2019-04-12 06:36:43 +02:00
|
|
|
// Copyright (c) 2014-2019, The Monero Project
|
2017-01-26 16:07:23 +01:00
|
|
|
//
|
|
|
|
|
// All rights reserved.
|
|
|
|
|
//
|
|
|
|
|
// Redistribution and use in source and binary forms, with or without modification, are
|
|
|
|
|
// permitted provided that the following conditions are met:
|
|
|
|
|
//
|
|
|
|
|
// 1. Redistributions of source code must retain the above copyright notice, this list of
|
|
|
|
|
// conditions and the following disclaimer.
|
|
|
|
|
//
|
|
|
|
|
// 2. Redistributions in binary form must reproduce the above copyright notice, this list
|
|
|
|
|
// of conditions and the following disclaimer in the documentation and/or other
|
|
|
|
|
// materials provided with the distribution.
|
|
|
|
|
//
|
|
|
|
|
// 3. Neither the name of the copyright holder nor the names of its contributors may be
|
|
|
|
|
// used to endorse or promote products derived from this software without specific
|
|
|
|
|
// prior written permission.
|
|
|
|
|
//
|
|
|
|
|
// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY
|
|
|
|
|
// EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
|
|
|
|
|
// MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL
|
|
|
|
|
// THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
|
|
|
|
|
// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
|
|
|
|
|
// PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
|
|
|
|
|
// INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
|
|
|
|
|
// STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF
|
|
|
|
|
// THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
|
|
|
|
//
|
|
|
|
|
// Parts of this file are originally copyright (c) 2012-2013 The Cryptonote developers
|
|
|
|
|
|
|
|
|
|
#pragma once
|
|
|
|
|
#include "cryptonote_basic/cryptonote_format_utils.h"
|
|
|
|
|
#include <boost/serialization/vector.hpp>
|
|
|
|
|
#include <boost/serialization/utility.hpp>
|
2017-07-31 17:36:52 +02:00
|
|
|
#include "ringct/rctOps.h"
|
2019-08-30 08:04:58 +02:00
|
|
|
#include "cryptonote_core/service_node_list.h"
|
2017-01-26 16:07:23 +01:00
|
|
|
|
|
|
|
|
namespace cryptonote
|
|
|
|
|
{
|
|
|
|
|
//---------------------------------------------------------------
|
2018-11-12 04:02:21 +01:00
|
|
|
keypair get_deterministic_keypair_from_height(uint64_t height);
|
|
|
|
|
bool get_deterministic_output_key (const account_public_address& address, const keypair& tx_key, size_t output_index, crypto::public_key& output_key);
|
2020-07-21 22:40:17 +02:00
|
|
|
bool validate_governance_reward_key (uint64_t height, std::string_view governance_wallet_address_str, size_t output_index, const crypto::public_key& output_key, const cryptonote::network_type nettype);
|
2018-11-12 04:02:21 +01:00
|
|
|
|
2020-03-10 20:40:21 +01:00
|
|
|
uint64_t governance_reward_formula (uint64_t base_reward, uint8_t hf_version);
|
2018-11-12 04:02:21 +01:00
|
|
|
bool block_has_governance_output (network_type nettype, cryptonote::block const &block);
|
2020-03-10 20:40:21 +01:00
|
|
|
bool height_has_governance_output (network_type nettype, uint8_t hard_fork_version, uint64_t height);
|
|
|
|
|
uint64_t derive_governance_from_block_reward (network_type nettype, const cryptonote::block &block, uint8_t hf_version);
|
2018-11-12 04:02:21 +01:00
|
|
|
|
|
|
|
|
uint64_t get_portion_of_reward (uint64_t portions, uint64_t total_service_node_reward);
|
2020-03-10 20:40:21 +01:00
|
|
|
uint64_t service_node_reward_formula (uint64_t base_reward, uint8_t hard_fork_version);
|
2018-11-12 04:02:21 +01:00
|
|
|
|
|
|
|
|
struct loki_miner_tx_context // NOTE(loki): All the custom fields required by Loki to use construct_miner_tx
|
|
|
|
|
{
|
2019-09-09 03:14:19 +02:00
|
|
|
