Merge #1038: PSET: Fix blinded coinjoins with 3 or more parties

3ac7e78 pset, rpc: Better error messages for imbalance failure conditions (Andrew Chow)
b2a7007 pset: verify blind value and asset proofs when signing (Andrew Chow)
a7ef9f3 pset, test: Test a PSET coinjoin workflow (Andrew Chow)
ac580db pset, rpc: Do not fail walletprocesspsbt if missing utxos when blinding (Andrew Chow)
9f94966 pset: Allow GetUnsignedTx to force unblinded values (Andrew Chow)
f9f084f pset: Add missing fields to merging and fix combinepsbt (Andrew Chow)
59f65a3 rpc, pset: Include blinded value and asset proofs in decodepsbt (Andrew Chow)
941c54f pset: Create explicit value and asset proofs during blinding (Andrew Chow)
63c007d pset: blind commitment proofs de/ser (Andrew Chow)
b9a08f3 doc, pset: Add blind commitment proofs (Andrew Chow)
9856f2c pset, doc: Remove requirement to remove blinded amounts and assets (Andrew Chow)
37c925f pset: Do not remove amounts after blinding (Andrew Chow)

Pull request description:

  In order for blinded coinjoins with 3 or more parties to work, some fields need to be added, amounts cannot be removed, and some bugs need fixing.

  First and foremost is to no longer remove amounts after blinding. Due to a miscommunication, I had believed that part of the goal of PSET was to hide semi private information (such as output amounts) from other parties in the transaction. However this causes the combiner to fail because the unique ID is dependent on those amounts and their commitments. If multiple parties had blinded just their own outputs, then the resulting PSETs would not combine because the amounts had be removed and so the unique ID calculated was incorrect. In order for this combining to work, amounts must be kept after blinding and the unique ID calculation must only use the computed unblinded transaction. This change has also been made to the spec document.

  Second is the addition of explicit value and asset proofs. In order to prove that the commitments commit to the given explicit value or asset, explicit value rangeproofs and explicit asset surjection proofs are added to PSET. Each blinded output must have an explicit value rangeproof and explict asset surjection proof after blinding. For issuances, explicit issuance value proofs and explicit reissuance value proofs must be added after blinding. These proofs are verified prior to signing.

  Thirdly, in order to make the coinjoin workflow work, a `blind` option is added `walletprocesspsbt` so that users can tell `walletprocesspsbt` to not attempt to blind. This is important because blinding requires all UTXOs to be present, and UTXOs can only be added via a call to `walletprocesspsbt`. Error messages have been added and improved so that users who do things in the wrong order will be less likely to end up with an unusable PSET.

  Lastly, a test case has been added for a 3 party coinjoin workflow.

  Fixes #1037

ACKs for top commit:
  apoelstra:
    ACK 3ac7e78

Tree-SHA512: b1fd848c72d8dd779b0f0640d9321b8085d62db494d25f81e3ec90e43c4a4edbe537dec404d8170a7ad057027c07f2b948980907d0849da693b2ca1bf0cf81f6

