1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77

/* This file is part of DarkFi (https://dark.fi)
 *
 * Copyright (C) 2020-2024 Dyne.org foundation
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU Affero General Public License as
 * published by the Free Software Foundation, either version 3 of the
 * License, or (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU Affero General Public License for more details.
 *
 * You should have received a copy of the GNU Affero General Public License
 * along with this program.  If not, see <https://www.gnu.org/licenses/>.
 */

use halo2_gadgets::ecc::chip::FixedPoint;
use pasta_curves::{arithmetic::CurveExt, pallas};

use super::{
    blind::ScalarBlind,
    constants::{
        fixed_bases::{
            VALUE_COMMITMENT_PERSONALIZATION, VALUE_COMMITMENT_R_BYTES, VALUE_COMMITMENT_V_BYTES,
        },
        NullifierK,
    },
    util::fp_mod_fv,
};

/// Pedersen commitment for a full-width base field element.
#[allow(non_snake_case)]
pub fn pedersen_commitment_base(value: pallas::Base, blind: ScalarBlind) -> pallas::Point {
    let hasher = pallas::Point::hash_to_curve(VALUE_COMMITMENT_PERSONALIZATION);
    let V = NullifierK.generator();
    let R = hasher(&VALUE_COMMITMENT_R_BYTES);

    V * fp_mod_fv(value) + R * blind.inner()
}

/// Pedersen commitment for a 64-bit value, in the base field.
#[allow(non_snake_case)]
pub fn pedersen_commitment_u64(value: u64, blind: ScalarBlind) -> pallas::Point {
    let hasher = pallas::Point::hash_to_curve(VALUE_COMMITMENT_PERSONALIZATION);
    let V = hasher(&VALUE_COMMITMENT_V_BYTES);
    let R = hasher(&VALUE_COMMITMENT_R_BYTES);

    V * fp_mod_fv(pallas::Base::from(value)) + R * blind.inner()
}

#[cfg(test)]
mod tests {
    use super::*;

    #[test]
    fn pedersen_commitment() {
        let a_value = pallas::Base::from(10);
        let a_blind = ScalarBlind::from(11);
        let b_value = pallas::Base::from(20);
        let b_blind = ScalarBlind::from(21);

        assert_eq!(
            pedersen_commitment_base(a_value, a_blind) + pedersen_commitment_base(b_value, b_blind),
            pedersen_commitment_base(a_value + b_value, &a_blind + &b_blind)
        );

        let a_value = 10;
        let b_value = 20;

        assert_eq!(
            pedersen_commitment_u64(a_value, a_blind) + pedersen_commitment_u64(b_value, b_blind),
            pedersen_commitment_u64(a_value + b_value, &a_blind + &b_blind)
        );
    }
}