The library uses Merlin transcripts internally for handling Fiat-Shamir operations. When generating and verifying a proof, the caller provides a label that is used to instantiate the transcript.
This is not particularly idiomatic, because it requires a `&'static` lifetime for the label, it does not follow Merlin's design recommendations, and it does not support transcript composition. Composition allows a single transcript to be used for multiple sub-protocols safely and flexibly. This PR makes a breaking change in two ways to support this.
First, it changes the public API to replace transcript labels with mutable references to Merlin transcripts. This means in particular that the caller is responsible for the transcript: it either instantiates a new transcript with a label of its choice, or passes along an existing transcript for composition.
Second, it changes how domain separation is applied to the transcript. The Merlin documentation requires the use of a fixed domain separation message label `dom-sep`, and recommends its use in composition. The library currently uses a different design that, while safe if transcripts are strictly internal, could cause issues during composition. If it's desirable for existing proofs to verify, the domain separation change can be reverted, but the documentation should be modified to indicate this nonstandard behavior.
Closes #114.
BREAKING CHANGE: Changes the prover and verifier APIs to replace transcript labels with Merlin transcripts. Changes how domain separation is applied internally.
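The following is an added Rust example illustrating the API shape the description above argues for; it is not the library's code and not part of this PR's diff. The prover and verifier take `&mut Transcript`, the caller owns and composes the transcript, and the library appends its own domain string under the fixed `dom-sep` label. Everything here is an assumption for illustration: the `Transcript` type is a dependency-free stand-in that mirrors Merlin's `new`, `append_message` and `challenge_bytes` signatures but uses a toy ARX mixer instead of STROBE; the Schnorr-style proof over a small prime field, and the names `Proof`, `prove`, `verify`, `LIB_DOMAIN`, `composition_demo`, plus all labels, secrets and session bytes, are constructed and insecure.

```rust
/// Stand-in mirroring merlin::Transcript's `new`, `append_message` and
/// `challenge_bytes` signatures. Merlin runs on STROBE-128; this toy ARX mixer
/// exists only so the example compiles with no dependencies. Not for real use.
pub struct Transcript { state: [u64; 4] }

impl Transcript {
    pub fn new(label: &'static [u8]) -> Self {
        let mut t = Transcript { state: [0x243f_6a88_85a3_08d3, 0x1319_8a2e_0370_7344, 0xa409_3822_299f_31d0, 0x082e_fa98_ec4e_6c89] };
        t.append_message(b"dom-sep", label); // Merlin's constructor binds the label the same way
        t
    }
    pub fn append_message(&mut self, label: &'static [u8], message: &[u8]) {
        self.absorb(label); // length-prefix keeps (label, message) framing unambiguous
        self.absorb(&(message.len() as u64).to_le_bytes());
        self.absorb(message);
    }
    pub fn challenge_bytes(&mut self, label: &'static [u8], dest: &mut [u8]) {
        self.absorb(label);
        for byte in dest.iter_mut() { self.permute(); *byte = self.state[0] as u8; }
    }
    fn absorb(&mut self, bytes: &[u8]) {
        for &b in bytes { self.state[0] ^= u64::from(b); self.permute(); }
    }
    fn permute(&mut self) { // one ChaCha-style quarter round (bijective)
        let s = &mut self.state;
        s[0] = s[0].wrapping_add(s[1]); s[3] ^= s[0]; s[3] = s[3].rotate_left(32);
        s[2] = s[2].wrapping_add(s[3]); s[1] ^= s[2]; s[1] = s[1].rotate_left(24);
        s[0] = s[0].wrapping_add(s[1]); s[3] ^= s[0]; s[3] = s[3].rotate_left(16);
        s[2] = s[2].wrapping_add(s[3]); s[1] ^= s[2]; s[1] = s[1].rotate_left(63);
    }
}

// Toy group: integers mod a Mersenne prime, so u128 arithmetic suffices. Insecure.
const P: u64 = (1u64 << 61) - 1;
const G: u64 = 3;
const LIB_DOMAIN: &[u8] = b"toy-schnorr-v1"; // the library's own domain string (assumed)

pub struct Proof { pub commitment: u64, pub response: u64 }

fn mul_mod(a: u64, b: u64) -> u64 { ((a as u128 * b as u128) % (P as u128)) as u64 }

fn pow_mod(mut base: u64, mut exp: u64) -> u64 {
    let mut acc = 1u64;
    while exp > 0 {
        if exp & 1 == 1 { acc = mul_mod(acc, base); }
        base = mul_mod(base, base);
        exp >>= 1;
    }
    acc
}

// Fiat-Shamir challenge drawn from the caller's transcript, reduced into the exponent group.
fn challenge(t: &mut Transcript) -> u64 {
    let mut buf = [0u8; 8];
    t.challenge_bytes(b"challenge", &mut buf);
    u64::from_le_bytes(buf) % (P - 1)
}

/// Prover: the caller supplies the transcript; the library only appends to it.
pub fn prove(transcript: &mut Transcript, secret: u64, nonce: u64) -> Proof {
    transcript.append_message(b"dom-sep", LIB_DOMAIN); // fixed Merlin label, library-specific message
    let public = pow_mod(G, secret);
    let commitment = pow_mod(G, nonce);
    transcript.append_message(b"public", &public.to_le_bytes());
    transcript.append_message(b"commitment", &commitment.to_le_bytes());
    let c = challenge(transcript);
    let q = (P - 1) as u128; // response = nonce + c * secret  (mod P - 1)
    let response = ((nonce as u128 + (c as u128 * secret as u128) % q) % q) as u64;
    Proof { commitment, response }
}

/// Verifier: must replay exactly the same transcript steps as the prover.
pub fn verify(transcript: &mut Transcript, public: u64, proof: &Proof) -> bool {
    transcript.append_message(b"dom-sep", LIB_DOMAIN);
    transcript.append_message(b"public", &public.to_le_bytes());
    transcript.append_message(b"commitment", &proof.commitment.to_le_bytes());
    let c = challenge(transcript);
    pow_mod(G, proof.response) == mul_mod(proof.commitment, pow_mod(public, c)) // g^s == R * X^c
}

/// Composition: two proofs in one caller-owned transcript; a verifier whose
/// transcript omits the caller's session message derives a different challenge.
pub fn composition_demo() -> (bool, bool) {
    let (x1, x2) = (123_456_789u64, 987_654_321u64); // constructed secrets
    let (pk1, pk2) = (pow_mod(G, x1), pow_mod(G, x2));
    let session = b"constructed-session-id"; // constructed sample, not real data
    let mut pt = Transcript::new(b"caller-protocol");
    pt.append_message(b"session", session);
    let p1 = prove(&mut pt, x1, 111);
    let p2 = prove(&mut pt, x2, 222);
    let mut vt = Transcript::new(b"caller-protocol");
    vt.append_message(b"session", session);
    let ok = verify(&mut vt, pk1, &p1) & verify(&mut vt, pk2, &p2); // `&`: both run, transcript stays in sync
    let mut desynced = Transcript::new(b"caller-protocol"); // same label, no session message
    (ok, verify(&mut desynced, pk1, &p1))
}

fn main() {
    let (ok, rejected) = composition_demo();
    println!("composed proofs verify: {ok}; desynced transcript verifies: {rejected}");
}
```

The point of `composition_demo` is the ownership boundary the PR proposes: the library never constructs a transcript, so anything the caller binds before calling in (here a session identifier) automatically binds the challenge, and a verifier that does not replay it rejects. In real code the stand-in would be `merlin::Transcript`, and the non-short-circuiting `&` matters because a short-circuited second `verify` would leave the verifier's transcript one sub-protocol behind the prover's.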