Allow user to pass a list of values of arbitrary length to generate p…

…roof

Bulletproofs/MultiRangeProof/Prover.hs

@@ -34,7 +34,8 @@ generateProof upperBound vsAndvBlindings = do
      Nothing -> throwE $ NNotPowerOf2 upperBound
      Just n -> do
        unless (checkRanges n vs) $ throwE $ ValuesNotInRange vs
-       lift $ generateProofUnsafe upperBound vsAndvBlindings
+
+       lift $ generateProofUnsafe upperBound vsAndvBlindingsExp2
 
   where
     doubleLogM :: Maybe Integer
@@ -43,6 +44,10 @@ generateProof upperBound vsAndvBlindings = do
       logBase2M x
       pure x
     vs = fst <$> vsAndvBlindings
+    m = length vsAndvBlindings
+    residue = replicate (2 ^ log2Ceil m - m) (0, 0)
+    -- Vector of values passed must be of length 2^x
+    vsAndvBlindingsExp2 = vsAndvBlindings ++ residue
 
 
 -- | Generate range proof from valid inputs
@@ -94,7 +99,6 @@ generateProofUnsafe upperBound vsAndvBlindings = do
     panic "Error on: t1 = dotp l1 r0 + dotp l0 r1"
 
   let tBlinding = sum (zipWith (\vBlindingFq j -> fqPower z (j + 1) * vBlindingFq) vBlindingsFq [1..m])
-               {-foldl' (\acc (vBlindingFq, j) -> acc + (fqPower z (j+1) * vBlindingFq)) (Fq.new 0) (zip vBlindingsFq [1..m])-}
                 + (t2Blinding * fqSquare x)
                 + (t1Blinding * x)
       mu = aBlinding + (sBlinding * x)

Bulletproofs/MultiRangeProof/Verifier.hs

@@ -30,15 +30,19 @@ verifyProof
   -> Bool
 verifyProof upperBound vCommits proof@RangeProof{..}
   = and
-      [ verifyTPoly n vCommits proof x y z
-      , verifyLRCommitment n m proof x y z
+      [ verifyTPoly n vCommitsExp2 proof x y z
+      , verifyLRCommitment n mExp2 proof x y z
       ]
   where
     x = shamirX aCommit sCommit t1Commit t2Commit y z
     y = shamirY aCommit sCommit
     z = shamirZ aCommit sCommit y
     n = logBase2 upperBound
-    m = fromIntegral $ length vCommits
+    m = length vCommits
+    -- Vector of values passed must be of length 2^x
+    vCommitsExp2 = vCommits ++ residueCommits
+    residueCommits = replicate (2 ^ log2Ceil m - m) Crypto.PointO
+    mExp2 = fromIntegral $ length vCommitsExp2
 
 -- | Verify the constant term of the polynomial t
 -- t = t(x) = t0 + t1*x + t2*x^2

Bulletproofs/RangeProof/Internal.hs

@@ -126,7 +126,7 @@ obfuscateEncodedBits n aL aR y z
   where
     yN = powerVector y n
 
--- Convert obfuscateEncodedBits into aCommit sCommit single inner product.
+-- Convert obfuscateEncodedBits into a single inner product.
 -- We can afford for this factorization to leave terms “dangling”, but
 -- what’s important is that the aL , aR terms be kept inside
 -- (since they can’t be shared with the Verifier):
@@ -214,9 +214,6 @@ computeLRCommitment n m aCommit sCommit t tBlinding mu x y z hs'
     `addP`
     foldl' addP Crypto.PointO (zipWith mulP hExp hs')     -- (hExp Hs')
     `addP`
-    {-foldl' addP Crypto.PointO (zipWith mulP ((*) (fqSquare z) <$> powerVector 2 n) (sliceHs' 1))     -- (hExp Hs')-}
-    {-`addP`-}
-    {-foldl' addP Crypto.PointO (zipWith mulP ((*) (fqCube z) <$> powerVector 2 n) (sliceHs' 2))     -- (hExp Hs')-}
     foldl'
       (\acc j -> acc `addP` foldl' addP Crypto.PointO (zipWith mulP (hExp' j) (sliceHs' j)))
       Crypto.PointO
@@ -227,8 +224,7 @@ computeLRCommitment n m aCommit sCommit t tBlinding mu x y z hs'
     (t `mulP` u)
     where
       gsSum = foldl' addP Crypto.PointO (take (fromIntegral nm) gs)
-      hExp = ((*) z <$> powerVector y nm)
-              {-`fqAddV` ((*) (fqSquare z) <$> powerVector 2 n)-}
+      hExp = (*) z <$> powerVector y nm
       hExp' j = (*) (fqPower z (j+1)) <$> powerVector 2 n
       sliceHs' j = slice n j hs'
       uChallenge = shamirU tBlinding mu t

Bulletproofs/Utils.hs

@@ -13,7 +13,9 @@ module Bulletproofs.Utils (
   powerVector,
   logBase2,
   logBase2M,
-  slice
+  log2Ceil,
+  slice,
+  padToNearestPowerOfTwo
 ) where
 
 import Protolude
@@ -73,6 +75,33 @@ logBase2M x
 slice :: Integer -> Integer -> [a] -> [a]
 slice n j vs = take (fromIntegral $ j  * n - (j - 1)*n) (drop (fromIntegral $ (j - 1) * n) vs)
 
+-- | Append minimal amount of zeroes until the list has a length which
+-- is a power of two.
+padToNearestPowerOfTwo
+  :: Num f => [f] -> [f]
+padToNearestPowerOfTwo [] = []
+padToNearestPowerOfTwo xs = padToNearestPowerOfTwoOf (length xs) xs
+
+-- | Given n, append zeroes until the list has length 2^n.
+padToNearestPowerOfTwoOf
+  :: Num f
+  => Int -- ^ n
+  -> [f] -- ^ list which should have length <= 2^n
+  -> [f] -- ^ list which will have length 2^n
+padToNearestPowerOfTwoOf i xs = xs ++ replicate padLength 0
+  where
+    padLength = nearestPowerOfTwo - length xs
+    nearestPowerOfTwo = 2 ^ log2Ceil i
+
+-- | Calculate ceiling of log base 2 of an integer.
+log2Ceil :: Int -> Int
+log2Ceil x = floorLog + correction
+  where
+    floorLog = finiteBitSize x - 1 - countLeadingZeros x
+    correction = if countTrailingZeros x < floorLog
+                 then 1
+                 else 0
+
 --------------------------------------------------
 -- Fiat-Shamir transformations
 --------------------------------------------------

tests/TestProtocol.hs

@@ -10,7 +10,7 @@ import Test.QuickCheck
 import qualified Test.QuickCheck.Monadic as QCM
 
 import Crypto.Random.Types (MonadRandom(..))
-import Crypto.Number.Generate (generateMax)
+import Crypto.Number.Generate (generateMax, generateBetween)
 import qualified Crypto.PubKey.ECC.Generate as Crypto
 import qualified Crypto.PubKey.ECC.Prim as Crypto
 import qualified Crypto.PubKey.ECC.Types as Crypto
@@ -205,7 +205,7 @@ test_completeness :: TestTree
 test_completeness = localOption (QuickCheckTests 10) $
   testProperty "Test multi range proof completeness" $ QCM.monadicIO $ do
     n <- QCM.run $ (2 ^) <$> generateMax 8
-    m <- QCM.run $ (2 ^) <$> generateMax 3
+    m <- QCM.run $ generateBetween 1 10
     ctx <- QCM.run $ replicateM (fromIntegral m) (setupV n)
     let upperBound = getUpperBound n