tiamak/salvium
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
ed030081b7a9bc0bec72acfc37ef78a57d34fe9d
salvium/src/carrot_core/scan.cpp
T
jeffro256 ed030081b7 carrot_core [3/27/2025]
2025-05-06 12:48:29 +03:00

468 lines
19 KiB
C++
Raw Blame History

// Copyright (c) 2025, The Monero Project
//
// All rights reserved.
//
// Redistribution and use in source and binary forms, with or without modification, are
// permitted provided that the following conditions are met:
//
// 1. Redistributions of source code must retain the above copyright notice, this list of
// conditions and the following disclaimer.
//
// 2. Redistributions in binary form must reproduce the above copyright notice, this list
// of conditions and the following disclaimer in the documentation and/or other
// materials provided with the distribution.
//
// 3. Neither the name of the copyright holder nor the names of its contributors may be
// used to endorse or promote products derived from this software without specific
// prior written permission.
//
// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY
// EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
// MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL
// THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
// PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
// INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
// STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF
// THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
// Utilities for scanning carrot enotes
//paired header
#include "scan.h"
//local headers
#include "crypto/generators.h"
#include "enote_utils.h"
#include "lazy_amount_commitment.h"
#include "ringct/rctOps.h"
//third party headers
//standard headers
namespace carrot
{
//-------------------------------------------------------------------------------------------------------------------
//-------------------------------------------------------------------------------------------------------------------
static bool is_main_address_spend_pubkey(const crypto::public_key &address_spend_pubkey,
const epee::span<const crypto::public_key> main_address_spend_pubkeys)
{
for (const crypto::public_key &main_address_spend_pubkey : main_address_spend_pubkeys)
if (address_spend_pubkey == main_address_spend_pubkey)
return true;
return false;
}
//-------------------------------------------------------------------------------------------------------------------
//-------------------------------------------------------------------------------------------------------------------
static void scan_carrot_dest_info(const crypto::public_key &onetime_address,
const rct::key &amount_commitment,
const encrypted_janus_anchor_t &encrypted_janus_anchor,
const std::optional<encrypted_payment_id_t> &encrypted_payment_id,
const crypto::hash &s_sender_receiver,
crypto::secret_key &sender_extension_g_out,
crypto::secret_key &sender_extension_t_out,
crypto::public_key &address_spend_pubkey_out,
payment_id_t &payment_id_out,
janus_anchor_t &nominal_janus_anchor_out)
{
// k^o_g = H_n("..g..", s^ctx_sr, C_a)
make_carrot_onetime_address_extension_g(s_sender_receiver,
amount_commitment,
sender_extension_g_out);
// k^o_t = H_n("..t..", s^ctx_sr, C_a)
make_carrot_onetime_address_extension_t(s_sender_receiver,
amount_commitment,
sender_extension_t_out);
// K^j_s = Ko - K^o_ext = Ko - (k^o_g G + k^o_t T)
recover_address_spend_pubkey(onetime_address,
s_sender_receiver,
amount_commitment,
address_spend_pubkey_out);
// pid = pid_enc XOR m_pid, if applicable
if (encrypted_payment_id)
payment_id_out = decrypt_legacy_payment_id(*encrypted_payment_id, s_sender_receiver, onetime_address);
else
payment_id_out = null_payment_id;
// anchor = anchor_enc XOR m_anchor
nominal_janus_anchor_out = decrypt_carrot_anchor(encrypted_janus_anchor,
s_sender_receiver,
onetime_address);
}
//-------------------------------------------------------------------------------------------------------------------
//-------------------------------------------------------------------------------------------------------------------
static bool try_scan_carrot_external_noamount(const crypto::public_key &onetime_address,
