jedisct1 / libsodium

A modern, portable, easy to use crypto library.

Home Page: https://libsodium.org

Some error I got when implementing a commitment scheme based on libsodium

jscode017 opened this issue · comments

Hi, I want to implement a Pedersen commitment on top of libsodium.
Below is what I am trying to do:
comm1: m1G+r1H
comm2: m2G+r2H
comm3: (m1+m2)G+(r1+r2)H
comm4: comm1+comm2

and comm3 should equal comm4.
And here is my code:

#include <sodium.h>
#include <iostream>
using namespace std;

int commitment_check()
{
    if (sodium_init() < 0) {
        return -1;
    }

    unsigned char x[crypto_core_ristretto255_HASHBYTES];
    randombytes_buf(x, sizeof x);

    unsigned char g[crypto_core_ristretto255_BYTES];
    crypto_core_ristretto255_from_hash(g, x); //compute G

    unsigned char h[crypto_core_ristretto255_BYTES];
    unsigned char x2[crypto_core_ristretto255_HASHBYTES];
    randombytes_buf(x2, sizeof x2);
    crypto_core_ristretto255_from_hash(h, x2); //compute H

    unsigned char r1[crypto_core_ristretto255_SCALARBYTES];
    unsigned char hr1[crypto_core_ristretto255_BYTES];
    unsigned char gm1[crypto_core_ristretto255_BYTES];

    crypto_core_ristretto255_scalar_random(r1); //generate r1

    if (crypto_scalarmult_ristretto255(hr1, r1, h) != 0) { //compute r1*H
        return -1;
    }

    unsigned char m1[crypto_core_ristretto255_SCALARBYTES];
    randombytes_buf(m1, sizeof m1); //generate m1

    if (crypto_scalarmult_ristretto255(gm1, m1, g) != 0) { //compute m1*G
        return -1;
    }
    unsigned char comm1[crypto_core_ristretto255_BYTES];
    crypto_core_ristretto255_add(comm1, gm1, hr1); //compute comm1 = m1*G+r1*H

    unsigned char r2[crypto_core_ristretto255_SCALARBYTES];
    unsigned char hr2[crypto_core_ristretto255_BYTES];
    unsigned char gm2[crypto_core_ristretto255_BYTES];

    crypto_core_ristretto255_scalar_random(r2); //generate r2
    if (crypto_scalarmult_ristretto255(hr2, r2, h) != 0) { //compute r2*H
        return -1;
    }

    unsigned char m2[crypto_core_ristretto255_SCALARBYTES];
    randombytes_buf(m2, sizeof m2); //generate m2

    if (crypto_scalarmult_ristretto255(gm2, m2, g) != 0) { //compute m2*G
        return -1;
    }
    unsigned char comm2[crypto_core_ristretto255_BYTES];
    crypto_core_ristretto255_add(comm2, gm2, hr2); //compute comm2 = m2*G+r2*H

    unsigned char r3[crypto_core_ristretto255_SCALARBYTES];
    unsigned char hr3[crypto_core_ristretto255_BYTES];
    unsigned char gm3[crypto_core_ristretto255_BYTES];
    unsigned char m3[crypto_core_ristretto255_SCALARBYTES];
    crypto_core_ristretto255_scalar_add(m3, m1, m2); //compute m3 = (m1+m2)
    crypto_core_ristretto255_scalar_add(r3, r2, r1); //compute r3 = (r1+r2)
    if (crypto_scalarmult_ristretto255(hr3, r3, h) != 0) { //compute r3*H
        return -1;
    }
    if (crypto_scalarmult_ristretto255(gm3, m3, g) != 0) { //compute m3*G
        return -1;
    }
    unsigned char comm3[crypto_core_ristretto255_BYTES];
    crypto_core_ristretto255_add(comm3, gm3, hr3); //compute comm3 = m3*G+r3*H
    unsigned char comm4[crypto_core_ristretto255_BYTES];
    crypto_core_ristretto255_add(comm4, comm1, comm2); //compute comm4 = comm1+comm2
    cout << "sodium cmp: " << sodium_memcmp(comm3, comm4, sizeof comm3) << endl;
    return 0;
}

However, the result does not equal 0.
I would truly appreciate it if someone could provide some insight into any potential mistakes I might be making, based on the information I provided above.

Sorry, found the issue: I should use crypto_core_ristretto255_scalar_random(m) to get the random scalar m.