Clean the Monero lib for auditing (#577)

* Remove unsafe creation of dalek_ff_group::EdwardsPoint in BP+

* Rename Bulletproofs to Bulletproof, since they are a single Bulletproof

Also bifurcates prove with prove_plus, and adds a few documentation items.

* Make CLSAG signing private

Also adds a bit more documentation and does a bit more tidying.

* Remove the distribution cache

It's a notable bandwidth/performance improvement, yet it's not ready. We need a
dedicated Distribution struct which is managed by the wallet and passed in.
While we can do that now, it's not currently worth the effort.

* Tidy Borromean/MLSAG a tad

* Remove experimental feature from monero-serai

* Move amount_decryption into EncryptedAmount::decrypt

* Various RingCT doc comments

* Begin crate smashing

* Further documentation, start shoring up API boundaries of existing crates

* Document and clean clsag

* Add a dedicated send/recv CLSAG mask struct

Abstracts the types used internally.

Also moves the tests from monero-serai to monero-clsag.

* Smash out monero-bulletproofs

Removes usage of dalek-ff-group/multiexp for curve25519-dalek.

Makes compiling in the generators an optional feature.

Adds a structured batch verifier which should be notably more performant.

Documentation and clean up still necessary.

* Correct no-std builds for monero-clsag and monero-bulletproofs

* Tidy and document monero-bulletproofs

I still don't like the impl of the original Bulletproofs...

* Error if missing documentation

* Smash out MLSAG

* Smash out Borromean

* Tidy up monero-serai as a meta crate

* Smash out RPC, wallet

* Document the RPC

* Improve docs a bit

* Move Protocol to monero-wallet

* Incomplete work on using Option to remove panic cases

* Finish documenting monero-serai

* Remove TODO on reading pseudo_outs for AggregateMlsagBorromean

* Only read transactions with one Input::Gen or all Input::ToKey

Also adds a helper to fetch a transaction's prefix.

* Smash out polyseed

* Smash out seed

* Get the repo to compile again

* Smash out Monero addresses

* Document cargo features

Credit to @hinto-janai for adding such sections to their work on documenting
monero-serai in #568.

* Fix deserializing v2 miner transactions

* Rewrite monero-wallet's send code

I have yet to redo the multisig code and the builder. This should be much
cleaner, albeit slower due to redoing work.

This compiles with clippy --all-features. I have to finish the multisig/builder
for --all-targets to work (and start updating the rest of Serai).

* Add SignableTransaction Read/Write

* Restore Monero multisig TX code

* Correct invalid RPC type def in monero-rpc

* Update monero-wallet tests to compile

Some are _consistently_ failing due to the inputs we attempt to spend being too
young. I'm unsure what's up with that. Most seem to pass _consistently_,
implying it's not a random issue yet some configuration/env aspect.

* Clean and document monero-address

* Sync rest of repo with monero-serai changes

* Represent height/block number as a u32

* Diversify ViewPair/Scanner into ViewPair/GuaranteedViewPair and Scanner/GuaranteedScanner

Also cleans the Scanner impl.

* Remove non-small-order view key bound

Guaranteed addresses are in fact guaranteed even with this due to prefixing key
images causing zeroing the ECDH to not zero the shared key.

* Finish documenting monero-serai

* Correct imports for no-std

* Remove possible panic in monero-serai on systems < 32 bits

This was done by requiring the system's usize can represent a certain number.

* Restore the reserialize chain binary

* fmt, machete, GH CI

* Correct misc TODOs in monero-serai

* Have Monero test runner evaluate an Eventuality for all signed TXs

* Fix a pair of bugs in the decoy tests

Unfortunately, this test is still failing.

* Fix remaining bugs in monero-wallet tests

* Reject torsioned spend keys to ensure we can spend the outputs we scan

* Tidy inlined epee code in the RPC

* Correct the accidental swap of stagenet/testnet address bytes

* Remove unused dep from processor

* Handle Monero fee logic properly in the processor

* Document v2 TX/RCT output relation assumed when scanning

* Adjust how we mine the initial blocks due to some CI test failures

* Fix weight estimation for RctType::ClsagBulletproof TXs

* Again increase the amount of blocks we mine prior to running tests

* Correct the if check about when to mine blocks on start

Finally fixes the lack of decoy candidates failures in CI.

* Run Monero on Debian, even for internal testnets

Change made due to a segfault incurred when locally testing.

https://github.com/monero-project/monero/issues/9141 for the upstream.

