2018-04-17 14:22:35 -06:00
|
|
|
extern crate bellman;
|
2018-05-08 16:58:43 -06:00
|
|
|
extern crate byteorder;
|
2017-03-17 11:07:23 -06:00
|
|
|
extern crate libc;
|
2018-04-11 21:51:30 -06:00
|
|
|
extern crate pairing;
|
2018-05-08 16:58:43 -06:00
|
|
|
extern crate rand;
|
2018-04-17 14:22:35 -06:00
|
|
|
extern crate sapling_crypto;
|
2018-04-09 18:28:42 -06:00
|
|
|
|
2018-04-12 18:38:25 -06:00
|
|
|
#[macro_use]
|
|
|
|
|
extern crate lazy_static;
|
|
|
|
|
|
2018-05-07 19:22:07 -06:00
|
|
|
use pairing::{BitIterator, Field, PrimeField, PrimeFieldRepr, bls12_381::{Bls12, Fr, FrRepr}};
|
2018-04-11 21:51:30 -06:00
|
|
|
|
2018-05-07 19:22:07 -06:00
|
|
|
use sapling_crypto::{circuit::multipack,
|
|
|
|
|
jubjub::{edwards, FixedGenerators, JubjubBls12, JubjubParams, Unknown,
|
|
|
|
|
fs::FsRepr},
|
|
|
|
|
pedersen_hash::{pedersen_hash, Personalization},
|
|
|
|
|
redjubjub::{self, Signature}, util::swap_bits_u64};
|
2018-04-17 14:16:14 -06:00
|
|
|
|
2018-05-08 16:58:43 -06:00
|
|
|
use sapling_crypto::circuit::sprout::{self, TREE_DEPTH as SPROUT_TREE_DEPTH};
|
|
|
|
|
|
|
|
|
|
use bellman::groth16::{create_random_proof, prepare_verifying_key, verify_proof, Parameters,
|
|
|
|
|
PreparedVerifyingKey, Proof, VerifyingKey};
|
|
|
|
|
|
|
|
|
|
use byteorder::{LittleEndian, ReadBytesExt, WriteBytesExt};
|
|
|
|
|
|
|
|
|
|
use std::io::BufReader;
|
|
|
|
|
use rand::OsRng;
|
2018-04-17 14:22:35 -06:00
|
|
|
|
2018-05-07 19:22:07 -06:00
|
|
|
use libc::{c_char, c_uchar, size_t, int64_t, uint64_t};
|
2018-04-17 14:16:14 -06:00
|
|
|
use std::ffi::CStr;
|
|
|
|
|
use std::fs::File;
|
2018-04-11 21:51:30 -06:00
|
|
|
|
2018-04-12 18:38:25 -06:00
|
|
|
lazy_static! {
|
2018-04-17 14:22:35 -06:00
|
|
|
static ref JUBJUB: JubjubBls12 = { JubjubBls12::new() };
|
2018-04-11 21:51:30 -06:00
|
|
|
}
|
|
|
|
|
|
2018-04-17 14:16:14 -06:00
|
|
|
static mut SAPLING_SPEND_VK: Option<PreparedVerifyingKey<Bls12>> = None;
|
|
|
|
|
static mut SAPLING_OUTPUT_VK: Option<PreparedVerifyingKey<Bls12>> = None;
|
|
|
|
|
static mut SPROUT_GROTH16_VK: Option<PreparedVerifyingKey<Bls12>> = None;
|
|
|
|
|
|
|
|
|
|
static mut SAPLING_SPEND_PARAMS: Option<Parameters<Bls12>> = None;
|
|
|
|
|
static mut SAPLING_OUTPUT_PARAMS: Option<Parameters<Bls12>> = None;
|
|
|
|
|
static mut SPROUT_GROTH16_PARAMS_PATH: Option<String> = None;
|
|
|
|
|
|
2018-05-14 16:23:34 -06:00
|
|
|
fn is_small_order<Order>(
|
|
|
|
|
p: &edwards::Point<Bls12, Order>
|
|
|
|
|
) -> bool {
|
|
|
|
|
p.double(&JUBJUB).double(&JUBJUB).double(&JUBJUB) == edwards::Point::zero()
|
|
|
|
|
}
|
|
|
|
|
|
2018-05-07 18:06:53 -06:00
|
|
|
/// Writes an FrRepr to [u8] of length 32
|
|
|
|
|
fn write_le(mut f: FrRepr, to: &mut [u8]) {
|
|
|
|
|
assert_eq!(to.len(), 32);
|
|
|
|
|
|
|
|
|
|
f.as_mut().reverse();
|
|
|
|
|
for b in f.as_mut() {
|
|
|
|
|
*b = swap_bits_u64(*b);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
f.write_be(to).expect("length is 32 bytes");
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/// Reads an FrRepr from a [u8] of length 32.
|
|
|
|
|
/// This will panic (abort) if length provided is
|
|
|
|
|
/// not correct.
