Implement simple random mixin selection which passes sanity

This commit is contained in:
Luke Parker 2022-05-04 06:24:52 -04:00
parent 9a42391b75
commit f856faa762
No known key found for this signature in database
GPG key ID: F9F1386DB1E119B6
4 changed files with 230 additions and 59 deletions

View file

@ -1,4 +1,4 @@
use std::fmt::Debug; use std::{fmt::Debug, str::FromStr};
use thiserror::Error; use thiserror::Error;
@ -8,8 +8,9 @@ use curve25519_dalek::edwards::{EdwardsPoint, CompressedEdwardsY};
use monero::{ use monero::{
Hash, Hash,
cryptonote::hash::Hashable,
blockdata::{ blockdata::{
transaction::Transaction, transaction::{TxIn, Transaction},
block::Block block::Block
}, },
consensus::encode::{serialize, deserialize} consensus::encode::{serialize, deserialize}
@ -41,6 +42,8 @@ pub enum RpcError {
InvalidTransaction InvalidTransaction
} }
pub struct Rpc(String);
fn rpc_hex(value: &str) -> Result<Vec<u8>, RpcError> { fn rpc_hex(value: &str) -> Result<Vec<u8>, RpcError> {
hex::decode(value).map_err(|_| RpcError::InternalError("Monero returned invalid hex".to_string())) hex::decode(value).map_err(|_| RpcError::InternalError("Monero returned invalid hex".to_string()))
} }
@ -51,8 +54,6 @@ fn rpc_point(point: &str) -> Result<EdwardsPoint, RpcError> {
).decompress().ok_or(RpcError::InvalidPoint(point.to_string())) ).decompress().ok_or(RpcError::InvalidPoint(point.to_string()))
} }
pub struct Rpc(String);
impl Rpc { impl Rpc {
pub fn new(daemon: String) -> Rpc { pub fn new(daemon: String) -> Rpc {
Rpc(daemon) Rpc(daemon)
@ -90,7 +91,7 @@ impl Rpc {
Ok( Ok(
if !method.ends_with(".bin") { if !method.ends_with(".bin") {
serde_json::from_str(&res.text().await.map_err(|_| RpcError::ConnectionError)?) serde_json::from_str(&res.text().await.map_err(|_| RpcError::ConnectionError)?)
.map_err(|_| RpcError::InternalError("Failed to parse json response".to_string()))? .map_err(|_| RpcError::InternalError("Failed to parse JSON response".to_string()))?
} else { } else {
monero_epee_bin_serde::from_bytes(&res.bytes().await.map_err(|_| RpcError::ConnectionError)?) monero_epee_bin_serde::from_bytes(&res.bytes().await.map_err(|_| RpcError::ConnectionError)?)
.map_err(|_| RpcError::InternalError("Failed to parse binary response".to_string()))? .map_err(|_| RpcError::InternalError("Failed to parse binary response".to_string()))?
@ -109,7 +110,8 @@ impl Rpc {
pub async fn get_transactions(&self, hashes: Vec<Hash>) -> Result<Vec<Transaction>, RpcError> { pub async fn get_transactions(&self, hashes: Vec<Hash>) -> Result<Vec<Transaction>, RpcError> {
#[derive(Deserialize, Debug)] #[derive(Deserialize, Debug)]
struct TransactionResponse { struct TransactionResponse {
as_hex: String as_hex: String,
pruned_as_hex: String
} }
#[derive(Deserialize, Debug)] #[derive(Deserialize, Debug)]
struct TransactionsResponse { struct TransactionsResponse {
@ -123,18 +125,26 @@ impl Rpc {
Err(RpcError::TransactionsNotFound(txs.txs.len(), hashes.len()))?; Err(RpcError::TransactionsNotFound(txs.txs.len(), hashes.len()))?;
} }
let mut res = Vec::with_capacity(txs.txs.len()); let mut res: Vec<Transaction> = Vec::with_capacity(txs.txs.len());
for tx in txs.txs { for tx in txs.txs {
res.push( res.push(
deserialize( deserialize(
&rpc_hex(&tx.as_hex)? &rpc_hex(if tx.as_hex.len() != 0 { &tx.as_hex } else { &tx.pruned_as_hex })?
