* monero: only mask user features on new polyseed, not on decode
- This commit ensures a polyseed string that has unsupported features correctly errors on decode (rather than panic in debug build or return an incorrect successful response in prod build)
- Also avoids panicking when checksum calculation is unexpectedly wrong
Polyseed reference impl for feature masking:
- polyseed_create: b7c35bb3c6/src/polyseed.c (L61)
- polyseed_decode: b7c35bb3c6/src/polyseed.c (L212)
* PR comments
* Make from_internal a member of Polyseed
* Add accidentally removed newline
---------
Co-authored-by: Luke Parker <lukeparker5132@gmail.com>
* monero: require seed lang when decoding seed
- Require the seed language when decoding a Classic|Polyseed seed string
- As per https://github.com/monero-project/monero/issues/9089 and https://github.com/tevador/polyseed/issues/11
- Fixes#478
- Implementation note: I reused the `SeedType` enum and required it as a param to `Seed::from_string` because it seemed simplest, but perhaps there is a cleaner way to require the seed lang.
- Made sure the print statements from #487 print the seed as early as possible to help debug future issues
- A future PR could support deducing which languages a seed decodes to in order to support the UX @kayabaNerve suggested in https://github.com/monero-project/monero/issues/9089:
- "Wallets can also try to abstract [language specification], by decoding with all languages, and only asking the user if/when multiple valid options show up ("Is this seed Spanish or Italian?")."
* Lint
* Add v1 ring sig verifying
* allow calculating signature hash for v1 txs
* add unreduced scalar type with recovery
I have added this type for borromen sigs, the ee field can be a normal
scalar as in the verify function the ee
field is checked against a reduced scalar mean for it to verify as
correct ee must be reduced
* change block major/ minor versions to u8
this matches Monero
I have also changed a couple varint functions to accept the `VarInt`
trait
* expose `serialize_hashable` on `Block`
* add back MLSAG verifying functions
I still need to revert the commit removing support for >1 input MLSAG FULL
This adds a new rct type to separate Full and simple rct
* add back support for multiple inputs for RCT FULL
* comment `non_adjacent_form` function
also added `#[allow(clippy::needless_range_loop)]` around a loop as without a re-write satisfying clippy without it will make the function worse.
* Improve Mlsag verifying API
* fix rebase errors
* revert the changes on `reserialize_chain`
plus other misc changes
* fix no-std
* Reduce the amount of rpc calls needed for `get_block_by_number`.
This function was causing me problems, every now and then a node would return a block with a different number than requested.
* change `serialize_hashable` to give the POW hashing blob.
Monero calculates the POW hash and the block hash using *slightly* different blobs :/
* make ring_signatures public and add length check when verifying.
* Misc improvements and bug fixes
---------
Co-authored-by: Luke Parker <lukeparker5132@gmail.com>
* Add in an implementation of BP+ based off the paper, intended for clarity and review
This was done as part of my work on FCMPs from Monero, and is copied from https://github.com/kayabaNerve/full-chain-membership-proofs
* Remove crate structure of BP+
* Remove arithmetic circuit code
* Remove AC/VC generators code
* Remove generator transcript
Monero uses non-transcripted static generators.
* Further trimming of generators
* Remove the single range proof
It's unused by Monero and accordingly unhelpful.
* Work on getting BP+ to compile in its new env
* Correct BP+ folder name
* Further tweaks to get closer to compiling
* Remove the ScalarMatrix file
It's only used for AC proofs
* Compiles, with tests passing
* Lock BP+ to Ed25519 instead of the generic Ciphersuite
* Resolve most warnings in BP+
* Make existing bulletproofs test easier to read
* Further strip generators
* Swap G/H as Monero did
* Replace RangeCommitment with Commitment
* Hard-code BP+ h to Ed25519's generator
* Use pub(crate) for BP+, not pub
* Replace initial_transcript with hash_plus
* Rename hash_plus to initial_transcript
* Finish integrating the FCMP BP+ impl
* Move BP+ folder
* Correct no-std support
* Rename "long_n" to eta
* Add note on non-prime order dfg points
* add polyseed support
* fix pr comments
* fix tests
* Embed the mempool into the Blockchain
* Plan scheduled payments whenever outputs are received
The scheduler prior waited for the next series of payments to be added.
* Replace Tendermint step with sync_block
Step moved a step forward after an externally synced/added block. This created
a race condition to add the block between the sync process and the Tendermint
machine. Now that the block routes through Tendermint, there is no such race
condition.
