Beispiel #1
0
def MLSAG_Ver(pk, I, c0, s):
    rows = len(pk[0])
    cols = len(pk)
    print("verifying MG sig of dimensions ", rows, "x ", cols)
    c = [None] * (cols + 1)
    c[0] = c0
    L = keyMatrix(rows, cols)
    R = keyMatrix(rows, cols)
    m = ''.join(pk[0])
    for i in range(1, cols):
        m = m + ''.join(pk[i])
    i = 0
    while i < cols:
        L[i] = [
            MiniNero.addKeys1(s[i][j], c[i], pk[i][j]) for j in range(0, rows)
        ]

        Hi = hashKeyVector(pk[i])
        R[i] = [
            MiniNero.addKeys2(s[i][j], Hi[j], c[i], I[j])
            for j in range(0, rows)
        ]

        oldi = i
        i = i + 1
        c[i] = MiniNero.cn_fast_hash(m + ''.join(L[oldi]) + ''.join(R[oldi]))
    print("L", L)
    print("R", R)
    print("c", c)

    return (c0 == c[cols])
Beispiel #2
0
def genRCTSig(sk_x, sk_in, sk_out, Pk, CIn, COut, ExpIn, ExpOut, index):
    #sk_x is private keys of addresses (vector)
    #sk_in is masks of input commitments (vector)
    #sk_out is masks of output commitments (vector)
    #Pk is public key list (2d array)
    #CIn is input commitments (2d array)
    #COut is output commitments (vector)
    #ExpIn is exponents for the input commitments (2d array)
    #so each row of this is going to correspond to a column in the actual mlsag..
    #ExpOut is exponents for the output commitments
    #index is the secret index
    sk = sk_x[:]
    sk.append(
        MiniNero.sc_sub_keys(MiniNero.sc_add(sk_in, ExpIn[index]),
                             MiniNero.sc_add(sk_out, ExpOut)))
    CRow = [None] * len(CIn)  #commitments row of public keys Cin - Cout
    COutSum = sumCiExp(COut, ExpOut)  #Cout1*10^i_1 + Cout2 * 10^{i_2}..
    tmp = MiniNero.identity()
    pk = [None] * (len(sk_x) + 1)  #generalize later...
    pk[0] = Pk
    for i in range(0, len(CIn)):
        CRow[i] = MiniNero.subKeys(sumCiExp(CIn[i], ExpIn[i]), COutSum)
    pk[1] = CRow
    II, cc, ssVal = MLSAG.MLSAG_Sign(pk, sk, index)
    return pk, II, cc, ssVal
Beispiel #3
0
def sumCiExp(Cis, Exp):
    #Cis is a vector
    #Exp is a vector
    CSum = MiniNero.identity()
    for i in range(0, len(Cis)):
        CSum = MiniNero.addKeys(CSum, MiniNero.scalarmultKey(Cis[i], MiniNero.intToHex(10 ** Exp[i])))
    return CSum
Beispiel #4
0
def MLSAG_Ver(pk, I, c0, s ):
    rows = len(pk)
    cols = len(pk[0])
    print("verifying MG sig of dimensions ",rows ,"x ", cols)
    c= [None] * (cols + 1)
    c[0] = c0
    L = keyMatrix(rows, cols)
    R = keyMatrix(rows, cols)
    m = ''.join(pk[0])
    for i in range(1, cols):
        m = m + ''.join(pk[i])
    i = 0
    while i < cols:
        L[i] = [MiniNero.addKeys1(s[i][j], c[i], pk[i][j]) for j in range(0, rows)]

        Hi = hashKeyVector(pk[i])
        R[i] = [MiniNero.addKeys2( s[i][j], Hi[j], c[i], I[j]) for j in range(0, rows)]

        oldi = i
        i = i + 1
        c[i] = MiniNero.cn_fast_hash(m+''.join(L[oldi]) + ''.join(R[oldi]))
    print("L", L)
    print("R", R) 
    print("c", c)

