PRCYCoin  2.0.0.7rc1
P2P Digital Currency
tests_impl.h
Go to the documentation of this file.
1 /**********************************************************************
2  * Copyright (c) 2018 Andrew Poelstra *
3  * Distributed under the MIT software license, see the accompanying *
4  * file COPYING or http://www.opensource.org/licenses/mit-license.php.*
5  **********************************************************************/
6 
7 #ifndef SECP256K1_MODULE_BULLETPROOF_TESTS
8 #define SECP256K1_MODULE_BULLETPROOF_TESTS
9 
10 #include <string.h>
11 
12 #include "group.h"
13 #include "scalar.h"
14 #include "testrand.h"
15 #include "util.h"
16 
17 #include "include/secp256k1_bulletproofs.h"
18 
19 static void test1() {
20  secp256k1_context2 *none = secp256k1_context_create2(SECP256K1_CONTEXT_NONE);
21  secp256k1_context2 *sign = secp256k1_context_create2(SECP256K1_CONTEXT_SIGN);
22  secp256k1_context2 *vrfy = secp256k1_context_create2(SECP256K1_CONTEXT_VERIFY);
23  secp256k1_context2 *both = secp256k1_context_create2(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY);
24  secp256k1_scratch *scratch = secp256k1_scratch_space_create(ctx, 1024 * 1024);
25  secp256k1_generator value_gen;
26  secp256k1_bulletproof_generators *gens;
27  secp256k1_pedersen_commitment pcommit[4];
28  const secp256k1_pedersen_commitment *pcommit_arr[1];
29  unsigned char proof[2000];
30  const unsigned char *proof_ptr = proof;
31  const unsigned char blind[32] = " i am not a blinding factor ";
32  const unsigned char *blind_ptr[4];
33  size_t blindlen = sizeof(blind);
34  size_t plen = sizeof(proof);
35  uint64_t value[4] = { 1234, 4567, 8910, 1112 } ;
36  uint64_t min_value[4] = { 1000, 4567, 0, 5000 } ;
37  const uint64_t *mv_ptr = min_value;
38  unsigned char rewind_blind[32];
39  size_t rewind_v;
40 
41  int32_t ecount = 0;
42 
43  blind_ptr[0] = blind;
44  blind_ptr[1] = blind;
45  blind_ptr[2] = blind;
46  blind_ptr[3] = blind;
47  pcommit_arr[0] = pcommit;
48 
49  secp256k1_context_set_error_callback(none, counting_illegal_callback_fn, &ecount);
50  secp256k1_context_set_error_callback(sign, counting_illegal_callback_fn, &ecount);
51  secp256k1_context_set_error_callback(vrfy, counting_illegal_callback_fn, &ecount);
52  secp256k1_context_set_error_callback(both, counting_illegal_callback_fn, &ecount);
53  secp256k1_context_set_illegal_callback(none, counting_illegal_callback_fn, &ecount);
54  secp256k1_context_set_illegal_callback(sign, counting_illegal_callback_fn, &ecount);
55  secp256k1_context_set_illegal_callback(vrfy, counting_illegal_callback_fn, &ecount);
56  secp256k1_context_set_illegal_callback(both, counting_illegal_callback_fn, &ecount);
57 
58  CHECK(secp256k1_generator_generate(both, &value_gen, blind) != 0);
59  CHECK(secp256k1_pedersen_commit(both, &pcommit[0], blind, value[0], &value_gen, &secp256k1_generator_const_h) != 0);
60  CHECK(secp256k1_pedersen_commit(both, &pcommit[1], blind, value[1], &value_gen, &secp256k1_generator_const_h) != 0);
61  CHECK(secp256k1_pedersen_commit(both, &pcommit[2], blind, value[2], &value_gen, &secp256k1_generator_const_h) != 0);
62  CHECK(secp256k1_pedersen_commit(both, &pcommit[3], blind, value[3], &value_gen, &secp256k1_generator_const_h) != 0);
63 
64  /* generators */
65  gens = secp256k1_bulletproof_generators_create(none, NULL, 256);
66  CHECK(gens == NULL && ecount == 1);
67  gens = secp256k1_bulletproof_generators_create(none, &secp256k1_generator_const_h, 256);
68  CHECK(gens != NULL && ecount == 1);
69 
70  /* rangeproof_prove */
71  ecount = 0;
72 
73  CHECK(secp256k1_bulletproof_rangeproof_prove(both, scratch, gens, proof, &plen, value, min_value, blind_ptr, 1, &value_gen, 64, blind, blind, 32) == 1);
74 
75  /* rangeproof_verify */
76  /*ecount = 0;
77  CHECK(secp256k1_bulletproof_rangeproof_verify(none, scratch, gens, proof, plen, min_value, pcommit, 1, 64, &value_gen, blind, 32) == 0);
78  CHECK(ecount == 1);
79  CHECK(secp256k1_bulletproof_rangeproof_verify(sign, scratch, gens, proof, plen, min_value, pcommit, 1, 64, &value_gen, blind, 32) == 0);
80  CHECK(ecount == 2);*/
81  CHECK(secp256k1_bulletproof_rangeproof_verify(vrfy, scratch, gens, proof, plen, min_value, pcommit, 1, 64, &value_gen, blind, 32) == 1);
82  CHECK(secp256k1_bulletproof_rangeproof_verify(both, scratch, gens, proof, plen, min_value, pcommit, 1, 64, &value_gen, blind, 32) == 1);
83 
84  CHECK(secp256k1_bulletproof_rangeproof_verify(both, scratch, gens, proof, plen, min_value, pcommit, 1, 63, &value_gen, blind, 32) == 0);
85  CHECK(ecount == 2);
86  CHECK(secp256k1_bulletproof_rangeproof_verify(both, scratch, gens, proof, plen - 1, min_value, pcommit, 1, 63, &value_gen, blind, 32) == 0);
87  CHECK(ecount == 2);
88  CHECK(secp256k1_bulletproof_rangeproof_verify(both, scratch, gens, proof, 0, min_value, pcommit, 1, 63, &value_gen, blind, 32) == 0);
89  CHECK(ecount == 2);
90  CHECK(secp256k1_bulletproof_rangeproof_verify(both, scratch, gens, proof, plen, min_value, pcommit, 1, 64, &value_gen, blind, 31) == 0);
91  CHECK(ecount == 2);
92  CHECK(secp256k1_bulletproof_rangeproof_verify(both, scratch, gens, proof, plen, min_value, pcommit, 1, 64, &value_gen, NULL, 0) == 0);
93  CHECK(ecount == 2);
94  CHECK(secp256k1_bulletproof_rangeproof_verify(both, scratch, gens, proof, plen, min_value, pcommit, 2, 64, &value_gen, blind, 32) == 0);
95  CHECK(ecount == 2);
96  CHECK(secp256k1_bulletproof_rangeproof_verify(both, scratch, gens, proof, plen, min_value, pcommit, 4, 64, &value_gen, blind, 32) == 0);
97  CHECK(ecount == 3);
98 
99  CHECK(secp256k1_bulletproof_rangeproof_verify(both, NULL, gens, proof, plen, min_value, pcommit, 1, 64, &value_gen, blind, 32) == 0);
100  CHECK(ecount == 4);
101  CHECK(secp256k1_bulletproof_rangeproof_verify(both, scratch, NULL, proof, plen, min_value, pcommit, 1, 64, &value_gen, blind, 32) == 0);
102  CHECK(ecount == 5);
103  CHECK(secp256k1_bulletproof_rangeproof_verify(both, scratch, gens, NULL, plen, min_value, pcommit, 1, 64, &value_gen, blind, 32) == 0);
104  CHECK(ecount == 6);
105  CHECK(secp256k1_bulletproof_rangeproof_verify(both, scratch, gens, proof, plen, NULL, pcommit, 1, 64, &value_gen, blind, 32) == 0);
106  CHECK(ecount == 6);
107  CHECK(secp256k1_bulletproof_rangeproof_verify(both, scratch, gens, proof, plen, min_value, NULL, 1, 64, &value_gen, blind, 32) == 0);
108  CHECK(ecount == 7);
109  CHECK(secp256k1_bulletproof_rangeproof_verify(both, scratch, gens, proof, plen, min_value, pcommit, 0, 64, &value_gen, blind, 32) == 0);
110  CHECK(ecount == 8);
111  CHECK(secp256k1_bulletproof_rangeproof_verify(both, scratch, gens, proof, plen, min_value, pcommit, 1, 65, &value_gen, blind, 32) == 0);
112  CHECK(ecount == 9);
113  CHECK(secp256k1_bulletproof_rangeproof_verify(both, scratch, gens, proof, plen, min_value, pcommit, 1, 0, &value_gen, blind, 32) == 0);
114  CHECK(ecount == 10);
115  CHECK(secp256k1_bulletproof_rangeproof_verify(both, scratch, gens, proof, plen, min_value, pcommit, 1, 64, NULL, blind, 32) == 0);
116  CHECK(ecount == 11);
117  CHECK(secp256k1_bulletproof_rangeproof_verify(both, scratch, gens, proof, plen, min_value, pcommit, 1, 64, &value_gen, NULL, 32) == 0);
118  CHECK(ecount == 12);
119  CHECK(secp256k1_bulletproof_rangeproof_verify(both, scratch, gens, proof, plen, min_value, pcommit, 1, 64, &value_gen, blind, 0) == 0);
120  CHECK(ecount == 12);
121 }
122 
123 void build_proof(const uint64_t* value, int size, unsigned char* proof, size_t* plen, secp256k1_pedersen_commitment* pcommit) {
124  secp256k1_context2 *both = secp256k1_context_create2(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY);
125  secp256k1_scratch *scratch = secp256k1_scratch_space_create(both, 1024 * 1024);
126  secp256k1_bulletproof_generators *gens;
127  const unsigned char *proof_ptr = proof;
128  const unsigned char blind[32] = " i am not a blinding factor ";
129  plen = 2000;
130  uint64_t min_value[4] = { 0, 0, 0, 5000 } ;
131  const unsigned char *blind_ptr[4];
132  blind_ptr[0] = blind;
133  blind_ptr[1] = blind;
134  blind_ptr[2] = blind;
135  blind_ptr[3] = blind;
136 
137  int32_t ecount = 0;
138 
139  CHECK(secp256k1_pedersen_commit(both, &pcommit[0], blind, value[0], &secp256k1_generator_const_g, &secp256k1_generator_const_h) != 0);
140  CHECK(secp256k1_pedersen_commit(both, &pcommit[1], blind, value[1], &secp256k1_generator_const_g, &secp256k1_generator_const_h) != 0);
141  CHECK(secp256k1_pedersen_commit(both, &pcommit[2], blind, value[2], &secp256k1_generator_const_g, &secp256k1_generator_const_h) != 0);
142  CHECK(secp256k1_pedersen_commit(both, &pcommit[3], blind, value[3], &secp256k1_generator_const_g, &secp256k1_generator_const_h) != 0);
143 
144  /* generators
145  // gens = secp256k1_bulletproof_generators_create(none, NULL, 256);
146  // CHECK(gens == NULL && ecount == 1);*/
147  gens = secp256k1_bulletproof_generators_create(both, &secp256k1_generator_const_h, 256);
148  CHECK(gens != NULL);
149 
150  CHECK(secp256k1_bulletproof_rangeproof_prove(both, scratch, gens, proof, &plen, value, min_value, blind_ptr, 1, &secp256k1_generator_const_g, 64, blind, NULL, 0) == 1);
151 }
152 
153 void verify_proof(unsigned char* proof, size_t plen, secp256k1_pedersen_commitment* pcommit) {
154  secp256k1_context2 *both = secp256k1_context_create2(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY);
155  secp256k1_scratch *scratch = secp256k1_scratch_space_create(both, 1024 * 1024);
156  secp256k1_bulletproof_generators *gens;
157  const unsigned char *proof_ptr = proof;
158  const unsigned char blind[32] = " i am not a blinding factor ";
159  uint64_t min_value[4] = { 0, 0, 0, 5000 } ;
160  gens = secp256k1_bulletproof_generators_create(both, &secp256k1_generator_const_h, 256);
161  CHECK(gens != NULL);
162  /* rangeproof_verify */
163  CHECK(secp256k1_bulletproof_rangeproof_verify(both, scratch, gens, proof, plen, min_value, pcommit, 1, 64, &secp256k1_generator_const_g, NULL, 0) == 1);
164 }
165 
166 static void test_build_verify() {
167  secp256k1_context2 *both = secp256k1_context_create2(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY);
168  secp256k1_scratch *scratch = secp256k1_scratch_space_create(both, 1024 * 1024);
169  secp256k1_generator value_gen;
170  secp256k1_bulletproof_generators *gens;
171  secp256k1_pedersen_commitment pcommit[4];
172  const secp256k1_pedersen_commitment *pcommit_arr[1];
173  unsigned char proof[2000];
174  const unsigned char *proof_ptr = proof;
175  const unsigned char blind[32] = " i am not a blinding factor ";
176  const unsigned char *blind_ptr[4];
177  size_t blindlen = sizeof(blind);
178  size_t plen = sizeof(proof);
179  uint64_t value[4] = { 1234, 4567, 8910, 1112 } ;
180  uint64_t min_value[4] = { 0, 0, 0, 5000 } ;
181  const uint64_t *mv_ptr = min_value;
