Skip to content

Commit 050d9b2

Browse files
jonasnickjonasnick
committed
Merge #226: bppp: align terminology with paper
2c63d17 bppp: align terminology with paper (gamma) (Jonas Nick) dbf2e4d bppp: align terminology with paper (mu, rho) (Jonas Nick) Pull request description: ACKs for top commit: real-or-random: utACK 2c63d17 Tree-SHA512: 494db14717acf95de74ca14cdbd4908b31a2e81562ca18b8e3ddd795d40f60cd8ea8d7472c348da108db7d314d510f7366dc594809cf29c0c044c701c56119cc
2 parents f4dd041 + 2c63d17 commit 050d9b2

File tree

2 files changed

+122
-122
lines changed

2 files changed

+122
-122
lines changed

src/modules/bppp/bppp_norm_product_impl.h

+80-80
Original file line numberDiff line numberDiff line change
@@ -43,7 +43,7 @@ static int secp256k1_scalar_inner_product(
4343
/* Computes the q-weighted inner product of two vectors of scalars
4444
* for elements starting from offset a and offset b respectively with the
4545
* given step.
46-
* Returns: Sum_{i=0..len-1}(a[offset_a + step*i] * b[offset_b2 + step*i]*q^(i+1)) */
46+
* Returns: Sum_{i=0..len-1}(a[offset_a + step*i] * b[offset_b2 + step*i]*mu^(i+1)) */
4747
static int secp256k1_weighted_scalar_inner_product(
4848
secp256k1_scalar* res,
4949
const secp256k1_scalar* a_vec,
@@ -52,29 +52,29 @@ static int secp256k1_weighted_scalar_inner_product(
5252
const size_t b_offset,
5353
const size_t step,
5454
const size_t len,
55-
const secp256k1_scalar* q
55+
const secp256k1_scalar* mu
5656
) {
57-
secp256k1_scalar q_pow;
57+
secp256k1_scalar mu_pow;
5858
size_t i;
5959
secp256k1_scalar_set_int(res, 0);
60-
q_pow = *q;
60+
mu_pow = *mu;
6161
for (i = 0; i < len; i++) {
6262
secp256k1_scalar term;
6363
secp256k1_scalar_mul(&term, &a_vec[a_offset + step*i], &b_vec[b_offset + step*i]);
64-
secp256k1_scalar_mul(&term, &term, &q_pow);
65-
secp256k1_scalar_mul(&q_pow, &q_pow, q);
64+
secp256k1_scalar_mul(&term, &term, &mu_pow);
65+
secp256k1_scalar_mul(&mu_pow, &mu_pow, mu);
6666
secp256k1_scalar_add(res, res, &term);
6767
}
6868
return 1;
6969
}
7070

71-
/* Compute the powers of r as r, r^2, r^4 ... r^(2^(n-1)) */
72-
static void secp256k1_bppp_powers_of_r(secp256k1_scalar *powers, const secp256k1_scalar *r, size_t n) {
71+
/* Compute the powers of rho as rho, rho^2, rho^4 ... rho^(2^(n-1)) */
72+
static void secp256k1_bppp_powers_of_rho(secp256k1_scalar *powers, const secp256k1_scalar *rho, size_t n) {
7373
size_t i;
7474
if (n == 0) {
7575
return;
7676
}
77-
powers[0] = *r;
77+
powers[0] = *rho;
7878
for (i = 1; i < n; i++) {
7979
secp256k1_scalar_sqr(&powers[i], &powers[i - 1]);
8080
}
@@ -99,7 +99,7 @@ static int ecmult_bp_commit_cb(secp256k1_scalar *sc, secp256k1_ge *pt, size_t id
9999
}
100100

101101
/* Create a commitment `commit` = vG + n_vec*G_vec + l_vec*H_vec where
102-
v = |n_vec*n_vec|_q + <l_vec, c_vec>. |w|_q denotes q-weighted norm of w and
102+
v = |n_vec*n_vec|_mu + <l_vec, c_vec>. |w|_mu denotes mu-weighted norm of w and
103103
<l, r> denotes inner product of l and r.
104104
*/
105105
static int secp256k1_bppp_commit(
@@ -113,7 +113,7 @@ static int secp256k1_bppp_commit(
113113
size_t l_vec_len,
114114
const secp256k1_scalar* c_vec,
115115
size_t c_vec_len,
116-
const secp256k1_scalar* q
116+
const secp256k1_scalar* mu
117117
) {
118118
secp256k1_scalar v, l_c;
119119
/* First n_vec_len generators are Gs, rest are Hs*/
@@ -125,8 +125,8 @@ static int secp256k1_bppp_commit(
125125
VERIFY_CHECK(secp256k1_is_power_of_two(n_vec_len));
126126
VERIFY_CHECK(secp256k1_is_power_of_two(c_vec_len));
127127

