Expose BP++ Apis

Author: sanket1729

include/secp256k1_bppp.h

@@ -9,6 +9,8 @@ extern "C" {
 
 #include <stdint.h>
 
+#include "include/secp256k1_generator.h"
+
 /** Opaque structure representing a large number of NUMS generators */
 typedef struct secp256k1_bppp_generators secp256k1_bppp_generators;
 
@@ -19,10 +21,6 @@ typedef struct secp256k1_bppp_rangeproof_prover_context secp256k1_bppp_rangeproo
  *  Returns a list of generators, or calls the error callback if the allocation fails.
  *  Args:          ctx: pointer to a context object
  *                   n: number of NUMS generators to produce.
- *
- * TODO: In a followup range-proof PR, this is would still require 16 + 8 = 24 NUMS
- * points. We will later use G = H0(required for compatibility with pedersen_commitment DS)
- * in a separate commit to make review easier.
  */
 SECP256K1_API secp256k1_bppp_generators *secp256k1_bppp_generators_create(
     const secp256k1_context *ctx,
@@ -46,11 +44,9 @@ SECP256K1_API secp256k1_bppp_generators *secp256k1_bppp_generators_parse(
  *  Args:        ctx: pointer to a context object
  *               gen: pointer to the generator set to be serialized
  *  Out:        data: pointer to buffer into which the generators will be serialized
- *  In/Out: data_len: the length of the `data` buffer. Should be at least
- *                    k = 33 * num_gens. Will be set to k on successful return
- *
- * TODO: For ease of review, this setting G = H0 is not included in this commit. We will
- * add it in the follow-up rangeproof PR.
+ *  In/Out: data_len: the length of the `data` buffer. Should be initially set to at
+ *                    least 33 times the number of generators plus one(33 * (num_gens - 1)).
+ *                    Upon success, data_len will be set to the (33 * (num_gens - 1)).
  */
 SECP256K1_API int secp256k1_bppp_generators_serialize(
     const secp256k1_context *ctx,
@@ -69,6 +65,97 @@ SECP256K1_API void secp256k1_bppp_generators_destroy(
     secp256k1_bppp_generators *gen
 ) SECP256K1_ARG_NONNULL(1);
 
