def _hasher_message(message):
"""
Returns incremental hasher for MLSAG
"""
ctx = crypto.get_keccak()
ctx.update(message)
return ctx
def __init__(self):
self.current_output = -1
self.num_outputs = 0
self.expected_hash = None
self.enc_key = None
self.creds = None
self.subaddresses = {}
self.hasher = crypto.get_keccak()
def compute_hash(rr: MoneroTransferDetails) -> bytes:
kck = crypto.get_keccak()
kck.update(rr.out_key)
kck.update(rr.tx_pub_key)
if rr.additional_tx_pub_keys:
for x in rr.additional_tx_pub_keys:
kck.update(x)
kck.update(dump_uvarint_b(rr.internal_output_index))
return kck.digest()
def hash_vct_to_scalar(dst, data):
dst = _ensure_dst_key(dst)
ctx = crypto.get_keccak()
for x in data:
ctx.update(x)
hsh = ctx.digest()
crypto.decodeint_into(tmp_sc_1, hsh)
crypto.encodeint_into(tmp_bf_1, tmp_sc_1)
copy_key(dst, tmp_bf_1)
return dst
def hash_cache_mash(dst, hash_cache, *args):
dst = _ensure_dst_key(dst)
ctx = crypto.get_keccak()
ctx.update(hash_cache)
for x in args:
if x is None:
break
ctx.update(x)
hsh = ctx.digest()
crypto.decodeint_into(tmp_sc_1, hsh)
crypto.encodeint_into(tmp_bf_1, tmp_sc_1)
copy_key(dst, tmp_bf_1)
copy_key(hash_cache, tmp_bf_1)
return dst
def __init__(self):
self.state = 0
self.kc_master = crypto.get_keccak()
self.rsig_hasher = crypto.get_keccak()
self.rtcsig_hasher = KeccakXmrArchive()
def _generate_clsag(
message: bytes,
P: List[bytes],
p: Sc25519,
C_nonzero: List[bytes],
z: Sc25519,
Cout: Ge25519,
index: int,
mg_buff: List[bytes],
) -> List[bytes]:
sI = crypto.new_point() # sig.I
sD = crypto.new_point() # sig.D
sc1 = crypto.new_scalar() # sig.c1
a = crypto.random_scalar()
H = crypto.new_point()
D = crypto.new_point()
Cout_bf = crypto.encodepoint(Cout)
tmp_sc = crypto.new_scalar()
tmp = crypto.new_point()
tmp_bf = bytearray(32)
crypto.hash_to_point_into(H, P[index])
crypto.scalarmult_into(sI, H, p) # I = p*H
crypto.scalarmult_into(D, H, z) # D = z*H
crypto.sc_mul_into(tmp_sc, z, crypto.sc_inv_eight()) # 1/8*z
crypto.scalarmult_into(sD, H, tmp_sc) # sig.D = 1/8*z*H
sD = crypto.encodepoint(sD)
hsh_P = crypto.get_keccak() # domain, I, D, P, C, C_offset
hsh_C = crypto.get_keccak() # domain, I, D, P, C, C_offset
hsh_P.update(_HASH_KEY_CLSAG_AGG_0)
hsh_C.update(_HASH_KEY_CLSAG_AGG_1)
def hsh_PC(x):
nonlocal hsh_P, hsh_C
hsh_P.update(x)
hsh_C.update(x)
for x in P:
hsh_PC(x)
for x in C_nonzero:
hsh_PC(x)
hsh_PC(crypto.encodepoint_into(tmp_bf, sI))
hsh_PC(sD)
hsh_PC(Cout_bf)
mu_P = crypto.decodeint(hsh_P.digest())
mu_C = crypto.decodeint(hsh_C.digest())
del (hsh_PC, hsh_P, hsh_C)
c_to_hash = crypto.get_keccak() # domain, P, C, C_offset, message, aG, aH
c_to_hash.update(_HASH_KEY_CLSAG_ROUND)
for i in range(len(P)):
c_to_hash.update(P[i])
for i in range(len(P)):
c_to_hash.update(C_nonzero[i])
c_to_hash.update(Cout_bf)
c_to_hash.update(message)
chasher = c_to_hash.copy()
crypto.scalarmult_base_into(tmp, a)
chasher.update(crypto.encodepoint_into(tmp_bf, tmp)) # aG
crypto.scalarmult_into(tmp, H, a)
