#!/usr/bin/env python3
import sys

# Refuse to run under Python 2; the module is written for Python 3 only.
assert sys.version_info[0] >= 3, "Python 3 required."
from ..ff1 import ff1_aes256_encrypt
from ..sapling.key_components import prf_expand
from ..zip_0032 import CKDh, HardenedOnlyContext, MKGh
from .generators import NULLIFIER_K_BASE, SPENDING_KEY_BASE, group_hash
from .pallas import Fp, Scalar, Point
from . import poseidon
from .commitments import commit_ivk
from ..utils import i2leosp, i2lebsp, lebs2osp
from .utils import to_base, to_scalar
from ..output import render_args, render_tv
#
# PRFs and hashes
#
def diversify_hash(d):
    """DiversifyHash^Orchard(d): hash a diversifier to a curve point.

    The diversifier is hashed to the group with the "z.cash:Orchard-gd"
    domain. If that hash happens to be the identity point, the hash of the
    empty string under the same domain is returned instead.
    """
    gd = group_hash(b'z.cash:Orchard-gd', d)
    fallback_needed = gd == Point.identity()
    return group_hash(b'z.cash:Orchard-gd', b'') if fallback_needed else gd
def prf_nf_orchard(nk, rho):
    """PRF^nfOrchard_nk(rho): the Poseidon hash of (nk, rho)."""
    digest = poseidon.hash(nk, rho)
    return digest
def derive_nullifier(nk, rho: Fp, psi: Fp, cm):
    """DeriveNullifier_nk(rho, psi, cm) for Orchard.

    Returns Extract_P([PRF^nfOrchard_nk(rho) + psi] NULLIFIER_K_BASE + cm).
    The addition PRF + psi is performed in the base field (mod p); the
    resulting integer is then handed to Scalar for the point multiplication
    (Scalar presumably reduces it into the scalar field; not shown here).
    """
    base_sum = prf_nf_orchard(nk, rho) + psi  # addition mod p
    multiplier = Scalar(base_sum.s)
    nullifier_point = NULLIFIER_K_BASE * multiplier + cm
    return nullifier_point.extract()
#
# Key components
#
class SpendingKey(object):
    """Orchard spending key and the key components derived from it.

    Attributes set by the constructor:
      data -- the raw spending key bytes, as supplied by the caller.
      ask  -- spend authorizing key (scalar), negated when the encoding of
              [ask] SPENDING_KEY_BASE has its top bit set.
      nk   -- nullifier deriving key (base-field element).
      rivk -- randomness for the ivk commitment (scalar).
      akP  -- the point [ask] SPENDING_KEY_BASE, computed before any negation.
      ak   -- akP.extract().
    """

    def __init__(self, data):
        self.data = data

        # Domain-separated PRF^expand outputs: 0x06 -> ask, 0x07 -> nk, 0x08 -> rivk.
        self.ask = to_scalar(prf_expand(data, b'\x06'))
        self.nk = to_base(prf_expand(data, b'\x07'))
        self.rivk = to_scalar(prf_expand(data, b'\x08'))

        # ask = 0 would give the identity as ak; such keys are rejected.
        if self.ask == Scalar.ZERO:
            raise ValueError("invalid spending key")

        # Sign normalisation: if the encoding of [ask] G has its high bit set,
        # negate ask. akP itself is deliberately left as first computed; ak is
        # taken from it below (Extract_P is expected to agree for akP and -akP,
        # which this code relies on but does not check).
        self.akP = SPENDING_KEY_BASE * self.ask
        high_bit_set = bytes(self.akP)[-1] & 0x80 != 0
        if high_bit_set:
            self.ask = -self.ask

        self.ak = self.akP.extract()
        # Sanity check that the ivk commitment is defined for this key.
        # NOTE: assert is skipped under `python -O`; fine for a test-vector
        # generator, but not a substitute for validation in production code.
        assert commit_ivk(self.rivk, self.ak, self.nk) is not None
class ExtendedSpendingKey(SpendingKey):
    """Hardened-only ZIP 32 extended spending key for Orchard.

    Adds a chain code to SpendingKey and exposes master-key generation (MKGh)
    and hardened child derivation (CKDh) using the Orchard context.
    """

    # Context handed to MKGh/CKDh; how its two fields are used is defined in
    # ..zip_0032, not here.
    Orchard = HardenedOnlyContext(b'ZcashIP32Orchard', b'\x81')

    def __init__(self, chaincode, data):
        super().__init__(data)
        self.chaincode = chaincode

    @classmethod
    def master(cls, S):
        """Derive the master extended key from seed S via MKGh."""
        master_sk, master_cc = MKGh(cls.Orchard, S)
        return cls(master_cc, master_sk)

    def child(self, i):
        """Derive the hardened child at index i via CKDh."""
        child_sk, child_cc = CKDh(self.Orchard, self.data, self.chaincode, i)
        return type(self)(child_cc, child_sk)
class FullViewingKey(object):
    """Orchard full viewing key (rivk, ak, nk) and the keys derived from it.

