Delivery-date: Sat, 26 Oct 2024 02:05:32 -0700
Received: from mail-yb1-f187.google.com ([209.85.219.187])
by mail.fairlystable.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
(Exim 4.94.2)
(envelope-from <bitcoindev+bncBDI23FE35EIBBUXB6K4AMGQE5SZ2CKA@googlegroups.com>)
id 1t4cjj-0005br-0a
for bitcoindev@gnusha.org; Sat, 26 Oct 2024 02:05:31 -0700
Received: by mail-yb1-f187.google.com with SMTP id 3f1490d57ef6-e26067b727asf688280276.2
for <bitcoindev@gnusha.org>; Sat, 26 Oct 2024 02:05:30 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=googlegroups.com; s=20230601; t=1729933524; x=1730538324; darn=gnusha.org;
h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post
:list-id:mailing-list:precedence:x-original-sender:mime-version
:subject:references:in-reply-to:message-id:to:from:date:sender:from
:to:cc:subject:date:message-id:reply-to;
bh=+RyNSCcS5zG75T4Inss7y8dcNBiTC0vXyE80cgniODA=;
b=NjEuUgpASzn9X9z8cczx3k0srO/Ll0wMSx+mDza72a4CGsXOIoG7rEl/1P0EtT0RLV
JVMhOciNBujA71yp4Qt8nEhAEWoRUKPmM8YLJvBqC4/68sl/wFfJi3CR4CJ8MV4MU0OE
5fzhlV1fQg4/KqUsBwvUVhvDD0zmOKAZ+yCqSGg0+0B2dnecaot4LCQUTBHotovM+qTm
Vn5l3eC+EMwm2uzhd4tMgk+Ok3lnF4/YB2uo+Rx+9hbCaKWzXhlN43ynVKwB6Ta/pokw
5RbDnkp9n9QGbMFmgRBjdD2Z2CFlLhl/+eOr3ISGAokJb80DLtKL8wv/S0Wxt43hF5eQ
K/HA==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=gmail.com; s=20230601; t=1729933524; x=1730538324; darn=gnusha.org;
h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post
:list-id:mailing-list:precedence:x-original-sender:mime-version
:subject:references:in-reply-to:message-id:to:from:date:from:to:cc
:subject:date:message-id:reply-to;
bh=+RyNSCcS5zG75T4Inss7y8dcNBiTC0vXyE80cgniODA=;
b=H1k9orvhAtHXbpC+PXznvAl5wG2NcsJ0V6eSj0yex0tIbFqKNe2i9DVHpb9MYQQiFC
qz9JMrUIFhA1XX8leFhee16POQXN3REKRJ76tZPPLB70ihjqgCtxP+BprMpdfWRo80Sy
cndvQkXcxdtaIagHp8dYbU1+DLUjtyGrc+iIQylCsJ1DVc8WjYNS2FOPlztcg20TRoFy
JhydlNDu/Yg+pPq3IVvgrQmZlab9iWEuEOfYocubNiO0+8JpPtq9D7ON3JAvqb8zfdAU
0DQGXZhL4Ny/lD8vvB/WE57bsnpR5YpZGTqKwNsjzDzVXEwH9CCu1NYyMvuBjD6uF7gs
wExw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=1e100.net; s=20230601; t=1729933524; x=1730538324;
h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post
:list-id:mailing-list:precedence:x-original-sender:mime-version
:subject:references:in-reply-to:message-id:to:from:date:x-beenthere
:x-gm-message-state:sender:from:to:cc:subject:date:message-id
:reply-to;
bh=+RyNSCcS5zG75T4Inss7y8dcNBiTC0vXyE80cgniODA=;
b=SU2ElyJqV0tvA9p46V7CedI8m44ZjKOuLNz7PkXbQ/tvst4ISAs00+EstXPlYkLlFi
Vi/UdQS07Nb2bSt6ifXHibjFsCueJh/9XQ2bWd4FWNNKIvk88kLdaGsUVZo1LadC69bP
c7ILmaPIjkfN+/yYjFGiRTDxAbZE8Db6AQ2zZnc33IkKpRkmQMn/qV8r0mgUqZwz7diL
xWjYLC1pP8TQLPWm+J1KZbvZgqh4MV9y+q/lchlxTpUwnKu/FJ/ZX0pjQpj54GOQ2BTZ
39+UZ3TGbP/uy6H1rq6uGnEJFgknHSlgNktnOK5eFoOPSG4LQ0AMKV9hqsGGYdv0r6k7