182  unsigned char rewind_blind[32];
183  size_t rewind_v;
184 
185  int32_t ecount = 0;
186 
187  blind_ptr[0] = blind;
188  blind_ptr[1] = blind;
189  blind_ptr[2] = blind;
190  blind_ptr[3] = blind;
191  pcommit_arr[0] = pcommit;
192 
193  /*CHECK(secp256k1_generator_generate(both, &value_gen, blind) != 0);*/
194  CHECK(secp256k1_pedersen_commit(both, &pcommit[0], blind, value[0], &secp256k1_generator_const_g, &secp256k1_generator_const_h) != 0);
195  CHECK(secp256k1_pedersen_commit(both, &pcommit[1], blind, value[1], &secp256k1_generator_const_g, &secp256k1_generator_const_h) != 0);
196  CHECK(secp256k1_pedersen_commit(both, &pcommit[2], blind, value[2], &secp256k1_generator_const_g, &secp256k1_generator_const_h) != 0);
197  CHECK(secp256k1_pedersen_commit(both, &pcommit[3], blind, value[3], &secp256k1_generator_const_g, &secp256k1_generator_const_h) != 0);
198 
199  /* generators
200 // gens = secp256k1_bulletproof_generators_create(none, NULL, 256);
201 // CHECK(gens == NULL && ecount == 1);*/
202  gens = secp256k1_bulletproof_generators_create(both, &secp256k1_generator_const_h, 256);
203  CHECK(gens != NULL);
204 
205  CHECK(secp256k1_bulletproof_rangeproof_prove(both, scratch, gens, proof, &plen, value, min_value, blind_ptr, 2, &secp256k1_generator_const_g, 64, blind, NULL, 0) == 1);
206 
207  /* rangeproof_verify */
208  ecount = 0;
209  CHECK(secp256k1_bulletproof_rangeproof_verify(both, scratch, gens, proof, plen, min_value, pcommit, 2, 64, &secp256k1_generator_const_g, NULL, 0) == 1);
210 }
211 
212 static void test_bulletproof_api(void) {
213  secp256k1_context2 *none = secp256k1_context_create2(SECP256K1_CONTEXT_NONE);
214  secp256k1_context2 *sign = secp256k1_context_create2(SECP256K1_CONTEXT_SIGN);
215  secp256k1_context2 *vrfy = secp256k1_context_create2(SECP256K1_CONTEXT_VERIFY);
216  secp256k1_context2 *both = secp256k1_context_create2(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY);
217  secp256k1_scratch *scratch = secp256k1_scratch_space_create(both, 1024 * 1024);
218  secp256k1_generator value_gen;
219  secp256k1_bulletproof_generators *gens;
220  secp256k1_pedersen_commitment pcommit[4];
221  const secp256k1_pedersen_commitment *pcommit_arr[1];
222  unsigned char proof[2000];
223  const unsigned char *proof_ptr = proof;
224  const unsigned char blind[32] = " i am not a blinding factor ";
225  const unsigned char *blind_ptr[4];
226  size_t blindlen = sizeof(blind);
227  size_t plen = sizeof(proof);
228  uint64_t value[4] = { 1234, 4567, 8910, 1112 } ;
229  uint64_t min_value[4] = { 1000, 4567, 0, 5000 } ;
230  const uint64_t *mv_ptr = min_value;
231  unsigned char rewind_blind[32];
232  size_t rewind_v;
233 
234  const char circ_desc_good[] = "2,0,0,4; L0 = 17; 2*L1 - L0 = 21; O0 = 1; O1 = 1;";
235  const char circ_desc_bad[] = "2,0,0,4; L0 = 17; 2*L1 - L0 = 21; O0 = 1; O1 x 1;";
236  secp256k1_bulletproof_circuit *circ;
237  const secp256k1_bulletproof_circuit *constcirc;
238  secp256k1_bulletproof_circuit_assignment *assn;
239 
240  int32_t ecount = 0;
241 
242  blind_ptr[0] = blind;
243  blind_ptr[1] = blind;
244  blind_ptr[2] = blind;
245  blind_ptr[3] = blind;
246  pcommit_arr[0] = pcommit;
247 
248  secp256k1_context_set_error_callback(none, counting_illegal_callback_fn, &ecount);
249  secp256k1_context_set_error_callback(sign, counting_illegal_callback_fn, &ecount);
250  secp256k1_context_set_error_callback(vrfy, counting_illegal_callback_fn, &ecount);
251  secp256k1_context_set_error_callback(both, counting_illegal_callback_fn, &ecount);
252  secp256k1_context_set_illegal_callback(none, counting_illegal_callback_fn, &ecount);
253  secp256k1_context_set_illegal_callback(sign, counting_illegal_callback_fn, &ecount);
254  secp256k1_context_set_illegal_callback(vrfy, counting_illegal_callback_fn, &ecount);
255  secp256k1_context_set_illegal_callback(both, counting_illegal_callback_fn, &ecount);
256 
257  CHECK(secp256k1_generator_generate(both, &value_gen, blind) != 0);
258  CHECK(secp256k1_pedersen_commit(both, &pcommit[0], blind, value[0], &value_gen, &secp256k1_generator_const_h) != 0);
259  CHECK(secp256k1_pedersen_commit(both, &pcommit[1], blind, value[1], &value_gen, &secp256k1_generator_const_h) != 0);
260  CHECK(secp256k1_pedersen_commit(both, &pcommit[2], blind, value[2], &value_gen, &secp256k1_generator_const_h) != 0);
261  CHECK(secp256k1_pedersen_commit(both, &pcommit[3], blind, value[3], &value_gen, &secp256k1_generator_const_h) != 0);
262 
263  /* generators */
264  gens = secp256k1_bulletproof_generators_create(none, NULL, 256);
265  CHECK(gens == NULL && ecount == 1);
266  gens = secp256k1_bulletproof_generators_create(none, &secp256k1_generator_const_h, 256);
267  CHECK(gens != NULL && ecount == 1);
268 
269  /* rangeproof_prove */
270  ecount = 0;
271  CHECK(secp256k1_bulletproof_rangeproof_prove(none, scratch, gens, proof, &plen, value, NULL, blind_ptr, 1, &value_gen, 64, blind, NULL, 0) == 0);
272  CHECK(ecount == 1);
273  CHECK(secp256k1_bulletproof_rangeproof_prove(sign, scratch, gens, proof, &plen, value, NULL, blind_ptr, 1, &value_gen, 64, blind, NULL, 0) == 0);
274  CHECK(ecount == 2);
275  CHECK(secp256k1_bulletproof_rangeproof_prove(vrfy, scratch, gens, proof, &plen, value, NULL, blind_ptr, 1, &value_gen, 64, blind, NULL, 0) == 0);
276  CHECK(ecount == 3);
277  CHECK(secp256k1_bulletproof_rangeproof_prove(both, scratch, gens, proof, &plen, value, NULL, blind_ptr, 1, &value_gen, 64, blind, NULL, 0) == 1);
278  CHECK(ecount == 3);
279  plen = 2000;
280  CHECK(secp256k1_bulletproof_rangeproof_prove(both, scratch, gens, proof, &plen, value, NULL, blind_ptr, 2, &value_gen, 64, blind, NULL, 0) == 1);
281  CHECK(ecount == 3);
282  plen = 2000;
283  CHECK(secp256k1_bulletproof_rangeproof_prove(both, scratch, gens, proof, &plen, value, NULL, blind_ptr, 4, &value_gen, 64, blind, NULL, 0) == 0); /* too few gens */
284  CHECK(ecount == 4);
285 
286  CHECK(secp256k1_bulletproof_rangeproof_prove(both, scratch, gens, proof, &plen, value, min_value, blind_ptr, 2, &value_gen, 64, blind, NULL, 0) == 1); /* mv = v, ok */
287  CHECK(ecount == 4);
288  CHECK(secp256k1_bulletproof_rangeproof_prove(both, scratch, gens, proof, &plen, &value[1], &min_value[1], blind_ptr, 2, &value_gen, 64, blind, NULL, 0) == 1); /* mv = 0, ok */
289  CHECK(ecount == 4);
290  CHECK(secp256k1_bulletproof_rangeproof_prove(both, scratch, gens, proof, &plen, &value[2], &min_value[2], blind_ptr, 2, &value_gen, 64, blind, NULL, 0) == 0); /* mv > v, !ok */
291  CHECK(ecount == 4);
292 
293  CHECK(secp256k1_bulletproof_rangeproof_prove(both, NULL, gens, proof, &plen, value, NULL, blind_ptr, 1, &value_gen, 64, blind, NULL, 0) == 0);
294  CHECK(ecount == 5);
295  CHECK(secp256k1_bulletproof_rangeproof_prove(both, scratch, NULL, proof, &plen, value, NULL, blind_ptr, 1, &value_gen, 64, blind, NULL, 0) == 0);
296  CHECK(ecount == 6);
297  CHECK(secp256k1_bulletproof_rangeproof_prove(both, scratch, gens, NULL, &plen, value, NULL, blind_ptr, 1, &value_gen, 64, blind, NULL, 0) == 0);
298  CHECK(ecount == 7);
299  CHECK(secp256k1_bulletproof_rangeproof_prove(both, scratch, gens, proof, NULL, value, NULL, blind_ptr, 1, &value_gen, 64, blind, NULL, 0) == 0);
300  CHECK(ecount == 8);
301  CHECK(secp256k1_bulletproof_rangeproof_prove(both, scratch, gens, proof, &plen, NULL, NULL, blind_ptr, 1, &value_gen, 64, blind, NULL, 0) == 0);
302  CHECK(ecount == 9);
303  CHECK(secp256k1_bulletproof_rangeproof_prove(both, scratch, gens, proof, &plen, value, NULL, NULL, 1, &value_gen, 64, blind, NULL, 0) == 0);
304  CHECK(ecount == 10);
305  CHECK(secp256k1_bulletproof_rangeproof_prove(both, scratch, gens, proof, &plen, value, NULL, blind_ptr, 0, &value_gen, 64, blind, NULL, 0) == 0);
306  CHECK(ecount == 11);
307  CHECK(secp256k1_bulletproof_rangeproof_prove(both, scratch, gens, proof, &plen, value, NULL, blind_ptr, 1, NULL, 64, blind, NULL, 0) == 0);
308  CHECK(ecount == 12);
309  CHECK(secp256k1_bulletproof_rangeproof_prove(both, scratch, gens, proof, &plen, value, NULL, blind_ptr, 1, &value_gen, 0, blind, NULL, 0) == 0);
310  CHECK(ecount == 13);
311  CHECK(secp256k1_bulletproof_rangeproof_prove(both, scratch, gens, proof, &plen, value, NULL, blind_ptr, 1, &value_gen, 65, blind, NULL, 0) == 0);
312  CHECK(ecount == 14);
313  CHECK(secp256k1_bulletproof_rangeproof_prove(both, scratch, gens, proof, &plen, value, NULL, blind_ptr, 1, &value_gen, -1, blind, NULL, 0) == 0);
314  CHECK(ecount == 15);
315  CHECK(secp256k1_bulletproof_rangeproof_prove(both, scratch, gens, proof, &plen, value, NULL, blind_ptr, 1, &value_gen, 64, NULL, NULL, 0) == 0);
316  CHECK(ecount == 16);
317  CHECK(secp256k1_bulletproof_rangeproof_prove(both, scratch, gens, proof, &plen, value, NULL, blind_ptr, 1, &value_gen, 64, blind, blind, 0) == 1);
318  CHECK(ecount == 16);
319  CHECK(secp256k1_bulletproof_rangeproof_prove(both, scratch, gens, proof, &plen, value, min_value, blind_ptr, 1, &value_gen, 64, blind, blind, 32) == 1);
320  CHECK(ecount == 16);
321 
322  /* rangeproof_verify */
323  ecount = 0;
324  CHECK(secp256k1_bulletproof_rangeproof_verify(none, scratch, gens, proof, plen, min_value, pcommit, 1, 64, &value_gen, blind, 32) == 0);
325  CHECK(ecount == 1);
326  CHECK(secp256k1_bulletproof_rangeproof_verify(sign, scratch, gens, proof, plen, min_value, pcommit, 1, 64, &value_gen, blind, 32) == 0);
327  CHECK(ecount == 2);
328  CHECK(secp256k1_bulletproof_rangeproof_verify(vrfy, scratch, gens, proof, plen, min_value, pcommit, 1, 64, &value_gen, blind, 32) == 1);
329  CHECK(ecount == 2);
330  CHECK(secp256k1_bulletproof_rangeproof_verify(both, scratch, gens, proof, plen, min_value, pcommit, 1, 64, &value_gen, blind, 32) == 1);
331  CHECK(ecount == 2);
332 
333  CHECK(secp256k1_bulletproof_rangeproof_verify(both, scratch, gens, proof, plen, min_value, pcommit, 1, 63, &value_gen, blind, 32) == 0);
334  CHECK(ecount == 2);
335  CHECK(secp256k1_bulletproof_rangeproof_verify(both, scratch, gens, proof, plen - 1, min_value, pcommit, 1, 63, &value_gen, blind, 32) == 0);
336  CHECK(ecount == 2);
337  CHECK(secp256k1_bulletproof_rangeproof_verify(both, scratch, gens, proof, 0, min_value, pcommit, 1, 63, &value_gen, blind, 32) == 0);
338  CHECK(ecount == 2);
339  CHECK(secp256k1_bulletproof_rangeproof_verify(both, scratch, gens, proof, plen, min_value, pcommit, 1, 64, &value_gen, blind, 31) == 0);
340  CHECK(ecount == 2);
341  CHECK(secp256k1_bulletproof_rangeproof_verify(both, scratch, gens, proof, plen, min_value, pcommit, 1, 64, &value_gen, NULL, 0) == 0);
342  CHECK(ecount == 2);
343  CHECK(secp256k1_bulletproof_rangeproof_verify(both, scratch, gens, proof, plen, min_value, pcommit, 2, 64, &value_gen, blind, 32) == 0);
344  CHECK(ecount == 2);