    return (c0 == c[cols])
Beispiel #5
0
def getHForCT():
    return "8b655970153799af2aeadc9ff1add0ea6c7251d54154cfa92c173a0dd39c1f94"
    A = MiniNero.publicFromInt(1)
    H = MiniNero.hashToPoint_ct(A)
    Translator.hexToC(H) 
    print(H)
    return H
Beispiel #6
0
def keyImage(x, rows):
    HP = keyVector(rows)
    KeyImage = keyVector(rows)
    for i in range(0, rows):
      HP[i] = MiniNero.hashToPoint_cn(MiniNero.scalarmultBase(x[i]))
      KeyImage[i] = MiniNero.scalarmultKey(HP[i], x[i])
    return KeyImage
Beispiel #7
0
def getHForCT():
    return "8b655970153799af2aeadc9ff1add0ea6c7251d54154cfa92c173a0dd39c1f94"
    A = MiniNero.publicFromInt(1)
    H = MiniNero.hashToPoint_ct(A)
    Translator.hexToC(H)
    print(H)
    return H
Beispiel #8
0
def keyImageV(x):
    #takes as input a keyvector, returns the keyimage-vector
    return [
        MiniNero.scalarmultKey(
            MiniNero.hashToPointCN(MiniNero.scalarmultBase(xx)), xx)
        for xx in x
    ]
Beispiel #9
0
def importMM(wordlist):
    print("for testing purposes only!")
    sk = MiniNero.recoverSK(wordlist)
    print("vk", vk)
    print("pvk", MiniNero.publicFromSecret(vk))
    key = mnemonic.mn_encode(sk)
    cks = MiniNero.electrumChecksum(key)
    print(key + " "+cks)
Beispiel #10
0
def importMM(wordlist):
    print("for testing purposes only!")
    sk = MiniNero.recoverSK(wordlist)
    print("vk", vk)
    print("pvk", MiniNero.publicFromSecret(vk))
    key = mnemonic.mn_encode(sk)
    cks = MiniNero.electrumChecksum(key)
    print(key + " "+cks)
Beispiel #11
0
def ecdhDecode(masked, receiverSk):
    rv = ecdhTuple()
    #compute shared secret
    sharedSec1 = MiniNero.cn_fast_hash(MiniNero.scalarmultKey(masked.senderPk, receiverSk))
    sharedSec2 = MiniNero.cn_fast_hash(sharedSec1)
    #encode
    rv.mask = MiniNero.sc_sub_keys(masked.mask, sharedSec1)
    rv.amount = MiniNero.sc_sub_keys(masked.amount, sharedSec1)
    return rv
Beispiel #12
0
def ctskpkGen(amount):
    sk = ctkey()
    pk = ctkey()
    sk.dest, pk.dest = PaperWallet.skpkGen()
    sk.mask, pk.mask = PaperWallet.skpkGen()
    am = MiniNero.intToHex(amount)
    aH = MiniNero.scalarmultKey(getHForCT(), am)
    pk.mask = MiniNero.addKeys(pk.mask, aH)
    return sk, pk
Beispiel #13
0
def ctskpkGen(amount):
    sk = ctkey()
    pk = ctkey()
    sk.dest, pk.dest = PaperWallet.skpkGen()
    sk.mask, pk.mask = PaperWallet.skpkGen()
    am = MiniNero.intToHex(amount)
    aH = MiniNero.scalarmultKey(getHForCT(), am)
    pk.mask = MiniNero.addKeys(pk.mask, aH)
    return sk, pk
Beispiel #14
0
def sumCiExp(Cis, Exp):
    #Cis is a vector
    #Exp is a vector
    CSum = MiniNero.identity()
    for i in range(0, len(Cis)):
        CSum = MiniNero.addKeys(
            CSum, MiniNero.scalarmultKey(Cis[i],
                                         MiniNero.intToHex(10**Exp[i])))
    return CSum
Beispiel #15
0
def getH2ForCT():
    A = MiniNero.publicFromInt(1)
    HPow2 = MiniNero.hashToPoint_ct(A)
    two = MiniNero.intToHex(2)
    H2 = [None] * 64
    for i in range(0, 64):
        Translator.hexToCComma(HPow2)
        H2[i] = HPow2
        HPow2 = MiniNero.scalarmultKey(HPow2, two)
    return H2
Beispiel #16
0
def getH2ForCT():
    A = MiniNero.publicFromInt(1)
    HPow2 = MiniNero.hashToPoint_ct(A)
    two = MiniNero.intToHex(2)
    H2 = [None] * ATOMS
    for i in range(0, ATOMS):
        #Translator.hexToCComma(HPow2) 
        H2[i] = HPow2
        HPow2 = MiniNero.scalarmultKey(HPow2, two)
    return H2
Beispiel #17
0
def ecdhEncode(unmasked, receiverPk):
    rv = ecdhTuple()
    #compute shared secret
    esk, rv.senderPk = PaperWallet.skpkGen()
    sharedSec1 = MiniNero.cn_fast_hash(MiniNero.scalarmultKey(receiverPk, esk))
    sharedSec2 = MiniNero.cn_fast_hash(sharedSec1)
    #encode
    rv.mask = MiniNero.sc_add_keys(unmasked.mask, sharedSec1)
    rv.amount = MiniNero.sc_add_keys(unmasked.amount, sharedSec1)
    return rv
Beispiel #18
0
def ecdhEncode(unmasked, receiverPk):    
    rv = ecdhTuple()
    #compute shared secret
    esk, rv.senderPk =  PaperWallet.skpkGen()
    sharedSec1 = MiniNero.cn_fast_hash(MiniNero.scalarmultKey(receiverPk, esk));
    sharedSec2 = MiniNero.cn_fast_hash(sharedSec1)
    #encode
    rv.mask = MiniNero.sc_add_keys(unmasked.mask, sharedSec1)
    rv.amount = MiniNero.sc_add_keys(unmasked.amount, sharedSec1)
    return rv
Beispiel #19
0
def verRangeProof(Ci, L1, s2, s):
    n = len(
        Ci
    )  #note there will be some fixed length eventually so you can't just get the top digit
    CiH = [None] * n
    for i in range(0, n):
        CiH[i] = MiniNero.subKeys(
            Ci[i], MiniNero.scalarmultKey(getHForCT(),
                                          MiniNero.intToHex(2**i)))
    return ASNL.VerASNL(Ci, CiH, L1, s2, s)
Beispiel #20
0
def ecdhDecode(masked, receiverSk):
    rv = ecdhTuple()
    #compute shared secret
    sharedSec1 = MiniNero.cn_fast_hash(
        MiniNero.scalarmultKey(masked.senderPk, receiverSk))
    sharedSec2 = MiniNero.cn_fast_hash(sharedSec1)
    #encode
    rv.mask = MiniNero.sc_sub_keys(masked.mask, sharedSec1)
    rv.amount = MiniNero.sc_sub_keys(masked.amount, sharedSec1)
    return rv
Beispiel #21
0
def MLSAG_Ver(pk, keyimage, c1, s ):
    rows = len(pk)
    cols = len(pk[0])
    print("verifying MLSAG sig of dimensions ",rows ,"x ", cols)
    L = [[None]*cols]
    R = [[None]*cols]
    pj = ''.join(pk[0])
    for i in range(1, rows):
      L.append([None] * cols)
      R.append([None] * cols)
      pj = pj + ''.join(pk[i])
    c= [None]*(cols+1) #you do an extra one, and then check the wrap around 
    HP = [[MiniNero.hashToPoint_cn(i) for i in pk[0]]]
    for j in range(1, rows):
      HP.append([MiniNero.hashToPoint_cn(i) for i in pk[j]])
    c[0] = c1
    j = 0
    while j < cols:
      tohash = pj
      for i in range(0, rows):
        L[i][j] = MiniNero.addKeys(MiniNero.scalarmultBase(s[i][j]), MiniNero.scalarmultKey(pk[i][j], c[j]))
        R[i][j] = MiniNero.addKeys(MiniNero.scalarmultKey(HP[i][j], s[i][j]), MiniNero.scalarmultKey(keyimage[i], c[j]))
        tohash = tohash + L[i][j] + R[i][j]
      j = j + 1
      c[j] = MiniNero.cn_fast_hash(tohash)

