xmr: code cleanup, refactoring

ph4r05 · Sep 17, 2018 · 6fc8b0e · 6fc8b0e
1 parent 85ecc15
commit 6fc8b0e
Show file tree

Hide file tree

Showing 6 changed files with 38 additions and 102 deletions.
diff --git a/src/apps/monero/protocol/tsx_sign_builder.py b/src/apps/monero/protocol/tsx_sign_builder.py
@@ -713,7 +713,7 @@ async def all_in_set(self, rsig_data):
             if is_last and self.use_simple_rct:
                 crypto.sc_sub_into(cur_mask, self.sumpouts_alphas, self.sumout)
             else:
-                crypto.random_scalar_into(cur_mask)
+                crypto.random_scalar(cur_mask)
 
             crypto.sc_add_into(self.sumout, self.sumout, cur_mask)
             self.output_masks.append(cur_mask)
@@ -766,7 +766,7 @@ def _gen_commitment(self, in_amount):
         """
         alpha = crypto.random_scalar()
         self.sumpouts_alphas = crypto.sc_add(self.sumpouts_alphas, alpha)
-        return alpha, crypto.gen_c(alpha, in_amount)
+        return alpha, crypto.gen_commitment(alpha, in_amount)
 
     def _check_out_commitment(self, amount, mask, C):
         self.assrt(
@@ -901,7 +901,7 @@ def _set_out1_ecdh(self, dest_pub_key, amount, mask, amount_key):
         # Mask sum
         out_pk = misc.StdObj(
             dest=crypto.encodepoint(dest_pub_key),
-            mask=crypto.encodepoint(crypto.gen_c(mask, amount)),
+            mask=crypto.encodepoint(crypto.gen_commitment(mask, amount)),
         )
         self.sumout = crypto.sc_add(self.sumout, mask)
         self.output_sk.append(misc.StdObj(mask=mask))
@@ -1317,7 +1317,7 @@ async def sign_input(
         self.assrt(
             crypto.point_eq(
                 crypto.decodepoint(src_entr.outputs[src_entr.real_output].key.mask),
-                crypto.gen_c(in_sk.mask, src_entr.amount),
+                crypto.gen_commitment(in_sk.mask, src_entr.amount),
             ),
             "a2",
         )

diff --git a/src/apps/monero/xmr/bulletproof.py b/src/apps/monero/xmr/bulletproof.py
diff --git a/src/apps/monero/xmr/crypto.py b/src/apps/monero/xmr/crypto.py
@@ -297,20 +297,16 @@ def sc_inv_into(r, x):
     return tcry.inv256_modm(r, x)
 
 
-def random_scalar():
-    return tcry.xmr_random_scalar()
-
-
-def random_scalar_into(r):
-    return tcry.xmr_random_scalar(r)
+def random_scalar(r=None):
+    return tcry.xmr_random_scalar(r if r is not None else new_scalar())
 
 
 #
 # GE - ed25519 group
 #
 
 
-def ge_double_scalarmult_base_vartime(a, A, b):
+def ge25519_double_scalarmult_base_vartime(a, A, b):
     """
     void ge25519_double_scalarmult_vartime(ge25519 *r, const ge25519 *p1, const bignum256modm s1, const bignum256modm s2);
     r = a * A + b * B
@@ -319,14 +315,7 @@ def ge_double_scalarmult_base_vartime(a, A, b):
     return R
 
 
-def ge_double_scalarmult_precomp_vartime(a, A, b, Bi):
-    """
-    void ge_double_scalarmult_precomp_vartime(ge_p2 *r, const unsigned char *a, const ge_p3 *A, const unsigned char *b, const ge_dsmp Bi)
-    """
-    return ge_double_scalarmult_precomp_vartime2(a, A, b, Bi)
-
-
-def ge_double_scalarmult_precomp_vartime2(a, Ai, b, Bi):
+def ge25519_double_scalarmult_vartime2(a, Ai, b, Bi):
     """
     void ge_double_scalarmult_precomp_vartime2(ge_p2 *r, const unsigned char *a, const ge_dsmp Ai, const unsigned char *b, const ge_dsmp Bi)
     """
@@ -352,14 +341,6 @@ def ge_frombytes_vartime_check(point):
     return 0
 
 
-def ge_frombytes_vartime(point):
-    """
-    https://www.imperialviolet.org/2013/12/25/elligator.html
-    """
-    ge_frombytes_vartime_check(point)
-    return point
-
-
 #
 # Monero specific
 #
@@ -385,7 +366,7 @@ def hash_to_scalar_into(r, data, length=None):
     return tcry.xmr_hash_to_scalar(r, dt)
 
 
-def hash_to_ec(buf):
+def hash_to_point(buf):
     """
     H_p(buf)
 
@@ -396,7 +377,7 @@ def hash_to_ec(buf):
     return tcry.xmr_hash_to_ec(buf)
 
 
-def hash_to_ec_into(r, buf):
+def hash_to_point_into(r, buf):
     return tcry.xmr_hash_to_ec(r, buf)
 
