def ver_range(C=None, rsig=None, use_bulletproof=False, decode=True):
"""
Verifies that \sum Ci = C and that each Ci is a commitment to 0 or 2^i
:param C:
:param rsig:
:param use_bulletproof: bulletproof
:param decode: decodes encoded range proof
:return:
"""
n = ATOMS
CiH = [None] * n
C_tmp = crypto.identity()
c_H = crypto.xmr_H()
if decode and not use_bulletproof:
rsig = monero.recode_rangesig(rsig, encode=False, copy=True)
if not use_bulletproof:
for i in range(0, n):
CiH[i] = crypto.point_sub(rsig.Ci[i], c_H)
C_tmp = crypto.point_add(C_tmp, rsig.Ci[i])
c_H = crypto.point_double(c_H)
if C is not None and not crypto.point_eq(C_tmp, C):
return 0
if use_bulletproof:
bp = bulletproof.BulletProofBuilder()
return bp.verify(rsig)
return mlsag2.ver_borromean(rsig.Ci, CiH, rsig.asig.s0, rsig.asig.s1,
rsig.asig.ee)
def construct_pending_tsx(tx, cd):
"""
Dummy pending transaction record from real transaction + construction data.
Tx key is not sent to untrusted wallet.
Same logic as in wallet2.cpp:sign_tx
:param tx:
:param cd:
:return:
"""
pending = xmrtypes.PendingTransaction(
tx=tx,
dust=0,
fee=0,
dust_added_to_fee=False,
change_dts=cd.change_dts,
selected_transfers=cd.selected_transfers,
key_images="",
tx_key=crypto.identity(True),
additional_tx_keys=[],
dests=cd.dests,
multisig_sigs=[],
construction_data=cd,
)
return pending
def ver_range(C=None, rsig=None, use_asnl=False, decode=True):
"""
Verifies that \sum Ci = C and that each Ci is a commitment to 0 or 2^i
:param C:
:param rsig:
:param use_asnl: use ASNL, used before Borromean, insecure!
:param decode: decodes encoded range proof
:return:
"""
n = ATOMS
CiH = [None] * n
C_tmp = crypto.identity()
c_H = crypto.gen_H()
if decode:
rsig = monero.recode_rangesig(rsig, encode=False, copy=True)
for i in range(0, n):
CiH[i] = crypto.point_sub(rsig.Ci[i], c_H)
C_tmp = crypto.point_add(C_tmp, rsig.Ci[i])
c_H = crypto.point_double(c_H)
if C is not None and not crypto.point_eq(C_tmp, C):
return 0
if use_asnl:
return asnl.ver_asnl(rsig.Ci, CiH, rsig.asig.s0, rsig.asig.s1,
rsig.asig.ee)
else:
return mlsag2.ver_borromean(rsig.Ci, CiH, rsig.asig.s0, rsig.asig.s1,
rsig.asig.ee)
def scan_output(creds, tx, i, tx_scan_info, tx_money_got_in_outs, outs,
multisig):
"""
Wallet2::scan_output()
Computes spending key, key image, decodes ECDH info, amount, checks masks.
