Commit Graph

50 Commits

Author SHA1 Message Date
stoffu
67a56a9f8b
rctTypes: fix incorrect serialization 2018-09-12 20:33:10 +09:00
moneromooo-monero
61632dc166
ringct: prevent a potential very large allocation
Reported by QuarksLab.
2018-09-11 13:38:14 +00:00
moneromooo-monero
5ffb2ff9b7
v8: per byte fee, pad bulletproofs, fixed 11 ring size 2018-09-11 13:38:07 +00:00
moneromooo-monero
2a8fcb421b
Bulletproof aggregated verification and tests
Also constrains bulletproofs to simple rct, for simplicity
2018-09-11 13:37:37 +00:00
moneromooo-monero
9ce9f8caf6
bulletproofs: add multi output bulletproofs to rct 2018-09-11 13:37:28 +00:00
moneromooo-monero
aacfd6e370
bulletproofs: multi-output bulletproofs 2018-09-11 13:37:17 +00:00
moneromooo-monero
7c8f95d3e2
ringct: make conversion functions return const refs
This might avoid unnecessary copies.

Reported by stoffu
2018-09-04 18:28:20 +00:00
moneromooo-monero
d2e26c23f3
add and use constant time 32 byte equality function 2018-08-23 07:56:51 +00:00
Lee Clagett
4616cf2641 Fixed ZMQ-RPC for transactions and GET_BLOCKS_FAST 2018-08-02 07:30:20 +00:00
einsteinsfool
7cdd147da5 Changed URLs to HTTPS 2018-06-23 21:15:29 +02:00
moneromooo-monero
b809058993
ringct: pseudoOuts moved to prunable in the simple bulletproof case
Saves 64 bytes non prunable data per typical tx

This breaks v7 consensus, will require a testnet reorg from v6
2018-01-31 15:56:26 +00:00
moneromooo-monero
2d17feb060
factor STL container serialization 2017-12-22 19:47:12 +00:00
moneromooo-monero
f4eda44ce3
N-1/N multisig 2017-12-17 16:12:12 +00:00
moneromooo-monero
4c313324b1
Add N/N multisig tx generation and signing
Scheme by luigi1111:

    Multisig for RingCT on Monero

    2 of 2

    User A (coordinator):
    Spendkey b,B
    Viewkey a,A (shared)

    User B:
    Spendkey c,C
    Viewkey a,A (shared)

    Public Address: C+B, A

    Both have their own watch only wallet via C+B, a

    A will coordinate spending process (though B could easily as well, coordinator is more needed for more participants)

    A and B watch for incoming outputs

    B creates "half" key images for discovered output D:
    I2_D = (Hs(aR)+c) * Hp(D)

    B also creates 1.5 random keypairs (one scalar and 2 pubkeys; one on base G and one on base Hp(D)) for each output, storing the scalar(k) (linked to D),
    and sending the pubkeys with I2_D.

    A also creates "half" key images:
    I1_D = (Hs(aR)+b) * Hp(D)

    Then I_D = I1_D + I2_D

    Having I_D allows A to check spent status of course, but more importantly allows A to actually build a transaction prefix (and thus transaction).

    A builds the transaction until most of the way through MLSAG_Gen, adding the 2 pubkeys (per input) provided with I2_D
    to his own generated ones where they are needed (secret row L, R).

    At this point, A has a mostly completed transaction (but with an invalid/incomplete signature). A sends over the tx and includes r,
    which allows B (with the recipient's address) to verify the destination and amount (by reconstructing the stealth address and decoding ecdhInfo).

    B then finishes the signature by computing ss[secret_index][0] = ss[secret_index][0] + k - cc[secret_index]*c (secret indices need to be passed as well).

    B can then broadcast the tx, or send it back to A for broadcasting. Once B has completed the signing (and verified the tx to be valid), he can add the full I_D
    to his cache, allowing him to verify spent status as well.

    NOTE:
    A and B *must* present key A and B to each other with a valid signature proving they know a and b respectively.
    Otherwise, trickery like the following becomes possible:
    A creates viewkey a,A, spendkey b,B, and sends a,A,B to B.
    B creates a fake key C = zG - B. B sends C back to A.
    The combined spendkey C+B then equals zG, allowing B to spend funds at any time!
    The signature fixes this, because B does not know a c corresponding to C (and thus can't produce a signature).

    2 of 3

    User A (coordinator)
    Shared viewkey a,A
    "spendkey" j,J

    User B
    "spendkey" k,K

    User C
    "spendkey" m,M

    A collects K and M from B and C
    B collects J and M from A and C
    C collects J and K from A and B

    A computes N = nG, n = Hs(jK)
    A computes O = oG, o = Hs(jM)

    B anc C compute P = pG, p = Hs(kM) || Hs(mK)
    B and C can also compute N and O respectively if they wish to be able to coordinate

    Address: N+O+P, A

    The rest follows as above. The coordinator possesses 2 of 3 needed keys; he can get the other
    needed part of the signature/key images from either of the other two.

