2022-12-14 09:27:49 -05:00
|
|
|
use core::ops::Deref;
|
2023-06-29 04:14:29 -04:00
|
|
|
use std_shims::collections::{HashSet, HashMap};
|
2022-08-22 08:32:09 -04:00
|
|
|
|
2022-12-14 09:27:49 -05:00
|
|
|
use zeroize::{Zeroize, ZeroizeOnDrop, Zeroizing};
|
Utilize zeroize (#76)
* Apply Zeroize to nonces used in Bulletproofs
Also makes bit decomposition constant time for a given amount of
outputs.
* Fix nonce reuse for single-signer CLSAG
* Attach Zeroize to most structures in Monero, and ZOnDrop to anything with private data
* Zeroize private keys and nonces
* Merge prepare_outputs and prepare_transactions
* Ensure CLSAG is constant time
* Pass by borrow where needed, bug fixes
The past few commitments have been one in-progress chunk which I've
broken up as best read.
* Add Zeroize to FROST structs
Still needs to zeroize internally, yet next step. Not quite as
aggressive as Monero, partially due to the limitations of HashMaps,
partially due to less concern about metadata, yet does still delete a
few smaller items of metadata (group key, context string...).
* Remove Zeroize from most Monero multisig structs
These structs largely didn't have private data, just fields with private
data, yet those fields implemented ZeroizeOnDrop making them already
covered. While there is still traces of the transaction left in RAM,
fully purging that was never the intent.
* Use Zeroize within dleq
bitvec doesn't offer Zeroize, so a manual zeroing has been implemented.
* Use Zeroize for random_nonce
It isn't perfect, due to the inability to zeroize the digest, and due to
kp256 requiring a few transformations. It does the best it can though.
Does move the per-curve random_nonce to a provided one, which is allowed
as of https://github.com/cfrg/draft-irtf-cfrg-frost/pull/231.
* Use Zeroize on FROST keygen/signing
* Zeroize constant time multiexp.
* Correct when FROST keygen zeroizes
* Move the FROST keys Arc into FrostKeys
Reduces amount of instances in memory.
* Manually implement Debug for FrostCore to not leak the secret share
* Misc bug fixes
* clippy + multiexp test bug fixes
* Correct FROST key gen share summation
It leaked our own share for ourself.
* Fix cross-group DLEq tests
2022-08-03 03:25:18 -05:00
|
|
|
|
2022-08-22 08:32:09 -04:00
|
|
|
use curve25519_dalek::{
|
|
|
|
|
constants::ED25519_BASEPOINT_TABLE,
|
|
|
|
|
scalar::Scalar,
|
|
|
|
|
edwards::{EdwardsPoint, CompressedEdwardsY},
|
|
|
|
|
};
|
2022-05-21 15:33:35 -04:00
|
|
|
|
Monero: support for legacy transactions (#308)
* add mlsag
* fix last commit
* fix miner v1 txs
* fix non-miner v1 txs
* add borromean + fix mlsag
* add block hash calculations
* fix for the jokester that added unreduced scalars
to the borromean signature of
2368d846e671bf79a1f84c6d3af9f0bfe296f043f50cf17ae5e485384a53707b
* Add Borromean range proof verifying functionality
* Add MLSAG verifying functionality
* fmt & clippy :)
* update MLSAG, ss2_elements will always be 2
* Add MgSig proving
* Tidy block.rs
* Tidy Borromean, fix bugs in last commit, replace todo! with unreachable!
* Mark legacy EcdhInfo amount decryption as experimental
* Correct comments
* Write a new impl of the merkle algorithm
This one tries to be understandable.
* Only pull in things only needed for experimental when experimental
* Stop caching the Monero block hash now in processor that we have Block::hash
* Corrections for recent processor commit
* Use a clearer algorithm for the merkle
Should also be more efficient due to not shifting as often.
* Tidy Mlsag
* Remove verify_rct_* from Mlsag
Both methods were ports from Monero, overtly specific without clear
documentation. They need to be added back in, with documentation, or included
in a node which provides the necessary further context for them to be naturally
understandable.
* Move mlsag/mod.rs to mlsag.rs
This should only be a folder if it has multiple files.
* Replace EcdhInfo terminology
The ECDH encrypted the amount, yet this struct contained the encrypted amount,
not some ECDH.
Also corrects the types on the original EcdhInfo struct.
* Correct handling of commitment masks when scanning
* Route read_array through read_raw_vec
* Misc lint
* Make a proper RctType enum
No longer caches RctType in the RctSignatures as well.
