Qortal/pirate-librustzcash
1
0
Fork 1
mirror of https://github.com/Qortal/pirate-librustzcash.git synced 2025-07-31 12:31:22 +00:00
Code Issues Packages Projects Releases Wiki Activity

Move redjubjub into zcash_primitives

Browse Source
This commit is contained in:
Jack Grigg
2019-05-04 17:47:18 +01:00
parent f931562431
commit 7ea6d10480
17 changed files with 36 additions and 31 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
zcash_primitives/Cargo.toml
View File

@@ -20,3 +20,6 @@ rand_core = "0.5"
rand_os = "0.2"
sapling-crypto = { path = "../sapling-crypto" }
sha2 = "0.8"
[dev-dependencies]
rand_xorshift = "0.2"

5
zcash_primitives/src/lib.rs
View File

@@ -15,6 +15,9 @@ extern crate rand_os;
extern crate sapling_crypto;
extern crate sha2;
#[cfg(test)]
extern crate rand_xorshift;
use sapling_crypto::jubjub::JubjubBls12;
pub mod block;
@@ -23,9 +26,11 @@ pub mod legacy;
pub mod merkle_tree;
pub mod note_encryption;
pub mod prover;
pub mod redjubjub;
pub mod sapling;
mod serialize;
pub mod transaction;
mod util;
pub mod zip32;
#[cfg(test)]

4
zcash_primitives/src/prover.rs
View File

@@ -4,11 +4,11 @@ use pairing::bls12_381::{Bls12, Fr};
use sapling_crypto::{
jubjub::{edwards, fs::Fs, Unknown},
primitives::{Diversifier, PaymentAddress, ProofGenerationKey},
redjubjub::{PublicKey, Signature},
};
use crate::{
merkle_tree::CommitmentTreeWitness,
redjubjub::{PublicKey, Signature},
sapling::Node,
transaction::components::{Amount, GROTH_PROOF_SIZE},
};
@@ -78,11 +78,11 @@ pub(crate) mod mock {
use sapling_crypto::{
jubjub::{edwards, fs::Fs, FixedGenerators, Unknown},
primitives::{Diversifier, PaymentAddress, ProofGenerationKey, ValueCommitment},
redjubjub::{PublicKey, Signature},
};
use crate::{
merkle_tree::CommitmentTreeWitness,
redjubjub::{PublicKey, Signature},
sapling::Node,
transaction::components::{Amount, GROTH_PROOF_SIZE},
JUBJUB,

