Git-Mirrors/xmr-btc-swap
1
0
Fork 0
mirror of https://github.com/comit-network/xmr-btc-swap.git synced 2025-02-22 07:39:56 -05:00
Code Issues Packages Projects Releases Wiki Activity

Change sign API back to taking signing key separately

Browse Source
This commit is contained in:
Thomas Eizinger 2021-05-13 17:28:06 +10:00
parent 7d3633e3ac
commit 507e2670ac
No known key found for this signature in database
GPG Key ID: 651AC83A6C6C8B96
3 changed files with 15 additions and 179 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

150
monero-adaptor/src/clsag.rs
View File

@ -13,87 +13,13 @@ const INV_EIGHT: Scalar = Scalar::from_bits([
pub fn sign( pub fn sign(
msg: &[u8; 32], msg: &[u8; 32],
H_p_pk: EdwardsPoint, signing_key: Scalar,
alpha: Scalar,
ring: &[EdwardsPoint; RING_SIZE],
commitment_ring: &[EdwardsPoint; RING_SIZE],
mut responses: [Scalar; RING_SIZE],
signing_key_index: usize, signing_key_index: usize,
z: Scalar,
pseudo_output_commitment: EdwardsPoint,
L: EdwardsPoint,
R: EdwardsPoint,
I: EdwardsPoint,
) -> Signature {
let D = z * H_p_pk;
let D_inv_8 = D * INV_EIGHT;
let mu_P = hash_to_scalar!(
b"CLSAG_agg_0" || ring || commitment_ring || I || D_inv_8 || pseudo_output_commitment
);
let mu_C = hash_to_scalar!(
b"CLSAG_agg_1" || ring || commitment_ring || I || D_inv_8 || pseudo_output_commitment
);
let adjusted_commitment_ring = commitment_ring.map(|point| point - pseudo_output_commitment);
let compute_ring_element = |L: EdwardsPoint, R: EdwardsPoint| {
hash_to_scalar!(
b"CLSAG_round" || ring || commitment_ring || pseudo_output_commitment || msg || L || R
)
};
let h_signing_index = compute_ring_element(L, R);
let mut h_prev = h_signing_index;
let mut i = (signing_key_index + 1) % RING_SIZE;
let mut h_0 = Scalar::zero();
if i == 0 {
h_0 = h_signing_index
}
while i != signing_key_index {
let L_i = compute_L(
h_prev,
mu_P,
mu_C,
responses[i],
ring[i],
adjusted_commitment_ring[i],
);
let R_i = compute_R(h_prev, mu_P, mu_C, responses[i], ring[i], I, D);
let h = compute_ring_element(L_i, R_i);
i = (i + 1) % RING_SIZE;
if i == 0 {
h_0 = h
}
h_prev = h
}
responses[signing_key_index] =
alpha - h_prev * ((mu_P * responses[signing_key_index]) + (mu_C * z));
Signature {
responses,
h_0,
I,
D: D_inv_8,
}
}
fn sign2(
msg: &[u8; 32],
H_p_pk: EdwardsPoint, H_p_pk: EdwardsPoint,
alpha: Scalar, alpha: Scalar,
ring: &[EdwardsPoint; RING_SIZE], ring: &[EdwardsPoint; RING_SIZE],
commitment_ring: &[EdwardsPoint; RING_SIZE], commitment_ring: &[EdwardsPoint; RING_SIZE],
fake_responses: [Scalar; RING_SIZE - 1], fake_responses: [Scalar; RING_SIZE - 1],
signing_key: Scalar,
signing_key_index: usize,
z: Scalar, z: Scalar,
pseudo_output_commitment: EdwardsPoint, pseudo_output_commitment: EdwardsPoint,
L: EdwardsPoint, L: EdwardsPoint,
@ -362,79 +288,15 @@ mod tests {
let pseudo_output_commitment = fee_key + out_pk; let pseudo_output_commitment = fee_key + out_pk;
let mut responses = random_array(|| Scalar::random(&mut rng));
responses[signing_key_index] = signing_key;
let signature = sign( let signature = sign(
msg_to_sign, msg_to_sign,
H_p_pk,
alpha,
&ring,
&commitment_ring,
responses,
signing_key_index,
real_commitment_blinding - out_pk_blinding,
pseudo_output_commitment,
alpha * ED25519_BASEPOINT_POINT,
alpha * H_p_pk,
signing_key * H_p_pk,
);
assert!(verify(
&signature,
msg_to_sign,
&ring,
&commitment_ring,
pseudo_output_commitment
))
}
}
#[test]
fn sign2_and_verify_at_every_index() {
for signing_key_index in 0..11 {
let mut rng = rand::rngs::StdRng::from_seed([0u8; 32]);
let msg_to_sign = b"hello world, monero is amazing!!";
let signing_key = Scalar::random(&mut rng);
let signing_pk = signing_key * ED25519_BASEPOINT_POINT;
let H_p_pk = hash_point_to_point(signing_pk);
let alpha = Scalar::random(&mut rng);
let amount_to_spend = 1000000u32;
let fee = 10000u32;
let output_amount = amount_to_spend - fee;
let mut ring = random_array(|| Scalar::random(&mut rng) * ED25519_BASEPOINT_POINT);
ring[signing_key_index] = signing_pk;
let real_commitment_blinding = Scalar::random(&mut rng);
let mut commitment_ring =
random_array(|| Scalar::random(&mut rng) * ED25519_BASEPOINT_POINT);
commitment_ring[signing_key_index] = real_commitment_blinding * ED25519_BASEPOINT_POINT
+ Scalar::from(amount_to_spend) * H.point.decompress().unwrap();
let fee_key = Scalar::from(fee) * H.point.decompress().unwrap();
let out_pk_blinding = Scalar::random(&mut rng);
let out_pk = out_pk_blinding * ED25519_BASEPOINT_POINT
+ Scalar::from(output_amount) * H.point.decompress().unwrap();
let pseudo_output_commitment = fee_key + out_pk;
let responses = random_array(|| Scalar::random(&mut rng));
let signature = sign2(
msg_to_sign,
H_p_pk,
alpha,
&ring,
&commitment_ring,
responses,
signing_key, signing_key,
signing_key_index, signing_key_index,
H_p_pk,
alpha,
&ring,
&commitment_ring,
random_array(|| Scalar::random(&mut rng)),
real_commitment_blinding - out_pk_blinding, real_commitment_blinding - out_pk_blinding,
pseudo_output_commitment, pseudo_output_commitment,
alpha * ED25519_BASEPOINT_POINT, alpha * ED25519_BASEPOINT_POINT,