u7Gg==
Sender: bitcoindev@googlegroups.com
X-Forwarded-Encrypted: i=1; AJvYcCUQLpTf2XLQQtxF2XdEUCkLRv13ttwjBj3s4GulzdovhrSNSwoF/wuB8sGo2X9gF/cHrHLxDa1aORwa@gnusha.org
X-Gm-Message-State: AOJu0Ywbi1NjOBVPyJ7c9CuBt2WLyZyTDkcw7gJPjywku4NOkW5u4RDY
LU+ErfCnCCk54gDrEQnpnzjSPGORVC500BSGptJMnEWMnyUrh1TD
X-Google-Smtp-Source: AGHT+IG8Kpvq4PmuI/bTLEKgXv7RCfe35JXD+6WrTVLY4Qle9CZUlLDQMhrOULhi3QNo9qNAeMH9vA==
X-Received: by 2002:a05:6902:2087:b0:e29:60a0:cd33 with SMTP id 3f1490d57ef6-e3087c35ff9mr730601276.10.1729933524446;
Sat, 26 Oct 2024 02:05:24 -0700 (PDT)
X-BeenThere: bitcoindev@googlegroups.com
Received: by 2002:a05:6902:188c:b0:e1c:eeec:3175 with SMTP id
3f1490d57ef6-e2e4a77e8fdls116955276.1.-pod-prod-02-us; Sat, 26 Oct 2024
02:05:22 -0700 (PDT)
X-Received: by 2002:a05:690c:c:b0:6e2:4c7b:e379 with SMTP id 00721157ae682-6e9d89abf2bmr24913377b3.19.1729933522386;
Sat, 26 Oct 2024 02:05:22 -0700 (PDT)
Received: by 2002:a81:fb01:0:b0:6dd:c9c1:7a16 with SMTP id 00721157ae682-6e7eed5a03cms7b3;
Fri, 25 Oct 2024 07:49:03 -0700 (PDT)
X-Received: by 2002:a05:690c:f96:b0:6e2:ac0a:890e with SMTP id 00721157ae682-6e7f0df6366mr114031317b3.6.1729867742797;
Fri, 25 Oct 2024 07:49:02 -0700 (PDT)
Date: Fri, 25 Oct 2024 07:49:02 -0700 (PDT)
From: waxwing/ AdamISZ <ekaggata@gmail.com>
To: Bitcoin Development Mailing List <bitcoindev@googlegroups.com>
Message-Id: <77ad84ed-2ff8-4929-b8da-d940c95d18a7n@googlegroups.com>
In-Reply-To: <b0f40eab-42f3-4153-8083-b455fbd17e19n@googlegroups.com>
References: <b0f40eab-42f3-4153-8083-b455fbd17e19n@googlegroups.com>
Subject: [bitcoindev] Re: BIP: DLEQ
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="----=_Part_74722_461499448.1729867742479"
X-Original-Sender: ekaggata@gmail.com
Precedence: list
Mailing-list: list bitcoindev@googlegroups.com; contact bitcoindev+owners@googlegroups.com
List-ID: <bitcoindev.googlegroups.com>
X-Google-Group-Id: 786775582512
List-Post: <https://groups.google.com/group/bitcoindev/post>, <mailto:bitcoindev@googlegroups.com>
List-Help: <https://groups.google.com/support/>, <mailto:bitcoindev+help@googlegroups.com>
List-Archive: <https://groups.google.com/group/bitcoindev
List-Subscribe: <https://groups.google.com/group/bitcoindev/subscribe>, <mailto:bitcoindev+subscribe@googlegroups.com>
List-Unsubscribe: <mailto:googlegroups-manage+786775582512+unsubscribe@googlegroups.com>,
<https://groups.google.com/group/bitcoindev/subscribe>
X-Spam-Score: -0.5 (/)
------=_Part_74722_461499448.1729867742479
Content-Type: multipart/alternative;
boundary="----=_Part_74723_787826626.1729867742479"
------=_Part_74723_787826626.1729867742479
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
First, thanks for doing that; this is a nice thing to standardize!
