absolutebi/serai
1
0
Fork 0
mirror of https://github.com/serai-dex/serai.git synced 2025-12-08 20:29:23 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
d25c668ee4192862d9dfdccf26cac8288fe6e4a6
serai/coins/monero/src/ringct/bulletproofs/core.rs

154 lines
4.0 KiB
Rust
Raw Normal View History

Replace lazy_static with OnceLock inside monero-serai lazy_static, if no_std environments were used, effectively required always using spin locks. This resolves the ergonomics of that while adopting Rust std code. no_std does still use a spin based solution. Theoretically, we could use atomics, yet writing our own Mutex wasn't a priority.
2023-06-28 21:16:33 -04:00
use std_shims::sync::OnceLock;
Implement Bulletproofs in Rust (#69) * Initial attempt at Bulletproofs I don't know why this doesn't work. The generators and hash_cache lines up without issue. AFAICT, the inner product proof is valid as well, as are all included formulas. * Add yinvpow asserts * Clean code * Correct bad imports * Fix the definition of TWO_N Bulletproofs work now :D * Tidy up a bit * fmt + clippy * Compile a variety of XMR dependencies with optimizations, even under dev The Rust bulletproof implementation is 8% slower than C right now, under release. This is acceptable, even if suboptimal. Under debug, they take a quarter of a second to two seconds though, depending on the amount of outputs, which justifies this move. * Remove unnecessary deref in BPs
2022-07-26 02:05:15 -05:00
use rand_core::{RngCore, CryptoRng};
Utilize zeroize (#76) * Apply Zeroize to nonces used in Bulletproofs Also makes bit decomposition constant time for a given amount of outputs. * Fix nonce reuse for single-signer CLSAG * Attach Zeroize to most structures in Monero, and ZOnDrop to anything with private data * Zeroize private keys and nonces * Merge prepare_outputs and prepare_transactions * Ensure CLSAG is constant time * Pass by borrow where needed, bug fixes The past few commitments have been one in-progress chunk which I've broken up as best read. * Add Zeroize to FROST structs Still needs to zeroize internally, yet next step. Not quite as aggressive as Monero, partially due to the limitations of HashMaps, partially due to less concern about metadata, yet does still delete a few smaller items of metadata (group key, context string...). * Remove Zeroize from most Monero multisig structs These structs largely didn't have private data, just fields with private data, yet those fields implemented ZeroizeOnDrop making them already covered. While there is still traces of the transaction left in RAM, fully purging that was never the intent. * Use Zeroize within dleq bitvec doesn't offer Zeroize, so a manual zeroing has been implemented. * Use Zeroize for random_nonce It isn't perfect, due to the inability to zeroize the digest, and due to kp256 requiring a few transformations. It does the best it can though. Does move the per-curve random_nonce to a provided one, which is allowed as of https://github.com/cfrg/draft-irtf-cfrg-frost/pull/231. * Use Zeroize on FROST keygen/signing * Zeroize constant time multiexp. * Correct when FROST keygen zeroizes * Move the FROST keys Arc into FrostKeys Reduces amount of instances in memory. * Manually implement Debug for FrostCore to not leak the secret share * Misc bug fixes * clippy + multiexp test bug fixes * Correct FROST key gen share summation It leaked our own share for ourself. * Fix cross-group DLEq tests
2022-08-03 03:25:18 -05:00
use subtle::{Choice, ConditionallySelectable};
Reorganize bulletproofs
2022-07-31 23:12:45 -04:00
use curve25519_dalek::edwards::EdwardsPoint as DalekPoint;
Modularize Bulletproofs in prep for BP+
2022-07-26 08:06:56 -04:00
Implement Bulletproofs in Rust (#69) * Initial attempt at Bulletproofs I don't know why this doesn't work. The generators and hash_cache lines up without issue. AFAICT, the inner product proof is valid as well, as are all included formulas. * Add yinvpow asserts * Clean code * Correct bad imports * Fix the definition of TWO_N Bulletproofs work now :D * Tidy up a bit * fmt + clippy * Compile a variety of XMR dependencies with optimizations, even under dev The Rust bulletproof implementation is 8% slower than C right now, under release. This is acceptable, even if suboptimal. Under debug, they take a quarter of a second to two seconds though, depending on the amount of outputs, which justifies this move. * Remove unnecessary deref in BPs
