use curve25519_dalek::{EdwardsPoint, Scalar};
use hex_literal::hex;
use monero_serai::{
    generators::H,
    ringct::{
        clsag::ClsagError,
        mlsag::{AggregateRingMatrixBuilder, MlsagError, RingMatrix},
        RctProofs, RctPrunable, RctType,
    },
    transaction::Input,
};
use rand::thread_rng;
#[cfg(feature = "rayon")]
use rayon::prelude::*;

use crate::{batch_verifier::BatchVerifier, transactions::Rings, try_par_iter, HardFork};

/// IDs of the 2 transactions that remain valid after the hard fork which banned the RingCT
/// type they use.
///
/// [`check_rct_type`] accepts `MlsagBulletproofsCompactAmount` for these hashes at any hard
/// fork; every other transaction of that type is bound to its normal fork window.
const GRANDFATHERED_TRANSACTIONS: [[u8; 32]; 2] = [
    hex!("c5151944f0583097ba0c88cd0f43e7fabb3881278aa2f73b3b0a007c5d34e910"),
    hex!("6f2f117cde6fbcf8d4a6ef8974fcac744726574ac38cf25d3322c996b21edd4c"),
];

/// Errors produced by the RingCT consensus checks in this module.
#[derive(Debug, Clone, Copy, PartialEq, Eq, thiserror::Error)]
pub enum RingCTError {
    /// The RingCT type is not permitted under the hard fork being validated
    /// (see [`check_rct_type`]).
    #[error("The RingCT type used is not allowed.")]
    TypeNotAllowed,
    /// For the non-aggregate ("simple") types, the pseudo-out commitments do not sum to the
    /// output commitments plus the fee commitment (see [`simple_type_balances`]).
    #[error("RingCT simple: sum pseudo-outs does not equal outputs.")]
    SimpleAmountDoNotBalance,
    /// An individual Borromean range proof failed to verify against its output commitment.
    #[error("The borromean range proof is invalid.")]
    BorromeanRangeInvalid,
    /// The Bulletproof(+) range proof could not be queued as valid on the batch verifier.
    #[error("The bulletproofs range proof is invalid.")]
    BulletproofsRangeInvalid,
    /// No rings were supplied for a RingCT transaction (see [`check_input_signatures`]).
    #[error("One or more input ring is invalid.")]
    RingInvalid,
    /// An MLSAG ring matrix could not be built or an MLSAG signature failed to verify.
    #[error("MLSAG Error: {0}.")]
    MLSAGError(#[from] MlsagError),
    /// A CLSAG signature failed to verify.
    #[error("CLSAG Error: {0}.")]
    CLSAGError(#[from] ClsagError),
}

/// Checks the RingCT type is allowed for the current hard fork.
///
/// <https://monero-book.cuprate.org/consensus_rules/ring_ct.html#type>
///
/// Each type is accepted only inside its hard-fork window (lower bound inclusive, upper bound
/// exclusive); `ClsagBulletproofPlus` has no upper bound. `tx_hash` is the transaction ID and
/// is used solely to exempt the two [`GRANDFATHERED_TRANSACTIONS`] from the
/// `MlsagBulletproofsCompactAmount` window, whatever `hf` is.
///
/// Returns [`RingCTError::TypeNotAllowed`] for any type/fork combination not listed.
fn check_rct_type(ty: &RctType, hf: HardFork, tx_hash: &[u8; 32]) -> Result<(), RingCTError> {
    use HardFork as F;
    use RctType as T;

    let allowed = match ty {
        T::AggregateMlsagBorromean | T::MlsagBorromean => (F::V4..F::V9).contains(&hf),
        T::MlsagBulletproofs => (F::V8..F::V11).contains(&hf),
        T::MlsagBulletproofsCompactAmount => {
            (F::V10..F::V14).contains(&hf) || GRANDFATHERED_TRANSACTIONS.contains(tx_hash)
        }
        T::ClsagBulletproof => (F::V13..F::V16).contains(&hf),
        T::ClsagBulletproofPlus => hf >= F::V15,
        // Any type outside the windows above is never valid on-chain.
        _ => false,
    };

    allowed.then_some(()).ok_or(RingCTError::TypeNotAllowed)
}

/// Checks that the pseudo-outs sum to the same point as the output commitments.
///
/// <https://monero-book.cuprate.org/consensus_rules/ring_ct.html#pseudo-outs-outpks-balance>
///
/// The expected total is the sum of the output commitments plus `fee * H`, so a transaction
/// that hides inflation in its pseudo-outs is rejected with
/// [`RingCTError::SimpleAmountDoNotBalance`].
///
/// # Panics
///
/// Panics for `AggregateMlsagBorromean`, which has no pseudo-outs; the caller
/// ([`ring_ct_semantic_checks`]) must skip this check for that type.
fn simple_type_balances(rct_sig: &RctProofs) -> Result<(), RingCTError> {
    let base = &rct_sig.base;

