2018-05-17 16:57:11 -07:00
|
|
|
#!/usr/bin/env python3
|
2018-07-21 03:24:50 -07:00
|
|
|
import sys; assert sys.version_info[0] >= 3, "Python 3 required."
|
|
|
|
|
2018-05-17 16:57:11 -07:00
|
|
|
from pyblake2 import blake2s
|
|
|
|
|
|
|
|
from sapling_jubjub import Point, JUBJUB_COFACTOR
|
2018-06-05 01:36:37 -07:00
|
|
|
from tv_output import render_args, render_tv
|
2021-05-06 07:53:12 -07:00
|
|
|
from utils import i2leosp
|
2018-05-17 16:57:11 -07:00
|
|
|
|
|
|
|
# First 64 bytes of the BLAKE2s input during group hash.
|
|
|
|
# This is chosen to be some random string that we couldn't have
|
|
|
|
# anticipated when we designed the algorithm, for rigidity purposes.
|
|
|
|
# We deliberately use an ASCII hex string of 32 bytes here.
|
2018-06-04 07:30:05 -07:00
|
|
|
URS = b'096b36a5804bfacef1691e173c366a47ff5ba84a44f26ddd7e8d9f79d5b42df0'
|
2018-05-17 16:57:11 -07:00
|
|
|
|
2018-05-17 17:45:19 -07:00
|
|
|
|
|
|
|
#
|
|
|
|
# Group hash
|
|
|
|
#
|
|
|
|
|
|
|
|
def group_hash(D, M):
|
|
|
|
digest = blake2s(person=D)
|
2018-06-04 07:30:05 -07:00
|
|
|
digest.update(URS)
|
2018-05-17 17:45:19 -07:00
|
|
|
digest.update(M)
|
2018-05-17 16:57:11 -07:00
|
|
|
p = Point.from_bytes(digest.digest())
|
2019-02-22 14:10:57 -08:00
|
|
|
if p is None:
|
2018-05-17 16:57:11 -07:00
|
|
|
return None
|
|
|
|
q = p * JUBJUB_COFACTOR
|
|
|
|
if q == Point.ZERO:
|
|
|
|
return None
|
|
|
|
return q
|
|
|
|
|
2018-05-17 17:45:19 -07:00
|
|
|
def find_group_hash(D, M):
|
2018-05-17 16:57:11 -07:00
|
|
|
i = 0
|
|
|
|
while True:
|
2018-05-17 17:45:19 -07:00
|
|
|
p = group_hash(D, M + bytes([i]))
|
2019-02-22 14:10:57 -08:00
|
|
|
if p is not None:
|
2018-05-17 16:57:11 -07:00
|
|
|
return p
|
|
|
|
i += 1
|
2018-05-17 23:00:45 -07:00
|
|
|
assert i < 256
|
2018-05-17 16:57:11 -07:00
|
|
|
|
|
|
|
|
|
|
|
#
|
|
|
|
# Sapling generators
|
|
|
|
#
|
|
|
|
|
|
|
|
SPENDING_KEY_BASE = find_group_hash(b'Zcash_G_', b'')
|
|
|
|
PROVING_KEY_BASE = find_group_hash(b'Zcash_H_', b'')
|
2018-05-17 17:47:05 -07:00
|
|
|
NOTE_POSITION_BASE = find_group_hash(b'Zcash_J_', b'')
|
|
|
|
WINDOWED_PEDERSEN_RANDOMNESS_BASE = find_group_hash(b'Zcash_PH', b'r')
|
|
|
|
VALUE_COMMITMENT_VALUE_BASE = find_group_hash(b'Zcash_cv', b'v')
|
|
|
|
VALUE_COMMITMENT_RANDOMNESS_BASE = find_group_hash(b'Zcash_cv', b'r')
|
2018-05-17 23:28:00 -07:00
|
|
|
|
2018-06-04 07:30:52 -07:00
|
|
|
required_bases = 4
|
|
|
|
PEDERSEN_BASES = [find_group_hash(b'Zcash_PH', i2leosp(32, iminus1))
|
|
|
|
for iminus1 in range(0, required_bases)]
|
2018-05-17 23:28:00 -07:00
|
|
|
|
|
|
|
def main():
|
2018-06-05 01:36:37 -07:00
|
|
|
render_tv(
|
|
|
|
render_args(),
|
2018-06-04 21:32:30 -07:00
|
|
|
'sapling_generators',
|
|
|
|
(
|
|
|
|
('skb', '[u8; 32]'),
|
|
|
|
('pkb', '[u8; 32]'),
|
|
|
|
('npb', '[u8; 32]'),
|
|
|
|
('wprb', '[u8; 32]'),
|
|
|
|
('vcvb', '[u8; 32]'),
|
|
|
|
('vcrb', '[u8; 32]'),
|
2018-06-04 07:30:52 -07:00
|
|
|
('pb0', '[u8; 32]'),
|
|
|
|
('pb1', '[u8; 32]'),
|
|
|
|
('pb2', '[u8; 32]'),
|
|
|
|
('pb3', '[u8; 32]'),
|
2018-06-04 21:32:30 -07:00
|
|
|
),
|
|
|
|
{
|
|
|
|
'skb': bytes(SPENDING_KEY_BASE),
|
|
|
|
'pkb': bytes(PROVING_KEY_BASE),
|
|
|
|
'npb': bytes(NOTE_POSITION_BASE),
|
|
|
|
'wprb': bytes(WINDOWED_PEDERSEN_RANDOMNESS_BASE),
|
|
|
|
'vcvb': bytes(VALUE_COMMITMENT_VALUE_BASE),
|
|
|
|
'vcrb': bytes(VALUE_COMMITMENT_RANDOMNESS_BASE),
|
2018-06-04 07:30:52 -07:00
|
|
|
'pb0': bytes(PEDERSEN_BASES[0]),
|
|
|
|
'pb1': bytes(PEDERSEN_BASES[1]),
|
|
|
|
'pb2': bytes(PEDERSEN_BASES[2]),
|
|
|
|
'pb3': bytes(PEDERSEN_BASES[3]),
|
2018-06-04 21:32:30 -07:00
|
|
|
},
|
|
|
|
)
|
2018-05-17 23:28:00 -07:00
|
|
|
|
|
|
|
|
|
|
|
if __name__ == '__main__':
|
|
|
|
main()
|