def __init__(self, ctx): from apps.monero.xmr.keccak_hasher import KeccakXmrArchive from apps.monero.xmr.mlsag_hasher import PreMlsagHasher self.ctx = ctx """ Account credentials type: AccountCreds - view private/public key - spend private/public key - and its corresponding address """ self.creds: AccountCreds | None = None # HMAC/encryption keys used to protect offloaded data self.key_hmac: bytes | None = None self.key_enc: bytes | None = None """ Transaction keys - also denoted as r/R - tx_priv is a random number - tx_pub is equal to `r*G` or `r*D` for subaddresses - for subaddresses the `r` is commonly denoted as `s`, however it is still just a random number - the keys are used to derive the one time address and its keys (P = H(A*r)*G + B) """ self.tx_priv: Sc25519 = None self.tx_pub: Ge25519 = None """ In some cases when subaddresses are used we need more tx_keys (explained in step 1). """ self.need_additional_txkeys = False # Connected client version self.client_version = 0 self.hard_fork = 12 self.input_count = 0 self.output_count = 0 self.progress_total = 0 self.progress_cur = 0 self.output_change = None self.fee = 0 self.tx_type = 0 # wallet sub-address major index self.account_idx = 0 # contains additional tx keys if need_additional_tx_keys is True self.additional_tx_private_keys: list[Sc25519] = [] self.additional_tx_public_keys: list[bytes] = [] # currently processed input/output index self.current_input_index = -1 self.current_output_index = -1 self.is_processing_offloaded = False # for pseudo_out recomputation from new mask self.input_last_amount = 0 self.summary_inputs_money = 0 self.summary_outs_money = 0 # output commitments self.output_pk_commitments: list[bytes] = [] self.output_amounts: list[int] = [] # output *range proof* masks. HP10+ makes them deterministic. self.output_masks: list[Sc25519] = [] # the range proofs are calculated in batches, this denotes the grouping self.rsig_grouping: list[int] = [] # is range proof computing offloaded or not self.rsig_offload = False # sum of all inputs' pseudo out masks self.sumpouts_alphas: Sc25519 = crypto.sc_0() # sum of all output' pseudo out masks self.sumout: Sc25519 = crypto.sc_0() self.subaddresses: Subaddresses = {} # TX_EXTRA_NONCE extra field for tx.extra, due to sort_tx_extra() self.extra_nonce = None # contains an array where each item denotes the input's position # (inputs are sorted by key images) self.source_permutation: list[int] = [] # Last key image seen. Used for input permutation correctness check self.last_ki: bytes | None = None # Encryption key to release to host after protocol ends without error self.opening_key: bytes | None = None # Step transition automaton self.last_step = self.STEP_INIT """ Tx prefix hasher/hash. We use the hasher to incrementally hash and then store the final hash in tx_prefix_hash. See Monero-Trezor documentation section 3.3 for more details. """ self.tx_prefix_hasher = KeccakXmrArchive() self.tx_prefix_hash: bytes | None = None """ Full message hasher/hash that is to be signed using MLSAG. Contains tx_prefix_hash. See Monero-Trezor documentation section 3.3 for more details. """ self.full_message_hasher = PreMlsagHasher() self.full_message: bytes | None = None
