def scalarmult_key(dst, P, s):
dst = _ensure_dst_key(dst)
crypto.decodepoint_into(tmp_pt_1, P)
crypto.decodeint_into_noreduce(tmp_sc_1, s)
crypto.scalarmult_into(tmp_pt_2, tmp_pt_1, tmp_sc_1)
crypto.encodepoint_into(dst, tmp_pt_2)
return dst
def _set_out_additional_keys(
state: State,
dst_entr: MoneroTransactionDestinationEntry) -> crypto.Scalar:
"""
If needed (decided in step 1), additional tx keys are calculated
for this particular output.
"""
if not state.need_additional_txkeys:
return None
additional_txkey_priv = crypto.random_scalar()
if dst_entr.is_subaddress:
# R=r*D
additional_txkey = crypto_helpers.decodepoint(
dst_entr.addr.spend_public_key)
crypto.scalarmult_into(additional_txkey, additional_txkey,
additional_txkey_priv)
else:
# R=r*G
additional_txkey = crypto.scalarmult_base_into(None,
additional_txkey_priv)
state.additional_tx_public_keys.append(
crypto_helpers.encodepoint(additional_txkey))
state.additional_tx_private_keys.append(additional_txkey_priv)
return additional_txkey_priv
def _acc(self, scalar, point):
crypto.decodeint_into_noreduce(tmp_sc_1, scalar)
crypto.decodepoint_into(tmp_pt_2, point)
crypto.scalarmult_into(tmp_pt_3, tmp_pt_2, tmp_sc_1)
crypto.point_add_into(self.acc, self.acc, tmp_pt_3)
self.current_idx += 1
self.size += 1
def generate_first_c_and_key_images(message, pk, xx, kLRki, index, dsRows,
rows, cols):
"""
MLSAG computation - the part with secret keys
:param message: the full message to be signed (actually its hash)
:param pk: matrix of public keys and commitments
:param xx: input secret array composed of a private key and commitment mask
:param kLRki: used only in multisig, currently not implemented
:param index: specifies corresponding public key to the `xx`'s private key in the `pk` array
:param dsRows: row number where the pubkeys "end" (and commitments follow)
:param rows: total number of rows
:param cols: size of ring
"""
II = _key_vector(dsRows)
alpha = _key_vector(rows)
tmp_buff = bytearray(32)
Hi = crypto.new_point()
aGi = crypto.new_point()
aHPi = crypto.new_point()
hasher = _hasher_message(message)
for i in range(dsRows):
# this is somewhat extra as compared to the Ring Confidential Tx paper
# see footnote in From Zero to Monero section 3.3
hasher.update(pk[index][i])
if kLRki:
raise NotImplementedError("Multisig not implemented")
# alpha[i] = kLRki.k
# rv.II[i] = kLRki.ki
# hash_point(hasher, kLRki.L, tmp_buff)
# hash_point(hasher, kLRki.R, tmp_buff)
else:
crypto.hash_to_point_into(Hi, pk[index][i])
alpha[i] = crypto.random_scalar()
# L = alpha_i * G
crypto.scalarmult_base_into(aGi, alpha[i])
# Ri = alpha_i * H(P_i)
crypto.scalarmult_into(aHPi, Hi, alpha[i])
# key image
II[i] = crypto.scalarmult(Hi, xx[i])
_hash_point(hasher, aGi, tmp_buff)
_hash_point(hasher, aHPi, tmp_buff)
for i in range(dsRows, rows):
alpha[i] = crypto.random_scalar()
# L = alpha_i * G
crypto.scalarmult_base_into(aGi, alpha[i])