2022-07-26 02:05:15 -05:00
use group::{ff::Field, Group};
Reorganize bulletproofs
2022-07-31 23:12:45 -04:00
use dalek_ff_group::{Scalar, EdwardsPoint};
Implement Bulletproofs in Rust (#69) * Initial attempt at Bulletproofs I don't know why this doesn't work. The generators and hash_cache lines up without issue. AFAICT, the inner product proof is valid as well, as are all included formulas. * Add yinvpow asserts * Clean code * Correct bad imports * Fix the definition of TWO_N Bulletproofs work now :D * Tidy up a bit * fmt + clippy * Compile a variety of XMR dependencies with optimizations, even under dev The Rust bulletproof implementation is 8% slower than C right now, under release. This is acceptable, even if suboptimal. Under debug, they take a quarter of a second to two seconds though, depending on the amount of outputs, which justifies this move. * Remove unnecessary deref in BPs
2022-07-26 02:05:15 -05:00
Reorganize bulletproofs
2022-07-31 23:12:45 -04:00
use multiexp::multiexp as multiexp_const;
Implement Bulletproofs in Rust (#69) * Initial attempt at Bulletproofs I don't know why this doesn't work. The generators and hash_cache lines up without issue. AFAICT, the inner product proof is valid as well, as are all included formulas. * Add yinvpow asserts * Clean code * Correct bad imports * Fix the definition of TWO_N Bulletproofs work now :D * Tidy up a bit * fmt + clippy * Compile a variety of XMR dependencies with optimizations, even under dev The Rust bulletproof implementation is 8% slower than C right now, under release. This is acceptable, even if suboptimal. Under debug, they take a quarter of a second to two seconds though, depending on the amount of outputs, which justifies this move. * Remove unnecessary deref in BPs
2022-07-26 02:05:15 -05:00
Generate Bulletproofs(+) generators at compile time Creates a new monero-generators crate so the monero crate can run the code in question at build time. Saves several seconds from running the tests. Closes https://github.com/serai-dex/serai/issues/101.
2022-08-21 06:36:53 -04:00
pub(crate) use monero_generators::Generators;
Replace lazy_static with OnceLock inside monero-serai lazy_static, if no_std environments were used, effectively required always using spin locks. This resolves the ergonomics of that while adopting Rust std code. no_std does still use a spin based solution. Theoretically, we could use atomics, yet writing our own Mutex wasn't a priority.
2023-06-28 21:16:33 -04:00
use crate::{INV_EIGHT as DALEK_INV_EIGHT, H as DALEK_H, Commitment, hash_to_scalar as dalek_hash};
Reorganize bulletproofs
2022-07-31 23:12:45 -04:00
pub(crate) use crate::ringct::bulletproofs::scalar_vector::*;
Implement Bulletproofs in Rust (#69) * Initial attempt at Bulletproofs I don't know why this doesn't work. The generators and hash_cache lines up without issue. AFAICT, the inner product proof is valid as well, as are all included formulas. * Add yinvpow asserts * Clean code * Correct bad imports * Fix the definition of TWO_N Bulletproofs work now :D * Tidy up a bit * fmt + clippy * Compile a variety of XMR dependencies with optimizations, even under dev The Rust bulletproof implementation is 8% slower than C right now, under release. This is acceptable, even if suboptimal. Under debug, they take a quarter of a second to two seconds though, depending on the amount of outputs, which justifies this move. * Remove unnecessary deref in BPs
2022-07-26 02:05:15 -05:00
Replace lazy_static with OnceLock inside monero-serai lazy_static, if no_std environments were used, effectively required always using spin locks. This resolves the ergonomics of that while adopting Rust std code. no_std does still use a spin based solution. Theoretically, we could use atomics, yet writing our own Mutex wasn't a priority.