    // `MlsagBorromean` keeps its pseudo-outs in the base; the Bulletproof-era types keep them
    // in the prunable part.
    let pseudo_outs = if rct_sig.rct_type() == RctType::MlsagBorromean {
        &base.pseudo_outs
    } else {
        match &rct_sig.prunable {
            RctPrunable::AggregateMlsagBorromean { .. } => panic!("RingCT type is not simple!"),
            RctPrunable::MlsagBorromean { .. } => &base.pseudo_outs,
            RctPrunable::Clsag { pseudo_outs, .. }
            | RctPrunable::MlsagBulletproofs { pseudo_outs, .. }
            | RctPrunable::MlsagBulletproofsCompactAmount { pseudo_outs, .. } => pseudo_outs,
        }
    };

    let fee_commitment = Scalar::from(base.fee) * *H;
    let inputs_total: EdwardsPoint = pseudo_outs.iter().sum();
    let outputs_total: EdwardsPoint =
        base.commitments.iter().sum::<EdwardsPoint>() + fee_commitment;

    (inputs_total == outputs_total)
        .then_some(())
        .ok_or(RingCTError::SimpleAmountDoNotBalance)
}

/// Checks the outputs range proof(s)
///
/// <https://monero-book.cuprate.org/consensus_rules/ring_ct/borromean.html>
/// <https://monero-book.cuprate.org/consensus_rules/ring_ct/bulletproofs.html>
/// <https://monero-book.cuprate.org/consensus_rules/ring_ct/bulletproofs+.html>
///
/// Borromean proofs are verified one per output commitment, in parallel when the `rayon`
/// feature is on. Bulletproof(+) proofs are not verified here: the statement is queued on
/// `verifier` and only its acceptance into the batch is checked.
///
/// NOTE(review): the Borromean path zips proofs with commitments, so a proof count shorter
/// than the commitment count would leave the tail unchecked; this relies on the deserializer
/// having tied the two lengths together — confirm.
fn check_output_range_proofs(
    proofs: &RctProofs,
    mut verifier: impl BatchVerifier,
) -> Result<(), RingCTError> {
    let commitments = &proofs.base.commitments;

    match &proofs.prunable {
        RctPrunable::AggregateMlsagBorromean { borromean, .. }
        | RctPrunable::MlsagBorromean { borromean, .. } => try_par_iter(borromean)
            .zip(commitments)
            .try_for_each(|(range_proof, commitment)| {
                range_proof
                    .verify(commitment)
                    .then_some(())
                    .ok_or(RingCTError::BorromeanRangeInvalid)
            }),
        RctPrunable::Clsag { bulletproof, .. }
        | RctPrunable::MlsagBulletproofs { bulletproof, .. }
        | RctPrunable::MlsagBulletproofsCompactAmount { bulletproof, .. } => {
            let queued = verifier.queue_statement(|batch| {
                bulletproof.batch_verify(&mut thread_rng(), batch, commitments)
            });
            queued.then_some(()).ok_or(RingCTError::BulletproofsRangeInvalid)
        }
    }
}

/// Runs the RingCT checks that need only the transaction itself (no ring members):
/// the RingCT type must be allowed under `hf`, the output range proofs must verify
/// (Bulletproofs are queued on `verifier`), and for every type except
/// `AggregateMlsagBorromean` the pseudo-outs must balance the outputs plus fee.
///
/// `tx_hash` is only used for the grandfathered-transaction exemption in [`check_rct_type`].
/// Returns the error of the first check that fails.
pub(crate) fn ring_ct_semantic_checks(
    proofs: &RctProofs,
    tx_hash: &[u8; 32],
    verifier: impl BatchVerifier,
    hf: &HardFork,
) -> Result<(), RingCTError> {
    let rct_type = proofs.rct_type();

    check_rct_type(&rct_type, *hf, tx_hash)
        .and_then(|()| check_output_range_proofs(proofs, verifier))
        .and_then(|()| {
            // The aggregate type carries no pseudo-outs, so there is nothing to balance.
            if rct_type == RctType::AggregateMlsagBorromean {
                Ok(())
            } else {
                simple_type_balances(proofs)
            }
        })
}

