Documentation ¶
Index ¶
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type BitReader ¶
type BitReader struct {
// contains filtered or unexported fields
}
BitReader is a utility to read a slice of bytes bit by bit. It should be initialized via the NewBitReader method. Its main use-case is to help converting generate random field elements into a list of bounded integers as the list of random column to open in Vortex.
func NewBitReader ¶
NewBitReader constructs a BitReader based on an underlying array of bytes. The underlying parameter is expected to represent a sequence of field elements in big endian form.
The BitReader will internally represent the same integers in little endian and in reverse order. The reason for this transformation is that otherwise it makes it expensive to arithmetize the bit splitting as it requires a bit decomposition. In contrast, the little endian form allows using look-up table and doing direct limb-decomposition.
In the current version, the BitReader is only instantiated for a single field element and in this case, numBytes is set to field.Bytes - 1 (so 31). The reason is that the most significant byte cannot be assumed to contain enough entropy to properly instantiate a challenge.
numBits corresponds to the designated capacity of the reader: the total number of bits we should look for in it.
type GnarkFiatShamir ¶
type GnarkFiatShamir struct {
// contains filtered or unexported fields
}
GnarkFiatShamir mirrors State in a gnark circuit. It provides analogous methods for every of State's method and works over frontend.Variable instead of field.Element.
This implementation design eases the task of writing a gnark circuit version of the verifier of a protocol calling State as it allows having a very similar code for both tasks.
func NewGnarkFiatShamir ¶
func NewGnarkFiatShamir(api frontend.API, factory *gkrmimc.HasherFactory) *GnarkFiatShamir
NewGnarkFiatShamir creates a GnarkFiatShamir object. The function accepts an optional gkrmimc.HasherFactory object as input. This is expected to be used in the scope of a frontend.Define function.
func (*GnarkFiatShamir) RandomField ¶
func (fs *GnarkFiatShamir) RandomField() frontend.Variable
RandomField returns a single valued fiat-shamir hash
func (*GnarkFiatShamir) RandomManyIntegers ¶
func (fs *GnarkFiatShamir) RandomManyIntegers(num, upperBound int) []frontend.Variable
RandomManyIntegers returns a vector of variable that will contain small integers
func (*GnarkFiatShamir) Update ¶
func (fs *GnarkFiatShamir) Update(vec ...frontend.Variable)
Update updates the Fiat-Shamir state with a vector of frontend.Variable representing field element each.
func (*GnarkFiatShamir) UpdateVec ¶
func (fs *GnarkFiatShamir) UpdateVec(mat ...[]frontend.Variable)
UpdateVec updates the Fiat-Shamir state with a matrix of field element.
type State ¶
type State struct { TranscriptSize int NumCoinGenerated int // contains filtered or unexported fields }
State holds a Fiat-Shamir state. The Fiat-Shamir state can be updated by providing field elements and can be consumed to generate either field elements or sequences of small integers. The Fiat-Shamir instantiation relies on the MiMC hash function and uses the following strategy for generating random public coins:
- The messages are appended to the hasher as it is received by the Fiat- Shamir state, field element by field element
- When requested by the caller, the State can generates a field element by hashing the transcript. Recall that we are using a SNARK-friendly hash function and that its output should be interpreted as a field element.
- Everytime a field element has been generated, the hasher is updated by appending an artificial message: field.Element(0). This is to ensure that all generated field elements are independants.
To be safely used, the Fiat-Shamir State should initialized by passing an initial field element summarizing the protocol in its full-extent. This is to prevent rogue protocol attack as in the Frozen Heart vulnerability.
https://blog.trailofbits.com/2022/04/18/the-frozen-heart-vulnerability-in-plonk/
func NewMiMCFiatShamir ¶
func NewMiMCFiatShamir() *State
NewMiMCFiatShamir constructs a fresh and empty Fiat-Shamir state.
func (*State) RandomField ¶
RandomField generates and returns a single field element from the Fiat-Shamir transcript.
func (*State) RandomManyIntegers ¶
RandomManyIntegers returns a list of challenge small integers. That is, a list of positive integer bounded by `upperBound`. The upperBound is strict and is restricted to being only be a power of two.
The function will panic if the coin cannot be generated. We motivate this behaviour by the fact that if it happens, this will always be for "deterministic" reasons pertaining to the description of the user's protocol and never because of the values that are in the transcript itself.
The function is implemented by, first generating random field elements, and then breaking each of them down separately into several small integers. The "remainder" bits (nameely, the bits of the generated field element that we could not pack into a small integer) are thrown away.
If the caller provides num=0, the function no-ops after doing its sanity-checks although the call makes no possible sense.
func (*State) Update ¶
Update the Fiat-Shamir state with a one or more of field elements. The function as no-op if the caller supplies no field elements.
func (*State) UpdateSV ¶
func (fs *State) UpdateSV(sv smartvectors.SmartVector)
UpdateSV updates the FS state with a smart-vector. No-op if the smart-vector has a length of zero.