def __init__(self, trezor=None, creds=None, state=None, **kwargs):
self.trezor = trezor
self.creds = creds
self.key_master = None
self.key_hmac = None
self.key_enc = None
self.r = None # txkey
self.r_pub = None
self.state = None
self.multi_sig = False
self.need_additional_txkeys = False
self.use_bulletproof = False
self.use_rct = True
self.use_simple_rct = False
self.input_count = 0
self.output_count = 0
self.output_change = None
self.mixin = 0
self.fee = 0
self.additional_tx_private_keys = []
self.additional_tx_public_keys = []
self.inp_idx = -1
self.out_idx = -1
self.summary_inputs_money = 0
self.summary_outs_money = 0
self.input_secrets = []
self.input_alphas = []
self.input_pseudo_outs = []
self.output_sk = []
self.output_pk = []
self.sumout = crypto.sc_0()
self.sumpouts_alphas = crypto.sc_0()
self.subaddresses = {}
self.tx = None
self.source_permutation = [] # sorted by key images
self.tx_prefix_hasher = None
self.tx_prefix_hash = None
self.full_message_hasher = None
self.full_message = None
self.exp_tx_prefix_hash = None
if state is None:
self._init()
else:
self.state_load(state)
def ver_asnl(P1, P2, L1, s2, s):
"""
Aggregate Schnorr Non-Linkable
:param P1:
:param P2:
:param L1:
:param s2:
:param s:
:return:
"""
logger.info("Verifying Aggregate Schnorr Non-linkable Ring Signature")
n = len(P1)
LHS = crypto.scalarmult_base(crypto.sc_0())
RHS = crypto.scalarmult_base(s)
for j in range(0, n):
c2 = crypto.hash_to_scalar(crypto.encodepoint(L1[j]))
L2 = crypto.point_add(crypto.scalarmult_base(s2[j]),
crypto.scalarmult(P2[j], c2))
LHS = crypto.point_add(LHS, L1[j])
c1 = crypto.hash_to_scalar(crypto.encodepoint(L2))
RHS = crypto.point_add(RHS, crypto.scalarmult(P1[j], c1))
if crypto.point_eq(LHS, RHS):
return 1
else:
logger.warning("Didn't verify L1: %s, L1p: %s" %
(crypto.encodepoint(LHS), crypto.encodepoint(RHS)))
return 0
def gen_asnl(x, P1, P2, indices):
"""
Aggregate Schnorr Non-Linkable
x, P1, P2, are key vectors here, but actually you
indices specifices which column of the given row of the key vector you sign.
the key vector with the first or second key
:param x:
:param P1:
:param P2:
:param indices:
:return:
"""
n = len(x)
logger.info("Generating Aggregate Schnorr Non-linkable Ring Signature")
L1 = [None] * n
s1 = [None] * n
s2 = [None] * n
s = crypto.sc_0()
for j in range(0, n):
L1[j], s1[j], s2[j] = gen_schnorr_non_linkable(x[j], P1[j], P2[j],
indices[j])
s = crypto.sc_add(s, s1[j])
return L1, s2, s
def check_ring_singature(prefix_hash, image, pubs, sig):
"""
Checks ring signature generated with generate_ring_signature
"""
image_unp = crypto.ge_frombytes_vartime(image)
image_pre = crypto.ge_dsm_precomp(image_unp)
buff_off = len(prefix_hash)
buff = bytearray(buff_off + 2 * 32 * len(pubs))
memcpy(buff, 0, prefix_hash, 0, buff_off)
mvbuff = memoryview(buff)
sum = crypto.sc_0()
