ホーム エクスプローラ ヘルプ
サインイン
SigmaProtocol
/
sigma-compiler
3
1
フォーク 0
ファイル
ツリー: 4cd834c20e
ブランチ タグ
sigma-compiler
/
sigma-compiler-core
/
src
/
pedersen.rs

pedersen.rs 59 KB
履歴 Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802803804805806807808809810811812813814815816817818819820821822823824825826827828829830831832833834835836837838839840841842843844845846847848849850851852853854855856857858859860861862863864865866867868869870871872873874875876877878879880881882883884885886887888889890891892893894895896897898899900901902903904905906907908909910911912913914915916917918919920921922923924925926927928929930931932933934935936937938939940941942943944945946947948949950951952953954955956957958959960961962963964965966967968969970971972973974975976977978979980981982983984985986987988989990991992993994995996997998999100010011002100310041005100610071008100910101011101210131014101510161017101810191020102110221023102410251026102710281029103010311032103310341035103610371038103910401041104210431044104510461047104810491050105110521053105410551056105710581059106010611062106310641065106610671068106910701071107210731074107510761077107810791080108110821083108410851086108710881089109010911092109310941095109610971098109911001101110211031104110511061107110811091110111111121113111411151116111711181119112011211122112311241125112611271128112911301131113211331134113511361137113811391140114111421143114411451146114711481149115011511152115311541155115611571158115911601161116211631164116511661167116811691170117111721173117411751176117711781179118011811182118311841185118611871188118911901191119211931194119511961197119811991200120112021203120412051206120712081209121012111212121312141215121612171218121912201221122212231224122512261227122812291230123112321233123412351236123712381239124012411242124312441245124612471248124912501251125212531254125512561257125812591260126112621263126412651266126712681269127012711272127312741275127612771278127912801281128212831284128512861287128812891290129112921293129412951296129712981299130013011302130313041305130613071308130913101311131213131314131513161317131813191320132113221323132413251326132713281329133013311332133313341335133613371338133913401341134213431344134513461347134813491350135113521353135413551356135713581359136013611362136313641365136613671368136913701371137213731374137513761377137813791380138113821383138413851386138713881389139013911392139313941395139613971398139914001401140214031404140514061407140814091410141114121413141414151416141714181419142014211422142314241425142614271428142914301431143214331434143514361437143814391440144114421443144414451446144714481449145014511452145314541455145614571458145914601461146214631464146514661467146814691470147114721473147414751476147714781479148014811482148314841485148614871488148914901491149214931494149514961497149814991500150115021503150415051506150715081509151015111512151315141515151615171518151915201521152215231524152515261527152815291530153115321533153415351536153715381539154015411542154315441545154615471548154915501551155215531554155515561557155815591560156115621563156415651566156715681569157015711572157315741575157615771578157915801581158215831584158515861587158815891590159115921593159415951596159715981599160016011602160316041605160616071608160916101611161216131614161516161617161816191620162116221623162416251626162716281629163016311632163316341635163616371638163916401641164216431644164516461647164816491650165116521653165416551656165716581659166016611662166316641665166616671668166916701671167216731674167516761677167816791680168116821683168416851686168716881689169016911692169316941695169616971698169917001701170217031704170517061707170817091710171117121713171417151716171717181719172017211722172317241725172617271728172917301731173217331734173517361737173817391740174117421743174417451746174717481749175017511752175317541755175617571758175917601761176217631764176517661767176817691770177117721773177417751776177717781779178017811782178317841785178617871788178917901791179217931794179517961797179817991800180118021803180418051806180718081809181018111812181318141815181618171818181918201821182218231824182518261827182818291830183118321833183418351836183718381839184018411842184318441845184618471848184918501851185218531854185518561857 
  1. //! A module for finding and manipulating Pedersen commitments in a
    2. 

  2. //! [`StatementTree`].
    3. 

  3. //!
    4. 

  4. //! A Pedersen commitment to a private `Scalar` `x` looks like
    5. 

  5. //!
    6. 

  6. //! `C = (a*x+b)*A + (c*r+d)*B`
    7. 

  7. //!
    8. 

  8. //! Where `a` and `c` are a constant non-zero `Scalar`s (defaults to
    9. 

  9. //! [`Scalar::ONE`](https://docs.rs/ff/0.13.1/ff/trait.Field.html#associatedconstant.ONE)),
    10. 

  10. //! `b`, and `d` are public `Scalar`s or constants (or combinations of
    11. 

  11. //! those), `r` is a random private `Scalar` that appears nowhere else
    12. 

  12. //! in the [`StatementTree`], `C` is a public `Point`, and `A` and `B`
    13. 

  13. //! are computationally independent public `Point`s.
    14. 

  14. 

  15. use super::sigma::combiners::*;
    16. 

  16. use super::sigma::types::*;
    17. 

  17. use super::syntax::*;
    18. 

  18. use super::transform::paren_if_needed;
    19. 

  19. use proc_macro2::TokenStream;
    20. 

  20. use quote::quote;
    21. 

  21. use std::collections::{HashMap, HashSet};
    22. 

  22. use syn::parse::Result;
    23. 

  23. use syn::visit::Visit;
    24. 

  24. use syn::{parse_quote, Error, Expr, Ident};
    25. 

  25. 

  26. /// Find all random private `Scalar`s (according to the
    27. 

  27. /// [`TaggedVarDict`]) that appear exactly once in the
    28. 

  28. /// [`StatementTree`].
    29. 

  29. pub fn unique_random_scalars(vars: &TaggedVarDict, st: &StatementTree) -> HashSet<String> {
    30. 

  30.     // Filter the TaggedVarDict so that it only contains the private
    31. 

  31.     // _random_ Scalars
    32. 

  32.     let random_private_scalars: VarDict = vars
    33. 

  33.         .iter()
    34. 

  34.         .filter(|(_, v)| {
    35. 

  35.             matches!(
    36. 

  36.                 v,
    37. 

  37.                 TaggedIdent::Scalar(TaggedScalar {
    38. 

  38.                     is_pub: false,
    39. 

  39.                     is_rand: true,
    40. 

  40.                     ..
    41. 

  41.                 })
    42. 

  42.             )
    43. 

  43.         })
    44. 

  44.         .map(|(k, v)| (k.clone(), AExprType::from(v)))
    45. 

  45.         .collect();
    46. 

  46. 

  47.     let mut seen_randoms: HashMap<String, usize> = HashMap::new();
    48. 

  48. 

  49.     // Create a PrivScalarMap that will call the given closure for each
    50. 

  50.     // private Scalar (listed in the VarDict) in a supplied expression
    51. 

  51.     let mut var_map = PrivScalarMap {
    52. 

  52.         vars: &random_private_scalars,
    53. 

  53.         // The closure counts how many times each private random Scalar
    54. 

  54.         // in the VarDict appears in total
    55. 

  55.         closure: &mut |ident| {
    56. 

  56.             let id_str = ident.to_string();
    57. 

  57.             let val = seen_randoms.get(&id_str);
    58. 

  58.             let newval = match val {
    59. 

  59.                 Some(n) => n + 1,
    60. 

  60.                 None => 1,
    61. 

  61.             };
    62. 

  62.             seen_randoms.insert(id_str, newval);
    63. 

  63.             Ok(())
    64. 

  64.         },
    65. 

  65.         result: Ok(()),
    66. 

  66.     };
    67. 

  67.     // Call the PrivScalarMap for each leaf expression in the
    68. 

  68.     // StatementTree
    69. 

  69.     for e in st.leaves() {
    70. 

  70.         var_map.visit_expr(e);
    71. 

  71.     }
    72. 

  72.     // Return a HashSet of the ones that we saw exactly once
    73. 

  73.     seen_randoms
    74. 

  74.         .into_iter()
    75. 

  75.         .filter_map(|(k, v)| if v == 1 { Some(k) } else { None })
    76. 

  76.         .collect()
    77. 

  77. }
    78. 

  78. 

  79. /// A representation of `a*x + b` where `a` is a constant `Scalar`, `b`
    80. 

  80. /// is a public `Scalar` [arithmetic expression], and `x` is a private
    81. 

  81. /// `Scalar` variable.  `a` is optional, and defaults to `1`. `b` is
    82. 

  82. /// optional, and defaults to `0`
    83. 

  83. ///
    84. 

  84. /// [arithmetic expression]: expr_type
    85. 

  85. #[derive(Clone, Debug, PartialEq, Eq)]
    86. 

  86. pub struct LinScalar {
    87. 

  87.     /// The coefficient `a`
    88. 

  88.     pub coeff: i128,
    89. 

  89.     /// The public `Scalar` expression `b`, if present
    90. 

  90.     pub pub_scalar_expr: Option<Expr>,
    91. 

  91.     /// The private `Scalar` `x`
    92. 

  92.     pub id: Ident,
    93. 

  93.     /// Whether `x` is a vector variable
    94. 

  94.     pub is_vec: bool,
    95. 

  95. }
    96. 

  96. 

  97. impl LinScalar {
    98. 

  98.     /// Negate a [`LinScalar`]
    99. 

  99.     pub fn negate(self) -> Result<Self> {
    100. 

  100.         Ok(Self {
    101. 

  101.             coeff: self.coeff.checked_neg().ok_or(Error::new(
    102. 

  102.                 proc_macro2::Span::call_site(),
    103. 

  103.                 "i128 neg overflow",
    104. 

  104.             ))?,
    105. 

  105.             pub_scalar_expr: if let Some(expr) = self.pub_scalar_expr {
    106. 

  106.                 let pexpr = paren_if_needed(expr);
    107. 

  107.                 Some(parse_quote! { -#pexpr })
    108. 

  108.             } else {
    109. 

  109.                 None
    110. 

  110.             },
    111. 

  111.             ..self
    112. 

  112.         })
    113. 

  113.     }
    114. 

  114. 

  115.     /// Add a public `Scalar` expression to a [`LinScalar`]
    116. 

  116.     pub fn add_opt_pub_scalar_expr(self, opsexpr: Option<Expr>) -> Result<Self> {
    117. 

  117.         if let Some(psexpr) = opsexpr {
    118. 

  118.             Ok(Self {
    119. 

  119.                 pub_scalar_expr: if let Some(expr) = self.pub_scalar_expr {
    120. 

  120.                     let ppsexpr = paren_if_needed(psexpr);
    121. 

  121.                     Some(parse_quote! { #expr + #ppsexpr })
    122. 

  122.                 } else {
    123. 

  123.                     Some(psexpr)
    124. 

  124.                 },
    125. 

  125.                 ..self
    126. 

  126.             })
    127. 

  127.         } else {
    128. 

  128.             Ok(self)
    129. 

  129.         }
    130. 

  130.     }
    131. 

  131. 

  132.     /// Add a [`LinScalar`] to a [`LinScalar`].
    133. 

  133.     ///
    134. 

  134.     /// The private variables must match.
    135. 

  135.     pub fn add_linscalar(self, arg: Self) -> Result<Self> {
    136. 

  136.         if self.id != arg.id {
    137. 

  137.             return Err(Error::new(
    138. 

  138.                 proc_macro2::Span::call_site(),
    139. 

  139.                 "private variables in added LinScalars do not match",
    140. 

  140.             ));
    141. 

  141.         }
    142. 

  142.         Self {
    143. 

  143.             coeff: self.coeff.checked_add(arg.coeff).ok_or(Error::new(
    144. 

  144.                 proc_macro2::Span::call_site(),
    145. 

  145.                 "i128 add overflow",
    146. 

  146.             ))?,
    147. 

  147.             ..self
    148. 

  148.         }
    149. 

  149.         .add_opt_pub_scalar_expr(arg.pub_scalar_expr)
    150. 

  150.     }
    151. 

  151. 

  152.     /// Multiply a [`LinScalar`] by a constant
    153. 

  153.     pub fn mul_const(self, arg: i128) -> Result<Self> {
    154. 

  154.         Ok(Self {
    155. 

  155.             coeff: self.coeff.checked_mul(arg).ok_or(Error::new(
    156. 

  156.                 proc_macro2::Span::call_site(),
    157. 

  157.                 "i128 mul overflow",
    158. 

  158.             ))?,
    159. 

  159.             pub_scalar_expr: if let Some(expr) = self.pub_scalar_expr {
    160. 

  160.                 if arg == 1 {
    161. 

  161.                     Some(expr)
    162. 

  162.                 } else {
    163. 

  163.                     let pexpr = paren_if_needed(expr);
    164. 

  164.                     Some(parse_quote! { #pexpr * #arg })
    165. 

  165.                 }
    166. 

  166.             } else {
    167. 

  167.                 None
    168. 

  168.             },
    169. 

  169.             ..self
    170. 

  170.         })
    171. 

  171.     }
    172. 

  172. 

  173.     /// Output a [`LinScalar`] as an [`Expr`]
    174. 

  174.     pub fn to_expr(&self) -> Expr {
    175. 

  175.         let coeff = self.coeff;
    176. 