|
2018-05-07 19:22:07 -06:00
|
|
|
fn read_le(from: &[u8]) -> FrRepr {
|
2018-05-07 18:06:53 -06:00
|
|
|
assert_eq!(from.len(), 32);
|
|
|
|
|
|
|
|
|
|
let mut f = FrRepr::default();
|
|
|
|
|
f.read_be(from).expect("length is 32 bytes");
|
|
|
|
|
|
|
|
|
|
f.as_mut().reverse();
|
|
|
|
|
for b in f.as_mut() {
|
|
|
|
|
*b = swap_bits_u64(*b);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
f
|
|
|
|
|
}
|
|
|
|
|
|
2018-04-17 14:16:14 -06:00
|
|
|
#[no_mangle]
|
|
|
|
|
pub extern "system" fn librustzcash_init_zksnark_params(
|
|
|
|
|
spend_path: *const c_char,
|
|
|
|
|
output_path: *const c_char,
|
2018-04-17 14:22:35 -06:00
|
|
|
sprout_path: *const c_char,
|
|
|
|
|
) {
|
2018-04-21 17:46:08 -06:00
|
|
|
// Initialize jubjub parameters here
|
|
|
|
|
lazy_static::initialize(&JUBJUB);
|
|
|
|
|
|
2018-04-17 14:16:14 -06:00
|
|
|
// These should be valid CStr's, but the decoding may fail on Windows
|
|
|
|
|
// so we may need to use OSStr or something.
|
2018-04-17 14:22:35 -06:00
|
|
|
let spend_path = unsafe { CStr::from_ptr(spend_path) }
|
|
|
|
|
.to_str()
|
|
|
|
|
.expect("parameter path encoding error")
|
|
|
|
|
.to_string();
|
|
|
|
|
let output_path = unsafe { CStr::from_ptr(output_path) }
|
|
|
|
|
.to_str()
|
|
|
|
|
.expect("parameter path encoding error")
|
|
|
|
|
.to_string();
|
|
|
|
|
let sprout_path = unsafe { CStr::from_ptr(sprout_path) }
|
|
|
|
|
.to_str()
|
|
|
|
|
.expect("parameter path encoding error")
|
|
|
|
|
.to_string();
|
2018-04-17 14:16:14 -06:00
|
|
|
|
|
|
|
|
// Load from each of the paths
|
|
|
|
|
let mut spend_fs = File::open(spend_path).expect("couldn't load Sapling spend parameters file");
|
2018-04-17 14:22:35 -06:00
|
|
|
let mut output_fs =
|
|
|
|
|
File::open(output_path).expect("couldn't load Sapling output parameters file");
|
|
|
|
|
let mut sprout_fs =
|
|
|
|
|
File::open(&sprout_path).expect("couldn't load Sprout groth16 parameters file");
|
2018-04-17 14:16:14 -06:00
|
|
|
|
|
|
|
|
// Deserialize params
|
2018-04-17 14:22:35 -06:00
|
|
|
let spend_params = Parameters::<Bls12>::read(&mut spend_fs, false)
|
|
|
|
|
.expect("couldn't deserialize Sapling spend parameters file");
|
|
|
|
|
let output_params = Parameters::<Bls12>::read(&mut output_fs, false)
|
|
|
|
|
.expect("couldn't deserialize Sapling spend parameters file");
|
|
|
|
|
let sprout_vk = VerifyingKey::<Bls12>::read(&mut sprout_fs)
|
|
|
|
|
.expect("couldn't deserialize Sprout Groth16 verifying key");
|
2018-04-17 14:16:14 -06:00
|
|
|
|
|
|
|
|
// Prepare verifying keys
|
|
|
|
|
let spend_vk = prepare_verifying_key(&spend_params.vk);
|
|
|
|
|
let output_vk = prepare_verifying_key(&output_params.vk);
|
|
|
|
|
let sprout_vk = prepare_verifying_key(&sprout_vk);
|
|
|
|
|
|
|
|
|
|
// Caller is responsible for calling this function once, so
|
|
|
|
|
// these global mutations are safe.
|
|
|
|
|
unsafe {
|
|
|
|
|
SAPLING_SPEND_PARAMS = Some(spend_params);
|
|
|
|
|
SAPLING_OUTPUT_PARAMS = Some(output_params);
|
|
|
|
|
SPROUT_GROTH16_PARAMS_PATH = Some(sprout_path);
|
|
|
|
|
|
|
|
|
|
SAPLING_SPEND_VK = Some(spend_vk);
|
|
|
|
|
SAPLING_OUTPUT_VK = Some(output_vk);
|
|
|
|
|
SPROUT_GROTH16_VK = Some(sprout_vk);
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2018-04-11 21:51:30 -06:00
|
|
|
#[no_mangle]
|
2018-04-17 14:22:35 -06:00
|
|
|
pub extern "system" fn librustzcash_tree_uncommitted(result: *mut [c_uchar; 32]) {
|
2018-04-12 18:38:25 -06:00
|
|
|
let tmp = sapling_crypto::primitives::Note::<Bls12>::uncommitted().into_repr();
|
2018-04-11 21:51:30 -06:00
|
|
|
|
2018-04-12 18:38:25 -06:00
|
|
|
// Should be okay, caller is responsible for ensuring the pointer
|
|
|
|
|
// is a valid pointer to 32 bytes that can be mutated.