class PreMlsagHasher: """ Iterative construction of the pre_mlsag_hash """ def __init__(self): self.state = 0 self.kc_master = crypto.get_keccak() self.rsig_hasher = crypto.get_keccak() self.rtcsig_hasher = KeccakXmrArchive() def init(self): if self.state != 0: raise ValueError("State error") self.state = 1 def set_message(self, message: bytes): self.kc_master.update(message) def set_type_fee(self, rv_type: int, fee: int): if self.state != 1: raise ValueError("State error") self.state = 2 self.rtcsig_hasher.uint(rv_type, 1) # UInt8 self.rtcsig_hasher.uvarint(fee) # UVarintType def set_ecdh(self, ecdh: bytes): if self.state not in (2, 3, 4): raise ValueError("State error") self.state = 4 self.rtcsig_hasher.buffer(ecdh) def set_out_pk_commitment(self, out_pk_commitment: bytes): if self.state not in (4, 5): raise ValueError("State error") self.state = 5 self.rtcsig_hasher.buffer(out_pk_commitment) # ECKey def rctsig_base_done(self): if self.state != 5: raise ValueError("State error") self.state = 6 c_hash = self.rtcsig_hasher.get_digest() self.kc_master.update(c_hash) self.rtcsig_hasher = None def rsig_val(self, p: bytes | list[bytes] | Bulletproof, raw: bool = False): if self.state == 8: raise ValueError("State error") if raw: # Avoiding problem with the memory fragmentation. # If the range proof is passed as a list, hash each element # as the range proof is split to multiple byte arrays while # preserving the byte ordering if isinstance(p, list): for x in p: self.rsig_hasher.update(x) else: self.rsig_hasher.update(p) return # Hash Bulletproof self.rsig_hasher.update(p.A) self.rsig_hasher.update(p.S) self.rsig_hasher.update(p.T1) self.rsig_hasher.update(p.T2) self.rsig_hasher.update(p.taux) self.rsig_hasher.update(p.mu) for i in range(len(p.L)): self.rsig_hasher.update(p.L[i]) for i in range(len(p.R)): self.rsig_hasher.update(p.R[i]) self.rsig_hasher.update(p.a) self.rsig_hasher.update(p.b) self.rsig_hasher.update(p.t) def get_digest(self) -> bytes: if self.state != 6: raise ValueError("State error") self.state = 8 c_hash = self.rsig_hasher.digest() self.rsig_hasher = None self.kc_master.update(c_hash) return self.kc_master.digest()
def __init__(self): self.state = 0 self.kc_master = crypto.get_keccak() self.rsig_hasher = crypto.get_keccak() self.rtcsig_hasher = KeccakXmrArchive()
def __init__(self, ctx): from apps.monero.xmr.keccak_hasher import KeccakXmrArchive from apps.monero.xmr.mlsag_hasher import PreMlsagHasher self.ctx = ctx """ Account credentials type: AccountCreds - view private/public key - spend private/public key - and its corresponding address """ self.creds = None # HMAC/encryption keys used to protect offloaded data self.key_hmac = None self.key_enc = None """ Transaction keys - also denoted as r/R - tx_priv is a random number - tx_pub is equal to `r*G` or `r*D` for subaddresses - for subaddresses the `r` is commonly denoted as `s`, however it is still just a random number - the keys are used to derive the one time address and its keys (P = H(A*r)*G + B) """ self.tx_priv = None self.tx_pub = None """ In some cases when subaddresses are used we need more tx_keys (explained in step 1). """ self.need_additional_txkeys = False # Ring Confidential Transaction type # allowed values: RctType.{Full, Simple} self.rct_type = None # Range Signature type (also called range proof) # allowed values: RsigType.{Borromean, Bulletproof} self.rsig_type = None self.input_count = 0 self.output_count = 0 self.output_change = None self.fee = 0 # wallet sub-address major index self.account_idx = 0 # contains additional tx keys if need_additional_tx_keys is True self.additional_tx_private_keys = [] self.additional_tx_public_keys = [] # currently processed input/output index self.current_input_index = -1 self.current_output_index = -1 self.summary_inputs_money = 0 self.summary_outs_money = 0 # output commitments self.output_pk_commitments = [] # masks used in the output commitment self.output_sk_masks = [] self.output_amounts = [] # output *range proof* masks self.output_masks = [] # the range proofs are calculated in batches, this denotes the grouping self.rsig_grouping = [] # is range proof computing offloaded or not self.rsig_offload = False # sum of all inputs' pseudo out