serai/coins/monero/src/lib.rs

use lazy_static::lazy_static;
use rand_core::{RngCore, CryptoRng};

use zeroize::{Zeroize, ZeroizeOnDrop};

use tiny_keccak::{Hasher, Keccak};

use curve25519_dalek::{
  constants::{ED25519_BASEPOINT_POINT, ED25519_BASEPOINT_TABLE},
  scalar::Scalar,
  edwards::{EdwardsPoint, EdwardsBasepointTable, CompressedEdwardsY},
};

#[cfg(feature = "multisig")]
pub mod frost;

mod serialize;

pub mod ringct;

pub mod transaction;
pub mod block;

pub mod rpc;
pub mod wallet;

#[cfg(test)]
mod tests;

#[derive(Clone, Copy, PartialEq, Eq, Debug, Zeroize)]
#[allow(non_camel_case_types)]
pub enum Protocol {
  Unsupported,
  v14,
  v16,
}

impl Protocol {
  pub fn ring_len(&self) -> usize {
    match self {
      Protocol::Unsupported => panic!("Unsupported protocol version"),
      Protocol::v14 => 11,
      Protocol::v16 => 16,
    }
  }

  pub fn bp_plus(&self) -> bool {
    match self {
      Protocol::Unsupported => panic!("Unsupported protocol version"),
      Protocol::v14 => false,
      Protocol::v16 => true,
    }
  }
}

lazy_static! {
  static ref H: EdwardsPoint =
    CompressedEdwardsY(hash(&ED25519_BASEPOINT_POINT.compress().to_bytes()))
      .decompress()
      .unwrap()
      .mul_by_cofactor();
  static ref H_TABLE: EdwardsBasepointTable = EdwardsBasepointTable::create(&H);
}

#[allow(non_snake_case)]
#[derive(Clone, PartialEq, Eq, Debug, Zeroize, ZeroizeOnDrop)]
pub struct Commitment {
  pub mask: Scalar,
  pub amount: u64,
}

impl Commitment {
  pub fn zero() -> Commitment {
    Commitment { mask: Scalar::one(), amount: 0 }
  }

  pub fn new(mask: Scalar, amount: u64) -> Commitment {
    Commitment { mask, amount }
  }

  pub fn calculate(&self) -> EdwardsPoint {
    (&self.mask * &ED25519_BASEPOINT_TABLE) + (&Scalar::from(self.amount) * &*H_TABLE)
  }
}

// Allows using a modern rand as dalek's is notoriously dated
pub fn random_scalar<R: RngCore + CryptoRng>(rng: &mut R) -> Scalar {
  let mut r = [0; 64];
  rng.fill_bytes(&mut r);
  Scalar::from_bytes_mod_order_wide(&r)
}

pub fn hash(data: &[u8]) -> [u8; 32] {
  let mut keccak = Keccak::v256();
  keccak.update(data);
  let mut res = [0; 32];
  keccak.finalize(&mut res);
  res
}

pub fn hash_to_scalar(data: &[u8]) -> Scalar {
  let scalar = Scalar::from_bytes_mod_order(hash(data));
  // Monero will explicitly error in this case
  // This library acknowledges its practical impossibility of it occurring, and doesn't bother to
  // code in logic to handle it. That said, if it ever occurs, something must happen in order to
  // not generate/verify a proof we believe to be valid when it isn't
  assert!(scalar != Scalar::zero(), "ZERO HASH: {:?}", data);
  scalar
}
Initial commit Combines the existing frost-rs, dalek-ff-group, and monero-rs repos into a monorepo. Makes tweaks necessary as needed. Replaces RedDSA (which was going to be stubbed out into a new folder for now) with an offset system that voids its need and allows stealth addresses with CLSAG. 2022-04-22 01:36:18 +00:00			`use lazy_static::lazy_static;`
			`use rand_core::{RngCore, CryptoRng};`

