2019-04-12 06:36:43 +02:00
// Copyright (c) 2014-2019, The Monero Project
2017-01-26 16:07:23 +01:00
//
// All rights reserved.
//
// Redistribution and use in source and binary forms, with or without modification, are
// permitted provided that the following conditions are met:
//
// 1. Redistributions of source code must retain the above copyright notice, this list of
// conditions and the following disclaimer.
//
// 2. Redistributions in binary form must reproduce the above copyright notice, this list
// of conditions and the following disclaimer in the documentation and/or other
// materials provided with the distribution.
//
// 3. Neither the name of the copyright holder nor the names of its contributors may be
// used to endorse or promote products derived from this software without specific
// prior written permission.
//
// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY
// EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
// MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL
// THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
// PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
// INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
// STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF
// THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
//
// Parts of this file are originally copyright (c) 2012-2013 The Cryptonote developers
2017-02-19 03:42:10 +01:00
# include <unordered_set>
2018-03-31 09:19:14 +02:00
# include <random>
2020-10-24 00:49:42 +02:00
# include "epee/string_tools.h"
2017-09-12 22:40:53 +02:00
# include "common/apply_permutation.h"
2020-07-21 22:40:17 +02:00
# include "common/hex.h"
2017-01-26 16:07:23 +01:00
# include "cryptonote_tx_utils.h"
# include "cryptonote_config.h"
2019-04-23 21:32:27 +02:00
# include "blockchain.h"
2017-01-26 16:07:23 +01:00
# include "cryptonote_basic/miner.h"
2018-08-03 12:21:08 +02:00
# include "cryptonote_basic/tx_extra.h"
2022-04-29 01:51:14 +02:00
# include "cryptonote_basic/cryptonote_format_utils.h"
2017-01-26 16:07:23 +01:00
# include "crypto/crypto.h"
# include "crypto/hash.h"
# include "ringct/rctSigs.h"
2017-09-27 00:16:25 +02:00
# include "multisig/multisig.h"
2020-10-24 00:49:42 +02:00
# include "epee/int-util.h"
2017-01-26 16:07:23 +01:00
2017-10-10 16:47:08 +02:00
using namespace crypto ;
2017-01-26 16:07:23 +01:00
namespace cryptonote
{
Add N/N multisig tx generation and signing
Scheme by luigi1111:
Multisig for RingCT on Monero
2 of 2
User A (coordinator):
Spendkey b,B
Viewkey a,A (shared)
User B:
Spendkey c,C
Viewkey a,A (shared)
Public Address: C+B, A
Both have their own watch only wallet via C+B, a
A will coordinate spending process (though B could easily as well, coordinator is more needed for more participants)
A and B watch for incoming outputs
B creates "half" key images for discovered output D:
I2_D = (Hs(aR)+c) * Hp(D)
B also creates 1.5 random keypairs (one scalar and 2 pubkeys; one on base G and one on base Hp(D)) for each output, storing the scalar(k) (linked to D),
and sending the pubkeys with I2_D.
A also creates "half" key images:
I1_D = (Hs(aR)+b) * Hp(D)
Then I_D = I1_D + I2_D
Having I_D allows A to check spent status of course, but more importantly allows A to actually build a transaction prefix (and thus transaction).
A builds the transaction until most of the way through MLSAG_Gen, adding the 2 pubkeys (per input) provided with I2_D
to his own generated ones where they are needed (secret row L, R).
At this point, A has a mostly completed transaction (but with an invalid/incomplete signature). A sends over the tx and includes r,
which allows B (with the recipient's address) to verify the destination and amount (by reconstructing the stealth address and decoding ecdhInfo).
B then finishes the signature by computing ss[secret_index][0] = ss[secret_index][0] + k - cc[secret_index]*c (secret indices need to be passed as well).
B can then broadcast the tx, or send it back to A for broadcasting. Once B has completed the signing (and verified the tx to be valid), he can add the full I_D
to his cache, allowing him to verify spent status as well.
NOTE:
A and B *must* present key A and B to each other with a valid signature proving they know a and b respectively.
Otherwise, trickery like the following becomes possible:
A creates viewkey a,A, spendkey b,B, and sends a,A,B to B.
B creates a fake key C = zG - B. B sends C back to A.
The combined spendkey C+B then equals zG, allowing B to spend funds at any time!
The signature fixes this, because B does not know a c corresponding to C (and thus can't produce a signature).
2 of 3
User A (coordinator)
Shared viewkey a,A
"spendkey" j,J
User B
"spendkey" k,K
User C
"spendkey" m,M
A collects K and M from B and C
B collects J and M from A and C
C collects J and K from A and B
A computes N = nG, n = Hs(jK)
A computes O = oG, o = Hs(jM)
B anc C compute P = pG, p = Hs(kM) || Hs(mK)
B and C can also compute N and O respectively if they wish to be able to coordinate
Address: N+O+P, A
The rest follows as above. The coordinator possesses 2 of 3 needed keys; he can get the other
needed part of the signature/key images from either of the other two.
Alternatively, if secure communication exists between parties:
A gives j to B
B gives k to C
C gives m to A
Address: J+K+M, A
3 of 3
Identical to 2 of 2, except the coordinator must collect the key images from both of the others.
The transaction must also be passed an additional hop: A -> B -> C (or A -> C -> B), who can then broadcast it
or send it back to A.
N-1 of N
Generally the same as 2 of 3, except participants need to be arranged in a ring to pass their keys around
(using either the secure or insecure method).
For example (ignoring viewkey so letters line up):
[4 of 5]
User: spendkey
A: a
B: b
C: c
D: d
E: e
a -> B, b -> C, c -> D, d -> E, e -> A
Order of signing does not matter, it just must reach n-1 users. A "remaining keys" list must be passed around with
the transaction so the signers know if they should use 1 or both keys.
Collecting key image parts becomes a little messy, but basically every wallet sends over both of their parts with a tag for each.
Thia way the coordinating wallet can keep track of which images have been added and which wallet they come from. Reasoning:
1. The key images must be added only once (coordinator will get key images for key a from both A and B, he must add only one to get the proper key actual key image)
2. The coordinator must keep track of which helper pubkeys came from which wallet (discussed in 2 of 2 section). The coordinator
must choose only one set to use, then include his choice in the "remaining keys" list so the other wallets know which of their keys to use.
You can generalize it further to N-2 of N or even M of N, but I'm not sure there's legitimate demand to justify the complexity. It might
also be straightforward enough to support with minimal changes from N-1 format.
You basically just give each user additional keys for each additional "-1" you desire. N-2 would be 3 keys per user, N-3 4 keys, etc.
The process is somewhat cumbersome:
To create a N/N multisig wallet:
- each participant creates a normal wallet
- each participant runs "prepare_multisig", and sends the resulting string to every other participant
- each participant runs "make_multisig N A B C D...", with N being the threshold and A B C D... being the strings received from other participants (the threshold must currently equal N)
As txes are received, participants' wallets will need to synchronize so that those new outputs may be spent:
- each participant runs "export_multisig FILENAME", and sends the FILENAME file to every other participant
- each participant runs "import_multisig A B C D...", with A B C D... being the filenames received from other participants
Then, a transaction may be initiated:
- one of the participants runs "transfer ADDRESS AMOUNT"
- this partly signed transaction will be written to the "multisig_monero_tx" file
- the initiator sends this file to another participant
- that other participant runs "sign_multisig multisig_monero_tx"
- the resulting transaction is written to the "multisig_monero_tx" file again
- if the threshold was not reached, the file must be sent to another participant, until enough have signed
- the last participant to sign runs "submit_multisig multisig_monero_tx" to relay the transaction to the Monero network
2017-06-03 23:34:26 +02:00
//---------------------------------------------------------------
2020-06-02 00:30:19 +02:00
static void classify_addresses ( const std : : vector < tx_destination_entry > & destinations , const std : : optional < cryptonote : : tx_destination_entry > & change_addr , size_t & num_stdaddresses , size_t & num_subaddresses , account_public_address & single_dest_subaddress )
Add N/N multisig tx generation and signing
Scheme by luigi1111:
Multisig for RingCT on Monero
2 of 2
User A (coordinator):
Spendkey b,B
Viewkey a,A (shared)
User B:
Spendkey c,C
Viewkey a,A (shared)
Public Address: C+B, A
Both have their own watch only wallet via C+B, a
A will coordinate spending process (though B could easily as well, coordinator is more needed for more participants)
A and B watch for incoming outputs
B creates "half" key images for discovered output D:
I2_D = (Hs(aR)+c) * Hp(D)
B also creates 1.5 random keypairs (one scalar and 2 pubkeys; one on base G and one on base Hp(D)) for each output, storing the scalar(k) (linked to D),
and sending the pubkeys with I2_D.
A also creates "half" key images:
I1_D = (Hs(aR)+b) * Hp(D)
Then I_D = I1_D + I2_D
Having I_D allows A to check spent status of course, but more importantly allows A to actually build a transaction prefix (and thus transaction).
A builds the transaction until most of the way through MLSAG_Gen, adding the 2 pubkeys (per input) provided with I2_D
to his own generated ones where they are needed (secret row L, R).
At this point, A has a mostly completed transaction (but with an invalid/incomplete signature). A sends over the tx and includes r,
which allows B (with the recipient's address) to verify the destination and amount (by reconstructing the stealth address and decoding ecdhInfo).
B then finishes the signature by computing ss[secret_index][0] = ss[secret_index][0] + k - cc[secret_index]*c (secret indices need to be passed as well).
B can then broadcast the tx, or send it back to A for broadcasting. Once B has completed the signing (and verified the tx to be valid), he can add the full I_D
to his cache, allowing him to verify spent status as well.
NOTE:
A and B *must* present key A and B to each other with a valid signature proving they know a and b respectively.
Otherwise, trickery like the following becomes possible:
A creates viewkey a,A, spendkey b,B, and sends a,A,B to B.
B creates a fake key C = zG - B. B sends C back to A.
The combined spendkey C+B then equals zG, allowing B to spend funds at any time!
The signature fixes this, because B does not know a c corresponding to C (and thus can't produce a signature).
2 of 3
User A (coordinator)
Shared viewkey a,A
"spendkey" j,J
User B
"spendkey" k,K
User C
"spendkey" m,M
A collects K and M from B and C
B collects J and M from A and C
C collects J and K from A and B
A computes N = nG, n = Hs(jK)
A computes O = oG, o = Hs(jM)
B anc C compute P = pG, p = Hs(kM) || Hs(mK)
B and C can also compute N and O respectively if they wish to be able to coordinate
Address: N+O+P, A
The rest follows as above. The coordinator possesses 2 of 3 needed keys; he can get the other
needed part of the signature/key images from either of the other two.
Alternatively, if secure communication exists between parties:
A gives j to B
B gives k to C
C gives m to A
Address: J+K+M, A
3 of 3
Identical to 2 of 2, except the coordinator must collect the key images from both of the others.
The transaction must also be passed an additional hop: A -> B -> C (or A -> C -> B), who can then broadcast it
or send it back to A.
N-1 of N
Generally the same as 2 of 3, except participants need to be arranged in a ring to pass their keys around
(using either the secure or insecure method).
For example (ignoring viewkey so letters line up):
[4 of 5]
User: spendkey
A: a
B: b
C: c
D: d
E: e
a -> B, b -> C, c -> D, d -> E, e -> A
Order of signing does not matter, it just must reach n-1 users. A "remaining keys" list must be passed around with
the transaction so the signers know if they should use 1 or both keys.
Collecting key image parts becomes a little messy, but basically every wallet sends over both of their parts with a tag for each.
Thia way the coordinating wallet can keep track of which images have been added and which wallet they come from. Reasoning:
1. The key images must be added only once (coordinator will get key images for key a from both A and B, he must add only one to get the proper key actual key image)
2. The coordinator must keep track of which helper pubkeys came from which wallet (discussed in 2 of 2 section). The coordinator
must choose only one set to use, then include his choice in the "remaining keys" list so the other wallets know which of their keys to use.
You can generalize it further to N-2 of N or even M of N, but I'm not sure there's legitimate demand to justify the complexity. It might
also be straightforward enough to support with minimal changes from N-1 format.
You basically just give each user additional keys for each additional "-1" you desire. N-2 would be 3 keys per user, N-3 4 keys, etc.
The process is somewhat cumbersome:
To create a N/N multisig wallet:
- each participant creates a normal wallet
- each participant runs "prepare_multisig", and sends the resulting string to every other participant
- each participant runs "make_multisig N A B C D...", with N being the threshold and A B C D... being the strings received from other participants (the threshold must currently equal N)
As txes are received, participants' wallets will need to synchronize so that those new outputs may be spent:
- each participant runs "export_multisig FILENAME", and sends the FILENAME file to every other participant
- each participant runs "import_multisig A B C D...", with A B C D... being the filenames received from other participants
Then, a transaction may be initiated:
- one of the participants runs "transfer ADDRESS AMOUNT"
- this partly signed transaction will be written to the "multisig_monero_tx" file
- the initiator sends this file to another participant
- that other participant runs "sign_multisig multisig_monero_tx"
- the resulting transaction is written to the "multisig_monero_tx" file again
- if the threshold was not reached, the file must be sent to another participant, until enough have signed
- the last participant to sign runs "submit_multisig multisig_monero_tx" to relay the transaction to the Monero network
2017-06-03 23:34:26 +02:00
{
num_stdaddresses = 0 ;
num_subaddresses = 0 ;
std : : unordered_set < cryptonote : : account_public_address > unique_dst_addresses ;
2018-08-05 05:08:51 +02:00
bool change_found = false ;
Add N/N multisig tx generation and signing
Scheme by luigi1111:
Multisig for RingCT on Monero
2 of 2
User A (coordinator):
Spendkey b,B
Viewkey a,A (shared)
User B:
Spendkey c,C
Viewkey a,A (shared)
Public Address: C+B, A
Both have their own watch only wallet via C+B, a
A will coordinate spending process (though B could easily as well, coordinator is more needed for more participants)
A and B watch for incoming outputs
B creates "half" key images for discovered output D:
I2_D = (Hs(aR)+c) * Hp(D)
B also creates 1.5 random keypairs (one scalar and 2 pubkeys; one on base G and one on base Hp(D)) for each output, storing the scalar(k) (linked to D),
and sending the pubkeys with I2_D.
