2022-09-29 08:47:55 +00:00
|
|
|
#![cfg_attr(docsrs, feature(doc_auto_cfg))]
|
|
|
|
|
|
2022-09-29 14:35:11 +00:00
|
|
|
//! A modern Monero transaction library intended for usage in wallets. It prides
|
|
|
|
|
//! itself on accuracy, correctness, and removing common pit falls developers may
|
|
|
|
|
//! face.
|
|
|
|
|
|
|
|
|
|
//! monero-serai contains safety features, such as first-class acknowledgement of
|
|
|
|
|
//! the burning bug, yet also a high level API around creating transactions.
|
|
|
|
|
//! monero-serai also offers a FROST-based multisig, which is orders of magnitude
|
|
|
|
|
//! more performant than Monero's.
|
|
|
|
|
|
|
|
|
|
//! monero-serai was written for Serai, a decentralized exchange aiming to support
|
|
|
|
|
//! Monero. Despite this, monero-serai is intended to be a widely usable library,
|
|
|
|
|
//! accurate to Monero. monero-serai guarantees the functionality needed for Serai,
|
|
|
|
|
//! yet will not deprive functionality from other users, and may potentially leave
|
|
|
|
|
//! Serai's umbrella at some point.
|
|
|
|
|
|
|
|
|
|
//! Various legacy transaction formats are not currently implemented, yet
|
|
|
|
|
//! monero-serai is still increasing its support for various transaction types.
|
|
|
|
|
|
2022-04-22 01:36:18 +00:00
|
|
|
use lazy_static::lazy_static;
|
|
|
|
|
use rand_core::{RngCore, CryptoRng};
|
|
|
|
|
|
Utilize zeroize (#76)
* Apply Zeroize to nonces used in Bulletproofs
Also makes bit decomposition constant time for a given amount of
outputs.
* Fix nonce reuse for single-signer CLSAG
* Attach Zeroize to most structures in Monero, and ZOnDrop to anything with private data
* Zeroize private keys and nonces
* Merge prepare_outputs and prepare_transactions
* Ensure CLSAG is constant time
* Pass by borrow where needed, bug fixes
The past few commitments have been one in-progress chunk which I've
broken up as best read.
* Add Zeroize to FROST structs
Still needs to zeroize internally, yet next step. Not quite as
aggressive as Monero, partially due to the limitations of HashMaps,
partially due to less concern about metadata, yet does still delete a
few smaller items of metadata (group key, context string...).
* Remove Zeroize from most Monero multisig structs
These structs largely didn't have private data, just fields with private
data, yet those fields implemented ZeroizeOnDrop making them already
covered. While there is still traces of the transaction left in RAM,
fully purging that was never the intent.
* Use Zeroize within dleq
bitvec doesn't offer Zeroize, so a manual zeroing has been implemented.
* Use Zeroize for random_nonce
It isn't perfect, due to the inability to zeroize the digest, and due to
kp256 requiring a few transformations. It does the best it can though.
Does move the per-curve random_nonce to a provided one, which is allowed
as of https://github.com/cfrg/draft-irtf-cfrg-frost/pull/231.
* Use Zeroize on FROST keygen/signing
* Zeroize constant time multiexp.
* Correct when FROST keygen zeroizes
* Move the FROST keys Arc into FrostKeys
Reduces amount of instances in memory.
* Manually implement Debug for FrostCore to not leak the secret share
* Misc bug fixes
* clippy + multiexp test bug fixes
* Correct FROST key gen share summation
It leaked our own share for ourself.
