absolutebi/serai
1
0
Fork 0
mirror of https://github.com/serai-dex/serai.git synced 2025-12-08 20:29:23 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
36034c2f72e595c14a6103dfcdb9d80c34451a9a
serai/coins/monero/src/wallet/send/mod.rs

566 lines
17 KiB
Rust
Raw Normal View History

Fix #237
2023-03-11 10:31:58 -05:00
use core::{ops::Deref, fmt};
Fix https://github.com/serai-dex/serai/issues/150
2022-11-10 22:35:09 -05:00
Remove monero-rs types Still missing an updated RPC file. Restructures the library as it makes sense
2022-05-21 15:33:35 -04:00
use thiserror::Error;
use rand_core::{RngCore, CryptoRng};
use rand::seq::SliceRandom;
Fix https://github.com/serai-dex/serai/issues/150
2022-11-10 22:35:09 -05:00
use zeroize::{Zeroize, ZeroizeOnDrop, Zeroizing};
Utilize zeroize (#76) * Apply Zeroize to nonces used in Bulletproofs Also makes bit decomposition constant time for a given amount of outputs. * Fix nonce reuse for single-signer CLSAG * Attach Zeroize to most structures in Monero, and ZOnDrop to anything with private data * Zeroize private keys and nonces * Merge prepare_outputs and prepare_transactions * Ensure CLSAG is constant time * Pass by borrow where needed, bug fixes The past few commitments have been one in-progress chunk which I've broken up as best read. * Add Zeroize to FROST structs Still needs to zeroize internally, yet next step. Not quite as aggressive as Monero, partially due to the limitations of HashMaps, partially due to less concern about metadata, yet does still delete a few smaller items of metadata (group key, context string...). * Remove Zeroize from most Monero multisig structs These structs largely didn't have private data, just fields with private data, yet those fields implemented ZeroizeOnDrop making them already covered. While there is still traces of the transaction left in RAM, fully purging that was never the intent. * Use Zeroize within dleq bitvec doesn't offer Zeroize, so a manual zeroing has been implemented. * Use Zeroize for random_nonce It isn't perfect, due to the inability to zeroize the digest, and due to kp256 requiring a few transformations. It does the best it can though. Does move the per-curve random_nonce to a provided one, which is allowed as of https://github.com/cfrg/draft-irtf-cfrg-frost/pull/231. * Use Zeroize on FROST keygen/signing * Zeroize constant time multiexp. * Correct when FROST keygen zeroizes * Move the FROST keys Arc into FrostKeys Reduces amount of instances in memory. * Manually implement Debug for FrostCore to not leak the secret share * Misc bug fixes * clippy + multiexp test bug fixes * Correct FROST key gen share summation It leaked our own share for ourself. * Fix cross-group DLEq tests
2022-08-03 03:25:18 -05:00
Use Monero-compatible additional TX keys This still sends a fingerprinting flare up if you send to a subaddress which needs to be fixed. Despite that, Monero no should no longer fail to scan TXs from monero-serai regarding additional keys. Previously it failed becuase we supplied one key as THE key, and n-1 as additional. Monero expects n for additional. This does correctly select when to use THE key versus when to use the additional key when sending. That removes the ability for recipients to fingerprint monero-serai by receiving to a standard address yet needing to use an additional key.
2023-01-21 01:24:13 -05:00
use group::Group;
Fix #237
2023-03-11 10:31:58 -05:00
use curve25519_dalek::{
constants::{ED25519_BASEPOINT_POINT, ED25519_BASEPOINT_TABLE},
scalar::Scalar,
edwards::EdwardsPoint,
};
Use Monero-compatible additional TX keys This still sends a fingerprinting flare up if you send to a subaddress which needs to be fixed. Despite that, Monero no should no longer fail to scan TXs from monero-serai regarding additional keys. Previously it failed becuase we supplied one key as THE key, and n-1 as additional. Monero expects n for additional. This does correctly select when to use THE key versus when to use the additional key when sending. That removes the ability for recipients to fingerprint monero-serai by receiving to a standard address yet needing to use an additional key.
2023-01-21 01:24:13 -05:00
use dalek_ff_group as dfg;
Remove monero-rs types Still missing an updated RPC file. Restructures the library as it makes sense
2022-05-21 15:33:35 -04:00
#[cfg(feature = "multisig")]
use frost::FrostError;
use crate::{
Bulletproofs+ (#70) * Initial stab at Bulletproofs+ Does move around the existing Bulletproofs code, does still work as expected. * Make the Clsag RCTPrunable type work with BP and BP+ * Initial set of BP+ bug fixes * Further bug fixes * Remove RING_LEN as a constant * Monero v16 TX support Doesn't implement view tags, nor going back to v14, nor the updated BP clawback logic. * Support v14 and v16 at the same time
2022-07-27 04:05:43 -05:00
Protocol, Commitment, random_scalar,
Move RingCT code to a deciated folder Should help keep things ordered as more RingCT code is added.
2022-05-22 02:24:24 -04:00
ringct::{
Implement hash_to_point in Rust Closes https://github.com/serai-dex/serai/issues/32.
2022-07-10 16:11:55 -04:00
generate_key_image,
Move RingCT code to a deciated folder Should help keep things ordered as more RingCT code is added.
2022-05-22 02:24:24 -04:00
clsag::{ClsagError, ClsagInput, Clsag},
Add fee handling code to Monero Updates how change outputs are handled, with a far more logical construction offering greater flexibility. prepare_outputs can not longer error. SignaableTransaction::new will.
2022-06-19 12:03:01 -04:00
bulletproofs::{MAX_OUTPUTS, Bulletproofs},
Apply an initial set of rustfmt rules
2022-07-15 01:26:07 -04:00
RctBase, RctPrunable, RctSignatures,
Move RingCT code to a deciated folder Should help keep things ordered as more RingCT code is added.
2022-05-22 02:24:24 -04:00
},
Implement a proper Monero Timelock type Transaction scanning now returns the timelock to ensure it's acknowledged by wallets. Fixes https://github.com/serai-dex/serai/issues/16.
2022-06-02 00:00:26 -04:00
transaction::{Input, Output, Timelock, TransactionPrefix, Transaction},
Remove monero-rs types Still missing an updated RPC file. Restructures the library as it makes sense
2022-05-21 15:33:35 -04:00
rpc::{Rpc, RpcError},
Implement Guaranteed Addresses Closes https://github.com/serai-dex/serai/issues/27. monero-rs is now solely used for Extra encoding.
2022-06-28 00:01:20 -04:00
wallet::{
Fix #237
2023-03-11 10:31:58 -05:00
address::{Network, AddressSpec, MoneroAddress},
ViewPair, SpendableOutput, Decoys, PaymentId, ExtraField, Extra, key_image_sort, uniqueness,
shared_key, commitment_mask, amount_encryption,
Prefix arbitrary data with 127 Since we cannot expect/guarantee a payment ID will be included, the previous position-based code for determining arbitrary data wasn't sufficient.
2023-03-11 05:47:25 -05:00
extra::{ARBITRARY_DATA_MARKER, MAX_ARBITRARY_DATA_SIZE},
Apply an initial set of rustfmt rules
2022-07-15 01:26:07 -04:00
},
Remove monero-rs types Still missing an updated RPC file. Restructures the library as it makes sense
2022-05-21 15:33:35 -04:00
};
Add a builder API to the Monero library Enables more composable construction flows.
2022-12-01 11:35:05 -05:00
mod builder;
pub use builder::SignableTransactionBuilder;
Remove monero-rs types Still missing an updated RPC file. Restructures the library as it makes sense
2022-05-21 15:33:35 -04:00
#[cfg(feature = "multisig")]
mod multisig;
Route networking through Wallet, not Coin
2022-06-10 09:36:07 -04:00
#[cfg(feature = "multisig")]
pub use multisig::TransactionMachine;
Remove monero-rs types Still missing an updated RPC file. Restructures the library as it makes sense
2022-05-21 15:33:35 -04:00
#[allow(non_snake_case)]
Utilize zeroize (#76) * Apply Zeroize to nonces used in Bulletproofs Also makes bit decomposition constant time for a given amount of outputs. * Fix nonce reuse for single-signer CLSAG * Attach Zeroize to most structures in Monero, and ZOnDrop to anything with private data * Zeroize private keys and nonces * Merge prepare_outputs and prepare_transactions * Ensure CLSAG is constant time * Pass by borrow where needed, bug fixes The past few commitments have been one in-progress chunk which I've broken up as best read. * Add Zeroize to FROST structs Still needs to zeroize internally, yet next step. Not quite as aggressive as Monero, partially due to the limitations of HashMaps, partially due to less concern about metadata, yet does still delete a few smaller items of metadata (group key, context string...). * Remove Zeroize from most Monero multisig structs These structs largely didn't have private data, just fields with private data, yet those fields implemented ZeroizeOnDrop making them already covered. While there is still traces of the transaction left in RAM, fully purging that was never the intent. * Use Zeroize within dleq bitvec doesn't offer Zeroize, so a manual zeroing has been implemented. * Use Zeroize for random_nonce It isn't perfect, due to the inability to zeroize the digest, and due to kp256 requiring a few transformations. It does the best it can though. Does move the per-curve random_nonce to a provided one, which is allowed as of https://github.com/cfrg/draft-irtf-cfrg-frost/pull/231. * Use Zeroize on FROST keygen/signing * Zeroize constant time multiexp. * Correct when FROST keygen zeroizes * Move the FROST keys Arc into FrostKeys Reduces amount of instances in memory. * Manually implement Debug for FrostCore to not leak the secret share * Misc bug fixes * clippy + multiexp test bug fixes * Correct FROST key gen share summation It leaked our own share for ourself. * Fix cross-group DLEq tests
2022-08-03 03:25:18 -05:00
#[derive(Clone, PartialEq, Eq, Debug, Zeroize, ZeroizeOnDrop)]
Remove monero-rs types Still missing an updated RPC file. Restructures the library as it makes sense
2022-05-21 15:33:35 -04:00
struct SendOutput {
R: EdwardsPoint,
Implement view tags
2022-07-27 06:29:14 -04:00
view_tag: u8,
Remove monero-rs types Still missing an updated RPC file. Restructures the library as it makes sense
2022-05-21 15:33:35 -04:00
dest: EdwardsPoint,
Add fee handling code to Monero Updates how change outputs are handled, with a far more logical construction offering greater flexibility. prepare_outputs can not longer error. SignaableTransaction::new will.