loki_miner_tx_context(network_type type = MAINNET, service_nodes::block_winner const &block_winner = service_nodes::null_block_winner) : nettype(type), block_winner(std::move(block_winner)) { }
|
2019-08-30 08:04:58 +02:00
|
|
|
network_type nettype;
|
|
|
|
|
service_nodes::block_winner block_winner;
|
|
|
|
|
uint64_t batched_governance = 0; // NOTE: 0 until hardfork v10, then use blockchain::calc_batched_governance_reward
|
2018-11-12 04:02:21 +01:00
|
|
|
};
|
|
|
|
|
|
2018-07-18 08:51:26 +02:00
|
|
|
bool construct_miner_tx(
|
|
|
|
|
size_t height,
|
2018-10-09 03:31:08 +02:00
|
|
|
size_t median_weight,
|
2018-07-18 08:51:26 +02:00
|
|
|
uint64_t already_generated_coins,
|
2018-10-09 03:31:08 +02:00
|
|
|
size_t current_block_weight,
|
2018-07-18 08:51:26 +02:00
|
|
|
uint64_t fee,
|
|
|
|
|
const account_public_address &miner_address,
|
|
|
|
|
transaction& tx,
|
|
|
|
|
const blobdata& extra_nonce = blobdata(),
|
|
|
|
|
uint8_t hard_fork_version = 1,
|
2018-11-12 04:02:21 +01:00
|
|
|
const loki_miner_tx_context &miner_context = {});
|
2017-01-26 16:07:23 +01:00
|
|
|
|
2018-11-12 04:02:21 +01:00
|
|
|
struct block_reward_parts
|
|
|
|
|
{
|
|
|
|
|
uint64_t service_node_total;
|
|
|
|
|
uint64_t service_node_paid;
|
|
|
|
|
|
2019-09-19 06:20:16 +02:00
|
|
|
uint64_t governance_due;
|
|
|
|
|
uint64_t governance_paid;
|
|
|
|
|
|
2018-11-12 04:02:21 +01:00
|
|
|
uint64_t base_miner;
|
|
|
|
|
uint64_t base_miner_fee;
|
|
|
|
|
|
2019-09-19 06:20:16 +02:00
|
|
|
/// The base block reward from which non-miner amounts (i.e. SN rewards and governance fees) are
|
|
|
|
|
/// calculated. Before HF 13 this was (mistakenly) reduced by the block size penalty for
|
|
|
|
|
/// exceeding the median block size; starting in HF 13 the miner pays the full penalty.
|
2018-11-12 04:02:21 +01:00
|
|
|
uint64_t original_base_reward;
|
|
|
|
|
|
|
|
|
|
uint64_t miner_reward() { return base_miner + base_miner_fee; }
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
struct loki_block_reward_context
|
|
|
|
|
{
|
|
|
|
|
using portions = uint64_t;
|
2019-08-30 08:04:58 +02:00
|
|
|
uint64_t height;
|
|
|
|
|
uint64_t fee;
|
|
|
|
|
uint64_t batched_governance; // Optional: 0 hardfork v10, then must be calculated using blockchain::calc_batched_governance_reward
|
|
|
|
|
std::vector<service_nodes::payout_entry> service_node_payouts = service_nodes::null_winner;
|
2018-11-12 04:02:21 +01:00
|
|
|
};
|
2018-03-12 00:24:08 +01:00
|
|
|
|
2018-11-12 04:02:21 +01:00
|
|
|
// NOTE(loki): I would combine this into get_base_block_reward, but
|
|
|
|
|
// cryptonote_basic as a library is to be able to trivially link with
|
|
|
|
|
// cryptonote_core since it would have a circular dependency on Blockchain
|
2018-03-12 00:24:08 +01:00
|
|
|
|
2018-11-12 04:02:21 +01:00
|
|
|
// NOTE: Block reward function that should be called after hard fork v10
|
|
|
|
|
bool get_loki_block_reward(size_t median_weight, size_t current_block_weight, uint64_t already_generated_coins, int hard_fork_version, block_reward_parts &result, const loki_block_reward_context &loki_context);
|
2018-03-12 00:24:08 +01:00
|
|
|
|
2017-01-26 16:07:23 +01:00
|
|
|
struct tx_source_entry
|
|
|
|
|
{
|
|
|
|
|
typedef std::pair<uint64_t, rct::ctkey> output_entry;
|
|
|
|
|
|
|
|
|
|
std::vector<output_entry> outputs; //index + key + optional ringct commitment
|
|
|
|
|
size_t real_output; //index in outputs vector of real output_entry
|
|
|
|
|
crypto::public_key real_out_tx_key; //incoming real tx public key
|
2017-02-19 03:42:10 +01:00
|
|
|
std::vector<crypto::public_key> real_out_additional_tx_keys; //incoming real tx additional public keys
|
2017-01-26 16:07:23 +01:00
|
|
|
size_t real_output_in_tx_index; //index in transaction outputs vector
|
|
|
|
|
uint64_t amount; //money
