2022-09-29 05:25:29 -04:00
|
|
|
//! Generators used by Monero in both its Pedersen commitments and Bulletproofs(+).
|
2023-06-28 21:16:33 -04:00
|
|
|
//!
|
2022-09-29 05:25:29 -04:00
|
|
|
//! An implementation of Monero's `ge_fromfe_frombytes_vartime`, simply called
|
|
|
|
|
//! `hash_to_point` here, is included, as needed to generate generators.
|
|
|
|
|
|
2023-04-22 04:38:47 -04:00
|
|
|
#![cfg_attr(not(feature = "std"), no_std)]
|
|
|
|
|
|
Monero: support for legacy transactions (#308)
* add mlsag
* fix last commit
* fix miner v1 txs
* fix non-miner v1 txs
* add borromean + fix mlsag
* add block hash calculations
* fix for the jokester that added unreduced scalars
to the borromean signature of
2368d846e671bf79a1f84c6d3af9f0bfe296f043f50cf17ae5e485384a53707b
* Add Borromean range proof verifying functionality
* Add MLSAG verifying functionality
* fmt & clippy :)
* update MLSAG, ss2_elements will always be 2
* Add MgSig proving
* Tidy block.rs
* Tidy Borromean, fix bugs in last commit, replace todo! with unreachable!
* Mark legacy EcdhInfo amount decryption as experimental
* Correct comments
* Write a new impl of the merkle algorithm
This one tries to be understandable.
* Only pull in things only needed for experimental when experimental
* Stop caching the Monero block hash now in processor that we have Block::hash
* Corrections for recent processor commit
* Use a clearer algorithm for the merkle
Should also be more efficient due to not shifting as often.
* Tidy Mlsag
* Remove verify_rct_* from Mlsag
Both methods were ports from Monero, overtly specific without clear
documentation. They need to be added back in, with documentation, or included
in a node which provides the necessary further context for them to be naturally
understandable.
* Move mlsag/mod.rs to mlsag.rs
This should only be a folder if it has multiple files.
* Replace EcdhInfo terminology
The ECDH encrypted the amount, yet this struct contained the encrypted amount,
not some ECDH.
Also corrects the types on the original EcdhInfo struct.
* Correct handling of commitment masks when scanning
* Route read_array through read_raw_vec
* Misc lint
* Make a proper RctType enum
No longer caches RctType in the RctSignatures as well.
* Replace Vec<Bulletproofs> with Bulletproofs
Monero uses aggregated range proofs, so there's only ever one Bulletproof. This
is enforced with a consensus rule as well, making this safe.
As for why Monero uses a vec, it's probably due to the lack of variadic typing
used. Its effectively an Option for them, yet we don't need an Option since we
do have variadic typing (enums).
* Add necessary checks to Eventuality re: supported protocols
* Fix for block 202612 and fix merkel root calculations
* MLSAG (de)serialisation fix
ss_2_elements will not always be 2 as rct type 1 transactions are not enforced to have one input
* Revert "MLSAG (de)serialisation fix"
This reverts commit 5e710e0c96658092c6ecfe5e4ea5a9c3dbee3ab3.
here it checks number of MGs == number of inputs:
https://github.com/monero-project/monero/blob/0a1eaf26f9dd6b762c2582ee12603b2a4671c735/src/cryptonote_core/tx_verification_utils.cpp#L60-59
and here it checks for RctTypeFull number of MGs == 1:
https://github.com/monero-project/monero/blob/0a1eaf26f9dd6b762c2582ee12603b2a4671c735/src/ringct/rctSigs.cpp#L1325
so number of inputs == 1
so ss_2_elements == 2
* update `MlsagAggregate` comment
* cargo update
Resolves a yanked crate
* Move location of serai-client in Cargo.toml
---------
Co-authored-by: Luke Parker <lukeparker5132@gmail.com>
2023-07-04 21:18:05 +00:00
|
|
|
use std_shims::sync::OnceLock;
|
2022-08-21 06:36:53 -04:00
|
|
|
|
2022-09-29 08:08:49 -04:00
|
|
|
use sha3::{Digest, Keccak256};
|
2022-08-21 06:36:53 -04:00
|
|
|
|
2023-04-22 04:38:47 -04:00
|
|
|
use curve25519_dalek::edwards::{EdwardsPoint as DalekPoint, CompressedEdwardsY};
|
2022-08-21 06:36:53 -04:00
|
|
|
|
2023-04-22 04:38:47 -04:00
|
|
|
use group::{Group, GroupEncoding};
|
2022-08-21 06:36:53 -04:00
|
|
|
use dalek_ff_group::EdwardsPoint;
|
|
|
|
|
|
|
|
|
|
mod varint;
|
|
|
|
|
use varint::write_varint;
|
|
|
|
|
|
|
|
|
|
mod hash_to_point;
|
|
|
|
|
pub use hash_to_point::hash_to_point;
|
|
|
|
|
|
|
|
|
|
fn hash(data: &[u8]) -> [u8; 32] {
|
2022-09-29 08:08:49 -04:00
|
|
|
Keccak256::digest(data).into()
|
2022-08-21 06:36:53 -04:00
|
|
|
}
|
|
|
|
|
|
Monero: support for legacy transactions (#308)
* add mlsag
* fix last commit
* fix miner v1 txs
* fix non-miner v1 txs
* add borromean + fix mlsag
* add block hash calculations
* fix for the jokester that added unreduced scalars
to the borromean signature of
2368d846e671bf79a1f84c6d3af9f0bfe296f043f50cf17ae5e485384a53707b
* Add Borromean range proof verifying functionality
* Add MLSAG verifying functionality
* fmt & clippy :)
* update MLSAG, ss2_elements will always be 2
* Add MgSig proving
* Tidy block.rs
* Tidy Borromean, fix bugs in last commit, replace todo! with unreachable!
