absolutebi/serai
1
0
Fork 0
mirror of https://github.com/serai-dex/serai.git synced 2025-12-12 22:19:26 +00:00
Code Issues Packages Projects Releases Wiki Activity

Implement simple random mixin selection which passes sanity

Browse Source
This commit is contained in:
Luke Parker
2022-05-04 06:24:52 -04:00
parent 9a42391b75
commit f856faa762
4 changed files with 230 additions and 59 deletions
Download Patch File Download Diff File Expand all files Collapse all files

116
coins/monero/src/transaction/mixins.rs
View File

@@ -1,15 +1,113 @@
// TODO
pub(crate) fn select(o: u64) -> (u8, Vec<u64>) {
let mut mixins: Vec<u64> = (o .. o + 11).into_iter().collect();
mixins.sort();
(0, mixins)
use std::collections::HashSet;
use rand_core::{RngCore, CryptoRng};
use curve25519_dalek::edwards::EdwardsPoint;
use monero::VarInt;
use crate::{transaction::SpendableOutput, rpc::{RpcError, Rpc}};
const MIXINS: usize = 11;
async fn select_single<R: RngCore + CryptoRng>(
rng: &mut R,
rpc: &Rpc,
height: usize,
high: u64,
used: &mut HashSet<u64>
) -> Result<(u64, [EdwardsPoint; 2]), RpcError> {
let mut o;
let mut output = None;
while {
o = rng.next_u64() % u64::try_from(high).unwrap();
used.contains(&o) || {
output = rpc.get_outputs(&[o], height).await?[0];
output.is_none()
}
} {}
used.insert(o);
Ok((o, output.unwrap()))
}
pub(crate) fn offset(mixins: &[u64]) -> Vec<u64> {
let mut res = vec![mixins[0]];
res.resize(11, 0);
// Uses VarInt as this is solely used for key_offsets which is serialized by monero-rs
fn offset(mixins: &[u64]) -> Vec<VarInt> {
let mut res = vec![VarInt(mixins[0])];
res.resize(mixins.len(), VarInt(0));
for m in (1 .. mixins.len()).rev() {
res[m] = mixins[m] - mixins[m - 1];
res[m] = VarInt(mixins[m] - mixins[m - 1]);
}
res
}
pub(crate) async fn select<R: RngCore + CryptoRng>(
rng: &mut R,
rpc: &Rpc,
height: usize,
inputs: &[SpendableOutput]
) -> Result<Vec<(Vec<VarInt>, u8, Vec<[EdwardsPoint; 2]>)>, RpcError> {
// Convert the inputs in question to the raw output data
let mut outputs = Vec::with_capacity(inputs.len());
for input in inputs {
outputs.push((
rpc.get_o_indexes(input.tx).await?[input.o],
[input.key, input.commitment.calculate()]
));
}
let high = rpc.get_high_output(height - 1).await?;
let high_f = high as f64;
if (high_f as u64) != high {
panic!("Transaction output index exceeds f64");
}
let mut used = HashSet::<u64>::new();
for o in &outputs {
used.insert(o.0);
}
let mut res = Vec::with_capacity(inputs.len());
for (i, o) in outputs.iter().enumerate() {
let mut mixins = Vec::with_capacity(MIXINS);
for _ in 0 .. MIXINS {
mixins.push(select_single(rng, rpc, height, high, &mut used).await?);
}
mixins.sort_by(|a, b| a.0.cmp(&b.0));
// Make sure the TX passes the sanity check that the median output is within the last 40%
// This actually checks the median is within the last third, a slightly more aggressive boundary,
// as the height used in this calculation will be slightly under the height this is sanity
// checked against
while mixins[MIXINS / 2].0 < (high * 2 / 3) {
// If it's not, update the bottom half with new values to ensure the median only moves up
for m in 0 .. MIXINS / 2 {
// We could not remove this, saving CPU time and removing low values as possibilities, yet
// it'd increase the amount of mixins required to create this transaction and some banned
// outputs may be the best options
used.remove(&mixins[m].0);
mixins[m] = select_single(rng, rpc, height, high, &mut used).await?;
}
mixins.sort_by(|a, b| a.0.cmp(&b.0));
}
// Replace the closest selected decoy with the actual
let mut replace = 0;
let mut distance = u64::MAX;
for m in 0 .. mixins.len() {
let diff = mixins[m].0.abs_diff(o.0);
if diff < distance {
replace = m;
distance = diff;
}
}
mixins[replace] = outputs[i];
res.push((
offset(&mixins.iter().map(|output| output.0).collect::<Vec<_>>()),
u8::try_from(replace).unwrap(),
mixins.iter().map(|output| output.1).collect()
));
}
Ok(res)
}