const lazy_amount_commitment_t &lazy_amount_commitment,
const encrypted_janus_anchor_t &encrypted_janus_anchor,
const view_tag_t view_tag,
const mx25519_pubkey &enote_ephemeral_pubkey,
const std::optional<encrypted_payment_id_t> &encrypted_payment_id,
const input_context_t &input_context,
const mx25519_pubkey &s_sender_receiver_unctx,
const view_incoming_key_device &k_view_dev,
const epee::span<const crypto::public_key> main_address_spend_pubkeys,
crypto::hash &s_sender_receiver_out,
crypto::secret_key &sender_extension_g_out,
crypto::secret_key &sender_extension_t_out,
crypto::public_key &address_spend_pubkey_out,
payment_id_t &payment_id_out)
{
// if vt' != vt, then FAIL
if (!test_carrot_view_tag(s_sender_receiver_unctx.data, input_context, onetime_address, view_tag))
return false;
// s^ctx_sr = H_32(s_sr, D_e, input_context)
make_carrot_sender_receiver_secret(s_sender_receiver_unctx.data,
enote_ephemeral_pubkey,
input_context,
s_sender_receiver_out);
// get C_a
const rct::key amount_commitment = calculate_amount_commitment(lazy_amount_commitment);
// k^g_o, k^t_o, K^j_s', pid', anchor'
janus_anchor_t nominal_janus_anchor;
scan_carrot_dest_info(onetime_address,
amount_commitment,
encrypted_janus_anchor,
encrypted_payment_id,
s_sender_receiver_out,
sender_extension_g_out,
sender_extension_t_out,
address_spend_pubkey_out,
payment_id_out,
nominal_janus_anchor);
return verify_carrot_janus_protection(input_context,
onetime_address,
k_view_dev,
address_spend_pubkey_out,
is_main_address_spend_pubkey(address_spend_pubkey_out, main_address_spend_pubkeys),
enote_ephemeral_pubkey,
nominal_janus_anchor,
payment_id_out);
}
//-------------------------------------------------------------------------------------------------------------------
//-------------------------------------------------------------------------------------------------------------------
bool verify_carrot_janus_protection(const input_context_t &input_context,
const crypto::public_key &onetime_address,
const view_incoming_key_device &k_view_dev,
const crypto::public_key &nominal_address_spend_pubkey,
const bool is_main_address_spend_pubkey,
const mx25519_pubkey &enote_ephemeral_pubkey,
const janus_anchor_t &nominal_anchor,
payment_id_t &nominal_payment_id_inout)
{
// make K^j_v'
crypto::public_key nominal_address_view_pubkey;
if (is_main_address_spend_pubkey)
{
// K^j_v' = k_v G
if (!k_view_dev.view_key_scalar_mult_ed25519(crypto::get_G(), nominal_address_view_pubkey))
return false;
}
else // subaddress
{
// K^j_v' = k_v K^j_s'
if (!k_view_dev.view_key_scalar_mult_ed25519(nominal_address_spend_pubkey, nominal_address_view_pubkey))
return false;
}
// if can recompute D_e with pid', then PASS
if (verify_carrot_external_janus_protection(nominal_anchor,
input_context,
nominal_address_spend_pubkey,
nominal_address_view_pubkey,
!is_main_address_spend_pubkey,
nominal_payment_id_inout,
enote_ephemeral_pubkey))
return true;
// if can recompute D_e with null pid, then PASS
nominal_payment_id_inout = null_payment_id;
if (verify_carrot_external_janus_protection(nominal_anchor,
input_context,
nominal_address_spend_pubkey,
nominal_address_view_pubkey,
!is_main_address_spend_pubkey,
null_payment_id,
enote_ephemeral_pubkey))
return true;
// anchor_sp = H_16(D_e, input_context, Ko, k_v)
janus_anchor_t expected_special_anchor;
k_view_dev.make_janus_anchor_special(enote_ephemeral_pubkey,
input_context,
onetime_address,
expected_special_anchor);
// attempt special janus check: anchor_sp ?= anchor'
return expected_special_anchor == nominal_anchor;
}
//-------------------------------------------------------------------------------------------------------------------
bool make_carrot_uncontextualized_shared_key_receiver(
const view_incoming_key_device &k_view_dev,
const mx25519_pubkey &enote_ephemeral_pubkey,
mx25519_pubkey &s_sender_receiver_unctx_out)
{
return k_view_dev.view_key_scalar_mult_x25519(enote_ephemeral_pubkey, s_sender_receiver_unctx_out);
}
//-------------------------------------------------------------------------------------------------------------------
bool try_ecdh_and_scan_carrot_coinbase_enote(const CarrotCoinbaseEnoteV1 &enote,
const view_incoming_key_device &k_view_dev,
