Struct merlin::TranscriptRngBuilder

Constructs a TranscriptRng by rekeying the Transcript with prover secrets and an external RNG.
The prover commits witness data to the TranscriptRngBuilder before using an external RNG to finalize it into a TranscriptRng. The resulting TranscriptRng is a PRF of the entire public transcript, the prover's secret witness data, and the randomness drawn from the external RNG.
Usage

To construct a TranscriptRng, a prover calls Transcript::build_rng() to clone the transcript state, then uses commit_witness_bytes() to rekey the cloned state with the prover's secrets, and finally calls finalize(). This rekeys the transcript with the output of an external rand_core RNG (one implementing RngCore + CryptoRng) and returns a finalized TranscriptRng.

These methods are intended to be chained, passing from a borrowed Transcript to an owned TranscriptRng as follows:
```rust
// Public data goes on the shared transcript.
transcript.commit_bytes(b"public", public_data);

// Witness data is keyed into a clone of the transcript state; the
// shared transcript itself is only borrowed and stays unchanged.
let mut rng = transcript
    .build_rng()
    .commit_witness_bytes(b"witness1", witness_data)
    .commit_witness_bytes(b"witness2", more_witness_data)
    .finalize(&mut rand::thread_rng());
```
In this example, the final rng is a PRF of public_data (as well as all previous transcript state), of the prover's secret witness_data and more_witness_data, and finally of the output of the thread-local RNG. Because build_rng() works on a clone of the transcript state, the witness data never enters the shared transcript, so the verifier's view of the transcript is unaffected.

Note that because a TranscriptRng can only be produced by finalize(), it is impossible to forget to rekey the transcript with external randomness.
Note

Protocols that require randomness in multiple places (e.g., to choose blinding factors for a multi-round protocol) should create a fresh TranscriptRng each time they need randomness, rather than reusing a single instance. This ensures that the randomness in each round is bound to the latest transcript state, rather than just the state of the transcript when randomness was first required.
Typed Witness Data

Like the Transcript, the TranscriptRngBuilder provides a minimal, byte-oriented API, and like the Transcript, this API can be extended to allow committing protocol-specific types using an extension trait. See the Transcript documentation for more details.
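The chained flow described under Usage, the fresh-TranscriptRng-per-round advice in the Note, and the extension-trait pattern from Typed Witness Data, as an added example that is not merlin's own code. It is a std-only model: ToyStrobe (a fixed-key SipHash mixer) stands in for the STROBE state and is not cryptographically sound; ExternalRng and FixedRng stand in for the rand_core::RngCore + CryptoRng bound and for rand::thread_rng(); Transcript::new, next_bytes, ProtocolRngBuilder, draw_nonce and two_round_nonces are names assumed for this example. Only commit_bytes, build_rng, commit_witness_bytes and finalize mirror the methods documented on this page.

```rust
// Added example, not merlin's code: a std-only model of the Transcript ->
// TranscriptRngBuilder -> TranscriptRng flow. A toy fixed-key SipHash mixer stands in
// for STROBE, and `ExternalRng` stands in for the `rand_core::RngCore + CryptoRng` bound.
use std::collections::hash_map::DefaultHasher;
use std::hash::Hasher;

/// Stand-in for `RngCore + CryptoRng` (not rand_core's trait).
pub trait ExternalRng {
    fn fill_bytes(&mut self, dest: &mut [u8]);
}

/// Constant-byte RNG for the demo; real code passes `rand::thread_rng()` here.
pub struct FixedRng(pub u8);
impl ExternalRng for FixedRng {
    fn fill_bytes(&mut self, dest: &mut [u8]) { dest.iter_mut().for_each(|b| *b = self.0); }
}

/// Toy duplex state in place of STROBE: deterministic, not cryptographically sound.
#[derive(Clone)]
struct ToyStrobe { state: [u8; 32] }
impl ToyStrobe {
    /// Mix `domain || LE32(len) || data` into each 8-byte lane, chained over the old state.
    fn absorb(&mut self, domain: &[u8], data: &[u8]) {
        let old = self.state;
        for (lane, chunk) in self.state.chunks_mut(8).enumerate() {
            let mut h = DefaultHasher::new();
            h.write(&old);
            h.write_u8(lane as u8);
            h.write(domain);
            h.write_u32(data.len() as u32);
            h.write(data);
            chunk.copy_from_slice(&h.finish().to_le_bytes());
        }
    }
    fn squeeze32(&mut self) -> [u8; 32] { self.absorb(b"PRF", &[]); self.state }
}

pub struct Transcript { strobe: ToyStrobe }
pub struct TranscriptRngBuilder { strobe: ToyStrobe }
pub struct TranscriptRng { strobe: ToyStrobe }
impl Transcript {
    pub fn new(label: &'static [u8]) -> Self {
        let mut strobe = ToyStrobe { state: [0u8; 32] };
        strobe.absorb(b"dom-sep", label);
        Transcript { strobe }
    }
    /// Public data, shared with the verifier.
    pub fn commit_bytes(&mut self, label: &'static [u8], msg: &[u8]) { self.strobe.absorb(label, msg) }
    /// Borrow the transcript and clone its state: witnesses never touch the shared transcript.
    pub fn build_rng(&self) -> TranscriptRngBuilder { TranscriptRngBuilder { strobe: self.strobe.clone() } }
}

impl TranscriptRngBuilder {
    /// Models meta-AD(label || LE32(witness.len())); KEY(witness).
    pub fn commit_witness_bytes(mut self, label: &'static [u8], witness: &[u8]) -> Self {
        self.strobe.absorb(label, witness);
        self
    }
    /// Models meta-AD("rng"); KEY(32 bytes). Sole constructor of TranscriptRng, so the RNG step cannot be skipped.
    pub fn finalize<R: ExternalRng>(mut self, rng: &mut R) -> TranscriptRng {
        let mut fresh = [0u8; 32];
        rng.fill_bytes(&mut fresh);
        self.strobe.absorb(b"rng", &fresh);
        TranscriptRng { strobe: self.strobe }
    }
}
impl TranscriptRng {
    pub fn next_bytes(&mut self) -> [u8; 32] { self.strobe.squeeze32() }
}

/// Hypothetical extension trait of the kind "Typed Witness Data" describes: a typed witness encoded to bytes.
pub trait ProtocolRngBuilder {
    fn commit_witness_u64(self, label: &'static [u8], x: u64) -> Self;
}
impl ProtocolRngBuilder for TranscriptRngBuilder {
    fn commit_witness_u64(self, label: &'static [u8], x: u64) -> Self {
        self.commit_witness_bytes(label, &x.to_le_bytes())
    }
}

/// One round's blinding factor from a fresh TranscriptRng over the transcript's current state.
pub fn draw_nonce<R: ExternalRng>(t: &Transcript, witness: u64, rng: &mut R) -> [u8; 32] {
    t.build_rng().commit_witness_u64(b"witness", witness).finalize(rng).next_bytes()
}

/// Two-round prover as the Note recommends: round 2 uses a fresh TranscriptRng bound to round 1's commitment.
pub fn two_round_nonces<R: ExternalRng>(public: &[u8], witness: u64, rng: &mut R) -> ([u8; 32], [u8; 32]) {
    let mut t = Transcript::new(b"example-proof");
    t.commit_bytes(b"public", public);
    let r1 = draw_nonce(&t, witness, rng);
    t.commit_bytes(b"round1", &r1); // the round-1 message becomes public transcript state
    let r2 = draw_nonce(&t, witness, rng);
    (r1, r2)
}

fn main() {
    let (r1, r2) = two_round_nonces(b"pk", 42, &mut FixedRng(0));
    let (s1, _) = two_round_nonces(b"pk", 42, &mut FixedRng(1));
    println!("rounds differ: {}, external randomness matters: {}", r1 != r2, r1 != s1);
}
```

The constant RNG is there only so the binding to each input can be checked deterministically: changing the public data, the witness, or the external RNG's output each changes the nonce, and the second round's nonce differs from the first even with a constant RNG because the round-1 commitment has advanced the transcript. In real code the external RNG must be rand::thread_rng() or another CryptoRng, and the witness should be keyed in through the builder rather than committed to the shared transcript.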
Methods

impl TranscriptRngBuilder

pub fn commit_witness_bytes(
    self,
    label: &'static [u8],
    witness: &[u8]
) -> TranscriptRngBuilder

Rekey the transcript using the provided witness data. The label parameter is metadata about witness, and is also committed to the transcript.

Implementation

Performs the STROBE operations

meta-AD( label || LE32(witness.len()) );
KEY( witness );
pub fn finalize<R>(self, rng: &mut R) -> TranscriptRng where
    R: RngCore + CryptoRng,

Use the supplied external rng to rekey the transcript, so that the finalized TranscriptRng is a PRF bound to randomness from the external RNG, as well as all other transcript data. The CryptoRng bound restricts the external RNG to generators that rand_core marks as cryptographically secure; a non-cryptographic RNG will not compile here.

Implementation

Performs the STROBE operations

meta-AD( "rng" );
KEY( 32 bytes of rng output );
Auto Trait Implementations
impl Send for TranscriptRngBuilder
impl Sync for TranscriptRngBuilder
Blanket Implementations
impl<T> From<T> for T
impl<T, U> Into<U> for T where U: From<T>
impl<T, U> TryFrom<U> for T where U: Into<T>
    type Error = !
    The type returned in the event of a conversion error.
    fn try_from(value: U) -> Result<T, <T as TryFrom<U>>::Error>
impl<T> Borrow<T> for T where T: ?Sized
impl<T> Any for T where T: 'static + ?Sized
impl<T> BorrowMut<T> for T where T: ?Sized
    fn borrow_mut(&mut self) -> &mut T
impl<T, U> TryInto<U> for T where U: TryFrom<T>