From 55a593aa7d09bda29bb1779a62037dcf7b4e4371 Mon Sep 17 00:00:00 2001 From: Dusan Klinec Date: Wed, 3 Oct 2018 16:52:18 +0200 Subject: [PATCH] xmr: multisig removed from protocol and functions --- .../protocol/signing/step_02_set_input.py | 4 +- .../protocol/signing/step_07_all_out1_set.py | 13 ++--- .../protocol/signing/step_09_sign_input.py | 12 +---- src/apps/monero/xmr/mlsag2.py | 47 +++++++------------ src/apps/monero/xmr/monero.py | 30 ++++++------ src/apps/monero/xmr/sub/creds.py | 1 - 6 files changed, 39 insertions(+), 68 deletions(-) diff --git a/src/apps/monero/protocol/signing/step_02_set_input.py b/src/apps/monero/protocol/signing/step_02_set_input.py index 483270c69..8cf188b70 100644 --- a/src/apps/monero/protocol/signing/step_02_set_input.py +++ b/src/apps/monero/protocol/signing/step_02_set_input.py @@ -71,8 +71,8 @@ async def set_input(state: State, src_entr: MoneroTransactionSourceEntry): state.mem_trace(1, True) # Construct tx.vin - ki_real = src_entr.multisig_kLRki.ki if state.multi_sig else ki - vini = TxinToKey(amount=src_entr.amount, k_image=crypto.encodepoint(ki_real)) + # If multisig is used then ki in vini should be src_entr.multisig_kLRki.ki + vini = TxinToKey(amount=src_entr.amount, k_image=crypto.encodepoint(ki)) vini.key_offsets = _absolute_output_offsets_to_relative( [x.idx for x in src_entr.outputs] ) diff --git a/src/apps/monero/protocol/signing/step_07_all_out1_set.py b/src/apps/monero/protocol/signing/step_07_all_out1_set.py index 94c1e891d..d6547cbbf 100644 --- a/src/apps/monero/protocol/signing/step_07_all_out1_set.py +++ b/src/apps/monero/protocol/signing/step_07_all_out1_set.py @@ -62,16 +62,9 @@ async def all_out1_set(state: State): gc.collect() state.mem_trace(4) - # Txprefix match check for multisig - if not common.is_empty(state.exp_tx_prefix_hash) and not common.ct_equal( - state.exp_tx_prefix_hash, state.tx_prefix_hash - ): - # state.state.set_fail() todo needed? - # todo raise wire.NotEnoughFunds(e.message) ?? - raise misc.TrezorTxPrefixHashNotMatchingError("Tx prefix invalid") - - gc.collect() - state.mem_trace(5) + # In the multisig mode here needs to be a check whether currently computed + # transaction prefix matches expected transaction prefix sent in the + # init step. from trezor.messages.MoneroRingCtSig import MoneroRingCtSig from trezor.messages.MoneroTransactionAllOutSetAck import ( diff --git a/src/apps/monero/protocol/signing/step_09_sign_input.py b/src/apps/monero/protocol/signing/step_09_sign_input.py index 39318c275..fca858f7e 100644 --- a/src/apps/monero/protocol/signing/step_09_sign_input.py +++ b/src/apps/monero/protocol/signing/step_09_sign_input.py @@ -110,7 +110,7 @@ async def sign_input( # Basic setup, sanity check index = src_entr.real_output in_sk = CtKey(dest=input_secret, mask=crypto.decodeint(src_entr.mask)) - kLRki = src_entr.multisig_kLRki if state.multi_sig else None + kLRki = None # for multisig: src_entr.multisig_kLRki # Private key correctness test state.assrt( @@ -139,14 +139,7 @@ async def sign_input( # Simple RingCT mix_ring = [x.key for x in src_entr.outputs] mg, msc = mlsag2.prove_rct_mg_simple( - state.full_message, - mix_ring, - in_sk, - alpha_c, - pseudo_out_c, - kLRki, - None, - index, + state.full_message, mix_ring, in_sk, alpha_c, pseudo_out_c, kLRki, index ) else: @@ -161,7 +154,6 @@ async def sign_input( state.output_sk_masks, state.output_pk_masks, kLRki, - None, index, txn_fee_key, ) diff --git a/src/apps/monero/xmr/mlsag2.py