absolutebi/serai
1
0
Fork 0
mirror of https://github.com/serai-dex/serai.git synced 2025-12-08 12:19:24 +00:00
Code Issues Packages Projects Releases Wiki Activity

Respond to 2 2

Browse Source
This commit is contained in:
Luke Parker
2025-07-23 09:27:50 -04:00
parent 6b8cf6653a
commit cb1e6535cb
3 changed files with 12 additions and 10 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
networks/monero/primitives/src/tests.rs
View File

@@ -8,7 +8,7 @@ fn recover_scalars() {
let stored = UnreducedScalar(hex::decode(stored).unwrap().try_into().unwrap());
let recovered =
Scalar::from_canonical_bytes(hex::decode(recovered).unwrap().try_into().unwrap()).unwrap();
assert_eq!(stored.recover_monero_slide_scalar(), recovered);
assert_eq!(stored.ref10_slide_scalar_vartime(), recovered);
};
// https://www.moneroinflation.com/static/data_py/report_scalars_df.pdf

16
networks/monero/primitives/src/unreduced_scalar.rs
View File

@@ -54,7 +54,7 @@ impl UnreducedScalar {
// This matches Monero's `slide` function and intentionally gives incorrect outputs under
// certain conditions in order to match Monero.
//
// This function does not execute in constant time.
// This function does not execute in constant time and must only be used with public data.
fn non_adjacent_form(&self) -> [i8; 256] {
let bits = self.as_bits();
let mut naf = [0i8; 256];
@@ -107,15 +107,17 @@ impl UnreducedScalar {
naf
}
/// Recover the scalar that an array of bytes was incorrectly interpreted as by Monero's `slide`
/// function.
/// Recover the scalar that an array of bytes was incorrectly interpreted as by ref10's `slide`
/// function (as used by the reference Monero implementation in C++).
///
/// In Borromean range proofs, Monero was not checking that the scalars used were
/// reduced. This lead to the scalar stored being interpreted as a different scalar.
/// This function recovers that scalar.
/// For Borromean range proofs, Monero did not check the scalars used were reduced. This led to
/// some scalars serialized being interpreted as distinct scalars. This function recovers these
/// distinct scalars, as required to verify Borromean range proofs within the Monero protocol.
///
/// See <https://github.com/monero-project/monero/issues/8438> for more info.
pub fn recover_monero_slide_scalar(&self) -> Scalar {
//
/// This function does not execute in constant time and must only be used with public data.
pub fn ref10_slide_scalar_vartime(&self) -> Scalar {
if self.0[31] & 128 == 0 {
// Computing the w-NAF of a number can only give an output with 1 more bit than
// the number, so even if the number isn't reduced, the `slide` function will be

4
networks/monero/ringct/borromean/src/lib.rs
View File

@@ -56,13 +56,13 @@ impl BorromeanSignatures {
let LL = EdwardsPoint::vartime_double_scalar_mul_basepoint(
&self.ee,
&keys_a[i],
&self.s0[i].recover_monero_slide_scalar(),
&self.s0[i].ref10_slide_scalar_vartime(),
);
#[allow(non_snake_case)]
let LV = EdwardsPoint::vartime_double_scalar_mul_basepoint(
&keccak256_to_scalar(LL.compress().as_bytes()),
&keys_b[i],
&self.s1[i].recover_monero_slide_scalar(),
&self.s1[i].ref10_slide_scalar_vartime(),
);
transcript[(i * 32) .. ((i + 1) * 32)].copy_from_slice(LV.compress().as_bytes());
}