Beispiel #1
def LLW_Sig(pk, xx, index):
    """Create an LLW-style linkable ring signature over the ring ``pk``.

    pk    -- list of ring members; they are concatenated as strings below.
    xx    -- the signer's secret scalar (passed to keyImage and folded into
             the response for slot ``index``).
    index -- position of the signer's own key inside ``pk``.

    Returns (keyimage, c[0], s): the key image, the challenge for slot 0 and
    a copy of the per-member responses.
    """
    n = len(pk)
    print("Generating LLW sig of length ", n)
    L = [None] * n
    R = [None] * n
    c = [None] * n
    # One fresh scalar per member: random responses for the decoys and, at
    # s[index], the signer's nonce.
    # NOTE(review): the nonce must be unpredictable and never reused across
    # signatures; that depends on PaperWallet.skGen(), which is not shown here.
    s = [PaperWallet.skGen() for i in range(0, n)]
    HP = [MiniNero.hashToPoint_ct(i) for i in pk]
    pj = ''.join(pk)  # every ring member is bound into each challenge hash
    keyimage = keyImage(xx)
    # presumably multiplies the nonce by 8 -- confirm against MiniNero.mul_8
    s[index] = MiniNero.mul_8(s[index])
    L[index] = MiniNero.scalarmultBase(s[index])  # aG
    R[index] = MiniNero.scalarmultKey(HP[index], s[index])  # aH
    j = (index + 1) % n
    c[j] = MiniNero.cn_fast_hash(pj + L[index] + R[index])
    # Walk the ring from the slot after the signer back around to the signer.
    while j != index:
        L[j] = MiniNero.addKeys(MiniNero.scalarmultBase(s[j]),
                                MiniNero.scalarmultKey(pk[j],
                                                       c[j]))  # Lj = sG + cxG
        R[j] = MiniNero.addKeys(MiniNero.scalarmultKey(HP[j], s[j]),
                                MiniNero.scalarmultKey(keyimage,
                                                       c[j]))  # Rj = sH + cxH
        cj = (j + 1) % n
        c[cj] = MiniNero.cn_fast_hash(pj + L[j] +
                                      R[j])  # c_{j+1} = H(pk || Lj || Rj)
        j = cj  # advance to the next ring member
    # Close the ring: replace the nonce with the real response, which is the
    # only place the secret xx enters.
    s[index] = MiniNero.sc_mulsub_keys(s[index], c[index],
                                       xx)  # si = a - c x so a = s + c x
    print("sigma = ", keyimage, c[0], s[:])
    return keyimage, c[0], s[:]
Beispiel #2
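def MLSAG_Ver(pk, keyimage, c1, s ):
    """Verify an MLSAG signature (keyimage, c1, s) over the key matrix ``pk``.

    pk       -- ``rows`` lists of ``cols`` public keys (strings), indexed
                pk[row][column].
    keyimage -- one key image per row.
    c1       -- the challenge the signer published for column 0.
    s        -- responses, indexed s[row][column].

    The challenges are recomputed column by column and the signature is
    accepted only when the chain closes, i.e. the challenge derived after the
    last column equals ``c1``.  Returns True or False.

    An empty matrix is rejected up front: with zero columns the loop never
    runs and the closing comparison would compare ``c1`` with itself.

    NOTE(review): nothing here checks that the key images are valid points of
    the expected order, that the shapes of ``s`` and ``keyimage`` match
    ``pk``, or that a key image was seen before; confirm the caller does.
    """
    rows = len(pk)
    cols = len(pk[0]) if rows else 0
    print("verifying MLSAG sig of dimensions ",rows ,"x ", cols)
    if rows == 0 or cols == 0:
        # Nothing was signed over; never report success for an empty ring.
        print("sig verifies?", False)
        return False
    L = [[None] * cols for _ in range(rows)]
    R = [[None] * cols for _ in range(rows)]
    # All public keys, row after row, prefix every challenge hash.
    pj = ''.join([''.join(row) for row in pk])
    c = [None] * (cols + 1)  # one extra slot to check the wrap-around
    HP = [[MiniNero.hashToPoint_cn(key) for key in row] for row in pk]
    c[0] = c1
    for j in range(cols):
        tohash = pj
        for i in range(rows):
            L[i][j] = MiniNero.addKeys(MiniNero.scalarmultBase(s[i][j]),
                                       MiniNero.scalarmultKey(pk[i][j], c[j]))
            R[i][j] = MiniNero.addKeys(MiniNero.scalarmultKey(HP[i][j], s[i][j]),
                                       MiniNero.scalarmultKey(keyimage[i], c[j]))
            tohash = tohash + L[i][j] + R[i][j]
        c[j + 1] = MiniNero.cn_fast_hash(tohash)

    rv = (c[0] == c[cols])
    print("c", c)
    print("sig verifies?", rv)

    return rv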
Beispiel #3
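def VerSchnorrNonLinkable(P1, P2, L1, s1, s2):
    """Verify a two-key non-linkable Schnorr ring signature (L1, s1, s2).

    The ring is walked once: c2 = H(L1), L2 = s2*G + c2*P2, c1 = H(L2),
    L1' = s1*G + c1*P1, and the signature is accepted when L1' equals L1.

    Returns 0 when the signature verifies and -1 otherwise.  The success
    value is falsy and the failure value is truthy, so callers must compare
    the result with 0 explicitly and never use it as a boolean.
    """
    c2 = MiniNero.cn_fast_hash(L1)
    L2 = MiniNero.addKeys(MiniNero.scalarmultBase(s2), MiniNero.scalarmultKey(P2, c2))
    c1 = MiniNero.cn_fast_hash(L2)
    L1p = MiniNero.addKeys(MiniNero.scalarmultBase(s1), MiniNero.scalarmultKey(P1, c1))
    if L1 == L1p:
        # print() call form, so the function parses on Python 3 as well
        print("Verified")
        return 0
    print("Didn't verify")
    print(L1,"!=",  L1p)
    return -1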
Beispiel #4
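def VerSchnorrNonLinkable(P1, P2, L1, s1, s2):
    """Check the non-linkable Schnorr ring signature (L1, s1, s2) for P1, P2.

    Recomputes c2 = H(L1), L2 = s2*G + c2*P2, c1 = H(L2) and
    L1' = s1*G + c1*P1; the signature holds when L1' matches L1.

    Returns 0 on success and -1 on failure.  Because -1 is truthy and 0 is
    falsy, a caller writing ``if VerSchnorrNonLinkable(...)`` gets the
    opposite of what it reads like; compare against 0 instead.
    """
    c2 = MiniNero.cn_fast_hash(L1)
    L2 = MiniNero.addKeys(MiniNero.scalarmultBase(s2),
                          MiniNero.scalarmultKey(P2, c2))
    c1 = MiniNero.cn_fast_hash(L2)
    L1p = MiniNero.addKeys(MiniNero.scalarmultBase(s1),
                           MiniNero.scalarmultKey(P1, c1))
    if L1 != L1p:
        # print() call form keeps the function valid on Python 3 too
        print("Didn't verify")
        print(L1, "!=", L1p)
        return -1
    print("Verified")
    return 0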
Beispiel #5
def sumCiExp(Cis, Exp):
    """Return the sum over i of (10 ** Exp[i]) * Cis[i].

    Cis is a vector of points and Exp a vector of integer exponents; Exp is
    indexed by position in Cis.
    """
    total = MiniNero.identity()
    for pos, commitment in enumerate(Cis):
        scaled = MiniNero.scalarmultKey(commitment,
                                        MiniNero.intToHex(10 ** Exp[pos]))
        total = MiniNero.addKeys(total, scaled)
    return total
Beispiel #6
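def VerSchnorr(hash_prefix, pub, r, c):
    """Verify the Schnorr signature (r, c) on ``hash_prefix`` under ``pub``.

    Recomputes comm = c*pub + r*G and c2 = H(hash_prefix + pub + comm); the
    signature is accepted when c - c2 is the all-zero scalar.  The outcome is
    printed and returned as a bool.
    """
    #hash_prefix = binascii.hexlify(prefix)
    # Result is not used; presumably this decodes pub and fails on a
    # malformed point -- confirm against MiniNero.toPoint.
    MiniNero.toPoint(pub)
    comm = MiniNero.addKeys(MiniNero.scalarmultKey(pub,c), MiniNero.scalarmultBase(r))
    c2 = MiniNero.cn_fast_hash(hash_prefix + pub + comm)
    # Evaluate the comparison once and reuse it for the print and the return.
    verified = (MiniNero.sc_sub_keys(c, c2) == "0000000000000000000000000000000000000000000000000000000000000000")
    print(verified)
    return verified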
Beispiel #7
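def proveRange(amount):
    """Commit to ``amount`` bit by bit and attach an aggregate Schnorr proof.

    Returns (C, mask, R): C is the sum of the per-bit commitments, mask is
    the sum of the per-bit blinding scalars (to be passed to the receiver)
    and R is a rangeSig carrying the per-bit commitments and the ASNL
    signature.
    """
    bb = d2b(amount, ATOMS)  # bits of amount, ATOMS digits
    # NOTE(review): this writes the plaintext amount and its bits to stdout,
    # which defeats the purpose of hiding it in a commitment; drop or gate
    # this line outside of demos.
    print("amount, amount in binary", amount, bb)
    ai = [None] * len(bb)  # per-bit blinding scalars
    Ci = [None] * len(bb)  # per-bit commitments
    CiH = [None] * len(bb)  # this is like Ci - 2^i H
    H2 = getH2ForCT()
    a = MiniNero.sc_0()
    for i in range(0, ATOMS):
        ai[i] = PaperWallet.skGen()
        # running total mask, since it has to be passed to the receiver
        a = MiniNero.addScalars(a, ai[i])
        if bb[i] == 0:
            Ci[i] = MiniNero.scalarmultBase(ai[i])
        if bb[i] == 1:
            Ci[i] = MiniNero.addKeys(MiniNero.scalarmultBase(ai[i]), H2[i])
        CiH[i] = MiniNero.subKeys(Ci[i], H2[i])

    A = asnlSig()
    A.L1, A.s2, A.s = AggregateSchnorr.GenASNL(ai, Ci, CiH, bb)

    R = rangeSig()
    R.asig = A
    R.Ci = Ci

    mask = a
    C = sumCi(Ci)
    return C, mask, R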
Beispiel #8
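def proveRctMG(pubs, inSk, outSk, outPk, index):
    """Build the MLSAG signature for a RingCT transaction.

    pubs  -- matrix of ctkeys [P, C], indexed pubs[column][row]
    inSk  -- keyvector of [x, mask] secret keys for the real inputs
    outSk -- ctkeys whose .mask is the blinding scalar of each output
    outPk -- list of output ctkeys [P, C]
    index -- secret column index of the real signer (integer)

    Returns an mgSig with fields II (key images), cc (challenge) and ss
    (response matrix).

    The extra last row holds, per column, the sum of input commitments minus
    the sum of output commitments; its secret key is the sum of input masks
    minus the sum of output masks.
    """
    rows = len(pubs[0])
    cols = len(pubs)
    print("rows in mg", rows)
    print("cols in mg", cols)
    M = MLSAG2.keyMatrix(rows + 1, cols)  # placeholder matrix, contents overwritten below
    sk = MLSAG2.keyVector(rows + 1)

    for j in range(0, cols):
        M[j][rows] = MiniNero.identity()
    sk[rows] = MiniNero.sc_0()
    for i in range(0, rows):
        sk[i] = inSk[i].dest  # destination part
        sk[rows] = MiniNero.sc_add_keys(sk[rows], inSk[i].mask)  # commitment part
        for j in range(0, cols):
            M[j][i] = pubs[j][i].dest  # destination part
            M[j][rows] = MiniNero.addKeys(M[j][rows], pubs[j][i].mask)  # commitment part
    # Subtract the output masks from the secret key of the commitment row.
    for j in range(0, len(outSk)):
        sk[rows] = MiniNero.sc_sub_keys(sk[rows], outSk[j].mask)
    # Subtract every output commitment from the commitment row of EVERY
    # column.  Iterating the columns over len(outSk), as before, only matched
    # when the number of outputs happened to equal the number of columns;
    # otherwise the signed matrix differed from the one a verifier rebuilds
    # from pubs and outPk.
    for j in range(0, cols):
        for i in range(0, len(outPk)):
            M[j][rows] = MiniNero.subKeys(M[j][rows], outPk[i].mask)
    MG = mgSig()
    MG.II, MG.cc, MG.ss = MLSAG2.MLSAG_Gen(M, sk, index)

    return MG  # mgSig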
Beispiel #9
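def proveRange(amount):
    """Produce per-bit commitments to ``amount`` plus an ASNL range proof.

    Returns (C, mask, R) where C is the sum of the bit commitments, mask is
    the sum of the bit blinding scalars and R is a rangeSig holding the bit
    commitments (R.Ci) and the aggregate signature (R.asig).
    """
    bb = d2b(amount, ATOMS)  # binary form of amount in ATOMS digits
    # NOTE(review): the amount being hidden is printed in clear here; keep
    # this out of anything that logs stdout.
    print("amount, amount in binary", amount, bb)
    bit_count = len(bb)
    ai = [None] * bit_count
    Ci = [None] * bit_count
    CiH = [None] * bit_count  # this is like Ci - 2^i H
    H2 = getH2ForCT()
    a = MiniNero.sc_0()
    # The unused scratch lists the original allocated here were dropped.
    for i in range(0, ATOMS):
        ai[i] = PaperWallet.skGen()
        a = MiniNero.addScalars(a, ai[i])  # total mask, passed to the receiver
        if bb[i] == 0:
            Ci[i] = MiniNero.scalarmultBase(ai[i])
        if bb[i] == 1:
            Ci[i] = MiniNero.addKeys(MiniNero.scalarmultBase(ai[i]), H2[i])
        CiH[i] = MiniNero.subKeys(Ci[i], H2[i])

    A = asnlSig()
    A.L1, A.s2, A.s = AggregateSchnorr.GenASNL(ai, Ci, CiH, bb)

    R = rangeSig()
    R.asig = A
    R.Ci = Ci

    mask = a
    C = sumCi(Ci)
    return C, mask, R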
Beispiel #10
def ctskpkGen(amount):
    """Generate a fresh secret/public ctkey pair committing to ``amount``.

    Both keys get a new destination key pair.  The secret mask is a new
    scalar; the public mask is its public key plus amount * H, with H taken
    from getHForCT().  Returns (sk, pk).
    """
    secret = ctkey()
    public = ctkey()
    secret.dest, public.dest = PaperWallet.skpkGen()
    mask_secret, mask_public = PaperWallet.skpkGen()
    amount_hex = MiniNero.intToHex(amount)
    amount_point = MiniNero.scalarmultKey(getHForCT(), amount_hex)
    secret.mask = mask_secret
    public.mask = MiniNero.addKeys(mask_public, amount_point)
    return secret, public
Beispiel #11
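def GenSchnorrNonLinkable(x, P1, P2, index):
    """Sign with a two-key non-linkable Schnorr ring signature.

    x     -- secret scalar for the key at position ``index``
    P1,P2 -- the two ring public keys
    index -- 0 when x belongs to P1, 1 when it belongs to P2

    Returns (L1, s1, s2).  Raises ValueError for any other index; previously
    such a call fell through both branches and failed at the return with an
    unbound-variable error.

    NOTE(review): the nonce ``a`` and the decoy response come from
    PaperWallet.skGen(); they must be fresh and unpredictable for every
    signature.
    """
    if index == 0:
        a = PaperWallet.skGen()  # nonce for the real key
        L1 = MiniNero.scalarmultBase(a)
        s2 = PaperWallet.skGen()  # random response for the decoy
        c2 = MiniNero.cn_fast_hash(L1)
        L2 = MiniNero.addKeys(MiniNero.scalarmultBase(s2), MiniNero.scalarmultKey(P2, c2))
        c1 = MiniNero.cn_fast_hash(L2)
        s1 = MiniNero.sc_mulsub_keys(a,  x, c1)
    elif index == 1:
        a = PaperWallet.skGen()  # nonce for the real key
        L2 = MiniNero.scalarmultBase(a)
        s1 = PaperWallet.skGen()  # random response for the decoy
        c1 = MiniNero.cn_fast_hash(L2)
        L1 = MiniNero.addKeys(MiniNero.scalarmultBase(s1), MiniNero.scalarmultKey(P1, c1))
        c2 = MiniNero.cn_fast_hash(L1)
        s2 = MiniNero.sc_mulsub_keys(a,  x, c2)
    else:
        raise ValueError("index must be 0 or 1")
    return L1, s1, s2,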
Beispiel #12
def sumCiExp(Cis, Exp):
    """Sum the points in Cis, each scaled by 10 raised to the matching Exp.

    Both arguments are vectors; Exp[i] is the integer exponent applied to
    Cis[i].
    """
    acc = MiniNero.identity()
    for k, point in enumerate(Cis):
        factor = MiniNero.intToHex(10**Exp[k])
        acc = MiniNero.addKeys(acc, MiniNero.scalarmultKey(point, factor))
    return acc
Beispiel #13
def ctskpkGen(amount):
    """Return (sk, pk): matching ctkeys whose public mask commits to amount.

    pk.mask ends up as (mask public key) + amount * H, where H comes from
    getHForCT(); sk.mask is the corresponding blinding scalar.
    """
    sk, pk = ctkey(), ctkey()
    dest_pair = PaperWallet.skpkGen()
    sk.dest, pk.dest = dest_pair
    mask_scalar, mask_point = PaperWallet.skpkGen()
    sk.mask = mask_scalar
    am = MiniNero.intToHex(amount)
    aH = MiniNero.scalarmultKey(getHForCT(), am)
    pk.mask = MiniNero.addKeys(mask_point, aH)
    return sk, pk
Beispiel #14
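def VerASNL(P1, P2, L1, s2, s):
    """Verify an Aggregate Schnorr Non-Linkable ring signature.

    P1, P2, L1 and s2 are vectors of equal length (one entry per ring pair)
    and ``s`` is the single aggregated response.  For every pair,
    c2 = H(L1[j]), L2 = s2[j]*G + c2*P2[j] and c1 = H(L2); the check is
    sum(L1[j]) == s*G + sum(c1*P1[j]).

    Returns 0 when the signature verifies and -1 otherwise.  The success
    value is falsy and the failure value truthy, so compare with 0 explicitly.
    """
    print("Verifying Aggregate Schnorr Non-linkable Ring Signature")
    n = len(P1)
    LHS = MiniNero.scalarmultBase(MiniNero.intToHex(0))  # 0*G as the starting sum
    RHS = MiniNero.scalarmultBase(s)
    for j in range(0, n):
        c2 = MiniNero.cn_fast_hash(L1[j])
        L2 = MiniNero.addKeys(MiniNero.scalarmultBase(s2[j]), MiniNero.scalarmultKey(P2[j], c2))
        LHS = MiniNero.addKeys(LHS, L1[j])
        c1 = MiniNero.cn_fast_hash(L2)
        RHS = MiniNero.addKeys(RHS, MiniNero.scalarmultKey(P1[j], c1))
    if LHS == RHS:
        # print() call form, so the function parses on Python 3 as well
        print("Verified")
        return 0
    print("Didn't verify")
    print(LHS,"!=",  RHS)
    return -1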
Beispiel #15
def in_commitments(input_value, sk, masks):
    """Build the input commitment and the scalar needed to sign for it.

    Handles a single input for now.  Returns (C, z) with
    C = sk*G + input_value*H_ct and z = sk - sum(masks), so that
    z + sum of the mask values = sk.  z is the secret to sign with.
    """
    mask_total = sum(MiniNero.hexToInt(mask) for mask in masks)
    sum_masks = MiniNero.intToHex(mask_total)
    z = MiniNero.sc_sub_keys(sk, sum_masks)
    blinding_part = MiniNero.scalarmultBase(sk)
    # input_value is expected to equal the sum of the output values
    value_part = MiniNero.scalarmultKey(H_ct, input_value)
    C = MiniNero.addKeys(blinding_part, value_part)
    return C, z
Beispiel #16
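def GenSchnorrNonLinkable(x, P1, P2, index):
    """Create a non-linkable Schnorr ring signature over the pair (P1, P2).

    ``x`` is the secret scalar for the key selected by ``index`` (0 for P1,
    1 for P2).  Returns the tuple (L1, s1, s2).

    Any other ``index`` raises ValueError instead of reaching the return
    statement with L1, s1 and s2 unassigned.

    NOTE(review): both the nonce and the decoy response are drawn with
    PaperWallet.skGen(); reuse or bias of the nonce would expose ``x``.
    """
    if index not in (0, 1):
        raise ValueError("index must be 0 or 1")
    if index == 0:
        a = PaperWallet.skGen()
        L1 = MiniNero.scalarmultBase(a)
        s2 = PaperWallet.skGen()
        c2 = MiniNero.cn_fast_hash(L1)
        L2 = MiniNero.addKeys(MiniNero.scalarmultBase(s2),
                              MiniNero.scalarmultKey(P2, c2))
        c1 = MiniNero.cn_fast_hash(L2)
        s1 = MiniNero.sc_mulsub_keys(a, x, c1)
    else:
        a = PaperWallet.skGen()
        L2 = MiniNero.scalarmultBase(a)
        s1 = PaperWallet.skGen()
        c1 = MiniNero.cn_fast_hash(L2)
        L1 = MiniNero.addKeys(MiniNero.scalarmultBase(s1),
                              MiniNero.scalarmultKey(P1, c1))
        c2 = MiniNero.cn_fast_hash(L1)
        s2 = MiniNero.sc_mulsub_keys(a, x, c2)
    return L1, s1, s2,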
Beispiel #17
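def VerSchnorr(hash_prefix, pub, r, c):
    """Check the Schnorr signature (r, c) for ``hash_prefix`` and key ``pub``.

    The commitment is rebuilt as c*pub + r*G, hashed together with the
    prefix and the public key, and the signature passes when the resulting
    challenge differs from ``c`` by the zero scalar.  Prints and returns the
    boolean result.
    """
    #hash_prefix = binascii.hexlify(prefix)
    # Return value unused; presumably a decode/validity check on pub --
    # confirm what MiniNero.toPoint does with a malformed key.
    MiniNero.toPoint(pub)
    comm = MiniNero.addKeys(MiniNero.scalarmultKey(pub, c),
                            MiniNero.scalarmultBase(r))
    c2 = MiniNero.cn_fast_hash(hash_prefix + pub + comm)
    zero_scalar = "0000000000000000000000000000000000000000000000000000000000000000"
    # One subtraction serves both the print and the return value.
    matches = MiniNero.sc_sub_keys(c, c2) == zero_scalar
    print(matches)
    return matches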
Beispiel #18
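def VerASNL(P1, P2, L1, s2, s):
    """Check an Aggregate Schnorr Non-Linkable ring signature.

    For each ring pair j the verifier derives c2 = H(L1[j]),
    L2 = s2[j]*G + c2*P2[j] and c1 = H(L2), then tests
    sum(L1[j]) == s*G + sum(c1*P1[j]).

    Returns 0 on success and -1 on failure; -1 is truthy, so the result must
    be compared with 0 and not used directly in a condition.
    """
    print("Verifying Aggregate Schnorr Non-linkable Ring Signature")
    n = len(P1)
    LHS = MiniNero.scalarmultBase(MiniNero.intToHex(0))
    RHS = MiniNero.scalarmultBase(s)
    for j in range(0, n):
        c2 = MiniNero.cn_fast_hash(L1[j])
        L2 = MiniNero.addKeys(MiniNero.scalarmultBase(s2[j]),
                              MiniNero.scalarmultKey(P2[j], c2))
        LHS = MiniNero.addKeys(LHS, L1[j])
        c1 = MiniNero.cn_fast_hash(L2)
        RHS = MiniNero.addKeys(RHS, MiniNero.scalarmultKey(P1[j], c1))
    if LHS != RHS:
        # print() call form keeps the function valid on Python 3 too
        print("Didn't verify")
        print(LHS, "!=", RHS)
        return -1
    print("Verified")
    return 0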
Beispiel #19
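def LLW_Ver(pk, keyimage, c1, s):
    """Verify an LLW-style linkable ring signature (keyimage, c1, s).

    pk       -- list of ring public keys (strings)
    keyimage -- the signer's key image
    c1       -- challenge published for slot 0
    s        -- one response per ring member

    Starting from ``c1`` each challenge is recomputed from the previous one;
    the signature is accepted when the value obtained after the last member
    equals ``c1``.  Returns True or False.

    An empty ring, or a response list whose length differs from the ring,
    is rejected before any curve arithmetic: with zero members the loop
    never runs and the closing check would compare ``c1`` with itself.

    NOTE(review): the key image is used as given; there is no check here
    that it is a valid point of the expected order or that it has not been
    seen before -- confirm the caller handles both.
    """
    n = len(pk)
    print("verifying LLW sig of length", n)
    if n == 0 or len(s) != n:
        print("sig verifies complete", False)
        return False
    L = [None]*n
    R = [None]*n
    c = [None]*(n+1)
    pj = ''.join(pk)
    HP = [MiniNero.hashToPoint_ct(i) for i in pk]
    c[0] = c1
    for j in range(n):
        L[j] = MiniNero.addKeys(MiniNero.scalarmultBase(s[j]), MiniNero.scalarmultKey(pk[j], c[j]))
        R[j] = MiniNero.addKeys(MiniNero.scalarmultKey(HP[j], s[j]), MiniNero.scalarmultKey(keyimage, c[j]))
        c[j + 1] = MiniNero.cn_fast_hash(pj + L[j] + R[j])
    rv = (c[0] == c[n])
    print("sig verifies complete", rv)
    print("c", c)
    print("L", L)
    print("R", R)
    return rv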
Beispiel #20
def MLSAG_Sign(pk, xx, index):
    """Create an MLSAG signature over the key matrix ``pk``.

    pk    -- public keys indexed pk[row][column]; every entry is a string
    xx    -- the signer's secret scalars, one per row
    index -- the column that holds the signer's keys

    Returns (keyimage, c[0], s): the key images from keyImage(xx, rows), the
    challenge for column 0 and the response matrix s[row][column].
    """
    rows = len(xx)
    cols = len(pk[0])
    print("Generating MLSAG sig of dimensions ",rows ,"x ", cols)
    L = [[None] * cols] # one list per row, each indexed by column
    R = [[None] * cols]
    # First index is the row, second the column.  The entries at column
    # ``index`` serve as nonces, the rest as decoy responses.
    # NOTE(review): these must be fresh, unpredictable scalars for every
    # signature; PaperWallet.skGen() is not shown here.
    s = [[PaperWallet.skGen() for i in range(0, cols)] ]
    HP = [[MiniNero.hashToPoint_cn(i) for i in pk[0]]]

    pj = ''.join(pk[0])  
    for i in range(1, rows):
      L.append([None] * cols)
      R.append([None] * cols)
      s.append([PaperWallet.skGen() for j in range(0, cols)])
      HP.append([MiniNero.hashToPoint_cn(j) for j in pk[i]]) 
      pj = pj + ''.join(pk[i]) # all public keys, row after row, prefix every hash

    c= [None] * cols # one challenge per column
    keyimage = keyImage(xx, rows)
    # Commitments for the signer's column, built from the nonces.
    for i in range(0, rows):
      L[i][index] = MiniNero.scalarmultBase(s[i][index]) #aG
      R[i][index] = MiniNero.scalarmultKey(HP[i][index], s[i][index]) #aH
    j = (index + 1) % cols
    tohash = pj
    for i in range(0, rows):
      tohash = tohash + L[i][index] + R[i][index]
    c[j] = MiniNero.cn_fast_hash(tohash)
    # Walk the remaining columns, wrapping around, until back at the signer.
    while j != index:
      tohash = pj
      for i in range(0, rows):
        L[i][j] = MiniNero.addKeys(MiniNero.scalarmultBase(s[i][j]), MiniNero.scalarmultKey(pk[i][j], c[j])) #Lj = sG + cxG
        R[i][j] = MiniNero.addKeys(MiniNero.scalarmultKey(HP[i][j], s[i][j]), MiniNero.scalarmultKey(keyimage[i], c[j])) #Rj = sH + cxH
        tohash = tohash + L[i][j] + R[i][j]
      j = (j + 1) % cols
      c[j] = MiniNero.cn_fast_hash(tohash)
    # Close the ring: turn each nonce into the real response; this is the
    # only place the secret scalars xx[i] are used besides the key images.
    for i in range(0, rows):
      s[i][index] = MiniNero.sc_mulsub_keys(s[i][index], c[index], xx[i]) #si = a - c x so a = s + c x
    return keyimage, c[0], s
Beispiel #21
def rangeProof(C_out_i, masks_i):
    """Ring-sign each bit commitment of an output to prove it is 0 or 1.

    C_out_i holds the bit values and masks_i the matching blinding scalars.
    For each bit a two-member ring [C_i - H, C_i] is signed with the mask as
    secret key and the bit value as signer index.

    Returns (I_Proofs, c0s, ss, C_is): key images, first challenges,
    responses and the rings that were signed.
    """
    I_Proofs = []
    c0s = []
    ss = []
    C_is = []
    for i, mask in enumerate(masks_i):
        # masks_i * G + C_out_i * H
        C_i = MiniNero.addKeys(MiniNero.scalarmultBase(mask), MiniNero.scalarmultKey(H_ct, C_out_i[i]))
        C_i_prime = MiniNero.subKeys(C_i, H_ct)  # C_i - H
        ring = [C_i_prime, C_i]
        C_is.append(ring)
        # NOTE(review): this prints the blinding mask and the bit value,
        # i.e. the secrets the proof is meant to hide.
        print("generating LLWsig for range proof from Cis, masks, couts", ring, mask, C_out_i[i])
        # ring sig on the above, with sk masks_i
        proof, c0, responses = LLW_Sigs.LLW_Sig(ring, mask, MiniNero.hexToInt(C_out_i[i]))
        I_Proofs.append(proof)
        c0s.append(c0)
        ss.append(responses)
    return I_Proofs, c0s, ss, C_is
Beispiel #22
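def LLW_Ver(pk, keyimage, c1, s):
    """Check the LLW-style ring signature (keyimage, c1, s) against ``pk``.

    Each challenge is derived from the previous one, beginning with ``c1``
    for slot 0; the result is True only when the challenge obtained after
    the last ring member equals ``c1`` again.

    Rejects (returns False for) an empty ring and a response list of the
    wrong length.  Without that guard an empty ``pk`` skipped the loop and
    the final comparison was ``c1 == c1``.

    NOTE(review): validity of ``keyimage`` as a curve point of the expected
    order, and its uniqueness, are not checked here; presumably left to the
    caller -- confirm.
    """
    n = len(pk)
    print("verifying LLW sig of length", n)
    if n == 0 or len(s) != n:
        print("sig verifies complete", False)
        return False
    L = [None] * n
    R = [None] * n
    c = [None] * (n + 1)  # slot n holds the wrap-around challenge
    pj = ''.join(pk)
    HP = [MiniNero.hashToPoint_ct(i) for i in pk]
    c[0] = c1
    for j in range(n):
        L[j] = MiniNero.addKeys(MiniNero.scalarmultBase(s[j]),
                                MiniNero.scalarmultKey(pk[j], c[j]))
        R[j] = MiniNero.addKeys(MiniNero.scalarmultKey(HP[j], s[j]),
                                MiniNero.scalarmultKey(keyimage, c[j]))
        c[j + 1] = MiniNero.cn_fast_hash(pj + L[j] + R[j])
    rv = (c[0] == c[n])
    print("sig verifies complete", rv)
    print("c", c)
    print("L", L)
    print("R", R)
    return rv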
Beispiel #23
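def CT_ring_sig(pk, C_in, C_out, xz, index):
    """Ring-sign the commitment-adjusted keys pk[i] + C_in - sum(C_out).

    pk    -- ring of public keys
    C_in  -- input commitment added to every ring member
    C_out -- output commitments subtracted from every ring member
    xz    -- secret scalar for the adjusted key at ``index``
    index -- position of the signer in the ring

    Returns (I, c0, s, pk2): the LLW signature parts and the adjusted ring.
    The process exits if ``xz`` does not match the adjusted key at ``index``.
    """
    print("Generating Ct ring sig")
    n = len(pk)
    # Sized from the ring.  A fixed length of 2 raised IndexError for larger
    # rings and left a None member in the ring for smaller ones.
    pk2 = [None] * n
    for i in range(0, n):
        pk2[i] = MiniNero.addKeys(pk[i], C_in)
        for j in C_out:
            pk2[i] = MiniNero.subKeys(pk2[i], j)
    expected = MiniNero.scalarmultBase(xz)
    print("check validity", pk2[index], expected)
    if pk2[index] != expected:
        print("stop lying, you don't know a key")
        # NOTE(review): exit() ends the whole process; a library caller
        # cannot recover from a bad key here.
        exit()
    I, c0, s = LLW_Sigs.LLW_Sig(pk2, xz, index)
    print("Ct ring sig generated")
    return I, c0, s, pk2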
Beispiel #24
def LLW_Sig(pk, xx, index ):
    """Sign with an LLW-style linkable ring signature.

    ``pk`` is the ring (a list of strings), ``xx`` the signer's secret scalar
    and ``index`` the signer's position in the ring.  Returns
    (keyimage, c[0], s) with ``s`` a copy of the response list.

    NOTE(review): the scalars from PaperWallet.skGen() act as the nonce and
    the decoy responses; they must be fresh and unpredictable per signature.
    """
    n = len(pk)
    print("Generating LLW sig of length ", n)
    L, R, c = [None] * n, [None] * n, [None] * n
    s = [PaperWallet.skGen() for _ in range(n)]
    HP = [MiniNero.hashToPoint_ct(member) for member in pk]
    pj = ''.join(pk)
    keyimage = keyImage(xx)

    # Signer's slot: commitments built from the nonce.
    alpha = MiniNero.mul_8(s[index])
    s[index] = alpha
    L[index] = MiniNero.scalarmultBase(alpha)  # aG
    R[index] = MiniNero.scalarmultKey(HP[index], alpha)  # aH

    cur = (index + 1) % n
    c[cur] = MiniNero.cn_fast_hash(pj + L[index] + R[index])
    # Go around the ring until the signer's slot is reached again.
    while cur != index:
        # Lj = sG + cxG
        L[cur] = MiniNero.addKeys(MiniNero.scalarmultBase(s[cur]),
                                  MiniNero.scalarmultKey(pk[cur], c[cur]))
        # Rj = sH + cxH
        R[cur] = MiniNero.addKeys(MiniNero.scalarmultKey(HP[cur], s[cur]),
                                  MiniNero.scalarmultKey(keyimage, c[cur]))
        nxt = (cur + 1) % n
        # c_{j+1} = H(pk || Lj || Rj)
        c[nxt] = MiniNero.cn_fast_hash(pj + L[cur] + R[cur])
        cur = nxt

    # si = a - c x so a = s + c x
    s[index] = MiniNero.sc_mulsub_keys(alpha, c[index], xx)
    print("sigma = ", keyimage, c[0], s[:])
    return keyimage, c[0], s[:]
Beispiel #25
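def CT_ring_sig(pk, C_in, C_out, xz, index):
    """Create an LLW ring signature over the keys pk[i] + C_in - sum(C_out).

    ``xz`` must be the secret scalar of the adjusted key at ``index``; this
    is checked before signing and the process exits when it does not hold.
    Returns (I, c0, s, pk2) where pk2 is the adjusted ring that was signed.
    """
    print("Generating Ct ring sig")
    n = len(pk)
    # One slot per ring member.  The previous hard-coded length of 2 only
    # worked for two-member rings: larger rings overflowed the list and a
    # single-member ring was signed together with a None entry.
    pk2 = [None] * n
    for i in range(0, n):
        adjusted = MiniNero.addKeys(pk[i], C_in)
        for j in C_out:
            adjusted = MiniNero.subKeys(adjusted, j)
        pk2[i] = adjusted
    signer_point = MiniNero.scalarmultBase(xz)
    print("check validity", pk2[index], signer_point)
    if pk2[index] != signer_point:
        print("stop lying, you don't know a key")
        # NOTE(review): terminates the interpreter instead of raising an
        # error the caller could handle.
        exit()
    I, c0, s = LLW_Sigs.LLW_Sig(pk2, xz, index)
    print("Ct ring sig generated")
    return I, c0, s, pk2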
Beispiel #26
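def genRangeProof(b, digits):
    """Commit to each bit of ``b`` and prove every commitment hides 0 or 2^i.

    Returns (sumCi(Ci), Ci, L1, s2, s, a): the total commitment, the per-bit
    commitments, the ASNL signature parts and the total mask ``a``, which
    has to be passed to the receiver.
    """
    bb = binary(b, digits)  # binary form of b in "digits" binary digits
    # NOTE(review): prints the value being committed to in clear.
    print("b, b in binary", b, bb)
    ai = [None] * len(bb)  # per-bit blinding scalars
    Ci = [None] * len(bb)  # per-bit commitments
    CiH = [None] * len(bb)  # this is like Ci - 2^i H
    a = MiniNero.intToHex(0)
    # The two scratch lists the original allocated but never read are gone.
    for i in range(0, len(bb)):
        ai[i] = PaperWallet.skGen()
        a = MiniNero.addScalars(a, ai[i])  # running total mask
        Ci[i] = MiniNero.addKeys(MiniNero.scalarmultBase(ai[i]), MiniNero.scalarmultKey(getHForCT(), MiniNero.intToHex(bb[i] * 2 ** i)))
        CiH[i] = MiniNero.subKeys(Ci[i], MiniNero.scalarmultKey(getHForCT(), MiniNero.intToHex(2 ** i)))
    L1, s2, s = AggregateSchnorr.GenASNL(ai, Ci, CiH, bb)
    return sumCi(Ci), Ci, L1, s2, s, a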
Beispiel #27
def out_commitments(values):
    """Create commitments C_i = y_i*G + value_i*H for the output values.

    Do this first.  Each value is split into binary digits and one random
    mask is drawn per digit (for the range proofs; another base would work
    too); the sum of a value's masks is the scalar y_i that goes into the
    commitment and the ring.

    Returns (C, masks, sumMasks, values2): commitments, per-digit masks,
    summed masks and the digit lists.

    NOTE(review): sumMasks is a plain integer sum; whether it is reduced
    modulo the group order depends on MiniNero.intToHex and scalarmultBase.
    """
    values2 = [
        [MiniNero.intToHex(digit) for digit in binary(MiniNero.hexToInt(value))]
        for value in values
    ]
    masks = []
    sumMasks = []
    for digits in values2:
        digit_masks = [PaperWallet.skGen() for _ in digits]
        masks.append(digit_masks)
        sumMasks.append(MiniNero.intToHex(sum(MiniNero.hexToInt(m) for m in digit_masks)))
    C = [
        MiniNero.addKeys(MiniNero.scalarmultBase(total), MiniNero.scalarmultKey(H_ct, value))
        for total, value in zip(sumMasks, values)
    ]
    return C, masks, sumMasks, values2
Beispiel #28
def verRctMG(MG, pubs, outPk):
    """Verify the MLSAG part of a RingCT signature.

    MG    -- mgsig with fields ss (key matrix), cc (key) and II (key images)
    pubs  -- matrix of ctkeys [P, C], indexed pubs[column][row]
    outPk -- list of output ctkeys [P, C] for the transaction

    Rebuilds the key matrix from public data only: the destination keys,
    plus one extra row holding, per column, the sum of input commitments
    minus the sum of output commitments.  Returns what MLSAG2.MLSAG_Ver
    returns for that matrix (true or false).
    """
    rows = len(pubs[0])
    cols = len(pubs)
    commit_row = rows  # index of the extra commitment row
    M = MLSAG2.keyMatrix(rows + 1, cols)  # placeholder, contents overwritten
    for col in range(cols):
        M[col][commit_row] = MiniNero.identity()
    for row in range(rows):
        for col in range(cols):
            entry = pubs[col][row]
            M[col][row] = entry.dest  # destination part
            M[col][commit_row] = MiniNero.addKeys(M[col][commit_row], entry.mask)  # commitment part
    # subtract the commitment part of all outputs from every column
    for col in range(cols):
        for out_key in outPk:
            M[col][commit_row] = MiniNero.subKeys(M[col][commit_row], out_key.mask)
    return MLSAG2.MLSAG_Ver(M, MG.II, MG.cc, MG.ss)
Beispiel #29
def rangeProof(C_out_i, masks_i):
    """Produce one two-member LLW ring signature per bit commitment.

    For bit i the ring is [C_i - H, C_i] with
    C_i = masks_i[i]*G + C_out_i[i]*H; the mask is the signing key and the
    bit value selects the signer's slot.

    Returns (I_Proofs, c0s, ss, C_is).
    """
    I_Proofs, c0s, ss, C_is = [], [], [], []
    for i, blinding in enumerate(masks_i):
        blinded = MiniNero.scalarmultBase(blinding)
        C_i = MiniNero.addKeys(blinded,
                               MiniNero.scalarmultKey(H_ct, C_out_i[i]))
        pair = [MiniNero.subKeys(C_i, H_ct), C_i]  # [C_i - H, C_i]
        C_is.append(pair)
        # NOTE(review): the blinding mask and the bit value are written to
        # stdout here; both are secret inputs of the proof.
        print("generating LLWsig for range proof from Cis, masks, couts",
              pair, blinding, C_out_i[i])
        # ring sig on the pair, with the mask as secret key
        sig = LLW_Sigs.LLW_Sig(pair, blinding,
                               MiniNero.hexToInt(C_out_i[i]))
        key_image, first_challenge, responses = sig
        I_Proofs.append(key_image)
        c0s.append(first_challenge)
        ss.append(responses)
    return I_Proofs, c0s, ss, C_is
Beispiel #30
def decodeRct(rv, sk, i):
    """Decode the amount sent to output ``i`` of the RingCT signature ``rv``.

    rv -- rctSig with fields rangesigs (one range proof per output), MG (the
          mgsig [ss, cc, II]), mixRing (a ctkeyMatrix), ecdhInfo (masks /
          amounts for each output) and outPk (vector of ctkeys holding the
          commitment for each amount)
    sk -- the receiver's secret key
    i  -- index of the receiver in the rctSig (for multiple destinations)

    Returns the amount received as an integer.

    NOTE(review): when the decoded mask and amount do not reproduce the
    output commitment, only a warning is printed and the amount is still
    returned.  Callers must not treat the return value as validated.
    """
    decoded = ecdhDecode(rv.ecdhInfo[i], sk)
    mask = decoded.mask
    amount = decoded.amount
    commitment = rv.outPk[i].mask
    H = getHForCT()
    # mask*G + amount*H should reproduce the published commitment
    recomputed = MiniNero.addKeys(MiniNero.scalarmultBase(mask), MiniNero.scalarmultKey(H, amount))
    difference = MiniNero.subKeys(commitment, recomputed)
    if difference != MiniNero.identity():
        print("warning, amount decoded incorrectly, will be unable to spend")
    return MiniNero.hexToInt(amount)
Beispiel #31
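def proveRctMG(pubs, inSk, outSk, outPk, index):
    """Produce the MLSAG signature that ties RingCT inputs to outputs.

    pubs  -- matrix of ctkeys [P, C], indexed pubs[column][row]
    inSk  -- keyvector of [x, mask] secret keys
    outSk -- ctkeys carrying the output masks in .mask
    outPk -- list of output ctkeys [P, C]
    index -- secret index of the signing column (integer)

    Returns an mgSig (fields II, cc, ss) from MLSAG2.MLSAG_Gen, called with
    a key matrix made from pubs and a key vector made from inSk.  Both get
    one extra row: input commitments minus output commitments in the matrix,
    input masks minus output masks in the key vector.
    """
    rows = len(pubs[0])
    cols = len(pubs)
    print("rows in mg", rows)
    print("cols in mg", cols)
    # just a simple way to initialize a keymatrix, doesn't need to be random
    M = MLSAG2.keyMatrix(rows + 1, cols)
    sk = MLSAG2.keyVector(rows + 1)

    for j in range(0, cols):
        M[j][rows] = MiniNero.identity()
    sk[rows] = MiniNero.sc_0()
    for i in range(0, rows):
        sk[i] = inSk[i].dest  # destination part
        sk[rows] = MiniNero.sc_add_keys(sk[rows], inSk[i].mask)  # commitment part
        for j in range(0, cols):
            M[j][i] = pubs[j][i].dest  # destination part
            M[j][rows] = MiniNero.addKeys(M[j][rows], pubs[j][i].mask)  # commitment part
    # Output masks come off the secret key of the commitment row ...
    for out_secret in outSk:
        sk[rows] = MiniNero.sc_sub_keys(sk[rows], out_secret.mask)
    # ... and output commitments come off the commitment row of every column.
    # The column loop used to run over len(outSk), which is only right when
    # the output count equals the column count; with any other shape the
    # signer's matrix no longer matched what a verifier derives from pubs
    # and outPk.
    for j in range(0, cols):
        for out_public in outPk:
            M[j][rows] = MiniNero.subKeys(M[j][rows], out_public.mask)
    MG = mgSig()
    MG.II, MG.cc, MG.ss = MLSAG2.MLSAG_Gen(M, sk, index)

    return MG  # mgSig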
Beispiel #32
def decodeRct(rv, sk, i):
    """Return the amount received in output ``i`` of ``rv``.

    Inputs:
      rv -- rctSig [rangesigs, MG, mixRing, ecdhInfo, outPk]: one range
            proof per output, the mgsig [ss, cc, II], a ctkeyMatrix, the
            masks / amounts for each output, and the vector of ctkeys with
            the commitment for each amount
      sk -- secret key of the receiver
      i  -- index of the receiver in the rctSig (multiple destinations)

    NOTE(review): a mismatch between the decoded (mask, amount) and the
    output commitment only produces a printed warning; the amount is
    returned either way, so the caller has to treat it as unverified.
    """
    info = ecdhDecode(rv.ecdhInfo[i], sk)
    blinding, amount = info.mask, info.amount
    C = rv.outPk[i].mask
    H = getHForCT()
    expected = MiniNero.addKeys(MiniNero.scalarmultBase(blinding),
                                MiniNero.scalarmultKey(H, amount))
    commitment_matches = MiniNero.subKeys(C, expected) == MiniNero.identity()
    if not commitment_matches:
        print("warning, amount decoded incorrectly, will be unable to spend")
    return MiniNero.hexToInt(amount)
Beispiel #33
def out_commitments(values):
    """Return commitments C_i = y_i*G + value_i*H for the outputs.

    Do this first.  Every value is decomposed into binary digits (for the
    range proofs; another base could be used), a random mask is drawn per
    digit, and the sum of those masks is what actually goes into the ring.

    Returns (C, masks, sumMasks, values2).

    NOTE(review): the mask sum is computed over plain integers; confirm that
    MiniNero.intToHex / scalarmultBase cope with a value above the group
    order.
    """
    values2 = []
    for value in values:
        digits = binary(MiniNero.hexToInt(value))
        values2.append([MiniNero.intToHex(d) for d in digits])

    masks = []
    sumMasks = []
    for digit_list in values2:
        fresh = [PaperWallet.skGen() for _ in digit_list]
        as_ints = [MiniNero.hexToInt(m) for m in fresh]
        masks.append(fresh)
        sumMasks.append(MiniNero.intToHex(sum(as_ints)))

    C = []
    for y, value in zip(sumMasks, values):
        C.append(MiniNero.addKeys(MiniNero.scalarmultBase(y),
                                  MiniNero.scalarmultKey(H_ct, value)))
    return C, masks, sumMasks, values2
Beispiel #34
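def genRangeProof(b, digits):
    """Build per-bit commitments to ``b`` and an ASNL proof over them.

    Bit i is committed as Ci[i] = ai[i]*G + (bb[i] * 2**i)*H, and
    CiH[i] = Ci[i] - 2**i * H is the second key of its ring pair.

    Returns (sumCi(Ci), Ci, L1, s2, s, a) where ``a`` is the total mask that
    has to be passed to the receiver.
    """
    bb = binary(b, digits)  # binary form of b in "digits" binary digits
    # NOTE(review): the committed value is printed in clear here.
    print("b, b in binary", b, bb)
    bit_count = len(bb)
    ai = [None] * bit_count
    Ci = [None] * bit_count
    CiH = [None] * bit_count  # this is like Ci - 2^i H
    a = MiniNero.intToHex(0)
    # Two lists that were allocated here but never used have been removed.
    for i in range(0, bit_count):
        ai[i] = PaperWallet.skGen()
        a = MiniNero.addScalars(a, ai[i])  # running total mask
        Ci[i] = MiniNero.addKeys(
            MiniNero.scalarmultBase(ai[i]),
            MiniNero.scalarmultKey(getHForCT(),
                                   MiniNero.intToHex(bb[i] * 2**i)))
        CiH[i] = MiniNero.subKeys(
            Ci[i], MiniNero.scalarmultKey(getHForCT(),
                                          MiniNero.intToHex(2**i)))
    L1, s2, s = ASNL.GenASNL(ai, Ci, CiH, bb)
    return sumCi(Ci), Ci, L1, s2, s, a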
Beispiel #35
def verRctMG(MG, pubs, outPk):
    """Check the MLSAG signature ``MG`` of a RingCT transaction.

    MG    -- mgsig [ss, cc, II]: key matrix ss, key cc, key-image vector II
    pubs  -- matrix of ctkeys [P, C]
    outPk -- list of output ctkeys [P, C] for the transaction

    The key matrix is rebuilt from public data: destination keys in rows
    0..rows-1 and, in the extra last row, the input commitments of the
    column minus all output commitments.  Returns true or false as reported
    by MLSAG2.MLSAG_Ver.
    """
    rows = len(pubs[0])
    cols = len(pubs)
    last = rows
    # just a simple way to initialize a keymatrix, doesn't need to be random
    M = MLSAG2.keyMatrix(rows + 1, cols)
    for j in range(cols):
        M[j][last] = MiniNero.identity()
    for i in range(rows):
        for j in range(cols):
            ring_key = pubs[j][i]
            M[j][i] = ring_key.dest  # destination part
            running = MiniNero.addKeys(M[j][last], ring_key.mask)
            M[j][last] = running  # commitment part
    # next subtract the commitment part of all outputs
    for j in range(cols):
        for output in outPk:
            M[j][last] = MiniNero.subKeys(M[j][last], output.mask)
    return MLSAG2.MLSAG_Ver(M, MG.II, MG.cc, MG.ss)
Beispiel #36
#you += hash(pubkey || index) to both the private scalar and public point
#<tacotime> [02:35:38] so to get priv_i and pub_i
#<tacotime> [02:36:06] priv_i = (priv + hash) mod N
#<tacotime> [02:37:17] pub_i = (pub + scalarbasemult(hash))
import MiniNero
import PaperWallet

# Parent key material; only sk and pk are used below.
sk, vk, pk, pvk, addr, wl, cks = PaperWallet.keysBoth()

print("making keychain")
# Derive child key pairs for i = 1..599 by adding H(pk || index) to both the
# secret scalar and the public point.
for i in range(1, 600):
    index = MiniNero.intToHex(i)
    # The tweak is computed from public data only (pk and the index).
    has = MiniNero.cn_fast_hash(pk + index)
    sk1 = MiniNero.sc_add_keys(sk, has)
    pk1 = MiniNero.addKeys(pk, MiniNero.scalarmultBase(has))
    # Consistency check: the derived public key must match the derived secret.
    pk1_check = MiniNero.publicFromSecret(sk1)
    print("Check", pk1 == pk1_check)
    # NOTE(review): this prints every child secret key.  Since the tweak is
    # public, one child secret together with pk yields the parent secret
    # (sk = sk1 - has), so child secrets need the same protection as sk.
    print(sk1)
    #print("i, sk, pk", i, sk1, pk1)
Beispiel #37
# Command-line test driver: the first argument selects which primitive to
# exercise.
if len(sys.argv) >= 2:
    if sys.argv[1] == "id":
        # print the identity element via Translator.hexToC
        Translator.hexToC(MiniNero.identity())

    if sys.argv[1] == "smult":
        # fixed test scalar, not a key to reuse anywhere
        a= "87a61352d86f5cb0e9d227542b6b4870b9a327d082d15ea64e0494b9a896c1ac"
        aG = MiniNero.scalarmultBase(a)
        print(aG)
        print(MiniNero.scalarmultKey(aG, a))
    if sys.argv[1] == "add":
        #once it's good
        # The generated keys are immediately replaced by fixed test values,
        # so the output is reproducible.
        A = PaperWallet.pkGen()
        A = "75819750158570adc58ad6f932c3704661d6cd8eafd3a14818293a17790fbf71"
        B = PaperWallet.pkGen()
        B = "5fbc56c82c6e40596c673e301b63e100f08b97723ead425ed38f2b55c7a6454f"
        AB = MiniNero.addKeys(A, B)
        Translator.hexToC(A)
        Translator.hexToC(B)
        print(AB)
        AAB = MiniNero.addKeys(AB, A)
        print("AAB", AAB)
        print("hash")
        print(MiniNero.sc_reduce_key(MiniNero.cn_fast_hash(A)))
        # A and B are passed both as the point and as the scalar here; this
        # only exercises the arithmetic.
        aAbB = MiniNero.addKeys(MiniNero.scalarmultKey(A, A), MiniNero.scalarmultKey(B, B))
        print("testing addKeys3")
        print(aAbB)

    if sys.argv[1] == "rs":
        #once it's good
        sk = MiniNero.randomScalar()
    if sys.argv[1] == "mn":
Beispiel #38
def sumCi(Cis):
    """Return the sum of the points in Cis, starting from the identity."""
    total = MiniNero.identity()
    for commitment in Cis:
        total = MiniNero.addKeys(total, commitment)
    return total
Beispiel #39
def sumCi(Cis):
    """Add all points in Cis together; an empty input gives the identity."""
    acc = MiniNero.identity()
    remaining = iter(Cis)
    for point in remaining:
        acc = MiniNero.addKeys(acc, point)
    return acc
Beispiel #40
def in_commitments(input_value, sk, masks):
    """Return (C, z) for a single input.

    C = sk*G + input_value*H_ct is the input commitment, where input_value
    should equal the sum of the output values.  z = sk - sum(masks) is the
    secret key needed to sign for this commitment.
    """
    # for now, assume there is one input; generalize once that works
    total = 0
    for mask in masks:
        total += MiniNero.hexToInt(mask)
    sum_masks = MiniNero.intToHex(total)
    z = MiniNero.sc_sub_keys(sk, sum_masks)  # z + sum of input mask values = sk
    C = MiniNero.addKeys(MiniNero.scalarmultBase(sk),
                         MiniNero.scalarmultKey(H_ct, input_value))
    return C, z
Beispiel #41
# Command-line test driver: sys.argv[1] picks the primitive to exercise.
if len(sys.argv) >= 2:
    if sys.argv[1] == "id":
        # print the identity element via Translator.hexToC
        Translator.hexToC(MiniNero.identity())

    if sys.argv[1] == "smult":
        # fixed test scalar, not a key to reuse anywhere
        a = "87a61352d86f5cb0e9d227542b6b4870b9a327d082d15ea64e0494b9a896c1ac"
        aG = MiniNero.scalarmultBase(a)
        print(aG)
        print(MiniNero.scalarmultKey(aG, a))
    if sys.argv[1] == "add":
        #once it's good
        # The freshly generated keys are overwritten with fixed test values
        # right away, which keeps the output reproducible.
        A = PaperWallet.pkGen()
        A = "75819750158570adc58ad6f932c3704661d6cd8eafd3a14818293a17790fbf71"
        B = PaperWallet.pkGen()
        B = "5fbc56c82c6e40596c673e301b63e100f08b97723ead425ed38f2b55c7a6454f"
        AB = MiniNero.addKeys(A, B)
        Translator.hexToC(A)
        Translator.hexToC(B)
        print(AB)
        AAB = MiniNero.addKeys(AB, A)
        print("AAB", AAB)
        print("hash")
        print(MiniNero.sc_reduce_key(MiniNero.cn_fast_hash(A)))
        # A and B serve as both point and scalar; arithmetic test only
        aAbB = MiniNero.addKeys(MiniNero.scalarmultKey(A, A),
                                MiniNero.scalarmultKey(B, B))
        print("testing addKeys3")
        print(aAbB)

    if sys.argv[1] == "rs":
        #once it's good
        sk = MiniNero.randomScalar()
Beispiel #42
# Ed25519 parameters: q is the field prime, l the order of the base point.
# Only l is used in this snippet.
q = 2**255 - 19
l = 2**252 + 27742317777372353535851937790883648493
import MiniNero
import PaperWallet

# Four fixed test scalars; hard-coded values like these are for checking the
# arithmetic only and must never be used as real keys.
a = 3655169758690262480859172686034352748701568204867449275194046101565641063400
b = 2196281112309589493539510630657048805544016132079821556435431458072258858680
c = 1680308020000391016811131033972168547846809685867129675902005632340344199616
d = 3102886190919558838979092227453570755967767872654511102581747930112259050736
e = a + b + c + d
# Show the raw sum next to its reduction mod l; the raw (unreduced) sum is
# what gets passed to intToHex below.
print(e, e % l)
pk = MiniNero.publicFromSecret(MiniNero.intToHex(e))
pka = MiniNero.publicFromSecret(MiniNero.intToHex(a))
pkb = MiniNero.publicFromSecret(MiniNero.intToHex(b))
pkc = MiniNero.publicFromSecret(MiniNero.intToHex(c))
pkd = MiniNero.publicFromSecret(MiniNero.intToHex(d))
# Add the four public keys one at a time.
A = MiniNero.addKeys(pka, pkb)
B = MiniNero.addKeys(A, pkc)
C = MiniNero.addKeys(B, pkd)
# The two printed values are meant to be compared by eye: the sum of the
# public keys against the public key of the summed secrets.
print(C)
print(pk)

Beispiel #43
#you += hash(pubkey || index) to both the private scalar and public point
#<tacotime> [02:35:38] so to get priv_i and pub_i
#<tacotime> [02:36:06] priv_i = (priv + hash) mod N
#<tacotime> [02:37:17] pub_i = (pub + scalarbasemult(hash))
import MiniNero
import PaperWallet

# Parent key material; only sk and pk are used below.
sk, vk, pk, pvk, addr, wl, cks = PaperWallet.keysBoth()

print("making keychain")
# Child i is obtained by adding H(pk || index) to the parent secret scalar
# and the matching multiple of the base point to the parent public key.
for i in range(1, 600):
    index = MiniNero.intToHex(i)
    # computed from public values only
    has = MiniNero.cn_fast_hash(pk + index)
    sk1 = MiniNero.sc_add_keys(sk, has)
    pk1 = MiniNero.addKeys(pk, MiniNero.scalarmultBase(has))
    # the derived secret must map to the derived public key
    pk1_check =  MiniNero.publicFromSecret(sk1)
    print("Check", pk1== pk1_check)
    # NOTE(review): child secret keys are written to stdout.  Because the
    # tweak is public, any single child secret plus pk gives the parent
    # secret (sk = sk1 - has); treat this output as sensitive as sk itself.
    print(sk1)
    #print("i, sk, pk", i, sk1, pk1)
Beispiel #44
if len(sys.argv) >= 2:
    if sys.argv[1] == "id":
        Translator.hexToC(MiniNero.identity())

    if sys.argv[1] == "smult":
        a= "87a61352d86f5cb0e9d227542b6b4870b9a327d082d15ea64e0494b9a896c1ac"
        aG = MiniNero.scalarmultBase(a)
        print(aG)
        print(MiniNero.scalarmultKey(aG, a))
    if sys.argv[1] == "add":
        #once it's good
        A = PaperWallet.pkGen()
        A = "75819750158570adc58ad6f932c3704661d6cd8eafd3a14818293a17790fbf71"
        B = PaperWallet.pkGen()
        B = "5fbc56c82c6e40596c673e301b63e100f08b97723ead425ed38f2b55c7a6454f"
        AB = MiniNero.addKeys(A, B)
        Translator.hexToC(A)
        Translator.hexToC(B)
        print(AB)
        AAB = MiniNero.addKeys(AB, A)
        print("AAB", AAB)
        print("hash")
        print(MiniNero.sc_reduce_key(MiniNero.cn_fast_hash(A)))
        aAbB = MiniNero.addKeys(MiniNero.scalarmultKey(A, A), MiniNero.scalarmultKey(B, B))
        print("testing addKeys3")
        print(aAbB)

    if sys.argv[1] == "rs":
        #once it's good
        sk = MiniNero.randomScalar()
    if sys.argv[1] == "mn":