WIP: bulletproofs #16
Conversation
89d844e
to
c9d66d2
Compare
c9d66d2
to
f22f0c0
Compare
| /* Compute Ti = t_i*A + tau_i*G for i = 1,2 */ | ||
| secp256k1_gej_set_ge(&tmpj, genp); | ||
| secp256k1_ecmult(ecmult_ctx, &tj[0], &tmpj, &t1, &tau1); | ||
| secp256k1_ecmult(ecmult_ctx, &tj[1], &tmpj, &t2, &tau2); |
There was a problem hiding this comment.
Both these ecmult need to be constant time since tau1 and tau2 are secrets.
f22f0c0
to
ab92bbf
Compare
|
Doesn't compile: |
|
Try now? that constant is defined in include/secp256k1_bulletproofs.h, maybe I forgot to commit that in an earlier patchset. |
|
Looks like some files in the |
| row = &w[index]; | ||
|
|
||
| row->size++; | ||
| row->entry = checked_realloc(&ctx->error_callback, row->entry, row->size * sizeof(*row->entry)); |
There was a problem hiding this comment.
row->entry is never freed
| ret->wv = (secp256k1_bulletproof_wmatrix_row *)checked_malloc(&ctx->error_callback, ret->n_commits * sizeof(*ret->wv)); | ||
| ret->c = (secp256k1_scalar *)checked_malloc(&ctx->error_callback, ret->n_constraints * sizeof(*ret->wl)); | ||
|
|
||
| ret->scratch = (secp256k1_scalar *)checked_malloc(&ctx->error_callback, ret->n_constraints * sizeof(*ret->scratch)); |
|
Got a compilation error: |
|
@benma sorry, you have to disable exhaustive tests for now. |
3a13492
to
1d5899f
Compare
|
update with current state, rebase on current |
d8b95b9
to
66d79b3
Compare
1043ca4
to
ffdd7e5
Compare
|
@sipa When you get a chance, can you take a look at my rebase branch at https://github.com/apoelstra/secp256k1-mw/tree/secp256k1-zkp-rebase ? Aside from the rebase, I think this PR is ready for review. |
2b50d19
to
1b2d5cc
Compare
83e933f
to
9fedd82
Compare
|
Rebased on #23 |
…oof_init_p_give_up Add comment to explain effect of max_n_iterations in surjectionproof_…
9fedd82
to
bc4a532
Compare
…commitments We now use ecmult_const rather than ecmult_gen, which will slow down the generation of Pedersen commitments. However as far as I'm aware, this is never the bottleneck in proof generation.
bc4a532
to
9c3ba0c
Compare
e100037
to
53ad841
Compare
There was a problem hiding this comment.
I added a couple of fixes and clarifications to my musig-dn branch (https://github.com/jonasnick/secp256k1-zkp/tree/bulletproof-musig-dn). Feel free to cherry-pick.
e34a03e Document that bulletproof_circuit_prove blinding factors can not be 0
912741d Fix unintialized memory in bulletproof circuit verify if nr of multiplication gates is not a power of 2
acf9efe Fix heap overflow when bulletproving a circuit without constraints
745f6a5 Document secp256k1_bulletproof_circuit_decode format
a9f3a2c bulletproof example
70e8c71 Add ability to evaluate an arithmetic circuit with a given assignment
9fe6454 Allow committing to an arbitrary value and not only a 64 bit int
66cad17 Add function to compare bulletproof circuits
| fclose(fh); | ||
| return NULL; | ||
| } | ||
| row_width = secp256k1_bulletproof_encoding_width(ret->n_gates); |
There was a problem hiding this comment.
shouldn't row_width be dependent on the n_constraints instead of n_gates? Every entry in a row encodes the index of the constraint (also encoded with row_width-many bytes) the wire is added to and the factor the wire is multiplied with in that constraint. Therefore there are at most n_constraint many entries in a row.
add compact signature encoding
|
Closing this. It's good to remember that the code is here to crib from when we revisit the inner product argument, but there's no value in keeping an open PR for it. |
Based on rebase of strauss-multiexp from upstream onto -zkp
TODO rangeproof aggregationTODO const time provingTODO pippenger supportTODO 48-bit (and generally non-power-of-2) rangeproofs and aggregates
TODO general arithmetic circuit support