Monero: support for legacy transactions (#308)

* add mlsag

* fix last commit

* fix miner v1 txs

* fix non-miner v1 txs

* add borromean + fix mlsag

* add block hash calculations

* fix for the jokester that added unreduced scalars

to the borromean signature of
2368d846e671bf79a1f84c6d3af9f0bfe296f043f50cf17ae5e485384a53707b

* Add Borromean range proof verifying functionality

* Add MLSAG verifying functionality

* fmt & clippy :)

* update MLSAG, ss2_elements will always be 2

* Add MgSig proving

* Tidy block.rs

* Tidy Borromean, fix bugs in last commit, replace todo! with unreachable!

* Mark legacy EcdhInfo amount decryption as experimental

* Correct comments

* Write a new impl of the merkle algorithm

This one tries to be understandable.

* Only pull in things only needed for experimental when experimental

* Stop caching the Monero block hash now in processor that we have Block::hash

* Corrections for recent processor commit

* Use a clearer algorithm for the merkle

Should also be more efficient due to not shifting as often.

* Tidy Mlsag

* Remove verify_rct_* from Mlsag

Both methods were ports from Monero, overtly specific without clear
documentation. They need to be added back in, with documentation, or included
in a node which provides the necessary further context for them to be naturally
understandable.

* Move mlsag/mod.rs to mlsag.rs

This should only be a folder if it has multiple files.

* Replace EcdhInfo terminology

The ECDH encrypted the amount, yet this struct contained the encrypted amount,
not some ECDH.

Also corrects the types on the original EcdhInfo struct.

* Correct handling of commitment masks when scanning

* Route read_array through read_raw_vec

* Misc lint

* Make a proper RctType enum

No longer caches RctType in the RctSignatures as well.

* Replace Vec<Bulletproofs> with Bulletproofs

Monero uses aggregated range proofs, so there's only ever one Bulletproof. This
is enforced with a consensus rule as well, making this safe.

As for why Monero uses a vec, it's probably due to the lack of variadic typing
used. Its effectively an Option for them, yet we don't need an Option since we
do have variadic typing (enums).

* Add necessary checks to Eventuality re: supported protocols

* Fix for block 202612 and fix merkel root calculations

* MLSAG (de)serialisation fix

ss_2_elements will not always be 2 as rct type 1 transactions are not enforced to have one input

* Revert "MLSAG (de)serialisation fix"

This reverts commit 5e710e0c96.

here it checks number of MGs == number of inputs:
0a1eaf26f9/src/cryptonote_core/tx_verification_utils.cpp (L60-59)

and here it checks for RctTypeFull number of MGs == 1:
0a1eaf26f9/src/ringct/rctSigs.cpp (L1325)

so number of inputs == 1
so ss_2_elements == 2

* update `MlsagAggregate` comment

* cargo update

Resolves a yanked crate

* Move location of serai-client in Cargo.toml

---------

Co-authored-by: Luke Parker <lukeparker5132@gmail.com>

coins/monero/src/wallet/mod.rs

@@ -9,7 +9,9 @@ use curve25519_dalek::{
   edwards::{EdwardsPoint, CompressedEdwardsY},
 };
 
-use crate::{hash, hash_to_scalar, serialize::write_varint, transaction::Input};
+use crate::{
+  hash, hash_to_scalar, serialize::write_varint, ringct::EncryptedAmount, transaction::Input,
+};
 
 pub mod extra;
 pub(crate) use extra::{PaymentId, ExtraField, Extra};
@@ -86,20 +88,49 @@ pub(crate) fn shared_key(
   (view_tag, hash_to_scalar(&shared_key), payment_id_xor)
 }
 
+pub(crate) fn commitment_mask(shared_key: Scalar) -> Scalar {
+  let mut mask = b"commitment_mask".to_vec();
+  mask.extend(shared_key.to_bytes());
+  hash_to_scalar(&mask)
+}
+
 pub(crate) fn amount_encryption(amount: u64, key: Scalar) -> [u8; 8] {
   let mut amount_mask = b"amount".to_vec();
   amount_mask.extend(key.to_bytes());
   (amount ^ u64::from_le_bytes(hash(&amount_mask)[.. 8].try_into().unwrap())).to_le_bytes()
 }
 
-fn amount_decryption(amount: [u8; 8], key: Scalar) -> u64 {
-  u64::from_le_bytes(amount_encryption(u64::from_le_bytes(amount), key))
-}
+// TODO: Move this under EncryptedAmount?
+fn amount_decryption(amount: &EncryptedAmount, key: Scalar) -> (Scalar, u64) {
+  match amount {
+    EncryptedAmount::Original { mask, amount } => {
+      #[cfg(feature = "experimental")]
+      {
+        let mask_shared_sec = hash(key.as_bytes());
+        let mask =
+          Scalar::from_bytes_mod_order(*mask) - Scalar::from_bytes_mod_order(mask_shared_sec);
 
-pub(crate) fn commitment_mask(shared_key: Scalar) -> Scalar {
-  let mut mask = b"commitment_mask".to_vec();
-  mask.extend(shared_key.to_bytes());
-  hash_to_scalar(&mask)
+        let amount_shared_sec = hash(&mask_shared_sec);
+        let amount_scalar =
+          Scalar::from_bytes_mod_order(*amount) - Scalar::from_bytes_mod_order(amount_shared_sec);
+        // d2b from rctTypes.cpp
+        let amount = u64::from_le_bytes(amount_scalar.to_bytes()[0 .. 8].try_into().unwrap());
+
+        (mask, amount)
+      }
+
+      #[cfg(not(feature = "experimental"))]
+      {
+        let _ = mask;
+        let _ = amount;
+        todo!("decrypting a legacy monero transaction's amount")
+      }
+    }
+    EncryptedAmount::Compact { amount } => (
+      commitment_mask(key),
+      u64::from_le_bytes(amount_encryption(u64::from_le_bytes(*amount), key)),
+    ),
+  }
 }
 
