Struct bulletproofs::r1cs::Verifier

pub struct Verifier<'t> {
    transcript: &'t mut Transcript,
    constraints: Vec<LinearCombination>,
    num_vars: usize,
    V: Vec<CompressedRistretto>,
    deferred_constraints: Vec<Box<dyn Fn(&mut RandomizingVerifier<'t>) -> Result<(), R1CSError>>>,
    pending_multiplier: Option<usize>,
}

A ConstraintSystem implementation for use by the verifier.

The verifier adds high-level variable commitments to the transcript, allocates low-level variables and creates constraints in terms of these high-level variables and low-level variables.

When all constraints are added, the verifying code calls verify which consumes the Verifier instance, samples random challenges that instantiate the randomized constraints, and verifies the proof.

Fields

transcript: &'t mut Transcript

constraints: Vec<LinearCombination>

num_vars: usize

Records the number of low-level variables allocated in the constraint system.

Because the VerifierCS only keeps the constraints themselves, it doesn't record the assignments (they're all Missing), so the num_vars isn't kept implicitly in the variable assignments.

V: Vec<CompressedRistretto>

deferred_constraints: Vec<Box<dyn Fn(&mut RandomizingVerifier<'t>) -> Result<(), R1CSError>>>

This list holds closures that will be called in the second phase of the protocol, when non-randomized variables are committed. After that, the option will flip to None and additional calls to randomize_constraints will invoke closures immediately.

pending_multiplier: Option<usize>

Index of a pending multiplier that's not fully assigned yet.

Methods

impl<'t> Verifier<'t>

pub fn new(transcript: &'t mut Transcript) -> Self

Construct an empty constraint system with specified external input variables.

Inputs

The transcript parameter is a Merlin proof transcript. The VerifierCS holds onto the &mut Transcript until it consumes itself during [VerifierCS::verify], releasing its borrow of the transcript. This ensures that the transcript cannot be altered except by the VerifierCS before proving is complete.

The commitments parameter is a list of Pedersen commitments to the external variables for the constraint system. All external variables must be passed up-front, so that challenges produced by [ConstraintSystem::challenge_scalar] are bound to the external variables.

Returns

Returns a tuple (cs, vars).

The first element is the newly constructed constraint system.

The second element is a list of Variables corresponding to the external inputs, which can be used to form constraints.

pub fn commit(&mut self, commitment: CompressedRistretto) -> Variable

Creates commitment to a high-level variable and adds it to the transcript.

Inputs

The commitment parameter is a Pedersen commitment to the external variable for the constraint system. All external variables must be passed up-front, so that challenges produced by [ConstraintSystem::challenge_scalar] are bound to the external variables.

Returns

Returns a pair of a Pedersen commitment (as a compressed Ristretto point), and a Variable corresponding to it, which can be used to form constraints.

fn flattened_constraints(
    &mut self,
    z: &Scalar
) -> (Vec<Scalar>, Vec<Scalar>, Vec<Scalar>, Vec<Scalar>, Scalar)

Use a challenge, z, to flatten the constraints in the constraint system into vectors used for proving and verification.

Output

Returns a tuple of

(wL, wR, wO, wV, wc)

where w{L,R,O} is \( z \cdot z^Q \cdot W_{L,R,O} \).

This has the same logic as ProverCS::flattened_constraints() but also computes the constant terms (which the prover skips because they're not needed to construct the proof).

fn create_randomized_constraints(self) -> Result<Self, R1CSError>

Calls all remembered callbacks with an API that allows generating challenge scalars.

pub fn verify(
    self,
    proof: &R1CSProof,
    pc_gens: &PedersenGens,
    bp_gens: &BulletproofGens
) -> Result<(), R1CSError>

Consume this VerifierCS and attempt to verify the supplied proof. The pc_gens and bp_gens are generators for Pedersen commitments and Bulletproofs vector commitments, respectively. The BulletproofGens should have gens_capacity greater than the number of multiplication constraints that will eventually be added into the constraint system.

Trait Implementations

impl<'t> ConstraintSystem for Verifier<'t>

fn transcript(&mut self) -> &mut Transcript

Leases the proof transcript to the user, so they can add extra data to which the proof must be bound, but which is not available before creation of the constraint system.

fn multiply(
    &mut self,
    left: LinearCombination,
    right: LinearCombination
) -> (Variable, Variable, Variable)

Allocate and constrain multiplication variables.

fn allocate(&mut self, _: Option<Scalar>) -> Result<Variable, R1CSError>

Allocate a single variable.

fn allocate_multiplier(
    &mut self,
    _: Option<(Scalar, Scalar)>
) -> Result<(Variable, Variable, Variable), R1CSError>

Allocate variables left, right, and out with the implicit constraint that text left * right = out

fn constrain(&mut self, lc: LinearCombination)

Enforce the explicit constraint that text lc = 0

impl<'t> RandomizableConstraintSystem for Verifier<'t>

type RandomizedCS = RandomizingVerifier<'t>

Represents a concrete type for the CS in a randomization phase.

fn specify_randomized_constraints<F>(
    &mut self,
    callback: F
) -> Result<(), R1CSError> where
    F: 'static + Fn(&mut Self::RandomizedCS) -> Result<(), R1CSError>, 

Specify additional variables and constraints randomized using a challenge scalar bound to the assignments of the non-randomized variables.