|
|
|
|
|
let result = unsafe { &mut *result };
|
|
|
|
|
|
2018-05-07 18:06:53 -06:00
|
|
|
write_le(tmp, &mut result[..]);
|
2018-04-11 21:51:30 -06:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
#[no_mangle]
|
|
|
|
|
pub extern "system" fn librustzcash_merkle_hash(
|
|
|
|
|
depth: size_t,
|
|
|
|
|
a: *const [c_uchar; 32],
|
|
|
|
|
b: *const [c_uchar; 32],
|
|
|
|
|
result: *mut [c_uchar; 32],
|
2018-04-17 14:22:35 -06:00
|
|
|
) {
|
2018-04-11 21:51:30 -06:00
|
|
|
// Should be okay, because caller is responsible for ensuring
|
|
|
|
|
// the pointer is a valid pointer to 32 bytes, and that is the
|
|
|
|
|
// size of the representation
|
2018-05-07 18:06:53 -06:00
|
|
|
let a_repr = read_le(unsafe { &(&*a)[..] });
|
2018-04-11 21:51:30 -06:00
|
|
|
|
|
|
|
|
// Should be okay, because caller is responsible for ensuring
|
|
|
|
|
// the pointer is a valid pointer to 32 bytes, and that is the
|
|
|
|
|
// size of the representation
|
2018-05-07 18:06:53 -06:00
|
|
|
let b_repr = read_le(unsafe { &(&*b)[..] });
|
2018-04-11 21:51:30 -06:00
|
|
|
|
|
|
|
|
let mut lhs = [false; 256];
|
|
|
|
|
let mut rhs = [false; 256];
|
|
|
|
|
|
|
|
|
|
for (a, b) in lhs.iter_mut().rev().zip(BitIterator::new(a_repr)) {
|
|
|
|
|
*a = b;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
for (a, b) in rhs.iter_mut().rev().zip(BitIterator::new(b_repr)) {
|
|
|
|
|
*a = b;
|
|
|
|
|
}
|
2018-04-17 14:22:35 -06:00
|
|
|
|
2018-04-11 21:51:30 -06:00
|
|
|
let tmp = pedersen_hash::<Bls12, _>(
|
|
|
|
|
Personalization::MerkleTree(depth),
|
2018-04-17 14:22:35 -06:00
|
|
|
lhs.iter()
|
|
|
|
|
.map(|&x| x)
|
2018-04-11 21:51:30 -06:00
|
|
|
.take(Fr::NUM_BITS as usize)
|
|
|
|
|
.chain(rhs.iter().map(|&x| x).take(Fr::NUM_BITS as usize)),
|
2018-04-17 14:22:35 -06:00
|
|
|
&JUBJUB,
|
|
|
|
|
).into_xy()
|
|
|
|
|
.0
|
|
|
|
|
.into_repr();
|
2018-04-11 21:51:30 -06:00
|
|
|
|
|
|
|
|
// Should be okay, caller is responsible for ensuring the pointer
|
2018-04-12 15:01:48 -06:00
|
|
|
// is a valid pointer to 32 bytes that can be mutated.
|
2018-04-11 21:51:30 -06:00
|
|
|
let result = unsafe { &mut *result };
|
|
|
|
|
|
2018-05-07 18:06:53 -06:00
|
|
|
write_le(tmp, &mut result[..]);
|
2018-04-11 21:51:30 -06:00
|
|
|
}
|
2017-03-17 11:07:23 -06:00
|
|
|
|
|
|
|
|
/// XOR two uint64_t values and return the result, used
|
|
|
|
|
/// as a temporary mechanism for introducing Rust into
|
|
|
|
|
/// Zcash.
