Merge main into develop

Author: hdevalence

CHANGELOG.md

@@ -2,6 +2,15 @@
 
 Entries are listed in reverse chronological order.
 
+## 1.0.2
+
+* Updates the library to use the renamed functions in Merlin 1.1.
+* Adds additional validation checks to prevent identity points being used as
+  part of a proof.  This does not appear to have security content, but is
+  intended as a defense-in-depth mechanism.  
+  See [this comment][identity_comment] for more motivation.
+* Documentation tweaks.
+
 ## 1.0.1
 
 * Tweaks to crate metadata.
@@ -20,3 +29,4 @@ Entries are listed in reverse chronological order.
 Initial prerelease version, supporting single and aggregated range proofs, and
 multiparty proof aggregation.
 
+[identity_comment]: https://github.com/dalek-cryptography/bulletproofs/pull/248#discussion_r251916724

Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "bulletproofs"
-version = "1.0.1"
+version = "1.0.2"
 authors = ["Cathie Yun <[email protected]>", 
            "Henry de Valence <[email protected]>",
            "Oleg Andreev <[email protected]>"]
@@ -12,7 +12,7 @@ keywords = ["cryptography", "ristretto", "zero-knowledge", "bulletproofs"]
 description = "A pure-Rust implementation of Bulletproofs using Ristretto"
 
 [dependencies]
-curve25519-dalek = { version = "1", features = ["serde"] }
+curve25519-dalek = { version = "1.0.3", features = ["serde"] }
 subtle = "2"
 sha3 = "0.8"
 digest = "0.8"
@@ -21,7 +21,7 @@ byteorder = "1"
 serde = "1"
 serde_derive = "1"
 failure = "0.1"
-merlin = "1"
+merlin = "1.1"
 clear_on_drop = "0.2"
 
 [dev-dependencies]

README.md

@@ -2,7 +2,7 @@
 
 <img
  width="100%"
- src="https://user-images.githubusercontent.com/698/46373713-9cc40280-c643-11e8-9bfe-2b0586e40369.png"
+ src="https://doc.dalek.rs/assets/bulletproofs-rangeproof.png"
 />
 
