From dbf2e4d3e1dda55a1a33dd4d86918a3c2281d8dc Mon Sep 17 00:00:00 2001 From: Jonas Nick Date: Wed, 19 Apr 2023 12:20:32 +0000 Subject: [PATCH] bppp: align terminology with paper (mu, rho) q-> mu, r -> rho --- src/modules/bppp/bppp_norm_product_impl.h | 122 +++++++++++----------- src/modules/bppp/tests_impl.h | 84 +++++++-------- 2 files changed, 103 insertions(+), 103 deletions(-) diff --git a/src/modules/bppp/bppp_norm_product_impl.h b/src/modules/bppp/bppp_norm_product_impl.h index ecb758c36..4ca4eca62 100644 --- a/src/modules/bppp/bppp_norm_product_impl.h +++ b/src/modules/bppp/bppp_norm_product_impl.h @@ -43,7 +43,7 @@ static int secp256k1_scalar_inner_product( /* Computes the q-weighted inner product of two vectors of scalars * for elements starting from offset a and offset b respectively with the * given step. - * Returns: Sum_{i=0..len-1}(a[offset_a + step*i] * b[offset_b2 + step*i]*q^(i+1)) */ + * Returns: Sum_{i=0..len-1}(a[offset_a + step*i] * b[offset_b2 + step*i]*mu^(i+1)) */ static int secp256k1_weighted_scalar_inner_product( secp256k1_scalar* res, const secp256k1_scalar* a_vec, @@ -52,29 +52,29 @@ static int secp256k1_weighted_scalar_inner_product( const size_t b_offset, const size_t step, const size_t len, - const secp256k1_scalar* q + const secp256k1_scalar* mu ) { - secp256k1_scalar q_pow; + secp256k1_scalar mu_pow; size_t i; secp256k1_scalar_set_int(res, 0); - q_pow = *q; + mu_pow = *mu; for (i = 0; i < len; i++) { secp256k1_scalar term; secp256k1_scalar_mul(&term, &a_vec[a_offset + step*i], &b_vec[b_offset + step*i]); - secp256k1_scalar_mul(&term, &term, &q_pow); - secp256k1_scalar_mul(&q_pow, &q_pow, q); + secp256k1_scalar_mul(&term, &term, &mu_pow); + secp256k1_scalar_mul(&mu_pow, &mu_pow, mu); secp256k1_scalar_add(res, res, &term); } return 1; } -/* Compute the powers of r as r, r^2, r^4 ... r^(2^(n-1)) */ -static void secp256k1_bppp_powers_of_r(secp256k1_scalar *powers, const secp256k1_scalar *r, size_t n) { +/* Compute the powers of rho as rho, rho^2, rho^4 ... rho^(2^(n-1)) */ +static void secp256k1_bppp_powers_of_rho(secp256k1_scalar *powers, const secp256k1_scalar *rho, size_t n) { size_t i; if (n == 0) { return; } - powers[0] = *r; + powers[0] = *rho; for (i = 1; i < n; i++) { secp256k1_scalar_sqr(&powers[i], &powers[i - 1]); } @@ -99,7 +99,7 @@ static int ecmult_bp_commit_cb(secp256k1_scalar *sc, secp256k1_ge *pt, size_t id } /* Create a commitment `commit` = vG + n_vec*G_vec + l_vec*H_vec where - v = |n_vec*n_vec|_q + . |w|_q denotes q-weighted norm of w and + v = |n_vec*n_vec|_mu + . |w|_mu denotes mu-weighted norm of w and denotes inner product of l and r. */ static int secp256k1_bppp_commit( @@ -113,7 +113,7 @@ static int secp256k1_bppp_commit( size_t l_vec_len, const secp256k1_scalar* c_vec, size_t c_vec_len, - const secp256k1_scalar* q + const secp256k1_scalar* mu ) { secp256k1_scalar v, l_c; /* First n_vec_len generators are Gs, rest are Hs*/ @@ -125,8 +125,8 @@ static int secp256k1_bppp_commit( VERIFY_CHECK(secp256k1_is_power_of_two(n_vec_len)); VERIFY_CHECK(secp256k1_is_power_of_two(c_vec_len)); - /* Compute v = n_vec*n_vec*q + l_vec*c_vec */ - secp256k1_weighted_scalar_inner_product(&v, n_vec, 0 /*a offset */, n_vec, 0 /*b offset*/, 1 /*step*/, n_vec_len, q); + /* Compute v = n_vec*n_vec*mu + l_vec*c_vec */ + secp256k1_weighted_scalar_inner_product(&v, n_vec, 0 /*a offset */, n_vec, 0 /*b offset*/, 1 /*step*/, n_vec_len, mu); secp256k1_scalar_inner_product(&l_c, l_vec, 0 /*a offset */, c_vec, 0 /*b offset*/, 1 /*step*/, l_vec_len); secp256k1_scalar_add(&v, &v, &l_c); @@ -150,8 +150,8 @@ typedef struct ecmult_x_cb_data { const secp256k1_scalar *n; const secp256k1_ge *g; const secp256k1_scalar *l; - const secp256k1_scalar *r; - const secp256k1_scalar *r_inv; + const secp256k1_scalar *rho; + const secp256k1_scalar *rho_inv; size_t G_GENS_LEN; /* Figure out initialization syntax so that this can also be const */ size_t n_len; } ecmult_x_cb_data; @@ -160,10 +160,10 @@ static int ecmult_x_cb(secp256k1_scalar *sc, secp256k1_ge *pt, size_t idx, void ecmult_x_cb_data *data = (ecmult_x_cb_data*) cbdata; if (idx < data->n_len) { if (idx % 2 == 0) { - secp256k1_scalar_mul(sc, &data->n[idx + 1], data->r); + secp256k1_scalar_mul(sc, &data->n[idx + 1], data->rho); *pt = data->g[idx]; } else { - secp256k1_scalar_mul(sc, &data->n[idx - 1], data->r_inv); + secp256k1_scalar_mul(sc, &data->n[idx - 1], data->rho_inv); *pt = data->g[idx]; } } else { @@ -201,11 +201,11 @@ static int ecmult_r_cb(secp256k1_scalar *sc, secp256k1_ge *pt, size_t idx, void } /* Recursively compute the norm argument proof satisfying the relation - * _q + = v for some commitment - * C = v*G + + . _q is the weighted inner - * product of x with itself, where the weights are the first n powers of q. - * _q = q*x_1^2 + q^2*x_2^2 + q^3*x_3^2 + ... + q^n*x_n^2. - * The API computes q as square of the r challenge (`r^2`). + * _mu + = v for some commitment + * C = v*G + + . _mu is the weighted inner + * product of x with itself, where the weights are the first n powers of mu. + * _mu = mu*x_1^2 + mu^2*x_2^2 + mu^3*x_3^2 + ... + mu^n*x_n^2. + * The API computes mu as square of the r challenge (`r^2`). * * The norm argument is not zero knowledge and does not operate on any secret data. * Thus the following code uses variable time operations while computing the proof. @@ -222,7 +222,7 @@ static int secp256k1_bppp_rangeproof_norm_product_prove( unsigned char* proof, size_t *proof_len, secp256k1_sha256* transcript, /* Transcript hash of the parent protocol */ - const secp256k1_scalar* r, + const secp256k1_scalar* rho, secp256k1_ge* g_vec, size_t g_vec_len, secp256k1_scalar* n_vec, @@ -232,7 +232,7 @@ static int secp256k1_bppp_rangeproof_norm_product_prove( secp256k1_scalar* c_vec, size_t c_vec_len ) { - secp256k1_scalar q_f, r_f = *r; + secp256k1_scalar mu_f, rho_f = *rho; size_t proof_idx = 0; ecmult_x_cb_data x_cb_data; ecmult_r_cb_data r_cb_data; @@ -259,30 +259,30 @@ static int secp256k1_bppp_rangeproof_norm_product_prove( r_cb_data.g1 = g_vec; r_cb_data.l1 = l_vec; r_cb_data.G_GENS_LEN = G_GENS_LEN; - secp256k1_scalar_sqr(&q_f, &r_f); + secp256k1_scalar_sqr(&mu_f, &rho_f); while (g_len > 1 || h_len > 1) { size_t i, num_points; - secp256k1_scalar