Jonas Nick
775f5e242b
Merge commits '1b13415d 374e2b54 96294c00 8d2960c8 ce765a5b b2f6712d eedd7810 b327abfc 5d8fa825 3d05c86d bcffeb14 de657c20 060e32cb 0ba2b945 48b1d939 6b9507ad 5373693e 2e6cf9ba 6ee14550 26a98992 4d7fe609 ea26b71c 65c79fe2 727bec5b 0b4640ae 199d27ce cbf3053f 49be5be9 b10ddd2b 4fd00f4b ba9cb6f3 ee7aaf21 ' into temp-merge-1395
...
- Replace fe_equal_var with fe_equal
- Use CHECK_ILLEGAL instead of CHECK/ecount
- Turn on secp256k1-zkp specific modules in CI
2023-09-20 09:38:36 +00:00
Tim Ruffing
167194bede
rangeproof: Use util functions for writing big endian
2023-08-01 10:48:34 +02:00
Tim Ruffing
54b37db953
build: Fix linkage of extra binaries in -zkp modules
2023-07-28 14:20:42 +02:00
Jonas Nick
7a07f3d33f
Merge commits '3bab71cf 4258c54f 566faa17 9ce9984f 04bf3f67 5be353d6 2e035af2 5b0444a3 a6f4bcf6 5ec1333d f6bef03c 1f33bb2b 1c895367 6b7e5b71 596b336f 4b84f4bf 024a4094 222ecaf6 4b0f711d 3c818388 f30c7486 1cf15ebd 24c768ae 341cc197 c63ec88e 54d34b6c 073d98a0 9eb6934f ab5a9171 fb3a8063 006ddc1f 3353d3c7 b54a0672 7d4f86d2 e8295d07 3e3d125b acf5c55a ' into temp-merge-1312
2023-07-24 20:15:07 +00:00
Jonas Nick
0d540ec942
Merge commits '88e80722 ff8edf89 f29a3270 a7a7bfaf a01a7d86 b1579cf5 ad7433b1 233822d8 5fbff5d3 2b77240b 1bff2005 e1817a6f 5596ec5c 8ebe5c52 1cca7c17 1b21aa51 cbd25559 09b1d466 57573187 8962fc95 9d1b458d eb8749fc 6048e6c0 ' into temp-merge-1222
2023-07-20 16:29:40 +00:00
Jonas Nick
304fc88557
Merge commits '9a8d65f0 75d7b7f5 665ba77e 3f57b9f7 eacad90f 01b819a8 31ed5386 2a39ac16 0eb30004 cbe41ac1 cc3b8a4f ' into temp-merge-1187
2023-07-20 12:19:00 +00:00
Jonas Nick
6c54db1987
Merge commits '2286f809 751c4354 477f02c4 e3f84777 5c789dcd 8c949f56 21ffe4b2 ' into temp-merge-1055
2023-07-18 12:51:17 +00:00
Tim Ruffing
e444d24bca
Fix include guards: No _ prefix/suffix but _H suffix (as in upstream)
2023-04-21 12:02:28 +02:00
Tim Ruffing
4eca406f4c
Use relative #include paths in library (as in upstream)
2023-04-21 11:50:24 +02:00
Andrew Poelstra
87373f5145
MOVE ONLY: move Pedersen commitment stuff to generator module from rangeproof module
...
You can verify this commit with `git diff --color-moved=zebra`
2023-01-23 10:18:21 -08:00
Jonas Nick
6b6ced9839
rangeproof: add more max_size tests
2022-08-25 14:26:02 +00:00
Jonas Nick
34876ecb5f
rangeproof: add more static test vectors
...
Fixes #42
2022-08-25 14:26:02 +00:00
Andrew Poelstra
310e517061
rangeproof: add a bunch more testing
...
Add two new fixed rangeproof vectors; check that various extracted
values are correct; add a test for creating and verifying single-value
proofs.
2022-08-25 14:26:02 +00:00
Andrew Poelstra
f1410cb67a
rangeproof: add secp256k1_rangeproof_max_size function to estimate rangeproof size
...
