Commit graph

211 commits

Author SHA1 Message Date
Luke Parker
9221dbf048
Bulletproofs+ Verification 2022-08-01 23:30:24 -04:00
Luke Parker
d07fe34a24
Reorganize bulletproofs 2022-07-31 23:12:45 -04:00
Luke Parker
1c4707136c
Ban unreduced points in Monero 2022-07-31 22:46:46 -04:00
Luke Parker
6340607827
BP Verification (#75)
* Use a struct in an enum for Bulletproofs

* verification bp working for just one proof

* add some more assert tests

* Clean BP verification

* Implement batch verification

* Add a debug assertion w_cache isn't 0

It's initially set to 0 and if not updated, this would be broken.

* Correct Monero workflow yaml

* Again try to corrent Monero workflow yaml

* Again

* Finally

* Re-apply weights as required by Bulletproofs

Removing these was insecure and my fault.

Co-authored-by: DangerousFreedom <dangfreed@tutanota.com>
2022-07-31 21:45:53 -05:00
Luke Parker
bba93a64c2
Implement view tags 2022-07-27 06:29:14 -04:00
Luke Parker
755dc84859
Replace rand with rand_core where possible
Turns out rand_core offers OsRng.
2022-07-27 05:45:08 -04:00
Luke Parker
023afaf7ce
Bulletproofs+ (#70)
* Initial stab at Bulletproofs+

Does move around the existing Bulletproofs code, does still work as 
expected.

* Make the Clsag RCTPrunable type work with BP and BP+

* Initial set of BP+ bug fixes

* Further bug fixes

* Remove RING_LEN as a constant

* Monero v16 TX support

Doesn't implement view tags, nor going back to v14, nor the updated BP 
clawback logic.

* Support v14 and v16 at the same time
2022-07-27 04:05:43 -05:00
Luke Parker
37b8e3c025
Modularize Bulletproofs in prep for BP+ 2022-07-26 08:06:56 -04:00
Luke Parker
60e15d5160
Remove re-calculation of N
Moves most BP assertions to debug.
2022-07-26 05:31:15 -04:00
Luke Parker
7d9834be87
Correct clippy, remove Monero build depends 2022-07-26 03:48:46 -04:00
Luke Parker
696da8228e
Remove Monero as a dependency
Introduces missing CLSAG checks. The only difference now should be the 
additional rejection of torsioned points, which is relevant to 
https://github.com/serai-dex/serai/issues/25. Considering this is only 
currently used for FROST verification, this should be fine.

Closes https://github.com/serai-dex/serai/issues/19 by making it 
irrelevant.

Increases priority of https://github.com/serai-dex/serai/issues/68, as 
now it's used for the BP generators which are done at first-proof.

Also merges BP's stricter hash_to_point with the library's, since CLSAG 
has the same bound.
2022-07-26 03:25:57 -04:00
Luke Parker
ee29f6d6d8
Implement Bulletproofs in Rust (#69)
* Initial attempt at Bulletproofs

I don't know why this doesn't work. The generators and hash_cache lines
up without issue. AFAICT, the inner product proof is valid as well, as
are all included formulas.

* Add yinvpow asserts

* Clean code

* Correct bad imports

* Fix the definition of TWO_N

Bulletproofs work now :D

* Tidy up a bit

* fmt + clippy

* Compile a variety of XMR dependencies with optimizations, even under dev

The Rust bulletproof implementation is 8% slower than C right now, under 
release. This is acceptable, even if suboptimal. Under debug, they take 
a quarter of a second to two seconds though, depending on the amount of 
outputs, which justifies this move.

