zanocrypto

package
v0.0.2 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Mar 10, 2025 License: MIT Imports: 18 Imported by: 0

Documentation

Index

Constants

This section is empty.

Variables

View Source 
var (
	CRYPTO_HDS_CLSAG_GGX_LAYER_0   = []byte("ZANO_HDS_CLSAG_GGX_LAYER_ZERO__\x00")
	CRYPTO_HDS_CLSAG_GGX_LAYER_1   = []byte("ZANO_HDS_CLSAG_GGX_LAYER_ONE___\x00")
	CRYPTO_HDS_CLSAG_GGX_LAYER_2   = []byte("ZANO_HDS_CLSAG_GGX_LAYER_TWO___\x00")
	CRYPTO_HDS_CLSAG_GGX_CHALLENGE = []byte("ZANO_HDS_CLSAG_GGX_CHALLENGE___\x00")
)
View Source 
var (
	/* A = 2 * (1 - d) / (1 + d) = 486662 */
	FeMa2   = must(FieldFromInt10([10]int64{-12721188, -3529, 0, 0, 0, 0, 0, 0, 0, 0}))                                                               // -A^2
	FeMa    = must(FieldFromInt10([10]int64{-486662, 0, 0, 0, 0, 0, 0, 0, 0, 0}))                                                                     // -A
	FeFffb1 = must(FieldFromInt10([10]int64{-31702527, -2466483, -26106795, -12203692, -12169197, -321052, 14850977, -10296299, -16929438, -407568})) // sqrt(-2 * A * (A + 2))
	FeFffb2 = must(FieldFromInt10([10]int64{8166131, -6741800, -17040804, 3154616, 21461005, 1466302, -30876704, -6368709, 10503587, -13363080}))     // sqrt(2 * A * (A + 2))
	FeFffb3 = must(FieldFromInt10([10]int64{-13620103, 14639558, 4532995, 7679154, 16815101, -15883539, -22863840, -14813421, 13716513, -6477756}))   // sqrt(-sqrt(-1) * A * (A + 2))
	FeFffb4 = must(FieldFromInt10([10]int64{-21786234, -12173074, 21573800, 4524538, -4645904, 16204591, 8012863, -8444712, 3212926, 6885324}))       // sqrt(sqrt(-1) * A * (A + 2))

	// sqrt(x) is such an integer y that 0 <= y <= p - 1, y % 2 = 0, and y^2 = x (mod p).
	// d = -121665 / 121666
	FeD      = must(FieldFromInt10([10]int64{-10913610, 13857413, -15372611, 6949391, 114729, -8787816, -6275908, -3247719, -18696448, -12055116})) // d
	FeSqrtM1 = must(FieldFromInt10([10]int64{-32595792, -7943725, 9377950, 3500415, 12389472, -272473, -25146209, -2005654, 326686, 11406482}))     // sqrt(-1)
	FeD2     = must(FieldFromInt10([10]int64{-21827239, -5839606, -30745221, 13898782, 229458, 15978800, -12551817, -6495438, 29715968, 9444199}))  // 2 * d

