monero_serai/
ringct.rs

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
use std_shims::{
  vec,
  vec::Vec,
  io::{self, Read, Write},
};

use zeroize::Zeroize;

use curve25519_dalek::edwards::EdwardsPoint;

pub use monero_mlsag as mlsag;
pub use monero_clsag as clsag;
pub use monero_borromean as borromean;
pub use monero_bulletproofs as bulletproofs;

use crate::{
  io::*,
  ringct::{mlsag::Mlsag, clsag::Clsag, borromean::BorromeanRange, bulletproofs::Bulletproof},
};

/// An encrypted amount.
#[derive(Clone, PartialEq, Eq, Debug)]
pub enum EncryptedAmount {
  /// The original format for encrypted amounts.
  Original {
    /// A mask used with a mask derived from the shared secret to encrypt the amount.
    mask: [u8; 32],
    /// The amount, as a scalar, encrypted.
    amount: [u8; 32],
  },
  /// The "compact" format for encrypted amounts.
  Compact {
    /// The amount, as a u64, encrypted.
    amount: [u8; 8],
  },
}

impl EncryptedAmount {
  /// Read an EncryptedAmount from a reader.
  pub fn read<R: Read>(compact: bool, r: &mut R) -> io::Result<EncryptedAmount> {
    Ok(if !compact {
      EncryptedAmount::Original { mask: read_bytes(r)?, amount: read_bytes(r)? }
    } else {
      EncryptedAmount::Compact { amount: read_bytes(r)? }
    })
  }

  /// Write the EncryptedAmount to a writer.
  pub fn write<W: Write>(&self, w: &mut W) -> io::Result<()> {
    match self {
      EncryptedAmount::Original { mask, amount } => {
        w.write_all(mask)?;
        w.write_all(amount)
      }
      EncryptedAmount::Compact { amount } => w.write_all(amount),
    }
  }
}

/// The type of the RingCT data.
#[derive(Clone, Copy, PartialEq, Eq, Debug, Zeroize)]
pub enum RctType {
  /// One MLSAG for multiple inputs and Borromean range proofs.
  ///
  /// This aligns with RCTTypeFull.
  AggregateMlsagBorromean,
  // One MLSAG for each input and a Borromean range proof.
  ///
  /// This aligns with RCTTypeSimple.
  MlsagBorromean,
  // One MLSAG for each input and a Bulletproof.
  ///
  /// This aligns with RCTTypeBulletproof.
  MlsagBulletproofs,
  /// One MLSAG for each input and a Bulletproof, yet using EncryptedAmount::Compact.
  ///
  /// This aligns with RCTTypeBulletproof2.
  MlsagBulletproofsCompactAmount,
  /// One CLSAG for each input and a Bulletproof.
  ///
  /// This aligns with RCTTypeCLSAG.
  ClsagBulletproof,
  /// One CLSAG for each input and a Bulletproof+.
  ///
  /// This aligns with RCTTypeBulletproofPlus.
  ClsagBulletproofPlus,
}

impl From<RctType> for u8 {
  fn from(rct_type: RctType) -> u8 {
    match rct_type {
      RctType::AggregateMlsagBorromean => 1,
      RctType::MlsagBorromean => 2,
      RctType::MlsagBulletproofs => 3,
      RctType::MlsagBulletproofsCompactAmount => 4,
      RctType::ClsagBulletproof => 5,
      RctType::ClsagBulletproofPlus => 6,
    }
  }
}

impl TryFrom<u8> for RctType {
  type Error = ();
  fn try_from(byte: u8) -> Result<Self, ()> {
    Ok(match byte {
      1 => RctType::AggregateMlsagBorromean,
      2 => RctType::MlsagBorromean,
      3 => RctType::MlsagBulletproofs,
      4 => RctType::MlsagBulletproofsCompactAmount,
      5 => RctType::ClsagBulletproof,
      6 => RctType::ClsagBulletproofPlus,
      _ => Err(())?,
    })
  }
}

impl RctType {
  /// True if this RctType uses compact encrypted amounts, false otherwise.
  pub fn compact_encrypted_amounts(&self) -> bool {
    match self {
      RctType::AggregateMlsagBorromean | RctType::MlsagBorromean | RctType::MlsagBulletproofs => {
        false
      }
      RctType::MlsagBulletproofsCompactAmount |
      RctType::ClsagBulletproof |
      RctType::ClsagBulletproofPlus => true,
    }
  }