|
|
|
|
|
bool rct; //true if the output is rct
|
|
|
|
|
rct::key mask; //ringct amount mask
|
Add N/N multisig tx generation and signing
Scheme by luigi1111:
Multisig for RingCT on Monero
2 of 2
User A (coordinator):
Spendkey b,B
Viewkey a,A (shared)
User B:
Spendkey c,C
Viewkey a,A (shared)
Public Address: C+B, A
Both have their own watch only wallet via C+B, a
A will coordinate spending process (though B could easily as well, coordinator is more needed for more participants)
A and B watch for incoming outputs
B creates "half" key images for discovered output D:
I2_D = (Hs(aR)+c) * Hp(D)
B also creates 1.5 random keypairs (one scalar and 2 pubkeys; one on base G and one on base Hp(D)) for each output, storing the scalar(k) (linked to D),
and sending the pubkeys with I2_D.
A also creates "half" key images:
I1_D = (Hs(aR)+b) * Hp(D)
Then I_D = I1_D + I2_D
Having I_D allows A to check spent status of course, but more importantly allows A to actually build a transaction prefix (and thus transaction).
A builds the transaction until most of the way through MLSAG_Gen, adding the 2 pubkeys (per input) provided with I2_D
to his own generated ones where they are needed (secret row L, R).
At this point, A has a mostly completed transaction (but with an invalid/incomplete signature). A sends over the tx and includes r,
which allows B (with the recipient's address) to verify the destination and amount (by reconstructing the stealth address and decoding ecdhInfo).
B then finishes the signature by computing ss[secret_index][0] = ss[secret_index][0] + k - cc[secret_index]*c (secret indices need to be passed as well).
B can then broadcast the tx, or send it back to A for broadcasting. Once B has completed the signing (and verified the tx to be valid), he can add the full I_D
to his cache, allowing him to verify spent status as well.
NOTE:
A and B *must* present key A and B to each other with a valid signature proving they know a and b respectively.
Otherwise, trickery like the following becomes possible:
A creates viewkey a,A, spendkey b,B, and sends a,A,B to B.
B creates a fake key C = zG - B. B sends C back to A.
The combined spendkey C+B then equals zG, allowing B to spend funds at any time!
The signature fixes this, because B does not know a c corresponding to C (and thus can't produce a signature).
2 of 3
User A (coordinator)
Shared viewkey a,A
"spendkey" j,J
User B
"spendkey" k,K
User C
"spendkey" m,M
A collects K and M from B and C
B collects J and M from A and C
C collects J and K from A and B
A computes N = nG, n = Hs(jK)
A computes O = oG, o = Hs(jM)
B anc C compute P = pG, p = Hs(kM) || Hs(mK)
B and C can also compute N and O respectively if they wish to be able to coordinate
Address: N+O+P, A
The rest follows as above. The coordinator possesses 2 of 3 needed keys; he can get the other
needed part of the signature/key images from either of the other two.
Alternatively, if secure communication exists between parties:
A gives j to B
B gives k to C
C gives m to A
Address: J+K+M, A
3 of 3
Identical to 2 of 2, except the coordinator must collect the key images from both of the others.
The transaction must also be passed an additional hop: A -> B -> C (or A -> C -> B), who can then broadcast it
or send it back to A.
N-1 of N
Generally the same as 2 of 3, except participants need to be arranged in a ring to pass their keys around
(using either the secure or insecure method).
For example (ignoring viewkey so letters line up):
[4 of 5]
User: spendkey
A: a
B: b
C: c
D: d
E: e
a -> B, b -> C, c -> D, d -> E, e -> A
Order of signing does not matter, it just must reach n-1 users. A "remaining keys" list must be passed around with
the transaction so the signers know if they should use 1 or both keys.
