/****************************************************************************** * Copyright © 2014-2018 The SuperNET Developers. * * * * See the AUTHORS, DEVELOPER-AGREEMENT and LICENSE files at * * the top-level directory of this distribution for the individual copyright * * holder information and the developer policies on copyright and licensing. * * * * Unless otherwise agreed in a custom licensing agreement, no part of the * * SuperNET software, including this file may be copied, modified, propagated * * or distributed except according to the terms contained in the LICENSE file * * * * Removal or modification of this copyright notice is prohibited. * * * ******************************************************************************/ #include #include #include #include #include "../includes/curve25519.h" #include "secp256k1/include/secp256k1.h" #include "secp256k1/include/secp256k1_ecdh.h" #include "secp256k1/include/secp256k1_schnorr.h" #include "secp256k1/include/secp256k1_rangeproof.h" #include "secp256k1/include/secp256k1_recovery.h" SECP256K1_API extern const secp256k1_nonce_function secp256k1_nonce_function_rfc6979; #define bits256_nonz(a) (((a).ulongs[0] | (a).ulongs[1] | (a).ulongs[2] | (a).ulongs[3]) != 0) #define SECP_ENSURE_CTX int32_t flag = 0; if ( ctx == 0 ) { ctx = secp256k1_context_create(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY); secp256k1_pedersen_context_initialize(ctx); secp256k1_rangeproof_context_initialize(ctx); flag++; } else flag = 0; if ( ctx != 0 ) #define ENDSECP_ENSURE_CTX if ( flag != 0 ) secp256k1_context_destroy(ctx); int32_t bitcoin_pubkeylen(const uint8_t *pubkey) { if ( pubkey[0] == 2 || pubkey[0] == 3 ) return(33); else if ( pubkey[0] == 4 ) return(65); else { //printf("illegal pubkey.[%02x] %llx\n",pubkey[0],*(long long *)pubkey); return(-1); } } bits256 bitcoin_randkey(secp256k1_context *ctx) { int32_t i; bits256 privkey; SECP_ENSURE_CTX { for (i=0; i<100; i++) { privkey = rand256(0); if ( secp256k1_ec_seckey_verify(ctx,privkey.bytes) != 0 ) { ENDSECP_ENSURE_CTX return(privkey); } } ENDSECP_ENSURE_CTX } fprintf(stderr,"couldnt generate valid bitcoin privkey. something is REALLY wrong. exiting\n"); exit(-1); } bits256 bitcoin_pubkey33(secp256k1_context *ctx,uint8_t *data,bits256 privkey) { size_t plen; bits256 pubkey; secp256k1_pubkey secppub; memset(pubkey.bytes,0,sizeof(pubkey)); SECP_ENSURE_CTX { if ( secp256k1_ec_seckey_verify(ctx,privkey.bytes) == 0 ) { //printf("bitcoin_sign illegal privkey\n"); return(pubkey); } if ( secp256k1_ec_pubkey_create(ctx,&secppub,privkey.bytes) != 0 ) { plen = 33; secp256k1_ec_pubkey_serialize(ctx,data,&plen,&secppub,SECP256K1_EC_COMPRESSED); if ( plen == 33 ) memcpy(pubkey.bytes,data+1,sizeof(pubkey)); } ENDSECP_ENSURE_CTX } return(pubkey); } bits256 bitcoin_pub256(void *ctx,bits256 *privkeyp,uint8_t odd_even) { bits256 pub256; uint8_t pubkey[33]; int32_t i; for (i=0; i<100; i++) { *privkeyp = rand256(0); pub256 = bitcoin_pubkey33(ctx,pubkey,*privkeyp); if ( pubkey[0] == odd_even+2 ) return(pub256); } printf("bitcoin_pub256 couldnt generate pubkey.