    rv = (c[0] == c[cols])
    print("c", c)
    print("sig verifies?", rv)
    
    return rv
Beispiel #22
0
def rangeProof(C_out_i, masks_i):
    n = len(masks_i)
    I_Proofs = [None] * n
    c0s = [None] * n
    ss = [None] * n
    C_is = [None] * n
    for i in range(0, n):
        C_i = MiniNero.addKeys(MiniNero.scalarmultBase(masks_i[i]), MiniNero.scalarmultKey(H_ct, C_out_i[i])) # masks_i * G + C_out_i * H
        C_i_prime = MiniNero.subKeys(C_i, H_ct) #C_i - H
        C_is[i] = [C_i_prime, C_i]
        print("generating LLWsig for range proof from Cis, masks, couts", C_is[i], masks_i[i], C_out_i[i])
        I_Proofs[i], c0s[i], ss[i] = LLW_Sigs.LLW_Sig(C_is[i], masks_i[i], MiniNero.hexToInt(C_out_i[i]))
        #ring sig on the above, with sk masks_i
    return I_Proofs, c0s, ss, C_is
Beispiel #23
0
def CT_ring_sig(pk, C_in, C_out, xz, index):
    print("Generating Ct ring sig")
    n = len(pk)
    pk2 = [None] * 2
    for i in range(0, n):
        pk2[i] = MiniNero.addKeys(pk[i], C_in)
        for j in C_out:
            pk2[i] = MiniNero.subKeys(pk2[i], j)
    print("check validity", pk2[index], MiniNero.scalarmultBase(xz))
    if pk2[index] != MiniNero.scalarmultBase(xz):
        print("stop lying, you don't know a key")
        exit()
    I, c0, s = LLW_Sigs.LLW_Sig(pk2, xz, index)
    print("Ct ring sig generated")
    return I, c0, s, pk2
Beispiel #24
0
def GenASNL(x, P1, P2, indices):
    #Aggregate Schnorr Non-Linkable
    #x, P1, P2, are key vectors here, but actually you 
    #indices specifices which column of the given row of the key vector you sign.
    #the key vector with the first or second key
    n = len(x)
    print("Generating Aggregate Schnorr Non-linkable Ring Signature")
    L1 = [None] * n
    s1 = [None] * n
    s2 = [None] * n
    s = MiniNero.intToHex(0)
    for j in range(0, n):
        L1[j], s1[j], s2[j] = GenSchnorrNonLinkable(x[j], P1[j], P2[j], indices[j])
        s = MiniNero.sc_add_keys(s, s1[j])
    return L1, s2, s
Beispiel #25
0
def CT_ring_sig(pk, C_in, C_out, xz, index):
    print("Generating Ct ring sig")
    n = len(pk)
    pk2 = [None] * 2
    for i in range(0, n):
        pk2[i] = MiniNero.addKeys(pk[i], C_in)
        for j in C_out:
            pk2[i] = MiniNero.subKeys(pk2[i], j)
    print("check validity", pk2[index], MiniNero.scalarmultBase(xz))
    if pk2[index] != MiniNero.scalarmultBase(xz):
        print("stop lying, you don't know a key")
        exit()
    I, c0, s = LLW_Sigs.LLW_Sig(pk2, xz, index)
    print("Ct ring sig generated")
    return I, c0, s, pk2
Beispiel #26
0
def genRct(inSk, inPk, destinations, amounts, mixin):
    #inputs:
    #inSk is signers secret ctkeyvector 
    #inPk is signers public ctkeyvector 
    #destinations is a keyvector of output addresses 
    #amounts is a list of amounts corresponding to above output addresses
    #mixin is an integer which is the desired mixin 
    #outputs:
    #rctSig is a list [ rangesigs, MG, mixRing, ecdhInfo, outPk] 
    #rangesigs is a list of one rangeproof for each output
    #MG is the mgsig [ss, cc, II] 
    #mixRing is a ctkeyMatrix 
    #ecdhInfo is a list of masks / amounts for each output
    #outPk is a vector of ctkeys (since we have computed the commitment for each amount)
    rv = rctSig()
    rv.outPk = ctkeyV( len(destinations))
    rv.rangeSigs = [None] * len(destinations)
    outSk = ctkeyV(len(destinations))
    rv.ecdhInfo = [None] * len(destinations)
    for i in range(0, len(destinations)):
        rv.ecdhInfo[i] = ecdhTuple()
        rv.outPk[i] = ctkey()
        rv.outPk[i].dest = destinations[i]
        rv.outPk[i].mask, outSk[i].mask, rv.rangeSigs[i] = proveRange(amounts[i])
        #do ecdhinfo encode / decode 
        rv.ecdhInfo[i].mask = outSk[i].mask
        rv.ecdhInfo[i].amount = MiniNero.intToHex(amounts[i])
        rv.ecdhInfo[i] = ecdhEncode(rv.ecdhInfo[i], destinations[i])
    rv.mixRing, index = populateFromBlockchain(inPk, mixin)
    rv.MG = proveRctMG(rv.mixRing, inSk, outSk, rv.outPk, index)
    return rv
Beispiel #27
0
def verRange(Ci, ags):
    n = ATOMS
    CiH = [None] * n
    H2 = getH2ForCT()
    for i in range(0, n):
        CiH[i] = MiniNero.subKeys(ags.Ci[i], H2[i])
    return AggregateSchnorr.VerASNL(ags.Ci, CiH, ags.asig.L1, ags.asig.s2, ags.asig.s) 
Beispiel #28
0
def genRct(inSk, inPk, destinations, amounts, mixin):
    #inputs:
    #inSk is signers secret ctkeyvector
    #inPk is signers public ctkeyvector
    #destinations is a keyvector of output addresses
    #amounts is a list of amounts corresponding to above output addresses
    #mixin is an integer which is the desired mixin
    #outputs:
    #rctSig is a list [ rangesigs, MG, mixRing, ecdhInfo, outPk]
    #rangesigs is a list of one rangeproof for each output
    #MG is the mgsig [ss, cc, II]
    #mixRing is a ctkeyMatrix
    #ecdhInfo is a list of masks / amounts for each output
    #outPk is a vector of ctkeys (since we have computed the commitment for each amount)
    rv = rctSig()
    rv.outPk = ctkeyV(len(destinations))
    rv.rangeSigs = [None] * len(destinations)
    outSk = ctkeyV(len(destinations))
    rv.ecdhInfo = [None] * len(destinations)
    for i in range(0, len(destinations)):
        rv.ecdhInfo[i] = ecdhTuple()
        rv.outPk[i] = ctkey()
        rv.outPk[i].dest = destinations[i]
        rv.outPk[i].mask, outSk[i].mask, rv.rangeSigs[i] = proveRange(
            amounts[i])
        #do ecdhinfo encode / decode
        rv.ecdhInfo[i].mask = outSk[i].mask
        rv.ecdhInfo[i].amount = MiniNero.intToHex(amounts[i])
        rv.ecdhInfo[i] = ecdhEncode(rv.ecdhInfo[i], destinations[i])
    rv.mixRing, index = populateFromBlockchain(inPk, mixin)
    rv.MG = proveRctMG(rv.mixRing, inSk, outSk, rv.outPk, index)
    return rv
Beispiel #29
0
def GenASNL(x, P1, P2, indices):
    #Aggregate Schnorr Non-Linkable
    #x, P1, P2, are key vectors here, but actually you
    #indices specifices which column of the given row of the key vector you sign.
    #the key vector with the first or second key
    n = len(x)
    print("Generating Aggregate Schnorr Non-linkable Ring Signature")
    L1 = [None] * n
    s1 = [None] * n
    s2 = [None] * n
    s = MiniNero.intToHex(0)
    for j in range(0, n):
        L1[j], s1[j], s2[j] = GenSchnorrNonLinkable(x[j], P1[j], P2[j],
                                                    indices[j])
        s = MiniNero.sc_add_keys(s, s1[j])
    return L1, s2, s
Beispiel #30
0
def verRange(Ci, ags):
    n = ATOMS
    CiH = [None] * n
    H2 = getH2ForCT()
    for i in range(0, n):
        CiH[i] = MiniNero.subKeys(ags.Ci[i], H2[i])
    return AggregateSchnorr.VerASNL(ags.Ci, CiH, ags.asig.L1, ags.asig.s2,
                                    ags.asig.s)
Beispiel #31
0
def VerSchnorr(hash_prefix, pub, r, c):
    #hash_prefix = binascii.hexlify(prefix)
    check1 = MiniNero.toPoint(pub) 
    comm = MiniNero.addKeys(MiniNero.scalarmultKey(pub,c), MiniNero.scalarmultBase(r))
    c2 = MiniNero.cn_fast_hash(hash_prefix + pub + comm)
    print(MiniNero.sc_sub_keys(c, c2) == "0000000000000000000000000000000000000000000000000000000000000000")
    return (MiniNero.sc_sub_keys(c, c2) == "0000000000000000000000000000000000000000000000000000000000000000")
Beispiel #32
0
def MLSAG_Gen(pk, xx, index ):
    rows = len(xx)
    cols = len(pk[0])
    print("Generating MG sig of size ", rows, "x", cols)
    c= [None] * cols
    alpha = skvGen(rows)
    I = keyImageV(xx)
    L = keyMatrix(rows, cols)
    R = keyMatrix(rows, cols)
    s = keyMatrix(rows, cols)
    m = ''.join(pk[0])
    for i in range(1, cols):
        m = m + ''.join(pk[i])
    L[index] = [MiniNero.scalarmultBase(aa) for aa in alpha] #L = aG
    Hi = hashKeyVector(pk[index])
    R[index] = [MiniNero.scalarmultKey(Hi[ii], alpha[ii]) for ii in range(0, rows)] #R = aI
    oldi = index
    i = (index + 1) % cols
    c[i] = MiniNero.cn_fast_hash(m+''.join(L[oldi]) + ''.join(R[oldi]))
    
