Struct bulletproofs::r1cs::prover::Prover

pub struct Prover<'t, 'g> {
    transcript: &'t mut Transcript,
    pc_gens: &'g PedersenGens,
    constraints: Vec<LinearCombination>,
    a_L: Vec<Scalar>,
    a_R: Vec<Scalar>,
    a_O: Vec<Scalar>,
    v: Vec<Scalar>,
    v_blinding: Vec<Scalar>,
    deferred_constraints: Vec<Box<dyn Fn(&mut RandomizingProver<'t, 'g>) -> Result<(), R1CSError>>>,
    pending_multiplier: Option<usize>,
}

A ConstraintSystem implementation for use by the prover.

The prover commits high-level variables and their blinding factors (v, v_blinding), allocates low-level variables and creates constraints in terms of these high-level variables and low-level variables.

When all constraints are added, the proving code calls prove which consumes the Prover instance, samples random challenges that instantiate the randomized constraints, and creates a complete proof.

Fields

transcript: &'t mut Transcript

pc_gens: &'g PedersenGens

constraints: Vec<LinearCombination>

The constraints accumulated so far.

a_L: Vec<Scalar>

Stores assignments to the "left" of multiplication gates

a_R: Vec<Scalar>

Stores assignments to the "right" of multiplication gates

a_O: Vec<Scalar>

Stores assignments to the "output" of multiplication gates

v: Vec<Scalar>

High-level witness data (value openings to V commitments)

v_blinding: Vec<Scalar>

High-level witness data (blinding openings to V commitments)

deferred_constraints: Vec<Box<dyn Fn(&mut RandomizingProver<'t, 'g>) -> Result<(), R1CSError>>>

This list holds closures that will be called in the second phase of the protocol, when non-randomized variables are committed.

pending_multiplier: Option<usize>

Index of a pending multiplier that's not fully assigned yet.

Methods

impl<'t, 'g> Prover<'t, 'g>

pub fn new(pc_gens: &'g PedersenGens, transcript: &'t mut Transcript) -> Self

Construct an empty constraint system with specified external input variables.

Inputs

The bp_gens and pc_gens are generators for Bulletproofs and for the Pedersen commitments, respectively. The BulletproofGens should have gens_capacity greater than the number of multiplication constraints that will eventually be added into the constraint system.

The transcript parameter is a Merlin proof transcript. The ProverCS holds onto the &mut Transcript until it consumes itself during [ProverCS::prove], releasing its borrow of the transcript. This ensures that the transcript cannot be altered except by the ProverCS before proving is complete.

Returns

Returns a new Prover instance.

pub fn commit(
    &mut self,
    v: Scalar,
    v_blinding: Scalar
) -> (CompressedRistretto, Variable)

Creates commitment to a high-level variable and adds it to the transcript.

Inputs

The v and v_blinding parameters are openings to the commitment to the external variable for the constraint system. Passing the opening (the value together with the blinding factor) makes it possible to reference pre-existing commitments in the constraint system. All external variables must be passed up-front, so that challenges produced by [ConstraintSystem::challenge_scalar] are bound to the external variables.

Returns

Returns a pair of a Pedersen commitment (as a compressed Ristretto point), and a Variable corresponding to it, which can be used to form constraints.

fn flattened_constraints(
    &mut self,
    z: &Scalar
) -> (Vec<Scalar>, Vec<Scalar>, Vec<Scalar>, Vec<Scalar>)

Use a challenge, z, to flatten the constraints in the constraint system into vectors used for proving and verification.

Output

Returns a tuple of

(wL, wR, wO, wV)

where w{L,R,O} is \( z \cdot z^Q \cdot W_{L,R,O} \).

fn eval(&self, lc: &LinearCombination) -> Scalar

fn create_randomized_constraints(self) -> Result<Self, R1CSError>

Calls all remembered callbacks with an API that allows generating challenge scalars.

pub fn prove(self, bp_gens: &BulletproofGens) -> Result<R1CSProof, R1CSError>

Consume this ConstraintSystem to produce a proof.

Trait Implementations

impl<'t, 'g> ConstraintSystem for Prover<'t, 'g>

fn transcript(&mut self) -> &mut Transcript

Leases the proof transcript to the user, so they can add extra data to which the proof must be bound, but which is not available before creation of the constraint system.

fn multiply(
    &mut self,
    left: LinearCombination,
    right: LinearCombination
) -> (Variable, Variable, Variable)

Allocate and constrain multiplication variables.

fn allocate(
    &mut self,
    assignment: Option<Scalar>
) -> Result<Variable, R1CSError>

Allocate a single variable.

fn allocate_multiplier(
    &mut self,
    input_assignments: Option<(Scalar, Scalar)>
) -> Result<(Variable, Variable, Variable), R1CSError>

Allocate variables left, right, and out with the implicit constraint that text left * right = out

fn constrain(&mut self, lc: LinearCombination)

Enforce the explicit constraint that text lc = 0

impl<'t, 'g> Drop for Prover<'t, 'g>

Overwrite secrets with null bytes when they go out of scope.

fn drop(&mut self)

Executes the destructor for this type.

impl<'t, 'g> RandomizableConstraintSystem for Prover<'t, 'g>

type RandomizedCS = RandomizingProver<'t, 'g>

Represents a concrete type for the CS in a randomization phase.

fn specify_randomized_constraints<F>(
    &mut self,
    callback: F
) -> Result<(), R1CSError> where
    F: 'static + Fn(&mut Self::RandomizedCS) -> Result<(), R1CSError>, 

Specify additional variables and constraints randomized using a challenge scalar bound to the assignments of the non-randomized variables.