core/go-blockchain
8
0
Fork 0
Code Issues 5 Pull requests Projects Releases Packages Wiki Activity Actions 2
go-blockchain/crypto/clsag.go

150 lines
4.7 KiB
Go
Raw Permalink Normal View History

feat(crypto): CLSAG ring signatures (GG/GGX/GGXXG) and proof verification stubs CLSAG_GG generation and verification with flat-buffer ring marshalling. Cofactor helpers (PointMul8/PointDiv8) for 1/8 premultiplication handling. CLSAG_GGX and CLSAG_GGXXG verify-only bindings (GGX sig size tests). Bulletproofs+, BGE, and Zarcanum verification stubs — implementation deferred to Phase 4 when RPC provides real on-chain proof data. 19 tests pass, 3 skipped (proof stubs), all clean with -race. Co-Authored-By: Charon <charon@lethean.io>
2026-02-20 18:47:08 +00:00
// SPDX-Licence-Identifier: EUPL-1.2
package crypto
/*
#include "bridge.h"
*/
import "C"
import (
"unsafe"
refactor: complete coreerr.E() conversion across all packages Convert all remaining fmt.Errorf and errors.New in production code to coreerr.E(). Covers crypto/ (keygen, signature, clsag, keyimage, pow), consensus/block, and chain/ring. Only sentinel error definitions in errors.go and varint.go retain errors.New (correct usage). Co-Authored-By: Charon <charon@lethean.io>
2026-03-16 23:42:51 +00:00
refactor: migrate module path to dappco.re/go/core/blockchain Update go.mod module line, all require/replace directives, and every .go import path from forge.lthn.ai/core/go-blockchain to dappco.re/go/core/blockchain. Add replace directives to bridge dappco.re paths to existing forge.lthn.ai registry during migration. Update CLAUDE.md, README, and docs to reflect the new module path. Co-Authored-By: Virgil <virgil@lethean.io>
2026-03-22 01:49:26 +00:00
coreerr "dappco.re/go/core/log"
feat(crypto): CLSAG ring signatures (GG/GGX/GGXXG) and proof verification stubs CLSAG_GG generation and verification with flat-buffer ring marshalling. Cofactor helpers (PointMul8/PointDiv8) for 1/8 premultiplication handling. CLSAG_GGX and CLSAG_GGXXG verify-only bindings (GGX sig size tests). Bulletproofs+, BGE, and Zarcanum verification stubs — implementation deferred to Phase 4 when RPC provides real on-chain proof data. 19 tests pass, 3 skipped (proof stubs), all clean with -race. Co-Authored-By: Charon <charon@lethean.io>
2026-02-20 18:47:08 +00:00
)
// PointMul8 multiplies a curve point by the cofactor 8.
func PointMul8(pk [32]byte) ([32]byte, error) {
var result [32]byte
rc := C.cn_point_mul8(
(*C.uint8_t)(unsafe.Pointer(&pk[0])),
(*C.uint8_t)(unsafe.Pointer(&result[0])),
)
if rc != 0 {
refactor: complete coreerr.E() conversion across all packages Convert all remaining fmt.Errorf and errors.New in production code to coreerr.E(). Covers crypto/ (keygen, signature, clsag, keyimage, pow), consensus/block, and chain/ring. Only sentinel error definitions in errors.go and varint.go retain errors.New (correct usage). Co-Authored-By: Charon <charon@lethean.io>
2026-03-16 23:42:51 +00:00
return result, coreerr.E("PointMul8", "point_mul8 failed", nil)
feat(crypto): CLSAG ring signatures (GG/GGX/GGXXG) and proof verification stubs CLSAG_GG generation and verification with flat-buffer ring marshalling. Cofactor helpers (PointMul8/PointDiv8) for 1/8 premultiplication handling. CLSAG_GGX and CLSAG_GGXXG verify-only bindings (GGX sig size tests). Bulletproofs+, BGE, and Zarcanum verification stubs — implementation deferred to Phase 4 when RPC provides real on-chain proof data. 19 tests pass, 3 skipped (proof stubs), all clean with -race. Co-Authored-By: Charon <charon@lethean.io>
2026-02-20 18:47:08 +00:00
}
return result, nil
}
// PointDiv8 premultiplies a curve point by 1/8 (cofactor inverse).
// This is the on-chain storage form for commitments and key images.