358
zcash_primitives/src/redjubjub.rs Normal file
View File

@@ -0,0 +1,358 @@
//! Implementation of RedJubjub, a specialization of RedDSA to the Jubjub curve.
//! See section 5.4.6 of the Sapling protocol specification.
use ff::{Field, PrimeField, PrimeFieldRepr};
use rand_core::RngCore;
use sapling_crypto::jubjub::{
edwards::Point, FixedGenerators, JubjubEngine, JubjubParams, Unknown,
};
use std::io::{self, Read, Write};
use util::hash_to_scalar;
fn read_scalar<E: JubjubEngine, R: Read>(reader: R) -> io::Result<E::Fs> {
let mut s_repr = <E::Fs as PrimeField>::Repr::default();
s_repr.read_le(reader)?;
match E::Fs::from_repr(s_repr) {
Ok(s) => Ok(s),
Err(_) => Err(io::Error::new(
io::ErrorKind::InvalidInput,
"scalar is not in field",
)),
}
}
fn write_scalar<E: JubjubEngine, W: Write>(s: &E::Fs, writer: W) -> io::Result<()> {
s.into_repr().write_le(writer)
}
fn h_star<E: JubjubEngine>(a: &[u8], b: &[u8]) -> E::Fs {
hash_to_scalar::<E>(b"Zcash_RedJubjubH", a, b)
}
#[derive(Copy, Clone, Debug)]
pub struct Signature {
rbar: [u8; 32],
sbar: [u8; 32],
}
pub struct PrivateKey<E: JubjubEngine>(pub E::Fs);
#[derive(Debug)]
pub struct PublicKey<E: JubjubEngine>(pub Point<E, Unknown>);
impl Signature {
pub fn read<R: Read>(mut reader: R) -> io::Result<Self> {
let mut rbar = [0u8; 32];
let mut sbar = [0u8; 32];
reader.read_exact(&mut rbar)?;
reader.read_exact(&mut sbar)?;
Ok(Signature { rbar, sbar })
}
pub fn write<W: Write>(&self, mut writer: W) -> io::Result<()> {
writer.write_all(&self.rbar)?;
writer.write_all(&self.sbar)
}
}
impl<E: JubjubEngine> PrivateKey<E> {
pub fn randomize(&self, alpha: E::Fs) -> Self {
let mut tmp = self.0;
tmp.add_assign(&alpha);
PrivateKey(tmp)
}
pub fn read<R: Read>(reader: R) -> io::Result<Self> {
let pk = read_scalar::<E, R>(reader)?;
Ok(PrivateKey(pk))
}
pub fn write<W: Write>(&self, writer: W) -> io::Result<()> {
write_scalar::<E, W>(&self.0, writer)
}
pub fn sign<R: RngCore>(
&self,
msg: &[u8],
rng: &mut R,
p_g: FixedGenerators,
params: &E::Params,
) -> Signature {
// T = (l_H + 128) bits of randomness
// For H*, l_H = 512 bits
let mut t = [0u8; 80];
rng.fill_bytes(&mut t[..]);
// r = H*(T || M)
let r = h_star::<E>(&t[..], msg);
// R = r . P_G
let r_g = params.generator(p_g).mul(r, params);
let mut rbar = [0u8; 32];
r_g.write(&mut rbar[..])
.expect("Jubjub points should serialize to 32 bytes");
// S = r + H*(Rbar || M) . sk
let mut s = h_star::<E>(&rbar[..], msg);
s.mul_assign(&self.0);
s.add_assign(&r);
let mut sbar = [0u8; 32];
write_scalar::<E, &mut [u8]>(&s, &mut sbar[..])
.expect("Jubjub scalars should serialize to 32 bytes");
Signature { rbar, sbar }
}
}
impl<E: JubjubEngine> PublicKey<E> {
pub fn from_private(privkey: &PrivateKey<E>, p_g: FixedGenerators, params: &E::Params) -> Self {
let res = params.generator(p_g).mul(privkey.0, params).into();
PublicKey(res)
}
pub fn randomize(&self, alpha: E::Fs, p_g: FixedGenerators, params: &E::Params) -> Self {
let res: Point<E, Unknown> = params.generator(p_g).mul(alpha, params).into();
let res = res.add(&self.0, params);
PublicKey(res)
}
pub fn read<R: Read>(reader: R, params: &E::Params) -> io::Result<Self> {
let p = Point::read(reader, params)?;
Ok(PublicKey(p))
}
pub fn write<W: Write>(&self, writer: W) -> io::Result<()> {
self.0.write(writer)
}
pub fn verify(
&self,
msg: &[u8],
sig: &Signature,
p_g: FixedGenerators,
params: &E::Params,
) -> bool {
// c = H*(Rbar || M)
let c = h_star::<E>(&sig.rbar[..], msg);
// Signature checks:
// R != invalid
let r = match Point::read(&sig.rbar[..], params) {
Ok(r) => r,
Err(_) => return false,
};
// S < order(G)
// (E::Fs guarantees its representation is in the field)
let s = match read_scalar::<E, &[u8]>(&sig.sbar[..]) {
Ok(s) => s,
Err(_) => return false,
};
// 0 = h_G(-S . P_G + R + c . vk)
self.0.mul(c, params).add(&r, params).add(
&params.generator(p_g).mul(s, params).negate().into(),
params
).mul_by_cofactor(params).eq(&Point::zero())
}
}
pub struct BatchEntry<'a, E: JubjubEngine> {
vk: PublicKey<E>,
msg: &'a [u8],
sig: Signature,
}
// TODO: #82: This is a naive implementation currently,
// and doesn't use multiexp.
pub fn batch_verify<'a, E: JubjubEngine, R: RngCore>(
rng: &mut R,
batch: &[BatchEntry<'a, E>],
p_g: FixedGenerators,
params: &E::Params,
) -> bool
{
let mut acc = Point::<E, Unknown>::zero();
for entry in batch {
let mut r = match Point::<E, Unknown>::read(&entry.sig.rbar[..], params) {
Ok(r) => r,
Err(_) => return false,
};
let mut s = match read_scalar::<E, &[u8]>(&entry.sig.sbar[..]) {
Ok(s) => s,
Err(_) => return false,
};
let mut c = h_star::<E>(&entry.sig.rbar[..], entry.msg);
