arnaucube
/
derosuite
mirror of https://github.com/arnaucube/derosuite.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
15 Commits
1 Branch
0 Tags
68 MiB
Tree: 7256a46293
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '7256a46293'
${ noResults }
derosuite/crypto/ringct/ringct.go

445 lines
12 KiB
Raw Normal View History

Derosuite Status Update Release 2
6 years ago
Status update release 1
6 years ago
Derosuite Status Update Release 2
6 years ago
Status update release 1
6 years ago
Derosuite Status Update Release 2
6 years ago
Status update release 1
6 years ago
Derosuite Status Update Release 2
6 years ago
Status update release 1
6 years ago
Derosuite Status Update Release 2
6 years ago
Status update release 1
6 years ago
Derosuite Status Update Release 2
6 years ago
Status update release 1
6 years ago
Derosuite Status Update Release 2
6 years ago
Status update release 1
6 years ago
Derosuite Status Update Release 2
6 years ago
Status update release 1
6 years ago
Derosuite Status Update Release 2
6 years ago
Status update release 1
6 years ago
Derosuite Status Update Release 2
6 years ago
Status update release 1
6 years ago
Derosuite Status Update Release 2
6 years ago
Status update release 1
6 years ago
Derosuite Status Update Release 2
6 years ago
Status update release 1
6 years ago
Derosuite Status Update Release 2
6 years ago
Status update release 1
6 years ago
Derosuite Status Update Release 2
6 years ago
Status update release 1
6 years ago
Derosuite Status Update Release 2
6 years ago
Status update release 1
6 years ago
Derosuite Status Update Release 2
6 years ago
Status update release 1
6 years ago
Derosuite Status Update Release 2
6 years ago
Status update release 1
6 years ago
Derosuite Status Update Release 2
6 years ago
Status update release 1
6 years ago
Derosuite Status Update Release 2
6 years ago
Status update release 1
6 years ago
Derosuite Status Update Release 2
6 years ago
Status update release 1
6 years ago
Derosuite Status Update Release 2
6 years ago
Status update release 1
6 years ago
Derosuite Status Update Release 2
6 years ago
Status update release 1
6 years ago
Derosuite Status Update Release 2
6 years ago
Status update release 1
6 years ago
Derosuite Status Update Release 2
6 years ago
Status update release 1
6 years ago
Derosuite Status Update Release 2
6 years ago
Status update release 1
6 years ago
Derosuite Status Update Release 2
6 years ago
Status update release 1
6 years ago
Derosuite Status Update Release 2
6 years ago
Status update release 1
6 years ago
Derosuite Status Update Release 2
6 years ago
Status update release 1
6 years ago
Derosuite Status Update Release 2
6 years ago
Status update release 1
6 years ago
Derosuite Status Update Release 2
6 years ago
Status update release 1
6 years ago
Derosuite Status Update Release 2
6 years ago
  1. // Copyright 2017-2018 DERO Project. All rights reserved.
  2. // Use of this source code in any form is governed by RESEARCH license.
  3. // license can be found in the LICENSE file.
  4. // GPG: 0F39 E425 8C65 3947 702A 8234 08B2 0360 A03A 9DE8
  5. //
  6. //
  7. // THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY
  8. // EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
  9. // MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL
  10. // THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
  11. // SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
  12. // PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
  13. // INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
  14. // STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF
  15. // THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  17. package ringct
  19. import "io"
  20. import "fmt"
  22. import "github.com/deroproject/derosuite/crypto"
  24. // enable debuggin mode within ringct
  25. // if true debugging mode enabled
  26. const DEBUGGING_MODE = false
  28. // TODO this package need serious love of atleast few weeks
  29. // but atleast the parser and serdes works
  30. // we neeed to expand everthing so as chances of a bug slippping in becomes very low
