Make transcripts composable #114

Closed
AaronFeickert opened this issue Feb 12, 2024 · 0 comments · Fixed by #115

Comments

@AaronFeickert
Contributor

Merlin transcripts are designed to support composition, where transcripts passed as parameters can use domain separation for flexibility.

This library doesn't currently support composition, and keeps transcript operations completely internal. As a side effect, it makes the API more awkward, since labels must be `&'static` to force them to be defined in advance. A more idiomatic approach would be to pass existing mutable transcripts into the prover and verifier. Callers that don't need or want to expose transcript creation can handle this themselves.

hansieodendaal pushed a commit that referenced this issue Mar 5, 2024
The library uses [Merlin](https://merlin.cool/) transcripts internally
for handling Fiat-Shamir operations. When generating and verifying a
proof, the caller provides a label that is used to instantiate the
transcript.

This is not particularly idiomatic, because it requires a `&'static`
lifetime for the label, it does not follow Merlin's design
recommendations, and it does not support transcript composition.
Composition allows a single transcript to be used for multiple
sub-protocols safely and flexibly.

This PR makes a breaking change in two ways to support this.

First, it changes the public API to replace transcript labels with
mutable references to Merlin transcripts. This means in particular that
the caller is responsible for the transcript: it either instantiates a
new transcript with a label of its choice, or passes along an existing
transcript for composition.

Second, it changes how domain separation is applied to the transcript.
The Merlin
[documentation](https://merlin.cool/transcript/ops.html#initialization)
requires the use of a fixed domain separation message label `dom-sep`,
and recommends its use in composition. The library currently uses a
[different
design](https://github.com/tari-project/bulletproofs-plus/blob/da71f7872f02a0e9d3000c316bb083181daa9942/src/transcripts.rs#L72)
that, while safe if transcripts are strictly internal, could cause
issues during composition.

If it's desirable for existing proofs to verify, the domain separation
change can be reverted, but the documentation should be modified to
indicate this nonstandard behavior.

Closes #114.

BREAKING CHANGE: Changes the prover and verifier APIs to replace
transcript labels with Merlin transcripts. Changes how domain separation
is applied internally.
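
The API shape described above, as an added example that is not code from this library or from Merlin: a sub-protocol borrows the caller's transcript and applies `dom-sep` itself, so its challenge depends on whatever the caller already bound. `ToyTranscript` and the function names are hypothetical, and `DefaultHasher` is a non-cryptographic stand-in chosen only so the sketch runs with the standard library.

```rust
use std::collections::hash_map::DefaultHasher;
use std::hash::Hasher;

/// Toy stand-in for a Merlin transcript (assumption: NOT cryptographic).
pub struct ToyTranscript(DefaultHasher);

impl ToyTranscript {
    /// The caller chooses the application label and owns the transcript.
    pub fn new(label: &[u8]) -> Self {
        let mut t = ToyTranscript(DefaultHasher::new());
        t.append_message(b"dom-sep", label);
        t
    }
    /// Length-prefix label and message so field boundaries are unambiguous.
    pub fn append_message(&mut self, label: &[u8], message: &[u8]) {
        for part in [label, message] {
            self.0.write_u64(part.len() as u64);
            self.0.write(part);
        }
    }
    /// Derive a challenge from everything absorbed so far, then fold it back in.
    pub fn challenge(&mut self, label: &[u8]) -> u64 {
        self.append_message(b"challenge", label);
        let c = self.0.finish();
        self.0.write_u64(c);
        c
    }
}

/// Hypothetical sub-protocol: borrows the caller's transcript and separates
/// its own domain with the fixed `dom-sep` message label.
pub fn sub_protocol_challenge(t: &mut ToyTranscript, statement: &[u8]) -> u64 {
    t.append_message(b"dom-sep", b"toy sub-protocol");
    t.append_message(b"statement", statement);
    t.challenge(b"x")
}

/// Composition: the outer protocol binds its context, then passes the transcript on.
pub fn composed_challenge(context: &[u8], statement: &[u8]) -> u64 {
    let mut t = ToyTranscript::new(b"outer protocol");
    t.append_message(b"context", context);
    sub_protocol_challenge(&mut t, statement)
}

/// Stand-alone use: a fresh transcript created only for the sub-protocol.
pub fn standalone_challenge(statement: &[u8]) -> u64 {
    sub_protocol_challenge(&mut ToyTranscript::new(b"standalone"), statement)
}

fn main() {
    println!("{:016x}", composed_challenge(b"session-1", b"stmt"));
}
```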