Basic structure and point addition proofs #22
Features:
1. Equality proofs for Pedersen commitments.
2. Opening proofs for scalars.
3. Multiplication proofs for scalars.
There's got to be a nicer way to do this: the From trait is probably the best way to go.
Also add derives for Clones + Copies because, quite frankly, the idea that operators take ownership is kinda stupid.
Looking good by a quick review! Will do an in-depth one later
So I actually only need one thing from either / both of you: it works, and we can always refactor later. At the moment, we set up the transcript like this: Namely, we don't pass the randomness values into the transcript, only the Pedersen commitments themselves. Does this matter? I'm happy to add it, but I'm not sure if there's a strong theoretical reason why we need this.

Hey Joe, nice job, looks good! The commitment objects look like they have the randomness as an attribute, right? So you wouldn't want them in the transcript since they are part of the secret. Maybe I'm misreading the code but it seems the verifier gets the c1, c2 as input in the equality protocol for instance, which are PedersenComm objects. But you shouldn't need them since you can recover the values of the commitment via the transcript input.

This is addressed in #25.
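The transcript question discussed above, as an added example that is not code from this PR or project: a standard Schnorr-style equality proof for two Pedersen commitments in which the Fiat-Shamir challenge is derived only from public values (both commitments and the prover's first message), so the blinding randomness never enters the transcript and the verifier can recompute the challenge itself. The toy group parameters, the fixed sample nonces and the use of `DefaultHasher` as a stand-in for a real transcript hash are assumptions made so the block runs with the standard library alone; the protocol in the PR may differ.

```rust
use std::collections::hash_map::DefaultHasher;
use std::hash::Hasher;

// Toy group (constructed, insecure): order-Q subgroup of Z_P^*, P = 2Q + 1.
const P: u64 = 2039;
const Q: u64 = 1019;
const G: u64 = 4; // base for the committed value
const H: u64 = 9; // base for the blinding randomness

fn pow(mut b: u64, mut e: u64) -> u64 {
    let mut acc = 1;
    while e > 0 {
        if e & 1 == 1 { acc = acc * b % P; }
        b = b * b % P;
        e >>= 1;
    }
    acc
}

// Pedersen commitment G^x * H^r mod P.
fn commit(x: u64, r: u64) -> u64 { pow(G, x % Q) * pow(H, r % Q) % P }

// Fiat-Shamir challenge over public values only: both commitments and the
// prover's first message t. The blinding values r1, r2 never enter the hash.
fn challenge(c1: u64, c2: u64, t: u64) -> u64 {
    let mut tr = DefaultHasher::new(); // stand-in, NOT a cryptographic hash
    for v in &[c1, c2, t] { tr.write_u64(*v); }
    tr.finish() % (Q - 1) + 1 // in [1, Q-1], so never zero
}

// Shows c1 and c2 commit to the same value by proving knowledge of
// d = r1 - r2 such that c1 / c2 = H^d. Returns (t, s).
fn prove(c1: u64, c2: u64, r1: u64, r2: u64, k: u64) -> (u64, u64) {
    let d = (r1 % Q + Q - r2 % Q) % Q;
    let t = pow(H, k % Q);
    let c = challenge(c1, c2, t);
    (t, (k % Q + c * d) % Q)
}

// The verifier sees only c1, c2 and the proof; it rebuilds the challenge.
fn verify(c1: u64, c2: u64, proof: (u64, u64)) -> bool {
    let (t, s) = proof;
    let ratio = c1 * pow(c2, P - 2) % P; // c1 / c2 via Fermat inverse
    pow(H, s) == t * pow(ratio, challenge(c1, c2, t)) % P
}

fn main() {
    // Constructed sample values; a real prover samples r1, r2, k at random.
    let (c1, c2) = (commit(42, 111), commit(42, 777));
    println!("same value: {}", verify(c1, c2, prove(c1, c2, 111, 777, 555)));
}
```
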
This PR implements:
`z = x * y`)

For both `T256` and `T384`. The code also provides Pedersen commitments etc. We also have tests and some conversion functions from the arkworks curves to our curves (this was a real pain to get working!)

Just to make it clearer: this PR essentially implements everything up to (the current) Section 4.1. Namely, this PR does not implement the Section 4.2 protocol yet.