Expand description
Implementation of the generic Fully Linear Proof (FLP) system specified in
[draft-irtf-cfrg-vdaf-08]. This is the main building block of Prio3
.
The FLP is derived for any implementation of the Type
trait. Such an implementation
specifies a validity circuit that defines the set of valid measurements, as well as the finite
field in which the validity circuit is evaluated. It also determines how raw measurements are
encoded as inputs to the validity circuit, and how aggregates are decoded from sums of
measurements.
§Overview
The proof system is comprised of three algorithms. The first, prove
, is run by the prover in
order to generate a proof of a statement’s validity. The second and third, query
and
decide
, are run by the verifier in order to check the proof. The proof asserts that the input
is an element of a language recognized by the arithmetic circuit. If an input is not valid,
then the verification step will fail with high probability:
use prio::flp::types::Count;
use prio::flp::Type;
use prio::field::{random_vector, FieldElement, Field64};
// The prover chooses a measurement.
let count = Count::new();
let input: Vec<Field64> = count.encode_measurement(&false).unwrap();
// The prover and verifier agree on "joint randomness" used to generate and
// check the proof. The application needs to ensure that the prover
// "commits" to the input before this point. In Prio3, the joint
// randomness is derived from additive shares of the input.
let joint_rand = random_vector(count.joint_rand_len()).unwrap();
// The prover generates the proof.
let prove_rand = random_vector(count.prove_rand_len()).unwrap();
let proof = count.prove(&input, &prove_rand, &joint_rand).unwrap();
// The verifier checks the proof. In the first step, the verifier "queries"
// the input and proof, getting the "verifier message" in response. It then
// inspects the verifier to decide if the input is valid.
let query_rand = random_vector(count.query_rand_len()).unwrap();
let verifier = count.query(&input, &proof, &query_rand, &joint_rand, 1).unwrap();
assert!(count.decide(&verifier).unwrap());
Modules§
- A collection of gadgets.
- test_utils
test-util
Utilities for testing FLPs. - A collection of
Type
implementations.
Enums§
- Errors propagated by methods in this module.
Traits§
- A gadget, a non-affine arithmetic circuit that is called when evaluating a validity circuit.
- A type. Implementations of this trait specify how a particular kind of measurement is encoded as a vector of field elements and how validity of the encoded measurement is determined. Validity is determined via an arithmetic circuit evaluated over the encoded measurement.
- TypeWithNoise
experimental
A type which supports adding noise to aggregate shares for Server Differential Privacy.