From e69467bc04a51da4e0be536a047b51a94652362e Mon Sep 17 00:00:00 2001
From: Dusan Klinec
Date: Wed, 13 Apr 2022 10:36:21 +0200
Subject: [PATCH] chore(crypto): drop support for Monero range proof
---
 crypto/Makefile | 1 -
 crypto/monero/monero.h | 1 -
 crypto/monero/range_proof.c | 115 -------------------------------
 crypto/monero/range_proof.h | 31 ---------
 crypto/tests/test_check.c | 1 -
 crypto/tests/test_check_monero.h | 51 --------------
 6 files changed, 200 deletions(-)
 delete mode 100644 crypto/monero/range_proof.c
 delete mode 100644 crypto/monero/range_proof.h
diff --git a/crypto/Makefile b/crypto/Makefile
index 1a9d7ecec..24c05cf86 100644
--- a/crypto/Makefile
+++ b/crypto/Makefile
@@ -118,7 +118,6 @@ SRCS += ed25519-donna/ed25519.c ed25519-donna/curve25519-donna-scalarmult-base.
 SRCS += monero/base58.c
 SRCS += monero/serialize.c
 SRCS += monero/xmr.c
-SRCS += monero/range_proof.c
 SRCS += blake256.c
 SRCS += blake2b.c blake2s.c
 SRCS += chacha_drbg.c
diff --git a/crypto/monero/monero.h b/crypto/monero/monero.h
index ba436c3a3..3a6a9f568 100644
--- a/crypto/monero/monero.h
+++ b/crypto/monero/monero.h
@@ -14,7 +14,6 @@
 #endif
 
 #include "base58.h"
-#include "range_proof.h"
 #include "serialize.h"
 #include "xmr.h"
 
diff --git a/crypto/monero/range_proof.c b/crypto/monero/range_proof.c
deleted file mode 100644
index e3fd9b6a2..000000000
--- a/crypto/monero/range_proof.c
+++ /dev/null
@@ -1,115 +0,0 @@
-//
-// Created by Dusan Klinec on 10/05/2018.
-//
-
-#include "range_proof.h"
-
-static void xmr_hash_ge25519_to_scalar(bignum256modm r, const ge25519 *p) {
- unsigned char buff[32] = {0};
- ge25519_pack(buff, p);
- xmr_hash_to_scalar(r, buff, sizeof(buff));
-}
-
-void xmr_gen_range_sig(xmr_range_sig_t *sig, ge25519 *C, bignum256modm mask,
- xmr_amount amount, bignum256modm *last_mask) {
- bignum256modm ai[64] = {0};
- bignum256modm alpha[64] = {0};
- xmr_gen_range_sig_ex(sig, C, mask, amount, last_mask, ai, alpha);
-}
-
-void xmr_gen_range_sig_ex(xmr_range_sig_t *sig, ge25519 *C, bignum256modm mask,
- xmr_amount amount, bignum256modm *last_mask,
- bignum256modm ai[64], bignum256modm alpha[64]) {
- const unsigned n = XMR_ATOMS;
- bignum256modm a = {0};
- bignum256modm si = {0};
- bignum256modm c = {0};
- bignum256modm ee = {0};
- unsigned char buff[32] = {0};
-
- Hasher kck = {0};
- xmr_hasher_init(&kck);
-
- ge25519 C_acc = {0};
- ge25519 C_h = {0};
- ge25519 C_tmp = {0};
- ge25519 L = {0};
- ge25519 Zero = {0};
-
- ge25519_set_neutral(&Zero);
- ge25519_set_neutral(&C_acc);
- ge25519_set_xmr_h(&C_h);
- set256_modm(a, 0);
-
-#define BB(i) ((amount >> (i)) & 1)
-
- // First pass, generates: ai, alpha, Ci, ee, s1
- for (unsigned ii = 0; ii < n; ++ii) {
- xmr_random_scalar(ai[ii]);
- if (last_mask != NULL && ii == n - 1) {
- sub256_modm(ai[ii], *last_mask, a);
- }
-
- add256_modm(a, a, ai[ii]); // creating the total mask since you have to
- // pass this to receiver...
- xmr_random_scalar(alpha[ii]);
-
- ge25519_scalarmult_base_niels(&L, ge25519_niels_base_multiples, alpha[ii]);
- ge25519_scalarmult_base_niels(&C_tmp, ge25519_niels_base_multiples, ai[ii]);
-
- // C_tmp += &Zero if BB(ii) == 0 else &C_h
- ge25519_add(&C_tmp, &C_tmp, BB(ii) == 0 ? &Zero : &C_h, 0);
- ge25519_add(&C_acc, &C_acc, &C_tmp, 0);
-
- // Set Ci[ii] to sigs
- ge25519_pack(sig->Ci[ii], &C_tmp);
-
- if (BB(ii) == 0) {
- xmr_random_scalar(si);
- xmr_hash_ge25519_to_scalar(c, &L);
-
- ge25519_add(&C_tmp, &C_tmp, &C_h, 1); // Ci[ii] -= c_h
- xmr_add_keys2_vartime(&L, si, c, &C_tmp);
-
- // Set s1[ii] to sigs
- contract256_modm(sig->asig.s1[ii], si);
- }
-
- ge25519_pack(buff, &L);
- xmr_hasher_update(&kck, buff, sizeof(buff));
-
- ge25519_double(&C_h, &C_h); // c_H = crypto.scalarmult(c_H, 2)
- }
-
- // Compute ee
- xmr_hasher_final(&kck, buff);
- expand256_modm(ee, buff, sizeof(buff));
-
- ge25519_set_xmr_h(&C_h);
-
- // Second pass, s0, s1
- for (unsigned ii = 0; ii < n; ++ii) {
- if (BB(ii) == 0) {
- mulsub256_modm(si, ai[ii], ee, alpha[ii]);
- contract256_modm(sig->asig.s0[ii], si);
-
- } else {
- xmr_random_scalar(si);
- contract256_modm(sig->asig.s0[ii], si);
-
- ge25519_unpack_vartime(&C_tmp, sig->Ci[ii]);
- xmr_add_keys2_vartime(&L, si, ee, &C_tmp);
- xmr_hash_ge25519_to_scalar(c, &L);
-
- mulsub256_modm(si, ai[ii], c, alpha[ii]);
- contract256_modm(sig->asig.s1[ii], si);
- }
-
- ge25519_double(&C_h, &C_h); // c_H = crypto.scalarmult(c_H, 2)
- }
-
- ge25519_copy(C, &C_acc);
- copy256_modm(mask, a);
- contract256_modm(sig->asig.ee, ee);
-#undef BB
-}
diff --git a/crypto/monero/range_proof.h b/crypto/monero/range_proof.h
deleted file mode 100644
index f614ab04e..000000000
--- a/crypto/monero/range_proof.h
+++ /dev/null
@@ -1,31 +0,0 @@
-//
-// Created by Dusan Klinec on 10/05/2018.
