2022-08-22 08:57:36 -04:00
|
|
|
use std::collections::{HashSet, HashMap};
|
2022-08-22 08:32:09 -04:00
|
|
|
|
Utilize zeroize (#76)
* Apply Zeroize to nonces used in Bulletproofs
Also makes bit decomposition constant time for a given amount of
outputs.
* Fix nonce reuse for single-signer CLSAG
* Attach Zeroize to most structures in Monero, and ZOnDrop to anything with private data
* Zeroize private keys and nonces
* Merge prepare_outputs and prepare_transactions
* Ensure CLSAG is constant time
* Pass by borrow where needed, bug fixes
The past few commitments have been one in-progress chunk which I've
broken up as best read.
* Add Zeroize to FROST structs
Still needs to zeroize internally, yet next step. Not quite as
aggressive as Monero, partially due to the limitations of HashMaps,
partially due to less concern about metadata, yet does still delete a
few smaller items of metadata (group key, context string...).
* Remove Zeroize from most Monero multisig structs
These structs largely didn't have private data, just fields with private
data, yet those fields implemented ZeroizeOnDrop making them already
covered. While there is still traces of the transaction left in RAM,
fully purging that was never the intent.
* Use Zeroize within dleq
bitvec doesn't offer Zeroize, so a manual zeroing has been implemented.
* Use Zeroize for random_nonce
It isn't perfect, due to the inability to zeroize the digest, and due to
kp256 requiring a few transformations. It does the best it can though.
Does move the per-curve random_nonce to a provided one, which is allowed
as of https://github.com/cfrg/draft-irtf-cfrg-frost/pull/231.
* Use Zeroize on FROST keygen/signing
* Zeroize constant time multiexp.
* Correct when FROST keygen zeroizes
* Move the FROST keys Arc into FrostKeys
Reduces amount of instances in memory.
* Manually implement Debug for FrostCore to not leak the secret share
* Misc bug fixes
* clippy + multiexp test bug fixes
* Correct FROST key gen share summation
It leaked our own share for ourself.
* Fix cross-group DLEq tests
2022-08-03 03:25:18 -05:00
|
|
|
use zeroize::{Zeroize, ZeroizeOnDrop};
|
|
|
|
|
|
2022-08-22 08:32:09 -04:00
|
|
|
use curve25519_dalek::{
|
|
|
|
|
constants::ED25519_BASEPOINT_TABLE,
|
|
|
|
|
scalar::Scalar,
|
|
|
|
|
edwards::{EdwardsPoint, CompressedEdwardsY},
|
|
|
|
|
};
|
2022-05-21 15:33:35 -04:00
|
|
|
|
2022-07-15 01:26:07 -04:00
|
|
|
use crate::{hash, hash_to_scalar, serialize::write_varint, transaction::Input};
|
2022-05-21 15:33:35 -04:00
|
|
|
|
2022-08-21 08:41:19 -04:00
|
|
|
mod extra;
|
|
|
|
|
pub(crate) use extra::{PaymentId, ExtraField, Extra};
|
|
|
|
|
|
2022-09-29 05:25:29 -04:00
|
|
|
/// Address encoding and decoding functionality.
