arnaucube
/
derosuite
mirror of https://github.com/arnaucube/derosuite.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
10 Commits
1 Branch
0 Tags
68 MiB
Tree: 9687ad9cb4
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '9687ad9cb4'
${ noResults }
derosuite/crypto/ringct/mlsag.go

233 lines
7.5 KiB
Raw Normal View History

Status update release 1
6 years ago
Derosuite Status Update Release 2
6 years ago
Status update release 1
6 years ago
Derosuite Status Update Release 2
6 years ago
Status update release 1
6 years ago
Derosuite Status Update Release 2
6 years ago
Status update release 1
6 years ago
  1. package ringct
  3. import "fmt"
  4. import "github.com/deroproject/derosuite/crypto"
  6. // this file has license pending since it triggers a hard to find golang bug TODO add license after the golang bug is fixed
  7. /* This file implements MLSAG signatures for the transactions */
  9. // get the hash of the transaction which is used to create the mlsag later on, this hash is input to MLSAG
  10. // the hash is = hash( message + hash(basehash) + hash(pederson and borromean data))
  11. func Get_pre_mlsag_hash(sig *RctSig) crypto.Hash {
  13. message_hash := sig.Message
  14. base_hash := crypto.Keccak256(sig.SerializeBase())
  16. //fmt.Printf("Message hash %s\n", message_hash)
  17. //fmt.Printf("Base hash %s\n", base_hash)
  19. // now join the borromean signature and extract a sig
  20. var other_data []byte
  21. for i := range sig.rangeSigs {
  22. //other_data = append(other_data,sig.rangeSigs[i].asig.s0.Serialize()...)
  23. //other_data = append(other_data,sig.rangeSigs[i].asig.s1.Serialize()...)
  24. //other_data = append(other_data,sig.rangeSigs[i].asig.ee[:]...)
  25. //OR
  26. // other_data = append(other_data, sig.rangeSigs[i].asig.Serialize()...) // serialise borrosig
  27. // other_data = append(other_data, sig.rangeSigs[i].ci.Serialize()...)
  28. // OR
  29. other_data = append(other_data, sig.rangeSigs[i].Serialize()...) // range sig serialise
  30. }
  31. other_data_hash := crypto.Keccak256(other_data)
  33. //fmt.Printf("other hash %s\n", other_data_hash)
  35. // join all 3 hashes and hash them again to get the data
  36. final_data := append(message_hash[:], base_hash[:]...)
  37. final_data = append(final_data, other_data_hash[:]...)
  38. final_data_hash := crypto.Keccak256(final_data)
  40. if DEBUGGING_MODE {
  41. fmt.Printf("final_data_hash hash %s\n", final_data_hash)
  42. }
  44. return final_data_hash
  45. }
  47. //Multilayered Spontaneous Anonymous Group Signatures (MLSAG signatures)
  48. //This is a just slghtly more efficient version than the ones described below
  49. //(will be explained in more detail in Ring Multisig paper
  50. //These are aka MG signatutes in earlier drafts of the ring ct paper
  51. // c.f. http://eprint.iacr.org/2015/1098 section 2.
  52. // keyImageV just does I[i] = xx[i] * Hash(xx[i] * G) for each i
  53. // Gen creates a signature which proves that for some column in the keymatrix "pk"
  54. // the signer knows a secret key for each row in that column
  55. // Ver verifies that the MG sig was created correctly
  56. func MLSAG_Ver(message Key, pk [][]Key, rv *MlsagSig, dsRows int, r *RctSig) (result bool) {
  57. result = false
  58. cols := len(pk)
  59. if cols < 2 {
  60. if DEBUGGING_MODE {
  61. fmt.Printf("RingCT MLSAG_Ver must have cols > 1\n")
  62. }
  63. result = false
  64. return
  65. }
  67. rows := len(pk[0])
  68. if rows < 1 {
  69. if DEBUGGING_MODE {
  70. fmt.Printf("RingCT MLSAG_Ver must have rows > 0\n")
  71. }
  72. result = false
  73. return
  74. }
  76. for i := 0; i < cols; i++ {
  77. if len(pk[i]) != rows {
  78. if DEBUGGING_MODE {
  79. fmt.Printf("RingCT MLSAG_Ver pk matrix not rectangular\n")
  80. }
  81. result = false
  82. return
  83. }
  84. }
  86. if len(rv.II) != dsRows {
  87. if DEBUGGING_MODE {
  88. fmt.Printf("RingCT MLSAG_Ver Bad II size\n")
  89. }
  90. result = false
  91. return
  92. }
  94. if len(rv.ss) != cols {
  95. if DEBUGGING_MODE {
  96. fmt.Printf("RingCT MLSAG_Ver Bad rv.ss size len(rv.ss) = %d cols = %d\n", len(rv.ss), cols)
  97. }
  98. result = false
  99. return
  100. }
  102. for i := 0; i < cols; i++ {
  103. if len(rv.ss[i]) != rows {
  104. if DEBUGGING_MODE {
  105. fmt.Printf("RingCT MLSAG_Ver rv.ss is not rectangular\n")
  106. }
  107. result = false
  108. return
  109. }
  110. }
  112. if dsRows > rows {
  113. if DEBUGGING_MODE {
  114. fmt.Printf("RingCT MLSAG_Ver Bad dsRows value\n")
  115. }
  116. result = false
  117. return
