Skip to content

Commit 53b5266

Browse files
hdevalencehdevalence
committed
Disentangle PedersenGens from BulletproofGens
1 parent d43f08b commit 53b5266

File tree

7 files changed

+190
-201
lines changed

7 files changed

+190
-201
lines changed

benches/bulletproofs.rs

Lines changed: 15 additions & 15 deletions
Original file line numberDiff line numberDiff line change
@@ -4,7 +4,7 @@ extern crate criterion;
44
use criterion::Criterion;
55

66
extern crate rand;
7-
use rand::{rngs::OsRng, Rng};
7+
use rand::Rng;
88

99
extern crate curve25519_dalek;
1010
use curve25519_dalek::scalar::Scalar;
@@ -22,8 +22,9 @@ fn create_aggregated_rangeproof_helper(n: usize, c: &mut Criterion) {
2222
c.bench_function_over_inputs(
2323
&label,
2424
move |b, &&m| {
25-
let generators = BulletproofGens::new(PedersenGens::default(), n, m);
26-
let mut rng = OsRng::new().unwrap();
25+
let pc_gens = PedersenGens::default();
26+
let bp_gens = BulletproofGens::new(n, m);
27+
let mut rng = rand::thread_rng();
2728

2829
let (min, max) = (0u64, ((1u128 << n) - 1) as u64);
2930
let values: Vec<u64> = (0..m).map(|_| rng.gen_range(min, max)).collect();
@@ -34,9 +35,9 @@ fn create_aggregated_rangeproof_helper(n: usize, c: &mut Criterion) {
3435
let mut transcript = Transcript::new(b"AggregateRangeProofBenchmark");
3536

3637
RangeProof::prove_multiple(
37-
&generators,
38+
&bp_gens,
39+
&pc_gens,
3840
&mut transcript,
39-
&mut rng,
4041
&values,
4142
&blindings,
4243
n,
@@ -69,40 +70,39 @@ fn verify_aggregated_rangeproof_helper(n: usize, c: &mut Criterion) {
6970
c.bench_function_over_inputs(
7071
&label,
7172
move |b, &&m| {
72-
let generators = BulletproofGens::new(PedersenGens::default(), n, m);
73-
let mut rng = OsRng::new().unwrap();
73+
let pc_gens = PedersenGens::default();
74+
let bp_gens = BulletproofGens::new(n, m);
75+
let mut rng = rand::thread_rng();
7476

7577
let (min, max) = (0u64, ((1u128 << n) - 1) as u64);
7678
let values: Vec<u64> = (0..m).map(|_| rng.gen_range(min, max)).collect();
7779
let blindings: Vec<Scalar> = (0..m).map(|_| Scalar::random(&mut rng)).collect();
7880

7981
let mut transcript = Transcript::new(b"AggregateRangeProofBenchmark");
8082
let proof = RangeProof::prove_multiple(
81-
&generators,
83+
&bp_gens,
84+
&pc_gens,
8285
&mut transcript,
83-
&mut rng,
8486
&values,
8587
&blindings,
8688
n,
8789
).unwrap();
8890

89-
// XXX would be nice to have some convenience API for this
90-
let pg = &generators.pedersen_gens;
9191
let value_commitments: Vec<_> = values
9292
.iter()
9393
.zip(blindings.iter())
94-
.map(|(&v, &v_blinding)| pg.commit(Scalar::from(v), v_blinding))
94+
.map(|(&v, &v_blinding)| pc_gens.commit(v.into(), v_blinding))
9595
.collect();
9696

9797
b.iter(|| {
9898
// Each proof creation requires a clean transcript.
9999
let mut transcript = Transcript::new(b"AggregateRangeProofBenchmark");
100100

