monero_generators/
lib.rs

1#![cfg_attr(docsrs, feature(doc_auto_cfg))]
2#![doc = include_str!("../README.md")]
3#![deny(missing_docs)]
4#![cfg_attr(not(feature = "std"), no_std)]
5
6use std_shims::{sync::LazyLock, vec::Vec};
7
8use sha3::{Digest, Keccak256};
9
10use curve25519_dalek::{constants::ED25519_BASEPOINT_POINT, edwards::EdwardsPoint};
11use curve25519_dalek::edwards::CompressedEdwardsY;
12use monero_io::{write_varint, decompress_point};
13
14mod hash_to_point;
15pub use hash_to_point::hash_to_point;
16
17#[cfg(test)]
18mod tests;
19
20fn keccak256(data: &[u8]) -> [u8; 32] {
21  Keccak256::digest(data).into()
22}
23
24/// Monero's `H` generator.
25///
26/// Contrary to convention (`G` for values, `H` for randomness), `H` is used by Monero for amounts
27/// within Pedersen commitments.
28#[allow(non_snake_case)]
29pub static H: LazyLock<EdwardsPoint> = LazyLock::new(|| {
30  decompress_point(CompressedEdwardsY(keccak256(&ED25519_BASEPOINT_POINT.compress().to_bytes())))
31    .unwrap()
32    .mul_by_cofactor()
33});
34
35static H_POW_2_CELL: LazyLock<[EdwardsPoint; 64]> = LazyLock::new(|| {
36  let mut res = [*H; 64];
37  for i in 1 .. 64 {
38    res[i] = res[i - 1] + res[i - 1];
39  }
40  res
41});
42/// Monero's `H` generator, multiplied by 2**i for i in 1 ..= 64.
43///
44/// This table is useful when working with amounts, which are u64s.
45#[allow(non_snake_case)]
46pub fn H_pow_2() -> &'static [EdwardsPoint; 64] {
47  &H_POW_2_CELL
48}
49
50/// The maximum amount of commitments provable for within a single range proof.
51pub const MAX_COMMITMENTS: usize = 16;
52/// The amount of bits a value within a commitment may use.
53pub const COMMITMENT_BITS: usize = 64;
54/// The logarithm (over 2) of the amount of bits a value within a commitment may use.
55pub const LOG_COMMITMENT_BITS: usize = 6; // 2 ** 6 == N
56
57/// Container struct for Bulletproofs(+) generators.
58#[allow(non_snake_case)]
59pub struct Generators {
60  /// The G (bold) vector of generators.
61  pub G: Vec<EdwardsPoint>,
62  /// The H (bold) vector of generators.
63  pub H: Vec<EdwardsPoint>,
64}
65
66/// Generate generators as needed for Bulletproofs(+), as Monero does.
67///
68/// Consumers should not call this function ad-hoc, yet call it within a build script or use a
69/// once-initialized static.
70pub fn bulletproofs_generators(dst: &'static [u8]) -> Generators {
71  // The maximum amount of bits used within a single range proof.
72  const MAX_MN: usize = MAX_COMMITMENTS * COMMITMENT_BITS;
73
74  let mut preimage = H.compress().to_bytes().to_vec();
75  preimage.extend(dst);
76
77  let mut res = Generators { G: Vec::with_capacity(MAX_MN), H: Vec::with_capacity(MAX_MN) };
78  for i in 0 .. MAX_MN {
79    // We generate a pair of generators per iteration
80    let i = 2 * i;
81
82    let mut even = preimage.clone();
83    write_varint(&i, &mut even).unwrap();
84    res.H.push(hash_to_point(keccak256(&even)));
85
86    let mut odd = preimage.clone();
87    write_varint(&(i + 1), &mut odd).unwrap();
88    res.G.push(hash_to_point(keccak256(&odd)));
89  }
90  res
91}