def test_square_multiply(self):
for x in [2, 3, 16, 17, 31, 32]:
ss = crypto.random_scalar()
s1 = crypto.sc_copy(None, ss)
s2 = crypto.sc_copy(None, ss)
for i in range(1, x):
crypto.sc_mul_into(s1, s1, ss)
bp._sc_square_mult(s2, ss, x)
self.assertEqual(crypto.encodeint_into(None, s1),
crypto.encodeint_into(None, s2))
def e_xL(idx, d=None):
j, i = idx // bp._BP_N, idx % bp._BP_N
r = None
if j >= num_inp:
r = sc_mone
elif sv[j][i // 8] & (1 << i % 8):
r = sc_zero
else:
r = sc_mone
if d:
return crypto.sc_copy(d, r)
return r
def test_pow_back_skips(self):
MN = 128
y = unhexlify(
'60421950bee0aab949e63336db1eb9532dba6b4599c5cd9fb1dbde909114100e')
y_sc = crypto.decodeint_into(None, y)
yinv = bp._invert(None, y)
y_to_MN_1 = bp._sc_square_mult(None, y_sc, MN - 1)
ymax = crypto.sc_mul_into(None, y_to_MN_1, y_sc) ## y**MN
ymax2 = bp._sc_square_mult(None, y_sc, MN)
self.assertEqual(crypto.encodeint_into(None, ymax),
crypto.encodeint_into(None, ymax2))
size = MN + 1
ypow_back = bp.KeyVPowersBackwards(size,
y,
x_inv=yinv,
x_max=ymax,
raw=True)
self.assertEqual(crypto.encodeint_into(None, ymax),
crypto.encodeint_into(None, ypow_back[MN]))
for i in range(10):
_ = ypow_back[MN - i]
self.assertEqual(
crypto.encodeint_into(None, ypow_back[MN - 9]),
crypto.encodeint_into(None, bp._sc_square_mult(None, y_sc,
MN - 9)))
self.assertEqual(
crypto.encodeint_into(None, ypow_back[MN - 19]),
crypto.encodeint_into(None,
bp._sc_square_mult(None, y_sc, MN - 19)))
self.assertEqual(
crypto.encodeint_into(None, ypow_back[MN - 65]),
crypto.encodeint_into(None,
bp._sc_square_mult(None, y_sc, MN - 65)))
self.assertEqual(
crypto.encodeint_into(None, ypow_back[MN - 14]),
crypto.encodeint_into(None,
bp._sc_square_mult(None, y_sc, MN - 14)))
tmp = crypto.sc_copy(None,
ypow_back[MN - 64]) # another jump back and forth
_ = ypow_back[MN - 127]
self.assertEqual(crypto.encodeint_into(None, ypow_back[MN - 64]),
crypto.encodeint_into(None, tmp))
self.assertEqual(
crypto.encodeint_into(None, ypow_back[MN - 64]),
crypto.encodeint_into(None,
bp._sc_square_mult(None, y_sc, MN - 64)))
def test_dvct_skips(self):
z_sq = unhexlify(
b'e0408b528e9d35ccb8386b87f39b85c724740644f4db412483a8852cdb3ceb00'
)
d_vct0 = bp.VctD(64, 8, z_sq, raw=True)
d_vct1 = bp.VctD(64, 8, z_sq, raw=True)
tmp = crypto.Scalar()
# Linear scan vs jump
for i in range(65):
tmp = d_vct0[i]
self.assertEqual(crypto.encodeint_into(None, tmp),
crypto.encodeint_into(None, d_vct1[64]))
# Jumping around
_ = d_vct0[128]
self.assertEqual(crypto.encodeint_into(None, d_vct0[64]),
crypto.encodeint_into(None, d_vct1[64]))
# Sync on the same jump
self.assertEqual(crypto.encodeint_into(None, d_vct0[65]),
crypto.encodeint_into(None, d_vct1[65]))
self.assertEqual(crypto.encodeint_into(None, d_vct0[65]),
crypto.encodeint_into(None, d_vct1[65]))
# Jump vs linear again, move_one vs move_more
for i in range(1, 10):
tmp = d_vct0[65 + i]