+/** Returns the serialized size of an bulletproofs++ proof of a given number
+ *  of bits and the base. Both base and n_bits must be a power of two. The number
+ *  of digits required to represent number of bits in the given base must also be
+ *  a power of two. Specifically, all of n_bits, base and num_digits = (n_bits / log2(base))
+ *  must all be a power of two.
+ *  Args:   ctx: pointer to a context object
+ *  Out:    len: 0 if the parameters and num_digits (n_bits/log2(base)) are not a power of two
+ *               length of the serialized proof otherwise
+ *  In:  n_bits: number of bits to prove (max 64, should usually be 64)
+ *         base: base representation to be used in proof construction (max 256, recommended 16)
+ */
+SECP256K1_API size_t secp256k1_bppp_rangeproof_proof_length(
+    const secp256k1_context* ctx,
+    size_t n_bits,
+    size_t base
+) SECP256K1_ARG_NONNULL(1);
+
+/** Produces a Bulletproofs++ rangeproof. Returns 1 on success, 0 on failure.
+ * Proof creation can only fail if the arguments are invalid. The documentation
+ * below specifies the constraints on inputs and arguments under which this API
+ * can fail.
+ *  Args:      ctx: pointer to a context object
+ *         scratch: pointer to a scratch space
+ *            gens: pointer to the generator set to use, which must have exactly
+ *                 `n = max(num_digits, base) + 7` generators, where num_digits is the number.
+ *       asset_gen: pointer to the asset generator for the Pedersen/CT commitment
+ *  Out:     proof: pointer to a byte array to output the proof into
+ *  In/Out:   plen: pointer to the size of the above array; will be set to the actual size of
+ *                  the serialized proof. To learn this value in advance, to allocate a sufficient
+ *                  buffer, call `secp256k1_bppp_rangeproof_proof_length`
+ *  In:     n_bits: size of range being proven, in bits. Must be a power of two,
+ *                  and at most 64.
+ *            base: base representation to be used in proof construction. Must be a power of two,
+ *           value: value committed in the Pedersen commitment. Must be less
+ *                  than 2^n_bits.
+ *       min_value: minimum value of the range being proven. Must be less than value
+ *          commit: the Pedersen commitment being proven
+ *           blind: blinding factor for the Pedersen commitment. Must be a 32 byte
+ *                  valid scalar within secp curve order.
+ *           nonce: seed for the RNG used to generate random data during proving
+ *    extra_commit: arbitrary extra data that the proof commits to (may be NULL if extra_commit_len is 0)
+ *    extra_commit_len: length of the arbitrary extra data.
+ */
+SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_bppp_rangeproof_prove(
+    const secp256k1_context* ctx,
+    secp256k1_scratch_space *scratch,
+    const secp256k1_bppp_generators* gens,
+    const secp256k1_generator* asset_gen,
+    unsigned char* proof,
+    size_t* plen,
+    const size_t n_bits,
+    const size_t base,
+    const uint64_t value,
+    const uint64_t min_value,
+    const secp256k1_pedersen_commitment* commit,
+    const unsigned char* blind,
+    const unsigned char* nonce,
+    const unsigned char* extra_commit,
+    size_t extra_commit_len
+) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4) SECP256K1_ARG_NONNULL(5) SECP256K1_ARG_NONNULL(11) SECP256K1_ARG_NONNULL(12) SECP256K1_ARG_NONNULL(13);
+
+/** Verifies an Bulletproofs++ rangeproof. Returns 1 on success, 0 on failure.
+ *  Args:      ctx: pointer to a context object
+ *         scratch: pointer to a scratch space
+ *            gens: pointer to the generator set to use, which must have at least 2*n_bits generators
+ *       asset_gen: pointer to the asset generator for the CT commitment
+ *  In:      proof: pointer to a byte array containing the serialized proof
+ *            plen: length of the serialized proof
+ *          n_bits: size of range being proven, in bits. Must be a power of two,
+ *                  and at most 64.
+ *            base: base representation to be used in proof construction. Must be a power of two,
+ *       min_value: minimum value of the range being proven
+ *          commit: the Pedersen commitment being proven
+ *    extra_commit: arbitrary extra data that the proof commits to (may be NULL if extra_commit_len is 0)
+ *    extra_commit_len: length of the arbitrary extra data
+ */
+SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_bppp_rangeproof_verify(
+    const secp256k1_context* ctx,
+    secp256k1_scratch_space *scratch,
+    const secp256k1_bppp_generators* gens,
+    const secp256k1_generator* asset_gen,
+    const unsigned char* proof,
+    const size_t plen,
+    const uint64_t n_bits,
+    const uint64_t base,
+    const uint64_t min_value,
+    const secp256k1_pedersen_commitment* commit,
+    const unsigned char* extra_commit,
+    size_t extra_commit_len
+) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4) SECP256K1_ARG_NONNULL(5) SECP256K1_ARG_NONNULL(10);
+
 # ifdef __cplusplus
 }
 # endif

src/modules/bppp/bppp_rangeproof_impl.h

@@ -8,16 +8,16 @@
 #define _SECP256K1_MODULE_BPP_RANGEPROOF_IMPL_
 
 
-#include "group.h"
-#include "scalar.h"
-#include "secp256k1.h"
-#include "ecmult_const.h"
-#include "field.h"
-#include "include/secp256k1_bppp.h"
+#include "../../group.h"
+#include "../../scalar.h"
+#include "../../../include/secp256k1.h"
+#include "../../ecmult_const.h"
+#include "../../field.h"
+#include "../../../include/secp256k1_bppp.h"
 
-#include "modules/bppp/bppp_util.h"
-#include "modules/bppp/bppp_transcript_impl.h"
-#include "modules/bppp/bppp_norm_product_impl.h"
+#include "../bppp/bppp_util.h"
+#include "../bppp/bppp_transcript_impl.h"
+#include "../bppp/bppp_norm_product_impl.h"
 
 struct secp256k1_bppp_rangeproof_prover_context {
 
@@ -72,7 +72,6 @@ static void secp256k1_bppp_rangeproof_prove_round1_impl(
 ) {
     size_t log_base = secp256k1_bppp_log2(digit_base);
     size_t i, j;
-    size_t log_num_digits = secp256k1_bppp_log2(num_digits);
     size_t g_offset = digit_base > num_digits ? digit_base : num_digits;
     secp256k1_gej d_commj, m_commj;
     uint16_t multiplicities[64]; /* SECP256K1_BPP_MAX_BASE = 64. TODO: Check this in high level API */
@@ -91,7 +90,7 @@ static void secp256k1_bppp_rangeproof_prove_round1_impl(
     }
 