* Finish binding Tendermint into Tributary and define a Tributary master object
* Add correction the last commit missed
* Add DoS limits to tributary and require provided transactions be ordered
* Fix the scheduler from dropping UTXOs when there weren't any payments
* Documentation and cargo update
* Add a dedicated db crate with a basic DB trait
It's needed by the processor and tributary (coordinator).
* Add a DB to Tributary
Adds support for reloading most of the blockchain.
* Reloaded provided transactions from the disk
Also resolves a race condition by asserting provided transactions must be
unique, allowing them to be safely provided multiple times.
* must_use annotations on DbTxn
* Support reloading the mempool from disk
* Add a NewSet event to validator-sets
Updates to the latest serai-dex/substrate due to depending on
10ccaca0eb498a2316bbf627d419b29b1a75933a.
* Add basic getters to tributary
* cargo update
* Update to the latest subxt
Writes a custom unsigned extrinic creator due to subxt having an internal error
with the scale metadata. While the code in our scope increased, it's much more
ergonomic to our usage. We may end up rewriting most of subxt, eventually.
* Make unsigned private due to unsafe calling potential
* Start defining the coordinator
* Merge AckBlock with Burns
Offers greater efficiency while reducing concerns re: atomicity.
* Correct processor flow to have the coordinator decide signing set/re-attempts
The signing set should be the first group to submit preprocesses to Tributary.
Re-attempts shouldn't be once every 30s, yet n blocks since the last relevant
message.
Removes the use of an async task/channel in the signer (and Substrate signer).
Also removes the need to be able to get the time from a coin's block, which was
a fragile system marked with a TODO already.
* cargo +nightly fmt
* cargo update
Since p256 now pulls in an extra crate with this update, the {k,p}256 imports
disable default-features to prevent growing the tree.
* Support extracting timestamps from blocks
* Make progres on handling NewSet events
Further bones out the coordinator.
* Resolve#245
* Have InInstructions track the latest block for a network in storage
* Fill out code for the rest of the Substrate events
* Clean up the Substrate block processing code
* Rename transaction file to tributary, add function for genesis
* Add a processor API to the coordinator
* Add extensive commentary on mutable to the processor's main file
Clearly establishes why consistency is guaranteed from a Rust borrow-checker
mindset. While there are plenty of... 'violations', they're clearly explained.
Hopefully, this method of thinking helps promote/ensure consistency in the
future.
* Move ConfirmKeyPair from key_gen to substrate
Clarifies the emitter and accordingly why its mutations are justified.
* Remove BatchSigned
SubstrateBlock's provision of the most recently acknowledged block has
equivalent information with the same latency. Accordingly, there's no need for
it.
* Add note to processor_messages
* Use a single txn for an entire coordinator message
Removes direct DB accesses whre possible. Documents the safety of the rest.
Does uncover one case of unsafety not previously noted.
* cargo update to remove usage of yanked crate
* Clarify safety of Scanner::block_number and KeyGen::keys
* Tweak ConfirmKeyPair to alleviate database requirements of coordinator
* Use an enum for Coin/NetworkId
It originally wasn't an enum so software which had yet to update before an
integration wouldn't error (as now enums are strictly typed). The strict typing
is preferable though.
* Code a method to determine the activation block before any block has consensus
[0; 32] is a magic for no block has been set yet due to this being the first
key pair. If [0; 32] is the latest finalized block, the processor determines
an activation block based on timestamps.
This doesn't use an Option for ergonomic reasons.
* automate whitespace & trimming test cases
* Save keys by their tweaked group_key
Keys are referred to by their tweaked versions. If a tweak was needed, keys
would fail to confirm.
* Use crypto-bigint's reduction in ed448
Achieves feasible performance in the ed448 which makes it potentially viable
for real world usage.
Accordingly prepares a new release, updating the README.
* Move the entirety of ed448 to Residue, offering a further 2-4x speedup
* Resolve#68
Notably speeds up monero-serai's build and CLSAG performance.
* Make MainDB into SubstrateDB
* Initial Tributary handling
* Add additional checks to key_gen/sign
There is the ability to cause state bloat by flooding Tributary.
KeyGen/Sign specifically shouldn't allow bloat since we check the
commitments/preprocesses/shares for validity. Accordingly, any invalid data
(such as bloat) should be detected.
It was posssible to place bloat after the valid data. Doing so would be
considered a valid KeyGen/Sign message, yet could add up to 50k kB per sign.
