aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authormoneromooo-monero <moneromooo-monero@users.noreply.github.com>2016-05-13 20:45:20 +0100
committermoneromooo-monero <moneromooo-monero@users.noreply.github.com>2016-08-28 21:26:54 +0100
commit9b1afe5f2d488c64e3fb5e087055cf66d2165391 (patch)
treea61056d713db439c80617296b9b3031cb67bd744
parentMerge pull request #991 (diff)
downloadmonero-9b1afe5f2d488c64e3fb5e087055cf66d2165391.tar.xz
ringct: import of Shen Noether's ring confidential transactions
Diffstat
-rw-r--r--src/CMakeLists.txt1
-rw-r--r--src/crypto/crypto-ops.c14
-rw-r--r--src/crypto/crypto-ops.h8
-rw-r--r--src/crypto/crypto.h16
-rw-r--r--src/crypto/keccak.c6
-rw-r--r--src/crypto/keccak.h4
-rw-r--r--src/ringct/CMakeLists.txt59
-rw-r--r--src/ringct/rctCryptoOps.c221
-rw-r--r--src/ringct/rctCryptoOps.h37
-rw-r--r--src/ringct/rctOps.cpp741
-rw-r--r--src/ringct/rctOps.h163
-rw-r--r--src/ringct/rctSigs.cpp533
-rw-r--r--src/ringct/rctSigs.h144
-rw-r--r--src/ringct/rctTypes.cpp209
-rw-r--r--src/ringct/rctTypes.h267
15 files changed, 2410 insertions, 13 deletions
diff --git a/src/CMakeLists.txt b/src/CMakeLists.txt
index dfa31aa72..70bb215d0 100644
--- a/src/CMakeLists.txt
+++ b/src/CMakeLists.txt
@@ -91,6 +91,7 @@ endfunction ()
add_subdirectory(common)
add_subdirectory(crypto)
+add_subdirectory(ringct)
add_subdirectory(cryptonote_core)
add_subdirectory(blockchain_db)
add_subdirectory(mnemonics)
diff --git a/src/crypto/crypto-ops.c b/src/crypto/crypto-ops.c
index a9b659a6b..1b390e402 100644
--- a/src/crypto/crypto-ops.c
+++ b/src/crypto/crypto-ops.c
@@ -40,17 +40,15 @@ DISABLE_VS_WARNINGS(4146 4244)
static void fe_mul(fe, const fe, const fe);
static void fe_sq(fe, const fe);
-static void fe_tobytes(unsigned char *, const fe);
static void ge_madd(ge_p1p1 *, const ge_p3 *, const ge_precomp *);
static void ge_msub(ge_p1p1 *, const ge_p3 *, const ge_precomp *);
static void ge_p2_0(ge_p2 *);
static void ge_p3_dbl(ge_p1p1 *, const ge_p3 *);
-static void ge_sub(ge_p1p1 *, const ge_p3 *, const ge_cached *);
static void fe_divpowm1(fe, const fe, const fe);
/* Common functions */
-static uint64_t load_3(const unsigned char *in) {
+uint64_t load_3(const unsigned char *in) {
uint64_t result;
result = (uint64_t) in[0];
result |= ((uint64_t) in[1]) << 8;
@@ -58,7 +56,7 @@ static uint64_t load_3(const unsigned char *in) {
return result;
}
-static uint64_t load_4(const unsigned char *in)
+uint64_t load_4(const unsigned char *in)
{
uint64_t result;
result = (uint64_t) in[0];
@@ -120,7 +118,7 @@ Postconditions:
|h| bounded by 1.1*2^26,1.1*2^25,1.1*2^26,1.1*2^25,etc.
*/
-static void fe_add(fe h, const fe f, const fe g) {
+void fe_add(fe h, const fe f, const fe g) {
int32_t f0 = f[0];
int32_t f1 = f[1];
int32_t f2 = f[2];
@@ -258,7 +256,7 @@ static void fe_copy(fe h, const fe f) {
/* From fe_invert.c */
-static void fe_invert(fe out, const fe z) {
+void fe_invert(fe out, const fe z) {
fe t0;
fe t1;
fe t2;
@@ -1031,7 +1029,7 @@ Proof:
so floor(2^(-255)(h + 19 2^(-25) h9 + 2^(-1))) = q.
*/
-static void fe_tobytes(unsigned char *s, const fe h) {
+void fe_tobytes(unsigned char *s, const fe h) {
int32_t h0 = h[0];
int32_t h1 = h[1];
int32_t h2 = h[2];
@@ -1591,7 +1589,7 @@ void ge_scalarmult_base(ge_p3 *h, const unsigned char *a) {
r = p - q
*/
-static void ge_sub(ge_p1p1 *r, const ge_p3 *p, const ge_cached *q) {
+void ge_sub(ge_p1p1 *r, const ge_p3 *p, const ge_cached *q) {
fe t0;
fe_add(r->X, p->Y, p->X);
fe_sub(r->Y, p->Y, p->X);
diff --git a/src/crypto/crypto-ops.h b/src/crypto/crypto-ops.h
index cdc5ac1ee..4986499f4 100644
--- a/src/crypto/crypto-ops.h
+++ b/src/crypto/crypto-ops.h
@@ -143,3 +143,11 @@ void sc_sub(unsigned char *, const unsigned char *, const unsigned char *);
void sc_mulsub(unsigned char *, const unsigned char *, const unsigned char *, const unsigned char *);
int sc_check(const unsigned char *);
int sc_isnonzero(const unsigned char *); /* Doesn't normalize */
+
+// internal
+uint64_t load_3(const unsigned char *in);
+uint64_t load_4(const unsigned char *in);
+void ge_sub(ge_p1p1 *r, const ge_p3 *p, const ge_cached *q);
+void fe_add(fe h, const fe f, const fe g);
+void fe_tobytes(unsigned char *, const fe);
+void fe_invert(fe out, const fe z);
diff --git a/src/crypto/crypto.h b/src/crypto/crypto.h
index fa55c2aab..aa437d57d 100644
--- a/src/crypto/crypto.h
+++ b/src/crypto/crypto.h
@@ -64,6 +64,22 @@ namespace crypto {
friend class crypto_ops;
};
+ POD_CLASS public_keyV {
+ std::vector<public_key> keys;
+ int rows;
+ };
+
+ POD_CLASS secret_keyV {
+ std::vector<secret_key> keys;
+ int rows;
+ };
+
+ POD_CLASS public_keyM {
+ int cols;
+ int rows;
+ std::vector<secret_keyV> column_vectors;
+ };
+
POD_CLASS key_derivation: ec_point {
friend class crypto_ops;
};
diff --git a/src/crypto/keccak.c b/src/crypto/keccak.c
index 3ee2a887c..090d563a2 100644
--- a/src/crypto/keccak.c
+++ b/src/crypto/keccak.c
@@ -73,11 +73,11 @@ void keccakf(uint64_t st[25], int rounds)
// compute a keccak hash (md) of given byte length from "in"
typedef uint64_t state_t[25];
-int keccak(const uint8_t *in, int inlen, uint8_t *md, int mdlen)
+int keccak(const uint8_t *in, size_t inlen, uint8_t *md, int mdlen)
{
state_t st;
uint8_t temp[144];
- int i, rsiz, rsizw;
+ size_t i, rsiz, rsizw;
rsiz = sizeof(state_t) == mdlen ? HASH_DATA_AREA : 200 - 2 * mdlen;
rsizw = rsiz / 8;
@@ -106,7 +106,7 @@ int keccak(const uint8_t *in, int inlen, uint8_t *md, int mdlen)
return 0;
}
-void keccak1600(const uint8_t *in, int inlen, uint8_t *md)
+void keccak1600(const uint8_t *in, size_t inlen, uint8_t *md)
{
keccak(in, inlen, md, sizeof(state_t));
}
diff --git a/src/crypto/keccak.h b/src/crypto/keccak.h
index 4f7f85729..fbd8e1904 100644
--- a/src/crypto/keccak.h
+++ b/src/crypto/keccak.h
@@ -16,11 +16,11 @@
#endif
// compute a keccak hash (md) of given byte length from "in"
-int keccak(const uint8_t *in, int inlen, uint8_t *md, int mdlen);
+int keccak(const uint8_t *in, size_t inlen, uint8_t *md, int mdlen);
// update the state
void keccakf(uint64_t st[25], int norounds);
-void keccak1600(const uint8_t *in, int inlen, uint8_t *md);
+void keccak1600(const uint8_t *in, size_t inlen, uint8_t *md);
#endif
diff --git a/src/ringct/CMakeLists.txt b/src/ringct/CMakeLists.txt
new file mode 100644
index 000000000..078199bb0
--- /dev/null
+++ b/src/ringct/CMakeLists.txt
@@ -0,0 +1,59 @@
+# Copyright (c) 2016, The Monero Project
+#
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without modification, are
+# permitted provided that the following conditions are met:
+#
+# 1. Redistributions of source code must retain the above copyright notice, this list of
+# conditions and the following disclaimer.
+#
+# 2. Redistributions in binary form must reproduce the above copyright notice, this list
+# of conditions and the following disclaimer in the documentation and/or other
+# materials provided with the distribution.
+#
+# 3. Neither the name of the copyright holder nor the names of its contributors may be
+# used to endorse or promote products derived from this software without specific
+# prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY
+# EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL
+# THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+# PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+# STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF
+# THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+set(ringct_sources
+ rctOps.cpp
+ rctSigs.cpp
+ rctTypes.cpp
+ rctCryptoOps.c)
+
+set(ringct_headers)
+
+set(ringct_private_headers
+ rctOps.h
+ rctSigs.h
+ rctTypes.h)
+
+bitmonero_private_headers(ringct
+ ${crypto_private_headers})
+bitmonero_add_library(ringct
+ ${ringct_sources}
+ ${ringct_headers}
+ ${ringct_private_headers})
+target_link_libraries(ringct
+ LINK_PUBLIC
+ common
+ crypto
+ ${Boost_DATE_TIME_LIBRARY}
+ ${Boost_PROGRAM_OPTIONS_LIBRARY}
+ ${Boost_SERIALIZATION_LIBRARY}
+ LINK_PRIVATE
+ ${Boost_FILESYSTEM_LIBRARY}
+ ${Boost_SYSTEM_LIBRARY}
+ ${Boost_THREAD_LIBRARY}
+ ${EXTRA_LIBRARIES})
diff --git a/src/ringct/rctCryptoOps.c b/src/ringct/rctCryptoOps.c
new file mode 100644
index 000000000..9bb9a6891
--- /dev/null
+++ b/src/ringct/rctCryptoOps.c
@@ -0,0 +1,221 @@
+// Copyright (c) 2014-2016, The Monero Project
+//
+// All rights reserved.
+//
+// Redistribution and use in source and binary forms, with or without modification, are
+// permitted provided that the following conditions are met:
+//
+// 1. Redistributions of source code must retain the above copyright notice, this list of
+// conditions and the following disclaimer.
+//
+// 2. Redistributions in binary form must reproduce the above copyright notice, this list
+// of conditions and the following disclaimer in the documentation and/or other
+// materials provided with the distribution.
+//
+// 3. Neither the name of the copyright holder nor the names of its contributors may be
+// used to endorse or promote products derived from this software without specific
+// prior written permission.
+//
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY
+// EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+// MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL
+// THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+// PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+// INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+// STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF
+// THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+//
+// Parts of this file are originally copyright (c) 2012-2013 The Cryptonote developers
+
+#include <assert.h>
+#include <stdint.h>
+
+#include "crypto/crypto-ops.h"
+
+//DISABLE_VS_WARNINGS(4146 4244)
+
+void sc_reduce32copy(unsigned char * scopy, const unsigned char *s) {
+ int64_t s0 = 2097151 & load_3(s);
+ int64_t s1 = 2097151 & (load_4(s + 2) >> 5);
+ int64_t s2 = 2097151 & (load_3(s + 5) >> 2);
+ int64_t s3 = 2097151 & (load_4(s + 7) >> 7);
+ int64_t s4 = 2097151 & (load_4(s + 10) >> 4);
+ int64_t s5 = 2097151 & (load_3(s + 13) >> 1);
+ int64_t s6 = 2097151 & (load_4(s + 15) >> 6);
+ int64_t s7 = 2097151 & (load_3(s + 18) >> 3);
+ int64_t s8 = 2097151 & load_3(s + 21);
+ int64_t s9 = 2097151 & (load_4(s + 23) >> 5);
+ int64_t s10 = 2097151 & (load_3(s + 26) >> 2);
+ int64_t s11 = (load_4(s + 28) >> 7);
+ int64_t s12 = 0;
+ int64_t carry0;
+ int64_t carry1;
+ int64_t carry2;
+ int64_t carry3;
+ int64_t carry4;
+ int64_t carry5;
+ int64_t carry6;
+ int64_t carry7;
+ int64_t carry8;
+ int64_t carry9;
+ int64_t carry10;
+ int64_t carry11;
+
+ carry0 = (s0 + (1<<20)) >> 21;
+ s1 += carry0;
+ s0 -= carry0 << 21;
+ carry2 = (s2 + (1<<20)) >> 21;
+ s3 += carry2;
+ s2 -= carry2 << 21;
+ carry4 = (s4 + (1<<20)) >> 21;
+ s5 += carry4;
+ s4 -= carry4 << 21;
+ carry6 = (s6 + (1<<20)) >> 21;
+ s7 += carry6;
+ s6 -= carry6 << 21;
+ carry8 = (s8 + (1<<20)) >> 21;
+ s9 += carry8;
+ s8 -= carry8 << 21;
+ carry10 = (s10 + (1<<20)) >> 21;
+ s11 += carry10;
+ s10 -= carry10 << 21;
+
+ carry1 = (s1 + (1<<20)) >> 21;
+ s2 += carry1;
+ s1 -= carry1 << 21;
+ carry3 = (s3 + (1<<20)) >> 21;
+ s4 += carry3;
+ s3 -= carry3 << 21;
+ carry5 = (s5 + (1<<20)) >> 21;
+ s6 += carry5;
+ s5 -= carry5 << 21;
+ carry7 = (s7 + (1<<20)) >> 21;
+ s8 += carry7;
+ s7 -= carry7 << 21;
+ carry9 = (s9 + (1<<20)) >> 21;
+ s10 += carry9;
+ s9 -= carry9 << 21;
+ carry11 = (s11 + (1<<20)) >> 21;
+ s12 += carry11;
+ s11 -= carry11 << 21;
+
+ s0 += s12 * 666643;
+ s1 += s12 * 470296;
+ s2 += s12 * 654183;
+ s3 -= s12 * 997805;
+ s4 += s12 * 136657;
+ s5 -= s12 * 683901;
+ s12 = 0;
+
+ carry0 = s0 >> 21;
+ s1 += carry0;
+ s0 -= carry0 << 21;
+ carry1 = s1 >> 21;
+ s2 += carry1;
+ s1 -= carry1 << 21;
+ carry2 = s2 >> 21;
+ s3 += carry2;
+ s2 -= carry2 << 21;
+ carry3 = s3 >> 21;
+ s4 += carry3;
+ s3 -= carry3 << 21;
+ carry4 = s4 >> 21;
+ s5 += carry4;
+ s4 -= carry4 << 21;
+ carry5 = s5 >> 21;
+ s6 += carry5;
+ s5 -= carry5 << 21;
+ carry6 = s6 >> 21;
+ s7 += carry6;
+ s6 -= carry6 << 21;
+ carry7 = s7 >> 21;
+ s8 += carry7;
+ s7 -= carry7 << 21;
+ carry8 = s8 >> 21;
+ s9 += carry8;
+ s8 -= carry8 << 21;
+ carry9 = s9 >> 21;
+ s10 += carry9;
+ s9 -= carry9 << 21;
+ carry10 = s10 >> 21;
+ s11 += carry10;
+ s10 -= carry10 << 21;
+ carry11 = s11 >> 21;
+ s12 += carry11;
+ s11 -= carry11 << 21;
+
+ s0 += s12 * 666643;
+ s1 += s12 * 470296;
+ s2 += s12 * 654183;
+ s3 -= s12 * 997805;
+ s4 += s12 * 136657;
+ s5 -= s12 * 683901;
+
+ carry0 = s0 >> 21;
+ s1 += carry0;
+ s0 -= carry0 << 21;
+ carry1 = s1 >> 21;
+ s2 += carry1;
+ s1 -= carry1 << 21;
+ carry2 = s2 >> 21;
+ s3 += carry2;
+ s2 -= carry2 << 21;
+ carry3 = s3 >> 21;
+ s4 += carry3;
+ s3 -= carry3 << 21;
+ carry4 = s4 >> 21;
+ s5 += carry4;
+ s4 -= carry4 << 21;
+ carry5 = s5 >> 21;
+ s6 += carry5;
+ s5 -= carry5 << 21;
+ carry6 = s6 >> 21;
+ s7 += carry6;
+ s6 -= carry6 << 21;
+ carry7 = s7 >> 21;
+ s8 += carry7;
+ s7 -= carry7 << 21;
+ carry8 = s8 >> 21;
+ s9 += carry8;
+ s8 -= carry8 << 21;
+ carry9 = s9 >> 21;
+ s10 += carry9;
+ s9 -= carry9 << 21;
+ carry10 = s10 >> 21;
+ s11 += carry10;
+ s10 -= carry10 << 21;
+
+ scopy[0] = s0 >> 0;
+ scopy[1] = s0 >> 8;
+ scopy[2] = (s0 >> 16) | (s1 << 5);
+ scopy[3] = s1 >> 3;
+ scopy[4] = s1 >> 11;
+ scopy[5] = (s1 >> 19) | (s2 << 2);
+ scopy[6] = s2 >> 6;
+ scopy[7] = (s2 >> 14) | (s3 << 7);
+ scopy[8] = s3 >> 1;
+ scopy[9] = s3 >> 9;
+ scopy[10] = (s3 >> 17) | (s4 << 4);
+ scopy[11] = s4 >> 4;
+ scopy[12] = s4 >> 12;
+ scopy[13] = (s4 >> 20) | (s5 << 1);
+ scopy[14] = s5 >> 7;
+ scopy[15] = (s5 >> 15) | (s6 << 6);
+ scopy[16] = s6 >> 2;
+ scopy[17] = s6 >> 10;
+ scopy[18] = (s6 >> 18) | (s7 << 3);
+ scopy[19] = s7 >> 5;
+ scopy[20] = s7 >> 13;
+ scopy[21] = s8 >> 0;
+ scopy[22] = s8 >> 8;
+ scopy[23] = (s8 >> 16) | (s9 << 5);
+ scopy[24] = s9 >> 3;
+ scopy[25] = s9 >> 11;
+ scopy[26] = (s9 >> 19) | (s10 << 2);
+ scopy[27] = s10 >> 6;
+ scopy[28] = (s10 >> 14) | (s11 << 7);
+ scopy[29] = s11 >> 1;
+ scopy[30] = s11 >> 9;
+ scopy[31] = s11 >> 17;
+}
diff --git a/src/ringct/rctCryptoOps.h b/src/ringct/rctCryptoOps.h
new file mode 100644
index 000000000..58c6964d8
--- /dev/null
+++ b/src/ringct/rctCryptoOps.h
@@ -0,0 +1,37 @@
+// Copyright (c) 2014-2016, The Monero Project
+//
+// All rights reserved.
