BIP374: Discrete Log Equality Proofs (DLEQ)

bip-DLEQ.mediawiki

@@ -33,14 +33,16 @@ All conventions and notations are used as defined in [https://github.com/bitcoin
 
 === DLEQ Proof Generation ===
 
+The following generates a proof that the result of ''a⋅B'' and the result of ''a⋅G'' are both generated from the same scalar ''a'' without having to reveal ''a''.
+
 Input:
 * The secret key ''a'': a 256-bit unsigned integer
 * The public key ''B'': a point on the curve
-* The generator point ''G'': a point on the curve
 * Auxiliary random data ''r'': a 32-byte array
-* An optional message ''m'': a 32-byte array
+* The generator point ''G'': a point on the curve<ref name="why_include_G"> ''' Why include the generator point G as an input?''' While all other BIPs have used the generator point from Secp256k1, passing it as an input here lets this algorithm be used for other curves.</ref>
+* An optional message ''m'': a 32-byte array<ref name="why_include_a_message"> ''' Why include a message as an input?''' This could be useful for protocols that want to authorize on a compound statement, not just knowledge of a scalar. This allows the protocol to combine knowledge of the scalar and the statement.</ref>
 
-The algorithm ''GenerateProof(a, B, r)'' is defined as:
+The algorithm ''GenerateProof(a, B, r, G, m)'' is defined as:
 * Fail if ''a = 0'' or ''a &ge; n''.
 * Fail if ''is_infinite(B)''.
 * Let ''A = a⋅G''.
@@ -60,15 +62,17 @@ The algorithm ''GenerateProof(a, B, r)'' is defined as:
 
 === DLEQ Proof Verification ===
 
+The following verifies the proof generated in the previous section. If the following algorithm succeeds, the points ''A'' and ''C'' were both generated from the same scalar. The former from multiplying by ''G'', and the latter from multiplying by ''B''.
+
 Input:
 * The public key of the secret key used in the proof generation ''A'': a point on the curve
 * The public key used in the proof generation ''B'': a point on the curve
 * The result of multiplying the secret and public keys used in the proof generation ''C'': a point on the curve
-* The generator point used in the proof generation ''G'': a point on the curve
 * A proof ''proof'': a 64-byte array
-* An optional message ''m'': a 32-byte array
+* The generator point used in the proof generation ''G'': a point on the curve<ref name="why_include_G"> ''' Why include the generator point G as an input?''' While all other BIPs have used the generator point from Secp256k1, passing it as an input here lets this algorithm be used for other curves.</ref>
+* An optional message ''m'': a 32-byte array<ref name="why_include_a_message"> ''' Why include a message as an input?''' This could be useful for protocols that want to authorize on a compound statement, not just knowledge of a scalar. This allows the protocol to combine knowledge of the scalar and the statement.</ref>
 
-The algorithm ''VerifyProof(A, B, C, G, proof)'' is defined as:
+The algorithm ''VerifyProof(A, B, C, proof, G, m)'' is defined as:
 * Let ''e = int(proof[0:32])''.
 * Let ''s = int(proof[32:64])''; fail if ''s &ge; n''.
 * Let ''R<sub>1</sub> = s⋅G - e⋅A''.
@@ -79,9 +83,13 @@ The algorithm ''VerifyProof(A, B, C, G, proof)'' is defined as:
 * Fail if ''e ≠ int(hash<sub>BIP0???/challenge</sub>(cbytes(A) || cbytes(B) || cbytes(C) || cbytes(G) || cbytes(R<sub>1</sub>) || cbytes(R<sub>2</sub>) || cbytes(m')))''.
 * Return success iff no failure occurred before reaching this point.
 
+==Backwards Compatibility==
+
+This proposal is compatible with all older clients.
+
 == Test Vectors and Reference Code ==
 
-TBD
+A reference python implementation is included [./bip-DLEQ/reference.py here].
 
 == Changelog ==