* Remove unnecessary deref in BPs
2022-07-26 02:05:15 -05:00
Luke Parker
f25bd88030
Test bulletproof creation and verification 2022-07-24 09:00:55 -04:00
Luke Parker
10ab467160
Don't use a constant for H yet re-calculate it 2022-07-24 08:57:33 -04:00
Luke Parker
76a7160ea5
Correct clippy warnings
Currently intended to be done with:
cargo clippy --features "recommended merlin batch serialize experimental 
ed25519 ristretto p256 secp256k1 multisig" -- -A clippy::type_complexity 
-A dead_code
2022-07-22 02:35:17 -04:00
silverpill
194c5acebb Fix compilation errors in monero-serai 2022-07-17 16:55:49 -05:00
Luke Parker
e67033a207 Apply an initial set of rustfmt rules 2022-07-16 15:16:30 -05:00
Luke Parker
5ede5b9e8f
Update the DLEq proof for any amount of generators
The two-generator limit wasn't required nor beneficial. This does 
theoretically optimize FROST, yet not for any current constructions. A 
follow up proof which would optimize current constructions has been 
noted in #38.

Adds explicit no_std support to the core DLEq proof.

Closes #34.
2022-07-13 23:29:48 -04:00
Luke Parker
95a4101a9a
Tweak the hash_to_point test
It ran for too long and had a "test_" prefix not shared with other 
tests.
2022-07-13 02:48:36 -04:00
Luke Parker
6cc8ce840e
Move FROST to Read
Fixes https://github.com/serai-dex/serai/issues/33 and 
https://github.com/serai-dex/serai/issues/35. Also fixes a few potential 
panics/DoS AFAICT.
2022-07-13 02:38:29 -04:00
Luke Parker
5eb61f3a87
Fix https://github.com/serai-dex/serai/issues/14. 2022-07-12 01:28:01 -04:00
Luke Parker
953a873338
Implement hash_to_point in Rust
Closes https://github.com/serai-dex/serai/issues/32.
2022-07-10 16:12:49 -04:00
Luke Parker
854fca3806
Close https://github.com/serai-dex/serai/issues/30.
An extremely minimal subset of Monero is now all that's built, and I'm 
sufficiently happy with it.
2022-07-09 21:51:39 -04:00
Luke Parker
53267a46c8
Return Timelocked instead of (Timelock, Vec<SpendableOutput>)
Timelocked doesn't expose the Vec yet requires calling not_locked(), 
unlocked(Timelock), or ignore_timelock().
2022-07-09 18:53:52 -04:00
Luke Parker
f7106f09ed
Add further must_uses 2022-07-07 14:28:42 -04:00
Luke Parker
5d115f1e1c
Implement a DLEq library
While Serai only needs the simple DLEq which was already present under 
monero, this migrates the implementation of the cross-group DLEq I 
maintain into Serai. This was to have full access to the ecosystem of 
libraries built under Serai while also ensuring support for it.

The cross_group curve, which is extremely experimental, is feature 
flagged off. So is the built in serialization functionality, as this 
should be possible to make nostd once const generics are full featured, 
yet the implemented serialization adds the additional barrier of 
std::io.
2022-06-30 05:42:29 -04:00
Luke Parker
0a690f5632
Update the reference link for Guaranteed Addresses
Also lints Cargo.toml.
2022-06-30 03:16:51 -04:00
Luke Parker
3de7a76051
Use GroupEncoding instead of Curve's from_slice/to_bytes
Increases usage of standardization while expanding dalek_ff_group.

Closes https://github.com/serai-dex/serai/issues/26 by moving 
dfg::EdwardsPoint to only be for the prime subgroup.
2022-06-28 01:25:26 -04:00
Luke Parker
ac17645fc8
Rename MultisigParams/MultisigKeys/MultisigView to Frost* 2022-06-28 00:09:41 -04:00
Luke Parker
7c86e4593a
Implement Guaranteed Addresses
Closes https://github.com/serai-dex/serai/issues/27.

