def unblind_int(self, v, k, AKout): AKout = crypto.hash_to_scalar(AKout) k = crypto.sc_sub(crypto.decodeint(k), AKout) AKout = crypto.hash_to_scalar(crypto.encodeint(AKout)) v = crypto.sc_sub(crypto.decodeint(v), AKout) return v, k, AKout
def check_ring_singature(prefix_hash, image, pubs, sig): """ Checks ring signature generated with generate_ring_signature """ image_unp = crypto.ge_frombytes_vartime(image) image_pre = crypto.ge_dsm_precomp(image_unp) buff_off = len(prefix_hash) buff = bytearray(buff_off + 2 * 32 * len(pubs)) memcpy(buff, 0, prefix_hash, 0, buff_off) mvbuff = memoryview(buff) sum = crypto.sc_0() for i in range(len(pubs)): if crypto.sc_check(sig[i][0]) != 0 or crypto.sc_check(sig[i][1]) != 0: return False tmp3 = crypto.ge_frombytes_vartime(pubs[i]) tmp2 = crypto.ge_double_scalarmult_base_vartime( sig[i][0], tmp3, sig[i][1]) crypto.encodepoint_into(mvbuff[buff_off:buff_off + 32], tmp2) buff_off += 32 tmp3 = crypto.hash_to_point(crypto.encodepoint(pubs[i])) tmp2 = crypto.ge_double_scalarmult_precomp_vartime( sig[i][1], tmp3, sig[i][0], image_pre) crypto.encodepoint_into(mvbuff[buff_off:buff_off + 32], tmp2) buff_off += 32 sum = crypto.sc_add(sum, sig[i][0]) h = crypto.hash_to_scalar(buff) h = crypto.sc_sub(h, sum) return crypto.sc_isnonzero(h) == 0
def check_ring_singature(prefix_hash, image, pubs, sig): """ Checks ring signature generated with generate_ring_signature :param prefix_hash: :param image: :param pubs: :param sig: :return: """ image_unp = crypto.ge_frombytes_vartime(image) image_pre = crypto.ge_dsm_precomp(image_unp) buff = b"" + prefix_hash sum = crypto.sc_0() for i in range(len(pubs)): if crypto.sc_check(sig[i][0]) != 0 or crypto.sc_check(sig[i][1]) != 0: return False tmp3 = crypto.ge_frombytes_vartime(pubs[i]) tmp2 = crypto.ge_double_scalarmult_base_vartime( sig[i][0], tmp3, sig[i][1]) buff += crypto.encodepoint(tmp2) tmp3 = crypto.hash_to_ec(crypto.encodepoint(pubs[i])) tmp2 = crypto.ge_double_scalarmult_precomp_vartime( sig[i][1], tmp3, sig[i][0], image_pre) buff += crypto.encodepoint(tmp2) sum = crypto.sc_add(sum, sig[i][0]) h = crypto.hash_to_scalar(buff) h = crypto.sc_sub(h, sum) return crypto.sc_isnonzero(h) == 0
def poc2(self): print('[+] PoC Ledger-app-Monero 1.4.2 spend key extraction, v2') self.reset() self.set_mode() self.open_tx() # 1. get A, find x, s.t.: [8*a*x*G]_pt == [8*a*x*G]_sc A = self.scalarmult(self.fake_a) Apt = crypto.decodepoint(A) x, A8x = self.find_confusion(Apt) Gx = crypto.encodepoint(crypto.scalarmult_base(crypto.sc_init(x))) print(' 1. Confusion found, x: %d' % (x, )) print(' 8xA: %s' % binascii.hexlify(A8x).decode('ascii')) print(' A: %s' % binascii.hexlify(A).decode('ascii')) print(' xG: %s' % binascii.hexlify(Gx).decode('ascii')) # 2. gen_deriv (8*a*x*G) = enc(8x*A) = enc(P); we know {P, enc(P)}; # It holds that P=8xA is also a valid scalar value, from the step above. P = self.gen_derivation(Gx, self.fake_a) print(' 2. P: %s' % (self.fmtkey(P).decode('ascii'), )) # 3. get_secret_key: s1 = Hs(P||0) + s sp = self.derive_secret_key(P, 0, self.fake_b) print(' 3. sp: %s' % (self.fmtkey(sp).decode('ascii'), )) # 4. mlsag_hash(p2=1, opt=0x80) = c c = self.mlsag_hash() print(' 4. c: %s' % (binascii.hexlify(c).decode('ascii'), )) # 5. mlsag_sign(s1, enc(P)), r1 = enc(s1 - Pc) = enc(Hs(P||0) + s - Pc); # We have R = Hs(P||0) + s - Pc -> R - Hs(P||0) + Pc = s r = self.mlsag_sign_s(P, sp) print(' 5. r: %s' % (binascii.hexlify(r[0]).decode('ascii'), )) # Extract