Utilize zeroize (#76) * Apply Zeroize to nonces used in Bulletproofs Also makes bit decomposition constant time for a given amount of outputs. * Fix nonce reuse for single-signer CLSAG * Attach Zeroize to most structures in Monero, and ZOnDrop to anything with private data * Zeroize private keys and nonces * Merge prepare_outputs and prepare_transactions * Ensure CLSAG is constant time * Pass by borrow where needed, bug fixes The past few commitments have been one in-progress chunk which I've broken up as best read. * Add Zeroize to FROST structs Still needs to zeroize internally, yet next step. Not quite as aggressive as Monero, partially due to the limitations of HashMaps, partially due to less concern about metadata, yet does still delete a few smaller items of metadata (group key, context string...). * Remove Zeroize from most Monero multisig structs These structs largely didn't have private data, just fields with private data, yet those fields implemented ZeroizeOnDrop making them already covered. While there is still traces of the transaction left in RAM, fully purging that was never the intent. * Use Zeroize within dleq bitvec doesn't offer Zeroize, so a manual zeroing has been implemented. * Use Zeroize for random_nonce It isn't perfect, due to the inability to zeroize the digest, and due to kp256 requiring a few transformations. It does the best it can though. Does move the per-curve random_nonce to a provided one, which is allowed as of https://github.com/cfrg/draft-irtf-cfrg-frost/pull/231. * Use Zeroize on FROST keygen/signing * Zeroize constant time multiexp. * Correct when FROST keygen zeroizes * Move the FROST keys Arc into FrostKeys Reduces amount of instances in memory. * Manually implement Debug for FrostCore to not leak the secret share * Misc bug fixes * clippy + multiexp test bug fixes * Correct FROST key gen share summation It leaked our own share for ourself. * Fix cross-group DLEq tests 2022-08-03 08:25:18 +00:00			`use zeroize::{Zeroize, ZeroizeOnDrop};`

Initial commit Combines the existing frost-rs, dalek-ff-group, and monero-rs repos into a monorepo. Makes tweaks necessary as needed. Replaces RedDSA (which was going to be stubbed out into a new folder for now) with an offset system that voids its need and allows stealth addresses with CLSAG. 2022-04-22 01:36:18 +00:00			`use tiny_keccak::{Hasher, Keccak};`

			`use curve25519_dalek::{`
Don't use a constant for H yet re-calculate it 2022-07-24 12:57:33 +00:00			`constants::{ED25519_BASEPOINT_POINT, ED25519_BASEPOINT_TABLE},`
Initial commit Combines the existing frost-rs, dalek-ff-group, and monero-rs repos into a monorepo. Makes tweaks necessary as needed. Replaces RedDSA (which was going to be stubbed out into a new folder for now) with an offset system that voids its need and allows stealth addresses with CLSAG. 2022-04-22 01:36:18 +00:00			`scalar::Scalar,`
Apply an initial set of rustfmt rules 2022-07-15 05:26:07 +00:00			`edwards::{EdwardsPoint, EdwardsBasepointTable, CompressedEdwardsY},`
Initial commit Combines the existing frost-rs, dalek-ff-group, and monero-rs repos into a monorepo. Makes tweaks necessary as needed. Replaces RedDSA (which was going to be stubbed out into a new folder for now) with an offset system that voids its need and allows stealth addresses with CLSAG. 2022-04-22 01:36:18 +00:00			`};`

			`#[cfg(feature = "multisig")]`
			`pub mod frost;`

Remove monero-rs types Still missing an updated RPC file. Restructures the library as it makes sense 2022-05-21 19:33:35 +00:00			`mod serialize;`

