Qortal/pirate-librustzcash
3
0
Fork 0
mirror of https://github.com/Qortal/pirate-librustzcash.git synced 2025-02-23 22:15:52 +00:00
Code Issues Projects Releases Wiki Activity
pirate-librustzcash/src/rustzcash.rs

1014 lines
29 KiB
Rust
Raw Normal View History

Apply rustfmt
2018-04-17 14:22:35 -06:00
extern crate bellman;
Implement Equihash validator Follows Zcash implementation as closely as possible.
2017-12-30 23:36:23 +01:00
extern crate blake2_rfc;
Implementation of Sprout proving and verifying
2018-05-08 16:58:43 -06:00
extern crate byteorder;
Initial commit.
2017-03-17 11:07:23 -06:00
extern crate libc;
Expose API for init/free of parameters and, to test, a merkle tree hash invocation.
2018-04-11 21:51:30 -06:00
extern crate pairing;
Implementation of Sprout proving and verifying
2018-05-08 16:58:43 -06:00
extern crate rand;
Apply rustfmt
2018-04-17 14:22:35 -06:00
extern crate sapling_crypto;
Add sapling-crypto to dependencies
2018-04-09 18:28:42 -06:00
Use lazy_static to initialize the Jubjub parameters, to avoid passing parameters around.
2018-04-12 18:38:25 -06:00
#[macro_use]
extern crate lazy_static;
Implementation of Sapling transaction verification.
2018-05-07 19:22:07 -06:00
use pairing::{BitIterator, Field, PrimeField, PrimeFieldRepr, bls12_381::{Bls12, Fr, FrRepr}};
Expose API for init/free of parameters and, to test, a merkle tree hash invocation.
2018-04-11 21:51:30 -06:00
Add crh_ivk
2018-05-14 21:23:21 -07:00
use sapling_crypto::{circuit::multipack, constants::CRH_IVK_PERSONALIZATION,
Add to_scalar call
2018-05-09 06:51:19 -07:00
jubjub::{edwards, FixedGenerators, JubjubBls12, JubjubEngine, JubjubParams,
Add ffi and computation for Sapling note commitment.
2018-05-21 14:46:31 -07:00
PrimeOrder, ToUniform, Unknown, fs::{Fs, FsRepr}},
Switch to little endian encoding for everything.
2018-05-17 01:22:15 -06:00
pedersen_hash::{pedersen_hash, Personalization}, redjubjub::{self, Signature}};
Support loading zk-SNARK parameters
2018-04-17 14:16:14 -06:00
Implementation of Sprout proving and verifying
2018-05-08 16:58:43 -06:00
use sapling_crypto::circuit::sprout::{self, TREE_DEPTH as SPROUT_TREE_DEPTH};
use bellman::groth16::{create_random_proof, prepare_verifying_key, verify_proof, Parameters,
PreparedVerifyingKey, Proof, VerifyingKey};
Add crh_ivk
2018-05-14 21:23:21 -07:00
use blake2_rfc::blake2s::Blake2s;
Implementation of Sprout proving and verifying
2018-05-08 16:58:43 -06:00
use byteorder::{LittleEndian, ReadBytesExt, WriteBytesExt};
Add ffi and computation for Sapling note commitment.
2018-05-21 14:46:31 -07:00
use rand::{OsRng, Rng};
Add test vectors for Sapling generators
2018-05-18 19:59:23 +12:00
use std::io::BufReader;
Apply rustfmt
2018-04-17 14:22:35 -06:00
Implement Equihash validator Follows Zcash implementation as closely as possible.
2017-12-30 23:36:23 +01:00
use libc::{c_char, c_uchar, size_t, int64_t, uint32_t, uint64_t};
Support loading zk-SNARK parameters
2018-04-17 14:16:14 -06:00
use std::ffi::CStr;
use std::fs::File;
Implement Equihash validator Follows Zcash implementation as closely as possible.
2017-12-30 23:36:23 +01:00
use std::slice;
Add function librustzcash_sapling_compute_nf. Also add function priv_get_note to refactor common code from librustzcash_sapling_compute_cm.
2018-06-07 10:36:52 -07:00
use sapling_crypto::primitives::ViewingKey;
Implement Equihash validator Follows Zcash implementation as closely as possible.
2017-12-30 23:36:23 +01:00
pub mod equihash;
Expose API for init/free of parameters and, to test, a merkle tree hash invocation.
2018-04-11 21:51:30 -06:00
Add test vectors for Sapling generators
2018-05-18 19:59:23 +12:00
#[cfg(test)]
mod tests;
Use lazy_static to initialize the Jubjub parameters, to avoid passing parameters around.
2018-04-12 18:38:25 -06:00
lazy_static! {
Apply rustfmt
2018-04-17 14:22:35 -06:00
static ref JUBJUB: JubjubBls12 = { JubjubBls12::new() };
Expose API for init/free of parameters and, to test, a merkle tree hash invocation.
2018-04-11 21:51:30 -06:00
}
Support loading zk-SNARK parameters
2018-04-17 14:16:14 -06:00
static mut SAPLING_SPEND_VK: Option<PreparedVerifyingKey<Bls12>> = None;
static mut SAPLING_OUTPUT_VK: Option<PreparedVerifyingKey<Bls12>> = None;
static mut SPROUT_GROTH16_VK: Option<PreparedVerifyingKey<Bls12>> = None;
static mut SAPLING_SPEND_PARAMS: Option<Parameters<Bls12>> = None;
static mut SAPLING_OUTPUT_PARAMS: Option<Parameters<Bls12>> = None;
static mut SPROUT_GROTH16_PARAMS_PATH: Option<String> = None;
Switch to little endian encoding for everything.