"""
if multisig:
tx_scan_info.in_ephemeral = 0
tx_scan_info.ki = crypto.identity()
else:
out_dec = crypto.decodepoint(tx.vout[i].target.key)
res = generate_key_image_helper_precomp(creds, out_dec,
tx_scan_info.received[1], i,
tx_scan_info.received[0])
tx_scan_info.in_ephemeral, tx_scan_info.ki = res
if not tx_scan_info.ki:
raise ValueError("Key error generation failed")
outs.append(i)
if tx_scan_info.money_transfered == 0:
res2 = ecdh_decode_rv(tx.rct_signatures, tx_scan_info.received[1], i)
tx_scan_info.money_transfered, tx_scan_info.mask = res2
tx_scan_info.money_transfered = crypto.sc_get64(
tx_scan_info.money_transfered)
tx_money_got_in_outs[
tx_scan_info.received[0]] += tx_scan_info.money_transfered
tx_scan_info.amount = tx_scan_info.money_transfered
return tx_scan_info
def sum_Ci(Cis):
"""
Sums points
:param Cis:
:return:
"""
CSum = crypto.identity()
for i in Cis:
CSum = crypto.point_add(CSum, i)
return CSum
def decode_rct(rv, sk, i):
"""
c.f. http:#eprint.iacr.org/2015/1098 section 5.1.1
Uses the attached ecdh info to find the amounts represented by each output commitment
must know the destination private key to find the correct amount, else will return a random number
:param rv:
:param sk:
:param i:
:return:
"""
decodedTuple = ecdh_decode(rv.ecdhInfo[i], sk)
mask = decodedTuple.mask
amount = decodedTuple.amount
C = rv.outPk[i].mask
H = crypto.xmr_H()
Ctmp = crypto.point_add(crypto.scalarmult_base(mask), crypto.scalarmult(H, amount))
if not crypto.point_eq(crypto.point_sub(C, Ctmp), crypto.identity()):
logger.warning("warning, amount decoded incorrectly, will be unable to spend")
return amount
def ver_rct_mg(mg, pubs, out_pk, txn_fee_key, message):
"""
Verifies the above sig is created corretly
:param mg:
:param pubs: matrix of EC points, encoded
:param out_pk:
:param txn_fee_key:
:param message:
:return:
"""
cols = len(pubs)
if cols == 0:
raise ValueError("Empty pubs")
rows = len(pubs[0])
if rows == 0:
raise ValueError("Empty pubs[0]")
for i in range(cols):
if len(pubs[i]) != rows:
raise ValueError("pubs is not rectangular")
M = key_matrix(rows + 1, cols)
for i in range(cols):
M[i][rows] = crypto.identity()
for j in range(rows):
for i in range(cols):
M[i][j] = crypto.decodepoint(pubs[i][j].dest)
M[i][rows] = crypto.point_add(
M[i][rows], crypto.decodepoint(
pubs[i][j].commitment)) # add Ci in last row
for i in range(cols):
for j in range(len(out_pk)):
M[i][rows] = crypto.point_sub(
M[i][rows], crypto.decodepoint(
out_pk[j].mask)) # subtract output Ci's in last row
# subtract txn fee output in last row
M[i][rows] = crypto.point_sub(M[i][rows], txn_fee_key)
return ver_mlsag_ext(message, M, mg, rows)
async def verify_key(self):
priv = self._fetch_decrypt_key()
pub = crypto.decodepoint(self._fetch())
computed_pub = crypto.identity()
verified = 0
if self.c_p1 == 0:
computed_pub = crypto.scalarmult_base(priv)
elif self.c_p1 == 1:
pub = self.A
elif self.c_p1 == 2:
pub = self.B
else:
return SW_WRONG_P1P2
if crypto.point_eq(computed_pub, pub):
verified = 1
self._insert_u32(verified)
self._insert(self.creds.address)
return SW_OK
def prove_range_mem(amount, last_mask=None):
"""
Memory optimized range proof.
Gives C, and mask such that \sumCi = C
c.f. http:#eprint.iacr.org/2015/1098 section 5.1
Ci is a commitment to either 0 or 2^i, i=0,...,63
thus this proves that "amount" is in [0, 2^ATOMS]
mask is a such that C = aG + bH, and b = amount
:param amount:
:param last_mask: ai[ATOMS-1] will be computed as \sum_{i=0}^{ATOMS-2} a_i - last_mask
:return: sumCi, mask, RangeSig.
sumCi is Pedersen commitment on the amount value. sumCi = aG + amount*H
mask is "a" from the Pedersent commitment above.
