1 // Copyright (c) 2016, Electroneum Research Labs
2 //
3 // Author: Shen Noether <shen.noether@gmx.com>
4 //
5 // All rights reserved.
6 //
7 // Redistribution and use in source and binary forms, with or without modification, are
8 // permitted provided that the following conditions are met:
9 //
10 // 1. Redistributions of source code must retain the above copyright notice, this list of
11 // conditions and the following disclaimer.
12 //
13 // 2. Redistributions in binary form must reproduce the above copyright notice, this list
14 // of conditions and the following disclaimer in the documentation and/or other
15 // materials provided with the distribution.
16 //
17 // 3. Neither the name of the copyright holder nor the names of its contributors may be
18 // used to endorse or promote products derived from this software without specific
19 // prior written permission.
20 //
21 // THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY
22 // EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
23 // MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL
24 // THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
25 // SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
26 // PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
27 // INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
28 // STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF
29 // THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
30 
31 #pragma once
32 
33 //#define DBG
34 
35 #ifndef RCTSIGS_H
36 #define RCTSIGS_H
37 
38 #include <cstddef>
39 #include <vector>
40 #include <tuple>
41 
42 #include "crypto/generic-ops.h"
43 
44 extern "C" {
45 #include "crypto/random.h"
46 #include "crypto/keccak.h"
47 }
48 #include "crypto/crypto.h"
49 
50 
51 #include "rctTypes.h"
52 #include "rctOps.h"
53 
54 //Define this flag when debugging to get additional info on the console
55 #ifdef DBG
56 #define DP(x) dp(x)
57 #else
58 #define DP(x)
59 #endif
60 
61 namespace hw {
62  class device;
63 }
64 
65 
namespace rct {

    //Borromean ring signatures over 64 pairs of public keys (P1[i], P2[i]).
    // genBorromean: builds the signature from the secret keys x, the two public key
    //   columns P1/P2 and the selector bits indices.
    // verifyBorromean: checks such a signature against P1/P2.
    // NOTE(review): rctSigs.cpp also carries a verifyBorromean taking
    //   (const boroSig&, const ge_p3[64], const ge_p3[64]); confirm which definition
    //   this key64 prototype resolves to.
    boroSig genBorromean(const key64 x, const key64 P1, const key64 P2, const bits indices);
    bool verifyBorromean(const boroSig &bb, const key64 P1, const key64 P2);

    //Multilayered Linkable Spontaneous Anonymous Group signatures (MLSAG),
    // called MG signatures in earlier drafts of the ring ct paper,
    // c.f. https://eprint.iacr.org/2015/1098 section 2.
    // MLSAG_Gen: produces a signature on "message" proving that for some column of the
    //   key matrix "pk" the signer knows the secret key of every row in that column;
    //   "xx" holds those secrets and "index" selects the column.
    //   kLRki / mscout are the multisig hooks (pointers; presumably nullptr when the
    //   transaction is not multisig - verify against rctSigs.cpp:174).
    //   dsRows is not documented here; its meaning is fixed by the definition in rctSigs.cpp.
    // MLSAG_Ver: checks that the signature was produced correctly for "pk" and "message".
    mgSig MLSAG_Gen(const key &message, const keyM & pk, const keyV & xx, const multisig_kLRki *kLRki, key *mscout, const unsigned int index, size_t dsRows, hw::device &hwdev);
    bool MLSAG_Ver(const key &message, const keyM &pk, const mgSig &sig, size_t dsRows);
    //mgSig MLSAG_Gen_Old(const keyM & pk, const keyV & xx, const int index);

    //Range proofs, c.f. https://eprint.iacr.org/2015/1098 section 5.1.
    // proveRange: writes the commitment C and its blinding "mask" for "amount", where
    //   C = mask*G + amount*H, and returns a proof that C = \sum Ci with each Ci a
    //   commitment to either 0 or 2^i, i = 0..63. This bounds "amount" to 64 bits,
    //   i.e. to the half-open range [0, 2^64).
    // verRange: checks that \sum Ci = C and that every Ci commits to 0 or 2^i.
    rangeSig proveRange(key & C, key & mask, const etn_amount & amount);
    bool verRange(const key & C, const rangeSig & as);

    //Ring-ct MG signatures, c.f. https://eprint.iacr.org/2015/1098 section 4, definition 10.
    // proveRctMG / proveRctMGSimple: run the MG signature over the "dest" part of the
    //   given key matrix; the last row is (sum of the column's input commitments) minus
    //   (sum of output commitments), so a valid signature shows sum inputs = sum outputs.
    // verRctMG / verRctMGSimple: check that such a signature was produced correctly.
    // NOTE(review): the definition in rctSigs.cpp names proveRctMG's fourth parameter
    //   as a ctkeyV (outSk) while this prototype declares a keyV (outMasks) - confirm
    //   the two agree, otherwise this declaration is stale.
    mgSig proveRctMG(const ctkeyM & pubs, const ctkeyV & inSk, const keyV &outMasks, const ctkeyV & outPk, const multisig_kLRki *kLRki, key *mscout, unsigned int index, const key &txnFee, const key &message, hw::device &hwdev);
    mgSig proveRctMGSimple(const key & message, const ctkeyV & pubs, const ctkey & inSk, const key &a , const key &Cout, const multisig_kLRki *kLRki, key *mscout, unsigned int index, hw::device &hwdev);
    bool verRctMG(const mgSig &mg, const ctkeyM & pubs, const ctkeyV & outPk, const key &txnFee, const key &message);
    bool verRctMGSimple(const key &message, const mgSig &mg, const ctkeyV & pubs, const key & C);