38
monero-adaptor/src/lib.rs
View File

@ -155,28 +155,15 @@ impl Alice0 {
msg.pi_b msg.pi_b
.verify(ED25519_BASEPOINT_POINT, msg.T_b, self.H_p_pk, msg.I_hat_b)?; .verify(ED25519_BASEPOINT_POINT, msg.T_b, self.H_p_pk, msg.I_hat_b)?;
let responses = [
self.s_prime_a,
self.fake_responses[0],
self.fake_responses[1],
self.fake_responses[2],
self.fake_responses[3],
self.fake_responses[4],
self.fake_responses[5],
self.fake_responses[6],
self.fake_responses[7],
self.fake_responses[8],
self.fake_responses[9],
];
let sig = clsag::sign( let sig = clsag::sign(
&self.msg, &self.msg,
self.s_prime_a,
0,
self.H_p_pk, self.H_p_pk,
self.alpha_a, self.alpha_a,
&self.ring, &self.ring,
&self.commitment_ring, &self.commitment_ring,
responses, self.fake_responses,
0,
z, z,
self.pseudo_output_commitment, self.pseudo_output_commitment,
self.T_a + msg.T_b + self.R_a, self.T_a + msg.T_b + self.R_a,
@ -341,29 +328,16 @@ impl Bob1 {
self.pi_a self.pi_a
.verify(ED25519_BASEPOINT_POINT, T_a, self.H_p_pk, I_hat_a)?; .verify(ED25519_BASEPOINT_POINT, T_a, self.H_p_pk, I_hat_a)?;
let responses = [
self.s_b,
fake_responses[0],
fake_responses[1],
fake_responses[2],
fake_responses[3],
fake_responses[4],
fake_responses[5],
fake_responses[6],
fake_responses[7],
fake_responses[8],
fake_responses[9],
];
let I = I_a + self.I_b; let I = I_a + self.I_b;
let sig = clsag::sign( let sig = clsag::sign(
&self.msg, &self.msg,
self.s_b,
0,
self.H_p_pk, self.H_p_pk,
self.alpha_b, self.alpha_b,
&self.ring, &self.ring,
&self.commitment_ring, &self.commitment_ring,
responses, fake_responses,
0,
z, z,
self.pseudo_output_commitment, self.pseudo_output_commitment,
T_a + self.T_b + self.R_a, T_a + self.T_b + self.R_a,

6
monero-adaptor/tests/integration_test.rs
View File

@ -239,8 +239,7 @@ async fn monerod_integration_test() {
let alpha = Scalar::random(&mut rng); let alpha = Scalar::random(&mut rng);
let mut responses = random_array(|| Scalar::random(&mut rng)); let responses = random_array(|| Scalar::random(&mut rng));
responses[signing_index] = actual_signing_key;
let out_pk = out_pk let out_pk = out_pk
.iter() .iter()
@ -305,12 +304,13 @@ async fn monerod_integration_test() {
let sig = monero_adaptor::clsag::sign( let sig = monero_adaptor::clsag::sign(
&message, &message,
actual_signing_key,
signing_index,
H_p_pk, H_p_pk,
alpha, alpha,
&ring, &ring,
&commitment_ring, &commitment_ring,
responses, responses,
signing_index,
real_commitment_blinder - (out_blinding_0 + out_blinding_1), // * Scalar::from(MONERO_MUL_FACTOR), TODO DOESN'T VERIFY WITH THIS real_commitment_blinder - (out_blinding_0 + out_blinding_1), // * Scalar::from(MONERO_MUL_FACTOR), TODO DOESN'T VERIFY WITH THIS
pseudo_out, pseudo_out,
alpha * ED25519_BASEPOINT_POINT, alpha * ED25519_BASEPOINT_POINT,