efficient and clean 2022-07-07 07:30:10 -04:00			`BitSignature::ConciseLinear => 2,`
Add Classic/Compromise DLEqs and a benchmark Formatted results from my laptop: EfficientLinear had a average prove time of 188ms EfficientLinear had a average verify time of 126ms CompromiseLinear had a average prove time of 176ms CompromiseLinear had a average verify time of 141ms ConciseLinear had a average prove time of 191ms ConciseLinear had a average verify time of 160ms ClassicLinear had a average prove time of 214ms ClassicLinear had a average verify time of 159ms There is a decent error margin here. Concise is a drop-in replacement for Classic, in practice not theory. Efficient is optimal for performance, yet largest. Compromise is a middleground. 2022-07-07 08:26:59 -04:00			`BitSignature::EfficientLinear => 1,`
			`BitSignature::CompromiseLinear => 2`
Consolidate concise/efficient and clean 2022-07-07 07:30:10 -04:00			`}`
			`}`
Add a batch verified DLEq The batch verified one offers ~23% faster verification. While this massively refactors for modularity, I'm still not happy with the DLEq proofs at the top level, nor am I happy with the AOS signatures. I'll work on cleaning them up more later. 2022-07-05 19:10:30 -04:00
Consolidate concise/efficient and clean 2022-07-07 07:30:10 -04:00			`pub(crate) const fn ring_len(&self) -> usize {`
			`2_usize.pow(self.bits() as u32)`
			`}`

			`fn aos_form<G0: PrimeGroup, G1: PrimeGroup>(&self) -> Re<G0, G1> {`
			`match self {`
Add Classic/Compromise DLEqs and a benchmark Formatted results from my laptop: EfficientLinear had a average prove time of 188ms EfficientLinear had a average verify time of 126ms CompromiseLinear had a average prove time of 176ms CompromiseLinear had a average verify time of 141ms ConciseLinear had a average prove time of 191ms ConciseLinear had a average verify time of 160ms ClassicLinear had a average prove time of 214ms ClassicLinear had a average verify time of 159ms There is a decent error margin here. Concise is a drop-in replacement for Classic, in practice not theory. Efficient is optimal for performance, yet largest. Compromise is a middleground. 2022-07-07 08:26:59 -04:00			`BitSignature::ClassicLinear => Re::e_default(),`
Consolidate concise/efficient and clean 2022-07-07 07:30:10 -04:00			`BitSignature::ConciseLinear => Re::e_default(),`
Add Classic/Compromise DLEqs and a benchmark Formatted results from my laptop: EfficientLinear had a average prove time of 188ms EfficientLinear had a average verify time of 126ms CompromiseLinear had a average prove time of 176ms CompromiseLinear had a average verify time of 141ms ConciseLinear had a average prove time of 191ms ConciseLinear had a average verify time of 160ms ClassicLinear had a average prove time of 214ms ClassicLinear had a average verify time of 159ms There is a decent error margin here. Concise is a drop-in replacement for Classic, in practice not theory. Efficient is optimal for performance, yet largest. Compromise is a middleground. 2022-07-07 08:26:59 -04:00			`BitSignature::EfficientLinear => Re::R_default(),`
			`BitSignature::CompromiseLinear => Re::R_default()`
Consolidate concise/efficient and clean 2022-07-07 07:30:10 -04:00			`}`
			`}`
Add a batch verified DLEq The batch verified one offers ~23% faster verification. While this massively refactors for modularity, I'm still not happy with the DLEq proofs at the top level, nor am I happy with the AOS signatures. I'll work on cleaning them up more later. 2022-07-05 19:10:30 -04:00			`}`

			`#[derive(Clone, PartialEq, Eq, Debug)]`
Consolidate concise/efficient and clean 2022-07-07 07:30:10 -04:00			`pub(crate) struct Bits<`
			`G0: PrimeGroup,`
			`G1: PrimeGroup,`
			`const SIGNATURE: u8,`
			`const RING_LEN: usize`
			`> {`
Add a batch verified DLEq The batch verified one offers ~23% faster verification. While this massively refactors for modularity, I'm still not happy with the DLEq proofs at the top level, nor am I happy with the AOS signatures. I'll work on cleaning them up more later. 2022-07-05 19:10:30 -04:00			`pub(crate) commitments: (G0, G1),`
Consolidate concise/efficient and clean 2022-07-07 07:30:10 -04:00			`signature: Aos<G0, G1, RING_LEN>`
Add a batch verified DLEq The batch verified one offers ~23% faster verification. While this massively refactors for modularity, I'm still not happy with the DLEq proofs at the top level, nor am I happy with the AOS signatures. I'll work on cleaning them up more later. 2022-07-05 19:10:30 -04:00			`}`