monero-rs is now solely used for Extra encoding.
2022-06-28 00:01:20 -04:00
Luke Parker
60254a0171
Reorganize FROST's handling of curves 2022-06-24 19:47:19 -04:00
Luke Parker
a46524f0ce
Supply a RecommendedTranscript type of DT<Blake2b512> 2022-06-24 18:58:24 -04:00
Luke Parker
1d4018c1ba
Correct when the decoys distribution lock is acquired
The existing design maintained a non-Send object across async contexts.
2022-06-24 08:41:05 -04:00
Luke Parker
1caa6a9606
Enforce FROST StateMachine progression via the type system
A comment on the matter was made in 
https://github.com/serai-dex/serai/issues/12. While I do believe the API 
is slightly worse, I appreciate the explicitness.
2022-06-24 08:40:14 -04:00
Luke Parker
462d0e74ce
Pre-allocate the distribution 2022-06-20 23:10:13 -04:00
Luke Parker
f10bd5feee
Cache output distribution
Also moves to the expected sanity median
2022-06-20 23:00:49 -04:00
Luke Parker
9d817a00b2
Correct Monero's extra length calculation for fee calculation 2022-06-19 12:19:57 -04:00
Luke Parker
f50f249468
Add fee handling code to Monero
Updates how change outputs are handled, with a far more logical 
construction offering greater flexibility.

prepare_outputs can not longer error. SignaableTransaction::new will.
2022-06-19 12:03:01 -04:00
Luke Parker
32473d9976
Route networking through Wallet, not Coin 2022-06-10 09:36:07 -04:00
Luke Parker
b91279f4ce
Support sending to subaddresses 2022-06-10 02:38:19 -04:00
Luke Parker
1ef528bf8c
Bound decoy selection to prevent it from infinite looping 2022-06-10 00:32:56 -04:00
Luke Parker
e1831ee5af
Error when a message is passed to a Monero TransactionMachine 2022-06-10 00:20:59 -04:00
Luke Parker
d611300adb
Error when the wrong spend key is used to sign a transaction
Moves decoy selection to being the last step in the multisig process so 
the RPC is only polled to continue valid transactions.
2022-06-09 04:05:57 -04:00
Luke Parker
27751d8d98
Successfully get processor to send a transaction out
Modifies FROST behavior so group_key has the offset applied regardless 
of if view was called. The unaltered secret_share and 
verification_shares (as they have differing values depending on the 
signing set) are no longer publicly accessible.
2022-06-09 02:48:53 -04:00
Luke Parker
301634dd8e
Add support for Ristretto
Replaces P-256 as the curve used for testing FROST.
2022-06-06 04:22:49 -04:00
Luke Parker
e0ce6e5c12
Add Ed25519 to FROST and remove expand_xmd for elliptic_curve's
Doesn't fully utilize ec's hash2curve module as k256 Scalar doesn't have 
FromOkm for some reason. The previously present bigint reduction is 
preserved.

Updates ff/group to 0.12.

Premised on https://github.com/cfrg/draft-irtf-cfrg-frost/pull/205 being 
merged, as while this Ed25519 is vector compliant, it's technically not 
spec compliant due to that conflict.
2022-06-06 02:18:25 -04:00
Luke Parker
5313210526
Monero prepare_send 2022-06-05 15:10:50 -04:00
Luke Parker
fdb1929ba4
Move to Arc/RwLock 2022-06-05 07:33:15 -04:00
Luke Parker
3617ed4eb7
Use const values for our traits where we can 2022-06-03 23:22:08 -04:00
Luke Parker
9b52cf4d20
Generalize out the FROST test for signing/signing with an offset
Moves Schnorr signature tests from test_curve to the new test_schnorr, 
which is more a test_frost.

