WIP: bulletproofs #16
Conversation
apoelstra
force-pushed
the
bulletproofs
branch
3 times, most recently
from
89d844e
to
c9d66d2
Compare
apoelstra
force-pushed
the
bulletproofs
branch
from
c9d66d2
to
f22f0c0
Compare
| /* Compute Ti = t_i*A + tau_i*G for i = 1,2 */ | ||
| secp256k1_gej_set_ge(&tmpj, genp); | ||
| secp256k1_ecmult(ecmult_ctx, &tj[0], &tmpj, &t1, &tau1); | ||
| secp256k1_ecmult(ecmult_ctx, &tj[1], &tmpj, &t2, &tau2); |
There was a problem hiding this comment.
Both these ecmult need to be constant time since tau1 and tau2 are secrets.
apoelstra
force-pushed
the
bulletproofs
branch
from
f22f0c0
to
ab92bbf
Compare
|
Doesn't compile: |
|
Try now? that constant is defined in include/secp256k1_bulletproofs.h, maybe I forgot to commit that in an earlier patchset. |
|
Looks like some files in the |
| row = &w[index]; | ||
|
|
||
| row->size++; | ||
| row->entry = checked_realloc(&ctx->error_callback, row->entry, row->size * sizeof(*row->entry)); |
There was a problem hiding this comment.
row->entry is never freed
| ret->wv = (secp256k1_bulletproof_wmatrix_row *)checked_malloc(&ctx->error_callback, ret->n_commits * sizeof(*ret->wv)); | ||
| ret->c = (secp256k1_scalar *)checked_malloc(&ctx->error_callback, ret->n_constraints * sizeof(*ret->wl)); | ||
|
|
||
| ret->scratch = (secp256k1_scalar *)checked_malloc(&ctx->error_callback, ret->n_constraints * sizeof(*ret->scratch)); |
|
Got a compilation error: |
|
@benma sorry, you have to disable exhaustive tests for now. |
apoelstra
force-pushed
the
bulletproofs
branch
2 times, most recently
from
3a13492
to
1d5899f
Compare
|
update with current state, rebase on current |
apoelstra
force-pushed
the
bulletproofs
branch
3 times, most recently
from
d8b95b9
to
66d79b3
Compare
apoelstra
force-pushed
the
bulletproofs
branch
7 times, most recently
from
1043ca4
to
ffdd7e5
Compare
|
@sipa When you get a chance, can you take a look at my rebase branch at https://github.com/apoelstra/secp256k1-mw/tree/secp256k1-zkp-rebase ? Aside from the rebase, I think this PR is ready for review. |
apoelstra
force-pushed
the
bulletproofs
branch
2 times, most recently
from
2b50d19
to
1b2d5cc
Compare
apoelstra
force-pushed
the
bulletproofs
branch
from
83e933f
to
9fedd82
Compare
|
Rebased on #23 |
…oof_init_p_give_up Add comment to explain effect of max_n_iterations in surjectionproof_…
apoelstra
force-pushed
the
bulletproofs
branch
from
9fedd82
to
bc4a532
Compare
…commitments We now use ecmult_const rather than ecmult_gen, which will slow down the generation of Pedersen commitments. However as far as I'm aware, this is never the bottleneck in proof generation.
apoelstra
force-pushed
the
bulletproofs
branch
from
bc4a532
to
9c3ba0c
Compare
apoelstra
force-pushed
the
secp256k1-zkp
branch
from
e100037
to
53ad841
Compare
There was a problem hiding this comment.
I added a couple of fixes and clarifications to my musig-dn branch (https://github.com/jonasnick/secp256k1-zkp/tree/bulletproof-musig-dn). Feel free to cherry-pick.
e34a03e Document that bulletproof_circuit_prove blinding factors can not be 0
912741d Fix unintialized memory in bulletproof circuit verify if nr of multiplication gates is not a power of 2
acf9efe Fix heap overflow when bulletproving a circuit without constraints
745f6a5 Document secp256k1_bulletproof_circuit_decode format
a9f3a2c bulletproof example
70e8c71 Add ability to evaluate an arithmetic circuit with a given assignment
9fe6454 Allow committing to an arbitrary value and not only a 64 bit int
66cad17 Add function to compare bulletproof circuits
| fclose(fh); | ||
| return NULL; | ||
| } | ||
| row_width = secp256k1_bulletproof_encoding_width(ret->n_gates); |
There was a problem hiding this comment.
shouldn't row_width be dependent on the n_constraints instead of n_gates? Every entry in a row encodes the index of the constraint (also encoded with row_width-many bytes) the wire is added to and the factor the wire is multiplied with in that constraint. Therefore there are at most n_constraint many entries in a row.
add compact signature encoding
|
Closing this. It's good to remember that the code is here to crib from when we revisit the inner product argument, but there's no value in keeping an open PR for it. |
Based on rebase of strauss-multiexp from upstream onto -zkp
TODO rangeproof aggregationTODO const time provingTODO pippenger supportTODO 48-bit (and generally non-power-of-2) rangeproofs and aggregates
TODO general arithmetic circuit support