+//
+// Redistribution and use in source and binary forms, with or without modification, are
+// permitted provided that the following conditions are met:
+//
+// 1. Redistributions of source code must retain the above copyright notice, this list of
+// conditions and the following disclaimer.
+//
+// 2. Redistributions in binary form must reproduce the above copyright notice, this list
+// of conditions and the following disclaimer in the documentation and/or other
+// materials provided with the distribution.
+//
+// 3. Neither the name of the copyright holder nor the names of its contributors may be
+// used to endorse or promote products derived from this software without specific
+// prior written permission.
+//
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY
+// EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+// MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL
+// THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+// PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+// INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+// STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF
+// THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+//
+// Parts of this file are originally copyright (c) 2012-2013 The Cryptonote developers
+
+#pragma once
+
+extern "C" {
+#include "crypto/crypto-ops.h"
+}
+
+void sc_reduce32copy(unsigned char * scopy, const unsigned char *s);
diff --git a/src/ringct/rctOps.cpp b/src/ringct/rctOps.cpp
new file mode 100644
index 000000000..6853becb9
--- /dev/null
+++ b/src/ringct/rctOps.cpp
@@ -0,0 +1,741 @@
+// Copyright (c) 2016, Monero Research Labs
+//
+// Author: Shen Noether <shen.noether@gmx.com>
+//
+// All rights reserved.
+//
+// Redistribution and use in source and binary forms, with or without modification, are
+// permitted provided that the following conditions are met:
+//
+// 1. Redistributions of source code must retain the above copyright notice, this list of
+// conditions and the following disclaimer.
+//
+// 2. Redistributions in binary form must reproduce the above copyright notice, this list
+// of conditions and the following disclaimer in the documentation and/or other
+// materials provided with the distribution.
+//
+// 3. Neither the name of the copyright holder nor the names of its contributors may be
+// used to endorse or promote products derived from this software without specific
+// prior written permission.
+//
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY
+// EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+// MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL
+// THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+// PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+// INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+// STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF
+// THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+#include "rctOps.h"
+using namespace crypto;
+using namespace std;
+
+namespace rct {
+
+ //Various key initialization functions
+
+ //Creates a zero scalar
+ void zero(key &zero) {
+ int i = 0;
+ for (i = 0; i < 32; i++) {
+ zero[i] = (unsigned char)(0x00);
+ }
+ }
+
+ //Creates a zero scalar
+ key zero() {
+ return{ {0x00, 0x00, 0x00,0x00 , 0x00, 0x00, 0x00,0x00 , 0x00, 0x00, 0x00,0x00 , 0x00, 0x00, 0x00,0x00 , 0x00, 0x00, 0x00,0x00 , 0x00, 0x00, 0x00,0x00 , 0x00, 0x00, 0x00,0x00 , 0x00, 0x00, 0x00,0x00 } };
+ }
+
+ //Creates a zero elliptic curve point
+ void identity(key &Id) {
+ int i = 0;
+ Id[0] = (unsigned char)(0x01);
+ for (i = 1; i < 32; i++) {
+ Id[i] = (unsigned char)(0x00);
+ }
+ }
+
+ //Creates a zero elliptic curve point
+ key identity() {
+ key Id;
+ int i = 0;
+ Id[0] = (unsigned char)(0x01);
+ for (i = 1; i < 32; i++) {
+ Id[i] = (unsigned char)(0x00);
+ }
+ return Id;
+ }
+
+ //copies a scalar or point
+ void copy(key &AA, const key &A) {
+ int i = 0;
+ for (i = 0; i < 32; i++) {
+ AA[i] = A.bytes[i];
+ }
+ }
+
+ //copies a scalar or point
+ key copy(const key &A) {
+ int i = 0;
+ key AA;
+ for (i = 0; i < 32; i++) {
+ AA[i] = A.bytes[i];
+ }
+ return AA;
+ }
+
+
+ //initializes a key matrix;
+ //first parameter is rows,
+ //second is columns
+ keyM keyMInit(int rows, int cols) {
+ keyM rv(cols);
+ int i = 0;
+ for (i = 0 ; i < cols ; i++) {
+ rv[i] = keyV(rows);
+ }
+ return rv;
+ }
+
+
+
+
+ //Various key generation functions
+
+ //generates a random scalar which can be used as a secret key or mask
+ void skGen(key &sk) {
+ unsigned char tmp[64];
+ generate_random_bytes(64, tmp);
+ memcpy(sk.bytes, tmp, 32);
+ sc_reduce32(sk.bytes);
+ }
+
+ //generates a random scalar which can be used as a secret key or mask
+ key skGen() {
+ unsigned char tmp[64];
+ generate_random_bytes(64, tmp);
+ key sk;
+ memcpy(sk.bytes, tmp, 32);
+ sc_reduce32(sk.bytes);
+ return sk;
+ }
+
+ //Generates a vector of secret key
+ //Mainly used in testing
+ keyV skvGen(int rows ) {
+ keyV rv(rows);
+ int i = 0;
+ for (i = 0 ; i < rows ; i++) {
+ skGen(rv[i]);
+ }
+ return rv;
+ }
+
+ //generates a random curve point (for testing)
+ key pkGen() {
+ key sk = skGen();
+ key pk = scalarmultBase(sk);
+ return pk;
+ }
+
+ //generates a random secret and corresponding public key
+ void skpkGen(key &sk, key &pk) {
+ skGen(sk);
+ scalarmultBase(pk, sk);
+ }
+
+ //generates a random secret and corresponding public key
+ tuple<key, key> skpkGen() {
+ key sk = skGen();
+ key pk = scalarmultBase(sk);
+ return make_tuple(sk, pk);
+ }
+
+ //generates a <secret , public> / Pedersen commitment to the amount
+ tuple<ctkey, ctkey> ctskpkGen(xmr_amount amount) {
+ ctkey sk, pk;
+ skpkGen(sk.dest, pk.dest);
+ skpkGen(sk.mask, pk.mask);
+ key am = d2h(amount);
+ key aH = scalarmultH(am);
+ addKeys(pk.mask, pk.mask, aH);
+ return make_tuple(sk, pk);
+ }
+
+
+ //generates a <secret , public> / Pedersen commitment but takes bH as input
+ tuple<ctkey, ctkey> ctskpkGen(key bH) {
+ ctkey sk, pk;
+ skpkGen(sk.dest, pk.dest);
+ skpkGen(sk.mask, pk.mask);
+ //key am = d2h(amount);
+ //key aH = scalarmultH(am);
+ addKeys(pk.mask, pk.mask, bH);
+ return make_tuple(sk, pk);
+ }
+
+ //generates a random uint long long
+ xmr_amount randXmrAmount(xmr_amount upperlimit) {
+ return h2d(skGen()) % (upperlimit);
+ }
+
+ //Scalar multiplications of curve points
+
+ //does a * G where a is a scalar and G is the curve basepoint
+ void scalarmultBase(key &aG,const key &a) {
+ ge_p3 point;
+ sc_reduce32copy(aG.bytes, a.bytes); //do this beforehand!
+ ge_scalarmult_base(&point, aG.bytes);
+ ge_p3_tobytes(aG.bytes, &point);
+ }
+
+ //does a * G where a is a scalar and G is the curve basepoint
+ key scalarmultBase(const key & a) {
+ ge_p3 point;
+ key aG;
+ sc_reduce32copy(aG.bytes, a.bytes); //do this beforehand
+ ge_scalarmult_base(&point, aG.bytes);
+ ge_p3_tobytes(aG.bytes, &point);
+ return aG;
+ }
+
+ //does a * P where a is a scalar and P is an arbitrary point
+ void scalarmultKey(key & aP, const key &P, const key &a) {
+ ge_p3 A;
+ ge_p2 R;
+ ge_frombytes_vartime(&A, P.bytes);
+ ge_scalarmult(&R, a.bytes, &A);
+ ge_tobytes(aP.bytes, &R);
+ }
+
+ //does a * P where a is a scalar and P is an arbitrary point
+ key scalarmultKey(const key & P, const key & a) {
+ ge_p3 A;
+ ge_p2 R;
+ ge_frombytes_vartime(&A, P.bytes);
+ ge_scalarmult(&R, a.bytes, &A);
+ key aP;
+ ge_tobytes(aP.bytes, &R);
+ return aP;
+ }
+
+
+ //Computes aH where H= toPoint(cn_fast_hash(G)), G the basepoint
+ key scalarmultH(const key & a) {
+ ge_p3 A;
+ ge_p2 R;
+ key Htmp = { {0x8b, 0x65, 0x59, 0x70, 0x15, 0x37, 0x99, 0xaf, 0x2a, 0xea, 0xdc, 0x9f, 0xf1, 0xad, 0xd0, 0xea, 0x6c, 0x72, 0x51, 0xd5, 0x41, 0x54, 0xcf, 0xa9, 0x2c, 0x17, 0x3a, 0x0d, 0xd3, 0x9c, 0x1f, 0x94} };
+ ge_frombytes_vartime(&A, Htmp.bytes);
+ ge_scalarmult(&R, a.bytes, &A);
+ key aP;
+ ge_tobytes(aP.bytes, &R);
+ return aP;
+ }
+
+ //Curve addition / subtractions
+
+ //for curve points: AB = A + B
+ void addKeys(key &AB, const key &A, const key &B) {
+ ge_p3 B2, A2;
+ ge_frombytes_vartime(&B2, B.bytes);
+ ge_frombytes_vartime(&A2, A.bytes);
+ ge_cached tmp2;
+ ge_p3_to_cached(&tmp2, &B2);
+ ge_p1p1 tmp3;
+ ge_add(&tmp3, &A2, &tmp2);
+ ge_p1p1_to_p3(&A2, &tmp3);
+ ge_p3_tobytes(AB.bytes, &A2);
+ }
+
+
+ //addKeys1
+ //aGB = aG + B where a is a scalar, G is the basepoint, and B is a point
+ void addKeys1(key &aGB, const key &a, const key & B) {
+ key aG = scalarmultBase(a);
+ addKeys(aGB, aG, B);
+ }
+
+ //addKeys2
+ //aGbB = aG + bB where a, b are scalars, G is the basepoint and B is a point
+ void addKeys2(key &aGbB, const key &a, const key &b, const key & B) {
+ ge_p2 rv;
+ ge_p3 B2;
+ ge_frombytes_vartime(&B2, B.bytes);
+ ge_double_scalarmult_base_vartime(&rv, b.bytes, &B2, a.bytes);
+ ge_tobytes(aGbB.bytes, &rv);
+ }
+
+ //Does some precomputation to make addKeys3 more efficient
+ // input B a curve point and output a ge_dsmp which has precomputation applied
+ void precomp(ge_dsmp rv, const key & B) {
+ ge_p3 B2;
+ ge_frombytes_vartime(&B2, B.bytes);
+ ge_dsm_precomp(rv, &B2);
+ }
+
+ //addKeys3
+ //aAbB = a*A + b*B where a, b are scalars, A, B are curve points
+ //B must be input after applying "precomp"
+ void addKeys3(key &aAbB, const key &a, const key &A, const key &b, const ge_dsmp B) {
+ ge_p2 rv;
+ ge_p3 A2;
+ ge_frombytes_vartime(&A2, A.bytes);
+ ge_double_scalarmult_precomp_vartime(&rv, a.bytes, &A2, b.bytes, B);
+ ge_tobytes(aAbB.bytes, &rv);
+ }
+
+
+ //subtract Keys (subtracts curve points)
+ //AB = A - B where A, B are curve points
+ void subKeys(key & AB, const key &A, const key &B) {
+ ge_p3 B2, A2;
+ ge_frombytes_vartime(&B2, B.bytes);
+ ge_frombytes_vartime(&A2, A.bytes);
+ ge_cached tmp2;
+ ge_p3_to_cached(&tmp2, &B2);
+ ge_p1p1 tmp3;
+ ge_sub(&tmp3, &A2, &tmp2);
+ ge_p1p1_to_p3(&A2, &tmp3);
+ ge_p3_tobytes(AB.bytes, &A2);
+ }
+
+ //checks if A, B are equal as curve points
+ //without doing curve operations
+ bool equalKeys(const key & a, const key & b) {
+ key eqk;
+ sc_sub(eqk.bytes, cn_fast_hash(a).bytes, cn_fast_hash(b).bytes);
+ if (sc_isnonzero(eqk.bytes) ) {
+ //DP("eq bytes");
+ //DP(eqk);
+ return false;
+ }
+ return true;
+ }
+
+ //Hashing - cn_fast_hash
+ //be careful these are also in crypto namespace
+ //cn_fast_hash for arbitrary multiples of 32 bytes
+ void cn_fast_hash(key &hash, const void * data, const std::size_t l) {
+ uint8_t md2[32];
+ int j = 0;
+ keccak((uint8_t *)data, l, md2, 32);
+ for (j = 0; j < 32; j++) {
+ hash[j] = (unsigned char)md2[j];
+ }
+ }
+
+ void hash_to_scalar(key &hash, const void * data, const std::size_t l) {
+ cn_fast_hash(hash, data, l);
+ sc_reduce32(hash.bytes);
+ }
+
+ //cn_fast_hash for a 32 byte key
+ void cn_fast_hash(key & hash, const key & in) {
+ uint8_t md2[32];
+ int j = 0;
+ keccak((uint8_t *)in.bytes, 32, md2, 32);
+ for (j = 0; j < 32; j++) {
+ hash[j] = (unsigned char)md2[j];
+ }
+ }
+
+ void hash_to_scalar(key & hash, const key & in) {
+ cn_fast_hash(hash, in);
+ sc_reduce32(hash.bytes);
+ }
+
+ //cn_fast_hash for a 32 byte key
+ key cn_fast_hash(const key & in) {
+ uint8_t md2[32];
+ int j = 0;
+ key hash;
+ keccak((uint8_t *)in.bytes, 32, md2, 32);
+ for (j = 0; j < 32; j++) {
+ hash[j] = (unsigned char)md2[j];
+ }
+ return hash;
+ }
+
+ key hash_to_scalar(const key & in) {
+ key hash = cn_fast_hash(in);
+ sc_reduce32(hash.bytes);
+ return hash;
+ }
+
+ //cn_fast_hash for a 128 byte unsigned char
+ key cn_fast_hash128(const void * in) {
+ uint8_t md2[32];
+ int j = 0;
+ key hash;
+ keccak((uint8_t *)in, 128, md2, 32);
+ for (j = 0; j < 32; j++) {