the spend key hs0 = crypto.hash_to_scalar(bytearray(A8x) + bytearray(1)) rsc = crypto.decodeint(r[0]) rsc = crypto.sc_sub(rsc, hs0) bsc = crypto.sc_add( rsc, crypto.sc_mul(crypto.decodeint(c), crypto.decodeint(A8x))) b = crypto.encodeint(bsc) print(' 5. b: %s' % binascii.hexlify(b).decode('ascii')) B = crypto.scalarmult_base(bsc) print(' 5. B: %s' % binascii.hexlify(crypto.encodepoint(B)).decode('ascii')) # 6. Verify BB = self.scalarmult(self.fake_b) print(' 6. bG: %s\n' % binascii.hexlify(BB).decode('ascii')) if BB == crypto.encodepoint(B): print('[+] PoC successful') else: print('[-] PoC not working') print('\nCommands: ') for x in self.commands: print(' %s' % x)
def extra_poc(self, zero, hs0, B): # --- Extra --- # Extract view key and address reconstruction. # Not needed for the PoC print('\nExtracting view-key...') encr = self.derive_secret_key(zero, 0, self.fake_a) r = self.mlsag_sign_s(zero, encr) rsc = crypto.decodeint(r[0]) asc = crypto.sc_sub(rsc, hs0) a = crypto.encodeint(asc) print(' a: %s' % binascii.hexlify(a).decode('ascii')) A = crypto.scalarmult_base(asc) print(' A: %s' % binascii.hexlify(crypto.encodepoint(A)).decode('ascii')) AA = self.scalarmult(self.fake_a) print(' aG: %s' % binascii.hexlify(AA).decode('ascii')) main_addr = addr.encode_addr( xmr_net.net_version(xmr_net.NetworkTypes.MAINNET), crypto.encodepoint(B), crypto.encodepoint(A), ) test_addr = addr.encode_addr( xmr_net.net_version(xmr_net.NetworkTypes.TESTNET), crypto.encodepoint(B), crypto.encodepoint(A), ) print('Mainnet address: %s' % main_addr.decode('ascii')) print('Testnet address: %s' % test_addr.decode('ascii'))
def ecdh_decode(masked, receiver_sk=None, derivation=None): """ Elliptic Curve Diffie-Helman: encodes and decodes the amount b and mask a where C= aG + bH """ rv = xmrtypes.EcdhTuple() if derivation is None: derivation = crypto.scalarmult(masked.senderPk, receiver_sk) sharedSec1 = crypto.hash_to_scalar(derivation) sharedSec2 = crypto.hash_to_scalar(crypto.encodeint(sharedSec1)) rv.mask = crypto.sc_sub(masked.mask, sharedSec1) rv.amount = crypto.sc_sub(masked.amount, sharedSec2) return rv
def prove_rct_mg_simple(message, pubs, in_sk, a, cout, kLRki, mscout, index): """ Simple version for when we assume only post rct inputs here pubs is a vector of (P, C) length mixin :param message: :param pubs: vector of CtKeys, public, point values, encoded form. (dest, mask) = (P, C) :param in_sk: CtKey, private. (spending private key, input commitment mask (original)) :param a: mask from the pseudo_output commitment (alpha) :param cout: point, decoded. Pseudo output public key. :param kLRki: :param mscout: lambda accepting c :param index: :return: """ rows = 1 cols = len(pubs) if cols == 0: raise ValueError("Empty pubs") if (not kLRki or not mscout) and (kLRki and mscout): raise ValueError("Only one of kLRki/mscout is present") sk = key_vector(rows + 1) M = key_matrix(rows + 1, cols) sk[0] = in_sk.dest sk[1] = crypto.sc_sub(in_sk.mask, a) for i in range(cols): M[i][0] = crypto.decodepoint(pubs[i].dest) M[i][1] = crypto.point_sub(crypto.decodepoint(pubs[i].commitment), cout) return gen_mlsag_ext(message, M, sk, kLRki, mscout, index, rows)
