def test_range_proof2_back(self): proof = ring_ct.prove_range(123456789, backend_impl=True) res = ring_ct.ver_range(proof[0], proof[2]) self.assertTrue(res) res = ring_ct.ver_range( crypto.point_add(proof[0], crypto.scalarmult_base(crypto.sc_init(4))), proof[2], ) self.assertFalse(res)
async def _out_proc_range_proof(self, rsig): if self._is_req_bulletproof(): rsig.V = [] batch_size = self.ct.rsig_batches[self.ct.cur_batch_idx] for i in range(batch_size): commitment = self.ct.tx_out_pk[1 + self.ct.cur_output_idx - batch_size + i].mask commitment = crypto.scalarmult(crypto.decodepoint(commitment), crypto.sc_inv_eight()) rsig.V.append(crypto.encodepoint(commitment)) self.ct.tx_out_rsigs.append(rsig) # Rsig verification try: if not ring_ct.ver_range( C=crypto.decodepoint(self.ct.tx_out_pk[-1].mask), rsig=rsig, use_bulletproof=self._is_req_bulletproof(), ): logger.warning("Rsing not valid") except Exception as e: logger.error("Exception rsig: %s" % e) traceback.print_exc()
def test_range_proof3(self): proof = ring_ct.prove_range(123456789) rsig = proof[2] monero.recode_rangesig(rsig, encode=False) monero.recode_rangesig(rsig, encode=True) res = ring_ct.ver_range(proof[0], rsig) self.assertTrue(res)
def test_range_proof2_old(self): proof = ring_ct.prove_range(123456789, use_asnl=True, mem_opt=False, decode=True) res = ring_ct.ver_range(proof[0], proof[2], use_asnl=True, decode=False) self.assertTrue(res) res = ring_ct.ver_range( crypto.point_add(proof[0], crypto.scalarmult_base(crypto.sc_init(4))), proof[2], use_asnl=True, decode=False, ) self.assertFalse(res)
def test_range_proof_old(self): proof = ring_ct.prove_range(0, use_asnl=True, mem_opt=False, decode=True) res = ring_ct.ver_range(proof[0], proof[2], use_asnl=True, decode=False) self.assertTrue(res)
def test_range_proof(self): proof = ring_ct.prove_range(0) res = ring_ct.ver_range(proof[0], proof[2]) self.assertTrue(res) self.assertTrue( crypto.point_eq( proof[0], crypto.point_add(crypto.scalarmult_base(proof[1]), crypto.scalarmult_h(0)), )) proof = ring_ct.prove_range(0, mem_opt=False) res = ring_ct.ver_range(proof[0], proof[2]) self.assertTrue(res) self.assertTrue( crypto.point_eq( proof[0], crypto.point_add(crypto.scalarmult_base(proof[1]), crypto.scalarmult_h(0)), ))
async def _on_set_outputs_ack(self, t_res): self.ct.tx.vout.append(await tmisc.parse_msg(t_res.tx_out, xmrtypes.TxOut())) self.ct.tx_out_hmacs.append(t_res.vouti_hmac) self.ct.tx_out_pk.append(await tmisc.parse_msg(t_res.out_pk, xmrtypes.CtKey())) self.ct.tx_out_ecdh.append(await tmisc.parse_msg(t_res.ecdh_info, xmrtypes.EcdhTuple())) rsig_buff = None if t_res.rsig_data: tsig_data = t_res.rsig_data if tsig_data.rsig and len(tsig_data.rsig) > 0: rsig_buff = tsig_data.rsig elif tsig_data.rsig_parts and len(tsig_data.rsig_parts) > 0: rsig_buff = b"".join(tsig_data.rsig_parts) if rsig_buff and not self._is_req_bulletproof(): rsig = await tmisc.parse_msg(rsig_buff, xmrtypes.RangeSig()) elif rsig_buff: rsig = await tmisc.parse_msg(rsig_buff, xmrtypes.Bulletproof()) else: return if self._is_req_bulletproof(): rsig.V = [] batch_size = self.ct.rsig_batches[self.ct.cur_batch_idx] for i in range(batch_size): commitment = self.ct.tx_out_pk[1 + self.ct.cur_output_idx - batch_size + i].mask commitment = crypto.scalarmult(crypto.decodepoint(commitment), crypto.sc_inv_eight()) rsig.V.append(crypto.encodepoint(commitment)) self.ct.tx_out_rsigs.append(rsig) # Rsig verification try: if not ring_ct.ver_range( C=crypto.decodepoint(self.ct.tx_out_pk[-1].mask), rsig=rsig, use_bulletproof=self._is_req_bulletproof(), ): logger.warning("Rsing not valid") except Exception as e: logger.error("Exception rsig: %s" % e) traceback.print_exc() self.ct.cur_batch_idx += 1 self.ct.cur_output_in_batch_idx = 0
def test_range_proof2(self): amount = 17 + (1 << 60) proof = ring_ct.prove_range(amount) res = ring_ct.ver_range(proof[0], proof[2]) self.assertTrue(res) self.assertTrue( crypto.point_eq( proof[0], crypto.point_add(crypto.scalarmult_base(proof[1]), crypto.scalarmult_h(amount)), )) proof = ring_ct.prove_range(amount, mem_opt=False, decode=True) res = ring_ct.ver_range(proof[0], proof[2], decode=False) self.assertTrue(res) res = ring_ct.ver_range( crypto.point_add(proof[0], crypto.scalarmult_base(crypto.sc_init(4))), proof[2], decode=False, ) self.assertFalse(res)
def test_range_proof_back(self): proof = ring_ct.prove_range(0, backend_impl=True) res = ring_ct.ver_range(proof[0], proof[2]) self.assertTrue(res)
async def gen_rct_header(self, destinations, outamounts): """ Initializes RV RctSig structure, processes outputs, computes range proofs, ecdh info masking. Common to gen_rct and gen_rct_simple. :param destinations: :param outamounts: :return: """ rv = xmrtypes.RctSig() rv.p = xmrtypes.RctSigPrunable() rv.message = self.tx_prefix_hash rv.outPk = [None] * len(destinations) if self.use_bulletproof: rv.p.bulletproofs = [None] * len(destinations) else: rv.p.rangeSigs = [None] * len(destinations) rv.ecdhInfo = [None] * len(destinations) # Output processing sumout = crypto.sc_0() out_sk = [None] * len(destinations) for idx in range(len(destinations)): rv.outPk[idx] = xmrtypes.CtKey(dest=crypto.encodepoint(destinations[idx])) C, mask, rsig = None, 0, None # Rangeproof if self.use_bulletproof: raise ValueError("Bulletproof not yet supported") else: C, mask, rsig = ring_ct.prove_range(outamounts[idx]) rv.p.rangeSigs[idx] = rsig if __debug__: assert ring_ct.ver_range(C, rsig) assert crypto.point_eq( C, crypto.point_add( crypto.scalarmult_base(mask), crypto.scalarmult_h(outamounts[idx]), ), ) # Mask sum rv.outPk[idx].mask = crypto.encodepoint(C) sumout = crypto.sc_add(sumout, mask) out_sk[idx] = xmrtypes.CtKey(mask=mask) # ECDH masking amount_key = crypto.encodeint(self.output_secrets[idx][0]) rv.ecdhInfo[idx] = xmrtypes.EcdhTuple( mask=mask, amount=crypto.sc_init(outamounts[idx]) ) rv.ecdhInfo[idx] = ring_ct.ecdh_encode( rv.ecdhInfo[idx], derivation=amount_key ) monero.recode_ecdh(rv.ecdhInfo[idx], encode=True) return rv, sumout, out_sk