2022-06-19 12:03:01 -04:00
commitment: Commitment,
Apply an initial set of rustfmt rules
2022-07-15 01:26:07 -04:00
amount: [u8; 8],
Remove monero-rs types Still missing an updated RPC file. Restructures the library as it makes sense
2022-05-21 15:33:35 -04:00
}
impl SendOutput {
Fix #237
2023-03-11 10:31:58 -05:00
#[allow(non_snake_case)]
fn internal(
Add fee handling code to Monero Updates how change outputs are handled, with a far more logical construction offering greater flexibility. prepare_outputs can not longer error. SignaableTransaction::new will.
2022-06-19 12:03:01 -04:00
unique: [u8; 32],
Support handling addresses from other networks A type alias of MoneroAddress is provided to abstract away the generic. To keep the rest of the library sane, MoneroAddress is used everywhere. If someone wants to use this library with another coin, they *should* be able to parse a custom address and then recreate it as a Monero address. While that's annoying to them, better them than any person using this lib for Monero. Closes #152.
2022-11-15 00:06:15 -05:00
output: (usize, (MoneroAddress, u64)),
Move ecdh derivation up to prevent Scalar::one() * ecdh
2023-03-11 10:51:40 -05:00
ecdh: EdwardsPoint,
Fix #237
2023-03-11 10:31:58 -05:00
R: EdwardsPoint,
Support sending to integrated addresses
2022-08-22 06:54:01 -04:00
) -> (SendOutput, Option<[u8; 8]>) {
let o = output.0;
let output = output.1;
let (view_tag, shared_key, payment_id_xor) =
Move ecdh derivation up to prevent Scalar::one() * ecdh
2023-03-11 10:51:40 -05:00
shared_key(Some(unique).filter(|_| output.0.is_guaranteed()), ecdh, o);
Implement Featured Addresses Closes https://github.com/serai-dex/serai/issues/37.
2022-08-22 04:27:58 -04:00
Support sending to integrated addresses
2022-08-22 06:54:01 -04:00
(
SendOutput {
Fix #237
2023-03-11 10:31:58 -05:00
R,
Support sending to integrated addresses
2022-08-22 06:54:01 -04:00
view_tag,
dest: ((&shared_key * &ED25519_BASEPOINT_TABLE) + output.0.spend),
commitment: Commitment::new(commitment_mask(shared_key), output.1),
amount: amount_encryption(output.1, shared_key),
Add fee handling code to Monero Updates how change outputs are handled, with a far more logical construction offering greater flexibility. prepare_outputs can not longer error. SignaableTransaction::new will.
2022-06-19 12:03:01 -04:00
},
Support sending to integrated addresses
2022-08-22 06:54:01 -04:00
output
.0
.payment_id()
.map(|id| (u64::from_le_bytes(id) ^ u64::from_le_bytes(payment_id_xor)).to_le_bytes()),
)
Remove monero-rs types Still missing an updated RPC file. Restructures the library as it makes sense
2022-05-21 15:33:35 -04:00
}
Fix #237
2023-03-11 10:31:58 -05:00
fn new(
r: &Zeroizing<Scalar>,
unique: [u8; 32],
output: (usize, (MoneroAddress, u64)),
) -> (SendOutput, Option<[u8; 8]>) {
let address = output.1 .0;
SendOutput::internal(
unique,
output,
Move ecdh derivation up to prevent Scalar::one() * ecdh
2023-03-11 10:51:40 -05:00
r.deref() * address.view,
Fix #237
2023-03-11 10:31:58 -05:00
if !address.is_subaddress() {
r.deref() * &ED25519_BASEPOINT_TABLE
} else {
r.deref() * address.spend
},
)
}
fn change(
Move ecdh derivation up to prevent Scalar::one() * ecdh
2023-03-11 10:51:40 -05:00
ecdh: EdwardsPoint,
Fix #237
2023-03-11 10:31:58 -05:00
unique: [u8; 32],
output: (usize, (MoneroAddress, u64)),
) -> (SendOutput, Option<[u8; 8]>) {
Move ecdh derivation up to prevent Scalar::one() * ecdh
2023-03-11 10:51:40 -05:00
SendOutput::internal(unique, output, ecdh, ED25519_BASEPOINT_POINT)
Fix #237
2023-03-11 10:31:58 -05:00
}
Remove monero-rs types Still missing an updated RPC file. Restructures the library as it makes sense
2022-05-21 15:33:35 -04:00
}
Correct derives on errors
2022-12-09 09:50:00 -05:00
#[derive(Clone, PartialEq, Eq, Debug, Error)]
Remove monero-rs types Still missing an updated RPC file. Restructures the library as it makes sense
2022-05-21 15:33:35 -04:00
pub enum TransactionError {
Support sending to integrated addresses
2022-08-22 06:54:01 -04:00
#[error("multiple addresses with payment IDs")]
MultiplePaymentIds,
Remove monero-rs types Still missing an updated RPC file. Restructures the library as it makes sense
2022-05-21 15:33:35 -04:00
#[error("no inputs")]
NoInputs,
#[error("no outputs")]
NoOutputs,
Add fee handling code to Monero Updates how change outputs are handled, with a far more logical construction offering greater flexibility. prepare_outputs can not longer error. SignaableTransaction::new will.
2022-06-19 12:03:01 -04:00
#[error("only one output and no change address")]
NoChange,
Remove monero-rs types Still missing an updated RPC file. Restructures the library as it makes sense
2022-05-21 15:33:35 -04:00
#[error("too many outputs")]
TooManyOutputs,
Support including arbitrary data in TXs and return it with outputs Fixes a bug where all payments identified as being to (0, 0) instead of their actual subaddress.
2022-08-30 15:42:23 -04:00
#[error("too much data")]
TooMuchData,
Remove monero-rs types Still missing an updated RPC file. Restructures the library as it makes sense
2022-05-21 15:33:35 -04:00
#[error("not enough funds (in {0}, out {1})")]
NotEnoughFunds(u64, u64),
Error when the wrong spend key is used to sign a transaction Moves decoy selection to being the last step in the multisig process so the RPC is only polled to continue valid transactions.
2022-06-09 04:05:57 -04:00
#[error("wrong spend private key")]
WrongPrivateKey,
Remove monero-rs types Still missing an updated RPC file. Restructures the library as it makes sense
2022-05-21 15:33:35 -04:00
#[error("rpc error ({0})")]
RpcError(RpcError),
#[error("clsag error ({0})")]
ClsagError(ClsagError),
#[error("invalid transaction ({0})")]
InvalidTransaction(RpcError),
#[cfg(feature = "multisig")]
#[error("frost error {0}")]
FrostError(FrostError),
}
async fn prepare_inputs<R: RngCore + CryptoRng>(
rng: &mut R,
rpc: &Rpc,
Bulletproofs+ (#70) * Initial stab at Bulletproofs+ Does move around the existing Bulletproofs code, does still work as expected. * Make the Clsag RCTPrunable type work with BP and BP+ * Initial set of BP+ bug fixes * Further bug fixes * Remove RING_LEN as a constant * Monero v16 TX support Doesn't implement view tags, nor going back to v14, nor the updated BP clawback logic. * Support v14 and v16 at the same time
2022-07-27 04:05:43 -05:00
ring_len: usize,
Remove monero-rs types Still missing an updated RPC file. Restructures the library as it makes sense
2022-05-21 15:33:35 -04:00
inputs: &[SpendableOutput],
Fix https://github.com/serai-dex/serai/issues/150
2022-11-10 22:35:09 -05:00
spend: &Zeroizing<Scalar>,
Apply an initial set of rustfmt rules
2022-07-15 01:26:07 -04:00
tx: &mut Transaction,
Fix https://github.com/serai-dex/serai/issues/150
2022-11-10 22:35:09 -05:00
) -> Result<Vec<(Zeroizing<Scalar>, EdwardsPoint, ClsagInput)>, TransactionError> {
Remove monero-rs types Still missing an updated RPC file. Restructures the library as it makes sense
2022-05-21 15:33:35 -04:00
let mut signable = Vec::with_capacity(inputs.len());
// Select decoys
let decoys = Decoys::select(
rng,
rpc,
Bulletproofs+ (#70) * Initial stab at Bulletproofs+ Does move around the existing Bulletproofs code, does still work as expected. * Make the Clsag RCTPrunable type work with BP and BP+ * Initial set of BP+ bug fixes * Further bug fixes * Remove RING_LEN as a constant * Monero v16 TX support Doesn't implement view tags, nor going back to v14, nor the updated BP clawback logic. * Support v14 and v16 at the same time
2022-07-27 04:05:43 -05:00
ring_len,
Correct clippy warnings Currently intended to be done with: cargo clippy --features "recommended merlin batch serialize experimental ed25519 ristretto p256 secp256k1 multisig" -- -A clippy::type_complexity -A dead_code
2022-07-22 02:34:36 -04:00
rpc.get_height().await.map_err(TransactionError::RpcError)? - 10,
Apply an initial set of rustfmt rules
2022-07-15 01:26:07 -04:00
inputs,
)
.await
Correct clippy warnings Currently intended to be done with: cargo clippy --features "recommended merlin batch serialize experimental ed25519 ristretto p256 secp256k1 multisig" -- -A clippy::type_complexity -A dead_code
2022-07-22 02:34:36 -04:00
.map_err(TransactionError::RpcError)?;
Remove monero-rs types Still missing an updated RPC file. Restructures the library as it makes sense
2022-05-21 15:33:35 -04:00
for (i, input) in inputs.iter().enumerate() {
Fix https://github.com/serai-dex/serai/issues/150
2022-11-10 22:35:09 -05:00
let input_spend = Zeroizing::new(input.key_offset() + spend.deref());
let image = generate_key_image(&input_spend);
Remove monero-rs types Still missing an updated RPC file. Restructures the library as it makes sense
2022-05-21 15:33:35 -04:00
signable.push((
Fix https://github.com/serai-dex/serai/issues/150
2022-11-10 22:35:09 -05:00
input_spend,
image,
Fix https://github.com/serai-dex/serai/issues/105
2022-08-22 12:15:14 -04:00
ClsagInput::new(input.commitment().clone(), decoys[i].clone())
Utilize zeroize (#76) * Apply Zeroize to nonces used in Bulletproofs Also makes bit decomposition constant time for a given amount of outputs. * Fix nonce reuse for single-signer CLSAG * Attach Zeroize to most structures in Monero, and ZOnDrop to anything with private data * Zeroize private keys and nonces * Merge prepare_outputs and prepare_transactions * Ensure CLSAG is constant time * Pass by borrow where needed, bug fixes The past few commitments have been one in-progress chunk which I've broken up as best read. * Add Zeroize to FROST structs Still needs to zeroize internally, yet next step. Not quite as aggressive as Monero, partially due to the limitations of HashMaps, partially due to less concern about metadata, yet does still delete a few smaller items of metadata (group key, context string...). * Remove Zeroize from most Monero multisig structs These structs largely didn't have private data, just fields with private data, yet those fields implemented ZeroizeOnDrop making them already covered. While there is still traces of the transaction left in RAM, fully purging that was never the intent. * Use Zeroize within dleq bitvec doesn't offer Zeroize, so a manual zeroing has been implemented. * Use Zeroize for random_nonce It isn't perfect, due to the inability to zeroize the digest, and due to kp256 requiring a few transformations. It does the best it can though. Does move the per-curve random_nonce to a provided one, which is allowed as of https://github.com/cfrg/draft-irtf-cfrg-frost/pull/231. * Use Zeroize on FROST keygen/signing * Zeroize constant time multiexp. * Correct when FROST keygen zeroizes * Move the FROST keys Arc into FrostKeys Reduces amount of instances in memory. * Manually implement Debug for FrostCore to not leak the secret share * Misc bug fixes * clippy + multiexp test bug fixes * Correct FROST key gen share summation It leaked our own share for ourself. * Fix cross-group DLEq tests
2022-08-03 03:25:18 -05:00
.map_err(TransactionError::ClsagError)?,
Remove monero-rs types Still missing an updated RPC file. Restructures the library as it makes sense
2022-05-21 15:33:35 -04:00
));
tx.prefix.inputs.push(Input::ToKey {
amount: 0,
key_offsets: decoys[i].offsets.clone(),
Apply an initial set of rustfmt rules
2022-07-15 01:26:07 -04:00
key_image: signable[i].1,
Remove monero-rs types Still missing an updated RPC file. Restructures the library as it makes sense
2022-05-21 15:33:35 -04:00
});
}
signable.sort_by(|x, y| x.1.compress().to_bytes().cmp(&y.1.compress().to_bytes()).reverse());
Apply an initial set of rustfmt rules
2022-07-15 01:26:07 -04:00
tx.prefix.inputs.sort_by(|x, y| {
if let (Input::ToKey { key_image: x, .. }, Input::ToKey { key_image: y, .. }) = (x, y) {
x.compress().to_bytes().cmp(&y.compress().to_bytes()).reverse()
} else {
panic!("Input wasn't ToKey")
}
Remove monero-rs types Still missing an updated RPC file. Restructures the library as it makes sense
2022-05-21 15:33:35 -04:00
});
Ok(signable)
}
Initial documentation for the Monero libraries (#122) * Document all features * Largely document the Monero libraries Relevant to https://github.com/serai-dex/serai/issues/103 and likely sufficient to get this removed from https://github.com/serai-dex/serai/issues/102.