"""
n = ATOMS
bb = d2b(amount, n) # gives binary form of bb in "digits" binary digits
ai = [None] * len(bb)
Ci = [None] * len(bb)
a = crypto.sc_0()
C = crypto.identity()
alpha = mlsag2.key_zero_vector(n)
s1 = mlsag2.key_zero_vector(n)
c_H = crypto.xmr_H()
kck = crypto.get_keccak() # ee computation
# First pass, generates: ai, alpha, Ci, ee, s1
for ii in range(n):
ai[ii] = crypto.random_scalar()
if last_mask is not None and ii == ATOMS - 1:
ai[ii] = crypto.sc_sub(last_mask, a)
a = crypto.sc_add(
a, ai[ii]
) # creating the total mask since you have to pass this to receiver...
alpha[ii] = crypto.random_scalar()
L = crypto.scalarmult_base(alpha[ii])
if bb[ii] == 0:
Ci[ii] = crypto.scalarmult_base(ai[ii])
else:
Ci[ii] = crypto.point_add(crypto.scalarmult_base(ai[ii]), c_H)
C = crypto.point_add(C, Ci[ii])
if bb[ii] == 0:
s1[ii] = crypto.random_scalar()
c = crypto.hash_to_scalar(crypto.encodepoint(L))
L = crypto.add_keys2(s1[ii], c, crypto.point_sub(Ci[ii], c_H))
kck.update(crypto.encodepoint(L))
else:
kck.update(crypto.encodepoint(L))
c_H = crypto.point_double(c_H)
# Compute ee, memory cleanup
ee = crypto.decodeint(kck.digest())
del kck
# Second phase computes: s0, s1
c_H = crypto.xmr_H()
s0 = mlsag2.key_zero_vector(n)
for jj in range(n):
if not bb[jj]:
s0[jj] = crypto.sc_mulsub(ai[jj], ee, alpha[jj])
else:
s0[jj] = crypto.random_scalar()
LL = crypto.add_keys2(s0[jj], ee, Ci[jj])
cc = crypto.hash_to_scalar(crypto.encodepoint(LL))
s1[jj] = crypto.sc_mulsub(ai[jj], cc, alpha[jj])
c_H = crypto.point_double(c_H)
A = xmrtypes.BoroSig()
A.s0, A.s1, A.ee = s0, s1, ee
R = xmrtypes.RangeSig()
R.asig = A
R.Ci = Ci
return C, a, R
def prove_range_chunked(amount, last_mask=None):
a = crypto.sc_init(0)
si = crypto.sc_init(0)
c = crypto.sc_init(0)
ee = crypto.sc_init(0)
tmp_ai = crypto.sc_init(0)
tmp_alpha = crypto.sc_init(0)
C_acc = crypto.identity()
C_h = crypto.xmr_H()
C_tmp = crypto.identity()
L = crypto.identity()
Zero = crypto.identity()
kck = crypto.get_keccak()
ai = bytearray(32 * 64)
alphai = bytearray(32 * 64)
buff = bytearray(32)
Cis = bytearray(32 * 64)
s0s = bytearray(32 * 64)
s1s = bytearray(32 * 64)
ee_bin = bytearray(32)
for ii in range(64):
crypto.random_scalar_into(tmp_ai)
if last_mask is not None and ii == 63:
crypto.sc_sub_into(tmp_ai, last_mask, a)
crypto.sc_add_into(a, a, tmp_ai)
crypto.random_scalar_into(tmp_alpha)
crypto.scalarmult_base_into(L, tmp_alpha)
crypto.scalarmult_base_into(C_tmp, tmp_ai)
# C_tmp += &Zero if BB(ii) == 0 else &C_h
crypto.point_add_into(C_tmp, C_tmp, Zero if
((amount >> ii) & 1) == 0 else C_h)
crypto.point_add_into(C_acc, C_acc, C_tmp)
# Set Ci[ii] to sigs
crypto.encodepoint_into(Cis, C_tmp, ii << 5)
crypto.encodeint_into(ai, tmp_ai, ii << 5)
crypto.encodeint_into(alphai, tmp_alpha, ii << 5)
if ((amount >> ii) & 1) == 0:
crypto.random_scalar_into(si)
crypto.encodepoint_into(buff, L)
crypto.hash_to_scalar_into(c, buff)
crypto.point_sub_into(C_tmp, C_tmp, C_h)
crypto.add_keys2_into(L, si, c, C_tmp)
crypto.encodeint_into(s1s, si, ii << 5)
