rangeproof: several API changes

* add summing function for blinded generators * drop `excess` and `gen` from `verify_tally` * add extra_commit to rangeproof sign and verify
2016-07-06 15:44:09 +00:00
parent 21bfb3c91a
commit a2bc6604f9
11 changed files with 266 additions and 87 deletions
--- a/include/secp256k1_rangeproof.h
+++ b/include/secp256k1_rangeproof.h
@@ -16,8 +16,7 @@ extern "C" {
 *  guaranteed to be portable between different platforms or versions. It is
 *  however guaranteed to be 33 bytes in size, and can be safely copied/moved.
 *  If you need to convert to a format suitable for storage or transmission, use
- *  the secp256k1_pedersen_commitment_serialize_* and
- *  secp256k1_pedersen_commitment_serialize_* functions.
+ *  secp256k1_pedersen_commitment_serialize and secp256k1_pedersen_commitment_parse.
 *
 *  Furthermore, it is guaranteed to identical signatures will have identical
 *  representation, so they can be memcmp'ed.
@@ -71,7 +70,7 @@ void secp256k1_pedersen_context_initialize(secp256k1_context* ctx);
 *
 *  Blinding factors can be generated and verified in the same way as secp256k1 private keys for ECDSA.
 */
-SECP256K1_WARN_UNUSED_RESULT int secp256k1_pedersen_commit(
+SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_pedersen_commit(
  const secp256k1_context* ctx,
  secp256k1_pedersen_commitment *commit,
  const unsigned char *blind,
@@ -88,7 +87,7 @@ SECP256K1_WARN_UNUSED_RESULT int secp256k1_pedersen_commit(
 *          nneg:       how many of the initial factors should be treated with a positive sign.
 *  Out:    blind_out:  pointer to a 32-byte array for the sum (cannot be NULL)
 */
-SECP256K1_WARN_UNUSED_RESULT int secp256k1_pedersen_blind_sum(
+SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_pedersen_blind_sum(
  const secp256k1_context* ctx,
  unsigned char *blind_out,
  const unsigned char * const *blinds,
@@ -104,24 +103,57 @@ SECP256K1_WARN_UNUSED_RESULT int secp256k1_pedersen_blind_sum(
 *         pcnt:       number of commitments pointed to by commits.
 *         ncommits:   pointer to array of pointers to the negative commitments. (cannot be NULL if ncnt is non-zero)
 *         ncnt:       number of commitments pointed to by ncommits.
- *         excess:     signed 64bit amount to add to the total to bring it to zero, can be negative.
 *
- * This computes sum(commit[0..pcnt)) - sum(ncommit[0..ncnt)) - excess*H == 0.
+ * This computes sum(commit[0..pcnt)) - sum(ncommit[0..ncnt)) == 0.
 *
- * A pedersen commitment is xG + vH where G and H are generators for the secp256k1 group and x is a blinding factor,
- * while v is the committed value. For a collection of commitments to sum to zero both their blinding factors and
- * values must sum to zero.
+ * A pedersen commitment is xG + vA where G and A are generators for the secp256k1 group and x is a blinding factor,
+ * while v is the committed value. For a collection of commitments to sum to zero, for each distinct generator
+ * A all blinding factors and all values must sum to zero.
 *
 */
-SECP256K1_WARN_UNUSED_RESULT int secp256k1_pedersen_verify_tally(
+SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_pedersen_verify_tally(
  const secp256k1_context* ctx,
  const secp256k1_pedersen_commitment * const* commits,
  size_t pcnt,
  const secp256k1_pedersen_commitment * const* ncommits,
-  size_t ncnt,
-  int64_t excess,
-  const secp256k1_generator *gen
-) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(4) SECP256K1_ARG_NONNULL(7);
+  size_t ncnt
+) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(4);
+
+/** Sets the final Pedersen blinding factor correctly when the generators themselves
+ *  have blinding factors.
+ *
+ * Consider a generator of the form A' = A + rG, where A is the "real" generator
+ * but A' is the generator provided to verifiers. Then a Pedersen commitment
+ * P = vA' + r'G really has the form vA + (vr + r')G. To get all these (vr + r')
+ * to sum to zero for multiple commitments, we take three arrays consisting of
+ * the `v`s, `r`s, and `r'`s, respectively called `value`s, `generator_blind`s
+ * and `blinding_factor`s, and sum them.
+ *
+ * The function then subtracts the sum of all (vr + r') from the last element
+ * of the `blinding_factor` array, setting the total sum to zero.
+ *
+ * Returns 1 always.
+ *
+ * In:                 ctx: pointer to a context object
+ *                   value: array of asset values, `v` in the above paragraph.
+ *                          May not be NULL unless `n_total` is 0.
+ *         generator_blind: array of asset blinding factors, `r` in the above paragraph
+ *                          May not be NULL unless `n_total` is 0.
+ *                 n_total: Total size of the above arrays
+ *                n_inputs: How many of the initial array elements represent commitments that
+ *                          will be negated in the final sum
+ * In/Out: blinding_factor: array of commitment blinding factors, `r'` in the above paragraph
+ *                          May not be NULL unless `n_total` is 0.
+ *                          the last value will be modified to get the total sum to zero.
+ */
+SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_pedersen_blind_generator_blind_sum(
+  const secp256k1_context* ctx,
+  const uint64_t *value,
+  const unsigned char* const* generator_blind,
+  unsigned char* const* blinding_factor,
+  size_t n_total,
+  size_t n_inputs
+);