  176.         let id = &self.id;
    177. 

  177.         // If there's a non-1 coefficient, multiply it by the id
    178. 

  178.         let coeff_var_term: Expr = if coeff == 1 {
    179. 

  179.             parse_quote! { #id }
    180. 

  180.         } else {
    181. 

  181.             parse_quote! { #coeff * #id }
    182. 

  182.         };
    183. 

  183.         // If there's a pub_scalar_expr, add it to the result
    184. 

  184.         if let Some(ref pse) = self.pub_scalar_expr {
    185. 

  185.             let ppse = paren_if_needed(pse.clone());
    186. 

  186.             parse_quote! { #coeff_var_term + #ppse }
    187. 

  187.         } else {
    188. 

  188.             coeff_var_term
    189. 

  189.         }
    190. 

  190.     }
    191. 

  191. }
    192. 

  192. 

  193. /// A representation of `b*A` where `b` is a public `Scalar` [arithmetic
    194. 

  194. /// expression] (default to `1`) and `A` is a computationally
    195. 

  195. /// independent `Point`.
    196. 

  196. ///
    197. 

  197. /// [arithmetic expression]: expr_type
    198. 

  198. #[derive(Clone, Debug, PartialEq, Eq)]
    199. 

  199. pub struct CIndPoint {
    200. 

  200.     /// The public `Scalar` expression `b`
    201. 

  201.     pub coeff: Option<Expr>,
    202. 

  202.     /// The value of the coeff, if it's a constant
    203. 

  203.     pub coeff_val: Option<i128>,
    204. 

  204.     /// The public `Point` `A`
    205. 

  205.     pub id: Ident,
    206. 

  206. }
    207. 

  207. 

  208. impl CIndPoint {
    209. 

  209.     /// Negate a [`CIndPoint`]
    210. 

  210.     pub fn negate(self) -> Result<Self> {
    211. 

  211.         Ok(Self {
    212. 

  212.             coeff: Some(if let Some(expr) = self.coeff {
    213. 

  213.                 let pexpr = paren_if_needed(expr);
    214. 

  214.                 parse_quote! { -#pexpr }
    215. 

  215.             } else {
    216. 

  216.                 parse_quote! { -1 }
    217. 

  217.             }),
    218. 

  218.             coeff_val: if let Some(val) = self.coeff_val {
    219. 

  219.                 val.checked_neg()
    220. 

  220.             } else {
    221. 

  221.                 None
    222. 

  222.             },
    223. 

  223.             ..self
    224. 

  224.         })
    225. 

  225.     }
    226. 

  226. 

  227.     /// Add a [`CIndPoint`] to a [`CIndPoint`]
    228. 

  228.     pub fn add_cind(self, arg: CIndPoint) -> Result<Self> {
    229. 

  229.         if self.id != arg.id {
    230. 

  230.             return Err(Error::new(
    231. 

  231.                 proc_macro2::Span::call_site(),
    232. 

  232.                 "public points in added CIndPoints do not match",
    233. 

  233.             ));
    234. 

  234.         }
    235. 

  235.         let lexpr = if let Some(expr) = self.coeff {
    236. 

  236.             expr
    237. 

  237.         } else {
    238. 

  238.             parse_quote! { 1 }
    239. 

  239.         };
    240. 

  240.         let rexpr = if let Some(expr) = arg.coeff {
    241. 

  241.             paren_if_needed(expr)
    242. 

  242.         } else {
    243. 

  243.             parse_quote! { 1 }
    244. 

  244.         };
    245. 

  245.         let coeff_val = if let (Some(lval), Some(rval)) = (self.coeff_val, arg.coeff_val) {
    246. 

  246.             lval.checked_add(rval)
    247. 

  247.         } else {
    248. 

  248.             None
    249. 

  249.         };
    250. 

  250.         Ok(Self {
    251. 

  251.             coeff: Some(parse_quote! { #lexpr + #rexpr }),
    252. 

  252.             coeff_val,
    253. 

  253.             ..self
    254. 

  254.         })
    255. 

  255.     }
    256. 

  256. 

  257.     /// Multiply a public Scalar [`Expr`] by a [`CIndPoint`].  val is
    258. 

  258.     /// Some(v) if the Expr is the constant v.
    259. 

  259.     pub fn mul_pub_scalar_expr(self, expr: Expr, val: Option<i128>) -> Result<Self> {
    260. 

  260.         let coeff = match self.coeff {
    261. 

  261.             None => Some(expr),
    262. 

  262.             Some(selfexpr) => {
    263. 

  263.                 let pleft = paren_if_needed(selfexpr);
    264. 

  264.                 let pright = paren_if_needed(expr);
    265. 

  265.                 Some(parse_quote! { #pleft * #pright })
    266. 

  266.             }
    267. 

  267.         };
    268. 

  268.         let coeff_val = match (self.coeff_val, val) {
    269. 

  269.             (Some(leftval), Some(rightval)) => leftval.checked_mul(rightval),
    270. 

  270.             _ => None,
    271. 

  271.         };
    272. 

  272.         Ok(Self {
    273. 

  273.             coeff,
    274. 

  274.             coeff_val,
    275. 

  275.             ..self
    276. 

  276.         })
    277. 

  277.     }
    278. 

  278. }
    279. 

  279. 

  280. /// A representation of `(a*x + b)*A` where `a` is a constant `Scalar`
    281. 

  281. /// (default to `1`), `b` is a public `Scalar` [arithmetic expression]
    282. 

  282. /// (default to `0`), `x` is a private `Scalar` variable, and `A` is a
    283. 

  283. /// computationally independent `Point`
    284. 

  284. #[derive(Clone, Debug, PartialEq, Eq)]
    285. 

  285. pub struct Term {
    286. 

  286.     /// The `Scalar` expression `a*x + b`
    287. 

  287.     pub coeff: LinScalar,
    288. 

  288.     /// The public `Point` `A`
    289. 

  289.     pub id: Ident,
    290. 

  290. }
    291. 

  291. 

  292. impl Term {
    293. 

  293.     /// Negate a [`Term`]
    294. 

  294.     pub fn negate(self) -> Result<Self> {
    295. 

  295.         Ok(Self {
    296. 

  296.             coeff: self.coeff.negate()?,
    297. 

  297.             ..self
    298. 

  298.         })
    299. 

  299.     }
    300. 

  300. 

  301.     /// Add a [`CIndPoint`] to a [`Term`]
    302. 

  302.     pub fn add_cind(self, arg: CIndPoint) -> Result<Self> {
    303. 

  303.         if self.id != arg.id {
    304. 

  304.             return Err(Error::new(
    305. 

  305.                 proc_macro2::Span::call_site(),
    306. 

  306.                 "public points in added CIndPoint and Term do not match",
    307. 

  307.             ));
    308. 

  308.         }
    309. 

  309.         Ok(Self {
    310. 

  310.             coeff: self.coeff.add_opt_pub_scalar_expr(arg.coeff)?,
    311. 

  311.             ..self
    312. 

  312.         })
    313. 

  313.     }
    314. 

  314. 

  315.     /// Add a [`Term`] to a [`Term`]
    316. 

  316.     pub fn add_term(self, arg: Term) -> Result<Self> {
    317. 

  317.         if self.id != arg.id {
    318. 

  318.             return Err(Error::new(
    319. 

  319.                 proc_macro2::Span::call_site(),
    320. 

  320.                 "public points in added Terms do not match",
    321. 

  321.             ));
    322. 

  322.         }
    323. 

  323.         Ok(Self {
    324. 

  324.             coeff: self.coeff.add_linscalar(arg.coeff)?,
    325. 

  325.             ..self
    326. 

  326.         })
    327. 

  327.     }
    328. 

  328. 

  329.     /// Multiply a [`Term`] by a constant
    330. 

  330.     pub fn mul_const(self, arg: i128) -> Result<Self> {
    331. 

  331.         Ok(Self {
    332. 

  332.             coeff: self.coeff.mul_const(arg)?,
    333. 

  333.             ..self
    334. 

  334.         })
    335. 

  335.     }
    336. 

  336. }
    337. 

  337. 

  338. /// A representation of `(a*x+b)*A + (c*r+d)*B` where `a` and `c` are a
    339. 

  339. /// constant non-zero `Scalar`s (default to `1`), `b`, and `d` are
    340. 

  340. /// public `Scalar`s or constants or combinations of those (default to
    341. 

  341. /// `0`), `x` is a private `Scalar`, `r` is a random private `Scalar`
    342. 

  342. /// that appears nowhere else in the [`StatementTree`], and `A` and `B`
    343. 

  343. /// are computationally independent public `Point`s.
    344. 

  344. #[derive(Clone, Debug, PartialEq, Eq)]
    345. 

  345. pub struct Pedersen {
    346. 

  346.     /// The term containing the variable being committed to (`x` above)
    347. 

  347.     pub var_term: Term,
    348. 

  348.     /// The term containing the random variable (`r` above)
    349. 

  349.     pub rand_term: Term,
    350. 

  350. }
    351. 

  351. 

  352. impl Pedersen {
    353. 

  353.     /// Get the `Ident` for the committed private `Scalar` in a [`Pedersen`]
    354. 

  354.     pub fn var(&self) -> Ident {
    355. 

  355.         self.var_term.coeff.id.clone()
    356. 

  356.     }
    357. 

  357. 

  358.     /// Negate a [`Pedersen`]
    359. 

  359.     pub fn negate(self) -> Result<Self> {
    360. 

  360.         Ok(Self {
    361. 

  361.             var_term: self.var_term.negate()?,
    362. 

  362.             rand_term: self.rand_term.negate()?,
    363. 

  363.         })
    364. 

  364.     }
    365. 

  365. 

  366.     /// Add a [`CIndPoint`] to a [`Pedersen`]
    367. 

  367.     pub fn add_cind(self, arg: CIndPoint) -> Result<Self> {
    368. 

  368.         if self.var_term.id == arg.id {
    369. 

  369.             Ok(Self {
    370. 

  370.                 var_term: self.var_term.add_cind(arg)?,
    371. 

  371.                 ..self
    372. 

  372.             })
    373. 

  373.         } else if self.rand_term.id == arg.id {
    374. 

  374.             // This branch actually can't happen, since the private
    375. 

  375.             // random Scalar variable can only appear once in the
    376. 

  376.             // StatementTree.
    377. 

  377.             Ok(Self {
    378. 

  378.                 rand_term: self.rand_term.add_cind(arg)?,
    379. 

  379.                 ..self
    380. 

  380.             })
    381. 

  381.         } else {
    382. 

  382.             Err(Error::new(
    383. 

  383.                 proc_macro2::Span::call_site(),
    384. 

  384.                 "public points in added Pedersen and CIndPoint do not match",
    385. 

  385.             ))
    386. 

  386.         }
    387. 

  387.     }
    388. 

  388. 

  389.     /// Add a [`Term`] to a [`Pedersen`]
    390. 

  390.     pub fn add_term(self, arg: Term) -> Result<Self> {
    391. 

  391.         if self.var_term.id == arg.id {
    392. 

  392.             Ok(Self {
    393. 

  393.                 var_term: self.var_term.add_term(arg)?,
    394. 

  394.                 ..self
    395. 

  395.             })
    396. 

  396.         } else if self.rand_term.id == arg.id {
    397. 

  397.             // This branch actually can't happen, since the private
    398. 

  398.             // random Scalar variable can only appear once in the
    399. 

  399.             // StatementTree.
    400. 

  400.             Ok(Self {
    401. 

  401.                 rand_term: self.rand_term.add_term(arg)?,
    402. 

  402.                 ..self
    403. 

  403.             })
    404. 

  404.         } else {
    405. 

  405.             Err(Error::new(
    406. 

  406.                 proc_macro2::Span::call_site(),
    407. 

  407.                 "public points in added Pedersen and CIndPoint do not match",
    408. 

  408.             ))
    409. 

  409.         }
    410. 

  410.     }
    411. 

  411. 

  412.     /// Multiply a [`Pedersen`] by a constant
    413. 

  413.     pub fn mul_const(self, arg: i128) -> Result<Self> {
    414. 

  414.         Ok(Self {
    415. 

  415.             var_term: self.var_term.mul_const(arg)?,
    416. 

  416.             rand_term: self.rand_term.mul_const(arg)?,
    417. 

  417.         })
    418. 

  418.     }
    419. 

  419. }
    420. 

  420. 

  421. /// Components of a Pedersen commitment
    422. 

  422. #[derive(Clone, Debug, PartialEq, Eq)]
    423. 

  423. pub enum PedersenExpr {
    424. 

  424.     PubScalarExpr(Expr),
    425. 

  425.     LinScalar(LinScalar),
    426. 

  426.     CIndPoint(CIndPoint),
    427. 

  427.     Term(Term),
    428. 

  428.     Pedersen(Pedersen),
    429. 

  429. }
    430. 

  430. 

  431. /// A struct that implements [`AExprFold`] in service of
    432. 