+ hash[j] = (unsigned char)md2[j];
+ }
+ return hash;
+ }
+
+ key hash_to_scalar128(const void * in) {
+ key hash = cn_fast_hash128(in);
+ sc_reduce32(hash.bytes);
+ return hash;
+ }
+
+ //cn_fast_hash for multisig purpose
+ //This takes the outputs and commitments
+ //and hashes them into a 32 byte sized key
+ key cn_fast_hash(ctkeyV PC) {
+ key rv = identity();
+ std::size_t l = (std::size_t)PC.size();
+ size_t i = 0, j = 0;
+ vector<char> m(l * 64);
+ for (i = 0 ; i < l ; i++) {
+ for (j = 0 ; j < 32 ; j++) {
+ m[i * 64 + j] = PC[i].dest[j];
+ m[i * 64 + 32 + j] = PC[i].mask[j];
+ }
+ }
+ cn_fast_hash(rv, &m[0], l);
+ return rv;
+ }
+
+ key hash_to_scalar(ctkeyV PC) {
+ key rv = cn_fast_hash(PC);
+ sc_reduce32(rv.bytes);
+ return rv;
+ }
+
+ key hashToPointSimple(const key & hh) {
+ key pointk;
+ ge_p3 res;
+ key h = cn_fast_hash(hh);
+ ge_frombytes_vartime(&res, h.bytes);
+ ge_p3_tobytes(pointk.bytes, &res);
+ return pointk;
+ }
+
+ key hashToPoint(const key & hh) {
+ key pointk;
+ ge_p2 point;
+ ge_p1p1 point2;
+ ge_p3 res;
+ key h = cn_fast_hash(hh);
+ ge_fromfe_frombytes_vartime(&point, h.bytes);
+ ge_mul8(&point2, &point);
+ ge_p1p1_to_p3(&res, &point2);
+ ge_p3_tobytes(pointk.bytes, &res);
+ return pointk;
+ }
+
+void fe_mul(fe h,const fe f,const fe g)
+{
+ int32_t f0 = f[0];
+ int32_t f1 = f[1];
+ int32_t f2 = f[2];
+ int32_t f3 = f[3];
+ int32_t f4 = f[4];
+ int32_t f5 = f[5];
+ int32_t f6 = f[6];
+ int32_t f7 = f[7];
+ int32_t f8 = f[8];
+ int32_t f9 = f[9];
+ int32_t g0 = g[0];
+ int32_t g1 = g[1];
+ int32_t g2 = g[2];
+ int32_t g3 = g[3];
+ int32_t g4 = g[4];
+ int32_t g5 = g[5];
+ int32_t g6 = g[6];
+ int32_t g7 = g[7];
+ int32_t g8 = g[8];
+ int32_t g9 = g[9];
+ int32_t g1_19 = 19 * g1; /* 1.959375*2^29 */
+ int32_t g2_19 = 19 * g2; /* 1.959375*2^30; still ok */
+ int32_t g3_19 = 19 * g3;
+ int32_t g4_19 = 19 * g4;
+ int32_t g5_19 = 19 * g5;
+ int32_t g6_19 = 19 * g6;
+ int32_t g7_19 = 19 * g7;
+ int32_t g8_19 = 19 * g8;
+ int32_t g9_19 = 19 * g9;
+ int32_t f1_2 = 2 * f1;
+ int32_t f3_2 = 2 * f3;
+ int32_t f5_2 = 2 * f5;
+ int32_t f7_2 = 2 * f7;
+ int32_t f9_2 = 2 * f9;
+ int64_t f0g0 = f0 * (int64_t) g0;
+ int64_t f0g1 = f0 * (int64_t) g1;
+ int64_t f0g2 = f0 * (int64_t) g2;
+ int64_t f0g3 = f0 * (int64_t) g3;
+ int64_t f0g4 = f0 * (int64_t) g4;
+ int64_t f0g5 = f0 * (int64_t) g5;
+ int64_t f0g6 = f0 * (int64_t) g6;
+ int64_t f0g7 = f0 * (int64_t) g7;
+ int64_t f0g8 = f0 * (int64_t) g8;
+ int64_t f0g9 = f0 * (int64_t) g9;
+ int64_t f1g0 = f1 * (int64_t) g0;
+ int64_t f1g1_2 = f1_2 * (int64_t) g1;
+ int64_t f1g2 = f1 * (int64_t) g2;
+ int64_t f1g3_2 = f1_2 * (int64_t) g3;
+ int64_t f1g4 = f1 * (int64_t) g4;
+ int64_t f1g5_2 = f1_2 * (int64_t) g5;
+ int64_t f1g6 = f1 * (int64_t) g6;
+ int64_t f1g7_2 = f1_2 * (int64_t) g7;
+ int64_t f1g8 = f1 * (int64_t) g8;
+ int64_t f1g9_38 = f1_2 * (int64_t) g9_19;
+ int64_t f2g0 = f2 * (int64_t) g0;
+ int64_t f2g1 = f2 * (int64_t) g1;
+ int64_t f2g2 = f2 * (int64_t) g2;
+ int64_t f2g3 = f2 * (int64_t) g3;
+ int64_t f2g4 = f2 * (int64_t) g4;
+ int64_t f2g5 = f2 * (int64_t) g5;
+ int64_t f2g6 = f2 * (int64_t) g6;
+ int64_t f2g7 = f2 * (int64_t) g7;
+ int64_t f2g8_19 = f2 * (int64_t) g8_19;
+ int64_t f2g9_19 = f2 * (int64_t) g9_19;
+ int64_t f3g0 = f3 * (int64_t) g0;
+ int64_t f3g1_2 = f3_2 * (int64_t) g1;
+ int64_t f3g2 = f3 * (int64_t) g2;
+ int64_t f3g3_2 = f3_2 * (int64_t) g3;
+ int64_t f3g4 = f3 * (int64_t) g4;
+ int64_t f3g5_2 = f3_2 * (int64_t) g5;
+ int64_t f3g6 = f3 * (int64_t) g6;
+ int64_t f3g7_38 = f3_2 * (int64_t) g7_19;
+ int64_t f3g8_19 = f3 * (int64_t) g8_19;
+ int64_t f3g9_38 = f3_2 * (int64_t) g9_19;
+ int64_t f4g0 = f4 * (int64_t) g0;
+ int64_t f4g1 = f4 * (int64_t) g1;
+ int64_t f4g2 = f4 * (int64_t) g2;
+ int64_t f4g3 = f4 * (int64_t) g3;
+ int64_t f4g4 = f4 * (int64_t) g4;
+ int64_t f4g5 = f4 * (int64_t) g5;
+ int64_t f4g6_19 = f4 * (int64_t) g6_19;
+ int64_t f4g7_19 = f4 * (int64_t) g7_19;
+ int64_t f4g8_19 = f4 * (int64_t) g8_19;
+ int64_t f4g9_19 = f4 * (int64_t) g9_19;
+ int64_t f5g0 = f5 * (int64_t) g0;
+ int64_t f5g1_2 = f5_2 * (int64_t) g1;
+ int64_t f5g2 = f5 * (int64_t) g2;
+ int64_t f5g3_2 = f5_2 * (int64_t) g3;
+ int64_t f5g4 = f5 * (int64_t) g4;
+ int64_t f5g5_38 = f5_2 * (int64_t) g5_19;
+ int64_t f5g6_19 = f5 * (int64_t) g6_19;
+ int64_t f5g7_38 = f5_2 * (int64_t) g7_19;
+ int64_t f5g8_19 = f5 * (int64_t) g8_19;
+ int64_t f5g9_38 = f5_2 * (int64_t) g9_19;
+ int64_t f6g0 = f6 * (int64_t) g0;
+ int64_t f6g1 = f6 * (int64_t) g1;
+ int64_t f6g2 = f6 * (int64_t) g2;
+ int64_t f6g3 = f6 * (int64_t) g3;
+ int64_t f6g4_19 = f6 * (int64_t) g4_19;
+ int64_t f6g5_19 = f6 * (int64_t) g5_19;
+ int64_t f6g6_19 = f6 * (int64_t) g6_19;
+ int64_t f6g7_19 = f6 * (int64_t) g7_19;
+ int64_t f6g8_19 = f6 * (int64_t) g8_19;
+ int64_t f6g9_19 = f6 * (int64_t) g9_19;
+ int64_t f7g0 = f7 * (int64_t) g0;
+ int64_t f7g1_2 = f7_2 * (int64_t) g1;
+ int64_t f7g2 = f7 * (int64_t) g2;
+ int64_t f7g3_38 = f7_2 * (int64_t) g3_19;
+ int64_t f7g4_19 = f7 * (int64_t) g4_19;
+ int64_t f7g5_38 = f7_2 * (int64_t) g5_19;
+ int64_t f7g6_19 = f7 * (int64_t) g6_19;
+ int64_t f7g7_38 = f7_2 * (int64_t) g7_19;
+ int64_t f7g8_19 = f7 * (int64_t) g8_19;
+ int64_t f7g9_38 = f7_2 * (int64_t) g9_19;
+ int64_t f8g0 = f8 * (int64_t) g0;
+ int64_t f8g1 = f8 * (int64_t) g1;
+ int64_t f8g2_19 = f8 * (int64_t) g2_19;
+ int64_t f8g3_19 = f8 * (int64_t) g3_19;
+ int64_t f8g4_19 = f8 * (int64_t) g4_19;
+ int64_t f8g5_19 = f8 * (int64_t) g5_19;
+ int64_t f8g6_19 = f8 * (int64_t) g6_19;
+ int64_t f8g7_19 = f8 * (int64_t) g7_19;
+ int64_t f8g8_19 = f8 * (int64_t) g8_19;
+ int64_t f8g9_19 = f8 * (int64_t) g9_19;
+ int64_t f9g0 = f9 * (int64_t) g0;
+ int64_t f9g1_38 = f9_2 * (int64_t) g1_19;
+ int64_t f9g2_19 = f9 * (int64_t) g2_19;
+ int64_t f9g3_38 = f9_2 * (int64_t) g3_19;
+ int64_t f9g4_19 = f9 * (int64_t) g4_19;
+ int64_t f9g5_38 = f9_2 * (int64_t) g5_19;
+ int64_t f9g6_19 = f9 * (int64_t) g6_19;
+ int64_t f9g7_38 = f9_2 * (int64_t) g7_19;
+ int64_t f9g8_19 = f9 * (int64_t) g8_19;
+ int64_t f9g9_38 = f9_2 * (int64_t) g9_19;
+ int64_t h0 = f0g0+f1g9_38+f2g8_19+f3g7_38+f4g6_19+f5g5_38+f6g4_19+f7g3_38+f8g2_19+f9g1_38;
+ int64_t h1 = f0g1+f1g0 +f2g9_19+f3g8_19+f4g7_19+f5g6_19+f6g5_19+f7g4_19+f8g3_19+f9g2_19;
+ int64_t h2 = f0g2+f1g1_2 +f2g0 +f3g9_38+f4g8_19+f5g7_38+f6g6_19+f7g5_38+f8g4_19+f9g3_38;
+ int64_t h3 = f0g3+f1g2 +f2g1 +f3g0 +f4g9_19+f5g8_19+f6g7_19+f7g6_19+f8g5_19+f9g4_19;
+ int64_t h4 = f0g4+f1g3_2 +f2g2 +f3g1_2 +f4g0 +f5g9_38+f6g8_19+f7g7_38+f8g6_19+f9g5_38;
+ int64_t h5 = f0g5+f1g4 +f2g3 +f3g2 +f4g1 +f5g0 +f6g9_19+f7g8_19+f8g7_19+f9g6_19;
+ int64_t h6 = f0g6+f1g5_2 +f2g4 +f3g3_2 +f4g2 +f5g1_2 +f6g0 +f7g9_38+f8g8_19+f9g7_38;
+ int64_t h7 = f0g7+f1g6 +f2g5 +f3g4 +f4g3 +f5g2 +f6g1 +f7g0 +f8g9_19+f9g8_19;
+ int64_t h8 = f0g8+f1g7_2 +f2g6 +f3g5_2 +f4g4 +f5g3_2 +f6g2 +f7g1_2 +f8g0 +f9g9_38;
+ int64_t h9 = f0g9+f1g8 +f2g7 +f3g6 +f4g5 +f5g4 +f6g3 +f7g2 +f8g1 +f9g0 ;
+ int64_t carry0;
+ int64_t carry1;
+ int64_t carry2;
+ int64_t carry3;
+ int64_t carry4;
+ int64_t carry5;
+ int64_t carry6;
+ int64_t carry7;
+ int64_t carry8;
+ int64_t carry9;
+
+ /*
+ |h0| <= (1.65*1.65*2^52*(1+19+19+19+19)+1.65*1.65*2^50*(38+38+38+38+38))
+ i.e. |h0| <= 1.4*2^60; narrower ranges for h2, h4, h6, h8
+ |h1| <= (1.65*1.65*2^51*(1+1+19+19+19+19+19+19+19+19))
+ i.e. |h1| <= 1.7*2^59; narrower ranges for h3, h5, h7, h9
+ */
+
+ carry0 = (h0 + (int64_t) (1<<25)) >> 26;
+ h1 += carry0;
+ h0 -= carry0 << 26;
+ carry4 = (h4 + (int64_t) (1<<25)) >> 26;
+ h5 += carry4;
+ h4 -= carry4 << 26;
+ /* |h0| <= 2^25 */
+ /* |h4| <= 2^25 */
+ /* |h1| <= 1.71*2^59 */
+ /* |h5| <= 1.71*2^59 */
+
+ carry1 = (h1 + (int64_t) (1<<24)) >> 25;
+ h2 += carry1;
+ h1 -= carry1 << 25;
+ carry5 = (h5 + (int64_t) (1<<24)) >> 25;
+ h6 += carry5;
+ h5 -= carry5 << 25;
+ /* |h1| <= 2^24; from now on fits into int32 */
+ /* |h5| <= 2^24; from now on fits into int32 */
+ /* |h2| <= 1.41*2^60 */
+ /* |h6| <= 1.41*2^60 */
+
+ carry2 = (h2 + (int64_t) (1<<25)) >> 26;
+ h3 += carry2;
+ h2 -= carry2 << 26;
+ carry6 = (h6 + (int64_t) (1<<25)) >> 26;
+ h7 += carry6;
+ h6 -= carry6 << 26;
+ /* |h2| <= 2^25; from now on fits into int32 unchanged */
+ /* |h6| <= 2^25; from now on fits into int32 unchanged */
+ /* |h3| <= 1.71*2^59 */
+ /* |h7| <= 1.71*2^59 */
+
+ carry3 = (h3 + (int64_t) (1<<24)) >> 25;
+ h4 += carry3;
+ h3 -= carry3 << 25;
+ carry7 = (h7 + (int64_t) (1<<24)) >> 25;
+ h8 += carry7;
+ h7 -= carry7 << 25;
+ /* |h3| <= 2^24; from now on fits into int32 unchanged */
+ /* |h7| <= 2^24; from now on fits into int32 unchanged */
+ /* |h4| <= 1.72*2^34 */
+ /* |h8| <= 1.41*2^60 */
+
+ carry4 = (h4 + (int64_t) (1<<25)) >> 26;
+ h5 += carry4;
+ h4 -= carry4 << 26;
+ carry8 = (h8 + (int64_t) (1<<25)) >> 26;
+ h9 += carry8;
+ h8 -= carry8 << 26;
+ /* |h4| <= 2^25; from now on fits into int32 unchanged */
+ /* |h8| <= 2^25; from now on fits into int32 unchanged */
+ /* |h5| <= 1.01*2^24 */
+ /* |h9| <= 1.71*2^59 */
+
+ carry9 = (h9 + (int64_t) (1<<24)) >> 25;
+ h0 += carry9 * 19;
+ h9 -= carry9 << 25;
+ /* |h9| <= 2^24; from now on fits into int32 unchanged */
+ /* |h0| <= 1.1*2^39 */
+
+ carry0 = (h0 + (int64_t) (1<<25)) >> 26;
+ h1 += carry0;
+ h0 -= carry0 << 26;
+ /* |h0| <= 2^25; from now on fits into int32 unchanged */
+ /* |h1| <= 1.01*2^24 */
+
+ h[0] = h0;
+ h[1] = h1;
+ h[2] = h2;
+ h[3] = h3;
+ h[4] = h4;
+ h[5] = h5;
+ h[6] = h6;
+ h[7] = h7;
+ h[8] = h8;
+ h[9] = h9;
+}
+
+
+
+void ge_tobytes2(unsigned char *s,const ge_p2 *h)
+{
+ fe recip;
+ fe x;
+ fe y;
+ fe_invert(recip,h->Z);
+ fe_mul(x,h->X,recip);
+ fe_mul(y,h->Y,recip);
+
+
+ fe_tobytes(s,y);
+}
+
+
+ key hashToPoint2(const key & hh) {
+ key pointk;
+ ge_p2 point;
+ key h = cn_fast_hash(hh);
+ ge_fromfe_frombytes_vartime(&point, h.bytes);
+ ge_tobytes2(pointk.bytes, &point);
+ return pointk;
+ }
+
+
+ void hashToPoint(key & pointk, const key & hh) {
+ ge_p2 point;
+ ge_p1p1 point2;
+ ge_p3 res;
+ key h = cn_fast_hash(hh);
+ ge_fromfe_frombytes_vartime(&point, h.bytes);
+ ge_mul8(&point2, &point);
+ ge_p1p1_to_p3(&res, &point2);
+ ge_p3_tobytes(pointk.bytes, &res);
+ }
+
+ //sums a vector of curve points (for scalars use sc_add)
+ void sumKeys(key & Csum, const keyV & Cis) {
+ identity(Csum);
+ size_t i = 0;
+ for (i = 0; i < Cis.size(); i++) {
+ addKeys(Csum, Csum, Cis[i]);
+ }
+ }
+
+ //Elliptic Curve Diffie Helman: encodes and decodes the amount b and mask a
+ // where C= aG + bH
+ void ecdhEncode(ecdhTuple & unmasked, const key & receiverPk) {
+ key esk;
+ //compute shared secret
+ skpkGen(esk, unmasked.senderPk);
+ key sharedSec1 = hash_to_scalar(scalarmultKey(receiverPk, esk));
+ key sharedSec2 = hash_to_scalar(sharedSec1);
+ //encode
+ sc_add(unmasked.mask.bytes, unmasked.mask.bytes, sharedSec1.bytes);
+ sc_add(unmasked.amount.bytes, unmasked.amount.bytes, sharedSec2.bytes);
+ }
+ void ecdhDecode(ecdhTuple & masked, const key & receiverSk) {
+ //compute shared secret
+ key sharedSec1 = hash_to_scalar(scalarmultKey(masked.senderPk, receiverSk));
+ key sharedSec2 = hash_to_scalar(sharedSec1);
+ //encode
+ sc_sub(masked.mask.bytes, masked.mask.bytes, sharedSec1.bytes);
+ sc_sub(masked.amount.bytes, masked.amount.bytes, sharedSec2.bytes);
+ }
+}
diff --git a/src/ringct/rctOps.h b/src/ringct/rctOps.h
new file mode 100644
index 000000000..e232dba29
--- /dev/null
+++ b/src/ringct/rctOps.h
@@ -0,0 +1,163 @@
+//#define DBG
+// Copyright (c) 2016, Monero Research Labs
+//
+// Author: Shen Noether <shen.noether@gmx.com>
+//
+// All rights reserved.