345  CHECK(secp256k1_bulletproof_rangeproof_verify(both, scratch, gens, proof, plen, min_value, pcommit, 4, 64, &value_gen, blind, 32) == 0);
346  CHECK(ecount == 3);
347 
348  CHECK(secp256k1_bulletproof_rangeproof_verify(both, NULL, gens, proof, plen, min_value, pcommit, 1, 64, &value_gen, blind, 32) == 0);
349  CHECK(ecount == 4);
350  CHECK(secp256k1_bulletproof_rangeproof_verify(both, scratch, NULL, proof, plen, min_value, pcommit, 1, 64, &value_gen, blind, 32) == 0);
351  CHECK(ecount == 5);
352  CHECK(secp256k1_bulletproof_rangeproof_verify(both, scratch, gens, NULL, plen, min_value, pcommit, 1, 64, &value_gen, blind, 32) == 0);
353  CHECK(ecount == 6);
354  CHECK(secp256k1_bulletproof_rangeproof_verify(both, scratch, gens, proof, plen, NULL, pcommit, 1, 64, &value_gen, blind, 32) == 0);
355  CHECK(ecount == 6);
356  CHECK(secp256k1_bulletproof_rangeproof_verify(both, scratch, gens, proof, plen, min_value, NULL, 1, 64, &value_gen, blind, 32) == 0);
357  CHECK(ecount == 7);
358  CHECK(secp256k1_bulletproof_rangeproof_verify(both, scratch, gens, proof, plen, min_value, pcommit, 0, 64, &value_gen, blind, 32) == 0);
359  CHECK(ecount == 8);
360  CHECK(secp256k1_bulletproof_rangeproof_verify(both, scratch, gens, proof, plen, min_value, pcommit, 1, 65, &value_gen, blind, 32) == 0);
361  CHECK(ecount == 9);
362  CHECK(secp256k1_bulletproof_rangeproof_verify(both, scratch, gens, proof, plen, min_value, pcommit, 1, 0, &value_gen, blind, 32) == 0);
363  CHECK(ecount == 10);
364  CHECK(secp256k1_bulletproof_rangeproof_verify(both, scratch, gens, proof, plen, min_value, pcommit, 1, 64, NULL, blind, 32) == 0);
365  CHECK(ecount == 11);
366  CHECK(secp256k1_bulletproof_rangeproof_verify(both, scratch, gens, proof, plen, min_value, pcommit, 1, 64, &value_gen, NULL, 32) == 0);
367  CHECK(ecount == 12);
368  CHECK(secp256k1_bulletproof_rangeproof_verify(both, scratch, gens, proof, plen, min_value, pcommit, 1, 64, &value_gen, blind, 0) == 0);
369  CHECK(ecount == 12);
370 
371  /* verify_multi */
372  ecount = 0;
373  CHECK(secp256k1_bulletproof_rangeproof_verify_multi(none, scratch, gens, &proof_ptr, 1, plen, &mv_ptr, pcommit_arr, 1, 64, &value_gen, blind_ptr, &blindlen) == 0);
374  CHECK(ecount == 1);
375  CHECK(secp256k1_bulletproof_rangeproof_verify_multi(sign, scratch, gens, &proof_ptr, 1, plen, &mv_ptr, pcommit_arr, 1, 64, &value_gen, blind_ptr, &blindlen) == 0);
376  CHECK(ecount == 2);
377  CHECK(secp256k1_bulletproof_rangeproof_verify_multi(vrfy, scratch, gens, &proof_ptr, 1, plen, &mv_ptr, pcommit_arr, 1, 64, &value_gen, blind_ptr, &blindlen) == 1);
378  CHECK(ecount == 2);
379  CHECK(secp256k1_bulletproof_rangeproof_verify_multi(both, scratch, gens, &proof_ptr, 1, plen, &mv_ptr, pcommit_arr, 1, 64, &value_gen, blind_ptr, &blindlen) == 1);
380  CHECK(ecount == 2);
381 
382  CHECK(secp256k1_bulletproof_rangeproof_verify_multi(both, NULL, gens, &proof_ptr, 1, plen, &mv_ptr, pcommit_arr, 1, 64, &value_gen, blind_ptr, &blindlen) == 0);
383  CHECK(ecount == 3);
384  CHECK(secp256k1_bulletproof_rangeproof_verify_multi(both, scratch, NULL, &proof_ptr, 1, plen, &mv_ptr, pcommit_arr, 1, 64, &value_gen, blind_ptr, &blindlen) == 0);
385  CHECK(ecount == 4);
386  CHECK(secp256k1_bulletproof_rangeproof_verify_multi(both, scratch, gens, NULL, 1, plen, &mv_ptr, pcommit_arr, 1, 64, &value_gen, blind_ptr, &blindlen) == 0);
387  CHECK(ecount == 5);
388  CHECK(secp256k1_bulletproof_rangeproof_verify_multi(both, scratch, gens, &proof_ptr, 0, plen, &mv_ptr, pcommit_arr, 1, 64, &value_gen, blind_ptr, &blindlen) == 0);
389  CHECK(ecount == 6);
390  CHECK(secp256k1_bulletproof_rangeproof_verify_multi(both, scratch, gens, &proof_ptr, 1, plen, NULL, pcommit_arr, 1, 64, &value_gen, blind_ptr, &blindlen) == 0);
391  CHECK(ecount == 6);
392  CHECK(secp256k1_bulletproof_rangeproof_verify_multi(both, scratch, gens, &proof_ptr, 1, plen, &mv_ptr, NULL, 1, 64, &value_gen, blind_ptr, &blindlen) == 0);
393  CHECK(ecount == 7);
394  CHECK(secp256k1_bulletproof_rangeproof_verify_multi(both, scratch, gens, &proof_ptr, 1, plen, &mv_ptr, pcommit_arr, 1, 64, NULL, blind_ptr, &blindlen) == 0);
395  CHECK(ecount == 8);
396  CHECK(secp256k1_bulletproof_rangeproof_verify_multi(both, scratch, gens, &proof_ptr, 1, plen, &mv_ptr, pcommit_arr, 1, 64, &value_gen, NULL, &blindlen) == 0);
397  CHECK(ecount == 9);
398  CHECK(secp256k1_bulletproof_rangeproof_verify_multi(both, scratch, gens, &proof_ptr, 1, plen, &mv_ptr, pcommit_arr, 1, 64, &value_gen, blind_ptr, NULL) == 0);
399  CHECK(ecount == 10);
400  CHECK(secp256k1_bulletproof_rangeproof_verify_multi(both, scratch, gens, &proof_ptr, 1, plen, &mv_ptr, pcommit_arr, 1, 64, &value_gen, NULL, NULL) == 0);
401  CHECK(ecount == 10);
402 
403  CHECK(secp256k1_bulletproof_rangeproof_verify_multi(both, scratch, gens, &proof_ptr, 1, plen, &mv_ptr, pcommit_arr, 0, 64, &value_gen, blind_ptr, &blindlen) == 0);
404  CHECK(ecount == 11);
405  CHECK(secp256k1_bulletproof_rangeproof_verify_multi(both, scratch, gens, &proof_ptr, 1, plen, &mv_ptr, pcommit_arr, 1, 65, &value_gen, blind_ptr, &blindlen) == 0);
406  CHECK(ecount == 12);
407  CHECK(secp256k1_bulletproof_rangeproof_verify_multi(both, scratch, gens, &proof_ptr, 1, plen, &mv_ptr, pcommit_arr, 1, 63, &value_gen, blind_ptr, &blindlen) == 0);
408  CHECK(ecount == 12);
409  CHECK(secp256k1_bulletproof_rangeproof_verify_multi(both, scratch, gens, &proof_ptr, 1, plen, &mv_ptr, pcommit_arr, 1, 0, &value_gen, blind_ptr, &blindlen) == 0);
410  CHECK(ecount == 13);
411  CHECK(secp256k1_bulletproof_rangeproof_verify_multi(both, scratch, gens, &proof_ptr, 1, plen, &mv_ptr, pcommit_arr, 2, 64, &value_gen, blind_ptr, &blindlen) == 0);
412  CHECK(ecount == 13);
413  CHECK(secp256k1_bulletproof_rangeproof_verify_multi(both, scratch, gens, &proof_ptr, 1, plen, &mv_ptr, pcommit_arr, 4, 64, &value_gen, blind_ptr, &blindlen) == 0);
414  CHECK(ecount == 14);
415 
416  /* Rewind */
417  ecount = 0;
418  CHECK(secp256k1_bulletproof_rangeproof_rewind(none, gens, &rewind_v, rewind_blind, proof, plen, min_value[0], pcommit, &value_gen, blind, blind, 32) == 1);
419  CHECK(ecount == 0);
420  CHECK(secp256k1_bulletproof_rangeproof_rewind(none, NULL, &rewind_v, rewind_blind, proof, plen, min_value[0], pcommit, &value_gen, blind, blind, 32) == 0);
421  CHECK(ecount == 1);
422  CHECK(secp256k1_bulletproof_rangeproof_rewind(none, gens, NULL, rewind_blind, proof, plen, min_value[0], pcommit, &value_gen, blind, blind, 32) == 0);
423  CHECK(ecount == 2);
424  CHECK(secp256k1_bulletproof_rangeproof_rewind(none, gens, &rewind_v, NULL, proof, plen, min_value[0], pcommit, &value_gen, blind, blind, 32) == 0);
425  CHECK(ecount == 3);
426  CHECK(secp256k1_bulletproof_rangeproof_rewind(none, gens, &rewind_v, rewind_blind, NULL, plen, min_value[0], pcommit, &value_gen, blind, blind, 32) == 0);
427  CHECK(ecount == 4);
428  CHECK(secp256k1_bulletproof_rangeproof_rewind(none, gens, &rewind_v, rewind_blind, proof, 0, min_value[0], pcommit, &value_gen, blind, blind, 32) == 0);
429  CHECK(ecount == 4);
430  CHECK(secp256k1_bulletproof_rangeproof_rewind(none, gens, &rewind_v, rewind_blind, proof, plen, 0, pcommit, &value_gen, blind, blind, 32) == 0);
431  CHECK(ecount == 4);
432  CHECK(secp256k1_bulletproof_rangeproof_rewind(none, gens, &rewind_v, rewind_blind, proof, plen, min_value[0], NULL, &value_gen, blind, blind, 32) == 0);
433  CHECK(ecount == 5);
434  CHECK(secp256k1_bulletproof_rangeproof_rewind(none, gens, &rewind_v, rewind_blind, proof, plen, min_value[0], pcommit, NULL, blind, blind, 32) == 0);
435  CHECK(ecount == 6);
436  CHECK(secp256k1_bulletproof_rangeproof_rewind(none, gens, &rewind_v, rewind_blind, proof, plen, min_value[0], pcommit, &value_gen, NULL, blind, 32) == 0);
437  CHECK(ecount == 7);
438  CHECK(secp256k1_bulletproof_rangeproof_rewind(none, gens, &rewind_v, rewind_blind, proof, plen, min_value[0], pcommit, &value_gen, blind, NULL, 32) == 0);
439  CHECK(ecount == 8);
440  CHECK(secp256k1_bulletproof_rangeproof_rewind(none, gens, &rewind_v, rewind_blind, proof, plen, min_value[0], pcommit, &value_gen, blind, blind, 0) == 0);
441  CHECK(ecount == 8);
442  CHECK(secp256k1_bulletproof_rangeproof_rewind(none, gens, &rewind_v, rewind_blind, proof, plen, min_value[0], pcommit, &value_gen, blind, NULL, 0) == 0);
443  CHECK(ecount == 8);
444 
445  /* Circuit stuff */
446  ecount = 0;
447  circ = secp256k1_bulletproof_circuit_parse(none, NULL);
448  CHECK(circ == NULL && ecount == 1);
449  circ = secp256k1_bulletproof_circuit_parse(none, circ_desc_bad);
450  CHECK(circ == NULL && ecount == 1);
451  circ = secp256k1_bulletproof_circuit_parse(none, circ_desc_good);
452  CHECK(circ != NULL && ecount == 1);
453  secp256k1_bulletproof_circuit_destroy(none, circ);
454  secp256k1_bulletproof_circuit_destroy(none, NULL);
455 
456  circ = secp256k1_bulletproof_circuit_decode(none, "src/modules/bulletproofs/bin_circuits/pedersen-3.filenotfound");
457  CHECK(circ == NULL && ecount == 1);
458  circ = secp256k1_bulletproof_circuit_decode(none, NULL);
459  CHECK(circ == NULL && ecount == 2);
460  circ = secp256k1_bulletproof_circuit_decode(none, "src/modules/bulletproofs/bin_circuits/pedersen-3.circ");
461  constcirc = circ;
462  CHECK(circ != NULL && ecount == 2);
463 
464  assn = secp256k1_bulletproof_circuit_assignment_decode(none, "src/modules/bulletproofs/bin_circuits/pedersen-3.filenotfound");
465  CHECK(assn == NULL && ecount == 2);
466  assn = secp256k1_bulletproof_circuit_assignment_decode(none, NULL);
467  CHECK(assn == NULL && ecount == 3);
468  assn = secp256k1_bulletproof_circuit_assignment_decode(none, "src/modules/bulletproofs/bin_circuits/pedersen-3.assn");
469  CHECK(assn != NULL && ecount == 3);
470 
471  plen = 2000;
472  CHECK(secp256k1_bulletproof_circuit_prove(none, scratch, gens, circ, proof, &plen, assn, NULL, 0, blind, &value_gen, blind, 32) == 0);
473  CHECK(ecount == 4);
474  CHECK(secp256k1_bulletproof_circuit_prove(sign, scratch, gens, circ, proof, &plen, assn, NULL, 0, blind, &value_gen, blind, 32) == 0);
475  CHECK(ecount == 5);
476  CHECK(secp256k1_bulletproof_circuit_prove(vrfy, scratch, gens, circ, proof, &plen, assn, NULL, 0, blind, &value_gen, blind, 32) == 1);
477  CHECK(ecount == 5);
478  CHECK(secp256k1_bulletproof_circuit_prove(both, scratch, gens, circ, proof, &plen, assn, NULL, 0, blind, &value_gen, blind, 32) == 1);
479  CHECK(ecount == 5);
480  CHECK(secp256k1_bulletproof_circuit_prove(both, scratch, gens, circ, proof, &plen, assn, NULL, 0, blind, &value_gen, NULL, 32) == 0);
481  CHECK(ecount == 6);
482  CHECK(secp256k1_bulletproof_circuit_prove(both, scratch, gens, circ, proof, &plen, assn, NULL, 0, blind, &value_gen, NULL, 0) == 1);
483  CHECK(ecount == 6);
484 
485  CHECK(secp256k1_bulletproof_circuit_prove(both, NULL, gens, circ, proof, &plen, assn, NULL, 0, blind, &value_gen, NULL, 0) == 0);