Move RingCT code to a deciated folder Should help keep things ordered as more RingCT code is added. 2022-05-22 06:24:24 +00:00			`pub mod ringct;`
Initial commit Combines the existing frost-rs, dalek-ff-group, and monero-rs repos into a monorepo. Makes tweaks necessary as needed. Replaces RedDSA (which was going to be stubbed out into a new folder for now) with an offset system that voids its need and allows stealth addresses with CLSAG. 2022-04-22 01:36:18 +00:00
Implement TX creation Updates CLSAG signing as needed. Moves around Error types. CLSAG multisig and the multisig feature is currently completely borked because of this. The created TXs are accepted by Monero nodes. 2022-04-28 07:31:09 +00:00			`pub mod transaction;`
Implement Block types Finishes updating the RPC to not use monero, tests now pass 2022-05-22 01:35:25 +00:00			`pub mod block;`
Implement TX creation Updates CLSAG signing as needed. Moves around Error types. CLSAG multisig and the multisig feature is currently completely borked because of this. The created TXs are accepted by Monero nodes. 2022-04-28 07:31:09 +00:00
Implement Block types Finishes updating the RPC to not use monero, tests now pass 2022-05-22 01:35:25 +00:00			`pub mod rpc;`
			`pub mod wallet;`
Remove monero-rs types Still missing an updated RPC file. Restructures the library as it makes sense 2022-05-21 19:33:35 +00:00
			`#[cfg(test)]`
			`mod tests;`
Initial commit Combines the existing frost-rs, dalek-ff-group, and monero-rs repos into a monorepo. Makes tweaks necessary as needed. Replaces RedDSA (which was going to be stubbed out into a new folder for now) with an offset system that voids its need and allows stealth addresses with CLSAG. 2022-04-22 01:36:18 +00:00
Utilize zeroize (#76) * Apply Zeroize to nonces used in Bulletproofs Also makes bit decomposition constant time for a given amount of outputs. * Fix nonce reuse for single-signer CLSAG * Attach Zeroize to most structures in Monero, and ZOnDrop to anything with private data * Zeroize private keys and nonces * Merge prepare_outputs and prepare_transactions * Ensure CLSAG is constant time * Pass by borrow where needed, bug fixes The past few commitments have been one in-progress chunk which I've broken up as best read. * Add Zeroize to FROST structs Still needs to zeroize internally, yet next step. Not quite as aggressive as Monero, partially due to the limitations of HashMaps, partially due to less concern about metadata, yet does still delete a few smaller items of metadata (group key, context string...). * Remove Zeroize from most Monero multisig structs These structs largely didn't have private data, just fields with private data, yet those fields implemented ZeroizeOnDrop making them already covered. While there is still traces of the transaction left in RAM, fully purging that was never the intent. * Use Zeroize within dleq bitvec doesn't offer Zeroize, so a manual zeroing has been implemented. * Use Zeroize for random_nonce It isn't perfect, due to the inability to zeroize the digest, and due to kp256 requiring a few transformations. It does the best it can though. Does move the per-curve random_nonce to a provided one, which is allowed as of https://github.com/cfrg/draft-irtf-cfrg-frost/pull/231. * Use Zeroize on FROST keygen/signing * Zeroize constant time multiexp. * Correct when FROST keygen zeroizes * Move the FROST keys Arc into FrostKeys Reduces amount of instances in memory. * Manually implement Debug for FrostCore to not leak the secret share * Misc bug fixes * clippy + multiexp test bug fixes * Correct FROST key gen share summation It leaked our own share for ourself. * Fix cross-group DLEq tests 2022-08-03 08:25:18 +00:00			`#[derive(Clone, Copy, PartialEq, Eq, Debug, Zeroize)]`
Bulletproofs+ (#70) * Initial stab at Bulletproofs+ Does move around the existing Bulletproofs code, does still work as expected. * Make the Clsag RCTPrunable type work with BP and BP+ * Initial set of BP+ bug fixes * Further bug fixes * Remove RING_LEN as a constant * Monero v16 TX support Doesn't implement view tags, nor going back to v14, nor the updated BP clawback logic. * Support v14 and v16 at the same time 2022-07-27 09:05:43 +00:00			`#[allow(non_camel_case_types)]`
			`pub enum Protocol {`
			`Unsupported,`
			`v14,`
			`v16,`
			`}`

			`impl Protocol {`
Add init function for BP statics Considering they take 7 seconds to generate, thanks to #68, the ability to generate them at the start instead of on first BP is greatly appreciated. Also performs minor cleanups regarding BPs. 2022-08-02 19:52:27 +00:00			`pub fn ring_len(&self) -> usize {`
Bulletproofs+ (#70) * Initial stab at Bulletproofs+ Does move around the existing Bulletproofs code, does still work as expected. * Make the Clsag RCTPrunable type work with BP and BP+ * Initial set of BP+ bug fixes * Further bug fixes * Remove RING_LEN as a constant * Monero v16 TX support Doesn't implement view tags, nor going back to v14, nor the updated BP clawback logic. * Support v14 and v16 at the same time 2022-07-27 09:05:43 +00:00			`match self {`
			`Protocol::Unsupported => panic!("Unsupported protocol version"),`
			`Protocol::v14 => 11,`
			`Protocol::v16 => 16,`
			`}`
			`}`

Add init function for BP statics Considering they take 7 seconds to generate, thanks to #68, the ability to generate them at the start instead of on first BP is greatly appreciated. Also performs minor cleanups regarding BPs. 2022-08-02 19:52:27 +00:00			`pub fn bp_plus(&self) -> bool {`
Bulletproofs+ (#70) * Initial stab at Bulletproofs+ Does move around the existing Bulletproofs code, does still work as expected. * Make the Clsag RCTPrunable type work with BP and BP+ * Initial set of BP+ bug fixes * Further bug fixes * Remove RING_LEN as a constant * Monero v16 TX support Doesn't implement view tags, nor going back to v14, nor the updated BP clawback logic. * Support v14 and v16 at the same time 2022-07-27 09:05:43 +00:00			`match self {`
			`Protocol::Unsupported => panic!("Unsupported protocol version"),`
			`Protocol::v14 => false,`
			`Protocol::v16 => true,`
			`}`
			`}`
			`}`