101101
proof.verify(
102-
&value_commitments,
103-
&generators,
102+
&bp_gens,
103+
&pc_gens,
104104
&mut transcript,
105-
&mut rng,
105+
&value_commitments,
106106
n,
107107
)
108108
});

src/generators.rs

Lines changed: 22 additions & 38 deletions
Original file line numberDiff line numberDiff line change
@@ -85,8 +85,6 @@ impl Iterator for GeneratorsChain {
8585
/// aggregating `m` range proofs of `n` bits each.
8686
#[derive(Clone)]
8787
pub struct BulletproofGens {
88-
/// Bases for Pedersen commitments
89-
pub pedersen_gens: PedersenGens,
9088
/// The maximum number of usable generators for each party.
9189
pub gens_capacity: usize,
9290
/// Number of values or parties
@@ -102,58 +100,46 @@ impl BulletproofGens {
102100
///
103101
/// # Inputs
104102
///
105-
/// * `pedersen_gens` is a pair of generators used for Pedersen
106-
/// commitments.
107103
/// * `gens_capacity` is the number of generators to precompute
108104
/// for each party. For rangeproofs, it is sufficient to pass
109105
/// `64`, the maximum bitsize of the rangeproofs. For circuit
110106
/// proofs, the capacity must be greater than the number of
111107
/// multipliers, rounded up to the next power of two.
112108
/// * `party_capacity` is the maximum number of parties that can
113109
/// produce an aggregated proof.
114-
pub fn new(
115-
pedersen_gens: PedersenGens,
116-
gens_capacity: usize,
117-
party_capacity: usize,
118-
) -> Self {
110+
pub fn new(gens_capacity: usize, party_capacity: usize) -> Self {
119111
use byteorder::{ByteOrder, LittleEndian};
120112

121-
let G_vec = (0..party_capacity)
122-
.map(|i| {
123-
let party_index = i as u32;
124-
let mut label = [b'G', 0, 0, 0, 0];
125-
LittleEndian::write_u32(&mut label[1..5], party_index);
126-
127-
GeneratorsChain::new(&label)
128-
.take(gens_capacity)
129-
.collect::<Vec<_>>()
130-
}).collect();
131-
132-
let H_vec = (0..party_capacity)
133-
.map(|i| {
134-
let party_index = i as u32;
135-
let mut label = [b'H', 0, 0, 0, 0];
136-
LittleEndian::write_u32(&mut label[1..5], party_index);
137-
138-
GeneratorsChain::new(&label)
139-
.take(gens_capacity)
140-
.collect::<Vec<_>>()
141-
}).collect();
142-
143113
BulletproofGens {
144-
pedersen_gens,
145114
gens_capacity,
146115
party_capacity,
147-
G_vec,
148-
H_vec,
116+
G_vec: (0..party_capacity)
117+
.map(|i| {
118+
let party_index = i as u32;
119+
let mut label = [b'G', 0, 0, 0, 0];
120+
LittleEndian::write_u32(&mut label[1..5], party_index);
121+
122+
GeneratorsChain::new(&label)
123+
.take(gens_capacity)
124+
.collect::<Vec<_>>()
125+
}).collect(),
126+
H_vec: (0..party_capacity)
127+
.map(|i| {
128+
let party_index = i as u32;
129+
let mut label = [b'H', 0, 0, 0, 0];
130+
LittleEndian::write_u32(&mut label[1..5], party_index);
131+
132+
GeneratorsChain::new(&label)
133+
.take(gens_capacity)
134+
.collect::<Vec<_>>()
135+
}).collect(),
149136
}
150137
}
151138

152139
/// Returns j-th share of generators, with an appropriate
153140
/// slice of vectors G and H for the j-th range proof.
154141
pub fn share(&self, j: usize) -> BulletproofGensShare {
155142
BulletproofGensShare {
156-
pedersen_gens: &self.pedersen_gens,
157143
gens: &self,
158144
share: j,
159145
}
@@ -221,8 +207,6 @@ impl<'a> Iterator for AggregatedGensIter<'a> {
221207
/// represents the generators for one of the `m` parties' shares.
222208
#[derive(Copy, Clone)]
223209
pub struct BulletproofGensShare<'a> {
224-
/// Bases for Pedersen commitments
225-
pub pedersen_gens: &'a PedersenGens,
226210
/// The parent object that this is a view into
227211
gens: &'a BulletproofGens,
228212
/// Which share we are
@@ -248,7 +232,7 @@ mod tests {
248232

249233
#[test]
250234
fn aggregated_gens_iter_matches_flat_map() {
251-
let gens = BulletproofGens::new(PedersenGens::default(), 64, 8);
235+
let gens = BulletproofGens::new(64, 8);
252236