    while i != index:
        s[i] = skvGen(rows)
        L[i] = [MiniNero.addKeys1(s[i][j], c[i], pk[i][j]) for j in range(0, rows)]

        Hi = hashKeyVector(pk[i])
        R[i] = [MiniNero.addKeys2( s[i][j], Hi[j], c[i], I[j]) for j in range(0, rows)]
        oldi = i
        i = (i + 1) % cols
        c[i] = MiniNero.cn_fast_hash(m+''.join(L[oldi]) + ''.join(R[oldi]))
    print("L", L)
    print("R", R)
    s[index] = [MiniNero.sc_mulsub_keys(alpha[j], c[index], xx[j]) for j in range(0, rows)] #alpha - c * x
    return I, c[0], s
Beispiel #33
0
def VerSchnorrNonLinkable(P1, P2, L1, s1, s2):
    c2 = MiniNero.cn_fast_hash(L1)
    L2 = MiniNero.addKeys(MiniNero.scalarmultBase(s2), MiniNero.scalarmultKey(P2, c2))
    c1 = MiniNero.cn_fast_hash(L2)
    L1p = MiniNero.addKeys(MiniNero.scalarmultBase(s1), MiniNero.scalarmultKey(P1, c1))
    if L1 == L1p:
        print"Verified"
        return 0
    else:
        print "Didn't verify"
        print(L1,"!=",  L1p)
        return -1
Beispiel #34
0
def verRctMG(MG, pubs, outPk):
    #mg is an mgsig (list [ss, cc, II] of keymatrix ss, keyvector II and key cc]
    #pubs is a matrix of ctkeys [P, C]
    #outPk is a list of output ctkeys [P, C] for the transaction
    #returns true or false
    rows = len(pubs[0])
    cols = len(pubs)
    M = MLSAG2.keyMatrix(rows + 1, cols) #just a simple way to initialize a keymatrix, doesn't need to be random..
    for j in range(0, cols):
        M[j][rows] = MiniNero.identity()
    for i in range(0, rows): 
        for j in range(0, cols):
            M[j][i] = pubs[j][i].dest # get the destination part
            M[j][rows] = MiniNero.addKeys(M[j][rows], pubs[j][i].mask) #add commitment part
    #next need to subtract the commitment part of all outputs..
    for j in range(0, cols):
        for i in range(0, len(outPk)):
            M[j][rows] = MiniNero.subKeys(M[j][rows], outPk[i].mask) # subtract commitment part        
    return MLSAG2.MLSAG_Ver(M, MG.II, MG.cc, MG.ss)
Beispiel #35
0
def rangeProof(C_out_i, masks_i):
    n = len(masks_i)
    I_Proofs = [None] * n
    c0s = [None] * n
    ss = [None] * n
    C_is = [None] * n
    for i in range(0, n):
        C_i = MiniNero.addKeys(
            MiniNero.scalarmultBase(masks_i[i]),
            MiniNero.scalarmultKey(H_ct,
                                   C_out_i[i]))  # masks_i * G + C_out_i * H
        C_i_prime = MiniNero.subKeys(C_i, H_ct)  #C_i - H
        C_is[i] = [C_i_prime, C_i]
        print("generating LLWsig for range proof from Cis, masks, couts",
              C_is[i], masks_i[i], C_out_i[i])
        I_Proofs[i], c0s[i], ss[i] = LLW_Sigs.LLW_Sig(
            C_is[i], masks_i[i], MiniNero.hexToInt(C_out_i[i]))
        #ring sig on the above, with sk masks_i
    return I_Proofs, c0s, ss, C_is
Beispiel #36
0
def proveRctMG(pubs, inSk, outSk, outPk, index):
    #pubs is a matrix of ctkeys [P, C] 
    #inSk is the keyvector of [x, mask] secret keys
    #outMasks is a keyvector of masks for outputs
    #outPk is a list of output ctkeys [P, C]
    #index is secret index of where you are signing (integer)
    #returns a list (mgsig) [ss, cc, II] where ss is keymatrix, cc is key, II is keyVector of keyimages
    
