From 443fe7d092a58ed83084854f647569fb1261ab03 Mon Sep 17 00:00:00 2001 From: Jack Grigg Date: Mon, 3 Feb 2020 19:35:31 +0000 Subject: [PATCH] Bring in librustzcash crate Source: https://github.com/zcash/librustzcash.git Revision: a57dc7f47807ea50cb0a5deec9b84b3e7da11bc0 --- src/rust/Cargo.toml | 36 + src/rust/README.md | 25 + src/rust/include/librustzcash.h | 312 +++++++ src/rust/src/rustzcash.rs | 1223 ++++++++++++++++++++++++++ src/rust/src/tests/key_agreement.rs | 76 ++ src/rust/src/tests/key_components.rs | 731 +++++++++++++++ src/rust/src/tests/mod.rs | 96 ++ src/rust/src/tests/notes.rs | 673 ++++++++++++++ src/rust/src/tests/signatures.rs | 514 +++++++++++ 9 files changed, 3686 insertions(+) create mode 100644 src/rust/Cargo.toml create mode 100644 src/rust/README.md create mode 100644 src/rust/include/librustzcash.h create mode 100644 src/rust/src/rustzcash.rs create mode 100644 src/rust/src/tests/key_agreement.rs create mode 100644 src/rust/src/tests/key_components.rs create mode 100644 src/rust/src/tests/mod.rs create mode 100644 src/rust/src/tests/notes.rs create mode 100644 src/rust/src/tests/signatures.rs diff --git a/src/rust/Cargo.toml b/src/rust/Cargo.toml new file mode 100644 index 000000000..432222b00 --- /dev/null +++ b/src/rust/Cargo.toml @@ -0,0 +1,36 @@ +[package] +name = "librustzcash" +description = "Rust FFI used by the zcashd binary. Not an official API." +version = "0.2.0" +authors = [ + "Sean Bowe ", + "Jack Grigg ", + "Jay Graber ", + "Simon Liu " +] +homepage = "https://github.com/zcash/librustzcash" +repository = "https://github.com/zcash/librustzcash" +readme = "README.md" +license = "MIT OR Apache-2.0" +edition = "2018" + +[lib] +name = "rustzcash" +path = "src/rustzcash.rs" +crate-type = ["staticlib"] + +[dependencies] +bellman = { version = "0.2.0", path = "../bellman" } +blake2b_simd = "0.5" +blake2s_simd = "0.5" +ff = { version = "0.5.0", path = "../ff" } +libc = "0.2" +pairing = { version = "0.15.0", path = "../pairing" } +lazy_static = "1" +byteorder = "1" +rand_core = "0.5.1" +zcash_primitives = { version = "0.1.0", path = "../zcash_primitives" } +zcash_proofs = { version = "0.1.0", path = "../zcash_proofs" } + +[badges] +maintenance = { status = "deprecated" } diff --git a/src/rust/README.md b/src/rust/README.md new file mode 100644 index 000000000..0d6eeaed0 --- /dev/null +++ b/src/rust/README.md @@ -0,0 +1,25 @@ +# librustzcash + +`librustzcash` is an FFI library crate that exposes the Zcash Rust components to +the `zcashd` full node. + +The FFI API does not have any stability guarantees, and will change as required +by `zcashd`. + +## License + +Licensed under either of + + * Apache License, Version 2.0, ([LICENSE-APACHE](../LICENSE-APACHE) or + http://www.apache.org/licenses/LICENSE-2.0) + * MIT license ([LICENSE-MIT](../LICENSE-MIT) or http://opensource.org/licenses/MIT) + +at your option. + +### Contribution + +Unless you explicitly state otherwise, any contribution intentionally +submitted for inclusion in the work by you, as defined in the Apache-2.0 +license, shall be dual licensed as above, without any additional terms or +conditions. + diff --git a/src/rust/include/librustzcash.h b/src/rust/include/librustzcash.h new file mode 100644 index 000000000..a3ca5e8d3 --- /dev/null +++ b/src/rust/include/librustzcash.h @@ -0,0 +1,312 @@ +#ifndef LIBRUSTZCASH_INCLUDE_H_ +#define LIBRUSTZCASH_INCLUDE_H_ + +#include + +extern "C" { +#ifdef WIN32 + typedef uint16_t codeunit; +#else + typedef uint8_t codeunit; +#endif + + void librustzcash_to_scalar(const unsigned char *input, unsigned char *result); + + void librustzcash_ask_to_ak(const unsigned char *ask, unsigned char *result); + + void librustzcash_nsk_to_nk(const unsigned char *nsk, unsigned char *result); + + void librustzcash_crh_ivk(const unsigned char *ak, const unsigned char *nk, unsigned char *result); + + bool librustzcash_check_diversifier(const unsigned char *diversifier); + + bool librustzcash_ivk_to_pkd(const unsigned char *ivk, const unsigned char *diversifier, unsigned char *result); + + /// Loads the zk-SNARK parameters into memory and saves + /// paths as necessary. Only called once. + void librustzcash_init_zksnark_params( + const codeunit* spend_path, + size_t spend_path_len, + const char* spend_hash, + const codeunit* output_path, + size_t output_path_len, + const char* output_hash, + const codeunit* sprout_path, + size_t sprout_path_len, + const char* sprout_hash + ); + + /// Validates the provided Equihash solution against + /// the given parameters, input and nonce. + bool librustzcash_eh_isvalid( + uint32_t n, + uint32_t k, + const unsigned char* input, + size_t input_len, + const unsigned char* nonce, + size_t nonce_len, + const unsigned char* soln, + size_t soln_len + ); + + /// Writes the "uncommitted" note value for empty leaves + /// of the merkle tree. `result` must be a valid pointer + /// to 32 bytes which will be written. + void librustzcash_tree_uncommitted( + unsigned char *result + ); + + /// Computes a merkle tree hash for a given depth. + /// The `depth` parameter should not be larger than + /// 62. + /// + /// `a` and `b` each must be of length 32, and must each + /// be scalars of BLS12-381. + /// + /// The result of the merkle tree hash is placed in + /// `result`, which must also be of length 32. + void librustzcash_merkle_hash( + size_t depth, + const unsigned char *a, + const unsigned char *b, + unsigned char *result + ); + + /// Computes the signature for each Spend description, given the key + /// `ask`, the re-randomization `ar`, the 32-byte sighash `sighash`, + /// and an output `result` buffer of 64-bytes for the signature. + /// + /// This function will fail if the provided `ask` or `ar` are invalid. + bool librustzcash_sapling_spend_sig( + const unsigned char *ask, + const unsigned char *ar, + const unsigned char *sighash, + unsigned char *result + ); + + /// Creates a Sapling proving context. Please free this when you're done. + void * librustzcash_sapling_proving_ctx_init(); + + /// This function (using the proving context) constructs a Spend proof + /// given the necessary witness information. It outputs `cv` (the value + /// commitment) and `rk` (so that you don't have to compute it) along + /// with the proof. + bool librustzcash_sapling_spend_proof( + void *ctx, + const unsigned char *ak, + const unsigned char *nsk, + const unsigned char *diversifier, + const unsigned char *rcm, + const unsigned char *ar, + const uint64_t value, + const unsigned char *anchor, + const unsigned char *witness, + unsigned char *cv, + unsigned char *rk, + unsigned char *zkproof + ); + + /// This function (using the proving context) constructs an Output + /// proof given the necessary witness information. It outputs `cv` + /// and the `zkproof`. + bool librustzcash_sapling_output_proof( + void *ctx, + const unsigned char *esk, + const unsigned char *payment_address, + const unsigned char *rcm, + const uint64_t value, + unsigned char *cv, + unsigned char *zkproof + ); + + /// This function (using the proving context) constructs a binding + /// signature. You must provide the intended valueBalance so that + /// we can internally check consistency. + bool librustzcash_sapling_binding_sig( + const void *ctx, + int64_t valueBalance, + const unsigned char *sighash, + unsigned char *result + ); + + /// Frees a Sapling proving context returned from + /// `librustzcash_sapling_proving_ctx_init`. + void librustzcash_sapling_proving_ctx_free(void *); + + /// Creates a Sapling verification context. Please free this + /// when you're done. + void * librustzcash_sapling_verification_ctx_init(); + + /// Check the validity of a Sapling Spend description, + /// accumulating the value commitment into the context. + bool librustzcash_sapling_check_spend( + void *ctx, + const unsigned char *cv, + const unsigned char *anchor, + const unsigned char *nullifier, + const unsigned char *rk, + const unsigned char *zkproof, + const unsigned char *spendAuthSig, + const unsigned char *sighashValue + ); + + /// Check the validity of a Sapling Output description, + /// accumulating the value commitment into the context. + bool librustzcash_sapling_check_output( + void *ctx, + const unsigned char *cv, + const unsigned char *cm, + const unsigned char *ephemeralKey, + const unsigned char *zkproof + ); + + /// Finally checks the validity of the entire Sapling + /// transaction given valueBalance and the binding signature. + bool librustzcash_sapling_final_check( + void *ctx, + int64_t valueBalance, + const unsigned char *bindingSig, + const unsigned char *sighashValue + ); + + /// Frees a Sapling verification context returned from + /// `librustzcash_sapling_verification_ctx_init`. + void librustzcash_sapling_verification_ctx_free(void *); + + /// Compute a Sapling nullifier. + /// + /// The `diversifier` parameter must be 11 bytes in length. + /// The `pk_d`, `r`, `ak` and `nk` parameters must be of length 32. + /// The result is also of length 32 and placed in `result`. + /// Returns false if the diversifier or pk_d is not valid + bool librustzcash_sapling_compute_nf( + const unsigned char *diversifier, + const unsigned char *pk_d, + const uint64_t value, + const unsigned char *r, + const unsigned char *ak, + const unsigned char *nk, + const uint64_t position, + unsigned char *result + ); + + /// Compute a Sapling commitment. + /// + /// The `diversifier` parameter must be 11 bytes in length. + /// The `pk_d` and `r` parameters must be of length 32. + /// The result is also of length 32 and placed in `result`. + /// Returns false if the diversifier or pk_d is not valid + bool librustzcash_sapling_compute_cm( + const unsigned char *diversifier, + const unsigned char *pk_d, + const uint64_t value, + const unsigned char *r, + unsigned char *result + ); + + /// Compute [sk] [8] P for some 32-byte + /// point P, and 32-byte Fs. If P or sk + /// are invalid, returns false. Otherwise, + /// the result is written to the 32-byte + /// `result` buffer. + bool librustzcash_sapling_ka_agree( + const unsigned char *p, + const unsigned char *sk, + unsigned char *result + ); + + /// Compute g_d = GH(diversifier) and returns + /// false if the diversifier is invalid. + /// Computes [esk] g_d and writes the result + /// to the 32-byte `result` buffer. Returns + /// false if `esk` is not a valid scalar. + bool librustzcash_sapling_ka_derivepublic( + const unsigned char *diversifier, + const unsigned char *esk, + unsigned char *result + ); + + /// Generate uniformly random scalar in Jubjub. + /// The result is of length 32. + void librustzcash_sapling_generate_r( + unsigned char *result + ); + + /// Sprout JoinSplit proof generation. + void librustzcash_sprout_prove( + unsigned char *proof_out, + + const unsigned char *phi, + const unsigned char *rt, + const unsigned char *h_sig, + + const unsigned char *in_sk1, + uint64_t in_value1, + const unsigned char *in_rho1, + const unsigned char *in_r1, + const unsigned char *in_auth1, + + const unsigned char *in_sk2, + uint64_t in_value2, + const unsigned char *in_rho2, + const unsigned char *in_r2, + const unsigned char *in_auth2, + + const unsigned char *out_pk1, + uint64_t out_value1, + const unsigned char *out_r1, + + const unsigned char *out_pk2, + uint64_t out_value2, + const unsigned char *out_r2, + + uint64_t vpub_old, + uint64_t vpub_new + ); + + /// Sprout JoinSplit proof verification. + bool librustzcash_sprout_verify( + const unsigned char *proof, + const unsigned char *rt, + const unsigned char *h_sig, + const unsigned char *mac1, + const unsigned char *mac2, + const unsigned char *nf1, + const unsigned char *nf2, + const unsigned char *cm1, + const unsigned char *cm2, + uint64_t vpub_old, + uint64_t vpub_new + ); + + /// Derive the master ExtendedSpendingKey from a seed. + void librustzcash_zip32_xsk_master( + const unsigned char *seed, + size_t seedlen, + unsigned char *xsk_master + ); + + /// Derive a child ExtendedSpendingKey from a parent. + void librustzcash_zip32_xsk_derive( + const unsigned char *xsk_parent, + uint32_t i, + unsigned char *xsk_i + ); + + /// Derive a child ExtendedFullViewingKey from a parent. + bool librustzcash_zip32_xfvk_derive( + const unsigned char *xfvk_parent, + uint32_t i, + unsigned char *xfvk_i + ); + + /// Derive a PaymentAddress from an ExtendedFullViewingKey. + bool librustzcash_zip32_xfvk_address( + const unsigned char *xfvk, + const unsigned char *j, + unsigned char *j_ret, + unsigned char *addr_ret + ); +} + +#endif // LIBRUSTZCASH_INCLUDE_H_ diff --git a/src/rust/src/rustzcash.rs b/src/rust/src/rustzcash.rs new file mode 100644 index 000000000..fc8d3ef90 --- /dev/null +++ b/src/rust/src/rustzcash.rs @@ -0,0 +1,1223 @@ +// Catch documentation errors caused by code changes. +#![deny(intra_doc_link_resolution_failure)] + +use lazy_static; + +use ff::{PrimeField, PrimeFieldRepr}; +use pairing::bls12_381::{Bls12, Fr, FrRepr}; + +use zcash_primitives::{ + constants::CRH_IVK_PERSONALIZATION, + jubjub::{ + edwards, + fs::{Fs, FsRepr}, + FixedGenerators, JubjubEngine, JubjubParams, PrimeOrder, ToUniform, Unknown, + }, +}; + +use zcash_proofs::circuit::sapling::TREE_DEPTH as SAPLING_TREE_DEPTH; +use zcash_proofs::circuit::sprout::{self, TREE_DEPTH as SPROUT_TREE_DEPTH}; + +use bellman::gadgets::multipack; +use bellman::groth16::{ + create_random_proof, verify_proof, Parameters, PreparedVerifyingKey, Proof, +}; + +use blake2s_simd::Params as Blake2sParams; + +use byteorder::{LittleEndian, ReadBytesExt, WriteBytesExt}; + +use rand_core::{OsRng, RngCore}; +use std::io::BufReader; + +use libc::{c_char, c_uchar, size_t}; +use std::ffi::CStr; +use std::fs::File; +use std::path::{Path, PathBuf}; +use std::slice; + +#[cfg(not(target_os = "windows"))] +use std::ffi::OsStr; +#[cfg(not(target_os = "windows"))] +use std::os::unix::ffi::OsStrExt; + +#[cfg(target_os = "windows")] +use std::ffi::OsString; +#[cfg(target_os = "windows")] +use std::os::windows::ffi::OsStringExt; + +use zcash_primitives::{ + block::equihash, + merkle_tree::CommitmentTreeWitness, + note_encryption::sapling_ka_agree, + primitives::{Diversifier, Note, PaymentAddress, ProofGenerationKey, ViewingKey}, + redjubjub::{self, Signature}, + sapling::{merkle_hash, spend_sig}, + transaction::components::Amount, + zip32, JUBJUB, +}; +use zcash_proofs::{ + load_parameters, + sapling::{SaplingProvingContext, SaplingVerificationContext}, +}; + +#[cfg(test)] +mod tests; + +static mut SAPLING_SPEND_VK: Option> = None; +static mut SAPLING_OUTPUT_VK: Option> = None; +static mut SPROUT_GROTH16_VK: Option> = None; + +static mut SAPLING_SPEND_PARAMS: Option> = None; +static mut SAPLING_OUTPUT_PARAMS: Option> = None; +static mut SPROUT_GROTH16_PARAMS_PATH: Option = None; + +/// Writes an FrRepr to [u8] of length 32 +fn write_le(f: FrRepr, to: &mut [u8]) { + assert_eq!(to.len(), 32); + + f.write_le(to).expect("length is 32 bytes"); +} + +/// Reads an FrRepr from a [u8] of length 32. +/// This will panic (abort) if length provided is +/// not correct. +fn read_le(from: &[u8]) -> FrRepr { + assert_eq!(from.len(), 32); + + let mut f = FrRepr::default(); + f.read_le(from).expect("length is 32 bytes"); + + f +} + +/// Reads an FsRepr from [u8] of length 32 +/// This will panic (abort) if length provided is +/// not correct +fn read_fs(from: &[u8]) -> FsRepr { + assert_eq!