# for some reasons we omit calculating R here, which seems
# contrary to the paper, but it is in the Monero official client
# see https://github.com/monero-project/monero/blob/636153b2050aa0642ba86842c69ac55a5d81618d/src/ringct/rctSigs.cpp#L191
hasher.update(pk[index][i])
_hash_point(hasher, aGi, tmp_buff)
# the first c
c_old = hasher.digest()
c_old = crypto.decodeint(c_old)
return c_old, II, alpha
def gen_clsag_sig(self, ring_size=11, index=None):
msg = random.bytes(32)
amnt = crypto.sc_init(random.uniform(0xFFFFFF) + 12)
priv = crypto.random_scalar()
msk = crypto.random_scalar()
alpha = crypto.random_scalar()
P = crypto.scalarmult_base(priv)
C = crypto.add_keys2(msk, amnt, crypto.xmr_H())
Cp = crypto.add_keys2(alpha, amnt, crypto.xmr_H())
ring = []
for i in range(ring_size - 1):
tk = TmpKey(
crypto.encodepoint(
crypto.scalarmult_base(crypto.random_scalar())),
crypto.encodepoint(
crypto.scalarmult_base(crypto.random_scalar())),
)
ring.append(tk)
index = index if index is not None else random.uniform(len(ring))
ring.insert(index, TmpKey(crypto.encodepoint(P),
crypto.encodepoint(C)))
ring2 = list(ring)
mg_buffer = []
self.assertTrue(
crypto.point_eq(crypto.scalarmult_base(priv),
crypto.decodepoint(ring[index].dest)))
self.assertTrue(
crypto.point_eq(
crypto.scalarmult_base(crypto.sc_sub(msk, alpha)),
crypto.point_sub(crypto.decodepoint(ring[index].commitment),
Cp),
))
mlsag.generate_clsag_simple(
msg,
ring,
CtKey(priv, msk),
alpha,
Cp,
index,
mg_buffer,
)
sD = crypto.decodepoint(mg_buffer[-1])
sc1 = crypto.decodeint(mg_buffer[-2])
scalars = [crypto.decodeint(x) for x in mg_buffer[1:-2]]
H = crypto.new_point()
sI = crypto.new_point()
crypto.hash_to_point_into(H, crypto.encodepoint(P))
crypto.scalarmult_into(sI, H, priv) # I = p*H
return msg, scalars, sc1, sI, sD, ring2, Cp
async def get_tx_keys(ctx: wire.Context, msg: MoneroGetTxKeyRequest,
keychain: Keychain) -> MoneroGetTxKeyAck:
await paths.validate_path(ctx, keychain, msg.address_n)
do_deriv = msg.reason == _GET_TX_KEY_REASON_TX_DERIVATION
await layout.require_confirm_tx_key(ctx, export_key=not do_deriv)
creds = misc.get_creds(keychain, msg.address_n, msg.network_type)
tx_enc_key = misc.compute_tx_key(
creds.spend_key_private,
msg.tx_prefix_hash,
msg.salt1,
crypto_helpers.decodeint(msg.salt2),
)
# the plain_buff first stores the tx_priv_keys as decrypted here
# and then is used to store the derivations if applicable
plain_buff = chacha_poly.decrypt_pack(tx_enc_key, msg.tx_enc_keys)
utils.ensure(len(plain_buff) % 32 == 0, "Tx key buffer has invalid size")
msg.tx_enc_keys = b""
# If return only derivations do tx_priv * view_pub
if do_deriv:
if msg.view_public_key is None:
raise wire.DataError("Missing view public key")
plain_buff = bytearray(plain_buff)
view_pub = crypto_helpers.decodepoint(msg.view_public_key)
tx_priv = crypto.Scalar()
derivation = crypto.Point()
n_keys = len(plain_buff) // 32
for c in range(n_keys):
crypto.decodeint_into(tx_priv, plain_buff, 32 * c)
crypto.scalarmult_into(derivation, view_pub, tx_priv)
crypto.encodepoint_into(plain_buff, derivation, 32 * c)
