Implementing the rangeproof part is challenging. Here are some notes about the use of rangeproofs in grin-wallet. It can contain faults or inconsistencies and it is certainly incomplete.
There is some previous work done on rangeproofs in Monero
There is a publication on a Monero Trezor implementation
Monero has switched to BP++.
There is also the Beam HW wallet implementation.
I haven’t studied these implementations in depth yet.
If someone knows related work regarding implementations of Bulletproofs on Ledger/Trezor, let me know.
In the following, I will give some comments on the rangeproof code, as it is used in Grin.
Other interesting parts in the Wallet layer:
Now for the bulletproof algorithm itself:
It derives a secret key, using the secp256k1 curve. (grin/proof.rs at 1b8acee72e7a4236cdf8561a7af5f894bfe11985 · mimblewimble/grin · GitHub) This should happen on the HW.
The private nonce is created using this method: grin/proof.rs at 1b8acee72e7a4236cdf8561a7af5f894bfe11985 · mimblewimble/grin · GitHub Likely this must happen on the HW (I’m not sure).
It then calls secp.bullet_proof(), using the FFI and the secp256k1 library. GitHub - mimblewimble/rust-secp256k1-zkp: ZKP fork for rust-secp256k1, adds wrappers for range proofs, pedersen commitments, etc
pub fn range_proof() rust-secp256k1-zkp/pedersen.rs at 4128f64505143859c48fab04158c25127a2a9858 · mimblewimble/rust-secp256k1-zkp · GitHub
ffi::secp256k1_rangeproof_sign() called: rust-secp256k1-zkp/pedersen.rs at 4128f64505143859c48fab04158c25127a2a9858 · mimblewimble/rust-secp256k1-zkp · GitHub
int secp256k1_rangeproof_sign() (secp256k1-zkp/main_impl.h at 8d1f5bb152580446a3438cd705caebacc2a5d850 · mimblewimble/secp256k1-zkp · GitHub) acts mainly as a checker for the arguments, to call secp256k1_rangeproof_prove(). blind is here the secret key. The normal case, with tau_x, t_one, t_two and commits equal to NULL, seems to be the simplest case.
secp256k1_rangeproof_prove() is here: secp256k1-zkp/main_impl.h at 8d1f5bb152580446a3438cd705caebacc2a5d850 · mimblewimble/secp256k1-zkp · GitHub
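As an added illustration (not code from grin or secp256k1-zkp) of why the blind passed to secp256k1_rangeproof_sign() is the secret key: a pure-Python Pedersen commitment on secp256k1, where a commitment to value 0 is just blind*G, i.e. the public key of the blind. The second generator H is an assumed placeholder lifted from a hash, not the generator libsecp256k1-zkp actually uses; the point arithmetic is a textbook affine implementation.

```python
import hashlib

P = 2**256 - 2**32 - 977  # secp256k1 field prime (standard constant)
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(p1, p2):
    """Affine point addition; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return None
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def mul(k, pt):
    """Double-and-add scalar multiplication (not constant time; demo only)."""
    r = None
    while k:
        if k & 1:
            r = add(r, pt)
        pt = add(pt, pt)
        k >>= 1
    return r

def nums_generator(seed):
    """Assumed second generator H: hash the seed and lift x onto the curve.
    Placeholder only; libsecp256k1-zkp derives its H differently."""
    x = int.from_bytes(hashlib.sha256(seed).digest(), "big") % P
    while True:
        rhs = (pow(x, 3, P) + 7) % P
        y = pow(rhs, (P + 1) // 4, P)  # square root, valid because P % 4 == 3
        if y * y % P == rhs:
            return (x, y)
        x = (x + 1) % P

H = nums_generator(b"grin-demo-H")  # constructed seed, not a real parameter

def commit(value, blind):
    """Pedersen commitment C = blind*G + value*H. The blind is the secret key:
    whoever knows it can open C, so it should never leave the HW."""
    return add(mul(blind % N, G), mul(value % N, H))
```

Commitments are additively homomorphic, which is what lets the wallet layer sum inputs and outputs while the HW keeps the blinds.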
This note is certainly incomplete, especially the analysis of the Bulletproof algorithm itself.
The question I have is how to offload the part which uses the secret nonce and blinding factor to the HW. Perhaps studying related work will help here. If there are suggestions, they are very welcome.