chasher.update(crypto.encodepoint_into(tmp_bf, tmp)) # aH
c = crypto.decodeint(chasher.digest())
del (chasher, H)
L = crypto.new_point()
R = crypto.new_point()
c_p = crypto.new_scalar()
c_c = crypto.new_scalar()
i = (index + 1) % len(P)
if i == 0:
crypto.sc_copy(sc1, c)
mg_buff.append(int_serialize.dump_uvarint_b(len(P)))
for _ in range(len(P)):
mg_buff.append(bytearray(32))
while i != index:
crypto.random_scalar(tmp_sc)
crypto.encodeint_into(mg_buff[i + 1], tmp_sc)
crypto.sc_mul_into(c_p, mu_P, c)
crypto.sc_mul_into(c_c, mu_C, c)
# L = tmp_sc * G + c_P * P[i] + c_c * C[i]
crypto.add_keys2_into(L, tmp_sc, c_p,
crypto.decodepoint_into(tmp, P[i]))
crypto.decodepoint_into(tmp, C_nonzero[i]) # C = C_nonzero - Cout
crypto.point_sub_into(tmp, tmp, Cout)
crypto.scalarmult_into(tmp, tmp, c_c)
crypto.point_add_into(L, L, tmp)
# R = tmp_sc * HP + c_p * I + c_c * D
crypto.hash_to_point_into(tmp, P[i])
crypto.add_keys3_into(R, tmp_sc, tmp, c_p, sI)
crypto.point_add_into(R, R, crypto.scalarmult_into(tmp, D, c_c))
chasher = c_to_hash.copy()
chasher.update(crypto.encodepoint_into(tmp_bf, L))
chasher.update(crypto.encodepoint_into(tmp_bf, R))
crypto.decodeint_into(c, chasher.digest())
P[i] = None
C_nonzero[i] = None
i = (i + 1) % len(P)
if i == 0:
crypto.sc_copy(sc1, c)
if i & 3 == 0:
gc.collect()
# Final scalar = a - c * (mu_P * p + mu_c * Z)
crypto.sc_mul_into(tmp_sc, mu_P, p)
crypto.sc_muladd_into(tmp_sc, mu_C, z, tmp_sc)
crypto.sc_mulsub_into(tmp_sc, c, tmp_sc, a)
crypto.encodeint_into(mg_buff[index + 1], tmp_sc)
mg_buff.append(crypto.encodeint(sc1))
mg_buff.append(sD)
return mg_buff
def prove_range_mem(amount, last_mask=None):
"""
Memory optimized range proof.
Gives C, and mask such that \sumCi = C
c.f. http:#eprint.iacr.org/2015/1098 section 5.1
Ci is a commitment to either 0 or 2^i, i=0,...,63
thus this proves that "amount" is in [0, 2^ATOMS]
mask is a such that C = aG + bH, and b = amount
:param amount:
:param last_mask: ai[ATOMS-1] will be computed as \sum_{i=0}^{ATOMS-2} a_i - last_mask
:param use_asnl: use ASNL, used before Borromean
:return: sumCi, mask, RangeSig.
sumCi is Pedersen commitment on the amount value. sumCi = aG + amount*H
mask is "a" from the Pedersent commitment above.
"""
res = bytearray(32 * (64 + 64 + 64 + 1))
mv = memoryview(res)
gc.collect()
def as0(mv, x, i):
crypto.encodeint_into(x, mv[32 * i:])
def as1(mv, x, i):
crypto.encodeint_into(x, mv[32 * 64 + 32 * i:])
def aci(mv, x, i):
crypto.encodepoint_into(x, mv[32 * 64 * 2 + 32 + 32 * i:])
n = 64
bb = d2b(amount, n) # gives binary form of bb in "digits" binary digits
ai = key_zero_vector(n)
a = crypto.sc_0()
C = crypto.identity()
alpha = key_zero_vector(n)
c_H = crypto.gen_H()
kck = crypto.get_keccak() # ee computation
# First pass, generates: ai, alpha, Ci, ee, s1
for ii in range(n):
ai[ii] = crypto.random_scalar()
if last_mask is not None and ii == 64 - 1:
ai[ii] = crypto.sc_sub(last_mask, a)
a = crypto.sc_add(
a, ai[ii]
) # creating the total mask since you have to pass this to receiver...
