
feat: commitment proofs

Open AaronFeickert opened this issue 1 year ago • 4 comments

Description

Adds commitment proofs, which prove knowledge of the opening of a commitment with an optional minimum value assertion.

Closes #6282. Supersedes #6348.

Motivation and Context

This PR adds commitment proofs. These proofs show that the prover knows the opening of a given commitment, optionally show that the commitment binds to at least a specified minimum value, and bind to an arbitrary message to mitigate replay attacks.

Notably, they do not necessarily assert spend authority.

How Has This Been Tested?

This needs to be tested manually.

What process can a PR reviewer use to test or verify this change?

Test proof verification succeeds against valid values. Test proof verification fails against different commitments, minimum values, and messages.

AaronFeickert, Aug 12 '24 00:08
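An added example, not code from this PR or from the Tari code base: a Schnorr-style proof of knowledge of a Pedersen commitment opening, with the message bound into the Fiat-Shamir challenge so that a proof made for one context fails in another. The modular group standing in for an elliptic curve, the names `G_VALUE` and `G_MASK`, and the domain label are assumptions; the optional minimum-value assertion is not shown.

```python
import hashlib
import secrets

# Toy group (assumption, not Tari's curve): squares modulo the 768-bit safe
# prime from RFC 2409 (Oakley Group 1); they form a subgroup of prime order Q.
P = int("FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
        "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
        "4FE1356D6D51C245E485B576625E7EC6F44C42E9A63A3620FFFFFFFFFFFFFFFF", 16)
Q = (P - 1) // 2

def transcript_hash(*parts: bytes) -> int:
    """Domain-separated, length-prefixed SHA-512 over the transcript parts."""
    h = hashlib.sha512(b"example/commitment-proof/v1")  # hypothetical label
    for part in parts:
        h.update(len(part).to_bytes(8, "big") + part)
    return int.from_bytes(h.digest(), "big")

G_VALUE = 4  # a square, so it lies in the order-Q subgroup
# Derived by hashing, so nobody knows its discrete log relative to G_VALUE.
G_MASK = pow(transcript_hash(b"mask generator"), 2, P)

def commit(value: int, mask: int) -> int:
    """Pedersen-style commitment G_VALUE^value * G_MASK^mask mod P."""
    return pow(G_VALUE, value, P) * pow(G_MASK, mask, P) % P

def challenge(commitment: int, nonce_commitment: int, message: bytes) -> int:
    # Hashing the statement and the message ties the proof to both.
    enc = lambda x: x.to_bytes(96, "big")
    return transcript_hash(enc(commitment), enc(nonce_commitment), message) % Q

def prove(value: int, mask: int, message: bytes):
    a, b = secrets.randbelow(Q), secrets.randbelow(Q)  # fresh nonces per proof
    r = commit(a, b)
    e = challenge(commit(value, mask), r, message)
    return r, (a + e * value) % Q, (b + e * mask) % Q

def verify(commitment: int, proof, message: bytes) -> bool:
    r, s_value, s_mask = proof
    # Reject anything outside the prime-order subgroup before using it.
    if not all(0 < x < P and pow(x, Q, P) == 1 for x in (commitment, r)):
        return False
    e = challenge(commitment, r, message)
    return commit(s_value, s_mask) == r * pow(commitment, e, P) % P

if __name__ == "__main__":
    c = commit(42, 1234567)  # constructed sample opening
    proof = prove(42, 1234567, b"context-A")
    print(verify(c, proof, b"context-A"), verify(c, proof, b"context-B"))
```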

Test Results (CI)

3 files, 123 suites, 39m 40s :stopwatch:
1 301 tests: 1 301 :white_check_mark:, 0 :zzz:, 0 :x:
3 895 runs: 3 895 :white_check_mark:, 0 :zzz:, 0 :x:

Results for commit 54f290cd.

github-actions[bot], Aug 12 '24 00:08

Test Results (Integration tests)

2 files +2, 1 errors, 9 suites +9, 11m 33s :stopwatch: +11m 33s
19 tests +19: 18 :white_check_mark: +18, 0 :zzz: ±0, 1 :x: +1
20 runs +20: 19 :white_check_mark: +19, 0 :zzz: ±0, 1 :x: +1

For more details on these parsing errors and failures, see this check.

Results for commit 54f290cd. ± Comparison against base commit 310a470f.

github-actions[bot], Aug 12 '24 00:08

@SWvheerden thanks for the review! This was originally based on the design in #6240, but certainly looks like it needs to be changed to be properly useful.

AaronFeickert, Aug 12 '24 14:08

> then realized that the transcript is unique

Yep, this was very intentional. It's not possible to collide a commitment proof with a range proof. This is the case even in the "other direction", where an adversary tricks a user into including a malicious message in a commitment proof in an attempt to produce a valid range proof.

AaronFeickert, Aug 12 '24 14:08

Going to close this for now; we have the issue still open for this, and this needs to be reworked to make it useful.

SWvheerden, Mar 04 '25 08:03