Skip to content

/ secp256k1-zkp

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

WIP: bulletproofs #16

Closed
wants to merge 64 commits into from
Closed

WIP: bulletproofs #16

wants to merge 64 commits into from

Conversation

@apoelstra
Copy link
Member

@apoelstra apoelstra commented Nov 27, 2017
edited

Based on rebase of strauss-multiexp from upstream onto -zkp

TODO rangeproof aggregation
TODO const time proving
TODO pippenger support
TODO 48-bit (and generally non-power-of-2) rangeproofs and aggregates
TODO general arithmetic circuit support
@apoelstra apoelstra force-pushed the apoelstra:bulletproofs branch 3 times, most recently from 89d844e to c9d66d2 Nov 27, 2017
@yeastplume yeastplume mentioned this pull request Dec 5, 2017
Closed
@apoelstra apoelstra force-pushed the apoelstra:bulletproofs branch from c9d66d2 to f22f0c0 Dec 10, 2017
@apoelstra
apoelstra reviewed Jan 19, 2018
View changes
src/modules/bulletproof/rangeproof_impl.h Outdated
/* Compute Ti = t_i*A + tau_i*G for i = 1,2 */
secp256k1_gej_set_ge(&tmpj, genp);
secp256k1_ecmult(ecmult_ctx, &tj[0], &tmpj, &t1, &tau1);
secp256k1_ecmult(ecmult_ctx, &tj[1], &tmpj, &t2, &tau2);

This comment has been minimized.

Sign in to view
@apoelstra

apoelstra Jan 19, 2018
Author Member

Both these ecmult need to be constant time since tau1 and tau2 are secrets.
@apoelstra apoelstra force-pushed the apoelstra:bulletproofs branch from f22f0c0 to ab92bbf Jan 31, 2018
@jonasnick
Copy link
Contributor

@jonasnick jonasnick commented Feb 2, 2018

Doesn't compile:

./src/modules/bulletproof/inner_product_impl.h:49:33: error: ‘MAX_BATCH_QTY’ undeclared here (not in a function)
     secp256k1_scalar randomizer[MAX_BATCH_QTY];
@apoelstra
Copy link
Member Author

@apoelstra apoelstra commented Feb 2, 2018

Try now? that constant is defined in include/secp256k1_bulletproofs.h, maybe I forgot to commit that in an earlier patchset.
@jonasnick
Copy link
Contributor

@jonasnick jonasnick commented Feb 2, 2018

Looks like some files in the circuits directory are missing:

src/bench_bulletproof.c:16:18: fatal error: src/modules/bulletproof/circuits/jubjub-3072.circuit: No such file or directory
 #define FILENAME "src/modules/bulletproof/circuits/jubjub-3072.circuit"
@jonasnick
jonasnick reviewed Feb 2, 2018
View changes
src/modules/bulletproof/parser_impl.h Outdated
row = &w[index];

row->size++;
row->entry = checked_realloc(&ctx->error_callback, row->entry, row->size * sizeof(*row->entry));

This comment has been minimized.

Sign in to view
@jonasnick

jonasnick Feb 2, 2018
Contributor

row->entry is never freed
@jonasnick
jonasnick reviewed Feb 2, 2018
View changes
src/modules/bulletproof/parser_impl.h Outdated
ret->wv = (secp256k1_bulletproof_wmatrix_row *)checked_malloc(&ctx->error_callback, ret->n_commits * sizeof(*ret->wv));
ret->c = (secp256k1_scalar *)checked_malloc(&ctx->error_callback, ret->n_constraints * sizeof(*ret->wl));

ret->scratch = (secp256k1_scalar *)checked_malloc(&ctx->error_callback, ret->n_constraints * sizeof(*ret->scratch));

This comment has been minimized.

Sign in to view
@jonasnick

jonasnick Feb 2, 2018
Contributor

scratch is never freed
@benma
Copy link
Contributor

@benma benma commented Mar 13, 2018

Got a compilation error:

$ make 
  CCLD     exhaustive_tests
src/exhaustive_tests-tests_exhaustive.o: In function `secp256k1_bulletproof_circuit_prove':
secp256k1-zkp/src/modules/bulletproof/circuits/jubjub-3072.assn:1: undefined reference to `SECP256K1_SCALAR_CONST'
@apoelstra
Copy link
Member Author

@apoelstra apoelstra commented Mar 13, 2018

@benma sorry, you have to disable exhaustive tests for now.
@apoelstra apoelstra force-pushed the apoelstra:bulletproofs branch 2 times, most recently from 3a13492 to 1d5899f Mar 13, 2018
@apoelstra
Copy link
Member Author

@apoelstra apoelstra commented Mar 13, 2018

update with current state, rebase on current secp256k1-zkp branch. still very much WIP
@apoelstra apoelstra force-pushed the apoelstra:bulletproofs branch 3 times, most recently from d8b95b9 to 66d79b3 Mar 13, 2018
@apoelstra apoelstra force-pushed the apoelstra:bulletproofs branch 7 times, most recently from 1043ca4 to ffdd7e5 Mar 26, 2018
@apoelstra
Copy link
Member Author

@apoelstra apoelstra commented Mar 31, 2018

@sipa When you get a chance, can you take a look at my rebase branch at https://github.com/apoelstra/secp256k1-mw/tree/secp256k1-zkp-rebase ?