let z = E::Fs::random(rng);
s.mul_assign(&z);
s.negate();
r = r.mul(z, params);
c.mul_assign(&z);
acc = acc.add(&r, params);
acc = acc.add(&entry.vk.0.mul(c, params), params);
acc = acc.add(&params.generator(p_g).mul(s, params).into(), params);
}
acc = acc.mul_by_cofactor(params).into();
acc.eq(&Point::zero())
}
#[cfg(test)]
mod tests {
use pairing::bls12_381::Bls12;
use rand_core::SeedableRng;
use rand_xorshift::XorShiftRng;
use sapling_crypto::jubjub::{edwards, fs::Fs, JubjubBls12};
use super::*;
#[test]
fn test_batch_verify() {
let rng = &mut XorShiftRng::from_seed([
0x59, 0x62, 0xbe, 0x5d, 0x76, 0x3d, 0x31, 0x8d, 0x17, 0xdb, 0x37, 0x32, 0x54, 0x06, 0xbc,
0xe5,
]);
let params = &JubjubBls12::new();
let p_g = FixedGenerators::SpendingKeyGenerator;
let sk1 = PrivateKey::<Bls12>(Fs::random(rng));
let vk1 = PublicKey::from_private(&sk1, p_g, params);
let msg1 = b"Foo bar";
let sig1 = sk1.sign(msg1, rng, p_g, params);
assert!(vk1.verify(msg1, &sig1, p_g, params));
let sk2 = PrivateKey::<Bls12>(Fs::random(rng));
let vk2 = PublicKey::from_private(&sk2, p_g, params);
let msg2 = b"Foo bar";
let sig2 = sk2.sign(msg2, rng, p_g, params);
assert!(vk2.verify(msg2, &sig2, p_g, params));
let mut batch = vec![
BatchEntry { vk: vk1, msg: msg1, sig: sig1 },
BatchEntry { vk: vk2, msg: msg2, sig: sig2 }
];
assert!(batch_verify(rng, &batch, p_g, params));
batch[0].sig = sig2;
assert!(!batch_verify(rng, &batch, p_g, params));
}
#[test]
fn cofactor_check() {
let rng = &mut XorShiftRng::from_seed([
0x59, 0x62, 0xbe, 0x5d, 0x76, 0x3d, 0x31, 0x8d, 0x17, 0xdb, 0x37, 0x32, 0x54, 0x06, 0xbc,
0xe5,
]);
let params = &JubjubBls12::new();
let zero = edwards::Point::zero();
let p_g = FixedGenerators::SpendingKeyGenerator;
// Get a point of order 8
let p8 = loop {
let r = edwards::Point::<Bls12, _>::rand(rng, params).mul(Fs::char(), params);
let r2 = r.double(params);
let r4 = r2.double(params);
let r8 = r4.double(params);
if r2 != zero && r4 != zero && r8 == zero {
break r;
}
};
let sk = PrivateKey::<Bls12>(Fs::random(rng));
let vk = PublicKey::from_private(&sk, p_g, params);
// TODO: This test will need to change when #77 is fixed
let msg = b"Foo bar";
let sig = sk.sign(msg, rng, p_g, params);
assert!(vk.verify(msg, &sig, p_g, params));
let vktorsion = PublicKey(vk.0.add(&p8, params));
assert!(vktorsion.verify(msg, &sig, p_g, params));
}
#[test]
fn round_trip_serialization() {
let rng = &mut XorShiftRng::from_seed([
0x59, 0x62, 0xbe, 0x5d, 0x76, 0x3d, 0x31, 0x8d, 0x17, 0xdb, 0x37, 0x32, 0x54, 0x06, 0xbc,
0xe5,
]);
let p_g = FixedGenerators::SpendingKeyGenerator;
let params = &JubjubBls12::new();
for _ in 0..1000 {
let sk = PrivateKey::<Bls12>(Fs::random(rng));
let vk = PublicKey::from_private(&sk, p_g, params);
let msg = b"Foo bar";
let sig = sk.sign(msg, rng, p_g, params);
let mut sk_bytes = [0u8; 32];
let mut vk_bytes = [0u8; 32];
let mut sig_bytes = [0u8; 64];
sk.write(&mut sk_bytes[..]).unwrap();
vk.write(&mut vk_bytes[..]).unwrap();
sig.write(&mut sig_bytes[..]).unwrap();
let sk_2 = PrivateKey::<Bls12>::read(&sk_bytes[..]).unwrap();
let vk_2 = PublicKey::from_private(&sk_2, p_g, params);
let mut vk_2_bytes = [0u8; 32];
vk_2.write(&mut vk_2_bytes[..]).unwrap();
assert!(vk_bytes == vk_2_bytes);
let vk_2 = PublicKey::<Bls12>::read(&vk_bytes[..], params).unwrap();
let sig_2 = Signature::read(&sig_bytes[..]).unwrap();
assert!(vk.verify(msg, &sig_2, p_g, params));
assert!(vk_2.verify(msg, &sig, p_g, params));
assert!(vk_2.verify(msg, &sig_2, p_g, params));
}
}
#[test]
fn random_signatures() {
let rng = &mut XorShiftRng::from_seed([
0x59, 0x62, 0xbe, 0x5d, 0x76, 0x3d, 0x31, 0x8d, 0x17, 0xdb, 0x37, 0x32, 0x54, 0x06, 0xbc,
0xe5,
]);
let p_g = FixedGenerators::SpendingKeyGenerator;
let params = &JubjubBls12::new();
for _ in 0..1000 {
let sk = PrivateKey::<Bls12>(Fs::random(rng));
let vk = PublicKey::from_private(&sk, p_g, params);
let msg1 = b"Foo bar";
let msg2 = b"Spam eggs";
let sig1 = sk.sign(msg1, rng, p_g, params);
let sig2 = sk.sign(msg2, rng, p_g, params);
assert!(vk.verify(msg1, &sig1, p_g, params));
assert!(vk.verify(msg2, &sig2, p_g, params));
assert!(!vk.verify(msg1, &sig2, p_g, params));
assert!(!vk.verify(msg2, &sig1, p_g, params));
let alpha = Fs::random(rng);
let rsk = sk.randomize(alpha);
let rvk = vk.randomize(alpha, p_g, params);
let sig1 = rsk.sign(msg1, rng, p_g, params);
let sig2 = rsk.sign(msg2, rng, p_g, params);
assert!(rvk.verify(msg1, &sig1, p_g, params));
assert!(rvk.verify(msg2, &sig2, p_g, params));
assert!(!rvk.verify(msg1, &sig2, p_g, params));
assert!(!rvk.verify(msg2, &sig1, p_g, params));
}
}
}