* Apply DKG TX handling code to all sign TXs
The existing code was almost entirely applicable. It just needed to be scoped
with an ID. While the handle function is now a bit convoluted, I don't see a
better option.
* Split FinalizedBlock into ExternalBlock and SeraiBlock
Also re-arranges their orders.
* Add support for multiple orderings in Provided
Necessary as our Tributary chains needed to agree when a Serai block has
occurred, and when a Monero block has occurred. Since those could happen at the
same time, some validators may put SeraiBlock before ExternalBlock and vice
versa, causing a chain halt. Now they can have distinct ordering queues.
* Slash on unrecognized ID
* ExternalBlock handler
* Add a SubstrateBlockAck message to the processor
When a Substrate block occurs, the coordinator is expected to emit
SubstrateBlock. This causes the processor to begin a variety of plans. The
processor now emits SubstrateBlockAck, explicitly listing all plan IDs, before
starting signing.
This lets the coordinator provide a SubstrateBlock transaction, and with it,
recognize all plan IDs as valid.
Prior, we would've had to have a spotty algorithm based upon the upcoming
Preprocess messages, or if we immediately provided the SubstrateBlock
transaction, then wait for the processor to inform us of the contained plans.
This creates an explicitly proper async flow not reliant on waiting for data
availability.
Alternatively, we could've replaced Preprocess with (Block, Vec<Preprocess>).
This would've been more efficient, yet also clunky due to the multiple usages
of the Preprocess message.
* Route the SubstrateBlock message, which is the last Tributary transaction type
* Add recent bloat checks added to signer to substrate_signer as well
* Add no_std support to transcript, dalek-ff-group, ed448, ciphersuite, multiexp, schnorr, and monero-generators
transcript, dalek-ff-group, ed449, and ciphersuite are all usable with no_std
alone. The rest additionally require alloc.
Part of #279.
* Add a test to the coordinator for running a Tributary
Impls a LocalP2p for testing.
Moves rebroadcasting into Tendermint, since it's what knows if a message is
fully valid + original.
Removes TributarySpec::validators() HashMap, as its non-determinism caused
different instances to have different round robin schedules. It was already
prior moved to a Vec for this issue, so I'm unsure why this remnant existed.
Also renames the GH no-std workflow from the prior commit.
* Add a test for Tributary
Further fleshes out the Tributary testing code.
* Test handling of DKG commitments transactions
* Add Transaction::sign.
While I don't love the introduction of empty_signed, it's practically fine.
* Tributary test wait_for_tx_inclusion function
* Additionally test DKGShares
* Handle adding new Tributaries
Removes last_block as an argument from Tendermint. It now loads from the DB as
needed. While slightly less performant, it's easiest and should be fine.
* Reload Tributaries
add_active_tributary writes the spec to disk before it returns, so even if the
VecDeque it pushes to isn't popped, the tributary will still be loaded on boot.
* Start handling P2P messages
This defines the tart of a very complex series of locks I'm really unhappy
with. At the same time, there's not immediately a better solution. This also
should work without issue.
* Clarify Arc RwLocks and sleeps in coordinator
* Send a heartbeat message when a Tributary falls behind
* cargo fmt
* cargo update
* Move json word lists to rs
Allows building the seed code without serde_json.
* Break coordinator main into multiple functions
Also moves from std::sync::RwLock to tokio::sync::RwLock to prevent wasting
cycles on spinning.
* Remove reliance on a blockchain read lock from block/commit
* Implement Tributary syncing
Also adds a forwards-lookup to the Tributary blockchain.
* Don't return from sync_block until the Tendermint machine returns if it's valid or not
We had a race condition where'd we be informed of blocks 1 .. 3, and
immediately add 1 .. 3. Because we immediately tried to add 2 after 1, it'd
fail since the tip was still the genesis, yet 2 needs the tip to be 1.
Adding a channel, while ugly, was the simplest way to accomplish this.
Also has any added block be broadcasted. Else there's a race condition where a
node which syncs up to the most recent block does so, yet fails to add the next
block when it's committed to.
* Test handle_p2p and Tributary syncing
Includes bug fixes.
* Tweak tests workflow
* Add a TributaryReader which doesn't require a borrow to operate
Reduces lock contention.
Additionally changes block_key to include the genesis. While not technically
needed, the lack of genesis introduced a side effect where any Tributary on the
the database could return the block of any other Tributary. While that wasn't a
security issue, returning it suggested it was on-chain when it wasn't. This may
have been usable to create issues.