128-
/* Compute v = n_vec*n_vec*q + l_vec*c_vec */
129-
secp256k1_weighted_scalar_inner_product(&v, n_vec, 0 /*a offset */, n_vec, 0 /*b offset*/, 1 /*step*/, n_vec_len, q);
128+
/* Compute v = n_vec*n_vec*mu + l_vec*c_vec */
129+
secp256k1_weighted_scalar_inner_product(&v, n_vec, 0 /*a offset */, n_vec, 0 /*b offset*/, 1 /*step*/, n_vec_len, mu);
130130
secp256k1_scalar_inner_product(&l_c, l_vec, 0 /*a offset */, c_vec, 0 /*b offset*/, 1 /*step*/, l_vec_len);
131131
secp256k1_scalar_add(&v, &v, &l_c);
132132

@@ -150,8 +150,8 @@ typedef struct ecmult_x_cb_data {
150150
const secp256k1_scalar *n;
151151
const secp256k1_ge *g;
152152
const secp256k1_scalar *l;
153-
const secp256k1_scalar *r;
154-
const secp256k1_scalar *r_inv;
153+
const secp256k1_scalar *rho;
154+
const secp256k1_scalar *rho_inv;
155155
size_t G_GENS_LEN; /* Figure out initialization syntax so that this can also be const */
156156
size_t n_len;
157157
} ecmult_x_cb_data;
@@ -160,10 +160,10 @@ static int ecmult_x_cb(secp256k1_scalar *sc, secp256k1_ge *pt, size_t idx, void
160160
ecmult_x_cb_data *data = (ecmult_x_cb_data*) cbdata;
161161
if (idx < data->n_len) {
162162
if (idx % 2 == 0) {
163-
secp256k1_scalar_mul(sc, &data->n[idx + 1], data->r);
163+
secp256k1_scalar_mul(sc, &data->n[idx + 1], data->rho);
164164
*pt = data->g[idx];
165165
} else {
166-
secp256k1_scalar_mul(sc, &data->n[idx - 1], data->r_inv);
166+
secp256k1_scalar_mul(sc, &data->n[idx - 1], data->rho_inv);
167167
*pt = data->g[idx];
168168
}
169169
} else {
@@ -201,11 +201,11 @@ static int ecmult_r_cb(secp256k1_scalar *sc, secp256k1_ge *pt, size_t idx, void
201201
}
202202

203203
/* Recursively compute the norm argument proof satisfying the relation
204-
* <n_vec, n_vec>_q + <c_vec, l_vec> = v for some commitment
205-
* C = v*G + <n_vec, G_vec> + <l_vec, H_vec>. <x, x>_q is the weighted inner
206-
* product of x with itself, where the weights are the first n powers of q.
207-
* <x, x>_q = q*x_1^2 + q^2*x_2^2 + q^3*x_3^2 + ... + q^n*x_n^2.
208-
* The API computes q as square of the r challenge (`r^2`).
204+
* <n_vec, n_vec>_mu + <c_vec, l_vec> = v for some commitment
205+
* C = v*G + <n_vec, G_vec> + <l_vec, H_vec>. <x, x>_mu is the weighted inner
206+
* product of x with itself, where the weights are the first n powers of mu.
207+
* <x, x>_mu = mu*x_1^2 + mu^2*x_2^2 + mu^3*x_3^2 + ... + mu^n*x_n^2.
208+
* The API computes mu as square of the r challenge (`r^2`).
209209
*
210210
* The norm argument is not zero knowledge and does not operate on any secret data.
211211
* Thus the following code uses variable time operations while computing the proof.
@@ -222,7 +222,7 @@ static int secp256k1_bppp_rangeproof_norm_product_prove(
222222
unsigned char* proof,
223223
size_t *proof_len,
224224
secp256k1_sha256* transcript, /* Transcript hash of the parent protocol */
225-
const secp256k1_scalar* r,
225+
const secp256k1_scalar* rho,
226226
secp256k1_ge* g_vec,
227227
size_t g_vec_len,
228228
secp256k1_scalar* n_vec,
@@ -232,7 +232,7 @@ static int secp256k1_bppp_rangeproof_norm_product_prove(
232232
secp256k1_scalar* c_vec,
233233
size_t c_vec_len
234234
) {
235-
secp256k1_scalar q_f, r_f = *r;
235+
secp256k1_scalar mu_f, rho_f = *rho;
236236
size_t proof_idx = 0;
237237
ecmult_x_cb_data x_cb_data;
238238
ecmult_r_cb_data r_cb_data;
@@ -259,38 +259,38 @@ static int secp256k1_bppp_rangeproof_norm_product_prove(
259259
r_cb_data.g1 = g_vec;
260260
r_cb_data.l1 = l_vec;
261261
r_cb_data.G_GENS_LEN = G_GENS_LEN;
262-
secp256k1_scalar_sqr(&q_f, &r_f);
262+
secp256k1_scalar_sqr(&mu_f, &rho_f);
263263