2023-06-28 21:16:33 -04:00
#[inline]
pub(crate) fn INV_EIGHT() -> Scalar {
Scalar(DALEK_INV_EIGHT())
}
#[inline]
pub(crate) fn H() -> EdwardsPoint {
EdwardsPoint(DALEK_H())
Modularize Bulletproofs in prep for BP+
2022-07-26 08:06:56 -04:00
}
Implement Bulletproofs in Rust (#69) * Initial attempt at Bulletproofs I don't know why this doesn't work. The generators and hash_cache lines up without issue. AFAICT, the inner product proof is valid as well, as are all included formulas. * Add yinvpow asserts * Clean code * Correct bad imports * Fix the definition of TWO_N Bulletproofs work now :D * Tidy up a bit * fmt + clippy * Compile a variety of XMR dependencies with optimizations, even under dev The Rust bulletproof implementation is 8% slower than C right now, under release. This is acceptable, even if suboptimal. Under debug, they take a quarter of a second to two seconds though, depending on the amount of outputs, which justifies this move. * Remove unnecessary deref in BPs
2022-07-26 02:05:15 -05:00
Reorganize bulletproofs
2022-07-31 23:12:45 -04:00
pub(crate) fn hash_to_scalar(data: &[u8]) -> Scalar {
Remove Monero as a dependency Introduces missing CLSAG checks. The only difference now should be the additional rejection of torsioned points, which is relevant to https://github.com/serai-dex/serai/issues/25. Considering this is only currently used for FROST verification, this should be fine. Closes https://github.com/serai-dex/serai/issues/19 by making it irrelevant. Increases priority of https://github.com/serai-dex/serai/issues/68, as now it's used for the BP generators which are done at first-proof. Also merges BP's stricter hash_to_point with the library's, since CLSAG has the same bound.
2022-07-26 03:25:57 -04:00
Scalar(dalek_hash(data))
Implement Bulletproofs in Rust (#69) * Initial attempt at Bulletproofs I don't know why this doesn't work. The generators and hash_cache lines up without issue. AFAICT, the inner product proof is valid as well, as are all included formulas. * Add yinvpow asserts * Clean code * Correct bad imports * Fix the definition of TWO_N Bulletproofs work now :D * Tidy up a bit * fmt + clippy * Compile a variety of XMR dependencies with optimizations, even under dev The Rust bulletproof implementation is 8% slower than C right now, under release. This is acceptable, even if suboptimal. Under debug, they take a quarter of a second to two seconds though, depending on the amount of outputs, which justifies this move. * Remove unnecessary deref in BPs
2022-07-26 02:05:15 -05:00
}
Modularize Bulletproofs in prep for BP+
2022-07-26 08:06:56 -04:00
// Components common between variants
pub(crate) const MAX_M: usize = 16;
Add init function for BP statics Considering they take 7 seconds to generate, thanks to #68, the ability to generate them at the start instead of on first BP is greatly appreciated. Also performs minor cleanups regarding BPs.
2022-08-02 15:52:27 -04:00
pub(crate) const LOG_N: usize = 6; // 2 << 6 == N
Reorganize bulletproofs
2022-07-31 23:12:45 -04:00
pub(crate) const N: usize = 64;
Modularize Bulletproofs in prep for BP+
2022-07-26 08:06:56 -04:00
Reorganize bulletproofs
2022-07-31 23:12:45 -04:00
pub(crate) fn prove_multiexp(pairs: &[(Scalar, EdwardsPoint)]) -> EdwardsPoint {
Replace lazy_static with OnceLock inside monero-serai lazy_static, if no_std environments were used, effectively required always using spin locks. This resolves the ergonomics of that while adopting Rust std code. no_std does still use a spin based solution. Theoretically, we could use atomics, yet writing our own Mutex wasn't a priority.
2023-06-28 21:16:33 -04:00
multiexp_const(pairs) * INV_EIGHT()
Reorganize bulletproofs
2022-07-31 23:12:45 -04:00
}
pub(crate) fn vector_exponent(
generators: &Generators,
a: &ScalarVector,
b: &ScalarVector,
) -> EdwardsPoint {
Remove re-calculation of N Moves most BP assertions to debug.
