diff --git a/cryptonote_utils/cryptonote_utils.js b/cryptonote_utils/cryptonote_utils.js
index b2cc14e..be568b9 100644
--- a/cryptonote_utils/cryptonote_utils.js
+++ b/cryptonote_utils/cryptonote_utils.js
@@ -32,10 +32,7 @@
 //
 // v--- These should maybe be injected into a context and supplied to currencyConfig for future platforms
 const JSBigInt = require("./biginteger").BigInteger;
-const cnBase58 = require("./cryptonote_base58").cnBase58;
 const mnemonic = require("./mnemonic");
-const nacl = require("./nacl-fast-cn");
-const sha3 = require("./sha3");
 const nettype_utils = require("./nettype");
 var cnUtil = function(currencyConfig)
@@ -118,2745 +115,146 @@ var cnUtil = function(currencyConfig) this.moduleReadyFns = [] // flash/free }); // - var config = {}; // shallow copy of initConfig - for (var key in currencyConfig) { - config[key] = currencyConfig[key]; - } - - var HASH_STATE_BYTES = 200; - var HASH_SIZE = 32; - var ADDRESS_CHECKSUM_SIZE = 4; - var INTEGRATED_ID_SIZE = 8; - var ENCRYPTED_PAYMENT_ID_TAIL = 141; - // - var UINT64_MAX = new JSBigInt(2).pow(64); - var CURRENT_TX_VERSION = 2; - var OLD_TX_VERSION = 1; - var RCTTypeFull = 1; - var RCTTypeSimple = 2; - var TX_EXTRA_NONCE_MAX_COUNT = 255; - var TX_EXTRA_TAGS = { - PADDING: "00", - PUBKEY: "01", - NONCE: "02", - MERGE_MINING: "03", - }; - var TX_EXTRA_NONCE_TAGS = { - PAYMENT_ID: "00", - ENCRYPTED_PAYMENT_ID: "01", - }; - var KEY_SIZE = 32; - var STRUCT_SIZES = { - GE_P3: 160, - GE_P2: 120, - GE_P1P1: 160, - GE_CACHED: 160, - EC_SCALAR: 32, - EC_POINT: 32, - KEY_IMAGE: 32, - GE_DSMP: 160 * 8, // ge_cached * 8 - SIGNATURE: 64, // ec_scalar * 2 - }; - - //RCT vars - var H = "8b655970153799af2aeadc9ff1add0ea6c7251d54154cfa92c173a0dd39c1f94"; //base H for amounts - this.H = H; - var l = JSBigInt( - "7237005577332262213973186563042994240857116359379907606001950938285454250989", - ); //curve order (not RCT specific) - - var I = "0100000000000000000000000000000000000000000000000000000000000000"; //identity element - this.I = I; - this.identity = function() { - return I; - }; - - var Z = "0000000000000000000000000000000000000000000000000000000000000000"; //zero scalar - this.Z = Z; - - //H2 object to speed up some operations - var H2 = [ - "8b655970153799af2aeadc9ff1add0ea6c7251d54154cfa92c173a0dd39c1f94", - "8faa448ae4b3e2bb3d4d130909f55fcd79711c1c83cdbccadd42cbe1515e8712", - "12a7d62c7791654a57f3e67694ed50b49a7d9e3fc1e4c7a0bde29d187e9cc71d", - "789ab9934b49c4f9e6785c6d57a498b3ead443f04f13df110c5427b4f214c739", - "771e9299d94f02ac72e38e44de568ac1dcb2edc6edb61f83ca418e1077ce3de8", - 
"73b96db43039819bdaf5680e5c32d741488884d18d93866d4074a849182a8a64", - "8d458e1c2f68ebebccd2fd5d379f5e58f8134df3e0e88cad3d46701063a8d412", - "09551edbe494418e81284455d64b35ee8ac093068a5f161fa6637559177ef404", - "d05a8866f4df8cee1e268b1d23a4c58c92e760309786cdac0feda1d247a9c9a7", - "55cdaad518bd871dd1eb7bc7023e1dc0fdf3339864f88fdd2de269fe9ee1832d", - "e7697e951a98cfd5712b84bbe5f34ed733e9473fcb68eda66e3788df1958c306", - "f92a970bae72782989bfc83adfaa92a4f49c7e95918b3bba3cdc7fe88acc8d47", - "1f66c2d491d75af915c8db6a6d1cb0cd4f7ddcd5e63d3ba9b83c866c39ef3a2b", - "3eec9884b43f58e93ef8deea260004efea2a46344fc5965b1a7dd5d18997efa7", - "b29f8f0ccb96977fe777d489d6be9e7ebc19c409b5103568f277611d7ea84894", - "56b1f51265b9559876d58d249d0c146d69a103636699874d3f90473550fe3f2c", - "1d7a36575e22f5d139ff9cc510fa138505576b63815a94e4b012bfd457caaada", - "d0ac507a864ecd0593fa67be7d23134392d00e4007e2534878d9b242e10d7620", - "f6c6840b9cf145bb2dccf86e940be0fc098e32e31099d56f7fe087bd5deb5094", - "28831a3340070eb1db87c12e05980d5f33e9ef90f83a4817c9f4a0a33227e197", - "87632273d629ccb7e1ed1a768fa2ebd51760f32e1c0b867a5d368d5271055c6e", - "5c7b29424347964d04275517c5ae14b6b5ea2798b573fc94e6e44a5321600cfb", - "e6945042d78bc2c3bd6ec58c511a9fe859c0ad63fde494f5039e0e8232612bd5", - "36d56907e2ec745db6e54f0b2e1b2300abcb422e712da588a40d3f1ebbbe02f6", - "34db6ee4d0608e5f783650495a3b2f5273c5134e5284e4fdf96627bb16e31e6b", - "8e7659fb45a3787d674ae86731faa2538ec0fdf442ab26e9c791fada089467e9", - "3006cf198b24f31bb4c7e6346000abc701e827cfbb5df52dcfa42e9ca9ff0802", - "f5fd403cb6e8be21472e377ffd805a8c6083ea4803b8485389cc3ebc215f002a", - "3731b260eb3f9482e45f1c3f3b9dcf834b75e6eef8c40f461ea27e8b6ed9473d", - "9f9dab09c3f5e42855c2de971b659328a2dbc454845f396ffc053f0bb192f8c3", - "5e055d25f85fdb98f273e4afe08464c003b70f1ef0677bb5e25706400be620a5", - "868bcf3679cb6b500b94418c0b8925f9865530303ae4e4b262591865666a4590", - "b3db6bd3897afbd1df3f9644ab21c8050e1f0038a52f7ca95ac0c3de7558cb7a", - 
"8119b3a059ff2cac483e69bcd41d6d27149447914288bbeaee3413e6dcc6d1eb", - "10fc58f35fc7fe7ae875524bb5850003005b7f978c0c65e2a965464b6d00819c", - "5acd94eb3c578379c1ea58a343ec4fcff962776fe35521e475a0e06d887b2db9", - "33daf3a214d6e0d42d2300a7b44b39290db8989b427974cd865db011055a2901", - "cfc6572f29afd164a494e64e6f1aeb820c3e7da355144e5124a391d06e9f95ea", - "d5312a4b0ef615a331f6352c2ed21dac9e7c36398b939aec901c257f6cbc9e8e", - "551d67fefc7b5b9f9fdbf6af57c96c8a74d7e45a002078a7b5ba45c6fde93e33", - "d50ac7bd5ca593c656928f38428017fc7ba502854c43d8414950e96ecb405dc3", - "0773e18ea1be44fe1a97e239573cfae3e4e95ef9aa9faabeac1274d3ad261604", - "e9af0e7ca89330d2b8615d1b4137ca617e21297f2f0ded8e31b7d2ead8714660", - "7b124583097f1029a0c74191fe7378c9105acc706695ed1493bb76034226a57b", - "ec40057b995476650b3db98e9db75738a8cd2f94d863b906150c56aac19caa6b", - "01d9ff729efd39d83784c0fe59c4ae81a67034cb53c943fb818b9d8ae7fc33e5", - "00dfb3c696328c76424519a7befe8e0f6c76f947b52767916d24823f735baf2e", - "461b799b4d9ceea8d580dcb76d11150d535e1639d16003c3fb7e9d1fd13083a8", - "ee03039479e5228fdc551cbde7079d3412ea186a517ccc63e46e9fcce4fe3a6c", - "a8cfb543524e7f02b9f045acd543c21c373b4c9b98ac20cec417a6ddb5744e94", - "932b794bf89c6edaf5d0650c7c4bad9242b25626e37ead5aa75ec8c64e09dd4f", - "16b10c779ce5cfef59c7710d2e68441ea6facb68e9b5f7d533ae0bb78e28bf57", - "0f77c76743e7396f9910139f4937d837ae54e21038ac5c0b3fd6ef171a28a7e4", - "d7e574b7b952f293e80dde905eb509373f3f6cd109a02208b3c1e924080a20ca", - "45666f8c381e3da675563ff8ba23f83bfac30c34abdde6e5c0975ef9fd700cb9", - "b24612e454607eb1aba447f816d1a4551ef95fa7247fb7c1f503020a7177f0dd", - "7e208861856da42c8bb46a7567f8121362d9fb2496f131a4aa9017cf366cdfce", - "5b646bff6ad1100165037a055601ea02358c0f41050f9dfe3c95dccbd3087be0", - "746d1dccfed2f0ff1e13c51e2d50d5324375fbd5bf7ca82a8931828d801d43ab", - "cb98110d4a6bb97d22feadbc6c0d8930c5f8fc508b2fc5b35328d26b88db19ae", - "60b626a033b55f27d7676c4095eababc7a2c7ede2624b472e97f64f96b8cfc0e", - 
"e5b52bc927468df71893eb8197ef820cf76cb0aaf6e8e4fe93ad62d803983104", - "056541ae5da9961be2b0a5e895e5c5ba153cbb62dd561a427bad0ffd41923199", - "f8fef05a3fa5c9f3eba41638b247b711a99f960fe73aa2f90136aeb20329b888", - ]; - - this.H2 = H2; - - //begin rct new functions - //creates a Pedersen commitment from an amount (in scalar form) and a mask - //C = bG + aH where b = mask, a = amount - function commit(amount, mask) { - if ( - !valid_hex(mask) || - mask.length !== 64 || - !valid_hex(amount) || - amount.length !== 64 - ) { - throw "invalid amount or mask!"; - } - var C = this.ge_double_scalarmult_base_vartime(amount, H, mask); - return C; - } - - function zeroCommit(amount) { - if (!valid_hex(amount) || amount.length !== 64) { - throw "invalid amount!"; - } - var C = this.ge_double_scalarmult_base_vartime(amount, H, I); - return C; - } - - this.decode_rct_ecdh = function(ecdh, key) { - var first = this.hash_to_scalar(key); - var second = this.hash_to_scalar(first); - return { - mask: this.sc_sub(ecdh.mask, first), - amount: this.sc_sub(ecdh.amount, second), - }; - }; - - this.encode_rct_ecdh = function(ecdh, key) { - var first = this.hash_to_scalar(key); - var second = this.hash_to_scalar(first); - return { - mask: this.sc_add(ecdh.mask, first), - amount: this.sc_add(ecdh.amount, second), - }; - }; - - //switch byte order for hex string - function swapEndian(hex) { - if (hex.length % 2 !== 0) { - return "length must be a multiple of 2!"; - } - var data = ""; - for (var i = 1; i <= hex.length / 2; i++) { - data += hex.substr(0 - 2 * i, 2); - } - return data; - } - - //switch byte order charwise - function swapEndianC(string) { - var data = ""; - for (var i = 1; i <= string.length; i++) { - data += string.substr(0 - i, 1); - } - return data; - } - - //for most uses you'll also want to swapEndian after conversion - //mainly to convert integer "scalars" to usable hexadecimal strings - //uint long long to 32 byte key - function d2h(integer) { - if (typeof integer !== "string" 
&& integer.toString().length > 15) { - throw "integer should be entered as a string for precision"; - } - var padding = ""; - for (var i = 0; i < 63; i++) { - padding += "0"; - } - return ( - padding + - JSBigInt(integer) - .toString(16) - .toLowerCase() - ).slice(-64); - } - this.d2h = d2h; - - //integer (string) to scalar - function d2s(integer) { - return swapEndian(d2h(integer)); - } - - this.d2s = d2s; - //scalar to integer (string) - function s2d(scalar) { - return JSBigInt.parse(swapEndian(scalar), 16).toString(); - } - - //convert integer string to 64bit "binary" little-endian string - function d2b(integer) { - if (typeof integer !== "string" && integer.toString().length > 15) { - throw "integer should be entered as a string for precision"; - } - var padding = ""; - for (var i = 0; i < 63; i++) { - padding += "0"; - } - var a = new JSBigInt(integer); - if (a.toString(2).length > 64) { - throw "amount overflows uint64!"; - } - return swapEndianC((padding + a.toString(2)).slice(-64)); - } - - //convert integer string to 64bit base 4 little-endian string - function d2b4(integer) { - if (typeof integer !== "string" && integer.toString().length > 15) { - throw "integer should be entered as a string for precision"; - } - var padding = ""; - for (var i = 0; i < 31; i++) { - padding += "0"; - } - var a = new JSBigInt(integer); - if (a.toString(2).length > 64) { - throw "amount overflows uint64!"; - } - return swapEndianC((padding + a.toString(4)).slice(-32)); - } - //end rct new functions - - this.valid_hex = function(hex) { - var exp = new RegExp("[0-9a-fA-F]{" + hex.length + "}"); - return exp.test(hex); - }; - - //simple exclusive or function for two hex inputs - this.hex_xor = function(hex1, hex2) { - if ( - !hex1 || - !hex2 || - hex1.length !== hex2.length || - hex1.length % 2 !== 0 || - hex2.length % 2 !== 0 - ) { - throw "Hex string(s) is/are invalid!"; - } - var bin1 = hextobin(hex1); - var bin2 = hextobin(hex2); - var xor = new Uint8Array(bin1.length); - 
for (var i = 0; i < xor.length; i++) { - xor[i] = bin1[i] ^ bin2[i]; - } - return bintohex(xor); - }; - - function hextobin(hex) { - if (hex.length % 2 !== 0) throw "Hex string has invalid length!"; - var res = new Uint8Array(hex.length / 2); - for (var i = 0; i < hex.length / 2; ++i) { - res[i] = parseInt(hex.slice(i * 2, i * 2 + 2), 16); - } - return res; - } - this.hextobin = hextobin; - - function bintohex(bin) { - var out = []; - for (var i = 0; i < bin.length; ++i) { - out.push(("0" + bin[i].toString(16)).slice(-2)); - } - return out.join(""); - } - - // Generate a 256-bit / 64-char / 32-byte crypto random - this.rand_32 = function() { - return mnemonic.mn_random(256); - }; - - // Generate a 128-bit / 32-char / 16-byte crypto random - this.rand_16 = function() { - return mnemonic.mn_random(128); - }; - - // Generate a 64-bit / 16-char / 8-byte crypto random - this.rand_8 = function() { - return mnemonic.mn_random(64); - }; - - this.encode_varint = function(i) { - i = new JSBigInt(i); - var out = ""; - // While i >= b10000000 - while (i.compare(0x80) >= 0) { - // out.append i & b01111111 | b10000000 - out += ("0" + ((i.lowVal() & 0x7f) | 0x80).toString(16)).slice(-2); - i = i.divide(new JSBigInt(2).pow(7)); - } - out += ("0" + i.toJSValue().toString(16)).slice(-2); - return out; - }; - - this.sc_reduce = function(hex) { - var input = hextobin(hex); - if (input.length !== 64) { - throw "Invalid input length"; - } - const CNCrypto = loaded_CNCrypto(); - var mem = CNCrypto._malloc(64); - CNCrypto.HEAPU8.set(input, mem); - CNCrypto.ccall("sc_reduce", "void", ["number"], [mem]); - var output = CNCrypto.HEAPU8.subarray(mem, mem + 64); - CNCrypto._free(mem); - return bintohex(output); - }; - - this.sc_reduce32 = function(hex) { - var input = hextobin(hex); - if (input.length !== 32) { - throw "Invalid input length"; - } - const CNCrypto = loaded_CNCrypto(); - var mem = CNCrypto._malloc(32); - CNCrypto.HEAPU8.set(input, mem); - CNCrypto.ccall("sc_reduce32", "void", 
["number"], [mem]); - var output = CNCrypto.HEAPU8.subarray(mem, mem + 32); - CNCrypto._free(mem); - return bintohex(output); - }; - - this.cn_fast_hash = function(input, inlen) { - /*if (inlen === undefined || !inlen) { - inlen = Math.floor(input.length / 2); - }*/ - if (input.length % 2 !== 0 || !this.valid_hex(input)) { - throw "Input invalid"; - } - //update to use new keccak impl (approx 45x faster) - //var state = this.keccak(input, inlen, HASH_STATE_BYTES); - //return state.substr(0, HASH_SIZE * 2); - return sha3.keccak_256(hextobin(input)); - }; - - //many functions below are commented out now, and duplicated with the faster nacl impl --luigi1111 - // to be removed completely later - /*this.sec_key_to_pub = function(sec) { - var input = hextobin(sec); - if (input.length !== 32) { - throw "Invalid input length"; - } - const CNCrypto = loaded_CNCrypto(); - var input_mem = CNCrypto._malloc(KEY_SIZE); - CNCrypto.HEAPU8.set(input, input_mem); - var ge_p3 = CNCrypto._malloc(STRUCT_SIZES.GE_P3); - var out_mem = CNCrypto._malloc(KEY_SIZE); - CNCrypto.ccall('ge_scalarmult_base', 'void', ['number', 'number'], [ge_p3, input_mem]); - CNCrypto.ccall('ge_p3_tobytes', 'void', ['number', 'number'], [out_mem, ge_p3]); - var output = CNCrypto.HEAPU8.subarray(out_mem, out_mem + KEY_SIZE); - CNCrypto._free(ge_p3); - CNCrypto._free(input_mem); - CNCrypto._free(out_mem); - return bintohex(output); - };*/ - - this.sec_key_to_pub = function(sec) { - if (sec.length !== 64) { - throw "Invalid sec length"; - } - return bintohex(nacl.ll.ge_scalarmult_base(hextobin(sec))); - }; - - //alias - this.ge_scalarmult_base = function(sec) { - return this.sec_key_to_pub(sec); - }; - - //accepts arbitrary point, rather than G - /*this.ge_scalarmult = function(pub, sec) { - if (pub.length !== 64 || sec.length !== 64) { - throw "Invalid input length"; - } - var pub_b = hextobin(pub); - var sec_b = hextobin(sec); - const CNCrypto = loaded_CNCrypto(); - var pub_m = CNCrypto._malloc(KEY_SIZE); - 
CNCrypto.HEAPU8.set(pub_b, pub_m); - var sec_m = CNCrypto._malloc(KEY_SIZE); - CNCrypto.HEAPU8.set(sec_b, sec_m); - var ge_p3_m = CNCrypto._malloc(STRUCT_SIZES.GE_P3); - var ge_p2_m = CNCrypto._malloc(STRUCT_SIZES.GE_P2); - if (CNCrypto.ccall("ge_frombytes_vartime", "bool", ["number", "number"], [ge_p3_m, pub_m]) !== 0) { - throw "ge_frombytes_vartime returned non-zero error code"; - } - CNCrypto.ccall("ge_scalarmult", "void", ["number", "number", "number"], [ge_p2_m, sec_m, ge_p3_m]); - var derivation_m = CNCrypto._malloc(KEY_SIZE); - CNCrypto.ccall("ge_tobytes", "void", ["number", "number"], [derivation_m, ge_p2_m]); - var res = CNCrypto.HEAPU8.subarray(derivation_m, derivation_m + KEY_SIZE); - CNCrypto._free(pub_m); - CNCrypto._free(sec_m); - CNCrypto._free(ge_p3_m); - CNCrypto._free(ge_p2_m); - CNCrypto._free(derivation_m); - return bintohex(res); - };*/ - this.ge_scalarmult = function(pub, sec) { - if (pub.length !== 64 || sec.length !== 64) { - throw "Invalid input length"; - } - return bintohex(nacl.ll.ge_scalarmult(hextobin(pub), hextobin(sec))); - }; - - this.pubkeys_to_string = function(spend, view, nettype) { - var prefix = this.encode_varint( - nettype_utils.cryptonoteBase58PrefixForStandardAddressOn(nettype), - ); - var data = prefix + spend + view; - var checksum = this.cn_fast_hash(data); - return cnBase58.encode( - data + checksum.slice(0, ADDRESS_CHECKSUM_SIZE * 2), - ); - }; - - this.new__int_addr_from_addr_and_short_pid = function( - address, - short_pid, - nettype, - ) { - // throws - let decoded_address = this.decode_address( - address, // TODO/FIXME: not super happy about having to decode just to re-encodeā€¦ this was a quick hack - nettype, - ); // throws - if (!short_pid || short_pid.length != 16) { - throw "expected valid short_pid"; - } - var prefix = this.encode_varint( - nettype_utils.cryptonoteBase58PrefixForIntegratedAddressOn(nettype), - ); - var data = - prefix + decoded_address.spend + decoded_address.view + short_pid; - var 
checksum = this.cn_fast_hash(data); - var encodable__data = - data + checksum.slice(0, ADDRESS_CHECKSUM_SIZE * 2); - // - return cnBase58.encode(encodable__data); - }; - - // Generate keypair from seed - this.generate_keys = function(seed) { - if (seed.length !== 64) throw "Invalid input length!"; - var sec = this.sc_reduce32(seed); - var pub = this.sec_key_to_pub(sec); - return { - sec: sec, - pub: pub, - }; - }; - - this.random_keypair = function() { - return this.generate_keys(this.rand_32()); - }; - - // Random 32-byte ec scalar - this.random_scalar = function() { - //var rand = this.sc_reduce(mnemonic.mn_random(64 * 8)); - //return rand.slice(0, STRUCT_SIZES.EC_SCALAR * 2); - return this.sc_reduce32(this.rand_32()); - }; - - // alias - this.skGen = random_scalar; - /* no longer used - this.keccak = function(hex, inlen, outlen) { - var input = hextobin(hex); - if (input.length !== inlen) { - throw "Invalid input length"; - } - if (outlen <= 0) { - throw "Invalid output length"; - } - const CNCrypto = loaded_CNCrypto(); - var input_mem = CNCrypto._malloc(inlen); - CNCrypto.HEAPU8.set(input, input_mem); - var out_mem = CNCrypto._malloc(outlen); - CNCrypto._keccak(input_mem, inlen | 0, out_mem, outlen | 0); - var output = CNCrypto.HEAPU8.subarray(out_mem, out_mem + outlen); - CNCrypto._free(input_mem); - CNCrypto._free(out_mem); - return bintohex(output); - };*/ - - this.create_address = function(seed, nettype) { - var keys = {}; - // updated by Luigi and PS to support reduced and non-reduced seeds - var first; - if (seed.length !== 64) { - first = this.cn_fast_hash(seed); - } else { - first = this.sc_reduce32(seed); - } - keys.spend = this.generate_keys(first); - var second = this.cn_fast_hash(first); - keys.view = this.generate_keys(second); - keys.public_addr = this.pubkeys_to_string( - keys.spend.pub, - keys.view.pub, - nettype, - ); - return keys; - }; - - this.create_addr_prefix = function(seed, nettype) { - var first; - if (seed.length !== 64) { - first = 
this.cn_fast_hash(seed); - } else { - first = seed; - } - var spend = this.generate_keys(first); - var prefix = this.encode_varint( - nettype_utils.cryptonoteBase58PrefixForStandardAddressOn(nettype), - ); - return cnBase58.encode(prefix + spend.pub).slice(0, 44); - }; - - this.decode_address = function(address, nettype) { - var dec = cnBase58.decode(address); - var expectedPrefix = this.encode_varint( - nettype_utils.cryptonoteBase58PrefixForStandardAddressOn(nettype), - ); - var expectedPrefixInt = this.encode_varint( - nettype_utils.cryptonoteBase58PrefixForIntegratedAddressOn(nettype), - ); - var expectedPrefixSub = this.encode_varint( - nettype_utils.cryptonoteBase58PrefixForSubAddressOn(nettype), - ); - var prefix = dec.slice(0, expectedPrefix.length); - if ( - prefix !== expectedPrefix && - prefix !== expectedPrefixInt && - prefix !== expectedPrefixSub - ) { - throw "Invalid address prefix"; - } - dec = dec.slice(expectedPrefix.length); - var spend = dec.slice(0, 64); - var view = dec.slice(64, 128); - if (prefix === expectedPrefixInt) { - var intPaymentId = dec.slice(128, 128 + INTEGRATED_ID_SIZE * 2); - var checksum = dec.slice( - 128 + INTEGRATED_ID_SIZE * 2, - 128 + INTEGRATED_ID_SIZE * 2 + ADDRESS_CHECKSUM_SIZE * 2, - ); - var expectedChecksum = this.cn_fast_hash( - prefix + spend + view + intPaymentId, - ).slice(0, ADDRESS_CHECKSUM_SIZE * 2); - } else { - var checksum = dec.slice(128, 128 + ADDRESS_CHECKSUM_SIZE * 2); - var expectedChecksum = this.cn_fast_hash( - prefix + spend + view, - ).slice(0, ADDRESS_CHECKSUM_SIZE * 2); - } - if (checksum !== expectedChecksum) { - throw "Invalid checksum"; - } - if (intPaymentId) { - return { - spend: spend, - view: view, - intPaymentId: intPaymentId, - }; - } else { - return { - spend: spend, - view: view, - }; - } - }; - - this.is_subaddress = function(addr, nettype) { - var decoded = cnBase58.decode(addr); - var subaddressPrefix = this.encode_varint( - 
nettype_utils.cryptonoteBase58PrefixForSubAddressOn(nettype), - ); - var prefix = decoded.slice(0, subaddressPrefix.length); - return prefix === subaddressPrefix; - }; - - this.valid_keys = function(view_pub, view_sec, spend_pub, spend_sec) { - var expected_view_pub = this.sec_key_to_pub(view_sec); - var expected_spend_pub = this.sec_key_to_pub(spend_sec); - return ( - expected_spend_pub === spend_pub && expected_view_pub === view_pub - ); - }; - - this.hash_to_scalar = function(buf) { - var hash = this.cn_fast_hash(buf); - var scalar = this.sc_reduce32(hash); - return scalar; - }; - - /*this.generate_key_derivation = function(pub, sec) { - if (pub.length !== 64 || sec.length !== 64) { - throw "Invalid input length"; - } - var pub_b = hextobin(pub); - var sec_b = hextobin(sec); - const CNCrypto = loaded_CNCrypto(); - var pub_m = CNCrypto._malloc(KEY_SIZE); - CNCrypto.HEAPU8.set(pub_b, pub_m); - var sec_m = CNCrypto._malloc(KEY_SIZE); - CNCrypto.HEAPU8.set(sec_b, sec_m); - var ge_p3_m = CNCrypto._malloc(STRUCT_SIZES.GE_P3); - var ge_p2_m = CNCrypto._malloc(STRUCT_SIZES.GE_P2); - var ge_p1p1_m = CNCrypto._malloc(STRUCT_SIZES.GE_P1P1); - if (CNCrypto.ccall("ge_frombytes_vartime", "bool", ["number", "number"], [ge_p3_m, pub_m]) !== 0) { - throw "ge_frombytes_vartime returned non-zero error code"; - } - CNCrypto.ccall("ge_scalarmult", "void", ["number", "number", "number"], [ge_p2_m, sec_m, ge_p3_m]); - CNCrypto.ccall("ge_mul8", "void", ["number", "number"], [ge_p1p1_m, ge_p2_m]); - CNCrypto.ccall("ge_p1p1_to_p2", "void", ["number", "number"], [ge_p2_m, ge_p1p1_m]); - var derivation_m = CNCrypto._malloc(KEY_SIZE); - CNCrypto.ccall("ge_tobytes", "void", ["number", "number"], [derivation_m, ge_p2_m]); - var res = CNCrypto.HEAPU8.subarray(derivation_m, derivation_m + KEY_SIZE); - CNCrypto._free(pub_m); - CNCrypto._free(sec_m); - CNCrypto._free(ge_p3_m); - CNCrypto._free(ge_p2_m); - CNCrypto._free(ge_p1p1_m); - CNCrypto._free(derivation_m); - return bintohex(res); - };*/ - 
- this.generate_key_derivation = function(pub, sec) { - if (pub.length !== 64 || sec.length !== 64) { - throw "Invalid input length"; - } - var P = this.ge_scalarmult(pub, sec); - return this.ge_scalarmult(P, d2s(8)); //mul8 to ensure group - }; - - this.derivation_to_scalar = function(derivation, output_index) { - var buf = ""; - if (derivation.length !== STRUCT_SIZES.EC_POINT * 2) { - throw "Invalid derivation length!"; - } - buf += derivation; - var enc = encode_varint(output_index); - if (enc.length > 10 * 2) { - throw "output_index didn't fit in 64-bit varint"; - } - buf += enc; - return this.hash_to_scalar(buf); - }; - - this.derive_secret_key = function(derivation, out_index, sec) { - if (derivation.length !== 64 || sec.length !== 64) { - throw "Invalid input length!"; - } - const CNCrypto = loaded_CNCrypto(); - var scalar_m = CNCrypto._malloc(STRUCT_SIZES.EC_SCALAR); - var scalar_b = hextobin( - this.derivation_to_scalar(derivation, out_index), - ); - CNCrypto.HEAPU8.set(scalar_b, scalar_m); - var base_m = CNCrypto._malloc(KEY_SIZE); - CNCrypto.HEAPU8.set(hextobin(sec), base_m); - var derived_m = CNCrypto._malloc(STRUCT_SIZES.EC_SCALAR); - CNCrypto.ccall( - "sc_add", - "void", - ["number", "number", "number"], - [derived_m, base_m, scalar_m], - ); - var res = CNCrypto.HEAPU8.subarray( - derived_m, - derived_m + STRUCT_SIZES.EC_SCALAR, - ); - CNCrypto._free(scalar_m); - CNCrypto._free(base_m); - CNCrypto._free(derived_m); - return bintohex(res); - }; - - /*this.derive_public_key = function(derivation, out_index, pub) { - if (derivation.length !== 64 || pub.length !== 64) { - throw "Invalid input length!"; - } - const CNCrypto = loaded_CNCrypto(); - var derivation_m = CNCrypto._malloc(KEY_SIZE); - var derivation_b = hextobin(derivation); - CNCrypto.HEAPU8.set(derivation_b, derivation_m); - var base_m = CNCrypto._malloc(KEY_SIZE); - var base_b = hextobin(pub); - CNCrypto.HEAPU8.set(base_b, base_m); - var point1_m = CNCrypto._malloc(STRUCT_SIZES.GE_P3); - var 
point2_m = CNCrypto._malloc(STRUCT_SIZES.GE_P3); - var point3_m = CNCrypto._malloc(STRUCT_SIZES.GE_CACHED); - var point4_m = CNCrypto._malloc(STRUCT_SIZES.GE_P1P1); - var point5_m = CNCrypto._malloc(STRUCT_SIZES.GE_P2); - var derived_key_m = CNCrypto._malloc(KEY_SIZE); - if (CNCrypto.ccall("ge_frombytes_vartime", "bool", ["number", "number"], [point1_m, base_m]) !== 0) { - throw "ge_frombytes_vartime returned non-zero error code"; - } - var scalar_m = CNCrypto._malloc(STRUCT_SIZES.EC_SCALAR); - var scalar_b = hextobin(this.derivation_to_scalar(bintohex(CNCrypto.HEAPU8.subarray(derivation_m, derivation_m + STRUCT_SIZES.EC_POINT)), out_index)); - CNCrypto.HEAPU8.set(scalar_b, scalar_m); - CNCrypto.ccall("ge_scalarmult_base", "void", ["number", "number"], [point2_m, scalar_m]); - CNCrypto.ccall("ge_p3_to_cached", "void", ["number", "number"], [point3_m, point2_m]); - CNCrypto.ccall("ge_add", "void", ["number", "number", "number"], [point4_m, point1_m, point3_m]); - CNCrypto.ccall("ge_p1p1_to_p2", "void", ["number", "number"], [point5_m, point4_m]); - CNCrypto.ccall("ge_tobytes", "void", ["number", "number"], [derived_key_m, point5_m]); - var res = CNCrypto.HEAPU8.subarray(derived_key_m, derived_key_m + KEY_SIZE); - CNCrypto._free(derivation_m); - CNCrypto._free(base_m); - CNCrypto._free(scalar_m); - CNCrypto._free(point1_m); - CNCrypto._free(point2_m); - CNCrypto._free(point3_m); - CNCrypto._free(point4_m); - CNCrypto._free(point5_m); - CNCrypto._free(derived_key_m); - return bintohex(res); - };*/ - - this.derive_public_key = function(derivation, out_index, pub) { - if (derivation.length !== 64 || pub.length !== 64) { - throw "Invalid input length!"; - } - var s = this.derivation_to_scalar(derivation, out_index); - return bintohex( - nacl.ll.ge_add(hextobin(pub), hextobin(this.ge_scalarmult_base(s))), - ); - }; - - // D' = P - Hs(aR|i)G - this.derive_subaddress_public_key = function( - output_key, - derivation, - out_index, - ) { - if (output_key.length !== 64 || 
derivation.length !== 64) { - throw "Invalid input length!"; - } - var scalar = this.derivation_to_scalar(derivation, out_index); - var point = this.ge_scalarmult_base(scalar); - return this.ge_sub(output_key, point); - }; - - this.hash_to_ec = function(key) { - if (key.length !== KEY_SIZE * 2) { - throw "Invalid input length"; - } - const CNCrypto = loaded_CNCrypto(); - var h_m = CNCrypto._malloc(HASH_SIZE); - var point_m = CNCrypto._malloc(STRUCT_SIZES.GE_P2); - var point2_m = CNCrypto._malloc(STRUCT_SIZES.GE_P1P1); - var res_m = CNCrypto._malloc(STRUCT_SIZES.GE_P3); - var hash = hextobin(this.cn_fast_hash(key, KEY_SIZE)); - CNCrypto.HEAPU8.set(hash, h_m); - CNCrypto.ccall( - "ge_fromfe_frombytes_vartime", - "void", - ["number", "number"], - [point_m, h_m], - ); - CNCrypto.ccall( - "ge_mul8", - "void", - ["number", "number"], - [point2_m, point_m], - ); - CNCrypto.ccall( - "ge_p1p1_to_p3", - "void", - ["number", "number"], - [res_m, point2_m], - ); - var res = CNCrypto.HEAPU8.subarray(res_m, res_m + STRUCT_SIZES.GE_P3); - CNCrypto._free(h_m); - CNCrypto._free(point_m); - CNCrypto._free(point2_m); - CNCrypto._free(res_m); - return bintohex(res); - }; - - //returns a 32 byte point via "ge_p3_tobytes" rather than a 160 byte "p3", otherwise same as above; - this.hash_to_ec_2 = function(key) { - if (key.length !== KEY_SIZE * 2) { - throw "Invalid input length"; - } - const CNCrypto = loaded_CNCrypto(); - var h_m = CNCrypto._malloc(HASH_SIZE); - var point_m = CNCrypto._malloc(STRUCT_SIZES.GE_P2); - var point2_m = CNCrypto._malloc(STRUCT_SIZES.GE_P1P1); - var res_m = CNCrypto._malloc(STRUCT_SIZES.GE_P3); - var hash = hextobin(this.cn_fast_hash(key, KEY_SIZE)); - var res2_m = CNCrypto._malloc(KEY_SIZE); - CNCrypto.HEAPU8.set(hash, h_m); - CNCrypto.ccall( - "ge_fromfe_frombytes_vartime", - "void", - ["number", "number"], - [point_m, h_m], - ); - CNCrypto.ccall( - "ge_mul8", - "void", - ["number", "number"], - [point2_m, point_m], - ); - CNCrypto.ccall( - "ge_p1p1_to_p3", 
- "void", - ["number", "number"], - [res_m, point2_m], - ); - CNCrypto.ccall( - "ge_p3_tobytes", - "void", - ["number", "number"], - [res2_m, res_m], - ); - var res = CNCrypto.HEAPU8.subarray(res2_m, res2_m + KEY_SIZE); - CNCrypto._free(h_m); - CNCrypto._free(point_m); - CNCrypto._free(point2_m); - CNCrypto._free(res_m); - CNCrypto._free(res2_m); - return bintohex(res); - }; - this.hashToPoint = hash_to_ec_2; - - this.generate_key_image_2 = function(pub, sec) { - if (!pub || !sec || pub.length !== 64 || sec.length !== 64) { - throw "Invalid input length"; - } - const CNCrypto = loaded_CNCrypto(); - var pub_m = CNCrypto._malloc(KEY_SIZE); - var sec_m = CNCrypto._malloc(KEY_SIZE); - CNCrypto.HEAPU8.set(hextobin(pub), pub_m); - CNCrypto.HEAPU8.set(hextobin(sec), sec_m); - if (CNCrypto.ccall("sc_check", "number", ["number"], [sec_m]) !== 0) { - throw "sc_check(sec) != 0"; - } - var point_m = CNCrypto._malloc(STRUCT_SIZES.GE_P3); - var point2_m = CNCrypto._malloc(STRUCT_SIZES.GE_P2); - var point_b = hextobin(this.hash_to_ec(pub)); - CNCrypto.HEAPU8.set(point_b, point_m); - var image_m = CNCrypto._malloc(STRUCT_SIZES.KEY_IMAGE); - CNCrypto.ccall( - "ge_scalarmult", - "void", - ["number", "number", "number"], - [point2_m, sec_m, point_m], - ); - CNCrypto.ccall( - "ge_tobytes", - "void", - ["number", "number"], - [image_m, point2_m], - ); - var res = CNCrypto.HEAPU8.subarray( - image_m, - image_m + STRUCT_SIZES.KEY_IMAGE, - ); - CNCrypto._free(pub_m); - CNCrypto._free(sec_m); - CNCrypto._free(point_m); - CNCrypto._free(point2_m); - CNCrypto._free(image_m); - return bintohex(res); - }; - - this.generate_key_image = function( - tx_pub, - view_sec, - spend_pub, - spend_sec, - output_index, - ) { - if (tx_pub.length !== 64) { - throw "Invalid tx_pub length"; - } - if (view_sec.length !== 64) { - throw "Invalid view_sec length"; - } - if (spend_pub.length !== 64) { - throw "Invalid spend_pub length"; - } - if (spend_sec.length !== 64) { - throw "Invalid spend_sec length"; - } - 
var recv_derivation = this.generate_key_derivation(tx_pub, view_sec); - var ephemeral_pub = this.derive_public_key( - recv_derivation, - output_index, - spend_pub, - ); - var ephemeral_sec = this.derive_secret_key( - recv_derivation, - output_index, - spend_sec, - ); - var k_image = this.generate_key_image_2(ephemeral_pub, ephemeral_sec); - return { - ephemeral_pub: ephemeral_pub, - key_image: k_image, - }; - }; - - this.generate_key_image_helper_rct = function( - keys, - tx_pub_key, - out_index, - enc_mask, - ) { - var recv_derivation = this.generate_key_derivation( - tx_pub_key, - keys.view.sec, - ); - if (!recv_derivation) throw "Failed to generate key image"; - var mask = enc_mask - ? sc_sub( - enc_mask, - hash_to_scalar( - derivation_to_scalar(recv_derivation, out_index), - ), - ) - : I; //decode mask, or d2s(1) if no mask - var ephemeral_pub = this.derive_public_key( - recv_derivation, - out_index, - keys.spend.pub, - ); - if (!ephemeral_pub) throw "Failed to generate key image"; - var ephemeral_sec = this.derive_secret_key( - recv_derivation, - out_index, - keys.spend.sec, - ); - var image = this.generate_key_image_2(ephemeral_pub, ephemeral_sec); - return { - in_ephemeral: { - pub: ephemeral_pub, - sec: ephemeral_sec, - mask: mask, - }, - image: image, - }; - }; - - //curve and scalar functions; split out to make their host functions cleaner and more readable - //inverts X coordinate -- this seems correct ^_^ -luigi1111 - this.ge_neg = function(point) { - if (point.length !== 64) { - throw "expected 64 char hex string"; - } - return ( - point.slice(0, 62) + - ((parseInt(point.slice(62, 63), 16) + 8) % 16).toString(16) + - point.slice(63, 64) - ); - }; - - //adds two points together, order does not matter - /*this.ge_add2 = function(point1, point2) { - const CNCrypto = loaded_CNCrypto(); - var point1_m = CNCrypto._malloc(KEY_SIZE); - var point2_m = CNCrypto._malloc(KEY_SIZE); - var point1_m2 = CNCrypto._malloc(STRUCT_SIZES.GE_P3); - var point2_m2 = 
CNCrypto._malloc(STRUCT_SIZES.GE_P3); - CNCrypto.HEAPU8.set(hextobin(point1), point1_m); - CNCrypto.HEAPU8.set(hextobin(point2), point2_m); - if (CNCrypto.ccall("ge_frombytes_vartime", "bool", ["number", "number"], [point1_m2, point1_m]) !== 0) { - throw "ge_frombytes_vartime returned non-zero error code"; - } - if (CNCrypto.ccall("ge_frombytes_vartime", "bool", ["number", "number"], [point2_m2, point2_m]) !== 0) { - throw "ge_frombytes_vartime returned non-zero error code"; - } - var sum_m = CNCrypto._malloc(KEY_SIZE); - var p2_m = CNCrypto._malloc(STRUCT_SIZES.GE_P2); - var p1_m = CNCrypto._malloc(STRUCT_SIZES.GE_P1P1); - var p3_m = CNCrypto._malloc(STRUCT_SIZES.GE_CACHED); - CNCrypto.ccall("ge_p3_to_cached", "void", ["number", "number"], [p3_m, point2_m2]); - CNCrypto.ccall("ge_add", "void", ["number", "number", "number"], [p1_m, point1_m2, p3_m]); - CNCrypto.ccall("ge_p1p1_to_p2", "void", ["number", "number"], [p2_m, p1_m]); - CNCrypto.ccall("ge_tobytes", "void", ["number", "number"], [sum_m, p2_m]); - var res = CNCrypto.HEAPU8.subarray(sum_m, sum_m + KEY_SIZE); - CNCrypto._free(point1_m); - CNCrypto._free(point1_m2); - CNCrypto._free(point2_m); - CNCrypto._free(point2_m2); - CNCrypto._free(p2_m); - CNCrypto._free(p1_m); - CNCrypto._free(sum_m); - CNCrypto._free(p3_m); - return bintohex(res); - };*/ - - this.ge_add = function(p1, p2) { - if (p1.length !== 64 || p2.length !== 64) { - throw "Invalid input length!"; - } - return bintohex(nacl.ll.ge_add(hextobin(p1), hextobin(p2))); - }; - - //order matters - this.ge_sub = function(point1, point2) { - point2n = ge_neg(point2); - return ge_add(point1, point2n); - }; - - //adds two scalars together - this.sc_add = function(scalar1, scalar2) { - if (scalar1.length !== 64 || scalar2.length !== 64) { - throw "Invalid input length!"; - } - const CNCrypto = loaded_CNCrypto(); - var scalar1_m = CNCrypto._malloc(STRUCT_SIZES.EC_SCALAR); - var scalar2_m = CNCrypto._malloc(STRUCT_SIZES.EC_SCALAR); - 
CNCrypto.HEAPU8.set(hextobin(scalar1), scalar1_m); - CNCrypto.HEAPU8.set(hextobin(scalar2), scalar2_m); - var derived_m = CNCrypto._malloc(STRUCT_SIZES.EC_SCALAR); - CNCrypto.ccall( - "sc_add", - "void", - ["number", "number", "number"], - [derived_m, scalar1_m, scalar2_m], - ); - var res = CNCrypto.HEAPU8.subarray( - derived_m, - derived_m + STRUCT_SIZES.EC_SCALAR, - ); - CNCrypto._free(scalar1_m); - CNCrypto._free(scalar2_m); - CNCrypto._free(derived_m); - return bintohex(res); - }; - - //subtracts one scalar from another - this.sc_sub = function(scalar1, scalar2) { - if (scalar1.length !== 64 || scalar2.length !== 64) { - throw "Invalid input length!"; - } - const CNCrypto = loaded_CNCrypto(); - var scalar1_m = CNCrypto._malloc(STRUCT_SIZES.EC_SCALAR); - var scalar2_m = CNCrypto._malloc(STRUCT_SIZES.EC_SCALAR); - CNCrypto.HEAPU8.set(hextobin(scalar1), scalar1_m); - CNCrypto.HEAPU8.set(hextobin(scalar2), scalar2_m); - var derived_m = CNCrypto._malloc(STRUCT_SIZES.EC_SCALAR); - CNCrypto.ccall( - "sc_sub", - "void", - ["number", "number", "number"], - [derived_m, scalar1_m, scalar2_m], - ); - var res = CNCrypto.HEAPU8.subarray( - derived_m, - derived_m + STRUCT_SIZES.EC_SCALAR, - ); - CNCrypto._free(scalar1_m); - CNCrypto._free(scalar2_m); - CNCrypto._free(derived_m); - return bintohex(res); - }; - - //fun mul function - this.sc_mul = function(scalar1, scalar2) { - if (scalar1.length !== 64 || scalar2.length !== 64) { - throw "Invalid input length!"; - } - return d2s( - JSBigInt(s2d(scalar1)) - .multiply(JSBigInt(s2d(scalar2))) - .remainder(l) - .toString(), - ); - }; - - //res = c - (ab) mod l; argument names copied from the signature implementation - this.sc_mulsub = function(sigc, sec, k) { - if ( - k.length !== KEY_SIZE * 2 || - sigc.length !== KEY_SIZE * 2 || - sec.length !== KEY_SIZE * 2 || - !this.valid_hex(k) || - !this.valid_hex(sigc) || - !this.valid_hex(sec) - ) { - throw "bad scalar"; - } - const CNCrypto = loaded_CNCrypto(); - var sec_m = 
CNCrypto._malloc(KEY_SIZE); - CNCrypto.HEAPU8.set(hextobin(sec), sec_m); - var sigc_m = CNCrypto._malloc(KEY_SIZE); - CNCrypto.HEAPU8.set(hextobin(sigc), sigc_m); - var k_m = CNCrypto._malloc(KEY_SIZE); - CNCrypto.HEAPU8.set(hextobin(k), k_m); - var res_m = CNCrypto._malloc(KEY_SIZE); - - CNCrypto.ccall( - "sc_mulsub", - "void", - ["number", "number", "number", "number"], - [res_m, sigc_m, sec_m, k_m], - ); - res = CNCrypto.HEAPU8.subarray(res_m, res_m + KEY_SIZE); - CNCrypto._free(k_m); - CNCrypto._free(sec_m); - CNCrypto._free(sigc_m); - CNCrypto._free(res_m); - return bintohex(res); - }; - - //res = aB + cG; argument names copied from the signature implementation - /*this.ge_double_scalarmult_base_vartime = function(sigc, pub, sigr) { - const CNCrypto = loaded_CNCrypto(); - var pub_m = CNCrypto._malloc(KEY_SIZE); - var pub2_m = CNCrypto._malloc(STRUCT_SIZES.GE_P3); - CNCrypto.HEAPU8.set(hextobin(pub), pub_m); - if (CNCrypto.ccall("ge_frombytes_vartime", "void", ["number", "number"], [pub2_m, pub_m]) !== 0) { - throw "Failed to call ge_frombytes_vartime"; - } - var sigc_m = CNCrypto._malloc(KEY_SIZE); - CNCrypto.HEAPU8.set(hextobin(sigc), sigc_m); - var sigr_m = CNCrypto._malloc(KEY_SIZE); - CNCrypto.HEAPU8.set(hextobin(sigr), sigr_m); - if (CNCrypto.ccall("sc_check", "number", ["number"], [sigc_m]) !== 0 || CNCrypto.ccall("sc_check", "number", ["number"], [sigr_m]) !== 0) { - throw "bad scalar(s)"; - } - var tmp_m = CNCrypto._malloc(STRUCT_SIZES.GE_P2); - var res_m = CNCrypto._malloc(KEY_SIZE); - CNCrypto.ccall("ge_double_scalarmult_base_vartime", "void", ["number", "number", "number", "number"], [tmp_m, sigc_m, pub2_m, sigr_m]); - CNCrypto.ccall("ge_tobytes", "void", ["number", "number"], [res_m, tmp_m]); - var res = CNCrypto. 
HEAPU8.subarray(res_m, res_m + KEY_SIZE); - CNCrypto._free(pub_m); - CNCrypto._free(pub2_m); - CNCrypto._free(sigc_m); - CNCrypto._free(sigr_m); - CNCrypto._free(tmp_m); - CNCrypto._free(res_m); - return bintohex(res); - };*/ - - this.ge_double_scalarmult_base_vartime = function(c, P, r) { - if (c.length !== 64 || P.length !== 64 || r.length !== 64) { - throw "Invalid input length!"; - } - return bintohex( - nacl.ll.ge_double_scalarmult_base_vartime( - hextobin(c), - hextobin(P), - hextobin(r), - ), - ); - }; - - //res = a * Hp(B) + c*D - //res = sigr * Hp(pub) + sigc * k_image; argument names also copied from the signature implementation; note precomp AND hash_to_ec are done internally!! - /*this.ge_double_scalarmult_postcomp_vartime = function(sigr, pub, sigc, k_image) { - const CNCrypto = loaded_CNCrypto(); - var image_m = CNCrypto._malloc(STRUCT_SIZES.KEY_IMAGE); - CNCrypto.HEAPU8.set(hextobin(k_image), image_m); - var image_unp_m = CNCrypto._malloc(STRUCT_SIZES.GE_P3); - var image_pre_m = CNCrypto._malloc(STRUCT_SIZES.GE_DSMP); - var tmp3_m = CNCrypto._malloc(STRUCT_SIZES.GE_P3); - var sigr_m = CNCrypto._malloc(STRUCT_SIZES.EC_SCALAR); - var sigc_m = CNCrypto._malloc(STRUCT_SIZES.EC_SCALAR); - var tmp2_m = CNCrypto._malloc(STRUCT_SIZES.GE_P2); - var res_m = CNCrypto._malloc(STRUCT_SIZES.EC_POINT); - if (CNCrypto.ccall("ge_frombytes_vartime", "void", ["number", "number"], [image_unp_m, image_m]) !== 0) { - throw "Failed to call ge_frombytes_vartime"; - } - CNCrypto.ccall("ge_dsm_precomp", "void", ["number", "number"], [image_pre_m, image_unp_m]); - var ec = this.hash_to_ec(pub); - CNCrypto.HEAPU8.set(hextobin(ec), tmp3_m); - CNCrypto.HEAPU8.set(hextobin(sigc), sigc_m); - CNCrypto.HEAPU8.set(hextobin(sigr), sigr_m); - CNCrypto.ccall("ge_double_scalarmult_precomp_vartime", "void", ["number", "number", "number", "number", "number"], [tmp2_m, sigr_m, tmp3_m, sigc_m, image_pre_m]); - CNCrypto.ccall("ge_tobytes", "void", ["number", "number"], [res_m, tmp2_m]); - var 
res = CNCrypto. HEAPU8.subarray(res_m, res_m + STRUCT_SIZES.EC_POINT); - CNCrypto._free(image_m); - CNCrypto._free(image_unp_m); - CNCrypto._free(image_pre_m); - CNCrypto._free(tmp3_m); - CNCrypto._free(sigr_m); - CNCrypto._free(sigc_m); - CNCrypto._free(tmp2_m); - CNCrypto._free(res_m); - return bintohex(res); - };*/ - - this.ge_double_scalarmult_postcomp_vartime = function(r, P, c, I) { - if ( - c.length !== 64 || - P.length !== 64 || - r.length !== 64 || - I.length !== 64 - ) { - throw "Invalid input length!"; - } - var Pb = this.hash_to_ec_2(P); - return bintohex( - nacl.ll.ge_double_scalarmult_postcomp_vartime( - hextobin(r), - hextobin(Pb), - hextobin(c), - hextobin(I), - ), - ); - }; - - //begin RCT functions - - //xv: vector of secret keys, 1 per ring (nrings) - //pm: matrix of pubkeys, indexed by size first - //iv: vector of indexes, 1 per ring (nrings), can be a string - //size: ring size, default 2 - //nrings: number of rings, default 64 - //extensible borromean signatures - this.genBorromean = function(xv, pm, iv, size, nrings) { - if (xv.length !== nrings) { - throw "wrong xv length " + xv.length; - } - if (pm.length !== size) { - throw "wrong pm size " + pm.length; - } - for (var i = 0; i < pm.length; i++) { - if (pm[i].length !== nrings) { - throw "wrong pm[" + i + "] length " + pm[i].length; - } - } - if (iv.length !== nrings) { - throw "wrong iv length " + iv.length; - } - for (var i = 0; i < iv.length; i++) { - if (iv[i] >= size) { - throw "bad indices value at: " + i + ": " + iv[i]; - } - } - //signature struct - // in the case of size 2 and nrings 64 - // bb.s = [[64], [64]] - var bb = { - s: [], - ee: "", - }; - //signature pubkey matrix - var L = []; - //add needed sub vectors (1 per ring size) - for (var i = 0; i < size; i++) { - bb.s[i] = []; - L[i] = []; - } - //compute starting at the secret index to the last row - var index; - var alpha = []; - for (var i = 0; i < nrings; i++) { - index = parseInt(iv[i]); - alpha[i] = random_scalar(); - 
L[index][i] = ge_scalarmult_base(alpha[i]); - for (var j = index + 1; j < size; j++) { - bb.s[j][i] = random_scalar(); - var c = hash_to_scalar(L[j - 1][i]); - L[j][i] = ge_double_scalarmult_base_vartime( - c, - pm[j][i], - bb.s[j][i], - ); - } - } - //hash last row to create ee - var ltemp = ""; - for (var i = 0; i < nrings; i++) { - ltemp += L[size - 1][i]; - } - bb.ee = hash_to_scalar(ltemp); - //compute the rest from 0 to secret index - for (var i = 0; i < nrings; i++) { - var cc = bb.ee; - for (var j = 0; j < iv[i]; j++) { - bb.s[j][i] = random_scalar(); - var LL = ge_double_scalarmult_base_vartime( - cc, - pm[j][i], - bb.s[j][i], - ); - cc = hash_to_scalar(LL); - } - bb.s[j][i] = sc_mulsub(xv[i], cc, alpha[i]); - } - return bb; - }; - - this.verifyBorromean = function(bb, P1, P2) { - let Lv1 = []; - let chash; - let LL; - - let p2 = ""; - for (let ii = 0; ii < 64; ii++) { - p2 = this.ge_double_scalarmult_base_vartime( - bb.ee, - P1[ii], - bb.s[0][ii], - ); - LL = p2; - chash = this.hash_to_scalar(LL); - - p2 = this.ge_double_scalarmult_base_vartime( - chash, - P2[ii], - bb.s[1][ii], - ); - Lv1[ii] = p2; - } - const eeComputed = this.array_hash_to_scalar(Lv1); - const equalKeys = eeComputed === bb.ee; - console.log(`[verifyBorromean] Keys equal? ${equalKeys} - ${eeComputed} - ${bb.ee}`); - - return equalKeys; - }; - - //proveRange - //proveRange gives C, and mask such that \sumCi = C - // c.f. 
http://eprint.iacr.org/2015/1098 section 5.1 - // and Ci is a commitment to either 0 or s^i, i=0,...,n - // thus this proves that "amount" is in [0, s^n] (we assume s to be 4) (2 for now with v2 txes) - // mask is a such that C = aG + bH, and b = amount - //commitMaskObj = {C: commit, mask: mask} - this.proveRange = function( - commitMaskObj, - amount, - nrings, - enc_seed, - exponent, - ) { - var size = 2; - var C = I; //identity - var mask = Z; //zero scalar - var indices = d2b(amount); //base 2 for now - var sig = { - Ci: [], - //exp: exponent //doesn't exist for now - }; - /*payload stuff - ignore for now - seeds = new Array(3); - for (var i = 0; i < seeds.length; i++){ - seeds[i] = new Array(1); - } - genSeeds(seeds, enc_seed); - */ - var ai = []; - var PM = []; - for (var i = 0; i < size; i++) { - PM[i] = []; - } - var j; - //start at index and fill PM left and right -- PM[0] holds Ci - for (var i = 0; i < nrings; i++) { - ai[i] = random_scalar(); - j = indices[i]; - PM[j][i] = ge_scalarmult_base(ai[i]); - while (j > 0) { - j--; - PM[j][i] = ge_add(PM[j + 1][i], H2[i]); //will need to use i*2 for base 4 (or different object) - } - j = indices[i]; - while (j < size - 1) { - j++; - PM[j][i] = ge_sub(PM[j - 1][i], H2[i]); //will need to use i*2 for base 4 (or different object) - } - mask = sc_add(mask, ai[i]); - } - /* - * some more payload stuff here - */ - //copy commitments to sig and sum them to commitment - for (var i = 0; i < nrings; i++) { - //if (i < nrings - 1) //for later version - sig.Ci[i] = PM[0][i]; - C = ge_add(C, PM[0][i]); - } - /* exponent stuff - ignore for now - if (exponent){ - n = JSBigInt(10); - n = n.pow(exponent).toString(); - mask = sc_mul(mask, d2s(n)); //new sum - } - */ - sig.bsig = this.genBorromean(ai, PM, indices, size, nrings); - commitMaskObj.C = C; - commitMaskObj.mask = mask; - return sig; - }; - - //proveRange and verRange - //proveRange gives C, and mask such that \sumCi = C - // c.f. 
http://eprint.iacr.org/2015/1098 section 5.1 - // and Ci is a commitment to either 0 or 2^i, i=0,...,63 - // thus this proves that "amount" is in [0, 2^64] - // mask is a such that C = aG + bH, and b = amount - //verRange verifies that \sum Ci = C and that each Ci is a commitment to 0 or 2^i - - this.verRange = function(C, as, nrings = 64) { - try { - let CiH = []; // len 64 - let asCi = []; // len 64 - let Ctmp = this.identity(); - for (let i = 0; i < nrings; i++) { - CiH[i] = this.ge_sub(as.Ci[i], this.H2[i]); - asCi[i] = as.Ci[i]; - Ctmp = this.ge_add(Ctmp, as.Ci[i]); - } - const equalKeys = Ctmp === C; - console.log(`[verRange] Equal keys? ${equalKeys} - C: ${C} - Ctmp: ${Ctmp}`); - if (!equalKeys) { - return false; - } - - if (!this.verifyBorromean(as.bsig, asCi, CiH)) { - return false; - } - - return true; - } catch (e) { - console.error(`[verRange]`, e); - return false; - } - }; - - function array_hash_to_scalar(array) { - var buf = ""; - for (var i = 0; i < array.length; i++) { - if (typeof array[i] !== "string") { - throw "unexpected array element"; - } - buf += array[i]; - } - return hash_to_scalar(buf); - } - this.array_hash_to_scalar = array_hash_to_scalar; - - // Gen creates a signature which proves that for some column in the keymatrix "pk" - // the signer knows a secret key for each row in that column - // we presently only support matrices of 2 rows (pubkey, commitment) - // this is a simplied MLSAG_Gen function to reflect that - // because we don't want to force same secret column for all inputs - this.MLSAG_Gen = function(message, pk, xx, kimg, index) { - var cols = pk.length; //ring size - var i; - - // secret index - if (index >= cols) { - throw "index out of range"; - } - var rows = pk[0].length; //number of signature rows (always 2) - // [pub, com] = 2 - if (rows !== 2) { - throw "wrong row count"; - } - // check all are len 2 - for (i = 0; i < cols; i++) { - if (pk[i].length !== rows) { - throw "pk is not rectangular"; - } - } - if (xx.length 
!== rows) { - throw "bad xx size"; - } - - var c_old = ""; - var alpha = []; - - var rv = { - ss: [], - cc: null, - }; - for (i = 0; i < cols; i++) { - rv.ss[i] = []; - } - var toHash = []; //holds 6 elements: message, pubkey, dsRow L, dsRow R, commitment, ndsRow L - toHash[0] = message; - - //secret index (pubkey section) - - alpha[0] = random_scalar(); //need to save alphas for later - toHash[1] = pk[index][0]; //secret index pubkey - - // this is the keyimg anyway const H1 = this.hashToPoint(pk[index][0]) // Hp(K_in) - // rv.II[0] = this.ge_scalarmult(H1, xx[0]) // k_in.Hp(K_in) - - toHash[2] = ge_scalarmult_base(alpha[0]); //dsRow L, a.G - toHash[3] = generate_key_image_2(pk[index][0], alpha[0]); //dsRow R (key image check) - //secret index (commitment section) - alpha[1] = random_scalar(); - toHash[4] = pk[index][1]; //secret index commitment - toHash[5] = ge_scalarmult_base(alpha[1]); //ndsRow L - - c_old = array_hash_to_scalar(toHash); - - i = (index + 1) % cols; - if (i === 0) { - rv.cc = c_old; - } - while (i != index) { - rv.ss[i][0] = random_scalar(); //dsRow ss - rv.ss[i][1] = random_scalar(); //ndsRow ss - - //!secret index (pubkey section) - toHash[1] = pk[i][0]; - toHash[2] = ge_double_scalarmult_base_vartime( - c_old, - pk[i][0], - rv.ss[i][0], - ); - toHash[3] = ge_double_scalarmult_postcomp_vartime( - rv.ss[i][0], - pk[i][0], - c_old, - kimg, - ); - //!secret index (commitment section) - toHash[4] = pk[i][1]; - toHash[5] = ge_double_scalarmult_base_vartime( - c_old, - pk[i][1], - rv.ss[i][1], - ); - c_old = array_hash_to_scalar(toHash); //hash to get next column c - i = (i + 1) % cols; - if (i === 0) { - rv.cc = c_old; - } - } - for (i = 0; i < rows; i++) { - rv.ss[index][i] = sc_mulsub(c_old, xx[i], alpha[i]); - } - return rv; - }; - - this.MLSAG_ver = function(message, pk, rv, kimg) { - // we assume that col, row, rectangular checks are already done correctly - // in MLSAG_gen - const cols = pk.length; - let c_old = rv.cc; - let i = 0; - let 
toHash = []; - toHash[0] = message; - while (i < cols) { - //!secret index (pubkey section) - toHash[1] = pk[i][0]; - toHash[2] = ge_double_scalarmult_base_vartime( - c_old, - pk[i][0], - rv.ss[i][0], - ); - toHash[3] = ge_double_scalarmult_postcomp_vartime( - rv.ss[i][0], - pk[i][0], - c_old, - kimg, - ); - - //!secret index (commitment section) - toHash[4] = pk[i][1]; - toHash[5] = ge_double_scalarmult_base_vartime( - c_old, - pk[i][1], - rv.ss[i][1], - ); - - c_old = array_hash_to_scalar(toHash); - - i = i + 1; - } - - const c = this.sc_sub(c_old, rv.cc); - console.log(`[MLSAG_ver] - c_old: ${c_old} - rc.cc: ${rv.cc} - c: ${c}`); - - return Number(c) === 0; - }; - - //Ring-ct MG sigs - //Prove: - // c.f. http://eprint.iacr.org/2015/1098 section 4. definition 10. - // This does the MG sig on the "dest" part of the given key matrix, and - // the last row is the sum of input commitments from that column - sum output commitments - // this shows that sum inputs = sum outputs - //Ver: - // verifies the above sig is created corretly - this.proveRctMG = function(message, pubs, inSk, kimg, mask, Cout, index) { - var cols = pubs.length; - if (cols < 3) { - throw "cols must be > 2 (mixin)"; - } - var xx = []; - var PK = []; - //fill pubkey matrix (copy destination, subtract commitments) - for (var i = 0; i < cols; i++) { - PK[i] = []; - PK[i][0] = pubs[i].dest; - PK[i][1] = ge_sub(pubs[i].mask, Cout); - } - xx[0] = inSk.x; - xx[1] = sc_sub(inSk.a, mask); - return this.MLSAG_Gen(message, PK, xx, kimg, index); - }; - - //Ring-ct MG sigs - //Prove: - // c.f. http://eprint.iacr.org/2015/1098 section 4. definition 10. 
- // This does the MG sig on the "dest" part of the given key matrix, and - // the last row is the sum of input commitments from that column - sum output commitments - // this shows that sum inputs = sum outputs - //Ver: - // verifies the above sig is created corretly - - this.verRctMG = function(mg, pubs, outPk, txnFeeKey, message, kimg) { - const cols = pubs.length; - if (cols < 1) { - throw Error("Empty pubs"); - } - const rows = pubs[0].length; - if (rows < 1) { - throw Error("Empty pubs"); - } - for (let i = 0; i < cols.length; ++i) { - if (pubs[i].length !== rows) { - throw Error("Pubs is not rectangular"); - } - } - - // key matrix of (cols, tmp) - - let M = []; - console.log(pubs); - //create the matrix to mg sig - for (let i = 0; i < rows; i++) { - M[i] = []; - M[i][0] = pubs[0][i].dest; - M[i][1] = this.ge_add(M[i][1] || this.identity(), pubs[0][i].mask); // start with input commitment - for (let j = 0; j < outPk.length; j++) { - M[i][1] = this.ge_sub(M[i][1], outPk[j]); // subtract all output commitments - } - M[i][1] = this.ge_sub(M[i][1], txnFeeKey); // subtract txnfee - } - - console.log( - `[MLSAG_ver input]`, - JSON.stringify({ message, M, mg, kimg }, null, 1), - ); - return this.MLSAG_ver(message, M, mg, kimg); - }; - - // simple version, assuming only post Rct - - this.verRctMGSimple = function(message, mg, pubs, C, kimg) { - try { - const rows = 1; - const cols = pubs.len; - const M = []; - - for (let i = 0; i < cols; i++) { - M[i][0] = pubs[i].dest; - M[i][1] = this.ge_sub(pubs[i].mask, C); - } - - return MLSAG_ver(message, M, mg, kimg); - } catch (error) { - console.error("[verRctSimple]", error); - return false; - } - }; - - this.verBulletProof = function() { - throw Error("verBulletProof is not implemented"); - }; - - this.get_pre_mlsag_hash = function(rv) { - var hashes = ""; - hashes += rv.message; - hashes += this.cn_fast_hash(this.serialize_rct_base(rv)); - var buf = serialize_range_proofs(rv); - hashes += this.cn_fast_hash(buf); - return 
this.cn_fast_hash(hashes); - }; - - function serialize_range_proofs(rv) { - var buf = ""; - for (var i = 0; i < rv.p.rangeSigs.length; i++) { - for (var j = 0; j < rv.p.rangeSigs[i].bsig.s.length; j++) { - for (var l = 0; l < rv.p.rangeSigs[i].bsig.s[j].length; l++) { - buf += rv.p.rangeSigs[i].bsig.s[j][l]; - } - } - buf += rv.p.rangeSigs[i].bsig.ee; - for (j = 0; j < rv.p.rangeSigs[i].Ci.length; j++) { - buf += rv.p.rangeSigs[i].Ci[j]; - } - } - return buf; - } - - //message is normal prefix hash - //inSk is vector of x,a - //kimg is vector of kimg - //destinations is vector of pubkeys (we skip and proxy outAmounts instead) - //inAmounts is vector of strings - //outAmounts is vector of strings - //mixRing is matrix of pubkey, commit (dest, mask) - //amountKeys is vector of scalars - //indices is vector - //txnFee is string, with its endian not swapped (e.g d2s is not called before passing it in as an argument) - //to this function - this.genRct = function( - message, - inSk, - kimg, - /*destinations, */ inAmounts, - outAmounts, - mixRing, - amountKeys, - indices, - txnFee, - ) { - if (outAmounts.length !== amountKeys.length) { - throw "different number of amounts/amount_keys"; - } - for (var i = 0; i < mixRing.length; i++) { - if (mixRing[i].length <= indices[i]) { - throw "bad mixRing/index size"; - } - } - if (mixRing.length !== inSk.length) { - throw "mismatched mixRing/inSk"; - } - if (inAmounts.length !== inSk.length) { - throw "mismatched inAmounts/inSk"; - } - if (indices.length !== inSk.length) { - throw "mismatched indices/inSk"; - } - - rv = { - type: inSk.length === 1 ? 
RCTTypeFull : RCTTypeSimple, - message: message, - outPk: [], - p: { - rangeSigs: [], - MGs: [], - }, - ecdhInfo: [], - txnFee: txnFee.toString(), - pseudoOuts: [], - }; - - var sumout = Z; - var cmObj = { - C: null, - mask: null, - }; - var nrings = 64; //for base 2/current - var i; - //compute range proofs, etc - for (i = 0; i < outAmounts.length; i++) { - var teststart = new Date().getTime(); - rv.p.rangeSigs[i] = this.proveRange( - cmObj, - outAmounts[i], - nrings, - 0, - 0, - ); - var testfinish = new Date().getTime() - teststart; - console.log("Time take for range proof " + i + ": " + testfinish); - rv.outPk[i] = cmObj.C; - sumout = sc_add(sumout, cmObj.mask); - rv.ecdhInfo[i] = this.encode_rct_ecdh( - { mask: cmObj.mask, amount: d2s(outAmounts[i]) }, - amountKeys[i], - ); - } - - //simple - if (rv.type === 2) { - var ai = []; - var sumpouts = Z; - //create pseudoOuts - for (i = 0; i < inAmounts.length - 1; i++) { - ai[i] = random_scalar(); - sumpouts = sc_add(sumpouts, ai[i]); - rv.pseudoOuts[i] = commit(d2s(inAmounts[i]), ai[i]); - } - ai[i] = sc_sub(sumout, sumpouts); - rv.pseudoOuts[i] = commit(d2s(inAmounts[i]), ai[i]); - var full_message = this.get_pre_mlsag_hash(rv); - for (i = 0; i < inAmounts.length; i++) { - rv.p.MGs.push( - this.proveRctMG( - full_message, - mixRing[i], - inSk[i], - kimg[i], - ai[i], - rv.pseudoOuts[i], - indices[i], - ), - ); - } - } else { - var sumC = I; - //get sum of output commitments to use in MLSAG - for (i = 0; i < rv.outPk.length; i++) { - sumC = ge_add(sumC, rv.outPk[i]); - } - sumC = ge_add(sumC, ge_scalarmult(H, d2s(rv.txnFee))); - var full_message = this.get_pre_mlsag_hash(rv); - rv.p.MGs.push( - this.proveRctMG( - full_message, - mixRing[0], - inSk[0], - kimg[0], - sumout, - sumC, - indices[0], - ), - ); - } - return rv; - }; - - this.verRct = function(rv, semantics, mixRing, kimg) { - if (rv.type === 0x03) { - throw Error("Bulletproof validation not implemented"); - } - - // where RCTTypeFull is 0x01 and 
RCTTypeFullBulletproof is 0x03 - if (rv.type !== 0x01 && rv.type !== 0x03) { - throw Error("verRct called on non-full rctSig"); - } - if (semantics) { - //RCTTypeFullBulletproof checks not implemented - // RCTTypeFull checks - if (rv.outPk.length !== rv.p.rangeSigs.length) { - throw Error("Mismatched sizes of outPk and rv.p.rangeSigs"); - } - if (rv.outPk.length !== rv.ecdhInfo.length) { - throw Error("Mismatched sizes of outPk and rv.ecdhInfo"); - } - if (rv.p.MGs.length !== 1) { - throw Error("full rctSig has not one MG"); - } - } else { - // semantics check is early, we don't have the MGs resolved yet - } - try { - if (semantics) { - const results = []; - for (let i = 0; i < rv.outPk.length; i++) { - // might want to parallelize this like its done in the c++ codebase - // via some abstraction library to support browser + node - if (rv.p.rangeSigs.length === 0) { - results[i] = this.verBulletproof(rv.p.bulletproofs[i]); - } else { - // mask -> C if public - results[i] = this.verRange( - rv.outPk[i], - rv.p.rangeSigs[i], - ); - } - } - - for (let i = 0; i < rv.outPk.length; i++) { - if (!results[i]) { - console.error( - "Range proof verification failed for output", - i, - ); - return false; - } - } - } else { - // compute txn fee - const txnFeeKey = this.ge_scalarmult(H, this.d2s(rv.txnFee)); - const mgVerd = this.verRctMG( - rv.p.MGs[0], - mixRing, - rv.outPk, - txnFeeKey, - this.get_pre_mlsag_hash(rv), - kimg, - ); - console.log("mg sig verified?", mgVerd); - if (!mgVerd) { - console.error("MG Signature verification failed"); - return false; - } - } - return true; - } catch (e) { - console.error("Error in verRct: ", e); - return false; - } - }; - //ver RingCT simple - //assumes only post-rct style inputs (at least for max anonymity) - this.verRctSimple = function(rv, semantics, mixRing, kimgs) { - try { - if (rv.type === 0x04) { - throw Error("Simple Bulletproof validation not implemented"); - } - - if (rv.type !== 0x02 && rv.type !== 0x04) { - throw 
Error("verRctSimple called on non simple rctSig"); - } - - if (semantics) { - if (rv.type == 0x04) { - throw Error( - "Simple Bulletproof validation not implemented", - ); - } else { - if (rv.outPk.length !== rv.p.rangeSigs.length) { - throw Error( - "Mismatched sizes of outPk and rv.p.rangeSigs", - ); - } - if (rv.pseudoOuts.length !== rv.p.MGs.length) { - throw Error( - "Mismatched sizes of rv.pseudoOuts and rv.p.MGs", - ); - } - // originally the check is rv.p.pseudoOuts.length, but this'll throw - // until p.pseudoOuts is added as a property to the rv object - if (rv.p.pseudoOuts) { - throw Error("rv.p.pseudoOuts must be empty"); - } - } - } else { - if (rv.type === 0x04) { - throw Error( - "Simple Bulletproof validation not implemented", - ); - } else { - // semantics check is early, and mixRing/MGs aren't resolved yet - if (rv.pseudoOuts.length !== mixRing.length) { - throw Error( - "Mismatched sizes of rv.pseudoOuts and mixRing", - ); - } - } - } - - // if bulletproof, then use rv.p.pseudoOuts, otherwise use rv.pseudoOuts - const pseudoOuts = - rv.type === 0x04 ? 
rv.p.pseudoOuts : rv.pseudoOuts; - - if (semantics) { - let sumOutpks = this.identity(); - for (let i = 0; i < rv.outPk.length; i++) { - sumOutpks = this.ge_add(sumOutpks, rv.outPk[i]); // add all of the output commitments - } - - const txnFeeKey = this.ge_scalarmult( - this.H, - this.d2s(rv.txnFee), - ); - sumOutpks = this.ge_add(txnFeeKey, sumOutpks); // add txnfeekey - - let sumPseudoOuts = this.identity(); - for (let i = 0; i < pseudoOuts.length; i++) { - sumPseudoOuts = this.ge_add(sumPseudoOuts, pseudoOuts[i]); // sum up all of the pseudoOuts - } - - if (sumOutpks !== sumPseudoOuts) { - console.error("Sum check failed"); - return false; - } - - const results = []; - for (let i = 0; i < rv.outPk.length; i++) { - // might want to parallelize this like its done in the c++ codebase - // via some abstraction library to support browser + node - if (rv.p.rangeSigs.length === 0) { - results[i] = this.verBulletproof(rv.p.bulletproofs[i]); - } else { - // mask -> C if public - results[i] = this.verRange( - rv.outPk[i], - rv.p.rangeSigs[i], - ); - } - } - - for (let i = 0; i < results.length; i++) { - if (!results[i]) { - console.error( - "Range proof verification failed for output", - i, - ); - return false; - } - } - } else { - const message = this.get_pre_mlsag_hash(rv); - const results = []; - for (let i = 0; i < mixRing.length; i++) { - results[i] = this.verRctMGSimple( - message, - rv.p.MGs[i], - mixRing[i], - pseudoOuts[i], - kimgs[i], - ); - } - - for (let i = 0; i < results.length; i++) { - if (!results[i]) { - console.error( - "Range proof verification failed for output", - i, - ); - return false; - } - } - } - - return true; - } catch (error) { - console.log("[verRctSimple]", error); - return false; - } - }; - - //decodeRct: (c.f. 
http://eprint.iacr.org/2015/1098 section 5.1.1) - // uses the attached ecdh info to find the amounts represented by each output commitment - // must know the destination private key to find the correct amount, else will return a random number - - this.decodeRct = function(rv, sk, i) { - // where RCTTypeFull is 0x01 and RCTTypeFullBulletproof is 0x03 - if (rv.type !== 0x01 && rv.type !== 0x03) { - throw Error("verRct called on non-full rctSig"); - } - if (i >= rv.ecdhInfo.length) { - throw Error("Bad index"); - } - if (rv.outPk.length !== rv.ecdhInfo.length) { - throw Error("Mismatched sizes of rv.outPk and rv.ecdhInfo"); - } - - // mask amount and mask - const ecdh_info = rv.ecdhInfo[i]; - const { mask, amount } = this.decode_rct_ecdh(ecdh_info, sk); - - const C = rv.outPk[i]; - const Ctmp = this.ge_double_scalarmult_base_vartime( - amount, - this.H, - mask, - ); - - console.log("[decodeRct]", C, Ctmp); - if (C !== Ctmp) { - throw Error( - "warning, amount decoded incorrectly, will be unable to spend", - ); - } - return { amount, mask }; - }; - - this.decodeRctSimple = function(rv, sk, i) { - if (rv.type !== 0x02 && rv.type !== 0x04) { - throw Error("verRct called on full rctSig"); - } - if (i >= rv.ecdhInfo.length) { - throw Error("Bad index"); - } - if (rv.outPk.length !== rv.ecdhInfo.length) { - throw Error("Mismatched sizes of rv.outPk and rv.ecdhInfo"); + function ret_val_boolstring_to_bool(boolstring) + { + if (typeof boolstring !== "string") { + throw "ret_val_boolstring_to_bool expected string input" } - - // mask amount and mask - const ecdh_info = rv.ecdhInfo[i]; - const { mask, amount } = this.decode_rct_ecdh(ecdh_info, sk); - - const C = rv.outPk[i]; - const Ctmp = this.ge_double_scalarmult_base_vartime( - amount, - this.H, - mask, - ); - - console.log("[decodeRctSimple]", C, Ctmp); - if (C !== Ctmp) { - throw Error( - "warning, amount decoded incorrectly, will be unable to spend", - ); + if (boolstring === "true") { + return true + } else if 
(boolstring === "false") { + return false } - return { amount, mask }; - }; + throw "ret_val_boolstring_to_bool given illegal input" + } + // + var config = {}; // shallow copy of initConfig + for (var key in currencyConfig) { + config[key] = currencyConfig[key]; + } - this.verBulletProof = function() { - throw Error("verBulletProof is not implemented"); - }; - //end RCT functions - this.add_pub_key_to_extra = function(extra, pubkey) { - if (pubkey.length !== 64) throw "Invalid pubkey length"; - // Append pubkey tag and pubkey - extra += TX_EXTRA_TAGS.PUBKEY + pubkey; - return extra; + // Generate a 256-bit / 64-char / 32-byte crypto random + this.rand_32 = function() { + return mnemonic.mn_random(256); }; - this.add_nonce_to_extra = function(extra, nonce) { - // Append extra nonce - if (nonce.length % 2 !== 0) { - throw "Invalid extra nonce"; - } - if (nonce.length / 2 > TX_EXTRA_NONCE_MAX_COUNT) { - throw "Extra nonce must be at most " + - TX_EXTRA_NONCE_MAX_COUNT + - " bytes"; - } - // Add nonce tag - extra += TX_EXTRA_TAGS.NONCE; - // Encode length of nonce - extra += ("0" + (nonce.length / 2).toString(16)).slice(-2); - // Write nonce - extra += nonce; - return extra; + // Generate a 128-bit / 32-char / 16-byte crypto random + this.rand_16 = function() { + return mnemonic.mn_random(128); }; - this.get_payment_id_nonce = function(payment_id, pid_encrypt) { - if (payment_id.length !== 64 && payment_id.length !== 16) { - throw "Invalid payment id"; - } - var res = ""; - if (pid_encrypt) { - res += TX_EXTRA_NONCE_TAGS.ENCRYPTED_PAYMENT_ID; - } else { - res += TX_EXTRA_NONCE_TAGS.PAYMENT_ID; - } - res += payment_id; - return res; + // Generate a 64-bit / 16-char / 8-byte crypto random + this.rand_8 = function() { + return mnemonic.mn_random(64); }; - this.abs_to_rel_offsets = function(offsets) { - if (offsets.length === 0) return offsets; - for (var i = offsets.length - 1; i >= 1; --i) { - offsets[i] = new JSBigInt(offsets[i]) - .subtract(offsets[i - 1]) - 
.toString(); + this.new__int_addr_from_addr_and_short_pid = function( + address, + short_pid, + nettype + ) { + // throws + if (!short_pid || short_pid.length != 16) { + throw "expected valid short_pid"; } - return offsets; - }; - - this.get_tx_prefix_hash = function(tx) { - var prefix = this.serialize_tx(tx, true); - return this.cn_fast_hash(prefix); - }; - - this.get_tx_hash = function(tx) { - if (typeof tx === "string") { - return this.cn_fast_hash(tx); - } else { - return this.cn_fast_hash(this.serialize_tx(tx)); + const args = + { + address: address, + short_pid: short_pid, + nettype_string: nettype_utils.nettype_to_API_string(nettype) + }; + const args_str = JSON.stringify(args); + const CNCrypto = loaded_CNCrypto(); + const ret_string = CNCrypto.new_integrated_address(args_str); + const ret = JSON.parse(ret_string); + if (typeof ret.err_msg !== 'undefined' && ret.err_msg) { + throw ret.err_msg // TODO: maybe return this somehow } + return ret.retVal; }; - this.serialize_tx = function(tx, headeronly) { - //tx: { - // version: uint64, - // unlock_time: uint64, - // extra: hex, - // vin: [{amount: uint64, k_image: hex, key_offsets: [uint64,..]},...], - // vout: [{amount: uint64, target: {key: hex}},...], - // signatures: [[s,s,...],...] 
- //} - if (headeronly === undefined) { - headeronly = false; - } - var buf = ""; - buf += this.encode_varint(tx.version); - buf += this.encode_varint(tx.unlock_time); - buf += this.encode_varint(tx.vin.length); - var i, j; - for (i = 0; i < tx.vin.length; i++) { - var vin = tx.vin[i]; - switch (vin.type) { - case "input_to_key": - buf += "02"; - buf += this.encode_varint(vin.amount); - buf += this.encode_varint(vin.key_offsets.length); - for (j = 0; j < vin.key_offsets.length; j++) { - buf += this.encode_varint(vin.key_offsets[j]); - } - buf += vin.k_image; - break; - default: - throw "Unhandled vin type: " + vin.type; - } - } - buf += this.encode_varint(tx.vout.length); - for (i = 0; i < tx.vout.length; i++) { - var vout = tx.vout[i]; - buf += this.encode_varint(vout.amount); - switch (vout.target.type) { - case "txout_to_key": - buf += "02"; - buf += vout.target.key; - break; - default: - throw "Unhandled txout target type: " + vout.target.type; - } - } - if (!this.valid_hex(tx.extra)) { - throw "Tx extra has invalid hex"; - } - buf += this.encode_varint(tx.extra.length / 2); - buf += tx.extra; - if (!headeronly) { - if (tx.vin.length !== tx.signatures.length) { - throw "Signatures length != vin length"; - } - for (i = 0; i < tx.vin.length; i++) { - for (j = 0; j < tx.signatures[i].length; j++) { - buf += tx.signatures[i][j]; - } - } - } - return buf; + this.create_address = function(seed, nettype) + { + // TODO: }; - this.serialize_rct_tx_with_hash = function(tx) { - var hashes = ""; - var buf = ""; - buf += this.serialize_tx(tx, true); - hashes += this.cn_fast_hash(buf); - var buf2 = this.serialize_rct_base(tx.rct_signatures); - hashes += this.cn_fast_hash(buf2); - buf += buf2; - var buf3 = serialize_range_proofs(tx.rct_signatures); - //add MGs - for (var i = 0; i < tx.rct_signatures.p.MGs.length; i++) { - for (var j = 0; j < tx.rct_signatures.p.MGs[i].ss.length; j++) { - buf3 += tx.rct_signatures.p.MGs[i].ss[j][0]; - buf3 += 
tx.rct_signatures.p.MGs[i].ss[j][1]; - } - buf3 += tx.rct_signatures.p.MGs[i].cc; - } - hashes += this.cn_fast_hash(buf3); - buf += buf3; - var hash = this.cn_fast_hash(hashes); - return { - raw: buf, - hash: hash, + this.decode_address = function(address, nettype) + { + const args = + { + address: address, + nettype_string: nettype_utils.nettype_to_API_string(nettype) }; - }; - - this.serialize_rct_base = function(rv) { - var buf = ""; - buf += this.encode_varint(rv.type); - buf += this.encode_varint(rv.txnFee); - var i; - if (rv.type === 2) { - for (var i = 0; i < rv.pseudoOuts.length; i++) { - buf += rv.pseudoOuts[i]; - } - } - if (rv.ecdhInfo.length !== rv.outPk.length) { - throw "mismatched outPk/ecdhInfo!"; - } - for (i = 0; i < rv.ecdhInfo.length; i++) { - buf += rv.ecdhInfo[i].mask; - buf += rv.ecdhInfo[i].amount; + const args_str = JSON.stringify(args); + const CNCrypto = loaded_CNCrypto(); + const ret_string = CNCrypto.decode_address(args_str); + const ret = JSON.parse(ret_string); + if (typeof ret.err_msg !== 'undefined' && ret.err_msg) { + throw ret.err_msg // TODO: maybe return this somehow } - for (i = 0; i < rv.outPk.length; i++) { - buf += rv.outPk[i]; + return { + spend: ret.pub_spendKey_string, + view: ret.pub_viewKey_string, + intPaymentId: ret.paymentID_string, // may be undefined + isSubaddress: ret.isSubaddress } - return buf; }; - this.generate_ring_signature = function( - prefix_hash, - k_image, - keys, - sec, - real_index, - ) { - if (k_image.length !== STRUCT_SIZES.KEY_IMAGE * 2) { - throw "invalid key image length"; - } - if (sec.length !== KEY_SIZE * 2) { - throw "Invalid secret key length"; - } - if ( - prefix_hash.length !== HASH_SIZE * 2 || - !this.valid_hex(prefix_hash) - ) { - throw "Invalid prefix hash"; - } - if (real_index >= keys.length || real_index < 0) { - throw "real_index is invalid"; - } + this.is_subaddress = function(addr, nettype) { + const args = + { + address: addr, + nettype_string: 
nettype_utils.nettype_to_API_string(nettype) + }; + const args_str = JSON.stringify(args); const CNCrypto = loaded_CNCrypto(); - var _ge_tobytes = CNCrypto.cwrap("ge_tobytes", "void", [ - "number", - "number", - ]); - var _ge_p3_tobytes = CNCrypto.cwrap("ge_p3_tobytes", "void", [ - "number", - "number", - ]); - var _ge_scalarmult_base = CNCrypto.cwrap("ge_scalarmult_base", "void", [ - "number", - "number", - ]); - var _ge_scalarmult = CNCrypto.cwrap("ge_scalarmult", "void", [ - "number", - "number", - "number", - ]); - var _sc_add = CNCrypto.cwrap("sc_add", "void", [ - "number", - "number", - "number", - ]); - var _sc_sub = CNCrypto.cwrap("sc_sub", "void", [ - "number", - "number", - "number", - ]); - var _sc_mulsub = CNCrypto.cwrap("sc_mulsub", "void", [ - "number", - "number", - "number", - "number", - ]); - var _sc_0 = CNCrypto.cwrap("sc_0", "void", ["number"]); - var _ge_double_scalarmult_base_vartime = CNCrypto.cwrap( - "ge_double_scalarmult_base_vartime", - "void", - ["number", "number", "number", "number"], - ); - var _ge_double_scalarmult_precomp_vartime = CNCrypto.cwrap( - "ge_double_scalarmult_precomp_vartime", - "void", - ["number", "number", "number", "number", "number"], - ); - var _ge_frombytes_vartime = CNCrypto.cwrap( - "ge_frombytes_vartime", - "number", - ["number", "number"], - ); - var _ge_dsm_precomp = CNCrypto.cwrap("ge_dsm_precomp", "void", [ - "number", - "number", - ]); - - var buf_size = STRUCT_SIZES.EC_POINT * 2 * keys.length; - var buf_m = CNCrypto._malloc(buf_size); - var sig_size = STRUCT_SIZES.SIGNATURE * keys.length; - var sig_m = CNCrypto._malloc(sig_size); - - // Struct pointer helper functions - function buf_a(i) { - return buf_m + STRUCT_SIZES.EC_POINT * (2 * i); - } - function buf_b(i) { - return buf_m + STRUCT_SIZES.EC_POINT * (2 * i + 1); - } - function sig_c(i) { - return sig_m + STRUCT_SIZES.EC_SCALAR * (2 * i); + const ret_string = CNCrypto.is_subaddress(args_str); + const ret = JSON.parse(ret_string); + if (typeof 
ret.err_msg !== 'undefined' && ret.err_msg) { + throw ret.err_msg // TODO: maybe return this somehow } - function sig_r(i) { - return sig_m + STRUCT_SIZES.EC_SCALAR * (2 * i + 1); - } - var image_m = CNCrypto._malloc(STRUCT_SIZES.KEY_IMAGE); - CNCrypto.HEAPU8.set(hextobin(k_image), image_m); - var i; - var image_unp_m = CNCrypto._malloc(STRUCT_SIZES.GE_P3); - var image_pre_m = CNCrypto._malloc(STRUCT_SIZES.GE_DSMP); - var sum_m = CNCrypto._malloc(STRUCT_SIZES.EC_SCALAR); - var k_m = CNCrypto._malloc(STRUCT_SIZES.EC_SCALAR); - var h_m = CNCrypto._malloc(STRUCT_SIZES.EC_SCALAR); - var tmp2_m = CNCrypto._malloc(STRUCT_SIZES.GE_P2); - var tmp3_m = CNCrypto._malloc(STRUCT_SIZES.GE_P3); - var pub_m = CNCrypto._malloc(KEY_SIZE); - var sec_m = CNCrypto._malloc(KEY_SIZE); - CNCrypto.HEAPU8.set(hextobin(sec), sec_m); - if (_ge_frombytes_vartime(image_unp_m, image_m) != 0) { - throw "failed to call ge_frombytes_vartime"; - } - _ge_dsm_precomp(image_pre_m, image_unp_m); - _sc_0(sum_m); - for (i = 0; i < keys.length; i++) { - if (i === real_index) { - // Real key - var rand = this.random_scalar(); - CNCrypto.HEAPU8.set(hextobin(rand), k_m); - _ge_scalarmult_base(tmp3_m, k_m); - _ge_p3_tobytes(buf_a(i), tmp3_m); - var ec = this.hash_to_ec(keys[i]); - CNCrypto.HEAPU8.set(hextobin(ec), tmp3_m); - _ge_scalarmult(tmp2_m, k_m, tmp3_m); - _ge_tobytes(buf_b(i), tmp2_m); - } else { - CNCrypto.HEAPU8.set(hextobin(this.random_scalar()), sig_c(i)); - CNCrypto.HEAPU8.set(hextobin(this.random_scalar()), sig_r(i)); - CNCrypto.HEAPU8.set(hextobin(keys[i]), pub_m); - if ( - CNCrypto.ccall( - "ge_frombytes_vartime", - "void", - ["number", "number"], - [tmp3_m, pub_m], - ) !== 0 - ) { - throw "Failed to call ge_frombytes_vartime"; - } - _ge_double_scalarmult_base_vartime( - tmp2_m, - sig_c(i), - tmp3_m, - sig_r(i), - ); - _ge_tobytes(buf_a(i), tmp2_m); - var ec = this.hash_to_ec(keys[i]); - CNCrypto.HEAPU8.set(hextobin(ec), tmp3_m); - _ge_double_scalarmult_precomp_vartime( - tmp2_m, - sig_r(i), - 
tmp3_m, - sig_c(i), - image_pre_m, - ); - _ge_tobytes(buf_b(i), tmp2_m); - _sc_add(sum_m, sum_m, sig_c(i)); - } - } - var buf_bin = CNCrypto.HEAPU8.subarray(buf_m, buf_m + buf_size); - var scalar = this.hash_to_scalar(prefix_hash + bintohex(buf_bin)); - CNCrypto.HEAPU8.set(hextobin(scalar), h_m); - _sc_sub(sig_c(real_index), h_m, sum_m); - _sc_mulsub(sig_r(real_index), sig_c(real_index), sec_m, k_m); - var sig_data = bintohex( - CNCrypto.HEAPU8.subarray(sig_m, sig_m + sig_size), - ); - var sigs = []; - for (var k = 0; k < keys.length; k++) { - sigs.push( - sig_data.slice( - STRUCT_SIZES.SIGNATURE * 2 * k, - STRUCT_SIZES.SIGNATURE * 2 * (k + 1), - ), - ); - } - CNCrypto._free(image_m); - CNCrypto._free(image_unp_m); - CNCrypto._free(image_pre_m); - CNCrypto._free(sum_m); - CNCrypto._free(k_m); - CNCrypto._free(h_m); - CNCrypto._free(tmp2_m); - CNCrypto._free(tmp3_m); - CNCrypto._free(buf_m); - CNCrypto._free(sig_m); - CNCrypto._free(pub_m); - CNCrypto._free(sec_m); - return sigs; + return ret_val_boolstring_to_bool(ret.retVal) }; - this.construct_tx = function( - keys, - sources, - dsts, - fee_amount, - payment_id, - pid_encrypt, - realDestViewKey, - unlock_time, - rct, - nettype, + this.generate_key_image = function( + tx_pub, + view_sec, + spend_pub, + spend_sec, + output_index ) { - //we move payment ID stuff here, because we need txkey to encrypt - var txkey = this.random_keypair(); - console.log(txkey); - var extra = ""; - if (payment_id) { - if (pid_encrypt && payment_id.length !== INTEGRATED_ID_SIZE * 2) { - throw "payment ID must be " + - INTEGRATED_ID_SIZE + - " bytes to be encrypted!"; - } - console.log("Adding payment id: " + payment_id); - if (pid_encrypt) { - //get the derivation from our passed viewkey, then hash that + tail to get encryption key - var pid_key = this.cn_fast_hash( - this.generate_key_derivation(realDestViewKey, txkey.sec) + - ENCRYPTED_PAYMENT_ID_TAIL.toString(16), - ).slice(0, INTEGRATED_ID_SIZE * 2); - console.log("Txkeys:", txkey, 
"Payment ID key:", pid_key); - payment_id = this.hex_xor(payment_id, pid_key); - } - var nonce = this.get_payment_id_nonce(payment_id, pid_encrypt); - console.log("Extra nonce: " + nonce); - extra = this.add_nonce_to_extra(extra, nonce); - } - var tx = { - unlock_time: unlock_time, - version: rct ? CURRENT_TX_VERSION : OLD_TX_VERSION, - extra: extra, - vin: [], - vout: [], - }; - if (rct) { - tx.rct_signatures = {}; - } else { - tx.signatures = []; - } - - var in_contexts = []; - var inputs_money = JSBigInt.ZERO; - var i, j; - console.log("Sources: "); - //run the for loop twice to sort ins by key image - //first generate key image and other construction data to sort it all in one go - for (i = 0; i < sources.length; i++) { - console.log(i + ": " + currency_amount_format_utils.formatMoneyFull(sources[i].amount)); - if (sources[i].real_out >= sources[i].outputs.length) { - throw "real index >= outputs.length"; - } - var res = this.generate_key_image_helper_rct( - keys, - sources[i].real_out_tx_key, - sources[i].real_out_in_tx, - sources[i].mask, - ); //mask will be undefined for non-rct - if ( - res.in_ephemeral.pub !== - sources[i].outputs[sources[i].real_out].key - ) { - throw "in_ephemeral.pub != source.real_out.key"; - } - sources[i].key_image = res.image; - sources[i].in_ephemeral = res.in_ephemeral; + if (tx_pub.length !== 64) { + throw "Invalid tx_pub length"; } - //sort ins - sources.sort(function(a, b) { - return ( - JSBigInt.parse(a.key_image, 16).compare( - JSBigInt.parse(b.key_image, 16), - ) * -1 - ); - }); - //copy the sorted sources data to tx - for (i = 0; i < sources.length; i++) { - inputs_money = inputs_money.add(sources[i].amount); - in_contexts.push(sources[i].in_ephemeral); - var input_to_key = {}; - input_to_key.type = "input_to_key"; - input_to_key.amount = sources[i].amount; - input_to_key.k_image = sources[i].key_image; - input_to_key.key_offsets = []; - for (j = 0; j < sources[i].outputs.length; ++j) { - 
input_to_key.key_offsets.push(sources[i].outputs[j].index); - } - input_to_key.key_offsets = this.abs_to_rel_offsets( - input_to_key.key_offsets, - ); - tx.vin.push(input_to_key); + if (view_sec.length !== 64) { + throw "Invalid view_sec length"; } - var outputs_money = JSBigInt.ZERO; - var out_index = 0; - var amountKeys = []; //rct only - for (i = 0; i < dsts.length; ++i) { - if (new JSBigInt(dsts[i].amount).compare(0) < 0) { - throw "dst.amount < 0"; //amount can be zero if no change - } - dsts[i].keys = this.decode_address(dsts[i].address, nettype); - - // R = rD for subaddresses - if (this.is_subaddress(dsts[i].address, nettype)) { - if (typeof payment_id !== "undefined" && payment_id) { - // this could stand to be placed earlier in the function but we save repeating a little algo time this way - throw "Payment ID must not be supplied when sending to a subaddress"; - } - txkey.pub = this.ge_scalarmult(dsts[i].keys.spend, txkey.sec); - } - - var out_derivation; - - // send change to ourselves - if (dsts[i].keys.view == keys.view.pub) { - out_derivation = this.generate_key_derivation( - txkey.pub, - keys.view.sec, - ); - } else { - out_derivation = this.generate_key_derivation( - dsts[i].keys.view, - txkey.sec, - ); - } - - if (rct) { - amountKeys.push( - this.derivation_to_scalar(out_derivation, out_index), - ); - } - var out_ephemeral_pub = this.derive_public_key( - out_derivation, - out_index, - dsts[i].keys.spend, - ); - var out = { - amount: dsts[i].amount.toString(), - }; - // txout_to_key - out.target = { - type: "txout_to_key", - key: out_ephemeral_pub, - }; - tx.vout.push(out); - ++out_index; - outputs_money = outputs_money.add(dsts[i].amount); + if (spend_pub.length !== 64) { + throw "Invalid spend_pub length"; } - - // add pub key to extra after we know whether to use R = rG or R = rD - tx.extra = this.add_pub_key_to_extra(tx.extra, txkey.pub); - - if (outputs_money.add(fee_amount).compare(inputs_money) > 0) { - throw "outputs money (" + - 
currency_amount_format_utils.formatMoneyFull(outputs_money) + - ") + fee (" + - currency_amount_format_utils.formatMoneyFull(fee_amount) + - ") > inputs money (" + - currency_amount_format_utils.formatMoneyFull(inputs_money) + - ")"; + if (spend_sec.length !== 64) { + throw "Invalid spend_sec length"; } - if (!rct) { - for (i = 0; i < sources.length; ++i) { - var src_keys = []; - for (j = 0; j < sources[i].outputs.length; ++j) { - src_keys.push(sources[i].outputs[j].key); - } - var sigs = this.generate_ring_signature( - this.get_tx_prefix_hash(tx), - tx.vin[i].k_image, - src_keys, - in_contexts[i].sec, - sources[i].real_out, - ); - tx.signatures.push(sigs); - } - } else { - //rct - var txnFee = fee_amount; - var keyimages = []; - var inSk = []; - var inAmounts = []; - var mixRing = []; - var indices = []; - for (i = 0; i < tx.vin.length; i++) { - keyimages.push(tx.vin[i].k_image); - inSk.push({ - x: in_contexts[i].sec, - a: in_contexts[i].mask, - }); - inAmounts.push(tx.vin[i].amount); - if (in_contexts[i].mask !== I) { - //if input is rct (has a valid mask), 0 out amount - tx.vin[i].amount = "0"; - } - mixRing[i] = []; - for (j = 0; j < sources[i].outputs.length; j++) { - mixRing[i].push({ - dest: sources[i].outputs[j].key, - mask: sources[i].outputs[j].commit, - }); - } - indices.push(sources[i].real_out); - } - var outAmounts = []; - for (i = 0; i < tx.vout.length; i++) { - outAmounts.push(tx.vout[i].amount); - tx.vout[i].amount = "0"; //zero out all rct outputs - } - var tx_prefix_hash = this.get_tx_prefix_hash(tx); - tx.rct_signatures = genRct( - tx_prefix_hash, - inSk, - keyimages, - /*destinations, */ inAmounts, - outAmounts, - mixRing, - amountKeys, - indices, - txnFee, - ); + const args = + { + sec_viewKey_string: view_sec, + sec_spendKey_string: spend_sec, + pub_spendKey_string: spend_pub, + tx_pub_key: tx_pub, + out_index: "" + output_index + }; + const args_str = JSON.stringify(args); + const CNCrypto = loaded_CNCrypto(); + const ret_string = 
CNCrypto.generate_key_image(args_str); + const ret = JSON.parse(ret_string); + if (typeof ret.err_msg !== 'undefined' && ret.err_msg) { + throw ret.err_msg // TODO: maybe return this somehow } - console.log(tx); - return tx; + return ret.retVal; }; - this.create_transaction__IPCsafe = function( + this.create_signed_transaction__IPCsafe = function( pub_keys, sec_keys, serialized__dsts, // amounts are strings @@ -2875,7 +273,7 @@ var cnUtil = function(currencyConfig) i.amount = new JSBigInt(i.amount) return i }) - return this.create_transaction( + return this.create_signed_transaction( pub_keys, sec_keys, dsts, @@ -2892,7 +290,7 @@ var cnUtil = function(currencyConfig) ); } - this.create_transaction = function( + this.create_signed_transaction = function( pub_keys, sec_keys, dsts, @@ -2909,7 +307,6 @@ var cnUtil = function(currencyConfig) ) { unlock_time = unlock_time || 0; mix_outs = mix_outs || []; - var i, j; if (dsts.length === 0) { throw "Destinations empty"; } 
@@ -2925,163 +322,36 @@ var cnUtil = function(currencyConfig) throw "Not enough outputs to mix with"; } } - var keys = { - view: { - pub: pub_keys.view, - sec: sec_keys.view, - }, - spend: { - pub: pub_keys.spend, - sec: sec_keys.spend, - }, - }; - if ( - !this.valid_keys( - keys.view.pub, - keys.view.sec, - keys.spend.pub, - keys.spend.sec, - ) - ) { - throw "Invalid secret keys!"; - } - var needed_money = JSBigInt.ZERO; - for (i = 0; i < dsts.length; ++i) { - needed_money = needed_money.add(dsts[i].amount); - if (needed_money.compare(UINT64_MAX) !== -1) { - throw "Output overflow!"; - } - } - var found_money = JSBigInt.ZERO; - var sources = []; - console.log("Selected transfers: ", outputs); - for (i = 0; i < outputs.length; ++i) { - found_money = found_money.add(outputs[i].amount); - if (found_money.compare(UINT64_MAX) !== -1) { - throw "Input overflow!"; - } - var src = { - outputs: [], - }; - src.amount = new JSBigInt(outputs[i].amount).toString(); - if (mix_outs.length !== 0) { - // Sort fake outputs by global index - mix_outs[i].outputs.sort(function(a, b) { - return new JSBigInt(a.global_index).compare(b.global_index); - }); - j = 0; - while ( - src.outputs.length < fake_outputs_count && - j < mix_outs[i].outputs.length - ) { - var out = mix_outs[i].outputs[j]; - if (out.global_index === outputs[i].global_index) { - console.log("got mixin the same as output, skipping"); - j++; - continue; - } - var oe = {}; - oe.index = out.global_index.toString(); - oe.key = out.public_key; - if (rct) { - if (out.rct) { - oe.commit = out.rct.slice(0, 64); //add commitment from rct mix outs - } else { - if (outputs[i].rct) { - throw "mix rct outs missing commit"; - } - oe.commit = zeroCommit(d2s(src.amount)); //create identity-masked commitment for non-rct mix input - } - } - src.outputs.push(oe); - j++; - } - } - var real_oe = {}; - real_oe.index = new JSBigInt( - outputs[i].global_index || 0, - ).toString(); - real_oe.key = outputs[i].public_key; - if (rct) { - if 
(outputs[i].rct) { - real_oe.commit = outputs[i].rct.slice(0, 64); //add commitment for real input - } else { - real_oe.commit = zeroCommit(d2s(src.amount)); //create identity-masked commitment for non-rct input - } - } - var real_index = src.outputs.length; - for (j = 0; j < src.outputs.length; j++) { - if ( - new JSBigInt(real_oe.index).compare(src.outputs[j].index) < - 0 - ) { - real_index = j; - break; - } - } - // Add real_oe to outputs - src.outputs.splice(real_index, 0, real_oe); - src.real_out_tx_key = outputs[i].tx_pub_key; - // Real output entry index - src.real_out = real_index; - src.real_out_in_tx = outputs[i].index; - if (rct) { - if (outputs[i].rct) { - src.mask = outputs[i].rct.slice(64, 128); //encrypted - } else { - src.mask = null; //will be set by generate_key_image_helper_rct - } - } - sources.push(src); - } - console.log("sources: ", sources); - var change = { - amount: JSBigInt.ZERO, - }; - var cmp = needed_money.compare(found_money); - if (cmp < 0) { - change.amount = found_money.subtract(needed_money); - if (change.amount.compare(fee_amount) !== 0) { - throw "early fee calculation != later"; - } - } else if (cmp > 0) { - throw "Need more money than found! (have: " + - currency_amount_format_utils.formatMoney(found_money) + - " need: " + - currency_amount_format_utils.formatMoney(needed_money) + - ")"; - } - return this.construct_tx( - keys, - sources, - dsts, - fee_amount, - payment_id, - pid_encrypt, - realDestViewKey, - unlock_time, - rct, - nettype, - ); + + // TODO + }; - this.estimateRctSize = function(inputs, mixin, outputs) { + this.estimateRctSize = function(inputs, mixin, outputs, extra_size, bulletproof) + { + // keeping this in JS instead of C++ for now b/c it's much faster to access, and we don't have to make it asynchronous by waiting for the module to load + bulletproof = bulletproof == true ? 
true : false + extra_size = extra_size || 40 + // var size = 0; // tx prefix // first few bytes size += 1 + 6; - size += inputs * (1 + 6 + (mixin + 1) * 3 + 32); // original C implementation is *2+32 but author advised to change 2 to 3 as key offsets are variable size and this constitutes a best guess + size += inputs * (1 + 6 + (mixin + 1) * 3 + 32); // vout size += outputs * (6 + 32); // extra - size += 40; + size += extra_size; // rct signatures // type size += 1; // rangeSigs - size += (2 * 64 * 32 + 32 + 64 * 32) * outputs; + if (bulletproof) + size += ((2*6 + 4 + 5)*32 + 3) * outputs; + else + size += (2*64*32+32+64*32) * outputs; // MGs - size += inputs * (32 * (mixin + 1) + 32); + size += inputs * (64 * (mixin + 1) + 32); // mixRing - not serialized, can be reconstructed /* size += 2 * 32 * (mixin+1) * inputs; */ // pseudoOuts diff --git a/cryptonote_utils/nettype.js b/cryptonote_utils/nettype.js index 27ec4ff..8ca94e8 100644 --- a/cryptonote_utils/nettype.js +++ b/cryptonote_utils/nettype.js @@ -32,8 +32,26 @@ var network_type = { MAINNET: 0, TESTNET: 1, STAGENET: 2, + FAKECHAIN: 3, + UNDEFINED: 4 }; exports.network_type = network_type; +exports.nettype_to_API_string = function(nettype) +{ + switch (nettype) { + case network_type.MAINNET: + return "MAINNET" + case network_type.TESTNET: + return "TESTNET" + case network_type.STAGENET: + return "STAGENET" + case network_type.FAKECHAIN: + return "FAKECHAIN" + case network_type.UNDEFINED: + return "UNDEFINED" + } + throw "Unrecognized nettype" +} // var __MAINNET_CRYPTONOTE_PUBLIC_ADDRESS_BASE58_PREFIX = 18; var __MAINNET_CRYPTONOTE_PUBLIC_INTEGRATED_ADDRESS_BASE58_PREFIX = 19; diff --git a/monero_utils/monero_keyImage_cache_utils.js b/monero_utils/monero_keyImage_cache_utils.js index 6f84ef9..1418e01 100644 --- a/monero_utils/monero_keyImage_cache_utils.js +++ b/monero_utils/monero_keyImage_cache_utils.js 
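Review bot: `create_signed_transaction` now has an empty body (`// TODO`) and so returns `undefined`, yet `create_signed_transaction__IPCsafe` (the earlier hunk in this file) still hands that result back to its caller as if it were a built transaction, which turns a not-implemented path into a silent failure. Until the native implementation lands the stub should fail loudly: replace the `// TODO` with `throw "create_signed_transaction is not yet implemented";`. The same hunk also drops the `valid_keys` check and the `UINT64_MAX` "Output overflow!"/"Input overflow!" checks the old JS body performed; whether the C++ side re-validates these is not visible here and should be confirmed before the stub is filled in. In `estimateRctSize`, `extra_size = extra_size || 40` treats an explicit `extra_size` of `0` as "use the default", so `extra_size = (extra_size === undefined) ? 40 : extra_size` keeps `0` meaningful, and `bulletproof == true ? true : false` can simply be `bulletproof = bulletproof === true;`. The `create_signed_transaction` function begins outside this hunk.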
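Review bot: `nettype_to_API_string` is the only validation the new bridge wrappers in this commit (`decode_address`, `is_subaddress`, `new__int_addr_from_addr_and_short_pid`) apply to `nettype` before serializing it to the native module, and it forwards `FAKECHAIN` (3) and `UNDEFINED` (4) just like the real networks, so a caller passing an unset nettype is not rejected here; either the native side must be confirmed to refuse `"UNDEFINED"` for address parsing, or this function should reject it explicitly before the value reaches the bridge. The failure branch throws a bare string with no hint of the offending value; `throw new Error("Unrecognized nettype: " + nettype);` gives callers a stack trace and the value, which is what you want when the wrong network is the bug. A one-line comment above the export would also help readers: `// Maps a network_type value to the string the C++ serial_bridge expects; throws on anything else.`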
@@ -53,7 +53,7 @@ const Lazy_KeyImage = function( spend_key__public, spend_key__private, out_index, - ).key_image; + ); // cache: mutable_keyImagesByCacheKey[cache_index] = key_image; // diff --git a/src/index.cpp b/src/index.cpp index 710ebba..17f5a1a 100644 --- a/src/index.cpp +++ b/src/index.cpp @@ -52,9 +52,10 @@ EMSCRIPTEN_BINDINGS(my_module) emscripten::function("seed_and_keys_from_mnemonic", &serial_bridge::seed_and_keys_from_mnemonic); emscripten::function("validate_components_for_login", &serial_bridge::validate_components_for_login); // - emscripten::function("estimate_rct_tx_size", &serial_bridge::estimate_rct_tx_size); - emscripten::function("calculate_fee", &serial_bridge::calculate_fee); - emscripten::function("estimated_tx_network_fee", &serial_bridge::estimated_tx_network_fee); + // keeping these in JS for now -- much more practical; don't have to async wait for the module to load + // emscripten::function("estimate_rct_tx_size", &serial_bridge::estimate_rct_tx_size); + // emscripten::function("calculate_fee", &serial_bridge::calculate_fee); + // emscripten::function("estimated_tx_network_fee", &serial_bridge::estimated_tx_network_fee); // emscripten::function("generate_key_image", &serial_bridge::generate_key_image); }
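Review bot: The value cached on the next line is now whatever `generate_key_image` returns, and per the `generate_key_image` hunk in cryptonote_utils.js in this same commit that is the bridge's raw `ret.retVal`, returned without any shape check, so an unexpected return would be stored under `cache_index` for the lifetime of `mutable_keyImagesByCacheKey` and reused on every later lookup. Before the cache write, guard it with `if (typeof key_image !== "string" || key_image.length !== 64) { throw new Error("generate_key_image returned an invalid key image"); }` (a key image is 32 bytes, i.e. 64 hex chars, as the removed `STRUCT_SIZES.KEY_IMAGE * 2` check used to enforce). `Lazy_KeyImage` both begins and ends outside this hunk.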
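Review bot: The three fee/size bindings are left in as commented-out code beneath the `// keeping these in JS for now` note; git already preserves them, so deleting the three `// emscripten::function(...)` lines and keeping only a one-line pointer such as `// size/fee estimation lives in JS (estimateRctSize in cryptonote_utils.js) so callers need not await module load` is cleaner. As collapsed here it is not possible to tell whether the `generate_key_image` binding is still registered or has also been commented out; the JS wrapper added in this same commit calls `CNCrypto.generate_key_image(args_str)`, so that binding must remain live. `EMSCRIPTEN_BINDINGS(my_module)` opens outside this hunk.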