You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
2682 lines
77 KiB
2682 lines
77 KiB
// Copyright (c) 2014-2018, MyMonero.com
|
|
//
|
|
// All rights reserved.
|
|
//
|
|
// Redistribution and use in source and binary forms, with or without modification, are
|
|
// permitted provided that the following conditions are met:
|
|
//
|
|
// 1. Redistributions of source code must retain the above copyright notice, this list of
|
|
// conditions and the following disclaimer.
|
|
//
|
|
// 2. Redistributions in binary form must reproduce the above copyright notice, this list
|
|
// of conditions and the following disclaimer in the documentation and/or other
|
|
// materials provided with the distribution.
|
|
//
|
|
// 3. Neither the name of the copyright holder nor the names of its contributors may be
|
|
// used to endorse or promote products derived from this software without specific
|
|
// prior written permission.
|
|
//
|
|
// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY
|
|
// EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
|
|
// MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL
|
|
// THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
|
|
// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
|
|
// PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
|
|
// INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
|
|
// STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF
|
|
// THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
|
|
|
// Original Author: Lucas Jones
|
|
// Modified to remove jQuery dep and support modular inclusion of deps by Paul Shapiro (2016)
|
|
// Modified to add RingCT support by luigi1111 (2017)
|
|
//
|
|
// v--- These should maybe be injected into a context and supplied to currencyConfig for future platforms
|
|
const JSBigInt = require("./biginteger").BigInteger;
|
|
const cnBase58 = require("./cryptonote_base58").cnBase58;
|
|
const CNCrypto = require("./cryptonote_crypto_EMSCRIPTEN");
|
|
const mnemonic = require("./mnemonic");
|
|
const nacl = require("./nacl-fast-cn");
|
|
const sha3 = require("./sha3");
|
|
const nettype_utils = require("./nettype");
|
|
|
|
var cnUtil = function(currencyConfig) {
|
|
var config = {}; // shallow copy of initConfig
|
|
for (var key in currencyConfig) {
|
|
config[key] = currencyConfig[key];
|
|
}
|
|
|
|
config.coinUnits = new JSBigInt(10).pow(config.coinUnitPlaces);
|
|
|
|
var HASH_STATE_BYTES = 200;
|
|
var HASH_SIZE = 32;
|
|
var ADDRESS_CHECKSUM_SIZE = 4;
|
|
var INTEGRATED_ID_SIZE = 8;
|
|
var ENCRYPTED_PAYMENT_ID_TAIL = 141;
|
|
//
|
|
var UINT64_MAX = new JSBigInt(2).pow(64);
|
|
var CURRENT_TX_VERSION = 2;
|
|
var OLD_TX_VERSION = 1;
|
|
var RCTTypeFull = 1;
|
|
var RCTTypeSimple = 2;
|
|
var TX_EXTRA_NONCE_MAX_COUNT = 255;
|
|
var TX_EXTRA_TAGS = {
|
|
PADDING: "00",
|
|
PUBKEY: "01",
|
|
NONCE: "02",
|
|
MERGE_MINING: "03",
|
|
};
|
|
var TX_EXTRA_NONCE_TAGS = {
|
|
PAYMENT_ID: "00",
|
|
ENCRYPTED_PAYMENT_ID: "01",
|
|
};
|
|
var KEY_SIZE = 32;
|
|
var STRUCT_SIZES = {
|
|
GE_P3: 160,
|
|
GE_P2: 120,
|
|
GE_P1P1: 160,
|
|
GE_CACHED: 160,
|
|
EC_SCALAR: 32,
|
|
EC_POINT: 32,
|
|
KEY_IMAGE: 32,
|
|
GE_DSMP: 160 * 8, // ge_cached * 8
|
|
SIGNATURE: 64, // ec_scalar * 2
|
|
};
|
|
|
|
//RCT vars
|
|
var H = "8b655970153799af2aeadc9ff1add0ea6c7251d54154cfa92c173a0dd39c1f94"; //base H for amounts
|
|
var l = JSBigInt(
|
|
"7237005577332262213973186563042994240857116359379907606001950938285454250989",
|
|
); //curve order (not RCT specific)
|
|
var I = "0100000000000000000000000000000000000000000000000000000000000000"; //identity element
|
|
var Z = "0000000000000000000000000000000000000000000000000000000000000000"; //zero scalar
|
|
//H2 object to speed up some operations
|
|
var H2 = [
|
|
"8b655970153799af2aeadc9ff1add0ea6c7251d54154cfa92c173a0dd39c1f94",
|
|
"8faa448ae4b3e2bb3d4d130909f55fcd79711c1c83cdbccadd42cbe1515e8712",
|
|
"12a7d62c7791654a57f3e67694ed50b49a7d9e3fc1e4c7a0bde29d187e9cc71d",
|
|
"789ab9934b49c4f9e6785c6d57a498b3ead443f04f13df110c5427b4f214c739",
|
|
"771e9299d94f02ac72e38e44de568ac1dcb2edc6edb61f83ca418e1077ce3de8",
|
|
"73b96db43039819bdaf5680e5c32d741488884d18d93866d4074a849182a8a64",
|
|
"8d458e1c2f68ebebccd2fd5d379f5e58f8134df3e0e88cad3d46701063a8d412",
|
|
"09551edbe494418e81284455d64b35ee8ac093068a5f161fa6637559177ef404",
|
|
"d05a8866f4df8cee1e268b1d23a4c58c92e760309786cdac0feda1d247a9c9a7",
|
|
"55cdaad518bd871dd1eb7bc7023e1dc0fdf3339864f88fdd2de269fe9ee1832d",
|
|
"e7697e951a98cfd5712b84bbe5f34ed733e9473fcb68eda66e3788df1958c306",
|
|
"f92a970bae72782989bfc83adfaa92a4f49c7e95918b3bba3cdc7fe88acc8d47",
|
|
"1f66c2d491d75af915c8db6a6d1cb0cd4f7ddcd5e63d3ba9b83c866c39ef3a2b",
|
|
"3eec9884b43f58e93ef8deea260004efea2a46344fc5965b1a7dd5d18997efa7",
|
|
"b29f8f0ccb96977fe777d489d6be9e7ebc19c409b5103568f277611d7ea84894",
|
|
"56b1f51265b9559876d58d249d0c146d69a103636699874d3f90473550fe3f2c",
|
|
"1d7a36575e22f5d139ff9cc510fa138505576b63815a94e4b012bfd457caaada",
|
|
"d0ac507a864ecd0593fa67be7d23134392d00e4007e2534878d9b242e10d7620",
|
|
"f6c6840b9cf145bb2dccf86e940be0fc098e32e31099d56f7fe087bd5deb5094",
|
|
"28831a3340070eb1db87c12e05980d5f33e9ef90f83a4817c9f4a0a33227e197",
|
|
"87632273d629ccb7e1ed1a768fa2ebd51760f32e1c0b867a5d368d5271055c6e",
|
|
"5c7b29424347964d04275517c5ae14b6b5ea2798b573fc94e6e44a5321600cfb",
|
|
"e6945042d78bc2c3bd6ec58c511a9fe859c0ad63fde494f5039e0e8232612bd5",
|
|
"36d56907e2ec745db6e54f0b2e1b2300abcb422e712da588a40d3f1ebbbe02f6",
|
|
"34db6ee4d0608e5f783650495a3b2f5273c5134e5284e4fdf96627bb16e31e6b",
|
|
"8e7659fb45a3787d674ae86731faa2538ec0fdf442ab26e9c791fada089467e9",
|
|
"3006cf198b24f31bb4c7e6346000abc701e827cfbb5df52dcfa42e9ca9ff0802",
|
|
"f5fd403cb6e8be21472e377ffd805a8c6083ea4803b8485389cc3ebc215f002a",
|
|
"3731b260eb3f9482e45f1c3f3b9dcf834b75e6eef8c40f461ea27e8b6ed9473d",
|
|
"9f9dab09c3f5e42855c2de971b659328a2dbc454845f396ffc053f0bb192f8c3",
|
|
"5e055d25f85fdb98f273e4afe08464c003b70f1ef0677bb5e25706400be620a5",
|
|
"868bcf3679cb6b500b94418c0b8925f9865530303ae4e4b262591865666a4590",
|
|
"b3db6bd3897afbd1df3f9644ab21c8050e1f0038a52f7ca95ac0c3de7558cb7a",
|
|
"8119b3a059ff2cac483e69bcd41d6d27149447914288bbeaee3413e6dcc6d1eb",
|
|
"10fc58f35fc7fe7ae875524bb5850003005b7f978c0c65e2a965464b6d00819c",
|
|
"5acd94eb3c578379c1ea58a343ec4fcff962776fe35521e475a0e06d887b2db9",
|
|
"33daf3a214d6e0d42d2300a7b44b39290db8989b427974cd865db011055a2901",
|
|
"cfc6572f29afd164a494e64e6f1aeb820c3e7da355144e5124a391d06e9f95ea",
|
|
"d5312a4b0ef615a331f6352c2ed21dac9e7c36398b939aec901c257f6cbc9e8e",
|
|
"551d67fefc7b5b9f9fdbf6af57c96c8a74d7e45a002078a7b5ba45c6fde93e33",
|
|
"d50ac7bd5ca593c656928f38428017fc7ba502854c43d8414950e96ecb405dc3",
|
|
"0773e18ea1be44fe1a97e239573cfae3e4e95ef9aa9faabeac1274d3ad261604",
|
|
"e9af0e7ca89330d2b8615d1b4137ca617e21297f2f0ded8e31b7d2ead8714660",
|
|
"7b124583097f1029a0c74191fe7378c9105acc706695ed1493bb76034226a57b",
|
|
"ec40057b995476650b3db98e9db75738a8cd2f94d863b906150c56aac19caa6b",
|
|
"01d9ff729efd39d83784c0fe59c4ae81a67034cb53c943fb818b9d8ae7fc33e5",
|
|
"00dfb3c696328c76424519a7befe8e0f6c76f947b52767916d24823f735baf2e",
|
|
"461b799b4d9ceea8d580dcb76d11150d535e1639d16003c3fb7e9d1fd13083a8",
|
|
"ee03039479e5228fdc551cbde7079d3412ea186a517ccc63e46e9fcce4fe3a6c",
|
|
"a8cfb543524e7f02b9f045acd543c21c373b4c9b98ac20cec417a6ddb5744e94",
|
|
"932b794bf89c6edaf5d0650c7c4bad9242b25626e37ead5aa75ec8c64e09dd4f",
|
|
"16b10c779ce5cfef59c7710d2e68441ea6facb68e9b5f7d533ae0bb78e28bf57",
|
|
"0f77c76743e7396f9910139f4937d837ae54e21038ac5c0b3fd6ef171a28a7e4",
|
|
"d7e574b7b952f293e80dde905eb509373f3f6cd109a02208b3c1e924080a20ca",
|
|
"45666f8c381e3da675563ff8ba23f83bfac30c34abdde6e5c0975ef9fd700cb9",
|
|
"b24612e454607eb1aba447f816d1a4551ef95fa7247fb7c1f503020a7177f0dd",
|
|
"7e208861856da42c8bb46a7567f8121362d9fb2496f131a4aa9017cf366cdfce",
|
|
"5b646bff6ad1100165037a055601ea02358c0f41050f9dfe3c95dccbd3087be0",
|
|
"746d1dccfed2f0ff1e13c51e2d50d5324375fbd5bf7ca82a8931828d801d43ab",
|
|
"cb98110d4a6bb97d22feadbc6c0d8930c5f8fc508b2fc5b35328d26b88db19ae",
|
|
"60b626a033b55f27d7676c4095eababc7a2c7ede2624b472e97f64f96b8cfc0e",
|
|
"e5b52bc927468df71893eb8197ef820cf76cb0aaf6e8e4fe93ad62d803983104",
|
|
"056541ae5da9961be2b0a5e895e5c5ba153cbb62dd561a427bad0ffd41923199",
|
|
"f8fef05a3fa5c9f3eba41638b247b711a99f960fe73aa2f90136aeb20329b888",
|
|
];
|
|
|
|
//begin rct new functions
|
|
//creates a Pedersen commitment from an amount (in scalar form) and a mask
|
|
//C = bG + aH where b = mask, a = amount
|
|
function commit(amount, mask) {
|
|
if (
|
|
!valid_hex(mask) ||
|
|
mask.length !== 64 ||
|
|
!valid_hex(amount) ||
|
|
amount.length !== 64
|
|
) {
|
|
throw "invalid amount or mask!";
|
|
}
|
|
var C = this.ge_double_scalarmult_base_vartime(amount, H, mask);
|
|
return C;
|
|
}
|
|
|
|
function zeroCommit(amount) {
|
|
if (!valid_hex(amount) || amount.length !== 64) {
|
|
throw "invalid amount!";
|
|
}
|
|
var C = this.ge_double_scalarmult_base_vartime(amount, H, I);
|
|
return C;
|
|
}
|
|
|
|
this.decode_rct_ecdh = function(ecdh, key) {
|
|
var first = this.hash_to_scalar(key);
|
|
var second = this.hash_to_scalar(first);
|
|
return {
|
|
mask: this.sc_sub(ecdh.mask, first),
|
|
amount: this.sc_sub(ecdh.amount, second),
|
|
};
|
|
};
|
|
|
|
this.encode_rct_ecdh = function(ecdh, key) {
|
|
var first = this.hash_to_scalar(key);
|
|
var second = this.hash_to_scalar(first);
|
|
return {
|
|
mask: this.sc_add(ecdh.mask, first),
|
|
amount: this.sc_add(ecdh.amount, second),
|
|
};
|
|
};
|
|
|
|
//switch byte order for hex string
|
|
function swapEndian(hex) {
|
|
if (hex.length % 2 !== 0) {
|
|
return "length must be a multiple of 2!";
|
|
}
|
|
var data = "";
|
|
for (var i = 1; i <= hex.length / 2; i++) {
|
|
data += hex.substr(0 - 2 * i, 2);
|
|
}
|
|
return data;
|
|
}
|
|
|
|
//switch byte order charwise
|
|
function swapEndianC(string) {
|
|
var data = "";
|
|
for (var i = 1; i <= string.length; i++) {
|
|
data += string.substr(0 - i, 1);
|
|
}
|
|
return data;
|
|
}
|
|
|
|
//for most uses you'll also want to swapEndian after conversion
|
|
//mainly to convert integer "scalars" to usable hexadecimal strings
|
|
function d2h(integer) {
|
|
if (typeof integer !== "string" && integer.toString().length > 15) {
|
|
throw "integer should be entered as a string for precision";
|
|
}
|
|
var padding = "";
|
|
for (i = 0; i < 63; i++) {
|
|
padding += "0";