2022-07-26 05:31:15 -04:00
debug_assert_eq!(a.len(), b.len());
Modularize Bulletproofs in prep for BP+
2022-07-26 08:06:56 -04:00
(a * &generators.G[.. a.len()]) + (b * &generators.H[.. b.len()])
Implement Bulletproofs in Rust (#69) * Initial attempt at Bulletproofs I don't know why this doesn't work. The generators and hash_cache lines up without issue. AFAICT, the inner product proof is valid as well, as are all included formulas. * Add yinvpow asserts * Clean code * Correct bad imports * Fix the definition of TWO_N Bulletproofs work now :D * Tidy up a bit * fmt + clippy * Compile a variety of XMR dependencies with optimizations, even under dev The Rust bulletproof implementation is 8% slower than C right now, under release. This is acceptable, even if suboptimal. Under debug, they take a quarter of a second to two seconds though, depending on the amount of outputs, which justifies this move. * Remove unnecessary deref in BPs
2022-07-26 02:05:15 -05:00
}
Reorganize bulletproofs
2022-07-31 23:12:45 -04:00
pub(crate) fn hash_cache(cache: &mut Scalar, mash: &[[u8; 32]]) -> Scalar {
Implement Bulletproofs in Rust (#69) * Initial attempt at Bulletproofs I don't know why this doesn't work. The generators and hash_cache lines up without issue. AFAICT, the inner product proof is valid as well, as are all included formulas. * Add yinvpow asserts * Clean code * Correct bad imports * Fix the definition of TWO_N Bulletproofs work now :D * Tidy up a bit * fmt + clippy * Compile a variety of XMR dependencies with optimizations, even under dev The Rust bulletproof implementation is 8% slower than C right now, under release. This is acceptable, even if suboptimal. Under debug, they take a quarter of a second to two seconds though, depending on the amount of outputs, which justifies this move. * Remove unnecessary deref in BPs
2022-07-26 02:05:15 -05:00
let slice =
&[cache.to_bytes().as_ref(), mash.iter().cloned().flatten().collect::<Vec<_>>().as_ref()]
.concat();
*cache = hash_to_scalar(slice);
*cache
}
Reorganize bulletproofs
2022-07-31 23:12:45 -04:00
pub(crate) fn MN(outputs: usize) -> (usize, usize, usize) {
Implement Bulletproofs in Rust (#69) * Initial attempt at Bulletproofs I don't know why this doesn't work. The generators and hash_cache lines up without issue. AFAICT, the inner product proof is valid as well, as are all included formulas. * Add yinvpow asserts * Clean code * Correct bad imports * Fix the definition of TWO_N Bulletproofs work now :D * Tidy up a bit * fmt + clippy * Compile a variety of XMR dependencies with optimizations, even under dev The Rust bulletproof implementation is 8% slower than C right now, under release. This is acceptable, even if suboptimal. Under debug, they take a quarter of a second to two seconds though, depending on the amount of outputs, which justifies this move. * Remove unnecessary deref in BPs
2022-07-26 02:05:15 -05:00
let mut logM = 0;
let mut M;
while {
M = 1 << logM;
Modularize Bulletproofs in prep for BP+
2022-07-26 08:06:56 -04:00
(M <= MAX_M) && (M < outputs)
Implement Bulletproofs in Rust (#69) * Initial attempt at Bulletproofs I don't know why this doesn't work. The generators and hash_cache lines up without issue. AFAICT, the inner product proof is valid as well, as are all included formulas. * Add yinvpow asserts * Clean code * Correct bad imports * Fix the definition of TWO_N Bulletproofs work now :D * Tidy up a bit * fmt + clippy * Compile a variety of XMR dependencies with optimizations, even under dev The Rust bulletproof implementation is 8% slower than C right now, under release. This is acceptable, even if suboptimal. Under debug, they take a quarter of a second to two seconds though, depending on the amount of outputs, which justifies this move. * Remove unnecessary deref in BPs
2022-07-26 02:05:15 -05:00
} {
logM += 1;
}
Add init function for BP statics Considering they take 7 seconds to generate, thanks to #68, the ability to generate them at the start instead of on first BP is greatly appreciated. Also performs minor cleanups regarding BPs.
