Add blinding factor for switch commitment

[jaspervdm]

Calculates the modified blinding factor x + H(xG+vH | xJ). Relevant grin PR: https://github.com/mimblewimble/grin/pull/2157

I got the raw bytes of J, starting by the compressed point in https://github.com/mimblewimble/rust-secp256k1-zkp/pull/9/files#diff-13288cc06e4963042a0eeb6b457647dfR85. I loaded these bytes as a public key, then dumped the bytes. Please, someone verify that I didn't make a mistake in this procedure.

[jaspervdm]

@garyyu Can you also check this? Especially if I didn't make a mistake in calculating J.

[garyyu]

@jaspervdm the byte order issue, as I write on code review.

And one more important thing about this J, we MUST describe the NUMS (Nothing Up My Sleeve). So, how did we get this J?

For example, the NUMS to get H, it's computed as the hash of the EC generator G, DER-encoded with 0x04 (uncompressed pubkey) as its flag byte. Refer to https://github.com/garyyu/rust-secp256k1-zkp/wiki/Pedersen-Commitment#h:

To check it:

$ echo "0479be667ef9dcbbac55a06295ce870b07029bfcdb2dce28d959f2815b16f81798483ada7726a3c4655da4fbfc0e1108a8fd17b448a68554199c47d08ffb10d4b8" | xxd -r -p > G.bin

$ openssl dgst -sha256 G.bin
SHA256(G.bin)= 50929b74c1a04954b78b4b6035e97a5e078a5a0f28ec96d547bfee9ace803ac0

[yeastplume]

Yes, agreed NUMS should be described (just a few verifiable comments). Then some tests to exercise the call and this should be fine. Once this and the corresponding libsecp changes are in place, we can commit them then move forward with the main grin changes.

[jaspervdm]

I agree we should add a comment on how to verify the NUMS generation. @yeastplume I took the value for J from your previous switch commitment PR, how was it generated?

[yeastplume]

I believe it was just a sha256 of H but don't remember the exact details. I tried to find that PR in libsecp earlier, as there was a script in there that did the generation. Which PR are you looking at?

[jaspervdm]

This one: https://github.com/mimblewimble/rust-secp256k1-zkp/pull/9/files#diff-13288cc06e4963042a0eeb6b457647dfR85

[garyyu]

👍 I confirm this NUMS is OK:

$ echo "0479be667ef9dcbbac55a06295ce870b07029bfcdb2dce28d959f2815b16f81798483ada7726a3c4655da4fbfc0e1108a8fd17b448a68554199c47d08ffb10d4b8" | xxd -r -p > G.bin

$ openssl dgst -sha256 G.bin
SHA256(G.bin)= 50929b74c1a04954b78b4b6035e97a5e078a5a0f28ec96d547bfee9ace803ac0

$ echo "50929b74c1a04954b78b4b6035e97a5e078a5a0f28ec96d547bfee9ace803ac0" | xxd -r -p > H.bin

$ openssl dgst -sha256 H.bin
SHA256(H.bin)= b860f56795fc03f3c21685383d1b5a2f2954f49b7e398b8d2a0193933621155f

and the J used in this code:
let GENERATOR_PUB_J_COMPR : [u8;33] = [
    0x02,
    0xb8, 0x60, 0xf5, 0x67, 0x95, 0xfc, 0x03, 0xf3,
    0xc2, 0x16, 0x85, 0x38, 0x3d, 0x1b, 0x5a, 0x2f,
    0x29, 0x54, 0xf4, 0x9b, 0x7e, 0x39, 0x8b, 0x8d,
    0x2a, 0x01, 0x93, 0x93, 0x36, 0x21, 0x15, 0x5f
];

[yeastplume]

Okay, going to merge, update the submodule, and check automated tests.