[Sapling] prf integrated.

furszy · furszy · commit fe08568141fc · 2020-08-02T23:03:31.000-03:00
diff --git a/configure.ac b/configure.ac
@@ -1133,6 +1133,8 @@ else
   fi
 fi
 
+LIBSAPLING_LIBS="-lgmp -lboost_system-mt -lcrypto -lsodium"
+
 dnl univalue check
 
 need_bundled_univalue=yes
@@ -1187,7 +1189,7 @@ BITCOIN_QT_PATH_PROGS([PROTOC], [protoc],$protoc_bin_path)
 AX_CHECK_COMPILE_FLAG([-fno-strict-aliasing],[CXXFLAGS="$CXXFLAGS -fno-strict-aliasing"])
 AX_CHECK_COMPILE_FLAG([-Wno-builtin-declaration-mismatch],[CXXFLAGS="$CXXFLAGS -Wno-builtin-declaration-mismatch"],,[[$CXXFLAG_WERROR]])
 
-LIBZCASH_LIBS="$BOOST_SYSTEM_LIB -lcrypto -lrustzcash"
+LIBZCASH_LIBS="$BOOST_SYSTEM_LIB -lcrypto -lsodium -lrustzcash"
 
 AC_MSG_CHECKING([whether to build pivxd])
 AM_CONDITIONAL([BUILD_BITCOIND], [test x$build_bitcoind = xyes])
@@ -1438,6 +1440,7 @@ AC_SUBST(SSL_LIBS)
 AC_SUBST(EVENT_LIBS)
 AC_SUBST(EVENT_PTHREADS_LIBS)
 AC_SUBST(ZMQ_LIBS)
+AC_SUBST(LIBSAPLING_LIBS)
 AC_SUBST(LIBZCASH_LIBS)
 AC_SUBST(PROTOBUF_LIBS)
 AC_SUBST(QR_LIBS)
diff --git a/src/Makefile.am b/src/Makefile.am
@@ -33,6 +33,7 @@ LIBBITCOIN_CRYPTO=crypto/libbitcoin_crypto.a
 LIBBITCOIN_ZEROCOIN=libzerocoin/libbitcoin_zerocoin.a
 LIBBITCOINQT=qt/libbitcoinqt.a
 LIBSECP256K1=secp256k1/libsecp256k1.la
+LIBSAPLING=libsapling.a
 
 if ENABLE_ZMQ
 LIBBITCOIN_ZMQ=libbitcoin_zmq.a
@@ -57,7 +58,8 @@ EXTRA_LIBRARIES += \
   $(LIBBITCOIN_SERVER) \
   $(LIBBITCOIN_CLI) \
   $(LIBBITCOIN_WALLET) \
-  $(LIBBITCOIN_ZMQ)
+  $(LIBBITCOIN_ZMQ) \
+  $(LIBSAPLING)
 
 lib_LTLIBRARIES = $(LIBBITCOINCONSENSUS)
 
@@ -74,6 +76,9 @@ if BUILD_BITCOIN_UTILS
   bin_PROGRAMS += pivx-cli pivx-tx
 endif
 
+LIBSAPLING_H = \
+  sapling/prf.h
+
 .PHONY: FORCE check-symbols check-security
 # pivx core #
 BITCOIN_CORE_H = \
@@ -188,6 +193,7 @@ BITCOIN_CORE_H = \
   guiinterface.h \
   guiinterfaceutil.h \
   uint256.h \
+  sapling/uint252.h \
   uint512.h \
   blob_uint256.h \
   undo.h \
@@ -267,7 +273,8 @@ libbitcoin_server_a_SOURCES = \
   txmempool.cpp \
   validationinterface.cpp \
   zpivchain.cpp \
-  $(BITCOIN_CORE_H)
+  $(BITCOIN_CORE_H) \
+  $(LIBSAPLING_H)
 
 if ENABLE_ZMQ
 libbitcoin_zmq_a_CPPFLAGS = $(BITCOIN_INCLUDES) $(ZMQ_CFLAGS)
@@ -317,7 +324,8 @@ libbitcoin_wallet_a_SOURCES = \
   stakeinput.cpp \
   zpiv/zpivmodule.cpp \
   zpiv/zpos.cpp \
-  $(BITCOIN_CORE_H)
+  $(BITCOIN_CORE_H) \
+  $(LIBSAPLING_H)
 
