diff options
Diffstat (limited to 'src/crypto')
-rw-r--r-- | src/crypto/crypto.cpp | 125 | ||||
-rw-r--r-- | src/crypto/crypto.h | 14 |
2 files changed, 139 insertions, 0 deletions
diff --git a/src/crypto/crypto.cpp b/src/crypto/crypto.cpp index 98da466cc..6ae7e5f24 100644 --- a/src/crypto/crypto.cpp +++ b/src/crypto/crypto.cpp @@ -197,6 +197,13 @@ namespace crypto { ec_point comm; }; + struct s_comm_2 { + hash msg; + ec_point D; + ec_point X; + ec_point Y; + }; + void crypto_ops::generate_signature(const hash &prefix_hash, const public_key &pub, const secret_key &sec, signature &sig) { boost::lock_guard<boost::mutex> lock(random_lock); ge_p3 tmp3; @@ -242,6 +249,124 @@ namespace crypto { return sc_isnonzero(&c) == 0; } + void crypto_ops::generate_tx_proof(const hash &prefix_hash, const public_key &R, const public_key &A, const public_key &D, const secret_key &r, signature &sig) { + // sanity check + ge_p3 R_p3; + ge_p3 A_p3; + ge_p3 D_p3; + if (ge_frombytes_vartime(&R_p3, &R) != 0) throw std::runtime_error("tx pubkey is invalid"); + if (ge_frombytes_vartime(&A_p3, &A) != 0) throw std::runtime_error("recipient view pubkey is invalid"); + if (ge_frombytes_vartime(&D_p3, &D) != 0) throw std::runtime_error("key derivation is invalid"); +#if !defined(NDEBUG) + { + assert(sc_check(&r) == 0); + // check R == r*G + ge_p3 dbg_R_p3; + ge_scalarmult_base(&dbg_R_p3, &r); + public_key dbg_R; + ge_p3_tobytes(&dbg_R, &dbg_R_p3); + assert(R == dbg_R); + // check D == r*A + ge_p2 dbg_D_p2; + ge_scalarmult(&dbg_D_p2, &r, &A_p3); + public_key dbg_D; + ge_tobytes(&dbg_D, &dbg_D_p2); + assert(D == dbg_D); + } +#endif + + // pick random k + ec_scalar k; + random_scalar(k); + + // compute X = k*G + ge_p3 X_p3; + ge_scalarmult_base(&X_p3, &k); + + // compute Y = k*A + ge_p2 Y_p2; + ge_scalarmult(&Y_p2, &k, &A_p3); + + // sig.c = Hs(Msg || D || X || Y) + s_comm_2 buf; + buf.msg = prefix_hash; + buf.D = D; + ge_p3_tobytes(&buf.X, &X_p3); + ge_tobytes(&buf.Y, &Y_p2); + hash_to_scalar(&buf, sizeof(s_comm_2), sig.c); + + // sig.r = k - sig.c*r + sc_mulsub(&sig.r, &sig.c, &r, &k); + } + + bool crypto_ops::check_tx_proof(const hash &prefix_hash, const public_key &R, const public_key &A, const public_key &D, const signature &sig) { + // sanity check + ge_p3 R_p3; + ge_p3 A_p3; + ge_p3 D_p3; + if (ge_frombytes_vartime(&R_p3, &R) != 0) return false; + if (ge_frombytes_vartime(&A_p3, &A) != 0) return false; + if (ge_frombytes_vartime(&D_p3, &D) != 0) return false; + if (sc_check(&sig.c) != 0 || sc_check(&sig.r) != 0) return false; + + // compute sig.c*R + ge_p2 cR_p2; + ge_scalarmult(&cR_p2, &sig.c, &R_p3); + + // compute sig.r*G + ge_p3 rG_p3; + ge_scalarmult_base(&rG_p3, &sig.r); + + // compute sig.c*D + ge_p2 cD_p2; + ge_scalarmult(&cD_p2, &sig.c, &D_p3); + + // compute sig.r*A + ge_p2 rA_p2; + ge_scalarmult(&rA_p2, &sig.r, &A_p3); + + // compute X = sig.c*R + sig.r*G + public_key cR; + ge_tobytes(&cR, &cR_p2); + ge_p3 cR_p3; + if (ge_frombytes_vartime(&cR_p3, &cR) != 0) return false; + ge_cached rG_cached; + ge_p3_to_cached(&rG_cached, &rG_p3); + ge_p1p1 