Replacing the FiatShamirRng with Merlin? #5
Comments
At minimum some I think merlin has stayed rand_core 0.4 (rand 0.6) so doing this doubles the rand dependencies, although merlin's own rand dependencies could be upgraded. I do not understand all the code of course, but it appears marlin only uses I do think merlin's challenge methods could replace your own I believe strobe-rs removed all the
@hdevalence Thanks for bringing up this issue. Yes, currently I'm not too happy with our custom hand-written framework for generating FS randomness, but the reason we haven't switched away is that we want to write a R1CS gadget for the marlin verifier, and it's not clear to me how to write a constraint system with custom SNARK-friendly hashes for Merlin. Maybe if one could abstract away the changes behind a trait or something, it would be easier?
@burdges yes, I should minimize the dependency down to
Sure: #6 arkworks-rs/poly-commit#2 Afaik, anyone using merlin or strobe-rs uses an extension trait anyways, even when only doing trivial stuff: https://github.com/w3f/schnorrkel/blob/master/src/context.rs#L46 If you abstract enough for SNARK-friendly hashes then would you still use
@Pratyush Wanting to be able to write an R1CS gadget for the Marlin verifier is a good reason not to use Merlin, because Merlin is designed only for the "machine model" and isn't intended to be used in R1CS. It would be nice to have an R1CS-friendly Merlin-ish construction for exactly this kind of case but it doesn't exist as a drop-in right now, so it's not useful for this issue.
Currently Marlin includes its own `FiatShamirRng` which uses chacha20 and a generic `Digest` function (instantiated with, I think, `blake2s`). Would you be interested in a PR that replaces it with Merlin?

In contrast to the existing implementation, this provides more secure prover randomness generation, allows binding Marlin proofs to arbitrary structured application data rather than just a single domain separator string, or to transcripts of other proof protocols, and potentially makes the implementation slightly cleaner (although the `FiatShamirRng` API is already pretty reasonable). It also simplifies the (cryptographic) dependencies, as rather than relying on the security of both chacha20 and blake2s (or some other hash function), the security relies only on keccak-f/1600.

I would be happy to create a PR for this change but only if it's one that you'd actually want.