async def verify(self, tx, con_data=None, creds=None): """ Transaction verification :param tx: :param con_data: :param creds: :return: """ # Unserialize the transaction tx_obj = xmrtypes.Transaction() reader = xmrserialize.MemoryReaderWriter(bytearray(tx)) ar1 = xmrserialize.Archive(reader, False) await ar1.message(tx_obj, msg_type=xmrtypes.Transaction) extras = await monero.parse_extra_fields(tx_obj.extra) monero.expand_transaction(tx_obj) tx_pub = crypto.decodepoint(monero.find_tx_extra_field_by_type( extras, xmrtypes.TxExtraPubKey ).pub_key) additional_pub_keys = monero.find_tx_extra_field_by_type( extras, xmrtypes.TxExtraAdditionalPubKeys ) additional_pub_keys = [crypto.decodepoint(x) for x in additional_pub_keys.data] if additional_pub_keys is not None else None # Verify range proofs out_idx = 0 is_bp = tx_obj.rct_signatures.type in [RctType.SimpleBulletproof, RctType.FullBulletproof] if not is_bp: for idx, rsig in enumerate(tx_obj.rct_signatures.p.rangeSigs): out_pk = tx_obj.rct_signatures.outPk[idx] C = crypto.decodepoint(out_pk.mask) rsig = tx_obj.rct_signatures.p.rangeSigs[idx] res = ring_ct.ver_range(C, rsig, use_bulletproof=is_bp) self.assertTrue(res) else: for idx, rsig in enumerate(tx_obj.rct_signatures.p.bulletproofs): rsig_num_outs = min(len(tx_obj.rct_signatures.outPk), 1 << (len(rsig.L) - 6)) outs = tx_obj.rct_signatures.outPk[out_idx : out_idx + rsig_num_outs] rsig.V = [crypto.encodepoint(ring_ct.bp_comm_to_v(crypto.decodepoint(xx.mask))) for xx in outs] res = ring_ct.ver_range(None, rsig, use_bulletproof=is_bp) self.assertTrue(res) # Prefix hash prefix_hash = await monero.get_transaction_prefix_hash(tx_obj) is_simple = len(tx_obj.vin) > 1 or is_bp self.assertEqual(prefix_hash, con_data.tx_prefix_hash) tx_obj.rct_signatures.message = prefix_hash # MLSAG hash mlsag_hash = await monero.get_pre_mlsag_hash(tx_obj.rct_signatures) # Decrypt transaction key tx_key = misc.compute_tx_key(creds.spend_key_private, prefix_hash, salt=con_data.enc_salt1, rand_mult=con_data.enc_salt2)[0] key_buff = chacha_poly.decrypt_pack(tx_key, con_data.enc_keys) tx_priv_keys = [crypto.decodeint(x) for x in common.chunk(key_buff, 32) if x] tx_priv = tx_priv_keys[0] tx_additional_priv = tx_priv_keys[1:] # Verify mlsag signature monero.recode_msg(tx_obj.rct_signatures.p.MGs, encode=False) for idx in range(len(tx_obj.vin)): if is_simple: mix_ring = [MoneroRctKeyPublic(dest=x[1].dest, commitment=x[1].mask) for x in con_data.tx_data.sources[idx].outputs] if is_bp: pseudo_out = crypto.decodepoint(bytes(tx_obj.rct_signatures.p.pseudoOuts[idx])) else: pseudo_out = crypto.decodepoint(bytes(tx_obj.rct_signatures.pseudoOuts[idx])) self.assertTrue(mlsag2.ver_rct_mg_simple( mlsag_hash, tx_obj.rct_signatures.p.MGs[idx], mix_ring, pseudo_out )) else: txn_fee_key = crypto.scalarmult_h(tx_obj.rct_signatures.txnFee) mix_ring = [[MoneroRctKeyPublic(dest=x[1].dest, commitment=x[1].mask)] for x in con_data.tx_data.sources[idx].outputs] self.assertTrue(mlsag2.ver_rct_mg( tx_obj.rct_signatures.p.MGs[idx], mix_ring, tx_obj.rct_signatures.outPk, txn_fee_key, mlsag_hash ))