|
2022-06-28 00:01:20 -04:00
|
|
|
pub mod address;
|
2022-11-15 00:06:15 -05:00
|
|
|
use address::{Network, AddressType, AddressMeta, MoneroAddress};
|
2022-06-28 00:01:20 -04:00
|
|
|
|
2022-05-21 15:33:35 -04:00
|
|
|
mod scan;
|
|
|
|
|
pub use scan::SpendableOutput;
|
|
|
|
|
|
|
|
|
|
pub(crate) mod decoys;
|
|
|
|
|
pub(crate) use decoys::Decoys;
|
|
|
|
|
|
|
|
|
|
mod send;
|
2022-06-19 12:03:01 -04:00
|
|
|
pub use send::{Fee, TransactionError, SignableTransaction};
|
2022-06-10 09:36:07 -04:00
|
|
|
#[cfg(feature = "multisig")]
|
|
|
|
|
pub use send::TransactionMachine;
|
2022-05-21 15:33:35 -04:00
|
|
|
|
2022-05-22 01:56:17 -04:00
|
|
|
fn key_image_sort(x: &EdwardsPoint, y: &EdwardsPoint) -> std::cmp::Ordering {
|
|
|
|
|
x.compress().to_bytes().cmp(&y.compress().to_bytes()).reverse()
|
|
|
|
|
}
|
|
|
|
|
|
2022-06-30 03:16:51 -04:00
|
|
|
// https://gist.github.com/kayabaNerve/8066c13f1fe1573286ba7a2fd79f6100
|
2022-05-21 15:33:35 -04:00
|
|
|
pub(crate) fn uniqueness(inputs: &[Input]) -> [u8; 32] {
|
2022-06-28 00:01:20 -04:00
|
|
|
let mut u = b"uniqueness".to_vec();
|
2022-05-21 15:33:35 -04:00
|
|
|
for input in inputs {
|
|
|
|
|
match input {
|
|
|
|
|
// If Gen, this should be the only input, making this loop somewhat pointless
|
|
|
|
|
// This works and even if there were somehow multiple inputs, it'd be a false negative
|
2022-07-15 01:26:07 -04:00
|
|
|
Input::Gen(height) => {
|
2022-07-22 02:34:36 -04:00
|
|
|
write_varint(height, &mut u).unwrap();
|
2022-07-15 01:26:07 -04:00
|
|
|
}
|
|
|
|
|
Input::ToKey { key_image, .. } => u.extend(key_image.compress().to_bytes()),
|
2022-05-21 15:33:35 -04:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
hash(&u)
|
|
|
|
|
}
|
|
|
|
|
|
2022-08-22 06:54:01 -04:00
|
|
|
// Hs("view_tag" || 8Ra || o), Hs(8Ra || o), and H(8Ra || 0x8d) with uniqueness inclusion in the
|
|
|
|
|
// Scalar as an option
|
2022-05-21 15:33:35 -04:00
|
|
|
#[allow(non_snake_case)]
|
2022-07-15 01:26:07 -04:00
|
|
|
pub(crate) fn shared_key(
|
|
|
|
|
uniqueness: Option<[u8; 32]>,
|
Utilize zeroize (#76)
* Apply Zeroize to nonces used in Bulletproofs
Also makes bit decomposition constant time for a given amount of
outputs.
* Fix nonce reuse for single-signer CLSAG
* Attach Zeroize to most structures in Monero, and ZOnDrop to anything with private data
* Zeroize private keys and nonces
* Merge prepare_outputs and prepare_transactions
* Ensure CLSAG is constant time
* Pass by borrow where needed, bug fixes
The past few commitments have been one in-progress chunk which I've
broken up as best read.
* Add Zeroize to FROST structs
Still needs to zeroize internally, yet next step. Not quite as
aggressive as Monero, partially due to the limitations of HashMaps,
partially due to less concern about metadata, yet does still delete a
few smaller items of metadata (group key, context string...).
* Remove Zeroize from most Monero multisig structs
These structs largely didn't have private data, just fields with private
data, yet those fields implemented ZeroizeOnDrop making them already
covered. While there is still traces of the transaction left in RAM,
fully purging that was never the intent.
* Use Zeroize within dleq
bitvec doesn't offer Zeroize, so a manual zeroing has been implemented.
* Use Zeroize for random_nonce
It isn't perfect, due to the inability to zeroize the digest, and due to
kp256 requiring a few transformations. It does the best it can though.
Does move the per-curve random_nonce to a provided one, which is allowed
as of https://github.com/cfrg/draft-irtf-cfrg-frost/pull/231.
* Use Zeroize on FROST keygen/signing
* Zeroize constant time multiexp.
* Correct when FROST keygen zeroizes
* Move the FROST keys Arc into FrostKeys
Reduces amount of instances in memory.
* Manually implement Debug for FrostCore to not leak the secret share
* Misc bug fixes
* clippy + multiexp test bug fixes
* Correct FROST key gen share summation
It leaked our own share for ourself.