2022-09-28 07:44:49 -05:00
/// Fee struct, defined as a per-unit cost and a mask for rounding purposes.
Add a builder API to the Monero library Enables more composable construction flows.
2022-12-01 11:35:05 -05:00
#[derive(Clone, Copy, PartialEq, Eq, Debug, Zeroize)]
Add fee handling code to Monero Updates how change outputs are handled, with a far more logical construction offering greater flexibility. prepare_outputs can not longer error. SignaableTransaction::new will.
2022-06-19 12:03:01 -04:00
pub struct Fee {
pub per_weight: u64,
Apply an initial set of rustfmt rules
2022-07-15 01:26:07 -04:00
pub mask: u64,
Add fee handling code to Monero Updates how change outputs are handled, with a far more logical construction offering greater flexibility. prepare_outputs can not longer error. SignaableTransaction::new will.
2022-06-19 12:03:01 -04:00
}
impl Fee {
pub fn calculate(&self, weight: usize) -> u64 {
((((self.per_weight * u64::try_from(weight).unwrap()) - 1) / self.mask) + 1) * self.mask
}
}
Initial documentation for the Monero libraries (#122) * Document all features * Largely document the Monero libraries Relevant to https://github.com/serai-dex/serai/issues/103 and likely sufficient to get this removed from https://github.com/serai-dex/serai/issues/102.
2022-09-28 07:44:49 -05:00
/// A signable transaction, either in a single-signer or multisig context.
Utilize zeroize (#76) * Apply Zeroize to nonces used in Bulletproofs Also makes bit decomposition constant time for a given amount of outputs. * Fix nonce reuse for single-signer CLSAG * Attach Zeroize to most structures in Monero, and ZOnDrop to anything with private data * Zeroize private keys and nonces * Merge prepare_outputs and prepare_transactions * Ensure CLSAG is constant time * Pass by borrow where needed, bug fixes The past few commitments have been one in-progress chunk which I've broken up as best read. * Add Zeroize to FROST structs Still needs to zeroize internally, yet next step. Not quite as aggressive as Monero, partially due to the limitations of HashMaps, partially due to less concern about metadata, yet does still delete a few smaller items of metadata (group key, context string...). * Remove Zeroize from most Monero multisig structs These structs largely didn't have private data, just fields with private data, yet those fields implemented ZeroizeOnDrop making them already covered. While there is still traces of the transaction left in RAM, fully purging that was never the intent. * Use Zeroize within dleq bitvec doesn't offer Zeroize, so a manual zeroing has been implemented. * Use Zeroize for random_nonce It isn't perfect, due to the inability to zeroize the digest, and due to kp256 requiring a few transformations. It does the best it can though. Does move the per-curve random_nonce to a provided one, which is allowed as of https://github.com/cfrg/draft-irtf-cfrg-frost/pull/231. * Use Zeroize on FROST keygen/signing * Zeroize constant time multiexp. * Correct when FROST keygen zeroizes * Move the FROST keys Arc into FrostKeys Reduces amount of instances in memory. * Manually implement Debug for FrostCore to not leak the secret share * Misc bug fixes * clippy + multiexp test bug fixes * Correct FROST key gen share summation It leaked our own share for ourself. * Fix cross-group DLEq tests
2022-08-03 03:25:18 -05:00
#[derive(Clone, PartialEq, Eq, Debug, Zeroize, ZeroizeOnDrop)]
Remove monero-rs types Still missing an updated RPC file. Restructures the library as it makes sense
2022-05-21 15:33:35 -04:00
pub struct SignableTransaction {
Bulletproofs+ (#70) * Initial stab at Bulletproofs+ Does move around the existing Bulletproofs code, does still work as expected. * Make the Clsag RCTPrunable type work with BP and BP+ * Initial set of BP+ bug fixes * Further bug fixes * Remove RING_LEN as a constant * Monero v16 TX support Doesn't implement view tags, nor going back to v14, nor the updated BP clawback logic. * Support v14 and v16 at the same time
2022-07-27 04:05:43 -05:00
protocol: Protocol,
Remove monero-rs types Still missing an updated RPC file. Restructures the library as it makes sense
2022-05-21 15:33:35 -04:00
inputs: Vec<SpendableOutput>,
Fix #237
2023-03-11 10:31:58 -05:00
payments: Vec<InternalPayment>,
support add/read multiple arbitrary tx data (#189) * support add/read multiple arbitrary tx data * fix clippy errors * resolve pr issues
2022-12-09 18:58:11 +03:00
data: Vec<Vec<u8>>,
Apply an initial set of rustfmt rules
2022-07-15 01:26:07 -04:00
fee: u64,
Remove monero-rs types Still missing an updated RPC file. Restructures the library as it makes sense
2022-05-21 15:33:35 -04:00
}
Fix #237
2023-03-11 10:31:58 -05:00
/// Specification for a change output.
#[derive(Clone, PartialEq, Eq, Zeroize)]
pub struct Change {
address: MoneroAddress,
view: Option<Zeroizing<Scalar>>,
}
impl fmt::Debug for Change {
fn fmt(&self, f: &mut fmt::Formatter) -> fmt::Result {
f.debug_struct("Change").field("address", &self.address).finish_non_exhaustive()
}
}
impl Change {
/// Create a change output specification from a ViewPair, as needed to maintain privacy.
pub fn new(view: &ViewPair, guaranteed: bool) -> Change {
Change {
address: view.address(
Network::Mainnet,
if !guaranteed {
AddressSpec::Standard
} else {
AddressSpec::Featured { subaddress: None, payment_id: None, guaranteed: true }
},
),
view: Some(view.view.clone()),
}
}
/// Create a fingerprintable change output specification which will harm privacy. Only use this
/// if you know what you're doing.
pub fn fingerprintable(address: MoneroAddress) -> Change {
Change { address, view: None }
}
}
#[derive(Clone, PartialEq, Eq, Debug, Zeroize)]
pub(crate) enum InternalPayment {
Payment((MoneroAddress, u64)),
Change(Change, u64),
}
Remove monero-rs types Still missing an updated RPC file. Restructures the library as it makes sense
2022-05-21 15:33:35 -04:00
impl SignableTransaction {
Fix #237
2023-03-11 10:31:58 -05:00
/// Create a signable transaction.
///
/// Up to 16 outputs may be present, including the change output.
///
/// If the change address is specified, leftover funds will be sent to it.
///
/// Each chunk of data must not exceed MAX_ARBITRARY_DATA_SIZE.
Remove monero-rs types Still missing an updated RPC file. Restructures the library as it makes sense
2022-05-21 15:33:35 -04:00
pub fn new(
Bulletproofs+ (#70) * Initial stab at Bulletproofs+ Does move around the existing Bulletproofs code, does still work as expected. * Make the Clsag RCTPrunable type work with BP and BP+ * Initial set of BP+ bug fixes * Further bug fixes * Remove RING_LEN as a constant * Monero v16 TX support Doesn't implement view tags, nor going back to v14, nor the updated BP clawback logic. * Support v14 and v16 at the same time
2022-07-27 04:05:43 -05:00
protocol: Protocol,
Remove monero-rs types Still missing an updated RPC file. Restructures the library as it makes sense
2022-05-21 15:33:35 -04:00
inputs: Vec<SpendableOutput>,
Support handling addresses from other networks A type alias of MoneroAddress is provided to abstract away the generic. To keep the rest of the library sane, MoneroAddress is used everywhere. If someone wants to use this library with another coin, they *should* be able to parse a custom address and then recreate it as a Monero address. While that's annoying to them, better them than any person using this lib for Monero. Closes #152.