async def range_proof(self, idx, dest_pub_key, amount, amount_key): """ Computes rangeproof and related information - out_sk, out_pk, ecdh_info. In order to optimize incremental transaction build, the mask computation is changed compared to the official Monero code. In the official code, the input pedersen commitments are computed after range proof in such a way summed masks for commitments (alpha) and rangeproofs (ai) are equal. In order to save roundtrips we compute commitments randomly and then for the last rangeproof a[63] = (\\sum_{i=0}^{num_inp}alpha_i - \\sum_{i=0}^{num_outs-1} amasks_i) - \\sum_{i=0}^{62}a_i The range proof is incrementally hashed to the final_message. :param idx: :param dest_pub_key: :param amount: :param amount_key: :return: """ from monero_glue.xmr import ring_ct rsig = bytearray(32 * (64 + 64 + 64 + 1)) rsig_mv = memoryview(rsig) out_pk = misc.StdObj(dest=dest_pub_key, mask=None) is_last = idx + 1 == self.num_dests() last_mask = ( None if not is_last or not self.use_simple_rct else crypto.sc_sub(self.sumpouts_alphas, self.sumout) ) # Pedersen commitment on the value, mask from the commitment, range signature. C, mask, rsig = None, 0, None # Rangeproof gc.collect() if self.use_bulletproof: raise ValueError("Bulletproof not yet supported") else: C, mask, rsig = ring_ct.prove_range( amount, last_mask, backend_impl=True, byte_enc=True, rsig=rsig_mv ) rsig = memoryview(rsig) if __debug__: rsig_bytes = monero.inflate_rsig(rsig) self.assrt(ring_ct.ver_range(C, rsig_bytes)) self.assrt( crypto.point_eq( C, crypto.point_add( crypto.scalarmult_base(mask), crypto.scalarmult_h(amount) ), ), "rproof", ) # Incremental hashing await self.full_message_hasher.rsig_val( rsig, self.use_bulletproof, raw=True ) gc.collect() self._log_trace("rproof") # Mask sum out_pk.mask = crypto.encodepoint(C) self.sumout = crypto.sc_add(self.sumout, mask) self.output_sk.append(misc.StdObj(mask=mask)) # ECDH masking from monero_glue.xmr.sub.recode import recode_ecdh from monero_serialize.xmrtypes import EcdhTuple ecdh_info = EcdhTuple(mask=mask, amount=crypto.sc_init(amount)) ecdh_info = ring_ct.ecdh_encode( ecdh_info, derivation=crypto.encodeint(amount_key) ) recode_ecdh(ecdh_info, encode=True) gc.collect() return rsig, out_pk, ecdh_info
async def test_node_transaction(self): tx_j = pkg_resources.resource_string( __name__, os.path.join("data", "tsx_01.json")) tx_c = pkg_resources.resource_string( __name__, os.path.join("data", "tsx_01_plain.txt")) tx_u_c = pkg_resources.resource_string( __name__, os.path.join("data", "tsx_01_uns.txt")) tx_js = json.loads(tx_j.decode("utf8")) reader = xmrserialize.MemoryReaderWriter( bytearray(binascii.unhexlify(tx_c))) ar = xmrserialize.Archive(reader, False, self._get_bc_ver()) tx = xmrtypes.Transaction() await ar.message(tx) reader = xmrserialize.MemoryReaderWriter( bytearray(binascii.unhexlify(tx_u_c))) ar = xmrserialize.Archive(reader, False, self._get_bc_ver()) uns = xmrtypes.UnsignedTxSet() await ar.message(uns) # Test message hash computation tx_prefix_hash = await monero.get_transaction_prefix_hash(tx) message = binascii.unhexlify(tx_js["tx_prefix_hash"]) self.assertEqual(tx_prefix_hash, message) # RingCT, range