Prover round 4: Norm proof argument

sanket1729 · sanket1729 · commit 20a73852c7bc · 2022-12-01T01:48:41.000-08:00
Run the run norm proof argument on the computed C
diff --git a/src/modules/bulletproofs/bulletproofs_pp_rangeproof_impl.h b/src/modules/bulletproofs/bulletproofs_pp_rangeproof_impl.h
@@ -445,4 +445,252 @@ static void secp256k1_bulletproofs_pp_rangeproof_prove_round3_impl(
     }
 }
 
+/* Round 4 of the proof. Computes the norm proof on the w and l values.
+ * Can fail only when the norm proof fails.
+ * This should not happen in our setting because w_vec and l_vec and uniformly
+ * distributed and thus norm argument can only fail when the lengths are not a
+ * power of two or if the allocated proof size is not enough.
+ *
+ * We check for both of these conditions beforehand, therefore in practice this
+ * function should never fail because it returns point at infinity during some
+ * interim calculations. However, since the overall API can fail, we also fail
+ * if the norm proofs fails for any reason.
+ */
+static int secp256k1_bulletproofs_pp_rangeproof_prove_round4_impl(
+    const secp256k1_context* ctx,
+    secp256k1_scratch_space* scratch,
+    const secp256k1_bulletproofs_generators* gens,
+    const secp256k1_ge* asset_genp,
+    secp256k1_bulletproofs_pp_rangeproof_prover_context* prover_ctx,
+    unsigned char* output,
+    size_t *output_len,
+    secp256k1_sha256* transcript,
+    const secp256k1_scalar* gamma,
+    const size_t num_digits,
+    const size_t digit_base
+) {
+    size_t i;
+    size_t g_offset = digit_base > num_digits ? digit_base : num_digits;
+    /* Compute w = s + t*m + t^2*d + t^3*r + t^4*alpha_m. Store w in s*/
+    /* Has capacity 8 because we can re-use it as the c-poly. */
+    secp256k1_scalar t_pows[8];
+    secp256k1_bulletproofs_pp_rangeproof_powers_of_q(&t_pows[0], &prover_ctx->t, 7); /* Computes from t^1 to t^7 */
+
+    for (i = 0; i < g_offset; i++) {
+        if (i < num_digits) {
+            secp256k1_scalar_mul(&prover_ctx->r[i], &prover_ctx->r[i], &t_pows[2]);
+            secp256k1_scalar_add(&prover_ctx->s[i], &prover_ctx->s[i], &prover_ctx->r[i]);
+
+            secp256k1_scalar_mul(&prover_ctx->d[i], &prover_ctx->d[i], &t_pows[1]);
+            secp256k1_scalar_add(&prover_ctx->s[i], &prover_ctx->s[i], &prover_ctx->d[i]);
+        }
+        if (i < digit_base) {
+            secp256k1_scalar_mul(&prover_ctx->m[i], &prover_ctx->m[i], &t_pows[0]);
+            secp256k1_scalar_add(&prover_ctx->s[i], &prover_ctx->s[i], &prover_ctx->m[i]);
+
+            secp256k1_scalar_mul(&prover_ctx->alpha_m[i], &prover_ctx->alpha_m[i], &t_pows[3]);
+            secp256k1_scalar_add(&prover_ctx->s[i], &prover_ctx->s[i], &prover_ctx->alpha_m[i]);
+        }
+    }
+    /* Compute l = l_s + t*l_m + t^2*l_d + t^3*l_r. Store l in l_s*/
+    for (i = 0; i < 6; i++) {
+        secp256k1_scalar tmp;
+        secp256k1_scalar_mul(&tmp, &prover_ctx->l_m[i], &t_pows[0]);
+        secp256k1_scalar_add(&prover_ctx->l_s[i], &prover_ctx->l_s[i], &tmp);
+    }
+    /* Manually add l_d2 and l_d4 */
+    {
+        secp256k1_scalar tmp;
+        secp256k1_scalar_mul(&tmp, &prover_ctx->l_m[3], &t_pows[1]);
+        secp256k1_scalar_negate(&tmp, &tmp);/* l_d2 = -l_m3 */
+        secp256k1_scalar_add(&prover_ctx->l_s[2], &prover_ctx->l_s[2], &tmp);
+
+        secp256k1_scalar_mul(&tmp, &prover_ctx->l_m[5], &t_pows[1]);
