def wait_for_tx_update_mk_tree(zeth_client: MixerClient, mk_tree: MerkleTree,
tx_hash: str) -> MixResult:
tx_receipt = zeth_client.web3.eth.waitForTransactionReceipt(tx_hash, 10000)
result = parse_mix_call(zeth_client.mixer_instance, tx_receipt)
for out_ev in result.output_events:
mk_tree.insert(out_ev.commitment)
if mk_tree.recompute_root() != result.new_merkle_root:
raise Exception("Merkle root mismatch between log and local tree")
return result
def _check_merkle_path(self, address: int, mkpath: List[str],
mktree: MerkleTree) -> None:
self.assertEqual(len(mkpath), mktree.depth)
current = mktree.get_node(0, address)
for i in range(mktree.depth):
if address & 1:
current = MerkleTree.combine(bytes.fromhex(mkpath[i]), current)
else:
current = MerkleTree.combine(current, bytes.fromhex(mkpath[i]))
address = address >> 1
self.assertEqual(mktree.get_root(), current)
def test_empty(self) -> None:
mktree = MerkleTree.empty_with_size(MERKLE_TREE_TEST_NUM_LEAVES)
root = mktree.recompute_root()
num_entries = mktree.get_num_entries()
self.assertEqual(0, num_entries)
self.assertEqual(self._expected_empty(), root)
def _check_tree_nodes(self, leaves: List[bytes],
mktree: MerkleTree) -> None:
def layer_size(layer: int) -> int:
return int(MERKLE_TREE_TEST_NUM_LEAVES / pow(2, layer))
# Check layer 0
_, layer_0 = next(mktree.get_layers())
self.assertEqual(leaves, layer_0)
# Check layer `layer`
for layer in range(1, MERKLE_TREE_TEST_DEPTH):
for i in range(layer_size(layer)):
self.assertEqual(
MerkleTree.combine(mktree.get_node(layer - 1, 2 * i),
mktree.get_node(layer - 1, 2 * i + 1)),
mktree.get_node(layer, i), f"Layer {layer}, node {i}")
def _check_path_for_num_entries(num_entries: int,
address: int) -> None:
mktree = MerkleTree.empty_with_size(tree_size, MERKLE_TREE_HASH)
for val in TEST_VALUES[0:num_entries]:
mktree.insert(val)
_ = mktree.recompute_root()
mkpath = compute_merkle_path(address, mktree)
self._check_merkle_path(address, mkpath, mktree)
def test_single_entry_all_nodes(self) -> None:
mktree = MerkleTree.empty_with_size(MERKLE_TREE_TEST_NUM_LEAVES)
mktree.insert(TEST_VALUES[0])
_ = mktree.recompute_root()
self._check_tree_nodes([TEST_VALUES[0]], mktree)
self.assertEqual(mktree.recompute_root(),
mktree.get_node(MERKLE_TREE_TEST_DEPTH, 0))
def test_multiple_entries_all_nodes(self) -> None:
mktree = MerkleTree.empty_with_size(MERKLE_TREE_TEST_NUM_LEAVES)
mktree.insert(TEST_VALUES[0])
mktree.insert(TEST_VALUES[1])
mktree.insert(TEST_VALUES[2])
_ = mktree.recompute_root()
self._check_tree_nodes(
[TEST_VALUES[0], TEST_VALUES[1], TEST_VALUES[2]], mktree)
def test_combine(self) -> None:
# Use test vectors used to test the MiMC contract (generated in
# test_mimc.py)
left = self._test_vector_to_bytes32(
3703141493535563179657531719960160174296085208671919316200479060314459804651
) # noqa
right = self._test_vector_to_bytes32(
15683951496311901749339509118960676303290224812129752890706581988986633412003
) # noqa
expect = self._test_vector_to_bytes32(
16797922449555994684063104214233396200599693715764605878168345782964540311877
) # noqa
result = MerkleTree.combine(left, right)
self.assertEqual(expect, result)
def _test_partial(num_entries: int, step: int = 1) -> None:
"""
Take the first 'num_entries' from TEST_VALUES. Cut them at each possible
place and submit them as two halves to the contract, receiving back the
root for the updated tree.