Aside from the rebase, I think this PR is ready for review.
@apoelstra apoelstra force-pushed the apoelstra:bulletproofs branch 2 times, most recently from 2b50d19 to 1b2d5cc Apr 4, 2018
@apoelstra
Merge pull request #31 from apoelstra/2018-10-commit-fix
Verified
This commit was created on GitHub.com and signed with a verified signature using GitHub’s key.
GPG key ID: 4AEE18F83AFDEB23 Learn about signing commits
Loading status checks…
2318f18 
Fix pedersen commitment serialization after #30 broke it
@apoelstra apoelstra force-pushed the apoelstra:bulletproofs branch from 83e933f to 9fedd82 Oct 10, 2018
@apoelstra
Copy link
Member Author

@apoelstra apoelstra commented Oct 10, 2018

Rebased on #23
@jonasnick
Merge pull request #19 from jonasnick/surjectionproof_init_p_give_up
Verified
This commit was created on GitHub.com and signed with a verified signature using GitHub’s key.
GPG key ID: 4AEE18F83AFDEB23 Learn about signing commits
Loading status checks…
809016c 
Add comment to explain effect of max_n_iterations in surjectionproof_…
@apoelstra apoelstra force-pushed the apoelstra:bulletproofs branch from 9fedd82 to bc4a532 Oct 10, 2018
apoelstra added 17 commits Apr 3, 2018
@apoelstra
add chacha20 function
4642c38
@apoelstra
generator: add constant G and H generators
c70d4bf
@apoelstra
split Pedersen commitments out into their own module
2153239
@apoelstra
commitment: allow setting the blinding factor generator for Pedersen …
1e8874e 
…commitments

We now use ecmult_const rather than ecmult_gen, which will slow down
the generation of Pedersen commitments. However as far as I'm aware,
this is never the bottleneck in proof generation.
@apoelstra
bulletproofs: add module, full support for rangeproofs
7ec1d8a
@apoelstra
bulletproofs: add rangeproof rewinding capability
cc06fdd
@apoelstra
bulletproofs: add benchmark
92b917a
@apoelstra
commitment and bulletproof: fix a bunch of typos and stuff (thanks Ti…
19ef4bb 
…m Ruffing)
@apoelstra
bulletproofs: extensively comment inner product proof, remove a coupl…
e1d690e 
…e expired TODOs
@apoelstra
bulletproofs: add `n_commits` to the hash of all rangeproof input data
7dd0d1b
@apoelstra
add new modules to travis
26df649
@apoelstra
rangeproof: reduce test iterations; add echo script to travis to prev…
Loading status checks…
376d4fa 
…ent timeout
@apoelstra
bulletproofs: add circuit support
aa6c5fd
@apoelstra
bulletproofs: add a bunch of binary example circuits
c26bc86
@apoelstra
bulletproofs: extend API tests to cover circuits, fix existing tests
159060d
@apoelstra
bulletproofs: add binary circuit with a committed input, test it
f308664
@apoelstra
bulletproofs: add benchmark
Loading status checks…
9c3ba0c
@apoelstra apoelstra force-pushed the apoelstra:bulletproofs branch from bc4a532 to 9c3ba0c Oct 10, 2018
@apoelstra apoelstra force-pushed the ElementsProject:secp256k1-zkp branch from e100037 to 53ad841 Dec 14, 2018
@apoelstra apoelstra force-pushed the ElementsProject:secp256k1-zkp branch from bcabca9 to 6f3b0c0 May 30, 2019
@jonasnick
jonasnick reviewed Jan 23, 2020
View changes
Copy link
Contributor

@jonasnick jonasnick left a comment
edited

I added a couple of fixes and clarifications to my musig-dn branch (https://github.com/jonasnick/secp256k1-zkp/tree/bulletproof-musig-dn). Feel free to cherry-pick.

e34a03e Document that bulletproof_circuit_prove blinding factors can not be 0
912741d Fix unintialized memory in bulletproof circuit verify if nr of multiplication gates is not a power of 2
acf9efe Fix heap overflow when bulletproving a circuit without constraints
745f6a5 Document secp256k1_bulletproof_circuit_decode format
a9f3a2c bulletproof example
70e8c71 Add ability to evaluate an arithmetic circuit with a given assignment
9fe6454 Allow committing to an arbitrary value and not only a 64 bit int
66cad17 Add function to compare bulletproof circuits
src/modules/bulletproofs/main_impl.h
fclose(fh);
return NULL;
}
row_width = secp256k1_bulletproof_encoding_width(ret->n_gates);

This comment has been minimized.

Sign in to view
@jonasnick

jonasnick Jan 23, 2020
Contributor

shouldn't row_width be dependent on the n_constraints instead of n_gates? Every entry in a row encodes the index of the constraint (also encoded with row_width-many bytes) the wire is added to and the factor the wire is multiplied with in that constraint. Therefore there are at most n_constraint many entries in a row.
tomtau pushed a commit to crypto-com/secp256k1-zkp that referenced this pull request Jul 9, 2020
@apoelstra
Merge pull request ElementsProject#16 from apoelstra/compact-sig
e69fedb 
add compact signature encoding
@jonasnick jonasnick force-pushed the ElementsProject:secp256k1-zkp branch from dc4181a to fabc8f7 Jul 24, 2020
@apoelstra
Copy link
Member Author

@apoelstra apoelstra commented Dec 3, 2020

Closing this. It's good to remember that the code is here to crib from when we revisit the inner product argument, but there's no value in keeping an open PR for it.
@apoelstra apoelstra closed this Dec 3, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jonasnick jonasnick

@yeastplume yeastplume

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Linked issues

Successfully merging this pull request may close these issues.

None yet

10 participants
@apoelstra @jonasnick @benma @yeastplume @gmaxwell @sipa @instagibbs @datavetaren @real-or-random @FrankC01
You can’t perform that action at this time.