def ctest_multiexp(self):
scalars = [0, 1, 2, 3, 4, 99]
point_base = [0, 2, 4, 7, 12, 18]
scalar_sc = [crypto.sc_init(x) for x in scalars]
points = [
crypto.scalarmult_base(crypto.sc_init(x)) for x in point_base
]
muex = bp.MultiExp(
scalars=[crypto.encodeint(x) for x in scalar_sc],
point_fnc=lambda i, d: crypto.encodepoint(points[i]))
self.assertEqual(len(muex), len(scalars))
res = bp.multiexp(None, muex)
res2 = bp.vector_exponent_custom(
A=bp.KeyVEval(
3, lambda i, d: crypto.encodepoint_into(
crypto.scalarmult_base(crypto.sc_init(point_base[i])), d)),
B=bp.KeyVEval(
3, lambda i, d: crypto.encodepoint_into(
crypto.scalarmult_base(crypto.sc_init(point_base[3 + i])),
d)),
a=bp.KeyVEval(
3,
lambda i, d: crypto.encodeint_into(crypto.sc_init(scalars[i]),
d),
),
b=bp.KeyVEval(
3, lambda i, d: crypto.encodeint_into(
crypto.sc_init(scalars[i + 3]), d)),
)
self.assertEqual(res, res2)
def test_signature(self):
for i in range(10):
priv = crypto.random_scalar()
data = crypto.cn_fast_hash(bytes(bytearray([i])))
c, r, pub = crypto.generate_signature(data, priv)
res = crypto.check_signature(data, c, r, pub)
self.assertEqual(res, 1)
res2 = crypto.check_signature(data,
crypto.sc_add(c, crypto.sc_init(1)),
r, pub)
self.assertEqual(res2, 0)
def test_range_proof2_old(self):
proof = ring_ct.prove_range(123456789,
use_asnl=True,
mem_opt=False,
decode=True)
res = ring_ct.ver_range(proof[0],
proof[2],
use_asnl=True,
decode=False)
self.assertTrue(res)
res = ring_ct.ver_range(
crypto.point_add(proof[0],
crypto.scalarmult_base(crypto.sc_init(4))),
proof[2],
use_asnl=True,
decode=False,
)
self.assertFalse(res)
def test_range_proof2(self):
amount = 17 + (1 << 60)
proof = ring_ct.prove_range(amount)
res = ring_ct.ver_range(proof[0], proof[2])
self.assertTrue(res)
self.assertTrue(
crypto.point_eq(
proof[0],
crypto.point_add(crypto.scalarmult_base(proof[1]),
crypto.scalarmult_h(amount)),
))
proof = ring_ct.prove_range(amount, mem_opt=False, decode=True)
res = ring_ct.ver_range(proof[0], proof[2], decode=False)
self.assertTrue(res)
res = ring_ct.ver_range(
crypto.point_add(proof[0],
crypto.scalarmult_base(crypto.sc_init(4))),
proof[2],
decode=False,
)
self.assertFalse(res)
def prove_range_chunked(amount, last_mask=None):
a = crypto.sc_init(0)
si = crypto.sc_init(0)
c = crypto.sc_init(0)
ee = crypto.sc_init(0)
tmp_ai = crypto.sc_init(0)
tmp_alpha = crypto.sc_init(0)
C_acc = crypto.identity()
C_h = crypto.xmr_H()
C_tmp = crypto.identity()
L = crypto.identity()
Zero = crypto.identity()
kck = crypto.get_keccak()
ai = bytearray(32 * 64)
alphai = bytearray(32 * 64)