"""
leaves = TEST_VALUES[:num_entries]
mktree = MerkleTree.empty_with_depth(ZETH_MERKLE_TREE_DEPTH)
for leaf in leaves:
mktree.insert(leaf)
expected_root = mktree.recompute_root()
for cut in range(0, num_entries + 1, step):
print(f"_test_partial: num_entries={num_entries}, cut={cut}")
first = leaves[:cut]
second = leaves[cut:]
root = contract.functions.testAddLeaves(first, second).call()
assert_root(expected_root, root,
f"num_entries: {num_entries}, cut: {cut}: ")
def test_single_entry(self) -> None:
mktree_file = join(MERKLE_TREE_TEST_DIR, "single")
data = TEST_VALUES[0]
mktree = PersistentMerkleTree.open(mktree_file,
MERKLE_TREE_TEST_NUM_LEAVES)
mktree.insert(data)
self.assertEqual(1, mktree.get_num_entries())
self.assertEqual(data, mktree.get_leaf(0))
self.assertEqual(ZERO_ENTRY, mktree.get_leaf(1))
root_1 = mktree.recompute_root()
self.assertEqual(MerkleTree.combine(data, ZERO_ENTRY),
mktree.get_node(1, 0))
self.assertNotEqual(self._expected_empty(), root_1)
mktree.save()
mktree = PersistentMerkleTree.open(mktree_file,
MERKLE_TREE_TEST_NUM_LEAVES)
self.assertEqual(1, mktree.get_num_entries())
self.assertEqual(data, mktree.get_leaf(0))
self.assertEqual(ZERO_ENTRY, mktree.get_leaf(1))
root_2 = mktree.recompute_root()
self.assertEqual(root_1, root_2)
def charlie_corrupt_bob_deposit(
zeth_client: MixerClient,
mk_tree: MerkleTree,
bob_eth_address: str,
charlie_eth_address: str,
keystore: mock.KeyStore) -> contracts.MixResult:
"""
Charlie tries to break transaction malleability and corrupt the coins
bob is sending in a transaction
She does so by intercepting bob's transaction and either:
- case 1: replacing the ciphertexts (or sender_eph_pk) by garbage/arbitrary
data
- case 2: replacing the ciphertexts by garbage/arbitrary data and using a
new OT-signature
- case 3: Charlie replays the mix call of Bob, to try to receive the vout
Both attacks should fail,
- case 1: the signature check should fail, else Charlie broke UF-CMA of the
OT signature
- case 2: the h_sig/vk verification should fail, as h_sig is not a function
of vk any longer
- case 3: the signature check should fail, because `msg.sender` will no match
the value used in the mix parameters (Bob's Ethereum Address).
NB. If the adversary were to corrupt the ciphertexts (or the encryption key),
replace the OT-signature by a new one and modify the h_sig accordingly so that
the check on the signature verification (key h_sig/vk) passes, the proof would
not verify, which is why we do not test this case.
"""
print(
f"=== Bob deposits {BOB_DEPOSIT_ETH} ETH for himself and split into " +
f"note1: {BOB_SPLIT_1_ETH}ETH, note2: {BOB_SPLIT_2_ETH}ETH " +
"but Charlie attempts to corrupt the transaction ===")
bob_apk = keystore["Bob"].addr_pk.a_pk
bob_ask = keystore["Bob"].addr_sk.a_sk
tree_depth = mk_tree.depth
mk_root = mk_tree.get_root()
# mk_tree_depth = zeth_client.mk_tree_depth
# mk_root = zeth_client.merkle_root
# Create the JoinSplit dummy inputs for the deposit
input1 = get_dummy_input_and_address(bob_apk)
input2 = get_dummy_input_and_address(bob_apk)
dummy_mk_path = mock.get_dummy_merkle_path(tree_depth)
note1_value = to_zeth_units(EtherValue(BOB_SPLIT_1_ETH))
note2_value = to_zeth_units(EtherValue(BOB_SPLIT_2_ETH))
