mirror of
https://github.com/serai-dex/serai.git
synced 2025-12-14 15:09:23 +00:00
a141deaf36
This helps identify where the various functionalities are used, or rather, not used. The `Ciphersuite` trait present in `patches/ciphersuite`, facilitating the entire FCMP++ tree, only requires the markers _and_ canonical point decoding. I've opened a PR to upstream such a trait into `group` (https://github.com/zkcrypto/group/pull/68). `WrappedGroup` is still justified for as long as `Group::generator` exists. Moving `::generator()` to its own trait, on an independent structure (upstream) would be massively appreciated. @tarcieri also wanted to update from `fn generator()` to `const GENERATOR`, which would encourage further discussion on https://github.com/zkcrypto/group/issues/32 and https://github.com/zkcrypto/group/issues/45, which have been stagnant. The `Id` trait is occasionally used yet really should be first off the chopping block. Finally, `WithPreferredHash` is only actually used around a third of the time, which more than justifies it being a separate trait. --- Updates `dalek_ff_group::Scalar` to directly re-export `curve25519_dalek::Scalar`, as without issue. `dalek_ff_group::RistrettoPoint` also could be replaced with an export of `curve25519_dalek::RistrettoPoint`, yet the coordinator relies on how we implemented `Hash` on it for the hell of it so it isn't worth it at this time. `dalek_ff_group::EdwardsPoint` can't be replaced for an re-export of `curve25519_dalek::SubgroupPoint` as it doesn't implement `zeroize`, `subtle` traits within a released, non-yanked version. Relevance to https://github.com/serai-dex/serai/issues/201 and https://github.com/dalek-cryptography/curve25519-dalek/issues/811#issuecomment-3247732746. Also updates the `Ristretto` ciphersuite to prefer `Blake2b-512` over `SHA2-512`. In order to maintain compliance with FROST's IETF standard, `modular-frost` defines its own ciphersuite for Ristretto which still uses `SHA2-512`.
229 lines
7.2 KiB
Rust
229 lines
7.2 KiB
Rust
use std_shims::{
|
|
vec::Vec,
|
|
collections::HashMap,
|
|
io::{self, Write},
|
|
};
|
|
#[cfg(feature = "std")]
|
|
use std::io::{Read, BufReader};
|
|
|
|
use k256::{
|
|
elliptic_curve::sec1::{Tag, ToEncodedPoint},
|
|
Scalar, ProjectivePoint,
|
|
};
|
|
|
|
#[cfg(feature = "std")]
|
|
use frost::{
|
|
curve::{WrappedGroup, GroupIo, Secp256k1},
|
|
ThresholdKeys,
|
|
};
|
|
|
|
use bitcoin::{
|
|
consensus::encode::serialize, key::TweakedPublicKey, OutPoint, ScriptBuf, TxOut, Transaction,
|
|
Block,
|
|
};
|
|
#[cfg(feature = "std")]
|
|
use bitcoin::{hashes::Hash, consensus::encode::Decodable, TapTweakHash};
|
|
|
|
use crate::crypto::x_only;
|
|
#[cfg(feature = "std")]
|
|
use crate::crypto::needs_negation;
|
|
|
|
#[cfg(feature = "std")]
|
|
mod send;
|
|
#[cfg(feature = "std")]
|
|
pub use send::*;
|
|
|
|
/// Tweak keys to ensure they're usable with Bitcoin's Taproot upgrade.
|
|
///
|
|
/// This adds an unspendable script path to the key, preventing any outputs received to this key
|
|
/// from being spent via a script. To have keys which have spendable script paths, further offsets
|
|
/// from this position must be used.
|
|
///
|
|
/// After adding an unspendable script path, the key is negated if odd.
|
|
///
|
|
/// This has a neligible probability of returning keys whose group key is the point at infinity.