2018-05-17 01:22:15 -06:00
fn is_small_order<Order>(p: &edwards::Point<Bls12, Order>) -> bool {
Check epk/rk/cv are not small order.
2018-05-14 16:23:34 -06:00
p.double(&JUBJUB).double(&JUBJUB).double(&JUBJUB) == edwards::Point::zero()
}
Use little endian encoding for Pedersen hash digest output.
2018-05-07 18:06:53 -06:00
/// Writes an FrRepr to [u8] of length 32
Switch to little endian encoding for everything.
2018-05-17 01:22:15 -06:00
fn write_le(f: FrRepr, to: &mut [u8]) {
Use little endian encoding for Pedersen hash digest output.
2018-05-07 18:06:53 -06:00
assert_eq!(to.len(), 32);
Switch to little endian encoding for everything.
2018-05-17 01:22:15 -06:00
f.write_le(to).expect("length is 32 bytes");
Use little endian encoding for Pedersen hash digest output.
2018-05-07 18:06:53 -06:00
}
/// Reads an FrRepr from a [u8] of length 32.
/// This will panic (abort) if length provided is
/// not correct.
Implementation of Sapling transaction verification.
2018-05-07 19:22:07 -06:00
fn read_le(from: &[u8]) -> FrRepr {
Use little endian encoding for Pedersen hash digest output.
2018-05-07 18:06:53 -06:00
assert_eq!(from.len(), 32);
let mut f = FrRepr::default();
Switch to little endian encoding for everything.
2018-05-17 01:22:15 -06:00
f.read_le(from).expect("length is 32 bytes");
Use little endian encoding for Pedersen hash digest output.
2018-05-07 18:06:53 -06:00
f
}
Add ask_to_ak and nsk_to_nk
2018-05-14 20:40:35 -07:00
/// Reads an FsRepr from [u8] of length 32
/// This will panic (abort) if length provided is
/// not correct
Add check_diversifier and ivk_to_pkd
2018-05-14 22:34:27 -07:00
fn read_fs(from: &[u8]) -> FsRepr {
Add ask_to_ak and nsk_to_nk
2018-05-14 20:40:35 -07:00
assert_eq!(from.len(), 32);
let mut f = <<Bls12 as JubjubEngine>::Fs as PrimeField>::Repr::default();
f.read_le(from).expect("length is 32 bytes");
Add check_diversifier and ivk_to_pkd
2018-05-14 22:34:27 -07:00
f
}
/// Reads an FsRepr from [u8] of length 32
/// and multiplies it by the given base.
/// This will panic (abort) if length provided is
/// not correct
fn fixed_scalar_mult(from: &[u8], p_g: FixedGenerators) -> edwards::Point<Bls12, PrimeOrder> {
let f = read_fs(from);
Add ask_to_ak and nsk_to_nk
2018-05-14 20:40:35 -07:00
JUBJUB.generator(p_g).mul(f, &JUBJUB)
}
Support loading zk-SNARK parameters
2018-04-17 14:16:14 -06:00
#[no_mangle]
pub extern "system" fn librustzcash_init_zksnark_params(
spend_path: *const c_char,
output_path: *const c_char,
Apply rustfmt
2018-04-17 14:22:35 -06:00
sprout_path: *const c_char,
) {
Initialize Jubjub parameters up front
2018-04-21 17:46:08 -06:00
// Initialize jubjub parameters here
lazy_static::initialize(&JUBJUB);
Support loading zk-SNARK parameters
2018-04-17 14:16:14 -06:00
// These should be valid CStr's, but the decoding may fail on Windows
// so we may need to use OSStr or something.
Apply rustfmt
2018-04-17 14:22:35 -06:00
let spend_path = unsafe { CStr::from_ptr(spend_path) }
.to_str()
.expect("parameter path encoding error")
.to_string();
let output_path = unsafe { CStr::from_ptr(output_path) }
.to_str()
.expect("parameter path encoding error")
.to_string();
let sprout_path = unsafe { CStr::from_ptr(sprout_path) }
.to_str()
.expect("parameter path encoding error")
.to_string();
Support loading zk-SNARK parameters
2018-04-17 14:16:14 -06:00
// Load from each of the paths
let mut spend_fs = File::open(spend_path).expect("couldn't load Sapling spend parameters file");
Apply rustfmt
2018-04-17 14:22:35 -06:00
let mut output_fs =
File::open(output_path).expect("couldn't load Sapling output parameters file");
let mut sprout_fs =
File::open(&sprout_path).expect("couldn't load Sprout groth16 parameters file");
Support loading zk-SNARK parameters
2018-04-17 14:16:14 -06:00
// Deserialize params
Apply rustfmt
2018-04-17 14:22:35 -06:00
let spend_params = Parameters::<Bls12>::read(&mut spend_fs, false)
.expect("couldn't deserialize Sapling spend parameters file");
let output_params = Parameters::<Bls12>::read(&mut output_fs, false)
.expect("couldn't deserialize Sapling spend parameters file");
let sprout_vk = VerifyingKey::<Bls12>::read(&mut sprout_fs)
.expect("couldn't deserialize Sprout Groth16 verifying key");
Support loading zk-SNARK parameters
2018-04-17 14:16:14 -06:00
// Prepare verifying keys
let spend_vk = prepare_verifying_key(&spend_params.vk);
let output_vk = prepare_verifying_key(&output_params.vk);
let sprout_vk = prepare_verifying_key(&sprout_vk);
// Caller is responsible for calling this function once, so
// these global mutations are safe.
unsafe {
SAPLING_SPEND_PARAMS = Some(spend_params);
SAPLING_OUTPUT_PARAMS = Some(output_params);
SPROUT_GROTH16_PARAMS_PATH = Some(sprout_path);
SAPLING_SPEND_VK = Some(spend_vk);
SAPLING_OUTPUT_VK = Some(output_vk);
SPROUT_GROTH16_VK = Some(sprout_vk);
}
}
Expose API for init/free of parameters and, to test, a merkle tree hash invocation.
