Update Merlin to 1.1

Author: hdevalence

Cargo.toml

@@ -21,7 +21,7 @@ byteorder = "1"
 serde = "1"
 serde_derive = "1"
 failure = "0.1"
-merlin = "1"
+merlin = "1.1"
 clear_on_drop = "0.2"
 
 [dev-dependencies]

src/inner_product_proof.rs

@@ -107,8 +107,8 @@ impl InnerProductProof {
             L_vec.push(L);
             R_vec.push(R);
 
-            transcript.commit_point(b"L", &L);
-            transcript.commit_point(b"R", &R);
+            transcript.append_point(b"L", &L);
+            transcript.append_point(b"R", &R);
 
             let u = transcript.challenge_scalar(b"u");
             let u_inv = u.invert();
@@ -154,8 +154,8 @@ impl InnerProductProof {
             L_vec.push(L);
             R_vec.push(R);
 
-            transcript.commit_point(b"L", &L);
-            transcript.commit_point(b"R", &R);
+            transcript.append_point(b"L", &L);
+            transcript.append_point(b"R", &R);
 
             let u = transcript.challenge_scalar(b"u");
             let u_inv = u.invert();
@@ -205,8 +205,8 @@ impl InnerProductProof {
 
         let mut challenges = Vec::with_capacity(lg_n);
         for (L, R) in self.L_vec.iter().zip(self.R_vec.iter()) {
-            transcript.validate_and_commit_point(b"L", L)?;
-            transcript.validate_and_commit_point(b"R", R)?;
+            transcript.validate_and_append_point(b"L", L)?;
+            transcript.validate_and_append_point(b"R", R)?;
             challenges.push(transcript.challenge_scalar(b"u"));
         }
 

src/r1cs/prover.rs

@@ -204,7 +204,7 @@ impl<'a, 'b> Prover<'a, 'b> {
 
         // Add the commitment to the transcript.
         let V = self.cs.pc_gens.commit(v, v_blinding).compress();
-        self.cs.transcript.commit_point(b"V", &V);
+        self.cs.transcript.append_point(b"V", &V);
 
         (V, Variable::Committed(i))
     }
@@ -216,7 +216,7 @@ impl<'a, 'b> Prover<'a, 'b> {
         // We cannot do this in advance because user can commit variables one-by-one,
         // but this suffix provides safe disambiguation because each variable
         // is prefixed with a separate label.
-        self.cs.transcript.commit_u64(b"m", self.m);
+        self.cs.transcript.append_u64(b"m", self.m);
         self.cs
     }
 }
@@ -368,9 +368,9 @@ impl<'a, 'b> ProverCS<'a, 'b> {
         )
         .compress();
 
-        self.transcript.commit_point(b"A_I", &A_I);
-        self.transcript.commit_point(b"A_O", &A_O);
-        self.transcript.commit_point(b"S", &S);
+        self.transcript.append_point(b"A_I", &A_I);
+        self.transcript.append_point(b"A_O", &A_O);
+        self.transcript.append_point(b"S", &S);
 
         // 4. Compute blinded vector polynomials l(x) and r(x)
 
@@ -419,11 +419,11 @@ impl<'a, 'b> ProverCS<'a, 'b> {
         let T_5 = self.pc_gens.commit(t_poly.t5, t_5_blinding).compress();
         let T_6 = self.pc_gens.commit(t_poly.t6, t_6_blinding).compress();
 
-        self.transcript.commit_point(b"T_1", &T_1);
-        self.transcript.commit_point(b"T_3", &T_3);
-        self.transcript.commit_point(b"T_4", &T_4);
-        self.transcript.commit_point(b"T_5", &T_5);
-        self.transcript.commit_point(b"T_6", &T_6);
+        self.transcript.append_point(b"T_1", &T_1);
+        self.transcript.append_point(b"T_3", &T_3);
+        self.transcript.append_point(b"T_4", &T_4);
+        self.transcript.append_point(b"T_5", &T_5);
+        self.transcript.append_point(b"T_6", &T_6);
 
         let x = self.transcript.challenge_scalar(b"x");
 
