zcash-hackworks
/
zcash-patched-for-explorer
mirror of https://github.com/zcash-hackworks/zcash-patched-for-explorer.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

Auto merge of #976 - ebfull:implement-joinsplit-signatures, r=ebfull 

Signing pours with ed25519

This is an alternative to #964 which uses ed25519 instead of secp256k1, and avoids the separate hash for fitting the public key into the `h_sig` block. It's based on @defuse's work in that branch.

Closes #808.
This commit is contained in:
zkbot 2016-05-31 03:46:30 +00:00
parent 212cdc4fa4 7c68cc0747
commit 19769ba6c5
11 changed files with 676 additions and 536 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

65
src/main.cpp
View File

@ -5,6 +5,8 @@
#include "main.h"
#include "sodium.h"
#include "addrman.h"
#include "alert.h"
#include "arith_uint256.h"
@ -31,6 +33,7 @@
#include <boost/filesystem/fstream.hpp>
#include <boost/math/distributions/poisson.hpp>
#include <boost/thread.hpp>
#include <boost/static_assert.hpp>
using namespace std;
@ -840,7 +843,30 @@ unsigned int GetP2SHSigOpCount(const CTransaction& tx, const CCoinsViewCache& in
// Taken from
// https://github.com/jedisct1/libsodium/commit/4099618de2cce5099ac2ec5ce8f2d80f4585606e
// which was removed to maintain backwards compatibility in
// https://github.com/jedisct1/libsodium/commit/cb07df046f19ee0d5ad600c579df97aaa4295cc3
static int
crypto_sign_check_S_lt_l(const unsigned char *S)
{
static const unsigned char l[32] =
{ 0xed, 0xd3, 0xf5, 0x5c, 0x1a, 0x63, 0x12, 0x58,
0xd6, 0x9c, 0xf7, 0xa2, 0xde, 0xf9, 0xde, 0x14,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10 };
unsigned char c = 0;
unsigned char n = 1;
unsigned int i = 32;
do {
i--;
c |= ((S[i] - l[i]) >> 8) & n;
n &= ((S[i] ^ l[i]) - 1) >> 8;
} while (i != 0);
return -(c == 0);
}
@ -956,16 +982,39 @@ bool CheckTransaction(const CTransaction& tx, CValidationState &state)
return state.DoS(10, error("CheckTransaction(): prevout is null"),
REJECT_INVALID, "bad-txns-prevout-null");
// Ensure that zk-SNARKs verify
if (tx.vpour.size() > 0) {
// TODO: #966.
static const uint256 one(uint256S("0000000000000000000000000000000000000000000000000000000000000001"));
// Empty output script.
CScript scriptCode;
uint256 dataToBeSigned = SignatureHash(scriptCode, tx, NOT_AN_INPUT, SIGHASH_ALL);
if (dataToBeSigned == one) {
return state.DoS(100, error("CheckTransaction(): error computing signature hash"),
REJECT_INVALID, "error-computing-signature-hash");
}
if (state.PerformPourVerification()) {
BOOST_FOREACH(const CPourTx &pour, tx.vpour) {
// TODO: #808
uint256 pubKeyHash;
BOOST_STATIC_ASSERT(crypto_sign_PUBLICKEYBYTES == 32);
if (!pour.Verify(*pzcashParams, pubKeyHash)) {
return state.DoS(100, error("CheckTransaction(): pour does not verify"),
REJECT_INVALID, "bad-txns-pour-verification-failed");
if (crypto_sign_verify_detached(&tx.joinSplitSig[0],
dataToBeSigned.begin(), 32,
tx.joinSplitPubKey.begin()
) != 0) {
return state.DoS(100, error("CheckTransaction(): invalid joinsplit signature"),
REJECT_INVALID, "bad-txns-invalid-joinsplit-signature");
}
if (crypto_sign_check_S_lt_l(&tx.joinSplitSig[32]) != 0) {
return state.DoS(100, error("CheckTransaction(): non-canonical ed25519 signature"),
REJECT_INVALID, "non-canonical-ed25519-signature");
}
if (state.PerformPourVerification()) {
// Ensure that zk-SNARKs verify
BOOST_FOREACH(const CPourTx &pour, tx.vpour) {
if (!pour.Verify(*pzcashParams, tx.joinSplitPubKey)) {
return state.DoS(100, error("CheckTransaction(): pour does not verify"),
REJECT_INVALID, "bad-txns-pour-verification-failed");
}
}
}
}

