You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

689 lines
25 KiB

9 years ago
/******************************************************************************
8 years ago
* Copyright © 2014-2017 The SuperNET Developers. *
9 years ago
* *
* See the AUTHORS, DEVELOPER-AGREEMENT and LICENSE files at *
* the top-level directory of this distribution for the individual copyright *
* holder information and the developer policies on copyright and licensing. *
* *
* Unless otherwise agreed in a custom licensing agreement, no part of the *
* SuperNET software, including this file may be copied, modified, propagated *
* or distributed except according to the terms contained in the LICENSE file *
* *
* Removal or modification of this copyright notice is prohibited. *
* *
******************************************************************************/
#include <ctype.h>
#include <string.h>
9 years ago
#include <stdio.h>
9 years ago
#include <stdlib.h>
9 years ago
#include "../includes/curve25519.h"
9 years ago
#include "secp256k1/include/secp256k1.h"
9 years ago
#include "secp256k1/include/secp256k1_ecdh.h"
#include "secp256k1/include/secp256k1_schnorr.h"
#include "secp256k1/include/secp256k1_rangeproof.h"
9 years ago
#include "secp256k1/include/secp256k1_recovery.h"
9 years ago
SECP256K1_API extern const secp256k1_nonce_function secp256k1_nonce_function_rfc6979;
9 years ago
#define bits256_nonz(a) (((a).ulongs[0] | (a).ulongs[1] | (a).ulongs[2] | (a).ulongs[3]) != 0)
9 years ago
9 years ago
#define SECP_ENSURE_CTX int32_t flag = 0; if ( ctx == 0 ) { ctx = secp256k1_context_create(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY); secp256k1_pedersen_context_initialize(ctx); secp256k1_rangeproof_context_initialize(ctx); flag++; } else flag = 0; if ( ctx != 0 )
#define ENDSECP_ENSURE_CTX if ( flag != 0 ) secp256k1_context_destroy(ctx);
9 years ago
9 years ago
int32_t bitcoin_pubkeylen(const uint8_t *pubkey)
{
if ( pubkey[0] == 2 || pubkey[0] == 3 )
return(33);
else if ( pubkey[0] == 4 )
return(65);
8 years ago
else
{
8 years ago
//printf("illegal pubkey.[%02x] %llx\n",pubkey[0],*(long long *)pubkey);
8 years ago
return(-1);
}
9 years ago
}
9 years ago
bits256 bitcoin_randkey(secp256k1_context *ctx)
{
9 years ago
int32_t i; bits256 privkey;
SECP_ENSURE_CTX
9 years ago
{
for (i=0; i<100; i++)
{
privkey = rand256(0);
9 years ago
if ( secp256k1_ec_seckey_verify(ctx,privkey.bytes) != 0 )
9 years ago
{
9 years ago
ENDSECP_ENSURE_CTX
9 years ago
return(privkey);
}
}
9 years ago
ENDSECP_ENSURE_CTX
9 years ago
}
fprintf(stderr,"couldnt generate valid bitcoin privkey. something is REALLY wrong. exiting\n");
exit(-1);
}
9 years ago
bits256 bitcoin_pubkey33(secp256k1_context *ctx,uint8_t *data,bits256 privkey)
9 years ago
{
9 years ago
size_t plen; bits256 pubkey; secp256k1_pubkey secppub;
9 years ago
memset(pubkey.bytes,0,sizeof(pubkey));
9 years ago
SECP_ENSURE_CTX
9 years ago
{
if ( secp256k1_ec_seckey_verify(ctx,privkey.bytes) == 0 )
{
8 years ago
//printf("bitcoin_sign illegal privkey\n");
return(pubkey);
}
9 years ago
if ( secp256k1_ec_pubkey_create(ctx,&secppub,privkey.bytes) != 0 )
