coins/monero/src/frost.rs

use std::{convert::TryInto, io::Cursor};

use thiserror::Error;
use rand_core::{RngCore, CryptoRng};

use curve25519_dalek::{scalar::Scalar, edwards::EdwardsPoint};

use group::{Group, GroupEncoding};

use transcript::{Transcript, RecommendedTranscript};
use dalek_ff_group as dfg;
use dleq::{Generators, DLEqProof};

#[derive(Clone, Error, Debug)]
pub enum MultisigError {
  #[error("internal error ({0})")]
  InternalError(String),
  #[error("invalid discrete log equality proof")]
  InvalidDLEqProof(u16),
  #[error("invalid key image {0}")]
  InvalidKeyImage(u16)
}

fn transcript() -> RecommendedTranscript {
  RecommendedTranscript::new(b"monero_key_image_dleq")
}

#[allow(non_snake_case)]
pub(crate) fn write_dleq<R: RngCore + CryptoRng>(
  rng: &mut R,
  H: EdwardsPoint,
  x: Scalar
) -> Vec<u8> {
  let mut res = Vec::with_capacity(64);
  DLEqProof::prove(
    rng,
    // Doesn't take in a larger transcript object due to the usage of this
    // Every prover would immediately write their own DLEq proof, when they can only do so in
    // the proper order if they want to reach consensus
    // It'd be a poor API to have CLSAG define a new transcript solely to pass here, just to try to
    // merge later in some form, when it should instead just merge xH (as it does)
    &mut transcript(),
    Generators::new(dfg::EdwardsPoint::generator(), dfg::EdwardsPoint(H)),
    dfg::Scalar(x)
  ).serialize(&mut res).unwrap();
  res
}

#[allow(non_snake_case)]
pub(crate) fn read_dleq(
  serialized: &[u8],
  H: EdwardsPoint,
  l: u16,
  xG: dfg::EdwardsPoint
) -> Result<dfg::EdwardsPoint, MultisigError> {
  if serialized.len() != 96 {
    Err(MultisigError::InvalidDLEqProof(l))?;
  }

  let bytes = (&serialized[.. 32]).try_into().unwrap();
  // dfg ensures the point is torsion free
  let xH = Option::<dfg::EdwardsPoint>::from(
    dfg::EdwardsPoint::from_bytes(&bytes)).ok_or(MultisigError::InvalidDLEqProof(l)
  )?;
  // Ensure this is a canonical point
  if xH.to_bytes() != bytes {
    Err(MultisigError::InvalidDLEqProof(l))?;
  }

  DLEqProof::<dfg::EdwardsPoint>::deserialize(
    &mut Cursor::new(&serialized[32 ..])
  ).map_err(|_| MultisigError::InvalidDLEqProof(l))?.verify(
    &mut transcript(),
    Generators::new(dfg::EdwardsPoint::generator(), dfg::EdwardsPoint(H)),
    (xG, xH)
  ).map_err(|_| MultisigError::InvalidDLEqProof(l))?;

  Ok(xH)
}
Implement a DLEq library While Serai only needs the simple DLEq which was already present under monero, this migrates the implementation of the cross-group DLEq I maintain into Serai. This was to have full access to the ecosystem of libraries built under Serai while also ensuring support for it. The cross_group curve, which is extremely experimental, is feature flagged off. So is the built in serialization functionality, as this should be possible to make nostd once const generics are full featured, yet the implemented serialization adds the additional barrier of std::io. 2022-06-30 05:42:29 -04:00			`use std::{convert::TryInto, io::Cursor};`
Initial commit Combines the existing frost-rs, dalek-ff-group, and monero-rs repos into a monorepo. Makes tweaks necessary as needed. Replaces RedDSA (which was going to be stubbed out into a new folder for now) with an offset system that voids its need and allows stealth addresses with CLSAG. 2022-04-21 21:36:18 -04:00
Implement TX creation Updates CLSAG signing as needed. Moves around Error types. CLSAG multisig and the multisig feature is currently completely borked because of this. The created TXs are accepted by Monero nodes. 2022-04-28 03:31:09 -04:00			`use thiserror::Error;`
Transcript crate with both a merlin backend and a basic label len value backend Moves binding factor/seeded RNGs over to the transcripts. 2022-05-03 07:20:24 -04:00			`use rand_core::{RngCore, CryptoRng};`
Initial commit Combines the existing frost-rs, dalek-ff-group, and monero-rs repos into a monorepo. Makes tweaks necessary as needed. Replaces RedDSA (which was going to be stubbed out into a new folder for now) with an offset system that voids its need and allows stealth addresses with CLSAG. 2022-04-21 21:36:18 -04:00
Implement a DLEq library While Serai only needs the simple DLEq which was already present under monero, this migrates the implementation of the cross-group DLEq I maintain into Serai. This was to have full access to the ecosystem of libraries built under Serai while also ensuring support for it. The cross_group curve, which is extremely experimental, is feature flagged off. So is the built in serialization functionality, as this should be possible to make nostd once const generics are full featured, yet the implemented serialization adds the additional barrier of std::io. 2022-06-30 05:42:29 -04:00			`use curve25519_dalek::{scalar::Scalar, edwards::EdwardsPoint};`
Use GroupEncoding instead of Curve's from_slice/to_bytes Increases usage of standardization while expanding dalek_ff_group. Closes https://github.com/serai-dex/serai/issues/26 by moving dfg::EdwardsPoint to only be for the prime subgroup. 2022-06-28 01:25:26 -04:00
Implement a DLEq library While Serai only needs the simple DLEq which was already present under monero, this migrates the implementation of the cross-group DLEq I maintain into Serai. This was to have full access to the ecosystem of libraries built under Serai while also ensuring support for it. The cross_group curve, which is extremely experimental, is feature flagged off. So is the built in serialization functionality, as this should be possible to make nostd once const generics are full featured, yet the implemented serialization adds the additional barrier of std::io. 2022-06-30 05:42:29 -04:00			`use group::{Group, GroupEncoding};`
Initial commit Combines the existing frost-rs, dalek-ff-group, and monero-rs repos into a monorepo. Makes tweaks necessary as needed. Replaces RedDSA (which was going to be stubbed out into a new folder for now) with an offset system that voids its need and allows stealth addresses with CLSAG. 2022-04-21 21:36:18 -04:00
Fix https://github.com/serai-dex/serai/issues/14. 2022-07-12 01:28:01 -04:00			`use transcript::{Transcript, RecommendedTranscript};`
Cleanup which makes transcript optional, only required for multisig 2022-05-03 08:49:46 -04:00			`use dalek_ff_group as dfg;`
Implement a DLEq library While Serai only needs the simple DLEq which was already present under monero, this migrates the implementation of the cross-group DLEq I maintain into Serai. This was to have full access to the ecosystem of libraries built under Serai while also ensuring support for it. The cross_group curve, which is extremely experimental, is feature flagged off. So is the built in serialization functionality, as this should be possible to make nostd once const generics are full featured, yet the implemented serialization adds the additional barrier of std::io. 2022-06-30 05:42:29 -04:00			`use dleq::{Generators, DLEqProof};`
Implement TX creation Updates CLSAG signing as needed. Moves around Error types. CLSAG multisig and the multisig feature is currently completely borked because of this. The created TXs are accepted by Monero nodes. 2022-04-28 03:31:09 -04:00
Add get_block_transactions_possible which automatically filters invalid TXs Adds Clone to the various error types, which they already should've had. 2022-05-28 05:08:37 -04:00			`#[derive(Clone, Error, Debug)]`
Implement TX creation Updates CLSAG signing as needed. Moves around Error types. CLSAG multisig and the multisig feature is currently completely borked because of this. The created TXs are accepted by Monero nodes. 2022-04-28 03:31:09 -04:00			`pub enum MultisigError {`
			`#[error("internal error ({0})")]`
			`InternalError(String),`
Implement a CLSAG algorithm extension which also does key images Practically, this should be mergeable. There's little reason to do a CLSAG and not also a key image. Keeps them isolated for now. 2022-04-29 22:03:34 -04:00			`#[error("invalid discrete log equality proof")]`
Move FROST to HashMaps Honestly, the borrowed keys are frustrating, and this probably reduces performance while no longer offering an order when iterating. That said, they enable full u16 indexing and should mildly improve the API. Cleans the Proof of Knowledge handling present in key gen. 2022-05-24 21:41:14 -04:00			`InvalidDLEqProof(u16),`
Implement TX creation Updates CLSAG signing as needed. Moves around Error types. CLSAG multisig and the multisig feature is currently completely borked because of this. The created TXs are accepted by Monero nodes. 2022-04-28 03:31:09 -04:00			`#[error("invalid key image {0}")]`
Move FROST to HashMaps Honestly, the borrowed keys are frustrating, and this probably reduces performance while no longer offering an order when iterating. That said, they enable full u16 indexing and should mildly improve the API. Cleans the Proof of Knowledge handling present in key gen. 2022-05-24 21:41:14 -04:00			`InvalidKeyImage(u16)`
Implement TX creation Updates CLSAG signing as needed. Moves around Error types. CLSAG multisig and the multisig feature is currently completely borked because of this. The created TXs are accepted by Monero nodes. 2022-04-28 03:31:09 -04:00			`}`
Initial commit Combines the existing frost-rs, dalek-ff-group, and monero-rs repos into a monorepo. Makes tweaks necessary as needed. Replaces RedDSA (which was going to be stubbed out into a new folder for now) with an offset system that voids its need and allows stealth addresses with CLSAG. 2022-04-21 21:36:18 -04:00
Fix https://github.com/serai-dex/serai/issues/14. 2022-07-12 01:28:01 -04:00			`fn transcript() -> RecommendedTranscript {`
			`RecommendedTranscript::new(b"monero_key_image_dleq")`
			`}`

Initial commit Combines the existing frost-rs, dalek-ff-group, and monero-rs repos into a monorepo. Makes tweaks necessary as needed. Replaces RedDSA (which was going to be stubbed out into a new folder for now) with an offset system that voids its need and allows stealth addresses with CLSAG. 2022-04-21 21:36:18 -04:00			`#[allow(non_snake_case)]`
Implement a DLEq library While Serai only needs the simple DLEq which was already present under monero, this migrates the implementation of the cross-group DLEq I maintain into Serai. This was to have full access to the ecosystem of libraries built under Serai while also ensuring support for it. The cross_group curve, which is extremely experimental, is feature flagged off. So is the built in serialization functionality, as this should be possible to make nostd once const generics are full featured, yet the implemented serialization adds the additional barrier of std::io. 2022-06-30 05:42:29 -04:00			`pub(crate) fn write_dleq<R: RngCore + CryptoRng>(`
			`rng: &mut R,`
			`H: EdwardsPoint,`
			`x: Scalar`
			`) -> Vec<u8> {`
			`let mut res = Vec::with_capacity(64);`
			`DLEqProof::prove(`
			`rng,`
Move the DLEQProof to a Transcript 2022-05-23 03:24:33 -04:00			`// Doesn't take in a larger transcript object due to the usage of this`
			`// Every prover would immediately write their own DLEq proof, when they can only do so in`
			`// the proper order if they want to reach consensus`
			`// It'd be a poor API to have CLSAG define a new transcript solely to pass here, just to try to`
			`// merge later in some form, when it should instead just merge xH (as it does)`
Fix https://github.com/serai-dex/serai/issues/14. 2022-07-12 01:28:01 -04:00			`&mut transcript(),`
Implement a DLEq library While Serai only needs the simple DLEq which was already present under monero, this migrates the implementation of the cross-group DLEq I maintain into Serai. This was to have full access to the ecosystem of libraries built under Serai while also ensuring support for it. The cross_group curve, which is extremely experimental, is feature flagged off. So is the built in serialization functionality, as this should be possible to make nostd once const generics are full featured, yet the implemented serialization adds the additional barrier of std::io. 2022-06-30 05:42:29 -04:00			`Generators::new(dfg::EdwardsPoint::generator(), dfg::EdwardsPoint(H)),`
			`dfg::Scalar(x)`
			`).serialize(&mut res).unwrap();`
			`res`
Initial commit Combines the existing frost-rs, dalek-ff-group, and monero-rs repos into a monorepo. Makes tweaks necessary as needed. Replaces RedDSA (which was going to be stubbed out into a new folder for now) with an offset system that voids its need and allows stealth addresses with CLSAG. 2022-04-21 21:36:18 -04:00			`}`
Simplify Monero key image handling 2022-05-17 19:15:53 -04:00
			`#[allow(non_snake_case)]`
Use GroupEncoding instead of Curve's from_slice/to_bytes Increases usage of standardization while expanding dalek_ff_group. Closes https://github.com/serai-dex/serai/issues/26 by moving dfg::EdwardsPoint to only be for the prime subgroup. 2022-06-28 01:25:26 -04:00			`pub(crate) fn read_dleq(`
Simplify Monero key image handling 2022-05-17 19:15:53 -04:00			`serialized: &[u8],`
Implement a DLEq library While Serai only needs the simple DLEq which was already present under monero, this migrates the implementation of the cross-group DLEq I maintain into Serai. This was to have full access to the ecosystem of libraries built under Serai while also ensuring support for it. The cross_group curve, which is extremely experimental, is feature flagged off. So is the built in serialization functionality, as this should be possible to make nostd once const generics are full featured, yet the implemented serialization adds the additional barrier of std::io. 2022-06-30 05:42:29 -04:00			`H: EdwardsPoint,`
Move FROST to HashMaps Honestly, the borrowed keys are frustrating, and this probably reduces performance while no longer offering an order when iterating. That said, they enable full u16 indexing and should mildly improve the API. Cleans the Proof of Knowledge handling present in key gen. 2022-05-24 21:41:14 -04:00			`l: u16,`
Implement a DLEq library While Serai only needs the simple DLEq which was already present under monero, this migrates the implementation of the cross-group DLEq I maintain into Serai. This was to have full access to the ecosystem of libraries built under Serai while also ensuring support for it. The cross_group curve, which is extremely experimental, is feature flagged off. So is the built in serialization functionality, as this should be possible to make nostd once const generics are full featured, yet the implemented serialization adds the additional barrier of std::io. 2022-06-30 05:42:29 -04:00			`xG: dfg::EdwardsPoint`
Simplify Monero key image handling 2022-05-17 19:15:53 -04:00			`) -> Result<dfg::EdwardsPoint, MultisigError> {`
Fix https://github.com/serai-dex/serai/issues/14. 2022-07-12 01:28:01 -04:00			`if serialized.len() != 96 {`
Use GroupEncoding instead of Curve's from_slice/to_bytes Increases usage of standardization while expanding dalek_ff_group. Closes https://github.com/serai-dex/serai/issues/26 by moving dfg::EdwardsPoint to only be for the prime subgroup. 2022-06-28 01:25:26 -04:00			`Err(MultisigError::InvalidDLEqProof(l))?;`
			`}`

Fix https://github.com/serai-dex/serai/issues/14. 2022-07-12 01:28:01 -04:00			`let bytes = (&serialized[.. 32]).try_into().unwrap();`
Use GroupEncoding instead of Curve's from_slice/to_bytes Increases usage of standardization while expanding dalek_ff_group. Closes https://github.com/serai-dex/serai/issues/26 by moving dfg::EdwardsPoint to only be for the prime subgroup. 2022-06-28 01:25:26 -04:00			`// dfg ensures the point is torsion free`
Implement a DLEq library While Serai only needs the simple DLEq which was already present under monero, this migrates the implementation of the cross-group DLEq I maintain into Serai. This was to have full access to the ecosystem of libraries built under Serai while also ensuring support for it. The cross_group curve, which is extremely experimental, is feature flagged off. So is the built in serialization functionality, as this should be possible to make nostd once const generics are full featured, yet the implemented serialization adds the additional barrier of std::io. 2022-06-30 05:42:29 -04:00			`let xH = Option::<dfg::EdwardsPoint>::from(`
Use GroupEncoding instead of Curve's from_slice/to_bytes Increases usage of standardization while expanding dalek_ff_group. Closes https://github.com/serai-dex/serai/issues/26 by moving dfg::EdwardsPoint to only be for the prime subgroup. 2022-06-28 01:25:26 -04:00			`dfg::EdwardsPoint::from_bytes(&bytes)).ok_or(MultisigError::InvalidDLEqProof(l)`
			`)?;`
			`// Ensure this is a canonical point`
Implement a DLEq library While Serai only needs the simple DLEq which was already present under monero, this migrates the implementation of the cross-group DLEq I maintain into Serai. This was to have full access to the ecosystem of libraries built under Serai while also ensuring support for it. The cross_group curve, which is extremely experimental, is feature flagged off. So is the built in serialization functionality, as this should be possible to make nostd once const generics are full featured, yet the implemented serialization adds the additional barrier of std::io. 2022-06-30 05:42:29 -04:00			`if xH.to_bytes() != bytes {`
Use GroupEncoding instead of Curve's from_slice/to_bytes Increases usage of standardization while expanding dalek_ff_group. Closes https://github.com/serai-dex/serai/issues/26 by moving dfg::EdwardsPoint to only be for the prime subgroup. 2022-06-28 01:25:26 -04:00			`Err(MultisigError::InvalidDLEqProof(l))?;`
			`}`
Simplify Monero key image handling 2022-05-17 19:15:53 -04:00
Fix https://github.com/serai-dex/serai/issues/14. 2022-07-12 01:28:01 -04:00			`DLEqProof::<dfg::EdwardsPoint>::deserialize(`
			`&mut Cursor::new(&serialized[32 ..])`
			`).map_err(\|_\| MultisigError::InvalidDLEqProof(l))?.verify(`
			`&mut transcript(),`
			`Generators::new(dfg::EdwardsPoint::generator(), dfg::EdwardsPoint(H)),`
			`(xG, xH)`
Implement a DLEq library While Serai only needs the simple DLEq which was already present under monero, this migrates the implementation of the cross-group DLEq I maintain into Serai. This was to have full access to the ecosystem of libraries built under Serai while also ensuring support for it. The cross_group curve, which is extremely experimental, is feature flagged off. So is the built in serialization functionality, as this should be possible to make nostd once const generics are full featured, yet the implemented serialization adds the additional barrier of std::io. 2022-06-30 05:42:29 -04:00			`).map_err(\|_\| MultisigError::InvalidDLEqProof(l))?;`

			`Ok(xH)`
Simplify Monero key image handling 2022-05-17 19:15:53 -04:00			`}`