# [−][src]Macro zkp::define_proof

Creates a module with code required to produce a non-interactive zero-knowledge proof statement, to serialize it to wire format, to parse from wire format, and to verify the proof or batch-verify multiple proofs.

The statement is specified in an embedded DSL resembling Camenisch-Stadler notation. For instance, a proof of knowledge of two equal discrete logarithms ("DLEQ") is specified as:

define_proof! {dleq, "DLEQ Proof", (x), (A, B, H), (G) : A = (x * G), B = (x * H) }

This creates a module `dleq`

with code for proving knowledge of a
secret `x: Scalar`

such that `A = x * G`

, `B = x * H`

for
per-proof public parameters `A, B, H: RistrettoPoint`

and common
parameters `G: RistrettoPoint`

; the UTF-8 string `"DLEQ Proof"`

is
added to the transcript as a domain separator.

In general the syntax is

define_proof!{ module_name, // all generated code for this statement goes here "Proof Label", // a UTF-8 domain separator unique to the statement (x,y,z,...), // secret variable labels (preferably lower-case) (A,B,C,...), // public per-proof parameter labels (upper-case) (G,H,...) // public common parameter labels (upper-case) : LHS = (x * A + y * B + z * C + ... ), // comma-separated statements ... }

Statements have the form `LHS = (A * x + B * y + C * z + ... )`

,
where `LHS`

is one of the points listed as a public parameter, and
the right-hand side is a sum of public points multiplied by secret
scalars.

Points which have the same assignment for all instances of the proof statement (for instance, a basepoint) should be specified as common public parameters, so that the generated implementation of batch verification is more efficient.

Proof creation is done in constant time. Proof verification uses variable-time code.