secp256k1 support

[tarcieri]

I'm implementing traits from the group crate in the k256 crate (presently Group and Curve, but after that PrimeGroup would not be too difficult):

https://github.com/RustCrypto/elliptic-curves/pull/164/files

I'm curious if it would be possible to use these traits to support Bulletproofs using other prime order groups besides Ristretto255 (Just an intellectual curiosity; I have no use case for this)

[oleganza]

This should be possible in principle. BPs use arithmetic API for scalars and opaque group elements, plus a multiscalar multiplication API for efficient verification.

Implementation of multiscalar multiplication (see curve25519-dalek impls) is more group-specific, as it relies on certain size and bit patterns in the scalars, plus various point representations on curve25519, switching from one to another based on whether a point is readded multiple times.

[hdevalence]

I suspect that a bigger obstacle is that secp256k1 bulletproofs already exist, but are implemented differently and with a different proof format. So I'm not sure who would be the audience for ristretto-style bulletproofs using secp256k1.

[sgeisler]

I suspect that a bigger obstacle is that secp256k1 bulletproofs already exist

Hi, I am looking for exactly that, but all I could find was this dead PR in libsecp256k1-zkp. Were you referring to another one by any chance? If so could you point me to it?