(from.len(), 32); + + let mut f = <::Fs as PrimeField>::Repr::default(); + f.read_le(from).expect("length is 32 bytes"); + + f +} + +/// Reads an FsRepr from [u8] of length 32 +/// and multiplies it by the given base. +/// This will panic (abort) if length provided is +/// not correct +fn fixed_scalar_mult(from: &[u8], p_g: FixedGenerators) -> edwards::Point { + let f = read_fs(from); + + JUBJUB.generator(p_g).mul(f, &JUBJUB) +} + +#[cfg(not(target_os = "windows"))] +#[no_mangle] +pub extern "system" fn librustzcash_init_zksnark_params( + spend_path: *const u8, + spend_path_len: usize, + spend_hash: *const c_char, + output_path: *const u8, + output_path_len: usize, + output_hash: *const c_char, + sprout_path: *const u8, + sprout_path_len: usize, + sprout_hash: *const c_char, +) { + let spend_path = Path::new(OsStr::from_bytes(unsafe { + slice::from_raw_parts(spend_path, spend_path_len) + })); + let output_path = Path::new(OsStr::from_bytes(unsafe { + slice::from_raw_parts(output_path, output_path_len) + })); + let sprout_path = if sprout_path.is_null() { + None + } else { + Some(Path::new(OsStr::from_bytes(unsafe { + slice::from_raw_parts(sprout_path, sprout_path_len) + }))) + }; + + init_zksnark_params( + spend_path, + spend_hash, + output_path, + output_hash, + sprout_path, + sprout_hash, + ) +} + +#[cfg(target_os = "windows")] +#[no_mangle] +pub extern "system" fn librustzcash_init_zksnark_params( + spend_path: *const u16, + spend_path_len: usize, + spend_hash: *const c_char, + output_path: *const u16, + output_path_len: usize, + output_hash: *const c_char, + sprout_path: *const u16, + sprout_path_len: usize, + sprout_hash: *const c_char, +) { + let spend_path = + OsString::from_wide(unsafe { slice::from_raw_parts(spend_path, spend_path_len) }); + let output_path = + OsString::from_wide(unsafe { slice::from_raw_parts(output_path, output_path_len) }); + let sprout_path = if sprout_path.is_null() { + None + } else { + Some(OsString::from_wide(unsafe { + slice::from_raw_parts(sprout_path, sprout_path_len) + })) + }; + + init_zksnark_params( + Path::new(&spend_path), + spend_hash, + Path::new(&output_path), + output_hash, + sprout_path.as_ref().map(|p| Path::new(p)), + sprout_hash, + ) +} + +fn init_zksnark_params( + spend_path: &Path, + spend_hash: *const c_char, + output_path: &Path, + output_hash: *const c_char, + sprout_path: Option<&Path>, + sprout_hash: *const c_char, +) { + // Initialize jubjub parameters here + lazy_static::initialize(&JUBJUB); + + let spend_hash = unsafe { CStr::from_ptr(spend_hash) } + .to_str() + .expect("hash should be a valid string"); + + let output_hash = unsafe { CStr::from_ptr(output_hash) } + .to_str() + .expect("hash should be a valid string"); + + let sprout_hash = if sprout_path.is_none() { + None + } else { + Some( + unsafe { CStr::from_ptr(sprout_hash) } + .to_str() + .expect("hash should be a valid string"), + ) + }; + + // Load params + let (spend_params, spend_vk, output_params, output_vk, sprout_vk) = load_parameters( + spend_path, + spend_hash, + output_path, + output_hash, + sprout_path, + sprout_hash, + ); + + // Caller is responsible for calling this function once, so + // these global mutations are safe. + unsafe { + SAPLING_SPEND_PARAMS = Some(spend_params); + SAPLING_OUTPUT_PARAMS = Some(output_params); + SPROUT_GROTH16_PARAMS_PATH = sprout_path.map(|p| p.to_owned()); + + SAPLING_SPEND_VK = Some(spend_vk); + SAPLING_OUTPUT_VK = Some(output_vk); + SPROUT_GROTH16_VK = sprout_vk; + } +} + +#[no_mangle] +pub extern "system" fn librustzcash_tree_uncommitted(result: *mut [c_uchar; 32]) { + let tmp = Note::::uncommitted().into_repr(); + + // Should be okay, caller is responsible for ensuring the pointer + // is a valid pointer to 32 bytes that can be mutated. + let result = unsafe { &mut *result }; + + write_le(tmp, &mut result[..]); +} + +#[no_mangle] +pub extern "system" fn librustzcash_merkle_hash( + depth: size_t, + a: *const [c_uchar; 32], + b: *const [c_uchar; 32], + result: *mut [c_uchar; 32], +) { + // Should be okay, because caller is responsible for ensuring + // the pointer is a valid pointer to 32 bytes, and that is the + // size of the representation + let a_repr = read_le(unsafe { &(&*a)[..] }); + + // Should be okay, because caller is responsible for ensuring + // the pointer is a valid pointer to 32 bytes, and that is the + // size of the representation + let b_repr = read_le(unsafe { &(&*b)[..] }); + + let tmp = merkle_hash(depth, &a_repr, &b_repr); + + // Should be okay, caller is responsible for ensuring the pointer + // is a valid pointer to 32 bytes that can be mutated. + let result = unsafe { &mut *result }; + + write_le(tmp, &mut result[..]); +} + +#[no_mangle] // ToScalar +pub extern "system" fn librustzcash_to_scalar( + input: *const [c_uchar; 64], + result: *mut [c_uchar; 32], +) { + // Should be okay, because caller is responsible for ensuring + // the pointer is a valid pointer to 32 bytes, and that is the + // size of the representation + let scalar = ::Fs::to_uniform(unsafe { &(&*input)[..] }).into_repr(); + + let result = unsafe { &mut *result }; + + scalar + .write_le(&mut result[..]) + .expect("length is 32 bytes"); +} + +#[no_mangle] +pub extern "system" fn librustzcash_ask_to_ak( + ask: *const [c_uchar; 32], + result: *mut [c_uchar; 32], +) { + let ask = unsafe { &*ask }; + let ak = fixed_scalar_mult(ask, FixedGenerators::SpendingKeyGenerator); + + let result = unsafe { &mut *result }; + + ak.write(&mut result[..]).expect("length is 32 bytes"); +} + +#[no_mangle] +pub extern "system" fn librustzcash_nsk_to_nk( + nsk: *const [c_uchar; 32], + result: *mut [c_uchar; 32], +) { + let nsk = unsafe { &*nsk }; + let nk = fixed_scalar_mult(nsk, FixedGenerators::ProofGenerationKey); + + let result = unsafe { &mut *result }; + + nk.write(&mut result[..]).expect("length is 32 bytes"); +} + +#[no_mangle] +pub extern "system" fn librustzcash_crh_ivk( + ak: *const [c_uchar; 32], + nk: *const [c_uchar; 32], + result: *mut [c_uchar; 32], +) { + let ak = unsafe { &*ak }; + let nk = unsafe { &*nk }; + + let mut h = Blake2sParams::new() + .hash_length(32) + .personal(CRH_IVK_PERSONALIZATION) + .to_state(); + h.update(ak); + h.update(nk); + let mut h = h.finalize().as_ref().to_vec(); + + // Drop the last five bits, so it can be interpreted as a scalar. + h[31] &= 0b0000_0111; + + let result = unsafe { &mut *result }; + + result.copy_from_slice(&h); +} + +#[no_mangle] +pub extern "system" fn librustzcash_check_diversifier(diversifier: *const [c_uchar; 11]) -> bool { + let diversifier = Diversifier(unsafe { *diversifier }); + diversifier.g_d::(&JUBJUB).is_some() +} + +#[no_mangle] +pub extern "system" fn librustzcash_ivk_to_pkd( + ivk: *const [c_uchar; 32], + diversifier: *const [c_uchar; 11], + result: *mut [c_uchar; 32], +) -> bool { + let ivk = read_fs(unsafe { &*ivk }); + let diversifier = Diversifier(unsafe { *diversifier }); + if let Some(g_d) = diversifier.g_d::(&JUBJUB) { + let pk_d = g_d.mul(ivk, &JUBJUB); + + let result = unsafe { &mut *result }; + + pk_d.write(&mut result[..]).expect("length is 32 bytes"); + + true + } else { + false + } +} + +/// Test generation of commitment randomness +#[test] +fn test_gen_r() { + let mut r1 = [0u8; 32]; + let mut r2 = [0u8; 32]; + + // Verify different r values are generated + librustzcash_sapling_generate_r(&mut r1); + librustzcash_sapling_generate_r(&mut r2); + assert_ne!(r1, r2); + + // Verify r values are valid in the field + let mut repr = FsRepr::default(); + repr.read_le(&r1[..]).expect("length is not 32 bytes"); + let _ = Fs::from_repr(repr).unwrap(); + repr.read_le(&r2[..]).expect("length is not 32 bytes"); + let _ = Fs::from_repr(repr).unwrap(); +} + +/// Return 32 byte random scalar, uniformly. +#[no_mangle] +pub extern "system" fn librustzcash_sapling_generate_r(result: *mut [c_uchar; 32]) { + // create random 64 byte buffer + let mut rng = OsRng; + let mut buffer = [0u8; 64]; + rng.fill_bytes(&mut buffer); + + // reduce to uniform value + let r = ::Fs::to_uniform(&buffer[..]); + let result = unsafe { &mut *result }; + r.into_repr() + .write_le(&mut result[..]) + .expect("result must be 32 bytes"); +} + +// Private utility function to get Note from C parameters +fn priv_get_note( + diversifier: *const [c_uchar; 11], + pk_d: *const [c_uchar; 32], + value: u64, + r: *const [c_uchar; 32], +) -> Result, ()> { + let diversifier = Diversifier(unsafe { *diversifier }); + let g_d = match diversifier.g_d::(&JUBJUB) { + Some(g_d) => g_d, + None => return Err(()), + }; + + let pk_d = match edwards::Point::::read(&(unsafe { &*pk_d })[..], &JUBJUB) { + Ok(p) => p, + Err(_) => return Err(()), + }; + + let pk_d = match pk_d.as_prime_order(&JUBJUB) { + Some(pk_d) => pk_d, + None => return Err(()), + }; + + // Deserialize randomness + let r = match Fs::from_repr(read_fs(&(unsafe { &*r })[..])) { + Ok(r) => r, + Err(_) => return Err(()), + }; + + let note = Note { + value, + g_d, + pk_d, + r, + }; + + Ok(note) +} + +/// Compute Sapling note nullifier. +#[no_mangle] +pub extern "system" fn librustzcash_sapling_compute_nf( + diversifier: *const [c_uchar; 11], + pk_d: *const [c_uchar; 32], + value: u64, + r: *const [c_uchar; 32], + ak: *const [c_uchar; 32], + nk: *const [c_uchar; 32], + position: u64, + result: *mut [c_uchar; 32], +) -> bool { + let note = match priv_get_note(diversifier, pk_d, value, r) { + Ok(p) => p, + Err(_) => return false, + }; + + let ak = match edwards::Point::::read(&(unsafe { &*ak })[..], &JUBJUB) { + Ok(p) => p, + Err(_) => return false, + }; + + let ak = match ak.as_prime_order(&JUBJUB) { + Some(ak) => ak, + None => return false, + }; + + let nk = match edwards::Point::::read(&(unsafe { &*nk })[..], &JUBJUB) { + Ok(p) => p, + Err(_) => return false, + }; + + let nk = match nk.as_prime_order(&JUBJUB) { + Some(nk) => nk, + None => return false, + }; + + let vk = ViewingKey { ak, nk }; + let nf = note.nf(&vk, position, &JUBJUB); + let result = unsafe { &mut *result }; + result.copy_from_slice(&nf); + + true +} + +/// Compute Sapling note commitment. +#[no_mangle] +pub extern "system" fn librustzcash_sapling_compute_cm( + diversifier: *const [c_uchar; 11], + pk_d: *const [c_uchar; 32], + value: u64, + r: *const [c_uchar; 32], + result: *mut [c_uchar; 32], +) -> bool { + let note = match priv_get_note(diversifier, pk_d, value, r) { + Ok(p) => p, + Err(_) => return false, + }; + + let result = unsafe { &mut *result }; + write_le(note.cm(&JUBJUB).into_repr(), &mut result[..]); + + true +} + +#[no_mangle] +pub extern "system" fn librustzcash_sapling_ka_agree( + p: *const [c_uchar; 32], + sk: *const [c_uchar; 32], + result: *mut [c_uchar; 32], +) -> bool { + // Deserialize p + let p = match edwards::Point::::read(&(unsafe { &*p })[..], &JUBJUB) { + Ok(p) => p, + Err(_) => return false, + }; + + // Deserialize sk + let sk = match Fs::from_repr(read_fs(&(unsafe { &*sk })[..])) { + Ok(p) => p, + Err(_) => return false, + }; + + // Compute key agreement + let ka = sapling_ka_agree(&sk, &p); + + // Produce result + let result = unsafe { &mut *result }; + ka.write(&mut result[..]).expect("length is not 32 bytes"); + + true +} + +#[no_mangle] +pub extern "system" fn librustzcash_sapling_ka_derivepublic( + diversifier: *const [c_uchar; 11], + esk: *const [c_uchar; 32], + result: *mut [c_uchar; 32], +) -> bool { + let diversifier = Diversifier(unsafe { *diversifier }); + + // Compute g_d from the diversifier + let g_d = match diversifier.g_d::(&JUBJUB) { + Some(g) => g, + None => return false, + }; + + // Deserialize esk + let esk = match Fs::from_repr(read_fs(&(unsafe { &*esk })[..])) { + Ok(p) => p, + Err(_) => return false, + }; + + let p = g_d.mul(esk, &JUBJUB); + + let result = unsafe { &mut *result }; + p.write(&mut result[..]).expect("length is not 32 bytes"); + + true +} + +#[no_mangle] +pub extern "system" fn librustzcash_eh_isvalid( + n: u32, + k: u32, + input: *const c_uchar, + input_len: size_t, + nonce: *const c_uchar, + nonce_len: size_t, + soln: *const c_uchar, + soln_len: size_t, +) -> bool { + if (k >= n) || (n % 8 != 0) || (soln_len != (1 << k) * ((n / (k + 1)) as usize + 1) / 8) { + return false; + } + let rs_input = unsafe { slice::from_raw_parts(input, input_len) }; + let rs_nonce = unsafe { slice::from_raw_parts(nonce, nonce_len) }; + let rs_soln = unsafe { slice::from_raw_parts(soln, soln_len) }; + equihash::is_valid_solution(n, k, rs_input, rs_nonce, rs_soln) +} + +#[no_mangle] +pub extern "system" fn librustzcash_sapling_verification_ctx_init( +) -> *mut SaplingVerificationContext { + let ctx = Box::new(SaplingVerificationContext::new()); + + Box::into_raw(ctx) +} + +#[no_mangle] +pub extern "system" fn librustzcash_sapling_verification_ctx_free( + ctx: *mut SaplingVerificationContext, +) { + drop(unsafe { Box::from_raw(ctx) }); +} + +const GROTH_PROOF_SIZE: usize = 48 // π_A + + 96 // π_B + + 48; // π_C + +#[no_mangle] +pub extern "system" fn librustzcash_sapling_check_spend( + ctx: *mut SaplingVerificationContext, + cv: *const [c_uchar; 32], + anchor: *const [c_uchar; 32], + nullifier: *const [c_uchar; 32], + rk: *const [c_uchar; 32], + zkproof: *const [c_uchar; GROTH_PROOF_SIZE], + spend_auth_sig: *const [c_uchar; 64], + sighash_value: *const [c_uchar; 32], +) -> bool { + // Deserialize the value commitment + let cv = match edwards::Point::::read(&(unsafe { &*cv })[..], &JUBJUB) { + Ok(p) => p, + Err(_) => return false, + }; + + // Deserialize the anchor, which should be an element + // of Fr. + let anchor = match Fr::from_repr(read_le(&(unsafe { &*anchor })[..])) { + Ok(a) => a, + Err(_) => return false, + }; + + // Deserialize rk + let rk = match redjubjub::PublicKey::::read(&(unsafe { &*rk })[..], &JUBJUB) { + Ok(p) => p, + Err(_) => return false, + }; + + // Deserialize the signature + let spend_auth_sig = match Signature::read(&(unsafe { &*spend_auth_sig })[..]) { + Ok(sig) => sig, + Err(_) => return false, + }; + + // Deserialize the proof + let zkproof = match Proof::::read(&(unsafe { &*zkproof })[..]) { + Ok(p) => p, + Err(_) => return false, + }; + + unsafe { &mut *ctx }.check_spend( + cv, + anchor, + unsafe { &*nullifier }, + rk, + unsafe { &*sighash_value }, + spend_auth_sig, + zkproof, + unsafe { SAPLING_SPEND_VK.as_ref() }.unwrap(), + &JUBJUB, + ) +} + +#[no_mangle] +pub extern "system" fn librustzcash_sapling_check_output( + ctx: *mut SaplingVerificationContext, + cv: *const [c_uchar; 32], + cm: *const [c_uchar; 32], + epk: *const [c_uchar; 32], + zkproof: *const [c_uchar; GROTH_PROOF_SIZE], +) -> bool { + // Deserialize the value commitment + let cv = match edwards::Point::::read(&(unsafe { &*cv })[..], &JUBJUB) { + Ok(p) => p, + Err(_) => return false, + }; + + // Deserialize the commitment, which should be an element + // of Fr. + let cm = match Fr::from_repr(read_le(&(unsafe { &*cm })[..])) { + Ok(a) => a, + Err(_) => return false, + }; + + // Deserialize the ephemeral key + let epk = match edwards::Point::::read(&(unsafe { &*epk })[..], &JUBJUB) { + Ok(p) => p, + Err(_) => return false, + }; + + // Deserialize the proof + let zkproof = match Proof::::read(&(unsafe { &*zkproof })[..]) { + Ok(p) => p, + Err(_) => return false, + }; + + unsafe { &mut *ctx }.check_output( + cv, + cm, + epk, + zkproof, + unsafe { SAPLING_OUTPUT_VK.as_ref() }.unwrap(), + &JUBJUB, + ) +} + +#[no_mangle] +pub extern "system" fn librustzcash_sapling_final_check( + ctx: *mut SaplingVerificationContext, + value_balance: i64, + binding_sig: *const [c_uchar; 64], + sighash_value: *const [c_uchar; 32], +) -> bool { + let value_balance = match Amount::from_i64(value_balance) { + Ok(vb) => vb, + Err(()) => return false, + }; + + // Deserialize the signature + let binding_sig = match Signature::read(&(unsafe { &*binding_sig })[..]) { + Ok(sig) => sig, + Err(_) => return false, + }; + + unsafe { &*ctx }.final_check( + value_balance, + unsafe { &*sighash_value }, + binding_sig, + &JUBJUB, + ) +} + +#[no_mangle] +pub extern "system" fn librustzcash_sprout_prove( + proof_out: *mut [c_uchar; GROTH_PROOF_SIZE], + + phi: *const [c_uchar; 32], + rt: *const [c_uchar; 32], + h_sig: *const [c_uchar; 32], + + // First input + in_sk1: *const [c_uchar; 32], + in_value1: u64, + in_rho1: *const [c_uchar; 32], + in_r1: *const [c_uchar; 32], + in_auth1: *const [c_uchar; 1 + 33 * SPROUT_TREE_DEPTH + 8], + + // Second input + in_sk2: *const [c_uchar; 32], + in_value2: u64, + in_rho2: *const [c_uchar; 32], + in_r2: *const [c_uchar; 32], + in_auth2: *const [c_uchar; 1 + 33 * SPROUT_TREE_DEPTH + 8], + + // First output + out_pk1: *const [c_uchar; 32], + out_value1: u64, + out_r1: *const [c_uchar; 32], + + // Second output + out_pk2: *const [c_uchar; 32], + out_value2: u64, + out_r2: *const [c_uchar; 32], + + // Public value + vpub_old: u64, + vpub_new: u64, +) { + let phi = unsafe { *phi }; + let rt = unsafe { *rt }; + let h_sig = unsafe { *h_sig }; + let in_sk1 = unsafe { *in_sk1 }; + let in_rho1 = unsafe { *in_rho1 }; + let in_r1 = unsafe { *in_r1 }; + let in_auth1 = unsafe { *in_auth1 }; + let in_sk2 = unsafe { *in_sk2 }; + let in_rho2 = unsafe { *in_rho2 }; + let in_r2 = unsafe { *in_r2 }; + let in_auth2 = unsafe { *in_auth2 }; + let out_pk1 = unsafe { *out_pk1 }; + let out_r1 = unsafe { *out_r1 }; + let out_pk2 = unsafe { *out_pk2 }; + let out_r2 = unsafe { *out_r2 }; + + let mut inputs = Vec::with_capacity(2); + { + let mut handle_input = |sk, value, rho, r, mut auth: &[u8]| { + let value = Some(value); + let rho = Some(sprout::UniqueRandomness(rho)); + let r = Some(sprout::CommitmentRandomness(r)); + let a_sk = Some(sprout::SpendingKey(sk)); + + // skip the first byte + assert_eq!