Provides a method that will give an upper bound on the size of a rangeproof,
given an upper bound on the value to be passed in and an upper bound on the
min_bits parameter.
There is a lot of design freedom here since the actual size of the rangeproof
depends on every parameter passed to rangeproof_sign, including the value to
be proven, often in quite intricate ways. For the sake of simplicity we assume
a nonzero `min_value` and that `exp` will be 0 (the default, and size-maximizing,
choice), and provide an exact value for a proof of the given value and min_bits.
5ac8fb035e8f0ad012d9f54b49e77b5d1f5e713a surjectionproof: make sure that n_used_pubkeys > 0 in generate (Jonas Nick)
Pull request description:
ACKs for top commit:
apoelstra:
utACK 5ac8fb035e8f0ad012d9f54b49e77b5d1f5e713a
Tree-SHA512: 915f7181e69e2c4e1f830d6c2620a2d9b0af4d2ae8a63709b489b01ed9e13ccfeeaedebd4680cf2d927cd473a6ae88602cf29e2fdd116cb597fba6c0ab77720d
If the proof was generated with surjectionproof_initialize (as mandated by the
API docs), then n_used_pubkeys can never be 0. Without this commit, compilers
will (rightfully) warn that borromean_s[ring_input_index] is not initialized in
surjectionproof_generate. Therefore, this commit makes sure that n_used_pubkeys
is greater than 0 which ensures that the array is initialized at
ring_input_index.
5a40f3d99bbd879391a3fb3c038a6d49ec01bc03 replace memcmp with secp256k1_memcmp_var throughout the codebase (Andrew Poelstra)
92820d944b52d923dad57b7d5bae5fec48f28ddd rangeproof: add a test for all-zero blinding factors (Andrew Poelstra)
Pull request description:
I was curious about under what conditions you can create a rangeproof on an "unblinded" commitment which has a zero blinding factor. Apparently the answer is "when you are proving at least 3-bits". In this case rewinding words and you can encode 32 bytes of data. (In fact I believe you can encode up to 128 but I haven't tested that.)
ACKs for top commit:
real-or-random:
utACK 5a40f3d99bbd879391a3fb3c038a6d49ec01bc03
Tree-SHA512: bed7f9362d082d2b56668809077d5ddde52280109c992a290d87b55cb70138a08799fcca18cafbb3b3e9efed4349418bf9bb2c0ccedacdce0567e841e6d21e13
347f96d94a6c2840e045510672549897be743101 fix include paths in all the -zkp modules (Andrew Poelstra)
Pull request description:
This is causing out-of-tree build failures in Elements.
ACKs for top commit:
real-or-random:
utACK 347f96d94a6c2840e045510672549897be743101
Tree-SHA512: 7d6211f3b8d5612f95bcb3085c22458e7ceaa79f1ee74e37404cc6d1fdf0fbc02b4443b02623b9b6c1225437c1a1954b6d36a953d52b020ac7913326404894e0
d1175d265d514bd0c22faaf262d7df362f33af89 surjectionproof: use secp256k1_memcmp_var rather than bare memcmp (Andrew Poelstra)
bf18ff5a8c6295cb7db6e2989aefd6a78df7720f surjectionproof: fix generation to fail when any input == the output (Andrew Poelstra)
4ff6e4274d49cb95ab246b599b274104baf83f9f surjectionproof: add test for existing behavior on input=output proofs (Andrew Poelstra)
Pull request description:
If any ephemeral input tag equals the ephemeral output tag (i.e. an input asset is exactly equal to the output asset), verification will fail due to an unexpected interaction between our surjectionproof logic and the underlying borromean ring siganture logic. However, our generation code still allows creating proofs like this, "succeeding" in creating bad proofs.
Since we cannot fix the verification side without hardforking Liquid, fix the generation side to fail in this situation.
ACKs for top commit:
real-or-random:
utACK d1175d265d514bd0c22faaf262d7df362f33af89
Tree-SHA512: c15e130de028d6c1f705543fe2774ec23016c71f9d6b38ef0708820a517d156e2126f8369e94f16f9fd1855c29cd907d406f6ea26c95499a9ae1ce0dd92f77b2
cc07b8f7a9a7aa3a023f04127cb85c1723dd1bf9 musig-spec: remove it (Jonas Nick)
Pull request description:
Moved to https://github.com/jonasnick/bips/blob/musig2/bip-musig2.mediawiki.
