xmr: multisig removed from protocol and functions

src/apps/monero/protocol/signing/step_02_set_input.py

@@ -71,8 +71,8 @@ async def set_input(state: State, src_entr: MoneroTransactionSourceEntry):
     state.mem_trace(1, True)
 
     # Construct tx.vin
-    ki_real = src_entr.multisig_kLRki.ki if state.multi_sig else ki
-    vini = TxinToKey(amount=src_entr.amount, k_image=crypto.encodepoint(ki_real))
+    # If multisig is used then ki in vini should be src_entr.multisig_kLRki.ki
+    vini = TxinToKey(amount=src_entr.amount, k_image=crypto.encodepoint(ki))
     vini.key_offsets = _absolute_output_offsets_to_relative(
         [x.idx for x in src_entr.outputs]
     )

src/apps/monero/protocol/signing/step_07_all_out1_set.py

@@ -62,16 +62,9 @@ async def all_out1_set(state: State):
     gc.collect()
     state.mem_trace(4)
 
-    # Txprefix match check for multisig
-    if not common.is_empty(state.exp_tx_prefix_hash) and not common.ct_equal(
-        state.exp_tx_prefix_hash, state.tx_prefix_hash
-    ):
-        # state.state.set_fail()  todo needed?
-        # todo   raise wire.NotEnoughFunds(e.message) ??
-        raise misc.TrezorTxPrefixHashNotMatchingError("Tx prefix invalid")
-
-    gc.collect()
-    state.mem_trace(5)
+    # In the multisig mode here needs to be a check whether currently computed
+    # transaction prefix matches expected transaction prefix sent in the
+    # init step.
 
     from trezor.messages.MoneroRingCtSig import MoneroRingCtSig
     from trezor.messages.MoneroTransactionAllOutSetAck import (

src/apps/monero/protocol/signing/step_09_sign_input.py

@@ -110,7 +110,7 @@ async def sign_input(
     # Basic setup, sanity check
     index = src_entr.real_output
     in_sk = CtKey(dest=input_secret, mask=crypto.decodeint(src_entr.mask))
-    kLRki = src_entr.multisig_kLRki if state.multi_sig else None
+    kLRki = None  # for multisig: src_entr.multisig_kLRki
 
     # Private key correctness test
     state.assrt(
@@ -139,14 +139,7 @@ async def sign_input(
         # Simple RingCT
         mix_ring = [x.key for x in src_entr.outputs]
         mg, msc = mlsag2.prove_rct_mg_simple(
-            state.full_message,
-            mix_ring,
-            in_sk,
-            alpha_c,
-            pseudo_out_c,
-            kLRki,
-            None,
-            index,
+            state.full_message, mix_ring, in_sk, alpha_c, pseudo_out_c, kLRki, index
         )
 
     else:
@@ -161,7 +154,6 @@ async def sign_input(
             state.output_sk_masks,
             state.output_pk_masks,
             kLRki,
-            None,
             index,
             txn_fee_key,
         )

src/apps/monero/xmr/mlsag2.py

@@ -46,7 +46,7 @@ def hash_point(hasher, point, tmp_buff):
     hasher.update(tmp_buff)
 
 
-def gen_mlsag_assert(pk, xx, kLRki, mscout, index, dsRows):
+def gen_mlsag_assert(pk, xx, kLRki, index, dsRows):
     """
     Conditions check for gen_mlsag_ext.
     """
@@ -67,10 +67,10 @@ def gen_mlsag_assert(pk, xx, kLRki, mscout, index, dsRows):
         raise ValueError("Bad xx size")
     if dsRows > rows:
         raise ValueError("Bad dsRows size")
-    if (not kLRki or not mscout) and (kLRki or mscout):
-        raise ValueError("Only one of kLRki/mscout is present")
     if kLRki and dsRows != 1:
         raise ValueError("Multisig requires exactly 1 dsRows")
+    if kLRki:
+        raise NotImplementedError("Multisig not implemented")
     return rows, cols
 