2018-04-11 21:51:30 -06:00
#[no_mangle]
Apply rustfmt
2018-04-17 14:22:35 -06:00
pub extern "system" fn librustzcash_tree_uncommitted(result: *mut [c_uchar; 32]) {
Use lazy_static to initialize the Jubjub parameters, to avoid passing parameters around.
2018-04-12 18:38:25 -06:00
let tmp = sapling_crypto::primitives::Note::<Bls12>::uncommitted().into_repr();
Expose API for init/free of parameters and, to test, a merkle tree hash invocation.
2018-04-11 21:51:30 -06:00
Use lazy_static to initialize the Jubjub parameters, to avoid passing parameters around.
2018-04-12 18:38:25 -06:00
// Should be okay, caller is responsible for ensuring the pointer
// is a valid pointer to 32 bytes that can be mutated.
let result = unsafe { &mut *result };
Use little endian encoding for Pedersen hash digest output.
2018-05-07 18:06:53 -06:00
write_le(tmp, &mut result[..]);
Expose API for init/free of parameters and, to test, a merkle tree hash invocation.
2018-04-11 21:51:30 -06:00
}
#[no_mangle]
pub extern "system" fn librustzcash_merkle_hash(
depth: size_t,
a: *const [c_uchar; 32],
b: *const [c_uchar; 32],
result: *mut [c_uchar; 32],
Apply rustfmt
2018-04-17 14:22:35 -06:00
) {
Expose API for init/free of parameters and, to test, a merkle tree hash invocation.
2018-04-11 21:51:30 -06:00
// Should be okay, because caller is responsible for ensuring
// the pointer is a valid pointer to 32 bytes, and that is the
// size of the representation
Use little endian encoding for Pedersen hash digest output.
2018-05-07 18:06:53 -06:00
let a_repr = read_le(unsafe { &(&*a)[..] });
Expose API for init/free of parameters and, to test, a merkle tree hash invocation.
2018-04-11 21:51:30 -06:00
// Should be okay, because caller is responsible for ensuring
// the pointer is a valid pointer to 32 bytes, and that is the
// size of the representation
Use little endian encoding for Pedersen hash digest output.
2018-05-07 18:06:53 -06:00
let b_repr = read_le(unsafe { &(&*b)[..] });
Expose API for init/free of parameters and, to test, a merkle tree hash invocation.
2018-04-11 21:51:30 -06:00
let mut lhs = [false; 256];
let mut rhs = [false; 256];
for (a, b) in lhs.iter_mut().rev().zip(BitIterator::new(a_repr)) {
*a = b;
}
for (a, b) in rhs.iter_mut().rev().zip(BitIterator::new(b_repr)) {
*a = b;
}
Apply rustfmt
2018-04-17 14:22:35 -06:00
Expose API for init/free of parameters and, to test, a merkle tree hash invocation.
2018-04-11 21:51:30 -06:00
let tmp = pedersen_hash::<Bls12, _>(
Personalization::MerkleTree(depth),
Apply rustfmt
2018-04-17 14:22:35 -06:00
lhs.iter()
.map(|&x| x)
Expose API for init/free of parameters and, to test, a merkle tree hash invocation.
2018-04-11 21:51:30 -06:00
.take(Fr::NUM_BITS as usize)
.chain(rhs.iter().map(|&x| x).take(Fr::NUM_BITS as usize)),
Apply rustfmt
2018-04-17 14:22:35 -06:00
&JUBJUB,
).into_xy()
.0
.into_repr();
Expose API for init/free of parameters and, to test, a merkle tree hash invocation.
2018-04-11 21:51:30 -06:00
// Should be okay, caller is responsible for ensuring the pointer
Fix typos
2018-04-12 15:01:48 -06:00
// is a valid pointer to 32 bytes that can be mutated.
Expose API for init/free of parameters and, to test, a merkle tree hash invocation.
2018-04-11 21:51:30 -06:00
let result = unsafe { &mut *result };
Use little endian encoding for Pedersen hash digest output.
2018-05-07 18:06:53 -06:00
write_le(tmp, &mut result[..]);
Expose API for init/free of parameters and, to test, a merkle tree hash invocation.
2018-04-11 21:51:30 -06:00
}
Initial commit.
2017-03-17 11:07:23 -06:00
Add to_scalar call
2018-05-09 06:51:19 -07:00
#[no_mangle] // ToScalar
pub extern "system" fn librustzcash_to_scalar(
input: *const [c_uchar; 64],
result: *mut [c_uchar; 32],
) {
// Should be okay, because caller is responsible for ensuring
// the pointer is a valid pointer to 32 bytes, and that is the
// size of the representation
let scalar = <Bls12 as JubjubEngine>::Fs::to_uniform(unsafe { &(&*input)[..] }).into_repr();
let result = unsafe { &mut *result };
scalar
.write_le(&mut result[..])