* Replace Vec<Bulletproofs> with Bulletproofs
Monero uses aggregated range proofs, so there's only ever one Bulletproof. This
is enforced with a consensus rule as well, making this safe.
As for why Monero uses a vec, it's probably due to the lack of variadic typing
used. Its effectively an Option for them, yet we don't need an Option since we
do have variadic typing (enums).
* Add necessary checks to Eventuality re: supported protocols
* Fix for block 202612 and fix merkel root calculations
* MLSAG (de)serialisation fix
ss_2_elements will not always be 2 as rct type 1 transactions are not enforced to have one input
* Revert "MLSAG (de)serialisation fix"
This reverts commit 5e710e0c96658092c6ecfe5e4ea5a9c3dbee3ab3.
here it checks number of MGs == number of inputs:
https://github.com/monero-project/monero/blob/0a1eaf26f9dd6b762c2582ee12603b2a4671c735/src/cryptonote_core/tx_verification_utils.cpp#L60-59
and here it checks for RctTypeFull number of MGs == 1:
https://github.com/monero-project/monero/blob/0a1eaf26f9dd6b762c2582ee12603b2a4671c735/src/ringct/rctSigs.cpp#L1325
so number of inputs == 1
so ss_2_elements == 2
* update `MlsagAggregate` comment
* cargo update
Resolves a yanked crate
* Move location of serai-client in Cargo.toml
---------
Co-authored-by: Luke Parker <lukeparker5132@gmail.com>
2023-07-04 21:18:05 +00:00
|
|
|
use crate::{
|
|
|
|
|
hash, hash_to_scalar, serialize::write_varint, ringct::EncryptedAmount, transaction::Input,
|
|
|
|
|
};
|
2022-05-21 15:33:35 -04:00
|
|
|
|
2023-01-30 12:25:46 +03:00
|
|
|
pub mod extra;
|
2022-08-21 08:41:19 -04:00
|
|
|
pub(crate) use extra::{PaymentId, ExtraField, Extra};
|
|
|
|
|
|
2023-03-10 22:16:00 +03:00
|
|
|
/// Seed creation and parsing functionality.
|
|
|
|
|
pub mod seed;
|
|
|
|
|
|
2022-09-29 05:25:29 -04:00
|
|
|
/// Address encoding and decoding functionality.
|
2022-06-28 00:01:20 -04:00
|
|
|
pub mod address;
|
2023-01-07 04:44:23 -05:00
|
|
|
use address::{Network, AddressType, SubaddressIndex, AddressSpec, AddressMeta, MoneroAddress};
|
2022-06-28 00:01:20 -04:00
|
|
|
|
2022-05-21 15:33:35 -04:00
|
|
|
mod scan;
|
2023-01-08 09:09:03 -05:00
|
|
|
pub use scan::{ReceivedOutput, SpendableOutput, Timelocked};
|
2022-05-21 15:33:35 -04:00
|
|
|
|
|
|
|
|
pub(crate) mod decoys;
|
|
|
|
|
pub(crate) use decoys::Decoys;
|
|
|
|
|
|
|
|
|
|
mod send;
|
2023-06-29 04:14:29 -04:00
|
|
|
pub use send::{Fee, TransactionError, Change, SignableTransaction, Eventuality};
|
|
|
|
|
#[cfg(feature = "std")]
|
|
|
|
|
pub use send::SignableTransactionBuilder;
|
2023-03-11 10:31:58 -05:00
|
|
|
#[cfg(feature = "multisig")]
|
|
|
|
|
pub(crate) use send::InternalPayment;
|
2022-06-10 09:36:07 -04:00
|
|
|
#[cfg(feature = "multisig")]
|
|
|
|
|
pub use send::TransactionMachine;
|
2022-05-21 15:33:35 -04:00
|
|
|
|
2023-06-29 04:14:29 -04:00
|
|
|
fn key_image_sort(x: &EdwardsPoint, y: &EdwardsPoint) -> core::cmp::Ordering {
|
2022-05-22 01:56:17 -04:00
|
|
|
x.compress().to_bytes().cmp(&y.compress().to_bytes()).reverse()
|
|
|
|
|
}
|
|
|
|
|
|
2022-06-30 03:16:51 -04:00
|
|
|
// https://gist.github.com/kayabaNerve/8066c13f1fe1573286ba7a2fd79f6100
|
2022-05-21 15:33:35 -04:00
|
|
|
pub(crate) fn uniqueness(inputs: &[Input]) -> [u8; 32] {
|
2022-06-28 00:01:20 -04:00
|
|
|
let mut u = b"uniqueness".to_vec();
|
2022-05-21 15:33:35 -04:00
|
|
|
for input in inputs {
|
|
|
|
|
match input {
|
|
|
|