     /* Commit to the vector d in gens */
-    secp256k1_ecmult_const(&d_commj, asset_genp, &prover_ctx->r_d_0, 256);
+    secp256k1_ecmult_const(&d_commj, asset_genp, &prover_ctx->r_d_0);
 
     for (i = 0; i < num_digits; i++) {
         secp256k1_gej resj;
@@ -103,7 +102,7 @@ static void secp256k1_bppp_rangeproof_prove_round1_impl(
             multiplicities[j] += (j == digit);
         }
         secp256k1_scalar_set_int(&prover_ctx->d[i], digit);
-        secp256k1_ecmult_const(&resj, &gens->gens[i], &prover_ctx->d[i], log_base + 1); /* (I think ) there should there be +1 here? */
+        secp256k1_ecmult_const(&resj, &gens->gens[i], &prover_ctx->d[i]); /* should be = log_base + 1 bits here */
         secp256k1_ge_set_gej(&d_comm, &d_commj);
         secp256k1_gej_add_ge(&d_commj, &resj, &d_comm); /* d_comm cannot be zero */
     }
@@ -119,29 +118,29 @@ static void secp256k1_bppp_rangeproof_prove_round1_impl(
 
         secp256k1_scalar_clear(&prover_ctx->r_m_1_vec[3]); /* r_m_1_vec[3] = 0 */
         secp256k1_scalar_clear(&prover_ctx->r_m_1_vec[6]); /* r_m_1_vec[6] = 0 */
-        secp256k1_ecmult_const(&resj, &gens->gens[g_offset + 2], &prover_ctx->r_d_1_vec_2, 256);
+        secp256k1_ecmult_const(&resj, &gens->gens[g_offset + 2], &prover_ctx->r_d_1_vec_2);
         secp256k1_ge_set_gej(&d_comm, &d_commj);
         secp256k1_gej_add_ge(&d_commj, &resj, &d_comm);
-        secp256k1_ecmult_const(&resj, &gens->gens[g_offset + 5], &prover_ctx->r_d_1_vec_5, 256);
+        secp256k1_ecmult_const(&resj, &gens->gens[g_offset + 5], &prover_ctx->r_d_1_vec_5);
         secp256k1_ge_set_gej(&d_comm, &d_commj);
         secp256k1_gej_add_ge(&d_commj, &resj, &d_comm);
     }
 
     /* Compute the m vector as multiplicity of each digit */
-    secp256k1_ecmult_const(&m_commj, asset_genp, &prover_ctx->r_m_0, 256);
+    secp256k1_ecmult_const(&m_commj, asset_genp, &prover_ctx->r_m_0);
     for (i = 0; i < digit_base; i++) {
         secp256k1_gej resj;
         secp256k1_ge m_comm;
         secp256k1_scalar_set_int(&prover_ctx->m[i], multiplicities[i]);
-        secp256k1_ecmult_const(&resj, &gens->gens[i], &prover_ctx->m[i], log_num_digits + 1); /* (I think ) there should there be +1 here? */
+        secp256k1_ecmult_const(&resj, &gens->gens[i], &prover_ctx->m[i]); /* , log_num_digits + 1 (I think ) there should there be +1 here? */
         secp256k1_ge_set_gej(&m_comm, &m_commj);
         secp256k1_gej_add_ge(&m_commj, &resj, &m_comm); /* m_comm cannot be zero*/
     }
 
     for (i = 0; i < 8; i++) {
         secp256k1_gej resj;
         secp256k1_ge m_comm;
-        secp256k1_ecmult_const(&resj, &gens->gens[g_offset + i], &prover_ctx->r_m_1_vec[i], 256);
+        secp256k1_ecmult_const(&resj, &gens->gens[g_offset + i], &prover_ctx->r_m_1_vec[i]);
         secp256k1_ge_set_gej(&m_comm, &m_commj);
         secp256k1_gej_add_ge(&m_commj, &resj, &m_comm); /* m_comm cannot be zero */
     }
@@ -191,13 +190,13 @@ static void secp256k1_bppp_rangeproof_prove_round2_impl(
     secp256k1_scalar_chacha20(&prover_ctx->r_r_0, &prover_ctx->r_r_0, nonce, 5);
 