* Document panic in FROST
* Document a pair of panics requiring 256 GB of RAM/4 GB of a context
* Add a UID function to messages
When we receive messages, we're provided with a message ID we can use to
prevent handling an item multiple times. That doesn't prevent us from *sending*
an item multiple times though. Thanks to the UID system, we can now not send if
already present.
Alternatively, we can remove the ordered message ID for just the UID, allowing
duplicates to be sent without issue, and handled on the receiving end.
* Initial code to handle messages from processors
* Document the processor/tributary/coordinator/serai flow
* Have Coordinator MainDb take a mutable borrow
* Update to substrate polkadot-v0.9.42
* Correct error message in ff-group-tests
* Update to May's nightly
Doesn't use the PR due to the needed changes.
* Support arbitrary RPC providers in monero-serai
Sets a clean path for no-std premised RPCs (buffers to an external RPC impl)/
Tor-based RPCs/client-side load balancing/...
* Correct processor's handling of the new Monero RPC code
* Correct Serai Dockerfile
* Publish ExternablBlock/SubstrateBlock, delay *Preprocess until ID acknowledged
Adds a channel for the Tributary scanner to communicate when an ID has been
acknowledged.
* Rename uid to intent
* Use U448 for Ed448 instead of U512
* Spawn a new async task for each block message
This probably should be done with n-long lived tasks, one per Tributary. While
this may not be suitably performant long-term (potential DoS vector), this at
least resolves the halting concerns.
* Move the coordinator to a n-processor design
* Ensure Tributary commits are minimal
* Properly get genesis for a Processor message
* Create a vote transaction upon GeneratedKeyPair
* Remove TODO about code de-duplication
It's infeasible to write a macro/function there. Does add a type alias which
makes things cleaner.
* Have coordinator publish batches to Substrate
* Implement MuSig key aggregation into DKG
Isn't spec compliant due to the lack of a spec to be compliant too.
Slight deviation from the paper by using a unique list instead of a multiset.
Closes#186, progresses #277.
* Correct 2/3rds definitions throughout the codebase
The prior formula failed for some values, such as 20.
20 / 3 = 6, * 2 = 12, + 1 = 13. 13 is 65%, not >= 67.
* cargo update
Resolves a yanked crate and removes some duplicated dependencies.
* Add a dedicated function to get a MuSig key
* Do the minimal amount of work for dkg to compile under no-std
The Substrate runtime requires access to the MuSig key aggregation function.
\#279 related.
* Use a MuSig signature to publish validator set key pairs to Serai
The processor/coordinator flow still has to be rewritten.
* Correct various no_std definitions
* Add a context to MuSig key aggregation
* Use proper messages for ValidatorSets/InInstructions pallet
Provides a DST, and associated metadata as beneficial.
Also utilizes MuSig's context to session-bind. Since set_keys_messages also
binds to set, this is semi-redundant, yet that's appreciated.
* Remove signed Substrate TXs from Coordinator
* Only scan v2 Monero TXs
* Fix for prior commit
* Ensure canonical points in the cross-group DLEq proof
* Fix incorrect sig_hash generation
sig_hash was used as a challenge. challenges should be of the form H(R, A, m).
These sig hashes were solely H(A, m), allowing trivial forgeries.
* cargo update
Resolves an openssl advisory and nets ~-8 crates.
* Build no-std tests with RISC-V 32 IMAC
Turns out wasm still has std, making it suboptimal to use here.
* Pin setup-protoc to v2.0.0
* Update to substrate polkadot-v0.9.43
* fix tributary sync test
* Slight terminology correction in sync test
Also correct a mistake from merging the most recent polkadot version.
* Update nightly
* Replace lazy_static with OnceLock inside monero-serai
lazy_static, if no_std environments were used, effectively required always
using spin locks. This resolves the ergonomics of that while adopting Rust std
code.
no_std does still use a spin based solution. Theoretically, we could use
atomics, yet writing our own Mutex wasn't a priority.
* no-std support for monero-serai (#311)
* Move monero-serai from std to std-shims, where possible
* no-std fixes
* Make the HttpRpc its own feature, thiserror only on std
* Drop monero-rs's epee for a homegrown one
We only need it for a single function. While I tried jeffro's, it didn't work
out of the box, had three unimplemented!s, and is no where near viable for
no_std.
Fixes#182, though should be further tested.
* no-std monero-serai
* Allow base58-monero via git
* cargo fmt
* Represent RCT amounts with None, not 0.
