2024-06-15 17:00:11 -04:00
|
|
|
#![cfg_attr(docsrs, feature(doc_auto_cfg))]
|
|
|
|
|
#![doc = include_str!("../README.md")]
|
|
|
|
|
#![cfg_attr(not(feature = "std"), no_std)]
|
2022-05-21 15:33:35 -04:00
|
|
|
#![allow(non_snake_case)]
|
2022-04-28 03:31:09 -04:00
|
|
|
|
2023-06-29 04:14:29 -04:00
|
|
|
use std_shims::{
|
2024-06-16 10:39:28 -04:00
|
|
|
vec,
|
|
|
|
|
vec::Vec,
|
2023-06-29 04:14:29 -04:00
|
|
|
io::{self, Read, Write},
|
|
|
|
|
};
|
2023-01-07 05:18:35 -05:00
|
|
|
|
2022-05-22 01:56:17 -04:00
|
|
|
use rand_core::{RngCore, CryptoRng};
|
2024-06-15 17:00:11 -04:00
|
|
|
use zeroize::Zeroizing;
|
Utilize zeroize (#76)
* Apply Zeroize to nonces used in Bulletproofs
Also makes bit decomposition constant time for a given amount of
outputs.
* Fix nonce reuse for single-signer CLSAG
* Attach Zeroize to most structures in Monero, and ZOnDrop to anything with private data
* Zeroize private keys and nonces
* Merge prepare_outputs and prepare_transactions
* Ensure CLSAG is constant time
* Pass by borrow where needed, bug fixes
The past few commitments have been one in-progress chunk which I've
broken up as best read.
* Add Zeroize to FROST structs
Still needs to zeroize internally, yet next step. Not quite as
aggressive as Monero, partially due to the limitations of HashMaps,
partially due to less concern about metadata, yet does still delete a
few smaller items of metadata (group key, context string...).
* Remove Zeroize from most Monero multisig structs
These structs largely didn't have private data, just fields with private
data, yet those fields implemented ZeroizeOnDrop making them already
covered. While there is still traces of the transaction left in RAM,
fully purging that was never the intent.
* Use Zeroize within dleq
bitvec doesn't offer Zeroize, so a manual zeroing has been implemented.
* Use Zeroize for random_nonce
It isn't perfect, due to the inability to zeroize the digest, and due to
kp256 requiring a few transformations. It does the best it can though.
Does move the per-curve random_nonce to a provided one, which is allowed
as of https://github.com/cfrg/draft-irtf-cfrg-frost/pull/231.
* Use Zeroize on FROST keygen/signing
* Zeroize constant time multiexp.
* Correct when FROST keygen zeroizes
* Move the FROST keys Arc into FrostKeys
Reduces amount of instances in memory.
* Manually implement Debug for FrostCore to not leak the secret share
* Misc bug fixes
* clippy + multiexp test bug fixes
* Correct FROST key gen share summation
It leaked our own share for ourself.
* Fix cross-group DLEq tests
2022-08-03 03:25:18 -05:00
|
|
|
|
2022-07-26 08:06:56 -04:00
|
|
|
use curve25519_dalek::edwards::EdwardsPoint;
|
2022-04-28 03:31:09 -04:00
|
|
|
|
2024-06-15 17:00:11 -04:00
|
|
|
use monero_io::*;
|
2024-06-16 10:39:28 -04:00
|
|
|
pub use monero_generators::MAX_COMMITMENTS;
|
2024-06-15 17:00:11 -04:00
|
|
|
use monero_primitives::Commitment;
|
2022-05-13 20:26:53 -04:00
|
|
|
|
2022-07-26 02:05:15 -05:00
|
|
|
pub(crate) mod scalar_vector;
|
2022-07-31 23:12:45 -04:00
|
|
|
pub(crate) mod core;
|
2024-06-16 10:39:28 -04:00
|
|
|
use crate::core::LOG_COMMITMENT_BITS;
|
2024-06-15 17:00:11 -04:00
|
|
|
|
2024-06-16 10:39:28 -04:00
|
|
|
pub(crate) mod batch_verifier;
|
|
|
|
|
use batch_verifier::{BulletproofsBatchVerifier, BulletproofsPlusBatchVerifier};
|
|
|
|
|
pub use batch_verifier::BatchVerifier;
|
2022-07-26 02:05:15 -05:00
|
|
|
|
2022-07-31 23:12:45 -04:00
|
|
|
pub(crate) mod original;
|
2024-06-15 17:00:11 -04:00
|
|
|
use crate::original::OriginalStruct;
|
2022-07-26 02:05:15 -05:00
|
|
|
|
2023-08-27 15:33:17 -04:00
|
|
|
pub(crate) mod plus;
|
2024-06-15 17:00:11 -04:00
|
|
|
use crate::plus::*;
|
|
|
|
|
|
|
|
|
|
#[cfg(test)]
|
|
|
|
|
mod tests;
|
|
|
|
|
|
2024-06-16 10:39:28 -04:00
|
|
|
/// An error from proving/verifying Bulletproofs(+).
