absolutebi/serai
1
0
Fork 0
mirror of https://github.com/serai-dex/serai.git synced 2025-12-11 21:49:26 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
c40ce009558b8b9943e8dff84c66d486d454c63b
serai/coins/monero/src/ringct/bulletproofs/mod.rs

230 lines
7.0 KiB
Rust
Raw Normal View History

Remove monero-rs types Still missing an updated RPC file. Restructures the library as it makes sense
2022-05-21 15:33:35 -04:00
#![allow(non_snake_case)]
Implement TX creation Updates CLSAG signing as needed. Moves around Error types. CLSAG multisig and the multisig feature is currently completely borked because of this. The created TXs are accepted by Monero nodes.
2022-04-28 03:31:09 -04:00
no-std support for monero-serai (#311) * Move monero-serai from std to std-shims, where possible * no-std fixes * Make the HttpRpc its own feature, thiserror only on std * Drop monero-rs's epee for a homegrown one We only need it for a single function. While I tried jeffro's, it didn't work out of the box, had three unimplemented!s, and is no where near viable for no_std. Fixes #182, though should be further tested. * no-std monero-serai * Allow base58-monero via git * cargo fmt
2023-06-29 04:14:29 -04:00
use std_shims::{
vec::Vec,
io::{self, Read, Write},
};
Standardize serialization within the Monero lib read for R: Read write for W: Write serialize for -> Vec<u8> Also uses std::io::{self, Read, Write} consistently.
2023-01-07 05:18:35 -05:00
Override Monero's random function with a Rust-seedable random Closes https://github.com/serai-dex/serai/issues/2. Also finishes the implementation of https://github.com/monero-project/research-lab/issues/103.
2022-05-22 01:56:17 -04:00
use rand_core::{RngCore, CryptoRng};
Utilize zeroize (#76) * Apply Zeroize to nonces used in Bulletproofs Also makes bit decomposition constant time for a given amount of outputs. * Fix nonce reuse for single-signer CLSAG * Attach Zeroize to most structures in Monero, and ZOnDrop to anything with private data * Zeroize private keys and nonces * Merge prepare_outputs and prepare_transactions * Ensure CLSAG is constant time * Pass by borrow where needed, bug fixes The past few commitments have been one in-progress chunk which I've broken up as best read. * Add Zeroize to FROST structs Still needs to zeroize internally, yet next step. Not quite as aggressive as Monero, partially due to the limitations of HashMaps, partially due to less concern about metadata, yet does still delete a few smaller items of metadata (group key, context string...). * Remove Zeroize from most Monero multisig structs These structs largely didn't have private data, just fields with private data, yet those fields implemented ZeroizeOnDrop making them already covered. While there is still traces of the transaction left in RAM, fully purging that was never the intent. * Use Zeroize within dleq bitvec doesn't offer Zeroize, so a manual zeroing has been implemented. * Use Zeroize for random_nonce It isn't perfect, due to the inability to zeroize the digest, and due to kp256 requiring a few transformations. It does the best it can though. Does move the per-curve random_nonce to a provided one, which is allowed as of https://github.com/cfrg/draft-irtf-cfrg-frost/pull/231. * Use Zeroize on FROST keygen/signing * Zeroize constant time multiexp. * Correct when FROST keygen zeroizes * Move the FROST keys Arc into FrostKeys Reduces amount of instances in memory. * Manually implement Debug for FrostCore to not leak the secret share * Misc bug fixes * clippy + multiexp test bug fixes * Correct FROST key gen share summation It leaked our own share for ourself. * Fix cross-group DLEq tests
2022-08-03 03:25:18 -05:00
use zeroize::Zeroize;
Modularize Bulletproofs in prep for BP+
2022-07-26 08:06:56 -04:00
use curve25519_dalek::edwards::EdwardsPoint;
BP Verification (#75) * Use a struct in an enum for Bulletproofs * verification bp working for just one proof * add some more assert tests * Clean BP verification * Implement batch verification * Add a debug assertion w_cache isn't 0 It's initially set to 0 and if not updated, this would be broken. * Correct Monero workflow yaml * Again try to corrent Monero workflow yaml * Again * Finally * Re-apply weights as required by Bulletproofs Removing these was insecure and my fault. Co-authored-by: DangerousFreedom <dangfreed@tutanota.com>
2022-07-31 21:45:53 -05:00
use multiexp::BatchVerifier;
Implement TX creation Updates CLSAG signing as needed. Moves around Error types. CLSAG multisig and the multisig feature is currently completely borked because of this. The created TXs are accepted by Monero nodes.
2022-04-28 03:31:09 -04:00
Remove monero-rs types Still missing an updated RPC file. Restructures the library as it makes sense
2022-05-21 15:33:35 -04:00
use crate::{Commitment, wallet::TransactionError, serialize::*};
Move Rust definitions of C functions to their respective files
2022-05-13 20:26:53 -04:00
Implement Bulletproofs in Rust (#69) * Initial attempt at Bulletproofs I don't know why this doesn't work. The generators and hash_cache lines up without issue. AFAICT, the inner product proof is valid as well, as are all included formulas. * Add yinvpow asserts * Clean code * Correct bad imports * Fix the definition of TWO_N Bulletproofs work now :D * Tidy up a bit * fmt + clippy * Compile a variety of XMR dependencies with optimizations, even under dev The Rust bulletproof implementation is 8% slower than C right now, under release. This is acceptable, even if suboptimal. Under debug, they take a quarter of a second to two seconds though, depending on the amount of outputs, which justifies this move. * Remove unnecessary deref in BPs
2022-07-26 02:05:15 -05:00
pub(crate) mod scalar_vector;
Reorganize bulletproofs
2022-07-31 23:12:45 -04:00
pub(crate) mod core;
Update BP fee_weight Closes https://github.com/serai-dex/serai/issues/8.