 The fastest [Bulletproofs][bp_website] implementation ever, featuring
@@ -145,6 +145,15 @@ assert!(
 );
 # }
 ```
+## Building
+
+To compile successfully, you will need to have nightly Rust installed, rather than stable.
+
+You can install nightly Rust with rustup:
+
+```text
+rustup default nightly
+```
 
 ## Tests and Benchmarks
 

src/inner_product_proof.rs

@@ -112,8 +112,8 @@ impl InnerProductProof {
             L_vec.push(L);
             R_vec.push(R);
 
-            transcript.commit_point(b"L", &L);
-            transcript.commit_point(b"R", &R);
+            transcript.append_point(b"L", &L);
+            transcript.append_point(b"R", &R);
 
             let u = transcript.challenge_scalar(b"u");
             let u_inv = u.invert();
@@ -162,8 +162,8 @@ impl InnerProductProof {
             L_vec.push(L);
             R_vec.push(R);
 
-            transcript.commit_point(b"L", &L);
-            transcript.commit_point(b"R", &R);
+            transcript.append_point(b"L", &L);
+            transcript.append_point(b"R", &R);
 
             let u = transcript.challenge_scalar(b"u");
             let u_inv = u.invert();
@@ -213,8 +213,8 @@ impl InnerProductProof {
 
         let mut challenges = Vec::with_capacity(lg_n);
         for (L, R) in self.L_vec.iter().zip(self.R_vec.iter()) {
-            transcript.commit_point(b"L", L);
-            transcript.commit_point(b"R", R);
+            transcript.validate_and_append_point(b"L", L)?;
+            transcript.validate_and_append_point(b"R", R)?;
             challenges.push(transcript.challenge_scalar(b"u"));
         }
 

src/r1cs/prover.rs

@@ -274,7 +274,7 @@ impl<'t, 'g> Prover<'t, 'g> {
 
         // Add the commitment to the transcript.
         let V = self.pc_gens.commit(v, v_blinding).compress();
-        self.transcript.commit_point(b"V", &V);
+        self.transcript.append_point(b"V", &V);
 
         (V, Variable::Committed(i))
     }
@@ -377,7 +377,7 @@ impl<'t, 'g> Prover<'t, 'g> {
         // We cannot do this in advance because user can commit variables one-by-one,
         // but this suffix provides safe disambiguation because each variable
         // is prefixed with a separate label.
-        self.transcript.commit_u64(b"m", self.v.len() as u64);
+        self.transcript.append_u64(b"m", self.v.len() as u64);
 
         // Create a `TranscriptRng` from the high-level witness data
         //
@@ -397,7 +397,7 @@ impl<'t, 'g> Prover<'t, 'g> {
 
             // Commit the blinding factors for the input wires
             for v_b in &self.v_blinding {
-                builder = builder.commit_witness_bytes(b"v_blinding", v_b.as_bytes());
+                builder = builder.rekey_with_witness_bytes(b"v_blinding", v_b.as_bytes());
             }
 
             use rand::thread_rng;
@@ -450,9 +450,9 @@ impl<'t, 'g> Prover<'t, 'g> {
         )
         .compress();
 
-        self.transcript.commit_point(b"A_I1", &A_I1);
-        self.transcript.commit_point(b"A_O1", &A_O1);
-        self.transcript.commit_point(b"S1", &S1);
+        self.transcript.append_point(b"A_I1", &A_I1);
+        self.transcript.append_point(b"A_O1", &A_O1);
+        self.transcript.append_point(b"S1", &S1);
 
         // Process the remaining constraints.
         self = self.create_randomized_constraints()?;
@@ -527,9 +527,9 @@ impl<'t, 'g> Prover<'t, 'g> {
             )
         };
 
-        self.transcript.commit_point(b"A_I2", &A_I2);
-        self.transcript.commit_point(b"A_O2", &A_O2);
-        self.transcript.commit_point(b"S2", &S2);
+        self.transcript.append_point(b"A_I2", &A_I2);
+        self.transcript.append_point(b"A_O2", &A_O2);
+        self.transcript.append_point(b"S2", &S2);
 
         // 4. Compute blinded vector polynomials l(x) and r(x)
 
@@ -582,11 +582,11 @@ impl<'t, 'g> Prover<'t, 'g> {
         let T_5 = self.pc_gens.commit(t_poly.t5, t_5_blinding).compress();
         let T_6 = self.pc_gens.commit(t_poly.t6, t_6_blinding).compress();
 
-        self.transcript.commit_point(b"T_1", &T_1);
