async def derive_secret_key(self): derivation = crypto.decodepoint(self._fetch_decrypt()) output_index = self._fetch_u32() sec = self._fetch_decrypt_key() drvsec = crypto.derive_secret_key(derivation, output_index, sec) self._insert_encrypt(crypto.encodeint(drvsec)) return SW_OK
def generate_key_image_helper_precomp( ack, out_key, recv_derivation, real_output_index, received_index ): """ Generates UTXO spending key and key image. :param ack: sender credentials :type ack: AccountCreds :param out_key: real output (from input RCT) destination key :param recv_derivation: :param real_output_index: :param received_index: subaddress index this payment was received to :return: """ if ack.spend_key_private == 0: raise ValueError("Watch-only wallet not supported") # derive secret key with subaddress - step 1: original CN derivation scalar_step1 = crypto.derive_secret_key( recv_derivation, real_output_index, ack.spend_key_private ) # step 2: add Hs(SubAddr || a || index_major || index_minor) subaddr_sk = None scalar_step2 = None if received_index == (0, 0): scalar_step2 = scalar_step1 else: subaddr_sk = get_subaddress_secret_key( ack.view_key_private, major=received_index[0], minor=received_index[1] ) scalar_step2 = crypto.sc_add(scalar_step1, subaddr_sk) # when not in multisig, we know the full spend secret key, so the output pubkey can be obtained by scalarmultBase if len(ack.multisig_keys) == 0: pub_ver = crypto.scalarmult_base(scalar_step2) else: # When in multisig, we only know the partial spend secret key. But we do know the full spend public key, # so the output pubkey can be obtained by using the standard CN key derivation. pub_ver = crypto.derive_public_key( recv_derivation, real_output_index, ack.spend_key_public ) # Add the contribution from the subaddress part if received_index != (0, 0): subaddr_pk = crypto.scalarmult_base(subaddr_sk) pub_ver = crypto.point_add(pub_ver, subaddr_pk) if not crypto.point_eq(pub_ver, out_key): raise ValueError( "key image helper precomp: given output pubkey doesn't match the derived one" ) ki = generate_key_image(crypto.encodepoint(pub_ver), scalar_step2) return scalar_step2, ki
async def test_live_refresh(self): if self.should_test_only_tx() or not int( os.getenv("TREZOR_TEST_LIVE_REFRESH", '1')): self.skipTest("Live refresh skipped") creds = self.get_trezor_creds(0) await self.agent.live_refresh_start() for att in range(22): r = crypto.random_scalar() R = crypto.scalarmult_base(r) D = crypto.scalarmult(R, creds.view_key_private) subaddr = 0, att scalar_step1 = crypto.derive_secret_key(D, att, creds.spend_key_private) # step 2: add Hs(SubAddr || a || index_major || index_minor) if subaddr == (0, 0): scalar_step2 = scalar_step1 else: subaddr_sk = monero.get_subaddress_secret_key( creds.view_key_private, major=0, minor=att) scalar_step2 = crypto.sc_add(scalar_step1, subaddr_sk) pub_ver = crypto.scalarmult_base(scalar_step2) ki = monero.generate_key_image(crypto.encodepoint(pub_ver), scalar_step2) ki2 = await self.agent.live_refresh(creds.view_key_private, crypto.encodepoint(pub_ver), crypto.encodepoint(D), att, 0, att) if not crypto.point_eq(ki, ki2): raise ValueError("Key image inconsistent") time.sleep(0.1) await self.agent.live_refresh_final()