|
|
}
|
|
return (
|
|
padding +
|
|
JSBigInt(integer)
|
|
.toString(16)
|
|
.toLowerCase()
|
|
).slice(-64);
|
|
}
|
|
|
|
//integer (string) to scalar
|
|
function d2s(integer) {
|
|
return swapEndian(d2h(integer));
|
|
}
|
|
|
|
//scalar to integer (string)
|
|
function s2d(scalar) {
|
|
return JSBigInt.parse(swapEndian(scalar), 16).toString();
|
|
}
|
|
|
|
//convert integer string to 64bit "binary" little-endian string
|
|
function d2b(integer) {
|
|
if (typeof integer !== "string" && integer.toString().length > 15) {
|
|
throw "integer should be entered as a string for precision";
|
|
}
|
|
var padding = "";
|
|
for (i = 0; i < 63; i++) {
|
|
padding += "0";
|
|
}
|
|
var a = new JSBigInt(integer);
|
|
if (a.toString(2).length > 64) {
|
|
throw "amount overflows uint64!";
|
|
}
|
|
return swapEndianC((padding + a.toString(2)).slice(-64));
|
|
}
|
|
|
|
//convert integer string to 64bit base 4 little-endian string
|
|
function d2b4(integer) {
|
|
if (typeof integer !== "string" && integer.toString().length > 15) {
|
|
throw "integer should be entered as a string for precision";
|
|
}
|
|
var padding = "";
|
|
for (i = 0; i < 31; i++) {
|
|
padding += "0";
|
|
}
|
|
var a = new JSBigInt(integer);
|
|
if (a.toString(2).length > 64) {
|
|
throw "amount overflows uint64!";
|
|
}
|
|
return swapEndianC((padding + a.toString(4)).slice(-32));
|
|
}
|
|
//end rct new functions
|
|
|
|
this.valid_hex = function(hex) {
|
|
var exp = new RegExp("[0-9a-fA-F]{" + hex.length + "}");
|
|
return exp.test(hex);
|
|
};
|
|
|
|
//simple exclusive or function for two hex inputs
|
|
this.hex_xor = function(hex1, hex2) {
|
|
if (
|
|
!hex1 ||
|
|
!hex2 ||
|
|
hex1.length !== hex2.length ||
|
|
hex1.length % 2 !== 0 ||
|
|
hex2.length % 2 !== 0
|
|
) {
|
|
throw "Hex string(s) is/are invalid!";
|
|
}
|
|
var bin1 = hextobin(hex1);
|
|
var bin2 = hextobin(hex2);
|
|
var xor = new Uint8Array(bin1.length);
|
|
for (i = 0; i < xor.length; i++) {
|
|
xor[i] = bin1[i] ^ bin2[i];
|
|
}
|
|
return bintohex(xor);
|
|
};
|
|
|
|
function hextobin(hex) {
|
|
if (hex.length % 2 !== 0) throw "Hex string has invalid length!";
|
|
var res = new Uint8Array(hex.length / 2);
|
|
for (var i = 0; i < hex.length / 2; ++i) {
|
|
res[i] = parseInt(hex.slice(i * 2, i * 2 + 2), 16);
|
|
}
|
|
return res;
|
|
}
|
|
|
|
function bintohex(bin) {
|
|
var out = [];
|
|
for (var i = 0; i < bin.length; ++i) {
|
|
out.push(("0" + bin[i].toString(16)).slice(-2));
|
|
}
|
|
return out.join("");
|
|
}
|
|
|
|
// Generate a 256-bit / 64-char / 32-byte crypto random
|
|
this.rand_32 = function() {
|
|
return mnemonic.mn_random(256);
|
|
};
|
|
|
|
// Generate a 128-bit / 32-char / 16-byte crypto random
|
|
this.rand_16 = function() {
|
|
return mnemonic.mn_random(128);
|
|
};
|
|
|
|
// Generate a 64-bit / 16-char / 8-byte crypto random
|
|
this.rand_8 = function() {
|
|
return mnemonic.mn_random(64);
|
|
};
|
|
|
|
this.encode_varint = function(i) {
|
|
i = new JSBigInt(i);
|
|
var out = "";
|
|
// While i >= b10000000
|
|
while (i.compare(0x80) >= 0) {
|
|
// out.append i & b01111111 | b10000000
|
|
out += ("0" + ((i.lowVal() & 0x7f) | 0x80).toString(16)).slice(-2);
|
|
i = i.divide(new JSBigInt(2).pow(7));
|
|
}
|
|
out += ("0" + i.toJSValue().toString(16)).slice(-2);
|
|
return out;
|
|
};
|
|
|
|
this.sc_reduce = function(hex) {
|
|
var input = hextobin(hex);
|
|
if (input.length !== 64) {
|
|
throw "Invalid input length";
|
|
}
|
|
var mem = CNCrypto._malloc(64);
|
|
CNCrypto.HEAPU8.set(input, mem);
|
|
CNCrypto.ccall("sc_reduce", "void", ["number"], [mem]);
|
|
var output = CNCrypto.HEAPU8.subarray(mem, mem + 64);
|
|
CNCrypto._free(mem);
|
|
return bintohex(output);
|
|
};
|
|
|
|
this.sc_reduce32 = function(hex) {
|
|
var input = hextobin(hex);
|
|
if (input.length !== 32) {
|
|
throw "Invalid input length";
|
|
}
|
|
var mem = CNCrypto._malloc(32);
|
|
CNCrypto.HEAPU8.set(input, mem);
|
|
CNCrypto.ccall("sc_reduce32", "void", ["number"], [mem]);
|
|
var output = CNCrypto.HEAPU8.subarray(mem, mem + 32);
|
|
CNCrypto._free(mem);
|
|
return bintohex(output);
|
|
};
|
|
|
|
this.cn_fast_hash = function(input, inlen) {
|
|
/*if (inlen === undefined || !inlen) {
|
|
inlen = Math.floor(input.length / 2);
|
|
}*/
|
|
if (input.length % 2 !== 0 || !this.valid_hex(input)) {
|
|
throw "Input invalid";
|
|
}
|
|
//update to use new keccak impl (approx 45x faster)
|
|
//var state = this.keccak(input, inlen, HASH_STATE_BYTES);
|
|
//return state.substr(0, HASH_SIZE * 2);
|
|
return sha3.keccak_256(hextobin(input));
|
|
};
|
|
|
|
//many functions below are commented out now, and duplicated with the faster nacl impl --luigi1111
|
|
// to be removed completely later
|
|
/*this.sec_key_to_pub = function(sec) {
|
|
var input = hextobin(sec);
|
|
if (input.length !== 32) {
|
|
throw "Invalid input length";
|
|
}
|
|
var input_mem = CNCrypto._malloc(KEY_SIZE);
|
|
CNCrypto.HEAPU8.set(input, input_mem);
|
|
var ge_p3 = CNCrypto._malloc(STRUCT_SIZES.GE_P3);
|
|
var out_mem = CNCrypto._malloc(KEY_SIZE);
|
|
CNCrypto.ccall('ge_scalarmult_base', 'void', ['number', 'number'], [ge_p3, input_mem]);
|
|
CNCrypto.ccall('ge_p3_tobytes', 'void', ['number', 'number'], [out_mem, ge_p3]);
|
|
var output = CNCrypto.HEAPU8.subarray(out_mem, out_mem + KEY_SIZE);
|
|
CNCrypto._free(ge_p3);
|
|
CNCrypto._free(input_mem);
|
|
CNCrypto._free(out_mem);
|
|
return bintohex(output);
|
|
};*/
|
|
|
|
this.sec_key_to_pub = function(sec) {
|
|
if (sec.length !== 64) {
|
|
throw "Invalid sec length";
|
|
}
|
|
return bintohex(nacl.ll.ge_scalarmult_base(hextobin(sec)));
|
|
};
|
|
|
|
//alias
|
|
this.ge_scalarmult_base = function(sec) {
|
|
return this.sec_key_to_pub(sec);
|
|
};
|
|
|
|
//accepts arbitrary point, rather than G
|
|
/*this.ge_scalarmult = function(pub, sec) {
|
|
if (pub.length !== 64 || sec.length !== 64) {
|
|
throw "Invalid input length";
|
|
}
|
|
var pub_b = hextobin(pub);
|
|
var sec_b = hextobin(sec);
|
|
var pub_m = CNCrypto._malloc(KEY_SIZE);
|
|
CNCrypto.HEAPU8.set(pub_b, pub_m);
|
|
var sec_m = CNCrypto._malloc(KEY_SIZE);
|
|
CNCrypto.HEAPU8.set(sec_b, sec_m);
|
|
var ge_p3_m = CNCrypto._malloc(STRUCT_SIZES.GE_P3);
|
|
var ge_p2_m = CNCrypto._malloc(STRUCT_SIZES.GE_P2);
|
|
if (CNCrypto.ccall("ge_frombytes_vartime", "bool", ["number", "number"], [ge_p3_m, pub_m]) !== 0) {
|
|
throw "ge_frombytes_vartime returned non-zero error code";
|
|
}
|
|
CNCrypto.ccall("ge_scalarmult", "void", ["number", "number", "number"], [ge_p2_m, sec_m, ge_p3_m]);
|
|
var derivation_m = CNCrypto._malloc(KEY_SIZE);
|
|
CNCrypto.ccall("ge_tobytes", "void", ["number", "number"], [derivation_m, ge_p2_m]);
|
|
var res = CNCrypto.HEAPU8.subarray(derivation_m, derivation_m + KEY_SIZE);
|
|
CNCrypto._free(pub_m);
|
|
CNCrypto._free(sec_m);
|
|
CNCrypto._free(ge_p3_m);
|
|
CNCrypto._free(ge_p2_m);
|
|
CNCrypto._free(derivation_m);
|
|
return bintohex(res);
|
|
};*/
|
|
this.ge_scalarmult = function(pub, sec) {
|
|
if (pub.length !== 64 || sec.length !== 64) {
|
|
throw "Invalid input length";
|
|
}
|
|
return bintohex(nacl.ll.ge_scalarmult(hextobin(pub), hextobin(sec)));
|
|
};
|
|
|
|
this.pubkeys_to_string = function(spend, view, nettype) {
|
|
var prefix = this.encode_varint(
|
|
nettype_utils.cryptonoteBase58PrefixForStandardAddressOn(nettype),
|
|
);
|
|
var data = prefix + spend + view;
|
|
var checksum = this.cn_fast_hash(data);
|
|
return cnBase58.encode(
|
|
data + checksum.slice(0, ADDRESS_CHECKSUM_SIZE * 2),
|
|
);
|
|
};
|
|
|
|
this.new__int_addr_from_addr_and_short_pid = function(
|
|
address,
|
|
short_pid,
|
|
nettype,
|
|
) {
|
|
// throws
|
|
let decoded_address = this.decode_address(
|
|
address, // TODO/FIXME: not super happy about having to decode just to re-encode… this was a quick hack
|
|
nettype,
|
|
); // throws
|
|
if (!short_pid || short_pid.length != 16) {
|
|
throw "expected valid short_pid";
|
|
}
|
|
var prefix = this.encode_varint(
|
|
nettype_utils.cryptonoteBase58PrefixForIntegratedAddressOn(nettype),
|
|
);
|
|
var data =
|
|
prefix + decoded_address.spend + decoded_address.view + short_pid;
|
|
var checksum = this.cn_fast_hash(data);
|
|
var encodable__data =
|
|
data + checksum.slice(0, ADDRESS_CHECKSUM_SIZE * 2);
|
|
//
|
|
return cnBase58.encode(encodable__data);
|
|
};
|
|
|
|
// Generate keypair from seed
|
|
this.generate_keys = function(seed) {
|
|
if (seed.length !== 64) throw "Invalid input length!";
|
|
var sec = this.sc_reduce32(seed);
|
|
var pub = this.sec_key_to_pub(sec);
|
|
return {
|
|
sec: sec,
|
|
pub: pub,
|
|
};
|
|
};
|
|
|
|
this.random_keypair = function() {
|
|
return this.generate_keys(this.rand_32());
|
|
};
|
|
|
|
// Random 32-byte ec scalar
|
|
this.random_scalar = function() {
|
|
//var rand = this.sc_reduce(mnemonic.mn_random(64 * 8));
|
|
//return rand.slice(0, STRUCT_SIZES.EC_SCALAR * 2);
|
|
return this.sc_reduce32(this.rand_32());
|
|
};
|
|
|
|
/* no longer used
|
|
this.keccak = function(hex, inlen, outlen) {
|
|
var input = hextobin(hex);
|
|
if (input.length !== inlen) {
|
|
throw "Invalid input length";
|
|
}
|
|
if (outlen <= 0) {
|
|
throw "Invalid output length";
|
|
}
|
|
var input_mem = CNCrypto._malloc(inlen);
|
|
CNCrypto.HEAPU8.set(input, input_mem);
|
|
var out_mem = CNCrypto._malloc(outlen);
|
|
CNCrypto._keccak(input_mem, inlen | 0, out_mem, outlen | 0);
|
|
var output = CNCrypto.HEAPU8.subarray(out_mem, out_mem + outlen);
|
|
CNCrypto._free(input_mem);
|
|
CNCrypto._free(out_mem);
|
|
return bintohex(output);
|
|
};*/
|
|
|
|
this.create_address = function(seed, nettype) {
|
|
var keys = {};
|
|
// updated by Luigi and PS to support reduced and non-reduced seeds
|
|
var first;
|
|
if (seed.length !== 64) {
|
|
first = this.cn_fast_hash(seed);
|
|
} else {
|
|
first = this.sc_reduce32(seed);
|
|
}
|
|
keys.spend = this.generate_keys(first);
|
|
var second = this.cn_fast_hash(first);
|
|
keys.view = this.generate_keys(second);
|
|
keys.public_addr = this.pubkeys_to_string(
|
|
keys.spend.pub,
|
|
keys.view.pub,
|
|
nettype,
|
|
);
|
|
return keys;
|
|
};
|
|
|
|
this.create_addr_prefix = function(seed, nettype) {
|
|
var first;
|
|
if (seed.length !== 64) {
|
|
first = this.cn_fast_hash(seed);
|
|
} else {
|
|
first = seed;
|
|
}
|
|
var spend = this.generate_keys(first);
|
|
var prefix = this.encode_varint(
|
|
nettype_utils.cryptonoteBase58PrefixForStandardAddressOn(nettype),
|
|
);
|
|
return cnBase58.encode(prefix + spend.pub).slice(0, 44);
