void curve25519_donna(u8 *mypublic, const u8 *secret, const u8 *basepoint) {
felem bp[10], x[10], z[10], zmone[10];
fexpand(bp, basepoint);
cmult(x, z, secret, bp);
crecip(zmone, z);
fmul(z, x, zmone);
fcontract(mypublic, z);
}
bits256 cards777_initcrypt(bits256 data,bits256 privkey,bits256 pubkey,int32_t invert)
{
bits256 hash; bits320 hexp;
hash = curve25519_shared(privkey,pubkey);
hexp = fexpand(hash);
if ( invert != 0 )
hexp = crecip(hexp);
return(fcontract(fmul(fexpand(data),hexp)));
}
int
crypto_scalarmult(u8 *mypublic, const u8 *secret, const u8 *basepoint) {
felem bp[5], x[5], z[5], zmone[5];
unsigned char e[32];
int i;
for (i = 0;i < 32;++i) e[i] = secret[i];
e[0] &= 248;
e[31] &= 127;
e[31] |= 64;
fexpand(bp, basepoint);
cmult(x, z, e, bp);
crecip(zmone, z);
fmul(z, x, zmone);
fcontract(mypublic, z);
return 0;
}
std::string hex(const felem e)
{
bytestring s(32, 0);
fcontract(&s[0], e);
return hex(s);
}
void operator()(std::map<uint64_t, uint64_t> &accounts, std::string thread_seed) {
// Our approach is to pick a random point and repeatedly double it.
// This is cheaper than the more naive approach of multiplying the
// generator point times random exponents.
// We work in batches because our point doubling algorithm requires a
// modular inversion which is more efficiently computed in batches.
const int n = BATCH_SIZE;
felem xs[BATCH_SIZE], zs[BATCH_SIZE];
std::vector<bytestring> exponents;
static const unsigned char generator[32] = {9};
for ( int i = 0; i < n; i++ ) {
bytestring exponent(32, 0);
std::string exponent_seed = boost::str(boost::format("%1%:%2%") % thread_seed % i);
sha256((unsigned char*) &exponent_seed[0], exponent_seed.size(), &exponent[0]);
// transform initial exponent according to curve25519 tweaks
exponent[0] &= 248;
exponent[31] &= 127;
exponent[31] |= 64;
uint8_t pubkey[32];
curve25519_donna(pubkey, &exponent[0], generator);
fexpand(xs[i], pubkey);
exponents.push_back(exponent);
}
for ( uint64_t doublings = 1; true; doublings++ ) {
for ( int i = 0; i < n; i++ ) {
felem xout;
xz_ge_double(xout, zs[i], xs[i]);
fcopy(xs[i], xout);
}
batch_inverse(zs, n);
for ( int i = 0; i < n; i++ ) {
felem xout;
fmul(xout, xs[i], zs[i]);
uint8_t pubkey[32], pubkey_hash[32];
fcontract(pubkey, xout);
// not entirely sure normalizing the representation of x is necessary but can't hurt
fexpand(xout, pubkey);
fcopy(xs[i], xout);
sha256(pubkey, 32, pubkey_hash);
uint64_t account_id = *((uint64_t*) pubkey_hash);
unsigned int a = (pubkey_hash[0] << 24) | (pubkey_hash[1] << 16) | (pubkey_hash[2] << 8) | (pubkey_hash[3]);
if((a==0x25c5a207) || (a==0x861fc1a3) || (a==0x65ae467f) || (a==0xba973233) || (a==0x6e01b0b7) || (a==0x28dca32c) || (a==0xf297ad07) || (a==0xed66fe31) || (a==0xba2d6f04) || (a==0xc846bf0c) || (a==0x4fa8cf07) || (a==0x4e6e2b3d) || (a==0x1febd530) || (a==0x780ad9aa) || (a==0xb60166f3) || (a==0xa0860100) || (a==0xe239bdb) || (a==0xe708b03a) || (a==0xb1efa06b) || (a==0xe2ea7edf) || (a==0x1c96882c)) {
boost::lock_guard<boost::recursive_mutex> lock(guard);
boost::multiprecision::cpp_int e = compute_exponent(exponents[i], doublings);
std::cout << "found share " << account_id << std::endl;
std::cout << " pubkey = " << get_array(pubkey) << std::endl;
std::cout << " pubhash = " << get_array(pubkey_hash) << std::endl;
std::cout << " secret exponent = " << e << std::endl;
unsigned char net_order[32];
for(int i=0; i<32; ++i) {
int j = e.convert_to<int>();
net_order[31-i] = j & 0xFF;
e = e >> 8;
}
submit_share(account,get_array(net_order));
}
}
checked += n;
}
void zktest()