Collecting key image parts becomes a little messy, but basically every wallet sends over both of their parts with a tag for each.
Thia way the coordinating wallet can keep track of which images have been added and which wallet they come from. Reasoning:
1. The key images must be added only once (coordinator will get key images for key a from both A and B, he must add only one to get the proper key actual key image)
2. The coordinator must keep track of which helper pubkeys came from which wallet (discussed in 2 of 2 section). The coordinator
must choose only one set to use, then include his choice in the "remaining keys" list so the other wallets know which of their keys to use.
You can generalize it further to N-2 of N or even M of N, but I'm not sure there's legitimate demand to justify the complexity. It might
also be straightforward enough to support with minimal changes from N-1 format.
You basically just give each user additional keys for each additional "-1" you desire. N-2 would be 3 keys per user, N-3 4 keys, etc.
The process is somewhat cumbersome:
To create a N/N multisig wallet:
- each participant creates a normal wallet
- each participant runs "prepare_multisig", and sends the resulting string to every other participant
- each participant runs "make_multisig N A B C D...", with N being the threshold and A B C D... being the strings received from other participants (the threshold must currently equal N)
As txes are received, participants' wallets will need to synchronize so that those new outputs may be spent:
- each participant runs "export_multisig FILENAME", and sends the FILENAME file to every other participant
- each participant runs "import_multisig A B C D...", with A B C D... being the filenames received from other participants
Then, a transaction may be initiated:
- one of the participants runs "transfer ADDRESS AMOUNT"
- this partly signed transaction will be written to the "multisig_monero_tx" file
- the initiator sends this file to another participant
- that other participant runs "sign_multisig multisig_monero_tx"
- the resulting transaction is written to the "multisig_monero_tx" file again
- if the threshold was not reached, the file must be sent to another participant, until enough have signed
- the last participant to sign runs "submit_multisig multisig_monero_tx" to relay the transaction to the Monero network
2017-06-03 23:34:26 +02:00
|
|
|
rct::multisig_kLRki multisig_kLRki; //multisig info
|
2017-01-26 16:07:23 +01:00
|
|
|
|
|
|
|
|
void push_output(uint64_t idx, const crypto::public_key &k, uint64_t amount) { outputs.push_back(std::make_pair(idx, rct::ctkey({rct::pk2rct(k), rct::zeroCommit(amount)}))); }
|
2017-11-10 20:39:09 +01:00
|
|
|
|
|
|
|
|
BEGIN_SERIALIZE_OBJECT()
|
|
|
|
|
FIELD(outputs)
|
|
|
|
|
FIELD(real_output)
|
|
|
|
|
FIELD(real_out_tx_key)
|
|
|
|
|
FIELD(real_out_additional_tx_keys)
|
|
|
|
|
FIELD(real_output_in_tx_index)
|
|
|
|
|
FIELD(amount)
|
|
|
|
|
FIELD(rct)
|
|
|
|
|
FIELD(mask)
|
2017-10-21 13:14:31 +02:00
|
|
|
FIELD(multisig_kLRki)
|
2017-11-10 20:39:09 +01:00
|
|
|
|
|
|
|
|
if (real_output >= outputs.size())
|
2020-06-02 05:08:48 +02:00
|
|
|
throw std::invalid_argument{"invalid real_output size"};
|