buff = bytearray(32)
Cis = bytearray(32 * 64)
s0s = bytearray(32 * 64)
s1s = bytearray(32 * 64)
ee_bin = bytearray(32)
for ii in range(64):
crypto.random_scalar_into(tmp_ai)
if last_mask is not None and ii == 63:
crypto.sc_sub_into(tmp_ai, last_mask, a)
crypto.sc_add_into(a, a, tmp_ai)
crypto.random_scalar_into(tmp_alpha)
crypto.scalarmult_base_into(L, tmp_alpha)
crypto.scalarmult_base_into(C_tmp, tmp_ai)
# C_tmp += &Zero if BB(ii) == 0 else &C_h
crypto.point_add_into(C_tmp, C_tmp, Zero if
((amount >> ii) & 1) == 0 else C_h)
crypto.point_add_into(C_acc, C_acc, C_tmp)
# Set Ci[ii] to sigs
crypto.encodepoint_into(Cis, C_tmp, ii << 5)
crypto.encodeint_into(ai, tmp_ai, ii << 5)
crypto.encodeint_into(alphai, tmp_alpha, ii << 5)
if ((amount >> ii) & 1) == 0:
crypto.random_scalar_into(si)
crypto.encodepoint_into(buff, L)
crypto.hash_to_scalar_into(c, buff)
crypto.point_sub_into(C_tmp, C_tmp, C_h)
crypto.add_keys2_into(L, si, c, C_tmp)
crypto.encodeint_into(s1s, si, ii << 5)
crypto.encodepoint_into(buff, L)
kck.update(buff)
crypto.point_double_into(C_h, C_h)
# Compute ee
tmp_ee = kck.digest()
crypto.decodeint_into(ee, tmp_ee)
del (tmp_ee, kck)
C_h = crypto.xmr_H()
gc.collect()
# Second pass, s0, s1
for ii in range(64):
crypto.decodeint_into(tmp_alpha, alphai, ii << 5)
crypto.decodeint_into(tmp_ai, ai, ii << 5)
if ((amount >> ii) & 1) == 0:
crypto.sc_mulsub_into(si, tmp_ai, ee, tmp_alpha)
crypto.encodeint_into(s0s, si, ii << 5)
else:
crypto.random_scalar_into(si)
crypto.encodeint_into(s0s, si, ii << 5)
crypto.decodepoint_into(C_tmp, Cis, ii << 5)
crypto.add_keys2_into(L, si, ee, C_tmp)
crypto.encodepoint_into(buff, L)
crypto.hash_to_scalar_into(c, buff)
crypto.sc_mulsub_into(si, tmp_ai, c, tmp_alpha)
crypto.encodeint_into(s1s, si, ii << 5)
crypto.point_double_into(C_h, C_h)
crypto.encodeint_into(ee_bin, ee)
del (ai, alphai, buff, tmp_ai, tmp_alpha, si, c, ee, C_tmp, C_h, L, Zero)
gc.collect()
return C_acc, a, [s0s, s1s, ee_bin, Cis]
def test_prove_batch16(self):
bpi = bp.BulletProofBuilder()
sv = [crypto.sc_init(137 * i) for i in range(16)]
gamma = [crypto.sc_init(991 * i) for i in range(16)]
proof = bpi.prove_batch(sv, gamma)
bpi.verify_batch([proof])
def test_prove_batch(self):
bpi = bp.BulletProofBuilder()
sv = [crypto.sc_init(123), crypto.sc_init(768)]
gamma = [crypto.sc_init(456), crypto.sc_init(901)]
proof = bpi.prove_batch(sv, gamma)
bpi.verify_batch([proof])
async def gen_rct_header(self, destinations, outamounts):
"""
Initializes RV RctSig structure, processes outputs, computes range proofs, ecdh info masking.
Common to gen_rct and gen_rct_simple.