My enthusiasm really comes from the idea that it may be used in several=20
protocols in future (well, and currently), so I'd be keen to see it be=20
sufficiently flexible. Which motivates my reading of it here:
I have a couple of general questions/comments on the design:
Why doesn't the Fiat Shamir challenge (e) include space for a message m?=20
Just like other ZkPoKs that can be really useful, considering that they are=
=20
transferrable.
While it's understandable that you focus on the case of 1 generator being G=
=20
(secp default), it seems like an unnecessary restriction. It's easy to=20
imagine a more complex protocol requiring DLEQs across other pairs of=20
bases. In this case you'd want to include the other base in the Fiat Shamir=
=20
challenge (even if it *is* G). **
I guess no comments on the basic algorithm or the choice of (e,s) vs (R1,=
=20
R2,s) proof encoding (as you've chosen exactly the same as what I chose 8=
=20
years ago for Joinmarket :) ). The handling of k-generation is obviously a=
=20
big step up though.
(**) It's orthogonal to this BIP almost certainly, but it makes me think:=
=20
since we have tons of uses for NUMS generator .. generation in various=20
bitcoin protocols, maybe we should have a BIP just for that? The only=20
reason I suggest that slightly weird idea is, it's explicitly necessary for=
=20
counterparties to be able to reproduce them and it's probably wasteful to=
=20
constantly redefine these other NUMS generators that we're going to use.=20
It's even mentioned in BIP341 for the whole provably unspendable paths=20
thing.
On Wednesday, October 23, 2024 at 8:06:59=E2=80=AFPM UTC-6 Andrew Toth wrot=
e:
> This BIP specifies a standard way to generate and verify DLEQ proofs. Thi=
s=20
> is motivated by sending to silent payments in PSBTs. However, there are=
=20
> also other uses where DLEQs could be useful, so it would be good to have=
=20
> this BIP for others to reference.
>
> This is inspired by=20
> https://github.com/discreetlogcontracts/dlcspecs/blob/master/ECDSA-adapto=
r.md#proof-of-discrete-logarithm-equality,=20
> but is a little more specific.
> There is an implementation of that already at=20
> https://github.com/BlockstreamResearch/secp256k1-zkp/blob/master/src/modu=
les/ecdsa_adaptor/dleq_impl.h,=20
> which this BIP attempts to be compatible with.
>
> Pull request here https://github.com/bitcoin/bips/pull/1689
>
>
> <pre>
> BIP: ?
> Title: Discrete Log Equality Proofs over secp256k1
> Author: Andrew Toth <andre...@gmail.com>
> Ruben Somsen <rso...@gmail.com>
> Comments-URI: TBD
> Status: Draft
> Type: Standards Track
> License: BSD-2-Clause
> Created: 2024-06-29
> Post-History: TBD
> </pre>
>
> =3D=3D Introduction =3D=3D
>
> =3D=3D=3D Abstract =3D=3D=3D
>
> This document proposes a standard for 64-byte zero-knowledge ''discrete=
=20
> logarithm equality proofs'' (DLEQ proofs) over the elliptic curve=20
> ''secp256k1''. For given elliptic curve points ''A'', ''B'', and ''C'', t=
he=20
> prover proves knowledge of a scalar ''a'' such that ''A =3D a=E2=8B=85G''=
and ''C =3D=20
> a=E2=8B=85B'' without revealing anything about ''a''. This can, for insta=
nce, be=20
> useful in ECDH: if ''A'' and ''B'' are ECDH public keys, and ''C'' is the=
ir=20
> ECDH shared secret computed as ''C =3D a=E2=8B=85B'', the proof establish=
es that the=20
> same secret key ''a'' is used for generating both ''A'' and ''C'' without=
=20
> revealing ''a''.
>
> =3D=3D=3D Copyright =3D=3D=3D
>
> This document is licensed under the 2-clause BSD license.
>
> =3D=3D=3D Motivation =3D=3D=3D
>
> [
> https://github.com/bitcoin/bips/blob/master/bip-0352.mediawiki#specificat=
ion=20
> BIP352] requires senders to compute output scripts using ECDH shared=20
> secrets from the same secret keys used to sign the inputs. Generating an=
=20
> incorrect signature will produce an invalid transaction that will be=20
> rejected by consensus. An incorrectly generated output script can still b=
e=20
> consensus-valid, meaning funds may be lost if it gets broadcast.