30
coins/monero/src/transaction/mod.rs
View File

@@ -71,6 +71,7 @@ pub enum TransactionError {
pub struct SpendableOutput {
pub tx: Hash,
pub o: usize,
pub key: EdwardsPoint,
pub key_offset: Scalar,
pub commitment: Commitment
}
@@ -126,7 +127,7 @@ pub fn scan(tx: &Transaction, view: Scalar, spend: EdwardsPoint) -> Vec<Spendabl
}
}
res.push(SpendableOutput { tx: tx.hash(), o, key_offset, commitment });
res.push(SpendableOutput { tx: tx.hash(), o, key: output_key, key_offset, commitment });
break;
}
}
@@ -191,26 +192,31 @@ impl Output {
}
}
async fn prepare_inputs(
async fn prepare_inputs<R: RngCore + CryptoRng>(
rng: &mut R,
rpc: &Rpc,
spend: &Scalar,
inputs: &[SpendableOutput],
spend: &Scalar,
tx: &mut Transaction
) -> Result<Vec<(Scalar, clsag::Input, EdwardsPoint)>, TransactionError> {
// TODO sort inputs
let mut signable = Vec::with_capacity(inputs.len());
for (i, input) in inputs.iter().enumerate() {
// Select mixins
let (m, mixins) = mixins::select(
rpc.get_o_indexes(input.tx).await.map_err(|e| TransactionError::RpcError(e))?[input.o]
);
// Select mixins
let mixins = mixins::select(
rng,
rpc,
rpc.get_height().await.map_err(|e| TransactionError::RpcError(e))?,
inputs
).await.map_err(|e| TransactionError::RpcError(e))?;
for (i, input) in inputs.iter().enumerate() {
signable.push((
spend + input.key_offset,
clsag::Input::new(
rpc.get_ring(&mixins).await.map_err(|e| TransactionError::RpcError(e))?,
m,
mixins[i].2.clone(),
mixins[i].1,
input.commitment
).map_err(|e| TransactionError::ClsagError(e))?,
key_image::generate(&(spend + input.key_offset))
@@ -218,7 +224,7 @@ async fn prepare_inputs(
tx.prefix.inputs.push(TxIn::ToKey {
amount: VarInt(0),
key_offsets: mixins::offset(&mixins).iter().map(|x| VarInt(*x)).collect(),
key_offsets: mixins[i].0.clone(),
k_image: KeyImage { image: Hash(signable[i].2.compress().to_bytes()) }
});
}
@@ -360,7 +366,7 @@ impl SignableTransaction {
let (commitments, mask_sum) = self.prepare_outputs(rng)?;
let mut tx = self.prepare_transaction(&commitments, bulletproofs::generate(&commitments)?);
let signable = prepare_inputs(rpc, spend, &self.inputs, &mut tx).await?;
let signable = prepare_inputs(rng, rpc, &self.inputs, spend, &mut tx).await?;
let clsags = clsag::sign(
rng,