|
|
#[cfg(feature = "std")]
|
|
pub fn tweak_keys(keys: ThresholdKeys<Secp256k1>) -> ThresholdKeys<Secp256k1> {
|
|
// Adds the unspendable script path per
|
|
// https://github.com/bitcoin/bips/blob/master/bip-0341.mediawiki#cite_note-23
|
|
let keys = {
|
|
use k256::elliptic_curve::{
|
|
bigint::{Encoding, U256},
|
|
ops::Reduce,
|
|
group::GroupEncoding,
|
|
};
|
|
let tweak_hash = TapTweakHash::hash(&keys.group_key().to_bytes().as_slice()[1 ..]);
|
|
/*
|
|
https://github.com/bitcoin/bips/blob/master/bip-0340.mediawiki#cite_ref-13-0 states how the
|
|
bias is negligible. This reduction shouldn't ever occur, yet if it did, the script path
|
|
would be unusable due to a check the script path hash is less than the order. That doesn't
|
|
impact us as we don't want the script path to be usable.
|
|
*/
|
|
keys.offset(<Secp256k1 as WrappedGroup>::F::reduce(U256::from_be_bytes(
|
|
*tweak_hash.to_raw_hash().as_ref(),
|
|
)))
|
|
};
|
|
|
|
let needs_negation = needs_negation(&keys.group_key());
|
|
keys
|
|
.scale(<_ as subtle::ConditionallySelectable>::conditional_select(
|
|
&Scalar::ONE,
|
|
&-Scalar::ONE,
|
|
needs_negation,
|
|
))
|
|
.expect("scaling keys by 1 or -1 yet interpreted as 0?")
|
|
}
|
|
|
|
/// Return the Taproot address payload for a public key.
|
|
///
|
|
/// If the key is odd, this will return None.
|
|
pub fn p2tr_script_buf(key: ProjectivePoint) -> Option<ScriptBuf> {
|
|
if key.to_encoded_point(true).tag() != Tag::CompressedEvenY {
|
|
return None;
|
|
}
|
|
|
|
Some(ScriptBuf::new_p2tr_tweaked(TweakedPublicKey::dangerous_assume_tweaked(x_only(&key))))
|
|
}
|
|
|
|
/// A spendable output.
|
|
#[derive(Clone, PartialEq, Eq, Debug)]
|
|
pub struct ReceivedOutput {
|
|
// The scalar offset to obtain the key usable to spend this output.
|
|
offset: Scalar,
|
|
// The output to spend.
|
|
output: TxOut,
|
|
// The TX ID and vout of the output to spend.
|
|
outpoint: OutPoint,
|
|
}
|
|
|
|
impl ReceivedOutput {
|
|
/// The offset for this output.
|
|
pub fn offset(&self) -> Scalar {
|
|
self.offset
|
|
}
|
|
|
|
/// The Bitcoin output for this output.
|
|
pub fn output(&self) -> &TxOut {
|
|
&self.output
|
|
}
|
|
|
|
/// The outpoint for this output.
|
|
pub fn outpoint(&self) -> &OutPoint {
|
|
&self.outpoint
|
|
}
|
|
|
|
/// The value of this output.
|
|
pub fn value(&self) -> u64 {
|
|
self.output.value.to_sat()
|
|
}
|
|
|
|
/// Read a ReceivedOutput from a generic satisfying Read.
|
|
#[cfg(feature = "std")]
|
|
pub fn read<R: Read>(r: &mut R) -> io::Result<ReceivedOutput> {
|
|
let offset = Secp256k1::read_F(r)?;
|
|
let output;
|
|
let outpoint;
|
|
{
|
|
let mut buf_r = BufReader::with_capacity(0, r);
|
|
output =
|
|
TxOut::consensus_decode(&mut buf_r).map_err(|_| io::Error::other("invalid TxOut"))?;
|
|
outpoint =
|
|
OutPoint::consensus_decode(&mut buf_r).map_err(|_| io::Error::other("invalid OutPoint"))?;
|
|
}
|
|
Ok(ReceivedOutput { offset, output, outpoint })
|
|
}
|
|
|
|
/// Write a ReceivedOutput to a generic satisfying Write.