* Fix cross-group DLEq tests
2022-08-03 08:25:18 +00:00
|
|
|
use zeroize::{Zeroize, ZeroizeOnDrop};
|
|
|
|
|
|
2022-09-28 13:29:58 +00:00
|
|
|
use sha3::{Digest, Keccak256};
|
2022-04-22 01:36:18 +00:00
|
|
|
|
|
|
|
|
use curve25519_dalek::{
|
2022-08-21 10:36:53 +00:00
|
|
|
constants::ED25519_BASEPOINT_TABLE,
|
2022-04-22 01:36:18 +00:00
|
|
|
scalar::Scalar,
|
2022-08-21 10:36:53 +00:00
|
|
|
edwards::{EdwardsPoint, EdwardsBasepointTable},
|
2022-04-22 01:36:18 +00:00
|
|
|
};
|
|
|
|
|
|
2022-08-21 10:36:53 +00:00
|
|
|
pub use monero_generators::H;
|
|
|
|
|
|
2022-05-21 19:33:35 +00:00
|
|
|
mod serialize;
|
|
|
|
|
|
2022-09-29 09:25:29 +00:00
|
|
|
/// RingCT structs and functionality.
|
2022-05-22 06:24:24 +00:00
|
|
|
pub mod ringct;
|
2022-04-22 01:36:18 +00:00
|
|
|
|
2022-09-29 09:25:29 +00:00
|
|
|
/// Transaction structs.
|
2022-04-28 07:31:09 +00:00
|
|
|
pub mod transaction;
|
2022-09-29 09:25:29 +00:00
|
|
|
/// Block structs.
|
2022-05-22 01:35:25 +00:00
|
|
|
pub mod block;
|
2022-04-28 07:31:09 +00:00
|
|
|
|
2022-09-29 09:25:29 +00:00
|
|
|
/// Monero daemon RPC interface.
|
2022-05-22 01:35:25 +00:00
|
|
|
pub mod rpc;
|
2022-09-29 09:25:29 +00:00
|
|
|
/// Wallet functionality, enabling scanning and sending transactions.
|
2022-05-22 01:35:25 +00:00
|
|
|
pub mod wallet;
|
2022-05-21 19:33:35 +00:00
|
|
|
|
|
|
|
|
#[cfg(test)]
|
|
|
|
|
mod tests;
|
2022-04-22 01:36:18 +00:00
|
|
|
|
2022-09-28 12:44:49 +00:00
|
|
|
/// Monero protocol version. v15 is omitted as v15 was simply v14 and v16 being active at the same
|
|
|
|
|
/// time, with regards to the transactions supported. Accordingly, v16 should be used during v15.
|
Utilize zeroize (#76)
* Apply Zeroize to nonces used in Bulletproofs
Also makes bit decomposition constant time for a given amount of
outputs.
* Fix nonce reuse for single-signer CLSAG
* Attach Zeroize to most structures in Monero, and ZOnDrop to anything with private data
* Zeroize private keys and nonces
* Merge prepare_outputs and prepare_transactions
* Ensure CLSAG is constant time
* Pass by borrow where needed, bug fixes
The past few commitments have been one in-progress chunk which I've
broken up as best read.
* Add Zeroize to FROST structs
Still needs to zeroize internally, yet next step. Not quite as
aggressive as Monero, partially due to the limitations of HashMaps,
partially due to less concern about metadata, yet does still delete a
few smaller items of metadata (group key, context string...).
* Remove Zeroize from most Monero multisig structs
These structs largely didn't have private data, just fields with private
data, yet those fields implemented ZeroizeOnDrop making them already
covered. While there is still traces of the transaction left in RAM,
fully purging that was never the intent.
* Use Zeroize within dleq
bitvec doesn't offer Zeroize, so a manual zeroing has been implemented.
* Use Zeroize for random_nonce
It isn't perfect, due to the inability to zeroize the digest, and due to
kp256 requiring a few transformations. It does the best it can though.
Does move the per-curve random_nonce to a provided one, which is allowed
as of https://github.com/cfrg/draft-irtf-cfrg-frost/pull/231.
* Use Zeroize on FROST keygen/signing
* Zeroize constant time multiexp.
* Correct when FROST keygen zeroizes
* Move the FROST keys Arc into FrostKeys
Reduces amount of instances in memory.
* Manually implement Debug for FrostCore to not leak the secret share
* Misc bug fixes
* clippy + multiexp test bug fixes
* Correct FROST key gen share summation
It leaked our own share for ourself.
