bulletproofs: add module, full support for rangeproofs

Author: apoelstra

.gitignore

@@ -8,6 +8,7 @@ bench_recover
 bench_internal
 bench_generator
 bench_rangeproof
+bench_bulletproof
 tests
 exhaustive_tests
 gen_context

Makefile.am

@@ -202,6 +202,10 @@ if ENABLE_MODULE_RANGEPROOF
 include src/modules/rangeproof/Makefile.am.include
 endif
 
+if ENABLE_MODULE_BULLETPROOF
+include src/modules/bulletproofs/Makefile.am.include
+endif
+
 if ENABLE_MODULE_WHITELIST
 include src/modules/whitelist/Makefile.am.include
 endif

configure.ac

@@ -159,6 +159,12 @@ AC_ARG_ENABLE(module_rangeproof,
     [enable_module_rangeproof=$enableval],
     [enable_module_rangeproof=no])
 
+AC_ARG_ENABLE(module_bulletproof,
+    AS_HELP_STRING([--enable-module-bulletproof],[enable Pedersen / zero-knowledge bulletproofs module (default is no)]),
+    [enable_module_bulletproof=$enableval],
+    [enable_module_bulletproof=no])
+
+
 AC_ARG_ENABLE(module_whitelist,
     AS_HELP_STRING([--enable-module-whitelist],[enable key whitelisting module (default is no)]),
     [enable_module_whitelist=$enableval],
@@ -208,6 +214,19 @@ AC_COMPILE_IFELSE([AC_LANG_SOURCE([[void myfunc() {__builtin_popcount(0);}]])],
     [ AC_MSG_RESULT([no])
     ])
 
+AC_MSG_CHECKING([for __builtin_popcountl])
+AC_COMPILE_IFELSE([AC_LANG_SOURCE([[void myfunc() {__builtin_popcountl(0);}]])],
+    [ AC_MSG_RESULT([yes]);AC_DEFINE(HAVE_BUILTIN_POPCOUNTL,1,[Define this symbol if __builtin_popcountl is available]) ],
+    [ AC_MSG_RESULT([no])
+    ])
+
+AC_MSG_CHECKING([for __builtin_ctzl])
+AC_COMPILE_IFELSE([AC_LANG_SOURCE([[void myfunc() {__builtin_ctzl(0);}]])],
+    [ AC_MSG_RESULT([yes]);AC_DEFINE(HAVE_BUILTIN_CTZL,1,[Define this symbol if __builtin_ctzl is available]) ],
+    [ AC_MSG_RESULT([no])
+    ])
+
+
 if test x"$use_ecmult_static_precomputation" != x"no"; then
   save_cross_compiling=$cross_compiling
   cross_compiling=no
@@ -502,6 +521,10 @@ if test x"$enable_module_rangeproof" = x"yes"; then
   AC_DEFINE(ENABLE_MODULE_RANGEPROOF, 1, [Define this symbol to enable the zero knowledge range proof module])
 fi
 
+if test x"$enable_module_bulletproof" = x"yes"; then
+  AC_DEFINE(ENABLE_MODULE_BULLETPROOF, 1, [Define this symbol to enable the Pedersen / zero knowledge bulletproof module])
+fi
+
 if test x"$enable_module_whitelist" = x"yes"; then
   AC_DEFINE(ENABLE_MODULE_WHITELIST, 1, [Define this symbol to enable the key whitelisting module])
 fi
@@ -536,6 +559,7 @@ if test x"$enable_experimental" = x"yes"; then
   AC_MSG_NOTICE([Building NUMS generator module: $enable_module_generator])
   AC_MSG_NOTICE([Building Pedersen commitment module: $enable_module_commitment])
   AC_MSG_NOTICE([Building range proof module: $enable_module_rangeproof])
+  AC_MSG_NOTICE([Building bulletproof module: $enable_module_bulletproof])
   AC_MSG_NOTICE([Building key whitelisting module: $enable_module_whitelist])
   AC_MSG_NOTICE([Building surjection proof module: $enable_module_surjectionproof])
   AC_MSG_NOTICE([Building schnorrsig module: $enable_module_schnorrsig])
@@ -553,12 +577,18 @@ if test x"$enable_experimental" = x"yes"; then
     if test x"$enable_module_commitment" = x"yes"; then
       AC_MSG_ERROR([Commitment module requires the generator module. Use --enable-module-generator to allow.])
     fi
+    if test x"$enable_module_bulletproof" = x"yes"; then
+      AC_MSG_ERROR([Bulletproof module requires the generator module. Use --enable-module-generator to allow.])
+    fi
   fi
 
   if test x"$enable_module_commitment" != x"yes"; then
     if test x"$enable_module_rangeproof" = x"yes"; then
       AC_MSG_ERROR([Rangeproof module requires the commitment module. Use --enable-module-commitment to allow.])
     fi
+    if test x"$enable_module_bulletproof" = x"yes"; then
+      AC_MSG_ERROR([Bulletproof module requires the commitment module. Use --enable-module-commitment to allow.])
+    fi
   fi
 