def gen_clsag_sig(self, ring_size=11, index=None): msg = bytearray(random.getrandbits(8) for _ in range(32)) amnt = crypto.sc_init(random.randint(0, 0xFFFFFF) + 12) priv = crypto.random_scalar() msk = crypto.random_scalar() alpha = crypto.random_scalar() P = crypto.scalarmult_base(priv) C = crypto.add_keys2(msk, amnt, crypto.xmr_H()) Cp = crypto.add_keys2(alpha, amnt, crypto.xmr_H()) ring = [] for i in range(ring_size - 1): tk = TmpKey( crypto.encodepoint( crypto.scalarmult_base(crypto.random_scalar())), crypto.encodepoint( crypto.scalarmult_base(crypto.random_scalar())), ) ring.append(tk) index = index if index is not None else random.randint(0, len(ring)) ring.insert(index, TmpKey(crypto.encodepoint(P), crypto.encodepoint(C))) ring2 = list(ring) mg_buffer = [] self.assertTrue( crypto.point_eq(crypto.scalarmult_base(priv), crypto.decodepoint(ring[index].dest))) self.assertTrue( crypto.point_eq( crypto.scalarmult_base(crypto.sc_sub(msk, alpha)), crypto.point_sub(crypto.decodepoint(ring[index].commitment), Cp), )) mlsag2.generate_clsag_simple( msg, ring, CtKey(dest=priv, mask=msk), alpha, Cp, index, mg_buffer, ) sD = crypto.decodepoint(mg_buffer[-1]) sc1 = crypto.decodeint(mg_buffer[-2]) scalars = [crypto.decodeint(x) for x in mg_buffer[1:-2]] H = crypto.new_point() sI = crypto.new_point() crypto.hash_to_point_into(H, crypto.encodepoint(P)) crypto.scalarmult_into(sI, H, priv) # I = p*H return msg, scalars, sc1, sI, sD, ring2, Cp
def prove_range_orig(amount, last_mask=None, use_asnl=False): """ Gives C, and mask such that \sumCi = C c.f. http:#eprint.iacr.org/2015/1098 section 5.1 Ci is a commitment to either 0 or 2^i, i=0,...,63 thus this proves that "amount" is in [0, 2^ATOMS] mask is a such that C = aG + bH, and b = amount :param amount: :param last_mask: ai[ATOMS-1] will be computed as \sum_{i=0}^{ATOMS-2} a_i - last_mask :param use_asnl: use ASNL, used before Borromean, insecure :return: sumCi, mask, RangeSig. sumCi is Pedersen commitment on the amount value. sumCi = aG + amount*H mask is "a" from the Pedersent commitment above. """ bb = d2b(amount, ATOMS) # gives binary form of bb in "digits" binary digits logger.info("amount, amount in binary %s %s" % (amount, bb)) ai = [None] * len(bb) Ci = [None] * len(bb) CiH = [None] * len(bb) # this is like Ci - 2^i H H2 = crypto.gen_Hpow(ATOMS) a = crypto.sc_0() for i in range(0, ATOMS): ai[i] = crypto.random_scalar() if last_mask is not None and i == ATOMS - 1: ai[i] = crypto.sc_sub(last_mask, a) a = crypto.sc_add( a, ai[i] ) # creating the total mask since you have to pass this to receiver... if bb[i] == 0: Ci[i] = crypto.scalarmult_base(ai[i]) if bb[i] == 1: Ci[i] = crypto.point_add(crypto.scalarmult_base(ai[i]), H2[i]) CiH[i] = crypto.point_sub(Ci[i], H2[i]) A = xmrtypes.BoroSig() if use_asnl: A.s0, A.s1, A.ee = asnl.gen_asnl(ai, Ci, CiH, bb) else: A.s0, A.s1, A.ee = mlsag2.gen_borromean(ai, Ci, CiH, bb) R = xmrtypes.RangeSig() R.asig = A R.Ci = Ci C = sum_Ci(Ci) return C, a, R
def poc(self): print('[+] PoC Ledger-app-Monero 1.4.2 spend key extraction') self.reset() self.set_mode() self.open_tx() # 1. call `monero_apdu_generate_keypair()`, obtain `{enc(x), hmac(enx(x))}`, where `x` is unknown. _, sec = self.gen_kp() print(' 1. rsec: %s' % self.fmtkey(sec).decode('ascii')) # 2. call `sc_sub(enc(x), hmac(enc(x)), enc(x), hmac(enc(x)))`, obtain `{enc(0), hmac(enc(0))}` zero = self.sc_sub(sec, sec) print(' 2. zero: %s' % self.fmtkey(zero).decode('ascii')) # 3. call `monero_apdu_derive_secret_key( # enc(0), hmac(enc(0)), 0, C_FAKE_SEC_SPEND_KEY, hmac(C_FAKE_SEC_SPEND_KEY))`, # obtain `{enc(r), hmac(enc(r))}` encr = self.derive_secret_key(zero, 0, self.fake_b) print(' 3. encr: %s' % self.fmtkey(encr).decode('ascii')) # 