2022-08-02 15:52:27 -04:00
(logM + LOG_N, M, M * N)
Modularize Bulletproofs in prep for BP+
2022-07-26 08:06:56 -04:00
}
Implement Bulletproofs in Rust (#69) * Initial attempt at Bulletproofs I don't know why this doesn't work. The generators and hash_cache lines up without issue. AFAICT, the inner product proof is valid as well, as are all included formulas. * Add yinvpow asserts * Clean code * Correct bad imports * Fix the definition of TWO_N Bulletproofs work now :D * Tidy up a bit * fmt + clippy * Compile a variety of XMR dependencies with optimizations, even under dev The Rust bulletproof implementation is 8% slower than C right now, under release. This is acceptable, even if suboptimal. Under debug, they take a quarter of a second to two seconds though, depending on the amount of outputs, which justifies this move. * Remove unnecessary deref in BPs
2022-07-26 02:05:15 -05:00
Reorganize bulletproofs
2022-07-31 23:12:45 -04:00
pub(crate) fn bit_decompose(commitments: &[Commitment]) -> (ScalarVector, ScalarVector) {
Modularize Bulletproofs in prep for BP+
2022-07-26 08:06:56 -04:00
let (_, M, MN) = MN(commitments.len());
Bulletproofs+ (#70) * Initial stab at Bulletproofs+ Does move around the existing Bulletproofs code, does still work as expected. * Make the Clsag RCTPrunable type work with BP and BP+ * Initial set of BP+ bug fixes * Further bug fixes * Remove RING_LEN as a constant * Monero v16 TX support Doesn't implement view tags, nor going back to v14, nor the updated BP clawback logic. * Support v14 and v16 at the same time
2022-07-27 04:05:43 -05:00
let sv = commitments.iter().map(|c| Scalar::from(c.amount)).collect::<Vec<_>>();
Implement Bulletproofs in Rust (#69) * Initial attempt at Bulletproofs I don't know why this doesn't work. The generators and hash_cache lines up without issue. AFAICT, the inner product proof is valid as well, as are all included formulas. * Add yinvpow asserts * Clean code * Correct bad imports * Fix the definition of TWO_N Bulletproofs work now :D * Tidy up a bit * fmt + clippy * Compile a variety of XMR dependencies with optimizations, even under dev The Rust bulletproof implementation is 8% slower than C right now, under release. This is acceptable, even if suboptimal. Under debug, they take a quarter of a second to two seconds though, depending on the amount of outputs, which justifies this move. * Remove unnecessary deref in BPs
2022-07-26 02:05:15 -05:00
let mut aL = ScalarVector::new(MN);
let mut aR = ScalarVector::new(MN);
for j in 0 .. M {
for i in (0 .. N).rev() {
Utilize zeroize (#76) * Apply Zeroize to nonces used in Bulletproofs Also makes bit decomposition constant time for a given amount of outputs. * Fix nonce reuse for single-signer CLSAG * Attach Zeroize to most structures in Monero, and ZOnDrop to anything with private data * Zeroize private keys and nonces * Merge prepare_outputs and prepare_transactions * Ensure CLSAG is constant time * Pass by borrow where needed, bug fixes The past few commitments have been one in-progress chunk which I've broken up as best read. * Add Zeroize to FROST structs Still needs to zeroize internally, yet next step. Not quite as aggressive as Monero, partially due to the limitations of HashMaps, partially due to less concern about metadata, yet does still delete a few smaller items of metadata (group key, context string...). * Remove Zeroize from most Monero multisig structs These structs largely didn't have private data, just fields with private data, yet those fields implemented ZeroizeOnDrop making them already covered. While there is still traces of the transaction left in RAM, fully purging that was never the intent. * Use Zeroize within dleq bitvec doesn't offer Zeroize, so a manual zeroing has been implemented. * Use Zeroize for random_nonce It isn't perfect, due to the inability to zeroize the digest, and due to kp256 requiring a few transformations. It does the best it can though. Does move the per-curve random_nonce to a provided one, which is allowed as of https://github.com/cfrg/draft-irtf-cfrg-frost/pull/231. * Use Zeroize on FROST keygen/signing * Zeroize constant time multiexp. * Correct when FROST keygen zeroizes * Move the FROST keys Arc into FrostKeys Reduces amount of instances in memory. * Manually implement Debug for FrostCore to not leak the secret share * Misc bug fixes * clippy + multiexp test bug fixes * Correct FROST key gen share summation It leaked our own share for ourself. * Fix cross-group DLEq tests