    #so we are calling MLSAG2.MLSAG_Gen from here, we need a keymatrix made from pubs
    #we also need a keyvector made from inSk
    rows = len(pubs[0])
    cols = len(pubs)
    print("rows in mg", rows)
    print("cols in mg", cols)
    M = MLSAG2.keyMatrix(rows + 1, cols) #just a simple way to initialize a keymatrix, doesn't need to be random..
    sk = MLSAG2.keyVector(rows + 1)
    
    for j in range(0, cols):
        M[j][rows] = MiniNero.identity()
    sk[rows] = MiniNero.sc_0()
    for i in range(0, rows): 
        sk[i] = inSk[i].dest #get the destination part
        sk[rows] = MiniNero.sc_add_keys(sk[rows], inSk[i].mask) #add commitment part
        for j in range(0, cols):
            M[j][i] = pubs[j][i].dest # get the destination part
            M[j][rows] = MiniNero.addKeys(M[j][rows], pubs[j][i].mask) #add commitment part
    #next need to subtract the commitment part of all outputs..
    for j in range(0, len(outSk)):
        sk[rows] = MiniNero.sc_sub_keys(sk[rows], outSk[j].mask)
        for i in range(0, len(outPk)):
            M[j][rows] = MiniNero.subKeys(M[j][rows], outPk[i].mask) # subtract commitment part
    MG = mgSig()
    MG.II, MG.cc, MG.ss = MLSAG2.MLSAG_Gen(M, sk, index)
    
    return MG #mgSig
Beispiel #37
0
def VerSchnorrNonLinkable(P1, P2, L1, s1, s2):
    c2 = MiniNero.cn_fast_hash(L1)
    L2 = MiniNero.addKeys(MiniNero.scalarmultBase(s2),
                          MiniNero.scalarmultKey(P2, c2))
    c1 = MiniNero.cn_fast_hash(L2)
    L1p = MiniNero.addKeys(MiniNero.scalarmultBase(s1),
                           MiniNero.scalarmultKey(P1, c1))
    if L1 == L1p:
        print "Verified"
        return 0
    else:
        print "Didn't verify"
        print(L1, "!=", L1p)
        return -1
Beispiel #38
0
def proveRange(amount):
    bb = d2b(amount, ATOMS)  #gives binary form of bb in "digits" binary digits
    print("amount, amount in binary", amount, bb)
    ai = [None] * len(bb)
    Ci = [None] * len(bb)
    CiH = [None] * len(bb)  #this is like Ci - 2^i H
    H2 = getH2ForCT()
    a = MiniNero.sc_0()
    ii = [None] * len(bb)
    indi = [None] * len(bb)
    for i in range(0, ATOMS):
        ai[i] = PaperWallet.skGen()
        a = MiniNero.addScalars(
            a, ai[i]
        )  #creating the total mask since you have to pass this to receiver...
        if bb[i] == 0:
            Ci[i] = MiniNero.scalarmultBase(ai[i])
        if bb[i] == 1:
            Ci[i] = MiniNero.addKeys(MiniNero.scalarmultBase(ai[i]), H2[i])
        CiH[i] = MiniNero.subKeys(Ci[i], H2[i])

    A = asnlSig()
    A.L1, A.s2, A.s = AggregateSchnorr.GenASNL(ai, Ci, CiH, bb)

    R = rangeSig()
    R.asig = A
    R.Ci = Ci

    mask = a
    C = sumCi(Ci)
    return C, mask, R
Beispiel #39
0
def proveRange(amount):
    bb = d2b(amount, ATOMS) #gives binary form of bb in "digits" binary digits
    print("amount, amount in binary", amount, bb)
    ai = [None] * len(bb)
    Ci = [None] * len(bb)
    CiH = [None] * len(bb) #this is like Ci - 2^i H
    H2 = getH2ForCT()
    a = MiniNero.sc_0()
    ii = [None] * len(bb)
    indi = [None] * len(bb)
    for i in range(0, ATOMS):
        ai[i] = PaperWallet.skGen()
        a = MiniNero.addScalars(a, ai[i]) #creating the total mask since you have to pass this to receiver...
        if bb[i] == 0:
            Ci[i] =  MiniNero.scalarmultBase(ai[i])
        if bb[i] == 1:
            Ci[i] = MiniNero.addKeys(MiniNero.scalarmultBase(ai[i]), H2[i])
        CiH[i] = MiniNero.subKeys(Ci[i], H2[i])
        