4. call `monero_apdu_mlsag_sign(enc(0), hmac(enc(0)), enc(r), hmac(enc(r)))`, obtain `r` r = self.mlsag_sign_s(zero, encr) print(' 4. r: %s' % self.fmtkey(r).decode('ascii')) # 5. compute b: `b = r - H_s(00....00 || varint(0))` hs0 = crypto.hash_to_scalar(bytearray(33)) rsc = crypto.decodeint(r[0]) bsc = crypto.sc_sub(rsc, hs0) b = crypto.encodeint(bsc) print(' 5. b: %s' % binascii.hexlify(b).decode('ascii')) B = crypto.scalarmult_base(bsc) print(' 5. B: %s' % binascii.hexlify(crypto.encodepoint(B)).decode('ascii')) # 6. Verify BB = self.scalarmult(self.fake_b) print(' 6. bG: %s' % binascii.hexlify(BB).decode('ascii')) if BB == crypto.encodepoint(B): print('[+] PoC successful') else: print('[-] PoC not working') if self.lite: return self.extra_poc(zero, hs0, B)
def ver_mlsag_ext(message, pk, rv, dsRows): """ Multilayered Spontaneous Anonymous Group Signatures (MLSAG signatures) c.f. http://eprint.iacr.org/2015/1098 section 2. keyImageV just does I[i] = xx[i] * Hash(xx[i] * G) for each i :param message: :param pk: matrix of EC points, point form. :param rv: :param dsRows: :return: """ rows, cols = ver_mlsag_assert(pk, rv, dsRows) c_old = rv.cc Ip = key_vector(dsRows) for i in range(dsRows): Ip[i] = crypto.precomp(rv.II[i]) i = 0 while i < cols: c = 0 hasher = hasher_message(message) for j in range(dsRows): L = crypto.add_keys2(rv.ss[i][j], c_old, pk[i][j]) Hi = crypto.hash_to_point(crypto.encodepoint( pk[i][j])) # originally hashToPoint() R = crypto.add_keys3(rv.ss[i][j], Hi, c_old, Ip[j]) hasher.update(crypto.encodepoint(pk[i][j])) hasher.update(crypto.encodepoint(L)) hasher.update(crypto.encodepoint(R)) for j in range(dsRows, rows): L = crypto.add_keys2(rv.ss[i][j], c_old, pk[i][j]) hasher.update(crypto.encodepoint(pk[i][j])) hasher.update(crypto.encodepoint(L)) c = crypto.decodeint(hasher.digest()) c_old = c i += 1 c = crypto.sc_sub(c_old, rv.cc) return not crypto.sc_isnonzero(c)
def generate_clsag_simple( message: bytes, pubs: List[MoneroRctKeyPublic], in_sk: CtKey, a: Sc25519, cout: Ge25519, index: int, mg_buff: List[bytes], ) -> List[bytes]: """ CLSAG for RctType.Simple https://eprint.iacr.org/2019/654.pdf Corresponds to proveRctCLSAGSimple in rctSigs.cpp :param message: the full message to be signed (actually its hash) :param pubs: vector of MoneroRctKey; this forms the ring; point values in encoded form; (dest, mask) = (P, C) :param in_sk: CtKey; spending private key with input commitment mask (original); better_name: input_secret_key :param a: mask from the pseudo output commitment; better name: pseudo_out_alpha :param cout: pseudo output commitment; point, decoded; better name: pseudo_out_c :param index: specifies corresponding public key to the `in_sk` in the pubs array :param mg_buff: buffer to store the signature to """ cols = len(pubs) if cols == 0: raise ValueError("Empty pubs") P = key_vector(cols) C_nonzero = key_vector(cols) p = in_sk.dest z = crypto.sc_sub(in_sk.mask, a) for i in range(cols): P[i] = pubs[i].dest C_nonzero[i] = pubs[i].commitment pubs[i] = None del pubs # gc.collect() return _generate_clsag(message, P, p, C_nonzero, z, cout, index, mg_buff)
