Commit graph

62 commits

Author SHA1 Message Date
Sarang Noether
4b328c6616 CLSAG signatures 2020-08-27 12:43:29 +00:00
moneromooo-monero
7175dcb107
replace most boost serialization with existing monero serialization
This reduces the attack surface for data that can come from
malicious sources (exported output and key images, multisig
transactions...) since the monero serialization is already
exposed to the outside, and the boost lib we were using had
a few known crashers.

For interoperability, a new load-deprecated-formats wallet
setting is added (off by default). This allows loading boost
format data if there is no alternative. It will likely go
at some point, along with the ability to load those.

Notably, the peer lists file still uses the boost serialization
code, as the data it stores is define in epee, while the new
serialization code is in monero, and migrating it was fairly
hairy. Since this file is local and not obtained from anyone
else, the marginal risk is minimal, but it could be migrated
later if needed.

Some tests and tools also do, this will stay as is for now.
2020-08-17 16:23:58 +00:00
moneromooo-monero
613071f4fa
use memwipe on secret k/alpha values
Reported by UkoeHB_ and sarang
2020-04-15 01:16:31 +00:00
moneromooo-monero
9447e7276d
cryptonote: add function to get weight from a pruned tx
The weight of the prunable data is deterministic from the
unpruned data, so it can be determined from a pruned tx
2019-10-11 12:08:36 +00:00
moneromooo-monero
1387549e90
serialization: check stream good flag at the end
just in case
2019-06-14 08:47:23 +00:00
moneromooo-monero
93bb2f48f7
ringct: prevent use of full ringct signatures for more than one input 2019-04-11 19:44:06 +00:00
moneromooo-monero
b6534c40e6
ringct: remove unused senderPk from ecdhTuple
This was an early ringct field, which was never used in production
2019-01-22 23:17:42 +00:00
moneromooo-monero
7d37598158
ringct: the commitment mask is now deterministic
saves space in the tx and is safe

Found by knaccc
2019-01-22 23:17:39 +00:00
moneromooo-monero
99d946e619
ringct: encode 8 byte amount, saving 24 bytes per output
Found by knaccc
2019-01-22 23:17:31 +00:00
moneromooo-monero
cdc3ccec5f
ringct: save 3 bytes on bulletproof size
Found by luigi1111
2019-01-22 23:17:27 +00:00
moneromooo-monero
f931e16c6e
add a bulletproof version, new bulletproof type, and rct config
This makes it easier to modify the bulletproof format
2019-01-22 23:17:24 +00:00
Tadeas Moravec
6456cb415a
Bulletproof: Initialize members in default construtor.
Fixing a build warning on g++ 7.3.0
2018-12-01 13:03:32 +00:00
stoffu
67a56a9f8b
rctTypes: fix incorrect serialization 2018-09-12 20:33:10 +09:00
moneromooo-monero
61632dc166
ringct: prevent a potential very large allocation
Reported by QuarksLab.
2018-09-11 13:38:14 +00:00
moneromooo-monero
5ffb2ff9b7
v8: per byte fee, pad bulletproofs, fixed 11 ring size 2018-09-11 13:38:07 +00:00
moneromooo-monero
2a8fcb421b
Bulletproof aggregated verification and tests
Also constrains bulletproofs to simple rct, for simplicity
2018-09-11 13:37:37 +00:00
moneromooo-monero
9ce9f8caf6
bulletproofs: add multi output bulletproofs to rct 2018-09-11 13:37:28 +00:00
moneromooo-monero
aacfd6e370
bulletproofs: multi-output bulletproofs 2018-09-11 13:37:17 +00:00
moneromooo-monero
7c8f95d3e2
ringct: make conversion functions return const refs
This might avoid unnecessary copies.

