coins/monero/src/tests/clsag.rs

#[cfg(feature = "multisig")]
use std::{cell::RefCell, rc::Rc, collections::HashMap};

use rand::{RngCore, rngs::OsRng};

use curve25519_dalek::{constants::ED25519_BASEPOINT_TABLE, scalar::Scalar};

use crate::{
  Commitment,
  random_scalar, generate_key_image,
  wallet::Decoys,
  ringct::clsag::{ClsagInput, Clsag}
};
#[cfg(feature = "multisig")]
use crate::{frost::{MultisigError, Transcript}, ringct::clsag::{ClsagDetails, ClsagMultisig}};

#[cfg(feature = "multisig")]
use crate::tests::frost::{THRESHOLD, generate_keys, sign};

const RING_LEN: u64 = 11;
const AMOUNT: u64 = 1337;

#[cfg(feature = "multisig")]
const RING_INDEX: u8 = 3;

#[test]
fn clsag() {
  for real in 0 .. RING_LEN {
    let msg = [1; 32];

    let mut secrets = [Scalar::zero(), Scalar::zero()];
    let mut ring = vec![];
    for i in 0 .. RING_LEN {
      let dest = random_scalar(&mut OsRng);
      let mask = random_scalar(&mut OsRng);
      let amount;
      if i == u64::from(real) {
        secrets = [dest, mask];
        amount = AMOUNT;
      } else {
        amount = OsRng.next_u64();
      }
      ring.push([&dest * &ED25519_BASEPOINT_TABLE, Commitment::new(mask, amount).calculate()]);
    }

    let image = generate_key_image(&secrets[0]);
    let (clsag, pseudo_out) = Clsag::sign(
      &mut OsRng,
      &vec![(
        secrets[0],
        image,
        ClsagInput::new(
          Commitment::new(secrets[1], AMOUNT),
          Decoys {
            i: u8::try_from(real).unwrap(),
            offsets: (1 ..= RING_LEN).into_iter().collect(),
            ring: ring.clone()
          }
        ).unwrap()
      )],
      random_scalar(&mut OsRng),
      msg
    ).swap_remove(0);
    clsag.verify(&ring, &image, &pseudo_out, &msg).unwrap();
    #[cfg(feature = "experimental")]
    clsag.rust_verify(&ring, &image, &pseudo_out, &msg).unwrap();
  }
}

#[cfg(feature = "multisig")]
#[test]
fn clsag_multisig() -> Result<(), MultisigError> {
  let (keys, group_private) = generate_keys();

  let randomness = random_scalar(&mut OsRng);
  let mut ring = vec![];
  for i in 0 .. RING_LEN {
    let dest;
    let mask;
    let amount;
    if i != u64::from(RING_INDEX) {
      dest = random_scalar(&mut OsRng);
      mask = random_scalar(&mut OsRng);
      amount = OsRng.next_u64();
    } else {
      dest = group_private.0;
      mask = randomness;
      amount = AMOUNT;
    }
    ring.push([&dest * &ED25519_BASEPOINT_TABLE, Commitment::new(mask, amount).calculate()]);
  }

  let mask_sum = random_scalar(&mut OsRng);
  let mut machines = HashMap::new();
  for i in 1 ..= THRESHOLD {
    machines.insert(
      i,
      sign::AlgorithmMachine::new(
        ClsagMultisig::new(
          Transcript::new(b"Monero Serai CLSAG Test".to_vec()),
          Rc::new(RefCell::new(Some(
            ClsagDetails::new(
              ClsagInput::new(
                Commitment::new(randomness, AMOUNT),
                Decoys {
                  i: RING_INDEX,
                  offsets: (1 ..= RING_LEN).into_iter().collect(),
                  ring: ring.clone()
                }
              ).unwrap(),
              mask_sum
            )
          )))
        ).unwrap(),
        Rc::new(keys[&i].clone()),
        &(1 ..= THRESHOLD).collect::<Vec<_>>()
      ).unwrap()
    );
  }

  let mut signatures = sign(&mut machines, &[1; 32]);
  let signature = signatures.swap_remove(0);
  for s in 0 .. usize::from(THRESHOLD - 1) {
    // Verify the commitments and the non-decoy s scalar are identical to every other signature
    // FROST will already have called verify on the produced signature, before checking individual
    // key shares. For FROST Schnorr, it's cheaper. For CLSAG, it may be more expensive? Yet it
    // ensures we have usable signatures, not just signatures we think are usable
    assert_eq!(signatures[s].1, signature.1);
    assert_eq!(signatures[s].0.s[RING_INDEX as usize], signature.0.s[RING_INDEX as usize]);
  }

