mimblewimble / rust-secp256k1-zkp

ZKP fork for rust-secp256k1, adds wrappers for range proofs, pedersen commitments, etc
Creative Commons Zero v1.0 Universal

Support new Bulletproof rewind scheme #50

Closed jaspervdm closed 5 years ago

jaspervdm commented 5 years ago

Two relatively small changes that will enable https://github.com/mimblewimble/grin-wallet/issues/105:

garyyu commented 5 years ago

1st question: will the rewind get the blinding iff rewind_nonce is the same as private_nonce when creating the bulletproof?

If both rewind_nonce and private_nonce are known, is there a method to calculate the blinding?

2nd question: how confident are we in the safety of private_nonce with the following solution?

rewind_nonce = H(H(root_key|0), commit)
private_nonce = H(H(root_key|1), commit)

i.e. when we open H(root_key|0) to a watch-only wallet, how difficult will it be to deduce H(root_key|1)?

jaspervdm commented 5 years ago

Thanks for the review @garyyu

1st question: will the rewind get the blinding iff rewind_nonce is the same as private_nonce when creating the bulletproof?

With the current rewind function, yes.

If both rewind_nonce and private_nonce are known, is there a method to calculate the blinding?

Yes, but since we don't need it in the wallet for the HF, I propose we add it sometime in the future. It doesn't require us to change the generation code, only the rewind code.

2nd question: how confident are we in the safety of private_nonce with the following solution?

rewind_nonce = H(H(root_key|0), commit)
private_nonce = H(H(root_key|1), commit)

i.e. when we open H(root_key|0) to a watch-only wallet, how difficult will it be to deduce H(root_key|1)?

This should be safe to do; however, I was anyway thinking of slightly changing the proposal after your earlier suggestion in the grin-wallet issue. Basically, if we use H(H(public_extended_root_key), commit) for the rewind_nonce (and keep private_nonce tied to the root_key), it means that to be able to have a watch-only wallet you just need the public extended key, instead of some extra information.

garyyu commented 5 years ago

👍 this makes me feel much better 😄

rewind_nonce = H(H(public_extended_root_key), commit)
private_nonce = H(H(root_key|1), commit)     <<<<  or `|0` or whatever else
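
The key-separation property the thread settles on, as an added toy model that is not code from this PR or from rust-secp256k1-zkp: SHA-256 stands in for H, a hash stands in for the Pedersen commitment and the public extended key, and the "proof" is just two masked fields rather than a real bulletproof. Names such as `toy_commit`, `make_proof` and `demo` are assumptions of this example; the nonce derivation follows the formulas above.

```python
import hashlib

def H(*parts: bytes) -> bytes:
    """Stand-in for the wallet's hash H: SHA-256 over the concatenated parts."""
    return hashlib.sha256(b"".join(parts)).digest()

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def rewind_nonce(public_extended_root_key: bytes, commit: bytes) -> bytes:
    # rewind_nonce = H(H(public_extended_root_key), commit): public data only
    return H(H(public_extended_root_key), commit)

def private_nonce(root_key: bytes, commit: bytes) -> bytes:
    # private_nonce = H(H(root_key|1), commit); "|1" modelled as a one-byte tag
    return H(H(root_key + b"\x01"), commit)

def toy_commit(value: int, blinding: bytes) -> bytes:
    # Toy stand-in for the Pedersen commitment v*H + r*G (a hash, not an EC point)
    return H(b"commit", value.to_bytes(8, "big"), blinding)

def make_proof(value: int, blinding: bytes, rewind_n: bytes, private_n: bytes) -> dict:
    """Toy stand-in for the range proof: the 8-byte value is masked under the
    rewind nonce, the 32-byte blinding under the private nonce."""
    return {"masked_value": xor(value.to_bytes(8, "big"), H(rewind_n, b"value")[:8]),
            "masked_blinding": xor(blinding, H(private_n, b"blind"))}

def rewind(proof: dict, commit: bytes, rewind_n: bytes, private_n: bytes = None):
    """Recover the value with the rewind nonce. The blinding is unmasked with
    private_n when given (the future two-nonce rewind mentioned in the thread),
    otherwise with rewind_n (the current single-nonce rewind, which therefore
    yields the blinding iff rewind_nonce == private_nonce). The blinding is
    returned only if it reproduces the commitment, else None."""
    value = int.from_bytes(xor(proof["masked_value"], H(rewind_n, b"value")[:8]), "big")
    blinding = xor(proof["masked_blinding"], H(private_n or rewind_n, b"blind"))
    return value, (blinding if toy_commit(value, blinding) == commit else None)

def demo(root_key: bytes, value: int, blinding: bytes):
    """Full wallet builds the output; the watch-only wallet holds only the public key."""
    public_extended_root_key = H(b"pub", root_key)  # stand-in for the EC public key
    commit = toy_commit(value, blinding)
    proof = make_proof(value, blinding,
                       rewind_nonce(public_extended_root_key, commit),
                       private_nonce(root_key, commit))
    # Watch-only side: public extended key plus chain data -> amount, no blinding
    watch_only = rewind(proof, commit, rewind_nonce(public_extended_root_key, commit))
    # Spending wallet: can also derive private_nonce -> amount and blinding
    full = rewind(proof, commit, rewind_nonce(public_extended_root_key, commit),
                  private_nonce(root_key, commit))
    return watch_only, full
```

Running `demo(b"root", 42, b"\x11" * 32)` shows the watch-only side recovering the amount with the blinding as `None`, while the spending wallet recovers both.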

garyyu commented 5 years ago

Will merge and label it to enable those related PRs in the Grin / Grin-wallet repos.