).expect("Monero returned a transaction we couldn't deserialize") ).map_err(|_| RpcError::InvalidTransaction)?
); );
if tx.as_hex.len() == 0 {
match res[res.len() - 1].prefix.inputs[0] {
TxIn::Gen { .. } => 0,
_ => Err(RpcError::TransactionsNotFound(hashes.len() - 1, hashes.len()))?
};
}
} }
Ok(res) Ok(res)
} }
pub async fn get_block_transactions(&self, height: usize) -> Result<Vec<Transaction>, RpcError> { pub async fn get_block(&self, height: usize) -> Result<Block, RpcError> {
#[derive(Deserialize, Debug)] #[derive(Deserialize, Debug)]
struct BlockResponse { struct BlockResponse {
blob: String blob: String
@ -147,10 +157,15 @@ impl Rpc {
} }
}))).await?; }))).await?;
let block: Block = deserialize( Ok(
&rpc_hex(&block.result.blob)? deserialize(
).expect("Monero returned a block we couldn't deserialize"); &rpc_hex(&block.result.blob)?
).expect("Monero returned a block we couldn't deserialize")
)
}
pub async fn get_block_transactions(&self, height: usize) -> Result<Vec<Transaction>, RpcError> {
let block = self.get_block(height).await?;
let mut res = vec![block.miner_tx]; let mut res = vec![block.miner_tx];
if block.tx_hashes.len() != 0 { if block.tx_hashes.len() != 0 {
res.extend(self.get_transactions(block.tx_hashes).await?); res.extend(self.get_transactions(block.tx_hashes).await?);
@ -183,11 +198,16 @@ impl Rpc {
Ok(indexes.o_indexes) Ok(indexes.o_indexes)
} }
pub async fn get_ring(&self, mixins: &[u64]) -> Result<Vec<[EdwardsPoint; 2]>, RpcError> { pub async fn get_outputs(
&self,
indexes: &[u64],
height: usize
) -> Result<Vec<Option<[EdwardsPoint; 2]>>, RpcError> {
#[derive(Deserialize, Debug)] #[derive(Deserialize, Debug)]
struct Out { pub struct Out {
key: String, key: String,
mask: String mask: String,
txid: String
} }
#[derive(Deserialize, Debug)] #[derive(Deserialize, Debug)]
@ -196,17 +216,34 @@ impl Rpc {
} }
let outs: Outs = self.rpc_call("get_outs", Some(json!({ let outs: Outs = self.rpc_call("get_outs", Some(json!({
"outputs": mixins.iter().map(|m| json!({ "get_txid": true,
"outputs": indexes.iter().map(|o| json!({
"amount": 0, "amount": 0,
"index": m "index": o
})).collect::<Vec<_>>() })).collect::<Vec<_>>()
}))).await?; }))).await?;
let mut res = vec![]; let txs = self.get_transactions(
for out in outs.outs { outs.outs.iter().map(|out| Hash::from_str(&out.txid).expect("Monero returned an invalid hash")).collect()
res.push([rpc_point(&out.key)?, rpc_point(&out.mask)?]); ).await?;
} // TODO: Support time based lock times. These shouldn't be needed, and it may be painful to
Ok(res) // get the median time for the given height, yet we do need to in order to be complete
outs.outs.iter().enumerate().map(
|(i, out)| Ok(
if txs[i].prefix.unlock_time.0 <= u64::try_from(height).unwrap() {
Some([rpc_point(&out.key)?, rpc_point(&out.mask)?])
} else { None }
)
).collect()
}
pub async fn get_high_output(&self, height: usize) -> Result<u64, RpcError> {
let block = self.get_block(height).await?;
Ok(
*self.get_o_indexes(
*block.tx_hashes.last().unwrap_or(&block.miner_tx.hash())
).await?.last().ok_or(RpcError::InvalidTransaction)?
)
} }
pub async fn publish_transaction(&self, tx: &Transaction) -> Result<(), RpcError> { pub async fn publish_transaction(&self, tx: &Transaction) -> Result<(), RpcError> {