(auth[0], SPROUT_TREE_DEPTH as u8); + auth = &auth[1..]; + + let mut auth_path = [None; SPROUT_TREE_DEPTH]; + for i in (0..SPROUT_TREE_DEPTH).rev() { + // skip length of inner vector + assert_eq!(auth[0], 32); + auth = &auth[1..]; + + let mut sibling = [0u8; 32]; + sibling.copy_from_slice(&auth[0..32]); + auth = &auth[32..]; + + auth_path[i] = Some((sibling, false)); + } + + let mut position = auth + .read_u64::() + .expect("should have had index at the end"); + + for i in 0..SPROUT_TREE_DEPTH { + auth_path[i].as_mut().map(|p| p.1 = (position & 1) == 1); + + position >>= 1; + } + + inputs.push(sprout::JSInput { + value: value, + a_sk: a_sk, + rho: rho, + r: r, + auth_path: auth_path, + }); + }; + + handle_input(in_sk1, in_value1, in_rho1, in_r1, &in_auth1[..]); + handle_input(in_sk2, in_value2, in_rho2, in_r2, &in_auth2[..]); + } + + let mut outputs = Vec::with_capacity(2); + { + let mut handle_output = |a_pk, value, r| { + outputs.push(sprout::JSOutput { + value: Some(value), + a_pk: Some(sprout::PayingKey(a_pk)), + r: Some(sprout::CommitmentRandomness(r)), + }); + }; + + handle_output(out_pk1, out_value1, out_r1); + handle_output(out_pk2, out_value2, out_r2); + } + + let js = sprout::JoinSplit { + vpub_old: Some(vpub_old), + vpub_new: Some(vpub_new), + h_sig: Some(h_sig), + phi: Some(phi), + inputs: inputs, + outputs: outputs, + rt: Some(rt), + }; + + // Load parameters from disk + let sprout_fs = File::open( + unsafe { &SPROUT_GROTH16_PARAMS_PATH } + .as_ref() + .expect("parameters should have been initialized"), + ) + .expect("couldn't load Sprout groth16 parameters file"); + + let mut sprout_fs = BufReader::with_capacity(1024 * 1024, sprout_fs); + + let params = Parameters::::read(&mut sprout_fs, false) + .expect("couldn't deserialize Sprout JoinSplit parameters file"); + + drop(sprout_fs); + + // Initialize secure RNG + let mut rng = OsRng; + + let proof = create_random_proof(js, ¶ms, &mut rng).expect("proving should not fail"); + + proof + .write(&mut (unsafe { &mut *proof_out })[..]) + .expect("should be able to serialize a proof"); +} + +#[no_mangle] +pub extern "system" fn librustzcash_sprout_verify( + proof: *const [c_uchar; GROTH_PROOF_SIZE], + rt: *const [c_uchar; 32], + h_sig: *const [c_uchar; 32], + mac1: *const [c_uchar; 32], + mac2: *const [c_uchar; 32], + nf1: *const [c_uchar; 32], + nf2: *const [c_uchar; 32], + cm1: *const [c_uchar; 32], + cm2: *const [c_uchar; 32], + vpub_old: u64, + vpub_new: u64, +) -> bool { + // Prepare the public input for the verifier + let mut public_input = Vec::with_capacity((32 * 8) + (8 * 2)); + public_input.extend(unsafe { &(&*rt)[..] }); + public_input.extend(unsafe { &(&*h_sig)[..] }); + public_input.extend(unsafe { &(&*nf1)[..] }); + public_input.extend(unsafe { &(&*mac1)[..] }); + public_input.extend(unsafe { &(&*nf2)[..] }); + public_input.extend(unsafe { &(&*mac2)[..] }); + public_input.extend(unsafe { &(&*cm1)[..] }); + public_input.extend(unsafe { &(&*cm2)[..] }); + public_input.write_u64::(vpub_old).unwrap(); + public_input.write_u64::(vpub_new).unwrap(); + + let public_input = multipack::bytes_to_bits(&public_input); + let public_input = multipack::compute_multipacking::(&public_input); + + let proof = match Proof::read(unsafe { &(&*proof)[..] }) { + Ok(p) => p, + Err(_) => return false, + }; + + // Verify the proof + match verify_proof( + unsafe { SPROUT_GROTH16_VK.as_ref() }.expect("parameters should have been initialized"), + &proof, + &public_input[..], + ) { + // No error, and proof verification successful + Ok(true) => true, + + // Any other case + _ => false, + } +} + +#[no_mangle] +pub extern "system" fn librustzcash_sapling_output_proof( + ctx: *mut SaplingProvingContext, + esk: *const [c_uchar; 32], + payment_address: *const [c_uchar; 43], + rcm: *const [c_uchar; 32], + value: u64, + cv: *mut [c_uchar; 32], + zkproof: *mut [c_uchar; GROTH_PROOF_SIZE], +) -> bool { + // Grab `esk`, which the caller should have constructed for the DH key exchange. + let esk = match Fs::from_repr(read_fs(&(unsafe { &*esk })[..])) { + Ok(p) => p, + Err(_) => return false, + }; + + // Grab the payment address from the caller + let payment_address = + match PaymentAddress::::from_bytes(unsafe { &*payment_address }, &JUBJUB) { + Some(pa) => pa, + None => return false, + }; + + // The caller provides the commitment randomness for the output note + let rcm = match Fs::from_repr(read_fs(&(unsafe { &*rcm })[..])) { + Ok(p) => p, + Err(_) => return false, + }; + + // Create proof + let (proof, value_commitment) = unsafe { &mut *ctx }.output_proof( + esk, + payment_address, + rcm, + value, + unsafe { SAPLING_OUTPUT_PARAMS.as_ref() }.unwrap(), + &JUBJUB, + ); + + // Write the proof out to the caller + proof + .write(&mut (unsafe { &mut *zkproof })[..]) + .expect("should be able to serialize a proof"); + + // Write the value commitment to the caller + value_commitment + .write(&mut (unsafe { &mut *cv })[..]) + .expect("should be able to serialize rcv"); + + true +} + +#[no_mangle] +pub extern "system" fn librustzcash_sapling_spend_sig( + ask: *const [c_uchar; 32], + ar: *const [c_uchar; 32], + sighash: *const [c_uchar; 32], + result: *mut [c_uchar; 64], +) -> bool { + // The caller provides the re-randomization of `ak`. + let ar = match Fs::from_repr(read_fs(&(unsafe { &*ar })[..])) { + Ok(p) => p, + Err(_) => return false, + }; + + // The caller provides `ask`, the spend authorizing key. + let ask = match redjubjub::PrivateKey::::read(&(unsafe { &*ask })[..]) { + Ok(p) => p, + Err(_) => return false, + }; + + // Initialize secure RNG + let mut rng = OsRng; + + // Do the signing + let sig = spend_sig(ask, ar, unsafe { &*sighash }, &mut rng, &JUBJUB); + + // Write out the signature + sig.write(&mut (unsafe { &mut *result })[..]) + .expect("result should be 64 bytes"); + + true +} + +#[no_mangle] +pub extern "system" fn librustzcash_sapling_binding_sig( + ctx: *const SaplingProvingContext, + value_balance: i64, + sighash: *const [c_uchar; 32], + result: *mut [c_uchar; 64], +) -> bool { + let value_balance = match Amount::from_i64(value_balance) { + Ok(vb) => vb, + Err(()) => return false, + }; + + // Sign + let sig = match unsafe { &*ctx }.binding_sig(value_balance, unsafe { &*sighash }, &JUBJUB) { + Ok(s) => s, + Err(_) => return false, + }; + + // Write out signature + sig.write(&mut (unsafe { &mut *result })[..]) + .expect("result should be 64 bytes"); + + true +} + +#[no_mangle] +pub extern "system" fn librustzcash_sapling_spend_proof( + ctx: *mut SaplingProvingContext, + ak: *const [c_uchar; 32], + nsk: *const [c_uchar; 32], + diversifier: *const [c_uchar; 11], + rcm: *const [c_uchar; 32], + ar: *const [c_uchar; 32], + value: u64, + anchor: *const [c_uchar; 32], + witness: *const [c_uchar; 1 + 33 * SAPLING_TREE_DEPTH + 8], + cv: *mut [c_uchar; 32], + rk_out: *mut [c_uchar; 32], + zkproof: *mut [c_uchar; GROTH_PROOF_SIZE], +) -> bool { + // Grab `ak` from the caller, which should be a point. + let ak = match edwards::Point::::read(&(unsafe { &*ak })[..], &JUBJUB) { + Ok(p) => p, + Err(_) => return false, + }; + + // `ak` should be prime order. + let ak = match ak.as_prime_order(&JUBJUB) { + Some(p) => p, + None => return false, + }; + + // Grab `nsk` from the caller + let nsk = match Fs::from_repr(read_fs(&(unsafe { &*nsk })[..])) { + Ok(p) => p, + Err(_) => return false, + }; + + // Construct the proof generation key + let proof_generation_key = ProofGenerationKey { + ak: ak.clone(), + nsk, + }; + + // Grab the diversifier from the caller + let diversifier = Diversifier(unsafe { *diversifier }); + + // The caller chooses the note randomness + let rcm = match Fs::from_repr(read_fs(&(unsafe { &*rcm })[..])) { + Ok(p) => p, + Err(_) => return false, + }; + + // The caller also chooses the re-randomization of ak + let ar = match Fs::from_repr(read_fs(&(unsafe { &*ar })[..])) { + Ok(p) => p, + Err(_) => return false, + }; + + // We need to compute the anchor of the Spend. + let anchor = match Fr::from_repr(read_le(unsafe { &(&*anchor)[..] })) { + Ok(p) => p, + Err(_) => return false, + }; + + // The witness contains the incremental tree witness information, in a + // weird serialized format. + let witness = match CommitmentTreeWitness::from_slice(unsafe { &(&*witness)[..] }) { + Ok(w) => w, + Err(_) => return false, + }; + + // Create proof + let (proof, value_commitment, rk) = unsafe { &mut *ctx } + .spend_proof( + proof_generation_key, + diversifier, + rcm, + ar, + value, + anchor, + witness, + unsafe { SAPLING_SPEND_PARAMS.as_ref() }.unwrap(), + unsafe { SAPLING_SPEND_VK.as_ref() }.unwrap(), + &JUBJUB, + ) + .expect("proving should not fail"); + + // Write value commitment to caller + value_commitment + .write(&mut unsafe { &mut *cv }[..]) + .expect("should be able to serialize cv"); + + // Write proof out to caller + proof + .write(&mut (unsafe { &mut *zkproof })[..]) + .expect("should be able to serialize a proof"); + + // Write out `rk` to the caller + rk.write(&mut unsafe { &mut *rk_out }[..]) + .expect("should be able to write to rk_out"); + + true +} + +#[no_mangle] +pub extern "system" fn librustzcash_sapling_proving_ctx_init() -> *mut SaplingProvingContext { + let ctx = Box::new(SaplingProvingContext::new()); + + Box::into_raw(ctx) +} + +#[no_mangle] +pub extern "system" fn librustzcash_sapling_proving_ctx_free(ctx: *mut SaplingProvingContext) { + drop(unsafe { Box::from_raw(ctx) }); +} + +#[no_mangle] +pub extern "system" fn librustzcash_zip32_xsk_master( + seed: *const c_uchar, + seedlen: size_t, + xsk_master: *mut [c_uchar; 169], +) { + let seed = unsafe { std::slice::from_raw_parts(seed, seedlen) }; + + let xsk = zip32::ExtendedSpendingKey::master(seed); + + xsk.write(&mut (unsafe { &mut *xsk_master })[..]) + .expect("should be able to serialize an ExtendedSpendingKey"); +} + +#[no_mangle] +pub extern "system" fn librustzcash_zip32_xsk_derive( + xsk_parent: *const [c_uchar; 169], + i: u32, + xsk_i: *mut [c_uchar; 169], +) { + let xsk_parent = zip32::ExtendedSpendingKey::read(&unsafe { *xsk_parent }[..]) + .expect("valid ExtendedSpendingKey"); + let i = zip32::ChildIndex::from_index(i); + + let xsk = xsk_parent.derive_child(i); + + xsk.write(&mut (unsafe { &mut *xsk_i })[..]) + .expect("should be able to serialize an ExtendedSpendingKey"); +} + +#[no_mangle] +pub extern "system" fn librustzcash_zip32_xfvk_derive( + xfvk_parent: *const [c_uchar; 169], + i: u32, + xfvk_i: *mut [c_uchar; 169], +) -> bool { + let xfvk_parent = zip32::ExtendedFullViewingKey::read(&unsafe { *xfvk_parent }[..]) + .expect("valid ExtendedFullViewingKey"); + let i = zip32::ChildIndex::from_index(i); + + let xfvk = match xfvk_parent.derive_child(i) { + Ok(xfvk) => xfvk, + Err(_) => return false, + }; + + xfvk.write(&mut (unsafe { &mut *xfvk_i })[..]) + .expect("should be able to serialize an ExtendedFullViewingKey"); + + true +} + +#[no_mangle] +pub extern "system" fn librustzcash_zip32_xfvk_address( + xfvk: *const [c_uchar; 169], + j: *const [c_uchar; 11], + j_ret: *mut [c_uchar; 11], + addr_ret: *mut [c_uchar; 43], +) -> bool { + let xfvk = zip32::ExtendedFullViewingKey::read(&unsafe { *xfvk }[..]) + .expect("valid ExtendedFullViewingKey"); + let j = zip32::DiversifierIndex(unsafe { *j }); + + let addr = match xfvk.address(j) { + Ok(addr) => addr, + Err(_) => return false, + }; + + let j_ret = unsafe { &mut *j_ret }; + let addr_ret = unsafe { &mut *addr_ret }; + + j_ret.copy_from_slice(&(addr.0).0); + addr_ret.copy_from_slice(&addr.1.to_bytes()); + + true +} diff --git a/src/rust/src/tests/key_agreement.rs b/src/rust/src/tests/key_agreement.rs new file mode 100644 index 000000000..c4f56a139 --- /dev/null +++ b/src/rust/src/tests/key_agreement.rs @@ -0,0 +1,76 @@ +use ff::{PrimeField, PrimeFieldRepr}; +use pairing::bls12_381::Bls12; +use rand_core::{OsRng, RngCore}; +use zcash_primitives::jubjub::{edwards, JubjubBls12}; +use zcash_primitives::primitives::{Diversifier, ViewingKey}; + +use crate::{ + librustzcash_sapling_generate_r, librustzcash_sapling_ka_agree, + librustzcash_sapling_ka_derivepublic, +}; + +#[test] +fn test_key_agreement() { + let params = JubjubBls12::new(); + let mut rng = OsRng; + + // Create random viewing key + let vk = ViewingKey:: { + ak: edwards::Point::rand(&mut rng, ¶ms).mul_by_cofactor(¶ms), + nk: edwards::Point::rand(&mut rng, ¶ms).mul_by_cofactor(¶ms), + }; + + // Create a random address with the viewing key + let addr = loop { + let mut d = [0; 11]; + rng.fill_bytes(&mut d); + match vk.to_payment_address(Diversifier(d), ¶ms) { + Some(a) => break a, + None => {} + } + }; + + // Grab ivk from our viewing key in serialized form + let ivk = vk.ivk(); + let mut ivk_serialized = [0u8; 32]; + ivk.into_repr().write_le(&mut ivk_serialized[..]).unwrap(); + + // Create random esk + let mut esk = [0u8; 32]; + librustzcash_sapling_generate_r(&mut esk); + + // The sender will create a shared secret with the recipient + // by multiplying the pk_d from their address with the esk + // we randomly generated + let mut shared_secret_sender = [0u8; 32]; + + // Serialize pk_d for the call to librustzcash_sapling_ka_agree + let mut addr_pk_d = [0u8; 32]; + addr.pk_d().write(&mut addr_pk_d[..]).unwrap(); + + assert!(librustzcash_sapling_ka_agree( + &addr_pk_d, + &esk, + &mut shared_secret_sender + )); + + // Create epk for the recipient, placed in the transaction. Computed + // using the diversifier and esk. + let mut epk = [0u8; 32]; + assert!(librustzcash_sapling_ka_derivepublic( + &addr.diversifier().0, + &esk, + &mut epk + )); + + // Create sharedSecret with ephemeral key + let mut shared_secret_recipient = [0u8; 32]; + assert!(librustzcash_sapling_ka_agree( + &epk, + &ivk_serialized, + &mut shared_secret_recipient + )); + + assert!(!shared_secret_sender.iter().all(|&v| v == 0)); + assert_eq!