  432. /// [`recognize_pedersen`], [`recognize_linscalar`], and
    433. 

  433. /// [`recognize_pubscalar`]
    434. 

  434. struct RecognizeFold<'a> {
    435. 

  435.     /// The [`TaggedVarDict`] that maps variable names to their types
    436. 

  436.     vars: &'a TaggedVarDict,
    437. 

  437. 

  438.     /// The HashSet of random variables that appear exactly once in the
    439. 

  439.     /// parent [`StatementTree`]
    440. 

  440.     randoms: &'a HashSet<String>,
    441. 

  441. }
    442. 

  442. 

  443. impl<'a> AExprFold<PedersenExpr> for RecognizeFold<'a> {
    444. 

  444.     /// Called when an identifier found in the [`VarDict`] is
    445. 

  445.     /// encountered in the [`Expr`]
    446. 

  446.     fn ident(&mut self, id: &Ident, _restype: AExprType) -> Result<PedersenExpr> {
    447. 

  447.         let Some(vartype) = self.vars.get(&id.to_string()) else {
    448. 

  448.             return Err(Error::new(id.span(), "unknown identifier"));
    449. 

  449.         };
    450. 

  450.         match vartype {
    451. 

  451.             TaggedIdent::Scalar(TaggedScalar { is_pub: true, .. }) => {
    452. 

  452.                 // A bare public Scalar is a simple PubScalarExpr
    453. 

  453.                 Ok(PedersenExpr::PubScalarExpr(parse_quote! { #id }))
    454. 

  454.             }
    455. 

  455.             TaggedIdent::Scalar(TaggedScalar {
    456. 

  456.                 is_pub: false,
    457. 

  457.                 is_vec,
    458. 

  458.                 ..
    459. 

  459.             }) => {
    460. 

  460.                 // A bare private Scalar is a simple LinScalar
    461. 

  461.                 Ok(PedersenExpr::LinScalar(LinScalar {
    462. 

  462.                     coeff: 1i128,
    463. 

  463.                     pub_scalar_expr: None,
    464. 

  464.                     id: id.clone(),
    465. 

  465.                     is_vec: *is_vec,
    466. 

  466.                 }))
    467. 

  467.             }
    468. 

  468.             TaggedIdent::Point(TaggedPoint { is_cind: true, .. }) => {
    469. 

  469.                 // A bare cind Point is a CIndPoint
    470. 

  470.                 Ok(PedersenExpr::CIndPoint(CIndPoint {
    471. 

  471.                     coeff: None,
    472. 

  472.                     coeff_val: Some(1),
    473. 

  473.                     id: id.clone(),
    474. 

  474.                 }))
    475. 

  475.             }
    476. 

  476.             TaggedIdent::Point(TaggedPoint { is_cind: false, .. }) => {
    477. 

  477.                 // Not a part of a valid Pedersen expression
    478. 

  478.                 Err(Error::new(id.span(), "non-cind Point"))
    479. 

  479.             }
    480. 

  480.         }
    481. 

  481.     }
    482. 

  482. 

  483.     /// Called when the arithmetic expression evaluates to a constant
    484. 

  484.     /// [`i128`] value.
    485. 

  485.     fn const_i128(&mut self, restype: AExprType) -> Result<PedersenExpr> {
    486. 

  486.         let AExprType::Scalar { val: Some(val), .. } = restype else {
    487. 

  487.             return Err(Error::new(
    488. 

  488.                 proc_macro2::Span::call_site(),
    489. 

  489.                 "BUG: it should not happen that const_i128 is called without a value",
    490. 

  490.             ));
    491. 

  491.         };
    492. 

  492.         Ok(PedersenExpr::PubScalarExpr(parse_quote! { #val }))
    493. 

  493.     }
    494. 

  494. 

  495.     /// Called for unary negation
    496. 

  496.     fn neg(&mut self, arg: (AExprType, PedersenExpr), _restype: AExprType) -> Result<PedersenExpr> {
    497. 

  497.         match arg.1 {
    498. 

  498.             PedersenExpr::PubScalarExpr(expr) => {
    499. 

  499.                 Ok(PedersenExpr::PubScalarExpr(parse_quote! { -#expr }))
    500. 

  500.             }
    501. 

  501.             PedersenExpr::LinScalar(linscalar) => Ok(PedersenExpr::LinScalar(linscalar.negate()?)),
    502. 

  502.             PedersenExpr::CIndPoint(cind) => Ok(PedersenExpr::CIndPoint(cind.negate()?)),
    503. 

  503.             PedersenExpr::Term(term) => Ok(PedersenExpr::Term(term.negate()?)),
    504. 

  504.             PedersenExpr::Pedersen(pedersen) => Ok(PedersenExpr::Pedersen(pedersen.negate()?)),
    505. 

  505.         }
    506. 

  506.     }
    507. 

  507. 

  508.     /// Called for a parenthesized expression
    509. 

  509.     fn paren(
    510. 

  510.         &mut self,
    511. 

  511.         arg: (AExprType, PedersenExpr),
    512. 

  512.         _restype: AExprType,
    513. 

  513.     ) -> Result<PedersenExpr> {
    514. 

  514.         match arg.1 {
    515. 

  515.             PedersenExpr::PubScalarExpr(expr) => {
    516. 

  516.                 Ok(PedersenExpr::PubScalarExpr(parse_quote! { (#expr) }))
    517. 

  517.             }
    518. 

  518.             _ => Ok(arg.1),
    519. 

  519.         }
    520. 

  520.     }
    521. 

  521. 

  522.     /// Called when adding two `Scalar`s
    523. 

  523.     fn add_scalars(
    524. 

  524.         &mut self,
    525. 

  525.         larg: (AExprType, PedersenExpr),
    526. 

  526.         rarg: (AExprType, PedersenExpr),
    527. 

  527.         _restype: AExprType,
    528. 

  528.     ) -> Result<PedersenExpr> {
    529. 

  529.         match (larg.1, rarg.1) {
    530. 

  530.             // Adding two PubScalarExprs yields a PubScalarExpr
    531. 

  531.             (PedersenExpr::PubScalarExpr(lexpr), PedersenExpr::PubScalarExpr(rexpr)) => Ok(
    532. 

  532.                 PedersenExpr::PubScalarExpr(parse_quote! { #lexpr + #rexpr }),
    533. 

  533.             ),
    534. 

  534.             // Adding a PubScalarExpr and a LinScalar yields a LinScalar
    535. 

  535.             (PedersenExpr::PubScalarExpr(psexpr), PedersenExpr::LinScalar(linscalar))
    536. 

  536.             | (PedersenExpr::LinScalar(linscalar), PedersenExpr::PubScalarExpr(psexpr)) => Ok(
    537. 

  537.                 PedersenExpr::LinScalar(linscalar.add_opt_pub_scalar_expr(Some(psexpr))?),
    538. 

  538.             ),
    539. 

  539.             // Adding two LinScalars yields a LinScalar if they're for
    540. 

  540.             // the same private Scalar
    541. 

  541.             (PedersenExpr::LinScalar(llinscalar), PedersenExpr::LinScalar(rlinscalar)) => Ok(
    542. 

  542.                 PedersenExpr::LinScalar(llinscalar.add_linscalar(rlinscalar)?),
    543. 

  543.             ),
    544. 

  544.             // Nothing else is valid
    545. 

  545.             _ => Err(Error::new(
    546. 

  546.                 proc_macro2::Span::call_site(),
    547. 

  547.                 "not a component of a Pedersen commitment",
    548. 

  548.             )),
    549. 

  549.         }
    550. 

  550.     }
    551. 

  551. 

  552.     /// Called when adding two `Point`s
    553. 

  553.     fn add_points(
    554. 

  554.         &mut self,
    555. 

  555.         larg: (AExprType, PedersenExpr),
    556. 

  556.         rarg: (AExprType, PedersenExpr),
    557. 

  557.         _restype: AExprType,
    558. 

  558.     ) -> Result<PedersenExpr> {
    559. 

  559.         match (larg.1, rarg.1) {
    560. 

  560.             // Adding two CIndPoints yields a CIndPoint if they're for
    561. 

  561.             // the same public Point
    562. 

  562.             (PedersenExpr::CIndPoint(lcind), PedersenExpr::CIndPoint(rcind)) => {
    563. 

  563.                 Ok(PedersenExpr::CIndPoint(lcind.add_cind(rcind)?))
    564. 

  564.             }
    565. 

  565.             // Adding a CIndPoint to a Term yields a Term if they're for
    566. 

  566.             // the same public Point
    567. 

  567.             (PedersenExpr::CIndPoint(cind), PedersenExpr::Term(term))
    568. 

  568.             | (PedersenExpr::Term(term), PedersenExpr::CIndPoint(cind)) => {
    569. 

  569.                 Ok(PedersenExpr::Term(term.add_cind(cind)?))
    570. 

  570.             }
    571. 

  571.             // Adding a Term to a Term yields a Term if they're for the
    572. 

  572.             // same public Point and private Scalar, or a Pedersen if
    573. 

  573.             // they're different, but one is for a private random Scalar
    574. 

  574.             // that only appears once in the [`StatementTree`]
    575. 

  575.             (PedersenExpr::Term(lterm), PedersenExpr::Term(rterm)) => {
    576. 

  576.                 if lterm.id == rterm.id {
    577. 

  577.                     Ok(PedersenExpr::Term(lterm.add_term(rterm)?))
    578. 

  578.                 } else if self.randoms.contains(&rterm.coeff.id.to_string()) {
    579. 

  579.                     Ok(PedersenExpr::Pedersen(Pedersen {
    580. 

  580.                         var_term: lterm,
    581. 

  581.                         rand_term: rterm,
    582. 

  582.                     }))
    583. 

  583.                 } else if self.randoms.contains(&lterm.coeff.id.to_string()) {
    584. 

  584.                     Ok(PedersenExpr::Pedersen(Pedersen {
    585. 

  585.                         var_term: rterm,
    586. 

  586.                         rand_term: lterm,
    587. 

  587.                     }))
    588. 

  588.                 } else {
    589. 

  589.                     Err(Error::new(
    590. 

  590.                         proc_macro2::Span::call_site(),
    591. 

  591.                         "public points in added Terms do not form a Pedersen commitment",
    592. 

  592.                     ))
    593. 

  593.                 }
    594. 

  594.             }
    595. 

  595.             // Adding a CIndPoint to a Pedersen yields a Pedersen if one
    596. 

  596.             // of the two public Points in the Pedersen matches the one
    597. 

  597.             // in the CIndPoint
    598. 

  598.             (PedersenExpr::CIndPoint(cind), PedersenExpr::Pedersen(pedersen))
    599. 

  599.             | (PedersenExpr::Pedersen(pedersen), PedersenExpr::CIndPoint(cind)) => {
    600. 

  600.                 Ok(PedersenExpr::Pedersen(pedersen.add_cind(cind)?))
    601. 

  601.             }
    602. 

  602.             // Adding a Term to a Pedersen yields a Pedersen if one of
    603. 

  603.             // the two public Points in the Pedersen matches the one
    604. 

  604.             // in the Term
    605. 

  605.             (PedersenExpr::Term(term), PedersenExpr::Pedersen(pedersen))
    606. 

  606.             | (PedersenExpr::Pedersen(pedersen), PedersenExpr::Term(term)) => {
    607. 

  607.                 Ok(PedersenExpr::Pedersen(pedersen.add_term(term)?))
    608. 

  608.             }
    609. 

  609. 

  610.             // Note that it's impossible to add a Pedersen to a
    611. 

  611.             // Pedersen, since the private random Scalar only appears
    612. 

  612.             // once in the StatementTree.
    613. 

  613. 

  614.             // Nothing else is valid
    615. 

  615.             _ => Err(Error::new(
    616. 

  616.                 proc_macro2::Span::call_site(),
    617. 

  617.                 "not a component of a Pedersen commitment",
    618. 

  618.             )),
    619. 

  619.         }
    620. 

  620.     }
    621. 

  621. 

  622.     /// Called when summing a vector of `Scalar`s
    623. 

  623.     fn sum_scalars(
    624. 

  624.         &mut self,
    625. 

  625.         _arg: (AExprType, PedersenExpr),
    626. 

  626.         _restype: AExprType,
    627. 

  627.     ) -> Result<PedersenExpr> {
    628. 

  628.         // Sums are never recognized as components of Pedersen
    629. 

  629.         // commitments
    630. 

  630.         Err(Error::new(
    631. 

  631.             proc_macro2::Span::call_site(),
    632. 

  632.             "not a component of a Pedersen commitment",
    633. 

  633.         ))
    634. 

  634.     }
    635. 

  635. 

  636.     /// Called when summing a vector of `Point`s
    637. 

  637.     fn sum_points(
    638. 

  638.         &mut self,
    639. 

  639.         _arg: (AExprType, PedersenExpr),
    640. 

  640.         _restype: AExprType,
    641. 

  641.     ) -> Result<PedersenExpr> {
    642. 