2022-11-15 00:06:15 -05:00
mut payments: Vec<(MoneroAddress, u64)>,
Fix #237
2023-03-11 10:31:58 -05:00
change_address: Option<Change>,
support add/read multiple arbitrary tx data (#189) * support add/read multiple arbitrary tx data * fix clippy errors * resolve pr issues
2022-12-09 18:58:11 +03:00
data: Vec<Vec<u8>>,
Apply an initial set of rustfmt rules
2022-07-15 01:26:07 -04:00
fee_rate: Fee,
Remove monero-rs types Still missing an updated RPC file. Restructures the library as it makes sense
2022-05-21 15:33:35 -04:00
) -> Result<SignableTransaction, TransactionError> {
Support sending to integrated addresses
2022-08-22 06:54:01 -04:00
// Make sure there's only one payment ID
Prefix arbitrary data with 127 Since we cannot expect/guarantee a payment ID will be included, the previous position-based code for determining arbitrary data wasn't sufficient.
2023-03-11 05:47:25 -05:00
let mut has_payment_id = {
Support sending to integrated addresses
2022-08-22 06:54:01 -04:00
let mut payment_ids = 0;
Support handling addresses from other networks A type alias of MoneroAddress is provided to abstract away the generic. To keep the rest of the library sane, MoneroAddress is used everywhere. If someone wants to use this library with another coin, they *should* be able to parse a custom address and then recreate it as a Monero address. While that's annoying to them, better them than any person using this lib for Monero. Closes #152.
2022-11-15 00:06:15 -05:00
let mut count = |addr: MoneroAddress| {
Support sending to integrated addresses
2022-08-22 06:54:01 -04:00
if addr.payment_id().is_some() {
payment_ids += 1
}
};
for payment in &payments {
count(payment.0);
}
Fix #237
2023-03-11 10:31:58 -05:00
if let Some(change) = change_address.as_ref() {
count(change.address);
Support sending to integrated addresses
2022-08-22 06:54:01 -04:00
}
if payment_ids > 1 {
Err(TransactionError::MultiplePaymentIds)?;
Implement Featured Addresses Closes https://github.com/serai-dex/serai/issues/37.
2022-08-22 04:27:58 -04:00
}
Prefix arbitrary data with 127 Since we cannot expect/guarantee a payment ID will be included, the previous position-based code for determining arbitrary data wasn't sufficient.
2023-03-11 05:47:25 -05:00
payment_ids == 1
};
Add fee handling code to Monero Updates how change outputs are handled, with a far more logical construction offering greater flexibility. prepare_outputs can not longer error. SignaableTransaction::new will.
2022-06-19 12:03:01 -04:00
Correct clippy warnings Currently intended to be done with: cargo clippy --features "recommended merlin batch serialize experimental ed25519 ristretto p256 secp256k1 multisig" -- -A clippy::type_complexity -A dead_code
2022-07-22 02:34:36 -04:00
if inputs.is_empty() {
Remove monero-rs types Still missing an updated RPC file. Restructures the library as it makes sense
2022-05-21 15:33:35 -04:00
Err(TransactionError::NoInputs)?;
}
Correct clippy warnings Currently intended to be done with: cargo clippy --features "recommended merlin batch serialize experimental ed25519 ristretto p256 secp256k1 multisig" -- -A clippy::type_complexity -A dead_code
2022-07-22 02:34:36 -04:00
if payments.is_empty() {
Remove monero-rs types Still missing an updated RPC file. Restructures the library as it makes sense
2022-05-21 15:33:35 -04:00
Err(TransactionError::NoOutputs)?;
}
support add/read multiple arbitrary tx data (#189) * support add/read multiple arbitrary tx data * fix clippy errors * resolve pr issues
2022-12-09 18:58:11 +03:00
for part in &data {
Prefix arbitrary data with 127 Since we cannot expect/guarantee a payment ID will be included, the previous position-based code for determining arbitrary data wasn't sufficient.
2023-03-11 05:47:25 -05:00
if part.len() > MAX_ARBITRARY_DATA_SIZE {
support add/read multiple arbitrary tx data (#189) * support add/read multiple arbitrary tx data * fix clippy errors * resolve pr issues
2022-12-09 18:58:11 +03:00
Err(TransactionError::TooMuchData)?;
}
Support including arbitrary data in TXs and return it with outputs Fixes a bug where all payments identified as being to (0, 0) instead of their actual subaddress.
2022-08-30 15:42:23 -04:00
}
Add fee handling code to Monero Updates how change outputs are handled, with a far more logical construction offering greater flexibility. prepare_outputs can not longer error. SignaableTransaction::new will.
2022-06-19 12:03:01 -04:00
// TODO TX MAX SIZE
Fix #237
2023-03-11 10:31:58 -05:00
// If we don't have two outputs, as required by Monero, error
if (payments.len() == 1) && change_address.is_none() {
Add fee handling code to Monero Updates how change outputs are handled, with a far more logical construction offering greater flexibility. prepare_outputs can not longer error. SignaableTransaction::new will.
2022-06-19 12:03:01 -04:00
Err(TransactionError::NoChange)?;
}
Fix #237
2023-03-11 10:31:58 -05:00
let outputs = payments.len() + usize::from(change_address.is_some());
Prefix arbitrary data with 127 Since we cannot expect/guarantee a payment ID will be included, the previous position-based code for determining arbitrary data wasn't sufficient.
2023-03-11 05:47:25 -05:00
// Add a dummy payment ID if there's only 2 payments
has_payment_id |= outputs == 2;
Add fee handling code to Monero Updates how change outputs are handled, with a far more logical construction offering greater flexibility. prepare_outputs can not longer error. SignaableTransaction::new will.
2022-06-19 12:03:01 -04:00
Fix #48 Removes monero, yet we still use monero-rs's base58 and epee libraries.
2022-08-21 08:41:19 -04:00
// Calculate the extra length
Prefix arbitrary data with 127 Since we cannot expect/guarantee a payment ID will be included, the previous position-based code for determining arbitrary data wasn't sufficient.
2023-03-11 05:47:25 -05:00
let extra = Extra::fee_weight(outputs, has_payment_id, data.as_ref());
Correct Monero's extra length calculation for fee calculation
2022-06-19 12:19:57 -04:00
Add fee handling code to Monero Updates how change outputs are handled, with a far more logical construction offering greater flexibility. prepare_outputs can not longer error. SignaableTransaction::new will.
2022-06-19 12:03:01 -04:00
// Calculate the fee.
Fix #237
2023-03-11 10:31:58 -05:00
let fee = fee_rate.calculate(Transaction::fee_weight(protocol, inputs.len(), outputs, extra));
Add fee handling code to Monero Updates how change outputs are handled, with a far more logical construction offering greater flexibility. prepare_outputs can not longer error. SignaableTransaction::new will.
2022-06-19 12:03:01 -04:00
// Make sure we have enough funds
Fix https://github.com/serai-dex/serai/issues/105
2022-08-22 12:15:14 -04:00
let in_amount = inputs.iter().map(|input| input.commitment().amount).sum::<u64>();
Fix #237
2023-03-11 10:31:58 -05:00
let out_amount = payments.iter().map(|payment| payment.1).sum::<u64>() + fee;
Add fee handling code to Monero Updates how change outputs are handled, with a far more logical construction offering greater flexibility. prepare_outputs can not longer error. SignaableTransaction::new will.
2022-06-19 12:03:01 -04:00
if in_amount < out_amount {
Err(TransactionError::NotEnoughFunds(in_amount, out_amount))?;
}
Fix #237
2023-03-11 10:31:58 -05:00
if outputs > MAX_OUTPUTS {
Err(TransactionError::TooManyOutputs)?;
Add fee handling code to Monero Updates how change outputs are handled, with a far more logical construction offering greater flexibility. prepare_outputs can not longer error. SignaableTransaction::new will.
2022-06-19 12:03:01 -04:00
}
Fix #237
2023-03-11 10:31:58 -05:00
let mut payments = payments.drain(..).map(InternalPayment::Payment).collect::<Vec<_>>();
if let Some(change) = change_address {
payments.push(InternalPayment::Change(change, in_amount - out_amount));
Bulletproofs+ (#70) * Initial stab at Bulletproofs+ Does move around the existing Bulletproofs code, does still work as expected. * Make the Clsag RCTPrunable type work with BP and BP+ * Initial set of BP+ bug fixes * Further bug fixes * Remove RING_LEN as a constant * Monero v16 TX support Doesn't implement view tags, nor going back to v14, nor the updated BP clawback logic. * Support v14 and v16 at the same time
2022-07-27 04:05:43 -05:00
}
Support including arbitrary data in TXs and return it with outputs Fixes a bug where all payments identified as being to (0, 0) instead of their actual subaddress.