(shared_secret_sender, shared_secret_recipient); +} diff --git a/src/rust/src/tests/key_components.rs b/src/rust/src/tests/key_components.rs new file mode 100644 index 000000000..5975e5eb1 --- /dev/null +++ b/src/rust/src/tests/key_components.rs @@ -0,0 +1,731 @@ +use ff::{PrimeField, PrimeFieldRepr}; +use pairing::bls12_381::Bls12; +use zcash_primitives::{ + jubjub::{fs::FsRepr, FixedGenerators, JubjubEngine, JubjubParams}, + primitives::{Diversifier, ProofGenerationKey}, +}; + +use super::JUBJUB; + +use crate::{ + librustzcash_ask_to_ak, librustzcash_check_diversifier, librustzcash_crh_ivk, + librustzcash_ivk_to_pkd, librustzcash_nsk_to_nk, +}; + +#[test] +fn key_components() { + #![allow(dead_code)] + struct TestVector { + sk: [u8; 32], + ask: [u8; 32], + nsk: [u8; 32], + ovk: [u8; 32], + ak: [u8; 32], + nk: [u8; 32], + ivk: [u8; 32], + default_d: [u8; 11], + default_pk_d: [u8; 32], + note_v: u64, + note_r: [u8; 32], + note_cm: [u8; 32], + note_pos: u64, + note_nf: [u8; 32], + }; + + // From https://github.com/zcash-hackworks/zcash-test-vectors/blob/master/sapling_key_components.py + let test_vectors = vec![ + TestVector { + sk: [ + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, + ], + ask: [ + 0x85, 0x48, 0xa1, 0x4a, 0x47, 0x3e, 0xa5, 0x47, 0xaa, 0x23, 0x78, 0x40, 0x20, 0x44, + 0xf8, 0x18, 0xcf, 0x19, 0x11, 0xcf, 0x5d, 0xd2, 0x05, 0x4f, 0x67, 0x83, 0x45, 0xf0, + 0x0d, 0x0e, 0x88, 0x06, + ], + nsk: [ + 0x30, 0x11, 0x4e, 0xa0, 0xdd, 0x0b, 0xb6, 0x1c, 0xf0, 0xea, 0xea, 0xb6, 0xec, 0x33, + 0x31, 0xf5, 0x81, 0xb0, 0x42, 0x5e, 0x27, 0x33, 0x85, 0x01, 0x26, 0x2d, 0x7e, 0xac, + 0x74, 0x5e, 0x6e, 0x05, + ], + ovk: [ + 0x98, 0xd1, 0x69, 0x13, 0xd9, 0x9b, 0x04, 0x17, 0x7c, 0xab, 0xa4, 0x4f, 0x6e, 0x4d, + 0x22, 0x4e, 0x03, 0xb5, 0xac, 0x03, 0x1d, 0x7c, 0xe4, 0x5e, 0x86, 0x51, 0x38, 0xe1, + 0xb9, 0x96, 0xd6, 0x3b, + ], + ak: [ + 0xf3, 0x44, 0xec, 0x38, 0x0f, 0xe1, 0x27, 0x3e, 0x30, 0x98, 0xc2, 0x58, 0x8c, 0x5d, + 0x3a, 0x79, 0x1f, 0xd7, 0xba, 0x95, 0x80, 0x32, 0x76, 0x07, 0x77, 0xfd, 0x0e, 0xfa, + 0x8e, 0xf1, 0x16, 0x20, + ], + nk: [ + 0xf7, 0xcf, 0x9e, 0x77, 0xf2, 0xe5, 0x86, 0x83, 0x38, 0x3c, 0x15, 0x19, 0xac, 0x7b, + 0x06, 0x2d, 0x30, 0x04, 0x0e, 0x27, 0xa7, 0x25, 0xfb, 0x88, 0xfb, 0x19, 0xa9, 0x78, + 0xbd, 0x3f, 0xd6, 0xba, + ], + ivk: [ + 0xb7, 0x0b, 0x7c, 0xd0, 0xed, 0x03, 0xcb, 0xdf, 0xd7, 0xad, 0xa9, 0x50, 0x2e, 0xe2, + 0x45, 0xb1, 0x3e, 0x56, 0x9d, 0x54, 0xa5, 0x71, 0x9d, 0x2d, 0xaa, 0x0f, 0x5f, 0x14, + 0x51, 0x47, 0x92, 0x04, + ], + default_d: [ + 0xf1, 0x9d, 0x9b, 0x79, 0x7e, 0x39, 0xf3, 0x37, 0x44, 0x58, 0x39, + ], + default_pk_d: [ + 0xdb, 0x4c, 0xd2, 0xb0, 0xaa, 0xc4, 0xf7, 0xeb, 0x8c, 0xa1, 0x31, 0xf1, 0x65, 0x67, + 0xc4, 0x45, 0xa9, 0x55, 0x51, 0x26, 0xd3, 0xc2, 0x9f, 0x14, 0xe3, 0xd7, 0x76, 0xe8, + 0x41, 0xae, 0x74, 0x15, + ], + note_v: 0, + note_r: [ + 0x39, 0x17, 0x6d, 0xac, 0x39, 0xac, 0xe4, 0x98, 0x0e, 0xcc, 0x8d, 0x77, 0x8e, 0x89, + 0x86, 0x02, 0x55, 0xec, 0x36, 0x15, 0x06, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, + ], + note_cm: [ + 0xcb, 0x3c, 0xf9, 0x15, 0x32, 0x70, 0xd5, 0x7e, 0xb9, 0x14, 0xc6, 0xc2, 0xbc, 0xc0, + 0x18, 0x50, 0xc9, 0xfe, 0xd4, 0x4f, 0xce, 0x08, 0x06, 0x27, 0x8f, 0x08, 0x3e, 0xf2, + 0xdd, 0x07, 0x64, 0x39, + ], + note_pos: 0, + note_nf: [ + 0x44, 0xfa, 0xd6, 0x56, 0x4f, 0xfd, 0xec, 0x9f, 0xa1, 0x9c, 0x43, 0xa2, 0x8f, 0x86, + 0x1d, 0x5e, 0xbf, 0x60, 0x23, 0x46, 0x00, 0x7d, 0xe7, 0x62, 0x67, 0xd9, 0x75, 0x27, + 0x47, 0xab, 0x40, 0x63, + ], + }, + TestVector { + sk: [ + 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, + 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, + 0x01, 0x01, 0x01, 0x01, + ], + ask: [ + 0xc9, 0x43, 0x56, 0x29, 0xbf, 0x8b, 0xff, 0xe5, 0x5e, 0x73, 0x35, 0xec, 0x07, 0x77, + 0x18, 0xba, 0x60, 0xba, 0x28, 0xd7, 0xac, 0x37, 0x94, 0xb7, 0x4f, 0x51, 0x2c, 0x31, + 0xaf, 0x0a, 0x53, 0x04, + ], + nsk: [ + 0x11, 0xac, 0xc2, 0xea, 0xd0, 0x7b, 0x5f, 0x00, 0x8c, 0x1f, 0x0f, 0x09, 0x0c, 0xc8, + 0xdd, 0xf3, 0x35, 0x23, 0x6f, 0xf4, 0xb2, 0x53, 0xc6, 0x49, 0x56, 0x95, 0xe9, 0xd6, + 0x39, 0xda, 0xcd, 0x08, + ], + ovk: [ + 0x3b, 0x94, 0x62, 0x10, 0xce, 0x6d, 0x1b, 0x16, 0x92, 0xd7, 0x39, 0x2a, 0xc8, 0x4a, + 0x8b, 0xc8, 0xf0, 0x3b, 0x72, 0x72, 0x3c, 0x7d, 0x36, 0x72, 0x1b, 0x80, 0x9a, 0x79, + 0xc9, 0xd6, 0xe4, 0x5b, + ], + ak: [ + 0x82, 0xff, 0x5e, 0xff, 0xc5, 0x27, 0xae, 0x84, 0x02, 0x0b, 0xf2, 0xd3, 0x52, 0x01, + 0xc1, 0x02, 0x19, 0x13, 0x19, 0x47, 0xff, 0x4b, 0x96, 0xf8, 0x81, 0xa4, 0x5f, 0x2e, + 0x8a, 0xe3, 0x05, 0x18, + ], + nk: [ + 0xc4, 0x53, 0x4d, 0x84, 0x8b, 0xb9, 0x18, 0xcf, 0x4a, 0x7f, 0x8b, 0x98, 0x74, 0x0a, + 0xb3, 0xcc, 0xee, 0x58, 0x67, 0x95, 0xff, 0x4d, 0xf6, 0x45, 0x47, 0xa8, 0x88, 0x8a, + 0x6c, 0x74, 0x15, 0xd2, + ], + ivk: [ + 0xc5, 0x18, 0x38, 0x44, 0x66, 0xb2, 0x69, 0x88, 0xb5, 0x10, 0x90, 0x67, 0x41, 0x8d, + 0x19, 0x2d, 0x9d, 0x6b, 0xd0, 0xd9, 0x23, 0x22, 0x05, 0xd7, 0x74, 0x18, 0xc2, 0x40, + 0xfc, 0x68, 0xa4, 0x06, + ], + default_d: [ + 0xae, 0xf1, 0x80, 0xf6, 0xe3, 0x4e, 0x35, 0x4b, 0x88, 0x8f, 0x81, + ], + default_pk_d: [ + 0xa6, 0xb1, 0x3e, 0xa3, 0x36, 0xdd, 0xb7, 0xa6, 0x7b, 0xb0, 0x9a, 0x0e, 0x68, 0xe9, + 0xd3, 0xcf, 0xb3, 0x92, 0x10, 0x83, 0x1e, 0xa3, 0xa2, 0x96, 0xba, 0x09, 0xa9, 0x22, + 0x06, 0x0f, 0xd3, 0x8b, + ], + note_v: 12227227834928555328, + note_r: [ + 0x47, 0x8b, 0xa0, 0xee, 0x6e, 0x1a, 0x75, 0xb6, 0x00, 0x03, 0x6f, 0x26, 0xf1, 0x8b, + 0x70, 0x15, 0xab, 0x55, 0x6b, 0xed, 0xdf, 0x8b, 0x96, 0x02, 0x38, 0x86, 0x9f, 0x89, + 0xdd, 0x80, 0x4e, 0x06, + ], + note_cm: [ + 0xb5, 0x78, 0x93, 0x50, 0x0b, 0xfb, 0x85, 0xdf, 0x2e, 0x8b, 0x01, 0xac, 0x45, 0x2f, + 0x89, 0xe1, 0x0e, 0x26, 0x6b, 0xcf, 0xa3, 0x1c, 0x31, 0xb2, 0x9a, 0x53, 0xae, 0x72, + 0xca, 0xd4, 0x69, 0x50, + ], + note_pos: 763714296, + note_nf: [ + 0x67, 0x9e, 0xb0, 0xc3, 0xa7, 0x57, 0xe2, 0xae, 0x83, 0xcd, 0xb4, 0x2a, 0x1a, 0xb2, + 0x59, 0xd7, 0x83, 0x88, 0x31, 0x54, 0x19, 0xad, 0xc7, 0x1d, 0x2e, 0x37, 0x63, 0x17, + 0x4c, 0x2e, 0x9d, 0x93, + ], + }, + TestVector { + sk: [ + 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, + 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, + 0x02, 0x02, 0x02, 0x02, + ], + ask: [ + 0xee, 0x1c, 0x3d, 0x7e, 0xfe, 0x0a, 0x78, 0x06, 0x3d, 0x6a, 0xf3, 0xd9, 0xd8, 0x12, + 0x12, 0xaf, 0x47, 0xb7, 0xc1, 0xb7, 0x61, 0xf8, 0x5c, 0xcb, 0x06, 0x6f, 0xc1, 0x1a, + 0x6a, 0x42, 0x17, 0x03, + ], + nsk: [ + 0x1d, 0x3b, 0x71, 0x37, 0x55, 0xd7, 0x48, 0x75, 0xe8, 0xea, 0x38, 0xfd, 0x16, 0x6e, + 0x76, 0xc6, 0x2a, 0x42, 0x50, 0x21, 0x6e, 0x6b, 0xbf, 0xe4, 0x8a, 0x5e, 0x2e, 0xab, + 0xad, 0x11, 0x7f, 0x0b, + ], + ovk: [ + 0x8b, 0xf4, 0x39, 0x0e, 0x28, 0xdd, 0xc9, 0x5b, 0x83, 0x02, 0xc3, 0x81, 0xd5, 0x81, + 0x0b, 0x84, 0xba, 0x8e, 0x60, 0x96, 0xe5, 0xa7, 0x68, 0x22, 0x77, 0x4f, 0xd4, 0x9f, + 0x49, 0x1e, 0x8f, 0x49, + ], + ak: [ + 0xab, 0x83, 0x57, 0x4e, 0xb5, 0xde, 0x85, 0x9a, 0x0a, 0xb8, 0x62, 0x9d, 0xec, 0x34, + 0xc7, 0xbe, 0xe8, 0xc3, 0xfc, 0x74, 0xdf, 0xa0, 0xb1, 0x9a, 0x3a, 0x74, 0x68, 0xd1, + 0x5d, 0xca, 0x64, 0xc6, + ], + nk: [ + 0x95, 0xd5, 0x80, 0x53, 0xe0, 0x59, 0x2e, 0x4a, 0x16, 0x9c, 0xc0, 0xb7, 0x92, 0x8a, + 0xaa, 0xc3, 0xde, 0x24, 0xef, 0x15, 0x31, 0xaa, 0x9e, 0xb6, 0xf4, 0xab, 0x93, 0x91, + 0x4d, 0xa8, 0xa0, 0x6e, + ], + ivk: [ + 0x47, 0x1c, 0x24, 0xa3, 0xdc, 0x87, 0x30, 0xe7, 0x50, 0x36, 0xc0, 0xa9, 0x5f, 0x3e, + 0x2f, 0x7d, 0xd1, 0xbe, 0x6f, 0xb9, 0x3a, 0xd2, 0x95, 0x92, 0x20, 0x3d, 0xef, 0x30, + 0x41, 0x95, 0x45, 0x05, + ], + default_d: [ + 0x75, 0x99, 0xf0, 0xbf, 0x9b, 0x57, 0xcd, 0x2d, 0xc2, 0x99, 0xb6, + ], + default_pk_d: [ + 0x66, 0x14, 0x17, 0x39, 0x51, 0x4b, 0x28, 0xf0, 0x5d, 0xef, 0x8a, 0x18, 0xee, 0xee, + 0x5e, 0xed, 0x4d, 0x44, 0xc6, 0x22, 0x5c, 0x3c, 0x65, 0xd8, 0x8d, 0xd9, 0x90, 0x77, + 0x08, 0x01, 0x2f, 0x5a, + ], + note_v: 6007711596147559040, + note_r: [ + 0x14, 0x7c, 0xf2, 0xb5, 0x1b, 0x4c, 0x7c, 0x63, 0xcb, 0x77, 0xb9, 0x9e, 0x8b, 0x78, + 0x3e, 0x5b, 0x51, 0x11, 0xdb, 0x0a, 0x7c, 0xa0, 0x4d, 0x6c, 0x01, 0x4a, 0x1d, 0x7d, + 0xa8, 0x3b, 0xae, 0x0a, + ], + note_cm: [ + 0xdb, 0x85, 0xa7, 0x0a, 0x98, 0x43, 0x7f, 0x73, 0x16, 0x7f, 0xc3, 0x32, 0xd5, 0xb7, + 0xb7, 0x40, 0x82, 0x96, 0x66, 0x17, 0x70, 0xb1, 0x01, 0xb0, 0xaa, 0x87, 0x83, 0x9f, + 0x4e, 0x55, 0xf1, 0x51, + ], + note_pos: 1527428592, + note_nf: [ + 0xe9, 0x8f, 0x6a, 0x8f, 0x34, 0xff, 0x49, 0x80, 0x59, 0xb3, 0xc7, 0x31, 0xb9, 0x1f, + 0x45, 0x11, 0x08, 0xc4, 0x95, 0x4d, 0x91, 0x94, 0x84, 0x36, 0x1c, 0xf9, 0xb4, 0x8f, + 0x59, 0xae, 0x1d, 0x14, + ], + }, + TestVector { + sk: [ + 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, + 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, + 0x03, 0x03, 0x03, 0x03, + ], + ask: [ + 0x00, 0xc3, 0xa1, 0xe1, 0xca, 0x8f, 0x4e, 0x04, 0x80, 0xee, 0x1e, 0xe9, 0x0c, 0xa7, + 0x51, 0x78, 0x79, 0xd3, 0xfc, 0x5c, 0x81, 0x5c, 0x09, 0x03, 0xe5, 0xee, 0xbc, 0x94, + 0xbb, 0x80, 0x95, 0x03, + ], + nsk: [ + 0xe6, 0x62, 0x85, 0xa5, 0xe9, 0xb6, 0x5e, 0x15, 0x7a, 0xd2, 0xfc, 0xd5, 0x43, 0xda, + 0xd9, 0x8c, 0x67, 0xa5, 0x8a, 0xbd, 0xf2, 0x87, 0xe0, 0x55, 0x06, 0xbd, 0x1c, 0x2e, + 0x59, 0xb0, 0x72, 0x0b, + ], + ovk: [ + 0x14, 0x76, 0x78, 0xe0, 0x55, 0x3b, 0x97, 0x82, 0x93, 0x47, 0x64, 0x7c, 0x5b, 0xc7, + 0xda, 0xb4, 0xcc, 0x22, 0x02, 0xb5, 0x4e, 0xc2, 0x9f, 0xd3, 0x1a, 0x3d, 0xe6, 0xbe, + 0x08, 0x25, 0xfc, 0x5e, + ], + ak: [ + 0x3c, 0x9c, 0xde, 0x7e, 0x5d, 0x0d, 0x38, 0xa8, 0x61, 0x0f, 0xaa, 0xdb, 0xcf, 0x4c, + 0x34, 0x3f, 0x5d, 0x3c, 0xfa, 0x31, 0x55, 0xa5, 0xb9, 0x46, 0x61, 0xa6, 0x75, 0x3e, + 0x96, 0xe8, 0x84, 0xea, + ], + nk: [ + 0xb7, 0x7d, 0x36, 0xf5, 0x08, 0x94, 0x1d, 0xbd, 0x61, 0xcf, 0xd0, 0xf1, 0x59, 0xee, + 0x05, 0xcf, 0xaa, 0x78, 0xa2, 0x6c, 0x94, 0x92, 0x90, 0x38, 0x06, 0xd8, 0x3b, 0x59, + 0x8d, 0x3c, 0x1c, 0x2a, + ], + ivk: [ + 0x63, 0x6a, 0xa9, 0x64, 0xbf, 0xc2, 0x3c, 0xe4, 0xb1, 0xfc, 0xf7, 0xdf, 0xc9, 0x91, + 0x79, 0xdd, 0xc4, 0x06, 0xff, 0x55, 0x40, 0x0c, 0x92, 0x95, 0xac, 0xfc, 0x14, 0xf0, + 0x31, 0xc7, 0x26, 0x00, + ], + default_d: [ + 0x1b, 0x81, 0x61, 0x4f, 0x1d, 0xad, 0xea, 0x0f, 0x8d, 0x0a, 0x58, + ], + default_pk_d: [ + 0x25, 0xeb, 0x55, 0xfc, 0xcf, 0x76, 0x1f, 0xc6, 0x4e, 0x85, 0xa5, 0x88, 0xef, 0xe6, + 0xea, 0xd7, 0x83, 0x2f, 0xb1, 0xf0, 0xf7, 0xa8, 0x31, 0x65, 0x89, 0x5b, 0xdf, 0xf9, + 0x42, 0x92, 0x5f, 0x5c, + ], + note_v: 18234939431076114368, + note_r: [ + 0x34, 0xa4, 0xb2, 0xa9, 0x14, 0x4f, 0xf5, 0xea, 0x54, 0xef, 0xee, 0x87, 0xcf, 0x90, + 0x1b, 0x5b, 0xed, 0x5e, 0x35, 0xd2, 0x1f, 0xbb, 0xd7, 0x88, 0xd5, 0xbd, 0x9d, 0x83, + 0x3e, 0x11, 0x28, 0x04, + ], + note_cm: [ + 0xe0, 0x8c, 0xe4, 0x82, 0xb3, 0xa8, 0xfb, 0x3b, 0x35, 0xcc, 0xdb, 0xe3, 0x43, 0x37, + 0xbd, 0x10, 0x5d, 0x88, 0x39, 0x21, 0x2e, 0x0d, 0x16, 0x44, 0xb9, 0xd5, 0x5c, 0xaa, + 0x60, 0xd1, 0x9b, 0x6c, + ], + note_pos: 2291142888, + note_nf: [ + 0x55, 0x47, 0xaa, 0x12, 0xff, 0x80, 0xa6, 0xb3, 0x30, 0x4e, 0x3b, 0x05, 0x86, 0x56, + 0x47, 0x2a, 0xbd, 0x2c, 0x81, 0x83, 0xb5, 0x9d, 0x07, 0x37, 0xb9, 0x3c, 0xee, 0x75, + 0x8b, 0xec, 0x47, 0xa1, + ], + }, + TestVector { + sk: [ + 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, + 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, + 0x04, 0x04, 0x04, 0x04, + ], + ask: [ + 0x82, 0x36, 0xd1, 0x9d, 0x32, 0x05, 0xd8, 0x55, 0x43, 0xa0, 0x68, 0x11, 0x34, 0x3f, + 0x82, 0x7b, 0x65, 0x63, 0x77, 0x0a, 0x49, 0xaa, 0x4d, 0x0c, 0xa0, 0x08, 0x18, 0x05, + 0xd4, 0xc8, 0xea, 0x0d, + ], + nsk: [ + 0x7e, 0xc1, 0xef, 0x0b, 0xed, 0x82, 0x71, 0x82, 0x72, 0xf0, 0xf4, 0x4f, 0x01, 0x7c, + 0x48, 0x41, 0x74, 0x51, 0x3d, 0x66, 0x1d, 0xd1, 0x68, 0xaf, 0x02, 0xd2, 0x09, 0x2a, + 0x1d, 0x8a, 0x05, 0x07, + ], + ovk: [ + 0x1b, 0x6e, 0x75, 0xec, 0xe3, 0xac, 0xe8, 0xdb, 0xa6, 0xa5, 0x41, 0x0d, 0x9a, 0xd4, + 0x75, 0x56, 0x68, 0xe4, 0xb3, 0x95, 0x85, 0xd6, 0x35, 0xec, 0x1d, 0xa7, 0xc8, 0xdc, + 0xfd, 0x5f, 0xc4, 0xed, + ], + ak: [ + 0x55, 0xe8, 0x83, 0x89, 0xbb, 0x7e, 0x41, 0xde, 0x13, 0x0c, 0xfa, 0x51, 0xa8, 0x71, + 0x5f, 0xde, 0x01, 0xff, 0x9c, 0x68, 0x76, 0x64, 0x7f, 0x01, 0x75, 0xad, 0x34, 0xf0, + 0x58, 0xdd, 0xe0, 0x1a, + ], + nk: [ + 0x72, 0x5d, 0x4a, 0xd6, 0xa1, 0x50, 0x21, 0xcd, 0x1c, 0x48, 0xc5, 0xee, 0x19, 0xde, + 0x6c, 0x1e, 0x76, 0x8a, 0x2c, 0xc0, 0xa9, 0xa7, 0x30, 0xa0, 0x1b, 0xb2, 0x1c, 0x95, + 0xe3, 0xd9, 0xe4, 0x3c, + ], + ivk: [ + 0x67, 0xfa, 0x2b, 0xf7, 0xc6, 0x7d, 0x46, 0x58, 0x24, 0x3c, 0x31, 0x7c, 0x0c, 0xb4, + 0x1f, 0xd3, 0x20, 0x64, 0xdf, 0xd3, 0x70, 0x9f, 0xe0, 0xdc, 0xb7, 0x24, 0xf1, 0x4b, + 0xb0, 0x1a, 0x1d, 0x04, + ], + default_d: [ + 0xfc, 0xfb, 0x68, 0xa4, 0x0d, 0x4b, 0xc6, 0xa0, 0x4b, 0x09, 0xc4, + ], + default_pk_d: [ + 0x8b, 0x2a, 0x33, 0x7f, 0x03, 0x62, 0x2c, 0x24, 0xff, 0x38, 0x1d, 0x4c, 0x54, 0x6f, + 0x69, 0x77, 0xf9, 0x05, 0x22, 0xe9, 0x2f, 0xde, 0x44, 0xc9, 0xd1, 0xbb, 0x09, 0x97, + 0x14, 0xb9, 0xdb, 0x2b, + ], + note_v: 12015423192295118080, + note_r: [ + 0xe5, 0x57, 0x85, 0x13, 0x55, 0x74, 0x7c, 0x09, 0xac, 0x59, 0x01, 0x3c, 0xbd, 0xe8, + 0x59, 0x80, 0x96, 0x4e, 0xc1, 0x84, 0x4d, 0x9c, 0x69, 0x67, 0xca, 0x0c, 0x02, 0x9c, + 0x84, 0x57, 0xbb, 0x04, + ], + note_cm: [ + 0xbd, 0xc8, 0x54, 0xbf, 0x3e, 0x7b, 0x00, 0x82, 0x1f, 0x3b, 0x8b, 0x85, 0x23, 0x8c, + 0xcf, 0x1e, 0x67, 0x15, 0xbf, 0xe7, 0x0b, 0x63, 0x2d, 0x04, 0x4b, 0x26, 0xfb, 0x2b, + 0xc7, 0x1b, 0x7f, 0x36, + ], + note_pos: 3054857184, + note_nf: [ + 0x8a, 0x9a, 0xbd, 0xa3, 0xd4, 0xef, 0x85, 0xca, 0xf2, 0x2b, 0xfa, 0xf2, 0xc4, 0x8f, + 0x62, 0x38, 0x2a, 0x73, 0xa1, 0x62, 0x4e, 0xb8, 0xeb, 0x2b, 0xd0, 0x0d, 0x27, 0x03, + 0x01, 0xbf, 0x3d, 0x13, + ], + }, + TestVector { + sk: [ + 0x05, 0x05, 0x05, 0x05, 0x05, 0x05, 0x05, 0x05, 0x05, 0x05, 0x05, 0x05, 0x05, 0x05, + 0x05, 0x05, 0x05, 0x05, 0x05, 0x05, 0x05, 0x05, 0x05, 0x05, 0x05, 0x05, 0x05, 0x05, + 0x05, 0x05, 0x05, 0x05, + ], + ask: [ + 0xea, 0xe6, 0x88, 0x4d, 0x76, 0x4a, 0x05, 0x40, 0x61, 0xa8, 0xf1, 0xc0, 0x07, 0x6c, + 0x62, 0x4d, 0xcb, 0x73, 0x87, 0x89, 0xf7, 0xad, 0x1e, 0x74, 0x08, 0xe3, 0x1f, 0x24, + 0xdf, 0xc8, 0x26, 0x07, + ], + nsk: [ + 0xfb, 0xe6, 0x10, 0xf4, 0x2a, 0x41, 0x74, 0x9f, 0x9b, 0x6e, 0x6e, 0x4a, 0x54, 0xb5, + 0xa3, 0x2e, 0xbf, 0xe8, 0xf4, 0x38, 0x00, 0x88, 0x1b, 0xa6, 0xcd, 0x13, 0xed, 0x0b, + 0x05, 0x29, 0x46, 0x01, + ], + ovk: [ + 0xc6, 0xbc, 0x1f, 0x39, 0xf0, 0xd7, 0x86, 0x31, 0x4c, 0xb2, 0x0b, 0xf9, 0xab, 0x22, + 0x85, 0x40, 0x91, 0x35, 0x55, 0xf9, 0x70, 0x69, 0x6b, 0x6d, 0x7c, 0x77, 0xbb, 0x33, + 0x23, 0x28, 0x37, 0x2a, + ], + ak: [ + 0xe6, 0x82, 0x76, 0x59, 0x14, 0xe3, 0x86, 0x4c, 0x33, 0x9e, 0x57, 0x82, 0xb8, 0x55, + 0xc0, 0xfd, 0xf4, 0x0e, 0x0d, 0xfc, 0xed, 0xb9, 0xe7, 0xb4, 0x7b, 0xc9, 0x4b, 0x90, + 0xb3, 0xa4, 0xc9, 0x88, + ], + nk: [ + 0x82, 0x25, 0x6b, 0x95, 0x62, 0x3c, 0x67, 0x02, 0x4b, 0x44, 0x24, 0xd9, 0x14, 0x00, + 0xa3, 0x70, 0xe7, 0xac, 0x8e, 0x4d, 0x15, 0x48, 0x2a, 0x37, 0x59, 0xe0, 0x0d, 0x21, + 0x97, 0x49, 0xda, 0xee, + ], + ivk: [ + 0xea, 0x3f, 0x1d, 0x80, 0xe4, 0x30, 0x7c, 0xa7, 0x3b, 0x9f, 0x37, 0x80, 0x1f, 0x91, + 0xfb, 0xa8, 0x10, 0xcc, 0x41, 0xd2, 0x79, 0xfc, 0x29, 0xf5, 0x64, 0x23, 0x56, 0x54, + 0xa2, 0x17, 0x8e, 0x03, + ], + default_d: [ + 0xeb, 0x51, 0x98, 0x82, 0xad, 0x1e, 0x5c, 0xc6, 0x54, 0xcd, 0x59, + ], + default_pk_d: [ + 0x6b, 0x27, 0xda, 0xcc, 0xb5, 0xa8, 0x20, 0x7f, 0x53, 0x2d, 0x10, 0xca, 0x23, 0x8f, + 0x97, 0x86, 0x64, 0x8a, 0x11, 0xb5, 0x96, 0x6e, 0x51, 0xa2, 0xf7, 0xd8, 0x9e, 0x15, + 0xd2, 0x9b, 0x8f, 0xdf, + ], + note_v: 5795906953514121792, + note_r: [ + 0x68, 0xf0, 0x61, 0x04, 0x60, 0x6b, 0x0c, 0x54, 0x49, 0x84, 0x5f, 0xf4, 0xc6, 0x5f, + 0x73, 0xe9, 0x0f, 0x45, 0xef, 0x5a, 0x43, 0xc9, 0xd7, 0x4c, 0xb2, 0xc8, 0x5c, 0xf5, + 0x6c, 0x94, 0xc0, 0x02, + ], + note_cm: [ + 0xe8, 0x26, 0x7d, 0x30, 0xac, 0x11, 0xc1, 0x00, 0xbc, 0x7a, 0x0f, 0xdf, 0x91, 0xf7, + 0x1d, 0x74, 0xc5, 0xbc, 0xf2, 0xe1, 0xef, 0x95, 0x66, 0x90, 0x44, 0x73, 0x01, 0x69, + 0xde, 0x1a, 0x5b, 0x4c, + ], + note_pos: 3818571480, + note_nf: [ + 0x33, 0x2a, 0xd9, 0x9e, 0xb9, 0xe9, 0x77, 0xeb, 0x62, 0x7a, 0x12, 0x2d, 0xbf, 0xb2, + 0xf2, 0x5f, 0xe5, 0x88, 0xe5, 0x97, 0x75, 0x3e, 0xc5, 0x58, 0x0f, 0xf2, 0xbe, 0x20, + 0xb6, 0xc9, 0xa7, 0xe1, + ], + }, + TestVector { + sk: [ + 0x06, 0x06, 0x06, 0x06, 0x06, 0x06, 0x06, 0x06, 0x06, 0x06, 0x06, 0x06, 0x06, 0x06, + 0x06, 0x06, 0x06, 0x06, 0x06, 0x06, 0x06, 0x06, 0x06, 0x06, 0x06, 0x06, 0x06, 0x06, + 0x06, 0x06, 0x06, 0x06, + ], + ask: [ + 0xe8, 0xf8, 0x16, 0xb4, 0xbc, 0x08, 0xa7, 0xe5, 0x66, 0x75, 0x0c, 0xc2, 0x8a, 0xfe, + 0x82, 0xa4, 0xce, 0xa9, 0xc2, 0xbe, 0xf2, 0x44, 0xfa, 0x4b, 0x13, 0xc4, 0x73, 0x9b, + 0x28, 0x07, 0x4c, 0x0d, + ], + nsk: [ + 0x32, 0x61, 0x5b, 0x13, 0x7f, 0x28, 0x01, 0xed, 0x44, 0x6e, 