alpha[ii] = crypto.random_scalar()
L = crypto.scalarmult_base(alpha[ii])
if bb[ii] == 0:
Ctmp = crypto.scalarmult_base(ai[ii])
else:
Ctmp = crypto.point_add(crypto.scalarmult_base(ai[ii]), c_H)
C = crypto.point_add(C, Ctmp)
aci(mv, Ctmp, ii)
if bb[ii] == 0:
si = crypto.random_scalar()
c = crypto.hash_to_scalar(crypto.encodepoint(L))
L = crypto.add_keys2(si, c, crypto.point_sub(Ctmp, c_H))
kck.update(crypto.encodepoint(L))
as1(mv, si, ii)
else:
kck.update(crypto.encodepoint(L))
c_H = crypto.point_double(c_H)
# Compute ee, memory cleanup
ee = crypto.sc_reduce32(crypto.decodeint(kck.digest()))
crypto.encodeint_into(ee, mv[64 * 32 * 2:])
del kck
gc.collect()
# Second phase computes: s0, s1
c_H = crypto.gen_H()
for jj in range(n):
if not bb[jj]:
s0 = crypto.sc_mulsub(ai[jj], ee, alpha[jj])
else:
s0 = crypto.random_scalar()
Ctmp = crypto.decodepoint(
mv[32 * 64 * 2 + 32 + 32 * jj:32 * 64 * 2 + 32 + 32 * jj + 32])
LL = crypto.add_keys2(s0, ee, Ctmp)
cc = crypto.hash_to_scalar(crypto.encodepoint(LL))
si = crypto.sc_mulsub(ai[jj], cc, alpha[jj])
as1(mv, si, jj)
as0(mv, s0, jj)
c_H = crypto.point_double(c_H)
gc.collect()
return C, a, res
def get_keccak_writer(ctx=None):
if ctx is None:
ctx = crypto.get_keccak()
return HashWriter(ctx)
def prove_range_borromean(amount, last_mask):
"""Calculates Borromean range proof"""
# The large chunks allocated first to avoid potential memory fragmentation issues.
ai = bytearray(32 * 64)
alphai = bytearray(32 * 64)
Cis = bytearray(32 * 64)
s0s = bytearray(32 * 64)
s1s = bytearray(32 * 64)
buff = bytearray(32)
ee_bin = bytearray(32)
a = crypto.sc_init(0)
si = crypto.sc_init(0)
c = crypto.sc_init(0)
ee = crypto.sc_init(0)
tmp_ai = crypto.sc_init(0)
tmp_alpha = crypto.sc_init(0)
C_acc = crypto.identity()
C_h = crypto.xmr_H()
C_tmp = crypto.identity()
L = crypto.identity()
kck = crypto.get_keccak()
for ii in range(64):
crypto.random_scalar(tmp_ai)
if last_mask is not None and ii == 63:
crypto.sc_sub_into(tmp_ai, last_mask, a)
crypto.sc_add_into(a, a, tmp_ai)
crypto.random_scalar(tmp_alpha)
crypto.scalarmult_base_into(L, tmp_alpha)
crypto.scalarmult_base_into(C_tmp, tmp_ai)
# if 0: C_tmp += Zero (nothing is added)
# if 1: C_tmp += 2^i*H
# 2^i*H is already stored in C_h
if (amount >> ii) & 1 == 1:
crypto.point_add_into(C_tmp, C_tmp, C_h)
crypto.point_add_into(C_acc, C_acc, C_tmp)
# Set Ci[ii] to sigs
crypto.encodepoint_into(Cis, C_tmp, ii << 5)
crypto.encodeint_into(ai, tmp_ai, ii << 5)
crypto.encodeint_into(alphai, tmp_alpha, ii << 5)
if ((amount >> ii) & 1) == 0:
crypto.random_scalar(si)
crypto.encodepoint_into(buff, L)
crypto.hash_to_scalar_into(c, buff)
crypto.point_sub_into(C_tmp, C_tmp, C_h)
crypto.add_keys2_into(L, si, c, C_tmp)
crypto.encodeint_into(s1s, si, ii << 5)
crypto.encodepoint_into(buff, L)
kck.update(buff)
crypto.point_double_into(C_h, C_h)