+//
+// Redistribution and use in source and binary forms, with or without modification, are
+// permitted provided that the following conditions are met:
+//
+// 1. Redistributions of source code must retain the above copyright notice, this list of
+// conditions and the following disclaimer.
+//
+// 2. Redistributions in binary form must reproduce the above copyright notice, this list
+// of conditions and the following disclaimer in the documentation and/or other
+// materials provided with the distribution.
+//
+// 3. Neither the name of the copyright holder nor the names of its contributors may be
+// used to endorse or promote products derived from this software without specific
+// prior written permission.
+//
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY
+// EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+// MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL
+// THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+// PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+// INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+// STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF
+// THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+#pragma once
+
+#ifndef RCTOPS_H
+#define RCTOPS_H
+
+#include <cstddef>
+#include <mutex>
+#include <vector>
+#include <tuple>
+
+#include "crypto/generic-ops.h"
+
+extern "C" {
+#include "crypto/random.h"
+#include "crypto/keccak.h"
+#include "rctCryptoOps.h"
+}
+#include "crypto/crypto.h"
+
+#include "rctTypes.h"
+
+//Define this flag when debugging to get additional info on the console
+#ifdef DBG
+#define DP(x) dp(x)
+#else
+#define DP(x)
+#endif
+
+using namespace std;
+using namespace crypto;
+
+namespace rct {
+
+ //Various key initialization functions
+
+ //Creates a zero scalar
+ key zero();
+ void zero(key &z);
+ //Creates a zero elliptic curve point
+ key identity();
+ void identity(key &Id);
+ //copies a scalar or point
+ void copy(key &AA, const key &A);
+ key copy(const key & AA);
+ //initializes a key matrix;
+ //first parameter is rows,
+ //second is columns
+ keyM keyMInit(int, int);
+
+ //Various key generation functions
+
+ //generates a random scalar which can be used as a secret key or mask
+ key skGen();
+ void skGen(key &);
+
+ //generates a vector of secret keys of size "int"
+ keyV skvGen(int );
+
+ //generates a random curve point (for testing)
+ key pkGen();
+ //generates a random secret and corresponding public key
+ void skpkGen(key &sk, key &pk);
+ tuple<key, key> skpkGen();
+ //generates a <secret , public> / Pedersen commitment to the amount
+ tuple<ctkey, ctkey> ctskpkGen(xmr_amount amount);
+ //this one is mainly for testing, can take arbitrary amounts..
+ tuple<ctkey, ctkey> ctskpkGen(key bH);
+ //generates a random uint long long
+ xmr_amount randXmrAmount(xmr_amount upperlimit);
+
+ //Scalar multiplications of curve points
+
+ //does a * G where a is a scalar and G is the curve basepoint
+ void scalarmultBase(key & aG, const key &a);
+ key scalarmultBase(const key & a);
+ //does a * P where a is a scalar and P is an arbitrary point
+ void scalarmultKey(key &aP, const key &P, const key &a);
+ key scalarmultKey(const key &P, const key &a);
+ //Computes aH where H= toPoint(cn_fast_hash(G)), G the basepoint
+ key scalarmultH(const key & a);
+
+ //Curve addition / subtractions
+
+ //for curve points: AB = A + B
+ void addKeys(key &AB, const key &A, const key &B);
+ //aGB = aG + B where a is a scalar, G is the basepoint, and B is a point
+ void addKeys1(key &aGB, const key &a, const key & B);
+ //aGbB = aG + bB where a, b are scalars, G is the basepoint and B is a point
+ void addKeys2(key &aGbB, const key &a, const key &b, const key &B);
+ //Does some precomputation to make addKeys3 more efficient
+ // input B a curve point and output a ge_dsmp which has precomputation applied
+ void precomp(ge_dsmp rv, const key &B);
+ //aAbB = a*A + b*B where a, b are scalars, A, B are curve points
+ //B must be input after applying "precomp"
+ void addKeys3(key &aAbB, const key &a, const key &A, const key &b, const ge_dsmp B);
+ //AB = A - B where A, B are curve points
+ void subKeys(key &AB, const key &A, const key &B);
+ //checks if A, B are equal as curve points
+ bool equalKeys(const key & A, const key & B);
+
+ //Hashing - cn_fast_hash
+ //be careful these are also in crypto namespace
+ //cn_fast_hash for arbitrary l multiples of 32 bytes
+ void cn_fast_hash(key &hash, const void * data, const size_t l);
+ void hash_to_scalar(key &hash, const void * data, const size_t l);
+ //cn_fast_hash for a 32 byte key
+ void cn_fast_hash(key &hash, const key &in);
+ void hash_to_scalar(key &hash, const key &in);
+ //cn_fast_hash for a 32 byte key
+ key cn_fast_hash(const key &in);
+ key hash_to_scalar(const key &in);
+ //for mg sigs
+ key cn_fast_hash128(const void * in);
+ key hash_to_scalar128(const void * in);
+ key cn_fast_hash(ctkeyV PC);
+ key hash_to_scalar(ctkeyV PC);
+
+ //returns hashToPoint as described in https://github.com/ShenNoether/ge_fromfe_writeup
+ key hashToPointSimple(const key &in);
+ key hashToPoint(const key &in);
+ key hashToPoint2(const key &in);
+ void hashToPoint(key &out, const key &in);
+
+ //sums a vector of curve points (for scalars use sc_add)
+ void sumKeys(key & Csum, const key &Cis);
+
+ //Elliptic Curve Diffie Helman: encodes and decodes the amount b and mask a
+ // where C= aG + bH
+ void ecdhEncode(ecdhTuple & unmasked, const key & receiverPk);
+ void ecdhDecode(ecdhTuple & masked, const key & receiverSk);
+}
+#endif /* RCTOPS_H */
diff --git a/src/ringct/rctSigs.cpp b/src/ringct/rctSigs.cpp
new file mode 100644
index 000000000..d26678165
--- /dev/null
+++ b/src/ringct/rctSigs.cpp
@@ -0,0 +1,533 @@
+// Copyright (c) 2016, Monero Research Labs
+//
+// Author: Shen Noether <shen.noether@gmx.com>
+//
+// All rights reserved.
+//
+// Redistribution and use in source and binary forms, with or without modification, are
+// permitted provided that the following conditions are met:
+//
+// 1. Redistributions of source code must retain the above copyright notice, this list of
+// conditions and the following disclaimer.
+//
+// 2. Redistributions in binary form must reproduce the above copyright notice, this list
+// of conditions and the following disclaimer in the documentation and/or other
+// materials provided with the distribution.
+//
+// 3. Neither the name of the copyright holder nor the names of its contributors may be
+// used to endorse or promote products derived from this software without specific
+// prior written permission.
+//
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY
+// EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+// MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL
+// THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+// PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+// INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+// STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF
+// THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+#include "rctSigs.h"
+using namespace crypto;
+using namespace std;
+
+namespace rct {
+
+ //Schnorr Non-linkable
+ //Gen Gives a signature (L1, s1, s2) proving that the sender knows "x" such that xG = one of P1 or P2
+ //Ver Verifies that signer knows an "x" such that xG = one of P1 or P2
+ //These are called in the below ASNL sig generation
+
+ void GenSchnorrNonLinkable(key & L1, key & s1, key & s2, const key & x, const key & P1, const key & P2, int index) {
+ key c1, c2, L2;
+ key a = skGen();
+ if (index == 0) {
+ scalarmultBase(L1, a);
+ hash_to_scalar(c2, L1);
+ skGen(s2);
+ addKeys2(L2, s2, c2, P2);
+ hash_to_scalar(c1, L2);
+ sc_mulsub(s1.bytes, x.bytes, c1.bytes, a.bytes);
+ }
+ if (index == 1) {
+ scalarmultBase(L2, a);
+ skGen(s1);
+ hash_to_scalar(c1, L2);
+ addKeys2(L1, s1, c1, P1);
+ hash_to_scalar(c2, L1);
+ sc_mulsub(s2.bytes, x.bytes, c2.bytes, a.bytes);
+ }
+ }
+
+ //Schnorr Non-linkable
+ //Gen Gives a signature (L1, s1, s2) proving that the sender knows "x" such that xG = one of P1 or P2
+ //Ver Verifies that signer knows an "x" such that xG = one of P1 or P2
+ //These are called in the below ASNL sig generation
+ bool VerSchnorrNonLinkable(const key & P1, const key & P2, const key & L1, const key & s1, const key & s2) {
+ key c2, L2, c1, L1p;
+ hash_to_scalar(c2, L1);
+ addKeys2(L2, s2, c2, P2);
+ hash_to_scalar(c1, L2);
+ addKeys2(L1p, s1, c1, P1);
+
+ return equalKeys(L1, L1p);
+ }
+
+ //Aggregate Schnorr Non-linkable Ring Signature (ASNL)
+ // c.f. http://eprint.iacr.org/2015/1098 section 5.
+ // These are used in range proofs (alternatively Borromean could be used)
+ // Gen gives a signature which proves the signer knows, for each i,
+ // an x[i] such that x[i]G = one of P1[i] or P2[i]
+ // Ver Verifies the signer knows a key for one of P1[i], P2[i] at each i
+ asnlSig GenASNL(key64 x, key64 P1, key64 P2, bits indices) {
+ DP("Generating Aggregate Schnorr Non-linkable Ring Signature\n");
+ key64 s1;
+ int j = 0;
+ asnlSig rv;
+ rv.s = zero();
+ for (j = 0; j < ATOMS; j++) {
+ //void GenSchnorrNonLinkable(Bytes L1, Bytes s1, Bytes s2, const Bytes x, const Bytes P1,const Bytes P2, int index) {
+ GenSchnorrNonLinkable(rv.L1[j], s1[j], rv.s2[j], x[j], P1[j], P2[j], (int)indices[j]);
+ sc_add(rv.s.bytes, rv.s.bytes, s1[j].bytes);
+ }
+ return rv;
+ }
+
+ //Aggregate Schnorr Non-linkable Ring Signature (ASNL)
+ // c.f. http://eprint.iacr.org/2015/1098 section 5.
+ // These are used in range proofs (alternatively Borromean could be used)
+ // Gen gives a signature which proves the signer knows, for each i,
+ // an x[i] such that x[i]G = one of P1[i] or P2[i]
+ // Ver Verifies the signer knows a key for one of P1[i], P2[i] at each i
+ bool VerASNL(key64 P1, key64 P2, asnlSig &as) {
+ DP("Verifying Aggregate Schnorr Non-linkable Ring Signature\n");
+ key LHS = identity();
+ key RHS = scalarmultBase(as.s);
+ key c2, L2, c1;
+ int j = 0;
+ for (j = 0; j < ATOMS; j++) {
+ hash_to_scalar(c2, as.L1[j]);
+ addKeys2(L2, as.s2[j], c2, P2[j]);
+ addKeys(LHS, LHS, as.L1[j]);
+ hash_to_scalar(c1, L2);
+ addKeys(RHS, RHS, scalarmultKey(P1[j], c1));
+ }
+ key cc;
+ sc_sub(cc.bytes, LHS.bytes, RHS.bytes);
+ DP(cc);
+ return sc_isnonzero(cc.bytes) == 0;
+ }
+
+ //Multilayered Spontaneous Anonymous Group Signatures (MLSAG signatures)
+ //These are aka MG signatutes in earlier drafts of the ring ct paper
+ // c.f. http://eprint.iacr.org/2015/1098 section 2.