# Encrypt by view-key based password.
tx_enc_key_host, salt = misc.compute_enc_key_host(creds.view_key_private,
msg.tx_prefix_hash)
res = chacha_poly.encrypt_pack(tx_enc_key_host, plain_buff)
res_msg = MoneroGetTxKeyAck(salt=salt)
if do_deriv:
res_msg.tx_derivations = res
return res_msg
res_msg.tx_keys = res
return res_msg
def verify_bp(bp_proof, amounts, masks):
"""Verifies Bulletproof"""
from apps.monero.xmr import bulletproof as bp
if amounts:
bp_proof.V = []
for i in range(len(amounts)):
C = crypto.gen_commitment(masks[i], amounts[i])
crypto.scalarmult_into(C, C, crypto.sc_inv_eight())
bp_proof.V.append(crypto.encodepoint(C))
bpi = bp.BulletProofBuilder()
res = bpi.verify(bp_proof)
gc.collect()
return res
def generate_key_image(public_key: bytes,
secret_key: crypto.Scalar) -> crypto.Point:
"""
Key image: secret_key * H_p(pub_key)
"""
point = crypto.hash_to_point_into(None, public_key)
point2 = crypto.scalarmult_into(None, point, secret_key)
return point2
def generate_sub_address_keys(view_sec: crypto.Scalar, spend_pub: crypto.Point,
major: int,
minor: int) -> tuple[crypto.Point, crypto.Point]:
if major == 0 and minor == 0: # special case, Monero-defined
return spend_pub, crypto.scalarmult_base_into(None, view_sec)
m = get_subaddress_secret_key(view_sec, major=major, minor=minor)
M = crypto.scalarmult_base_into(None, m)
D = crypto.point_add_into(None, spend_pub, M)
C = crypto.scalarmult_into(None, D, view_sec)
return D, C
def verify_bp(
bp_proof: Bulletproof | BulletproofPlus,
amounts: list[int],
masks: list[crypto.Scalar],
) -> bool:
"""Verifies Bulletproof"""
from apps.monero.xmr import bulletproof as bp
if amounts:
bp_proof.V = []
for i in range(len(amounts)):
C = crypto.gen_commitment_into(None, masks[i], amounts[i])
crypto.scalarmult_into(C, C, crypto_helpers.INV_EIGHT_SC)
bp_proof.V.append(crypto_helpers.encodepoint(C))
from apps.monero.xmr.serialize_messages.tx_rsig_bulletproof import BulletproofPlus
bpi = (bp.BulletProofPlusBuilder() if isinstance(bp_proof, BulletproofPlus)
else bp.BulletProofBuilder())
res = bpi.verify(bp_proof)
gc.collect()
return res
def test_scalarmult(self):
priv = unhexlify(
b"3482fb9735ef879fcae5ec7721b5d3646e155c4fb58d6cc11c732c9c9b76620a"
)
pub = unhexlify(
b"2486224797d05cae3cba4be043be2db0df381f3f19cfa113f86ab38e3d8d2bd0"
)
exp = unhexlify(
b"adcd1f5881f46f254900a03c654e71950a88a0236fa0a3a946c9b8daed6ef43d"
)
res = crypto.scalarmult_into(None, crypto_helpers.decodepoint(pub),
crypto_helpers.decodeint(priv))
self.assertEqual(exp, crypto_helpers.encodepoint(res))
self.assertTrue(crypto.point_eq(crypto_helpers.decodepoint(exp), res))
def _check_subaddresses(
state: State,
outputs: list[MoneroTransactionDestinationEntry]) -> None:
"""
Using subaddresses leads to a few poorly documented exceptions.
Normally we set R=r*G (tx_pub), however for subaddresses this is equal to R=r*D
to achieve the nice blockchain scanning property.
Remember, that R is per-transaction and not per-input. It's all good if we have a
single output or we have a single destination and the second output is our change.
This is because although the R=r*D, we can still derive the change using our private view-key.
In other words, calculate the one-time address as P = H(x*R)*G + Y (where X,Y is the change).
However, this does not work for other outputs than change, because we do not have the
recipient's view key, so we cannot use the same formula -- we need a new R.
The solution is very straightforward -- we create additional `R`s and use the `extra`
field to include them under the `ADDITIONAL_PUBKEYS` tag.
