From 11ab985bc6ffea14ac2eb12ee020639958a66f3b Mon Sep 17 00:00:00 2001
From: sowle
Date: Wed, 6 Jul 2022 18:52:24 +0200
Subject: [PATCH] crypto: bpp minor refactoring (mostly prototypes), minor improvements, compilation fixes
---
 src/crypto/range_proof_bpp.h | 35 ++++++++++-----------
 src/crypto/range_proof_bppe.h | 9 ++++--
 src/crypto/range_proofs.h | 9 ++++++
 src/currency_core/currency_format_utils.cpp | 6 ++++
 4 files changed, 37 insertions(+), 22 deletions(-)
diff --git a/src/crypto/range_proof_bpp.h b/src/crypto/range_proof_bpp.h
index cd61ca85..08e2dc57 100644
--- a/src/crypto/range_proof_bpp.h
+++ b/src/crypto/range_proof_bpp.h
@@ -23,16 +23,18 @@ namespace crypto
 scalar_t delta;
 };
-#define DBG_VAL_PRINT(x) std::cout << #x ": " << x << ENDL
-#define DBG_PRINT(x) std::cout << x << ENDL
+#define DBG_VAL_PRINT(x) (void(0)) // std::cout << #x ": " << x << ENDL
+#define DBG_PRINT(x) (void(0)) // std::cout << x << ENDL
+
+#define CHECK_AND_FAIL_WITH_ERROR_IF_FALSE(cond, err_code) \
+ if (!(cond)) { LOG_PRINT_RED("bpp_gen: \"" << #cond << "\" is false at " << LOCATION_SS << ENDL << "error code = " << err_code, LOG_LEVEL_3); \
+ if (p_err) { *p_err = err_code; } return false; }
+
 template
- bool bpp_gen(const scalar_vec_t& values, const scalar_vec_t& masks, bpp_signature& sig, std::vector& commitments, uint8_t* p_err = nullptr)
+ bool bpp_gen(const scalar_vec_t& values, const scalar_vec_t& masks, bpp_signature& sig, const std::vector& commitments_1div8, uint8_t* p_err = nullptr)
 {
-#define CHECK_AND_FAIL_WITH_ERROR_IF_FALSE(cond, err_code) \
- if (!(cond)) { LOG_PRINT_RED("bpp_gen: \"" << #cond << "\" is false at " << LOCATION_SS << ENDL << "error code = " << err_code, LOG_LEVEL_3); \
- if (p_err) { *p_err = err_code; } return false; }
-
+ // Note: commitments_1div8 are supposed to be already calculated
 static_assert(CT::c_bpp_n <= 255, "too big N");
 CHECK_AND_FAIL_WITH_ERROR_IF_FALSE(values.size() > 0 && values.size() <= CT::c_bpp_values_max && values.size() == masks.size(), 1);
 CHECK_AND_FAIL_WITH_ERROR_IF_FALSE(masks.is_reduced(), 3);
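Review bot: The new `commitments_1div8` parameter is never length-checked against `values`: the checks that follow cover only `values`/`masks`, while the transcript update in the `@@ -85,7` hunk now hashes whatever the caller passes and the new `update_transcript` overload in range_proofs.h dereferences every element. Add `CHECK_AND_FAIL_WITH_ERROR_IF_FALSE(commitments_1div8.size() == values.size(), <unused error code>);` next to the existing checks so a short or mismatched vector fails with an error code instead of yielding a proof bound to the wrong commitments; bpp_gen's body continues past the hunk. The `// Note: commitments_1div8 are supposed to be already calculated` comment should state the contract the deleted loop in the `@@ -42,15` hunk used to enforce, i.e. that each element is `1/8 * (values[i]*G + masks[i]*H)` and is what `bpp_verify()` multiplies back by 8, since the function can no longer guarantee it. The macro moved to namespace scope in a header still expands to a bare `if (!(cond)) { … return false; }` that hard-codes the `bpp_gen:` prefix and the local name `p_err`; a `do { … } while (0)` wrapper would remove the dangling-else hazard, and it is worth confirming that the single `#undef` visible in the `@@ -696,4` hunk is the intended end of its lifetime now that the definition precedes the function rather than living inside it.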
@@ -42,15 +44,6 @@ namespace crypto
 const size_t c_bpp_mn = c_bpp_m * CT::c_bpp_n;
 const size_t c_bpp_log2_mn = c_bpp_log2_m + CT::c_bpp_log2_n;
- // pre-multiply all output points by c_scalar_1div8
- // in order to enforce these points to be in the prime-order subgroup (after mul by 8 in bpp_verify())
-
- // calc commitments vector as commitments[i] = 1/8 * values[i] * G + 1/8 * masks[i] * H
- commitments.resize(values.size());
- for (size_t i = 0; i < values.size(); ++i)
- CT::calc_pedersen_commitment(values[i] * c_scalar_1div8, masks[i] * c_scalar_1div8, commitments[i]);
-
-
 // s.a. BP+ paper, page 15, eq. 11
 // decompose v into aL and aR:
 // v = aL o (1, 2, 2^2, ..., 2^n-1), o - component-wise product aka Hadamard product
@@ -85,7 +78,7 @@ namespace crypto
 DBG_PRINT("initial transcript: " << e);
 hash_helper_t::hs_t hsc;
- CT::update_transcript(hsc, e, commitments);
+ CT::update_transcript(hsc, e, commitments_1div8);
 // BP+ paper, page 15: The prover begins with sending A = g^aL h^aR h^alpha (group element)
 // so we calculate A0 = alpha * H + SUM(aL_i * G_i) + SUM(aR_i * H_i)
@@ -96,7 +89,8 @@ namespace crypto
 for (size_t i = 0; i < c_bpp_mn; ++i)
 A0 += aLs[i] * CT::get_generator(false, i) + aRs[i] * CT::get_generator(true, i);
- // part of 1/8 defense scheme
+ // pre-multiply all output points by c_scalar_1div8
+ // in order to enforce these points to be in the prime-order subgroup (after mul by 8 in bpp_verify())
 A0 *= c_scalar_1div8;
 A0.to_public_key(sig.A0);
@@ -147,7 +141,7 @@ namespace crypto
 // aL_hat = aL - 1*z
 scalar_vec_t aLs_hat = aLs - z;
- // aL_hat = aR + d o y^leftarr + 1*z where y^leftarr = (y^n, y^(n-1), ..., y) (BP+ paper, page 18, Fig. 3)
+ // aR_hat = aR + d o y^leftarr + 1*z where y^leftarr = (y^n, y^(n-1), ..., y) (BP+ paper, page 18, Fig. 3)
 scalar_vec_t aRs_hat = aRs + z;
 for (size_t i = 0; i < c_bpp_mn; ++i)
 aRs_hat[i] += d[i] * y_powers[c_bpp_mn - i];
@@ -696,4 +690,7 @@ namespace crypto
 #undef CHECK_AND_FAIL_WITH_ERROR_IF_FALSE
 }
+#undef DBG_VAL_PRINT
+#undef DBG_PRINT
+
 } // namespace crypto
diff --git a/src/crypto/range_proof_bppe.h b/src/crypto/range_proof_bppe.h
index 7aaed80c..4b074dd9 100644
--- a/src/crypto/range_proof_bppe.h
+++ b/src/crypto/range_proof_bppe.h
@@ -24,8 +24,8 @@ namespace crypto
 scalar_t delta_2;
 };
-#define DBG_VAL_PRINT(x) std::cout << #x ": " << x << ENDL
-#define DBG_PRINT(x) std::cout << x << ENDL
+#define DBG_VAL_PRINT(x) (void(0)) // std::cout << #x ": " << x << ENDL
+#define DBG_PRINT(x) (void(0)) // std::cout << x << ENDL
 template
 bool bppe_gen(const scalar_vec_t& values, const scalar_vec_t& masks, const scalar_vec_t& masks2, bppe_signature& sig, std::vector& commitments, uint8_t* p_err = nullptr)
@@ -149,7 +149,7 @@ namespace crypto
 // aL_hat = aL - 1*z
 scalar_vec_t aLs_hat = aLs - z;
- // aL_hat = aR + d o y^leftarr + 1*z where y^leftarr = (y^n, y^(n-1), ..., y) (BP+ paper, page 18, Fig. 3)
+ // aR_hat = aR + d o y^leftarr + 1*z where y^leftarr = (y^n, y^(n-1), ..., y) (BP+ paper, page 18, Fig. 3)
 scalar_vec_t aRs_hat = aRs + z;
 for (size_t i = 0; i < c_bpp_mn; ++i)
 aRs_hat[i] += d[i] * y_powers[c_bpp_mn - i];
@@ -716,4 +716,7 @@ namespace crypto
 #undef CHECK_AND_FAIL_WITH_ERROR_IF_FALSE
 }
+#undef DBG_VAL_PRINT
+#undef DBG_PRINT
+
 } // namespace crypto
diff --git a/src/crypto/range_proofs.h b/src/crypto/range_proofs.h
index bcd03393..c933ee2c 100644
--- a/src/crypto/range_proofs.h
+++ b/src/crypto/range_proofs.h
@@ -88,6 +88,15 @@ namespace crypto
 e = hsc.calc_hash();
 }
+ // assumes hsc is cleared
+ static void update_transcript(hash_helper_t::hs_t& hsc, scalar_t& e, const std::vector& pub_keys)
+ {
+ hsc.add_scalar(e);
+ for(auto p : pub_keys)
+ hsc.add_pub_key(*p);
+ e = hsc.calc_hash();
+ }
+
 // TODO: refactor with proper OOB handling
 static const point_t& get_generator(bool select_H, size_t index)
 {
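Review bot: The context line `bool bppe_gen(..., std::vector& commitments, uint8_t* p_err = nullptr)` in the `@@ -24,8` hunk shows bppe_gen keeps the old contract of computing and 1/8-scaling the commitments itself, while this commit changes bpp_gen to take precomputed `commitments_1div8`; the two generators now have opposite ownership of the commitment computation and nothing in the prototypes or comments says so. If the split is intentional, a one-line comment on each signature stating who computes the commitments and the 1/8 scaling would stop a caller from treating them alike; if not, bppe_gen presumably wants the same refactor. bppe_gen's body lies outside the hunk.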
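Review bot: The new `update_transcript` overload in range_proofs.h dereferences every element with `hsc.add_pub_key(*p);` and nothing on the visible call path (the bpp_gen hunk checks only `values`/`masks`) rules out a null entry, so a caller that builds the pointer vector incrementally crashes here instead of getting an error; the element type is stripped in this rendering, and the dereference is what implies a vector of pointers. Since silently skipping a null entry would change what the transcript binds to, the precondition should be stated and enforced rather than worked around: extend the header comment to `// assumes hsc is cleared and every pointer in pub_keys is non-null` and assert non-null before the dereference, in whatever form the project's checking macros provide. A minor style point: `for(auto p : pub_keys)` reads better as `for (const auto* p : pub_keys)`, which also documents that the loop only reads through the pointer.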
diff --git a/src/currency_core/currency_format_utils.cpp b/src/currency_core/currency_format_utils.cpp
index b36a4417..cea28afc 100644
--- a/src/currency_core/currency_format_utils.cpp
+++ b/src/currency_core/currency_format_utils.cpp
@@ -2868,6 +2868,12 @@ namespace currency
 tv.details_view = tv.short_view;
 return true;
 }
+ bool operator()(const zarcanum_outs_range_proof& rp)
+ {
+ tv.type = "zarcanum_outs_range_proof";
+ tv.short_view = "outputs_count = " + std::to_string(rp.outputs_count);
+ return true;
+ }
 };
 //------------------------------------------------------------------
 template
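Review bot: The new `operator()(const zarcanum_outs_range_proof& rp)` sets `tv.type` and `tv.short_view` but not `tv.details_view`, whereas the preceding overload, visible in the context line `tv.details_view = tv.short_view;`, fills both; if consumers of this visitor read `details_view`, the range-proof entry renders empty there. Adding `tv.details_view = tv.short_view;` before `return true;` keeps the overloads consistent, and if the omission is deliberate a short comment saying so would stop the next reader from "fixing" it. The enclosing visitor struct starts before the hunk.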