  /// True if this RctType uses a Bulletproof, false otherwise.
  pub(crate) fn bulletproof(&self) -> bool {
    match self {
      RctType::MlsagBulletproofs |
      RctType::MlsagBulletproofsCompactAmount |
      RctType::ClsagBulletproof => true,
      RctType::AggregateMlsagBorromean |
      RctType::MlsagBorromean |
      RctType::ClsagBulletproofPlus => false,
    }
  }

  /// True if this RctType uses a Bulletproof+, false otherwise.
  pub(crate) fn bulletproof_plus(&self) -> bool {
    match self {
      RctType::ClsagBulletproofPlus => true,
      RctType::AggregateMlsagBorromean |
      RctType::MlsagBorromean |
      RctType::MlsagBulletproofs |
      RctType::MlsagBulletproofsCompactAmount |
      RctType::ClsagBulletproof => false,
    }
  }
}

/// The base of the RingCT data.
///
/// This excludes all proofs (which once initially verified do not need to be kept around) and
/// solely keeps data which either impacts the effects of the transactions or is needed to scan it.
///
/// The one exception for this is `pseudo_outs`, which was originally present here yet moved to
/// RctPrunable in a later hard fork (causing it to be present in both).
#[derive(Clone, PartialEq, Eq, Debug)]
pub struct RctBase {
  /// The fee used by this transaction.
  pub fee: u64,
  /// The re-randomized amount commitments used within inputs.
  ///
  /// This field was deprecated and is empty for modern RctTypes.
  pub pseudo_outs: Vec<EdwardsPoint>,
  /// The encrypted amounts for the recipients to decrypt.
  pub encrypted_amounts: Vec<EncryptedAmount>,
  /// The output commitments.
  pub commitments: Vec<EdwardsPoint>,
}

impl RctBase {
  /// Write the RctBase.
  pub fn write<W: Write>(&self, w: &mut W, rct_type: RctType) -> io::Result<()> {
    w.write_all(&[u8::from(rct_type)])?;

    write_varint(&self.fee, w)?;
    if rct_type == RctType::MlsagBorromean {
      write_raw_vec(write_point, &self.pseudo_outs, w)?;
    }
    for encrypted_amount in &self.encrypted_amounts {
      encrypted_amount.write(w)?;
    }
    write_raw_vec(write_point, &self.commitments, w)
  }

  /// Read a RctBase.
  pub fn read<R: Read>(
    inputs: usize,
    outputs: usize,
    r: &mut R,
  ) -> io::Result<Option<(RctType, RctBase)>> {
    let rct_type = read_byte(r)?;
    if rct_type == 0 {
      return Ok(None);
    }
    let rct_type =
      RctType::try_from(rct_type).map_err(|()| io::Error::other("invalid RCT type"))?;

    match rct_type {
      RctType::AggregateMlsagBorromean | RctType::MlsagBorromean => {}
      RctType::MlsagBulletproofs |
      RctType::MlsagBulletproofsCompactAmount |
      RctType::ClsagBulletproof |
      RctType::ClsagBulletproofPlus => {
        if outputs == 0 {
          // Because the Bulletproofs(+) layout must be canonical, there must be 1 Bulletproof if
          // Bulletproofs are in use
          // If there are Bulletproofs, there must be a matching amount of outputs, implicitly
          // banning 0 outputs
          // Since HF 12 (CLSAG being 13), a 2-output minimum has also been enforced
          Err(io::Error::other("RCT with Bulletproofs(+) had 0 outputs"))?;
        }
      }
    }

    Ok(Some((
      rct_type,
      RctBase {
        fee: read_varint(r)?,
        // Only read pseudo_outs if they have yet to be moved to RctPrunable
        // This would apply to AggregateMlsagBorromean and MlsagBorromean, except
        // AggregateMlsagBorromean doesn't use pseudo_outs due to using the sum of the output
        // commitments directly as the effective singular pseudo-out
        pseudo_outs: if rct_type == RctType::MlsagBorromean {
          read_raw_vec(read_point, inputs, r)?
        } else {
          vec![]
        },
        encrypted_amounts: (0 .. outputs)
          .map(|_| EncryptedAmount::read(rct_type.compact_encrypted_amounts(), r))
          .collect::<Result<_, _>>()?,
        commitments: read_raw_vec(read_point, outputs, r)?,
      },
    )))
  }
}

