feat!: proof offloading #29
Conversation
AaronFeickert
force-pushed
the
offloading
branch
from
93cbf79
to
844a910
Compare
AaronFeickert
force-pushed
the
offloading
branch
from
53f7505
to
e5f21b3
Compare
AaronFeickert
changed the title
AaronFeickert
changed the title
| @@ -52,7 +52,7 @@ pub struct InnerProductRound<'a, P> { | |||
|
|
|||
| // Seed for mask recovery | |||
| round: usize, | |||
| seed_nonce: Option<Scalar>, | |||
| seed_nonce_helper: Option<Vec<u8>>, | |||
There was a problem hiding this comment.
wondering here, any reason why its not just a Option<[u8;32]>
Is there any cause here if nonce suddenly is only a single u8 because with a vec you can do that
There was a problem hiding this comment.
I switched from requiring the seed nonce be a Scalar to a more general Vec<u8> since there never was a cryptographic reason for the former, except to enforce some level of effective entropy.
| /// The signer receives the bit commitment message from the helper and produces the masked masks (yes, you read that | ||
| /// correctly) | ||
| #[allow(clippy::needless_pass_by_value)] // this ensures we consume the helper message | ||
| fn signer_mask_masks( |
There was a problem hiding this comment.
As far as I read the comments and have been following the code, this should run on the signer device?
If that's the case this wont work at all. All of the data inside of the state is too large to run on a ledger.
We have +- 26kb to work with, h_base + g_base is almost that alone.
The signer can only do like a simple single math commitment, hashes etc. Transcripts I doubt it can.
There was a problem hiding this comment.
Yes, this function runs on the signer. Keep in mind that the g_bases vector contains only the extended commitment generators, not the inner-product generators.
| let values = witness.openings.iter().map(|o| o.v).collect::<Vec<u64>>(); | ||
|
|
||
| // Prepare the signer bootstrap data | ||
| let signer_bootstrap = SignerBootstrapData { |
There was a problem hiding this comment.
Yeah, this will be too large for a ledger.
There was a problem hiding this comment.
See other comment about generators.
|
This design is no longer needed, since the changes described in a draft RFC mean that the helper can safely produce the entire range proof itself. Closing. |
A recent issue suggests a design for proof offloading. This PR implements it using a state machine design with a wrapper for existing proving functionality. Closes issue 27.
The linked design assumes that a signer (who knows commitment masks) and a helper (who only knows the commitment values and commitments) want to collaborate to produce a range proof. We implement their interaction using an informal state machine, where each state transition consumes input message data and a previous state, and generates output message data and a new state. This means that both the signer and helper need the capability to retain this state during the proof generation process.
Because the signer does not want the helper to be able to obtain the mask, we add an additional seed nonce. The signer uses one seed nonce during its operations, and the helper uses the other. During verification, a designated verifier who knows both seeds can extract the mask. To help make this work more cleanly, we move the seed nonces to their own separate
RangeSeedNonce, which is no longer part ofRangeStatement. This also seems more in line with the functioning of seed nonces, which aren't strictly part of the range statement for non-designated verifiers. We also change each of the seed nonces to be a byte vector, which is more generic.We keep the existing proving functionality, where the signer and helper are the same entity. This is accomplished by the use of a simple wrapper that executes the state machine transitions for the signer and helper itself, and keeps the code cleaner.
Note that the linked design has security implications relating to rewinding attacks. The state machine design is intended to help mitigate these, but any nontrivial implementations should carefully consider the implications of such attacks.
BREAKING CHANGE: Changes the prover and verifier APIs. Updates how seed nonces are used in mask recovery. Existing range proofs using seed nonces will fail to recover masks.