commitment: allow setting the blinding factor generator for Pedersen commitments

We now use ecmult_const rather than ecmult_gen, which will slow down
the generation of Pedersen commitments. However as far as I'm aware,
this is never the bottleneck in proof generation.

Author: apoelstra

include/secp256k1_commitment.h

@@ -60,10 +60,11 @@ void secp256k1_pedersen_context_initialize(secp256k1_context* ctx);
  *          0: Error. The blinding factor is larger than the group order
  *             (probability for random 32 byte number < 2^-127) or results in the
  *             point at infinity. Retry with a different factor.
- *  In:     ctx:        pointer to a context object, initialized for signing and Pedersen commitment (cannot be NULL)
+ *  In:     ctx:        pointer to a context object (cannot be NULL)
  *          blind:      pointer to a 32-byte blinding factor (cannot be NULL)
  *          value:      unsigned 64-bit integer value to commit to.
- *          gen:        additional generator 'h'
+ *          value_gen:  value generator 'h'
+ *          blind_gen:  blinding factor generator 'g'
  *  Out:    commit:     pointer to the commitment (cannot be NULL)
  *
  *  Blinding factors can be generated and verified in the same way as secp256k1 private keys for ECDSA.
@@ -73,8 +74,9 @@ SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_pedersen_commit(
   secp256k1_pedersen_commitment *commit,
   const unsigned char *blind,
   uint64_t value,
-  const secp256k1_generator *gen
-) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(5);
+  const secp256k1_generator *value_gen,
+  const secp256k1_generator *blind_gen
+) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(5) SECP256K1_ARG_NONNULL(6);
 
 /** Computes the sum of multiple positive and negative blinding factors.
  *  Returns 1: Sum successfully computed.

src/bench_rangeproof.c

@@ -29,7 +29,7 @@ static void bench_rangeproof_setup(void* arg) {
 
     data->v = 0;
     for (i = 0; i < 32; i++) data->blind[i] = i + 1;
-    CHECK(secp256k1_pedersen_commit(data->ctx, &data->commit, data->blind, data->v, &secp256k1_generator_const_h));
+    CHECK(secp256k1_pedersen_commit(data->ctx, &data->commit, data->blind, data->v, &secp256k1_generator_const_h, &secp256k1_generator_const_g));
     data->len = 5134;
     CHECK(secp256k1_rangeproof_sign(data->ctx, data->proof, &data->len, 0, &data->commit, data->blind, (const unsigned char*)&data->commit, 0, data->min_bits, data->v, NULL, 0, NULL, 0, &secp256k1_generator_const_h));
     CHECK(secp256k1_rangeproof_verify(data->ctx, &minv, &maxv, &data->commit, data->proof, data->len, NULL, 0, &secp256k1_generator_const_h));

src/modules/commitment/main_impl.h

@@ -47,22 +47,24 @@ int secp256k1_pedersen_commitment_serialize(const secp256k1_context* ctx, unsign
 }
 
 /* Generates a pedersen commitment: *commit = blind * G + value * G2. The blinding factor is 32 bytes.*/
-int secp256k1_pedersen_commit(const secp256k1_context* ctx, secp256k1_pedersen_commitment *commit, const unsigned char *blind, uint64_t value, const secp256k1_generator* gen) {
-    secp256k1_ge genp;
+int secp256k1_pedersen_commit(const secp256k1_context* ctx, secp256k1_pedersen_commitment *commit, const unsigned char *blind, uint64_t value, const secp256k1_generator* value_gen, const secp256k1_generator* blind_gen) {
+    secp256k1_ge value_genp;
+    secp256k1_ge blind_genp;
     secp256k1_gej rj;
     secp256k1_ge r;
     secp256k1_scalar sec;
     int overflow;
     int ret = 0;
     VERIFY_CHECK(ctx != NULL);
-    ARG_CHECK(secp256k1_ecmult_gen_context_is_built(&ctx->ecmult_gen_ctx));
     ARG_CHECK(commit != NULL);
     ARG_CHECK(blind != NULL);
-    ARG_CHECK(gen != NULL);
-    secp256k1_generator_load(&genp, gen);
+    ARG_CHECK(value_gen != NULL);
+    ARG_CHECK(blind_gen != NULL);
+    secp256k1_generator_load(&value_genp, value_gen);
+    secp256k1_generator_load(&blind_genp, blind_gen);
     secp256k1_scalar_set_b32(&sec, blind, &overflow);
     if (!overflow) {
-        secp256k1_pedersen_ecmult(&ctx->ecmult_gen_ctx, &rj, &sec, value, &genp);
+        secp256k1_pedersen_ecmult(&rj, &sec, value, &value_genp, &blind_genp);
         if (!secp256k1_gej_is_infinity(&rj)) {
             secp256k1_ge_set_gej(&r, &rj);
             secp256k1_pedersen_commitment_save(commit, &r);

src/modules/commitment/pedersen_impl.h

@@ -9,43 +9,30 @@
 
 #include <string.h>
 
-#include "eckey.h"
 #include "ecmult_const.h"
-#include "ecmult_gen.h"
 #include "group.h"
-#include "field.h"
 #include "scalar.h"
-#include "util.h"
 