def rekey_input(self, inp, keys, subs=None, new_keys=None, new_subs=None, mixin_change=None): subs = subs if subs else {} real_out_key = inp.outputs[inp.real_output][1] out_key = crypto.decodepoint(real_out_key.dest) tx_key = crypto.decodepoint(inp.real_out_tx_key) additional_keys = [ crypto.decodepoint(x) for x in inp.real_out_additional_tx_keys ] logger.debug("Current out key: %s" % binascii.hexlify(real_out_key.dest)) secs = monero.generate_key_image_helper( keys, subs, out_key, tx_key, additional_keys, inp.real_output_in_tx_index ) xi, ki, di = secs need_additional = additional_keys is not None and len(additional_keys) > 0 is_dst_sub = self.dest_sub_major != 0 and ( self.args.minors[0] != 0 or len(self.args.minors) > 1 ) logger.debug( "Is dst sub: %s, need additional: %s" % (is_dst_sub, need_additional) ) if is_dst_sub and self.add_additionals: need_additional = True if is_dst_sub: rand_minor = random.choice(self.args.minors) m = monero.get_subaddress_secret_key( new_keys.view_key_private, major=self.dest_sub_major, minor=rand_minor ) M = crypto.scalarmult_base(m) d = crypto.sc_add(m, new_keys.spend_key_private) D = crypto.point_add(new_keys.spend_key_public, M) C = crypto.scalarmult(D, new_keys.view_key_private) if not need_additional and not is_dst_sub: # real_out_key.dst = Hs(R*new_a || idx)G + newB r = crypto.random_scalar() tx_key = crypto.scalarmult_base(r) new_deriv = crypto.generate_key_derivation(new_keys.view_key_public, r) new_out_pr = crypto.derive_secret_key( new_deriv, inp.real_output_in_tx_index, new_keys.spend_key_private ) new_out = crypto.scalarmult_base(new_out_pr) real_out_key.dest = crypto.encodepoint(new_out) elif not need_additional and is_dst_sub: # real_out_key.dst = Hs(r*C || idx)G + newB, R=rD r = crypto.random_scalar() tx_key = crypto.scalarmult(D, r) new_deriv = crypto.generate_key_derivation(C, r) new_out_pr = crypto.derive_secret_key( new_deriv, inp.real_output_in_tx_index, d ) new_out = crypto.scalarmult_base(new_out_pr) real_out_key.dest = crypto.encodepoint(new_out) else: r = crypto.random_scalar() tx_key = crypto.scalarmult_base(r) gen_additionals = min(2, inp.real_output_in_tx_index + 1) if additional_keys is None or len(additional_keys) < gen_additionals: additional_keys = [ crypto.scalarmult_base(crypto.random_scalar()) for _ in range(gen_additionals) ] ri = crypto.random_scalar() if is_dst_sub: add_tx = crypto.scalarmult(D, ri) new_deriv = crypto.generate_key_derivation(C, ri) new_out_pr = crypto.derive_secret_key( new_deriv, inp.real_output_in_tx_index, d ) new_out = crypto.scalarmult_base(new_out_pr) if not crypto.point_eq( new_out, crypto.derive_public_key(new_deriv, inp.real_output_in_tx_index, D), ): raise ValueError("Invalid txout computation") else: add_tx = crypto.scalarmult_base(ri) new_deriv = crypto.generate_key_derivation(new_keys.view_key_public, r) new_out_pr = crypto.derive_secret_key( new_deriv, inp.real_output_in_tx_index, new_keys.spend_key_private ) new_out = crypto.scalarmult_base(new_out_pr) additional_keys[inp.real_output_in_tx_index] = add_tx real_out_key.dest = crypto.encodepoint(new_out) # Increasing the size of the mixin if mixin_change and len(inp.outputs) < mixin_change: for i in range(mixin_change - len(inp.outputs)): inp.outputs.append((0, CtKey( mask=crypto.encodepoint(self.random_pub()), dest=crypto.encodepoint(self.random_pub())))) if additional_keys: additional_keys.append(self.random_pub()) inp.real_out_tx_key = crypto.encodepoint(tx_key) inp.real_out_additional_tx_keys = [ crypto.encodepoint(x) for x in additional_keys ] logger.debug("New pub: %s" % binascii.hexlify(real_out_key.dest)) # Self-check self.check_input(inp, new_keys, new_subs) return inp
