serai/coins/monero/src/merkle.rs

use std_shims::vec::Vec;

use crate::hash;

pub(crate) fn merkle_root(root: [u8; 32], leafs: &[[u8; 32]]) -> [u8; 32] {
  match leafs.len() {
    0 => root,
    1 => hash(&[root, leafs[0]].concat()),
    _ => {
      let mut hashes = Vec::with_capacity(1 + leafs.len());
      hashes.push(root);
      hashes.extend(leafs);

      // Monero preprocess this so the length is a power of 2
      let mut high_pow_2 = 4; // 4 is the lowest value this can be
      while high_pow_2 < hashes.len() {
        high_pow_2 *= 2;
      }
      let low_pow_2 = high_pow_2 / 2;

      // Merge right-most hashes until we're at the low_pow_2
      {
        let overage = hashes.len() - low_pow_2;
        let mut rightmost = hashes.drain((low_pow_2 - overage) ..);
        // This is true since we took overage from beneath and above low_pow_2, taking twice as
        // many elements as overage
        debug_assert_eq!(rightmost.len() % 2, 0);

        let mut paired_hashes = Vec::with_capacity(overage);
        while let Some(left) = rightmost.next() {
          let right = rightmost.next().unwrap();
          paired_hashes.push(hash(&[left.as_ref(), &right].concat()));
        }
        drop(rightmost);

        hashes.extend(paired_hashes);
        assert_eq!(hashes.len(), low_pow_2);
      }

      // Do a traditional pairing off
      let mut new_hashes = Vec::with_capacity(hashes.len() / 2);
      while hashes.len() > 1 {
        let mut i = 0;
        while i < hashes.len() {
          new_hashes.push(hash(&[hashes[i], hashes[i + 1]].concat()));
          i += 2;
        }

        hashes = new_hashes;
        new_hashes = Vec::with_capacity(hashes.len() / 2);
      }
      hashes[0]
    }
  }
}
Monero: support for legacy transactions (#308) * add mlsag * fix last commit * fix miner v1 txs * fix non-miner v1 txs * add borromean + fix mlsag * add block hash calculations * fix for the jokester that added unreduced scalars to the borromean signature of 2368d846e671bf79a1f84c6d3af9f0bfe296f043f50cf17ae5e485384a53707b * Add Borromean range proof verifying functionality * Add MLSAG verifying functionality * fmt & clippy :) * update MLSAG, ss2_elements will always be 2 * Add MgSig proving * Tidy block.rs * Tidy Borromean, fix bugs in last commit, replace todo! with unreachable! * Mark legacy EcdhInfo amount decryption as experimental * Correct comments * Write a new impl of the merkle algorithm This one tries to be understandable. * Only pull in things only needed for experimental when experimental * Stop caching the Monero block hash now in processor that we have Block::hash * Corrections for recent processor commit * Use a clearer algorithm for the merkle Should also be more efficient due to not shifting as often. * Tidy Mlsag * Remove verify_rct_* from Mlsag Both methods were ports from Monero, overtly specific without clear documentation. They need to be added back in, with documentation, or included in a node which provides the necessary further context for them to be naturally understandable. * Move mlsag/mod.rs to mlsag.rs This should only be a folder if it has multiple files. * Replace EcdhInfo terminology The ECDH encrypted the amount, yet this struct contained the encrypted amount, not some ECDH. Also corrects the types on the original EcdhInfo struct. * Correct handling of commitment masks when scanning * Route read_array through read_raw_vec * Misc lint * Make a proper RctType enum No longer caches RctType in the RctSignatures as well. * Replace Vec<Bulletproofs> with Bulletproofs Monero uses aggregated range proofs, so there's only ever one Bulletproof. This is enforced with a consensus rule as well, making this safe. As for why Monero uses a vec, it's probably due to the lack of variadic typing used. Its effectively an Option for them, yet we don't need an Option since we do have variadic typing (enums). * Add necessary checks to Eventuality re: supported protocols * Fix for block 202612 and fix merkel root calculations * MLSAG (de)serialisation fix ss_2_elements will not always be 2 as rct type 1 transactions are not enforced to have one input * Revert "MLSAG (de)serialisation fix" This reverts commit 5e710e0c96658092c6ecfe5e4ea5a9c3dbee3ab3. here it checks number of MGs == number of inputs: https://github.com/monero-project/monero/blob/0a1eaf26f9dd6b762c2582ee12603b2a4671c735/src/cryptonote_core/tx_verification_utils.cpp#L60-59 and here it checks for RctTypeFull number of MGs == 1: https://github.com/monero-project/monero/blob/0a1eaf26f9dd6b762c2582ee12603b2a4671c735/src/ringct/rctSigs.cpp#L1325 so number of inputs == 1 so ss_2_elements == 2 * update `MlsagAggregate` comment * cargo update Resolves a yanked crate * Move location of serai-client in Cargo.toml --------- Co-authored-by: Luke Parker <lukeparker5132@gmail.com> 2023-07-04 21:18:05 +00:00			`use std_shims::vec::Vec;`

