def main():
args = render_args()
test_vectors = []
for i in range(0, 10):
sk = SpendingKey(bytes([i] * 32))
note_v = (2548793025584392057432895043257984320 * i) % 2**64
note_r = Fr(8890123457840276890326754358439057438290574382905).exp(i +
1)
note_cm = note_commit(note_r,
leos2bsp(bytes(diversify_hash(sk.default_d()))),
leos2bsp(bytes(sk.default_pkd())), note_v)
note_pos = (980705743285409327583205473820957432 * i) % 2**MERKLE_DEPTH
note_nf = note_nullifier(sk.nk(), note_cm, Fr(note_pos))
test_vectors.append({
'sk': sk.data,
'ask': bytes(sk.ask()),
'nsk': bytes(sk.nsk()),
'ovk': sk.ovk(),
'ak': bytes(sk.ak()),
'nk': bytes(sk.nk()),
'ivk': bytes(sk.ivk()),
'default_d': sk.default_d(),
'default_pk_d': bytes(sk.default_pkd()),
'note_v': note_v,
'note_r': bytes(note_r),
'note_cmu': bytes(note_cm.u),
'note_pos': note_pos,
'note_nf': note_nf,
})
render_tv(
args,
'sapling_key_components',
(
('sk', '[u8; 32]'),
('ask', '[u8; 32]'),
('nsk', '[u8; 32]'),
('ovk', '[u8; 32]'),
('ak', '[u8; 32]'),
('nk', '[u8; 32]'),
('ivk', '[u8; 32]'),
('default_d', '[u8; 11]'),
('default_pk_d', '[u8; 32]'),
('note_v', 'u64'),
('note_r', '[u8; 32]'),
('note_cmu', '[u8; 32]'),
('note_pos', 'u64'),
('note_nf', '[u8; 32]'),
),
test_vectors,
)
def verify(self, vk, M, sig):
mid = cldiv(self.l_G, 8)
(Rbar, Sbar) = (sig[:mid], sig[mid:]) # TODO: bitlength(r_j)
R = Point.from_bytes(Rbar)
S = leos2ip(Sbar)
c = h_star(Rbar + M)
return R and S < r_j and self.P_g * Fr(S) == R + vk * c
def encode_segment(Mi):
ki = len(Mi) // 3
Michunks = [Mi[i:i + 3] for i in range(0, len(Mi), 3)]
assert len(Michunks) == ki
return Fr(
sum([
encode_chunk(Michunks[j - 1]) * 2**(4 * (j - 1))
for j in range(1, ki + 1)
]))
def ivk(self):
return Fr(crh_ivk(bytes(self.ak()), bytes(self.nk())))
def to_scalar(buf):
return Fr(leos2ip(buf))
def h_star(B):
return Fr(leos2ip(H(B)))
def main():
print('''
struct TestVector {
sk: [u8; 32],
ask: [u8; 32],
nsk: [u8; 32],
ovk: [u8; 32],
ak: [u8; 32],
nk: [u8; 32],
ivk: [u8; 32],
default_d: [u8; 11],
default_pk_d: [u8; 32],
note_v: u64,
note_r: [u8; 32],
note_cm: [u8; 32],
note_pos: u64,
note_nf: [u8; 32],
};
// From https://github.com/zcash-hackworks/zcash-test-vectors/blob/master/sapling_key_components.py
let test_vectors = vec![''')
for i in range(0, 10):
sk = SpendingKey(bytes([i] * 32))
note_v = (2548793025584392057432895043257984320 * i) % 2**64
note_r = Fr(8890123457840276890326754358439057438290574382905).exp(i +
1)
note_cm = note_commit(
note_r, leos2bsp(bytes(group_hash(b'Zcash_gd', sk.default_d()))),
leos2bsp(bytes(sk.default_pkd())), note_v)