    On construction, dk and ovk are the two 32-byte halves of
    PRF^expand_K(0x82 || LEOS(ak) || LEOS(nk)) with K = LEOS(rivk).
    """

    def __init__(self, rivk, ak, nk):
        self.rivk = rivk
        self.ak = ak
        self.nk = nk
        expanded = self._expand(b'\x82')
        self.dk = expanded[:32]
        self.ovk = expanded[32:]

    def _expand(self, tag):
        """PRF^expand keyed by LEOS(rivk) over tag || LEOS(ak) || LEOS(nk)."""
        key = i2leosp(256, self.rivk.s)
        message = tag + i2leosp(256, self.ak.s) + i2leosp(256, self.nk.s)
        return prf_expand(key, message)

    @classmethod
    def from_spending_key(cls, sk):
        """Build the full viewing key from a SpendingKey's rivk, ak and nk."""
        return cls(sk.rivk, sk.ak, sk.nk)

    def ivk(self):
        """Incoming viewing key: Commit^ivk_rivk(ak, nk)."""
        return commit_ivk(self.rivk, self.ak, self.nk)

    def diversifier(self, j):
        """Diversifier for index j: FF1-AES256_dk("", I2LEBSP_88(j)), as 11 bytes."""
        encrypted_bits = ff1_aes256_encrypt(self.dk, b'', i2lebsp(88, j))
        return lebs2osp(encrypted_bits)

    def default_d(self):
        """The diversifier at index 0."""
        return self.diversifier(0)

    def g_d(self, j):
        """DiversifyHash of the diversifier at index j."""
        return diversify_hash(self.diversifier(j))

    def pk_d(self, j):
        """Diversified transmission key [ivk] g_d for index j."""
        ivk_scalar = Scalar(self.ivk().s)
        return self.g_d(j) * ivk_scalar

    def default_pkd(self):
        """The diversified transmission key at index 0."""
        return self.pk_d(0)

    def internal(self):
        """The internal full viewing key: same ak and nk, rivk re-derived with tag 0x83."""
        rivk_internal = to_scalar(self._expand(b'\x83'))
        return type(self)(rivk_internal, self.ak, self.nk)
def main():
    """Generate and render the Orchard key-component test vectors.

    Ten spending keys are drawn from a fixed-seed PRNG. For each one the
    full viewing key, its default diversifier and pk_d, its internal FVK,
    and a random note (value, rho, rseed) with its commitment and nullifier
    are recorded.
    """
    args = render_args()

    from .note import OrchardNote
    from random import Random
    from ..rand import Rand

    # Fixed seed: every byte below is drawn from this single stream, so the
    # order of the rand.* / Fp.random calls determines the vectors.
    rng = Random(0xabad533d)

    def randbytes(length):
        # One randrange call per byte; this is what the vectors were generated
        # with (Random.randbytes would consume the stream differently).
        return bytes(rng.randrange(0, 256) for _ in range(length))

    rand = Rand(randbytes)

    field_layout = (
        ('sk', '[u8; 32]'),
        ('ask', '[u8; 32]'),
        ('ak', '[u8; 32]'),
        ('nk', '[u8; 32]'),
        ('rivk', '[u8; 32]'),
        ('ivk', '[u8; 32]'),
        ('ovk', '[u8; 32]'),
        ('dk', '[u8; 32]'),
        ('default_d', '[u8; 11]'),
        ('default_pk_d', '[u8; 32]'),
        ('internal_rivk', '[u8; 32]'),
        ('internal_ivk', '[u8; 32]'),
        ('internal_ovk', '[u8; 32]'),
        ('internal_dk', '[u8; 32]'),
        ('note_v', 'u64'),
        ('note_rho', '[u8; 32]'),
        ('note_rseed', '[u8; 32]'),
        ('note_cmx', '[u8; 32]'),
        ('note_nf', '[u8; 32]'),
    )

    test_vectors = []
    for _ in range(10):
        sk = SpendingKey(rand.b(32))
        fvk = FullViewingKey.from_spending_key(sk)
        default_d = fvk.default_d()
        default_pk_d = fvk.default_pkd()

        # Note fields are drawn in this order; reordering would change the vectors.
        note_v = rand.u64()
        note_rho = Fp.random(rand)
        note_rseed = rand.b(32)
        note = OrchardNote(default_d, default_pk_d, note_v, note_rho, note_rseed)
        note_cm = note.note_commitment()
        note_nf = derive_nullifier(fvk.nk, note_rho, note.psi, note_cm)

        internal = fvk.internal()
        test_vectors.append({
            'sk': sk.data,
            'ask': bytes(sk.ask),
            'ak': bytes(fvk.ak),
            'nk': bytes(fvk.nk),
            'rivk': bytes(fvk.rivk),
            'ivk': bytes(fvk.ivk()),
            'ovk': fvk.ovk,
            'dk': fvk.dk,
            'default_d': default_d,
            'default_pk_d': bytes(default_pk_d),
            'internal_rivk': bytes(internal.rivk),
            'internal_ivk': bytes(internal.ivk()),
            'internal_ovk': internal.ovk,
            'internal_dk': internal.dk,
            'note_v': note_v,
            'note_rho': bytes(note_rho),
            'note_rseed': bytes(note_rseed),
            'note_cmx': bytes(note_cm.extract()),
            'note_nf': bytes(note_nf),
        })

    render_tv(args, 'orchard_key_components', field_layout, test_vectors)
# Script entry point: generate the vectors and emit them through render_tv.
if __name__ == '__main__':
    main()