%d\n",odd_even+2); memset(pub256.bytes,0,sizeof(pub256)); return(pub256); } int32_t bitcoin_sign(void *ctx,char *symbol,uint8_t *sig,bits256 txhash2,bits256 privkey,int32_t recoverflag) { int32_t fCompressed = 1; secp256k1_ecdsa_signature SIG; secp256k1_ecdsa_recoverable_signature rSIG; bits256 extra_entropy,seed; int32_t recid,retval = -1; size_t siglen = 72; secp256k1_pubkey SECPUB,CHECKPUB; seed = rand256(0); extra_entropy = rand256(0); SECP_ENSURE_CTX { if ( secp256k1_ec_seckey_verify(ctx,privkey.bytes) == 0 ) { //printf("bitcoin_sign illegal privkey\n"); return(-1); } if ( secp256k1_context_randomize(ctx,seed.bytes) != 0 ) { if ( recoverflag != 0 ) { if ( secp256k1_ecdsa_sign_recoverable(ctx,&rSIG,txhash2.bytes,privkey.bytes,secp256k1_nonce_function_rfc6979,extra_entropy.bytes) != 0 ) { recid = -1; secp256k1_ecdsa_recoverable_signature_serialize_compact(ctx,sig+1,&recid,&rSIG); if ( secp256k1_ecdsa_recover(ctx,&SECPUB,&rSIG,txhash2.bytes) != 0 ) { if ( secp256k1_ec_pubkey_create(ctx,&CHECKPUB,privkey.bytes) != 0 ) { if ( memcmp(&SECPUB,&CHECKPUB,sizeof(SECPUB)) == 0 ) { sig[0] = 27 + recid + (fCompressed != 0 ? 4 : 0); retval = 64 + 1; //size_t i,plen = 33; uint8_t pubkey[33]; //secp256k1_ec_pubkey_serialize(ctx,pubkey,&plen,&CHECKPUB,SECP256K1_EC_COMPRESSED); //for (i=0; i<33; i++) // printf("%02x",pubkey[i]); //printf(" bitcoin_sign's pubkey\n"); } //else printf("secpub mismatch\n"); } else printf("pubkey create error\n"); } //else printf("recover error\n"); } else printf("secp256k1_ecdsa_sign_recoverable error\n"); } else { if ( secp256k1_ecdsa_sign(ctx,&SIG,txhash2.bytes,privkey.bytes,secp256k1_nonce_function_rfc6979,extra_entropy.bytes) != 0 ) { if ( secp256k1_ecdsa_signature_serialize_der(ctx,sig,&siglen,&SIG) != 0 ) retval = (int32_t)siglen; } } } ENDSECP_ENSURE_CTX } return(retval); } int32_t bitcoin_recoververify(void *ctx,char *symbol,uint8_t *sig,bits256 messagehash2,uint8_t *pubkey,size_t plen) { int32_t retval = -1; secp256k1_pubkey PUB; secp256k1_ecdsa_signature SIG; secp256k1_ecdsa_recoverable_signature rSIG; pubkey[0] = 0; SECP_ENSURE_CTX { if ( plen == 0 ) { plen = (sig[0] <= 31) ? 65 : 33; sig++; } secp256k1_ecdsa_recoverable_signature_parse_compact(ctx,&rSIG,sig,0); secp256k1_ecdsa_recoverable_signature_convert(ctx,&SIG,&rSIG); if ( secp256k1_ecdsa_recover(ctx,&PUB,&rSIG,messagehash2.bytes) != 0 ) { plen = 33; memset(pubkey,0,33); secp256k1_ec_pubkey_serialize(ctx,pubkey,&plen,&PUB,SECP256K1_EC_COMPRESSED);//plen == 65 ? SECP256K1_EC_UNCOMPRESSED : SECP256K1_EC_COMPRESSED); if ( secp256k1_ecdsa_verify(ctx,&SIG,messagehash2.bytes,&PUB) != 0 ) { retval = 0; /*if ( pubkey[0] == 4 ) // experimentally looks like 04 is set pubkey[0] = 2; else if ( pubkey[0] != 2 ) pubkey[0] = 3;*/ } else printf("secp256k1_ecdsa_verify error\n"); } else printf("secp256k1_ecdsa_recover error\n"); ENDSECP_ENSURE_CTX } return(retval); } int32_t bitcoin_verify(void *ctx,uint8_t *sig,int32_t siglen,bits256 txhash2,uint8_t *pubkey,int32_t plen) { int32_t retval = -1; secp256k1_pubkey PUB; secp256k1_ecdsa_signature SIG; SECP_ENSURE_CTX { if ( secp256k1_ec_pubkey_parse(ctx,&PUB,pubkey,plen) != 0 ) { secp256k1_ecdsa_signature_parse_der(ctx,&SIG,sig,siglen); if ( secp256k1_ecdsa_verify(ctx,&SIG,txhash2.bytes,&PUB) != 0 ) retval = 0; } ENDSECP_ENSURE_CTX } return(retval); } bits256 