  118. }
  120. for i := 0; i < len(rv.ss); i++ {
  121. for j := 0; j < len(rv.ss[i]); j++ {
  122. if !ScValid(&rv.ss[i][j]) {
  123. if DEBUGGING_MODE {
  124. fmt.Printf("RingCT MLSAG_Ver Bad ss slot\n")
  125. }
  126. result = false
  127. return
  128. }
  129. }
  130. }
  132. if !ScValid(&rv.cc) {
  133. if DEBUGGING_MODE {
  134. fmt.Printf("RingCT MLSAG_Ver Bad r.cc slot\n")
  135. }
  136. result = false
  137. return
  138. }
  140. Ip := make([][8]CachedGroupElement, dsRows, dsRows) // do pre computation of key keyImage
  141. for i := 0; i < dsRows; i++ {
  142. key_image_point := new(ExtendedGroupElement)
  143. key_image_point.FromBytes(&rv.II[i])
  144. GePrecompute(&Ip[i], key_image_point)
  145. }
  147. ndsRows := 3 * dsRows //non Double Spendable Rows (see identity chains paper
  148. toHash := make([]Key, 1+3*dsRows+2*(rows-dsRows), 1+3*dsRows+2*(rows-dsRows))
  149. toHash[0] = message
  151. // golang does NOT allow to use casts without using unsafe, so we can be slow but safe
  152. toHash_bytes := make([]byte, 0, (1+3*dsRows+2*(rows-dsRows))*len(message))
  154. var c Key
  155. c_old := rv.cc
  156. for i := 0; i < cols; i++ {
  157. Sc_0(&c) // zero out c
  159. // BUG BUG BUG
  160. // DERO project has found a go bug
  161. // This bug affects all known golang supported platforms and architectures (arm/386/amd64/...?)
  162. // even the golang 1.10 release candidates are affected ( though tip has not been tested )
  163. //
  164. // if you comment the line below and uncomment similiar line in first loop, the bug triggers for 1 in 20000 RCT full transactions, this means the the entire block chain cannot be verified before the bug fails the crypto
  165. // this bug triggers at high probability when the affected code is executed by multiple goroutines simultaneously
  166. // since the bug is notoriously hard to trigger while execution
  167. // we have figured out an easy way to visibly demonstrate that the bug is present
  168. // if the variables are declared within first loop, second loop is able to access them without declaring them
  169. // this causes random memory to be used during CPU load, causing the transaction to fail since crypto checksums mark it as failure ( TODO detailed analysis)
  171. // this bug may be the source of several other random crash bugs and need to be given a detailed looked
  172. // this may be the source of the follown known but not-understood (cause not found) bugs
  173. // https://github.com/golang/go/issues/15658
  174. // https://github.com/golang/go/issues/20427
  175. // https://github.com/golang/go/issues/22988
  176. // https://github.com/golang/go/issues/20300 and even more
  177. // NOTE: for golang developers, this bug needs to studied and fixed correctly. Since, another bug seems to exists
  178. // which causes constants to flip ( yes consts ). However, we cannot be certain if its the same bug, once this gets quashed, we will test the other one too.
  179. var L, R, Hi Key // comment this line and uncomment similiar line in first loop to trigger BUG
  181. // first loop
  182. for j := 0; j < dsRows; j++ {
  183. //var L, R, Hi Key // uncomment this line to trigger golang compiler BUG ( atleast on linux amd64)
  184. AddKeys2(&L, &rv.ss[i][j], &c_old, &pk[i][j])
  185. Hi = pk[i][j].HashToPoint()
  186. AddKeys3(&R, &rv.ss[i][j], &Hi, &c_old, &Ip[j])
  188. toHash[3*j+1] = pk[i][j]
  189. toHash[3*j+2] = L
  190. toHash[3*j+3] = R
  191. }
  193. //second loop
  194. for j, ii := dsRows, 0; j < rows; j, ii = j+1, ii+1 {
  195. AddKeys2(&L, &rv.ss[i][j], &c_old, &pk[i][j]) // here L is getting used again
  196. toHash[ndsRows+2*ii+1] = pk[i][j]
  197. toHash[ndsRows+2*ii+2] = L
  198. }
  200. toHash_bytes = toHash_bytes[:0] // zero out everything
  201. for k := range toHash {
  202. toHash_bytes = append(toHash_bytes, toHash[k][:]...)
  203. }
  205. c = *(HashToScalar(toHash_bytes)) // hash_to_scalar(toHash);
  206. copy(c_old[:], c[:]) // flipping the args here, will cause all transactions to become valid
  208. }
  210. if DEBUGGING_MODE {
  211. //fmt.Printf("c %x\n",c)
  212. fmt.Printf("c_old %s\n", c_old)
  213. fmt.Printf("rv.ss %s\n", rv.cc)
  214. }
  216. // c = c_old-rv.cc
  217. ScSub(&c, &c_old, &rv.cc)
  219. // if 0 checksum verified, otherwise checksum failed
  220. result = ScIsZero(&c)
  222. if DEBUGGING_MODE {
  224. if result {
  225. fmt.Printf("RingCT MLSAG_Ver Success\n")
  226. } else {
  227. fmt.Printf("RingCT MLSAG_Ver verification failed\n")
  228. }
  229. }
  231. return
  233. }