aboutsummaryrefslogtreecommitdiff
path: root/src/crypto
diff options
context:
space:
mode:
Diffstat (limited to 'src/crypto')
-rw-r--r--src/crypto/crypto.cpp134
-rw-r--r--src/crypto/crypto.h14
-rw-r--r--src/crypto/slow-hash.c29
3 files changed, 157 insertions, 20 deletions
diff --git a/src/crypto/crypto.cpp b/src/crypto/crypto.cpp
index 98da466cc..1c7adff3b 100644
--- a/src/crypto/crypto.cpp
+++ b/src/crypto/crypto.cpp
@@ -81,12 +81,16 @@ namespace crypto {
}
/* generate a random 32-byte (256-bit) integer and copy it to res */
- static inline void random_scalar(ec_scalar &res) {
+ static inline void random_scalar_not_thread_safe(ec_scalar &res) {
unsigned char tmp[64];
generate_random_bytes_not_thread_safe(64, tmp);
sc_reduce(tmp);
memcpy(&res, tmp, 32);
}
+ static inline void random_scalar(ec_scalar &res) {
+ boost::lock_guard<boost::mutex> lock(random_lock);
+ random_scalar_not_thread_safe(res);
+ }
static inline void hash_to_scalar(const void *data, size_t length, ec_scalar &res) {
cn_fast_hash(data, length, reinterpret_cast<hash &>(res));
@@ -99,7 +103,6 @@ namespace crypto {
*
*/
secret_key crypto_ops::generate_keys(public_key &pub, secret_key &sec, const secret_key& recovery_key, bool recover) {
- boost::lock_guard<boost::mutex> lock(random_lock);
ge_p3 point;
secret_key rng;
@@ -197,8 +200,14 @@ namespace crypto {
ec_point comm;
};
+ struct s_comm_2 {
+ hash msg;
+ ec_point D;
+ ec_point X;
+ ec_point Y;
+ };
+
void crypto_ops::generate_signature(const hash &prefix_hash, const public_key &pub, const secret_key &sec, signature &sig) {
- boost::lock_guard<boost::mutex> lock(random_lock);
ge_p3 tmp3;
ec_scalar k;
s_comm buf;
@@ -242,6 +251,124 @@ namespace crypto {
return sc_isnonzero(&c) == 0;
}
+ void crypto_ops::generate_tx_proof(const hash &prefix_hash, const public_key &R, const public_key &A, const public_key &D, const secret_key &r, signature &sig) {
+ // sanity check
+ ge_p3 R_p3;
+ ge_p3 A_p3;
+ ge_p3 D_p3;
+ if (ge_frombytes_vartime(&R_p3, &R) != 0) throw std::runtime_error("tx pubkey is invalid");
+ if (ge_frombytes_vartime(&A_p3, &A) != 0) throw std::runtime_error("recipient view pubkey is invalid");
+ if (ge_frombytes_vartime(&D_p3, &D) != 0) throw std::runtime_error("key derivation is invalid");
+#if !defined(NDEBUG)
+ {
+ assert(sc_check(&r) == 0);
+ // check R == r*G
+ ge_p3 dbg_R_p3;
+ ge_scalarmult_base(&dbg_R_p3, &r);
+ public_key dbg_R;
+ ge_p3_tobytes(&dbg_R, &dbg_R_p3);
+ assert(R == dbg_R);
+ // check D == r*A
+ ge_p2 dbg_D_p2;
+ ge_scalarmult(&dbg_D_p2, &r, &A_p3);
+ public_key dbg_D;
+ ge_tobytes(&dbg_D, &dbg_D_p2);
+ assert(D == dbg_D);
+ }
+#endif
+
+ // pick random k
+ ec_scalar k;
+ random_scalar(k);
+
+ // compute X = k*G
+ ge_p3 X_p3;
+ ge_scalarmult_base(&X_p3, &k);
+
+ // compute Y = k*A
+ ge_p2 Y_p2;
+ ge_scalarmult(&Y_p2, &k, &A_p3);
+
+ // sig.c = Hs(Msg || D || X || Y)
+ s_comm_2 buf;
+ buf.msg = prefix_hash;
+ buf.D = D;
+ ge_p3_tobytes(&buf.X, &X_p3);
+ ge_tobytes(&buf.Y, &Y_p2);
+ hash_to_scalar(&buf, sizeof(s_comm_2), sig.c);
+
+ // sig.r = k - sig.c*r
+ sc_mulsub(&sig.r, &sig.c, &r, &k);
+ }
+
+ bool crypto_ops::check_tx_proof(const hash &prefix_hash, const public_key &R, const public_key &A, const public_key &D, const signature &sig) {
+ // sanity check
+ ge_p3 R_p3;
+ ge_p3 A_p3;
+ ge_p3 D_p3;
+ if (ge_frombytes_vartime(&R_p3, &R) != 0) return false;
+ if (ge_frombytes_vartime(&A_p3, &A) != 0) return false;
+ if (ge_frombytes_vartime(&D_p3, &D) != 0) return false;
+ if (sc_check(&sig.c) != 0 || sc_check(&sig.r) != 0) return false;
+
+ // compute sig.c*R
+ ge_p2 cR_p2;
+ ge_scalarmult(&cR_p2, &sig.c, &R_p3);
+
+ // compute sig.r*G
+ ge_p3 rG_p3;
