Provides a method that will give an upper bound on the size of a rangeproof,
given an upper bound on the value to be passed in and an upper bound on the
min_bits parameter.
There is a lot of design freedom here since the actual size of the rangeproof
depends on every parameter passed to rangeproof_sign, including the value to
be proven, often in quite intricate ways. For the sake of simplicity we assume
a nonzero `min_value` and that `exp` will be 0 (the default, and size-maximizing,
choice), and provide an exact value for a proof of the given value and min_bits.
5ac8fb035e surjectionproof: make sure that n_used_pubkeys > 0 in generate (Jonas Nick)
Pull request description:
ACKs for top commit:
apoelstra:
utACK 5ac8fb035e
Tree-SHA512: 915f7181e69e2c4e1f830d6c2620a2d9b0af4d2ae8a63709b489b01ed9e13ccfeeaedebd4680cf2d927cd473a6ae88602cf29e2fdd116cb597fba6c0ab77720d
If the proof was generated with surjectionproof_initialize (as mandated by the
API docs), then n_used_pubkeys can never be 0. Without this commit, compilers
will (rightfully) warn that borromean_s[ring_input_index] is not initialized in
surjectionproof_generate. Therefore, this commit makes sure that n_used_pubkeys
is greater than 0 which ensures that the array is initialized at
ring_input_index.
5a40f3d99b replace memcmp with secp256k1_memcmp_var throughout the codebase (Andrew Poelstra)
92820d944b rangeproof: add a test for all-zero blinding factors (Andrew Poelstra)
Pull request description:
I was curious about under what conditions you can create a rangeproof on an "unblinded" commitment which has a zero blinding factor. Apparently the answer is "when you are proving at least 3-bits". In this case rewinding words and you can encode 32 bytes of data. (In fact I believe you can encode up to 128 but I haven't tested that.)
ACKs for top commit:
real-or-random:
utACK 5a40f3d99b
Tree-SHA512: bed7f9362d082d2b56668809077d5ddde52280109c992a290d87b55cb70138a08799fcca18cafbb3b3e9efed4349418bf9bb2c0ccedacdce0567e841e6d21e13
347f96d94a fix include paths in all the -zkp modules (Andrew Poelstra)
Pull request description:
This is causing out-of-tree build failures in Elements.
ACKs for top commit:
real-or-random:
utACK 347f96d94a
Tree-SHA512: 7d6211f3b8d5612f95bcb3085c22458e7ceaa79f1ee74e37404cc6d1fdf0fbc02b4443b02623b9b6c1225437c1a1954b6d36a953d52b020ac7913326404894e0
d1175d265d surjectionproof: use secp256k1_memcmp_var rather than bare memcmp (Andrew Poelstra)
bf18ff5a8c surjectionproof: fix generation to fail when any input == the output (Andrew Poelstra)
4ff6e4274d surjectionproof: add test for existing behavior on input=output proofs (Andrew Poelstra)
Pull request description:
If any ephemeral input tag equals the ephemeral output tag (i.e. an input asset is exactly equal to the output asset), verification will fail due to an unexpected interaction between our surjectionproof logic and the underlying borromean ring siganture logic. However, our generation code still allows creating proofs like this, "succeeding" in creating bad proofs.
Since we cannot fix the verification side without hardforking Liquid, fix the generation side to fail in this situation.
ACKs for top commit:
real-or-random:
utACK d1175d265d
Tree-SHA512: c15e130de028d6c1f705543fe2774ec23016c71f9d6b38ef0708820a517d156e2126f8369e94f16f9fd1855c29cd907d406f6ea26c95499a9ae1ce0dd92f77b2
67247e53af musig-spec: More minor cleanup (Elliott Jin)
Pull request description:
ACKs for top commit:
jonasnick:
ACK 67247e53af
Tree-SHA512: 8ea2880aef0bd69e2faf10a5eb44d5ba3839867565bd735a4582189f04ea54ab73ec23f04d08aed1d10bc5aaa55bab688ff4cb4e733dc73e2a5946f9a187c7ac
376733b58b musig-spec: clarify hashing in noncegen by converting ints to bytes (Jonas Nick)
Pull request description:
ACKs for top commit:
real-or-random:
ACK 376733b58b
Tree-SHA512: c4708c476094d242fe7312177e345932bd40b52549007b43d2e5e4efc094101624d8583647f305bcbd042692a9d0117eda38f71e22fee0e0f49d677d9f512a8e
b7f8ea2f2a musig-spec: address robot-dreams' comments (Jonas Nick)
Pull request description:
- KeyAggCoeff' -> KeyAggCoeffInternal for consistency
- In Sign, add mod n when calculating d
- In Tweak, reorder the parameters to (Q, gacc, tacc, tweak, is_xonly) because
the first three are "state" arguments
- Rename Tweak function to ApplyTweak to avoid confusion with tweak (the
vector). This becomes apparent in the python reference code.
ACKs for top commit:
real-or-random:
ACK b7f8ea2f2a
Tree-SHA512: 6f9066af2f67b6d2769f38ebb2537769568e77bab18d487590a0095a695eab5c34a7177e4d299f27e3e30628dd07aff831f3f08db256cf2ae13ea0d92f3e18b8
- KeyAggCoeff' -> KeyAggCoeffInternal for consistency
- In Sign, add mod n when calculating d
- In Tweak, reorder the parameters to (Q, gacc, tacc, tweak, is_xonly) because
the first three are "state" arguments
- Rename Tweak function to ApplyTweak to avoid confusion with tweak (the
vector). This becomes apparent in the python reference code.
fd51a6281e musig-spec: add authors (Jonas Nick)
f56e223a7a musig-spec: explain NonceGen and tweaking in signing flow context (Jonas Nick)
e463ea42bb musig-spec: mention stateless signing in signing flow (Jonas Nick)
a29b961eb7 musig-spec: add acknowledgements and improve abstract (Jonas Nick)
1a086ba9c9 musig-spec: add optional arguments to strengthen nonce function (Jonas Nick)
8d04ac318f musig-spec: remove unnecessary and inconsistent input paragraph (Jonas Nick)
Pull request description:
Based on #177
It's likely we're missing people in the acknowledgements. Ping me if you think you are.
ACKs for top commit:
real-or-random:
ACK fd51a6281e
Tree-SHA512: 5240b783c15f76655b2593422dc7c76de1c5e298bbe2f39858daca4ee1b1877f1ff179b4043e6f1f75f8c804b734f4bb739d38a18a54b094d8640c57fd074ed9
