Electroneum
rctOps.h
Go to the documentation of this file.
1 //#define DBG
2 // Copyright (c) 2016, Electroneum Research Labs
3 //
4 // Author: Shen Noether <shen.noether@gmx.com>
5 //
6 // All rights reserved.
7 //
8 // Redistribution and use in source and binary forms, with or without modification, are
9 // permitted provided that the following conditions are met:
10 //
11 // 1. Redistributions of source code must retain the above copyright notice, this list of
12 // conditions and the following disclaimer.
13 //
14 // 2. Redistributions in binary form must reproduce the above copyright notice, this list
15 // of conditions and the following disclaimer in the documentation and/or other
16 // materials provided with the distribution.
17 //
18 // 3. Neither the name of the copyright holder nor the names of its contributors may be
19 // used to endorse or promote products derived from this software without specific
20 // prior written permission.
21 //
22 // THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY
23 // EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
24 // MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL
25 // THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
26 // SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
27 // PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
28 // INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
29 // STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF
30 // THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
31 
32 #pragma once
33 
34 #ifndef RCTOPS_H
35 #define RCTOPS_H
36 
37 #include <cstddef>
38 #include <tuple>
39 
40 #include "crypto/generic-ops.h"
41 
42 extern "C" {
43 #include "crypto/random.h"
44 #include "crypto/keccak.h"
45 #include "rctCryptoOps.h"
46 }
47 #include "crypto/crypto.h"
48 
49 #include "rctTypes.h"
50 
51 //Define this flag when debugging to get additional info on the console
52 #ifdef DBG
53 #define DP(x) dp(x)
54 #else
55 #define DP(x)
56 #endif
57 
58 namespace rct {
59 
60  //Various key initialization functions
61 
62  static const key Z = { {0x00, 0x00, 0x00,0x00 , 0x00, 0x00, 0x00,0x00 , 0x00, 0x00, 0x00,0x00 , 0x00, 0x00, 0x00,0x00 , 0x00, 0x00, 0x00,0x00 , 0x00, 0x00, 0x00,0x00 , 0x00, 0x00, 0x00,0x00 , 0x00, 0x00, 0x00,0x00 } };
63  static const key I = { {0x01, 0x00, 0x00,0x00 , 0x00, 0x00, 0x00,0x00 , 0x00, 0x00, 0x00,0x00 , 0x00, 0x00, 0x00,0x00 , 0x00, 0x00, 0x00,0x00 , 0x00, 0x00, 0x00,0x00 , 0x00, 0x00, 0x00,0x00 , 0x00, 0x00, 0x00,0x00 } };
64  static const key L = { {0xed, 0xd3, 0xf5, 0x5c, 0x1a, 0x63, 0x12, 0x58, 0xd6, 0x9c, 0xf7, 0xa2, 0xde, 0xf9, 0xde, 0x14, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10 } };
65  static const key G = { {0x58, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66 } };
66  static const key EIGHT = { {0x08, 0x00, 0x00,0x00 , 0x00, 0x00, 0x00,0x00 , 0x00, 0x00, 0x00,0x00 , 0x00, 0x00, 0x00,0x00 , 0x00, 0x00, 0x00,0x00 , 0x00, 0x00, 0x00,0x00 , 0x00, 0x00, 0x00,0x00 , 0x00, 0x00, 0x00,0x00 } };
67  static const key INV_EIGHT = { { 0x79, 0x2f, 0xdc, 0xe2, 0x29, 0xe5, 0x06, 0x61, 0xd0, 0xda, 0x1c, 0x7d, 0xb3, 0x9d, 0xd3, 0x07, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x06 } };
68 
69  //Creates a zero scalar
70  inline key zero() { return Z; }
71  inline void zero(key &z) { memset(&z, 0, 32); }
72  //Creates a zero elliptic curve point
73  inline key identity() { return I; }
74  inline void identity(key &Id) { memcpy(&Id, &I, 32); }
75  //Creates a key equal to the curve order
76  inline key curveOrder() { return L; }
77  inline void curveOrder(key &l) { l = L; }
78  //copies a scalar or point
79  inline void copy(key &AA, const key &A) { memcpy(&AA, &A, 32); }
80  inline key copy(const key & A) { key AA; memcpy(&AA, &A, 32); return AA; }
81 
82  //initializes a key matrix;
83  //first parameter is rows,
84  //second is columns
85  keyM keyMInit(size_t rows, size_t cols);
86 
87  //Various key generation functions
88  bool toPointCheckOrder(ge_p3 *P, const unsigned char *data);
89 
90  //generates a random scalar which can be used as a secret key or mask
91  key skGen();
92  void skGen(key &);
93 
94  //generates a vector of secret keys of size "int"
95  keyV skvGen(size_t rows );
96 
97  //generates a random curve point (for testing)
98  key pkGen();
99  //generates a random secret and corresponding public key
100  void skpkGen(key &sk, key &pk);
101  std::tuple<key, key> skpkGen();
102  //generates a <secret , public> / Pedersen commitment to the amount
103  std::tuple<ctkey, ctkey> ctskpkGen(etn_amount amount);
104  //generates C =aG + bH from b, a is random
105  void genC(key & C, const key & a, etn_amount amount);
106  //this one is mainly for testing, can take arbitrary amounts..