+ ge_scalarmult_base(&rG_p3, &sig.r);
+
+ // compute sig.c*D
+ ge_p2 cD_p2;
+ ge_scalarmult(&cD_p2, &sig.c, &D_p3);
+
+ // compute sig.r*A
+ ge_p2 rA_p2;
+ ge_scalarmult(&rA_p2, &sig.r, &A_p3);
+
+ // compute X = sig.c*R + sig.r*G
+ public_key cR;
+ ge_tobytes(&cR, &cR_p2);
+ ge_p3 cR_p3;
+ if (ge_frombytes_vartime(&cR_p3, &cR) != 0) return false;
+ ge_cached rG_cached;
+ ge_p3_to_cached(&rG_cached, &rG_p3);
+ ge_p1p1 X_p1p1;
+ ge_add(&X_p1p1, &cR_p3, &rG_cached);
+ ge_p2 X_p2;
+ ge_p1p1_to_p2(&X_p2, &X_p1p1);
+
+ // compute Y = sig.c*D + sig.r*A
+ public_key cD;
+ public_key rA;
+ ge_tobytes(&cD, &cD_p2);
+ ge_tobytes(&rA, &rA_p2);
+ ge_p3 cD_p3;
+ ge_p3 rA_p3;
+ if (ge_frombytes_vartime(&cD_p3, &cD) != 0) return false;
+ if (ge_frombytes_vartime(&rA_p3, &rA) != 0) return false;
+ ge_cached rA_cached;
+ ge_p3_to_cached(&rA_cached, &rA_p3);
+ ge_p1p1 Y_p1p1;
+ ge_add(&Y_p1p1, &cD_p3, &rA_cached);
+ ge_p2 Y_p2;
+ ge_p1p1_to_p2(&Y_p2, &Y_p1p1);
+
+ // compute c2 = Hs(Msg || D || X || Y)
+ s_comm_2 buf;
+ buf.msg = prefix_hash;
+ buf.D = D;
+ ge_tobytes(&buf.X, &X_p2);
+ ge_tobytes(&buf.Y, &Y_p2);
+ ec_scalar c2;
+ hash_to_scalar(&buf, sizeof(s_comm_2), c2);
+
+ // test if c2 == sig.c
+ sc_sub(&c2, &c2, &sig.c);
+ return sc_isnonzero(&c2) == 0;
+ }
+
static void hash_to_ec(const public_key &key, ge_p3 &res) {
hash h;
ge_p2 point;
@@ -280,7 +407,6 @@ POP_WARNINGS
const public_key *const *pubs, size_t pubs_count,
const secret_key &sec, size_t sec_index,
signature *sig) {
- boost::lock_guard<boost::mutex> lock(random_lock);
size_t i;
ge_p3 image_unp;
ge_dsmp image_pre;
diff --git a/src/crypto/crypto.h b/src/crypto/crypto.h
index 3b8c7996b..e99b6651f 100644
--- a/src/crypto/crypto.h
+++ b/src/crypto/crypto.h
@@ -123,6 +123,10 @@ namespace crypto {
friend void generate_signature(const hash &, const public_key &, const secret_key &, signature &);
static bool check_signature(const hash &, const public_key &, const signature &);
friend bool check_signature(const hash &, const public_key &, const signature &);
+ static void generate_tx_proof(const hash &, const public_key &, const public_key &, const public_key &, const secret_key &, signature &);
+ friend void generate_tx_proof(const hash &, const public_key &, const public_key &, const public_key &, const secret_key &, signature &);
+ static bool check_tx_proof(const hash &, const public_key &, const public_key &, const public_key &, const signature &);
+ friend bool check_tx_proof(const hash &, const public_key &, const public_key &, const public_key &, const signature &);
static void generate_key_image(const public_key &, const secret_key &, key_image &);
friend void generate_key_image(const public_key &, const secret_key &, key_image &);
static void generate_ring_signature(const hash &, const key_image &,
@@ -200,6 +204,16 @@ namespace crypto {
return crypto_ops::check_signature(prefix_hash, pub, sig);
}
+ /* Generation and checking of a tx proof; given a tx pubkey R, the recipient's view pubkey A, and the key
+ * derivation D, the signature proves the knowledge of the tx secret key r such that R=r*G and D=r*A
+ */
+ inline void generate_tx_proof(const hash &prefix_hash, const public_key &R, const public_key &A, const public_key &D, const secret_key &r, signature &sig) {
+ crypto_ops::generate_tx_proof(prefix_hash, R, A, D, r, sig);
+ }
+ inline bool check_tx_proof(const hash &prefix_hash, const public_key &R, const public_key &A, const public_key &D, const signature &sig) {
+ return crypto_ops::check_tx_proof(prefix_hash, R, A, D, sig);
+ }
+
/* To send money to a key:
* * The sender generates an ephemeral key and includes it in transaction output.