  31. // NOTE:DO NOT waste time implmenting pre-RCT code
  33. const (
  34. RCTTypeNull = iota
  35. RCTTypeFull
  36. RCTTypeSimple
  37. )
  39. // Pedersen Commitment is generated from this struct
  40. // C = aG + bH where a = mask and b = amount
  41. // senderPk is the one-time public key for ECDH exchange
  42. type ECdhTuple struct {
  43. Mask Key `msgpack:"M"`
  44. Amount Key `msgpack:"A"`
  45. // senderPk Key
  46. }
  48. // Range proof commitments
  49. type Key64 [64]Key
  51. // Range Signature
  52. // Essentially data for a Borromean Signature
  53. type RangeSig struct {
  54. asig BoroSig
  55. ci Key64
  56. }
  58. // Borromean Signature
  59. type BoroSig struct {
  60. s0 Key64
  61. s1 Key64
  62. ee Key
  63. }
  65. // MLSAG (Multilayered Linkable Spontaneous Anonymous Group) Signature
  66. type MlsagSig struct {
  67. ss [][]Key
  68. cc Key // this stores the starting point
  69. II []Key // this stores the keyimage, but is taken from the tx,it is NOT serialized
  70. }
  72. // Confidential Transaction Keys, mask is Pedersen Commitment
  73. // most of the time, it holds public keys, except (transaction making ) where it holds private keys
  74. type CtKey struct {
  75. Destination Key `msgpack:"D"` // this is the destination and needs to expanded from blockchain
  76. Mask Key `msgpack:"M"` // this is the public key amount/commitment homomorphic mask
  77. }
  79. // Ring Confidential Signature parts that we have to keep
  80. type RctSigBase struct {
  81. sigType uint8
  82. Message Key // transaction prefix hash
  83. MixRing [][]CtKey // this is not serialized
  84. pseudoOuts []Key
  85. ECdhInfo []ECdhTuple
  86. OutPk []CtKey // only mask amount is serialized
  87. txFee uint64
  89. Txid crypto.Hash // this field is extra and only used for logging purposes to track which txid was at fault
  90. }
  92. // Ring Confidential Signature parts that we can just prune later
  93. type RctSigPrunable struct {
  94. rangeSigs []RangeSig
  95. MlsagSigs []MlsagSig // there can be as many mlsagsigs as many vins
  96. }
  98. // Ring Confidential Signature struct that can verify everything
  99. type RctSig struct {
  100. RctSigBase
  101. RctSigPrunable
  102. }
  104. func (k *Key64) Serialize() (result []byte) {
  105. for _, key := range k {
  106. result = append(result, key[:]...)
  107. }
  108. return
  109. }
  111. func (b *BoroSig) Serialize() (result []byte) {
  112. result = append(b.s0.Serialize(), b.s1.Serialize()...)
  113. result = append(result, b.ee[:]...)
  114. return
  115. }
  117. func (r *RangeSig) Serialize() (result []byte) {
  118. result = append(r.asig.Serialize(), r.ci.Serialize()...)
  119. return
  120. }
  122. func (m *MlsagSig) Serialize() (result []byte) {
  123. for i := 0; i < len(m.ss); i++ {
  124. for j := 0; j < len(m.ss[i]); j++ {
  125. result = append(result, m.ss[i][j][:]...)
  126. }
  127. }
  128. result = append(result, m.cc[:]...)
  129. return
  130. }
  132. func (r *RctSigBase) SerializeBase() (result []byte) {
  133. result = []byte{r.sigType}
  134. // Null type returns right away
  135. if r.sigType == RCTTypeNull {
  136. return
  137. }
  138. result = append(result, Uint64ToBytes(r.txFee)...)
  139. if r.sigType == RCTTypeSimple {
  140. for _, input := range r.pseudoOuts {
  141. result = append(result, input[:]...)
  142. }
  143. }
  144. for _, ecdh := range r.ECdhInfo {
  145. result = append(result, ecdh.Mask[:]...)
  146. result = append(result, ecdh.Amount[:]...)
  147. }
  148. for _, ctKey := range r.OutPk {
  149. result = append(result, ctKey.Mask[:]...)
  150. }
  151. return
  152. }
  154. func (r *RctSigBase) BaseHash() (result crypto.Hash) {
  155. result = crypto.Keccak256(r.SerializeBase())
  156. return
  157. }
  159. func (r *RctSig) SerializePrunable() (result []byte) {
  160. if r.sigType == RCTTypeNull {
  161. return
  162. }
  163. for _, rangeSig := range r.rangeSigs {
  164. result = append(result, rangeSig.Serialize()...)
  165. }
  166. for _, mlsagSig := range r.MlsagSigs {
  167. result = append(result, mlsagSig.Serialize()...)