2017-11-10 20:39:09 +01:00
|
|
|
END_SERIALIZE()
|
2017-01-26 16:07:23 +01:00
|
|
|
};
|
|
|
|
|
|
|
|
|
|
struct tx_destination_entry
|
|
|
|
|
{
|
2018-12-23 15:31:54 +01:00
|
|
|
std::string original;
|
2017-01-26 16:07:23 +01:00
|
|
|
uint64_t amount; //money
|
|
|
|
|
account_public_address addr; //destination address
|
2017-02-19 03:42:10 +01:00
|
|
|
bool is_subaddress;
|
2018-12-23 15:31:54 +01:00
|
|
|
bool is_integrated;
|
2017-01-26 16:07:23 +01:00
|
|
|
|
2019-10-31 23:26:58 +01:00
|
|
|
tx_destination_entry() : amount(0), addr{}, is_subaddress(false), is_integrated(false) { }
|
2018-12-23 15:31:54 +01:00
|
|
|
tx_destination_entry(uint64_t a, const account_public_address &ad, bool is_subaddress) : amount(a), addr(ad), is_subaddress(is_subaddress), is_integrated(false) { }
|
|
|
|
|
tx_destination_entry(const std::string &o, uint64_t a, const account_public_address &ad, bool is_subaddress) : original(o), amount(a), addr(ad), is_subaddress(is_subaddress), is_integrated(false) { }
|
2017-01-26 16:07:23 +01:00
|
|
|
|
2018-08-05 05:08:51 +02:00
|
|
|
bool operator==(const tx_destination_entry& other) const
|
|
|
|
|
{
|
|
|
|
|
return amount == other.amount && addr == other.addr;
|
|
|
|
|
}
|
|
|
|
|
|
2019-07-07 16:45:13 +02:00
|
|
|
std::string address(network_type nettype, const crypto::hash &payment_id) const
|
|
|
|
|
{
|
|
|
|
|
if (!original.empty())
|
|
|
|
|
{
|
|
|
|
|
return original;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (is_integrated)
|
|
|
|
|
{
|
|
|
|
|
return get_account_integrated_address_as_str(nettype, addr, reinterpret_cast<const crypto::hash8 &>(payment_id));
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return get_account_address_as_str(nettype, is_subaddress, addr);
|
|
|
|
|
}
|
|
|
|
|
|
2017-01-26 16:07:23 +01:00
|
|
|
BEGIN_SERIALIZE_OBJECT()
|
2018-12-23 15:31:54 +01:00
|
|
|
FIELD(original)
|
2017-01-26 16:07:23 +01:00
|
|
|
VARINT_FIELD(amount)
|
|
|
|
|
FIELD(addr)
|
2017-02-19 03:42:10 +01:00
|
|
|
FIELD(is_subaddress)
|
2018-12-23 15:31:54 +01:00
|
|
|
FIELD(is_integrated)
|
2017-01-26 16:07:23 +01:00
|
|
|
END_SERIALIZE()
|
|
|
|
|
};
|
|
|
|
|
|
2019-01-25 04:15:52 +01:00
|
|
|
struct loki_construct_tx_params
|
|
|
|
|
{
|
2019-11-29 04:36:43 +01:00
|
|
|
uint8_t hf_version = cryptonote::network_version_7;
|
|
|
|
|
txtype tx_type = txtype::standard;
|
2019-11-26 08:13:23 +01:00
|
|
|
|
|
|
|
|
// Can be set to non-zero values to have the tx be constructed specifying required burn amounts
|
|
|
|
|
// Note that the percentage is relative to the minimal base tx fee, *not* the actual tx fee.
|
|
|
|
|
//
|
|
|
|
|
// For example if the base tx fee is 0.5, the priority sets the fee to 500%, the fixed burn
|
2019-11-27 23:21:24 +01:00
|
|
|
// amount is 0.1, and the percentage burn is 300% then the tx overall fee will be 0.1+2.5=2.6,
|
|
|
|
|
// and the burn amount will be 0.1+3(0.5)=1.6 (and thus the miner tx coinbase amount will be
|
|
|
|
|
// 1.0). (See also wallet2's get_fee_percent which needs to return a value large enough to
|
|
|
|
|
// allow these amounts to be burned).
|
2019-11-29 04:36:43 +01:00
|
|
|
uint64_t burn_fixed = 0; // atomic units
|
|
|
|
|
uint64_t burn_percent = 0; // 123 = 1.23x base fee.