self.assertEqual(crypto.encodeint_into(None, tmp),
crypto.encodeint_into(None, d_vct1[74]))
_ = d_vct0[85]
_ = d_vct1[89] # different jump sizes, internal state management test
self.assertEqual(crypto.encodeint_into(None, d_vct0[95]),
crypto.encodeint_into(None, d_vct1[95]))
_ = d_vct0[
319] # move_one mults by z_sq then; enforce z component updates
self.assertEqual(crypto.encodeint_into(None, d_vct0[320]),
crypto.encodeint_into(None, d_vct1[320]))
tmp = crypto.sc_copy(None, d_vct0[64]) # another jump back and forth
_ = d_vct0[127]
self.assertEqual(crypto.encodeint_into(None, d_vct0[64]),
crypto.encodeint_into(None, tmp))
_ = d_vct0[0]
_ = d_vct1[0]
_ = d_vct0[64]
self.assertEqual(crypto.encodeint_into(None, d_vct0[5]),
crypto.encodeint_into(None, d_vct1[5]))
def _generate_clsag(
message: bytes,
P: List[bytes],
p: Sc25519,
C_nonzero: List[bytes],
z: Sc25519,
Cout: Ge25519,
index: int,
mg_buff: List[bytes],
) -> List[bytes]:
sI = crypto.new_point() # sig.I
sD = crypto.new_point() # sig.D
sc1 = crypto.new_scalar() # sig.c1
a = crypto.random_scalar()
H = crypto.new_point()
D = crypto.new_point()
Cout_bf = crypto.encodepoint(Cout)
tmp_sc = crypto.new_scalar()
tmp = crypto.new_point()
tmp_bf = bytearray(32)
crypto.hash_to_point_into(H, P[index])
crypto.scalarmult_into(sI, H, p) # I = p*H
crypto.scalarmult_into(D, H, z) # D = z*H
crypto.sc_mul_into(tmp_sc, z, crypto.sc_inv_eight()) # 1/8*z
crypto.scalarmult_into(sD, H, tmp_sc) # sig.D = 1/8*z*H
sD = crypto.encodepoint(sD)
hsh_P = crypto.get_keccak() # domain, I, D, P, C, C_offset
hsh_C = crypto.get_keccak() # domain, I, D, P, C, C_offset
hsh_P.update(_HASH_KEY_CLSAG_AGG_0)
hsh_C.update(_HASH_KEY_CLSAG_AGG_1)
def hsh_PC(x):
nonlocal hsh_P, hsh_C
hsh_P.update(x)
hsh_C.update(x)
for x in P:
hsh_PC(x)
for x in C_nonzero:
hsh_PC(x)
hsh_PC(crypto.encodepoint_into(tmp_bf, sI))
hsh_PC(sD)
hsh_PC(Cout_bf)
mu_P = crypto.decodeint(hsh_P.digest())
mu_C = crypto.decodeint(hsh_C.digest())
del (hsh_PC, hsh_P, hsh_C)
c_to_hash = crypto.get_keccak() # domain, P, C, C_offset, message, aG, aH
c_to_hash.update(_HASH_KEY_CLSAG_ROUND)
for i in range(len(P)):
c_to_hash.update(P[i])
for i in range(len(P)):
c_to_hash.update(C_nonzero[i])
c_to_hash.update(Cout_bf)
c_to_hash.update(message)
chasher = c_to_hash.copy()
crypto.scalarmult_base_into(tmp, a)
chasher.update(crypto.encodepoint_into(tmp_bf, tmp)) # aG
crypto.scalarmult_into(tmp, H, a)
chasher.update(crypto.encodepoint_into(tmp_bf, tmp)) # aH
c = crypto.decodeint(chasher.digest())
del (chasher, H)
L = crypto.new_point()
R = crypto.new_point()
c_p = crypto.new_scalar()
c_c = crypto.new_scalar()
i = (index + 1) % len(P)
if i == 0:
crypto.sc_copy(sc1, c)
mg_buff.append(int_serialize.dump_uvarint_b(len(P)))
for _ in range(len(P)):
mg_buff.append(bytearray(32))
while i != index:
crypto.random_scalar(tmp_sc)
crypto.encodeint_into(mg_buff[i + 1], tmp_sc)