+        secp256k1_scalar_negate(&tmp, &tmp);/* l_d4 = -l_m5 */
+        secp256k1_scalar_add(&prover_ctx->l_s[4], &prover_ctx->l_s[4], &tmp);
+
+        /* Add two_gamma * t5 to l_s[0] */
+        secp256k1_scalar_add(&tmp, &t_pows[4], &t_pows[4]);
+        secp256k1_scalar_mul(&tmp, &tmp, gamma);
+        secp256k1_scalar_add(&prover_ctx->l_s[0], &prover_ctx->l_s[0], &tmp);
+    }
+    /* Set non used 7th and 8th l_s to 0 */
+    secp256k1_scalar_set_int(&prover_ctx->l_s[6], 0);
+    secp256k1_scalar_set_int(&prover_ctx->l_s[7], 0);
+
+    /* Make c = y*(T, T^2, T^3, T^4, T^6, T^7, 0, 0) */
+    t_pows[4] = t_pows[5];
+    t_pows[5] = t_pows[6];
+    for (i = 0; i < 6; i++) {
+        secp256k1_scalar_mul(&t_pows[i], &t_pows[i], &prover_ctx->y);
+    }
+    secp256k1_scalar_set_int(&t_pows[6], 0);
+    secp256k1_scalar_set_int(&t_pows[7], 0);
+    /* Call the norm argument on w, l */
+
+    return secp256k1_bulletproofs_pp_rangeproof_norm_product_prove(
+        ctx,
+        scratch,
+        output,
+        output_len,
+        transcript,
+        &prover_ctx->q_sqrt,
+        gens,
+        asset_genp,
+        prover_ctx->s,
+        g_offset,
+        prover_ctx->l_s,
+        8,
+        t_pows,
+        8
+    );
+}
+
+static int secp256k1_bulletproofs_pp_rangeproof_prove_impl(
+    const secp256k1_context* ctx,
+    secp256k1_scratch_space* scratch,
+    const secp256k1_bulletproofs_generators* gens,
+    const secp256k1_ge* asset_genp,
+    unsigned char* proof,
+    size_t* proof_len,
+    const size_t n_bits,
+    const size_t digit_base,
+    const uint64_t value,
+    const uint64_t min_value,
+    const secp256k1_ge* commitp,
+    const secp256k1_scalar* gamma,
+    const unsigned char* nonce,
+    const unsigned char* extra_commit,
+    size_t extra_commit_len
+) {
+    size_t scratch_checkpoint, n_proof_bytes_written, norm_proof_len;
+    secp256k1_sha256 transcript;
+    size_t num_digits = n_bits / secp256k1_bulletproofs_pp_log2(digit_base);
+    size_t h_len = 8;
+    size_t g_offset = num_digits > digit_base ? num_digits : digit_base;
+    size_t log_n = secp256k1_bulletproofs_pp_log2(g_offset), log_m = secp256k1_bulletproofs_pp_log2(h_len);
+    size_t n_rounds = log_n > log_m ? log_n : log_m;
+    int res;
+    secp256k1_bulletproofs_pp_rangeproof_prover_context prover_ctx;
+    /* Check proof sizes*/
+    if (*proof_len < 33 * 4 + (65 * n_rounds) + 64) {
+        return 0;
+    }
+    if (gens->n != (g_offset + h_len)) {
+        return 0;
+    }
+    if (!secp256k1_check_power_of_two(digit_base) ||  !secp256k1_check_power_of_two(num_digits)) {
+        return 0;
+    }
+    if (n_bits > 64) {
+        return 0;
+    }
+    if (value < min_value) {
+        return 0;
+    }
+    if (n_bits < 64 && (value - min_value) >= (1ull << n_bits)) {
+        return 0;
+    }
+    if (extra_commit_len > 0 && extra_commit == NULL) {
+        return 0;
+    }
+
+    /* Compute the base digits representation of the value */
+    /* Alloc for prover->ctx */
+    scratch_checkpoint = secp256k1_scratch_checkpoint(&ctx->error_callback, scratch);
+    prover_ctx.s = (secp256k1_scalar*)secp256k1_scratch_alloc(&ctx->error_callback, scratch, g_offset * sizeof(secp256k1_scalar));
+    prover_ctx.d = (secp256k1_scalar*)secp256k1_scratch_alloc(&ctx->error_callback, scratch, num_digits * sizeof(secp256k1_scalar));