* * To spend the money, the receiver generates a key image from it.
diff --git a/src/crypto/slow-hash.c b/src/crypto/slow-hash.c
index 6afa28934..b92b6e6c3 100644
--- a/src/crypto/slow-hash.c
+++ b/src/crypto/slow-hash.c
@@ -979,34 +979,31 @@ STATIC void cn_mul128(const uint64_t *a, const uint64_t *b, uint64_t *r)
r[1] = lo;
}
#else /* ARM32 */
-/* Can work as inline, but actually runs slower. Keep it separate */
#define mul(a, b, c) cn_mul128((const uint32_t *)a, (const uint32_t *)b, (uint32_t *)c)
-void cn_mul128(const uint32_t *aa, const uint32_t *bb, uint32_t *r)
+STATIC void cn_mul128(const uint32_t *aa, const uint32_t *bb, uint32_t *r)
{
- uint32_t t0, t1;
+ uint32_t t0, t1, t2=0, t3=0;
__asm__ __volatile__(
"umull %[t0], %[t1], %[a], %[b]\n\t"
- "str %[t0], [%[r], #8]\n\t"
+ "str %[t0], %[ll]\n\t"
// accumulating with 0 can never overflow/carry
- "mov %[t0], #0\n\t"
+ "eor %[t0], %[t0]\n\t"
"umlal %[t1], %[t0], %[a], %[B]\n\t"
- "mov %[a], #0\n\t"
- "umlal %[t1], %[a], %[A], %[b]\n\t"
- "str %[t1], [%[r], #12]\n\t"
+ "umlal %[t1], %[t2], %[A], %[b]\n\t"
+ "str %[t1], %[lh]\n\t"
- "mov %[b], #0\n\t"
- "umlal %[t0], %[b], %[A], %[B]\n\t"
+ "umlal %[t0], %[t3], %[A], %[B]\n\t"
// final add may have a carry
- "adds %[t0], %[t0], %[a]\n\t"
- "adc %[t1], %[b], #0\n\t"
+ "adds %[t0], %[t0], %[t2]\n\t"
+ "adc %[t1], %[t3], #0\n\t"
- "str %[t0], [%[r]]\n\t"
- "str %[t1], [%[r], #4]\n\t"
- : [t0]"=&r"(t0), [t1]"=&r"(t1), "=m"(r[0]), "=m"(r[1]), "=m"(r[2]), "=m"(r[3])
- : [A]"r"(aa[1]), [a]"r"(aa[0]), [B]"r"(bb[1]), [b]"r"(bb[0]), [r]"r"(r)
+ "str %[t0], %[hl]\n\t"
+ "str %[t1], %[hh]\n\t"
+ : [t0]"=&r"(t0), [t1]"=&r"(t1), [t2]"+r"(t2), [t3]"+r"(t3), [hl]"=m"(r[0]), [hh]"=m"(r[1]), [ll]"=m"(r[2]), [lh]"=m"(r[3])
+ : [A]"r"(aa[1]), [a]"r"(aa[0]), [B]"r"(bb[1]), [b]"r"(bb[0])
: "cc");
}
#endif /* !aarch64 */
generated by cgit v1.2.3 (git 2.25.1) at 2025-02-14 05:10:42 +0000