908 Commits

Author SHA1 Message Date
Gregory Sanders
12b0e5dda7 Enable more builds with rest of experimental flags 2019-01-03 14:21:48 -05:00
Jonas Nick
53ad841caf Add explanation about how BIP32 unhardened derivation can be used to simplify whitelisting 2018-12-14 20:25:51 +00:00
Jonas Nick
71c5fe0f6e Add comment to explain effect of max_n_iterations in surjectionproof_init 2018-12-14 20:25:51 +00:00
Andrew Poelstra
85fd42fb7e add unit test for generator and pedersen commitment roundtripping 2018-12-14 20:25:51 +00:00
Andrew Poelstra
2ccf885419 rangeproof: fix serialization of pedersen commintments 2018-12-14 20:25:51 +00:00
Andrew Poelstra
60c173b640 rangeproof: verify correctness of pedersen commitments when parsing 2018-12-14 20:25:51 +00:00
Andrew Poelstra
32d7526cd5 generator: verify correctness of point when parsing 2018-12-14 20:25:51 +00:00
Andrew Poelstra
ae14e8a9d8 rangeproof: check that points deserialize correctly when verifying rangeproof 2018-12-14 20:25:51 +00:00
Andrew Poelstra
44fe43d757 rangeproof: add fixed vector test case 2018-12-14 20:25:51 +00:00
Frank V. Castellucci
e065d7df9f Expose generator in shared library
Was failing linking to `*.so` library
2018-12-14 20:25:51 +00:00
Gregory Sanders
fb1ba329aa fix spelling in documentation 2018-12-14 20:25:51 +00:00
Tim Ruffing
fb75faa147 Test for rejection of trailing bytes in range proofs 2018-12-14 20:25:51 +00:00
Tim Ruffing
9b2cf1708d Test for rejection of trailing bytes in surjection proofs 2018-12-14 20:25:51 +00:00
Tim Ruffing
a3a1800ba6 Reject surjection proofs with trailing garbage 2018-12-14 20:25:51 +00:00
datavetaren
0c77ae9a75 Minor bugfix. Wrong length due to NUL character. 2018-12-14 20:25:51 +00:00
Jonas Nick
b1f31bc4b6 Add whitelisting benchmark 2018-12-14 20:25:51 +00:00
Gregory Sanders
52a9f8f8f3 add whitelist_impl.h to include for dist 2018-12-14 20:25:51 +00:00
Andrew Poelstra
a707865bc5 generator: add API tests 2018-12-14 20:25:51 +00:00
Andrew Poelstra
ec1ef040f5 generator: remove unnecessary ARG_CHECK from generate() 2018-12-14 20:25:51 +00:00
Gregory Sanders
b0e9aa828f Fix generator makefile
Include test_impl.h
2018-12-14 20:25:51 +00:00
Jonas Nick
526c65499f Fix pedersen_blind_generator_blind_sum return value documentation 2018-12-14 20:25:51 +00:00
Jonas Nick
b51886e722 Add n_keys argument to whitelist_verify 2018-12-14 20:25:51 +00:00
Jonas Nick
37c57de083 Fix checks of whitelist serialize/parse arguments 2018-12-14 20:25:51 +00:00
Andrew Poelstra
9b8a9d91eb whitelist: fix serialize/parse API to take serialized length 2018-12-14 20:25:51 +00:00
Jonas Nick
7f17515609 Fix include/secp256k1_rangeproof.h function argument documentation. 2018-12-14 20:25:51 +00:00
Andrew Poelstra
0d817020d9 rangeproof: add API tests 2018-12-14 20:25:51 +00:00
Andrew Poelstra
417bb0643f surjectionproof: rename unit test functions to be more consistent with other modules 2018-12-14 20:25:51 +00:00
Andrew Poelstra
1e2d5c1a26 surjectionproof: add API unit tests 2018-12-14 20:25:51 +00:00
Andrew Poelstra
7878a298b2 surjectionproof: tests_impl.h s/assert/CHECK/g 2018-12-14 20:25:51 +00:00
Andrew Poelstra
e609591b66 rangeproof: fix memory leak in unit tests 2018-12-14 20:25:51 +00:00
Andrew Poelstra
0c17f7972a add surjection proof module
Includes fix and tests by Jonas Nick.
2018-12-14 20:25:51 +00:00
Andrew Poelstra
c174f0c609 Implement ring-signature based whitelist delegation scheme 2018-12-14 20:25:51 +00:00
Andrew Poelstra
a2bc6604f9 rangeproof: several API changes
* add summing function for blinded generators
* drop `excess` and `gen` from `verify_tally`
* add extra_commit to rangeproof sign and verify
2018-12-14 20:25:51 +00:00
Pieter Wuille
21bfb3c91a Expose generator in pedersen/rangeproof API 2018-12-14 20:25:51 +00:00
Pieter Wuille
f4620de040 Constant-time generator module 2018-12-14 20:25:51 +00:00
Andrew Poelstra
d46fc3c191 rangeproof: expose sidechannel message field in the signing API
Including a fix by Jonas Nick.
2018-12-14 20:25:51 +00:00
Andrew Poelstra
cf40b1bed2 [RANGEPROOF BREAK] Use quadratic residue for tie break and modularity cleanup
Switch to secp256k1_pedersen_commitment by Andrew Poelstra.
Switch to quadratic residue based disambiguation by Pieter Wuille.
2018-12-14 20:25:51 +00:00
Andrew Poelstra
6d28767c79 Get rid of precomputed H tables (Pieter Wuille) 2018-12-14 20:25:51 +00:00
Gregory Maxwell
ae1e576f67 Pedersen commitments, borromean ring signatures, and ZK range proofs.
This commit adds three new cryptosystems to libsecp256k1:

Pedersen commitments are a system for making blinded commitments
 to a value.  Functionally they work like:
  commit_b,v = H(blind_b || value_v),
 except they are additively homorphic, e.g.
  C(b1, v1) - C(b2, v2) = C(b1 - b2, v1 - v2) and
  C(b1, v1) - C(b1, v1) = 0, etc.
 The commitments themselves are EC points, serialized as 33 bytes.
 In addition to the commit function this implementation includes
 utility functions for verifying that a set of commitments sums
 to zero, and for picking blinding factors that sum to zero.
 If the blinding factors are uniformly random, pedersen commitments
 have information theoretic privacy.

Borromean ring signatures are a novel efficient ring signature
 construction for AND/OR admissions policies (the code here implements
 an AND of ORs, each of any size).  This construction requires
 32 bytes of signature per pubkey used plus 32 bytes of constant
 overhead. With these you can construct signatures like "Given pubkeys
 A B C D E F G, the signer knows the discrete logs
 satisifying (A || B) & (C || D || E) & (F || G)".

ZK range proofs allow someone to prove a pedersen commitment is in
 a particular range (e.g. [0..2^64)) without revealing the specific
 value.  The construction here is based on the above borromean
 ring signature and uses a radix-4 encoding and other optimizations
 to maximize efficiency.  It also supports encoding proofs with a
 non-private base-10 exponent and minimum-value to allow trading
 off secrecy for size and speed (or just avoiding wasting space
 keeping data private that was already public due to external
 constraints).

A proof for a 32-bit mantissa takes 2564 bytes, but 2048 bytes of
 this can be used to communicate a private message to a receiver
 who shares a secret random seed with the prover.
2018-12-14 20:25:51 +00:00
Greg Maxwell
efc61dc0ca Add 64-bit integer utilities 2018-12-14 20:25:51 +00:00
Pieter Wuille
e34ceb333b
Merge #557: Eliminate scratch memory used when generating contexts
b3bf5f9 ecmult_impl: expand comment to explain how effective affine interacts with everything (Andrew Poelstra)
efa783f Store z-ratios in the 'x' coord they'll recover (Peter Dettman)
ffd3b34 add `secp256k1_ge_set_all_gej_var` test which deals with many infinite points (Andrew Poelstra)
84740ac ecmult_impl: save one fe_inv_var (Andrew Poelstra)
4704527 ecmult_impl: eliminate scratch memory used when generating context (Andrew Poelstra)
7f7a2ed ecmult_gen_impl: eliminate scratch memory used when generating context (Andrew Poelstra)

Pull request description:

  Builds on #553

Tree-SHA512: 6031a601a4a476c1d21fc8db219383e7930434d2f199543c61aca0118412322dd814a0109c385ff1f83d16897170dd0c25051697b0f88f15234b0059b661af41
2018-11-26 09:14:58 -08:00
Andrew Poelstra
b3bf5f99a3 ecmult_impl: expand comment to explain how effective affine interacts with everything 2018-11-10 14:01:13 +00:00
Peter Dettman
efa783f8f0 Store z-ratios in the 'x' coord they'll recover 2018-11-10 13:14:43 +00:00
Andrew Poelstra
ffd3b346fe add secp256k1_ge_set_all_gej_var test which deals with many infinite points 2018-11-09 00:20:53 +00:00
Andrew Poelstra
84740acd2a ecmult_impl: save one fe_inv_var 2018-11-09 00:20:53 +00:00
Andrew Poelstra
47045270fa ecmult_impl: eliminate scratch memory used when generating context 2018-11-09 00:20:51 +00:00
Andrew Poelstra
7f7a2ed3a8 ecmult_gen_impl: eliminate scratch memory used when generating context 2018-11-09 00:16:06 +00:00
Pieter Wuille
314a61d724
Merge #553: add static context object which has no capabilities
40fde61 prevent attempts to modify `secp256k1_context_no_precomp` (Andrew Poelstra)
ed7c084 add static context object which has no capabilities (Andrew Poelstra)

Pull request description:

Tree-SHA512: a843ed7ba00a00a46eec3146ce428d4b49eb440af766f44d731b1f51553d08de8cc9a0af5ed114d0dfdca6f4bf4a2ede4dbd6a37d6bd818b81630089424a0ba5
2018-11-05 18:25:56 -08:00
Pieter Wuille
1086fda4c1
Merge #354: [ECDH API change] Support custom hash function
c8fbc3c [ECDH API change] Allow pass arbitrary data to hash function (Kirill Fomichev)
b00be65 [ECDH API change] Support custom hash function (Kirill Fomichev)

Pull request description:

  Solve #352

Tree-SHA512: f5985874d03e976cdb3d59036af7720636ad1488da40fd3bd7881b1fb71b05036a952013d519baa84c4ce4b558bdef25c4ce76b384b297e4d0aece9e37e78a01
2018-10-17 12:14:48 -07:00
Andrew Poelstra
40fde611bd prevent attempts to modify secp256k1_context_no_precomp 2018-10-04 15:16:38 +00:00