:param destinations:
:param outamounts:
:return:
"""
rv = xmrtypes.RctSig()
rv.p = xmrtypes.RctSigPrunable()
rv.message = self.tx_prefix_hash
rv.outPk = [None] * len(destinations)
if self.use_bulletproof:
rv.p.bulletproofs = [None] * len(destinations)
else:
rv.p.rangeSigs = [None] * len(destinations)
rv.ecdhInfo = [None] * len(destinations)
# Output processing
sumout = crypto.sc_0()
out_sk = [None] * len(destinations)
for idx in range(len(destinations)):
rv.outPk[idx] = xmrtypes.CtKey(dest=crypto.encodepoint(destinations[idx]))
C, mask, rsig = None, 0, None
# Rangeproof
if self.use_bulletproof:
raise ValueError("Bulletproof not yet supported")
else:
C, mask, rsig = ring_ct.prove_range(outamounts[idx])
rv.p.rangeSigs[idx] = rsig
if __debug__:
assert ring_ct.ver_range(C, rsig)
assert crypto.point_eq(
C,
crypto.point_add(
crypto.scalarmult_base(mask),
crypto.scalarmult_h(outamounts[idx]),
),
)
# Mask sum
rv.outPk[idx].mask = crypto.encodepoint(C)
sumout = crypto.sc_add(sumout, mask)
out_sk[idx] = xmrtypes.CtKey(mask=mask)
# ECDH masking
amount_key = crypto.encodeint(self.output_secrets[idx][0])
rv.ecdhInfo[idx] = xmrtypes.EcdhTuple(
mask=mask, amount=crypto.sc_init(outamounts[idx])
)
rv.ecdhInfo[idx] = ring_ct.ecdh_encode(
rv.ecdhInfo[idx], derivation=amount_key
)
monero.recode_ecdh(rv.ecdhInfo[idx], encode=True)
return rv, sumout, out_sk
async def range_proof(self, idx, dest_pub_key, amount, amount_key):
"""
Computes rangeproof and related information - out_sk, out_pk, ecdh_info.
In order to optimize incremental transaction build, the mask computation is changed compared
to the official Monero code. In the official code, the input pedersen commitments are computed
after range proof in such a way summed masks for commitments (alpha) and rangeproofs (ai) are equal.
In order to save roundtrips we compute commitments randomly and then for the last rangeproof
a[63] = (\\sum_{i=0}^{num_inp}alpha_i - \\sum_{i=0}^{num_outs-1} amasks_i) - \\sum_{i=0}^{62}a_i
The range proof is incrementally hashed to the final_message.
:param idx:
:param dest_pub_key:
:param amount:
:param amount_key:
:return:
"""
from monero_glue.xmr import ring_ct
rsig = bytearray(32 * (64 + 64 + 64 + 1))
rsig_mv = memoryview(rsig)
out_pk = misc.StdObj(dest=dest_pub_key, mask=None)
is_last = idx + 1 == self.num_dests()
last_mask = (
None
if not is_last or not self.use_simple_rct
else crypto.sc_sub(self.sumpouts_alphas, self.sumout)
)
# Pedersen commitment on the value, mask from the commitment, range signature.
C, mask, rsig = None, 0, None
# Rangeproof
gc.collect()
if self.use_bulletproof:
raise ValueError("Bulletproof not yet supported")
else:
C, mask, rsig = ring_ct.prove_range(
amount, last_mask, backend_impl=True, byte_enc=True, rsig=rsig_mv
)
rsig = memoryview(rsig)
if __debug__:
rsig_bytes = monero.inflate_rsig(rsig)
self.assrt(ring_ct.ver_range(C, rsig_bytes))
self.assrt(
crypto.point_eq(
C,
crypto.point_add(
crypto.scalarmult_base(mask), crypto.scalarmult_h(amount)
),
),
"rproof",
)
# Incremental hashing
await self.full_message_hasher.rsig_val(
rsig, self.use_bulletproof, raw=True
)
gc.collect()
self._log_trace("rproof")
# Mask sum
out_pk.mask = crypto.encodepoint(C)
