1 files changed, 130 insertions, 4 deletions

diff --git a/src/crypto/crypto.cpp b/src/crypto/crypto.cpp
index 98da466cc..1c7adff3b 100644
--- a/src/crypto/crypto.cpp
+++ b/src/crypto/crypto.cpp
@@ -81,12 +81,16 @@ namespace crypto {
   }
 
   /* generate a random 32-byte (256-bit) integer and copy it to res */
-  static inline void random_scalar(ec_scalar &res) {
+  static inline void random_scalar_not_thread_safe(ec_scalar &res) {
     unsigned char tmp[64];
     generate_random_bytes_not_thread_safe(64, tmp);
     sc_reduce(tmp);
     memcpy(&res, tmp, 32);
   }
+  static inline void random_scalar(ec_scalar &res) {
+    boost::lock_guard<boost::mutex> lock(random_lock);
+    random_scalar_not_thread_safe(res);
+  }
 
   static inline void hash_to_scalar(const void *data, size_t length, ec_scalar &res) {
     cn_fast_hash(data, length, reinterpret_cast<hash &>(res));
@@ -99,7 +103,6 @@ namespace crypto {
    * 
    */
   secret_key crypto_ops::generate_keys(public_key &pub, secret_key &sec, const secret_key& recovery_key, bool recover) {
-    boost::lock_guard<boost::mutex> lock(random_lock);
     ge_p3 point;
 
     secret_key rng;
@@ -197,8 +200,14 @@ namespace crypto {
     ec_point comm;
   };
 
+  struct s_comm_2 {
+    hash msg;
+    ec_point D;
+    ec_point X;
+    ec_point Y;
+  };
+
   void crypto_ops::generate_signature(const hash &prefix_hash, const public_key &pub, const secret_key &sec, signature &sig) {
-    boost::lock_guard<boost::mutex> lock(random_lock);
     ge_p3 tmp3;
     ec_scalar k;
     s_comm buf;
@@ -242,6 +251,124 @@ namespace crypto {
     return sc_isnonzero(&c) == 0;
   }
 