9 years ago
{
plen = 33;
secp256k1_ec_pubkey_serialize(ctx,data,&plen,&secppub,SECP256K1_EC_COMPRESSED);
9 years ago
if ( plen == 33 )
memcpy(pubkey.bytes,data+1,sizeof(pubkey));
}
9 years ago
ENDSECP_ENSURE_CTX
9 years ago
}
return(pubkey);
}
9 years ago
bits256 bitcoin_pub256(void *ctx,bits256 *privkeyp,uint8_t odd_even)
{
bits256 pub256; uint8_t pubkey[33]; int32_t i;
for (i=0; i<100; i++)
{
*privkeyp = rand256(0);
pub256 = bitcoin_pubkey33(ctx,pubkey,*privkeyp);
if ( pubkey[0] == odd_even+2 )
return(pub256);
}
printf("bitcoin_pub256 couldnt generate pubkey.%d\n",odd_even+2);
memset(pub256.bytes,0,sizeof(pub256));
return(pub256);
}
9 years ago
int32_t bitcoin_sign(void *ctx,char *symbol,uint8_t *sig,bits256 txhash2,bits256 privkey,int32_t recoverflag)
9 years ago
{
9 years ago
int32_t fCompressed = 1;
9 years ago
secp256k1_ecdsa_signature SIG; secp256k1_ecdsa_recoverable_signature rSIG; bits256 extra_entropy,seed; int32_t recid,retval = -1; size_t siglen = 72; secp256k1_pubkey SECPUB,CHECKPUB;
9 years ago
seed = rand256(0);
extra_entropy = rand256(0);
9 years ago
SECP_ENSURE_CTX
9 years ago
{
if ( secp256k1_ec_seckey_verify(ctx,privkey.bytes) == 0 )
{
8 years ago
//printf("bitcoin_sign illegal privkey\n");
return(-1);
}
9 years ago
if ( secp256k1_context_randomize(ctx,seed.bytes) != 0 )
9 years ago
{
9 years ago
if ( recoverflag != 0 )
9 years ago
{
9 years ago
if ( secp256k1_ecdsa_sign_recoverable(ctx,&rSIG,txhash2.bytes,privkey.bytes,secp256k1_nonce_function_rfc6979,extra_entropy.bytes) != 0 )
9 years ago
{
recid = -1;
secp256k1_ecdsa_recoverable_signature_serialize_compact(ctx,sig+1,&recid,&rSIG);
9 years ago
if ( secp256k1_ecdsa_recover(ctx,&SECPUB,&rSIG,txhash2.bytes) != 0 )
9 years ago
{
9 years ago
if ( secp256k1_ec_pubkey_create(ctx,&CHECKPUB,privkey.bytes) != 0 )
9 years ago
{
if ( memcmp(&SECPUB,&CHECKPUB,sizeof(SECPUB)) == 0 )
{
sig[0] = 27 + recid + (fCompressed != 0 ? 4 : 0);
retval = 64 + 1;
8 years ago
//size_t i,plen = 33; uint8_t pubkey[33];
//secp256k1_ec_pubkey_serialize(ctx,pubkey,&plen,&CHECKPUB,SECP256K1_EC_COMPRESSED);
//for (i=0; i<33; i++)
// printf("%02x",pubkey[i]);
//printf(" bitcoin_sign's pubkey\n");
8 years ago
8 years ago
} //else printf("secpub mismatch\n");
9 years ago
} else printf("pubkey create error\n");
8 years ago
} //else printf("recover error\n");
9 years ago
} else printf("secp256k1_ecdsa_sign_recoverable error\n");
}
else
{
9 years ago
if ( secp256k1_ecdsa_sign(ctx,&SIG,txhash2.bytes,privkey.bytes,secp256k1_nonce_function_rfc6979,extra_entropy.bytes) != 0 )
9 years ago
{
9 years ago
if ( secp256k1_ecdsa_signature_serialize_der(ctx,sig,&siglen,&SIG) != 0 )
9 years ago
retval = (int32_t)siglen;
}
9 years ago
}
}
9 years ago
ENDSECP_ENSURE_CTX
9 years ago
}
return(retval);
}
8 years ago
int32_t bitcoin_recoververify(void *ctx,char *symbol,uint8_t *sig,bits256 messagehash2,uint8_t *pubkey,size_t plen)
9 years ago
{
8 years ago
int32_t retval = -1; secp256k1_pubkey PUB; secp256k1_ecdsa_signature SIG; secp256k1_ecdsa_recoverable_signature rSIG;
9 years ago
pubkey[0] = 0;
9 years ago