  168. }
  169. return
  170. }
  172. func (r *RctSig) Get_Sig_Type() byte {
  173. return r.sigType
  174. }
  176. func (r *RctSig) Get_TX_Fee() (result uint64) {
  177. if r.sigType == RCTTypeNull {
  178. panic("RCTTypeNull cannot have TX fee")
  179. }
  180. return r.txFee
  181. }
  183. func (r *RctSig) PrunableHash() (result crypto.Hash) {
  184. if r.sigType == RCTTypeNull {
  185. return
  186. }
  187. result = crypto.Keccak256(r.SerializePrunable())
  188. return
  189. }
  191. // this is the function which should be used by external world
  192. // if any exceptions occur while handling, we simply return false
  193. // transaction must be expanded before verification
  194. // coinbase transactions are always success, since they are tied to PoW of block
  195. func (r *RctSig) Verify() (result bool) {
  197. result = false
  198. defer func() { // safety so if anything wrong happens, verification fails
  199. if r := recover(); r != nil {
  200. //connection.logger.Fatalf("Recovered while Verify transaction", r)
  201. fmt.Printf("Recovered while Verify transaction")
  202. result = false
  203. }
  204. }()
  206. switch r.sigType {
  207. case RCTTypeNull:
  208. return true /// this is only possible for miner tx
  209. case RCTTypeFull:
  210. return r.VerifyRctFull()
  211. case RCTTypeSimple:
  212. return r.VerifyRctSimple()
  214. default:
  215. return false
  216. }
  218. // can never reach here
  219. // return false
  220. }
  222. // Verify a RCTTypeSimple RingCT Signature
  223. func (r *RctSig) VerifyRctSimple() bool {
  224. sumOutPks := identity()
  225. for _, ctKey := range r.OutPk {
  226. AddKeys(sumOutPks, sumOutPks, &ctKey.Mask)
  227. }
  228. //txFeeKey := ScalarMultH(d2h(r.txFee))
  229. txFeeKey := Commitment_From_Amount(r.txFee)
  230. AddKeys(sumOutPks, sumOutPks, &txFeeKey)
  231. sumPseudoOuts := identity()
  232. for _, pseudoOut := range r.pseudoOuts {
  233. AddKeys(sumPseudoOuts, sumPseudoOuts, &pseudoOut)
  234. }
  235. if *sumPseudoOuts != *sumOutPks {
  236. return false
  237. }
  238. for i, ctKey := range r.OutPk {
  239. if !VerifyRange(&ctKey.Mask, r.rangeSigs[i]) {
  240. return false
  241. }
  242. }
  244. return r.VerifyRCTSimple_Core()
  245. }
  247. func (r *RctSig) VerifyRctFull() bool {
  248. for i, ctKey := range r.OutPk {
  249. if !VerifyRange(&ctKey.Mask, r.rangeSigs[i]) {
  250. return false
  251. }
  252. }
  253. return r.VerifyRCTFull_Core()
  254. }
  256. func ParseCtKey(buf io.Reader) (result CtKey, err error) {
  257. if result.Mask, err = ParseKey(buf); err != nil {
  258. return
  259. }
  260. return
  261. }
  263. func ParseKey64(buf io.Reader) (result Key64, err error) {
  264. for i := 0; i < 64; i++ {
  265. if result[i], err = ParseKey(buf); err != nil {
  266. return
  267. }
  268. }
  269. return
  270. }
  272. // parse Borromean signature
  273. func ParseBoroSig(buf io.Reader) (result BoroSig, err error) {
  274. if result.s0, err = ParseKey64(buf); err != nil {
  275. return
  276. }
  277. if result.s1, err = ParseKey64(buf); err != nil {
  278. return
  279. }
  280. if result.ee, err = ParseKey(buf); err != nil {
  281. return
  282. }
  283. return
  284. }
  286. // range data consists of Single Borromean sig and 64 keys for 64 bits
  287. func ParseRangeSig(buf io.Reader) (result RangeSig, err error) {
  288. if result.asig, err = ParseBoroSig(buf); err != nil {
  289. return
  290. }
  291. if result.ci, err = ParseKey64(buf); err != nil {
  292. return
  293. }
  294. return
  295. }
  297. // parser for ringct signature
  298. // we need to be extra cautious as almost anything cam come as input
  299. func ParseRingCtSignature(buf io.Reader, nInputs, nOutputs, nMixin int) (result *RctSig, err error) {
  300. r := new(RctSig)
  301. sigType := make([]byte, 1)
  302. _, err = buf.Read(sigType)
  303. if err != nil {
  304. return
  305. }
  306. r.sigType = uint8(sigType[0])
  307. if r.sigType == RCTTypeNull {
  308. result = r
  309. return
  310. }
  312. /* This triggers go vet saying suspect OR
  313. if (r.sigType != RCTTypeFull) || (r.sigType != RCTTypeSimple) {