async def gen_input(self, value=1, sub_major=None, sub_minor=0, additionals=False): creds = self.src_keys r = self.random_scalar() R = crypto.scalarmult_base(r) additional_keys = [] Additional = None sub_major = sub_major if sub_major is not None else self.account_idx is_sub = sub_major != 0 or sub_minor != 0 if sub_major != self.account_idx: logger.warning( "Generating input with different major subindex, cannot be spent in the resulting " "transaction") kssec = monero.get_subaddress_secret_key(creds.view_key_private, major=sub_major, minor=sub_minor) kssub = crypto.sc_add( kssec, creds.spend_key_private) if is_sub else creds.spend_key_private kvsub = crypto.sc_mul(creds.view_key_private, kssub) if is_sub else creds.view_key_private KSSUB, KVSUB = monero.generate_sub_address_keys( creds.view_key_private, creds.spend_key_public, sub_major, sub_minor) if not crypto.point_eq(KSSUB, crypto.scalarmult_base(kssub)): raise ValueError("Invariant error") oidx = self.prng.randint(0, 12) additionals_cnt = self.prng.randint(oidx + 1, 2 * oidx + 1) deriv = crypto.generate_key_derivation(KVSUB, r) kout = crypto.derive_secret_key(deriv, oidx, kssub) KOUT = crypto.derive_public_key(deriv, oidx, KSSUB) if not crypto.point_eq(KOUT, crypto.scalarmult_base(kout)): raise ValueError("Invariant error") if additionals: if is_sub: Additional = crypto.scalarmult(KSSUB, r) else: Additional = crypto.scalarmult_base(r) else: if is_sub: R = crypto.scalarmult(KSSUB, r) amnt = crypto.sc_init(value) msk = self.random_scalar() # commitment mask C = crypto.add_keys2(msk, amnt, crypto.xmr_H()) ring = [] for i in range(self.ring_size - 1): tk = CtKey( dest=crypto.encodepoint(self.random_pub()), mask=crypto.encodepoint(self.random_pub()), ) ring.append(tk) index = self.prng.randint(0, len(ring)) ring.insert( index, CtKey(dest=crypto.encodepoint(KOUT), mask=crypto.encodepoint(C))) if additionals: additional_keys = [ self.random_pub() for _ in range(additionals_cnt) ] additional_keys[oidx] = Additional src = TxSourceEntry() src.outputs = [(self.random_glob_idx(), x) for x in ring] src.real_output = index src.real_out_tx_key = crypto.encodepoint(R) src.real_out_additional_tx_keys = [ crypto.encodepoint(x) for x in additional_keys ] src.real_output_in_tx_index = oidx src.amount = value src.rct = True src.mask = crypto.encodeint(msk) src.multisig_kLRki = MultisigKLRki(K=crypto.ZERO, L=crypto.ZERO, R=crypto.ZERO, ki=crypto.ZERO) td = TransferDetails() td.m_internal_output_index = oidx td.m_global_output_index = src.outputs[index][0] td.m_mask = src.mask td.m_amount = value td.m_subaddr_index = SubaddressIndex(major=sub_major, minor=sub_minor) td.m_rct = True td.m_txid = self.random_bytes(32) td.m_block_height = self.prng.randint(0, 0xFFFF) td.m_spent = False td.m_spent_height = 0 td.m_key_image_known = True td.m_key_image_requested = False td.m_key_image_partial = False td.m_multisig_k = [] td.m_multisig_info = [] td.m_uses = [] td.m_pk_index = 0 td.m_tx = self.gen_tx_prefix(self.prng.randint(1, 10), additionals_cnt) td.m_tx.vout[oidx].target.key = crypto.encodepoint(KOUT) extras = [] extras.append(TxExtraNonce(nonce=self.random_bytes(8))) extras.append(TxExtraPubKey(pub_key=src.real_out_tx_key)) if src.real_out_additional_tx_keys: extras.append( TxExtraAdditionalPubKeys(data=src.real_out_additional_tx_keys)) td.m_tx.extra = await self.dump_extra_fields(extras) tmpsubs = {} monero.compute_subaddresses(creds, sub_major, [sub_minor], tmpsubs) xi, ki, rderiv = self.check_input(src, creds, tmpsubs) if not crypto.sc_eq(xi, kout): raise ValueError("Invariant error") td.m_key_image = crypto.encodepoint(ki) self.sources.append(src) self.selected_transfers.append(len(self.transfers)) self.transfers.append(td) self.sources_creds.append(creds) if not crypto.point_eq( crypto.decodepoint(src.outputs[src.real_output][1].dest), crypto.scalarmult_base(kout)): raise ValueError("Invariant error") return self