|
|
|
|
|
#[no_mangle]
|
2018-04-17 14:22:35 -06:00
|
|
|
pub extern "system" fn librustzcash_xor(a: uint64_t, b: uint64_t) -> uint64_t {
|
2017-03-17 11:07:23 -06:00
|
|
|
a ^ b
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
#[test]
|
|
|
|
|
fn test_xor() {
|
2018-04-17 14:22:35 -06:00
|
|
|
assert_eq!(
|
|
|
|
|
librustzcash_xor(0x0f0f0f0f0f0f0f0f, 0x1111111111111111),
|
|
|
|
|
0x1e1e1e1e1e1e1e1e
|
|
|
|
|
);
|
2017-03-17 11:07:23 -06:00
|
|
|
}
|
2018-05-07 19:22:07 -06:00
|
|
|
|
|
|
|
|
pub struct SaplingVerificationContext {
|
|
|
|
|
bvk: edwards::Point<Bls12, Unknown>,
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
#[no_mangle]
|
|
|
|
|
pub extern "system" fn librustzcash_sapling_verification_ctx_init(
|
|
|
|
|
) -> *mut SaplingVerificationContext {
|
|
|
|
|
let ctx = Box::new(SaplingVerificationContext {
|
|
|
|
|
bvk: edwards::Point::zero(),
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
Box::into_raw(ctx)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
#[no_mangle]
|
|
|
|
|
pub extern "system" fn librustzcash_sapling_verification_ctx_free(
|
|
|
|
|
ctx: *mut SaplingVerificationContext,
|
|
|
|
|
) {
|
|
|
|
|
drop(unsafe { Box::from_raw(ctx) });
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
const GROTH_PROOF_SIZE: usize = 48 // π_A
|
|
|
|
|
+ 96 // π_B
|
|
|
|
|
+ 48; // π_C
|
|
|
|
|
|
|
|
|
|
#[no_mangle]
|
|
|
|
|
pub extern "system" fn librustzcash_sapling_check_spend(
|
|
|
|
|
ctx: *mut SaplingVerificationContext,
|
|
|
|
|
cv: *const [c_uchar; 32],
|
|
|
|
|
anchor: *const [c_uchar; 32],
|
|
|
|
|
nullifier: *const [c_uchar; 32],
|
|
|
|
|
rk: *const [c_uchar; 32],
|
|
|
|
|
zkproof: *const [c_uchar; GROTH_PROOF_SIZE],
|
|
|
|
|
spend_auth_sig: *const [c_uchar; 64],
|
|
|
|
|
sighash_value: *const [c_uchar; 32],
|
|
|
|
|
) -> bool {
|
|
|
|
|
// Deserialize the value commitment
|
|
|
|
|
let cv = match edwards::Point::<Bls12, Unknown>::read(&(unsafe { &*cv })[..], &JUBJUB) {
|
|
|
|
|
Ok(p) => p,
|
|
|
|
|
Err(_) => return false,
|
|
|
|
|
};
|
|
|
|
|
|
2018-05-14 16:23:34 -06:00
|
|
|
if is_small_order(&cv) {
|
|
|
|
|
return false;
|
|
|
|
|
}
|
|
|
|
|
|
2018-05-07 19:22:07 -06:00
|
|
|
// Accumulate the value commitment in the context
|
|
|
|
|
{
|
|
|
|
|
let mut tmp = cv.clone();
|
|
|
|
|
tmp = tmp.add(&unsafe { &*ctx }.bvk, &JUBJUB);
|
|
|
|
|
|
|
|
|
|
// Update the context
|
|
|
|
|
unsafe { &mut *ctx }.bvk = tmp;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Deserialize the anchor, which should be an element
|
|
|
|
|
// of Fr.
|
|
|
|
|
let anchor = match Fr::from_repr(read_le(&(unsafe { &*anchor })[..])) {
|
|
|
|
|
Ok(a) => a,
|
|
|
|
|
Err(_) => return false,
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
// Grab the nullifier as a sequence of bytes
|
|
|
|
|
let nullifier = &unsafe { &*nullifier }[..];
|
|
|
|
|
|
|
|
|
|
// Compute the signature's message for rk/spend_auth_sig
|
|
|
|
|
let mut data_to_be_signed = [0u8; 64];
|
|
|
|
|
(&mut data_to_be_signed[0..32]).copy_from_slice(&(unsafe { &*rk })[..]);
|
|
|
|
|
(&mut data_to_be_signed[32..64]).copy_from_slice(&(unsafe { &*sighash_value })[..]);
|
|
|
|
|
|
|
|
|
|
// Deserialize rk
|
|
|
|
|
let rk = match redjubjub::PublicKey::<Bls12>::read(&(unsafe { &*rk })[..], &JUBJUB) {
|
|
|
|
|
Ok(p) => p,
|
|
|
|
|
Err(_) => return false,
|
|
|
|
|
};
|
|
|
|
|
|
2018-05-14 16:23:34 -06:00
|
|
|
if is_small_order(&rk.0) {
|
|
|
|
|
return false;
|
|
|
|
|
}
|
|
|
|
|
|
2018-05-07 19:22:07 -06:00
|
|
|
// Deserialize the signature
|
|
|
|
|
let spend_auth_sig = match Signature::read(&(unsafe { &*spend_auth_sig })[..]) {
|
|
|
|
|
Ok(sig) => sig,
|
|
|
|
|
Err(_) => return false,
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
// Verify the spend_auth_sig
|
|
|
|
|
if !rk.verify(
|
|
|
|
|
&data_to_be_signed,
|
|
|
|
|
&spend_auth_sig,
|
|
|
|
|
FixedGenerators::SpendingKeyGenerator,
|
|
|
|
|
&JUBJUB,
|
|
|
|
|
) {
|
|
|
|
|
return false;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Construct public input for circuit
|
|
|
|
|
let mut public_input = [Fr::zero(); 7];
|
|
|
|
|
{
|
|
|
|
|
let (x, y) = rk.0.into_xy();
|
|
|
|
|
public_input[0] = x;
|
|
|
|
|
public_input[1] = y;
|
|
|
|
|
}
|
|
|
|
|
{
|
|
|
|
|
