arnaucube
/
derosuite
mirror of https://github.com/arnaucube/derosuite.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
4 Commits
1 Branch
0 Tags
68 MiB
 
Tree: a390b5e235
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'a390b5e235'
${ noResults }
derosuite/crypto/ringct/range.go

159 lines
4.3 KiB
Raw Blame History

package ringct
//import "fmt"
const ATOMS = 64 // 64 bit in the amount field
type bits64 [ATOMS]bool
// implementation of d2b from rctTypes.cpp
// lays out the number from lowest bit at pos 0 and highest at bit 63
func d2b_uint64_to_bits(amount uint64)(bits64){
var bits bits64
for i := 0; amount != 0; i++ {
if (amount&1) == 1 {
bits[i] = true
}
amount = amount >> 1
}
return bits
}
//ProveRange and VerifyRange
//ProveRange gives C, and mask such that \sumCi = C
// c.f. http://eprint.iacr.org/2015/1098 section 5.1
// and Ci is a commitment to either 0 or 2^i, i=0,...,63
// thus this proves that "amount" is in [0, 2^64]
// mask is a such that C = aG + bH, and b = amount
//VerifyRange verifies that \sum Ci = C and that each Ci is a commitment to 0 or 2^i
// this function proves a range using Pedersen commitment and borromean signatures
// implemented in cryptonote rctSigs.cpp
func ProveRange (C *Key, mask *Key, amount uint64) ( *RangeSig){
Sc_0(mask)
copy(C[:], (*identity())[:]) // set C to identity
var ai Key64
var Cih Key64
var sig RangeSig
bits := d2b_uint64_to_bits(amount)
//fmt.Printf("bits %+v\n", bits)
for i := 0; i < ATOMS;i++{
ai[i] = *(RandomScalar()) // grab a random key
// Sc_0(&ai[i]); // make random key zero for tesing puprpose // BUG if line is uncommented
ScReduce32(&ai[i]) // reduce it
// fmt.Printf("ai[%2d] %x\n",i, ai[i])
sig.ci[i] = ScalarmultBase(ai[i])
// fmt.Printf("ci[%2d] %x\n",i, sig.ci[i])
if bits[i] {
AddKeys(&sig.ci[i],&sig.ci[i],&H2[i])
}
SubKeys(&Cih[i],&sig.ci[i],&H2[i])
ScAdd(mask,mask,&ai[i])
AddKeys(C,C,&sig.ci[i])
}
//fmt.Print("C %x\n", *C)
// TODO caculate Borromean signature here
sig.asig = GenerateBorromean(ai, sig.ci, Cih, bits);
return &sig
}
func VerifyRange(c *Key, as RangeSig) bool {
var CiH Key64
tmp := identity()
for i := 0; i < 64; i++ {
SubKeys(&CiH[i], &as.ci[i], &H2[i])
AddKeys(tmp, tmp, &as.ci[i])
}
// fmt.Printf("C %x\n", *c)
// fmt.Printf("tmp %x\n", *tmp)
if *c != *tmp {
return false
}
//return true
return VerifyBorromean(&as.asig, &as.ci, &CiH)
}
//Borromean (c.f. gmax/andytoshi's paper)
func GenerateBorromean(x Key64, P1 Key64, P2 Key64, indices bits64) (BoroSig){
var bb BoroSig
var alpha Key64
var L [2]Key64
var c Key
var data_bytes []byte
for ii := 0; ii < ATOMS;ii++{
var naught,prime int
if indices[ii]{
naught = 1
}else{
naught = 0
}
prime = (naught+1)%2 // basically it is the inverse of naught
alpha[ii] = skGen() // generate a new random scalar
L[naught][ii] = ScalarmultBase(alpha[ii])
if naught == 0 {
bb.s1[ii] = skGen()
c = *(HashToScalar(L[naught][ii][:]))
AddKeys2(&L[prime][ii], &bb.s1[ii], &c, &P2[ii])
}
// original cryptonote does NOT clear out some unset bytes, verify whether it may be a problem for them
data_bytes = append(data_bytes, L[1][ii][:]...)
}
// take the hash of the L1 keys all 64 of them
// we have been collecting them above
bb.ee = *(HashToScalar(data_bytes));
// fmt.Printf("bb.ee %x\n", bb.ee)
var LL, cc Key
for jj := 0 ; jj < ATOMS;jj++{
if indices[jj] == false {
ScMulSub(&bb.s0[jj], &x[jj], &bb.ee, &alpha[jj])
}else{
bb.s0[jj] = skGen()
AddKeys2(&LL, &bb.s0[jj], &bb.ee, &P1[jj])
cc = *(HashToScalar(LL[:]))
ScMulSub(&bb.s1[jj], &x[jj], &cc, &alpha[jj])
}
}
return bb
}
// Verify the Borromean sig
func VerifyBorromean(b *BoroSig, p1, p2 *Key64) bool {
var data []byte
tmp, tmp2 := new(Key), new(Key)
for i := 0; i < 64; i++ {
AddKeys2(tmp, &b.s0[i], &b.ee, &p1[i])
tmp3 := HashToScalar(tmp[:])
AddKeys2(tmp2, &b.s1[i], tmp3, &p2[i])
data = append(data, tmp2[:]...)
}
computed := HashToScalar(data)
// fmt.Printf("comp %x\n", computed)
return *computed == b.ee
}