Expose BP++ Apis

sanket1729 · sanket1729 · commit 08e922c21633 · 2022-12-01T02:26:24.000-08:00
diff --git a/include/secp256k1_bulletproofs.h b/include/secp256k1_bulletproofs.h
@@ -9,22 +9,22 @@ extern "C" {
 
 #include <stdint.h>
 
+#include "include/secp256k1_generator.h"
+
 /** Opaque structure representing a large number of NUMS generators */
 typedef struct secp256k1_bulletproofs_generators secp256k1_bulletproofs_generators;
 
 /** Opaque structure representing a prover context used in bulletproofs++ prover */
 typedef struct secp256k1_bulletproofs_pp_rangeproof_prover_context secp256k1_bulletproofs_pp_rangeproof_prover_context;
 
-/** Returns a list of generators, or NULL if allocation failed.
+/** Allocates and initializes a list of NUMS generators
+ *  Returns a list of generators, or NULL if allocation failed.
  *  Args:          ctx: pointer to a context object
  *                   n: number of NUMS generators to produce. Should be 16 + 7 = 23
  * for a 64 bit range proof with base 16. In general, n = max(num_digits, base) + 7
  * where num_digits is the number of digits in base `base` representation of `n_bits`
  * base 2 number.
  *
- * TODO: For the first version of PR, this is would still require 16 + 8 = 24 NUMS
- * points. We will later use G = H0(required for compatibility with pedersen_commitment DS)
- * in a separate commit to make review easier.
  */
 SECP256K1_API secp256k1_bulletproofs_generators *secp256k1_bulletproofs_generators_create(
     const secp256k1_context* ctx,
@@ -52,9 +52,6 @@ SECP256K1_API secp256k1_bulletproofs_generators* secp256k1_bulletproofs_generato
  *                    least 33 times the number of generators plus one(33 * (num_gens + 1));
  *                    will be ser to 33 times the number of generators plus one
  *                    on successful return
- *
- * TODO: For ease of review, this setting G = H0 is not included in this commit. We will
- * add it in a separate commit.
  */
 SECP256K1_API int secp256k1_bulletproofs_generators_serialize(
     const secp256k1_context* ctx,
@@ -73,6 +70,97 @@ SECP256K1_API void secp256k1_bulletproofs_generators_destroy(
     secp256k1_bulletproofs_generators* gen
 ) SECP256K1_ARG_NONNULL(1);
 
+/** Returns the serialized size of an bulletproofs plus plus proof of a given number
+ *  of bits and the base. Both base and n_bits must be a power of two. The number
+ *  of digits required to represent number of bits in the given base must also be
+ *  a power of two. Specifically, all of n_bits, base and num_digits = (n_bits / log2(base))
+ *  must all be a power of two.
+ *  Args:   ctx: pointer to a context object
+ *  Out:    len: 0 if the parameters and num_digits (n_bits/log2(base)) are not a power of two
+ *               length of the serialized proof otherwise
+ *  In:  n_bits: number of bits to prove (max 64, should usually be 64)
+ *         base: base representation to be used in proof construction (max 256, recommended 16)
+ */
+SECP256K1_API size_t secp256k1_bulletproofs_pp_rangeproof_proof_length(
+    const secp256k1_context* ctx,
+    size_t n_bits,
+    size_t base
+) SECP256K1_ARG_NONNULL(1);
+
+/** Produces a Bulletproofs++ rangeproof. Returns 1 on success, 0 on failure.
+ * Proof creation can only fail if the arguments are invalid. The documentation
+ * below specifies the constraints on inputs and arguments under which this API
+ * can fail.
+ *  Args:      ctx: pointer to a context object
+ *         scratch: pointer to a scratch space
+ *            gens: pointer to the generator set to use, which must have exactly
+ *                 `n = max(num_digits, base) + 7` generators, where num_digits is the number.
+ *       asset_gen: pointer to the asset generator for the Pedersen/CT commitment
+ *  Out:     proof: pointer to a byte array to output the proof into
+ *  In/Out:   plen: pointer to the size of the above array; will be set to the actual size of
+ *                  the serialized proof. To learn this value in advance, to allocate a sufficient
+ *                  buffer, call `secp256k1_bulletproofs_pp_rangeproof_proof_length`
+ *  In:     n_bits: size of range being proven, in bits. Must be a power of two,
+ *                  and at most 64.
+ *            base: base representation to be used in proof construction. Must be a power of two,
+ *           value: value committed in the Pedersen commitment. Must be less
+ *                  than 2^n_bits.
+ *       min_value: minimum value of the range being proven. Must be less than value
+ *          commit: the Pedersen commitment being proven
+ *           blind: blinding factor for the Pedersen commitment. Must be a 32 byte
+ *                  valid scalar within secp curve order.
+ *           nonce: seed for the RNG used to generate random data during proving
+ *    extra_commit: arbitrary extra data that the proof commits to (may be NULL if extra_commit_len is 0)
+ *    extra_commit_len: length of the arbitrary extra data
+ */
+SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_bulletproofs_pp_rangeproof_prove(
+    const secp256k1_context* ctx,
+    secp256k1_scratch_space *scratch,
+    const secp256k1_bulletproofs_generators* gens,
+    const secp256k1_generator* asset_gen,
+    unsigned char* proof,
+    size_t* plen,
+    const size_t n_bits,
+    const size_t base,
+    const uint64_t value,
+    const uint64_t min_value,
+    const secp256k1_pedersen_commitment* commit,
+    const unsigned char* blind,
+    const unsigned char* nonce,
+    const unsigned char* extra_commit,
+    size_t extra_commit_len
+) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4) SECP256K1_ARG_NONNULL(5) SECP256K1_ARG_NONNULL(11) SECP256K1_ARG_NONNULL(12) SECP256K1_ARG_NONNULL(13);
+
+/** Verifies an Bulletproofs++ rangeproof. Returns 1 on success, 0 on failure.
+ *  Args:      ctx: pointer to a context object
+ *         scratch: pointer to a scratch space
+ *            gens: pointer to the generator set to use, which must have at least 2*n_bits generators
+ *       asset_gen: pointer to the asset generator for the CT commitment
+ *  In:      proof: pointer to a byte array containing the serialized proof
+ *            plen: length of the serialized proof
+ *          n_bits: size of range being proven, in bits. Must be a power of two,
+ *                  and at most 64.
+ *            base: base representation to be used in proof construction. Must be a power of two,
+ *       min_value: minimum value of the range being proven
+ *          commit: the Pedersen commitment being proven
+ *    extra_commit: arbitrary extra data that the proof commits to (may be NULL if extra_commit_len is 0)
+ *    extra_commit_len: length of the arbitrary extra data
+ */
+SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_bulletproofs_pp_rangeproof_verify(
+    const secp256k1_context* ctx,
+    secp256k1_scratch_space *scratch,
+    const secp256k1_bulletproofs_generators* gens,
+    const secp256k1_generator* asset_gen,
+    const unsigned char* proof,
+    const size_t plen,
+    const uint64_t n_bits,
+    const uint64_t base,
+    const uint64_t min_value,
+    const secp256k1_pedersen_commitment* commit,
+    const unsigned char* extra_commit,
+    size_t extra_commit_len
+) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4) SECP256K1_ARG_NONNULL(5) SECP256K1_ARG_NONNULL(10);
+
 # ifdef __cplusplus
 }
 # endif
diff --git a/src/modules/bulletproofs/main_impl.h b/src/modules/bulletproofs/main_impl.h
@@ -170,4 +170,106 @@ size_t secp256k1_bulletproofs_pp_rangeproof_proof_length(
     return 33 * 4 + 65*n_rounds + 64;
 }
 