func PointDiv8(pk [32]byte) ([32]byte, error) {
var result [32]byte
rc := C.cn_point_div8(
(*C.uint8_t)(unsafe.Pointer(&pk[0])),
(*C.uint8_t)(unsafe.Pointer(&result[0])),
)
if rc != 0 {
refactor: complete coreerr.E() conversion across all packages Convert all remaining fmt.Errorf and errors.New in production code to coreerr.E(). Covers crypto/ (keygen, signature, clsag, keyimage, pow), consensus/block, and chain/ring. Only sentinel error definitions in errors.go and varint.go retain errors.New (correct usage). Co-Authored-By: Charon <charon@lethean.io>
2026-03-16 23:42:51 +00:00
return result, coreerr.E("PointDiv8", "point_div8 failed", nil)
feat(crypto): CLSAG ring signatures (GG/GGX/GGXXG) and proof verification stubs CLSAG_GG generation and verification with flat-buffer ring marshalling. Cofactor helpers (PointMul8/PointDiv8) for 1/8 premultiplication handling. CLSAG_GGX and CLSAG_GGXXG verify-only bindings (GGX sig size tests). Bulletproofs+, BGE, and Zarcanum verification stubs — implementation deferred to Phase 4 when RPC provides real on-chain proof data. 19 tests pass, 3 skipped (proof stubs), all clean with -race. Co-Authored-By: Charon <charon@lethean.io>
2026-02-20 18:47:08 +00:00
}
return result, nil
}
feat(consensus): V2 Zarcanum signature and proof verification Add full V2 transaction verification pipeline: parse SignaturesRaw variant vector into structured ZC signature data, verify CLSAG GGX ring signatures per ZC input, verify BPP range proofs, and verify BGE asset surjection proofs with correct ring construction (mul8 point arithmetic). Fix three wire format bugs that caused V2 parsing failures: - RefTypeGlobalIndex (tag 0x1A) uses 8-byte LE, not varint - Raw uint64_t variant (tagUint64) uses 8-byte LE, not varint - zarcanum_tx_data_v1 fee uses FIELD() → 8-byte LE, not VARINT_FIELD() Add cn_point_sub to C++ bridge and Go wrapper for BGE ring construction. Add GetZCRingOutputs to chain for fetching ZC ring member data. Co-Authored-By: Charon <charon@lethean.io>
2026-02-22 00:06:10 +00:00
// PointSub computes a - b on the Ed25519 curve.
func PointSub(a, b [32]byte) ([32]byte, error) {
var result [32]byte
rc := C.cn_point_sub(
(*C.uint8_t)(unsafe.Pointer(&a[0])),
(*C.uint8_t)(unsafe.Pointer(&b[0])),
(*C.uint8_t)(unsafe.Pointer(&result[0])),
)
if rc != 0 {
refactor: complete coreerr.E() conversion across all packages Convert all remaining fmt.Errorf and errors.New in production code to coreerr.E(). Covers crypto/ (keygen, signature, clsag, keyimage, pow), consensus/block, and chain/ring. Only sentinel error definitions in errors.go and varint.go retain errors.New (correct usage). Co-Authored-By: Charon <charon@lethean.io>
2026-03-16 23:42:51 +00:00
return result, coreerr.E("PointSub", "point_sub failed", nil)
feat(consensus): V2 Zarcanum signature and proof verification Add full V2 transaction verification pipeline: parse SignaturesRaw variant vector into structured ZC signature data, verify CLSAG GGX ring signatures per ZC input, verify BPP range proofs, and verify BGE asset surjection proofs with correct ring construction (mul8 point arithmetic). Fix three wire format bugs that caused V2 parsing failures: - RefTypeGlobalIndex (tag 0x1A) uses 8-byte LE, not varint - Raw uint64_t variant (tagUint64) uses 8-byte LE, not varint - zarcanum_tx_data_v1 fee uses FIELD() → 8-byte LE, not VARINT_FIELD() Add cn_point_sub to C++ bridge and Go wrapper for BGE ring construction. Add GetZCRingOutputs to chain for fetching ZC ring member data. Co-Authored-By: Charon <charon@lethean.io>
2026-02-22 00:06:10 +00:00
}
return result, nil
}
feat(crypto): CLSAG ring signatures (GG/GGX/GGXXG) and proof verification stubs CLSAG_GG generation and verification with flat-buffer ring marshalling. Cofactor helpers (PointMul8/PointDiv8) for 1/8 premultiplication handling. CLSAG_GGX and CLSAG_GGXXG verify-only bindings (GGX sig size tests). Bulletproofs+, BGE, and Zarcanum verification stubs — implementation deferred to Phase 4 when RPC provides real on-chain proof data. 19 tests pass, 3 skipped (proof stubs), all clean with -race. Co-Authored-By: Charon <charon@lethean.io>
2026-02-20 18:47:08 +00:00
// CLSAGGGSigSize returns the byte size of a CLSAG_GG signature for a given ring size.
func CLSAGGGSigSize(ringSize int) int {
return int(C.cn_clsag_gg_sig_size(C.size_t(ringSize)))
}
// GenerateCLSAGGG creates a CLSAG_GG ring signature.
// ring is a flat slice of [stealth_addr(32) | amount_commitment(32)] per entry.
// pseudoOut is the pseudo output commitment (not premultiplied by 1/8).