264264

265265
while (g_len > 1 || h_len > 1) {
266266
size_t i, num_points;
267-
secp256k1_scalar q_sq, r_inv, c0_l1, c1_l0, x_v, c1_l1, r_v;
267+
secp256k1_scalar mu_sq, rho_inv, c0_l1, c1_l0, x_v, c1_l1, r_v;
268268
secp256k1_gej rj, xj;
269269
secp256k1_ge r_ge, x_ge;
270-
secp256k1_scalar e;
270+
secp256k1_scalar gamma;
271271

272-
secp256k1_scalar_inverse_var(&r_inv, &r_f);
273-
secp256k1_scalar_sqr(&q_sq, &q_f);
272+
secp256k1_scalar_inverse_var(&rho_inv, &rho_f);
273+
secp256k1_scalar_sqr(&mu_sq, &mu_f);
274274

275-
/* Compute the X commitment X = WIP(r_inv*n0,n1)_q2 * g + r<n1,G> + <r_inv*x0, G1> */
275+
/* Compute the X commitment X = WIP(rho_inv*n0,n1)_mu2 * g + r<n1,G> + <rho_inv*x0, G1> */
276276
secp256k1_scalar_inner_product(&c0_l1, c_vec, 0, l_vec, 1, 2, h_len/2);
277277
secp256k1_scalar_inner_product(&c1_l0, c_vec, 1, l_vec, 0, 2, h_len/2);
278-
secp256k1_weighted_scalar_inner_product(&x_v, n_vec, 0, n_vec, 1, 2, g_len/2, &q_sq);
279-
secp256k1_scalar_mul(&x_v, &x_v, &r_inv);
278+
secp256k1_weighted_scalar_inner_product(&x_v, n_vec, 0, n_vec, 1, 2, g_len/2, &mu_sq);
279+
secp256k1_scalar_mul(&x_v, &x_v, &rho_inv);
280280
secp256k1_scalar_add(&x_v, &x_v, &x_v);
281281
secp256k1_scalar_add(&x_v, &x_v, &c0_l1);
282282
secp256k1_scalar_add(&x_v, &x_v, &c1_l0);
283283

284-
x_cb_data.r = &r_f;
285-
x_cb_data.r_inv = &r_inv;
284+
x_cb_data.rho = &rho_f;
285+
x_cb_data.rho_inv = &rho_inv;
286286
x_cb_data.n_len = g_len >= 2 ? g_len : 0;
287287
num_points = x_cb_data.n_len + (h_len >= 2 ? h_len : 0);
288288

289289
if (!secp256k1_ecmult_multi_var(&ctx->error_callback, scratch, &xj, &x_v, ecmult_x_cb, (void*)&x_cb_data, num_points)) {
290290
return 0;
291291
}
292292

293-
secp256k1_weighted_scalar_inner_product(&r_v, n_vec, 1, n_vec, 1, 2, g_len/2, &q_sq);
293+
secp256k1_weighted_scalar_inner_product(&r_v, n_vec, 1, n_vec, 1, 2, g_len/2, &mu_sq);
294294
secp256k1_scalar_inner_product(&c1_l1, c_vec, 1, l_vec, 1, 2, h_len/2);
295295
secp256k1_scalar_add(&r_v, &r_v, &c1_l1);
296296

@@ -314,22 +314,22 @@ static int secp256k1_bppp_rangeproof_norm_product_prove(
314314
secp256k1_bppp_serialize_points(&proof[proof_idx], &x_ge, &r_ge);
315315
proof_idx += 65;
316316