	SqrtM1 = must(FieldFromInt10([10]int64{-32595792, -7943725, 9377950, 3500415, 12389472, -272473, -25146209, -2005654, 326686, 11406482}))
)
View Source 
var (
	C_point_0 = precompHelper(
		[10]int64{0, 0, 0, 0, 0, 0, 0, 0, 0, 0},
		[10]int64{1, 0, 0, 0, 0, 0, 0, 0, 0, 0},
		[10]int64{1, 0, 0, 0, 0, 0, 0, 0, 0, 0},
		[10]int64{0, 0, 0, 0, 0, 0, 0, 0, 0, 0},
	)
	C_point_G = precompHelper(
		[10]int64{25485296, 5318399, 8791791, -8299916, -14349720, 6939349, -3324311, -7717049, 7287234, -6577708},
		[10]int64{-758052, -1832720, 13046421, -4857925, 6576754, 14371947, -13139572, 6845540, -2198883, -4003719},
		[10]int64{-947565, 6097708, -469190, 10704810, -8556274, -15589498, -16424464, -16608899, 14028613, -5004649},
		[10]int64{6966464, -2456167, 7033433, 6781840, 28785542, 12262365, -2659449, 13959020, -21013759, -5262166},
	)
	C_point_H = precompHelper(
		[10]int64{20574939, 16670001, -29137604, 14614582, 24883426, 3503293, 2667523, 420631, 2267646, -4769165},
		[10]int64{-11764015, -12206428, -14187565, -2328122, -16242653, -788308, -12595746, -8251557, -10110987, 853396},
		[10]int64{-4982135, 6035602, -21214320, 16156349, 977218, 2807645, 31002271, 5694305, -16054128, 5644146},
		[10]int64{-15047429, -568775, -22568195, -8089957, -27721961, -10101877, -29459620, -13359100, -31515170, -6994674},
	)
	NativeCoinAssetIdPt = C_point_H
	C_point_H2          = precompHelper(
		[10]int64{1318371, 14804112, 12545972, -13482561, -12089798, -16020744, -21221907, -8410994, -33080606, 11275578},
		[10]int64{3807637, 11185450, -23227561, -12892068, 1356866, -1025012, -8022738, -8139671, -20315029, -13916324},
		[10]int64{-6475650, -7025596, 12403179, -5139984, -12068178, 10445584, -14826705, -4927780, 13964546, 12525942},
		[10]int64{-2314107, -10566315, 32243863, 15603849, 5154154, 4276633, -20918372, -15718796, -26386151, 8434696},
	)
	C_point_U = precompHelper(
		[10]int64{30807552, 984924, 23426137, -5598760, 7545909, 16325843, 993742, 2594106, -31962071, -959867},
		[10]int64{16454190, -4091093, 1197656, 13586872, -9269020, -14133290, 1869274, 13360979, -24627258, -10663086},
		[10]int64{2212027, 1198856, 20515811, 15870563, -23833732, 9839517, -19416306, 11567295, -4212053, 348531},
		[10]int64{-2671541, 484270, -19128078, 1236698, -16002690, 9321345, 9776066, 10711838, 11187722, -16371275},
	)
	C_point_X = precompHelper(
		[10]int64{25635916, -5459446, 5768861, 5666160, -6357364, -12939311, 29490001, -4543704, -31266450, -2582476},
		[10]int64{23705213, 9562626, -716512, 16560168, 7947407, 2039790, -2752711, 4742449, 3356761, 16338966},
		[10]int64{17303421, -5790717, -5684800, 12062431, -3307947, 8139265, -26544839, 12058874, 3452748, 3359034},
		[10]int64{26514848, -6060876, 31255039, 11154418, -21741975, -3782423, -19871841, 5729859, 21754676, -12454027},
	)
	C_point_H_plus_G = precompHelper(
		[10]int64{12291435, 3330843, -3390294, 13894858, -1099584, -6848191, 12040668, -15950068, -7494633, 12566672},
		[10]int64{-5526901, -16645799, -31081168, -1095427, -13082463, 4573480, -11255691, 4344628, 33477173, 11137213},
		[10]int64{-3837023, -12436594, -8471924, -814016, 10785607, 9492721, 10992667, 7406385, -5687296, -127915},
		[10]int64{-6229107, -9324867, 558657, 6493750, 4895261, 12642545, 9549220, 696086, 21894285, -10521807},
	)
	C_point_H_minus_G = precompHelper(
		[10]int64{-28347682, 3523701, -3380175, -14453727, 4238027, -6032522, 20235758, 4091609, 12557126, -8064113},
		[10]int64{4212476, -13419094, -114185, -7650727, -24238, 16663404, 23676363, -6819610, 18286466, 8714527},
		[10]int64{-3837023, -12436594, -8471924, -814016, 10785607, 9492721, 10992667, 7406385, -5687296, -127915},
		[10]int64{-20450317, 13815641, -11604061, -447489, 27380225, 9400847, -8551293, -1173627, -28110171, 14241295},
	)
)
View Source 
var (
	ScZero  = initSc([32]byte{})
	ScOne   = initSc([32]byte{1})
	ScM1    = new(edwards25519.Scalar).Negate(ScOne)
	Sc1div8 = initSc([32]byte{
		0x79, 0x2f, 0xdc, 0xe2, 0x29, 0xe5, 0x06, 0x61,
		0xd0, 0xda, 0x1c, 0x7d, 0xb3, 0x9d, 0xd3, 0x07,
		0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
		0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x06,
	})
	Sc2p64 = initSc([32]byte{
		0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
		0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
		0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
		0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
	})
	/*
		// Cannot set a scalar to L because that is the maximum value + 1
		ScL = initSc([32]byte{
			0xed, 0xd3, 0xf5, 0x5c, 0x1a, 0x63, 0x12, 0x58,
			0xd6, 0x9c, 0xf7, 0xa2, 0xde, 0xf9, 0xde, 0x14,
			0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
			0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10,
		})*/
	ScLm1 = initSc([32]byte{
		0xec, 0xd3, 0xf5, 0x5c, 0x1a, 0x63, 0x12, 0x58,
		0xd6, 0x9c, 0xf7, 0xa2, 0xde, 0xf9, 0xde, 0x14,
		0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
		0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10,
	})
)
View Source 
var (
	TraitZCout    = makeTrait("UGX", 64, 32)
	TraitZarcanum = makeTrait("HGX", 128, 16)
)