Relevant to https://github.com/serai-dex/serai/issues/9.
2022-06-03 19:08:25 -04:00
Luke Parker
f8d127bf8a
Add FROST Ed25519 test vectors 2022-06-03 03:56:17 -04:00
Luke Parker
b4cd29f49a
Finish implementing FROST v5
Identity check for P256 and H4 was all that was needed.
2022-06-03 02:00:38 -04:00
Luke Parker
e4fc469e58
Use a transcript when generating the per-chain binding for a given set of keys
While it was fine as-is, as it only had one variable length property, 
this is a bit more robust. Also binds the Curve ID, which should declare 
differently even for just different basepoints, and therefore adds two 
variable length properties (justifying the transcript).
2022-06-03 01:37:12 -04:00
Luke Parker
44452d9bfe
Verify being FROST v5 compliant
No functional changes have been made to signing, with solely slight API 
changes being made.

Technically not actually FROST v5 compatible, due to differing on zero 
checks and randomness, yet the vectors do confirm the core algorithm. 
For any valid FROST implementation, this will be interoperable if they 
can successfully communicate. For any devious FROST implementation, this 
will be fingerprintable, yet should still be valid.

Relevant to https://github.com/serai-dex/serai/issues/9 as any curve can 
now specify vectors for itself and be tested against them.

Moves the FROST testing curve from k256 to p256. Does not expose p256 
despite being compliant. It's not at a point I'm happy with it, notably 
regarding hash to curve, and I'm not sure I care to support p256. If it 
has value to the larger FROST ecosystem...
2022-06-03 01:25:46 -04:00
Luke Parker
dfd2f624ee
Implement a proper Monero Timelock type
Transaction scanning now returns the timelock to ensure it's 
acknowledged by wallets.

Fixes https://github.com/serai-dex/serai/issues/16.
2022-06-02 00:00:26 -04:00
Luke Parker
2ae715f899
Ignore transactions which use a timelock 2022-06-01 17:14:57 -04:00
Luke Parker
7b4c5dbe52
Remove rng_seed's additional entropy
It was never used as we derive entropy via the other fields in the 
transcript, and explicitly add fields directly as needed for entropy.

Also drops an unused crate and corrects a bug in FROST's Schnorr 
implementation which used the Group's generator, instead of the Curve's.

Also updates the Monero crate's description.
2022-05-31 02:12:14 -04:00
Luke Parker
ce4c899422
Remove "as", except for floats as needed
Also updates Bulletproofs from C to not be length prefixed, yet rather 
have Rust calculate their length.

Corrects an error in key_gen where self was blamed, instead of the 
faulty participant.
2022-05-30 02:14:34 -04:00
Luke Parker
244d1b6b68
Clarify FROST's hash functions
Updates the keygen challenge to a format not vulnerable to collisions 
due to having multiple variable length elements.
2022-05-28 20:34:44 -04:00
Luke Parker
e950b9682b
Add get_block_transactions_possible which automatically filters invalid TXs
Adds Clone to the various error types, which they already should've had.
2022-05-28 05:08:37 -04:00
Luke Parker
ba032cca4a
Optimize decoy selection
Saves roughly 0.8s when running the tests, which took 16.6s and now take 
15.8 (5%).

Removes the larger sample size, which replaced the closest selected 
decoy with the real spend, per advice of Rucknium.
2022-05-28 03:17:02 -04:00
Luke Parker
c90e957e6a
Add a batch verifier to multiexp, along with constant time variants
Saves ~8% during FROST key gen, even with dropping a vartime for a 
constant time (as needed to be secure), as the new batch verifier is 
used where batch verification previously wasn't. The new multiexp API 
itself also offered a very slight performance boost, which may solely be 
a measurement error.

Handles most of https://github.com/serai-dex/serai/issues/10. The blame 
function isn't binary searched nor randomly sorted yet.
2022-05-27 00:52:44 -04:00
Luke Parker
5ca0945cbf
Implement serialization for SpendableOutput
Changes the output index to a u8. While it may expand to a u16 at some 
point, this can remain canonical using little endian serialization while 
dropping the latter byte if it's 0 (or simply only using u16 when it's 
actually possible).
2022-05-26 03:51:27 -04:00
Luke Parker
3a2e5bea0d
Move the CLSAG test to the newly modular FROST test setup 2022-05-25 00:30:51 -04:00
Luke Parker
d67d6f2f98
Add PartialEq to structs 2022-05-25 00:21:01 -04:00
Luke Parker
d10c6e16dc
Move FROST to HashMaps
Honestly, the borrowed keys are frustrating, and this probably reduces 
performance while no longer offering an order when iterating. That said, 
they enable full u16 indexing and should mildly improve the API.

