diff options
author | moneromooo-monero <moneromooo-monero@users.noreply.github.com> | 2019-04-11 18:41:41 +0000 |
---|---|---|
committer | moneromooo-monero <moneromooo-monero@users.noreply.github.com> | 2019-04-11 19:44:06 +0000 |
commit | 93bb2f48f7af95ec9048bcac48cbb372d84d7a11 (patch) | |
tree | c139a038a2d1d75f24c2428c1d664195934ba233 | |
parent | Merge pull request #5386 (diff) | |
download | monero-93bb2f48f7af95ec9048bcac48cbb372d84d7a11.tar.xz |
ringct: prevent use of full ringct signatures for more than one input
Diffstat (limited to '')
-rw-r--r-- | src/ringct/rctSigs.cpp | 1 | ||||
-rw-r--r-- | src/ringct/rctTypes.h | 2 | ||||
-rw-r--r-- | tests/unit_tests/ringct.cpp | 120 | ||||
-rw-r--r-- | tests/unit_tests/serialization.cpp | 79 |
4 files changed, 60 insertions, 142 deletions
diff --git a/src/ringct/rctSigs.cpp b/src/ringct/rctSigs.cpp index e877c13ce..ff2a81d43 100644 --- a/src/ringct/rctSigs.cpp +++ b/src/ringct/rctSigs.cpp @@ -695,6 +695,7 @@ namespace rct { CHECK_AND_ASSERT_THROW_MES(mixRing[n].size() == inSk.size(), "Bad mixRing size"); } CHECK_AND_ASSERT_THROW_MES((kLRki && msout) || (!kLRki && !msout), "Only one of kLRki/msout is present"); + CHECK_AND_ASSERT_THROW_MES(inSk.size() < 2, "genRct is not suitable for 2+ rings"); rctSig rv; rv.type = RCTTypeFull; diff --git a/src/ringct/rctTypes.h b/src/ringct/rctTypes.h index 50d0f4d91..e5413f1dc 100644 --- a/src/ringct/rctTypes.h +++ b/src/ringct/rctTypes.h @@ -191,6 +191,8 @@ namespace rct { Bulletproof(const rct::keyV &V, const rct::key &A, const rct::key &S, const rct::key &T1, const rct::key &T2, const rct::key &taux, const rct::key &mu, const rct::keyV &L, const rct::keyV &R, const rct::key &a, const rct::key &b, const rct::key &t): V(V), A(A), S(S), T1(T1), T2(T2), taux(taux), mu(mu), L(L), R(R), a(a), b(b), t(t) {} + bool operator==(const Bulletproof &other) const { return V == other.V && A == other.A && S == other.S && T1 == other.T1 && T2 == other.T2 && taux == other.taux && mu == other.mu && L == other.L && R == other.R && a == other.a && b == other.b && t == other.t; } + BEGIN_SERIALIZE_OBJECT() // Commitments aren't saved, they're restored via outPk // FIELD(V) diff --git a/tests/unit_tests/ringct.cpp b/tests/unit_tests/ringct.cpp index e239154cf..4d51ec434 100644 --- a/tests/unit_tests/ringct.cpp +++ b/tests/unit_tests/ringct.cpp @@ -143,13 +143,16 @@ TEST(ringct, range_proofs) //ct range proofs ctkeyV sc, pc; ctkey sctmp, pctmp; - //add fake input 5000 - tie(sctmp, pctmp) = ctskpkGen(6000); + std::vector<uint64_t> inamounts; + //add fake input 6000 + inamounts.push_back(6000); + tie(sctmp, pctmp) = ctskpkGen(inamounts.back()); sc.push_back(sctmp); pc.push_back(pctmp); - tie(sctmp, pctmp) = ctskpkGen(7000); + inamounts.push_back(7000); + tie(sctmp, pctmp) = ctskpkGen(inamounts.back()); sc.push_back(sctmp); pc.push_back(pctmp); vector<xmr_amount >amounts; @@ -173,14 +176,20 @@ TEST(ringct, range_proofs) const rct::RCTConfig rct_config { RangeProofBorromean, 0 }; - //compute rct data with mixin 500 - rctSig s = genRct(rct::zero(), sc, pc, destinations, amounts, amount_keys, NULL, NULL, 3, rct_config, hw::get_device("default")); + //compute rct data with mixin 3 - should fail since full type with > 1 input + bool ok = false; + try { genRct(rct::zero(), sc, pc, destinations, amounts, amount_keys, NULL, NULL, 