aboutsummaryrefslogtreecommitdiff
path: root/src/crypto/crypto.cpp
diff options
context:
space:
mode:
Diffstat (limited to 'src/crypto/crypto.cpp')
-rw-r--r--src/crypto/crypto.cpp135
1 files changed, 129 insertions, 6 deletions
diff --git a/src/crypto/crypto.cpp b/src/crypto/crypto.cpp
index 8a03f28bb..4cfe83d54 100644
--- a/src/crypto/crypto.cpp
+++ b/src/crypto/crypto.cpp
@@ -1,4 +1,4 @@
-// Copyright (c) 2014-2019, The Monero Project
+// Copyright (c) 2014-2020, The Monero Project
//
// All rights reserved.
//
@@ -43,6 +43,8 @@
#include "crypto.h"
#include "hash.h"
+#include "cryptonote_config.h"
+
namespace {
static void local_abort(const char *msg)
{
@@ -261,11 +263,24 @@ namespace crypto {
ec_point comm;
};
+ // Used in v1 tx proofs
+ struct s_comm_2_v1 {
+ hash msg;
+ ec_point D;
+ ec_point X;
+ ec_point Y;
+ };
+
+ // Used in v1/v2 tx proofs
struct s_comm_2 {
hash msg;
ec_point D;
ec_point X;
ec_point Y;
+ hash sep; // domain separation
+ ec_point R;
+ ec_point A;
+ ec_point B;
};
void crypto_ops::generate_signature(const hash &prefix_hash, const public_key &pub, const secret_key &sec, signature &sig) {
@@ -321,6 +336,86 @@ namespace crypto {
return sc_isnonzero(&c) == 0;
}
+ // Generate a proof of knowledge of `r` such that (`R = rG` and `D = rA`) or (`R = rB` and `D = rA`) via a Schnorr proof
+ // This handles use cases for both standard addresses and subaddresses
+ //
+ // NOTE: This generates old v1 proofs, and is for TESTING ONLY
+ void crypto_ops::generate_tx_proof_v1(const hash &prefix_hash, const public_key &R, const public_key &A, const boost::optional<public_key> &B, const public_key &D, const secret_key &r, signature &sig) {
+ // sanity check
+ ge_p3 R_p3;
+ ge_p3 A_p3;
+ ge_p3 B_p3;
+ ge_p3 D_p3;
+ if (ge_frombytes_vartime(&R_p3, &R) != 0) throw std::runtime_error("tx pubkey is invalid");
+ if (ge_frombytes_vartime(&A_p3, &A) != 0) throw std::runtime_error("recipient view pubkey is invalid");
+ if (B && ge_frombytes_vartime(&B_p3, &*B) != 0) throw std::runtime_error("recipient spend pubkey is invalid");
+ if (ge_frombytes_vartime(&D_p3, &D) != 0) throw std::runtime_error("key derivation is invalid");
+#if !defined(NDEBUG)
+ {
+ assert(sc_check(&r) == 0);
+ // check R == r*G or R == r*B
+ public_key dbg_R;
+ if (B)
+ {
+ ge_p2 dbg_R_p2;
+ ge_scalarmult(&dbg_R_p2, &r, &B_p3);
+ ge_tobytes(&dbg_R, &dbg_R_p2);
+ }
+ else
+ {
+ ge_p3 dbg_R_p3;
+ ge_scalarmult_base(&dbg_R_p3, &r);
+ ge_p3_tobytes(&dbg_R, &dbg_R_p3);
+ }
+ assert(R == dbg_R);
+ // check D == r*A
+ ge_p2 dbg_D_p2;
+ ge_scalarmult(&dbg_D_p2, &r, &A_p3);
+ public_key dbg_D;
+ ge_tobytes(&dbg_D, &dbg_D_p2);
+ assert(D == dbg_D);
+ }
+#endif
+
+ // pick random k
+ ec_scalar k;
+ random_scalar(k);
+
+ s_comm_2_v1 buf;
+ buf.msg = prefix_hash;
+ buf.D = D;
+
+ if (B)
+ {
+ // compute X = k*B
+ ge_p2 X_p2;
+ ge_scalarmult(&X_p2, &k, &B_p3);
+ ge_tobytes(&buf.X, &X_p2);
+ }
+ else
+ {
+ // compute X = k*G
+ ge_p3 X_p3;
+ ge_scalarmult_base(&X_p3, &k);