 /// The private view key and public spend key, enabling scanning transactions.

coins/monero/src/wallet/scan.rs

@@ -16,7 +16,6 @@ use crate::{
   rpc::{RpcError, RpcConnection, Rpc},
   wallet::{
     PaymentId, Extra, address::SubaddressIndex, Scanner, uniqueness, shared_key, amount_decryption,
-    commitment_mask,
   },
 };
 
@@ -379,15 +378,15 @@ impl Scanner {
           commitment.amount = amount;
         // Regular transaction
         } else {
-          let amount = match tx.rct_signatures.base.ecdh_info.get(o) {
-            Some(amount) => amount_decryption(*amount, shared_key),
+          let (mask, amount) = match tx.rct_signatures.base.encrypted_amounts.get(o) {
+            Some(amount) => amount_decryption(amount, shared_key),
             // This should never happen, yet it may be possible with miner transactions?
             // Using get just decreases the possibility of a panic and lets us move on in that case
             None => break,
           };
 
           // Rebuild the commitment to verify it
-          commitment = Commitment::new(commitment_mask(shared_key), amount);
+          commitment = Commitment::new(mask, amount);
           // If this is a malicious commitment, move to the next output
           // Any other R value will calculate to a different spend key and are therefore ignorable
           if Some(&commitment.calculate()) != tx.rct_signatures.base.commitments.get(o) {

coins/monero/src/wallet/send/mod.rs

@@ -53,6 +53,7 @@ pub use builder::SignableTransactionBuilder;
 mod multisig;
 #[cfg(feature = "multisig")]
 pub use multisig::TransactionMachine;
+use crate::ringct::EncryptedAmount;
 
 #[allow(non_snake_case)]
 #[derive(Clone, PartialEq, Eq, Debug, Zeroize, ZeroizeOnDrop)]
@@ -629,7 +630,7 @@ impl SignableTransaction {
 
     let mut fee = self.inputs.iter().map(|input| input.commitment().amount).sum::<u64>();
     let mut tx_outputs = Vec::with_capacity(outputs.len());
-    let mut ecdh_info = Vec::with_capacity(outputs.len());
+    let mut encrypted_amounts = Vec::with_capacity(outputs.len());
     for output in &outputs {
       fee -= output.commitment.amount;
       tx_outputs.push(Output {
@@ -637,7 +638,7 @@ impl SignableTransaction {
         key: output.dest.compress(),
         view_tag: Some(output.view_tag).filter(|_| matches!(self.protocol, Protocol::v16)),
       });
-      ecdh_info.push(output.amount);
+      encrypted_amounts.push(EncryptedAmount::Compact { amount: output.amount });
     }
 
     (
@@ -653,14 +654,11 @@ impl SignableTransaction {
         rct_signatures: RctSignatures {
           base: RctBase {
             fee,
-            ecdh_info,
+            encrypted_amounts,
+            pseudo_outs: vec![],
             commitments: commitments.iter().map(|commitment| commitment.calculate()).collect(),
           },
-          prunable: RctPrunable::Clsag {
-            bulletproofs: vec![bp],
-            clsags: vec![],
-            pseudo_outs: vec![],
-          },
+          prunable: RctPrunable::Clsag { bulletproofs: bp, clsags: vec![], pseudo_outs: vec![] },
         },
       },
       sum,
@@ -706,6 +704,7 @@ impl SignableTransaction {
         clsags.append(&mut clsag_pairs.iter().map(|clsag| clsag.0.clone()).collect::<Vec<_>>());
         pseudo_outs.append(&mut clsag_pairs.iter().map(|clsag| clsag.1).collect::<Vec<_>>());
       }
+      _ => unreachable!("attempted to sign a TX which wasn't CLSAG"),
     }
     Ok(tx)
   }
@@ -747,6 +746,16 @@ impl Eventuality {
       uniqueness(&tx.prefix.inputs),
     );
 
+    let rct_type = tx.rct_signatures.rct_type();
+    if rct_type != self.protocol.optimal_rct_type() {
+      return false;
+    }
+
+    // TODO: Remove this when the following for loop is updated
+    if !rct_type.compact_encrypted_amounts() {
+      panic!("created an Eventuality for a very old RctType we don't support proving for");
+    }
+
     for (o, (expected, actual)) in outputs.iter().zip(tx.prefix.outputs.iter()).enumerate() {
       // Verify the output, commitment, and encrypted amount.
       if (&Output {
@@ -755,7 +764,8 @@ impl Eventuality {
         view_tag: Some(expected.view_tag).filter(|_| matches!(self.protocol, Protocol::v16)),
       } != actual) ||
         (Some(&expected.commitment.calculate()) != tx.rct_signatures.base.commitments.get(o)) ||
-        (Some(&expected.amount) != tx.rct_signatures.base.ecdh_info.get(o))
+        (Some(&EncryptedAmount::Compact { amount: expected.amount }) !=
+          tx.rct_signatures.base.encrypted_amounts.get(o))
       {
         return false;
       }

coins/monero/src/wallet/send/multisig.rs

@@ -430,6 +430,7 @@ impl SignatureMachine<Transaction> for TransactionSignatureMachine {
           pseudo_outs.push(pseudo_out);
         }
       }
+      _ => unreachable!("attempted to sign a multisig TX which wasn't CLSAG"),
     }
     Ok(tx)
   }