317-
/* Obtain challenge e for the the next round */
317+
/* Obtain challenge gamma for the the next round */
318318
secp256k1_sha256_write(transcript, &proof[proof_idx - 65], 65);
319-
secp256k1_bppp_challenge_scalar(&e, transcript, 0);
319+
secp256k1_bppp_challenge_scalar(&gamma, transcript, 0);
320320

321321
if (g_len > 1) {
322322
for (i = 0; i < g_len; i = i + 2) {
323323
secp256k1_scalar nl, nr;
324324
secp256k1_gej gl, gr;
325-
secp256k1_scalar_mul(&nl, &n_vec[i], &r_inv);
326-
secp256k1_scalar_mul(&nr, &n_vec[i + 1], &e);
325+
secp256k1_scalar_mul(&nl, &n_vec[i], &rho_inv);
326+
secp256k1_scalar_mul(&nr, &n_vec[i + 1], &gamma);
327327
secp256k1_scalar_add(&n_vec[i/2], &nl, &nr);
328328

329329
secp256k1_gej_set_ge(&gl, &g_vec[i]);
330-
secp256k1_ecmult(&gl, &gl, &r_f, NULL);
330+
secp256k1_ecmult(&gl, &gl, &rho_f, NULL);
331331
secp256k1_gej_set_ge(&gr, &g_vec[i + 1]);
332-
secp256k1_ecmult(&gr, &gr, &e, NULL);
332+
secp256k1_ecmult(&gr, &gr, &gamma, NULL);
333333
secp256k1_gej_add_var(&gl, &gl, &gr, NULL);
334334
secp256k1_ge_set_gej_var(&g_vec[i/2], &gl);
335335
}
@@ -339,22 +339,22 @@ static int secp256k1_bppp_rangeproof_norm_product_prove(
339339
for (i = 0; i < h_len; i = i + 2) {
340340
secp256k1_scalar temp1;
341341
secp256k1_gej grj;
342-
secp256k1_scalar_mul(&temp1, &c_vec[i + 1], &e);
342+
secp256k1_scalar_mul(&temp1, &c_vec[i + 1], &gamma);
343343
secp256k1_scalar_add(&c_vec[i/2], &c_vec[i], &temp1);
344344

345-
secp256k1_scalar_mul(&temp1, &l_vec[i + 1], &e);
345+
secp256k1_scalar_mul(&temp1, &l_vec[i + 1], &gamma);
346346
secp256k1_scalar_add(&l_vec[i/2], &l_vec[i], &temp1);
347347

348348
secp256k1_gej_set_ge(&grj, &g_vec[G_GENS_LEN + i + 1]);
349-
secp256k1_ecmult(&grj, &grj, &e, NULL);
349+
secp256k1_ecmult(&grj, &grj, &gamma, NULL);
350350
secp256k1_gej_add_ge_var(&grj, &grj, &g_vec[G_GENS_LEN + i], NULL);
351351
secp256k1_ge_set_gej_var(&g_vec[G_GENS_LEN + i/2], &grj);
352352
}
353353
}
354354
g_len = g_len / 2;
355355
h_len = h_len / 2;
356-
r_f = q_f;
357-
q_f = q_sq;
356+
rho_f = mu_f;
357+
mu_f = mu_sq;
358358
}
359359

360360
secp256k1_scalar_get_b32(&proof[proof_idx], &n_vec[0]);
@@ -367,7 +367,7 @@ static int secp256k1_bppp_rangeproof_norm_product_prove(
367367
typedef struct ec_mult_verify_cb_data1 {
368368
const unsigned char *proof;
369369
const secp256k1_ge *commit;
370-
const secp256k1_scalar *challenges;
370+
const secp256k1_scalar *gammas;
371371
} ec_mult_verify_cb_data1;
372372