107  std::tuple<ctkey, ctkey> ctskpkGen(const key &bH);
108  // make a pedersen commitment with given key
109  key commit(etn_amount amount, const key &mask);
110  // make a pedersen commitment with zero key
111  key zeroCommit(etn_amount amount);
112  //generates a random uint long long
113  etn_amount randEtnAmount(etn_amount upperlimit);
114 
115  //Scalar multiplications of curve points
116 
117  //does a * G where a is a scalar and G is the curve basepoint
118  void scalarmultBase(key & aG, const key &a);
119  key scalarmultBase(const key & a);
120  //does a * P where a is a scalar and P is an arbitrary point
121  void scalarmultKey(key &aP, const key &P, const key &a);
122  key scalarmultKey(const key &P, const key &a);
123  //Computes aH where H= toPoint(cn_fast_hash(G)), G the basepoint
124  key scalarmultH(const key & a);
125  // multiplies a point by 8
126  key scalarmult8(const key & P);
127  // checks a is in the main subgroup (ie, not a small one)
128  bool isInMainSubgroup(const key & a);
129 
130  //Curve addition / subtractions
131 
132  //for curve points: AB = A + B
133  void addKeys(key &AB, const key &A, const key &B);
134  rct::key addKeys(const key &A, const key &B);
135  rct::key addKeys(const keyV &A);
136  //aGB = aG + B where a is a scalar, G is the basepoint, and B is a point
137  void addKeys1(key &aGB, const key &a, const key & B);
138  //aGbB = aG + bB where a, b are scalars, G is the basepoint and B is a point
139  void addKeys2(key &aGbB, const key &a, const key &b, const key &B);
140  //Does some precomputation to make addKeys3 more efficient
141  // input B a curve point and output a ge_dsmp which has precomputation applied
142  void precomp(ge_dsmp rv, const key &B);
143  //aAbB = a*A + b*B where a, b are scalars, A, B are curve points
144  //B must be input after applying "precomp"
145  void addKeys3(key &aAbB, const key &a, const key &A, const key &b, const ge_dsmp B);
146  void addKeys3(key &aAbB, const key &a, const ge_dsmp A, const key &b, const ge_dsmp B);
147  //AB = A - B where A, B are curve points
148  void subKeys(key &AB, const key &A, const key &B);
149  //checks if A, B are equal as curve points
150  bool equalKeys(const key & A, const key & B);
151 
152  //Hashing - cn_fast_hash
153  //be careful these are also in crypto namespace
154  //cn_fast_hash for arbitrary l multiples of 32 bytes
155  void cn_fast_hash(key &hash, const void * data, const size_t l);
156  void hash_to_scalar(key &hash, const void * data, const size_t l);
157  //cn_fast_hash for a 32 byte key
158  void cn_fast_hash(key &hash, const key &in);
159  void hash_to_scalar(key &hash, const key &in);
160  //cn_fast_hash for a 32 byte key
161  key cn_fast_hash(const key &in);
162  key hash_to_scalar(const key &in);
163  //for mg sigs
164  key cn_fast_hash128(const void * in);
165  key hash_to_scalar128(const void * in);
166  key cn_fast_hash(const ctkeyV &PC);
167  key hash_to_scalar(const ctkeyV &PC);
168  //for mg sigs
169  key cn_fast_hash(const keyV &keys);
170  key hash_to_scalar(const keyV &keys);
171  //for ANSL
172  key cn_fast_hash(const key64 keys);
173  key hash_to_scalar(const key64 keys);
174 
175  //returns hashToPoint as described in https://github.com/ShenNoether/ge_fromfe_writeup
176  key hashToPointSimple(const key &in);
177  key hashToPoint(const key &in);
178  void hashToPoint(key &out, const key &in);
179 
180  //sums a vector of curve points (for scalars use sc_add)