A also creates "half" key images:
I1_D = (Hs(aR)+b) * Hp(D)
Then I_D = I1_D + I2_D
Having I_D allows A to check spent status of course, but more importantly allows A to actually build a transaction prefix (and thus transaction).
A builds the transaction until most of the way through MLSAG_Gen, adding the 2 pubkeys (per input) provided with I2_D
to his own generated ones where they are needed (secret row L, R).
At this point, A has a mostly completed transaction (but with an invalid/incomplete signature). A sends over the tx and includes r,
which allows B (with the recipient's address) to verify the destination and amount (by reconstructing the stealth address and decoding ecdhInfo).
B then finishes the signature by computing ss[secret_index][0] = ss[secret_index][0] + k - cc[secret_index]*c (secret indices need to be passed as well).
B can then broadcast the tx, or send it back to A for broadcasting. Once B has completed the signing (and verified the tx to be valid), he can add the full I_D
to his cache, allowing him to verify spent status as well.
NOTE:
A and B *must* present key A and B to each other with a valid signature proving they know a and b respectively.
Otherwise, trickery like the following becomes possible:
A creates viewkey a,A, spendkey b,B, and sends a,A,B to B.
B creates a fake key C = zG - B. B sends C back to A.
The combined spendkey C+B then equals zG, allowing B to spend funds at any time!
The signature fixes this, because B does not know a c corresponding to C (and thus can't produce a signature).
2 of 3
User A (coordinator)
Shared viewkey a,A
"spendkey" j,J
User B
"spendkey" k,K
User C
"spendkey" m,M
A collects K and M from B and C
B collects J and M from A and C
C collects J and K from A and B
A computes N = nG, n = Hs(jK)
A computes O = oG, o = Hs(jM)
B anc C compute P = pG, p = Hs(kM) || Hs(mK)
B and C can also compute N and O respectively if they wish to be able to coordinate
Address: N+O+P, A
The rest follows as above. The coordinator possesses 2 of 3 needed keys; he can get the other
needed part of the signature/key images from either of the other two.
Alternatively, if secure communication exists between parties:
A gives j to B
B gives k to C
C gives m to A
Address: J+K+M, A
3 of 3
Identical to 2 of 2, except the coordinator must collect the key images from both of the others.
The transaction must also be passed an additional hop: A -> B -> C (or A -> C -> B), who can then broadcast it
or send it back to A.
N-1 of N
Generally the same as 2 of 3, except participants need to be arranged in a ring to pass their keys around
(using either the secure or insecure method).
For example (ignoring viewkey so letters line up):
[4 of 5]
User: spendkey
A: a
B: b
C: c
D: d
E: e
a -> B, b -> C, c -> D, d -> E, e -> A
Order of signing does not matter, it just must reach n-1 users. A "remaining keys" list must be passed around with
the transaction so the signers know if they should use 1 or both keys.
Collecting key image parts becomes a little messy, but basically every wallet sends over both of their parts with a tag for each.
Thia way the coordinating wallet can keep track of which images have been added and which wallet they come from. Reasoning:
1. The key images must be added only once (coordinator will get key images for key a from both A and B, he must add only one to get the proper key actual key image)
2. The coordinator must keep track of which helper pubkeys came from which wallet (discussed in 2 of 2 section). The coordinator
must choose only one set to use, then include his choice in the "remaining keys" list so the other wallets know which of their keys to use.
You can generalize it further to N-2 of N or even M of N, but I'm not sure there's legitimate demand to justify the complexity. It might
also be straightforward enough to support with minimal changes from N-1 format.
You basically just give each user additional keys for each additional "-1" you desire. N-2 would be 3 keys per user, N-3 4 keys, etc.
The process is somewhat cumbersome:
To create a N/N multisig wallet:
- each participant creates a normal wallet
- each participant runs "prepare_multisig", and sends the resulting string to every other participant
- each participant runs "make_multisig N A B C D...", with N being the threshold and A B C D... being the strings received from other participants (the threshold must currently equal N)
As txes are received, participants' wallets will need to synchronize so that those new outputs may be spent:
- each participant runs "export_multisig FILENAME", and sends the FILENAME file to every other participant
- each participant runs "import_multisig A B C D...", with A B C D... being the filenames received from other participants
Then, a transaction may be initiated:
- one of the participants runs "transfer ADDRESS AMOUNT"
- this partly signed transaction will be written to the "multisig_monero_tx" file
- the initiator sends this file to another participant
- that other participant runs "sign_multisig multisig_monero_tx"
- the resulting transaction is written to the "multisig_monero_tx" file again
- if the threshold was not reached, the file must be sent to another participant, until enough have signed
- the last participant to sign runs "submit_multisig multisig_monero_tx" to relay the transaction to the Monero network
2017-06-03 23:34:26 +02:00
for ( const tx_destination_entry & dst_entr : destinations )
{
2018-08-05 05:08:51 +02:00
if ( change_addr & & * change_addr = = dst_entr & & ! change_found )
{
change_found = true ;
Add N/N multisig tx generation and signing
Scheme by luigi1111:
Multisig for RingCT on Monero
2 of 2
User A (coordinator):
Spendkey b,B
Viewkey a,A (shared)
User B:
Spendkey c,C
Viewkey a,A (shared)
Public Address: C+B, A
Both have their own watch only wallet via C+B, a
A will coordinate spending process (though B could easily as well, coordinator is more needed for more participants)
A and B watch for incoming outputs
B creates "half" key images for discovered output D:
I2_D = (Hs(aR)+c) * Hp(D)
B also creates 1.5 random keypairs (one scalar and 2 pubkeys; one on base G and one on base Hp(D)) for each output, storing the scalar(k) (linked to D),
and sending the pubkeys with I2_D.
A also creates "half" key images:
I1_D = (Hs(aR)+b) * Hp(D)
Then I_D = I1_D + I2_D
Having I_D allows A to check spent status of course, but more importantly allows A to actually build a transaction prefix (and thus transaction).
A builds the transaction until most of the way through MLSAG_Gen, adding the 2 pubkeys (per input) provided with I2_D
to his own generated ones where they are needed (secret row L, R).
At this point, A has a mostly completed transaction (but with an invalid/incomplete signature). A sends over the tx and includes r,
which allows B (with the recipient's address) to verify the destination and amount (by reconstructing the stealth address and decoding ecdhInfo).
B then finishes the signature by computing ss[secret_index][0] = ss[secret_index][0] + k - cc[secret_index]*c (secret indices need to be passed as well).
B can then broadcast the tx, or send it back to A for broadcasting. Once B has completed the signing (and verified the tx to be valid), he can add the full I_D
to his cache, allowing him to verify spent status as well.
NOTE:
A and B *must* present key A and B to each other with a valid signature proving they know a and b respectively.
Otherwise, trickery like the following becomes possible:
A creates viewkey a,A, spendkey b,B, and sends a,A,B to B.
B creates a fake key C = zG - B. B sends C back to A.
The combined spendkey C+B then equals zG, allowing B to spend funds at any time!
The signature fixes this, because B does not know a c corresponding to C (and thus can't produce a signature).
2 of 3
User A (coordinator)
Shared viewkey a,A
"spendkey" j,J
User B
"spendkey" k,K
User C
"spendkey" m,M
A collects K and M from B and C
B collects J and M from A and C
C collects J and K from A and B
A computes N = nG, n = Hs(jK)
A computes O = oG, o = Hs(jM)
B anc C compute P = pG, p = Hs(kM) || Hs(mK)
B and C can also compute N and O respectively if they wish to be able to coordinate
Address: N+O+P, A
The rest follows as above. The coordinator possesses 2 of 3 needed keys; he can get the other
needed part of the signature/key images from either of the other two.
Alternatively, if secure communication exists between parties:
A gives j to B
B gives k to C
C gives m to A
Address: J+K+M, A
3 of 3
Identical to 2 of 2, except the coordinator must collect the key images from both of the others.
The transaction must also be passed an additional hop: A -> B -> C (or A -> C -> B), who can then broadcast it
or send it back to A.
N-1 of N
Generally the same as 2 of 3, except participants need to be arranged in a ring to pass their keys around
(using either the secure or insecure method).
For example (ignoring viewkey so letters line up):
[4 of 5]
User: spendkey
A: a
B: b
C: c
D: d
E: e
a -> B, b -> C, c -> D, d -> E, e -> A
Order of signing does not matter, it just must reach n-1 users. A "remaining keys" list must be passed around with
the transaction so the signers know if they should use 1 or both keys.
Collecting key image parts becomes a little messy, but basically every wallet sends over both of their parts with a tag for each.
Thia way the coordinating wallet can keep track of which images have been added and which wallet they come from. Reasoning:
1. The key images must be added only once (coordinator will get key images for key a from both A and B, he must add only one to get the proper key actual key image)
2. The coordinator must keep track of which helper pubkeys came from which wallet (discussed in 2 of 2 section). The coordinator
must choose only one set to use, then include his choice in the "remaining keys" list so the other wallets know which of their keys to use.
You can generalize it further to N-2 of N or even M of N, but I'm not sure there's legitimate demand to justify the complexity. It might
also be straightforward enough to support with minimal changes from N-1 format.
You basically just give each user additional keys for each additional "-1" you desire. N-2 would be 3 keys per user, N-3 4 keys, etc.
The process is somewhat cumbersome:
To create a N/N multisig wallet:
- each participant creates a normal wallet
- each participant runs "prepare_multisig", and sends the resulting string to every other participant
- each participant runs "make_multisig N A B C D...", with N being the threshold and A B C D... being the strings received from other participants (the threshold must currently equal N)
As txes are received, participants' wallets will need to synchronize so that those new outputs may be spent:
- each participant runs "export_multisig FILENAME", and sends the FILENAME file to every other participant
- each participant runs "import_multisig A B C D...", with A B C D... being the filenames received from other participants
Then, a transaction may be initiated:
- one of the participants runs "transfer ADDRESS AMOUNT"
- this partly signed transaction will be written to the "multisig_monero_tx" file
- the initiator sends this file to another participant
- that other participant runs "sign_multisig multisig_monero_tx"
- the resulting transaction is written to the "multisig_monero_tx" file again
- if the threshold was not reached, the file must be sent to another participant, until enough have signed
- the last participant to sign runs "submit_multisig multisig_monero_tx" to relay the transaction to the Monero network
2017-06-03 23:34:26 +02:00
continue ;
2018-08-05 05:08:51 +02:00
}
Add N/N multisig tx generation and signing
Scheme by luigi1111:
Multisig for RingCT on Monero
2 of 2
User A (coordinator):
Spendkey b,B
Viewkey a,A (shared)
User B:
Spendkey c,C
Viewkey a,A (shared)
Public Address: C+B, A
Both have their own watch only wallet via C+B, a
A will coordinate spending process (though B could easily as well, coordinator is more needed for more participants)
A and B watch for incoming outputs
B creates "half" key images for discovered output D:
I2_D = (Hs(aR)+c) * Hp(D)
B also creates 1.5 random keypairs (one scalar and 2 pubkeys; one on base G and one on base Hp(D)) for each output, storing the scalar(k) (linked to D),
and sending the pubkeys with I2_D.
A also creates "half" key images:
I1_D = (Hs(aR)+b) * Hp(D)
Then I_D = I1_D + I2_D
Having I_D allows A to check spent status of course, but more importantly allows A to actually build a transaction prefix (and thus transaction).
A builds the transaction until most of the way through MLSAG_Gen, adding the 2 pubkeys (per input) provided with I2_D
to his own generated ones where they are needed (secret row L, R).
At this point, A has a mostly completed transaction (but with an invalid/incomplete signature). A sends over the tx and includes r,
which allows B (with the recipient's address) to verify the destination and amount (by reconstructing the stealth address and decoding ecdhInfo).
B then finishes the signature by computing ss[secret_index][0] = ss[secret_index][0] + k - cc[secret_index]*c (secret indices need to be passed as well).
B can then broadcast the tx, or send it back to A for broadcasting. Once B has completed the signing (and verified the tx to be valid), he can add the full I_D
to his cache, allowing him to verify spent status as well.
NOTE:
A and B *must* present key A and B to each other with a valid signature proving they know a and b respectively.
Otherwise, trickery like the following becomes possible:
A creates viewkey a,A, spendkey b,B, and sends a,A,B to B.
B creates a fake key C = zG - B. B sends C back to A.
The combined spendkey C+B then equals zG, allowing B to spend funds at any time!
The signature fixes this, because B does not know a c corresponding to C (and thus can't produce a signature).
2 of 3
User A (coordinator)
Shared viewkey a,A
"spendkey" j,J
User B
"spendkey" k,K
User C
"spendkey" m,M
A collects K and M from B and C
B collects J and M from A and C
C collects J and K from A and B
A computes N = nG, n = Hs(jK)
A computes O = oG, o = Hs(jM)
B anc C compute P = pG, p = Hs(kM) || Hs(mK)
B and C can also compute N and O respectively if they wish to be able to coordinate
Address: N+O+P, A
The rest follows as above. The coordinator possesses 2 of 3 needed keys; he can get the other
needed part of the signature/key images from either of the other two.
Alternatively, if secure communication exists between parties:
A gives j to B
B gives k to C
C gives m to A
Address: J+K+M, A
3 of 3
Identical to 2 of 2, except the coordinator must collect the key images from both of the others.
The transaction must also be passed an additional hop: A -> B -> C (or A -> C -> B), who can then broadcast it
or send it back to A.
N-1 of N
Generally the same as 2 of 3, except participants need to be arranged in a ring to pass their keys around
(using either the secure or insecure method).
For example (ignoring viewkey so letters line up):
[4 of 5]
User: spendkey
A: a
B: b
C: c
D: d
E: e
a -> B, b -> C, c -> D, d -> E, e -> A
Order of signing does not matter, it just must reach n-1 users. A "remaining keys" list must be passed around with
the transaction so the signers know if they should use 1 or both keys.