.expect("length is 32 bytes");
}
Add ask_to_ak and nsk_to_nk
2018-05-14 20:40:35 -07:00
#[no_mangle]
pub extern "system" fn librustzcash_ask_to_ak(
ask: *const [c_uchar; 32],
result: *mut [c_uchar; 32],
) {
let ask = unsafe { &*ask };
let ak = fixed_scalar_mult(ask, FixedGenerators::SpendingKeyGenerator);
let result = unsafe { &mut *result };
ak.write(&mut result[..]).expect("length is 32 bytes");
}
#[no_mangle]
pub extern "system" fn librustzcash_nsk_to_nk(
nsk: *const [c_uchar; 32],
result: *mut [c_uchar; 32],
) {
let nsk = unsafe { &*nsk };
let nk = fixed_scalar_mult(nsk, FixedGenerators::ProofGenerationKey);
let result = unsafe { &mut *result };
nk.write(&mut result[..]).expect("length is 32 bytes");
}
Add crh_ivk
2018-05-14 21:23:21 -07:00
#[no_mangle]
pub extern "system" fn librustzcash_crh_ivk(
ak: *const [c_uchar; 32],
nk: *const [c_uchar; 32],
result: *mut [c_uchar; 32],
) {
let ak = unsafe { &*ak };
let nk = unsafe { &*nk };
let mut h = Blake2s::with_params(32, &[], &[], CRH_IVK_PERSONALIZATION);
h.update(ak);
h.update(nk);
let mut h = h.finalize().as_ref().to_vec();
// Drop the last five bits, so it can be interpreted as a scalar.
h[31] &= 0b0000_0111;
let result = unsafe { &mut *result };
result.copy_from_slice(&h);
}
Add check_diversifier and ivk_to_pkd
2018-05-14 22:34:27 -07:00
#[no_mangle]
pub extern "system" fn librustzcash_check_diversifier(diversifier: *const [c_uchar; 11]) -> bool {
let diversifier = sapling_crypto::primitives::Diversifier(unsafe { *diversifier });
diversifier.g_d::<Bls12>(&JUBJUB).is_some()
}
#[no_mangle]
pub extern "system" fn librustzcash_ivk_to_pkd(
ivk: *const [c_uchar; 32],
diversifier: *const [c_uchar; 11],
result: *mut [c_uchar; 32],
) -> bool {
let ivk = read_fs(unsafe { &*ivk });
let diversifier = sapling_crypto::primitives::Diversifier(unsafe { *diversifier });
if let Some(g_d) = diversifier.g_d::<Bls12>(&JUBJUB) {
let pk_d = g_d.mul(ivk, &JUBJUB);
let result = unsafe { &mut *result };
pk_d.write(&mut result[..]).expect("length is 32 bytes");
true
} else {
false
}
}
Add test for generating commitment randomness.
2018-06-01 12:20:22 -07:00
/// Test generation of commitment randomness
#[test]
fn test_gen_r() {
let mut r1 = [0u8; 32];
let mut r2 = [0u8; 32];
// Verify different r values are generated
librustzcash_sapling_generate_r(&mut r1);
librustzcash_sapling_generate_r(&mut r2);
assert_ne!(r1, r2);
// Verify r values are valid in the field
let mut repr = FsRepr::default();
repr.read_le(&r1[..]).expect("length is not 32 bytes");
let _ = Fs::from_repr(repr).unwrap();
repr.read_le(&r2[..]).expect("length is not 32 bytes");
let _ = Fs::from_repr(repr).unwrap();
}
Implementation of Sapling key agreement.
2018-06-12 15:32:20 -06:00
/// Return 32 byte random scalar, uniformly.
Add ffi and computation for Sapling note commitment.
2018-05-21 14:46:31 -07:00
#[no_mangle]
Add test for generating commitment randomness.
2018-06-01 12:20:22 -07:00
pub extern "system" fn librustzcash_sapling_generate_r(result: *mut [c_uchar; 32]) {
Add ffi and computation for Sapling note commitment.
2018-05-21 14:46:31 -07:00
// create random 64 byte buffer
let mut rng = OsRng::new().expect("should be able to construct RNG");
let mut buffer = [0u8; 64];
for i in 0..buffer.len() {
buffer[i] = rng.gen();
}
// reduce to uniform value
let r = <Bls12 as JubjubEngine>::Fs::to_uniform(&buffer[..]);
let result = unsafe { &mut *result };
r.into_repr()
.write_le(&mut result[..])
.expect("result must be 32 bytes");
}
Add function librustzcash_sapling_compute_nf. Also add function priv_get_note to refactor common code from librustzcash_sapling_compute_cm.
2018-06-07 10:36:52 -07:00
// Private utility function to get Note from C parameters
fn priv_get_note(
Add ffi and computation for Sapling note commitment.
2018-05-21 14:46:31 -07:00
diversifier: *const [c_uchar; 11],
pk_d: *const [c_uchar; 32],
value: uint64_t,
r: *const [c_uchar; 32],
Add function librustzcash_sapling_compute_nf. Also add function priv_get_note to refactor common code from librustzcash_sapling_compute_cm.
2018-06-07 10:36:52 -07:00
) -> Result<sapling_crypto::primitives::Note<Bls12>, ()> {
Add ffi and computation for Sapling note commitment.
2018-05-21 14:46:31 -07:00
let diversifier = sapling_crypto::primitives::Diversifier(unsafe { *diversifier });
let g_d = match diversifier.g_d::<Bls12>(&JUBJUB) {
Some(g_d) => g_d,
Add function librustzcash_sapling_compute_nf. Also add function priv_get_note to refactor common code from librustzcash_sapling_compute_cm.
2018-06-07 10:36:52 -07:00
None => return Err(()),
Add ffi and computation for Sapling note commitment.