sigs, hash rv = tx.rct_signatures rv.message = message rv.mixRing = self.mixring(tx_js) digest = await monero.get_pre_mlsag_hash(rv) full_message = binascii.unhexlify(tx_js["pre_mlsag_hash"]) self.assertEqual(digest, full_message) # Recompute missing data monero.expand_transaction(tx) # Unmask ECDH data, check range proofs for i in range(len(tx_js["amount_keys"])): ecdh = monero.copy_ecdh(rv.ecdhInfo[i]) monero.recode_ecdh(ecdh, encode=False) ecdh = ring_ct.ecdh_decode(ecdh, derivation=binascii.unhexlify( tx_js["amount_keys"][i])) self.assertEqual(crypto.sc_get64(ecdh.amount), tx_js["outamounts"][i]) self.assertTrue( crypto.sc_eq( ecdh.mask, crypto.decodeint( binascii.unhexlify(tx_js["outSk"][i])[32:]), )) C = crypto.decodepoint(rv.outPk[i].mask) rsig = rv.p.rangeSigs[i] res = ring_ct.ver_range(C, rsig) self.assertTrue(res) res = ring_ct.ver_range( crypto.point_add(C, crypto.scalarmult_base(crypto.sc_init(3))), rsig) self.assertFalse(res) is_simple = len(tx.vin) > 1 monero.recode_rct(rv, encode=False) if is_simple: for index in range(len(rv.p.MGs)): pseudo_out = crypto.decodepoint( binascii.unhexlify( tx_js["tx"]["rct_signatures"]["pseudoOuts"][index])) r = mlsag2.ver_rct_mg_simple(full_message, rv.p.MGs[index], rv.mixRing[index], pseudo_out) self.assertTrue(r) r = mlsag2.ver_rct_mg_simple(full_message, rv.p.MGs[index], rv.mixRing[index - 1], pseudo_out) self.assertFalse(r) else: txn_fee_key = crypto.scalarmult_h(rv.txnFee) r = mlsag2.ver_rct_mg(rv.p.MGs[0], rv.mixRing, rv.outPk, txn_fee_key, digest) self.assertTrue(r) r = mlsag2.ver_rct_mg( rv.p.MGs[0], rv.mixRing, rv.outPk, crypto.scalarmult_h(rv.txnFee - 100), digest, ) self.assertFalse(r)
async def sign_transaction_data(self, tx, multisig=False, exp_tx_prefix_hash=None, use_tx_keys=None): """ Uses Trezor to sign the transaction :param tx: :type tx: xmrtypes.TxConstructionData :param multisig: :param exp_tx_prefix_hash: :param use_tx_keys: :return: """ self.ct = TData() self.ct.tx_data = tx payment_id = [] extras = await monero.parse_extra_fields(tx.extra) extra_nonce = monero.find_tx_extra_field_by_type( extras, xmrtypes.TxExtraNonce) if extra_nonce and monero.has_encrypted_payment_id(extra_nonce.nonce): payment_id = monero.get_encrypted_payment_id_from_tx_extra_nonce( extra_nonce.nonce) elif extra_nonce and monero.has_payment_id(extra_nonce.nonce): payment_id = monero.get_payment_id_from_tx_extra_nonce( extra_nonce.nonce) # Init transaction tsx_data = TsxData() tsx_data.version = 1 tsx_data.payment_id = payment_id tsx_data.unlock_time = tx.unlock_time tsx_data.outputs = tx.splitted_dsts tsx_data.change_dts = tx.change_dts tsx_data.num_inputs = len(tx.sources) tsx_data.mixin = len(tx.sources[0].outputs) tsx_data.fee = sum([x.amount for x in tx.sources]) - sum( [x.amount for x in tx.splitted_dsts]) tsx_data.account = tx.subaddr_account tsx_data.minor_indices = tx.subaddr_indices tsx_data.is_multisig = multisig tsx_data.is_bulletproof = False tsx_data.exp_tx_prefix_hash = common.defval(exp_tx_prefix_hash, b"") tsx_data.use_tx_keys = common.defval(use_tx_keys, []) self.ct.tx.unlock_time = tx.unlock_time self.ct.tsx_data = tsx_data tsx_data_pb = await tmisc.translate_tsx_data_pb(tsx_data) init_msg = MoneroTransactionInitRequest( version=0, address_n=self.address_n, network_type=self.network_type, tsx_data=tsx_data_pb, ) t_res = await self.trezor.tsx_sign( MoneroTransactionSignRequest(init=init_msg) ) # type: MoneroTransactionInitAck self.handle_error(t_res) in_memory = t_res.in_memory self.ct.tx_out_entr_hmacs = t_res.hmacs # Set transaction inputs for idx, src in enumerate(tx.sources): src_bin = await tmisc.dump_msg(src) msg = MoneroTransactionSetInputRequest(src_entr=src_bin) t_res = await self.trezor.tsx_sign( MoneroTransactionSignRequest(set_input=msg) ) # type: MoneroTransactionSetInputAck self.handle_error(t_res) vini = await tmisc.parse_msg(t_res.vini, xmrtypes.TxinToKey()) self.ct.tx.vin.append(vini) self.ct.tx_in_hmacs.append(t_res.vini_hmac) self.ct.pseudo_outs.append( (t_res.pseudo_out, t_res.pseudo_out_hmac)) self.ct.alphas.append(t_res.alpha_enc) self.ct.spend_encs.append(t_res.spend_enc) # Sort key image self.ct.source_permutation = list(range(len(tx.sources))) self.ct.source_permutation.sort( key=lambda x: self.ct.tx.vin[x].k_image, reverse=True) def swapper(x, y): self.ct.tx.vin[x], self.ct.tx.vin[y] = self.ct.tx.vin[ y], self.ct.tx.vin[x] self.ct.tx_in_hmacs[x], self.ct.tx_in_hmacs[y] = ( self.ct.tx_in_hmacs[y], self.ct.tx_in_hmacs[x], ) self.ct.pseudo_outs[x], self.ct.pseudo_outs[y] = ( self.ct.pseudo_outs[y], self.ct.pseudo_outs[x], ) self.ct.alphas[x], self.ct.alphas[y] = self.ct.alphas[ y], self.ct.alphas[x] self.ct.spend_encs[x], self.ct.spend_encs[y] = ( self.ct.spend_encs[y], self.ct.spend_encs[x], ) tx.sources[x], tx.sources[y] = tx.sources[y], tx.sources[x] common.apply_permutation(self.ct.source_permutation, swapper) if not in_memory: msg = MoneroTransactionInputsPermutationRequest( perm=self.ct.source_permutation) t_res = await self.trezor.tsx_sign( MoneroTransactionSignRequest(input_permutation=msg)) self.handle_error(t_res) # Set vin_i back - tx prefix hashing # Done only if not in-memory. if not in_memory: for idx in range(len(self.ct.tx.vin)): msg = MoneroTransactionInputViniRequest( src_entr=await tmisc.dump_msg(tx.sources[idx]), vini=await tmisc.dump_msg(self.ct.tx.vin[idx]), vini_hmac=self.ct.tx_in_hmacs[idx], pseudo_out=self.ct.pseudo_outs[idx][0] if not in_memory else None, pseudo_out_hmac=self.ct.pseudo_outs[idx][1] if not in_memory else None, ) t_res = await self.trezor.tsx_sign( MoneroTransactionSignRequest(input_vini=msg)) self.handle_error(t_res) # Set transaction outputs for idx, dst in enumerate(tx.splitted_dsts): msg = MoneroTransactionSetOutputRequest( dst_entr=await tmisc.dump_msg(dst), dst_entr_hmac=self.ct.tx_out_entr_hmacs[idx], ) t_res = await self.trezor.tsx_sign( MoneroTransactionSignRequest(set_output=msg) ) # type: MoneroTransactionSetOutputAck self.handle_error(t_res) self.ct.tx.vout.append(await tmisc.parse_msg(t_res.tx_out, xmrtypes.TxOut())) self.ct.tx_out_hmacs.append(t_res.vouti_hmac) self.ct.tx_out_rsigs.append(await