SECP_ENSURE_CTX
9 years ago
{
8 years ago
if ( plen == 0 )
{
plen = (sig[0] <= 31) ? 65 : 33;
sig++;
}
secp256k1_ecdsa_recoverable_signature_parse_compact(ctx,&rSIG,sig,0);
9 years ago
secp256k1_ecdsa_recoverable_signature_convert(ctx,&SIG,&rSIG);
9 years ago
if ( secp256k1_ecdsa_recover(ctx,&PUB,&rSIG,messagehash2.bytes) != 0 )
9 years ago
{
9 years ago
plen = 33;
8 years ago
memset(pubkey,0,33);
9 years ago
secp256k1_ec_pubkey_serialize(ctx,pubkey,&plen,&PUB,SECP256K1_EC_COMPRESSED);//plen == 65 ? SECP256K1_EC_UNCOMPRESSED : SECP256K1_EC_COMPRESSED);
9 years ago
if ( secp256k1_ecdsa_verify(ctx,&SIG,messagehash2.bytes,&PUB) != 0 )
9 years ago
{
9 years ago
retval = 0;
9 years ago
/*if ( pubkey[0] == 4 ) // experimentally looks like 04 is set
9 years ago
pubkey[0] = 2;
else if ( pubkey[0] != 2 )
9 years ago
pubkey[0] = 3;*/
8 years ago
} else printf("secp256k1_ecdsa_verify error\n");
9 years ago
} else printf("secp256k1_ecdsa_recover error\n");
9 years ago
ENDSECP_ENSURE_CTX
9 years ago
}
return(retval);
}
int32_t bitcoin_verify(void *ctx,uint8_t *sig,int32_t siglen,bits256 txhash2,uint8_t *pubkey,int32_t plen)
{
9 years ago
int32_t retval = -1; secp256k1_pubkey PUB; secp256k1_ecdsa_signature SIG;
SECP_ENSURE_CTX
{
9 years ago
if ( secp256k1_ec_pubkey_parse(ctx,&PUB,pubkey,plen) != 0 )
{
secp256k1_ecdsa_signature_parse_der(ctx,&SIG,sig,siglen);
9 years ago
if ( secp256k1_ecdsa_verify(ctx,&SIG,txhash2.bytes,&PUB) != 0 )
retval = 0;
}
9 years ago
ENDSECP_ENSURE_CTX
}
return(retval);
}
bits256 bitcoin_sharedsecret(void *ctx,bits256 privkey,uint8_t *pubkey,int32_t plen)
{
int32_t retval = -1; bits256 shared; secp256k1_pubkey PUB;
memset(shared.bytes,0,sizeof(shared));
SECP_ENSURE_CTX
{
9 years ago
if ( secp256k1_ec_pubkey_parse(ctx,&PUB,pubkey,plen) != 0 )
9 years ago
{
9 years ago
if ( secp256k1_ecdh(ctx,shared.bytes,&PUB,privkey.bytes) != 0 )
9 years ago
retval = 0;
else memset(shared.bytes,0,sizeof(shared));
}
ENDSECP_ENSURE_CTX
}
return(shared);
}
int32_t bitcoin_schnorr_sign(void *ctx,uint8_t *sig64,bits256 txhash2,bits256 privkey)
{
9 years ago
int32_t retval = -1; bits256 seed;
9 years ago
SECP_ENSURE_CTX
{
9 years ago
seed = rand256(0);
9 years ago
if ( secp256k1_schnorr_sign(ctx,sig64,txhash2.bytes,privkey.bytes,secp256k1_nonce_function_rfc6979,seed.bytes) != 0 )
9 years ago
retval = 0;
ENDSECP_ENSURE_CTX
}
return(retval);
}
int32_t bitcoin_schnorr_verify(void *ctx,uint8_t *sig64,bits256 txhash2,uint8_t *pubkey,int32_t plen)
{
int32_t retval = -1; secp256k1_pubkey PUB;
SECP_ENSURE_CTX
{
9 years ago
if ( secp256k1_ec_pubkey_parse(ctx,&PUB,pubkey,plen) != 0 )
9 years ago
{
9 years ago
if ( secp256k1_schnorr_verify(ctx,sig64,txhash2.bytes,&PUB) != 0 )
9 years ago
retval = 0;
}
ENDSECP_ENSURE_CTX
}
return(retval);
}
int32_t bitcoin_schnorr_recover(void *ctx,uint8_t *pubkey,uint8_t *sig64,bits256 txhash2)
{
int32_t retval = -1; secp256k1_pubkey PUB; size_t plen;
SECP_ENSURE_CTX
{
9 years ago
if ( secp256k1_schnorr_recover(ctx,&PUB,sig64,txhash2.bytes) != 0 )
9 years ago
{
plen = 33;
secp256k1_ec_pubkey_serialize(ctx,pubkey,&plen,&PUB,SECP256K1_EC_COMPRESSED);