|
2019-01-25 04:15:52 +01:00
|
|
|
};
|
|
|
|
|
|
2019-11-26 08:13:23 +01:00
|
|
|
//---------------------------------------------------------------
|
2020-06-02 00:30:19 +02:00
|
|
|
crypto::public_key get_destination_view_key_pub(const std::vector<tx_destination_entry> &destinations, const std::optional<cryptonote::tx_destination_entry>& change_addr);
|
|
|
|
|
bool construct_tx(const account_keys& sender_account_keys, std::vector<tx_source_entry> &sources, const std::vector<tx_destination_entry>& destinations, const std::optional<cryptonote::tx_destination_entry>& change_addr, const std::vector<uint8_t> &extra, transaction& tx, uint64_t unlock_time, const loki_construct_tx_params &tx_params = {});
|
|
|
|
|
bool construct_tx_with_tx_key (const account_keys& sender_account_keys, const std::unordered_map<crypto::public_key, subaddress_index>& subaddresses, std::vector<tx_source_entry>& sources, std::vector<tx_destination_entry>& destinations, const std::optional<cryptonote::tx_destination_entry>& change_addr, const std::vector<uint8_t> &extra, transaction& tx, uint64_t unlock_time, const crypto::secret_key &tx_key, const std::vector<crypto::secret_key> &additional_tx_keys, const rct::RCTConfig &rct_config = { rct::RangeProofBorromean, 0}, rct::multisig_out *msout = NULL, bool shuffle_outs = true, loki_construct_tx_params const &tx_params = {});
|
|
|
|
|
bool construct_tx_and_get_tx_key(const account_keys& sender_account_keys, const std::unordered_map<crypto::public_key, subaddress_index>& subaddresses, std::vector<tx_source_entry>& sources, std::vector<tx_destination_entry>& destinations, const std::optional<cryptonote::tx_destination_entry>& change_addr, const std::vector<uint8_t> &extra, transaction& tx, uint64_t unlock_time, crypto::secret_key &tx_key, std::vector<crypto::secret_key> &additional_tx_keys, const rct::RCTConfig &rct_config = { rct::RangeProofBorromean, 0}, rct::multisig_out *msout = NULL, loki_construct_tx_params const &tx_params = {});
|
2018-12-11 10:20:21 +01:00
|
|
|
bool generate_output_ephemeral_keys(const size_t tx_version, bool &found_change,
|
|
|
|
|
const cryptonote::account_keys &sender_account_keys, const crypto::public_key &txkey_pub, const crypto::secret_key &tx_key,
|
2020-06-02 00:30:19 +02:00
|
|
|
const cryptonote::tx_destination_entry &dst_entr, const std::optional<cryptonote::tx_destination_entry> &change_addr, const size_t output_index,
|
2018-12-11 10:20:21 +01:00
|
|
|
const bool &need_additional_txkeys, const std::vector<crypto::secret_key> &additional_tx_keys,
|
|
|
|
|
std::vector<crypto::public_key> &additional_tx_public_keys,
|
|
|
|
|
std::vector<rct::key> &amount_keys,
|
|
|
|
|
crypto::public_key &out_eph_public_key);
|
2017-01-26 16:07:23 +01:00
|
|
|
|
2018-12-11 10:20:21 +01:00
|
|
|
bool generate_output_ephemeral_keys(const size_t tx_version, const cryptonote::account_keys &sender_account_keys, const crypto::public_key &txkey_pub, const crypto::secret_key &tx_key,
|
2020-06-02 00:30:19 +02:00
|
|
|
const cryptonote::tx_destination_entry &dst_entr, const std::optional<cryptonote::account_public_address> &change_addr, const size_t output_index,
|
2018-12-11 10:20:21 +01:00
|
|
|
const bool &need_additional_txkeys, const std::vector<crypto::secret_key> &additional_tx_keys,
|
|
|
|
|
std::vector<crypto::public_key> &additional_tx_public_keys,
|
|
|
|
|
std::vector<rct::key> &amount_keys,
|
|
|
|
|
crypto::public_key &out_eph_public_key) ;
|
|
|
|
|
|
2020-08-11 23:55:06 +02:00
|
|
|
bool generate_genesis_block(block& bl, network_type nettype);
|
2017-01-26 16:07:23 +01:00
|
|
|
|
2020-05-29 05:37:35 +02:00
|
|
|
struct randomx_longhash_context
|
|
|
|
|
{
|
|
|
|
|
uint64_t seed_height;
|
|
|
|
|
crypto::hash seed_block_hash;
|
|
|
|
|
uint64_t current_blockchain_height;
|
|
|
|
|
randomx_longhash_context() = default;