* Don't attempt running tests on the verify-chain binary

Adds a minimum XMR fee to the processor and runs fmt.

* Increase minimum Monero fee in processor

I'm truly unsure why this is required right now.

* Distinguish fee from necessary_fee in monero-wallet

If there's no change, the fee is difference of the inputs to the outputs. The
prior code wouldn't check that amount is greater than or equal to the necessary
fee, and returning the would-be change amount as the fee isn't necessarily
helpful.

Now the fee is validated in such cases and the necessary fee is returned,
enabling operating off of that.

* Restore minimum Monero fee from develop

coins/monero/generators/Cargo.toml

@@ -1,7 +1,7 @@
 [package]
 name = "monero-generators"
 version = "0.4.0"
-description = "Monero's hash_to_point and generators"
+description = "Monero's hash to point function and generators"
 license = "MIT"
 repository = "https://github.com/serai-dex/serai/tree/develop/coins/monero/generators"
 authors = ["Luke Parker <lukeparker5132@gmail.com>"]
@@ -20,15 +20,27 @@ std-shims = { path = "../../../common/std-shims", version = "^0.1.1", default-fe
 subtle = { version = "^2.4", default-features = false }
 
 sha3 = { version = "0.10", default-features = false }
-
-curve25519-dalek = { version = "4", default-features = false, features = ["alloc", "zeroize", "precomputed-tables"] }
+curve25519-dalek = { version = "4", default-features = false, features = ["alloc", "zeroize"] }
 
 group = { version = "0.13", default-features = false }
 dalek-ff-group = { path = "../../../crypto/dalek-ff-group", version = "0.4", default-features = false }
 
+monero-io = { path = "../io", version = "0.1", default-features = false }
+
 [dev-dependencies]
 hex = "0.4"
 
 [features]
-std = ["std-shims/std", "subtle/std", "sha3/std", "dalek-ff-group/std"]
+std = [
+  "std-shims/std",
+
+  "subtle/std",
+
+  "sha3/std",
+
+  "group/alloc",
+  "dalek-ff-group/std",
+
+  "monero-io/std"
+]
 default = ["std"]

coins/monero/generators/LICENSE

@@ -1,6 +1,6 @@
 MIT License
 
-Copyright (c) 2022-2023 Luke Parker
+Copyright (c) 2022-2024 Luke Parker
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal

coins/monero/generators/README.md

@@ -1,7 +1,13 @@
 # Monero Generators
 
 Generators used by Monero in both its Pedersen commitments and Bulletproofs(+).
-An implementation of Monero's `ge_fromfe_frombytes_vartime`, simply called
-`hash_to_point` here, is included, as needed to generate generators.
+An implementation of Monero's `hash_to_ec` is included, as needed to generate
+the generators.
 
-This library is usable under no-std when the `std` feature is disabled.
+This library is usable under no-std when the `std` feature (on by default) is
+disabled.
+
+### Cargo Features
+
+- `std` (on by default): Enables `std` (and with it, more efficient internal
+  implementations).

coins/monero/generators/src/hash_to_point.rs

@@ -1,27 +1,20 @@
 use subtle::ConditionallySelectable;
 
-use curve25519_dalek::edwards::{EdwardsPoint, CompressedEdwardsY};
+use curve25519_dalek::edwards::EdwardsPoint;
 
 use group::ff::{Field, PrimeField};
 use dalek_ff_group::FieldElement;
 
-use crate::hash;
+use monero_io::decompress_point;
 
-/// Decompress canonically encoded ed25519 point
-/// It does not check if the point is in the prime order subgroup
-pub fn decompress_point(bytes: [u8; 32]) -> Option<EdwardsPoint> {
-  CompressedEdwardsY(bytes)
-    .decompress()
-    // Ban points which are either unreduced or -0
-    .filter(|point| point.compress().to_bytes() == bytes)
-}
+use crate::keccak256;
 
-/// Monero's hash to point function, as named `hash_to_ec`.
+/// Monero's `hash_to_ec` function.
 pub fn hash_to_point(bytes: [u8; 32]) -> EdwardsPoint {
   #[allow(non_snake_case)]
   let A = FieldElement::from(486662u64);
 
