dalek-cryptography / bulletproofs

A pure-Rust implementation of Bulletproofs using Ristretto.
MIT License
1.02k stars 218 forks

r1cs: accept ownable transcript #313

Closed oleganza closed 4 years ago

oleganza commented 4 years ago

This changes the Prover/Verifier API as follows:

  1. Instead of holding &mut Transcript, Prover/Verifier accepts BorrowMut<Transcript>. This means Transcript can be passed in not only as a mutable reference, but also moved in and owned by the constraint system.
  2. Verifier::verify and Prover::prove have new variants _and_return_transcript() that return the transcript back to the user. So if the user moved the transcript into CS, they can get it back and continue working with it.
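The following is an added example illustrating the ownership pattern the two points above describe; it is not code from the bulletproofs crate. The Transcript, Prover, constrain and challenge_u64 types and functions are stand-ins constructed here (the toy "challenge" is a checksum, not a cryptographic hash) so the example runs without merlin or bulletproofs. What it shows is the generic BorrowMut<Transcript> holder accepting either an owned Transcript or a &mut Transcript, and the _and_return_transcript variant handing the transcript back so the caller can keep appending to it after the proof is produced.

```rust
use std::borrow::BorrowMut;

/// Stand-in for merlin::Transcript (constructed for this example only):
/// records labelled messages and derives a toy "challenge" from them.
#[derive(Debug, Default, Clone, PartialEq)]
pub struct Transcript {
    log: Vec<u8>,
}

impl Transcript {
    pub fn new(label: &[u8]) -> Self {
        let mut t = Transcript::default();
        t.append_message(b"dom-sep", label);
        t
    }

    pub fn append_message(&mut self, label: &[u8], msg: &[u8]) {
        self.log.extend_from_slice(label);
        self.log.push(b':');
        self.log.extend_from_slice(msg);
        self.log.push(b'\n');
    }

    /// Toy challenge: FNV-1a over everything appended so far. This is NOT a
    /// secure Fiat-Shamir challenge; it only makes the dependence on the
    /// full transcript history observable in the test.
    pub fn challenge_u64(&mut self, label: &[u8]) -> u64 {
        self.append_message(b"challenge", label);
        self.log
            .iter()
            .fold(0xcbf29ce484222325u64, |h, &b| (h ^ b as u64).wrapping_mul(0x100000001b3))
    }
}

/// Hypothetical constraint-system prover, generic over how it holds its
/// transcript: T may be `Transcript` (owned) or `&mut Transcript` (borrowed).
pub struct Prover<T: BorrowMut<Transcript>> {
    transcript: T,
    constraints: Vec<u64>,
}

impl<T: BorrowMut<Transcript>> Prover<T> {
    pub fn new(mut transcript: T) -> Self {
        transcript.borrow_mut().append_message(b"dom-sep", b"r1cs");
        Prover { transcript, constraints: Vec::new() }
    }

    /// Every constraint is committed into the transcript as it is added.
    pub fn constrain(&mut self, c: u64) {
        self.constraints.push(c);
        self.transcript.borrow_mut().append_message(b"constraint", &c.to_le_bytes());
    }

    pub fn num_constraints(&self) -> usize {
        self.constraints.len()
    }

    /// Stand-in for `prove`: consumes the prover and drops the transcript holder.
    pub fn prove(self) -> u64 {
        self.prove_and_return_transcript().0
    }

    /// The variant the PR adds: the transcript holder is returned to the caller,
    /// so an owned transcript can be used further after proving.
    pub fn prove_and_return_transcript(mut self) -> (u64, T) {
        let proof = self.transcript.borrow_mut().challenge_u64(b"proof");
        (proof, self.transcript)
    }
}

/// Owned usage: the transcript is moved into the prover and handed back.
pub fn prove_owned() -> (u64, Transcript) {
    let mut prover = Prover::new(Transcript::new(b"example"));
    prover.constrain(1);
    prover.constrain(2);
    assert_eq!(prover.num_constraints(), 2);
    prover.prove_and_return_transcript()
}

/// Borrowed usage, as the pre-PR `&mut Transcript` API allowed.
pub fn prove_borrowed(transcript: &mut Transcript) -> u64 {
    let mut prover = Prover::new(transcript);
    prover.constrain(1);
    prover.constrain(2);
    prover.prove()
}

fn main() {
    let (proof, transcript) = prove_owned();
    let mut t2 = Transcript::new(b"example");
    let proof2 = prove_borrowed(&mut t2);
    println!("owned proof {proof:#x}, borrowed proof {proof2:#x}");
    println!("transcripts identical: {}", transcript == t2);
}
```

Both paths drive the transcript through the same sequence of appends, so they yield the same challenge; the difference is purely who owns the Transcript afterwards. The returned transcript is the one that was actually used to derive the challenge, which is what lets a caller bind further computation (such as the effect and ID derivation the Rationale below mentions) to the same Fiat-Shamir context.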

Rationale

The proposed API allows users to "bundle" transcript and intermediate CS state in an object, so that it can be used after the CS is built, but before the proof is created/verified. Specifically, in ZkVM, the transaction effects and its ID are computed together with building a constraint system. The new API would allow us to perform cheaper verification of the effects before doing a more expensive ZKP verification. Without the new API we'd need to make an extra precomputation pass to get the effects w/o ZKP verification.

Alternative: pinned bundle around the existing API

We can probably keep the self-referential struct: the bundle would have to own a transcript and also contain a CS instance with a &mut reference to it. To make such object safe to use, it must be additionally wrapped in a pinned Box, and also we'd need some careful pointer manipulation inside unsafe{}. I haven't tried it out, but it does not seem very straightforward.

Pros: the API remains the same. Cons: more complex wrapper solution.