2022-08-03 03:25:18 -05:00
let mut bit = Choice::from(0);
if j < sv.len() {
bit = Choice::from((sv[j][i / 8] >> (i % 8)) & 1);
Implement Bulletproofs in Rust (#69) * Initial attempt at Bulletproofs I don't know why this doesn't work. The generators and hash_cache lines up without issue. AFAICT, the inner product proof is valid as well, as are all included formulas. * Add yinvpow asserts * Clean code * Correct bad imports * Fix the definition of TWO_N Bulletproofs work now :D * Tidy up a bit * fmt + clippy * Compile a variety of XMR dependencies with optimizations, even under dev The Rust bulletproof implementation is 8% slower than C right now, under release. This is acceptable, even if suboptimal. Under debug, they take a quarter of a second to two seconds though, depending on the amount of outputs, which justifies this move. * Remove unnecessary deref in BPs
2022-07-26 02:05:15 -05:00
}
ff 0.13 (#269) * Partial move to ff 0.13 It turns out the newly released k256 0.12 isn't on ff 0.13, preventing further work at this time. * Update all crates to work on ff 0.13 The provided curves still need to be expanded to fit the new API. * Finish adding dalek-ff-group ff 0.13 constants * Correct FieldElement::product definition Also stops exporting macros. * Test most new parts of ff 0.13 * Additionally test ff-group-tests with BLS12-381 and the pasta curves We only tested curves from RustCrypto. Now we test a curve offered by zk-crypto, the group behind ff/group, and the pasta curves, which is by Zcash (though Zcash developers are also behind zk-crypto). * Finish Ed448 Fully specifies all constants, passes all tests in ff-group-tests, and finishes moving to ff-0.13. * Add RustCrypto/elliptic-curves to allowed git repos Needed due to k256/p256 incorrectly defining product. * Finish writing ff 0.13 tests * Add additional comments to dalek * Further comments * Update ethereum-serai to ff 0.13
2023-03-28 04:38:01 -04:00
aL.0[(j * N) + i] = Scalar::conditional_select(&Scalar::ZERO, &Scalar::ONE, bit);
aR.0[(j * N) + i] = Scalar::conditional_select(&-Scalar::ONE, &Scalar::ZERO, bit);
Implement Bulletproofs in Rust (#69) * Initial attempt at Bulletproofs I don't know why this doesn't work. The generators and hash_cache lines up without issue. AFAICT, the inner product proof is valid as well, as are all included formulas. * Add yinvpow asserts * Clean code * Correct bad imports * Fix the definition of TWO_N Bulletproofs work now :D * Tidy up a bit * fmt + clippy * Compile a variety of XMR dependencies with optimizations, even under dev The Rust bulletproof implementation is 8% slower than C right now, under release. This is acceptable, even if suboptimal. Under debug, they take a quarter of a second to two seconds though, depending on the amount of outputs, which justifies this move. * Remove unnecessary deref in BPs
2022-07-26 02:05:15 -05:00
}
}
Modularize Bulletproofs in prep for BP+
2022-07-26 08:06:56 -04:00
(aL, aR)
}
Reorganize bulletproofs
2022-07-31 23:12:45 -04:00
pub(crate) fn hash_commitments<C: IntoIterator<Item = DalekPoint>>(
BP Verification (#75) * Use a struct in an enum for Bulletproofs * verification bp working for just one proof * add some more assert tests * Clean BP verification * Implement batch verification * Add a debug assertion w_cache isn't 0 It's initially set to 0 and if not updated, this would be broken. * Correct Monero workflow yaml * Again try to corrent Monero workflow yaml * Again * Finally * Re-apply weights as required by Bulletproofs Removing these was insecure and my fault. Co-authored-by: DangerousFreedom <dangfreed@tutanota.com>
2022-07-31 21:45:53 -05:00
commitments: C,
) -> (Scalar, Vec<EdwardsPoint>) {
Replace lazy_static with OnceLock inside monero-serai lazy_static, if no_std environments were used, effectively required always using spin locks. This resolves the ergonomics of that while adopting Rust std code. no_std does still use a spin based solution. Theoretically, we could use atomics, yet writing our own Mutex wasn't a priority.