self.sumout = crypto.sc_add(self.sumout, mask)
self.output_sk.append(misc.StdObj(mask=mask))
# ECDH masking
from monero_glue.xmr.sub.recode import recode_ecdh
from monero_serialize.xmrtypes import EcdhTuple
ecdh_info = EcdhTuple(mask=mask, amount=crypto.sc_init(amount))
ecdh_info = ring_ct.ecdh_encode(
ecdh_info, derivation=crypto.encodeint(amount_key)
)
recode_ecdh(ecdh_info, encode=True)
gc.collect()
return rsig, out_pk, ecdh_info
async def test_node_transaction(self):
tx_j = pkg_resources.resource_string(
__name__, os.path.join("data", "tsx_01.json"))
tx_c = pkg_resources.resource_string(
__name__, os.path.join("data", "tsx_01_plain.txt"))
tx_u_c = pkg_resources.resource_string(
__name__, os.path.join("data", "tsx_01_uns.txt"))
tx_js = json.loads(tx_j.decode("utf8"))
reader = xmrserialize.MemoryReaderWriter(
bytearray(binascii.unhexlify(tx_c)))
ar = xmrserialize.Archive(reader, False, self._get_bc_ver())
tx = xmrtypes.Transaction()
await ar.message(tx)
reader = xmrserialize.MemoryReaderWriter(
bytearray(binascii.unhexlify(tx_u_c)))
ar = xmrserialize.Archive(reader, False, self._get_bc_ver())
uns = xmrtypes.UnsignedTxSet()
await ar.message(uns)
# Test message hash computation
tx_prefix_hash = await monero.get_transaction_prefix_hash(tx)
message = binascii.unhexlify(tx_js["tx_prefix_hash"])
self.assertEqual(tx_prefix_hash, message)
# RingCT, range sigs, hash
rv = tx.rct_signatures
rv.message = message
rv.mixRing = self.mixring(tx_js)
digest = await monero.get_pre_mlsag_hash(rv)
full_message = binascii.unhexlify(tx_js["pre_mlsag_hash"])
self.assertEqual(digest, full_message)
# Recompute missing data
monero.expand_transaction(tx)
# Unmask ECDH data, check range proofs
for i in range(len(tx_js["amount_keys"])):
ecdh = monero.copy_ecdh(rv.ecdhInfo[i])
monero.recode_ecdh(ecdh, encode=False)
ecdh = ring_ct.ecdh_decode(ecdh,
derivation=binascii.unhexlify(
tx_js["amount_keys"][i]))
self.assertEqual(crypto.sc_get64(ecdh.amount),
tx_js["outamounts"][i])
self.assertTrue(
crypto.sc_eq(
ecdh.mask,
crypto.decodeint(
binascii.unhexlify(tx_js["outSk"][i])[32:]),
))
C = crypto.decodepoint(rv.outPk[i].mask)
rsig = rv.p.rangeSigs[i]
res = ring_ct.ver_range(C, rsig)
self.assertTrue(res)
res = ring_ct.ver_range(
crypto.point_add(C, crypto.scalarmult_base(crypto.sc_init(3))),
rsig)
self.assertFalse(res)
is_simple = len(tx.vin) > 1
monero.recode_rct(rv, encode=False)
if is_simple:
for index in range(len(rv.p.MGs)):
pseudo_out = crypto.decodepoint(
binascii.unhexlify(
tx_js["tx"]["rct_signatures"]["pseudoOuts"][index]))
r = mlsag2.ver_rct_mg_simple(full_message, rv.p.MGs[index],
rv.mixRing[index], pseudo_out)
self.assertTrue(r)
r = mlsag2.ver_rct_mg_simple(full_message, rv.p.MGs[index],
rv.mixRing[index - 1], pseudo_out)
self.assertFalse(r)
else:
txn_fee_key = crypto.scalarmult_h(rv.txnFee)
r = mlsag2.ver_rct_mg(rv.p.MGs[0], rv.mixRing, rv.outPk,
txn_fee_key, digest)
self.assertTrue(r)
r = mlsag2.ver_rct_mg(
rv.p.MGs[0],
rv.mixRing,
rv.outPk,
crypto.scalarmult_h(rv.txnFee - 100),
digest,
)
self.assertFalse(r)
async def step(self, p1=0, p2=2, params=None, buffers=None):
if p1 == 0:
self.bpp(None) # clear old state
self.check_mem("+++BP START: %s; %s" % (p1, p2))
# gc.collect()
self.log_trace("BP START")