181  void sumKeys(key & Csum, const key &Cis);
182 
183  //Elliptic Curve Diffie Helman: encodes and decodes the amount b and mask a
184  // where C= aG + bH
185  key genCommitmentMask(const key &sk);
186  void ecdhEncode(ecdhTuple & unmasked, const key & sharedSec, bool v2);
187  void ecdhDecode(ecdhTuple & masked, const key & sharedSec, bool v2);
188 }
189 #endif /* RCTOPS_H */
keyV skvGen(size_t rows)
Definition: rctOps.cpp:266
key curveOrder()
Definition: rctOps.h:76
void precomp(ge_dsmp rv, const key &B)
Definition: rctOps.cpp:476
bool isInMainSubgroup(const key &A)
Definition: rctOps.cpp:412
void addKeys1(key &aGB, const key &a, const key &B)
Definition: rctOps.cpp:459
key pkGen()
Definition: rctOps.cpp:277
void addKeys3(key &aAbB, const key &a, const key &A, const key &b, const ge_dsmp B)
Definition: rctOps.cpp:485
void scalarmultKey(key &aP, const key &P, const key &a)
Definition: rctOps.cpp:368
key commit(etn_amount amount, const key &mask)
Definition: rctOps.cpp:336
void sumKeys(key &Csum, const keyV &Cis)
Definition: rctOps.cpp:663
const char * key
Definition: hmac_keccak.cpp:39
key hash_to_scalar128(const void *in)
Definition: rctOps.cpp:571
tuple< ctkey, ctkey > ctskpkGen(etn_amount amount)
Definition: rctOps.cpp:302
key cn_fast_hash128(const void *in)
Definition: rctOps.cpp:565
void ecdhEncode(ecdhTuple &unmasked, const key &sharedSec, bool v2)
Definition: rctOps.cpp:697
key genCommitmentMask(const key &sk)
Definition: rctOps.cpp:687
void copy(key &AA, const key &A)
Definition: rctOps.h:79
bool toPointCheckOrder(ge_p3 *P, const unsigned char *data)
Definition: rctOps.cpp:241
keyM keyMInit(size_t rows, size_t cols)
Definition: rctOps.cpp:227
void cn_fast_hash(key &hash, const void *data, const std::size_t l)
Definition: rctOps.cpp:532
std::vector< key > keyV
Definition: rctTypes.h:88
uint64_t etn_amount
Definition: rctTypes.h:135
key key64[64]
Definition: rctTypes.h:137
std::vector< ctkey > ctkeyV
Definition: rctTypes.h:100
key scalarmultH(const key &a)
Definition: rctOps.cpp:389
void hash_to_scalar(key &hash, const void *data, const std::size_t l)
Definition: rctOps.cpp:536
void skGen(key &sk)
Definition: rctOps.cpp:253
void ecdhDecode(ecdhTuple &masked, const key &sharedSec, bool v2)
Definition: rctOps.cpp:712
etn_amount randEtnAmount(etn_amount upperlimit)
Definition: rctOps.cpp:343
const GenericPointer< typename T::ValueType > T2 T::AllocatorType & a
Definition: pointer.h:1124
void scalarmultBase(key &aG, const key &a)
Definition: rctOps.cpp:350
std::vector< keyV > keyM
Definition: rctTypes.h:89
ge_cached ge_dsmp[8]
Definition: crypto-ops.h:79
key identity()
Definition: rctOps.h:73
void * memcpy(void *a, const void *b, size_t c)
Matcher< T > A()
void subKeys(key &AB, const key &A, const key &B)
Definition: rctOps.cpp:505
void addKeys2(key &aGbB, const key &a, const key &b, const key &B)
Definition: rctOps.cpp:466
void skpkGen(key &sk, key &pk)
Definition: rctOps.cpp:284
key scalarmult8(const key &P)
Definition: rctOps.cpp:398
key hashToPoint(const key &hh)
Definition: rctOps.cpp:638
key zeroCommit(etn_amount amount)
Definition: rctOps.cpp:322
POD_CLASS hash
Definition: hash.h:50
void addKeys(key &AB, const key &A, const key &B)
Definition: rctOps.cpp:420
bool equalKeys(const key &a, const key &b)
Definition: rctOps.cpp:519
key zero()
Definition: rctOps.h:70
void genC(key &C, const key &a, etn_amount amount)
Definition: rctOps.cpp:297
key hashToPointSimple(const key &hh)
Definition: rctOps.cpp:624
int rows
Definition: crypto.h:86