let (x, y) = cv.into_xy();
|
|
|
|
|
public_input[2] = x;
|
|
|
|
|
public_input[3] = y;
|
|
|
|
|
}
|
|
|
|
|
public_input[4] = anchor;
|
|
|
|
|
|
|
|
|
|
// Add the nullifier through multiscalar packing
|
|
|
|
|
{
|
|
|
|
|
let nullifier = multipack::bytes_to_bits(nullifier);
|
|
|
|
|
let nullifier = multipack::compute_multipacking::<Bls12>(&nullifier);
|
|
|
|
|
|
|
|
|
|
assert_eq!(nullifier.len(), 2);
|
|
|
|
|
|
|
|
|
|
public_input[5] = nullifier[0];
|
|
|
|
|
public_input[6] = nullifier[1];
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Deserialize the proof
|
|
|
|
|
let zkproof = match Proof::<Bls12>::read(&(unsafe { &*zkproof })[..]) {
|
|
|
|
|
Ok(p) => p,
|
|
|
|
|
Err(_) => return false,
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
// Verify the proof
|
|
|
|
|
match verify_proof(
|
|
|
|
|
unsafe { SAPLING_SPEND_VK.as_ref() }.unwrap(),
|
|
|
|
|
&zkproof,
|
|
|
|
|
&public_input[..],
|
|
|
|
|
) {
|
|
|
|
|
// No error, and proof verification successful
|
|
|
|
|
Ok(true) => true,
|
|
|
|
|
|
|
|
|
|
// Any other case
|
|
|
|
|
_ => false,
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
#[no_mangle]
|
|
|
|
|
pub extern "system" fn librustzcash_sapling_check_output(
|
|
|
|
|
ctx: *mut SaplingVerificationContext,
|
|
|
|
|
cv: *const [c_uchar; 32],
|
|
|
|
|
cm: *const [c_uchar; 32],
|
|
|
|
|
epk: *const [c_uchar; 32],
|
|
|
|
|
zkproof: *const [c_uchar; GROTH_PROOF_SIZE],
|
|
|
|
|
) -> bool {
|
|
|
|
|
// Deserialize the value commitment
|
|
|
|
|
let cv = match edwards::Point::<Bls12, Unknown>::read(&(unsafe { &*cv })[..], &JUBJUB) {
|
|
|
|
|
Ok(p) => p,
|
|
|
|
|
Err(_) => return false,
|
|
|
|
|
};
|
|
|
|
|
|
2018-05-14 16:23:34 -06:00
|
|
|
if is_small_order(&cv) {
|
|
|
|
|
return false;
|
|
|
|
|
}
|
|
|
|
|
|
2018-05-07 19:22:07 -06:00
|
|
|
// Accumulate the value commitment in the context
|
|
|
|
|
{
|
|
|
|
|
let mut tmp = cv.clone();
|
|
|
|
|
tmp.negate(); // Outputs subtract from the total.
|
|
|
|
|
tmp = tmp.add(&unsafe { &*ctx }.bvk, &JUBJUB);
|
|
|
|
|
|
|
|
|
|
// Update the context
|
|
|
|
|
unsafe { &mut *ctx }.bvk = tmp;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Deserialize the commitment, which should be an element
|
|
|
|
|
// of Fr.
|
|
|
|
|
let cm = match Fr::from_repr(read_le(&(unsafe { &*cm })[..])) {
|
|
|
|
|
Ok(a) => a,
|
|
|
|
|
Err(_) => return false,
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
// Deserialize the ephemeral key
|
|
|
|
|
let epk = match edwards::Point::<Bls12, Unknown>::read(&(unsafe { &*epk })[..], &JUBJUB) {
|
|
|
|
|
Ok(p) => p,
|
|
|
|
|
Err(_) => return false,
|
|
|
|
|
};
|
|
|
|
|
|
2018-05-14 16:23:34 -06:00
|
|
|
if is_small_order(&epk) {
|
|
|
|
|
return false;
|
|
|
|
|
}
|
|
|
|
|
|
2018-05-07 19:22:07 -06:00
|
|
|
// Construct public input for circuit
|
|
|
|
|
let mut public_input = [Fr::zero(); 5];
|
|
|
|
|
{
|
|
|
|
|
let (x, y) = cv.into_xy();
|
|
|
|
|
public_input[0] = x;
|
|
|
|
|
public_input[1] = y;
|
|
|
|
|
}
|
|
|
|
|
{
|
|
|
|
|
let (x, y) = epk.into_xy();
|
|
|
|
|
public_input[2] = x;
|
|
|
|
|
public_input[3] = y;
|
|
|
|
|
}
|
|
|
|
|
public_input[4] = cm;
|
|
|
|
|
|
|
|
|
|
// Deserialize the proof
|
|
|
|
|
let zkproof = match Proof::<Bls12>::read(&(unsafe { &*zkproof })[..]) {
|
|
|
|
|
Ok(p) => p,
|
|
|
|
|
Err(_) => return false,
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
// Verify the proof
|
|
|
|
|
match verify_proof(
|
|
|
|
|
unsafe { SAPLING_OUTPUT_VK.as_ref() }.unwrap(),
|
|
|
|
|
&zkproof,
|
|
|
|
|
&public_input[..],
|
|
|
|
|
) {
|
|
|
|
|
// No error, and proof verification successful
|
|
|
|
|
Ok(true) => true,
|
|
|
|
|
|
|
|
|
|
// Any other case
|
|
|
|
|
_ => false,
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// This function computes `value` in the exponent of the value commitment base
|
|
|
|
|
fn compute_value_balance(value: int64_t) -> Option<edwards::Point<Bls12, Unknown>> {
|
|
|
|
|
// Compute the absolute value (failing if -i64::MAX is
|
|
|
|
|
// the value)
|
|
|
|
|
let abs = match value.checked_abs() {
|
|
|
|
|
Some(a) => a as u64,
|
|
|
|
|
None => return None,
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
// Is it negative? We'll have to negate later if so.