2
zcash_primitives/src/sapling.rs
View File

@@ -7,11 +7,11 @@ use sapling_crypto::{
jubjub::{fs::Fs, FixedGenerators, JubjubBls12},
pedersen_hash::{pedersen_hash, Personalization},
primitives::Note,
redjubjub::{PrivateKey, PublicKey, Signature},
};
use std::io::{self, Read, Write};
use crate::merkle_tree::Hashable;
use crate::redjubjub::{PrivateKey, PublicKey, Signature};
use JUBJUB;
pub(crate) const SAPLING_COMMITMENT_TREE_DEPTH: usize =

2
zcash_primitives/src/transaction/builder.rs
View File

@@ -6,7 +6,6 @@ use rand::{rngs::OsRng, seq::SliceRandom, CryptoRng, RngCore};
use sapling_crypto::{
jubjub::fs::Fs,
primitives::{Diversifier, Note, PaymentAddress},
redjubjub::PrivateKey,
};
use zip32::ExtendedSpendingKey;
@@ -16,6 +15,7 @@ use crate::{
merkle_tree::{CommitmentTreeWitness, IncrementalWitness},
note_encryption::{generate_esk, Memo, SaplingNoteEncryption},
prover::TxProver,
redjubjub::PrivateKey,
sapling::{spend_sig, Node},
transaction::{
components::{amount::DEFAULT_FEE, Amount, OutputDescription, SpendDescription, TxOut},

6
zcash_primitives/src/transaction/components.rs
View File

@@ -1,13 +1,11 @@
use byteorder::{LittleEndian, ReadBytesExt, WriteBytesExt};
use ff::{PrimeField, PrimeFieldRepr};
use pairing::bls12_381::{Bls12, Fr, FrRepr};
use sapling_crypto::{
jubjub::{edwards, Unknown},
redjubjub::{PublicKey, Signature},
};
use sapling_crypto::jubjub::{edwards, Unknown};
use std::io::{self, Read, Write};
use legacy::Script;
use redjubjub::{PublicKey, Signature};
use JUBJUB;
pub mod amount;

2
zcash_primitives/src/transaction/mod.rs
View File

@@ -1,11 +1,11 @@
use byteorder::{LittleEndian, ReadBytesExt, WriteBytesExt};
use hex;
use sapling_crypto::redjubjub::Signature;
use sha2::{Digest, Sha256};
use std::fmt;
use std::io::{self, Read, Write};
use std::ops::Deref;
use redjubjub::Signature;
use serialize::Vector;
pub mod builder;

6
zcash_primitives/src/transaction/tests.rs
View File

@@ -1,13 +1,11 @@
use ff::Field;
use pairing::bls12_381::Bls12;
use rand_os::OsRng;
use sapling_crypto::{
jubjub::{fs::Fs, FixedGenerators},
redjubjub::PrivateKey,
};
use sapling_crypto::jubjub::{fs::Fs, FixedGenerators};
use super::{components::Amount, sighash::signature_hash, Transaction, TransactionData};
use legacy::Script;
use redjubjub::PrivateKey;
use JUBJUB;
#[test]

10
zcash_primitives/src/util.rs Normal file
View File

@@ -0,0 +1,10 @@
use blake2b_simd::Params;
use sapling_crypto::jubjub::{JubjubEngine, ToUniform};
pub fn hash_to_scalar<E: JubjubEngine>(persona: &[u8], a: &[u8], b: &[u8]) -> E::Fs {
let mut hasher = Params::new().hash_length(64).personal(persona).to_state();
hasher.update(a);
hasher.update(b);
let ret = hasher.finalize();
E::Fs::to_uniform(ret.as_ref())
}