See:
- https://lab.getmonero.org/pubs/MRL-0006.pdf
- https://github.com/monero-project/monero/pull/2056
"""
from apps.monero.xmr.addresses import classify_subaddresses
# let's first figure out what kind of destinations we have
num_stdaddresses, num_subaddresses, single_dest_subaddress = classify_subaddresses(
outputs, state.change_address())
# if this is a single-destination transfer to a subaddress,
# we set (override) the tx pubkey to R=r*D and no additional
# tx keys are needed
if num_stdaddresses == 0 and num_subaddresses == 1:
state.tx_pub = crypto.scalarmult_into(
None,
crypto_helpers.decodepoint(
single_dest_subaddress.spend_public_key),
state.tx_priv,
)
# if a subaddress is used and either standard address is as well
# or more than one subaddress is used we need to add additional tx keys
state.need_additional_txkeys = num_subaddresses > 0 and (
num_stdaddresses > 0 or num_subaddresses > 1)
state.mem_trace(4, True)
def scalarmultH(dst, x):
dst = _ensure_dst_key(dst)
crypto.decodeint_into(tmp_sc_1, x)
crypto.scalarmult_into(tmp_pt_1, _XMR_HP, tmp_sc_1)
crypto.encodepoint_into(dst, tmp_pt_1)
return dst
def _generate_clsag(
message: bytes,
P: List[bytes],
p: Sc25519,
C_nonzero: List[bytes],
z: Sc25519,
Cout: Ge25519,
index: int,
mg_buff: List[bytes],
) -> List[bytes]:
sI = crypto.new_point() # sig.I
sD = crypto.new_point() # sig.D
sc1 = crypto.new_scalar() # sig.c1
a = crypto.random_scalar()
H = crypto.new_point()
D = crypto.new_point()
Cout_bf = crypto.encodepoint(Cout)
tmp_sc = crypto.new_scalar()
tmp = crypto.new_point()
tmp_bf = bytearray(32)
crypto.hash_to_point_into(H, P[index])
crypto.scalarmult_into(sI, H, p) # I = p*H
crypto.scalarmult_into(D, H, z) # D = z*H
crypto.sc_mul_into(tmp_sc, z, crypto.sc_inv_eight()) # 1/8*z
crypto.scalarmult_into(sD, H, tmp_sc) # sig.D = 1/8*z*H
sD = crypto.encodepoint(sD)
hsh_P = crypto.get_keccak() # domain, I, D, P, C, C_offset
hsh_C = crypto.get_keccak() # domain, I, D, P, C, C_offset
hsh_P.update(_HASH_KEY_CLSAG_AGG_0)
hsh_C.update(_HASH_KEY_CLSAG_AGG_1)
def hsh_PC(x):
nonlocal hsh_P, hsh_C
hsh_P.update(x)
hsh_C.update(x)
for x in P:
hsh_PC(x)
for x in C_nonzero:
hsh_PC(x)
hsh_PC(crypto.encodepoint_into(tmp_bf, sI))
hsh_PC(sD)
hsh_PC(Cout_bf)
mu_P = crypto.decodeint(hsh_P.digest())
mu_C = crypto.decodeint(hsh_C.digest())
del (hsh_PC, hsh_P, hsh_C)
c_to_hash = crypto.get_keccak() # domain, P, C, C_offset, message, aG, aH
c_to_hash.update(_HASH_KEY_CLSAG_ROUND)
for i in range(len(P)):
c_to_hash.update(P[i])
for i in range(len(P)):
c_to_hash.update(C_nonzero[i])
c_to_hash.update(Cout_bf)
c_to_hash.update(message)
chasher = c_to_hash.copy()
crypto.scalarmult_base_into(tmp, a)
chasher.update(crypto.encodepoint_into(tmp_bf, tmp)) # aG
crypto.scalarmult_into(tmp, H, a)