bitcoin_sharedsecret(void *ctx,bits256 privkey,uint8_t *pubkey,int32_t plen) { int32_t retval = -1; bits256 shared; secp256k1_pubkey PUB; memset(shared.bytes,0,sizeof(shared)); SECP_ENSURE_CTX { if ( secp256k1_ec_pubkey_parse(ctx,&PUB,pubkey,plen) != 0 ) { if ( secp256k1_ecdh(ctx,shared.bytes,&PUB,privkey.bytes) != 0 ) retval = 0; else memset(shared.bytes,0,sizeof(shared)); } ENDSECP_ENSURE_CTX } return(shared); } int32_t bitcoin_schnorr_sign(void *ctx,uint8_t *sig64,bits256 txhash2,bits256 privkey) { int32_t retval = -1; bits256 seed; SECP_ENSURE_CTX { seed = rand256(0); if ( secp256k1_schnorr_sign(ctx,sig64,txhash2.bytes,privkey.bytes,secp256k1_nonce_function_rfc6979,seed.bytes) != 0 ) retval = 0; ENDSECP_ENSURE_CTX } return(retval); } int32_t bitcoin_schnorr_verify(void *ctx,uint8_t *sig64,bits256 txhash2,uint8_t *pubkey,int32_t plen) { int32_t retval = -1; secp256k1_pubkey PUB; SECP_ENSURE_CTX { if ( secp256k1_ec_pubkey_parse(ctx,&PUB,pubkey,plen) != 0 ) { if ( secp256k1_schnorr_verify(ctx,sig64,txhash2.bytes,&PUB) != 0 ) retval = 0; } ENDSECP_ENSURE_CTX } return(retval); } int32_t bitcoin_schnorr_recover(void *ctx,uint8_t *pubkey,uint8_t *sig64,bits256 txhash2) { int32_t retval = -1; secp256k1_pubkey PUB; size_t plen; SECP_ENSURE_CTX { if ( secp256k1_schnorr_recover(ctx,&PUB,sig64,txhash2.bytes) != 0 ) { plen = 33; secp256k1_ec_pubkey_serialize(ctx,pubkey,&plen,&PUB,SECP256K1_EC_COMPRESSED); retval = 0; } ENDSECP_ENSURE_CTX } return(retval); } bits256 bitcoin_schnorr_noncepair(void *ctx,uint8_t *pubnonce,bits256 txhash2,bits256 privkey) //exchange { int32_t retval = -1; size_t plen; secp256k1_pubkey PUB; bits256 privnonce,seed; memset(privnonce.bytes,0,sizeof(privnonce)); pubnonce[0] = 0; SECP_ENSURE_CTX { seed = rand256(0); if ( secp256k1_schnorr_generate_nonce_pair(ctx,&PUB,privnonce.bytes,txhash2.bytes,privkey.bytes,secp256k1_nonce_function_rfc6979,seed.bytes) != 0 ) { plen = 33; secp256k1_ec_pubkey_serialize(ctx,pubnonce,&plen,&PUB,SECP256K1_EC_COMPRESSED); retval = 0; } ENDSECP_ENSURE_CTX } return(privnonce); } int32_t bitcoin_pubkey_combine(void *ctx,uint8_t *combined_pub,uint8_t *skipkey,bits256 *evenkeys,int32_t n,bits256 *oddkeys,int32_t m) { int32_t i,num,iter,max,retval = -1; uint8_t pubkey[33]; size_t plen; secp256k1_pubkey PUBall,*PUBptrs[256],PUBkeys[256]; SECP_ENSURE_CTX { if ( n+m > 0 && n+m < sizeof(PUBptrs)/sizeof(*PUBptrs) ) { for (iter=num=0; iter<2; iter++) { if ( (max= (iter == 0) ? n : m) != 0 ) { for (i=0; i 0 && secp256k1_ec_pubkey_combine(ctx,&PUBall,(void *)PUBptrs,n) != 0 ) { plen = 33; if ( secp256k1_schnorr_partial_sign(ctx,sig64,txhash2.bytes,privkey.bytes,&PUBall,privnonce.bytes) != 0 ) { secp256k1_ec_pubkey_serialize(ctx,combined_pub,&plen,&PUBall,SECP256K1_EC_COMPRESSED); retval = 0; } } free(PUBptrs); ENDSECP_ENSURE_CTX } return(retval); } int32_t bitcoin_schnorr_combine(void *ctx,uint8_t *sig64,uint8_t *allpub,uint8_t **sigs,int32_t n,bits256 txhash2) { int32_t rc,retval = -1; SECP_ENSURE_CTX { if ( (rc= secp256k1_schnorr_partial_combine(ctx,sig64,(void *)sigs,n)) != 0 ) { if ( bitcoin_schnorr_recover(ctx,allpub,sig64,txhash2) == 0 ) { if ( bitcoin_schnorr_verify(ctx,sig64,txhash2,allpub,33) == 0 ) retval = 0; } } ENDSECP_ENSURE_CTX } return(retval); } int32_t bitcoin_pederson_commit(void *ctx,uint8_t *commit,bits256 blind,uint64_t value) { int32_t retval = -1; SECP_ENSURE_CTX { if ( secp256k1_pedersen_commit(ctx,commit,blind.bytes,value) != 0 ) retval = 0; ENDSECP_ENSURE_CTX } return(retval); } bits256 bitcoin_pederson_blindsum(void *ctx,bits256 **blindptrs,int32_t n,int32_t numpos) { bits256 blind_out; memset(blind_out.bytes,0,sizeof(blind_out)); SECP_ENSURE_CTX { if ( secp256k1_pedersen_blind_sum(ctx,blind_out.bytes,(void *)blindptrs,n,numpos) == 0 ) memset(blind_out.bytes,0,sizeof(blind_out)); ENDSECP_ENSURE_CTX } return(blind_out); } int32_t bitcoin_pederson_tally(void *ctx,uint8_t **commits,int32_t n,int32_t numpos,int64_t excess) { int32_t retval = -1; SECP_ENSURE_CTX { printf("bitcoin_pederson_tally: n.%d numpos.%d excess %lld\n",n,numpos,(long long)excess); if ( secp256k1_pedersen_verify_tally(ctx,(void *)commits,numpos,(void *)&commits[numpos],n - numpos,excess) != 0 ) retval = 0; ENDSECP_ENSURE_CTX } return(retval); } int32_t bitcoin_rangeproof_message(void *ctx,uint8_t *blind_out,uint8_t *message,uint64_t *valuep,bits256 nonce,uint64_t *min_valuep,uint64_t *max_valuep,uint8_t *commit,uint8_t *proof,int32_t prooflen) { int32_t outlen = 0,retval = -1; SECP_ENSURE_CTX { if ( secp256k1_rangeproof_rewind(ctx,blind_out,valuep,message,&outlen,nonce.bytes,min_valuep,max_valuep,commit,proof,prooflen) != 0 ) retval = outlen; ENDSECP_ENSURE_CTX } return(retval); } uint64_t bitcoin_rangeverify(void *ctx,int32_t *exponentp,int32_t *mantissap,uint64_t *min_valuep,uint8_t *commit,uint8_t *proof,int32_t prooflen) { uint64_t max_value,retval = 0; max_value = *min_valuep = *exponentp = *mantissap = 0; if ( secp256k1_rangeproof_info(ctx,exponentp,mantissap,min_valuep,&max_value,proof,prooflen) != 0 ) { if ( commit != 0 ) { if ( secp256k1_rangeproof_verify(ctx,min_valuep,&max_value,commit,proof,prooflen) != 0 ) retval = max_value; } else retval = max_value; } return(retval); } int32_t bitcoin_rangeproof(void *ctx,uint8_t *proof,uint8_t *commit,bits256 blind,bits256 nonce,uint64_t value,uint64_t min_value,int32_t exponent,int32_t min_bits) { int32_t prooflen=0 ,retval = -1; SECP_ENSURE_CTX { if ( secp256k1_rangeproof_sign(ctx,proof,&prooflen,min_value,commit,blind.bytes,nonce.bytes,exponent,min_bits,value) != 0 ) retval = prooflen; ENDSECP_ENSURE_CTX } return(retval); } int32_t iguana_pederson_test(void *ctx) { uint8_t commits[100][33],*commitptrs[100],proofs[100][5138]; uint16_t vouts[100]; int64_t min_value,values[100],totalpos,totalneg; bits256 txids[100],nonces[100],blinds[100],*blindptrs[100],blindsum; int32_t prooflens[100],i,r,pos,neg,numpos,exponent,min_bits,n,N = 100; srand(100); for (i=numpos=n=0; i 0 ) { commitptrs[pos] = commits[i]; blindptrs[pos] = &blinds[i]; totalpos += values[i]; pos++; } } if ( pos != numpos ) { printf("pos.%d != numpos.%d\n",pos,numpos); return(-1); } for (totalneg=i=neg=0; i 1 ) { if ( bitcoin_schnorr_partialsign(ctx,sig64[i],combined_pub[i],txhash2,privkeys[i],privnonces[i],pubptrs,N-1) < 0 ) errs++; } else { if ( bitcoin_schnorr_sign(ctx,sig64[0],txhash2,privkeys[0]) < 0 ) errs++; } } if ( errs != 0 ) printf("partialsign errs.%d\n",errs); for (i=0; i