|
|
};
|
|
|
|
this.decode_address = function(address, nettype) {
|
|
var dec = cnBase58.decode(address);
|
|
var expectedPrefix = this.encode_varint(
|
|
nettype_utils.cryptonoteBase58PrefixForStandardAddressOn(nettype),
|
|
);
|
|
var expectedPrefixInt = this.encode_varint(
|
|
nettype_utils.cryptonoteBase58PrefixForIntegratedAddressOn(nettype),
|
|
);
|
|
var expectedPrefixSub = this.encode_varint(
|
|
nettype_utils.cryptonoteBase58PrefixForSubAddressOn(nettype),
|
|
);
|
|
var prefix = dec.slice(0, expectedPrefix.length);
|
|
if (
|
|
prefix !== expectedPrefix &&
|
|
prefix !== expectedPrefixInt &&
|
|
prefix !== expectedPrefixSub
|
|
) {
|
|
throw "Invalid address prefix";
|
|
}
|
|
dec = dec.slice(expectedPrefix.length);
|
|
var spend = dec.slice(0, 64);
|
|
var view = dec.slice(64, 128);
|
|
if (prefix === expectedPrefixInt) {
|
|
var intPaymentId = dec.slice(128, 128 + INTEGRATED_ID_SIZE * 2);
|
|
var checksum = dec.slice(
|
|
128 + INTEGRATED_ID_SIZE * 2,
|
|
128 + INTEGRATED_ID_SIZE * 2 + ADDRESS_CHECKSUM_SIZE * 2,
|
|
);
|
|
var expectedChecksum = this.cn_fast_hash(
|
|
prefix + spend + view + intPaymentId,
|
|
).slice(0, ADDRESS_CHECKSUM_SIZE * 2);
|
|
} else {
|
|
var checksum = dec.slice(128, 128 + ADDRESS_CHECKSUM_SIZE * 2);
|
|
var expectedChecksum = this.cn_fast_hash(
|
|
prefix + spend + view,
|
|
).slice(0, ADDRESS_CHECKSUM_SIZE * 2);
|
|
}
|
|
if (checksum !== expectedChecksum) {
|
|
throw "Invalid checksum";
|
|
}
|
|
if (intPaymentId) {
|
|
return {
|
|
spend: spend,
|
|
view: view,
|
|
intPaymentId: intPaymentId,
|
|
};
|
|
} else {
|
|
return {
|
|
spend: spend,
|
|
view: view,
|
|
};
|
|
}
|
|
};
|
|
|
|
this.is_subaddress = function(addr, nettype) {
|
|
var decoded = cnBase58.decode(addr);
|
|
var subaddressPrefix = this.encode_varint(
|
|
nettype_utils.cryptonoteBase58PrefixForSubAddressOn(nettype),
|
|
);
|
|
var prefix = decoded.slice(0, subaddressPrefix.length);
|
|
return prefix === subaddressPrefix;
|
|
};
|
|
|
|
this.valid_keys = function(view_pub, view_sec, spend_pub, spend_sec) {
|
|
var expected_view_pub = this.sec_key_to_pub(view_sec);
|
|
var expected_spend_pub = this.sec_key_to_pub(spend_sec);
|
|
return (
|
|
expected_spend_pub === spend_pub && expected_view_pub === view_pub
|
|
);
|
|
};
|
|
|
|
this.hash_to_scalar = function(buf) {
|
|
var hash = this.cn_fast_hash(buf);
|
|
var scalar = this.sc_reduce32(hash);
|
|
return scalar;
|
|
};
|
|
|
|
/*this.generate_key_derivation = function(pub, sec) {
|
|
if (pub.length !== 64 || sec.length !== 64) {
|
|
throw "Invalid input length";
|
|
}
|
|
var pub_b = hextobin(pub);
|
|
var sec_b = hextobin(sec);
|
|
var pub_m = CNCrypto._malloc(KEY_SIZE);
|
|
CNCrypto.HEAPU8.set(pub_b, pub_m);
|
|
var sec_m = CNCrypto._malloc(KEY_SIZE);
|
|
CNCrypto.HEAPU8.set(sec_b, sec_m);
|
|
var ge_p3_m = CNCrypto._malloc(STRUCT_SIZES.GE_P3);
|
|
var ge_p2_m = CNCrypto._malloc(STRUCT_SIZES.GE_P2);
|
|
var ge_p1p1_m = CNCrypto._malloc(STRUCT_SIZES.GE_P1P1);
|
|
if (CNCrypto.ccall("ge_frombytes_vartime", "bool", ["number", "number"], [ge_p3_m, pub_m]) !== 0) {
|
|
throw "ge_frombytes_vartime returned non-zero error code";
|
|
}
|
|
CNCrypto.ccall("ge_scalarmult", "void", ["number", "number", "number"], [ge_p2_m, sec_m, ge_p3_m]);
|
|
CNCrypto.ccall("ge_mul8", "void", ["number", "number"], [ge_p1p1_m, ge_p2_m]);
|
|
CNCrypto.ccall("ge_p1p1_to_p2", "void", ["number", "number"], [ge_p2_m, ge_p1p1_m]);
|
|
var derivation_m = CNCrypto._malloc(KEY_SIZE);
|
|
CNCrypto.ccall("ge_tobytes", "void", ["number", "number"], [derivation_m, ge_p2_m]);
|
|
var res = CNCrypto.HEAPU8.subarray(derivation_m, derivation_m + KEY_SIZE);
|
|
CNCrypto._free(pub_m);
|
|
CNCrypto._free(sec_m);
|
|
CNCrypto._free(ge_p3_m);
|
|
CNCrypto._free(ge_p2_m);
|
|
CNCrypto._free(ge_p1p1_m);
|
|
CNCrypto._free(derivation_m);
|
|
return bintohex(res);
|
|
};*/
|
|
|
|
this.generate_key_derivation = function(pub, sec) {
|
|
if (pub.length !== 64 || sec.length !== 64) {
|
|
throw "Invalid input length";
|
|
}
|
|
var P = this.ge_scalarmult(pub, sec);
|
|
return this.ge_scalarmult(P, d2s(8)); //mul8 to ensure group
|
|
};
|
|
|
|
this.derivation_to_scalar = function(derivation, output_index) {
|
|
var buf = "";
|
|
if (derivation.length !== STRUCT_SIZES.EC_POINT * 2) {
|
|
throw "Invalid derivation length!";
|
|
}
|
|
buf += derivation;
|
|
var enc = encode_varint(output_index);
|
|
if (enc.length > 10 * 2) {
|
|
throw "output_index didn't fit in 64-bit varint";
|
|
}
|
|
buf += enc;
|
|
return this.hash_to_scalar(buf);
|
|
};
|
|
|
|
this.derive_secret_key = function(derivation, out_index, sec) {
|
|
if (derivation.length !== 64 || sec.length !== 64) {
|
|
throw "Invalid input length!";
|
|
}
|
|
var scalar_m = CNCrypto._malloc(STRUCT_SIZES.EC_SCALAR);
|
|
var scalar_b = hextobin(
|
|
this.derivation_to_scalar(derivation, out_index),
|
|
);
|
|
CNCrypto.HEAPU8.set(scalar_b, scalar_m);
|
|
var base_m = CNCrypto._malloc(KEY_SIZE);
|
|
CNCrypto.HEAPU8.set(hextobin(sec), base_m);
|
|
var derived_m = CNCrypto._malloc(STRUCT_SIZES.EC_SCALAR);
|
|
CNCrypto.ccall(
|
|
"sc_add",
|
|
"void",
|
|
["number", "number", "number"],
|
|
[derived_m, base_m, scalar_m],
|
|
);
|
|
var res = CNCrypto.HEAPU8.subarray(
|
|
derived_m,
|
|
derived_m + STRUCT_SIZES.EC_SCALAR,
|
|
);
|
|
CNCrypto._free(scalar_m);
|
|
CNCrypto._free(base_m);
|
|
CNCrypto._free(derived_m);
|
|
return bintohex(res);
|
|
};
|
|
|
|
/*this.derive_public_key = function(derivation, out_index, pub) {
|
|
if (derivation.length !== 64 || pub.length !== 64) {
|
|
throw "Invalid input length!";
|
|
}
|
|
var derivation_m = CNCrypto._malloc(KEY_SIZE);
|
|
var derivation_b = hextobin(derivation);
|
|
CNCrypto.HEAPU8.set(derivation_b, derivation_m);
|
|
var base_m = CNCrypto._malloc(KEY_SIZE);
|
|
var base_b = hextobin(pub);
|
|
CNCrypto.HEAPU8.set(base_b, base_m);
|
|
var point1_m = CNCrypto._malloc(STRUCT_SIZES.GE_P3);
|
|
var point2_m = CNCrypto._malloc(STRUCT_SIZES.GE_P3);
|
|
var point3_m = CNCrypto._malloc(STRUCT_SIZES.GE_CACHED);
|
|
var point4_m = CNCrypto._malloc(STRUCT_SIZES.GE_P1P1);
|
|
var point5_m = CNCrypto._malloc(STRUCT_SIZES.GE_P2);
|
|
var derived_key_m = CNCrypto._malloc(KEY_SIZE);
|
|
if (CNCrypto.ccall("ge_frombytes_vartime", "bool", ["number", "number"], [point1_m, base_m]) !== 0) {
|
|
throw "ge_frombytes_vartime returned non-zero error code";
|
|
}
|
|
var scalar_m = CNCrypto._malloc(STRUCT_SIZES.EC_SCALAR);
|
|
var scalar_b = hextobin(this.derivation_to_scalar(bintohex(CNCrypto.HEAPU8.subarray(derivation_m, derivation_m + STRUCT_SIZES.EC_POINT)), out_index));
|
|
CNCrypto.HEAPU8.set(scalar_b, scalar_m);
|
|
CNCrypto.ccall("ge_scalarmult_base", "void", ["number", "number"], [point2_m, scalar_m]);
|
|
CNCrypto.ccall("ge_p3_to_cached", "void", ["number", "number"], [point3_m, point2_m]);
|
|
CNCrypto.ccall("ge_add", "void", ["number", "number", "number"], [point4_m, point1_m, point3_m]);
|
|
CNCrypto.ccall("ge_p1p1_to_p2", "void", ["number", "number"], [point5_m, point4_m]);
|
|
CNCrypto.ccall("ge_tobytes", "void", ["number", "number"], [derived_key_m, point5_m]);
|
|
var res = CNCrypto.HEAPU8.subarray(derived_key_m, derived_key_m + KEY_SIZE);
|
|
CNCrypto._free(derivation_m);
|
|
CNCrypto._free(base_m);
|
|
CNCrypto._free(scalar_m);
|
|
CNCrypto._free(point1_m);
|
|
CNCrypto._free(point2_m);
|
|
CNCrypto._free(point3_m);
|
|
CNCrypto._free(point4_m);
|
|
CNCrypto._free(point5_m);
|
|
CNCrypto._free(derived_key_m);
|
|
return bintohex(res);
|
|
};*/
|
|
|
|
this.derive_public_key = function(derivation, out_index, pub) {
|
|
if (derivation.length !== 64 || pub.length !== 64) {
|
|
throw "Invalid input length!";
|
|
}
|
|
var s = this.derivation_to_scalar(derivation, out_index);
|
|
return bintohex(
|
|
nacl.ll.ge_add(hextobin(pub), hextobin(this.ge_scalarmult_base(s))),
|
|
);
|
|
};
|
|
|
|
// D' = P - Hs(aR|i)G
|
|
this.derive_subaddress_public_key = function(
|
|
output_key,
|
|
derivation,
|
|
out_index,
|
|
) {
|
|
if (output_key.length !== 64 || derivation.length !== 64) {
|
|
throw "Invalid input length!";
|
|
}
|
|
var scalar = this.derivation_to_scalar(derivation, out_index);
|
|
var point = this.ge_scalarmult_base(scalar);
|
|
return this.ge_sub(output_key, point);
|
|
};
|
|
|
|
this.hash_to_ec = function(key) {
|
|
if (key.length !== KEY_SIZE * 2) {
|
|
throw "Invalid input length";
|
|
}
|
|
var h_m = CNCrypto._malloc(HASH_SIZE);
|
|
var point_m = CNCrypto._malloc(STRUCT_SIZES.GE_P2);
|
|
var point2_m = CNCrypto._malloc(STRUCT_SIZES.GE_P1P1);
|
|
var res_m = CNCrypto._malloc(STRUCT_SIZES.GE_P3);
|
|
var hash = hextobin(this.cn_fast_hash(key, KEY_SIZE));
|
|
CNCrypto.HEAPU8.set(hash, h_m);
|
|
CNCrypto.ccall(
|
|
"ge_fromfe_frombytes_vartime",
|
|
"void",
|
|
["number", "number"],
|
|
[point_m, h_m],
|
|
);
|
|
CNCrypto.ccall(
|
|
"ge_mul8",
|
|
"void",
|
|
["number", "number"],
|
|
[point2_m, point_m],
|
|
);
|
|
CNCrypto.ccall(
|
|
"ge_p1p1_to_p3",
|
|
"void",
|
|
["number", "number"],
|
|
[res_m, point2_m],
|
|
);
|
|
var res = CNCrypto.HEAPU8.subarray(res_m, res_m + STRUCT_SIZES.GE_P3);
|
|
CNCrypto._free(h_m);
|
|
CNCrypto._free(point_m);
|
|
CNCrypto._free(point2_m);
|
|
CNCrypto._free(res_m);
|
|
return bintohex(res);
|
|
};
|
|
|
|
//returns a 32 byte point via "ge_p3_tobytes" rather than a 160 byte "p3", otherwise same as above;
|
|
this.hash_to_ec_2 = function(key) {
|
|
if (key.length !== KEY_SIZE * 2) {
|
|
throw "Invalid input length";
|
|
}
|
|
var h_m = CNCrypto._malloc(HASH_SIZE);
|
|
var point_m = CNCrypto._malloc(STRUCT_SIZES.GE_P2);
|
|
var point2_m = CNCrypto._malloc(STRUCT_SIZES.GE_P1P1);
|
|
var res_m = CNCrypto._malloc(STRUCT_SIZES.GE_P3);
|
|
var hash = hextobin(this.cn_fast_hash(key, KEY_SIZE));
|
|
var res2_m = CNCrypto._malloc(KEY_SIZE);
|
|
CNCrypto.HEAPU8.set(hash, h_m);
|
|
CNCrypto.ccall(
|
|
"ge_fromfe_frombytes_vartime",
|
|
"void",
|
|
["number", "number"],
|
|
[point_m, h_m],
|
|
);
|
|
CNCrypto.ccall(
|
|
"ge_mul8",
|
|
"void",
|
|
["number", "number"],
|
|
[point2_m, point_m],
|
|
);
|
|
CNCrypto.ccall(
|
|
"ge_p1p1_to_p3",
|
|
"void",
|
|
["number", "number"],
|
|
[res_m, point2_m],
|
|
);
|
|
CNCrypto.ccall(
|
|
"ge_p3_tobytes",
|
|
"void",
|
|
["number", "number"],
|
|
[res2_m, res_m],
|
|
);
|
|
var res = CNCrypto.HEAPU8.subarray(res2_m, res2_m + KEY_SIZE);
|
|
CNCrypto._free(h_m);
|
|
CNCrypto._free(point_m);
|
|
CNCrypto._free(point2_m);
|
|
CNCrypto._free(res_m);
|
|
CNCrypto._free(res2_m);
|
|