retval = 0;
}
ENDSECP_ENSURE_CTX
}
return(retval);
}
bits256 bitcoin_schnorr_noncepair(void *ctx,uint8_t *pubnonce,bits256 txhash2,bits256 privkey) //exchange
{
9 years ago
int32_t retval = -1; size_t plen; secp256k1_pubkey PUB; bits256 privnonce,seed;
9 years ago
memset(privnonce.bytes,0,sizeof(privnonce));
pubnonce[0] = 0;
SECP_ENSURE_CTX
{
9 years ago
seed = rand256(0);
9 years ago
if ( secp256k1_schnorr_generate_nonce_pair(ctx,&PUB,privnonce.bytes,txhash2.bytes,privkey.bytes,secp256k1_nonce_function_rfc6979,seed.bytes) != 0 )
9 years ago
{
plen = 33;
secp256k1_ec_pubkey_serialize(ctx,pubnonce,&plen,&PUB,SECP256K1_EC_COMPRESSED);
retval = 0;
}
ENDSECP_ENSURE_CTX
}
return(privnonce);
}
9 years ago
int32_t bitcoin_pubkey_combine(void *ctx,uint8_t *combined_pub,uint8_t *skipkey,bits256 *evenkeys,int32_t n,bits256 *oddkeys,int32_t m)
{
int32_t i,num,iter,max,retval = -1; uint8_t pubkey[33]; size_t plen; secp256k1_pubkey PUBall,*PUBptrs[256],PUBkeys[256];
SECP_ENSURE_CTX
{
if ( n+m > 0 && n+m < sizeof(PUBptrs)/sizeof(*PUBptrs) )
{
for (iter=num=0; iter<2; iter++)
{
if ( (max= (iter == 0) ? n : m) != 0 )
{
for (i=0; i<max; i++)
{
PUBptrs[num] = &PUBkeys[num];
pubkey[0] = 2 + iter;
memcpy(pubkey+1,((iter == 0) ? evenkeys : oddkeys)[i].bytes,32);
if ( skipkey != 0 && memcmp(pubkey,skipkey,33) == 0 )
{
//printf("skipkey.%d\n",i);
continue;
}
if ( secp256k1_ec_pubkey_parse(ctx,PUBptrs[num],pubkey,33) == 0 )
{
int32_t j; for (j=0; j<33; j++)
printf("%02x",pubkey[j]);
printf(" error parsing pubkey iter.%d num.%d i.%d\n",iter,num,i);
break;
}
num++;
}
}
}
if ( secp256k1_ec_pubkey_combine(ctx,&PUBall,(void *)PUBptrs,num) != 0 )
{
plen = 33;
secp256k1_ec_pubkey_serialize(ctx,combined_pub,&plen,&PUBall,SECP256K1_EC_COMPRESSED);
retval = 0;
}
}
ENDSECP_ENSURE_CTX
}
return(retval);
}
9 years ago
int32_t bitcoin_schnorr_partialsign(void *ctx,uint8_t *sig64,uint8_t *combined_pub,bits256 txhash2,bits256 privkey,bits256 privnonce,uint8_t *pubptrs[],int32_t n) // generate and exchange
{
int32_t bitcoin_pubkeylen(const uint8_t *pubkey);
int32_t i,retval = -1; secp256k1_pubkey PUBall,**PUBptrs; size_t plen;
SECP_ENSURE_CTX
{
PUBptrs = calloc(n,sizeof(*PUBptrs));
for (i=0; i<n; i++)
{
PUBptrs[i] = calloc(1,sizeof(secp256k1_pubkey));
9 years ago
if ( secp256k1_ec_pubkey_parse(ctx,PUBptrs[i],pubptrs[i],bitcoin_pubkeylen(pubptrs[i])) != 0 )
9 years ago
break;
}
9 years ago
if ( n > 0 && secp256k1_ec_pubkey_combine(ctx,&PUBall,(void *)PUBptrs,n) != 0 )
9 years ago
{
plen = 33;
9 years ago
if ( secp256k1_schnorr_partial_sign(ctx,sig64,txhash2.bytes,privkey.bytes,&PUBall,privnonce.bytes) != 0 )
9 years ago
{
secp256k1_ec_pubkey_serialize(ctx,combined_pub,&plen,&PUBall,SECP256K1_EC_COMPRESSED);
retval = 0;
}
}
free(PUBptrs);
ENDSECP_ENSURE_CTX
}
return(retval);
}
int32_t bitcoin_schnorr_combine(void *ctx,uint8_t *sig64,uint8_t *allpub,uint8_t **sigs,int32_t n,bits256 txhash2)
{
int32_t rc,retval = -1;
SECP_ENSURE_CTX
{
9 years ago
if ( (rc= secp256k1_schnorr_partial_combine(ctx,sig64,(void *)sigs,n)) != 0 )
9 years ago
{
if ( bitcoin_schnorr_recover(ctx,allpub,sig64,txhash2) == 0 )
