mimblewimble / secp256k1-zkp

Fork of secp256k1-zkp for the Grin/MimbleWimble project
MIT License

Is the serialization format of the proof byte-array documented somewhere? #52

Open luckysori opened 4 years ago

luckysori commented 4 years ago

I have been trying to make sense of the proof array filled in by secp256k1_bulletproof_rangeproof_prove, but its format doesn't seem to be documented, so I'm left trying to infer it from the code. Is this documented somewhere?

My assumption is that this is incorrect:

https://github.com/mimblewimble/secp256k1-zkp/blob/84563edb127a8f7a9c56c2cccbaa35882bbbf036/src/modules/bulletproofs/rangeproof_impl.h#L425-L426

Am I wrong?

jafalter commented 4 years ago

I have been asking myself the same question. https://bitcoin.stackexchange.com/questions/92998/disecting-bulletproof-hex

Here is an example proof:

jaspervdm commented 4 years ago

    secp256k1_scalar_get_b32(&proof[0], &taux); // <-- tau
    secp256k1_scalar_get_b32(&proof[32], &mu); // <-- mu
    secp256k1_bulletproof_serialize_points(&proof[64], out_pt, 4); // <-- A, S, T1, T2
    secp256k1_bulletproof_inner_product_prove_impl(ecmult_ctx, scratch, &proof[64 + 128 + 1], plen, gens, &y,
        nbits * n_commits, secp256k1_bulletproof_abgh_callback, (void *) &abgh_data, commit); // <-- {L_i}, {R_i}
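
The layout implied by the excerpt above, as an added example that is not part of the original thread or the project's code: a bounds-checked splitter that cuts a proof buffer at the offsets the excerpt writes to. The names `bp_view` and `bp_split` are hypothetical, the 128 + 1 byte point block and the inner-product tail are treated as opaque because the thread does not show their internal layout, and rejecting a buffer with no inner-product bytes is a choice made here.

```c
#include <stddef.h>
#include <stdio.h>

/* Offsets as they appear in the prover excerpt above. */
enum {
    BP_TAUX_OFF   = 0,             /* &proof[0]  */
    BP_MU_OFF     = 32,            /* &proof[32] */
    BP_POINTS_OFF = 64,            /* &proof[64]: A, S, T1, T2 */
    BP_IP_OFF     = 64 + 128 + 1   /* inner-product part: {L_i}, {R_i} */
};

/* Hypothetical view type: pointers into the caller's buffer, nothing copied. */
typedef struct {
    const unsigned char *taux;    /* 32 bytes */
    const unsigned char *mu;      /* 32 bytes */
    const unsigned char *points;  /* 128 + 1 bytes, treated as opaque here */
    const unsigned char *ip;      /* remainder of the proof */
    size_t ip_len;
} bp_view;

/* Split a proof buffer at the offsets above. Returns 1 on success and 0 when
 * the buffer cannot hold the fixed 193-byte prefix plus at least one byte of
 * inner-product data (rejecting an empty tail is a choice made here). */
int bp_split(const unsigned char *proof, size_t plen, bp_view *out) {
    if (proof == NULL || out == NULL || plen <= (size_t)BP_IP_OFF) {
        return 0;
    }
    out->taux   = proof + BP_TAUX_OFF;
    out->mu     = proof + BP_MU_OFF;
    out->points = proof + BP_POINTS_OFF;
    out->ip     = proof + BP_IP_OFF;
    out->ip_len = plen - BP_IP_OFF;
    return 1;
}

int main(void) {
    unsigned char proof[200];  /* constructed filler bytes, not a real proof */
    bp_view v;
    size_t i;
    for (i = 0; i < sizeof proof; i++) proof[i] = (unsigned char)i;
    if (!bp_split(proof, sizeof proof, &v)) return 1;
    printf("taux@%d mu@%d points@%d ip@%d ip_len=%lu\n", BP_TAUX_OFF, BP_MU_OFF,
           BP_POINTS_OFF, BP_IP_OFF, (unsigned long)v.ip_len);
    return 0;
}
```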