			`use crate::hash;`

Meaningful changes from aggressive-clippy I do want to enable a few specific lints, yet aggressive-clippy as a whole isn't worthwhile. 2023-07-08 15:29:05 +00:00			`pub(crate) fn merkle_root(root: [u8; 32], leafs: &[[u8; 32]]) -> [u8; 32] {`
Monero: support for legacy transactions (#308) * add mlsag * fix last commit * fix miner v1 txs * fix non-miner v1 txs * add borromean + fix mlsag * add block hash calculations * fix for the jokester that added unreduced scalars to the borromean signature of 2368d846e671bf79a1f84c6d3af9f0bfe296f043f50cf17ae5e485384a53707b * Add Borromean range proof verifying functionality * Add MLSAG verifying functionality * fmt & clippy :) * update MLSAG, ss2_elements will always be 2 * Add MgSig proving * Tidy block.rs * Tidy Borromean, fix bugs in last commit, replace todo! with unreachable! * Mark legacy EcdhInfo amount decryption as experimental * Correct comments * Write a new impl of the merkle algorithm This one tries to be understandable. * Only pull in things only needed for experimental when experimental * Stop caching the Monero block hash now in processor that we have Block::hash * Corrections for recent processor commit * Use a clearer algorithm for the merkle Should also be more efficient due to not shifting as often. * Tidy Mlsag * Remove verify_rct_* from Mlsag Both methods were ports from Monero, overtly specific without clear documentation. They need to be added back in, with documentation, or included in a node which provides the necessary further context for them to be naturally understandable. * Move mlsag/mod.rs to mlsag.rs This should only be a folder if it has multiple files. * Replace EcdhInfo terminology The ECDH encrypted the amount, yet this struct contained the encrypted amount, not some ECDH. Also corrects the types on the original EcdhInfo struct. * Correct handling of commitment masks when scanning * Route read_array through read_raw_vec * Misc lint * Make a proper RctType enum No longer caches RctType in the RctSignatures as well. * Replace Vec<Bulletproofs> with Bulletproofs Monero uses aggregated range proofs, so there's only ever one Bulletproof. This is enforced with a consensus rule as well, making this safe. As for why Monero uses a vec, it's probably due to the lack of variadic typing used. Its effectively an Option for them, yet we don't need an Option since we do have variadic typing (enums). * Add necessary checks to Eventuality re: supported protocols * Fix for block 202612 and fix merkel root calculations * MLSAG (de)serialisation fix ss_2_elements will not always be 2 as rct type 1 transactions are not enforced to have one input * Revert "MLSAG (de)serialisation fix" This reverts commit 5e710e0c96658092c6ecfe5e4ea5a9c3dbee3ab3. here it checks number of MGs == number of inputs: https://github.com/monero-project/monero/blob/0a1eaf26f9dd6b762c2582ee12603b2a4671c735/src/cryptonote_core/tx_verification_utils.cpp#L60-59 and here it checks for RctTypeFull number of MGs == 1: https://github.com/monero-project/monero/blob/0a1eaf26f9dd6b762c2582ee12603b2a4671c735/src/ringct/rctSigs.cpp#L1325 so number of inputs == 1 so ss_2_elements == 2 * update `MlsagAggregate` comment * cargo update Resolves a yanked crate * Move location of serai-client in Cargo.toml --------- Co-authored-by: Luke Parker <lukeparker5132@gmail.com> 2023-07-04 21:18:05 +00:00			`match leafs.len() {`
			`0 => root,`
			`1 => hash(&[root, leafs[0]].concat()),`
			`_ => {`
			`let mut hashes = Vec::with_capacity(1 + leafs.len());`
			`hashes.push(root);`
			`hashes.extend(leafs);`

			`// Monero preprocess this so the length is a power of 2`
			`let mut high_pow_2 = 4; // 4 is the lowest value this can be`
			`while high_pow_2 < hashes.len() {`
			`high_pow_2 *= 2;`
			`}`
			`let low_pow_2 = high_pow_2 / 2;`

			`// Merge right-most hashes until we're at the low_pow_2`
			`{`
			`let overage = hashes.len() - low_pow_2;`
			`let mut rightmost = hashes.drain((low_pow_2 - overage) ..);`
			`// This is true since we took overage from beneath and above low_pow_2, taking twice as`
			`// many elements as overage`
			`debug_assert_eq!(rightmost.len() % 2, 0);`

			`let mut paired_hashes = Vec::with_capacity(overage);`
			`while let Some(left) = rightmost.next() {`
			`let right = rightmost.next().unwrap();`
			`paired_hashes.push(hash(&[left.as_ref(), &right].concat()));`
			`}`
			`drop(rightmost);`

			`hashes.extend(paired_hashes);`
			`assert_eq!(hashes.len(), low_pow_2);`
			`}`

			`// Do a traditional pairing off`
			`let mut new_hashes = Vec::with_capacity(hashes.len() / 2);`
			`while hashes.len() > 1 {`
			`let mut i = 0;`
			`while i < hashes.len() {`
			`new_hashes.push(hash(&[hashes[i], hashes[i + 1]].concat()));`
			`i += 2;`
			`}`

			`hashes = new_hashes;`
			`new_hashes = Vec::with_capacity(hashes.len() / 2);`
			`}`
			`hashes[0]`
			`}`
			`}`
			`}`