 
@@ -89,15 +89,14 @@ def gen_mlsag_rows(message, rv, pk, xx, kLRki, index, dsRows, rows, cols):
     for i in range(dsRows):
         hasher.update(crypto.encodepoint(pk[index][i]))
         if kLRki:
-            alpha[i] = kLRki.k
-            rv.II[i] = kLRki.ki
-            hash_point(hasher, kLRki.L, tmp_buff)
-            hash_point(hasher, kLRki.R, tmp_buff)
+            raise NotImplementedError("Multisig not implemented")
+            # alpha[i] = kLRki.k
+            # rv.II[i] = kLRki.ki
+            # hash_point(hasher, kLRki.L, tmp_buff)
+            # hash_point(hasher, kLRki.R, tmp_buff)
 
         else:
-            Hi = crypto.hash_to_point(
-                crypto.encodepoint(pk[index][i])
-            )  # originally hashToPoint()
+            Hi = crypto.hash_to_point(crypto.encodepoint(pk[index][i]))
             alpha[i] = crypto.random_scalar()
             aGi = crypto.scalarmult_base(alpha[i])
             aHPi = crypto.scalarmult(Hi, alpha[i])
@@ -118,13 +117,13 @@ def gen_mlsag_rows(message, rv, pk, xx, kLRki, index, dsRows, rows, cols):
     return c_old, Ip, alpha
 
 
-def gen_mlsag_ext(message, pk, xx, kLRki, mscout, index, dsRows):
+def gen_mlsag_ext(message, pk, xx, kLRki, index, dsRows):
     """
     Multilayered Spontaneous Anonymous Group Signatures (MLSAG signatures)
     """
     from apps.monero.xmr.serialize_messages.tx_full import MgSig
 
-    rows, cols = gen_mlsag_assert(pk, xx, kLRki, mscout, index, dsRows)
+    rows, cols = gen_mlsag_assert(pk, xx, kLRki, index, dsRows)
 
     rv = MgSig()
     c, L, R, Hi = 0, None, None, None
@@ -144,9 +143,7 @@ def gen_mlsag_ext(message, pk, xx, kLRki, mscout, index, dsRows):
 
         for j in range(dsRows):
             L = crypto.add_keys2(rv.ss[i][j], c_old, pk[i][j])
-            Hi = crypto.hash_to_point(
-                crypto.encodepoint(pk[i][j])
-            )  # originally hashToPoint()
+            Hi = crypto.hash_to_point(crypto.encodepoint(pk[i][j]))
             R = crypto.add_keys3(rv.ss[i][j], Hi, c_old, Ip[j])
             hash_point(hasher, pk[i][j], tmp_buff)
             hash_point(hasher, L, tmp_buff)
@@ -165,18 +162,13 @@ def gen_mlsag_ext(message, pk, xx, kLRki, mscout, index, dsRows):
             rv.cc = c_old
 
     for j in range(rows):
-        rv.ss[index][j] = crypto.sc_mulsub(
-            c, xx[j], alpha[j]
-        )  # alpha[j] - c * xx[j]; sc_mulsub in original does c-ab
-
-    if mscout:
-        mscout(c)
+        rv.ss[index][j] = crypto.sc_mulsub(c, xx[j], alpha[j])
 
     return rv, c
 
 
 def prove_rct_mg(
-    message, pubs, in_sk, out_sk_mask, out_pk_mask, kLRki, mscout, index, txn_fee_key
+    message, pubs, in_sk, out_sk_mask, out_pk_mask, kLRki, index, txn_fee_key
 ):
     """
     c.f. http://eprint.iacr.org/2015/1098 section 4. definition 10.
@@ -198,8 +190,6 @@ def prove_rct_mg(
         raise ValueError("Bad inSk size")
     if len(out_sk_mask) != len(out_pk_mask):
         raise ValueError("Bad outsk/putpk size")
-    if (not kLRki or not mscout) and (kLRki and mscout):
-        raise ValueError("Only one of kLRki/mscout is present")
 
     sk = key_vector(rows + 1)
     M = key_matrix(rows + 1, cols)
@@ -233,10 +223,10 @@ def prove_rct_mg(
             sk[rows], out_sk_mask[j]
         )  # subtract output masks in last row
 