/// Check the input signatures: MLSAG, CLSAG.
///
/// <https://monero-book.cuprate.org/consensus_rules/ring_ct/mlsag.html>
/// <https://monero-book.cuprate.org/consensus_rules/ring_ct/clsag.html>
///
/// `msg` is the 32-byte message the signatures are checked against (built by the caller),
/// `inputs` the transaction's inputs, `proofs` its RingCT data and `rings` the ring members
/// fetched for those inputs. Individual MLSAG/CLSAG signatures are checked in parallel when
/// the `rayon` feature is on; the aggregate MLSAG is one signature over all rings.
///
/// Returns [`RingCTError::RingInvalid`] when no rings were supplied, or the wrapped
/// [`MlsagError`]/[`ClsagError`] when a matrix cannot be built or a signature fails.
///
/// NOTE(review): the per-input paths zip signatures, pseudo-outs, inputs and rings and stop at
/// the shortest sequence; this relies on the deserializer and ring builder having tied those
/// counts to the input count — confirm.
///
/// # Panics
///
/// Panics if `rings` is not [`Rings::RingCT`] or an input is not [`Input::ToKey`]; both are
/// invariants of the caller that built the rings for a RingCT transaction.
pub(crate) fn check_input_signatures(
    msg: &[u8; 32],
    inputs: &[Input],
    proofs: &RctProofs,
    rings: &Rings,
) -> Result<(), RingCTError> {
    let Rings::RingCT(rings) = rings else {
        panic!("Tried to verify RCT transaction without RCT ring");
    };

    if rings.is_empty() {
        return Err(RingCTError::RingInvalid);
    }

    // Every input of a RingCT transaction must be a `ToKey` input; anything else is a bug in
    // the caller that built the rings, not a consensus failure.
    let key_image_of = |input: &Input| {
        let Input::ToKey { key_image, .. } = input else {
            panic!("How did we build a ring with no decoys?");
        };
        *key_image
    };

    let base = &proofs.base;

    // Per-input pseudo-out commitments; the aggregate type has none.
    let pseudo_outs = match &proofs.prunable {
        RctPrunable::MlsagBorromean { .. } => base.pseudo_outs.as_slice(),
        RctPrunable::Clsag { pseudo_outs, .. }
        | RctPrunable::MlsagBulletproofs { pseudo_outs, .. }
        | RctPrunable::MlsagBulletproofsCompactAmount { pseudo_outs, .. } => {
            pseudo_outs.as_slice()
        }
        RctPrunable::AggregateMlsagBorromean { .. } => &[],
    };

    match &proofs.prunable {
        RctPrunable::AggregateMlsagBorromean { mlsag, .. } => {
            let key_images: Vec<_> = inputs.iter().map(key_image_of).collect();

            let mut matrix = AggregateRingMatrixBuilder::new(&base.commitments, base.fee);
            for ring in rings {
                matrix.push_ring(ring)?;
            }

            mlsag.verify(msg, &matrix.build()?, &key_images)?;
            Ok(())
        }
        RctPrunable::MlsagBorromean { mlsags, .. }
        | RctPrunable::MlsagBulletproofs { mlsags, .. }
        | RctPrunable::MlsagBulletproofsCompactAmount { mlsags, .. } => try_par_iter(mlsags)
            .zip(pseudo_outs)
            .zip(inputs)
            .zip(rings)
            .try_for_each(|(((mlsag, pseudo_out), input), ring)| {
                let matrix = RingMatrix::individual(ring, *pseudo_out)?;
                mlsag.verify(msg, &matrix, &[key_image_of(input)])?;
                Ok(())
            }),
        RctPrunable::Clsag { clsags, .. } => try_par_iter(clsags)
            .zip(pseudo_outs)
            .zip(inputs)
            .zip(rings)
            .try_for_each(|(((clsag, pseudo_out), input), ring)| {
                clsag.verify(ring, &key_image_of(input), pseudo_out, msg)?;
                Ok(())
            }),
    }
}

#[cfg(test)]
mod tests {
    use super::*;

    /// At V14 the compact-amount MLSAG type is outside its window and must be rejected,
    /// except for the two grandfathered transaction IDs, which stay accepted.
    #[test]
    fn grandfathered_bulletproofs2() {
        let ty = RctType::MlsagBulletproofsCompactAmount;

        assert!(check_rct_type(&ty, HardFork::V14, &[0; 32]).is_err());

        for tx_hash in &GRANDFATHERED_TRANSACTIONS {
            assert!(check_rct_type(&ty, HardFork::V14, tx_hash).is_ok());
        }
    }
}