Bulletproofs (rangeproofs only)

[apoelstra]

This is #16 without any of the arithmetic circuit stuff.

At this point there are probably still obvious code cleanliness things to be dealt with, but I think it's ready for review. I'd like to get this merged so that we can get the rangeproofs at least into Elements soon.

cc @sipa @real-or-random @jonasnick can a couple of you review this? I'm happy to split it into multple PRs if that makes sense.

[rodasmith]

(nit) s/to/two/

[real-or-random]

Discussions about ciphers can be annoying... Is there a specific reason to use chacha20? It's just used to derive randomness, why not rely on SHA256? I don't think that performance is a concern here. If performance is a concern, then I guess that AES is the canonical choice because of its hardware implementations (and constant-time software implementations are pretty good too). I know @sipa has looked into these things, so I could imagine that all of this has been discussed extensively and I'm just late to the party. It's also interesting for dicemix, which requires a PRG (or better a PRF) and needs much more randomness, each party needs O(|m| * n^2) bytes for n parties. So the performance of the PRF could be worth to think about and it would be preferable to use something which is already in libsecp256k1 of course. Am 26. Mai 2018 00:22:25 MESZ schrieb Andrew Poelstra <notifications@github.com>:

…

This is #16 without any of the arithmetic circuit stuff. At this point there are probably still obvious code cleanliness things to be dealt with, but I think it's ready for review. I'd like to get this merged so that we can get the rangeproofs at least into Elements soon. cc @sipa @real-or-random @jonasnick can a couple of you review this? I'm happy to split it into multple PRs if that makes sense. You can view, comment on, or merge this pull request online at: #23 -- Commit Summary -- * generator: add constant G and H generators * add chacha20 function * split Pedersen commitments out into their own module * commitment: allow setting the blinding factor generator for Pedersen commitments * bulletproofs: add module, full support for rangeproofs * bulletproofs: add benchmark * bulletproofs: add rangeproof rewinding capability -- File Changes -- M .gitignore (3) M Makefile.am (8) M configure.ac (50) A include/secp256k1_bulletproofs.h (185) A include/secp256k1_commitment.h (167) M include/secp256k1_generator.h (6) M include/secp256k1_rangeproof.h (157) A src/bench_bulletproof.c (337) M src/bench_rangeproof.c (9) A src/modules/bulletproofs/Makefile.am.include (12) A src/modules/bulletproofs/inner_product_impl.h (786) A src/modules/bulletproofs/main_impl.h (249) A src/modules/bulletproofs/rangeproof_impl.h (792) A src/modules/bulletproofs/tests_impl.h (616) A src/modules/bulletproofs/util.h (116) A src/modules/commitment/Makefile.am.include (4) A src/modules/commitment/main_impl.h (186) A src/modules/commitment/pedersen_impl.h (38) A src/modules/commitment/tests_impl.h (230) M src/modules/generator/main_impl.h (26) M src/modules/rangeproof/Makefile.am.include (2) M src/modules/rangeproof/main_impl.h (187) D src/modules/rangeproof/pedersen.h (22) D src/modules/rangeproof/pedersen_impl.h (51) M src/modules/rangeproof/rangeproof_impl.h (12) M src/modules/rangeproof/tests_impl.h (318) M src/scalar.h (3) M src/scalar_4x64_impl.h (91) M src/scalar_8x32_impl.h (100) M src/scalar_low_impl.h (5) M src/secp256k1.c (18) M src/tests.c (70) -- Patch Links -- https://github.com/ElementsProject/secp256k1-zkp/pull/23.patch https://github.com/ElementsProject/secp256k1-zkp/pull/23.diff -- You are receiving this because you were mentioned. Reply to this email directly or view it on GitHub: #23

[apoelstra]

It was performance motivated. The prover derives 64 * n_gates bytes of randomness, so there was a measurable performance improvement from using chacha. In the rewinding failure case, deriving randomness is a nontrivial portion of the computation (the whole thing is only a couple microseconds and a SHA2 compression is ~300 ns, so that's 10%).