  Ok(())
}
Cleanup which makes transcript optional, only required for multisig 2022-05-03 08:49:46 -04:00			`#[cfg(feature = "multisig")]`
Move FROST to HashMaps Honestly, the borrowed keys are frustrating, and this probably reduces performance while no longer offering an order when iterating. That said, they enable full u16 indexing and should mildly improve the API. Cleans the Proof of Knowledge handling present in key gen. 2022-05-24 21:41:14 -04:00			`use std::{cell::RefCell, rc::Rc, collections::HashMap};`
Working multisig TXs 2022-04-30 04:32:19 -04:00
Various corrections to multisig API 2022-04-29 15:28:04 -04:00			`use rand::{RngCore, rngs::OsRng};`
Initial commit Combines the existing frost-rs, dalek-ff-group, and monero-rs repos into a monorepo. Makes tweaks necessary as needed. Replaces RedDSA (which was going to be stubbed out into a new folder for now) with an offset system that voids its need and allows stealth addresses with CLSAG. 2022-04-21 21:36:18 -04:00
Update the CLSAG multisig API for TX signing 2022-04-30 01:41:05 -04:00			`use curve25519_dalek::{constants::ED25519_BASEPOINT_TABLE, scalar::Scalar};`
Initial commit Combines the existing frost-rs, dalek-ff-group, and monero-rs repos into a monorepo. Makes tweaks necessary as needed. Replaces RedDSA (which was going to be stubbed out into a new folder for now) with an offset system that voids its need and allows stealth addresses with CLSAG. 2022-04-21 21:36:18 -04:00
Changes meant for the previous commit 2022-05-21 20:26:28 -04:00			`use crate::{`
Remove monero-rs types Still missing an updated RPC file. Restructures the library as it makes sense 2022-05-21 15:33:35 -04:00			`Commitment,`
			`random_scalar, generate_key_image,`
Changes meant for the previous commit 2022-05-21 20:26:28 -04:00			`wallet::Decoys,`
Move RingCT code to a deciated folder Should help keep things ordered as more RingCT code is added. 2022-05-22 02:24:24 -04:00			`ringct::clsag::{ClsagInput, Clsag}`
Remove monero-rs types Still missing an updated RPC file. Restructures the library as it makes sense 2022-05-21 15:33:35 -04:00			`};`
Cleanup which makes transcript optional, only required for multisig 2022-05-03 08:49:46 -04:00			`#[cfg(feature = "multisig")]`
Move RingCT code to a deciated folder Should help keep things ordered as more RingCT code is added. 2022-05-22 02:24:24 -04:00			`use crate::{frost::{MultisigError, Transcript}, ringct::clsag::{ClsagDetails, ClsagMultisig}};`
Initial commit Combines the existing frost-rs, dalek-ff-group, and monero-rs repos into a monorepo. Makes tweaks necessary as needed. Replaces RedDSA (which was going to be stubbed out into a new folder for now) with an offset system that voids its need and allows stealth addresses with CLSAG. 2022-04-21 21:36:18 -04:00
			`#[cfg(feature = "multisig")]`
Changes meant for the previous commit 2022-05-21 20:26:28 -04:00			`use crate::tests::frost::{THRESHOLD, generate_keys, sign};`
Initial commit Combines the existing frost-rs, dalek-ff-group, and monero-rs repos into a monorepo. Makes tweaks necessary as needed. Replaces RedDSA (which was going to be stubbed out into a new folder for now) with an offset system that voids its need and allows stealth addresses with CLSAG. 2022-04-21 21:36:18 -04:00
			`const RING_LEN: u64 = 11;`
			`const AMOUNT: u64 = 1337;`

Slightly simplify CLSAG signing Expands its test to test all possible ring indexes, though just 0 and a single n would be sufficient. 2022-05-14 00:45:13 -04:00			`#[cfg(feature = "multisig")]`
			`const RING_INDEX: u8 = 3;`