|
// If Gen, this should be the only input, making this loop somewhat pointless
|
|
|
|
|
// This works and even if there were somehow multiple inputs, it'd be a false negative
|
2022-07-15 01:26:07 -04:00
|
|
|
Input::Gen(height) => {
|
2022-07-22 02:34:36 -04:00
|
|
|
write_varint(height, &mut u).unwrap();
|
2022-07-15 01:26:07 -04:00
|
|
|
}
|
|
|
|
|
Input::ToKey { key_image, .. } => u.extend(key_image.compress().to_bytes()),
|
2022-05-21 15:33:35 -04:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
hash(&u)
|
|
|
|
|
}
|
|
|
|
|
|
2022-08-22 06:54:01 -04:00
|
|
|
// Hs("view_tag" || 8Ra || o), Hs(8Ra || o), and H(8Ra || 0x8d) with uniqueness inclusion in the
|
|
|
|
|
// Scalar as an option
|
2022-05-21 15:33:35 -04:00
|
|
|
#[allow(non_snake_case)]
|
2022-07-15 01:26:07 -04:00
|
|
|
pub(crate) fn shared_key(
|
|
|
|
|
uniqueness: Option<[u8; 32]>,
|
2023-03-11 10:51:40 -05:00
|
|
|
ecdh: EdwardsPoint,
|
2022-07-15 01:26:07 -04:00
|
|
|
o: usize,
|
2022-08-22 06:54:01 -04:00
|
|
|
) -> (u8, Scalar, [u8; 8]) {
|
2022-07-27 06:29:14 -04:00
|
|
|
// 8Ra
|
2023-03-11 10:51:40 -05:00
|
|
|
let mut output_derivation = ecdh.mul_by_cofactor().compress().to_bytes().to_vec();
|
2022-07-27 06:29:14 -04:00
|
|
|
|
2022-08-22 06:54:01 -04:00
|
|
|
let mut payment_id_xor = [0; 8];
|
|
|
|
|
payment_id_xor
|
|
|
|
|
.copy_from_slice(&hash(&[output_derivation.as_ref(), [0x8d].as_ref()].concat())[.. 8]);
|
2022-07-27 06:29:14 -04:00
|
|
|
|
2023-01-17 00:17:54 +03:00
|
|
|
// || o
|
|
|
|
|
write_varint(&o.try_into().unwrap(), &mut output_derivation).unwrap();
|
|
|
|
|
|
|
|
|
|
let view_tag = hash(&[b"view_tag".as_ref(), &output_derivation].concat())[0];
|
|
|
|
|
|
2022-07-27 06:29:14 -04:00
|
|
|
// uniqueness ||
|
|
|
|
|
let shared_key = if let Some(uniqueness) = uniqueness {
|
|
|
|
|
[uniqueness.as_ref(), &output_derivation].concat().to_vec()
|
|
|
|
|
} else {
|
|
|
|
|
output_derivation
|
|
|
|
|
};
|
|
|
|
|
|
2022-08-22 06:54:01 -04:00
|
|
|
(view_tag, hash_to_scalar(&shared_key), payment_id_xor)
|
2022-05-21 15:33:35 -04:00
|
|
|
}
|
|
|
|
|
|
Monero: support for legacy transactions (#308)
* add mlsag
* fix last commit
* fix miner v1 txs
* fix non-miner v1 txs
* add borromean + fix mlsag
* add block hash calculations
* fix for the jokester that added unreduced scalars
to the borromean signature of
2368d846e671bf79a1f84c6d3af9f0bfe296f043f50cf17ae5e485384a53707b
* Add Borromean range proof verifying functionality
* Add MLSAG verifying functionality
* fmt & clippy :)
* update MLSAG, ss2_elements will always be 2
* Add MgSig proving
* Tidy block.rs
* Tidy Borromean, fix bugs in last commit, replace todo! with unreachable!
* Mark legacy EcdhInfo amount decryption as experimental
* Correct comments
* Write a new impl of the merkle algorithm
This one tries to be understandable.
* Only pull in things only needed for experimental when experimental
* Stop caching the Monero block hash now in processor that we have Block::hash
* Corrections for recent processor commit
* Use a clearer algorithm for the merkle
Should also be more efficient due to not shifting as often.
* Tidy Mlsag
* Remove verify_rct_* from Mlsag
Both methods were ports from Monero, overtly specific without clear
documentation. They need to be added back in, with documentation, or included
in a node which provides the necessary further context for them to be naturally
understandable.
