feat: add extended ristretto commitment factory and pedersen generators #99
Conversation
Add extended commitment factory Added extended ristretto commitment factory for Pedersen commitments making use of the extended Pedersen generators in the Tari Bulletproofs+ library.
hansieodendaal
changed the title
src/ristretto/constants.rs
Outdated
| let mut data = b"TARI CRYPTO - ".to_vec(); | ||
| data.append(&mut i.to_le_bytes().to_vec()); | ||
| data.append(&mut val.to_vec()); |
There was a problem hiding this comment.
Is there a particular reason to bind the base point to these generators? They're still NUMS if you simply use an indexed hash. I also recommend using a more descriptive domain separator that makes the intent of the generators more clear.
Depending on efficiency, you could also use Blake2b, which has specific safe functionality for domain separation (the persona parameter) and index-type functionality (the salt parameter, or simply passing the index as fixed-encoding input).
There was a problem hiding this comment.
Updated as suggested, although I did not change the hash function as hashing performance is not an issue for the test case that generates the test vector for the NUMS constants.
| fn zero(&self) -> PedersenCommitment { | ||
| let extension_degree = self.0.extension_degree as usize; | ||
| let zero = vec![Scalar::zero(); extension_degree + 1]; | ||
| let mut points = Vec::with_capacity(extension_degree + 1); | ||
| points.push(self.0.h_base); | ||
| points.append(&mut self.0.g_base_vec.clone()); | ||
| let c = RistrettoPoint::multiscalar_mul(&zero, &self.0.g_base_vec); | ||
| HomomorphicCommitment(RistrettoPublicKey::new_from_pk(c)) | ||
| } |
There was a problem hiding this comment.
This must always return the group identity, so there's no need to compute this multiscalar multiplication.
There was a problem hiding this comment.
Updated and added a specific test case for it
There was a problem hiding this comment.
It may be useful to add a test that asserts the NUMS points are unique and all non-zero, to catch the case where the hashing implementation has failed catastrophically. This isn't sufficient to guarantee the generators are sufficiently independent, but the failure of such a test would immediately imply commitments are trivially non-binding.
hansieodendaal
changed the title
…ent_factory-patch fix: use a slice directly in the extended_commitment_factory
hansieodendaal
changed the title
| impl ExtendedPedersenCommitmentFactory { | ||
| /// Create a new Extended Pedersen Ristretto Commitment factory for the required extension degree using | ||
| /// pre-calculated compressed constants - we only hold references to the static generator points. | ||
| pub fn new_with_extension_degree(extension_degree: ExtensionDegree) -> Result<Self, CommitmentError> { |
There was a problem hiding this comment.
I'm not too fond of the use of ExtensionDegree here. The type is in the bulletproofs_plus crate, meaning that you can't use this crate without Bulletproofs, for example, if it were hidden behind a feature flag. PedersonGens is perhaps in the wrong crate, or perhaps we should use a field in the ExtendedPedersonCommitmentFactory gens: Vec<RistrettoPoint>
There was a problem hiding this comment.
As we are dependent on
use bulletproofs_plus::{generators::pedersen_gens::ExtensionDegree, PedersenGens};
here and if we need to remove the dependency I think the most elegant solution would be to completely move generators out of bulletproofs_plus into its own crate.
If that solution is acceptable I propose we deal with that as a separate series of PRs.
There was a problem hiding this comment.
Good point. Would it be better to rewrite ExtensionDegree as a newtype around u64 rather than an enum, since the code in bp+ always converts it to an int anyway.
You could then add an adapter type in tari_crypto to resolve the dependency issue.
hansieodendaal
changed the title
hansieodendaal
changed the title
Added extended ristretto commitment factory for Pedersen commitments making use of the extended Pedersen generators in the Tari Bulletproofs+ library.
Notes:
RISTRETTO_NUMS_POINTShave been updated by sequentially hashing the domain separated Ristretto255 generator point instead of sequentially hashing the generator point only. Domain separated hashing is less likely to result in unintended collisions or reuse elsewhere.ExtendedHomomorphicCommitmentFactorytrait has been addedristretto/pedersenhas been changed into a module that definespedersen/commitment_factoryandpedersen/extended_commitment_factoryPedersenCommitmentFactoryandExtendedPedersenCommitmentFactoryuse the same baseGandHgenerator points so that each factory produces the same commitments for their default implementation.ExtendedPedersenCommitmentFactory:ExtensionDegree::Zero'Ord' and 'PartialOrd' are undefined for extended commitments other thanExtensionDegree::ZeroHomomorphicCommitmentFactoryhas also been implemented forExtendedPedersenCommitmentFactoryso that its default invocation is compatible with all methods ofPedersenCommitmentFactory.The next PR will include the
ExtendedRangeProofServicetrait andBulletProofsPlusService.