    Alternatively, if secure communication exists between parties:
    A gives j to B
    B gives k to C
    C gives m to A

    Address: J+K+M, A

    3 of 3

    Identical to 2 of 2, except the coordinator must collect the key images from both of the others.
    The transaction must also be passed an additional hop: A -> B -> C (or A -> C -> B), who can then broadcast it
    or send it back to A.

    N-1 of N

    Generally the same as 2 of 3, except participants need to be arranged in a ring to pass their keys around
    (using either the secure or insecure method).
    For example (ignoring viewkey so letters line up):
    [4 of 5]
    User: spendkey
    A: a
    B: b
    C: c
    D: d
    E: e

    a -> B, b -> C, c -> D, d -> E, e -> A

    Order of signing does not matter, it just must reach n-1 users. A "remaining keys" list must be passed around with
    the transaction so the signers know if they should use 1 or both keys.
    Collecting key image parts becomes a little messy, but basically every wallet sends over both of their parts with a tag for each.
    Thia way the coordinating wallet can keep track of which images have been added and which wallet they come from. Reasoning:
    1. The key images must be added only once (coordinator will get key images for key a from both A and B, he must add only one to get the proper key actual key image)
    2. The coordinator must keep track of which helper pubkeys came from which wallet (discussed in 2 of 2 section). The coordinator
    must choose only one set to use, then include his choice in the "remaining keys" list so the other wallets know which of their keys to use.

    You can generalize it further to N-2 of N or even M of N, but I'm not sure there's legitimate demand to justify the complexity. It might
    also be straightforward enough to support with minimal changes from N-1 format.
    You basically just give each user additional keys for each additional "-1" you desire. N-2 would be 3 keys per user, N-3 4 keys, etc.

The process is somewhat cumbersome:

To create a N/N multisig wallet:

 - each participant creates a normal wallet
 - each participant runs "prepare_multisig", and sends the resulting string to every other participant
 - each participant runs "make_multisig N A B C D...", with N being the threshold and A B C D... being the strings received from other participants (the threshold must currently equal N)

As txes are received, participants' wallets will need to synchronize so that those new outputs may be spent:

 - each participant runs "export_multisig FILENAME", and sends the FILENAME file to every other participant
 - each participant runs "import_multisig A B C D...", with A B C D... being the filenames received from other participants

Then, a transaction may be initiated:

 - one of the participants runs "transfer ADDRESS AMOUNT"
 - this partly signed transaction will be written to the "multisig_monero_tx" file
 - the initiator sends this file to another participant
 - that other participant runs "sign_multisig multisig_monero_tx"
 - the resulting transaction is written to the "multisig_monero_tx" file again
 - if the threshold was not reached, the file must be sent to another participant, until enough have signed
 - the last participant to sign runs "submit_multisig multisig_monero_tx" to relay the transaction to the Monero network
2017-12-17 16:11:57 +00:00
moneromooo-monero
c83d0b3ee2
add bulletproofs from v7 on testnet 2017-12-08 13:50:45 +00:00
moneromooo-monero
d58835b2f6
integrate bulletproofs into monero 2017-12-08 13:48:15 +00:00
moneromooo-monero
383ff4f689
remove "using namespace std" from headers
It's nasty, and actually breaks on Solaris, where if.h fails to
build due to:

  struct map *if_memmap;
2017-11-14 16:56:10 +00:00
kenshi84
53ad5a0f42
Subaddresses 2017-10-07 13:06:21 +09:00
Lee Clagett
93e10f1cc4 Simplified the implementation and features of span 2017-04-11 16:35:14 -04:00
Lee Clagett
4a8f96f95d Improvements for epee binary to hex functions:
- Performance improvements
  - Added `span` for zero-copy pointer+length arguments
  - Added `std::ostream` overload for direct writing to output buffers
  - Removal of unused `string_tools::buff_to_hex`
2017-04-11 16:35:00 -04:00
Timothy D. Prime
6b145763f7 Fix clang build failure, caused by mixing C and C++
Easily fixed by moving a C++ header out of 'extern "C" {...}'.