14
src/primitives/transaction.cpp
View File

@ -110,7 +110,11 @@ std::string CTxOut::ToString() const
}
CMutableTransaction::CMutableTransaction() : nVersion(CTransaction::CURRENT_VERSION), nLockTime(0) {}
CMutableTransaction::CMutableTransaction(const CTransaction& tx) : nVersion(tx.nVersion), vin(tx.vin), vout(tx.vout), nLockTime(tx.nLockTime), vpour(tx.vpour) {}
CMutableTransaction::CMutableTransaction(const CTransaction& tx) : nVersion(tx.nVersion), vin(tx.vin), vout(tx.vout), nLockTime(tx.nLockTime),
vpour(tx.vpour), joinSplitPubKey(tx.joinSplitPubKey), joinSplitSig(tx.joinSplitSig)
{
}
uint256 CMutableTransaction::GetHash() const
{
@ -122,9 +126,11 @@ void CTransaction::UpdateHash() const
*const_cast<uint256*>(&hash) = SerializeHash(*this);
}
CTransaction::CTransaction() : nVersion(CTransaction::CURRENT_VERSION), vin(), vout(), nLockTime(0), vpour() { }
CTransaction::CTransaction() : nVersion(CTransaction::CURRENT_VERSION), vin(), vout(), nLockTime(0), vpour(), joinSplitPubKey(), joinSplitSig() { }
CTransaction::CTransaction(const CMutableTransaction &tx) : nVersion(tx.nVersion), vin(tx.vin), vout(tx.vout), nLockTime(tx.nLockTime), vpour(tx.vpour) {
CTransaction::CTransaction(const CMutableTransaction &tx) : nVersion(tx.nVersion), vin(tx.vin), vout(tx.vout), nLockTime(tx.nLockTime), vpour(tx.vpour),
joinSplitPubKey(tx.joinSplitPubKey), joinSplitSig(tx.joinSplitSig)
{
UpdateHash();
}
@ -134,6 +140,8 @@ CTransaction& CTransaction::operator=(const CTransaction &tx) {
*const_cast<std::vector<CTxOut>*>(&vout) = tx.vout;
*const_cast<unsigned int*>(&nLockTime) = tx.nLockTime;
*const_cast<std::vector<CPourTx>*>(&vpour) = tx.vpour;
*const_cast<uint256*>(&joinSplitPubKey) = tx.joinSplitPubKey;
*const_cast<joinsplit_sig_t*>(&joinSplitSig) = tx.joinSplitSig;
*const_cast<uint256*>(&hash) = tx.hash;
return *this;
}

14
src/primitives/transaction.h
View File

@ -290,6 +290,8 @@ private:
void UpdateHash() const;
public:
typedef boost::array<unsigned char, 64> joinsplit_sig_t;
static const int32_t CURRENT_VERSION=1;
// The local variables are made const to prevent unintended modification
@ -302,6 +304,8 @@ public:
const std::vector<CTxOut> vout;
const uint32_t nLockTime;
const std::vector<CPourTx> vpour;
const uint256 joinSplitPubKey;
const joinsplit_sig_t joinSplitSig;
/** Construct a CTransaction that qualifies as IsNull() */
CTransaction();
@ -322,6 +326,10 @@ public:
READWRITE(*const_cast<uint32_t*>(&nLockTime));
if (nVersion >= 2) {
READWRITE(*const_cast<std::vector<CPourTx>*>(&vpour));
if (vpour.size() > 0) {
READWRITE(*const_cast<uint256*>(&joinSplitPubKey));
READWRITE(*const_cast<joinsplit_sig_t*>(&joinSplitSig));
}
}
if (ser_action.ForRead())
UpdateHash();
@ -375,6 +383,8 @@ struct CMutableTransaction
std::vector<CTxOut> vout;
uint32_t nLockTime;
std::vector<CPourTx> vpour;
uint256 joinSplitPubKey;
CTransaction::joinsplit_sig_t joinSplitSig;
CMutableTransaction();
CMutableTransaction(const CTransaction& tx);
@ -390,6 +400,10 @@ struct CMutableTransaction
READWRITE(nLockTime);
if (nVersion >= 2) {
READWRITE(vpour);
if (vpour.size() > 0) {
READWRITE(joinSplitPubKey);
READWRITE(joinSplitSig);
}
}
}

