Merlin provides a specified way to use STROBE. STROBE is a protocol framework intended for constructing online transport protocols. Merlin is aimed at a different use-case, zero-knowledge proofs, so it uses only a subset of STROBE. This means that a Merlin implementation can either use a STROBE implementation as a library, or implement the required subset of STROBE operations directly. See the STROBE specification for more details on STROBE operations.
A Merlin transcript is a typed wrapper around a STROBE object, instantiated using Keccak-f/1600 at the 128-bit security level.
Merlin transcripts are initialized with a single parameter, `app_label`, a byte string which represents an application-specific domain separator. See the Passing Transcripts section for more details on usage.
To construct a Merlin transcript, first construct a STROBE-128 object with the 11-byte label `b"Merlin v1.0"`. Next, append the message `app_label` with label `b"dom-sep"`, as described in the following section. Finally, return the transcript.
Merlin messages are byte strings up to 4GB long. Very long messages are allowed but discouraged; consider prehashing long messages and appending the hash as a message.
Messages are labeled by a byte string. See Transcript
Protocols for more information about message
To append a message `message` with label `label`, perform the STROBE operation

```
AD[label || LE32(message.len())](message);
```

where `LE32(x)` is the 4-byte, little-endian encoding of the 32-bit integer `x`, and `OP[meta](data)` is defined on page 9 of the STROBE paper. Because Merlin does not have a transport concept, the metadata is encoded using
To extract a sequence of challenge bytes labeled by `label` into `dest`, perform the STROBE operation

```
dest <- PRF[label || LE32(dest.len())]();
```

where `LE32` is defined as before.
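The construction, append and challenge operations above, written out as an added Python example (not code from the Merlin project). The STROBE-128 internals (rate 166, flag bits, the `STROBEv1.0.2` initialization string) are taken from the STROBE specification, not from this page. Absorbing the `label || LE32(len)` metadata with STROBE's meta-AD operation is an assumption, as are the names `Transcript`, `append_message` and `challenge_bytes`.

```python
R, I, A, C, M = 166, 1, 2, 4, 16  # assumed from the STROBE spec: rate and flag bits

def keccak_f1600(st):  # Keccak-f[1600] over a 200-byte state, compact reference form
    rol = lambda v, n: ((v << n) | (v >> (64 - n))) & (2**64 - 1)
    a = [[int.from_bytes(st[8*(x + 5*y):8*(x + 5*y) + 8], "little") for y in range(5)] for x in range(5)]
    lfsr = 1
    for _ in range(24):
        c = [a[x][0] ^ a[x][1] ^ a[x][2] ^ a[x][3] ^ a[x][4] for x in range(5)]
        a = [[a[x][y] ^ c[(x + 4) % 5] ^ rol(c[(x + 1) % 5], 1) for y in range(5)] for x in range(5)]  # theta
        x, y, cur = 1, 0, a[1][0]
        for t in range(24):  # rho and pi
            x, y = y, (2*x + 3*y) % 5
            cur, a[x][y] = a[x][y], rol(cur, (t + 1)*(t + 2)//2 % 64)
        a = [[a[x][y] ^ (~a[(x + 1) % 5][y] & a[(x + 2) % 5][y]) for y in range(5)] for x in range(5)]  # chi
        for j in range(7):  # iota: round-constant bits come from an LFSR
            lfsr = ((lfsr << 1) ^ ((lfsr >> 7) * 0x71)) % 256
            a[0][0] ^= (lfsr >> 1 & 1) << ((1 << j) - 1)
    return bytearray(b"".join(a[x][y].to_bytes(8, "little") for y in range(5) for x in range(5)))

class Transcript:
    def __init__(self, app_label):
        st = bytearray([1, R + 2, 1, 0, 1, 96]) + b"STROBEv1.0.2" + bytes(182)
        self.st, self.pos, self.begin = keccak_f1600(st), 0, 0
        self._op(M | A, b"Merlin v1.0")            # STROBE-128 object with the 11-byte label
        self.append_message(b"dom-sep", app_label)  # domain separator is an ordinary message
    def _run_f(self):                               # pad the current block, then permute
        for i, v in ((self.pos, self.begin), (self.pos + 1, 0x04), (R + 1, 0x80)):
            self.st[i] ^= v
        self.st, self.pos, self.begin = keccak_f1600(self.st), 0, 0
    def _duplex(self, data, squeeze=False):         # absorb data, or squeeze len(data) bytes
        out = bytearray()
        for b in data:
            out.append(self.st[self.pos])
            self.st[self.pos] = 0 if squeeze else self.st[self.pos] ^ b
            self.pos += 1
            if self.pos == R:
                self._run_f()
        return bytes(out) if squeeze else None      # state bytes are released only by PRF
    def _op(self, flags, data):                     # begin a STROBE operation, then run it
        old, self.begin = self.begin, self.pos + 1
        self._duplex(bytes([old, flags]))
        if flags & C and self.pos:                  # cipher-type operations force a permutation
            self._run_f()
        return self._duplex(data, flags == (I | A | C))
    def append_message(self, label, message):       # AD[label || LE32(message.len())](message)
        self._op(M | A, label + len(message).to_bytes(4, "little"))  # assumed meta-AD framing
        self._op(A, message)
    def challenge_bytes(self, label, n):            # dest <- PRF[label || LE32(dest.len())]()
        self._op(M | A, label + n.to_bytes(4, "little"))
        return self._op(I | A | C, bytes(n))
```

Because `LE32(dest.len())` is part of the metadata, a 32-byte challenge is not a prefix of a 64-byte challenge drawn at the same point in the transcript, and `to_bytes(4, ...)` rejects any length that does not fit in 32 bits.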