  314. err = fmt.Errorf("Bad signature Type %d", r.sigType)
  315. return
  316. }*/
  318. switch r.sigType {
  319. case RCTTypeFull:
  320. case RCTTypeSimple:
  321. default:
  322. err = fmt.Errorf("Bad signature Type %d", r.sigType)
  323. return
  325. }
  327. r.txFee, err = ReadVarInt(buf)
  328. if err != nil {
  329. return
  330. }
  331. var nMg, nSS int
  332. if r.sigType == RCTTypeSimple {
  333. nMg = nInputs
  334. nSS = 2
  335. r.pseudoOuts = make([]Key, nInputs)
  336. for i := 0; i < nInputs; i++ {
  337. if r.pseudoOuts[i], err = ParseKey(buf); err != nil {
  338. return
  339. }
  340. }
  341. } else {
  342. nMg = 1
  343. nSS = nInputs + 1
  344. }
  345. r.ECdhInfo = make([]ECdhTuple, nOutputs)
  346. for i := 0; i < nOutputs; i++ {
  347. if r.ECdhInfo[i].Mask, err = ParseKey(buf); err != nil {
  348. return
  349. }
  350. if r.ECdhInfo[i].Amount, err = ParseKey(buf); err != nil {
  351. return
  352. }
  353. }
  354. r.OutPk = make([]CtKey, nOutputs)
  355. for i := 0; i < nOutputs; i++ {
  356. if r.OutPk[i], err = ParseCtKey(buf); err != nil {
  357. return
  358. }
  359. }
  360. r.rangeSigs = make([]RangeSig, nOutputs)
  361. for i := 0; i < nOutputs; i++ {
  362. if r.rangeSigs[i], err = ParseRangeSig(buf); err != nil {
  363. return
  364. }
  365. }
  366. r.MlsagSigs = make([]MlsagSig, nMg)
  367. for i := 0; i < nMg; i++ {
  368. r.MlsagSigs[i].ss = make([][]Key, nMixin+1)
  369. for j := 0; j < nMixin+1; j++ {
  370. r.MlsagSigs[i].ss[j] = make([]Key, nSS)
  371. for k := 0; k < nSS; k++ {
  372. if r.MlsagSigs[i].ss[j][k], err = ParseKey(buf); err != nil {
  373. return
  374. }
  375. }
  376. }
  377. if r.MlsagSigs[i].cc, err = ParseKey(buf); err != nil {
  378. return
  379. }
  380. }
  381. result = r
  382. return
  383. }
  385. /*
  386. //Elliptic Curve Diffie Helman: encodes and decodes the amount b and mask a
  387. // where C= aG + bH
  388. void ecdhEncode(ecdhTuple & unmasked, const key & sharedSec) {
  389. key sharedSec1 = hash_to_scalar(sharedSec);
  390. key sharedSec2 = hash_to_scalar(sharedSec1);
  391. //encode
  392. sc_add(unmasked.mask.bytes, unmasked.mask.bytes, sharedSec1.bytes);
  393. sc_add(unmasked.amount.bytes, unmasked.amount.bytes, sharedSec2.bytes);
  394. }
  395. void ecdhDecode(ecdhTuple & masked, const key & sharedSec) {
  396. key sharedSec1 = hash_to_scalar(sharedSec);
  397. key sharedSec2 = hash_to_scalar(sharedSec1);
  398. //decode
  399. sc_sub(masked.mask.bytes, masked.mask.bytes, sharedSec1.bytes);
  400. sc_sub(masked.amount.bytes, masked.amount.bytes, sharedSec2.bytes);
  401. }
  402. */
  403. func ecdhEncode(tuple *ECdhTuple, shared_secret Key) {
  404. shared_secret1 := HashToScalar(shared_secret[:])
  405. shared_secret2 := HashToScalar(shared_secret1[:])
  407. // encode
  408. ScAdd(&tuple.Mask, &tuple.Mask, shared_secret1)
  409. ScAdd(&tuple.Amount, &tuple.Amount, shared_secret2)
  410. }
  412. func ecdhDecode(tuple *ECdhTuple, shared_secret Key) {
  413. shared_secret1 := HashToScalar(shared_secret[:])
  414. shared_secret2 := HashToScalar(shared_secret1[:])
  416. // encode
  417. ScSub(&tuple.Mask, &tuple.Mask, shared_secret1)
  418. ScSub(&tuple.Amount, &tuple.Amount, shared_secret2)
  419. }
  421. // decode and verify a previously encrypted tuple
  422. // the keys come in from the wallet
  423. // tuple is the encoded data
  424. // skey is the secret scalar key
  425. // outpk is public key used to verify whether the decode was sucessfull
  426. func Decode_Amount(tuple ECdhTuple, skey Key, outpk Key) (amount uint64, mask Key, result bool) {
  427. var Ctmp Key
  429. ecdhDecode(&tuple, skey) // decode the amounts
  431. // saniity check similiar to original one
  432. // addKeys2(Ctmp, mask, amount, H);
  433. AddKeys2(&Ctmp, &tuple.Mask, &tuple.Amount, &H)
  435. if Ctmp != outpk {
  436. fmt.Printf("warning, amount decoded incorrectly, will be unable to spend")
  437. result = false
  438. return
  439. }
  440. amount = h2d(tuple.Amount)
  441. mask = tuple.Mask
  443. result = true
  444. return
  445. }