View file

@ -1,15 +1,113 @@
// TODO use std::collections::HashSet;
pub(crate) fn select(o: u64) -> (u8, Vec<u64>) {
let mut mixins: Vec<u64> = (o .. o + 11).into_iter().collect(); use rand_core::{RngCore, CryptoRng};
mixins.sort();
(0, mixins) use curve25519_dalek::edwards::EdwardsPoint;
use monero::VarInt;
use crate::{transaction::SpendableOutput, rpc::{RpcError, Rpc}};
const MIXINS: usize = 11;
async fn select_single<R: RngCore + CryptoRng>(
rng: &mut R,
rpc: &Rpc,
height: usize,
high: u64,
used: &mut HashSet<u64>
) -> Result<(u64, [EdwardsPoint; 2]), RpcError> {
let mut o;
let mut output = None;
while {
o = rng.next_u64() % u64::try_from(high).unwrap();
used.contains(&o) || {
output = rpc.get_outputs(&[o], height).await?[0];
output.is_none()
}
} {}
used.insert(o);
Ok((o, output.unwrap()))
} }
pub(crate) fn offset(mixins: &[u64]) -> Vec<u64> { // Uses VarInt as this is solely used for key_offsets which is serialized by monero-rs
let mut res = vec![mixins[0]]; fn offset(mixins: &[u64]) -> Vec<VarInt> {
res.resize(11, 0); let mut res = vec![VarInt(mixins[0])];
res.resize(mixins.len(), VarInt(0));
for m in (1 .. mixins.len()).rev() { for m in (1 .. mixins.len()).rev() {
res[m] = mixins[m] - mixins[m - 1]; res[m] = VarInt(mixins[m] - mixins[m - 1]);
} }
res res
} }
pub(crate) async fn select<R: RngCore + CryptoRng>(
rng: &mut R,
rpc: &Rpc,
height: usize,
inputs: &[SpendableOutput]
) -> Result<Vec<(Vec<VarInt>, u8, Vec<[EdwardsPoint; 2]>)>, RpcError> {
// Convert the inputs in question to the raw output data
let mut outputs = Vec::with_capacity(inputs.len());
for input in inputs {
outputs.push((
rpc.get_o_indexes(input.tx).await?[input.o],
[input.key, input.commitment.calculate()]
));
}
let high = rpc.get_high_output(height - 1).await?;
let high_f = high as f64;
if (high_f as u64) != high {
panic!("Transaction output index exceeds f64");
}
let mut used = HashSet::<u64>::new();
for o in &outputs {
used.insert(o.0);
}
let mut res = Vec::with_capacity(inputs.len());
for (i, o) in outputs.iter().enumerate() {
let mut mixins = Vec::with_capacity(MIXINS);
for _ in 0 .. MIXINS {
mixins.push(select_single(rng, rpc, height, high, &mut used).await?);
}
mixins.sort_by(|a, b| a.0.cmp(&b.0));
// Make sure the TX passes the sanity check that the median output is within the last 40%
// This actually checks the median is within the last third, a slightly more aggressive boundary,
// as the height used in this calculation will be slightly under the height this is sanity
// checked against
while mixins[MIXINS / 2].0 < (high * 2 / 3) {
// If it's not, update the bottom half with new values to ensure the median only moves up
for m in 0 .. MIXINS / 2 {
// We could not remove this, saving CPU time and removing low values as possibilities, yet
// it'd increase the amount of mixins required to create this transaction and some banned
// outputs may be the best options
used.remove(&mixins[m].0);
mixins[m] = select_single(rng, rpc, height, high, &mut used).await?;
}
mixins.sort_by(|a, b| a.0.cmp(&b.0));
}
// Replace the closest selected decoy with the actual
let mut replace = 0;
let mut distance = u64::MAX;
for m in 0 .. mixins.len() {
let diff = mixins[m].0.abs_diff(o.0);
if diff < distance {
replace = m;
distance = diff;
}
}
mixins[replace] = outputs[i];
res.push((
offset(&mixins.iter().map(|output| output.0).collect::<Vec<_>>()),
u8::try_from(replace).unwrap(),
mixins.iter().map(|output| output.1).collect()
));
}
Ok(res)
}

