-
-
Notifications
You must be signed in to change notification settings - Fork 669
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Confidential Assets tracking issue #66
Comments
Hello Andrew! Thanks for contacting us and creating this tracking issue. We use our trezor-crypto library for both Trezor One and the new Model T. Monero support is being added in this pull request: trezor/trezor-crypto#162 Monero uses a different curve (Curve25519), so I don't think there's any way we could reuse Pedersen commitments and/or range proofs from this code. In order to get Confidential Assets working on Trezor, there are two different approaches:
I think option 1) is probably easier, although I am not sure how much of the new code would that need. Option 2) might be complicated, because we don't use malloc/free in our crypto environment and as far as I can tell secp256k1 uses these OS features. |
Hi @prusnak , Our current use of We also use malloc in our unit tests and benchmarks, which I assume doesn't matter. So I think option (2) is actually likely to be the simpler one. |
Is secp256k1-zkp a superset of libsecp256k1? If yes, I think it's worth the effort integrating secp256k1 into our stack.
|
Yes, secp256k1-zkp is a superset of libsecp256k1 - all the new code is in the The current use of I'll work with upstream libsecp to figure out the cleanest way to avoid malloc entirely. |
@prusnak because only one context is needed for the entire device, it's sufficient to replace |
Yes, that would work. I created a branch |
Ping? |
Hi, sorry for the delay. I had meant to work on this every day for the last 2 weeks but I didn't find the time. My plan today is to make a PR upstream to allow creating a context object from a user-provided byte array (and a utility function to determine how large the array needs). I'll pull that into secp256k1-zkp and then I'll work on integrating that. |
Sure, let me know if you need help with anything. |
Sorry for the continued delay, this was a bit harder than I expected because the precomputation requires not only memory for the context, but also extra scratch space memory that it only uses during the computation. So I need to think more carefully about how to make a comprehensible API -- questions like, how can signing precomp and verification precomp use the same scratch space; how can I make context cloning require enough memory for the new context but not enough for scratch; etc. I also got ratholed trying to redo some of the precomp algorithms to not use so much aux space.. |
No worries, take your time. I just wanted to make sure we are not blocking you in the development. |
With a bit of algebra I found a way to eliminate all of the scratch memory, so this API wart can be avoided entirely. |
With a bit of algebra I found a way to eliminate all of the scratch
memory, so this API wart can be avoided entirely.
Awesome!
|
Just a small update: We have a PR now that makes secp256k1 work with a block of caller-allocated memory: bitcoin-core/secp256k1#566 |
@real-or-random great news! |
I'm getting started working on the libsecp port but I think I'm doing something wrong. I have two unrelated build issues.
|
|
I'm am an an x86_64 system with the following gcc
|
@apoelstra I just removed all cached docker images, restarted the docker build and everything works for me. Try running We are using gcc-7 as can be seen from the Dockerfile. Most probably gcc-8 has more aggressive checks. You can either use gcc-7 or add |
Quick update on this because I realize we've been working somewhat in the background here. With the help of @romanz we've got the basic secp256k1 library working on the Trezor 1 and T. With some hacky stack measurement we've confirmed that we're far away from any resource limits. We're uncertain about our build commands or use of the micropython allocator but we think we're close. From here @real-or-random and I have been working on getting the rangeproof and surjection proof code. Our initial measurements indicate that we're using roughly 30Kb of 15Kb available stack space :) so over the next couple days I'm rewriting the core functions that implement rangeproof proving and verification to eliminate this overuse of stack space. We both have obtained physical devices that we can test on, since the simulator does not simulate memory limits. These functions are self-contained and I think the scope of this rewrite is very narrow and straightforward. I met with Greg Maxwell, who wrote the original code, a couple of days ago and he had a similar intuition. |
@apoelstra These are great news! Looking forward to working with you on merging the functionality into our tree. |
Okay, so we had a closer look at the code. It's possible to rewrite it to use less stack memory, we're not convinced that this is the best idea because it will probably almost double the (already noticeable) running time of the rangeproof creation. In our experiments, we overused the stack by about 15 KB, but the code worked fine (on the physical device). What exactly happens is that we use more stack than reserved by the firmware within micropython. But since this is FFI code, micropython does not check that we're using more stack and just let us run. But since the code actually works (so the memory is in fact available) and is the fastest way to create rangeproofs, we wonder what the best forward is. Specifically,
As I said it's possible to use less stack memory but we really would like to avoid it due to the performance hit. |
@jpochyla can you shed some light on stack limitations? |
Hi! Sorry about the delay. Seems like the best way to solve this would be to move the C stack into CCMRAM, that should give us 64KB space in total, instead of 16KB soft-limit. You can find the code here: https://github.com/trezor/trezor-core/tree/ccmram_stack 64KB should be enough, right? |
Thanks! 64KB ought to be enough for anybody. If none of our math was wrong, we'll need 32 KB altogether (current stack of 16KB plus ~15KB use over the current limit. We'll try our patches on top of your branch. |
Unfortunately, it seems that using the CCMRAM for the stack causes USB disconnection after running a
@jpochyla Could you please take a look? |
@romanz What do you see on the display? It seems the device stopped responding. |
@prusnak |
BTW, moving |
Following trezor#66 and trezor#398, it would allow receiving confidential transactions to addresses generated on the devices. Blinding, unblinding and signing will be added in separate PRs.