q_sq, r_inv, c0_l1, c1_l0, x_v, c1_l1, r_v; + secp256k1_scalar mu_sq, rho_inv, c0_l1, c1_l0, x_v, c1_l1, r_v; secp256k1_gej rj, xj; secp256k1_ge r_ge, x_ge; secp256k1_scalar e; - secp256k1_scalar_inverse_var(&r_inv, &r_f); - secp256k1_scalar_sqr(&q_sq, &q_f); + secp256k1_scalar_inverse_var(&rho_inv, &rho_f); + secp256k1_scalar_sqr(&mu_sq, &mu_f); - /* Compute the X commitment X = WIP(r_inv*n0,n1)_q2 * g + r + */ + /* Compute the X commitment X = WIP(rho_inv*n0,n1)_mu2 * g + r + */ secp256k1_scalar_inner_product(&c0_l1, c_vec, 0, l_vec, 1, 2, h_len/2); secp256k1_scalar_inner_product(&c1_l0, c_vec, 1, l_vec, 0, 2, h_len/2); - secp256k1_weighted_scalar_inner_product(&x_v, n_vec, 0, n_vec, 1, 2, g_len/2, &q_sq); - secp256k1_scalar_mul(&x_v, &x_v, &r_inv); + secp256k1_weighted_scalar_inner_product(&x_v, n_vec, 0, n_vec, 1, 2, g_len/2, &mu_sq); + secp256k1_scalar_mul(&x_v, &x_v, &rho_inv); secp256k1_scalar_add(&x_v, &x_v, &x_v); secp256k1_scalar_add(&x_v, &x_v, &c0_l1); secp256k1_scalar_add(&x_v, &x_v, &c1_l0); - x_cb_data.r = &r_f; - x_cb_data.r_inv = &r_inv; + x_cb_data.rho = &rho_f; + x_cb_data.rho_inv = &rho_inv; x_cb_data.n_len = g_len >= 2 ? g_len : 0; num_points = x_cb_data.n_len + (h_len >= 2 ? h_len : 0); @@ -290,7 +290,7 @@ static int secp256k1_bppp_rangeproof_norm_product_prove( return 0; } - secp256k1_weighted_scalar_inner_product(&r_v, n_vec, 1, n_vec, 1, 2, g_len/2, &q_sq); + secp256k1_weighted_scalar_inner_product(&r_v, n_vec, 1, n_vec, 1, 2, g_len/2, &mu_sq); secp256k1_scalar_inner_product(&c1_l1, c_vec, 1, l_vec, 1, 2, h_len/2); secp256k1_scalar_add(&r_v, &r_v, &c1_l1); @@ -322,12 +322,12 @@ static int secp256k1_bppp_rangeproof_norm_product_prove( for (i = 0; i < g_len; i = i + 2) { secp256k1_scalar nl, nr; secp256k1_gej gl, gr; - secp256k1_scalar_mul(&nl, &n_vec[i], &r_inv); + secp256k1_scalar_mul(&nl, &n_vec[i], &rho_inv); secp256k1_scalar_mul(&nr, &n_vec[i + 1], &e); secp256k1_scalar_add(&n_vec[i/2], &nl, &nr); secp256k1_gej_set_ge(&gl, &g_vec[i]); - secp256k1_ecmult(&gl, &gl, &r_f, NULL); + secp256k1_ecmult(&gl, &gl, &rho_f, NULL); secp256k1_gej_set_ge(&gr, &g_vec[i + 1]); secp256k1_ecmult(&gr, &gr, &e, NULL); secp256k1_gej_add_var(&gl, &gl, &gr, NULL); @@ -353,8 +353,8 @@ static int secp256k1_bppp_rangeproof_norm_product_prove( } g_len = g_len / 2; h_len = h_len / 2; - r_f = q_f; - q_f = q_sq; + rho_f = mu_f; + mu_f = mu_sq; } secp256k1_scalar_get_b32(&proof[proof_idx], &n_vec[0]); @@ -432,15 +432,15 @@ static int secp256k1_bppp_rangeproof_norm_product_verify( const unsigned char* proof, size_t proof_len, secp256k1_sha256* transcript, - const secp256k1_scalar* r, + const secp256k1_scalar* rho, const secp256k1_bppp_generators* g_vec, size_t g_len, const secp256k1_scalar* c_vec, size_t c_vec_len, const secp256k1_ge* commit ) { - secp256k1_scalar r_f, q_f, v, n, l, r_inv, h_c; - secp256k1_scalar *es, *s_g, *s_h, *r_inv_pows; + secp256k1_scalar rho_f, mu_f, v, n, l, rho_inv, h_c; + secp256k1_scalar *es, *s_g, *s_h, *rho_inv_pows; secp256k1_gej res1, res2; size_t i = 0, scratch_checkpoint; int overflow; @@ -467,27 +467,27 @@ static int secp256k1_bppp_rangeproof_norm_product_verify( if (overflow) return 0; secp256k1_scalar_set_b32(&l, &proof[n_rounds*65 + 32], &overflow); /* l */ if (overflow) return 0; - if (secp256k1_scalar_is_zero(r)) return 0; + if (secp256k1_scalar_is_zero(rho)) return 0; /* Collect the challenges in a new vector */ scratch_checkpoint = secp256k1_scratch_checkpoint(&ctx->error_callback, scratch); es = (secp256k1_scalar*)secp256k1_scratch_alloc(&ctx->error_callback, scratch, n_rounds * sizeof(secp256k1_scalar)); s_g = (secp256k1_scalar*)secp256k1_scratch_alloc(&ctx->error_callback, scratch, g_len * sizeof(secp256k1_scalar)); s_h = (secp256k1_scalar*)secp256k1_scratch_alloc(&ctx->error_callback, scratch, h_len * sizeof(secp256k1_scalar)); - r_inv_pows = (secp256k1_scalar*)secp256k1_scratch_alloc(&ctx->error_callback, scratch, log_g_len * sizeof(secp256k1_scalar)); - if (es == NULL || s_g == NULL || s_h == NULL || r_inv_pows == NULL) { + rho_inv_pows = (secp256k1_scalar*)secp256k1_scratch_alloc(&ctx->error_callback, scratch, log_g_len * sizeof(secp256k1_scalar)); + if (es == NULL || s_g == NULL || s_h == NULL || rho_inv_pows == NULL) { secp256k1_scratch_apply_checkpoint(&ctx->error_callback, scratch, scratch_checkpoint); return 0; } - /* Compute powers of r_inv. Later used in g_factor computations*/ - secp256k1_scalar_inverse_var(&r_inv, r); - secp256k1_bppp_powers_of_r(r_inv_pows, &r_inv, log_g_len); + /* Compute powers of rho_inv. Later used in g_factor computations*/ + secp256k1_scalar_inverse_var(&rho_inv, rho); + secp256k1_bppp_powers_of_rho(rho_inv_pows, &rho_inv, log_g_len); - /* Compute r_f = r^(2^log_g_len) */ - r_f = *r; + /* Compute rho_f = rho^(2^log_g_len) */ + rho_f = *rho; for (i = 0; i < log_g_len; i++) { - secp256k1_scalar_sqr(&r_f, &r_f); + secp256k1_scalar_sqr(&rho_f, &rho_f); } for (i = 0; i < n_rounds; i++) { @@ -496,20 +496,20 @@ static int secp256k1_bppp_rangeproof_norm_product_verify( secp256k1_bppp_challenge_scalar(&e, transcript, 0); es[i] = e; } - /* s_g[0] = n * \prod_{j=0}^{log_g_len - 1} r^(2^j) - * = n * r^(2^log_g_len - 1) - * = n * r_f * r_inv */ - secp256k1_scalar_mul(&s_g[0], &n, &r_f); - secp256k1_scalar_mul(&s_g[0], &s_g[0], &r_inv); + /* s_g[0] = n * \prod_{j=0}^{log_g_len - 1} rho^(2^j) + * = n * rho^(2^log_g_len - 1) + * = n * rho_f * rho_inv */ + secp256k1_scalar_mul(&s_g[0], &n, &rho_f); + secp256k1_scalar_mul(&s_g[0], &s_g[0], &rho_inv); for (i = 1; i < g_len; i++) { size_t log_i = secp256k1_bppp_log2(i); size_t nearest_pow_of_two = (size_t)1 << log_i; - /* This combines the two multiplications of challenges and r_invs in a + /* This combines the two multiplications of challenges and rho_invs in a * single loop. * s_g[i] = s_g[i - nearest_pow_of_two] - * * e[log_i] * r_inv^(2^log_i) */ + * * e[log_i] * rho_inv^(2^log_i) */ secp256k1_scalar_mul(&s_g[i], &s_g[i - nearest_pow_of_two], &es[log_i]); - secp256k1_scalar_mul(&s_g[i], &s_g[i], &r_inv_pows[log_i]); + secp256k1_scalar_mul(&s_g[i], &s_g[i], &rho_inv_pows[log_i]); } s_h[0] = l; secp256k1_scalar_set_int(&h_c, 0); @@ -519,10 +519,10 @@ static int