2022-08-21 10:35:10 -04:00
use self::core::LOG_N;
Implement Bulletproofs in Rust (#69) * Initial attempt at Bulletproofs I don't know why this doesn't work. The generators and hash_cache lines up without issue. AFAICT, the inner product proof is valid as well, as are all included formulas. * Add yinvpow asserts * Clean code * Correct bad imports * Fix the definition of TWO_N Bulletproofs work now :D * Tidy up a bit * fmt + clippy * Compile a variety of XMR dependencies with optimizations, even under dev The Rust bulletproof implementation is 8% slower than C right now, under release. This is acceptable, even if suboptimal. Under debug, they take a quarter of a second to two seconds though, depending on the amount of outputs, which justifies this move. * Remove unnecessary deref in BPs
2022-07-26 02:05:15 -05:00
Reorganize bulletproofs
2022-07-31 23:12:45 -04:00
pub(crate) mod original;
Use FCMP implementation of BP+ in monero-serai (#344) * Add in an implementation of BP+ based off the paper, intended for clarity and review This was done as part of my work on FCMPs from Monero, and is copied from https://github.com/kayabaNerve/full-chain-membership-proofs * Remove crate structure of BP+ * Remove arithmetic circuit code * Remove AC/VC generators code * Remove generator transcript Monero uses non-transcripted static generators. * Further trimming of generators * Remove the single range proof It's unused by Monero and accordingly unhelpful. * Work on getting BP+ to compile in its new env * Correct BP+ folder name * Further tweaks to get closer to compiling * Remove the ScalarMatrix file It's only used for AC proofs * Compiles, with tests passing * Lock BP+ to Ed25519 instead of the generic Ciphersuite * Resolve most warnings in BP+ * Make existing bulletproofs test easier to read * Further strip generators * Swap G/H as Monero did * Replace RangeCommitment with Commitment * Hard-code BP+ h to Ed25519's generator * Use pub(crate) for BP+, not pub * Replace initial_transcript with hash_plus * Rename hash_plus to initial_transcript * Finish integrating the FCMP BP+ impl * Move BP+ folder * Correct no-std support * Rename "long_n" to eta * Add note on non-prime order dfg points
2023-08-27 15:33:17 -04:00
use self::original::OriginalStruct;
Implement Bulletproofs in Rust (#69) * Initial attempt at Bulletproofs I don't know why this doesn't work. The generators and hash_cache lines up without issue. AFAICT, the inner product proof is valid as well, as are all included formulas. * Add yinvpow asserts * Clean code * Correct bad imports * Fix the definition of TWO_N Bulletproofs work now :D * Tidy up a bit * fmt + clippy * Compile a variety of XMR dependencies with optimizations, even under dev The Rust bulletproof implementation is 8% slower than C right now, under release. This is acceptable, even if suboptimal. Under debug, they take a quarter of a second to two seconds though, depending on the amount of outputs, which justifies this move. * Remove unnecessary deref in BPs
2022-07-26 02:05:15 -05:00
Use FCMP implementation of BP+ in monero-serai (#344) * Add in an implementation of BP+ based off the paper, intended for clarity and review This was done as part of my work on FCMPs from Monero, and is copied from https://github.com/kayabaNerve/full-chain-membership-proofs * Remove crate structure of BP+ * Remove arithmetic circuit code * Remove AC/VC generators code * Remove generator transcript Monero uses non-transcripted static generators. * Further trimming of generators * Remove the single range proof It's unused by Monero and accordingly unhelpful. * Work on getting BP+ to compile in its new env * Correct BP+ folder name * Further tweaks to get closer to compiling * Remove the ScalarMatrix file It's only used for AC proofs * Compiles, with tests passing * Lock BP+ to Ed25519 instead of the generic Ciphersuite * Resolve most warnings in BP+ * Make existing bulletproofs test easier to read * Further strip generators * Swap G/H as Monero did * Replace RangeCommitment with Commitment * Hard-code BP+ h to Ed25519's generator * Use pub(crate) for BP+, not pub * Replace initial_transcript with hash_plus * Rename hash_plus to initial_transcript * Finish integrating the FCMP BP+ impl * Move BP+ folder * Correct no-std support * Rename "long_n" to eta * Add note on non-prime order dfg points
2023-08-27 15:33:17 -04:00
pub(crate) mod plus;
use self::plus::*;
Reorganize bulletproofs
2022-07-31 23:12:45 -04:00
pub(crate) const MAX_OUTPUTS: usize = self::core::MAX_M;
Initial documentation for the Monero libraries (#122) * Document all features * Largely document the Monero libraries Relevant to https://github.com/serai-dex/serai/issues/103 and likely sufficient to get this removed from https://github.com/serai-dex/serai/issues/102.
2022-09-28 07:44:49 -05:00
/// Bulletproofs enum, supporting the original and plus formulations.