chasher.update(crypto.encodepoint_into(tmp_bf, tmp)) # aH
c = crypto.decodeint(chasher.digest())
del (chasher, H)
L = crypto.new_point()
R = crypto.new_point()
c_p = crypto.new_scalar()
c_c = crypto.new_scalar()
i = (index + 1) % len(P)
if i == 0:
crypto.sc_copy(sc1, c)
mg_buff.append(int_serialize.dump_uvarint_b(len(P)))
for _ in range(len(P)):
mg_buff.append(bytearray(32))
while i != index:
crypto.random_scalar(tmp_sc)
crypto.encodeint_into(mg_buff[i + 1], tmp_sc)
crypto.sc_mul_into(c_p, mu_P, c)
crypto.sc_mul_into(c_c, mu_C, c)
# L = tmp_sc * G + c_P * P[i] + c_c * C[i]
crypto.add_keys2_into(L, tmp_sc, c_p,
crypto.decodepoint_into(tmp, P[i]))
crypto.decodepoint_into(tmp, C_nonzero[i]) # C = C_nonzero - Cout
crypto.point_sub_into(tmp, tmp, Cout)
crypto.scalarmult_into(tmp, tmp, c_c)
crypto.point_add_into(L, L, tmp)
# R = tmp_sc * HP + c_p * I + c_c * D
crypto.hash_to_point_into(tmp, P[i])
crypto.add_keys3_into(R, tmp_sc, tmp, c_p, sI)
crypto.point_add_into(R, R, crypto.scalarmult_into(tmp, D, c_c))
chasher = c_to_hash.copy()
chasher.update(crypto.encodepoint_into(tmp_bf, L))
chasher.update(crypto.encodepoint_into(tmp_bf, R))
crypto.decodeint_into(c, chasher.digest())
P[i] = None
C_nonzero[i] = None
i = (i + 1) % len(P)
if i == 0:
crypto.sc_copy(sc1, c)
if i & 3 == 0:
gc.collect()
# Final scalar = a - c * (mu_P * p + mu_c * Z)
crypto.sc_mul_into(tmp_sc, mu_P, p)
crypto.sc_muladd_into(tmp_sc, mu_C, z, tmp_sc)
crypto.sc_mulsub_into(tmp_sc, c, tmp_sc, a)
crypto.encodeint_into(mg_buff[index + 1], tmp_sc)
mg_buff.append(crypto.encodeint(sc1))
mg_buff.append(sD)
return mg_buff
def verify_clsag(self, msg, ss, sc1, sI, sD, pubs, C_offset):
n = len(pubs)
c = crypto.Scalar()
D_8 = crypto.Point()
tmp_bf = bytearray(32)
C_offset_bf = crypto_helpers.encodepoint(C_offset)
crypto.sc_copy(c, sc1)
point_mul8_into(D_8, sD)
hsh_P = crypto_helpers.get_keccak() # domain, I, D, P, C, C_offset
hsh_C = crypto_helpers.get_keccak() # domain, I, D, P, C, C_offset
hsh_P.update(clsag._HASH_KEY_CLSAG_AGG_0)
hsh_C.update(clsag._HASH_KEY_CLSAG_AGG_1)
def hsh_PC(x):
hsh_P.update(x)
hsh_C.update(x)
for x in pubs:
hsh_PC(x.dest)
for x in pubs:
hsh_PC(x.commitment)
hsh_PC(crypto.encodepoint_into(tmp_bf, sI))
hsh_PC(crypto.encodepoint_into(tmp_bf, sD))
hsh_PC(C_offset_bf)
mu_P = crypto_helpers.decodeint(hsh_P.digest())
mu_C = crypto_helpers.decodeint(hsh_C.digest())
c_to_hash = crypto_helpers.get_keccak(
) # domain, P, C, C_offset, message, L, R
c_to_hash.update(clsag._HASH_KEY_CLSAG_ROUND)
for i in range(len(pubs)):
c_to_hash.update(pubs[i].dest)
for i in range(len(pubs)):
c_to_hash.update(pubs[i].commitment)
c_to_hash.update(C_offset_bf)
c_to_hash.update(msg)
c_p = crypto.Scalar()
c_c = crypto.Scalar()
L = crypto.Point()
R = crypto.Point()
tmp_pt = crypto.Point()
