Struct merlin::TranscriptRngBuilder

source ·
pub struct TranscriptRngBuilder { /* private fields */ }
Expand description

Constructs a TranscriptRng by rekeying the Transcript with prover secrets and an external RNG.

The prover uses a TranscriptRngBuilder to rekey with its witness data, before using an external RNG to finalize to a TranscriptRng. The resulting TranscriptRng will be a PRF of all of the entire public transcript, the prover’s secret witness data, and randomness from the external RNG.

§Usage

To construct a TranscriptRng, a prover calls Transcript::build_rng() to clone the transcript state, then uses rekey_with_witness_bytes() to rekey the transcript with the prover’s secrets, before finally calling finalize(). This rekeys the transcript with the output of an external rand_core::RngCore instance and returns a finalized TranscriptRng.

These methods are intended to be chained, passing from a borrowed Transcript to an owned TranscriptRng as follows:

transcript.append_message(b"public", public_data);

let mut rng = transcript
    .build_rng()
    .rekey_with_witness_bytes(b"witness1", witness_data)
    .rekey_with_witness_bytes(b"witness2", more_witness_data)
    .finalize(&mut rand_core::OsRng);

In this example, the final rng is a PRF of public_data (as well as all previous transcript state), and of the prover’s secret witness_data and more_witness_data, and finally, of the output of the thread-local RNG. Note that because the TranscriptRng is produced from finalize(), it’s impossible to forget to rekey the transcript with external randomness.

§Note

Protocols that require randomness in multiple places (e.g., to choose blinding factors for a multi-round protocol) should create a fresh TranscriptRng each time they need randomness, rather than reusing a single instance. This ensures that the randomness in each round is bound to the latest transcript state, rather than just the state of the transcript when randomness was first required.

§Typed Witness Data

Like the Transcript, the TranscriptRngBuilder provides a minimal, byte-oriented API, and like the Transcript, this API can be extended to allow rekeying with protocol-specific types using an extension trait. See the Transcript Protocols section of the Merlin website for more details.

Implementations§

source§

impl TranscriptRngBuilder

source

pub fn rekey_with_witness_bytes( self, label: &'static [u8], witness: &[u8], ) -> TranscriptRngBuilder

Rekey the transcript using the provided witness data.

The label parameter is metadata about witness.

source

pub fn commit_witness_bytes( self, label: &'static [u8], witness: &[u8], ) -> TranscriptRngBuilder

👎Deprecated since 1.1.0: renamed to rekey_with_witness_bytes for clarity.

Deprecated. This function was renamed to rekey_with_witness_bytes.

This is intended to avoid any possible confusion between the transcript-level messages and protocol-level commitments.

source

pub fn finalize<R>(self, rng: &mut R) -> TranscriptRng
where R: RngCore + CryptoRng,

Use the supplied external rng to rekey the transcript, so that the finalized TranscriptRng is a PRF bound to randomness from the external RNG, as well as all other transcript data.

Auto Trait Implementations§

Blanket Implementations§

source§

impl<T> Any for T
where T: 'static + ?Sized,

source§

fn type_id(&self) -> TypeId

Gets the TypeId of self. Read more
source§

impl<T> Borrow<T> for T
where T: ?Sized,

source§

fn borrow(&self) -> &T

Immutably borrows from an owned value. Read more
source§

impl<T> BorrowMut<T> for T
where T: ?Sized,

source§

fn borrow_mut(&mut self) -> &mut T

Mutably borrows from an owned value. Read more
source§

impl<T> From<T> for T

source§

fn from(t: T) -> T

Returns the argument unchanged.

source§

impl<T, U> Into<U> for T
where U: From<T>,

source§

fn into(self) -> U

Calls U::from(self).

That is, this conversion is whatever the implementation of From<T> for U chooses to do.

source§

impl<T, U> TryFrom<U> for T
where U: Into<T>,

§

type Error = Infallible

The type returned in the event of a conversion error.
source§

fn try_from(value: U) -> Result<T, <T as TryFrom<U>>::Error>

Performs the conversion.
source§

impl<T, U> TryInto<U> for T
where U: TryFrom<T>,

§

type Error = <U as TryFrom<T>>::Error

The type returned in the event of a conversion error.
source§

fn try_into(self) -> Result<U, <U as TryFrom<T>>::Error>

Performs the conversion.