|
|
|
|
|
let is_negative = value.is_negative();
|
|
|
|
|
|
|
|
|
|
// Compute it in the exponent
|
|
|
|
|
let mut value_balance = JUBJUB
|
|
|
|
|
.generator(FixedGenerators::ValueCommitmentValue)
|
|
|
|
|
.mul(FsRepr::from(abs), &JUBJUB);
|
|
|
|
|
|
|
|
|
|
// Negate if necessary
|
|
|
|
|
if is_negative {
|
|
|
|
|
value_balance = value_balance.negate();
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Convert to unknown order point
|
|
|
|
|
Some(value_balance.into())
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
#[no_mangle]
|
|
|
|
|
pub extern "system" fn librustzcash_sapling_final_check(
|
|
|
|
|
ctx: *mut SaplingVerificationContext,
|
|
|
|
|
value_balance: int64_t,
|
|
|
|
|
binding_sig: *const [c_uchar; 64],
|
|
|
|
|
sighash_value: *const [c_uchar; 32],
|
|
|
|
|
) -> bool {
|
|
|
|
|
// Obtain current bvk from the context
|
|
|
|
|
let mut bvk = redjubjub::PublicKey(unsafe { &*ctx }.bvk.clone());
|
|
|
|
|
|
|
|
|
|
// Compute value balance
|
|
|
|
|
let mut value_balance = match compute_value_balance(value_balance) {
|
|
|
|
|
Some(a) => a,
|
|
|
|
|
None => return false,
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
// Subtract value_balance from current bvk to get final bvk
|
|
|
|
|
value_balance = value_balance.negate();
|
|
|
|
|
bvk.0 = bvk.0.add(&value_balance, &JUBJUB);
|
|
|
|
|
|
|
|
|
|
// Compute the signature's message for bvk/binding_sig
|
|
|
|
|
let mut data_to_be_signed = [0u8; 64];
|
|
|
|
|
bvk.0
|
|
|
|
|
.write(&mut data_to_be_signed[0..32])
|
|
|
|
|
.expect("bvk is 32 bytes");
|
|
|
|
|
(&mut data_to_be_signed[32..64]).copy_from_slice(&(unsafe { &*sighash_value })[..]);
|
|
|
|
|
|
|
|
|
|
// Deserialize the signature
|
|
|
|
|
let binding_sig = match Signature::read(&(unsafe { &*binding_sig })[..]) {
|
|
|
|
|
Ok(sig) => sig,
|
|
|
|
|
Err(_) => return false,
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
// Verify the binding_sig
|
|
|
|
|
if !bvk.verify(
|
|
|
|
|
&data_to_be_signed,
|
|
|
|
|
&binding_sig,
|
|
|
|
|
FixedGenerators::ValueCommitmentRandomness,
|
|
|
|
|
&JUBJUB,
|
|
|
|
|
) {
|
|
|
|
|
return false;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
true
|
|
|
|
|
}
|
2018-05-08 16:58:43 -06:00
|
|
|
|
|
|
|
|
#[no_mangle]
|
|
|
|
|
pub extern "system" fn librustzcash_sprout_prove(
|
|
|
|
|
proof_out: *mut [c_uchar; GROTH_PROOF_SIZE],
|
|
|
|
|
|
|
|
|
|
phi: *const [c_uchar; 32],
|
|
|
|
|
rt: *const [c_uchar; 32],
|
|
|
|
|
h_sig: *const [c_uchar; 32],
|
|
|
|
|
|
|
|
|
|
// First input
|
|
|
|
|
in_sk1: *const [c_uchar; 32],
|
|
|
|
|
in_value1: uint64_t,
|
|
|
|
|
in_rho1: *const [c_uchar; 32],
|
|
|
|
|
in_r1: *const [c_uchar; 32],
|
|
|
|
|
in_auth1: *const [c_uchar; 1 + 33 * SPROUT_TREE_DEPTH + 8],
|
|
|
|
|
|
|
|
|
|
// Second input
|
|
|
|
|
in_sk2: *const [c_uchar; 32],
|
|
|
|
|
in_value2: uint64_t,
|
|
|
|
|
in_rho2: *const [c_uchar; 32],
|
|
|
|
|
in_r2: *const [c_uchar; 32],
|
|
|
|
|
in_auth2: *const [c_uchar; 1 + 33 * SPROUT_TREE_DEPTH + 8],
|
|
|
|
|
|
|
|
|
|
// First output
|
|
|
|
|
out_pk1: *const [c_uchar; 32],
|
|
|
|
|
out_value1: uint64_t,
|
|
|
|
|
out_r1: *const [c_uchar; 32],