 # crypto primitives library
 crypto_libbitcoin_crypto_a_CPPFLAGS = $(AM_CPPFLAGS) $(PIC_FLAGS)
@@ -424,7 +432,8 @@ libbitcoin_common_a_SOURCES = \
   script/script_error.cpp \
   spork.cpp \
   sporkdb.cpp \
-  $(BITCOIN_CORE_H)
+  $(BITCOIN_CORE_H) \
+  $(LIBSAPLING_H)
 
 # util: shared between all executables.
 # This library *must* be included to make sure that the glibc
@@ -452,7 +461,8 @@ libbitcoin_util_a_SOURCES = \
   util/threadnames.cpp \
   utilstrencodings.cpp \
   utiltime.cpp \
-  $(BITCOIN_CORE_H)
+  $(BITCOIN_CORE_H) \
+  $(LIBSAPLING_H)
 
 if GLIBC_BACK_COMPAT
 libbitcoin_util_a_SOURCES += compat/glibc_compat.cpp
@@ -464,7 +474,8 @@ libbitcoin_cli_a_CPPFLAGS = $(AM_CPPFLAGS) $(BITCOIN_INCLUDES)
 libbitcoin_cli_a_CXXFLAGS = $(AM_CXXFLAGS) $(PIE_FLAGS)
 libbitcoin_cli_a_SOURCES = \
   rpc/client.cpp \
-  $(BITCOIN_CORE_H)
+  $(BITCOIN_CORE_H) \
+  $(LIBSAPLING_H)
 
 nodist_libbitcoin_util_a_SOURCES = $(srcdir)/obj/build.h
 #
@@ -487,6 +498,7 @@ pivxd_LDADD = \
   $(LIBBITCOIN_UTIL) \
   $(LIBBITCOIN_ZMQ) \
   $(LIBBITCOIN_CRYPTO) \
+  $(LIBSAPLING) \
   $(LIBLEVELDB) \
   $(LIBLEVELDB_SSE42) \
   $(LIBMEMENV) \
@@ -510,6 +522,7 @@ pivx_cli_LDADD = \
   $(LIBUNIVALUE) \
   $(LIBBITCOIN_UTIL) \
   $(LIBBITCOIN_CRYPTO) \
+  $(LIBSAPLING) \
   $(LIBZCASH_LIBS)
 
 pivx_cli_LDADD += $(BOOST_LIBS) $(SSL_LIBS) $(CRYPTO_LIBS) $(EVENT_LIBS)
@@ -532,11 +545,18 @@ pivx_tx_LDADD = \
   $(LIBBITCOIN_UTIL) \
   $(LIBBITCOIN_CRYPTO) \
   $(LIBSECP256K1) \
+  $(LIBSAPLING) \
   $(LIBZCASH_LIBS)
 
 pivx_tx_LDADD += $(BOOST_LIBS) $(CRYPTO_LIBS)
 #
 
+# sapling protocol primitives #
+libsapling_a_SOURCES = \
+  sapling/prf.cpp
+
+libsapling_a_CPPFLAGS = -fPIC -DCURVE_ALT_BN128 -DBOOST_SPIRIT_THREADSAFE -DHAVE_BUILD_INFO -D__STDC_FORMAT_MACROS -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2 -std=c++11 -pipe -O2 -O0 -g -Wstack-protector -fstack-protector-all -fPIE -fvisibility=hidden -DSTATIC $(BITCOIN_INCLUDES)
+
 # bitcoinconsensus library #
 if BUILD_BITCOIN_LIBS
 include_HEADERS = script/bitcoinconsensus.h
diff --git a/src/Makefile.test.include b/src/Makefile.test.include
@@ -84,6 +84,7 @@ BITCOIN_TESTS =\
   test/uint256_tests.cpp \
   test/univalue_tests.cpp \
   test/util_tests.cpp \
+  test/sha256compress_tests.cpp \
   test/upgrades_tests.cpp
 