Fixes#282.
Does allow any v1 TXs which exist, and v2 miner-TXs, to specify Some(0). As far
as I can tell, both were/are theoreitcally possible.
* Add a message queue
This is intended to be a reliable transport between the processors and
coordinator. Since it'll be intranet only, it's written as never fail.
Primarily needs testing and a proper ID.
* cargo update
Resolves https://github.com/serai-dex/serai/security/dependabot/29
* Correct deny.toml with inclusion of message-queue
* Update nightly
* std-shims: six `Read` for &[u8]
* Use serai- prefixes on Serai-specific packages
Fixes deny.toml, also runs a minor cargo update shrinking the tree.
* Update monero-tests workflow to new name for the processor
* Correct depends for processor-messages
* Disable Rust caching
We hit the cache limit after just one or two builds, making it infeasible.
* cargo update
Resolves a yanked crate
* Move location of serai-client in Cargo.toml
* Monero: support for legacy transactions (#308)
* add mlsag
* fix last commit
* fix miner v1 txs
* fix non-miner v1 txs
* add borromean + fix mlsag
* add block hash calculations
* fix for the jokester that added unreduced scalars
to the borromean signature of
2368d846e671bf79a1f84c6d3af9f0bfe296f043f50cf17ae5e485384a53707b
* Add Borromean range proof verifying functionality
* Add MLSAG verifying functionality
* fmt & clippy :)
* update MLSAG, ss2_elements will always be 2
* Add MgSig proving
* Tidy block.rs
* Tidy Borromean, fix bugs in last commit, replace todo! with unreachable!
* Mark legacy EcdhInfo amount decryption as experimental
* Correct comments
* Write a new impl of the merkle algorithm
This one tries to be understandable.
* Only pull in things only needed for experimental when experimental
* Stop caching the Monero block hash now in processor that we have Block::hash
* Corrections for recent processor commit
* Use a clearer algorithm for the merkle
Should also be more efficient due to not shifting as often.
* Tidy Mlsag
* Remove verify_rct_* from Mlsag
Both methods were ports from Monero, overtly specific without clear
documentation. They need to be added back in, with documentation, or included
in a node which provides the necessary further context for them to be naturally
understandable.
* Move mlsag/mod.rs to mlsag.rs
This should only be a folder if it has multiple files.
* Replace EcdhInfo terminology
The ECDH encrypted the amount, yet this struct contained the encrypted amount,
not some ECDH.
Also corrects the types on the original EcdhInfo struct.
* Correct handling of commitment masks when scanning
* Route read_array through read_raw_vec
* Misc lint
* Make a proper RctType enum
No longer caches RctType in the RctSignatures as well.
* Replace Vec<Bulletproofs> with Bulletproofs
Monero uses aggregated range proofs, so there's only ever one Bulletproof. This
is enforced with a consensus rule as well, making this safe.
As for why Monero uses a vec, it's probably due to the lack of variadic typing
used. Its effectively an Option for them, yet we don't need an Option since we
do have variadic typing (enums).
* Add necessary checks to Eventuality re: supported protocols
* Fix for block 202612 and fix merkel root calculations
* MLSAG (de)serialisation fix
ss_2_elements will not always be 2 as rct type 1 transactions are not enforced to have one input
* Revert "MLSAG (de)serialisation fix"
This reverts commit 5e710e0c96.
here it checks number of MGs == number of inputs:
0a1eaf26f9/src/cryptonote_core/tx_verification_utils.cpp (L60-59)
and here it checks for RctTypeFull number of MGs == 1:
0a1eaf26f9/src/ringct/rctSigs.cpp (L1325)
so number of inputs == 1
so ss_2_elements == 2
* update `MlsagAggregate` comment
* cargo update
Resolves a yanked crate
* Move location of serai-client in Cargo.toml
---------
Co-authored-by: Luke Parker <lukeparker5132@gmail.com>
* Fix the known issue with the DSA
I wrote it to only select TXs with a timelock, not only TXs which are unlocked.
This most likely explains why it so heavily selected coinbases.
Also moves an InternalError which would've never been hit on mainnet, yet
technically isn't an invariant, to only exist when cfg(test).
* Add a bin to download a chain, over RPC, reserializing and hashing every item
Parallelized. Doesn't check the deserialization is correct. Does use distinct,
persistent HTTP clients.