Cleans the Proof of Knowledge handling present in key gen.
2022-05-24 21:41:14 -04:00
Luke Parker
5ff65bd268
Move the DLEQProof to a Transcript 2022-05-23 03:24:33 -04:00
Luke Parker
30529038f2
Move serialize from a folder to a file 2022-05-22 02:24:35 -04:00
Luke Parker
cc65b6e055
Move RingCT code to a deciated folder
Should help keep things ordered as more RingCT code is added.
2022-05-22 02:24:24 -04:00
Luke Parker
790e89902a
Override Monero's random function with a Rust-seedable random
Closes https://github.com/serai-dex/serai/issues/2. Also finishes the 
implementation of 
https://github.com/monero-project/research-lab/issues/103.
2022-05-22 01:56:17 -04:00
Luke Parker
0c01ad69d8
Correct RctPrunable decoding 2022-05-21 23:16:06 -04:00
Luke Parker
e1fd462a50
Properly calculate uniqueness when creating change outputs
It was missing sorting its inputs by their key images.
2022-05-21 21:44:57 -04:00
Luke Parker
890f7104f7
Remove a stray dbg 2022-05-21 21:39:20 -04:00
Luke Parker
ec6927e66e
Add Clone/Debug derivations to structs 2022-05-21 21:36:28 -04:00
Luke Parker
703b18c6e8
Implement Block types
Finishes updating the RPC to not use monero, tests now pass
2022-05-21 21:35:25 -04:00
Luke Parker
3282b19536
Transaction deserialization 2022-05-21 20:27:21 -04:00
Luke Parker
aa5d95ef1d
Changes meant for the previous commit 2022-05-21 20:26:28 -04:00
Luke Parker
517db6448a
Remove monero-rs types
Still missing an updated RPC file. Restructures the library as it makes 
sense
2022-05-21 15:33:35 -04:00
Luke Parker
573f847a9b
Implement shared key derivation according to https://github.com/monero-project/research-lab/issues/103
Currently solely used for single signer change outputs, intended to be 
used for funds into Serai and multisig change outputs (dependent on #2).

Also cleans the file layout, makes scanning a bit more robust, doesn't 
return outputs of amount 0, and shuffles outputs.
2022-05-20 01:03:54 -04:00
Luke Parker
8945b50988
Minor lint 2022-05-19 16:49:45 -04:00
Luke Parker
90fccc444b
Remove .is_some() unwraps for if let Some 2022-05-18 01:08:54 -04:00
Luke Parker
7c0886a113
Support signing Monero TXs with multiple inputs
Remove's CLSAG's msg Rc for the msg available through AlgorithmMachine. 
Potentially slightly more inefficient, as it needs to be converted from 
a slice to a [u8; 32], yet removes a re-impl.

Also removes a match for an if.
2022-05-18 00:53:13 -04:00
Luke Parker
3a13f80bdd
Patch for previous commit 2022-05-17 19:51:04 -04:00
Luke Parker
fd0fd77cf5
Simplify Monero key image handling 2022-05-17 19:15:53 -04:00
Luke Parker
3f02ab3037
Optimize decoy selection by batching the get_outputs call per input 2022-05-14 02:12:54 -04:00
Luke Parker
94bd30083b
Slightly simplify CLSAG signing
Expands its test to test all possible ring indexes, though just 0 and a 
single n would be sufficient.
2022-05-14 00:45:13 -04:00
Luke Parker
0aeab04c70
Move Rust definitions of C functions to their respective files 2022-05-13 20:26:53 -04:00
Luke Parker
3533e66c7f
Add Rust CLSAG verification
Marked experimental, not guaranteed to match Monero yet
2022-05-13 20:26:29 -04:00
Luke Parker
bb840da44d
Get Monero tests to pass on a brand new network
Updates decoy selection with an explicit panic, the removal of a divide 
by 0 (causing tests to fail on new chains), and a minor optimization 
when dealing with a large quantity of locked outputs.

