Crate merlin
Merlin: composable proof transcripts for public-coin arguments of knowledge
Merlin is a STROBE-based construction of a proof transcript which applies the Fiat-Shamir transform to an interactive public-coin argument of knowledge. This allows implementing protocols as if they were interactive, committing messages to the proof transcript and obtaining challenges bound to all previous messages.
In comparison to using a hash function directly, this design provides support for:
- multi-round protocols with alternating commit and challenge phases;
- natural domain separation, ensuring challenges are bound to the statements to be proved;
- automatic message framing, preventing ambiguous encoding of commitment data;
- and protocol composition, by using a common transcript for multiple protocols.
In addition, Merlin provides a transcript-based rand::Rng instance for use by the prover. This provides synthetic randomness derived from the entire public transcript, as well as the prover's witness data, and an auxiliary input from an external RNG. Mixing in the witness means that a faulty external RNG on its own does not cause the prover to reuse randomness across different statements, while the external input keeps the output unpredictable even when the transcript and witness are fixed.
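The following is an added illustration, not code from the merlin crate or its authors. It has the shape of a Merlin transcript (labelled, length-framed absorbs; challenges bound to everything absorbed so far; a prover-only RNG forked from the transcript and rekeyed with witness bytes plus external entropy), but it runs over a toy SipHash-style ARX permutation instead of STROBE/Keccak so that it compiles with no dependencies. The permutation is not a cryptographic sponge, the method names only mirror the crate's API, and `finalize` takes a byte slice standing in for an external RNG; all of these are this example's own assumptions.

```rust
// Added example, not merlin's code: a Merlin-shaped transcript over a toy
// permutation. The permutation is NOT cryptographic; it is a stand-in for
// STROBE/Keccak so the framing and domain-separation logic can be exercised.
const ROUNDS: usize = 8;

/// Toy 256-bit permutation: the SipHash round function, iterated.
fn permute(s: &mut [u64; 4]) {
    for _ in 0..ROUNDS {
        s[0] = s[0].wrapping_add(s[1]); s[1] = s[1].rotate_left(13) ^ s[0]; s[0] = s[0].rotate_left(32);
        s[2] = s[2].wrapping_add(s[3]); s[3] = s[3].rotate_left(16) ^ s[2];
        s[0] = s[0].wrapping_add(s[3]); s[3] = s[3].rotate_left(21) ^ s[0];
        s[2] = s[2].wrapping_add(s[1]); s[1] = s[1].rotate_left(17) ^ s[2]; s[2] = s[2].rotate_left(32);
    }
}

#[derive(Clone)]
pub struct ToyTranscript { state: [u64; 4] }

impl ToyTranscript {
    /// The protocol label is absorbed first, so two protocols that append
    /// identical messages still derive different challenges.
    pub fn new(protocol_label: &[u8]) -> Self {
        let mut t = ToyTranscript { state: [0x6a09e667f3bcc908, 0xbb67ae8584caa73b, 0x3c6ef372fe94f82b, 0xa54ff53a5f1d36f1] };
        t.absorb_framed(0x00, b"dom-sep", protocol_label);
        t
    }

    /// Byte-rate sponge absorb: XOR one byte in, permute, repeat.
    fn absorb(&mut self, bytes: &[u8]) {
        for &b in bytes { self.state[0] ^= b as u64; permute(&mut self.state); }
    }

    /// Framing: tag || len(label) || label || len(data) || data. Absorbing the
    /// lengths is what makes ("ab" then "c") differ from ("a" then "bc"),
    /// which a plain H(a || b || c) would conflate.
    fn absorb_framed(&mut self, tag: u8, label: &[u8], data: &[u8]) {
        self.absorb(&[tag]);
        self.absorb(&(label.len() as u32).to_le_bytes());
        self.absorb(label);
        self.absorb(&(data.len() as u32).to_le_bytes());
        self.absorb(data);
    }

    /// Prover and verifier both append every public message, in the same order.
    pub fn append_message(&mut self, label: &[u8], message: &[u8]) {
        self.absorb_framed(0x01, label, message);
    }

    /// Squeeze a challenge bound to its label, its length and every message so
    /// far. Squeezing mutates the state, so later rounds depend on it too.
    pub fn challenge_bytes(&mut self, label: &[u8], dest: &mut [u8]) {
        self.absorb_framed(0x02, label, &(dest.len() as u32).to_le_bytes());
        for chunk in dest.chunks_mut(8) {
            permute(&mut self.state);
            let out = self.state[0].to_le_bytes();
            chunk.copy_from_slice(&out[..chunk.len()]);
        }
    }

    /// Fork the transcript for prover-only randomness; the verifier never sees
    /// this branch, so the witness can be mixed in without leaking it.
    pub fn build_rng(&self) -> ToyTranscriptRng { ToyTranscriptRng { t: self.clone() } }
}

pub struct ToyTranscriptRng { t: ToyTranscript }

impl ToyTranscriptRng {
    pub fn rekey_with_witness_bytes(mut self, label: &[u8], witness: &[u8]) -> Self {
        self.t.absorb_framed(0x03, label, witness);
        self
    }
    /// `external` stands in for bytes from an OS RNG (assumed interface; the
    /// crate takes an Rng). With an empty slice the output is a deterministic
    /// function of transcript and witness, so a broken external RNG alone
    /// cannot make two different transcripts share a nonce.
    pub fn finalize(mut self, external: &[u8]) -> Self {
        self.t.absorb_framed(0x04, b"rng", external);
        self
    }
    pub fn fill_bytes(&mut self, dest: &mut [u8]) { self.t.challenge_bytes(b"rng-out", dest); }
}

/// One commit/challenge flow: append (label, message) pairs, take a 16-byte
/// challenge. Prover and verifier compute this identically.
pub fn challenge_for(protocol: &[u8], msgs: &[(&str, &str)]) -> [u8; 16] {
    let mut t = ToyTranscript::new(protocol);
    for (label, msg) in msgs { t.append_message(label.as_bytes(), msg.as_bytes()); }
    let mut c = [0u8; 16];
    t.challenge_bytes(b"challenge", &mut c);
    c
}

/// Prover-side nonce from the forked, witness-keyed RNG.
pub fn prover_nonce(protocol: &[u8], witness: &[u8], external: &[u8]) -> [u8; 16] {
    let mut rng = ToyTranscript::new(protocol).build_rng()
        .rekey_with_witness_bytes(b"witness", witness).finalize(external);
    let mut k = [0u8; 16];
    rng.fill_bytes(&mut k);
    k
}

fn main() {
    // Constructed inputs, not a real protocol run.
    println!("challenge: {:02x?}", challenge_for(b"demo", &[("A", "ab"), ("A", "c")]));
    println!("nonce:     {:02x?}", prover_nonce(b"demo", b"witness-bytes", b"os-entropy"));
}
```

The properties worth checking against such a transcript are the ones the bullet list above claims: determinism (the verifier recomputes the prover's challenge exactly), framing (re-splitting the same bytes across messages changes the challenge), domain separation (a different protocol label changes it), and multi-round binding (appending one more message changes the next challenge); for the RNG, equal inputs with no external entropy give the same nonce, while changing the witness or the entropy changes it.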
WARNING: This code is not yet suitable for deployment.
About
Merlin is authored by Henry de Valence, with design input from Isis Lovecruft and Oleg Andreev. Thanks also to Trevor Perrin and Mike Hamburg for helpful discussions.
This project is licensed under the MIT license; see LICENSE.txt for details.
Note that docs will only build on nightly Rust until RFC 1990 stabilizes.
Structs
Transcript | A transcript of a public-coin argument.
TranscriptRng | An RNG providing synthetic randomness to the prover.
TranscriptRngBuilder | Constructs a