-        self.transcript.commit_point(b"T_3", &T_3);
-        self.transcript.commit_point(b"T_4", &T_4);
-        self.transcript.commit_point(b"T_5", &T_5);
-        self.transcript.commit_point(b"T_6", &T_6);
+        self.transcript.append_point(b"T_1", &T_1);
+        self.transcript.append_point(b"T_3", &T_3);
+        self.transcript.append_point(b"T_4", &T_4);
+        self.transcript.append_point(b"T_5", &T_5);
+        self.transcript.append_point(b"T_6", &T_6);
 
         let u = self.transcript.challenge_scalar(b"u");
         let x = self.transcript.challenge_scalar(b"x");
@@ -628,10 +628,10 @@ impl<'t, 'g> Prover<'t, 'g> {
 
         let e_blinding = x * (i_blinding + x * (o_blinding + x * s_blinding));
 
-        self.transcript.commit_scalar(b"t_x", &t_x);
+        self.transcript.append_scalar(b"t_x", &t_x);
         self.transcript
-            .commit_scalar(b"t_x_blinding", &t_x_blinding);
-        self.transcript.commit_scalar(b"e_blinding", &e_blinding);
+            .append_scalar(b"t_x_blinding", &t_x_blinding);
+        self.transcript.append_scalar(b"e_blinding", &e_blinding);
 
         // Get a challenge value to combine statements for the IPP
         let w = self.transcript.challenge_scalar(b"w");

src/r1cs/verifier.rs

@@ -229,7 +229,7 @@ impl<'t> Verifier<'t> {
         self.V.push(commitment);
 
         // Add the commitment to the transcript.
-        self.transcript.commit_point(b"V", &commitment);
+        self.transcript.append_point(b"V", &commitment);
 
         Variable::Committed(i)
     }
@@ -328,12 +328,12 @@ impl<'t> Verifier<'t> {
         // We cannot do this in advance because user can commit variables one-by-one,
         // but this suffix provides safe disambiguation because each variable
         // is prefixed with a separate label.
-        self.transcript.commit_u64(b"m", self.V.len() as u64);
+        self.transcript.append_u64(b"m", self.V.len() as u64);
 
         let n1 = self.num_vars;
-        self.transcript.commit_point(b"A_I1", &proof.A_I1);
-        self.transcript.commit_point(b"A_O1", &proof.A_O1);
-        self.transcript.commit_point(b"S1", &proof.S1);
+        self.transcript.append_point(b"A_I1", &proof.A_I1);
+        self.transcript.append_point(b"A_O1", &proof.A_O1);
+        self.transcript.append_point(b"S1", &proof.S1);
 
         // Process the remaining constraints.
         self = self.create_randomized_constraints()?;
@@ -354,27 +354,27 @@ impl<'t> Verifier<'t> {
         // We are performing a single-party circuit proof, so party index is 0.
         let gens = bp_gens.share(0);
 
-        self.transcript.commit_point(b"A_I2", &proof.A_I2);
-        self.transcript.commit_point(b"A_O2", &proof.A_O2);
-        self.transcript.commit_point(b"S2", &proof.S2);
+        self.transcript.append_point(b"A_I2", &proof.A_I2);
+        self.transcript.append_point(b"A_O2", &proof.A_O2);
+        self.transcript.append_point(b"S2", &proof.S2);
 
         let y = self.transcript.challenge_scalar(b"y");
         let z = self.transcript.challenge_scalar(b"z");
 
-        self.transcript.commit_point(b"T_1", &proof.T_1);
-        self.transcript.commit_point(b"T_3", &proof.T_3);
-        self.transcript.commit_point(b"T_4", &proof.T_4);
-        self.transcript.commit_point(b"T_5", &proof.T_5);
-        self.transcript.commit_point(b"T_6", &proof.T_6);
+        self.transcript.append_point(b"T_1", &proof.T_1);
+        self.transcript.append_point(b"T_3", &proof.T_3);
+        self.transcript.append_point(b"T_4", &proof.T_4);
+        self.transcript.append_point(b"T_5", &proof.T_5);
+        self.transcript.append_point(b"T_6", &proof.T_6);
 
         let u = self.transcript.challenge_scalar(b"u");
         let x = self.transcript.challenge_scalar(b"x");
 
-        self.transcript.commit_scalar(b"t_x", &proof.t_x);
+        self.transcript.append_scalar(b"t_x", &proof.t_x);
         self.transcript
-            .commit_scalar(b"t_x_blinding", &proof.t_x_blinding);
+            .append_scalar(b"t_x_blinding", &proof.t_x_blinding);