/// The prunable part of the RingCT data.
#[derive(Clone, PartialEq, Eq, Debug)]
pub enum RctPrunable {
  /// An aggregate MLSAG with Borromean range proofs.
  AggregateMlsagBorromean {
    /// The aggregate MLSAG ring signature.
    mlsag: Mlsag,
    /// The Borromean range proofs for each output.
    borromean: Vec<BorromeanRange>,
  },
  /// MLSAGs with Borromean range proofs.
  MlsagBorromean {
    /// The MLSAG ring signatures for each input.
    mlsags: Vec<Mlsag>,
    /// The Borromean range proofs for each output.
    borromean: Vec<BorromeanRange>,
  },
  /// MLSAGs with Bulletproofs.
  MlsagBulletproofs {
    /// The MLSAG ring signatures for each input.
    mlsags: Vec<Mlsag>,
    /// The re-blinded commitments for the outputs being spent.
    pseudo_outs: Vec<EdwardsPoint>,
    /// The aggregate Bulletproof, proving the outputs are within range.
    bulletproof: Bulletproof,
  },
  /// MLSAGs with Bulletproofs and compact encrypted amounts.
  ///
  /// This has an identical layout to MlsagBulletproofs and is interpreted the exact same way. It's
  /// only differentiated to ensure discovery of the correct RctType.
  MlsagBulletproofsCompactAmount {
    /// The MLSAG ring signatures for each input.
    mlsags: Vec<Mlsag>,
    /// The re-blinded commitments for the outputs being spent.
    pseudo_outs: Vec<EdwardsPoint>,
    /// The aggregate Bulletproof, proving the outputs are within range.
    bulletproof: Bulletproof,
  },
  /// CLSAGs with Bulletproofs(+).
  Clsag {
    /// The CLSAGs for each input.
    clsags: Vec<Clsag>,
    /// The re-blinded commitments for the outputs being spent.
    pseudo_outs: Vec<EdwardsPoint>,
    /// The aggregate Bulletproof(+), proving the outputs are within range.
    bulletproof: Bulletproof,
  },
}

impl RctPrunable {
  /// Write the RctPrunable.
  pub fn write<W: Write>(&self, w: &mut W, rct_type: RctType) -> io::Result<()> {
    match self {
      RctPrunable::AggregateMlsagBorromean { borromean, mlsag } => {
        write_raw_vec(BorromeanRange::write, borromean, w)?;
        mlsag.write(w)
      }
      RctPrunable::MlsagBorromean { borromean, mlsags } => {
        write_raw_vec(BorromeanRange::write, borromean, w)?;
        write_raw_vec(Mlsag::write, mlsags, w)
      }
      RctPrunable::MlsagBulletproofs { bulletproof, mlsags, pseudo_outs } |
      RctPrunable::MlsagBulletproofsCompactAmount { bulletproof, mlsags, pseudo_outs } => {
        if rct_type == RctType::MlsagBulletproofs {
          w.write_all(&1u32.to_le_bytes())?;
        } else {
          w.write_all(&[1])?;
        }
        bulletproof.write(w)?;

        write_raw_vec(Mlsag::write, mlsags, w)?;
        write_raw_vec(write_point, pseudo_outs, w)
      }
      RctPrunable::Clsag { bulletproof, clsags, pseudo_outs } => {
        w.write_all(&[1])?;
        bulletproof.write(w)?;

        write_raw_vec(Clsag::write, clsags, w)?;
        write_raw_vec(write_point, pseudo_outs, w)
      }
    }
  }

  /// Serialize the RctPrunable to a `Vec<u8>`.
  pub fn serialize(&self, rct_type: RctType) -> Vec<u8> {
    let mut serialized = vec![];
    self.write(&mut serialized, rct_type).unwrap();
    serialized
  }