for i in range(len(pubs)):
if crypto.sc_check(sig[i][0]) != 0 or crypto.sc_check(sig[i][1]) != 0:
return False
tmp3 = crypto.ge_frombytes_vartime(pubs[i])
tmp2 = crypto.ge_double_scalarmult_base_vartime(
sig[i][0], tmp3, sig[i][1])
crypto.encodepoint_into(mvbuff[buff_off:buff_off + 32], tmp2)
buff_off += 32
tmp3 = crypto.hash_to_point(crypto.encodepoint(pubs[i]))
tmp2 = crypto.ge_double_scalarmult_precomp_vartime(
sig[i][1], tmp3, sig[i][0], image_pre)
crypto.encodepoint_into(mvbuff[buff_off:buff_off + 32], tmp2)
buff_off += 32
sum = crypto.sc_add(sum, sig[i][0])
h = crypto.hash_to_scalar(buff)
h = crypto.sc_sub(h, sum)
return crypto.sc_isnonzero(h) == 0
def check_ring_singature(prefix_hash, image, pubs, sig):
"""
Checks ring signature generated with generate_ring_signature
:param prefix_hash:
:param image:
:param pubs:
:param sig:
:return:
"""
image_unp = crypto.ge_frombytes_vartime(image)
image_pre = crypto.ge_dsm_precomp(image_unp)
buff = b"" + prefix_hash
sum = crypto.sc_0()
for i in range(len(pubs)):
if crypto.sc_check(sig[i][0]) != 0 or crypto.sc_check(sig[i][1]) != 0:
return False
tmp3 = crypto.ge_frombytes_vartime(pubs[i])
tmp2 = crypto.ge_double_scalarmult_base_vartime(
sig[i][0], tmp3, sig[i][1])
buff += crypto.encodepoint(tmp2)
tmp3 = crypto.hash_to_ec(crypto.encodepoint(pubs[i]))
tmp2 = crypto.ge_double_scalarmult_precomp_vartime(
sig[i][1], tmp3, sig[i][0], image_pre)
buff += crypto.encodepoint(tmp2)
sum = crypto.sc_add(sum, sig[i][0])
h = crypto.hash_to_scalar(buff)
h = crypto.sc_sub(h, sum)
return crypto.sc_isnonzero(h) == 0
def key_zero_vector(rows):
"""
Empty key vector
:param rows:
:return:
"""
vct = []
for i in range(rows):
vct.append(crypto.sc_0())
return vct
def prove_range_orig(amount, last_mask=None, use_asnl=False):
"""
Gives C, and mask such that \sumCi = C
c.f. http:#eprint.iacr.org/2015/1098 section 5.1
Ci is a commitment to either 0 or 2^i, i=0,...,63
thus this proves that "amount" is in [0, 2^ATOMS]
mask is a such that C = aG + bH, and b = amount
:param amount:
:param last_mask: ai[ATOMS-1] will be computed as \sum_{i=0}^{ATOMS-2} a_i - last_mask
:param use_asnl: use ASNL, used before Borromean, insecure
:return: sumCi, mask, RangeSig.
sumCi is Pedersen commitment on the amount value. sumCi = aG + amount*H
mask is "a" from the Pedersent commitment above.
"""
bb = d2b(amount,
ATOMS) # gives binary form of bb in "digits" binary digits
logger.info("amount, amount in binary %s %s" % (amount, bb))
ai = [None] * len(bb)
Ci = [None] * len(bb)
CiH = [None] * len(bb) # this is like Ci - 2^i H
H2 = crypto.gen_Hpow(ATOMS)
a = crypto.sc_0()
for i in range(0, ATOMS):
ai[i] = crypto.random_scalar()
if last_mask is not None and i == ATOMS - 1:
ai[i] = crypto.sc_sub(last_mask, a)
a = crypto.sc_add(
a, ai[i]
) # creating the total mask since you have to pass this to receiver...