> By producing a DLEQ proof for the generated ECDH shared secrets, the=20
> signing entity can prove to other entities that the output scripts have=
=20
> been generated correctly without revealing the private keys.
>
> =3D=3D Specification =3D=3D
>
> All conventions and notations are used as defined in [
> https://github.com/bitcoin/bips/blob/master/bip-0327.mediawiki#user-conte=
nt-Notation=20
> BIP327].
>
> =3D=3D=3D DLEQ Proof Generation =3D=3D=3D
>
> Input:
> * The secret key ''a'': a 256-bit unsigned integer
> * The public key ''B'': a point on the curve
> * Auxiliary random data ''r'': a 32-byte array
>
> The algorithm ''Prove(a, B, r)'' is defined as:
> * Fail if ''a =3D 0'' or ''a ≥ n''.
> * Fail if ''is_infinite(B)''.
> * Let ''A =3D a=E2=8B=85G''.
> * Let ''C =3D a=E2=8B=85B''.
> * Let ''t'' be the byte-wise xor of ''bytes(32, a)'' and=20
> ''hash<sub>BIP?/aux</sub>(r)''.
> * Let ''rand =3D hash<sub>DLEQ</sub>(t || cbytes(A) || cytes(C))''.
> * Let ''k =3D int(rand) mod n''.
> * Fail if ''k =3D 0''.
> * Let ''R<sub>1</sub> =3D k=E2=8B=85G''.
> * Let ''R<sub>2</sub> =3D k=E2=8B=85B''.
> * Let ''e =3D int(hash<sub>DLEQ</sub>(cbytes(A) || cbytes(B) || cbytes(C)=
||=20
> cbytes(R<sub>1</sub>) || cbytes(R<sub>2</sub>)))''.
> * Let ''proof =3D bytes(32, e) || bytes(32, (k + ea) mod n)''.
> * If ''VerifyProof(A, B, C, proof)'' (see below) returns failure, abort.
> * Return the proof ''proof''.
>
> =3D=3D=3D DLEQ Proof Verification =3D=3D=3D
>
> Input:
> * The public key of the secret key used in the proof generation ''A'': a=
=20
> point on the curve
> * The public key used in the proof generation ''B'': a point on the curve
> * The result of multiplying the secret and public keys used in the proof=
=20
> generation ''C'': a point on the curve
> * A proof ''proof'': a 64-byte array
>
> The algorithm ''VerifyProof(A, B, C, proof)'' is defined as:
> * Let ''e =3D int(proof[0:32])''.
> * Let ''s =3D int(proof[32:64])''; fail if ''s ≥ n''.
> * Let ''R<sub>1</sub> =3D s=E2=8B=85G - e=E2=8B=85A''.
> * Fail if ''is_infinite(R<sub>1</sub>)''.
> * Fail if ''not has_even_y(R<sub>1</sub>)''.
> * Let ''R<sub>2</sub> =3D s=E2=8B=85B - e=E2=8B=85C''.
> * Fail if ''is_infinite(R<sub>2</sub>)''.
> * Fail if ''not has_even_y(R<sub>2</sub>)''.
> * Fail if ''e =E2=89=A0 int(hash<sub>BIP?/DLEQ</sub>(cbytes(A) || cbytes(=
B) ||=20
> cbytes(C) || cbytes(R<sub>1</sub>) || cbytes(R<sub>2</sub>)))''.
> * Return success iff no failure occurred before reaching this point.
>
> =3D=3D Test Vectors and Reference Code =3D=3D
>
> TBD
>
> =3D=3D Changelog =3D=3D
>
> TBD
>
> =3D=3D Footnotes =3D=3D
>
> <references />
>
> =3D=3D Acknowledgements =3D=3D
>
> TBD
>
--=20
You received this message because you are subscribed to the Google Groups "=
Bitcoin Development Mailing List" group.
To unsubscribe from this group and stop receiving emails from it, send an e=
mail to bitcoindev+unsubscribe@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/bitcoindev/=
77ad84ed-2ff8-4929-b8da-d940c95d18a7n%40googlegroups.com.