0x48, 0x78, 0x1a, 0xb0, + 0x63, 0x45, 0x72, 0xe1, 0x8c, 0xfb, 0x06, 0x93, 0x72, 0x1b, 0x88, 0x03, 0xc0, 0x5b, + 0x82, 0x27, 0xd1, 0x07, + ], + ovk: [ + 0xf6, 0x2c, 0x05, 0xe8, 0x48, 0xa8, 0x73, 0xef, 0x88, 0x5e, 0x12, 0xb0, 0x8c, 0x5e, + 0x7c, 0xa2, 0xf3, 0x24, 0x24, 0xba, 0xcc, 0x75, 0x4c, 0xb6, 0x97, 0x50, 0x44, 0x4d, + 0x35, 0x5f, 0x51, 0x06, + ], + ak: [ + 0xff, 0x27, 0xdb, 0x07, 0x51, 0x94, 0x5d, 0x3e, 0xe4, 0xbe, 0x9c, 0xf1, 0x5c, 0x2e, + 0xa2, 0x11, 0xb2, 0x4b, 0x16, 0x4d, 0x5f, 0x2d, 0x7d, 0xdf, 0xf5, 0xe4, 0xa0, 0x70, + 0x8f, 0x10, 0xb9, 0x5e, + ], + nk: [ + 0x94, 0x38, 0x85, 0x95, 0x9d, 0x4e, 0xf8, 0xa9, 0xcf, 0xca, 0x07, 0xc4, 0x57, 0xf0, + 0x9e, 0xc7, 0x4b, 0x96, 0xf9, 0x93, 0xd8, 0xe0, 0xfa, 0x32, 0xb1, 0x9c, 0x03, 0xe3, + 0xb0, 0x7a, 0x42, 0x0f, + ], + ivk: [ + 0xb5, 0xc5, 0x89, 0x49, 0x43, 0x95, 0x69, 0x33, 0xc0, 0xe5, 0xc1, 0x2d, 0x31, 0x1f, + 0xc1, 0x2c, 0xba, 0x58, 0x35, 0x4b, 0x5c, 0x38, 0x9e, 0xdc, 0x03, 0xda, 0x55, 0x08, + 0x4f, 0x74, 0xc2, 0x05, + ], + default_d: [ + 0xbe, 0xbb, 0x0f, 0xb4, 0x6b, 0x8a, 0xaf, 0xf8, 0x90, 0x40, 0xf6, + ], + default_pk_d: [ + 0xd1, 0x1d, 0xa0, 0x1f, 0x0b, 0x43, 0xbd, 0xd5, 0x28, 0x8d, 0x32, 0x38, 0x5b, 0x87, + 0x71, 0xd2, 0x23, 0x49, 0x3c, 0x69, 0x80, 0x25, 0x44, 0x04, 0x3f, 0x77, 0xcf, 0x1d, + 0x71, 0xc1, 0xcb, 0x8c, + ], + note_v: 18023134788442677120, + note_r: [ + 0x49, 0xf9, 0x0b, 0x47, 0xfd, 0x52, 0xfe, 0xe7, 0xc1, 0xc8, 0x1f, 0x0d, 0xcb, 0x5b, + 0x74, 0xc3, 0xfb, 0x9b, 0x3e, 0x03, 0x97, 0x6f, 0x8b, 0x75, 0x24, 0xea, 0xba, 0xd0, + 0x08, 0x89, 0x21, 0x07, + ], + note_cm: [ + 0x57, 0x2b, 0xa2, 0x05, 0x25, 0xb0, 0xac, 0x4d, 0x6d, 0xc0, 0x1a, 0xc2, 0xea, 0x10, + 0x90, 0xb6, 0xe0, 0xf2, 0xf4, 0xbf, 0x4e, 0xc4, 0xa0, 0xdb, 0x5b, 0xbc, 0xcb, 0x5b, + 0x78, 0x3a, 0x1e, 0x55, + ], + note_pos: 287318480, + note_nf: [ + 0xfc, 0x74, 0xcd, 0x0e, 0x4b, 0xe0, 0x49, 0x57, 0xb1, 0x96, 0xcf, 0x87, 0x34, 0xae, + 0x99, 0x23, 0x96, 0xaf, 0x4c, 0xfa, 0x8f, 0xec, 0xbb, 0x86, 0xf9, 0x61, 0xe6, 0xb4, + 0x07, 0xd5, 0x1e, 0x11, + ], + }, + TestVector { + sk: [ + 0x07, 0x07, 0x07, 0x07, 0x07, 0x07, 0x07, 0x07, 0x07, 0x07, 0x07, 0x07, 0x07, 0x07, + 0x07, 0x07, 0x07, 0x07, 0x07, 0x07, 0x07, 0x07, 0x07, 0x07, 0x07, 0x07, 0x07, 0x07, + 0x07, 0x07, 0x07, 0x07, + ], + ask: [ + 0x74, 0xb4, 0x4a, 0x37, 0xf1, 0x50, 0x23, 0xc0, 0x60, 0x42, 0x7e, 0x1d, 0xae, 0xa3, + 0xf6, 0x43, 0x12, 0xdd, 0x8f, 0xeb, 0x7b, 0x2c, 0xed, 0xf0, 0xdd, 0x55, 0x44, 0x49, + 0x3f, 0x87, 0x2c, 0x06, + ], + nsk: [ + 0x07, 0x5c, 0x35, 0xdb, 0x8b, 0x1b, 0x25, 0x75, 0x42, 0x23, 0xec, 0xee, 0x34, 0xab, + 0x73, 0x0d, 0xdd, 0xd1, 0xf1, 0x4a, 0x6a, 0x54, 0xf4, 0xc6, 0xf4, 0x68, 0x45, 0x3c, + 0x3c, 0x6e, 0xd6, 0x0b, + ], + ovk: [ + 0xe9, 0xe0, 0xdc, 0x1e, 0xd3, 0x11, 0xda, 0xed, 0x64, 0xbd, 0x74, 0xda, 0x5d, 0x94, + 0xfe, 0x88, 0xa6, 0xea, 0x41, 0x4b, 0x73, 0x12, 0xde, 0x3d, 0x2a, 0x78, 0xf6, 0x46, + 0x32, 0xbb, 0xe3, 0x73, + ], + ak: [ + 0x28, 0x3f, 0x9a, 0xaf, 0xa9, 0xbc, 0xb3, 0xe6, 0xce, 0x17, 0xe6, 0x32, 0x12, 0x63, + 0x4c, 0xb3, 0xee, 0x55, 0x0c, 0x47, 0x6b, 0x67, 0x6b, 0xd3, 0x56, 0xa6, 0xdf, 0x8a, + 0xdf, 0x51, 0xd2, 0x5e, + ], + nk: [ + 0xdc, 0x4c, 0x67, 0xb1, 0x0d, 0x4b, 0x0a, 0x21, 0x8d, 0xc6, 0xe1, 0x48, 0x70, 0x66, + 0x74, 0x0a, 0x40, 0x93, 0x17, 0x86, 0x6c, 0x32, 0xe6, 0x64, 0xb5, 0x0e, 0x39, 0x7a, + 0xa8, 0x03, 0x89, 0xd4, + ], + ivk: [ + 0x87, 0x16, 0xc8, 0x28, 0x80, 0xe1, 0x36, 0x83, 0xe1, 0xbb, 0x05, 0x9d, 0xd0, 0x6c, + 0x80, 0xc9, 0x01, 0x34, 0xa9, 0x6d, 0x5a, 0xfc, 0xa8, 0xaa, 0xc2, 0xbb, 0xf6, 0x8b, + 0xb0, 0x5f, 0x84, 0x02, + ], + default_d: [ + 0xad, 0x6e, 0x2e, 0x18, 0x5a, 0x31, 0x00, 0xe3, 0xa6, 0xa8, 0xb3, + ], + default_pk_d: [ + 0x32, 0xcb, 0x28, 0x06, 0xb8, 0x82, 0xf1, 0x36, 0x8b, 0x0d, 0x4a, 0x89, 0x8f, 0x72, + 0xc4, 0xc8, 0xf7, 0x28, 0x13, 0x2c, 0xc1, 0x24, 0x56, 0x94, 0x6e, 0x7f, 0x4c, 0xb0, + 0xfb, 0x05, 0x8d, 0xa9, + ], + note_v: 11803618549661680832, + note_r: [ + 0x51, 0x65, 0xaf, 0xf2, 0x2d, 0xd4, 0xed, 0x56, 0xb4, 0xd8, 0x1d, 0x1f, 0x17, 0x1c, + 0xc3, 0xd6, 0x43, 0x2f, 0xed, 0x1b, 0xeb, 0xf2, 0x0a, 0x7b, 0xea, 0xb1, 0x2d, 0xb1, + 0x42, 0xf9, 0x4a, 0x0c, + ], + note_cm: [ + 0xab, 0x7f, 0xc5, 0x66, 0x87, 0x3c, 0xcd, 0xe6, 0x71, 0xf5, 0x98, 0x27, 0x67, 0x85, + 0x60, 0xa0, 0x06, 0xf8, 0x2b, 0xb7, 0xad, 0xcd, 0x75, 0x22, 0x3f, 0xa8, 0x59, 0x36, + 0xf7, 0x8c, 0x2b, 0x23, + ], + note_pos: 1051032776, + note_nf: [ + 0xd2, 0xe8, 0x87, 0xbd, 0x85, 0x4a, 0x80, 0x2b, 0xce, 0x85, 0x70, 0x53, 0x02, 0x0f, + 0x5d, 0x3e, 0x7c, 0x8a, 0xe5, 0x26, 0x7c, 0x5b, 0x65, 0x83, 0xb3, 0xd2, 0x12, 0xcc, + 0x8b, 0xb6, 0x98, 0x90, + ], + }, + TestVector { + sk: [ + 0x08, 0x08, 0x08, 0x08, 0x08, 0x08, 0x08, 0x08, 0x08, 0x08, 0x08, 0x08, 0x08, 0x08, + 0x08, 0x08, 0x08, 0x08, 0x08, 0x08, 0x08, 0x08, 0x08, 0x08, 0x08, 0x08, 0x08, 0x08, + 0x08, 0x08, 0x08, 0x08, + ], + ask: [ + 0x03, 0x9d, 0xd9, 0x3d, 0xf3, 0x11, 0xff, 0x8f, 0xba, 0xb3, 0xfe, 0x23, 0x02, 0x19, + 0xcd, 0x42, 0xac, 0x87, 0x94, 0x84, 0xf3, 0x0b, 0x90, 0x3a, 0x3c, 0x1e, 0x67, 0xcc, + 0xca, 0x5a, 0x7b, 0x0d, + ], + nsk: [ + 0x04, 0x9f, 0xa1, 0x4f, 0x48, 0x6c, 0x75, 0xb9, 0xfa, 0xd7, 0xe3, 0xb6, 0x73, 0xa4, + 0x43, 0xdd, 0x07, 0x4e, 0xaa, 0x96, 0xed, 0xcb, 0x2a, 0x53, 0xea, 0xaa, 0xbd, 0xaf, + 0x70, 0xff, 0xbb, 0x08, + ], + ovk: [ + 0x14, 0x7d, 0xd1, 0x1d, 0x77, 0xeb, 0xa1, 0xb1, 0x63, 0x6f, 0xd6, 0x19, 0x0c, 0x62, + 0xb9, 0xa5, 0xd0, 0x48, 0x1b, 0xee, 0x7e, 0x91, 0x7f, 0xab, 0x02, 0xe2, 0x18, 0x58, + 0x06, 0x3a, 0xb5, 0x04, + ], + ak: [ + 0x36, 0x40, 0x48, 0xee, 0xdb, 0xe8, 0xca, 0x20, 0x5e, 0xb7, 0xe7, 0xba, 0x0a, 0x90, + 0x12, 0x16, 0x6c, 0x7c, 0x7b, 0xd9, 0xeb, 0x22, 0x8e, 0x08, 0x48, 0x14, 0x48, 0xc4, + 0x88, 0xaa, 0x21, 0xd2, + ], + nk: [ + 0xed, 0x60, 0xaf, 0x1c, 0xe7, 0xdf, 0x38, 0x07, 0x0d, 0x38, 0x51, 0x43, 0x2a, 0x96, + 0x48, 0x0d, 0xb0, 0xb4, 0x17, 0xc3, 0x68, 0x2a, 0x1d, 0x68, 0xe3, 0xe8, 0x93, 0x34, + 0x23, 0x5c, 0x0b, 0xdf, + ], + ivk: [ + 0x99, 0xc9, 0xb4, 0xb8, 0x4f, 0x4b, 0x4e, 0x35, 0x0f, 0x78, 0x7d, 0x1c, 0xf7, 0x05, + 0x1d, 0x50, 0xec, 0xc3, 0x4b, 0x1a, 0x5b, 0x20, 0xd2, 0xd2, 0x13, 0x9b, 0x4a, 0xf1, + 0xf1, 0x60, 0xe0, 0x01, + ], + default_d: [ + 0x21, 0xc9, 0x0e, 0x1c, 0x65, 0x8b, 0x3e, 0xfe, 0x86, 0xaf, 0x58, + ], + default_pk_d: [ + 0x9e, 0x64, 0x17, 0x4b, 0x4a, 0xb9, 0x81, 0x40, 0x5c, 0x32, 0x3b, 0x5e, 0x12, 0x47, + 0x59, 0x45, 0xa4, 0x6d, 0x4f, 0xed, 0xf8, 0x06, 0x08, 0x28, 0x04, 0x1c, 0xd2, 0x0e, + 0x62, 0xfd, 0x2c, 0xef, + ], + note_v: 5584102310880684544, + note_r: [ + 0x8c, 0x3e, 0x56, 0x44, 0x9d, 0xc8, 0x63, 0x54, 0xd3, 0x3b, 0x02, 0x5e, 0xf2, 0x79, + 0x34, 0x60, 0xbc, 0xb1, 0x69, 0xf3, 0x32, 0x4e, 0x4a, 0x6b, 0x64, 0xba, 0xa6, 0x08, + 0x32, 0x31, 0x57, 0x04, + ], + note_cm: [ + 0x7b, 0x48, 0xa8, 0x37, 0x5d, 0x3e, 0xbd, 0x56, 0xbc, 0x64, 0x9b, 0xb5, 0xb5, 0x24, + 0x23, 0x36, 0xc2, 0xa0, 0x5a, 0x08, 0x03, 0x23, 0x9b, 0x5b, 0x88, 0xfd, 0x92, 0x07, + 0x8f, 0xea, 0x4d, 0x04, + ], + note_pos: 1814747072, + note_nf: [ + 0xa8, 0x2f, 0x17, 0x50, 0xcc, 0x5b, 0x2b, 0xee, 0x64, 0x9a, 0x36, 0x5c, 0x04, 0x20, + 0xed, 0x87, 0x07, 0x5b, 0x88, 0x71, 0xfd, 0xa4, 0xa7, 0xf5, 0x84, 0x0d, 0x6b, 0xbe, + 0xb1, 0x7c, 0xd6, 0x20, + ], + }, + TestVector { + sk: [ + 0x09, 0x09, 0x09, 0x09, 0x09, 0x09, 0x09, 0x09, 0x09, 0x09, 0x09, 0x09, 0x09, 0x09, + 0x09, 0x09, 0x09, 0x09, 0x09, 0x09, 0x09, 0x09, 0x09, 0x09, 0x09, 0x09, 0x09, 0x09, + 0x09, 0x09, 0x09, 0x09, + ], + ask: [ + 0xeb, 0xbb, 0x40, 0xa9, 0x80, 0xba, 0x3b, 0x88, 0x60, 0x94, 0x8d, 0x01, 0x1e, 0x1b, + 0xfb, 0x4a, 0xff, 0xe1, 0x6c, 0x65, 0x2e, 0x90, 0xe9, 0x82, 0x58, 0x30, 0x2f, 0x44, + 0x64, 0xc9, 0x1e, 0x0c, + ], + nsk: [ + 0x68, 0x43, 0x1b, 0x19, 0x91, 0x04, 0x21, 0x52, 0x00, 0xb9, 0x5e, 0xe5, 0xcb, 0x71, + 0xbf, 0x8b, 0x88, 0x3a, 0x3e, 0x95, 0xb7, 0x98, 0x9c, 0xad, 0x19, 0x70, 0x63, 0x14, + 0x1e, 0xbb, 0xfd, 0x00, + ], + ovk: [ + 0x57, 0x34, 0x67, 0xa7, 0xb3, 0x0e, 0xad, 0x6c, 0xcc, 0x50, 0x47, 0x44, 0xca, 0x9e, + 0x1a, 0x28, 0x1a, 0x0d, 0x1a, 0x08, 0x73, 0x8b, 0x06, 0xa0, 0x68, 0x4f, 0xea, 0xcd, + 0x1e, 0x9d, 0x12, 0x6d, + ], + ak: [ + 0x71, 0xc3, 0x52, 0x3e, 0xec, 0xa3, 0x53, 0x11, 0xfb, 0xd5, 0xd7, 0xe7, 0xd7, 0x0b, + 0x70, 0x9d, 0x6c, 0x35, 0xa2, 0x4f, 0x26, 0x2b, 0x34, 0xbf, 0x64, 0x05, 0x9b, 0xf2, + 0xc0, 0x2e, 0x0b, 0xa8, + ], + nk: [ + 0x62, 0x44, 0x00, 0x10, 0x3b, 0x65, 0x69, 0xb7, 0x35, 0x8f, 0xe8, 0x0f, 0x6f, 0x6c, + 0xad, 0x43, 0x25, 0xde, 0xfd, 0xa9, 0xd9, 0x49, 0x9c, 0x2b, 0x8f, 0x88, 0x6a, 0x62, + 0x69, 0xa2, 0xaa, 0x52, + ], + ivk: [ + 0xdb, 0x95, 0xea, 0x8b, 0xd9, 0xf9, 0x3d, 0x41, 0xb5, 0xab, 0x2b, 0xeb, 0xc9, 0x1a, + 0x38, 0xed, 0xd5, 0x27, 0x08, 0x3e, 0x2a, 0x6e, 0xf9, 0xf3, 0xc2, 0x97, 0x02, 0xd5, + 0xff, 0x89, 0xed, 0x00, + ], + default_d: [ + 0x23, 0x3c, 0x4a, 0xb8, 0x86, 0xa5, 0x5e, 0x3b, 0xa3, 0x74, 0xc0, + ], + default_pk_d: [ + 0xb6, 0x8e, 0x9e, 0xe0, 0xc0, 0x67, 0x8d, 0x7b, 0x30, 0x36, 0x93, 0x1c, 0x83, 0x1a, + 0x25, 0x25, 0x5f, 0x7e, 0xe4, 0x87, 0x38, 0x5a, 0x30, 0x31, 0x6e, 0x15, 0xf6, 0x48, + 0x2b, 0x87, 0x4f, 0xda, + ], + note_v: 17811330145809239872, + note_r: [ + 0x6e, 0xbb, 0xed, 0x74, 0x36, 0x19, 0xa2, 0x56, 0xf9, 0xad, 0x2e, 0x85, 0x88, 0x0c, + 0xfa, 0xa9, 0x09, 0x8a, 0x5f, 0xdb, 0x16, 0x29, 0x99, 0x0d, 0x9a, 0x7d, 0x3b, 0xb9, + 0x3f, 0xc9, 0x00, 0x03, + ], + note_cm: [ + 0xd3, 0x76, 0xa7, 0xbe, 0xe8, 0xce, 0x67, 0xf4, 0xef, 0xde, 0x56, 0xaa, 0x77, 0xcf, + 0x64, 0x41, 0x9b, 0x0e, 0x55, 0x0a, 0xbb, 0xcb, 0x8e, 0x2b, 0xcb, 0xda, 0x8b, 0x63, + 0xe4, 0x1d, 0xeb, 0x37, + ], + note_pos: 2578461368, + note_nf: [ + 0x65, 0x36, 0x74, 0x87, 0x3b, 0x3c, 0x67, 0x0c, 0x58, 0x85, 0x84, 0x73, 0xe7, 0xfe, + 0x72, 0x19, 0x72, 0xfb, 0x96, 0xe2, 0x15, 0xb8, 0x73, 0x77, 0xa1, 0x7c, 0xa3, 0x71, + 0x0d, 0x93, 0xc9, 0xe9, + ], + }, + ]; + + for tv in test_vectors { + let mut ask_repr = FsRepr::default(); + let mut nsk_repr = FsRepr::default(); + ask_repr.read_le(&tv.ask[..]).unwrap(); + nsk_repr.read_le(&tv.nsk[..]).unwrap(); + let nsk = ::Fs::from_repr(nsk_repr).unwrap(); + + let ak = JUBJUB + .generator(FixedGenerators::SpendingKeyGenerator) + .mul(ask_repr.clone(), &JUBJUB); + { + let mut vec = Vec::new(); + ak.write(&mut vec).unwrap(); + assert_eq!(&vec, &tv.ak); + } + { + let mut ak = [0u8; 32]; + librustzcash_ask_to_ak(&tv.ask, &mut ak); + assert_eq!(&ak, &tv.ak); + } + + let pgk = ProofGenerationKey { ak, nsk }; + let fvk = pgk.to_viewing_key(&JUBJUB); + { + let mut vec = Vec::new(); + fvk.nk.write(&mut vec).unwrap(); + assert_eq!(&vec, &tv.nk); + } + { + let mut nk = [0u8; 32]; + librustzcash_nsk_to_nk(&tv.nsk, &mut nk); + assert_eq!(&nk, &tv.nk); + } + + { + let mut vec = Vec::new(); + fvk.ivk().into_repr().write_le(&mut vec).unwrap(); + assert_eq!(&vec, &tv.ivk); + } + { + let mut ivk = [0u8; 32]; + librustzcash_crh_ivk(&tv.ak, &tv.nk, &mut ivk); + assert_eq!(&ivk, &tv.ivk); + } + + let diversifier = Diversifier(tv.default_d); + assert!(librustzcash_check_diversifier(&tv.default_d)); + + let addr = fvk.to_payment_address(diversifier, &JUBJUB).unwrap(); + { + let mut vec = Vec::new(); + addr.pk_d().write(&mut vec).unwrap(); + assert_eq!(&vec, &tv.default_pk_d); + } + { + let mut default_pk_d = [0u8; 32]; + librustzcash_ivk_to_pkd(&tv.ivk, &tv.default_d, &mut default_pk_d); + assert_eq!(&default_pk_d, &tv.default_pk_d); + } + + let mut note_r_repr = FsRepr::default(); + note_r_repr.read_le(&tv.note_r[..]).unwrap(); + let note_r = ::Fs::from_repr(note_r_repr).unwrap(); + let note = addr.create_note(tv.note_v, note_r, &JUBJUB).unwrap(); + { + let mut vec = Vec::new(); + note.cm(&JUBJUB).into_repr().write_le(&mut vec).unwrap(); + assert_eq!(&vec, &tv.note_cm); + } + + assert_eq!(note.nf(&fvk, tv.note_pos, &JUBJUB), tv.note_nf); + } +} diff --git a/src/rust/src/tests/mod.rs b/src/rust/src/tests/mod.rs new file mode 100644 index 000000000..dba738767 --- /dev/null +++ b/src/rust/src/tests/mod.rs @@ -0,0 +1,96 @@ +use zcash_primitives::jubjub::{FixedGenerators, JubjubParams}; + +use super::JUBJUB; + +mod key_agreement; +mod key_components; +mod notes; +mod signatures; + +#[test] +fn sapling_generators() { + struct SaplingGenerators { + skb: [u8; 32], + pkb: [u8; 32], + npb: [u8; 32], + wprb: [u8; 32], + vcvb: [u8; 32], + vcrb: [u8; 32], + }; + + // From https://github.com/zcash-hackworks/zcash-test-vectors/blob/master/sapling_generators.py + let sapling_generators = SaplingGenerators { + skb: [ + 0x30, 0xb5, 0xf2, 0xaa, 0xad, 0x32, 0x56, 0x30, 0xbc, 0xdd, 0xdb, 0xce, 0x4d, 0x67, + 0x65, 0x6d, 0x05, 0xfd, 0x1c, 0xc2, 0xd0, 0x37, 0xbb, 0x53, 0x75, 0xb6, 0xe9, 0x6d, + 0x9e, 0x01, 0xa1, 0xd7, + ], + pkb: [ + 0xe7, 0xe8, 0x5d, 0xe0, 0xf7, 0xf9, 0x7a, 0x46, 0xd2, 0x49, 0xa1, 0xf5, 0xea, 0x51, + 0xdf, 0x50, 0xcc, 0x48, 0x49, 0x0f, 0x84, 0x01, 0xc9, 0xde, 0x7a, 0x2a, 0xdf, 0x18, + 0x07, 0xd1, 0xb6, 0xd4, + ], + npb: [ + 0x65, 0x00, 0x2b, 0xc7, 0x36, 0xfa, 0xf7, 0xa3, 0x42, 0x2e, 0xff, 0xff, 0xe8, 0xb8, + 0x55, 0xe1, 0x8f, 0xba, 0x96, 0xa0, 0x15, 0x8a, 0x9e, 0xfc, 0xa5, 0x84, 0xbf, 0x40, + 0x54, 0x9d, 0x36, 0xe1, + ], + wprb: [ + 0xac, 0x77, 0x6c, 0x79, 0x65, 0x63, 0xfc, 0xd4, 0x4c, 0xc4, 0x9c, 0xfa, 0xea, 0x8b, + 0xb7, 0x96, 0x95, 0x2c, 0x26, 0x6e, 0x47, 0x77, 0x9d, 0x94, 0x57, 0x4c, 0x10, 0xad, + 0x01, 0x75, 0x4b, 0x11, + ], + vcvb: [ + 0xd7, 0xc8, 0x67, 0x06, 0xf5, 0x81, 0x7a, 0xa7, 0x18, 0xcd, 0x1c, 0xfa, 0xd0, 0x32, + 0x33, 0xbc, 0xd6, 0x4a, 0x77, 0x89, 0xfd, 0x94, 0x22, 0xd3, 0xb1, 0x7a, 0xf6, 0x82, + 0x3a, 0x7e, 0x6a, 0xc6, + ], + vcrb: [ + 0x8b, 0x6a, 0x0b, 0x38, 0xb9, 0xfa, 0xae, 0x3c, 0x3b, 0x80, 0x3b, 0x47, 0xb0, 0xf1, + 0x46, 0xad, 0x50, 0xab, 0x22, 0x1e, 0x6e, 0x2a, 0xfb, 0xe6, 0xdb, 0xde, 0x45, 0xcb, + 0xa9, 0xd3, 0x81, 0xed, + ], + }; + + { + let mut vec = Vec::new(); + let p = JUBJUB.generator(FixedGenerators::SpendingKeyGenerator); + p.write(&mut vec).unwrap(); + assert_eq!(&vec, &sapling_generators.skb); + } + + { + let mut vec = Vec::new(); + let p = JUBJUB.generator(FixedGenerators::ProofGenerationKey); + p.write(&mut vec).unwrap(); + assert_eq!(&vec, &sapling_generators.pkb); + } + + { + let mut vec = Vec::new(); + let p = JUBJUB.generator(FixedGenerators::NullifierPosition); + p.write(&mut vec).unwrap(); + assert_eq!(&vec, &sapling_generators.npb); + } + + { + let mut vec = Vec::new(); + let p = JUBJUB.generator(FixedGenerators::NoteCommitmentRandomness); + p.write(&mut vec).unwrap(); + assert_eq!(&vec, &sapling_generators.wprb); + } + + { + let mut vec = Vec::new(); + let p = JUBJUB.generator(FixedGenerators::ValueCommitmentValue); + p.write(&mut vec).unwrap(); + assert_eq!(&vec, &sapling_generators.vcvb); + } + + { + let mut vec = Vec::new(); + let p = JUBJUB.generator(FixedGenerators::ValueCommitmentRandomness); + p.write(&mut vec).unwrap(); + assert_eq!