return bintohex(res);
|
|
};
|
|
|
|
this.generate_key_image_2 = function(pub, sec) {
|
|
if (!pub || !sec || pub.length !== 64 || sec.length !== 64) {
|
|
throw "Invalid input length";
|
|
}
|
|
var pub_m = CNCrypto._malloc(KEY_SIZE);
|
|
var sec_m = CNCrypto._malloc(KEY_SIZE);
|
|
CNCrypto.HEAPU8.set(hextobin(pub), pub_m);
|
|
CNCrypto.HEAPU8.set(hextobin(sec), sec_m);
|
|
if (CNCrypto.ccall("sc_check", "number", ["number"], [sec_m]) !== 0) {
|
|
throw "sc_check(sec) != 0";
|
|
}
|
|
var point_m = CNCrypto._malloc(STRUCT_SIZES.GE_P3);
|
|
var point2_m = CNCrypto._malloc(STRUCT_SIZES.GE_P2);
|
|
var point_b = hextobin(this.hash_to_ec(pub));
|
|
CNCrypto.HEAPU8.set(point_b, point_m);
|
|
var image_m = CNCrypto._malloc(STRUCT_SIZES.KEY_IMAGE);
|
|
CNCrypto.ccall(
|
|
"ge_scalarmult",
|
|
"void",
|
|
["number", "number", "number"],
|
|
[point2_m, sec_m, point_m],
|
|
);
|
|
CNCrypto.ccall(
|
|
"ge_tobytes",
|
|
"void",
|
|
["number", "number"],
|
|
[image_m, point2_m],
|
|
);
|
|
var res = CNCrypto.HEAPU8.subarray(
|
|
image_m,
|
|
image_m + STRUCT_SIZES.KEY_IMAGE,
|
|
);
|
|
CNCrypto._free(pub_m);
|
|
CNCrypto._free(sec_m);
|
|
CNCrypto._free(point_m);
|
|
CNCrypto._free(point2_m);
|
|
CNCrypto._free(image_m);
|
|
return bintohex(res);
|
|
};
|
|
|
|
this.generate_key_image = function(
|
|
tx_pub,
|
|
view_sec,
|
|
spend_pub,
|
|
spend_sec,
|
|
output_index,
|
|
) {
|
|
if (tx_pub.length !== 64) {
|
|
throw "Invalid tx_pub length";
|
|
}
|
|
if (view_sec.length !== 64) {
|
|
throw "Invalid view_sec length";
|
|
}
|
|
if (spend_pub.length !== 64) {
|
|
throw "Invalid spend_pub length";
|
|
}
|
|
if (spend_sec.length !== 64) {
|
|
throw "Invalid spend_sec length";
|
|
}
|
|
var recv_derivation = this.generate_key_derivation(tx_pub, view_sec);
|
|
var ephemeral_pub = this.derive_public_key(
|
|
recv_derivation,
|
|
output_index,
|
|
spend_pub,
|
|
);
|
|
var ephemeral_sec = this.derive_secret_key(
|
|
recv_derivation,
|
|
output_index,
|
|
spend_sec,
|
|
);
|
|
var k_image = this.generate_key_image_2(ephemeral_pub, ephemeral_sec);
|
|
return {
|
|
ephemeral_pub: ephemeral_pub,
|
|
key_image: k_image,
|
|
};
|
|
};
|
|
|
|
this.generate_key_image_helper_rct = function(
|
|
keys,
|
|
tx_pub_key,
|
|
out_index,
|
|
enc_mask,
|
|
) {
|
|
var recv_derivation = this.generate_key_derivation(
|
|
tx_pub_key,
|
|
keys.view.sec,
|
|
);
|
|
if (!recv_derivation) throw "Failed to generate key image";
|
|
var mask = enc_mask
|
|
? sc_sub(
|
|
enc_mask,
|
|
hash_to_scalar(
|
|
derivation_to_scalar(recv_derivation, out_index),
|
|
),
|
|
)
|
|
: I; //decode mask, or d2s(1) if no mask
|
|
var ephemeral_pub = this.derive_public_key(
|
|
recv_derivation,
|
|
out_index,
|
|
keys.spend.pub,
|
|
);
|
|
if (!ephemeral_pub) throw "Failed to generate key image";
|
|
var ephemeral_sec = this.derive_secret_key(
|
|
recv_derivation,
|
|
out_index,
|
|
keys.spend.sec,
|
|
);
|
|
var image = this.generate_key_image_2(ephemeral_pub, ephemeral_sec);
|
|
return {
|
|
in_ephemeral: {
|
|
pub: ephemeral_pub,
|
|
sec: ephemeral_sec,
|
|
mask: mask,
|
|
},
|
|
image: image,
|
|
};
|
|
};
|
|
|
|
//curve and scalar functions; split out to make their host functions cleaner and more readable
|
|
//inverts X coordinate -- this seems correct ^_^ -luigi1111
|
|
this.ge_neg = function(point) {
|
|
if (point.length !== 64) {
|
|
throw "expected 64 char hex string";
|
|
}
|
|
return (
|
|
point.slice(0, 62) +
|
|
((parseInt(point.slice(62, 63), 16) + 8) % 16).toString(16) +
|
|
point.slice(63, 64)
|
|
);
|
|
};
|
|
|
|
//adds two points together, order does not matter
|
|
/*this.ge_add2 = function(point1, point2) {
|
|
var point1_m = CNCrypto._malloc(KEY_SIZE);
|
|
var point2_m = CNCrypto._malloc(KEY_SIZE);
|
|
var point1_m2 = CNCrypto._malloc(STRUCT_SIZES.GE_P3);
|
|
var point2_m2 = CNCrypto._malloc(STRUCT_SIZES.GE_P3);
|
|
CNCrypto.HEAPU8.set(hextobin(point1), point1_m);
|
|
CNCrypto.HEAPU8.set(hextobin(point2), point2_m);
|
|
if (CNCrypto.ccall("ge_frombytes_vartime", "bool", ["number", "number"], [point1_m2, point1_m]) !== 0) {
|
|
throw "ge_frombytes_vartime returned non-zero error code";
|
|
}
|
|
if (CNCrypto.ccall("ge_frombytes_vartime", "bool", ["number", "number"], [point2_m2, point2_m]) !== 0) {
|
|
throw "ge_frombytes_vartime returned non-zero error code";
|
|
}
|
|
var sum_m = CNCrypto._malloc(KEY_SIZE);
|
|
var p2_m = CNCrypto._malloc(STRUCT_SIZES.GE_P2);
|
|
var p1_m = CNCrypto._malloc(STRUCT_SIZES.GE_P1P1);
|
|
var p3_m = CNCrypto._malloc(STRUCT_SIZES.GE_CACHED);
|
|
CNCrypto.ccall("ge_p3_to_cached", "void", ["number", "number"], [p3_m, point2_m2]);
|
|
CNCrypto.ccall("ge_add", "void", ["number", "number", "number"], [p1_m, point1_m2, p3_m]);
|
|
CNCrypto.ccall("ge_p1p1_to_p2", "void", ["number", "number"], [p2_m, p1_m]);
|
|
CNCrypto.ccall("ge_tobytes", "void", ["number", "number"], [sum_m, p2_m]);
|
|
var res = CNCrypto.HEAPU8.subarray(sum_m, sum_m + KEY_SIZE);
|
|
CNCrypto._free(point1_m);
|
|
CNCrypto._free(point1_m2);
|
|
CNCrypto._free(point2_m);
|
|
CNCrypto._free(point2_m2);
|
|
CNCrypto._free(p2_m);
|
|
CNCrypto._free(p1_m);
|
|
CNCrypto._free(sum_m);
|
|
CNCrypto._free(p3_m);
|
|
return bintohex(res);
|
|
};*/
|
|
|
|
this.ge_add = function(p1, p2) {
|
|
if (p1.length !== 64 || p2.length !== 64) {
|
|
throw "Invalid input length!";
|
|
}
|
|
return bintohex(nacl.ll.ge_add(hextobin(p1), hextobin(p2)));
|
|
};
|
|
|
|
//order matters
|
|
this.ge_sub = function(point1, point2) {
|
|
point2n = ge_neg(point2);
|
|
return ge_add(point1, point2n);
|
|
};
|
|
|
|
//adds two scalars together
|
|
this.sc_add = function(scalar1, scalar2) {
|
|
if (scalar1.length !== 64 || scalar2.length !== 64) {
|
|
throw "Invalid input length!";
|
|
}
|
|
var scalar1_m = CNCrypto._malloc(STRUCT_SIZES.EC_SCALAR);
|
|
var scalar2_m = CNCrypto._malloc(STRUCT_SIZES.EC_SCALAR);
|
|
CNCrypto.HEAPU8.set(hextobin(scalar1), scalar1_m);
|
|
CNCrypto.HEAPU8.set(hextobin(scalar2), scalar2_m);
|
|
var derived_m = CNCrypto._malloc(STRUCT_SIZES.EC_SCALAR);
|
|
CNCrypto.ccall(
|
|
"sc_add",
|
|
"void",
|
|
["number", "number", "number"],
|
|
[derived_m, scalar1_m, scalar2_m],
|
|
);
|
|
var res = CNCrypto.HEAPU8.subarray(
|
|
derived_m,
|
|
derived_m + STRUCT_SIZES.EC_SCALAR,
|
|
);
|
|
CNCrypto._free(scalar1_m);
|
|
CNCrypto._free(scalar2_m);
|
|
CNCrypto._free(derived_m);
|
|
return bintohex(res);
|
|
};
|
|
|
|
//subtracts one scalar from another
|
|
this.sc_sub = function(scalar1, scalar2) {
|
|
if (scalar1.length !== 64 || scalar2.length !== 64) {
|
|
throw "Invalid input length!";
|
|
}
|
|
var scalar1_m = CNCrypto._malloc(STRUCT_SIZES.EC_SCALAR);
|
|
var scalar2_m = CNCrypto._malloc(STRUCT_SIZES.EC_SCALAR);
|
|
CNCrypto.HEAPU8.set(hextobin(scalar1), scalar1_m);
|
|
CNCrypto.HEAPU8.set(hextobin(scalar2), scalar2_m);
|
|
var derived_m = CNCrypto._malloc(STRUCT_SIZES.EC_SCALAR);
|
|
CNCrypto.ccall(
|
|
"sc_sub",
|
|
"void",
|
|
["number", "number", "number"],
|
|
[derived_m, scalar1_m, scalar2_m],
|
|
);
|
|
var res = CNCrypto.HEAPU8.subarray(
|
|
derived_m,
|
|
derived_m + STRUCT_SIZES.EC_SCALAR,
|
|
);
|
|
CNCrypto._free(scalar1_m);
|
|
CNCrypto._free(scalar2_m);
|
|
CNCrypto._free(derived_m);
|
|
return bintohex(res);
|
|
};
|
|
|
|
//fun mul function
|
|
this.sc_mul = function(scalar1, scalar2) {
|
|
if (scalar1.length !== 64 || scalar2.length !== 64) {
|
|
throw "Invalid input length!";
|
|
}
|
|
return d2s(
|
|
JSBigInt(s2d(scalar1))
|
|
.multiply(JSBigInt(s2d(scalar2)))
|
|
.remainder(l)
|
|
.toString(),
|
|
);
|
|
};
|
|
|
|
//res = c - (ab) mod l; argument names copied from the signature implementation
|
|
this.sc_mulsub = function(sigc, sec, k) {
|
|
if (
|
|
k.length !== KEY_SIZE * 2 ||
|
|
sigc.length !== KEY_SIZE * 2 ||
|
|
sec.length !== KEY_SIZE * 2 ||
|
|
!this.valid_hex(k) ||
|
|
!this.valid_hex(sigc) ||
|
|
!this.valid_hex(sec)
|
|
) {
|
|
throw "bad scalar";
|
|
}
|
|
var sec_m = CNCrypto._malloc(KEY_SIZE);
|
|
CNCrypto.HEAPU8.set(hextobin(sec), sec_m);
|
|
var sigc_m = CNCrypto._malloc(KEY_SIZE);
|
|
CNCrypto.HEAPU8.set(hextobin(sigc), sigc_m);
|
|
var k_m = CNCrypto._malloc(KEY_SIZE);
|
|
CNCrypto.HEAPU8.set(hextobin(k), k_m);
|
|
var res_m = CNCrypto._malloc(KEY_SIZE);
|
|
|
|
CNCrypto.ccall(
|
|
"sc_mulsub",
|
|
"void",
|
|
["number", "number", "number", "number"],
|
|
[res_m, sigc_m, sec_m, k_m],
|
|
);
|
|
res = CNCrypto.HEAPU8.subarray(res_m, res_m + KEY_SIZE);
|
|
CNCrypto._free(k_m);
|
|
CNCrypto._free(sec_m);
|
|
CNCrypto._free(sigc_m);
|
|
CNCrypto._free(res_m);
|
|
return bintohex(res);
|
|
};
|
|
|
|
//res = aB + cG; argument names copied from the signature implementation
|
|
/*this.ge_double_scalarmult_base_vartime = function(sigc, pub, sigr) {
|
|
var pub_m = CNCrypto._malloc(KEY_SIZE);
|
|
var pub2_m = CNCrypto._malloc(STRUCT_SIZES.GE_P3);
|
|
CNCrypto.HEAPU8.set(hextobin(pub), pub_m);
|
|
if (CNCrypto.ccall("ge_frombytes_vartime", "void", ["number", "number"], [pub2_m, pub_m]) !== 0) {
|
|
throw "Failed to call ge_frombytes_vartime";
|
|
}
|
|
var sigc_m = CNCrypto._malloc(KEY_SIZE);
|
|
CNCrypto.HEAPU8.set(hextobin(sigc), sigc_m);
|
|
var sigr_m = CNCrypto._malloc(KEY_SIZE);
|
|
CNCrypto.HEAPU8.set(hextobin(sigr), sigr_m);
|
|
if (CNCrypto.ccall("sc_check", "number", ["number"], [sigc_m]) !== 0 || CNCrypto.ccall("sc_check", "number", ["number"], [sigr_m]) !== 0) {
|
|
throw "bad scalar(s)";
|
|
}
|
|
var tmp_m = CNCrypto._malloc(STRUCT_SIZES.GE_P2);
|
|
var res_m = CNCrypto._malloc(KEY_SIZE);
|
|
CNCrypto.ccall("ge_double_scalarmult_base_vartime", "void", ["number", "number", "number", "number"], [tmp_m, sigc_m, pub2_m, sigr_m]);
|
|
CNCrypto.ccall("ge_tobytes", "void", ["number", "number"], [res_m, tmp_m]);
|
|
var res = CNCrypto. HEAPU8.subarray(res_m, res_m + KEY_SIZE);
|
|
CNCrypto._free(pub_m);
|
|
CNCrypto._free(pub2_m);
|
|
CNCrypto._free(sigc_m);
|
|
CNCrypto._free(sigr_m);
|
|
CNCrypto._free(tmp_m);
|
|
CNCrypto._free(res_m);
|
|
return bintohex(res);
|
|
};*/
|
|
|
|
this.ge_double_scalarmult_base_vartime = function(c, P, r) {
|
|
if (c.length !== 64 || P.length !== 64 || r.length !== 64) {
|
|
throw "Invalid input length!";
|
|
}
|
|
return bintohex(
|
|
nacl.ll.ge_double_scalarmult_base_vartime(
|
|
hextobin(c),
|
|
hextobin(P),
|
|
hextobin(r),
|
|
),
|
|
);
|
|
};
|
|
|
|
//res = a * Hp(B) + c*D
|
|
//res = sigr * Hp(pub) + sigc * k_image; argument names also copied from the signature implementation; note precomp AND hash_to_ec are done internally!!