* Correct how Monero integration tests are run
* Support multiple RPCs in the reserialize_chain bin
* Don't call get_height every block
* Modify get_transactions to split requests as to not hit the restricted RPC limits
* Meaningful changes from aggressive-clippy
I do want to enable a few specific lints, yet aggressive-clippy as a whole
isn't worthwhile.
* Extend reserialize_chain with CLSAG/BP(+) verification
* Remove spammy println from reserialize_chain
* Update reserialize_chain for v1 and migration TXs
Also always marks 0-amount inputs as RCT due to impossibility of non-RCT
0-amount outputs.
* Only deserialize RctSignatures where's there at least one input
This is only enforced by the Monero protocol due to a single check the mixRing
isn't empty in get_pre_mlsag_hash. The value in ensuring there's a least one
input is to ensure the safety of our rct_type functions, which determines the
RctType based off structural analysis (specifically, input data if
MlsagBorromean).
rct_type was technically safe without this. A 0-input transaction would be
mis-classified as RctFull/MlsagAggregate, which would then make the
RctSignatures invalid for being RctFull (requiring exactly one input) yet not
having inputs, meaning an invalid RctSignatures would be mis-classified yet
still invalid.
This just removes the risk of mis-classification in the first place, tightening
the library's safety.
* docs/Getting Started.md: cargo build --release --all-features
* Fix the known instance of #295
* Bind RocksDB into serai-db
* Split up tests in CI to avoid node storage limits
* Corrections to prior commit
* Again
I called git commit --amend without calling git add . again :(
* Update the flow for completed signing processes
Now, an on-chain transaction exists. This resolves some ambiguities and
provides greater coordination.
* Clean Polyseed code
* Final tweaks
* Correct no-std builds for Polyseed
* Again correct no-std
---------
Co-authored-by: Luke Parker <lukeparker5132@gmail.com>
Co-authored-by: GitHub Actions <unknown>
Co-authored-by: Boog900 <54e72d8a-345f-4599-bd90-c6b9bc7d0ec5@aleeas.com>
Co-authored-by: Boog900 <108027008+Boog900@users.noreply.github.com>
Co-authored-by: Steven Chang <stevenchang5000@gmail.com>
* Move monero-serai from std to std-shims, where possible
* no-std fixes
* Make the HttpRpc its own feature, thiserror only on std
* Drop monero-rs's epee for a homegrown one
We only need it for a single function. While I tried jeffro's, it didn't work
out of the box, had three unimplemented!s, and is no where near viable for
no_std.
Fixes#182, though should be further tested.
* no-std monero-serai
* Allow base58-monero via git
* cargo fmt
* add monero seed support
* fix some of the pr comments
* remove languages module and unnecessary error returns
* Clean classic seed impl
Fixes a few issues regarding Zeroize usage/API safety. Mainly a cleanup.
---------
Co-authored-by: Luke Parker <lukeparker5132@gmail.com>
This still sends a fingerprinting flare up if you send to a subaddress which
needs to be fixed. Despite that, Monero no should no longer fail to scan TXs
from monero-serai regarding additional keys.
Previously it failed becuase we supplied one key as THE key, and n-1 as
additional. Monero expects n for additional.
This does correctly select when to use THE key versus when to use the additional
key when sending. That removes the ability for recipients to fingerprint
monero-serai by receiving to a standard address yet needing to use an additional
key.
* Initial work on an In Inherents pallet
* Add an event for when a batch is executed
* Add a dummy provider for InInstructions
* Add in-instructions to the node
* Add the Serai runtime API to the processor
* Move processor tests around
* Build a subxt Client around Serai
* Successfully get Batch events from Serai
Renamed processor/substrate to processor/serai.
* Much more robust InInstruction pallet
* Implement the workaround from https://github.com/paritytech/subxt/issues/602
* Initial prototype of processor generated InInstructions
* Correct PendingCoins data flow for InInstructions
* Minor lint to in-instructions
* Remove the global Serai connection for a partial re-impl
* Correct ID handling of the processor test
* Workaround the delay in the subscription
* Make an unwrap an if let Some, remove old comments
* Lint the processor toml
* Rebase and update
* Move substrate/in-instructions to substrate/in-instructions/pallet
* Start an in-instructions primitives lib
* Properly update processor to subxt 0.24
Also corrects failures from the rebase.
* in-instructions cargo update
* Implement IsFatalError
* is_inherent -> true
* Rename in-instructions crates and misc cleanup
* Update documentation
* cargo update
* Misc update fixes
* Replace height with block_number
* Update processor src to latest subxt
* Correct pipeline for InInstructions testing
* Remove runtime::AccountId for serai_primitives::NativeAddress
* Rewrite the in-instructions pallet
Complete with respect to the currently written docs.