@@ -460,10 +460,10 @@ impl<'a, 'b> ProverCS<'a, 'b> {
 
         let e_blinding = x * (i_blinding + x * (o_blinding + x * s_blinding));
 
-        self.transcript.commit_scalar(b"t_x", &t_x);
+        self.transcript.append_scalar(b"t_x", &t_x);
         self.transcript
-            .commit_scalar(b"t_x_blinding", &t_x_blinding);
-        self.transcript.commit_scalar(b"e_blinding", &e_blinding);
+            .append_scalar(b"t_x_blinding", &t_x_blinding);
+        self.transcript.append_scalar(b"e_blinding", &e_blinding);
 
         // Get a challenge value to combine statements for the IPP
         let w = self.transcript.challenge_scalar(b"w");

src/r1cs/verifier.rs

@@ -171,7 +171,7 @@ impl<'a, 'b> Verifier<'a, 'b> {
         self.cs.V.push(commitment);
 
         // Add the commitment to the transcript.
-        self.cs.transcript.commit_point(b"V", &commitment);
+        self.cs.transcript.append_point(b"V", &commitment);
 
         Variable::Committed(i)
     }
@@ -183,7 +183,7 @@ impl<'a, 'b> Verifier<'a, 'b> {
         // We cannot do this in advance because user can commit variables one-by-one,
         // but this suffix provides safe disambiguation because each variable
         // is prefixed with a separate label.
-        self.cs.transcript.commit_u64(b"m", self.m);
+        self.cs.transcript.append_u64(b"m", self.m);
         self.cs
     }
 }
@@ -261,26 +261,26 @@ impl<'a, 'b> VerifierCS<'a, 'b> {
         // We are performing a single-party circuit proof, so party index is 0.
         let gens = self.bp_gens.share(0);
 
-        self.transcript.commit_point(b"A_I", &proof.A_I);
-        self.transcript.commit_point(b"A_O", &proof.A_O);
-        self.transcript.commit_point(b"S", &proof.S);
+        self.transcript.append_point(b"A_I", &proof.A_I);
+        self.transcript.append_point(b"A_O", &proof.A_O);
+        self.transcript.append_point(b"S", &proof.S);
 
         let y = self.transcript.challenge_scalar(b"y");
         let z = self.transcript.challenge_scalar(b"z");
 
-        self.transcript.commit_point(b"T_1", &proof.T_1);
-        self.transcript.commit_point(b"T_3", &proof.T_3);
-        self.transcript.commit_point(b"T_4", &proof.T_4);
-        self.transcript.commit_point(b"T_5", &proof.T_5);
-        self.transcript.commit_point(b"T_6", &proof.T_6);
+        self.transcript.append_point(b"T_1", &proof.T_1);
+        self.transcript.append_point(b"T_3", &proof.T_3);
+        self.transcript.append_point(b"T_4", &proof.T_4);
+        self.transcript.append_point(b"T_5", &proof.T_5);
+        self.transcript.append_point(b"T_6", &proof.T_6);
 
         let x = self.transcript.challenge_scalar(b"x");
 
-        self.transcript.commit_scalar(b"t_x", &proof.t_x);
+        self.transcript.append_scalar(b"t_x", &proof.t_x);
         self.transcript
-            .commit_scalar(b"t_x_blinding", &proof.t_x_blinding);
+            .append_scalar(b"t_x_blinding", &proof.t_x_blinding);
         self.transcript
-            .commit_scalar(b"e_blinding", &proof.e_blinding);
+            .append_scalar(b"e_blinding", &proof.e_blinding);
 
         let w = self.transcript.challenge_scalar(b"w");
 

src/range_proof/dealer.rs

@@ -94,15 +94,15 @@ impl<'a, 'b> DealerAwaitingBitCommitments<'a, 'b> {
 
         // Commit each V_j individually
         for vc in bit_commitments.iter() {
-            self.transcript.commit_point(b"V", &vc.V_j);
+            self.transcript.append_point(b"V", &vc.V_j);
         }
 
