diff --git a/src/carrot_core/enote_utils.cpp b/src/carrot_core/enote_utils.cpp index 98c82ad39..c6a40f79c 100644 --- a/src/carrot_core/enote_utils.cpp +++ b/src/carrot_core/enote_utils.cpp @@ -125,16 +125,29 @@ bool make_carrot_uncontextualized_shared_key_receiver(const crypto::secret_key & // @TODO: this is slower than a turtle on morphine, and will cripple scan speed, but should be correct // K_e = ConvertPointM(D_e) - ge_p3 D_e_in_ed25519_p3; - if (ge_fromx25519_vartime(&D_e_in_ed25519_p3, enote_ephemeral_pubkey.data) != 0) + ge_p3 p3_tmp; + if (ge_fromx25519_vartime(&p3_tmp, enote_ephemeral_pubkey.data) != 0) + return false; + + // serialize K_e + crypto::public_key K_e; + ge_p3_tobytes(to_bytes(K_e), &p3_tmp); + + // [ed25519] s_sr = 8 d_e K^j_v + crypto::key_derivation s_sr_in_ed25519; + if (!crypto::wallet::generate_key_derivation(K_e, k_view, s_sr_in_ed25519)) + return false; + else if (memcmp(&s_sr_in_ed25519, &rct::I, sizeof(rct::key)) == 0) return false; - // serialize K_e - crypto::public_key D_e_in_ed25519; - ge_p3_tobytes(to_bytes(D_e_in_ed25519), &D_e_in_ed25519_p3); + // deserialize s_sr + ge_p3 s_sr_in_ed25519_p3; + ge_frombytes_vartime(&s_sr_in_ed25519_p3, to_bytes(s_sr_in_ed25519)); - // do ECDH exchange 8 k_v D_e - return make_carrot_uncontextualized_shared_key_sender(k_view, D_e_in_ed25519, s_sender_receiver_unctx_out); + // ConvertPointE(s_sr) + ge_p3_to_x25519(s_sender_receiver_unctx_out.data, &s_sr_in_ed25519_p3); + + return true; } //------------------------------------------------------------------------------------------------------------------- bool make_carrot_uncontextualized_shared_key_sender(const crypto::secret_key &enote_ephemeral_privkey, diff --git a/src/carrot_core/output_set_finalization.cpp b/src/carrot_core/output_set_finalization.cpp index 7f39815a0..e05654492 100644 --- a/src/carrot_core/output_set_finalization.cpp +++ b/src/carrot_core/output_set_finalization.cpp @@ -171,6 +171,22 @@ void get_output_enote_proposals(std::vector &&normal_pa CHECK_AND_ASSERT_THROW_MES(num_integrated <= 1, "get output enote proposals: only one integrated address is allowed per tx output set"); + // assert anchor_norm != 0 for payments + for (const CarrotPaymentProposalV1 &normal_payment_proposal : normal_payment_proposals) + CHECK_AND_ASSERT_THROW_MES(normal_payment_proposal.randomness != janus_anchor_t{}, + "get output enote proposals: normal payment proposal has unset anchor_norm AKA randomness"); + + // sort normal payment proposals by anchor_norm and assert uniqueness of randomness for each payment + const auto sort_by_randomness = [](const CarrotPaymentProposalV1 &a, const CarrotPaymentProposalV1 &b) -> bool + { + return memcmp(&a.randomness, &b.randomness, JANUS_ANCHOR_BYTES) < 0; + }; + std::sort(normal_payment_proposals.begin(), normal_payment_proposals.end(), sort_by_randomness); + const bool has_unique_randomness = tools::is_sorted_and_unique(normal_payment_proposals, + sort_by_randomness); + CHECK_AND_ASSERT_THROW_MES(has_unique_randomness, + "get output enote proposals: normal payment proposals contain duplicate anchor_norm AKA randomness"); + // input_context = "R" || KI_1 input_context_t input_context; make_carrot_input_context(tx_first_key_image, input_context); diff --git a/tests/unit_tests/carrot_core.cpp b/tests/unit_tests/carrot_core.cpp index 165aeb6ff..0313fe5e4 100644 --- a/tests/unit_tests/carrot_core.cpp +++ b/tests/unit_tests/carrot_core.cpp @@ -146,6 +146,27 @@ TEST(carrot_core, ECDH_subaddress_completeness) EXPECT_EQ(s_sr_sender, s_sr_receiver); } //---------------------------------------------------------------------------------------------------------------------- +TEST(carrot_core, ECDH_mx25519_convergence) +{ + const crypto::x25519_pubkey P = crypto::x25519_pubkey_gen(); + const crypto::x25519_secret_key a = crypto::x25519_secret_key_gen(); + const crypto::x25519_secret_key eight = crypto::x25519_scalar{{8}}; + + // do Q = 8 * a * P using mx25519 + crypto::x25519_pubkey