60
coins/monero/src/transaction/multisig.rs
View File

@@ -25,11 +25,11 @@ pub struct TransactionMachine {
leader: bool,
signable: SignableTransaction,
our_images: Vec<EdwardsPoint>,
inputs: Vec<TxIn>,
tx: Option<Transaction>,
mask_sum: Rc<RefCell<Scalar>>,
msg: Rc<RefCell<[u8; 32]>>,
clsags: Vec<AlgorithmMachine<Ed25519, clsag::Multisig>>
clsags: Vec<AlgorithmMachine<Ed25519, clsag::Multisig>>,
inputs: Vec<TxIn>,
tx: Option<Transaction>,
}
impl SignableTransaction {
@@ -41,28 +41,58 @@ impl SignableTransaction {
included: &[usize]
) -> Result<TransactionMachine, TransactionError> {
let mut our_images = vec![];
let mut inputs = vec![];
let mask_sum = Rc::new(RefCell::new(Scalar::zero()));
let msg = Rc::new(RefCell::new([0; 32]));
let mut clsags = vec![];
for input in &self.inputs {
// Select mixins
let (m, mixins) = mixins::select(
rpc.get_o_indexes(input.tx).await.map_err(|e| TransactionError::RpcError(e))?[input.o]
);
let mut inputs = vec![];
// Create a RNG out of the input shared keys, which either requires the view key or being every
// sender, and the payments (address and amount), which a passive adversary may be able to know
// The use of input shared keys technically makes this one time given a competent wallet which
// can withstand the burning attack
// The lack of dedicated entropy here is frustrating. We can probably provide entropy inclusion
// if we move CLSAG ring to a Rc RefCell like msg and mask? TODO
let mut transcript = Transcript::new(b"InputMixins");
let mut shared_keys = Vec::with_capacity(self.inputs.len() * 32);
for input in &self.inputs {
shared_keys.extend(&input.key_offset.to_bytes());
}
transcript.append_message(b"input_shared_keys", &shared_keys);
let mut payments = Vec::with_capacity(self.payments.len() * ((2 * 32) + 8));
for payment in &self.payments {
// Network byte and spend/view key
// Doesn't use the full address as monero-rs may provide a payment ID which adds bytes
// By simply cutting this short, we get the relevant data without length differences nor the
// need to prefix
payments.extend(&payment.0.as_bytes()[0 .. 65]);
payments.extend(payment.1.to_le_bytes());
}
transcript.append_message(b"payments", &payments);
// Select mixins
let mixins = mixins::select(
&mut transcript.seeded_rng(b"mixins", None),
rpc,
rpc.get_height().await.map_err(|e| TransactionError::RpcError(e))?,
&self.inputs
).await.map_err(|e| TransactionError::RpcError(e))?;
for (i, input) in self.inputs.iter().enumerate() {
let keys = keys.offset(dalek_ff_group::Scalar(input.key_offset));
let (image, _) = key_image::generate_share(
rng,
&keys.view(included).map_err(|e| TransactionError::FrostError(e))?
);
our_images.push(image);
clsags.push(
AlgorithmMachine::new(
clsag::Multisig::new(
clsag::Input::new(
rpc.get_ring(&mixins).await.map_err(|e| TransactionError::RpcError(e))?,
m,
mixins[i].2.clone(),
mixins[i].1,
input.commitment
).map_err(|e| TransactionError::ClsagError(e))?,
msg.clone(),
@@ -75,7 +105,7 @@ impl SignableTransaction {
inputs.push(TxIn::ToKey {
amount: VarInt(0),
key_offsets: mixins::offset(&mixins).iter().map(|x| VarInt(*x)).collect(),
key_offsets: mixins[i].0.clone(),
k_image: KeyImage { image: Hash([0; 32]) }
});
}
@@ -87,11 +117,11 @@ impl SignableTransaction {
leader: keys.params().i() == included[0],
signable: self,
our_images,
inputs,
tx: None,
mask_sum,
msg,
clsags
clsags,
inputs,
tx: None
})
}
}