Closed johnzweng closed 5 years ago
@tromp @ignopeverell @yeastplume Any idea what's going on with this reversed byte order in J? Did we mess something up with endianness? Or is this expected?
@tromp @ignopeverell @yeastplume Any idea what's going on with this reversed byte order in J?
I didn't review this code. Forwarding to Jasper, who should know more...
Did we mess something up with endianness? Or is this expected?
— You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub, or mute the thread.
@antiochp @tromp This is the internal representation of a public key in secp256k1_pubkey
. See also discussion in https://github.com/mimblewimble/rust-secp256k1-zkp/pull/38. We checked that these bytes in fact do represent the correct point, by comparing the compressed point with the one originally introduced in #9. This is also explicitly tested in secp256k1-zkp
@johnzweng Thank you for verifying and checking these points. The expanded documentation on the derivation is also very helpful! 👍
@jaspervdm My pleasure. Glad I could help. :-)
And the PR got the number 42.. 😄 🎉
Another small thought regarding the different notation of J
:
Why is the declaration of J
in "secp256k1-zkp" different from G
and H
in the first place (see secp256k1_generator
vs secp256k1_pubkey
in the function signature of secp256k1_blind_switch
).
I am not that familiar with C code or the secp256k1-zkp library but naively I would have assumed that all 3 generator points are used in a similiar fashion (namely EC point multiplication).
G
and H
in the Pederson commitment as xG + vH
(see secp256k1_pedersen_commit
, which calls secp256k1_pedersen_ecmult
and uses secp256k1_ecmult_const
for EC multiplication)
and J
in the switch commitment (within the blinding factor calculation) here: secp256k1_blind_switch
which uses secp256k1_ec_pubkey_tweak_mul
for the EC multiplication.
What is the difference between secp256k1_ecmult_const
and secp256k1_ec_pubkey_tweak_mul
?
Please bear with me if I got something wrong, or I miss some important points here as I am not a C programmer. 🙂
Also it seems to work correctly like it is. This was just curiosity. 🙂
Merged the improvement as it was good in itself. Don't let that stop the discussion though.
Improve documentation on how the generator points have been dervied
This PR only changes comments in the
constants.rs
file.When I tried to understand if and how the generation points for Pedersen and Switch Commitments have been derived in a secure, nothing-up-my-sleeve (NUMS) way, I realized it would be helpful to have a better explanation in the comments.
As important properties of the commitment schemes only hold if these points are chosen transparently, I thought this should be better documented.
Let me know what you think about it, or if I should change something. 🙂