Initial commit Combines the existing frost-rs, dalek-ff-group, and monero-rs repos into a monorepo. Makes tweaks necessary as needed. Replaces RedDSA (which was going to be stubbed out into a new folder for now) with an offset system that voids its need and allows stealth addresses with CLSAG. 2022-04-21 21:36:18 -04:00			`#[test]`
Add Rust CLSAG verification Marked experimental, not guaranteed to match Monero yet 2022-05-13 20:26:29 -04:00			`fn clsag() {`
Slightly simplify CLSAG signing Expands its test to test all possible ring indexes, though just 0 and a single n would be sufficient. 2022-05-14 00:45:13 -04:00			`for real in 0 .. RING_LEN {`
			`let msg = [1; 32];`
Initial commit Combines the existing frost-rs, dalek-ff-group, and monero-rs repos into a monorepo. Makes tweaks necessary as needed. Replaces RedDSA (which was going to be stubbed out into a new folder for now) with an offset system that voids its need and allows stealth addresses with CLSAG. 2022-04-21 21:36:18 -04:00
Slightly simplify CLSAG signing Expands its test to test all possible ring indexes, though just 0 and a single n would be sufficient. 2022-05-14 00:45:13 -04:00			`let mut secrets = [Scalar::zero(), Scalar::zero()];`
			`let mut ring = vec![];`
			`for i in 0 .. RING_LEN {`
			`let dest = random_scalar(&mut OsRng);`
			`let mask = random_scalar(&mut OsRng);`
			`let amount;`
			`if i == u64::from(real) {`
			`secrets = [dest, mask];`
			`amount = AMOUNT;`
			`} else {`
			`amount = OsRng.next_u64();`
			`}`
			`ring.push([&dest * &ED25519_BASEPOINT_TABLE, Commitment::new(mask, amount).calculate()]);`
Initial commit Combines the existing frost-rs, dalek-ff-group, and monero-rs repos into a monorepo. Makes tweaks necessary as needed. Replaces RedDSA (which was going to be stubbed out into a new folder for now) with an offset system that voids its need and allows stealth addresses with CLSAG. 2022-04-21 21:36:18 -04:00			`}`

Simplify Monero key image handling 2022-05-17 19:15:53 -04:00			`let image = generate_key_image(&secrets[0]);`
Remove monero-rs types Still missing an updated RPC file. Restructures the library as it makes sense 2022-05-21 15:33:35 -04:00			`let (clsag, pseudo_out) = Clsag::sign(`
Slightly simplify CLSAG signing Expands its test to test all possible ring indexes, though just 0 and a single n would be sufficient. 2022-05-14 00:45:13 -04:00			`&mut OsRng,`
			`&vec![(`
			`secrets[0],`
			`image,`
Remove monero-rs types Still missing an updated RPC file. Restructures the library as it makes sense 2022-05-21 15:33:35 -04:00			`ClsagInput::new(`
Slightly simplify CLSAG signing Expands its test to test all possible ring indexes, though just 0 and a single n would be sufficient. 2022-05-14 00:45:13 -04:00			`Commitment::new(secrets[1], AMOUNT),`
			`Decoys {`
			`i: u8::try_from(real).unwrap(),`
Remove monero-rs types Still missing an updated RPC file. Restructures the library as it makes sense 2022-05-21 15:33:35 -04:00			`offsets: (1 ..= RING_LEN).into_iter().collect(),`
Slightly simplify CLSAG signing Expands its test to test all possible ring indexes, though just 0 and a single n would be sufficient. 2022-05-14 00:45:13 -04:00			`ring: ring.clone()`
			`}`
			`).unwrap()`
			`)],`
			`random_scalar(&mut OsRng),`
			`msg`
Changes meant for the previous commit 2022-05-21 20:26:28 -04:00			`).swap_remove(0);`
Remove monero-rs types Still missing an updated RPC file. Restructures the library as it makes sense 2022-05-21 15:33:35 -04:00			`clsag.verify(&ring, &image, &pseudo_out, &msg).unwrap();`
Slightly simplify CLSAG signing Expands its test to test all possible ring indexes, though just 0 and a single n would be sufficient. 2022-05-14 00:45:13 -04:00			`#[cfg(feature = "experimental")]`
Remove monero-rs types Still missing an updated RPC file. Restructures the library as it makes sense 2022-05-21 15:33:35 -04:00			`clsag.rust_verify(&ring, &image, &pseudo_out, &msg).unwrap();`
Slightly simplify CLSAG signing Expands its test to test all possible ring indexes, though just 0 and a single n would be sufficient. 2022-05-14 00:45:13 -04:00			`}`
Initial commit Combines the existing frost-rs, dalek-ff-group, and monero-rs repos into a monorepo. Makes tweaks necessary as needed. Replaces RedDSA (which was going to be stubbed out into a new folder for now) with an offset system that voids its need and allows stealth addresses with CLSAG. 2022-04-21 21:36:18 -04:00			`}`