Collecting key image parts becomes a little messy, but basically every wallet sends over both of their parts with a tag for each.
Thia way the coordinating wallet can keep track of which images have been added and which wallet they come from. Reasoning:
1. The key images must be added only once (coordinator will get key images for key a from both A and B, he must add only one to get the proper key actual key image)
2. The coordinator must keep track of which helper pubkeys came from which wallet (discussed in 2 of 2 section). The coordinator
must choose only one set to use, then include his choice in the "remaining keys" list so the other wallets know which of their keys to use.
You can generalize it further to N-2 of N or even M of N, but I'm not sure there's legitimate demand to justify the complexity. It might
also be straightforward enough to support with minimal changes from N-1 format.
You basically just give each user additional keys for each additional "-1" you desire. N-2 would be 3 keys per user, N-3 4 keys, etc.
The process is somewhat cumbersome:
To create a N/N multisig wallet:
- each participant creates a normal wallet
- each participant runs "prepare_multisig", and sends the resulting string to every other participant
- each participant runs "make_multisig N A B C D...", with N being the threshold and A B C D... being the strings received from other participants (the threshold must currently equal N)
As txes are received, participants' wallets will need to synchronize so that those new outputs may be spent:
- each participant runs "export_multisig FILENAME", and sends the FILENAME file to every other participant
- each participant runs "import_multisig A B C D...", with A B C D... being the filenames received from other participants
Then, a transaction may be initiated:
- one of the participants runs "transfer ADDRESS AMOUNT"
- this partly signed transaction will be written to the "multisig_monero_tx" file
- the initiator sends this file to another participant
- that other participant runs "sign_multisig multisig_monero_tx"
- the resulting transaction is written to the "multisig_monero_tx" file again
- if the threshold was not reached, the file must be sent to another participant, until enough have signed
- the last participant to sign runs "submit_multisig multisig_monero_tx" to relay the transaction to the Monero network
2017-06-03 23:34:26 +02:00
if ( unique_dst_addresses . count ( dst_entr . addr ) = = 0 )
{
unique_dst_addresses . insert ( dst_entr . addr ) ;
if ( dst_entr . is_subaddress )
{
+ + num_subaddresses ;
single_dest_subaddress = dst_entr . addr ;
}
else
{
+ + num_stdaddresses ;
}
}
}
LOG_PRINT_L2 ( " destinations include " < < num_stdaddresses < < " standard addresses and " < < num_subaddresses < < " subaddresses " ) ;
}
2018-03-12 00:24:08 +01:00
keypair get_deterministic_keypair_from_height ( uint64_t height )
{
keypair k ;
ec_scalar & sec = k . sec ;
for ( int i = 0 ; i < 8 ; i + + )
{
uint64_t height_byte = height & ( ( uint64_t ) 0xFF < < ( i * 8 ) ) ;
uint8_t byte = height_byte > > i * 8 ;
sec . data [ i ] = byte ;
}
for ( int i = 8 ; i < 32 ; i + + )
{
sec . data [ i ] = 0x00 ;
}
generate_keys ( k . pub , k . sec , k . sec , true ) ;
return k ;
}
bool get_deterministic_output_key ( const account_public_address & address , const keypair & tx_key , size_t output_index , crypto : : public_key & output_key )
{
2019-10-31 23:26:58 +01:00
crypto : : key_derivation derivation { } ;
2018-03-12 00:24:08 +01:00
bool r = crypto : : generate_key_derivation ( address . m_view_public_key , tx_key . sec , derivation ) ;
CHECK_AND_ASSERT_MES ( r , false , " failed to generate_key_derivation( " < < address . m_view_public_key < < " , " < < tx_key . sec < < " ) " ) ;
r = crypto : : derive_public_key ( derivation , output_index , address . m_spend_public_key , output_key ) ;
CHECK_AND_ASSERT_MES ( r , false , " failed to derive_public_key( " < < derivation < < " , " < < output_index < < " , " < < address . m_spend_public_key < < " ) " ) ;
return true ;
}
2020-07-21 22:40:17 +02:00
bool validate_governance_reward_key ( uint64_t height , std : : string_view governance_wallet_address_str , size_t output_index , const crypto : : public_key & output_key , const cryptonote : : network_type nettype )
2018-03-12 00:24:08 +01:00
{
keypair gov_key = get_deterministic_keypair_from_height ( height ) ;
cryptonote : : address_parse_info governance_wallet_address ;
2018-11-12 04:02:21 +01:00
cryptonote : : get_account_address_from_str ( governance_wallet_address , nettype , governance_wallet_address_str ) ;
2018-03-12 00:24:08 +01:00
crypto : : public_key correct_key ;
2022-04-29 01:51:14 +02:00
2018-03-12 00:24:08 +01:00
if ( ! get_deterministic_output_key ( governance_wallet_address . address , gov_key , output_index , correct_key ) )
{
MERROR ( " Failed to generate deterministic output key for governance wallet output validation " ) ;
return false ;
}
return correct_key = = output_key ;
}
2022-04-29 01:51:14 +02:00
uint64_t governance_reward_formula ( uint8_t hf_version , uint64_t base_reward )
2018-11-12 04:02:21 +01:00
{
2020-09-19 00:03:58 +02:00
return hf_version > = network_version_17 ? FOUNDATION_REWARD_HF17 :
2020-09-25 21:14:26 +02:00
hf_version > = network_version_16_pulse ? FOUNDATION_REWARD_HF15 + CHAINFLIP_LIQUIDITY_HF16 :
2021-02-12 05:19:30 +01:00
hf_version > = network_version_15_ons ? FOUNDATION_REWARD_HF15 :
2020-03-10 20:40:21 +01:00
base_reward / 20 ;
2018-11-12 04:02:21 +01:00
}
bool block_has_governance_output ( network_type nettype , cryptonote : : block const & block )
{
bool result = height_has_governance_output ( nettype , block . major_version , get_block_height ( block ) ) ;
return result ;
}
2020-03-10 20:40:21 +01:00
bool height_has_governance_output ( network_type nettype , uint8_t hard_fork_version , uint64_t height )
2018-11-12 04:02:21 +01:00
{
if ( height = = 0 )
return false ;
2022-04-29 01:51:14 +02:00
if ( hard_fork_version < = network_version_9_service_nodes | | hard_fork_version > = cryptonote : : network_version_19 )
2018-11-12 04:02:21 +01:00
return true ;
2022-04-29 01:51:14 +02:00
2020-07-21 22:40:17 +02:00
if ( height % cryptonote : : get_config ( nettype ) . GOVERNANCE_REWARD_INTERVAL_IN_BLOCKS ! = 0 )
2018-11-12 04:02:21 +01:00
{
return false ;
}
return true ;
}
2020-03-10 20:40:21 +01:00
uint64_t derive_governance_from_block_reward ( network_type nettype , const cryptonote : : block & block , uint8_t hf_version )
2018-11-12 04:02:21 +01:00
{
2020-03-10 20:40:21 +01:00
if ( hf_version > = 15 )
2022-04-29 01:51:14 +02:00
return governance_reward_formula ( hf_version ) ;
2020-03-10 20:40:21 +01:00
2018-11-12 04:02:21 +01:00
uint64_t result = 0 ;
uint64_t snode_reward = 0 ;
2020-03-10 20:40:21 +01:00
size_t vout_end = block . miner_tx . vout . size ( ) ;
2018-11-12 04:02:21 +01:00
if ( block_has_governance_output ( nettype , block ) )
- - vout_end ; // skip the governance output, the governance may be the batched amount. we want the original base reward
for ( size_t vout_index = 1 ; vout_index < vout_end ; + + vout_index )
{
tx_out const & output = block . miner_tx . vout [ vout_index ] ;
snode_reward + = output . amount ;
}
2020-03-10 20:40:21 +01:00
uint64_t base_reward = snode_reward * 2 ; // pre-HF15, SN reward = half of base reward
2022-04-29 01:51:14 +02:00
uint64_t governance = governance_reward_formula ( hf_version , base_reward ) ;
2018-11-12 04:02:21 +01:00
uint64_t block_reward = base_reward - governance ;
uint64_t actual_reward = 0 ; // sanity check
for ( tx_out const & output : block . miner_tx . vout ) actual_reward + = output . amount ;
CHECK_AND_ASSERT_MES ( block_reward < = actual_reward , false ,
" Rederiving the base block reward from the service node reward "
" exceeded the actual amount paid in the block, derived block reward: "
< < block_reward < < " , actual reward: " < < actual_reward ) ;
result = governance ;
return result ;
}
2020-03-10 20:40:21 +01:00
uint64_t service_node_reward_formula ( uint64_t base_reward , uint8_t hard_fork_version )
2018-11-12 04:02:21 +01:00
{
2020-03-10 20:40:21 +01:00
return
2021-02-12 05:19:30 +01:00
hard_fork_version > = network_version_15_ons ? SN_REWARD_HF15 :
2020-03-10 20:40:21 +01:00
hard_fork_version > = network_version_9_service_nodes ? base_reward / 2 : // 50% of base reward up until HF15's fixed payout
0 ;
2018-11-12 04:02:21 +01:00
}
uint64_t get_portion_of_reward ( uint64_t portions , uint64_t total_service_node_reward )
{
uint64_t hi , lo , rewardhi , rewardlo ;
lo = mul128 ( total_service_node_reward , portions , & hi ) ;
div128_64 ( hi , lo , STAKING_PORTIONS , & rewardhi , & rewardlo ) ;
return rewardlo ;
}
2020-09-25 07:09:30 +02:00
std : : vector < uint64_t > distribute_reward_by_portions ( const std : : vector < service_nodes : : payout_entry > & payout , uint64_t total_reward , bool distribute_remainder )
{
uint64_t paid_reward = 0 ;
std : : vector < uint64_t > result ;
result . reserve ( payout . size ( ) ) ;
for ( auto const & entry : payout )
{
uint64_t reward = get_portion_of_reward ( entry . portions , total_reward ) ;
paid_reward + = reward ;
result . push_back ( reward ) ;
}
if ( distribute_remainder & & payout . size ( ) )
{
uint64_t remainder = total_reward - paid_reward ;
result . front ( ) + = remainder ;
}
return result ;
}
2020-07-06 03:10:35 +02:00
static uint64_t calculate_sum_of_portions ( const std : : vector < service_nodes : : payout_entry > & payout , uint64_t total_service_node_reward )
2018-11-12 04:02:21 +01:00
{
uint64_t reward = 0 ;
2020-07-06 03:10:35 +02:00
for ( auto const & entry : payout )
reward + = get_portion_of_reward ( entry . portions , total_service_node_reward ) ;
2018-11-12 04:02:21 +01:00
return reward ;
}
2022-04-29 01:51:14 +02:00
std : : pair < bool , uint64_t > construct_miner_tx (
2018-07-18 08:51:26 +02:00
size_t height ,
2018-10-09 03:31:08 +02:00
size_t median_weight ,
2018-07-18 08:51:26 +02:00
uint64_t already_generated_coins ,
2018-10-09 03:31:08 +02:00
size_t current_block_weight ,
2018-07-18 08:51:26 +02:00
uint64_t fee ,
transaction & tx ,
2021-01-04 01:09:45 +01:00
const oxen_miner_tx_context & miner_tx_context ,
2022-04-29 01:51:14 +02:00
const std : : optional < std : : vector < cryptonote : : batch_sn_payment > > sn_rwds ,
2018-07-18 08:51:26 +02:00
const blobdata & extra_nonce ,
2020-06-25 09:46:31 +02:00
uint8_t hard_fork_version )
2018-07-18 08:51:26 +02:00
{
2017-01-26 16:07:23 +01:00
tx . vin . clear ( ) ;
tx . vout . clear ( ) ;
tx . extra . clear ( ) ;
2018-08-03 03:39:28 +02:00
tx . output_unlock_times . clear ( ) ;
2019-06-11 20:53:46 +02:00
tx . type = txtype : : standard ;
2019-11-29 04:36:43 +01:00
tx . version = transaction : : get_max_version_for_hf ( hard_fork_version ) ;
2018-11-12 04:02:21 +01:00
2020-12-09 03:31:54 +01:00
keypair const txkey { hw : : get_device ( " default " ) } ;
2020-06-26 09:09:41 +02:00
keypair const gov_key = get_deterministic_keypair_from_height ( height ) ; // NOTE: Always need since we use same key for service node
2017-01-26 16:07:23 +01:00
2022-04-29 01:51:14 +02:00
uint64_t block_rewards = 0 ;
2020-06-26 09:09:41 +02:00
// NOTE: TX Extra
2021-03-26 07:13:28 +01:00
add_tx_extra < tx_extra_pub_key > ( tx , txkey . pub ) ;
if ( ! extra_nonce . empty ( ) )
2018-03-12 00:24:08 +01:00
{
2021-03-26 07:13:28 +01:00
if ( ! add_extra_nonce_to_tx_extra ( tx . extra , extra_nonce ) )
2022-04-29 01:51:14 +02:00
return std : : make_pair ( false , block_rewards ) ;
2021-03-26 07:13:28 +01:00
}
2018-07-18 08:51:26 +02:00
2021-03-26 07:13:28 +01:00
// TODO(doyle): We don't need to do this. It's a deterministic key.
if ( already_generated_coins ! = 0 )
add_tx_extra < tx_extra_pub_key > ( tx , gov_key . pub ) ;
2017-01-26 16:07:23 +01:00
2021-03-26 07:13:28 +01:00
add_service_node_winner_to_tx_extra ( tx . extra , miner_tx_context . block_leader . key ) ;
2017-01-26 16:07:23 +01:00
2021-03-26 07:13:28 +01:00
oxen_block_reward_context block_reward_context = { } ;
block_reward_context . fee = fee ;
block_reward_context . height = height ;
block_reward_context . block_leader_payouts = miner_tx_context . block_leader . payouts ;
block_reward_context . batched_governance = miner_tx_context . batched_governance ;
block_reward_parts reward_parts { } ;
if ( ! get_oxen_block_reward ( median_weight , current_block_weight , already_generated_coins , hard_fork_version , reward_parts , block_reward_context ) )
{
LOG_PRINT_L0 ( " Failed to calculate block reward " ) ;
2022-04-29 01:51:14 +02:00
return std : : make_pair ( false , block_rewards ) ;
2017-01-26 16:07:23 +01:00
}
2022-04-29 01:51:14 +02:00
// NOTE: Batched Pulse Block Payment Details
2020-09-11 06:45:41 +02:00
//
2022-04-29 01:51:14 +02:00
// Each block accrues a small reward to each service node this amount
// is essentially 16.5 (Coinbase reward for Service Nodes) divided by
// the size of the service node list.