22
src/script/interpreter.cpp
View File

@ -1030,6 +1030,7 @@ public:
// Serialize the prevout
::Serialize(s, txTo.vin[nInput].prevout, nType, nVersion);
// Serialize the script
assert(nInput != NOT_AN_INPUT);
if (nInput != nIn)
// Blank out other inputs' signatures
::Serialize(s, CScript(), nType, nVersion);
@ -1073,22 +1074,19 @@ public:
// Serialize vpour
if (txTo.nVersion >= 2) {
// TODO:
//
// SIGHASH_* functions will hash portions of
// the transaction for use in signatures. This
// keeps the pour cryptographically bound to
// the transaction from the perspective of the
// inputs (but not from the perspective of the
// pour).
// keeps the JoinSplit cryptographically bound
// to the transaction.
//
// This must be rectified in the future.
// See zcash/#529
//
// It will be necessary to change this API to
// be abstract over whether an input script is
// being skipped or a pour is being skipped.
::Serialize(s, txTo.vpour, nType, nVersion);
if (txTo.vpour.size() > 0) {
::Serialize(s, txTo.joinSplitPubKey, nType, nVersion);
CTransaction::joinsplit_sig_t nullSig = {};
::Serialize(s, nullSig, nType, nVersion);
}
}
}
};
@ -1098,7 +1096,7 @@ public:
uint256 SignatureHash(const CScript& scriptCode, const CTransaction& txTo, unsigned int nIn, int nHashType)
{
static const uint256 one(uint256S("0000000000000000000000000000000000000000000000000000000000000001"));
if (nIn >= txTo.vin.size()) {
if (nIn >= txTo.vin.size() && nIn != NOT_AN_INPUT) {
// nIn out of range
return one;
}

4
src/script/interpreter.h
View File

@ -12,12 +12,16 @@
#include <vector>
#include <stdint.h>
#include <string>
#include <climits>
class CPubKey;
class CScript;
class CTransaction;
class uint256;
/** Special case nIn for signing JoinSplits. */
const unsigned int NOT_AN_INPUT = UINT_MAX;
/** Signature hash types/flags */
enum
{

1000
src/test/data/sighash.json
View File

File diff suppressed because one or more lines are too long

19
src/test/sighash_tests.cpp
View File

@ -81,6 +81,9 @@ uint256 static SignatureHashOld(CScript scriptCode, const CTransaction& txTo, un
txTmp.vin.resize(1);
}
// Blank out the joinsplit signature.
memset(&txTmp.joinSplitSig[0], 0, txTmp.joinSplitSig.size());
// Serialize and hash
CHashWriter ss(SER_GETHASH, 0);
ss << txTmp << nHashType;
@ -139,6 +142,22 @@ void static RandomTransaction(CMutableTransaction &tx, bool fSingle) {
tx.vpour.push_back(pourtx);
}
unsigned char joinSplitPrivKey[crypto_sign_SECRETKEYBYTES];
crypto_sign_keypair(tx.joinSplitPubKey.begin(), joinSplitPrivKey);
// TODO: #966.
static const uint256 one(uint256S("0000000000000000000000000000000000000000000000000000000000000001"));
// Empty output script.
CScript scriptCode;
CTransaction signTx(tx);
uint256 dataToBeSigned = SignatureHash(scriptCode, signTx, NOT_AN_INPUT, SIGHASH_ALL);
BOOST_CHECK(dataToBeSigned != one);
assert(crypto_sign_detached(&tx.joinSplitSig[0], NULL,
dataToBeSigned.begin(), 32,
joinSplitPrivKey
) == 0);
}
}

23
src/test/transaction_tests.cpp
View File

@ -16,6 +16,8 @@
#include "script/script_error.h"
#include "primitives/transaction.h"
#include "sodium.h"
#include <map>
#include <string>
@ -379,6 +381,9 @@ BOOST_AUTO_TEST_CASE(test_simple_pour_invalidity)
CMutableTransaction newTx(tx);
CValidationState state;
unsigned char joinSplitPrivKey[crypto_sign_SECRETKEYBYTES];
crypto_sign_keypair(newTx.joinSplitPubKey.begin(), joinSplitPrivKey);
state.SetPerformPourVerification(false); // don't verify the snark
// No pours, vin and vout, means it should be invalid.
@ -396,7 +401,23 @@ BOOST_AUTO_TEST_CASE(test_simple_pour_invalidity)
pourtx->serials[0] = GetRandHash();
pourtx->serials[1] = GetRandHash();
BOOST_CHECK_MESSAGE(CheckTransaction(newTx, state), state.GetRejectReason());
BOOST_CHECK(!CheckTransaction(newTx, state));
BOOST_CHECK(state.GetRejectReason() == "bad-txns-invalid-joinsplit-signature");
// TODO: #966.
static const uint256 one(uint256S("0000000000000000000000000000000000000000000000000000000000000001"));
// Empty output script.
CScript scriptCode;
CTransaction signTx(newTx);
uint256 dataToBeSigned = SignatureHash(scriptCode, signTx, NOT_AN_INPUT, SIGHASH_ALL);
BOOST_CHECK(dataToBeSigned != one);
assert(crypto_sign_detached(&newTx.joinSplitSig[0], NULL,
dataToBeSigned.begin(), 32,
joinSplitPrivKey
) == 0);
BOOST_CHECK(CheckTransaction(newTx, state));
}
{
// Ensure that values within the pour are well-formed.