v_in = to_zeth_units(EtherValue(BOB_DEPOSIT_ETH))
(output_note1, output_note2, proof_json, joinsplit_keypair) = \
zeth_client.get_proof_joinsplit_2_by_2(
mk_root,
input1,
dummy_mk_path,
input2,
dummy_mk_path,
bob_ask, # sender
(bob_apk, note1_value), # recipient1
(bob_apk, note2_value), # recipient2
v_in, # v_in
to_zeth_units(EtherValue(0)) # v_out
)
# Encrypt the coins to bob
pk_bob = keystore["Bob"].addr_pk.k_pk
ciphertexts = encrypt_notes([
(output_note1, pk_bob),
(output_note2, pk_bob)])
# ### ATTACK BLOCK
# Charlie intercepts Bob's deposit, corrupts it and
# sends her transaction before Bob's transaction is accepted
# Case 1: replacing the ciphertexts by garbage/arbitrary data
# Corrupt the ciphertexts
# (another way would have been to overwrite sender_eph_pk)
fake_ciphertext0 = urandom(32)
fake_ciphertext1 = urandom(32)
result_corrupt1 = None
try:
joinsplit_sig_charlie = joinsplit_sign(
joinsplit_keypair,
charlie_eth_address,
ciphertexts,
proof_json)
mix_params = contracts.MixParameters(
proof_json,
joinsplit_keypair.vk,
joinsplit_sig_charlie,
[fake_ciphertext0, fake_ciphertext1])
tx_hash = zeth_client.mix(
mix_params,
charlie_eth_address,
None,
EtherValue(BOB_DEPOSIT_ETH))
result_corrupt1 = \
wait_for_tx_update_mk_tree(zeth_client, mk_tree, tx_hash)
except Exception as e:
print(
"Charlie's first corruption attempt" +
f" successfully rejected! (msg: {e})"
)
assert(result_corrupt1 is None), \
"Charlie managed to corrupt Bob's deposit the first time!"
print("")
# Case 2: replacing the ciphertexts by garbage/arbitrary data and
# using a new OT-signature
# Corrupt the ciphertexts
fake_ciphertext0 = urandom(32)
fake_ciphertext1 = urandom(32)
new_joinsplit_keypair = signing.gen_signing_keypair()
# Sign the primary inputs, sender_eph_pk and the ciphertexts
result_corrupt2 = None
try:
joinsplit_sig_charlie = joinsplit_sign(
new_joinsplit_keypair,
charlie_eth_address,
[fake_ciphertext0, fake_ciphertext1],
proof_json)
mix_params = contracts.MixParameters(
proof_json,
new_joinsplit_keypair.vk,
joinsplit_sig_charlie,
[fake_ciphertext0, fake_ciphertext1])
tx_hash = zeth_client.mix(
mix_params,
charlie_eth_address,
None,
EtherValue(BOB_DEPOSIT_ETH))
result_corrupt2 = \
wait_for_tx_update_mk_tree(zeth_client, mk_tree, tx_hash)
except Exception as e:
print(
"Charlie's second corruption attempt" +
f" successfully rejected! (msg: {e})"
)
assert(result_corrupt2 is None), \
"Charlie managed to corrupt Bob's deposit the second time!"
# Case3: Charlie uses the correct mix data, but attempts to send the mix
# call from his own address (thereby receiving the output).
result_corrupt3 = None
try:
joinsplit_sig_bob = joinsplit_sign(
joinsplit_keypair,
bob_eth_address,
ciphertexts,
proof_json)
mix_params = contracts.MixParameters(
proof_json,
joinsplit_keypair.vk,
joinsplit_sig_bob,
ciphertexts)
tx_hash = zeth_client.mix(
mix_params,
charlie_eth_address,
None,
EtherValue(BOB_DEPOSIT_ETH),
4000000)
result_corrupt3 = \
wait_for_tx_update_mk_tree(zeth_client, mk_tree, tx_hash)
except Exception as e:
print(
"Charlie's third corruption attempt" +
f" successfully rejected! (msg: {e})"
)
assert(result_corrupt3 is None), \
"Charlie managed to corrupt Bob's deposit the third time!"