2018-05-21 14:46:31 -07:00
};
let pk_d = match edwards::Point::<Bls12, Unknown>::read(&(unsafe { &*pk_d })[..], &JUBJUB) {
Ok(p) => p,
Add function librustzcash_sapling_compute_nf. Also add function priv_get_note to refactor common code from librustzcash_sapling_compute_cm.
2018-06-07 10:36:52 -07:00
Err(_) => return Err(()),
Add ffi and computation for Sapling note commitment.
2018-05-21 14:46:31 -07:00
};
let pk_d = match pk_d.as_prime_order(&JUBJUB) {
Some(pk_d) => pk_d,
Add function librustzcash_sapling_compute_nf. Also add function priv_get_note to refactor common code from librustzcash_sapling_compute_cm.
2018-06-07 10:36:52 -07:00
None => return Err(()),
Add ffi and computation for Sapling note commitment.
2018-05-21 14:46:31 -07:00
};
// Deserialize randomness
Implementation of Sapling key agreement.
2018-06-12 15:32:20 -06:00
let r = match Fs::from_repr(read_fs(&(unsafe { &*r })[..])) {
Ok(r) => r,
Add function librustzcash_sapling_compute_nf. Also add function priv_get_note to refactor common code from librustzcash_sapling_compute_cm.
2018-06-07 10:36:52 -07:00
Err(_) => return Err(()),
Add ffi and computation for Sapling note commitment.
2018-05-21 14:46:31 -07:00
};
let note = sapling_crypto::primitives::Note {
value,
g_d,
pk_d,
r,
};
Add function librustzcash_sapling_compute_nf. Also add function priv_get_note to refactor common code from librustzcash_sapling_compute_cm.
2018-06-07 10:36:52 -07:00
Ok(note)
}
/// Compute Sapling note nullifier.
#[no_mangle]
pub extern "system" fn librustzcash_sapling_compute_nf(
diversifier: *const [c_uchar; 11],
pk_d: *const [c_uchar; 32],
value: uint64_t,
r: *const [c_uchar; 32],
ak: *const [c_uchar; 32],
nk: *const [c_uchar; 32],
position: uint64_t,
result: *mut [c_uchar; 32],
) -> bool {
let note = match priv_get_note(diversifier, pk_d, value, r) {
Ok(p) => p,
Err(_) => return false,
};
let ak = match edwards::Point::<Bls12, Unknown>::read(&(unsafe { &*ak })[..], &JUBJUB) {
Ok(p) => p,
Err(_) => return false,
};
let ak = match ak.as_prime_order(&JUBJUB) {
Some(ak) => ak,
None => return false,
};
let nk = match edwards::Point::<Bls12, Unknown>::read(&(unsafe { &*nk })[..], &JUBJUB) {
Ok(p) => p,
Err(_) => return false,
};
let nk = match nk.as_prime_order(&JUBJUB) {
Some(nk) => nk,
None => return false,
};
let vk = ViewingKey { ak, nk };
let nf = note.nf(&vk, position, &JUBJUB);
let result = unsafe { &mut *result };
result.copy_from_slice(&nf);
true
}
/// Compute Sapling note commitment.
#[no_mangle]
pub extern "system" fn librustzcash_sapling_compute_cm(
diversifier: *const [c_uchar; 11],
pk_d: *const [c_uchar; 32],
value: uint64_t,
r: *const [c_uchar; 32],
result: *mut [c_uchar; 32],
) -> bool {
let note = match priv_get_note(diversifier, pk_d, value, r) {
Ok(p) => p,
Err(_) => return false,
};
Add ffi and computation for Sapling note commitment.
2018-05-21 14:46:31 -07:00
let result = unsafe { &mut *result };
write_le(note.cm(&JUBJUB).into_repr(), &mut result[..]);
true
}
Implementation of Sapling key agreement.
2018-06-12 15:32:20 -06:00
#[no_mangle]
pub extern "system" fn librustzcash_sapling_ka_agree(
p: *const [c_uchar; 32],
sk: *const [c_uchar; 32],
result: *mut [c_uchar; 32],
) -> bool {
// Deserialize p
let p = match edwards::Point::<Bls12, Unknown>::read(&(unsafe { &*p })[..], &JUBJUB) {
Ok(p) => p,
Err(_) => return false,
};
// Deserialize sk
let sk = match Fs::from_repr(read_fs(&(unsafe { &*sk })[..])) {
Ok(p) => p,
Err(_) => return false
};
// Multiply by 8
let p = p.mul_by_cofactor(&JUBJUB);
// Multiply by sk
let p = p.mul(sk, &JUBJUB);
// Produce result
let result = unsafe { &mut *result };
p.write(&mut result[..]).expect("length is not 32 bytes");
true
}
#[no_mangle]
pub extern "system" fn librustzcash_sapling_ka_derivepublic(
diversifier: *const [c_uchar; 11],
esk: *const [c_uchar; 32],
result: *mut [c_uchar; 32],
) -> bool {
let diversifier = sapling_crypto::primitives::Diversifier(unsafe { *diversifier });
// Compute g_d from the diversifier
let g_d = match diversifier.g_d::<Bls12>(&JUBJUB) {
Some(g) => g,
None => return false
};
// Deserialize esk
let esk = match Fs::from_repr(read_fs(&(unsafe { &*esk })[..])) {
Ok(p) => p,
Err(_) => return false,
};
let p = g_d.mul(esk, &JUBJUB);
let result = unsafe { &mut *result };
p.write(&mut result[..]).expect("length is not 32 bytes");
true
}
Implement Equihash validator Follows Zcash implementation as closely as possible.