-static void secp256k1_pedersen_scalar_set_u64(secp256k1_scalar *sec, uint64_t value) {
-    unsigned char data[32];
-    int i;
-    for (i = 0; i < 24; i++) {
-        data[i] = 0;
-    }
-    for (; i < 32; i++) {
-        data[i] = value >> 56;
-        value <<= 8;
-    }
-    secp256k1_scalar_set_b32(sec, data, NULL);
-    memset(data, 0, 32);
-}
+/* sec * G + value * G2. */
+SECP256K1_INLINE static void secp256k1_pedersen_ecmult(secp256k1_gej *rj, const secp256k1_scalar *sec, uint64_t value, const secp256k1_ge* value_gen, const secp256k1_ge* blind_gen) {
+    secp256k1_scalar vs;
+    secp256k1_gej bj;
+    secp256k1_ge bp;
 
-static void secp256k1_pedersen_ecmult_small(secp256k1_gej *r, uint64_t gn, const secp256k1_ge* genp) {
-    secp256k1_scalar s;
-    secp256k1_pedersen_scalar_set_u64(&s, gn);
-    secp256k1_ecmult_const(r, genp, &s, 64);
-    secp256k1_scalar_clear(&s);
-}
+    secp256k1_scalar_set_u64(&vs, value);
+    secp256k1_ecmult_const(rj, value_gen, &vs, 64);
+    secp256k1_ecmult_const(&bj, blind_gen, sec, 256);
 
-/* sec * G + value * G2. */
-SECP256K1_INLINE static void secp256k1_pedersen_ecmult(const secp256k1_ecmult_gen_context *ecmult_gen_ctx, secp256k1_gej *rj, const secp256k1_scalar *sec, uint64_t value, const secp256k1_ge* genp) {
-    secp256k1_gej vj;
-    secp256k1_ecmult_gen(ecmult_gen_ctx, rj, sec);
-    secp256k1_pedersen_ecmult_small(&vj, value, genp);
-    /* FIXME: constant time. */
-    secp256k1_gej_add_var(rj, rj, &vj, NULL);
-    secp256k1_gej_clear(&vj);
+    /* zero blinding factor indicates that we are not trying to be zero-knowledge,
+     * so not being constant-time in this case is OK. */
+    if (!secp256k1_gej_is_infinity(&bj)) {
+        secp256k1_ge_set_gej(&bp, &bj);
+        secp256k1_gej_add_ge(rj, rj, &bp);
+    }
+
+    secp256k1_gej_clear(&bj);
+    secp256k1_ge_clear(&bp);
+    secp256k1_scalar_clear(&vs);
 }
 
 #endif

src/modules/commitment/tests_impl.h

@@ -41,54 +41,56 @@ static void test_commitment_api(void) {
     secp256k1_context_set_illegal_callback(both, counting_illegal_callback_fn, &ecount);
 
     secp256k1_rand256(blind);
-    CHECK(secp256k1_pedersen_commit(none, &commit, blind, val, &secp256k1_generator_const_h) == 0);
+    CHECK(secp256k1_pedersen_commit(none, &commit, blind, val, &secp256k1_generator_const_h, &secp256k1_generator_const_g) == 0);
     CHECK(ecount == 1);
-    CHECK(secp256k1_pedersen_commit(vrfy, &commit, blind, val, &secp256k1_generator_const_h) == 0);
+    CHECK(secp256k1_pedersen_commit(vrfy, &commit, blind, val, &secp256k1_generator_const_h, &secp256k1_generator_const_g) == 0);
     CHECK(ecount == 2);
-    CHECK(secp256k1_pedersen_commit(sign, &commit, blind, val, &secp256k1_generator_const_h) != 0);
+    CHECK(secp256k1_pedersen_commit(sign, &commit, blind, val, &secp256k1_generator_const_h, &secp256k1_generator_const_g) != 0);
     CHECK(ecount == 2);
 