3, rct_config, hw::get_device("default")); } + catch(...) { ok = true; } + ASSERT_TRUE(ok); + + //compute rct data with mixin 3 + rctSig s = genRctSimple(rct::zero(), sc, pc, destinations, inamounts, amounts, amount_keys, NULL, NULL, 0, 3, rct_config, hw::get_device("default")); //verify rct data - ASSERT_TRUE(verRct(s)); + ASSERT_TRUE(verRctSimple(s)); //decode received amount - decodeRct(s, amount_keys[1], 1, mask, hw::get_device("default")); + decodeRctSimple(s, amount_keys[1], 1, mask, hw::get_device("default")); // Ring CT with failing MG sig part should not verify! // Since sum of inputs != outputs @@ -190,14 +199,14 @@ TEST(ringct, range_proofs) destinations[1] = Pk; - //compute rct data with mixin 500 - s = genRct(rct::zero(), sc, pc, destinations, amounts, amount_keys, NULL, NULL, 3, rct_config, hw::get_device("default")); + //compute rct data with mixin 3 + s = genRctSimple(rct::zero(), sc, pc, destinations, inamounts, amounts, amount_keys, NULL, NULL, 0, 3, rct_config, hw::get_device("default")); //verify rct data - ASSERT_FALSE(verRct(s)); + ASSERT_FALSE(verRctSimple(s)); //decode received amount - decodeRct(s, amount_keys[1], 1, mask, hw::get_device("default")); + decodeRctSimple(s, amount_keys[1], 1, mask, hw::get_device("default")); } TEST(ringct, range_proofs_with_fee) @@ -206,13 +215,16 @@ TEST(ringct, range_proofs_with_fee) //ct range proofs ctkeyV sc, pc; ctkey sctmp, pctmp; - //add fake input 5000 - tie(sctmp, pctmp) = ctskpkGen(6001); + std::vector<uint64_t> inamounts; + //add fake input 6001 + inamounts.push_back(6001); + tie(sctmp, pctmp) = ctskpkGen(inamounts.back()); sc.push_back(sctmp); pc.push_back(pctmp); - tie(sctmp, pctmp) = ctskpkGen(7000); + inamounts.push_back(7000); + tie(sctmp, pctmp) = ctskpkGen(inamounts.back()); sc.push_back(sctmp); pc.push_back(pctmp); vector<xmr_amount >amounts; @@ -227,10 +239,6 @@ TEST(ringct, range_proofs_with_fee) skpkGen(Sk, Pk); destinations.push_back(Pk); - //add txn fee for 1 - //has no corresponding destination.. - amounts.push_back(1); - //add output for 12500 amounts.push_back(12500); amount_keys.push_back(hash_to_scalar(zero())); @@ -239,14 +247,14 @@ TEST(ringct, range_proofs_with_fee) const rct::RCTConfig rct_config { RangeProofBorromean, 0 }; - //compute rct data with mixin 500 - rctSig s = genRct(rct::zero(), sc, pc, destinations, amounts, amount_keys, NULL, NULL, 3, rct_config, hw::get_device("default")); + //compute rct data with mixin 3 + rctSig s = genRctSimple(rct::zero(), sc, pc, destinations, inamounts, amounts, amount_keys, NULL, NULL, 1, 3, rct_config, hw::get_device("default")); //verify rct data - ASSERT_TRUE(verRct(s)); + ASSERT_TRUE(verRctSimple(s)); //decode received amount - decodeRct(s, amount_keys[1], 1, mask, hw::get_device("default")); + decodeRctSimple(s, amount_keys[1], 1, mask, hw::get_device("default")); // Ring CT with failing MG sig part should not verify! // Since sum of inputs != outputs @@ -256,14 +264,14 @@ TEST(ringct, range_proofs_with_fee) destinations[1] = Pk; - //compute rct data with mixin 500 - s = genRct(rct::zero(), sc, pc, destinations, amounts, amount_keys, NULL, NULL, 3, rct_config, hw::get_device("default")); + //compute rct data with mixin 3 + s = genRctSimple(rct::zero(), sc, pc, destinations, inamounts, amounts, amount_keys, NULL, NULL, 500, 