def ecdhEncode(unmasked, receiverPk):
    """Mask an output's commitment mask and amount for the receiver.

    A fresh one-time key pair is generated for every call. Its public half is
    returned in ``senderPk``; its secret half is multiplied with ``receiverPk``
    and hashed to obtain the offset that is added to both fields.

    Args:
        unmasked: object carrying the plain ``mask`` and ``amount`` scalars.
        receiverPk: public key of the receiver.

    Returns:
        An ``ecdhTuple`` with ``senderPk``, ``mask`` and ``amount`` filled in.
    """
    encoded = ecdhTuple()

    # compute shared secret
    ephemeral_sk, encoded.senderPk = PaperWallet.skpkGen()
    dh_point = MiniNero.scalarmultKey(receiverPk, ephemeral_sk)
    sharedSec1 = MiniNero.cn_fast_hash(dh_point)
    sharedSec2 = MiniNero.cn_fast_hash(sharedSec1)
    # NOTE(review): sharedSec2 is derived but never used; mask and amount are
    # both offset by sharedSec1. If sc_add_keys is plain scalar addition, then
    # (rv.mask - rv.amount) equals (unmasked.mask - unmasked.amount) for anyone
    # who sees the tuple. Offsetting the amount with sharedSec2 would remove
    # that relation, but the decoding side (not visible here) has to change in
    # the same commit, so the behaviour is left as found.

    # encode
    encoded.mask = MiniNero.sc_add_keys(unmasked.mask, sharedSec1)
    encoded.amount = MiniNero.sc_add_keys(unmasked.amount, sharedSec1)
    return encoded
def ecdhEncode(unmasked, receiverPk):
    """Mask an output's commitment mask and amount for the receiver.

    A fresh one-time key pair is generated for every call. Its public half is
    returned in ``senderPk``; its secret half is multiplied with ``receiverPk``
    and hashed to obtain the offset that is added to both fields.

    Args:
        unmasked: object carrying the plain ``mask`` and ``amount`` scalars.
        receiverPk: public key of the receiver.

    Returns:
        An ``ecdhTuple`` with ``senderPk``, ``mask`` and ``amount`` filled in.
    """
    encoded = ecdhTuple()

    # compute shared secret
    ephemeral_sk, encoded.senderPk = PaperWallet.skpkGen()
    dh_point = MiniNero.scalarmultKey(receiverPk, ephemeral_sk)
    sharedSec1 = MiniNero.cn_fast_hash(dh_point)
    sharedSec2 = MiniNero.cn_fast_hash(sharedSec1)
    # NOTE(review): sharedSec2 is derived but never used; mask and amount are
    # both offset by sharedSec1. If sc_add_keys is plain scalar addition, then
    # (rv.mask - rv.amount) equals (unmasked.mask - unmasked.amount) for anyone
    # who sees the tuple. Offsetting the amount with sharedSec2 would remove
    # that relation, but the decoding side (not visible here) has to change in
    # the same commit, so the behaviour is left as found.

    # encode
    encoded.mask = MiniNero.sc_add_keys(unmasked.mask, sharedSec1)
    encoded.amount = MiniNero.sc_add_keys(unmasked.amount, sharedSec1)
    return encoded
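def proveRctMG(pubs, inSk, outSk, outPk, index):
    """Build the MLSAG key matrix for a RingCT spend and sign it.

    The matrix has one column per ring member and ``rows + 1`` rows: the first
    ``rows`` hold the destination keys, the last row holds, per column, the sum
    of that column's input commitments minus the sum of all output
    commitments. The secret vector is built the same way from the masks.

    Args:
        pubs: matrix of ctkeys [P, C], indexed ``pubs[column][row]``.
        inSk: key vector of [x, mask] secret keys (``.dest`` / ``.mask``).
        outSk: key vector whose ``.mask`` fields are the output masks.
        outPk: list of output ctkeys [P, C].
        index: secret index of the column being signed (integer).

    Returns:
        An ``mgSig`` with ``II`` (key images), ``cc`` and ``ss`` set from
        ``MLSAG2.MLSAG_Gen``.
    """
    rows = len(pubs[0])
    cols = len(pubs)
    print("rows in mg", rows)
    print("cols in mg", cols)

    # just a simple way to initialize a keymatrix, doesn't need to be random
    M = MLSAG2.keyMatrix(rows + 1, cols)
    sk = MLSAG2.keyVector(rows + 1)

    for j in range(cols):
        M[j][rows] = MiniNero.identity()
    sk[rows] = MiniNero.sc_0()

    for i in range(rows):
        sk[i] = inSk[i].dest  # destination part
        sk[rows] = MiniNero.sc_add_keys(sk[rows], inSk[i].mask)  # commitment part
        for j in range(cols):
            M[j][i] = pubs[j][i].dest  # destination part
            M[j][rows] = MiniNero.addKeys(M[j][rows], pubs[j][i].mask)  # commitment part

    # Subtract the commitment part of all outputs.
    # The secret side and the public side are handled in separate loops: the
    # original drove the column index of M from len(outSk), so the outputs were
    # only subtracted from every ring column when cols happened to equal
    # len(outSk). The last-row key of column `index` must match sk[rows], and a
    # verifier rebuilding M from pubs/outPk subtracts the outputs from every
    # column, so all `cols` columns are covered here.
    for k in range(len(outSk)):
        sk[rows] = MiniNero.sc_sub_keys(sk[rows], outSk[k].mask)
    for j in range(cols):
        for i in range(len(outPk)):
            M[j][rows] = MiniNero.subKeys(M[j][rows], outPk[i].mask)

    MG = mgSig()
    MG.II, MG.cc, MG.ss = MLSAG2.MLSAG_Gen(M, sk, index)
    return MG  # mgSig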
def GenASNL(x, P1, P2, indices):
    """Generate an Aggregate Schnorr Non-Linkable ring signature.

    ``x``, ``P1`` and ``P2`` are key vectors of the same length; row ``j`` is
    signed with ``GenSchnorrNonLinkable(x[j], P1[j], P2[j], indices[j])``.
    ``indices[j]`` specifies which column of row ``j`` is signed for, i.e. the
    first or the second key.

    Returns:
        ``(L1, s2, s)``: the per-row ``L1`` and ``s2`` values as lists, and
        ``s``, the ``sc_add_keys`` sum of the per-row ``s1`` values starting
        from ``intToHex(0)``.
    """
    n = len(x)
    print("Generating Aggregate Schnorr Non-linkable Ring Signature")

    first_parts = []
    second_responses = []
    aggregate = MiniNero.intToHex(0)
    for row in range(n):
        l1_row, s1_row, s2_row = GenSchnorrNonLinkable(
            x[row], P1[row], P2[row], indices[row]
        )
        first_parts.append(l1_row)
        second_responses.append(s2_row)
        # only the running sum of the s1 values is returned, not each s1
        aggregate = MiniNero.sc_add_keys(aggregate, s1_row)
    return first_parts, second_responses, aggregate
def GenASNL(x, P1, P2, indices):
    """Generate an Aggregate Schnorr Non-Linkable ring signature.

    ``x``, ``P1`` and ``P2`` are key vectors of the same length; row ``j`` is
    signed with ``GenSchnorrNonLinkable(x[j], P1[j], P2[j], indices[j])``.
    ``indices[j]`` specifies which column of row ``j`` is signed for, i.e. the
    first or the second key.

    Returns:
        ``(L1, s2, s)``: the per-row ``L1`` and ``s2`` values as lists, and
        ``s``, the ``sc_add_keys`` sum of the per-row ``s1`` values starting
        from ``intToHex(0)``.
    """
    n = len(x)
    print("Generating Aggregate Schnorr Non-linkable Ring Signature")

    first_parts = []
    second_responses = []
    aggregate = MiniNero.intToHex(0)
    for row in range(n):
        l1_row, s1_row, s2_row = GenSchnorrNonLinkable(
            x[row], P1[row], P2[row], indices[row]
        )
        first_parts.append(l1_row)
        second_responses.append(s2_row)
        # only the running sum of the s1 values is returned, not each s1
        aggregate = MiniNero.sc_add_keys(aggregate, s1_row)
    return first_parts, second_responses, aggregate
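def proveRctMG(pubs, inSk, outSk, outPk, index):
    """Build the MLSAG key matrix for a RingCT spend and sign it.

    The matrix has one column per ring member and ``rows + 1`` rows: the first
    ``rows`` hold the destination keys, the last row holds, per column, the sum
    of that column's input commitments minus the sum of all output
    commitments. The secret vector is built the same way from the masks.

    Args:
        pubs: matrix of ctkeys [P, C], indexed ``pubs[column][row]``.
        inSk: key vector of [x, mask] secret keys (``.dest`` / ``.mask``).
        outSk: key vector whose ``.mask`` fields are the output masks.
        outPk: list of output ctkeys [P, C].
        index: secret index of the column being signed (integer).

    Returns:
        An ``mgSig`` with ``II`` (key images), ``cc`` and ``ss`` set from
        ``MLSAG2.MLSAG_Gen``.
    """
    rows = len(pubs[0])
    cols = len(pubs)
    print("rows in mg", rows)
    print("cols in mg", cols)

    # just a simple way to initialize a keymatrix, doesn't need to be random
    M = MLSAG2.keyMatrix(rows + 1, cols)
    sk = MLSAG2.keyVector(rows + 1)

    for j in range(cols):
        M[j][rows] = MiniNero.identity()
    sk[rows] = MiniNero.sc_0()

    for i in range(rows):
        sk[i] = inSk[i].dest  # destination part
        sk[rows] = MiniNero.sc_add_keys(sk[rows], inSk[i].mask)  # commitment part
        for j in range(cols):
            M[j][i] = pubs[j][i].dest  # destination part
            M[j][rows] = MiniNero.addKeys(M[j][rows], pubs[j][i].mask)  # commitment part

    # Subtract the commitment part of all outputs.
    # The secret side and the public side are handled in separate loops: the
    # original drove the column index of M from len(outSk), so the outputs were
    # only subtracted from every ring column when cols happened to equal
    # len(outSk). The last-row key of column `index` must match sk[rows], and a
    # verifier rebuilding M from pubs/outPk subtracts the outputs from every
    # column, so all `cols` columns are covered here.
    for k in range(len(outSk)):
        sk[rows] = MiniNero.sc_sub_keys(sk[rows], outSk[k].mask)
    for j in range(cols):
        for i in range(len(outPk)):
            M[j][rows] = MiniNero.subKeys(M[j][rows], outPk[i].mask)

    MG = mgSig()
    MG.II, MG.cc, MG.ss = MLSAG2.MLSAG_Gen(M, sk, index)
    return MG  # mgSig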
# Keychain demo: add hash(pubkey || index) to both the private scalar and the
# public point.
#<tacotime> [02:35:38] so to get priv_i and pub_i
#<tacotime> [02:36:06] priv_i = (priv + hash) mod N
#<tacotime> [02:37:17] pub_i = (pub + scalarbasemult(hash))
#
# NOTE(review): the tweak is computed from public data only (pk and the index).
# Anyone holding a single derived secret sk_i and the master public key can
# therefore recompute the tweak and recover the master secret (sk = sk_i - hash).
# A derived secret has to be protected like the master key itself.
import MiniNero
import PaperWallet

sk, vk, pk, pvk, addr, wl, cks = PaperWallet.keysBoth()

print("making keychain")
for i in range(1, 600):
    index = MiniNero.intToHex(i)
    tweak = MiniNero.cn_fast_hash(pk + index)

    # derive the child pair from the same tweak on both sides
    sk1 = MiniNero.sc_add_keys(sk, tweak)
    pk1 = MiniNero.addKeys(pk, MiniNero.scalarmultBase(tweak))

    # the public key recomputed from the child secret must match pk1
    pk1_check = MiniNero.publicFromSecret(sk1)
    print("Check", pk1 == pk1_check)

    # NOTE(review): this writes every derived secret key to stdout, where it
    # ends up in terminal scrollback and any captured logs.
    print(sk1)
    #print("i, sk, pk", i, sk1, pk1)
print("outputs")
# Two outputs (7000 and 3000), each with its own range proof.
b = 7000
Cib, L1b, s2b, sb, skb = RingCT.genRangeProof(b, digits)
c = 3000
Cic, L1c, s2c, sc, skc = RingCT.genRangeProof(c, digits)

print("verifying range proofs of outputs")
# NOTE(review): the results of both verRangeProof calls are discarded. If
# verRangeProof reports validity through its return value, a failed proof goes
# unnoticed here -- confirm against RingCT.verRangeProof.
RingCT.verRangeProof(Cib, L1b, s2b, sb)
RingCT.verRangeProof(Cic, L1c, s2c, sc)

x, P1 = PaperWallet.skpkGen()
P2 = PaperWallet.pkGen()
C2 = PaperWallet.pkGen()  # some random commitment grabbed from the blockchain
ind = 0  # column 0 holds the keys we can sign for

Ca = RingCT.sumCi(Cia)
Cb = RingCT.sumCi(Cib)
Cc = RingCT.sumCi(Cic)

# Second row: input mask minus the output masks on the secret side, input
# commitment minus the output commitments on the public side (presumably a
# commitment to zero in the signer's column when the amounts balance).
sk = [
    x,
    MiniNero.sc_sub_keys(ska, MiniNero.sc_add_keys(skb, skc)),
]
pk = [
    [P1, P2],
    [
        MiniNero.subKeys(Ca, MiniNero.addKeys(Cb, Cc)),
        MiniNero.subKeys(C2, MiniNero.addKeys(Cb, Cc)),
    ],
]

II, cc, ssVal = MLSAG.MLSAG_Sign(pk, sk, ind)
print("Sig verified?", MLSAG.MLSAG_Ver(pk, II, cc, ssVal))

print("Finding received amount corresponding to Cib")
RingCT.ComputeReceivedAmount(
    pe,
    sr,
    MiniNero.addScalars(ss1, skb),
    MiniNero.addScalars(ss2, MiniNero.intToHex(b)),
    Cib,
    9,
)
print("Finding received amount corresponding to Cic")
RingCT.ComputeReceivedAmount(
    pe,
    sr,
    MiniNero.addScalars(ss1, skc),
    MiniNero.addScalars(ss2, MiniNero.intToHex(c)),
    Cic,
    9,
)

if sys.argv[1] == "MLSAG":
    # below is example usage. Uncomment each line for testing
    N = 3  # cols
    R = 3  # rows
    x = [[None] * N]  # just used to generate test public keys
    sk = [None] * R  # vector of secret keys
    P = [[None] * N]  # stores the public keys
# Two outputs (7000 and 3000), each with its own range proof.
b = 7000
Cib, L1b, s2b, sb, skb = RingCT.genRangeProof(b, digits)
c = 3000
Cic, L1c, s2c, sc, skc = RingCT.genRangeProof(c, digits)

print("verifying range proofs of outputs")
# NOTE(review): the results of both verRangeProof calls are discarded. If
# verRangeProof reports validity through its return value, a failed proof goes
# unnoticed here -- confirm against RingCT.verRangeProof.
RingCT.verRangeProof(Cib, L1b, s2b, sb)
RingCT.verRangeProof(Cic, L1c, s2c, sc)

x, P1 = PaperWallet.skpkGen()
P2 = PaperWallet.pkGen()
C2 = PaperWallet.pkGen()  # some random commitment grabbed from the blockchain
ind = 0  # column 0 holds the keys we can sign for

Ca = RingCT.sumCi(Cia)
Cb = RingCT.sumCi(Cib)
Cc = RingCT.sumCi(Cic)

# Second row: input mask minus the output masks on the secret side, input
# commitment minus the output commitments on the public side (presumably a
# commitment to zero in the signer's column when the amounts balance).
sk = [
    x,
    MiniNero.sc_sub_keys(ska, MiniNero.sc_add_keys(skb, skc)),
]
pk = [
    [P1, P2],
    [
        MiniNero.subKeys(Ca, MiniNero.addKeys(Cb, Cc)),
        MiniNero.subKeys(C2, MiniNero.addKeys(Cb, Cc)),
    ],
]

II, cc, ssVal = MLSAG.MLSAG_Sign(pk, sk, ind)
print("Sig verified?", MLSAG.MLSAG_Ver(pk, II, cc, ssVal))

print("Finding received amount corresponding to Cib")
RingCT.ComputeReceivedAmount(
    pe,
    sr,
    MiniNero.addScalars(ss1, skb),
    MiniNero.addScalars(ss2, MiniNero.intToHex(b)),
    Cib,
    9,
)
print("Finding received amount corresponding to Cic")
RingCT.ComputeReceivedAmount(
    pe,
    sr,
    MiniNero.addScalars(ss1, skc),
    MiniNero.addScalars(ss2, MiniNero.intToHex(c)),
    Cic,
    9,
)
#ring sig on the above, with sk masks_i return I_Proofs, c0s, ss, C_is H_ct = getHForCT() print("H", H_ct) a = MiniNero.intToHex(49) b1 = MiniNero.intToHex(30) b2 = MiniNero.intToHex(20) x_priv = PaperWallet.skGen() #our private key x_commit = PaperWallet.skGen() # our private commitment key #x_commit = x_priv #do with x_priv = x_commit first... , then modify by adding another mask Pk1 = MiniNero.scalarmultBase(x_priv) #our public key Pk2 = MiniNero.scalarmultBase(PaperWallet.skGen()) #other sk (we don't know it print("xpriv, Pk1, Pk2", x_priv, Pk1, Pk2) C_out, out_masks, sumMasks, values2 = out_commitments([b1, b2]) #testing rangeProofs print("testing range proofs") I_proofs, c0s, ss, Ci_s = rangeProof(values2[0], out_masks[0]) print("Iproofs, c0s, ss", I_proofs, c0s, ss) print("C_out, outmasks", C_out, sumMasks) C_in, z = in_commitments(a, x_commit, sumMasks) print("C_in, z", C_in, z) I, c0, s, PP = CT_ring_sig([Pk1, Pk2], C_in, C_out, MiniNero.sc_add_keys(x_priv, z), 0) LLW_Sigs.LLW_Ver(PP, I, c0, s)
# Keychain demo: add hash(pubkey || index) to both the private scalar and the
# public point.
#<tacotime> [02:35:38] so to get priv_i and pub_i
#<tacotime> [02:36:06] priv_i = (priv + hash) mod N
#<tacotime> [02:37:17] pub_i = (pub + scalarbasemult(hash))
#
# NOTE(review): the tweak is computed from public data only (pk and the index).
# Anyone holding a single derived secret sk_i and the master public key can
# therefore recompute the tweak and recover the master secret (sk = sk_i - hash).
# A derived secret has to be protected like the master key itself.
import MiniNero
import PaperWallet

sk, vk, pk, pvk, addr, wl, cks = PaperWallet.keysBoth()

print("making keychain")
for i in range(1, 600):
    index = MiniNero.intToHex(i)
    tweak = MiniNero.cn_fast_hash(pk + index)

    # derive the child pair from the same tweak on both sides
    sk1 = MiniNero.sc_add_keys(sk, tweak)
    pk1 = MiniNero.addKeys(pk, MiniNero.scalarmultBase(tweak))

    # the public key recomputed from the child secret must match pk1
    pk1_check = MiniNero.publicFromSecret(sk1)
    print("Check", pk1 == pk1_check)

    # NOTE(review): this writes every derived secret key to stdout, where it
    # ends up in terminal scrollback and any captured logs.
    print(sk1)
    #print("i, sk, pk", i, sk1, pk1)
# NOTE: this excerpt opens inside the loop of a function whose header is not
# part of the excerpt; the loop tail and the return are kept as found.
        # NOTE(review): masks_i[i] is used as the signing secret in the LLW_Sig
        # call below, and this line prints it together with the commitments.
        print("generating LLWsig for range proof from Cis, masks, couts", C_is[i], masks_i[i], C_out_i[i])
        I_Proofs[i], c0s[i], ss[i] = LLW_Sigs.LLW_Sig(C_is[i], masks_i[i], MiniNero.hexToInt(C_out_i[i]))  # ring sig on the above, with sk masks_i
    return I_Proofs, c0s, ss, C_is


H_ct = getHForCT()
print("H", H_ct)

# input amount and the two output amounts, as hex scalars
a = MiniNero.intToHex(49)
b1 = MiniNero.intToHex(30)
b2 = MiniNero.intToHex(20)

x_priv = PaperWallet.skGen()  # our private key
x_commit = PaperWallet.skGen()  # our private commitment key
#x_commit = x_priv #do with x_priv = x_commit first... , then modify by adding another mask

Pk1 = MiniNero.scalarmultBase(x_priv)  # our public key
Pk2 = MiniNero.scalarmultBase(PaperWallet.skGen())  # other sk (we don't know it)
# NOTE(review): x_priv is the private key; this line writes it to stdout along
# with the two public keys.
print("xpriv, Pk1, Pk2", x_priv, Pk1, Pk2)

C_out, out_masks, sumMasks, values2 = out_commitments([b1, b2])

# testing rangeProofs
print("testing range proofs")
I_proofs, c0s, ss, Ci_s = rangeProof(values2[0], out_masks[0])
print("Iproofs, c0s, ss", I_proofs, c0s, ss)

print("C_out, outmasks", C_out, sumMasks)
C_in, z = in_commitments(a, x_commit, sumMasks)
print("C_in, z", C_in, z)

# sign at ring position 0 with the private key offset by z
signing_key = MiniNero.sc_add_keys(x_priv, z)
I, c0, s, PP = CT_ring_sig([Pk1, Pk2], C_in, C_out, signing_key, 0)
# NOTE(review): the result of LLW_Ver is not captured or printed here; whether
# a failed verification is reported depends on LLW_Ver itself -- confirm.
LLW_Sigs.LLW_Ver(PP, I, c0, s)