crypto.sc_mul_into(c_p, mu_P, c)
crypto.sc_mul_into(c_c, mu_C, c)
# L = tmp_sc * G + c_P * P[i] + c_c * C[i]
crypto.add_keys2_into(L, tmp_sc, c_p,
crypto.decodepoint_into(tmp, P[i]))
crypto.decodepoint_into(tmp, C_nonzero[i]) # C = C_nonzero - Cout
crypto.point_sub_into(tmp, tmp, Cout)
crypto.scalarmult_into(tmp, tmp, c_c)
crypto.point_add_into(L, L, tmp)
# R = tmp_sc * HP + c_p * I + c_c * D
crypto.hash_to_point_into(tmp, P[i])
crypto.add_keys3_into(R, tmp_sc, tmp, c_p, sI)
crypto.point_add_into(R, R, crypto.scalarmult_into(tmp, D, c_c))
chasher = c_to_hash.copy()
chasher.update(crypto.encodepoint_into(tmp_bf, L))
chasher.update(crypto.encodepoint_into(tmp_bf, R))
crypto.decodeint_into(c, chasher.digest())
P[i] = None
C_nonzero[i] = None
i = (i + 1) % len(P)
if i == 0:
crypto.sc_copy(sc1, c)
if i & 3 == 0:
gc.collect()
# Final scalar = a - c * (mu_P * p + mu_c * Z)
crypto.sc_mul_into(tmp_sc, mu_P, p)
crypto.sc_muladd_into(tmp_sc, mu_C, z, tmp_sc)
crypto.sc_mulsub_into(tmp_sc, c, tmp_sc, a)
crypto.encodeint_into(mg_buff[index + 1], tmp_sc)
mg_buff.append(crypto.encodeint(sc1))
mg_buff.append(sD)
return mg_buff
def generate_mlsag(
message: bytes,
pk: KeyM,
xx: List[Sc25519],
index: int,
dsRows: int,
mg_buff: List[bytes],
) -> List[bytes]:
"""
Multilayered Spontaneous Anonymous Group Signatures (MLSAG signatures)
:param message: the full message to be signed (actually its hash)
:param pk: matrix of public keys and commitments
:param xx: input secret array composed of a private key and commitment mask
:param index: specifies corresponding public key to the `xx`'s private key in the `pk` array
:param dsRows: separates pubkeys from commitment
:param mg_buff: mg signature buffer
"""
rows, cols = gen_mlsag_assert(pk, xx, index, dsRows)
rows_b_size = int_serialize.uvarint_size(rows)
# Preallocation of the chunked buffer, len + cols + cc
for _ in range(1 + cols + 1):
mg_buff.append(None)
mg_buff[0] = int_serialize.dump_uvarint_b(cols)
cc = crypto.new_scalar() # rv.cc
c = crypto.new_scalar()
L = crypto.new_point()
R = crypto.new_point()
Hi = crypto.new_point()
# calculates the "first" c, key images and random scalars alpha
c_old, II, alpha = generate_first_c_and_key_images(message, pk, xx, index,
dsRows, rows, cols)
i = (index + 1) % cols
if i == 0:
crypto.sc_copy(cc, c_old)
ss = [crypto.new_scalar() for _ in range(rows)]
tmp_buff = bytearray(32)
while i != index:
hasher = _hasher_message(message)
# Serialize size of the row
mg_buff[i + 1] = bytearray(rows_b_size + 32 * rows)
int_serialize.dump_uvarint_b_into(rows, mg_buff[i + 1])
for x in ss:
crypto.random_scalar(x)
for j in range(dsRows):
# L = rv.ss[i][j] * G + c_old * pk[i][j]
crypto.add_keys2_into(L, ss[j], c_old,
crypto.decodepoint_into(Hi, pk[i][j]))
crypto.hash_to_point_into(Hi, pk[i][j])
# R = rv.ss[i][j] * H(pk[i][j]) + c_old * Ip[j]
crypto.add_keys3_into(R, ss[j], Hi, c_old, II[j])