     /* Commit to the vector d in gens */
-    secp256k1_ecmult_const(&r_commj, asset_genp, &prover_ctx->r_r_0, 256);
+    secp256k1_ecmult_const(&r_commj, asset_genp, &prover_ctx->r_r_0);
     for (i = 0; i < num_digits; i++) {
         secp256k1_gej resj;
         secp256k1_ge r_comm;
         secp256k1_scalar_add(&prover_ctx->r[i], &prover_ctx->d[i], &prover_ctx->alpha);
         secp256k1_scalar_inverse(&prover_ctx->r[i], &prover_ctx->r[i]); /* r_i cannot be zero as it added by random value `alpha`*/
-        secp256k1_ecmult_const(&resj, &gens->gens[i], &prover_ctx->r[i], 256);
+        secp256k1_ecmult_const(&resj, &gens->gens[i], &prover_ctx->r[i]);
         secp256k1_ge_set_gej(&r_comm, &r_commj);
         secp256k1_gej_add_ge(&r_commj, &resj, &r_comm); /* r_comm cannot be zero */
     }
@@ -211,12 +210,12 @@ static void secp256k1_bppp_rangeproof_prove_round2_impl(
         secp256k1_scalar tmp;
 
         secp256k1_scalar_negate(&tmp, &prover_ctx->r_d_1_vec_2);
-        secp256k1_ecmult_const(&resj, &gens->gens[g_offset + 1], &tmp, 256);
+        secp256k1_ecmult_const(&resj, &gens->gens[g_offset + 1], &tmp);
         secp256k1_ge_set_gej(&r_comm, &r_commj);
         secp256k1_gej_add_ge(&r_commj, &resj, &r_comm);
 
         secp256k1_scalar_negate(&tmp, &prover_ctx->r_d_1_vec_5);
-        secp256k1_ecmult_const(&resj, &gens->gens[g_offset + 4], &tmp, 256);
+        secp256k1_ecmult_const(&resj, &gens->gens[g_offset + 4], &tmp);
         secp256k1_ge_set_gej(&r_comm, &r_commj);
         secp256k1_gej_add_ge(&r_commj, &resj, &r_comm);
     }
@@ -457,19 +456,19 @@ static void secp256k1_bppp_rangeproof_prove_round3_impl(
         secp256k1_scalar_negate(&prover_ctx->r_s_1_vec[6], &w_w_q[TPOW(6)]); /* T^7 */
     }
     /* Commit to the vector s in gens, with r_s_0 along asset and l in H_vec */
-    secp256k1_ecmult_const(&s_commj, asset_genp, &prover_ctx->r_s_0, 256);
+    secp256k1_ecmult_const(&s_commj, asset_genp, &prover_ctx->r_s_0);
     for (i = 0; i < g_offset; i++) {
         secp256k1_gej resj;
         secp256k1_ge s_comm;
-        secp256k1_ecmult_const(&resj, &gens->gens[i], &prover_ctx->s[i], 256);
+        secp256k1_ecmult_const(&resj, &gens->gens[i], &prover_ctx->s[i]);
         secp256k1_ge_set_gej(&s_comm, &s_commj);
         secp256k1_gej_add_ge(&s_commj, &resj, &s_comm); /* s_comm cannot be 0 */
     }
 
     for (i = 0; i < 7; i++) {
         secp256k1_gej resj;
         secp256k1_ge s_comm;
-        secp256k1_ecmult_const(&resj, &gens->gens[g_offset + i], &prover_ctx->r_s_1_vec[i], 256);
+        secp256k1_ecmult_const(&resj, &gens->gens[g_offset + i], &prover_ctx->r_s_1_vec[i]);
         secp256k1_ge_set_gej(&s_comm, &s_commj);
         secp256k1_gej_add_ge(&s_commj, &resj, &s_comm); /* s_comm cannot be 0 */
     }
@@ -614,14 +613,14 @@ static int secp256k1_bppp_rangeproof_prove_impl(
     const secp256k1_context* ctx,
     secp256k1_scratch_space* scratch,
     const secp256k1_bppp_generators* gens,
-    const secp256k1_ge* asset_genp,
+    secp256k1_ge* asset_genp,
     unsigned char* proof,
     size_t* proof_len,
     const size_t n_bits,
     const size_t digit_base,
     const uint64_t value,
     const uint64_t min_value,
-    const secp256k1_ge* commitp,
+    secp256k1_ge* commitp,
     const secp256k1_scalar* gamma,
     const unsigned char* nonce,
     const unsigned char* extra_commit,
@@ -817,13 +816,13 @@ static int secp256k1_bppp_rangeproof_verify_impl(
     const secp256k1_context* ctx,
     secp256k1_scratch_space* scratch,
     const secp256k1_bppp_generators* gens,
-    const secp256k1_ge* asset_genp,
+    secp256k1_ge* asset_genp,
     const unsigned char* proof,
     const size_t proof_len,
     const size_t n_bits,
     const size_t digit_base,
     const uint64_t min_value,
-    const secp256k1_ge* commitp,
+    secp256k1_ge* commitp,
     const unsigned char* extra_commit,
     size_t extra_commit_len
 ) {