2023-06-28 21:16:33 -04:00
let V = commitments.into_iter().map(|c| EdwardsPoint(c) * INV_EIGHT()).collect::<Vec<_>>();
BP Verification (#75) * Use a struct in an enum for Bulletproofs * verification bp working for just one proof * add some more assert tests * Clean BP verification * Implement batch verification * Add a debug assertion w_cache isn't 0 It's initially set to 0 and if not updated, this would be broken. * Correct Monero workflow yaml * Again try to corrent Monero workflow yaml * Again * Finally * Re-apply weights as required by Bulletproofs Removing these was insecure and my fault. Co-authored-by: DangerousFreedom <dangfreed@tutanota.com>
2022-07-31 21:45:53 -05:00
(hash_to_scalar(&V.iter().flat_map(|V| V.compress().to_bytes()).collect::<Vec<_>>()), V)
Modularize Bulletproofs in prep for BP+
2022-07-26 08:06:56 -04:00
}
Implement Bulletproofs in Rust (#69) * Initial attempt at Bulletproofs I don't know why this doesn't work. The generators and hash_cache lines up without issue. AFAICT, the inner product proof is valid as well, as are all included formulas. * Add yinvpow asserts * Clean code * Correct bad imports * Fix the definition of TWO_N Bulletproofs work now :D * Tidy up a bit * fmt + clippy * Compile a variety of XMR dependencies with optimizations, even under dev The Rust bulletproof implementation is 8% slower than C right now, under release. This is acceptable, even if suboptimal. Under debug, they take a quarter of a second to two seconds though, depending on the amount of outputs, which justifies this move. * Remove unnecessary deref in BPs
2022-07-26 02:05:15 -05:00
Reorganize bulletproofs
2022-07-31 23:12:45 -04:00
pub(crate) fn alpha_rho<R: RngCore + CryptoRng>(
Modularize Bulletproofs in prep for BP+
2022-07-26 08:06:56 -04:00
rng: &mut R,
generators: &Generators,
aL: &ScalarVector,
aR: &ScalarVector,
) -> (Scalar, EdwardsPoint) {
Bulletproofs+ (#70) * Initial stab at Bulletproofs+ Does move around the existing Bulletproofs code, does still work as expected. * Make the Clsag RCTPrunable type work with BP and BP+ * Initial set of BP+ bug fixes * Further bug fixes * Remove RING_LEN as a constant * Monero v16 TX support Doesn't implement view tags, nor going back to v14, nor the updated BP clawback logic. * Support v14 and v16 at the same time
2022-07-27 04:05:43 -05:00
let ar = Scalar::random(rng);
Replace lazy_static with OnceLock inside monero-serai lazy_static, if no_std environments were used, effectively required always using spin locks. This resolves the ergonomics of that while adopting Rust std code. no_std does still use a spin based solution. Theoretically, we could use atomics, yet writing our own Mutex wasn't a priority.
