// Copyright (c) 2014-2020, The Monero Project // // All rights reserved. // // Redistribution and use in source and binary forms, with or without modification, are // permitted provided that the following conditions are met: // // 1. Redistributions of source code must retain the above copyright notice, this list of // conditions and the following disclaimer. // // 2. Redistributions in binary form must reproduce the above copyright notice, this list // of conditions and the following disclaimer in the documentation and/or other // materials provided with the distribution. // // 3. Neither the name of the copyright holder nor the names of its contributors may be // used to endorse or promote products derived from this software without specific // prior written permission. // // THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY // EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF // MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL // THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, // SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, // PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS // INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, // STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF // THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. // // Parts of this file are originally copyright (c) 2012-2013 The Cryptonote developers #pragma once #include "ringct/rctSigs.h" #include "ringct/rctTypes.h" #include "device/device.hpp" using namespace rct; template<size_t a_N, size_t a_T, size_t a_w> class test_sig_clsag { public: static const size_t loop_count = 1000; static const size_t N = a_N; static const size_t T = a_T; static const size_t w = a_w; bool init() { pubs.reserve(N); pubs.resize(N); r = keyV(w); // M[l[u]] = Com(0,r[u]) a = keyV(w); // P[l[u]] = Com(a[u],s[u]) s = keyV(w); Q = keyV(T); // Q[j] = Com(b[j],t[j]) b = keyV(T); t = keyV(T); // Random keys key temp; for (size_t k = 0; k < N; k++) { skpkGen(temp,pubs[k].dest); skpkGen(temp,pubs[k].mask); } // Signing and commitment keys (assumes fixed signing indices 0,1,...,w-1 for this test) // TODO: random signing indices C_offsets = keyV(w); // P[l[u]] - C_offsets[u] = Com(0,s[u]-s1[u]) s1 = keyV(w); key a_sum = zero(); key s1_sum = zero(); messages = keyV(w); for (size_t u = 0; u < w; u++) { skpkGen(r[u],pubs[u].dest); // M[u] = Com(0,r[u]) a[u] = skGen(); // P[u] = Com(a[u],s[u]) s[u] = skGen(); addKeys2(pubs[u].mask,s[u],a[u],H); s1[u] = skGen(); // C_offsets[u] = Com(a[u],s1[u]) addKeys2(C_offsets[u],s1[u],a[u],H); sc_add(a_sum.bytes,a_sum.bytes,a[u].bytes); sc_add(s1_sum.bytes,s1_sum.bytes,s1[u].bytes); messages[u] = skGen(); } // Outputs key b_sum = zero(); key t_sum = zero(); for (size_t j = 0; j < T-1; j++) { b[j] = skGen(); // Q[j] = Com(b[j],t[j]) t[j] = skGen(); addKeys2(Q[j],t[j],b[j],H); sc_add(b_sum.bytes,b_sum.bytes,b[j].bytes); sc_add(t_sum.bytes,t_sum.bytes,t[j].bytes); } // Value/mask balance for Q[T-1] sc_sub(b[T-1].bytes,a_sum.bytes,b_sum.bytes); sc_sub(t[T-1].bytes,s1_sum.bytes,t_sum.bytes); addKeys2(Q[T-1],t[T-1],b[T-1],H); // Build proofs sigs.reserve(w); sigs.resize(0); ctkey sk; for (size_t u = 0; u < w; u++) { sk.dest = r[u]; sk.mask = s[u]; sigs.push_back(proveRctCLSAGSimple(messages[u],pubs,sk,s1[u],C_offsets[u],NULL,NULL,NULL,u,hw::get_device("default"))); } return true; } bool test() { for (size_t u = 0; u < w; u++) { if (!verRctCLSAGSimple(messages[u],sigs[u],pubs,C_offsets[u])) { return false; } } // Check balanace std::vector<MultiexpData> balance; balance.reserve(w + T); balance.resize(0); key ZERO = zero(); key ONE = identity(); key MINUS_ONE; sc_sub(MINUS_ONE.bytes,ZERO.bytes,ONE.bytes); for (size_t u = 0; u < w; u++) { balance.push_back({ONE,C_offsets[u]}); } for (size_t j = 0; j < T; j++) { balance.push_back({MINUS_ONE,Q[j]}); } if (!(straus(balance) == ONE)) // group identity { return false; } return true; } private: ctkeyV pubs; keyV Q; keyV r; keyV s; keyV s1; keyV t; keyV a; keyV b; keyV C_offsets; keyV messages; std::vector<clsag> sigs; };