Expose BP++ Apis

Author: sanket1729

include/secp256k1_bppp.h

@@ -9,6 +9,8 @@ extern "C" {
 
 #include <stdint.h>
 
+#include "include/secp256k1_generator.h"
+
 /** Opaque structure representing a large number of NUMS generators */
 typedef struct secp256k1_bppp_generators secp256k1_bppp_generators;
 
@@ -19,10 +21,6 @@ typedef struct secp256k1_bppp_rangeproof_prover_context secp256k1_bppp_rangeproo
  *  Returns a list of generators, or calls the error callback if the allocation fails.
  *  Args:          ctx: pointer to a context object
  *                   n: number of NUMS generators to produce.
- *
- * TODO: In a followup range-proof PR, this is would still require 16 + 8 = 24 NUMS
- * points. We will later use G = H0(required for compatibility with pedersen_commitment DS)
- * in a separate commit to make review easier.
  */
 SECP256K1_API secp256k1_bppp_generators *secp256k1_bppp_generators_create(
     const secp256k1_context* ctx,
@@ -46,11 +44,9 @@ SECP256K1_API secp256k1_bppp_generators* secp256k1_bppp_generators_parse(
  *  Args:        ctx: pointer to a context object
  *               gen: pointer to the generator set to be serialized
  *  Out:        data: pointer to buffer into which the generators will be serialized
- *  In/Out: data_len: the length of the `data` buffer. Should be at least
- *                    k = 33 * num_gens. Will be set to k on successful return
- *
- * TODO: For ease of review, this setting G = H0 is not included in this commit. We will
- * add it in the follow-up rangeproof PR.
+ *  In/Out: data_len: the length of the `data` buffer. Should be initially set to at
+ *                    least 33 times the number of generators plus one(33 * (num_gens - 1)).
+ *                    Upon success, data_len will be set to the (33 * (num_gens - 1)).
  */
 SECP256K1_API int secp256k1_bppp_generators_serialize(
     const secp256k1_context* ctx,
@@ -69,6 +65,97 @@ SECP256K1_API void secp256k1_bppp_generators_destroy(
     secp256k1_bppp_generators* gen
 ) SECP256K1_ARG_NONNULL(1);
 
+/** Returns the serialized size of an bulletproofs++ proof of a given number
+ *  of bits and the base. Both base and n_bits must be a power of two. The number
+ *  of digits required to represent number of bits in the given base must also be
+ *  a power of two. Specifically, all of n_bits, base and num_digits = (n_bits / log2(base))
+ *  must all be a power of two.
+ *  Args:   ctx: pointer to a context object
+ *  Out:    len: 0 if the parameters and num_digits (n_bits/log2(base)) are not a power of two
+ *               length of the serialized proof otherwise
+ *  In:  n_bits: number of bits to prove (max 64, should usually be 64)
+ *         base: base representation to be used in proof construction (max 256, recommended 16)
+ */
+SECP256K1_API size_t secp256k1_bppp_rangeproof_proof_length(
+    const secp256k1_context* ctx,
+    size_t n_bits,
+    size_t base
+) SECP256K1_ARG_NONNULL(1);
+
+/** Produces a Bulletproofs++ rangeproof. Returns 1 on success, 0 on failure.
+ * Proof creation can only fail if the arguments are invalid. The documentation
+ * below specifies the constraints on inputs and arguments under which this API
+ * can fail.
+ *  Args:      ctx: pointer to a context object
+ *         scratch: pointer to a scratch space
+ *            gens: pointer to the generator set to use, which must have exactly
+ *                 `n = max(num_digits, base) + 7` generators, where num_digits is the number.
+ *       asset_gen: pointer to the asset generator for the Pedersen/CT commitment
+ *  Out:     proof: pointer to a byte array to output the proof into
+ *  In/Out:   plen: pointer to the size of the above array; will be set to the actual size of
+ *                  the serialized proof. To learn this value in advance, to allocate a sufficient
+ *                  buffer, call `secp256k1_bppp_rangeproof_proof_length`
+ *  In:     n_bits: size of range being proven, in bits. Must be a power of two,
+ *                  and at most 64.
+ *            base: base representation to be used in proof construction. Must be a power of two,
+ *           value: value committed in the Pedersen commitment. Must be less
+ *                  than 2^n_bits.
+ *       min_value: minimum value of the range being proven. Must be less than value
+ *          commit: the Pedersen commitment being proven
+ *           blind: blinding factor for the Pedersen commitment. Must be a 32 byte
+ *                  valid scalar within secp curve order.
+ *           nonce: seed for the RNG used to generate random data during proving
+ *    extra_commit: arbitrary extra data that the proof commits to (may be NULL if extra_commit_len is 0)
+ *    extra_commit_len: length of the arbitrary extra data.
+ */
+SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_bppp_rangeproof_prove(
+    const secp256k1_context* ctx,
+    secp256k1_scratch_space *scratch,
+    const secp256k1_bppp_generators* gens,
+    const secp256k1_generator* asset_gen,
+    unsigned char* proof,
+    size_t* plen,
+    const size_t n_bits,
+    const size_t base,
+    const uint64_t value,
+    const uint64_t min_value,
+    const secp256k1_pedersen_commitment* commit,
+    const unsigned char* blind,
+    const unsigned char* nonce,
+    const unsigned char* extra_commit,
+    size_t extra_commit_len
+) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4) SECP256K1_ARG_NONNULL(5) SECP256K1_ARG_NONNULL(11) SECP256K1_ARG_NONNULL(12) SECP256K1_ARG_NONNULL(13);
+
+/** Verifies an Bulletproofs++ rangeproof. Returns 1 on success, 0 on failure.
+ *  Args:      ctx: pointer to a context object
+ *         scratch: pointer to a scratch space
+ *            gens: pointer to the generator set to use, which must have at least 2*n_bits generators
+ *       asset_gen: pointer to the asset generator for the CT commitment
+ *  In:      proof: pointer to a byte array containing the serialized proof
+ *            plen: length of the serialized proof
+ *          n_bits: size of range being proven, in bits. Must be a power of two,
+ *                  and at most 64.
+ *            base: base representation to be used in proof construction. Must be a power of two,
+ *       min_value: minimum value of the range being proven
+ *          commit: the Pedersen commitment being proven
+ *    extra_commit: arbitrary extra data that the proof commits to (may be NULL if extra_commit_len is 0)
+ *    extra_commit_len: length of the arbitrary extra data
+ */
+SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_bppp_rangeproof_verify(
+    const secp256k1_context* ctx,
+    secp256k1_scratch_space *scratch,
+    const secp256k1_bppp_generators* gens,
+    const secp256k1_generator* asset_gen,
+    const unsigned char* proof,
+    const size_t plen,
+    const uint64_t n_bits,
+    const uint64_t base,
+    const uint64_t min_value,
+    const secp256k1_pedersen_commitment* commit,
+    const unsigned char* extra_commit,
+    size_t extra_commit_len
+) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4) SECP256K1_ARG_NONNULL(5) SECP256K1_ARG_NONNULL(10);
+
 # ifdef __cplusplus
 }
 # endif