# ### ATTACK BLOCK
# Bob transaction is finally mined
joinsplit_sig_bob = joinsplit_sign(
joinsplit_keypair,
bob_eth_address,
ciphertexts,
proof_json)
mix_params = contracts.MixParameters(
proof_json,
joinsplit_keypair.vk,
joinsplit_sig_bob,
ciphertexts)
tx_hash = zeth_client.mix(
mix_params,
bob_eth_address,
None,
EtherValue(BOB_DEPOSIT_ETH))
return wait_for_tx_update_mk_tree(zeth_client, mk_tree, tx_hash)
def charlie_double_withdraw(
zeth_client: MixerClient,
mk_tree: MerkleTree,
input1: Tuple[int, ZethNote],
charlie_eth_address: str,
keystore: mock.KeyStore) -> contracts.MixResult:
"""
Charlie tries to carry out a double spending by modifying the value of the
nullifier of the previous payment
"""
print(
f" === Charlie attempts to withdraw {CHARLIE_WITHDRAW_ETH}ETH once " +
"more (double spend) one of his note on the Mixer ===")
charlie_apk = keystore["Charlie"].addr_pk.a_pk
charlie_ask = keystore["Charlie"].addr_sk.a_sk
tree_depth = mk_tree.depth
mk_path1 = compute_merkle_path(input1[0], mk_tree)
mk_root = mk_tree.get_root()
# Create the an additional dummy input for the MixerClient
input2 = get_dummy_input_and_address(charlie_apk)
dummy_mk_path = mock.get_dummy_merkle_path(tree_depth)
note1_value = to_zeth_units(EtherValue(CHARLIE_WITHDRAW_CHANGE_ETH))
v_out = EtherValue(CHARLIE_WITHDRAW_ETH)
# ### ATTACK BLOCK
# Add malicious nullifiers: we reuse old nullifiers to double spend by
# adding $r$ to them so that they have the same value as before in Z_r,
# and so the zksnark verification passes, but have different values in
# {0;1}^256 so that they appear different to the contract.
# See: https://github.com/clearmatics/zeth/issues/38
attack_primary_input3: int = 0
attack_primary_input4: int = 0
def compute_h_sig_attack_nf(
nf0: bytes,
nf1: bytes,
sign_vk: JoinsplitSigVerificationKey) -> bytes:
# We disassemble the nfs to get the formatting of the primary inputs
input_nullifier0 = nf0.hex()
input_nullifier1 = nf1.hex()
nf0_rev = "{0:0256b}".format(int(input_nullifier0, 16))
primary_input3_bits = nf0_rev[:FIELD_CAPACITY]
primary_input3_res_bits = nf0_rev[FIELD_CAPACITY:]
nf1_rev = "{0:0256b}".format(int(input_nullifier1, 16))
primary_input4_bits = nf1_rev[:FIELD_CAPACITY]
primary_input4_res_bits = nf1_rev[FIELD_CAPACITY:]
# We perform the attack, recoding the modified public input values
nonlocal attack_primary_input3
nonlocal attack_primary_input4
attack_primary_input3 = int(primary_input3_bits, 2) + ZETH_PRIME
attack_primary_input4 = int(primary_input4_bits, 2) + ZETH_PRIME
# We reassemble the nfs
attack_primary_input3_bits = "{0:0256b}".format(attack_primary_input3)
attack_nf0_bits = attack_primary_input3_bits[
len(attack_primary_input3_bits) - FIELD_CAPACITY:] +\
primary_input3_res_bits
attack_nf0 = "{0:064x}".format(int(attack_nf0_bits, 2))
attack_primary_input4_bits = "{0:0256b}".format(attack_primary_input4)
attack_nf1_bits = attack_primary_input4_bits[
len(attack_primary_input4_bits) - FIELD_CAPACITY:] +\
primary_input4_res_bits
attack_nf1 = "{0:064x}".format(int(attack_nf1_bits, 2))
return compute_h_sig(
bytes.fromhex(attack_nf0), bytes.fromhex(attack_nf1), sign_vk)
(output_note1, output_note2, proof_json, signing_keypair) = \
zeth_client.get_proof_joinsplit_2_by_2(
mk_root,
input1,
mk_path1,
input2,
dummy_mk_path,
charlie_ask, # sender
(charlie_apk, note1_value), # recipient1
(charlie_apk, 0), # recipient2
to_zeth_units(EtherValue(0)), # v_in
to_zeth_units(v_out), # v_out
compute_h_sig_attack_nf)
