1022 Commits

Author SHA1 Message Date
Jonas Nick
898c9f05bb Clarify how to derive alternative generator H 2019-05-30 14:08:30 +00:00
Roman Zeyde
15d92782d3 Add bench_generator and bench_rangeproof to .gitignore 2019-05-30 14:08:30 +00:00
Tim Ruffing
86240b207d Clean up ./configure help strings (zkp extensions) 2019-05-30 14:08:30 +00:00
Roman Zeyde
865b76186c Fix a small typo in the generator parameter name 2019-05-30 14:08:30 +00:00
Andrew Poelstra
cd5ba5c3b9 generator: remove CHECK abort calls exposed by public API 2019-05-30 14:08:30 +00:00
Andrew Poelstra
ff16651273 musig: add user documentation 2019-05-30 14:08:21 +00:00
Jonas Nick
0ad6b6036f Add 3-of-3 MuSig example 2019-05-30 14:04:38 +00:00
Jonas Nick
b61a1a9d98 Add MuSig module which allows creating n-of-n multisignatures and adaptor signatures. 2019-05-30 14:04:38 +00:00
Andrew Poelstra
5d5374f92c Add schnorrsig module which implements BIP-schnorr [0] compatible signing, verification and batch verification.
[0] https://github.com/sipa/bips/blob/bip-schnorr/bip-schnorr.mediawiki
2019-05-30 14:04:38 +00:00
Andrew Poelstra
a8ae6baff3 add chacha20 function 2019-05-30 14:04:38 +00:00
Gregory Sanders
9a8a71e8bb use proper types for rangeproof min/max 2019-05-30 14:04:38 +00:00
Andrew Poelstra
14769b9648 rangeproof: reduce iteration count in unit tests 2019-05-30 14:04:38 +00:00
Gregory Sanders
0593861cc5 Enable more builds with rest of experimental flags 2019-05-30 14:04:38 +00:00
Jonas Nick
e9fea74278 Add explanation about how BIP32 unhardened derivation can be used to simplify whitelisting 2019-05-30 14:04:38 +00:00
Jonas Nick
dec1b9ce27 Add comment to explain effect of max_n_iterations in surjectionproof_init 2019-05-30 14:04:38 +00:00
Andrew Poelstra
ea62bfe221 add unit test for generator and pedersen commitment roundtripping 2019-05-30 14:04:38 +00:00
Andrew Poelstra
e32924f0ee rangeproof: fix serialization of pedersen commitments 2019-05-30 14:04:38 +00:00
Andrew Poelstra
972d056fac rangeproof: verify correctness of pedersen commitments when parsing 2019-05-30 14:04:38 +00:00
Andrew Poelstra
2cc4c6fef1 generator: verify correctness of point when parsing 2019-05-30 14:04:38 +00:00
Andrew Poelstra
65ffea43d5 rangeproof: check that points deserialize correctly when verifying rangeproof 2019-05-30 14:04:38 +00:00
Andrew Poelstra
cb786d6d1a rangeproof: add fixed vector test case 2019-05-30 14:04:38 +00:00
Frank V. Castellucci
b387ba0389 Expose generator in shared library
Was failing linking to `*.so` library
2019-05-30 14:04:38 +00:00
Gregory Sanders
8da432855c fix spelling in documentation 2019-05-30 14:04:38 +00:00
Tim Ruffing
6f14fe40d9 Test for rejection of trailing bytes in range proofs 2019-05-30 14:04:38 +00:00
Tim Ruffing
ab4fbc1be8 Test for rejection of trailing bytes in surjection proofs 2019-05-30 14:04:38 +00:00
Tim Ruffing
c908c97d67 Reject surjection proofs with trailing garbage 2019-05-30 14:04:38 +00:00
datavetaren
f723bf5b37 Minor bugfix. Wrong length due to NUL character. 2019-05-30 14:04:38 +00:00
Jonas Nick
6872069de9 Add whitelisting benchmark 2019-05-30 14:04:38 +00:00
Gregory Sanders
6ceccb75be add whitelist_impl.h to include for dist 2019-05-30 14:04:38 +00:00
Andrew Poelstra
a3ad4a8668 generator: add API tests 2019-05-30 14:04:38 +00:00
Andrew Poelstra
e93e886cb4 generator: remove unnecessary ARG_CHECK from generate() 2019-05-30 14:04:38 +00:00
Gregory Sanders
f1d6e4b831 Fix generator makefile
Include test_impl.h
2019-05-30 14:04:38 +00:00
Jonas Nick
68be611317 Fix pedersen_blind_generator_blind_sum return value documentation 2019-05-30 14:04:38 +00:00
Jonas Nick
51fc58ae6b Add n_keys argument to whitelist_verify 2019-05-30 14:04:38 +00:00
Jonas Nick
36b100c779 Fix checks of whitelist serialize/parse arguments 2019-05-30 14:04:38 +00:00
Andrew Poelstra
c8f54e12ec whitelist: fix serialize/parse API to take serialized length 2019-05-30 14:04:38 +00:00
Jonas Nick
56fca50778 Fix include/secp256k1_rangeproof.h function argument documentation. 2019-05-30 14:04:38 +00:00
Andrew Poelstra
4617f04784 rangeproof: add API tests 2019-05-30 14:04:38 +00:00
Andrew Poelstra
cd4e438a3a surjectionproof: rename unit test functions to be more consistent with other modules 2019-05-30 14:04:38 +00:00
Andrew Poelstra
2cc7f1e045 surjectionproof: add API unit tests 2019-05-30 14:04:38 +00:00
Andrew Poelstra
c4097f758f surjectionproof: tests_impl.h s/assert/CHECK/g 2019-05-30 14:04:38 +00:00
Andrew Poelstra
5ee6bf3418 rangeproof: fix memory leak in unit tests 2019-05-30 14:04:38 +00:00
Andrew Poelstra
94e81a250e add surjection proof module
Includes fix and tests by Jonas Nick.
2019-05-30 14:04:38 +00:00
Andrew Poelstra
a66ea35227 Implement ring-signature based whitelist delegation scheme 2019-05-30 14:04:38 +00:00
Andrew Poelstra
2bb5133615 rangeproof: several API changes
* add summing function for blinded generators
* drop `excess` and `gen` from `verify_tally`
* add extra_commit to rangeproof sign and verify
2019-05-30 14:04:38 +00:00
Pieter Wuille
9b00b61d9d Expose generator in pedersen/rangeproof API 2019-05-30 14:04:38 +00:00
Pieter Wuille
54fa2639e1 Constant-time generator module 2019-05-30 14:04:38 +00:00
Andrew Poelstra
023aa86ac0 rangeproof: expose sidechannel message field in the signing API
Including a fix by Jonas Nick.
2019-05-30 14:04:38 +00:00
Andrew Poelstra
89e7451d42 [RANGEPROOF BREAK] Use quadratic residue for tie break and modularity cleanup
Switch to secp256k1_pedersen_commitment by Andrew Poelstra.
Switch to quadratic residue based disambiguation by Pieter Wuille.
2019-05-30 14:04:38 +00:00
Gregory Maxwell
f126331bc9 Pedersen commitments, borromean ring signatures, and ZK range proofs.
This commit adds three new cryptosystems to libsecp256k1:

Pedersen commitments are a system for making blinded commitments
 to a value.  Functionally they work like:
  commit_b,v = H(blind_b || value_v),
 except they are additively homomorphic, e.g.
  C(b1, v1) - C(b2, v2) = C(b1 - b2, v1 - v2) and
  C(b1, v1) - C(b1, v1) = 0, etc.
 The commitments themselves are EC points, serialized as 33 bytes.
 In addition to the commit function this implementation includes
 utility functions for verifying that a set of commitments sums
 to zero, and for picking blinding factors that sum to zero.
 If the blinding factors are uniformly random, pedersen commitments
 have information theoretic privacy.

Borromean ring signatures are a novel efficient ring signature
 construction for AND/OR admissions policies (the code here implements
 an AND of ORs, each of any size).  This construction requires
 32 bytes of signature per pubkey used plus 32 bytes of constant
 overhead. With these you can construct signatures like "Given pubkeys
 A B C D E F G, the signer knows the discrete logs
 satisfying (A || B) & (C || D || E) & (F || G)".

ZK range proofs allow someone to prove a pedersen commitment is in
 a particular range (e.g. [0..2^64)) without revealing the specific
 value.  The construction here is based on the above borromean
 ring signature and uses a radix-4 encoding and other optimizations
 to maximize efficiency.  It also supports encoding proofs with a
 non-private base-10 exponent and minimum-value to allow trading
 off secrecy for size and speed (or just avoiding wasting space
 keeping data private that was already public due to external
 constraints).

A proof for a 32-bit mantissa takes 2564 bytes, but 2048 bytes of
 this can be used to communicate a private message to a receiver
 who shares a secret random seed with the prover.

Also: get rid of precomputed H tables (Pieter Wuille)
2019-05-30 14:04:38 +00:00
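The Pedersen commitment properties described in the commit message above (additive homomorphism, verifying that a set of commitments sums to zero, picking blinding factors that sum to zero, and strict parsing of the 33-byte serialization), as an added example that is not part of this page or of libsecp256k1-zkp's own code. It uses pure-Python secp256k1 affine arithmetic that is not constant time, a toy hash-and-increment derivation of the second generator H (assumed for the example; the library derives its H differently), and hypothetical helpers `commit`, `blind_sum`, `verify_tally` and `parse` that borrow the library's vocabulary but are not its API. Input values and blinding factors are constructed.

```python
import hashlib

# secp256k1 domain parameters (public constants of the curve the library targets).
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
# The point at infinity is represented as None.

def point_add(p, q):
    """Affine addition on y^2 = x^3 + 7 (a = 0), handling doubling and infinity."""
    if p is None:
        return q
    if q is None:
        return p
    (x1, y1), (x2, y2) = p, q
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return None                      # p == -q
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def point_neg(p):
    return None if p is None else (p[0], (-p[1]) % P)

def point_mul(k, p):
    """Double-and-add scalar multiplication; NOT constant time (illustration only)."""
    k %= N
    acc = None
    while k:
        if k & 1:
            acc = point_add(acc, p)
        p = point_add(p, p)
        k >>= 1
    return acc

def serialize(p):
    """Standard 33-byte compressed encoding: 0x02/0x03 parity prefix plus x."""
    return bytes([2 + (p[1] & 1)]) + p[0].to_bytes(32, "big")

def parse(data):
    """Strict inverse of serialize: rejects bad length (trailing bytes), bad prefix,
    out-of-range x and x values that are not on the curve."""
    if len(data) != 33 or data[0] not in (2, 3):
        raise ValueError("expected exactly 33 bytes with 0x02/0x03 prefix")
    x = int.from_bytes(data[1:], "big")
    if x >= P:
        raise ValueError("x is not a field element")
    rhs = (pow(x, 3, P) + 7) % P
    y = pow(rhs, (P + 1) // 4, P)            # square root, valid because P % 4 == 3
    if y * y % P != rhs:
        raise ValueError("x is not on the curve")
    if (y & 1) != (data[0] & 1):
        y = P - y
    return (x, y)

def derive_h():
    """Toy 'nothing up my sleeve' second generator: hash G's encoding and increment
    x until it lands on the curve, so nobody knows log_G(H). Assumed construction
    for this example, not the library's own derivation of H."""
    x = int.from_bytes(hashlib.sha256(serialize(G)).digest(), "big") % P
    while True:
        try:
            return parse(b"\x02" + x.to_bytes(32, "big"))
        except ValueError:
            x = (x + 1) % P

H = derive_h()

def commit(blind, value):
    """Pedersen commitment C(b, v) = b*G + v*H (hypothetical helper)."""
    return point_add(point_mul(blind, G), point_mul(value, H))

def commit_sub(c1, c2):
    """C(b1, v1) - C(b2, v2); equals C(b1 - b2, v1 - v2) by homomorphism."""
    return point_add(c1, point_neg(c2))

def blind_sum(positive, negative):
    """Blinding factor r such that sum(positive) - sum(negative) - r == 0 (mod N)."""
    return (sum(positive) - sum(negative)) % N

def verify_tally(inputs, outputs):
    """True iff sum(inputs) - sum(outputs) is the point at infinity."""
    acc = None
    for c in inputs:
        acc = point_add(acc, c)
    for c in outputs:
        acc = point_add(acc, point_neg(c))
    return acc is None

# Constructed scenario: inputs worth 40 and 60 pay outputs of 70 and 30.
IN_VALUES, OUT_VALUES = [40, 60], [70, 30]
IN_BLINDS = [0x1111, 0x2222]        # fixed toy scalars; use 32 random bytes in practice
OUT_BLINDS = [0x3333, blind_sum(IN_BLINDS, [0x3333])]   # last blind closes the sum

def tally_example(tamper=False):
    inputs = [commit(b, v) for b, v in zip(IN_BLINDS, IN_VALUES)]
    outputs = [commit(b, v) for b, v in zip(OUT_BLINDS, OUT_VALUES)]
    if tamper:
        outputs[1] = commit(OUT_BLINDS[1], OUT_VALUES[1] + 1)   # inflate one output by 1
    return verify_tally(inputs, outputs)

if __name__ == "__main__":
    print("honest tally balances:", tally_example())        # True
    print("inflated output balances:", tally_example(True))  # False
```

The tally check only proves that values and blinding factors both balance; it says nothing about any single value being non-negative, which is exactly the gap the range proof in the same commit closes (an output of 2^256 - 1 would "balance" modulo N). The strict `parse` mirrors the later commits that verify points on parse and reject trailing garbage: a decoder that silently ignores extra bytes or accepts off-curve x gives an attacker malleability for free.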