secp256k1_bppp_rangeproof_norm_product_verify( secp256k1_scalar_mul(&s_h[i], &s_h[i - nearest_pow_of_two], &es[log_i]); } secp256k1_scalar_inner_product(&h_c, c_vec, 0 /* a_offset */ , s_h, 0 /* b_offset */, 1 /* step */, h_len); - /* Compute v = n*n*q_f + l*h_c where q_f = r_f^2 */ - secp256k1_scalar_sqr(&q_f, &r_f); + /* Compute v = n*n*mu_f + l*h_c where mu_f = rho_f^2 */ + secp256k1_scalar_sqr(&mu_f, &rho_f); secp256k1_scalar_mul(&v, &n, &n); - secp256k1_scalar_mul(&v, &v, &q_f); + secp256k1_scalar_mul(&v, &v, &mu_f); secp256k1_scalar_add(&v, &v, &h_c); { diff --git a/src/modules/bppp/tests_impl.h b/src/modules/bppp/tests_impl.h index e92316566..bdb261a08 100644 --- a/src/modules/bppp/tests_impl.h +++ b/src/modules/bppp/tests_impl.h @@ -176,15 +176,15 @@ void test_log_exp(void) { } void test_norm_util_helpers(void) { - secp256k1_scalar a_vec[4], b_vec[4], r_pows[4], res, res2, q, r; + secp256k1_scalar a_vec[4], b_vec[4], rho_pows[4], res, res2, mu, rho; int i; - /* a = {1, 2, 3, 4} b = {5, 6, 7, 8}, q = 4, r = 2 */ + /* a = {1, 2, 3, 4} b = {5, 6, 7, 8}, mu = 4, rho = 2 */ for (i = 0; i < 4; i++) { secp256k1_scalar_set_int(&a_vec[i], i + 1); secp256k1_scalar_set_int(&b_vec[i], i + 5); } - secp256k1_scalar_set_int(&q, 4); - secp256k1_scalar_set_int(&r, 2); + secp256k1_scalar_set_int(&mu, 4); + secp256k1_scalar_set_int(&rho, 2); secp256k1_scalar_inner_product(&res, a_vec, 0, b_vec, 0, 1, 4); secp256k1_scalar_set_int(&res2, 70); CHECK(secp256k1_scalar_eq(&res2, &res) == 1); @@ -201,20 +201,20 @@ void test_norm_util_helpers(void) { secp256k1_scalar_set_int(&res2, 44); CHECK(secp256k1_scalar_eq(&res2, &res) == 1); - secp256k1_weighted_scalar_inner_product(&res, a_vec, 0, a_vec, 0, 1, 4, &q); + secp256k1_weighted_scalar_inner_product(&res, a_vec, 0, a_vec, 0, 1, 4, &mu); secp256k1_scalar_set_int(&res2, 4740); /*i*i*4^(i+1) */ CHECK(secp256k1_scalar_eq(&res2, &res) == 1); - secp256k1_bppp_powers_of_r(r_pows, &r, 4); - secp256k1_scalar_set_int(&res, 2); CHECK(secp256k1_scalar_eq(&res, &r_pows[0])); - secp256k1_scalar_set_int(&res, 4); CHECK(secp256k1_scalar_eq(&res, &r_pows[1])); - secp256k1_scalar_set_int(&res, 16); CHECK(secp256k1_scalar_eq(&res, &r_pows[2])); - secp256k1_scalar_set_int(&res, 256); CHECK(secp256k1_scalar_eq(&res, &r_pows[3])); + secp256k1_bppp_powers_of_rho(rho_pows, &rho, 4); + secp256k1_scalar_set_int(&res, 2); CHECK(secp256k1_scalar_eq(&res, &rho_pows[0])); + secp256k1_scalar_set_int(&res, 4); CHECK(secp256k1_scalar_eq(&res, &rho_pows[1])); + secp256k1_scalar_set_int(&res, 16); CHECK(secp256k1_scalar_eq(&res, &rho_pows[2])); + secp256k1_scalar_set_int(&res, 256); CHECK(secp256k1_scalar_eq(&res, &rho_pows[3])); } static void secp256k1_norm_arg_commit_initial_data( secp256k1_sha256* transcript, - const secp256k1_scalar* r, + const secp256k1_scalar* rho, const secp256k1_bppp_generators* gens_vec, size_t g_len, /* Same as n_vec_len, g_len + c_vec_len = gens->n */ const secp256k1_scalar* c_vec, @@ -231,7 +231,7 @@ static void secp256k1_norm_arg_commit_initial_data( CHECK(secp256k1_ge_is_infinity(&comm) == 0); CHECK(secp256k1_bppp_serialize_pt(&ser_commit[0], &comm)); secp256k1_sha256_write(transcript, ser_commit, 