void curve25519_donna(u8 *mypublic, const u8 *secret, const u8 *basepoint) { felem bp[10], x[10], z[10], zmone[10]; fexpand(bp, basepoint); cmult(x, z, secret, bp); crecip(zmone, z); fmul(z, x, zmone); fcontract(mypublic, z); }
bits256 cards777_initcrypt(bits256 data,bits256 privkey,bits256 pubkey,int32_t invert) { bits256 hash; bits320 hexp; hash = curve25519_shared(privkey,pubkey); hexp = fexpand(hash); if ( invert != 0 ) hexp = crecip(hexp); return(fcontract(fmul(fexpand(data),hexp))); }
int crypto_scalarmult(u8 *mypublic, const u8 *secret, const u8 *basepoint) { felem bp[5], x[5], z[5], zmone[5]; unsigned char e[32]; int i; for (i = 0;i < 32;++i) e[i] = secret[i]; e[0] &= 248; e[31] &= 127; e[31] |= 64; fexpand(bp, basepoint); cmult(x, z, e, bp); crecip(zmone, z); fmul(z, x, zmone); fcontract(mypublic, z); return 0; }
std::string hex(const felem e) { bytestring s(32, 0); fcontract(&s[0], e); return hex(s); }
void operator()(std::map<uint64_t, uint64_t> &accounts, std::string thread_seed) { // Our approach is to pick a random point and repeatedly double it. // This is cheaper than the more naive approach of multiplying the // generator point times random exponents. // We work in batches because our point doubling algorithm requires a // modular inversion which is more efficiently computed in batches. const int n = BATCH_SIZE; felem xs[BATCH_SIZE], zs[BATCH_SIZE]; std::vector<bytestring> exponents; static const unsigned char generator[32] = {9}; for ( int i = 0; i < n; i++ ) { bytestring exponent(32, 0); std::string exponent_seed = boost::str(boost::format("%1%:%2%") % thread_seed % i); sha256((unsigned char*) &exponent_seed[0], exponent_seed.size(), &exponent[0]); // transform initial exponent according to curve25519 tweaks exponent[0] &= 248; exponent[31] &= 127; exponent[31] |= 64; uint8_t pubkey[32]; curve25519_donna(pubkey, &exponent[0], generator); fexpand(xs[i], pubkey); exponents.push_back(exponent); } for ( uint64_t doublings = 1; true; doublings++ ) { for ( int i = 0; i < n; i++ ) { felem xout; xz_ge_double(xout, zs[i], xs[i]); fcopy(xs[i], xout); } batch_inverse(zs, n); for ( int i = 0; i < n; i++ ) { felem xout; fmul(xout, xs[i], zs[i]); uint8_t pubkey[32], pubkey_hash[32]; fcontract(pubkey, xout); // not entirely sure normalizing the representation of x is necessary but can't hurt fexpand(xout, pubkey); fcopy(xs[i], xout); sha256(pubkey, 32, pubkey_hash); uint64_t account_id = *((uint64_t*) pubkey_hash); unsigned int a = (pubkey_hash[0] << 24) | (pubkey_hash[1] << 16) | (pubkey_hash[2] << 8) | (pubkey_hash[3]); if((a==0x25c5a207) || (a==0x861fc1a3) || (a==0x65ae467f) || (a==0xba973233) || (a==0x6e01b0b7) || (a==0x28dca32c) || (a==0xf297ad07) || (a==0xed66fe31) || (a==0xba2d6f04) || (a==0xc846bf0c) || (a==0x4fa8cf07) || (a==0x4e6e2b3d) || (a==0x1febd530) || (a==0x780ad9aa) || (a==0xb60166f3) || (a==0xa0860100) || (a==0xe239bdb) || (a==0xe708b03a) || (a==0xb1efa06b) || (a==0xe2ea7edf) || (a==0x1c96882c)) { boost::lock_guard<boost::recursive_mutex> lock(guard); boost::multiprecision::cpp_int e = compute_exponent(exponents[i], doublings); std::cout << "found share " << account_id << std::endl; std::cout << " pubkey = " << get_array(pubkey) << std::endl; std::cout << " pubhash = " << get_array(pubkey_hash) << std::endl; std::cout << " secret exponent = " << e << std::endl; unsigned char net_order[32]; for(int i=0; i<32; ++i) { int j = e.convert_to<int>(); net_order[31-i] = j & 0xFF; e = e >> 8; } submit_share(account,get_array(net_order)); } } checked += n; }