* Move mlsag/mod.rs to mlsag.rs
This should only be a folder if it has multiple files.
* Replace EcdhInfo terminology
The ECDH encrypted the amount, yet this struct contained the encrypted amount,
not some ECDH.
Also corrects the types on the original EcdhInfo struct.
* Correct handling of commitment masks when scanning
* Route read_array through read_raw_vec
* Misc lint
* Make a proper RctType enum
No longer caches RctType in the RctSignatures as well.
* Replace Vec<Bulletproofs> with Bulletproofs
Monero uses aggregated range proofs, so there's only ever one Bulletproof. This
is enforced with a consensus rule as well, making this safe.
As for why Monero uses a vec, it's probably due to the lack of variadic typing
used. Its effectively an Option for them, yet we don't need an Option since we
do have variadic typing (enums).
* Add necessary checks to Eventuality re: supported protocols
* Fix for block 202612 and fix merkel root calculations
* MLSAG (de)serialisation fix
ss_2_elements will not always be 2 as rct type 1 transactions are not enforced to have one input
* Revert "MLSAG (de)serialisation fix"
This reverts commit 5e710e0c96658092c6ecfe5e4ea5a9c3dbee3ab3.
here it checks number of MGs == number of inputs:
https://github.com/monero-project/monero/blob/0a1eaf26f9dd6b762c2582ee12603b2a4671c735/src/cryptonote_core/tx_verification_utils.cpp#L60-59
and here it checks for RctTypeFull number of MGs == 1:
https://github.com/monero-project/monero/blob/0a1eaf26f9dd6b762c2582ee12603b2a4671c735/src/ringct/rctSigs.cpp#L1325
so number of inputs == 1
so ss_2_elements == 2
* update `MlsagAggregate` comment
* cargo update
Resolves a yanked crate
* Move location of serai-client in Cargo.toml
---------
Co-authored-by: Luke Parker <lukeparker5132@gmail.com>
2023-07-04 21:18:05 +00:00
|
|
|
pub(crate) fn commitment_mask(shared_key: Scalar) -> Scalar {
|
|
|
|
|
let mut mask = b"commitment_mask".to_vec();
|
|
|
|
|
mask.extend(shared_key.to_bytes());
|
|
|
|
|
hash_to_scalar(&mask)
|
|
|
|
|
}
|
|
|
|
|
|
2022-05-21 15:33:35 -04:00
|
|
|
pub(crate) fn amount_encryption(amount: u64, key: Scalar) -> [u8; 8] {
|
|
|
|
|
let mut amount_mask = b"amount".to_vec();
|
|
|
|
|
amount_mask.extend(key.to_bytes());
|
2022-08-22 06:54:01 -04:00
|
|
|
(amount ^ u64::from_le_bytes(hash(&amount_mask)[.. 8].try_into().unwrap())).to_le_bytes()
|
2022-05-21 15:33:35 -04:00
|
|
|
}
|
|
|
|
|
|
Monero: support for legacy transactions (#308)
* add mlsag
* fix last commit
* fix miner v1 txs
* fix non-miner v1 txs
* add borromean + fix mlsag
* add block hash calculations
* fix for the jokester that added unreduced scalars
to the borromean signature of
2368d846e671bf79a1f84c6d3af9f0bfe296f043f50cf17ae5e485384a53707b
* Add Borromean range proof verifying functionality
* Add MLSAG verifying functionality
* fmt & clippy :)
* update MLSAG, ss2_elements will always be 2
* Add MgSig proving
* Tidy block.rs
* Tidy Borromean, fix bugs in last commit, replace todo! with unreachable!
* Mark legacy EcdhInfo amount decryption as experimental
* Correct comments
* Write a new impl of the merkle algorithm
This one tries to be understandable.
* Only pull in things only needed for experimental when experimental
* Stop caching the Monero block hash now in processor that we have Block::hash
* Corrections for recent processor commit
* Use a clearer algorithm for the merkle
Should also be more efficient due to not shifting as often.
* Tidy Mlsag
* Remove verify_rct_* from Mlsag
Both methods were ports from Monero, overtly specific without clear
documentation. They need to be added back in, with documentation, or included
in a node which provides the necessary further context for them to be naturally
understandable.
* Move mlsag/mod.rs to mlsag.rs
This should only be a folder if it has multiple files.
* Replace EcdhInfo terminology
The ECDH encrypted the amount, yet this struct contained the encrypted amount,
not some ECDH.
Also corrects the types on the original EcdhInfo struct.
* Correct handling of commitment masks when scanning
* Route read_array through read_raw_vec
* Misc lint
* Make a proper RctType enum
No longer caches RctType in the RctSignatures as well.