# Crypto function call number reporting not implemented here
# It is in git: ph4r05/trezor-firmware/pr/bpoff-counting-exp
bpi, res = None, None
if p1 == 0:
# crypto.report_reset()
bp.set_prng(crypto.prng(bp.ZERO))
bpi = bp.BulletProofBuilder()
# bpi.gc_fnc = gc.collect
bpi.gc_trace = self.log_trace
sv = [crypto.sc_init(137 * i) for i in range(p2)]
gamma = [crypto.sc_init(991 * i) for i in range(p2)]
bpi.off_method = 2 if not params and len(
params) <= 1 else params[0]
if params and len(params) >= 4:
bpi.nprime_thresh = params[1]
bpi.off2_thresh = params[2]
bpi.batching = params[3]
res = bpi.prove_batch_off(sv, gamma, buffers)
# crypto.report()
state = bpi.dump_state()
# del (bp, bpi)
# gc.collect()
self.log_trace("BP STATE")
self.bpp((state, None))
# self.bpp((state, crypto.report_get()))
# del (crypto)
# gc.collect()
self.log_trace("BP STATE2")
else:
# crypto.report_reset()
state, fncs = self.bpp()
bpi = bp.BulletProofBuilder()
bpi.load_state(state)
del (state)
self.bpp(None)
# gc.collect()
self.log_trace("From state")
# bp.PRNG = crypto.prng(bp._ZERO)
# bpi.gc_fnc = gc.collect
bpi.gc_trace = self.log_trace
# crypto.report_reset()
# crypto.report_set(fncs)
res = bpi.prove_batch_off_step(buffers)
# crypto.report()
state = bpi.dump_state()
del bpi
# del (bp, bpi)
# gc.collect()
self.log_trace("BP STATE")
self.bpp((state, fncs))
# del (crypto)
# gc.collect()
self.log_trace("BP STATE2")
# gc.collect()
self.log_trace("BP STEP")
self.check_mem("+++BP STEP")
if isinstance(res, tuple) and res[0] == 1:
from monero_glue.hwtoken import misc as tmisc
B = res[1]
B2 = BulletproofFull()
B2.V = B.V
B2.S = B.S
B2.A = B.A
B2.T1 = B.T1
B2.T2 = B.T2
B2.taux = B.taux
B2.mu = B.mu
B2.L = B.L
B2.R = B.R
B2.a = B.a
B2.b = B.b
B2.t = B.t
res = await tmisc.dump_msg(B2)
msg = None
if res:
msg = res if isinstance(res, (list, tuple)) else [res]
return msg
def test_prove_batch(self):
self.skip_if_cannot_test()
bpi = bp.BulletProofBuilder()
sv = [
crypto.sc_init(123),
crypto.sc_init(768),
crypto.sc_init(1231),
crypto.sc_init(7681),
crypto.sc_init(1232),
crypto.sc_init(7682),
crypto.sc_init(1232),
crypto.sc_init(7682),
]
gamma = [
crypto.sc_init(456),
crypto.sc_init(901),
crypto.sc_init(4561),
crypto.sc_init(9011),
crypto.sc_init(4562),
crypto.sc_init(9012),
crypto.sc_init(4562),
crypto.sc_init(9012),
]
proof = bpi.prove_batch(sv, gamma)
bpi.verify_batch([proof])
async def gen_input(self,
value=1,
sub_major=None,
sub_minor=0,
additionals=False):
creds = self.src_keys
r = self.random_scalar()
R = crypto.scalarmult_base(r)
additional_keys = []
Additional = None
sub_major = sub_major if sub_major is not None else self.account_idx
is_sub = sub_major != 0 or sub_minor != 0
if sub_major != self.account_idx:
logger.warning(
"Generating input with different major subindex, cannot be spent in the resulting "
"transaction")
kssec = monero.get_subaddress_secret_key(creds.view_key_private,
major=sub_major,
minor=sub_minor)
kssub = crypto.sc_add(
kssec,
creds.spend_key_private) if is_sub else creds.spend_key_private
kvsub = crypto.sc_mul(creds.view_key_private,
kssub) if is_sub else creds.view_key_private
KSSUB, KVSUB = monero.generate_sub_address_keys(