 /** Initialize a context for usage with Pedersen commitments. */
 void secp256k1_rangeproof_context_initialize(secp256k1_context* ctx);
@@ -133,18 +165,22 @@ void secp256k1_rangeproof_context_initialize(secp256k1_context* ctx);
 *       commit: the commitment being proved. (cannot be NULL)
 *       proof: pointer to character array with the proof. (cannot be NULL)
 *       plen: length of proof in bytes.
+ *       extra_commit: additional data covered in rangeproof signature
+ *       extra_commit_len: length of extra_commit byte array (0 if NULL)
 * Out:  min_value: pointer to a unsigned int64 which will be updated with the minimum value that commit could have. (cannot be NULL)
 *       max_value: pointer to a unsigned int64 which will be updated with the maximum value that commit could have. (cannot be NULL)
 */
-SECP256K1_WARN_UNUSED_RESULT int secp256k1_rangeproof_verify(
+SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_rangeproof_verify(
  const secp256k1_context* ctx,
  uint64_t *min_value,
  uint64_t *max_value,
  const secp256k1_pedersen_commitment *commit,
  const unsigned char *proof,
  size_t plen,
+  const unsigned char *extra_commit,
+  size_t extra_commit_len,
  const secp256k1_generator* gen
-) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4) SECP256K1_ARG_NONNULL(5) SECP256K1_ARG_NONNULL(7);
+) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4) SECP256K1_ARG_NONNULL(5) SECP256K1_ARG_NONNULL(9);