Author: apoelstra

doc/pset.mediawiki

@@ -84,7 +84,7 @@ The currently defined elements per-input proprietary types are as folows:
 | None
 | No key data
 | <tt><64-bit int></tt>
-| The explicit little endian 64-bit integer for the value of this issuance. This is mutually exclusive with <tt>PSBT_ELEMENTS_IN_ISSUANCE_VALUE_COMMITMENT</tt>
+| The explicit little endian 64-bit integer for the value of this issuance.
 |
 | 0
 | 2
@@ -94,7 +94,7 @@ The currently defined elements per-input proprietary types are as folows:
 | None
 | No key data
 | <tt><33 byte commitment></tt>
-| The 33 byte Value Commitment. This is mutually exclusive with <tt>PSBT_IN_ISSUANCE_VALUE</tt>.
+| The 33 byte Value Commitment. If provided, <tt>PSBT_ELEMENTS_IN_ISSUANCE_BLIND_VALUE_PROOF</tt> must be provided too.
 |
 | 0
 | 2
@@ -184,7 +184,7 @@ The currently defined elements per-input proprietary types are as folows:
 | None
 | No key data
 | <tt><64-bit int></tt>
-| The value for the inflation keys output to set in this issuance. This is mutually exclusive with <tt>PSBT_ELEMENTS_IN_ISSUANCE_INFLATION_KEYS</tt>.
+| The value for the inflation keys output to set in this issuance.
 |
 | 0
 | 2
@@ -194,7 +194,7 @@ The currently defined elements per-input proprietary types are as folows:
 | None
 | No key data
 | <tt><33 byte commitment></tt>
-| The 33 byte commitment to the inflation keys output value in this issuance. This is mutually exclusive with <tt>PSBT_ELEMENTS_IN_ISSUANCE_INFLATION_KEYS</tt>
+| The 33 byte commitment to the inflation keys output value in this issuance. If provided, <tt>PSBT_ELEMENTS_IN_ISSUANCE_BLIND_INFLATION_KEYS_PROOF</tt> must be provided too.
 |
 | 0
 | 2
@@ -228,6 +228,26 @@ The currently defined elements per-input proprietary types are as folows:
 |
 | 0
 | 2
+|-
+| Issuance Blind Value Proof
+| <tt>PSBT_ELEMENTS_IN_ISSUANCE_BLIND_VALUE_PROOF = 0x0f</tt>
+| None
+| No key data
+| <tt><rangeproof></tt>
+| An explicit value rangeproof that proves that the value commitment in <tt>PSBT_ELEMENTS_IN_ISSUANCE_VALUE_COMMITMENT</tt> matches the explicit value in <tt>PSBT_ELEMENTS_IN_ISSUANCE_VALUE</tt>. If provided, <tt>PSBT_ELEMENTS_IN_ISSUANCE_VALUE_COMMITMENT</tt> must be provided too.
+|
+| 0
+| 2
+|-
+| Issuance Inflation Keys Blind Value Proof
+| <tt>PSBT_ELEMENTS_IN_ISSUANCE_BLIND_INFLATION_KEYS_PROOF = 0x10</tt>
+| None
+| No key data
+| <tt><rangeproof></tt>
+| An explicit value rangeproof that proves that the value commitment in <tt>PSBT_ELEMENTS_IN_ISSUANCE_INFLATION_KEYS_COMMITMENT</tt> matches the explicit value in <tt>PSBT_ELEMENTS_IN_ISSUANCE_INFLATION_KEYS</tt>. If provided, <tt>PSBT_ELEMENTS_IN_ISSUANCE_INFLATION_KEYS_COMMITMENT</tt> must be provided too.
+|
+| 0
+| 2
 |}
 
 The currently defined elements per-output proprietary types are as follows:
@@ -248,7 +268,7 @@ The currently defined elements per-output proprietary types are as follows:
 | None
 | No key data
 | <tt><33 byte commitment></tt>
-| The 33 byte Value Commitment for this output. This is mutually exclusive with <tt>PSBT_OUT_VALUE</tt>.
+| The 33 byte Value Commitment for this output. If provided, <tt>PSBT_ELEMENTS_OUT_BLIND_VALUE_PROOF</tt> must be provided too.
 |
 | 0
 | 2
@@ -258,7 +278,7 @@ The currently defined elements per-output proprietary types are as follows:
 | None
 | No key data
 | <tt><32 byte asset tag></tt>
-| The explicit 32 byte asset tag for this output. This is mutually exclusive with <tt>PSBT_ELEMENTS_OUT_ASSET_COMMITMENT</tt>.
+| The explicit 32 byte asset tag for this output.
 |
 | 0
 | 2
@@ -268,7 +288,7 @@ The currently defined elements per-output proprietary types are as follows:
 | None
 | No key data
 | <tt><33 byte commitment></tt>
-| The 33 byte Asset Commitment for this output. This is mutually exclusive with <tt>PSBT_ELEMENTS_OUT_ASSET</tt>.
+| The 33 byte Asset Commitment for this output. If provided, <tt>PSBT_ELEMENTS_OUT_BLIND_ASSET_PROOF</tt> must be provided too.
 |
 | 0
 | 2
@@ -322,10 +342,27 @@ The currently defined elements per-output proprietary types are as follows:
 |
 | 0
 | 2
+|-
+| Blind Value Proof
+| <tt>PSBT_ELEMENTS_OUT_BLIND_VALUE_PROOF = 0x09</tt>
+| None
+| No key data
+| <tt><rangeproof></tt>
+| An explicit value rangeproof that proves that the value commitment in <tt>PSBT_ELEMENTS_OUT_VALUE_COMMITMENT</tt> matches the explicit value in <tt>PSBT_OUT_VALUE</tt>. If provided, <tt>PSBT_ELEMENTS_OUT_VALUE_COMMITMENT</tt> must be provided too.
+|
+| 0
+| 2|-
+| Blind Asset Proof
+| <tt>PSBT_ELEMENTS_OUT_BLIND_ASSET_PROOF = 0x0a</tt>
+| None
+| No key data
+| <tt><proof></tt>
+| An asset surjection proof with this output's asset as the only asset in the input set in order to prove that the asset commitment in <tt>PSBT_ELEMENTS_OUT_ASSET_COMMITMENT</tt> matches the explicit asset in <tt>PSBT_ELEMENTS_OUT_ASSET</tt>. If provided, <tt>PSBT_ELEMENTS_OUT_ASSET_COMMITMENT</tt> must be provided too.
+|
+| 0
+| 2
 |}
 
