cuprate_consensus_rules/transactions/
ring_ct.rs

1use curve25519_dalek::{EdwardsPoint, Scalar};
2use hex_literal::hex;
3use monero_serai::{
4    generators::H,
5    io::decompress_point,
6    ringct::{
7        clsag::ClsagError,
8        mlsag::{AggregateRingMatrixBuilder, MlsagError, RingMatrix},
9        RctProofs, RctPrunable, RctType,
10    },
11    transaction::Input,
12};
13use rand::thread_rng;
14#[cfg(feature = "rayon")]
15use rayon::prelude::*;
16
17use crate::{batch_verifier::BatchVerifier, transactions::Rings, try_par_iter, HardFork};
18
19/// This constant contains the IDs of 2 transactions that should be allowed after the fork the ringCT
20/// type they used should be banned.
21const GRANDFATHERED_TRANSACTIONS: [[u8; 32]; 2] = [
22    hex!("c5151944f0583097ba0c88cd0f43e7fabb3881278aa2f73b3b0a007c5d34e910"),
23    hex!("6f2f117cde6fbcf8d4a6ef8974fcac744726574ac38cf25d3322c996b21edd4c"),
24];
25
26#[derive(Debug, Clone, Copy, PartialEq, Eq, thiserror::Error)]
27pub enum RingCTError {
28    #[error("The RingCT type used is not allowed.")]
29    TypeNotAllowed,
30    #[error("RingCT simple: sum pseudo-outs does not equal outputs.")]
31    SimpleAmountDoNotBalance,
32    #[error("The borromean range proof is invalid.")]
33    BorromeanRangeInvalid,
34    #[error("The bulletproofs range proof is invalid.")]
35    BulletproofsRangeInvalid,
36    #[error("One or more input ring is invalid.")]
37    RingInvalid,
38    #[error("MLSAG Error: {0}.")]
39    MLSAGError(#[from] MlsagError),
40    #[error("CLSAG Error: {0}.")]
41    CLSAGError(#[from] ClsagError),
42}
43
44/// Checks the `RingCT` type is allowed for the current hard fork.
45///
46/// <https://monero-book.cuprate.org/consensus_rules/ring_ct.html#type>
47fn check_rct_type(ty: RctType, hf: HardFork, tx_hash: &[u8; 32]) -> Result<(), RingCTError> {
48    use HardFork as F;
49    use RctType as T;
50
51    match ty {
52        T::AggregateMlsagBorromean | T::MlsagBorromean if hf >= F::V4 && hf < F::V9 => Ok(()),
53        T::MlsagBulletproofs if hf >= F::V8 && hf < F::V11 => Ok(()),
54        T::MlsagBulletproofsCompactAmount if hf >= F::V10 && hf < F::V14 => Ok(()),
55        T::MlsagBulletproofsCompactAmount if GRANDFATHERED_TRANSACTIONS.contains(tx_hash) => Ok(()),
56        T::ClsagBulletproof if hf >= F::V13 && hf < F::V16 => Ok(()),
57        T::ClsagBulletproofPlus if hf >= F::V15 => Ok(()),
58        _ => Err(RingCTError::TypeNotAllowed),
59    }
60}
61
62/// Checks that the pseudo-outs sum to the same point as the output commitments.
63///
64/// <https://monero-book.cuprate.org/consensus_rules/ring_ct.html#pseudo-outs-outpks-balance>
65fn simple_type_balances(rct_sig: &RctProofs) -> Result<(), RingCTError> {
66    let pseudo_outs = if rct_sig.rct_type() == RctType::MlsagBorromean {
67        &rct_sig.base.pseudo_outs
68    } else {
69        match &rct_sig.prunable {
70            RctPrunable::Clsag { pseudo_outs, .. }
71            | RctPrunable::MlsagBulletproofsCompactAmount { pseudo_outs, .. }
72            | RctPrunable::MlsagBulletproofs { pseudo_outs, .. } => pseudo_outs,
73            RctPrunable::MlsagBorromean { .. } => &rct_sig.base.pseudo_outs,
74            RctPrunable::AggregateMlsagBorromean { .. } => panic!("RingCT type is not simple!"),
75        }
76    };
77
78    let sum_inputs = pseudo_outs
79        .iter()
80        .copied()
81        .map(decompress_point)
82        .sum::<Option<EdwardsPoint>>()
83        .ok_or(RingCTError::SimpleAmountDoNotBalance)?;
84    let sum_outputs = rct_sig
85        .base
86        .commitments
87        .iter()
88        .copied()
89        .map(decompress_point)
90        .sum::<Option<EdwardsPoint>>()
91        .ok_or(RingCTError::SimpleAmountDoNotBalance)?