(&vec, &sapling_generators.vcrb); + } +} diff --git a/src/rust/src/tests/notes.rs b/src/rust/src/tests/notes.rs new file mode 100644 index 000000000..6b48b5ff8 --- /dev/null +++ b/src/rust/src/tests/notes.rs @@ -0,0 +1,673 @@ +use crate::librustzcash_sapling_compute_cm; +use crate::librustzcash_sapling_compute_nf; + +#[test] +fn notes() { + #![allow(dead_code)] + struct TestVector { + sk: [u8; 32], + ask: [u8; 32], + nsk: [u8; 32], + ovk: [u8; 32], + ak: [u8; 32], + nk: [u8; 32], + ivk: [u8; 32], + default_d: [u8; 11], + default_pk_d: [u8; 32], + note_v: u64, + note_r: [u8; 32], + note_cm: [u8; 32], + note_pos: u64, + note_nf: [u8; 32], + }; + + // From https://github.com/zcash-hackworks/zcash-test-vectors/blob/master/sapling_key_components.py + let test_vectors = vec![ + TestVector { + sk: [ + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, + ], + ask: [ + 0x85, 0x48, 0xa1, 0x4a, 0x47, 0x3e, 0xa5, 0x47, 0xaa, 0x23, 0x78, 0x40, 0x20, 0x44, + 0xf8, 0x18, 0xcf, 0x19, 0x11, 0xcf, 0x5d, 0xd2, 0x05, 0x4f, 0x67, 0x83, 0x45, 0xf0, + 0x0d, 0x0e, 0x88, 0x06, + ], + nsk: [ + 0x30, 0x11, 0x4e, 0xa0, 0xdd, 0x0b, 0xb6, 0x1c, 0xf0, 0xea, 0xea, 0xb6, 0xec, 0x33, + 0x31, 0xf5, 0x81, 0xb0, 0x42, 0x5e, 0x27, 0x33, 0x85, 0x01, 0x26, 0x2d, 0x7e, 0xac, + 0x74, 0x5e, 0x6e, 0x05, + ], + ovk: [ + 0x98, 0xd1, 0x69, 0x13, 0xd9, 0x9b, 0x04, 0x17, 0x7c, 0xab, 0xa4, 0x4f, 0x6e, 0x4d, + 0x22, 0x4e, 0x03, 0xb5, 0xac, 0x03, 0x1d, 0x7c, 0xe4, 0x5e, 0x86, 0x51, 0x38, 0xe1, + 0xb9, 0x96, 0xd6, 0x3b, + ], + ak: [ + 0xf3, 0x44, 0xec, 0x38, 0x0f, 0xe1, 0x27, 0x3e, 0x30, 0x98, 0xc2, 0x58, 0x8c, 0x5d, + 0x3a, 0x79, 0x1f, 0xd7, 0xba, 0x95, 0x80, 0x32, 0x76, 0x07, 0x77, 0xfd, 0x0e, 0xfa, + 0x8e, 0xf1, 0x16, 0x20, + ], + nk: [ + 0xf7, 0xcf, 0x9e, 0x77, 0xf2, 0xe5, 0x86, 0x83, 0x38, 0x3c, 0x15, 0x19, 0xac, 0x7b, + 0x06, 0x2d, 0x30, 0x04, 0x0e, 0x27, 0xa7, 0x25, 0xfb, 0x88, 0xfb, 0x19, 0xa9, 0x78, + 0xbd, 0x3f, 0xd6, 0xba, + ], + ivk: [ + 0xb7, 0x0b, 0x7c, 0xd0, 0xed, 0x03, 0xcb, 0xdf, 0xd7, 0xad, 0xa9, 0x50, 0x2e, 0xe2, + 0x45, 0xb1, 0x3e, 0x56, 0x9d, 0x54, 0xa5, 0x71, 0x9d, 0x2d, 0xaa, 0x0f, 0x5f, 0x14, + 0x51, 0x47, 0x92, 0x04, + ], + default_d: [ + 0xf1, 0x9d, 0x9b, 0x79, 0x7e, 0x39, 0xf3, 0x37, 0x44, 0x58, 0x39, + ], + default_pk_d: [ + 0xdb, 0x4c, 0xd2, 0xb0, 0xaa, 0xc4, 0xf7, 0xeb, 0x8c, 0xa1, 0x31, 0xf1, 0x65, 0x67, + 0xc4, 0x45, 0xa9, 0x55, 0x51, 0x26, 0xd3, 0xc2, 0x9f, 0x14, 0xe3, 0xd7, 0x76, 0xe8, + 0x41, 0xae, 0x74, 0x15, + ], + note_v: 0, + note_r: [ + 0x39, 0x17, 0x6d, 0xac, 0x39, 0xac, 0xe4, 0x98, 0x0e, 0xcc, 0x8d, 0x77, 0x8e, 0x89, + 0x86, 0x02, 0x55, 0xec, 0x36, 0x15, 0x06, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, + ], + note_cm: [ + 0xcb, 0x3c, 0xf9, 0x15, 0x32, 0x70, 0xd5, 0x7e, 0xb9, 0x14, 0xc6, 0xc2, 0xbc, 0xc0, + 0x18, 0x50, 0xc9, 0xfe, 0xd4, 0x4f, 0xce, 0x08, 0x06, 0x27, 0x8f, 0x08, 0x3e, 0xf2, + 0xdd, 0x07, 0x64, 0x39, + ], + note_pos: 0, + note_nf: [ + 0x44, 0xfa, 0xd6, 0x56, 0x4f, 0xfd, 0xec, 0x9f, 0xa1, 0x9c, 0x43, 0xa2, 0x8f, 0x86, + 0x1d, 0x5e, 0xbf, 0x60, 0x23, 0x46, 0x00, 0x7d, 0xe7, 0x62, 0x67, 0xd9, 0x75, 0x27, + 0x47, 0xab, 0x40, 0x63, + ], + }, + TestVector { + sk: [ + 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, + 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, + 0x01, 0x01, 0x01, 0x01, + ], + ask: [ + 0xc9, 0x43, 0x56, 0x29, 0xbf, 0x8b, 0xff, 0xe5, 0x5e, 0x73, 0x35, 0xec, 0x07, 0x77, + 0x18, 0xba, 0x60, 0xba, 0x28, 0xd7, 0xac, 0x37, 0x94, 0xb7, 0x4f, 0x51, 0x2c, 0x31, + 0xaf, 0x0a, 0x53, 0x04, + ], + nsk: [ + 0x11, 0xac, 0xc2, 0xea, 0xd0, 0x7b, 0x5f, 0x00, 0x8c, 0x1f, 0x0f, 0x09, 0x0c, 0xc8, + 0xdd, 0xf3, 0x35, 0x23, 0x6f, 0xf4, 0xb2, 0x53, 0xc6, 0x49, 0x56, 0x95, 0xe9, 0xd6, + 0x39, 0xda, 0xcd, 0x08, + ], + ovk: [ + 0x3b, 0x94, 0x62, 0x10, 0xce, 0x6d, 0x1b, 0x16, 0x92, 0xd7, 0x39, 0x2a, 0xc8, 0x4a, + 0x8b, 0xc8, 0xf0, 0x3b, 0x72, 0x72, 0x3c, 0x7d, 0x36, 0x72, 0x1b, 0x80, 0x9a, 0x79, + 0xc9, 0xd6, 0xe4, 0x5b, + ], + ak: [ + 0x82, 0xff, 0x5e, 0xff, 0xc5, 0x27, 0xae, 0x84, 0x02, 0x0b, 0xf2, 0xd3, 0x52, 0x01, + 0xc1, 0x02, 0x19, 0x13, 0x19, 0x47, 0xff, 0x4b, 0x96, 0xf8, 0x81, 0xa4, 0x5f, 0x2e, + 0x8a, 0xe3, 0x05, 0x18, + ], + nk: [ + 0xc4, 0x53, 0x4d, 0x84, 0x8b, 0xb9, 0x18, 0xcf, 0x4a, 0x7f, 0x8b, 0x98, 0x74, 0x0a, + 0xb3, 0xcc, 0xee, 0x58, 0x67, 0x95, 0xff, 0x4d, 0xf6, 0x45, 0x47, 0xa8, 0x88, 0x8a, + 0x6c, 0x74, 0x15, 0xd2, + ], + ivk: [ + 0xc5, 0x18, 0x38, 0x44, 0x66, 0xb2, 0x69, 0x88, 0xb5, 0x10, 0x90, 0x67, 0x41, 0x8d, + 0x19, 0x2d, 0x9d, 0x6b, 0xd0, 0xd9, 0x23, 0x22, 0x05, 0xd7, 0x74, 0x18, 0xc2, 0x40, + 0xfc, 0x68, 0xa4, 0x06, + ], + default_d: [ + 0xae, 0xf1, 0x80, 0xf6, 0xe3, 0x4e, 0x35, 0x4b, 0x88, 0x8f, 0x81, + ], + default_pk_d: [ + 0xa6, 0xb1, 0x3e, 0xa3, 0x36, 0xdd, 0xb7, 0xa6, 0x7b, 0xb0, 0x9a, 0x0e, 0x68, 0xe9, + 0xd3, 0xcf, 0xb3, 0x92, 0x10, 0x83, 0x1e, 0xa3, 0xa2, 0x96, 0xba, 0x09, 0xa9, 0x22, + 0x06, 0x0f, 0xd3, 0x8b, + ], + note_v: 12227227834928555328, + note_r: [ + 0x47, 0x8b, 0xa0, 0xee, 0x6e, 0x1a, 0x75, 0xb6, 0x00, 0x03, 0x6f, 0x26, 0xf1, 0x8b, + 0x70, 0x15, 0xab, 0x55, 0x6b, 0xed, 0xdf, 0x8b, 0x96, 0x02, 0x38, 0x86, 0x9f, 0x89, + 0xdd, 0x80, 0x4e, 0x06, + ], + note_cm: [ + 0xb5, 0x78, 0x93, 0x50, 0x0b, 0xfb, 0x85, 0xdf, 0x2e, 0x8b, 0x01, 0xac, 0x45, 0x2f, + 0x89, 0xe1, 0x0e, 0x26, 0x6b, 0xcf, 0xa3, 0x1c, 0x31, 0xb2, 0x9a, 0x53, 0xae, 0x72, + 0xca, 0xd4, 0x69, 0x50, + ], + note_pos: 763714296, + note_nf: [ + 0x67, 0x9e, 0xb0, 0xc3, 0xa7, 0x57, 0xe2, 0xae, 0x83, 0xcd, 0xb4, 0x2a, 0x1a, 0xb2, + 0x59, 0xd7, 0x83, 0x88, 0x31, 0x54, 0x19, 0xad, 0xc7, 0x1d, 0x2e, 0x37, 0x63, 0x17, + 0x4c, 0x2e, 0x9d, 0x93, + ], + }, + TestVector { + sk: [ + 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, + 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, + 0x02, 0x02, 0x02, 0x02, + ], + ask: [ + 0xee, 0x1c, 0x3d, 0x7e, 0xfe, 0x0a, 0x78, 0x06, 0x3d, 0x6a, 0xf3, 0xd9, 0xd8, 0x12, + 0x12, 0xaf, 0x47, 0xb7, 0xc1, 0xb7, 0x61, 0xf8, 0x5c, 0xcb, 0x06, 0x6f, 0xc1, 0x1a, + 0x6a, 0x42, 0x17, 0x03, + ], + nsk: [ + 0x1d, 0x3b, 0x71, 0x37, 0x55, 0xd7, 0x48, 0x75, 0xe8, 0xea, 0x38, 0xfd, 0x16, 0x6e, + 0x76, 0xc6, 0x2a, 0x42, 0x50, 0x21, 0x6e, 0x6b, 0xbf, 0xe4, 0x8a, 0x5e, 0x2e, 0xab, + 0xad, 0x11, 0x7f, 0x0b, + ], + ovk: [ + 0x8b, 0xf4, 0x39, 0x0e, 0x28, 0xdd, 0xc9, 0x5b, 0x83, 0x02, 0xc3, 0x81, 0xd5, 0x81, + 0x0b, 0x84, 0xba, 0x8e, 0x60, 0x96, 0xe5, 0xa7, 0x68, 0x22, 0x77, 0x4f, 0xd4, 0x9f, + 0x49, 0x1e, 0x8f, 0x49, + ], + ak: [ + 0xab, 0x83, 0x57, 0x4e, 0xb5, 0xde, 0x85, 0x9a, 0x0a, 0xb8, 0x62, 0x9d, 0xec, 0x34, + 0xc7, 0xbe, 0xe8, 0xc3, 0xfc, 0x74, 0xdf, 0xa0, 0xb1, 0x9a, 0x3a, 0x74, 0x68, 0xd1, + 0x5d, 0xca, 0x64, 0xc6, + ], + nk: [ + 0x95, 0xd5, 0x80, 0x53, 0xe0, 0x59, 0x2e, 0x4a, 0x16, 0x9c, 0xc0, 0xb7, 0x92, 0x8a, + 0xaa, 0xc3, 0xde, 0x24, 0xef, 0x15, 0x31, 0xaa, 0x9e, 0xb6, 0xf4, 0xab, 0x93, 0x91, + 0x4d, 0xa8, 0xa0, 0x6e, + ], + ivk: [ + 0x47, 0x1c, 0x24, 0xa3, 0xdc, 0x87, 0x30, 0xe7, 0x50, 0x36, 0xc0, 0xa9, 0x5f, 0x3e, + 0x2f, 0x7d, 0xd1, 0xbe, 0x6f, 0xb9, 0x3a, 0xd2, 0x95, 0x92, 0x20, 0x3d, 0xef, 0x30, + 0x41, 0x95, 0x45, 0x05, + ], + default_d: [ + 0x75, 0x99, 0xf0, 0xbf, 0x9b, 0x57, 0xcd, 0x2d, 0xc2, 0x99, 0xb6, + ], + default_pk_d: [ + 0x66, 0x14, 0x17, 0x39, 0x51, 0x4b, 0x28, 0xf0, 0x5d, 0xef, 0x8a, 0x18, 0xee, 0xee, + 0x5e, 0xed, 0x4d, 0x44, 0xc6, 0x22, 0x5c, 0x3c, 0x65, 0xd8, 0x8d, 0xd9, 0x90, 0x77, + 0x08, 0x01, 0x2f, 0x5a, + ], + note_v: 6007711596147559040, + note_r: [ + 0x14, 0x7c, 0xf2, 0xb5, 0x1b, 0x4c, 0x7c, 0x63, 0xcb, 0x77, 0xb9, 0x9e, 0x8b, 0x78, + 0x3e, 0x5b, 0x51, 0x11, 0xdb, 0x0a, 0x7c, 0xa0, 0x4d, 0x6c, 0x01, 0x4a, 0x1d, 0x7d, + 0xa8, 0x3b, 0xae, 0x0a, + ], + note_cm: [ + 0xdb, 0x85, 0xa7, 0x0a, 0x98, 0x43, 0x7f, 0x73, 0x16, 0x7f, 0xc3, 0x32, 0xd5, 0xb7, + 0xb7, 0x40, 0x82, 0x96, 0x66, 0x17, 0x70, 0xb1, 0x01, 0xb0, 0xaa, 0x87, 0x83, 0x9f, + 0x4e, 0x55, 0xf1, 0x51, + ], + note_pos: 1527428592, + note_nf: [ + 0xe9, 0x8f, 0x6a, 0x8f, 0x34, 0xff, 0x49, 0x80, 0x59, 0xb3, 0xc7, 0x31, 0xb9, 0x1f, + 0x45, 0x11, 0x08, 0xc4, 0x95, 0x4d, 0x91, 0x94, 0x84, 0x36, 0x1c, 0xf9, 0xb4, 0x8f, + 0x59, 0xae, 0x1d, 0x14, + ], + }, + TestVector { + sk: [ + 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, + 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, + 0x03, 0x03, 0x03, 0x03, + ], + ask: [ + 0x00, 0xc3, 0xa1, 0xe1, 0xca, 0x8f, 0x4e, 0x04, 0x80, 0xee, 0x1e, 0xe9, 0x0c, 0xa7, + 0x51, 0x78, 0x79, 0xd3, 0xfc, 0x5c, 0x81, 0x5c, 0x09, 0x03, 0xe5, 0xee, 0xbc, 0x94, + 0xbb, 0x80, 0x95, 0x03, + ], + nsk: [ + 0xe6, 0x62, 0x85, 0xa5, 0xe9, 0xb6, 0x5e, 0x15, 0x7a, 0xd2, 0xfc, 0xd5, 0x43, 0xda, + 0xd9, 0x8c, 0x67, 0xa5, 0x8a, 0xbd, 0xf2, 0x87, 0xe0, 0x55, 0x06, 0xbd, 0x1c, 0x2e, + 0x59, 0xb0, 0x72, 0x0b, + ], + ovk: [ + 0x14, 0x76, 0x78, 0xe0, 0x55, 0x3b, 0x97, 0x82, 0x93, 0x47, 0x64, 0x7c, 0x5b, 0xc7, + 0xda, 0xb4, 0xcc, 0x22, 0x02, 0xb5, 0x4e, 0xc2, 0x9f, 0xd3, 0x1a, 0x3d, 0xe6, 0xbe, + 0x08, 0x25, 0xfc, 0x5e, + ], + ak: [ + 0x3c, 0x9c, 0xde, 0x7e, 0x5d, 0x0d, 0x38, 0xa8, 0x61, 0x0f, 0xaa, 0xdb, 0xcf, 0x4c, + 0x34, 0x3f, 0x5d, 0x3c, 0xfa, 0x31, 0x55, 0xa5, 0xb9, 0x46, 0x61, 0xa6, 0x75, 0x3e, + 0x96, 0xe8, 0x84, 0xea, + ], + nk: [ + 0xb7, 0x7d, 0x36, 0xf5, 0x08, 0x94, 0x1d, 0xbd, 0x61, 0xcf, 0xd0, 0xf1, 0x59, 0xee, + 0x05, 0xcf, 0xaa, 0x78, 0xa2, 0x6c, 0x94, 0x92, 0x90, 0x38, 0x06, 0xd8, 0x3b, 0x59, + 0x8d, 0x3c, 0x1c, 0x2a, + ], + ivk: [ + 0x63, 0x6a, 0xa9, 0x64, 0xbf, 0xc2, 0x3c, 0xe4, 0xb1, 0xfc, 0xf7, 0xdf, 0xc9, 0x91, + 0x79, 0xdd, 0xc4, 0x06, 0xff, 0x55, 0x40, 0x0c, 0x92, 0x95, 0xac, 0xfc, 0x14, 0xf0, + 0x31, 0xc7, 0x26, 0x00, + ], + default_d: [ + 0x1b, 0x81, 0x61, 0x4f, 0x1d, 0xad, 0xea, 0x0f, 0x8d, 0x0a, 0x58, + ], + default_pk_d: [ + 0x25, 0xeb, 0x55, 0xfc, 0xcf, 0x76, 0x1f, 0xc6, 0x4e, 0x85, 0xa5, 0x88, 0xef, 0xe6, + 0xea, 0xd7, 0x83, 0x2f, 0xb1, 0xf0, 0xf7, 0xa8, 0x31, 0x65, 0x89, 0x5b, 0xdf, 0xf9, + 0x42, 0x92, 0x5f, 0x5c, + ], + note_v: 18234939431076114368, + note_r: [ + 0x34, 0xa4, 0xb2, 0xa9, 0x14, 0x4f, 0xf5, 0xea, 0x54, 0xef, 0xee, 0x87, 0xcf, 0x90, + 0x1b, 0x5b, 0xed, 0x5e, 0x35, 0xd2, 0x1f, 0xbb, 0xd7, 0x88, 0xd5, 0xbd, 0x9d, 0x83, + 0x3e, 0x11, 0x28, 0x04, + ], + note_cm: [ + 0xe0, 0x8c, 0xe4, 0x82, 0xb3, 0xa8, 0xfb, 0x3b, 0x35, 0xcc, 0xdb, 0xe3, 0x43, 0x37, + 0xbd, 0x10, 0x5d, 0x88, 0x39, 0x21, 0x2e, 0x0d, 0x16, 0x44, 0xb9, 0xd5, 0x5c, 0xaa, + 0x60, 0xd1, 0x9b, 0x6c, + ], + note_pos: 2291142888, + note_nf: [ + 0x55, 0x47, 0xaa, 0x12, 0xff, 0x80, 0xa6, 0xb3, 0x30, 0x4e, 0x3b, 0x05, 0x86, 0x56, + 0x47, 0x2a, 0xbd, 0x2c, 0x81, 0x83, 0xb5, 0x9d, 0x07, 0x37, 0xb9, 0x3c, 0xee, 0x75, + 0x8b, 0xec, 0x47, 0xa1, + ], + }, + TestVector { + sk: [ + 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, + 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, + 0x04, 0x04, 0x04, 0x04, + ], + ask: [ + 0x82, 0x36, 0xd1, 0x9d, 0x32, 0x05, 0xd8, 0x55, 0x43, 0xa0, 0x68, 0x11, 0x34, 0x3f, + 0x82, 0x7b, 0x65, 0x63, 0x77, 0x0a, 0x49, 0xaa, 0x4d, 0x0c, 0xa0, 0x08, 0x18, 0x05, + 0xd4, 0xc8, 0xea, 0x0d, + ], + nsk: [ + 0x7e, 0xc1, 0xef, 0x0b, 0xed, 0x82, 0x71, 0x82, 0x72, 0xf0, 0xf4, 0x4f, 0x01, 0x7c, + 0x48, 0x41, 0x74, 0x51, 0x3d, 0x66, 0x1d, 0xd1, 0x68, 0xaf, 0x02, 0xd2, 0x09, 0x2a, + 0x1d, 0x8a, 0x05, 0x07, + ], + ovk: [ + 0x1b, 0x6e, 0x75, 0xec, 0xe3, 0xac, 0xe8, 0xdb, 0xa6, 0xa5, 0x41, 0x0d, 0x9a, 0xd4, + 0x75, 0x56, 0x68, 0xe4, 0xb3, 0x95, 0x85, 0xd6, 0x35, 0xec, 0x1d, 0xa7, 0xc8, 0xdc, + 0xfd, 0x5f, 0xc4, 0xed, + ], + ak: [ + 0x55, 0xe8, 0x83, 0x89, 0xbb, 0x7e, 0x41, 0xde, 0x13, 0x0c, 0xfa, 0x51, 0xa8, 0x71, + 0x5f, 0xde, 0x01, 0xff, 0x9c, 0x68, 0x76, 0x64, 0x7f, 0x01, 0x75, 0xad, 0x34, 0xf0, + 0x58, 0xdd, 0xe0, 0x1a, + ], + nk: [ + 0x72, 0x5d, 0x4a, 0xd6, 0xa1, 0x50, 0x21, 0xcd, 0x1c, 0x48, 0xc5, 0xee, 0x19, 0xde, + 0x6c, 0x1e, 0x76, 0x8a, 0x2c, 0xc0, 0xa9, 0xa7, 0x30, 0xa0, 0x1b, 0xb2, 0x1c, 0x95, + 0xe3, 0xd9, 0xe4, 0x3c, + ], + ivk: [ + 0x67, 0xfa, 0x2b, 0xf7, 0xc6, 0x7d, 0x46, 0x58, 0x24, 0x3c, 0x31, 0x7c, 0x0c, 0xb4, + 0x1f, 0xd3, 0x20, 0x64, 0xdf, 0xd3, 0x70, 0x9f, 0xe0, 0xdc, 0xb7, 0x24, 0xf1, 0x4b, + 0xb0, 0x1a, 0x1d, 0x04, + ], + default_d: [ + 0xfc, 0xfb, 0x68, 0xa4, 0x0d, 0x4b, 0xc6, 0xa0, 0x4b, 0x09, 0xc4, + ], + default_pk_d: [ + 0x8b, 0x2a, 0x33, 0x7f, 0x03, 0x62, 0x2c, 0x24, 0xff, 0x38, 0x1d, 0x4c, 0x54, 0x6f, + 0x69, 0x77, 0xf9, 0x05, 0x22, 0xe9, 0x2f, 0xde, 0x44, 0xc9, 0xd1, 0xbb, 0x09, 0x97, + 0x14, 0xb9, 0xdb, 0x2b, + ], + note_v: 12015423192295118080, + note_r: [ + 0xe5, 0x57, 0x85, 0x13, 0x55, 0x74, 0x7c, 0x09, 0xac, 0x59, 0x01, 0x3c, 0xbd, 0xe8, + 0x59, 0x80, 0x96, 0x4e, 0xc1, 0x84, 0x4d, 0x9c, 0x69, 0x67, 0xca, 0x0c, 0x02, 0x9c, + 0x84, 0x57, 0xbb, 0x04, + ], + note_cm: [ + 0xbd, 0xc8, 0x54, 0xbf, 0x3e, 0x7b, 0x00, 0x82, 0x1f, 0x3b, 0x8b, 0x85, 0x23, 0x8c, + 0xcf, 0x1e, 0x67, 0x15, 0xbf, 0xe7, 0x0b, 0x63, 0x2d, 0x04, 0x4b, 0x26, 0xfb, 0x2b, + 0xc7, 0x1b, 0x7f, 0x36, + ], + note_pos: 3054857184, + note_nf: [ + 0x8a, 0x9a, 0xbd, 0xa3, 0xd4, 0xef, 0x85, 0xca, 0xf2, 0x2b, 0xfa, 0xf2, 0xc4, 0x8f, + 0x62, 0x38, 0x2a, 0x73, 0xa1, 0x62, 0x4e, 0xb8, 0xeb, 0x2b, 0xd0, 0x0d, 0x27, 0x03, + 0x01, 0xbf, 0x3d, 0x13, + ], + }, + TestVector { + sk: [ + 0x05, 0x05, 0x05, 0x05, 0x05, 0x05, 0x05, 0x05, 0x05, 0x05, 0x05, 0x05, 0x05, 0x05, + 0x05, 0x05, 0x05, 0x05, 0x05, 0x05, 0x05, 0x05, 0x05, 0x05, 0x05, 0x05, 0x05, 0x05, + 0x05, 0x05, 0x05, 0x05, + ], + ask: [ + 0xea, 0xe6, 0x88, 0x4d, 0x76, 0x4a, 0x05, 0x40, 0x61, 0xa8, 0xf1, 0xc0, 0x07, 0x6c, + 0x62, 0x4d, 0xcb, 0x73, 0x87, 0x89, 0xf7, 0xad, 0x1e, 0x74, 0x08, 0xe3, 0x1f, 0x24, + 0xdf, 0xc8, 0x26, 0x07, + ], + nsk: [ + 0xfb, 0xe6, 0x10, 0xf4, 0x2a, 0x41, 0x74, 0x9f, 0x9b, 0x6e, 0x6e, 0x4a, 0x54, 0xb5, + 0xa3, 0x2e, 0xbf, 0xe8, 0xf4, 0x38, 0x00, 0x88, 0x1b, 0xa6, 0xcd, 0x13, 0xed, 0x0b, + 0x05, 0x29, 0x46, 0x01, + ], + ovk: [ + 0xc6, 0xbc, 0x1f, 0x39, 0xf0, 0xd7, 0x86, 0x31, 0x4c, 0xb2, 0x0b, 0xf9, 0xab, 0x22, + 0x85, 0x40, 0x91, 0x35, 0x55, 0xf9, 0x70, 0x69, 0x6b, 0x6d, 0x7c, 0x77, 0xbb, 0x33, + 0x23, 0x28, 0x37, 0x2a, + ], + ak: [ + 0xe6, 0x82, 0x76, 0x59, 0x14, 0xe3, 0x86, 0x4c, 0x33, 0x9e, 0x57, 0x82, 0xb8, 0x55, + 0xc0, 0xfd, 0xf4, 0x0e, 0x0d, 0xfc, 0xed, 0xb9, 0xe7, 0xb4, 0x7b, 0xc9, 0x4b, 0x90, + 0xb3, 0xa4, 0xc9, 0x88, + ], + nk: [ + 0x82, 0x25, 0x6b, 0x95, 0x62, 0x3c, 0x67, 0x02, 0x4b, 0x44, 0x24, 0xd9, 0x14, 0x00, + 0xa3, 0x70, 0xe7, 0xac, 0x8e, 0x4d, 0x15, 0x48, 0x2a, 0x37, 0x59, 0xe0, 0x0d, 0x21, + 0x97, 0x49, 0xda, 0xee, + ], + ivk: [ + 0xea, 0x3f, 0x1d, 0x80, 0xe4, 0x30, 0x7c, 0xa7, 0x3b, 0x9f, 0x37, 0x80, 0x1f, 0x91, + 0xfb, 0xa8, 0x10, 0xcc, 0x41, 0xd2, 0x79, 0xfc, 0x29, 0xf5, 0x64, 0x23, 0x56, 0x54, + 0xa2, 0x17, 0x8e, 0x03, + ], + default_d: [ + 0xeb, 0x51, 0x98, 0x82, 0xad, 0x1e, 0x5c, 0xc6, 0x54, 0xcd, 0x59, + ], + default_pk_d: [ + 0x6b, 0x27, 0xda, 0xcc, 0xb5, 0xa8, 0x20, 0x7f, 0x53, 0x2d, 0x10, 0xca, 0x23, 0x8f, + 0x97, 0x86, 0x64, 0x8a, 0x11, 0xb5, 0x96, 0x6e, 0x51, 0xa2, 0xf7, 0xd8, 0x9e, 0x15, + 0xd2, 0x9b, 0x8f, 0xdf, + ], + note_v: 5795906953514121792, + note_r: [ + 0x68, 0xf0, 0x61, 0x04, 0x60, 0x6b, 0x0c, 0x54, 0x49, 0x84, 0x5f, 0xf4, 0xc6, 0x5f, + 0x73, 0xe9, 0x0f, 0x45, 0xef, 0x5a, 0x43, 0xc9, 0xd7, 0x4c, 0xb2, 0xc8, 0x5c, 0xf5, + 0x6c, 0x94, 0xc0, 0x02, + ], + note_cm: [ + 0xe8, 0x26, 0x7d, 0x30, 0xac, 0x11, 0xc1, 0x00, 0xbc, 0x7a, 0x0f, 0xdf, 0x91, 0xf7, + 0x1d, 0x74, 0xc5, 0xbc, 0xf2, 0xe1, 0xef, 0x95, 0x66, 0x90, 0x44, 0x73, 0x01, 0x69, + 0xde, 0x1a, 0x5b, 0x4c, + ], + note_pos: 3818571480, + note_nf: [ + 0x33, 0x2a, 0xd9, 0x9e, 0xb9, 0xe9, 0x77, 0xeb, 0x62, 0x7a, 0x12, 0x2d, 0xbf, 0xb2, + 0xf2, 0x5f, 0xe5, 0x88, 0xe5, 0x97, 0x75, 0x3e, 0xc5, 0x58, 0x0f, 0xf2, 0xbe, 0x20, + 0xb6, 0xc9, 0xa7, 0xe1, + ], + }, + TestVector { + sk: [ + 0x06, 0x06, 0x06, 0x06, 0x06, 0x06, 0x06, 0x06, 0x06, 0x06, 0x06, 0x06, 0x06, 0x06, + 0x06, 0x06, 0x06, 0x06, 0x06, 0x06, 0x06, 0x06, 0x06, 0x06, 0x06, 0x06, 0x06, 0x06, + 0x06, 0x06, 0x06, 0x06, + ], + ask: [ + 0xe8, 0xf8, 0x16, 0xb4, 0xbc, 0x08, 0xa7, 0xe5, 0x66, 0x75, 0x0c, 0xc2, 0x8a, 0xfe, + 0x82, 0xa4, 0xce, 0xa9, 0xc2, 0xbe, 0xf2, 0x44, 0xfa, 0x4b, 0x13, 0xc4, 0x73, 0x9b, + 0x28, 0x07, 0x4c, 0x0d, + ], + nsk: [ + 0x32, 0x61, 0x5b, 0x13, 0x7f, 0x28, 0x01, 0xed, 0x44, 0x6e, 0x48, 0x78, 0x1a, 0xb0, + 0x63, 0x45, 0x72, 0xe1, 0x8c, 0xfb, 0x06, 0x93, 0x72, 0x1b, 0x88, 0x03, 0xc0, 0x5b, + 0x82, 0x27, 0xd1, 0x07, + ], + ovk: [ + 0xf6, 0x2c, 0x05, 0xe8, 0x48, 0xa8, 0x73, 0xef, 0x88, 0x5e, 0x12, 0xb0, 0x8c, 0x5e, + 0x7c, 0xa2, 0xf3, 0x24, 0x24, 0xba, 0xcc, 0x75, 0x4c, 0xb6, 0x97, 0x50, 0x44, 0x4d, + 0x35, 0x5f, 0x51, 0x06, + ], + ak: [ + 0xff, 0x27, 0xdb, 0x07, 0x51, 0x94, 0x5d, 0x3e, 0xe4, 0xbe, 0x9c, 0xf1, 0x5c, 0x2e, + 0xa2, 0x11, 0xb2, 0x4b, 0x16, 0x4d, 0x5f, 0x2d, 0x7d, 0xdf, 0xf5, 0xe4, 0xa0, 0x70, + 0x8f, 0x10, 0xb9, 0x5e, + ], + nk: [ + 0x94, 0x38, 0x85, 0x95, 0x9d, 0x4e, 0xf8, 0xa9, 0xcf, 0xca, 0x07, 0xc4, 0x57, 0xf0, + 0x9e, 0xc7, 0x4b, 0x96, 0xf9, 0x93, 0xd8, 0xe0, 0xfa, 0x32, 0xb1, 0x9c, 0x03, 0xe3, + 0xb0, 0x7a, 0x42, 0x0f, + ], + ivk: [ + 0xb5, 0xc5, 0x89, 0x49, 0x43, 0x95, 0x69, 0x33, 0xc0, 0xe5, 0xc1, 0x2d, 0x31, 0x1f, + 0xc1, 0x2c, 0xba, 0x58, 0x35, 0x4b, 0x5c, 0x38, 0x9e, 0xdc, 0x03, 0xda, 0x55, 0x08, + 0x4f, 0x74, 0xc2, 0x05, + ], + default_d: [ + 0xbe, 0xbb, 0x0f, 0xb4, 0x6b, 0x8a, 0xaf, 0xf8, 0x90, 0x40, 0xf6, + ], + default_pk_d: [ + 0xd1, 0x1d, 