Struct Transcript

pub struct Transcript { /* private fields */ }

Shake128 transcript style hasher.

Implementations

impl Transcript

pub fn from_shake128(hasher: Shake128) -> Transcript

Create a Transcript from Shake128.

pub fn from_accumulation(acc: impl AsRef<[u8]>) -> Transcript

Create a Transcript from previously accumulated bytes.

We do not domain separate these initial bytes, but we do domain separate everything after them, which makes this safe.

pub fn new_blank() -> Transcript

Create an empty Transcript.

pub fn new_labeled(label: impl AsLabel) -> Transcript

Create a fresh Transcript with an initial domain label.

We implicitly have an initial zero-length user data write preceding this first label.

pub fn new_blank_accumulator() -> Transcript

Create an empty Transcript in bytes accumulation mode.

You cannot create Readers in accumulation mode, but accumulator_finalize exports the accumulated Vec<u8>. You could then transport this elsewhere and start a real hasher using from_accumulation.

pub fn accumulator_reserve(&mut self, additional: usize)

Avoid repeated allocations by reserving additional space when in accumulation mode.

pub fn accumulator_finalize(self) -> Vec<u8>

Invokes seperate and exports the accumulated transcript bytes, which you later pass into Transcript::from_accumulation.

pub fn seperate(&mut self)

Write a basic unlabeled domain separator into the hasher.

Implemented by writing, in big endian, the number of bytes written since the previous seperate call, aka I2OSP(len,4) from RFC 8017.

We do nothing unless write_bytes was called after the previous seperate call. Invoking write_bytes(b"") before seperate forces separation, which keeps code paths that are meant to hash convergently aligned even when users supply zero-length inputs.

pub fn write_bytes(&mut self, bytes: &[u8])

Write bytes into the hasher, increasing the domain separator counter.

We wrap each 2^31 bytes into a separate domain, instead of producing an error.
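The length-suffix separation described for seperate and write_bytes, together with the export and resume flow of accumulation mode, as a std-only model. This is an added example, not the ark-transcript source: ModelTranscript and accumulate are hypothetical names, the 2^31 wrap is omitted, and the inputs are constructed.

```rust
/// Simplified model of the accumulation-mode byte stream (not the crate's code).
/// `pending` counts bytes written since the last `seperate`; None means
/// `write_bytes` has not been called since then.
pub struct ModelTranscript {
    buf: Vec<u8>,
    pending: Option<u32>,
}

impl ModelTranscript {
    pub fn new_blank_accumulator() -> Self {
        ModelTranscript { buf: Vec::new(), pending: None }
    }
    /// Resume from exported bytes. They are taken as-is, with nothing pending.
    pub fn from_accumulation(acc: impl AsRef<[u8]>) -> Self {
        ModelTranscript { buf: acc.as_ref().to_vec(), pending: None }
    }
    pub fn write_bytes(&mut self, bytes: &[u8]) {
        assert!(bytes.len() < (1usize << 31), "model omits the 2^31 wrap");
        self.buf.extend_from_slice(bytes);
        self.pending = Some(self.pending.unwrap_or(0) + bytes.len() as u32);
    }
    /// Append I2OSP(len, 4), but only if something (even b"") was written.
    pub fn seperate(&mut self) {
        if let Some(len) = self.pending.take() {
            self.buf.extend_from_slice(&len.to_be_bytes());
        }
    }
    pub fn accumulator_finalize(mut self) -> Vec<u8> {
        self.seperate();
        self.buf
    }
}

/// Write each part followed by `seperate`, then export the bytes.
pub fn accumulate(parts: &[&str]) -> Vec<u8> {
    let mut t = ModelTranscript::new_blank_accumulator();
    for p in parts {
        t.write_bytes(p.as_bytes());
        t.seperate();
    }
    t.accumulator_finalize()
}

fn main() {
    // Constructed inputs: the same concatenation "abc", split two ways.
    println!("{:02x?}", accumulate(&["ab", "c"]));
    println!("{:02x?}", accumulate(&["a", "bc"]));
}
```

The two splits of "abc" export different bytes because each length suffix pins where a write phase ended, and resuming from exported bytes yields the same stream as writing everything in one transcript.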

pub fn append_u64(&mut self, v: u64)

I2OSP(len,8) from RFC 8017 with our own domain separation.

pub fn append<O: CanonicalSerialize + ?Sized>(&mut self, itm: &O)

Write into the hasher items serializable by Arkworks.

We ensure_seperated from any previously supplied user data, so we therefore suggest that label be called in between append and writes of possibly empty user data. See concerns on ensure_seperated.

We use uncompressed serialization here for performance.

pub fn append_slice<O, B>(&mut self, itms: &[B])
where O: CanonicalSerialize + ?Sized, B: Borrow<O>,

Write into the hasher a slice of items serializable by Arkworks, exactly like invoking append repeatedly.

pub fn label(&mut self, label: impl AsLabel)

Write domain separation label into the hasher, after first ending the previous write phase.

pub fn challenge(&mut self, label: impl AsLabel) -> Reader

Create a challenge reader.

Invoking self.label(label) has the same effect upon self, but the reader returned cannot be obtained by any combination of other methods.

pub fn fork(&self, label: impl AsLabel) -> Transcript

Forks transcript to prepare a witness reader.

We clone the transcript and label this clone, but do not touch the original. After forking, you should write any secret seeds into the transcript, and then invoke witness with system randomness.

pub fn witness(self, rng: &mut (impl RngCore + CryptoRng)) -> Reader

Create a witness reader from a forked transcript.

We expect rng to be system randomness when used in production, à la &mut rand_core::OsRng or maybe &mut rand::thread_rng(), as otherwise you incur risks from any weaknesses elsewhere.

You’ll need deterministic randomness for test vectors of course, à la &mut ark_transcript::debug::TestVectorFakeRng. We suggest implementing this choice inside your secret key type, alongside whatever supplies secret seeds.

Trait Implementations

impl Clone for Transcript

fn clone(&self) -> Transcript

Returns a duplicate of the value.

fn clone_from(&mut self, source: &Self)

Performs copy-assignment from source.

impl Default for Transcript

fn default() -> Transcript

Create a fresh empty Transcript.

impl Update for Transcript

fn update(&mut self, bytes: &[u8])

Update state using the provided data.

fn chain(self, data: impl AsRef<[u8]>) -> Self
where Self: Sized,

Digest input data in a chained manner.

impl Write for Transcript

fn write(&mut self, bytes: &[u8]) -> Result<usize>

Write a buffer into this writer, returning how many bytes were written.

fn flush(&mut self) -> Result<()>

Flush this output stream, ensuring that all intermediately buffered contents reach their destination.

fn write_all(&mut self, buf: &[u8]) -> Result<(), Error>

Attempts to write an entire buffer into this writer.

fn by_ref(&mut self) -> &mut Self
where Self: Sized,

Creates a “by reference” adaptor for this instance of Write.

Blanket Implementations

impl<T> Any for T
where T: 'static + ?Sized,

fn type_id(&self) -> TypeId

Gets the TypeId of self.

impl<T> Borrow<T> for T
where T: ?Sized,

fn borrow(&self) -> &T

Immutably borrows from an owned value.

impl<T> BorrowMut<T> for T
where T: ?Sized,

fn borrow_mut(&mut self) -> &mut T

Mutably borrows from an owned value.

impl<T> CloneToUninit for T
where T: Clone,

unsafe fn clone_to_uninit(&self, dest: *mut u8)

🔬This is a nightly-only experimental API. (clone_to_uninit)
Performs copy-assignment from self to dest.

impl<T> From<T> for T

fn from(t: T) -> T

Returns the argument unchanged.

impl<T, U> Into<U> for T
where U: From<T>,

fn into(self) -> U

Calls U::from(self).

That is, this conversion is whatever the implementation of From<T> for U chooses to do.

impl<B> IntoTranscript for B

impl<T> Same for T

type Output = T

Should always be Self

impl<T> ToOwned for T
where T: Clone,

type Owned = T

The resulting type after obtaining ownership.

fn to_owned(&self) -> T

Creates owned data from borrowed data, usually by cloning.

fn clone_into(&self, target: &mut T)

Uses borrowed data to replace owned data, usually by cloning.

impl<T, U> TryFrom<U> for T
where U: Into<T>,

type Error = Infallible

The type returned in the event of a conversion error.

fn try_from(value: U) -> Result<T, <T as TryFrom<U>>::Error>

Performs the conversion.

impl<T, U> TryInto<U> for T
where U: TryFrom<T>,

type Error = <U as TryFrom<T>>::Error

The type returned in the event of a conversion error.

fn try_into(self) -> Result<U, <U as TryFrom<T>>::Error>

Performs the conversion.

impl<V, T> VZip<V> for T
where V: MultiLane<T>,

fn vzip(self) -> V