|
|
|
|
|
randomx_longhash_context(const Blockchain *pbc, const block& b /*block to longhash*/, const uint64_t height);
|
|
|
|
|
};
|
|
|
|
|
|
2019-04-23 21:32:27 +02:00
|
|
|
class Blockchain;
|
2020-06-25 05:31:44 +02:00
|
|
|
crypto::hash get_block_longhash(cryptonote::network_type nettype, randomx_longhash_context const &randomx_context, const block& b, uint64_t height, int miners);
|
|
|
|
|
crypto::hash get_altblock_longhash(cryptonote::network_type nettype, randomx_longhash_context const &randomx_context, const block& b, uint64_t height);
|
|
|
|
|
crypto::hash get_block_longhash_w_blockchain(cryptonote::network_type nettype, const Blockchain *pb, const block& b, uint64_t height, int miners);
|
2019-04-23 21:32:27 +02:00
|
|
|
void get_block_longhash_reorg(const uint64_t split_height);
|
|
|
|
|
|
2017-01-26 16:07:23 +01:00
|
|
|
}
|
|
|
|
|
|
2017-10-21 13:14:31 +02:00
|
|
|
BOOST_CLASS_VERSION(cryptonote::tx_source_entry, 1)
|
2018-12-23 15:31:54 +01:00
|
|
|
BOOST_CLASS_VERSION(cryptonote::tx_destination_entry, 2)
|
2017-01-26 16:07:23 +01:00
|
|
|
|
|
|
|
|
namespace boost
|
|
|
|
|
{
|
|
|
|
|
namespace serialization
|
|
|
|
|
{
|
|
|
|
|
template <class Archive>
|
|
|
|
|
inline void serialize(Archive &a, cryptonote::tx_source_entry &x, const boost::serialization::version_type ver)
|
|
|
|
|
{
|
|
|
|
|
a & x.outputs;
|
|
|
|
|
a & x.real_output;
|
|
|
|
|
a & x.real_out_tx_key;
|
|
|
|
|
a & x.real_output_in_tx_index;
|
|
|
|
|
a & x.amount;
|
|
|
|
|
a & x.rct;
|
|
|
|
|
a & x.mask;
|
2017-10-21 13:14:31 +02:00
|
|
|
if (ver < 1)
|
|
|
|
|
return;
|
Add N/N multisig tx generation and signing
Scheme by luigi1111:
Multisig for RingCT on Monero
2 of 2
User A (coordinator):
Spendkey b,B
Viewkey a,A (shared)
User B:
Spendkey c,C
Viewkey a,A (shared)
Public Address: C+B, A
Both have their own watch only wallet via C+B, a
A will coordinate spending process (though B could easily as well, coordinator is more needed for more participants)
A and B watch for incoming outputs
B creates "half" key images for discovered output D:
I2_D = (Hs(aR)+c) * Hp(D)
B also creates 1.5 random keypairs (one scalar and 2 pubkeys; one on base G and one on base Hp(D)) for each output, storing the scalar(k) (linked to D),
and sending the pubkeys with I2_D.
A also creates "half" key images:
I1_D = (Hs(aR)+b) * Hp(D)
Then I_D = I1_D + I2_D
Having I_D allows A to check spent status of course, but more importantly allows A to actually build a transaction prefix (and thus transaction).
A builds the transaction until most of the way through MLSAG_Gen, adding the 2 pubkeys (per input) provided with I2_D
to his own generated ones where they are needed (secret row L, R).
At this point, A has a mostly completed transaction (but with an invalid/incomplete signature). A sends over the tx and includes r,
which allows B (with the recipient's address) to verify the destination and amount (by reconstructing the stealth address and decoding ecdhInfo).
B then finishes the signature by computing ss[secret_index][0] = ss[secret_index][0] + k - cc[secret_index]*c (secret indices need to be passed as well).
B can then broadcast the tx, or send it back to A for broadcasting. Once B has completed the signing (and verified the tx to be valid), he can add the full I_D
to his cache, allowing him to verify spent status as well.
NOTE:
A and B *must* present key A and B to each other with a valid signature proving they know a and b respectively.
Otherwise, trickery like the following becomes possible:
A creates viewkey a,A, spendkey b,B, and sends a,A,B to B.
B creates a fake key C = zG - B. B sends C back to A.
The combined spendkey C+B then equals zG, allowing B to spend funds at any time!
The signature fixes this, because B does not know a c corresponding to C (and thus can't produce a signature).