Initial commit Combines the existing frost-rs, dalek-ff-group, and monero-rs repos into a monorepo. Makes tweaks necessary as needed. Replaces RedDSA (which was going to be stubbed out into a new folder for now) with an offset system that voids its need and allows stealth addresses with CLSAG. 2022-04-22 01:36:18 +00:00			`lazy_static! {`
Don't use a constant for H yet re-calculate it 2022-07-24 12:57:33 +00:00			`static ref H: EdwardsPoint =`
			`CompressedEdwardsY(hash(&ED25519_BASEPOINT_POINT.compress().to_bytes()))`
			`.decompress()`
Apply an initial set of rustfmt rules 2022-07-15 05:26:07 +00:00			`.unwrap()`
Don't use a constant for H yet re-calculate it 2022-07-24 12:57:33 +00:00			`.mul_by_cofactor();`
Correct clippy warnings Currently intended to be done with: cargo clippy --features "recommended merlin batch serialize experimental ed25519 ristretto p256 secp256k1 multisig" -- -A clippy::type_complexity -A dead_code 2022-07-22 06:34:36 +00:00			`static ref H_TABLE: EdwardsBasepointTable = EdwardsBasepointTable::create(&H);`
Initial commit Combines the existing frost-rs, dalek-ff-group, and monero-rs repos into a monorepo. Makes tweaks necessary as needed. Replaces RedDSA (which was going to be stubbed out into a new folder for now) with an offset system that voids its need and allows stealth addresses with CLSAG. 2022-04-22 01:36:18 +00:00			`}`

Implement TX creation Updates CLSAG signing as needed. Moves around Error types. CLSAG multisig and the multisig feature is currently completely borked because of this. The created TXs are accepted by Monero nodes. 2022-04-28 07:31:09 +00:00			`#[allow(non_snake_case)]`
Utilize zeroize (#76) * Apply Zeroize to nonces used in Bulletproofs Also makes bit decomposition constant time for a given amount of outputs. * Fix nonce reuse for single-signer CLSAG * Attach Zeroize to most structures in Monero, and ZOnDrop to anything with private data * Zeroize private keys and nonces * Merge prepare_outputs and prepare_transactions * Ensure CLSAG is constant time * Pass by borrow where needed, bug fixes The past few commitments have been one in-progress chunk which I've broken up as best read. * Add Zeroize to FROST structs Still needs to zeroize internally, yet next step. Not quite as aggressive as Monero, partially due to the limitations of HashMaps, partially due to less concern about metadata, yet does still delete a few smaller items of metadata (group key, context string...). * Remove Zeroize from most Monero multisig structs These structs largely didn't have private data, just fields with private data, yet those fields implemented ZeroizeOnDrop making them already covered. While there is still traces of the transaction left in RAM, fully purging that was never the intent. * Use Zeroize within dleq bitvec doesn't offer Zeroize, so a manual zeroing has been implemented. * Use Zeroize for random_nonce It isn't perfect, due to the inability to zeroize the digest, and due to kp256 requiring a few transformations. It does the best it can though. Does move the per-curve random_nonce to a provided one, which is allowed as of https://github.com/cfrg/draft-irtf-cfrg-frost/pull/231. * Use Zeroize on FROST keygen/signing * Zeroize constant time multiexp. * Correct when FROST keygen zeroizes * Move the FROST keys Arc into FrostKeys Reduces amount of instances in memory. * Manually implement Debug for FrostCore to not leak the secret share * Misc bug fixes * clippy + multiexp test bug fixes * Correct FROST key gen share summation It leaked our own share for ourself. * Fix cross-group DLEq tests 2022-08-03 08:25:18 +00:00			`#[derive(Clone, PartialEq, Eq, Debug, Zeroize, ZeroizeOnDrop)]`
Implement TX creation Updates CLSAG signing as needed. Moves around Error types. CLSAG multisig and the multisig feature is currently completely borked because of this. The created TXs are accepted by Monero nodes. 2022-04-28 07:31:09 +00:00			`pub struct Commitment {`
			`pub mask: Scalar,`
Apply an initial set of rustfmt rules 2022-07-15 05:26:07 +00:00			`pub amount: u64,`
Initial commit Combines the existing frost-rs, dalek-ff-group, and monero-rs repos into a monorepo. Makes tweaks necessary as needed. Replaces RedDSA (which was going to be stubbed out into a new folder for now) with an offset system that voids its need and allows stealth addresses with CLSAG. 2022-04-22 01:36:18 +00:00			`}`