|
2024-06-15 17:00:11 -04:00
|
|
|
#[derive(Clone, Copy, PartialEq, Eq, Debug)]
|
|
|
|
|
#[cfg_attr(feature = "std", derive(thiserror::Error))]
|
|
|
|
|
pub enum BulletproofError {
|
2024-06-16 10:39:28 -04:00
|
|
|
/// Proving/verifying a Bulletproof(+) range proof with no commitments.
|
2024-06-15 17:00:11 -04:00
|
|
|
#[cfg_attr(feature = "std", error("no commitments to prove the range for"))]
|
|
|
|
|
NoCommitments,
|
2024-06-16 10:39:28 -04:00
|
|
|
/// Proving/verifying a Bulletproof(+) range proof with more commitments than supported.
|
2024-06-15 17:00:11 -04:00
|
|
|
#[cfg_attr(feature = "std", error("too many commitments to prove the range for"))]
|
|
|
|
|
TooManyCommitments,
|
|
|
|
|
}
|
2022-07-31 23:12:45 -04:00
|
|
|
|
2024-06-16 10:39:28 -04:00
|
|
|
/// A Bulletproof(+).
|
|
|
|
|
///
|
|
|
|
|
/// This encapsulates either a Bulletproof or a Bulletproof+.
|
2022-07-31 23:12:45 -04:00
|
|
|
#[allow(clippy::large_enum_variant)]
|
|
|
|
|
#[derive(Clone, PartialEq, Eq, Debug)]
|
2024-04-22 00:00:14 -04:00
|
|
|
pub enum Bulletproof {
|
2022-07-31 23:12:45 -04:00
|
|
|
Original(OriginalStruct),
|
2023-08-27 15:33:17 -04:00
|
|
|
Plus(AggregateRangeProof),
|
2022-07-31 23:12:45 -04:00
|
|
|
}
|
2022-06-19 12:03:01 -04:00
|
|
|
|
2024-04-22 00:00:14 -04:00
|
|
|
impl Bulletproof {
|
2023-07-19 12:06:05 -07:00
|
|
|
fn bp_fields(plus: bool) -> usize {
|
|
|
|
|
if plus {
|
|
|
|
|
6
|
|
|
|
|
} else {
|
|
|
|
|
9
|
|
|
|
|
}
|
|
|
|
|
}
|
2022-08-21 10:35:10 -04:00
|
|
|
|
2024-06-16 10:39:28 -04:00
|
|
|
/// Calculate the weight penalty for the Bulletproof(+).
|
|
|
|
|
///
|
|
|
|
|
/// Bulletproofs(+) are logarithmically sized yet linearly timed. Evaluating by their size alone
|
|
|
|
|
/// accordingly doesn't properly represent the burden of the proof. Monero 'claws back' some of
|
|
|
|
|
/// the weight lost by using a proof smaller than it is fast to compensate for this.