2022-08-30 15:42:23 -04:00
Ok(SignableTransaction { protocol, inputs, payments, data, fee })
Remove monero-rs types Still missing an updated RPC file. Restructures the library as it makes sense
2022-05-21 15:33:35 -04:00
}
Utilize zeroize (#76) * Apply Zeroize to nonces used in Bulletproofs Also makes bit decomposition constant time for a given amount of outputs. * Fix nonce reuse for single-signer CLSAG * Attach Zeroize to most structures in Monero, and ZOnDrop to anything with private data * Zeroize private keys and nonces * Merge prepare_outputs and prepare_transactions * Ensure CLSAG is constant time * Pass by borrow where needed, bug fixes The past few commitments have been one in-progress chunk which I've broken up as best read. * Add Zeroize to FROST structs Still needs to zeroize internally, yet next step. Not quite as aggressive as Monero, partially due to the limitations of HashMaps, partially due to less concern about metadata, yet does still delete a few smaller items of metadata (group key, context string...). * Remove Zeroize from most Monero multisig structs These structs largely didn't have private data, just fields with private data, yet those fields implemented ZeroizeOnDrop making them already covered. While there is still traces of the transaction left in RAM, fully purging that was never the intent. * Use Zeroize within dleq bitvec doesn't offer Zeroize, so a manual zeroing has been implemented. * Use Zeroize for random_nonce It isn't perfect, due to the inability to zeroize the digest, and due to kp256 requiring a few transformations. It does the best it can though. Does move the per-curve random_nonce to a provided one, which is allowed as of https://github.com/cfrg/draft-irtf-cfrg-frost/pull/231. * Use Zeroize on FROST keygen/signing * Zeroize constant time multiexp. * Correct when FROST keygen zeroizes * Move the FROST keys Arc into FrostKeys Reduces amount of instances in memory. * Manually implement Debug for FrostCore to not leak the secret share * Misc bug fixes * clippy + multiexp test bug fixes * Correct FROST key gen share summation It leaked our own share for ourself. * Fix cross-group DLEq tests
2022-08-03 03:25:18 -05:00
fn prepare_transaction<R: RngCore + CryptoRng>(
Remove monero-rs types Still missing an updated RPC file. Restructures the library as it makes sense
2022-05-21 15:33:35 -04:00
&mut self,
rng: &mut R,
Apply an initial set of rustfmt rules
2022-07-15 01:26:07 -04:00
uniqueness: [u8; 32],
Utilize zeroize (#76) * Apply Zeroize to nonces used in Bulletproofs Also makes bit decomposition constant time for a given amount of outputs. * Fix nonce reuse for single-signer CLSAG * Attach Zeroize to most structures in Monero, and ZOnDrop to anything with private data * Zeroize private keys and nonces * Merge prepare_outputs and prepare_transactions * Ensure CLSAG is constant time * Pass by borrow where needed, bug fixes The past few commitments have been one in-progress chunk which I've broken up as best read. * Add Zeroize to FROST structs Still needs to zeroize internally, yet next step. Not quite as aggressive as Monero, partially due to the limitations of HashMaps, partially due to less concern about metadata, yet does still delete a few smaller items of metadata (group key, context string...). * Remove Zeroize from most Monero multisig structs These structs largely didn't have private data, just fields with private data, yet those fields implemented ZeroizeOnDrop making them already covered. While there is still traces of the transaction left in RAM, fully purging that was never the intent. * Use Zeroize within dleq bitvec doesn't offer Zeroize, so a manual zeroing has been implemented. * Use Zeroize for random_nonce It isn't perfect, due to the inability to zeroize the digest, and due to kp256 requiring a few transformations. It does the best it can though. Does move the per-curve random_nonce to a provided one, which is allowed as of https://github.com/cfrg/draft-irtf-cfrg-frost/pull/231. * Use Zeroize on FROST keygen/signing * Zeroize constant time multiexp. * Correct when FROST keygen zeroizes * Move the FROST keys Arc into FrostKeys Reduces amount of instances in memory. * Manually implement Debug for FrostCore to not leak the secret share * Misc bug fixes * clippy + multiexp test bug fixes * Correct FROST key gen share summation It leaked our own share for ourself. * Fix cross-group DLEq tests
2022-08-03 03:25:18 -05:00
) -> (Transaction, Scalar) {
Add fee handling code to Monero Updates how change outputs are handled, with a far more logical construction offering greater flexibility. prepare_outputs can not longer error. SignaableTransaction::new will.
2022-06-19 12:03:01 -04:00
// Shuffle the payments
self.payments.shuffle(rng);
Remove monero-rs types Still missing an updated RPC file. Restructures the library as it makes sense
2022-05-21 15:33:35 -04:00
Use Monero-compatible additional TX keys This still sends a fingerprinting flare up if you send to a subaddress which needs to be fixed. Despite that, Monero no should no longer fail to scan TXs from monero-serai regarding additional keys. Previously it failed becuase we supplied one key as THE key, and n-1 as additional. Monero expects n for additional. This does correctly select when to use THE key versus when to use the additional key when sending. That removes the ability for recipients to fingerprint monero-serai by receiving to a standard address yet needing to use an additional key.
2023-01-21 01:24:13 -05:00
// Used for all non-subaddress outputs, or if there's only one subaddress output and a change
let tx_key = Zeroizing::new(random_scalar(rng));
Fix #237
2023-03-11 10:31:58 -05:00
let mut tx_public_key = tx_key.deref() * &ED25519_BASEPOINT_TABLE;
// If any of these outputs are to a subaddress, we need keys distinct to them
// The only time this *does not* force having additional keys is when the only other output
// is a change output we have the view key for, enabling rewriting rA to aR
let mut has_change_view = false;
let subaddresses = self
.payments
.iter()
.filter(|payment| match *payment {
InternalPayment::Payment(payment) => payment.0.is_subaddress(),
InternalPayment::Change(change, _) => {
if change.view.is_some() {
has_change_view = true;
// It should not be possible to construct a change specification to a subaddress with a
// view key
debug_assert!(!change.address.is_subaddress());
}
change.address.is_subaddress()
}
})
.count() !=
0;
// We need additional keys if we have any subaddresses
let mut additional = subaddresses;
// Unless the above change view key path is taken
if (self.payments.len() == 2) && has_change_view {
additional = false;
}
let modified_change_ecdh = subaddresses && (!additional);
// If we're using the aR rewrite, update tx_public_key from rG to rB
if modified_change_ecdh {
for payment in &self.payments {
match payment {
InternalPayment::Payment(payment) => {
// This should be the only payment and it should be a subaddress
debug_assert!(payment.0.is_subaddress());
tx_public_key = tx_key.deref() * payment.0.spend;
}
InternalPayment::Change(_, _) => {}
}
}
debug_assert!(tx_public_key != (tx_key.deref() * &ED25519_BASEPOINT_TABLE));
}
Use Monero-compatible additional TX keys This still sends a fingerprinting flare up if you send to a subaddress which needs to be fixed. Despite that, Monero no should no longer fail to scan TXs from monero-serai regarding additional keys. Previously it failed becuase we supplied one key as THE key, and n-1 as additional. Monero expects n for additional. This does correctly select when to use THE key versus when to use the additional key when sending. That removes the ability for recipients to fingerprint monero-serai by receiving to a standard address yet needing to use an additional key.
2023-01-21 01:24:13 -05:00
Remove monero-rs types Still missing an updated RPC file. Restructures the library as it makes sense
2022-05-21 15:33:35 -04:00
// Actually create the outputs
Support sending to integrated addresses
2022-08-22 06:54:01 -04:00
let mut outputs = Vec::with_capacity(self.payments.len());
let mut id = None;
Fix #237
2023-03-11 10:31:58 -05:00
for (o, mut payment) in self.payments.drain(..).enumerate() {
// Downcast the change output to a payment output if it doesn't require special handling
// regarding it's view key
payment = if !modified_change_ecdh {
if let InternalPayment::Change(change, amount) = &payment {
InternalPayment::Payment((change.address, *amount))
} else {
payment
}
} else {
payment
};
let (output, payment_id) = match payment {
InternalPayment::Payment(payment) => {
// If this is a subaddress, generate a dedicated r. Else, reuse the TX key
let dedicated = Zeroizing::new(random_scalar(&mut *rng));
let use_dedicated = additional && payment.0.is_subaddress();
let r = if use_dedicated { &dedicated } else { &tx_key };
let (mut output, payment_id) = SendOutput::new(r, uniqueness, (o, payment));
if modified_change_ecdh {
debug_assert_eq!(tx_public_key, output.R);
}
// If this used tx_key, randomize its R
if !use_dedicated {
output.R = dfg::EdwardsPoint::random(&mut *rng).0;
}
(output, payment_id)
}
InternalPayment::Change(change, amount) => {
// Instead of rA, use Ra, where R is r * subaddress_spend_key
// change.view must be Some as if it's None, this payment would've been downcast
let ecdh = tx_public_key * change.view.unwrap().deref();
Move ecdh derivation up to prevent Scalar::one() * ecdh
2023-03-11 10:51:40 -05:00
SendOutput::change(ecdh, uniqueness, (o, (change.address, amount)))
Fix #237
2023-03-11 10:31:58 -05:00
}
};
Use Monero-compatible additional TX keys This still sends a fingerprinting flare up if you send to a subaddress which needs to be fixed. Despite that, Monero no should no longer fail to scan TXs from monero-serai regarding additional keys. Previously it failed becuase we supplied one key as THE key, and n-1 as additional. Monero expects n for additional. This does correctly select when to use THE key versus when to use the additional key when sending. That removes the ability for recipients to fingerprint monero-serai by receiving to a standard address yet needing to use an additional key.
2023-01-21 01:24:13 -05:00
Support sending to integrated addresses
2022-08-22 06:54:01 -04:00
outputs.push(output);
id = id.or(payment_id);
}
// Include a random payment ID if we don't actually have one
// It prevents transactions from leaking if they're sending to integrated addresses or not
Fix #251
2023-03-11 05:23:38 -05:00
// Only do this if we only have two outputs though, as Monero won't add a dummy if there's
// more than two outputs
if outputs.len() <= 2 {
let mut rand = [0; 8];
rng.fill_bytes(&mut rand);
id = id.or(Some(rand));
}
Utilize zeroize (#76) * Apply Zeroize to nonces used in Bulletproofs Also makes bit decomposition constant time for a given amount of outputs. * Fix nonce reuse for single-signer CLSAG * Attach Zeroize to most structures in Monero, and ZOnDrop to anything with private data * Zeroize private keys and nonces * Merge prepare_outputs and prepare_transactions * Ensure CLSAG is constant time * Pass by borrow where needed, bug fixes The past few commitments have been one in-progress chunk which I've broken up as best read. * Add Zeroize to FROST structs Still needs to zeroize internally, yet next step. Not quite as aggressive as Monero, partially due to the limitations of HashMaps, partially due to less concern about metadata, yet does still delete a few smaller items of metadata (group key, context string...). * Remove Zeroize from most Monero multisig structs These structs largely didn't have private data, just fields with private data, yet those fields implemented ZeroizeOnDrop making them already covered. While there is still traces of the transaction left in RAM, fully purging that was never the intent. * Use Zeroize within dleq bitvec doesn't offer Zeroize, so a manual zeroing has been implemented. * Use Zeroize for random_nonce It isn't perfect, due to the inability to zeroize the digest, and due to kp256 requiring a few transformations. It does the best it can though. Does move the per-curve random_nonce to a provided one, which is allowed as of https://github.com/cfrg/draft-irtf-cfrg-frost/pull/231. * Use Zeroize on FROST keygen/signing * Zeroize constant time multiexp. * Correct when FROST keygen zeroizes * Move the FROST keys Arc into FrostKeys Reduces amount of instances in memory. * Manually implement Debug for FrostCore to not leak the secret share * Misc bug fixes * clippy + multiexp test bug fixes * Correct FROST key gen share summation It leaked our own share for ourself. * Fix cross-group DLEq tests
2022-08-03 03:25:18 -05:00
let commitments = outputs.iter().map(|output| output.commitment.clone()).collect::<Vec<_>>();
Add fee handling code to Monero Updates how change outputs are handled, with a far more logical construction offering greater flexibility. prepare_outputs can not longer error. SignaableTransaction::new will.
