Smash out Borromean

coins/monero/src/lib.rs

@@ -23,9 +23,6 @@ mod merkle;
 use monero_io as serialize;
 use serialize::{read_byte, read_u16};
 
-/// UnreducedScalar struct with functionality for recovering incorrectly reduced scalars.
-mod unreduced_scalar;
-
 /// Ring Signature structs and functionality.
 pub mod ring_signatures;
 

coins/monero/src/ringct/borromean.rs

@@ -1,103 +0,0 @@
-use core::fmt::Debug;
-use std_shims::io::{self, Read, Write};
-
-use curve25519_dalek::{traits::Identity, Scalar, EdwardsPoint};
-
-use monero_generators::H_pow_2;
-
-use crate::{hash_to_scalar, unreduced_scalar::UnreducedScalar, serialize::*};
-
-/// 64 Borromean ring signatures, as needed for a 64-bit range proof.
-///
-/// s0 and s1 are stored as `UnreducedScalar`s due to Monero not requiring they were reduced.
-/// `UnreducedScalar` preserves their original byte encoding and implements a custom reduction
-/// algorithm which was in use.
-#[derive(Clone, PartialEq, Eq, Debug)]
-struct BorromeanSignatures {
-  s0: [UnreducedScalar; 64],
-  s1: [UnreducedScalar; 64],
-  ee: Scalar,
-}
-
-impl BorromeanSignatures {
-  /// Read a set of BorromeanSignatures from a reader.
-  fn read<R: Read>(r: &mut R) -> io::Result<BorromeanSignatures> {
-    Ok(BorromeanSignatures {
-      s0: read_array(UnreducedScalar::read, r)?,
-      s1: read_array(UnreducedScalar::read, r)?,
-      ee: read_scalar(r)?,
-    })
-  }
-
-  /// Write the set of BorromeanSignatures to a writer.
-  fn write<W: Write>(&self, w: &mut W) -> io::Result<()> {
-    for s0 in &self.s0 {
-      s0.write(w)?;
-    }
-    for s1 in &self.s1 {
-      s1.write(w)?;
-    }
-    write_scalar(&self.ee, w)
-  }
-
-  fn verify(&self, keys_a: &[EdwardsPoint], keys_b: &[EdwardsPoint]) -> bool {
-    let mut transcript = [0; 2048];
-
-    for i in 0 .. 64 {
-      #[allow(non_snake_case)]
-      let LL = EdwardsPoint::vartime_double_scalar_mul_basepoint(
-        &self.ee,
-        &keys_a[i],
-        &self.s0[i].recover_monero_slide_scalar(),
-      );
-      #[allow(non_snake_case)]
-      let LV = EdwardsPoint::vartime_double_scalar_mul_basepoint(
-        &hash_to_scalar(LL.compress().as_bytes()),
-        &keys_b[i],
-        &self.s1[i].recover_monero_slide_scalar(),
-      );
-      transcript[(i * 32) .. ((i + 1) * 32)].copy_from_slice(LV.compress().as_bytes());
-    }
-
-    hash_to_scalar(&transcript) == self.ee
-  }
-}
-
-/// A range proof premised on Borromean ring signatures.
-#[derive(Clone, PartialEq, Eq, Debug)]
-pub struct BorromeanRange {
-  sigs: BorromeanSignatures,
-  bit_commitments: [EdwardsPoint; 64],
-}
-
-impl BorromeanRange {
-  /// Read a BorromeanRange proof from a reader.
-  pub fn read<R: Read>(r: &mut R) -> io::Result<BorromeanRange> {
-    Ok(BorromeanRange {
-      sigs: BorromeanSignatures::read(r)?,
-      bit_commitments: read_array(read_point, r)?,
-    })
-  }
-
-  /// Write the BorromeanRange proof to a reader.
-  pub fn write<W: Write>(&self, w: &mut W) -> io::Result<()> {
-    self.sigs.write(w)?;
-    write_raw_vec(write_point, &self.bit_commitments, w)
-  }
-
-  /// Verify the commitment contains a 64-bit value.
-  pub fn verify(&self, commitment: &EdwardsPoint) -> bool {
-    if &self.bit_commitments.iter().sum::<EdwardsPoint>() != commitment {
-      return false;
-    }
-
-    #[allow(non_snake_case)]
-    let H_pow_2 = H_pow_2();
-    let mut commitments_sub_one = [EdwardsPoint::identity(); 64];
-    for i in 0 .. 64 {
-      commitments_sub_one[i] = self.bit_commitments[i] - H_pow_2[i];
-    }
-
-    self.sigs.verify(&self.bit_commitments, &commitments_sub_one)
-  }
-}