3, rct_config, hw::get_device("default")); //verify rct data - ASSERT_FALSE(verRct(s)); + ASSERT_FALSE(verRctSimple(s)); //decode received amount - decodeRct(s, amount_keys[1], 1, mask, hw::get_device("default")); + decodeRctSimple(s, amount_keys[1], 1, mask, hw::get_device("default")); } TEST(ringct, simple) @@ -538,10 +546,10 @@ TEST(ringct, range_proofs_accept_zero_out_middle_simple) EXPECT_TRUE(range_proof_test(true, NELTS(inputs), inputs, NELTS(outputs), outputs, false, true)); } -TEST(ringct, range_proofs_accept_zero_in_first) +TEST(ringct, range_proofs_accept_zero) { - const uint64_t inputs[] = {0, 5000}; - const uint64_t outputs[] = {5000}; + const uint64_t inputs[] = {0}; + const uint64_t outputs[] = {0}; EXPECT_TRUE(range_proof_test(true, NELTS(inputs), inputs, NELTS(outputs), outputs, false, false)); } @@ -552,13 +560,6 @@ TEST(ringct, range_proofs_accept_zero_in_first_simple) EXPECT_TRUE(range_proof_test(true, NELTS(inputs), inputs, NELTS(outputs), outputs, false, true)); } -TEST(ringct, range_proofs_accept_zero_in_last) -{ - const uint64_t inputs[] = {5000, 0}; - const uint64_t outputs[] = {5000}; - EXPECT_TRUE(range_proof_test(true, NELTS(inputs), inputs, NELTS(outputs), outputs, false, false)); -} - TEST(ringct, range_proofs_accept_zero_in_last_simple) { const uint64_t inputs[] = {5000, 0}; @@ -566,13 +567,6 @@ TEST(ringct, range_proofs_accept_zero_in_last_simple) EXPECT_TRUE(range_proof_test(true, NELTS(inputs), inputs, NELTS(outputs), outputs, false, true)); } -TEST(ringct, range_proofs_accept_zero_in_middle) -{ - const uint64_t inputs[] = {2500, 0, 2500}; - const uint64_t outputs[] = {5000}; - EXPECT_TRUE(range_proof_test(true, NELTS(inputs), inputs, NELTS(outputs), outputs, false, false)); -} - TEST(ringct, range_proofs_accept_zero_in_middle_simple) { const uint64_t inputs[] = {2500, 0, 2500}; @@ -762,13 +756,6 @@ TEST(ringct, range_proofs_accept_1_to_N_simple) EXPECT_TRUE(range_proof_test(true, NELTS(inputs), inputs, NELTS(outputs), outputs, false,true)); } -TEST(ringct, range_proofs_accept_N_to_1) -{ - const uint64_t inputs[] = {1000, 1000, 1000, 1000, 1000}; - const uint64_t outputs[] = {5000}; - EXPECT_TRUE(range_proof_test(true, NELTS(inputs), inputs, NELTS(outputs), outputs, false, false)); -} - TEST(ringct, range_proofs_accept_N_to_1_simple) { const uint64_t inputs[] = {1000, 1000, 1000, 1000, 1000}; @@ -776,13 +763,6 @@ TEST(ringct, range_proofs_accept_N_to_1_simple) EXPECT_TRUE(range_proof_test(true, NELTS(inputs), inputs, NELTS(outputs), outputs, false, true)); } -TEST(ringct, range_proofs_accept_N_to_N) -{ - const uint64_t inputs[] = {1000, 1000, 1000, 1000, 1000}; - const uint64_t outputs[] = {1000, 1000, 1000, 1000, 1000}; - EXPECT_TRUE(range_proof_test(true, NELTS(inputs), inputs, NELTS(outputs), outputs, false, false)); -} - TEST(ringct, range_proofs_accept_N_to_N_simple) { const uint64_t inputs[] = {1000, 1000, 1000, 1000, 1000}; @@ -790,20 +770,6 @@ TEST(ringct, range_proofs_accept_N_to_N_simple) EXPECT_TRUE(range_proof_test(true, NELTS(inputs), inputs, NELTS(outputs), outputs, false, true)); } -TEST(ringct, range_proofs_accept_very_long) -{ - const size_t N=12; - uint64_t inputs[N]; - uint64_t outputs[N]; - for (size_t n = 0; n < N; ++n) { - inputs[n] = n; - outputs[n] = n; - } - std::random_shuffle(inputs, inputs + N); - std::random_shuffle(outputs, outputs + N); - EXPECT_TRUE(range_proof_test(true, NELTS(inputs), inputs, NELTS(outputs), outputs, false, false)); -} - TEST(ringct, range_proofs_accept_very_long_simple) { const size_t N=12; @@ -861,7 +827,7 @@ TEST(ringct, prooveRange_is_non_deterministic) TEST(ringct, fee_0_valid) { - const uint64_t inputs[] = {1000, 1000}; + const uint64_t inputs[] = {2000}; const uint64_t outputs[] = {2000, 0}; EXPECT_TRUE(range_proof_test(true, NELTS(inputs), inputs, NELTS(outputs), outputs, true, false)); } @@ -875,7 +841,7 @@ TEST(ringct, fee_0_valid_simple) TEST(ringct, fee_non_0_valid) { - const uint64_t inputs[] = {1000, 1000}; + const uint64_t inputs[] = {2000}; const uint64_t outputs[] = {1900, 100}; EXPECT_TRUE(range_proof_test(true, NELTS(inputs), inputs, NELTS(outputs), outputs, true, false)); } @@ -917,7 +883,7 @@ TEST(ringct, fee_non_0_invalid_lower_simple) TEST(ringct, fee_burn_valid_one_out) { - const uint64_t inputs[] = {1000, 1000}; + const uint64_t inputs[] = {2000}; const uint64_t outputs[] = {0, 2000}; EXPECT_TRUE(range_proof_test(true, NELTS(inputs), inputs, NELTS(outputs), outputs, true, false)); } @@ -931,7 +897,7 @@ TEST(ringct, fee_burn_valid_one_out_simple) TEST(ringct, fee_burn_valid_zero_out) { - const uint64_t inputs[] = {1000, 1000}; + const uint64_t inputs[] = {2000}; const uint64_t outputs[] = {2000}; EXPECT_TRUE(range_proof_test(true, NELTS(inputs), inputs, NELTS(outputs), outputs, true, false)); } @@ -945,7 +911,7 @@ TEST(ringct, fee_burn_valid_zero_out_simple) static rctSig make_sig() { - static const uint64_t inputs[] = {1000, 1000}; + static const uint64_t inputs[] = {2000}; static const uint64_t outputs[] = {1000, 1000}; static rct::rctSig sig = make_sample_rct_sig(NELTS(inputs), inputs, NELTS(outputs), outputs, true); return sig; @@ -1044,7 +1010,7 @@ TEST(ringct, reject_gen_simple_ver_non_simple) TEST(ringct, reject_gen_non_simple_ver_simple) { - const uint64_t inputs[] = {1000, 1000}; + const uint64_t inputs[] = {2000}; const uint64_t outputs[] = {1000, 1000}; rct::rctSig sig = make_sample_rct_sig(NELTS(inputs), inputs, NELTS(outputs), outputs, true); ASSERT_FALSE(rct::verRctSimple(sig)); diff --git a/tests/unit_tests/serialization.cpp b/tests/unit_tests/serialization.cpp index 27b14ffff..23f028464 100644 --- a/tests/unit_tests/serialization.cpp +++ b/tests/unit_tests/serialization.cpp @@ -477,7 +477,7 @@ TEST(Serialization, serializes_ringct_types) rct::ecdhTuple ecdh0, ecdh1; rct::boroSig boro0, boro1; rct::mgSig mg0, mg1; - rct::rangeSig rg0, rg1; + rct::Bulletproof bp0, bp1; rct::rctSig s0, s1; cryptonote::transaction tx0, tx1; @@ -566,12 +566,15 @@ TEST(Serialization, serializes_ringct_types) ASSERT_TRUE(!memcmp(&boro0, &boro1, sizeof(boro0))); // create a full rct signature to use its innards + vector<uint64_t> inamounts; rct::ctkeyV sc, pc; rct::ctkey sctmp, pctmp; - tie(sctmp, pctmp) = rct::ctskpkGen(6000); + inamounts.push_back(6000); + tie(sctmp, pctmp) = rct::ctskpkGen(inamounts.back()); sc.push_back(sctmp); pc.push_back(pctmp); - tie(sctmp, pctmp) = rct::ctskpkGen(7000); + inamounts.push_back(7000); + tie(sctmp, pctmp) = rct::ctskpkGen(inamounts.back()); sc.push_back(sctmp); pc.push_back(pctmp); vector<uint64_t> amounts; @@ -588,9 +591,9 @@ TEST(Serialization, serializes_ringct_types) amount_keys.push_back(rct::hash_to_scalar(rct::zero())); rct::skpkGen(Sk, Pk); destinations.push_back(Pk); - //compute