|
2023-07-19 12:06:05 -07:00
|
|
|
// https://github.com/monero-project/monero/blob/94e67bf96bbc010241f29ada6abc89f49a81759c/
|
|
|
|
|
// src/cryptonote_basic/cryptonote_format_utils.cpp#L106-L124
|
2024-06-15 17:00:11 -04:00
|
|
|
pub fn calculate_bp_clawback(plus: bool, n_outputs: usize) -> (usize, usize) {
|
2022-08-21 10:35:10 -04:00
|
|
|
#[allow(non_snake_case)]
|
2023-07-19 12:06:05 -07:00
|
|
|
let mut LR_len = 0;
|
|
|
|
|
let mut n_padded_outputs = 1;
|
|
|
|
|
while n_padded_outputs < n_outputs {
|
|
|
|
|
LR_len += 1;
|
|
|
|
|
n_padded_outputs = 1 << LR_len;
|
|
|
|
|
}
|
2024-06-16 10:39:28 -04:00
|
|
|
LR_len += LOG_COMMITMENT_BITS;
|
2022-08-21 10:35:10 -04:00
|
|
|
|
2023-07-19 12:06:05 -07:00
|
|
|
let mut bp_clawback = 0;
|
|
|
|
|
if n_padded_outputs > 2 {
|
2024-04-22 00:00:14 -04:00
|
|
|
let fields = Bulletproof::bp_fields(plus);
|
2024-06-16 10:39:28 -04:00
|
|
|
let base = ((fields + (2 * (LOG_COMMITMENT_BITS + 1))) * 32) / 2;
|
2023-07-19 12:06:05 -07:00
|
|
|
let size = (fields + (2 * LR_len)) * 32;
|
|
|
|
|
bp_clawback = ((base * n_padded_outputs) - size) * 4 / 5;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
(bp_clawback, LR_len)
|
|
|
|
|
}
|
|
|
|
|
|
2024-06-16 10:39:28 -04:00
|
|
|
/// Calculate the weight of this proof.
|
2024-06-15 17:00:11 -04:00
|
|
|
pub fn fee_weight(plus: bool, outputs: usize) -> usize {
|
2023-07-19 12:06:05 -07:00
|
|
|
#[allow(non_snake_case)]
|
2024-04-22 00:00:14 -04:00
|
|
|
let (bp_clawback, LR_len) = Bulletproof::calculate_bp_clawback(plus, outputs);
|
|
|
|
|
32 * (Bulletproof::bp_fields(plus) + (2 * LR_len)) + 2 + bp_clawback
|
2022-06-19 12:03:01 -04:00
|
|
|
}
|
|
|
|
|
|
2024-04-22 00:00:14 -04:00
|
|
|
/// Prove the list of commitments are within [0 .. 2^64) with an aggregate Bulletproof.
|
2022-07-26 08:06:56 -04:00
|
|
|
pub fn prove<R: RngCore + CryptoRng>(
|
2022-07-15 01:26:07 -04:00
|
|
|
rng: &mut R,
|
|
|
|
|
outputs: &[Commitment],
|
2024-06-15 17:00:11 -04:00
|
|
|
) -> Result<Bulletproof, BulletproofError> {
|
2023-08-27 15:33:17 -04:00
|
|
|
if outputs.is_empty() {
|
2024-06-15 17:00:11 -04:00
|
|
|
Err(BulletproofError::NoCommitments)?;
|
2023-08-27 15:33:17 -04:00
|
|
|
}
|
2024-06-15 17:00:11 -04:00
|
|
|
if outputs.len() > MAX_COMMITMENTS {
|
|
|
|
|
Err(BulletproofError::TooManyCommitments)?;
|
2022-05-21 15:33:35 -04:00
|
|
|
}
|
2024-04-22 00:00:14 -04:00
|
|
|
Ok(Bulletproof::Original(OriginalStruct::prove(rng, outputs)))
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/// Prove the list of commitments are within [0 .. 2^64) with an aggregate Bulletproof+.
