forked from Consensys/gnark
-
Notifications
You must be signed in to change notification settings - Fork 0
/
transcript.go
176 lines (138 loc) · 5.06 KB
/
transcript.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
/*
Copyright © 2020 ConsenSys
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package fiatshamir
import (
"errors"
"golang.org/x/exp/slices"
"github.com/consensys/gnark/frontend"
"github.com/consensys/gnark/std/hash"
"github.com/consensys/gnark/std/math/bits"
)
// errChallengeNotFound is returned when a wrong challenge name is provided.
var (
errChallengeNotFound = errors.New("challenge not recorded in the Transcript")
errChallengeAlreadyComputed = errors.New("challenge already computed, cannot be binded to other values")
errPreviousChallengeNotComputed = errors.New("the previous challenge is needed and has not been computed")
)
// Transcript handles the creation of challenges for Fiat Shamir.
type Transcript struct {
// hash function that is used.
h hash.FieldHasher
challenges map[string]challenge
previous *challenge
// gnark API
api frontend.API
config transcriptConfig
}
type challenge struct {
position int // position of the challenge in the transcript. order matters.
bindings []frontend.Variable // bindings stores the variables a challenge is binded to.
value frontend.Variable // value stores the computed challenge
isComputed bool
}
// NewTranscript returns a new transcript.
// h is the hash function that is used to compute the challenges.
// challenges are the name of the challenges. The order is important.
func NewTranscript(api frontend.API, h hash.FieldHasher, challengesID []string, opts ...TranscriptOption) *Transcript {
cfg := transcriptConfig{}
for _, opt := range opts {
opt(&cfg)
}
n := len(challengesID)
t := Transcript{
challenges: make(map[string]challenge, n),
api: api,
h: h,
config: cfg,
}
for i := 0; i < n; i++ {
t.challenges[challengesID[i]] = challenge{position: i}
}
return &t
}
// Bind binds the challenge to value. A challenge can be binded to an
// arbitrary number of values, but the order in which the binded values
// are added is important. Once a challenge is computed, it cannot be
// binded to other values.
func (t *Transcript) Bind(challengeID string, values []frontend.Variable) error {
challenge, ok := t.challenges[challengeID]
if !ok {
return errChallengeNotFound
}
if challenge.isComputed {
return errChallengeAlreadyComputed
}
challenge.bindings = append(challenge.bindings, values...)
t.challenges[challengeID] = challenge
return nil
}
// ComputeChallenge computes the challenge corresponding to the given name.
// The resulting variable is:
// - H(name ∥ previous_challenge ∥ binded_values...) if the challenge is not the first one
// - H(name ∥ binded_values... ) if it's is the first challenge
func (t *Transcript) ComputeChallenge(challengeID string) (frontend.Variable, error) {
challenge, ok := t.challenges[challengeID]
if !ok {
return nil, errChallengeNotFound
}
// if the challenge was already computed we return it
if challenge.isComputed {
return challenge.value, nil
}
t.h.Reset()
// write the challenge name, the purpose is to have a domain separator
challengeInput := []byte(challengeID)
if t.config.tryBitmode > 0 {
challengeBits := bits.ToBinary(t.api, challengeInput, bits.WithNbDigits(8*len(challengeInput)))
slices.Reverse(challengeBits)
t.h.Write(challengeBits...)
} else {
t.h.Write(challengeInput)
}
// write the previous challenge if it's not the first challenge
if challenge.position != 0 {
if t.previous == nil || (t.previous.position != challenge.position-1) {
return nil, errPreviousChallengeNotComputed
}
if t.config.tryBitmode > 0 {
prevBits := bits.ToBinary(t.api, t.previous.value, bits.WithNbDigits(t.config.tryBitmode))
slices.Reverse(prevBits)
t.h.Write(prevBits...)
} else {
t.h.Write(t.previous.value)
}
}
// write the binded values in the order they were added
t.h.Write(challenge.bindings...)
// compute the hash of the accumulated values
challenge.value = t.h.Sum()
challenge.isComputed = true
t.previous = &challenge
t.challenges[challengeID] = challenge
t.h.Reset()
return challenge.value, nil
}
type transcriptConfig struct {
tryBitmode int
}
// TranscriptOption allows modifying the [Transcript] operation.
type TranscriptOption func(tc *transcriptConfig)
// WithTryBitmode changes the [Transcript] to work on bits instead of field
// elements when writing input to the hasher. Requires that the hasher is also
// set to work in bitmode. This mode of operation is useful in cases where we
// work in mismatching fields and want to avoid overflows.
func WithTryBitmode(nbBits int) TranscriptOption {
return func(tc *transcriptConfig) {
tc.tryBitmode = nbBits
}
}