-In addition to these new types, the <tt>PSBT_OUT_AMOUNT</tt> field is no longer required so long as <tt>PSBT_ELEMENTS_OUT_VALUE_COMMITMENT</tt> is present.
-
 The PSET Magic Bytes are <tt>0x70736574</tt>
 
 ===Handling Duplicated Keys===
@@ -373,16 +410,15 @@ A single entity is likely to be both a Creator and Updater.
 PSET requires a role not present in PSBT, the Blinder. Blinders are similar to Signers and own inputs.
 The Blinder adds the blinding data to a transaction.
 
-If Bit 0 of <tt>PSBT_ELEMENTS_GLOBAL_TX_MODIFIABLE</tt> is 0, the Blinder must do nothing.
-
 For issuance inputs that belong to the Blinder, the Blinder should generate a random blinding factor and create a value commitment for the issuance value.
-It will then add the value commitment in the <tt>PSBT_ELEMENTS_IN_ISSUANCE_VALUE_COMMITMENT</tt>. When it does so, it must remove the <tt>PSBT_ELEMENTS_IN_ISSUANCE_VALUE</tt> field.
+It will then add the value commitment in the <tt>PSBT_ELEMENTS_IN_ISSUANCE_VALUE_COMMITMENT</tt>.
 The blinder will also add the issuance value rangeproof and the issuance keys rangeproof in their respective fields.
+The blinder will also add the issuance blind value and issuance keys blind value proofs in their respective fields.
 For ease of identifying the blinder for an issuance, the input the issuance is attached to must belong to the blinder for the issuance.
 
 For the Blinder's outputs that are to be blinded (i.e. they have a blinding pubkey), the Blinder will create value and asset commitments and put them in their respective fields.
-When they do so, the <tt>PSBT_ELEMENTS_OUT_VALUE</tt> and <tt>PSBT_ELEMENTS_OUT_ASSET</tt> fields must be removed.
 The Blinder will create the Value Rangeproof and Asset Surjection Proof and put them in their respective fields.
+The Blinder will create the blind value and blind asset proofs and put them in their respective fields.
 It will also add the ephemeral pubkey used for ECDH of the nonce for the rangeproof to the <tt>PSBT_ELEMENTS_OUT_ECDH_PUBKEY</tt> field.
 
 The blinder will then compute a scalar offset that will be added as a <tt>PSBT_ELEMENTS_GLOBAL_SCALAR</tt>.
@@ -400,17 +436,13 @@ It will then compute a final scalar offset.
 Then it will subtract all of the scalar offsets from the value blinding factor for the last output and the result is the value blinding factor to be used for that last output.
 The creation of the commitments, proofs, and other fields proceeds as usual.
 Once all outputs are blinded, all <tt>PSBT_ELEMENTS_GLOBAL_SCALAR</tt> fields must be removed from the PSET.
-Once all outputs are blinded, Bit 0 of <tt>PSBT_ELEMENTS_GLOBAL_TX_MODIFIABLE</tt> must be set to 0.
 
 A single entity is likely to be a Creator, Updater, and Blinder.
-In that case, the PSET should never be output with <tt>PSBT_ELEMENTS_IN_ISSUANCE_VALUE</tt>, <tt>PSBT_ELEMENTS_IN_ISSUANCE_INFLATION_KEYS</tt>, <tt>PSBT_ELEMENTS_OUT_VALUE</tt>, or <tt>PSBT_ELEMENTS_OUT_ASSET</tt> except for unblinded issuances and unblinded outputs.
 
