def gen_mlsag_rows(message, rv, pk, xx, kLRki, index, dsRows, rows, cols):
    """
    Start an MLSAG signature: the part that touches secret keys.

    Assigns one nonce per row (drawn at random, or taken from ``kLRki`` for
    the first ``dsRows`` rows), fills in the key images ``rv.II``, allocates
    ``rv.ss`` and hashes column ``index`` of ``pk`` together with the nonce
    commitments into the first challenge scalar.

    Security: ``alpha`` holds the per-row secret nonces and is returned to the
    caller. Treat it like key material: keep it out of logs and never reuse it
    for another signature. The ``crypto.scalarmult(Hi, xx[i])`` call operates
    on the long-term secret ``xx[i]``.
    NOTE(review): whether ``crypto.random_scalar`` is backed by a CSPRNG and
    whether the scalar multiplications are constant-time is not visible here -
    confirm in ``crypto``.

    :param message: message bound into the challenge via ``hasher_message``
    :param rv: signature object; ``rv.II`` and ``rv.ss`` are overwritten here
    :param pk: matrix of EC points, read as ``pk[index][row]``
    :param xx: secret scalars; ``xx[i]`` is read for ``i < dsRows`` when
        ``kLRki`` is falsy
    :param kLRki: optional object exposing ``k``, ``ki``, ``L`` and ``R``.
        When truthy, its nonce, key image and commitments are used instead of
        locally generated ones - for every one of the first ``dsRows`` rows.
        NOTE(review): a supplied ``k`` must be fresh per signature; confirm
        with the caller.
    :param index: column of ``pk`` hashed here (presumably the signer's own
        column - confirm against caller)
    :param dsRows: number of leading rows that carry a key image
    :param rows: total number of rows
    :param cols: second dimension handed to ``key_matrix`` for ``rv.ss``
    :return: tuple ``(c_old, Ip, alpha)``: the first challenge as a scalar,
        the precomputed key images, and the secret nonces
    """
    Ip = key_vector(dsRows)
    rv.II = key_vector(dsRows)
    alpha = key_vector(rows)
    rv.ss = key_matrix(rows, cols)

    transcript = hasher_message(message)

    # Rows with a key image: two commitments per row (base point and Hp(pk)).
    for i in range(dsRows):
        pub = pk[index][i]
        transcript.update(crypto.encodepoint(pub))

        if not kLRki:
            hp = crypto.hash_to_point(
                crypto.encodepoint(pub))  # originally hashToPoint()
            alpha[i] = crypto.random_scalar()
            nonce_g = crypto.scalarmult_base(alpha[i])
            nonce_hp = crypto.scalarmult(hp, alpha[i])
            # Key image for this row: xx[i] * Hp(pk[index][i]).
            rv.II[i] = crypto.scalarmult(hp, xx[i])
            transcript.update(crypto.encodepoint(nonce_g))
            transcript.update(crypto.encodepoint(nonce_hp))
        else:
            # Nonce, key image and commitments come from kLRki as supplied.
            alpha[i] = kLRki.k
            rv.II[i] = kLRki.ki
            transcript.update(crypto.encodepoint(kLRki.L))
            transcript.update(crypto.encodepoint(kLRki.R))

        Ip[i] = crypto.precomp(rv.II[i])

    # Remaining rows have no key image: a single base-point commitment each.
    for i in range(dsRows, rows):
        alpha[i] = crypto.random_scalar()
        nonce_g = crypto.scalarmult_base(alpha[i])
        transcript.update(crypto.encodepoint(pk[index][i]))
        transcript.update(crypto.encodepoint(nonce_g))

    first_challenge = crypto.decodeint(transcript.digest())
    return first_challenge, Ip, alpha
def ver_mlsag_ext(message, pk, rv, dsRows):
    """
    Verify a Multilayered Spontaneous Anonymous Group Signature (MLSAG).

    c.f. http://eprint.iacr.org/2015/1098 section 2.
    Key images are I[i] = xx[i] * Hash(xx[i] * G) for each i.

    Starting from ``rv.cc``, the challenge is recomputed column by column from
    the responses ``rv.ss``, the public keys ``pk`` and the key images
    ``rv.II``. The signature is accepted when the challenge obtained after the
    last column equals ``rv.cc`` again.

    Security: every input except the return value of ``ver_mlsag_assert`` is
    taken as given.
    NOTE(review): this function does not itself check that the key images in
    ``rv.II`` are valid points of the expected order, nor that ``cols`` is
    non-zero (with zero columns the loop is skipped and the final comparison
    is ``rv.cc`` against itself). Confirm that ``ver_mlsag_assert`` or the
    caller enforces both.

    :param message: message bound into each challenge via ``hasher_message``
    :param pk: matrix of EC points, point form, read as ``pk[col][row]``
    :param rv: signature object; ``rv.cc``, ``rv.ss`` and ``rv.II`` are read
    :param dsRows: number of leading rows that carry a key image
    :return: True when the recomputed challenge equals ``rv.cc``
    """
    rows, cols = ver_mlsag_assert(pk, rv, dsRows)

    Ip = key_vector(dsRows)
    for i in range(dsRows):
        Ip[i] = crypto.precomp(rv.II[i])

    challenge = rv.cc
    for col in range(cols):
        transcript = hasher_message(message)

        # Rows with a key image contribute pk, L and R to the hash.
        for row in range(dsRows):
            response = rv.ss[col][row]
            pub = pk[col][row]
            L = crypto.add_keys2(response, challenge, pub)
            hp = crypto.hash_to_point(
                crypto.encodepoint(pub))  # originally hashToPoint()
            R = crypto.add_keys3(response, hp, challenge, Ip[row])
            transcript.update(crypto.encodepoint(pub))
            transcript.update(crypto.encodepoint(L))
            transcript.update(crypto.encodepoint(R))

        # Remaining rows contribute only pk and L.
        for row in range(dsRows, rows):
            pub = pk[col][row]
            L = crypto.add_keys2(rv.ss[col][row], challenge, pub)
            transcript.update(crypto.encodepoint(pub))
            transcript.update(crypto.encodepoint(L))

        # This column's digest is the challenge fed into the next column.
        challenge = crypto.decodeint(transcript.digest())

    # Accept only if the last challenge equals the one stored in the signature.
    difference = crypto.sc_sub(challenge, rv.cc)
    return not crypto.sc_isnonzero(difference)