2020-09-11 06:45:41 +02:00
//
2022-04-29 01:51:14 +02:00
// The service node list is adjusted to only accrue for nodes
// that have been online for greater than 1 hour.
//
2020-09-11 06:45:41 +02:00
// By default, when Pulse round is 0, the Block Producer is the Block
2022-04-29 01:51:14 +02:00
// Leader. Transaction fees are given to the Block Leader.
// This is the common case, and the transaction fees incentivise the
// block producer to produce the block and not stall the network.
2020-09-11 06:45:41 +02:00
//
// On alternative rounds, transaction fees are given to the alternative
// block producer (which is now different from the Block Leader). The
2022-04-29 01:51:14 +02:00
// original block producer still accrues their share of the coinbase. A Pulse
2020-09-11 06:45:41 +02:00
// round's failure is determined by the non-participation of the members of
// the quorum, so failing a round's onus is not always on the original block
// producer (it could be the validators colluding) hence why they still
// receive the coinbase.
//
// Allocating the transaction fee to alternative block producers on
// alternative rounds dis-incentivizes members in the quorum from
// intentionally not participating in the quorum to try and attain a spot as
// the subsequent alternative leader and snag a reward. The reward they
// receive instead is just the transaction fee.
//
// Purposely not participating to exploit alternative round transaction fees
// is further dis-incentivized as it is recorded on their behaviour metrics
// (multiple non-participation marks over the monitoring period will induce
// a decommission) by members of the quorum.
2022-04-29 01:51:14 +02:00
std : : vector < reward_payout > rewards = { } ;
std : : vector < batch_sn_payment > batched_rewards = { } ;
const network_type nettype = miner_tx_context . nettype ;
2020-06-26 09:09:41 +02:00
2020-09-11 06:45:41 +02:00
if ( hard_fork_version > = cryptonote : : network_version_9_service_nodes )
2022-04-29 01:51:14 +02:00
CHECK_AND_ASSERT_MES ( miner_tx_context . block_leader . payouts . size ( ) , std : : make_pair ( false , block_rewards ) , " Constructing a block leader reward for block but no payout entries specified " ) ;
2020-09-11 06:45:41 +02:00
2020-07-03 09:29:52 +02:00
// NOTE: Add Block Producer Reward
2020-09-25 07:09:30 +02:00
service_nodes : : payout const & leader = miner_tx_context . block_leader ;
2020-07-03 09:29:52 +02:00
if ( miner_tx_context . pulse )
2017-01-26 16:07:23 +01:00
{
2022-04-29 01:51:14 +02:00
// PULSE BLOCKS
CHECK_AND_ASSERT_MES ( miner_tx_context . pulse_block_producer . payouts . size ( ) , std : : make_pair ( false , block_rewards ) , " Constructing a reward for block produced by pulse but no payout entries specified " ) ;
CHECK_AND_ASSERT_MES ( miner_tx_context . pulse_block_producer . key , std : : make_pair ( false , block_rewards ) , " Null Key given for Pulse Block Producer " ) ;
CHECK_AND_ASSERT_MES ( hard_fork_version > = cryptonote : : network_version_16_pulse , std : : make_pair ( false , block_rewards ) , " Pulse Block Producer is not valid until HF16, current HF " < < hard_fork_version ) ;
2017-01-26 16:07:23 +01:00
2020-09-25 07:09:30 +02:00
uint64_t leader_reward = reward_parts . service_node_total ;
2020-07-07 09:46:00 +02:00
if ( miner_tx_context . block_leader . key = = miner_tx_context . pulse_block_producer . key )
2018-07-18 08:51:26 +02:00
{
2020-09-25 03:49:52 +02:00
leader_reward + = reward_parts . miner_fee ;
2020-07-03 09:29:52 +02:00
}
2021-02-26 18:57:22 +01:00
else if ( reward_parts . miner_fee )
2020-07-03 09:29:52 +02:00
{
2021-02-26 18:57:22 +01:00
// Alternative Block Producer (receives just miner fee, if there is one)
2020-09-15 03:56:09 +02:00
service_nodes : : payout const & producer = miner_tx_context . pulse_block_producer ;
2020-09-25 07:09:30 +02:00
std : : vector < uint64_t > split_rewards = distribute_reward_by_portions ( producer . payouts , reward_parts . miner_fee , true /*distribute_remainder*/ ) ;
for ( size_t i = 0 ; i < producer . payouts . size ( ) ; i + + )
2022-04-29 01:51:14 +02:00
if ( hard_fork_version < cryptonote : : network_version_19 )
{
rewards . push_back ( { reward_type : : snode , producer . payouts [ i ] . address , split_rewards [ i ] } ) ;
} else {
batched_rewards . emplace_back ( producer . payouts [ i ] . address , split_rewards [ i ] , nettype ) ;
}
2020-09-11 06:45:41 +02:00
}
2017-01-26 16:07:23 +01:00
2020-09-25 07:09:30 +02:00
std : : vector < uint64_t > split_rewards = distribute_reward_by_portions ( leader . payouts , leader_reward , true /*distribute_remainder*/ ) ;
for ( size_t i = 0 ; i < leader . payouts . size ( ) ; i + + )
2022-04-29 01:51:14 +02:00
{
if ( hard_fork_version < cryptonote : : network_version_19 ) {
rewards . push_back ( { reward_type : : snode , leader . payouts [ i ] . address , split_rewards [ i ] } ) ;
} else {
batched_rewards . emplace_back ( leader . payouts [ i ] . address , split_rewards [ i ] , nettype ) ;
}
}
2018-06-29 06:47:00 +02:00
}
2020-06-26 09:09:41 +02:00
else
2018-06-29 06:47:00 +02:00
{
2022-04-29 01:51:14 +02:00
// MINED BLOCKS
CHECK_AND_ASSERT_MES ( miner_tx_context . pulse_block_producer . payouts . empty ( ) , std : : make_pair ( false , block_rewards ) , " Constructing a reward for block produced by miner but payout entries specified " ) ;
2020-09-14 08:48:53 +02:00
2020-09-25 03:49:52 +02:00
if ( uint64_t miner_amount = reward_parts . base_miner + reward_parts . miner_fee ; miner_amount )
2018-07-18 08:51:26 +02:00
{
2022-04-29 01:51:14 +02:00
if ( hard_fork_version < cryptonote : : network_version_19 ) {
rewards . push_back ( { reward_type : : miner , miner_tx_context . miner_block_producer , miner_amount } ) ;
} else {
batched_rewards . emplace_back ( miner_tx_context . miner_block_producer , miner_amount , nettype ) ;
}
}
if ( hard_fork_version > = cryptonote : : network_version_9_service_nodes ) {
2020-09-25 07:09:30 +02:00
std : : vector < uint64_t > split_rewards =
distribute_reward_by_portions ( leader . payouts ,
reward_parts . service_node_total ,
hard_fork_version > = cryptonote : : network_version_16_pulse /*distribute_remainder*/ ) ;
for ( size_t i = 0 ; i < leader . payouts . size ( ) ; i + + )
2022-04-29 01:51:14 +02:00
{
if ( hard_fork_version < cryptonote : : network_version_19 ) {
rewards . push_back ( { reward_type : : snode , leader . payouts [ i ] . address , split_rewards [ i ] } ) ;
} else {
batched_rewards . emplace_back ( leader . payouts [ i ] . address , split_rewards [ i ] , nettype ) ;
}
}
2018-07-18 08:51:26 +02:00
}
2017-01-26 16:07:23 +01:00
}
2020-06-26 09:09:41 +02:00
// NOTE: Add Governance Payout
2018-02-28 15:53:59 +01:00
if ( already_generated_coins ! = 0 )
{
2019-09-19 06:20:16 +02:00
if ( reward_parts . governance_paid = = 0 )
2018-03-12 00:24:08 +01:00
{
2022-04-29 01:51:14 +02:00
CHECK_AND_ASSERT_MES ( hard_fork_version > = network_version_10_bulletproofs , std : : make_pair ( false , block_rewards ) , " Governance reward can NOT be 0 before hardfork 10, hard_fork_version: " < < hard_fork_version ) ;
2018-03-12 00:24:08 +01:00
}
2018-11-12 04:02:21 +01:00
else
{
cryptonote : : address_parse_info governance_wallet_address ;
2020-07-21 22:40:17 +02:00
cryptonote : : get_account_address_from_str ( governance_wallet_address , nettype , cryptonote : : get_config ( nettype ) . governance_wallet_address ( hard_fork_version ) ) ;
2022-04-29 01:51:14 +02:00
// Governance reward paid out through SN rewards batching after HF19
if ( hard_fork_version < cryptonote : : network_version_19 ) {
rewards . push_back ( { reward_type : : governance , governance_wallet_address . address , reward_parts . governance_paid } ) ;
}
}
}
uint64_t total_sn_rewards = 0 ;
// Add SN rewards to the block
if ( sn_rwds )
{
for ( const auto & reward : * sn_rwds )
{
rewards . emplace_back ( reward_type : : snode , reward . address_info . address , reward . amount ) ;
total_sn_rewards + = reward . amount ;
2020-06-26 09:09:41 +02:00
}
}
2022-04-29 01:51:14 +02:00
if ( hard_fork_version < cryptonote : : network_version_19 )
{
CHECK_AND_ASSERT_MES ( rewards . size ( ) < = 9 , std : : make_pair ( false , block_rewards ) , " More rewards specified than supported, number of rewards: " < < rewards . size ( ) < < " , capacity: " < < rewards . size ( ) ) ;
CHECK_AND_ASSERT_MES ( rewards . size ( ) > 0 , std : : make_pair ( false , block_rewards ) , " Zero rewards are to be payed out, there should be at least 1 " ) ;
}
2018-04-09 01:32:12 +02:00
2020-06-26 09:09:41 +02:00
// NOTE: Make TX Outputs
uint64_t summary_amounts = 0 ;
2022-04-29 01:51:14 +02:00
for ( auto it = rewards . begin ( ) ; it ! = rewards . end ( ) ; + + it ) {
auto const & [ type , address , amount ] = * it ;
2020-09-15 03:56:09 +02:00
assert ( amount > 0 ) ;
2020-06-26 09:09:41 +02:00
crypto : : public_key out_eph_public_key { } ;
2018-02-28 15:53:59 +01:00
2020-07-06 07:52:51 +02:00
// TODO(doyle): I don't think txkey is necessary, just use the governance key?
2020-08-06 09:21:00 +02:00
keypair const & derivation_pair = ( type = = reward_type : : miner ) ? txkey : gov_key ;
2020-07-06 07:52:51 +02:00
crypto : : key_derivation derivation { } ;
2022-04-29 01:51:14 +02:00
2018-02-28 15:53:59 +01:00
2022-04-29 01:51:14 +02:00
if ( ! get_deterministic_output_key ( address , derivation_pair , it - rewards . begin ( ) , out_eph_public_key ) )
2020-07-06 07:52:51 +02:00
{
MERROR ( " Failed to generate output one-time public key " ) ;
2022-04-29 01:51:14 +02:00
return std : : make_pair ( false , block_rewards ) ;
2018-11-12 04:02:21 +01:00
}
2020-06-26 09:09:41 +02:00
txout_to_key tk = { } ;
tk . key = out_eph_public_key ;
tx_out out = { } ;
out . target = tk ;
2020-08-06 09:21:00 +02:00
out . amount = amount ;
2020-06-26 09:09:41 +02:00
tx . vout . push_back ( out ) ;
tx . output_unlock_times . push_back ( height + CRYPTONOTE_MINED_MONEY_UNLOCK_WINDOW ) ;
2020-08-06 09:21:00 +02:00
summary_amounts + = amount ;
2018-02-28 15:53:59 +01:00
}
2020-10-09 00:55:47 +02:00
uint64_t expected_amount = 0 ;
2021-02-12 05:19:30 +01:00
if ( hard_fork_version < = cryptonote : : network_version_15_ons )
2020-10-09 00:55:47 +02:00
{
// NOTE: Use the amount actually paid out when we split the service node
// reward (across up to 4 recipients) which may actually pay out less than
// the total reward allocated for Service Nodes (due to remainder from
// division). This occurred prior to HF15, after that we redistribute dust
// properly.
