Macro zkp::define_proof
Creates a module with code required to produce a non-interactive zero-knowledge proof statement, to serialize it to wire format, to parse from wire format, and to verify the proof or batch-verify multiple proofs.
The statement is specified in an embedded DSL resembling Camenisch-Stadler notation. For instance, a proof of knowledge of two equal discrete logarithms ("DLEQ") is specified as:
define_proof! {dleq, "DLEQ Proof", (x), (A, B, H), (G) : A = (x * G), B = (x * H) }
This creates a module dleq with code for proving knowledge of a secret x: Scalar such that A = x * G, B = x * H for per-proof public parameters A, B, H: RistrettoPoint and common parameters G: RistrettoPoint; the UTF-8 string "DLEQ Proof" is added to the transcript as a domain separator.
In general the syntax is
define_proof!{
    module_name,   // all generated code for this statement goes here
    "Proof Label", // a UTF-8 domain separator unique to the statement
    (x,y,z,...),   // secret variable labels (preferably lower-case)
    (A,B,C,...),   // public per-proof parameter labels (upper-case)
    (G,H,...)      // public common parameter labels (upper-case)
    :
    LHS = (x * A + y * B + z * C + ... ), // comma-separated statements
    ...
}
Statements have the form LHS = (A * x + B * y + C * z + ... ), where LHS is one of the points listed as a public parameter, and the right-hand side is a sum of public points multiplied by secret scalars.
Points which have the same assignment for all instances of the proof statement (for instance, a basepoint) should be specified as common public parameters, so that the generated implementation of batch verification is more efficient.
Proof creation is done in constant time. Proof verification uses variable-time code.
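The Schnorr-style prove/verify flow behind the DLEQ statement above, with the domain separator bound into the Fiat-Shamir challenge. This is an added sketch, not code from the zkp crate or the module the macro generates. Assumptions: a small prime-order subgroup of integers mod P replaces Ristretto, FNV-1a replaces the transcript hash, the nonce k is passed in by the caller, and the names pow, challenge, prove and verify are illustrative.

```rust
// Toy model of the DLEQ statement A = x * G, B = x * H.
// ASSUMPTIONS: the order-Q subgroup of Z_P^* stands in for Ristretto, so
// "x * G" becomes G^x mod P, and FNV-1a stands in for the transcript hash.
// Neither is secure or constant-time; they only make the message flow visible.
const P: u64 = 2039; // safe prime, P = 2*Q + 1
const Q: u64 = 1019; // prime order of the subgroup of squares mod P
const G: u64 = 4; // common parameter (a square, so it has order Q)

fn pow(mut b: u64, mut e: u64) -> u64 {
    let mut r = 1;
    while e > 0 {
        if e & 1 == 1 { r = r * b % P; }
        b = b * b % P;
        e >>= 1;
    }
    r
}

// Fiat-Shamir challenge: the domain separator first, then every public value.
fn challenge(label: &str, vals: &[u64]) -> u64 {
    let mut acc: u64 = 0xcbf29ce484222325;
    for byte in label.bytes().chain(vals.iter().flat_map(|v| v.to_le_bytes())) {
        acc = (acc ^ byte as u64).wrapping_mul(0x100000001b3);
    }
    acc
}

// Prover: k must be a fresh, uniformly random nonce below Q for every proof.
fn prove(label: &str, x: u64, k: u64, a: u64, b: u64, h: u64) -> (u64, u64) {
    let c = challenge(label, &[a, b, h, G, pow(G, k), pow(h, k)]);
    (c, (k + (c % Q) * x) % Q) // compact proof: (challenge, response)
}

// Verifier: rebuild both commitments from (c, s), then recompute the challenge.
fn verify(label: &str, proof: (u64, u64), a: u64, b: u64, h: u64) -> bool {
    let (c, s) = proof;
    let neg_c = Q - c % Q; // exponent of the inverse, since elements have order Q
    let r1 = pow(G, s) * pow(a, neg_c) % P;
    let r2 = pow(h, s) * pow(b, neg_c) % P;
    s < Q && c == challenge(label, &[a, b, h, G, r1, r2])
}

fn main() {
    let (x, h) = (123, 9); // constructed sample witness and per-proof point H
    let (a, b) = (pow(G, x), pow(h, x));
    let proof = prove("DLEQ Proof", x, 777, a, b, h);
    println!("valid: {}", verify("DLEQ Proof", proof, a, b, h));
    println!("other label: {}", verify("Other Proof", proof, a, b, h));
}
```

A proof checked under a different label, against a different B, or with a modified response is rejected because the recomputed challenge no longer matches.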