2017-12-30 23:36:23 +01:00
#[no_mangle]
pub extern "system" fn librustzcash_eh_isvalid(
n: uint32_t,
k: uint32_t,
input: *const c_uchar,
input_len: size_t,
nonce: *const c_uchar,
nonce_len: size_t,
soln: *const c_uchar,
soln_len: size_t,
) -> bool {
if (k >= n) || (n % 8 != 0) || (soln_len != (1 << k) * ((n / (k + 1)) as usize + 1) / 8) {
return false;
}
let rs_input = unsafe { slice::from_raw_parts(input, input_len) };
let rs_nonce = unsafe { slice::from_raw_parts(nonce, nonce_len) };
let rs_soln = unsafe { slice::from_raw_parts(soln, soln_len) };
equihash::is_valid_solution(n, k, rs_input, rs_nonce, rs_soln)
}
Implementation of Sapling transaction verification.
2018-05-07 19:22:07 -06:00
pub struct SaplingVerificationContext {
bvk: edwards::Point<Bls12, Unknown>,
}
#[no_mangle]
pub extern "system" fn librustzcash_sapling_verification_ctx_init(
) -> *mut SaplingVerificationContext {
let ctx = Box::new(SaplingVerificationContext {
bvk: edwards::Point::zero(),
});
Box::into_raw(ctx)
}
#[no_mangle]
pub extern "system" fn librustzcash_sapling_verification_ctx_free(
ctx: *mut SaplingVerificationContext,
) {
drop(unsafe { Box::from_raw(ctx) });
}
const GROTH_PROOF_SIZE: usize = 48 // π_A
+ 96 // π_B
+ 48; // π_C
#[no_mangle]
pub extern "system" fn librustzcash_sapling_check_spend(
ctx: *mut SaplingVerificationContext,
cv: *const [c_uchar; 32],
anchor: *const [c_uchar; 32],
nullifier: *const [c_uchar; 32],
rk: *const [c_uchar; 32],
zkproof: *const [c_uchar; GROTH_PROOF_SIZE],
spend_auth_sig: *const [c_uchar; 64],
sighash_value: *const [c_uchar; 32],
) -> bool {
// Deserialize the value commitment
let cv = match edwards::Point::<Bls12, Unknown>::read(&(unsafe { &*cv })[..], &JUBJUB) {
Ok(p) => p,
Err(_) => return false,
};
Check epk/rk/cv are not small order.
2018-05-14 16:23:34 -06:00
if is_small_order(&cv) {
return false;
}
Implementation of Sapling transaction verification.
2018-05-07 19:22:07 -06:00
// Accumulate the value commitment in the context
{
let mut tmp = cv.clone();
tmp = tmp.add(&unsafe { &*ctx }.bvk, &JUBJUB);
// Update the context
unsafe { &mut *ctx }.bvk = tmp;
}
// Deserialize the anchor, which should be an element
// of Fr.
let anchor = match Fr::from_repr(read_le(&(unsafe { &*anchor })[..])) {
Ok(a) => a,
Err(_) => return false,
};
// Grab the nullifier as a sequence of bytes
let nullifier = &unsafe { &*nullifier }[..];
// Compute the signature's message for rk/spend_auth_sig
let mut data_to_be_signed = [0u8; 64];
(&mut data_to_be_signed[0..32]).copy_from_slice(&(unsafe { &*rk })[..]);
(&mut data_to_be_signed[32..64]).copy_from_slice(&(unsafe { &*sighash_value })[..]);
// Deserialize rk
let rk = match redjubjub::PublicKey::<Bls12>::read(&(unsafe { &*rk })[..], &JUBJUB) {
Ok(p) => p,
Err(_) => return false,
};
Check epk/rk/cv are not small order.
2018-05-14 16:23:34 -06:00
if is_small_order(&rk.0) {
return false;
}
Implementation of Sapling transaction verification.
2018-05-07 19:22:07 -06:00
// Deserialize the signature
let spend_auth_sig = match Signature::read(&(unsafe { &*spend_auth_sig })[..]) {
Ok(sig) => sig,
Err(_) => return false,
};
// Verify the spend_auth_sig
if !rk.verify(
&data_to_be_signed,
&spend_auth_sig,
FixedGenerators::SpendingKeyGenerator,
&JUBJUB,
) {
return false;
}
// Construct public input for circuit
let mut public_input = [Fr::zero(); 7];
{
let (x, y) = rk.0.into_xy();
public_input[0] = x;
public_input[1] = y;
}
{
let (x, y) = cv.into_xy();
public_input[2] = x;
public_input[3] = y;
}
public_input[4] = anchor;
// Add the nullifier through multiscalar packing
{
Switch to little endian encoding for everything.
2018-05-17 01:22:15 -06:00
let nullifier = multipack::bytes_to_bits_le(nullifier);
Implementation of Sapling transaction verification.
2018-05-07 19:22:07 -06:00
let nullifier = multipack::compute_multipacking::<Bls12>(&nullifier);
assert_eq!(nullifier.len(), 2);
public_input[5] = nullifier[0];
public_input[6] = nullifier[1];
}
// Deserialize the proof
let zkproof = match Proof::<Bls12>::read(&(unsafe { &*zkproof })[..]) {
Ok(p) => p,
Err(_) => return false,
};
// Verify the proof
match verify_proof(
unsafe { SAPLING_SPEND_VK.as_ref() }.unwrap(),
&zkproof,
&public_input[..],
) {
// No error, and proof verification successful
Ok(true) => true,
// Any other case
_ => false,
}
}
#[no_mangle]
pub extern "system" fn librustzcash_sapling_check_output(
ctx: *mut SaplingVerificationContext,
cv: *const [c_uchar; 32],
cm: *const [c_uchar; 32],
epk: *const [c_uchar; 32],
zkproof: *const [c_uchar; GROTH_PROOF_SIZE],
) -> bool {
// Deserialize the value commitment
let cv = match edwards::Point::<Bls12, Unknown>::read(&(unsafe { &*cv })[..], &JUBJUB) {
Ok(p) => p,
Err(_) => return false,
};
Check epk/rk/cv are not small order.