b/src/apps/monero/xmr/mlsag2.py index 44a21f44a..ebd201f56 100644 --- a/src/apps/monero/xmr/mlsag2.py +++ b/src/apps/monero/xmr/mlsag2.py @@ -46,7 +46,7 @@ def hash_point(hasher, point, tmp_buff): hasher.update(tmp_buff) -def gen_mlsag_assert(pk, xx, kLRki, mscout, index, dsRows): +def gen_mlsag_assert(pk, xx, kLRki, index, dsRows): """ Conditions check for gen_mlsag_ext. """ @@ -67,10 +67,10 @@ def gen_mlsag_assert(pk, xx, kLRki, mscout, index, dsRows): raise ValueError("Bad xx size") if dsRows > rows: raise ValueError("Bad dsRows size") - if (not kLRki or not mscout) and (kLRki or mscout): - raise ValueError("Only one of kLRki/mscout is present") if kLRki and dsRows != 1: raise ValueError("Multisig requires exactly 1 dsRows") + if kLRki: + raise NotImplementedError("Multisig not implemented") return rows, cols @@ -89,15 +89,14 @@ def gen_mlsag_rows(message, rv, pk, xx, kLRki, index, dsRows, rows, cols): for i in range(dsRows): hasher.update(crypto.encodepoint(pk[index][i])) if kLRki: - alpha[i] = kLRki.k - rv.II[i] = kLRki.ki - hash_point(hasher, kLRki.L, tmp_buff) - hash_point(hasher, kLRki.R, tmp_buff) + raise NotImplementedError("Multisig not implemented") + # alpha[i] = kLRki.k + # rv.II[i] = kLRki.ki + # hash_point(hasher, kLRki.L, tmp_buff) + # hash_point(hasher, kLRki.R, tmp_buff) else: - Hi = crypto.hash_to_point( - crypto.encodepoint(pk[index][i]) - ) # originally hashToPoint() + Hi = crypto.hash_to_point(crypto.encodepoint(pk[index][i])) alpha[i] = crypto.random_scalar() aGi = crypto.scalarmult_base(alpha[i]) aHPi = crypto.scalarmult(Hi, alpha[i]) @@ -118,13 +117,13 @@ def gen_mlsag_rows(message, rv, pk, xx, kLRki, index, dsRows, rows, cols): return c_old, Ip, alpha -def gen_mlsag_ext(message, pk, xx, kLRki, mscout, index, dsRows): +def gen_mlsag_ext(message, pk, xx, kLRki, index, dsRows): """ Multilayered Spontaneous Anonymous Group Signatures (MLSAG signatures) """ from apps.monero.xmr.serialize_messages.tx_full import MgSig - rows, cols = gen_mlsag_assert(pk, xx, kLRki, mscout, index, dsRows) + rows, cols = gen_mlsag_assert(pk, xx, kLRki, index, dsRows) rv = MgSig() c, L, R, Hi = 0, None, None, None @@ -144,9 +143,7 @@ def gen_mlsag_ext(message, pk, xx, kLRki, mscout, index, dsRows): for j in range(dsRows): L = crypto.add_keys2(rv.ss[i][j], c_old, pk[i][j]) - Hi = crypto.hash_to_point( - crypto.encodepoint(pk[i][j]) - ) # originally hashToPoint() + Hi = crypto.hash_to_point(crypto.encodepoint(pk[i][j])) R = crypto.add_keys3(rv.ss[i][j], Hi, c_old, Ip[j]) hash_point(hasher, pk[i][j], tmp_buff) hash_point(hasher, L, tmp_buff) @@ -165,18 +162,13 @@ def gen_mlsag_ext(message, pk, xx, kLRki, mscout, index, dsRows): rv.cc = c_old for j in range(rows): - rv.ss[index][j] = crypto.sc_mulsub( - c, xx[j], alpha[j] - ) # alpha[j] - c * xx[j]; sc_mulsub in original does c-ab - - if mscout: - mscout(c) + rv.ss[index][j] = crypto.sc_mulsub(c, xx[j], alpha[j]) return rv, c def prove_rct_mg( - message, pubs, in_sk, out_sk_mask, out_pk_mask, kLRki, mscout, index, txn_fee_key + message, pubs, in_sk, out_sk_mask, out_pk_mask, kLRki, index, txn_fee_key ): """ c.f. http://eprint.iacr.org/2015/1098 section 4. definition 10. @@ -198,8 +190,6 @@ def prove_rct_mg( raise ValueError("Bad inSk size") if len(out_sk_mask) != len(out_pk_mask): raise ValueError("Bad outsk/putpk size") - if (not kLRki or not mscout) and (kLRki and mscout): - raise ValueError("Only one of kLRki/mscout is present") sk = key_vector(rows + 1) M = key_matrix(rows + 1, cols) @@ -233,10 +223,10 @@ def prove_rct_mg( sk[rows], out_sk_mask[j] ) # subtract output masks in last row - return gen_mlsag_ext(message, M, sk, kLRki, mscout, index, rows) + return gen_mlsag_ext(message, M, sk, kLRki, index, rows) -def prove_rct_mg_simple(message, pubs, in_sk, a, cout, kLRki, mscout, index): +def prove_rct_mg_simple(message, pubs, in_sk, a, cout, kLRki, index): """ Simple version for when we assume only post rct inputs @@ -248,7 +238,6 @@ def prove_rct_mg_simple(message, pubs, in_sk, a, cout, kLRki, mscout, index): :param a: mask from the pseudo_output commitment (alpha) :param cout: point, decoded. Pseudo output public key. :param kLRki: - :param mscout: lambda accepting c :param index: :return: """ @@ -256,8 +245,6 @@ def prove_rct_mg_simple(message, pubs, in_sk, a, cout, kLRki, mscout, index): cols = len(pubs) if cols == 0: raise ValueError("Empty pubs") - if (not kLRki or not mscout) and (kLRki and mscout): - raise ValueError("Only one of kLRki/mscout is present") sk = key_vector(rows + 1) M = key_matrix(rows + 1, cols) @@ -269,4 +256,4 @@ def prove_rct_mg_simple(message, pubs, in_sk, a, cout, kLRki, mscout, index): M[i][0] = crypto.decodepoint(pubs[i].dest) M[i][1] = crypto.point_sub(crypto.decodepoint(pubs[i].mask), cout) - return gen_mlsag_ext(message, M, sk, kLRki, mscout, index, rows) + return gen_mlsag_ext(message, M, sk, kLRki, index, rows) diff --git a/src/apps/monero/xmr/monero.py b/src/apps/monero/xmr/monero.py index 678bd9847..52d28098f 100644 --- a/src/apps/monero/xmr/monero.py +++ b/src/apps/monero/xmr/monero.py @@ -131,21 +131,21 @@ def generate_tx_spend_and_key_image( ) scalar_step2 = crypto.sc_add(scalar_step1, subaddr_sk) - # when not in multisig, we know the full spend secret key, so the output pubkey can be obtained by scalarmultBase - if len(ack.multisig_keys) == 0: - pub_ver = crypto.scalarmult_base(scalar_step2) - - else: - # When in multisig, we only know the partial spend secret key. But we do know the full spend public key, - # so the output pubkey can be obtained by using the standard CN key derivation. - pub_ver = crypto.derive_public_key( - recv_derivation, real_output_index, ack.spend_key_public - ) - - # Add the contribution from the subaddress part - if received_index != (0, 0): - subaddr_pk = crypto.scalarmult_base(subaddr_sk) - pub_ver = crypto.point_add(pub_ver, subaddr_pk) + # When not in multisig, we know the full spend secret key, so the output pubkey can be obtained by scalarmultBase + pub_ver = crypto.scalarmult_base(scalar_step2) + + # , branch deactivated until implemented + # # When in multisig, we only know the partial spend secret key. But we do know the full spend public key, + # # so the output pubkey can be obtained by using the standard CN key derivation. + # pub_ver = crypto.derive_public_key( + # recv_derivation, real_output_index, ack.spend_key_public + # ) + # + # # Add the contribution from the subaddress part + # if received_index != (0, 0): + # subaddr_pk = crypto.scalarmult_base(subaddr_sk) + # pub_ver = crypto.point_add(pub_ver, subaddr_pk) + # if not crypto.point_eq(pub_ver, out_key): raise ValueError( diff --git a/src/apps/monero/xmr/sub/creds.py b/src/apps/monero/xmr/sub/creds.py index 77159d91f..49f8ee38c 100644 --- a/src/apps/monero/xmr/sub/creds.py +++ b/src/apps/monero/xmr/sub/creds.py @@ -23,7 +23,6 @@ def __init__( self.spend_key_public = spend_key_public self.address = address self.network_type = network_type - self.multisig_keys = [] @classmethod def new_wallet(