2023-06-28 21:16:33 -04:00
(ar, (vector_exponent(generators, aL, aR) + (EdwardsPoint::generator() * ar)) * INV_EIGHT())
Bulletproofs+ (#70) * Initial stab at Bulletproofs+ Does move around the existing Bulletproofs code, does still work as expected. * Make the Clsag RCTPrunable type work with BP and BP+ * Initial set of BP+ bug fixes * Further bug fixes * Remove RING_LEN as a constant * Monero v16 TX support Doesn't implement view tags, nor going back to v14, nor the updated BP clawback logic. * Support v14 and v16 at the same time
2022-07-27 04:05:43 -05:00
}
Reorganize bulletproofs
2022-07-31 23:12:45 -04:00
pub(crate) fn LR_statements(
Bulletproofs+ (#70) * Initial stab at Bulletproofs+ Does move around the existing Bulletproofs code, does still work as expected. * Make the Clsag RCTPrunable type work with BP and BP+ * Initial set of BP+ bug fixes * Further bug fixes * Remove RING_LEN as a constant * Monero v16 TX support Doesn't implement view tags, nor going back to v14, nor the updated BP clawback logic. * Support v14 and v16 at the same time
2022-07-27 04:05:43 -05:00
a: &ScalarVector,
G_i: &[EdwardsPoint],
b: &ScalarVector,
H_i: &[EdwardsPoint],
cL: Scalar,
U: EdwardsPoint,
) -> Vec<(Scalar, EdwardsPoint)> {
let mut res = a
.0
.iter()
.cloned()
.zip(G_i.iter().cloned())
.chain(b.0.iter().cloned().zip(H_i.iter().cloned()))
.collect::<Vec<_>>();
res.push((cL, U));
res
}
Replace lazy_static with OnceLock inside monero-serai lazy_static, if no_std environments were used, effectively required always using spin locks. This resolves the ergonomics of that while adopting Rust std code. no_std does still use a spin based solution. Theoretically, we could use atomics, yet writing our own Mutex wasn't a priority.
2023-06-28 21:16:33 -04:00
static TWO_N_CELL: OnceLock<ScalarVector> = OnceLock::new();
pub(crate) fn TWO_N() -> &'static ScalarVector {
TWO_N_CELL.get_or_init(|| ScalarVector::powers(Scalar::from(2u8), N))
Bulletproofs+ (#70) * Initial stab at Bulletproofs+ Does move around the existing Bulletproofs code, does still work as expected. * Make the Clsag RCTPrunable type work with BP and BP+ * Initial set of BP+ bug fixes * Further bug fixes * Remove RING_LEN as a constant * Monero v16 TX support Doesn't implement view tags, nor going back to v14, nor the updated BP clawback logic. * Support v14 and v16 at the same time
2022-07-27 04:05:43 -05:00
}
Bulletproofs+ Verification
2022-08-01 23:30:24 -04:00
pub(crate) fn challenge_products(w: &[Scalar], winv: &[Scalar]) -> Vec<Scalar> {
ff 0.13 (#269) * Partial move to ff 0.13 It turns out the newly released k256 0.12 isn't on ff 0.13, preventing further work at this time. * Update all crates to work on ff 0.13 The provided curves still need to be expanded to fit the new API. * Finish adding dalek-ff-group ff 0.13 constants * Correct FieldElement::product definition Also stops exporting macros. * Test most new parts of ff 0.13 * Additionally test ff-group-tests with BLS12-381 and the pasta curves We only tested curves from RustCrypto. Now we test a curve offered by zk-crypto, the group behind ff/group, and the pasta curves, which is by Zcash (though Zcash developers are also behind zk-crypto). * Finish Ed448 Fully specifies all constants, passes all tests in ff-group-tests, and finishes moving to ff-0.13. * Add RustCrypto/elliptic-curves to allowed git repos Needed due to k256/p256 incorrectly defining product. * Finish writing ff 0.13 tests * Add additional comments to dalek * Further comments * Update ethereum-serai to ff 0.13
2023-03-28 04:38:01 -04:00
let mut products = vec![Scalar::ZERO; 1 << w.len()];
Bulletproofs+ Verification
2022-08-01 23:30:24 -04:00
products[0] = winv[0];
products[1] = w[0];
for j in 1 .. w.len() {
let mut slots = (1 << (j + 1)) - 1;
while slots > 0 {
products[slots] = products[slots / 2] * w[j];
products[slots - 1] = products[slots / 2] * winv[j];
slots = slots.saturating_sub(2);
}
}
// Sanity check as if the above failed to populate, it'd be critical
for w in &products {
debug_assert!(!bool::from(w.is_zero()));
}
products
}
Reference in New Issue Copy Permalink