33); - secp256k1_scalar_get_b32(ser_scalar, r); + secp256k1_scalar_get_b32(ser_scalar, rho); secp256k1_sha256_write(transcript, ser_scalar, 32); secp256k1_bppp_le64(ser_le64, g_len); secp256k1_sha256_write(transcript, ser_le64, 8); @@ -283,7 +283,7 @@ static int secp256k1_norm_arg_prove( secp256k1_scratch_space* scratch, unsigned char* proof, size_t *proof_len, - const secp256k1_scalar* r, + const secp256k1_scalar* rho, const secp256k1_bppp_generators* gens_vec, const secp256k1_scalar* n_vec, size_t n_vec_len, @@ -305,7 +305,7 @@ static int secp256k1_norm_arg_prove( copy_vectors_into_scratch(scratch, &ns, &ls, &cs, &gs, n_vec, l_vec, c_vec, gens_vec->gens, g_len, h_len); /* Commit to the initial public values */ - secp256k1_norm_arg_commit_initial_data(&transcript, r, gens_vec, g_len, c_vec, c_vec_len, &comm); + secp256k1_norm_arg_commit_initial_data(&transcript, rho, gens_vec, g_len, c_vec, c_vec_len, &comm); res = secp256k1_bppp_rangeproof_norm_product_prove( ctx, @@ -313,7 +313,7 @@ static int secp256k1_norm_arg_prove( proof, proof_len, &transcript, /* Transcript hash of the parent protocol */ - r, + rho, gs, gens_vec->n, ns, @@ -332,7 +332,7 @@ static int secp256k1_norm_arg_verify( secp256k1_scratch_space* scratch, const unsigned char* proof, size_t proof_len, - const secp256k1_scalar* r, + const secp256k1_scalar* rho, const secp256k1_bppp_generators* gens_vec, size_t g_len, const secp256k1_scalar* c_vec, @@ -344,7 +344,7 @@ static int secp256k1_norm_arg_verify( secp256k1_sha256 transcript; /* Commit to the initial public values */ - secp256k1_norm_arg_commit_initial_data(&transcript, r, gens_vec, g_len, c_vec, c_vec_len, &comm); + secp256k1_norm_arg_commit_initial_data(&transcript, rho, gens_vec, g_len, c_vec, c_vec_len, &comm); res = secp256k1_bppp_rangeproof_norm_product_verify( ctx, @@ -352,7 +352,7 @@ static int secp256k1_norm_arg_verify( proof, proof_len, &transcript, - r, + rho, gens_vec, g_len, c_vec, @@ -364,15 +364,15 @@ static int secp256k1_norm_arg_verify( void norm_arg_zero(void) { secp256k1_scalar n_vec[64], l_vec[64], c_vec[64]; - secp256k1_scalar r, q; + secp256k1_scalar rho, mu; secp256k1_ge commit; size_t i; secp256k1_scratch *scratch = secp256k1_scratch_space_create(ctx, 1000*10); /* shouldn't need much */ unsigned char proof[1000]; secp256k1_sha256 transcript; - random_scalar_order(&r); - secp256k1_scalar_sqr(&q, &r); + random_scalar_order(&rho); + secp256k1_scalar_sqr(&mu, &rho); /* l is zero vector and n is zero vectors of length 1 each. */ { @@ -386,17 +386,17 @@ void norm_arg_zero(void) { random_scalar_order(&c_vec[0]); secp256k1_sha256_initialize(&transcript); /* No challenges used in n = 1, l = 1, but we set transcript as a good practice*/ - CHECK(secp256k1_bppp_commit(ctx, scratch, &commit, gens, n_vec, n_vec_len, l_vec, c_vec_len, c_vec, c_vec_len, &q)); + CHECK(secp256k1_bppp_commit(ctx, scratch, &commit, gens, n_vec, n_vec_len, l_vec, c_vec_len, c_vec, c_vec_len, &mu)); { secp256k1_scalar *ns, *ls, *cs; secp256k1_ge *gs; size_t scratch_checkpoint = secp256k1_scratch_checkpoint(&ctx->error_callback, scratch); copy_vectors_into_scratch(scratch, &ns, &ls, &cs, &gs, n_vec, l_vec, c_vec, gens->gens, n_vec_len, c_vec_len); - CHECK(secp256k1_bppp_rangeproof_norm_product_prove(ctx, scratch, proof, &plen, &transcript, &r, gs, gens->n, ns, n_vec_len, ls, c_vec_len, cs, c_vec_len)); + CHECK(secp256k1_bppp_rangeproof_norm_product_prove(ctx, scratch, proof, &plen, &transcript, &rho, gs, gens->n, ns, n_vec_len, ls, c_vec_len, cs, c_vec_len)); secp256k1_scratch_apply_checkpoint(&ctx->error_callback, scratch, scratch_checkpoint); } secp256k1_sha256_initialize(&transcript); - CHECK(secp256k1_bppp_rangeproof_norm_product_verify(ctx, scratch, proof, plen, &transcript, &r, gens, c_vec_len, c_vec, c_vec_len, &commit)); + CHECK(secp256k1_bppp_rangeproof_norm_product_verify(ctx, scratch, proof, plen, &transcript, &rho, gens, c_vec_len, c_vec, c_vec_len, &commit)); secp256k1_bppp_generators_destroy(ctx, gens); } @@ -415,8 +415,8 @@ void norm_arg_zero(void) { secp256k1_scalar_set_int(&l_vec[i], 0); random_scalar_order(&c_vec[i]); } - CHECK(secp256k1_bppp_commit(ctx, scratch, &commit, gs, n_vec, n_vec_len, l_vec, c_vec_len, c_vec, c_vec_len, &q)); - CHECK(!secp256k1_norm_arg_prove(scratch, proof, &plen, &r, gs, n_vec, n_vec_len, l_vec, c_vec_len, c_vec, c_vec_len, &commit)); + CHECK(secp256k1_bppp_commit(ctx, scratch, &commit, gs, n_vec, n_vec_len, l_vec, c_vec_len, c_vec, c_vec_len, &mu)); + CHECK(!secp256k1_norm_arg_prove(scratch, proof, &plen, &rho, gs, n_vec, n_vec_len, l_vec, c_vec_len, c_vec, c_vec_len, &commit)); secp256k1_bppp_generators_destroy(ctx, gs); } @@ -429,11 +429,11 @@ void norm_arg_zero(void) { random_scalar_order(&n_vec[0]); random_scalar_order(&c_vec[0]); random_scalar_order(&l_vec[0]); - CHECK(secp256k1_bppp_commit(ctx, scratch, &commit, gs, n_vec, n_vec_len, l_vec, c_vec_len, c_vec, c_vec_len, &q)); - CHECK(secp256k1_norm_arg_prove(scratch, proof, &plen, &r, gs, n_vec, n_vec_len, l_vec, c_vec_len, c_vec, c_vec_len, &commit)); - CHECK(secp256k1_norm_arg_verify(scratch, proof, plen, &r, gs, n_vec_len, c_vec, c_vec_len, &commit)); - CHECK(!secp256k1_norm_arg_verify(scratch, proof, plen, &r, gs, 0, c_vec, c_vec_len, &commit)); - CHECK(!secp256k1_norm_arg_verify(scratch, proof, plen, &r, gs, n_vec_len, c_vec, 0, &commit)); + CHECK(secp256k1_bppp_commit(ctx, scratch, &commit, gs, n_vec, n_vec_len, l_vec, c_vec_len, c_vec, c_vec_len, &mu)); + CHECK(secp256k1_norm_arg_prove(scratch, proof, &plen, &rho, gs, n_vec, n_vec_len, l_vec, c_vec_len, c_vec, c_vec_len, &commit)); + CHECK(secp256k1_norm_arg_verify(scratch, proof, plen, &rho, gs, n_vec_len, c_vec, c_vec_len, &commit)); + CHECK(!secp256k1_norm_arg_verify(scratch, proof, plen, &rho, gs, 0, c_vec, c_vec_len, &commit)); + CHECK(!secp256k1_norm_arg_verify(scratch, proof, plen, &rho, gs, n_vec_len, c_vec, 0, &commit)); secp256k1_bppp_generators_destroy(ctx, gs); } @@ -443,7 +443,7 @@ void norm_arg_zero(void) { void norm_arg_test(unsigned int n, unsigned int m) { secp256k1_scalar n_vec[64], l_vec[64], c_vec[64]; - secp256k1_scalar r, q; + secp256k1_scalar rho, mu; secp256k1_ge commit; size_t i, plen; int