-//
-
-#ifndef TREZOR_CRYPTO_RANGE_PROOF_H
-#define TREZOR_CRYPTO_RANGE_PROOF_H
-
-#include "xmr.h"
-#define XMR_ATOMS 64
-
-typedef uint64_t xmr_amount;
-typedef xmr_key_t xmr_key64_t[64];
-
-typedef struct xmr_boro_sig {
- xmr_key64_t s0;
- xmr_key64_t s1;
- xmr_key_t ee;
-} xmr_boro_sig_t;
-
-typedef struct range_sig {
- xmr_boro_sig_t asig;
- xmr_key64_t Ci;
-} xmr_range_sig_t;
-
-void xmr_gen_range_sig(xmr_range_sig_t* sig, ge25519* C, bignum256modm mask,
- xmr_amount amount, bignum256modm* last_mask);
-void xmr_gen_range_sig_ex(xmr_range_sig_t* sig, ge25519* C, bignum256modm mask,
- xmr_amount amount, bignum256modm* last_mask,
- bignum256modm ai[64], bignum256modm alpha[64]);
-
-#endif // TREZOR_CRYPTO_RANGE_PROOF_H
diff --git a/crypto/tests/test_check.c b/crypto/tests/test_check.c
index 4e74923c2..79ceca2bc 100644
--- a/crypto/tests/test_check.c
+++ b/crypto/tests/test_check.c
@@ -9718,7 +9718,6 @@ Suite *test_suite(void) {
 tcase_add_test(tc, test_xmr_get_subaddress_secret_key);
 tcase_add_test(tc, test_xmr_gen_c);
 tcase_add_test(tc, test_xmr_varint);
- tcase_add_test(tc, test_xmr_gen_range_sig);
 suite_add_tcase(s, tc);
 #endif
 return s;
diff --git a/crypto/tests/test_check_monero.h b/crypto/tests/test_check_monero.h
index eb247d939..278d47c9d 100644
--- a/crypto/tests/test_check_monero.h
+++ b/crypto/tests/test_check_monero.h
@@ -1126,55 +1126,4 @@ START_TEST(test_xmr_varint) {
 }
 }
 END_TEST
-
-START_TEST(test_xmr_gen_range_sig) {
- uint64_t tests[] = {
- 0, 1, 65535, 65537, 0xffffffffffffffffULL, 0xdeadc0deULL,
- };
-
- unsigned char buff[32];
- xmr_range_sig_t sig;
- ge25519 C, Ctmp, Cb, Ch, P1, P2, LL;
- bignum256modm mask, hsh, ee, s, ee_comp;
- Hasher hasher;
-
- for (size_t i = 0; i < (sizeof(tests) / sizeof(*tests)); i++) {
- xmr_gen_range_sig(&sig, &C, mask, tests[i], NULL);
-
- ge25519_set_neutral(&Ctmp);
- for (int j = 0; j < XMR_ATOMS; j++) {
- ge25519_unpack_vartime(&Cb, sig.Ci[j]);
- ge25519_add(&Ctmp, &Ctmp, &Cb, 0);
- }
-
- ck_assert_int_eq(ge25519_eq(&C, &Ctmp), 1);
-
- xmr_hasher_init(&hasher);
- ge25519_set_xmr_h(&Ch);
- expand256_modm(ee, sig.asig.ee, 32);
-
- for (int j = 0; j < XMR_ATOMS; j++) {
- ge25519_unpack_vartime(&P1, sig.Ci[j]);
- ge25519_add(&P2, &P1, &Ch, 1);
- expand256_modm(s, sig.asig.s0[j], 32);
-
- xmr_add_keys2(&LL, s, ee, &P1);
- ge25519_pack(buff, &LL);
- xmr_hash_to_scalar(hsh, buff, 32);
-
- expand256_modm(s, sig.asig.s1[j], 32);
- xmr_add_keys2(&LL, s, hsh, &P2);
-
- ge25519_pack(buff, &LL);
- xmr_hasher_update(&hasher, buff, 32);
-
- ge25519_double(&Ch, &Ch);
- }
-
- xmr_hasher_final(&hasher, buff);
- expand256_modm(ee_comp, buff, 32);
- ck_assert_int_eq(eq256_modm(ee, ee_comp), 1);
- }
-}
-END_TEST
 #endif