[−][src]Trait one_of_many_proofs::proofs::OneOfManyProofs

pub trait OneOfManyProofs {
    fn prove_with_offset(
        &self, 
        gens: &ProofGens, 
        transcript: &mut Transcript, 
        l: usize, 
        r: &Scalar, 
        offset: Option<&RistrettoPoint>
    ) -> ProofResult<OneOfManyProof>;
    fn verify_batch_with_offsets(
        &self, 
        gens: &ProofGens, 
        transcript: &mut Transcript, 
        proofs: &[OneOfManyProof], 
        offsets: &[Option<&RistrettoPoint>]
    ) -> ProofResult<()>;

    fn prove(
        &self, 
        gens: &ProofGens, 
        transcript: &mut Transcript, 
        l: usize, 
        r: &Scalar
    ) -> ProofResult<OneOfManyProof> { ... }
    fn verify(
        &self, 
        gens: &ProofGens, 
        transcript: &mut Transcript, 
        proof: &OneOfManyProof
    ) -> ProofResult<()> { ... }
    fn verify_with_offset(
        &self, 
        gens: &ProofGens, 
        transcript: &mut Transcript, 
        proof: &OneOfManyProof, 
        offset: Option<&RistrettoPoint>
    ) -> ProofResult<()> { ... }
    fn verify_batch(
        &self, 
        gens: &ProofGens, 
        transcript: &mut Transcript, 
        proofs: &[OneOfManyProof]
    ) -> ProofResult<()> { ... }
}

Trait for computing and verifying OneOfMany zero-knowledge membership proofs over a set of points. Each method is designed to iterate over a set of RistrettoPoints representing pedersen commitments. A prover should know the opening of one commitment in the set, and the index of that commitment within the set.

Proof of knowledge of a commitment that opens to zero

The prove() and verify() methods may be used to compute and verify membership of a commitment that opens to zero within a specified set of commitments. Proofs for commitments are demonstrated further below.

// Set up proof generators
let gens = ProofGens::new(5).unwrap();

// Create the prover's commitment to zero
let l: usize = 3; // The prover's commitment will be third in the set
let v = Scalar::zero();
let r = Scalar::random(&mut OsRng); // You should use a more secure RNG
let C_l = gens.commit(&v, &r).unwrap();

// Build a random set containing the prover's commitment at index `l`
let mut set = (1..gens.max_set_size())
    .map(|_| RistrettoPoint::random(&mut OsRng))
    .collect::<Vec<RistrettoPoint>>();
set.insert(l, C_l);

// Compute a `OneOfMany` membership proof for this commitment
let mut t = Transcript::new(b"OneOfMany-Test");
let proof = set.iter().prove(&gens, &mut t.clone(), l, &r).unwrap();

// Verify this membership proof, without any knowledge of `l` or `r`.
assert!(set
    .iter()
    .verify(&gens, &mut t.clone(), &proof)
    .is_ok());

Proof of knowledge of a commitment that opens to any value

This is an extension of the OneOfMany proof protocol, to enable proof of knowledge of a commitment to any value within the set.

If the prover knows the index, l, and opening of some commitment, C_l, within a set of commitments, then the prover can prove this knowledge, and also prove that some new commitment, C_new, commits to the same value as C_l.

The basic concept is that C_new will be supplied as an offset in the proof computation. This offset will be subtracted from every member in the set before computing a OneOfMany proof. Since, C_new commits to the same value as C_l, the result after subtraction will yield a commitment to 0 at index l within the set. This commitment to 0 can now be used to compute a OneOfMany proof of membership.

Note: the resultant commitment to zero is blinded by r - r_new, and this value must be supplied instead of r, to compute the proof.

// Set up proof generators
let gens = ProofGens::new(5).unwrap();

// Create the prover's commitment to a random value
let l: usize = 3; // The prover's commitment will be third in the set
let v = Scalar::random(&mut OsRng); // You should use a more secure RNG
let r = Scalar::random(&mut OsRng); // You should use a more secure RNG
let C_l = gens.commit(&v, &r).unwrap();

// Build a random set containing the prover's commitment at index `l`
let mut set = (1..gens.max_set_size())
    .map(|_| RistrettoPoint::random(&mut OsRng))
    .collect::<Vec<RistrettoPoint>>();
set.insert(l, C_l);

// Create a new commitment to the same value as `C_l`
let r_new = Scalar::random(&mut OsRng); // You should use a more secure RNG
let C_new = gens.commit(&v, &r_new).unwrap();

// Compute a `OneOfMany` membership proof for this commitment
let mut t = Transcript::new(b"OneOfMany-Test");
let proof = set.iter().prove_with_offset(&gens, &mut t.clone(), l, &(r - r_new), Some(&C_new)).unwrap();

// Verify this membership proof, without any knowledge of `l` or `r`.
assert!(set
    .iter()
    .verify_with_offset(&gens, &mut t.clone(), &proof, Some(&C_new))
    .is_ok());

Required methods

`fn prove_with_offset( &self, gens: &ProofGens, transcript: &mut Transcript, l: usize, r: &Scalar, offset: Option<&RistrettoPoint> ) -> ProofResult<OneOfManyProof>`

Prove knowledge of a commitment opening to any value.

`fn verify_batch_with_offsets( &self, gens: &ProofGens, transcript: &mut Transcript, proofs: &[OneOfManyProof], offsets: &[Option<&RistrettoPoint>] ) -> ProofResult<()>`

Batch verification of membership proofs

Loading content...