  /// Read a RctPrunable.
  pub fn read<R: Read>(
    rct_type: RctType,
    ring_length: usize,
    inputs: usize,
    outputs: usize,
    r: &mut R,
  ) -> io::Result<RctPrunable> {
    Ok(match rct_type {
      RctType::AggregateMlsagBorromean => RctPrunable::AggregateMlsagBorromean {
        borromean: read_raw_vec(BorromeanRange::read, outputs, r)?,
        mlsag: Mlsag::read(ring_length, inputs + 1, r)?,
      },
      RctType::MlsagBorromean => RctPrunable::MlsagBorromean {
        borromean: read_raw_vec(BorromeanRange::read, outputs, r)?,
        mlsags: (0 .. inputs).map(|_| Mlsag::read(ring_length, 2, r)).collect::<Result<_, _>>()?,
      },
      RctType::MlsagBulletproofs | RctType::MlsagBulletproofsCompactAmount => {
        let bulletproof = {
          if (if rct_type == RctType::MlsagBulletproofs {
            u64::from(read_u32(r)?)
          } else {
            read_varint(r)?
          }) != 1
          {
            Err(io::Error::other("n bulletproofs instead of one"))?;
          }
          Bulletproof::read(r)?
        };
        let mlsags =
          (0 .. inputs).map(|_| Mlsag::read(ring_length, 2, r)).collect::<Result<_, _>>()?;
        let pseudo_outs = read_raw_vec(read_point, inputs, r)?;
        if rct_type == RctType::MlsagBulletproofs {
          RctPrunable::MlsagBulletproofs { bulletproof, mlsags, pseudo_outs }
        } else {
          debug_assert_eq!(rct_type, RctType::MlsagBulletproofsCompactAmount);
          RctPrunable::MlsagBulletproofsCompactAmount { bulletproof, mlsags, pseudo_outs }
        }
      }
      RctType::ClsagBulletproof | RctType::ClsagBulletproofPlus => RctPrunable::Clsag {
        bulletproof: {
          if read_varint::<_, u64>(r)? != 1 {
            Err(io::Error::other("n bulletproofs instead of one"))?;
          }
          (if rct_type == RctType::ClsagBulletproof {
            Bulletproof::read
          } else {
            Bulletproof::read_plus
          })(r)?
        },
        clsags: (0 .. inputs).map(|_| Clsag::read(ring_length, r)).collect::<Result<_, _>>()?,
        pseudo_outs: read_raw_vec(read_point, inputs, r)?,
      },
    })
  }

  /// Write the RctPrunable as necessary for signing the signature.
  pub(crate) fn signature_write<W: Write>(&self, w: &mut W) -> io::Result<()> {
    match self {
      RctPrunable::AggregateMlsagBorromean { borromean, .. } |
      RctPrunable::MlsagBorromean { borromean, .. } => {
        borromean.iter().try_for_each(|rs| rs.write(w))
      }
      RctPrunable::MlsagBulletproofs { bulletproof, .. } |
      RctPrunable::MlsagBulletproofsCompactAmount { bulletproof, .. } |
      RctPrunable::Clsag { bulletproof, .. } => bulletproof.signature_write(w),
    }
  }
}

/// The RingCT proofs.
///
/// This contains both the RctBase and RctPrunable structs.
///
/// The C++ codebase refers to this as rct_signatures.
#[derive(Clone, PartialEq, Eq, Debug)]
pub struct RctProofs {
  /// The data necessary for handling this transaction.
  pub base: RctBase,
  /// The data necessary for verifying this transaction.
  pub prunable: RctPrunable,
}

impl RctProofs {
  /// RctType for a given RctProofs struct.
  pub fn rct_type(&self) -> RctType {
    match &self.prunable {
      RctPrunable::AggregateMlsagBorromean { .. } => RctType::AggregateMlsagBorromean,
      RctPrunable::MlsagBorromean { .. } => RctType::MlsagBorromean,
      RctPrunable::MlsagBulletproofs { .. } => RctType::MlsagBulletproofs,
      RctPrunable::MlsagBulletproofsCompactAmount { .. } => RctType::MlsagBulletproofsCompactAmount,
      RctPrunable::Clsag { bulletproof, .. } => {
        if matches!(bulletproof, Bulletproof::Original { .. }) {
          RctType::ClsagBulletproof
        } else {
          RctType::ClsagBulletproofPlus
        }
      }
    }
  }

  /// Write the RctProofs.
  pub fn write<W: Write>(&self, w: &mut W) -> io::Result<()> {
    let rct_type = self.rct_type();
    self.base.write(w, rct_type)?;
    self.prunable.write(w, rct_type)
  }

  /// Serialize the RctProofs to a `Vec<u8>`.
  pub fn serialize(&self) -> Vec<u8> {
    let mut serialized = vec![];
    self.write(&mut serialized).unwrap();
    serialized
  }

  /// Read a RctProofs.
  pub fn read<R: Read>(
    ring_length: usize,
    inputs: usize,
    outputs: usize,
    r: &mut R,
  ) -> io::Result<Option<RctProofs>> {
    let Some((rct_type, base)) = RctBase::read(inputs, outputs, r)? else { return Ok(None) };
    Ok(Some(RctProofs {
      base,
      prunable: RctPrunable::read(rct_type, ring_length, inputs, outputs, r)?,
    }))
  }
}

/// A pruned set of RingCT proofs.
#[derive(Clone, PartialEq, Eq, Debug)]
pub struct PrunedRctProofs {
  /// The type of RctProofs this used to be.
  pub rct_type: RctType,
  /// The data necessary for handling this transaction.
  pub base: RctBase,
}