const crypto::public_key &main_address_spend_pubkey,
crypto::secret_key &sender_extension_g_out,
crypto::secret_key &sender_extension_t_out)
{
return try_ecdh_and_scan_carrot_coinbase_enote(enote,
k_view_dev,
{&main_address_spend_pubkey, 1},
sender_extension_g_out,
sender_extension_t_out);
}
//-------------------------------------------------------------------------------------------------------------------
bool try_ecdh_and_scan_carrot_coinbase_enote(
const CarrotCoinbaseEnoteV1 &enote,
const view_incoming_key_device &k_view_dev,
const epee::span<const crypto::public_key> main_address_spend_pubkeys,
crypto::secret_key &sender_extension_g_out,
crypto::secret_key &sender_extension_t_out)
{
// s_sr = k_v D_e
mx25519_pubkey s_sender_receiver_unctx;
if (!make_carrot_uncontextualized_shared_key_receiver(k_view_dev,
enote.enote_ephemeral_pubkey,
s_sender_receiver_unctx))
return false;
// input_context
input_context_t input_context;
make_carrot_input_context_coinbase(enote.block_index, input_context);
// s^ctx_sr, k^g_o, k^g_t, K^j_s, pid, and Janus verification
crypto::public_key nominal_address_spend_pubkey;
crypto::hash dummy_s_sender_receiver;
payment_id_t dummy_payment_id;
if (!try_scan_carrot_external_noamount(enote.onetime_address,
enote.amount,
enote.anchor_enc,
enote.view_tag,
enote.enote_ephemeral_pubkey,
std::nullopt,
input_context,
s_sender_receiver_unctx,
k_view_dev,
main_address_spend_pubkeys,
dummy_s_sender_receiver,
sender_extension_g_out,
sender_extension_t_out,
nominal_address_spend_pubkey,
dummy_payment_id))
return false;
// if K^j_s' != K_s, then FAIL
// - We have no "hard target" in the amount commitment, so if we want deterministic enote
// scanning without a subaddress table, we reject all non-main addresses in coinbase enotes
return is_main_address_spend_pubkey(nominal_address_spend_pubkey, main_address_spend_pubkeys);
}
//-------------------------------------------------------------------------------------------------------------------
bool try_scan_carrot_enote_external(const CarrotEnoteV1 &enote,
const std::optional<encrypted_payment_id_t> &encrypted_payment_id,
const mx25519_pubkey &s_sender_receiver_unctx,
const view_incoming_key_device &k_view_dev,
const crypto::public_key &main_address_spend_pubkey,
crypto::secret_key &sender_extension_g_out,
crypto::secret_key &sender_extension_t_out,
crypto::public_key &address_spend_pubkey_out,
rct::xmr_amount &amount_out,
crypto::secret_key &amount_blinding_factor_out,
payment_id_t &payment_id_out,
CarrotEnoteType &enote_type_out)
{
return try_scan_carrot_enote_external(enote,
encrypted_payment_id,
s_sender_receiver_unctx,
k_view_dev,
{&main_address_spend_pubkey, 1},
sender_extension_g_out,
sender_extension_t_out,
address_spend_pubkey_out,
amount_out,
amount_blinding_factor_out,
payment_id_out,
enote_type_out);
}
//-------------------------------------------------------------------------------------------------------------------
bool try_scan_carrot_enote_external(const CarrotEnoteV1 &enote,
const std::optional<encrypted_payment_id_t> &encrypted_payment_id,
const mx25519_pubkey &s_sender_receiver_unctx,
const view_incoming_key_device &k_view_dev,
const epee::span<const crypto::public_key> &main_address_spend_pubkeys,
crypto::secret_key &sender_extension_g_out,
crypto::secret_key &sender_extension_t_out,
crypto::public_key &address_spend_pubkey_out,
rct::xmr_amount &amount_out,
crypto::secret_key &amount_blinding_factor_out,
payment_id_t &payment_id_out,
CarrotEnoteType &enote_type_out)
{
// input_context
input_context_t input_context;
make_carrot_input_context(enote.tx_first_key_image, input_context);
// s^ctx_sr, k^g_o, k^g_t, K^j_s, pid, and Janus verification
crypto::hash s_sender_receiver;
if (!try_scan_carrot_external_noamount(enote.onetime_address,
enote.amount_commitment,
enote.anchor_enc,
enote.view_tag,
enote.enote_ephemeral_pubkey,
encrypted_payment_id,
input_context,
s_sender_receiver_unctx,
k_view_dev,
main_address_spend_pubkeys,
s_sender_receiver,
sender_extension_g_out,
sender_extension_t_out,
address_spend_pubkey_out,
payment_id_out))
return false;
// enote_type, a, z
return try_get_carrot_amount(s_sender_receiver,
enote.amount_enc,
enote.onetime_address,