0xa0, 0x1f, 0x0b, 0x43, 0xbd, 0xd5, 0x28, 0x8d, 0x32, 0x38, 0x5b, 0x87, + 0x71, 0xd2, 0x23, 0x49, 0x3c, 0x69, 0x80, 0x25, 0x44, 0x04, 0x3f, 0x77, 0xcf, 0x1d, + 0x71, 0xc1, 0xcb, 0x8c, + ], + note_v: 18023134788442677120, + note_r: [ + 0x49, 0xf9, 0x0b, 0x47, 0xfd, 0x52, 0xfe, 0xe7, 0xc1, 0xc8, 0x1f, 0x0d, 0xcb, 0x5b, + 0x74, 0xc3, 0xfb, 0x9b, 0x3e, 0x03, 0x97, 0x6f, 0x8b, 0x75, 0x24, 0xea, 0xba, 0xd0, + 0x08, 0x89, 0x21, 0x07, + ], + note_cm: [ + 0x57, 0x2b, 0xa2, 0x05, 0x25, 0xb0, 0xac, 0x4d, 0x6d, 0xc0, 0x1a, 0xc2, 0xea, 0x10, + 0x90, 0xb6, 0xe0, 0xf2, 0xf4, 0xbf, 0x4e, 0xc4, 0xa0, 0xdb, 0x5b, 0xbc, 0xcb, 0x5b, + 0x78, 0x3a, 0x1e, 0x55, + ], + note_pos: 287318480, + note_nf: [ + 0xfc, 0x74, 0xcd, 0x0e, 0x4b, 0xe0, 0x49, 0x57, 0xb1, 0x96, 0xcf, 0x87, 0x34, 0xae, + 0x99, 0x23, 0x96, 0xaf, 0x4c, 0xfa, 0x8f, 0xec, 0xbb, 0x86, 0xf9, 0x61, 0xe6, 0xb4, + 0x07, 0xd5, 0x1e, 0x11, + ], + }, + TestVector { + sk: [ + 0x07, 0x07, 0x07, 0x07, 0x07, 0x07, 0x07, 0x07, 0x07, 0x07, 0x07, 0x07, 0x07, 0x07, + 0x07, 0x07, 0x07, 0x07, 0x07, 0x07, 0x07, 0x07, 0x07, 0x07, 0x07, 0x07, 0x07, 0x07, + 0x07, 0x07, 0x07, 0x07, + ], + ask: [ + 0x74, 0xb4, 0x4a, 0x37, 0xf1, 0x50, 0x23, 0xc0, 0x60, 0x42, 0x7e, 0x1d, 0xae, 0xa3, + 0xf6, 0x43, 0x12, 0xdd, 0x8f, 0xeb, 0x7b, 0x2c, 0xed, 0xf0, 0xdd, 0x55, 0x44, 0x49, + 0x3f, 0x87, 0x2c, 0x06, + ], + nsk: [ + 0x07, 0x5c, 0x35, 0xdb, 0x8b, 0x1b, 0x25, 0x75, 0x42, 0x23, 0xec, 0xee, 0x34, 0xab, + 0x73, 0x0d, 0xdd, 0xd1, 0xf1, 0x4a, 0x6a, 0x54, 0xf4, 0xc6, 0xf4, 0x68, 0x45, 0x3c, + 0x3c, 0x6e, 0xd6, 0x0b, + ], + ovk: [ + 0xe9, 0xe0, 0xdc, 0x1e, 0xd3, 0x11, 0xda, 0xed, 0x64, 0xbd, 0x74, 0xda, 0x5d, 0x94, + 0xfe, 0x88, 0xa6, 0xea, 0x41, 0x4b, 0x73, 0x12, 0xde, 0x3d, 0x2a, 0x78, 0xf6, 0x46, + 0x32, 0xbb, 0xe3, 0x73, + ], + ak: [ + 0x28, 0x3f, 0x9a, 0xaf, 0xa9, 0xbc, 0xb3, 0xe6, 0xce, 0x17, 0xe6, 0x32, 0x12, 0x63, + 0x4c, 0xb3, 0xee, 0x55, 0x0c, 0x47, 0x6b, 0x67, 0x6b, 0xd3, 0x56, 0xa6, 0xdf, 0x8a, + 0xdf, 0x51, 0xd2, 0x5e, + ], + nk: [ + 0xdc, 0x4c, 0x67, 0xb1, 0x0d, 0x4b, 0x0a, 0x21, 0x8d, 0xc6, 0xe1, 0x48, 0x70, 0x66, + 0x74, 0x0a, 0x40, 0x93, 0x17, 0x86, 0x6c, 0x32, 0xe6, 0x64, 0xb5, 0x0e, 0x39, 0x7a, + 0xa8, 0x03, 0x89, 0xd4, + ], + ivk: [ + 0x87, 0x16, 0xc8, 0x28, 0x80, 0xe1, 0x36, 0x83, 0xe1, 0xbb, 0x05, 0x9d, 0xd0, 0x6c, + 0x80, 0xc9, 0x01, 0x34, 0xa9, 0x6d, 0x5a, 0xfc, 0xa8, 0xaa, 0xc2, 0xbb, 0xf6, 0x8b, + 0xb0, 0x5f, 0x84, 0x02, + ], + default_d: [ + 0xad, 0x6e, 0x2e, 0x18, 0x5a, 0x31, 0x00, 0xe3, 0xa6, 0xa8, 0xb3, + ], + default_pk_d: [ + 0x32, 0xcb, 0x28, 0x06, 0xb8, 0x82, 0xf1, 0x36, 0x8b, 0x0d, 0x4a, 0x89, 0x8f, 0x72, + 0xc4, 0xc8, 0xf7, 0x28, 0x13, 0x2c, 0xc1, 0x24, 0x56, 0x94, 0x6e, 0x7f, 0x4c, 0xb0, + 0xfb, 0x05, 0x8d, 0xa9, + ], + note_v: 11803618549661680832, + note_r: [ + 0x51, 0x65, 0xaf, 0xf2, 0x2d, 0xd4, 0xed, 0x56, 0xb4, 0xd8, 0x1d, 0x1f, 0x17, 0x1c, + 0xc3, 0xd6, 0x43, 0x2f, 0xed, 0x1b, 0xeb, 0xf2, 0x0a, 0x7b, 0xea, 0xb1, 0x2d, 0xb1, + 0x42, 0xf9, 0x4a, 0x0c, + ], + note_cm: [ + 0xab, 0x7f, 0xc5, 0x66, 0x87, 0x3c, 0xcd, 0xe6, 0x71, 0xf5, 0x98, 0x27, 0x67, 0x85, + 0x60, 0xa0, 0x06, 0xf8, 0x2b, 0xb7, 0xad, 0xcd, 0x75, 0x22, 0x3f, 0xa8, 0x59, 0x36, + 0xf7, 0x8c, 0x2b, 0x23, + ], + note_pos: 1051032776, + note_nf: [ + 0xd2, 0xe8, 0x87, 0xbd, 0x85, 0x4a, 0x80, 0x2b, 0xce, 0x85, 0x70, 0x53, 0x02, 0x0f, + 0x5d, 0x3e, 0x7c, 0x8a, 0xe5, 0x26, 0x7c, 0x5b, 0x65, 0x83, 0xb3, 0xd2, 0x12, 0xcc, + 0x8b, 0xb6, 0x98, 0x90, + ], + }, + TestVector { + sk: [ + 0x08, 0x08, 0x08, 0x08, 0x08, 0x08, 0x08, 0x08, 0x08, 0x08, 0x08, 0x08, 0x08, 0x08, + 0x08, 0x08, 0x08, 0x08, 0x08, 0x08, 0x08, 0x08, 0x08, 0x08, 0x08, 0x08, 0x08, 0x08, + 0x08, 0x08, 0x08, 0x08, + ], + ask: [ + 0x03, 0x9d, 0xd9, 0x3d, 0xf3, 0x11, 0xff, 0x8f, 0xba, 0xb3, 0xfe, 0x23, 0x02, 0x19, + 0xcd, 0x42, 0xac, 0x87, 0x94, 0x84, 0xf3, 0x0b, 0x90, 0x3a, 0x3c, 0x1e, 0x67, 0xcc, + 0xca, 0x5a, 0x7b, 0x0d, + ], + nsk: [ + 0x04, 0x9f, 0xa1, 0x4f, 0x48, 0x6c, 0x75, 0xb9, 0xfa, 0xd7, 0xe3, 0xb6, 0x73, 0xa4, + 0x43, 0xdd, 0x07, 0x4e, 0xaa, 0x96, 0xed, 0xcb, 0x2a, 0x53, 0xea, 0xaa, 0xbd, 0xaf, + 0x70, 0xff, 0xbb, 0x08, + ], + ovk: [ + 0x14, 0x7d, 0xd1, 0x1d, 0x77, 0xeb, 0xa1, 0xb1, 0x63, 0x6f, 0xd6, 0x19, 0x0c, 0x62, + 0xb9, 0xa5, 0xd0, 0x48, 0x1b, 0xee, 0x7e, 0x91, 0x7f, 0xab, 0x02, 0xe2, 0x18, 0x58, + 0x06, 0x3a, 0xb5, 0x04, + ], + ak: [ + 0x36, 0x40, 0x48, 0xee, 0xdb, 0xe8, 0xca, 0x20, 0x5e, 0xb7, 0xe7, 0xba, 0x0a, 0x90, + 0x12, 0x16, 0x6c, 0x7c, 0x7b, 0xd9, 0xeb, 0x22, 0x8e, 0x08, 0x48, 0x14, 0x48, 0xc4, + 0x88, 0xaa, 0x21, 0xd2, + ], + nk: [ + 0xed, 0x60, 0xaf, 0x1c, 0xe7, 0xdf, 0x38, 0x07, 0x0d, 0x38, 0x51, 0x43, 0x2a, 0x96, + 0x48, 0x0d, 0xb0, 0xb4, 0x17, 0xc3, 0x68, 0x2a, 0x1d, 0x68, 0xe3, 0xe8, 0x93, 0x34, + 0x23, 0x5c, 0x0b, 0xdf, + ], + ivk: [ + 0x99, 0xc9, 0xb4, 0xb8, 0x4f, 0x4b, 0x4e, 0x35, 0x0f, 0x78, 0x7d, 0x1c, 0xf7, 0x05, + 0x1d, 0x50, 0xec, 0xc3, 0x4b, 0x1a, 0x5b, 0x20, 0xd2, 0xd2, 0x13, 0x9b, 0x4a, 0xf1, + 0xf1, 0x60, 0xe0, 0x01, + ], + default_d: [ + 0x21, 0xc9, 0x0e, 0x1c, 0x65, 0x8b, 0x3e, 0xfe, 0x86, 0xaf, 0x58, + ], + default_pk_d: [ + 0x9e, 0x64, 0x17, 0x4b, 0x4a, 0xb9, 0x81, 0x40, 0x5c, 0x32, 0x3b, 0x5e, 0x12, 0x47, + 0x59, 0x45, 0xa4, 0x6d, 0x4f, 0xed, 0xf8, 0x06, 0x08, 0x28, 0x04, 0x1c, 0xd2, 0x0e, + 0x62, 0xfd, 0x2c, 0xef, + ], + note_v: 5584102310880684544, + note_r: [ + 0x8c, 0x3e, 0x56, 0x44, 0x9d, 0xc8, 0x63, 0x54, 0xd3, 0x3b, 0x02, 0x5e, 0xf2, 0x79, + 0x34, 0x60, 0xbc, 0xb1, 0x69, 0xf3, 0x32, 0x4e, 0x4a, 0x6b, 0x64, 0xba, 0xa6, 0x08, + 0x32, 0x31, 0x57, 0x04, + ], + note_cm: [ + 0x7b, 0x48, 0xa8, 0x37, 0x5d, 0x3e, 0xbd, 0x56, 0xbc, 0x64, 0x9b, 0xb5, 0xb5, 0x24, + 0x23, 0x36, 0xc2, 0xa0, 0x5a, 0x08, 0x03, 0x23, 0x9b, 0x5b, 0x88, 0xfd, 0x92, 0x07, + 0x8f, 0xea, 0x4d, 0x04, + ], + note_pos: 1814747072, + note_nf: [ + 0xa8, 0x2f, 0x17, 0x50, 0xcc, 0x5b, 0x2b, 0xee, 0x64, 0x9a, 0x36, 0x5c, 0x04, 0x20, + 0xed, 0x87, 0x07, 0x5b, 0x88, 0x71, 0xfd, 0xa4, 0xa7, 0xf5, 0x84, 0x0d, 0x6b, 0xbe, + 0xb1, 0x7c, 0xd6, 0x20, + ], + }, + TestVector { + sk: [ + 0x09, 0x09, 0x09, 0x09, 0x09, 0x09, 0x09, 0x09, 0x09, 0x09, 0x09, 0x09, 0x09, 0x09, + 0x09, 0x09, 0x09, 0x09, 0x09, 0x09, 0x09, 0x09, 0x09, 0x09, 0x09, 0x09, 0x09, 0x09, + 0x09, 0x09, 0x09, 0x09, + ], + ask: [ + 0xeb, 0xbb, 0x40, 0xa9, 0x80, 0xba, 0x3b, 0x88, 0x60, 0x94, 0x8d, 0x01, 0x1e, 0x1b, + 0xfb, 0x4a, 0xff, 0xe1, 0x6c, 0x65, 0x2e, 0x90, 0xe9, 0x82, 0x58, 0x30, 0x2f, 0x44, + 0x64, 0xc9, 0x1e, 0x0c, + ], + nsk: [ + 0x68, 0x43, 0x1b, 0x19, 0x91, 0x04, 0x21, 0x52, 0x00, 0xb9, 0x5e, 0xe5, 0xcb, 0x71, + 0xbf, 0x8b, 0x88, 0x3a, 0x3e, 0x95, 0xb7, 0x98, 0x9c, 0xad, 0x19, 0x70, 0x63, 0x14, + 0x1e, 0xbb, 0xfd, 0x00, + ], + ovk: [ + 0x57, 0x34, 0x67, 0xa7, 0xb3, 0x0e, 0xad, 0x6c, 0xcc, 0x50, 0x47, 0x44, 0xca, 0x9e, + 0x1a, 0x28, 0x1a, 0x0d, 0x1a, 0x08, 0x73, 0x8b, 0x06, 0xa0, 0x68, 0x4f, 0xea, 0xcd, + 0x1e, 0x9d, 0x12, 0x6d, + ], + ak: [ + 0x71, 0xc3, 0x52, 0x3e, 0xec, 0xa3, 0x53, 0x11, 0xfb, 0xd5, 0xd7, 0xe7, 0xd7, 0x0b, + 0x70, 0x9d, 0x6c, 0x35, 0xa2, 0x4f, 0x26, 0x2b, 0x34, 0xbf, 0x64, 0x05, 0x9b, 0xf2, + 0xc0, 0x2e, 0x0b, 0xa8, + ], + nk: [ + 0x62, 0x44, 0x00, 0x10, 0x3b, 0x65, 0x69, 0xb7, 0x35, 0x8f, 0xe8, 0x0f, 0x6f, 0x6c, + 0xad, 0x43, 0x25, 0xde, 0xfd, 0xa9, 0xd9, 0x49, 0x9c, 0x2b, 0x8f, 0x88, 0x6a, 0x62, + 0x69, 0xa2, 0xaa, 0x52, + ], + ivk: [ + 0xdb, 0x95, 0xea, 0x8b, 0xd9, 0xf9, 0x3d, 0x41, 0xb5, 0xab, 0x2b, 0xeb, 0xc9, 0x1a, + 0x38, 0xed, 0xd5, 0x27, 0x08, 0x3e, 0x2a, 0x6e, 0xf9, 0xf3, 0xc2, 0x97, 0x02, 0xd5, + 0xff, 0x89, 0xed, 0x00, + ], + default_d: [ + 0x23, 0x3c, 0x4a, 0xb8, 0x86, 0xa5, 0x5e, 0x3b, 0xa3, 0x74, 0xc0, + ], + default_pk_d: [ + 0xb6, 0x8e, 0x9e, 0xe0, 0xc0, 0x67, 0x8d, 0x7b, 0x30, 0x36, 0x93, 0x1c, 0x83, 0x1a, + 0x25, 0x25, 0x5f, 0x7e, 0xe4, 0x87, 0x38, 0x5a, 0x30, 0x31, 0x6e, 0x15, 0xf6, 0x48, + 0x2b, 0x87, 0x4f, 0xda, + ], + note_v: 17811330145809239872, + note_r: [ + 0x6e, 0xbb, 0xed, 0x74, 0x36, 0x19, 0xa2, 0x56, 0xf9, 0xad, 0x2e, 0x85, 0x88, 0x0c, + 0xfa, 0xa9, 0x09, 0x8a, 0x5f, 0xdb, 0x16, 0x29, 0x99, 0x0d, 0x9a, 0x7d, 0x3b, 0xb9, + 0x3f, 0xc9, 0x00, 0x03, + ], + note_cm: [ + 0xd3, 0x76, 0xa7, 0xbe, 0xe8, 0xce, 0x67, 0xf4, 0xef, 0xde, 0x56, 0xaa, 0x77, 0xcf, + 0x64, 0x41, 0x9b, 0x0e, 0x55, 0x0a, 0xbb, 0xcb, 0x8e, 0x2b, 0xcb, 0xda, 0x8b, 0x63, + 0xe4, 0x1d, 0xeb, 0x37, + ], + note_pos: 2578461368, + note_nf: [ + 0x65, 0x36, 0x74, 0x87, 0x3b, 0x3c, 0x67, 0x0c, 0x58, 0x85, 0x84, 0x73, 0xe7, 0xfe, + 0x72, 0x19, 0x72, 0xfb, 0x96, 0xe2, 0x15, 0xb8, 0x73, 0x77, 0xa1, 0x7c, 0xa3, 0x71, + 0x0d, 0x93, 0xc9, 0xe9, + ], + }, + ]; + + for tv in test_vectors { + // Compute commitment and compare with test vector + let mut result = [0u8; 32]; + assert!(librustzcash_sapling_compute_cm( + &tv.default_d, + &tv.default_pk_d, + tv.note_v, + &tv.note_r, + &mut result + )); + assert_eq!(&result, &tv.note_cm); + + // Compute nullifier and compare with test vector + assert!(librustzcash_sapling_compute_nf( + &tv.default_d, + &tv.default_pk_d, + tv.note_v, + &tv.note_r, + &tv.ak, + &tv.nk, + tv.note_pos, + &mut result + )); + assert_eq!(&result, &tv.note_nf); + } +} diff --git a/src/rust/src/tests/signatures.rs b/src/rust/src/tests/signatures.rs new file mode 100644 index 000000000..68ac7997c --- /dev/null +++ b/src/rust/src/tests/signatures.rs @@ -0,0 +1,514 @@ +use ff::{PrimeField, PrimeFieldRepr}; +use pairing::bls12_381::Bls12; +use zcash_primitives::jubjub::{FixedGenerators, JubjubEngine}; +use zcash_primitives::redjubjub::{PrivateKey, PublicKey, Signature}; + +use super::JUBJUB; + +#[test] +fn redjubjub_signatures() { + struct TestVector { + sk: [u8; 32], + vk: [u8; 32], + alpha: [u8; 32], + rsk: [u8; 32], + rvk: [u8; 32], + m: [u8; 32], + sig: [u8; 64], + rsig: [u8; 64], + }; + + // From https://github.com/zcash-hackworks/zcash-test-vectors/blob/master/sapling_signatures.py + let test_vectors = vec![ + TestVector { + sk: [ + 0x18, 0xe2, 0x8d, 0xea, 0x5c, 0x11, 0x81, 0x7a, 0xee, 0xb2, 0x1a, 0x19, 0x98, 0x1d, + 0x28, 0x36, 0x8e, 0xc4, 0x38, 0xaf, 0xc2, 0x5a, 0x8d, 0xb9, 0x4e, 0xbe, 0x08, 0xd7, + 0xa0, 0x28, 0x8e, 0x09, + ], + vk: [ + 0x9b, 0x01, 0x53, 0xb0, 0x3d, 0x32, 0x0f, 0xe2, 0x3e, 0x28, 0x34, 0xd5, 0xd6, 0x1d, + 0xbb, 0x1f, 0x51, 0x9b, 0x3f, 0x41, 0xf8, 0xf9, 0x46, 0x15, 0x2b, 0xf0, 0xc3, 0xf2, + 0x47, 0xd1, 0x18, 0x07, + ], + alpha: [ + 0xff, 0xd1, 0xa1, 0x27, 0x32, 0x52, 0xb1, 0x87, 0xf4, 0xed, 0x32, 0x6d, 0xfc, 0x98, + 0x85, 0x3e, 0x29, 0x17, 0xc2, 0xb3, 0x63, 0x79, 0xb1, 0x75, 0xda, 0x63, 0xb9, 0xef, + 0x6d, 0xda, 0x6c, 0x08, + ], + rsk: [ + 0x60, 0x87, 0x38, 0x3b, 0x30, 0x55, 0x9b, 0x31, 0x60, 0x90, 0x85, 0xb9, 0x00, 0x96, + 0x45, 0xce, 0xb6, 0xa0, 0xc6, 0x61, 0x25, 0x99, 0xd7, 0x28, 0x80, 0x72, 0x8e, 0x61, + 0x24, 0x4e, 0x7d, 0x03, + ], + rvk: [ + 0xc1, 0xba, 0xbc, 0xb6, 0xea, 0xe2, 0xb9, 0x94, 0xee, 0x6d, 0x65, 0xc1, 0x0b, 0x9d, + 0xad, 0x59, 0x40, 0xdc, 0x73, 0x5b, 0x07, 0x50, 0x4d, 0xae, 0xd1, 0xe4, 0x6b, 0x07, + 0x09, 0xb4, 0x51, 0x36, + ], + m: [ + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, + ], + sig: [ + 0xea, 0xa0, 0x57, 0x47, 0x6b, 0x4a, 0xb4, 0x82, 0x28, 0x8b, 0x93, 0xdf, 0x8f, 0xe0, + 0xc5, 0xce, 0x9d, 0x78, 0x83, 0x67, 0xf2, 0xbe, 0x55, 0x1b, 0x7f, 0x7a, 0x82, 0xa6, + 0xdb, 0x36, 0x04, 0x68, 0xde, 0xb9, 0xa7, 0xb7, 0xaf, 0xaa, 0xdf, 0xec, 0xa6, 0xf4, + 0x81, 0x19, 0x3d, 0xc6, 0x57, 0x57, 0x47, 0xf6, 0x0a, 0x1a, 0x8a, 0x48, 0xff, 0x0a, + 0xd7, 0x0c, 0xf8, 0xcb, 0x8d, 0x52, 0x8e, 0x08, + ], + rsig: [ + 0xd5, 0x6f, 0x0d, 0x91, 0xaf, 0x42, 0x4e, 0x1f, 0x1c, 0x7f, 0xb8, 0x6b, 0xa4, 0xee, + 0xd1, 0x43, 0xcc, 0x16, 0x66, 0x0c, 0x5f, 0xe8, 0xd7, 0xdc, 0x0d, 0x28, 0x4b, 0xcf, + 0x65, 0xa0, 0x89, 0xe9, 0x8b, 0x56, 0x1f, 0x9f, 0x20, 0x1a, 0x63, 0x3d, 0x70, 0x0c, + 0xd3, 0x98, 0x1e, 0x8c, 0xac, 0x07, 0xb5, 0xa8, 0x7e, 0xfa, 0x61, 0x86, 0x06, 0x2d, + 0xd8, 0xe5, 0xd6, 0x32, 0x5e, 0x7b, 0x82, 0x02, + ], + }, + TestVector { + sk: [ + 0x05, 0x96, 0x54, 0xf9, 0x61, 0x27, 0x3d, 0xaf, 0xda, 0x3b, 0x26, 0x77, 0xb3, 0x5c, + 0x18, 0xaf, 0x6b, 0x11, 0xad, 0xfb, 0x9e, 0xe9, 0x0b, 0x48, 0x93, 0x5e, 0x55, 0x7c, + 0x8d, 0x5d, 0x9c, 0x04, + ], + vk: [ + 0xfa, 0xf6, 0xc3, 0xb7, 0x37, 0xe8, 0xe6, 0x11, 0xaa, 0xfe, 0xa5, 0x2f, 0x03, 0xbb, + 0x27, 0x86, 0xe1, 0x83, 0x53, 0xeb, 0xe0, 0xd3, 0x13, 0x9e, 0x3c, 0x54, 0x49, 0x87, + 0x80, 0xc8, 0xc1, 0x99, + ], + alpha: [ + 0xc3, 0x0b, 0x96, 0x20, 0x8d, 0xa8, 0x00, 0xe1, 0x0a, 0xf0, 0x25, 0x42, 0xce, 0x69, + 0x4b, 0x7e, 0xd7, 0x6a, 0x28, 0x29, 0x9f, 0x85, 0x99, 0x8e, 0x5d, 0x61, 0x08, 0x12, + 0x68, 0x1b, 0xf0, 0x03, + ], + rsk: [ + 0xc8, 0xa1, 0xea, 0x19, 0xef, 0xcf, 0x3d, 0x90, 0xe5, 0x2b, 0x4c, 0xb9, 0x81, 0xc6, + 0x63, 0x2d, 0x43, 0x7c, 0xd5, 0x24, 0x3e, 0x6f, 0xa5, 0xd6, 0xf0, 0xbf, 0x5d, 0x8e, + 0xf5, 0x78, 0x8c, 0x08, + ], + rvk: [ + 0xd5, 0x24, 0xdc, 0xe7, 0x73, 0x40, 0x69, 0x75, 0x8a, 0x91, 0xf0, 0x07, 0xa8, 0x69, + 0x50, 0x5d, 0xfc, 0x4a, 0xba, 0x17, 0x20, 0x59, 0x4d, 0x4d, 0x74, 0xf0, 0x07, 0x70, + 0x0e, 0x62, 0xee, 0x00, + ], + m: [ + 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, + 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, + 0x01, 0x01, 0x01, 0x01, + ], + sig: [ + 0x22, 0x35, 0x54, 0x94, 0xa8, 0x31, 0x6a, 0xb1, 0x34, 0x73, 0xf5, 0x5e, 0x62, 0x66, + 0xb2, 0xfb, 0x41, 0x97, 0x31, 0x5e, 0xac, 0x62, 0xf8, 0x2c, 0xc7, 0x3d, 0xca, 0xca, + 0x19, 0x90, 0x90, 0xf1, 0x5b, 0xe1, 0x98, 0xce, 0x7d, 0x3f, 0x9f, 0xc8, 0xff, 0xf5, + 0x50, 0xe1, 0x08, 0x81, 0xec, 0x49, 0xff, 0x27, 0x36, 0x9e, 0x7d, 0x4f, 0xd9, 0x64, + 0x01, 0x53, 0x49, 0x2a, 0x0a, 0x06, 0x25, 0x08, + ], + rsig: [ + 0xf4, 0xb8, 0x94, 0xba, 0x84, 0xce, 0x1e, 0xc3, 0x8a, 0x63, 0x15, 0x2f, 0xc4, 0x09, + 0xf9, 0x47, 0xd6, 0x1a, 0xbb, 0x1f, 0x48, 0x91, 0x63, 0x6b, 0xc3, 0xee, 0x19, 0xef, + 0x6d, 0x4b, 0x30, 0xc0, 0xfd, 0x22, 0x86, 0x6b, 0x84, 0xff, 0xbc, 0x7e, 0x2a, 0x78, + 0xc4, 0x3f, 0x57, 0x83, 0xd2, 0xd2, 0xea, 0xd0, 0x78, 0x59, 0x55, 0x03, 0x74, 0x43, + 0xc2, 0xf4, 0xd5, 0x2f, 0x78, 0x5e, 0xee, 0x07, + ], + }, + TestVector { + sk: [ + 0xad, 0xe7, 0xab, 0xb5, 0x51, 0xc7, 0x9d, 0x0f, 0x0e, 0x42, 0xef, 0x7f, 0x12, 0x06, + 0xb8, 0x77, 0x12, 0xa8, 0x4a, 0x61, 0xde, 0xa3, 0xf3, 0x7b, 0x42, 0x49, 0x6d, 0x7e, + 0xfd, 0x12, 0x52, 0x0c, + ], + vk: [ + 0x36, 0x9e, 0xa7, 0x51, 0x76, 0x2f, 0x83, 0x9d, 0x25, 0x70, 0x1a, 0x5e, 0xeb, 0x55, + 0x1e, 0xc4, 0xf0, 0x6c, 0x12, 0x90, 0xb3, 0xb9, 0xc3, 0xa7, 0x24, 0x40, 0x2d, 0xec, + 0x02, 0x73, 0x92, 0x21, + ], + alpha: [ + 0x81, 0x92, 0x25, 0x29, 0xa6, 0x3e, 0xe7, 0x43, 0xfc, 0x4f, 0xbb, 0xac, 0x45, 0xc4, + 0x98, 0x83, 0x16, 0xbc, 0x9b, 0x6e, 0x42, 0x8b, 0x01, 0xa8, 0xd3, 0x1f, 0xc1, 0xc2, + 0xa6, 0xca, 0x62, 0x05, + ], + rsk: [ + 0x77, 0x4d, 0xda, 0x07, 0x99, 0xf7, 0xed, 0x82, 0x87, 0x81, 0xe2, 0x5f, 0xc4, 0xa9, + 0xe8, 0x54, 0x28, 0x29, 0xb2, 0xce, 0x1f, 0xf4, 0x8d, 0x1d, 0x6d, 0xb9, 0xfa, 0xdb, + 0xb9, 0x28, 0x37, 0x03, + ], + rvk: [ + 0x0d, 0x92, 0xad, 0x6d, 0x46, 0xed, 0xac, 0xd0, 0x23, 0xd4, 0xd2, 0xef, 0x70, 0x3a, + 0x6c, 0xa0, 0xa7, 0x92, 0xcf, 0xc4, 0xb7, 0xda, 0x11, 0xc2, 0x35, 0x3b, 0xc8, 0x45, + 0xa2, 0x7a, 0x97, 0x4d, + ], + m: [ + 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, + 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, + 0x02, 0x02, 0x02, 0x02, + ], + sig: [ + 0xdd, 0x65, 0x21, 0x01, 0x4d, 0xff, 0x70, 0x6e, 0x3a, 0x38, 0x52, 0x7a, 0x86, 0xb6, + 0xc1, 0x6e, 0x94, 0x14, 0x80, 0xe7, 0x33, 0xef, 0xf7, 0x9e, 0xbe, 0x0c, 0x43, 0x03, + 0x79, 0xd7, 0x57, 0x04, 0x9d, 0xb7, 0x90, 0xcd, 0x5e, 0x14, 0x44, 0x7c, 0x38, 0x6f, + 0x5f, 0xcb, 0x41, 0x9f, 0x27, 0xc4, 0x41, 0x3f, 0x35, 0x88, 0xfa, 0x21, 0x42, 0xd2, + 0xcf, 0xba, 0xed, 0x08, 0x2c, 0xc6, 0xdb, 0x07, + ], + rsig: [ + 0xd8, 0x94, 0x45, 0xcb, 0x9b, 0xd1, 0x03, 0x35, 0x69, 0x23, 0x1d, 0xd6, 0x28, 0xaa, + 0x62, 0x81, 0x09, 0xfe, 0x93, 0x50, 0x2b, 0xf2, 0x2f, 0x9a, 0x5f, 0x37, 0xb1, 0x4e, + 0x51, 0x7f, 0x9a, 0x20, 0x54, 0xae, 0xe3, 0xc8, 0x1b, 0x60, 0xb3, 0xf0, 0x55, 0x1e, + 0x32, 0xf7, 0x93, 0x5a, 0xbc, 0x2f, 0x37, 0xb9, 0x9a, 0xb3, 0xec, 0x99, 0x68, 0x02, + 0xef, 0xd6, 0x50, 0x69, 0xe1, 0x28, 