* Fix cross-group DLEq tests
2022-08-03 03:25:18 -05:00
|
|
|
s: &Scalar,
|
2022-07-15 01:26:07 -04:00
|
|
|
P: &EdwardsPoint,
|
|
|
|
|
o: usize,
|
2022-08-22 06:54:01 -04:00
|
|
|
) -> (u8, Scalar, [u8; 8]) {
|
2022-07-27 06:29:14 -04:00
|
|
|
// 8Ra
|
|
|
|
|
let mut output_derivation = (s * P).mul_by_cofactor().compress().to_bytes().to_vec();
|
2022-05-21 15:33:35 -04:00
|
|
|
// || o
|
2022-07-27 06:29:14 -04:00
|
|
|
write_varint(&o.try_into().unwrap(), &mut output_derivation).unwrap();
|
|
|
|
|
|
|
|
|
|
let view_tag = hash(&[b"view_tag".as_ref(), &output_derivation].concat())[0];
|
2022-08-22 06:54:01 -04:00
|
|
|
let mut payment_id_xor = [0; 8];
|
|
|
|
|
payment_id_xor
|
|
|
|
|
.copy_from_slice(&hash(&[output_derivation.as_ref(), [0x8d].as_ref()].concat())[.. 8]);
|
2022-07-27 06:29:14 -04:00
|
|
|
|
|
|
|
|
// uniqueness ||
|
|
|
|
|
let shared_key = if let Some(uniqueness) = uniqueness {
|
|
|
|
|
[uniqueness.as_ref(), &output_derivation].concat().to_vec()
|
|
|
|
|
} else {
|
|
|
|
|
output_derivation
|
|
|
|
|
};
|
|
|
|
|
|
2022-08-22 06:54:01 -04:00
|
|
|
(view_tag, hash_to_scalar(&shared_key), payment_id_xor)
|
2022-05-21 15:33:35 -04:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
pub(crate) fn amount_encryption(amount: u64, key: Scalar) -> [u8; 8] {
|
|
|
|
|
let mut amount_mask = b"amount".to_vec();
|
|
|
|
|
amount_mask.extend(key.to_bytes());
|
2022-08-22 06:54:01 -04:00
|
|
|
(amount ^ u64::from_le_bytes(hash(&amount_mask)[.. 8].try_into().unwrap())).to_le_bytes()
|
2022-05-21 15:33:35 -04:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
fn amount_decryption(amount: [u8; 8], key: Scalar) -> u64 {
|
|
|
|
|
u64::from_le_bytes(amount_encryption(u64::from_le_bytes(amount), key))
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
pub(crate) fn commitment_mask(shared_key: Scalar) -> Scalar {
|
|
|
|
|
let mut mask = b"commitment_mask".to_vec();
|
|
|
|
|
mask.extend(shared_key.to_bytes());
|
|
|
|
|
hash_to_scalar(&mask)
|
|
|
|
|
}
|
2022-06-28 00:01:20 -04:00
|
|
|
|
2022-09-28 07:44:49 -05:00
|
|
|
/// The private view key and public spend key, enabling scanning transactions.
|
Utilize zeroize (#76)
* Apply Zeroize to nonces used in Bulletproofs
Also makes bit decomposition constant time for a given amount of
outputs.
* Fix nonce reuse for single-signer CLSAG
* Attach Zeroize to most structures in Monero, and ZOnDrop to anything with private data
* Zeroize private keys and nonces
* Merge prepare_outputs and prepare_transactions
* Ensure CLSAG is constant time
* Pass by borrow where needed, bug fixes
The past few commitments have been one in-progress chunk which I've
broken up as best read.
* Add Zeroize to FROST structs
Still needs to zeroize internally, yet next step. Not quite as
aggressive as Monero, partially due to the limitations of HashMaps,
partially due to less concern about metadata, yet does still delete a
few smaller items of metadata (group key, context string...).
* Remove Zeroize from most Monero multisig structs
These structs largely didn't have private data, just fields with private
data, yet those fields implemented ZeroizeOnDrop making them already
covered. While there is still traces of the transaction left in RAM,
fully purging that was never the intent.