Reorganize bulletproofs
2022-07-31 23:12:45 -04:00
#[allow(clippy::large_enum_variant)]
#[derive(Clone, PartialEq, Eq, Debug)]
pub enum Bulletproofs {
Original(OriginalStruct),
Use FCMP implementation of BP+ in monero-serai (#344) * Add in an implementation of BP+ based off the paper, intended for clarity and review This was done as part of my work on FCMPs from Monero, and is copied from https://github.com/kayabaNerve/full-chain-membership-proofs * Remove crate structure of BP+ * Remove arithmetic circuit code * Remove AC/VC generators code * Remove generator transcript Monero uses non-transcripted static generators. * Further trimming of generators * Remove the single range proof It's unused by Monero and accordingly unhelpful. * Work on getting BP+ to compile in its new env * Correct BP+ folder name * Further tweaks to get closer to compiling * Remove the ScalarMatrix file It's only used for AC proofs * Compiles, with tests passing * Lock BP+ to Ed25519 instead of the generic Ciphersuite * Resolve most warnings in BP+ * Make existing bulletproofs test easier to read * Further strip generators * Swap G/H as Monero did * Replace RangeCommitment with Commitment * Hard-code BP+ h to Ed25519's generator * Use pub(crate) for BP+, not pub * Replace initial_transcript with hash_plus * Rename hash_plus to initial_transcript * Finish integrating the FCMP BP+ impl * Move BP+ folder * Correct no-std support * Rename "long_n" to eta * Add note on non-prime order dfg points
2023-08-27 15:33:17 -04:00
Plus(AggregateRangeProof),
Reorganize bulletproofs
2022-07-31 23:12:45 -04:00
}
Add fee handling code to Monero Updates how change outputs are handled, with a far more logical construction offering greater flexibility. prepare_outputs can not longer error. SignaableTransaction::new will.
2022-06-19 12:03:01 -04:00
Remove monero-rs types Still missing an updated RPC file. Restructures the library as it makes sense
2022-05-21 15:33:35 -04:00
impl Bulletproofs {
monero-serai: fee calculation parity with Monero's wallet2 (#301) * monero-serai: fee calculation parity with Monero's wallet2 * Minor lint --------- Co-authored-by: Luke Parker <lukeparker5132@gmail.com>
2023-07-19 12:06:05 -07:00
fn bp_fields(plus: bool) -> usize {
if plus {
6
} else {
9
}
}
Update BP fee_weight Closes https://github.com/serai-dex/serai/issues/8.
2022-08-21 10:35:10 -04:00
monero-serai: fee calculation parity with Monero's wallet2 (#301) * monero-serai: fee calculation parity with Monero's wallet2 * Minor lint --------- Co-authored-by: Luke Parker <lukeparker5132@gmail.com>
2023-07-19 12:06:05 -07:00
// https://github.com/monero-project/monero/blob/94e67bf96bbc010241f29ada6abc89f49a81759c/
// src/cryptonote_basic/cryptonote_format_utils.cpp#L106-L124
pub(crate) fn calculate_bp_clawback(plus: bool, n_outputs: usize) -> (usize, usize) {
Update BP fee_weight Closes https://github.com/serai-dex/serai/issues/8.
2022-08-21 10:35:10 -04:00
#[allow(non_snake_case)]
monero-serai: fee calculation parity with Monero's wallet2 (#301) * monero-serai: fee calculation parity with Monero's wallet2 * Minor lint --------- Co-authored-by: Luke Parker <lukeparker5132@gmail.com>
2023-07-19 12:06:05 -07:00
let mut LR_len = 0;
let mut n_padded_outputs = 1;
while n_padded_outputs < n_outputs {
LR_len += 1;
n_padded_outputs = 1 << LR_len;
}
Update BP fee_weight Closes https://github.com/serai-dex/serai/issues/8.
2022-08-21 10:35:10 -04:00
LR_len += LOG_N;
monero-serai: fee calculation parity with Monero's wallet2 (#301) * monero-serai: fee calculation parity with Monero's wallet2 * Minor lint --------- Co-authored-by: Luke Parker <lukeparker5132@gmail.com>
2023-07-19 12:06:05 -07:00
let mut bp_clawback = 0;
if n_padded_outputs > 2 {
let fields = Bulletproofs::bp_fields(plus);
let base = ((fields + (2 * (LOG_N + 1))) * 32) / 2;
let size = (fields + (2 * LR_len)) * 32;
bp_clawback = ((base * n_padded_outputs) - size) * 4 / 5;
}
(bp_clawback, LR_len)
}
pub(crate) fn fee_weight(plus: bool, outputs: usize) -> usize {
#[allow(non_snake_case)]
let (bp_clawback, LR_len) = Bulletproofs::calculate_bp_clawback(plus, outputs);
32 * (Bulletproofs::bp_fields(plus) + (2 * LR_len)) + 2 + bp_clawback
Add fee handling code to Monero Updates how change outputs are handled, with a far more logical construction offering greater flexibility. prepare_outputs can not longer error. SignaableTransaction::new will.
2022-06-19 12:03:01 -04:00
}
Initial documentation for the Monero libraries (#122) * Document all features * Largely document the Monero libraries Relevant to https://github.com/serai-dex/serai/issues/103 and likely sufficient to get this removed from https://github.com/serai-dex/serai/issues/102.
2022-09-28 07:44:49 -05:00
/// Prove the list of commitments are within [0 .. 2^64).
