bulletproofs: add rangeproof rewinding capability

apoelstra · apoelstra · commit eb4047f22da9 · 2018-05-25T21:47:26.000Z
diff --git a/include/secp256k1_bulletproofs.h b/include/secp256k1_bulletproofs.h
@@ -112,6 +112,36 @@ SECP256K1_API int secp256k1_bulletproof_rangeproof_verify_multi(
     size_t *extra_commit_len
 ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4) SECP256K1_ARG_NONNULL(8);
 
+/** Extracts the value and blinding factor from a single-commit rangeproof given a secret nonce
+ *  Returns: 1: value and blinding factor were extracted and matched the input commit
+ *           0: one of the above was not true, extraction failed
+ *  Args:       ctx: pointer to a context object (cannot be NULL)
+ *             gens: generator set used to make original proof (cannot be NULL)
+ *  Out:      value: pointer to value that will be extracted
+ *            blind: pointer to 32-byte array for blinding factor to be extracted
+ *  In:       proof: byte-serialized rangeproof (cannot be NULL)
+ *             plen: length of every individual proof
+ *        min_value: minimum value that the proof ranges over
+ *           commit: pedersen commitment that the rangeproof is over (cannot be NULL)
+ *        value_gen: generator multiplied by value in pedersen commitments (cannot be NULL)
+ *            nonce: random 32-byte seed used to derive blinding factors (cannot be NULL)
+ *     extra_commit: additonal data committed to by the rangeproof
+ * extra_commit_len: length of additional data
+ */
+SECP256K1_API int secp256k1_bulletproof_rangeproof_rewind(
+    const secp256k1_context* ctx,
+    const secp256k1_bulletproof_generators* gens,
+    uint64_t* value,
+    unsigned char* blind,
+    const unsigned char* proof,
+    size_t plen,
+    size_t min_value,
+    const secp256k1_pedersen_commitment* commit,
+    const secp256k1_generator* value_gen,
+    const unsigned char* nonce,
+    const unsigned char* extra_commit,
+    size_t extra_commit_len
+) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4) SECP256K1_ARG_NONNULL(5) SECP256K1_ARG_NONNULL(8) SECP256K1_ARG_NONNULL(9);
 
 /** Produces an aggregate Bulletproof rangeproof for a set of Pedersen commitments
  *  Returns: 1: rangeproof was successfully created
diff --git a/src/modules/bulletproofs/main_impl.h b/src/modules/bulletproofs/main_impl.h
@@ -173,6 +173,27 @@ int secp256k1_bulletproof_rangeproof_verify_multi(const secp256k1_context* ctx,
     return ret;
 }
 
+int secp256k1_bulletproof_rangeproof_rewind(const secp256k1_context* ctx, const secp256k1_bulletproof_generators *gens, uint64_t *value, unsigned char *blind, const unsigned char *proof, size_t plen, uint64_t min_value, const secp256k1_pedersen_commitment* commit, const secp256k1_generator *value_gen, const unsigned char *nonce, const unsigned char *extra_commit, size_t extra_commit_len) {
+    secp256k1_scalar blinds;
+    int ret;
+
+    VERIFY_CHECK(ctx != NULL);
+    ARG_CHECK(value != NULL);
+    ARG_CHECK(blind != NULL);
+    ARG_CHECK(gens != NULL);
+    ARG_CHECK(proof != NULL);
+    ARG_CHECK(commit != NULL);
+    ARG_CHECK(value_gen != NULL);
+    ARG_CHECK(nonce != NULL);
+    ARG_CHECK(extra_commit != NULL || extra_commit_len == 0);
+
+    ret = secp256k1_bulletproof_rangeproof_rewind_impl(value, &blinds, proof, plen, min_value, commit, value_gen, gens->blinding_gen, nonce, extra_commit, extra_commit_len);
+    if (ret == 1) {
+        secp256k1_scalar_get_b32(blind, &blinds);
+    }
+    return ret;
+}
+
 int secp256k1_bulletproof_rangeproof_prove(const secp256k1_context* ctx, secp256k1_scratch_space *scratch, const secp256k1_bulletproof_generators *gens, unsigned char *proof, size_t *plen, const uint64_t *value, const uint64_t *min_value, const unsigned char* const* blind, size_t n_commits, const secp256k1_generator *value_gen, size_t nbits, const unsigned char *nonce, const unsigned char *extra_commit, size_t extra_commit_len) {
     int ret;
     secp256k1_ge *commitp;
diff --git a/src/modules/bulletproofs/rangeproof_impl.h b/src/modules/bulletproofs/rangeproof_impl.h
@@ -488,6 +488,13 @@ static int secp256k1_bulletproof_rangeproof_prove_impl(const secp256k1_ecmult_co
 