+ ge_p3_tobytes(&buf.X, &X_p3);
+ }
+
+ // compute Y = k*A
+ ge_p2 Y_p2;
+ ge_scalarmult(&Y_p2, &k, &A_p3);
+ ge_tobytes(&buf.Y, &Y_p2);
+
+ // sig.c = Hs(Msg || D || X || Y)
+ hash_to_scalar(&buf, sizeof(buf), sig.c);
+
+ // sig.r = k - sig.c*r
+ sc_mulsub(&sig.r, &sig.c, &unwrap(r), &k);
+ }
+
+ // Generate a proof of knowledge of `r` such that (`R = rG` and `D = rA`) or (`R = rB` and `D = rA`) via a Schnorr proof
+ // This handles use cases for both standard addresses and subaddresses
+ //
+ // Generates only proofs for InProofV2 and OutProofV2
void crypto_ops::generate_tx_proof(const hash &prefix_hash, const public_key &R, const public_key &A, const boost::optional<public_key> &B, const public_key &D, const secret_key &r, signature &sig) {
// sanity check
ge_p3 R_p3;
@@ -362,10 +457,20 @@ namespace crypto {
ec_scalar k;
random_scalar(k);
+ // if B is not present
+ static const ec_point zero = {{ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }};
+
s_comm_2 buf;
buf.msg = prefix_hash;
buf.D = D;
-
+ buf.R = R;
+ buf.A = A;
+ if (B)
+ buf.B = *B;
+ else
+ buf.B = zero;
+ cn_fast_hash(config::HASH_KEY_TXPROOF_V2, sizeof(config::HASH_KEY_TXPROOF_V2)-1, buf.sep);
+
if (B)
{
// compute X = k*B
@@ -386,7 +491,7 @@ namespace crypto {
ge_scalarmult(&Y_p2, &k, &A_p3);
ge_tobytes(&buf.Y, &Y_p2);
- // sig.c = Hs(Msg || D || X || Y)
+ // sig.c = Hs(Msg || D || X || Y || sep || R || A || B)
hash_to_scalar(&buf, sizeof(buf), sig.c);
// sig.r = k - sig.c*r
@@ -395,7 +500,8 @@ namespace crypto {
memwipe(&k, sizeof(k));
}
- bool crypto_ops::check_tx_proof(const hash &prefix_hash, const public_key &R, const public_key &A, const boost::optional<public_key> &B, const public_key &D, const signature &sig) {
+ // Verify a proof: either v1 (version == 1) or v2 (version == 2)
+ bool crypto_ops::check_tx_proof(const hash &prefix_hash, const public_key &R, const public_key &A, const boost::optional<public_key> &B, const public_key &D, const signature &sig, const int version) {
// sanity check
ge_p3 R_p3;
ge_p3 A_p3;
@@ -467,14 +573,31 @@ namespace crypto {
ge_p2 Y_p2;
ge_p1p1_to_p2(&Y_p2, &Y_p1p1);
- // compute c2 = Hs(Msg || D || X || Y)
+ // Compute hash challenge
+ // for v1, c2 = Hs(Msg || D || X || Y)
+ // for v2, c2 = Hs(Msg || D || X || Y || sep || R || A || B)
+
+ // if B is not present
+ static const ec_point zero = {{ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }};
+
s_comm_2 buf;
buf.msg = prefix_hash;
buf.D = D;
+ buf.R = R;
+ buf.A = A;
+ if (B)
+ buf.B = *B;
+ else
+ buf.B = zero;
+ cn_fast_hash(config::HASH_KEY_TXPROOF_V2, sizeof(config::HASH_KEY_TXPROOF_V2)-1, buf.sep);
ge_tobytes(&buf.X, &X_p2);
ge_tobytes(&buf.Y, &Y_p2);
ec_scalar c2;
- hash_to_scalar(&buf, sizeof(s_comm_2), c2);
+
+ // Hash depends on version
+ if (version == 1) hash_to_scalar(&buf, sizeof(s_comm_2) - 3*sizeof(ec_point) - sizeof(hash), c2);
+ else if (version == 2) hash_to_scalar(&buf, sizeof(s_comm_2), c2);
+ else return false;
// test if c2 == sig.c
sc_sub(&c2, &c2, &sig.c);