Modularize Bulletproofs in prep for BP+
2022-07-26 08:06:56 -04:00
pub fn prove<R: RngCore + CryptoRng>(
Apply an initial set of rustfmt rules
2022-07-15 01:26:07 -04:00
rng: &mut R,
outputs: &[Commitment],
Bulletproofs+ (#70) * Initial stab at Bulletproofs+ Does move around the existing Bulletproofs code, does still work as expected. * Make the Clsag RCTPrunable type work with BP and BP+ * Initial set of BP+ bug fixes * Further bug fixes * Remove RING_LEN as a constant * Monero v16 TX support Doesn't implement view tags, nor going back to v14, nor the updated BP clawback logic. * Support v14 and v16 at the same time
2022-07-27 04:05:43 -05:00
plus: bool,
Apply an initial set of rustfmt rules
2022-07-15 01:26:07 -04:00
) -> Result<Bulletproofs, TransactionError> {
Use FCMP implementation of BP+ in monero-serai (#344) * Add in an implementation of BP+ based off the paper, intended for clarity and review This was done as part of my work on FCMPs from Monero, and is copied from https://github.com/kayabaNerve/full-chain-membership-proofs * Remove crate structure of BP+ * Remove arithmetic circuit code * Remove AC/VC generators code * Remove generator transcript Monero uses non-transcripted static generators. * Further trimming of generators * Remove the single range proof It's unused by Monero and accordingly unhelpful. * Work on getting BP+ to compile in its new env * Correct BP+ folder name * Further tweaks to get closer to compiling * Remove the ScalarMatrix file It's only used for AC proofs * Compiles, with tests passing * Lock BP+ to Ed25519 instead of the generic Ciphersuite * Resolve most warnings in BP+ * Make existing bulletproofs test easier to read * Further strip generators * Swap G/H as Monero did * Replace RangeCommitment with Commitment * Hard-code BP+ h to Ed25519's generator * Use pub(crate) for BP+, not pub * Replace initial_transcript with hash_plus * Rename hash_plus to initial_transcript * Finish integrating the FCMP BP+ impl * Move BP+ folder * Correct no-std support * Rename "long_n" to eta * Add note on non-prime order dfg points
2023-08-27 15:33:17 -04:00
if outputs.is_empty() {
Err(TransactionError::NoOutputs)?;
}
Add fee handling code to Monero Updates how change outputs are handled, with a far more logical construction offering greater flexibility. prepare_outputs can not longer error. SignaableTransaction::new will.
2022-06-19 12:03:01 -04:00
if outputs.len() > MAX_OUTPUTS {
Use FCMP implementation of BP+ in monero-serai (#344) * Add in an implementation of BP+ based off the paper, intended for clarity and review This was done as part of my work on FCMPs from Monero, and is copied from https://github.com/kayabaNerve/full-chain-membership-proofs * Remove crate structure of BP+ * Remove arithmetic circuit code * Remove AC/VC generators code * Remove generator transcript Monero uses non-transcripted static generators. * Further trimming of generators * Remove the single range proof It's unused by Monero and accordingly unhelpful. * Work on getting BP+ to compile in its new env * Correct BP+ folder name * Further tweaks to get closer to compiling * Remove the ScalarMatrix file It's only used for AC proofs * Compiles, with tests passing * Lock BP+ to Ed25519 instead of the generic Ciphersuite * Resolve most warnings in BP+ * Make existing bulletproofs test easier to read * Further strip generators * Swap G/H as Monero did * Replace RangeCommitment with Commitment * Hard-code BP+ h to Ed25519's generator * Use pub(crate) for BP+, not pub * Replace initial_transcript with hash_plus * Rename hash_plus to initial_transcript * Finish integrating the FCMP BP+ impl * Move BP+ folder * Correct no-std support * Rename "long_n" to eta * Add note on non-prime order dfg points
2023-08-27 15:33:17 -04:00
Err(TransactionError::TooManyOutputs)?;
Remove monero-rs types Still missing an updated RPC file. Restructures the library as it makes sense
2022-05-21 15:33:35 -04:00
}
Reorganize bulletproofs
2022-07-31 23:12:45 -04:00
Ok(if !plus {
Bulletproofs::Original(OriginalStruct::prove(rng, outputs))
} else {
Use FCMP implementation of BP+ in monero-serai (#344) * Add in an implementation of BP+ based off the paper, intended for clarity and review This was done as part of my work on FCMPs from Monero, and is copied from https://github.com/kayabaNerve/full-chain-membership-proofs * Remove crate structure of BP+ * Remove arithmetic circuit code * Remove AC/VC generators code * Remove generator transcript Monero uses non-transcripted static generators. * Further trimming of generators * Remove the single range proof It's unused by Monero and accordingly unhelpful. * Work on getting BP+ to compile in its new env * Correct BP+ folder name * Further tweaks to get closer to compiling * Remove the ScalarMatrix file It's only used for AC proofs * Compiles, with tests passing * Lock BP+ to Ed25519 instead of the generic Ciphersuite * Resolve most warnings in BP+ * Make existing bulletproofs test easier to read * Further strip generators * Swap G/H as Monero did * Replace RangeCommitment with Commitment * Hard-code BP+ h to Ed25519's generator * Use pub(crate) for BP+, not pub * Replace initial_transcript with hash_plus * Rename hash_plus to initial_transcript * Finish integrating the FCMP BP+ impl * Move BP+ folder * Correct no-std support * Rename "long_n" to eta * Add note on non-prime order dfg points
2023-08-27 15:33:17 -04:00
use dalek_ff_group::EdwardsPoint as DfgPoint;
Bulletproofs::Plus(
AggregateRangeStatement::new(outputs.iter().map(|com| DfgPoint(com.calculate())).collect())
.unwrap()
.prove(rng, AggregateRangeWitness::new(outputs).unwrap())
.unwrap(),
)
Reorganize bulletproofs
2022-07-31 23:12:45 -04:00
})
Remove monero-rs types Still missing an updated RPC file. Restructures the library as it makes sense
2022-05-21 15:33:35 -04:00
}
Initial documentation for the Monero libraries (#122) * Document all features * Largely document the Monero libraries Relevant to https://github.com/serai-dex/serai/issues/103 and likely sufficient to get this removed from https://github.com/serai-dex/serai/issues/102.
2022-09-28 07:44:49 -05:00
/// Verify the given Bulletproofs.