   if test x"$enable_module_rangeproof" != x"yes"; then
@@ -591,6 +621,9 @@ else
   if test x"$enable_module_rangeproof" = x"yes"; then
     AC_MSG_ERROR([Range proof module is experimental. Use --enable-experimental to allow.])
   fi
+  if test x"$enable_module_bulletproof" = x"yes"; then
+    AC_MSG_ERROR([Bulletproof module is experimental. Use --enable-experimental to allow.])
+  fi
   if test x"$enable_module_whitelist" = x"yes"; then
     AC_MSG_ERROR([Key whitelisting module is experimental. Use --enable-experimental to allow.])
   fi
@@ -618,6 +651,7 @@ AM_CONDITIONAL([ENABLE_MODULE_RECOVERY], [test x"$enable_module_recovery" = x"ye
 AM_CONDITIONAL([ENABLE_MODULE_GENERATOR], [test x"$enable_module_generator" = x"yes"])
 AM_CONDITIONAL([ENABLE_MODULE_COMMITMENT], [test x"$enable_module_commitment" = x"yes"])
 AM_CONDITIONAL([ENABLE_MODULE_RANGEPROOF], [test x"$enable_module_rangeproof" = x"yes"])
+AM_CONDITIONAL([ENABLE_MODULE_BULLETPROOF], [test x"$enable_module_bulletproof" = x"yes"])
 AM_CONDITIONAL([ENABLE_MODULE_WHITELIST], [test x"$enable_module_whitelist" = x"yes"])
 AM_CONDITIONAL([USE_JNI], [test x"$use_jni" == x"yes"])
 AM_CONDITIONAL([USE_EXTERNAL_ASM], [test x"$use_external_asm" = x"yes"])