address_spend_pubkey_out,
enote.amount_commitment,
enote_type_out,
amount_out,
amount_blinding_factor_out);
}
//-------------------------------------------------------------------------------------------------------------------
bool try_scan_carrot_enote_internal(const CarrotEnoteV1 &enote,
const view_balance_secret_device &s_view_balance_dev,
crypto::secret_key &sender_extension_g_out,
crypto::secret_key &sender_extension_t_out,
crypto::public_key &address_spend_pubkey_out,
rct::xmr_amount &amount_out,
crypto::secret_key &amount_blinding_factor_out,
CarrotEnoteType &enote_type_out,
janus_anchor_t &internal_message_out)
{
// input_context
input_context_t input_context;
make_carrot_input_context(enote.tx_first_key_image, input_context);
// vt = H_3(s_sr || input_context || Ko)
view_tag_t nominal_view_tag;
s_view_balance_dev.make_internal_view_tag(input_context, enote.onetime_address, nominal_view_tag);
// test view tag
if (nominal_view_tag != enote.view_tag)
return false;
// s^ctx_sr = H_32(s_vb, D_e, input_context)
crypto::hash s_sender_receiver;
s_view_balance_dev.make_internal_sender_receiver_secret(enote.enote_ephemeral_pubkey,
input_context,
s_sender_receiver);
// k^g_o, k^t_o, K^j_s', pid', anchor'
payment_id_t dummy_payment_id;
scan_carrot_dest_info(enote.onetime_address,
enote.amount_commitment,
enote.anchor_enc,
std::nullopt,
s_sender_receiver,
sender_extension_g_out,
sender_extension_t_out,
address_spend_pubkey_out,
dummy_payment_id,
internal_message_out);
// janus protection checks are not needed for internal scans
// enote_type, a, z
return try_get_carrot_amount(s_sender_receiver,
enote.amount_enc,
enote.onetime_address,
address_spend_pubkey_out,
enote.amount_commitment,
enote_type_out,
amount_out,
amount_blinding_factor_out);
}
//-------------------------------------------------------------------------------------------------------------------
bool try_ecdh_and_scan_carrot_enote_external(const CarrotEnoteV1 &enote,
const std::optional<encrypted_payment_id_t> &encrypted_payment_id,
const view_incoming_key_device &k_view_dev,
const crypto::public_key &main_address_spend_pubkey,
crypto::secret_key &sender_extension_g_out,
crypto::secret_key &sender_extension_t_out,
crypto::public_key &address_spend_pubkey_out,
rct::xmr_amount &amount_out,
crypto::secret_key &amount_blinding_factor_out,
payment_id_t &payment_id_out,
CarrotEnoteType &enote_type_out)
{
// s_sr = k_v D_e
mx25519_pubkey s_sender_receiver_unctx;
if (!k_view_dev.view_key_scalar_mult_x25519(enote.enote_ephemeral_pubkey,
s_sender_receiver_unctx))
return false;
return try_scan_carrot_enote_external(enote,
encrypted_payment_id,
s_sender_receiver_unctx,
k_view_dev,
main_address_spend_pubkey,
sender_extension_g_out,
sender_extension_t_out,
address_spend_pubkey_out,
amount_out,
amount_blinding_factor_out,
payment_id_out,
enote_type_out);
}
//-------------------------------------------------------------------------------------------------------------------
bool try_scan_carrot_enote_external_destination_only(const CarrotEnoteV1 &enote,
const std::optional<encrypted_payment_id_t> &encrypted_payment_id,
const mx25519_pubkey &s_sender_receiver_unctx,
const view_incoming_key_device &k_view_dev,
const crypto::public_key &main_address_spend_pubkey,
crypto::secret_key &sender_extension_g_out,
crypto::secret_key &sender_extension_t_out,
crypto::public_key &address_spend_pubkey_out,
payment_id_t &payment_id_out)
{
// input_context
input_context_t input_context;
make_carrot_input_context(enote.tx_first_key_image, input_context);
// s^ctx_sr, k^g_o, k^g_t, K^j_s, pid, and Janus verification
crypto::hash s_sender_receiver;
return try_scan_carrot_external_noamount(enote.onetime_address,
enote.amount_commitment,
enote.anchor_enc,
enote.view_tag,
enote.enote_ephemeral_pubkey,
encrypted_payment_id,
input_context,
s_sender_receiver_unctx,
k_view_dev,
{&main_address_spend_pubkey, 1},
s_sender_receiver,
sender_extension_g_out,
sender_extension_t_out,
address_spend_pubkey_out,
payment_id_out);
}
//-------------------------------------------------------------------------------------------------------------------
} //namespace carrot
Reference in New Issue View Git Blame Copy Permalink