BP Verification (#75) * Use a struct in an enum for Bulletproofs * verification bp working for just one proof * add some more assert tests * Clean BP verification * Implement batch verification * Add a debug assertion w_cache isn't 0 It's initially set to 0 and if not updated, this would be broken. * Correct Monero workflow yaml * Again try to corrent Monero workflow yaml * Again * Finally * Re-apply weights as required by Bulletproofs Removing these was insecure and my fault. Co-authored-by: DangerousFreedom <dangfreed@tutanota.com>
2022-07-31 21:45:53 -05:00
#[must_use]
pub fn verify<R: RngCore + CryptoRng>(&self, rng: &mut R, commitments: &[EdwardsPoint]) -> bool {
match self {
Bulletproofs::Original(bp) => bp.verify(rng, commitments),
Use FCMP implementation of BP+ in monero-serai (#344) * Add in an implementation of BP+ based off the paper, intended for clarity and review This was done as part of my work on FCMPs from Monero, and is copied from https://github.com/kayabaNerve/full-chain-membership-proofs * Remove crate structure of BP+ * Remove arithmetic circuit code * Remove AC/VC generators code * Remove generator transcript Monero uses non-transcripted static generators. * Further trimming of generators * Remove the single range proof It's unused by Monero and accordingly unhelpful. * Work on getting BP+ to compile in its new env * Correct BP+ folder name * Further tweaks to get closer to compiling * Remove the ScalarMatrix file It's only used for AC proofs * Compiles, with tests passing * Lock BP+ to Ed25519 instead of the generic Ciphersuite * Resolve most warnings in BP+ * Make existing bulletproofs test easier to read * Further strip generators * Swap G/H as Monero did * Replace RangeCommitment with Commitment * Hard-code BP+ h to Ed25519's generator * Use pub(crate) for BP+, not pub * Replace initial_transcript with hash_plus * Rename hash_plus to initial_transcript * Finish integrating the FCMP BP+ impl * Move BP+ folder * Correct no-std support * Rename "long_n" to eta * Add note on non-prime order dfg points
2023-08-27 15:33:17 -04:00
Bulletproofs::Plus(bp) => {
let mut verifier = BatchVerifier::new(1);
// If this commitment is torsioned (which is allowed), this won't be a well-formed
// dfg::EdwardsPoint (expected to be of prime-order)
// The actual BP+ impl will perform a torsion clear though, making this safe
// TODO: Have AggregateRangeStatement take in dalek EdwardsPoint for clarity on this
let Some(statement) = AggregateRangeStatement::new(
commitments.iter().map(|c| dalek_ff_group::EdwardsPoint(*c)).collect(),
) else {
return false;
};
if !statement.verify(rng, &mut verifier, (), bp.clone()) {
return false;
}
verifier.verify_vartime()
}
BP Verification (#75) * Use a struct in an enum for Bulletproofs * verification bp working for just one proof * add some more assert tests * Clean BP verification * Implement batch verification * Add a debug assertion w_cache isn't 0 It's initially set to 0 and if not updated, this would be broken. * Correct Monero workflow yaml * Again try to corrent Monero workflow yaml * Again * Finally * Re-apply weights as required by Bulletproofs Removing these was insecure and my fault. Co-authored-by: DangerousFreedom <dangfreed@tutanota.com>
2022-07-31 21:45:53 -05:00
}
}
Initial documentation for the Monero libraries (#122) * Document all features * Largely document the Monero libraries Relevant to https://github.com/serai-dex/serai/issues/103 and likely sufficient to get this removed from https://github.com/serai-dex/serai/issues/102.
2022-09-28 07:44:49 -05:00
/// Accumulate the verification for the given Bulletproofs into the specified BatchVerifier.
/// Returns false if the Bulletproofs aren't sane, without mutating the BatchVerifier.
/// Returns true if the Bulletproofs are sane, regardless of their validity.
BP Verification (#75) * Use a struct in an enum for Bulletproofs * verification bp working for just one proof * add some more assert tests * Clean BP verification * Implement batch verification * Add a debug assertion w_cache isn't 0 It's initially set to 0 and if not updated, this would be broken. * Correct Monero workflow yaml * Again try to corrent Monero workflow yaml * Again * Finally * Re-apply weights as required by Bulletproofs Removing these was insecure and my fault. Co-authored-by: DangerousFreedom <dangfreed@tutanota.com>
2022-07-31 21:45:53 -05:00
#[must_use]
