# [−][src]Macro zkp::define_proof

macro_rules! define_proof {
(
$proof_module_name:ident // Name of the module to create ,$proof_label_string:expr // A string literal, used as a domain separator
,
( $($secret_var:ident),+ ) // Secret variables, sep by commas
,
( $($instance_var:ident),* ) // Public instance variables, separated by commas
,
( $($common_var:ident),* ) // Public common variables, separated by commas
:
// List of statements to prove
// Format: LHS = ( ... RHS expr ... ),
$($lhs:ident = \$statement:tt),+
) => { ... };
}

Creates a module with code required to produce a non-interactive zero-knowledge proof statement, to serialize it to wire format, to parse from wire format, and to verify the proof or batch-verify multiple proofs.

The statement is specified in an embedded DSL resembling Camenisch-Stadler notation. For instance, a proof of knowledge of two equal discrete logarithms ("DLEQ") is specified as:

define_proof! {dleq, "DLEQ Proof", (x), (A, B, H), (G) : A = (x * G), B = (x * H) }

This creates a module dleq with code for proving knowledge of a secret x: Scalar such that A = x * G, B = x * H for per-proof public parameters A, B, H: RistrettoPoint and common parameters G: RistrettoPoint; the UTF-8 string "DLEQ Proof" is added to the transcript as a domain separator.

In general the syntax is

define_proof!{
module_name,   // all generated code for this statement goes here
"Proof Label", // a UTF-8 domain separator unique to the statement
(x,y,z,...),   // secret variable labels (preferably lower-case)
(A,B,C,...),   // public per-proof parameter labels (upper-case)
(G,H,...)      // public common parameter labels (upper-case)
:
LHS = (x * A + y * B + z * C + ... ),  // comma-separated statements
...
}

Statements have the form LHS = (A * x + B * y + C * z + ... ), where LHS is one of the points listed as a public parameter, and the right-hand side is a sum of public points multiplied by secret scalars.

Points which have the same assignment for all instances of the proof statement (for instance, a basepoint) should be specified as common public parameters, so that the generated implementation of batch verification is more efficient.

Proof creation is done in constant time. Proof verification uses variable-time code.