373373
static int ec_mult_verify_cb1(secp256k1_scalar *sc, secp256k1_ge *pt, size_t idx, void *cbdata) {
@@ -381,7 +381,7 @@ static int ec_mult_verify_cb1(secp256k1_scalar *sc, secp256k1_ge *pt, size_t idx
381381
if (idx % 2 == 0) {
382382
unsigned char pk_buf[33];
383383
idx /= 2;
384-
*sc = data->challenges[idx];
384+
*sc = data->gammas[idx];
385385
pk_buf[0] = 2 | (data->proof[65*idx] >> 1);
386386
memcpy(&pk_buf[1], &data->proof[65*idx + 1], 32);
387387
if (!secp256k1_eckey_pubkey_parse(pt, pk_buf, sizeof(pk_buf))) {
@@ -393,7 +393,7 @@ static int ec_mult_verify_cb1(secp256k1_scalar *sc, secp256k1_ge *pt, size_t idx
393393
idx /= 2;
394394
secp256k1_scalar_set_int(&neg_one, 1);
395395
secp256k1_scalar_negate(&neg_one, &neg_one);
396-
*sc = data->challenges[idx];
396+
*sc = data->gammas[idx];
397397
secp256k1_scalar_sqr(sc, sc);
398398
secp256k1_scalar_add(sc, sc, &neg_one);
399399
pk_buf[0] = 2 | data->proof[65*idx];
@@ -432,15 +432,15 @@ static int secp256k1_bppp_rangeproof_norm_product_verify(
432432
const unsigned char* proof,
433433
size_t proof_len,
434434
secp256k1_sha256* transcript,
435-
const secp256k1_scalar* r,
435+
const secp256k1_scalar* rho,
436436
const secp256k1_bppp_generators* g_vec,
437437
size_t g_len,
438438
const secp256k1_scalar* c_vec,
439439
size_t c_vec_len,
440440
const secp256k1_ge* commit
441441
) {
442-
secp256k1_scalar r_f, q_f, v, n, l, r_inv, h_c;
443-
secp256k1_scalar *es, *s_g, *s_h, *r_inv_pows;
442+
secp256k1_scalar rho_f, mu_f, v, n, l, rho_inv, h_c;
443+
secp256k1_scalar *gammas, *s_g, *s_h, *rho_inv_pows;
444444
secp256k1_gej res1, res2;
445445
size_t i = 0, scratch_checkpoint;
446446
int overflow;
@@ -467,69 +467,69 @@ static int secp256k1_bppp_rangeproof_norm_product_verify(
467467
if (overflow) return 0;
468468
secp256k1_scalar_set_b32(&l, &proof[n_rounds*65 + 32], &overflow); /* l */
469469
if (overflow) return 0;
470-
if (secp256k1_scalar_is_zero(r)) return 0;
470+
if (secp256k1_scalar_is_zero(rho)) return 0;
471471

472-
/* Collect the challenges in a new vector */
472+
/* Collect the gammas in a new vector */
473473
scratch_checkpoint = secp256k1_scratch_checkpoint(&ctx->error_callback, scratch);
474-
es = (secp256k1_scalar*)secp256k1_scratch_alloc(&ctx->error_callback, scratch, n_rounds * sizeof(secp256k1_scalar));
474+
gammas = (secp256k1_scalar*)secp256k1_scratch_alloc(&ctx->error_callback, scratch, n_rounds * sizeof(secp256k1_scalar));
475475
s_g = (secp256k1_scalar*)secp256k1_scratch_alloc(&ctx->error_callback, scratch, g_len * sizeof(secp256k1_scalar));
476476
s_h = (secp256k1_scalar*)secp256k1_scratch_alloc(&ctx->error_callback, scratch, h_len * sizeof(secp256k1_scalar));
477-
r_inv_pows = (secp256k1_scalar*)secp256k1_scratch_alloc(&ctx->error_callback, scratch, log_g_len * sizeof(secp256k1_scalar));
478-
if (es == NULL || s_g == NULL || s_h == NULL || r_inv_pows == NULL) {
477+
rho_inv_pows = (secp256k1_scalar*)secp256k1_scratch_alloc(&ctx->error_callback, scratch, log_g_len * sizeof(secp256k1_scalar));
478+
if (gammas == NULL || s_g == NULL || s_h == NULL || rho_inv_pows == NULL) {
479479
secp256k1_scratch_apply_checkpoint(&ctx->error_callback, scratch, scratch_checkpoint);
480480
return 0;
481481
}
482482

483-
/* Compute powers of r_inv. Later used in g_factor computations*/
484-
secp256k1_scalar_inverse_var(&r_inv, r);
485-
secp256k1_bppp_powers_of_r(r_inv_pows, &r_inv, log_g_len);
483+
/* Compute powers of rho_inv. Later used in g_factor computations*/
484+
secp256k1_scalar_inverse_var(&rho_inv, rho);
485+
secp256k1_bppp_powers_of_rho(rho_inv_pows, &rho_inv, log_g_len);
486486