expected_amount = reward_parts . base_miner + reward_parts . miner_fee + reward_parts . governance_paid ;
2022-04-29 01:51:14 +02:00
for ( auto reward : rewards )
2020-10-09 00:55:47 +02:00
{
2022-04-29 01:51:14 +02:00
[[maybe_unused]] auto const & [ type , address , amount ] = reward ;
2020-10-09 00:55:47 +02:00
if ( type = = reward_type : : snode ) expected_amount + = amount ;
}
}
else
{
2022-04-29 01:51:14 +02:00
expected_amount = 0 ;
if ( hard_fork_version < cryptonote : : network_version_19 )
expected_amount = expected_amount + reward_parts . base_miner + reward_parts . miner_fee + reward_parts . service_node_total + reward_parts . governance_paid ;
else
expected_amount = expected_amount + total_sn_rewards ;
2020-10-09 00:55:47 +02:00
}
2022-04-29 01:51:14 +02:00
CHECK_AND_ASSERT_MES ( summary_amounts = = expected_amount , std : : make_pair ( false , block_rewards ) , " Failed to construct miner tx, summary_amounts = " < < summary_amounts < < " not equal total block_reward = " < < expected_amount ) ;
CHECK_AND_ASSERT_MES ( tx . vout . size ( ) = = rewards . size ( ) , std : : make_pair ( false , block_rewards ) , " TX output mis-match with rewards expected: " < < rewards . size ( ) < < " , tx outputs: " < < tx . vout . size ( ) ) ;
block_rewards = std : : accumulate ( batched_rewards . begin ( ) , batched_rewards . end ( ) , uint64_t ( 0 ) , [ ] ( uint64_t const x , cryptonote : : batch_sn_payment const y ) { return x + y . amount ; } ) ;
2017-01-26 16:07:23 +01:00
//lock
tx . unlock_time = height + CRYPTONOTE_MINED_MONEY_UNLOCK_WINDOW ;
2020-06-26 09:09:41 +02:00
tx . vin . push_back ( txin_gen { height } ) ;
2017-03-25 10:18:53 +01:00
tx . invalidate_hashes ( ) ;
2017-03-22 19:01:09 +01:00
2017-01-26 16:07:23 +01:00
//LOG_PRINT("MINER_TX generated ok, block_reward=" << print_money(block_reward) << "(" << print_money(block_reward - fee) << "+" << print_money(fee)
// << "), current_block_size=" << current_block_size << ", already_generated_coins=" << already_generated_coins << ", tx_id=" << get_transaction_hash(tx), LOG_LEVEL_2);
2022-04-29 01:51:14 +02:00
return std : : make_pair ( true , block_rewards ) ;
2017-01-26 16:07:23 +01:00
}
2018-11-12 04:02:21 +01:00
2021-01-04 01:09:45 +01:00
bool get_oxen_block_reward ( size_t median_weight , size_t current_block_weight , uint64_t already_generated_coins , int hard_fork_version , block_reward_parts & result , const oxen_block_reward_context & oxen_context )
2018-11-12 04:02:21 +01:00
{
result = { } ;
2019-09-19 04:20:33 +02:00
uint64_t base_reward , base_reward_unpenalized ;
2021-01-04 01:09:45 +01:00
if ( ! get_base_block_reward ( median_weight , current_block_weight , already_generated_coins , base_reward , base_reward_unpenalized , hard_fork_version , oxen_context . height ) )
2018-11-12 04:02:21 +01:00
{
MERROR ( " Failed to calculate base block reward " ) ;
return false ;
}
if ( base_reward = = 0 )
{
MERROR ( " Unexpected base reward of 0 " ) ;
return false ;
}
if ( already_generated_coins = = 0 )
{
2019-09-19 06:20:16 +02:00
result . original_base_reward = result . base_miner = base_reward ;
2018-11-12 04:02:21 +01:00
return true ;
}
2019-09-19 06:20:16 +02:00
// We base governance fees and SN rewards based on the block reward formula. (Prior to HF13,
// however, they were accidentally based on the block reward formula *after* subtracting a
2020-09-23 04:48:46 +02:00
// potential penalty if the block producer includes txes beyond the median size limit).
2020-09-25 07:09:30 +02:00
result . original_base_reward = hard_fork_version > = network_version_13_enforce_checkpoints ? base_reward_unpenalized : base_reward ;
2019-09-19 06:20:16 +02:00
// There is a goverance fee due every block. Beginning in hardfork 10 this is still subtracted
// from the block reward as if it was paid, but the actual payments get batched into rare, large
// accumulated payments. (Before hardfork 10 they are included in every block, unbatched).
2022-04-29 01:51:14 +02:00
result . governance_due = governance_reward_formula ( hard_fork_version , result . original_base_reward ) ;
2019-09-19 06:20:16 +02:00
result . governance_paid = hard_fork_version > = network_version_10_bulletproofs
2021-01-04 01:09:45 +01:00
? oxen_context . batched_governance
2019-09-19 06:20:16 +02:00
: result . governance_due ;
2020-09-25 07:09:30 +02:00
uint64_t const service_node_reward = service_node_reward_formula ( result . original_base_reward , hard_fork_version ) ;
if ( hard_fork_version < cryptonote : : network_version_16_pulse )
2020-09-22 06:26:53 +02:00
{
2021-01-04 01:09:45 +01:00
result . service_node_total = calculate_sum_of_portions ( oxen_context . block_leader_payouts , service_node_reward ) ;
2020-09-25 07:09:30 +02:00
// The base_miner amount is everything left in the base reward after subtracting off the service
// node and governance fee amounts (the due amount in the latter case). (Any penalty for
// exceeding the block limit is already removed from base_reward).
uint64_t non_miner_amounts = result . governance_due + result . service_node_total ;
result . base_miner = base_reward > non_miner_amounts ? base_reward - non_miner_amounts : 0 ;
2021-01-04 01:09:45 +01:00
result . miner_fee = oxen_context . fee ;
2020-09-25 07:09:30 +02:00
}
else
{
result . service_node_total = service_node_reward ;
2021-01-04 01:09:45 +01:00
if ( oxen_context . testnet_override )
2020-09-25 07:09:30 +02:00
{
2021-01-04 01:09:45 +01:00
result . miner_fee = oxen_context . fee ;
2020-09-25 07:09:30 +02:00
}
else
{
uint64_t const penalty = base_reward_unpenalized - base_reward ;
2021-01-04 01:09:45 +01:00
result . miner_fee = penalty > = oxen_context . fee ? 0 : oxen_context . fee - penalty ;
2020-09-25 07:09:30 +02:00
}
2020-09-23 04:48:46 +02:00
// In HF16, the block producer changes between the Miner and Service Node
// depending on the state of the Service Node network. The producer is no
// longer allocated a block reward (unless they are a Service Node) but
// always receive the transaction fees. Any penalty for exceeding the
// block limit must now be paid from the common reward received by all
// Block Producer's (i.e. their transaction fees for constructing the
// block).
2020-09-25 07:09:30 +02:00
uint64_t allocated = result . governance_due + result . service_node_total ;
2020-09-25 10:14:17 +02:00
uint64_t remainder = base_reward_unpenalized - allocated ;
if ( allocated > base_reward_unpenalized | | remainder ! = 0 )
2020-09-22 06:26:53 +02:00
{
2020-09-25 10:14:17 +02:00
if ( allocated > base_reward_unpenalized )
MERROR ( " We allocated more reward " < < cryptonote : : print_money ( allocated ) < < " than what was available " < < cryptonote : : print_money ( base_reward_unpenalized ) ) ;
2020-09-25 07:09:30 +02:00
else
2021-01-04 01:09:45 +01:00
MERROR ( " We allocated reward but there was still " < < cryptonote : : print_money ( remainder ) < < " oxen left to distribute. " ) ;
2020-09-22 06:26:53 +02:00
return false ;
}
}
2018-11-12 04:02:21 +01:00
return true ;
}
2021-02-08 06:31:05 +01:00
2020-06-02 00:30:19 +02:00
crypto : : public_key get_destination_view_key_pub ( const std : : vector < tx_destination_entry > & destinations , const std : : optional < cryptonote : : tx_destination_entry > & change_addr )
2017-01-26 16:07:23 +01:00
{
2018-01-22 02:16:25 +01:00
account_public_address addr = { null_pkey , null_pkey } ;
size_t count = 0 ;
2018-08-05 05:08:51 +02:00
bool found_change = false ;
2018-01-22 02:16:25 +01:00
for ( const auto & i : destinations )
2017-01-26 16:07:23 +01:00
{
2018-01-22 02:16:25 +01:00
if ( i . amount = = 0 )
2017-01-26 16:07:23 +01:00
continue ;
2018-08-05 05:08:51 +02:00
if ( change_addr & & * change_addr = = i & & ! found_change )
{
found_change = true ;
2017-01-26 16:07:23 +01:00
continue ;
2018-08-05 05:08:51 +02:00
}
2018-01-22 02:16:25 +01:00
if ( i . addr = = addr )
continue ;
if ( count > 0 )
2017-01-26 16:07:23 +01:00
return null_pkey ;
2018-01-22 02:16:25 +01:00
addr = i . addr ;
+ + count ;
2017-01-26 16:07:23 +01:00
}
2018-03-03 00:27:57 +01:00
if ( count = = 0 & & change_addr )
2018-08-05 05:08:51 +02:00
return change_addr - > addr . m_view_public_key ;
2018-01-22 02:16:25 +01:00
return addr . m_view_public_key ;
2017-01-26 16:07:23 +01:00
}
//---------------------------------------------------------------
2021-01-04 01:09:45 +01:00
bool construct_tx_with_tx_key ( const account_keys & sender_account_keys , const std : : unordered_map < crypto : : public_key , subaddress_index > & subaddresses , std : : vector < tx_source_entry > & sources , std : : vector < tx_destination_entry > & destinations , const std : : optional < tx_destination_entry > & change_addr , const std : : vector < uint8_t > & extra , transaction & tx , uint64_t unlock_time , const crypto : : secret_key & tx_key , const std : : vector < crypto : : secret_key > & additional_tx_keys , const rct : : RCTConfig & rct_config , rct : : multisig_out * msout , bool shuffle_outs , oxen_construct_tx_params const & tx_params )
2017-01-26 16:07:23 +01:00
{
2018-02-20 17:01:27 +01:00
hw : : device & hwdev = sender_account_keys . get_device ( ) ;
2017-12-12 12:08:11 +01:00
if ( sources . empty ( ) )
{
LOG_ERROR ( " Empty sources " ) ;
return false ;
}
2017-01-26 16:07:23 +01:00
std : : vector < rct : : key > amount_keys ;
tx . set_null ( ) ;
amount_keys . clear ( ) ;
Add N/N multisig tx generation and signing
Scheme by luigi1111:
Multisig for RingCT on Monero
2 of 2
User A (coordinator):
Spendkey b,B
Viewkey a,A (shared)
User B:
Spendkey c,C
Viewkey a,A (shared)
Public Address: C+B, A
Both have their own watch only wallet via C+B, a
A will coordinate spending process (though B could easily as well, coordinator is more needed for more participants)
A and B watch for incoming outputs
B creates "half" key images for discovered output D:
I2_D = (Hs(aR)+c) * Hp(D)
B also creates 1.5 random keypairs (one scalar and 2 pubkeys; one on base G and one on base Hp(D)) for each output, storing the scalar(k) (linked to D),
and sending the pubkeys with I2_D.
A also creates "half" key images:
I1_D = (Hs(aR)+b) * Hp(D)
Then I_D = I1_D + I2_D
Having I_D allows A to check spent status of course, but more importantly allows A to actually build a transaction prefix (and thus transaction).
A builds the transaction until most of the way through MLSAG_Gen, adding the 2 pubkeys (per input) provided with I2_D
to his own generated ones where they are needed (secret row L, R).
At this point, A has a mostly completed transaction (but with an invalid/incomplete signature). A sends over the tx and includes r,
which allows B (with the recipient's address) to verify the destination and amount (by reconstructing the stealth address and decoding ecdhInfo).
B then finishes the signature by computing ss[secret_index][0] = ss[secret_index][0] + k - cc[secret_index]*c (secret indices need to be passed as well).
B can then broadcast the tx, or send it back to A for broadcasting. Once B has completed the signing (and verified the tx to be valid), he can add the full I_D
to his cache, allowing him to verify spent status as well.
NOTE:
A and B *must* present key A and B to each other with a valid signature proving they know a and b respectively.
Otherwise, trickery like the following becomes possible:
A creates viewkey a,A, spendkey b,B, and sends a,A,B to B.
B creates a fake key C = zG - B. B sends C back to A.
The combined spendkey C+B then equals zG, allowing B to spend funds at any time!
The signature fixes this, because B does not know a c corresponding to C (and thus can't produce a signature).
2 of 3
User A (coordinator)
Shared viewkey a,A
"spendkey" j,J
User B
"spendkey" k,K
User C
"spendkey" m,M
A collects K and M from B and C
B collects J and M from A and C
C collects J and K from A and B
A computes N = nG, n = Hs(jK)
A computes O = oG, o = Hs(jM)
B anc C compute P = pG, p = Hs(kM) || Hs(mK)
B and C can also compute N and O respectively if they wish to be able to coordinate
Address: N+O+P, A
The rest follows as above. The coordinator possesses 2 of 3 needed keys; he can get the other
needed part of the signature/key images from either of the other two.
Alternatively, if secure communication exists between parties:
A gives j to B
B gives k to C
C gives m to A
Address: J+K+M, A
3 of 3
Identical to 2 of 2, except the coordinator must collect the key images from both of the others.
The transaction must also be passed an additional hop: A -> B -> C (or A -> C -> B), who can then broadcast it
or send it back to A.
N-1 of N
Generally the same as 2 of 3, except participants need to be arranged in a ring to pass their keys around
(using either the secure or insecure method).
For example (ignoring viewkey so letters line up):
[4 of 5]
User: spendkey
A: a
B: b
C: c
D: d
E: e
a -> B, b -> C, c -> D, d -> E, e -> A
Order of signing does not matter, it just must reach n-1 users. A "remaining keys" list must be passed around with
the transaction so the signers know if they should use 1 or both keys.
Collecting key image parts becomes a little messy, but basically every wallet sends over both of their parts with a tag for each.
Thia way the coordinating wallet can keep track of which images have been added and which wallet they come from. Reasoning:
1. The key images must be added only once (coordinator will get key images for key a from both A and B, he must add only one to get the proper key actual key image)
2. The coordinator must keep track of which helper pubkeys came from which wallet (discussed in 2 of 2 section). The coordinator
must choose only one set to use, then include his choice in the "remaining keys" list so the other wallets know which of their keys to use.
You can generalize it further to N-2 of N or even M of N, but I'm not sure there's legitimate demand to justify the complexity. It might
also be straightforward enough to support with minimal changes from N-1 format.
You basically just give each user additional keys for each additional "-1" you desire. N-2 would be 3 keys per user, N-3 4 keys, etc.
