Tim Ruffing
3f1a8580a2
Prepare for manual memory management in preallocated memory
...
* Determine ALIGNMENT more cleverly and move it to util.h
* Implement manual_malloc() helper function
2019-03-05 13:22:46 +01:00
Andrew Poelstra
89b7f5b73b
f nits
2019-02-20 15:25:47 +00:00
Janus Troelsen
792d504315
Update musig.md
...
Use monospaced font for math expressions
2019-02-18 16:30:31 +01:00
Andrew Poelstra
9125c16622
f remove markdown indentation
2019-02-12 14:58:08 +00:00
Andrew Poelstra
0512dd2ba9
f reword adaptor signature stuff
2019-02-12 14:53:36 +00:00
Andrew Poelstra
8cab1c5cae
f more nits
2019-02-12 14:43:35 +00:00
Andrew Poelstra
0492592010
f replace C by L
2019-02-12 14:39:03 +00:00
Andrew Poelstra
6b0b22bc89
musig: add user documentation
2019-02-12 00:44:31 +00:00
Andrew Poelstra
d5e22a59f6
Merge pull request #35 from jonasnick/2018-10-musig
...
Add MuSig module
2019-02-07 00:19:41 +00:00
Jonas Nick
2fc700a943
Add 3-of-3 MuSig example
2019-02-06 11:27:46 +00:00
Jonas Nick
77d5b4ac7d
Add MuSig module which allows creating n-of-n multisignatures and adaptor signatures.
2019-02-06 11:27:37 +00:00
Andrew Poelstra
f0e4bb9283
Add schnorrsig module which implements BIP-schnorr [0] compatible signing, verification and batch verification.
...
[0] https://github.com/sipa/bips/blob/bip-schnorr/bip-schnorr.mediawiki
2019-01-29 11:02:07 +00:00
Andrew Poelstra
8260800491
add chacha20 function
2019-01-29 10:59:27 +00:00
Andrew Poelstra
43dd1f4fe7
Merge pull request #40 from instagibbs/size_t
...
use proper types for rangeproof min/max in unit test case
2019-01-03 22:56:58 +00:00
Andrew Poelstra
2b2429dfaa
rangeproof: reduce iteration count in unit tests
2019-01-03 14:21:48 -05:00
Gregory Sanders
8c444eef6a
use proper types for rangeproof min/max
2019-01-03 14:18:39 -05:00
Jonas Nick
ed59fbe8b7
Add trivial ecmult_multi algorithm. It is selected when no scratch space is given and just multiplies and adds the points.
2018-12-22 22:38:01 +00:00
Jonas Nick
53ad841caf
Add explanation about how BIP32 unhardened derivation can be used to simplify whitelisting
2018-12-14 20:25:51 +00:00
Andrew Poelstra
85fd42fb7e
add unit test for generator and pedersen commitment roundtripping
2018-12-14 20:25:51 +00:00
Andrew Poelstra
2ccf885419
rangeproof: fix serialization of pedersen commitments
2018-12-14 20:25:51 +00:00
Andrew Poelstra
60c173b640
rangeproof: verify correctness of pedersen commitments when parsing
2018-12-14 20:25:51 +00:00
Andrew Poelstra
32d7526cd5
generator: verify correctness of point when parsing
2018-12-14 20:25:51 +00:00
Andrew Poelstra
ae14e8a9d8
rangeproof: check that points deserialize correctly when verifying rangeproof
2018-12-14 20:25:51 +00:00
Andrew Poelstra
44fe43d757
rangeproof: add fixed vector test case
2018-12-14 20:25:51 +00:00
Tim Ruffing
fb75faa147
Test for rejection of trailing bytes in range proofs
2018-12-14 20:25:51 +00:00
Tim Ruffing
9b2cf1708d
Test for rejection of trailing bytes in surjection proofs
2018-12-14 20:25:51 +00:00
Tim Ruffing
a3a1800ba6
Reject surjection proofs with trailing garbage
2018-12-14 20:25:51 +00:00
datavetaren
0c77ae9a75
Minor bugfix. Wrong length due to NUL character.
2018-12-14 20:25:51 +00:00
Jonas Nick
b1f31bc4b6
Add whitelisting benchmark
2018-12-14 20:25:51 +00:00
Gregory Sanders
52a9f8f8f3
add whitelist_impl.h to include for dist
2018-12-14 20:25:51 +00:00
Andrew Poelstra
a707865bc5
generator: add API tests
2018-12-14 20:25:51 +00:00
Andrew Poelstra
ec1ef040f5
generator: remove unnecessary ARG_CHECK from generate()
2018-12-14 20:25:51 +00:00
Gregory Sanders
b0e9aa828f
Fix generator makefile
...
Include test_impl.h
2018-12-14 20:25:51 +00:00
Jonas Nick
b51886e722
Add n_keys argument to whitelist_verify
2018-12-14 20:25:51 +00:00
Jonas Nick
37c57de083
Fix checks of whitelist serialize/parse arguments
2018-12-14 20:25:51 +00:00
Andrew Poelstra
9b8a9d91eb
whitelist: fix serialize/parse API to take serialized length
2018-12-14 20:25:51 +00:00
Andrew Poelstra
0d817020d9
rangeproof: add API tests
2018-12-14 20:25:51 +00:00
Andrew Poelstra
417bb0643f
surjectionproof: rename unit test functions to be more consistent with other modules
2018-12-14 20:25:51 +00:00
Andrew Poelstra
1e2d5c1a26
surjectionproof: add API unit tests
2018-12-14 20:25:51 +00:00
Andrew Poelstra
7878a298b2
surjectionproof: tests_impl.h s/assert/CHECK/g
2018-12-14 20:25:51 +00:00
Andrew Poelstra
e609591b66
rangeproof: fix memory leak in unit tests
2018-12-14 20:25:51 +00:00
Andrew Poelstra
0c17f7972a
add surjection proof module
...
Includes fix and tests by Jonas Nick.
2018-12-14 20:25:51 +00:00
Andrew Poelstra
c174f0c609
Implement ring-signature based whitelist delegation scheme
2018-12-14 20:25:51 +00:00
Andrew Poelstra
a2bc6604f9
rangeproof: several API changes
...
* add summing function for blinded generators
* drop `excess` and `gen` from `verify_tally`
* add extra_commit to rangeproof sign and verify
2018-12-14 20:25:51 +00:00
Pieter Wuille
21bfb3c91a
Expose generator in pedersen/rangeproof API
2018-12-14 20:25:51 +00:00
Pieter Wuille
f4620de040
Constant-time generator module
2018-12-14 20:25:51 +00:00
Andrew Poelstra
d46fc3c191
rangeproof: expose sidechannel message field in the signing API
...
Including a fix by Jonas Nick.
2018-12-14 20:25:51 +00:00
Andrew Poelstra
cf40b1bed2
[RANGEPROOF BREAK] Use quadratic residue for tie break and modularity cleanup
...
Switch to secp256k1_pedersen_commitment by Andrew Poelstra.
Switch to quadratic residue based disambiguation by Pieter Wuille.
2018-12-14 20:25:51 +00:00
Andrew Poelstra
6d28767c79
Get rid of precomputed H tables (Pieter Wuille)
2018-12-14 20:25:51 +00:00
Gregory Maxwell
ae1e576f67
Pedersen commitments, borromean ring signatures, and ZK range proofs.
...
This commit adds three new cryptosystems to libsecp256k1:
Pedersen commitments are a system for making blinded commitments
to a value. Functionally they work like:
commit_b,v = H(blind_b || value_v),
except they are additively homomorphic, e.g.
C(b1, v1) - C(b2, v2) = C(b1 - b2, v1 - v2) and
C(b1, v1) - C(b1, v1) = 0, etc.
The commitments themselves are EC points, serialized as 33 bytes.
In addition to the commit function this implementation includes
utility functions for verifying that a set of commitments sums
to zero, and for picking blinding factors that sum to zero.
If the blinding factors are uniformly random, pedersen commitments
have information theoretic privacy.
Borromean ring signatures are a novel efficient ring signature
construction for AND/OR admissions policies (the code here implements
an AND of ORs, each of any size). This construction requires
32 bytes of signature per pubkey used plus 32 bytes of constant
overhead. With these you can construct signatures like "Given pubkeys
A B C D E F G, the signer knows the discrete logs
satisfying (A || B) & (C || D || E) & (F || G)".
ZK range proofs allow someone to prove a pedersen commitment is in
a particular range (e.g. [0..2^64)) without revealing the specific
value. The construction here is based on the above borromean
ring signature and uses a radix-4 encoding and other optimizations
to maximize efficiency. It also supports encoding proofs with a
non-private base-10 exponent and minimum-value to allow trading
off secrecy for size and speed (or just avoiding wasting space
keeping data private that was already public due to external
constraints).
A proof for a 32-bit mantissa takes 2564 bytes, but 2048 bytes of
this can be used to communicate a private message to a receiver
who shares a secret random seed with the prover.
2018-12-14 20:25:51 +00:00
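The homomorphic property and the sum-to-zero checks described in the commit message above, as an added worked example (not libsecp256k1-zkp code). The library commits to values as elliptic-curve points on secp256k1; this example swaps in the order-q subgroup of Z_p^* written multiplicatively, so "adding" commitments becomes multiplying them, the identity 1 plays the role of the point at infinity, and the toy constants p, q, G and the helper names commit, commit_sub, blind_sum, verify_tally, balanced_blinds and wraparound_passes_tally are all assumptions of this example, not the library's API. The last function shows why the range proofs added in the same commit are needed: with values reduced mod q, a "negative" value balances the tally.

```python
"""Toy Pedersen commitments in a prime-order subgroup of Z_p^* (added example,
not libsecp256k1-zkp code; toy-sized constants, NOT for real use)."""
import hashlib
import secrets

# Assumed toy safe prime p = 2q + 1; the quadratic residues mod p form the
# order-q subgroup, which stands in for the secp256k1 curve group here.
P = 2039
Q = 1019
G = 4  # 2^2 is a quadratic residue, so it has order exactly q

def _hash_to_subgroup(label: bytes) -> int:
    """Derive a second generator H whose discrete log w.r.t. G is unknown
    (the analogue of the library's nothing-up-my-sleeve H)."""
    while True:
        x = int.from_bytes(hashlib.sha256(label).digest(), "big") % P
        h = pow(x, 2, P)  # squaring lands in the order-q subgroup
        if h not in (0, 1, G):
            return h
        label += b"+"

H = _hash_to_subgroup(b"pedersen-second-generator")

def commit(blind: int, value: int) -> int:
    """C(b, v) = G^v * H^b. Hides v unconditionally when b is uniform in Z_q."""
    return (pow(G, value % Q, P) * pow(H, blind % Q, P)) % P

def commit_sub(c1: int, c2: int) -> int:
    """The group operation matching C1 - C2 on the curve."""
    return (c1 * pow(c2, -1, P)) % P

def blind_sum(blinds_pos, blinds_neg) -> int:
    """sum(pos) - sum(neg) mod q: picks the one blind that makes a set sum to zero."""
    return (sum(blinds_pos) - sum(blinds_neg)) % Q

def verify_tally(commits_pos, commits_neg) -> bool:
    """True iff positive commitments minus negative ones commit to (0, 0)."""
    acc = 1
    for c in commits_pos:
        acc = (acc * c) % P
    for c in commits_neg:
        acc = commit_sub(acc, c)
    return acc == 1

def balanced_blinds(values_in, values_out):
    """Uniform blinds for every input and all but the last output; the last
    output blind is solved for so the blinding factors sum to zero."""
    b_in = [secrets.randbelow(Q) for _ in values_in]
    b_out = [secrets.randbelow(Q) for _ in values_out[:-1]]
    b_out.append(blind_sum(b_in, b_out))
    return b_in, b_out

def demo() -> bool:
    # C(b1, v1) - C(b2, v2) == C(b1 - b2, v1 - v2)
    b1, v1, b2, v2 = 17, 100, 5, 40
    hom_ok = commit_sub(commit(b1, v1), commit(b2, v2)) == commit(b1 - b2, v1 - v2)
    # Inputs 70 + 30 must equal outputs 60 + 40 (constructed sample, fee 0).
    vin, vout = [70, 30], [60, 40]
    bin_, bout = balanced_blinds(vin, vout)
    cin = [commit(b, v) for b, v in zip(bin_, vin)]
    cout = [commit(b, v) for b, v in zip(bout, vout)]
    balanced = verify_tally(cin, cout)
    # Plain inflation (60 + 41) fails even with balanced blinds.
    cout_bad = [commit(bout[0], 60), commit(bout[1], 41)]
    caught = not verify_tally(cin, cout_bad)
    return hom_ok and balanced and caught

def wraparound_passes_tally() -> bool:
    """Without a range proof, an output of -1 (= q - 1 mod q) lets 70 + 30 pay
    out 101: the tally still balances. This is the hole ZK range proofs close."""
    vin, vout = [70, 30], [101, -1]
    bin_, bout = balanced_blinds(vin, vout)
    return verify_tally([commit(b, v) for b, v in zip(bin_, vin)],
                        [commit(b, v) for b, v in zip(bout, vout)])

if __name__ == "__main__":
    print("homomorphism + tally checks:", demo())
    print("negative value slips past tally without range proof:", wraparound_passes_tally())
```

The tally check only proves that inputs and outputs commit to the same total mod q, so every output additionally needs a range proof that its value lies in [0, 2^64) or similar; otherwise a value of q - 1 is indistinguishable from -1 and money is created out of nothing.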