# Compute ee
tmp_ee = kck.digest()
crypto.decodeint_into(ee, tmp_ee)
del (tmp_ee, kck)
C_h = crypto.xmr_H()
gc.collect()
# Second pass, s0, s1
for ii in range(64):
crypto.decodeint_into(tmp_alpha, alphai, ii << 5)
crypto.decodeint_into(tmp_ai, ai, ii << 5)
if ((amount >> ii) & 1) == 0:
crypto.sc_mulsub_into(si, tmp_ai, ee, tmp_alpha)
crypto.encodeint_into(s0s, si, ii << 5)
else:
crypto.random_scalar(si)
crypto.encodeint_into(s0s, si, ii << 5)
crypto.decodepoint_into(C_tmp, Cis, ii << 5)
crypto.add_keys2_into(L, si, ee, C_tmp)
crypto.encodepoint_into(buff, L)
crypto.hash_to_scalar_into(c, buff)
crypto.sc_mulsub_into(si, tmp_ai, c, tmp_alpha)
crypto.encodeint_into(s1s, si, ii << 5)
crypto.point_double_into(C_h, C_h)
crypto.encodeint_into(ee_bin, ee)
del (ai, alphai, buff, tmp_ai, tmp_alpha, si, c, ee, C_tmp, C_h, L)
gc.collect()
return C_acc, a, [s0s, s1s, ee_bin, Cis]
def verify_clsag(self, msg, ss, sc1, sI, sD, pubs, C_offset):
n = len(pubs)
c = crypto.new_scalar()
D_8 = crypto.new_point()
tmp_bf = bytearray(32)
C_offset_bf = crypto.encodepoint(C_offset)
crypto.sc_copy(c, sc1)
crypto.point_mul8_into(D_8, sD)
hsh_P = crypto.get_keccak() # domain, I, D, P, C, C_offset
hsh_C = crypto.get_keccak() # domain, I, D, P, C, C_offset
hsh_P.update(mlsag._HASH_KEY_CLSAG_AGG_0)
hsh_C.update(mlsag._HASH_KEY_CLSAG_AGG_1)
def hsh_PC(x):
hsh_P.update(x)
hsh_C.update(x)
for x in pubs:
hsh_PC(x.dest)
for x in pubs:
hsh_PC(x.commitment)
hsh_PC(crypto.encodepoint_into(tmp_bf, sI))
hsh_PC(crypto.encodepoint_into(tmp_bf, sD))
hsh_PC(C_offset_bf)
mu_P = crypto.decodeint(hsh_P.digest())
mu_C = crypto.decodeint(hsh_C.digest())
c_to_hash = crypto.get_keccak(
) # domain, P, C, C_offset, message, L, R
c_to_hash.update(mlsag._HASH_KEY_CLSAG_ROUND)
for i in range(len(pubs)):
c_to_hash.update(pubs[i].dest)
for i in range(len(pubs)):
c_to_hash.update(pubs[i].commitment)
c_to_hash.update(C_offset_bf)
c_to_hash.update(msg)
c_p = crypto.new_scalar()
c_c = crypto.new_scalar()
L = crypto.new_point()
R = crypto.new_point()
tmp_pt = crypto.new_point()
i = 0
while i < n:
crypto.sc_mul_into(c_p, mu_P, c)
crypto.sc_mul_into(c_c, mu_C, c)
C_P = crypto.point_sub(
crypto.decodepoint_into(tmp_pt, pubs[i].commitment), C_offset)
crypto.add_keys2_into(
L, ss[i], c_p, crypto.decodepoint_into(tmp_pt, pubs[i].dest))
crypto.point_add_into(L, L,
crypto.scalarmult_into(tmp_pt, C_P, c_c))
HP = crypto.hash_to_point(pubs[i].dest)
crypto.add_keys3_into(R, ss[i], HP, c_p, sI)
crypto.point_add_into(R, R,
crypto.scalarmult_into(tmp_pt, D_8, c_c))
chasher = c_to_hash.copy()
chasher.update(crypto.encodepoint_into(tmp_bf, L))
chasher.update(crypto.encodepoint_into(tmp_bf, R))
crypto.decodeint_into(c, chasher.digest())
i += 1
res = crypto.sc_sub(c, sc1)
if not crypto.sc_eq(res, crypto.sc_0()):
raise ValueError("Signature error")
