diff --git a/src/apps/monero/layout/confirms.py b/src/apps/monero/layout/confirms.py
index c36eb788e1..2d6a6c40e5 100644
--- a/src/apps/monero/layout/confirms.py
+++ b/src/apps/monero/layout/confirms.py
@@ -8,6 +8,8 @@ from trezor.utils import chunks
 from apps.common.confirm import require_confirm, require_hold_to_confirm
 from apps.monero.layout import common
+DUMMY_PAYMENT_ID = b"\x00\x00\x00\x00\x00\x00\x00\x00"
+
 async def require_confirm_watchkey(ctx):
 content = Text("Confirm export", ui.ICON_SEND, icon_color=ui.GREEN)
@@ -67,7 +69,7 @@ async def require_confirm_transaction(ctx, tsx_data, network_type):
 if (
 has_payment
 and not has_integrated
- and tsx_data.payment_id != b"\x00\x00\x00\x00\x00\x00\x00\x00"
+ and tsx_data.payment_id != DUMMY_PAYMENT_ID
 ):
 await _require_confirm_payment_id(ctx, tsx_data.payment_id)
diff --git a/src/apps/monero/signing/__init__.py b/src/apps/monero/signing/__init__.py
index f21ec78823..94ced93892 100644
--- a/src/apps/monero/signing/__init__.py
+++ b/src/apps/monero/signing/__init__.py
@@ -46,7 +46,7 @@ class RsigType:
 def get_monero_rct_type(bp_version=1):
 """
 Returns transaction RctType according to the BP version.
- Only HP9+ is supported, thus Full and Simple variants are removed.
+ Only HP9+ is supported, thus only Simple variant is concerned.
 """
 if bp_version == 1:
 return 3 # TxRctType.Bulletproof
diff --git a/src/apps/monero/signing/step_02_set_input.py b/src/apps/monero/signing/step_02_set_input.py
index b9733e063c..af62823264 100644
--- a/src/apps/monero/signing/step_02_set_input.py
+++ b/src/apps/monero/signing/step_02_set_input.py
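Review bot: `DUMMY_PAYMENT_ID` is introduced without a comment saying what the all-zero value stands for, even though its only use (the `require_confirm_transaction` hunk below) relies on it to skip the payment-ID confirmation prompt. A short comment above the constant would keep a later maintainer from widening that exemption, e.g. `# 8-byte all-zero short payment ID; presumably the placeholder wallets attach when no real payment ID is in use, so it is not shown for confirmation — confirm against host behaviour`. `bytes(8)` is an equivalent spelling that avoids miscounting the escapes.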
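Review bot: The rewritten docstring line keeps the `HP9+` typo; the rest of this diff (the step_04 and step_09 docstrings) writes hard-fork numbers as `HF8`/`HF9`/`HF10`, so it should read `HF9+`. The phrase "only Simple variant is concerned" is also unclear; suggested line: `Only HF9+ is supported, thus only the Simple variant is relevant.`. `get_monero_rct_type` continues past the end of the hunk.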
@@ -97,7 +97,7 @@ async def set_input(state: State, src_entr: MoneroTransactionSourceEntry):
 alpha, pseudo_out = _gen_commitment(state, src_entr.amount)
 pseudo_out = crypto.encodepoint(pseudo_out)
- # In full version the alpha is encrypted and passed back for storage
+ # The alpha is encrypted and passed back for storage
 pseudo_out_hmac = crypto.compute_hmac(
 offloading_keys.hmac_key_txin_comm(state.key_hmac, state.current_input_index),
 pseudo_out,
diff --git a/src/apps/monero/signing/step_04_input_vini.py b/src/apps/monero/signing/step_04_input_vini.py
index 0bbc8e79de..874bc09e73 100644
--- a/src/apps/monero/signing/step_04_input_vini.py
+++ b/src/apps/monero/signing/step_04_input_vini.py
@@ -1,7 +1,13 @@
 """
-This step successively hashes the inputs in the order
-received in the previous step.
-Also hashes `pseudo_out` to the final_message.
+This step serves for an incremental hashing of tx.vin[i] to the tx_prefix_hasher
+after the sorting on tx.vin[i].ki. The sorting order was received in the previous step.
+
+Originally, this step also incrementaly hashed pseudo_output[i] to the full_message_hasher for
+RctSimple transactions with Borromean proofs (HF8).
+
+In later hard-forks, the pseudo_outputs were moved to the rctsig.prunable
+which is not hashed to the final signature, thus pseudo_output hashing has been removed
+(as we support only HF9 and HF10 now).
 """
 from .state import State
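Review bot: The reworded comment talks about alpha being encrypted, but the statement directly beneath it computes an HMAC over `pseudo_out`, so the comment no longer describes the code it annotates. If the alpha encryption happens further down in `set_input` (outside this hunk), either move the comment next to it or cover both values, e.g. `# pseudo_out is HMAC'd (and alpha encrypted below) before being handed back to the host, presumably so they cannot be altered before they return in later steps`. The enclosing `set_input` starts and ends outside the hunk.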
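Review bot: The module docstring moved here carries over the `incrementaly` misspelling on the `Originally, this step also ...` line and the awkward opening `serves for an incremental hashing of`; suggested first sentence: `This step incrementally hashes tx.vin[i] into the tx_prefix_hasher after the sorting on tx.vin[i].ki; the sorting order was received in the previous step.`. The later hunk in this file removes the same text from `input_vini` without leaving any summary, so a one-line docstring such as `"""Hash tx.vin[i] into the tx_prefix_hasher; see the module docstring."""` would keep the function self-describing.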
@@ -22,17 +28,6 @@ async def input_vini(
 vini_bin: bytes,
 vini_hmac: bytes,
 ):
- """
- This step serves for an incremental hashing of tx.vin[i] to the tx_prefix_hasher
- after the sorting on tx.vin[i].ki.
-
- Originally, this step also incrementaly hashed pseudo_output[i] to the full_message_hasher for
- RctSimple transactions with Borromean proofs (HF8).
-
- In later hard-forks, the pseudo_outputs were moved to the rctsig.prunable
- which is not hashed to the final signature, thus pseudo_output hashing has been removed
- (as we support only HF9 and HF10 now).
- """
 from trezor.messages.MoneroTransactionInputViniAck import (
 MoneroTransactionInputViniAck,
 )
diff --git a/src/apps/monero/signing/step_09_sign_input.py b/src/apps/monero/signing/step_09_sign_input.py
index ab4cb50a63..0a7639e4e0 100644
--- a/src/apps/monero/signing/step_09_sign_input.py
+++ b/src/apps/monero/signing/step_09_sign_input.py
@@ -1,5 +1,13 @@
 """
 Generates a MLSAG signature for one input.
+
+Mask Balancing.
+Sum of input masks has to be equal to the sum of output masks.
+As the output masks has been made deterministic in HF10 the mask sum equality is corrected
+in this step. The last input mask (and thus pseudo_out) is recomputed so the sums equal.
+
+If deterministic masks cannot be used (client_version=0), the balancing is done in step 5
+on output masks as pseudo outputs have to remain same.
 """
 import gc
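Review bot: The added paragraph has a grammar slip on the `As the output masks has been made deterministic` line, and the capitalised `Mask Balancing.` reads as a stray sentence rather than a heading; suggested lines: `Mask balancing:` and `As the output masks have been made deterministic in HF10, the mask sum equality is corrected`. The `-28,16 +36,6` hunk further down removes `Signing UTXO.` from `sign_input`, leaving that docstring to begin directly with `:param state:`; keeping the one-line summary would preserve the conventional summary-then-params layout.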
@@ -28,16 +36,6 @@ async def sign_input(
 spend_enc: bytes,
 ):
 """
- Signing UTXO.
-
- Mask Balancing.
- Sum of input masks has to be equal to the sum of output masks.
- As the output masks has been made deterministic in HF10 the mask sum equality is corrected
- in this step. The last input mask (and thus pseudo_out) is recomputed so the sums equal.
-
- If deterministic masks cannot be used (client_version=0), the balancing is done in step 5
- on output masks as pseudo outputs have to remain same.
-
 :param state: transaction state
 :param src_entr: Source entry
 :param vini_bin: tx.vin[i] for the transaction. Contains key image, offsets, amount (usually zero)
diff --git a/src/apps/monero/xmr/mlsag.py b/src/apps/monero/xmr/mlsag.py
index 944c6c475a..d4361e6bca 100644
--- a/src/apps/monero/xmr/mlsag.py
+++ b/src/apps/monero/xmr/mlsag.py
@@ -1,7 +1,6 @@
 """
 Multilayer Linkable Spontaneous Anonymous Group (MLSAG)
 Optimized versions with incremental hashing.
-Both Simple and Full Monero tx types are supported.
 See https://eprint.iacr.org/2015/1098.pdf for details.
 Also explained in From Zero to Monero section 3.3 and 5.