View file

@ -71,6 +71,7 @@ pub enum TransactionError {
pub struct SpendableOutput { pub struct SpendableOutput {
pub tx: Hash, pub tx: Hash,
pub o: usize, pub o: usize,
pub key: EdwardsPoint,
pub key_offset: Scalar, pub key_offset: Scalar,
pub commitment: Commitment pub commitment: Commitment
} }
@ -126,7 +127,7 @@ pub fn scan(tx: &Transaction, view: Scalar, spend: EdwardsPoint) -> Vec<Spendabl
} }
} }
res.push(SpendableOutput { tx: tx.hash(), o, key_offset, commitment }); res.push(SpendableOutput { tx: tx.hash(), o, key: output_key, key_offset, commitment });
break; break;
} }
} }
@ -191,26 +192,31 @@ impl Output {
} }
} }
async fn prepare_inputs( async fn prepare_inputs<R: RngCore + CryptoRng>(
rng: &mut R,
rpc: &Rpc, rpc: &Rpc,
spend: &Scalar,
inputs: &[SpendableOutput], inputs: &[SpendableOutput],
spend: &Scalar,
tx: &mut Transaction tx: &mut Transaction
) -> Result<Vec<(Scalar, clsag::Input, EdwardsPoint)>, TransactionError> { ) -> Result<Vec<(Scalar, clsag::Input, EdwardsPoint)>, TransactionError> {
// TODO sort inputs // TODO sort inputs
let mut signable = Vec::with_capacity(inputs.len()); let mut signable = Vec::with_capacity(inputs.len());
for (i, input) in inputs.iter().enumerate() {
// Select mixins
let (m, mixins) = mixins::select(
rpc.get_o_indexes(input.tx).await.map_err(|e| TransactionError::RpcError(e))?[input.o]
);
// Select mixins
let mixins = mixins::select(
rng,
rpc,
rpc.get_height().await.map_err(|e| TransactionError::RpcError(e))?,
inputs
).await.map_err(|e| TransactionError::RpcError(e))?;
for (i, input) in inputs.iter().enumerate() {
signable.push(( signable.push((
spend + input.key_offset, spend + input.key_offset,
clsag::Input::new( clsag::Input::new(
rpc.get_ring(&mixins).await.map_err(|e| TransactionError::RpcError(e))?, mixins[i].2.clone(),
m, mixins[i].1,
input.commitment input.commitment
).map_err(|e| TransactionError::ClsagError(e))?, ).map_err(|e| TransactionError::ClsagError(e))?,
key_image::generate(&(spend + input.key_offset)) key_image::generate(&(spend + input.key_offset))
@ -218,7 +224,7 @@ async fn prepare_inputs(
tx.prefix.inputs.push(TxIn::ToKey { tx.prefix.inputs.push(TxIn::ToKey {
amount: VarInt(0), amount: VarInt(0),
key_offsets: mixins::offset(&mixins).iter().map(|x| VarInt(*x)).collect(), key_offsets: mixins[i].0.clone(),
k_image: KeyImage { image: Hash(signable[i].2.compress().to_bytes()) } k_image: KeyImage { image: Hash(signable[i].2.compress().to_bytes()) }
}); });
} }
@ -360,7 +366,7 @@ impl SignableTransaction {
let (commitments, mask_sum) = self.prepare_outputs(rng)?; let (commitments, mask_sum) = self.prepare_outputs(rng)?;
let mut tx = self.prepare_transaction(&commitments, bulletproofs::generate(&commitments)?); let mut tx = self.prepare_transaction(&commitments, bulletproofs::generate(&commitments)?);
let signable = prepare_inputs(rpc, spend, &self.inputs, &mut tx).await?; let signable = prepare_inputs(rng, rpc, &self.inputs, spend, &mut tx).await?;
let clsags = clsag::sign( let clsags = clsag::sign(
rng, rng,