if bb[i] == 0:
Ci[i] = crypto.scalarmult_base(ai[i])
if bb[i] == 1:
Ci[i] = crypto.point_add(crypto.scalarmult_base(ai[i]), H2[i])
CiH[i] = crypto.point_sub(Ci[i], H2[i])
A = xmrtypes.BoroSig()
if use_asnl:
A.s0, A.s1, A.ee = asnl.gen_asnl(ai, Ci, CiH, bb)
else:
A.s0, A.s1, A.ee = mlsag2.gen_borromean(ai, Ci, CiH, bb)
R = xmrtypes.RangeSig()
R.asig = A
R.Ci = Ci
C = sum_Ci(Ci)
return C, a, R
async def ensure_watch_only(self):
"""
Ensures watch only wallet for monero exists
:return:
"""
if self.wallet_file is None:
return
key_file = "%s.keys" % self.wallet_file
if os.path.exists(key_file):
logger.debug("Watch only wallet key file exists: %s" % key_file)
match, addr = False, None
try:
addr, match = await self.check_existing_wallet_file(key_file)
except Exception as e:
logger.error("Wallet key file processing exception: %s" % e)
if not match:
logger.error("Key file address is not correct: %s" % addr)
print(
"Please, move the file so Agent can create correct key file"
)
sys.exit(2)
return
account_keys = xmrtypes.AccountKeys()
key_data = wallet.WalletKeyData()
wallet_data = wallet.WalletKeyFile()
wallet_data.key_data = key_data
wallet_data.watch_only = 1
wallet_data.testnet = self.network_type == monero.NetworkTypes.TESTNET
key_data.m_creation_timestamp = int(time.time())
key_data.m_keys = account_keys
account_keys.m_account_address = xmrtypes.AccountPublicAddress(
m_spend_public_key=crypto.encodepoint(self.pub_spend),
m_view_public_key=crypto.encodepoint(self.pub_view),
)
account_keys.m_spend_secret_key = crypto.encodeint(crypto.sc_0())
account_keys.m_view_secret_key = crypto.encodeint(self.priv_view)
await wallet.save_keys_file(key_file, self.wallet_password,
wallet_data)
logger.debug("Watch-only wallet keys generated: %s" % key_file)
def generate_ring_signature(prefix_hash,
image,
pubs,
sec,
sec_idx,
test=False):
"""
Generates ring signature with key image.
void crypto_ops::generate_ring_signature()
"""
if test:
t = crypto.scalarmult_base(sec)
if not crypto.point_eq(t, pubs[sec_idx]):
raise ValueError("Invalid sec key")
k_i = monero.generate_key_image(crypto.encodepoint(pubs[sec_idx]), sec)
if not crypto.point_eq(k_i, image):
raise ValueError("Key image invalid")
for k in pubs:
crypto.ge_frombytes_vartime_check(k)
image_unp = crypto.ge_frombytes_vartime(image)
image_pre = crypto.ge_dsm_precomp(image_unp)
buff_off = len(prefix_hash)
buff = bytearray(buff_off + 2 * 32 * len(pubs))
memcpy(buff, 0, prefix_hash, 0, buff_off)
mvbuff = memoryview(buff)
sum = crypto.sc_0()
k = crypto.sc_0()
sig = []
for i in range(len(pubs)):
sig.append([crypto.sc_0(), crypto.sc_0()]) # c, r
for i in range(len(pubs)):
if i == sec_idx:
k = crypto.random_scalar()
tmp3 = crypto.scalarmult_base(k)
crypto.encodepoint_into(mvbuff[buff_off:buff_off + 32], tmp3)
buff_off += 32
tmp3 = crypto.hash_to_point(crypto.encodepoint(pubs[i]))
tmp2 = crypto.scalarmult(tmp3, k)
crypto.encodepoint_into(mvbuff[buff_off:buff_off + 32], tmp2)
buff_off += 32
else:
sig[i] = [crypto.random_scalar(), crypto.random_scalar()]
tmp3 = crypto.ge_frombytes_vartime(pubs[i])
tmp2 = crypto.ge_double_scalarmult_base_vartime(
sig[i][0], tmp3, sig[i][1])
crypto.encodepoint_into(mvbuff[buff_off:buff_off + 32], tmp2)
buff_off += 32
tmp3 = crypto.hash_to_point(crypto.encodepoint(tmp3))
tmp2 = crypto.ge_double_scalarmult_precomp_vartime(
sig[i][1], tmp3, sig[i][0], image_pre)
crypto.encodepoint_into(mvbuff[buff_off:buff_off + 32], tmp2)
buff_off += 32
sum = crypto.sc_add(sum, sig[i][0])
h = crypto.hash_to_scalar(buff)
sig[sec_idx][0] = crypto.sc_sub(h, sum)
sig[sec_idx][1] = crypto.sc_mulsub(sig[sec_idx][0], sec, k)
return sig
def prove_range_mem(amount, last_mask=None):
"""
Memory optimized range proof.