92        + Scalar::from(rct_sig.base.fee) * *H;
93
94    if sum_inputs == sum_outputs {
95        Ok(())
96    } else {
97        Err(RingCTError::SimpleAmountDoNotBalance)
98    }
99}
100
101/// Checks the outputs range proof(s)
102///
103/// <https://monero-book.cuprate.org/consensus_rules/ring_ct/borromean.html>
104/// <https://monero-book.cuprate.org/consensus_rules/ring_ct/bulletproofs.html>
105/// <https://monero-book.cuprate.org/consensus_rules/ring_ct/bulletproofs+.html>
106fn check_output_range_proofs(
107    proofs: &RctProofs,
108    mut verifier: impl BatchVerifier,
109) -> Result<(), RingCTError> {
110    let commitments = &proofs.base.commitments;
111
112    match &proofs.prunable {
113        RctPrunable::MlsagBorromean { borromean, .. }
114        | RctPrunable::AggregateMlsagBorromean { borromean, .. } => try_par_iter(borromean)
115            .zip(commitments)
116            .try_for_each(|(borro, commitment)| {
117                if borro.verify(commitment) {
118                    Ok(())
119                } else {
120                    Err(RingCTError::BorromeanRangeInvalid)
121                }
122            }),
123        RctPrunable::MlsagBulletproofs { bulletproof, .. }
124        | RctPrunable::MlsagBulletproofsCompactAmount { bulletproof, .. }
125        | RctPrunable::Clsag { bulletproof, .. } => {
126            if verifier.queue_statement(|verifier| {
127                bulletproof.batch_verify(&mut thread_rng(), verifier, commitments)
128            }) {
129                Ok(())
130            } else {
131                Err(RingCTError::BulletproofsRangeInvalid)
132            }
133        }
134    }
135}
136
137pub(crate) fn ring_ct_semantic_checks(
138    proofs: &RctProofs,
139    tx_hash: &[u8; 32],
140    verifier: impl BatchVerifier,
141    hf: HardFork,
142) -> Result<(), RingCTError> {
143    let rct_type = proofs.rct_type();
144
145    check_rct_type(rct_type, hf, tx_hash)?;
146    check_output_range_proofs(proofs, verifier)?;
147
148    if rct_type != RctType::AggregateMlsagBorromean {
149        simple_type_balances(proofs)?;
150    }
151
152    Ok(())
153}
154
155/// Check the input signatures: MLSAG, CLSAG.
156///
157/// <https://monero-book.cuprate.org/consensus_rules/ring_ct/mlsag.html>
158/// <https://monero-book.cuprate.org/consensus_rules/ring_ct/clsag.html>
159pub(crate) fn check_input_signatures(
160    msg: &[u8; 32],
161    inputs: &[Input],
162    proofs: &RctProofs,
163    rings: &Rings,
164) -> Result<(), RingCTError> {
165    let Rings::RingCT(rings) = rings else {
166        panic!("Tried to verify RCT transaction without RCT ring");
167    };
168
169    if rings.is_empty() {
170        return Err(RingCTError::RingInvalid);
171    }
172
173    let pseudo_outs = match &proofs.prunable {
174        RctPrunable::MlsagBulletproofs { pseudo_outs, .. }
175        | RctPrunable::MlsagBulletproofsCompactAmount { pseudo_outs, .. }
176        | RctPrunable::Clsag { pseudo_outs, .. } => pseudo_outs.as_slice(),
177        RctPrunable::MlsagBorromean { .. } => proofs.base.pseudo_outs.as_slice(),
178        RctPrunable::AggregateMlsagBorromean { .. } => &[],
179    };
180
181    match &proofs.prunable {
182        RctPrunable::AggregateMlsagBorromean { mlsag, .. } => {
183            let key_images = inputs
184                .iter()
185                .map(|inp| {
186                    let Input::ToKey { key_image, .. } = inp else {
187                        panic!("How did we build a ring with no decoys?");
188                    };
189                    *key_image
190                })
191                .collect::<Vec<_>>();
192
193            let mut matrix =
194                AggregateRingMatrixBuilder::new(&proofs.base.commitments, proofs.base.fee)?;
195
196            rings.iter().try_for_each(|ring| matrix.push_ring(ring))?;
197
198            Ok(mlsag.verify(msg, &matrix.build()?, &key_images)?)
199        }
200        RctPrunable::MlsagBorromean { mlsags, .. }
201        | RctPrunable::MlsagBulletproofsCompactAmount { mlsags, .. }
202        | RctPrunable::MlsagBulletproofs { mlsags, .. } => try_par_iter(mlsags)
203            .zip(pseudo_outs)
204            .zip(inputs)
205            .zip(rings)
206            .try_for_each(|(((mlsag, pseudo_out), input), ring)| {
207                let Input::ToKey { key_image, .. } = input else {
208                    panic!("How did we build a ring with no decoys?");
209                };
210
211                Ok(mlsag.verify(
212                    msg,
213                    &RingMatrix::individual(ring, *pseudo_out)?,
214                    &[*key_image],
215                )?)
216            }),
217        RctPrunable::Clsag { clsags, .. } => try_par_iter(clsags)
218            .zip(pseudo_outs)
219            .zip(inputs)
220            .zip(rings)
221            .try_for_each(|(((clsags, pseudo_out), input), ring)| {
222                let Input::ToKey { key_image, .. } = input else {
223                    panic!("How did we build a ring with no decoys?");
224                };
225
226                Ok(clsags.verify(ring.clone(), key_image, pseudo_out, msg)?)
227            }),
228    }
229}
230
231#[cfg(test)]
232mod tests {
233    use super::*;
234
235    #[test]
236    fn grandfathered_bulletproofs2() {
237        assert!(check_rct_type(
238            RctType::MlsagBulletproofsCompactAmount,
239            HardFork::V14,
240            &[0; 32]
241        )
242        .is_err());
243
244        assert!(check_rct_type(
245            RctType::MlsagBulletproofsCompactAmount,
246            HardFork::V14,
247            &GRANDFATHERED_TRANSACTIONS[0]
248        )
249        .is_ok());
250        assert!(check_rct_type(
251            RctType::MlsagBulletproofsCompactAmount,
252            HardFork::V14,
253            &GRANDFATHERED_TRANSACTIONS[1]
254        )
255        .is_ok());
256    }
257}