res; @@ -451,8 +451,8 @@ void norm_arg_test(unsigned int n, unsigned int m) { secp256k1_scratch *scratch = secp256k1_scratch_space_create(ctx, 1000*1000); /* shouldn't need much */ unsigned char proof[1000]; plen = 1000; - random_scalar_order(&r); - secp256k1_scalar_sqr(&q, &r); + random_scalar_order(&rho); + secp256k1_scalar_sqr(&mu, &rho); for (i = 0; i < n; i++) { random_scalar_order(&n_vec[i]); @@ -463,20 +463,20 @@ void norm_arg_test(unsigned int n, unsigned int m) { random_scalar_order(&c_vec[i]); } - res = secp256k1_bppp_commit(ctx, scratch, &commit, gs, n_vec, n, l_vec, m, c_vec, m, &q); + res = secp256k1_bppp_commit(ctx, scratch, &commit, gs, n_vec, n, l_vec, m, c_vec, m, &mu); CHECK(res == 1); - res = secp256k1_norm_arg_prove(scratch, proof, &plen, &r, gs, n_vec, n, l_vec, m, c_vec, m, &commit); + res = secp256k1_norm_arg_prove(scratch, proof, &plen, &rho, gs, n_vec, n, l_vec, m, c_vec, m, &commit); CHECK(res == 1); - res = secp256k1_norm_arg_verify(scratch, proof, plen, &r, gs, n, c_vec, m, &commit); + res = secp256k1_norm_arg_verify(scratch, proof, plen, &rho, gs, n, c_vec, m, &commit); CHECK(res == 1); /* Changing any of last two scalars should break the proof */ proof[plen - 1] ^= 1; - res = secp256k1_norm_arg_verify(scratch, proof, plen, &r, gs, n, c_vec, m, &commit); + res = secp256k1_norm_arg_verify(scratch, proof, plen, &rho, gs, n, c_vec, m, &commit); CHECK(res == 0); proof[plen - 1 - 32] ^= 1; - res = secp256k1_norm_arg_verify(scratch, proof, plen, &r, gs, n, c_vec, m, &commit); + res = secp256k1_norm_arg_verify(scratch, proof, plen, &rho, gs, n, c_vec, m, &commit); CHECK(res == 0); secp256k1_scratch_space_destroy(ctx, scratch); @@ -519,7 +519,7 @@ secp256k1_bppp_generators* bppp_generators_parse_regular(const unsigned char* da int norm_arg_verify_vectors_helper(secp256k1_scratch *scratch, const unsigned char *gens, const unsigned char *proof, size_t plen, const unsigned char *r32, size_t n_vec_len, const unsigned char c_vec32[][32], secp256k1_scalar *c_vec, size_t c_vec_len, const unsigned char *commit33) { secp256k1_sha256 transcript; secp256k1_bppp_generators *gs = bppp_generators_parse_regular(gens, 33*(n_vec_len + c_vec_len)); - secp256k1_scalar r; + secp256k1_scalar rho; secp256k1_ge commit; int overflow; int i; @@ -528,7 +528,7 @@ int norm_arg_verify_vectors_helper(secp256k1_scratch *scratch, const unsigned ch CHECK(gs != NULL); secp256k1_sha256_initialize(&transcript); - secp256k1_scalar_set_b32(&r, r32, &overflow); + secp256k1_scalar_set_b32(&rho, r32, &overflow); CHECK(!overflow); for (i = 0; i < (int)c_vec_len; i++) { @@ -536,7 +536,7 @@ int norm_arg_verify_vectors_helper(secp256k1_scratch *scratch, const unsigned ch CHECK(!overflow); } CHECK(secp256k1_eckey_pubkey_parse(&commit, commit33, 33)); - ret = secp256k1_bppp_rangeproof_norm_product_verify(ctx, scratch, proof, plen, &transcript, &r, gs, n_vec_len, c_vec, c_vec_len, &commit); + ret = secp256k1_bppp_rangeproof_norm_product_verify(ctx, scratch, proof, plen, &transcript, &rho, gs, n_vec_len, c_vec, c_vec_len, &commit); secp256k1_bppp_generators_destroy(ctx, gs); return ret;