 
@@ -405,7 +386,7 @@ def hash_to_ec_into(r, buf):
 #
 
 
-def gen_H():
+def xmr_H():
     """
     Returns point H
     8b655970153799af2aeadc9ff1add0ea6c7251d54154cfa92c173a0dd39c1f94
@@ -414,7 +395,7 @@ def gen_H():
 
 
 def scalarmult_h(i):
-    return scalarmult(gen_H(), sc_init(i) if isinstance(i, int) else i)
+    return scalarmult(xmr_H(), sc_init(i) if isinstance(i, int) else i)
 
 
 def add_keys2(a, b, B):
@@ -445,7 +426,7 @@ def add_keys3_into(r, a, A, b, B):
     return tcry.xmr_add_keys3_vartime(r, a, A, b, B)
 
 
-def gen_c(a, amount):
+def gen_commitment(a, amount):
     """
     Generates Pedersen commitment
     C = aG + bH

diff --git a/src/apps/monero/xmr/mlsag2.py b/src/apps/monero/xmr/mlsag2.py
@@ -97,7 +97,7 @@ def gen_mlsag_rows(message, rv, pk, xx, kLRki, index, dsRows, rows, cols):
             hash_point(hasher, kLRki.R)
 
         else:
-            Hi = crypto.hash_to_ec(
+            Hi = crypto.hash_to_point(
                 crypto.encodepoint(pk[index][i])
             )  # originally hashToPoint()
             alpha[i] = crypto.random_scalar()
@@ -145,7 +145,7 @@ def gen_mlsag_ext(message, pk, xx, kLRki, mscout, index, dsRows):
 
         for j in range(dsRows):
             L = crypto.add_keys2(rv.ss[i][j], c_old, pk[i][j])
-            Hi = crypto.hash_to_ec(
+            Hi = crypto.hash_to_point(
                 crypto.encodepoint(pk[i][j])
             )  # originally hashToPoint()
             R = crypto.add_keys3(rv.ss[i][j], Hi, c_old, Ip[j])

diff --git a/src/apps/monero/xmr/monero.py b/src/apps/monero/xmr/monero.py
@@ -57,7 +57,7 @@ def generate_key_image(public_key, secret_key):
     """
     Key image: secret_key * H_p(pub_key)
     """
-    point = crypto.hash_to_ec(public_key)
+    point = crypto.hash_to_point(public_key)
     point2 = crypto.scalarmult(point, secret_key)
     return point2
 

diff --git a/src/apps/monero/xmr/ring_ct.py b/src/apps/monero/xmr/ring_ct.py
@@ -38,7 +38,7 @@ def verify_bp(bp_proof, amounts=None, masks=None):
     if amounts:
         bp_proof.V = []
         for i in range(len(amounts)):
-            C = crypto.gen_c(masks[i], amounts[i])
+            C = crypto.gen_commitment(masks[i], amounts[i])
             crypto.scalarmult_into(C, C, crypto.sc_inv_eight())
             bp_proof.V.append(crypto.encodepoint(C))
 
@@ -61,7 +61,7 @@ def prove_range_chunked(amount, last_mask=None):
     tmp_alpha = crypto.sc_init(0)
 
     C_acc = crypto.identity()
-    C_h = crypto.gen_H()
+    C_h = crypto.xmr_H()
     C_tmp = crypto.identity()
     L = crypto.identity()
     Zero = crypto.identity()
@@ -77,12 +77,12 @@ def prove_range_chunked(amount, last_mask=None):
     ee_bin = bytearray(32)
 
     for ii in range(64):
-        crypto.random_scalar_into(tmp_ai)
+        crypto.random_scalar(tmp_ai)
         if last_mask is not None and ii == 63:
             crypto.sc_sub_into(tmp_ai, last_mask, a)
 
         crypto.sc_add_into(a, a, tmp_ai)
-        crypto.random_scalar_into(tmp_alpha)
+        crypto.random_scalar(tmp_alpha)
 
         crypto.scalarmult_base_into(L, tmp_alpha)
         crypto.scalarmult_base_into(C_tmp, tmp_ai)
@@ -97,7 +97,7 @@ def prove_range_chunked(amount, last_mask=None):
         crypto.encodeint_into(alphai, tmp_alpha, ii << 5)
 
         if ((amount >> ii) & 1) == 0:
-            crypto.random_scalar_into(si)
+            crypto.random_scalar(si)
             crypto.encodepoint_into(buff, L)
             crypto.hash_to_scalar_into(c, buff)
 
@@ -116,7 +116,7 @@ def prove_range_chunked(amount, last_mask=None):
     crypto.decodeint_into(ee, tmp_ee)
     del (tmp_ee, kck)
 
-    C_h = crypto.gen_H()
+    C_h = crypto.xmr_H()
     gc.collect()
 