Reported by stoffu
2018-09-04 18:28:20 +00:00
moneromooo-monero
d2e26c23f3
add and use constant time 32 byte equality function 2018-08-23 07:56:51 +00:00
Lee Clagett
4616cf2641 Fixed ZMQ-RPC for transactions and GET_BLOCKS_FAST 2018-08-02 07:30:20 +00:00
einsteinsfool
7cdd147da5 Changed URLs to HTTPS 2018-06-23 21:15:29 +02:00
moneromooo-monero
b809058993
ringct: pseudoOuts moved to prunable in the simple bulletproof case
Saves 64 bytes non prunable data per typical tx

This breaks v7 consensus, will require a testnet reorg from v6
2018-01-31 15:56:26 +00:00
moneromooo-monero
2d17feb060
factor STL container serialization 2017-12-22 19:47:12 +00:00
moneromooo-monero
f4eda44ce3
N-1/N multisig 2017-12-17 16:12:12 +00:00
moneromooo-monero
4c313324b1
Add N/N multisig tx generation and signing
Scheme by luigi1111:

    Multisig for RingCT on Monero

    2 of 2

    User A (coordinator):
    Spendkey b,B
    Viewkey a,A (shared)

    User B:
    Spendkey c,C
    Viewkey a,A (shared)

    Public Address: C+B, A

    Both have their own watch only wallet via C+B, a

    A will coordinate spending process (though B could easily as well, coordinator is more needed for more participants)

    A and B watch for incoming outputs

    B creates "half" key images for discovered output D:
    I2_D = (Hs(aR)+c) * Hp(D)

    B also creates 1.5 random keypairs (one scalar and 2 pubkeys; one on base G and one on base Hp(D)) for each output, storing the scalar(k) (linked to D),
    and sending the pubkeys with I2_D.

    A also creates "half" key images:
    I1_D = (Hs(aR)+b) * Hp(D)

    Then I_D = I1_D + I2_D

    Having I_D allows A to check spent status of course, but more importantly allows A to actually build a transaction prefix (and thus transaction).

    A builds the transaction until most of the way through MLSAG_Gen, adding the 2 pubkeys (per input) provided with I2_D
    to his own generated ones where they are needed (secret row L, R).

    At this point, A has a mostly completed transaction (but with an invalid/incomplete signature). A sends over the tx and includes r,
    which allows B (with the recipient's address) to verify the destination and amount (by reconstructing the stealth address and decoding ecdhInfo).

    B then finishes the signature by computing ss[secret_index][0] = ss[secret_index][0] + k - cc[secret_index]*c (secret indices need to be passed as well).

    B can then broadcast the tx, or send it back to A for broadcasting. Once B has completed the signing (and verified the tx to be valid), he can add the full I_D
    to his cache, allowing him to verify spent status as well.

    NOTE:
    A and B *must* present key A and B to each other with a valid signature proving they know a and b respectively.
    Otherwise, trickery like the following becomes possible:
    A creates viewkey a,A, spendkey b,B, and sends a,A,B to B.
    B creates a fake key C = zG - B. B sends C back to A.
    The combined spendkey C+B then equals zG, allowing B to spend funds at any time!
    The signature fixes this, because B does not know a c corresponding to C (and thus can't produce a signature).

    2 of 3

    User A (coordinator)
    Shared viewkey a,A
    "spendkey" j,J

    User B
    "spendkey" k,K

    User C
    "spendkey" m,M

    A collects K and M from B and C
    B collects J and M from A and C
    C collects J and K from A and B

    A computes N = nG, n = Hs(jK)
    A computes O = oG, o = Hs(jM)

    B anc C compute P = pG, p = Hs(kM) || Hs(mK)
    B and C can also compute N and O respectively if they wish to be able to coordinate

    Address: N+O+P, A

    The rest follows as above. The coordinator possesses 2 of 3 needed keys; he can get the other
    needed part of the signature/key images from either of the other two.