    A = asnlSig()
    A.L1, A.s2, A.s = AggregateSchnorr.GenASNL(ai, Ci, CiH, bb)
    
    R = rangeSig()
    R.asig = A
    R.Ci = Ci
    
    mask = a
    C = sumCi(Ci)
    return C, mask, R
Beispiel #40
0
def VerSchnorr(hash_prefix, pub, r, c):
    #hash_prefix = binascii.hexlify(prefix)
    check1 = MiniNero.toPoint(pub)
    comm = MiniNero.addKeys(MiniNero.scalarmultKey(pub, c),
                            MiniNero.scalarmultBase(r))
    c2 = MiniNero.cn_fast_hash(hash_prefix + pub + comm)
    print(
        MiniNero.sc_sub_keys(c, c2) ==
        "0000000000000000000000000000000000000000000000000000000000000000")
    return (MiniNero.sc_sub_keys(c, c2) ==
            "0000000000000000000000000000000000000000000000000000000000000000")
Beispiel #41
0
def point_decompress(s):
    #if len(s) != 32:
        #raise Exception("Invalid input length for decompression")
    #y = int.from_bytes(s, "little")
    y = MiniNero.hexToInt(s)
    sign = y >> 255
    y &= (1 << 255) - 1

    x = recover_x(y, sign)
    if x is None:
        return None
    else:
        return (x, y, 1, x*y % p)
Beispiel #42
0
def genRangeProof(b, digits):
    bb = binary(b, digits) #gives binary form of bb in "digits" binary digits
    print("b, b in binary", b, bb)
    ai = [None] * len(bb)
    Ci = [None] * len(bb)
    CiH = [None] * len(bb) #this is like Ci - 2^i H
    a = MiniNero.intToHex(0)
    ii = [None] * len(bb)
    indi = [None] * len(bb)
    for i in range(0, len(bb)):
        ai[i] = PaperWallet.skGen()
        a = MiniNero.addScalars(a, ai[i]) #creating the total mask since you have to pass this to receiver...
        Ci[i] = MiniNero.addKeys(MiniNero.scalarmultBase(ai[i]), MiniNero.scalarmultKey(getHForCT(), MiniNero.intToHex(bb[i] * 2 ** i)))
        CiH[i] = MiniNero.subKeys(Ci[i], MiniNero.scalarmultKey(getHForCT(), MiniNero.intToHex(2 ** i)))
    L1, s2, s = AggregateSchnorr.GenASNL(ai, Ci, CiH, bb)
    return sumCi(Ci), Ci, L1, s2, s, a
Beispiel #43
0
def genRCTSig(sk_x, sk_in, sk_out, Pk, CIn, COut, ExpIn, ExpOut, index):
    #sk_x is private keys of addresses (vector)
    #sk_in is masks of input commitments (vector)
    #sk_out is masks of output commitments (vector)
    #Pk is public key list (2d array)
    #CIn is input commitments (2d array)
    #COut is output commitments (vector)
    #ExpIn is exponents for the input commitments (2d array)
    #so each row of this is going to correspond to a column in the actual mlsag..
    #ExpOut is exponents for the output commitments
    #index is the secret index
    sk = sk_x[:]
    sk.append(MiniNero.sc_sub_keys(MiniNero.sc_add(sk_in, ExpIn[index]), MiniNero.sc_add(sk_out, ExpOut)))
    CRow = [None] * len(CIn) #commitments row of public keys Cin - Cout
    COutSum = sumCiExp(COut, ExpOut) #Cout1*10^i_1 + Cout2 * 10^{i_2}..
    tmp = MiniNero.identity()
    pk = [None] * (len(sk_x) + 1) #generalize later...
    pk[0] = Pk
    for i in range(0, len(CIn)):
        CRow[i] = MiniNero.subKeys(sumCiExp(CIn[i], ExpIn[i]), COutSum) 
    pk[1] = CRow
    II, cc, ssVal = MLSAG.MLSAG_Sign(pk, sk, index)
    return pk, II, cc, ssVal
Beispiel #44
0
def verRctMG(MG, pubs, outPk):
    #mg is an mgsig (list [ss, cc, II] of keymatrix ss, keyvector II and key cc]
    #pubs is a matrix of ctkeys [P, C]
    #outPk is a list of output ctkeys [P, C] for the transaction
    #returns true or false
    rows = len(pubs[0])
    cols = len(pubs)
    M = MLSAG2.keyMatrix(
        rows + 1, cols
    )  #just a simple way to initialize a keymatrix, doesn't need to be random..
    for j in range(0, cols):
        M[j][rows] = MiniNero.identity()
    for i in range(0, rows):
        for j in range(0, cols):
            M[j][i] = pubs[j][i].dest  # get the destination part
            M[j][rows] = MiniNero.addKeys(
                M[j][rows], pubs[j][i].mask)  #add commitment part
    #next need to subtract the commitment part of all outputs..
    for j in range(0, cols):
        for i in range(0, len(outPk)):
            M[j][rows] = MiniNero.subKeys(
                M[j][rows], outPk[i].mask)  # subtract commitment part
    return MLSAG2.MLSAG_Ver(M, MG.II, MG.cc, MG.ss)
Beispiel #45
0
def MLSAG_Gen(pk, xx, index):
    rows = len(xx)
    cols = len(pk)
    print("Generating MG sig of size ", rows, "x", cols)
    print("index is:", index)
    print("checking if I can actually sign")
    print(pk[index])
    print([MiniNero.scalarmultBase(x) for x in xx])
    c = [None] * cols
    alpha = skvGen(rows)
    I = keyImageV(xx)
    L = keyMatrix(rows, cols)
    R = keyMatrix(rows, cols)
    s = keyMatrix(rows, cols)
    m = ''.join(pk[0])
    for i in range(1, cols):
        m = m + ''.join(pk[i])
    L[index] = [MiniNero.scalarmultBase(aa) for aa in alpha]  #L = aG
    Hi = hashKeyVector(pk[index])
    R[index] = [
        MiniNero.scalarmultKey(Hi[ii], alpha[ii]) for ii in range(0, rows)
    ]  #R = aI
    oldi = index
    i = (index + 1) % cols
    c[i] = MiniNero.cn_fast_hash(m + ''.join(L[oldi]) + ''.join(R[oldi]))

    while i != index:
        s[i] = skvGen(rows)
        L[i] = [
            MiniNero.addKeys1(s[i][j], c[i], pk[i][j]) for j in range(0, rows)
        ]