|
|
/*this.ge_double_scalarmult_postcomp_vartime = function(sigr, pub, sigc, k_image) {
|
|
var image_m = CNCrypto._malloc(STRUCT_SIZES.KEY_IMAGE);
|
|
CNCrypto.HEAPU8.set(hextobin(k_image), image_m);
|
|
var image_unp_m = CNCrypto._malloc(STRUCT_SIZES.GE_P3);
|
|
var image_pre_m = CNCrypto._malloc(STRUCT_SIZES.GE_DSMP);
|
|
var tmp3_m = CNCrypto._malloc(STRUCT_SIZES.GE_P3);
|
|
var sigr_m = CNCrypto._malloc(STRUCT_SIZES.EC_SCALAR);
|
|
var sigc_m = CNCrypto._malloc(STRUCT_SIZES.EC_SCALAR);
|
|
var tmp2_m = CNCrypto._malloc(STRUCT_SIZES.GE_P2);
|
|
var res_m = CNCrypto._malloc(STRUCT_SIZES.EC_POINT);
|
|
if (CNCrypto.ccall("ge_frombytes_vartime", "void", ["number", "number"], [image_unp_m, image_m]) !== 0) {
|
|
throw "Failed to call ge_frombytes_vartime";
|
|
}
|
|
CNCrypto.ccall("ge_dsm_precomp", "void", ["number", "number"], [image_pre_m, image_unp_m]);
|
|
var ec = this.hash_to_ec(pub);
|
|
CNCrypto.HEAPU8.set(hextobin(ec), tmp3_m);
|
|
CNCrypto.HEAPU8.set(hextobin(sigc), sigc_m);
|
|
CNCrypto.HEAPU8.set(hextobin(sigr), sigr_m);
|
|
CNCrypto.ccall("ge_double_scalarmult_precomp_vartime", "void", ["number", "number", "number", "number", "number"], [tmp2_m, sigr_m, tmp3_m, sigc_m, image_pre_m]);
|
|
CNCrypto.ccall("ge_tobytes", "void", ["number", "number"], [res_m, tmp2_m]);
|
|
var res = CNCrypto. HEAPU8.subarray(res_m, res_m + STRUCT_SIZES.EC_POINT);
|
|
CNCrypto._free(image_m);
|
|
CNCrypto._free(image_unp_m);
|
|
CNCrypto._free(image_pre_m);
|
|
CNCrypto._free(tmp3_m);
|
|
CNCrypto._free(sigr_m);
|
|
CNCrypto._free(sigc_m);
|
|
CNCrypto._free(tmp2_m);
|
|
CNCrypto._free(res_m);
|
|
return bintohex(res);
|
|
};*/
|
|
|
|
this.ge_double_scalarmult_postcomp_vartime = function(r, P, c, I) {
|
|
if (
|
|
c.length !== 64 ||
|
|
P.length !== 64 ||
|
|
r.length !== 64 ||
|
|
I.length !== 64
|
|
) {
|
|
throw "Invalid input length!";
|
|
}
|
|
var Pb = this.hash_to_ec_2(P);
|
|
return bintohex(
|
|
nacl.ll.ge_double_scalarmult_postcomp_vartime(
|
|
hextobin(r),
|
|
hextobin(Pb),
|
|
hextobin(c),
|
|
hextobin(I),
|
|
),
|
|
);
|
|
};
|
|
|
|
//begin RCT functions
|
|
|
|
//xv: vector of secret keys, 1 per ring (nrings)
|
|
//pm: matrix of pubkeys, indexed by size first
|
|
//iv: vector of indexes, 1 per ring (nrings), can be a string
|
|
//size: ring size
|
|
//nrings: number of rings
|
|
//extensible borromean signatures
|
|
this.genBorromean = function(xv, pm, iv, size, nrings) {
|
|
if (xv.length !== nrings) {
|
|
throw "wrong xv length " + xv.length;
|
|
}
|
|
if (pm.length !== size) {
|
|
throw "wrong pm size " + pm.length;
|
|
}
|
|
for (var i = 0; i < pm.length; i++) {
|
|
if (pm[i].length !== nrings) {
|
|
throw "wrong pm[" + i + "] length " + pm[i].length;
|
|
}
|
|
}
|
|
if (iv.length !== nrings) {
|
|
throw "wrong iv length " + iv.length;
|
|
}
|
|
for (var i = 0; i < iv.length; i++) {
|
|
if (iv[i] >= size) {
|
|
throw "bad indices value at: " + i + ": " + iv[i];
|
|
}
|
|
}
|
|
//signature struct
|
|
var bb = {
|
|
s: [],
|
|
ee: "",
|
|
};
|
|
//signature pubkey matrix
|
|
var L = [];
|
|
//add needed sub vectors (1 per ring size)
|
|
for (var i = 0; i < size; i++) {
|
|
bb.s[i] = [];
|
|
L[i] = [];
|
|
}
|
|
//compute starting at the secret index to the last row
|
|
var index;
|
|
var alpha = [];
|
|
for (var i = 0; i < nrings; i++) {
|
|
index = parseInt(iv[i]);
|
|
alpha[i] = random_scalar();
|
|
L[index][i] = ge_scalarmult_base(alpha[i]);
|
|
for (var j = index + 1; j < size; j++) {
|
|
bb.s[j][i] = random_scalar();
|
|
var c = hash_to_scalar(L[j - 1][i]);
|
|
L[j][i] = ge_double_scalarmult_base_vartime(
|
|
c,
|
|
pm[j][i],
|
|
bb.s[j][i],
|
|
);
|
|
}
|
|
}
|
|
//hash last row to create ee
|
|
var ltemp = "";
|
|
for (var i = 0; i < nrings; i++) {
|
|
ltemp += L[size - 1][i];
|
|
}
|
|
bb.ee = hash_to_scalar(ltemp);
|
|
//compute the rest from 0 to secret index
|
|
for (var i = 0; i < nrings; i++) {
|
|
var cc = bb.ee;
|
|
for (var j = 0; j < iv[i]; j++) {
|
|
bb.s[j][i] = random_scalar();
|
|
var LL = ge_double_scalarmult_base_vartime(
|
|
cc,
|
|
pm[j][i],
|
|
bb.s[j][i],
|
|
);
|
|
cc = hash_to_scalar(LL);
|
|
}
|
|
bb.s[j][i] = sc_mulsub(xv[i], cc, alpha[i]);
|
|
}
|
|
return bb;
|
|
};
|
|
|
|
//proveRange
|
|
//proveRange gives C, and mask such that \sumCi = C
|
|
// c.f. http://eprint.iacr.org/2015/1098 section 5.1
|
|
// and Ci is a commitment to either 0 or s^i, i=0,...,n
|
|
// thus this proves that "amount" is in [0, s^n] (we assume s to be 4) (2 for now with v2 txes)
|
|
// mask is a such that C = aG + bH, and b = amount
|
|
//commitMaskObj = {C: commit, mask: mask}
|
|
this.proveRange = function(
|
|
commitMaskObj,
|
|
amount,
|
|
nrings,
|
|
enc_seed,
|
|
exponent,
|
|
) {
|
|
var size = 2;
|
|
var C = I; //identity
|
|
var mask = Z; //zero scalar
|
|
var indices = d2b(amount); //base 2 for now
|
|
var sig = {
|
|
Ci: [],
|
|
//exp: exponent //doesn't exist for now
|
|
};
|
|
/*payload stuff - ignore for now
|
|
seeds = new Array(3);
|
|
for (var i = 0; i < seeds.length; i++){
|
|
seeds[i] = new Array(1);
|
|
}
|
|
genSeeds(seeds, enc_seed);
|
|
*/
|
|
var ai = [];
|
|
var PM = [];
|
|
for (var i = 0; i < size; i++) {
|
|
PM[i] = [];
|
|
}
|
|
var j;
|
|
//start at index and fill PM left and right -- PM[0] holds Ci
|
|
for (i = 0; i < nrings; i++) {
|
|
ai[i] = random_scalar();
|
|
j = indices[i];
|
|
PM[j][i] = ge_scalarmult_base(ai[i]);
|
|
while (j > 0) {
|
|
j--;
|
|
PM[j][i] = ge_add(PM[j + 1][i], H2[i]); //will need to use i*2 for base 4 (or different object)
|
|
}
|
|
j = indices[i];
|
|
while (j < size - 1) {
|
|
j++;
|
|
PM[j][i] = ge_sub(PM[j - 1][i], H2[i]); //will need to use i*2 for base 4 (or different object)
|
|
}
|
|
mask = sc_add(mask, ai[i]);
|
|
}
|
|
/*
|
|
* some more payload stuff here
|
|
*/
|
|
//copy commitments to sig and sum them to commitment
|
|
for (i = 0; i < nrings; i++) {
|
|
//if (i < nrings - 1) //for later version
|
|
sig.Ci[i] = PM[0][i];
|
|
C = ge_add(C, PM[0][i]);
|
|
}
|
|
/* exponent stuff - ignore for now
|
|
if (exponent){
|
|
n = JSBigInt(10);
|
|
n = n.pow(exponent).toString();
|
|
mask = sc_mul(mask, d2s(n)); //new sum
|
|
}
|
|
*/
|
|
sig.bsig = this.genBorromean(ai, PM, indices, size, nrings);
|
|
commitMaskObj.C = C;
|
|
commitMaskObj.mask = mask;
|
|
return sig;
|
|
};
|
|
|
|
function array_hash_to_scalar(array) {
|
|
var buf = "";
|
|
for (var i = 0; i < array.length; i++) {
|
|
if (typeof array[i] !== "string") {
|
|
throw "unexpected array element";
|
|
}
|
|
buf += array[i];
|
|
}
|
|
return hash_to_scalar(buf);
|
|
}
|
|
|
|
// Gen creates a signature which proves that for some column in the keymatrix "pk"
|
|
// the signer knows a secret key for each row in that column
|
|
// we presently only support matrices of 2 rows (pubkey, commitment)
|
|
// this is a simplied MLSAG_Gen function to reflect that
|
|
// because we don't want to force same secret column for all inputs
|
|
this.MLSAG_Gen = function(message, pk, xx, kimg, index) {
|
|
var cols = pk.length; //ring size
|
|
if (index >= cols) {
|
|
throw "index out of range";
|
|
}
|
|
var rows = pk[0].length; //number of signature rows (always 2)
|
|
if (rows !== 2) {
|
|
throw "wrong row count";
|
|
}
|
|
for (var i = 0; i < cols; i++) {
|
|
if (pk[i].length !== rows) {
|
|
throw "pk is not rectangular";
|
|
}
|
|
}
|
|
if (xx.length !== rows) {
|
|
throw "bad xx size";
|
|
}
|
|
|
|
var c_old = "";
|
|
var alpha = [];
|
|
|
|
var rv = {
|
|
ss: [],
|
|
cc: null,
|
|
};
|
|
for (i = 0; i < cols; i++) {
|
|
rv.ss[i] = [];
|
|
}
|
|
var toHash = []; //holds 6 elements: message, pubkey, dsRow L, dsRow R, commitment, ndsRow L
|
|
toHash[0] = message;
|
|
|
|
//secret index (pubkey section)
|
|
alpha[0] = random_scalar(); //need to save alphas for later
|
|
toHash[1] = pk[index][0]; //secret index pubkey
|
|
toHash[2] = ge_scalarmult_base(alpha[0]); //dsRow L
|
|
toHash[3] = generate_key_image_2(pk[index][0], alpha[0]); //dsRow R (key image check)
|
|
//secret index (commitment section)
|
|
alpha[1] = random_scalar();
|
|
toHash[4] = pk[index][1]; //secret index commitment
|
|
toHash[5] = ge_scalarmult_base(alpha[1]); //ndsRow L
|
|
|
|
c_old = array_hash_to_scalar(toHash);
|
|
|
|
i = (index + 1) % cols;
|
|
if (i === 0) {
|
|
rv.cc = c_old;
|
|
}
|
|
while (i != index) {
|
|
rv.ss[i][0] = random_scalar(); //dsRow ss
|
|
rv.ss[i][1] = random_scalar(); //ndsRow ss
|
|
|
|
//!secret index (pubkey section)
|
|
toHash[1] = pk[i][0];
|
|
toHash[2] = ge_double_scalarmult_base_vartime(
|
|
c_old,
|
|
pk[i][0],
|
|
rv.ss[i][0],
|
|
);
|
|
toHash[3] = ge_double_scalarmult_postcomp_vartime(
|
|
rv.ss[i][0],
|
|
pk[i][0],
|
|
c_old,
|
|
kimg,
|
|
);
|
|
//!secret index (commitment section)
|
|
toHash[4] = pk[i][1];
|
|
toHash[5] = ge_double_scalarmult_base_vartime(
|
|
c_old,
|
|
pk[i][1],
|
|
rv.ss[i][1],
|
|
);
|
|
c_old = array_hash_to_scalar(toHash); //hash to get next column c
|
|
i = (i + 1) % cols;
|
|
if (i === 0) {
|
|
rv.cc = c_old;
|
|
}
|
|
}
|
|
for (i = 0; i < rows; i++) {
|
|
rv.ss[index][i] = sc_mulsub(c_old, xx[i], alpha[i]);
|
|
}
|
|
return rv;
|
|
};
|
|
|
|
//prepares for MLSAG_Gen
|
|
this.proveRctMG = function(message, pubs, inSk, kimg, mask, Cout, index) {
|
|
var cols = pubs.length;
|
|
if (cols < 3) {
|
|
throw "cols must be > 2 (mixin)";
|
|
}
|
|
var xx = [];
|
|
var PK = [];
|
|
//fill pubkey matrix (copy destination, subtract commitments)
|
|
for (var i = 0; i < cols; i++) {
|
|
PK[i] = [];
|
|
PK[i][0] = pubs[i].dest;
|
|
PK[i][1] = ge_sub(pubs[i].mask, Cout);
|
|
}
|
|
xx[0] = inSk.x;
|
|
xx[1] = sc_sub(inSk.a, mask);
|
|
return this.MLSAG_Gen(message, PK, xx, kimg, index);
|
|
};
|
|
|
|
this.get_pre_mlsag_hash = function(rv) {
|
|
var hashes = "";
|
|
hashes += rv.message;
|
|
hashes += this.cn_fast_hash(this.serialize_rct_base(rv));
|
|
var buf = serialize_range_proofs(rv);
|
|
hashes += this.cn_fast_hash(buf);
|
|
return this.cn_fast_hash(hashes);
|
|
};
|
|
|
|
function serialize_range_proofs(rv) {
|
|
var buf = "";
|
|
for (var i = 0; i < rv.p.rangeSigs.length; i++) {
|
|
for (var j = 0; j < rv.p.rangeSigs[i].bsig.s.length; j++) {
|
|
for (var l = 0; l < rv.p.rangeSigs[i].bsig.s[j].length; l++) {
|
|
buf += rv.p.rangeSigs[i].bsig.s[j][l];
|
|
}
|
|
}
|
|
buf += rv.p.rangeSigs[i].bsig.ee;
|
|
for (j = 0; j < rv.p.rangeSigs[i].Ci.length; j++) {
|
|
buf += rv.p.rangeSigs[i].Ci[j];
|
|
}
|
|
}
|
|
return buf;
|
|
}
|
|
|
|