src/modules/bppp/main_impl.h

@@ -164,4 +164,106 @@ size_t secp256k1_bppp_rangeproof_proof_length(
     return 33 * 4 + 65*n_rounds + 64;
 }
 
+int secp256k1_bppp_rangeproof_prove(
+    const secp256k1_context* ctx,
+    secp256k1_scratch_space *scratch,
+    const secp256k1_bppp_generators* gens,
+    const secp256k1_generator* asset_gen,
+    unsigned char* proof,
+    size_t* plen,
+    const size_t n_bits,
+    const size_t base,
+    const uint64_t value,
+    const uint64_t min_value,
+    const secp256k1_pedersen_commitment* commit,
+    const unsigned char* blind,
+    const unsigned char* nonce,
+    const unsigned char* extra_commit,
+    size_t extra_commit_len
+) {
+    secp256k1_ge commitp, asset_genp;
+    secp256k1_scalar blinds;
+    int overflow;
+
+    VERIFY_CHECK(ctx != NULL);
+    VERIFY_CHECK(scratch != NULL);
+    ARG_CHECK(gens != NULL);
+    ARG_CHECK(asset_gen != NULL);
+    ARG_CHECK(proof != NULL);
+    ARG_CHECK(plen != NULL);
+    ARG_CHECK(commit != NULL);
+    ARG_CHECK(blind != NULL);
+    ARG_CHECK(nonce != NULL);
+    ARG_CHECK(extra_commit != NULL || extra_commit_len == 0);
+
+    secp256k1_scalar_set_b32(&blinds, blind, &overflow);
+    if (overflow) {
+        return 0;
+    }
+
+    secp256k1_pedersen_commitment_load(&commitp, commit);
+    secp256k1_generator_load(&asset_genp, asset_gen);
+
+    return secp256k1_bppp_rangeproof_prove_impl(
+        ctx,
+        scratch,
+        gens,
+        &asset_genp,
+        proof,
+        plen,
+        n_bits,
+        base,
+        value,
+        min_value,
+        &commitp,
+        &blinds,
+        nonce,
+        extra_commit,
+        extra_commit_len
+    );
+}
+
+int secp256k1_bppp_rangeproof_verify(
+    const secp256k1_context* ctx,
+    secp256k1_scratch_space *scratch,
+    const secp256k1_bppp_generators* gens,
+    const secp256k1_generator* asset_gen,
+    const unsigned char* proof,
+    const size_t plen,
+    const uint64_t n_bits,
+    const uint64_t base,
+    const uint64_t min_value,
+    const secp256k1_pedersen_commitment* commit,
+    const unsigned char* extra_commit,
+    size_t extra_commit_len
+) {
+    secp256k1_ge commitp, asset_genp;
+
+    VERIFY_CHECK(ctx != NULL);
+    VERIFY_CHECK(scratch != NULL);
+    ARG_CHECK(gens != NULL);
+    ARG_CHECK(asset_gen != NULL);
+    ARG_CHECK(proof != NULL);
+    ARG_CHECK(commit != NULL);
+    ARG_CHECK(extra_commit != NULL || extra_commit_len == 0);
+
+    secp256k1_pedersen_commitment_load(&commitp, commit);
+    secp256k1_generator_load(&asset_genp, asset_gen);
+
+    return secp256k1_bppp_rangeproof_verify_impl(
+        ctx,
+        scratch,
+        gens,
+        &asset_genp,
+        proof,
+        plen,
+        n_bits,
+        base,
+        min_value,
+        &commitp,
+        extra_commit,
+        extra_commit_len
+    );
+}
+
 #endif