2022-06-19 12:03:01 -04:00
let sum = commitments.iter().map(|commitment| commitment.mask).sum();
Remove monero-rs types Still missing an updated RPC file. Restructures the library as it makes sense
2022-05-21 15:33:35 -04:00
Bulletproofs+ (#70) * Initial stab at Bulletproofs+ Does move around the existing Bulletproofs code, does still work as expected. * Make the Clsag RCTPrunable type work with BP and BP+ * Initial set of BP+ bug fixes * Further bug fixes * Remove RING_LEN as a constant * Monero v16 TX support Doesn't implement view tags, nor going back to v14, nor the updated BP clawback logic. * Support v14 and v16 at the same time
2022-07-27 04:05:43 -05:00
// Safe due to the constructor checking MAX_OUTPUTS
Utilize zeroize (#76) * Apply Zeroize to nonces used in Bulletproofs Also makes bit decomposition constant time for a given amount of outputs. * Fix nonce reuse for single-signer CLSAG * Attach Zeroize to most structures in Monero, and ZOnDrop to anything with private data * Zeroize private keys and nonces * Merge prepare_outputs and prepare_transactions * Ensure CLSAG is constant time * Pass by borrow where needed, bug fixes The past few commitments have been one in-progress chunk which I've broken up as best read. * Add Zeroize to FROST structs Still needs to zeroize internally, yet next step. Not quite as aggressive as Monero, partially due to the limitations of HashMaps, partially due to less concern about metadata, yet does still delete a few smaller items of metadata (group key, context string...). * Remove Zeroize from most Monero multisig structs These structs largely didn't have private data, just fields with private data, yet those fields implemented ZeroizeOnDrop making them already covered. While there is still traces of the transaction left in RAM, fully purging that was never the intent. * Use Zeroize within dleq bitvec doesn't offer Zeroize, so a manual zeroing has been implemented. * Use Zeroize for random_nonce It isn't perfect, due to the inability to zeroize the digest, and due to kp256 requiring a few transformations. It does the best it can though. Does move the per-curve random_nonce to a provided one, which is allowed as of https://github.com/cfrg/draft-irtf-cfrg-frost/pull/231. * Use Zeroize on FROST keygen/signing * Zeroize constant time multiexp. * Correct when FROST keygen zeroizes * Move the FROST keys Arc into FrostKeys Reduces amount of instances in memory. * Manually implement Debug for FrostCore to not leak the secret share * Misc bug fixes * clippy + multiexp test bug fixes * Correct FROST key gen share summation It leaked our own share for ourself. * Fix cross-group DLEq tests
2022-08-03 03:25:18 -05:00
let bp = Bulletproofs::prove(rng, &commitments, self.protocol.bp_plus()).unwrap();
Bulletproofs+ (#70) * Initial stab at Bulletproofs+ Does move around the existing Bulletproofs code, does still work as expected. * Make the Clsag RCTPrunable type work with BP and BP+ * Initial set of BP+ bug fixes * Further bug fixes * Remove RING_LEN as a constant * Monero v16 TX support Doesn't implement view tags, nor going back to v14, nor the updated BP clawback logic. * Support v14 and v16 at the same time
2022-07-27 04:05:43 -05:00
Remove monero-rs types Still missing an updated RPC file. Restructures the library as it makes sense
2022-05-21 15:33:35 -04:00
// Create the TX extra
Fix #48 Removes monero, yet we still use monero-rs's base58 and epee libraries.
2022-08-21 08:41:19 -04:00
let extra = {
Use Monero-compatible additional TX keys This still sends a fingerprinting flare up if you send to a subaddress which needs to be fixed. Despite that, Monero no should no longer fail to scan TXs from monero-serai regarding additional keys. Previously it failed becuase we supplied one key as THE key, and n-1 as additional. Monero expects n for additional. This does correctly select when to use THE key versus when to use the additional key when sending. That removes the ability for recipients to fingerprint monero-serai by receiving to a standard address yet needing to use an additional key.
2023-01-21 01:24:13 -05:00
let mut extra = Extra::new(
Fix #237
2023-03-11 10:31:58 -05:00
tx_public_key,
Use Monero-compatible additional TX keys This still sends a fingerprinting flare up if you send to a subaddress which needs to be fixed. Despite that, Monero no should no longer fail to scan TXs from monero-serai regarding additional keys. Previously it failed becuase we supplied one key as THE key, and n-1 as additional. Monero expects n for additional. This does correctly select when to use THE key versus when to use the additional key when sending. That removes the ability for recipients to fingerprint monero-serai by receiving to a standard address yet needing to use an additional key.
2023-01-21 01:24:13 -05:00
if additional { outputs.iter().map(|output| output.R).collect() } else { vec![] },
);
Fix #48 Removes monero, yet we still use monero-rs's base58 and epee libraries.
2022-08-21 08:41:19 -04:00
Fix #251
2023-03-11 05:23:38 -05:00
if let Some(id) = id {
let mut id_vec = Vec::with_capacity(1 + 8);
PaymentId::Encrypted(id).write(&mut id_vec).unwrap();
extra.push(ExtraField::Nonce(id_vec));
}
Support including arbitrary data in TXs and return it with outputs Fixes a bug where all payments identified as being to (0, 0) instead of their actual subaddress.
2022-08-30 15:42:23 -04:00
// Include data if present
support add/read multiple arbitrary tx data (#189) * support add/read multiple arbitrary tx data * fix clippy errors * resolve pr issues
2022-12-09 18:58:11 +03:00
for part in self.data.drain(..) {
Prefix arbitrary data with 127 Since we cannot expect/guarantee a payment ID will be included, the previous position-based code for determining arbitrary data wasn't sufficient.
2023-03-11 05:47:25 -05:00
let mut arb = vec![ARBITRARY_DATA_MARKER];
arb.extend(part);
extra.push(ExtraField::Nonce(arb));
Support including arbitrary data in TXs and return it with outputs Fixes a bug where all payments identified as being to (0, 0) instead of their actual subaddress.
2022-08-30 15:42:23 -04:00
}
Fix #48 Removes monero, yet we still use monero-rs's base58 and epee libraries.
2022-08-21 08:41:19 -04:00
Prefix arbitrary data with 127 Since we cannot expect/guarantee a payment ID will be included, the previous position-based code for determining arbitrary data wasn't sufficient.
2023-03-11 05:47:25 -05:00
let mut serialized =
Vec::with_capacity(Extra::fee_weight(outputs.len(), id.is_some(), self.data.as_ref()));
Standardize serialization within the Monero lib read for R: Read write for W: Write serialize for -> Vec<u8> Also uses std::io::{self, Read, Write} consistently.
2023-01-07 05:18:35 -05:00
extra.write(&mut serialized).unwrap();
Fix #48 Removes monero, yet we still use monero-rs's base58 and epee libraries.
2022-08-21 08:41:19 -04:00
serialized
};
Remove monero-rs types Still missing an updated RPC file. Restructures the library as it makes sense
2022-05-21 15:33:35 -04:00
Utilize zeroize (#76) * Apply Zeroize to nonces used in Bulletproofs Also makes bit decomposition constant time for a given amount of outputs. * Fix nonce reuse for single-signer CLSAG * Attach Zeroize to most structures in Monero, and ZOnDrop to anything with private data * Zeroize private keys and nonces * Merge prepare_outputs and prepare_transactions * Ensure CLSAG is constant time * Pass by borrow where needed, bug fixes The past few commitments have been one in-progress chunk which I've broken up as best read. * Add Zeroize to FROST structs Still needs to zeroize internally, yet next step. Not quite as aggressive as Monero, partially due to the limitations of HashMaps, partially due to less concern about metadata, yet does still delete a few smaller items of metadata (group key, context string...). * Remove Zeroize from most Monero multisig structs These structs largely didn't have private data, just fields with private data, yet those fields implemented ZeroizeOnDrop making them already covered. While there is still traces of the transaction left in RAM, fully purging that was never the intent. * Use Zeroize within dleq bitvec doesn't offer Zeroize, so a manual zeroing has been implemented. * Use Zeroize for random_nonce It isn't perfect, due to the inability to zeroize the digest, and due to kp256 requiring a few transformations. It does the best it can though. Does move the per-curve random_nonce to a provided one, which is allowed as of https://github.com/cfrg/draft-irtf-cfrg-frost/pull/231. * Use Zeroize on FROST keygen/signing * Zeroize constant time multiexp. * Correct when FROST keygen zeroizes * Move the FROST keys Arc into FrostKeys Reduces amount of instances in memory. * Manually implement Debug for FrostCore to not leak the secret share * Misc bug fixes * clippy + multiexp test bug fixes * Correct FROST key gen share summation It leaked our own share for ourself. * Fix cross-group DLEq tests
2022-08-03 03:25:18 -05:00
let mut tx_outputs = Vec::with_capacity(outputs.len());
let mut ecdh_info = Vec::with_capacity(outputs.len());
for output in &outputs {
Bulletproofs+ (#70) * Initial stab at Bulletproofs+ Does move around the existing Bulletproofs code, does still work as expected. * Make the Clsag RCTPrunable type work with BP and BP+ * Initial set of BP+ bug fixes * Further bug fixes * Remove RING_LEN as a constant * Monero v16 TX support Doesn't implement view tags, nor going back to v14, nor the updated BP clawback logic. * Support v14 and v16 at the same time
2022-07-27 04:05:43 -05:00
tx_outputs.push(Output {
amount: 0,
Remove Monero torsion-free requirement and make output keys 32 bytes Maintains the torsion-free requirement in the one place it's used (key images). In the modern day, the output keys are checked to be points, yet in older protocol versions they were allowed to be arbitrary bytes. Closes https://github.com/serai-dex/serai/issues/23 and https://github.com/serai-dex/serai/issues/25.