Q_mx25519; + crypto::x25519_scmul_key(eight, P, Q_mx25519); + crypto::x25519_scmul_key(a, Q_mx25519, Q_mx25519); + + // do Q = 8 * a * P using make_carrot_uncontextualized_shared_key_receiver() + crypto::secret_key a_sk; + memcpy(&a_sk, &a, sizeof(a_sk)); + crypto::x25519_pubkey Q_carrot; + ASSERT_TRUE(make_carrot_uncontextualized_shared_key_receiver(a_sk, P, Q_carrot)); + + // check equal + EXPECT_EQ(Q_mx25519, Q_carrot); +} +//---------------------------------------------------------------------------------------------------------------------- TEST(carrot_core, main_address_normal_scan_completeness) { const mock_carrot_keys keys = mock_carrot_keys::generate(); @@ -751,3 +772,92 @@ TEST(carrot_core, main_address_coinbase_scan_completeness) enote.onetime_address)); } //---------------------------------------------------------------------------------------------------------------------- +/* +TEST(carrot_core, subaddress_transfer_2out_completeness) +{ + + const mock_carrot_keys alice = mock_carrot_keys::generate(); + const mock_carrot_keys bob = mock_carrot_keys::generate(); + + const uint32_t alice_j_major = crypto::rand(); + const uint32_t alice_j_minor = crypto::rand(); + CarrotDestinationV1 alice_address; + make_carrot_subaddress_v1(alice.account_spend_pubkey, + alice.main_address_view_pubkey, + alice.s_generate_address, + alice_j_major, + alice_j_minor, + alice_address); + + const uint32_t bob_j_major = crypto::rand(); + const uint32_t bob_j_minor = crypto::rand(); + CarrotDestinationV1 bob_address; + make_carrot_subaddress_v1(bob.account_spend_pubkey, + bob.main_address_view_pubkey, + bob.s_generate_address, + bob_j_major, + bob_j_minor, + bob_address); + + const CarrotPaymentProposalV1 proposal = CarrotPaymentProposalV1{ + .destination = main_address, + .amount = crypto::rand(), + .randomness = gen_janus_anchor() + }; + + const crypto::key_image tx_first_key_image = rct::rct2ki(rct::pkGen()); + + RCTOutputEnoteProposal enote_proposal; + encrypted_payment_id_t encrypted_payment_id; + get_output_proposal_normal_v1(proposal, + tx_first_key_image, + enote_proposal, + encrypted_payment_id); + + ASSERT_EQ(proposal.amount, enote_proposal.amount); + const rct::key recomputed_amount_commitment = rct::commit(enote_proposal.amount, rct::sk2rct(enote_proposal.amount_blinding_factor)); + ASSERT_EQ(enote_proposal.enote.amount_commitment, recomputed_amount_commitment); + + crypto::x25519_pubkey s_sender_receiver_unctx; + make_carrot_uncontextualized_shared_key_receiver(keys.k_view, + enote_proposal.enote.enote_ephemeral_pubkey, + s_sender_receiver_unctx); + + crypto::secret_key recovered_sender_extension_g; + crypto::secret_key recovered_sender_extension_t; + crypto::public_key recovered_address_spend_pubkey; + rct::xmr_amount recovered_amount; + crypto::secret_key recovered_amount_blinding_factor; + encrypted_payment_id_t recovered_payment_id; + CarrotEnoteType recovered_enote_type; + const bool scan_success = try_scan_carrot_enote_external(enote_proposal.enote, + encrypted_payment_id, + s_sender_receiver_unctx, + keys.k_view_dev, + keys.account_spend_pubkey, + recovered_sender_extension_g, + recovered_sender_extension_t, + recovered_address_spend_pubkey, + recovered_amount, + recovered_amount_blinding_factor, + recovered_payment_id, + recovered_enote_type); + + ASSERT_TRUE(scan_success); + + // check recovered data + EXPECT_EQ(proposal.destination.address_spend_pubkey, recovered_address_spend_pubkey); + EXPECT_EQ(proposal.amount, recovered_amount); + EXPECT_EQ(enote_proposal.amount_blinding_factor, recovered_amount_blinding_factor); + EXPECT_EQ(null_payment_id, recovered_payment_id); + EXPECT_EQ(CarrotEnoteType::PAYMENT, recovered_enote_type); + + // check spendability + EXPECT_TRUE(can_open_fcmp_onetime_address(keys.k_prove_spend, + keys.k_generate_image, + rct::rct2sk(rct::I), + recovered_sender_extension_g, + recovered_sender_extension_t, + enote_proposal.enote.onetime_address)); +}*/ +//----------------------------------------------------------------------------------------------------------------------