def generate_ring_signature(prefix_hash, image, pubs, sec, sec_idx, test=False): """ Generates ring signature with key image. void crypto_ops::generate_ring_signature() """ if test: t = crypto.scalarmult_base(sec) if not crypto.point_eq(t, pubs[sec_idx]): raise ValueError("Invalid sec key") k_i = monero.generate_key_image(crypto.encodepoint(pubs[sec_idx]), sec) if not crypto.point_eq(k_i, image): raise ValueError("Key image invalid") for k in pubs: crypto.ge_frombytes_vartime_check(k) image_unp = crypto.ge_frombytes_vartime(image) image_pre = crypto.ge_dsm_precomp(image_unp) buff_off = len(prefix_hash) buff = bytearray(buff_off + 2 * 32 * len(pubs)) memcpy(buff, 0, prefix_hash, 0, buff_off) mvbuff = memoryview(buff) sum = crypto.sc_0() k = crypto.sc_0() sig = [] for i in range(len(pubs)): sig.append([crypto.sc_0(), crypto.sc_0()]) # c, r for i in range(len(pubs)): if i == sec_idx: k = crypto.random_scalar() tmp3 = crypto.scalarmult_base(k) crypto.encodepoint_into(mvbuff[buff_off:buff_off + 32], tmp3) buff_off += 32 tmp3 = crypto.hash_to_point(crypto.encodepoint(pubs[i])) tmp2 = crypto.scalarmult(tmp3, k) crypto.encodepoint_into(mvbuff[buff_off:buff_off + 32], tmp2) buff_off += 32 else: sig[i] = [crypto.random_scalar(), crypto.random_scalar()] tmp3 = crypto.ge_frombytes_vartime(pubs[i]) tmp2 = crypto.ge_double_scalarmult_base_vartime( sig[i][0], tmp3, sig[i][1]) crypto.encodepoint_into(mvbuff[buff_off:buff_off + 32], tmp2) buff_off += 32 tmp3 = crypto.hash_to_point(crypto.encodepoint(tmp3)) tmp2 = crypto.ge_double_scalarmult_precomp_vartime( sig[i][1], tmp3, sig[i][0], image_pre) crypto.encodepoint_into(mvbuff[buff_off:buff_off + 32], tmp2) buff_off += 32 sum = crypto.sc_add(sum, sig[i][0]) h = crypto.hash_to_scalar(buff) sig[sec_idx][0] = crypto.sc_sub(h, sum) sig[sec_idx][1] = crypto.sc_mulsub(sig[sec_idx][0], sec, k) return sig
def prove_range_mem(amount, last_mask=None): """ Memory optimized range proof. Gives C, and mask such that \sumCi = C c.f. http:#eprint.iacr.org/2015/1098 section 5.1 Ci is a commitment to either 0 or 2^i, i=0,...,63 thus this proves that "amount" is in [0, 2^ATOMS] mask is a such that C = aG + bH, and b = amount :param amount: :param last_mask: ai[ATOMS-1] will be computed as \sum_{i=0}^{ATOMS-2} a_i - last_mask :return: sumCi, mask, RangeSig. sumCi is Pedersen commitment on the amount value. sumCi = aG + amount*H mask is "a" from the Pedersent commitment above. """ n = ATOMS bb = d2b(amount, n) # gives binary form of bb in "digits" binary digits ai = [None] * len(bb) Ci = [None] * len(bb) a = crypto.sc_0() C = crypto.identity() alpha = mlsag2.key_zero_vector(n) s1 = mlsag2.key_zero_vector(n) c_H = crypto.xmr_H() kck = crypto.get_keccak() # ee computation # First pass, generates: ai, alpha, Ci, ee, s1 for ii in range(n): ai[ii] = crypto.random_scalar() if last_mask is not None and ii == ATOMS - 1: ai[ii] = crypto.sc_sub(last_mask, a) a = crypto.sc_add( a, ai[ii] ) # creating the total mask since you have to pass this to receiver... alpha[ii] = crypto.random_scalar() L = crypto.scalarmult_base(alpha[ii]) if bb[ii] == 0: Ci[ii] = crypto.scalarmult_base(ai[ii]) else: Ci[ii] = crypto.point_add(crypto.scalarmult_base(ai[ii]), c_H) C = crypto.point_add(C, Ci[ii]) if bb[ii] == 0: s1[ii] = crypto.random_scalar() c = crypto.hash_to_scalar(crypto.encodepoint(L)) L = crypto.add_keys2(s1[ii], c, crypto.point_sub(Ci[ii], c_H)) kck.update(crypto.encodepoint(L)) else: kck.update(crypto.encodepoint(L)) c_H = crypto.point_double(c_H) # Compute ee, memory cleanup ee = crypto.decodeint(kck.digest()) del kck # Second phase computes: s0, s1 c_H = crypto.xmr_H() s0 = mlsag2.key_zero_vector(n) for jj in range(n): if not bb[jj]: s0[jj] = crypto.sc_mulsub(ai[jj], ee, alpha[jj]) else: s0[jj] = crypto.random_scalar() LL = crypto.add_keys2(s0[jj], ee, Ci[jj]) cc = crypto.hash_to_scalar(crypto.encodepoint(LL)) s1[jj] = crypto.sc_mulsub(ai[jj], cc, alpha[jj]) c_H = crypto.point_double(c_H) A = xmrtypes.BoroSig() A.s0, A.s1, A.ee = s0, s1, ee R = xmrtypes.RangeSig() R.asig = A R.Ci = Ci return C, a, R