2022-08-30 01:02:55 -04:00
key: output.dest.compress(),
Utilize zeroize (#76) * Apply Zeroize to nonces used in Bulletproofs Also makes bit decomposition constant time for a given amount of outputs. * Fix nonce reuse for single-signer CLSAG * Attach Zeroize to most structures in Monero, and ZOnDrop to anything with private data * Zeroize private keys and nonces * Merge prepare_outputs and prepare_transactions * Ensure CLSAG is constant time * Pass by borrow where needed, bug fixes The past few commitments have been one in-progress chunk which I've broken up as best read. * Add Zeroize to FROST structs Still needs to zeroize internally, yet next step. Not quite as aggressive as Monero, partially due to the limitations of HashMaps, partially due to less concern about metadata, yet does still delete a few smaller items of metadata (group key, context string...). * Remove Zeroize from most Monero multisig structs These structs largely didn't have private data, just fields with private data, yet those fields implemented ZeroizeOnDrop making them already covered. While there is still traces of the transaction left in RAM, fully purging that was never the intent. * Use Zeroize within dleq bitvec doesn't offer Zeroize, so a manual zeroing has been implemented. * Use Zeroize for random_nonce It isn't perfect, due to the inability to zeroize the digest, and due to kp256 requiring a few transformations. It does the best it can though. Does move the per-curve random_nonce to a provided one, which is allowed as of https://github.com/cfrg/draft-irtf-cfrg-frost/pull/231. * Use Zeroize on FROST keygen/signing * Zeroize constant time multiexp. * Correct when FROST keygen zeroizes * Move the FROST keys Arc into FrostKeys Reduces amount of instances in memory. * Manually implement Debug for FrostCore to not leak the secret share * Misc bug fixes * clippy + multiexp test bug fixes * Correct FROST key gen share summation It leaked our own share for ourself. * Fix cross-group DLEq tests
2022-08-03 03:25:18 -05:00
view_tag: Some(output.view_tag).filter(|_| matches!(self.protocol, Protocol::v16)),
Bulletproofs+ (#70) * Initial stab at Bulletproofs+ Does move around the existing Bulletproofs code, does still work as expected. * Make the Clsag RCTPrunable type work with BP and BP+ * Initial set of BP+ bug fixes * Further bug fixes * Remove RING_LEN as a constant * Monero v16 TX support Doesn't implement view tags, nor going back to v14, nor the updated BP clawback logic. * Support v14 and v16 at the same time
2022-07-27 04:05:43 -05:00
});
Utilize zeroize (#76) * Apply Zeroize to nonces used in Bulletproofs Also makes bit decomposition constant time for a given amount of outputs. * Fix nonce reuse for single-signer CLSAG * Attach Zeroize to most structures in Monero, and ZOnDrop to anything with private data * Zeroize private keys and nonces * Merge prepare_outputs and prepare_transactions * Ensure CLSAG is constant time * Pass by borrow where needed, bug fixes The past few commitments have been one in-progress chunk which I've broken up as best read. * Add Zeroize to FROST structs Still needs to zeroize internally, yet next step. Not quite as aggressive as Monero, partially due to the limitations of HashMaps, partially due to less concern about metadata, yet does still delete a few smaller items of metadata (group key, context string...). * Remove Zeroize from most Monero multisig structs These structs largely didn't have private data, just fields with private data, yet those fields implemented ZeroizeOnDrop making them already covered. While there is still traces of the transaction left in RAM, fully purging that was never the intent. * Use Zeroize within dleq bitvec doesn't offer Zeroize, so a manual zeroing has been implemented. * Use Zeroize for random_nonce It isn't perfect, due to the inability to zeroize the digest, and due to kp256 requiring a few transformations. It does the best it can though. Does move the per-curve random_nonce to a provided one, which is allowed as of https://github.com/cfrg/draft-irtf-cfrg-frost/pull/231. * Use Zeroize on FROST keygen/signing * Zeroize constant time multiexp. * Correct when FROST keygen zeroizes * Move the FROST keys Arc into FrostKeys Reduces amount of instances in memory. * Manually implement Debug for FrostCore to not leak the secret share * Misc bug fixes * clippy + multiexp test bug fixes * Correct FROST key gen share summation It leaked our own share for ourself. * Fix cross-group DLEq tests
2022-08-03 03:25:18 -05:00
ecdh_info.push(output.amount);
Remove monero-rs types Still missing an updated RPC file. Restructures the library as it makes sense
2022-05-21 15:33:35 -04:00
}
Utilize zeroize (#76) * Apply Zeroize to nonces used in Bulletproofs Also makes bit decomposition constant time for a given amount of outputs. * Fix nonce reuse for single-signer CLSAG * Attach Zeroize to most structures in Monero, and ZOnDrop to anything with private data * Zeroize private keys and nonces * Merge prepare_outputs and prepare_transactions * Ensure CLSAG is constant time * Pass by borrow where needed, bug fixes The past few commitments have been one in-progress chunk which I've broken up as best read. * Add Zeroize to FROST structs Still needs to zeroize internally, yet next step. Not quite as aggressive as Monero, partially due to the limitations of HashMaps, partially due to less concern about metadata, yet does still delete a few smaller items of metadata (group key, context string...). * Remove Zeroize from most Monero multisig structs These structs largely didn't have private data, just fields with private data, yet those fields implemented ZeroizeOnDrop making them already covered. While there is still traces of the transaction left in RAM, fully purging that was never the intent. * Use Zeroize within dleq bitvec doesn't offer Zeroize, so a manual zeroing has been implemented. * Use Zeroize for random_nonce It isn't perfect, due to the inability to zeroize the digest, and due to kp256 requiring a few transformations. It does the best it can though. Does move the per-curve random_nonce to a provided one, which is allowed as of https://github.com/cfrg/draft-irtf-cfrg-frost/pull/231. * Use Zeroize on FROST keygen/signing * Zeroize constant time multiexp. * Correct when FROST keygen zeroizes * Move the FROST keys Arc into FrostKeys Reduces amount of instances in memory. * Manually implement Debug for FrostCore to not leak the secret share * Misc bug fixes * clippy + multiexp test bug fixes * Correct FROST key gen share summation It leaked our own share for ourself. * Fix cross-group DLEq tests
2022-08-03 03:25:18 -05:00
(
Transaction {
prefix: TransactionPrefix {
version: 2,
timelock: Timelock::None,
inputs: vec![],
outputs: tx_outputs,
extra,
Remove monero-rs types Still missing an updated RPC file. Restructures the library as it makes sense
2022-05-21 15:33:35 -04:00
},
Support v1 transactions Closes https://github.com/serai-dex/serai/issues/117.
2022-09-28 05:28:42 -04:00
signatures: vec![],
Utilize zeroize (#76) * Apply Zeroize to nonces used in Bulletproofs Also makes bit decomposition constant time for a given amount of outputs. * Fix nonce reuse for single-signer CLSAG * Attach Zeroize to most structures in Monero, and ZOnDrop to anything with private data * Zeroize private keys and nonces * Merge prepare_outputs and prepare_transactions * Ensure CLSAG is constant time * Pass by borrow where needed, bug fixes The past few commitments have been one in-progress chunk which I've broken up as best read. * Add Zeroize to FROST structs Still needs to zeroize internally, yet next step. Not quite as aggressive as Monero, partially due to the limitations of HashMaps, partially due to less concern about metadata, yet does still delete a few smaller items of metadata (group key, context string...). * Remove Zeroize from most Monero multisig structs These structs largely didn't have private data, just fields with private data, yet those fields implemented ZeroizeOnDrop making them already covered. While there is still traces of the transaction left in RAM, fully purging that was never the intent. * Use Zeroize within dleq bitvec doesn't offer Zeroize, so a manual zeroing has been implemented. * Use Zeroize for random_nonce It isn't perfect, due to the inability to zeroize the digest, and due to kp256 requiring a few transformations. It does the best it can though. Does move the per-curve random_nonce to a provided one, which is allowed as of https://github.com/cfrg/draft-irtf-cfrg-frost/pull/231. * Use Zeroize on FROST keygen/signing * Zeroize constant time multiexp. * Correct when FROST keygen zeroizes * Move the FROST keys Arc into FrostKeys Reduces amount of instances in memory. * Manually implement Debug for FrostCore to not leak the secret share * Misc bug fixes * clippy + multiexp test bug fixes * Correct FROST key gen share summation It leaked our own share for ourself. * Fix cross-group DLEq tests
2022-08-03 03:25:18 -05:00
rct_signatures: RctSignatures {
base: RctBase {
fee: self.fee,
ecdh_info,
commitments: commitments.iter().map(|commitment| commitment.calculate()).collect(),
},
prunable: RctPrunable::Clsag {
bulletproofs: vec![bp],
clsags: vec![],
pseudo_outs: vec![],
},
Apply an initial set of rustfmt rules
2022-07-15 01:26:07 -04:00
},
},
Utilize zeroize (#76) * Apply Zeroize to nonces used in Bulletproofs Also makes bit decomposition constant time for a given amount of outputs. * Fix nonce reuse for single-signer CLSAG * Attach Zeroize to most structures in Monero, and ZOnDrop to anything with private data * Zeroize private keys and nonces * Merge prepare_outputs and prepare_transactions * Ensure CLSAG is constant time * Pass by borrow where needed, bug fixes The past few commitments have been one in-progress chunk which I've broken up as best read. * Add Zeroize to FROST structs Still needs to zeroize internally, yet next step. Not quite as aggressive as Monero, partially due to the limitations of HashMaps, partially due to less concern about metadata, yet does still delete a few smaller items of metadata (group key, context string...). * Remove Zeroize from most Monero multisig structs These structs largely didn't have private data, just fields with private data, yet those fields implemented ZeroizeOnDrop making them already covered. While there is still traces of the transaction left in RAM, fully purging that was never the intent. * Use Zeroize within dleq bitvec doesn't offer Zeroize, so a manual zeroing has been implemented. * Use Zeroize for random_nonce It isn't perfect, due to the inability to zeroize the digest, and due to kp256 requiring a few transformations. It does the best it can though. Does move the per-curve random_nonce to a provided one, which is allowed as of https://github.com/cfrg/draft-irtf-cfrg-frost/pull/231. * Use Zeroize on FROST keygen/signing * Zeroize constant time multiexp. * Correct when FROST keygen zeroizes * Move the FROST keys Arc into FrostKeys Reduces amount of instances in memory. * Manually implement Debug for FrostCore to not leak the secret share * Misc bug fixes * clippy + multiexp test bug fixes * Correct FROST key gen share summation It leaked our own share for ourself. * Fix cross-group DLEq tests
2022-08-03 03:25:18 -05:00
sum,
)
Remove monero-rs types Still missing an updated RPC file. Restructures the library as it makes sense
2022-05-21 15:33:35 -04:00
}
Initial documentation for the Monero libraries (#122) * Document all features * Largely document the Monero libraries Relevant to https://github.com/serai-dex/serai/issues/103 and likely sufficient to get this removed from https://github.com/serai-dex/serai/issues/102.
2022-09-28 07:44:49 -05:00
/// Sign this transaction.