0x12, 0x08, + ], + }, + TestVector { + sk: [ + 0xc9, 0xd2, 0xae, 0x1f, 0x6d, 0x32, 0xa6, 0x75, 0xd0, 0x9e, 0xb0, 0x82, 0x3f, 0x46, + 0x7f, 0xa9, 0x21, 0xb3, 0x28, 0x4a, 0xcb, 0x35, 0xfa, 0xbd, 0xfc, 0x99, 0x4d, 0xe5, + 0x49, 0xb8, 0x59, 0x0d, + ], + vk: [ + 0x2d, 0x2f, 0x31, 0x6e, 0x5c, 0x36, 0x9a, 0xe4, 0xdd, 0x2c, 0x82, 0x5f, 0x3d, 0x86, + 0x46, 0x00, 0x58, 0x40, 0x71, 0x84, 0x60, 0x3b, 0x21, 0x2c, 0xf3, 0x45, 0x9f, 0x36, + 0xc8, 0x69, 0x7f, 0xd8, + ], + alpha: [ + 0xeb, 0xbc, 0x89, 0x03, 0x11, 0x07, 0xc4, 0x4f, 0x47, 0x88, 0x9e, 0xd4, 0xd4, 0x37, + 0x5a, 0x41, 0x14, 0xcf, 0x8a, 0x75, 0xdd, 0x33, 0xb9, 0x62, 0xf2, 0xd7, 0x59, 0xd3, + 0xf4, 0xc6, 0xdf, 0x06, + ], + rsk: [ + 0xfd, 0x62, 0x41, 0x4c, 0x1f, 0x2b, 0xd3, 0xf4, 0x94, 0x16, 0x87, 0x8a, 0x80, 0x5d, + 0x71, 0x44, 0x35, 0x47, 0x7f, 0xbe, 0xa7, 0x2e, 0x4c, 0x1a, 0x46, 0xc2, 0x73, 0x53, + 0x54, 0xca, 0xbb, 0x05, + ], + rvk: [ + 0xf0, 0x43, 0x0e, 0x95, 0x3b, 0xe6, 0x0b, 0xf4, 0x38, 0xdb, 0xdc, 0xc2, 0x30, 0x3f, + 0x0e, 0x32, 0xa6, 0xf7, 0xce, 0x2f, 0xbe, 0xdf, 0xb1, 0x3a, 0xc5, 0x18, 0xf7, 0x5a, + 0x3f, 0xd1, 0x0e, 0xb5, + ], + m: [ + 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, + 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, + 0x03, 0x03, 0x03, 0x03, + ], + sig: [ + 0x72, 0x79, 0xa7, 0x5c, 0x01, 0x36, 0x75, 0xb3, 0x29, 0x84, 0xe5, 0xc7, 0x3a, 0x98, + 0x91, 0xeb, 0xf0, 0xb2, 0x29, 0xb1, 0x6e, 0x62, 0x35, 0xba, 0x36, 0xdf, 0xa1, 0xb5, + 0xa1, 0x0c, 0x5e, 0x44, 0x57, 0x81, 0x91, 0x89, 0x7c, 0x06, 0xb8, 0x52, 0x4a, 0x26, + 0x74, 0xaa, 0x7a, 0x0c, 0x8c, 0x23, 0x5f, 0x52, 0xd3, 0x3a, 0xc9, 0x2c, 0x70, 0x56, + 0xb2, 0xbe, 0x95, 0x3c, 0x3f, 0xaa, 0x3d, 0x07, + ], + rsig: [ + 0xaa, 0xd4, 0x82, 0x8c, 0xb3, 0x42, 0xcf, 0x09, 0xb0, 0x0e, 0x30, 0x2c, 0xbb, 0xe7, + 0xcc, 0x3e, 0x95, 0xfe, 0x1f, 0xf8, 0x28, 0x74, 0x8e, 0x5f, 0x5b, 0xc6, 0x9c, 0xbf, + 0xde, 0x6e, 0x27, 0x22, 0xd7, 0x64, 0x35, 0x68, 0x7e, 0x85, 0x0c, 0xd3, 0x07, 0xa9, + 0xc1, 0x82, 0xec, 0x10, 0xe6, 0x88, 0x1d, 0xd6, 0x5e, 0xed, 0xc1, 0x1f, 0xa7, 0xb4, + 0x6d, 0xe3, 0xa7, 0x19, 0x59, 0xce, 0xc0, 0x02, + ], + }, + TestVector { + sk: [ + 0x33, 0xbc, 0xd2, 0x86, 0x45, 0x41, 0xb8, 0xbb, 0x7f, 0xdc, 0x77, 0xa1, 0x9d, 0x97, + 0x0f, 0x92, 0x4e, 0xae, 0xec, 0xf4, 0x10, 0x3c, 0x38, 0xc8, 0xd2, 0xb0, 0x66, 0x81, + 0x42, 0xf2, 0x7d, 0x09, + ], + vk: [ + 0x74, 0x17, 0x94, 0xe6, 0x2c, 0xf9, 0x32, 0x0c, 0x58, 0xba, 0xc5, 0x94, 0xa2, 0xb9, + 0x0e, 0x34, 0x0a, 0x6d, 0x8a, 0x68, 0x05, 0x6f, 0x6e, 0xd5, 0xc7, 0x86, 0x8c, 0x5f, + 0xf3, 0xe4, 0xd6, 0x16, + ], + alpha: [ + 0x7c, 0xe7, 0x25, 0xa5, 0xfe, 0xf6, 0x1b, 0xd4, 0xa1, 0xe9, 0xc7, 0x73, 0x28, 0xe8, + 0x21, 0x0e, 0xb7, 0x29, 0x2d, 0x95, 0x4c, 0x64, 0xe9, 0x9e, 0x8b, 0xed, 0xd0, 0x7a, + 0xb3, 0xab, 0x0e, 0x0d, + ], + rsk: [ + 0xf8, 0x76, 0x01, 0x55, 0xe5, 0x29, 0x3d, 0xbf, 0x9e, 0xb5, 0x77, 0x48, 0x32, 0x5f, + 0xc9, 0xf9, 0x04, 0x9d, 0xe5, 0x88, 0x5c, 0x65, 0xba, 0x60, 0xb5, 0xee, 0x03, 0x97, + 0x0b, 0xe9, 0x0e, 0x08, + ], + rvk: [ + 0x66, 0x62, 0xba, 0x09, 0x95, 0x0a, 0xcc, 0xd2, 0xce, 0xa3, 0xc7, 0xa8, 0x12, 0x90, + 0xcd, 0x59, 0x78, 0xa6, 0x2b, 0x5a, 0xc5, 0xbb, 0xc4, 0x8d, 0x9f, 0x58, 0x19, 0xcd, + 0xc9, 0x64, 0x6f, 0x0a, + ], + m: [ + 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, + 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, + 0x04, 0x04, 0x04, 0x04, + ], + sig: [ + 0x51, 0x23, 0xb3, 0x1f, 0x84, 0xaf, 0x0c, 0x35, 0x5e, 0x13, 0xe7, 0x8a, 0x64, 0xd7, + 0xa3, 0xcd, 0xfd, 0x6b, 0xdf, 0xfd, 0xc7, 0x33, 0x38, 0xd9, 0x31, 0x7f, 0x73, 0x43, + 0x91, 0xa5, 0x5a, 0xe6, 0x25, 0x8f, 0x69, 0x80, 0xb9, 0xc7, 0xd1, 0x90, 0xcf, 0xa3, + 0x65, 0x81, 0xa9, 0xa4, 0x7a, 0x86, 0x3f, 0xd3, 0xbf, 0x76, 0x59, 0x42, 0x22, 0x95, + 0xb7, 0x5f, 0xd1, 0x22, 0xc3, 0xdd, 0x8a, 0x05, + ], + rsig: [ + 0x5b, 0xae, 0x25, 0x4f, 0xbd, 0xed, 0x60, 0x7a, 0x5c, 0x48, 0xb5, 0x30, 0x29, 0xf5, + 0x9b, 0xa7, 0x06, 0x32, 0x48, 0x79, 0xaa, 0x18, 0xd9, 0xc4, 0x73, 0x19, 0x00, 0x4b, + 0xe0, 0x2c, 0xec, 0xe0, 0xb8, 0xbb, 0x02, 0x4a, 0x7a, 0xab, 0xaa, 0x0a, 0x64, 0x0f, + 0x3a, 0x54, 0xdc, 0xda, 0xf2, 0x11, 0x31, 0x46, 0x9a, 0x50, 0x06, 0xbe, 0x27, 0x81, + 0xa5, 0x67, 0xff, 0xa6, 0x50, 0x3a, 0x35, 0x03, + ], + }, + TestVector { + sk: [ + 0xca, 0x35, 0x06, 0xd6, 0xaf, 0x77, 0x67, 0xb5, 0x79, 0x0e, 0xf0, 0xc5, 0x19, 0x0f, + 0xb3, 0xf3, 0x87, 0x7c, 0x4a, 0xab, 0x40, 0xe0, 0xdd, 0x65, 0x1a, 0xbb, 0xda, 0xcb, + 0x54, 0x4e, 0xd0, 0x05, + ], + vk: [ + 0xba, 0xb6, 0xcf, 0xb5, 0xc8, 0xea, 0x34, 0x91, 0x25, 0x1b, 0x46, 0xd5, 0x2a, 0xca, + 0x25, 0xd9, 0xe9, 0xaf, 0x69, 0xfa, 0xa9, 0xb4, 0xe4, 0x0b, 0x03, 0xad, 0x00, 0x86, + 0xde, 0x59, 0xb5, 0x1f, + ], + alpha: [ + 0xbe, 0xa3, 0x87, 0x20, 0x3f, 0x43, 0x76, 0x0a, 0xd3, 0x7d, 0x61, 0xde, 0x0e, 0xb5, + 0x9f, 0xca, 0x6c, 0xab, 0x75, 0x60, 0xdf, 0x64, 0xfa, 0xbb, 0x95, 0x11, 0x57, 0x9f, + 0x6f, 0x68, 0x26, 0x06, + ], + rsk: [ + 0x88, 0xd9, 0x8d, 0xf6, 0xee, 0xba, 0xdd, 0xbf, 0x4c, 0x8c, 0x51, 0xa4, 0x28, 0xc4, + 0x52, 0xbe, 0xf4, 0x27, 0xc0, 0x0b, 0x20, 0x45, 0xd8, 0x21, 0xb0, 0xcc, 0x31, 0x6b, + 0xc4, 0xb6, 0xf6, 0x0b, + ], + rvk: [ + 0x11, 0x26, 0x7d, 0x14, 0xd5, 0xe0, 0xb2, 0xbb, 0x3c, 0xe0, 0x99, 0xe8, 0xef, 0x84, + 0x49, 0x47, 0x1c, 0xbc, 0xfc, 0x69, 0x39, 0xa4, 0xb3, 0x48, 0xde, 0xa2, 0xc1, 0x73, + 0x56, 0xa1, 0xe8, 0xdd, + ], + m: [ + 0x05, 0x05, 0x05, 0x05, 0x05, 0x05, 0x05, 0x05, 0x05, 0x05, 0x05, 0x05, 0x05, 0x05, + 0x05, 0x05, 0x05, 0x05, 0x05, 0x05, 0x05, 0x05, 0x05, 0x05, 0x05, 0x05, 0x05, 0x05, + 0x05, 0x05, 0x05, 0x05, + ], + sig: [ + 0xdc, 0x18, 0xc8, 0x8d, 0x96, 0x44, 0x42, 0x40, 0x6d, 0x65, 0x0a, 0xa2, 0xff, 0xbd, + 0x83, 0xd1, 0x13, 0xbf, 0x6a, 0x19, 0xda, 0x78, 0xf2, 0x66, 0x5b, 0x29, 0x4f, 0xa5, + 0xfa, 0x45, 0x0b, 0x92, 0x81, 0xa0, 0x7e, 0x32, 0x0c, 0x1a, 0xa3, 0x1d, 0x32, 0x44, + 0x9e, 0x00, 0xc5, 0xc3, 0x2d, 0xb2, 0xf4, 0x13, 0xdf, 0x0b, 0x63, 0xd0, 0x72, 0x8f, + 0xa4, 0x09, 0x41, 0xa8, 0xda, 0x02, 0x4f, 0x01, + ], + rsig: [ + 0x59, 0xe2, 0xe8, 0x18, 0x76, 0x6c, 0x50, 0xfc, 0x8f, 0x38, 0x40, 0xb2, 0x72, 0xaf, + 0x9a, 0xd9, 0x47, 0x56, 0xc8, 0x41, 0x32, 0x95, 0xfc, 0x79, 0x5f, 0xaf, 0xbc, 0xc0, + 0x71, 0x8e, 0x6c, 0x08, 0x16, 0x9a, 0x00, 0xd5, 0x83, 0x02, 0x77, 0x2a, 0x28, 0x28, + 0x43, 0xe8, 0x88, 0xd9, 0x81, 0xfa, 0x04, 0x79, 0x5d, 0x01, 0x4c, 0xf9, 0xc8, 0xcd, + 0xb9, 0x07, 0xff, 0x1b, 0x43, 0x0d, 0x92, 0x00, + ], + }, + TestVector { + sk: [ + 0xbc, 0x27, 0x83, 0x8d, 0xe2, 0xa6, 0x14, 0xcf, 0xba, 0x6c, 0x3e, 0x92, 0x2a, 0x8f, + 0x84, 0x24, 0xd9, 0x85, 0x6f, 0x68, 0x16, 0xf3, 0xbc, 0x61, 0x02, 0x31, 0x3b, 0x7f, + 0xaf, 0x5c, 0x3a, 0x0c, + ], + vk: [ + 0xd7, 0x9b, 0xe9, 0xff, 0x22, 0x9a, 0x2e, 0x35, 0xf5, 0xbc, 0xa4, 0x48, 0xe5, 0xeb, + 0x4a, 0x8a, 0xa9, 0x7f, 0xb4, 0x18, 0x02, 0x91, 0x25, 0xcf, 0xba, 0xa7, 0x8a, 0x91, + 0xa3, 0x82, 0xb0, 0x94, + ], + alpha: [ + 0x21, 0xa7, 0x15, 0x0e, 0x19, 0x4f, 0xed, 0xfe, 0xf9, 0x0c, 0x5d, 0x10, 0xe4, 0x20, + 0x85, 0x8b, 0xca, 0x40, 0x04, 0x04, 0x0e, 0xb6, 0x81, 0xd1, 0x4e, 0x75, 0xc4, 0x47, + 0x13, 0x51, 0xcb, 0x02, + ], + rsk: [ + 0x26, 0xa2, 0xa1, 0xc4, 0x9c, 0xe7, 0x6a, 0xfd, 0x31, 0x69, 0xd3, 0xd5, 0x7a, 0x8f, + 0xa1, 0x09, 0xa3, 0x8b, 0x3f, 0x6b, 0x23, 0x6e, 0xd7, 0x2c, 0xa8, 0xf6, 0xcb, 0x61, + 0xd8, 0xf8, 0x87, 0x00, + ], + rvk: [ + 0x54, 0xbf, 0x1b, 0xe7, 0x2e, 0x6d, 0x41, 0x20, 0x8b, 0x8a, 0xec, 0x11, 0x61, 0xd3, + 0xba, 0x59, 0x51, 0x9f, 0xb9, 0x3d, 0xa0, 0x1a, 0x55, 0xe6, 0x78, 0xe2, 0x75, 0x20, + 0x06, 0x60, 0x36, 0xc9, + ], + m: [ + 0x06, 0x06, 0x06, 0x06, 0x06, 0x06, 0x06, 0x06, 0x06, 0x06, 0x06, 0x06, 0x06, 0x06, + 0x06, 0x06, 0x06, 0x06, 0x06, 0x06, 0x06, 0x06, 0x06, 0x06, 0x06, 0x06, 0x06, 0x06, + 0x06, 0x06, 0x06, 0x06, + ], + sig: [ + 0x9a, 0xf6, 0xf2, 0x80, 0x0f, 0x4b, 0x80, 0xf7, 0x93, 0xbe, 0x64, 0x8a, 0x43, 0x9f, + 0x86, 0xe5, 0x7d, 0xa1, 0xb9, 0x19, 0x99, 0x9e, 0x41, 0x91, 0x09, 0x99, 0xd4, 0x2e, + 0xd0, 0xf3, 0x89, 0x6d, 0xb7, 0x6e, 0x06, 0x38, 0x8b, 0x27, 0x2c, 0x99, 0x85, 0x8b, + 0x55, 0x04, 0xd0, 0x2e, 0xc6, 0xb4, 0xd5, 0x25, 0xb8, 0x71, 0x38, 0x10, 0x50, 0x5f, + 0x4f, 0xc0, 0x31, 0x08, 0x3a, 0x14, 0xbf, 0x09, + ], + rsig: [ + 0x3f, 0x7d, 0x50, 0x71, 0xb8, 0x76, 0x17, 0x49, 0x05, 0x71, 0xa8, 0xbe, 0x91, 0x74, + 0x9e, 0x69, 0xf6, 0xbc, 0xba, 0x5a, 0xb6, 0x26, 0xe4, 0x2f, 0xf9, 0x2d, 0x0d, 0x7d, + 0xab, 0x73, 0xf3, 0x03, 0x61, 0xe5, 0xa2, 0x24, 0x99, 0x8e, 0x1f, 0x5e, 0xa1, 0xe5, + 0xf8, 0x68, 0x9a, 0x06, 0xa2, 0x77, 0x48, 0xbf, 0x74, 0x19, 0x63, 0xef, 0x51, 0x33, + 0x22, 0xf4, 0xa1, 0xba, 0x99, 0xaa, 0x36, 0x03, + ], + }, + TestVector { + sk: [ + 0xb2, 0x08, 0x59, 0xb8, 0x8e, 0xe3, 0x33, 0x8a, 0x64, 0x95, 0x4f, 0x8a, 0x9e, 0x8e, + 0x9b, 0xf3, 0xe7, 0x11, 0x5a, 0xcf, 0x7c, 0x6e, 0x7f, 0x01, 0x43, 0x2c, 0x5f, 0x76, + 0x96, 0xd2, 0xd0, 0x05, + ], + vk: [ + 0xa8, 0x1f, 0xe6, 0x84, 0x6d, 0xbe, 0x0a, 0x75, 0xc0, 0xf4, 0x9b, 0x21, 0x32, 0x32, + 0xbe, 0xad, 0xd1, 0xf9, 0xa5, 0x64, 0x67, 0x3d, 0x25, 0xb9, 0x1e, 0xe0, 0xf1, 0x7c, + 0xe9, 0xca, 0xa3, 0x63, + ], + alpha: [ + 0x44, 0xd9, 0x08, 0xe1, 0xc1, 0x5e, 0x6b, 0xd9, 0x38, 0x0a, 0x8b, 0x23, 0x5a, 0xce, + 0x02, 0xfa, 0xc1, 0xc0, 0x87, 0x94, 0x45, 0x4b, 0xcd, 0xb4, 0xa6, 0xf4, 0x8c, 0xea, + 0x78, 0xa7, 0x4a, 0x04, + ], + rsk: [ + 0xf6, 0xe1, 0x61, 0x99, 0x50, 0x42, 0x9f, 0x63, 0x9d, 0x9f, 0xda, 0xad, 0xf8, 0x5c, + 0x9e, 0xed, 0xa9, 0xd2, 0xe1, 0x63, 0xc2, 0xb9, 0x4c, 0xb6, 0xe9, 0x20, 0xec, 0x60, + 0x0f, 0x7a, 0x1b, 0x0a, + ], + rvk: [ + 0x0b, 0x68, 0xd5, 0x0f, 0x91, 0x3c, 0xd1, 0xb7, 0x8b, 0x59, 0x92, 0x1e, 0x16, 0x56, + 0xd5, 0x76, 0xb0, 0xeb, 0x17, 0x1e, 0xd3, 0x87, 0x0d, 0x39, 0xfe, 0xc6, 0x94, 0x41, + 0xb3, 0x4b, 0x25, 0x38, + ], + m: [ + 0x07, 0x07, 0x07, 0x07, 0x07, 0x07, 0x07, 0x07, 0x07, 0x07, 0x07, 0x07, 0x07, 0x07, + 0x07, 0x07, 0x07, 0x07, 0x07, 0x07, 0x07, 0x07, 0x07, 0x07, 0x07, 0x07, 0x07, 0x07, + 0x07, 0x07, 0x07, 0x07, + ], + sig: [ + 0x64, 0x59, 0x67, 0x6a, 0x94, 0x16, 0x34, 0xec, 0xb6, 0x1e, 0x59, 0xb7, 0x9a, 0x98, + 0xab, 0xe5, 0x87, 0x6f, 0x35, 0x6f, 0x72, 0x8a, 0xa0, 0x9e, 0x0c, 0xca, 0x9e, 0xfe, + 0x05, 0x76, 0x1a, 0x33, 0x09, 0xaa, 0x88, 0xb2, 0xfa, 0x0e, 0xe2, 0xd0, 0x4c, 0x1c, + 0x46, 0xe9, 0xf2, 0xa0, 0x48, 0xd5, 0x9d, 0x55, 0x65, 0xaf, 0xa6, 0xc3, 0xf1, 0x5b, + 0xce, 0x70, 0x8d, 0xaa, 0xab, 0x7b, 0x34, 0x0e, + ], + rsig: [ + 0xc9, 0x66, 0x84, 0xec, 0x7e, 0xa6, 0x0b, 0xde, 0x87, 0x88, 0x22, 0xdd, 0xca, 0xf6, + 0xb8, 0xb0, 0xbd, 0x31, 0x98, 0x51, 0x54, 0xdf, 0x9a, 0xd4, 0xf6, 0x90, 0x7d, 0xf8, + 0xfe, 0xd9, 0x5c, 0x1d, 0x84, 0xfe, 0x67, 0xe6, 0x78, 0x75, 0xa5, 0x39, 0x55, 0x0e, + 0xb2, 0x51, 0x4f, 0x19, 0x3b, 0x8e, 0xd4, 0x57, 0x25, 0x6c, 0x8d, 0x30, 0x28, 0x1d, + 0x6f, 0x8b, 0xb9, 0x54, 0x49, 0x24, 0xca, 0x0c, + ], + }, + TestVector { + sk: [ + 0x32, 0x16, 0xae, 0x47, 0xe9, 0xf5, 0x3e, 0x8a, 0x52, 0x79, 0x6f, 0x24, 0xb6, 0x24, + 0x60, 0x77, 0x6b, 0xd5, 0xf2, 0x05, 0xa7, 0x8e, 0x15, 0x95, 0xbc, 0x8e, 0xfe, 0xdc, + 0x51, 0x9d, 0x36, 0x0b, + ], + vk: [ + 0xdf, 0x74, 0xbf, 0x04, 0x79, 0x61, 0xcc, 0x5c, 0xda, 0xc8, 0x28, 0x90, 0xc7, 0x6e, + 0xc6, 0x75, 0xbd, 0x4e, 0x89, 0xea, 0xd2, 0x80, 0xc9, 0x52, 0xd7, 0xc3, 0x3e, 0xea, + 0xf2, 0xb5, 0xa6, 0x6b, + ], + alpha: [ + 0xc9, 0x61, 0xf2, 0xdd, 0x93, 0x68, 0x2a, 0xdb, 0x93, 0xf5, 0xc0, 0x5a, 0x73, 0xfd, + 0xbc, 0x6d, 0x43, 0xc7, 0x0e, 0x1b, 0x15, 0xe8, 0xd5, 0x3e, 0x3f, 0x17, 0xa8, 0x24, + 0x94, 0xe3, 0xf2, 0x09, + ], + rsk: [ + 0x44, 0x4b, 0xa9, 0x4e, 0x1e, 0x50, 0xd2, 0x94, 0x63, 0x5e, 0x68, 0xb2, 0x95, 0x01, + 0xb5, 0x3e, 0xae, 0x61, 0xcd, 0x1f, 0xbb, 0x3b, 0x84, 0xcd, 0x52, 0xf6, 0x72, 0x9c, + 0xfb, 0xcb, 0xab, 0x06, + ], + rvk: [ + 0x0a, 0xfb, 0xe4, 0x06, 0xa8, 0x91, 0xc3, 0xb8, 0xc3, 0x10, 0xc2, 0x15, 0xbc, 0x68, + 0xa9, 0x13, 0xde, 0x7c, 0xda, 0x06, 0xaf, 0x29, 0x42, 0x00, 0x56, 0x46, 0x8d, 0x0c, + 0x08, 0x85, 0x5b, 0x28, + ], + m: [ + 0x08, 0x08, 0x08, 0x08, 0x08, 0x08, 0x08, 0x08, 0x08, 0x08, 0x08, 0x08, 0x08, 0x08, + 0x08, 0x08, 0x08, 0x08, 0x08, 0x08, 0x08, 0x08, 0x08, 0x08, 0x08, 0x08, 0x08, 0x08, + 0x08, 0x08, 0x08, 0x08, + ], + sig: [ + 0x24, 0x93, 0x2c, 0x1f, 0xaa, 0x01, 0x63, 0xca, 0x9a, 0x7f, 0xcd, 0xe4, 0x76, 0x11, + 0x29, 0xd2, 0xe5, 0xe9, 0x9c, 0xf5, 0xef, 0xa2, 0x5d, 0x27, 0x04, 0x58, 0x8e, 0x1c, + 0x75, 0x67, 0x7b, 0x5e, 0xeb, 0xe4, 0x55, 0x04, 0x8d, 0x7c, 0xe1, 0xb0, 0xd2, 0x01, + 0x27, 0x53, 0xf7, 0x1b, 0x27, 0x25, 0x01, 0x2e, 0xe1, 0x85, 0x49, 0x28, 0x73, 0x18, + 0xf9, 0xcd, 0x73, 0xf0, 0x7f, 0x0f, 0xb5, 0x02, + ], + rsig: [ + 0xf7, 0xfa, 0x26, 0xca, 0x22, 0xf3, 0x86, 0xc4, 0x3c, 0x19, 0x1a, 0x0b, 0x3e, 0xa6, + 0x57, 0x7e, 0x8e, 0xea, 0xa3, 0xf3, 0x6b, 0x9b, 0xd1, 0xa3, 0xac, 0x3d, 0xf6, 0xf8, + 0x83, 0xa3, 0xff, 0xdb, 0x31, 0x32, 0x0b, 0xde, 0x62, 0x7f, 0xf4, 0x6f, 0xc2, 0x26, + 0x4a, 0x32, 0x63, 0xb9, 0xab, 0x67, 0x12, 0x3b, 0xa5, 0xe1, 0x08, 0x43, 0x20, 0xd9, + 0x10, 0xb3, 0x94, 0xef, 0x8c, 0x65, 0xba, 0x09, + ], + }, + TestVector { + sk: [ + 0x85, 0x83, 0x6f, 0x98, 0x32, 0xb2, 0x8d, 0xe7, 0xc6, 0x36, 0x13, 0xe2, 0xa6, 0xed, + 0x36, 0xfb, 0x1a, 0xb4, 0x4f, 0xb0, 0xc1, 0x3f, 0xa8, 0x79, 0x8c, 0xd9, 0xcd, 0x30, + 0x30, 0xd4, 0x55, 0x03, + ], + vk: [ + 0xbf, 0xd5, 0xbc, 0x00, 0xc7, 0xc0, 0x22, 0xaa, 0x89, 0x01, 0xae, 0x08, 0x3c, 0x12, + 0xd5, 0x4b, 0x82, 0xf0, 0xdd, 0xff, 0x8e, 0xd6, 0xdb, 0x9a, 0x12, 0xd5, 0x9a, 0x5e, + 0xf6, 0xa5, 0xa2, 0xe0, + ], + alpha: [ + 0xa2, 0xe8, 0xb9, 0xe1, 0x6d, 0x6f, 0xf3, 0xca, 0x6c, 0x53, 0xd4, 0xe8, 0x8a, 0xbb, + 0xb9, 0x9b, 0xe7, 0xaf, 0x7e, 0x36, 0x59, 0x63, 0x1f, 0x1e, 0xae, 0x1e, 0xff, 0x23, + 0x87, 0x4d, 0x8e, 0x0c, + ], + rsk: [ + 0x70, 0x3f, 0x32, 0xa3, 0x41, 0x13, 0xea, 0xe1, 0xb0, 0x79, 0x1f, 0xfe, 0x9d, 0x88, + 0x88, 0xf0, 0x01, 0x29, 0x9a, 0xe5, 0x19, 0x68, 0x60, 0x91, 0x91, 0x48, 0x99, 0xef, + 0xcc, 0x6c, 0x66, 0x01, + ], + rvk: [ + 0xeb, 0x92, 0x97, 0x03, 0x6c, 0xf5, 0x17, 0xe1, 0x5e, 0x9e, 0xfe, 0x39, 0x75, 0x32, + 0x8d, 0xb4, 0x8e, 0xe7, 0xc2, 0x69, 0x4e, 0x94, 0x6d, 0xb2, 0x5f, 0x52, 0x87, 0x88, + 0xf6, 0xa1, 0xdb, 0x14, + ], + m: [ + 0x09, 0x09, 0x09, 0x09, 0x09, 0x09, 0x09, 0x09, 0x09, 0x09, 0x09, 0x09, 0x09, 0x09, + 0x09, 0x09, 0x09, 0x09, 0x09, 0x09, 0x09, 0x09, 0x09, 0x09, 0x09, 0x09, 0x09, 0x09, + 0x09, 0x09, 0x09, 0x09, + ], + sig: [ + 0x64, 0xab, 0xd1, 0x25, 0xbf, 0xc4, 0xc6, 0x54, 0xfa, 0xf2, 0xb6, 0xdd, 0x75, 0x3e, + 0xc6, 0x90, 0x22, 0x4d, 0xbc, 0xab, 0x8c, 0xd6, 0x32, 0xdd, 0x59, 0x3c, 0x91, 0xce, + 0x3a, 0xb0, 0xbc, 0xad, 0xca, 0x92, 0x76, 0x34, 0x02, 0x1c, 0x31, 0x47, 0x6c, 0x78, + 0xc5, 0xac, 0x7c, 0xcc, 0xab, 0xbd, 0x6f, 0x92, 0x7d, 0xf2, 0x05, 0xea, 0xa7, 0x07, + 0xcc, 0x00, 0xd4, 0x7d, 0x39, 0xf3, 0xe4, 0x0c, + ], + rsig: [ + 0xeb, 0x7a, 0x06, 0x5d, 0x75, 0xf8, 0x45, 0xdc, 0x09, 0x41, 0xb7, 0x09, 0xc0, 0xb1, + 0x49, 0xea, 0xfd, 0x80, 0x5e, 0xa5, 0x8f, 0x38, 0x0b, 0x92, 0xb9, 0xd3, 0x10, 0x8a, + 0x56, 0x1b, 0xda, 0x17, 0x85, 0xdf, 0x8f, 0x10, 0x1e, 0x0e, 0x14, 0x0f, 0xca, 0xee, + 0x99, 0xb7, 0xdb, 0xb7, 0xdf, 0xbf, 0x7e, 0x61, 0xf3, 0xa1, 0x2f, 0x46, 0x09, 0x50, + 0x69, 0xe0, 0x6e, 0x88, 0x96, 0xa9, 0xe4, 0x04, + ], + }, + ]; + + for tv in test_vectors { + let sk = PrivateKey::::read(&tv.sk[..]).unwrap(); + let vk = PublicKey::::read(&tv.vk[..], &JUBJUB).unwrap(); + let rvk = PublicKey::::read(&tv.rvk[..], &JUBJUB).unwrap(); + let sig = Signature::read(&tv.sig[..]).unwrap(); + let rsig = Signature::read(&tv.rsig[..]).unwrap(); + + let mut alpha_repr = <::Fs as PrimeField>::Repr::default(); + alpha_repr.read_le(&tv.alpha[..]).unwrap(); + let alpha = ::Fs::from_repr(alpha_repr).unwrap(); + + { + let mut vec = Vec::new(); + sk.randomize(alpha.clone()).write(&mut vec).unwrap(); + assert_eq!(&vec, &tv.rsk); + } + { + let mut vec = Vec::new(); + vk.randomize(alpha, FixedGenerators::SpendingKeyGenerator, &JUBJUB) + .write(&mut vec) + .unwrap(); + assert_eq!(&vec, &tv.rvk); + } + + assert!(vk.verify(&tv.m, &sig, FixedGenerators::SpendingKeyGenerator, &JUBJUB)); + assert!(rvk.verify(&tv.m, &rsig, FixedGenerators::SpendingKeyGenerator, &JUBJUB)); + assert!(!vk.verify(&tv.m, &rsig, FixedGenerators::SpendingKeyGenerator, &JUBJUB)); + assert!(!rvk.verify(&tv.m, &sig, FixedGenerators::SpendingKeyGenerator, &JUBJUB)); + } +}