def test_h_pow(self):
hp = crypto.gen_Hpow(10)
self.assertEqual(crypto.encodepoint(hp[0]), crypto.encodepoint(crypto.gen_H()))
for i in range(1, 10):
crypto.check_ed25519point(hp[i])
self.assertEqual(
crypto.encodepoint(hp[i]),
crypto.encodepoint(
crypto.scalarmult(crypto.gen_H(), crypto.sc_init(2 ** i))
),
)
def ver_range(C=None, rsig=None, use_asnl=False, decode=True):
"""
Verifies that \sum Ci = C and that each Ci is a commitment to 0 or 2^i
:param C:
:param rsig:
:param use_asnl: use ASNL, used before Borromean, insecure!
:param decode: decodes encoded range proof
:return:
"""
n = ATOMS
CiH = [None] * n
C_tmp = crypto.identity()
c_H = crypto.gen_H()
if decode:
rsig = monero.recode_rangesig(rsig, encode=False, copy=True)
for i in range(0, n):
CiH[i] = crypto.point_sub(rsig.Ci[i], c_H)
C_tmp = crypto.point_add(C_tmp, rsig.Ci[i])
c_H = crypto.point_double(c_H)
if C is not None and not crypto.point_eq(C_tmp, C):
return 0
if use_asnl:
return asnl.ver_asnl(rsig.Ci, CiH, rsig.asig.s0, rsig.asig.s1,
rsig.asig.ee)
else:
return mlsag2.ver_borromean(rsig.Ci, CiH, rsig.asig.s0, rsig.asig.s1,
rsig.asig.ee)
def ecdh_decode_simple(rv, sk, i):
"""
Decodes ECDH from the transaction, checks mask (decoding validity).
:param rv:
:param sk:
:param i:
:return:
"""
if i >= len(rv.ecdhInfo):
raise ValueError("Bad index")
if len(rv.outPk) != len(rv.ecdhInfo):
raise ValueError("outPk vs ecdhInfo mismatch")
ecdh_info = rv.ecdhInfo[i]
ecdh_info = recode_ecdh(ecdh_info, False)
ecdh_info = ring_ct.ecdh_decode(ecdh_info, derivation=crypto.encodeint(sk))
c_tmp = crypto.add_keys2(ecdh_info.mask, ecdh_info.amount, crypto.gen_H())
if not crypto.point_eq(c_tmp, crypto.decodepoint(rv.outPk[i].mask)):
raise ValueError("Amount decoded incorrectly")
return ecdh_info.amount, ecdh_info.mask
def decode_rct(rv, sk, i):
"""
c.f. http:#eprint.iacr.org/2015/1098 section 5.1.1
Uses the attached ecdh info to find the amounts represented by each output commitment
must know the destination private key to find the correct amount, else will return a random number
:param rv:
:param sk:
:param i:
:return:
"""
decodedTuple = ecdh_decode(rv.ecdhInfo[i], sk)
mask = decodedTuple.mask
amount = decodedTuple.amount
C = rv.outPk[i].mask
H = crypto.gen_H()
Ctmp = crypto.point_add(crypto.scalarmult_base(mask),
crypto.scalarmult(H, amount))
if not crypto.point_eq(crypto.point_sub(C, Ctmp), crypto.identity()):
logger.warning(
"warning, amount decoded incorrectly, will be unable to spend")
return amount
def test_h(self):
H = bytes(
[
0x8b,
0x65,
0x59,
0x70,
0x15,
0x37,
0x99,
0xaf,
0x2a,
0xea,
0xdc,
0x9f,
0xf1,
0xad,
0xd0,
0xea,
0x6c,
0x72,
0x51,
0xd5,
0x41,
0x54,
0xcf,
0xa9,
0x2c,
0x17,
0x3a,
0x0d,
0xd3,
0x9c,
0x1f,
0x94,
]
)
self.assertEqual(crypto.encodepoint(crypto.gen_H()), H)
def prove_range_mem(amount, last_mask=None):
"""
Memory optimized range proof.
Gives C, and mask such that \sumCi = C
c.f. http:#eprint.iacr.org/2015/1098 section 5.1
Ci is a commitment to either 0 or 2^i, i=0,...,63
thus this proves that "amount" is in [0, 2^ATOMS]
mask is a such that C = aG + bH, and b = amount
:param amount:
:param last_mask: ai[ATOMS-1] will be computed as \sum_{i=0}^{ATOMS-2} a_i - last_mask
:param use_asnl: use ASNL, used before Borromean
:return: sumCi, mask, RangeSig.
sumCi is Pedersen commitment on the amount value. sumCi = aG + amount*H
mask is "a" from the Pedersent commitment above.
"""
n = ATOMS
bb = d2b(amount, n) # gives binary form of bb in "digits" binary digits
ai = [None] * len(bb)
Ci = [None] * len(bb)
a = crypto.sc_0()
C = crypto.identity()
alpha = mlsag2.key_zero_vector(n)
s1 = mlsag2.key_zero_vector(n)
c_H = crypto.gen_H()
kck = crypto.get_keccak() # ee computation
# First pass, generates: ai, alpha, Ci, ee, s1
for ii in range(n):
ai[ii] = crypto.random_scalar()
if last_mask is not None and ii == ATOMS - 1:
ai[ii] = crypto.sc_sub(last_mask, a)
a = crypto.sc_add(
a, ai[ii]
) # creating the total mask since you have to pass this to receiver...
alpha[ii] = crypto.random_scalar()
L = crypto.scalarmult_base(alpha[ii])
if bb[ii] == 0:
Ci[ii] = crypto.scalarmult_base(ai[ii])
else:
Ci[ii] = crypto.point_add(crypto.scalarmult_base(ai[ii]), c_H)
C = crypto.point_add(C, Ci[ii])
if bb[ii] == 0:
s1[ii] = crypto.random_scalar()
c = crypto.hash_to_scalar(crypto.encodepoint(L))
L = crypto.add_keys2(s1[ii], c, crypto.point_sub(Ci[ii], c_H))
kck.update(crypto.encodepoint(L))
else:
kck.update(crypto.encodepoint(L))
c_H = crypto.point_double(c_H)
# Compute ee, memory cleanup
ee = crypto.sc_reduce32(crypto.decodeint(kck.digest()))
del kck
# Second phase computes: s0, s1
c_H = crypto.gen_H()
s0 = mlsag2.key_zero_vector(n)
for jj in range(n):
if not bb[jj]:
s0[jj] = crypto.sc_mulsub(ai[jj], ee, alpha[jj])
else:
s0[jj] = crypto.random_scalar()
LL = crypto.add_keys2(s0[jj], ee, Ci[jj])
cc = crypto.hash_to_scalar(crypto.encodepoint(LL))
s1[jj] = crypto.sc_mulsub(ai[jj], cc, alpha[jj])
c_H = crypto.point_double(c_H)
A = xmrtypes.BoroSig()
A.s0, A.s1, A.ee = s0, s1, ee
R = xmrtypes.RangeSig()
R.asig = A
R.Ci = Ci
return C, a, R