|
|
|
|
|
pub fn prove_plus<R: RngCore + CryptoRng>(
|
|
|
|
|
rng: &mut R,
|
|
|
|
|
outputs: Vec<Commitment>,
|
2024-06-15 17:00:11 -04:00
|
|
|
) -> Result<Bulletproof, BulletproofError> {
|
2024-04-22 00:00:14 -04:00
|
|
|
if outputs.is_empty() {
|
2024-06-15 17:00:11 -04:00
|
|
|
Err(BulletproofError::NoCommitments)?;
|
2024-04-22 00:00:14 -04:00
|
|
|
}
|
2024-06-15 17:00:11 -04:00
|
|
|
if outputs.len() > MAX_COMMITMENTS {
|
|
|
|
|
Err(BulletproofError::TooManyCommitments)?;
|
2024-04-22 00:00:14 -04:00
|
|
|
}
|
|
|
|
|
Ok(Bulletproof::Plus(
|
|
|
|
|
AggregateRangeStatement::new(outputs.iter().map(Commitment::calculate).collect())
|
|
|
|
|
.unwrap()
|
|
|
|
|
.prove(rng, &Zeroizing::new(AggregateRangeWitness::new(outputs).unwrap()))
|
|
|
|
|
.unwrap(),
|
|
|
|
|
))
|
2022-05-21 15:33:35 -04:00
|
|
|
}
|
|
|
|
|
|
2024-04-22 00:00:14 -04:00
|
|
|
/// Verify the given Bulletproof(+).
|
2022-07-31 21:45:53 -05:00
|
|
|
#[must_use]
|
|
|
|
|
pub fn verify<R: RngCore + CryptoRng>(&self, rng: &mut R, commitments: &[EdwardsPoint]) -> bool {
|
|
|
|
|
match self {
|
2024-06-16 10:39:28 -04:00
|
|
|
Bulletproof::Original(bp) => {
|
|
|
|
|
let mut verifier = BulletproofsBatchVerifier::default();
|
|
|
|
|
if !bp.verify(rng, &mut verifier, commitments) {
|
|
|
|
|
return false;
|
|
|
|
|
}
|
|
|
|
|
verifier.verify()
|
|
|
|
|
}
|
2024-04-22 00:00:14 -04:00
|
|
|
Bulletproof::Plus(bp) => {
|
2024-06-16 10:39:28 -04:00
|
|
|
let mut verifier = BulletproofsPlusBatchVerifier::default();
|
2024-04-21 23:45:07 -04:00
|
|
|
let Some(statement) = AggregateRangeStatement::new(commitments.to_vec()) else {
|
2023-08-27 15:33:17 -04:00
|
|
|
return false;
|
|
|
|
|
};
|
2024-06-15 17:00:11 -04:00
|
|
|
if !statement.verify(rng, &mut verifier, bp.clone()) {
|
2023-08-27 15:33:17 -04:00
|
|
|
return false;
|
|
|
|
|
}
|
2024-06-15 17:00:11 -04:00
|
|
|
verifier.verify()
|
2023-08-27 15:33:17 -04:00
|
|
|
}
|
2022-07-31 21:45:53 -05:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2024-06-16 10:39:28 -04:00
|
|
|
/// Accumulate the verification for the given Bulletproof(+) into the specified BatchVerifier.
|
2024-04-22 00:00:14 -04:00
|
|
|
///
|
2024-06-16 10:39:28 -04:00
|
|
|
/// Returns false if the Bulletproof(+) isn't sane, leaving the BatchVerifier in an undefined
|
2024-04-22 00:00:14 -04:00
|
|
|
/// state.
|
2024-06-16 10:39:28 -04:00
|
|
|
///
|
|
|
|
|
/// Returns true if the Bulletproof(+) is sane, regardless of its validity.
|
|
|
|
|
///
|
|
|
|
|
/// The BatchVerifier must have its verification function executed to actually verify this proof.