Remove monero-rs types Still missing an updated RPC file. Restructures the library as it makes sense
2022-05-21 15:33:35 -04:00
pub async fn sign<R: RngCore + CryptoRng>(
Write a test runner for Monero transactions Also includes a few fixes for the library itself. Supersedes #172.
2022-12-05 17:25:09 -05:00
mut self,
Remove monero-rs types Still missing an updated RPC file. Restructures the library as it makes sense
2022-05-21 15:33:35 -04:00
rng: &mut R,
rpc: &Rpc,
Fix https://github.com/serai-dex/serai/issues/150
2022-11-10 22:35:09 -05:00
spend: &Zeroizing<Scalar>,
Remove monero-rs types Still missing an updated RPC file. Restructures the library as it makes sense
2022-05-21 15:33:35 -04:00
) -> Result<Transaction, TransactionError> {
Properly calculate uniqueness when creating change outputs It was missing sorting its inputs by their key images.
2022-05-21 21:44:57 -04:00
let mut images = Vec::with_capacity(self.inputs.len());
for input in &self.inputs {
Fix https://github.com/serai-dex/serai/issues/150
2022-11-10 22:35:09 -05:00
let mut offset = Zeroizing::new(spend.deref() + input.key_offset());
if (offset.deref() * &ED25519_BASEPOINT_TABLE) != input.key() {
Error when the wrong spend key is used to sign a transaction Moves decoy selection to being the last step in the multisig process so the RPC is only polled to continue valid transactions.
2022-06-09 04:05:57 -04:00
Err(TransactionError::WrongPrivateKey)?;
}
Fix https://github.com/serai-dex/serai/issues/150
2022-11-10 22:35:09 -05:00
images.push(generate_key_image(&offset));
Utilize zeroize (#76) * Apply Zeroize to nonces used in Bulletproofs Also makes bit decomposition constant time for a given amount of outputs. * Fix nonce reuse for single-signer CLSAG * Attach Zeroize to most structures in Monero, and ZOnDrop to anything with private data * Zeroize private keys and nonces * Merge prepare_outputs and prepare_transactions * Ensure CLSAG is constant time * Pass by borrow where needed, bug fixes The past few commitments have been one in-progress chunk which I've broken up as best read. * Add Zeroize to FROST structs Still needs to zeroize internally, yet next step. Not quite as aggressive as Monero, partially due to the limitations of HashMaps, partially due to less concern about metadata, yet does still delete a few smaller items of metadata (group key, context string...). * Remove Zeroize from most Monero multisig structs These structs largely didn't have private data, just fields with private data, yet those fields implemented ZeroizeOnDrop making them already covered. While there is still traces of the transaction left in RAM, fully purging that was never the intent. * Use Zeroize within dleq bitvec doesn't offer Zeroize, so a manual zeroing has been implemented. * Use Zeroize for random_nonce It isn't perfect, due to the inability to zeroize the digest, and due to kp256 requiring a few transformations. It does the best it can though. Does move the per-curve random_nonce to a provided one, which is allowed as of https://github.com/cfrg/draft-irtf-cfrg-frost/pull/231. * Use Zeroize on FROST keygen/signing * Zeroize constant time multiexp. * Correct when FROST keygen zeroizes * Move the FROST keys Arc into FrostKeys Reduces amount of instances in memory. * Manually implement Debug for FrostCore to not leak the secret share * Misc bug fixes * clippy + multiexp test bug fixes * Correct FROST key gen share summation It leaked our own share for ourself. * Fix cross-group DLEq tests
2022-08-03 03:25:18 -05:00
offset.zeroize();
Properly calculate uniqueness when creating change outputs It was missing sorting its inputs by their key images.
2022-05-21 21:44:57 -04:00
}
Override Monero's random function with a Rust-seedable random Closes https://github.com/serai-dex/serai/issues/2. Also finishes the implementation of https://github.com/monero-project/research-lab/issues/103.
2022-05-22 01:56:17 -04:00
images.sort_by(key_image_sort);
Properly calculate uniqueness when creating change outputs It was missing sorting its inputs by their key images.
2022-05-21 21:44:57 -04:00
Utilize zeroize (#76) * Apply Zeroize to nonces used in Bulletproofs Also makes bit decomposition constant time for a given amount of outputs. * Fix nonce reuse for single-signer CLSAG * Attach Zeroize to most structures in Monero, and ZOnDrop to anything with private data * Zeroize private keys and nonces * Merge prepare_outputs and prepare_transactions * Ensure CLSAG is constant time * Pass by borrow where needed, bug fixes The past few commitments have been one in-progress chunk which I've broken up as best read. * Add Zeroize to FROST structs Still needs to zeroize internally, yet next step. Not quite as aggressive as Monero, partially due to the limitations of HashMaps, partially due to less concern about metadata, yet does still delete a few smaller items of metadata (group key, context string...). * Remove Zeroize from most Monero multisig structs These structs largely didn't have private data, just fields with private data, yet those fields implemented ZeroizeOnDrop making them already covered. While there is still traces of the transaction left in RAM, fully purging that was never the intent. * Use Zeroize within dleq bitvec doesn't offer Zeroize, so a manual zeroing has been implemented. * Use Zeroize for random_nonce It isn't perfect, due to the inability to zeroize the digest, and due to kp256 requiring a few transformations. It does the best it can though. Does move the per-curve random_nonce to a provided one, which is allowed as of https://github.com/cfrg/draft-irtf-cfrg-frost/pull/231. * Use Zeroize on FROST keygen/signing * Zeroize constant time multiexp. * Correct when FROST keygen zeroizes * Move the FROST keys Arc into FrostKeys Reduces amount of instances in memory. * Manually implement Debug for FrostCore to not leak the secret share * Misc bug fixes * clippy + multiexp test bug fixes * Correct FROST key gen share summation It leaked our own share for ourself. * Fix cross-group DLEq tests
2022-08-03 03:25:18 -05:00
let (mut tx, mask_sum) = self.prepare_transaction(
Remove monero-rs types Still missing an updated RPC file. Restructures the library as it makes sense
2022-05-21 15:33:35 -04:00
rng,
Override Monero's random function with a Rust-seedable random Closes https://github.com/serai-dex/serai/issues/2. Also finishes the implementation of https://github.com/monero-project/research-lab/issues/103.
2022-05-22 01:56:17 -04:00
uniqueness(
Apply an initial set of rustfmt rules
2022-07-15 01:26:07 -04:00
&images
.iter()
.map(|image| Input::ToKey { amount: 0, key_offsets: vec![], key_image: *image })
.collect::<Vec<_>>(),
),
Add fee handling code to Monero Updates how change outputs are handled, with a far more logical construction offering greater flexibility. prepare_outputs can not longer error. SignaableTransaction::new will.
2022-06-19 12:03:01 -04:00
);
Remove monero-rs types Still missing an updated RPC file. Restructures the library as it makes sense
2022-05-21 15:33:35 -04:00
Bulletproofs+ (#70) * Initial stab at Bulletproofs+ Does move around the existing Bulletproofs code, does still work as expected. * Make the Clsag RCTPrunable type work with BP and BP+ * Initial set of BP+ bug fixes * Further bug fixes * Remove RING_LEN as a constant * Monero v16 TX support Doesn't implement view tags, nor going back to v14, nor the updated BP clawback logic. * Support v14 and v16 at the same time
2022-07-27 04:05:43 -05:00
let signable =
prepare_inputs(rng, rpc, self.protocol.ring_len(), &self.inputs, spend, &mut tx).await?;
Remove monero-rs types Still missing an updated RPC file. Restructures the library as it makes sense
2022-05-21 15:33:35 -04:00
Utilize zeroize (#76) * Apply Zeroize to nonces used in Bulletproofs Also makes bit decomposition constant time for a given amount of outputs. * Fix nonce reuse for single-signer CLSAG * Attach Zeroize to most structures in Monero, and ZOnDrop to anything with private data * Zeroize private keys and nonces * Merge prepare_outputs and prepare_transactions * Ensure CLSAG is constant time * Pass by borrow where needed, bug fixes The past few commitments have been one in-progress chunk which I've broken up as best read. * Add Zeroize to FROST structs Still needs to zeroize internally, yet next step. Not quite as aggressive as Monero, partially due to the limitations of HashMaps, partially due to less concern about metadata, yet does still delete a few smaller items of metadata (group key, context string...). * Remove Zeroize from most Monero multisig structs These structs largely didn't have private data, just fields with private data, yet those fields implemented ZeroizeOnDrop making them already covered. While there is still traces of the transaction left in RAM, fully purging that was never the intent. * Use Zeroize within dleq bitvec doesn't offer Zeroize, so a manual zeroing has been implemented. * Use Zeroize for random_nonce It isn't perfect, due to the inability to zeroize the digest, and due to kp256 requiring a few transformations. It does the best it can though. Does move the per-curve random_nonce to a provided one, which is allowed as of https://github.com/cfrg/draft-irtf-cfrg-frost/pull/231. * Use Zeroize on FROST keygen/signing * Zeroize constant time multiexp. * Correct when FROST keygen zeroizes * Move the FROST keys Arc into FrostKeys Reduces amount of instances in memory. * Manually implement Debug for FrostCore to not leak the secret share * Misc bug fixes * clippy + multiexp test bug fixes * Correct FROST key gen share summation It leaked our own share for ourself. * Fix cross-group DLEq tests
2022-08-03 03:25:18 -05:00
let clsag_pairs = Clsag::sign(rng, signable, mask_sum, tx.signature_hash());
Remove monero-rs types Still missing an updated RPC file. Restructures the library as it makes sense
2022-05-21 15:33:35 -04:00
match tx.rct_signatures.prunable {
RctPrunable::Null => panic!("Signing for RctPrunable::Null"),
RctPrunable::Clsag { ref mut clsags, ref mut pseudo_outs, .. } => {
clsags.append(&mut clsag_pairs.iter().map(|clsag| clsag.0.clone()).collect::<Vec<_>>());
Correct clippy warnings Currently intended to be done with: cargo clippy --features "recommended merlin batch serialize experimental ed25519 ristretto p256 secp256k1 multisig" -- -A clippy::type_complexity -A dead_code
2022-07-22 02:34:36 -04:00
pseudo_outs.append(&mut clsag_pairs.iter().map(|clsag| clsag.1).collect::<Vec<_>>());
Remove monero-rs types Still missing an updated RPC file. Restructures the library as it makes sense
2022-05-21 15:33:35 -04:00
}
}
Ok(tx)
}
}
Reference in New Issue Copy Permalink