olegabu
diff --git a/Diff for: ‎secp256k1-zkp/include/secp256k1_surjectionproof.h
+62-4 b/Diff for: ‎secp256k1-zkp/include/secp256k1_surjectionproof.h
+62-4
diff --git a/Diff for: ‎secp256k1-zkp/src/modules/surjection/main_impl.h
+81-21 b/Diff for: ‎secp256k1-zkp/src/modules/surjection/main_impl.h
+81-21
diff --git a/Diff for: ‎secp256k1-zkp/src/modules/surjection/surjection_impl.h
+16-11 b/Diff for: ‎secp256k1-zkp/src/modules/surjection/surjection_impl.h
+16-11
@@ -11,6 +11,9 @@ extern "C" {
 /** Maximum number of inputs that may be given in a surjection proof */
 #define SECP256K1_SURJECTIONPROOF_MAX_N_INPUTS 256
 
+/** Maximum number of inputs that may be used in a surjection proof */
+#define SECP256K1_SURJECTIONPROOF_MAX_USED_INPUTS 256
+
 /** Number of bytes a serialized surjection proof requires given the
  *  number of inputs and the number of used inputs.
  */
@@ -19,7 +22,7 @@ extern "C" {
 
 /** Maximum number of bytes a serialized surjection proof requires. */
 #define SECP256K1_SURJECTIONPROOF_SERIALIZATION_BYTES_MAX \
-    SECP256K1_SURJECTIONPROOF_SERIALIZATION_BYTES(SECP256K1_SURJECTIONPROOF_MAX_N_INPUTS, SECP256K1_SURJECTIONPROOF_MAX_N_INPUTS)
+    SECP256K1_SURJECTIONPROOF_SERIALIZATION_BYTES(SECP256K1_SURJECTIONPROOF_MAX_N_INPUTS, SECP256K1_SURJECTIONPROOF_MAX_USED_INPUTS)
 
 /** Opaque data structure that holds a parsed surjection proof
  *
@@ -46,9 +49,10 @@ typedef struct {
     /** Bitmap of which input tags are used in the surjection proof */
     unsigned char used_inputs[SECP256K1_SURJECTIONPROOF_MAX_N_INPUTS / 8];
     /** Borromean signature: e0, scalars */
-    unsigned char data[32 * (1 + SECP256K1_SURJECTIONPROOF_MAX_N_INPUTS)];
+    unsigned char data[32 * (1 + SECP256K1_SURJECTIONPROOF_MAX_USED_INPUTS)];
 } secp256k1_surjectionproof;
 
+#ifndef USE_REDUCED_SURJECTION_PROOF_SIZE
 /** Parse a surjection proof
  *
  *  Returns: 1 when the proof could be parsed, 0 otherwise.
@@ -70,6 +74,7 @@ SECP256K1_API int secp256k1_surjectionproof_parse(
   const unsigned char *input,
   size_t inputlen
 ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3);
+#endif
 
 /** Serialize a surjection proof
  *
@@ -134,6 +139,7 @@ SECP256K1_API size_t secp256k1_surjectionproof_serialized_size(
 ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2);
 