-    CHECK(secp256k1_pedersen_commit(sign, NULL, blind, val, &secp256k1_generator_const_h) == 0);
+    CHECK(secp256k1_pedersen_commit(sign, NULL, blind, val, &secp256k1_generator_const_h, &secp256k1_generator_const_g) == 0);
     CHECK(ecount == 3);
-    CHECK(secp256k1_pedersen_commit(sign, &commit, NULL, val, &secp256k1_generator_const_h) == 0);
+    CHECK(secp256k1_pedersen_commit(sign, &commit, NULL, val, &secp256k1_generator_const_h, &secp256k1_generator_const_g) == 0);
     CHECK(ecount == 4);
-    CHECK(secp256k1_pedersen_commit(sign, &commit, blind, val, NULL) == 0);
+    CHECK(secp256k1_pedersen_commit(sign, &commit, blind, val, NULL, &secp256k1_generator_const_g) == 0);
     CHECK(ecount == 5);
+    CHECK(secp256k1_pedersen_commit(sign, &commit, blind, val, &secp256k1_generator_const_h, NULL) == 0);
+    CHECK(ecount == 6);
 
     CHECK(secp256k1_pedersen_blind_sum(none, blind_out, &blind_ptr, 1, 1) != 0);
-    CHECK(ecount == 5);
-    CHECK(secp256k1_pedersen_blind_sum(none, NULL, &blind_ptr, 1, 1) == 0);
     CHECK(ecount == 6);
-    CHECK(secp256k1_pedersen_blind_sum(none, blind_out, NULL, 1, 1) == 0);
+    CHECK(secp256k1_pedersen_blind_sum(none, NULL, &blind_ptr, 1, 1) == 0);
     CHECK(ecount == 7);
-    CHECK(secp256k1_pedersen_blind_sum(none, blind_out, &blind_ptr, 0, 1) == 0);
+    CHECK(secp256k1_pedersen_blind_sum(none, blind_out, NULL, 1, 1) == 0);
     CHECK(ecount == 8);
+    CHECK(secp256k1_pedersen_blind_sum(none, blind_out, &blind_ptr, 0, 1) == 0);
+    CHECK(ecount == 9);
     CHECK(secp256k1_pedersen_blind_sum(none, blind_out, &blind_ptr, 0, 0) != 0);
-    CHECK(ecount == 8);
+    CHECK(ecount == 9);
 
-    CHECK(secp256k1_pedersen_commit(sign, &commit, blind, val, &secp256k1_generator_const_h) != 0);
+    CHECK(secp256k1_pedersen_commit(sign, &commit, blind, val, &secp256k1_generator_const_h, &secp256k1_generator_const_g) != 0);
     CHECK(secp256k1_pedersen_verify_tally(none, &commit_ptr, 1, &commit_ptr, 1) != 0);
     CHECK(secp256k1_pedersen_verify_tally(none, NULL, 0, &commit_ptr, 1) == 0);
     CHECK(secp256k1_pedersen_verify_tally(none, &commit_ptr, 1, NULL, 0) == 0);
     CHECK(secp256k1_pedersen_verify_tally(none, NULL, 0, NULL, 0) != 0);
-    CHECK(ecount == 8);
-    CHECK(secp256k1_pedersen_verify_tally(none, NULL, 1, &commit_ptr, 1) == 0);
     CHECK(ecount == 9);
-    CHECK(secp256k1_pedersen_verify_tally(none, &commit_ptr, 1, NULL, 1) == 0);
+    CHECK(secp256k1_pedersen_verify_tally(none, NULL, 1, &commit_ptr, 1) == 0);
     CHECK(ecount == 10);
+    CHECK(secp256k1_pedersen_verify_tally(none, &commit_ptr, 1, NULL, 1) == 0);
+    CHECK(ecount == 11);
 