// secretX and secretF are the secret scalars for the signer.
func GenerateCLSAGGG(hash [32]byte, ring []byte, ringSize int,
pseudoOut [32]byte, ki [32]byte,
secretX [32]byte, secretF [32]byte, secretIndex int) ([]byte, error) {
sigLen := CLSAGGGSigSize(ringSize)
sig := make([]byte, sigLen)
rc := C.cn_clsag_gg_generate(
(*C.uint8_t)(unsafe.Pointer(&hash[0])),
(*C.uint8_t)(unsafe.Pointer(&ring[0])),
C.size_t(ringSize),
(*C.uint8_t)(unsafe.Pointer(&pseudoOut[0])),
(*C.uint8_t)(unsafe.Pointer(&ki[0])),
(*C.uint8_t)(unsafe.Pointer(&secretX[0])),
(*C.uint8_t)(unsafe.Pointer(&secretF[0])),
C.size_t(secretIndex),
(*C.uint8_t)(unsafe.Pointer(&sig[0])),
)
if rc != 0 {
refactor: complete coreerr.E() conversion across all packages Convert all remaining fmt.Errorf and errors.New in production code to coreerr.E(). Covers crypto/ (keygen, signature, clsag, keyimage, pow), consensus/block, and chain/ring. Only sentinel error definitions in errors.go and varint.go retain errors.New (correct usage). Co-Authored-By: Charon <charon@lethean.io>
2026-03-16 23:42:51 +00:00
return nil, coreerr.E("GenerateCLSAGGG", "generate_CLSAG_GG failed", nil)
feat(crypto): CLSAG ring signatures (GG/GGX/GGXXG) and proof verification stubs CLSAG_GG generation and verification with flat-buffer ring marshalling. Cofactor helpers (PointMul8/PointDiv8) for 1/8 premultiplication handling. CLSAG_GGX and CLSAG_GGXXG verify-only bindings (GGX sig size tests). Bulletproofs+, BGE, and Zarcanum verification stubs — implementation deferred to Phase 4 when RPC provides real on-chain proof data. 19 tests pass, 3 skipped (proof stubs), all clean with -race. Co-Authored-By: Charon <charon@lethean.io>
2026-02-20 18:47:08 +00:00
}
return sig, nil
}
// VerifyCLSAGGG verifies a CLSAG_GG ring signature.
// ring is a flat slice of [stealth_addr(32) | amount_commitment(32)] per entry.
// pseudoOut is the pseudo output commitment (premultiplied by 1/8).
func VerifyCLSAGGG(hash [32]byte, ring []byte, ringSize int,
pseudoOut [32]byte, ki [32]byte, sig []byte) bool {
return C.cn_clsag_gg_verify(
(*C.uint8_t)(unsafe.Pointer(&hash[0])),
(*C.uint8_t)(unsafe.Pointer(&ring[0])),
C.size_t(ringSize),
(*C.uint8_t)(unsafe.Pointer(&pseudoOut[0])),
(*C.uint8_t)(unsafe.Pointer(&ki[0])),
(*C.uint8_t)(unsafe.Pointer(&sig[0])),
) == 0
}
// CLSAGGGXSigSize returns the byte size of a CLSAG_GGX signature for a given ring size.
func CLSAGGGXSigSize(ringSize int) int {
return int(C.cn_clsag_ggx_sig_size(C.size_t(ringSize)))
}
// VerifyCLSAGGGX verifies a CLSAG_GGX ring signature.
// ring is a flat slice of [stealth(32) | commitment(32) | blinded_asset_id(32)] per entry.
func VerifyCLSAGGGX(hash [32]byte, ring []byte, ringSize int,
pseudoOutCommitment [32]byte, pseudoOutAssetID [32]byte,
ki [32]byte, sig []byte) bool {
return C.cn_clsag_ggx_verify(
(*C.uint8_t)(unsafe.Pointer(&hash[0])),
(*C.uint8_t)(unsafe.Pointer(&ring[0])),
C.size_t(ringSize),
(*C.uint8_t)(unsafe.Pointer(&pseudoOutCommitment[0])),
(*C.uint8_t)(unsafe.Pointer(&pseudoOutAssetID[0])),
(*C.uint8_t)(unsafe.Pointer(&ki[0])),
(*C.uint8_t)(unsafe.Pointer(&sig[0])),
) == 0
}
// CLSAGGGXXGSigSize returns the byte size of a CLSAG_GGXXG signature for a given ring size.
func CLSAGGGXXGSigSize(ringSize int) int {
return int(C.cn_clsag_ggxxg_sig_size(C.size_t(ringSize)))
}
// VerifyCLSAGGGXXG verifies a CLSAG_GGXXG ring signature.
// ring is a flat slice of [stealth(32) | commitment(32) | blinded_asset_id(32) | concealing(32)] per entry.
func VerifyCLSAGGGXXG(hash [32]byte, ring []byte, ringSize int,
pseudoOutCommitment [32]byte, pseudoOutAssetID [32]byte,
extendedCommitment [32]byte, ki [32]byte, sig []byte) bool {
return C.cn_clsag_ggxxg_verify(
(*C.uint8_t)(unsafe.Pointer(&hash[0])),
(*C.uint8_t)(unsafe.Pointer(&ring[0])),
C.size_t(ringSize),
(*C.uint8_t)(unsafe.Pointer(&pseudoOutCommitment[0])),
(*C.uint8_t)(unsafe.Pointer(&pseudoOutAssetID[0])),
(*C.uint8_t)(unsafe.Pointer(&extendedCommitment[0])),
(*C.uint8_t)(unsafe.Pointer(&ki[0])),
(*C.uint8_t)(unsafe.Pointer(&sig[0])),
) == 0
}
Reference in a new issue Copy permalink