 /** Surjection proof initialization function; decides on inputs to use
+ *  To be used to initialize stack-allocated secp256k1_surjectionproof struct
  * Returns 0: inputs could not be selected
  *         n: inputs were selected after n iterations of random selection
  *
@@ -142,9 +148,14 @@ SECP256K1_API size_t secp256k1_surjectionproof_serialized_size(
  *                        e.g. in a coinjoin with others' inputs, an ephemeral tag can be given;
  *                        this won't match the output tag but might be used in the anonymity set.)
  *          n_input_tags: the number of entries in the fixed_input_tags array
- *      n_input_tags_to_use: the number of inputs to select randomly to put in the anonymity set
+ *   n_input_tags_to_use: the number of inputs to select randomly to put in the anonymity set
+ *                        Must be <= SECP256K1_SURJECTIONPROOF_MAX_USED_INPUTS
  *      fixed_output_tag: fixed output tag
- *      max_n_iterations: the maximum number of iterations to do before giving up
+ *      max_n_iterations: the maximum number of iterations to do before giving up. Because the
+ *                        maximum number of inputs (SECP256K1_SURJECTIONPROOF_MAX_N_INPUTS) is
+ *                        limited to 256 the probability of giving up is smaller than
+ *                        (255/256)^(n_input_tags_to_use*max_n_iterations).
+ *
  *         random_seed32: a random seed to be used for input selection
  * Out:            proof: The proof whose bitvector will be initialized. In case of failure,
  *                        the state of the proof is undefined.
@@ -162,6 +173,51 @@ SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_surjectionproof_initial
   const unsigned char *random_seed32
 ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4) SECP256K1_ARG_NONNULL(7);
 
+
+/** Surjection proof allocation and initialization function; decides on inputs to use
+ * Returns 0: inputs could not be selected, or malloc failure
+ *         n: inputs were selected after n iterations of random selection
+ *
+ * In:               ctx: pointer to a context object
+ *           proof_out_p: a pointer to a pointer to `secp256k1_surjectionproof*`.
+ *                        the newly-allocated struct pointer will be saved here.
+ *      fixed_input_tags: fixed input tags `A_i` for all inputs. (If the fixed tag is not known,
+ *                        e.g. in a coinjoin with others' inputs, an ephemeral tag can be given;
+ *                        this won't match the output tag but might be used in the anonymity set.)
+ *          n_input_tags: the number of entries in the fixed_input_tags array
+ *      n_input_tags_to_use: the number of inputs to select randomly to put in the anonymity set
+ *      fixed_output_tag: fixed output tag
+ *      max_n_iterations: the maximum number of iterations to do before giving up. Because the
+ *                        maximum number of inputs (SECP256K1_SURJECTIONPROOF_MAX_N_INPUTS) is
+ *                        limited to 256 the probability of giving up is smaller than
+ *                        (255/256)^(n_input_tags_to_use*max_n_iterations).
+ *
+ *         random_seed32: a random seed to be used for input selection
+ * Out:      proof_out_p: The pointer to newly-allocated proof whose bitvector will be initialized.
+ *                        In case of failure, the pointer will be NULL.
+ *          input_index: The index of the actual input that is secretly mapped to the output
+ */
+SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_surjectionproof_allocate_initialized(
+        const secp256k1_context* ctx,
+        secp256k1_surjectionproof** proof_out_p,
+        size_t *input_index,
+        const secp256k1_fixed_asset_tag* fixed_input_tags,
+        const size_t n_input_tags,
+        const size_t n_input_tags_to_use,
+        const secp256k1_fixed_asset_tag* fixed_output_tag,
+        const size_t n_max_iterations,
+        const unsigned char *random_seed32
+) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4) SECP256K1_ARG_NONNULL(7);
+
+/** Surjection proof destroy function
+ *  deallocates the struct that was allocated with secp256k1_surjectionproof_allocate_initialized
+ *
+ * In:               proof: pointer to secp256k1_surjectionproof struct
+ */
+SECP256K1_API void secp256k1_surjectionproof_destroy(
+        secp256k1_surjectionproof* proof
+) SECP256K1_ARG_NONNULL(1);
+
 /** Surjection proof generation function
  * Returns 0: proof could not be created
  *         1: proof was successfully created
@@ -187,6 +243,7 @@ SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_surjectionproof_generat
 ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(5) SECP256K1_ARG_NONNULL(7) SECP256K1_ARG_NONNULL(8);
 
 
+#ifndef USE_REDUCED_SURJECTION_PROOF_SIZE
 /** Surjection proof verification function
  * Returns 0: proof was invalid
  *         1: proof was valid
@@ -204,6 +261,7 @@ SECP256K1_API int secp256k1_surjectionproof_verify(
   size_t n_ephemeral_input_tags,
   const secp256k1_generator* ephemeral_output_tag
 ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(5);
+#endif
 
