2018-05-17 20:23:08 -07:00
|
|
|
#!/usr/bin/env python3
|
2018-07-21 03:24:50 -07:00
|
|
|
import sys; assert sys.version_info[0] >= 3, "Python 3 required."
|
|
|
|
|
2022-02-01 18:25:52 -08:00
|
|
|
from hashlib import blake2b
|
2018-05-17 20:23:08 -07:00
|
|
|
import os
|
|
|
|
|
2022-01-07 06:52:55 -08:00
|
|
|
from .generators import SPENDING_KEY_BASE
|
|
|
|
from .jubjub import Fr, Point, r_j
|
|
|
|
from .key_components import to_scalar
|
|
|
|
from ..utils import cldiv, leos2ip
|
|
|
|
from ..output import render_args, render_tv
|
2018-05-17 20:23:08 -07:00
|
|
|
|
|
|
|
|
|
|
|
def H(x):
|
|
|
|
digest = blake2b(person=b'Zcash_RedJubjubH')
|
|
|
|
digest.update(x)
|
|
|
|
return digest.digest()
|
|
|
|
|
|
|
|
def h_star(B):
|
|
|
|
return Fr(leos2ip(H(B)))
|
|
|
|
|
|
|
|
|
|
|
|
class RedJubjub(object):
|
|
|
|
l_G = 256 # l_J
|
|
|
|
l_H = 512
|
|
|
|
Public = Point
|
|
|
|
Private = Fr
|
|
|
|
Random = Fr
|
|
|
|
|
|
|
|
def __init__(self, P_g, random=os.urandom):
|
|
|
|
self.P_g = P_g
|
|
|
|
self._random = random
|
|
|
|
|
|
|
|
def gen_private(self):
|
2018-06-04 05:33:50 -07:00
|
|
|
return to_scalar(self._random(64))
|
2018-05-17 20:23:08 -07:00
|
|
|
|
|
|
|
def derive_public(self, sk):
|
|
|
|
return self.P_g * sk
|
|
|
|
|
|
|
|
def gen_random(self):
|
|
|
|
T = self._random((self.l_H + 128) // 8)
|
|
|
|
return h_star(T)
|
|
|
|
|
|
|
|
@staticmethod
|
|
|
|
def randomize_private(sk, alpha):
|
|
|
|
return sk + alpha
|
|
|
|
|
|
|
|
def randomize_public(self, vk, alpha):
|
|
|
|
return vk + self.P_g * alpha
|
|
|
|
|
|
|
|
def sign(self, sk, M):
|
|
|
|
T = self._random((self.l_H + 128) // 8)
|
|
|
|
r = h_star(T + M)
|
|
|
|
R = self.P_g * r
|
|
|
|
Rbar = bytes(R)
|
|
|
|
S = r + h_star(Rbar + M) * sk
|
|
|
|
Sbar = bytes(S) # TODO: bitlength(r_j)
|
|
|
|
return Rbar + Sbar
|
|
|
|
|
|
|
|
def verify(self, vk, M, sig):
|
|
|
|
mid = cldiv(self.l_G, 8)
|
|
|
|
(Rbar, Sbar) = (sig[:mid], sig[mid:]) # TODO: bitlength(r_j)
|
|
|
|
R = Point.from_bytes(Rbar)
|
2018-06-04 05:33:50 -07:00
|
|
|
S = leos2ip(Sbar)
|
2018-05-17 20:23:08 -07:00
|
|
|
c = h_star(Rbar + M)
|
2018-06-04 05:33:50 -07:00
|
|
|
return R and S < r_j and self.P_g * Fr(S) == R + vk * c
|
2018-05-17 20:23:08 -07:00
|
|
|
|
|
|
|
|
|
|
|
def main():
|
2018-06-05 01:36:37 -07:00
|
|
|
args = render_args()
|
|
|
|
|
2018-05-17 20:23:08 -07:00
|
|
|
from random import Random
|
|
|
|
rng = Random(0xabad533d)
|
|
|
|
def randbytes(l):
|
|
|
|
ret = []
|
|
|
|
while len(ret) < l:
|
|
|
|
ret.append(rng.randrange(0, 256))
|
|
|
|
return bytes(ret)
|
|
|
|
rj = RedJubjub(SPENDING_KEY_BASE, randbytes)
|
|
|
|
|
2018-06-04 22:06:05 -07:00
|
|
|
test_vectors = []
|
2018-05-17 20:23:08 -07:00
|
|
|
for i in range(0, 10):
|
|
|
|
sk = rj.gen_private()
|
|
|
|
vk = rj.derive_public(sk)
|
|
|
|
alpha = rj.gen_random()
|
|
|
|
rsk = rj.randomize_private(sk, alpha)
|
|
|
|
rvk = rj.randomize_public(vk, alpha)
|
|
|
|
|
|
|
|
M = bytes([i] * 32)
|
|
|
|
sig = rj.sign(sk, M)
|
|
|
|
rsig = rj.sign(rsk, M)
|
|
|
|
assert rj.verify(vk, M, sig)
|
|
|
|
assert rj.verify(rvk, M, rsig)
|
|
|
|
assert not rj.verify(vk, M, rsig)
|
|
|
|
assert not rj.verify(rvk, M, sig)
|
|
|
|
|
2018-06-04 22:06:05 -07:00
|
|
|
test_vectors.append({
|
|
|
|
'sk': bytes(sk),
|
|
|
|
'vk': bytes(vk),
|
|
|
|
'alpha': bytes(alpha),
|
|
|
|
'rsk': bytes(rsk),
|
|
|
|
'rvk': bytes(rvk),
|
|
|
|
'm': M,
|
|
|
|
'sig': sig,
|
|
|
|
'rsig': rsig,
|
|
|
|
})
|
|
|
|
|
2018-06-05 01:36:37 -07:00
|
|
|
render_tv(
|
|
|
|
args,
|
2018-06-04 22:06:05 -07:00
|
|
|
'sapling_signatures',
|
|
|
|
(
|
|
|
|
('sk', '[u8; 32]'),
|
|
|
|
('vk', '[u8; 32]'),
|
|
|
|
('alpha', '[u8; 32]'),
|
|
|
|
('rsk', '[u8; 32]'),
|
|
|
|
('rvk', '[u8; 32]'),
|
|
|
|
('m', '[u8; 32]'),
|
|
|
|
('sig', '[u8; 64]'),
|
|
|
|
('rsig', '[u8; 64]'),
|
|
|
|
),
|
|
|
|
test_vectors,
|
|
|
|
)
|
2018-05-17 20:23:08 -07:00
|
|
|
|
|
|
|
|
|
|
|
if __name__ == '__main__':
|
|
|
|
main()
|