         // Commit aggregated A_j, S_j
         let A: RistrettoPoint = bit_commitments.iter().map(|vc| vc.A_j).sum();
-        self.transcript.commit_point(b"A", &A.compress());
+        self.transcript.append_point(b"A", &A.compress());
 
         let S: RistrettoPoint = bit_commitments.iter().map(|vc| vc.S_j).sum();
-        self.transcript.commit_point(b"S", &S.compress());
+        self.transcript.append_point(b"S", &S.compress());
 
         let y = self.transcript.challenge_scalar(b"y");
         let z = self.transcript.challenge_scalar(b"z");
@@ -158,8 +158,8 @@ impl<'a, 'b> DealerAwaitingPolyCommitments<'a, 'b> {
         let T_1: RistrettoPoint = poly_commitments.iter().map(|pc| pc.T_1_j).sum();
         let T_2: RistrettoPoint = poly_commitments.iter().map(|pc| pc.T_2_j).sum();
 
-        self.transcript.commit_point(b"T_1", &T_1.compress());
-        self.transcript.commit_point(b"T_2", &T_2.compress());
+        self.transcript.append_point(b"T_1", &T_1.compress());
+        self.transcript.append_point(b"T_2", &T_2.compress());
 
         let x = self.transcript.challenge_scalar(b"x");
         let poly_challenge = PolyChallenge { x };
@@ -221,10 +221,10 @@ impl<'a, 'b> DealerAwaitingProofShares<'a, 'b> {
         let t_x_blinding: Scalar = proof_shares.iter().map(|ps| ps.t_x_blinding).sum();
         let e_blinding: Scalar = proof_shares.iter().map(|ps| ps.e_blinding).sum();
 
-        self.transcript.commit_scalar(b"t_x", &t_x);
+        self.transcript.append_scalar(b"t_x", &t_x);
         self.transcript
-            .commit_scalar(b"t_x_blinding", &t_x_blinding);
-        self.transcript.commit_scalar(b"e_blinding", &e_blinding);
+            .append_scalar(b"t_x_blinding", &t_x_blinding);
+        self.transcript.append_scalar(b"e_blinding", &e_blinding);
 
         // Get a challenge value to combine statements for the IPP
         let w = self.transcript.challenge_scalar(b"w");

src/range_proof/mod.rs

@@ -287,25 +287,25 @@ impl RangeProof {
         transcript.rangeproof_domain_sep(n as u64, m as u64);
 
         for V in value_commitments.iter() {
-            transcript.validate_and_commit_point(b"V", V)?;
+            transcript.validate_and_append_point(b"V", V)?;
         }
 
-        transcript.validate_and_commit_point(b"A", &self.A)?;
-        transcript.validate_and_commit_point(b"S", &self.S)?;
+        transcript.validate_and_append_point(b"A", &self.A)?;
+        transcript.validate_and_append_point(b"S", &self.S)?;
 
         let y = transcript.challenge_scalar(b"y");
         let z = transcript.challenge_scalar(b"z");
         let zz = z * z;
         let minus_z = -z;
 
-        transcript.validate_and_commit_point(b"T_1", &self.T_1)?;
-        transcript.validate_and_commit_point(b"T_2", &self.T_2)?;
+        transcript.validate_and_append_point(b"T_1", &self.T_1)?;
+        transcript.validate_and_append_point(b"T_2", &self.T_2)?;
 
         let x = transcript.challenge_scalar(b"x");
 
-        transcript.commit_scalar(b"t_x", &self.t_x);
-        transcript.commit_scalar(b"t_x_blinding", &self.t_x_blinding);
-        transcript.commit_scalar(b"e_blinding", &self.e_blinding);
+        transcript.append_scalar(b"t_x", &self.t_x);
+        transcript.append_scalar(b"t_x_blinding", &self.t_x_blinding);
+        transcript.append_scalar(b"e_blinding", &self.e_blinding);
 
         let w = transcript.challenge_scalar(b"w");
 

src/transcript.rs

@@ -1,34 +1,30 @@
 //! Defines a `TranscriptProtocol` trait for using a Merlin transcript.
 