The process is somewhat cumbersome:
To create a N/N multisig wallet:
- each participant creates a normal wallet
- each participant runs "prepare_multisig", and sends the resulting string to every other participant
- each participant runs "make_multisig N A B C D...", with N being the threshold and A B C D... being the strings received from other participants (the threshold must currently equal N)
As txes are received, participants' wallets will need to synchronize so that those new outputs may be spent:
- each participant runs "export_multisig FILENAME", and sends the FILENAME file to every other participant
- each participant runs "import_multisig A B C D...", with A B C D... being the filenames received from other participants
Then, a transaction may be initiated:
- one of the participants runs "transfer ADDRESS AMOUNT"
- this partly signed transaction will be written to the "multisig_monero_tx" file
- the initiator sends this file to another participant
- that other participant runs "sign_multisig multisig_monero_tx"
- the resulting transaction is written to the "multisig_monero_tx" file again
- if the threshold was not reached, the file must be sent to another participant, until enough have signed
- the last participant to sign runs "submit_multisig multisig_monero_tx" to relay the transaction to the Monero network
2017-06-03 23:34:26 +02:00
if ( msout )
{
msout - > c . clear ( ) ;
}
2017-01-26 16:07:23 +01:00
2019-11-29 04:36:43 +01:00
tx . version = transaction : : get_max_version_for_hf ( tx_params . hf_version ) ;
2020-11-23 23:25:01 +01:00
CHECK_AND_ASSERT_MES ( tx . version > = txversion : : v4_tx_types , false , " Cannot construct pre-v4 transactions " ) ;
CHECK_AND_ASSERT_MES ( rct_config . range_proof_type = = rct : : RangeProofType : : PaddedBulletproof & &
( rct_config . bp_version = = 0 | | rct_config . bp_version > = 3 ) ,
false , " Cannot construct pre-CLSAG transactions " ) ;
tx . type = tx_params . tx_type ;
2017-01-26 16:07:23 +01:00
2019-11-27 23:21:24 +01:00
if ( tx_params . burn_percent )
{
LOG_ERROR ( " cannot construct tx: internal error: burn percent must be converted to fixed burn amount in the wallet " ) ;
return false ;
}
2019-01-25 04:15:52 +01:00
2017-01-26 16:07:23 +01:00
tx . extra = extra ;
Add N/N multisig tx generation and signing
Scheme by luigi1111:
Multisig for RingCT on Monero
2 of 2
User A (coordinator):
Spendkey b,B
Viewkey a,A (shared)
User B:
Spendkey c,C
Viewkey a,A (shared)
Public Address: C+B, A
Both have their own watch only wallet via C+B, a
A will coordinate spending process (though B could easily as well, coordinator is more needed for more participants)
A and B watch for incoming outputs
B creates "half" key images for discovered output D:
I2_D = (Hs(aR)+c) * Hp(D)
B also creates 1.5 random keypairs (one scalar and 2 pubkeys; one on base G and one on base Hp(D)) for each output, storing the scalar(k) (linked to D),
and sending the pubkeys with I2_D.
A also creates "half" key images:
I1_D = (Hs(aR)+b) * Hp(D)
Then I_D = I1_D + I2_D
Having I_D allows A to check spent status of course, but more importantly allows A to actually build a transaction prefix (and thus transaction).
A builds the transaction until most of the way through MLSAG_Gen, adding the 2 pubkeys (per input) provided with I2_D
to his own generated ones where they are needed (secret row L, R).
At this point, A has a mostly completed transaction (but with an invalid/incomplete signature). A sends over the tx and includes r,
which allows B (with the recipient's address) to verify the destination and amount (by reconstructing the stealth address and decoding ecdhInfo).
B then finishes the signature by computing ss[secret_index][0] = ss[secret_index][0] + k - cc[secret_index]*c (secret indices need to be passed as well).
B can then broadcast the tx, or send it back to A for broadcasting. Once B has completed the signing (and verified the tx to be valid), he can add the full I_D
to his cache, allowing him to verify spent status as well.
NOTE:
A and B *must* present key A and B to each other with a valid signature proving they know a and b respectively.
Otherwise, trickery like the following becomes possible:
A creates viewkey a,A, spendkey b,B, and sends a,A,B to B.
B creates a fake key C = zG - B. B sends C back to A.
The combined spendkey C+B then equals zG, allowing B to spend funds at any time!
The signature fixes this, because B does not know a c corresponding to C (and thus can't produce a signature).
2 of 3
User A (coordinator)
Shared viewkey a,A
"spendkey" j,J
User B
"spendkey" k,K
User C
"spendkey" m,M
A collects K and M from B and C
B collects J and M from A and C
C collects J and K from A and B
A computes N = nG, n = Hs(jK)
A computes O = oG, o = Hs(jM)
B anc C compute P = pG, p = Hs(kM) || Hs(mK)
B and C can also compute N and O respectively if they wish to be able to coordinate
Address: N+O+P, A
The rest follows as above. The coordinator possesses 2 of 3 needed keys; he can get the other
needed part of the signature/key images from either of the other two.
Alternatively, if secure communication exists between parties:
A gives j to B
B gives k to C
C gives m to A
Address: J+K+M, A
3 of 3
Identical to 2 of 2, except the coordinator must collect the key images from both of the others.
The transaction must also be passed an additional hop: A -> B -> C (or A -> C -> B), who can then broadcast it
or send it back to A.
N-1 of N
Generally the same as 2 of 3, except participants need to be arranged in a ring to pass their keys around
(using either the secure or insecure method).
For example (ignoring viewkey so letters line up):
[4 of 5]
User: spendkey
A: a
B: b
C: c
D: d
E: e
a -> B, b -> C, c -> D, d -> E, e -> A
Order of signing does not matter, it just must reach n-1 users. A "remaining keys" list must be passed around with
the transaction so the signers know if they should use 1 or both keys.
Collecting key image parts becomes a little messy, but basically every wallet sends over both of their parts with a tag for each.
Thia way the coordinating wallet can keep track of which images have been added and which wallet they come from. Reasoning:
1. The key images must be added only once (coordinator will get key images for key a from both A and B, he must add only one to get the proper key actual key image)
2. The coordinator must keep track of which helper pubkeys came from which wallet (discussed in 2 of 2 section). The coordinator
must choose only one set to use, then include his choice in the "remaining keys" list so the other wallets know which of their keys to use.
You can generalize it further to N-2 of N or even M of N, but I'm not sure there's legitimate demand to justify the complexity. It might
also be straightforward enough to support with minimal changes from N-1 format.
You basically just give each user additional keys for each additional "-1" you desire. N-2 would be 3 keys per user, N-3 4 keys, etc.
The process is somewhat cumbersome:
To create a N/N multisig wallet:
- each participant creates a normal wallet
- each participant runs "prepare_multisig", and sends the resulting string to every other participant
- each participant runs "make_multisig N A B C D...", with N being the threshold and A B C D... being the strings received from other participants (the threshold must currently equal N)
As txes are received, participants' wallets will need to synchronize so that those new outputs may be spent:
- each participant runs "export_multisig FILENAME", and sends the FILENAME file to every other participant
- each participant runs "import_multisig A B C D...", with A B C D... being the filenames received from other participants
Then, a transaction may be initiated:
- one of the participants runs "transfer ADDRESS AMOUNT"
- this partly signed transaction will be written to the "multisig_monero_tx" file
- the initiator sends this file to another participant
- that other participant runs "sign_multisig multisig_monero_tx"
- the resulting transaction is written to the "multisig_monero_tx" file again
- if the threshold was not reached, the file must be sent to another participant, until enough have signed
- the last participant to sign runs "submit_multisig multisig_monero_tx" to relay the transaction to the Monero network
2017-06-03 23:34:26 +02:00
crypto : : public_key txkey_pub ;
2017-01-26 16:07:23 +01:00
2020-12-04 16:56:46 +01:00
if ( tx . type = = txtype : : stake ) {
2020-12-14 16:47:46 +01:00
crypto : : secret_key tx_sk { tx_key } ;
bool added = hwdev . update_staking_tx_secret_key ( tx_sk ) ;
2020-12-04 16:56:46 +01:00
CHECK_AND_NO_ASSERT_MES ( added , false , " Failed to add tx secret key to stake transaction " ) ;
2020-12-14 16:47:46 +01:00
cryptonote : : add_tx_secret_key_to_tx_extra ( tx . extra , tx_sk ) ;
2020-12-04 16:56:46 +01:00
}
2019-01-25 04:15:52 +01:00
2017-01-26 16:07:23 +01:00
// if we have a stealth payment id, find it and encrypt it with the tx key now
std : : vector < tx_extra_field > tx_extra_fields ;
if ( parse_tx_extra ( tx . extra , tx_extra_fields ) )
{
2019-06-25 02:01:34 +02:00
bool add_dummy_payment_id = true ;
2019-01-30 01:24:59 +01:00
2017-01-26 16:07:23 +01:00
tx_extra_nonce extra_nonce ;
if ( find_tx_extra_field_by_type ( tx_extra_fields , extra_nonce ) )
{
2018-12-23 15:32:40 +01:00
crypto : : hash payment_id = null_hash ;
crypto : : hash8 payment_id8 = null_hash8 ;
if ( get_encrypted_payment_id_from_tx_extra_nonce ( extra_nonce . nonce , payment_id8 ) )
2017-01-26 16:07:23 +01:00
{
2018-12-23 15:32:40 +01:00
LOG_PRINT_L2 ( " Encrypting payment id " < < payment_id8 ) ;
2018-01-22 02:16:25 +01:00
crypto : : public_key view_key_pub = get_destination_view_key_pub ( destinations , change_addr ) ;
2017-01-26 16:07:23 +01:00
if ( view_key_pub = = null_pkey )
{
LOG_ERROR ( " Destinations have to have exactly one output to support encrypted payment ids " ) ;
return false ;
}
2018-12-23 15:32:40 +01:00
if ( ! hwdev . encrypt_payment_id ( payment_id8 , view_key_pub , tx_key ) )
2017-01-26 16:07:23 +01:00
{
LOG_ERROR ( " Failed to encrypt payment id " ) ;
return false ;
}
std : : string extra_nonce ;
2018-12-23 15:32:40 +01:00
set_encrypted_payment_id_to_tx_extra_nonce ( extra_nonce , payment_id8 ) ;
2020-06-02 05:47:20 +02:00
remove_field_from_tx_extra < tx_extra_nonce > ( tx . extra ) ;
2017-01-26 16:07:23 +01:00
if ( ! add_extra_nonce_to_tx_extra ( tx . extra , extra_nonce ) )
{
LOG_ERROR ( " Failed to add encrypted payment id to tx extra " ) ;
return false ;
}
2018-12-23 15:32:40 +01:00
LOG_PRINT_L1 ( " Encrypted payment ID: " < < payment_id8 ) ;
add_dummy_payment_id = false ;
}
else if ( get_payment_id_from_tx_extra_nonce ( extra_nonce . nonce , payment_id ) )
{
add_dummy_payment_id = false ;
}
}
// we don't add one if we've got more than the usual 1 destination plus change
if ( destinations . size ( ) > 2 )
add_dummy_payment_id = false ;
if ( add_dummy_payment_id )
{
// if we have neither long nor short payment id, add a dummy short one,
// this should end up being the vast majority of txes as time goes on
std : : string extra_nonce ;
crypto : : hash8 payment_id8 = null_hash8 ;
crypto : : public_key view_key_pub = get_destination_view_key_pub ( destinations , change_addr ) ;
if ( view_key_pub = = null_pkey )
{
LOG_ERROR ( " Failed to get key to encrypt dummy payment id with " ) ;
}
else
{
hwdev . encrypt_payment_id ( payment_id8 , view_key_pub , tx_key ) ;
set_encrypted_payment_id_to_tx_extra_nonce ( extra_nonce , payment_id8 ) ;
if ( ! add_extra_nonce_to_tx_extra ( tx . extra , extra_nonce ) )
{
LOG_ERROR ( " Failed to add dummy encrypted payment id to tx extra " ) ;
// continue anyway
}
2017-01-26 16:07:23 +01:00
}
}
}
else
{
2018-12-23 12:33:05 +01:00
MWARNING ( " Failed to parse tx extra " ) ;
tx_extra_fields . clear ( ) ;
2017-01-26 16:07:23 +01:00
}
struct input_generation_context_data
{
keypair in_ephemeral ;
} ;
std : : vector < input_generation_context_data > in_contexts ;
uint64_t summary_inputs_money = 0 ;
//fill inputs
int idx = - 1 ;
for ( const tx_source_entry & src_entr : sources )
{
+ + idx ;
if ( src_entr . real_output > = src_entr . outputs . size ( ) )
{
LOG_ERROR ( " real_output index ( " < < src_entr . real_output < < " )bigger than output_keys.size()= " < < src_entr . outputs . size ( ) ) ;
return false ;
}
summary_inputs_money + = src_entr . amount ;
//key_derivation recv_derivation;
in_contexts . push_back ( input_generation_context_data ( ) ) ;
keypair & in_ephemeral = in_contexts . back ( ) . in_ephemeral ;
crypto : : key_image img ;
2017-10-21 13:14:31 +02:00
const auto & out_key = reinterpret_cast < const crypto : : public_key & > ( src_entr . outputs [ src_entr . real_output ] . second . dest ) ;
2018-02-20 17:01:27 +01:00
if ( ! generate_key_image_helper ( sender_account_keys , subaddresses , out_key , src_entr . real_out_tx_key , src_entr . real_out_additional_tx_keys , src_entr . real_output_in_tx_index , in_ephemeral , img , hwdev ) )
2017-02-19 03:42:10 +01:00
{
LOG_ERROR ( " Key image generation failed! " ) ;
2017-01-26 16:07:23 +01:00
return false ;
2017-02-19 03:42:10 +01:00
}
2017-01-26 16:07:23 +01:00
2017-10-21 13:14:31 +02:00
//check that derivated key is equal with real output key (if non multisig)
if ( ! msout & & ! ( in_ephemeral . pub = = src_entr . outputs [ src_entr . real_output ] . second . dest ) )
2017-01-26 16:07:23 +01:00
{
2020-04-03 18:30:11 +02:00
LOG_ERROR ( " derived public key mismatch with output public key at index " < < idx < < " , real out " < < src_entr . real_output < < " ! \n derived_key: "
2020-10-23 22:32:28 +02:00
< < tools : : type_to_hex ( in_ephemeral . pub ) < < " \n real output_public_key: "
< < tools : : type_to_hex ( src_entr . outputs [ src_entr . real_output ] . second . dest ) ) ;
2017-01-26 16:07:23 +01:00
LOG_ERROR ( " amount " < < src_entr . amount < < " , rct " < < src_entr . rct ) ;
LOG_ERROR ( " tx pubkey " < < src_entr . real_out_tx_key < < " , real_output_in_tx_index " < < src_entr . real_output_in_tx_index ) ;
return false ;
}
//put key image into tx input
txin_to_key input_to_key ;
input_to_key . amount = src_entr . amount ;
Add N/N multisig tx generation and signing
Scheme by luigi1111:
Multisig for RingCT on Monero
2 of 2
User A (coordinator):
Spendkey b,B
Viewkey a,A (shared)
User B:
Spendkey c,C
Viewkey a,A (shared)
Public Address: C+B, A
Both have their own watch only wallet via C+B, a
A will coordinate spending process (though B could easily as well, coordinator is more needed for more participants)
A and B watch for incoming outputs
B creates "half" key images for discovered output D:
I2_D = (Hs(aR)+c) * Hp(D)
B also creates 1.5 random keypairs (one scalar and 2 pubkeys; one on base G and one on base Hp(D)) for each output, storing the scalar(k) (linked to D),
and sending the pubkeys with I2_D.