Interesting observation about AES hardware. In general we haven't done any hardware-specific optimizations in -zkp, though we have assembler implementations of some operations upstream. Another motivation was to keep things simple, and chacha is (a) dead simple and (b) we already had code for it laying around in multiple places.

[real-or-random]

Okay I see, that makes sense. ChaCha20's software performance is certainly excellent and the way to go if hardware optimizations are not a goal, and they're indeed a doubly-edged sword: If you have AES-NI, AES is super fast and well, if you don't have it, then ChaCha20 is much faster. So ChaCha20 is a choice that does not prefer peers with a specific architecture [1]. And I think that's the right way to go in systems where everybody should be able to participate.

(That's by the way interesting for online protocols such as DiceMix. Everybody needs to wait for the slowest peer every round, so if you want to optimize for a lower wall-clock time, you can even make the argument that it makes sense to optimize for slower machines. Though I don't think that matters a lot for protocols where bandwidth is the bottleneck and not computation. But that's another story.)

[1] https://calomel.org/aesni_ssl_performance.html

[real-or-random]

More next week. :)

[real-or-random]

I need H = C.lift_x(F(int(hashlib.sha256(G_bytes).hexdigest(),16))) here.

[apoelstra]

Interesting, this must be a new change in sage. Thanks for the fix!

[real-or-random]

This right shift has undefined behavior if idx/size_t has 32 bits (or fewer). Same below.

(I guess this is rather a concern in the other file.)

[real-or-random]

This is still open.

[apoelstra]

idx is now a uint64_t.

[real-or-random]

This is related to the comment below: size_t idx is somewhat strange. The code below is intended to handle foridx values that are longer than 32 bits but then size_t is not the right type to do this consistently on every platform, i.e., the 32-bit and 64-bit machines will behave differently (even if idx >> 32 == 0 on a 32-bit machine).

My suggestion is to use uint32_t here and set x13 = 0 (and accept that we won't need more than 256 GiB of randomness. Another way is simply to use uint64_t.

[real-or-random]

I wouldn't use size_t for the two counter variables either (because the values do not express memory sizes). But in this case this is probably just personal taste. ;)

[real-or-random]

Does not compile for me.

src/bench_bulletproof.c:43:5: error: unknown type name ‘secp256k1_bulletproof_circuit’
     secp256k1_bulletproof_circuit **circ;
     ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~
src/bench_bulletproof.c:44:5: error: unknown type name ‘secp256k1_bulletproof_circuit_assignment’
     secp256k1_bulletproof_circuit_assignment *assn;
     ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
In file included from src/bench_bulletproof.c:12:
src/bench_bulletproof.c: In function ‘bench_bulletproof_circuit_setup’:
src/bench_bulletproof.c:109:11: warning: implicit declaration of function ‘secp256k1_bulletproof_circuit_prove’; did you mean ‘secp256k1_bulletproof_rangeproof_prove’? [-Wimplicit-function-declaration]
     CHECK(secp256k1_bulletproof_circuit_prove(data->common->ctx, data->common->scratch, data->common->generators, data->circ[0], data->common->proof[0], &data->common->plen, data->assn, NULL, 0, data->common->nonce, &data->common->value_gen[0], NULL, 0) == 1);
           ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

[apoelstra]

Derp, I forgot to commit the circuit-removal from the benchmarks. Fixed.

[real-or-random]

I know all of this is just moved code but here are a few nits... Feel free to ignore.

[real-or-random]

s/pedersen/Pedersen

[apoelstra]

I'll add a commit that fixes these typos and renames some things. I'll leave any re-ordering of arguments to future PRs because that'll break Elements.

[real-or-random]

indentation of the second column

[real-or-random]

I found initial initially confusing here. ;)

[real-or-random]

Pedersen

[real-or-random]

In the above function, n was the prefix for "number", so I expected ncommits to be the number of commitments, but this function apparently uses a cnt suffix.