* Fix cross-group DLEq tests
2022-08-03 08:25:18 +00:00
|
|
|
#[derive(Clone, Copy, PartialEq, Eq, Debug, Zeroize)]
|
2022-07-27 09:05:43 +00:00
|
|
|
#[allow(non_camel_case_types)]
|
|
|
|
|
pub enum Protocol {
|
2022-11-15 04:56:28 +00:00
|
|
|
Unsupported(usize),
|
2022-07-27 09:05:43 +00:00
|
|
|
v14,
|
|
|
|
|
v16,
|
2022-11-15 04:28:39 +00:00
|
|
|
Custom { ring_len: usize, bp_plus: bool },
|
2022-07-27 09:05:43 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
impl Protocol {
|
2022-09-28 12:44:49 +00:00
|
|
|
/// Amount of ring members under this protocol version.
|
2022-08-02 19:52:27 +00:00
|
|
|
pub fn ring_len(&self) -> usize {
|
2022-07-27 09:05:43 +00:00
|
|
|
match self {
|
2022-11-15 04:56:28 +00:00
|
|
|
Protocol::Unsupported(_) => panic!("Unsupported protocol version"),
|
2022-07-27 09:05:43 +00:00
|
|
|
Protocol::v14 => 11,
|
|
|
|
|
Protocol::v16 => 16,
|
2022-11-15 04:28:39 +00:00
|
|
|
Protocol::Custom { ring_len, .. } => *ring_len,
|
2022-07-27 09:05:43 +00:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2022-09-28 12:44:49 +00:00
|
|
|
/// Whether or not the specified version uses Bulletproofs or Bulletproofs+.
|
|
|
|
|
/// This method will likely be reworked when versions not using Bulletproofs at all are added.
|
2022-08-02 19:52:27 +00:00
|
|
|
pub fn bp_plus(&self) -> bool {
|
2022-07-27 09:05:43 +00:00
|
|
|
match self {
|
2022-11-15 04:56:28 +00:00
|
|
|
Protocol::Unsupported(_) => panic!("Unsupported protocol version"),
|
2022-07-27 09:05:43 +00:00
|
|
|
Protocol::v14 => false,
|
|
|
|
|
Protocol::v16 => true,
|
2022-11-15 04:28:39 +00:00
|
|
|
Protocol::Custom { bp_plus, .. } => *bp_plus,
|
2022-07-27 09:05:43 +00:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2022-04-22 01:36:18 +00:00
|
|
|
lazy_static! {
|
2022-07-22 06:34:36 +00:00
|
|
|
static ref H_TABLE: EdwardsBasepointTable = EdwardsBasepointTable::create(&H);
|
2022-04-22 01:36:18 +00:00
|
|
|
}
|
|
|
|
|
|
2022-09-28 12:44:49 +00:00
|
|
|
/// Transparent structure representing a Pedersen commitment's contents.
|
2022-04-28 07:31:09 +00:00
|
|
|
#[allow(non_snake_case)]
|
Utilize zeroize (#76)
* Apply Zeroize to nonces used in Bulletproofs
Also makes bit decomposition constant time for a given amount of
outputs.
* Fix nonce reuse for single-signer CLSAG
* Attach Zeroize to most structures in Monero, and ZOnDrop to anything with private data
* Zeroize private keys and nonces
* Merge prepare_outputs and prepare_transactions
* Ensure CLSAG is constant time
* Pass by borrow where needed, bug fixes
The past few commitments have been one in-progress chunk which I've
broken up as best read.
* Add Zeroize to FROST structs
Still needs to zeroize internally, yet next step. Not quite as
aggressive as Monero, partially due to the limitations of HashMaps,
partially due to less concern about metadata, yet does still delete a
few smaller items of metadata (group key, context string...).
* Remove Zeroize from most Monero multisig structs
These structs largely didn't have private data, just fields with private
data, yet those fields implemented ZeroizeOnDrop making them already
covered. While there is still traces of the transaction left in RAM,
fully purging that was never the intent.
* Use Zeroize within dleq
bitvec doesn't offer Zeroize, so a manual zeroing has been implemented.
* Use Zeroize for random_nonce
It isn't perfect, due to the inability to zeroize the digest, and due to
kp256 requiring a few transformations. It does the best it can though.