{
/*
# Given the public key of B (remote_pub), shows that the shared secret
# between A and B was generated by A.
# Returns zero-knowledge proof of shared Diffie-Hellman secret between A & B.
def prove_shared_secret(self, remote_pub):
G = self.G; prover_pub = self.public; phi = self. P - 1;
secret = self.get_shared_secret(remote_pub)
# Random key in the group Z_q
randKey = DiffieHellman() # random secret
commit1 = randKey.public
commit2 = randKey.get_shared_secret(remote_pub)
*/
void fdifference_backwards(uint64_t *out, const uint64_t *in); // output = in - output
void fmul(uint64_t *output,const uint64_t *in,const uint64_t *in2);
void fcontract(uint8_t *output, const uint64_t *input);
void fexpand(uint64_t *output, const uint8_t *in);
bits256 curve25519(bits256,bits256);
static uint8_t _basepoint[32] = {9};
bits320 randsecret,challenge,product,response,selfsecret,secret;
bits256 remote_pub,basepoint,remote_secret,randkey,commit1,commit2,_secret,tmp,buf[8]; int32_t n = 0;
tmp = GENESIS_PRIVKEY;
_secret = curve25519(tmp,remote_pub);
fexpand(secret.ulongs,_secret.bytes);
randombytes(randkey.bytes,sizeof(randkey)), randkey.bytes[0] &= 248, randkey.bytes[31] &= 127, randkey.bytes[31] |= 64;
randombytes(remote_secret.bytes,sizeof(remote_secret)), remote_secret.bytes[0] &= 248, remote_secret.bytes[31] &= 127, remote_secret.bytes[31] |= 64;
memcpy(basepoint.bytes,_basepoint,sizeof(basepoint));
remote_pub = curve25519(remote_secret,basepoint);
fexpand(randsecret.ulongs,randkey.bytes);
curve25519_donna(commit1.bytes,randkey.bytes,_basepoint);
commit2 = curve25519(randkey,remote_pub);
/*
# shift and hash
concat = str(G) + str(prover_pub) + str(remote_pub) + str(secret) + str(commit1) + str(commit2)
h = hashlib.md5()
h.update(concat.encode("utf-8"))
challenge = int(h.hexdigest(), 16)
product = (self.secret * challenge) % phi
response = (randKey.secret - product) % phi
return (secret, challenge, response)*/
buf[n++] = GENESIS_PRIVKEY, buf[n++] = GENESIS_PUBKEY;
buf[n++] = remote_pub, buf[n++] = _secret, buf[n++] = commit1, buf[n++] = commit2;
memset(challenge.bytes,0,sizeof(challenge));
calc_sha256(0,tmp.bytes,buf[0].bytes,n*sizeof(buf[0]));
fexpand(challenge.ulongs,tmp.bytes);
tmp = GENESIS_PRIVKEY;
fexpand(selfsecret.ulongs,tmp.bytes);
fmul(product.ulongs,selfsecret.ulongs,challenge.ulongs);
response = product;
fdifference_backwards(product.ulongs,randsecret.ulongs);
/*
# Verifies proof generated above. Verifier c is showing that
# shared secret between A and B was generated by A.
# returns 0 if if verification fails; returns shared secret otherwise
def verify_shared_secret(self, prover_pub, remote_pub, secret, challenge,
response):
P = self.P; G = self.G ; public = self.public
# g^r * (a's public key)^challenge
commit1 = (pow(G, response, P) * pow(public, challenge, P)) % P
# (b's public key)^response * (secret)^challenge
commit2 = (pow(remote_pub, response, P) * pow(secret, challenge, P)) % P
*/
bits256 _commit1b,_commit2b,_tmp2,_challenge,_response; bits320 Tmp,Tmp2,commit2b;
fcontract(_challenge.bytes,challenge.ulongs);
fcontract(_response.bytes,response.ulongs);
tmp = curve25519(_secret,_challenge);
_tmp2 = curve25519(remote_pub,_response);
fexpand(Tmp.ulongs,tmp.bytes);
fexpand(Tmp2.ulongs,_tmp2.bytes);
fmul(commit2b.ulongs,Tmp.ulongs,Tmp2.ulongs);
fcontract(_commit2b.bytes,commit2b.ulongs);
printf("commits %llx %llx vs %llx %llx\n",commit1.txid,commit2.txid,_commit1b.txid,_commit2b.txid);
/*
# Shift and hash
hasher = hashlib.md5()
concat = str(G) + str(prover_pub) + str(remote_pub) + str(secret) + str(commit1) + str(commit2)
hasher.update(concat.encode("utf-8"))
check = int(hasher.hexdigest(), 16)
if challenge == check:
return secret
else:
return 0
def main():
a = DiffieHellman()
b = DiffieHellman()
results = a.prove_shared_secret(b.public)
assert a.verify_shared_secret(a.public, b.public, results[0], \
results[1], results[2])
*/
}
