search

mimblewimble / rust-secp256k1-zkp

ZKP fork for rust-secp256k1, adds wrappers for range proofs, pedersen commitments, etc
Creative Commons Zero v1.0 Universal
56 stars 51 forks source link

improve explanation of NUMS derivation of H and J #42

Closed johnzweng closed 5 years ago

johnzweng commented 5 years ago

Improve documentation on how the generator points have been dervied

This PR only changes comments in the constants.rs file.

When I tried to understand if and how the generation points for Pedersen and Switch Commitments have been derived in a secure, nothing-up-my-sleeve (NUMS) way, I realized it would be helpful to have a better explanation in the comments.

As important properties of the commitment schemes only hold if these points are chosen transparently, I thought this should be better documented.

Let me know what you think about it, or if I should change something. 🙂

antiochp commented 5 years ago

@tromp @ignopeverell @yeastplume Any idea what's going on with this reversed byte order in J? Did we mess something up with endianness? Or is this expected?

tromp commented 5 years ago

@tromp @ignopeverell @yeastplume Any idea what's going on with this reversed byte order in J?

I didn't review this code. Forwarding to Jasper, who should know more...

Did we mess something up with endianness? Or is this expected?

— You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub, or mute the thread.

jaspervdm commented 5 years ago

@antiochp @tromp This is the internal representation of a public key in secp256k1_pubkey. See also discussion in https://github.com/mimblewimble/rust-secp256k1-zkp/pull/38. We checked that these bytes in fact do represent the correct point, by comparing the compressed point with the one originally introduced in #9. This is also explicitly tested in secp256k1-zkp

jaspervdm commented 5 years ago

@johnzweng Thank you for verifying and checking these points. The expanded documentation on the derivation is also very helpful! 👍

johnzweng commented 5 years ago

@jaspervdm My pleasure. Glad I could help. :-)

johnzweng commented 5 years ago

And the PR got the number 42.. 😄 🎉

johnzweng commented 5 years ago

Another small thought regarding the different notation of J:

Why is the declaration of J in "secp256k1-zkp" different from G and H in the first place (see secp256k1_generator vs secp256k1_pubkey in the function signature of secp256k1_blind_switch).

I am not that familiar with C code or the secp256k1-zkp library but naively I would have assumed that all 3 generator points are used in a similiar fashion (namely EC point multiplication).

G and H in the Pederson commitment as xG + vH (see secp256k1_pedersen_commit, which calls secp256k1_pedersen_ecmult and uses secp256k1_ecmult_const for EC multiplication)

and J in the switch commitment (within the blinding factor calculation) here: secp256k1_blind_switch which uses secp256k1_ec_pubkey_tweak_mul for the EC multiplication.

What is the difference between secp256k1_ecmult_const and secp256k1_ec_pubkey_tweak_mul?

Please bear with me if I got something wrong, or I miss some important points here as I am not a C programmer. 🙂

Also it seems to work correctly like it is. This was just curiosity. 🙂

ignopeverell commented 5 years ago

Merged the improvement as it was good in itself. Don't let that stop the discussion though.