Gives C, and mask such that \sumCi = C
c.f. http:#eprint.iacr.org/2015/1098 section 5.1
Ci is a commitment to either 0 or 2^i, i=0,...,63
thus this proves that "amount" is in [0, 2^ATOMS]
mask is a such that C = aG + bH, and b = amount
:param amount:
:param last_mask: ai[ATOMS-1] will be computed as \sum_{i=0}^{ATOMS-2} a_i - last_mask
:return: sumCi, mask, RangeSig.
sumCi is Pedersen commitment on the amount value. sumCi = aG + amount*H
mask is "a" from the Pedersent commitment above.
"""
n = ATOMS
bb = d2b(amount, n) # gives binary form of bb in "digits" binary digits
ai = [None] * len(bb)
Ci = [None] * len(bb)
a = crypto.sc_0()
C = crypto.identity()
alpha = mlsag2.key_zero_vector(n)
s1 = mlsag2.key_zero_vector(n)
c_H = crypto.xmr_H()
kck = crypto.get_keccak() # ee computation
# First pass, generates: ai, alpha, Ci, ee, s1
for ii in range(n):
ai[ii] = crypto.random_scalar()
if last_mask is not None and ii == ATOMS - 1:
ai[ii] = crypto.sc_sub(last_mask, a)
a = crypto.sc_add(
a, ai[ii]
) # creating the total mask since you have to pass this to receiver...
alpha[ii] = crypto.random_scalar()
L = crypto.scalarmult_base(alpha[ii])
if bb[ii] == 0:
Ci[ii] = crypto.scalarmult_base(ai[ii])
else:
Ci[ii] = crypto.point_add(crypto.scalarmult_base(ai[ii]), c_H)
C = crypto.point_add(C, Ci[ii])
if bb[ii] == 0:
s1[ii] = crypto.random_scalar()
c = crypto.hash_to_scalar(crypto.encodepoint(L))
L = crypto.add_keys2(s1[ii], c, crypto.point_sub(Ci[ii], c_H))
kck.update(crypto.encodepoint(L))
else:
kck.update(crypto.encodepoint(L))
c_H = crypto.point_double(c_H)
# Compute ee, memory cleanup
ee = crypto.decodeint(kck.digest())
del kck
# Second phase computes: s0, s1
c_H = crypto.xmr_H()
s0 = mlsag2.key_zero_vector(n)
for jj in range(n):
if not bb[jj]:
s0[jj] = crypto.sc_mulsub(ai[jj], ee, alpha[jj])
else:
s0[jj] = crypto.random_scalar()
LL = crypto.add_keys2(s0[jj], ee, Ci[jj])
cc = crypto.hash_to_scalar(crypto.encodepoint(LL))
s1[jj] = crypto.sc_mulsub(ai[jj], cc, alpha[jj])
c_H = crypto.point_double(c_H)
A = xmrtypes.BoroSig()
A.s0, A.s1, A.ee = s0, s1, ee
R = xmrtypes.RangeSig()
R.asig = A
R.Ci = Ci
return C, a, R
def verify_clsag(msg, ss, sc1, sI, sD, pubs, C_offset):
n = len(pubs)
c = crypto.new_scalar()
D_8 = crypto.new_point()
tmp_bf = bytearray(32)
C_offset_bf = crypto.encodepoint(C_offset)
crypto.sc_copy(c, sc1)
crypto.point_mul8_into(D_8, sD)
hsh_P = crypto.get_keccak() # domain, I, D, P, C, C_offset
hsh_C = crypto.get_keccak() # domain, I, D, P, C, C_offset
hsh_P.update(_HASH_KEY_CLSAG_AGG_0)
hsh_C.update(_HASH_KEY_CLSAG_AGG_1)
def hsh_PC(x):
hsh_P.update(x)
hsh_C.update(x)
for x in pubs:
hsh_PC(x.dest)
for x in pubs:
hsh_PC(x.commitment)
hsh_PC(crypto.encodepoint_into(tmp_bf, sI))
hsh_PC(crypto.encodepoint_into(tmp_bf, sD))
hsh_PC(C_offset_bf)
mu_P = crypto.decodeint(hsh_P.digest())
mu_C = crypto.decodeint(hsh_C.digest())
c_to_hash = crypto.get_keccak() # domain, P, C, C_offset, message, L, R
c_to_hash.update(_HASH_KEY_CLSAG_ROUND)
for i in range(len(pubs)):
c_to_hash.update(pubs[i].dest)