253237
let helper = |n: usize, m: usize| {
254238
let agg_G: Vec<RistrettoPoint> = gens.G(n, m).cloned().collect();

src/inner_product_proof.rs

Lines changed: 4 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -336,10 +336,10 @@ mod tests {
336336
fn test_helper_create(n: usize) {
337337
let mut rng = OsRng::new().unwrap();
338338

339-
use generators::{BulletproofGens, PedersenGens};
340-
let gens = BulletproofGens::new(PedersenGens::default(), n, 1);
341-
let G: Vec<RistrettoPoint> = gens.share(0).G(n).cloned().collect();
342-
let H: Vec<RistrettoPoint> = gens.share(0).H(n).cloned().collect();
339+
use generators::BulletproofGens;
340+
let bp_gens = BulletproofGens::new(n, 1);
341+
let G: Vec<RistrettoPoint> = bp_gens.share(0).G(n).cloned().collect();
342+
let H: Vec<RistrettoPoint> = bp_gens.share(0).H(n).cloned().collect();
343343

344344
// Q would be determined upstream in the protocol, so we pick a random one.
345345
let Q = RistrettoPoint::hash_from_bytes::<Sha3_512>(b"test point");

src/range_proof/dealer.rs

Lines changed: 32 additions & 26 deletions
Original file line numberDiff line numberDiff line change
@@ -7,10 +7,9 @@
77
use curve25519_dalek::ristretto::RistrettoPoint;
88
use curve25519_dalek::scalar::Scalar;
99
use merlin::Transcript;
10-
use rand::{CryptoRng, Rng};
1110

1211
use errors::MPCError;
13-
use generators::BulletproofGens;
12+
use generators::{BulletproofGens, PedersenGens};
1413
use inner_product_proof;
1514
use range_proof::RangeProof;
1615
use transcript::TranscriptProtocol;
@@ -25,21 +24,22 @@ pub struct Dealer {}
2524
impl Dealer {
2625
/// Creates a new dealer coordinating `m` parties proving `n`-bit ranges.
2726
pub fn new<'a, 'b>(
28-
gens: &'b BulletproofGens,
27+
bp_gens: &'b BulletproofGens,
28+
pc_gens: &'b PedersenGens,
29+
transcript: &'a mut Transcript,
2930
n: usize,
3031
m: usize,
31-
transcript: &'a mut Transcript,
3232
) -> Result<DealerAwaitingValueCommitments<'a, 'b>, MPCError> {
3333
if !(n == 8 || n == 16 || n == 32 || n == 64) {
3434
return Err(MPCError::InvalidBitsize);
3535
}
3636
if !m.is_power_of_two() {
3737
return Err(MPCError::InvalidAggregation);
3838
}
39-
if gens.gens_capacity < n {
39+
if bp_gens.gens_capacity < n {
4040
return Err(MPCError::InvalidGeneratorsLength);
4141
}
42-
if gens.party_capacity < m {
42+
if bp_gens.party_capacity < m {
4343
return Err(MPCError::InvalidGeneratorsLength);
4444
}
4545

@@ -60,25 +60,27 @@ impl Dealer {
6060
transcript.rangeproof_domain_sep(n as u64, m as u64);
6161

6262
Ok(DealerAwaitingValueCommitments {
63-
n,
64-
m,
63+
bp_gens,
64+
pc_gens,
6565
transcript,
6666
initial_transcript,
67-
gens,
67+
n,
68+
m,
6869
})
6970
}
7071
}
7172

7273
/// The initial dealer state, waiting for the parties to send value
7374
/// commitments.
7475
pub struct DealerAwaitingValueCommitments<'a, 'b> {
75-
n: usize,
76-
m: usize,
76+
bp_gens: &'b BulletproofGens,
77+
pc_gens: &'b PedersenGens,
7778
transcript: &'a mut Transcript,
7879
/// The dealer keeps a copy of the initial transcript state, so
7980
/// that it can attempt to verify the aggregated proof at the end.
8081
initial_transcript: Transcript,
81-
gens: &'b BulletproofGens,
82+
n: usize,
83+
m: usize,
8284
}
8385