------=_Part_74723_787826626.1729867742479
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
<div>First, thanks for doing that; this is a nice thing to standardize!</di=
v><div><br /></div><div>My enthusiasm really comes from the idea that it ma=
y be used in several protocols in future (well, and currently), so I'd be k=
een to see it be sufficiently flexible. Which motivates my reading of it he=
re:</div><div><br /></div><div>I have a couple of general questions/comment=
s on the design:</div><div><br /></div><div>Why doesn't the Fiat Shamir cha=
llenge (e) include space for a message m? Just like other ZkPoKs that can b=
e really useful, considering that they are transferrable.</div><div><br /><=
/div><div>While it's understandable that you focus on the case of 1 generat=
or being G (secp default), it seems like an unnecessary restriction. It's e=
asy to imagine a more complex protocol requiring DLEQs across other pairs o=
f bases. In this case you'd want to include the other base in the Fiat Sham=
ir challenge (even if it *is* G). **<br /></div><div><br /></div><div>I gue=
ss no comments on the basic algorithm or the choice of (e,s) vs (R1, R2,s) =
proof encoding (as you've chosen exactly the same as what I chose 8 years a=
go for Joinmarket :) ). The handling of k-generation is obviously a big ste=
p up though.</div><div><br /></div><div>(**) It's orthogonal to this BIP al=
most certainly, but it makes me think: since we have tons of uses for NUMS =
generator .. generation in various bitcoin protocols, maybe we should have =
a BIP just for that? The only reason I suggest that slightly weird idea is,=
it's explicitly necessary for counterparties to be able to reproduce them =
and it's probably wasteful to constantly redefine these other NUMS generato=
rs that we're going to use. It's even mentioned in BIP341 for the whole pro=
vably unspendable paths thing.<br /></div><br /><div class=3D"gmail_quote">=
<div dir=3D"auto" class=3D"gmail_attr">On Wednesday, October 23, 2024 at 8:=
06:59=E2=80=AFPM UTC-6 Andrew Toth wrote:<br/></div><blockquote class=3D"gm=
ail_quote" style=3D"margin: 0 0 0 0.8ex; border-left: 1px solid rgb(204, 20=
4, 204); padding-left: 1ex;"><div>
<div>
=20
<span>
<div>
<p dir=3D"auto">This BIP specifies a standard way to generate and=20
verify DLEQ proofs. This is motivated by sending to silent payments in=20
PSBTs. However, there are also other uses where DLEQs could be useful,=20
so it would be good to have this BIP for others to reference.</p>
<p dir=3D"auto">This is inspired by <a href=3D"https://github.com/discreetl=
ogcontracts/dlcspecs/blob/master/ECDSA-adaptor.md#proof-of-discrete-logarit=
hm-equality" target=3D"_blank" rel=3D"nofollow" data-saferedirecturl=3D"htt=
ps://www.google.com/url?hl=3Den&q=3Dhttps://github.com/discreetlogcontr=
acts/dlcspecs/blob/master/ECDSA-adaptor.md%23proof-of-discrete-logarithm-eq=
uality&source=3Dgmail&ust=3D1729952621492000&usg=3DAOvVaw2XRiw2=
TID36ASfHkZYYMcy">https://github.com/discreetlogcontracts/dlcspecs/blob/mas=
ter/ECDSA-adaptor.md#proof-of-discrete-logarithm-equality</a>, but is a lit=
tle more specific.<br>
There is an implementation of that already at <a href=3D"https://github.com=
/BlockstreamResearch/secp256k1-zkp/blob/master/src/modules/ecdsa_adaptor/dl=
eq_impl.h" target=3D"_blank" rel=3D"nofollow" data-saferedirecturl=3D"https=
://www.google.com/url?hl=3Den&q=3Dhttps://github.com/BlockstreamResearc=