coins/monero/src/ringct/mod.rs

@@ -16,7 +16,7 @@ pub use monero_mlsag as mlsag;
 /// CLSAG struct, along with signing and verifying functionality.
 pub use monero_clsag as clsag;
 /// BorromeanRange struct, along with verifying functionality.
-pub mod borromean;
+pub use monero_borromean as borromean;
 /// Bulletproofs(+) structs, along with proving and verifying functionality.
 pub use monero_bulletproofs as bulletproofs;
 

coins/monero/src/tests/mod.rs

@@ -1,4 +1,3 @@
-mod unreduced_scalar;
 mod address;
 mod seed;
 mod extra;

coins/monero/src/tests/unreduced_scalar.rs

@@ -1,32 +0,0 @@
-use curve25519_dalek::scalar::Scalar;
-
-use crate::unreduced_scalar::*;
-
-#[test]
-fn recover_scalars() {
-  let test_recover = |stored: &str, recovered: &str| {
-    let stored = UnreducedScalar(hex::decode(stored).unwrap().try_into().unwrap());
-    let recovered =
-      Scalar::from_canonical_bytes(hex::decode(recovered).unwrap().try_into().unwrap()).unwrap();
-    assert_eq!(stored.recover_monero_slide_scalar(), recovered);
-  };
-
-  // https://www.moneroinflation.com/static/data_py/report_scalars_df.pdf
-  // Table 4.
-  test_recover(
-    "cb2be144948166d0a9edb831ea586da0c376efa217871505ad77f6ff80f203f8",
-    "b8ffd6a1aee47828808ab0d4c8524cb5c376efa217871505ad77f6ff80f20308",
-  );
-  test_recover(
-    "343d3df8a1051c15a400649c423dc4ed58bef49c50caef6ca4a618b80dee22f4",
-    "21113355bc682e6d7a9d5b3f2137a30259bef49c50caef6ca4a618b80dee2204",
-  );
-  test_recover(
-    "c14f75d612800ca2c1dcfa387a42c9cc086c005bc94b18d204dd61342418eba7",
-    "4f473804b1d27ab2c789c80ab21d034a096c005bc94b18d204dd61342418eb07",
-  );
-  test_recover(
-    "000102030405060708090a0b0c0d0e0f826c4f6e2329a31bc5bc320af0b2bcbb",
-    "a124cfd387f461bf3719e03965ee6877826c4f6e2329a31bc5bc320af0b2bc0b",
-  );
-}

