Move TranscriptRng into RangeProofTranscript
AaronFeickert committed Jan 12, 2024
1 parent 6f1aab6 commit dc8c55f
Showing 2 changed files with 34 additions and 33 deletions.
31 changes: 15 additions & 16 deletions src/range_proof.rs
Expand Up @@ -278,7 +278,7 @@ where
}

// Start a new transcript and generate the transcript RNG
let (mut transcript, mut transcript_rng) = RangeProofTranscript::<P>::new(
let mut transcript = RangeProofTranscript::<P>::new(
transcript_label,
&statement.generators.h_base().compress(),
statement.generators.g_bases_compressed(),
Expand Down Expand Up @@ -322,7 +322,7 @@ where
nonce(&seed_nonce, "alpha", None, Some(k))?
} else {
// Zero is allowed by the protocol, but excluded by the implementation to be unambiguous
Scalar::random_not_zero(&mut transcript_rng)
Scalar::random_not_zero(transcript.as_mut_rng())
});
}
let a = statement.generators.precomp().vartime_mixed_multiscalar_mul(
Expand All @@ -332,7 +332,7 @@ where
);

// Update transcript, get challenges, and update RNG
let (y, z) = transcript.challenges_y_z(&mut transcript_rng, rng, &a.compress())?;
let (y, z) = transcript.challenges_y_z(rng, &a.compress())?;

let z_square = z * z;

Expand Down Expand Up @@ -418,7 +418,7 @@ where
// Zero is allowed by the protocol, but excluded by the implementation to be unambiguous
Zeroizing::new(
(0..extension_degree)
.map(|_| Scalar::random_not_zero(&mut transcript_rng))
.map(|_| Scalar::random_not_zero(transcript.as_mut_rng()))
.collect(),
)
};
Expand All @@ -432,7 +432,7 @@ where
// Zero is allowed by the protocol, but excluded by the implementation to be unambiguous
Zeroizing::new(
(0..extension_degree)
.map(|_| Scalar::random_not_zero(&mut transcript_rng))
.map(|_| Scalar::random_not_zero(transcript.as_mut_rng()))
.collect(),
)
};
Expand Down Expand Up @@ -466,7 +466,6 @@ where

// Update transcript, get challenge, and update RNG
let e = transcript.challenge_round_e(
&mut transcript_rng,
rng,
&li.last()
.ok_or(ProofError::InvalidLength("Bad inner product vector length".to_string()))?
Expand Down Expand Up @@ -511,8 +510,8 @@ where

// Random masks
// Zero is allowed by the protocol, but excluded by the implementation to be unambiguous
let r = Zeroizing::new(Scalar::random_not_zero(&mut transcript_rng));
let s = Zeroizing::new(Scalar::random_not_zero(&mut transcript_rng));
let r = Zeroizing::new(Scalar::random_not_zero(transcript.as_mut_rng()));
let s = Zeroizing::new(Scalar::random_not_zero(transcript.as_mut_rng()));
let d = if let Some(seed_nonce) = statement.seed_nonce {
Zeroizing::new(
(0..extension_degree)
Expand All @@ -523,7 +522,7 @@ where
// Zero is allowed by the protocol, but excluded by the implementation to be unambiguous
Zeroizing::new(
(0..extension_degree)
.map(|_| Scalar::random_not_zero(&mut transcript_rng))
.map(|_| Scalar::random_not_zero(transcript.as_mut_rng()))
.collect(),
)
};
Expand All @@ -537,7 +536,7 @@ where
// Zero is allowed by the protocol, but excluded by the implementation to be unambiguous
Zeroizing::new(
(0..extension_degree)
.map(|_| Scalar::random_not_zero(&mut transcript_rng))
.map(|_| Scalar::random_not_zero(transcript.as_mut_rng()))
.collect(),
)
};
Expand All @@ -553,7 +552,7 @@ where
}

// Update transcript, get challenge, and update RNG
let e = transcript.challenge_final_e(&mut transcript_rng, rng, &a1.compress(), &b.compress())?;
let e = transcript.challenge_final_e(rng, &a1.compress(), &b.compress())?;
let e_square = e * e;

let r1 = *r + a_li[0] * e;
Expand Down Expand Up @@ -825,7 +824,7 @@ where
}

// Start the transcript
let (mut transcript, mut transcript_rng) = RangeProofTranscript::new(
let mut transcript = RangeProofTranscript::new(
transcript_label,
&h_base_compressed,
g_bases_compressed,
Expand All @@ -838,17 +837,17 @@ where
)?;

// Reconstruct challenges
let (y, z) = transcript.challenges_y_z(&mut transcript_rng, rng, &proof.a)?;
let (y, z) = transcript.challenges_y_z(rng, &proof.a)?;
let challenges = proof
.li
.iter()
.zip(proof.ri.iter())
.map(|(l, r)| transcript.challenge_round_e(&mut transcript_rng, rng, l, r))
.map(|(l, r)| transcript.challenge_round_e(rng, l, r))
.collect::<Result<Vec<Scalar>, ProofError>>()?;
let e = transcript.challenge_final_e(&mut transcript_rng, rng, &proof.a1, &proof.b)?;
let e = transcript.challenge_final_e(rng, &proof.a1, &proof.b)?;

// Batch weight (may not be equal to a zero valued scalar) - this may not be zero ever
let weight = Scalar::random_not_zero(&mut transcript_rng);
let weight = Scalar::random_not_zero(transcript.as_mut_rng());

// Compute challenge inverses in a batch
let mut challenges_inv = challenges.clone();
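Review bot: The prover now spells out `Zeroizing::new((0..extension_degree).map(|_| Scalar::random_not_zero(transcript.as_mut_rng())).collect())` four times (the hunks starting at `@@ -418`, `@@ -432`, `@@ -523` and `@@ -537`), and the scalar-valued form a further four times; since the RNG is now owned by `RangeProofTranscript`, a helper on that type such as `pub(crate) fn random_not_zero_scalars(&mut self, count: usize) -> Vec<Scalar> { (0..count).map(|_| Scalar::random_not_zero(&mut self.rng)).collect() }` would remove the duplication and keep the raw `&mut TranscriptRng` from escaping the transcript at all. The comments `// Update transcript, get challenges, and update RNG` remain accurate after the change, since the RNG update now happens inside the challenge methods. Both enclosing functions (the prover and the verifier) start and end outside these hunks.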
36 changes: 19 additions & 17 deletions src/transcripts.rs
Expand Up @@ -43,6 +43,7 @@ where
{
transcript: Transcript,
bytes: Option<Zeroizing<Vec<u8>>>,
rng: TranscriptRng,
_phantom: PhantomData<P>,
}

Expand All @@ -65,7 +66,7 @@ where
statement: &RangeStatement<P>,
witness: Option<&RangeWitness>,
external_rng: &mut R,
) -> Result<(Self, TranscriptRng), ProofError> {
) -> Result<Self, ProofError> {
// Initialize the transcript with parameters and statement
let mut transcript = Transcript::new(label.as_bytes());
transcript.domain_separator(b"Bulletproofs+", b"Range Proof");
Expand Down Expand Up @@ -108,30 +109,27 @@ where
};

// Set up the RNG
let transcript_rng = Self::build_rng(&transcript, bytes.as_ref(), external_rng);

Ok((
Self {
transcript,
bytes,
_phantom: PhantomData,
},
transcript_rng,
))
let rng = Self::build_rng(&transcript, bytes.as_ref(), external_rng);

Ok(Self {
transcript,
bytes,
rng,
_phantom: PhantomData,
})
}

// Construct the `y` and `z` challenges and update the RNG
pub(crate) fn challenges_y_z<R: CryptoRngCore>(
&mut self,
transcript_rng: &mut TranscriptRng,
external_rng: &mut R,
a: &P::Compressed,
) -> Result<(Scalar, Scalar), ProofError> {
// Update the transcript
self.transcript.validate_and_append_point(b"A", a)?;

// Update the RNG
*transcript_rng = Self::build_rng(&self.transcript, self.bytes.as_ref(), external_rng);
self.rng = Self::build_rng(&self.transcript, self.bytes.as_ref(), external_rng);

// Return the challenges
Ok((
Expand All @@ -143,7 +141,6 @@ where
/// Construct an inner-product round `e` challenge and update the RNG
pub(crate) fn challenge_round_e<R: CryptoRngCore>(
&mut self,
transcript_rng: &mut TranscriptRng,
external_rng: &mut R,
l: &P::Compressed,
r: &P::Compressed,
Expand All @@ -153,7 +150,7 @@ where
self.transcript.validate_and_append_point(b"R", r)?;

// Update the RNG
*transcript_rng = Self::build_rng(&self.transcript, self.bytes.as_ref(), external_rng);
self.rng = Self::build_rng(&self.transcript, self.bytes.as_ref(), external_rng);

// Return the challenge
self.transcript.challenge_scalar(b"e")
Expand All @@ -162,7 +159,6 @@ where
/// Construct the final `e` challenge and update the RNG
pub(crate) fn challenge_final_e<R: CryptoRngCore>(
&mut self,
transcript_rng: &mut TranscriptRng,
external_rng: &mut R,
a1: &P::Compressed,
b: &P::Compressed,
Expand All @@ -172,7 +168,7 @@ where
self.transcript.validate_and_append_point(b"B", b)?;

// Update the RNG
*transcript_rng = Self::build_rng(&self.transcript, self.bytes.as_ref(), external_rng);
self.rng = Self::build_rng(&self.transcript, self.bytes.as_ref(), external_rng);

// Return the challenge
self.transcript.challenge_scalar(b"e")
Expand All @@ -196,4 +192,10 @@ where
transcript.build_rng().finalize(external_rng)
}
}

/// Get a mutable reference to the transcript RNG.
/// This is suitable for passing into functions that use it to generate random data.
pub(crate) fn as_mut_rng(&mut self) -> &mut TranscriptRng {
&mut self.rng
}
}
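Review bot: The new `rng: TranscriptRng` field in the first hunk carries no comment, yet its lifecycle is what a reader needs: it is built from the transcript, the optional witness bytes and the external RNG in `new`, and rebuilt after every appended point in `challenges_y_z`, `challenge_round_e` and `challenge_final_e`. Suggest `/// RNG bound to the current transcript state; rebuilt from the transcript, the witness bytes (if any) and the external RNG after each challenge.` Because the RNG state now lives inside the struct, a `Clone` derive on `RangeProofTranscript` would duplicate that state and two copies would draw identical nonces; the struct's attributes are above the hunk, so it is worth confirming the type is not `Clone` and noting that in the field comment. The struct definition and the `impl` block both begin outside the visible hunks.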