* Mark legacy EcdhInfo amount decryption as experimental
* Correct comments
* Write a new impl of the merkle algorithm
This one tries to be understandable.
* Only pull in things only needed for experimental when experimental
* Stop caching the Monero block hash now in processor that we have Block::hash
* Corrections for recent processor commit
* Use a clearer algorithm for the merkle
Should also be more efficient due to not shifting as often.
* Tidy Mlsag
* Remove verify_rct_* from Mlsag
Both methods were ports from Monero, overtly specific without clear
documentation. They need to be added back in, with documentation, or included
in a node which provides the necessary further context for them to be naturally
understandable.
* Move mlsag/mod.rs to mlsag.rs
This should only be a folder if it has multiple files.
* Replace EcdhInfo terminology
The ECDH encrypted the amount, yet this struct contained the encrypted amount,
not some ECDH.
Also corrects the types on the original EcdhInfo struct.
* Correct handling of commitment masks when scanning
* Route read_array through read_raw_vec
* Misc lint
* Make a proper RctType enum
No longer caches RctType in the RctSignatures as well.
* Replace Vec<Bulletproofs> with Bulletproofs
Monero uses aggregated range proofs, so there's only ever one Bulletproof. This
is enforced with a consensus rule as well, making this safe.
As for why Monero uses a vec, it's probably due to the lack of variadic typing
used. Its effectively an Option for them, yet we don't need an Option since we
do have variadic typing (enums).
* Add necessary checks to Eventuality re: supported protocols
* Fix for block 202612 and fix merkel root calculations
* MLSAG (de)serialisation fix
ss_2_elements will not always be 2 as rct type 1 transactions are not enforced to have one input
* Revert "MLSAG (de)serialisation fix"
This reverts commit 5e710e0c96658092c6ecfe5e4ea5a9c3dbee3ab3.
here it checks number of MGs == number of inputs:
https://github.com/monero-project/monero/blob/0a1eaf26f9dd6b762c2582ee12603b2a4671c735/src/cryptonote_core/tx_verification_utils.cpp#L60-59
and here it checks for RctTypeFull number of MGs == 1:
https://github.com/monero-project/monero/blob/0a1eaf26f9dd6b762c2582ee12603b2a4671c735/src/ringct/rctSigs.cpp#L1325
so number of inputs == 1
so ss_2_elements == 2
* update `MlsagAggregate` comment
* cargo update
Resolves a yanked crate
* Move location of serai-client in Cargo.toml
---------
Co-authored-by: Luke Parker <lukeparker5132@gmail.com>
2023-07-04 21:18:05 +00:00
|
|
|
static H_CELL: OnceLock<DalekPoint> = OnceLock::new();
|
|
|
|
|
/// Monero's alternate generator `H`, used for amounts in Pedersen commitments.
|
2023-06-28 21:16:33 -04:00
|
|
|
#[allow(non_snake_case)]
|
|
|
|
|
pub fn H() -> DalekPoint {
|
Monero: support for legacy transactions (#308)
* add mlsag
* fix last commit
* fix miner v1 txs
* fix non-miner v1 txs
* add borromean + fix mlsag
* add block hash calculations
* fix for the jokester that added unreduced scalars
to the borromean signature of
2368d846e671bf79a1f84c6d3af9f0bfe296f043f50cf17ae5e485384a53707b
* Add Borromean range proof verifying functionality
* Add MLSAG verifying functionality
* fmt & clippy :)
* update MLSAG, ss2_elements will always be 2
* Add MgSig proving
* Tidy block.rs
* Tidy Borromean, fix bugs in last commit, replace todo! with unreachable!