include/secp256k1_bulletproofs.h

@@ -0,0 +1,146 @@
+#ifndef _SECP256K1_BULLETPROOF_
+# define _SECP256K1_BULLETPROOF_
+
+# include "secp256k1.h"
+# include "secp256k1_generator.h"
+# include "secp256k1_rangeproof.h"
+
+# ifdef __cplusplus
+extern "C" {
+# endif
+
+/** Opaque structure representing a large number of NUMS generators */
+typedef struct secp256k1_bulletproof_generators secp256k1_bulletproof_generators;
+
+/* Maximum depth of 31 lets us validate an aggregate of 2^25 64-bit proofs */
+#define SECP256K1_BULLETPROOF_MAX_DEPTH 31
+
+/* Size of a hypothetical 31-depth rangeproof, in bytes */
+#define SECP256K1_BULLETPROOF_MAX_PROOF (160 + 66*32 + 7)
+
+/** Allocates and initializes a list of NUMS generators, along with precomputation data
+ *  Returns a list of generators, or NULL if allocation failed.
+ *  Args:          ctx: pointer to a context object (cannot be NULL)
+ *  In:   blinding_gen: generator that blinding factors will be multiplied by (cannot be NULL)
+ *                   n: number of NUMS generators to produce
+ */
+SECP256K1_API secp256k1_bulletproof_generators *secp256k1_bulletproof_generators_create(
+    const secp256k1_context* ctx,
+    const secp256k1_generator *blinding_gen,
+    size_t n
+) SECP256K1_ARG_NONNULL(1);
+
+/** Destroys a list of NUMS generators, freeing allocated memory
+ *  Args:   ctx: pointer to a context object (cannot be NULL)
+ *          gen: pointer to the generator set to be destroyed
+ */
+SECP256K1_API void secp256k1_bulletproof_generators_destroy(
+    const secp256k1_context* ctx,
+    secp256k1_bulletproof_generators *gen
+) SECP256K1_ARG_NONNULL(1);
+
+/** Verifies a single bulletproof (aggregate) rangeproof
+ *  Returns: 1: rangeproof was valid
+ *           0: rangeproof was invalid, or out of memory
+ *  Args:       ctx: pointer to a context object initialized for verification (cannot be NULL)
+ *          scratch: scratch space with enough memory for verification (cannot be NULL)
+ *             gens: generator set with at least 2*nbits*n_commits many generators (cannot be NULL)
+ *  In:       proof: byte-serialized rangeproof (cannot be NULL)
+ *             plen: length of the proof
+ *        min_value: array of minimum values to prove ranges above, or NULL for all-zeroes
+ *           commit: array of pedersen commitment that this rangeproof is over (cannot be NULL)
+ *        n_commits: number of commitments in the above array (cannot be 0)
+ *            nbits: number of bits proven for each range
+ *        value_gen: generator multiplied by value in pedersen commitments (cannot be NULL)
+ *     extra_commit: additonal data committed to by the rangeproof (may be NULL if `extra_commit_len` is 0)
+ *     extra_commit_len: length of additional data
+ */
+SECP256K1_API int secp256k1_bulletproof_rangeproof_verify(
+    const secp256k1_context* ctx,
+    secp256k1_scratch_space* scratch,
+    const secp256k1_bulletproof_generators *gens,
+    const unsigned char* proof,
+    size_t plen,
+    const uint64_t* min_value,
+    const secp256k1_pedersen_commitment* commit,
+    size_t n_commits,
+    size_t nbits,
+    const secp256k1_generator* value_gen,
+    const unsigned char* extra_commit,
+    size_t extra_commit_len
+) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4) SECP256K1_ARG_NONNULL(7) SECP256K1_ARG_NONNULL(10);
+
+/** Batch-verifies multiple bulletproof (aggregate) rangeproofs of the same size using same generator
+ *  Returns: 1: all rangeproofs were valid
+ *           0: some rangeproof was invalid, or out of memory
+ *  Args:       ctx: pointer to a context object initialized for verification (cannot be NULL)
+ *          scratch: scratch space with enough memory for verification (cannot be NULL)
+ *             gens: generator set with at least 2*nbits*n_commits many generators (cannot be NULL)
+ *  In:       proof: array of byte-serialized rangeproofs (cannot be NULL)
+ *         n_proofs: number of proofs in the above array, and number of arrays in the `commit` array
+ *             plen: length of every individual proof
+ *        min_value: array of arrays of minimum values to prove ranges above, or NULL for all-zeroes
+ *           commit: array of arrays of pedersen commitment that the rangeproofs is over (cannot be NULL)
+ *        n_commits: number of commitments in each element of the above array (cannot be 0)
+ *            nbits: number of bits in each proof
+ *        value_gen: generator multiplied by value in pedersen commitments (cannot be NULL)
+ *     extra_commit: additonal data committed to by the rangeproof (may be NULL if `extra_commit_len` is 0)
+ *     extra_commit_len: array of lengths of additional data
+ */
+SECP256K1_API int secp256k1_bulletproof_rangeproof_verify_multi(
+    const secp256k1_context* ctx,
+    secp256k1_scratch_space* scratch,
+    const secp256k1_bulletproof_generators *gens,
+    const unsigned char* const* proof,
+    size_t n_proofs,
+    size_t plen,
+    const uint64_t* const* min_value,
+    const secp256k1_pedersen_commitment* const* commit,
+    size_t n_commits,
+    size_t nbits,
+    const secp256k1_generator* value_gen,
+    const unsigned char* const* extra_commit,
+    size_t *extra_commit_len
+) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4) SECP256K1_ARG_NONNULL(8);
+
+
+/** Produces an aggregate Bulletproof rangeproof for a set of Pedersen commitments
+ *  Returns: 1: rangeproof was successfully created
+ *           0: rangeproof could not be created, or out of memory
+ *  Args:       ctx: pointer to a context object initialized for signing and verification (cannot be NULL)
+ *          scratch: scratch space with enough memory for verification (cannot be NULL)
+ *             gens: generator set with at least 2*nbits*n_commits many generators (cannot be NULL)
+ *  Out:      proof: byte-serialized rangeproof (cannot be NULL)
+ *  In/out:    plen: pointer to size of `proof`, to be replaced with actual length of proof (cannot be NULL)
+ *  In:       value: array of values committed by the Pedersen commitments (cannot be NULL)
+ *        min_value: array of minimum values to prove ranges above, or NULL for all-zeroes
+ *            blind: array of blinding factors of the Pedersen commitments (cannot be NULL)
+ *        n_commits: number of entries in the `value` and `blind` arrays
+ *        value_gen: generator multiplied by value in pedersen commitments (cannot be NULL)
+ *            nbits: number of bits proven for each range
+ *            nonce: random 32-byte seed used to derive blinding factors (cannot be NULL)
+ *     extra_commit: additonal data committed to by the rangeproof
+ * extra_commit_len: length of additional data
+ */
+SECP256K1_API int secp256k1_bulletproof_rangeproof_prove(
+    const secp256k1_context* ctx,
+    secp256k1_scratch_space* scratch,
+    const secp256k1_bulletproof_generators *gens,
+    unsigned char* proof,
+    size_t* plen,
+    const uint64_t *value,
+    const uint64_t *min_value,
+    const unsigned char* const* blind,
+    size_t n_commits,
+    const secp256k1_generator* value_gen,
+    size_t nbits,
+    const unsigned char* nonce,
+    const unsigned char* extra_commit,
+    size_t extra_commit_len
+) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4) SECP256K1_ARG_NONNULL(5) SECP256K1_ARG_NONNULL(6) SECP256K1_ARG_NONNULL(8) SECP256K1_ARG_NONNULL(10) SECP256K1_ARG_NONNULL(12);
+
+# ifdef __cplusplus
+}
+# endif
+
+#endif

src/modules/bulletproofs/Makefile.am.include

@@ -0,0 +1,6 @@
+include_HEADERS += include/secp256k1_bulletproofs.h
+noinst_HEADERS += src/modules/bulletproofs/inner_product_impl.h
+noinst_HEADERS += src/modules/bulletproofs/rangeproof_impl.h
+noinst_HEADERS += src/modules/bulletproofs/main_impl.h
+noinst_HEADERS += src/modules/bulletproofs/tests_impl.h
+noinst_HEADERS += src/modules/bulletproofs/util.h