
[Question] Why blinding vectors in range proof didn't use Transcript::build_rng() #332

Open
alxiong opened this issue Aug 26, 2020 · 1 comment


alxiong commented Aug 26, 2020

In the range proof there are blinding vectors S_L and S_R, which will be committed to in S (snippet),

and I'm wondering why the randomized blinding factors didn't come from Transcript::build_rng(). I thought the purpose of that RNG is to protect users from using a bad RNG or one with poor entropy (according to the Merlin docs),

so I'm quite surprised that only in R1CS/yoloproof was the "transcript-based synthetic randomness" used, but not in the range proof.

Thanks for clarification in advance!

@oleganza
Collaborator

As far as I understand, the current multi-party API makes it awkward to simply extrude RNG out of the main transcript: the transcript is owned by the Dealer, while blinding factors are generated in the Party.

If the goal is to mix the externally-provided blinding factors with the system RNG, then each Party may instantiate an auxiliary instance, throw in the externally provided blinding factors, then extrude an RNG and keep it around through all the subsequent states.

WDYT @cathieyun @hdevalence?