    Alternatively, if secure communication exists between parties:
    A gives j to B
    B gives k to C
    C gives m to A

    Address: J+K+M, A

    3 of 3

    Identical to 2 of 2, except the coordinator must collect the key images from both of the others.
    The transaction must also be passed an additional hop: A -> B -> C (or A -> C -> B), who can then broadcast it
    or send it back to A.

    N-1 of N

    Generally the same as 2 of 3, except participants need to be arranged in a ring to pass their keys around
    (using either the secure or insecure method).
    For example (ignoring viewkey so letters line up):
    [4 of 5]
    User: spendkey
    A: a
    B: b
    C: c
    D: d
    E: e

    a -> B, b -> C, c -> D, d -> E, e -> A

    Order of signing does not matter, it just must reach n-1 users. A "remaining keys" list must be passed around with
    the transaction so the signers know if they should use 1 or both keys.
    Collecting key image parts becomes a little messy, but basically every wallet sends over both of their parts with a tag for each.
    Thia way the coordinating wallet can keep track of which images have been added and which wallet they come from. Reasoning:
    1. The key images must be added only once (coordinator will get key images for key a from both A and B, he must add only one to get the proper key actual key image)
    2. The coordinator must keep track of which helper pubkeys came from which wallet (discussed in 2 of 2 section). The coordinator
    must choose only one set to use, then include his choice in the "remaining keys" list so the other wallets know which of their keys to use.

    You can generalize it further to N-2 of N or even M of N, but I'm not sure there's legitimate demand to justify the complexity. It might
    also be straightforward enough to support with minimal changes from N-1 format.
    You basically just give each user additional keys for each additional "-1" you desire. N-2 would be 3 keys per user, N-3 4 keys, etc.

The process is somewhat cumbersome:

To create a N/N multisig wallet:

 - each participant creates a normal wallet
 - each participant runs "prepare_multisig", and sends the resulting string to every other participant
 - each participant runs "make_multisig N A B C D...", with N being the threshold and A B C D... being the strings received from other participants (the threshold must currently equal N)

As txes are received, participants' wallets will need to synchronize so that those new outputs may be spent:

 - each participant runs "export_multisig FILENAME", and sends the FILENAME file to every other participant
 - each participant runs "import_multisig A B C D...", with A B C D... being the filenames received from other participants

Then, a transaction may be initiated:

 - one of the participants runs "transfer ADDRESS AMOUNT"
 - this partly signed transaction will be written to the "multisig_monero_tx" file
 - the initiator sends this file to another participant
 - that other participant runs "sign_multisig multisig_monero_tx"
 - the resulting transaction is written to the "multisig_monero_tx" file again
 - if the threshold was not reached, the file must be sent to another participant, until enough have signed
 - the last participant to sign runs "submit_multisig multisig_monero_tx" to relay the transaction to the Monero network
2017-12-17 16:11:57 +00:00
moneromooo-monero
c83d0b3ee2
add bulletproofs from v7 on testnet 2017-12-08 13:50:45 +00:00
moneromooo-monero
d58835b2f6
integrate bulletproofs into monero 2017-12-08 13:48:15 +00:00
moneromooo-monero
383ff4f689
remove "using namespace std" from headers
It's nasty, and actually breaks on Solaris, where if.h fails to
build due to:

  struct map *if_memmap;
2017-11-14 16:56:10 +00:00
kenshi84
53ad5a0f42
Subaddresses 2017-10-07 13:06:21 +09:00
Lee Clagett
93e10f1cc4 Simplified the implementation and features of span 2017-04-11 16:35:14 -04:00
Lee Clagett
4a8f96f95d Improvements for epee binary to hex functions:
- Performance improvements
  - Added `span` for zero-copy pointer+length arguments
  - Added `std::ostream` overload for direct writing to output buffers
  - Removal of unused `string_tools::buff_to_hex`
2017-04-11 16:35:00 -04:00
Timothy D. Prime
6b145763f7 Fix clang build failure, caused by mixing C and C++
Easily fixed by moving a C++ header out of 'extern "C" {...}'.