Consolidate concise/efficient and clean 2022-07-07 07:30:10 -04:00			`impl<`
			`G0: PrimeGroup,`
			`G1: PrimeGroup,`
			`const SIGNATURE: u8,`
			`const RING_LEN: usize`
			`> Bits<G0, G1, SIGNATURE, RING_LEN> where G0::Scalar: PrimeFieldBits, G1::Scalar: PrimeFieldBits {`
Add a batch verified DLEq The batch verified one offers ~23% faster verification. While this massively refactors for modularity, I'm still not happy with the DLEq proofs at the top level, nor am I happy with the AOS signatures. I'll work on cleaning them up more later. 2022-07-05 19:10:30 -04:00			`fn transcript<T: Transcript>(transcript: &mut T, i: usize, commitments: (G0, G1)) {`
Consolidate concise/efficient and clean 2022-07-07 07:30:10 -04:00			`transcript.domain_separate(b"bits");`
			`transcript.append_message(b"group", &u16::try_from(i).unwrap().to_le_bytes());`
Add a batch verified DLEq The batch verified one offers ~23% faster verification. While this massively refactors for modularity, I'm still not happy with the DLEq proofs at the top level, nor am I happy with the AOS signatures. I'll work on cleaning them up more later. 2022-07-05 19:10:30 -04:00			`transcript.append_message(b"commitment_0", commitments.0.to_bytes().as_ref());`
			`transcript.append_message(b"commitment_1", commitments.1.to_bytes().as_ref());`
			`}`

			`fn ring(pow_2: (G0, G1), commitments: (G0, G1)) -> Vec<(G0, G1)> {`
Consolidate concise/efficient and clean 2022-07-07 07:30:10 -04:00			`let mut res = vec![commitments; RING_LEN];`
			`for i in 1 .. RING_LEN {`
			`res[i] = (res[i - 1].0 - pow_2.0, res[i - 1].1 - pow_2.1);`
Add a batch verified DLEq The batch verified one offers ~23% faster verification. While this massively refactors for modularity, I'm still not happy with the DLEq proofs at the top level, nor am I happy with the AOS signatures. I'll work on cleaning them up more later. 2022-07-05 19:10:30 -04:00			`}`
			`res`
			`}`

			`fn shift(pow_2: &mut (G0, G1)) {`
Consolidate concise/efficient and clean 2022-07-07 07:30:10 -04:00			`for _ in 0 .. BitSignature::from(SIGNATURE).bits() {`
Add a batch verified DLEq The batch verified one offers ~23% faster verification. While this massively refactors for modularity, I'm still not happy with the DLEq proofs at the top level, nor am I happy with the AOS signatures. I'll work on cleaning them up more later. 2022-07-05 19:10:30 -04:00			`pow_2.0 = pow_2.0.double();`
			`pow_2.1 = pow_2.1.double();`
			`}`
			`}`

			`pub(crate) fn prove<R: RngCore + CryptoRng, T: Clone + Transcript>(`
			`rng: &mut R,`
			`transcript: &mut T,`
			`generators: (Generators<G0>, Generators<G1>),`
			`i: usize,`
			`pow_2: &mut (G0, G1),`
			`bits: u8,`
			`blinding_key: (G0::Scalar, G1::Scalar)`
			`) -> Self {`
			`let mut commitments = (`
			`(generators.0.alt * blinding_key.0),`
			`(generators.1.alt * blinding_key.1)`
			`);`
			`commitments.0 += pow_2.0 * G0::Scalar::from(bits.into());`
			`commitments.1 += pow_2.1 * G1::Scalar::from(bits.into());`
Consolidate concise/efficient and clean 2022-07-07 07:30:10 -04:00
Add a batch verified DLEq The batch verified one offers ~23% faster verification. While this massively refactors for modularity, I'm still not happy with the DLEq proofs at the top level, nor am I happy with the AOS signatures. I'll work on cleaning them up more later. 2022-07-05 19:10:30 -04:00			`Self::transcript(transcript, i, commitments);`