     secp256k1_scalar_chacha20(&alpha, &rho, nonce, 0);
     secp256k1_scalar_chacha20(&tau1, &tau2, nonce, 1);
+    /* Encrypt value into alpha, so it will be recoverable from -mu by someone who knows `nonce` */
+    if (n_commits == 1) {
+        secp256k1_scalar vals;
+        secp256k1_scalar_set_u64(&vals, value[0]);
+        secp256k1_scalar_negate(&vals, &vals); /* Negate so it'll be positive in -mu */
+        secp256k1_scalar_add(&alpha, &alpha, &vals);
+    }
 
     /* Compute A and S */
     secp256k1_ecmult_const(&aj, &gens->blinding_gen[0], &alpha, 256);
@@ -645,4 +652,141 @@ static int secp256k1_bulletproof_rangeproof_prove_impl(const secp256k1_ecmult_co
 
     return 1;
 }
+
+static int secp256k1_bulletproof_rangeproof_rewind_impl(uint64_t *value, secp256k1_scalar *blind, const unsigned char *proof, const size_t plen, uint64_t min_value, const secp256k1_pedersen_commitment *pcommit, const secp256k1_generator *value_gen, const secp256k1_ge *blind_gen, const unsigned char *nonce, const unsigned char *extra_commit, size_t extra_commit_len) {
+    secp256k1_sha256 sha256;
+    static const unsigned char zero24[24] = { 0 };
+    unsigned char commit[32] = { 0 };
+    unsigned char lrparity;
+    secp256k1_scalar taux, mu;
+    secp256k1_scalar alpha, rho, tau1, tau2;
+    secp256k1_scalar x, z;
+    secp256k1_ge commitp, value_genp;
+    secp256k1_gej rewind_commitj;
+    int overflow;
+
+    if (plen < 64 + 128 + 1 || plen > SECP256K1_BULLETPROOF_MAX_PROOF) {
+        return 0;
+    }
+
+    /* Extract data from beginning of proof */
+    secp256k1_scalar_set_b32(&taux, &proof[0], &overflow);
+    if (overflow || secp256k1_scalar_is_zero(&taux)) {
+        return 0;
+    }
+    secp256k1_scalar_set_b32(&mu, &proof[32], &overflow);
+    if (overflow || secp256k1_scalar_is_zero(&mu)) {
+        return 0;
+    }
+
+    secp256k1_scalar_chacha20(&alpha, &rho, nonce, 0);
+    secp256k1_scalar_chacha20(&tau1, &tau2, nonce, 1);
+
+    if (min_value > 0) {
+        unsigned char vbuf[8];
+        vbuf[0] = min_value;
+        vbuf[1] = min_value >> 8;
+        vbuf[2] = min_value >> 16;
+        vbuf[3] = min_value >> 24;
+        vbuf[4] = min_value >> 32;
+        vbuf[5] = min_value >> 40;
+        vbuf[6] = min_value >> 48;
+        vbuf[7] = min_value >> 56;
+        secp256k1_sha256_initialize(&sha256);
+        secp256k1_sha256_write(&sha256, commit, 32);
+        secp256k1_sha256_write(&sha256, vbuf, 8);
+        secp256k1_sha256_finalize(&sha256, commit);
+    }
+
+    /* This breaks the abstraction of both the Pedersen commitment and the generator
+     * type by directly reading the parity bit and x-coordinate from the data. But
+     * the alternative using the _load functions is to do two full point decompression,
+     * and in my benchmarks we save ~80% of the rewinding time by avoiding this. -asp */
+    lrparity = 2 * !!(pcommit->data[0] & 1) + !!(value_gen->data[0] & 1);
+    secp256k1_sha256_initialize(&sha256);
+    secp256k1_sha256_write(&sha256, commit, 32);
+    secp256k1_sha256_write(&sha256, &lrparity, 1);
+    secp256k1_sha256_write(&sha256, &pcommit->data[1], 32);
+    secp256k1_sha256_write(&sha256, &value_gen->data[1], 32);
+    secp256k1_sha256_finalize(&sha256, commit);
+
+    if (extra_commit != NULL) {
+        secp256k1_sha256_initialize(&sha256);
+        secp256k1_sha256_write(&sha256, commit, 32);
