Module prio::flp

source ·
Expand description

Implementation of the generic Fully Linear Proof (FLP) system specified in [draft-irtf-cfrg-vdaf-08]. This is the main building block of Prio3.

The FLP is derived for any implementation of the Type trait. Such an implementation specifies a validity circuit that defines the set of valid measurements, as well as the finite field in which the validity circuit is evaluated. It also determines how raw measurements are encoded as inputs to the validity circuit, and how aggregates are decoded from sums of measurements.

§Overview

The proof system is comprised of three algorithms. The first, prove, is run by the prover in order to generate a proof of a statement’s validity. The second and third, query and decide, are run by the verifier in order to check the proof. The proof asserts that the input is an element of a language recognized by the arithmetic circuit. If an input is not valid, then the verification step will fail with high probability:

use prio::flp::types::Count;
use prio::flp::Type;
use prio::field::{random_vector, FieldElement, Field64};

// The prover chooses a measurement.
let count = Count::new();
let input: Vec<Field64> = count.encode_measurement(&false).unwrap();

// The prover and verifier agree on "joint randomness" used to generate and
// check the proof. The application needs to ensure that the prover
// "commits" to the input before this point. In Prio3, the joint
// randomness is derived from additive shares of the input.
let joint_rand = random_vector(count.joint_rand_len()).unwrap();

// The prover generates the proof.
let prove_rand = random_vector(count.prove_rand_len()).unwrap();
let proof = count.prove(&input, &prove_rand, &joint_rand).unwrap();

// The verifier checks the proof. In the first step, the verifier "queries"
// the input and proof, getting the "verifier message" in response. It then
// inspects the verifier to decide if the input is valid.
let query_rand = random_vector(count.query_rand_len()).unwrap();
let verifier = count.query(&input, &proof, &query_rand, &joint_rand, 1).unwrap();
assert!(count.decide(&verifier).unwrap());

Modules§

Enums§

  • FlpError
    Errors propagated by methods in this module.

Traits§

  • Gadget
    A gadget, a non-affine arithmetic circuit that is called when evaluating a validity circuit.
  • Type
    A type. Implementations of this trait specify how a particular kind of measurement is encoded as a vector of field elements and how validity of the encoded measurement is determined. Validity is determined via an arithmetic circuit evaluated over the encoded measurement.
  • TypeWithNoiseexperimental
    A type which supports adding noise to aggregate shares for Server Differential Privacy.