 if ENABLE_WALLET
@@ -96,7 +97,7 @@ endif
 test_test_pivx_SOURCES = $(BITCOIN_TEST_SUITE) $(BITCOIN_TESTS) $(JSON_TEST_FILES) $(RAW_TEST_FILES)
 test_test_pivx_CPPFLAGS = $(AM_CPPFLAGS) $(BITCOIN_INCLUDES) -I$(builddir)/test/ $(TESTDEFS) $(EVENT_FLAGS)
 test_test_pivx_LDADD = $(LIBBITCOIN_SERVER) $(LIBBITCOIN_CLI) $(LIBBITCOIN_COMMON) $(LIBBITCOIN_UTIL) $(LIBBITCOIN_CRYPTO) $(LIBUNIVALUE) $(LIBBITCOIN_ZEROCOIN) \
-  $(LIBLEVELDB) $(LIBLEVELDB_SSE42) $(LIBMEMENV) $(BOOST_LIBS) $(BOOST_UNIT_TEST_FRAMEWORK_LIB) $(LIBSECP256K1) $(EVENT_LIBS) $(EVENT_PTHREADS_LIBS)
+  $(LIBLEVELDB) $(LIBLEVELDB_SSE42) $(LIBMEMENV) $(BOOST_LIBS) $(BOOST_UNIT_TEST_FRAMEWORK_LIB) $(LIBSECP256K1) $(LIBSAPLING) $(EVENT_LIBS) $(EVENT_PTHREADS_LIBS)
 if ENABLE_WALLET
 test_test_pivx_LDADD += $(LIBBITCOIN_WALLET)
 endif
diff --git a/src/sapling/prf.cpp b/src/sapling/prf.cpp
@@ -0,0 +1,111 @@
+// Copyright (c) 2016-2020 The ZCash developers
+// Copyright (c) 2020 The PIVX developers
+// Distributed under the MIT software license, see the accompanying
+// file COPYING or http://www.opensource.org/licenses/mit-license.php.
+
+
+#include "prf.h"
+#include "crypto/sha256.h"
+#include "hash.h"
+
+#include <array>
+#include <sodium.h>
+#include <librustzcash.h>
+
+const unsigned char ZCASH_EXPANDSEED_PERSONALIZATION[crypto_generichash_blake2b_PERSONALBYTES] = {'Z','c','a','s','h','_','E','x','p','a','n','d','S','e','e','d'};
+
+// Sapling 
+std::array<unsigned char, 64> PRF_expand(const uint256& sk, unsigned char t)
+{
+    std::array<unsigned char, 64> res;   
+    unsigned char blob[33];
+
+    memcpy(&blob[0], sk.begin(), 32);
+    blob[32] = t;
+        
+    crypto_generichash_blake2b_state state;
+    crypto_generichash_blake2b_init_salt_personal(&state, nullptr, 0, 64, nullptr, ZCASH_EXPANDSEED_PERSONALIZATION);
+    crypto_generichash_blake2b_update(&state, blob, 33);
+    crypto_generichash_blake2b_final(&state, res.data(), 64);
+    
+    return res;
+}
+
+uint256 PRF_ask(const uint256& sk)
+{
+    uint256 ask;
+    auto tmp = PRF_expand(sk, 0);
+    librustzcash_to_scalar(tmp.data(), ask.begin());
+    return ask;
+}
+
+uint256 PRF_nsk(const uint256& sk)
+{
+    uint256 nsk;
+    auto tmp = PRF_expand(sk, 1);
+    librustzcash_to_scalar(tmp.data(), nsk.begin());
+    return nsk;
+}
+
+uint256 PRF_ovk(const uint256& sk)
+{
+    uint256 ovk;
+    auto tmp = PRF_expand(sk, 2);
+    memcpy(ovk.begin(), tmp.data(), 32);
+    return ovk;
+}
+
+std::array<unsigned char, 11> default_diversifier(const uint256& sk)
+{
+    std::array<unsigned char, 11> res;   
+    unsigned char blob[34];
+
+    memcpy(&blob[0], sk.begin(), 32);
+    blob[32] = 3;
+    
+    blob[33] = 0;
+    while (true) {
+        crypto_generichash_blake2b_state state;
+        crypto_generichash_blake2b_init_salt_personal(&state, nullptr, 0, 64, nullptr, ZCASH_EXPANDSEED_PERSONALIZATION);
+        crypto_generichash_blake2b_update(&state, blob, 34);
+        crypto_generichash_blake2b_final(&state, res.data(), 11);
+        
+        if (librustzcash_check_diversifier(res.data())) {
+            break;