Drops the custom serializer for just using SCALE.
Makes slight tweaks as relevant.
* Move instructions' InherentDataProvider to a client crate
* Correct doc gen
* Add serde to in-instructions-primitives
* Add in-instructions-primitives to pallet
* Heights -> BlockNumbers
* Get batch pub test loop working
* Update in instructions pallet terminology
Removes the ambiguous Coin for Update.
Removes pending/artificial latency for furture client work.
Also moves to using serai_primitives::Coin.
* Add a BlockNumber primitive
* Belated cargo fmt
* Further document why DifferentBatch isn't fatal
* Correct processor sleeps
* Remove metadata at compile time, add test framework for Serai nodes
* Remove manual RPC client
* Simplify update test
* Improve re-exporting behavior of serai-runtime
It now re-exports all pallets underneath it.
* Add a function to get storage values to the Serai RPC
* Update substrate/ to latest substrate
* Create a dedicated crate for the Serai RPC
* Remove unused dependencies in substrate/
* Remove unused dependencies in coins/
Out of scope for this branch, just minor and path of least resistance.
* Use substrate/serai/client for the Serai RPC lib
It's a bit out of place, since these client folders are intended for the node to
access pallets and so on. This is for end-users to access Serai as a whole.
In that sense, it made more sense as a top level folder, yet that also felt
out of place.
* Move InInstructions test to serai-client for now
* Final cleanup
* Update deny.toml
* Cargo.lock update from merging develop
* Update nightly
Attempt to work around the current CI failure, which is a Rust ICE.
We previously didn't upgrade due to clippy 10134, yet that's been reverted.
* clippy
* clippy
* fmt
* NativeAddress -> SeraiAddress
* Sec fix on non-provided updates and doc fixes
* Add Serai as a Coin
Necessary in order to swap to Serai.
* Add a BlockHash type, used for batch IDs
* Remove origin from InInstruction
Makes InInstructionTarget. Adds RefundableInInstruction with origin.
* Document storage items in in-instructions
* Rename serai/client/tests/serai.rs to updates.rs
It only tested publishing updates and their successful acceptance.
Not only did we already have multiple booleans in it, yet it theoretically
could expand in the future. Not only is this more explicit, it actually cleans
some existing code.
* Remove the explicit included participants from FROST
Now, whoever submits preprocesses becomes the signing set. Better separates
preprocess from sign, at the cost of slightly more annoying integrations
(Monero needs to now independently lagrange/offset its key images).
* Support caching preprocesses
Closes https://github.com/serai-dex/serai/issues/40.
I *could* have added a serialization trait to Algorithm and written a ton of
data to disk, while requiring Algorithm implementors also accept such work.
Instead, I moved preprocess to a seeded RNG (Chacha20) which should be as
secure as the regular RNG. Rebuilding from cache simply loads the previously
used Chacha seed, making the Algorithm oblivious to the fact it's being
rebuilt from a cache. This removes any requirements for it to be modified
while guaranteeing equivalency.
This builds on the last commit which delayed determining the signing set till
post-preprocess acquisition. Unfortunately, that commit did force preprocess
from ThresholdView to ThresholdKeys which had visible effects on Monero.
Serai will actually need delayed set determination for #163, and overall,
it remains better, hence it's inclusion.
* Document FROST preprocess caching
* Update ethereum to new FROST
* Fix bug in Monero offset calculation and update processor
A type alias of MoneroAddress is provided to abstract away the generic.
To keep the rest of the library sane, MoneroAddress is used everywhere.
If someone wants to use this library with another coin, they *should* be
able to parse a custom address and then recreate it as a Monero address.
While that's annoying to them, better them than any person using this
lib for Monero.
Closes#152.
* Create message types for FROST key gen
Taking in reader borrows absolutely wasn't feasible. Now, proper types
which can be read (and then passed directly, without a mutable borrow)
exist for key_gen. sign coming next.
* Move FROST signing to messages, not Readers/Writers/Vec<u8>
Also takes the nonce handling code and makes a dedicated file for it,
aiming to resolve complex types and make the code more legible by
replacing its previously inlined state.
* clippy
* Update FROST tests
* read_signature_share
* Update the Monero library to the new FROST packages
* Update processor to latest FROST
* Tweaks to terminology and documentation
Creates a new monero-generators crate so the monero crate can run the
code in question at build time.