X_p1p1; + ge_add(&X_p1p1, &cR_p3, &rG_cached); + ge_p2 X_p2; + ge_p1p1_to_p2(&X_p2, &X_p1p1); + + // compute Y = sig.c*D + sig.r*A + public_key cD; + public_key rA; + ge_tobytes(&cD, &cD_p2); + ge_tobytes(&rA, &rA_p2); + ge_p3 cD_p3; + ge_p3 rA_p3; + if (ge_frombytes_vartime(&cD_p3, &cD) != 0) return false; + if (ge_frombytes_vartime(&rA_p3, &rA) != 0) return false; + ge_cached rA_cached; + ge_p3_to_cached(&rA_cached, &rA_p3); + ge_p1p1 Y_p1p1; + ge_add(&Y_p1p1, &cD_p3, &rA_cached); + ge_p2 Y_p2; + ge_p1p1_to_p2(&Y_p2, &Y_p1p1); + + // compute c2 = Hs(Msg || D || X || Y) + s_comm_2 buf; + buf.msg = prefix_hash; + buf.D = D; + ge_tobytes(&buf.X, &X_p2); + ge_tobytes(&buf.Y, &Y_p2); + ec_scalar c2; + hash_to_scalar(&buf, sizeof(s_comm_2), c2); + + // test if c2 == sig.c + sc_sub(&c2, &c2, &sig.c); + return sc_isnonzero(&c2) == 0; + } + static void hash_to_ec(const public_key &key, ge_p3 &res) { hash h; ge_p2 point; diff --git a/src/crypto/crypto.h b/src/crypto/crypto.h index 3b8c7996b..e99b6651f 100644 --- a/src/crypto/crypto.h +++ b/src/crypto/crypto.h @@ -123,6 +123,10 @@ namespace crypto { friend void generate_signature(const hash &, const public_key &, const secret_key &, signature &); static bool check_signature(const hash &, const public_key &, const signature &); friend bool check_signature(const hash &, const public_key &, const signature &); + static void generate_tx_proof(const hash &, const public_key &, const public_key &, const public_key &, const secret_key &, signature &); + friend void generate_tx_proof(const hash &, const public_key &, const public_key &, const public_key &, const secret_key &, signature &); + static bool check_tx_proof(const hash &, const public_key &, const public_key &, const public_key &, const signature &); + friend bool check_tx_proof(const hash &, const public_key &, const public_key &, const public_key &, const signature &); static void generate_key_image(const public_key &, const secret_key &, key_image &); friend void generate_key_image(const public_key &, const secret_key &, key_image &); static void generate_ring_signature(const hash &, const key_image &, @@ -200,6 +204,16 @@ namespace crypto { return crypto_ops::check_signature(prefix_hash, pub, sig); } + /* Generation and checking of a tx proof; given a tx pubkey R, the recipient's view pubkey A, and the key + * derivation D, the signature proves the knowledge of the tx secret key r such that R=r*G and D=r*A + */ + inline void generate_tx_proof(const hash &prefix_hash, const public_key &R, const public_key &A, const public_key &D, const secret_key &r, signature &sig) { + crypto_ops::generate_tx_proof(prefix_hash, R, A, D, r, sig); + } + inline bool check_tx_proof(const hash &prefix_hash, const public_key &R, const public_key &A, const public_key &D, const signature &sig) { + return crypto_ops::check_tx_proof(prefix_hash, R, A, D, sig); + } + /* To send money to a key: * * The sender generates an ephemeral key and includes it in transaction output. * * To spend the money, the receiver generates a key image from it. |