* Replace Vec<Bulletproofs> with Bulletproofs
Monero uses aggregated range proofs, so there's only ever one Bulletproof. This
is enforced with a consensus rule as well, making this safe.
As for why Monero uses a vec, it's probably due to the lack of variadic typing
used. Its effectively an Option for them, yet we don't need an Option since we
do have variadic typing (enums).
* Add necessary checks to Eventuality re: supported protocols
* Fix for block 202612 and fix merkel root calculations
* MLSAG (de)serialisation fix
ss_2_elements will not always be 2 as rct type 1 transactions are not enforced to have one input
* Revert "MLSAG (de)serialisation fix"
This reverts commit 5e710e0c96658092c6ecfe5e4ea5a9c3dbee3ab3.
here it checks number of MGs == number of inputs:
https://github.com/monero-project/monero/blob/0a1eaf26f9dd6b762c2582ee12603b2a4671c735/src/cryptonote_core/tx_verification_utils.cpp#L60-59
and here it checks for RctTypeFull number of MGs == 1:
https://github.com/monero-project/monero/blob/0a1eaf26f9dd6b762c2582ee12603b2a4671c735/src/ringct/rctSigs.cpp#L1325
so number of inputs == 1
so ss_2_elements == 2
* update `MlsagAggregate` comment
* cargo update
Resolves a yanked crate
* Move location of serai-client in Cargo.toml
---------
Co-authored-by: Luke Parker <lukeparker5132@gmail.com>
2023-07-04 21:18:05 +00:00
|
|
|
// TODO: Move this under EncryptedAmount?
|
|
|
|
|
fn amount_decryption(amount: &EncryptedAmount, key: Scalar) -> (Scalar, u64) {
|
|
|
|
|
match amount {
|
|
|
|
|
EncryptedAmount::Original { mask, amount } => {
|
|
|
|
|
#[cfg(feature = "experimental")]
|
|
|
|
|
{
|
|
|
|
|
let mask_shared_sec = hash(key.as_bytes());
|
|
|
|
|
let mask =
|
|
|
|
|
Scalar::from_bytes_mod_order(*mask) - Scalar::from_bytes_mod_order(mask_shared_sec);
|
|
|
|
|
|
|
|
|
|
let amount_shared_sec = hash(&mask_shared_sec);
|
|
|
|
|
let amount_scalar =
|
|
|
|
|
Scalar::from_bytes_mod_order(*amount) - Scalar::from_bytes_mod_order(amount_shared_sec);
|
|
|
|
|
// d2b from rctTypes.cpp
|
|
|
|
|
let amount = u64::from_le_bytes(amount_scalar.to_bytes()[0 .. 8].try_into().unwrap());
|
|
|
|
|
|
|
|
|
|
(mask, amount)
|
|
|
|
|
}
|
2022-05-21 15:33:35 -04:00
|
|
|
|
Monero: support for legacy transactions (#308)
* add mlsag
* fix last commit
* fix miner v1 txs
* fix non-miner v1 txs
* add borromean + fix mlsag
* add block hash calculations
* fix for the jokester that added unreduced scalars
to the borromean signature of
2368d846e671bf79a1f84c6d3af9f0bfe296f043f50cf17ae5e485384a53707b
* Add Borromean range proof verifying functionality
* Add MLSAG verifying functionality
* fmt & clippy :)
* update MLSAG, ss2_elements will always be 2
* Add MgSig proving
* Tidy block.rs
* Tidy Borromean, fix bugs in last commit, replace todo! with unreachable!
* Mark legacy EcdhInfo amount decryption as experimental
* Correct comments
* Write a new impl of the merkle algorithm
This one tries to be understandable.
* Only pull in things only needed for experimental when experimental
* Stop caching the Monero block hash now in processor that we have Block::hash
* Corrections for recent processor commit
* Use a clearer algorithm for the merkle
Should also be more efficient due to not shifting as often.
* Tidy Mlsag
* Remove verify_rct_* from Mlsag
Both methods were ports from Monero, overtly specific without clear
documentation. They need to be added back in, with documentation, or included
in a node which provides the necessary further context for them to be naturally
understandable.
* Move mlsag/mod.rs to mlsag.rs
This should only be a folder if it has multiple files.
* Replace EcdhInfo terminology
The ECDH encrypted the amount, yet this struct contained the encrypted amount,
not some ECDH.
Also corrects the types on the original EcdhInfo struct.
* Correct handling of commitment masks when scanning
* Route read_array through read_raw_vec
* Misc lint
* Make a proper RctType enum
No longer caches RctType in the RctSignatures as well.
