rangeproof: introduce rangeproof_header structure and use it for verification/rewind

Author: apoelstra

src/modules/rangeproof/main_impl.h

@@ -232,17 +232,23 @@ int secp256k1_pedersen_blind_generator_blind_sum(const secp256k1_context* ctx, c
 
 int secp256k1_rangeproof_info(const secp256k1_context* ctx, int *exp, int *mantissa,
  uint64_t *min_value, uint64_t *max_value, const unsigned char *proof, size_t plen) {
+    secp256k1_rangeproof_header header;
     size_t offset;
-    uint64_t scale;
     ARG_CHECK(exp != NULL);
     ARG_CHECK(mantissa != NULL);
     ARG_CHECK(min_value != NULL);
     ARG_CHECK(max_value != NULL);
     ARG_CHECK(proof != NULL);
     offset = 0;
-    scale = 1;
     (void)ctx;
-    return secp256k1_rangeproof_getheader_impl(&offset, exp, mantissa, &scale, min_value, max_value, proof, plen);
+    if (!secp256k1_rangeproof_header_parse(&header, &offset, proof, plen)) {
+        return 0;
+    }
+    *exp = header.exp;
+    *mantissa = header.mantissa;
+    *min_value = header.min_value;
+    *max_value = header.max_value;
+    return 1;
 }
 
 int secp256k1_rangeproof_rewind(const secp256k1_context* ctx,

src/modules/rangeproof/rangeproof.h

@@ -12,6 +12,64 @@
 #include "ecmult.h"
 #include "ecmult_gen.h"
 
+/** Structure representing data directly encoded into a rangeproof header
+ *
+ * A rangeproof is a proof, associated with a Pedersen commitment, that a
+ * "proven value" in is the range [0, 2^mantissa]. The committed value is
+ * related to the proven value by the contents of this header, as
+ *
+ *    committed = min_value + 10^exp * proven
+ */
+typedef struct secp256k1_rangeproof_header {
+    /** Power of ten to multiply the proven value by, or -1 for an exact proof
+     *
+     * Encoded in the header. */
+    int exp;
+    /** Number of bits used to represent the proven value
+     *
+     * Encoded in the header. */
+    int mantissa;
+    /** 10 to the power of exp, or 1 for a proof of an exact value.
+     *
+     * Implied by `exp`, not encoded. */
+    uint64_t scale;
+    /** Minimum value for the range (added to the proven value).
+     *
+     * Encoded in the header. */
+    uint64_t min_value;
+    /** Maximum value for the range (min_value + 10^exp * 2^mantissa).
+     *
+     * Implied by `min_value`, `exp`, `mantissa`. Not encoded. */
+    uint64_t max_value;
+    /** Number of rings to use in the underlying borromean ring signature
+     *
+     * Implied by `mantissa`. Not encoded. */
+    size_t n_rings;
+    /** Number of public keys to use in the underlying borromean ring signature
+     *
+     * Implied by `mantissa`. Not encoded. */
+    size_t n_pubs;
+    /** Number of keys in each ring
+     *
+     * Implied by `mantissa`. Not encoded. */
+    size_t rsizes[32];
+} secp256k1_rangeproof_header;
+
+/** Parses out a rangeproof header from a rangeproof and fills in all fields
+ *
+ * Returns: 1 on success, 0 on failure
+ * Out: header: the parsed header
+ *      offset: the number of bytes of `proof` that the header occupied
+ * In:   proof: the proof to parse the header out of
+ *        plen: the length of the proof
+ */
+static int secp256k1_rangeproof_header_parse(
+    secp256k1_rangeproof_header* header,
+    size_t* offset,
+    const unsigned char* proof,
+    size_t plen
+);
+
 static int secp256k1_rangeproof_verify_impl(const secp256k1_ecmult_gen_context* ecmult_gen_ctx,
  unsigned char *blindout, uint64_t *value_out, unsigned char *message_out, size_t *outlen, const unsigned char *nonce,
  uint64_t *min_value, uint64_t *max_value, const secp256k1_ge *commit, const unsigned char *proof, size_t plen,