hasher.update(pk[i][j])
_hash_point(hasher, L, tmp_buff)
_hash_point(hasher, R, tmp_buff)
for j in range(dsRows, rows):
# again, omitting R here as discussed above
crypto.add_keys2_into(L, ss[j], c_old,
crypto.decodepoint_into(Hi, pk[i][j]))
hasher.update(pk[i][j])
_hash_point(hasher, L, tmp_buff)
for si in range(rows):
crypto.encodeint_into(mg_buff[i + 1], ss[si],
rows_b_size + 32 * si)
crypto.decodeint_into(c, hasher.digest())
crypto.sc_copy(c_old, c)
pk[i] = None
i = (i + 1) % cols
if i == 0:
crypto.sc_copy(cc, c_old)
gc.collect()
del II
# Finalizing rv.ss by processing rv.ss[index]
mg_buff[index + 1] = bytearray(rows_b_size + 32 * rows)
int_serialize.dump_uvarint_b_into(rows, mg_buff[index + 1])
for j in range(rows):
crypto.sc_mulsub_into(ss[j], c, xx[j], alpha[j])
crypto.encodeint_into(mg_buff[index + 1], ss[j], rows_b_size + 32 * j)
# rv.cc
mg_buff[-1] = crypto.encodeint(cc)
return mg_buff
def verify_clsag(self, msg, ss, sc1, sI, sD, pubs, C_offset):
n = len(pubs)
c = crypto.Scalar()
D_8 = crypto.Point()
tmp_bf = bytearray(32)
C_offset_bf = crypto_helpers.encodepoint(C_offset)
crypto.sc_copy(c, sc1)
point_mul8_into(D_8, sD)
hsh_P = crypto_helpers.get_keccak() # domain, I, D, P, C, C_offset
hsh_C = crypto_helpers.get_keccak() # domain, I, D, P, C, C_offset
hsh_P.update(clsag._HASH_KEY_CLSAG_AGG_0)
hsh_C.update(clsag._HASH_KEY_CLSAG_AGG_1)
def hsh_PC(x):
hsh_P.update(x)
hsh_C.update(x)
for x in pubs:
hsh_PC(x.dest)
for x in pubs:
hsh_PC(x.commitment)
hsh_PC(crypto.encodepoint_into(tmp_bf, sI))
hsh_PC(crypto.encodepoint_into(tmp_bf, sD))
hsh_PC(C_offset_bf)
mu_P = crypto_helpers.decodeint(hsh_P.digest())
mu_C = crypto_helpers.decodeint(hsh_C.digest())
c_to_hash = crypto_helpers.get_keccak(
) # domain, P, C, C_offset, message, L, R
c_to_hash.update(clsag._HASH_KEY_CLSAG_ROUND)
for i in range(len(pubs)):
c_to_hash.update(pubs[i].dest)
for i in range(len(pubs)):
c_to_hash.update(pubs[i].commitment)
c_to_hash.update(C_offset_bf)
c_to_hash.update(msg)
c_p = crypto.Scalar()
c_c = crypto.Scalar()
L = crypto.Point()
R = crypto.Point()
tmp_pt = crypto.Point()
i = 0
while i < n:
crypto.sc_mul_into(c_p, mu_P, c)
crypto.sc_mul_into(c_c, mu_C, c)
C_P = crypto.point_sub_into(
None, crypto.decodepoint_into(tmp_pt, pubs[i].commitment),
C_offset)
crypto.add_keys2_into(
L, ss[i], c_p, crypto.decodepoint_into(tmp_pt, pubs[i].dest))
crypto.point_add_into(L, L,
crypto.scalarmult_into(tmp_pt, C_P, c_c))
HP = crypto.hash_to_point_into(None, pubs[i].dest)
crypto.add_keys3_into(R, ss[i], HP, c_p, sI)
crypto.point_add_into(R, R,
crypto.scalarmult_into(tmp_pt, D_8, c_c))
chasher = c_to_hash.copy()
chasher.update(crypto.encodepoint_into(tmp_bf, L))
chasher.update(crypto.encodepoint_into(tmp_bf, R))
crypto.decodeint_into(c, chasher.digest())
i += 1
res = crypto.sc_sub_into(None, c, sc1)
if not crypto.sc_eq(res, crypto.Scalar(0)):
raise ValueError("Signature error")