
WIP: bulletproofs #16

Closed
wants to merge 64 commits into from

Conversation

@apoelstra (Member) commented Nov 27, 2017

Based on a rebase of strauss-multiexp from upstream onto -zkp

TODO rangeproof aggregation
TODO const time proving
TODO pippenger support
TODO 48-bit (and generally non-power-of-2) rangeproofs and aggregates
TODO general arithmetic circuit support

@apoelstra apoelstra force-pushed the apoelstra:bulletproofs branch 3 times, most recently from 89d844e to c9d66d2 Nov 27, 2017
@apoelstra apoelstra force-pushed the apoelstra:bulletproofs branch from c9d66d2 to f22f0c0 Dec 10, 2017
```c
/* Compute Ti = t_i*A + tau_i*G for i = 1,2 */
secp256k1_gej_set_ge(&tmpj, genp);
secp256k1_ecmult(ecmult_ctx, &tj[0], &tmpj, &t1, &tau1);
secp256k1_ecmult(ecmult_ctx, &tj[1], &tmpj, &t2, &tau2);
```

@apoelstra (Author, Member) Jan 19, 2018

Both these ecmult need to be constant time since tau1 and tau2 are secrets.
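
The point above is that tau1 and tau2 are secret blinding factors, so any scalar multiplication that consumes them must not branch on scalar bits. The following C is an added illustration, not code from this PR or from libsecp256k1: it contrasts a branchy double-and-add with a mask-select constant-time loop over a toy additive group (an assumed stand-in for the curve; all names are hypothetical) and counts group operations so the difference is observable.

```c
#include <stddef.h>
#include <stdint.h>
/* Toy stand-in for the curve group: integers mod the Mersenne prime 2^61-1
 * under addition ("add" is x+y mod P, "double" is 2x mod P). Only the shape
 * of the scalar loop matters here, not the group. */
#define TOY_P 2305843009213693951ULL

/* Group addition; if ops is non-NULL it counts how many additions ran. */
static uint64_t toy_add(uint64_t a, uint64_t b, size_t *ops) {
    if (ops) (*ops)++;
    return (a + b) % TOY_P;          /* a, b < 2^61, so no 64-bit overflow */
}

/* Variable-time double-and-add: the branch on each scalar bit leaks the
 * scalar through timing, cache and the number of group operations. */
uint64_t toy_mul_var(uint64_t p, uint64_t k, size_t *ops) {
    uint64_t acc = 0;
    int i;
    p %= TOY_P;
    for (i = 63; i >= 0; i--) {
        acc = toy_add(acc, acc, ops);                 /* double */
        if ((k >> i) & 1) acc = toy_add(acc, p, ops); /* add only if bit set */
    }
    return acc;
}

/* Constant-time variant: always perform the addition, then keep or discard
 * it with an all-ones/all-zeros mask, so the operation count and control
 * flow are independent of the secret scalar. */
uint64_t toy_mul_const(uint64_t p, uint64_t k, size_t *ops) {
    uint64_t acc = 0;
    int i;
    p %= TOY_P;
    for (i = 63; i >= 0; i--) {
        uint64_t sum, mask;
        acc = toy_add(acc, acc, ops);
        sum = toy_add(acc, p, ops);
        mask = 0 - ((k >> i) & 1);      /* 0xFF..FF if bit set, else 0 */
        acc = (sum & mask) | (acc & ~mask);
    }
    return acc;
}

/* Number of group additions each routine performs for scalar k. */
size_t toy_ops_var(uint64_t k)   { size_t n = 0; toy_mul_var(1, k, &n);   return n; }
size_t toy_ops_const(uint64_t k) { size_t n = 0; toy_mul_const(1, k, &n); return n; }

/* Independent reference: k*p mod P via 128-bit arithmetic (GCC/Clang). */
uint64_t toy_ref(uint64_t p, uint64_t k) {
    return (uint64_t)(((unsigned __int128)(p % TOY_P) * k) % TOY_P);
}
```

In libsecp256k1 the same split exists as secp256k1_ecmult (variable time, meant for verification) versus secp256k1_ecmult_const and secp256k1_ecmult_gen for secret scalars.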

@apoelstra apoelstra force-pushed the apoelstra:bulletproofs branch from f22f0c0 to ab92bbf Jan 31, 2018
@jonasnick (Contributor) commented Feb 2, 2018

Doesn't compile:

```text
./src/modules/bulletproof/inner_product_impl.h:49:33: error: ‘MAX_BATCH_QTY’ undeclared here (not in a function)
     secp256k1_scalar randomizer[MAX_BATCH_QTY];
```
@apoelstra (Member, Author) commented Feb 2, 2018

Try now? That constant is defined in include/secp256k1_bulletproofs.h; maybe I forgot to commit that in an earlier patchset.

@jonasnick (Contributor) commented Feb 2, 2018

Looks like some files in the circuits directory are missing:

```text
src/bench_bulletproof.c:16:18: fatal error: src/modules/bulletproof/circuits/jubjub-3072.circuit: No such file or directory
 #define FILENAME "src/modules/bulletproof/circuits/jubjub-3072.circuit"
```
```c
row = &w[index];

row->size++;
row->entry = checked_realloc(&ctx->error_callback, row->entry, row->size * sizeof(*row->entry));
```

@jonasnick (Contributor) Feb 2, 2018

row->entry is never freed

```c
ret->wv = (secp256k1_bulletproof_wmatrix_row *)checked_malloc(&ctx->error_callback, ret->n_commits * sizeof(*ret->wv));
ret->c = (secp256k1_scalar *)checked_malloc(&ctx->error_callback, ret->n_constraints * sizeof(*ret->wl));

ret->scratch = (secp256k1_scalar *)checked_malloc(&ctx->error_callback, ret->n_constraints * sizeof(*ret->scratch));
```

@jonasnick (Contributor) Feb 2, 2018

scratch is never freed

@benma (Contributor) commented Mar 13, 2018

Got a compilation error:

```text
$ make
  CCLD     exhaustive_tests
src/exhaustive_tests-tests_exhaustive.o: In function `secp256k1_bulletproof_circuit_prove':
secp256k1-zkp/src/modules/bulletproof/circuits/jubjub-3072.assn:1: undefined reference to `SECP256K1_SCALAR_CONST'
```
@apoelstra (Member, Author) commented Mar 13, 2018

@benma sorry, you have to disable exhaustive tests for now.

@apoelstra apoelstra force-pushed the apoelstra:bulletproofs branch 2 times, most recently from 3a13492 to 1d5899f Mar 13, 2018
@apoelstra (Member, Author) commented Mar 13, 2018

Update with current state, rebase on current secp256k1-zkp branch. Still very much WIP.

@apoelstra apoelstra force-pushed the apoelstra:bulletproofs branch 3 times, most recently from d8b95b9 to 66d79b3 Mar 13, 2018
@apoelstra apoelstra force-pushed the apoelstra:bulletproofs branch 7 times, most recently from 1043ca4 to ffdd7e5 Mar 26, 2018
@apoelstra (Member, Author) commented Mar 31, 2018

@sipa When you get a chance, can you take a look at my rebase branch at https://github.com/apoelstra/secp256k1-mw/tree/secp256k1-zkp-rebase ?

Aside from the rebase, I think this PR is ready for review.

@apoelstra apoelstra force-pushed the apoelstra:bulletproofs branch 2 times, most recently from 2b50d19 to 1b2d5cc Apr 4, 2018
Fix pedersen commitment serialization after #30 broke it
@apoelstra apoelstra force-pushed the apoelstra:bulletproofs branch from 83e933f to 9fedd82 Oct 10, 2018
@apoelstra (Member, Author) commented Oct 10, 2018

Rebased on #23

Add comment to explain effect of max_n_iterations in surjectionproof_…
@apoelstra apoelstra force-pushed the apoelstra:bulletproofs branch from 9fedd82 to bc4a532 Oct 10, 2018
@apoelstra apoelstra force-pushed the apoelstra:bulletproofs branch from bc4a532 to 9c3ba0c Oct 10, 2018
@apoelstra apoelstra force-pushed the ElementsProject:secp256k1-zkp branch from e100037 to 53ad841 Dec 14, 2018
@apoelstra apoelstra force-pushed the ElementsProject:secp256k1-zkp branch from bcabca9 to 6f3b0c0 May 30, 2019
@jonasnick (Contributor) left a comment

I added a couple of fixes and clarifications to my musig-dn branch (https://github.com/jonasnick/secp256k1-zkp/tree/bulletproof-musig-dn). Feel free to cherry-pick.

e34a03e Document that bulletproof_circuit_prove blinding factors can not be 0
912741d Fix uninitialized memory in bulletproof circuit verify if nr of multiplication gates is not a power of 2
acf9efe Fix heap overflow when bulletproving a circuit without constraints
745f6a5 Document secp256k1_bulletproof_circuit_decode format
a9f3a2c bulletproof example
70e8c71 Add ability to evaluate an arithmetic circuit with a given assignment
9fe6454 Allow committing to an arbitrary value and not only a 64 bit int
66cad17 Add function to compare bulletproof circuits
```c
fclose(fh);
return NULL;
}
row_width = secp256k1_bulletproof_encoding_width(ret->n_gates);
```

@jonasnick (Contributor) Jan 23, 2020

Shouldn't row_width be dependent on n_constraints instead of n_gates? Every entry in a row encodes the index of the constraint (also encoded with row_width-many bytes) the wire is added to and the factor the wire is multiplied with in that constraint. Therefore there are at most n_constraints-many entries in a row.

tomtau pushed a commit to crypto-com/secp256k1-zkp that referenced this pull request Jul 9, 2020
@jonasnick jonasnick force-pushed the ElementsProject:secp256k1-zkp branch from dc4181a to fabc8f7 Jul 24, 2020
@apoelstra (Member, Author) commented Dec 3, 2020

Closing this. It's good to remember that the code is here to crib from when we revisit the inner product argument, but there's no value in keeping an open PR for it.

@apoelstra apoelstra closed this Dec 3, 2020