[real-or-random]

Here the prefix is n_ even.

[real-or-random]

In secp256k1_pedersen_commit, we had the positive summands first, then the negative ones. Maybe this makes sense like this, I don't know.

[instagibbs]

I'd rather not move arguments around unless there's a strong argument, as they're in use already.

[real-or-random]

I tried to read the callback function in innerproduct_impl but I got lost in too many variables. The long comment is very nice but it's kind of hard to map the symbols in the comment to actual variable names, and all the cached/helper values add to my confusion.

I think a few comments to explain variables and to explain how some code lines relate to the verification formula would be helpful for further review.

[real-or-random]

s/G2/H

[real-or-random]

31 or 60?

[real-or-random]

n_precomp?

[real-or-random]

ull seems overkill

[real-or-random]

New comment intentional? You may want to wrap formulas in ``.

[real-or-random]

It's certainly okay to bail out here but usually we handle (computationally) unreachable code more gracefully.

[real-or-random]

Shouldn't secp256k1_bulletproof_generators store precomp_n too?

[apoelstra]

I think I should just drop the precomp stuff for this PR since it isn't actually used (I had hacked it in when testing Jonas' multiexp code but never implemented it in an acceptable way).

[apoelstra]

Dropped precomp.

[real-or-random]

An explanation of what is stored at what array index would have helped me a lot, including a comment that says that blinding_gen points into gens[]

[real-or-random]

s/secp256k1_bulletproof_generators_create/secp256k1_bulletproof_generators_generate
would be slightly more consistent with the naming in the generators module

[real-or-random]

const size_t *extra_commit_len

[real-or-random]

since you're adding bench_generator', you could also add the missing bench_whitelist`

[HaxThePlanet]

Any news on this making it's way into Elements? Looking forward to it

[apoelstra]

@real-or-random I replaced all the comments in the inner-product verification callback function. It should be possible to follow now.

[instagibbs]

Some preliminary comments with looking towards usage in Elements.

[instagibbs]

Is there any realistic upper-limit as per above constants, or can we go all the way up size_t modulo memory?

[apoelstra]

Not really any upper limit. They take a while to generate, on the order of 1000/sec.

[instagibbs]

I'd rather not move arguments around unless there's a strong argument, as they're in use already.

[instagibbs]

We really don't need to support Elements Alpha.

[apoelstra]

It's useful to have a standard second generator though for non-CA applications.

[apoelstra]

@instagibbs fixed your comments

[yeastplume]

We haven't been able to get secp_bulletproof_rangeproof_verify_multi working thus far. In our testing, it seems to work fine when passing in a single proof and a single commit but as soon as we pass in multiples (which verify when passing in one-by-one,) it refuses to validate.

Also noticing that none of the tests for verify_multi actually specify a length of more than a single commit. Might be worth adding a test or case or two for this?

[apoelstra]

Rebased on #35

[real-or-random]

As pointed out by drexl in IRC, we should make sure to read https://grin-tech.org/audits/jpa-audit-report.html and mimblewimble/secp256k1-zkp#37

[real-or-random]

I think the missing deallocate is the only thing that applies to this PR (but someone else should have a second look).

[real-or-random]

Suggested change

	if (overflow || secp256k1_scalar_is_zero(&blinds[i])) {
	if (overflow || secp256k1_scalar_is_zero(&blinds[i])) {
	secp256k1_scratch_deallocate_frame(scratch);

[real-or-random]

cc @veorq, just for reference

[garyyu]

The last parameter should be secp256k1_generator_const_g instead of secp256k1_generator_const_h.

Related PR in Grin: mimblewimble/secp256k1-zkp#44

[dr-orlovsky]

@apoelstra any chances of having this rebased and getting the great work and effort be finally merged?

[apoelstra]

@dr-orlovsky yes, very good chance in the next week or two :)

[apoelstra]

Closing this. Will retry in a more staged fashion.

[apoelstra]

Closing in favor of #108. Note that the new proofs are not remotely compatible with the old ones.