
Commit edb879f

apoelstrareal-or-random
authored andcommitted
rangeproof: verify correctness of pedersen commitments when parsing
1 parent fca4c3b commit edb879f

2 files changed

+24
-10
lines changed


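--- a/include/secp256k1_rangeproof.h
+++ b/include/secp256k1_rangeproof.h
@@ -14,15 +14,13 @@ extern "C" {
  *
  * The exact representation of data inside is implementation defined and not
  * guaranteed to be portable between different platforms or versions. It is
- * however guaranteed to be 33 bytes in size, and can be safely copied/moved.
- * If you need to convert to a format suitable for storage or transmission, use
- * secp256k1_pedersen_commitment_serialize and secp256k1_pedersen_commitment_parse.
- *
- * Furthermore, it is guaranteed to identical signatures will have identical
- * representation, so they can be memcmp'ed.
+ * however guaranteed to be 64 bytes in size, and can be safely copied/moved.
+ * If you need to convert to a format suitable for storage, transmission, or
+ * comparison, use secp256k1_pedersen_commitment_serialize and
+ * secp256k1_pedersen_commitment_parse.
  */
 typedef struct {
-    unsigned char data[33];
+    unsigned char data[64];
 } secp256k1_pedersen_commitment;
 
 /**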

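--- a/src/modules/rangeproof/main_impl.h
+++ b/src/modules/rangeproof/main_impl.h
@@ -44,22 +44,38 @@ static void secp256k1_pedersen_commitment_save(secp256k1_pedersen_commitment* co
 }
 
 int secp256k1_pedersen_commitment_parse(const secp256k1_context* ctx, secp256k1_pedersen_commitment* commit, const unsigned char *input) {
+    secp256k1_fe x;
+    secp256k1_ge ge;
+
     VERIFY_CHECK(ctx != NULL);
     ARG_CHECK(commit != NULL);
     ARG_CHECK(input != NULL);
     (void) ctx;
-    if ((input[0] & 0xFE) != 8) {
+
+    if ((input[0] & 0xFE) != 8 ||
+        !secp256k1_fe_set_b32(&x, &input[1]) ||
+        !secp256k1_ge_set_xquad(&ge, &x)) {
         return 0;
     }
-    memcpy(commit->data, input, sizeof(commit->data));
+    if (input[0] & 1) {
+        secp256k1_ge_neg(&ge, &ge);
+    }
+    secp256k1_pedersen_commitment_save(commit, &ge);
     return 1;
 }
 
 int secp256k1_pedersen_commitment_serialize(const secp256k1_context* ctx, unsigned char *output, const secp256k1_pedersen_commitment* commit) {
+    secp256k1_ge ge;
+
     VERIFY_CHECK(ctx != NULL);
     ARG_CHECK(output != NULL);
     ARG_CHECK(commit != NULL);
-    memcpy(output, commit->data, sizeof(commit->data));
+
+    secp256k1_pedersen_commitment_load(&ge, commit);
+
+    output[0] = 11 ^ secp256k1_fe_is_quad_var(&ge.y);
+    secp256k1_fe_normalize_var(&ge.x);
+    secp256k1_fe_get_b32(&output[1], &ge.x);
     return 1;
 }
 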
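Review bot: The tag byte written by the new secp256k1_pedersen_commitment_serialize, `output[0] = 11 ^ secp256k1_fe_is_quad_var(&ge.y);`, yields 0x0A or 0x0B, but secp256k1_pedersen_commitment_parse in the same hunk only accepts a first byte with `(input[0] & 0xFE) == 8`, i.e. 0x08 or 0x09, so nothing this function emits can ever be parsed back. The XOR base should be 9, `output[0] = 9 ^ secp256k1_fe_is_quad_var(&ge.y);`, which gives 0x08 when y is a quadratic residue (the value secp256k1_ge_set_xquad reconstructs directly) and 0x09 when the parser must take the `input[0] & 1` negation branch. A serialize/parse round-trip test would have caught this, and the diffstat shows no test file touched by the commit. Separately, serialize does not reject the point at infinity after secp256k1_pedersen_commitment_load; if a commitment can hold infinity (load and the commit routine are outside the hunk, so I cannot confirm), the x and y written here are meaningless and an early `return 0` on `secp256k1_ge_is_infinity(&ge)` would be warranted.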