|
|
|
|
|
|
|
|
|
|
// Second output
|
|
|
|
|
out_pk2: *const [c_uchar; 32],
|
|
|
|
|
out_value2: uint64_t,
|
|
|
|
|
out_r2: *const [c_uchar; 32],
|
|
|
|
|
|
|
|
|
|
// Public value
|
|
|
|
|
vpub_old: uint64_t,
|
|
|
|
|
vpub_new: uint64_t,
|
|
|
|
|
) {
|
|
|
|
|
let phi = unsafe { *phi };
|
|
|
|
|
let rt = unsafe { *rt };
|
|
|
|
|
let h_sig = unsafe { *h_sig };
|
|
|
|
|
let in_sk1 = unsafe { *in_sk1 };
|
|
|
|
|
let in_rho1 = unsafe { *in_rho1 };
|
|
|
|
|
let in_r1 = unsafe { *in_r1 };
|
|
|
|
|
let in_auth1 = unsafe { *in_auth1 };
|
|
|
|
|
let in_sk2 = unsafe { *in_sk2 };
|
|
|
|
|
let in_rho2 = unsafe { *in_rho2 };
|
|
|
|
|
let in_r2 = unsafe { *in_r2 };
|
|
|
|
|
let in_auth2 = unsafe { *in_auth2 };
|
|
|
|
|
let out_pk1 = unsafe { *out_pk1 };
|
|
|
|
|
let out_r1 = unsafe { *out_r1 };
|
|
|
|
|
let out_pk2 = unsafe { *out_pk2 };
|
|
|
|
|
let out_r2 = unsafe { *out_r2 };
|
|
|
|
|
|
|
|
|
|
let mut inputs = Vec::with_capacity(2);
|
|
|
|
|
{
|
|
|
|
|
let mut handle_input = |sk, value, rho, r, mut auth: &[u8]| {
|
|
|
|
|
let value = Some(value);
|
|
|
|
|
let rho = Some(sprout::UniqueRandomness(rho));
|
|
|
|
|
let r = Some(sprout::CommitmentRandomness(r));
|
|
|
|
|
let a_sk = Some(sprout::SpendingKey(sk));
|
|
|
|
|
|
|
|
|
|
// skip the first byte
|
|
|
|
|
assert_eq!(auth[0], SPROUT_TREE_DEPTH as u8);
|
|
|
|
|
auth = &auth[1..];
|
|
|
|
|
|
|
|
|
|
let mut auth_path = [None; SPROUT_TREE_DEPTH];
|
|
|
|
|
for i in (0..SPROUT_TREE_DEPTH).rev() {
|
|
|
|
|
// skip length of inner vector
|
|
|
|
|
assert_eq!(auth[0], 32);
|
|
|
|
|
auth = &auth[1..];
|
|
|
|
|
|
|
|
|
|
let mut sibling = [0u8; 32];
|
|
|
|
|
sibling.copy_from_slice(&auth[0..32]);
|
|
|
|
|
auth = &auth[32..];
|
|
|
|
|
|
|
|
|
|
auth_path[i] = Some((sibling, false));
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
let mut position = auth.read_u64::<LittleEndian>()
|
|
|
|
|
.expect("should have had index at the end");
|
|
|
|
|
|
|
|
|
|
for i in 0..SPROUT_TREE_DEPTH {
|
|
|
|
|
auth_path[i].as_mut().map(|p| p.1 = (position & 1) == 1);
|
|
|
|
|
|
|
|
|
|
position >>= 1;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
inputs.push(sprout::JSInput {
|
|
|
|
|
value: value,
|
|
|
|
|
a_sk: a_sk,
|
|
|
|
|
rho: rho,
|
|
|
|
|
r: r,
|
|
|
|
|
auth_path: auth_path,
|
|
|
|
|
});
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
handle_input(in_sk1, in_value1, in_rho1, in_r1, &in_auth1[..]);
|
|
|
|
|
handle_input(in_sk2, in_value2, in_rho2, in_r2, &in_auth2[..]);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
let mut outputs = Vec::with_capacity(2);
|
|
|
|
|
{
|
|
|
|
|
let mut handle_output = |a_pk, value, r| {
|
|
|
|
|
outputs.push(sprout::JSOutput {
|
|
|
|
|
value: Some(value),
|
|
|
|
|
a_pk: Some(sprout::PayingKey(a_pk)),
|
|
|
|
|
r: Some(sprout::CommitmentRandomness(r)),
|
|
|
|
|
});
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
handle_output(out_pk1, out_value1, out_r1);
|
|
|
|
|
handle_output(out_pk2, out_value2, out_r2);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
let js = sprout::JoinSplit {
|
|
|
|
|
vpub_old: Some(vpub_old),
|
|
|
|
|
