WIP: bulletproofs #16
89d844e to c9d66d2
/* Compute Ti = t_i*A + tau_i*G for i = 1,2 */ | ||
secp256k1_gej_set_ge(&tmpj, genp); | ||
secp256k1_ecmult(ecmult_ctx, &tj[0], &tmpj, &t1, &tau1); | ||
secp256k1_ecmult(ecmult_ctx, &tj[1], &tmpj, &t2, &tau2); |
apoelstra (Author, Member), Jan 19, 2018
Both these ecmult need to be constant time since tau1 and tau2 are secrets.
Doesn't compile:
Try now? That constant is defined in include/secp256k1_bulletproofs.h, maybe I forgot to commit that in an earlier patchset.
Looks like some files in the
row = &w[index]; | ||
|
||
row->size++; | ||
row->entry = checked_realloc(&ctx->error_callback, row->entry, row->size * sizeof(*row->entry)); |
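Review bot: the row grows by exactly one element per call here (row->size++ followed by checked_realloc to row->size * sizeof(*row->entry)), so every appended entry reallocates the row. Consider tracking a separate capacity and growing it geometrically. The product row->size * sizeof(*row->entry) is also passed to the allocator without an overflow check.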
jonasnick (Contributor), Feb 2, 2018
row->entry is never freed
ret->wv = (secp256k1_bulletproof_wmatrix_row *)checked_malloc(&ctx->error_callback, ret->n_commits * sizeof(*ret->wv)); | ||
ret->c = (secp256k1_scalar *)checked_malloc(&ctx->error_callback, ret->n_constraints * sizeof(*ret->wl)); | ||
|
||
ret->scratch = (secp256k1_scalar *)checked_malloc(&ctx->error_callback, ret->n_constraints * sizeof(*ret->scratch)); |
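Review bot: the allocation for ret->c on the second line is cast to secp256k1_scalar * but sized with sizeof(*ret->wl) instead of sizeof(*ret->c), unlike the ret->wv and ret->scratch allocations, which size by their own pointee. If the element types of wl and c differ, the buffer is over- or under-sized; suggest ret->n_constraints * sizeof(*ret->c).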
jonasnick (Contributor), Feb 2, 2018
scratch is never freed
Got a compilation error:
@benma sorry, you have to disable exhaustive tests for now.
3a13492 to 1d5899f
update with current state, rebase on current
d8b95b9 to 66d79b3
1043ca4 to ffdd7e5
@sipa When you get a chance, can you take a look at my rebase branch at https://github.com/apoelstra/secp256k1-mw/tree/secp256k1-zkp-rebase ? Aside from the rebase, I think this PR is ready for review.
2b50d19 to 1b2d5cc
Fix pedersen commitment serialization after #30 broke it
Rebased on #23
Add comment to explain effect of max_n_iterations in surjectionproof_…
…commitments We now use ecmult_const rather than ecmult_gen, which will slow down the generation of Pedersen commitments. However as far as I'm aware, this is never the bottleneck in proof generation.
e100037 to 53ad841
bcabca9 to 6f3b0c0
I added a couple of fixes and clarifications to my musig-dn branch (https://github.com/jonasnick/secp256k1-zkp/tree/bulletproof-musig-dn). Feel free to cherry-pick.
fclose(fh); | ||
return NULL; | ||
} | ||
row_width = secp256k1_bulletproof_encoding_width(ret->n_gates); |
jonasnick (Contributor), Jan 23, 2020
Shouldn't row_width be dependent on the n_constraints instead of n_gates? Every entry in a row encodes the index of the constraint (also encoded with row_width-many bytes) the wire is added to and the factor the wire is multiplied with in that constraint. Therefore there are at most n_constraint many entries in a row.
add compact signature encoding
dc4181a to fabc8f7
Closing this. It's good to remember that the code is here to crib from when we revisit the inner product argument, but there's no value in keeping an open PR for it.
Based on rebase of strauss-multiexp from upstream onto -zkp
TODO rangeproof aggregation
TODO const time proving
TODO pippenger support
TODO 48-bit (and generally non-power-of-2) rangeproofs and aggregates
TODO general arithmetic circuit support