        Hi = hashKeyVector(pk[i])
        R[i] = [
            MiniNero.addKeys2(s[i][j], Hi[j], c[i], I[j])
            for j in range(0, rows)
        ]
        oldi = i
        i = (i + 1) % cols
        c[i] = MiniNero.cn_fast_hash(m + ''.join(L[oldi]) + ''.join(R[oldi]))
    print("L", L)
    print("R", R)
    s[index] = [
        MiniNero.sc_mulsub_keys(alpha[j], c[index], xx[j])
        for j in range(0, rows)
    ]  #alpha - c * x
    return I, c[0], s
Beispiel #46
0
def in_commitments(input_value, sk, masks):
    #for now, assume there is one input, generalized after get that working
    sum_masks = MiniNero.intToHex(sum([MiniNero.hexToInt(a) for a in masks]))
    z = MiniNero.sc_sub_keys(sk,
                             sum_masks)  # z +  sum of input mask values = sk
    C = MiniNero.addKeys(MiniNero.scalarmultBase(sk),
                         MiniNero.scalarmultKey(
                             H_ct,
                             input_value))  #input_value = sum output values
    return C, z  #z is the sk you need to sign for this commitment
Beispiel #47
0
def out_commitments(values):
    #do this first
    n = len(values)
    values2 = [None] * n
    for i in range(0, n):
        values2[i] = [MiniNero.intToHex(j) for j in binary(MiniNero.hexToInt(values[i]))]
    #returns a list of commitments C_i = y_iG + value_i * H for outputs (these masks are created randomly)
    masks = [None] * n 
    sumMasks = [None] * n
    for i in range(0, n):
        masks[i] = [PaperWallet.skGen() for jj in values2[i]] #binary decomposition for range proofs (could also use another base)
        sumMasks[i] = MiniNero.intToHex(sum([MiniNero.hexToInt(a) for a in masks[i]])) #sum is what actually goes into the ring..
    C = [None] * n
    for i in range(0, n):
        C[i] = MiniNero.addKeys(MiniNero.scalarmultBase(sumMasks[i]), MiniNero.scalarmultKey(H_ct, values[i]))
    return C, masks, sumMasks, values2
Beispiel #48
0
def genRangeProof(b, digits):
    bb = binary(b, digits)  #gives binary form of bb in "digits" binary digits
    print("b, b in binary", b, bb)
    ai = [None] * len(bb)
    Ci = [None] * len(bb)
    CiH = [None] * len(bb)  #this is like Ci - 2^i H
    a = MiniNero.intToHex(0)
    ii = [None] * len(bb)
    indi = [None] * len(bb)
    for i in range(0, len(bb)):
        ai[i] = PaperWallet.skGen()
        a = MiniNero.addScalars(
            a, ai[i]
        )  #creating the total mask since you have to pass this to receiver...
        Ci[i] = MiniNero.addKeys(
            MiniNero.scalarmultBase(ai[i]),
            MiniNero.scalarmultKey(getHForCT(),
                                   MiniNero.intToHex(bb[i] * 2**i)))
        CiH[i] = MiniNero.subKeys(
            Ci[i], MiniNero.scalarmultKey(getHForCT(),
                                          MiniNero.intToHex(2**i)))
    L1, s2, s = ASNL.GenASNL(ai, Ci, CiH, bb)
    return sumCi(Ci), Ci, L1, s2, s, a
Beispiel #49
0
def ComputeReceivedAmount(senderEphemPk, receiverSK, maskedMask, maskedAmount, Ci, exponent):
    ss1, ss2 = ecdh.ecdhretrieve(receiverSK, senderEphemPk)
    mask = MiniNero.sc_sub_keys(maskedMask, ss1)
    CSum = sumCi(Ci)
    bH = MiniNero.subKeys(CSum, MiniNero.scalarmultBase(mask)) #bH = C - aG
    b = MiniNero.sc_sub_keys(maskedAmount, ss2)
    print("received amount:", 10 ** exponent * MiniNero.hexToInt(b))
    H = getHForCT()
    bHTent = MiniNero.scalarmultKey(H, b)
    print(bHTent,"=?", bH)
    if bHTent != bH:
        print("wrong amount sent!")
        return -1
    return 0
Beispiel #50
0
def LLW_Ver(pk, keyimage, c1, s):
    n= len(pk) #ok
    print("verifying LLW sig of length", n)
    L = [None]*n
    R = [None]*n
    c= [None]*(n+1)
    pj = ''.join(pk)
    HP = [MiniNero.hashToPoint_ct(i) for i in pk]
    c[0] = c1
    j = 0
    while j < n:
        L[j] = MiniNero.addKeys(MiniNero.scalarmultBase(s[j]), MiniNero.scalarmultKey(pk[j], c[j]))
        R[j] = MiniNero.addKeys(MiniNero.scalarmultKey(HP[j], s[j]), MiniNero.scalarmultKey(keyimage, c[j]))
        cj = j + 1
        c[cj] = MiniNero.cn_fast_hash(pj + L[j] + R[j])
        j = cj
    rv = (c[0] == c[n])
    print("sig verifies complete", rv)
    print("c", c)
    print("L", L)
    print("R", R)
    return rv
Beispiel #51
0
def ComputeReceivedAmount(senderEphemPk, receiverSK, maskedMask, maskedAmount,
                          Ci, exponent):
    ss1, ss2 = Ecdh.ecdhRetrieve(receiverSK, senderEphemPk)
    mask = MiniNero.sc_sub_keys(maskedMask, ss1)
    CSum = sumCi(Ci)
    bH = MiniNero.subKeys(CSum, MiniNero.scalarmultBase(mask))  #bH = C - aG
    b = MiniNero.sc_sub_keys(maskedAmount, ss2)
    print("received amount:", 10**exponent * MiniNero.hexToInt(b))
    H = getHForCT()
    bHTent = MiniNero.scalarmultKey(H, b)
    print(bHTent, "=?", bH)
    if bHTent != bH:
        print("wrong amount sent!")
        return -1
    return 0
Beispiel #52
0
def keysBoth():
    print("This is for private testing purposes only, use at your own risk!")
    print(
        "this function will generate an address that is compatible both with the main client and with MyByteRub"
    )
    print("shen noether- mrl")
    print(" ")
    while True:
        print('.'),
        sk = skGen()

