olegabu / go-mimblewimble Goto Github PK

View Code? Open in Web Editor NEW

2.0 2.0 0.0 928 KB

Library for forming and validating transactions in mimblewimble protocol

License: Apache License 2.0

Go 99.39% Shell 0.61%

blockchain hyperledger-fabric mimblewimble tendermint zero-knowledge

go-mimblewimble's People

Contributors

Stargazers

Watchers

go-mimblewimble's Issues

Test version of Context

For testing purposes a special version of Context is needed, particularly a trivial key generator is needed instead of a random one. As of now the Context is a struct, so neither extending nor overloading is available. It might be useful to make Context an interface to be able to overload it for special cases. The same idea is implemented in Grin wallet/core.

Port unit tests for bulletproofs from C to Go

Error when Tendermint node starts

E[2020-04-22|13:33:48.155] Error on catchup replay. Proceeding to start ConsensusState anyway module=consensus err="WAL should not contain #ENDHEIGHT 1"
E[2020-04-22|13:33:48.155] Failed to save AddrBook to file              module=p2p book=config/addrbook.json file=config/addrbook.json err="open config/write-file-atomic-02577231406141211588: no such file or directory"

Multisig output

Alice has an input AIC with value vai with blinding factor rai
Bob has and input BIC with value vib with blinding factor rbi
They generate a multisig (output) commitment MC with a blinding factor rm = ram + rbm, such that MC = H*(vam+vbm) + G*(ram+rbm) = H*vm + MR = APC + BPC. Besides from multisig Alice and Bob create change outputs CAO, CBO

Alice calculates partial commitment APC = H * vam + G * ram, bulletproof for ACO = ACO_proof, partial excess = G*(ram+rac-rai)
Alice calculates partial signature APS = (ka*G,ka + e*(ram+rac-rai))
Alice calculate common nonce CN for later bulletproofs generation
Alice sends Bob APC,APS, CN
Bob calculates partial commitment BPC = H * vbm + G * rbm
Bob calculates MC = APC + BPC, bulletproof for BCO = BCO_proof
Bob calculates TB1,TB2 = bullet_proof_multisig(MC, CN, rbm)
Bob sends TB1, TB2, MC to Alice
Alice calculates TA1,TA2 = bullet_proof_multisig(MC, CN, ram)
Alice calculates Tau_X_A = bullet_proof_multisig(MC, CN, ram)
Alice sends Tau_X_A,ACO_proof to Bob
Bob calculates Tau_X_B
Bob calculate Tau_X = Tau_X_A + Tau_X_B
Bob calculates partial signature BPS = (kb*G,kb + e*(rbm+rbc-rbi))
Bob calculates final signature FS = BPS + APS
Bob publishes TX:

{
    "Inputs": ["AIC", "BIC"],
    "Outputs" : [{
        "Commitment":"MC",
        "proof":"Tau_X"
    },
    {
        "Commitment":"ACO",
        "proof:":"CAO_proof"
    },
    {
        "Commitment":"BCO",
        "proof":"CBO_proof"
    }],
    "Kernel" :{
        "Signature":"FS",
        "excess":"excess"
    }
}

Fix aggsig.sign_single

Validate transaction

Validate transaction submitted to the network. Use an existing transaction from Grin explorer to test.

Error closing connection

E[2020-04-22|13:54:30.242] Error closing connection module=rpc-server protocol=websocket remote=127.0.0.1:60690 err="close tcp 127.0.0.1:26657->127.0.0.1:60690: use of closed network connection"

create slate test

Create a test wallet (context, inputs, purchases, expenses, fee) Slate, PrivateOutput[], Error
Provided with typical set of arguments the function must calculate output values, generate secrets, create a serializable version of a slate to be sent to the counterparty

Atomic DVP

Вместо генерации точки H необходимо генерировать точки H_1,...,H_n по количеству токенов
Для каждой точки H_i вычислять Token Commitment TC_i = H_i + r_TC_i * G, где r_i - blinding factor для типа токена, который выбирает его владелец при формировании транзакции (его необходимо хранить, как и blinding factor для value)
Модифицировать формат транзакции Transfer

{
    "Inputs": [
    {
        "Commitment": " ",
        "Token Commitment": " "
    },
    {
        "Commitment": " ",
        "Token Commitment": " "
    }],
    "Outputs" : [
    {
        "Commitment": " ",
        "Token Commitment": " ",
        "proof": " ",
        "surjectionproof": " "
    },
    {
        "Commitment": " ",
        "Token Commitment": " ",
        "proof": " ",
        "surjectionproof": " "
    }}],
    "Kernel" :{
        "Signature": " ",
        "excess": " "
    }
}