When building with CC=clang CXX=clang++ make,
[ 21%] Building CXX object src/ringct/CMakeFiles/obj_ringct.dir/rctTypes.cpp.o
In file included from /home/tdprime/bitmonero/src/ringct/rctTypes.cpp:31:
In file included from /home/tdprime/bitmonero/src/ringct/rctTypes.h:43:
In file included from /home/tdprime/bitmonero/src/crypto/generic-ops.h:34:
/usr/bin/../lib/gcc/x86_64-linux-gnu/5.4.0/../../../../include/c++/5.4.0/cstring💯3: error: conflicting types for 'memchr'
  memchr(void* __s, int __c, size_t __n)
    ^
	/usr/include/string.h:92:14: note: previous declaration is here
	extern void *memchr (const void *__s, int __c, size_t __n)
	             ^
... and 4 more similar errors
2017-01-26 17:30:00 -08:00
Chris Vickio
fb76d43980 add extra braces around subobjects (missing-braces warning) 2017-01-14 15:06:07 +03:00
moneroexamples
374b58d131 fix MGs json 2016-12-14 09:27:37 +08:00
Shen Noether
76958fc75a
ringct: switch to Borromean signatures 2016-12-04 21:54:11 +00:00
moneromooo-monero
59443bf9df
ringct: fix MGs serialization to JSON 2016-12-02 13:16:19 +00:00
moneromooo-monero
3126ba7425
ringct: use const refs as parameters where appropriate 2016-10-08 22:16:23 +01:00
moneromooo-monero
7d413f635f
rct: rework serialization to avoid storing vector sizes 2016-09-14 20:23:06 +01:00
moneromooo-monero
16732a85d7
rct: faster Cryptonote/rct conversions 2016-08-28 21:30:45 +01:00
moneromooo-monero
c3b3260ae5
New "Halfway RingCT" outputs for coinbase transactions
When RingCT is enabled, outputs from coinbase transactions
are created as a single output, and stored as RingCT output,
with a fake mask. Their amount is not hidden on the blockchain
itself, but they are then able to be used as fake inputs in
a RingCT ring. Since the output amounts are hidden, their
"dustiness" is not an obstacle anymore to mixing, and this
makes the coinbase transactions a lot smaller, as well as
helping the TXO set to grow more slowly.

Also add a new "Null" type of rct signature, which decreases
the size required when no signatures are to be stored, as
in a coinbase tx.
2016-08-28 21:30:26 +01:00
moneromooo-monero
d4b8991e44
rct: serialize txnFee as varint 2016-08-28 21:30:21 +01:00
moneromooo-monero
93f5c625f0
rct: rework v2 txes into prunable and non prunable data
Nothing is pruned, but this allows easier changes later.
2016-08-28 21:30:18 +01:00
moneromooo-monero
3ab2ab3e76
rct: change the simple flag to a type
for future expansion
2016-08-28 21:30:14 +01:00
Shen Noether
c5be4b0bea
rct: avoid the need for the last II element
This element is used in the generation of the MLSAG, but isn't
needed in verification.
Also misc changes in the cryptonote code to match, by mooo.
2016-08-28 21:30:12 +01:00
moneromooo-monero
b337aea6cc
rct: do not serialize senderPk - it is not used anymore 2016-08-28 21:30:01 +01:00
moneromooo-monero
9b70856ccb
rct: make the amount key derivable by a third party with the tx key
Scheme design from luigi1114.
2016-08-28 21:29:46 +01:00
moneromooo-monero
cf33e1a52a
rct: do not serialize public keys in outPk
They can be reconstructed from vout
2016-08-28 21:29:43 +01:00
moneromooo-monero
a4d4d6194b
integrate simple rct api 2016-08-28 21:29:20 +01:00
Shen Noether
4fd01f2bee
ringct: "simple" ringct variant
Allows the fake outs to be in different positions for each ring.
For rct inputs only.
2016-08-28 21:29:14 +01:00