-use byteorder::{ByteOrder, LittleEndian};
 use curve25519_dalek::ristretto::CompressedRistretto;
 use curve25519_dalek::scalar::Scalar;
 use merlin::Transcript;
 
 use errors::ProofError;
 
 pub trait TranscriptProtocol {
-    /// Commit a domain separator for an `n`-bit, `m`-party range proof.
+    /// Append a domain separator for an `n`-bit, `m`-party range proof.
     fn rangeproof_domain_sep(&mut self, n: u64, m: u64);
 
-    /// Commit a domain separator for a length-`n` inner product proof.
+    /// Append a domain separator for a length-`n` inner product proof.
     fn innerproduct_domain_sep(&mut self, n: u64);
 
-    /// Commit a domain separator for a constraint system.
+    /// Append a domain separator for a constraint system.
     fn r1cs_domain_sep(&mut self);
 
-    /// Commit a 64-bit integer.
-    fn commit_u64(&mut self, label: &'static [u8], n: u64);
+    /// Append a `scalar` with the given `label`.
+    fn append_scalar(&mut self, label: &'static [u8], scalar: &Scalar);
 
-    /// Commit a `scalar` with the given `label`.
-    fn commit_scalar(&mut self, label: &'static [u8], scalar: &Scalar);
+    /// Append a `point` with the given `label`.
+    fn append_point(&mut self, label: &'static [u8], point: &CompressedRistretto);
 
-    /// Commit a `point` with the given `label`.
-    fn commit_point(&mut self, label: &'static [u8], point: &CompressedRistretto);
-
-    /// Check that a point is not the identity, then commit it to the
+    /// Check that a point is not the identity, then append it to the
     /// transcript.  Otherwise, return an error.
-    fn validate_and_commit_point(
+    fn validate_and_append_point(
         &mut self,
         label: &'static [u8],
         point: &CompressedRistretto,
@@ -38,41 +34,31 @@ pub trait TranscriptProtocol {
     fn challenge_scalar(&mut self, label: &'static [u8]) -> Scalar;
 }
 
-fn le_u64(value: u64) -> [u8; 8] {
-    let mut value_bytes = [0u8; 8];
-    LittleEndian::write_u64(&mut value_bytes, value);
-    value_bytes
-}
-
 impl TranscriptProtocol for Transcript {
     fn rangeproof_domain_sep(&mut self, n: u64, m: u64) {
-        self.commit_bytes(b"dom-sep", b"rangeproof v1");
-        self.commit_bytes(b"n", &le_u64(n));
-        self.commit_bytes(b"m", &le_u64(m));
+        self.append_message(b"dom-sep", b"rangeproof v1");
+        self.append_u64(b"n", n);
+        self.append_u64(b"m", m);
     }
 
     fn innerproduct_domain_sep(&mut self, n: u64) {
-        self.commit_bytes(b"dom-sep", b"ipp v1");
-        self.commit_bytes(b"n", &le_u64(n));
+        self.append_message(b"dom-sep", b"ipp v1");
+        self.append_u64(b"n", n);
     }
 
     fn r1cs_domain_sep(&mut self) {
-        self.commit_bytes(b"dom-sep", b"r1cs v1");
-    }
-
-    fn commit_u64(&mut self, label: &'static [u8], n: u64) {
-        self.commit_bytes(label, &le_u64(n));
+        self.append_message(b"dom-sep", b"r1cs v1");
     }
 
-    fn commit_scalar(&mut self, label: &'static [u8], scalar: &Scalar) {
-        self.commit_bytes(label, scalar.as_bytes());
+    fn append_scalar(&mut self, label: &'static [u8], scalar: &Scalar) {
+        self.append_message(label, scalar.as_bytes());
     }
 
-    fn commit_point(&mut self, label: &'static [u8], point: &CompressedRistretto) {
-        self.commit_bytes(label, point.as_bytes());
+    fn append_point(&mut self, label: &'static [u8], point: &CompressedRistretto) {
+        self.append_message(label, point.as_bytes());
     }
 
-    fn validate_and_commit_point(
+    fn validate_and_append_point(
         &mut self,
         label: &'static [u8],
         point: &CompressedRistretto,
@@ -82,7 +68,7 @@ impl TranscriptProtocol for Transcript {
         if point.is_identity() {
             Err(ProofError::VerificationError)
         } else {
-            Ok(self.commit_bytes(label, point.as_bytes()))
+            Ok(self.append_message(label, point.as_bytes()))
         }
     }