//message is normal prefix hash
|
|
//inSk is vector of x,a
|
|
//kimg is vector of kimg
|
|
//destinations is vector of pubkeys (we skip and proxy outAmounts instead)
|
|
//inAmounts is vector of strings
|
|
//outAmounts is vector of strings
|
|
//mixRing is matrix of pubkey, commit (dest, mask)
|
|
//amountKeys is vector of scalars
|
|
//indices is vector
|
|
//txnFee is string
|
|
this.genRct = function(
|
|
message,
|
|
inSk,
|
|
kimg,
|
|
/*destinations, */ inAmounts,
|
|
outAmounts,
|
|
mixRing,
|
|
amountKeys,
|
|
indices,
|
|
txnFee,
|
|
) {
|
|
if (outAmounts.length !== amountKeys.length) {
|
|
throw "different number of amounts/amount_keys";
|
|
}
|
|
for (var i = 0; i < mixRing.length; i++) {
|
|
if (mixRing[i].length <= indices[i]) {
|
|
throw "bad mixRing/index size";
|
|
}
|
|
}
|
|
if (mixRing.length !== inSk.length) {
|
|
throw "mismatched mixRing/inSk";
|
|
}
|
|
if (inAmounts.length !== inSk.length) {
|
|
throw "mismatched inAmounts/inSk";
|
|
}
|
|
if (indices.length !== inSk.length) {
|
|
throw "mismatched indices/inSk";
|
|
}
|
|
|
|
rv = {
|
|
type: inSk.length === 1 ? RCTTypeFull : RCTTypeSimple,
|
|
message: message,
|
|
outPk: [],
|
|
p: {
|
|
rangeSigs: [],
|
|
MGs: [],
|
|
},
|
|
ecdhInfo: [],
|
|
txnFee: txnFee.toString(),
|
|
pseudoOuts: [],
|
|
};
|
|
|
|
var sumout = Z;
|
|
var cmObj = {
|
|
C: null,
|
|
mask: null,
|
|
};
|
|
var nrings = 64; //for base 2/current
|
|
//compute range proofs, etc
|
|
for (i = 0; i < outAmounts.length; i++) {
|
|
var teststart = new Date().getTime();
|
|
rv.p.rangeSigs[i] = this.proveRange(
|
|
cmObj,
|
|
outAmounts[i],
|
|
nrings,
|
|
0,
|
|
0,
|
|
);
|
|
var testfinish = new Date().getTime() - teststart;
|
|
console.log("Time take for range proof " + i + ": " + testfinish);
|
|
rv.outPk[i] = cmObj.C;
|
|
sumout = sc_add(sumout, cmObj.mask);
|
|
rv.ecdhInfo[i] = this.encode_rct_ecdh(
|
|
{ mask: cmObj.mask, amount: d2s(outAmounts[i]) },
|
|
amountKeys[i],
|
|
);
|
|
}
|
|
|
|
//simple
|
|
if (rv.type === 2) {
|
|
var ai = [];
|
|
var sumpouts = Z;
|
|
//create pseudoOuts
|
|
for (i = 0; i < inAmounts.length - 1; i++) {
|
|
ai[i] = random_scalar();
|
|
sumpouts = sc_add(sumpouts, ai[i]);
|
|
rv.pseudoOuts[i] = commit(d2s(inAmounts[i]), ai[i]);
|
|
}
|
|
ai[i] = sc_sub(sumout, sumpouts);
|
|
rv.pseudoOuts[i] = commit(d2s(inAmounts[i]), ai[i]);
|
|
var full_message = this.get_pre_mlsag_hash(rv);
|
|
for (i = 0; i < inAmounts.length; i++) {
|
|
rv.p.MGs.push(
|
|
this.proveRctMG(
|
|
full_message,
|
|
mixRing[i],
|
|
inSk[i],
|
|
kimg[i],
|
|
ai[i],
|
|
rv.pseudoOuts[i],
|
|
indices[i],
|
|
),
|
|
);
|
|
}
|
|
} else {
|
|
var sumC = I;
|
|
//get sum of output commitments to use in MLSAG
|
|
for (i = 0; i < rv.outPk.length; i++) {
|
|
sumC = ge_add(sumC, rv.outPk[i]);
|
|
}
|
|
sumC = ge_add(sumC, ge_scalarmult(H, d2s(rv.txnFee)));
|
|
var full_message = this.get_pre_mlsag_hash(rv);
|
|
rv.p.MGs.push(
|
|
this.proveRctMG(
|
|
full_message,
|
|
mixRing[0],
|
|
inSk[0],
|
|
kimg[0],
|
|
sumout,
|
|
sumC,
|
|
indices[0],
|
|
),
|
|
);
|
|
}
|
|
return rv;
|
|
};
|
|
|
|
//end RCT functions
|
|
|
|
this.add_pub_key_to_extra = function(extra, pubkey) {
|
|
if (pubkey.length !== 64) throw "Invalid pubkey length";
|
|
// Append pubkey tag and pubkey
|
|
extra += TX_EXTRA_TAGS.PUBKEY + pubkey;
|
|
return extra;
|
|
};
|
|
|
|
this.add_nonce_to_extra = function(extra, nonce) {
|
|
// Append extra nonce
|
|
if (nonce.length % 2 !== 0) {
|
|
throw "Invalid extra nonce";
|
|
}
|
|
if (nonce.length / 2 > TX_EXTRA_NONCE_MAX_COUNT) {
|
|
throw "Extra nonce must be at most " +
|
|
TX_EXTRA_NONCE_MAX_COUNT +
|
|
" bytes";
|
|
}
|
|
// Add nonce tag
|
|
extra += TX_EXTRA_TAGS.NONCE;
|
|
// Encode length of nonce
|
|
extra += ("0" + (nonce.length / 2).toString(16)).slice(-2);
|
|
// Write nonce
|
|
extra += nonce;
|
|
return extra;
|
|
};
|
|
|
|
this.get_payment_id_nonce = function(payment_id, pid_encrypt) {
|
|
if (payment_id.length !== 64 && payment_id.length !== 16) {
|
|
throw "Invalid payment id";
|
|
}
|
|
var res = "";
|
|
if (pid_encrypt) {
|
|
res += TX_EXTRA_NONCE_TAGS.ENCRYPTED_PAYMENT_ID;
|
|
} else {
|
|
res += TX_EXTRA_NONCE_TAGS.PAYMENT_ID;
|
|
}
|
|
res += payment_id;
|
|
return res;
|
|
};
|
|
|
|
this.abs_to_rel_offsets = function(offsets) {
|
|
if (offsets.length === 0) return offsets;
|
|
for (var i = offsets.length - 1; i >= 1; --i) {
|
|
offsets[i] = new JSBigInt(offsets[i])
|
|
.subtract(offsets[i - 1])
|
|
.toString();
|
|
}
|
|
return offsets;
|
|
};
|
|
|
|
this.get_tx_prefix_hash = function(tx) {
|
|
var prefix = this.serialize_tx(tx, true);
|
|
return this.cn_fast_hash(prefix);
|
|
};
|
|
|
|
this.get_tx_hash = function(tx) {
|
|
if (typeof tx === "string") {
|
|
return this.cn_fast_hash(tx);
|
|
} else {
|
|
return this.cn_fast_hash(this.serialize_tx(tx));
|
|
}
|
|
};
|
|
|
|
this.serialize_tx = function(tx, headeronly) {
|
|
//tx: {
|
|
// version: uint64,
|
|
// unlock_time: uint64,
|
|
// extra: hex,
|
|
// vin: [{amount: uint64, k_image: hex, key_offsets: [uint64,..]},...],
|
|
// vout: [{amount: uint64, target: {key: hex}},...],
|
|
// signatures: [[s,s,...],...]
|
|
//}
|
|
if (headeronly === undefined) {
|
|
headeronly = false;
|
|
}
|
|
var buf = "";
|
|
buf += this.encode_varint(tx.version);
|
|
buf += this.encode_varint(tx.unlock_time);
|
|
buf += this.encode_varint(tx.vin.length);
|
|
var i, j;
|
|
for (i = 0; i < tx.vin.length; i++) {
|
|
var vin = tx.vin[i];
|
|
switch (vin.type) {
|
|
case "input_to_key":
|
|
buf += "02";
|
|
buf += this.encode_varint(vin.amount);
|
|
buf += this.encode_varint(vin.key_offsets.length);
|
|
for (j = 0; j < vin.key_offsets.length; j++) {
|
|
buf += this.encode_varint(vin.key_offsets[j]);
|
|
}
|
|
buf += vin.k_image;
|
|
break;
|
|
default:
|
|
throw "Unhandled vin type: " + vin.type;
|
|
}
|
|
}
|
|
buf += this.encode_varint(tx.vout.length);
|
|
for (i = 0; i < tx.vout.length; i++) {
|
|
var vout = tx.vout[i];
|
|
buf += this.encode_varint(vout.amount);
|
|
switch (vout.target.type) {
|
|
case "txout_to_key":
|
|
buf += "02";
|
|
buf += vout.target.key;
|
|
break;
|
|
default:
|
|
throw "Unhandled txout target type: " + vout.target.type;
|
|
}
|
|
}
|
|
if (!this.valid_hex(tx.extra)) {
|
|
throw "Tx extra has invalid hex";
|
|
}
|
|
buf += this.encode_varint(tx.extra.length / 2);
|
|
buf += tx.extra;
|
|
if (!headeronly) {
|
|
if (tx.vin.length !== tx.signatures.length) {
|
|
throw "Signatures length != vin length";
|
|
}
|
|
for (i = 0; i < tx.vin.length; i++) {
|
|
for (j = 0; j < tx.signatures[i].length; j++) {
|
|
buf += tx.signatures[i][j];
|
|
}
|
|
}
|
|
}
|
|
return buf;
|
|
};
|
|
|
|
this.serialize_rct_tx_with_hash = function(tx) {
|
|
var hashes = "";
|
|
var buf = "";
|
|
buf += this.serialize_tx(tx, true);
|
|
hashes += this.cn_fast_hash(buf);
|
|
var buf2 = this.serialize_rct_base(tx.rct_signatures);
|
|
hashes += this.cn_fast_hash(buf2);
|
|
buf += buf2;
|
|
var buf3 = serialize_range_proofs(tx.rct_signatures);
|
|
//add MGs
|
|
for (var i = 0; i < tx.rct_signatures.p.MGs.length; i++) {
|
|
for (var j = 0; j < tx.rct_signatures.p.MGs[i].ss.length; j++) {
|
|
buf3 += tx.rct_signatures.p.MGs[i].ss[j][0];
|
|
buf3 += tx.rct_signatures.p.MGs[i].ss[j][1];
|
|
}
|
|
buf3 += tx.rct_signatures.p.MGs[i].cc;
|
|
}
|
|
hashes += this.cn_fast_hash(buf3);
|
|
buf += buf3;
|
|
var hash = this.cn_fast_hash(hashes);
|
|
return {
|
|
raw: buf,
|
|
hash: hash,
|
|
};
|
|
};
|
|
|
|
this.serialize_rct_base = function(rv) {
|
|
var buf = "";
|
|
buf += this.encode_varint(rv.type);
|
|
buf += this.encode_varint(rv.txnFee);
|
|
if (rv.type === 2) {
|
|
for (var i = 0; i < rv.pseudoOuts.length; i++) {
|
|
buf += rv.pseudoOuts[i];
|
|
}
|
|
}
|
|
if (rv.ecdhInfo.length !== rv.outPk.length) {
|
|
throw "mismatched outPk/ecdhInfo!";
|
|
}
|
|
for (i = 0; i < rv.ecdhInfo.length; i++) {
|
|
buf += rv.ecdhInfo[i].mask;
|
|
buf += rv.ecdhInfo[i].amount;
|
|
}
|
|
for (i = 0; i < rv.outPk.length; i++) {
|
|
buf += rv.outPk[i];
|
|
}
|
|
return buf;
|
|
};
|
|
|
|
this.generate_ring_signature = function(
|
|
prefix_hash,
|
|
k_image,
|
|
keys,
|
|
sec,
|
|
real_index,
|
|
) {
|
|
if (k_image.length !== STRUCT_SIZES.KEY_IMAGE * 2) {
|
|
throw "invalid key image length";
|
|
}
|
|
if (sec.length !== KEY_SIZE * 2) {
|
|
throw "Invalid secret key length";
|
|
}
|
|
if (
|
|
prefix_hash.length !== HASH_SIZE * 2 ||
|
|
!this.valid_hex(prefix_hash)
|
|
) {
|
|
throw "Invalid prefix hash";
|
|
}
|
|
if (real_index >= keys.length || real_index < 0) {
|
|
throw "real_index is invalid";
|
|
}
|
|
var _ge_tobytes = CNCrypto.cwrap("ge_tobytes", "void", [
|
|
"number",
|
|
"number",
|
|
]);
|
|
var _ge_p3_tobytes = CNCrypto.cwrap("ge_p3_tobytes", "void", [
|
|
"number",
|
|
"number",
|
|
]);
|
|
var _ge_scalarmult_base = CNCrypto.cwrap("ge_scalarmult_base", "void", [
|
|
"number",
|
|
"number",
|
|
]);
|
|
var _ge_scalarmult = CNCrypto.cwrap("ge_scalarmult", "void", [
|
|
"number",
|
|
"number",
|
|
"number",
|
|
]);
|
|
var _sc_add = CNCrypto.cwrap("sc_add", "void", [
|
|
"number",
|
|
"number",
|
|
"number",
|
|
]);
|
|
var _sc_sub = CNCrypto.cwrap("sc_sub", "void", [
|
|
"number",
|
|
"number",
|
|
"number",
|
|
]);
|
|
var _sc_mulsub = CNCrypto.cwrap("sc_mulsub", "void", [
|
|
"number",
|
|
"number",
|
|
"number",
|
|
"number",
|
|
]);
|
|
var _sc_0 = CNCrypto.cwrap("sc_0", "void", ["number"]);
|
|
var _ge_double_scalarmult_base_vartime = CNCrypto.cwrap(
|
|
"ge_double_scalarmult_base_vartime",
|
|
"void",
|
|
["number", "number", "number", "number"],
|
|
);
|
|
var _ge_double_scalarmult_precomp_vartime = CNCrypto.cwrap(
|
|
"ge_double_scalarmult_precomp_vartime",
|
|
"void",
|
|
["number", "number", "number", "number", "number"],
|
|
);
|
|
var _ge_frombytes_vartime = CNCrypto.cwrap(
|
|
"ge_frombytes_vartime",
|
|
"number",
|
|
["number", "number"],
|
|
);
|
|
var _ge_dsm_precomp = CNCrypto.cwrap("ge_dsm_precomp", "void", [
|
|
"number",
|
|
"number",
|
|
]);
|
|
|
|
var buf_size = STRUCT_SIZES.EC_POINT * 2 * keys.length;
|
|
var buf_m = CNCrypto._malloc(buf_size);
|
|
var sig_size = STRUCT_SIZES.SIGNATURE * keys.length;
|
|
var sig_m = CNCrypto._malloc(sig_size);
|
|
|
|
// Struct pointer helper functions
|
|
function buf_a(i) {
|
|
return buf_m + STRUCT_SIZES.EC_POINT * (2 * i);
|
|
}
|
|
function buf_b(i) {
|
|
return buf_m + STRUCT_SIZES.EC_POINT * (2 * i + 1);
|
|
}
|
|
function sig_c(i) {