* Use Zeroize within dleq
bitvec doesn't offer Zeroize, so a manual zeroing has been implemented.
* Use Zeroize for random_nonce
It isn't perfect, due to the inability to zeroize the digest, and due to
kp256 requiring a few transformations. It does the best it can though.
Does move the per-curve random_nonce to a provided one, which is allowed
as of https://github.com/cfrg/draft-irtf-cfrg-frost/pull/231.
* Use Zeroize on FROST keygen/signing
* Zeroize constant time multiexp.
* Correct when FROST keygen zeroizes
* Move the FROST keys Arc into FrostKeys
Reduces amount of instances in memory.
* Manually implement Debug for FrostCore to not leak the secret share
* Misc bug fixes
* clippy + multiexp test bug fixes
* Correct FROST key gen share summation
It leaked our own share for ourself.
* Fix cross-group DLEq tests
2022-08-03 03:25:18 -05:00
|
|
|
#[derive(Clone, Zeroize, ZeroizeOnDrop)]
|
2022-06-28 00:01:20 -04:00
|
|
|
pub struct ViewPair {
|
2022-08-22 08:32:09 -04:00
|
|
|
spend: EdwardsPoint,
|
|
|
|
|
view: Scalar,
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
impl ViewPair {
|
|
|
|
|
pub fn new(spend: EdwardsPoint, view: Scalar) -> ViewPair {
|
|
|
|
|
ViewPair { spend, view }
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
pub(crate) fn subaddress(&self, index: (u32, u32)) -> Scalar {
|
|
|
|
|
if index == (0, 0) {
|
|
|
|
|
return Scalar::zero();
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
hash_to_scalar(
|
|
|
|
|
&[
|
|
|
|
|
b"SubAddr\0".as_ref(),
|
|
|
|
|
&self.view.to_bytes(),
|
|
|
|
|
&index.0.to_le_bytes(),
|
|
|
|
|
&index.1.to_le_bytes(),
|
|
|
|
|
]
|
|
|
|
|
.concat(),
|
|
|
|
|
)
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2022-09-28 07:44:49 -05:00
|
|
|
/// Transaction scanner.
|
|
|
|
|
/// This scanner is capable of generating subaddresses, additionally scanning for them once they've
|
|
|
|
|
/// been explicitly generated. If the burning bug is attempted, any secondary outputs will be
|
|
|
|
|
/// ignored.
|
2022-08-22 08:32:09 -04:00
|
|
|
#[derive(Clone)]
|
|
|
|
|
pub struct Scanner {
|
|
|
|
|
pair: ViewPair,
|
|
|
|
|
network: Network,
|
|
|
|
|
pub(crate) subaddresses: HashMap<CompressedEdwardsY, (u32, u32)>,
|
2022-08-22 08:57:36 -04:00
|
|
|
pub(crate) burning_bug: Option<HashSet<CompressedEdwardsY>>,
|
2022-08-22 08:32:09 -04:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
impl Zeroize for Scanner {
|
|
|
|
|
fn zeroize(&mut self) {
|
|
|
|
|
self.pair.zeroize();
|
|
|
|
|
self.network.zeroize();
|
2022-08-22 08:57:36 -04:00
|
|
|
|
|
|
|
|
// These may not be effective, unfortunately
|
2022-08-22 08:32:09 -04:00
|
|
|
for (mut key, mut value) in self.subaddresses.drain() {
|
|
|
|
|
key.zeroize();
|
|
|
|
|
value.zeroize();
|
|
|
|
|
}
|
2022-08-22 08:57:36 -04:00
|
|
|
if let Some(ref mut burning_bug) = self.burning_bug.take() {
|
|
|
|
|
for mut output in burning_bug.drain() {
|
|
|
|
|
output.zeroize();
|
|
|
|
|
}
|
|
|
|
|
}
|
2022-08-22 08:32:09 -04:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
impl Drop for Scanner {
|
|
|
|
|
fn drop(&mut self) {
|
|
|
|
|
self.zeroize();
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
impl ZeroizeOnDrop for Scanner {}
|
|
|
|
|
|
|
|
|
|
impl Scanner {
|
2022-09-28 07:44:49 -05:00
|
|
|
/// Create a Scanner from a ViewPair.