Implement TX creation Updates CLSAG signing as needed. Moves around Error types. CLSAG multisig and the multisig feature is currently completely borked because of this. The created TXs are accepted by Monero nodes. 2022-04-28 07:31:09 +00:00			`impl Commitment {`
			`pub fn zero() -> Commitment {`
Apply an initial set of rustfmt rules 2022-07-15 05:26:07 +00:00			`Commitment { mask: Scalar::one(), amount: 0 }`
Implement TX creation Updates CLSAG signing as needed. Moves around Error types. CLSAG multisig and the multisig feature is currently completely borked because of this. The created TXs are accepted by Monero nodes. 2022-04-28 07:31:09 +00:00			`}`

			`pub fn new(mask: Scalar, amount: u64) -> Commitment {`
			`Commitment { mask, amount }`
			`}`

			`pub fn calculate(&self) -> EdwardsPoint {`
			`(&self.mask * &ED25519_BASEPOINT_TABLE) + (&Scalar::from(self.amount) * &*H_TABLE)`
			`}`
			`}`

Cleanup which makes transcript optional, only required for multisig 2022-05-03 12:49:46 +00:00			`// Allows using a modern rand as dalek's is notoriously dated`
			`pub fn random_scalar<R: RngCore + CryptoRng>(rng: &mut R) -> Scalar {`
			`let mut r = [0; 64];`
			`rng.fill_bytes(&mut r);`
			`Scalar::from_bytes_mod_order_wide(&r)`
			`}`

Implement TX creation Updates CLSAG signing as needed. Moves around Error types. CLSAG multisig and the multisig feature is currently completely borked because of this. The created TXs are accepted by Monero nodes. 2022-04-28 07:31:09 +00:00			`pub fn hash(data: &[u8]) -> [u8; 32] {`
Initial commit Combines the existing frost-rs, dalek-ff-group, and monero-rs repos into a monorepo. Makes tweaks necessary as needed. Replaces RedDSA (which was going to be stubbed out into a new folder for now) with an offset system that voids its need and allows stealth addresses with CLSAG. 2022-04-22 01:36:18 +00:00			`let mut keccak = Keccak::v256();`
			`keccak.update(data);`
			`let mut res = [0; 32];`
			`keccak.finalize(&mut res);`
Implement TX creation Updates CLSAG signing as needed. Moves around Error types. CLSAG multisig and the multisig feature is currently completely borked because of this. The created TXs are accepted by Monero nodes. 2022-04-28 07:31:09 +00:00			`res`
			`}`

			`pub fn hash_to_scalar(data: &[u8]) -> Scalar {`
Remove Monero as a dependency Introduces missing CLSAG checks. The only difference now should be the additional rejection of torsioned points, which is relevant to https://github.com/serai-dex/serai/issues/25. Considering this is only currently used for FROST verification, this should be fine. Closes https://github.com/serai-dex/serai/issues/19 by making it irrelevant. Increases priority of https://github.com/serai-dex/serai/issues/68, as now it's used for the BP generators which are done at first-proof. Also merges BP's stricter hash_to_point with the library's, since CLSAG has the same bound. 2022-07-26 07:25:57 +00:00			`let scalar = Scalar::from_bytes_mod_order(hash(data));`
			`// Monero will explicitly error in this case`
			`// This library acknowledges its practical impossibility of it occurring, and doesn't bother to`
			`// code in logic to handle it. That said, if it ever occurs, something must happen in order to`
			`// not generate/verify a proof we believe to be valid when it isn't`
			`assert!(scalar != Scalar::zero(), "ZERO HASH: {:?}", data);`
			`scalar`
Initial commit Combines the existing frost-rs, dalek-ff-group, and monero-rs repos into a monorepo. Makes tweaks necessary as needed. Replaces RedDSA (which was going to be stubbed out into a new folder for now) with an offset system that voids its need and allows stealth addresses with CLSAG. 2022-04-22 01:36:18 +00:00			`}`