2 of 3
User A (coordinator)
Shared viewkey a,A
"spendkey" j,J
User B
"spendkey" k,K
User C
"spendkey" m,M
A collects K and M from B and C
B collects J and M from A and C
C collects J and K from A and B
A computes N = nG, n = Hs(jK)
A computes O = oG, o = Hs(jM)
B anc C compute P = pG, p = Hs(kM) || Hs(mK)
B and C can also compute N and O respectively if they wish to be able to coordinate
Address: N+O+P, A
The rest follows as above. The coordinator possesses 2 of 3 needed keys; he can get the other
needed part of the signature/key images from either of the other two.
Alternatively, if secure communication exists between parties:
A gives j to B
B gives k to C
C gives m to A
Address: J+K+M, A
3 of 3
Identical to 2 of 2, except the coordinator must collect the key images from both of the others.
The transaction must also be passed an additional hop: A -> B -> C (or A -> C -> B), who can then broadcast it
or send it back to A.
N-1 of N
Generally the same as 2 of 3, except participants need to be arranged in a ring to pass their keys around
(using either the secure or insecure method).
For example (ignoring viewkey so letters line up):
[4 of 5]
User: spendkey
A: a
B: b
C: c
D: d
E: e
a -> B, b -> C, c -> D, d -> E, e -> A
Order of signing does not matter, it just must reach n-1 users. A "remaining keys" list must be passed around with
the transaction so the signers know if they should use 1 or both keys.
Collecting key image parts becomes a little messy, but basically every wallet sends over both of their parts with a tag for each.
Thia way the coordinating wallet can keep track of which images have been added and which wallet they come from. Reasoning:
1. The key images must be added only once (coordinator will get key images for key a from both A and B, he must add only one to get the proper key actual key image)
2. The coordinator must keep track of which helper pubkeys came from which wallet (discussed in 2 of 2 section). The coordinator
must choose only one set to use, then include his choice in the "remaining keys" list so the other wallets know which of their keys to use.
You can generalize it further to N-2 of N or even M of N, but I'm not sure there's legitimate demand to justify the complexity. It might
also be straightforward enough to support with minimal changes from N-1 format.
You basically just give each user additional keys for each additional "-1" you desire. N-2 would be 3 keys per user, N-3 4 keys, etc.
The process is somewhat cumbersome:
To create a N/N multisig wallet:
- each participant creates a normal wallet
- each participant runs "prepare_multisig", and sends the resulting string to every other participant
- each participant runs "make_multisig N A B C D...", with N being the threshold and A B C D... being the strings received from other participants (the threshold must currently equal N)
As txes are received, participants' wallets will need to synchronize so that those new outputs may be spent:
- each participant runs "export_multisig FILENAME", and sends the FILENAME file to every other participant
- each participant runs "import_multisig A B C D...", with A B C D... being the filenames received from other participants
Then, a transaction may be initiated:
- one of the participants runs "transfer ADDRESS AMOUNT"
- this partly signed transaction will be written to the "multisig_monero_tx" file
- the initiator sends this file to another participant
- that other participant runs "sign_multisig multisig_monero_tx"
- the resulting transaction is written to the "multisig_monero_tx" file again
- if the threshold was not reached, the file must be sent to another participant, until enough have signed
- the last participant to sign runs "submit_multisig multisig_monero_tx" to relay the transaction to the Monero network
2017-06-03 23:34:26 +02:00
|
|
|
a & x.multisig_kLRki;
|
2017-10-21 13:14:31 +02:00
|
|
|
a & x.real_out_additional_tx_keys;
|
2017-01-26 16:07:23 +01:00
|
|
|
}
|
2017-02-19 03:42:10 +01:00
|
|
|
|
|
|
|
|
template <class Archive>
|
|
|
|
|
inline void serialize(Archive& a, cryptonote::tx_destination_entry& x, const boost::serialization::version_type ver)
|
|
|
|
|
{
|
|
|
|
|
a & x.amount;
|
|
|
|
|
a & x.addr;
|
|
|
|
|
if (ver < 1)
|
|
|
|
|
return;
|
|
|
|
|
a & x.is_subaddress;
|
2018-12-23 15:31:54 +01:00
|
|
|
if (ver < 2)
|
|
|
|
|
{
|
|
|
|
|
x.is_integrated = false;
|
|
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
a & x.original;
|
|
|
|
|
a & x.is_integrated;
|
2017-02-19 03:42:10 +01:00
|
|
|
}
|
2017-01-26 16:07:23 +01:00
|
|
|
}
|
|
|
|
|
}
|