def verify_clsag(msg, ss, sc1, sI, sD, pubs, C_offset): n = len(pubs) c = crypto.new_scalar() D_8 = crypto.new_point() tmp_bf = bytearray(32) C_offset_bf = crypto.encodepoint(C_offset) crypto.sc_copy(c, sc1) crypto.point_mul8_into(D_8, sD) hsh_P = crypto.get_keccak() # domain, I, D, P, C, C_offset hsh_C = crypto.get_keccak() # domain, I, D, P, C, C_offset hsh_P.update(_HASH_KEY_CLSAG_AGG_0) hsh_C.update(_HASH_KEY_CLSAG_AGG_1) def hsh_PC(x): hsh_P.update(x) hsh_C.update(x) for x in pubs: hsh_PC(x.dest) for x in pubs: hsh_PC(x.commitment) hsh_PC(crypto.encodepoint_into(tmp_bf, sI)) hsh_PC(crypto.encodepoint_into(tmp_bf, sD)) hsh_PC(C_offset_bf) mu_P = crypto.decodeint(hsh_P.digest()) mu_C = crypto.decodeint(hsh_C.digest()) c_to_hash = crypto.get_keccak() # domain, P, C, C_offset, message, L, R c_to_hash.update(_HASH_KEY_CLSAG_ROUND) for i in range(len(pubs)): c_to_hash.update(pubs[i].dest) for i in range(len(pubs)): c_to_hash.update(pubs[i].commitment) c_to_hash.update(C_offset_bf) c_to_hash.update(msg) c_p = crypto.new_scalar() c_c = crypto.new_scalar() L = crypto.new_point() R = crypto.new_point() tmp_pt = crypto.new_point() i = 0 while i < n: crypto.sc_mul_into(c_p, mu_P, c) crypto.sc_mul_into(c_c, mu_C, c) C_P = crypto.point_sub( crypto.decodepoint_into(tmp_pt, pubs[i].commitment), C_offset) crypto.add_keys2_into(L, ss[i], c_p, crypto.decodepoint_into(tmp_pt, pubs[i].dest)) crypto.point_add_into(L, L, crypto.scalarmult_into(tmp_pt, C_P, c_c)) HP = crypto.hash_to_point(pubs[i].dest) crypto.add_keys3_into(R, ss[i], HP, c_p, sI) crypto.point_add_into(R, R, crypto.scalarmult_into(tmp_pt, D_8, c_c)) chasher = c_to_hash.copy() chasher.update(crypto.encodepoint_into(tmp_bf, L)) chasher.update(crypto.encodepoint_into(tmp_bf, R)) crypto.decodeint_into(c, chasher.digest()) i += 1 res = crypto.sc_sub(c, sc1) if not crypto.sc_eq(res, crypto.sc_0()): raise ValueError("Signature error")
def prove_rct_mg(message, pubs, in_sk, out_sk, out_pk, kLRki, mscout, index, txn_fee_key): """ c.f. http://eprint.iacr.org/2015/1098 section 4. definition 10. This does the MG sig on the "dest" part of the given key matrix, and the last row is the sum of input commitments from that column - sum output commitments this shows that sum inputs = sum outputs :param message: :param pubs: matrix of CtKeys. points are encoded. :param in_sk: :param out_sk: :param out_pk: :param kLRki: :param mscout: :param index: :param txn_fee_key: :return: """ cols = len(pubs) if cols == 0: raise ValueError("Empty pubs") rows = len(pubs[0]) if rows == 0: raise ValueError("Empty pub row") for i in range(cols): if len(pubs[i]) != rows: raise ValueError("pub is not rectangular") if len(in_sk) != rows: raise ValueError("Bad inSk size") if len(out_sk) != len(out_pk): raise ValueError("Bad outsk/putpk size") if (not kLRki or not mscout) and (kLRki and mscout): raise ValueError("Only one of kLRki/mscout is present") sk = key_vector(rows + 1) M = key_matrix(rows + 1, cols) for i in range(rows + 1): sk[i] = crypto.sc_0() for i in range(cols): M[i][rows] = crypto.identity() for j in range(rows): M[i][j] = crypto.decodepoint(pubs[i][j].dest) M[i][rows] = crypto.point_add( M[i][rows], crypto.decodepoint(pubs[i][j].commitment)) sk[rows] = crypto.sc_0() for