+        secp256k1_sha256_write(&sha256, extra_commit, extra_commit_len);
+        secp256k1_sha256_finalize(&sha256, commit);
+    }
+
+    /* Extract A and S to compute y and z */
+    lrparity = 2 * !!(proof[64] & 1) + !!(proof[64] & 2);
+    /* y */
+    secp256k1_sha256_initialize(&sha256);
+    secp256k1_sha256_write(&sha256, commit, 32);
+    secp256k1_sha256_write(&sha256, &lrparity, 1);
+    secp256k1_sha256_write(&sha256, &proof[65], 64);
+    secp256k1_sha256_finalize(&sha256, commit);
+
+    /* z */
+    secp256k1_sha256_initialize(&sha256);
+    secp256k1_sha256_write(&sha256, commit, 32);
+    secp256k1_sha256_write(&sha256, &lrparity, 1);
+    secp256k1_sha256_write(&sha256, &proof[65], 64);
+    secp256k1_sha256_finalize(&sha256, commit);
+
+    secp256k1_scalar_set_b32(&z, commit, &overflow);
+    if (overflow || secp256k1_scalar_is_zero(&z)) {
+        return 0;
+    }
+
+    /* x */
+    lrparity = 2 * !!(proof[64] & 4) + !!(proof[64] & 8);
+    secp256k1_sha256_initialize(&sha256);
+    secp256k1_sha256_write(&sha256, commit, 32);
+    secp256k1_sha256_write(&sha256, &lrparity, 1);
+    secp256k1_sha256_write(&sha256, &proof[129], 64);
+    secp256k1_sha256_finalize(&sha256, commit);
+
+    secp256k1_scalar_set_b32(&x, commit, &overflow);
+    if (overflow || secp256k1_scalar_is_zero(&x)) {
+        return 0;
+    }
+
+    /* Compute candidate mu and add to (negated) mu from proof to get value */
+    secp256k1_scalar_mul(&rho, &rho, &x);
+    secp256k1_scalar_add(&mu, &mu, &rho);
+    secp256k1_scalar_add(&mu, &mu, &alpha);
+
+    secp256k1_scalar_get_b32(commit, &mu);
+    if (memcmp(commit, zero24, 24) != 0) {
+        return 0;
+    }
+    *value = commit[31] + ((uint64_t) commit[30] << 8) +
+             ((uint64_t) commit[29] << 16) + ((uint64_t) commit[28] << 24) +
+             ((uint64_t) commit[27] << 32) + ((uint64_t) commit[26] << 40) +
+             ((uint64_t) commit[25] << 48) + ((uint64_t) commit[24] << 56);
+
+    /* Derive blinding factor */
+    secp256k1_scalar_mul(&tau1, &tau1, &x);
+    secp256k1_scalar_mul(&tau2, &tau2, &x);
+    secp256k1_scalar_mul(&tau2, &tau2, &x);
+
+    secp256k1_scalar_add(&taux, &taux, &tau1);
+    secp256k1_scalar_add(&taux, &taux, &tau2);
+
+    secp256k1_scalar_sqr(&z, &z);
+    secp256k1_scalar_inverse_var(&z, &z);
+    secp256k1_scalar_mul(blind, &taux, &z);
+    secp256k1_scalar_negate(blind, blind);
+
+    /* Check blinding factor */
+    secp256k1_pedersen_commitment_load(&commitp, pcommit);
+    secp256k1_generator_load(&value_genp, value_gen);
+
+    secp256k1_pedersen_ecmult(&rewind_commitj, blind, *value, &value_genp, blind_gen);
+    secp256k1_gej_neg(&rewind_commitj, &rewind_commitj);
+    secp256k1_gej_add_ge_var(&rewind_commitj, &rewind_commitj, &commitp, NULL);
+
+    return secp256k1_gej_is_infinity(&rewind_commitj);
+}
+
 #endif
diff --git a/src/modules/bulletproofs/tests_impl.h b/src/modules/bulletproofs/tests_impl.h
@@ -35,9 +35,8 @@ static void test_bulletproof_api(void) {
     uint64_t value[4] = { 1234, 4567, 8910, 1112 } ;
     uint64_t min_value[4] = { 1000, 4567, 0, 5000 } ;
     const uint64_t *mv_ptr = min_value;
-
-    const char circ_desc_good[] = "2,0,0,4; L0 = 17; 2*L1 - L0 = 21; O0 = 1; O1 = 1;";
-    const char circ_desc_bad[] = "2,0,0,4; L0 = 17; 2*L1 - L0 = 21; O0 = 1; O1 x 1;";
+    unsigned char rewind_blind[32];
+    size_t rewind_v;
 