 #ifdef __cplusplus
 }
 
@@ -9,11 +9,20 @@
 #include <assert.h>
 #include <string.h>
 
+#if defined HAVE_CONFIG_H
+#include "libsecp256k1-config.h"
+#endif
+
+#include "include/secp256k1_rangeproof.h"
+#include "include/secp256k1_surjectionproof.h"
 #include "modules/rangeproof/borromean.h"
 #include "modules/surjection/surjection_impl.h"
 #include "hash.h"
-#include "include/secp256k1_rangeproof.h"
-#include "include/secp256k1_surjectionproof.h"
+
+#ifdef USE_REDUCED_SURJECTION_PROOF_SIZE
+#undef SECP256K1_SURJECTIONPROOF_MAX_USED_INPUTS
+#define SECP256K1_SURJECTIONPROOF_MAX_USED_INPUTS 16
+#endif
 
 static size_t secp256k1_count_bits_set(const unsigned char* data, size_t count) {
     size_t ret = 0;
@@ -35,6 +44,9 @@ static size_t secp256k1_count_bits_set(const unsigned char* data, size_t count)
     return ret;
 }
 
+#ifdef USE_REDUCED_SURJECTION_PROOF_SIZE
+static
+#endif
 int secp256k1_surjectionproof_parse(const secp256k1_context* ctx, secp256k1_surjectionproof *proof, const unsigned char *input, size_t inputlen) {
     size_t n_inputs;
     size_t signature_len;
@@ -55,6 +67,15 @@ int secp256k1_surjectionproof_parse(const secp256k1_context* ctx, secp256k1_surj
         return 0;
     }
 
+    /* Check that the bitvector of used inputs is of the claimed
+     * length; i.e. the final byte has no "padding bits" set */
+    if (n_inputs % 8 != 0) {
+        const unsigned char padding_mask = (~0U) << (n_inputs % 8);
+        if ((input[2 + (n_inputs + 7) / 8 - 1] & padding_mask) != 0) {
+            return 0;
+        }
+    }
+
     signature_len = 32 * (1 + secp256k1_count_bits_set(&input[2], (n_inputs + 7) / 8));
     if (inputlen != 2 + (n_inputs + 7) / 8 + signature_len) {
         return 0;
@@ -151,6 +172,48 @@ static size_t secp256k1_surjectionproof_csprng_next(secp256k1_surjectionproof_cs
     }
 }
 
