| Name | Date | Size | #Lines | LOC |
|---|---|---|---|---|
| .. | 03-May-2022 | - | | |
| .github/workflows/ | 03-May-2022 | - | 66 | 62 |
| src/ | 03-May-2022 | - | 815 | 476 |
| .cargo-checksum.json | 03-May-2022 | 89 | 1 | 1 |
| .cargo_vcs_info.json | 01-Jan-1970 | 74 | 6 | 5 |
| CHANGELOG.md | 01-Jan-1970 | 1.4 KiB | 67 | 39 |
| Cargo.toml | 01-Jan-1970 | 1.7 KiB | 65 | 56 |
| Cargo.toml.orig-cargo | 01-Jan-1970 | 1.3 KiB | 41 | 36 |
| README.md | 01-Jan-1970 | 2.8 KiB | 73 | 54 |
README.md

<img
 width="33%"
 align="right"
 src="https://merlin.cool/merlin.png"/>

## Merlin: composable proof transcripts for public-coin arguments of knowledge

[Merlin][merlin_cool] is a [STROBE][strobe]-based transcript
construction for zero-knowledge proofs. It automates the Fiat-Shamir
transform, so that by using Merlin, non-interactive protocols can be
implemented as if they were interactive.

This is significantly easier and less error-prone than performing the
transformation by hand, and in addition, it also provides natural
support for:

* multi-round protocols with alternating commit and challenge phases;

* natural domain separation, ensuring challenges are bound to the
  statements to be proved;

* automatic message framing, preventing ambiguous encoding of
  commitment data;

* and protocol composition, by using a common transcript for multiple
  protocols.

Finally, Merlin also provides a transcript-based random number
generator as defense-in-depth against bad-entropy attacks (such as
nonce reuse, or bias over many proofs). This RNG provides synthetic
randomness derived from the entire public transcript, as well as the
prover's witness data, and an auxiliary input from an external RNG.

More details on the design of Merlin and how to use it for proof
systems can be found on the [Merlin website][merlin_cool].

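The ambiguity that message framing and domain separation remove, shown as an added example that is not part of the Merlin README or crate. It uses a simplified length-prefixed framing rather than Merlin's STROBE-based encoding; the function names and the `example-proof v1` label are assumptions.

```rust
// Added illustration: simplified framing, NOT Merlin's STROBE-based encoding.
// All function names and the sample protocol label are hypothetical.

/// Append `data` preceded by its length as a little-endian u32.
fn push_framed(out: &mut Vec<u8>, data: &[u8]) {
    assert!(data.len() <= u32::MAX as usize, "field too long to frame");
    out.extend_from_slice(&(data.len() as u32).to_le_bytes());
    out.extend_from_slice(data);
}

/// Hand-rolled challenge input: two commitments concatenated, no labels or lengths.
pub fn naive_input(a: &[u8], b: &[u8]) -> Vec<u8> {
    [a, b].concat()
}

/// Framed challenge input: domain separator, then labelled, length-prefixed fields.
pub fn framed_input(a: &[u8], b: &[u8]) -> Vec<u8> {
    let mut out = Vec::new();
    push_framed(&mut out, b"example-proof v1"); // domain separator
    push_framed(&mut out, b"A");
    push_framed(&mut out, a);
    push_framed(&mut out, b"B");
    push_framed(&mut out, b);
    out
}

/// Split framed bytes back into chunks; `None` if the input is truncated.
/// The existence of this inverse is what makes the encoding unambiguous.
pub fn decode(mut buf: &[u8]) -> Option<Vec<Vec<u8>>> {
    let mut chunks = Vec::new();
    while !buf.is_empty() {
        if buf.len() < 4 { return None; }
        let len = u32::from_le_bytes([buf[0], buf[1], buf[2], buf[3]]) as usize;
        if buf.len() - 4 < len { return None; }
        chunks.push(buf[4..4 + len].to_vec());
        buf = &buf[4 + len..];
    }
    Some(chunks)
}

fn main() {
    // Constructed commitments: (A, B) = (01 02, 03) versus (01, 02 03).
    let (x, y) = ((&b"\x01\x02"[..], &b"\x03"[..]), (&b"\x01"[..], &b"\x02\x03"[..]));
    println!("naive collide:  {}", naive_input(x.0, x.1) == naive_input(y.0, y.1));
    println!("framed collide: {}", framed_input(x.0, x.1) == framed_input(y.0, y.1));
    println!("{:?}", decode(&framed_input(x.0, x.1)));
}
```

With unframed concatenation, both statements feed identical bytes to the challenge hash, so a proof for one would carry the same challenge as the other; the framed inputs differ and parse back to exactly one sequence of fields.
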
## Features

The `nightly` feature is passed to `clear_on_drop`; it may be replaced
with a no-op in the future (since `clear_on_drop` is an implementation
detail).

The `debug-transcript` feature prints an annotated proof transcript to
`stdout`; it is only suitable for development and testing purposes,
should not be used in released crates, and should not be considered stable.

An example of an annotated transcript for a Bulletproof rangeproof can
be [found here][bp_transcript].

## About

Merlin is authored by Henry de Valence, with design input from Isis
Lovecruft and Oleg Andreev.  The construction grew out of work with Oleg
Andreev and Cathie Yun on a [Bulletproofs implementation][bp].
Thanks also to Trevor Perrin and Mike
Hamburg for helpful discussions.  Merlin is named in reference to
[Arthur-Merlin protocols][am_wiki] which introduced the notion of
public coin arguments.

The header image was created by Oleg Andreev as a composite of Arthur Pyle's
[The Enchanter Merlin][merlin_pyle] and the Keccak Team's [θ-step
diagram][keccak_theta].

This project is licensed under the MIT license.

[merlin_cool]: https://merlin.cool
[bp]: https://doc.dalek.rs/bulletproofs/
[strobe]: https://strobe.sourceforge.io/
[am_wiki]: https://en.wikipedia.org/wiki/Arthur%E2%80%93Merlin_protocol
[merlin_pyle]: https://commons.wikimedia.org/wiki/File:Arthur-Pyle_The_Enchanter_Merlin.JPG
[keccak_theta]: https://keccak.team/figures.html
[bp_transcript]: https://gist.github.com/hdevalence/9db3997cc275597eeae1ec2461b8e2a1