A also creates "half" key images:
I1_D = (Hs(aR)+b) * Hp(D)
Then I_D = I1_D + I2_D
Having I_D allows A to check spent status of course, but more importantly allows A to actually build a transaction prefix (and thus transaction).
A builds the transaction until most of the way through MLSAG_Gen, adding the 2 pubkeys (per input) provided with I2_D
to his own generated ones where they are needed (secret row L, R).
At this point, A has a mostly completed transaction (but with an invalid/incomplete signature). A sends over the tx and includes r,
which allows B (with the recipient's address) to verify the destination and amount (by reconstructing the stealth address and decoding ecdhInfo).
B then finishes the signature by computing ss[secret_index][0] = ss[secret_index][0] + k - cc[secret_index]*c (secret indices need to be passed as well).
B can then broadcast the tx, or send it back to A for broadcasting. Once B has completed the signing (and verified the tx to be valid), he can add the full I_D
to his cache, allowing him to verify spent status as well.
NOTE:
A and B *must* present key A and B to each other with a valid signature proving they know a and b respectively.
Otherwise, trickery like the following becomes possible:
A creates viewkey a,A, spendkey b,B, and sends a,A,B to B.
B creates a fake key C = zG - B. B sends C back to A.
The combined spendkey C+B then equals zG, allowing B to spend funds at any time!
The signature fixes this, because B does not know a c corresponding to C (and thus can't produce a signature).
2 of 3
User A (coordinator)
Shared viewkey a,A
"spendkey" j,J
User B
"spendkey" k,K
User C
"spendkey" m,M
A collects K and M from B and C
B collects J and M from A and C
C collects J and K from A and B
A computes N = nG, n = Hs(jK)
A computes O = oG, o = Hs(jM)
B anc C compute P = pG, p = Hs(kM) || Hs(mK)
B and C can also compute N and O respectively if they wish to be able to coordinate
Address: N+O+P, A
The rest follows as above. The coordinator possesses 2 of 3 needed keys; he can get the other
needed part of the signature/key images from either of the other two.
Alternatively, if secure communication exists between parties:
A gives j to B
B gives k to C
C gives m to A
Address: J+K+M, A
3 of 3
Identical to 2 of 2, except the coordinator must collect the key images from both of the others.
The transaction must also be passed an additional hop: A -> B -> C (or A -> C -> B), who can then broadcast it
or send it back to A.
N-1 of N
Generally the same as 2 of 3, except participants need to be arranged in a ring to pass their keys around
(using either the secure or insecure method).
For example (ignoring viewkey so letters line up):
[4 of 5]
User: spendkey
A: a
B: b
C: c
D: d
E: e
a -> B, b -> C, c -> D, d -> E, e -> A
Order of signing does not matter, it just must reach n-1 users. A "remaining keys" list must be passed around with
the transaction so the signers know if they should use 1 or both keys.
Collecting key image parts becomes a little messy, but basically every wallet sends over both of their parts with a tag for each.
Thia way the coordinating wallet can keep track of which images have been added and which wallet they come from. Reasoning:
1. The key images must be added only once (coordinator will get key images for key a from both A and B, he must add only one to get the proper key actual key image)
2. The coordinator must keep track of which helper pubkeys came from which wallet (discussed in 2 of 2 section). The coordinator
must choose only one set to use, then include his choice in the "remaining keys" list so the other wallets know which of their keys to use.
You can generalize it further to N-2 of N or even M of N, but I'm not sure there's legitimate demand to justify the complexity. It might
also be straightforward enough to support with minimal changes from N-1 format.
You basically just give each user additional keys for each additional "-1" you desire. N-2 would be 3 keys per user, N-3 4 keys, etc.
The process is somewhat cumbersome:
To create a N/N multisig wallet:
- each participant creates a normal wallet
- each participant runs "prepare_multisig", and sends the resulting string to every other participant
- each participant runs "make_multisig N A B C D...", with N being the threshold and A B C D... being the strings received from other participants (the threshold must currently equal N)
As txes are received, participants' wallets will need to synchronize so that those new outputs may be spent:
- each participant runs "export_multisig FILENAME", and sends the FILENAME file to every other participant
- each participant runs "import_multisig A B C D...", with A B C D... being the filenames received from other participants
Then, a transaction may be initiated:
- one of the participants runs "transfer ADDRESS AMOUNT"
- this partly signed transaction will be written to the "multisig_monero_tx" file
- the initiator sends this file to another participant
- that other participant runs "sign_multisig multisig_monero_tx"
- the resulting transaction is written to the "multisig_monero_tx" file again
- if the threshold was not reached, the file must be sent to another participant, until enough have signed
- the last participant to sign runs "submit_multisig multisig_monero_tx" to relay the transaction to the Monero network
2017-06-03 23:34:26 +02:00
input_to_key . k_image = msout ? rct : : rct2ki ( src_entr . multisig_kLRki . ki ) : img ;
2017-01-26 16:07:23 +01:00
//fill outputs array and use relative offsets
for ( const tx_source_entry : : output_entry & out_entry : src_entr . outputs )
input_to_key . key_offsets . push_back ( out_entry . first ) ;
input_to_key . key_offsets = absolute_output_offsets_to_relative ( input_to_key . key_offsets ) ;
tx . vin . push_back ( input_to_key ) ;
}
2018-05-20 02:38:41 +02:00
if ( shuffle_outs )
{
2019-07-03 11:05:01 +02:00
std : : shuffle ( destinations . begin ( ) , destinations . end ( ) , crypto : : random_device { } ) ;
2018-05-20 02:38:41 +02:00
}
2017-09-26 18:31:15 +02:00
2017-09-12 22:40:53 +02:00
// sort ins by their key image
std : : vector < size_t > ins_order ( sources . size ( ) ) ;
for ( size_t n = 0 ; n < sources . size ( ) ; + + n )
ins_order [ n ] = n ;
std : : sort ( ins_order . begin ( ) , ins_order . end ( ) , [ & ] ( const size_t i0 , const size_t i1 ) {
2020-10-16 00:44:36 +02:00
const txin_to_key & tk0 = var : : get < txin_to_key > ( tx . vin [ i0 ] ) ;
const txin_to_key & tk1 = var : : get < txin_to_key > ( tx . vin [ i1 ] ) ;
2017-12-09 12:24:38 +01:00
return memcmp ( & tk0 . k_image , & tk1 . k_image , sizeof ( tk0 . k_image ) ) > 0 ;
2017-09-12 22:40:53 +02:00
} ) ;
tools : : apply_permutation ( ins_order , [ & ] ( size_t i0 , size_t i1 ) {
std : : swap ( tx . vin [ i0 ] , tx . vin [ i1 ] ) ;
std : : swap ( in_contexts [ i0 ] , in_contexts [ i1 ] ) ;
std : : swap ( sources [ i0 ] , sources [ i1 ] ) ;
} ) ;
2017-01-26 16:07:23 +01:00
2017-02-19 03:42:10 +01:00
// figure out if we need to make additional tx pubkeys
size_t num_stdaddresses = 0 ;
size_t num_subaddresses = 0 ;
account_public_address single_dest_subaddress ;
Add N/N multisig tx generation and signing
Scheme by luigi1111:
Multisig for RingCT on Monero
2 of 2
User A (coordinator):
Spendkey b,B
Viewkey a,A (shared)
User B:
Spendkey c,C
Viewkey a,A (shared)
Public Address: C+B, A
Both have their own watch only wallet via C+B, a
A will coordinate spending process (though B could easily as well, coordinator is more needed for more participants)
A and B watch for incoming outputs
B creates "half" key images for discovered output D:
I2_D = (Hs(aR)+c) * Hp(D)
B also creates 1.5 random keypairs (one scalar and 2 pubkeys; one on base G and one on base Hp(D)) for each output, storing the scalar(k) (linked to D),
and sending the pubkeys with I2_D.
A also creates "half" key images:
I1_D = (Hs(aR)+b) * Hp(D)
Then I_D = I1_D + I2_D
Having I_D allows A to check spent status of course, but more importantly allows A to actually build a transaction prefix (and thus transaction).
A builds the transaction until most of the way through MLSAG_Gen, adding the 2 pubkeys (per input) provided with I2_D
to his own generated ones where they are needed (secret row L, R).
At this point, A has a mostly completed transaction (but with an invalid/incomplete signature). A sends over the tx and includes r,
which allows B (with the recipient's address) to verify the destination and amount (by reconstructing the stealth address and decoding ecdhInfo).
B then finishes the signature by computing ss[secret_index][0] = ss[secret_index][0] + k - cc[secret_index]*c (secret indices need to be passed as well).
B can then broadcast the tx, or send it back to A for broadcasting. Once B has completed the signing (and verified the tx to be valid), he can add the full I_D
to his cache, allowing him to verify spent status as well.
NOTE:
A and B *must* present key A and B to each other with a valid signature proving they know a and b respectively.
Otherwise, trickery like the following becomes possible:
A creates viewkey a,A, spendkey b,B, and sends a,A,B to B.
B creates a fake key C = zG - B. B sends C back to A.
The combined spendkey C+B then equals zG, allowing B to spend funds at any time!
The signature fixes this, because B does not know a c corresponding to C (and thus can't produce a signature).
2 of 3
User A (coordinator)
Shared viewkey a,A
"spendkey" j,J
User B
"spendkey" k,K
User C
"spendkey" m,M
A collects K and M from B and C
B collects J and M from A and C
C collects J and K from A and B
A computes N = nG, n = Hs(jK)
A computes O = oG, o = Hs(jM)
B anc C compute P = pG, p = Hs(kM) || Hs(mK)
B and C can also compute N and O respectively if they wish to be able to coordinate
Address: N+O+P, A
The rest follows as above. The coordinator possesses 2 of 3 needed keys; he can get the other
needed part of the signature/key images from either of the other two.
Alternatively, if secure communication exists between parties:
A gives j to B
B gives k to C
C gives m to A
Address: J+K+M, A
3 of 3
Identical to 2 of 2, except the coordinator must collect the key images from both of the others.
The transaction must also be passed an additional hop: A -> B -> C (or A -> C -> B), who can then broadcast it
or send it back to A.
N-1 of N
Generally the same as 2 of 3, except participants need to be arranged in a ring to pass their keys around
(using either the secure or insecure method).
For example (ignoring viewkey so letters line up):
[4 of 5]
User: spendkey
A: a
B: b
C: c
D: d
E: e
a -> B, b -> C, c -> D, d -> E, e -> A
Order of signing does not matter, it just must reach n-1 users. A "remaining keys" list must be passed around with
the transaction so the signers know if they should use 1 or both keys.
Collecting key image parts becomes a little messy, but basically every wallet sends over both of their parts with a tag for each.
Thia way the coordinating wallet can keep track of which images have been added and which wallet they come from. Reasoning:
1. The key images must be added only once (coordinator will get key images for key a from both A and B, he must add only one to get the proper key actual key image)
2. The coordinator must keep track of which helper pubkeys came from which wallet (discussed in 2 of 2 section). The coordinator
must choose only one set to use, then include his choice in the "remaining keys" list so the other wallets know which of their keys to use.
You can generalize it further to N-2 of N or even M of N, but I'm not sure there's legitimate demand to justify the complexity. It might
also be straightforward enough to support with minimal changes from N-1 format.
You basically just give each user additional keys for each additional "-1" you desire. N-2 would be 3 keys per user, N-3 4 keys, etc.