486  CHECK(ecount == 7);
487  CHECK(secp256k1_bulletproof_circuit_prove(both, scratch, NULL, circ, proof, &plen, assn, NULL, 0, blind, &value_gen, NULL, 0) == 0);
488  CHECK(ecount == 8);
489  CHECK(secp256k1_bulletproof_circuit_prove(both, scratch, gens, NULL, proof, &plen, assn, NULL, 0, blind, &value_gen, NULL, 0) == 0);
490  CHECK(ecount == 9);
491  CHECK(secp256k1_bulletproof_circuit_prove(both, scratch, gens, circ, NULL, &plen, assn, NULL, 0, blind, &value_gen, NULL, 0) == 0);
492  CHECK(ecount == 10);
493  CHECK(secp256k1_bulletproof_circuit_prove(both, scratch, gens, circ, proof, NULL, assn, NULL, 0, blind, &value_gen, NULL, 0) == 0);
494  CHECK(ecount == 11);
495  CHECK(secp256k1_bulletproof_circuit_prove(both, scratch, gens, circ, proof, &plen, NULL, NULL, 0, blind, &value_gen, NULL, 0) == 0);
496  CHECK(ecount == 12);
497  CHECK(secp256k1_bulletproof_circuit_prove(both, scratch, gens, circ, proof, &plen, assn, NULL, 0, NULL, &value_gen, NULL, 0) == 0);
498  CHECK(ecount == 13);
499  CHECK(secp256k1_bulletproof_circuit_prove(both, scratch, gens, circ, proof, &plen, assn, NULL, 0, blind, NULL, NULL, 0) == 0);
500  CHECK(ecount == 14);
501 
502  CHECK(secp256k1_bulletproof_circuit_prove(both, scratch, gens, circ, proof, &plen, assn, NULL, 0, blind, &value_gen, blind, 32) == 1);
503  CHECK(ecount == 14);
504 
505  CHECK(secp256k1_bulletproof_circuit_verify(none, scratch, gens, circ, proof, plen, NULL, 0, &value_gen, blind, 32) == 0);
506  CHECK(ecount == 15);
507  CHECK(secp256k1_bulletproof_circuit_verify(sign, scratch, gens, circ, proof, plen, NULL, 0, &value_gen, blind, 32) == 0);
508  CHECK(ecount == 16);
509  CHECK(secp256k1_bulletproof_circuit_verify(vrfy, scratch, gens, circ, proof, plen, NULL, 0, &value_gen, blind, 32) == 1);
510  CHECK(ecount == 16);
511  CHECK(secp256k1_bulletproof_circuit_verify(both, scratch, gens, circ, proof, plen, NULL, 0, &value_gen, blind, 32) == 1);
512  CHECK(ecount == 16);
513 
514  CHECK(secp256k1_bulletproof_circuit_verify(both, NULL, gens, circ, proof, plen, NULL, 0, &value_gen, blind, 32) == 0);
515  CHECK(ecount == 17);
516  CHECK(secp256k1_bulletproof_circuit_verify(both, scratch, NULL, circ, proof, plen, NULL, 0, &value_gen, blind, 32) == 0);
517  CHECK(ecount == 18);
518  CHECK(secp256k1_bulletproof_circuit_verify(both, scratch, gens, NULL, proof, plen, NULL, 0, &value_gen, blind, 32) == 0);
519  CHECK(ecount == 19);
520  CHECK(secp256k1_bulletproof_circuit_verify(both, scratch, gens, circ, NULL, plen, NULL, 0, &value_gen, blind, 32) == 0);
521  CHECK(ecount == 20);
522  CHECK(secp256k1_bulletproof_circuit_verify(both, scratch, gens, circ, proof, 0, NULL, 0, &value_gen, blind, 32) == 0);
523  CHECK(ecount == 20);
524  CHECK(secp256k1_bulletproof_circuit_verify(both, scratch, gens, circ, proof, plen - 1, NULL, 0, &value_gen, blind, 32) == 0);
525  CHECK(ecount == 20);
526  CHECK(secp256k1_bulletproof_circuit_verify(both, scratch, gens, circ, proof, plen, NULL, 0, NULL, blind, 32) == 0);
527  CHECK(ecount == 21);
528  CHECK(secp256k1_bulletproof_circuit_verify(both, scratch, gens, circ, proof, plen, NULL, 0, &value_gen, NULL, 32) == 0);
529  CHECK(ecount == 22);
530  CHECK(secp256k1_bulletproof_circuit_verify(both, scratch, gens, circ, proof, plen, NULL, 0, &value_gen, NULL, 0) == 0);
531  CHECK(ecount == 22);
532 
533  CHECK(secp256k1_bulletproof_circuit_verify_multi(none, scratch, gens, &constcirc, &proof_ptr, 1, plen, NULL, NULL, &value_gen, blind_ptr, &blindlen) == 0);
534  CHECK(ecount == 23);
535  CHECK(secp256k1_bulletproof_circuit_verify_multi(sign, scratch, gens, &constcirc, &proof_ptr, 1, plen, NULL, NULL, &value_gen, blind_ptr, &blindlen) == 0);
536  CHECK(ecount == 24);
537  CHECK(secp256k1_bulletproof_circuit_verify_multi(vrfy, scratch, gens, &constcirc, &proof_ptr, 1, plen, NULL, NULL, &value_gen, blind_ptr, &blindlen) == 1);
538  CHECK(ecount == 24);
539  CHECK(secp256k1_bulletproof_circuit_verify_multi(both, scratch, gens, &constcirc, &proof_ptr, 1, plen, NULL, NULL, &value_gen, blind_ptr, &blindlen) == 1);
540  CHECK(ecount == 24);
541 
542  CHECK(secp256k1_bulletproof_circuit_verify_multi(both, NULL, gens, &constcirc, &proof_ptr, 1, plen, NULL, NULL, &value_gen, blind_ptr, &blindlen) == 0);
543  CHECK(ecount == 25);
544  CHECK(secp256k1_bulletproof_circuit_verify_multi(both, scratch, NULL, &constcirc, &proof_ptr, 1, plen, NULL, NULL, &value_gen, blind_ptr, &blindlen) == 0);
545  CHECK(ecount == 26);
546  CHECK(secp256k1_bulletproof_circuit_verify_multi(both, scratch, gens, NULL, &proof_ptr, 1, plen, NULL, NULL, &value_gen, blind_ptr, &blindlen) == 0);
547  CHECK(ecount == 27);
548  CHECK(secp256k1_bulletproof_circuit_verify_multi(both, scratch, gens, &constcirc, NULL, 1, plen, NULL, NULL, &value_gen, blind_ptr, &blindlen) == 0);
549  CHECK(ecount == 28);
550  /* TODO should n_proofs = 0 succeed ? */
551  CHECK(secp256k1_bulletproof_circuit_verify_multi(both, scratch, gens, &constcirc, &proof_ptr, 0, plen, NULL, NULL, &value_gen, blind_ptr, &blindlen) == 1);
552  CHECK(ecount == 28);
553  CHECK(secp256k1_bulletproof_circuit_verify_multi(both, scratch, gens, &constcirc, &proof_ptr, 1, 0, NULL, NULL, &value_gen, blind_ptr, &blindlen) == 0);
554  CHECK(ecount == 28);
555  CHECK(secp256k1_bulletproof_circuit_verify_multi(both, scratch, gens, &constcirc, &proof_ptr, 1, plen - 1, NULL, NULL, &value_gen, blind_ptr, &blindlen) == 0);
556  CHECK(ecount == 28);
557  CHECK(secp256k1_bulletproof_circuit_verify_multi(both, scratch, gens, &constcirc, &proof_ptr, 1, plen, NULL, NULL, NULL, blind_ptr, &blindlen) == 0);
558  CHECK(ecount == 29);
559  CHECK(secp256k1_bulletproof_circuit_verify_multi(both, scratch, gens, &constcirc, &proof_ptr, 1, plen, NULL, NULL, &value_gen, NULL, &blindlen) == 0);
560  CHECK(ecount == 30);
561  CHECK(secp256k1_bulletproof_circuit_verify_multi(both, scratch, gens, &constcirc, &proof_ptr, 1, plen, NULL, NULL, &value_gen, blind_ptr, NULL) == 0);
562  CHECK(ecount == 31);
563  CHECK(secp256k1_bulletproof_circuit_verify_multi(both, scratch, gens, &constcirc, &proof_ptr, 1, plen, NULL, NULL, &value_gen, NULL, NULL) == 0);
564  CHECK(ecount == 31);
565 
566  secp256k1_bulletproof_circuit_destroy(none, circ);
567  secp256k1_bulletproof_circuit_assignment_destroy(none, assn);
568  secp256k1_bulletproof_circuit_assignment_destroy(none, NULL);
569 
570  secp256k1_bulletproof_generators_destroy(none, gens);
571  secp256k1_bulletproof_generators_destroy(none, NULL);
572  secp256k1_scratch_destroy(scratch);
573  secp256k1_context_destroy(none);
574  secp256k1_context_destroy(sign);
575  secp256k1_context_destroy(vrfy);
576  secp256k1_context_destroy(both);
577 }
578 
579 #define MAX_WIDTH (1ul << 20)
580 typedef struct {
581  const secp256k1_scalar *a;
582  const secp256k1_scalar *b;
583  const secp256k1_ge *g;
584  const secp256k1_ge *h;
585  size_t n;
586 } test_bulletproof_ecmult_context;
587 
588 static int test_bulletproof_ecmult_callback(secp256k1_scalar *sc, secp256k1_ge *pt, size_t idx, void *data) {
589  test_bulletproof_ecmult_context *ecctx = (test_bulletproof_ecmult_context *) data;
590  if (idx < ecctx->n) {
591  *sc = ecctx->a[idx];
592  *pt = ecctx->g[idx];
593  } else {
594  VERIFY_CHECK(idx < 2*ecctx->n);
595  *sc = ecctx->b[idx - ecctx->n];
596  *pt = ecctx->h[idx - ecctx->n];
597  }
598  return 1;
599 }
600 
601 typedef struct {
602  secp256k1_scalar offs;
603  secp256k1_scalar ext_sc;
604  secp256k1_scalar skew_sc;
605  secp256k1_ge ext_pt;
606  secp256k1_ge p;
607  size_t n;
608  int parity;
609 } test_bulletproof_offset_context;
610 
611 static int test_bulletproof_offset_vfy_callback(secp256k1_scalar *sc, secp256k1_ge *pt, secp256k1_scalar *randomizer, size_t idx, void *data) {
612  test_bulletproof_offset_context *ecctx = (test_bulletproof_offset_context *) data;
613  secp256k1_scalar_set_int(&ecctx->offs, 1);
614  if (idx < 2 * ecctx->n) {
615  secp256k1_scalar idxsc;
616  secp256k1_scalar_set_int(&idxsc, idx);
617  secp256k1_scalar_mul(sc, &ecctx->skew_sc, &idxsc);
618  } else {
619  if (ecctx->parity) {
620  *sc = ecctx->ext_sc;
621  *pt = ecctx->ext_pt;
622  } else {
623  secp256k1_scalar_set_int(sc, 1);
624  *pt = ecctx->p;
625  }
626  }
627  secp256k1_scalar_mul(sc, sc, randomizer);
628  ecctx->parity = !ecctx->parity;
629  return 1;
630 }
631 
632 typedef struct {
633  const secp256k1_scalar *a_arr;
634  const secp256k1_scalar *b_arr;
635 } secp256k1_bulletproof_ip_test_abgh_data;
636 
637 
638 static int secp256k1_bulletproof_ip_test_abgh_callback(secp256k1_scalar *sc, secp256k1_ge *pt, size_t idx, void *data) {
639  secp256k1_bulletproof_ip_test_abgh_data *cbctx = (secp256k1_bulletproof_ip_test_abgh_data *) data;
640  const int is_g = idx % 2 == 0;
641 
642  (void) pt;
643  if (is_g) {
644  *sc = cbctx->a_arr[idx / 2];
645  } else {
646  *sc = cbctx->b_arr[idx / 2];
647  }
648  return 1;
649 }
650 
651 void test_bulletproof_inner_product(size_t n, const secp256k1_bulletproof_generators *gens) {
652  const secp256k1_scalar zero = SECP256K1_SCALAR_CONST(0,0,0,0,0,0,0,0);
653  secp256k1_gej pj;
654  secp256k1_gej tmpj, tmpj2;
655  secp256k1_scalar *a_arr = (secp256k1_scalar *)checked_malloc(&ctx->error_callback, n * sizeof(*a_arr));
656  secp256k1_scalar *b_arr = (secp256k1_scalar *)checked_malloc(&ctx->error_callback, n * sizeof(*b_arr));
657  unsigned char commit[32] = "hash of P, c, etc. all that jazz";
658  secp256k1_scalar one;
659  size_t j;
660  test_bulletproof_offset_context offs_ctx;
661  secp256k1_bulletproof_ip_test_abgh_data abgh_data;
662  secp256k1_bulletproof_innerproduct_context innp_ctx;
663  unsigned char proof[2000];
664  size_t plen = sizeof(proof);
665 
666  secp256k1_scratch *scratch = secp256k1_scratch_space_create(ctx, 100000 + 256 * (2 * n + 2));
667 
668  for (j = 0; j < n; j++) {
669  random_scalar_order(&a_arr[j]);
670  random_scalar_order(&b_arr[j]);
671  }
672 
673  abgh_data.a_arr = a_arr;
674  abgh_data.b_arr = b_arr;
675 
676  random_group_element_test(&offs_ctx.ext_pt);
677  random_scalar_order(&offs_ctx.ext_sc);
678  secp256k1_scalar_clear(&offs_ctx.skew_sc);
679  offs_ctx.n = n;
680 
681  secp256k1_scalar_set_int(&one, 1);
682  CHECK(secp256k1_bulletproof_inner_product_prove_impl(&ctx->ecmult_ctx, scratch, proof, &plen, gens, &one, n, secp256k1_bulletproof_ip_test_abgh_callback, (void *) &abgh_data, commit) == 1);
683 
684  innp_ctx.proof = proof;
685  memcpy(innp_ctx.commit, commit, 32);
686  secp256k1_scalar_set_int(&innp_ctx.yinv, 1);
687  innp_ctx.n_extra_rangeproof_points = 1;
688  innp_ctx.rangeproof_cb = test_bulletproof_offset_vfy_callback;
689  innp_ctx.rangeproof_cb_data = (void *) &offs_ctx;
690 
691  /* Manually do the multiexp to obtain the point P which commits to the inner product.