     CHECK(secp256k1_pedersen_blind_generator_blind_sum(none, &val, &blind_ptr, &blind_out_ptr, 1, 0) != 0);
-    CHECK(ecount == 10);
-    CHECK(secp256k1_pedersen_blind_generator_blind_sum(none, &val, &blind_ptr, &blind_out_ptr, 1, 1) == 0);
     CHECK(ecount == 11);
-    CHECK(secp256k1_pedersen_blind_generator_blind_sum(none, &val, &blind_ptr, &blind_out_ptr, 0, 0) == 0);
+    CHECK(secp256k1_pedersen_blind_generator_blind_sum(none, &val, &blind_ptr, &blind_out_ptr, 1, 1) == 0);
     CHECK(ecount == 12);
-    CHECK(secp256k1_pedersen_blind_generator_blind_sum(none, NULL, &blind_ptr, &blind_out_ptr, 1, 0) == 0);
+    CHECK(secp256k1_pedersen_blind_generator_blind_sum(none, &val, &blind_ptr, &blind_out_ptr, 0, 0) == 0);
     CHECK(ecount == 13);
-    CHECK(secp256k1_pedersen_blind_generator_blind_sum(none, &val, NULL, &blind_out_ptr, 1, 0) == 0);
+    CHECK(secp256k1_pedersen_blind_generator_blind_sum(none, NULL, &blind_ptr, &blind_out_ptr, 1, 0) == 0);
     CHECK(ecount == 14);
-    CHECK(secp256k1_pedersen_blind_generator_blind_sum(none, &val, &blind_ptr, NULL, 1, 0) == 0);
+    CHECK(secp256k1_pedersen_blind_generator_blind_sum(none, &val, NULL, &blind_out_ptr, 1, 0) == 0);
     CHECK(ecount == 15);
+    CHECK(secp256k1_pedersen_blind_generator_blind_sum(none, &val, &blind_ptr, NULL, 1, 0) == 0);
+    CHECK(ecount == 16);
 
     secp256k1_context_destroy(none);
     secp256k1_context_destroy(sign);
@@ -132,7 +134,7 @@ static void test_pedersen(void) {
     }
     CHECK(secp256k1_pedersen_blind_sum(ctx, &blinds[(total - 1) * 32], bptr, total - 1, inputs));
     for (i = 0; i < total; i++) {
-        CHECK(secp256k1_pedersen_commit(ctx, &commits[i], &blinds[i * 32], values[i], &secp256k1_generator_const_h));
+        CHECK(secp256k1_pedersen_commit(ctx, &commits[i], &blinds[i * 32], values[i], &secp256k1_generator_const_h, &secp256k1_generator_const_g));
     }
     CHECK(secp256k1_pedersen_verify_tally(ctx, cptr, inputs, &cptr[inputs], outputs));
     CHECK(secp256k1_pedersen_verify_tally(ctx, &cptr[inputs], outputs, cptr, inputs));
@@ -147,7 +149,7 @@ static void test_pedersen(void) {
     values[1] = 0;
     values[2] = 1;
     for (i = 0; i < 3; i++) {
-        CHECK(secp256k1_pedersen_commit(ctx, &commits[i], &blinds[i * 32], values[i], &secp256k1_generator_const_h));
+        CHECK(secp256k1_pedersen_commit(ctx, &commits[i], &blinds[i * 32], values[i], &secp256k1_generator_const_h, &secp256k1_generator_const_g));
     }
     CHECK(secp256k1_pedersen_verify_tally(ctx, &cptr[0], 1, &cptr[0], 1));
     CHECK(secp256k1_pedersen_verify_tally(ctx, &cptr[1], 1, &cptr[1], 1));
@@ -202,7 +204,7 @@ void test_multiple_generators(void) {
     /* Correct for blinding factors and do the commitments */
     CHECK(secp256k1_pedersen_blind_generator_blind_sum(ctx, value, (const unsigned char * const *) generator_blind, pedersen_blind, n_generators, n_inputs));
     for (i = 0; i < n_generators; i++) {
-        CHECK(secp256k1_pedersen_commit(ctx, &commit[i], pedersen_blind[i], value[i], &generator[i]));
+        CHECK(secp256k1_pedersen_commit(ctx, &commit[i], pedersen_blind[i], value[i], &generator[i], &secp256k1_generator_const_h));
     }
 
