@@ -35,6 +35,8 @@ static void test_bulletproof_api(void) {
35
35
uint64_t value [4 ] = { 1234 , 4567 , 8910 , 1112 } ;
36
36
uint64_t min_value [4 ] = { 1000 , 4567 , 0 , 5000 } ;
37
37
const uint64_t * mv_ptr = min_value ;
38
+ unsigned char rewind_blind [32 ];
39
+ size_t rewind_v ;
38
40
39
41
int32_t ecount = 0 ;
40
42
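Review bot: `rewind_v` is declared as `size_t`, while the same commit declares the equivalent out-variable `v_recovered` as `uint64_t` in test_bulletproof_rangeproof, and `value`/`min_value` in this function are `uint64_t` arrays. If the rewind API's value out-parameter is `uint64_t *` (as the impl-level test's use of a `uint64_t` suggests), passing `&rewind_v` only compiles cleanly where `size_t` happens to be 64-bit and would write past the object on a 32-bit target; declare it `uint64_t rewind_v;` so the type matches the value being recovered. The enclosing function test_bulletproof_api starts before this hunk.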
@@ -212,6 +214,35 @@ static void test_bulletproof_api(void) {
212
214
CHECK (secp256k1_bulletproof_rangeproof_verify_multi (both , scratch , gens , & proof_ptr , 1 , plen , & mv_ptr , pcommit_arr , 4 , 64 , & value_gen , blind_ptr , & blindlen ) == 0 );
213
215
CHECK (ecount == 14 );
214
216
217
+ /* Rewind */
218
+ ecount = 0 ;
219
+ CHECK (secp256k1_bulletproof_rangeproof_rewind (none , gens , & rewind_v , rewind_blind , proof , plen , min_value [0 ], pcommit , & value_gen , blind , blind , 32 ) == 1 );
220
+ CHECK (ecount == 0 );
221
+ CHECK (secp256k1_bulletproof_rangeproof_rewind (none , NULL , & rewind_v , rewind_blind , proof , plen , min_value [0 ], pcommit , & value_gen , blind , blind , 32 ) == 0 );
222
+ CHECK (ecount == 1 );
223
+ CHECK (secp256k1_bulletproof_rangeproof_rewind (none , gens , NULL , rewind_blind , proof , plen , min_value [0 ], pcommit , & value_gen , blind , blind , 32 ) == 0 );
224
+ CHECK (ecount == 2 );
225
+ CHECK (secp256k1_bulletproof_rangeproof_rewind (none , gens , & rewind_v , NULL , proof , plen , min_value [0 ], pcommit , & value_gen , blind , blind , 32 ) == 0 );
226
+ CHECK (ecount == 3 );
227
+ CHECK (secp256k1_bulletproof_rangeproof_rewind (none , gens , & rewind_v , rewind_blind , NULL , plen , min_value [0 ], pcommit , & value_gen , blind , blind , 32 ) == 0 );
228
+ CHECK (ecount == 4 );
229
+ CHECK (secp256k1_bulletproof_rangeproof_rewind (none , gens , & rewind_v , rewind_blind , proof , 0 , min_value [0 ], pcommit , & value_gen , blind , blind , 32 ) == 0 );
230
+ CHECK (ecount == 4 );
231
+ CHECK (secp256k1_bulletproof_rangeproof_rewind (none , gens , & rewind_v , rewind_blind , proof , plen , 0 , pcommit , & value_gen , blind , blind , 32 ) == 0 );
232
+ CHECK (ecount == 4 );
233
+ CHECK (secp256k1_bulletproof_rangeproof_rewind (none , gens , & rewind_v , rewind_blind , proof , plen , min_value [0 ], NULL , & value_gen , blind , blind , 32 ) == 0 );
234
+ CHECK (ecount == 5 );
235
+ CHECK (secp256k1_bulletproof_rangeproof_rewind (none , gens , & rewind_v , rewind_blind , proof , plen , min_value [0 ], pcommit , NULL , blind , blind , 32 ) == 0 );
236
+ CHECK (ecount == 6 );
237
+ CHECK (secp256k1_bulletproof_rangeproof_rewind (none , gens , & rewind_v , rewind_blind , proof , plen , min_value [0 ], pcommit , & value_gen , NULL , blind , 32 ) == 0 );
238
+ CHECK (ecount == 7 );
239
+ CHECK (secp256k1_bulletproof_rangeproof_rewind (none , gens , & rewind_v , rewind_blind , proof , plen , min_value [0 ], pcommit , & value_gen , blind , NULL , 32 ) == 0 );
240
+ CHECK (ecount == 8 );
241
+ CHECK (secp256k1_bulletproof_rangeproof_rewind (none , gens , & rewind_v , rewind_blind , proof , plen , min_value [0 ], pcommit , & value_gen , blind , blind , 0 ) == 0 );
242
+ CHECK (ecount == 8 );
243
+ CHECK (secp256k1_bulletproof_rangeproof_rewind (none , gens , & rewind_v , rewind_blind , proof , plen , min_value [0 ], pcommit , & value_gen , blind , NULL , 0 ) == 0 );
244
+ CHECK (ecount == 8 );
245
+
215
246
secp256k1_bulletproof_generators_destroy (none , gens );
216
247
secp256k1_bulletproof_generators_destroy (none , NULL );
217
248
secp256k1_scratch_destroy (scratch );
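Review bot: The successful rewind at the top of the `/* Rewind */` block only asserts the return code; the recovered outputs `rewind_v` and `rewind_blind` are never compared against the inputs the proof was built from, so a rewind that returns 1 with wrong data would still pass. Assuming the proof was produced from `value[0]` and `blind` earlier in this function (outside this hunk), add after the first `CHECK(ecount == 0);` the lines `CHECK(rewind_v == value[0]);` and `CHECK(memcmp(rewind_blind, blind, 32) == 0);` (needs `<string.h>`, which the test file presumably already includes). The subsequent negative cases are consistent in that the `plen == 0`, wrong `min_value` and mismatched extra-commit calls return 0 without bumping `ecount`, i.e. they are treated as ordinary failures rather than argument errors; a one-line comment saying so, `/* wrong length / min_value / extra_commit are plain failures, not ARG_CHECKs */`, would make the unchanged `ecount` expectations easier to read. The function continues outside this hunk.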
@@ -427,15 +458,18 @@ void test_bulletproof_inner_product(size_t n, const secp256k1_bulletproof_genera
427
458
428
459
void test_bulletproof_rangeproof (size_t nbits , size_t expected_size , const secp256k1_bulletproof_generators * gens ) {
429
460
secp256k1_scalar blind ;
461
+ secp256k1_scalar blind_recovered ;
430
462
unsigned char proof [1024 ];
431
463
unsigned char proof2 [1024 ];
432
464
unsigned char proof3 [1024 ];
433
465
const unsigned char * proof_ptr [3 ];
434
466
size_t plen = sizeof (proof );
435
467
uint64_t v = 123456 ;
468
+ uint64_t v_recovered ;
436
469
secp256k1_gej commitj ;
437
470
secp256k1_ge commitp ;
438
471
secp256k1_ge commitp2 ;
472
+ secp256k1_pedersen_commitment pcommit ;
439
473
const secp256k1_ge * commitp_ptr [3 ];
440
474
secp256k1_ge value_gen [3 ];
441
475
unsigned char nonce [32 ] = "my kingdom for some randomness!!" ;
@@ -461,6 +495,7 @@ void test_bulletproof_rangeproof(size_t nbits, size_t expected_size, const secp2
461
495
secp256k1_ge_set_gej (& commitp2 , & commitj );
462
496
commitp_ptr [0 ] = commitp_ptr [1 ] = & commitp ;
463
497
commitp_ptr [2 ] = & commitp2 ;
498
+ secp256k1_pedersen_commitment_save (& pcommit , & commitp );
464
499
465
500
CHECK (secp256k1_bulletproof_rangeproof_prove_impl (& ctx -> ecmult_ctx , scratch , proof , & plen , nbits , & v , NULL , & blind , & commitp , 1 , & value_gen [0 ], gens , nonce , NULL , 0 ) == 1 );
466
501
CHECK (plen == expected_size );
@@ -478,6 +513,14 @@ void test_bulletproof_rangeproof(size_t nbits, size_t expected_size, const secp2
478
513
/* Verify thrice at once where one has a different asset type */
479
514
CHECK (secp256k1_bulletproof_rangeproof_verify_impl (& ctx -> ecmult_ctx , scratch , proof_ptr , 3 , plen , nbits , NULL , commitp_ptr , 1 , value_gen , gens , NULL , 0 ) == 1 );
480
515
516
+ /* Rewind */
517
+ CHECK (secp256k1_bulletproof_rangeproof_rewind_impl (& v_recovered , & blind_recovered , proof , plen , 0 , & pcommit , & secp256k1_generator_const_g , gens -> blinding_gen , nonce , NULL , 0 ) == 1 );
518
+ CHECK (v_recovered == v );
519
+ CHECK (secp256k1_scalar_eq (& blind_recovered , & blind ) == 1 );
520
+
521
+ nonce [0 ] ^= 111 ;
522
+ CHECK (secp256k1_bulletproof_rangeproof_rewind_impl (& v_recovered , & blind_recovered , proof , plen , 0 , & pcommit , & secp256k1_generator_const_g , gens -> blinding_gen , nonce , NULL , 0 ) == 0 );
523
+
481
524
secp256k1_scratch_destroy (scratch );
482
525
}
483
526
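Review bot: The rewind call passes `&secp256k1_generator_const_g` as the value generator, whereas the proof in this function was produced with `&value_gen[0]`; if `value_gen[0]` is loaded from that same constant earlier in the function (outside this hunk) the two agree, but the dependence is implicit, so a comment such as `/* value_gen[0] is G; the rewind API takes the generator form of it */` at the rewind call would document why a different identifier is used. The wrong-nonce case at the end correctly asserts only that rewind fails, which is the property that matters: without the nonce no value or blinding factor should be recoverable. Since `nonce[0] ^= 111` mutates the proving nonce in place and nothing restores it, this must remain the last use of `nonce` in the function; a comment `/* nonce is deliberately corrupted and not restored: last use */` would guard against later additions.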