 ===Signer===
 
 In addition to the BIP 370 PSBT Signer behavior, PSET specifies some addtional constraints.
 Before signing, the Signer must check whether blinding is complete. If any output contains a blinding pubkey but no commitments or proofs, then it must not sign.
-This is easily done by checking whether Bit 0 of <tt>PSBT_ELEMENTS_GLOBAL_TX_MODIFIABLE</tt> is 1.
-If so, the Signer must do nothing.
 
 ===Combiner===
 

src/blindpsbt.cpp

@@ -29,16 +29,18 @@ std::string GetBlindingStatusError(const BlindingStatus& status)
         return "Computed blinding factor is invalid";
     case BlindingStatus::ASP_UNABLE:
         return "Unable to create an asset surjection proof";
+    case BlindingStatus::NO_BLIND_OUTPUTS:
+        return "Transaction has blind inputs belonging to this blinder but does not have outputs to blind";
     }
     assert(false);
 }
 
 // Create surjection proof
-bool CreateAssetSurjectionProof(std::vector<unsigned char>& output_proof, const std::vector<secp256k1_fixed_asset_tag>& fixed_input_tags, const std::vector<secp256k1_generator>& ephemeral_input_tags, const std::vector<uint256>& input_asset_blinders, const uint256& output_asset_blinder, const secp256k1_generator& output_asset_tag, const CAsset& asset)
+bool CreateAssetSurjectionProof(std::vector<unsigned char>& output_proof, const std::vector<secp256k1_fixed_asset_tag>& fixed_input_tags, const std::vector<secp256k1_generator>& ephemeral_input_tags, const std::vector<uint256>& input_asset_blinders, const uint256& output_asset_blinder, const secp256k1_generator& output_asset_tag, const CAsset& asset, size_t num_targets)
 {
     int ret;
     // 1 to 3 targets
-    size_t inputs_to_select = std::min(MAX_SURJECTION_TARGETS, fixed_input_tags.size());
+    size_t inputs_to_select = std::min(num_targets, fixed_input_tags.size());
     unsigned char randseed[32];
     GetStrongRandBytes(randseed, 32);
     size_t input_index;
@@ -64,6 +66,21 @@ bool CreateAssetSurjectionProof(std::vector<unsigned char>& output_proof, const
     return true;
 }
 
+bool VerifyBlindAssetProof(const std::vector<unsigned char>& proof, const CConfidentialAsset& conf_asset)
+{
+    secp256k1_surjectionproof surj_proof;
+    if (secp256k1_surjectionproof_parse(secp256k1_blind_context, &surj_proof, proof.data(), proof.size()) == 0) {
+        return false;
+    }
+
+    secp256k1_generator gen;
+    if (secp256k1_generator_parse(secp256k1_blind_context, &gen, conf_asset.vchCommitment.data()) == 0) {
+        return false;
+    }
+
+    return secp256k1_surjectionproof_verify(secp256k1_blind_context, &surj_proof, &gen, 1, &gen) == 0;
+}
+
 uint256 GenerateRangeproofECDHKey(CPubKey& ephemeral_pubkey, const CPubKey blinding_pubkey)
 {
     // Generate ephemeral key for ECDH nonce generation
@@ -98,6 +115,43 @@ bool CreateValueRangeProof(std::vector<unsigned char>& rangeproof, const uint256
     return (res == 1);
 }
 