{
if ( bitcoin_schnorr_verify(ctx,sig64,txhash2,allpub,33) == 0 )
retval = 0;
}
}
ENDSECP_ENSURE_CTX
}
return(retval);
}
9 years ago
int32_t bitcoin_pederson_commit(void *ctx,uint8_t *commit,bits256 blind,uint64_t value)
{
int32_t retval = -1;
SECP_ENSURE_CTX
{
9 years ago
if ( secp256k1_pedersen_commit(ctx,commit,blind.bytes,value) != 0 )
9 years ago
retval = 0;
ENDSECP_ENSURE_CTX
}
return(retval);
}
bits256 bitcoin_pederson_blindsum(void *ctx,bits256 **blindptrs,int32_t n,int32_t numpos)
{
bits256 blind_out;
memset(blind_out.bytes,0,sizeof(blind_out));
SECP_ENSURE_CTX
{
if ( secp256k1_pedersen_blind_sum(ctx,blind_out.bytes,(void *)blindptrs,n,numpos) == 0 )
memset(blind_out.bytes,0,sizeof(blind_out));
ENDSECP_ENSURE_CTX
}
return(blind_out);
}
int32_t bitcoin_pederson_tally(void *ctx,uint8_t **commits,int32_t n,int32_t numpos,int64_t excess)
{
int32_t retval = -1;
SECP_ENSURE_CTX
{
printf("bitcoin_pederson_tally: n.%d numpos.%d excess %lld\n",n,numpos,(long long)excess);
9 years ago
if ( secp256k1_pedersen_verify_tally(ctx,(void *)commits,numpos,(void *)&commits[numpos],n - numpos,excess) != 0 )
9 years ago
retval = 0;
ENDSECP_ENSURE_CTX
}
return(retval);
}
int32_t bitcoin_rangeproof_message(void *ctx,uint8_t *blind_out,uint8_t *message,uint64_t *valuep,bits256 nonce,uint64_t *min_valuep,uint64_t *max_valuep,uint8_t *commit,uint8_t *proof,int32_t prooflen)
{
int32_t outlen = 0,retval = -1;
SECP_ENSURE_CTX
{
9 years ago
if ( secp256k1_rangeproof_rewind(ctx,blind_out,valuep,message,&outlen,nonce.bytes,min_valuep,max_valuep,commit,proof,prooflen) != 0 )
9 years ago
retval = outlen;
ENDSECP_ENSURE_CTX
}
return(retval);
}
uint64_t bitcoin_rangeverify(void *ctx,int32_t *exponentp,int32_t *mantissap,uint64_t *min_valuep,uint8_t *commit,uint8_t *proof,int32_t prooflen)
{
uint64_t max_value,retval = 0;
max_value = *min_valuep = *exponentp = *mantissap = 0;
9 years ago
if ( secp256k1_rangeproof_info(ctx,exponentp,mantissap,min_valuep,&max_value,proof,prooflen) != 0 )
9 years ago
{
if ( commit != 0 )
{
9 years ago
if ( secp256k1_rangeproof_verify(ctx,min_valuep,&max_value,commit,proof,prooflen) != 0 )
9 years ago
retval = max_value;
} else retval = max_value;
}
return(retval);
}
int32_t bitcoin_rangeproof(void *ctx,uint8_t *proof,uint8_t *commit,bits256 blind,bits256 nonce,uint64_t value,uint64_t min_value,int32_t exponent,int32_t min_bits)
{
9 years ago
int32_t prooflen=0 ,retval = -1;
9 years ago
SECP_ENSURE_CTX
{
9 years ago
if ( secp256k1_rangeproof_sign(ctx,proof,&prooflen,min_value,commit,blind.bytes,nonce.bytes,exponent,min_bits,value) != 0 )
9 years ago
retval = prooflen;
ENDSECP_ENSURE_CTX
}
return(retval);
}
int32_t iguana_pederson_test(void *ctx)
{
uint8_t commits[100][33],*commitptrs[100],proofs[100][5138]; uint16_t vouts[100]; int64_t min_value,values[100],totalpos,totalneg; bits256 txids[100],nonces[100],blinds[100],*blindptrs[100],blindsum; int32_t prooflens[100],i,r,pos,neg,numpos,exponent,min_bits,n,N = 100;
srand(100);
for (i=numpos=n=0; i<N; i++)
{
values[i] = rand();
vouts[i] = (rand() % 300);
txids[i] = rand256(0);
