void PrivateCoin::mintCoinFast(const CoinDenomination denomination) {
    // Fast-path mint: draw the serial number "s" (which doubles as the coin's
    // public key) and the randomness "r" once, then search for a usable
    // Pedersen commitment by nudging "r" rather than re-deriving the key.
    const auto& group = this->params->coinCommitmentGroup;
    const auto& q = group.groupOrder;   // order of the commitment group
    const auto& p = group.modulus;

    // Key pair whose serial "s" lies in 0...{q-1}. GenerateKeyPair is retried
    // until it reports success; a zero seed is passed, so the key material is
    // presumably drawn inside GenerateKeyPair — its seed semantics are not
    // visible here.
    CKey key;
    CBigNum s;
    while (!GenerateKeyPair(q, uint256(0), key, s)) {
        // keep trying until a valid key/serial pair comes back
    }

    // Randomness "r" in 0...{q-1}
    CBigNum r = CBigNum::randBignum(q);

    // Pedersen commitment computed by hand: C = g^s * h^r mod p
    CBigNum C = group.g.pow_mod(s, p).mul_mod(group.h.pow_mod(r, p), p);

    // Bounded search: the commitment must be (probably) prime under
    // ZEROCOIN_MINT_PRIME_PARAM and fall inside the accumulator's accepted
    // coin-value window. Anything else is discarded and "r" is re-randomised.
    for (uint32_t attempt = 0; attempt < MAX_COINMINT_ATTEMPTS; ++attempt) {
        if (C.isPrime(ZEROCOIN_MINT_PRIME_PARAM)
            && C >= params->accumulatorParams.minCoinValue
            && C <= params->accumulatorParams.maxCoinValue) {
            // Usable coin: persist the witness values and the key that
            // authorises spending. Version 2 marks a coin whose serial is a
            // public key.
            this->serialNumber = s;
            this->randomness = r;
            this->publicCoin = PublicCoin(params, C, denomination);
            this->privkey = key.GetPrivKey();
            this->version = 2;
            return;
        }

        // Not usable: shift "r" by a fresh r_delta and update C in place,
        // avoiding a second full exponentiation of g:
        //   r = r + r_delta mod q
        //   C = C * h^r_delta mod p
        const CBigNum rDelta = CBigNum::randBignum(q);
        r = (r + rDelta) % q;
        C = C.mul_mod(group.h.pow_mod(rDelta, p), p);
    }

    // Exhausted MAX_COINMINT_ATTEMPTS without a valid commitment; the caller
    // decides whether to retry with fresh key material.
    throw std::runtime_error("Unable to mint a new Zerocoin (too many attempts)");
}
void CzPIVWallet::SeedToZPIV(const uint512& seedZerocoin, CBigNum& bnValue, CBigNum& bnSerial, CBigNum& bnRandomness, CKey& key)
{
    // Deterministically expand a 512-bit zerocoin seed into the coin's
    // (value, serial, randomness, key). The same seed always yields the same
    // coin, which is what makes wallet seed backup/restore possible — so every
    // derivation step below hashes seed-derived input only and draws no
    // fresh entropy. The search loop has no iteration cap; it runs until
    // IsValidCoinValue accepts a commitment.
    ZerocoinParams* params = Params().Zerocoin_Params(false);
    const auto& group = params->coinCommitmentGroup;
    const auto& q = group.groupOrder;
    const auto& p = group.modulus;

    // Key/serial: seedZerocoin.trim256() is hashed repeatedly until
    // GenerateKeyPair accepts the hash as a private-key seed.
    uint256 nSeedPrivKey = seedZerocoin.trim256();
    key = CKey();
    do {
        nSeedPrivKey = Hash(nSeedPrivKey.begin(), nSeedPrivKey.end());
    } while (!libzerocoin::GenerateKeyPair(q, nSeedPrivKey, key, bnSerial));

    // Randomness: the other 256-bit half, (seedZerocoin >> 256).trim256(),
    // is hashed and reduced into 0...{q-1}.
    uint256 randomnessSeed = uint512(seedZerocoin >> 256).trim256();
    uint256 hashRandomness = Hash(randomnessSeed.begin(), randomnessSeed.end());
    bnRandomness.setuint256(hashRandomness);
    bnRandomness = bnRandomness % q;

    // Initial Pedersen commitment: C = g^serial * h^randomness mod p
    CBigNum commitment = group.g.pow_mod(bnSerial, p).mul_mod(group.h.pow_mod(bnRandomness, p), p);

    // Walk the randomness deterministically — delta = H(randomnessSeed ||
    // attempt counter) — until the commitment is a valid coin value. Each
    // step multiplies C by h^delta, so C is never recomputed from scratch.
    uint256 attempts256 = 0;
    CBigNum delta;
    while (!IsValidCoinValue(commitment)) {
        attempts256++;
        hashRandomness = Hash(randomnessSeed.begin(), randomnessSeed.end(), attempts256.begin(), attempts256.end());
        delta.setuint256(hashRandomness);
        bnRandomness = (bnRandomness + delta) % q;
        commitment = commitment.mul_mod(group.h.pow_mod(delta, p), p);
    }
    bnValue = commitment;
}