coins/monero/src/unreduced_scalar.rs

@@ -1,133 +0,0 @@
-use core::cmp::Ordering;
-
-use std_shims::{
-  sync::OnceLock,
-  io::{self, *},
-};
-
-use curve25519_dalek::scalar::Scalar;
-
-use crate::serialize::*;
-
-static PRECOMPUTED_SCALARS_CELL: OnceLock<[Scalar; 8]> = OnceLock::new();
-/// Precomputed scalars used to recover an incorrectly reduced scalar.
-#[allow(non_snake_case)]
-pub(crate) fn PRECOMPUTED_SCALARS() -> [Scalar; 8] {
-  *PRECOMPUTED_SCALARS_CELL.get_or_init(|| {
-    let mut precomputed_scalars = [Scalar::ONE; 8];
-    for (i, scalar) in precomputed_scalars.iter_mut().enumerate().skip(1) {
-      *scalar = Scalar::from(u8::try_from((i * 2) + 1).unwrap());
-    }
-    precomputed_scalars
-  })
-}
-
-#[derive(Clone, PartialEq, Eq, Debug)]
-pub struct UnreducedScalar(pub [u8; 32]);
-
-impl UnreducedScalar {
-  pub fn write<W: Write>(&self, w: &mut W) -> io::Result<()> {
-    w.write_all(&self.0)
-  }
-
-  pub fn read<R: Read>(r: &mut R) -> io::Result<UnreducedScalar> {
-    Ok(UnreducedScalar(read_bytes(r)?))
-  }
-
-  fn as_bits(&self) -> [u8; 256] {
-    let mut bits = [0; 256];
-    for (i, bit) in bits.iter_mut().enumerate() {
-      *bit = core::hint::black_box(1 & (self.0[i / 8] >> (i % 8)))
-    }
-
-    bits
-  }
-
-  /// Computes the non-adjacent form of this scalar with width 5.
-  ///
-  /// This matches Monero's `slide` function and intentionally gives incorrect outputs under
-  /// certain conditions in order to match Monero.
-  ///
-  /// This function does not execute in constant time.
-  fn non_adjacent_form(&self) -> [i8; 256] {
-    let bits = self.as_bits();
-    let mut naf = [0i8; 256];
-    for (b, bit) in bits.into_iter().enumerate() {
-      naf[b] = i8::try_from(bit).unwrap();
-    }
-
-    for i in 0 .. 256 {
-      if naf[i] != 0 {
-        // if the bit is a one, work our way up through the window
-        // combining the bits with this bit.
-        for b in 1 .. 6 {
-          if (i + b) >= 256 {
-            // if we are at the length of the array then break out
-            // the loop.
-            break;
-          }
-          // potential_carry - the value of the bit at i+b compared to the bit at i
-          let potential_carry = naf[i + b] << b;
-
-          if potential_carry != 0 {
-            if (naf[i] + potential_carry) <= 15 {
-              // if our current "bit" plus the potential carry is less than 16
-              // add it to our current "bit" and set the potential carry bit to 0.
-              naf[i] += potential_carry;
-              naf[i + b] = 0;
-            } else if (naf[i] - potential_carry) >= -15 {
-              // else if our current "bit" minus the potential carry is more than -16
-              // take it away from our current "bit".
-              // we then work our way up through the bits setting ones to zero, when
-              // we hit the first zero we change it to one then stop, this is to factor
-              // in the minus.
-              naf[i] -= potential_carry;
-              #[allow(clippy::needless_range_loop)]
-              for k in (i + b) .. 256 {
-                if naf[k] == 0 {
-                  naf[k] = 1;
-                  break;
-                }
-                naf[k] = 0;
-              }
-            } else {
-              break;
-            }
-          }
-        }
-      }
-    }
-
-    naf
-  }
-
-  /// Recover the scalar that an array of bytes was incorrectly interpreted as by Monero's `slide`
-  /// function.
-  ///
-  /// In Borromean range proofs Monero was not checking that the scalars used were
-  /// reduced. This lead to the scalar stored being interpreted as a different scalar,
-  /// this function recovers that scalar.
-  ///
-  /// See: https://github.com/monero-project/monero/issues/8438
-  pub fn recover_monero_slide_scalar(&self) -> Scalar {
-    if self.0[31] & 128 == 0 {
-      // Computing the w-NAF of a number can only give an output with 1 more bit than
-      // the number, so even if the number isn't reduced, the `slide` function will be
-      // correct when the last bit isn't set.
-      return Scalar::from_bytes_mod_order(self.0);
-    }
-
-    let precomputed_scalars = PRECOMPUTED_SCALARS();
-
-    let mut recovered = Scalar::ZERO;
-    for &numb in self.non_adjacent_form().iter().rev() {
-      recovered += recovered;
-      match numb.cmp(&0) {
-        Ordering::Greater => recovered += precomputed_scalars[usize::try_from(numb).unwrap() / 2],
-        Ordering::Less => recovered -= precomputed_scalars[usize::try_from(-numb).unwrap() / 2],
-        Ordering::Equal => (),
-      }
-    }
-    recovered
-  }
-}