-  let v = FieldElement::from_square(hash(&bytes)).double();
+  let v = FieldElement::from_square(keccak256(&bytes)).double();
   let w = v + FieldElement::ONE;
   let x = w.square() + (-A.square() * v);
 

coins/monero/generators/src/lib.rs

@@ -1,45 +1,46 @@
-//! Generators used by Monero in both its Pedersen commitments and Bulletproofs(+).
-//!
-//! An implementation of Monero's `ge_fromfe_frombytes_vartime`, simply called
-//! `hash_to_point` here, is included, as needed to generate generators.
-
+#![cfg_attr(docsrs, feature(doc_auto_cfg))]
+#![doc = include_str!("../README.md")]
+#![deny(missing_docs)]
 #![cfg_attr(not(feature = "std"), no_std)]
 
 use std_shims::{sync::OnceLock, vec::Vec};
 
 use sha3::{Digest, Keccak256};
 
-use curve25519_dalek::edwards::{EdwardsPoint as DalekPoint};
+use curve25519_dalek::{constants::ED25519_BASEPOINT_POINT, edwards::EdwardsPoint};
 
-use group::{Group, GroupEncoding};
-use dalek_ff_group::EdwardsPoint;
-
-mod varint;
-use varint::write_varint;
+use monero_io::{write_varint, decompress_point};
 
 mod hash_to_point;
-pub use hash_to_point::{hash_to_point, decompress_point};
+pub use hash_to_point::hash_to_point;
 
 #[cfg(test)]
 mod tests;
 
-fn hash(data: &[u8]) -> [u8; 32] {
+fn keccak256(data: &[u8]) -> [u8; 32] {
   Keccak256::digest(data).into()
 }
 
-static H_CELL: OnceLock<DalekPoint> = OnceLock::new();
-/// Monero's alternate generator `H`, used for amounts in Pedersen commitments.
+static H_CELL: OnceLock<EdwardsPoint> = OnceLock::new();
+/// Monero's `H` generator.
+///
+/// Contrary to convention (`G` for values, `H` for randomness), `H` is used by Monero for amounts
+/// within Pedersen commitments.
 #[allow(non_snake_case)]
-pub fn H() -> DalekPoint {
+pub fn H() -> EdwardsPoint {
   *H_CELL.get_or_init(|| {
-    decompress_point(hash(&EdwardsPoint::generator().to_bytes())).unwrap().mul_by_cofactor()
+    decompress_point(keccak256(&ED25519_BASEPOINT_POINT.compress().to_bytes()))
+      .unwrap()
+      .mul_by_cofactor()
   })
 }
 
-static H_POW_2_CELL: OnceLock<[DalekPoint; 64]> = OnceLock::new();
-/// Monero's alternate generator `H`, multiplied by 2**i for i in 1 ..= 64.
+static H_POW_2_CELL: OnceLock<[EdwardsPoint; 64]> = OnceLock::new();
+/// Monero's `H` generator, multiplied by 2**i for i in 1 ..= 64.
+///
+/// This table is useful when working with amounts, which are u64s.
 #[allow(non_snake_case)]
-pub fn H_pow_2() -> &'static [DalekPoint; 64] {
+pub fn H_pow_2() -> &'static [EdwardsPoint; 64] {
   H_POW_2_CELL.get_or_init(|| {
     let mut res = [H(); 64];
     for i in 1 .. 64 {
@@ -49,31 +50,45 @@ pub fn H_pow_2() -> &'static [DalekPoint; 64] {
   })
 }
 
-const MAX_M: usize = 16;
-const N: usize = 64;
-const MAX_MN: usize = MAX_M * N;
+/// The maximum amount of commitments provable for within a single range proof.
+pub const MAX_COMMITMENTS: usize = 16;
+/// The amount of bits a value within a commitment may use.
+pub const COMMITMENT_BITS: usize = 64;
+/// The logarithm (over 2) of the amount of bits a value within a commitment may use.
+pub const LOG_COMMITMENT_BITS: usize = 6; // 2 ** 6 == N
 
 /// Container struct for Bulletproofs(+) generators.
 #[allow(non_snake_case)]
 pub struct Generators {
+  /// The G (bold) vector of generators.
   pub G: Vec<EdwardsPoint>,
+  /// The H (bold) vector of generators.
   pub H: Vec<EdwardsPoint>,
 }
 
 /// Generate generators as needed for Bulletproofs(+), as Monero does.
+///
+/// Consumers should not call this function ad-hoc, yet call it within a build script or use a
+/// once-initialized static.
 pub fn bulletproofs_generators(dst: &'static [u8]) -> Generators {
+  // The maximum amount of bits used within a single range proof.
+  const MAX_MN: usize = MAX_COMMITMENTS * COMMITMENT_BITS;
+
+  let mut preimage = H().compress().to_bytes().to_vec();
+  preimage.extend(dst);
+
   let mut res = Generators { G: Vec::with_capacity(MAX_MN), H: Vec::with_capacity(MAX_MN) };
   for i in 0 .. MAX_MN {
+    // We generate a pair of generators per iteration
     let i = 2 * i;
 