8486
impl<'a, 'b> DealerAwaitingValueCommitments<'a, 'b> {
@@ -114,7 +116,8 @@ impl<'a, 'b> DealerAwaitingValueCommitments<'a, 'b> {
114116
m: self.m,
115117
transcript: self.transcript,
116118
initial_transcript: self.initial_transcript,
117-
gens: self.gens,
119+
bp_gens: self.bp_gens,
120+
pc_gens: self.pc_gens,
118121
value_challenge,
119122
value_commitments,
120123
A,
@@ -130,7 +133,8 @@ pub struct DealerAwaitingPolyCommitments<'a, 'b> {
130133
m: usize,
131134
transcript: &'a mut Transcript,
132135
initial_transcript: Transcript,
133-
gens: &'b BulletproofGens,
136+
bp_gens: &'b BulletproofGens,
137+
pc_gens: &'b PedersenGens,
134138
value_challenge: ValueChallenge,
135139
value_commitments: Vec<ValueCommitment>,
136140
/// Aggregated commitment to the parties' bits
@@ -164,7 +168,8 @@ impl<'a, 'b> DealerAwaitingPolyCommitments<'a, 'b> {
164168
m: self.m,
165169
transcript: self.transcript,
166170
initial_transcript: self.initial_transcript,
167-
gens: self.gens,
171+
bp_gens: self.bp_gens,
172+
pc_gens: self.pc_gens,
168173
value_challenge: self.value_challenge,
169174
value_commitments: self.value_commitments,
170175
A: self.A,
@@ -184,7 +189,8 @@ pub struct DealerAwaitingProofShares<'a, 'b> {
184189
m: usize,
185190
transcript: &'a mut Transcript,
186191
initial_transcript: Transcript,
187-
gens: &'b BulletproofGens,
192+
bp_gens: &'b BulletproofGens,
193+
pc_gens: &'b PedersenGens,
188194
value_challenge: ValueChallenge,
189195
value_commitments: Vec<ValueCommitment>,
190196
poly_challenge: PolyChallenge,
@@ -217,7 +223,7 @@ impl<'a, 'b> DealerAwaitingProofShares<'a, 'b> {
217223

218224
// Get a challenge value to combine statements for the IPP
219225
let w = self.transcript.challenge_scalar(b"w");
220-
let Q = w * self.gens.pedersen_gens.B;
226+
let Q = w * self.pc_gens.B;
221227

222228
let l_vec: Vec<Scalar> = proof_shares
223229
.iter()
@@ -232,8 +238,8 @@ impl<'a, 'b> DealerAwaitingProofShares<'a, 'b> {
232238
self.transcript,
233239
&Q,
234240
util::exp_iter(self.value_challenge.y.invert()),
235-
self.gens.G(self.n, self.m).cloned().collect(),
236-
self.gens.H(self.n, self.m).cloned().collect(),
241+
self.bp_gens.G(self.n, self.m).cloned().collect(),
242+
self.bp_gens.H(self.n, self.m).cloned().collect(),
237243
l_vec,
238244
r_vec,
239245
);
@@ -258,25 +264,25 @@ impl<'a, 'b> DealerAwaitingProofShares<'a, 'b> {
258264
/// error.
259265
///
260266
/// XXX define error types so we can surface the blame info
261-
pub fn receive_shares<R: Rng + CryptoRng>(
262-
mut self,
263-
rng: &mut R,
264-
proof_shares: &[ProofShare],
265-
) -> Result<RangeProof, MPCError> {
267+
pub fn receive_shares(mut self, proof_shares: &[ProofShare]) -> Result<RangeProof, MPCError> {
266268
let proof = self.assemble_shares(proof_shares)?;
267269

268270
let V: Vec<_> = self.value_commitments.iter().map(|vc| vc.V_j).collect();
269271

270272
// See comment in `Dealer::new` for why we use `initial_transcript`
271273
let transcript = &mut self.initial_transcript;
272-
if proof.verify(&V, self.gens, transcript, rng, self.n).is_ok() {
274+
if proof
275+
.verify(self.bp_gens, self.pc_gens, transcript, &V, self.n)
276+
.is_ok()
277+
{
273278
Ok(proof)
274279
} else {
275280
// Proof verification failed. Now audit the parties:
276281
let mut bad_shares = Vec::new();
277282
for j in 0..self.m {
278283
match proof_shares[j].audit_share(
279-
&self.gens,
284+
&self.bp_gens,
285+
&self.pc_gens,
280286
j,
281287
&self.value_commitments[j],
282288
&self.value_challenge,

0 commit comments

Comments
 (0)