i = 0
while i < n:
crypto.sc_mul_into(c_p, mu_P, c)
crypto.sc_mul_into(c_c, mu_C, c)
C_P = crypto.point_sub_into(
None, crypto.decodepoint_into(tmp_pt, pubs[i].commitment),
C_offset)
crypto.add_keys2_into(
L, ss[i], c_p, crypto.decodepoint_into(tmp_pt, pubs[i].dest))
crypto.point_add_into(L, L,
crypto.scalarmult_into(tmp_pt, C_P, c_c))
HP = crypto.hash_to_point_into(None, pubs[i].dest)
crypto.add_keys3_into(R, ss[i], HP, c_p, sI)
crypto.point_add_into(R, R,
crypto.scalarmult_into(tmp_pt, D_8, c_c))
chasher = c_to_hash.copy()
chasher.update(crypto.encodepoint_into(tmp_bf, L))
chasher.update(crypto.encodepoint_into(tmp_bf, R))
crypto.decodeint_into(c, chasher.digest())
i += 1
res = crypto.sc_sub_into(None, c, sc1)
if not crypto.sc_eq(res, crypto.Scalar(0)):
raise ValueError("Signature error")
def generate_ring_signature(
prefix_hash: bytes,
image: crypto.Point,
pubs: list[crypto.Point],
sec: crypto.Scalar,
sec_idx: int,
test: bool = False,
) -> Sig:
"""
Generates ring signature with key image.
void crypto_ops::generate_ring_signature()
"""
from trezor.utils import memcpy
if test:
t = crypto.scalarmult_base_into(None, sec)
if not crypto.point_eq(t, pubs[sec_idx]):
raise ValueError("Invalid sec key")
k_i = monero.generate_key_image(
crypto_helpers.encodepoint(pubs[sec_idx]), sec)
if not crypto.point_eq(k_i, image):
raise ValueError("Key image invalid")
for k in pubs:
crypto.ge25519_check(k)
buff_off = len(prefix_hash)
buff = bytearray(buff_off + 2 * 32 * len(pubs))
memcpy(buff, 0, prefix_hash, 0, buff_off)
mvbuff = memoryview(buff)
sum = crypto.Scalar(0)
k = crypto.Scalar(0)
sig = []
for _ in range(len(pubs)):
sig.append([crypto.Scalar(0), crypto.Scalar(0)]) # c, r
for i in range(len(pubs)):
if i == sec_idx:
k = crypto.random_scalar()
tmp3 = crypto.scalarmult_base_into(None, k)
crypto.encodepoint_into(mvbuff[buff_off:buff_off + 32], tmp3)
buff_off += 32
tmp3 = crypto.hash_to_point_into(
None, crypto_helpers.encodepoint(pubs[i]))
tmp2 = crypto.scalarmult_into(None, tmp3, k)
crypto.encodepoint_into(mvbuff[buff_off:buff_off + 32], tmp2)
buff_off += 32
else:
sig[i] = [crypto.random_scalar(), crypto.random_scalar()]
tmp3 = pubs[i]
tmp2 = crypto.ge25519_double_scalarmult_vartime_into(
None, tmp3, sig[i][0], sig[i][1])
crypto.encodepoint_into(mvbuff[buff_off:buff_off + 32], tmp2)
buff_off += 32
tmp3 = crypto.hash_to_point_into(None,
crypto_helpers.encodepoint(tmp3))
tmp2 = crypto.add_keys3_into(None, sig[i][1], tmp3, sig[i][0],
image)
crypto.encodepoint_into(mvbuff[buff_off:buff_off + 32], tmp2)
buff_off += 32
crypto.sc_add_into(sum, sum, sig[i][0])
h = crypto.hash_to_scalar_into(None, buff)
sig[sec_idx][0] = crypto.sc_sub_into(None, h, sum)
sig[sec_idx][1] = crypto.sc_mulsub_into(None, sig[sec_idx][0], sec, k)
return sig