* Replace Vec<Bulletproofs> with Bulletproofs
Monero uses aggregated range proofs, so there's only ever one Bulletproof. This
is enforced with a consensus rule as well, making this safe.
As for why Monero uses a vec, it's probably due to the lack of variadic typing
used. Its effectively an Option for them, yet we don't need an Option since we
do have variadic typing (enums).
* Add necessary checks to Eventuality re: supported protocols
* Fix for block 202612 and fix merkel root calculations
* MLSAG (de)serialisation fix
ss_2_elements will not always be 2 as rct type 1 transactions are not enforced to have one input
* Revert "MLSAG (de)serialisation fix"
This reverts commit 5e710e0c96658092c6ecfe5e4ea5a9c3dbee3ab3.
here it checks number of MGs == number of inputs:
https://github.com/monero-project/monero/blob/0a1eaf26f9dd6b762c2582ee12603b2a4671c735/src/cryptonote_core/tx_verification_utils.cpp#L60-59
and here it checks for RctTypeFull number of MGs == 1:
https://github.com/monero-project/monero/blob/0a1eaf26f9dd6b762c2582ee12603b2a4671c735/src/ringct/rctSigs.cpp#L1325
so number of inputs == 1
so ss_2_elements == 2
* update `MlsagAggregate` comment
* cargo update
Resolves a yanked crate
* Move location of serai-client in Cargo.toml
---------
Co-authored-by: Luke Parker <lukeparker5132@gmail.com>
2023-07-04 21:18:05 +00:00
|
|
|
#[cfg(not(feature = "experimental"))]
|
|
|
|
|
{
|
|
|
|
|
let _ = mask;
|
|
|
|
|
let _ = amount;
|
|
|
|
|
todo!("decrypting a legacy monero transaction's amount")
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
EncryptedAmount::Compact { amount } => (
|
|
|
|
|
commitment_mask(key),
|
|
|
|
|
u64::from_le_bytes(amount_encryption(u64::from_le_bytes(*amount), key)),
|
|
|
|
|
),
|
|
|
|
|
}
|
2022-05-21 15:33:35 -04:00
|
|
|
}
|
2022-06-28 00:01:20 -04:00
|
|
|
|
2022-09-28 07:44:49 -05:00
|
|
|
/// The private view key and public spend key, enabling scanning transactions.
|
Utilize zeroize (#76)
* Apply Zeroize to nonces used in Bulletproofs
Also makes bit decomposition constant time for a given amount of
outputs.
* Fix nonce reuse for single-signer CLSAG
* Attach Zeroize to most structures in Monero, and ZOnDrop to anything with private data
* Zeroize private keys and nonces
* Merge prepare_outputs and prepare_transactions
* Ensure CLSAG is constant time
* Pass by borrow where needed, bug fixes
The past few commitments have been one in-progress chunk which I've
broken up as best read.
* Add Zeroize to FROST structs
Still needs to zeroize internally, yet next step. Not quite as
aggressive as Monero, partially due to the limitations of HashMaps,
partially due to less concern about metadata, yet does still delete a
few smaller items of metadata (group key, context string...).
* Remove Zeroize from most Monero multisig structs
These structs largely didn't have private data, just fields with private
data, yet those fields implemented ZeroizeOnDrop making them already
covered. While there is still traces of the transaction left in RAM,
fully purging that was never the intent.
* Use Zeroize within dleq
bitvec doesn't offer Zeroize, so a manual zeroing has been implemented.
* Use Zeroize for random_nonce
It isn't perfect, due to the inability to zeroize the digest, and due to
kp256 requiring a few transformations. It does the best it can though.
Does move the per-curve random_nonce to a provided one, which is allowed
as of https://github.com/cfrg/draft-irtf-cfrg-frost/pull/231.
* Use Zeroize on FROST keygen/signing
* Zeroize constant time multiexp.
* Correct when FROST keygen zeroizes
* Move the FROST keys Arc into FrostKeys
Reduces amount of instances in memory.
* Manually implement Debug for FrostCore to not leak the secret share
* Misc bug fixes
* clippy + multiexp test bug fixes
* Correct FROST key gen share summation
It leaked our own share for ourself.