487-
/* Compute r_f = r^(2^log_g_len) */
488-
r_f = *r;
487+
/* Compute rho_f = rho^(2^log_g_len) */
488+
rho_f = *rho;
489489
for (i = 0; i < log_g_len; i++) {
490-
secp256k1_scalar_sqr(&r_f, &r_f);
490+
secp256k1_scalar_sqr(&rho_f, &rho_f);
491491
}
492492

493493
for (i = 0; i < n_rounds; i++) {
494-
secp256k1_scalar e;
494+
secp256k1_scalar gamma;
495495
secp256k1_sha256_write(transcript, &proof[i * 65], 65);
496-
secp256k1_bppp_challenge_scalar(&e, transcript, 0);
497-
es[i] = e;
496+
secp256k1_bppp_challenge_scalar(&gamma, transcript, 0);
497+
gammas[i] = gamma;
498498
}
499-
/* s_g[0] = n * \prod_{j=0}^{log_g_len - 1} r^(2^j)
500-
* = n * r^(2^log_g_len - 1)
501-
* = n * r_f * r_inv */
502-
secp256k1_scalar_mul(&s_g[0], &n, &r_f);
503-
secp256k1_scalar_mul(&s_g[0], &s_g[0], &r_inv);
499+
/* s_g[0] = n * \prod_{j=0}^{log_g_len - 1} rho^(2^j)
500+
* = n * rho^(2^log_g_len - 1)
501+
* = n * rho_f * rho_inv */
502+
secp256k1_scalar_mul(&s_g[0], &n, &rho_f);
503+
secp256k1_scalar_mul(&s_g[0], &s_g[0], &rho_inv);
504504
for (i = 1; i < g_len; i++) {
505505
size_t log_i = secp256k1_bppp_log2(i);
506506
size_t nearest_pow_of_two = (size_t)1 << log_i;
507-
/* This combines the two multiplications of challenges and r_invs in a
507+
/* This combines the two multiplications of gammas and rho_invs in a
508508
* single loop.
509509
* s_g[i] = s_g[i - nearest_pow_of_two]
510-
* * e[log_i] * r_inv^(2^log_i) */
511-
secp256k1_scalar_mul(&s_g[i], &s_g[i - nearest_pow_of_two], &es[log_i]);
512-
secp256k1_scalar_mul(&s_g[i], &s_g[i], &r_inv_pows[log_i]);
510+
* * e[log_i] * rho_inv^(2^log_i) */
511+
secp256k1_scalar_mul(&s_g[i], &s_g[i - nearest_pow_of_two], &gammas[log_i]);
512+
secp256k1_scalar_mul(&s_g[i], &s_g[i], &rho_inv_pows[log_i]);
513513
}
514514
s_h[0] = l;
515515
secp256k1_scalar_set_int(&h_c, 0);
516516
for (i = 1; i < h_len; i++) {
517517
size_t log_i = secp256k1_bppp_log2(i);
518518
size_t nearest_pow_of_two = (size_t)1 << log_i;
519-
secp256k1_scalar_mul(&s_h[i], &s_h[i - nearest_pow_of_two], &es[log_i]);
519+
secp256k1_scalar_mul(&s_h[i], &s_h[i - nearest_pow_of_two], &gammas[log_i]);
520520
}
521521
secp256k1_scalar_inner_product(&h_c, c_vec, 0 /* a_offset */ , s_h, 0 /* b_offset */, 1 /* step */, h_len);
522-
/* Compute v = n*n*q_f + l*h_c where q_f = r_f^2 */
523-
secp256k1_scalar_sqr(&q_f, &r_f);
522+
/* Compute v = n*n*mu_f + l*h_c where mu_f = rho_f^2 */
523+
secp256k1_scalar_sqr(&mu_f, &rho_f);
524524
secp256k1_scalar_mul(&v, &n, &n);
525-
secp256k1_scalar_mul(&v, &v, &q_f);
525+
secp256k1_scalar_mul(&v, &v, &mu_f);
526526
secp256k1_scalar_add(&v, &v, &h_c);
527527

528528
{
529529
ec_mult_verify_cb_data1 data;
530530
data.proof = proof;
531531
data.commit = commit;
532-
data.challenges = es;
532+
data.gammas = gammas;
533533

534534
if (!secp256k1_ecmult_multi_var(&ctx->error_callback, scratch, &res1, NULL, ec_mult_verify_cb1, &data, 2*n_rounds + 1)) {
535535
secp256k1_scratch_apply_checkpoint(&ctx->error_callback, scratch, scratch_checkpoint);

0 commit comments

Comments
 (0)