* Mark legacy EcdhInfo amount decryption as experimental
* Correct comments
* Write a new impl of the merkle algorithm
This one tries to be understandable.
* Only pull in things only needed for experimental when experimental
* Stop caching the Monero block hash now in processor that we have Block::hash
* Corrections for recent processor commit
* Use a clearer algorithm for the merkle
Should also be more efficient due to not shifting as often.
* Tidy Mlsag
* Remove verify_rct_* from Mlsag
Both methods were ports from Monero, overtly specific without clear
documentation. They need to be added back in, with documentation, or included
in a node which provides the necessary further context for them to be naturally
understandable.
* Move mlsag/mod.rs to mlsag.rs
This should only be a folder if it has multiple files.
* Replace EcdhInfo terminology
The ECDH encrypted the amount, yet this struct contained the encrypted amount,
not some ECDH.
Also corrects the types on the original EcdhInfo struct.
* Correct handling of commitment masks when scanning
* Route read_array through read_raw_vec
* Misc lint
* Make a proper RctType enum
No longer caches RctType in the RctSignatures as well.
* Replace Vec<Bulletproofs> with Bulletproofs
Monero uses aggregated range proofs, so there's only ever one Bulletproof. This
is enforced with a consensus rule as well, making this safe.
As for why Monero uses a vec, it's probably due to the lack of variadic typing
used. Its effectively an Option for them, yet we don't need an Option since we
do have variadic typing (enums).
* Add necessary checks to Eventuality re: supported protocols
* Fix for block 202612 and fix merkel root calculations
* MLSAG (de)serialisation fix
ss_2_elements will not always be 2 as rct type 1 transactions are not enforced to have one input
* Revert "MLSAG (de)serialisation fix"
This reverts commit 5e710e0c96658092c6ecfe5e4ea5a9c3dbee3ab3.
here it checks number of MGs == number of inputs:
https://github.com/monero-project/monero/blob/0a1eaf26f9dd6b762c2582ee12603b2a4671c735/src/cryptonote_core/tx_verification_utils.cpp#L60-59
and here it checks for RctTypeFull number of MGs == 1:
https://github.com/monero-project/monero/blob/0a1eaf26f9dd6b762c2582ee12603b2a4671c735/src/ringct/rctSigs.cpp#L1325
so number of inputs == 1
so ss_2_elements == 2
* update `MlsagAggregate` comment
* cargo update
Resolves a yanked crate
* Move location of serai-client in Cargo.toml
---------
Co-authored-by: Luke Parker <lukeparker5132@gmail.com>
2023-07-04 21:18:05 +00:00
|
|
|
*H_CELL.get_or_init(|| {
|
2023-04-22 04:38:47 -04:00
|
|
|
CompressedEdwardsY(hash(&EdwardsPoint::generator().to_bytes()))
|
2022-08-21 06:36:53 -04:00
|
|
|
.decompress()
|
|
|
|
|
.unwrap()
|
2023-06-28 21:16:33 -04:00
|
|
|
.mul_by_cofactor()
|
|
|
|
|
})
|
2022-08-21 06:36:53 -04:00
|
|
|
}
|
|
|
|
|
|
Monero: support for legacy transactions (#308)
* add mlsag
* fix last commit
* fix miner v1 txs
* fix non-miner v1 txs
* add borromean + fix mlsag
* add block hash calculations
* fix for the jokester that added unreduced scalars
to the borromean signature of
2368d846e671bf79a1f84c6d3af9f0bfe296f043f50cf17ae5e485384a53707b
* Add Borromean range proof verifying functionality
* Add MLSAG verifying functionality
* fmt & clippy :)
* update MLSAG, ss2_elements will always be 2
* Add MgSig proving
* Tidy block.rs
* Tidy Borromean, fix bugs in last commit, replace todo! with unreachable!
* Mark legacy EcdhInfo amount decryption as experimental
* Correct comments
* Write a new impl of the merkle algorithm
This one tries to be understandable.
* Only pull in things only needed for experimental when experimental
* Stop caching the Monero block hash now in processor that we have Block::hash
* Corrections for recent processor commit
* Use a clearer algorithm for the merkle
Should also be more efficient due to not shifting as often.
* Tidy Mlsag
* Remove verify_rct_* from Mlsag
Both methods were ports from Monero, overtly specific without clear
documentation. They need to be added back in, with documentation, or included
in a node which provides the necessary further context for them to be naturally
understandable.
* Move mlsag/mod.rs to mlsag.rs
This should only be a folder if it has multiple files.
* Replace EcdhInfo terminology
The ECDH encrypted the amount, yet this struct contained the encrypted amount,
not some ECDH.
Also corrects the types on the original EcdhInfo struct.