|
|
|
|
|
/// The network is used for generating subaddresses.
|
|
|
|
|
/// burning_bug is a HashSet of used keys, intended to prevent key reuse which would burn funds.
|
|
|
|
|
/// When an output is successfully scanned, the output key MUST be saved to disk.
|
|
|
|
|
/// When a new scanner is created, ALL saved output keys must be passed in to be secure.
|
|
|
|
|
/// If None is passed, a modified shared key derivation is used which is immune to the burning
|
|
|
|
|
/// bug (specifically the Guaranteed feature from Featured Addresses).
|
2022-09-29 01:24:33 -05:00
|
|
|
// TODO: Should this take in a DB access handle to ensure output keys are saved?
|
2022-08-22 08:57:36 -04:00
|
|
|
pub fn from_view(
|
|
|
|
|
pair: ViewPair,
|
|
|
|
|
network: Network,
|
|
|
|
|
burning_bug: Option<HashSet<CompressedEdwardsY>>,
|
|
|
|
|
) -> Scanner {
|
2022-08-22 08:32:09 -04:00
|
|
|
let mut subaddresses = HashMap::new();
|
|
|
|
|
subaddresses.insert(pair.spend.compress(), (0, 0));
|
2022-08-22 08:57:36 -04:00
|
|
|
Scanner { pair, network, subaddresses, burning_bug }
|
2022-08-22 08:32:09 -04:00
|
|
|
}
|
|
|
|
|
|
2022-09-28 07:44:49 -05:00
|
|
|
/// Return the main address for this view pair.
|
2022-11-15 00:06:15 -05:00
|
|
|
pub fn address(&self) -> MoneroAddress {
|
|
|
|
|
MoneroAddress::new(
|
|
|
|
|
AddressMeta::new(
|
|
|
|
|
self.network,
|
|
|
|
|
if self.burning_bug.is_none() {
|
2022-08-22 08:32:09 -04:00
|
|
|
AddressType::Featured(false, None, true)
|
|
|
|
|
} else {
|
|
|
|
|
AddressType::Standard
|
|
|
|
|
},
|
2022-11-15 00:06:15 -05:00
|
|
|
),
|
2022-08-22 08:32:09 -04:00
|
|
|
self.pair.spend,
|
|
|
|
|
&self.pair.view * &ED25519_BASEPOINT_TABLE,
|
|
|
|
|
)
|
|
|
|
|
}
|
|
|
|
|
|
2022-09-28 07:44:49 -05:00
|
|
|
/// Return the specified subaddress for this view pair.
|
2022-11-15 00:06:15 -05:00
|
|
|
pub fn subaddress(&mut self, index: (u32, u32)) -> MoneroAddress {
|
2022-08-22 08:32:09 -04:00
|
|
|
if index == (0, 0) {
|
|
|
|
|
return self.address();
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
let spend = self.pair.spend + (&self.pair.subaddress(index) * &ED25519_BASEPOINT_TABLE);
|
|
|
|
|
self.subaddresses.insert(spend.compress(), index);
|
|
|
|
|
|
2022-11-15 00:06:15 -05:00
|
|
|
MoneroAddress::new(
|
|
|
|
|
AddressMeta::new(
|
|
|
|
|
self.network,
|
|
|
|
|
if self.burning_bug.is_none() {
|
2022-08-22 08:32:09 -04:00
|
|
|
AddressType::Featured(true, None, true)
|
|
|
|
|
} else {
|
|
|
|
|
AddressType::Subaddress
|
|
|
|
|
},
|
2022-11-15 00:06:15 -05:00
|
|
|
),
|
2022-08-22 08:32:09 -04:00
|
|
|
spend,
|
|
|
|
|
self.pair.view * spend,
|
|
|
|
|
)
|
|
|
|
|
}
|
2022-06-28 00:01:20 -04:00
|
|
|
}
|