        #s = "3c817618dcbfed122a64e592bb441d73300da9123686224a84e0eab1f075117e"; for testing

        vk = MiniNero.getViewMM(sk)  #note this is the sc_reduced version..
        worked = 1
        #uncomment below lines to make viewkey a point..
        try:
            MiniNero.toPoint(vk)
        except:
            worked = 0
            print("bad vk")

        if vk == MiniNero.sc_reduce_key(vk) and worked == 1:  #already reduced
            break
    print("found key")
    print("secret spend key:", sk)
    print("secret view key:", vk)
    pk = MiniNero.publicFromSecret(sk)
    print("public spend key:", pk)
    pvk = MiniNero.publicFromSecret(vk)
    print("public view key:", pvk)
    addr = MiniNero.getAddrMM(sk)
    print("receiving address", addr)
    wl = mnemonic.mn_encode(sk)
    cks = MiniNero.electrumChecksum(wl)
    print(cks)
    print("mnemonic:", wl + " " + cks)
    return sk, vk, pk, pvk, addr, wl, cks
Beispiel #53
0
def moneroProofOfFile(fi):
    s = cnHashOfFile(fi)
    #s = MiniNero.sc_reduce_key(s) #if you are testing, insert
    #an s below this line

    sk = MiniNero.sc_reduce_key(s)
    print("secret spend key:", sk)
    vk = MiniNero.getView(sk)
    print("secret view key:", vk)
    pk = MiniNero.publicFromSecret(sk)
    print("public spend key:", pk)
    pvk = MiniNero.publicFromSecret(vk)
    print("public view key:", pvk)
    wl = mnemonic.mn_encode(s)
    cks = MiniNero.electrumChecksum(wl)
    print(cks)
    print("mnemonic:", wl + " " + cks)

    return MiniNero.encode_addr(MiniNero.netVersion(), pk, pvk)
Beispiel #54
0
def keysBoth():
    print("This is for private testing purposes only, use at your own risk!")
    print("this function will generate an address that is compatible both with the main client and with MyMonero")
    print("shen noether- mrl")
    print(" ")
    while True:
        print('.'),
        sk = skGen()

        #s = "3c817618dcbfed122a64e592bb441d73300da9123686224a84e0eab1f075117e"; for testing

        vk = MiniNero.getViewMM(sk) #note this is the sc_reduced version..
        worked = 1
        #uncomment below lines to make viewkey a point..
        try:
            MiniNero.toPoint(vk)
        except:
            worked =0
            print("bad vk")

        if vk == MiniNero.sc_reduce_key(vk) and worked == 1: #already reduced
            break
    print("found key")
    print("secret spend key:", sk)
    print("secret view key:", vk)
    pk = MiniNero.publicFromSecret(sk)
    print("public spend key:", pk)
    pvk = MiniNero.publicFromSecret(vk)
    print("public view key:", pvk)
    addr =  MiniNero.getAddrMM(sk)
    print("receiving address", addr)
    wl = mnemonic.mn_encode(sk)
    cks = MiniNero.electrumChecksum(wl)
    print(cks)
    print("mnemonic:", wl + " " + cks)
    return sk, vk, pk, pvk, addr, wl, cks
Beispiel #55
0
def LLW_Ver(pk, keyimage, c1, s):
    n = len(pk)  #ok
    print("verifying LLW sig of length", n)
    L = [None] * n
    R = [None] * n
    c = [None] * (n + 1)
    pj = ''.join(pk)
    HP = [MiniNero.hashToPoint_ct(i) for i in pk]
    c[0] = c1
    j = 0
    while j < n:
        L[j] = MiniNero.addKeys(MiniNero.scalarmultBase(s[j]),
                                MiniNero.scalarmultKey(pk[j], c[j]))
        R[j] = MiniNero.addKeys(MiniNero.scalarmultKey(HP[j], s[j]),
                                MiniNero.scalarmultKey(keyimage, c[j]))
        cj = j + 1
        c[cj] = MiniNero.cn_fast_hash(pj + L[j] + R[j])
        j = cj
    rv = (c[0] == c[n])
    print("sig verifies complete", rv)
    print("c", c)
    print("L", L)
    print("R", R)
    return rv
Beispiel #56
0
def decodeRct(rv, sk, i):
    #inputs:
    #rctSig is a list [ rangesigs, MG, mixRing, ecdhInfo, outPk] 
    #rangesigs is a list of one rangeproof for each output
    #MG is the mgsig [ss, cc, II] 
    #mixRing is a ctkeyMatrix 
    #ecdhInfo is a list of masks / amounts for each output
    #outPk is a vector of ctkeys (since we have computed the commitment for each amount)    
    #sk is the secret key of the receiver
    #i is the index of the receiver in the rctSig (in case of multiple destinations)
    #outputs: 
    #the amount received
    decodedTuple = ecdhDecode(rv.ecdhInfo[i], sk)
    mask = decodedTuple.mask
    amount = decodedTuple.amount
    C = rv.outPk[i].mask
    H = getHForCT()
    Ctmp = MiniNero.addKeys(MiniNero.scalarmultBase(mask), MiniNero.scalarmultKey(H, amount))
    if (MiniNero.subKeys(C, Ctmp) != MiniNero.identity()): 
        print("warning, amount decoded incorrectly, will be unable to spend")
    return MiniNero.hexToInt(amount)