Utilize zeroize (#76) * Apply Zeroize to nonces used in Bulletproofs Also makes bit decomposition constant time for a given amount of outputs. * Fix nonce reuse for single-signer CLSAG * Attach Zeroize to most structures in Monero, and ZOnDrop to anything with private data * Zeroize private keys and nonces * Merge prepare_outputs and prepare_transactions * Ensure CLSAG is constant time * Pass by borrow where needed, bug fixes The past few commitments have been one in-progress chunk which I've broken up as best read. * Add Zeroize to FROST structs Still needs to zeroize internally, yet next step. Not quite as aggressive as Monero, partially due to the limitations of HashMaps, partially due to less concern about metadata, yet does still delete a few smaller items of metadata (group key, context string...). * Remove Zeroize from most Monero multisig structs These structs largely didn't have private data, just fields with private data, yet those fields implemented ZeroizeOnDrop making them already covered. While there is still traces of the transaction left in RAM, fully purging that was never the intent. * Use Zeroize within dleq bitvec doesn't offer Zeroize, so a manual zeroing has been implemented. * Use Zeroize for random_nonce It isn't perfect, due to the inability to zeroize the digest, and due to kp256 requiring a few transformations. It does the best it can though. Does move the per-curve random_nonce to a provided one, which is allowed as of https://github.com/cfrg/draft-irtf-cfrg-frost/pull/231. * Use Zeroize on FROST keygen/signing * Zeroize constant time multiexp. * Correct when FROST keygen zeroizes * Move the FROST keys Arc into FrostKeys Reduces amount of instances in memory. * Manually implement Debug for FrostCore to not leak the secret share * Misc bug fixes * clippy + multiexp test bug fixes * Correct FROST key gen share summation It leaked our own share for ourself. * Fix cross-group DLEq tests
2022-08-03 03:25:18 -05:00
pub fn batch_verify<ID: Copy + Zeroize, R: RngCore + CryptoRng>(
BP Verification (#75) * Use a struct in an enum for Bulletproofs * verification bp working for just one proof * add some more assert tests * Clean BP verification * Implement batch verification * Add a debug assertion w_cache isn't 0 It's initially set to 0 and if not updated, this would be broken. * Correct Monero workflow yaml * Again try to corrent Monero workflow yaml * Again * Finally * Re-apply weights as required by Bulletproofs Removing these was insecure and my fault. Co-authored-by: DangerousFreedom <dangfreed@tutanota.com>
2022-07-31 21:45:53 -05:00
&self,
rng: &mut R,
verifier: &mut BatchVerifier<ID, dalek_ff_group::EdwardsPoint>,
id: ID,
commitments: &[EdwardsPoint],
) -> bool {
match self {
Bulletproofs::Original(bp) => bp.batch_verify(rng, verifier, id, commitments),
Use FCMP implementation of BP+ in monero-serai (#344) * Add in an implementation of BP+ based off the paper, intended for clarity and review This was done as part of my work on FCMPs from Monero, and is copied from https://github.com/kayabaNerve/full-chain-membership-proofs * Remove crate structure of BP+ * Remove arithmetic circuit code * Remove AC/VC generators code * Remove generator transcript Monero uses non-transcripted static generators. * Further trimming of generators * Remove the single range proof It's unused by Monero and accordingly unhelpful. * Work on getting BP+ to compile in its new env * Correct BP+ folder name * Further tweaks to get closer to compiling * Remove the ScalarMatrix file It's only used for AC proofs * Compiles, with tests passing * Lock BP+ to Ed25519 instead of the generic Ciphersuite * Resolve most warnings in BP+ * Make existing bulletproofs test easier to read * Further strip generators * Swap G/H as Monero did * Replace RangeCommitment with Commitment * Hard-code BP+ h to Ed25519's generator * Use pub(crate) for BP+, not pub * Replace initial_transcript with hash_plus * Rename hash_plus to initial_transcript * Finish integrating the FCMP BP+ impl * Move BP+ folder * Correct no-std support * Rename "long_n" to eta * Add note on non-prime order dfg points
2023-08-27 15:33:17 -04:00
Bulletproofs::Plus(bp) => {
let Some(statement) = AggregateRangeStatement::new(
commitments.iter().map(|c| dalek_ff_group::EdwardsPoint(*c)).collect(),
) else {
return false;
};
statement.verify(rng, verifier, id, bp.clone())
}
BP Verification (#75) * Use a struct in an enum for Bulletproofs * verification bp working for just one proof * add some more assert tests * Clean BP verification * Implement batch verification * Add a debug assertion w_cache isn't 0 It's initially set to 0 and if not updated, this would be broken. * Correct Monero workflow yaml * Again try to corrent Monero workflow yaml * Again * Finally * Re-apply weights as required by Bulletproofs Removing these was insecure and my fault. Co-authored-by: DangerousFreedom <dangfreed@tutanota.com>
2022-07-31 21:45:53 -05:00
}
}
Standardize serialization within the Monero lib read for R: Read write for W: Write serialize for -> Vec<u8> Also uses std::io::{self, Read, Write} consistently.
2023-01-07 05:18:35 -05:00
fn write_core<W: Write, F: Fn(&[EdwardsPoint], &mut W) -> io::Result<()>>(
Apply an initial set of rustfmt rules
2022-07-15 01:26:07 -04:00
&self,
w: &mut W,
specific_write_vec: F,
Standardize serialization within the Monero lib read for R: Read write for W: Write serialize for -> Vec<u8> Also uses std::io::{self, Read, Write} consistently.