  642.         // Sums are never recognized as components of Pedersen
    643. 

  643.         // commitments
    644. 

  644.         Err(Error::new(
    645. 

  645.             proc_macro2::Span::call_site(),
    646. 

  646.             "not a component of a Pedersen commitment",
    647. 

  647.         ))
    648. 

  648.     }
    649. 

  649. 

  650.     /// Called when subtracting two `Scalar`s
    651. 

  651.     fn sub_scalars(
    652. 

  652.         &mut self,
    653. 

  653.         (largtype, larg): (AExprType, PedersenExpr),
    654. 

  654.         (rargtype, rarg): (AExprType, PedersenExpr),
    655. 

  655.         restype: AExprType,
    656. 

  656.     ) -> Result<PedersenExpr> {
    657. 

  657.         if let PedersenExpr::PubScalarExpr(ref lexpr) = larg {
    658. 

  658.             if let PedersenExpr::PubScalarExpr(ref rexpr) = rarg {
    659. 

  659.                 // Subtracting two PubScalarExprs yields a PubScalarExpr
    660. 

  660.                 return Ok(PedersenExpr::PubScalarExpr(
    661. 

  661.                     parse_quote! { #lexpr - #rexpr },
    662. 

  662.                 ));
    663. 

  663.             }
    664. 

  664.         }
    665. 

  665.         // Anything else gets the default treatment
    666. 

  666.         let negrarg = self.neg((rargtype, rarg), rargtype)?;
    667. 

  667.         self.add_scalars((largtype, larg), (rargtype, negrarg), restype)
    668. 

  668.     }
    669. 

  669. 

  670.     /// Called when subtracting two `Point`s
    671. 

  671.     fn sub_points(
    672. 

  672.         &mut self,
    673. 

  673.         larg: (AExprType, PedersenExpr),
    674. 

  674.         rarg: (AExprType, PedersenExpr),
    675. 

  675.         restype: AExprType,
    676. 

  676.     ) -> Result<PedersenExpr> {
    677. 

  677.         let rargtype = rarg.0;
    678. 

  678.         let negrarg = self.neg(rarg, rargtype)?;
    679. 

  679.         self.add_points(larg, (rargtype, negrarg), restype)
    680. 

  680.     }
    681. 

  681. 

  682.     /// Called when multiplying two `Scalar`s
    683. 

  683.     fn mul_scalars(
    684. 

  684.         &mut self,
    685. 

  685.         larg: (AExprType, PedersenExpr),
    686. 

  686.         rarg: (AExprType, PedersenExpr),
    687. 

  687.         _restype: AExprType,
    688. 

  688.     ) -> Result<PedersenExpr> {
    689. 

  689.         match (larg, rarg) {
    690. 

  690.             // Multiplying two PubScalarExprs yields a PubScalarExpr
    691. 

  691.             ((_, PedersenExpr::PubScalarExpr(lexpr)), (_, PedersenExpr::PubScalarExpr(rexpr))) => {
    692. 

  692.                 Ok(PedersenExpr::PubScalarExpr(
    693. 

  693.                     parse_quote! { #lexpr * #rexpr },
    694. 

  694.                 ))
    695. 

  695.             }
    696. 

  696.             // Multiplying a PubScalarExpr by a LinScalar yields a
    697. 

  697.             // LinScalar if the PubScalarExpr is actually a constant
    698. 

  698.             // (indicated by the AExprType's val field containing
    699. 

  699.             // Some(val))
    700. 

  700.             (
    701. 

  701.                 (
    702. 

  702.                     AExprType::Scalar {
    703. 

  703.                         val: Some(psval), ..
    704. 

  704.                     },
    705. 

  705.                     PedersenExpr::PubScalarExpr(_),
    706. 

  706.                 ),
    707. 

  707.                 (_, PedersenExpr::LinScalar(linscalar)),
    708. 

  708.             )
    709. 

  709.             | (
    710. 

  710.                 (_, PedersenExpr::LinScalar(linscalar)),
    711. 

  711.                 (
    712. 

  712.                     AExprType::Scalar {
    713. 

  713.                         val: Some(psval), ..
    714. 

  714.                     },
    715. 

  715.                     PedersenExpr::PubScalarExpr(_),
    716. 

  716.                 ),
    717. 

  717.             ) => Ok(PedersenExpr::LinScalar(linscalar.mul_const(psval)?)),
    718. 

  718.             // Nothing else is valid
    719. 

  719.             _ => Err(Error::new(
    720. 

  720.                 proc_macro2::Span::call_site(),
    721. 

  721.                 "not a component of a Pedersen commitment",
    722. 

  722.             )),
    723. 

  723.         }
    724. 

  724.     }
    725. 

  725. 

  726.     /// Called when multiplying a `Scalar` and a `Point` (the `Scalar`
    727. 

  727.     /// will always be passed as the first argument)
    728. 

  728.     fn mul_scalar_point(
    729. 

  729.         &mut self,
    730. 

  730.         sarg: (AExprType, PedersenExpr),
    731. 

  731.         parg: (AExprType, PedersenExpr),
    732. 

  732.         _restype: AExprType,
    733. 

  733.     ) -> Result<PedersenExpr> {
    734. 

  734.         match (sarg.0, sarg.1, parg.1) {
    735. 

  735.             // Multiplying a PubScalarExpr by a CIndPoint yields a
    736. 

  736.             // CIndPoint
    737. 

  737.             (
    738. 

  738.                 AExprType::Scalar { val, .. },
    739. 

  739.                 PedersenExpr::PubScalarExpr(pub_expr),
    740. 

  740.                 PedersenExpr::CIndPoint(cind),
    741. 

  741.             ) => Ok(PedersenExpr::CIndPoint(
    742. 

  742.                 cind.mul_pub_scalar_expr(pub_expr, val)?,
    743. 

  743.             )),
    744. 

  744.             // Multiplying a LinScalar by a CIndPoint yields a Term
    745. 

  745.             // if the coefficient in the CIndPoint is a constant
    746. 

  746.             (
    747. 

  747.                 _,
    748. 

  748.                 PedersenExpr::LinScalar(linscalar),
    749. 

  749.                 PedersenExpr::CIndPoint(CIndPoint {
    750. 

  750.                     coeff_val: Some(cval),
    751. 

  751.                     id,
    752. 

  752.                     ..
    753. 

  753.                 }),
    754. 

  754.             ) => Ok(PedersenExpr::Term(Term {
    755. 

  755.                 coeff: linscalar.mul_const(cval)?,
    756. 

  756.                 id,
    757. 

  757.             })),
    758. 

  758.             // Multiplying a PubScalarExpr by a Term yields a Term if
    759. 

  759.             // the PubScalarExpr is a constant
    760. 

  760.             (
    761. 

  761.                 AExprType::Scalar {
    762. 

  762.                     val: Some(const_val),
    763. 

  763.                     ..
    764. 

  764.                 },
    765. 

  765.                 PedersenExpr::PubScalarExpr(_),
    766. 

  766.                 PedersenExpr::Term(term),
    767. 

  767.             ) => Ok(PedersenExpr::Term(term.mul_const(const_val)?)),
    768. 

  768.             // Multiplying a PubScalarExpr by a Pedersen yields a
    769. 

  769.             // Pedersen if the PubScalarExpr is a constant
    770. 

  770.             (
    771. 

  771.                 AExprType::Scalar {
    772. 

  772.                     val: Some(const_val),
    773. 

  773.                     ..
    774. 

  774.                 },
    775. 

  775.                 PedersenExpr::PubScalarExpr(_),
    776. 

  776.                 PedersenExpr::Pedersen(pedersen),
    777. 

  777.             ) => Ok(PedersenExpr::Pedersen(pedersen.mul_const(const_val)?)),
    778. 

  778.             // Nothing else is valid
    779. 

  779.             _ => Err(Error::new(
    780. 

  780.                 proc_macro2::Span::call_site(),
    781. 

  781.                 "not a component of a Pedersen commitment",
    782. 

  782.             )),
    783. 

  783.         }
    784. 

  784.     }
    785. 

  785. }
    786. 

  786. 

  787. /// Parse the right-hand side of the = in an [`Expr`] to see if we
    788. 

  788. /// recognize it as a Pedersen commitment
    789. 

  789. pub fn recognize_pedersen(
    790. 

  790.     vars: &TaggedVarDict,
    791. 

  791.     randoms: &HashSet<String>,
    792. 

  792.     vardict: &VarDict,
    793. 

  793.     expr: &Expr,
    794. 

  794. ) -> Option<Pedersen> {
    795. 

  795.     let mut fold = RecognizeFold { vars, randoms };
    796. 

  796.     let Ok((aetype, PedersenExpr::Pedersen(pedersen))) = fold.fold(vardict, expr) else {
    797. 

  797.         return None;
    798. 

  798.     };
    799. 

  799.     // It's not allowed for the overall expression to be a vector type,
    800. 

  800.     // but the randomizer variable be a non-vector
    801. 

  801.     if let Some(TaggedIdent::Scalar(TaggedScalar { is_vec: false, .. })) =
    802. 

  802.         vars.get(&pedersen.rand_term.id.to_string())
    803. 

  803.     {
    804. 

  804.         if matches!(aetype, AExprType::Point { is_vec: true, .. }) {
    805. 

  805.             return None;
    806. 

  806.         }
    807. 

  807.     }
    808. 

  808.     // It's not allowed for either the committed variable or the random
    809. 

  809.     // variable to have a 0 coefficient
    810. 

  810.     if pedersen.var_term.coeff.coeff == 0 || pedersen.rand_term.coeff.coeff == 0 {
    811. 

  811.         return None;
    812. 

  812.     }
    813. 

  813.     Some(pedersen)
    814. 

  814. }
    815. 

  815. 

  816. /// Parse an [`Expr`] to see if we recognize it as a [`LinScalar`]
    817. 

  817. pub fn recognize_linscalar(
    818. 

  818.     vars: &TaggedVarDict,
    819. 

  819.     vardict: &VarDict,
    820. 

  820.     expr: &Expr,
    821. 

  821. ) -> Option<LinScalar> {
    822. 

  822.     let mut fold = RecognizeFold {
    823. 

  823.         vars,
    824. 

  824.         randoms: &HashSet::new(),
    825. 

  825.     };
    826. 

  826.     let Ok((_, PedersenExpr::LinScalar(linscalar))) = fold.fold(vardict, expr) else {
    827. 

  827.         return None;
    828. 

  828.     };
    829. 

  829.     // A 0 coefficient is not allowed
    830. 

  830.     if linscalar.coeff == 0 {
    831. 

  831.         return None;
    832. 

  832.     }
    833. 

  833.     Some(linscalar)
    834. 

  834. }
    835. 

  835. 

  836. /// Parse an [`Expr`] to see if we recognize it as an expression that
    837. 

  837. /// evaluates to a public `Scalar`.
    838. 

  838. ///
    839. 

  839. /// The returned [`bool`] is true if the expression evaluates to a
    840. 

  840. /// vector.  The [`i128`] is the value of the expression if it is a
    841. 

  841. /// constant.
    842. 

  842. pub fn recognize_pubscalar(
    843. 

  843.     vars: &TaggedVarDict,
    844. 

  844.     vardict: &VarDict,
    845. 

  845.     expr: &Expr,
    846. 

  846. ) -> Option<(bool, Option<i128>)> {
    847. 

  847.     let mut fold = RecognizeFold {
    848. 

  848.         vars,
    849. 

  849.         randoms: &HashSet::new(),
    850. 

  850.     };
    851. 

  851.     let Ok((AExprType::Scalar { is_vec, val, .. }, PedersenExpr::PubScalarExpr(_))) =
    852. 

  852.         fold.fold(vardict, expr)
    853. 

  853.     else {
    854. 

  854.         return None;
    855. 

  855.     };
    856. 

  856.     Some((is_vec, val))
    857. 

  857. }
    858. 

  858. 

  859. /// A representation of an assignment [`Expr`] assigning a [Pedersen
    860. 

  860. /// expression](Pedersen) to a public `Point`.
    861. 

  861. #[derive(Clone, Debug, PartialEq, Eq)]
    862. 

  862. pub struct PedersenAssignment {
    863. 

  863.     /// The public `Point` being assigned to
    864. 

  864.     pub id: Ident,
    865. 

  865.     /// The Pedersen expression being assigned
    866. 

  866.     pub pedersen: Pedersen,
    867. 

  867. }
    868. 

  868. 

  869. impl PedersenAssignment {
    870. 

  870.     /// Get the `Ident` for the committed private `Scalar` in a
    871. 

  871.     /// [`PedersenAssignment`]
    872. 

  872.     pub fn var(&self) -> Ident {
    873. 

  873.         self.pedersen.var()
    874. 

  874.     }
    875. 

  875. }
    876. 

  876. 

  877. /// Parse an [`Expr`] to see if we recognize it as an assignment
    878. 

  878. /// statement assigning a [Pedersen expression](Pedersen) to an
    879. 