Saves several seconds from running the tests.
Closes https://github.com/serai-dex/serai/issues/101.
* Apply Zeroize to nonces used in Bulletproofs
Also makes bit decomposition constant time for a given amount of
outputs.
* Fix nonce reuse for single-signer CLSAG
* Attach Zeroize to most structures in Monero, and ZOnDrop to anything with private data
* Zeroize private keys and nonces
* Merge prepare_outputs and prepare_transactions
* Ensure CLSAG is constant time
* Pass by borrow where needed, bug fixes
The past few commitments have been one in-progress chunk which I've
broken up as best read.
* Add Zeroize to FROST structs
Still needs to zeroize internally, yet next step. Not quite as
aggressive as Monero, partially due to the limitations of HashMaps,
partially due to less concern about metadata, yet does still delete a
few smaller items of metadata (group key, context string...).
* Remove Zeroize from most Monero multisig structs
These structs largely didn't have private data, just fields with private
data, yet those fields implemented ZeroizeOnDrop making them already
covered. While there is still traces of the transaction left in RAM,
fully purging that was never the intent.
* Use Zeroize within dleq
bitvec doesn't offer Zeroize, so a manual zeroing has been implemented.
* Use Zeroize for random_nonce
It isn't perfect, due to the inability to zeroize the digest, and due to
kp256 requiring a few transformations. It does the best it can though.
Does move the per-curve random_nonce to a provided one, which is allowed
as of https://github.com/cfrg/draft-irtf-cfrg-frost/pull/231.
* Use Zeroize on FROST keygen/signing
* Zeroize constant time multiexp.
* Correct when FROST keygen zeroizes
* Move the FROST keys Arc into FrostKeys
Reduces amount of instances in memory.
* Manually implement Debug for FrostCore to not leak the secret share
* Misc bug fixes
* clippy + multiexp test bug fixes
* Correct FROST key gen share summation
It leaked our own share for ourself.
* Fix cross-group DLEq tests
Considering they take 7 seconds to generate, thanks to #68, the ability
to generate them at the start instead of on first BP is greatly
appreciated.
Also performs minor cleanups regarding BPs.
* Use a struct in an enum for Bulletproofs
* verification bp working for just one proof
* add some more assert tests
* Clean BP verification
* Implement batch verification
* Add a debug assertion w_cache isn't 0
It's initially set to 0 and if not updated, this would be broken.
* Correct Monero workflow yaml
* Again try to corrent Monero workflow yaml
* Again
* Finally
* Re-apply weights as required by Bulletproofs
Removing these was insecure and my fault.
Co-authored-by: DangerousFreedom <dangfreed@tutanota.com>
Introduces missing CLSAG checks. The only difference now should be the
additional rejection of torsioned points, which is relevant to
https://github.com/serai-dex/serai/issues/25. Considering this is only
currently used for FROST verification, this should be fine.
Closes https://github.com/serai-dex/serai/issues/19 by making it
irrelevant.
Increases priority of https://github.com/serai-dex/serai/issues/68, as
now it's used for the BP generators which are done at first-proof.
Also merges BP's stricter hash_to_point with the library's, since CLSAG
has the same bound.
* Initial attempt at Bulletproofs
I don't know why this doesn't work. The generators and hash_cache lines
up without issue. AFAICT, the inner product proof is valid as well, as
are all included formulas.
* Add yinvpow asserts
* Clean code
* Correct bad imports
* Fix the definition of TWO_N
Bulletproofs work now :D
* Tidy up a bit
* fmt + clippy
* Compile a variety of XMR dependencies with optimizations, even under dev
The Rust bulletproof implementation is 8% slower than C right now, under
release. This is acceptable, even if suboptimal. Under debug, they take
a quarter of a second to two seconds though, depending on the amount of
outputs, which justifies this move.
* Remove unnecessary deref in BPs
Doesn't fully utilize ec's hash2curve module as k256 Scalar doesn't have
FromOkm for some reason. The previously present bigint reduction is
preserved.
Updates ff/group to 0.12.
Premised on https://github.com/cfrg/draft-irtf-cfrg-frost/pull/205 being
merged, as while this Ed25519 is vector compliant, it's technically not
spec compliant due to that conflict.
While it was fine as-is, as it only had one variable length property,
this is a bit more robust. Also binds the Curve ID, which should declare
differently even for just different basepoints, and therefore adds two
variable length properties (justifying the transcript).
