
Support new Bulletproof rewind scheme #50

Merged: 7 commits, Jun 10, 2019

Conversation

jaspervdm
Contributor

Two relatively small changes that will enable mimblewimble/grin-wallet#105:

  • Changed message size to 20 bytes
  • Allow two separate nonces during generation

@jaspervdm jaspervdm changed the title Support new rewind method Support new Bulletproof rewind scheme May 27, 2019
@jaspervdm jaspervdm marked this pull request as ready for review June 3, 2019 12:12
Review comments on src/pedersen.rs (5 threads, all resolved; one outdated)
@garyyu
Contributor

garyyu commented Jun 5, 2019

1st question: will the rewind get the blinding iff rewind_nonce is the same as private_nonce when creating the bulletproof?

If knowing both rewind_nonce and private_nonce, is there a method to calculate the blinding?

2nd question: at what level are we confident in the safety of private_nonce regarding the following solution?

rewind_nonce = H(H(root_key|0), commit)
private_nonce = H(H(root_key|1), commit)

i.e. when we open the H(root_key|0) to a watch-only wallet, how difficult will it be to deduce the H(root_key|1)?

@jaspervdm
Contributor Author

jaspervdm commented Jun 6, 2019

Thanks for the review @garyyu

> 1st question: will the rewind get the blinding iff rewind_nonce is the same as private_nonce when creating the bulletproof?

With the current rewind function, yes.

> If knowing both rewind_nonce and private_nonce, is there a method to calculate the blinding?

Yes, but since we don't need it in the wallet for the HF, I propose we add it sometime in the future. It doesn't require us to change the generation code, only the rewind code.

> 2nd question: at what level are we confident in the safety of private_nonce regarding the following solution?
>
> rewind_nonce = H(H(root_key|0), commit)
> private_nonce = H(H(root_key|1), commit)
>
> i.e. when we open the H(root_key|0) to a watch-only wallet, how difficult will it be to deduce the H(root_key|1)?

This should be safe to do. However, I was thinking of slightly changing the proposal after your earlier suggestion in the grin-wallet issue. Basically, if we use H(H(public_extended_root_key), commit) for the rewind_nonce (and keep private_nonce tied to the root_key), it means that to have a watch-only wallet you just need the public extended key, instead of some extra information.

@garyyu
Contributor

garyyu commented Jun 6, 2019

👍 this makes me feel much better 😄

rewind_nonce = H(H(public_extended_root_key), commit)
private_nonce = H(H(root_key|1), commit)     <<<<  or `|0` or whatever else
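The derivation as finally agreed in the thread, written out as an added illustration (this is not code from the PR or from rust-secp256k1-zkp; H is assumed to be SHA-256 over concatenated inputs, and all keys and commitments are constructed placeholders):

```python
import hashlib

# Stand-in for the thread's unspecified H: SHA-256 over the concatenated
# inputs (an assumption for this illustration, not the wallet's real encoding).
def H(*parts: bytes) -> bytes:
    h = hashlib.sha256()
    for part in parts:
        h.update(part)
    return h.digest()


def rewind_nonce(public_extended_root_key: bytes, commit: bytes) -> bytes:
    """rewind_nonce = H(H(public_extended_root_key), commit).

    Only public material goes in, so a watch-only wallet holding just the
    public extended key can derive it for any of its commitments."""
    return H(H(public_extended_root_key), commit)


def private_nonce(root_key: bytes, commit: bytes, index: int = 1) -> bytes:
    """private_nonce = H(H(root_key|index), commit).

    Needs the private root key; the index byte (1 in the thread, any fixed
    value works) keeps this derivation separate from other uses of root_key."""
    return H(H(root_key + bytes([index])), commit)


def check_scheme() -> dict:
    """Exercise the derivation on constructed inputs and report the
    properties the thread cares about (all values should be True)."""
    # Constructed sample values, not real key material; the "public" key is a
    # placeholder byte string and is not actually derived from root_key here.
    root_key = bytes(range(32))
    public_extended_root_key = b"\x02" + H(b"constructed public key")
    commit_a = b"\x09" + H(b"constructed commitment A")  # 33-byte placeholder
    commit_b = b"\x09" + H(b"constructed commitment B")

    # Full wallet: holds root_key and the public key, derives both nonces.
    full_rewind = rewind_nonce(public_extended_root_key, commit_a)
    full_private = private_nonce(root_key, commit_a)
    # Watch-only wallet: holds only the public extended key.
    watch_only_rewind = rewind_nonce(public_extended_root_key, commit_a)

    return {
        "watch_only_can_rewind": watch_only_rewind == full_rewind,
        "nonces_differ": full_rewind != full_private,
        "rewind_bound_to_commit": full_rewind != rewind_nonce(public_extended_root_key, commit_b),
        "private_bound_to_commit": full_private != private_nonce(root_key, commit_b),
        "index_separates": full_private != private_nonce(root_key, commit_a, index=0),
    }
```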

@garyyu
Contributor

garyyu commented Jun 7, 2019

Will merge and label it to enable the related PRs in the Grin / Grin-wallet repos.

@yeastplume yeastplume merged commit 0b26463 into mimblewimble:master Jun 10, 2019
garyyu pushed a commit to gottstech/rust-secp256k1-zkp that referenced this pull request Sep 10, 2019
* Bulletproofs: change message to 20 bytes, allow 2 nonces in generation

* Updated syntax of rewind function

* Update to latest libsecp

* Update tests

* Fix borrow after move

* Update tests
suemto pushed a commit to mwcproject/rust-secp256k1-zkp that referenced this pull request Oct 28, 2020