View file

@ -25,11 +25,11 @@ pub struct TransactionMachine {
leader: bool, leader: bool,
signable: SignableTransaction, signable: SignableTransaction,
our_images: Vec<EdwardsPoint>, our_images: Vec<EdwardsPoint>,
inputs: Vec<TxIn>,
tx: Option<Transaction>,
mask_sum: Rc<RefCell<Scalar>>, mask_sum: Rc<RefCell<Scalar>>,
msg: Rc<RefCell<[u8; 32]>>, msg: Rc<RefCell<[u8; 32]>>,
clsags: Vec<AlgorithmMachine<Ed25519, clsag::Multisig>> clsags: Vec<AlgorithmMachine<Ed25519, clsag::Multisig>>,
inputs: Vec<TxIn>,
tx: Option<Transaction>,
} }
impl SignableTransaction { impl SignableTransaction {
@ -41,28 +41,58 @@ impl SignableTransaction {
included: &[usize] included: &[usize]
) -> Result<TransactionMachine, TransactionError> { ) -> Result<TransactionMachine, TransactionError> {
let mut our_images = vec![]; let mut our_images = vec![];
let mut inputs = vec![];
let mask_sum = Rc::new(RefCell::new(Scalar::zero())); let mask_sum = Rc::new(RefCell::new(Scalar::zero()));
let msg = Rc::new(RefCell::new([0; 32])); let msg = Rc::new(RefCell::new([0; 32]));
let mut clsags = vec![]; let mut clsags = vec![];
for input in &self.inputs {
// Select mixins
let (m, mixins) = mixins::select(
rpc.get_o_indexes(input.tx).await.map_err(|e| TransactionError::RpcError(e))?[input.o]
);
let mut inputs = vec![];
// Create a RNG out of the input shared keys, which either requires the view key or being every
// sender, and the payments (address and amount), which a passive adversary may be able to know
// The use of input shared keys technically makes this one time given a competent wallet which
// can withstand the burning attack
// The lack of dedicated entropy here is frustrating. We can probably provide entropy inclusion
// if we move CLSAG ring to a Rc RefCell like msg and mask? TODO
let mut transcript = Transcript::new(b"InputMixins");
let mut shared_keys = Vec::with_capacity(self.inputs.len() * 32);
for input in &self.inputs {
shared_keys.extend(&input.key_offset.to_bytes());
}
transcript.append_message(b"input_shared_keys", &shared_keys);
let mut payments = Vec::with_capacity(self.payments.len() * ((2 * 32) + 8));
for payment in &self.payments {
// Network byte and spend/view key
// Doesn't use the full address as monero-rs may provide a payment ID which adds bytes
// By simply cutting this short, we get the relevant data without length differences nor the
// need to prefix
payments.extend(&payment.0.as_bytes()[0 .. 65]);
payments.extend(payment.1.to_le_bytes());
}
transcript.append_message(b"payments", &payments);
// Select mixins
let mixins = mixins::select(
&mut transcript.seeded_rng(b"mixins", None),
rpc,
rpc.get_height().await.map_err(|e| TransactionError::RpcError(e))?,
&self.inputs
).await.map_err(|e| TransactionError::RpcError(e))?;
for (i, input) in self.inputs.iter().enumerate() {
let keys = keys.offset(dalek_ff_group::Scalar(input.key_offset)); let keys = keys.offset(dalek_ff_group::Scalar(input.key_offset));
let (image, _) = key_image::generate_share( let (image, _) = key_image::generate_share(
rng, rng,
&keys.view(included).map_err(|e| TransactionError::FrostError(e))? &keys.view(included).map_err(|e| TransactionError::FrostError(e))?
); );
our_images.push(image); our_images.push(image);
clsags.push( clsags.push(
AlgorithmMachine::new( AlgorithmMachine::new(
clsag::Multisig::new( clsag::Multisig::new(
clsag::Input::new( clsag::Input::new(
rpc.get_ring(&mixins).await.map_err(|e| TransactionError::RpcError(e))?, mixins[i].2.clone(),
m, mixins[i].1,
input.commitment input.commitment
).map_err(|e| TransactionError::ClsagError(e))?, ).map_err(|e| TransactionError::ClsagError(e))?,
msg.clone(), msg.clone(),
@ -75,7 +105,7 @@ impl SignableTransaction {
inputs.push(TxIn::ToKey { inputs.push(TxIn::ToKey {
amount: VarInt(0), amount: VarInt(0),
key_offsets: mixins::offset(&mixins).iter().map(|x| VarInt(*x)).collect(), key_offsets: mixins[i].0.clone(),
k_image: KeyImage { image: Hash([0; 32]) } k_image: KeyImage { image: Hash([0; 32]) }
}); });
} }
@ -87,11 +117,11 @@ impl SignableTransaction {
leader: keys.params().i() == included[0], leader: keys.params().i() == included[0],
signable: self, signable: self,
our_images, our_images,
inputs,
tx: None,
mask_sum, mask_sum,
msg, msg,
clsags clsags,
inputs,
tx: None
}) })
} }
} }