         self.transcript
-            .commit_scalar(b"e_blinding", &proof.e_blinding);
+            .append_scalar(b"e_blinding", &proof.e_blinding);
 
         let w = self.transcript.challenge_scalar(b"w");
 

src/range_proof/dealer.rs

@@ -95,15 +95,15 @@ impl<'a, 'b> DealerAwaitingBitCommitments<'a, 'b> {
 
         // Commit each V_j individually
         for vc in bit_commitments.iter() {
-            self.transcript.commit_point(b"V", &vc.V_j);
+            self.transcript.append_point(b"V", &vc.V_j);
         }
 
         // Commit aggregated A_j, S_j
         let A: RistrettoPoint = bit_commitments.iter().map(|vc| vc.A_j).sum();
-        self.transcript.commit_point(b"A", &A.compress());
+        self.transcript.append_point(b"A", &A.compress());
 
         let S: RistrettoPoint = bit_commitments.iter().map(|vc| vc.S_j).sum();
-        self.transcript.commit_point(b"S", &S.compress());
+        self.transcript.append_point(b"S", &S.compress());
 
         let y = self.transcript.challenge_scalar(b"y");
         let z = self.transcript.challenge_scalar(b"z");
@@ -159,8 +159,8 @@ impl<'a, 'b> DealerAwaitingPolyCommitments<'a, 'b> {
         let T_1: RistrettoPoint = poly_commitments.iter().map(|pc| pc.T_1_j).sum();
         let T_2: RistrettoPoint = poly_commitments.iter().map(|pc| pc.T_2_j).sum();
 
-        self.transcript.commit_point(b"T_1", &T_1.compress());
-        self.transcript.commit_point(b"T_2", &T_2.compress());
+        self.transcript.append_point(b"T_1", &T_1.compress());
+        self.transcript.append_point(b"T_2", &T_2.compress());
 
         let x = self.transcript.challenge_scalar(b"x");
         let poly_challenge = PolyChallenge { x };
@@ -222,10 +222,10 @@ impl<'a, 'b> DealerAwaitingProofShares<'a, 'b> {
         let t_x_blinding: Scalar = proof_shares.iter().map(|ps| ps.t_x_blinding).sum();
         let e_blinding: Scalar = proof_shares.iter().map(|ps| ps.e_blinding).sum();
 
-        self.transcript.commit_scalar(b"t_x", &t_x);
+        self.transcript.append_scalar(b"t_x", &t_x);
         self.transcript
-            .commit_scalar(b"t_x_blinding", &t_x_blinding);
-        self.transcript.commit_scalar(b"e_blinding", &e_blinding);
+            .append_scalar(b"t_x_blinding", &t_x_blinding);
+        self.transcript.append_scalar(b"e_blinding", &e_blinding);
 
         // Get a challenge value to combine statements for the IPP
         let w = self.transcript.challenge_scalar(b"w");

src/range_proof/mod.rs

@@ -287,24 +287,27 @@ impl RangeProof {
         transcript.rangeproof_domain_sep(n as u64, m as u64);
 
         for V in value_commitments.iter() {
-            transcript.commit_point(b"V", V);
+            // Allow the commitments to be zero (0 value, 0 blinding)
+            // See https://github.com/dalek-cryptography/bulletproofs/pull/248#discussion_r255167177
+            transcript.append_point(b"V", V);
         }
-        transcript.commit_point(b"A", &self.A);
-        transcript.commit_point(b"S", &self.S);
+
+        transcript.validate_and_append_point(b"A", &self.A)?;
+        transcript.validate_and_append_point(b"S", &self.S)?;
 
         let y = transcript.challenge_scalar(b"y");
         let z = transcript.challenge_scalar(b"z");
         let zz = z * z;
         let minus_z = -z;
 
-        transcript.commit_point(b"T_1", &self.T_1);
-        transcript.commit_point(b"T_2", &self.T_2);
+        transcript.validate_and_append_point(b"T_1", &self.T_1)?;
+        transcript.validate_and_append_point(b"T_2", &self.T_2)?;
 
         let x = transcript.challenge_scalar(b"x");
 
-        transcript.commit_scalar(b"t_x", &self.t_x);
-        transcript.commit_scalar(b"t_x_blinding", &self.t_x_blinding);
-        transcript.commit_scalar(b"e_blinding", &self.e_blinding);
+        transcript.append_scalar(b"t_x", &self.t_x);
+        transcript.append_scalar(b"t_x_blinding", &self.t_x_blinding);
+        transcript.append_scalar(b"e_blinding", &self.e_blinding);
 
         let w = transcript.challenge_scalar(b"w");