Unify definition of generator H
Fixes #24.
thomaseizinger committed May 19, 2021
1 parent 9bfb444 commit 65f8786
Showing 5 changed files with 15 additions and 27 deletions.
2 changes: 1 addition & 1 deletion Cargo.toml
Expand Up @@ -36,7 +36,7 @@ subtle = { version = "2", default-features = false }
hash_edwards_to_edwards = { git = "https://github.com/comit-network/hash_edwards_to_edwards" }
integer-encoding = "3"
rand = { version = "0.7", optional = true }
lazy_static = "1"
conquer-once = "0.3"
clear_on_drop = { version = "0.2", default-features = false }
itertools = "0.10"

18 changes: 2 additions & 16 deletions src/bulletproof/generators.rs
@@ -1,29 +1,15 @@
//! The `generators` module contains API for producing a set of
//! generators for a rangeproof.
use crate::util::key::H;
use curve25519_dalek::constants::ED25519_BASEPOINT_POINT;
use curve25519_dalek::edwards::{CompressedEdwardsY, EdwardsPoint};
use curve25519_dalek::edwards::EdwardsPoint;
use curve25519_dalek::scalar::Scalar;
use curve25519_dalek::traits::MultiscalarMul;
use hash_edwards_to_edwards::hash_to_point;
use integer_encoding::VarInt;
use keccak_hash::keccak_256;

// TODO: Remove this
lazy_static::lazy_static! {
/// Alternate generator of ed25519.
///
/// Obtained by hashing `curve25519_dalek::constants::ED25519_BASEPOINT_POINT`.
/// Originally used in Monero Ring Confidential Transactions.
pub static ref H: EdwardsPoint = {
CompressedEdwardsY(hex_literal::hex!(
"8b655970153799af2aeadc9ff1add0ea6c7251d54154cfa92c173a0dd39c1f94"
))
.decompress()
.expect("edwards point")
};
}

/// Represents a pair of base points for Pedersen commitments.
///
/// The Bulletproofs implementation and API is designed to support
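Review bot: Replacing the public `pub static ref H` with a private `use crate::util::key::H;` silently removes `bulletproof::generators::H` from the crate's public API, so any external caller of that path stops compiling even though the commit message only says "unify". If that path was ever meant to be public, keep it alive with `pub use crate::util::key::H;` instead of the plain `use`, or call the removal out as a breaking change. The removed doc comment was also the only place stating how the point was obtained (hashing the Ed25519 basepoint, as in Monero RingCT); that rationale should not be lost when the definition moves. The rest of the module, including the `PedersenGens` definition this doc comment belongs to, is outside the hunk.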
8 changes: 4 additions & 4 deletions src/clsag.rs
Expand Up @@ -93,13 +93,13 @@ mod tests {
let mut commitment_ring =
random_array(|| Scalar::random(&mut rng) * ED25519_BASEPOINT_POINT);
commitment_ring[signing_key_index] = real_commitment_blinding * ED25519_BASEPOINT_POINT
+ Scalar::from(amount_to_spend) * H.point.decompress().unwrap();
+ Scalar::from(amount_to_spend) * *H;

let fee_key = Scalar::from(fee) * H.point.decompress().unwrap();
let fee_key = Scalar::from(fee) * *H;

let out_pk_blinding = Scalar::random(&mut rng);
let out_pk = out_pk_blinding * ED25519_BASEPOINT_POINT
+ Scalar::from(output_amount) * H.point.decompress().unwrap();
let out_pk =
out_pk_blinding * ED25519_BASEPOINT_POINT + Scalar::from(output_amount) * *H;

let pseudo_output_commitment = fee_key + out_pk;

11 changes: 7 additions & 4 deletions src/util/key.rs
Expand Up @@ -75,6 +75,7 @@ use thiserror::Error;
use crate::consensus::encode::{self, Decodable, Encodable};
use crate::cryptonote::hash;

use conquer_once::Lazy;
#[cfg(feature = "serde_support")]
use serde::{Deserialize, Serialize};

Expand Down Expand Up @@ -502,11 +503,13 @@ impl hash::Hashable for PublicKey {
/// Alternative generator `H` used for pedersen commitments, as defined in
/// [`rctTypes.h`](https://github.com/monero-project/monero/blob/master/src/ringct/rctTypes.h#L555)
/// in the Monero codebase.
pub const H: PublicKey = PublicKey {
point: CompressedEdwardsY(hex!(
pub static H: Lazy<EdwardsPoint> = Lazy::new(|| {
CompressedEdwardsY(hex!(
"8b655970153799af2aeadc9ff1add0ea6c7251d54154cfa92c173a0dd39c1f94"
)),
};
))
.decompress()
.unwrap()
});

/// Two private keys representing the view and the spend keys.
#[derive(Debug)]
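Review bot: The new `Lazy<EdwardsPoint>` initialiser ends in a bare `.unwrap()` that now fires lazily on the first `*H` deref anywhere in the crate, so a corrupted constant would surface as an unexplained panic far from this definition; state the invariant with `.expect("H is a valid compressed Edwards point")`. The doc comment should also carry the security property callers rely on: Pedersen commitments `r*G + amount*H` are only binding if the discrete log of `H` with respect to `G` is unknown, which is why `H` is derived by hashing the basepoint rather than chosen freely, e.g. `/// Derived by hashing the Ed25519 basepoint (nothing-up-my-sleeve); the discrete log of H w.r.t. G must be unknown for commitments to be binding.` Note that changing `pub const H: PublicKey` to `pub static H: Lazy<EdwardsPoint>` is a public type change, so any downstream code using `H.point` breaks; that seems intended given the rest of the commit, but it deserves a changelog entry.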
3 changes: 1 addition & 2 deletions src/util/ringct.rs
Expand Up @@ -213,8 +213,7 @@ impl EcdhInfo {

let amount_scalar = Scalar::from(amount);

let expected_commitment = ED25519_BASEPOINT_POINT * blinding_factor
+ H.point.decompress().unwrap() * amount_scalar;
let expected_commitment = ED25519_BASEPOINT_POINT * blinding_factor + *H * amount_scalar;

if &expected_commitment != candidate_commitment {
return None;
