rangeproof: document "blinding factor may be 0 if min_bits is >= 3"
Also bump the message width in the test to 128 bytes, just to make sure this works.
apoelstra committed Aug 5, 2022
1 parent 3036577 commit a595c73
Showing 2 changed files with 10 additions and 6 deletions.
3 changes: 2 additions & 1 deletion include/secp256k1_rangeproof.h
@@ -227,7 +227,8 @@ SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_rangeproof_rewind(
* proof: pointer to array to receive the proof, can be up to 5134 bytes. (cannot be NULL)
* min_value: constructs a proof where the verifer can tell the minimum value is at least the specified amount.
* commit: the commitment being proved.
* blind: 32-byte blinding factor used by commit.
* blind: 32-byte blinding factor used by commit. The blinding factor may be all-zeros as long as min_bits is set to 3 or greater.
* This is a side-effect of the underlying crypto, not a deliberate API choice, but it may be useful when balancing CT transactions.
* nonce: 32-byte secret nonce used to initialize the proof (value can be reverse-engineered out of the proof if this secret is known.)
* exp: Base-10 exponent. Digits below above will be made public, but the proof will be made smaller. Allowed range is -1 to 18.
* (-1 is a special case that makes the value public. 0 is the most private.)
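Review bot: the new wording for `blind` says an all-zeros blinding factor is allowed "as long as min_bits is set to 3 or greater" but leaves the other case undefined: a caller reading this cannot tell whether a zero blind with min_bits below 3 makes secp256k1_rangeproof_sign return 0, or produces a proof that verifies but should not be relied on. Please state the failure behaviour explicitly, e.g. "with a smaller min_bits, signing with a zero blinding factor fails", whichever the implementation does. It would also help to spell out the consequence of the shortcut the second sentence invites: a commitment with a zero blinding factor has no hiding property, so the value it commits to can be recovered by anyone who can guess it, which is why this should only be used deliberately when balancing a transaction. Since this block is being touched anyway, the pre-existing "verifer" in the `min_value` line two lines up could be fixed to "verifier" in the same commit.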
13 changes: 8 additions & 5 deletions src/modules/rangeproof/tests_impl.h
@@ -579,17 +579,20 @@ static void test_rangeproof_null_blinder(void) {
/* Rewinding with 3-bits works */
{
uint64_t value_out;
unsigned char msg[32];
unsigned char msg_out[32];
unsigned char msg[128];
unsigned char msg_out[128];
unsigned char blind_out[32];
size_t msg_len = sizeof(msg);

len = 1000;
secp256k1_testrand256(msg);
CHECK(secp256k1_rangeproof_sign(ctx, proof, &len, v, &commit, blind, commit.data, 0, 3, v, msg, 32, NULL, 0, secp256k1_generator_h));
secp256k1_testrand256(&msg[32]);
secp256k1_testrand256(&msg[64]);
secp256k1_testrand256(&msg[96]);
CHECK(secp256k1_rangeproof_sign(ctx, proof, &len, v, &commit, blind, commit.data, 0, 3, v, msg, sizeof(msg), NULL, 0, secp256k1_generator_h));
CHECK(secp256k1_rangeproof_rewind(ctx, blind_out, &value_out, msg_out, &msg_len, commit.data, &minv, &maxv, &commit, proof, len, NULL, 0, secp256k1_generator_h) != 0);
CHECK(memcmp(blind, blind_out, 32) == 0);
CHECK(memcmp(msg, msg_out, 32) == 0);
CHECK(memcmp(blind, blind_out, sizeof(blind)) == 0);
CHECK(memcmp(msg, msg_out, sizeof(msg)) == 0);
CHECK(value_out == v);
CHECK(minv == v);
CHECK(maxv == v + 7);
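Review bot: the changed blind comparison uses `sizeof(blind)`, but `blind` is not declared in this hunk, and if it is a pointer rather than a local array (as `blind_out` visibly is), `sizeof(blind)` silently shrinks the comparison to the pointer size and the check weakens without failing. Prefer `CHECK(memcmp(blind, blind_out, sizeof(blind_out)) == 0);`, which is tied to the array declared right here. Separately, `msg_len` is initialised to `sizeof(msg)` before the rewind but never asserted on afterwards; since the point of the commit is to confirm that a 128-byte message survives the round trip, add `CHECK(msg_len == sizeof(msg));` before the `memcmp` so a rewind that reports a shorter length is caught directly rather than only through the full-buffer comparison. The four hand-written `secp256k1_testrand256(&msg[...])` calls at offsets 0, 32, 64 and 96 would also be clearer as a loop over `sizeof(msg) / 32`, which keeps the fill in step with the array size if it is bumped again.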

0 comments on commit a595c73