|
|
return sig_m + STRUCT_SIZES.EC_SCALAR * (2 * i);
|
|
}
|
|
function sig_r(i) {
|
|
return sig_m + STRUCT_SIZES.EC_SCALAR * (2 * i + 1);
|
|
}
|
|
var image_m = CNCrypto._malloc(STRUCT_SIZES.KEY_IMAGE);
|
|
CNCrypto.HEAPU8.set(hextobin(k_image), image_m);
|
|
var i;
|
|
var image_unp_m = CNCrypto._malloc(STRUCT_SIZES.GE_P3);
|
|
var image_pre_m = CNCrypto._malloc(STRUCT_SIZES.GE_DSMP);
|
|
var sum_m = CNCrypto._malloc(STRUCT_SIZES.EC_SCALAR);
|
|
var k_m = CNCrypto._malloc(STRUCT_SIZES.EC_SCALAR);
|
|
var h_m = CNCrypto._malloc(STRUCT_SIZES.EC_SCALAR);
|
|
var tmp2_m = CNCrypto._malloc(STRUCT_SIZES.GE_P2);
|
|
var tmp3_m = CNCrypto._malloc(STRUCT_SIZES.GE_P3);
|
|
var pub_m = CNCrypto._malloc(KEY_SIZE);
|
|
var sec_m = CNCrypto._malloc(KEY_SIZE);
|
|
CNCrypto.HEAPU8.set(hextobin(sec), sec_m);
|
|
if (_ge_frombytes_vartime(image_unp_m, image_m) != 0) {
|
|
throw "failed to call ge_frombytes_vartime";
|
|
}
|
|
_ge_dsm_precomp(image_pre_m, image_unp_m);
|
|
_sc_0(sum_m);
|
|
for (i = 0; i < keys.length; i++) {
|
|
if (i === real_index) {
|
|
// Real key
|
|
var rand = this.random_scalar();
|
|
CNCrypto.HEAPU8.set(hextobin(rand), k_m);
|
|
_ge_scalarmult_base(tmp3_m, k_m);
|
|
_ge_p3_tobytes(buf_a(i), tmp3_m);
|
|
var ec = this.hash_to_ec(keys[i]);
|
|
CNCrypto.HEAPU8.set(hextobin(ec), tmp3_m);
|
|
_ge_scalarmult(tmp2_m, k_m, tmp3_m);
|
|
_ge_tobytes(buf_b(i), tmp2_m);
|
|
} else {
|
|
CNCrypto.HEAPU8.set(hextobin(this.random_scalar()), sig_c(i));
|
|
CNCrypto.HEAPU8.set(hextobin(this.random_scalar()), sig_r(i));
|
|
CNCrypto.HEAPU8.set(hextobin(keys[i]), pub_m);
|
|
if (
|
|
CNCrypto.ccall(
|
|
"ge_frombytes_vartime",
|
|
"void",
|
|
["number", "number"],
|
|
[tmp3_m, pub_m],
|
|
) !== 0
|
|
) {
|
|
throw "Failed to call ge_frombytes_vartime";
|
|
}
|
|
_ge_double_scalarmult_base_vartime(
|
|
tmp2_m,
|
|
sig_c(i),
|
|
tmp3_m,
|
|
sig_r(i),
|
|
);
|
|
_ge_tobytes(buf_a(i), tmp2_m);
|
|
var ec = this.hash_to_ec(keys[i]);
|
|
CNCrypto.HEAPU8.set(hextobin(ec), tmp3_m);
|
|
_ge_double_scalarmult_precomp_vartime(
|
|
tmp2_m,
|
|
sig_r(i),
|
|
tmp3_m,
|
|
sig_c(i),
|
|
image_pre_m,
|
|
);
|
|
_ge_tobytes(buf_b(i), tmp2_m);
|
|
_sc_add(sum_m, sum_m, sig_c(i));
|
|
}
|
|
}
|
|
var buf_bin = CNCrypto.HEAPU8.subarray(buf_m, buf_m + buf_size);
|
|
var scalar = this.hash_to_scalar(prefix_hash + bintohex(buf_bin));
|
|
CNCrypto.HEAPU8.set(hextobin(scalar), h_m);
|
|
_sc_sub(sig_c(real_index), h_m, sum_m);
|
|
_sc_mulsub(sig_r(real_index), sig_c(real_index), sec_m, k_m);
|
|
var sig_data = bintohex(
|
|
CNCrypto.HEAPU8.subarray(sig_m, sig_m + sig_size),
|
|
);
|
|
var sigs = [];
|
|
for (var k = 0; k < keys.length; k++) {
|
|
sigs.push(
|
|
sig_data.slice(
|
|
STRUCT_SIZES.SIGNATURE * 2 * k,
|
|
STRUCT_SIZES.SIGNATURE * 2 * (k + 1),
|
|
),
|
|
);
|
|
}
|
|
CNCrypto._free(image_m);
|
|
CNCrypto._free(image_unp_m);
|
|
CNCrypto._free(image_pre_m);
|
|
CNCrypto._free(sum_m);
|
|
CNCrypto._free(k_m);
|
|
CNCrypto._free(h_m);
|
|
CNCrypto._free(tmp2_m);
|
|
CNCrypto._free(tmp3_m);
|
|
CNCrypto._free(buf_m);
|
|
CNCrypto._free(sig_m);
|
|
CNCrypto._free(pub_m);
|
|
CNCrypto._free(sec_m);
|
|
return sigs;
|
|
};
|
|
|
|
this.construct_tx = function(
|
|
keys,
|
|
sources,
|
|
dsts,
|
|
fee_amount,
|
|
payment_id,
|
|
pid_encrypt,
|
|
realDestViewKey,
|
|
unlock_time,
|
|
rct,
|
|
nettype,
|
|
) {
|
|
//we move payment ID stuff here, because we need txkey to encrypt
|
|
var txkey = this.random_keypair();
|
|
console.log(txkey);
|
|
var extra = "";
|
|
if (payment_id) {
|
|
if (pid_encrypt && payment_id.length !== INTEGRATED_ID_SIZE * 2) {
|
|
throw "payment ID must be " +
|
|
INTEGRATED_ID_SIZE +
|
|
" bytes to be encrypted!";
|
|
}
|
|
console.log("Adding payment id: " + payment_id);
|
|
if (pid_encrypt) {
|
|
//get the derivation from our passed viewkey, then hash that + tail to get encryption key
|
|
var pid_key = this.cn_fast_hash(
|
|
this.generate_key_derivation(realDestViewKey, txkey.sec) +
|
|
ENCRYPTED_PAYMENT_ID_TAIL.toString(16),
|
|
).slice(0, INTEGRATED_ID_SIZE * 2);
|
|
console.log("Txkeys:", txkey, "Payment ID key:", pid_key);
|
|
payment_id = this.hex_xor(payment_id, pid_key);
|
|
}
|
|
var nonce = this.get_payment_id_nonce(payment_id, pid_encrypt);
|
|
console.log("Extra nonce: " + nonce);
|
|
extra = this.add_nonce_to_extra(extra, nonce);
|
|
}
|
|
var tx = {
|
|
unlock_time: unlock_time,
|
|
version: rct ? CURRENT_TX_VERSION : OLD_TX_VERSION,
|
|
extra: extra,
|
|
vin: [],
|
|
vout: [],
|
|
};
|
|
if (rct) {
|
|
tx.rct_signatures = {};
|
|
} else {
|
|
tx.signatures = [];
|
|
}
|
|
|
|
var in_contexts = [];
|
|
var inputs_money = JSBigInt.ZERO;
|
|
var i, j;
|
|
console.log("Sources: ");
|
|
//run the for loop twice to sort ins by key image
|
|
//first generate key image and other construction data to sort it all in one go
|
|
for (i = 0; i < sources.length; i++) {
|
|
console.log(i + ": " + this.formatMoneyFull(sources[i].amount));
|
|
if (sources[i].real_out >= sources[i].outputs.length) {
|
|
throw "real index >= outputs.length";
|
|
}
|
|
var res = this.generate_key_image_helper_rct(
|
|
keys,
|
|
sources[i].real_out_tx_key,
|
|
sources[i].real_out_in_tx,
|
|
sources[i].mask,
|
|
); //mask will be undefined for non-rct
|
|
if (
|
|
res.in_ephemeral.pub !==
|
|
sources[i].outputs[sources[i].real_out].key
|
|
) {
|
|
throw "in_ephemeral.pub != source.real_out.key";
|
|
}
|
|
sources[i].key_image = res.image;
|
|
sources[i].in_ephemeral = res.in_ephemeral;
|
|
}
|
|
//sort ins
|
|
sources.sort(function(a, b) {
|
|
return (
|
|
JSBigInt.parse(a.key_image, 16).compare(
|
|
JSBigInt.parse(b.key_image, 16),
|
|
) * -1
|
|
);
|
|
});
|
|
//copy the sorted sources data to tx
|
|
for (i = 0; i < sources.length; i++) {
|
|
inputs_money = inputs_money.add(sources[i].amount);
|
|
in_contexts.push(sources[i].in_ephemeral);
|
|
var input_to_key = {};
|
|
input_to_key.type = "input_to_key";
|
|
input_to_key.amount = sources[i].amount;
|
|
input_to_key.k_image = sources[i].key_image;
|
|
input_to_key.key_offsets = [];
|
|
for (j = 0; j < sources[i].outputs.length; ++j) {
|
|
input_to_key.key_offsets.push(sources[i].outputs[j].index);
|
|
}
|
|
input_to_key.key_offsets = this.abs_to_rel_offsets(
|
|
input_to_key.key_offsets,
|
|
);
|
|
tx.vin.push(input_to_key);
|
|
}
|
|
var outputs_money = JSBigInt.ZERO;
|
|
var out_index = 0;
|
|
var amountKeys = []; //rct only
|
|
for (i = 0; i < dsts.length; ++i) {
|
|
if (new JSBigInt(dsts[i].amount).compare(0) < 0) {
|
|
throw "dst.amount < 0"; //amount can be zero if no change
|
|
}
|
|
dsts[i].keys = this.decode_address(dsts[i].address, nettype);
|
|
|
|
// R = rD for subaddresses
|
|
if (this.is_subaddress(dsts[i].address, nettype)) {
|
|
if (typeof payment_id !== "undefined" && payment_id) {
|
|
// this could stand to be placed earlier in the function but we save repeating a little algo time this way
|
|
throw "Payment ID must not be supplied when sending to a subaddress";
|
|
}
|
|
txkey.pub = this.ge_scalarmult(dsts[i].keys.spend, txkey.sec);
|
|
}
|
|
|
|
var out_derivation;
|
|
|
|
// send change to ourselves
|
|
if (dsts[i].keys.view == keys.view.pub) {
|
|
out_derivation = this.generate_key_derivation(
|
|
txkey.pub,
|
|
keys.view.sec,
|
|
);
|
|
} else {
|
|
out_derivation = this.generate_key_derivation(
|
|
dsts[i].keys.view,
|
|
txkey.sec,
|
|
);
|
|
}
|
|
|
|
if (rct) {
|
|
amountKeys.push(
|
|
this.derivation_to_scalar(out_derivation, out_index),
|
|
);
|
|
}
|
|
var out_ephemeral_pub = this.derive_public_key(
|
|
out_derivation,
|
|
out_index,
|
|
dsts[i].keys.spend,
|
|
);
|
|
var out = {
|
|
amount: dsts[i].amount.toString(),
|
|
};
|
|
// txout_to_key
|
|
out.target = {
|
|
type: "txout_to_key",
|
|
key: out_ephemeral_pub,
|
|
};
|
|
tx.vout.push(out);
|
|
++out_index;
|
|
outputs_money = outputs_money.add(dsts[i].amount);
|
|
}
|
|
|
|
// add pub key to extra after we know whether to use R = rG or R = rD
|
|
tx.extra = this.add_pub_key_to_extra(tx.extra, txkey.pub);
|
|
|
|
if (outputs_money.add(fee_amount).compare(inputs_money) > 0) {
|
|
throw "outputs money (" +
|
|
this.formatMoneyFull(outputs_money) +
|
|
") + fee (" +
|
|
this.formatMoneyFull(fee_amount) +
|
|
") > inputs money (" +
|
|
this.formatMoneyFull(inputs_money) +
|
|
")";
|
|
}
|
|
if (!rct) {
|
|
for (i = 0; i < sources.length; ++i) {
|
|
var src_keys = [];
|
|
for (j = 0; j < sources[i].outputs.length; ++j) {
|
|
src_keys.push(sources[i].outputs[j].key);
|
|
}
|
|
var sigs = this.generate_ring_signature(
|
|
this.get_tx_prefix_hash(tx),
|
|
tx.vin[i].k_image,
|
|
src_keys,
|
|
in_contexts[i].sec,
|
|
sources[i].real_out,
|
|
);
|
|
tx.signatures.push(sigs);
|
|
}
|
|
} else {
|
|
//rct
|
|
var txnFee = fee_amount;
|
|
var keyimages = [];
|
|
var inSk = [];
|
|
var inAmounts = [];
|
|
var mixRing = [];
|
|
var indices = [];
|
|
for (i = 0; i < tx.vin.length; i++) {
|
|
keyimages.push(tx.vin[i].k_image);
|
|
inSk.push({
|
|
x: in_contexts[i].sec,
|
|
a: in_contexts[i].mask,
|
|
});
|
|
inAmounts.push(tx.vin[i].amount);
|
|
if (in_contexts[i].mask !== I) {
|
|
//if input is rct (has a valid mask), 0 out amount
|
|
tx.vin[i].amount = "0";
|
|
}
|
|
mixRing[i] = [];
|
|
for (j = 0; j < sources[i].outputs.length; j++) {
|
|
mixRing[i].push({
|
|
dest: sources[i].outputs[j].key,
|
|
mask: sources[i].outputs[j].commit,
|
|
});
|
|
}
|
|
indices.push(sources[i].real_out);
|
|
}
|
|
var outAmounts = [];
|
|
for (i = 0; i < tx.vout.length; i++) {
|
|
outAmounts.push(tx.vout[i].amount);
|
|
tx.vout[i].amount = "0"; //zero out all rct outputs
|
|
}
|
|
var tx_prefix_hash = this.get_tx_prefix_hash(tx);
|
|
tx.rct_signatures = genRct(
|
|
tx_prefix_hash,
|
|
inSk,
|
|
keyimages,
|
|
/*destinations, */ inAmounts,
|
|
outAmounts,
|
|
mixRing,
|
|
amountKeys,
|
|
indices,
|
|
txnFee,
|
|
);
|
|
}
|
|
console.log(tx);
|
|
return tx;
|
|
};
|
|
|
|
this.create_transaction = function(
|
|
pub_keys,
|
|
sec_keys,
|
|
dsts,
|
|
outputs,
|
|
mix_outs,
|
|
fake_outputs_count,
|
|
fee_amount,
|
|
payment_id,
|
|
pid_encrypt,
|
|
realDestViewKey,
|
|
unlock_time,
|
|
rct,
|
|
nettype,
|
|
) {
|
|
unlock_time = unlock_time || 0;
|
|
mix_outs = mix_outs || [];
|
|
var i, j;
|
|
if (dsts.length === 0) {
|
|
throw "Destinations empty";
|
|
}
|
|
if (mix_outs.length !== outputs.length && fake_outputs_count !== 0) {
|
|
throw "Wrong number of mix outs provided (" +
|
|
outputs.length +
|
|
" outputs, " +