45
src/wallet/rpcwallet.cpp
View File

@ -18,6 +18,9 @@
#include "walletdb.h"
#include "primitives/transaction.h"
#include "zcbenchmarks.h"
#include "script/interpreter.h"
#include "sodium.h"
#include <stdint.h>
@ -2650,22 +2653,48 @@ Value zc_raw_pour(const json_spirit::Array& params, bool fHelp)
throw runtime_error("unsupported pour input/output counts");
}
// TODO: #808
uint256 pubKeyHash;
uint256 joinSplitPubKey;
unsigned char joinSplitPrivKey[crypto_sign_SECRETKEYBYTES];
crypto_sign_keypair(joinSplitPubKey.begin(), joinSplitPrivKey);
CMutableTransaction mtx(tx);
mtx.nVersion = 2;
mtx.joinSplitPubKey = joinSplitPubKey;
CPourTx pourtx(*pzcashParams,
pubKeyHash,
joinSplitPubKey,
anchor,
{vpourin[0], vpourin[1]},
{vpourout[0], vpourout[1]},
vpub_old,
vpub_new);
assert(pourtx.Verify(*pzcashParams, pubKeyHash));
assert(pourtx.Verify(*pzcashParams, joinSplitPubKey));
CMutableTransaction mtx(tx);
mtx.nVersion = 2;
mtx.vpour.push_back(pourtx);
// TODO: #966.
static const uint256 one(uint256S("0000000000000000000000000000000000000000000000000000000000000001"));
// Empty output script.
CScript scriptCode;
CTransaction signTx(mtx);
uint256 dataToBeSigned = SignatureHash(scriptCode, signTx, NOT_AN_INPUT, SIGHASH_ALL);
if (dataToBeSigned == one) {
throw runtime_error("SignatureHash failed");
}
// Add the signature
assert(crypto_sign_detached(&mtx.joinSplitSig[0], NULL,
dataToBeSigned.begin(), 32,
joinSplitPrivKey
) == 0);
// Sanity check
assert(crypto_sign_verify_detached(&mtx.joinSplitSig[0],
dataToBeSigned.begin(), 32,
mtx.joinSplitPubKey.begin()
) == 0);
CTransaction rawTx(mtx);
CDataStream ss(SER_NETWORK, PROTOCOL_VERSION);
@ -2678,7 +2707,7 @@ Value zc_raw_pour(const json_spirit::Array& params, bool fHelp)
ss2 << ((unsigned char) 0x00);
ss2 << pourtx.ephemeralKey;
ss2 << pourtx.ciphertexts[0];
ss2 << pourtx.h_sig(*pzcashParams, pubKeyHash);
ss2 << pourtx.h_sig(*pzcashParams, joinSplitPubKey);
encryptedBucket1 = HexStr(ss2.begin(), ss2.end());
}
@ -2687,7 +2716,7 @@ Value zc_raw_pour(const json_spirit::Array& params, bool fHelp)
ss2 << ((unsigned char) 0x01);
ss2 << pourtx.ephemeralKey;
ss2 << pourtx.ciphertexts[1];
ss2 << pourtx.h_sig(*pzcashParams, pubKeyHash);
ss2 << pourtx.h_sig(*pzcashParams, joinSplitPubKey);
encryptedBucket2 = HexStr(ss2.begin(), ss2.end());
}

4
src/zcash/JoinSplit.cpp
View File

@ -301,7 +301,7 @@ uint256 JoinSplit<NumInputs, NumOutputs>::h_sig(
const boost::array<uint256, NumInputs>& nullifiers,
const uint256& pubKeyHash
) {
unsigned char personalization[crypto_generichash_blake2b_PERSONALBYTES]
const unsigned char personalization[crypto_generichash_blake2b_PERSONALBYTES]
= {'Z','c','a','s','h','C','o','m','p','u','t','e','h','S','i','g'};
std::vector<unsigned char> block(randomSeed.begin(), randomSeed.end());
@ -349,4 +349,4 @@ JSInput::JSInput() : witness(ZCIncrementalMerkleTree().witness()),
template class JoinSplit<ZC_NUM_JS_INPUTS,
ZC_NUM_JS_OUTPUTS>;
}
}

2
src/zcbenchmarks.cpp
View File

@ -64,7 +64,6 @@ double benchmark_parameter_loading()
double benchmark_create_joinsplit()
{
// TODO: #808
uint256 pubKeyHash;
/* Get the anchor of an empty commitment tree. */
@ -87,7 +86,6 @@ double benchmark_create_joinsplit()
double benchmark_verify_joinsplit(const CPourTx &joinsplit)
{
timer_start();
// TODO: #808
uint256 pubKeyHash;
joinsplit.Verify(*pzcashParams, pubKeyHash);
return timer_stop();