Rebase on upstream dbd41db16a0e91b2566820898a3ab2d7dad4fe00 #91
Conversation
This commit adds three new cryptosystems to libsecp256k1: Pedersen commitments are a system for making blinded commitments to a value. Functionally they work like: commit_b,v = H(blind_b || value_v), except they are additively homorphic, e.g. C(b1, v1) - C(b2, v2) = C(b1 - b2, v1 - v2) and C(b1, v1) - C(b1, v1) = 0, etc. The commitments themselves are EC points, serialized as 33 bytes. In addition to the commit function this implementation includes utility functions for verifying that a set of commitments sums to zero, and for picking blinding factors that sum to zero. If the blinding factors are uniformly random, pedersen commitments have information theoretic privacy. Borromean ring signatures are a novel efficient ring signature construction for AND/OR admissions policies (the code here implements an AND of ORs, each of any size). This construction requires 32 bytes of signature per pubkey used plus 32 bytes of constant overhead. With these you can construct signatures like "Given pubkeys A B C D E F G, the signer knows the discrete logs satisifying (A || B) & (C || D || E) & (F || G)". ZK range proofs allow someone to prove a pedersen commitment is in a particular range (e.g. [0..2^64)) without revealing the specific value. The construction here is based on the above borromean ring signature and uses a radix-4 encoding and other optimizations to maximize efficiency. It also supports encoding proofs with a non-private base-10 exponent and minimum-value to allow trading off secrecy for size and speed (or just avoiding wasting space keeping data private that was already public due to external constraints). A proof for a 32-bit mantissa takes 2564 bytes, but 2048 bytes of this can be used to communicate a private message to a receiver who shares a secret random seed with the prover. Also: get rid of precomputed H tables (Pieter Wuille)
… cleanup Switch to secp256k1_pedersen_commitment by Andrew Poelstra. Switch to quadratic residue based disambiguation by Pieter Wuille.
Including a fix by Jonas Nick.
* add summing function for blinded generators * drop `excess` and `gen` from `verify_tally` * add extra_commit to rangeproof sign and verify
Includes fix and tests by Jonas Nick.
Include test_impl.h
Was failing linking to `*.so` library
…` constant and set it to 16
f make helper functions static f hash noncedata into nonce in nonce_function_bipschnorr f expose nonce_function_bipschnorr f fix undefined behavior when shifting an int 31 places f add cplusplus ifdef to schnorrsig include file f hash complete pubkey into batch seed f chacha20 for bigendians f add schnorrsig to travis f show in configure if schnorrsig is enabled
…gn for p2c/taproot commitments
remove the set_msg function and require the message in get_public_nonce at the latest.
|
|
||
| #undef ROTL32 | ||
| #undef QUARTERROUND | ||
| #undef LE32 |
There was a problem hiding this comment.
Can't find a BE32 in this file
There was a problem hiding this comment.
Indeed, was removed in cb8f059, so it was a rebase error on my side.
|
|
||
| #undef ROTL32 | ||
| #undef QUARTERROUND | ||
| #undef LE32 |
|
Thanks for the review!
I think that's to be expected. This branch will become master and the previous master will be renamed to something else (#68 (comment)). |
There was a problem hiding this comment.
I was able to re-create this branch by doing a git rebase upstream/master myself on this branch https://github.com/nkohen/secp256k1-zkp/commits/rebase-on-upstream
(and then adding two commits to fix up benchmarks and tests and config/travis stuff)
|
Didn't push the branch in this PR to the secp256k1-zkp branch but instead pushed https://github.com/real-or-random/secp256k1-zkp/tree/202007-secp256k1-rebase. @real-or-random same recreated the almost the same history but cleand it up a bit and rebased on a newer version of upstream libsecp. Closing. |
|
The pre force push |
post-(merge ?) ACK |
Fixes #85. My personal motivation is that I'd like to add a few modules soon that would benefit from the latest upstream changes, but are more appropriate to add here than upstream (such as ECDSA adaptor sigs @nkohen).
This PR was created by running
git rebase upstream/master.The only conflicts I had to fix were
See this branch for the fixups I applied).
Should be easy to review/recreate @apoelstra @real-or-random @benma