|
|
mix_outs.length +
|
|
" mix outs)";
|
|
}
|
|
for (i = 0; i < mix_outs.length; i++) {
|
|
if ((mix_outs[i].outputs || []).length < fake_outputs_count) {
|
|
throw "Not enough outputs to mix with";
|
|
}
|
|
}
|
|
var keys = {
|
|
view: {
|
|
pub: pub_keys.view,
|
|
sec: sec_keys.view,
|
|
},
|
|
spend: {
|
|
pub: pub_keys.spend,
|
|
sec: sec_keys.spend,
|
|
},
|
|
};
|
|
if (
|
|
!this.valid_keys(
|
|
keys.view.pub,
|
|
keys.view.sec,
|
|
keys.spend.pub,
|
|
keys.spend.sec,
|
|
)
|
|
) {
|
|
throw "Invalid secret keys!";
|
|
}
|
|
var needed_money = JSBigInt.ZERO;
|
|
for (i = 0; i < dsts.length; ++i) {
|
|
needed_money = needed_money.add(dsts[i].amount);
|
|
if (needed_money.compare(UINT64_MAX) !== -1) {
|
|
throw "Output overflow!";
|
|
}
|
|
}
|
|
var found_money = JSBigInt.ZERO;
|
|
var sources = [];
|
|
console.log("Selected transfers: ", outputs);
|
|
for (i = 0; i < outputs.length; ++i) {
|
|
found_money = found_money.add(outputs[i].amount);
|
|
if (found_money.compare(UINT64_MAX) !== -1) {
|
|
throw "Input overflow!";
|
|
}
|
|
var src = {
|
|
outputs: [],
|
|
};
|
|
src.amount = new JSBigInt(outputs[i].amount).toString();
|
|
if (mix_outs.length !== 0) {
|
|
// Sort fake outputs by global index
|
|
mix_outs[i].outputs.sort(function(a, b) {
|
|
return new JSBigInt(a.global_index).compare(b.global_index);
|
|
});
|
|
j = 0;
|
|
while (
|
|
src.outputs.length < fake_outputs_count &&
|
|
j < mix_outs[i].outputs.length
|
|
) {
|
|
var out = mix_outs[i].outputs[j];
|
|
if (out.global_index === outputs[i].global_index) {
|
|
console.log("got mixin the same as output, skipping");
|
|
j++;
|
|
continue;
|
|
}
|
|
var oe = {};
|
|
oe.index = out.global_index.toString();
|
|
oe.key = out.public_key;
|
|
if (rct) {
|
|
if (out.rct) {
|
|
oe.commit = out.rct.slice(0, 64); //add commitment from rct mix outs
|
|
} else {
|
|
if (outputs[i].rct) {
|
|
throw "mix rct outs missing commit";
|
|
}
|
|
oe.commit = zeroCommit(d2s(src.amount)); //create identity-masked commitment for non-rct mix input
|
|
}
|
|
}
|
|
src.outputs.push(oe);
|
|
j++;
|
|
}
|
|
}
|
|
var real_oe = {};
|
|
real_oe.index = new JSBigInt(
|
|
outputs[i].global_index || 0,
|
|
).toString();
|
|
real_oe.key = outputs[i].public_key;
|
|
if (rct) {
|
|
if (outputs[i].rct) {
|
|
real_oe.commit = outputs[i].rct.slice(0, 64); //add commitment for real input
|
|
} else {
|
|
real_oe.commit = zeroCommit(d2s(src.amount)); //create identity-masked commitment for non-rct input
|
|
}
|
|
}
|
|
var real_index = src.outputs.length;
|
|
for (j = 0; j < src.outputs.length; j++) {
|
|
if (
|
|
new JSBigInt(real_oe.index).compare(src.outputs[j].index) <
|
|
0
|
|
) {
|
|
real_index = j;
|
|
break;
|
|
}
|
|
}
|
|
// Add real_oe to outputs
|
|
src.outputs.splice(real_index, 0, real_oe);
|
|
src.real_out_tx_key = outputs[i].tx_pub_key;
|
|
// Real output entry index
|
|
src.real_out = real_index;
|
|
src.real_out_in_tx = outputs[i].index;
|
|
if (rct) {
|
|
if (outputs[i].rct) {
|
|
src.mask = outputs[i].rct.slice(64, 128); //encrypted
|
|
} else {
|
|
src.mask = null; //will be set by generate_key_image_helper_rct
|
|
}
|
|
}
|
|
sources.push(src);
|
|
}
|
|
console.log("sources: ", sources);
|
|
var change = {
|
|
amount: JSBigInt.ZERO,
|
|
};
|
|
var cmp = needed_money.compare(found_money);
|
|
if (cmp < 0) {
|
|
change.amount = found_money.subtract(needed_money);
|
|
if (change.amount.compare(fee_amount) !== 0) {
|
|
throw "early fee calculation != later";
|
|
}
|
|
} else if (cmp > 0) {
|
|
throw "Need more money than found! (have: " +
|
|
cnUtil.formatMoney(found_money) +
|
|
" need: " +
|
|
cnUtil.formatMoney(needed_money) +
|
|
")";
|
|
}
|
|
return this.construct_tx(
|
|
keys,
|
|
sources,
|
|
dsts,
|
|
fee_amount,
|
|
payment_id,
|
|
pid_encrypt,
|
|
realDestViewKey,
|
|
unlock_time,
|
|
rct,
|
|
nettype,
|
|
);
|
|
};
|
|
|
|
this.estimateRctSize = function(inputs, mixin, outputs) {
|
|
var size = 0;
|
|
// tx prefix
|
|
// first few bytes
|
|
size += 1 + 6;
|
|
size += inputs * (1 + 6 + (mixin + 1) * 3 + 32); // original C implementation is *2+32 but author advised to change 2 to 3 as key offsets are variable size and this constitutes a best guess
|
|
// vout
|
|
size += outputs * (6 + 32);
|
|
// extra
|
|
size += 40;
|
|
// rct signatures
|
|
// type
|
|
size += 1;
|
|
// rangeSigs
|
|
size += (2 * 64 * 32 + 32 + 64 * 32) * outputs;
|
|
// MGs
|
|
size += inputs * (32 * (mixin + 1) + 32);
|
|
// mixRing - not serialized, can be reconstructed
|
|
/* size += 2 * 32 * (mixin+1) * inputs; */
|
|
// pseudoOuts
|
|
size += 32 * inputs;
|
|
// ecdhInfo
|
|
size += 2 * 32 * outputs;
|
|
// outPk - only commitment is saved
|
|
size += 32 * outputs;
|
|
// txnFee
|
|
size += 4;
|
|
// const logStr = `estimated rct tx size for ${inputs} at mixin ${mixin} and ${outputs} : ${size} (${((32 * inputs/*+1*/) + 2 * 32 * (mixin+1) * inputs + 32 * outputs)}) saved)`
|
|
// console.log(logStr)
|
|
|
|
return size;
|
|
};
|
|
|
|
function trimRight(str, char) {
|
|
while (str[str.length - 1] == char) str = str.slice(0, -1);
|
|
return str;
|
|
}
|
|
|
|
function padLeft(str, len, char) {
|
|
while (str.length < len) {
|
|
str = char + str;
|
|
}
|
|
return str;
|
|
}
|
|
|
|
this.printDsts = function(dsts) {
|
|
for (var i = 0; i < dsts.length; i++) {
|
|
console.log(
|
|
dsts[i].address + ": " + this.formatMoneyFull(dsts[i].amount),
|
|
);
|
|
}
|
|
};
|
|
|
|
this.formatMoneyFull = function(units) {
|
|
units = units.toString();
|
|
var symbol = units[0] === "-" ? "-" : "";
|
|
if (symbol === "-") {
|
|
units = units.slice(1);
|
|
}
|
|
var decimal;
|
|
if (units.length >= config.coinUnitPlaces) {
|
|
decimal = units.substr(
|
|
units.length - config.coinUnitPlaces,
|
|
config.coinUnitPlaces,
|
|
);
|
|
} else {
|
|
decimal = padLeft(units, config.coinUnitPlaces, "0");
|
|
}
|
|
return (
|
|
symbol +
|
|
(units.substr(0, units.length - config.coinUnitPlaces) || "0") +
|
|
"." +
|
|
decimal
|
|
);
|
|
};
|
|
|
|
this.formatMoneyFullSymbol = function(units) {
|
|
return this.formatMoneyFull(units) + " " + config.coinSymbol;
|
|
};
|
|
|
|
this.formatMoney = function(units) {
|
|
var f = trimRight(this.formatMoneyFull(units), "0");
|
|
if (f[f.length - 1] === ".") {
|
|
return f.slice(0, f.length - 1);
|
|
}
|
|
return f;
|
|
};
|
|
|
|
this.formatMoneySymbol = function(units) {
|
|
return this.formatMoney(units) + " " + config.coinSymbol;
|
|
};
|
|
|
|
this.parseMoney = function(str) {
|
|
if (!str) return JSBigInt.ZERO;
|
|
var negative = str[0] === "-";
|
|
if (negative) {
|
|
str = str.slice(1);
|
|
}
|
|
var decimalIndex = str.indexOf(".");
|
|
if (decimalIndex == -1) {
|
|
if (negative) {
|
|
return JSBigInt.multiply(str, config.coinUnits).negate();
|
|
}
|
|
return JSBigInt.multiply(str, config.coinUnits);
|
|
}
|
|
if (decimalIndex + config.coinUnitPlaces + 1 < str.length) {
|
|
str = str.substr(0, decimalIndex + config.coinUnitPlaces + 1);
|
|
}
|
|
if (negative) {
|
|
return new JSBigInt(str.substr(0, decimalIndex))
|
|
.exp10(config.coinUnitPlaces)
|
|
.add(
|
|
new JSBigInt(str.substr(decimalIndex + 1)).exp10(
|
|
decimalIndex + config.coinUnitPlaces - str.length + 1,
|
|
),
|
|
).negate;
|
|
}
|
|
return new JSBigInt(str.substr(0, decimalIndex))
|
|
.exp10(config.coinUnitPlaces)
|
|
.add(
|
|
new JSBigInt(str.substr(decimalIndex + 1)).exp10(
|
|
decimalIndex + config.coinUnitPlaces - str.length + 1,
|
|
),
|
|
);
|
|
};
|
|
|
|
this.decompose_amount_into_digits = function(amount) {
|
|
/*if (dust_threshold === undefined) {
|
|
dust_threshold = config.dustThreshold;
|
|
}*/
|
|
amount = amount.toString();
|
|
var ret = [];
|
|
while (amount.length > 0) {
|
|
//split all the way down since v2 fork
|
|
/*var remaining = new JSBigInt(amount);
|
|
if (remaining.compare(config.dustThreshold) <= 0) {
|
|
if (remaining.compare(0) > 0) {
|
|
ret.push(remaining);
|
|
}
|
|
break;
|
|
}*/
|
|
//check so we don't create 0s
|
|
if (amount[0] !== "0") {
|
|
var digit = amount[0];
|
|
while (digit.length < amount.length) {
|
|
digit += "0";
|
|
}
|
|
ret.push(new JSBigInt(digit));
|
|
}
|
|
amount = amount.slice(1);
|
|
}
|
|
return ret;
|
|
};
|
|
|
|
this.decompose_tx_destinations = function(dsts, rct) {
|
|
var out = [];
|
|
if (rct) {
|
|
for (var i = 0; i < dsts.length; i++) {
|
|
out.push({
|
|
address: dsts[i].address,
|
|
amount: dsts[i].amount,
|
|
});
|
|
}
|
|
} else {
|
|
for (var i = 0; i < dsts.length; i++) {
|
|
var digits = this.decompose_amount_into_digits(dsts[i].amount);
|
|
for (var j = 0; j < digits.length; j++) {
|
|
if (digits[j].compare(0) > 0) {
|
|
out.push({
|
|
address: dsts[i].address,
|
|
amount: digits[j],
|
|
});
|
|
}
|
|
}
|
|
}
|
|
}
|
|
return out.sort(function(a, b) {
|
|
return a["amount"] - b["amount"];
|
|
});
|
|
};
|
|
|
|
this.is_tx_unlocked = function(unlock_time, blockchain_height) {
|
|
if (!config.maxBlockNumber) {
|
|
throw "Max block number is not set in config!";
|
|
}
|
|
if (unlock_time < config.maxBlockNumber) {
|
|
// unlock time is block height
|
|
return blockchain_height >= unlock_time;
|
|
} else {
|
|
// unlock time is timestamp
|
|
var current_time = Math.round(new Date().getTime() / 1000);
|
|
return current_time >= unlock_time;
|
|
}
|
|
};
|
|
|
|
this.tx_locked_reason = function(unlock_time, blockchain_height) {
|
|
if (unlock_time < config.maxBlockNumber) {
|
|
// unlock time is block height
|
|
var numBlocks = unlock_time - blockchain_height;
|
|
if (numBlocks <= 0) {
|
|
return "Transaction is unlocked";
|
|
}
|
|
var unlock_prediction = moment().add(
|
|
numBlocks * config.avgBlockTime,
|
|
"seconds",
|
|
);
|
|
return (
|
|
"Will be unlocked in " +
|
|
numBlocks +
|
|
" blocks, ~" +
|
|
unlock_prediction.fromNow(true) +
|
|
", " +
|
|
unlock_prediction.calendar() +
|
|
""
|
|
);
|
|
} else {
|
|
// unlock time is timestamp
|
|
var current_time = Math.round(new Date().getTime() / 1000);
|
|
var time_difference = unlock_time - current_time;
|
|
if (time_difference <= 0) {
|
|
return "Transaction is unlocked";
|
|
}
|
|
var unlock_moment = moment(unlock_time * 1000);
|
|
return (
|
|
"Will be unlocked " +
|
|
unlock_moment.fromNow() +
|
|
", " +
|
|
unlock_moment.calendar()
|
|
);
|
|
}
|
|
};
|
|
|
|
function assert(stmt, val) {
|
|
if (!stmt) {
|
|
throw "assert failed" + (val !== undefined ? ": " + val : "");
|
|
}
|
|
}
|
|
|
|
return this;
|
|
};
|
|
exports.cnUtil = cnUtil;
|