nonces[i] = rand256(0);
blinds[i] = rand256(0);
if ( bitcoin_pederson_commit(ctx,commits[i],blinds[i],values[i]) < 0 )
break;
if ( ((r= rand()) % 2) == 0 )
values[i] = -values[i];
else
{
exponent = 0;
min_bits = 64;
min_value = 0;
prooflens[i] = bitcoin_rangeproof(ctx,proofs[i],commits[i],blinds[i],nonces[i],values[i],min_value,exponent,min_bits);
printf("%d ",prooflens[i]);
numpos++;
}
n++;
}
if ( i != N )
{
printf("commit failure i.%d of N.%d\n",i,N);
return(-1);
}
for (totalpos=i=pos=0; i<N; i++)
{
if ( values[i] > 0 )
{
commitptrs[pos] = commits[i];
blindptrs[pos] = &blinds[i];
totalpos += values[i];
pos++;
}
}
if ( pos != numpos )
{
printf("pos.%d != numpos.%d\n",pos,numpos);
return(-1);
}
for (totalneg=i=neg=0; i<N; i++)
{
if ( values[i] < 0 )
{
commitptrs[numpos + neg] = commits[i];
blindptrs[numpos + neg] = &blinds[i];
totalneg -= values[i];
neg++;
}
}
if ( numpos+neg != N )
{
printf("numpos.%d + neg.%d != N.%d\n",numpos,neg,N);
return(-1);
}
blindsum = bitcoin_pederson_blindsum(ctx,blindptrs,N,numpos);
if ( bits256_nonz(blindsum) == 0 )
{
printf("error doing blindsum numpos.%d N.%d\n",numpos,N);
return(-2);
}
if ( bitcoin_pederson_tally(ctx,commitptrs,N,numpos,totalneg - totalpos) == 0 )
{
printf("error doing pederson tally\n");
return(-3);
} else printf("pederson tally matches\n");
return(0);
}
int32_t iguana_schnorr_test(void *ctx)
{
bits256 privnonces[100],privkeys[100],txhash2; uint8_t *sigs[100],allpub[100][33],sig64[100][64],allsig64[100][64],combined_pub[100][33],pubnonces[100][33],*pubptrs[100]; int32_t i,j,N,n,errs = 0;
iguana_pederson_test(ctx);
SECP_ENSURE_CTX
{
N = 100;
txhash2 = rand256(0);
for (i=0; i<N; i++)
{
privkeys[i] = bitcoin_randkey(ctx);
privnonces[i] = bitcoin_schnorr_noncepair(ctx,pubnonces[i],txhash2,privkeys[i]);
}
if ( i != N )
{
printf("error getting nonce pair\n");
exit(-1);
}
for (i=0; i<N; i++)
{
for (j=n=0; j<N; j++)
if ( j != i )
pubptrs[n++] = pubnonces[j];
if ( N > 1 )
{
if ( bitcoin_schnorr_partialsign(ctx,sig64[i],combined_pub[i],txhash2,privkeys[i],privnonces[i],pubptrs,N-1) < 0 )
errs++;
}
else
{
if ( bitcoin_schnorr_sign(ctx,sig64[0],txhash2,privkeys[0]) < 0 )
errs++;
}
}
if ( errs != 0 )
printf("partialsign errs.%d\n",errs);
for (i=0; i<N; i++)
{
sigs[i] = sig64[i];
continue;
8 years ago
//for (j=0; j<64; j++)
// printf("%02x",sig64[i][j]);
//printf(" sig[%d]\n",i);
9 years ago
}
for (i=0; i<N; i++)
{
if ( bitcoin_schnorr_combine(ctx,allsig64[i],allpub[i],sigs,N,txhash2) < 0 )
errs++;
else if ( memcmp(allpub[i],allpub[0],33) != 0 )
errs++;
else if ( memcmp(allsig64[i],allsig64[0],33) != 0 )
errs++;
}
if ( errs != 0 )
printf("combine errs.%d\n",errs);
if ( bitcoin_schnorr_verify(ctx,allsig64[0],txhash2,allpub[0],33) < 0 )
errs++;
printf("schnorr errs.%d\n",errs);
ENDSECP_ENSURE_CTX
}
return(errs);
}
/*
We start by reminding the reader how confidential transactions work. First, the
amounts are coded by the following equation:
C = r*G + v*H
where C is a Pedersen commitment, G and H are fixed nothing-up-my-sleeve elliptic
curve group generators, v is the amount, and r is a secret random blinding key.