Functions

func ChaCha8 

func ChaCha8(key, nonce, in []byte) ([]byte, error)

ChaCha8 applies the ChaCha8 stream cipher to `in` using the 32-byte key `key` and the 8-byte nonce `nonce`. It returns a new slice containing the result. This function both encrypts and decrypts (XOR cipher) in the same call.

func ChaCha8GenerateKey 

func ChaCha8GenerateKey(seed []byte) ([]byte, error)

func ComputeKeyImage 

func ComputeKeyImage(spendPriv *edwards25519.Scalar, spendPub *edwards25519.Point) (*edwards25519.Point, error)

ComputeKeyImage computes the key image for a given spend key.

func DerivationHint 

func DerivationHint(derivation *edwards25519.Point) uint16

func DerivePublicKey 

func DerivePublicKey(derivation []byte, outputIndex uint64, basePublic *edwards25519.Point) (*edwards25519.Point, error)

func DeriveSecretKey 

func DeriveSecretKey(derivation []byte, outputIndex uint64, baseSecret *edwards25519.Scalar) (*edwards25519.Scalar, error)

func FeDivPowM1 

func FeDivPowM1(u, z, y *field.Element) *field.Element

FeDivPowM1 sets u = z / y * (z / y)^((p-5)/8) in the field GF(2^255 - 19), following the "ref10" formula: 

t1 = 1 / y
t0 = z * t1                 // t0 = z / y
t0 = t0^((2^255) - 21)      // Pow22523(t0)
t0 = t0 * z                 // multiply by z
u = t0 * t1                 // multiply by (1 / y)

Note: Pow22523 implements raising the argument to the power (2^255 - 21), which is used in various places (e.g. sqrt checks, ratio calculations) in the Ed25519/Curve25519 reference code.

func FeToBytes 

func FeToBytes[T ~int32 | ~int64](s *[32]byte, h *[10]T)

FeToBytes marshals h to s. Preconditions: 

|h| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc.

Write p=2^255-19; q=floor(h/p). Basic claim: q = floor(2^(-255)(h + 19 2^(-25)h9 + 2^(-1))).

Proof: 

Have |h|<=p so |q|<=1 so |19^2 2^(-255) q|<1/4.
Also have |h-2^230 h9|<2^230 so |19 2^(-255)(h-2^230 h9)|<1/4.

Write y=2^(-1)-19^2 2^(-255)q-19 2^(-255)(h-2^230 h9).
Then 0<y<1.

Write r=h-pq.
Have 0<=r<=p-1=2^255-20.
Thus 0<=r+19(2^-255)r<r+19(2^-255)2^255<=2^255-1.

Write x=r+19(2^-255)r+y.
Then 0<x<2^255 so floor(2^(-255)x) = 0 so floor(q+2^(-255)x) = q.

Have q+2^(-255)x = 2^(-255)(h + 19 2^(-25) h9 + 2^(-1))
so floor(2^(-255)(h + 19 2^(-25) h9 + 2^(-1))) = q.

func FieldFromInt10 

func FieldFromInt10[T ~int32 | ~int64](f [10]T) (*field.Element, error)

func GenerateCLSAG_GGX 

func GenerateCLSAG_GGX(
	rnd io.Reader,
	m []byte,
	ring []CLSAG_GGXInputRef,
	ki *edwards25519.Point,
	pseudoOutAmountCommitment, pseudoOutBlindedAssetID *edwards25519.Point,
	secret0Xp, secret1F, secret2T *edwards25519.Scalar,
	secretIndex uint64,
) (*zanobase.CLSAG_Sig, error)

func GenerateDoubleSchnorrSig 

func GenerateDoubleSchnorrSig(rnd io.Reader, gen0, gen1 *edwards25519.Point, m []byte, A *edwards25519.Point, secret_a *edwards25519.Scalar, B *edwards25519.Point, secret_b *edwards25519.Scalar) (*zanobase.GenericDoubleSchnorrSig, error)