692  * The prover never computes this because it is implicit in the range/circuit proofs. */
693  {
694  test_bulletproof_ecmult_context ecmult_data;
695  ecmult_data.n = n;
696  ecmult_data.a = a_arr;
697  ecmult_data.b = b_arr;
698  ecmult_data.g = gens->gens;
699  ecmult_data.h = gens->gens + gens->n/2;
700  CHECK(secp256k1_ecmult_multi_var(&ctx->ecmult_ctx, scratch, &pj, &zero, test_bulletproof_ecmult_callback, (void*) &ecmult_data, 2 * n));
701  secp256k1_ge_set_gej(&offs_ctx.p, &pj);
702  }
703 
704  /* Check proof with no offsets or other baubles */
705  offs_ctx.parity = 0;
706  secp256k1_scalar_clear(&innp_ctx.p_offs);
707  CHECK(secp256k1_bulletproof_inner_product_verify_impl(&ctx->ecmult_ctx, scratch, gens, n, &innp_ctx, 1, plen, 1) == 1);
708 
709  /* skew P by a random amount and instruct the verifier to offset it */
710  random_scalar_order(&innp_ctx.p_offs);
711  secp256k1_gej_set_ge(&tmpj2, &gens->blinding_gen[0]);
712  secp256k1_ecmult(&ctx->ecmult_ctx, &tmpj, &tmpj2, &innp_ctx.p_offs, &zero);
713  secp256k1_gej_add_var(&pj, &pj, &tmpj, NULL);
714  secp256k1_ge_set_gej(&offs_ctx.p, &pj);
715 
716  /* wrong p_offs should fail */
717  offs_ctx.parity = 0;
718  CHECK(secp256k1_bulletproof_inner_product_verify_impl(&ctx->ecmult_ctx, scratch, gens, n, &innp_ctx, 1, plen, 1) == 0);
719 
720  secp256k1_scalar_negate(&innp_ctx.p_offs, &innp_ctx.p_offs);
721 
722  offs_ctx.parity = 0;
723  CHECK(secp256k1_bulletproof_inner_product_verify_impl(&ctx->ecmult_ctx, scratch, gens, n, &innp_ctx, 1, plen, 1) == 1);
724  /* check that verification did not trash anything */
725  offs_ctx.parity = 0;
726  CHECK(secp256k1_bulletproof_inner_product_verify_impl(&ctx->ecmult_ctx, scratch, gens, n, &innp_ctx, 1, plen, 1) == 1);
727  /* check that adding a no-op rangeproof skew function doesn't break anything */
728  offs_ctx.parity = 0;
729  CHECK(secp256k1_bulletproof_inner_product_verify_impl(&ctx->ecmult_ctx, scratch, gens, n, &innp_ctx, 1, plen, 1) == 1);
730 
731  /* Offset P by some random point and then try to undo this in the verification */
732  secp256k1_gej_set_ge(&tmpj2, &offs_ctx.ext_pt);
733  secp256k1_ecmult(&ctx->ecmult_ctx, &tmpj, &tmpj2, &offs_ctx.ext_sc, &zero);
734  secp256k1_gej_neg(&tmpj, &tmpj);
735  secp256k1_gej_add_ge_var(&tmpj, &tmpj, &offs_ctx.p, NULL);
736  secp256k1_ge_set_gej(&offs_ctx.p, &tmpj);
737  offs_ctx.parity = 0;
738  innp_ctx.n_extra_rangeproof_points = 2;
739  CHECK(secp256k1_bulletproof_inner_product_verify_impl(&ctx->ecmult_ctx, scratch, gens, n, &innp_ctx, 1, plen, 1) == 1);
740 
741  /* Offset each basis by some random point and try to undo this in the verification */
742  secp256k1_gej_set_infinity(&tmpj2);
743  for (j = 0; j < n; j++) {
744  size_t k;
745  /* Offset by k-times the kth G basis and (k+n)-times the kth H basis */
746  for (k = 0; k < j; k++) {
747  secp256k1_gej_add_ge_var(&tmpj2, &tmpj2, &gens->gens[j], NULL);
748  secp256k1_gej_add_ge_var(&tmpj2, &tmpj2, &gens->gens[j + gens->n/2], NULL);
749  }
750  for (k = 0; k < n; k++) {
751  secp256k1_gej_add_ge_var(&tmpj2, &tmpj2, &gens->gens[j + gens->n/2], NULL);
752  }
753  }
754  random_scalar_order(&offs_ctx.skew_sc);
755  secp256k1_ecmult(&ctx->ecmult_ctx, &tmpj, &tmpj2, &offs_ctx.skew_sc, &zero);
756  secp256k1_gej_add_ge_var(&tmpj, &tmpj, &offs_ctx.p, NULL);
757  secp256k1_ge_set_gej(&offs_ctx.p, &tmpj);
758  secp256k1_scalar_negate(&offs_ctx.skew_sc, &offs_ctx.skew_sc);
759 
760  offs_ctx.parity = 0;
761  CHECK(secp256k1_bulletproof_inner_product_verify_impl(&ctx->ecmult_ctx, scratch, gens, n, &innp_ctx, 1, plen, 1) == 1);
762 
763  /* Try to validate the same proof twice */
764 {
765  test_bulletproof_offset_context offs_ctxs[2];
766  secp256k1_bulletproof_innerproduct_context innp_ctxs[2];
767  offs_ctx.parity = 1; /* set parity to 1 so the common point will be returned first, as required by the multi-proof verifier */
768  memcpy(&innp_ctxs[0], &innp_ctx, sizeof(innp_ctx));
769  memcpy(&innp_ctxs[1], &innp_ctx, sizeof(innp_ctx));
770  memcpy(&offs_ctxs[0], &offs_ctx, sizeof(offs_ctx));
771  memcpy(&offs_ctxs[1], &offs_ctx, sizeof(offs_ctx));
772  innp_ctxs[0].rangeproof_cb_data = (void *)&offs_ctxs[0];
773  innp_ctxs[1].rangeproof_cb_data = (void *)&offs_ctxs[1];
774  CHECK(secp256k1_bulletproof_inner_product_verify_impl(&ctx->ecmult_ctx, scratch, gens, n, innp_ctxs, 2, plen, 1) == 1);
775  CHECK(secp256k1_bulletproof_inner_product_verify_impl(&ctx->ecmult_ctx, scratch, gens, n, innp_ctxs, 2, plen, 0) == 1);
776 }
777 
778  free(a_arr);
779  free(b_arr);
780  secp256k1_scratch_destroy(scratch);
781 }
782 
783 void test_bulletproof_rangeproof(size_t nbits, size_t expected_size, const secp256k1_bulletproof_generators *gens) {
784  secp256k1_scalar blind;
785  secp256k1_scalar blind_recovered;
786  unsigned char proof[1024];
787  unsigned char proof2[1024];
788  unsigned char proof3[1024];
789  const unsigned char *proof_ptr[3];
790  size_t plen = sizeof(proof);
791  uint64_t v = 123456;
792  uint64_t v_recovered;
793  secp256k1_gej commitj;
794  secp256k1_ge commitp;
795  secp256k1_ge commitp2;
796  secp256k1_pedersen_commitment pcommit;
797  const secp256k1_ge *commitp_ptr[3];
798  secp256k1_ge value_gen[3];
799  unsigned char nonce[32] = "my kingdom for some randomness!!";
800 
801  secp256k1_scratch *scratch = secp256k1_scratch_space_create(ctx, 10000000);
802 
803  if (v >> nbits > 0) {
804  v = 0;
805  }
806 
807  printf("\nv=%llu\n", v);
808 
809  proof_ptr[0] = proof;
810  proof_ptr[1] = proof2;
811  proof_ptr[2] = proof3;
812 
813  secp256k1_generator_load(&value_gen[0], &secp256k1_generator_const_g);
814  secp256k1_generator_load(&value_gen[1], &secp256k1_generator_const_g);
815  secp256k1_generator_load(&value_gen[2], &secp256k1_generator_const_h);
816  random_scalar_order(&blind);
817 
818  secp256k1_pedersen_ecmult(&commitj, &blind, v, &value_gen[0], &gens->blinding_gen[0]);
819  secp256k1_ge_set_gej(&commitp, &commitj);
820  secp256k1_pedersen_ecmult(&commitj, &blind, v, &value_gen[2], &gens->blinding_gen[0]);
821  secp256k1_ge_set_gej(&commitp2, &commitj);
822  commitp_ptr[0] = commitp_ptr[1] = &commitp;
823  commitp_ptr[2] = &commitp2;
824  secp256k1_pedersen_commitment_save(&pcommit, &commitp);
825 
826  CHECK(secp256k1_bulletproof_rangeproof_prove_impl(&ctx->ecmult_ctx, scratch, proof, &plen, nbits, &v, NULL, &blind,
827  &commitp, 1, &value_gen[0], gens, nonce, NULL, 0) == 1);
828  CHECK(plen == expected_size);
829  nonce[0] ^= 1;
830  CHECK(secp256k1_bulletproof_rangeproof_prove_impl(&ctx->ecmult_ctx, scratch, proof2, &plen, nbits, &v, NULL, &blind,
831  &commitp, 1, &value_gen[1], gens, nonce, NULL, 0) == 1);
832  CHECK(plen == expected_size);
833  nonce[0] ^= 2;
834  CHECK(secp256k1_bulletproof_rangeproof_prove_impl(&ctx->ecmult_ctx, scratch, proof3, &plen, nbits, &v, NULL, &blind,
835  &commitp2, 1, &value_gen[2], gens, nonce, NULL, 0) == 1);
836  CHECK(plen == expected_size);
837  nonce[0] ^= 3;
838  /* Verify once */
839  CHECK(secp256k1_bulletproof_rangeproof_verify_impl(&ctx->ecmult_ctx, scratch, proof_ptr, 1, plen, nbits, NULL,
840  commitp_ptr, 1, value_gen, gens, NULL, 0) == 1);
841  /* Verify twice at once to test batch validation */
842  CHECK(secp256k1_bulletproof_rangeproof_verify_impl(&ctx->ecmult_ctx, scratch, proof_ptr, 2, plen, nbits, NULL, commitp_ptr, 1, value_gen, gens, NULL, 0) == 1);
843  /* Verify thrice at once where one has a different asset type */
844  CHECK(secp256k1_bulletproof_rangeproof_verify_impl(&ctx->ecmult_ctx, scratch, proof_ptr, 3, plen, nbits, NULL, commitp_ptr, 1, value_gen, gens, NULL, 0) == 1);
845 
846  /* Rewind */
847  CHECK(secp256k1_bulletproof_rangeproof_rewind_impl(&v_recovered, &blind_recovered, proof, plen, 0, &pcommit, &secp256k1_generator_const_g, gens->blinding_gen, nonce, NULL, 0) == 1);
848  CHECK(v_recovered == v);
849  CHECK(secp256k1_scalar_eq(&blind_recovered, &blind) == 1);
850 
851  nonce[0] ^= 111;
852  CHECK(secp256k1_bulletproof_rangeproof_rewind_impl(&v_recovered, &blind_recovered, proof, plen, 0, &pcommit, &secp256k1_generator_const_g, gens->blinding_gen, nonce, NULL, 0) == 0);
853 
854  secp256k1_scratch_destroy(scratch);
855 }
856 
857 void build_bulletproof_rangeproof_aggregate(size_t nbits, size_t n_commits) {
858  unsigned char proof[1024];
859  secp256k1_context2 *both = secp256k1_context_create2(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY);
860  secp256k1_bulletproof_generators *gens = secp256k1_bulletproof_generators_create(both, &secp256k1_generator_const_h, 32768);
861  const unsigned char *proof_ptr = proof;
862  size_t plen = sizeof(proof);
863  secp256k1_scalar *blind = (secp256k1_scalar *)checked_malloc(&both->error_callback, n_commits * sizeof(*blind));
864  uint64_t *v = (uint64_t *)checked_malloc(&both->error_callback, n_commits * sizeof(*v));
865  secp256k1_ge *commitp = (secp256k1_ge *)checked_malloc(&both->error_callback, n_commits * sizeof(*commitp));
866  const secp256k1_ge *constptr = commitp;
867  secp256k1_ge value_gen;
868  unsigned char commit[32] = {0};
869  size_t i;
870 
871  secp256k1_scratch *scratch = secp256k1_scratch_space_create(both, 10000000);
872 
873  secp256k1_generator_load(&value_gen, &secp256k1_generator_const_g);
874  for (i = 0; i < n_commits; i++) {
875  secp256k1_scalar vs;
876  secp256k1_gej commitj;
877 
878  v[i] = 223 * (i + 1); /* dice-roll random # */
879 
880  secp256k1_scalar_set_u64(&vs, v[i]);
881  random_scalar_order(&blind[i]);
882  secp256k1_pedersen_ecmult(&commitj, &blind[i], v[i], &value_gen, &secp256k1_generator_const_h);