Provides a method that will give an upper bound on the size of a rangeproof,
given an upper bound on the value to be passed in and an upper bound on the
min_bits parameter.
There is a lot of design freedom here since the actual size of the rangeproof
depends on every parameter passed to rangeproof_sign, including the value to
be proven, often in quite intricate ways. For the sake of simplicity we assume
a nonzero `min_value` and that `exp` will be 0 (the default, and size-maximizing,
choice), and provide an exact value for a proof of the given value and min_bits.
2022-08-25 14:26:00 +00:00
Andrew Poelstra
5a40f3d99b
replace memcmp with secp256k1_memcmp_var throughout the codebase
...
memcmp only appears in -zkp-specific modules. Fix those.
2022-08-10 22:14:31 +00:00
Andrew Poelstra
92820d944b
rangeproof: add a test for all-zero blinding factors
2022-08-10 22:10:33 +00:00
Andrew Poelstra
347f96d94a
fix include paths in all the -zkp modules
...
This is causing out-of-tree build failures in Elements.
2022-08-05 14:56:10 +00:00
Jonas Nick
b7ebe6436c
Test APIs of funcs that need an ecmult_gen ctx with static ctx
...
The API tests of upstream functions were similarly amended in commit 3b0c2185eab0fe5cb910fffee4c88e134f6d3cad.
2022-01-04 12:57:57 +00:00
Jonas Nick
72c8deac03
Merge commits with sync-upstream.sh
...
da0092bc 10f9bd84 297ce820 f34b5cae 920a0e5f 9526874d aa1b889b 20d791ed 3e7b2ea1 21c188b3 8fa41201 515a5dbd c74a7b7e 74c34e72 7006f1b9 ea5e8a9c 793ad901 2e5e4b67 fecf436d 49f608de 49002274 6ad908aa 4f01840b 61ae37c6 486205aa 5d0dbef0 0559fc6e be6944ad a69df3ad b39d431a 0b83b203 09971a3f 9281c9f4 423b6d19 a310e79e 39a36db9 a1102b12
Deal with
- secp256k1_test_rng removal in commit
77a19750b46916b93bb6a08837c26f585bd940fa
- ecmult_gen context simplification after making table static in commit
3b0c2185eab0fe5cb910fffee4c88e134f6d3cad
2022-01-02 16:11:15 +00:00
Jonas Nick
938725c1c9
Merge commits 'd7ec49a6 9a5a87e0 aa5d34a8 2a3a97c6 ' into temp-merge-976
...
Also remove remaining uses of ecmult context in secp-zkp and update API tests
accordingly.
2021-09-16 15:21:11 +00:00
Andrew Poelstra
6ad66de680
rangeproof: add an (unnecessary) variable initialization to shut up CI
2021-07-27 18:15:58 +00:00
Tim Ruffing
cc0b279568
Eliminate a wrong -Wmaybe-uninitialized warning in GCC
2021-07-13 17:30:05 +02:00
Andrew Poelstra
29f9a7dc62
reduce test rounds for rangeproof and surjectionproof
2020-12-03 15:35:50 +00:00
Jonas Nick
e0ced690cf
Rename rands64 to testrandi64
...
This is to make it consistent with upstream changes.
2020-11-05 22:07:30 +00:00
Jonas Nick
b0917f3de1
Merge remote-tracking branch 'upstream/master' into temp-merge-835
2020-11-05 20:21:38 +00:00
Andrew Poelstra
8b70795b5e
Fix BE platforms by updating endianness macros to match upstream
2020-10-12 13:44:16 +00:00
Jonas Nick
b74f2dc478
Remove mentions of DER in H derivation.
2020-07-24 14:59:36 +02:00
Jonas Nick
9957307c3f
Fix explanation of H derivation. It doesn't use DER encoding.