+/* While '_allocate_initialized' may be a wordy suffix for this function, and '_create'
+ * may have been more appropriate, '_create' could be confused with '_generate',
+ * as the meanings for the words are close. Therefore, more wordy, but less
+ * ambiguous suffix was chosen. */
+int secp256k1_surjectionproof_allocate_initialized(const secp256k1_context* ctx, secp256k1_surjectionproof** proof_out_p, size_t *input_index, const secp256k1_fixed_asset_tag* fixed_input_tags, const size_t n_input_tags, const size_t n_input_tags_to_use, const secp256k1_fixed_asset_tag* fixed_output_tag, const size_t n_max_iterations, const unsigned char *random_seed32) {
+    int ret = 0;
+    secp256k1_surjectionproof* proof;
+
+    VERIFY_CHECK(ctx != NULL);
+
+    ARG_CHECK(proof_out_p != NULL);
+    *proof_out_p = 0;
+
+    proof = (secp256k1_surjectionproof*)checked_malloc(&ctx->error_callback, sizeof(secp256k1_surjectionproof));
+    if (proof != NULL) {
+        ret = secp256k1_surjectionproof_initialize(ctx, proof, input_index, fixed_input_tags, n_input_tags, n_input_tags_to_use, fixed_output_tag, n_max_iterations, random_seed32);
+        if (ret) {
+            *proof_out_p = proof;
+        }
+        else {
+            free(proof);
+        }
+    }
+    return ret;
+}
+
+/* secp256k1_surjectionproof structure may also be allocated on the stack,
+ * and initialized explicitly via secp256k1_surjectionproof_initialize().
+ * Supplying stack-allocated struct to _destroy() will result in calling
+ * free() with the pointer that points at the stack, with disasterous
+ * consequences. Thus, it is not advised to mix heap- and stack-allocating
+ * approaches to working with this struct. It is possible to detect this
+ * situation by using additional field in the struct that can be set to
+ * special value depending on the allocation path, and check it here.
+ * But currently, it is not seen as big enough concern to warrant this extra code .*/
+void secp256k1_surjectionproof_destroy(secp256k1_surjectionproof* proof) {
+    if (proof != NULL) {
+        VERIFY_CHECK(proof->n_inputs <= SECP256K1_SURJECTIONPROOF_MAX_N_INPUTS);
+        free(proof);
+    }
+}
+
 int secp256k1_surjectionproof_initialize(const secp256k1_context* ctx, secp256k1_surjectionproof* proof, size_t *input_index, const secp256k1_fixed_asset_tag* fixed_input_tags, const size_t n_input_tags, const size_t n_input_tags_to_use, const secp256k1_fixed_asset_tag* fixed_output_tag, const size_t n_max_iterations, const unsigned char *random_seed32) {
     secp256k1_surjectionproof_csprng csprng;
     size_t n_iterations = 0;
@@ -162,6 +225,7 @@ int secp256k1_surjectionproof_initialize(const secp256k1_context* ctx, secp256k1
     ARG_CHECK(fixed_output_tag != NULL);
     ARG_CHECK(random_seed32 != NULL);
     ARG_CHECK(n_input_tags <= SECP256K1_SURJECTIONPROOF_MAX_N_INPUTS);
+    ARG_CHECK(n_input_tags_to_use <= SECP256K1_SURJECTIONPROOF_MAX_USED_INPUTS);
     ARG_CHECK(n_input_tags_to_use <= n_input_tags);
     (void) ctx;
 
@@ -219,10 +283,8 @@ int secp256k1_surjectionproof_generate(const secp256k1_context* ctx, secp256k1_s
     size_t n_total_pubkeys;
     size_t n_used_pubkeys;
     size_t ring_input_index = 0;
-    secp256k1_gej ring_pubkeys[SECP256K1_SURJECTIONPROOF_MAX_N_INPUTS];
-    secp256k1_scalar borromean_s[SECP256K1_SURJECTIONPROOF_MAX_N_INPUTS];
-    secp256k1_ge inputs[SECP256K1_SURJECTIONPROOF_MAX_N_INPUTS];
-    secp256k1_ge output;
+    secp256k1_gej ring_pubkeys[SECP256K1_SURJECTIONPROOF_MAX_USED_INPUTS];
+    secp256k1_scalar borromean_s[SECP256K1_SURJECTIONPROOF_MAX_USED_INPUTS];
     unsigned char msg32[32];
 
     VERIFY_CHECK(ctx != NULL);
@@ -261,17 +323,14 @@ int secp256k1_surjectionproof_generate(const secp256k1_context* ctx, secp256k1_s
         return 0;
     }
 
-    secp256k1_generator_load(&output, ephemeral_output_tag);
-    for (i = 0; i < n_total_pubkeys; i++) {
-        secp256k1_generator_load(&inputs[i], &ephemeral_input_tags[i]);
+    if (secp256k1_surjection_compute_public_keys(ring_pubkeys, n_used_pubkeys, ephemeral_input_tags, n_total_pubkeys, proof->used_inputs, ephemeral_output_tag, input_index, &ring_input_index) == 0) {
+        return 0;
     }
 