  879. /// [`struct@Ident`] for a public `Point`.
    880. 

  880. pub fn recognize_pedersen_assignment(
    881. 

  881.     vars: &TaggedVarDict,
    882. 

  882.     randoms: &HashSet<String>,
    883. 

  883.     vardict: &VarDict,
    884. 

  884.     expr: &Expr,
    885. 

  885. ) -> Option<PedersenAssignment> {
    886. 

  886.     let Expr::Assign(syn::ExprAssign { left, right, .. }) = expr else {
    887. 

  887.         return None;
    888. 

  888.     };
    889. 

  889.     let Expr::Path(syn::ExprPath { path, .. }) = left.as_ref() else {
    890. 

  890.         return None;
    891. 

  891.     };
    892. 

  892.     let id = path.get_ident()?;
    893. 

  893.     let pedersen = recognize_pedersen(vars, randoms, vardict, right)?;
    894. 

  894.     Some(PedersenAssignment {
    895. 

  895.         id: id.clone(),
    896. 

  896.         pedersen,
    897. 

  897.     })
    898. 

  898. }
    899. 

  899. 

  900. /// Output code to convert a commitment given by a
    901. 

  901. /// [`PedersenAssignment`] into one for a different [`LinScalar`] of the
    902. 

  902. /// same variable.
    903. 

  903. pub fn convert_commitment(
    904. 

  904.     output_commitment: &Ident,
    905. 

  905.     ped_assign: &PedersenAssignment,
    906. 

  906.     new_linscalar: &LinScalar,
    907. 

  907.     vardict: &VarDict,
    908. 

  908. ) -> Result<TokenStream> {
    909. 

  909.     let orig_commitment = &ped_assign.id;
    910. 

  910.     let mut is_vec = matches!(
    911. 

  911.         vardict.get(&orig_commitment.to_string()),
    912. 

  912.         Some(AExprType::Point { is_vec: true, .. })
    913. 

  913.     );
    914. 

  914.     let mut needs_clone = is_vec;
    915. 

  915.     let ped_assign_linscalar = &ped_assign.pedersen.var_term.coeff;
    916. 

  916.     let generator = &ped_assign.pedersen.var_term.id;
    917. 

  917.     let generator_is_vec = matches!(
    918. 

  918.         vardict.get(&generator.to_string()),
    919. 

  919.         Some(AExprType::Point { is_vec: true, .. })
    920. 

  920.     );
    921. 

  921.     let mut generated_code = quote! { #orig_commitment };
    922. 

  922.     // Subtract the pub_scalar_expr in ped_assign_linscalar (if present)
    923. 

  923.     // times the generator
    924. 

  924.     if let Some(ref pse) = ped_assign_linscalar.pub_scalar_expr {
    925. 

  925.         let (ppse_type, ppse_tokens) = expr_type_tokens(vardict, &paren_if_needed(pse.clone()))?;
    926. 

  926.         let ppse_is_vec = matches!(ppse_type, AExprType::Scalar { is_vec: true, .. });
    927. 

  927.         generated_code = tokens_sub_maybe_vec(
    928. 

  928.             generated_code,
    929. 

  929.             is_vec,
    930. 

  930.             tokens_mul_maybe_vec(
    931. 

  931.                 ppse_tokens,
    932. 

  932.                 ppse_is_vec,
    933. 

  933.                 quote! { #generator },
    934. 

  934.                 generator_is_vec,
    935. 

  935.             ),
    936. 

  936.             ppse_is_vec | generator_is_vec,
    937. 

  937.         );
    938. 

  938.         is_vec |= ppse_is_vec | generator_is_vec;
    939. 

  939.         needs_clone = false;
    940. 

  940.     }
    941. 

  941.     // Divide by the coeff in ped_assign_linscalar, if present (noting
    942. 

  942.     // it also cannot be 0, so will have an inverse)
    943. 

  943.     if ped_assign_linscalar.coeff != 1 {
    944. 

  944.         let coeff_tokens = const_i128_tokens(ped_assign_linscalar.coeff);
    945. 

  945.         generated_code = tokens_mul_maybe_vec(
    946. 

  946.             quote! { <Scalar as Field>::invert(&#coeff_tokens).unwrap() },
    947. 

  947.             false,
    948. 

  948.             generated_code,
    949. 

  949.             is_vec,
    950. 

  950.         );
    951. 

  951.         needs_clone = false;
    952. 

  952.     }
    953. 

  953.     // Now multiply by the coeff in new_linscalar, if present
    954. 

  954.     if new_linscalar.coeff != 1 {
    955. 

  955.         let coeff_tokens = const_i128_tokens(new_linscalar.coeff);
    956. 

  956.         generated_code = tokens_mul_maybe_vec(coeff_tokens, false, generated_code, is_vec);
    957. 

  957.         needs_clone = false;
    958. 

  958.     }
    959. 

  959.     // And add the pub_scalar_expr in new_linscalar (if present) times
    960. 

  960.     // the generator
    961. 

  961.     if let Some(ref pse) = new_linscalar.pub_scalar_expr {
    962. 

  962.         let (ppse_type, ppse_tokens) = expr_type_tokens(vardict, &paren_if_needed(pse.clone()))?;
    963. 

  963.         let ppse_is_vec = matches!(ppse_type, AExprType::Scalar { is_vec: true, .. });
    964. 

  964.         generated_code = tokens_add_maybe_vec(
    965. 

  965.             generated_code,
    966. 

  966.             is_vec,
    967. 

  967.             tokens_mul_maybe_vec(
    968. 

  968.                 ppse_tokens,
    969. 

  969.                 ppse_is_vec,
    970. 

  970.                 quote! { #generator },
    971. 

  971.                 generator_is_vec,
    972. 

  972.             ),
    973. 

  973.             ppse_is_vec | generator_is_vec,
    974. 

  974.         );
    975. 

  975.         needs_clone = false;
    976. 

  976.     }
    977. 

  977.     if needs_clone {
    978. 

  978.         generated_code = quote! { #generated_code.clone() };
    979. 

  979.     }
    980. 

  980. 

  981.     Ok(quote! { let #output_commitment = #generated_code; })
    982. 

  982. }
    983. 

  983. 

  984. /// Output code to convert the randomness given by a
    985. 

  985. /// [`PedersenAssignment`] into that resulting from the conversion in
    986. 

  986. /// [`convert_commitment`].
    987. 

  987. pub fn convert_randomness(
    988. 

  988.     output_randomness: &Ident,
    989. 

  989.     ped_assign: &PedersenAssignment,
    990. 

  990.     new_linscalar: &LinScalar,
    991. 

  991.     vardict: &VarDict,
    992. 

  992. ) -> Result<TokenStream> {
    993. 

  993.     let ped_assign_linscalar = &ped_assign.pedersen.var_term.coeff;
    994. 

  994.     // Start with the LinScalar in ped_assign.pedersen.rand_term
    995. 

  995.     let (coeff_type, mut generated_code) = expr_type_tokens(
    996. 

  996.         vardict,
    997. 

  997.         &paren_if_needed(ped_assign.pedersen.rand_term.coeff.to_expr()),
    998. 

  998.     )?;
    999. 

  999.     let is_vec = matches!(coeff_type, AExprType::Scalar { is_vec: true, .. });
    1000. 

  1000.     let mut needs_clone = is_vec;
    1001. 

  1001.     // Divide by the coeff in ped_assign_linscalar, if present (noting
    1002. 

  1002.     // it also cannot be 0, so will have an inverse)
    1003. 

  1003.     if ped_assign_linscalar.coeff != 1 {
    1004. 

  1004.         let coeff_tokens = const_i128_tokens(ped_assign_linscalar.coeff);
    1005. 

  1005.         generated_code = tokens_mul_maybe_vec(
    1006. 

  1006.             quote! { <Scalar as Field>::invert(&#coeff_tokens).unwrap() },
    1007. 

  1007.             false,
    1008. 

  1008.             generated_code,
    1009. 

  1009.             is_vec,
    1010. 

  1010.         );
    1011. 

  1011.         needs_clone = false;
    1012. 

  1012.     }
    1013. 

  1013.     // Now multiply by the coeff in new_linscalar, if present
    1014. 

  1014.     if new_linscalar.coeff != 1 {
    1015. 

  1015.         let coeff_tokens = const_i128_tokens(new_linscalar.coeff);
    1016. 

  1016.         generated_code = tokens_mul_maybe_vec(coeff_tokens, false, generated_code, is_vec);
    1017. 

  1017.         needs_clone = false;
    1018. 

  1018.     }
    1019. 

  1019.     if needs_clone {
    1020. 

  1020.         generated_code = quote! { #generated_code.clone() };
    1021. 

  1021.     }
    1022. 

  1022. 

  1023.     Ok(quote! { let #output_randomness = #generated_code; })
    1024. 

  1024. }
    1025. 

  1025. 

  1026. #[cfg(test)]
    1027. 

  1027. mod test {
    1028. 

  1028.     use super::*;
    1029. 

  1029.     use quote::format_ident;
    1030. 

  1030.     use syn::{parse_quote, Expr};
    1031. 

  1031. 

  1032.     fn unique_random_scalars_tester(vars: (&[&str], &[&str]), e: Expr, expected: &[&str]) {
    1033. 

  1033.         let taggedvardict = taggedvardict_from_strs(vars);
    1034. 

  1034.         let st = StatementTree::parse(&e).unwrap();
    1035. 

  1035.         let expected_out = expected.iter().map(|s| s.to_string()).collect();
    1036. 

  1036.         let output = unique_random_scalars(&taggedvardict, &st);
    1037. 

  1037.         assert_eq!(output, expected_out);
    1038. 

  1038.     }
    1039. 

  1039. 

  1040.     #[test]
    1041. 

  1041.     fn unique_random_scalars_test() {
    1042. 

  1042.         let vars = (
    1043. 

  1043.             ["x", "y", "z", "rand r", "rand s", "rand t"].as_slice(),
    1044. 

  1044.             ["C", "cind A", "cind B"].as_slice(),
    1045. 

  1045.         );
    1046. 

  1046. 

  1047.         unique_random_scalars_tester(
    1048. 

  1048.             vars,
    1049. 

  1049.             parse_quote! {
    1050. 

  1050.                 C = x*A + r*B
    1051. 

  1051.             },
    1052. 

  1052.             ["r"].as_slice(),
    1053. 

  1053.         );
    1054. 

  1054. 

  1055.         unique_random_scalars_tester(
    1056. 

  1056.             vars,
    1057. 

  1057.             parse_quote! {
    1058. 

  1058.                 AND (
    1059. 

  1059.                     C = x*A + r*B,
    1060. 

  1060.                     D = y*A + s*B,
    1061. 

  1061.                 )
    1062. 

  1062.             },
    1063. 

  1063.             ["r", "s"].as_slice(),
    1064. 

  1064.         );
    1065. 

  1065. 

  1066.         unique_random_scalars_tester(
    1067. 

  1067.             vars,
    1068. 

  1068.             parse_quote! {
    1069. 

  1069.                 AND (
    1070. 

  1070.                     C = x*A + r*B,
    1071. 

  1071.                     OR (
    1072. 

  1072.                         D = y*A + s*B,
    1073. 

  1073.                         E = y*A + t*B,
    1074. 

  1074.                     ),
    1075. 

  1075.                     E = z*A + r*B,
    1076. 

  1076.                 )
    1077. 

  1077.             },
    1078. 

  1078.             ["s", "t"].as_slice(),
    1079. 

  1079.         );
    1080. 

  1080.     }
    1081. 

  1081. 

  1082.     fn fold_tester(
    1083. 

  1083.         vars: (&[&str], &[&str]),
    1084. 

  1084.         randoms: &[&str],
    1085. 

  1085.         e: Expr,
    1086. 

  1086.         expected_out: Option<PedersenExpr>,
    1087. 

  1087.     ) {
    1088. 

  1088.         let taggedvardict = taggedvardict_from_strs(vars);
    1089. 

  1089.         let vardict = taggedvardict_to_vardict(&taggedvardict);
    1090. 

  1090.         let mut randoms_hash = HashSet::new();
    1091. 

  1091.         for r in randoms {
    1092. 

  1092.             randoms_hash.insert(r.to_string());
    1093. 

  1093.         }
    1094. 

  1094.         let mut fold = RecognizeFold {
    1095. 

  1095.             vars: &taggedvardict,
    1096. 

  1096.             randoms: &randoms_hash,
    1097. 

  1097.         };
    1098. 

  1098.         let output = if let Ok((_, pe)) = fold.fold(&vardict, &e) {
    1099. 

  1099.             Some(pe)
    1100. 

  1100.         } else {
    1101. 

  1101.             None
    1102. 

  1102.         };
    1103. 

  1103.         assert_eq!(output, expected_out);
    1104. 

  1104.     }
    1105. 

  1105. 

  1106.     #[test]
    1107. 

  1107.     fn fold_test() {
    1108. 

  1108.         let vars = (
    1109. 

  1109.             [
    1110. 