+    prover_ctx.m = (secp256k1_scalar*)secp256k1_scratch_alloc(&ctx->error_callback, scratch, digit_base * sizeof(secp256k1_scalar));
+    prover_ctx.r = (secp256k1_scalar*)secp256k1_scratch_alloc(&ctx->error_callback, scratch, num_digits * sizeof(secp256k1_scalar));
+    prover_ctx.alpha_m = (secp256k1_scalar*)secp256k1_scratch_alloc(&ctx->error_callback, scratch, digit_base * sizeof(secp256k1_scalar));
+
+    prover_ctx.l_m = (secp256k1_scalar*)secp256k1_scratch_alloc(&ctx->error_callback, scratch, 6 * sizeof(secp256k1_scalar));
+    prover_ctx.l_s = (secp256k1_scalar*)secp256k1_scratch_alloc(&ctx->error_callback, scratch, h_len * sizeof(secp256k1_scalar));
+
+    prover_ctx.q_pows = (secp256k1_scalar*)secp256k1_scratch_alloc(&ctx->error_callback, scratch, g_offset * sizeof(secp256k1_scalar));
+    prover_ctx.q_inv_pows = (secp256k1_scalar*)secp256k1_scratch_alloc(&ctx->error_callback, scratch, g_offset * sizeof(secp256k1_scalar));
+
+    if ( prover_ctx.s == NULL || prover_ctx.d == NULL || prover_ctx.m == NULL || prover_ctx.r == NULL
+        || prover_ctx.alpha_m == NULL || prover_ctx.l_m == NULL || prover_ctx.l_s == NULL
+        || prover_ctx.q_pows == NULL || prover_ctx.q_inv_pows == NULL )
+    {
+        secp256k1_scratch_apply_checkpoint(&ctx->error_callback, scratch, scratch_checkpoint);
+        return 0;
+    }
+
+    /* Initialze the transcript by committing to all the public data */
+    secp256k1_bulletproofs_pp_commit_initial_data(
+        &transcript,
+        num_digits,
+        digit_base,
+        min_value,
+        commitp,
+        asset_genp,
+        extra_commit,
+        extra_commit_len
+    );
+
+    n_proof_bytes_written = 0;
+    secp256k1_bulletproofs_pp_rangeproof_prove_round1_impl(
+        &prover_ctx,
+        gens,
+        asset_genp,
+        &proof[n_proof_bytes_written],
+        &transcript,
+        num_digits,
+        digit_base,
+        value - min_value,
+        nonce
+    );
+    n_proof_bytes_written += 33 *2;
+
+    secp256k1_bulletproofs_pp_rangeproof_prove_round2_impl(
+        &prover_ctx,
+        gens,
+        asset_genp,
+        &proof[n_proof_bytes_written],
+        &transcript,
+        num_digits,
+        digit_base,
+        nonce
+    );
+    n_proof_bytes_written += 33;
+
+    secp256k1_bulletproofs_pp_rangeproof_prove_round3_impl(
+        &prover_ctx,
+        gens,
+        asset_genp,
+        &proof[n_proof_bytes_written],
+        &transcript,
+        num_digits,
+        digit_base,
+        gamma,
+        nonce
+    );
+    n_proof_bytes_written += 33;
+
+    /* Calculate the remaining buffer size. We have already checked that buffer is of correct size */
+    norm_proof_len = *proof_len - n_proof_bytes_written;
+    res = secp256k1_bulletproofs_pp_rangeproof_prove_round4_impl(
+        ctx,
+        scratch,
+        gens,
+        asset_genp,
+        &prover_ctx,
+        &proof[n_proof_bytes_written],
+        &norm_proof_len,
+        &transcript,
+        gamma,
+        num_digits,
+        digit_base
+    );
+    /* No need to worry about constant time-ness from this point. All data is public */
+    if (res) {
+        *proof_len = n_proof_bytes_written + norm_proof_len;
+    }
+    secp256k1_scratch_apply_checkpoint(&ctx->error_callback, scratch, scratch_checkpoint);
+    return res;
+}
+
+
 #endif