-    return gen_mlsag_ext(message, M, sk, kLRki, mscout, index, rows)
+    return gen_mlsag_ext(message, M, sk, kLRki, index, rows)
 
 
-def prove_rct_mg_simple(message, pubs, in_sk, a, cout, kLRki, mscout, index):
+def prove_rct_mg_simple(message, pubs, in_sk, a, cout, kLRki, index):
     """
     Simple version for when we assume only
         post rct inputs
@@ -248,16 +238,13 @@ def prove_rct_mg_simple(message, pubs, in_sk, a, cout, kLRki, mscout, index):
     :param a: mask from the pseudo_output commitment (alpha)
     :param cout: point, decoded. Pseudo output public key.
     :param kLRki:
-    :param mscout: lambda accepting c
     :param index:
     :return:
     """
     rows = 1
     cols = len(pubs)
     if cols == 0:
         raise ValueError("Empty pubs")
-    if (not kLRki or not mscout) and (kLRki and mscout):
-        raise ValueError("Only one of kLRki/mscout is present")
 
     sk = key_vector(rows + 1)
     M = key_matrix(rows + 1, cols)
@@ -269,4 +256,4 @@ def prove_rct_mg_simple(message, pubs, in_sk, a, cout, kLRki, mscout, index):
         M[i][0] = crypto.decodepoint(pubs[i].dest)
         M[i][1] = crypto.point_sub(crypto.decodepoint(pubs[i].mask), cout)
 
-    return gen_mlsag_ext(message, M, sk, kLRki, mscout, index, rows)
+    return gen_mlsag_ext(message, M, sk, kLRki, index, rows)

src/apps/monero/xmr/monero.py

@@ -131,21 +131,21 @@ def generate_tx_spend_and_key_image(
         )
         scalar_step2 = crypto.sc_add(scalar_step1, subaddr_sk)
 
-    # when not in multisig, we know the full spend secret key, so the output pubkey can be obtained by scalarmultBase
-    if len(ack.multisig_keys) == 0:
-        pub_ver = crypto.scalarmult_base(scalar_step2)
-
-    else:
-        # When in multisig, we only know the partial spend secret key. But we do know the full spend public key,
-        # so the output pubkey can be obtained by using the standard CN key derivation.
-        pub_ver = crypto.derive_public_key(
-            recv_derivation, real_output_index, ack.spend_key_public
-        )
-
-        # Add the contribution from the subaddress part
-        if received_index != (0, 0):
-            subaddr_pk = crypto.scalarmult_base(subaddr_sk)
-            pub_ver = crypto.point_add(pub_ver, subaddr_pk)
+    # When not in multisig, we know the full spend secret key, so the output pubkey can be obtained by scalarmultBase
+    pub_ver = crypto.scalarmult_base(scalar_step2)
+
+    # <Multisig>, branch deactivated until implemented
+    # # When in multisig, we only know the partial spend secret key. But we do know the full spend public key,
+    # # so the output pubkey can be obtained by using the standard CN key derivation.
+    # pub_ver = crypto.derive_public_key(
+    #     recv_derivation, real_output_index, ack.spend_key_public
+    # )
+    #
+    # # Add the contribution from the subaddress part
+    # if received_index != (0, 0):
+    #     subaddr_pk = crypto.scalarmult_base(subaddr_sk)
+    #     pub_ver = crypto.point_add(pub_ver, subaddr_pk)
+    # </Multisig>
 
     if not crypto.point_eq(pub_ver, out_key):
         raise ValueError(

src/apps/monero/xmr/sub/creds.py

@@ -23,7 +23,6 @@ def __init__(
         self.spend_key_public = spend_key_public
         self.address = address
         self.network_type = network_type
-        self.multisig_keys = []
 
     @classmethod
     def new_wallet(