Consolidate concise/efficient and clean 2022-07-07 07:30:10 -04:00			`let signature = Aos::prove(`
			`rng,`
			`transcript.clone(),`
			`generators,`
			`&Self::ring(*pow_2, commitments),`
			`usize::from(bits),`
			`blinding_key,`
			`BitSignature::from(SIGNATURE).aos_form()`
			`);`
Add a batch verified DLEq The batch verified one offers ~23% faster verification. While this massively refactors for modularity, I'm still not happy with the DLEq proofs at the top level, nor am I happy with the AOS signatures. I'll work on cleaning them up more later. 2022-07-05 19:10:30 -04:00
			`Self::shift(pow_2);`
			`Bits { commitments, signature }`
			`}`

			`pub(crate) fn verify<R: RngCore + CryptoRng, T: Clone + Transcript>(`
			`&self,`
			`rng: &mut R,`
			`transcript: &mut T,`
			`generators: (Generators<G0>, Generators<G1>),`
Consolidate concise/efficient and clean 2022-07-07 07:30:10 -04:00			`batch: &mut (BatchVerifier<(), G0>, BatchVerifier<(), G1>),`
Add a batch verified DLEq The batch verified one offers ~23% faster verification. While this massively refactors for modularity, I'm still not happy with the DLEq proofs at the top level, nor am I happy with the AOS signatures. I'll work on cleaning them up more later. 2022-07-05 19:10:30 -04:00			`i: usize,`
			`pow_2: &mut (G0, G1)`
			`) -> Result<(), DLEqError> {`
			`Self::transcript(transcript, i, self.commitments);`
Consolidate concise/efficient and clean 2022-07-07 07:30:10 -04:00
Add a batch verified DLEq The batch verified one offers ~23% faster verification. While this massively refactors for modularity, I'm still not happy with the DLEq proofs at the top level, nor am I happy with the AOS signatures. I'll work on cleaning them up more later. 2022-07-05 19:10:30 -04:00			`self.signature.verify(`
			`rng,`
			`transcript.clone(),`
			`generators,`
Consolidate concise/efficient and clean 2022-07-07 07:30:10 -04:00			`batch,`
Add a batch verified DLEq The batch verified one offers ~23% faster verification. While this massively refactors for modularity, I'm still not happy with the DLEq proofs at the top level, nor am I happy with the AOS signatures. I'll work on cleaning them up more later. 2022-07-05 19:10:30 -04:00			`&Self::ring(*pow_2, self.commitments)`
			`)?;`

			`Self::shift(pow_2);`
			`Ok(())`
			`}`

			`#[cfg(feature = "serialize")]`
			`pub(crate) fn serialize<W: Write>(&self, w: &mut W) -> std::io::Result<()> {`
			`w.write_all(self.commitments.0.to_bytes().as_ref())?;`
			`w.write_all(self.commitments.1.to_bytes().as_ref())?;`
			`self.signature.serialize(w)`
			`}`

			`#[cfg(feature = "serialize")]`
Consolidate concise/efficient and clean 2022-07-07 07:30:10 -04:00			`pub(crate) fn deserialize<R: Read>(r: &mut R) -> std::io::Result<Self> {`
Fix serialization This enabled getting the proof sizes, which are: - ConciseLinear had a proof size of 44607 bytes - CompromiseLinear had a proof size of 48765 bytes - ClassicLinear had a proof size of 56829 bytes - EfficientLinear had a proof size of 65145 byte 2022-07-07 08:46:11 -04:00			`Ok(`
			`Bits {`
			`commitments: (read_point(r)?, read_point(r)?),`
			`signature: Aos::deserialize(r, BitSignature::from(SIGNATURE).aos_form())?`
			`}`
			`)`
Add a batch verified DLEq The batch verified one offers ~23% faster verification. While this massively refactors for modularity, I'm still not happy with the DLEq proofs at the top level, nor am I happy with the AOS signatures. I'll work on cleaning them up more later. 2022-07-05 19:10:30 -04:00			`}`
			`}`