883  secp256k1_ge_set_gej(&commitp[i], &commitj);
884 
885  secp256k1_bulletproof_update_commit(commit, &commitp[i], &value_gen);
886  }
887 
888  CHECK(secp256k1_bulletproof_rangeproof_prove_impl(&both->ecmult_ctx, scratch, proof, &plen, nbits, v, NULL, blind, commitp, n_commits, &value_gen, gens, NULL, NULL, 0) == 1);
889  printf("plen = %d", plen);
890  secp256k1_scratch *scratch1 = secp256k1_scratch_space_create(ctx, 10000000);
891  CHECK(secp256k1_bulletproof_rangeproof_verify_impl(&ctx->ecmult_ctx, scratch1, &proof_ptr, 1, plen, nbits, NULL, &constptr, n_commits, &value_gen, gens, NULL, 0) == 1);
892 
893  secp256k1_scratch_destroy(scratch);
894  secp256k1_scratch_destroy(scratch1);
895  free(commitp);
896  free(v);
897  free(blind);
898 }
899 
900 void test_bulletproof_rangeproof_aggregate(size_t nbits, size_t n_commits, size_t expected_size, const secp256k1_bulletproof_generators *gens) {
901  unsigned char proof[1024];
902  secp256k1_context2 *both = secp256k1_context_create2(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY);
903  const unsigned char *proof_ptr = proof;
904  size_t plen = sizeof(proof);
905  secp256k1_scalar *blind = (secp256k1_scalar *)checked_malloc(&both->error_callback, n_commits * sizeof(*blind));
906  uint64_t *v = (uint64_t *)checked_malloc(&both->error_callback, n_commits * sizeof(*v));
907  secp256k1_ge *commitp = (secp256k1_ge *)checked_malloc(&both->error_callback, n_commits * sizeof(*commitp));
908  const secp256k1_ge *constptr = commitp;
909  secp256k1_ge value_gen;
910  unsigned char commit[32] = {0};
911  unsigned char nonce[32] = "mary, mary quite contrary how do";
912  size_t i;
913 
914  secp256k1_scratch *scratch = secp256k1_scratch_space_create(both, 10000000);
915 
916  secp256k1_generator_load(&value_gen, &secp256k1_generator_const_g);
917  for (i = 0; i < n_commits; i++) {
918  secp256k1_scalar vs;
919  secp256k1_gej commitj;
920 
921  v[i] = 223 * (i + 1); /* dice-roll random # */
922  if (v[i] >> nbits > 0) {
923  v[i] = 0;
924  }
925  printf("v[i] = %d", v[i]);
926  secp256k1_scalar_set_u64(&vs, v[i]);
927  random_scalar_order(&blind[i]);
928  secp256k1_pedersen_ecmult(&commitj, &blind[i], v[i], &value_gen, &gens->blinding_gen[0]);
929  secp256k1_ge_set_gej(&commitp[i], &commitj);
930 
931  secp256k1_bulletproof_update_commit(commit, &commitp[i], &value_gen);
932  }
933 
934  CHECK(secp256k1_bulletproof_rangeproof_prove_impl(&both->ecmult_ctx, scratch, proof, &plen, nbits, v, NULL, blind, commitp, n_commits, &value_gen, gens, nonce, NULL, 0) == 1);
935  printf("plen = %d", plen);
936  CHECK(plen == expected_size);
937  secp256k1_scratch *scratch1 = secp256k1_scratch_space_create(ctx, 10000000);
938  CHECK(secp256k1_bulletproof_rangeproof_verify_impl(&ctx->ecmult_ctx, scratch1, &proof_ptr, 1, plen, nbits, NULL, &constptr, n_commits, &value_gen, gens, NULL, 0) == 1);
939 
940  secp256k1_scratch_destroy(scratch);
941  secp256k1_scratch_destroy(scratch1);
942  free(commitp);
943  free(v);
944  free(blind);
945 }
946 
947 void test_bulletproof_circuit(const secp256k1_bulletproof_generators *gens) {
948  secp256k1_bulletproof_circuit_assignment assn;
949  unsigned char proof[2000];
950  const unsigned char nonce[32] = "ive got a bit won't tell u which";
951  const unsigned char *proof_ptr = proof;
952  size_t plen = sizeof(proof);
953  secp256k1_scalar one;
954  secp256k1_scalar challenge;
955  secp256k1_scalar answer;
956  secp256k1_scalar commitv;
957  secp256k1_gej commitj;
958  secp256k1_ge commitp;
959  const secp256k1_ge *commitp_ptr;
960  secp256k1_scratch *scratch = secp256k1_scratch_space_create(ctx, 10 * 1024 * 1024);
961  secp256k1_ge value_gen;
962 
963  static const char pedersen_3_desc[] = "8,0,3,11; "
964  "-L3 + L0 = 0; "
965  "-R3 + L1 = 0; "
966  "O3 + 43761614841181848836640060563436836929981077120207297347288494535014373124598*L4 + 32269103446714936439983769262136990710725469005847626272964912432556195438855*L0 + 53470148824566042419568143658779164645897136432324031591105781651996231383599*L1 = -29906057699896301565330867720293440045651680527210179749355355245466869592774; "
967  "R4 - 2*L2 = -1; "
968  "O4 - O5 = -5790157963784981660191168841374597722972181776698071254377150704077242214507; "
969  "R5 - 25758063836554693196908199229504721621729641941971332474184303138909611379443*L0 + 11291233376911191389536694739885054786695386896193593308033244950342020590185*L1 + 3363265264840957283186157428945612617240329097799939360463518825408167634185*L4 = -29614996938732799633661547612064662376197030231215982466591901560589852461284; "
970  "L5 - L6 = 0; "
971  "L5 - R6 = 0; "
972  "L5 - L7 = 0; "
973  "O6 + R7 - 51516127673109386393816398459009443243459283883942664948368606277819222758886*L0 + 22582466753822382779073389479770109573390773792387186616066489900684041180370*L1 + 6726530529681914566372314857891225234480658195599878720927037650816335268370*L4 = -25204003405338345315301650454981416603166816758113955371299998112889962854657; "
974  "O6 - 25758063836554693196908199229504721621729641941971332474184303138909611379443*L0 + 11291233376911191389536694739885054786695386896193593308033244950342020590185*L1 + 3363265264840957283186157428945612617240329097799939360463518825408167634185*L4 = 10482191031782654019194619252232560984851404783271171686897023817875267510226;";
975  secp256k1_scalar pedersen_3_al[8] = {
976  SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0),
977  SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0),
978  SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 1),
979  SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0),
980  SECP256K1_SCALAR_CONST(0x8622f5f9, 0x83a711d6, 0x35530e80, 0x298ac2f1, 0x287824b2, 0xf76f6474, 0x7f4919d6, 0x2e300537),
981  SECP256K1_SCALAR_CONST(0x1fc757ec, 0xbddbbeb9, 0xd4f41473, 0xb24f6530, 0x743a1437, 0x46963ca9, 0x0a83f80c, 0x1ee5328b),
982  SECP256K1_SCALAR_CONST(0x1fc757ec, 0xbddbbeb9, 0xd4f41473, 0xb24f6530, 0x743a1437, 0x46963ca9, 0x0a83f80c, 0x1ee5328b),
983  SECP256K1_SCALAR_CONST(0x1fc757ec, 0xbddbbeb9, 0xd4f41473, 0xb24f6530, 0x743a1437, 0x46963ca9, 0x0a83f80c, 0x1ee5328b)
984  };
985  secp256k1_scalar pedersen_3_ar[8] = {
986  SECP256K1_SCALAR_CONST(0xffffffff, 0xffffffff, 0xffffffff, 0xfffffffe, 0xbaaedce6, 0xaf48a03b, 0xbfd25e8c, 0xd0364140),
987  SECP256K1_SCALAR_CONST(0xffffffff, 0xffffffff, 0xffffffff, 0xfffffffe, 0xbaaedce6, 0xaf48a03b, 0xbfd25e8c, 0xd0364140),
988  SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0),
989  SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0),
990  SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 1),
991  SECP256K1_SCALAR_CONST(0x31c8eae3, 0xf71d7572, 0x260f2848, 0xe9f7209d, 0x7366b59e, 0x073e490d, 0x279d8c48, 0x656e329f),
992  SECP256K1_SCALAR_CONST(0x1fc757ec, 0xbddbbeb9, 0xd4f41473, 0xb24f6530, 0x743a1437, 0x46963ca9, 0x0a83f80c, 0x1ee5328b),
993  SECP256K1_SCALAR_CONST(0x245cbdd4, 0xef485258, 0xba62e0d9, 0x26e672d2, 0x83d1988a, 0x3c3a1e2f, 0x6639ec10, 0x39c6a2b0)
994  };
995  secp256k1_scalar pedersen_3_ao[8] = {
996  SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0),
997  SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0),
998  SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0),
999  SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0),
1000  SECP256K1_SCALAR_CONST(0x8622f5f9, 0x83a711d6, 0x35530e80, 0x298ac2f1, 0x287824b2, 0xf76f6474, 0x7f4919d6, 0x2e300537),
1001  SECP256K1_SCALAR_CONST(0x92f012f8, 0xd76c6bd9, 0x7cdaa7c4, 0x6a848512, 0xed249960, 0xc58efb11, 0x48945d26, 0x186dada2),
1002  SECP256K1_SCALAR_CONST(0x8a6f1f26, 0x6b9c02e6, 0x8cb97c20, 0xd04aab71, 0xf4024826, 0xeb84f19f, 0xa13641ee, 0xe3f3db55),
1003  SECP256K1_SCALAR_CONST(0xc4e18e86, 0x9b53aabc, 0x22891520, 0x299684a8, 0x75ad4a2e, 0xc4e1e6af, 0x2556146f, 0xb25f219e)
1004  };
1005 
1006  const char inv_17_19_circ[] = "2,1,0,5; L0 = 17; 2*L1 - L0 = 21; O0 = 1; O1 = 1; V0 - L0 = 100;";
1007  secp256k1_bulletproof_circuit *simple = secp256k1_parse_circuit(ctx, inv_17_19_circ);
1008  secp256k1_bulletproof_circuit *pedersen_3 = secp256k1_parse_circuit(ctx, pedersen_3_desc);
1009  secp256k1_bulletproof_circuit *pedersen_3_bin = secp256k1_bulletproof_circuit_decode(ctx, "src/modules/bulletproofs/bin_circuits/pedersen-192-preimage.circ");
1010  secp256k1_bulletproof_circuit_assignment *pedersen_3_assn = secp256k1_bulletproof_circuit_assignment_decode(ctx, "src/modules/bulletproofs/bin_circuits/pedersen-192-preimage.assn");
1011 
1012  CHECK(simple != NULL);
1013  CHECK(pedersen_3 != NULL);
1014  CHECK(pedersen_3_bin != NULL);
1015 
1016  CHECK(secp256k1_scratch_allocate_frame (scratch, 3072 * sizeof(secp256k1_scalar), 3));
1017  assn.al = secp256k1_scratch_alloc(scratch, 1024 * sizeof(*assn.al));
1018  assn.ar = secp256k1_scratch_alloc(scratch, 1024 * sizeof(*assn.al));
1019  assn.ao = secp256k1_scratch_alloc(scratch, 1024 * sizeof(*assn.al));
1020 
1021  CHECK (simple != NULL);
1022 
1023  secp256k1_scalar_set_int(&challenge, 17);
1024  secp256k1_scalar_inverse(&answer, &challenge);
1025  secp256k1_scalar_set_int(&one, 1);
1026 
1027  /* Try to prove with input 0, 1, 0 */
1028  assn.al[0] = assn.al[1] = challenge;
1029  assn.ar[0] = assn.ar[1] = answer;
1030  assn.ao[0] = assn.ao[1] = one;
1031 
1032  secp256k1_scalar_set_int(&commitv, 117);
1033  secp256k1_scalar_set_int(&challenge, 19);
1034  secp256k1_scalar_inverse(&answer, &challenge);
1035  assn.al[1] = challenge;
1036  assn.ar[1] = answer;
1037  assn.v = &commitv;