func GenerateKeyDerivation 

func GenerateKeyDerivation(pubKey *edwards25519.Point, secKey *edwards25519.Scalar) (*edwards25519.Point, error)

func GenerateKeyScalar 

func GenerateKeyScalar() *edwards25519.Scalar

func GenerateVectorUgAggregationProof 

func GenerateVectorUgAggregationProof(rnd io.Reader, contextHash []byte, uSecrets, gSecrets0, gSecrets1 []*edwards25519.Scalar, amountCommitments, amountCommitmentsForRpAggregation, blindedAssetIds []*edwards25519.Point) (*zanobase.UGAggProof, error)

func Generate_BGE_Proof 

func Generate_BGE_Proof(rnd io.Reader, contextHash []byte, ring []*edwards25519.Point, secret *edwards25519.Scalar, secretIndex int) (*zanobase.BGEProof, error)

func HashToEC 

func HashToEC(pubBytes []byte) (*edwards25519.Point, error)

func HashToPoint 

func HashToPoint(h []byte) *edwards25519.Point

HashToPoint is the Go equivalent of the C++ hash_to_point function.

func HashToScalar 

func HashToScalar(data []byte) *edwards25519.Scalar

hashToScalar is a helper that does: 

scalar = keccak256( data ) mod l

func Hp 

func Hp(in []byte) *edwards25519.Point

Hp does some extra stuff, and performs the hashing too

src/crypto/crypto-ops.c:4186 where Hp = 8 * ge_fromfe_frombytes_vartime(cn_fast_hash(data))

func HsB 

func HsB(vals ...byter) *edwards25519.Scalar

HsB performs HashToScalar on a slice of byters

func PreparePrefixHashForSign 

func PreparePrefixHashForSign(tx *zanobase.Transaction, inIndex int, txId []byte) ([]byte, error)

func PubFromPriv 

func PubFromPriv(priv *edwards25519.Scalar) *edwards25519.Point

func RandomScalar 

func RandomScalar(rand io.Reader) *edwards25519.Scalar

func ScalarInt 

func ScalarInt(v uint64) *edwards25519.Scalar

func TraitGetGenerator 

func TraitGetGenerator(select_H bool, index int) *edwards25519.Point

func TraitInitialTranscript 

func TraitInitialTranscript() *edwards25519.Scalar

func TraitUpdateTranscript 

func TraitUpdateTranscript(hsc *HashHelper, e *edwards25519.Scalar, pubKeys []*edwards25519.Point) *edwards25519.Scalar

Types

type CLSAG_GGXInputRef 

type CLSAG_GGXInputRef struct {
	StealthAddress   *edwards25519.Point
	AmountCommitment *edwards25519.Point
	BlindedAssetID   *edwards25519.Point
}

type HashHelper added in v0.0.2 

type HashHelper struct {
	// contains filtered or unexported fields
}

func NewHashHelper added in v0.0.2 

func NewHashHelper() *HashHelper

func (*HashHelper) Add added in v0.0.2 

func (c *HashHelper) Add(v ...byter)

func (*HashHelper) AddBytes added in v0.0.2 

func (c *HashHelper) AddBytes(b []byte)

func (*HashHelper) AddBytesModL added in v0.0.2 

func (c *HashHelper) AddBytesModL(b []byte)

func (*HashHelper) CalcHash added in v0.0.2 

func (c *HashHelper) CalcHash() *edwards25519.Scalar

func (*HashHelper) CalcHashKeep added in v0.0.2 

func (c *HashHelper) CalcHashKeep() *edwards25519.Scalar

CalcHashKeep is the same as calcHash but does not reset the state

func (*HashHelper) CalcRawHash added in v0.0.2 

func (c *HashHelper) CalcRawHash() []byte

type Trait 

type Trait struct {
	Type      string // UGX or HGX
	N         int
	ValuesMax int
	Log2N     int
	MNMax     int

	// NOTE! This notation follows the original BP+ whitepaper, see mapping to Zano's generators in range_proofs.cpp
	G  *edwards25519.Point
	H  *edwards25519.Point
	H2 *edwards25519.Point
}

func (*Trait) BPPGen 

func (trait *Trait) BPPGen(rnd io.Reader, values, masks []*edwards25519.Scalar, commitments_1div8 []*edwards25519.Point) (*zanobase.BPPSignature, error)

func (*Trait) CalcPedersenCommitment 

func (t *Trait) CalcPedersenCommitment(value, mask *edwards25519.Scalar) *edwards25519.Point

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.