  1110.                 "x", "y", "z", "pub a", "pub b", "pub c", "rand r", "rand s", "rand t",
    1111. 

  1111.             ]
    1112. 

  1112.             .as_slice(),
    1113. 

  1113.             ["C", "cind A", "cind B"].as_slice(),
    1114. 

  1114.         );
    1115. 

  1115.         let randoms = ["r", "s", "t"].as_slice();
    1116. 

  1116. 

  1117.         fold_tester(
    1118. 

  1118.             vars,
    1119. 

  1119.             randoms,
    1120. 

  1120.             parse_quote! {
    1121. 

  1121.                 1
    1122. 

  1122.             },
    1123. 

  1123.             Some(PedersenExpr::PubScalarExpr(parse_quote! { 1i128 })),
    1124. 

  1124.         );
    1125. 

  1125. 

  1126.         fold_tester(
    1127. 

  1127.             vars,
    1128. 

  1128.             randoms,
    1129. 

  1129.             parse_quote! {
    1130. 

  1130.                 1 + 2
    1131. 

  1131.             },
    1132. 

  1132.             Some(PedersenExpr::PubScalarExpr(parse_quote! { 3i128 })),
    1133. 

  1133.         );
    1134. 

  1134. 

  1135.         fold_tester(
    1136. 

  1136.             vars,
    1137. 

  1137.             randoms,
    1138. 

  1138.             parse_quote! {
    1139. 

  1139.                 1 - 2
    1140. 

  1140.             },
    1141. 

  1141.             Some(PedersenExpr::PubScalarExpr(parse_quote! { -1i128 })),
    1142. 

  1142.         );
    1143. 

  1143. 

  1144.         fold_tester(
    1145. 

  1145.             vars,
    1146. 

  1146.             randoms,
    1147. 

  1147.             parse_quote! {
    1148. 

  1148.                 a
    1149. 

  1149.             },
    1150. 

  1150.             Some(PedersenExpr::PubScalarExpr(parse_quote! { a })),
    1151. 

  1151.         );
    1152. 

  1152. 

  1153.         fold_tester(
    1154. 

  1154.             vars,
    1155. 

  1155.             randoms,
    1156. 

  1156.             parse_quote! {
    1157. 

  1157.                 a + 1
    1158. 

  1158.             },
    1159. 

  1159.             Some(PedersenExpr::PubScalarExpr(parse_quote! { a + 1i128 })),
    1160. 

  1160.         );
    1161. 

  1161. 

  1162.         fold_tester(
    1163. 

  1163.             vars,
    1164. 

  1164.             randoms,
    1165. 

  1165.             parse_quote! {
    1166. 

  1166.                 a + b + 1
    1167. 

  1167.             },
    1168. 

  1168.             Some(PedersenExpr::PubScalarExpr(parse_quote! { a + b + 1i128 })),
    1169. 

  1169.         );
    1170. 

  1170. 

  1171.         fold_tester(
    1172. 

  1172.             vars,
    1173. 

  1173.             randoms,
    1174. 

  1174.             parse_quote! {
    1175. 

  1175.                 a + 2*b + 1
    1176. 

  1176.             },
    1177. 

  1177.             Some(PedersenExpr::PubScalarExpr(
    1178. 

  1178.                 parse_quote! { a + 2i128 * b + 1i128 },
    1179. 

  1179.             )),
    1180. 

  1180.         );
    1181. 

  1181. 

  1182.         fold_tester(
    1183. 

  1183.             vars,
    1184. 

  1184.             randoms,
    1185. 

  1185.             parse_quote! {
    1186. 

  1186.                 a - 2*b + 1
    1187. 

  1187.             },
    1188. 

  1188.             Some(PedersenExpr::PubScalarExpr(
    1189. 

  1189.                 parse_quote! { a - 2i128 * b + 1i128 },
    1190. 

  1190.             )),
    1191. 

  1191.         );
    1192. 

  1192. 

  1193.         fold_tester(
    1194. 

  1194.             vars,
    1195. 

  1195.             randoms,
    1196. 

  1196.             parse_quote! {
    1197. 

  1197.                 a - (2*b + 1)
    1198. 

  1198.             },
    1199. 

  1199.             Some(PedersenExpr::PubScalarExpr(
    1200. 

  1200.                 parse_quote! { a - (2i128 * b + 1i128) },
    1201. 

  1201.             )),
    1202. 

  1202.         );
    1203. 

  1203. 

  1204.         fold_tester(
    1205. 

  1205.             vars,
    1206. 

  1206.             randoms,
    1207. 

  1207.             parse_quote! {
    1208. 

  1208.                 x
    1209. 

  1209.             },
    1210. 

  1210.             Some(PedersenExpr::LinScalar(LinScalar {
    1211. 

  1211.                 coeff: 1,
    1212. 

  1212.                 pub_scalar_expr: None,
    1213. 

  1213.                 id: parse_quote! {x},
    1214. 

  1214.                 is_vec: false,
    1215. 

  1215.             })),
    1216. 

  1216.         );
    1217. 

  1217. 

  1218.         fold_tester(
    1219. 

  1219.             vars,
    1220. 

  1220.             randoms,
    1221. 

  1221.             parse_quote! {
    1222. 

  1222.                 x + 2
    1223. 

  1223.             },
    1224. 

  1224.             Some(PedersenExpr::LinScalar(LinScalar {
    1225. 

  1225.                 coeff: 1,
    1226. 

  1226.                 pub_scalar_expr: Some(parse_quote! { 2i128 }),
    1227. 

  1227.                 id: parse_quote! {x},
    1228. 

  1228.                 is_vec: false,
    1229. 

  1229.             })),
    1230. 

  1230.         );
    1231. 

  1231. 

  1232.         fold_tester(
    1233. 

  1233.             vars,
    1234. 

  1234.             randoms,
    1235. 

  1235.             parse_quote! {
    1236. 

  1236.                 3*x + 2
    1237. 

  1237.             },
    1238. 

  1238.             Some(PedersenExpr::LinScalar(LinScalar {
    1239. 

  1239.                 coeff: 3,
    1240. 

  1240.                 pub_scalar_expr: Some(parse_quote! { 2i128 }),
    1241. 

  1241.                 id: parse_quote! {x},
    1242. 

  1242.                 is_vec: false,
    1243. 

  1243.             })),
    1244. 

  1244.         );
    1245. 

  1245. 

  1246.         fold_tester(
    1247. 

  1247.             vars,
    1248. 

  1248.             randoms,
    1249. 

  1249.             parse_quote! {
    1250. 

  1250.                 3*(x + 2)
    1251. 

  1251.             },
    1252. 

  1252.             Some(PedersenExpr::LinScalar(LinScalar {
    1253. 

  1253.                 coeff: 3,
    1254. 

  1254.                 pub_scalar_expr: Some(parse_quote! { 2i128 * 3i128 }),
    1255. 

  1255.                 id: parse_quote! {x},
    1256. 

  1256.                 is_vec: false,
    1257. 

  1257.             })),
    1258. 

  1258.         );
    1259. 

  1259. 

  1260.         fold_tester(
    1261. 

  1261.             vars,
    1262. 

  1262.             randoms,
    1263. 

  1263.             parse_quote! {
    1264. 

  1264.                 3*(x - 2)
    1265. 

  1265.             },
    1266. 

  1266.             Some(PedersenExpr::LinScalar(LinScalar {
    1267. 

  1267.                 coeff: 3,
    1268. 

  1268.                 pub_scalar_expr: Some(parse_quote! { (-2i128) * 3i128 }),
    1269. 

  1269.                 id: parse_quote! {x},
    1270. 

  1270.                 is_vec: false,
    1271. 

  1271.             })),
    1272. 

  1272.         );
    1273. 

  1273. 

  1274.         fold_tester(
    1275. 

  1275.             vars,
    1276. 

  1276.             randoms,
    1277. 

  1277.             parse_quote! {
    1278. 

  1278.                 3*(x + a)
    1279. 

  1279.             },
    1280. 

  1280.             Some(PedersenExpr::LinScalar(LinScalar {
    1281. 

  1281.                 coeff: 3,
    1282. 

  1282.                 pub_scalar_expr: Some(parse_quote! { a * 3i128 }),
    1283. 

  1283.                 id: parse_quote! {x},
    1284. 

  1284.                 is_vec: false,
    1285. 

  1285.             })),
    1286. 

  1286.         );
    1287. 

  1287. 

  1288.         // Adding two private Scalars
    1289. 

  1289.         fold_tester(
    1290. 

  1290.             vars,
    1291. 

  1291.             randoms,
    1292. 

  1292.             parse_quote! {
    1293. 

  1293.                 3*(x + y)
    1294. 

  1294.             },
    1295. 

  1295.             None,
    1296. 

  1296.         );
    1297. 

  1297. 

  1298.         fold_tester(
    1299. 

  1299.             vars,
    1300. 

  1300.             randoms,
    1301. 

  1301.             parse_quote! {
    1302. 

  1302.                 a * A
    1303. 

  1303.             },
    1304. 

  1304.             Some(PedersenExpr::CIndPoint(CIndPoint {
    1305. 

  1305.                 coeff: Some(parse_quote! { a }),
    1306. 

  1306.                 coeff_val: None,
    1307. 

  1307.                 id: parse_quote! {A},
    1308. 

  1308.             })),
    1309. 

  1309.         );
    1310. 

  1310. 

  1311.         fold_tester(
    1312. 

  1312.             vars,
    1313. 

  1313.             randoms,
    1314. 

  1314.             parse_quote! {
    1315. 

  1315.                 a * A * b
    1316. 

  1316.             },
    1317. 

  1317.             Some(PedersenExpr::CIndPoint(CIndPoint {
    1318. 

  1318.                 coeff: Some(parse_quote! { a * b }),
    1319. 

  1319.                 coeff_val: None,
    1320. 

  1320.                 id: parse_quote! {A},
    1321. 

  1321.             })),
    1322. 

  1322.         );
    1323. 

  1323. 

  1324.         fold_tester(
    1325. 

  1325.             vars,
    1326. 

  1326.             randoms,
    1327. 

  1327.             parse_quote! {
    1328. 

  1328.                 A * b * (c+1)
    1329. 

  1329.             },
    1330. 

  1330.             Some(PedersenExpr::CIndPoint(CIndPoint {
    1331. 

  1331.                 coeff: Some(parse_quote! { b * (c + 1i128) }),
    1332. 

  1332.                 coeff_val: None,
    1333. 

  1333.                 id: parse_quote! {A},
    1334. 

  1334.             })),
    1335. 

  1335.         );
    1336. 

  1336. 

  1337.         fold_tester(
    1338. 

  1338.             vars,
    1339. 

  1339.             randoms,
    1340. 

  1340.             parse_quote! {
    1341. 

  1341.                 3*(x + a) * A
    1342. 

  1342.             },
    1343. 

  1343.             Some(PedersenExpr::Term(Term {
    1344. 

  1344.                 coeff: LinScalar {
    1345. 

  1345.                     coeff: 3,
    1346. 

  1346.                     pub_scalar_expr: Some(parse_quote! { a * 3i128 }),
    1347. 

  1347.                     id: parse_quote! {x},
    1348. 

  1348.                     is_vec: false,
    1349. 

  1349.                 },
    1350. 

  1350.                 id: parse_quote! {A},
    1351. 

  1351.             })),
    1352. 

  1352.         );
    1353. 

  1353. 

  1354.         fold_tester(
    1355. 

  1355.             vars,
    1356. 

  1356.             randoms,
    1357. 

  1357.             parse_quote! {
    1358. 

  1358.                 3*(x + a) * A + A * b
    1359. 

  1359.             },
    1360. 

  1360.             Some(PedersenExpr::Term(Term {
    1361. 

  1361.                 coeff: LinScalar {
    1362. 

  1362.                     coeff: 3,
    1363. 

  1363.                     pub_scalar_expr: Some(parse_quote! { a * 3i128 + b }),
    1364. 

  1364.                     id: parse_quote! {x},
    1365. 

  1365.                     is_vec: false,
    1366. 

  1366.                 },
    1367. 

  1367.                 id: parse_quote! {A},
    1368. 

  1368.             })),
    1369. 

  1369.         );
    1370. 

  1370. 

  1371.         fold_tester(
    1372. 

  1372.             vars,
    1373. 

  1373.             randoms,
    1374. 

  1374.             parse_quote! {
    1375. 

  1375.                 3*(x + a) * A + A * b * (c + 1)
    1376. 

  1376.             },
    1377. 

  1377.             Some(PedersenExpr::Term(Term {
    1378. 

  1378.                 coeff: LinScalar {
    1379. 

  1379.                     coeff: 3,
    1380. 

  1380.                     pub_scalar_expr: Some(parse_quote! { a * 3i128 + (b*(c+1i128)) }),
    1381. 

  1381.                     id: parse_quote! {x},
    1382. 

  1382.                     is_vec: false,
    1383. 

  1383.                 },
    1384. 