+ // keyImageV just does I[i] = xx[i] * Hash(xx[i] * G) for each i
+ // Gen creates a signature which proves that for some column in the keymatrix "pk"
+ // the signer knows a secret key for each row in that column
+ // Ver verifies that the MG sig was created correctly
+ keyV keyImageV(const keyV &xx) {
+ keyV II(xx.size());
+ size_t i = 0;
+ for (i = 0; i < xx.size(); i++) {
+ II[i] = scalarmultKey(hashToPoint(scalarmultBase(xx[i])), xx[i]);
+ }
+ return II;
+ }
+
+
+ //Multilayered Spontaneous Anonymous Group Signatures (MLSAG signatures)
+ //This is a just slghtly more efficient version than the ones described below
+ //(will be explained in more detail in Ring Multisig paper
+ //These are aka MG signatutes in earlier drafts of the ring ct paper
+ // c.f. http://eprint.iacr.org/2015/1098 section 2.
+ // keyImageV just does I[i] = xx[i] * Hash(xx[i] * G) for each i
+ // Gen creates a signature which proves that for some column in the keymatrix "pk"
+ // the signer knows a secret key for each row in that column
+ // Ver verifies that the MG sig was created correctly
+ mgSig MLSAG_Gen(key message, const keyM & pk, const keyV & xx, const int index) {
+ mgSig rv;
+ int rows = pk[0].size();
+ int cols = pk.size();
+ if (cols < 2) {
+ printf("Error! What is c if cols = 1!");
+ }
+ int i = 0, j = 0;
+ key c, c_old, L, R, Hi;
+ sc_0(c_old.bytes);
+ vector<geDsmp> Ip(rows);
+ rv.II = keyV(rows);
+ rv.ss = keyM(cols, rv.II);
+ keyV alpha(rows);
+ keyV aG(rows);
+ keyV aHP(rows);
+ key m2hash;
+ unsigned char m2[128];
+ memcpy(m2, message.bytes, 32);
+ DP("here1");
+ for (i = 0; i < rows; i++) {
+ skpkGen(alpha[i], aG[i]); //need to save alphas for later..
+ Hi = hashToPoint(pk[index][i]);
+ aHP[i] = scalarmultKey(Hi, alpha[i]);
+ memcpy(m2+32, pk[index][i].bytes, 32);
+ memcpy(m2 + 64, aG[i].bytes, 32);
+ memcpy(m2 + 96, aHP[i].bytes, 32);
+ rv.II[i] = scalarmultKey(Hi, xx[i]);
+ precomp(Ip[i].k, rv.II[i]);
+ m2hash = hash_to_scalar128(m2);
+ sc_add(c_old.bytes, c_old.bytes, m2hash.bytes);
+ }
+
+ i = (index + 1) % cols;
+ if (i == 0) {
+ copy(rv.cc, c_old);
+ }
+ while (i != index) {
+
+ rv.ss[i] = skvGen(rows);
+ sc_0(c.bytes);
+ for (j = 0; j < rows; j++) {
+ addKeys2(L, rv.ss[i][j], c_old, pk[i][j]);
+ hashToPoint(Hi, pk[i][j]);
+ addKeys3(R, rv.ss[i][j], Hi, c_old, Ip[j].k);
+ memcpy(m2+32, pk[i][j].bytes, 32);
+ memcpy(m2 + 64, L.bytes, 32);
+ memcpy(m2 + 96, R.bytes, 32);
+ m2hash = hash_to_scalar128(m2);
+ sc_add(c.bytes, c.bytes, m2hash.bytes);
+ }
+ copy(c_old, c);
+ i = (i + 1) % cols;
+
+ if (i == 0) {
+ copy(rv.cc, c_old);
+ }
+ }
+ for (j = 0; j < rows; j++) {
+ sc_mulsub(rv.ss[index][j].bytes, c.bytes, xx[j].bytes, alpha[j].bytes);
+ }
+ return rv;
+ }
+
+ //Multilayered Spontaneous Anonymous Group Signatures (MLSAG signatures)
+ //This is a just slghtly more efficient version than the ones described below
+ //(will be explained in more detail in Ring Multisig paper
+ //These are aka MG signatutes in earlier drafts of the ring ct paper
+ // c.f. http://eprint.iacr.org/2015/1098 section 2.
+ // keyImageV just does I[i] = xx[i] * Hash(xx[i] * G) for each i
+ // Gen creates a signature which proves that for some column in the keymatrix "pk"
+ // the signer knows a secret key for each row in that column
+ // Ver verifies that the MG sig was created correctly
+ bool MLSAG_Ver(key message, keyM & pk, mgSig & rv) {
+
+ int rows = pk[0].size();
+ int cols = pk.size();
+ if (cols < 2) {
+ printf("Error! What is c if cols = 1!");
+ }
+ int i = 0, j = 0;
+ key c, L, R, Hi;
+ key c_old = copy(rv.cc);
+ vector<geDsmp> Ip(rows);
+ for (i= 0 ; i< rows ; i++) {
+ precomp(Ip[i].k, rv.II[i]);
+ }
+ unsigned char m2[128];
+ memcpy(m2, message.bytes, 32);
+
+ key m2hash;
+ i = 0;
+ while (i < cols) {
+ sc_0(c.bytes);
+ for (j = 0; j < rows; j++) {
+ addKeys2(L, rv.ss[i][j], c_old, pk[i][j]);
+ hashToPoint(Hi, pk[i][j]);
+ addKeys3(R, rv.ss[i][j], Hi, c_old, Ip[j].k);
+ memcpy(m2 + 32, pk[i][j].bytes, 32);
+ memcpy(m2 + 64, L.bytes, 32);
+ memcpy(m2 + 96, R.bytes, 32);
+ m2hash = hash_to_scalar128(m2);
+ sc_add(c.bytes, c.bytes, m2hash.bytes);
+ }
+ copy(c_old, c);
+ i = (i + 1);
+ }
+ DP("c0");
+ DP(rv.cc);
+ DP("c_old");
+ DP(c_old);
+ sc_sub(c.bytes, c_old.bytes, rv.cc.bytes);
+ return sc_isnonzero(c.bytes) == 0;
+ }
+
+
+
+ //proveRange and verRange
+ //proveRange gives C, and mask such that \sumCi = C
+ // c.f. http://eprint.iacr.org/2015/1098 section 5.1
+ // and Ci is a commitment to either 0 or 2^i, i=0,...,63
+ // thus this proves that "amount" is in [0, 2^64]
+ // mask is a such that C = aG + bH, and b = amount
+ //verRange verifies that \sum Ci = C and that each Ci is a commitment to 0 or 2^i
+ rangeSig proveRange(key & C, key & mask, const xmr_amount & amount) {
+ sc_0(mask.bytes);
+ identity(C);
+ bits b;
+ d2b(b, amount);
+ rangeSig sig;
+ key64 ai;
+ key64 CiH;
+ int i = 0;
+ for (i = 0; i < ATOMS; i++) {
+ sc_0(ai[i].bytes);
+ if (b[i] == 0) {
+ scalarmultBase(sig.Ci[i], ai[i]);
+ }
+ if (b[i] == 1) {
+ addKeys1(sig.Ci[i], ai[i], H2[i]);
+ }
+ subKeys(CiH[i], sig.Ci[i], H2[i]);
+ sc_add(mask.bytes, mask.bytes, ai[i].bytes);
+ addKeys(C, C, sig.Ci[i]);
+ }
+ sig.asig = GenASNL(ai, sig.Ci, CiH, b);
+ return sig;
+ }
+
+ //proveRange and verRange
+ //proveRange gives C, and mask such that \sumCi = C
+ // c.f. http://eprint.iacr.org/2015/1098 section 5.1
+ // and Ci is a commitment to either 0 or 2^i, i=0,...,63
+ // thus this proves that "amount" is in [0, 2^64]
+ // mask is a such that C = aG + bH, and b = amount
+ //verRange verifies that \sum Ci = C and that each Ci is a commitment to 0 or 2^i
+ bool verRange(key & C, rangeSig & as) {
+ key64 CiH;
+ int i = 0;
+ key Ctmp = identity();
+ for (i = 0; i < 64; i++) {
+ subKeys(CiH[i], as.Ci[i], H2[i]);
+ addKeys(Ctmp, Ctmp, as.Ci[i]);
+ }
+ bool reb = equalKeys(C, Ctmp);
+ DP("is sum Ci = C:");
+ DP(reb);
+ bool rab = VerASNL(as.Ci, CiH, as.asig);
+ DP("Is in range?");
+ DP(rab);
+ return (reb && rab);
+ }
+
+ //Ring-ct MG sigs
+ //Prove:
+ // c.f. http://eprint.iacr.org/2015/1098 section 4. definition 10.
+ // This does the MG sig on the "dest" part of the given key matrix, and
+ // the last row is the sum of input commitments from that column - sum output commitments
+ // this shows that sum inputs = sum outputs
+ //Ver:
+ // verifies the above sig is created corretly
+ mgSig proveRctMG(const ctkeyM & pubs, const ctkeyV & inSk, const ctkeyV &outSk, const ctkeyV & outPk, int index) {
+ mgSig mg;
+ //setup vars
+ int rows = pubs[0].size();
+ int cols = pubs.size();
+ keyV sk(rows + 1);
+ keyV tmp(rows + 1);
+ int i = 0, j = 0;
+ for (i = 0; i < rows + 1; i++) {
+ sc_0(sk[i].bytes);
+ identity(tmp[i]);
+ }
+ keyM M(cols, tmp);
+ //create the matrix to mg sig
+ for (i = 0; i < cols; i++) {
+ M[i][rows] = identity();
+ for (j = 0; j < rows; j++) {
+ M[i][j] = pubs[i][j].dest;
+ addKeys(M[i][rows], M[i][rows], pubs[i][j].mask);
+ }
+ }
+ sc_0(sk[rows].bytes);
+ for (j = 0; j < rows; j++) {
+ sk[j] = copy(inSk[j].dest);
+ sc_add(sk[rows].bytes, sk[rows].bytes, inSk[j].mask.bytes);
+ }
+ for (i = 0; i < cols; i++) {
+ for (size_t j = 0; j < outPk.size(); j++) {
+ subKeys(M[i][rows], M[i][rows], outPk[j].mask);
+ }
+ }
+ for (size_t j = 0; j < outPk.size(); j++) {
+ sc_sub(sk[rows].bytes, sk[rows].bytes, outSk[j].mask.bytes);
+ }
+ key message = cn_fast_hash(outPk);
+ return MLSAG_Gen(message, M, sk, index);
+ }
+
+
+ //Ring-ct MG sigs
+ //Prove:
+ // c.f. http://eprint.iacr.org/2015/1098 section 4. definition 10.
+ // This does the MG sig on the "dest" part of the given key matrix, and
+ // the last row is the sum of input commitments from that column - sum output commitments
+ // this shows that sum inputs = sum outputs
+ //Ver:
+ // verifies the above sig is created corretly
+ bool verRctMG(mgSig mg, ctkeyM & pubs, ctkeyV & outPk) {
+ //setup vars
+ int rows = pubs[0].size();
+ int cols = pubs.size();
+ keyV tmp(rows + 1);
+ int i = 0, j = 0;
+ for (i = 0; i < rows + 1; i++) {
+ identity(tmp[i]);
+ }
+ keyM M(cols, tmp);
+
+ //create the matrix to mg sig
+ for (j = 0; j < rows; j++) {
+ for (i = 0; i < cols; i++) {
+ M[i][j] = pubs[i][j].dest;
+ addKeys(M[i][rows], M[i][rows], pubs[i][j].mask);
+ }
+ }
+ for (size_t j = 0; j < outPk.size(); j++) {
+ for (i = 0; i < cols; i++) {
+ subKeys(M[i][rows], M[i][rows], outPk[j].mask);
+ }
+
+ }
+ key message = cn_fast_hash(outPk);
+ DP("message:");
+ DP(message);
+ return MLSAG_Ver(message, M, mg);
+
+ }
+
+ //These functions get keys from blockchain
+ //replace these when connecting blockchain
+ //getKeyFromBlockchain grabs a key from the blockchain at "reference_index" to mix with
+ //populateFromBlockchain creates a keymatrix with "mixin" columns and one of the columns is inPk
+ // the return value are the key matrix, and the index where inPk was put (random).
+ void getKeyFromBlockchain(ctkey & a, size_t reference_index) {
+ a.mask = pkGen();
+ a.dest = pkGen();
+ }
+
+ //These functions get keys from blockchain
+ //replace these when connecting blockchain
+ //getKeyFromBlockchain grabs a key from the blockchain at "reference_index" to mix with
+ //populateFromBlockchain creates a keymatrix with "mixin" columns and one of the columns is inPk
+ // the return value are the key matrix, and the index where inPk was put (random).
+ tuple<ctkeyM, xmr_amount> populateFromBlockchain(ctkeyV inPk, int mixin) {
+ int rows = inPk.size();
+ ctkeyM rv(mixin, inPk);
+ int index = randXmrAmount(mixin);
+ int i = 0, j = 0;
+ for (i = 0; i < mixin; i++) {
+ if (i != index) {
+ for (j = 0; j < rows; j++) {
+ getKeyFromBlockchain(rv[i][j], (size_t)randXmrAmount);
+ }
+ }
+ }
+ return make_tuple(rv, index);
+ }
+
+ //RingCT protocol
+ //genRct:
+ // creates an rctSig with all data necessary to verify the rangeProofs and that the signer owns one of the
+ // columns that are claimed as inputs, and that the sum of inputs = sum of outputs.
+ // Also contains masked "amount" and "mask" so the receiver can see how much they received
+ //verRct:
+ // verifies that all signatures (rangeProogs, MG sig, sum inputs = outputs) are correct
+ //decodeRct: (c.f. http://eprint.iacr.org/2015/1098 section 5.1.1)
+ // uses the attached ecdh info to find the amounts represented by each output commitment
+ // must know the destination private key to find the correct amount, else will return a random number
+ rctSig genRct(ctkeyV & inSk, ctkeyV & inPk, const keyV & destinations, const vector<xmr_amount> amounts, const int mixin) {
+ rctSig rv;
+ rv.outPk.resize(destinations.size());
+ rv.rangeSigs.resize(destinations.size());
+ rv.ecdhInfo.resize(destinations.size());
+
+ size_t i = 0;
+ keyV masks(destinations.size()); //sk mask..
+ ctkeyV outSk(destinations.size());
+ for (i = 0; i < destinations.size(); i++) {
+ //add destination to sig
+ rv.outPk[i].dest = copy(destinations[i]);
+ //compute range proof
+ rv.rangeSigs[i] = proveRange(rv.outPk[i].mask, outSk[i].mask, amounts[i]);
+ #ifdef DBG
+ verRange(rv.outPk[i].mask, rv.rangeSigs[i]);
+ #endif
+
+ //mask amount and mask
+ rv.ecdhInfo[i].mask = copy(outSk[i].mask);
+ rv.ecdhInfo[i].amount = d2h(amounts[i]);
+ ecdhEncode(rv.ecdhInfo[i], destinations[i]);
+
+ }
+
+ int index;
+ tie(rv.mixRing, index) = populateFromBlockchain(inPk, mixin);
+ rv.MG = proveRctMG(rv.mixRing, inSk, outSk, rv.outPk, index);
+ return rv;
+ }
+
+ //RingCT protocol
+ //genRct:
+ // creates an rctSig with all data necessary to verify the rangeProofs and that the signer owns one of the
+ // columns that are claimed as inputs, and that the sum of inputs = sum of outputs.
+ // Also contains masked "amount" and "mask" so the receiver can see how much they received
+ //verRct:
+ // verifies that all signatures (rangeProogs, MG sig, sum inputs = outputs) are correct
+ //decodeRct: (c.f. http://eprint.iacr.org/2015/1098 section 5.1.1)
+ // uses the attached ecdh info to find the amounts represented by each output commitment
+ // must know the destination private key to find the correct amount, else will return a random number
+ bool verRct(rctSig & rv) {
+ size_t i = 0;
+ bool rvb = true;
+ bool tmp;
+ DP("range proofs verified?");
+ for (i = 0; i < rv.outPk.size(); i++) {
+ tmp = verRange(rv.outPk[i].mask, rv.rangeSigs[i]);
+ DP(tmp);
+ rvb = (rvb && tmp);
+ }
+ bool mgVerd = verRctMG(rv.MG, rv.mixRing, rv.outPk);
+ DP("mg sig verified?");
+ DP(mgVerd);
+
+ return (rvb && mgVerd);
+ }
+
+ //RingCT protocol
+ //genRct:
+ // creates an rctSig with all data necessary to verify the rangeProofs and that the signer owns one of the
+ // columns that are claimed as inputs, and that the sum of inputs = sum of outputs.
+ // Also contains masked "amount" and "mask" so the receiver can see how much they received
+ //verRct:
+ // verifies that all signatures (rangeProogs, MG sig, sum inputs = outputs) are correct
+ //decodeRct: (c.f. http://eprint.iacr.org/2015/1098 section 5.1.1)
+ // uses the attached ecdh info to find the amounts represented by each output commitment
+ // must know the destination private key to find the correct amount, else will return a random number
+ xmr_amount decodeRct(rctSig & rv, key & sk, int i) {
+ //mask amount and mask
+ ecdhDecode(rv.ecdhInfo[i], sk);
+ key mask = rv.ecdhInfo[i].mask;
+ key amount = rv.ecdhInfo[i].amount;
+ key C = rv.outPk[i].mask;
+ DP("C");
+ DP(C);
+ key Ctmp;
+ addKeys2(Ctmp, mask, amount, H);
+ DP("Ctmp");
+ DP(Ctmp);
+ if (equalKeys(C, Ctmp) == false) {
+ printf("warning, amount decoded incorrectly, will be unable to spend");
+ }
+ return h2d(amount);
+ }
+
+}
diff --git a/src/ringct/rctSigs.h b/src/ringct/rctSigs.h
new file mode 100644
index 000000000..e25e98852
--- /dev/null
+++ b/src/ringct/rctSigs.h
@@ -0,0 +1,144 @@
+// Copyright (c) 2016, Monero Research Labs
+//
+// Author: Shen Noether <shen.noether@gmx.com>
+//
+// All rights reserved.
+//
+// Redistribution and use in source and binary forms, with or without modification, are
+// permitted provided that the following conditions are met:
+//
+// 1. Redistributions of source code must retain the above copyright notice, this list of
+// conditions and the following disclaimer.
+//
+// 2. Redistributions in binary form must reproduce the above copyright notice, this list
+// of conditions and the following disclaimer in the documentation and/or other
+// materials provided with the distribution.
+//
+// 3. Neither the name of the copyright holder nor the names of its contributors may be
+// used to endorse or promote products derived from this software without specific
+// prior written permission.
+//
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY
+// EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+// MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL
+// THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+// PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+// INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+// STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF
+// THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+#pragma once
+
+//#define DBG
+
+#ifndef RCTSIGS_H
+#define RCTSIGS_H
+
+#include <cstddef>
+#include <mutex>
+#include <vector>
+#include <tuple>
+
+#include "crypto/generic-ops.h"
+
+extern "C" {
+#include "crypto/random.h"
+#include "crypto/keccak.h"
+}
+#include "crypto/crypto.h"
+
+
+#include "rctTypes.h"
+#include "rctOps.h"
+
+//Define this flag when debugging to get additional info on the console
+#ifdef DBG
+#define DP(x) dp(x)
+#else
+#define DP(x)
+#endif
+
+
+
+using namespace std;
+using namespace crypto;
+
+namespace rct {
+
+ //Schnorr Non-linkable
+ //Gen Gives a signature (L1, s1, s2) proving that the sender knows "x" such that xG = one of P1 or P2
+ //Ver Verifies that signer knows an "x" such that xG = one of P1 or P2
+ //These are called in the below ASNL sig generation
+ void GenSchnorrNonLinkable(key & L1, key & s1, key & s2, const key & x, const key & P1, const key & P2, int index);
+ bool VerSchnorrNonLinkable(const key & P1, const key & P2, const key & L1, const key & s1, const key & s2);
+
+ //Aggregate Schnorr Non-linkable Ring Signature (ASNL)
+ // c.f. http://eprint.iacr.org/2015/1098 section 5.
+ // These are used in range proofs (alternatively Borromean could be used)
+ // Gen gives a signature which proves the signer knows, for each i,
+ // an x[i] such that x[i]G = one of P1[i] or P2[i]
+ // Ver Verifies the signer knows a key for one of P1[i], P2[i] at each i
+ asnlSig GenASNL(key64 x, key64 P1, key64 P2, bits indices);
+ bool VerASNL(key64 P1, key64 P2, asnlSig &as);
+
+ //Multilayered Spontaneous Anonymous Group Signatures (MLSAG signatures)
+ //These are aka MG signatutes in earlier drafts of the ring ct paper
+ // c.f. http://eprint.iacr.org/2015/1098 section 2.
+ // keyImageV just does I[i] = xx[i] * HashToPoint(xx[i] * G) for each i
+ // Gen creates a signature which proves that for some column in the keymatrix "pk"
+ // the signer knows a secret key for each row in that column
+ // Ver verifies that the MG sig was created correctly
+ keyV keyImageV(const keyV &xx);
+ mgSig MLSAG_Gen(key message, const keyM & pk, const keyV & xx, const int index);
+ bool MLSAG_Ver(key message, keyM &pk, mgSig &sig);
+ //mgSig MLSAG_Gen_Old(const keyM & pk, const keyV & xx, const int index);
+
+ //proveRange and verRange
+ //proveRange gives C, and mask such that \sumCi = C
+ // c.f. http://eprint.iacr.org/2015/1098 section 5.1
+ // and Ci is a commitment to either 0 or 2^i, i=0,...,63
+ // thus this proves that "amount" is in [0, 2^64]
+ // mask is a such that C = aG + bH, and b = amount
+ //verRange verifies that \sum Ci = C and that each Ci is a commitment to 0 or 2^i
+ rangeSig proveRange(key & C, key & mask, const xmr_amount & amount);
+ bool verRange(key & C, rangeSig & as);
+
+ //Ring-ct MG sigs
+ //Prove:
+ // c.f. http://eprint.iacr.org/2015/1098 section 4. definition 10.
+ // This does the MG sig on the "dest" part of the given key matrix, and
+ // the last row is the sum of input commitments from that column - sum output commitments
+ // this shows that sum inputs = sum outputs
+ //Ver:
+ // verifies the above sig is created corretly
+ mgSig proveRctMG(const ctkeyM & pubs, const ctkeyV & inSk, const keyV &outMasks, const ctkeyV & outPk, int index);
+ bool verRctMG(mgSig mg, ctkeyM & pubs, ctkeyV & outPk);
+
+ //These functions get keys from blockchain
+ //replace these when connecting blockchain
+ //getKeyFromBlockchain grabs a key from the blockchain at "reference_index" to mix with
+ //populateFromBlockchain creates a keymatrix with "mixin" columns and one of the columns is inPk
+ // the return value are the key matrix, and the index where inPk was put (random).
+ void getKeyFromBlockchain(ctkey & a, size_t reference_index);
+ tuple<ctkeyM, xmr_amount> populateFromBlockchain(ctkeyV inPk, int mixin);
+
+ //RingCT protocol
+ //genRct:
+ // creates an rctSig with all data necessary to verify the rangeProofs and that the signer owns one of the
+ // columns that are claimed as inputs, and that the sum of inputs = sum of outputs.
+ // Also contains masked "amount" and "mask" so the receiver can see how much they received
+ //verRct:
+ // verifies that all signatures (rangeProogs, MG sig, sum inputs = outputs) are correct
+ //decodeRct: (c.f. http://eprint.iacr.org/2015/1098 section 5.1.1)
+ // uses the attached ecdh info to find the amounts represented by each output commitment
+ // must know the destination private key to find the correct amount, else will return a random number
+ rctSig genRct(ctkeyV & inSk, ctkeyV & inPk, const keyV & destinations, const vector<xmr_amount> amounts, const int mixin);
+ bool verRct(rctSig & rv);
+ xmr_amount decodeRct(rctSig & rv, key & sk, int i);
+
+
+
+}
+#endif /* RCTSIGS_H */
+
diff --git a/src/ringct/rctTypes.cpp b/src/ringct/rctTypes.cpp
new file mode 100644
index 000000000..b7979b0e7
--- /dev/null
+++ b/src/ringct/rctTypes.cpp
@@ -0,0 +1,209 @@
+// Copyright (c) 2016, Monero Research Labs
+//
+// Author: Shen Noether <shen.noether@gmx.com>
+//
+// All rights reserved.
+//
+// Redistribution and use in source and binary forms, with or without modification, are
+// permitted provided that the following conditions are met:
+//
+// 1. Redistributions of source code must retain the above copyright notice, this list of
+// conditions and the following disclaimer.
+//
+// 2. Redistributions in binary form must reproduce the above copyright notice, this list
+// of conditions and the following disclaimer in the documentation and/or other
+// materials provided with the distribution.
+//
+// 3. Neither the name of the copyright holder nor the names of its contributors may be
+// used to endorse or promote products derived from this software without specific
+// prior written permission.
+//
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY
+// EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+// MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL
+// THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+// PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+// INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+// STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF
+// THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+#include "rctTypes.h"
+using namespace crypto;
+using namespace std;
+
+namespace rct {
+
+ //dp
+ //Debug printing for the above types
+ //Actually use DP(value) and #define DBG
+
+ void dp(key a) {
+ int j = 0;
+ printf("\"");
+ for (j = 0; j < 32; j++) {
+ printf("%02x", (unsigned char)a.bytes[j]);
+ }
+ printf("\"");
+ printf("\n");
+ }
+
+ void dp(bool a) {
+ printf(" ... %s ... ", a ? "true" : "false");
+ printf("\n");
+ }
+
+ void dp(const char * a, int l) {
+ int j = 0;
+ printf("\"");
+ for (j = 0; j < l; j++) {
+ printf("%02x", (unsigned char)a[j]);
+ }
+ printf("\"");
+ printf("\n");
+ }
+ void dp(keyV a) {
+ size_t j = 0;
+ printf("[");
+ for (j = 0; j < a.size(); j++) {
+ dp(a[j]);
+ if (j < a.size() - 1) {
+ printf(",");
+ }
+ }
+ printf("]");
+ printf("\n");
+ }
+ void dp(keyM a) {
+ size_t j = 0;
+ printf("[");
+ for (j = 0; j < a.size(); j++) {
+ dp(a[j]);
+ if (j < a.size() - 1) {
+ printf(",");
+ }
+ }
+ printf("]");
+ printf("\n");
+ }
+ void dp(xmr_amount vali) {
+ printf("x: ");
+ std::cout << vali;
+ printf("\n\n");
+ }
+
+ void dp(int vali) {
+ printf("x: %d\n", vali);
+ printf("\n");
+ }
+ void dp(bits amountb) {
+ for (int i = 0; i < 64; i++) {
+ printf("%d", amountb[i]);
+ }
+ printf("\n");
+
+ }
+
+ void dp(const char * st) {
+ printf("%s\n", st);
+ }
+
+ //Various Conversions
+
+ //uint long long to 32 byte key
+ void d2h(key & amounth, const xmr_amount in) {
+ sc_0(amounth.bytes);
+ xmr_amount val = in;
+ int i = 0;
+ while (val != 0) {
+ amounth[i] = (unsigned char)(val & 0xFF);
+ i++;
+ val /= (xmr_amount)256;
+ }
+ }
+
+ //uint long long to 32 byte key
+ key d2h(const xmr_amount in) {
+ key amounth;
+ sc_0(amounth.bytes);
+ xmr_amount val = in;
+ int i = 0;
+ while (val != 0) {
+ amounth[i] = (unsigned char)(val & 0xFF);
+ i++;
+ val /= (xmr_amount)256;
+ }
+ return amounth;
+ }
+
+ //uint long long to int[64]
+ void d2b(bits amountb, xmr_amount val) {
+ int i = 0;
+ while (val != 0) {
+ amountb[i] = val & 1;
+ i++;
+ val >>= 1;
+ }
+ while (i < 64) {
+ amountb[i] = 0;
+ i++;
+ }
+ }
+
+ //32 byte key to uint long long
+ // if the key holds a value > 2^64
+ // then the value in the first 8 bytes is returned
+ xmr_amount h2d(const key & test) {
+ xmr_amount vali = 0;
+ int j = 0;
+ for (j = 7; j >= 0; j--) {
+ vali = (xmr_amount)(vali * 256 + (unsigned char)test.bytes[j]);
+ }
+ return vali;
+ }
+
+ //32 byte key to int[64]
+ void h2b(bits amountb2, const key & test) {
+ int val = 0, i = 0, j = 0;
+ for (j = 0; j < 8; j++) {
+ val = (unsigned char)test.bytes[j];
+ i = 8 * j;
+ while (val != 0) {
+ amountb2[i] = val & 1;
+ i++;
+ val >>= 1;
+ }
+ while (i < 8 * (j + 1)) {
+ amountb2[i] = 0;
+ }
+ }
+ }
+
+ //int[64] to 32 byte key
+ void b2h(key & amountdh, const bits amountb2) {
+ int byte, i, j;
+ for (j = 0; j < 8; j++) {
+ byte = 0;
+ //val = (unsigned char) test[j];
+ i = 8 * j;
+ for (i = 7; i > -1; i--) {
+ byte = byte * 2 + amountb2[8 * j + i];
+ }
+ amountdh[j] = (unsigned char)byte;
+ }
+ for (j = 8; j < 32; j++) {
+ amountdh[j] = (unsigned char)(0x00);
+ }
+ }
+
+ //int[64] to uint long long
+ xmr_amount b2d(bits amountb) {
+ xmr_amount vali = 0;
+ int j = 0;
+ for (j = 63; j >= 0; j--) {
+ vali = (xmr_amount)(vali * 2 + amountb[j]);
+ }
+ return vali;
+ }
+
+}
diff --git a/src/ringct/rctTypes.h b/src/ringct/rctTypes.h
new file mode 100644
index 000000000..f3e8cb98a
--- /dev/null
+++ b/src/ringct/rctTypes.h
@@ -0,0 +1,267 @@
+// Copyright (c) 2016, Monero Research Labs
+//
+// Author: Shen Noether <shen.noether@gmx.com>
+//
+// All rights reserved.
+//
+// Redistribution and use in source and binary forms, with or without modification, are
+// permitted provided that the following conditions are met:
+//
+// 1. Redistributions of source code must retain the above copyright notice, this list of
+// conditions and the following disclaimer.
+//
+// 2. Redistributions in binary form must reproduce the above copyright notice, this list
+// of conditions and the following disclaimer in the documentation and/or other
+// materials provided with the distribution.
+//
+// 3. Neither the name of the copyright holder nor the names of its contributors may be
+// used to endorse or promote products derived from this software without specific
+// prior written permission.
+//
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY
+// EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+// MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL
+// THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+// PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+// INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+// STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF
+// THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+#pragma once
+#ifndef RCT_TYPES_H
+#define RCT_TYPES_H
+
+#include <cstddef>
+#include <mutex>
+#include <vector>
+#include <tuple>
+#include <iostream>
+#include <cinttypes>
+
+extern "C" {
+#include "crypto/generic-ops.h"
+#include "crypto/crypto-ops.h"
+#include "crypto/random.h"
+#include "crypto/keccak.h"
+}
+#include "crypto/crypto.h"
+
+//Define this flag when debugging to get additional info on the console
+#ifdef DBG
+#define DP(x) dp(x)
+#else
+#define DP(x)
+#endif
+
+//atomic units of moneros
+#define ATOMS 64
+
+//for printing large ints
+
+using namespace std;
+using namespace crypto;
+
+//Namespace specifically for ring ct code
+namespace rct {
+ //basic ops containers
+ typedef unsigned char * Bytes;
+
+ // Can contain a secret or public key
+ // similar to secret_key / public_key of crypto-ops,
+ // but uses unsigned chars,
+ // also includes an operator for accessing the i'th byte.