+        } else if (blob[33] == 255) {
+            throw std::runtime_error("librustzcash_check_diversifier did not return valid diversifier");
+        }
+        blob[33] += 1;
+    }
+        
+    return res;
+}
+
+// Sprout
+uint256 PRF(bool a, bool b, bool c, bool d,
+            const uint252& x,
+            const uint256& y)
+{
+    uint256 res;
+    unsigned char blob[64];
+
+    memcpy(&blob[0], x.begin(), 32);
+    memcpy(&blob[32], y.begin(), 32);
+
+    blob[0] &= 0x0F;
+    blob[0] |= (a ? 1 << 7 : 0) | (b ? 1 << 6 : 0) | (c ? 1 << 5 : 0) | (d ? 1 << 4 : 0);
+
+    CSHA256 hasher;
+    hasher.Write(blob, 64);
+    hasher.FinalizeNoPadding(res.begin());
+
+    return res;
+}
+
+uint256 PRF_addr(const uint252& a_sk, unsigned char t)
+{
+    uint256 y;
+    *(y.begin()) = t;
+
+    return PRF(1, 1, 0, 0, a_sk, y);
+}
diff --git a/src/sapling/prf.h b/src/sapling/prf.h
@@ -0,0 +1,26 @@
+// Copyright (c) 2016-2020 The ZCash developers
+// Copyright (c) 2020 The PIVX developers
+// Distributed under the MIT software license, see the accompanying
+// file COPYING or http://www.opensource.org/licenses/mit-license.php.
+
+/*
+// Zcash uses SHA256Compress as a PRF for various components
+// within the zkSNARK circuit.
+*/
+
+#ifndef ZC_PRF_H_
+#define ZC_PRF_H_
+
+#include "uint256.h"
+#include "sapling/uint252.h"
+
+#include <array>
+
+//! Sapling functions
+uint256 PRF_ask(const uint256& sk);
+uint256 PRF_nsk(const uint256& sk);
+uint256 PRF_ovk(const uint256& sk);
+
+std::array<unsigned char, 11> default_diversifier(const uint256& sk);
+
+#endif // ZC_PRF_H_
diff --git a/src/sapling/uint252.h b/src/sapling/uint252.h
@@ -0,0 +1,55 @@
+// Copyright (c) 2016-2020 The ZCash developers
+// Copyright (c) 2020 The PIVX developers
+// Distributed under the MIT software license, see the accompanying
+// file COPYING or http://www.opensource.org/licenses/mit-license.php.
+
+#ifndef UINT252_H
+#define UINT252_H
+
+#include <vector>
+#include "uint256.h"
+#include "serialize.h"
+
+// Wrapper of uint256 with guarantee that first
+// four bits are zero.
+class uint252 {
+private:
+    uint256 contents;
+
+public:
+    ADD_SERIALIZE_METHODS;
+
+    template <typename Stream, typename Operation>
+    inline void SerializationOp(Stream& s, Operation ser_action, int nType, int nVersion) {
+        READWRITE(contents);
+
+        if ((*contents.begin()) & 0xF0) {
+            throw std::ios_base::failure("spending key has invalid leading bits");
+        }
+    }
+
+    const unsigned char* begin() const
+    {
+        return contents.begin();
+    }
+
+    const unsigned char* end() const
+    {
+        return contents.end();
+    }
+
+    uint252() : contents() {};
+    explicit uint252(const uint256& in) : contents(in) {
+        if (*contents.begin() & 0xF0) {
+            throw std::domain_error("leading bits are set in argument given to uint252 constructor");
+        }
+    }
+
+    uint256 inner() const {
+        return contents;
+    }
+
+    friend inline bool operator==(const uint252& a, const uint252& b) { return a.contents == b.contents; }
+};
+
+#endif