+int secp256k1_bulletproofs_pp_rangeproof_prove(
+    const secp256k1_context* ctx,
+    secp256k1_scratch_space *scratch,
+    const secp256k1_bulletproofs_generators* gens,
+    const secp256k1_generator* asset_gen,
+    unsigned char* proof,
+    size_t* plen,
+    const size_t n_bits,
+    const size_t base,
+    const uint64_t value,
+    const uint64_t min_value,
+    const secp256k1_pedersen_commitment* commit,
+    const unsigned char* blind,
+    const unsigned char* nonce,
+    const unsigned char* extra_commit,
+    size_t extra_commit_len
+) {
+    secp256k1_ge commitp, asset_genp;
+    secp256k1_scalar blinds;
+    int overflow;
+
+    VERIFY_CHECK(ctx != NULL);
+    VERIFY_CHECK(scratch != NULL);
+    ARG_CHECK(gens != NULL);
+    ARG_CHECK(asset_gen != NULL);
+    ARG_CHECK(proof != NULL);
+    ARG_CHECK(plen != NULL);
+    ARG_CHECK(commit != NULL);
+    ARG_CHECK(blind != NULL);
+    ARG_CHECK(nonce != NULL);
+    ARG_CHECK(extra_commit != NULL || extra_commit_len == 0);
+
+    secp256k1_scalar_set_b32(&blinds, blind, &overflow);
+    if (overflow) {
+        return 0;
+    }
+
+    secp256k1_pedersen_commitment_load(&commitp, commit);
+    secp256k1_generator_load(&asset_genp, asset_gen);
+
+    return secp256k1_bulletproofs_pp_rangeproof_prove_impl(
+        ctx,
+        scratch,
+        gens,
+        &asset_genp,
+        proof,
+        plen,
+        n_bits,
+        base,
+        value,
+        min_value,
+        &commitp,
+        &blinds,
+        nonce,
+        extra_commit,
+        extra_commit_len
+    );
+}
+
+int secp256k1_bulletproofs_pp_rangeproof_verify(
+    const secp256k1_context* ctx,
+    secp256k1_scratch_space *scratch,
+    const secp256k1_bulletproofs_generators* gens,
+    const secp256k1_generator* asset_gen,
+    const unsigned char* proof,
+    const size_t plen,
+    const uint64_t n_bits,
+    const uint64_t base,
+    const uint64_t min_value,
+    const secp256k1_pedersen_commitment* commit,
+    const unsigned char* extra_commit,
+    size_t extra_commit_len
+) {
+    secp256k1_ge commitp, asset_genp;
+
+    VERIFY_CHECK(ctx != NULL);
+    VERIFY_CHECK(scratch != NULL);
+    ARG_CHECK(gens != NULL);
+    ARG_CHECK(asset_gen != NULL);
+    ARG_CHECK(proof != NULL);
+    ARG_CHECK(commit != NULL);
+    ARG_CHECK(extra_commit != NULL || extra_commit_len == 0);
+
+    secp256k1_pedersen_commitment_load(&commitp, commit);
+    secp256k1_generator_load(&asset_genp, asset_gen);
+
+    return secp256k1_bulletproofs_pp_rangeproof_verify_impl(
+        ctx,
+        scratch,
+        gens,
+        &asset_genp,
+        proof,
+        plen,
+        n_bits,
+        base,
+        min_value,
+        &commitp,
+        extra_commit,
+        extra_commit_len
+    );
+}
+
 #endif