  1384.                 id: parse_quote! {A},
    1385. 

  1385.             })),
    1386. 

  1386.         );
    1387. 

  1387. 

  1388.         fold_tester(
    1389. 

  1389.             vars,
    1390. 

  1390.             randoms,
    1391. 

  1391.             parse_quote! {
    1392. 

  1392.                 3*(x + a) * A + A * b * (c + 1) + r * B
    1393. 

  1393.             },
    1394. 

  1394.             Some(PedersenExpr::Pedersen(Pedersen {
    1395. 

  1395.                 var_term: Term {
    1396. 

  1396.                     coeff: LinScalar {
    1397. 

  1397.                         coeff: 3,
    1398. 

  1398.                         pub_scalar_expr: Some(parse_quote! { a * 3i128 + (b * (c + 1i128)) }),
    1399. 

  1399.                         id: parse_quote! {x},
    1400. 

  1400.                         is_vec: false,
    1401. 

  1401.                     },
    1402. 

  1402.                     id: parse_quote! {A},
    1403. 

  1403.                 },
    1404. 

  1404.                 rand_term: Term {
    1405. 

  1405.                     coeff: LinScalar {
    1406. 

  1406.                         coeff: 1,
    1407. 

  1407.                         pub_scalar_expr: None,
    1408. 

  1408.                         id: parse_quote! {r},
    1409. 

  1409.                         is_vec: false,
    1410. 

  1410.                     },
    1411. 

  1411.                     id: parse_quote! {B},
    1412. 

  1412.                 },
    1413. 

  1413.             })),
    1414. 

  1414.         );
    1415. 

  1415.     }
    1416. 

  1416. 

  1417.     fn recognize_tester(
    1418. 

  1418.         vars: (&[&str], &[&str]),
    1419. 

  1419.         randoms: &[&str],
    1420. 

  1420.         e: Expr,
    1421. 

  1421.         expected_out: Option<Pedersen>,
    1422. 

  1422.     ) {
    1423. 

  1423.         let taggedvardict = taggedvardict_from_strs(vars);
    1424. 

  1424.         let vardict = taggedvardict_to_vardict(&taggedvardict);
    1425. 

  1425.         let mut randoms_hash = HashSet::new();
    1426. 

  1426.         for r in randoms {
    1427. 

  1427.             randoms_hash.insert(r.to_string());
    1428. 

  1428.         }
    1429. 

  1429.         let output = recognize_pedersen(&taggedvardict, &randoms_hash, &vardict, &e);
    1430. 

  1430.         assert_eq!(output, expected_out);
    1431. 

  1431.     }
    1432. 

  1432. 

  1433.     #[test]
    1434. 

  1434.     fn recognize_pedersen_test() {
    1435. 

  1435.         let vars = (
    1436. 

  1436.             [
    1437. 

  1437.                 "x", "y", "z", "pub a", "pub b", "pub c", "rand r", "rand s", "rand t",
    1438. 

  1438.             ]
    1439. 

  1439.             .as_slice(),
    1440. 

  1440.             ["C", "cind A", "cind B"].as_slice(),
    1441. 

  1441.         );
    1442. 

  1442.         let randoms = ["r", "s", "t"].as_slice();
    1443. 

  1443. 

  1444.         recognize_tester(
    1445. 

  1445.             vars,
    1446. 

  1446.             randoms,
    1447. 

  1447.             parse_quote! {
    1448. 

  1448.                 3*(x + a) * A + A * b * (c + 1) + r * B
    1449. 

  1449.             },
    1450. 

  1450.             Some(Pedersen {
    1451. 

  1451.                 var_term: Term {
    1452. 

  1452.                     coeff: LinScalar {
    1453. 

  1453.                         coeff: 3,
    1454. 

  1454.                         pub_scalar_expr: Some(parse_quote! { a * 3i128 + (b * (c + 1i128)) }),
    1455. 

  1455.                         id: parse_quote! {x},
    1456. 

  1456.                         is_vec: false,
    1457. 

  1457.                     },
    1458. 

  1458.                     id: parse_quote! {A},
    1459. 

  1459.                 },
    1460. 

  1460.                 rand_term: Term {
    1461. 

  1461.                     coeff: LinScalar {
    1462. 

  1462.                         coeff: 1,
    1463. 

  1463.                         pub_scalar_expr: None,
    1464. 

  1464.                         id: parse_quote! {r},
    1465. 

  1465.                         is_vec: false,
    1466. 

  1466.                     },
    1467. 

  1467.                     id: parse_quote! {B},
    1468. 

  1468.                 },
    1469. 

  1469.             }),
    1470. 

  1470.         );
    1471. 

  1471. 

  1472.         recognize_tester(
    1473. 

  1473.             vars,
    1474. 

  1474.             randoms,
    1475. 

  1475.             parse_quote! {
    1476. 

  1476.                 3 * (2*x + a*b) * A + B * (3 * r - 7)
    1477. 

  1477.             },
    1478. 

  1478.             Some(Pedersen {
    1479. 

  1479.                 var_term: Term {
    1480. 

  1480.                     coeff: LinScalar {
    1481. 

  1481.                         coeff: 6,
    1482. 

  1482.                         pub_scalar_expr: Some(parse_quote! { (a * b) * 3i128 }),
    1483. 

  1483.                         id: parse_quote! {x},
    1484. 

  1484.                         is_vec: false,
    1485. 

  1485.                     },
    1486. 

  1486.                     id: parse_quote! {A},
    1487. 

  1487.                 },
    1488. 

  1488.                 rand_term: Term {
    1489. 

  1489.                     coeff: LinScalar {
    1490. 

  1490.                         coeff: 3,
    1491. 

  1491.                         pub_scalar_expr: Some(parse_quote! { -7i128 }),
    1492. 

  1492.                         id: parse_quote! {r},
    1493. 

  1493.                         is_vec: false,
    1494. 

  1494.                     },
    1495. 

  1495.                     id: parse_quote! {B},
    1496. 

  1496.                 },
    1497. 

  1497.             }),
    1498. 

  1498.         );
    1499. 

  1499. 

  1500.         recognize_tester(
    1501. 

  1501.             vars,
    1502. 

  1502.             randoms,
    1503. 

  1503.             parse_quote! {
    1504. 

  1504.                 (3 * (2*x + a*b) * A + B * (3 * r - 7))* (7-2)
    1505. 

  1505.             },
    1506. 

  1506.             Some(Pedersen {
    1507. 

  1507.                 var_term: Term {
    1508. 

  1508.                     coeff: LinScalar {
    1509. 

  1509.                         coeff: 30,
    1510. 

  1510.                         pub_scalar_expr: Some(parse_quote! { ((a * b) * 3i128) * 5i128 }),
    1511. 

  1511.                         id: parse_quote! {x},
    1512. 

  1512.                         is_vec: false,
    1513. 

  1513.                     },
    1514. 

  1514.                     id: parse_quote! {A},
    1515. 

  1515.                 },
    1516. 

  1516.                 rand_term: Term {
    1517. 

  1517.                     coeff: LinScalar {
    1518. 

  1518.                         coeff: 15,
    1519. 

  1519.                         pub_scalar_expr: Some(parse_quote! { (-7i128) * 5i128 }),
    1520. 

  1520.                         id: parse_quote! {r},
    1521. 

  1521.                         is_vec: false,
    1522. 

  1522.                     },
    1523. 

  1523.                     id: parse_quote! {B},
    1524. 

  1524.                 },
    1525. 

  1525.             }),
    1526. 

  1526.         );
    1527. 

  1527.     }
    1528. 

  1528. 

  1529.     fn recognize_linscalar_tester(
    1530. 

  1530.         vars: (&[&str], &[&str]),
    1531. 

  1531.         e: Expr,
    1532. 

  1532.         expected_out: Option<LinScalar>,
    1533. 

  1533.         expected_expr: Option<Expr>,
    1534. 

  1534.     ) {
    1535. 

  1535.         let taggedvardict = taggedvardict_from_strs(vars);
    1536. 

  1536.         let vardict = taggedvardict_to_vardict(&taggedvardict);
    1537. 

  1537.         let output = recognize_linscalar(&taggedvardict, &vardict, &e);
    1538. 

  1538.         assert_eq!(output, expected_out);
    1539. 

  1539.         if output.is_some() {
    1540. 

  1540.             assert_eq!(output.unwrap().to_expr(), expected_expr.unwrap());
    1541. 

  1541.         }
    1542. 

  1542.     }
    1543. 

  1543. 

  1544.     #[test]
    1545. 

  1545.     fn recognize_linscalar_test() {
    1546. 

  1546.         let vars = (
    1547. 

  1547.             [
    1548. 

  1548.                 "x", "y", "z", "pub a", "pub b", "pub c", "rand r", "rand s", "rand t",
    1549. 

  1549.             ]
    1550. 

  1550.             .as_slice(),
    1551. 

  1551.             ["C", "cind A", "cind B"].as_slice(),
    1552. 

  1552.         );
    1553. 

  1553. 

  1554.         recognize_linscalar_tester(
    1555. 

  1555.             vars,
    1556. 

  1556.             parse_quote! {
    1557. 

  1557.                 x
    1558. 

  1558.             },
    1559. 

  1559.             Some(LinScalar {
    1560. 

  1560.                 coeff: 1,
    1561. 

  1561.                 pub_scalar_expr: None,
    1562. 

  1562.                 id: parse_quote! {x},
    1563. 

  1563.                 is_vec: false,
    1564. 

  1564.             }),
    1565. 

  1565.             Some(parse_quote! { x }),
    1566. 

  1566.         );
    1567. 

  1567. 

  1568.         recognize_linscalar_tester(
    1569. 

  1569.             vars,
    1570. 

  1570.             parse_quote! {
    1571. 

  1571.                 x * 7 - x * 3
    1572. 

  1572.             },
    1573. 

  1573.             Some(LinScalar {
    1574. 

  1574.                 coeff: 4,
    1575. 

  1575.                 pub_scalar_expr: None,
    1576. 

  1576.                 id: parse_quote! {x},
    1577. 

  1577.                 is_vec: false,
    1578. 

  1578.             }),
    1579. 

  1579.             Some(parse_quote! { 4i128 * x }),
    1580. 

  1580.         );
    1581. 

  1581. 

  1582.         recognize_linscalar_tester(
    1583. 

  1583.             vars,
    1584. 

  1584.             parse_quote! {
    1585. 

  1585.                 x - (a + 12)
    1586. 

  1586.             },
    1587. 

  1587.             Some(LinScalar {
    1588. 

  1588.                 coeff: 1,
    1589. 

  1589.                 pub_scalar_expr: Some(parse_quote! {-(a + 12i128)}),
    1590. 

  1590.                 id: parse_quote! {x},
    1591. 

  1591.                 is_vec: false,
    1592. 

  1592.             }),
    1593. 

  1593.             Some(parse_quote! { x + (-(a + 12i128))}),
    1594. 

  1594.         );
    1595. 

  1595. 

  1596.         recognize_linscalar_tester(
    1597. 

  1597.             vars,
    1598. 

  1598.             parse_quote! {
    1599. 

  1599.                 3*(x + a + 1)
    1600. 

  1600.             },
    1601. 

  1601.             Some(LinScalar {
    1602. 

  1602.                 coeff: 3,
    1603. 

  1603.                 pub_scalar_expr: Some(parse_quote! { ( a + 1i128 ) * 3i128 }),
    1604. 

  1604.                 id: parse_quote! {x},
    1605. 

  1605.                 is_vec: false,
    1606. 

  1606.             }),
    1607. 

  1607.             Some(parse_quote! { 3i128 * x + ((a + 1i128) * 3i128) }),
    1608. 

  1608.         );
    1609. 

  1609. 

  1610.         recognize_linscalar_tester(
    1611. 

  1611.             vars,
    1612. 

  1612.             parse_quote! {
    1613. 

  1613.                 3*(x + a + 1) - x*4
    1614. 

  1614.             },
    1615. 

  1615.             Some(LinScalar {
    1616. 

  1616.                 coeff: -1,
    1617. 

  1617.                 pub_scalar_expr: Some(parse_quote! { ( a + 1i128 ) * 3i128 }),
    1618. 

  1618.                 id: parse_quote! {x},
    1619. 

  1619.                 is_vec: false,
    1620. 

  1620.             }),
    1621. 

  1621.             Some(parse_quote! { -1i128 * x + ((a + 1i128) * 3i128) }),
    1622. 

  1622.         );
    1623. 

  1623. 

  1624.         recognize_linscalar_tester(
    1625. 

  1625.             vars,
    1626. 

  1626.             parse_quote! {
    1627. 

  1627.                 3*(x + a + 1) - x*4 + x
    1628. 

  1628.             },
    1629. 

  1629.             None,
    1630. 

  1630.             None,
    1631. 

  1631.         );
    1632. 

  1632.     }
    1633. 

  1633. 

  1634.     fn recognize_pubscalar_tester(
    1635. 