tmisc.parse_msg( t_res.rsig, xmrtypes.RangeSig())) self.ct.tx_out_pk.append(await tmisc.parse_msg(t_res.out_pk, xmrtypes.CtKey())) self.ct.tx_out_ecdh.append(await tmisc.parse_msg(t_res.ecdh_info, xmrtypes.EcdhTuple())) # Rsig verification try: rsig = self.ct.tx_out_rsigs[-1] if not ring_ct.ver_range(C=None, rsig=rsig): logger.warning("Rsing not valid") except Exception as e: logger.error("Exception rsig: %s" % e) traceback.print_exc() t_res = await self.trezor.tsx_sign( MoneroTransactionSignRequest( all_out_set=MoneroTransactionAllOutSetRequest()) ) # type: MoneroTransactionAllOutSetAck self.handle_error(t_res) rv = xmrtypes.RctSig() rv.p = xmrtypes.RctSigPrunable() rv.txnFee = t_res.rv.txn_fee rv.message = t_res.rv.message rv.type = t_res.rv.rv_type self.ct.tx.extra = list(bytearray(t_res.extra)) # Verify transaction prefix hash correctness, tx hash in one pass self.ct.tx_prefix_hash = await monero.get_transaction_prefix_hash( self.ct.tx) if not common.ct_equal(t_res.tx_prefix_hash, self.ct.tx_prefix_hash): raise ValueError("Transaction prefix has does not match") # RctSig if self.is_simple(rv): if self.is_bulletproof(rv): rv.p.pseudoOuts = [x[0] for x in self.ct.pseudo_outs] else: rv.pseudoOuts = [x[0] for x in self.ct.pseudo_outs] # Range proof rv.p.rangeSigs = [] rv.outPk = [] rv.ecdhInfo = [] for idx in range(len(self.ct.tx_out_rsigs)): rv.p.rangeSigs.append(self.ct.tx_out_rsigs[idx]) rv.outPk.append(self.ct.tx_out_pk[idx]) rv.ecdhInfo.append(self.ct.tx_out_ecdh[idx]) # MLSAG message check t_res = await self.trezor.tsx_sign( MoneroTransactionSignRequest( mlsag_done=MoneroTransactionMlsagDoneRequest()) ) # type: MoneroTransactionMlsagDoneAck self.handle_error(t_res) mlsag_hash = t_res.full_message_hash mlsag_hash_computed = await monero.get_pre_mlsag_hash(rv) if not common.ct_equal(mlsag_hash, mlsag_hash_computed): raise ValueError("Pre MLSAG hash has does not match") # Sign each input couts = [] rv.p.MGs = [] for idx, src in enumerate(tx.sources): msg = MoneroTransactionSignInputRequest( await tmisc.dump_msg(src), await tmisc.dump_msg(self.ct.tx.vin[idx]), self.ct.tx_in_hmacs[idx], self.ct.pseudo_outs[idx][0] if not in_memory else None, self.ct.pseudo_outs[idx][1] if not in_memory else None, self.ct.alphas[idx], self.ct.spend_encs[idx], ) t_res = await self.trezor.tsx_sign( MoneroTransactionSignRequest(sign_input=msg) ) # type: MoneroTransactionSignInputAck self.handle_error(t_res) mg = await tmisc.parse_msg(t_res.signature, xmrtypes.MgSig()) rv.p.MGs.append(mg) couts.append(t_res.cout) self.ct.tx.signatures = [] self.ct.tx.rct_signatures = rv t_res = await self.trezor.tsx_sign( MoneroTransactionSignRequest( final_msg=MoneroTransactionFinalRequest()) ) # type: MoneroTransactionFinalAck self.handle_error(t_res) if multisig: cout_key = t_res.cout_key for ccout in couts: self.ct.couts.append( chacha_poly.decrypt(cout_key, ccout[0], ccout[1], ccout[2])) self.ct.enc_salt1, self.ct.enc_salt2 = t_res.salt, t_res.rand_mult self.ct.enc_keys = t_res.tx_enc_keys return self.ct.tx