When building with CC=clang CXX=clang++ make,
[ 21%] Building CXX object src/ringct/CMakeFiles/obj_ringct.dir/rctTypes.cpp.o
In file included from /home/tdprime/bitmonero/src/ringct/rctTypes.cpp:31:
In file included from /home/tdprime/bitmonero/src/ringct/rctTypes.h:43:
In file included from /home/tdprime/bitmonero/src/crypto/generic-ops.h:34:
/usr/bin/../lib/gcc/x86_64-linux-gnu/5.4.0/../../../../include/c++/5.4.0/cstring💯3: error: conflicting types for 'memchr'
  memchr(void* __s, int __c, size_t __n)
    ^
	/usr/include/string.h:92:14: note: previous declaration is here
	extern void *memchr (const void *__s, int __c, size_t __n)
	             ^
... and 4 more similar errors
2017-01-26 17:30:00 -08:00
Chris Vickio
fb76d43980 add extra braces around subobjects (missing-braces warning) 2017-01-14 15:06:07 +03:00
moneroexamples
374b58d131 fix MGs json 2016-12-14 09:27:37 +08:00
Shen Noether
76958fc75a
ringct: switch to Borromean signatures 2016-12-04 21:54:11 +00:00
moneromooo-monero
59443bf9df
ringct: fix MGs serialization to JSON 2016-12-02 13:16:19 +00:00
moneromooo-monero
3126ba7425
ringct: use const refs as parameters where appropriate 2016-10-08 22:16:23 +01:00
moneromooo-monero
7d413f635f
rct: rework serialization to avoid storing vector sizes 2016-09-14 20:23:06 +01:00
moneromooo-monero
16732a85d7
rct: faster Cryptonote/rct conversions 2016-08-28 21:30:45 +01:00
moneromooo-monero
c3b3260ae5
New "Halfway RingCT" outputs for coinbase transactions
When RingCT is enabled, outputs from coinbase transactions
are created as a single output, and stored as RingCT output,
with a fake mask. Their amount is not hidden on the blockchain
itself, but they are then able to be used as fake inputs in
a RingCT ring. Since the output amounts are hidden, their
"dustiness" is not an obstacle anymore to mixing, and this
makes the coinbase transactions a lot smaller, as well as
helping the TXO set to grow more slowly.

Also add a new "Null" type of rct signature, which decreases
the size required when no signatures are to be stored, as
in a coinbase tx.
2016-08-28 21:30:26 +01:00
moneromooo-monero
d4b8991e44
rct: serialize txnFee as varint 2016-08-28 21:30:21 +01:00
moneromooo-monero
93f5c625f0
rct: rework v2 txes into prunable and non prunable data
Nothing is pruned, but this allows easier changes later.
2016-08-28 21:30:18 +01:00
moneromooo-monero
3ab2ab3e76
rct: change the simple flag to a type
for future expansion
2016-08-28 21:30:14 +01:00
Shen Noether
c5be4b0bea
rct: avoid the need for the last II element
This element is used in the generation of the MLSAG, but isn't
needed in verification.
Also misc changes in the cryptonote code to match, by mooo.
2016-08-28 21:30:12 +01:00
moneromooo-monero
b337aea6cc
rct: do not serialize senderPk - it is not used anymore 2016-08-28 21:30:01 +01:00
moneromooo-monero
9b70856ccb
rct: make the amount key derivable by a third party with the tx key
Scheme design from luigi1114.
2016-08-28 21:29:46 +01:00
moneromooo-monero
cf33e1a52a
rct: do not serialize public keys in outPk
They can be reconstructed from vout
2016-08-28 21:29:43 +01:00
moneromooo-monero
a4d4d6194b
integrate simple rct api 2016-08-28 21:29:20 +01:00
Shen Noether
4fd01f2bee
ringct: "simple" ringct variant
Allows the fake outs to be in different positions for each ring.
For rct inputs only.
2016-08-28 21:29:14 +01:00
moneromooo-monero
20e50ec7f7
ringct: do not serialize what can be reconstructed
The mixRing (output keys and commitments) and II fields (key images)
can be reconstructed from vin data.
This saves some modest amount of space in the tx.
2016-08-28 21:28:55 +01:00
moneromooo-monero
cc7f449d57
make rct tx serialization work
It may be suboptimal, but it's a pain to have to rebuild everything
when some of this changes.
Also, no clue why there seems to be two different code paths for
serializing a tx...
2016-08-28 21:28:31 +01:00
Shen Noether
f8c04ad94f
ringct: txn fee stuff 2016-08-28 21:28:23 +01:00
moneromooo-monero
789b2e21f6
ringct: add more convenience functions 2016-08-28 21:28:20 +01:00
moneromooo-monero
c3a2e1450a
ringct: add convenience functions to bridge ringct and cryptonote 2016-08-28 21:28:14 +01:00
moneromooo-monero
700248f59e
tests: more ringct range proof tests 2016-08-28 21:27:43 +01:00
moneromooo-monero
d02f9995a8
rct: add serialization machinery to rct types 2016-08-28 21:27:41 +01:00
moneromooo-monero
0ff8305426
serialization: declare do_serialize specializations before use
This lets my gcc picks those instead of the generic template
where appropriate (and then fail since std::vector<something>
does not have a serialize method.
2016-08-28 21:27:38 +01:00
Shen Noether
8b135e7aa3
Added note on generating H2 2016-08-28 21:27:36 +01:00
Shen Noether
4d639d90ca
Fixed missing last index H2 2016-08-28 21:27:34 +01:00
moneromooo-monero
b656001030
ringct: add convenience operators to key 2016-08-28 21:27:24 +01:00
moneromooo-monero
9b1afe5f2d
ringct: import of Shen Noether's ring confidential transactions 2016-08-28 21:26:54 +01:00