+  void crypto_ops::generate_tx_proof(const hash &prefix_hash, const public_key &R, const public_key &A, const public_key &D, const secret_key &r, signature &sig) {
+    // sanity check
+    ge_p3 R_p3;
+    ge_p3 A_p3;
+    ge_p3 D_p3;
+    if (ge_frombytes_vartime(&R_p3, &R) != 0) throw std::runtime_error("tx pubkey is invalid");
+    if (ge_frombytes_vartime(&A_p3, &A) != 0) throw std::runtime_error("recipient view pubkey is invalid");
+    if (ge_frombytes_vartime(&D_p3, &D) != 0) throw std::runtime_error("key derivation is invalid");
+#if !defined(NDEBUG)
+    {
+      assert(sc_check(&r) == 0);
+      // check R == r*G
+      ge_p3 dbg_R_p3;
+      ge_scalarmult_base(&dbg_R_p3, &r);
+      public_key dbg_R;
+      ge_p3_tobytes(&dbg_R, &dbg_R_p3);
+      assert(R == dbg_R);
+      // check D == r*A
+      ge_p2 dbg_D_p2;
+      ge_scalarmult(&dbg_D_p2, &r, &A_p3);
+      public_key dbg_D;
+      ge_tobytes(&dbg_D, &dbg_D_p2);
+      assert(D == dbg_D);
+    }
+#endif
+
+    // pick random k
+    ec_scalar k;
+    random_scalar(k);
+    
+    // compute X = k*G
+    ge_p3 X_p3;
+    ge_scalarmult_base(&X_p3, &k);
+    
+    // compute Y = k*A
+    ge_p2 Y_p2;
+    ge_scalarmult(&Y_p2, &k, &A_p3);
+
+    // sig.c = Hs(Msg || D || X || Y)
+    s_comm_2 buf;
+    buf.msg = prefix_hash;
+    buf.D = D;
+    ge_p3_tobytes(&buf.X, &X_p3);
+    ge_tobytes(&buf.Y, &Y_p2);
+    hash_to_scalar(&buf, sizeof(s_comm_2), sig.c);
+
+    // sig.r = k - sig.c*r
+    sc_mulsub(&sig.r, &sig.c, &r, &k);
+  }
+
+  bool crypto_ops::check_tx_proof(const hash &prefix_hash, const public_key &R, const public_key &A, const public_key &D, const signature &sig) {
+    // sanity check
+    ge_p3 R_p3;
+    ge_p3 A_p3;
+    ge_p3 D_p3;
+    if (ge_frombytes_vartime(&R_p3, &R) != 0) return false;
+    if (ge_frombytes_vartime(&A_p3, &A) != 0) return false;
+    if (ge_frombytes_vartime(&D_p3, &D) != 0) return false;
+    if (sc_check(&sig.c) != 0 || sc_check(&sig.r) != 0) return false;
+
+    // compute sig.c*R
+    ge_p2 cR_p2;
+    ge_scalarmult(&cR_p2, &sig.c, &R_p3);
+
+    // compute sig.r*G
+    ge_p3 rG_p3;
+    ge_scalarmult_base(&rG_p3, &sig.r);
+
+    // compute sig.c*D
+    ge_p2 cD_p2;
+    ge_scalarmult(&cD_p2, &sig.c, &D_p3);
+
+    // compute sig.r*A
+    ge_p2 rA_p2;
+    ge_scalarmult(&rA_p2, &sig.r, &A_p3);
+
+    // compute X = sig.c*R + sig.r*G
+    public_key cR;
+    ge_tobytes(&cR, &cR_p2);
+    ge_p3 cR_p3;
+    if (ge_frombytes_vartime(&cR_p3, &cR) != 0) return false;
+    ge_cached rG_cached;
+    ge_p3_to_cached(&rG_cached, &rG_p3);
+    ge_p1p1 X_p1p1;
+    ge_add(&X_p1p1, &cR_p3, &rG_cached);
+    ge_p2 X_p2;
+    ge_p1p1_to_p2(&X_p2, &X_p1p1);
+
+    // compute Y = sig.c*D + sig.r*A
+    public_key cD;
+    public_key rA;
+    ge_tobytes(&cD, &cD_p2);
+    ge_tobytes(&rA, &rA_p2);
+    ge_p3 cD_p3;
+    ge_p3 rA_p3;
+    if (ge_frombytes_vartime(&cD_p3, &cD) != 0) return false;
+    if (ge_frombytes_vartime(&rA_p3, &rA) != 0) return false;
+    ge_cached rA_cached;
+    ge_p3_to_cached(&rA_cached, &rA_p3);
+    ge_p1p1 Y_p1p1;
+    ge_add(&Y_p1p1, &cD_p3, &rA_cached);
+    ge_p2 Y_p2;
+    ge_p1p1_to_p2(&Y_p2, &Y_p1p1);
+
+    // compute c2 = Hs(Msg || D || X || Y)
+    s_comm_2 buf;
+    buf.msg = prefix_hash;
+    buf.D = D;
+    ge_tobytes(&buf.X, &X_p2);
+    ge_tobytes(&buf.Y, &Y_p2);
+    ec_scalar c2;
+    hash_to_scalar(&buf, sizeof(s_comm_2), c2);
+
+    // test if c2 == sig.c
+    sc_sub(&c2, &c2, &sig.c);
+    return sc_isnonzero(&c2) == 0;
+  }
+
   static void hash_to_ec(const public_key &key, ge_p3 &res) {
     hash h;
     ge_p2 point;
@@ -280,7 +407,6 @@ POP_WARNINGS
     const public_key *const *pubs, size_t pubs_count,
     const secret_key &sec, size_t sec_index,
     signature *sig) {
-    boost::lock_guard<boost::mutex> lock(random_lock);
     size_t i;
     ge_p3 image_unp;
     ge_dsmp image_pre;