for i in range(len(pubs)):
c_to_hash.update(pubs[i].commitment)
c_to_hash.update(C_offset_bf)
c_to_hash.update(msg)
c_p = crypto.new_scalar()
c_c = crypto.new_scalar()
L = crypto.new_point()
R = crypto.new_point()
tmp_pt = crypto.new_point()
i = 0
while i < n:
crypto.sc_mul_into(c_p, mu_P, c)
crypto.sc_mul_into(c_c, mu_C, c)
C_P = crypto.point_sub(
crypto.decodepoint_into(tmp_pt, pubs[i].commitment), C_offset)
crypto.add_keys2_into(L, ss[i], c_p,
crypto.decodepoint_into(tmp_pt, pubs[i].dest))
crypto.point_add_into(L, L, crypto.scalarmult_into(tmp_pt, C_P, c_c))
HP = crypto.hash_to_point(pubs[i].dest)
crypto.add_keys3_into(R, ss[i], HP, c_p, sI)
crypto.point_add_into(R, R, crypto.scalarmult_into(tmp_pt, D_8, c_c))
chasher = c_to_hash.copy()
chasher.update(crypto.encodepoint_into(tmp_bf, L))
chasher.update(crypto.encodepoint_into(tmp_bf, R))
crypto.decodeint_into(c, chasher.digest())
i += 1
res = crypto.sc_sub(c, sc1)
if not crypto.sc_eq(res, crypto.sc_0()):
raise ValueError("Signature error")
def prove_rct_mg(message, pubs, in_sk, out_sk, out_pk, kLRki, mscout, index,
txn_fee_key):
"""
c.f. http://eprint.iacr.org/2015/1098 section 4. definition 10.
This does the MG sig on the "dest" part of the given key matrix, and
the last row is the sum of input commitments from that column - sum output commitments
this shows that sum inputs = sum outputs
:param message:
:param pubs: matrix of CtKeys. points are encoded.
:param in_sk:
:param out_sk:
:param out_pk:
:param kLRki:
:param mscout:
:param index:
:param txn_fee_key:
:return:
"""
cols = len(pubs)
if cols == 0:
raise ValueError("Empty pubs")
rows = len(pubs[0])
if rows == 0:
raise ValueError("Empty pub row")
for i in range(cols):
if len(pubs[i]) != rows:
raise ValueError("pub is not rectangular")
if len(in_sk) != rows:
raise ValueError("Bad inSk size")
if len(out_sk) != len(out_pk):
raise ValueError("Bad outsk/putpk size")
if (not kLRki or not mscout) and (kLRki and mscout):
raise ValueError("Only one of kLRki/mscout is present")
sk = key_vector(rows + 1)
M = key_matrix(rows + 1, cols)
for i in range(rows + 1):
sk[i] = crypto.sc_0()
for i in range(cols):
M[i][rows] = crypto.identity()
for j in range(rows):
M[i][j] = crypto.decodepoint(pubs[i][j].dest)
M[i][rows] = crypto.point_add(
M[i][rows], crypto.decodepoint(pubs[i][j].commitment))
sk[rows] = crypto.sc_0()
for j in range(rows):
sk[j] = in_sk[j].dest
sk[rows] = crypto.sc_add(sk[rows],
in_sk[j].mask) # add masks in last row
for i in range(cols):
for j in range(len(out_pk)):
M[i][rows] = crypto.point_sub(
M[i][rows], crypto.decodepoint(
out_pk[j].mask)) # subtract output Ci's in last row
# Subtract txn fee output in last row
M[i][rows] = crypto.point_sub(M[i][rows], txn_fee_key)
for j in range(len(out_pk)):
sk[rows] = crypto.sc_sub(
sk[rows], out_sk[j].mask) # subtract output masks in last row
return gen_mlsag_ext(message, M, sk, kLRki, mscout, index, rows)
async def gen_rct_simple(
self,
in_sk,
destinations,
inamounts,
outamounts,
txn_fee,
mix_ring,
kLRki,
msout,
index,
):
"""
Generate simple RCT signature.