Provided methods

`fn prove( &self, gens: &ProofGens, transcript: &mut Transcript, l: usize, r: &Scalar ) -> ProofResult<OneOfManyProof>`

Prove knowledge of a commitment opening to zero. The prover must provide the index l of a commitment within the set that opens to zero, and also its blinding factor, r.

Note: this is just a convenience wrapper around prove_with_offset().

`fn verify( &self, gens: &ProofGens, transcript: &mut Transcript, proof: &OneOfManyProof ) -> ProofResult<()>`

Verify a proof of knowledge of a commitment opening to zero. This verification will only succeed if the proven commitment opens to zero.

Note: this is just a convenience wrapper around verify_with_offset().

`fn verify_with_offset( &self, gens: &ProofGens, transcript: &mut Transcript, proof: &OneOfManyProof, offset: Option<&RistrettoPoint> ) -> ProofResult<()>`

Verify a proof of knowledge of a commitment opening to any value.

`fn verify_batch( &self, gens: &ProofGens, transcript: &mut Transcript, proofs: &[OneOfManyProof] ) -> ProofResult<()>`

Batch verification of membership proofs

Loading content...

Implementors

`impl<'a, I> OneOfManyProofs for I where I: Iterator<Item = &'a RistrettoPoint> + Clone,` [src]

`fn prove_with_offset( &self, gens: &ProofGens, transcript: &mut Transcript, l: usize, r: &Scalar, offset: Option<&RistrettoPoint> ) -> ProofResult<OneOfManyProof>`[src]

`fn verify_batch_with_offsets( &self, gens: &ProofGens, transcript: &mut Transcript, proofs: &[OneOfManyProof], offsets: &[Option<&RistrettoPoint>] ) -> ProofResult<()>`[src]

Loading content...

[−][src]Trait one_of_many_proofs::proofs::OneOfManyProofs

Proof of knowledge of a commitment that opens to zero

Proof of knowledge of a commitment that opens to any value

Required methods

fn prove_with_offset( &self, gens: &ProofGens, transcript: &mut Transcript, l: usize, r: &Scalar, offset: Option<&RistrettoPoint>) -> ProofResult<OneOfManyProof>

fn verify_batch_with_offsets( &self, gens: &ProofGens, transcript: &mut Transcript, proofs: &[OneOfManyProof], offsets: &[Option<&RistrettoPoint>]) -> ProofResult<()>

Provided methods

fn prove( &self, gens: &ProofGens, transcript: &mut Transcript, l: usize, r: &Scalar) -> ProofResult<OneOfManyProof>

fn verify( &self, gens: &ProofGens, transcript: &mut Transcript, proof: &OneOfManyProof) -> ProofResult<()>

fn verify_with_offset( &self, gens: &ProofGens, transcript: &mut Transcript, proof: &OneOfManyProof, offset: Option<&RistrettoPoint>) -> ProofResult<()>

fn verify_batch( &self, gens: &ProofGens, transcript: &mut Transcript, proofs: &[OneOfManyProof]) -> ProofResult<()>

Implementors

impl<'a, I> OneOfManyProofs for I where I: Iterator<Item = &'a RistrettoPoint> + Clone, [src]

fn prove_with_offset( &self, gens: &ProofGens, transcript: &mut Transcript, l: usize, r: &Scalar, offset: Option<&RistrettoPoint>) -> ProofResult<OneOfManyProof>[src]

fn verify_batch_with_offsets( &self, gens: &ProofGens, transcript: &mut Transcript, proofs: &[OneOfManyProof], offsets: &[Option<&RistrettoPoint>]) -> ProofResult<()>[src]

`fn prove_with_offset( &self, gens: &ProofGens, transcript: &mut Transcript, l: usize, r: &Scalar, offset: Option<&RistrettoPoint> ) -> ProofResult<OneOfManyProof>`

`fn verify_batch_with_offsets( &self, gens: &ProofGens, transcript: &mut Transcript, proofs: &[OneOfManyProof], offsets: &[Option<&RistrettoPoint>] ) -> ProofResult<()>`

`fn prove( &self, gens: &ProofGens, transcript: &mut Transcript, l: usize, r: &Scalar ) -> ProofResult<OneOfManyProof>`

`fn verify( &self, gens: &ProofGens, transcript: &mut Transcript, proof: &OneOfManyProof ) -> ProofResult<()>`

`fn verify_with_offset( &self, gens: &ProofGens, transcript: &mut Transcript, proof: &OneOfManyProof, offset: Option<&RistrettoPoint> ) -> ProofResult<()>`

`fn verify_batch( &self, gens: &ProofGens, transcript: &mut Transcript, proofs: &[OneOfManyProof] ) -> ProofResult<()>`

`impl<'a, I> OneOfManyProofs for I where I: Iterator<Item = &'a RistrettoPoint> + Clone,` [src]

`fn prove_with_offset( &self, gens: &ProofGens, transcript: &mut Transcript, l: usize, r: &Scalar, offset: Option<&RistrettoPoint> ) -> ProofResult<OneOfManyProof>`[src]

`fn verify_batch_with_offsets( &self, gens: &ProofGens, transcript: &mut Transcript, proofs: &[OneOfManyProof], offsets: &[Option<&RistrettoPoint>] ) -> ProofResult<()>`[src]