|
2022-07-31 21:45:53 -05:00
|
|
|
#[must_use]
|
2024-06-15 17:00:11 -04:00
|
|
|
pub fn batch_verify<R: RngCore + CryptoRng>(
|
2022-07-31 21:45:53 -05:00
|
|
|
&self,
|
|
|
|
|
rng: &mut R,
|
2024-06-15 17:00:11 -04:00
|
|
|
verifier: &mut BatchVerifier,
|
2022-07-31 21:45:53 -05:00
|
|
|
commitments: &[EdwardsPoint],
|
|
|
|
|
) -> bool {
|
|
|
|
|
match self {
|
2024-06-16 10:39:28 -04:00
|
|
|
Bulletproof::Original(bp) => bp.verify(rng, &mut verifier.original, commitments),
|
2024-04-22 00:00:14 -04:00
|
|
|
Bulletproof::Plus(bp) => {
|
2024-04-21 23:45:07 -04:00
|
|
|
let Some(statement) = AggregateRangeStatement::new(commitments.to_vec()) else {
|
2023-08-27 15:33:17 -04:00
|
|
|
return false;
|
|
|
|
|
};
|
2024-06-15 17:00:11 -04:00
|
|
|
statement.verify(rng, &mut verifier.plus, bp.clone())
|
2023-08-27 15:33:17 -04:00
|
|
|
}
|
2022-07-31 21:45:53 -05:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2023-01-07 05:18:35 -05:00
|
|
|
fn write_core<W: Write, F: Fn(&[EdwardsPoint], &mut W) -> io::Result<()>>(
|
2022-07-15 01:26:07 -04:00
|
|
|
&self,
|
|
|
|
|
w: &mut W,
|
|
|
|
|
specific_write_vec: F,
|
2023-01-07 05:18:35 -05:00
|
|
|
) -> io::Result<()> {
|
2022-07-26 08:06:56 -04:00
|
|
|
match self {
|
2024-04-22 00:00:14 -04:00
|
|
|
Bulletproof::Original(bp) => {
|
2022-07-31 21:45:53 -05:00
|
|
|
write_point(&bp.A, w)?;
|
|
|
|
|
write_point(&bp.S, w)?;
|
|
|
|
|
write_point(&bp.T1, w)?;
|
|
|
|
|
write_point(&bp.T2, w)?;
|
2024-06-15 17:00:11 -04:00
|
|
|
write_scalar(&bp.tau_x, w)?;
|
2022-07-31 21:45:53 -05:00
|
|
|
write_scalar(&bp.mu, w)?;
|
|
|
|
|
specific_write_vec(&bp.L, w)?;
|
|
|
|
|
specific_write_vec(&bp.R, w)?;
|
|
|
|
|
write_scalar(&bp.a, w)?;
|
|
|
|
|
write_scalar(&bp.b, w)?;
|
|
|
|
|
write_scalar(&bp.t, w)
|
2022-07-26 08:06:56 -04:00
|
|
|
}
|
2022-07-27 04:05:43 -05:00
|
|
|
|
2024-04-22 00:00:14 -04:00
|
|
|
Bulletproof::Plus(bp) => {
|
2024-06-15 17:00:11 -04:00
|
|
|
write_point(&bp.A, w)?;
|
|
|
|
|
write_point(&bp.wip.A, w)?;
|
|
|
|
|
write_point(&bp.wip.B, w)?;
|
|
|
|
|
write_scalar(&bp.wip.r_answer, w)?;
|
|
|
|
|
write_scalar(&bp.wip.s_answer, w)?;
|
|
|
|
|
write_scalar(&bp.wip.delta_answer, w)?;
|
|
|
|
|
specific_write_vec(&bp.wip.L, w)?;
|
|
|
|
|
specific_write_vec(&bp.wip.R, w)
|
2022-07-27 04:05:43 -05:00
|
|
|
}
|
2022-07-26 08:06:56 -04:00
|
|
|
}
|
2022-04-28 03:31:09 -04:00
|
|
|
}
|
|
|
|
|
|
2024-06-16 10:39:28 -04:00
|
|
|
/// Write a Bulletproof(+) for the message signed by a transaction's signature.
|
|
|
|
|
///
|
|
|
|
|
/// This has a distinct encoding from the standard encoding.