crypto.encodepoint_into(buff, L)
kck.update(buff)
crypto.point_double_into(C_h, C_h)
# Compute ee
tmp_ee = kck.digest()
crypto.decodeint_into(ee, tmp_ee)
del (tmp_ee, kck)
C_h = crypto.xmr_H()
gc.collect()
# Second pass, s0, s1
for ii in range(64):
crypto.decodeint_into(tmp_alpha, alphai, ii << 5)
crypto.decodeint_into(tmp_ai, ai, ii << 5)
if ((amount >> ii) & 1) == 0:
crypto.sc_mulsub_into(si, tmp_ai, ee, tmp_alpha)
crypto.encodeint_into(s0s, si, ii << 5)
else:
crypto.random_scalar_into(si)
crypto.encodeint_into(s0s, si, ii << 5)
crypto.decodepoint_into(C_tmp, Cis, ii << 5)
crypto.add_keys2_into(L, si, ee, C_tmp)
crypto.encodepoint_into(buff, L)
crypto.hash_to_scalar_into(c, buff)
crypto.sc_mulsub_into(si, tmp_ai, c, tmp_alpha)
crypto.encodeint_into(s1s, si, ii << 5)
crypto.point_double_into(C_h, C_h)
crypto.encodeint_into(ee_bin, ee)
del (ai, alphai, buff, tmp_ai, tmp_alpha, si, c, ee, C_tmp, C_h, L, Zero)
gc.collect()
return C_acc, a, [s0s, s1s, ee_bin, Cis]
def prove_rct_mg(message, pubs, in_sk, out_sk, out_pk, kLRki, mscout, index,
txn_fee_key):
"""
c.f. http://eprint.iacr.org/2015/1098 section 4. definition 10.
This does the MG sig on the "dest" part of the given key matrix, and
the last row is the sum of input commitments from that column - sum output commitments
this shows that sum inputs = sum outputs
:param message:
:param pubs: matrix of CtKeys. points are encoded.
:param in_sk:
:param out_sk:
:param out_pk:
:param kLRki:
:param mscout:
:param index:
:param txn_fee_key:
:return:
"""
cols = len(pubs)
if cols == 0:
raise ValueError("Empty pubs")
rows = len(pubs[0])
if rows == 0:
raise ValueError("Empty pub row")
for i in range(cols):
if len(pubs[i]) != rows:
raise ValueError("pub is not rectangular")
if len(in_sk) != rows:
raise ValueError("Bad inSk size")
if len(out_sk) != len(out_pk):
raise ValueError("Bad outsk/putpk size")
if (not kLRki or not mscout) and (kLRki and mscout):
raise ValueError("Only one of kLRki/mscout is present")
sk = key_vector(rows + 1)
M = key_matrix(rows + 1, cols)
for i in range(rows + 1):
sk[i] = crypto.sc_0()
for i in range(cols):
M[i][rows] = crypto.identity()
for j in range(rows):
M[i][j] = crypto.decodepoint(pubs[i][j].dest)
M[i][rows] = crypto.point_add(
M[i][rows], crypto.decodepoint(pubs[i][j].commitment))
sk[rows] = crypto.sc_0()
for j in range(rows):
sk[j] = in_sk[j].dest
sk[rows] = crypto.sc_add(sk[rows],
in_sk[j].mask) # add masks in last row
for i in range(cols):
for j in range(len(out_pk)):
M[i][rows] = crypto.point_sub(
M[i][rows], crypto.decodepoint(
out_pk[j].mask)) # subtract output Ci's in last row
# Subtract txn fee output in last row
M[i][rows] = crypto.point_sub(M[i][rows], txn_fee_key)
for j in range(len(out_pk)):
sk[rows] = crypto.sc_sub(
sk[rows], out_sk[j].mask) # subtract output masks in last row
return gen_mlsag_ext(message, M, sk, kLRki, mscout, index, rows)
def __eq__(self, other):
if other == INFINITY:
return crypto.point_eq(self._key, crypto.identity())
return crypto.point_eq(self._key, other._key)