     int32_t ecount = 0;
 
@@ -223,6 +222,35 @@ static void test_bulletproof_api(void) {
     CHECK(secp256k1_bulletproof_rangeproof_verify_multi(both, scratch, gens, &proof_ptr, 1, plen, &mv_ptr, pcommit_arr, 4, 64, &value_gen, blind_ptr, &blindlen) == 0);
     CHECK(ecount == 14);
 
+    /* Rewind */
+    ecount = 0;
+    CHECK(secp256k1_bulletproof_rangeproof_rewind(none, gens, &rewind_v, rewind_blind, proof, plen, min_value[0], pcommit, &value_gen, blind, blind, 32) == 1);
+    CHECK(ecount == 0);
+    CHECK(secp256k1_bulletproof_rangeproof_rewind(none, NULL, &rewind_v, rewind_blind, proof, plen, min_value[0], pcommit, &value_gen, blind, blind, 32) == 0);
+    CHECK(ecount == 1);
+    CHECK(secp256k1_bulletproof_rangeproof_rewind(none, gens, NULL, rewind_blind, proof, plen, min_value[0], pcommit, &value_gen, blind, blind, 32) == 0);
+    CHECK(ecount == 2);
+    CHECK(secp256k1_bulletproof_rangeproof_rewind(none, gens, &rewind_v, NULL, proof, plen, min_value[0], pcommit, &value_gen, blind, blind, 32) == 0);
+    CHECK(ecount == 3);
+    CHECK(secp256k1_bulletproof_rangeproof_rewind(none, gens, &rewind_v, rewind_blind, NULL, plen, min_value[0], pcommit, &value_gen, blind, blind, 32) == 0);
+    CHECK(ecount == 4);
+    CHECK(secp256k1_bulletproof_rangeproof_rewind(none, gens, &rewind_v, rewind_blind, proof, 0, min_value[0], pcommit, &value_gen, blind, blind, 32) == 0);
+    CHECK(ecount == 4);
+    CHECK(secp256k1_bulletproof_rangeproof_rewind(none, gens, &rewind_v, rewind_blind, proof, plen, 0, pcommit, &value_gen, blind, blind, 32) == 0);
+    CHECK(ecount == 4);
+    CHECK(secp256k1_bulletproof_rangeproof_rewind(none, gens, &rewind_v, rewind_blind, proof, plen, min_value[0], NULL, &value_gen, blind, blind, 32) == 0);
+    CHECK(ecount == 5);
+    CHECK(secp256k1_bulletproof_rangeproof_rewind(none, gens, &rewind_v, rewind_blind, proof, plen, min_value[0], pcommit, NULL, blind, blind, 32) == 0);
+    CHECK(ecount == 6);
+    CHECK(secp256k1_bulletproof_rangeproof_rewind(none, gens, &rewind_v, rewind_blind, proof, plen, min_value[0], pcommit, &value_gen, NULL, blind, 32) == 0);
+    CHECK(ecount == 7);
+    CHECK(secp256k1_bulletproof_rangeproof_rewind(none, gens, &rewind_v, rewind_blind, proof, plen, min_value[0], pcommit, &value_gen, blind, NULL, 32) == 0);
+    CHECK(ecount == 8);
+    CHECK(secp256k1_bulletproof_rangeproof_rewind(none, gens, &rewind_v, rewind_blind, proof, plen, min_value[0], pcommit, &value_gen, blind, blind, 0) == 0);
+    CHECK(ecount == 8);
+    CHECK(secp256k1_bulletproof_rangeproof_rewind(none, gens, &rewind_v, rewind_blind, proof, plen, min_value[0], pcommit, &value_gen, blind, NULL, 0) == 0);
+    CHECK(ecount == 8);
+
     secp256k1_bulletproof_generators_destroy(none, gens);
     secp256k1_bulletproof_generators_destroy(none, NULL);
     secp256k1_scratch_destroy(scratch);
@@ -438,15 +466,18 @@ void test_bulletproof_inner_product(size_t n, const secp256k1_bulletproof_genera
 
