Bip Draft: Discrete Log Equality Proofs (DLEQ) #1689
+90
−0
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
There was some previous discussion on this gist before making this PR |
theStack
reviewed
Oct 24, 2024
| * Let ''A = a⋅G''. | ||
| * Let ''C = a⋅B''. | ||
| * Let ''t'' be the byte-wise xor of ''bytes(32, a)'' and ''hash<sub>BIP?/aux</sub>(r)''. | ||
| * Let ''rand = hash<sub>DLEQ</sub>(t || cbytes(A) || cytes(C))''. |
There was a problem hiding this comment.
typo
Suggested change
| * Let ''rand = hash<sub>DLEQ</sub>(t || cbytes(A) || cytes(C))''. | |
| * Let ''rand = hash<sub>DLEQ</sub>(t || cbytes(A) || cbytes(C))''. |
| * Let ''s = int(proof[32:64])''; fail if ''s ≥ n''. | ||
| * Let ''R<sub>1</sub> = s⋅G - e⋅A''. | ||
| * Fail if ''is_infinite(R<sub>1</sub>)''. | ||
| * Fail if ''not has_even_y(R<sub>1</sub>)''. |
There was a problem hiding this comment.
that seems not necessary and would make roughly every second (valid) proof verification fail (probably a leftover from a previous variant where x-only pubkeys were used?), same as two lines below
Suggested change
| * Fail if ''not has_even_y(R<sub>1</sub>)''. |
jonatack
changed the title
jonatack
reviewed
Oct 24, 2024
|
|
||
| TBD | ||
|
|
||
| == Changelog == |
There was a problem hiding this comment.
Maybe add a section on backwards compatibility, run git grep -A2 Backward on the repo root for ideas.
jonatack
reviewed
Oct 24, 2024
| @@ -0,0 +1,90 @@ | |||
| <pre> | |||
| BIP: ? | |||
| Title: Discrete Log Equality Proofs over secp256k1 | |||
There was a problem hiding this comment.
Consider adding Layer: Applications above this line (run git grep -C6 "Layer: Applications" on the repository for info).
This was referenced Oct 24, 2024
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This BIP specifies a standard way to generate and verify DLEQ proofs. This is motivated by sending to silent payments in PSBTs. However, there are also other uses where DLEQs could be useful, so it would be good to have this BIP for others to reference.
This is inspired by https://github.com/discreetlogcontracts/dlcspecs/blob/master/ECDSA-adaptor.md#proof-of-discrete-logarithm-equality, but is a little more specific.
There is an implementation of that already at https://github.com/BlockstreamResearch/secp256k1-zkp/blob/master/src/modules/ecdsa_adaptor/dleq_impl.h, which this BIP attempts to be compatible with.
Inital ML post: https://groups.google.com/g/bitcoindev/c/MezoKV5md7s