Also increases documentation, acknowledging infinite loops and breakage 
from Monero more.
2022-05-13 00:05:34 -04:00
Luke Parker
3e7598315c
Reorganize CLSAG sign flow 2022-05-06 19:07:37 -04:00
Luke Parker
a541903895
Replace the term mixin with decoy
https://libera.monerologs.net/monero-research-lab/20211002#c34977
2022-05-06 08:12:30 -04:00
Luke Parker
3dab26cd94
Correct discrepancies with the IETF draft
While all the transcript/extension code works as expected, which means, 
they don't cause any conflicts, n was still capped at u64::MAX at 
creation when it needs to be u16. Furthermore, participant index and 
scalars/points were little endian instead of big endian/curve dependent.
2022-05-06 07:49:18 -04:00
Luke Parker
964cb357e6
Use a global transcript 2022-05-06 07:33:08 -04:00
Luke Parker
cc9c2e0d40
Use dom-sep tags in the transcripts
Also simplifies form in some places
2022-05-06 01:35:23 -04:00
Luke Parker
0f481773df
Use a gamma distribution for mixin selection 2022-05-04 08:18:43 -04:00
Luke Parker
f856faa762
Implement simple random mixin selection which passes sanity 2022-05-04 06:24:52 -04:00
Luke Parker
9a42391b75
Cleanup which makes transcript optional, only required for multisig 2022-05-03 08:49:46 -04:00
Luke Parker
bf257b3a1f
Transcript crate with both a merlin backend and a basic label len value backend
Moves binding factor/seeded RNGs over to the transcripts.
2022-05-03 07:20:24 -04:00
Luke Parker
9ccf683e9d
Working multisig TXs 2022-04-30 04:32:19 -04:00
Luke Parker
d6649fffb1
Merge InputMultisig into Multisig
There's no reason to use the latter.
2022-04-30 01:43:15 -04:00
Luke Parker
22ac5ce3b6
Update the CLSAG multisig API for TX signing 2022-04-30 01:41:05 -04:00
Luke Parker
27396a6291
Implement a CLSAG algorithm extension which also does key images
Practically, this should be mergeable. There's little reason to do a 
CLSAG and not also a key image. Keeps them isolated for now.
2022-04-29 22:03:34 -04:00
Luke Parker
45559e14ee
Various corrections to multisig API 2022-04-29 15:28:04 -04:00
Luke Parker
777bb3df34
Add a send test 2022-04-28 20:41:43 -04:00
Luke Parker
1d0a0c7c16
Clean up code, correct a few bugs, add leader based one-time-key/BP gen 2022-04-28 20:09:31 -04:00
Luke Parker
c4b7cb71d7
Move SignableInput to clsag::Input 2022-04-28 17:29:56 -04:00
Luke Parker
7ed1fca270
Use a SeedableRng for CLSAG multisig signing 2022-04-28 17:12:54 -04:00
Luke Parker
20f214c300
Update CLSAG multisig to work again 2022-04-28 12:01:20 -04:00
Luke Parker
f3a5e3c27e
Implement TX creation
Updates CLSAG signing as needed. Moves around Error types.

CLSAG multisig and the multisig feature is currently completely borked 
because of this. The created TXs are accepted by Monero nodes.
2022-04-28 03:31:09 -04:00
Luke Parker
c9537a08a1
Files meant for the previous commit 2022-04-27 00:09:25 -04:00
Luke Parker
df4be9ca0c
Move the Monero create to coins/
Includes misc bug fixes
2022-04-27 00:09:05 -04:00