frost/secp256k1-zkp
3
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

rangeproof: add secp256k1_rangeproof_max_size function to estimate rangeproof size

Browse Source 
Provides a method that will give an upper bound on the size of a rangeproof,
given an upper bound on the value to be passed in and an upper bound on the
min_bits parameter.

There is a lot of design freedom here since the actual size of the rangeproof
depends on every parameter passed to rangeproof_sign, including the value to
be proven, often in quite intricate ways. For the sake of simplicity we assume
a nonzero `min_value` and that `exp` will be 0 (the default, and size-maximizing,
choice), and provide an exact value for a proof of the given value and min_bits.
This commit is contained in:
Andrew Poelstra
2022-08-13 00:37:20 +00:00
parent 7ff446df8b
commit f1410cb67a
3 changed files with 50 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
src/modules/rangeproof/main_impl.h
View File

@@ -304,4 +304,16 @@ int secp256k1_rangeproof_sign(const secp256k1_context* ctx, unsigned char *proof
proof, plen, min_value, &commitp, blind, nonce, exp, min_bits, value, message, msg_len, extra_commit, extra_commit_len, &genp);
}
size_t secp256k1_rangeproof_max_size(const secp256k1_context* ctx, uint64_t max_value, int min_bits) {
const int val_mantissa = max_value > 0 ? 64 - secp256k1_clz64_var(max_value) : 1;
const int mantissa = min_bits > val_mantissa ? min_bits : val_mantissa;
const size_t rings = (mantissa + 1) / 2;
const size_t npubs = rings * 4 - 2 * (mantissa % 2);
VERIFY_CHECK(ctx != NULL);
(void) ctx;
return 10 + 32 * (npubs + rings - 1) + 32 + ((rings - 1 + 7) / 8);
}
#endif

11
src/modules/rangeproof/tests_impl.h
View File

@@ -225,6 +225,11 @@ static void test_rangeproof_api(const secp256k1_context *none, const secp256k1_c
CHECK(secp256k1_rangeproof_rewind(both, blind_out, &value_out, NULL, 0, commit.data, &min_value, &max_value, &commit, proof, len, NULL, 0, NULL) == 0);
CHECK(*ecount == 29);
}
/* This constant is hardcoded in these tests and elsewhere, so we
* consider it to be part of the API and test it here. */
CHECK(secp256k1_rangeproof_max_size(none, 0, 64) == 5134);
CHECK(secp256k1_rangeproof_max_size(none, UINT64_MAX, 0) == 5134);
}
static void test_api(void) {
@@ -431,6 +436,7 @@ static void test_rangeproof(void) {
len = 5134;
CHECK(secp256k1_rangeproof_sign(ctx, proof, &len, vmin, &commit, blind, commit.data, 0, 0, v, input_message, input_message_len, NULL, 0, secp256k1_generator_h));
CHECK(len <= 5134);
CHECK(len <= secp256k1_rangeproof_max_size(ctx, v, 0));
mlen = 4096;
CHECK(secp256k1_rangeproof_rewind(ctx, blindout, &vout, message, &mlen, commit.data, &minv, &maxv, &commit, proof, len, NULL, 0, secp256k1_generator_h));
if (input_message != NULL) {
@@ -447,6 +453,7 @@ static void test_rangeproof(void) {
len = 5134;
CHECK(secp256k1_rangeproof_sign(ctx, proof, &len, v, &commit, blind, commit.data, -1, 64, v, NULL, 0, NULL, 0, secp256k1_generator_h));
CHECK(len <= 73);
CHECK(len <= secp256k1_rangeproof_max_size(ctx, v, 0));
CHECK(secp256k1_rangeproof_rewind(ctx, blindout, &vout, NULL, NULL, commit.data, &minv, &maxv, &commit, proof, len, NULL, 0, secp256k1_generator_h));
CHECK(secp256k1_memcmp_var(blindout, blind, 32) == 0);
CHECK(vout == v);
@@ -457,6 +464,7 @@ static void test_rangeproof(void) {
len = 5134;
CHECK(secp256k1_rangeproof_sign(ctx, proof, &len, v, &commit, blind, commit.data, -1, 64, v, NULL, 0, message_short, sizeof(message_short), secp256k1_generator_h));
CHECK(len <= 73);
CHECK(len <= secp256k1_rangeproof_max_size(ctx, v, 0));
CHECK(!secp256k1_rangeproof_rewind(ctx, blindout, &vout, NULL, NULL, commit.data, &minv, &maxv, &commit, proof, len, NULL, 0, secp256k1_generator_h));
CHECK(!secp256k1_rangeproof_rewind(ctx, blindout, &vout, NULL, NULL, commit.data, &minv, &maxv, &commit, proof, len, message_long, sizeof(message_long), secp256k1_generator_h));
CHECK(secp256k1_rangeproof_rewind(ctx, blindout, &vout, NULL, NULL, commit.data, &minv, &maxv, &commit, proof, len, message_short, sizeof(message_short), secp256k1_generator_h));
@@ -472,6 +480,7 @@ static void test_rangeproof(void) {
for (i = 0; i < 19; i++) {
len = 5134;
CHECK(secp256k1_rangeproof_sign(ctx, proof, &len, 0, &commit, blind, commit.data, i, 0, v, NULL, 0, NULL, 0, secp256k1_generator_h));
CHECK(len <= secp256k1_rangeproof_max_size(ctx, v, 0));
CHECK(secp256k1_rangeproof_verify(ctx, &minv, &maxv, &commit, proof, len, NULL, 0, secp256k1_generator_h));
CHECK(len <= 5134);
CHECK(minv <= v);
@@ -487,6 +496,7 @@ static void test_rangeproof(void) {
len = 5134;
CHECK(secp256k1_rangeproof_sign(ctx, proof, &len, 0, &commit, blind, commit.data, 0, 3, v, NULL, 0, NULL, 0, secp256k1_generator_h));
CHECK(len <= 5134);
CHECK(len <= secp256k1_rangeproof_max_size(ctx, v, 3));
/* Test if trailing bytes are rejected. */
proof[len] = v;
CHECK(!secp256k1_rangeproof_verify(ctx, &minv, &maxv, &commit, proof, len + 1, NULL, 0, secp256k1_generator_h));
@@ -521,6 +531,7 @@ static void test_rangeproof(void) {
}
CHECK(secp256k1_rangeproof_sign(ctx, proof, &len, vmin, &commit, blind, commit.data, exp, min_bits, v, NULL, 0, NULL, 0, secp256k1_generator_h));
CHECK(len <= 5134);
CHECK(len <= secp256k1_rangeproof_max_size(ctx, v, min_bits));
mlen = 4096;
CHECK(secp256k1_rangeproof_rewind(ctx, blindout, &vout, message, &mlen, commit.data, &minv, &maxv, &commit, proof, len, NULL, 0, secp256k1_generator_h));
for (j = 0; j < mlen; j++) {