1038  assn.n_gates = 2;
1039  assn.n_commits = 1;
1040 
1041  /* Use one as the blinding factor */
1042  secp256k1_generator_load(&value_gen, &secp256k1_generator_const_g);
1043  secp256k1_pedersen_ecmult(&commitj, &one, 117, &value_gen, &gens->blinding_gen[0]);
1044  secp256k1_ge_set_gej(&commitp, &commitj);
1045  commitp_ptr = &commitp;
1046 
1047  CHECK(secp256k1_bulletproof_relation66_prove_impl(
1048  &ctx->ecmult_ctx,
1049  scratch,
1050  proof, &plen,
1051  &assn,
1052  &commitp, &one, 1,
1053  &value_gen,
1054  simple,
1055  gens,
1056  nonce,
1057  NULL, 0
1058  ));
1059 
1060  CHECK(secp256k1_bulletproof_relation66_verify_impl(
1061  &ctx->ecmult_ctx,
1062  scratch,
1063  &proof_ptr, 1, plen,
1064  &commitp_ptr, &assn.n_commits,
1065  &value_gen,
1066  (const secp256k1_bulletproof_circuit* const*) &simple,
1067  gens,
1068  NULL, 0
1069  ));
1070 
1071  plen = 2000;
1072  assn.al = pedersen_3_al;
1073  assn.ar = pedersen_3_ar;
1074  assn.ao = pedersen_3_ao;
1075  assn.n_gates = pedersen_3->n_gates;
1076  assn.n_commits = 0;
1077  CHECK(secp256k1_bulletproof_relation66_prove_impl(
1078  &ctx->ecmult_ctx,
1079  scratch,
1080  proof, &plen,
1081  &assn,
1082  NULL, NULL, 0,
1083  &value_gen,
1084  pedersen_3,
1085  gens,
1086  nonce,
1087  NULL, 0
1088  ));
1089 
1090  CHECK(secp256k1_bulletproof_relation66_verify_impl(
1091  &ctx->ecmult_ctx,
1092  scratch,
1093  &proof_ptr, 1, plen,
1094  NULL, NULL,
1095  &value_gen,
1096  (const secp256k1_bulletproof_circuit* const*) &pedersen_3,
1097  gens,
1098  NULL, 0
1099  ));
1100 
1101  secp256k1_pedersen_ecmult_scalar(&commitj, &one, &pedersen_3_assn->v[0], &value_gen, &gens->blinding_gen[0]);
1102  secp256k1_ge_set_gej(&commitp, &commitj);
1103  commitp_ptr = &commitp;
1104  plen = 2000;
1105  CHECK(secp256k1_bulletproof_relation66_prove_impl(
1106  &ctx->ecmult_ctx,
1107  scratch,
1108  proof, &plen,
1109  pedersen_3_assn,
1110  &commitp, &one, 1,
1111  &value_gen,
1112  pedersen_3_bin,
1113  gens,
1114  nonce,
1115  NULL, 0
1116  ));
1117 
1118  CHECK(secp256k1_bulletproof_relation66_verify_impl(
1119  &ctx->ecmult_ctx,
1120  scratch,
1121  &proof_ptr, 1, plen,
1122  &commitp_ptr, &pedersen_3_bin->n_commits,
1123  &value_gen,
1124  (const secp256k1_bulletproof_circuit* const*) &pedersen_3_bin,
1125  gens,
1126  NULL, 0
1127  ));
1128 
1129  secp256k1_bulletproof_circuit_destroy(ctx, simple);
1130  secp256k1_bulletproof_circuit_destroy(ctx, pedersen_3);
1131  secp256k1_bulletproof_circuit_destroy(ctx, pedersen_3_bin);
1132  secp256k1_bulletproof_circuit_assignment_destroy(ctx, pedersen_3_assn);
1133  secp256k1_scratch_deallocate_frame(scratch);
1134  secp256k1_scratch_destroy(scratch);
1135 }
1136 
1137 void run_bulletproofs_tests(void) {
1138  size_t i;
1139  /* Make a ton of generators */
1140  secp256k1_bulletproof_generators *gens = secp256k1_bulletproof_generators_create(ctx, &secp256k1_generator_const_h, 32768);
1141  test_bulletproof_api();
1142 
1143  /* sanity checks */
1144  CHECK(secp256k1_bulletproof_innerproduct_proof_length(0) == 32); /* encoding of 1 */
1145  CHECK(secp256k1_bulletproof_innerproduct_proof_length(1) == 96); /* encoding a*b, a, b */
1146  CHECK(secp256k1_bulletproof_innerproduct_proof_length(2) == 160); /* dot prod, a, b, L, R, parity of L, R */
1147  CHECK(secp256k1_bulletproof_innerproduct_proof_length(4) == 225); /* dot prod, a, b, a, b, L, R, parity of L, R */
1148  CHECK(secp256k1_bulletproof_innerproduct_proof_length(8) == 289); /* dot prod, a, b, a, b, L, R, L, R, parity of L, R */
1149 
1150  printf("Testing bulletproof inner product\n");
1151  test_bulletproof_inner_product(0, gens);
1152  test_bulletproof_inner_product(1, gens);
1153  test_bulletproof_inner_product(2, gens);
1154  test_bulletproof_inner_product(4, gens);
1155  test_bulletproof_inner_product(8, gens);
1156  for (i = 0; i < (size_t) count; i++) {
1157  test_bulletproof_inner_product(32, gens);
1158  test_bulletproof_inner_product(64, gens);
1159  }
1160  test_bulletproof_inner_product(1024, gens);
1161  printf("Testing bulletproof range proof\n");
1162  /*test1();*/
1163  printf("testing verify");
1164  /*test_build_verify();*/
1165 
1166  test_bulletproof_rangeproof(1, 289, gens);
1167  test_bulletproof_rangeproof(2, 353, gens);
1168  test_bulletproof_rangeproof(16, 546, gens);
1169  test_bulletproof_rangeproof(32, 610, gens);
1170  test_bulletproof_rangeproof(64, 675, gens);
1171  printf("Testing bulletproof multi range proof\n");
1172  test_bulletproof_rangeproof_aggregate(64, 1, 675, gens);
1173  test_bulletproof_rangeproof_aggregate(64, 4, 803, gens);
1174  test_bulletproof_rangeproof_aggregate(8, 2, 546, gens);
1175  test_bulletproof_rangeproof_aggregate(8, 4, 610, gens);
1176  /*test_bulletproof_rangeproof_aggregate(8, 16, 610, gens);*/
1177 
1178  test_bulletproof_circuit(gens);
1179 
1180  secp256k1_bulletproof_generators_destroy(ctx, gens);
1181 }
1182 #undef MAX_WIDTH
1183 
1184 #endif
secp256k1_pedersen_commit
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_pedersen_commit(const secp256k1_context2 *ctx, secp256k1_pedersen_commitment *commit, const unsigned char *blind, uint64_t value, const secp256k1_generator *value_gen, const secp256k1_generator *blind_gen) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(5) SECP256K1_ARG_NONNULL(6)
Generate a Pedersen commitment.
Definition: main_impl.h:93
secp256k1_scratch_space_struct2
Definition: scratch.h:14
secp256k1_bulletproof_rangeproof_rewind
SECP256K1_WARN_UNUSED_RESULT SECP256K1_API int secp256k1_bulletproof_rangeproof_rewind(const secp256k1_context2 *ctx, const secp256k1_bulletproof_generators *gens, uint64_t *value, unsigned char *blind, const unsigned char *proof, size_t plen, uint64_t min_value, const secp256k1_pedersen_commitment *commit, const secp256k1_generator *value_gen, const unsigned char *nonce, const unsigned char *extra_commit, size_t extra_commit_len) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4) SECP256K1_ARG_NONNULL(5) SECP256K1_ARG_NONNULL(8) SECP256K1_ARG_NONNULL(9)
Extracts the value and blinding factor from a single-commit rangeproof given a secret nonce Returns: ...
Definition: main_impl.h:561
VERIFY_CHECK
#define VERIFY_CHECK(cond)
Definition: util.h:61
test_bulletproof_ecmult_context
Definition: tests_impl.h:580
SECP256K1_CONTEXT_NONE
#define SECP256K1_CONTEXT_NONE
Definition: secp256k1_2.h:169
secp256k1_bulletproof_circuit::n_commits
size_t n_commits
Definition: main_impl.h:33
test_bulletproof_ecmult_context::a
const secp256k1_scalar * a
Definition: tests_impl.h:581
secp256k1_bulletproof_generators_create
SECP256K1_API secp256k1_bulletproof_generators * secp256k1_bulletproof_generators_create(const secp256k1_context2 *ctx, const secp256k1_generator *blinding_gen, size_t n) SECP256K1_ARG_NONNULL(1)
Allocates and initializes a list of NUMS generators, along with precomputation data Returns a list of...
Definition: main_impl.h:427
secp256k1_bulletproof_circuit_assignment::al
secp256k1_scalar * al
Definition: main_impl.h:48
secp256k1_bulletproof_generators::n
size_t n
Definition: main_impl.h:55
test_bulletproof_rangeproof_aggregate
void test_bulletproof_rangeproof_aggregate(size_t nbits, size_t n_commits, size_t expected_size, const secp256k1_bulletproof_generators *gens)
Definition: tests_impl.h:900
secp256k1_bulletproof_circuit_assignment::ar
secp256k1_scalar * ar
Definition: main_impl.h:49
secp256k1_bulletproof_circuit_assignment::v
secp256k1_scalar * v
Definition: main_impl.h:51
secp256k1_bulletproof_innerproduct_context::commit
unsigned char commit[32]
Definition: inner_product_impl.h:77
secp256k1_bulletproof_innerproduct_context::p_offs
secp256k1_scalar p_offs
Definition: inner_product_impl.h:75
SECP256K1_SCALAR_CONST
#define SECP256K1_SCALAR_CONST(d7, d6, d5, d4, d3, d2, d1, d0)
Definition: scalar_4x64.h:17
tinyformat::printf
void printf(const char *fmt, const Args &... args)
Format list of arguments to std::cout, according to the given format string.
Definition: tinyformat.h:975
secp256k1_scratch_space_create
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT secp256k1_scratch_space2 * secp256k1_scratch_space_create(const secp256k1_context2 *ctx, size_t max_size) SECP256K1_ARG_NONNULL(1)
Create a secp256k1 scratch space object.
Definition: secp256k1_2.c:135
secp256k1_context_set_error_callback
SECP256K1_API void secp256k1_context_set_error_callback(secp256k1_context2 *ctx, void(*fun)(const char *message, void *data), const void *data) SECP256K1_ARG_NONNULL(1)
Set a callback function to be called when an internal consistency check fails.
Definition: secp256k1_2.c:127
secp256k1_bulletproof_innerproduct_context
Definition: inner_product_impl.h:73
memcpy
void * memcpy(void *a, const void *b, size_t c)
Definition: glibc_compat.cpp:15
secp256k1_bulletproof_innerproduct_context::proof
const unsigned char * proof
Definition: inner_product_impl.h:74
secp256k1_context_destroy
SECP256K1_API void secp256k1_context_destroy(secp256k1_context2 *ctx)
Destroy a secp256k1 context object.
Definition: secp256k1_2.c:110
secp256k1_bulletproof_circuit_assignment::n_gates
size_t n_gates
Definition: main_impl.h:46
secp256k1_context_struct2::ecmult_ctx
secp256k1_ecmult_context ecmult_ctx
Definition: secp256k1_types.h:16
secp256k1_bulletproof_generators::gens
secp256k1_ge * gens
Definition: main_impl.h:57
secp256k1_bulletproof_innerproduct_context::rangeproof_cb
secp256k1_bulletproof_vfy_callback * rangeproof_cb
Definition: inner_product_impl.h:78
secp256k1_generator
Opaque data structure that stores a base point.
