
Commit 83609a7

committed
chore: update range proof.
Thanks to Ian for spotting the missing trivial optimization.
1 parent 23f0d7b commit 83609a7


1 file changed

+14
-13
lines changed


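--- a/src/tests/test_relations.rs
+++ b/src/tests/test_relations.rs
@@ -223,34 +223,35 @@ pub fn range_instance_generation<G: PrimeGroup, R: RngCore>(
 let [var_G, var_H] = instance.allocate_elements();
 let [var_x, var_r] = instance.allocate_scalars();
 let vars_b = instance.allocate_scalars_vec(bases.len());
-let vars_s = instance.allocate_scalars_vec(bases.len());
+let vars_s = instance.allocate_scalars_vec(bases.len() - 1);
 let var_s2 = instance.allocate_scalars_vec(bases.len());
 let var_Ds = instance.allocate_elements_vec(bases.len());
 
-// `var_Ds[i]` are bit commitments.
-for i in 0..bases.len() {
+// `var_C` is a Pedersen commitment to `var_x`.
+let var_C = instance.allocate_eq(var_x * var_G + var_r * var_H);
+// `var_Ds[i]` are bit commitments...
+for i in 1..bases.len() {
 instance.append_equation(var_Ds[i], vars_b[i] * var_G + vars_s[i] * var_H);
 instance.append_equation(var_Ds[i], vars_b[i] * var_Ds[i] + var_s2[i] * var_H);
 }
-// `var_C` is a Pedersen commitment to `var_x`.
-let var_C = instance.allocate_eq(var_x * var_G + var_r * var_H);
-// `var_x` = sum(bases[i] * var_b[i])
-// This equation is "trivial", in that it does not contain any scalar var.
-// Our linear relation is smart enough to check this outside of the proof,
-// which is what a normal implementation would do.
+// ... satisfying that sum(Ds[i] * bases[i]) = C
 instance.append_equation(
-var_C,
-var_G * G::Scalar::from(range.start)
-+ (0..bases.len())
+var_Ds[0],
+var_C
+- var_G * G::Scalar::from(range.start)
+- (1..bases.len())
 .map(|i| var_Ds[i] * G::Scalar::from(bases[i]))
 .sum::<Sum<_>>(),
 );
+instance.append_equation(var_Ds[0], vars_b[0] * var_Ds[0] + var_s2[0] * var_H);
 
+// Compute the witness
 let r = G::Scalar::random(&mut rng);
 let x = G::Scalar::from(input);
 
+// IMPORTANT: this segment of the witness generation is NOT constant-time.
+// See PR #80 for details.
 let b = {
-// XXX Make this constant time
 let mut rest = input - range.start;
 let mut b = vec![G::Scalar::ZERO; bases.len()];
 assert!(rest < delta);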
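Review bot: The shrunken allocation `let vars_s = instance.allocate_scalars_vec(bases.len() - 1);` no longer matches the indexing in the loop that follows, where `vars_s[i]` is read for `i in 1..bases.len()`; if `allocate_scalars_vec` returns a plain `Vec` of the requested length (as the `var_Ds[i]` indexing suggests), the last iteration indexes position `bases.len() - 1` of a vector whose last valid index is `bases.len() - 2` and panics, while `vars_s[0]` is never used. Either index with the offset, `instance.append_equation(var_Ds[i], vars_b[i] * var_G + vars_s[i - 1] * var_H);`, or keep allocating `bases.len()` scalars and accept one unused variable. Separately, `bases.len() - 1` underflows when `bases` is empty (a debug-mode panic, or a wrapped huge allocation in release); a `debug_assert!(!bases.is_empty());` before the allocations, or a `saturating_sub(1)`, would make that precondition explicit. The "NOT constant-time" comment is a useful addition; since `rest` is derived from the secret `input`, it is worth stating in that comment that the bit decomposition below branches on secret data, so the witness side must not run where timing is observable. `range_instance_generation` begins before this hunk and continues past it.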