+// Create an explicit value rangeproof which proves that the commitment commits to an explicit value
+bool CreateBlindValueProof(std::vector<unsigned char>& rangeproof, const uint256& value_blinder, const CAmount amount, const secp256k1_pedersen_commitment& value_commit, const secp256k1_generator& gen)
+{
+    // Prep rangeproof
+    size_t rangeproof_len = 5134;
+    rangeproof.resize(rangeproof_len);
+
+    // Generate a new random nonce
+    uint256 nonce;
+    GetStrongRandBytes(nonce.begin(), nonce.size());
+
+    // Make the rangeproof
+    int res = secp256k1_rangeproof_sign(secp256k1_blind_context, rangeproof.data(), &rangeproof_len, /* min_value */ amount, &value_commit, value_blinder.begin(), nonce.begin(), /* exp */ -1, /* min_bits */ 0, amount, /* message */ nullptr, /* message_len */ 0, /* extra_commit */ nullptr, /* extra_commit_len */ 0, &gen);
+    rangeproof.resize(rangeproof_len);
+    return res == 1;
+}
+
+bool VerifyBlindValueProof(CAmount value, const CConfidentialValue& conf_value, const std::vector<unsigned char>& proof, const CConfidentialAsset& conf_asset)
+{
+    secp256k1_pedersen_commitment value_commit;
+    if (secp256k1_pedersen_commitment_parse(secp256k1_blind_context, &value_commit, conf_value.vchCommitment.data()) == 0) {
+        return false;
+    }
+
+    secp256k1_generator gen;
+    if (secp256k1_generator_parse(secp256k1_blind_context, &gen, conf_asset.vchCommitment.data()) == 0) {
+        return false;
+    }
+
+    uint64_t min_value;
+    uint64_t max_value;
+    if (secp256k1_rangeproof_verify(secp256k1_blind_context, &min_value, &max_value, &value_commit, proof.data(), proof.size(), /* extra_commit */ nullptr, /* extra_commit_len */ 0, &gen) == 0) {
+        return false;
+    }
+    return min_value == (uint64_t)value;
+}
+
 void CreateAssetCommitment(CConfidentialAsset& conf_asset, secp256k1_generator& asset_gen, const CAsset& asset, const uint256& asset_blinder)
 {
     conf_asset.vchCommitment.resize(CConfidentialAsset::nCommittedSize);
@@ -310,14 +364,19 @@ BlindingStatus BlindPSBT(PartiallySignedTransaction& psbt, std::map<uint32_t, st
                         bool rangeresult = CreateValueRangeProof(rangeproof, value_blinder, nonce, value, CScript(), value_commit, asset_gen, asset, asset_blinder);
                         assert(rangeresult);
 
+                        // Create explicit value rangeproofs
+                        std::vector<unsigned char> blind_value_proof;
+                        rangeresult = CreateBlindValueProof(blind_value_proof, value_blinder, value, value_commit, asset_gen);
+                        assert(rangeresult);
+
                         if (blind_value) {
                             input.m_issuance_value_commitment = conf_value;
                             input.m_issuance_rangeproof = rangeproof;
-                            input.m_issuance_value = nullopt;
+                            input.m_blind_issuance_value_proof = blind_value_proof;
                         } else {
                             input.m_issuance_inflation_keys_commitment = conf_value;
                             input.m_issuance_inflation_keys_rangeproof = rangeproof;
-                            input.m_issuance_inflation_keys_amount = nullopt;
+                            input.m_blind_issuance_inflation_keys_proof = blind_value_proof;
                         }
                     }
                 }
@@ -327,10 +386,14 @@ BlindingStatus BlindPSBT(PartiallySignedTransaction& psbt, std::map<uint32_t, st
 
     uint256 output_scalar;
     bool did_last_blind = false;
+    int our_blinds = 0;
     for (uint32_t i : to_blind) {
         PSBTOutput& output = psbt.outputs[i];
 
-        if (output.IsFullyBlinded()) continue;
+        if (output.IsFullyBlinded()) {
+            our_blinds++;
+            continue;
+        }
 
         // Check this is our output to blind
         if (output.m_blinder_index == nullopt || our_input_data.count(*output.m_blinder_index) == 0) continue;
@@ -396,30 +459,45 @@ BlindingStatus BlindPSBT(PartiallySignedTransaction& psbt, std::map<uint32_t, st
         bool rangeresult = CreateValueRangeProof(rangeproof, value_blinder, nonce, *output.amount, *output.script, value_commit, asset_generator, asset, asset_blinder);
         assert(rangeresult);
 
+        // Create explicit value rangeproof
+        std::vector<unsigned char> blind_value_proof;
+        rangeresult = CreateBlindValueProof(blind_value_proof, value_blinder, *output.amount, value_commit, asset_generator);
+        assert(rangeresult);
+
         // Create surjection proof for this output
         if (!CreateAssetSurjectionProof(asp, fixed_input_tags, ephemeral_input_tags, input_asset_blinders, asset_blinder, asset_generator, asset)) {
             return BlindingStatus::ASP_UNABLE;
         }
 