|
|
pub fn write<W: Write>(&self, w: &mut W) -> io::Result<()> {
|
|
w.write_all(&self.offset.to_bytes())?;
|
|
w.write_all(&serialize(&self.output))?;
|
|
w.write_all(&serialize(&self.outpoint))
|
|
}
|
|
|
|
/// Serialize a ReceivedOutput to a `Vec<u8>`.
|
|
pub fn serialize(&self) -> Vec<u8> {
|
|
let mut res = Vec::new();
|
|
self.write(&mut res).unwrap();
|
|
res
|
|
}
|
|
}
|
|
|
|
/// A transaction scanner capable of being used with HDKD schemes.
|
|
#[derive(Clone, Debug)]
|
|
pub struct Scanner {
|
|
key: ProjectivePoint,
|
|
scripts: HashMap<ScriptBuf, Scalar>,
|
|
}
|
|
|
|
impl Scanner {
|
|
/// Construct a Scanner for a key.
|
|
///
|
|
/// Returns None if this key can't be scanned for.
|
|
pub fn new(key: ProjectivePoint) -> Option<Scanner> {
|
|
let mut scripts = HashMap::new();
|
|
scripts.insert(p2tr_script_buf(key)?, Scalar::ZERO);
|
|
Some(Scanner { key, scripts })
|
|
}
|
|
|
|
/// Register an offset to scan for.
|
|
///
|
|
/// Due to Bitcoin's requirement that points are even, not every offset may be used.
|
|
/// If an offset isn't usable, it will be incremented until it is. If this offset is already
|
|
/// present, None is returned. Else, Some(offset) will be, with the used offset.
|
|
///
|
|
/// This means offsets are surjective, not bijective, and the order offsets are registered in
|
|
/// may determine the validity of future offsets.
|
|
///
|
|
/// The offsets registered must be securely generated. Arbitrary offsets may introduce a script
|
|
/// path into the output, allowing the output to be spent by satisfaction of an arbitrary script
|
|
/// (not by the signature of the key).
|
|
pub fn register_offset(&mut self, mut offset: Scalar) -> Option<Scalar> {
|
|
// This loop will terminate as soon as an even point is found, with any point having a ~50%
|
|
// chance of being even
|
|
// That means this should terminate within a very small amount of iterations
|
|
loop {
|
|
match p2tr_script_buf(self.key + (ProjectivePoint::GENERATOR * offset)) {
|
|
Some(script) => {
|
|
if self.scripts.contains_key(&script) {
|
|
None?;
|
|
}
|
|
self.scripts.insert(script, offset);
|
|
return Some(offset);
|
|
}
|
|
None => offset += Scalar::ONE,
|
|
}
|
|
}
|
|
}
|
|
|
|
/// Scan a transaction.
|
|
pub fn scan_transaction(&self, tx: &Transaction) -> Vec<ReceivedOutput> {
|
|
let mut res = Vec::new();
|
|
for (vout, output) in tx.output.iter().enumerate() {
|
|
// If the vout index exceeds 2**32, stop scanning outputs
|
|
let Ok(vout) = u32::try_from(vout) else { break };
|
|
|
|
if let Some(offset) = self.scripts.get(&output.script_pubkey) {
|
|
res.push(ReceivedOutput {
|
|
offset: *offset,
|
|
output: output.clone(),
|
|
outpoint: OutPoint::new(tx.compute_txid(), vout),
|
|
});
|
|
}
|
|
}
|
|
res
|
|
}
|
|
|
|
/// Scan a block.
|
|
///
|
|
/// This will also scan the coinbase transaction which is bound by maturity. If received outputs
|
|
/// must be immediately spendable, a post-processing pass is needed to remove those outputs.
|
|
/// Alternatively, scan_transaction can be called on `block.txdata[1 ..]`.
|
|
pub fn scan_block(&self, block: &Block) -> Vec<ReceivedOutput> {
|
|
let mut res = Vec::new();
|
|
for tx in &block.txdata {
|
|
res.extend(self.scan_transaction(tx));
|
|
}
|
|
res
|
|
}
|
|
}
|