2018-05-14 16:23:34 -06:00
if is_small_order(&cv) {
return false;
}
Implementation of Sapling transaction verification.
2018-05-07 19:22:07 -06:00
// Accumulate the value commitment in the context
{
let mut tmp = cv.clone();
tmp.negate(); // Outputs subtract from the total.
tmp = tmp.add(&unsafe { &*ctx }.bvk, &JUBJUB);
// Update the context
unsafe { &mut *ctx }.bvk = tmp;
}
// Deserialize the commitment, which should be an element
// of Fr.
let cm = match Fr::from_repr(read_le(&(unsafe { &*cm })[..])) {
Ok(a) => a,
Err(_) => return false,
};
// Deserialize the ephemeral key
let epk = match edwards::Point::<Bls12, Unknown>::read(&(unsafe { &*epk })[..], &JUBJUB) {
Ok(p) => p,
Err(_) => return false,
};
Check epk/rk/cv are not small order.
2018-05-14 16:23:34 -06:00
if is_small_order(&epk) {
return false;
}
Implementation of Sapling transaction verification.
2018-05-07 19:22:07 -06:00
// Construct public input for circuit
let mut public_input = [Fr::zero(); 5];
{
let (x, y) = cv.into_xy();
public_input[0] = x;
public_input[1] = y;
}
{
let (x, y) = epk.into_xy();
public_input[2] = x;
public_input[3] = y;
}
public_input[4] = cm;
// Deserialize the proof
let zkproof = match Proof::<Bls12>::read(&(unsafe { &*zkproof })[..]) {
Ok(p) => p,
Err(_) => return false,
};
// Verify the proof
match verify_proof(
unsafe { SAPLING_OUTPUT_VK.as_ref() }.unwrap(),
&zkproof,
&public_input[..],
) {
// No error, and proof verification successful
Ok(true) => true,
// Any other case
_ => false,
}
}
// This function computes `value` in the exponent of the value commitment base
fn compute_value_balance(value: int64_t) -> Option<edwards::Point<Bls12, Unknown>> {
// Compute the absolute value (failing if -i64::MAX is
// the value)
let abs = match value.checked_abs() {
Some(a) => a as u64,
None => return None,
};
// Is it negative? We'll have to negate later if so.
let is_negative = value.is_negative();
// Compute it in the exponent
let mut value_balance = JUBJUB
.generator(FixedGenerators::ValueCommitmentValue)
.mul(FsRepr::from(abs), &JUBJUB);
// Negate if necessary
if is_negative {
value_balance = value_balance.negate();
}
// Convert to unknown order point
Some(value_balance.into())
}
#[no_mangle]
pub extern "system" fn librustzcash_sapling_final_check(
ctx: *mut SaplingVerificationContext,
value_balance: int64_t,
binding_sig: *const [c_uchar; 64],
sighash_value: *const [c_uchar; 32],
) -> bool {
// Obtain current bvk from the context
let mut bvk = redjubjub::PublicKey(unsafe { &*ctx }.bvk.clone());
// Compute value balance
let mut value_balance = match compute_value_balance(value_balance) {
Some(a) => a,
None => return false,
};
// Subtract value_balance from current bvk to get final bvk
value_balance = value_balance.negate();
bvk.0 = bvk.0.add(&value_balance, &JUBJUB);
// Compute the signature's message for bvk/binding_sig
let mut data_to_be_signed = [0u8; 64];
bvk.0
.write(&mut data_to_be_signed[0..32])
.expect("bvk is 32 bytes");
(&mut data_to_be_signed[32..64]).copy_from_slice(&(unsafe { &*sighash_value })[..]);
// Deserialize the signature
let binding_sig = match Signature::read(&(unsafe { &*binding_sig })[..]) {
Ok(sig) => sig,
Err(_) => return false,
};
// Verify the binding_sig
if !bvk.verify(
&data_to_be_signed,
&binding_sig,
FixedGenerators::ValueCommitmentRandomness,
&JUBJUB,
) {
return false;
}
true
}
Implementation of Sprout proving and verifying
2018-05-08 16:58:43 -06:00
#[no_mangle]
pub extern "system" fn librustzcash_sprout_prove(
proof_out: *mut [c_uchar; GROTH_PROOF_SIZE],
phi: *const [c_uchar; 32],
rt: *const [c_uchar; 32],
h_sig: *const [c_uchar; 32],
// First input
in_sk1: *const [c_uchar; 32],
in_value1: uint64_t,
in_rho1: *const [c_uchar; 32],
in_r1: *const [c_uchar; 32],
in_auth1: *const [c_uchar; 1 + 33 * SPROUT_TREE_DEPTH + 8],
// Second input
in_sk2: *const [c_uchar; 32],
in_value2: uint64_t,
in_rho2: *const [c_uchar; 32],
in_r2: *const [c_uchar; 32],
in_auth2: *const [c_uchar; 1 + 33 * SPROUT_TREE_DEPTH + 8],
// First output
out_pk1: *const [c_uchar; 32],
out_value1: uint64_t,
out_r1: *const [c_uchar; 32],
// Second output
out_pk2: *const [c_uchar; 32],
out_value2: uint64_t,
out_r2: *const [c_uchar; 32],
// Public value
vpub_old: uint64_t,
vpub_new: uint64_t,
) {
let phi = unsafe { *phi };