:param in_sk:
:param destinations:
:param inamounts:
:param outamounts:
:param txn_fee:
:param mix_ring:
:param kLRki:
:param msout:
:param index:
:param out_sk:
:return:
"""
if len(inamounts) == 0:
raise ValueError("Empty inamounts")
if len(inamounts) != len(in_sk):
raise ValueError("Different number of inamounts/inSk")
if len(outamounts) != len(destinations):
raise ValueError("Different number of amounts/destinations")
if len(self.output_secrets) != len(destinations):
raise ValueError("Different number of amount_keys/destinations")
if len(index) != len(in_sk):
raise ValueError("Different number of index/inSk")
if len(mix_ring) != len(in_sk):
raise ValueError("Different number of mixRing/inSk")
for idx in range(len(mix_ring)):
if index[idx] >= len(mix_ring[idx]):
raise ValueError("Bad index into mixRing")
rv, sumout, out_sk = await self.gen_rct_header(destinations, outamounts)
rv.type = (
xmrtypes.RctType.SimpleBulletproof
if self.use_bulletproof
else xmrtypes.RctType.Simple
)
rv.txnFee = txn_fee
rv.mixRing = mix_ring
# Pseudooutputs
pseudo_outs = [None] * len(inamounts)
rv.p.MGs = [None] * len(inamounts)
sumpouts = crypto.sc_0()
a = []
for idx in range(len(inamounts) - 1):
a.append(crypto.random_scalar())
sumpouts = crypto.sc_add(sumpouts, a[idx])
pseudo_outs[idx] = crypto.gen_c(a[idx], inamounts[idx])
a.append(crypto.sc_sub(sumout, sumpouts))
pseudo_outs[-1] = crypto.gen_c(a[-1], inamounts[-1])
if self.use_bulletproof:
rv.p.pseudoOuts = [crypto.encodepoint(x) for x in pseudo_outs]
else:
rv.pseudoOuts = [crypto.encodepoint(x) for x in pseudo_outs]
full_message = await monero.get_pre_mlsag_hash(rv)
# TODO: msout multisig
for i in range(len(inamounts)):
rv.p.MGs[i], msc = mlsag2.prove_rct_mg_simple(
full_message,
rv.mixRing[i],
in_sk[i],
a[i],
pseudo_outs[i],
kLRki[i] if kLRki else None,
None,
index[i],
)
if __debug__:
assert mlsag2.ver_rct_mg_simple(
full_message, rv.p.MGs[i], rv.mixRing[i], pseudo_outs[i]
)
return rv
async def gen_rct_header(self, destinations, outamounts):
"""
Initializes RV RctSig structure, processes outputs, computes range proofs, ecdh info masking.
Common to gen_rct and gen_rct_simple.