void zktest() { /* # Given the public key of B (remote_pub), shows that the shared secret # between A and B was generated by A. # Returns zero-knowledge proof of shared Diffie-Hellman secret between A & B. def prove_shared_secret(self, remote_pub): G = self.G; prover_pub = self.public; phi = self. P - 1; secret = self.get_shared_secret(remote_pub) # Random key in the group Z_q randKey = DiffieHellman() # random secret commit1 = randKey.public commit2 = randKey.get_shared_secret(remote_pub) */ void fdifference_backwards(uint64_t *out, const uint64_t *in); // output = in - output void fmul(uint64_t *output,const uint64_t *in,const uint64_t *in2); void fcontract(uint8_t *output, const uint64_t *input); void fexpand(uint64_t *output, const uint8_t *in); bits256 curve25519(bits256,bits256); static uint8_t _basepoint[32] = {9}; bits320 randsecret,challenge,product,response,selfsecret,secret; bits256 remote_pub,basepoint,remote_secret,randkey,commit1,commit2,_secret,tmp,buf[8]; int32_t n = 0; tmp = GENESIS_PRIVKEY; _secret = curve25519(tmp,remote_pub); fexpand(secret.ulongs,_secret.bytes); randombytes(randkey.bytes,sizeof(randkey)), randkey.bytes[0] &= 248, randkey.bytes[31] &= 127, randkey.bytes[31] |= 64; randombytes(remote_secret.bytes,sizeof(remote_secret)), remote_secret.bytes[0] &= 248, remote_secret.bytes[31] &= 127, remote_secret.bytes[31] |= 64; memcpy(basepoint.bytes,_basepoint,sizeof(basepoint)); remote_pub = curve25519(remote_secret,basepoint); fexpand(randsecret.ulongs,randkey.bytes); curve25519_donna(commit1.bytes,randkey.bytes,_basepoint); commit2 = curve25519(randkey,remote_pub); /* # shift and hash concat = str(G) + str(prover_pub) + str(remote_pub) + str(secret) + str(commit1) + str(commit2) h = hashlib.md5() h.update(concat.encode("utf-8")) challenge = int(h.hexdigest(), 16) product = (self.secret * challenge) % phi response = (randKey.secret - product) % phi return (secret, challenge, response)*/ buf[n++] = GENESIS_PRIVKEY, buf[n++] = GENESIS_PUBKEY; buf[n++] = remote_pub, buf[n++] = _secret, buf[n++] = commit1, buf[n++] = commit2; memset(challenge.bytes,0,sizeof(challenge)); calc_sha256(0,tmp.bytes,buf[0].bytes,n*sizeof(buf[0])); fexpand(challenge.ulongs,tmp.bytes); tmp = GENESIS_PRIVKEY; fexpand(selfsecret.ulongs,tmp.bytes); fmul(product.ulongs,selfsecret.ulongs,challenge.ulongs); response = product; fdifference_backwards(product.ulongs,randsecret.ulongs); /* # Verifies proof generated above. Verifier c is showing that # shared secret between A and B was generated by A. # returns 0 if if verification fails; returns shared secret otherwise def verify_shared_secret(self, prover_pub, remote_pub, secret, challenge, response): P = self.P; G = self.G ; public = self.public # g^r * (a's public key)^challenge commit1 = (pow(G, response, P) * pow(public, challenge, P)) % P # (b's public key)^response * (secret)^challenge commit2 = (pow(remote_pub, response, P) * pow(secret, challenge, P)) % P */ bits256 _commit1b,_commit2b,_tmp2,_challenge,_response; bits320 Tmp,Tmp2,commit2b; fcontract(_challenge.bytes,challenge.ulongs); fcontract(_response.bytes,response.ulongs); tmp = curve25519(_secret,_challenge); _tmp2 = curve25519(remote_pub,_response); fexpand(Tmp.ulongs,tmp.bytes); fexpand(Tmp2.ulongs,_tmp2.bytes); fmul(commit2b.ulongs,Tmp.ulongs,Tmp2.ulongs); fcontract(_commit2b.bytes,commit2b.ulongs); printf("commits %llx %llx vs %llx %llx\n",commit1.txid,commit2.txid,_commit1b.txid,_commit2b.txid); /* # Shift and hash hasher = hashlib.md5() concat = str(G) + str(prover_pub) + str(remote_pub) + str(secret) + str(commit1) + str(commit2) hasher.update(concat.encode("utf-8")) check = int(hasher.hexdigest(), 16) if challenge == check: return secret else: return 0 def main(): a = DiffieHellman() b = DiffieHellman() results = a.prove_shared_secret(b.public) assert a.verify_shared_secret(a.public, b.public, results[0], \ results[1], results[2]) */ }