-
Notifications
You must be signed in to change notification settings - Fork 385
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Switch default bits of hiding to 52 #834
Conversation
@@ -178,8 +178,11 @@ bool GenerateRangeproof(std::vector<unsigned char>& rangeproof, const std::vecto | |||
memcpy(asset_message+32, asset_blindptrs[asset_blindptrs.size()-1], 32); | |||
|
|||
// Sign rangeproof | |||
int ct_exponent = std::min(std::max((int)gArgs.GetArg("-ct_exponent", 0), -1), 18); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
heh concept ACK
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It's just taking the arguments out of the giant line. Nothing else changed. I don't fully understand the strange min max thing there. I suppose it's to get the values between -1 and 18.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
ct_bits was also previously limited via this min/max construction. It was changed to just 52, I don't see why ct_exponent in this line could not be changed to just 0. The min/max limit for ct_bits was removed in #793 without any explanation, was it deemed useless ?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I ask because I'll need to adjust my lib accordingly, but I hesitate to remove the limitations without fully understanding the consequences. Changing the number of bits result in the change in the size of the proof, and it looks like this only affects the tx size and therefore fee estimation. Setting ct_bits outside sane range would mean the blinding will just not work and fail with error, is this change (removing min/max limitation) added to help detect incorrect settings rather than work with limited settings ? If this is the logic behind this change, then ct_exponent should not be min/max restricted, too, and then secp256k1_rangeproof_sign_impl
will just return 0 if incorrect exp
was supplied
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don't know if your reference to #793 was a typo, but that PR was superseded with this one and it just sets the default number of bits from 38 to 52. We did this because the 38 bits covered only up to 10^-3 BTC or something. Because some assets are issuing assets using the BTC amounts instead of satoshi, we did this to increase the default blinding about up to 45*10^6 BTC.
It's true that it will about double the tx size. But given that we're also reducing the tx fee rate for Liquid to 0.1 sat/byte, that more than compensates for that increase in tx size.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ah you're probably right about the min(max(
construction of ct_exponent. Any wrong number will result in a failure on the secp side. It might be worth it to remove that construction, yes.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
reference to #793 was not a typo, the change of the value of ct_bits was not that my question was about. I asked why the std::min(std::max(...
is still applied to ct_exponent
, but not to ct_bits
anymore. If there was certain logic behind removing this for ct_bits
, the same logic should apply to ct_exponent
. I don't see why this min/max thing is needed for either of these two parameters, but I might be missing something, and it would be good to know the reasoning why min/max was there in the first place. I have this code ported to python, and I will need to sync the code, but I would like the code to be consistent, and having different approaches to ct_exponent
and ct_bits
does not seem consistent to me.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Removed that construction in followup PR. You were right that it was not needed in either position and it's actually a bit annoying.
utACK |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Didn't check DEFAULT_RANGEPROOF_SIZE
, otherwise ACK mod nit.
Note that we should urge users to update. With this change and the default minfee/fallbackfee changes, wallet fingerprinting is trivial. |
Yeah I'm sure Allen is taking care of that. Plus we're coordinating with Green to update at the same time. |
In line with elements update ElementsProject/elements#834 Also removed the min/max construct, again in line with elements
I got an e-mail with this comment from Dmitry, but I can't find it on
GitHub, was it removed?
What were a reason to choose CT_BITS=52 instead of 51, given that 51 bits
also cover amounts up to MAX_MONEY (2251799813685248), you can't have
outputs > MAX_MONEY in Elements, and MAX_MONEY is the same as in Core, 21000000
* COIN ?
Well, the reason to do this was not really to cover all Bitcoins. We won't
ever have that many Bitcoins in Liquid anyway. But the reason was that
people are issuing assets with bitcoin-like amounts (with 8 decimals). So
we needed to update to a high number to cover tokens with high amounts of
issuance. And we opted for 52 instead of 51 because it's a multiple of 4
and that made it easier to reason about the rangeproof size, because part
of it grows with the bits divided by 4, so 52 made more sense.
…On Wed, Mar 25, 2020 at 1:12 PM Dmitry Petukhov ***@***.***> wrote:
What were a reason to choose CT_BITS=52 instead of 51, given that 51 bits
also cover amounts up to MAX_MONEY (2251799813685248), you can't have
outputs > MAX_MONEY in Elements, and MAX_MONEY is the same as in Core, 21000000
* COIN ?
—
You are receiving this because you modified the open/close state.
Reply to this email directly, view it on GitHub
<#834 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AAGQLXGQSIEKGY4VRFXMB5DRJH7MNANCNFSM4LMPN7QQ>
.
|
I removed it because I got an answer (for a related question) from @instagibbs here: ElementsProject/elementsproject.github.io#127 (comment) |
Thanks for an explanation of the reasoning behind the decision! |
…ment edfa40e Remove the min(max( construction for the ct_exponent argument (Steven Roose) Pull request description: As per @dgpv's suggestion here: #834 (comment) @dgpv could you review? Tree-SHA512: 6c91a0a86a593f22ff42fb617aa96aeb97e2e5225e2b5b6980aa470f45ee613dab53de49dbbae20aecf7a4bf21cc005839be770917d55cfb2c9afd821c2d0231
In line with elements update ElementsProject/elements#834 Also removed the min/max construct, again in line with elements
Replaces #793 and is basically that MR but rebased. (I can't rebase on Greg's branch.)