     /* Verify */

src/modules/rangeproof/rangeproof_impl.h

@@ -296,7 +296,7 @@ SECP256K1_INLINE static int secp256k1_rangeproof_sign_impl(const secp256k1_ecmul
     npub = 0;
     for (i = 0; i < rings; i++) {
         /*OPT: Use the precomputed gen2 basis?*/
-        secp256k1_pedersen_ecmult(ecmult_gen_ctx, &pubs[npub], &sec[i], ((uint64_t)secidx[i] * scale) << (i*2), genp);
+        secp256k1_pedersen_ecmult(&pubs[npub], &sec[i], ((uint64_t)secidx[i] * scale) << (i*2), genp, &secp256k1_ge_const_g);
         if (secp256k1_gej_is_infinity(&pubs[npub])) {
             return 0;
         }
@@ -604,7 +604,10 @@ SECP256K1_INLINE static int secp256k1_rangeproof_verify_impl(const secp256k1_ecm
     npub = 0;
     secp256k1_gej_set_infinity(&accj);
     if (*min_value) {
-        secp256k1_pedersen_ecmult_small(&accj, *min_value, genp);
+        secp256k1_scalar mvs;
+        secp256k1_scalar_set_u64(&mvs, *min_value);
+        secp256k1_ecmult_const(&accj, genp, &mvs, 64);
+        secp256k1_scalar_clear(&mvs);
     }
     for(i = 0; i < rings - 1; i++) {
         secp256k1_fe fe;
@@ -660,7 +663,7 @@ SECP256K1_INLINE static int secp256k1_rangeproof_verify_impl(const secp256k1_ecm
         /* Unwind apparently successful, see if the commitment can be reconstructed. */
         /* FIXME: should check vv is in the mantissa's range. */
         vv = (vv * scale) + *min_value;
-        secp256k1_pedersen_ecmult(ecmult_gen_ctx, &accj, &blind, vv, genp);
+        secp256k1_pedersen_ecmult(&accj, &blind, vv, genp, &secp256k1_ge_const_g);
         if (secp256k1_gej_is_infinity(&accj)) {
             return 0;
         }

src/modules/rangeproof/tests_impl.h

@@ -31,7 +31,7 @@ static void test_rangeproof_api(const secp256k1_context *none, const secp256k1_c
     size_t ext_commit_len = sizeof(ext_commit);
 
     secp256k1_rand256(blind);
-    CHECK(secp256k1_pedersen_commit(ctx, &commit, blind, val, &secp256k1_generator_const_h));
+    CHECK(secp256k1_pedersen_commit(ctx, &commit, blind, val, &secp256k1_generator_const_h, &secp256k1_generator_const_g));
 
     CHECK(secp256k1_rangeproof_sign(none, proof, &len, vmin, &commit, blind, commit.data, 0, 0, val, message, mlen, ext_commit, ext_commit_len, &secp256k1_generator_const_h) == 0);
     CHECK(*ecount == 1);
@@ -293,7 +293,7 @@ static void test_rangeproof(void) {
     secp256k1_rand256(blind);
     for (i = 0; i < 11; i++) {
         v = testvs[i];
-        CHECK(secp256k1_pedersen_commit(ctx, &commit, blind, v, &secp256k1_generator_const_h));
+        CHECK(secp256k1_pedersen_commit(ctx, &commit, blind, v, &secp256k1_generator_const_h, &secp256k1_generator_const_g));
         for (vmin = 0; vmin < (i<9 && i > 0 ? 2 : 1); vmin++) {
             const unsigned char *input_message = NULL;
             size_t input_message_len = 0;
@@ -348,7 +348,7 @@ static void test_rangeproof(void) {
     }
     secp256k1_rand256(blind);
     v = INT64_MAX - 1;
-    CHECK(secp256k1_pedersen_commit(ctx, &commit, blind, v, &secp256k1_generator_const_h));
+    CHECK(secp256k1_pedersen_commit(ctx, &commit, blind, v, &secp256k1_generator_const_h, &secp256k1_generator_const_g));
     for (i = 0; i < 19; i++) {
         len = 5134;
         CHECK(secp256k1_rangeproof_sign(ctx, proof, &len, 0, &commit, blind, commit.data, i, 0, v, NULL, 0, NULL, 0, &secp256k1_generator_const_h));
@@ -363,7 +363,7 @@ static void test_rangeproof(void) {
     {
         /*Malleability test.*/
         v = secp256k1_rands64(0, 255);
-        CHECK(secp256k1_pedersen_commit(ctx, &commit, blind, v, &secp256k1_generator_const_h));
+        CHECK(secp256k1_pedersen_commit(ctx, &commit, blind, v, &secp256k1_generator_const_h, &secp256k1_generator_const_g));
         len = 5134;
         CHECK(secp256k1_rangeproof_sign(ctx, proof, &len, 0, &commit, blind, commit.data, 0, 3, v, NULL, 0, NULL, 0, &secp256k1_generator_const_h));
         CHECK(len <= 5134);
@@ -389,7 +389,7 @@ static void test_rangeproof(void) {
             vmin = secp256k1_rands64(0, v);
         }
         secp256k1_rand256(blind);
-        CHECK(secp256k1_pedersen_commit(ctx, &commit, blind, v, &secp256k1_generator_const_h));
+        CHECK(secp256k1_pedersen_commit(ctx, &commit, blind, v, &secp256k1_generator_const_h, &secp256k1_generator_const_g));
         len = 5134;
         exp = (int)secp256k1_rands64(0,18)-(int)secp256k1_rands64(0,18);
         if (exp < 0) {