			`#[cfg(feature = "multisig")]`
			`#[test]`
Add Rust CLSAG verification Marked experimental, not guaranteed to match Monero yet 2022-05-13 20:26:29 -04:00			`fn clsag_multisig() -> Result<(), MultisigError> {`
Consolidate FROST testing code 2022-04-28 21:47:25 -04:00			`let (keys, group_private) = generate_keys();`
Initial commit Combines the existing frost-rs, dalek-ff-group, and monero-rs repos into a monorepo. Makes tweaks necessary as needed. Replaces RedDSA (which was going to be stubbed out into a new folder for now) with an offset system that voids its need and allows stealth addresses with CLSAG. 2022-04-21 21:36:18 -04:00
			`let randomness = random_scalar(&mut OsRng);`
			`let mut ring = vec![];`
			`for i in 0 .. RING_LEN {`
			`let dest;`
Update CLSAG multisig to work again 2022-04-28 12:01:20 -04:00			`let mask;`
Initial commit Combines the existing frost-rs, dalek-ff-group, and monero-rs repos into a monorepo. Makes tweaks necessary as needed. Replaces RedDSA (which was going to be stubbed out into a new folder for now) with an offset system that voids its need and allows stealth addresses with CLSAG. 2022-04-21 21:36:18 -04:00			`let amount;`
Rename monero-sign to monero-serai 2022-04-27 22:48:58 -04:00			`if i != u64::from(RING_INDEX) {`
Initial commit Combines the existing frost-rs, dalek-ff-group, and monero-rs repos into a monorepo. Makes tweaks necessary as needed. Replaces RedDSA (which was going to be stubbed out into a new folder for now) with an offset system that voids its need and allows stealth addresses with CLSAG. 2022-04-21 21:36:18 -04:00			`dest = random_scalar(&mut OsRng);`
Update CLSAG multisig to work again 2022-04-28 12:01:20 -04:00			`mask = random_scalar(&mut OsRng);`
Initial commit Combines the existing frost-rs, dalek-ff-group, and monero-rs repos into a monorepo. Makes tweaks necessary as needed. Replaces RedDSA (which was going to be stubbed out into a new folder for now) with an offset system that voids its need and allows stealth addresses with CLSAG. 2022-04-21 21:36:18 -04:00			`amount = OsRng.next_u64();`
			`} else {`
			`dest = group_private.0;`
Update CLSAG multisig to work again 2022-04-28 12:01:20 -04:00			`mask = randomness;`
Initial commit Combines the existing frost-rs, dalek-ff-group, and monero-rs repos into a monorepo. Makes tweaks necessary as needed. Replaces RedDSA (which was going to be stubbed out into a new folder for now) with an offset system that voids its need and allows stealth addresses with CLSAG. 2022-04-21 21:36:18 -04:00			`amount = AMOUNT;`
			`}`
Update CLSAG multisig to work again 2022-04-28 12:01:20 -04:00			`ring.push([&dest * &ED25519_BASEPOINT_TABLE, Commitment::new(mask, amount).calculate()]);`
Initial commit Combines the existing frost-rs, dalek-ff-group, and monero-rs repos into a monorepo. Makes tweaks necessary as needed. Replaces RedDSA (which was going to be stubbed out into a new folder for now) with an offset system that voids its need and allows stealth addresses with CLSAG. 2022-04-21 21:36:18 -04:00			`}`