h/secp256k1-zkp/blob/master/src/modules/ecdsa_adaptor/dleq_impl.h&sourc=
e=3Dgmail&ust=3D1729952621492000&usg=3DAOvVaw2iWQZevsllLYMFrGlHX2-_=
">https://github.com/BlockstreamResearch/secp256k1-zkp/blob/master/src/modu=
les/ecdsa_adaptor/dleq_impl.h</a>, which this BIP attempts to be compatible=
with.</p><p dir=3D"auto">Pull request here <a href=3D"https://github.com/b=
itcoin/bips/pull/1689" target=3D"_blank" rel=3D"nofollow" data-saferedirect=
url=3D"https://www.google.com/url?hl=3Den&q=3Dhttps://github.com/bitcoi=
n/bips/pull/1689&source=3Dgmail&ust=3D1729952621492000&usg=3DAO=
vVaw21rGZjPuj6J-YdQkgNmiKl">https://github.com/bitcoin/bips/pull/1689</a></=
p><p dir=3D"auto"><br></p><pre><br>=C2=A0 BIP: ?<br>=C2=A0 Title: Dis=
crete Log Equality Proofs over secp256k1<br>=C2=A0 Author: Andrew Toth <=
<a href data-email-masked rel=3D"nofollow">andre...@gmail.com</a>><br>=
=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 Ruben Somsen <<a href data-email-mask=
ed rel=3D"nofollow">rso...@gmail.com</a>><br>=C2=A0 Comments-URI: TBD<br=
>=C2=A0 Status: Draft<br>=C2=A0 Type: Standards Track<br>=C2=A0 License: BS=
D-2-Clause<br>=C2=A0 Created: 2024-06-29<br>=C2=A0 Post-History: TBD<br><=
;/pre><br><br>=3D=3D Introduction =3D=3D<br><br>=3D=3D=3D Abstract =3D=
=3D=3D<br><br>This document proposes a standard for 64-byte zero-knowledge =
''discrete logarithm equality proofs'' (DLEQ proofs) over t=
he elliptic curve ''secp256k1''. For given elliptic curve p=
oints ''A'', ''B'', and ''C'=
9;, the prover proves knowledge of a scalar ''a'' such that=
''A =3D a=E2=8B=85G'' and ''C =3D a=E2=8B=85B'=
' without revealing anything about ''a''. This can, for=
instance, be useful in ECDH: if ''A'' and ''B'=
' are ECDH public keys, and ''C'' is their ECDH shared =
secret computed as ''C =3D a=E2=8B=85B'', the proof establi=
shes that the same secret key ''a'' is used for generating =
both ''A'' and ''C'' without revealing '=
;'a''.<br><br>=3D=3D=3D Copyright =3D=3D=3D<br><br>This documen=
t is licensed under the 2-clause BSD license.<br><br>=3D=3D=3D Motivation =
=3D=3D=3D<br><br>[<a href=3D"https://github.com/bitcoin/bips/blob/master/bi=
p-0352.mediawiki#specification" target=3D"_blank" rel=3D"nofollow" data-saf=
eredirecturl=3D"https://www.google.com/url?hl=3Den&q=3Dhttps://github.c=
om/bitcoin/bips/blob/master/bip-0352.mediawiki%23specification&source=
=3Dgmail&ust=3D1729952621493000&usg=3DAOvVaw0qHBZpprb3hsSkjcaYE6lb"=
>https://github.com/bitcoin/bips/blob/master/bip-0352.mediawiki#specificati=
on</a> BIP352] requires senders to compute output scripts using ECDH shared=
secrets from the same secret keys used to sign the inputs. Generating an i=
ncorrect signature will produce an invalid transaction that will be rejecte=
d by consensus. An incorrectly generated output script can still be consens=
us-valid, meaning funds may be lost if it gets broadcast.<br>By producing a=
DLEQ proof for the generated ECDH shared secrets, the signing entity can p=
rove to other entities that the output scripts have been generated correctl=
y without revealing the private keys.<br><br>=3D=3D Specification =3D=3D<br=
><br>All conventions and notations are used as defined in [<a href=3D"https=
://github.com/bitcoin/bips/blob/master/bip-0327.mediawiki#user-content-Nota=
tion" target=3D"_blank" rel=3D"nofollow" data-saferedirecturl=3D"https://ww=
w.google.com/url?hl=3Den&q=3Dhttps://github.com/bitcoin/bips/blob/maste=
