Bip Draft: Discrete Log Equality Proofs (DLEQ) #1689
Conversation
|
There was some previous discussion on this gist before making this PR |
jonatack
changed the title
jonatack
added
the
PR Author action required
|
Thanks for your comments @jonatack, @stratospher, @theStack. I've also updated the BIP to include the generator G as an input, and so the BIP is no longer specific to secp256k1. This was mentioned on the mailing list as an improvement to make this standard work with other curves as well. |
jonatack
removed
the
PR Author action required
There was a problem hiding this comment.
From an editorial standpoint this looks good so far. As mentioned by Jon, please include a Backwards Compatibility section, if only to state that there are no concerns.
I did not verify the cryptography of the proof, but after staring at it for a few minutes, I and perhaps other would perhaps benefit from a couple sentences of why/how the proof works e.g. as a footnote. I was also wondering whether you might want to expand on related work, alternate designs, and design decisions in this document. For example you might want to mention some of the things from the opening comment on the PR here, in the footnotes.
|
Fwiw, I've written a reference implementation of this BIP for secp256k1 in Python, see: https://github.com/theStack/bips/blob/bip-DLEQ-add_reference_impl/bip-DLEQ/reference.py |
bip-DLEQ.mediawiki
Outdated
| * Fail if ''k = 0''. | ||
| * Let ''R<sub>1</sub> = k⋅G''. | ||
| * Let ''R<sub>2</sub> = k⋅B''. | ||
| * Let ''e = int(hash<sub>BIP0???/challenge</sub>(cbytes(A) || cbytes(B) || cbytes(C) || cbytes(G) || cbytes(R<sub>1</sub>) || cbytes(R<sub>2</sub>)))''. |
There was a problem hiding this comment.
nit: I wonder if it is really needed to also include the generator point in the challenge hash? Seems excessive to me as its implicitly included in all other points. Generally I'm not sure what are the best practices here, since this seems to be the first BIP where the generator point can be generic and is not defined as the one in secp256k1.
There was a problem hiding this comment.
Are we sure we can remove this? I added it to reference.py in case.
murchandamus
added
the
PR Author action required
Co-authored-by: Sebastian Falbesoner <sebastian.falbesoner@gmail.com>
Co-authored-by: Sebastian Falbesoner <sebastian.falbesoner@gmail.com>
jonatack
removed
the
PR Author action required
Squashed from the following commits: - Add skeleton for generating DLEQ proof test vectors - Add run_test_vectors.py counterpart for generated DLEQ proofs - Add DLEQ test vectors for proof verification
|
A first draft for DLEQ test vectors is available now (special thanks to @stratospher for discussing the BIP and collecting test ideas together!): https://github.com/theStack/bips/tree/bip-DLEQ-add_test_vectors (commit theStack@6b16952) They can be generated and ran by: There are probably more failure and edge cases possible, but they at least already paid off by revealing a bug in the reference implementation (see comments below; the fix is included as a separate commit in the branch). Also, by now only secp256k1's generator point is exercised. Further test ideas and comments are very welcome! @jonatack @murchandamus: Is there still something to be done for assigning a BIP number? 🤠 |
@murchandamus I added some text on a few design decisions, as well as a description section describing the algebra of the proof. |
|
Thanks!
I was waiting for the review to be addressed, but now it’s back on my review list. I’ll consider that point when I get around to review. |
This BIP specifies a standard way to generate and verify DLEQ proofs. This is motivated by sending to silent payments in PSBTs. However, there are also other uses where DLEQs could be useful, so it would be good to have this BIP for others to reference.
This is inspired by https://github.com/discreetlogcontracts/dlcspecs/blob/master/ECDSA-adaptor.md#proof-of-discrete-logarithm-equality, but is a little more specific.
There is an implementation of that already at https://github.com/BlockstreamResearch/secp256k1-zkp/blob/master/src/modules/ecdsa_adaptor/dleq_impl.h, which this BIP attempts to be compatible with.
Inital ML post: https://groups.google.com/g/bitcoindev/c/MezoKV5md7s