ACKs for top commit:
real-or-random:
ACK cc07b8f7a9a7aa3a023f04127cb85c1723dd1bf9
Tree-SHA512: 67aebe6afbacd83153c465fcea794d36f07d067e21f767d9f82d7429458d91fe1df8a7289c10d9fa5b5458b1b6603b51a3349528dc8af6b0293f34f0b25c311f
67247e53afdf32f414a9fbd0fb008b3935b1e6d9 musig-spec: More minor cleanup (Elliott Jin)
Pull request description:
ACKs for top commit:
jonasnick:
ACK 67247e53afdf32f414a9fbd0fb008b3935b1e6d9
Tree-SHA512: 8ea2880aef0bd69e2faf10a5eb44d5ba3839867565bd735a4582189f04ea54ab73ec23f04d08aed1d10bc5aaa55bab688ff4cb4e733dc73e2a5946f9a187c7ac
376733b58b282a4985dd78d0125749473f0aeff3 musig-spec: clarify hashing in noncegen by converting ints to bytes (Jonas Nick)
Pull request description:
ACKs for top commit:
real-or-random:
ACK 376733b58b282a4985dd78d0125749473f0aeff3
Tree-SHA512: c4708c476094d242fe7312177e345932bd40b52549007b43d2e5e4efc094101624d8583647f305bcbd042692a9d0117eda38f71e22fee0e0f49d677d9f512a8e
b7f8ea2f2a828cb5a6804320a39750a77fffafba musig-spec: address robot-dreams' comments (Jonas Nick)
Pull request description:
- KeyAggCoeff' -> KeyAggCoeffInternal for consistency
- In Sign, add mod n when calculating d
- In Tweak, reorder the parameters to (Q, gacc, tacc, tweak, is_xonly) because
the first three are "state" arguments
- Rename Tweak function to ApplyTweak to avoid confusion with tweak (the
vector). This becomes apparent in the python reference code.
ACKs for top commit:
real-or-random:
ACK b7f8ea2f2a828cb5a6804320a39750a77fffafba
Tree-SHA512: 6f9066af2f67b6d2769f38ebb2537769568e77bab18d487590a0095a695eab5c34a7177e4d299f27e3e30628dd07aff831f3f08db256cf2ae13ea0d92f3e18b8
- KeyAggCoeff' -> KeyAggCoeffInternal for consistency
- In Sign, add mod n when calculating d
- In Tweak, reorder the parameters to (Q, gacc, tacc, tweak, is_xonly) because
the first three are "state" arguments
- Rename Tweak function to ApplyTweak to avoid confusion with tweak (the
vector). This becomes apparent in the python reference code.
fd51a6281ec21c9dcb71c13666a2551370e31fd1 musig-spec: add authors (Jonas Nick)
f56e223a7a79aa52748d4f542ecebc2ce6c537b2 musig-spec: explain NonceGen and tweaking in signing flow context (Jonas Nick)
e463ea42bb1fe48e30e6d289461cff4fa0935f77 musig-spec: mention stateless signing in signing flow (Jonas Nick)
a29b961eb75d4bd4c871ee5cc7de861a2b7011aa musig-spec: add acknowledgements and improve abstract (Jonas Nick)
1a086ba9c9143ef572b6f1fa3d7c6b8ca173414e musig-spec: add optional arguments to strengthen nonce function (Jonas Nick)
8d04ac318f2f6f160480faf6aeb843a1cba28db0 musig-spec: remove unnecessary and inconsistent input paragraph (Jonas Nick)
Pull request description:
Based on #177
It's likely we're missing people in the acknowledgements. Ping me if you think you are.
ACKs for top commit:
real-or-random:
ACK fd51a6281ec21c9dcb71c13666a2551370e31fd1
Tree-SHA512: 5240b783c15f76655b2593422dc7c76de1c5e298bbe2f39858daca4ee1b1877f1ff179b4043e6f1f75f8c804b734f4bb739d38a18a54b094d8640c57fd074ed9
