
core/secp256k1_zkp: add blinding and rangeproof API

Open romanz opened this issue 6 years ago • 7 comments

Allows rangeproof generation and rewinding, surjection proof generation and Pedersen commitments' balancing on the device.

Notes to reviewers:

  • The current code requires significant stack size increase (to ~40kB), so it depends on https://github.com/trezor/trezor-firmware/issues/174 (or increasing the stack size via memory_T.ld) to run on the TREZOR T.
  • The tests can run on the emulator via:
$ make build_unix
$ ./tests/run_tests.sh test_trezor.crypto.curve.secp256k1.py

romanz avatar Jul 08 '19 13:07 romanz

^ Rebased and force-pushed (to fix a merge conflict).

romanz avatar Jul 12 '19 16:07 romanz

Updated and rebased secp256k1_zkp/blind. I have disabled range-proof & surjection-proof generation on device, since it can be done on the host without loss of privacy (since the host already knows the amounts and the assets being sent).

If the device allows generating ECDH nonce (for range-proofs), blinding/unblinding can happen on the host, after the device signs the transaction. See https://github.com/trezor/trezor-firmware/compare/master...romanz:elements/wip for a proof-of-concept implementation.

romanz avatar Jan 18 '20 11:01 romanz

I have disabled range-proof & surjection-proof generation on device, since it can be done on the host without loss of privacy (since the host already knows the amounts and the assets being sent).

There is a security issue with the "offloading" approach above - nothing prevents the host from using a different nonce when generating the rangeproof. In that case, the recipient won't be able to rewind it - causing the output to be unspendable. Therefore, we need to generate the rangeproof on the device - so I'm updating the PR (with an increased stack size, following https://github.com/trezor/trezor-firmware/issues/174#issuecomment-565789336).

romanz avatar Feb 13 '20 10:02 romanz
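The two comments above describe the offloading idea (Jan 18) and the reason it fails (Feb 13): the recipient can only rewind a rangeproof whose nonce was derived from an ECDH shared secret it can recompute, so a host that picks any other nonce produces an output the recipient cannot open. The following added example (not code from this PR, from trezor-firmware, or from libsecp256k1-zkp) models that failure mode in pure Python. It uses real secp256k1 arithmetic and a Pedersen commitment, but the rangeproof itself is replaced by a stand-in that only carries the rewindable payload (value and blinding factor masked under the nonce); the range-proving part is omitted, and the second generator H, the seed and the sample value are constructed for the demo rather than taken from Elements.

```python
import hashlib
import secrets

# secp256k1 parameters (real curve constants).
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def _add(a, b):
    """Affine point addition; None is the point at infinity."""
    if a is None:
        return b
    if b is None:
        return a
    (x1, y1), (x2, y2) = a, b
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if a == b:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def _mul(k, pt):
    """Double-and-add scalar multiplication (not constant time; illustration only)."""
    r = None
    k %= N
    while k:
        if k & 1:
            r = _add(r, pt)
        pt = _add(pt, pt)
        k >>= 1
    return r


def _compress(pt):
    x, y = pt
    return bytes([2 + (y & 1)]) + x.to_bytes(32, "big")


def _hash_to_point(label):
    """Second generator with unknown discrete log w.r.t. G (try-and-increment)."""
    x = int.from_bytes(hashlib.sha256(label).digest(), "big") % P
    while True:
        rhs = (x**3 + 7) % P
        y = pow(rhs, (P + 1) // 4, P)  # valid square root because P % 4 == 3
        if y * y % P == rhs:
            return (x, y)
        x = (x + 1) % P


H = _hash_to_point(b"constructed second generator")  # Elements uses its own fixed H


def commit(value, blind):
    """Pedersen commitment C = blind*G + value*H."""
    return _add(_mul(blind, G), _mul(value, H))


def ecdh_nonce(secret_scalar, peer_pubkey):
    """Rewind nonce = SHA256(compressed ECDH point); both sides can compute it."""
    return hashlib.sha256(_compress(_mul(secret_scalar, peer_pubkey))).digest()


def _keystream(nonce, length):
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(nonce + bytes([counter])).digest()
        counter += 1
    return out[:length]


def make_proof(value, blind, nonce):
    """Stand-in for the rewindable payload of a rangeproof (no range proving here)."""
    plain = value.to_bytes(8, "big") + blind.to_bytes(32, "big")
    return bytes(p ^ k for p, k in zip(plain, _keystream(nonce, len(plain))))


def rewind(proof, commitment, nonce):
    """Recover (value, blind); accept only if they reopen the commitment."""
    plain = bytes(p ^ k for p, k in zip(proof, _keystream(nonce, len(proof))))
    value = int.from_bytes(plain[:8], "big")
    blind = int.from_bytes(plain[8:], "big")
    return (value, blind) if commit(value, blind) == commitment else None


def demo(value=123_456, seed=b"constructed demo seed"):
    """Returns (honest_rewind_ok, rogue_rewind_ok) for a device nonce vs. a host-chosen one."""
    def scalar(tag):
        return int.from_bytes(hashlib.sha256(seed + tag).digest(), "big") % (N - 1) + 1

    d, e, blind = scalar(b"recipient"), scalar(b"ephemeral"), scalar(b"blind")
    D, E = _mul(d, G), _mul(e, G)   # recipient blinding pubkey, sender ephemeral pubkey
    C = commit(value, blind)
    proof_ok = make_proof(value, blind, ecdh_nonce(e, D))      # nonce derived on the device
    proof_bad = make_proof(value, blind, secrets.token_bytes(32))  # nonce chosen by the host
    r_nonce = ecdh_nonce(d, E)                                 # what the recipient can derive
    return rewind(proof_ok, C, r_nonce) == (value, blind), rewind(proof_bad, C, r_nonce) is not None
```

`demo()` returns `(True, False)`: the recipient reopens the commitment only when the proof was built under the ECDH-derived nonce, which is why the comment concludes that the nonce-dependent proof has to be produced by the party that is trusted to derive the nonce, i.e. the device. The stand-in masking is for illustration; in libsecp256k1-zkp the nonce drives the proof's internal randomness and rewinding likewise succeeds only when the recovered opening matches the commitment.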

We can estimate the actual stack size used by instrumenting the secp256k1_zkp library, similarly to how it's done at the elements/stack branch (commit) for the emulator.

romanz avatar Feb 13 '20 10:02 romanz

Changes look good to me. :+1:

real-or-random avatar Feb 21 '20 08:02 real-or-random

Thanks :) Squashed and rebased over master.

romanz avatar Feb 21 '20 11:02 romanz

Hi there, thank you for your PR. I just wanted to give you a quick update from our side. We are interested in adding this to our firmware but we just don't have enough capacity to review it right now. We would be more than happy to take a closer look at it later, when our capacity frees up a little, likely during the course of 2021. Thank you for your understanding.

tsusanka avatar Aug 04 '20 18:08 tsusanka