Reorganize CLSAG sign flow 2022-05-06 19:07:37 -04:00			`let mask_sum = random_scalar(&mut OsRng);`
Move FROST to HashMaps Honestly, the borrowed keys are frustrating, and this probably reduces performance while no longer offering an order when iterating. That said, they enable full u16 indexing and should mildly improve the API. Cleans the Proof of Knowledge handling present in key gen. 2022-05-24 21:41:14 -04:00			`let mut machines = HashMap::new();`
			`for i in 1 ..= THRESHOLD {`
			`machines.insert(`
			`i,`
Make a trait out of sign::StateMachine for more complex Transaction flows 2022-04-29 22:36:43 -04:00			`sign::AlgorithmMachine::new(`
Changes meant for the previous commit 2022-05-21 20:26:28 -04:00			`ClsagMultisig::new(`
Use a global transcript 2022-05-06 07:33:08 -04:00			`Transcript::new(b"Monero Serai CLSAG Test".to_vec()),`
Reorganize CLSAG sign flow 2022-05-06 19:07:37 -04:00			`Rc::new(RefCell::new(Some(`
Remove monero-rs types Still missing an updated RPC file. Restructures the library as it makes sense 2022-05-21 15:33:35 -04:00			`ClsagDetails::new(`
			`ClsagInput::new(`
Reorganize CLSAG sign flow 2022-05-06 19:07:37 -04:00			`Commitment::new(randomness, AMOUNT),`
			`Decoys {`
			`i: RING_INDEX,`
Remove monero-rs types Still missing an updated RPC file. Restructures the library as it makes sense 2022-05-21 15:33:35 -04:00			`offsets: (1 ..= RING_LEN).into_iter().collect(),`
Reorganize CLSAG sign flow 2022-05-06 19:07:37 -04:00			`ring: ring.clone()`
			`}`
			`).unwrap(),`
			`mask_sum`
			`)`
Support signing Monero TXs with multiple inputs Remove's CLSAG's msg Rc for the msg available through AlgorithmMachine. Potentially slightly more inefficient, as it needs to be converted from a slice to a [u8; 32], yet removes a re-impl. Also removes a match for an if. 2022-05-18 00:53:13 -04:00			`)))`
Make a trait out of sign::StateMachine for more complex Transaction flows 2022-04-29 22:36:43 -04:00			`).unwrap(),`
Move FROST to HashMaps Honestly, the borrowed keys are frustrating, and this probably reduces performance while no longer offering an order when iterating. That said, they enable full u16 indexing and should mildly improve the API. Cleans the Proof of Knowledge handling present in key gen. 2022-05-24 21:41:14 -04:00			`Rc::new(keys[&i].clone()),`
			`&(1 ..= THRESHOLD).collect::<Vec<_>>()`
Initial commit Combines the existing frost-rs, dalek-ff-group, and monero-rs repos into a monorepo. Makes tweaks necessary as needed. Replaces RedDSA (which was going to be stubbed out into a new folder for now) with an offset system that voids its need and allows stealth addresses with CLSAG. 2022-04-21 21:36:18 -04:00			`).unwrap()`
			`);`
			`}`

Support signing Monero TXs with multiple inputs Remove's CLSAG's msg Rc for the msg available through AlgorithmMachine. Potentially slightly more inefficient, as it needs to be converted from a slice to a [u8; 32], yet removes a re-impl. Also removes a match for an if. 2022-05-18 00:53:13 -04:00			`let mut signatures = sign(&mut machines, &[1; 32]);`
Consolidate FROST testing code 2022-04-28 21:47:25 -04:00			`let signature = signatures.swap_remove(0);`
Move FROST to HashMaps Honestly, the borrowed keys are frustrating, and this probably reduces performance while no longer offering an order when iterating. That said, they enable full u16 indexing and should mildly improve the API. Cleans the Proof of Knowledge handling present in key gen. 2022-05-24 21:41:14 -04:00			`for s in 0 .. usize::from(THRESHOLD - 1) {`
Consolidate FROST testing code 2022-04-28 21:47:25 -04:00			`// Verify the commitments and the non-decoy s scalar are identical to every other signature`
			`// FROST will already have called verify on the produced signature, before checking individual`
			`// key shares. For FROST Schnorr, it's cheaper. For CLSAG, it may be more expensive? Yet it`
			`// ensures we have usable signatures, not just signatures we think are usable`
			`assert_eq!(signatures[s].1, signature.1);`
			`assert_eq!(signatures[s].0.s[RING_INDEX as usize], signature.0.s[RING_INDEX as usize]);`
Initial commit Combines the existing frost-rs, dalek-ff-group, and monero-rs repos into a monorepo. Makes tweaks necessary as needed. Replaces RedDSA (which was going to be stubbed out into a new folder for now) with an offset system that voids its need and allows stealth addresses with CLSAG. 2022-04-21 21:36:18 -04:00			`}`

			`Ok(())`
			`}`