vpub_new: Some(vpub_new),
|
|
|
|
|
h_sig: Some(h_sig),
|
|
|
|
|
phi: Some(phi),
|
|
|
|
|
inputs: inputs,
|
|
|
|
|
outputs: outputs,
|
|
|
|
|
rt: Some(rt),
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
// Load parameters from disk
|
|
|
|
|
let sprout_fs = File::open(
|
|
|
|
|
unsafe { &SPROUT_GROTH16_PARAMS_PATH }
|
|
|
|
|
.as_ref()
|
|
|
|
|
.expect("parameters should have been initialized"),
|
|
|
|
|
).expect("couldn't load Sprout groth16 parameters file");
|
|
|
|
|
|
|
|
|
|
let mut sprout_fs = BufReader::with_capacity(1024 * 1024, sprout_fs);
|
|
|
|
|
|
|
|
|
|
let params = Parameters::<Bls12>::read(&mut sprout_fs, false)
|
|
|
|
|
.expect("couldn't deserialize Sprout JoinSplit parameters file");
|
|
|
|
|
|
|
|
|
|
drop(sprout_fs);
|
|
|
|
|
|
|
|
|
|
// Initialize secure RNG
|
|
|
|
|
let mut rng = OsRng::new().expect("should be able to construct RNG");
|
|
|
|
|
|
|
|
|
|
let proof = create_random_proof(js, ¶ms, &mut rng).expect("proving should not fail");
|
|
|
|
|
|
|
|
|
|
proof
|
|
|
|
|
.write(&mut (unsafe { &mut *proof_out })[..])
|
|
|
|
|
.expect("should be able to serialize a proof");
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
#[no_mangle]
|
|
|
|
|
pub extern "system" fn librustzcash_sprout_verify(
|
|
|
|
|
proof: *const [c_uchar; GROTH_PROOF_SIZE],
|
|
|
|
|
rt: *const [c_uchar; 32],
|
|
|
|
|
h_sig: *const [c_uchar; 32],
|
|
|
|
|
mac1: *const [c_uchar; 32],
|
|
|
|
|
mac2: *const [c_uchar; 32],
|
|
|
|
|
nf1: *const [c_uchar; 32],
|
|
|
|
|
nf2: *const [c_uchar; 32],
|
|
|
|
|
cm1: *const [c_uchar; 32],
|
|
|
|
|
cm2: *const [c_uchar; 32],
|
|
|
|
|
vpub_old: uint64_t,
|
|
|
|
|
vpub_new: uint64_t,
|
|
|
|
|
) -> bool {
|
|
|
|
|
// Prepare the public input for the verifier
|
|
|
|
|
let mut public_input = Vec::with_capacity((32 * 8) + (8 * 2));
|
|
|
|
|
public_input.extend(unsafe { &(&*rt)[..] });
|
|
|
|
|
public_input.extend(unsafe { &(&*h_sig)[..] });
|
|
|
|
|
public_input.extend(unsafe { &(&*nf1)[..] });
|
|
|
|
|
public_input.extend(unsafe { &(&*mac1)[..] });
|
|
|
|
|
public_input.extend(unsafe { &(&*nf2)[..] });
|
|
|
|
|
public_input.extend(unsafe { &(&*mac2)[..] });
|
|
|
|
|
public_input.extend(unsafe { &(&*cm1)[..] });
|
|
|
|
|
public_input.extend(unsafe { &(&*cm2)[..] });
|
|
|
|
|
public_input.write_u64::<LittleEndian>(vpub_old).unwrap();
|
|
|
|
|
public_input.write_u64::<LittleEndian>(vpub_new).unwrap();
|
|
|
|
|
|
|
|
|
|
let public_input = multipack::bytes_to_bits(&public_input);
|
|
|
|
|
let public_input = multipack::compute_multipacking::<Bls12>(&public_input);
|
|
|
|
|
|
|
|
|
|
let proof = match Proof::read(unsafe { &(&*proof)[..] }) {
|
|
|
|
|
Ok(p) => p,
|
|
|
|
|
Err(_) => return false,
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
// Verify the proof
|
|
|
|
|
match verify_proof(
|
|
|
|
|
unsafe { SPROUT_GROTH16_VK.as_ref() }.expect("parameters should have been initialized"),
|
|
|
|
|
&proof,
|
|
|
|
|
&public_input[..],
|
|
|
|
|
) {
|
|
|
|
|
// No error, and proof verification successful
|
|
|
|
|
Ok(true) => true,
|
|
|
|
|
|
|
|
|
|
// Any other case
|
|
|
|
|
_ => false,
|
|
|
|
|
}
|
|
|
|
|
}
|