2023-01-07 05:18:35 -05:00
) -> io::Result<()> {
Modularize Bulletproofs in prep for BP+
2022-07-26 08:06:56 -04:00
match self {
BP Verification (#75) * Use a struct in an enum for Bulletproofs * verification bp working for just one proof * add some more assert tests * Clean BP verification * Implement batch verification * Add a debug assertion w_cache isn't 0 It's initially set to 0 and if not updated, this would be broken. * Correct Monero workflow yaml * Again try to corrent Monero workflow yaml * Again * Finally * Re-apply weights as required by Bulletproofs Removing these was insecure and my fault. Co-authored-by: DangerousFreedom <dangfreed@tutanota.com>
2022-07-31 21:45:53 -05:00
Bulletproofs::Original(bp) => {
write_point(&bp.A, w)?;
write_point(&bp.S, w)?;
write_point(&bp.T1, w)?;
write_point(&bp.T2, w)?;
write_scalar(&bp.taux, w)?;
write_scalar(&bp.mu, w)?;
specific_write_vec(&bp.L, w)?;
specific_write_vec(&bp.R, w)?;
write_scalar(&bp.a, w)?;
write_scalar(&bp.b, w)?;
write_scalar(&bp.t, w)
Modularize Bulletproofs in prep for BP+
2022-07-26 08:06:56 -04:00
}
Bulletproofs+ (#70) * Initial stab at Bulletproofs+ Does move around the existing Bulletproofs code, does still work as expected. * Make the Clsag RCTPrunable type work with BP and BP+ * Initial set of BP+ bug fixes * Further bug fixes * Remove RING_LEN as a constant * Monero v16 TX support Doesn't implement view tags, nor going back to v14, nor the updated BP clawback logic. * Support v14 and v16 at the same time
2022-07-27 04:05:43 -05:00
BP Verification (#75) * Use a struct in an enum for Bulletproofs * verification bp working for just one proof * add some more assert tests * Clean BP verification * Implement batch verification * Add a debug assertion w_cache isn't 0 It's initially set to 0 and if not updated, this would be broken. * Correct Monero workflow yaml * Again try to corrent Monero workflow yaml * Again * Finally * Re-apply weights as required by Bulletproofs Removing these was insecure and my fault. Co-authored-by: DangerousFreedom <dangfreed@tutanota.com>
2022-07-31 21:45:53 -05:00
Bulletproofs::Plus(bp) => {
Use FCMP implementation of BP+ in monero-serai (#344) * Add in an implementation of BP+ based off the paper, intended for clarity and review This was done as part of my work on FCMPs from Monero, and is copied from https://github.com/kayabaNerve/full-chain-membership-proofs * Remove crate structure of BP+ * Remove arithmetic circuit code * Remove AC/VC generators code * Remove generator transcript Monero uses non-transcripted static generators. * Further trimming of generators * Remove the single range proof It's unused by Monero and accordingly unhelpful. * Work on getting BP+ to compile in its new env * Correct BP+ folder name * Further tweaks to get closer to compiling * Remove the ScalarMatrix file It's only used for AC proofs * Compiles, with tests passing * Lock BP+ to Ed25519 instead of the generic Ciphersuite * Resolve most warnings in BP+ * Make existing bulletproofs test easier to read * Further strip generators * Swap G/H as Monero did * Replace RangeCommitment with Commitment * Hard-code BP+ h to Ed25519's generator * Use pub(crate) for BP+, not pub * Replace initial_transcript with hash_plus * Rename hash_plus to initial_transcript * Finish integrating the FCMP BP+ impl * Move BP+ folder * Correct no-std support * Rename "long_n" to eta * Add note on non-prime order dfg points
2023-08-27 15:33:17 -04:00
write_point(&bp.A.0, w)?;
write_point(&bp.wip.A.0, w)?;
write_point(&bp.wip.B.0, w)?;
write_scalar(&bp.wip.r_answer.0, w)?;
write_scalar(&bp.wip.s_answer.0, w)?;
write_scalar(&bp.wip.delta_answer.0, w)?;
specific_write_vec(&bp.wip.L.iter().cloned().map(|L| L.0).collect::<Vec<_>>(), w)?;
specific_write_vec(&bp.wip.R.iter().cloned().map(|R| R.0).collect::<Vec<_>>(), w)
Bulletproofs+ (#70) * Initial stab at Bulletproofs+ Does move around the existing Bulletproofs code, does still work as expected. * Make the Clsag RCTPrunable type work with BP and BP+ * Initial set of BP+ bug fixes * Further bug fixes * Remove RING_LEN as a constant * Monero v16 TX support Doesn't implement view tags, nor going back to v14, nor the updated BP clawback logic. * Support v14 and v16 at the same time
2022-07-27 04:05:43 -05:00
}
Modularize Bulletproofs in prep for BP+
2022-07-26 08:06:56 -04:00
}
Implement TX creation Updates CLSAG signing as needed. Moves around Error types. CLSAG multisig and the multisig feature is currently completely borked because of this. The created TXs are accepted by Monero nodes.
2022-04-28 03:31:09 -04:00
}
Standardize serialization within the Monero lib read for R: Read write for W: Write serialize for -> Vec<u8> Also uses std::io::{self, Read, Write} consistently.
2023-01-07 05:18:35 -05:00
pub(crate) fn signature_write<W: Write>(&self, w: &mut W) -> io::Result<()> {
self.write_core(w, |points, w| write_raw_vec(write_point, points, w))
}
pub fn write<W: Write>(&self, w: &mut W) -> io::Result<()> {
self.write_core(w, |points, w| write_vec(write_point, points, w))
Remove monero-rs types Still missing an updated RPC file. Restructures the library as it makes sense
2022-05-21 15:33:35 -04:00
}
Clean up code, correct a few bugs, add leader based one-time-key/BP gen
2022-04-28 20:09:31 -04:00
Standardize serialization within the Monero lib read for R: Read write for W: Write serialize for -> Vec<u8> Also uses std::io::{self, Read, Write} consistently.
2023-01-07 05:18:35 -05:00
pub fn serialize(&self) -> Vec<u8> {
let mut serialized = vec![];
self.write(&mut serialized).unwrap();
serialized
Clean up code, correct a few bugs, add leader based one-time-key/BP gen
2022-04-28 20:09:31 -04:00
}
Standardize serialization within the Monero lib read for R: Read write for W: Write serialize for -> Vec<u8> Also uses std::io::{self, Read, Write} consistently.