|
2024-06-15 17:00:11 -04:00
|
|
|
pub fn signature_write<W: Write>(&self, w: &mut W) -> io::Result<()> {
|
2023-01-07 05:18:35 -05:00
|
|
|
self.write_core(w, |points, w| write_raw_vec(write_point, points, w))
|
|
|
|
|
}
|
|
|
|
|
|
2024-06-16 10:39:28 -04:00
|
|
|
/// Write a Bulletproof(+).
|
2023-01-07 05:18:35 -05:00
|
|
|
pub fn write<W: Write>(&self, w: &mut W) -> io::Result<()> {
|
|
|
|
|
self.write_core(w, |points, w| write_vec(write_point, points, w))
|
2022-05-21 15:33:35 -04:00
|
|
|
}
|
2022-04-28 20:09:31 -04:00
|
|
|
|
2024-06-16 10:39:28 -04:00
|
|
|
/// Serialize a Bulletproof(+) to a `Vec<u8>`.
|
2023-01-07 05:18:35 -05:00
|
|
|
pub fn serialize(&self) -> Vec<u8> {
|
|
|
|
|
let mut serialized = vec![];
|
|
|
|
|
self.write(&mut serialized).unwrap();
|
|
|
|
|
serialized
|
2022-04-28 20:09:31 -04:00
|
|
|
}
|
|
|
|
|
|
2024-04-22 00:00:14 -04:00
|
|
|
/// Read a Bulletproof.
|
|
|
|
|
pub fn read<R: Read>(r: &mut R) -> io::Result<Bulletproof> {
|
|
|
|
|
Ok(Bulletproof::Original(OriginalStruct {
|
2022-05-21 15:33:35 -04:00
|
|
|
A: read_point(r)?,
|
|
|
|
|
S: read_point(r)?,
|
|
|
|
|
T1: read_point(r)?,
|
|
|
|
|
T2: read_point(r)?,
|
2024-06-15 17:00:11 -04:00
|
|
|
tau_x: read_scalar(r)?,
|
2022-05-21 15:33:35 -04:00
|
|
|
mu: read_scalar(r)?,
|
2022-05-21 20:27:21 -04:00
|
|
|
L: read_vec(read_point, r)?,
|
|
|
|
|
R: read_vec(read_point, r)?,
|
2022-05-21 15:33:35 -04:00
|
|
|
a: read_scalar(r)?,
|
|
|
|
|
b: read_scalar(r)?,
|
2022-07-15 01:26:07 -04:00
|
|
|
t: read_scalar(r)?,
|
2022-07-31 21:45:53 -05:00
|
|
|
}))
|
2022-04-28 20:09:31 -04:00
|
|
|
}
|
2022-07-27 04:05:43 -05:00
|
|
|
|
2024-04-22 00:00:14 -04:00
|
|
|
/// Read a Bulletproof+.
|
|
|
|
|
pub fn read_plus<R: Read>(r: &mut R) -> io::Result<Bulletproof> {
|
|
|
|
|
Ok(Bulletproof::Plus(AggregateRangeProof {
|
2024-06-15 17:00:11 -04:00
|
|
|
A: read_point(r)?,
|
2023-08-27 15:33:17 -04:00
|
|
|
wip: WipProof {
|
2024-06-15 17:00:11 -04:00
|
|
|
A: read_point(r)?,
|
|
|
|
|
B: read_point(r)?,
|
|
|
|
|
r_answer: read_scalar(r)?,
|
|
|
|
|
s_answer: read_scalar(r)?,
|
|
|
|
|
delta_answer: read_scalar(r)?,
|
|
|
|
|
L: read_vec(read_point, r)?.into_iter().collect(),
|
|
|
|
|
R: read_vec(read_point, r)?.into_iter().collect(),
|
2023-08-27 15:33:17 -04:00
|
|
|
},
|
2022-07-31 21:45:53 -05:00
|
|
|
}))
|
2022-07-27 04:05:43 -05:00
|
|
|
}
|
2022-04-28 20:09:31 -04:00
|
|
|
}
|
