Comments (7)
I think there's a slight complication.
The ideal flow would be that the dealer decides whether or not the proof shares are trusted (e.g., self-aggregation). If the shares are untrusted, the dealer should
- Return Ok(proof) if the aggregated proof verifies
- Otherwise, check each share for validity and return an Err with info about which shares were invalid.
The reason to do this is that verifying the aggregated proof is cheaper than verifying each share individually. However, the dealer can't just call .verify() since that code attempts to replay the proof and generate challenges, which requires having the starting transcript state, which the dealer already destroyed by running the protocol.
One option would be to save the transcript state at the beginning, then pass it to the verify call. Another would be to duplicate the verification logic inside of the dealer, to take account of the fact that the dealer still has all of the challenges at hand. The second option seems less nice.
from bulletproofs.
One option would be to save the transcript state at the beginning
Sounds right to me. Cloning a transcript is a pretty cheap operation and we already support that. (Although, we should probably add tests for that use case.)
from bulletproofs.
Another point: right now, the transcript state is maintained by the protocol orchestrator, and passed in as a parameter to each step of the dealer's work. The alternative would be for the dealer to hold on to the transcript reference until the protocol is complete.
The alternative seems like it might be better, since a) it's one less parameter and b) it would disallow any other code from touching the transcript state while the dealer is active. b) is kind of a fringe benefit, but right now, it's conceivably possible to write code that fed an extra message into the transcript between dealer steps, which would give an invalid proof (since the challenges would not replay).
from bulletproofs.
Maybe this would also be good to do for parameters like the GeneratorsView that's used at the very end? i.e., pass all of them into new, so that once the initial Dealer state is created, the only inputs needed to advance the state are the protocol messages.
@cathieyun WDYT?
from bulletproofs.
I do think it's better to have the transcript passed between the dealer states, instead of being passed in every time (the counterargument for that is that the rng is passed in every time... but that's different in that it doesn't matter if anyone touches the rng in between dealer states).
With regards to challenges - is it possible to (instead of cloning the transcript at the beginning) make a new transcript with the same initial string, and then use that for the verification?
from bulletproofs.
I think we can't make a new transcript except by cloning the initial one, since there's no way for the dealer code to know the customization string -- or even if the state was created by using a customization string, since the RP protocol could be composed into a larger protocol (in the same way that the IPP is composed into the RP protocol).
I'll patch up the dealer states to hold on to their arguments.
from bulletproofs.
makes sense - in that case, I think holding on to a clone of the initial transcript makes sense
from bulletproofs.
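The two design points settled in this thread (the dealer owns its transcript between steps, and keeps a clone of the initial transcript so it can replay the challenge when checking the aggregated proof and only fall back to per-share checks on failure) as an added, self-contained Rust example. This is not code from the bulletproofs crate: the Transcript type is a non-cryptographic stand-in for merlin's, the Party/Share/DealerAwaiting* names and the toy Schnorr-style share relation over integers mod a small prime are constructed for illustration, and the example goes beyond the thread by supplying a complete toy relation so the aggregate-then-per-share flow can actually run end to end.

```rust
// Added example, not bulletproofs code. Toy typestate dealer that owns its
// transcript (no other code can append between steps) and keeps a clone of
// the initial transcript to replay the challenge during verification.
use std::collections::hash_map::DefaultHasher;
use std::hash::{Hash, Hasher};

// Constructed toy group: integers mod prime P with generator G; exponents
// live mod Q = P - 1. Nothing here is a bulletproofs/ristretto parameter.
const P: u64 = 1_000_000_007;
const Q: u64 = P - 1;
const G: u64 = 5;

fn mulp(a: u64, b: u64) -> u64 { ((a as u128 * b as u128) % P as u128) as u64 }
fn mulq(a: u64, b: u64) -> u64 { ((a as u128 * b as u128) % Q as u128) as u64 }
fn pow(mut b: u64, mut e: u64) -> u64 {
    let mut r = 1;
    b %= P;
    while e > 0 {
        if e & 1 == 1 { r = mulp(r, b); }
        b = mulp(b, b);
        e >>= 1;
    }
    r
}

/// Stand-in for merlin::Transcript (assumed API shape). Built on DefaultHasher,
/// so NOT cryptographic; only the clone/ownership pattern matters here.
#[derive(Clone)]
pub struct Transcript { state: u64 }

impl Transcript {
    pub fn new(label: &[u8]) -> Self {
        let mut t = Transcript { state: 0 };
        t.append(b"dom-sep", label);
        t
    }
    pub fn append(&mut self, label: &[u8], msg: &[u8]) {
        let mut h = DefaultHasher::new();
        (self.state, label, msg).hash(&mut h);
        self.state = h.finish();
    }
    pub fn challenge(&mut self, label: &[u8]) -> u64 {
        self.append(b"challenge", label);
        self.state % Q
    }
}

/// One party's share: y = G^x, R = G^r, s = r + c*x. The same struct holds the
/// aggregated proof (product of y's, product of R's, sum of s's).
#[derive(Clone, Copy, Debug, PartialEq)]
pub struct Share { pub pubkey: u64, pub commitment: u64, pub response: u64 }

pub struct Party { secret: u64, nonce: u64 }
impl Party {
    pub fn new(secret: u64, nonce: u64) -> Self { Party { secret: secret % Q, nonce: nonce % Q } }
    pub fn commit(&self) -> (u64, u64) { (pow(G, self.secret), pow(G, self.nonce)) }
    pub fn respond(&self, c: u64) -> u64 { (self.nonce + mulq(c, self.secret)) % Q }
}

/// Verifier: absorb the aggregated commitments exactly as the dealer did,
/// re-derive c, and check G^s == R * Y^c. Needs the *initial* transcript.
pub fn verify(proof: &Share, mut transcript: Transcript) -> bool {
    transcript.append(b"Y", &proof.pubkey.to_le_bytes());
    transcript.append(b"R", &proof.commitment.to_le_bytes());
    let c = transcript.challenge(b"c");
    verify_share(proof, c)
}

pub fn verify_share(s: &Share, c: u64) -> bool {
    pow(G, s.response) == mulp(s.commitment, pow(s.pubkey, c))
}

/// First dealer state: owns the live transcript and a clone of the initial one.
pub struct DealerAwaitingCommitments { initial: Transcript, transcript: Transcript }

impl DealerAwaitingCommitments {
    pub fn new(transcript: Transcript) -> Self {
        Self { initial: transcript.clone(), transcript }
    }
    /// Absorb the aggregate of the parties' commitments, derive the shared challenge.
    pub fn receive_commitments(mut self, commits: &[(u64, u64)]) -> (DealerAwaitingResponses, u64) {
        let y = commits.iter().fold(1, |acc, &(y, _)| mulp(acc, y));
        let r = commits.iter().fold(1, |acc, &(_, r)| mulp(acc, r));
        self.transcript.append(b"Y", &y.to_le_bytes());
        self.transcript.append(b"R", &r.to_le_bytes());
        let c = self.transcript.challenge(b"c");
        (DealerAwaitingResponses { initial: self.initial, challenge: c, commits: commits.to_vec() }, c)
    }
}

pub struct DealerAwaitingResponses { initial: Transcript, challenge: u64, commits: Vec<(u64, u64)> }

impl DealerAwaitingResponses {
    /// Ok(aggregated proof) if the single cheap check passes; otherwise fall back
    /// to per-share checks using the challenge still at hand and report bad indices.
    pub fn receive_responses(self, responses: &[u64]) -> Result<Share, Vec<usize>> {
        let shares: Vec<Share> = self.commits.iter().zip(responses)
            .map(|(&(y, r), &s)| Share { pubkey: y, commitment: r, response: s }).collect();
        let proof = Share {
            pubkey: shares.iter().fold(1, |a, s| mulp(a, s.pubkey)),
            commitment: shares.iter().fold(1, |a, s| mulp(a, s.commitment)),
            response: shares.iter().fold(0, |a, s| (a + s.response) % Q),
        };
        if verify(&proof, self.initial) { return Ok(proof); }
        Err(shares.iter().enumerate().filter(|(_, s)| !verify_share(s, self.challenge)).map(|(i, _)| i).collect())
    }
}

/// Drives the whole protocol; `corrupt` makes one party send a bad response.
pub fn run(secrets: &[(u64, u64)], corrupt: Option<usize>) -> Result<Share, Vec<usize>> {
    let parties: Vec<Party> = secrets.iter().map(|&(x, r)| Party::new(x, r)).collect();
    let dealer = DealerAwaitingCommitments::new(Transcript::new(b"toy-aggregated-schnorr"));
    let commits: Vec<(u64, u64)> = parties.iter().map(Party::commit).collect();
    let (dealer, c) = dealer.receive_commitments(&commits);
    let mut responses: Vec<u64> = parties.iter().map(|p| p.respond(c)).collect();
    if let Some(i) = corrupt { responses[i] = (responses[i] + 1) % Q; }
    dealer.receive_responses(&responses)
}

fn main() {
    let secrets = [(11u64, 12345u64), (22, 6789), (33, 424242)];
    println!("honest: {:?}", run(&secrets, None));
    println!("party 1 cheats: {:?}", run(&secrets, Some(1)));
}
```

Because the dealer states take the transcript by value and only hand back the next state, nothing outside the dealer can append to it between `receive_commitments` and `receive_responses`; the clone kept in `initial` is what makes the aggregated `verify` call possible after the live transcript has been consumed, and the per-share fallback reuses the challenge the dealer already derived rather than duplicating the replay logic.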