    //Stand-ins for fetching keys from the chain; to be replaced once a real
    // blockchain source is wired in.
    // getKeyFromBlockchain: fills "a" with the key found at "reference_index".
    // populateFromBlockchain: builds a key matrix with "mixin" columns, one of which
    //   is inPk, and returns that matrix together with the (randomly chosen) position
    //   at which inPk was placed.
    void getKeyFromBlockchain(ctkey & a, size_t reference_index);
    std::tuple<ctkeyM, etn_amount> populateFromBlockchain(ctkeyV inPk, int mixin);

    //RingCT protocol entry points.
    // genRct / genRctSimple: build an rctSig carrying everything needed to verify the
    //   range proofs, that the signer owns one of the columns claimed as inputs, and
    //   that sum of inputs = sum of outputs. The result also carries the masked
    //   "amount" and "mask" so the receiver can learn how much was sent.
    // verRct: checks every signature in the rctSig (range proofs, MG signature,
    //   sum inputs = sum outputs); with semantics == true only the structural/semantic
    //   checks run, with semantics == false only the cryptographic ones.
    // decodeRct / decodeRctSimple (c.f. https://eprint.iacr.org/2015/1098 section 5.1.1):
    //   use the attached ecdh info to recover the amount behind output commitment "i".
    //   The destination private key is required; with any other key the call still
    //   succeeds but yields an unrelated value, so the return value alone cannot tell
    //   a correct decode from a wrong key.
    rctSig genRct(const key &message, const ctkeyV & inSk, const keyV & destinations, const std::vector<etn_amount> & amounts, const ctkeyM &mixRing, const keyV &amount_keys, const multisig_kLRki *kLRki, multisig_out *msout, unsigned int index, ctkeyV &outSk, const RCTConfig &rct_config, hw::device &hwdev);
    rctSig genRct(const key &message, const ctkeyV & inSk, const ctkeyV & inPk, const keyV & destinations, const std::vector<etn_amount> & amounts, const keyV &amount_keys, const multisig_kLRki *kLRki, multisig_out *msout, const int mixin, const RCTConfig &rct_config, hw::device &hwdev);
    rctSig genRctSimple(const key & message, const ctkeyV & inSk, const ctkeyV & inPk, const keyV & destinations, const std::vector<etn_amount> & inamounts, const std::vector<etn_amount> & outamounts, const keyV &amount_keys, const std::vector<multisig_kLRki> *kLRki, multisig_out *msout, etn_amount txnFee, unsigned int mixin, const RCTConfig &rct_config, hw::device &hwdev);
    rctSig genRctSimple(const key & message, const ctkeyV & inSk, const keyV & destinations, const std::vector<etn_amount> & inamounts, const std::vector<etn_amount> & outamounts, etn_amount txnFee, const ctkeyM & mixRing, const keyV &amount_keys, const std::vector<multisig_kLRki> *kLRki, multisig_out *msout, const std::vector<unsigned int> & index, ctkeyV &outSk, const RCTConfig &rct_config, hw::device &hwdev);
    bool verRct(const rctSig & rv, bool semantics);

    // Full verification: the semantic pass runs first and, only if it succeeds,
    // the cryptographic pass. A semantic failure therefore short-circuits.
    static inline bool verRct(const rctSig & rv)
    {
        if (!verRct(rv, true))
            return false;
        return verRct(rv, false);
    }

    // "Simple" variant of the split verification; the vector overload of the
    // semantics check takes a batch of signatures.
    bool verRctSemanticsSimple(const rctSig & rv);
    bool verRctSemanticsSimple(const std::vector<const rctSig*> & rv);
    bool verRctNonSemanticsSimple(const rctSig & rv);

    // Full "simple" verification: semantics first, then the non-semantic pass,
    // which is skipped when the semantic pass fails.
    static inline bool verRctSimple(const rctSig & rv)
    {
        if (!verRctSemanticsSimple(rv))
            return false;
        return verRctNonSemanticsSimple(rv);
    }

    // Overloads without "mask" discard the recovered blinding factor.
    etn_amount decodeRct(const rctSig & rv, const key & sk, unsigned int i, key & mask, hw::device &hwdev);
    etn_amount decodeRct(const rctSig & rv, const key & sk, unsigned int i, hw::device &hwdev);
    etn_amount decodeRctSimple(const rctSig & rv, const key & sk, unsigned int i, key & mask, hw::device &hwdev);
    etn_amount decodeRctSimple(const rctSig & rv, const key & sk, unsigned int i, hw::device &hwdev);

    // Presumably the hash over rv that the MLSAG message commits to - confirm in rctSigs.cpp:403.
    key get_pre_mlsag_hash(const rctSig &rv, hw::device &hwdev);

    // Multisig signing step over an rctSig produced by the genRct* family; the
    // parameter contract is not documented here, see rctSigs.cpp:1210.
    bool signMultisig(rctSig &rv, const std::vector<unsigned int> &indices, const keyV &k, const multisig_out &msout, const key &secret_key);
}
139 #endif /* RCTSIGS_H */
140 