2023-01-07 05:18:35 -05:00
/// Read Bulletproofs.
pub fn read<R: Read>(r: &mut R) -> io::Result<Bulletproofs> {
BP Verification (#75) * Use a struct in an enum for Bulletproofs * verification bp working for just one proof * add some more assert tests * Clean BP verification * Implement batch verification * Add a debug assertion w_cache isn't 0 It's initially set to 0 and if not updated, this would be broken. * Correct Monero workflow yaml * Again try to corrent Monero workflow yaml * Again * Finally * Re-apply weights as required by Bulletproofs Removing these was insecure and my fault. Co-authored-by: DangerousFreedom <dangfreed@tutanota.com>
2022-07-31 21:45:53 -05:00
Ok(Bulletproofs::Original(OriginalStruct {
Remove monero-rs types Still missing an updated RPC file. Restructures the library as it makes sense
2022-05-21 15:33:35 -04:00
A: read_point(r)?,
S: read_point(r)?,
T1: read_point(r)?,
T2: read_point(r)?,
taux: read_scalar(r)?,
mu: read_scalar(r)?,
Transaction deserialization
2022-05-21 20:27:21 -04:00
L: read_vec(read_point, r)?,
R: read_vec(read_point, r)?,
Remove monero-rs types Still missing an updated RPC file. Restructures the library as it makes sense
2022-05-21 15:33:35 -04:00
a: read_scalar(r)?,
b: read_scalar(r)?,
Apply an initial set of rustfmt rules
2022-07-15 01:26:07 -04:00
t: read_scalar(r)?,
BP Verification (#75) * Use a struct in an enum for Bulletproofs * verification bp working for just one proof * add some more assert tests * Clean BP verification * Implement batch verification * Add a debug assertion w_cache isn't 0 It's initially set to 0 and if not updated, this would be broken. * Correct Monero workflow yaml * Again try to corrent Monero workflow yaml * Again * Finally * Re-apply weights as required by Bulletproofs Removing these was insecure and my fault. Co-authored-by: DangerousFreedom <dangfreed@tutanota.com>
2022-07-31 21:45:53 -05:00
}))
Clean up code, correct a few bugs, add leader based one-time-key/BP gen
2022-04-28 20:09:31 -04:00
}
Bulletproofs+ (#70) * Initial stab at Bulletproofs+ Does move around the existing Bulletproofs code, does still work as expected. * Make the Clsag RCTPrunable type work with BP and BP+ * Initial set of BP+ bug fixes * Further bug fixes * Remove RING_LEN as a constant * Monero v16 TX support Doesn't implement view tags, nor going back to v14, nor the updated BP clawback logic. * Support v14 and v16 at the same time
2022-07-27 04:05:43 -05:00
Standardize serialization within the Monero lib read for R: Read write for W: Write serialize for -> Vec<u8> Also uses std::io::{self, Read, Write} consistently.
2023-01-07 05:18:35 -05:00
/// Read Bulletproofs+.
pub fn read_plus<R: Read>(r: &mut R) -> io::Result<Bulletproofs> {
Use FCMP implementation of BP+ in monero-serai (#344) * Add in an implementation of BP+ based off the paper, intended for clarity and review This was done as part of my work on FCMPs from Monero, and is copied from https://github.com/kayabaNerve/full-chain-membership-proofs * Remove crate structure of BP+ * Remove arithmetic circuit code * Remove AC/VC generators code * Remove generator transcript Monero uses non-transcripted static generators. * Further trimming of generators * Remove the single range proof It's unused by Monero and accordingly unhelpful. * Work on getting BP+ to compile in its new env * Correct BP+ folder name * Further tweaks to get closer to compiling * Remove the ScalarMatrix file It's only used for AC proofs * Compiles, with tests passing * Lock BP+ to Ed25519 instead of the generic Ciphersuite * Resolve most warnings in BP+ * Make existing bulletproofs test easier to read * Further strip generators * Swap G/H as Monero did * Replace RangeCommitment with Commitment * Hard-code BP+ h to Ed25519's generator * Use pub(crate) for BP+, not pub * Replace initial_transcript with hash_plus * Rename hash_plus to initial_transcript * Finish integrating the FCMP BP+ impl * Move BP+ folder * Correct no-std support * Rename "long_n" to eta * Add note on non-prime order dfg points
2023-08-27 15:33:17 -04:00
use dalek_ff_group::{Scalar as DfgScalar, EdwardsPoint as DfgPoint};
Ok(Bulletproofs::Plus(AggregateRangeProof {
A: DfgPoint(read_point(r)?),
wip: WipProof {
A: DfgPoint(read_point(r)?),
B: DfgPoint(read_point(r)?),
r_answer: DfgScalar(read_scalar(r)?),
s_answer: DfgScalar(read_scalar(r)?),
delta_answer: DfgScalar(read_scalar(r)?),
L: read_vec(read_point, r)?.into_iter().map(DfgPoint).collect(),
R: read_vec(read_point, r)?.into_iter().map(DfgPoint).collect(),
},
BP Verification (#75) * Use a struct in an enum for Bulletproofs * verification bp working for just one proof * add some more assert tests * Clean BP verification * Implement batch verification * Add a debug assertion w_cache isn't 0 It's initially set to 0 and if not updated, this would be broken. * Correct Monero workflow yaml * Again try to corrent Monero workflow yaml * Again * Finally * Re-apply weights as required by Bulletproofs Removing these was insecure and my fault. Co-authored-by: DangerousFreedom <dangfreed@tutanota.com>
2022-07-31 21:45:53 -05:00
}))
Bulletproofs+ (#70) * Initial stab at Bulletproofs+ Does move around the existing Bulletproofs code, does still work as expected. * Make the Clsag RCTPrunable type work with BP and BP+ * Initial set of BP+ bug fixes * Further bug fixes * Remove RING_LEN as a constant * Monero v16 TX support Doesn't implement view tags, nor going back to v14, nor the updated BP clawback logic. * Support v14 and v16 at the same time
2022-07-27 04:05:43 -05:00
}
Clean up code, correct a few bugs, add leader based one-time-key/BP gen
2022-04-28 20:09:31 -04:00
}
Reference in New Issue Copy Permalink