let rt = unsafe { *rt };
let h_sig = unsafe { *h_sig };
let in_sk1 = unsafe { *in_sk1 };
let in_rho1 = unsafe { *in_rho1 };
let in_r1 = unsafe { *in_r1 };
let in_auth1 = unsafe { *in_auth1 };
let in_sk2 = unsafe { *in_sk2 };
let in_rho2 = unsafe { *in_rho2 };
let in_r2 = unsafe { *in_r2 };
let in_auth2 = unsafe { *in_auth2 };
let out_pk1 = unsafe { *out_pk1 };
let out_r1 = unsafe { *out_r1 };
let out_pk2 = unsafe { *out_pk2 };
let out_r2 = unsafe { *out_r2 };
let mut inputs = Vec::with_capacity(2);
{
let mut handle_input = |sk, value, rho, r, mut auth: &[u8]| {
let value = Some(value);
let rho = Some(sprout::UniqueRandomness(rho));
let r = Some(sprout::CommitmentRandomness(r));
let a_sk = Some(sprout::SpendingKey(sk));
// skip the first byte
assert_eq!(auth[0], SPROUT_TREE_DEPTH as u8);
auth = &auth[1..];
let mut auth_path = [None; SPROUT_TREE_DEPTH];
for i in (0..SPROUT_TREE_DEPTH).rev() {
// skip length of inner vector
assert_eq!(auth[0], 32);
auth = &auth[1..];
let mut sibling = [0u8; 32];
sibling.copy_from_slice(&auth[0..32]);
auth = &auth[32..];
auth_path[i] = Some((sibling, false));
}
let mut position = auth.read_u64::<LittleEndian>()
.expect("should have had index at the end");
for i in 0..SPROUT_TREE_DEPTH {
auth_path[i].as_mut().map(|p| p.1 = (position & 1) == 1);
position >>= 1;
}
inputs.push(sprout::JSInput {
value: value,
a_sk: a_sk,
rho: rho,
r: r,
auth_path: auth_path,
});
};
handle_input(in_sk1, in_value1, in_rho1, in_r1, &in_auth1[..]);
handle_input(in_sk2, in_value2, in_rho2, in_r2, &in_auth2[..]);
}
let mut outputs = Vec::with_capacity(2);
{
let mut handle_output = |a_pk, value, r| {
outputs.push(sprout::JSOutput {
value: Some(value),
a_pk: Some(sprout::PayingKey(a_pk)),
r: Some(sprout::CommitmentRandomness(r)),
});
};
handle_output(out_pk1, out_value1, out_r1);
handle_output(out_pk2, out_value2, out_r2);
}
let js = sprout::JoinSplit {
vpub_old: Some(vpub_old),
vpub_new: Some(vpub_new),
h_sig: Some(h_sig),
phi: Some(phi),
inputs: inputs,
outputs: outputs,
rt: Some(rt),
};
// Load parameters from disk
let sprout_fs = File::open(
unsafe { &SPROUT_GROTH16_PARAMS_PATH }
.as_ref()
.expect("parameters should have been initialized"),
).expect("couldn't load Sprout groth16 parameters file");
let mut sprout_fs = BufReader::with_capacity(1024 * 1024, sprout_fs);
let params = Parameters::<Bls12>::read(&mut sprout_fs, false)
.expect("couldn't deserialize Sprout JoinSplit parameters file");
drop(sprout_fs);
// Initialize secure RNG
let mut rng = OsRng::new().expect("should be able to construct RNG");
let proof = create_random_proof(js, &params, &mut rng).expect("proving should not fail");
proof
.write(&mut (unsafe { &mut *proof_out })[..])
.expect("should be able to serialize a proof");
}
#[no_mangle]
pub extern "system" fn librustzcash_sprout_verify(
proof: *const [c_uchar; GROTH_PROOF_SIZE],
rt: *const [c_uchar; 32],
h_sig: *const [c_uchar; 32],
mac1: *const [c_uchar; 32],
mac2: *const [c_uchar; 32],
nf1: *const [c_uchar; 32],
nf2: *const [c_uchar; 32],
cm1: *const [c_uchar; 32],
cm2: *const [c_uchar; 32],
vpub_old: uint64_t,
vpub_new: uint64_t,
) -> bool {
// Prepare the public input for the verifier
let mut public_input = Vec::with_capacity((32 * 8) + (8 * 2));
public_input.extend(unsafe { &(&*rt)[..] });
public_input.extend(unsafe { &(&*h_sig)[..] });
public_input.extend(unsafe { &(&*nf1)[..] });
public_input.extend(unsafe { &(&*mac1)[..] });
public_input.extend(unsafe { &(&*nf2)[..] });
public_input.extend(unsafe { &(&*mac2)[..] });
public_input.extend(unsafe { &(&*cm1)[..] });
public_input.extend(unsafe { &(&*cm2)[..] });
public_input.write_u64::<LittleEndian>(vpub_old).unwrap();
public_input.write_u64::<LittleEndian>(vpub_new).unwrap();
let public_input = multipack::bytes_to_bits(&public_input);
let public_input = multipack::compute_multipacking::<Bls12>(&public_input);
let proof = match Proof::read(unsafe { &(&*proof)[..] }) {
Ok(p) => p,
Err(_) => return false,
};
// Verify the proof
match verify_proof(
unsafe { SPROUT_GROTH16_VK.as_ref() }.expect("parameters should have been initialized"),
&proof,
&public_input[..],
) {
// No error, and proof verification successful
Ok(true) => true,
// Any other case
_ => false,
}
}
Reference in New Issue Copy Permalink