:param destinations:
:param outamounts:
:return:
"""
rv = xmrtypes.RctSig()
rv.p = xmrtypes.RctSigPrunable()
rv.message = self.tx_prefix_hash
rv.outPk = [None] * len(destinations)
if self.use_bulletproof:
rv.p.bulletproofs = [None] * len(destinations)
else:
rv.p.rangeSigs = [None] * len(destinations)
rv.ecdhInfo = [None] * len(destinations)
# Output processing
sumout = crypto.sc_0()
out_sk = [None] * len(destinations)
for idx in range(len(destinations)):
rv.outPk[idx] = xmrtypes.CtKey(dest=crypto.encodepoint(destinations[idx]))
C, mask, rsig = None, 0, None
# Rangeproof
if self.use_bulletproof:
raise ValueError("Bulletproof not yet supported")
else:
C, mask, rsig = ring_ct.prove_range(outamounts[idx])
rv.p.rangeSigs[idx] = rsig
if __debug__:
assert ring_ct.ver_range(C, rsig)
assert crypto.point_eq(
C,
crypto.point_add(
crypto.scalarmult_base(mask),
crypto.scalarmult_h(outamounts[idx]),
),
)
# Mask sum
rv.outPk[idx].mask = crypto.encodepoint(C)
sumout = crypto.sc_add(sumout, mask)
out_sk[idx] = xmrtypes.CtKey(mask=mask)
# ECDH masking
amount_key = crypto.encodeint(self.output_secrets[idx][0])
rv.ecdhInfo[idx] = xmrtypes.EcdhTuple(
mask=mask, amount=crypto.sc_init(outamounts[idx])
)
rv.ecdhInfo[idx] = ring_ct.ecdh_encode(
rv.ecdhInfo[idx], derivation=amount_key
)
monero.recode_ecdh(rv.ecdhInfo[idx], encode=True)
return rv, sumout, out_sk
def generate_ring_signature(prefix_hash,
image,
pubs,
sec,
sec_idx,
test=False):
"""
Generates ring signature with key image.
void crypto_ops::generate_ring_signature()
:param prefix_hash:
:param image:
:param pubs:
:param sec:
:param sec_idx:
:param test:
:return:
"""
if test:
t = crypto.scalarmult_base(sec)
if not crypto.point_eq(t, pubs[sec_idx]):
raise ValueError("Invalid sec key")
k_i = monero.generate_key_image(crypto.encodepoint(pubs[sec_idx]), sec)
if not crypto.point_eq(k_i, image):
raise ValueError("Key image invalid")
for k in pubs:
crypto.ge_frombytes_vartime_check(k)
image_unp = crypto.ge_frombytes_vartime(image)
image_pre = crypto.ge_dsm_precomp(image_unp)
buff = b"" + prefix_hash
sum = crypto.sc_0()
k = crypto.sc_0()
sig = []
for i in range(len(pubs)):
sig.append([crypto.sc_0(), crypto.sc_0()]) # c, r
for i in range(len(pubs)):
if i == sec_idx:
k = crypto.random_scalar()
tmp3 = crypto.scalarmult_base(k)
buff += crypto.encodepoint(tmp3)
tmp3 = crypto.hash_to_ec(crypto.encodepoint(pubs[i]))
tmp2 = crypto.scalarmult(tmp3, k)
buff += crypto.encodepoint(tmp2)
else:
sig[i] = [crypto.random_scalar(), crypto.random_scalar()]
tmp3 = crypto.ge_frombytes_vartime(pubs[i])
tmp2 = crypto.ge_double_scalarmult_base_vartime(
sig[i][0], tmp3, sig[i][1])
buff += crypto.encodepoint(tmp2)
tmp3 = crypto.hash_to_ec(crypto.encodepoint(tmp3))
tmp2 = crypto.ge_double_scalarmult_precomp_vartime(
sig[i][1], tmp3, sig[i][0], image_pre)
buff += crypto.encodepoint(tmp2)
sum = crypto.sc_add(sum, sig[i][0])
h = crypto.hash_to_scalar(buff)
sig[sec_idx][0] = crypto.sc_sub(h, sum)
sig[sec_idx][1] = crypto.sc_mulsub(sig[sec_idx][0], sec, k)
return sig