-    secp256k1_surjection_compute_public_keys(ring_pubkeys, n_used_pubkeys, inputs, n_total_pubkeys, proof->used_inputs, &output, input_index, &ring_input_index);
-
     /* Produce signature */
     rsizes[0] = (int) n_used_pubkeys;
     indices[0] = (int) ring_input_index;
-    secp256k1_surjection_genmessage(msg32, inputs, n_total_pubkeys, &output);
+    secp256k1_surjection_genmessage(msg32, ephemeral_input_tags, n_total_pubkeys, ephemeral_output_tag);
     if (secp256k1_surjection_genrand(borromean_s, n_used_pubkeys, &blinding_key) == 0) {
         return 0;
     }
@@ -289,15 +348,16 @@ int secp256k1_surjectionproof_generate(const secp256k1_context* ctx, secp256k1_s
     return 1;
 }
 
+#ifdef USE_REDUCED_SURJECTION_PROOF_SIZE
+static
+#endif
 int secp256k1_surjectionproof_verify(const secp256k1_context* ctx, const secp256k1_surjectionproof* proof, const secp256k1_generator* ephemeral_input_tags, size_t n_ephemeral_input_tags, const secp256k1_generator* ephemeral_output_tag) {
     size_t rsizes[1];    /* array needed for borromean sig API */
     size_t i;
     size_t n_total_pubkeys;
     size_t n_used_pubkeys;
-    secp256k1_gej ring_pubkeys[SECP256K1_SURJECTIONPROOF_MAX_N_INPUTS];
-    secp256k1_scalar borromean_s[SECP256K1_SURJECTIONPROOF_MAX_N_INPUTS];
-    secp256k1_ge inputs[SECP256K1_SURJECTIONPROOF_MAX_N_INPUTS];
-    secp256k1_ge output;
+    secp256k1_gej ring_pubkeys[SECP256K1_SURJECTIONPROOF_MAX_USED_INPUTS];
+    secp256k1_scalar borromean_s[SECP256K1_SURJECTIONPROOF_MAX_USED_INPUTS];
     unsigned char msg32[32];
 
     VERIFY_CHECK(ctx != NULL);
@@ -313,12 +373,12 @@ int secp256k1_surjectionproof_verify(const secp256k1_context* ctx, const secp256
         return 0;
     }
 
-    secp256k1_generator_load(&output, ephemeral_output_tag);
-    for (i = 0; i < n_total_pubkeys; i++) {
-        secp256k1_generator_load(&inputs[i], &ephemeral_input_tags[i]);
+    /* Reject proofs with too many used inputs in USE_REDUCED_SURJECTION_PROOF_SIZE mode */
+    if (n_used_pubkeys > SECP256K1_SURJECTIONPROOF_MAX_USED_INPUTS) {
+        return 0;
     }
 
-    if (secp256k1_surjection_compute_public_keys(ring_pubkeys, n_used_pubkeys, inputs, n_total_pubkeys, proof->used_inputs, &output, 0, NULL) == 0) {
+    if (secp256k1_surjection_compute_public_keys(ring_pubkeys, n_used_pubkeys, ephemeral_input_tags, n_total_pubkeys, proof->used_inputs, ephemeral_output_tag, 0, NULL) == 0) {
         return 0;
     }
 
@@ -331,7 +391,7 @@ int secp256k1_surjectionproof_verify(const secp256k1_context* ctx, const secp256
             return 0;
         }
     }
-    secp256k1_surjection_genmessage(msg32, inputs, n_total_pubkeys, &output);
+    secp256k1_surjection_genmessage(msg32, ephemeral_input_tags, n_total_pubkeys, ephemeral_output_tag);
     return secp256k1_borromean_verify(&ctx->ecmult_ctx, NULL, &proof->data[0], borromean_s, ring_pubkeys, rsizes, 1, msg32, 32);
 }
 
 
@@ -15,7 +15,7 @@
 #include "scalar.h"
 #include "hash.h"
 