     # Second pass, s0, s1
@@ -129,7 +129,7 @@ def prove_range_chunked(amount, last_mask=None):
             crypto.encodeint_into(s0s, si, ii << 5)
 
         else:
-            crypto.random_scalar_into(si)
+            crypto.random_scalar(si)
             crypto.encodeint_into(s0s, si, ii << 5)
 
             crypto.decodepoint_into(C_tmp, Cis, ii << 5)
@@ -198,8 +198,6 @@ def generate_ring_signature(prefix_hash, image, pubs, sec, sec_idx, test=False):
         for k in pubs:
             crypto.ge_frombytes_vartime_check(k)
 
-    image_unp = crypto.ge_frombytes_vartime(image)
-
     buff_off = len(prefix_hash)
     buff = bytearray(buff_off + 2 * 32 * len(pubs))
     memcpy(buff, 0, prefix_hash, 0, buff_off)
@@ -218,21 +216,23 @@ def generate_ring_signature(prefix_hash, image, pubs, sec, sec_idx, test=False):
             crypto.encodepoint_into(mvbuff[buff_off : buff_off + 32], tmp3)
             buff_off += 32
 
-            tmp3 = crypto.hash_to_ec(crypto.encodepoint(pubs[i]))
+            tmp3 = crypto.hash_to_point(crypto.encodepoint(pubs[i]))
             tmp2 = crypto.scalarmult(tmp3, k)
             crypto.encodepoint_into(mvbuff[buff_off : buff_off + 32], tmp2)
             buff_off += 32
 
         else:
             sig[i] = [crypto.random_scalar(), crypto.random_scalar()]
-            tmp3 = crypto.ge_frombytes_vartime(pubs[i])
-            tmp2 = crypto.ge_double_scalarmult_base_vartime(sig[i][0], tmp3, sig[i][1])
+            tmp3 = pubs[i]
+            tmp2 = crypto.ge25519_double_scalarmult_base_vartime(
+                sig[i][0], tmp3, sig[i][1]
+            )
             crypto.encodepoint_into(mvbuff[buff_off : buff_off + 32], tmp2)
             buff_off += 32
 
-            tmp3 = crypto.hash_to_ec(crypto.encodepoint(tmp3))
-            tmp2 = crypto.ge_double_scalarmult_precomp_vartime(
-                sig[i][1], tmp3, sig[i][0], image_unp
+            tmp3 = crypto.hash_to_point(crypto.encodepoint(tmp3))
+            tmp2 = crypto.ge25519_double_scalarmult_vartime2(
+                sig[i][1], tmp3, sig[i][0], image
             )
             crypto.encodepoint_into(mvbuff[buff_off : buff_off + 32], tmp2)
             buff_off += 32
@@ -245,49 +245,8 @@ def generate_ring_signature(prefix_hash, image, pubs, sec, sec_idx, test=False):
     return sig
 
 
-def check_ring_singature(prefix_hash, image, pubs, sig):
-    from trezor.utils import memcpy
-
-    image_unp = crypto.ge_frombytes_vartime(image)
-
-    buff_off = len(prefix_hash)
-    buff = bytearray(buff_off + 2 * 32 * len(pubs))
-    memcpy(buff, 0, prefix_hash, 0, buff_off)
-    mvbuff = memoryview(buff)
-
-    sum = crypto.sc_0()
-    for i in range(len(pubs)):
-        if crypto.sc_check(sig[i][0]) != 0 or crypto.sc_check(sig[i][1]) != 0:
-            return False
-
-        tmp3 = crypto.ge_frombytes_vartime(pubs[i])
-        tmp2 = crypto.ge_double_scalarmult_base_vartime(sig[i][0], tmp3, sig[i][1])
-        crypto.encodepoint_into(mvbuff[buff_off : buff_off + 32], tmp2)
-        buff_off += 32
-
-        tmp3 = crypto.hash_to_ec(crypto.encodepoint(pubs[i]))
-        tmp2 = crypto.ge_double_scalarmult_precomp_vartime(
-            sig[i][1], tmp3, sig[i][0], image_unp
-        )
-        crypto.encodepoint_into(mvbuff[buff_off : buff_off + 32], tmp2)
-        buff_off += 32
-
-        sum = crypto.sc_add(sum, sig[i][0])
-
-    h = crypto.hash_to_scalar(buff)
-    h = crypto.sc_sub(h, sum)
-    return crypto.sc_isnonzero(h) == 0
-
-
 def export_key_image(
-    creds,
-    subaddresses,
-    pkey,
-    tx_pub_key,
-    additional_tx_pub_keys,
-    out_idx,
-    test=True,
-    verify=True,
+    creds, subaddresses, pkey, tx_pub_key, additional_tx_pub_keys, out_idx, test=True
 ):
     """
     Generates key image for the TXO + signature for the key image
@@ -302,8 +261,4 @@ def export_key_image(
     phash = crypto.encodepoint(ki)
     sig = generate_ring_signature(phash, ki, [pkey], xi, 0, test)
 
-    if verify:
-        if check_ring_singature(phash, ki, [pkey], sig) != 1:
-            raise ValueError("Signature error")
-
     return ki, sig