* Fix cross-group DLEq tests
2022-08-03 03:25:18 -05:00
|
|
|
#[derive(Clone, Zeroize, ZeroizeOnDrop)]
|
2022-06-28 00:01:20 -04:00
|
|
|
pub struct ViewPair {
|
2022-08-22 08:32:09 -04:00
|
|
|
spend: EdwardsPoint,
|
2022-12-14 09:27:49 -05:00
|
|
|
view: Zeroizing<Scalar>,
|
2022-08-22 08:32:09 -04:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
impl ViewPair {
|
2022-12-14 09:27:49 -05:00
|
|
|
pub fn new(spend: EdwardsPoint, view: Zeroizing<Scalar>) -> ViewPair {
|
2022-08-22 08:32:09 -04:00
|
|
|
ViewPair { spend, view }
|
|
|
|
|
}
|
|
|
|
|
|
2023-01-17 00:17:54 +03:00
|
|
|
pub fn spend(&self) -> EdwardsPoint {
|
|
|
|
|
self.spend
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
pub fn view(&self) -> EdwardsPoint {
|
|
|
|
|
self.view.deref() * &ED25519_BASEPOINT_TABLE
|
|
|
|
|
}
|
|
|
|
|
|
2023-01-07 04:44:23 -05:00
|
|
|
fn subaddress_derivation(&self, index: SubaddressIndex) -> Scalar {
|
2022-12-14 09:27:49 -05:00
|
|
|
hash_to_scalar(&Zeroizing::new(
|
|
|
|
|
[
|
2022-08-22 08:32:09 -04:00
|
|
|
b"SubAddr\0".as_ref(),
|
2022-12-14 09:27:49 -05:00
|
|
|
Zeroizing::new(self.view.to_bytes()).as_ref(),
|
2023-01-07 04:44:23 -05:00
|
|
|
&index.account().to_le_bytes(),
|
|
|
|
|
&index.address().to_le_bytes(),
|
2022-08-22 08:32:09 -04:00
|
|
|
]
|
|
|
|
|
.concat(),
|
2022-12-14 09:27:49 -05:00
|
|
|
))
|
2022-08-22 08:32:09 -04:00
|
|
|
}
|
2023-01-06 04:33:17 -05:00
|
|
|
|
2023-01-07 04:44:23 -05:00
|
|
|
fn subaddress_keys(&self, index: SubaddressIndex) -> (EdwardsPoint, EdwardsPoint) {
|
2023-01-06 04:33:17 -05:00
|
|
|
let scalar = self.subaddress_derivation(index);
|
|
|
|
|
let spend = self.spend + (&scalar * &ED25519_BASEPOINT_TABLE);
|
|
|
|
|
let view = self.view.deref() * spend;
|
2023-01-07 04:44:23 -05:00
|
|
|
(spend, view)
|
2023-01-06 04:33:17 -05:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/// Returns an address with the provided specification.
|
|
|
|
|
pub fn address(&self, network: Network, spec: AddressSpec) -> MoneroAddress {
|
|
|
|
|
let mut spend = self.spend;
|
|
|
|
|
let mut view: EdwardsPoint = self.view.deref() * &ED25519_BASEPOINT_TABLE;
|
|
|
|
|
|
|
|
|
|
// construct the address meta
|
|
|
|
|
let meta = match spec {
|
|
|
|
|
AddressSpec::Standard => AddressMeta::new(network, AddressType::Standard),
|
|
|
|
|
AddressSpec::Integrated(payment_id) => {
|
|
|
|
|
AddressMeta::new(network, AddressType::Integrated(payment_id))
|
|
|
|
|
}
|
2023-01-07 04:44:23 -05:00
|
|
|
AddressSpec::Subaddress(index) => {
|
|
|
|
|
(spend, view) = self.subaddress_keys(index);
|
|
|
|
|
AddressMeta::new(network, AddressType::Subaddress)
|
2023-01-06 04:33:17 -05:00
|
|
|
}
|
2023-01-07 05:37:43 -05:00
|
|
|
AddressSpec::Featured { subaddress, payment_id, guaranteed } => {
|
2023-01-07 04:44:23 -05:00
|
|
|
if let Some(index) = subaddress {
|
|
|
|
|
(spend, view) = self.subaddress_keys(index);
|
2023-01-06 04:33:17 -05:00
|
|
|
}
|
2023-01-07 04:44:23 -05:00
|
|
|
AddressMeta::new(
|
|
|
|
|
network,
|
2023-01-07 05:37:43 -05:00
|
|
|
AddressType::Featured { subaddress: subaddress.is_some(), payment_id, guaranteed },
|
2023-01-07 04:44:23 -05:00
|
|
|
)
|
2023-01-06 04:33:17 -05:00
|
|
|
}
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
MoneroAddress::new(meta, spend, view)
|
|
|
|
|
}
|
2022-08-22 08:32:09 -04:00
|
|
|
}
|
|
|
|
|
|
2022-09-28 07:44:49 -05:00
|
|
|
/// Transaction scanner.