 void test_bulletproof_rangeproof(size_t nbits, size_t expected_size, const secp256k1_bulletproof_generators *gens) {
     secp256k1_scalar blind;
+    secp256k1_scalar blind_recovered;
     unsigned char proof[1024];
     unsigned char proof2[1024];
     unsigned char proof3[1024];
     const unsigned char *proof_ptr[3];
     size_t plen = sizeof(proof);
     uint64_t v = 123456;
+    uint64_t v_recovered;
     secp256k1_gej commitj;
     secp256k1_ge commitp;
     secp256k1_ge commitp2;
+    secp256k1_pedersen_commitment pcommit;
     const secp256k1_ge *commitp_ptr[3];
     secp256k1_ge value_gen[3];
     unsigned char nonce[32] = "my kingdom for some randomness!!";
@@ -472,6 +503,7 @@ void test_bulletproof_rangeproof(size_t nbits, size_t expected_size, const secp2
     secp256k1_ge_set_gej(&commitp2, &commitj);
     commitp_ptr[0] = commitp_ptr[1] = &commitp;
     commitp_ptr[2] = &commitp2;
+    secp256k1_pedersen_commitment_save(&pcommit, &commitp);
 
     CHECK(secp256k1_bulletproof_rangeproof_prove_impl(&ctx->ecmult_ctx, scratch, proof, &plen, nbits, &v, NULL, &blind, &commitp, 1, &value_gen[0], gens, nonce, NULL, 0) == 1);
     CHECK(plen == expected_size);
@@ -489,6 +521,14 @@ void test_bulletproof_rangeproof(size_t nbits, size_t expected_size, const secp2
     /* Verify thrice at once where one has a different asset type */
     CHECK(secp256k1_bulletproof_rangeproof_verify_impl(&ctx->ecmult_ctx, scratch, proof_ptr, 3, plen, nbits, NULL, commitp_ptr, 1, value_gen, gens, NULL, 0) == 1);
 
+    /* Rewind */
+    CHECK(secp256k1_bulletproof_rangeproof_rewind_impl(&v_recovered, &blind_recovered, proof, plen, 0, &pcommit, &secp256k1_generator_const_g, gens->blinding_gen, nonce, NULL, 0) == 1);
+    CHECK(v_recovered == v);
+    CHECK(secp256k1_scalar_eq(&blind_recovered, &blind) == 1);
+
+    nonce[0] ^= 111;
+    CHECK(secp256k1_bulletproof_rangeproof_rewind_impl(&v_recovered, &blind_recovered, proof, plen, 0, &pcommit, &secp256k1_generator_const_g, gens->blinding_gen, nonce, NULL, 0) == 0);
+
     secp256k1_scratch_destroy(scratch);
 }
 