rct data with mixin 500 + //compute rct data with mixin 3 const rct::RCTConfig rct_config{ rct::RangeProofPaddedBulletproof, 0 }; - s0 = rct::genRct(rct::zero(), sc, pc, destinations, amounts, amount_keys, NULL, NULL, 3, rct_config, hw::get_device("default")); + s0 = rct::genRctSimple(rct::zero(), sc, pc, destinations, inamounts, amounts, amount_keys, NULL, NULL, 0, 3, rct_config, hw::get_device("default")); mg0 = s0.p.MGs[0]; ASSERT_TRUE(serialization::dump_binary(mg0, blob)); @@ -605,66 +608,12 @@ TEST(Serialization, serializes_ringct_types) // mixRing and II are not serialized, they are meant to be reconstructed ASSERT_TRUE(mg1.II.empty()); - rg0 = s0.p.rangeSigs.front(); - ASSERT_TRUE(serialization::dump_binary(rg0, blob)); - ASSERT_TRUE(serialization::parse_binary(blob, rg1)); - ASSERT_TRUE(!memcmp(&rg0, &rg1, sizeof(rg0))); - -#if 0 - ASSERT_TRUE(serialization::dump_binary(s0, blob)); - ASSERT_TRUE(serialization::parse_binary(blob, s1)); - ASSERT_TRUE(s0.type == s1.type); - ASSERT_TRUE(s0.p.rangeSigs.size() == s1.p.rangeSigs.size()); - for (size_t n = 0; n < s0.p.rangeSigs.size(); ++n) - { - ASSERT_TRUE(!memcmp(&s0.p.rangeSigs[n], &s1.p.rangeSigs[n], sizeof(s0.p.rangeSigs[n]))); - } - ASSERT_TRUE(s0.p.MGs.size() == s1.p.MGs.size()); - ASSERT_TRUE(s0.p.MGs[0].ss.size() == s1.p.MGs[0].ss.size()); - for (size_t n = 0; n < s0.p.MGs[0].ss.size(); ++n) - { - ASSERT_TRUE(s0.p.MGs[0].ss[n] == s1.p.MGs[0].ss[n]); - } - ASSERT_TRUE(s0.p.MGs[0].cc == s1.p.MGs[0].cc); - // mixRing and II are not serialized, they are meant to be reconstructed - ASSERT_TRUE(s1.p.MGs[0].II.empty()); - - // mixRing and II are not serialized, they are meant to be reconstructed - ASSERT_TRUE(s1.mixRing.size() == 0); - - ASSERT_TRUE(s0.ecdhInfo.size() == s1.ecdhInfo.size()); - for (size_t n = 0; n < s0.ecdhInfo.size(); ++n) - { - ASSERT_TRUE(!memcmp(&s0.ecdhInfo[n], &s1.ecdhInfo[n], sizeof(s0.ecdhInfo[n]))); - } - ASSERT_TRUE(s0.outPk.size() == s1.outPk.size()); - for (size_t n = 0; n < s0.outPk.size(); ++n) - { - // serialization only does the mask - ASSERT_TRUE(!memcmp(&s0.outPk[n].mask, &s1.outPk[n].mask, sizeof(s0.outPk[n].mask))); - } -#endif - - tx0.set_null(); - tx0.version = 2; - cryptonote::txin_to_key txin_to_key1{}; - txin_to_key1.amount = 100; - txin_to_key1.key_offsets.resize(4); - cryptonote::txin_to_key txin_to_key2{}; - txin_to_key2.amount = 200; - txin_to_key2.key_offsets.resize(4); - tx0.vin.push_back(txin_to_key1); - tx0.vin.push_back(txin_to_key2); - tx0.vout.push_back(cryptonote::tx_out()); - tx0.vout.push_back(cryptonote::tx_out()); - tx0.rct_signatures = s0; - ASSERT_EQ(tx0.rct_signatures.p.rangeSigs.size(), 2); - ASSERT_TRUE(serialization::dump_binary(tx0, blob)); - ASSERT_TRUE(serialization::parse_binary(blob, tx1)); - ASSERT_EQ(tx1.rct_signatures.p.rangeSigs.size(), 2); - std::string blob2; - ASSERT_TRUE(serialization::dump_binary(tx1, blob2)); - ASSERT_TRUE(blob == blob2); + ASSERT_FALSE(s0.p.bulletproofs.empty()); + bp0 = s0.p.bulletproofs.front(); + ASSERT_TRUE(serialization::dump_binary(bp0, blob)); + ASSERT_TRUE(serialization::parse_binary(blob, bp1)); + bp1.V = bp0.V; // this is not saved, as it is reconstructed from other tx data + ASSERT_EQ(bp0, bp1); } TEST(Serialization, portability_wallet) |