  1635.         vars: (&[&str], &[&str]),
    1636. 

  1636.         e: Expr,
    1637. 

  1637.         expected_out: Option<(bool, Option<i128>)>,
    1638. 

  1638.     ) {
    1639. 

  1639.         let taggedvardict = taggedvardict_from_strs(vars);
    1640. 

  1640.         let vardict = taggedvardict_to_vardict(&taggedvardict);
    1641. 

  1641.         let output = recognize_pubscalar(&taggedvardict, &vardict, &e);
    1642. 

  1642.         assert_eq!(output, expected_out);
    1643. 

  1643.     }
    1644. 

  1644. 

  1645.     #[test]
    1646. 

  1646.     fn recognize_pubscalar_test() {
    1647. 

  1647.         let vars = (
    1648. 

  1648.             [
    1649. 

  1649.                 "x",
    1650. 

  1650.                 "y",
    1651. 

  1651.                 "z",
    1652. 

  1652.                 "pub a",
    1653. 

  1653.                 "pub vec b",
    1654. 

  1654.                 "pub c",
    1655. 

  1655.                 "rand r",
    1656. 

  1656.                 "rand s",
    1657. 

  1657.                 "rand t",
    1658. 

  1658.             ]
    1659. 

  1659.             .as_slice(),
    1660. 

  1660.             ["C", "cind A", "cind B"].as_slice(),
    1661. 

  1661.         );
    1662. 

  1662. 

  1663.         recognize_pubscalar_tester(
    1664. 

  1664.             vars,
    1665. 

  1665.             parse_quote! {
    1666. 

  1666.                 3*(x + a + 1)
    1667. 

  1667.             },
    1668. 

  1668.             None,
    1669. 

  1669.         );
    1670. 

  1670. 

  1671.         recognize_pubscalar_tester(
    1672. 

  1672.             vars,
    1673. 

  1673.             parse_quote! {
    1674. 

  1674.                 3
    1675. 

  1675.             },
    1676. 

  1676.             Some((false, Some(3))),
    1677. 

  1677.         );
    1678. 

  1678. 

  1679.         recognize_pubscalar_tester(
    1680. 

  1680.             vars,
    1681. 

  1681.             parse_quote! {
    1682. 

  1682.                 a
    1683. 

  1683.             },
    1684. 

  1684.             Some((false, None)),
    1685. 

  1685.         );
    1686. 

  1686. 

  1687.         recognize_pubscalar_tester(
    1688. 

  1688.             vars,
    1689. 

  1689.             parse_quote! {
    1690. 

  1690.                 3*(a + 1)
    1691. 

  1691.             },
    1692. 

  1692.             Some((false, None)),
    1693. 

  1693.         );
    1694. 

  1694. 

  1695.         recognize_pubscalar_tester(
    1696. 

  1696.             vars,
    1697. 

  1697.             parse_quote! {
    1698. 

  1698.                 3*(a + b)
    1699. 

  1699.             },
    1700. 

  1700.             Some((true, None)),
    1701. 

  1701.         );
    1702. 

  1702.     }
    1703. 

  1703. 

  1704.     fn convert_commitment_randomness_tester(
    1705. 

  1705.         vars: (&[&str], &[&str]),
    1706. 

  1706.         randoms: &[&str],
    1707. 

  1707.         ped_assign_expr: Expr,
    1708. 

  1708.         lin_scalar_expr: Expr,
    1709. 

  1709.         expect_commitment: TokenStream,
    1710. 

  1710.         expect_randomness: TokenStream,
    1711. 

  1711.     ) {
    1712. 

  1712.         let taggedvardict = taggedvardict_from_strs(vars);
    1713. 

  1713.         let vardict = taggedvardict_to_vardict(&taggedvardict);
    1714. 

  1714.         let mut randoms_hash = HashSet::new();
    1715. 

  1715.         for r in randoms {
    1716. 

  1716.             randoms_hash.insert(r.to_string());
    1717. 

  1717.         }
    1718. 

  1718.         let output_commitment = format_ident! { "out" };
    1719. 

  1719.         let output_randomness = format_ident! { "out_rand" };
    1720. 

  1720.         let ped_assign = recognize_pedersen_assignment(
    1721. 

  1721.             &taggedvardict,
    1722. 

  1722.             &randoms_hash,
    1723. 

  1723.             &vardict,
    1724. 

  1724.             &ped_assign_expr,
    1725. 

  1725.         )
    1726. 

  1726.         .unwrap();
    1727. 

  1727.         let lin_scalar = recognize_linscalar(&taggedvardict, &vardict, &lin_scalar_expr).unwrap();
    1728. 

  1728.         assert_eq!(
    1729. 

  1729.             convert_commitment(&output_commitment, &ped_assign, &lin_scalar, &vardict)
    1730. 

  1730.                 .unwrap()
    1731. 

  1731.                 .to_string(),
    1732. 

  1732.             expect_commitment.to_string()
    1733. 

  1733.         );
    1734. 

  1734.         assert_eq!(
    1735. 

  1735.             convert_randomness(&output_randomness, &ped_assign, &lin_scalar, &vardict)
    1736. 

  1736.                 .unwrap()
    1737. 

  1737.                 .to_string(),
    1738. 

  1738.             expect_randomness.to_string()
    1739. 

  1739.         );
    1740. 

  1740.     }
    1741. 

  1741. 

  1742.     #[test]
    1743. 

  1743.     fn convert_commitment_randomness_test() {
    1744. 

  1744.         let vars = (
    1745. 

  1745.             [
    1746. 

  1746.                 "x", "y", "z", "pub a", "pub b", "pub c", "rand r", "rand s", "rand t",
    1747. 

  1747.             ]
    1748. 

  1748.             .as_slice(),
    1749. 

  1749.             ["C", "cind A", "cind B"].as_slice(),
    1750. 

  1750.         );
    1751. 

  1751.         let randoms = ["r", "s", "t"].as_slice();
    1752. 

  1752. 

  1753.         convert_commitment_randomness_tester(
    1754. 

  1754.             vars,
    1755. 

  1755.             randoms,
    1756. 

  1756.             parse_quote! { C = x*A + r*B },
    1757. 

  1757.             parse_quote! { x },
    1758. 

  1758.             quote! { let out = C; },
    1759. 

  1759.             quote! { let out_rand = r; },
    1760. 

  1760.         );
    1761. 

  1761. 

  1762.         convert_commitment_randomness_tester(
    1763. 

  1763.             vars,
    1764. 

  1764.             randoms,
    1765. 

  1765.             parse_quote! { C = x*A + r*B },
    1766. 

  1766.             parse_quote! { 2 * x },
    1767. 

  1767.             quote! { let out = Scalar::from_u128(2u128) * C; },
    1768. 

  1768.             quote! { let out_rand = Scalar::from_u128(2u128) * r; },
    1769. 

  1769.         );
    1770. 

  1770. 

  1771.         convert_commitment_randomness_tester(
    1772. 

  1772.             vars,
    1773. 

  1773.             randoms,
    1774. 

  1774.             parse_quote! { C = x*A + r*B },
    1775. 

  1775.             parse_quote! { 2 * x + 12 },
    1776. 

  1776.             quote! { let out = (Scalar::from_u128(2u128) * C) +
    1777. 

  1777.             (Scalar::from_u128(12u128) * A); },
    1778. 

  1778.             quote! { let out_rand = Scalar::from_u128(2u128) * r; },
    1779. 

  1779.         );
    1780. 

  1780. 

  1781.         convert_commitment_randomness_tester(
    1782. 

  1782.             vars,
    1783. 

  1783.             randoms,
    1784. 

  1784.             parse_quote! { C = x*A + r*B },
    1785. 

  1785.             parse_quote! { 2 * x + 12 + a },
    1786. 

  1786.             quote! { let out = (Scalar::from_u128(2u128) * C) +
    1787. 

  1787.             ((Scalar::from_u128(12u128) + a) * A); },
    1788. 

  1788.             quote! { let out_rand = Scalar::from_u128(2u128) * r; },
    1789. 

  1789.         );
    1790. 

  1790. 

  1791.         convert_commitment_randomness_tester(
    1792. 

  1792.             vars,
    1793. 

  1793.             randoms,
    1794. 

  1794.             parse_quote! { C = 3*x*A + r*B },
    1795. 

  1795.             parse_quote! { 2 * x + 12 + a },
    1796. 

  1796.             quote! { let out = (Scalar::from_u128(2u128) *
    1797. 

  1797.             (<Scalar as Field>::invert(&Scalar::from_u128(3u128)).unwrap() * C)) +
    1798. 

  1798.             ((Scalar::from_u128(12u128) + a) * A); },
    1799. 

  1799.             quote! { let out_rand = Scalar::from_u128(2u128) *
    1800. 

  1800.             (<Scalar as Field>::invert(&Scalar::from_u128(3u128)).unwrap() * r); },
    1801. 

  1801.         );
    1802. 

  1802. 

  1803.         convert_commitment_randomness_tester(
    1804. 

  1804.             vars,
    1805. 

  1805.             randoms,
    1806. 

  1806.             parse_quote! { C = -3*x*A + r*B },
    1807. 

  1807.             parse_quote! { 2 * x + 12 + a },
    1808. 

  1808.             quote! { let out = (Scalar::from_u128(2u128) *
    1809. 

  1809.             (<Scalar as Field>::invert(&Scalar::from_u128(3u128).neg()).unwrap() * C)) +
    1810. 

  1810.             ((Scalar::from_u128(12u128) + a) * A); },
    1811. 

  1811.             quote! { let out_rand = Scalar::from_u128(2u128) *
    1812. 

  1812.             (<Scalar as Field>::invert(&Scalar::from_u128(3u128).neg()).unwrap() * r); },
    1813. 

  1813.         );
    1814. 

  1814. 

  1815.         convert_commitment_randomness_tester(
    1816. 

  1816.             vars,
    1817. 

  1817.             randoms,
    1818. 

  1818.             parse_quote! { C = (-3*x+4+b)*A + r*B },
    1819. 

  1819.             parse_quote! { 2 * x + 12 + a },
    1820. 

  1820.             quote! { let out = (Scalar::from_u128(2u128) *
    1821. 

  1821.             (<Scalar as Field>::invert(&Scalar::from_u128(3u128).neg()).unwrap() *
    1822. 

  1822.             (C - ((Scalar::from_u128(4u128) + b) * A)))) +
    1823. 

  1823.             ((Scalar::from_u128(12u128) + a) * A); },
    1824. 

  1824.             quote! { let out_rand = Scalar::from_u128(2u128) *
    1825. 

  1825.             (<Scalar as Field>::invert(&Scalar::from_u128(3u128).neg()).unwrap() * r); },
    1826. 

  1826.         );
    1827. 

  1827. 

  1828.         convert_commitment_randomness_tester(
    1829. 

  1829.             vars,
    1830. 

  1830.             randoms,
    1831. 

  1831.             parse_quote! { C = (-3*x+4+b)*A + 2*r*B },
    1832. 

  1832.             parse_quote! { 2 * x + 12 + a },
    1833. 

  1833.             quote! { let out = (Scalar::from_u128(2u128) *
    1834. 

  1834.             (<Scalar as Field>::invert(&Scalar::from_u128(3u128).neg()).unwrap() *
    1835. 

  1835.             (C - ((Scalar::from_u128(4u128) + b) * A)))) +
    1836. 

  1836.             ((Scalar::from_u128(12u128) + a) * A); },
    1837. 

  1837.             quote! { let out_rand = Scalar::from_u128(2u128) *
    1838. 

  1838.             (<Scalar as Field>::invert(&Scalar::from_u128(3u128).neg()).unwrap() *
    1839. 

  1839.             (r * Scalar::from_u128(2u128))); },
    1840. 

  1840.         );
    1841. 

  1841. 

  1842.         convert_commitment_randomness_tester(
    1843. 

  1843.             vars,
    1844. 

  1844.             randoms,
    1845. 

  1845.             parse_quote! { C = (-3*x+4+b)*A + (2*r+c-3)*B },
    1846. 

  1846.             parse_quote! { 2 * x + 12 + a },
    1847. 

  1847.             quote! { let out = (Scalar::from_u128(2u128) *
    1848. 

  1848.             (<Scalar as Field>::invert(&Scalar::from_u128(3u128).neg()).unwrap() *
    1849. 

  1849.             (C - ((Scalar::from_u128(4u128) + b) * A)))) +
    1850. 

  1850.             ((Scalar::from_u128(12u128) + a) * A); },
    1851. 

  1851.             quote! { let out_rand = Scalar::from_u128(2u128) *
    1852. 

  1852.             (<Scalar as Field>::invert(&Scalar::from_u128(3u128).neg()).unwrap() *
    1853. 

  1853.             ((r * Scalar::from_u128(2u128)) +
    1854. 

  1854.             (c + (Scalar::from_u128(3u128).neg())))); },
    1855. 

  1855.         );
    1856. 

  1856.     }
    1857. 

  1857. }
    1858.