Struct merlin::TranscriptRngBuilder
source · pub struct TranscriptRngBuilder { /* private fields */ }
Expand description
Constructs a TranscriptRng
by rekeying the Transcript
with
prover secrets and an external RNG.
The prover uses a TranscriptRngBuilder
to rekey with its
witness data, before using an external RNG to finalize to a
TranscriptRng
. The resulting TranscriptRng
will be a PRF
of all of the entire public transcript, the prover’s secret
witness data, and randomness from the external RNG.
§Usage
To construct a TranscriptRng
, a prover calls
Transcript::build_rng()
to clone the transcript state, then
uses rekey_with_witness_bytes()
to rekey the
transcript with the prover’s secrets, before finally calling
finalize()
. This rekeys the transcript with the
output of an external rand_core::RngCore
instance and returns
a finalized TranscriptRng
.
These methods are intended to be chained, passing from a borrowed
Transcript
to an owned TranscriptRng
as follows:
transcript.append_message(b"public", public_data);
let mut rng = transcript
.build_rng()
.rekey_with_witness_bytes(b"witness1", witness_data)
.rekey_with_witness_bytes(b"witness2", more_witness_data)
.finalize(&mut rand_core::OsRng);
In this example, the final rng
is a PRF of public_data
(as well as all previous transcript
state), and of the prover’s
secret witness_data
and more_witness_data
, and finally, of the
output of the thread-local RNG.
Note that because the TranscriptRng
is produced from
finalize()
, it’s impossible to forget
to rekey the transcript with external randomness.
§Note
Protocols that require randomness in multiple places (e.g., to
choose blinding factors for a multi-round protocol) should create
a fresh TranscriptRng
each time they need randomness,
rather than reusing a single instance. This ensures that the
randomness in each round is bound to the latest transcript state,
rather than just the state of the transcript when randomness was
first required.
§Typed Witness Data
Like the Transcript
, the TranscriptRngBuilder
provides a
minimal, byte-oriented API, and like the Transcript
, this API
can be extended to allow rekeying with protocol-specific types
using an extension trait. See the Transcript
Protocols section of the
Merlin website for more details.
Implementations§
source§impl TranscriptRngBuilder
impl TranscriptRngBuilder
sourcepub fn rekey_with_witness_bytes(
self,
label: &'static [u8],
witness: &[u8],
) -> TranscriptRngBuilder
pub fn rekey_with_witness_bytes( self, label: &'static [u8], witness: &[u8], ) -> TranscriptRngBuilder
Rekey the transcript using the provided witness data.
The label
parameter is metadata about witness
.
sourcepub fn commit_witness_bytes(
self,
label: &'static [u8],
witness: &[u8],
) -> TranscriptRngBuilder
👎Deprecated since 1.1.0: renamed to rekey_with_witness_bytes for clarity.
pub fn commit_witness_bytes( self, label: &'static [u8], witness: &[u8], ) -> TranscriptRngBuilder
Deprecated. This function was renamed to
rekey_with_witness_bytes
.
This is intended to avoid any possible confusion between the transcript-level messages and protocol-level commitments.
sourcepub fn finalize<R>(self, rng: &mut R) -> TranscriptRng
pub fn finalize<R>(self, rng: &mut R) -> TranscriptRng
Use the supplied external rng
to rekey the transcript, so
that the finalized TranscriptRng
is a PRF bound to
randomness from the external RNG, as well as all other
transcript data.