Модифицировать процедуру валидации транзакции, добавив верификацию Type proofs

Суть транзакции - перевод:

v_1 токенов типа 1 (точка H_1, token commitment H_1a = H_1 + r_TCI_1 * G) от пользователя A (ACI = v_1 * H_1a + r_01 * G) к пользователю B,
v_2 токенов типа 2 (точка H_2, token commitment H_2b = H_2 + r_TCI_2 * G) от пользователя B (BCI = v_2 * H_2b + r_02 * G) к пользователю A.

1 раунд (действия A)

Выбрать nonce k_a, вычислить k_a * G = K_a
Выбрать blinding factor r_a2, вычислить R_a = (r_a2 - r_01) * G
Отправить B slate, содержащий: ACI, r_TCI_1, v_1, v_2, K_a, R_a

2 раунд (действия B)

Выбрать nonce k_b, вычислить k_b * G = K_b
Выбрать blinding factor r_b1, вычислить R_b = (r_b1 - r_02) * G
Выбрать blinding factor r_TC_1, вычислить token commitment H_1b = H_1 + r_TCO_1 * G
Вычислить BCO = v_1 * H_1b + r_b1 * G и RangeProof BCO_proof
Вычислить частичную подпись S_b = (k_b + e * (r_b1 - r_02), K_b)
Отправить A slate, содержащий: BCI, r_TCI_2, BCO, BCO_proof, H_1b, r_TCO_1, K_b, R_b, s_b

3 раунд (действия A)

Выбрать blinding factor r_TCO_2, вычислить token commitment H_2a = H_2 + r_TCO_2 * G
Вычислить ACO = v_2 * H_2a + r_a2 * G и RangeProof ACO_proof
Вычислить surjectionproofs H_2a_proof = surjectionproof_generate({H_1a,H_2b}, H_2a, input index (2), r_TCI_2, r_TCO_2 ), H_1b_proof = surjectionproof_generate({H_1a,H_2b}, H_1b, input index (1), r_TCI_1, r_TCO_1 )
Вычислить частичную подпись S_a = (k_a + e * (r_a2 - r_01), K_a)
Вычислить финальную подпись S = S_a + S_b
Вычислить excess R = R_a + R_b
Опубликовать транзакцию

{
    "Inputs": [
    {
        "Commitment": "ACI",
        "Token Commitment": "H_1a"
    },
    {
        "Commitment": "BCI",
        "Token Commitment": "H_2b"
    }],
    "Outputs" : [
    {
        "Commitment": "ACO",
        "Token Commitment": "H_2a",
        "proof": "ACO_proof",
        "surjectionproof": "H_2a_proof"
    },
    {
        "Commitment": "BCO",
        "Token Commitment": "H_1b",
        "proof": "BCO_proof",
        "surjectionproof": "H_1b_proof"
    }}],
    "Kernel" :{
        "Signature": "S",
        "excess": "R"
    }
}

Create bindings for surjection proof functions

Error when broadcast issue-1.json

E[2020-04-22|14:04:52.644] Failed to write response                     module=rpc-server protocol=websocket remote=127.0.0.1:60832 err="websocket: close sent"
E[2020-04-22|14:04:52.644] Error closing connection                     module=rpc-server protocol=websocket remote=127.0.0.1:60832 err="close tcp 127.0.0.1:26657->127.0.0.1:60832: use of closed network connection"

New commitment scheme

Consider rt - asset blinding factor, rv - value blinding factor, v - value, G - generator, H - generator for a specific asset type ( aka 'fixed asset tag')

With the concept of atomic multiasset DVP we bring a new way to hide asset type with via an 'ephemeral asset tag' = (H+rt*G)
Commitment scheme and excess formula must be changed correspondingly:

current:
Commitment = H*v+rv*G
public blinded excess = G* (Sum_for_all_inputs( rv ) - Sum_for_all_outputs ( outputBlinds))
dvp version:
Commitment = (H+rt*G)*v + rv*G
public blinded excess = G * ( Sum_for_all_inputs( v*rt + rv)- Sum_for_all_outputs( v*rt + rv))

Particularly, v*rt and + rv has to be made as scalar multiplication modulo p. This has to be done with built-in secp256k1 functions