# Struct merlin::TranscriptRngBuilder

```rust
pub struct TranscriptRngBuilder { /* fields omitted */ }
```

Constructs a TranscriptRng by rekeying the Transcript with prover secrets and an external RNG.

The prover uses a TranscriptRngBuilder to rekey with its witness data, before using an external RNG to finalize to a TranscriptRng. The resulting TranscriptRng will be a PRF of the entire public transcript, the prover's secret witness data, and randomness from the external RNG.

# Usage

To construct a TranscriptRng, a prover calls Transcript::build_rng() to clone the transcript state, then uses rekey_with_witness_bytes() to rekey the transcript with the prover's secrets, before finally calling finalize(). This rekeys the transcript with the output of an external rand_core::RngCore instance and returns a finalized TranscriptRng.

These methods are intended to be chained, passing from a borrowed Transcript to an owned TranscriptRng as follows:

```rust
transcript.append_message(b"public", public_data);

let mut rng = transcript
    .build_rng()
    .rekey_with_witness_bytes(b"witness1", witness_data)
    .rekey_with_witness_bytes(b"witness2", more_witness_data)
    .finalize(&mut rand_core::OsRng);
```

In this example, the final rng is a PRF of public_data (as well as all previous transcript state), of the prover's secret witness_data and more_witness_data, and finally of the output of the external RNG (here rand_core::OsRng). Note that because the TranscriptRng is produced only by finalize(), it's impossible to forget to rekey the transcript with external randomness.

# Note

Protocols that require randomness in multiple places (e.g., to choose blinding factors for a multi-round protocol) should create a fresh TranscriptRng each time they need randomness, rather than reusing a single instance. This ensures that the randomness in each round is bound to the latest transcript state, rather than just the state of the transcript when randomness was first required.
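The hedging described under Usage and the per-round advice in this Note, as an added example that is not part of the Merlin documentation or code base: a toy model in which std's SipHash-based DefaultHasher stands in for Merlin's STROBE-based transcript (a model only, not a secure PRF). ToyTranscript, ToyRngBuilder and blinding are hypothetical names, and external stands for 32 bytes drawn from the external RNG.

```rust
use std::collections::hash_map::DefaultHasher;
use std::hash::Hasher;

/// Toy transcript: a running SipHash state. A model only, NOT cryptographic
/// and not Merlin's STROBE-based construction.
#[derive(Clone)]
struct ToyTranscript { state: DefaultHasher }

impl ToyTranscript {
    fn new() -> Self { ToyTranscript { state: DefaultHasher::new() } }
    /// Absorb a length-framed (label, data) pair.
    fn append_message(&mut self, label: &[u8], data: &[u8]) {
        for part in [label, data] {
            self.state.write_u64(part.len() as u64);
            self.state.write(part);
        }
    }
    /// Like build_rng(): clone the state so the public transcript never absorbs secrets.
    fn build_rng(&self) -> ToyRngBuilder { ToyRngBuilder { t: self.clone() } }
}

struct ToyRngBuilder { t: ToyTranscript }

impl ToyRngBuilder {
    fn rekey_with_witness_bytes(mut self, label: &[u8], witness: &[u8]) -> Self {
        self.t.append_message(label, witness);
        self
    }
    /// The only way to obtain output, so external randomness is always mixed in.
    fn finalize(mut self, external: [u8; 32]) -> u64 {
        self.t.append_message(b"rng", &external);
        self.t.state.finish()
    }
}

/// One blinding value bound to the current transcript state (hypothetical helper).
fn blinding(t: &ToyTranscript, witness: &[u8], external: [u8; 32]) -> u64 {
    t.build_rng().rekey_with_witness_bytes(b"witness", witness).finalize(external)
}

fn main() {
    let stuck = [0u8; 32]; // constructed input: an external RNG that always returns zeros
    let mut t = ToyTranscript::new();
    t.append_message(b"public", b"statement");
    let round1 = blinding(&t, b"secret", stuck); // fresh builder for round 1
    t.append_message(b"challenge", b"c1"); // transcript advances between rounds
    let round2 = blinding(&t, b"secret", stuck); // fresh builder sees the new state
    println!("round1={:016x} round2={:016x} differ={}", round1, round2, round1 != round2);
}
```

Even with the external RNG stuck at zeros, the two rounds get different values because each fresh builder starts from the latest transcript state; a single instance created before the challenge was appended would not depend on that challenge.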

# Typed Witness Data

Like the Transcript, the TranscriptRngBuilder provides a minimal, byte-oriented API, and like the Transcript, this API can be extended to allow rekeying with protocol-specific types using an extension trait. See the Transcript Protocols section of the Merlin website for more details.

## Methods

### impl TranscriptRngBuilder

#### pub fn rekey_with_witness_bytes(self, label: &'static [u8], witness: &[u8]) -> TranscriptRngBuilder

Rekey the transcript using the provided witness data.

The label parameter is metadata about witness.

#### pub fn commit_witness_bytes(self, label: &'static [u8], witness: &[u8]) -> TranscriptRngBuilder

Deprecated since 1.1.0: renamed to rekey_with_witness_bytes for clarity.

Deprecated. This function was renamed to rekey_with_witness_bytes. The rename is intended to avoid any possible confusion between the transcript-level messages and protocol-level commitments.

#### pub fn finalize<R>(self, rng: &mut R) -> TranscriptRng where R: RngCore + CryptoRng

Use the supplied external rng to rekey the transcript, so that the finalized TranscriptRng is a PRF bound to randomness from the external RNG, as well as all other transcript data.