Does move the per-curve random_nonce to a provided one, which is allowed
as of https://github.com/cfrg/draft-irtf-cfrg-frost/pull/231.
* Use Zeroize on FROST keygen/signing
* Zeroize constant time multiexp.
* Correct when FROST keygen zeroizes
* Move the FROST keys Arc into FrostKeys
Reduces amount of instances in memory.
* Manually implement Debug for FrostCore to not leak the secret share
* Misc bug fixes
* clippy + multiexp test bug fixes
* Correct FROST key gen share summation
It leaked our own share for ourself.
* Fix cross-group DLEq tests
2022-08-03 08:25:18 +00:00
|
|
|
#[derive(Clone, PartialEq, Eq, Debug, Zeroize, ZeroizeOnDrop)]
|
2022-04-28 07:31:09 +00:00
|
|
|
pub struct Commitment {
|
|
|
|
|
pub mask: Scalar,
|
2022-07-15 05:26:07 +00:00
|
|
|
pub amount: u64,
|
2022-04-22 01:36:18 +00:00
|
|
|
}
|
|
|
|
|
|
2022-04-28 07:31:09 +00:00
|
|
|
impl Commitment {
|
2022-09-28 12:44:49 +00:00
|
|
|
/// The zero commitment, defined as a mask of 1 (as to not be the identity) and a 0 amount.
|
2022-04-28 07:31:09 +00:00
|
|
|
pub fn zero() -> Commitment {
|
2022-07-15 05:26:07 +00:00
|
|
|
Commitment { mask: Scalar::one(), amount: 0 }
|
2022-04-28 07:31:09 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
pub fn new(mask: Scalar, amount: u64) -> Commitment {
|
|
|
|
|
Commitment { mask, amount }
|
|
|
|
|
}
|
|
|
|
|
|
2022-09-28 12:44:49 +00:00
|
|
|
/// Calculate a Pedersen commitment, as a point, from the transparent structure.
|
2022-04-28 07:31:09 +00:00
|
|
|
pub fn calculate(&self) -> EdwardsPoint {
|
|
|
|
|
(&self.mask * &ED25519_BASEPOINT_TABLE) + (&Scalar::from(self.amount) * &*H_TABLE)
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2022-09-28 12:44:49 +00:00
|
|
|
/// Support generating a random scalar using a modern rand, as dalek's is notoriously dated.
|
2022-05-03 12:49:46 +00:00
|
|
|
pub fn random_scalar<R: RngCore + CryptoRng>(rng: &mut R) -> Scalar {
|
|
|
|
|
let mut r = [0; 64];
|
|
|
|
|
rng.fill_bytes(&mut r);
|
|
|
|
|
Scalar::from_bytes_mod_order_wide(&r)
|
|
|
|
|
}
|
|
|
|
|
|
2022-09-28 13:29:58 +00:00
|
|
|
pub(crate) fn hash(data: &[u8]) -> [u8; 32] {
|
|
|
|
|
Keccak256::digest(data).into()
|
2022-04-28 07:31:09 +00:00
|
|
|
}
|
|
|
|
|
|
2022-09-28 12:44:49 +00:00
|
|
|
/// Hash the provided data to a scalar via keccak256(data) % l.
|
2022-04-28 07:31:09 +00:00
|
|
|
pub fn hash_to_scalar(data: &[u8]) -> Scalar {
|
2022-07-26 07:25:57 +00:00
|
|
|
let scalar = Scalar::from_bytes_mod_order(hash(data));
|
|
|
|
|
// Monero will explicitly error in this case
|
|
|
|
|
// This library acknowledges its practical impossibility of it occurring, and doesn't bother to
|
|
|
|
|
// code in logic to handle it. That said, if it ever occurs, something must happen in order to
|
|
|
|
|
// not generate/verify a proof we believe to be valid when it isn't
|
2023-01-01 09:18:23 +00:00
|
|
|
assert!(scalar != Scalar::zero(), "ZERO HASH: {data:?}");
|
2022-07-26 07:25:57 +00:00
|
|
|
scalar
|
2022-04-22 01:36:18 +00:00
|
|
|
}
|