|
|
|
|
|
/// This scanner is capable of generating subaddresses, additionally scanning for them once they've
|
|
|
|
|
/// been explicitly generated. If the burning bug is attempted, any secondary outputs will be
|
|
|
|
|
/// ignored.
|
2022-08-22 08:32:09 -04:00
|
|
|
#[derive(Clone)]
|
|
|
|
|
pub struct Scanner {
|
|
|
|
|
pair: ViewPair,
|
2023-01-07 04:44:23 -05:00
|
|
|
// Also contains the spend key as None
|
|
|
|
|
pub(crate) subaddresses: HashMap<CompressedEdwardsY, Option<SubaddressIndex>>,
|
2022-08-22 08:57:36 -04:00
|
|
|
pub(crate) burning_bug: Option<HashSet<CompressedEdwardsY>>,
|
2022-08-22 08:32:09 -04:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
impl Zeroize for Scanner {
|
|
|
|
|
fn zeroize(&mut self) {
|
|
|
|
|
self.pair.zeroize();
|
2022-08-22 08:57:36 -04:00
|
|
|
|
|
|
|
|
// These may not be effective, unfortunately
|
2022-08-22 08:32:09 -04:00
|
|
|
for (mut key, mut value) in self.subaddresses.drain() {
|
|
|
|
|
key.zeroize();
|
|
|
|
|
value.zeroize();
|
|
|
|
|
}
|
2022-08-22 08:57:36 -04:00
|
|
|
if let Some(ref mut burning_bug) = self.burning_bug.take() {
|
|
|
|
|
for mut output in burning_bug.drain() {
|
|
|
|
|
output.zeroize();
|
|
|
|
|
}
|
|
|
|
|
}
|
2022-08-22 08:32:09 -04:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
impl Drop for Scanner {
|
|
|
|
|
fn drop(&mut self) {
|
|
|
|
|
self.zeroize();
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
impl ZeroizeOnDrop for Scanner {}
|
|
|
|
|
|
|
|
|
|
impl Scanner {
|
2022-09-28 07:44:49 -05:00
|
|
|
/// Create a Scanner from a ViewPair.
|
2023-07-08 11:29:05 -04:00
|
|
|
///
|
2022-09-28 07:44:49 -05:00
|
|
|
/// burning_bug is a HashSet of used keys, intended to prevent key reuse which would burn funds.
|
2023-07-08 11:29:05 -04:00
|
|
|
///
|
2022-09-28 07:44:49 -05:00
|
|
|
/// When an output is successfully scanned, the output key MUST be saved to disk.
|
2023-07-08 11:29:05 -04:00
|
|
|
///
|
2022-09-28 07:44:49 -05:00
|
|
|
/// When a new scanner is created, ALL saved output keys must be passed in to be secure.
|
2023-07-08 11:29:05 -04:00
|
|
|
///
|
2022-09-28 07:44:49 -05:00
|
|
|
/// If None is passed, a modified shared key derivation is used which is immune to the burning
|
|
|
|
|
/// bug (specifically the Guaranteed feature from Featured Addresses).
|
2023-01-06 04:33:17 -05:00
|
|
|
pub fn from_view(pair: ViewPair, burning_bug: Option<HashSet<CompressedEdwardsY>>) -> Scanner {
|
2022-08-22 08:32:09 -04:00
|
|
|
let mut subaddresses = HashMap::new();
|
2023-01-07 04:44:23 -05:00
|
|
|
subaddresses.insert(pair.spend.compress(), None);
|
2023-01-06 04:33:17 -05:00
|
|
|
Scanner { pair, subaddresses, burning_bug }
|
2022-08-22 08:32:09 -04:00
|
|
|
}
|
|
|
|
|
|
2023-01-06 04:33:17 -05:00
|
|
|
/// Register a subaddress.
|
|
|
|
|
// There used to be an address function here, yet it wasn't safe. It could generate addresses
|
|
|
|
|
// incompatible with the Scanner. While we could return None for that, then we have the issue
|
|
|
|
|
// of runtime failures to generate an address.
|
|
|
|
|
// Removing that API was the simplest option.
|
2023-01-07 04:44:23 -05:00
|
|
|
pub fn register_subaddress(&mut self, subaddress: SubaddressIndex) {
|
|
|
|
|
let (spend, _) = self.pair.subaddress_keys(subaddress);
|
|
|
|
|
self.subaddresses.insert(spend.compress(), Some(subaddress));
|
2022-08-22 08:32:09 -04:00
|
|
|
}
|
2022-06-28 00:01:20 -04:00
|
|
|
}
|