-SECP256K1_INLINE static void secp256k1_surjection_genmessage(unsigned char *msg32, secp256k1_ge *ephemeral_input_tags, size_t n_input_tags, secp256k1_ge *ephemeral_output_tag) {
+SECP256K1_INLINE static void secp256k1_surjection_genmessage(unsigned char *msg32, const secp256k1_generator *ephemeral_input_tags, size_t n_input_tags, const secp256k1_generator *ephemeral_output_tag) {
     /* compute message */
     size_t i;
     unsigned char pk_ser[33];
@@ -24,12 +24,12 @@ SECP256K1_INLINE static void secp256k1_surjection_genmessage(unsigned char *msg3
 
     secp256k1_sha256_initialize(&sha256_en);
     for (i = 0; i < n_input_tags; i++) {
-        secp256k1_eckey_pubkey_serialize(&ephemeral_input_tags[i], pk_ser, &pk_len, 1);
-        assert(pk_len == sizeof(pk_ser));
+        pk_ser[0] = 2 + (ephemeral_input_tags[i].data[63] & 1);
+        memcpy(&pk_ser[1], &ephemeral_input_tags[i].data[0], 32);
         secp256k1_sha256_write(&sha256_en, pk_ser, pk_len);
     }
-    secp256k1_eckey_pubkey_serialize(ephemeral_output_tag, pk_ser, &pk_len, 1);
-    assert(pk_len == sizeof(pk_ser));
+    pk_ser[0] = 2 + (ephemeral_output_tag->data[63] & 1);
+    memcpy(&pk_ser[1], &ephemeral_output_tag->data[0], 32);
     secp256k1_sha256_write(&sha256_en, pk_ser, pk_len);
     secp256k1_sha256_finalize(&sha256_en, msg32);
 }
@@ -61,24 +61,29 @@ SECP256K1_INLINE static int secp256k1_surjection_genrand(secp256k1_scalar *s, si
     return 1;
 }
 
-SECP256K1_INLINE static int secp256k1_surjection_compute_public_keys(secp256k1_gej *pubkeys, size_t n_pubkeys, const secp256k1_ge *input_tags, size_t n_input_tags, const unsigned char *used_tags, const secp256k1_ge *output_tag, size_t input_index, size_t *ring_input_index) {
+SECP256K1_INLINE static int secp256k1_surjection_compute_public_keys(secp256k1_gej *pubkeys, size_t n_pubkeys, const secp256k1_generator *input_tags, size_t n_input_tags, const unsigned char *used_tags, const secp256k1_generator *output_tag, size_t input_index, size_t *ring_input_index) {
     size_t i;
     size_t j = 0;
     for (i = 0; i < n_input_tags; i++) {
         if (used_tags[i / 8] & (1 << (i % 8))) {
             secp256k1_ge tmpge;
-            secp256k1_ge_neg(&tmpge, &input_tags[i]);
+            secp256k1_generator_load(&tmpge, &input_tags[i]);
+            secp256k1_ge_neg(&tmpge, &tmpge);
+
+            VERIFY_CHECK(j < SECP256K1_SURJECTIONPROOF_MAX_USED_INPUTS);
+            VERIFY_CHECK(j < n_pubkeys);
             secp256k1_gej_set_ge(&pubkeys[j], &tmpge);
-            secp256k1_gej_add_ge_var(&pubkeys[j], &pubkeys[j], output_tag, NULL);
+
+            secp256k1_generator_load(&tmpge, output_tag);
+            secp256k1_gej_add_ge_var(&pubkeys[j], &pubkeys[j], &tmpge, NULL);
             if (ring_input_index != NULL && input_index == i) {
                 *ring_input_index = j;
             }
             j++;
-            if (j > n_pubkeys) {
-                return 0;
-            }
         }
     }
+    /* Caller needs to ensure that the number of set bits in used_tags (which we counted in j) equals n_pubkeys. */
+    VERIFY_CHECK(j == n_pubkeys);
     return 1;
 }