Attached to this output is a rangeproof which proves that v is in [0, 2^64], so
that user cannot exploit the blinding to produce overflow attacks, etc.
To validate a transaction, the verifer will add commitments for all outputs, plus
f*H (f here is the transaction fee which is given explicitly) and subtracts all
input commitments. The result must be 0, which proves that no amount was created
or destroyed overall.
We note that to create such a transaction, the user must know the sum of all the
values of r for commitments entries. Therefore, the r-values (and their sums) act
as secret keys. If we can make the r output values known only to the recipient,
then we have an authentication system! Unfortunately, if we keep the rule that
commits all add to 0, this is impossible, because the sender knows the sum of
all _his_ r values, and therefore knows the receipient's r values sum to the
negative of that. So instead, we allow the transaction to sum to a nonzero value
k*G, and require a signature of an empty string with this as key, to prove its
amount component is zero.
We let transactions have as many k*G values as they want, each with a signature,
and sum them during verification.
To create transactions sender and recipient do following ritual:
1. Sender and recipient agree on amount to be sent. Call this b.
2. Sender creates transaction with all inputs and change output(s), and gives
recipient the total blinding factor (r-value of change minus r-values of
inputs) along with this transaction. So the commitments sum to r*G - b*H.
3. Recipient chooses random r-values for his outputs, and values that sum
to b minus fee, and adds these to transaction (including range proof).
Now the commitments sum to k*G - fee*H for some k that only recipient
knows.
4. Recipient attaches signature with k to the transaction, and the explicit
fee. It has done.
*/
void test_mimblewimble(void *ctx)
{
uint8_t commits[100][33],*commitptrs[100]; int64_t inputs[8],inputsum,amount,change,txfee,totalpos,totalneg; bits256 nonces[100],blinds[100],*blindptrs[100],blindsum; int32_t i,r,numinputs;
OS_randombytes((void *)&r,sizeof(r));
srand(r);
inputs[0] = 100000000;
numinputs = 1;
inputsum = 0;
for (i=0; i<numinputs; i++)
inputsum += inputs[i];
txfee = 10000;
amount = 100000000 / 10;
change = inputsum - txfee - amount;
totalpos = change;
totalneg = inputsum;
for (i=0; i<numinputs+2; i++)
{
nonces[i] = rand256(0);
blinds[i] = rand256(0);
commitptrs[i] = commits[i];
blindptrs[i] = &blinds[i];
}
if ( bitcoin_pederson_commit(ctx,commits[0],blinds[0],change) < 0 )
{
printf("error getting change commit\n");
return;
}
for (i=1; i<=numinputs; i++)
{
if ( bitcoin_pederson_commit(ctx,commits[i],blinds[i],-inputs[i]) < 0 )
{
printf("error getting input.(%d) commit\n",i);
return;
}
}
blindsum = bitcoin_pederson_blindsum(ctx,blindptrs,numinputs+1,1);
if ( bits256_nonz(blindsum) == 0 )
{
printf("error doing blindsum\n");
return;
}
if ( bitcoin_pederson_tally(ctx,commitptrs,numinputs+1,1,totalneg - totalpos) == 0 )
{
printf("error doing pederson tally\n");
return;
} else printf("pederson tally matches\n");
getchar();
}