AUTHDECODE

This crates implements the AUTHDECODE functionality described in the tlsn repo. It uses the ark-poly-commit crate for proofs that are generic over polynomial commitment schemes.

What is implemented:

• The R_binary relation has a prover and verifier, and unit tests
• Selective revelation is implemented and benchmarked. To see the benchmarks, run cargo test --release -- --nocapture
• The skeleton of the R_decode prover

What remains to be done:

• Complete the implementation of R_decode. The protocol is simple, but it seems that ark-poly-commit is missing a definition of scalar multiplication on commitments. This is necessary in order to compute the Δ·com_p term in R_decode. Fortunately, it exposes addition on the relevant types, so scalar multiplication isn't far off.
• Optional: implement the R_pack protocol to pack plaintext bits into bytes
• Use merlin transcripts to generate challenges. Currently, they're just placeholder values. A secure Fiat-Shamir'ed protocol should be hashing the whole transcript.
• Ensure proper hiding for plaintext polynomials. It might already be the case that this works, via the supported_hiding_bound in PolynomialCommitment::trim.