-    let mut even = H().compress().to_bytes().to_vec();
-    even.extend(dst);
-    let mut odd = even.clone();
+    let mut even = preimage.clone();
+    write_varint(&i, &mut even).unwrap();
+    res.H.push(hash_to_point(keccak256(&even)));
 
-    write_varint(&i.try_into().unwrap(), &mut even).unwrap();
-    write_varint(&(i + 1).try_into().unwrap(), &mut odd).unwrap();
-    res.H.push(EdwardsPoint(hash_to_point(hash(&even))));
-    res.G.push(EdwardsPoint(hash_to_point(hash(&odd))));
+    let mut odd = preimage.clone();
+    write_varint(&(i + 1), &mut odd).unwrap();
+    res.G.push(hash_to_point(keccak256(&odd)));
   }
   res
 }

coins/monero/generators/src/tests/hash_to_point.rs

@@ -1,38 +0,0 @@
-use crate::{decompress_point, hash_to_point};
-
-#[test]
-fn crypto_tests() {
-  // tests.txt file copied from monero repo
-  // https://github.com/monero-project/monero/
-  //   blob/ac02af92867590ca80b2779a7bbeafa99ff94dcb/tests/crypto/tests.txt
-  let reader = include_str!("./tests.txt");
-
-  for line in reader.lines() {
-    let mut words = line.split_whitespace();
-    let command = words.next().unwrap();
-
-    match command {
-      "check_key" => {
-        let key = words.next().unwrap();
-        let expected = match words.next().unwrap() {
-          "true" => true,
-          "false" => false,
-          _ => unreachable!("invalid result"),
-        };
-
-        let actual = decompress_point(hex::decode(key).unwrap().try_into().unwrap());
-
-        assert_eq!(actual.is_some(), expected);
-      }
-      "hash_to_ec" => {
-        let bytes = words.next().unwrap();
-        let expected = words.next().unwrap();
-
-        let actual = hash_to_point(hex::decode(bytes).unwrap().try_into().unwrap());
-
-        assert_eq!(hex::encode(actual.compress().to_bytes()), expected);
-      }
-      _ => unreachable!("unknown command"),
-    }
-  }
-}

coins/monero/generators/src/tests/mod.rs

@@ -1 +1,36 @@
-mod hash_to_point;
+use crate::{decompress_point, hash_to_point};
+
+#[test]
+fn test_vectors() {
+  // tests.txt file copied from monero repo
+  // https://github.com/monero-project/monero/
+  //   blob/ac02af92867590ca80b2779a7bbeafa99ff94dcb/tests/crypto/tests.txt
+  let reader = include_str!("./tests.txt");
+
+  for line in reader.lines() {
+    let mut words = line.split_whitespace();
+    let command = words.next().unwrap();
+
+    match command {
+      "check_key" => {
+        let key = words.next().unwrap();
+        let expected = match words.next().unwrap() {
+          "true" => true,
+          "false" => false,
+          _ => unreachable!("invalid result"),
+        };
+
+        let actual = decompress_point(hex::decode(key).unwrap().try_into().unwrap());
+        assert_eq!(actual.is_some(), expected);
+      }
+      "hash_to_ec" => {
+        let bytes = words.next().unwrap();
+        let expected = words.next().unwrap();
+
+        let actual = hash_to_point(hex::decode(bytes).unwrap().try_into().unwrap());
+        assert_eq!(hex::encode(actual.compress().to_bytes()), expected);
+      }
+      _ => unreachable!("unknown command"),
+    }
+  }
+}

coins/monero/generators/src/varint.rs

@@ -1,16 +0,0 @@
-use std_shims::io::{self, Write};
-
-const VARINT_CONTINUATION_MASK: u8 = 0b1000_0000;
-pub(crate) fn write_varint<W: Write>(varint: &u64, w: &mut W) -> io::Result<()> {
-  let mut varint = *varint;
-  while {
-    let mut b = u8::try_from(varint & u64::from(!VARINT_CONTINUATION_MASK)).unwrap();
-    varint >>= 7;
-    if varint != 0 {
-      b |= VARINT_CONTINUATION_MASK;
-    }
-    w.write_all(&[b])?;
-    varint != 0
-  } {}
-  Ok(())
-}