r/bip-0327.mediawiki%23user-content-Notation&source=3Dgmail&ust=3D1=
729952621493000&usg=3DAOvVaw1LTAW7cdWLumiTdy12ajIH">https://github.com/=
bitcoin/bips/blob/master/bip-0327.mediawiki#user-content-Notation</a> BIP32=
7].<br><br>=3D=3D=3D DLEQ Proof Generation =3D=3D=3D<br><br>Input:<br>* The=
secret key ''a'': a 256-bit unsigned integer<br>* The publ=
ic key ''B'': a point on the curve<br>* Auxiliary random da=
ta ''r'': a 32-byte array<br><br>The algorithm ''Pr=
ove(a, B, r)'' is defined as:<br>* Fail if ''a =3D 0'&#=
39; or ''a &ge; n''.<br>* Fail if ''is_infinite=
(B)''.<br>* Let ''A =3D a=E2=8B=85G''.<br>* Let =
9;'C =3D a=E2=8B=85B''.<br>* Let ''t'' be the b=
yte-wise xor of ''bytes(32, a)'' and ''hash<sub&=
gt;BIP?/aux</sub>(r)''.<br>* Let ''rand =3D hash<s=
ub>DLEQ</sub>(t || cbytes(A) || cytes(C))''.<br>* Let '=
;'k =3D int(rand) mod n''.<br>* Fail if ''k =3D 0'&=
#39;.<br>* Let ''R<sub>1</sub> =3D k=E2=8B=85G''=
;.<br>* Let ''R<sub>2</sub> =3D k=E2=8B=85B''.<=
br>* Let ''e =3D int(hash<sub>DLEQ</sub>(cbytes(A) || c=
bytes(B) || cbytes(C) || cbytes(R<sub>1</sub>) || cbytes(R<s=
ub>2</sub>)))''.<br>* Let ''proof =3D bytes(32, e)=
|| bytes(32, (k + ea) mod n)''.<br>* If ''VerifyProof(A, B=
, C, proof)'' (see below) returns failure, abort.<br>* Return the p=
roof ''proof''.<br><br>=3D=3D=3D DLEQ Proof Verification =
=3D=3D=3D<br><br>Input:<br>* The public key of the secret key used in the p=
roof generation ''A'': a point on the curve<br>* The public=
key used in the proof generation ''B'': a point on the cur=
ve<br>* The result of multiplying the secret and public keys used in the pr=
oof generation ''C'': a point on the curve<br>* A proof =
9;'proof'': a 64-byte array<br><br>The algorithm ''Veri=
fyProof(A, B, C, proof)'' is defined as:<br>* Let ''e =3D i=
nt(proof[0:32])''.<br>* Let ''s =3D int(proof[32:64])'&=
#39;; fail if ''s &ge; n''.<br>* Let ''R<sub=
>1</sub> =3D s=E2=8B=85G - e=E2=8B=85A''.<br>* Fail if =
9;'is_infinite(R<sub>1</sub>)''.<br>* Fail if '=
'not has_even_y(R<sub>1</sub>)''.<br>* Let '=
9;R<sub>2</sub> =3D s=E2=8B=85B - e=E2=8B=85C''.<br>* F=
ail if ''is_infinite(R<sub>2</sub>)''.<br>* Fai=
l if ''not has_even_y(R<sub>2</sub>)''.<br>* Fa=
il if ''e =E2=89=A0 int(hash<sub>BIP?/DLEQ</sub>(cbytes=
(A) || cbytes(B) || cbytes(C) || cbytes(R<sub>1</sub>) || cbyte=
s(R<sub>2</sub>)))''.<br>* Return success iff no failur=
e occurred before reaching this point.<br><br>=3D=3D Test Vectors and Refer=
ence Code =3D=3D<br><br>TBD<br><br>=3D=3D Changelog =3D=3D<br><br>TBD<br><b=
r>=3D=3D Footnotes =3D=3D<br><br><references /><br><br>=3D=3D Acknowl=
edgements =3D=3D<br><br>TBD</div>
</span>
=20
</div>
</div></blockquote></div>
<p></p>
-- <br />
You received this message because you are subscribed to the Google Groups &=
quot;Bitcoin Development Mailing List" group.<br />
To unsubscribe from this group and stop receiving emails from it, send an e=
mail to <a href=3D"mailto:bitcoindev+unsubscribe@googlegroups.com">bitcoind=
ev+unsubscribe@googlegroups.com</a>.<br />
To view this discussion visit <a href=3D"https://groups.google.com/d/msgid/=
bitcoindev/77ad84ed-2ff8-4929-b8da-d940c95d18a7n%40googlegroups.com?utm_med=
ium=3Demail&utm_source=3Dfooter">https://groups.google.com/d/msgid/bitcoind=
ev/77ad84ed-2ff8-4929-b8da-d940c95d18a7n%40googlegroups.com</a>.<br />
------=_Part_74723_787826626.1729867742479--
------=_Part_74722_461499448.1729867742479--