Following trezor#66 and trezor#398, it would allow receiving confidential transactions to addresses generated on the devices. Blinding, unblinding and signing will be added in separate PRs.
Following trezor#66 and trezor#398, it would allow receiving confidential transactions to addresses generated on the devices. Blinding, unblinding and signing will be added in separate PRs.
Following trezor#66 and trezor#398, it would allow receiving confidential transactions to addresses generated on the devices. Blinding, unblinding and signing will be added in separate PRs.
Following trezor#66 and trezor#398, it would allow receiving confidential transactions to addresses generated on the devices. Blinding, unblinding and signing will be added in separate PRs.
Following trezor#66 and trezor#398, it would allow receiving confidential transactions to addresses generated on the devices. Blinding, unblinding and signing will be added in separate PRs.
Following trezor#66 and trezor#398, it would allow receiving confidential transactions to addresses generated on the devices. Blinding, unblinding and signing will be added in separate PRs.
Following trezor#66 and trezor#398, it would allow receiving confidential transactions to addresses generated on the devices. Blinding, unblinding and signing will be added in separate PRs.
Following trezor#66 and trezor#398, it would allow receiving confidential transactions to addresses generated on the devices. Blinding, unblinding and signing will be added in separate PRs.
Following trezor#66 and trezor#398, it would allow receiving confidential transactions to addresses generated on the devices. Blinding, unblinding and signing will be added in separate PRs.
Following trezor#66 and trezor#398, it would allow receiving confidential transactions to addresses generated on the devices. Blinding, unblinding and signing will be added in separate PRs.
Following trezor#66 and trezor#398, it would allow receiving confidential transactions to addresses generated on the devices. Blinding, unblinding and signing will be added in separate PRs.
It would be great to have support for Confidental Assets (CA), which is used in the Elements blockchain platform and in Liquid, the commercial sidechain based on Elements. I'm happy to help move this forward, and am available by email at apoelstra at blockstream.com for any clarification or guidance.
CA is described in this blog post: https://blockstream.com/2017/04/03/blockstream-releases-elements-confidential-assets.html
It is essentially the same as Confidential Transactions, which involves the use of Pedersen commitments in place of amounts, alongside rangeproofs, which I believe is already supported as part of Trezor's Monero support. CA mades one of the two EC generators variable and adds a new "asset surjection proof" which is described here: https://github.com/ElementsProject/secp256k1-zkp/blob/secp256k1-zkp/src/modules/surjection/surjection.md
We've implemented CA in full as part of libsecp256k1-zkp, our fork of the Bitcoin Core libsecp256k1 library.
For referenc, the API for making surjection proofs is here: https://github.com/ElementsProject/secp256k1-zkp/blob/secp256k1-zkp/include/secp256k1_surjectionproof.h
and the core crypto functionality is here:
https://github.com/ElementsProject/secp256k1-zkp/blob/secp256k1-zkp/src/modules/surjection/main_impl.h
https://github.com/ElementsProject/secp256k1-zkp/blob/secp256k1-zkp/src/modules/surjection/surjection_impl.h
Cheers
The text was updated successfully, but these errors were encountered: