dusk-plonk 0.23.0

A pure-Rust implementation of the PLONK ZK-Proof algorithm
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146

// This Source Code Form is subject to the terms of the Mozilla Public
// License, v. 2.0. If a copy of the MPL was not distributed with this
// file, You can obtain one at http://mozilla.org/MPL/2.0/.
//
// Copyright (c) DUSK NETWORK. All rights reserved.

//! This is an extension over the [Merlin Transcript](Transcript)
//! which adds a few extra functionalities.

use alloc::boxed::Box;

use dusk_bytes::Serializable;
use dusk_curves::bls12_381::BlsScalar;
use merlin::Transcript;

use crate::commitment_scheme::Commitment;
use crate::proof_system::VerifierKey;

// Merlin's `Transcript::new` requires `&'static [u8]`, but callers pass
// runtime `&[u8]` labels. `Box::leak` bridges the gap by promoting the
// allocation to `'static`. Without caching, every call to `base` / `base_v3`
// leaks a new allocation — on a long-running node this accumulates
// proportionally to the number of verified transactions.
cfg_if::cfg_if! {
    if #[cfg(feature = "std")] {
        // With std we cache leaked labels in a `HashMap` so each distinct
        // label is only leaked once, bounding memory to the number of
        // unique circuit labels (typically a handful).
        fn transcript_label_static(label: &[u8]) -> &'static [u8] {
            use alloc::vec::Vec;
            use std::sync::Mutex;
            use std::collections::HashMap;

            static CACHE: Mutex<Option<HashMap<Vec<u8>, &'static [u8]>>> =
                Mutex::new(None);

            let mut guard =
                CACHE.lock().unwrap_or_else(|e| e.into_inner());
            let map = guard.get_or_insert_with(HashMap::new);

            if let Some(&cached) = map.get(label) {
                return cached;
            }

            let leaked: &'static [u8] =
                Box::leak(label.to_vec().into_boxed_slice());
            map.insert(label.to_vec(), leaked);
            leaked
        }
    } else {
        // no_std (WASM): executions are short-lived so accumulation is not
        // a concern — keep the simple Box::leak approach.
        fn transcript_label_static(label: &[u8]) -> &'static [u8] {
            Box::leak(label.to_vec().into_boxed_slice())
        }
    }
}

/// Transcript adds an abstraction over the Merlin transcript
/// For convenience
pub(crate) trait TranscriptProtocol {
    /// Append a `commitment` with the given `label`.
    fn append_commitment(&mut self, label: &'static [u8], comm: &Commitment);

    /// Append a `BlsScalar` with the given `label`.
    fn append_scalar(&mut self, label: &'static [u8], s: &BlsScalar);

    /// Compute a `label`ed challenge variable.
    fn challenge_scalar(&mut self, label: &'static [u8]) -> BlsScalar;

    /// Append domain separator for the circuit size.
    fn circuit_domain_sep(&mut self, n: u64);

    /// Create a new instance of the base transcript of the protocol
    fn base(
        label: &[u8],
        verifier_key: &VerifierKey,
        constraints: usize,
    ) -> Self;

    /// Create a transcript seeded with v3 verifier-key binding behavior.
    fn base_v3(
        label: &[u8],
        verifier_key: &VerifierKey,
        constraints: usize,
    ) -> Self;
}

impl TranscriptProtocol for Transcript {
    fn append_commitment(&mut self, label: &'static [u8], comm: &Commitment) {
        self.append_message(label, &comm.0.to_bytes());
    }

    fn append_scalar(&mut self, label: &'static [u8], s: &BlsScalar) {
        self.append_message(label, &s.to_bytes())
    }

    fn challenge_scalar(&mut self, label: &'static [u8]) -> BlsScalar {
        let mut buf = [0u8; 64];
        self.challenge_bytes(label, &mut buf);

        BlsScalar::from_bytes_wide(&buf)
    }

    fn circuit_domain_sep(&mut self, n: u64) {
        self.append_message(b"dom-sep", b"circuit_size");
        self.append_u64(b"n", n);
    }

    fn base(
        label: &[u8],
        verifier_key: &VerifierKey,
        constraints: usize,
    ) -> Self {
        // Transcript can't be serialized/deserialized. One alternative is to
        // fork merlin and implement these functionalities, so we can use custom
        // transcripts for provers and verifiers. However, we don't have a use
        // case for this feature in Dusk.

        let label = transcript_label_static(label);

        let mut transcript = Transcript::new(label);

        transcript.circuit_domain_sep(constraints as u64);

        verifier_key.seed_transcript_legacy(&mut transcript);

        transcript
    }

    fn base_v3(
        label: &[u8],
        verifier_key: &VerifierKey,
        constraints: usize,
    ) -> Self {
        let label = transcript_label_static(label);

        let mut transcript = Transcript::new(label);

        transcript.circuit_domain_sep(constraints as u64);

        verifier_key.seed_transcript(&mut transcript);

        transcript
    }
}