j in range(rows): sk[j] = in_sk[j].dest sk[rows] = crypto.sc_add(sk[rows], in_sk[j].mask) # add masks in last row for i in range(cols): for j in range(len(out_pk)): M[i][rows] = crypto.point_sub( M[i][rows], crypto.decodepoint( out_pk[j].mask)) # subtract output Ci's in last row # Subtract txn fee output in last row M[i][rows] = crypto.point_sub(M[i][rows], txn_fee_key) for j in range(len(out_pk)): sk[rows] = crypto.sc_sub( sk[rows], out_sk[j].mask) # subtract output masks in last row return gen_mlsag_ext(message, M, sk, kLRki, mscout, index, rows)
def generate_ring_signature(prefix_hash, image, pubs, sec, sec_idx, test=False): """ Generates ring signature with key image. void crypto_ops::generate_ring_signature() :param prefix_hash: :param image: :param pubs: :param sec: :param sec_idx: :param test: :return: """ if test: t = crypto.scalarmult_base(sec) if not crypto.point_eq(t, pubs[sec_idx]): raise ValueError("Invalid sec key") k_i = monero.generate_key_image(crypto.encodepoint(pubs[sec_idx]), sec) if not crypto.point_eq(k_i, image): raise ValueError("Key image invalid") for k in pubs: crypto.ge_frombytes_vartime_check(k) image_unp = crypto.ge_frombytes_vartime(image) image_pre = crypto.ge_dsm_precomp(image_unp) buff = b"" + prefix_hash sum = crypto.sc_0() k = crypto.sc_0() sig = [] for i in range(len(pubs)): sig.append([crypto.sc_0(), crypto.sc_0()]) # c, r for i in range(len(pubs)): if i == sec_idx: k = crypto.random_scalar() tmp3 = crypto.scalarmult_base(k) buff += crypto.encodepoint(tmp3) tmp3 = crypto.hash_to_ec(crypto.encodepoint(pubs[i])) tmp2 = crypto.scalarmult(tmp3, k) buff += crypto.encodepoint(tmp2) else: sig[i] = [crypto.random_scalar(), crypto.random_scalar()] tmp3 = crypto.ge_frombytes_vartime(pubs[i]) tmp2 = crypto.ge_double_scalarmult_base_vartime( sig[i][0], tmp3, sig[i][1]) buff += crypto.encodepoint(tmp2) tmp3 = crypto.hash_to_ec(crypto.encodepoint(tmp3)) tmp2 = crypto.ge_double_scalarmult_precomp_vartime( sig[i][1], tmp3, sig[i][0], image_pre) buff += crypto.encodepoint(tmp2) sum = crypto.sc_add(sum, sig[i][0]) h = crypto.hash_to_scalar(buff) sig[sec_idx][0] = crypto.sc_sub(h, sum) sig[sec_idx][1] = crypto.sc_mulsub(sig[sec_idx][0], sec, k) return sig
async def sc_sub(self): s1 = crypto.decodeint(self._fetch()) s2 = crypto.decodeint(self._fetch()) self._insert(crypto.encodeint(crypto.sc_sub(s1, s2))) return SW_OK
async def gen_rct_simple( self, in_sk, destinations, inamounts, outamounts, txn_fee, mix_ring, kLRki, msout, index, ): """ Generate simple RCT signature. :param in_sk: :param destinations: :param inamounts: :param outamounts: :param txn_fee: :param mix_ring: :param kLRki: :param msout: :param index: :param out_sk: :return: """ if len(inamounts) == 0: raise ValueError("Empty inamounts") if len(inamounts) != len(in_sk): raise ValueError("Different number of inamounts/inSk") if len(outamounts) != len(destinations): raise ValueError("Different number of amounts/destinations") if len(self.output_secrets) != len(destinations): raise ValueError("Different number of amount_keys/destinations") if len(index) != len(in_sk): raise ValueError("Different number of index/inSk") if len(mix_ring) != len(in_sk): raise ValueError("Different number of mixRing/inSk") for idx in range(len(mix_ring)): if index[idx] >= len(mix_ring[idx]): raise ValueError("Bad index into mixRing") rv, sumout, out_sk = await