feat!: use transcript composition #115
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
Note that this updated design likely makes it easier for callers who want to define overlying protocols and bind context to proofs. To do this, the caller instantiates the transcript (or adds domain separation to an existing transcript) with a protocol-specific label, and then appends one or more messages that establish the context binding in a protocol-defined way. This avoids the current design's |
AaronFeickert
force-pushed
the
transcript-composition
branch
from
0187152
to
f41e54a
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
The library uses Merlin transcripts internally for handling Fiat-Shamir operations. When generating and verifying a proof, the caller provides a label that is used to instantiate the transcript.
This is not particularly idiomatic, because it requires a
&'staticlifetime for the label, it does not follow Merlin's design recommendations, and it does not support transcript composition. Composition allows a single transcript to be used for multiple sub-protocols safely and flexibly.This PR makes a breaking change in two ways to support this.
First, it changes the public API to replace transcript labels with mutable references to Merlin transcripts. This means in particular that the caller is responsible for the transcript: it either instantiates a new transcript with a label of its choice, or passes along an existing transcript for composition.
Second, it changes how domain separation is applied to the transcript. The Merlin documentation requires the use of a fixed domain separation message label
dom-sep, and recommends its use in composition. The library currently uses a different design that, while safe if transcripts are strictly internal, could cause issues during composition.If it's desirable for existing proofs to verify, the domain separation change can be reverted, but the documentation should be modified to indicate this nonstandard behavior.
Closes #114.
BREAKING CHANGE: Changes the prover and verifier APIs to replace transcript labels with Merlin transcripts. Changes how domain separation is applied internally.