Java/JNI: Add native bindings for Schnorr signatures#47
Closed
guggero wants to merge 60 commits intoBlockstreamResearch:secp256k1-zkpfrom
Closed
Java/JNI: Add native bindings for Schnorr signatures#47guggero wants to merge 60 commits intoBlockstreamResearch:secp256k1-zkpfrom
guggero wants to merge 60 commits intoBlockstreamResearch:secp256k1-zkpfrom
Conversation
This commit adds three new cryptosystems to libsecp256k1: Pedersen commitments are a system for making blinded commitments to a value. Functionally they work like: commit_b,v = H(blind_b || value_v), except they are additively homorphic, e.g. C(b1, v1) - C(b2, v2) = C(b1 - b2, v1 - v2) and C(b1, v1) - C(b1, v1) = 0, etc. The commitments themselves are EC points, serialized as 33 bytes. In addition to the commit function this implementation includes utility functions for verifying that a set of commitments sums to zero, and for picking blinding factors that sum to zero. If the blinding factors are uniformly random, pedersen commitments have information theoretic privacy. Borromean ring signatures are a novel efficient ring signature construction for AND/OR admissions policies (the code here implements an AND of ORs, each of any size). This construction requires 32 bytes of signature per pubkey used plus 32 bytes of constant overhead. With these you can construct signatures like "Given pubkeys A B C D E F G, the signer knows the discrete logs satisifying (A || B) & (C || D || E) & (F || G)". ZK range proofs allow someone to prove a pedersen commitment is in a particular range (e.g. [0..2^64)) without revealing the specific value. The construction here is based on the above borromean ring signature and uses a radix-4 encoding and other optimizations to maximize efficiency. It also supports encoding proofs with a non-private base-10 exponent and minimum-value to allow trading off secrecy for size and speed (or just avoiding wasting space keeping data private that was already public due to external constraints). A proof for a 32-bit mantissa takes 2564 bytes, but 2048 bytes of this can be used to communicate a private message to a receiver who shares a secret random seed with the prover.
… cleanup Switch to secp256k1_pedersen_commitment by Andrew Poelstra. Switch to quadratic residue based disambiguation by Pieter Wuille.
Including a fix by Jonas Nick.
* add summing function for blinded generators * drop `excess` and `gen` from `verify_tally` * add extra_commit to rangeproof sign and verify
Includes fix and tests by Jonas Nick.
Include test_impl.h
…simplify whitelisting
…ace is given and just multiplies and adds the points.
Enable more builds with rest of experimental flags
use proper types for rangeproof min/max in unit test case
…ning, verification and batch verification. [0] https://github.com/sipa/bips/blob/bip-schnorr/bip-schnorr.mediawiki
Add MuSig module
Use monospaced font for math expressions
…Blockstream blog post
…g-docs musig: add user documentation
Contributor
|
I don't know anything about the java bindings in this library but this is nice. We should just be aware that the schnorrsig API isn't all that stable at the moment. In particular the sign-to-contract PRs may change it . See PR bitcoin-core/secp256k1#589 and the difference in the |
Author
|
Ok, thanks for the warning. |
Contributor
|
Not sure what's better but it can take a while until schnorrsig-PR is merged upstream. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
10 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
I added the native bindings for
secp256k1_schnorrsig_signandsecp256k1_schnorrsig_verifyand also wrote a test for them in Java.