+ struct key {
+ unsigned char & operator[](int i) {
+ return bytes[i];
+ }
+ unsigned char bytes[32];
+ };
+ typedef vector<key> keyV; //vector of keys
+ typedef vector<keyV> keyM; //matrix of keys (indexed by column first)
+
+ //containers For CT operations
+ //if it's representing a private ctkey then "dest" contains the secret key of the address
+ // while "mask" contains a where C = aG + bH is CT pedersen commitment and b is the amount
+ // (store b, the amount, separately
+ //if it's representing a public ctkey, then "dest" = P the address, mask = C the commitment
+ struct ctkey {
+ key dest;
+ key mask; //C here if public
+ };
+ typedef vector<ctkey> ctkeyV;
+ typedef vector<ctkeyV> ctkeyM;
+
+ //data for passing the amount to the receiver secretly
+ // If the pedersen commitment to an amount is C = aG + bH,
+ // "mask" contains a 32 byte key a
+ // "amount" contains a hex representation (in 32 bytes) of a 64 bit number
+ // "senderPk" is not the senders actual public key, but a one-time public key generated for
+ // the purpose of the ECDH exchange
+ struct ecdhTuple {
+ key mask;
+ key amount;
+ key senderPk;
+ };
+
+ //containers for representing amounts
+ typedef uint64_t xmr_amount;
+ typedef unsigned int bits[ATOMS];
+ typedef key key64[64];
+
+ //just contains the necessary keys to represent asnlSigs
+ //c.f. http://eprint.iacr.org/2015/1098
+ struct asnlSig {
+ key64 L1;
+ key64 s2;
+ key s;
+ };
+
+ //Container for precomp
+ struct geDsmp {
+ ge_dsmp k;
+ };
+
+ //just contains the necessary keys to represent MLSAG sigs
+ //c.f. http://eprint.iacr.org/2015/1098
+ struct mgSig {
+ keyM ss;
+ key cc;
+ keyV II;
+ };
+ //contains the data for an asnl sig
+ // also contains the "Ci" values such that
+ // \sum Ci = C
+ // and the signature proves that each Ci is either
+ // a Pedersen commitment to 0 or to 2^i
+ //thus proving that C is in the range of [0, 2^64]
+ struct rangeSig {
+ asnlSig asig;
+ key64 Ci;
+ };
+ //A container to hold all signatures necessary for RingCT
+ // rangeSigs holds all the rangeproof data of a transaction
+ // MG holds the MLSAG signature of a transaction
+ // mixRing holds all the public keypairs (P, C) for a transaction
+ // ecdhInfo holds an encoded mask / amount to be passed to each receiver
+ // outPk contains public keypairs which are destinations (P, C),
+ // P = address, C = commitment to amount
+ struct rctSig {
+ vector<rangeSig> rangeSigs;
+ mgSig MG;
+ ctkeyM mixRing; //the set of all pubkeys / copy
+ //pairs that you mix with
+ vector<ecdhTuple> ecdhInfo;
+ ctkeyV outPk;
+ };
+
+ struct rmsSig {
+ vector<rangeSig> rangeSigs;
+ mgSig MG;
+ ctkeyM mixRing;
+ vector<ecdhTuple> destinationEcdhInfo;
+ vector<ecdhTuple> participantEcdhInfo;
+ ctkeyV outPk;
+ };
+
+ //other basepoint H = toPoint(cn_fast_hash(G)), G the basepoint
+ static const key H = { {0x8b, 0x65, 0x59, 0x70, 0x15, 0x37, 0x99, 0xaf, 0x2a, 0xea, 0xdc, 0x9f, 0xf1, 0xad, 0xd0, 0xea, 0x6c, 0x72, 0x51, 0xd5, 0x41, 0x54, 0xcf, 0xa9, 0x2c, 0x17, 0x3a, 0x0d, 0xd3, 0x9c, 0x1f, 0x94} };
+
+ //H2 contains 2^i H in each index, i.e. H, 2H, 4H, 8H, ...
+ //This is used for the range proofG
+ static const key64 H2 = { {0x8b, 0x65, 0x59, 0x70, 0x15, 0x37, 0x99, 0xaf, 0x2a, 0xea, 0xdc, 0x9f, 0xf1, 0xad, 0xd0, 0xea, 0x6c, 0x72, 0x51, 0xd5, 0x41, 0x54, 0xcf, 0xa9, 0x2c, 0x17, 0x3a, 0x0d, 0xd3, 0x9c, 0x1f, 0x94},
+ {0x8f, 0xaa, 0x44, 0x8a, 0xe4, 0xb3, 0xe2, 0xbb, 0x3d, 0x4d, 0x13, 0x09, 0x09, 0xf5, 0x5f, 0xcd, 0x79, 0x71, 0x1c, 0x1c, 0x83, 0xcd, 0xbc, 0xca, 0xdd, 0x42, 0xcb, 0xe1, 0x51, 0x5e, 0x87, 0x12},
+ {0x12, 0xa7, 0xd6, 0x2c, 0x77, 0x91, 0x65, 0x4a, 0x57, 0xf3, 0xe6, 0x76, 0x94, 0xed, 0x50, 0xb4, 0x9a, 0x7d, 0x9e, 0x3f, 0xc1, 0xe4, 0xc7, 0xa0, 0xbd, 0xe2, 0x9d, 0x18, 0x7e, 0x9c, 0xc7, 0x1d},
+ {0x78, 0x9a, 0xb9, 0x93, 0x4b, 0x49, 0xc4, 0xf9, 0xe6, 0x78, 0x5c, 0x6d, 0x57, 0xa4, 0x98, 0xb3, 0xea, 0xd4, 0x43, 0xf0, 0x4f, 0x13, 0xdf, 0x11, 0x0c, 0x54, 0x27, 0xb4, 0xf2, 0x14, 0xc7, 0x39},
+ {0x77, 0x1e, 0x92, 0x99, 0xd9, 0x4f, 0x02, 0xac, 0x72, 0xe3, 0x8e, 0x44, 0xde, 0x56, 0x8a, 0xc1, 0xdc, 0xb2, 0xed, 0xc6, 0xed, 0xb6, 0x1f, 0x83, 0xca, 0x41, 0x8e, 0x10, 0x77, 0xce, 0x3d, 0xe8},
+ {0x73, 0xb9, 0x6d, 0xb4, 0x30, 0x39, 0x81, 0x9b, 0xda, 0xf5, 0x68, 0x0e, 0x5c, 0x32, 0xd7, 0x41, 0x48, 0x88, 0x84, 0xd1, 0x8d, 0x93, 0x86, 0x6d, 0x40, 0x74, 0xa8, 0x49, 0x18, 0x2a, 0x8a, 0x64},
+ {0x8d, 0x45, 0x8e, 0x1c, 0x2f, 0x68, 0xeb, 0xeb, 0xcc, 0xd2, 0xfd, 0x5d, 0x37, 0x9f, 0x5e, 0x58, 0xf8, 0x13, 0x4d, 0xf3, 0xe0, 0xe8, 0x8c, 0xad, 0x3d, 0x46, 0x70, 0x10, 0x63, 0xa8, 0xd4, 0x12},
+ {0x09, 0x55, 0x1e, 0xdb, 0xe4, 0x94, 0x41, 0x8e, 0x81, 0x28, 0x44, 0x55, 0xd6, 0x4b, 0x35, 0xee, 0x8a, 0xc0, 0x93, 0x06, 0x8a, 0x5f, 0x16, 0x1f, 0xa6, 0x63, 0x75, 0x59, 0x17, 0x7e, 0xf4, 0x04},
+ {0xd0, 0x5a, 0x88, 0x66, 0xf4, 0xdf, 0x8c, 0xee, 0x1e, 0x26, 0x8b, 0x1d, 0x23, 0xa4, 0xc5, 0x8c, 0x92, 0xe7, 0x60, 0x30, 0x97, 0x86, 0xcd, 0xac, 0x0f, 0xed, 0xa1, 0xd2, 0x47, 0xa9, 0xc9, 0xa7},
+ {0x55, 0xcd, 0xaa, 0xd5, 0x18, 0xbd, 0x87, 0x1d, 0xd1, 0xeb, 0x7b, 0xc7, 0x02, 0x3e, 0x1d, 0xc0, 0xfd, 0xf3, 0x33, 0x98, 0x64, 0xf8, 0x8f, 0xdd, 0x2d, 0xe2, 0x69, 0xfe, 0x9e, 0xe1, 0x83, 0x2d},
+ {0xe7, 0x69, 0x7e, 0x95, 0x1a, 0x98, 0xcf, 0xd5, 0x71, 0x2b, 0x84, 0xbb, 0xe5, 0xf3, 0x4e, 0xd7, 0x33, 0xe9, 0x47, 0x3f, 0xcb, 0x68, 0xed, 0xa6, 0x6e, 0x37, 0x88, 0xdf, 0x19, 0x58, 0xc3, 0x06},
+ {0xf9, 0x2a, 0x97, 0x0b, 0xae, 0x72, 0x78, 0x29, 0x89, 0xbf, 0xc8, 0x3a, 0xdf, 0xaa, 0x92, 0xa4, 0xf4, 0x9c, 0x7e, 0x95, 0x91, 0x8b, 0x3b, 0xba, 0x3c, 0xdc, 0x7f, 0xe8, 0x8a, 0xcc, 0x8d, 0x47},
+ {0x1f, 0x66, 0xc2, 0xd4, 0x91, 0xd7, 0x5a, 0xf9, 0x15, 0xc8, 0xdb, 0x6a, 0x6d, 0x1c, 0xb0, 0xcd, 0x4f, 0x7d, 0xdc, 0xd5, 0xe6, 0x3d, 0x3b, 0xa9, 0xb8, 0x3c, 0x86, 0x6c, 0x39, 0xef, 0x3a, 0x2b},
+ {0x3e, 0xec, 0x98, 0x84, 0xb4, 0x3f, 0x58, 0xe9, 0x3e, 0xf8, 0xde, 0xea, 0x26, 0x00, 0x04, 0xef, 0xea, 0x2a, 0x46, 0x34, 0x4f, 0xc5, 0x96, 0x5b, 0x1a, 0x7d, 0xd5, 0xd1, 0x89, 0x97, 0xef, 0xa7},
+ {0xb2, 0x9f, 0x8f, 0x0c, 0xcb, 0x96, 0x97, 0x7f, 0xe7, 0x77, 0xd4, 0x89, 0xd6, 0xbe, 0x9e, 0x7e, 0xbc, 0x19, 0xc4, 0x09, 0xb5, 0x10, 0x35, 0x68, 0xf2, 0x77, 0x61, 0x1d, 0x7e, 0xa8, 0x48, 0x94},
+ {0x56, 0xb1, 0xf5, 0x12, 0x65, 0xb9, 0x55, 0x98, 0x76, 0xd5, 0x8d, 0x24, 0x9d, 0x0c, 0x14, 0x6d, 0x69, 0xa1, 0x03, 0x63, 0x66, 0x99, 0x87, 0x4d, 0x3f, 0x90, 0x47, 0x35, 0x50, 0xfe, 0x3f, 0x2c},
+ {0x1d, 0x7a, 0x36, 0x57, 0x5e, 0x22, 0xf5, 0xd1, 0x39, 0xff, 0x9c, 0xc5, 0x10, 0xfa, 0x13, 0x85, 0x05, 0x57, 0x6b, 0x63, 0x81, 0x5a, 0x94, 0xe4, 0xb0, 0x12, 0xbf, 0xd4, 0x57, 0xca, 0xaa, 0xda},
+ {0xd0, 0xac, 0x50, 0x7a, 0x86, 0x4e, 0xcd, 0x05, 0x93, 0xfa, 0x67, 0xbe, 0x7d, 0x23, 0x13, 0x43, 0x92, 0xd0, 0x0e, 0x40, 0x07, 0xe2, 0x53, 0x48, 0x78, 0xd9, 0xb2, 0x42, 0xe1, 0x0d, 0x76, 0x20},
+ {0xf6, 0xc6, 0x84, 0x0b, 0x9c, 0xf1, 0x45, 0xbb, 0x2d, 0xcc, 0xf8, 0x6e, 0x94, 0x0b, 0xe0, 0xfc, 0x09, 0x8e, 0x32, 0xe3, 0x10, 0x99, 0xd5, 0x6f, 0x7f, 0xe0, 0x87, 0xbd, 0x5d, 0xeb, 0x50, 0x94},
+ {0x28, 0x83, 0x1a, 0x33, 0x40, 0x07, 0x0e, 0xb1, 0xdb, 0x87, 0xc1, 0x2e, 0x05, 0x98, 0x0d, 0x5f, 0x33, 0xe9, 0xef, 0x90, 0xf8, 0x3a, 0x48, 0x17, 0xc9, 0xf4, 0xa0, 0xa3, 0x32, 0x27, 0xe1, 0x97},
+ {0x87, 0x63, 0x22, 0x73, 0xd6, 0x29, 0xcc, 0xb7, 0xe1, 0xed, 0x1a, 0x76, 0x8f, 0xa2, 0xeb, 0xd5, 0x17, 0x60, 0xf3, 0x2e, 0x1c, 0x0b, 0x86, 0x7a, 0x5d, 0x36, 0x8d, 0x52, 0x71, 0x05, 0x5c, 0x6e},
+ {0x5c, 0x7b, 0x29, 0x42, 0x43, 0x47, 0x96, 0x4d, 0x04, 0x27, 0x55, 0x17, 0xc5, 0xae, 0x14, 0xb6, 0xb5, 0xea, 0x27, 0x98, 0xb5, 0x73, 0xfc, 0x94, 0xe6, 0xe4, 0x4a, 0x53, 0x21, 0x60, 0x0c, 0xfb},
+ {0xe6, 0x94, 0x50, 0x42, 0xd7, 0x8b, 0xc2, 0xc3, 0xbd, 0x6e, 0xc5, 0x8c, 0x51, 0x1a, 0x9f, 0xe8, 0x59, 0xc0, 0xad, 0x63, 0xfd, 0xe4, 0x94, 0xf5, 0x03, 0x9e, 0x0e, 0x82, 0x32, 0x61, 0x2b, 0xd5},
+ {0x36, 0xd5, 0x69, 0x07, 0xe2, 0xec, 0x74, 0x5d, 0xb6, 0xe5, 0x4f, 0x0b, 0x2e, 0x1b, 0x23, 0x00, 0xab, 0xcb, 0x42, 0x2e, 0x71, 0x2d, 0xa5, 0x88, 0xa4, 0x0d, 0x3f, 0x1e, 0xbb, 0xbe, 0x02, 0xf6},
+ {0x34, 0xdb, 0x6e, 0xe4, 0xd0, 0x60, 0x8e, 0x5f, 0x78, 0x36, 0x50, 0x49, 0x5a, 0x3b, 0x2f, 0x52, 0x73, 0xc5, 0x13, 0x4e, 0x52, 0x84, 0xe4, 0xfd, 0xf9, 0x66, 0x27, 0xbb, 0x16, 0xe3, 0x1e, 0x6b},
+ {0x8e, 0x76, 0x59, 0xfb, 0x45, 0xa3, 0x78, 0x7d, 0x67, 0x4a, 0xe8, 0x67, 0x31, 0xfa, 0xa2, 0x53, 0x8e, 0xc0, 0xfd, 0xf4, 0x42, 0xab, 0x26, 0xe9, 0xc7, 0x91, 0xfa, 0xda, 0x08, 0x94, 0x67, 0xe9},
