def LLW_Sig(pk, xx, index):
    """Build an LLW-style linkable ring signature over the keys in ``pk``.

    pk    -- list of ring public keys; they are concatenated with ''.join,
             so they are strings (presumably hex-encoded points).
    xx    -- the signer's secret scalar; used for the key image and to
             close the ring at position ``index``.
    index -- ring position at which the signature is closed.

    Returns (keyimage, c[0], s) where s is a copy of the response scalars.
    """
    ring_size = len(pk)
    print("Generating LLW sig of length ", ring_size)
    L = [None] * ring_size
    R = [None] * ring_size
    c = [None] * ring_size
    # One fresh random scalar per ring member; the signer's entry is
    # overwritten at the end with a - c*x.
    s = [PaperWallet.skGen() for _ in range(0, ring_size)]
    HP = [MiniNero.hashToPoint_ct(member) for member in pk]
    prefix = ''.join(pk)
    keyimage = keyImage(xx)

    # Signer's slot: commit to the nonce a as aG and a*H(P).
    s[index] = MiniNero.mul_8(s[index])
    L[index] = MiniNero.scalarmultBase(s[index])
    R[index] = MiniNero.scalarmultKey(HP[index], s[index])
    j = (index + 1) % ring_size
    c[j] = MiniNero.cn_fast_hash(prefix + L[index] + R[index])

    # Walk the rest of the ring until we are back at the signer.
    while j != index:
        sG = MiniNero.scalarmultBase(s[j])
        cP = MiniNero.scalarmultKey(pk[j], c[j])
        L[j] = MiniNero.addKeys(sG, cP)  # Lj = sG + cxG
        sH = MiniNero.scalarmultKey(HP[j], s[j])
        cI = MiniNero.scalarmultKey(keyimage, c[j])
        R[j] = MiniNero.addKeys(sH, cI)  # Rj = sH + cxH
        following = (j + 1) % ring_size
        # c_{j+1} = H(pk || Lj || Rj)
        c[following] = MiniNero.cn_fast_hash(prefix + L[j] + R[j])
        j = following

    # s_index = a - c*x, so that a = s + c*x when the verifier recomputes.
    s[index] = MiniNero.sc_mulsub_keys(s[index], c[index], xx)
    print("sigma = ", keyimage, c[0], s[:])
    return keyimage, c[0], s[:]
def MLSAG_Ver(pk, keyimage, c1, s):
    """Check an MLSAG signature (keyimage, c1, s) against the key matrix ``pk``.

    pk is indexed pk[row][col], s likewise, and keyimage holds one key image
    per row. Returns True when the challenge chain started at c1 closes,
    i.e. the challenge computed after the last column equals c1.

    Only the ring equations are evaluated here. This function contains no
    explicit check that the key images or ring keys are well-formed points,
    and no check against previously seen key images; unless the MiniNero
    helpers do that internally, the caller has to.
    """
    rows = len(pk)
    cols = len(pk[0])
    print("verifying MLSAG sig of dimensions ",rows ,"x ", cols)
    L = [[None] * cols for _ in range(rows)]
    R = [[None] * cols for _ in range(rows)]
    # Hash prefix: every ring key, row after row.
    pj = ''.join(''.join(row_keys) for row_keys in pk)
    # One extra challenge slot so the wrap-around value can be compared.
    c = [None] * (cols + 1)
    HP = [[MiniNero.hashToPoint_cn(key) for key in row_keys] for row_keys in pk]
    c[0] = c1
    for j in range(cols):
        tohash = pj
        for i in range(0, rows):
            sG = MiniNero.scalarmultBase(s[i][j])
            cP = MiniNero.scalarmultKey(pk[i][j], c[j])
            L[i][j] = MiniNero.addKeys(sG, cP)
            sH = MiniNero.scalarmultKey(HP[i][j], s[i][j])
            cI = MiniNero.scalarmultKey(keyimage[i], c[j])
            R[i][j] = MiniNero.addKeys(sH, cI)
            tohash = tohash + L[i][j] + R[i][j]
        c[j + 1] = MiniNero.cn_fast_hash(tohash)
    rv = (c[0] == c[cols])
    print("c", c)
    print("sig verifies?", rv)
    return rv
def VerSchnorrNonLinkable(P1, P2, L1, s1, s2):
    """Verify a two-key non-linkable Schnorr ring signature (L1, s1, s2).

    Recomputes L2 from (s2, P2, H(L1)) and then L1 from (s1, P1, H(L2)),
    and compares the result with the supplied L1.

    Returns 0 on success and -1 on failure. Callers must compare the result
    with 0 explicitly: the failure value -1 is truthy in Python, so
    ``if VerSchnorrNonLinkable(...)`` would accept a bad signature.
    """
    c2 = MiniNero.cn_fast_hash(L1)
    s2G = MiniNero.scalarmultBase(s2)
    L2 = MiniNero.addKeys(s2G, MiniNero.scalarmultKey(P2, c2))
    c1 = MiniNero.cn_fast_hash(L2)
    s1G = MiniNero.scalarmultBase(s1)
    L1p = MiniNero.addKeys(s1G, MiniNero.scalarmultKey(P1, c1))
    if L1 != L1p:
        print("Didn't verify")
        print(L1,"!=", L1p)
        return -1
    print("Verified")
    return 0
def VerSchnorrNonLinkable(P1, P2, L1, s1, s2):
    """Check the non-linkable Schnorr ring signature (L1, s1, s2) over P1, P2.

    The ring is walked once: L1 -> c2 -> L2 -> c1 -> L1', and the signature
    is accepted when L1' equals L1.

    Return value: 0 means verified, -1 means rejected. Because -1 is truthy,
    test the result with ``== 0`` rather than using it as a boolean.
    """
    challenge2 = MiniNero.cn_fast_hash(L1)
    L2 = MiniNero.addKeys(
        MiniNero.scalarmultBase(s2),
        MiniNero.scalarmultKey(P2, challenge2))
    challenge1 = MiniNero.cn_fast_hash(L2)
    L1p = MiniNero.addKeys(
        MiniNero.scalarmultBase(s1),
        MiniNero.scalarmultKey(P1, challenge1))
    verified = (L1 == L1p)
    if verified:
        print("Verified")
        return 0
    print("Didn't verify")
    print(L1, "!=", L1p)
    return -1
def sumCiExp(Cis, Exp):
    """Return the sum over i of (10 ** Exp[i]) * Cis[i].

    Cis -- vector of keys
    Exp -- vector of exponents, read at the same positions as Cis
    """
    total = MiniNero.identity()
    for position, key in enumerate(Cis):
        weight = MiniNero.intToHex(10 ** Exp[position])
        total = MiniNero.addKeys(total, MiniNero.scalarmultKey(key, weight))
    return total
def VerSchnorr(hash_prefix, pub, r, c):
    """Verify the Schnorr signature (r, c) for ``pub`` over ``hash_prefix``.

    Recomputes comm = c*pub + r*G and c2 = H(hash_prefix + pub + comm), and
    returns True when MiniNero.sc_sub_keys(c, c2) is the all-zero 32-byte
    scalar. The boolean is also printed.
    """
    #hash_prefix = binascii.hexlify(prefix)
    zero_scalar = "0000000000000000000000000000000000000000000000000000000000000000"
    # Result unused; presumably kept so that a malformed pub fails here
    # before any arithmetic is done with it -- confirm against MiniNero.toPoint.
    check1 = MiniNero.toPoint(pub)
    c_pub = MiniNero.scalarmultKey(pub, c)
    comm = MiniNero.addKeys(c_pub, MiniNero.scalarmultBase(r))
    c2 = MiniNero.cn_fast_hash(hash_prefix + pub + comm)
    matches = (MiniNero.sc_sub_keys(c, c2) == zero_scalar)
    print(matches)
    return matches
def proveRange(amount):
    """Build a range proof for ``amount`` from ATOMS one-bit commitments.

    The amount is split into binary digits with d2b, each digit gets its own
    random mask and commitment, and AggregateSchnorr.GenASNL signs over the
    pairs (Ci, Ci - H2[i]).

    Returns (C, mask, R): the summed commitment, the total mask (which has to
    be passed to the receiver) and the rangeSig object.
    """
    bits = d2b(amount, ATOMS)  # binary form of the amount
    # NOTE(review): this prints the amount the proof is meant to hide; fine
    # for a demo, but it should not survive into code that handles real values.
    print("amount, amount in binary", amount, bits)
    width = len(bits)
    ai = [None] * width
    Ci = [None] * width
    CiH = [None] * width  # this is like Ci - 2^i H
    H2 = getH2ForCT()
    total_mask = MiniNero.sc_0()
    for i in range(0, ATOMS):
        ai[i] = PaperWallet.skGen()
        # running sum of the per-bit masks
        total_mask = MiniNero.addScalars(total_mask, ai[i])
        if bits[i] == 0:
            Ci[i] = MiniNero.scalarmultBase(ai[i])
        elif bits[i] == 1:
            Ci[i] = MiniNero.addKeys(MiniNero.scalarmultBase(ai[i]), H2[i])
        CiH[i] = MiniNero.subKeys(Ci[i], H2[i])
    A = asnlSig()
    A.L1, A.s2, A.s = AggregateSchnorr.GenASNL(ai, Ci, CiH, bits)
    R = rangeSig()
    R.asig = A
    R.Ci = Ci
    C = sumCi(Ci)
    return C, total_mask, R
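def proveRctMG(pubs, inSk, outSk, outPk, index):
    """Build the MLSAG signature that ties a RingCT transaction together.

    pubs  -- matrix of ctkeys [P, C], indexed pubs[col][row]
    inSk  -- key vector of the signer's input secrets [x, mask]
    outSk -- list of output secrets; only their .mask is used
    outPk -- list of output ctkeys [P, C]
    index -- secret column at which the signer's keys sit (integer)

    Returns an mgSig whose fields II, cc, ss come from MLSAG2.MLSAG_Gen.

    The key matrix gets one extra row: for every column, the sum of the
    input commitments minus the sum of the output commitments. The matching
    secret is the sum of the input masks minus the sum of the output masks.
    """
    rows = len(pubs[0])
    cols = len(pubs)
    print("rows in mg", rows)
    print("cols in mg", cols)
    # just a simple way to initialize a keymatrix, doesn't need to be random
    M = MLSAG2.keyMatrix(rows + 1, cols)
    sk = MLSAG2.keyVector(rows + 1)
    for j in range(0, cols):
        M[j][rows] = MiniNero.identity()
    sk[rows] = MiniNero.sc_0()
    for i in range(0, rows):
        sk[i] = inSk[i].dest  # destination part
        sk[rows] = MiniNero.sc_add_keys(sk[rows], inSk[i].mask)  # commitment part
        for j in range(0, cols):
            M[j][i] = pubs[j][i].dest  # destination part
            M[j][rows] = MiniNero.addKeys(M[j][rows], pubs[j][i].mask)  # commitment part
    # Subtract the commitment part of all outputs from the secret ...
    for out_secret in outSk:
        sk[rows] = MiniNero.sc_sub_keys(sk[rows], out_secret.mask)
    # ... and from the last row of EVERY column. The original indexed the
    # column with the loop variable of the outSk loop, so the matrix only
    # agreed with the one rebuilt in verRctMG when the number of outputs
    # happened to equal the number of columns.
    for j in range(0, cols):
        for out_key in outPk:
            M[j][rows] = MiniNero.subKeys(M[j][rows], out_key.mask)
    MG = mgSig()
    MG.II, MG.cc, MG.ss = MLSAG2.MLSAG_Gen(M, sk, index)
    return MG  # mgSig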
def proveRange(amount):
    """Produce a range proof showing ``amount`` fits in ATOMS binary digits.

    Each digit is committed to separately (Ci[i] = ai[i]*G, plus H2[i] when
    the digit is 1) and the set is signed with AggregateSchnorr.GenASNL.

    Returns a tuple (C, mask, R): C is the sum of the digit commitments,
    mask the sum of the per-digit masks, R a rangeSig carrying the
    signature and the Ci list.
    """
    digits = d2b(amount, ATOMS)
    # NOTE(review): the plaintext amount goes to stdout here. That defeats
    # the purpose of the proof if the output is ever logged; remove it
    # outside of experiments.
    print("amount, amount in binary", amount, digits)
    count = len(digits)
    ai = [None] * count
    Ci = [None] * count
    CiH = [None] * count  # Ci - 2^i H
    H2 = getH2ForCT()
    a = MiniNero.sc_0()
    for i in range(0, ATOMS):
        ai[i] = PaperWallet.skGen()
        # accumulate the total mask, which has to be handed to the receiver
        a = MiniNero.addScalars(a, ai[i])
        digit = digits[i]
        if digit == 0:
            Ci[i] = MiniNero.scalarmultBase(ai[i])
        elif digit == 1:
            Ci[i] = MiniNero.addKeys(MiniNero.scalarmultBase(ai[i]), H2[i])
        CiH[i] = MiniNero.subKeys(Ci[i], H2[i])
    A = asnlSig()
    A.L1, A.s2, A.s = AggregateSchnorr.GenASNL(ai, Ci, CiH, digits)
    R = rangeSig()
    R.asig = A
    R.Ci = Ci
    mask = a
    C = sumCi(Ci)
    return C, mask, R
def ctskpkGen(amount):
    """Create a secret/public ctkey pair whose public mask commits to ``amount``.

    Both the .dest and the .mask fields are filled from PaperWallet.skpkGen();
    amount * getHForCT() is then added to the public mask.

    Returns (sk, pk).
    """
    sk = ctkey()
    pk = ctkey()
    sk.dest, pk.dest = PaperWallet.skpkGen()
    sk.mask, pk.mask = PaperWallet.skpkGen()
    amount_hex = MiniNero.intToHex(amount)
    amount_point = MiniNero.scalarmultKey(getHForCT(), amount_hex)
    # public mask becomes (mask public key) + amount*H
    pk.mask = MiniNero.addKeys(pk.mask, amount_point)
    return sk, pk
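def GenSchnorrNonLinkable(x, P1, P2, index):
    """Generate a two-key non-linkable Schnorr ring signature.

    x      -- the signer's secret scalar
    P1, P2 -- the two ring public keys
    index  -- 0 when x belongs to P1, 1 when it belongs to P2
              (assumed from the way each branch closes the ring -- confirm)

    Returns (L1, s1, s2).

    Raises ValueError when index is neither 0 nor 1. The original fell
    through both branches in that case and failed at the return statement
    with an unbound-variable error.
    """
    if index == 0:
        a = PaperWallet.skGen()
        L1 = MiniNero.scalarmultBase(a)
        s2 = PaperWallet.skGen()  # random response for the other key
        c2 = MiniNero.cn_fast_hash(L1)
        L2 = MiniNero.addKeys(MiniNero.scalarmultBase(s2),
                              MiniNero.scalarmultKey(P2, c2))
        c1 = MiniNero.cn_fast_hash(L2)
        s1 = MiniNero.sc_mulsub_keys(a, x, c1)  # closes the ring at position 0
    elif index == 1:
        a = PaperWallet.skGen()
        L2 = MiniNero.scalarmultBase(a)
        s1 = PaperWallet.skGen()  # random response for the other key
        c1 = MiniNero.cn_fast_hash(L2)
        L1 = MiniNero.addKeys(MiniNero.scalarmultBase(s1),
                              MiniNero.scalarmultKey(P1, c1))
        c2 = MiniNero.cn_fast_hash(L1)
        s2 = MiniNero.sc_mulsub_keys(a, x, c2)  # closes the ring at position 1
    else:
        raise ValueError("index must be 0 or 1")
    return L1, s1, s2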
def sumCiExp(Cis, Exp):
    """Add up the keys in ``Cis``, each scaled by 10 ** Exp[i].

    Both arguments are vectors; Exp is indexed at the positions of Cis.
    """
    CSum = MiniNero.identity()
    for i, Ci in enumerate(Cis):
        scale = MiniNero.intToHex(10**Exp[i])
        scaled = MiniNero.scalarmultKey(Ci, scale)
        CSum = MiniNero.addKeys(CSum, scaled)
    return CSum
def VerASNL(P1, P2, L1, s2, s):
    """Verify an Aggregate Schnorr Non-Linkable ring signature.

    P1, P2, L1 and s2 are vectors read at positions 0..len(P1)-1; s is the
    single aggregated response. The check is
        sum_j L1[j]  ==  s*G + sum_j c1_j * P1[j]
    with c1_j derived from L1[j], s2[j] and P2[j].

    Returns 0 when the two sides match and -1 otherwise. Compare the result
    with 0 explicitly; -1 is truthy in Python.
    """
    print("Verifying Aggregate Schnorr Non-linkable Ring Signature")
    count = len(P1)
    LHS = MiniNero.scalarmultBase(MiniNero.intToHex(0))
    RHS = MiniNero.scalarmultBase(s)
    for j in range(0, count):
        c2 = MiniNero.cn_fast_hash(L1[j])
        s2G = MiniNero.scalarmultBase(s2[j])
        L2 = MiniNero.addKeys(s2G, MiniNero.scalarmultKey(P2[j], c2))
        LHS = MiniNero.addKeys(LHS, L1[j])
        c1 = MiniNero.cn_fast_hash(L2)
        RHS = MiniNero.addKeys(RHS, MiniNero.scalarmultKey(P1[j], c1))
    if LHS != RHS:
        print("Didn't verify")
        print(LHS,"!=", RHS)
        return -1
    print("Verified")
    return 0
def in_commitments(input_value, sk, masks):
    """Compute the input commitment and the key needed to sign for it.

    For now this assumes a single input.

    Returns (C, z) with C = sk*G + input_value*H_ct and
    z = sk - sum(masks), so that z + sum of the mask values = sk.
    input_value is expected to equal the sum of the output values.
    """
    # The masks are added as plain integers before being re-encoded.
    mask_total = sum(MiniNero.hexToInt(mask) for mask in masks)
    sum_masks = MiniNero.intToHex(mask_total)
    z = MiniNero.sc_sub_keys(sk, sum_masks)
    blinding = MiniNero.scalarmultBase(sk)
    value_part = MiniNero.scalarmultKey(H_ct, input_value)
    C = MiniNero.addKeys(blinding, value_part)
    return C, z  # z is the sk you need to sign for this commitment
def VerSchnorr(hash_prefix, pub, r, c):
    """Check a Schnorr signature (r, c) made with ``pub`` over ``hash_prefix``.

    The commitment is rebuilt as c*pub + r*G, hashed together with the
    prefix and the public key, and the signature is accepted when
    MiniNero.sc_sub_keys(c, recomputed challenge) equals the all-zero
    scalar. Prints and returns that boolean.
    """
    #hash_prefix = binascii.hexlify(prefix)
    ZERO = "0000000000000000000000000000000000000000000000000000000000000000"
    # Return value is not used; presumably this call is here so that a pub
    # that is not a valid point raises before it is used -- confirm.
    check1 = MiniNero.toPoint(pub)
    comm = MiniNero.addKeys(
        MiniNero.scalarmultKey(pub, c),
        MiniNero.scalarmultBase(r))
    recomputed = MiniNero.cn_fast_hash(hash_prefix + pub + comm)
    ok = MiniNero.sc_sub_keys(c, recomputed) == ZERO
    print(ok)
    return ok
def VerASNL(P1, P2, L1, s2, s):
    """Check an Aggregate Schnorr Non-Linkable ring signature.

    For every position j the second ring element L2 is rebuilt from s2[j],
    P2[j] and H(L1[j]); the sums of L1[j] (left side) and of
    H(L2)*P1[j] plus s*G (right side) must agree.

    Returns 0 for a valid signature, -1 for an invalid one. The failure
    value is truthy, so callers have to test ``== 0``.
    """
    print("Verifying Aggregate Schnorr Non-linkable Ring Signature")
    n = len(P1)
    left = MiniNero.scalarmultBase(MiniNero.intToHex(0))
    right = MiniNero.scalarmultBase(s)
    for j in range(0, n):
        c2 = MiniNero.cn_fast_hash(L1[j])
        L2 = MiniNero.addKeys(
            MiniNero.scalarmultBase(s2[j]),
            MiniNero.scalarmultKey(P2[j], c2))
        left = MiniNero.addKeys(left, L1[j])
        c1 = MiniNero.cn_fast_hash(L2)
        right = MiniNero.addKeys(right, MiniNero.scalarmultKey(P1[j], c1))
    valid = (left == right)
    if valid:
        print("Verified")
        return 0
    print("Didn't verify")
    print(left, "!=", right)
    return -1
def LLW_Ver(pk, keyimage, c1, s):
    """Verify an LLW ring signature (keyimage, c1, s) over the ring ``pk``.

    Starting from c1, the challenge for each next position is recomputed
    from pk[j], s[j] and the key image; the signature is accepted when the
    challenge obtained after the last member equals c1.

    Returns that boolean. This function only evaluates the ring equations:
    it has no explicit check that keyimage is a well-formed point and keeps
    no record of key images already seen, so double-spend detection is left
    to the caller.
    """
    ring_size = len(pk)
    print("verifying LLW sig of length", ring_size)
    L = [None] * ring_size
    R = [None] * ring_size
    c = [None] * (ring_size + 1)  # one extra slot for the wrap-around value
    prefix = ''.join(pk)
    HP = [MiniNero.hashToPoint_ct(member) for member in pk]
    c[0] = c1
    for j in range(ring_size):
        sG = MiniNero.scalarmultBase(s[j])
        L[j] = MiniNero.addKeys(sG, MiniNero.scalarmultKey(pk[j], c[j]))
        sH = MiniNero.scalarmultKey(HP[j], s[j])
        R[j] = MiniNero.addKeys(sH, MiniNero.scalarmultKey(keyimage, c[j]))
        c[j + 1] = MiniNero.cn_fast_hash(prefix + L[j] + R[j])
    rv = (c[0] == c[ring_size])
    print("sig verifies complete", rv)
    print("c", c)
    print("L", L)
    print("R", R)
    return rv
def MLSAG_Sign(pk, xx, index):
    """Generate an MLSAG signature over the key matrix ``pk``.

    pk    -- key matrix indexed pk[row][col]
    xx    -- vector of the signer's secret keys, one per row
    index -- column in which the signer's keys sit

    Returns (keyimage, c[0], s): the key images from keyImage(xx, rows),
    the challenge for column 0 and the response matrix s[row][col].
    """
    rows = len(xx)
    cols = len(pk[0])
    print("Generating MLSAG sig of dimensions ",rows ,"x ", cols)
    # Row 0 is always set up; further rows are appended when there are any.
    L = [[None] * cols]
    R = [[None] * cols]
    s = [[PaperWallet.skGen() for _ in range(0, cols)]]
    HP = [[MiniNero.hashToPoint_cn(key) for key in pk[0]]]
    pj = ''.join(pk[0])
    for row in range(1, rows):
        L.append([None] * cols)
        R.append([None] * cols)
        s.append([PaperWallet.skGen() for _ in range(0, cols)])
        HP.append([MiniNero.hashToPoint_cn(key) for key in pk[row]])
        pj += ''.join(pk[row])
    c = [None] * cols  # one challenge per column
    keyimage = keyImage(xx, rows)

    # Signer's column: commit to the nonces as aG and a*H(P).
    for row in range(0, rows):
        nonce = s[row][index]
        L[row][index] = MiniNero.scalarmultBase(nonce)
        R[row][index] = MiniNero.scalarmultKey(HP[row][index], nonce)
    j = (index + 1) % cols
    tohash = pj
    for row in range(0, rows):
        tohash = tohash + L[row][index] + R[row][index]
    c[j] = MiniNero.cn_fast_hash(tohash)

    # Remaining columns, wrapping around until the signer's column is reached.
    while j != index:
        tohash = pj
        for row in range(0, rows):
            sG = MiniNero.scalarmultBase(s[row][j])
            cP = MiniNero.scalarmultKey(pk[row][j], c[j])
            L[row][j] = MiniNero.addKeys(sG, cP)  # Lj = sG + cxG
            sH = MiniNero.scalarmultKey(HP[row][j], s[row][j])
            cI = MiniNero.scalarmultKey(keyimage[row], c[j])
            R[row][j] = MiniNero.addKeys(sH, cI)  # Rj = sH + cxH
            tohash = tohash + L[row][j] + R[row][j]
        j = (j + 1) % cols
        c[j] = MiniNero.cn_fast_hash(tohash)

    # Close the ring: s = a - c*x, so a = s + c*x on verification.
    for row in range(0, rows):
        s[row][index] = MiniNero.sc_mulsub_keys(s[row][index], c[index], xx[row])
    return keyimage, c[0], s
def rangeProof(C_out_i, masks_i):
    """Create one LLW ring signature per output bit as a range proof.

    C_out_i -- the bit values, as hex strings
    masks_i -- one mask per bit

    For each bit the ring is [C_i - H_ct, C_i] with
    C_i = masks_i[i]*G + C_out_i[i]*H_ct.

    Returns (I_Proofs, c0s, ss, C_is).
    """
    n = len(masks_i)
    I_Proofs = [None] * n
    c0s = [None] * n
    ss = [None] * n
    C_is = [None] * n
    for i in range(0, n):
        mask_part = MiniNero.scalarmultBase(masks_i[i])
        value_part = MiniNero.scalarmultKey(H_ct, C_out_i[i])
        C_i = MiniNero.addKeys(mask_part, value_part)  # masks_i * G + C_out_i * H
        C_i_prime = MiniNero.subKeys(C_i, H_ct)  # C_i - H
        C_is[i] = [C_i_prime, C_i]
        # NOTE(review): masks_i[i] is the secret blinding factor and is
        # written to stdout here; drop this outside of experiments.
        print("generating LLWsig for range proof from Cis, masks, couts", C_is[i], masks_i[i], C_out_i[i])
        # NOTE(review): for bit 0 the key with known secret masks_i[i] is C_i,
        # at ring position 1, yet the signing index passed is the bit value
        # itself -- confirm the index convention against LLW_Sig.
        signer_index = MiniNero.hexToInt(C_out_i[i])
        # ring sig on the above, with sk masks_i
        I_Proofs[i], c0s[i], ss[i] = LLW_Sigs.LLW_Sig(C_is[i], masks_i[i], signer_index)
    return I_Proofs, c0s, ss, C_is
def LLW_Ver(pk, keyimage, c1, s):
    """Check the LLW ring signature (keyimage, c1, s) for the ring ``pk``.

    Recomputes L[j] = s[j]*G + c[j]*pk[j] and
    R[j] = s[j]*H(pk[j]) + c[j]*keyimage for each member, chaining the
    challenges through cn_fast_hash, and returns True when the final
    challenge equals c1.

    Nothing in this function validates keyimage as a point or compares it
    with earlier key images; a caller relying on linkability must do so.
    """
    n = len(pk)
    print("verifying LLW sig of length", n)
    L = [None] * n
    R = [None] * n
    c = [None] * (n + 1)
    pj = ''.join(pk)
    HP = [MiniNero.hashToPoint_ct(key) for key in pk]
    c[0] = c1
    position = 0
    while position < n:
        challenge = c[position]
        L[position] = MiniNero.addKeys(
            MiniNero.scalarmultBase(s[position]),
            MiniNero.scalarmultKey(pk[position], challenge))
        R[position] = MiniNero.addKeys(
            MiniNero.scalarmultKey(HP[position], s[position]),
            MiniNero.scalarmultKey(keyimage, challenge))
        c[position + 1] = MiniNero.cn_fast_hash(pj + L[position] + R[position])
        position += 1
    rv = (c[0] == c[n])
    print("sig verifies complete", rv)
    print("c", c)
    print("L", L)
    print("R", R)
    return rv
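def CT_ring_sig(pk, C_in, C_out, xz, index):
    """Sign the ring of adjusted keys pk[i] + C_in - sum(C_out) with LLW_Sig.

    pk    -- list of ring public keys
    C_in  -- input commitment, added to every ring key
    C_out -- iterable of output commitments, each subtracted from every key
    xz    -- secret scalar for the adjusted key at position ``index``
    index -- the signer's position in the ring

    Returns (I, c0, s, pk2) where pk2 is the list of adjusted ring keys.

    If xz*G does not equal the adjusted key at ``index`` the process is
    terminated through exit(), as in the original.
    """
    print("Generating Ct ring sig")
    n = len(pk)
    # Sized from the ring. The original allocated exactly two slots, which
    # raised IndexError for larger rings and left a None entry for a
    # one-member ring.
    pk2 = [None] * n
    for i in range(0, n):
        pk2[i] = MiniNero.addKeys(pk[i], C_in)
        for out_commitment in C_out:
            pk2[i] = MiniNero.subKeys(pk2[i], out_commitment)
    expected = MiniNero.scalarmultBase(xz)
    print("check validity", pk2[index], expected)
    if pk2[index] != expected:
        print("stop lying, you don't know a key")
        # NOTE(review): exit() without an argument ends the process with
        # status 0, so a calling script cannot tell this failure from success.
        exit()
    I, c0, s = LLW_Sigs.LLW_Sig(pk2, xz, index)
    print("Ct ring sig generated")
    return I, c0, s, pk2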
def LLW_Sig(pk, xx, index):
    """Sign with secret ``xx`` at ring position ``index`` (LLW ring signature).

    pk is the list of ring public keys (strings, joined into the hash
    prefix). A random response is drawn for every member, the challenge
    chain is computed starting after the signer's position, and the signer's
    response is finally set so that the chain closes.

    Returns (keyimage, c[0], copy of the response list).
    """
    n = len(pk)
    print("Generating LLW sig of length ", n)
    L = [None] * n
    R = [None] * n
    c = [None] * n
    s = [PaperWallet.skGen() for _ in range(0, n)]
    HP = [MiniNero.hashToPoint_ct(key) for key in pk]
    pj = ''.join(pk)
    keyimage = keyImage(xx)

    # The signer's random scalar is passed through mul_8 and then used as
    # the nonce a.
    nonce = MiniNero.mul_8(s[index])
    s[index] = nonce
    L[index] = MiniNero.scalarmultBase(nonce)
    R[index] = MiniNero.scalarmultKey(HP[index], nonce)  # aH
    j = (index + 1) % n
    c[j] = MiniNero.cn_fast_hash(pj + L[index] + R[index])

    while j != index:
        # Lj = sG + cxG
        L[j] = MiniNero.addKeys(
            MiniNero.scalarmultBase(s[j]),
            MiniNero.scalarmultKey(pk[j], c[j]))
        # Rj = sH + cxH
        R[j] = MiniNero.addKeys(
            MiniNero.scalarmultKey(HP[j], s[j]),
            MiniNero.scalarmultKey(keyimage, c[j]))
        cj = (j + 1) % n
        c[cj] = MiniNero.cn_fast_hash(pj + L[j] + R[j])  # c_{j+1} = H(pk + Lj + Rj)
        j = cj

    # si = a - c x, so a = s + c x
    s[index] = MiniNero.sc_mulsub_keys(s[index], c[index], xx)
    print("sigma = ", keyimage, c[0], s[:])
    return keyimage, c[0], s[:]
def genRangeProof(b, digits):
    """Generate a range proof for ``b`` using ``digits`` binary digits.

    Each digit i gets a random mask ai[i] and a commitment
    Ci[i] = ai[i]*G + (bit_i * 2^i)*H; CiH[i] = Ci[i] - 2^i*H.
    AggregateSchnorr.GenASNL signs over the pairs.

    Returns (sumCi(Ci), Ci, L1, s2, s, a) where a is the sum of the masks,
    which has to be passed to the receiver.
    """
    bits = binary(b, digits)
    # NOTE(review): prints the value the proof is supposed to hide; keep
    # this out of anything that handles real amounts.
    print("b, b in binary", b, bits)
    count = len(bits)
    ai = [None] * count
    Ci = [None] * count
    CiH = [None] * count  # this is like Ci - 2^i H
    a = MiniNero.intToHex(0)
    for i in range(0, count):
        ai[i] = PaperWallet.skGen()
        a = MiniNero.addScalars(a, ai[i])  # running total of the masks
        mask_point = MiniNero.scalarmultBase(ai[i])
        bit_value = MiniNero.scalarmultKey(
            getHForCT(), MiniNero.intToHex(bits[i] * 2 ** i))
        Ci[i] = MiniNero.addKeys(mask_point, bit_value)
        power_point = MiniNero.scalarmultKey(
            getHForCT(), MiniNero.intToHex(2 ** i))
        CiH[i] = MiniNero.subKeys(Ci[i], power_point)
    L1, s2, s = AggregateSchnorr.GenASNL(ai, Ci, CiH, bits)
    return sumCi(Ci), Ci, L1, s2, s, a
def out_commitments(values):
    """Create the output commitments C_i = y_i*G + value_i*H_ct (do this first).

    values -- list of output values as hex strings

    For each value a random mask is drawn per binary digit (the binary
    decomposition is for the range proofs; another base could be used) and
    the masks are summed; the sum y_i is what goes into the commitment.

    Returns (C, masks, sumMasks, values2) where values2 holds the hex-encoded
    binary digits of each value.
    """
    n = len(values)
    values2 = [None] * n
    for i in range(0, n):
        digits = binary(MiniNero.hexToInt(values[i]))
        values2[i] = [MiniNero.intToHex(digit) for digit in digits]
    masks = [None] * n
    sumMasks = [None] * n
    for i in range(0, n):
        # one fresh random mask per binary digit
        masks[i] = [PaperWallet.skGen() for _ in values2[i]]
        # The masks are added as plain integers; the sum is what actually
        # goes into the ring.
        total = sum(MiniNero.hexToInt(mask) for mask in masks[i])
        sumMasks[i] = MiniNero.intToHex(total)
    C = [None] * n
    for i in range(0, n):
        mask_point = MiniNero.scalarmultBase(sumMasks[i])
        value_point = MiniNero.scalarmultKey(H_ct, values[i])
        C[i] = MiniNero.addKeys(mask_point, value_point)
    return C, masks, sumMasks, values2
def verRctMG(MG, pubs, outPk):
    """Verify the MLSAG part of a RingCT signature.

    MG    -- mgSig with fields ss (key matrix), cc (key) and II (key images)
    pubs  -- matrix of ctkeys [P, C], indexed pubs[col][row]
    outPk -- list of output ctkeys [P, C] for the transaction

    Rebuilds the key matrix, whose extra last row holds, per column, the sum
    of the input commitments minus the sum of the output commitments, and
    returns the result of MLSAG2.MLSAG_Ver (true or false).
    """
    rows = len(pubs[0])
    cols = len(pubs)
    # just a simple way to initialize a keymatrix, doesn't need to be random
    M = MLSAG2.keyMatrix(rows + 1, cols)
    for col in range(0, cols):
        M[col][rows] = MiniNero.identity()
    for row in range(0, rows):
        for col in range(0, cols):
            entry = pubs[col][row]
            M[col][row] = entry.dest  # destination part
            M[col][rows] = MiniNero.addKeys(M[col][rows], entry.mask)  # commitment part
    # next, subtract the commitment part of all outputs from every column
    for col in range(0, cols):
        for out_key in outPk:
            M[col][rows] = MiniNero.subKeys(M[col][rows], out_key.mask)
    return MLSAG2.MLSAG_Ver(M, MG.II, MG.cc, MG.ss)
def rangeProof(C_out_i, masks_i):
    """Build the per-bit ring signatures that make up a range proof.

    C_out_i holds the bit values (hex strings) and masks_i the matching
    masks. Every bit yields a two-member ring [C_i - H_ct, C_i], where
    C_i = masks_i[i]*G + C_out_i[i]*H_ct, signed through LLW_Sigs.LLW_Sig.

    Returns the four lists (I_Proofs, c0s, ss, C_is).
    """
    count = len(masks_i)
    I_Proofs = [None] * count
    c0s = [None] * count
    ss = [None] * count
    C_is = [None] * count
    for i in range(0, count):
        mask = masks_i[i]
        bit_hex = C_out_i[i]
        # masks_i * G + C_out_i * H
        C_i = MiniNero.addKeys(
            MiniNero.scalarmultBase(mask),
            MiniNero.scalarmultKey(H_ct, bit_hex))
        C_i_prime = MiniNero.subKeys(C_i, H_ct)  # C_i - H
        C_is[i] = [C_i_prime, C_i]
        # NOTE(review): the mask printed below is secret key material; this
        # trace line should go before the code is used on real data.
        print("generating LLWsig for range proof from Cis, masks, couts",
              C_is[i], masks_i[i], C_out_i[i])
        # NOTE(review): the signing index is the bit value, but when the bit
        # is 0 the key whose secret is the mask (C_i) sits at position 1 --
        # check this against the index LLW_Sig expects.
        I_Proofs[i], c0s[i], ss[i] = LLW_Sigs.LLW_Sig(
            C_is[i], mask, MiniNero.hexToInt(bit_hex))  # ring sig with sk masks_i
    return I_Proofs, c0s, ss, C_is
def decodeRct(rv, sk, i):
    """Decode the amount sent to output ``i`` of the RingCT signature ``rv``.

    Inputs:
      rv -- rctSig, a list [rangesigs, MG, mixRing, ecdhInfo, outPk]:
            rangesigs is one range proof per output, MG the mgsig
            [ss, cc, II], mixRing a ctkey matrix, ecdhInfo the masks/amounts
            for each output, outPk a vector of ctkeys (the commitment for
            each amount).
      sk -- the secret key of the receiver
      i  -- index of the receiver in the rctSig (for multiple destinations)

    Output: the amount received, as an integer.
    """
    decoded = ecdhDecode(rv.ecdhInfo[i], sk)
    mask = decoded.mask
    amount = decoded.amount
    C = rv.outPk[i].mask
    H = getHForCT()
    # Recompute the commitment from the decoded mask and amount.
    recomputed = MiniNero.addKeys(
        MiniNero.scalarmultBase(mask),
        MiniNero.scalarmultKey(H, amount))
    difference = MiniNero.subKeys(C, recomputed)
    if difference != MiniNero.identity():
        # NOTE(review): a mismatch is only reported on stdout and the decoded
        # amount is still returned, so a caller cannot tell a consistent
        # amount from an inconsistent one. Code that credits funds should
        # redo this comparison itself and reject the output on mismatch.
        print("warning, amount decoded incorrectly, will be unable to spend")
    return MiniNero.hexToInt(amount)
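def proveRctMG(pubs, inSk, outSk, outPk, index):
    """Create the MLSAG signature (mgSig) for a RingCT transaction.

    pubs  -- matrix of ctkeys [P, C], indexed pubs[col][row]
    inSk  -- key vector of [x, mask] secret keys for the inputs
    outSk -- list of output secret ctkeys; their .mask values are used
    outPk -- list of output ctkeys [P, C]
    index -- secret index of the column where you are signing (integer)

    Returns an mgSig with II (key images), cc (key) and ss (key matrix)
    filled from MLSAG2.MLSAG_Gen.

    A key matrix is made from pubs and a key vector from inSk, each with one
    additional row: sum of input commitments minus sum of output commitments
    on the public side, sum of input masks minus sum of output masks on the
    secret side.
    """
    rows = len(pubs[0])
    cols = len(pubs)
    print("rows in mg", rows)
    print("cols in mg", cols)
    M = MLSAG2.keyMatrix(rows + 1, cols)  # initial contents are overwritten below
    sk = MLSAG2.keyVector(rows + 1)
    for col in range(0, cols):
        M[col][rows] = MiniNero.identity()
    sk[rows] = MiniNero.sc_0()
    for row in range(0, rows):
        sk[row] = inSk[row].dest  # get the destination part
        sk[rows] = MiniNero.sc_add_keys(sk[rows], inSk[row].mask)  # add commitment part
        for col in range(0, cols):
            M[col][row] = pubs[col][row].dest  # get the destination part
            M[col][rows] = MiniNero.addKeys(
                M[col][rows], pubs[col][row].mask)  # add commitment part
    # Next, subtract the commitment part of all outputs.
    for out_secret in outSk:
        sk[rows] = MiniNero.sc_sub_keys(sk[rows], out_secret.mask)
    # Fix: the output commitments are subtracted in every column, the same
    # way verRctMG rebuilds the matrix. Previously the column index was the
    # loop variable of the outSk loop, so columns were skipped (or an
    # IndexError raised) whenever len(outSk) differed from the column count,
    # and the resulting signature could not verify.
    for col in range(0, cols):
        for out_key in outPk:
            M[col][rows] = MiniNero.subKeys(M[col][rows], out_key.mask)
    MG = mgSig()
    MG.II, MG.cc, MG.ss = MLSAG2.MLSAG_Gen(M, sk, index)
    return MG  # mgSig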
def out_commitments(values):
    """Compute output commitments and their masks (do this first).

    values is a list of hex-encoded output values. Returns
    (C, masks, sumMasks, values2):
      C        -- commitments C_i = y_i*G + value_i*H_ct
      masks    -- per output, one random mask per binary digit of the value
      sumMasks -- per output, the sum y_i of its masks (this is what
                  actually goes into the ring)
      values2  -- per output, the hex-encoded binary digits of the value
    """
    count = len(values)

    values2 = [None] * count
    for i in range(0, count):
        as_int = MiniNero.hexToInt(values[i])
        values2[i] = [MiniNero.intToHex(bit) for bit in binary(as_int)]

    masks = [None] * count
    sumMasks = [None] * count
    for i in range(0, count):
        # binary decomposition for range proofs (could also use another base)
        masks[i] = [PaperWallet.skGen() for _ in values2[i]]
        # integer sum of the masks, re-encoded as hex
        mask_ints = [MiniNero.hexToInt(m) for m in masks[i]]
        sumMasks[i] = MiniNero.intToHex(sum(mask_ints))

    C = [None] * count
    for i in range(0, count):
        C[i] = MiniNero.addKeys(
            MiniNero.scalarmultBase(sumMasks[i]),
            MiniNero.scalarmultKey(H_ct, values[i]))
    return C, masks, sumMasks, values2
def genRangeProof(b, digits):
    """Create a range proof that ``b`` is representable in ``digits`` bits.

    For digit i a random mask ai[i] is drawn and committed as
    Ci[i] = ai[i]*G + (bit_i * 2^i)*H, with CiH[i] = Ci[i] - 2^i*H as the
    second ring member. ASNL.GenASNL produces the aggregate signature.

    Returns (sumCi(Ci), Ci, L1, s2, s, a); a is the total mask, which has to
    be passed to the receiver.
    """
    bb = binary(b, digits)
    # NOTE(review): b is the secret value being range-proved and is printed
    # in the clear here; remove for anything beyond experimentation.
    print("b, b in binary", b, bb)
    n_bits = len(bb)
    ai = [None] * n_bits
    Ci = [None] * n_bits
    CiH = [None] * n_bits  # Ci - 2^i H
    total_mask = MiniNero.intToHex(0)
    for i in range(0, n_bits):
        ai[i] = PaperWallet.skGen()
        total_mask = MiniNero.addScalars(total_mask, ai[i])
        Ci[i] = MiniNero.addKeys(
            MiniNero.scalarmultBase(ai[i]),
            MiniNero.scalarmultKey(getHForCT(),
                                   MiniNero.intToHex(bb[i] * 2**i)))
        two_i_H = MiniNero.scalarmultKey(getHForCT(), MiniNero.intToHex(2**i))
        CiH[i] = MiniNero.subKeys(Ci[i], two_i_H)
    L1, s2, s = ASNL.GenASNL(ai, Ci, CiH, bb)
    return sumCi(Ci), Ci, L1, s2, s, total_mask
def verRctMG(MG, pubs, outPk):
    """Check the mgSig ``MG`` of a RingCT transaction; returns true or false.

    MG    -- mgsig: key matrix ss, key vector II and key cc
    pubs  -- matrix of ctkeys [P, C], indexed pubs[col][row]
    outPk -- list of output ctkeys [P, C] for the transaction

    The key matrix is reconstructed from public data only: destination keys
    in rows 0..rows-1 and, in the last row of each column, the input
    commitments of that column minus all output commitments.
    """
    rows = len(pubs[0])
    cols = len(pubs)
    M = MLSAG2.keyMatrix(rows + 1, cols)  # initial values are all overwritten
    for j in range(0, cols):
        M[j][rows] = MiniNero.identity()
    for i in range(0, rows):
        for j in range(0, cols):
            ctkey_ji = pubs[j][i]
            M[j][i] = ctkey_ji.dest  # get the destination part
            M[j][rows] = MiniNero.addKeys(M[j][rows], ctkey_ji.mask)  # add commitment part
    # next need to subtract the commitment part of all outputs
    for j in range(0, cols):
        last_row = M[j][rows]
        for i in range(0, len(outPk)):
            last_row = MiniNero.subKeys(last_row, outPk[i].mask)
            M[j][rows] = last_row
    return MLSAG2.MLSAG_Ver(M, MG.II, MG.cc, MG.ss)
# Keychain derivation demo: add hash(pubkey || index) to both the private
# scalar and the public point.
#<tacotime> [02:35:38] so to get priv_i and pub_i
#<tacotime> [02:36:06] priv_i = (priv + hash) mod N
#<tacotime> [02:37:17] pub_i = (pub + scalarbasemult(hash))
#
# NOTE(review): the tweak is computed from public data only (pk and the
# index), so anyone who learns one child secret sk1 and knows pk can recover
# the parent secret as sk1 - hash. Treat every child key as being as
# sensitive as the parent.
import MiniNero
import PaperWallet

sk, vk, pk, pvk, addr, wl, cks = PaperWallet.keysBoth()
print("making keychain")
for i in range(1, 600):
    index_hex = MiniNero.intToHex(i)
    tweak = MiniNero.cn_fast_hash(pk + index_hex)
    sk1 = MiniNero.sc_add_keys(sk, tweak)
    pk1 = MiniNero.addKeys(pk, MiniNero.scalarmultBase(tweak))
    # The public key derived from sk1 must equal the tweaked public key.
    pk1_check = MiniNero.publicFromSecret(sk1)
    print("Check", pk1 == pk1_check)
    # NOTE(review): this writes every derived private key to stdout.
    print(sk1)
    #print("i, sk, pk", i, sk1, pk1)
# Small command-line driver: the first argument selects which MiniNero
# operation to exercise.
if len(sys.argv) >= 2:
    command = sys.argv[1]
    if command == "id":
        Translator.hexToC(MiniNero.identity())
    elif command == "smult":
        # fixed scalar so the output can be compared between runs
        a = "87a61352d86f5cb0e9d227542b6b4870b9a327d082d15ea64e0494b9a896c1ac"
        aG = MiniNero.scalarmultBase(a)
        print(aG)
        print(MiniNero.scalarmultKey(aG, a))
    elif command == "add":
        #once it's good
        # A random key is generated and then replaced by a fixed test value.
        A = PaperWallet.pkGen()
        A = "75819750158570adc58ad6f932c3704661d6cd8eafd3a14818293a17790fbf71"
        B = PaperWallet.pkGen()
        B = "5fbc56c82c6e40596c673e301b63e100f08b97723ead425ed38f2b55c7a6454f"
        AB = MiniNero.addKeys(A, B)
        Translator.hexToC(A)
        Translator.hexToC(B)
        print(AB)
        AAB = MiniNero.addKeys(AB, A)
        print("AAB", AAB)
        print("hash")
        print(MiniNero.sc_reduce_key(MiniNero.cn_fast_hash(A)))
        # the encodings of A and B double as the scalars in this check
        aAbB = MiniNero.addKeys(MiniNero.scalarmultKey(A, A),
                                MiniNero.scalarmultKey(B, B))
        print("testing addKeys3")
        print(aAbB)
    elif command == "rs":
        #once it's good
        sk = MiniNero.randomScalar()
    elif command == "mn":
        # The listing breaks off after this condition; the body of this
        # branch is not shown.
        pass
def sumCi(Cis):
    """Return the sum of all keys in ``Cis``, starting from the identity."""
    total = MiniNero.identity()
    for commitment in Cis:
        total = MiniNero.addKeys(total, commitment)
    return total
def in_commitments(input_value, sk, masks):
    """Return the input commitment C and the signing key z for it.

    Assumes a single input for now. C = sk*G + input_value*H_ct, where
    input_value equals the sum of the output values, and z = sk minus the
    sum of ``masks`` (z + sum of input mask values = sk). z is the secret
    key needed to sign for this commitment.
    """
    mask_ints = [MiniNero.hexToInt(mask_hex) for mask_hex in masks]
    # plain integer sum, re-encoded as hex before the scalar subtraction
    sum_masks = MiniNero.intToHex(sum(mask_ints))
    z = MiniNero.sc_sub_keys(sk, sum_masks)
    C = MiniNero.addKeys(
        MiniNero.scalarmultBase(sk),
        MiniNero.scalarmultKey(H_ct, input_value))
    return C, z
# Command-line test driver: sys.argv[1] picks the operation to run.
if len(sys.argv) >= 2:
    mode = sys.argv[1]
    if mode == "id":
        Translator.hexToC(MiniNero.identity())
    elif mode == "smult":
        # fixed test scalar
        a = "87a61352d86f5cb0e9d227542b6b4870b9a327d082d15ea64e0494b9a896c1ac"
        aG = MiniNero.scalarmultBase(a)
        print(aG)
        print(MiniNero.scalarmultKey(aG, a))
    elif mode == "add":
        #once it's good
        # pkGen() is still called, but its result is replaced right away by
        # a fixed key so the printed values are reproducible.
        A = PaperWallet.pkGen()
        A = "75819750158570adc58ad6f932c3704661d6cd8eafd3a14818293a17790fbf71"
        B = PaperWallet.pkGen()
        B = "5fbc56c82c6e40596c673e301b63e100f08b97723ead425ed38f2b55c7a6454f"
        AB = MiniNero.addKeys(A, B)
        Translator.hexToC(A)
        Translator.hexToC(B)
        print(AB)
        AAB = MiniNero.addKeys(AB, A)
        print("AAB", AAB)
        print("hash")
        hashed = MiniNero.cn_fast_hash(A)
        print(MiniNero.sc_reduce_key(hashed))
        # A and B are used both as points and as scalars here
        aA = MiniNero.scalarmultKey(A, A)
        bB = MiniNero.scalarmultKey(B, B)
        aAbB = MiniNero.addKeys(aA, bB)
        print("testing addKeys3")
        print(aAbB)
    elif mode == "rs":
        #once it's good
        sk = MiniNero.randomScalar()
# Check that key addition is homomorphic: the public key of a + b + c + d
# should equal the sum of the four individual public keys.
import MiniNero
import PaperWallet

q = 2**255 - 19  # field prime of curve25519
l = 2**252 + 27742317777372353535851937790883648493  # order of the base point

# Fixed test scalars; they appear in this listing and must not be reused
# as real keys.
a = 3655169758690262480859172686034352748701568204867449275194046101565641063400
b = 2196281112309589493539510630657048805544016132079821556435431458072258858680
c = 1680308020000391016811131033972168547846809685867129675902005632340344199616
d = 3102886190919558838979092227453570755967767872654511102581747930112259050736
e = sum((a, b, c, d))
# the raw sum and its reduction modulo the group order
print(e, e % l)

# the unreduced sum is what gets encoded here
pk = MiniNero.publicFromSecret(MiniNero.intToHex(e))
pka = MiniNero.publicFromSecret(MiniNero.intToHex(a))
pkb = MiniNero.publicFromSecret(MiniNero.intToHex(b))
pkc = MiniNero.publicFromSecret(MiniNero.intToHex(c))
pkd = MiniNero.publicFromSecret(MiniNero.intToHex(d))

# accumulate the public keys one at a time
A = MiniNero.addKeys(pka, pkb)
B = MiniNero.addKeys(A, pkc)
C = MiniNero.addKeys(B, pkd)
print(C)
print(pk)
# Deterministic keychain demo: hash(pubkey || index) is added to both the
# private scalar and the public point.
#<tacotime> [02:35:38] so to get priv_i and pub_i
#<tacotime> [02:36:06] priv_i = (priv + hash) mod N
#<tacotime> [02:37:17] pub_i = (pub + scalarbasemult(hash))
#
# NOTE(review): the added hash depends only on pk and the index, both
# public. A single leaked child secret together with pk therefore gives
# away the parent secret (parent = child - hash), and through it every
# other child key.
import MiniNero
import PaperWallet

sk, vk, pk, pvk, addr, wl, cks = PaperWallet.keysBoth()
print("making keychain")
for i in range(1, 600):
    index = MiniNero.intToHex(i)
    child_hash = MiniNero.cn_fast_hash(pk + index)
    hash_point = MiniNero.scalarmultBase(child_hash)
    sk1 = MiniNero.sc_add_keys(sk, child_hash)
    pk1 = MiniNero.addKeys(pk, hash_point)
    # consistency check: deriving on the secret side and on the public side
    # must give the same public key
    pk1_check = MiniNero.publicFromSecret(sk1)
    print("Check", pk1 == pk1_check)
    # NOTE(review): derived private keys are printed in the clear.
    print(sk1)
    #print("i, sk, pk", i, sk1, pk1)