self.gen_rct_header(destinations, outamounts) rv.type = ( xmrtypes.RctType.SimpleBulletproof if self.use_bulletproof else xmrtypes.RctType.Simple ) rv.txnFee = txn_fee rv.mixRing = mix_ring # Pseudooutputs pseudo_outs = [None] * len(inamounts) rv.p.MGs = [None] * len(inamounts) sumpouts = crypto.sc_0() a = [] for idx in range(len(inamounts) - 1): a.append(crypto.random_scalar()) sumpouts = crypto.sc_add(sumpouts, a[idx]) pseudo_outs[idx] = crypto.gen_c(a[idx], inamounts[idx]) a.append(crypto.sc_sub(sumout, sumpouts)) pseudo_outs[-1] = crypto.gen_c(a[-1], inamounts[-1]) if self.use_bulletproof: rv.p.pseudoOuts = [crypto.encodepoint(x) for x in pseudo_outs] else: rv.pseudoOuts = [crypto.encodepoint(x) for x in pseudo_outs] full_message = await monero.get_pre_mlsag_hash(rv) # TODO: msout multisig for i in range(len(inamounts)): rv.p.MGs[i], msc = mlsag2.prove_rct_mg_simple( full_message, rv.mixRing[i], in_sk[i], a[i], pseudo_outs[i], kLRki[i] if kLRki else None, None, index[i], ) if __debug__: assert mlsag2.ver_rct_mg_simple( full_message, rv.p.MGs[i], rv.mixRing[i], pseudo_outs[i] ) return rv
def __sub__(self, other): return self.__class__(key=crypto.sc_sub(self._key, other._key))
async def range_proof(self, idx, dest_pub_key, amount, amount_key): """ Computes rangeproof and related information - out_sk, out_pk, ecdh_info. In order to optimize incremental transaction build, the mask computation is changed compared to the official Monero code. In the official code, the input pedersen commitments are computed after range proof in such a way summed masks for commitments (alpha) and rangeproofs (ai) are equal. In order to save roundtrips we compute commitments randomly and then for the last rangeproof a[63] = (\\sum_{i=0}^{num_inp}alpha_i - \\sum_{i=0}^{num_outs-1} amasks_i) - \\sum_{i=0}^{62}a_i The range proof is incrementally hashed to the final_message. :param idx: :param dest_pub_key: :param amount: :param amount_key: :return: """ from monero_glue.xmr import ring_ct rsig = bytearray(32 * (64 + 64 + 64 + 1)) rsig_mv = memoryview(rsig) out_pk = misc.StdObj(dest=dest_pub_key, mask=None) is_last = idx + 1 == self.num_dests() last_mask = ( None if not is_last or not self.use_simple_rct else crypto.sc_sub(self.sumpouts_alphas, self.sumout) ) # Pedersen commitment on the value, mask from the commitment, range signature. C, mask, rsig = None, 0, None # Rangeproof gc.collect() if self.use_bulletproof: raise ValueError("Bulletproof not yet supported") else: C, mask, rsig = ring_ct.prove_range( amount, last_mask, backend_impl=True, byte_enc=True, rsig=rsig_mv ) rsig = memoryview(rsig) if __debug__: rsig_bytes = monero.inflate_rsig(rsig) self.assrt(ring_ct.ver_range(C, rsig_bytes)) self.assrt( crypto.point_eq( C, crypto.point_add( crypto.scalarmult_base(mask), crypto.scalarmult_h(amount) ), ), "rproof", ) # Incremental hashing await self.full_message_hasher.rsig_val( rsig, self.use_bulletproof, raw=True ) gc.collect() self._log_trace("rproof") # Mask sum out_pk.mask = crypto.encodepoint(C) self.sumout = crypto.sc_add(self.sumout, mask) self.output_sk.append(misc.StdObj(mask=mask)) # ECDH masking from monero_glue.xmr.sub.recode import recode_ecdh from monero_serialize.xmrtypes import EcdhTuple ecdh_info = EcdhTuple(mask=mask, amount=crypto.sc_init(amount)) ecdh_info = ring_ct.ecdh_encode( ecdh_info, derivation=crypto.encodeint(amount_key) ) recode_ecdh(ecdh_info, encode=True) gc.collect() return rsig, out_pk, ecdh_info