2020-07-24 14:59:36 +02:00
Jonas Nick
2a1750dedd
Clarify how to derive alternative generator H
2020-07-24 14:59:36 +02:00
Gregory Sanders
3cdc02ef8a
use proper types for rangeproof min/max
2020-07-24 14:50:49 +02:00
Andrew Poelstra
cf21c9d715
rangeproof: reduce iteration count in unit tests
2020-07-24 14:50:49 +02:00
Andrew Poelstra
936d62f248
add unit test for generator and pedersen commitment roundtripping
2020-07-24 14:50:48 +02:00
Andrew Poelstra
e06540de8c
rangeproof: fix serialization of pedersen commitments
2020-07-24 14:50:48 +02:00
Andrew Poelstra
edb879f578
rangeproof: verify correctness of pedersen commitments when parsing
2020-07-24 14:50:48 +02:00
Andrew Poelstra
fca4c3b62f
generator: verify correctness of point when parsing
2020-07-24 14:50:48 +02:00
Andrew Poelstra
c50b218698
rangeproof: check that points deserialize correctly when verifying rangeproof
2020-07-24 14:50:48 +02:00
Andrew Poelstra
c33e597245
rangeproof: add fixed vector test case
2020-07-24 14:50:48 +02:00
Tim Ruffing
47be098bac
Test for rejection of trailing bytes in range proofs
2020-07-24 14:50:48 +02:00
Andrew Poelstra
e13bdf2f23
rangeproof: add API tests
2020-07-24 14:49:33 +02:00
Andrew Poelstra
002002e735
rangeproof: fix memory leak in unit tests
2020-07-24 14:49:33 +02:00
Andrew Poelstra
94425d4a67
rangeproof: several API changes
...
* add summing function for blinded generators
* drop `excess` and `gen` from `verify_tally`
* add extra_commit to rangeproof sign and verify
2020-07-24 14:49:33 +02:00
Pieter Wuille
f6c84a02f3
Expose generator in pedersen/rangeproof API
2020-07-24 14:49:33 +02:00
Andrew Poelstra
e7a8a5f638
rangeproof: expose sidechannel message field in the signing API
...
Including a fix by Jonas Nick.
2020-07-24 14:49:33 +02:00
Andrew Poelstra
a88db4a744
[RANGEPROOF BREAK] Use quadratic residue for tie break and modularity cleanup
...
Switch to secp256k1_pedersen_commitment by Andrew Poelstra.
Switch to quadratic residue based disambiguation by Pieter Wuille.
2020-07-24 14:49:33 +02:00
Gregory Maxwell
16618fcd8d
Pedersen commitments, borromean ring signatures, and ZK range proofs.
...
This commit adds three new cryptosystems to libsecp256k1:
Pedersen commitments are a system for making blinded commitments
to a value. Functionally they work like:
commit_b,v = H(blind_b || value_v),
except they are additively homomorphic, e.g.
C(b1, v1) - C(b2, v2) = C(b1 - b2, v1 - v2) and
C(b1, v1) - C(b1, v1) = 0, etc.
The commitments themselves are EC points, serialized as 33 bytes.
In addition to the commit function this implementation includes
utility functions for verifying that a set of commitments sums
to zero, and for picking blinding factors that sum to zero.
If the blinding factors are uniformly random, pedersen commitments
have information theoretic privacy.
Borromean ring signatures are a novel efficient ring signature
construction for AND/OR admissions policies (the code here implements
an AND of ORs, each of any size). This construction requires
32 bytes of signature per pubkey used plus 32 bytes of constant
overhead. With these you can construct signatures like "Given pubkeys
A B C D E F G, the signer knows the discrete logs
satisfying (A || B) & (C || D || E) & (F || G)".
ZK range proofs allow someone to prove a pedersen commitment is in
a particular range (e.g. [0..2^64)) without revealing the specific
value. The construction here is based on the above borromean
ring signature and uses a radix-4 encoding and other optimizations
to maximize efficiency. It also supports encoding proofs with a
non-private base-10 exponent and minimum-value to allow trading
off secrecy for size and speed (or just avoiding wasting space
keeping data private that was already public due to external
constraints).
A proof for a 32-bit mantissa takes 2564 bytes, but 2048 bytes of
this can be used to communicate a private message to a receiver
who shares a secret random seed with the prover.
Also: get rid of precomputed H tables (Pieter Wuille)
2020-07-24 14:49:33 +02:00