Struct merlin::TranscriptRngBuilder

pub struct TranscriptRngBuilder { /* fields omitted */ }

Constructs a TranscriptRng by rekeying the Transcript with prover secrets and an external RNG.

The prover uses a TranscriptRngBuilder to rekey with its witness data, before using an external RNG to finalize to a TranscriptRng. The resulting TranscriptRng will be a PRF of the entire public transcript, the prover's secret witness data, and randomness from the external RNG.


To construct a TranscriptRng, a prover calls Transcript::build_rng() to clone the transcript state, then uses rekey_with_witness_bytes() to rekey the transcript with the prover's secrets, before finally calling finalize(). This rekeys the transcript with the output of an external rand_core::RngCore instance and returns a finalized TranscriptRng.

These methods are intended to be chained, passing from a borrowed Transcript to an owned TranscriptRng as follows:

use merlin::Transcript;

let mut transcript = Transcript::new(b"example protocol");
transcript.append_message(b"public", public_data);

// build_rng() clones the transcript state; the clone, not the transcript, is rekeyed.
let mut rng = transcript
    .build_rng()
    .rekey_with_witness_bytes(b"witness1", witness_data)
    .rekey_with_witness_bytes(b"witness2", more_witness_data)
    .finalize(&mut rand_core::OsRng);

In this example, the final rng is a PRF of public_data (as well as all previous transcript state), of the prover's secret witness_data and more_witness_data, and finally of the output of the external RNG (here rand_core::OsRng). Note that because a TranscriptRng can only be produced by finalize(), it's impossible to forget to rekey the transcript with external randomness.


Protocols that require randomness in multiple places (e.g., to choose blinding factors for a multi-round protocol) should create a fresh TranscriptRng each time they need randomness, rather than reusing a single instance. This ensures that the randomness in each round is bound to the latest transcript state, rather than just the state of the transcript when randomness was first required.

Typed Witness Data

Like the Transcript, the TranscriptRngBuilder provides a minimal, byte-oriented API, and like the Transcript, this API can be extended to allow rekeying with protocol-specific types using an extension trait. See the Transcript Protocols section of the Merlin website for more details.


impl TranscriptRngBuilder

pub fn rekey_with_witness_bytes(
    self,
    label: &'static [u8],
    witness: &[u8]
) -> TranscriptRngBuilder

Rekey the transcript using the provided witness data.

The label parameter is metadata about witness.

pub fn commit_witness_bytes(
    self,
    label: &'static [u8],
    witness: &[u8]
) -> TranscriptRngBuilder

Deprecated since 1.1.0: renamed to rekey_with_witness_bytes for clarity.

This function was renamed to rekey_with_witness_bytes to avoid any possible confusion between transcript-level messages and protocol-level commitments.

pub fn finalize<R>(self, rng: &mut R) -> TranscriptRng where
    R: RngCore + CryptoRng

Use the supplied external rng to rekey the transcript, so that the finalized TranscriptRng is a PRF bound to randomness from the external RNG as well as to all other transcript data. The R: RngCore + CryptoRng bound rejects non-cryptographic generators at the type level; the caller is still responsible for passing a generator seeded from the operating system (such as rand_core::OsRng) rather than a fixed or predictable one.

Auto Trait Implementations

impl RefUnwindSafe for TranscriptRngBuilder

impl Send for TranscriptRngBuilder

impl Sync for TranscriptRngBuilder

impl Unpin for TranscriptRngBuilder

impl UnwindSafe for TranscriptRngBuilder

Blanket Implementations

impl<T> Any for T where
    T: 'static + ?Sized

impl<T> Borrow<T> for T where
    T: ?Sized

impl<T> BorrowMut<T> for T where
    T: ?Sized

impl<T> From<T> for T

impl<T, U> Into<U> for T where
    U: From<T>, 

impl<T, U> TryFrom<U> for T where
    U: Into<T>, 

type Error = !

The type returned in the event of a conversion error.

impl<T, U> TryInto<U> for T where
    U: TryFrom<T>, 

type Error = <U as TryFrom<T>>::Error

The type returned in the event of a conversion error.