* Correct handling of commitment masks when scanning
* Route read_array through read_raw_vec
* Misc lint
* Make a proper RctType enum
No longer caches RctType in the RctSignatures as well.
* Replace Vec<Bulletproofs> with Bulletproofs
Monero uses aggregated range proofs, so there's only ever one Bulletproof. This
is enforced with a consensus rule as well, making this safe.
As for why Monero uses a vec, it's probably due to the lack of variadic typing
used. Its effectively an Option for them, yet we don't need an Option since we
do have variadic typing (enums).
* Add necessary checks to Eventuality re: supported protocols
* Fix for block 202612 and fix merkel root calculations
* MLSAG (de)serialisation fix
ss_2_elements will not always be 2 as rct type 1 transactions are not enforced to have one input
* Revert "MLSAG (de)serialisation fix"
This reverts commit 5e710e0c96658092c6ecfe5e4ea5a9c3dbee3ab3.
here it checks number of MGs == number of inputs:
https://github.com/monero-project/monero/blob/0a1eaf26f9dd6b762c2582ee12603b2a4671c735/src/cryptonote_core/tx_verification_utils.cpp#L60-59
and here it checks for RctTypeFull number of MGs == 1:
https://github.com/monero-project/monero/blob/0a1eaf26f9dd6b762c2582ee12603b2a4671c735/src/ringct/rctSigs.cpp#L1325
so number of inputs == 1
so ss_2_elements == 2
* update `MlsagAggregate` comment
* cargo update
Resolves a yanked crate
* Move location of serai-client in Cargo.toml
---------
Co-authored-by: Luke Parker <lukeparker5132@gmail.com>
2023-07-04 21:18:05 +00:00
|
|
|
static H_POW_2_CELL: OnceLock<[DalekPoint; 64]> = OnceLock::new();
|
|
|
|
|
/// Monero's alternate generator `H`, multiplied by 2**i for i in 1 ..= 64.
|
|
|
|
|
#[allow(non_snake_case)]
|
|
|
|
|
pub fn H_pow_2() -> &'static [DalekPoint; 64] {
|
|
|
|
|
H_POW_2_CELL.get_or_init(|| {
|
|
|
|
|
let mut res = [H(); 64];
|
|
|
|
|
for i in 1 .. 64 {
|
|
|
|
|
res[i] = res[i - 1] + res[i - 1];
|
|
|
|
|
}
|
|
|
|
|
res
|
|
|
|
|
})
|
|
|
|
|
}
|
|
|
|
|
|
2022-08-21 06:36:53 -04:00
|
|
|
const MAX_M: usize = 16;
|
|
|
|
|
const N: usize = 64;
|
|
|
|
|
const MAX_MN: usize = MAX_M * N;
|
|
|
|
|
|
2022-09-28 07:44:49 -05:00
|
|
|
/// Container struct for Bulletproofs(+) generators.
|
2022-08-21 06:36:53 -04:00
|
|
|
#[allow(non_snake_case)]
|
|
|
|
|
pub struct Generators {
|
|
|
|
|
pub G: [EdwardsPoint; MAX_MN],
|
|
|
|
|
pub H: [EdwardsPoint; MAX_MN],
|
|
|
|
|
}
|
|
|
|
|
|
2022-09-28 07:44:49 -05:00
|
|
|
/// Generate generators as needed for Bulletproofs(+), as Monero does.
|
2023-07-08 00:56:43 -04:00
|
|
|
#[must_use]
|
2022-09-28 07:44:49 -05:00
|
|
|
pub fn bulletproofs_generators(dst: &'static [u8]) -> Generators {
|
2022-08-21 06:36:53 -04:00
|
|
|
let mut res =
|
|
|
|
|
Generators { G: [EdwardsPoint::identity(); MAX_MN], H: [EdwardsPoint::identity(); MAX_MN] };
|
|
|
|
|
for i in 0 .. MAX_MN {
|
|
|
|
|
let i = 2 * i;
|
|
|
|
|
|
2023-06-28 21:16:33 -04:00
|
|
|
let mut even = H().compress().to_bytes().to_vec();
|
2022-09-28 07:44:49 -05:00
|
|
|
even.extend(dst);
|
2022-08-21 06:36:53 -04:00
|
|
|
let mut odd = even.clone();
|
|
|
|
|
|
|
|
|
|
write_varint(&i.try_into().unwrap(), &mut even).unwrap();
|
|
|
|
|
write_varint(&(i + 1).try_into().unwrap(), &mut odd).unwrap();
|
|
|
|
|
res.H[i / 2] = EdwardsPoint(hash_to_point(hash(&even)));
|
|
|
|
|
res.G[i / 2] = EdwardsPoint(hash_to_point(hash(&odd)));
|
|
|
|
|
}
|
|
|
|
|
res
|
|
|
|
|
}
|