note_pos = (980705743285409327583205473820957432 * i) % 2**MERKLE_DEPTH
note_nf = note_nullifier(sk.nk(), note_cm, Fr(note_pos))
print(''' TestVector {
sk: [
%s
],
ask: [
%s
],
nsk: [
%s
],
ovk: [
%s
],
ak: [
%s
],
nk: [
%s
],
ivk: [
%s
],
default_d: [
%s
],
default_pk_d: [
%s
],
note_v: %s,
note_r: [
%s
],
note_cm: [
%s
],
note_pos: %s,
note_nf: [
%s
],
},''' % (
chunk(hexlify(sk.data)),
chunk(hexlify(bytes(sk.ask()))),
chunk(hexlify(bytes(sk.nsk()))),
chunk(hexlify(sk.ovk())),
chunk(hexlify(bytes(sk.ak()))),
chunk(hexlify(bytes(sk.nk()))),
chunk(hexlify(bytes(sk.ivk()))),
chunk(hexlify(sk.default_d())),
chunk(hexlify(bytes(sk.default_pkd()))),
note_v,
chunk(hexlify(bytes(note_r))),
chunk(hexlify(bytes(note_cm.u))),
note_pos,
chunk(hexlify(note_nf)),
))
print(' ];')
def nsk(self):
return Fr.from_bytes(prf_expand(self.data, b'\1'))
def main():
args = render_args()
from random import Random
rng = Random(0xabad533d)
def randbytes(l):
ret = []
while len(ret) < l:
ret.append(rng.randrange(0, 256))
return bytes(ret)
ne = SaplingNoteEncryption(randbytes)
test_vectors = []
for i in range(0, 10):
sk = SpendingKey(bytes([i] * 32))
pk_d = sk.default_pkd()
g_d = diversify_hash(sk.default_d())
np = SaplingNotePlaintext(
sk.default_d(),
100000000 * (i+1),
Fr(8890123457840276890326754358439057438290574382905).exp(i+1),
b'\xf6' + b'\x00'*511)
cv = VALUE_COMMITMENT_VALUE_BASE * Fr(np.v) + VALUE_COMMITMENT_RANDOMNESS_BASE * np.rcm
cm = note_commit(
np.rcm,
leos2bsp(bytes(g_d)),
leos2bsp(bytes(pk_d)),
np.v)
(
esk, epk,
shared_secret,
k_enc, p_enc, c_enc,
ock, op, c_out,
) = ne.encrypt(np, pk_d, g_d, cv, cm, sk.ovk())
test_vectors.append({
'ovk': sk.ovk(),
'ivk': bytes(sk.ivk()),
'default_d': sk.default_d(),
'default_pk_d': bytes(sk.default_pkd()),
'v': np.v,
'rcm': bytes(np.rcm),
'memo': np.memo,
'cv': bytes(cv),
'cmu': bytes(cm.u),
'esk': bytes(esk),
'epk': bytes(epk),
'shared_secret': bytes(shared_secret),
'k_enc': k_enc,
'p_enc': p_enc,
'c_enc': c_enc,
'ock': ock,
'op': op,
'c_out': c_out,
})
render_tv(
args,
'sapling_note_encryption',
(
('ovk', '[u8; 32]'),
('ivk', '[u8; 32]'),
('default_d', '[u8; 11]'),
('default_pk_d', '[u8; 32]'),
('v', 'u64'),
('rcm', '[u8; 32]'),
('memo', '[u8; 512]'),
('cv', '[u8; 32]'),
('cmu', '[u8; 32]'),
('esk', '[u8; 32]'),
('epk', '[u8; 32]'),
('shared_secret', '[u8; 32]'),
('k_enc', '[u8; 32]'),
('p_enc', '[u8; 564]'),
('c_enc', '[u8; 580]'),
('ock', '[u8; 32]'),
('op', '[u8; 64]'),
('c_out', '[u8; 80]'),
),
test_vectors,
)
def private(random):
return Fr(leos2ip(random(32)))