Definition: secp256k1_generator.h:20
secp256k1_bulletproof_rangeproof_verify_multi
SECP256K1_WARN_UNUSED_RESULT SECP256K1_API int secp256k1_bulletproof_rangeproof_verify_multi(const secp256k1_context2 *ctx, secp256k1_scratch_space2 *scratch, const secp256k1_bulletproof_generators *gens, const unsigned char *const *proof, size_t n_proofs, size_t plen, const uint64_t *const *min_value, const secp256k1_pedersen_commitment *const *commit, size_t n_commits, size_t nbits, const secp256k1_generator *value_gen, const unsigned char *const *extra_commit, size_t *extra_commit_len) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4) SECP256K1_ARG_NONNULL(8)
Batch-verifies multiple bulletproof (aggregate) rangeproofs of the same size using same generator Ret...
Definition: main_impl.h:516
secp256k1_scalar
A scalar modulo the group order of the secp256k1 curve.
Definition: scalar_4x64.h:13
random_scalar_order
void random_scalar_order(secp256k1_scalar_t *num)
Definition: tests.c:80
test_bulletproof_ecmult_context::b
const secp256k1_scalar * b
Definition: tests_impl.h:582
test_bulletproof_offset_context
Definition: tests_impl.h:601
build_proof
void build_proof(const uint64_t *value, int size, unsigned char *proof, size_t *plen, secp256k1_pedersen_commitment *pcommit)
Definition: tests_impl.h:123
secp256k1_bulletproof_rangeproof_prove
SECP256K1_WARN_UNUSED_RESULT SECP256K1_API int secp256k1_bulletproof_rangeproof_prove(const secp256k1_context2 *ctx, secp256k1_scratch_space2 *scratch, const secp256k1_bulletproof_generators *gens, unsigned char *proof, size_t *plen, const uint64_t *value, const uint64_t *min_value, const unsigned char *const *blind, size_t n_commits, const secp256k1_generator *value_gen, size_t nbits, const unsigned char *nonce, const unsigned char *extra_commit, size_t extra_commit_len) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4) SECP256K1_ARG_NONNULL(5) SECP256K1_ARG_NONNULL(6) SECP256K1_ARG_NONNULL(8) SECP256K1_ARG_NONNULL(10) SECP256K1_ARG_NONNULL(12)
Produces an aggregate Bulletproof rangeproof for a set of Pedersen commitments Returns: 1: rangeproof...
Definition: main_impl.h:582
secp256k1_gej
A group element of the secp256k1 curve, in jacobian coordinates.
Definition: group.h:24
build_bulletproof_rangeproof_aggregate
void build_bulletproof_rangeproof_aggregate(size_t nbits, size_t n_commits)
Definition: tests_impl.h:857
secp256k1_bulletproof_ip_test_abgh_data
Definition: tests_impl.h:632
secp256k1_bulletproof_innerproduct_proof_length
size_t secp256k1_bulletproof_innerproduct_proof_length(size_t n)
Definition: inner_product_impl.h:109
test_bulletproof_ecmult_context::g
const secp256k1_ge * g
Definition: tests_impl.h:583
verify_proof
void verify_proof(unsigned char *proof, size_t plen, secp256k1_pedersen_commitment *pcommit)
Definition: tests_impl.h:153
secp256k1_bulletproofs.h
secp256k1_bulletproof_innerproduct_context::rangeproof_cb_data
void * rangeproof_cb_data
Definition: inner_product_impl.h:79
test_bulletproof_offset_context::n
size_t n
Definition: tests_impl.h:607
secp256k1_bulletproof_rangeproof_verify
SECP256K1_WARN_UNUSED_RESULT SECP256K1_API int secp256k1_bulletproof_rangeproof_verify(const secp256k1_context2 *ctx, secp256k1_scratch_space2 *scratch, const secp256k1_bulletproof_generators *gens, const unsigned char *proof, size_t plen, const uint64_t *min_value, const secp256k1_pedersen_commitment *commit, size_t n_commits, size_t nbits, const secp256k1_generator *value_gen, const unsigned char *extra_commit, size_t extra_commit_len) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4) SECP256K1_ARG_NONNULL(7) SECP256K1_ARG_NONNULL(10)
Verifies a single bulletproof (aggregate) rangeproof Returns: 1: rangeproof was valid 0: rangeproof w...
Definition: main_impl.h:477
secp256k1_bulletproof_circuit_assignment::ao
secp256k1_scalar * ao
Definition: main_impl.h:50
test_bulletproof_offset_context::ext_pt
secp256k1_ge ext_pt
Definition: tests_impl.h:605
test_bulletproof_offset_context::p
secp256k1_ge p
Definition: tests_impl.h:606
test_bulletproof_offset_context::ext_sc
secp256k1_scalar ext_sc
Definition: tests_impl.h:603
test_bulletproof_rangeproof
void test_bulletproof_rangeproof(size_t nbits, size_t expected_size, const secp256k1_bulletproof_generators *gens)
Definition: tests_impl.h:783
secp256k1_bulletproof_circuit::n_gates
size_t n_gates
Definition: main_impl.h:32
secp256k1_bulletproof_circuit_verify
SECP256K1_API int secp256k1_bulletproof_circuit_verify(const secp256k1_context2 *ctx, secp256k1_scratch_space2 *scratch, const secp256k1_bulletproof_generators *gens, const secp256k1_bulletproof_circuit *circ, const unsigned char *proof, size_t plen, const secp256k1_pedersen_commitment *commit, size_t n_commits, const secp256k1_generator *value_gen, const unsigned char *extra_commit, size_t extra_commit_len) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4) SECP256K1_ARG_NONNULL(5) SECP256K1_ARG_NONNULL(9)
Verifies a single bulletproof zero-knowledge proof (zkp) Returns: 1: zkp accepted 0: zkp did not acce...
Definition: main_impl.h:705
util.h
secp256k1_bulletproof_circuit_assignment_decode
SECP256K1_API secp256k1_bulletproof_circuit_assignment * secp256k1_bulletproof_circuit_assignment_decode(const secp256k1_context2 *ctx, const char *fname) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2)
Decodes an accepting wire assignment which is serialized in an opaque binary format Returns a circuit...
Definition: main_impl.h:877
secp256k1_bulletproof_circuit_destroy
SECP256K1_API void secp256k1_bulletproof_circuit_destroy(const secp256k1_context2 *ctx, secp256k1_bulletproof_circuit *circ) SECP256K1_ARG_NONNULL(1)
Destroys a circuit Args: ctx: pointer to a context object (cannot be NULL) gen: pointer to the circui...
Definition: main_impl.h:964
secp256k1_bulletproof_circuit_assignment
Definition: main_impl.h:45
secp256k1_bulletproof_generators::blinding_gen
secp256k1_ge * blinding_gen
Definition: main_impl.h:62
secp256k1_context_struct2::error_callback
secp256k1_callback error_callback
Definition: secp256k1_types.h:19
run_bulletproofs_tests
void run_bulletproofs_tests(void)
Definition: tests_impl.h:1137
test_bulletproof_ecmult_context::n
size_t n
Definition: tests_impl.h:585
test_bulletproof_offset_context::offs
secp256k1_scalar offs
Definition: tests_impl.h:602
secp256k1_context_struct2
Definition: secp256k1_types.h:15
secp256k1_bulletproof_generators_destroy
SECP256K1_API void secp256k1_bulletproof_generators_destroy(const secp256k1_context2 *ctx, secp256k1_bulletproof_generators *gen) SECP256K1_ARG_NONNULL(1)
Destroys a list of NUMS generators, freeing allocated memory Args: ctx: pointer to a context object (...
Definition: main_impl.h:469
secp256k1_pedersen_commitment
Opaque data structure that stores a Pedersen commitment.
Definition: secp256k1_commitment.h:22
secp256k1_bulletproof_circuit_assignment_destroy
SECP256K1_API void secp256k1_bulletproof_circuit_assignment_destroy(const secp256k1_context2 *ctx, secp256k1_bulletproof_circuit_assignment *assn) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2)
Destroys a circuit assignment Args: ctx: pointer to a context object (cannot be NULL) gen: pointer to...
Definition: main_impl.h:974
secp256k1_generator_const_g
const SECP256K1_API secp256k1_generator secp256k1_generator_const_g
Standard secp256k1 generator G.
Definition: main_impl.h:18
random_group_element_test
void random_group_element_test(secp256k1_ge_t *ge)
Definition: tests.c:45
secp256k1_bulletproof_ip_test_abgh_data::b_arr
const secp256k1_scalar * b_arr
Definition: tests_impl.h:634
secp256k1_bulletproof_circuit_assignment::n_commits
size_t n_commits
Definition: main_impl.h:47
secp256k1_generator_const_h
const SECP256K1_API secp256k1_generator secp256k1_generator_const_h
Alternate secp256k1 generator from Elements Alpha.
Definition: main_impl.h:32
secp256k1_bulletproof_innerproduct_context::n_extra_rangeproof_points
size_t n_extra_rangeproof_points
Definition: inner_product_impl.h:80
secp256k1_context_set_illegal_callback
SECP256K1_API void secp256k1_context_set_illegal_callback(secp256k1_context2 *ctx, void(*fun)(const char *message, void *data), const void *data) SECP256K1_ARG_NONNULL(1)
Set a callback function to be called when an illegal argument is passed to an API call.
Definition: secp256k1_2.c:119
secp256k1_context_create2
SECP256K1_API secp256k1_context2 * secp256k1_context_create2(unsigned int flags) SECP256K1_WARN_UNUSED_RESULT
Create a secp256k1 context object.
Definition: secp256k1_2.c:75
test_bulletproof_inner_product
void test_bulletproof_inner_product(size_t n, const secp256k1_bulletproof_generators *gens)
Definition: tests_impl.h:651
secp256k1_bulletproof_circuit
Definition: main_impl.h:31
test_bulletproof_offset_context::skew_sc
secp256k1_scalar skew_sc
Definition: tests_impl.h:604
test_bulletproof_ecmult_context::h
const secp256k1_ge * h
Definition: tests_impl.h:584
test_bulletproof_offset_context::parity
int parity
Definition: tests_impl.h:608
SECP256K1_CONTEXT_VERIFY
#define SECP256K1_CONTEXT_VERIFY
Flags to pass to secp256k1_context_create2.
Definition: secp256k1_2.h:167
secp256k1_bulletproof_circuit_verify_multi
SECP256K1_API int secp256k1_bulletproof_circuit_verify_multi(const secp256k1_context2 *ctx, secp256k1_scratch_space2 *scratch, const secp256k1_bulletproof_generators *gens, const secp256k1_bulletproof_circuit *const *circ, const unsigned char *const *proof, size_t n_proofs, size_t plen, const secp256k1_pedersen_commitment **commit, size_t *n_commits, const secp256k1_generator *value_gen, const unsigned char **extra_commit, size_t *extra_commit_len) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4) SECP256K1_ARG_NONNULL(5) SECP256K1_ARG_NONNULL(10)
Batch-verifies multiple bulletproof zero-knowledge proofs of equally-sized circuits (zkp) Returns: 1:...
Definition: main_impl.h:750
secp256k1_bulletproof_innerproduct_context::yinv
secp256k1_scalar yinv
Definition: inner_product_impl.h:76
CHECK
#define CHECK(cond)
Definition: util.h:43
secp256k1_bulletproof_circuit_parse
SECP256K1_API secp256k1_bulletproof_circuit * secp256k1_bulletproof_circuit_parse(const secp256k1_context2 *ctx, const char *description) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2)
Parses a circuit from an ad-hoc text string format Returns a circuit, or NULL on failure Args: ctx: p...
Definition: main_impl.h:633
secp256k1_bulletproof_circuit_decode
secp256k1_bulletproof_circuit * secp256k1_bulletproof_circuit_decode(const secp256k1_context2 *ctx, const char *fname)
Decodes a circuit which is serialized in an opaque binary format Returns a circuit,...
Definition: main_impl.h:813
secp256k1_bulletproof_ip_test_abgh_data::a_arr
const secp256k1_scalar * a_arr
Definition: tests_impl.h:633
test_bulletproof_circuit
void test_bulletproof_circuit(const secp256k1_bulletproof_generators *gens)
Definition: tests_impl.h:947
secp256k1_bulletproof_circuit_prove
SECP256K1_API int secp256k1_bulletproof_circuit_prove(const secp256k1_context2 *ctx, secp256k1_scratch_space2 *scratch, const secp256k1_bulletproof_generators *gens, const secp256k1_bulletproof_circuit *circ, unsigned char *proof, size_t *plen, const secp256k1_bulletproof_circuit_assignment *assn, const unsigned char **blind, size_t n_commits, const unsigned char *nonce, const secp256k1_generator *value_gen, const unsigned char *extra_commit, size_t extra_commit_len) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4) SECP256K1_ARG_NONNULL(5) SECP256K1_ARG_NONNULL(6) SECP256K1_ARG_NONNULL(7) SECP256K1_ARG_NONNULL(10) SECP256K1_ARG_NONNULL(11)
Produces a bulletproof zero-knowledge proof (zkp) Returns: 1: proof was successfully created 0: pro...
Definition: main_impl.h:639
secp256k1_ge
A group element of the secp256k1 curve, in affine coordinates.
Definition: group.h:14
secp256k1_bulletproof_generators
Definition: main_impl.h:54
secp256k1_generator_generate
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_generator_generate(const secp256k1_context2 *ctx, secp256k1_generator *gen, const unsigned char *seed32) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Generate a generator for the curve.
Definition: main_impl.h:231
SECP256K1_CONTEXT_SIGN
#define SECP256K1_CONTEXT_SIGN
Definition: secp256k1_2.h:168
Generated on Tue Apr 28 2026 00:02:57 for PRCYCoin by   doxygen 1.8.17