 /** Verify a range proof proof and rewind the proof to recover information sent by its author.
 *  Returns 1: Value is within the range [0..2^64), the specifically proven range is in the min/max value outputs, and the value and blinding were recovered.
@@ -154,6 +190,8 @@ SECP256K1_WARN_UNUSED_RESULT int secp256k1_rangeproof_verify(
 *        proof: pointer to character array with the proof. (cannot be NULL)
 *        plen: length of proof in bytes.
 *        nonce: 32-byte secret nonce used by the prover (cannot be NULL)
+ *        extra_commit: additional data covered in rangeproof signature
+ *        extra_commit_len: length of extra_commit byte array (0 if NULL)
 *  In/Out: blind_out: storage for the 32-byte blinding factor used for the commitment
 *        value_out: pointer to an unsigned int64 which has the exact value of the commitment.
 *        message_out: pointer to a 4096 byte character array to receive message data from the proof author.
@@ -161,7 +199,7 @@ SECP256K1_WARN_UNUSED_RESULT int secp256k1_rangeproof_verify(
 *        min_value: pointer to an unsigned int64 which will be updated with the minimum value that commit could have. (cannot be NULL)
 *        max_value: pointer to an unsigned int64 which will be updated with the maximum value that commit could have. (cannot be NULL)
 */
-SECP256K1_WARN_UNUSED_RESULT int secp256k1_rangeproof_rewind(
+SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_rangeproof_rewind(
  const secp256k1_context* ctx,
  unsigned char *blind_out,
  uint64_t *value_out,
@@ -173,8 +211,10 @@ SECP256K1_WARN_UNUSED_RESULT int secp256k1_rangeproof_rewind(
  const secp256k1_pedersen_commitment *commit,
  const unsigned char *proof,
  size_t plen,
+  const unsigned char *extra_commit,
+  size_t extra_commit_len,
  const secp256k1_generator *gen
-) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(6) SECP256K1_ARG_NONNULL(7) SECP256K1_ARG_NONNULL(8) SECP256K1_ARG_NONNULL(9) SECP256K1_ARG_NONNULL(10) SECP256K1_ARG_NONNULL(12);
+) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(6) SECP256K1_ARG_NONNULL(7) SECP256K1_ARG_NONNULL(8) SECP256K1_ARG_NONNULL(9) SECP256K1_ARG_NONNULL(10) SECP256K1_ARG_NONNULL(14);

 /** Author a proof that a committed value is within a range.
 *  Returns 1: Proof successfully created.
@@ -189,6 +229,10 @@ SECP256K1_WARN_UNUSED_RESULT int secp256k1_rangeproof_rewind(
 *                  (-1 is a special case that makes the value public. 0 is the most private.)
 *          min_bits: Number of bits of the value to keep private. (0 = auto/minimal, - 64).
 *          value:  Actual value of the commitment.
+ *          message: pointer to a byte array of data to be embedded in the rangeproof that can be recovered by rewinding the proof
+ *          msg_len: size of the message to be embedded in the rangeproof
+ *          extra_commit: additional data to be covered in rangeproof signature
+ *          extra_commit_len: length of extra_commit byte array (0 if NULL)
 *  In/out: plen:   point to an integer with the size of the proof buffer and the size of the constructed proof.
 *
 *  If min_value or exp is non-zero then the value must be on the range [0, 2^63) to prevent the proof range from spanning past 2^64.
@@ -198,7 +242,7 @@ SECP256K1_WARN_UNUSED_RESULT int secp256k1_rangeproof_rewind(
 *  This can randomly fail with probability around one in 2^100. If this happens, buy a lottery ticket and retry with a different nonce or blinding.
 *
 */
-SECP256K1_WARN_UNUSED_RESULT int secp256k1_rangeproof_sign(
+SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_rangeproof_sign(
  const secp256k1_context* ctx,
  unsigned char *proof,
  size_t *plen,
@@ -211,8 +255,10 @@ SECP256K1_WARN_UNUSED_RESULT int secp256k1_rangeproof_sign(
  uint64_t value,
  const unsigned char *message,
  size_t msg_len,
+  const unsigned char *extra_commit,
+  size_t extra_commit_len,
  const secp256k1_generator *gen
-) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(5) SECP256K1_ARG_NONNULL(6) SECP256K1_ARG_NONNULL(7) SECP256K1_ARG_NONNULL(13);
+) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(5) SECP256K1_ARG_NONNULL(6) SECP256K1_ARG_NONNULL(7) SECP256K1_ARG_NONNULL(15);

 /** Extract some basic information from a range-proof.
 *  Returns 1: Information successfully extracted.
@@ -225,7 +271,7 @@ SECP256K1_WARN_UNUSED_RESULT int secp256k1_rangeproof_sign(
 *        min_value: pointer to an unsigned int64 which will be updated with the minimum value that commit could have. (cannot be NULL)
 *        max_value: pointer to an unsigned int64 which will be updated with the maximum value that commit could have. (cannot be NULL)
 */
-SECP256K1_WARN_UNUSED_RESULT int secp256k1_rangeproof_info(
+SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_rangeproof_info(
  const secp256k1_context* ctx,
  int *exp,
  int *mantissa,