masks self.sumpouts_alphas = crypto.sc_0() # sum of all output' pseudo out masks self.sumout = crypto.sc_0() self.subaddresses = {} # simple stub containing items hashed into tx prefix self.tx = TprefixStub(vin=[], vout=[], extra=b"") # TX_EXTRA_NONCE extra field for tx.extra, due to sort_tx_extra() self.extra_nonce = None # contains an array where each item denotes the input's position # (inputs are sorted by key images) self.source_permutation = [] """ Tx prefix hasher/hash. We use the hasher to incrementally hash and then store the final hash in tx_prefix_hash. See Monero-Trezor documentation section 3.3 for more details. """ self.tx_prefix_hasher = KeccakXmrArchive() self.tx_prefix_hash = None """ Full message hasher/hash that is to be signed using MLSAG. Contains tx_prefix_hash. See Monero-Trezor documentation section 3.3 for more details. """ self.full_message_hasher = PreMlsagHasher() self.full_message = None
def __init__(self) -> None: self.state = 0 self.kc_master: HashContext = crypto_helpers.get_keccak() self.rsig_hasher: HashContext = crypto_helpers.get_keccak() self.rtcsig_hasher: KeccakXmrArchive = KeccakXmrArchive()
class PreMlsagHasher: """ Iterative construction of the pre_mlsag_hash """ def __init__(self): self.is_simple = None self.state = 0 self.kc_master = crypto.get_keccak() self.rsig_hasher = crypto.get_keccak() self.rtcsig_hasher = KeccakXmrArchive() def init(self, is_simple): if self.state != 0: raise ValueError("State error") self.state = 1 self.is_simple = is_simple def set_message(self, message): self.kc_master.update(message) def set_type_fee(self, rv_type, fee): if self.state != 1: raise ValueError("State error") self.state = 2 self.rtcsig_hasher.uint(rv_type, 1) # UInt8 self.rtcsig_hasher.uvarint(fee) # UVarintType def set_pseudo_out(self, out): if self.state != 2 and self.state != 3: raise ValueError("State error") self.state = 3 # Manual serialization of the ECKey self.rtcsig_hasher.buffer(out) def set_ecdh(self, ecdh): if self.state != 2 and self.state != 3 and self.state != 4: raise ValueError("State error") self.state = 4 self.rtcsig_hasher.buffer(ecdh) def set_out_pk_commitment(self, out_pk_commitment): if self.state != 4 and self.state != 5: raise ValueError("State error") self.state = 5 self.rtcsig_hasher.buffer(out_pk_commitment) # ECKey def rctsig_base_done(self): if self.state != 5: raise ValueError("State error") self.state = 6 c_hash = self.rtcsig_hasher.get_digest() self.kc_master.update(c_hash) self.rtcsig_hasher = None def rsig_val(self, p, bulletproof, raw=False): if self.state == 8: raise ValueError("State error") if raw: # Avoiding problem with the memory fragmentation. # If the range proof is passed as a list, hash each element # as the range proof is split to multiple byte arrays while # preserving the byte ordering if isinstance(p, list): for x in p: self.rsig_hasher.update(x) else: self.rsig_hasher.update(p) return if bulletproof: self.rsig_hasher.update(p.A) self.rsig_hasher.update(p.S) self.rsig_hasher.update(p.T1) self.rsig_hasher.update(p.T2) self.rsig_hasher.update(p.taux) self.rsig_hasher.update(p.mu) for i in range(len(p.L)): self.rsig_hasher.update(p.L[i]) for i in range(len(p.R)): self.rsig_hasher.update(p.R[i]) self.rsig_hasher.update(p.a) self.rsig_hasher.update(p.b) self.rsig_hasher.update(p.t) else: for i in range(64): self.rsig_hasher.update(p.asig.s0[i]) for i in range(64): self.rsig_hasher.update(p.asig.s1[i]) self.rsig_hasher.update(p.asig.ee) for i in range(64): self.rsig_hasher.update(p.Ci[i]) def get_digest(self): if self.state != 6: raise ValueError("State error") self.state = 8 c_hash = self.rsig_hasher.digest() self.rsig_hasher = None self.kc_master.update(c_hash) return self.kc_master.digest()