+ {0x30, 0x06, 0xcf, 0x19, 0x8b, 0x24, 0xf3, 0x1b, 0xb4, 0xc7, 0xe6, 0x34, 0x60, 0x00, 0xab, 0xc7, 0x01, 0xe8, 0x27, 0xcf, 0xbb, 0x5d, 0xf5, 0x2d, 0xcf, 0xa4, 0x2e, 0x9c, 0xa9, 0xff, 0x08, 0x02},
+ {0xf5, 0xfd, 0x40, 0x3c, 0xb6, 0xe8, 0xbe, 0x21, 0x47, 0x2e, 0x37, 0x7f, 0xfd, 0x80, 0x5a, 0x8c, 0x60, 0x83, 0xea, 0x48, 0x03, 0xb8, 0x48, 0x53, 0x89, 0xcc, 0x3e, 0xbc, 0x21, 0x5f, 0x00, 0x2a},
+ {0x37, 0x31, 0xb2, 0x60, 0xeb, 0x3f, 0x94, 0x82, 0xe4, 0x5f, 0x1c, 0x3f, 0x3b, 0x9d, 0xcf, 0x83, 0x4b, 0x75, 0xe6, 0xee, 0xf8, 0xc4, 0x0f, 0x46, 0x1e, 0xa2, 0x7e, 0x8b, 0x6e, 0xd9, 0x47, 0x3d},
+ {0x9f, 0x9d, 0xab, 0x09, 0xc3, 0xf5, 0xe4, 0x28, 0x55, 0xc2, 0xde, 0x97, 0x1b, 0x65, 0x93, 0x28, 0xa2, 0xdb, 0xc4, 0x54, 0x84, 0x5f, 0x39, 0x6f, 0xfc, 0x05, 0x3f, 0x0b, 0xb1, 0x92, 0xf8, 0xc3},
+ {0x5e, 0x05, 0x5d, 0x25, 0xf8, 0x5f, 0xdb, 0x98, 0xf2, 0x73, 0xe4, 0xaf, 0xe0, 0x84, 0x64, 0xc0, 0x03, 0xb7, 0x0f, 0x1e, 0xf0, 0x67, 0x7b, 0xb5, 0xe2, 0x57, 0x06, 0x40, 0x0b, 0xe6, 0x20, 0xa5},
+ {0x86, 0x8b, 0xcf, 0x36, 0x79, 0xcb, 0x6b, 0x50, 0x0b, 0x94, 0x41, 0x8c, 0x0b, 0x89, 0x25, 0xf9, 0x86, 0x55, 0x30, 0x30, 0x3a, 0xe4, 0xe4, 0xb2, 0x62, 0x59, 0x18, 0x65, 0x66, 0x6a, 0x45, 0x90},
+ {0xb3, 0xdb, 0x6b, 0xd3, 0x89, 0x7a, 0xfb, 0xd1, 0xdf, 0x3f, 0x96, 0x44, 0xab, 0x21, 0xc8, 0x05, 0x0e, 0x1f, 0x00, 0x38, 0xa5, 0x2f, 0x7c, 0xa9, 0x5a, 0xc0, 0xc3, 0xde, 0x75, 0x58, 0xcb, 0x7a},
+ {0x81, 0x19, 0xb3, 0xa0, 0x59, 0xff, 0x2c, 0xac, 0x48, 0x3e, 0x69, 0xbc, 0xd4, 0x1d, 0x6d, 0x27, 0x14, 0x94, 0x47, 0x91, 0x42, 0x88, 0xbb, 0xea, 0xee, 0x34, 0x13, 0xe6, 0xdc, 0xc6, 0xd1, 0xeb},
+ {0x10, 0xfc, 0x58, 0xf3, 0x5f, 0xc7, 0xfe, 0x7a, 0xe8, 0x75, 0x52, 0x4b, 0xb5, 0x85, 0x00, 0x03, 0x00, 0x5b, 0x7f, 0x97, 0x8c, 0x0c, 0x65, 0xe2, 0xa9, 0x65, 0x46, 0x4b, 0x6d, 0x00, 0x81, 0x9c},
+ {0x5a, 0xcd, 0x94, 0xeb, 0x3c, 0x57, 0x83, 0x79, 0xc1, 0xea, 0x58, 0xa3, 0x43, 0xec, 0x4f, 0xcf, 0xf9, 0x62, 0x77, 0x6f, 0xe3, 0x55, 0x21, 0xe4, 0x75, 0xa0, 0xe0, 0x6d, 0x88, 0x7b, 0x2d, 0xb9},
+ {0x33, 0xda, 0xf3, 0xa2, 0x14, 0xd6, 0xe0, 0xd4, 0x2d, 0x23, 0x00, 0xa7, 0xb4, 0x4b, 0x39, 0x29, 0x0d, 0xb8, 0x98, 0x9b, 0x42, 0x79, 0x74, 0xcd, 0x86, 0x5d, 0xb0, 0x11, 0x05, 0x5a, 0x29, 0x01},
+ {0xcf, 0xc6, 0x57, 0x2f, 0x29, 0xaf, 0xd1, 0x64, 0xa4, 0x94, 0xe6, 0x4e, 0x6f, 0x1a, 0xeb, 0x82, 0x0c, 0x3e, 0x7d, 0xa3, 0x55, 0x14, 0x4e, 0x51, 0x24, 0xa3, 0x91, 0xd0, 0x6e, 0x9f, 0x95, 0xea},
+ {0xd5, 0x31, 0x2a, 0x4b, 0x0e, 0xf6, 0x15, 0xa3, 0x31, 0xf6, 0x35, 0x2c, 0x2e, 0xd2, 0x1d, 0xac, 0x9e, 0x7c, 0x36, 0x39, 0x8b, 0x93, 0x9a, 0xec, 0x90, 0x1c, 0x25, 0x7f, 0x6c, 0xbc, 0x9e, 0x8e},
+ {0x55, 0x1d, 0x67, 0xfe, 0xfc, 0x7b, 0x5b, 0x9f, 0x9f, 0xdb, 0xf6, 0xaf, 0x57, 0xc9, 0x6c, 0x8a, 0x74, 0xd7, 0xe4, 0x5a, 0x00, 0x20, 0x78, 0xa7, 0xb5, 0xba, 0x45, 0xc6, 0xfd, 0xe9, 0x3e, 0x33},
+ {0xd5, 0x0a, 0xc7, 0xbd, 0x5c, 0xa5, 0x93, 0xc6, 0x56, 0x92, 0x8f, 0x38, 0x42, 0x80, 0x17, 0xfc, 0x7b, 0xa5, 0x02, 0x85, 0x4c, 0x43, 0xd8, 0x41, 0x49, 0x50, 0xe9, 0x6e, 0xcb, 0x40, 0x5d, 0xc3},
+ {0x07, 0x73, 0xe1, 0x8e, 0xa1, 0xbe, 0x44, 0xfe, 0x1a, 0x97, 0xe2, 0x39, 0x57, 0x3c, 0xfa, 0xe3, 0xe4, 0xe9, 0x5e, 0xf9, 0xaa, 0x9f, 0xaa, 0xbe, 0xac, 0x12, 0x74, 0xd3, 0xad, 0x26, 0x16, 0x04},
+ {0xe9, 0xaf, 0x0e, 0x7c, 0xa8, 0x93, 0x30, 0xd2, 0xb8, 0x61, 0x5d, 0x1b, 0x41, 0x37, 0xca, 0x61, 0x7e, 0x21, 0x29, 0x7f, 0x2f, 0x0d, 0xed, 0x8e, 0x31, 0xb7, 0xd2, 0xea, 0xd8, 0x71, 0x46, 0x60},
+ {0x7b, 0x12, 0x45, 0x83, 0x09, 0x7f, 0x10, 0x29, 0xa0, 0xc7, 0x41, 0x91, 0xfe, 0x73, 0x78, 0xc9, 0x10, 0x5a, 0xcc, 0x70, 0x66, 0x95, 0xed, 0x14, 0x93, 0xbb, 0x76, 0x03, 0x42, 0x26, 0xa5, 0x7b},
+ {0xec, 0x40, 0x05, 0x7b, 0x99, 0x54, 0x76, 0x65, 0x0b, 0x3d, 0xb9, 0x8e, 0x9d, 0xb7, 0x57, 0x38, 0xa8, 0xcd, 0x2f, 0x94, 0xd8, 0x63, 0xb9, 0x06, 0x15, 0x0c, 0x56, 0xaa, 0xc1, 0x9c, 0xaa, 0x6b},
+ {0x01, 0xd9, 0xff, 0x72, 0x9e, 0xfd, 0x39, 0xd8, 0x37, 0x84, 0xc0, 0xfe, 0x59, 0xc4, 0xae, 0x81, 0xa6, 0x70, 0x34, 0xcb, 0x53, 0xc9, 0x43, 0xfb, 0x81, 0x8b, 0x9d, 0x8a, 0xe7, 0xfc, 0x33, 0xe5},
+ {0x00, 0xdf, 0xb3, 0xc6, 0x96, 0x32, 0x8c, 0x76, 0x42, 0x45, 0x19, 0xa7, 0xbe, 0xfe, 0x8e, 0x0f, 0x6c, 0x76, 0xf9, 0x47, 0xb5, 0x27, 0x67, 0x91, 0x6d, 0x24, 0x82, 0x3f, 0x73, 0x5b, 0xaf, 0x2e},
+ {0x46, 0x1b, 0x79, 0x9b, 0x4d, 0x9c, 0xee, 0xa8, 0xd5, 0x80, 0xdc, 0xb7, 0x6d, 0x11, 0x15, 0x0d, 0x53, 0x5e, 0x16, 0x39, 0xd1, 0x60, 0x03, 0xc3, 0xfb, 0x7e, 0x9d, 0x1f, 0xd1, 0x30, 0x83, 0xa8},
+ {0xee, 0x03, 0x03, 0x94, 0x79, 0xe5, 0x22, 0x8f, 0xdc, 0x55, 0x1c, 0xbd, 0xe7, 0x07, 0x9d, 0x34, 0x12, 0xea, 0x18, 0x6a, 0x51, 0x7c, 0xcc, 0x63, 0xe4, 0x6e, 0x9f, 0xcc, 0xe4, 0xfe, 0x3a, 0x6c},
+ {0xa8, 0xcf, 0xb5, 0x43, 0x52, 0x4e, 0x7f, 0x02, 0xb9, 0xf0, 0x45, 0xac, 0xd5, 0x43, 0xc2, 0x1c, 0x37, 0x3b, 0x4c, 0x9b, 0x98, 0xac, 0x20, 0xce, 0xc4, 0x17, 0xa6, 0xdd, 0xb5, 0x74, 0x4e, 0x94},
+ {0x93, 0x2b, 0x79, 0x4b, 0xf8, 0x9c, 0x6e, 0xda, 0xf5, 0xd0, 0x65, 0x0c, 0x7c, 0x4b, 0xad, 0x92, 0x42, 0xb2, 0x56, 0x26, 0xe3, 0x7e, 0xad, 0x5a, 0xa7, 0x5e, 0xc8, 0xc6, 0x4e, 0x09, 0xdd, 0x4f},
+ {0x16, 0xb1, 0x0c, 0x77, 0x9c, 0xe5, 0xcf, 0xef, 0x59, 0xc7, 0x71, 0x0d, 0x2e, 0x68, 0x44, 0x1e, 0xa6, 0xfa, 0xcb, 0x68, 0xe9, 0xb5, 0xf7, 0xd5, 0x33, 0xae, 0x0b, 0xb7, 0x8e, 0x28, 0xbf, 0x57},
+ {0x0f, 0x77, 0xc7, 0x67, 0x43, 0xe7, 0x39, 0x6f, 0x99, 0x10, 0x13, 0x9f, 0x49, 0x37, 0xd8, 0x37, 0xae, 0x54, 0xe2, 0x10, 0x38, 0xac, 0x5c, 0x0b, 0x3f, 0xd6, 0xef, 0x17, 0x1a, 0x28, 0xa7, 0xe4},
+ {0xd7, 0xe5, 0x74, 0xb7, 0xb9, 0x52, 0xf2, 0x93, 0xe8, 0x0d, 0xde, 0x90, 0x5e, 0xb5, 0x09, 0x37, 0x3f, 0x3f, 0x6c, 0xd1, 0x09, 0xa0, 0x22, 0x08, 0xb3, 0xc1, 0xe9, 0x24, 0x08, 0x0a, 0x20, 0xca},
+ {0x45, 0x66, 0x6f, 0x8c, 0x38, 0x1e, 0x3d, 0xa6, 0x75, 0x56, 0x3f, 0xf8, 0xba, 0x23, 0xf8, 0x3b, 0xfa, 0xc3, 0x0c, 0x34, 0xab, 0xdd, 0xe6, 0xe5, 0xc0, 0x97, 0x5e, 0xf9, 0xfd, 0x70, 0x0c, 0xb9},
+ {0xb2, 0x46, 0x12, 0xe4, 0x54, 0x60, 0x7e, 0xb1, 0xab, 0xa4, 0x47, 0xf8, 0x16, 0xd1, 0xa4, 0x55, 0x1e, 0xf9, 0x5f, 0xa7, 0x24, 0x7f, 0xb7, 0xc1, 0xf5, 0x03, 0x02, 0x0a, 0x71, 0x77, 0xf0, 0xdd},
+ {0x7e, 0x20, 0x88, 0x61, 0x85, 0x6d, 0xa4, 0x2c, 0x8b, 0xb4, 0x6a, 0x75, 0x67, 0xf8, 0x12, 0x13, 0x62, 0xd9, 0xfb, 0x24, 0x96, 0xf1, 0x31, 0xa4, 0xaa, 0x90, 0x17, 0xcf, 0x36, 0x6c, 0xdf, 0xce},
+ {0x5b, 0x64, 0x6b, 0xff, 0x6a, 0xd1, 0x10, 0x01, 0x65, 0x03, 0x7a, 0x05, 0x56, 0x01, 0xea, 0x02, 0x35, 0x8c, 0x0f, 0x41, 0x05, 0x0f, 0x9d, 0xfe, 0x3c, 0x95, 0xdc, 0xcb, 0xd3, 0x08, 0x7b, 0xe0},
+ {0x74, 0x6d, 0x1d, 0xcc, 0xfe, 0xd2, 0xf0, 0xff, 0x1e, 0x13, 0xc5, 0x1e, 0x2d, 0x50, 0xd5, 0x32, 0x43, 0x75, 0xfb, 0xd5, 0xbf, 0x7c, 0xa8, 0x2a, 0x89, 0x31, 0x82, 0x8d, 0x80, 0x1d, 0x43, 0xab},
+ {0xcb, 0x98, 0x11, 0x0d, 0x4a, 0x6b, 0xb9, 0x7d, 0x22, 0xfe, 0xad, 0xbc, 0x6c, 0x0d, 0x89, 0x30, 0xc5, 0xf8, 0xfc, 0x50, 0x8b, 0x2f, 0xc5, 0xb3, 0x53, 0x28, 0xd2, 0x6b, 0x88, 0xdb, 0x19, 0xae},
+ {0x60, 0xb6, 0x26, 0xa0, 0x33, 0xb5, 0x5f, 0x27, 0xd7, 0x67, 0x6c, 0x40, 0x95, 0xea, 0xba, 0xbc, 0x7a, 0x2c, 0x7e, 0xde, 0x26, 0x24, 0xb4, 0x72, 0xe9, 0x7f, 0x64, 0xf9, 0x6b, 0x8c, 0xfc, 0x0e},
+ {0xe5, 0xb5, 0x2b, 0xc9, 0x27, 0x46, 0x8d, 0xf7, 0x18, 0x93, 0xeb, 0x81, 0x97, 0xef, 0x82, 0x0c, 0xf7, 0x6c, 0xb0, 0xaa, 0xf6, 0xe8, 0xe4, 0xfe, 0x93, 0xad, 0x62, 0xd8, 0x03, 0x98, 0x31, 0x04},
+ {0x05, 0x65, 0x41, 0xae, 0x5d, 0xa9, 0x96, 0x1b, 0xe2, 0xb0, 0xa5, 0xe8, 0x95, 0xe5, 0xc5, 0xba, 0x15, 0x3c, 0xbb, 0x62, 0xdd, 0x56, 0x1a, 0x42, 0x7b, 0xad, 0x0f, 0xfd, 0x41, 0x92, 0x31, 0x99} };
+
+ //Debug printing for the above types
+ //Actually use DP(value) and #define DBG
+ void dp(key a);
+ void dp(bool a);
+ void dp(const char * a, int l);
+ void dp(keyV a);
+ void dp(keyM a);
+ void dp(xmr_amount vali);
+ void dp(int vali);
+ void dp(bits amountb);
+ void dp(const char * st);
+
+ //various conversions
+
+ //uint long long to 32 byte key
+ void d2h(key & amounth, xmr_amount val);
+ key d2h(xmr_amount val);
+ //uint long long to int[64]
+ void d2b(bits amountb, xmr_amount val);
+ //32 byte key to uint long long
+ // if the key holds a value > 2^64
+ // then the value in the first 8 bytes is returned
+ xmr_amount h2d(const key &test);
+ //32 byte key to int[64]
+ void h2b(bits amountb2, key & test);
+ //int[64] to 32 byte key
+ void b2h(key & amountdh, bits amountb2);
+ //int[64] to uint long long
+ xmr_amount b2d(bits amountb);
+}
+
+#endif /* RCTTYPES_H */
generated by cgit v1.2.3 (git 2.25.1) at 2024-11-15 16:37:58 +0000