# Update the primary inputs to the modified nullifiers, since libsnark
# overwrites them with values in Z_p
assert attack_primary_input3 != 0
assert attack_primary_input4 != 0
print("proof_json => ", proof_json)
print("proof_json[inputs][3] => ", proof_json["inputs"][3])
print("proof_json[inputs][4] => ", proof_json["inputs"][4])
proof_json["inputs"][3] = hex(attack_primary_input3)
proof_json["inputs"][4] = hex(attack_primary_input4)
# ### ATTACK BLOCK
# construct pk object from bytes
pk_charlie = keystore["Charlie"].addr_pk.k_pk
# encrypt the coins
ciphertexts = encrypt_notes([
(output_note1, pk_charlie),
(output_note2, pk_charlie)])
# Compute the joinSplit signature
joinsplit_sig_charlie = joinsplit_sign(
signing_keypair,
charlie_eth_address,
ciphertexts,
proof_json)
mix_params = contracts.MixParameters(
proof_json,
signing_keypair.vk,
joinsplit_sig_charlie,
ciphertexts)
tx_hash = zeth_client.mix(
mix_params,
charlie_eth_address,
# Pay an arbitrary amount (1 wei here) that will be refunded since the
# `mix` function is payable
None,
EtherValue(1, 'wei'))
return wait_for_tx_update_mk_tree(zeth_client, mk_tree, tx_hash)
def test_tree_empty(contract: Any) -> None:
mktree = MerkleTree.empty_with_depth(ZETH_MERKLE_TREE_DEPTH)
expected_root = mktree.recompute_root()
root = contract.functions.testAddLeaves([], []).call()
assert_root(expected_root, root, "test_tree_empty")
def create_mix_parameters_keep_signing_key(
self,
mk_tree: MerkleTree,
sender_ownership_keypair: OwnershipKeyPair,
sender_eth_address: str,
inputs: List[Tuple[int, ZethNote]],
outputs: List[Tuple[ZethAddressPub, EtherValue]],
v_in: EtherValue,
v_out: EtherValue,
compute_h_sig_cb: Optional[ComputeHSigCB] = None
) -> Tuple[contracts.MixParameters, JoinsplitSigKeyPair]:
assert len(inputs) <= constants.JS_INPUTS
assert len(outputs) <= constants.JS_OUTPUTS
sender_a_sk = sender_ownership_keypair.a_sk
sender_a_pk = sender_ownership_keypair.a_pk
inputs = \
inputs + \
[get_dummy_input_and_address(sender_a_pk)
for _ in range(constants.JS_INPUTS - len(inputs))]
mk_root = mk_tree.get_root()
mk_paths = [compute_merkle_path(addr, mk_tree) for addr, _ in inputs]
# Generate output notes and proof. Dummy outputs are constructed with
# value 0 to an invalid ZethAddressPub, formed from the senders
# a_pk, and an ephemeral k_pk.
dummy_k_pk = generate_encryption_keypair().k_pk
dummy_addr_pk = ZethAddressPub(sender_a_pk, dummy_k_pk)
outputs = \
outputs + \
[(dummy_addr_pk, EtherValue(0))
for _ in range(constants.JS_OUTPUTS - len(outputs))]
outputs_with_a_pk = \
[(zeth_addr.a_pk, to_zeth_units(value))
for (zeth_addr, value) in outputs]
# Timer used to time proof-generation round trip time.
timer = Timer.started()
(output_note1, output_note2, extproof, signing_keypair) = \
self.get_proof_joinsplit_2_by_2(
mk_root,
inputs[0],
mk_paths[0],
inputs[1],
mk_paths[1],
sender_a_sk,
outputs_with_a_pk[0],
outputs_with_a_pk[1],
to_zeth_units(v_in),
to_zeth_units(v_out),
compute_h_sig_cb)
proof_gen_time_s = timer.elapsed_seconds()
print(f"PROOF GEN ROUND TRIP: {proof_gen_time_s} seconds")
# Encrypt the notes
outputs_and_notes = zip(outputs, [output_note1, output_note2])
output_notes_with_k_pk = \
[(note, zeth_addr.k_pk)
for ((zeth_addr, _), note) in outputs_and_notes]
ciphertexts = encrypt_notes(output_notes_with_k_pk)
# Sign
signature = joinsplit_sign(signing_keypair, sender_eth_address,
ciphertexts, extproof)
mix_params = contracts.MixParameters(extproof, signing_keypair.vk,
signature, ciphertexts)
return mix_params, signing_keypair