+        // Create explicit asset surjection proof
+        std::vector<unsigned char> blind_asset_proof;
+        if (!CreateAssetSurjectionProof(blind_asset_proof, fixed_input_tags, ephemeral_input_tags, input_asset_blinders, asset_blinder, asset_generator, asset, /* num_targets */ 1)) {
+            return BlindingStatus::ASP_UNABLE;
+        }
+
         // Fill output
         output.m_asset_commitment = asset_commitment;
         output.m_value_commitment = value_commitment;
         output.m_ecdh_pubkey = ecdh_key;
         output.m_value_rangeproof = rangeproof;
         output.m_asset_surjection_proof = asp;
+        output.m_blind_value_proof = blind_value_proof;
+        output.m_blind_asset_proof = blind_asset_proof;
 
-        // Drop explicit value and asset
-        output.amount = nullopt;
-        output.m_asset.SetNull();
+        our_blinds++;
     }
 
-    if (!did_last_blind) {
+    // Compute scalar and add to PSBT if it isn't null
+    if (!did_last_blind && !output_scalar.IsNull()) {
         // Subtract input scalar from output scalar
         if (!SubtractScalars(output_scalar, input_scalar)) return BlindingStatus::SCALAR_UNABLE;
-        // Now add the scalar to the PSBT if it isn't null
-        if (!output_scalar.IsNull()) {
-            psbt.m_scalar_offsets.insert(output_scalar);
-        }
+        // Add to PSBT
+        psbt.m_scalar_offsets.insert(output_scalar);
+    }
+
+    // Make sure that we blinded some outputs if we have blinded inputs
+    if (our_input_data.size() > 0 && our_blinds == 0) {
+        return BlindingStatus::NO_BLIND_OUTPUTS;
     }
 
     return BlindingStatus::OK;

src/blindpsbt.h

@@ -26,13 +26,17 @@ enum class BlindingStatus
     SCALAR_UNABLE,
     INVALID_BLINDER,
     ASP_UNABLE,
+    NO_BLIND_OUTPUTS,
 };
 
 std::string GetBlindingStatusError(const BlindingStatus& status);
 
-bool CreateAssetSurjectionProof(std::vector<unsigned char>& output_proof, const std::vector<secp256k1_fixed_asset_tag>& fixed_input_tags, const std::vector<secp256k1_generator>& ephemeral_input_tags, const std::vector<uint256>& input_asset_blinders, const uint256& output_asset_blinder, const secp256k1_generator& output_asset_tag, const CAsset& asset);
+bool CreateAssetSurjectionProof(std::vector<unsigned char>& output_proof, const std::vector<secp256k1_fixed_asset_tag>& fixed_input_tags, const std::vector<secp256k1_generator>& ephemeral_input_tags, const std::vector<uint256>& input_asset_blinders, const uint256& output_asset_blinder, const secp256k1_generator& output_asset_tag, const CAsset& asset, size_t num_targets = MAX_SURJECTION_TARGETS);
+bool VerifyBlindAssetProof(const std::vector<unsigned char>& proof, const CConfidentialAsset& conf_asset);
 uint256 GenerateRangeproofECDHKey(CPubKey& ephemeral_pubkey, const CPubKey blinding_pubkey);
 bool CreateValueRangeProof(std::vector<unsigned char>& rangeproof, const uint256& value_blinder, const uint256& nonce, const CAmount amount, const CScript& scriptPubKey, const secp256k1_pedersen_commitment& value_commit, const secp256k1_generator& gen, const CAsset& asset, const uint256& asset_blinder);
+bool CreateBlindValueProof(std::vector<unsigned char>& rangeproof, const uint256& value_blinder, const CAmount amount, const secp256k1_pedersen_commitment& value_commit, const secp256k1_generator& gen);
+bool VerifyBlindValueProof(CAmount value, const CConfidentialValue& conf_value, const std::vector<unsigned char>& proof, const CConfidentialAsset& conf_asset);
 void CreateAssetCommitment(CConfidentialAsset& conf_asset, secp256k1_generator& asset_gen, const CAsset& asset, const uint256& asset_blinder);
 void CreateValueCommitment(CConfidentialValue& conf_value, secp256k1_pedersen_commitment& value_commit, const uint256& value_blinder, const secp256k1_generator& asset_gen, const CAmount amount);
 BlindingStatus BlindPSBT(PartiallySignedTransaction& psbt, std::map<uint32_t, std::tuple<CAmount, CAsset, uint256, uint256>> our_input_data, std::map<uint32_t, std::pair<CKey, CKey>> our_issuances_to_blind);