creds.view_key_private, creds.spend_key_public, sub_major,
sub_minor)
if not crypto.point_eq(KSSUB, crypto.scalarmult_base(kssub)):
raise ValueError("Invariant error")
oidx = self.prng.randint(0, 12)
additionals_cnt = self.prng.randint(oidx + 1, 2 * oidx + 1)
deriv = crypto.generate_key_derivation(KVSUB, r)
kout = crypto.derive_secret_key(deriv, oidx, kssub)
KOUT = crypto.derive_public_key(deriv, oidx, KSSUB)
if not crypto.point_eq(KOUT, crypto.scalarmult_base(kout)):
raise ValueError("Invariant error")
if additionals:
if is_sub:
Additional = crypto.scalarmult(KSSUB, r)
else:
Additional = crypto.scalarmult_base(r)
else:
if is_sub:
R = crypto.scalarmult(KSSUB, r)
amnt = crypto.sc_init(value)
msk = self.random_scalar() # commitment mask
C = crypto.add_keys2(msk, amnt, crypto.xmr_H())
ring = []
for i in range(self.ring_size - 1):
tk = CtKey(
dest=crypto.encodepoint(self.random_pub()),
mask=crypto.encodepoint(self.random_pub()),
)
ring.append(tk)
index = self.prng.randint(0, len(ring))
ring.insert(
index,
CtKey(dest=crypto.encodepoint(KOUT), mask=crypto.encodepoint(C)))
if additionals:
additional_keys = [
self.random_pub() for _ in range(additionals_cnt)
]
additional_keys[oidx] = Additional
src = TxSourceEntry()
src.outputs = [(self.random_glob_idx(), x) for x in ring]
src.real_output = index
src.real_out_tx_key = crypto.encodepoint(R)
src.real_out_additional_tx_keys = [
crypto.encodepoint(x) for x in additional_keys
]
src.real_output_in_tx_index = oidx
src.amount = value
src.rct = True
src.mask = crypto.encodeint(msk)
src.multisig_kLRki = MultisigKLRki(K=crypto.ZERO,
L=crypto.ZERO,
R=crypto.ZERO,
ki=crypto.ZERO)
td = TransferDetails()
td.m_internal_output_index = oidx
td.m_global_output_index = src.outputs[index][0]
td.m_mask = src.mask
td.m_amount = value
td.m_subaddr_index = SubaddressIndex(major=sub_major, minor=sub_minor)
td.m_rct = True
td.m_txid = self.random_bytes(32)
td.m_block_height = self.prng.randint(0, 0xFFFF)
td.m_spent = False
td.m_spent_height = 0
td.m_key_image_known = True
td.m_key_image_requested = False
td.m_key_image_partial = False
td.m_multisig_k = []
td.m_multisig_info = []
td.m_uses = []
td.m_pk_index = 0
td.m_tx = self.gen_tx_prefix(self.prng.randint(1, 10), additionals_cnt)
td.m_tx.vout[oidx].target.key = crypto.encodepoint(KOUT)
extras = []
extras.append(TxExtraNonce(nonce=self.random_bytes(8)))
extras.append(TxExtraPubKey(pub_key=src.real_out_tx_key))
if src.real_out_additional_tx_keys:
extras.append(
TxExtraAdditionalPubKeys(data=src.real_out_additional_tx_keys))
td.m_tx.extra = await self.dump_extra_fields(extras)
tmpsubs = {}
monero.compute_subaddresses(creds, sub_major, [sub_minor], tmpsubs)
xi, ki, rderiv = self.check_input(src, creds, tmpsubs)
if not crypto.sc_eq(xi, kout):
raise ValueError("Invariant error")
td.m_key_image = crypto.encodepoint(ki)
self.sources.append(src)
self.selected_transfers.append(len(self.transfers))
self.transfers.append(td)
self.sources_creds.append(creds)
if not crypto.point_eq(
crypto.decodepoint(src.outputs[src.real_output][1].dest),
crypto.scalarmult_base(kout)):
raise ValueError("Invariant error")
return self
def init_sc(self, x):
if x < (1 << 64):
return crypto.sc_init(x)
return crypto.decodeint(ec_py.encodeint(x))