The process is somewhat cumbersome:
To create a N/N multisig wallet:
- each participant creates a normal wallet
- each participant runs "prepare_multisig", and sends the resulting string to every other participant
- each participant runs "make_multisig N A B C D...", with N being the threshold and A B C D... being the strings received from other participants (the threshold must currently equal N)
As txes are received, participants' wallets will need to synchronize so that those new outputs may be spent:
- each participant runs "export_multisig FILENAME", and sends the FILENAME file to every other participant
- each participant runs "import_multisig A B C D...", with A B C D... being the filenames received from other participants
Then, a transaction may be initiated:
- one of the participants runs "transfer ADDRESS AMOUNT"
- this partly signed transaction will be written to the "multisig_monero_tx" file
- the initiator sends this file to another participant
- that other participant runs "sign_multisig multisig_monero_tx"
- the resulting transaction is written to the "multisig_monero_tx" file again
- if the threshold was not reached, the file must be sent to another participant, until enough have signed
- the last participant to sign runs "submit_multisig multisig_monero_tx" to relay the transaction to the Monero network
2017-06-03 23:34:26 +02:00
classify_addresses ( destinations , change_addr , num_stdaddresses , num_subaddresses , single_dest_subaddress ) ;
2017-02-19 03:42:10 +01:00
// if this is a single-destination transfer to a subaddress, we set the tx pubkey to R=s*D
if ( num_stdaddresses = = 0 & & num_subaddresses = = 1 )
{
2018-03-05 08:16:30 +01:00
txkey_pub = rct : : rct2pk ( hwdev . scalarmultKey ( rct : : pk2rct ( single_dest_subaddress . m_spend_public_key ) , rct : : sk2rct ( tx_key ) ) ) ;
2017-02-19 03:42:10 +01:00
}
2017-10-18 01:46:00 +02:00
else
{
2018-03-05 08:16:30 +01:00
txkey_pub = rct : : rct2pk ( hwdev . scalarmultBase ( rct : : sk2rct ( tx_key ) ) ) ;
2017-10-18 01:46:00 +02:00
}
2020-06-02 05:47:20 +02:00
remove_field_from_tx_extra < tx_extra_pub_key > ( tx . extra ) ;
2020-06-02 06:21:05 +02:00
add_tx_extra < tx_extra_pub_key > ( tx , txkey_pub ) ;
2017-02-19 03:42:10 +01:00
std : : vector < crypto : : public_key > additional_tx_public_keys ;
// we don't need to include additional tx keys if:
// - all the destinations are standard addresses
// - there's only one destination which is a subaddress
bool need_additional_txkeys = num_subaddresses > 0 & & ( num_stdaddresses > 0 | | num_subaddresses > 1 ) ;
Add N/N multisig tx generation and signing
Scheme by luigi1111:
Multisig for RingCT on Monero
2 of 2
User A (coordinator):
Spendkey b,B
Viewkey a,A (shared)
User B:
Spendkey c,C
Viewkey a,A (shared)
Public Address: C+B, A
Both have their own watch only wallet via C+B, a
A will coordinate spending process (though B could easily as well, coordinator is more needed for more participants)
A and B watch for incoming outputs
B creates "half" key images for discovered output D:
I2_D = (Hs(aR)+c) * Hp(D)
B also creates 1.5 random keypairs (one scalar and 2 pubkeys; one on base G and one on base Hp(D)) for each output, storing the scalar(k) (linked to D),
and sending the pubkeys with I2_D.
A also creates "half" key images:
I1_D = (Hs(aR)+b) * Hp(D)
Then I_D = I1_D + I2_D
Having I_D allows A to check spent status of course, but more importantly allows A to actually build a transaction prefix (and thus transaction).
A builds the transaction until most of the way through MLSAG_Gen, adding the 2 pubkeys (per input) provided with I2_D
to his own generated ones where they are needed (secret row L, R).
At this point, A has a mostly completed transaction (but with an invalid/incomplete signature). A sends over the tx and includes r,
which allows B (with the recipient's address) to verify the destination and amount (by reconstructing the stealth address and decoding ecdhInfo).
B then finishes the signature by computing ss[secret_index][0] = ss[secret_index][0] + k - cc[secret_index]*c (secret indices need to be passed as well).
B can then broadcast the tx, or send it back to A for broadcasting. Once B has completed the signing (and verified the tx to be valid), he can add the full I_D
to his cache, allowing him to verify spent status as well.
NOTE:
A and B *must* present key A and B to each other with a valid signature proving they know a and b respectively.
Otherwise, trickery like the following becomes possible:
A creates viewkey a,A, spendkey b,B, and sends a,A,B to B.
B creates a fake key C = zG - B. B sends C back to A.
The combined spendkey C+B then equals zG, allowing B to spend funds at any time!
The signature fixes this, because B does not know a c corresponding to C (and thus can't produce a signature).
2 of 3
User A (coordinator)
Shared viewkey a,A
"spendkey" j,J
User B
"spendkey" k,K
User C
"spendkey" m,M
A collects K and M from B and C
B collects J and M from A and C
C collects J and K from A and B
A computes N = nG, n = Hs(jK)
A computes O = oG, o = Hs(jM)
B anc C compute P = pG, p = Hs(kM) || Hs(mK)
B and C can also compute N and O respectively if they wish to be able to coordinate
Address: N+O+P, A
The rest follows as above. The coordinator possesses 2 of 3 needed keys; he can get the other
needed part of the signature/key images from either of the other two.
Alternatively, if secure communication exists between parties:
A gives j to B
B gives k to C
C gives m to A
Address: J+K+M, A
3 of 3
Identical to 2 of 2, except the coordinator must collect the key images from both of the others.
The transaction must also be passed an additional hop: A -> B -> C (or A -> C -> B), who can then broadcast it
or send it back to A.
N-1 of N
Generally the same as 2 of 3, except participants need to be arranged in a ring to pass their keys around
(using either the secure or insecure method).
For example (ignoring viewkey so letters line up):
[4 of 5]
User: spendkey
A: a
B: b
C: c
D: d
E: e
a -> B, b -> C, c -> D, d -> E, e -> A
Order of signing does not matter, it just must reach n-1 users. A "remaining keys" list must be passed around with
the transaction so the signers know if they should use 1 or both keys.
Collecting key image parts becomes a little messy, but basically every wallet sends over both of their parts with a tag for each.
Thia way the coordinating wallet can keep track of which images have been added and which wallet they come from. Reasoning:
1. The key images must be added only once (coordinator will get key images for key a from both A and B, he must add only one to get the proper key actual key image)
2. The coordinator must keep track of which helper pubkeys came from which wallet (discussed in 2 of 2 section). The coordinator
must choose only one set to use, then include his choice in the "remaining keys" list so the other wallets know which of their keys to use.
You can generalize it further to N-2 of N or even M of N, but I'm not sure there's legitimate demand to justify the complexity. It might
also be straightforward enough to support with minimal changes from N-1 format.
You basically just give each user additional keys for each additional "-1" you desire. N-2 would be 3 keys per user, N-3 4 keys, etc.
The process is somewhat cumbersome:
To create a N/N multisig wallet:
- each participant creates a normal wallet
- each participant runs "prepare_multisig", and sends the resulting string to every other participant
- each participant runs "make_multisig N A B C D...", with N being the threshold and A B C D... being the strings received from other participants (the threshold must currently equal N)
As txes are received, participants' wallets will need to synchronize so that those new outputs may be spent:
- each participant runs "export_multisig FILENAME", and sends the FILENAME file to every other participant
- each participant runs "import_multisig A B C D...", with A B C D... being the filenames received from other participants
Then, a transaction may be initiated:
- one of the participants runs "transfer ADDRESS AMOUNT"
- this partly signed transaction will be written to the "multisig_monero_tx" file
- the initiator sends this file to another participant
- that other participant runs "sign_multisig multisig_monero_tx"
- the resulting transaction is written to the "multisig_monero_tx" file again
- if the threshold was not reached, the file must be sent to another participant, until enough have signed
- the last participant to sign runs "submit_multisig multisig_monero_tx" to relay the transaction to the Monero network
2017-06-03 23:34:26 +02:00
if ( need_additional_txkeys )
CHECK_AND_ASSERT_MES ( destinations . size ( ) = = additional_tx_keys . size ( ) , false , " Wrong amount of additional tx keys " ) ;
2017-02-19 03:42:10 +01:00
2017-01-26 16:07:23 +01:00
uint64_t summary_outs_money = 0 ;
//fill outputs
size_t output_index = 0 ;
2019-01-25 04:15:52 +01:00
tx_extra_tx_key_image_proofs key_image_proofs ;
2019-02-21 03:21:12 +01:00
bool found_change_already = false ;
2018-05-20 02:38:41 +02:00
for ( const tx_destination_entry & dst_entr : destinations )
2017-01-26 16:07:23 +01:00
{
2018-12-11 10:20:21 +01:00
crypto : : public_key out_eph_public_key ;
2017-02-19 03:42:10 +01:00
2019-02-21 03:21:12 +01:00
bool this_dst_is_change_addr = false ;
2019-06-11 20:53:46 +02:00
hwdev . generate_output_ephemeral_keys ( static_cast < uint16_t > ( tx . version ) , this_dst_is_change_addr , sender_account_keys , txkey_pub , tx_key ,
2018-12-11 10:20:21 +01:00
dst_entr , change_addr , output_index ,
need_additional_txkeys , additional_tx_keys ,
additional_tx_public_keys , amount_keys , out_eph_public_key ) ;
2017-02-19 03:42:10 +01:00
2020-11-23 23:25:01 +01:00
// Per-output unlock times:
2017-02-19 03:42:10 +01:00
{
2019-02-21 03:21:12 +01:00
if ( change_addr & & * change_addr = = dst_entr & & this_dst_is_change_addr & & ! found_change_already )
2018-08-03 03:39:28 +02:00
{
2019-02-21 03:21:12 +01:00
found_change_already = true ;
2018-08-03 03:39:28 +02:00
tx . output_unlock_times . push_back ( 0 ) ; // 0 unlock time for change
}
2018-12-11 10:20:21 +01:00
else
2018-08-03 03:39:28 +02:00
{
tx . output_unlock_times . push_back ( unlock_time ) ; // for now, all non-change have same unlock time
}
2017-02-19 03:42:10 +01:00
}
2019-11-29 04:36:43 +01:00
if ( tx . type = = txtype : : stake )
2019-01-25 04:15:52 +01:00
{
CHECK_AND_ASSERT_MES ( dst_entr . addr = = sender_account_keys . m_account_address , false , " A staking contribution must return back to the original sendee otherwise the pre-calculated key image is incorrect " ) ;
2021-01-04 01:09:45 +01:00
CHECK_AND_ASSERT_MES ( dst_entr . is_subaddress = = false , false , " Staking back to a subaddress is not allowed " ) ; // TODO(oxen): Maybe one day, revisit this
CHECK_AND_ASSERT_MES ( need_additional_txkeys = = false , false , " Staking TX's can not required additional TX Keys " ) ; // TODO(oxen): Maybe one day, revisit this
2019-01-25 04:15:52 +01:00
if ( ! ( change_addr & & * change_addr = = dst_entr ) )
{
2020-12-02 03:27:44 +01:00
auto & proof = key_image_proofs . proofs . emplace_back ( ) ;
keypair ephemeral_keys { } ;
2019-01-25 04:15:52 +01:00
if ( ! generate_key_image_helper ( sender_account_keys , subaddresses , out_eph_public_key , txkey_pub , additional_tx_public_keys , output_index , ephemeral_keys , proof . key_image , hwdev ) )
{
LOG_ERROR ( " Key image generation failed for staking TX! " ) ;
return false ;
}
2020-12-04 16:54:33 +01:00
hwdev . generate_key_image_signature ( proof . key_image , out_eph_public_key , ephemeral_keys . sec , proof . signature ) ;
2019-01-25 04:15:52 +01:00
}
}
2017-01-26 16:07:23 +01:00
tx_out out ;
out . amount = dst_entr . amount ;
txout_to_key tk ;
tk . key = out_eph_public_key ;
out . target = tk ;
tx . vout . push_back ( out ) ;
output_index + + ;
summary_outs_money + = dst_entr . amount ;
}
Add N/N multisig tx generation and signing
Scheme by luigi1111:
Multisig for RingCT on Monero
2 of 2
User A (coordinator):
Spendkey b,B
Viewkey a,A (shared)
User B:
Spendkey c,C
Viewkey a,A (shared)
Public Address: C+B, A
Both have their own watch only wallet via C+B, a
A will coordinate spending process (though B could easily as well, coordinator is more needed for more participants)
A and B watch for incoming outputs
B creates "half" key images for discovered output D:
I2_D = (Hs(aR)+c) * Hp(D)
B also creates 1.5 random keypairs (one scalar and 2 pubkeys; one on base G and one on base Hp(D)) for each output, storing the scalar(k) (linked to D),
and sending the pubkeys with I2_D.
A also creates "half" key images:
I1_D = (Hs(aR)+b) * Hp(D)
Then I_D = I1_D + I2_D
Having I_D allows A to check spent status of course, but more importantly allows A to actually build a transaction prefix (and thus transaction).
A builds the transaction until most of the way through MLSAG_Gen, adding the 2 pubkeys (per input) provided with I2_D
to his own generated ones where they are needed (secret row L, R).
At this point, A has a mostly completed transaction (but with an invalid/incomplete signature). A sends over the tx and includes r,
which allows B (with the recipient's address) to verify the destination and amount (by reconstructing the stealth address and decoding ecdhInfo).
B then finishes the signature by computing ss[secret_index][0] = ss[secret_index][0] + k - cc[secret_index]*c (secret indices need to be passed as well).
B can then broadcast the tx, or send it back to A for broadcasting. Once B has completed the signing (and verified the tx to be valid), he can add the full I_D
to his cache, allowing him to verify spent status as well.
NOTE:
A and B *must* present key A and B to each other with a valid signature proving they know a and b respectively.
Otherwise, trickery like the following becomes possible:
A creates viewkey a,A, spendkey b,B, and sends a,A,B to B.
B creates a fake key C = zG - B. B sends C back to A.
The combined spendkey C+B then equals zG, allowing B to spend funds at any time!
The signature fixes this, because B does not know a c corresponding to C (and thus can't produce a signature).
2 of 3
User A (coordinator)
Shared viewkey a,A
"spendkey" j,J
User B
"spendkey" k,K
User C
"spendkey" m,M
A collects K and M from B and C
B collects J and M from A and C
C collects J and K from A and B
A computes N = nG, n = Hs(jK)
A computes O = oG, o = Hs(jM)
B anc C compute P = pG, p = Hs(kM) || Hs(mK)
B and C can also compute N and O respectively if they wish to be able to coordinate
Address: N+O+P, A
The rest follows as above. The coordinator possesses 2 of 3 needed keys; he can get the other
needed part of the signature/key images from either of the other two.
Alternatively, if secure communication exists between parties:
A gives j to B
B gives k to C
C gives m to A
Address: J+K+M, A
3 of 3
Identical to 2 of 2, except the coordinator must collect the key images from both of the others.
The transaction must also be passed an additional hop: A -> B -> C (or A -> C -> B), who can then broadcast it
or send it back to A.
N-1 of N
Generally the same as 2 of 3, except participants need to be arranged in a ring to pass their keys around
(using either the secure or insecure method).
For example (ignoring viewkey so letters line up):
[4 of 5]
User: spendkey
A: a
B: b
C: c
D: d
E: e
a -> B, b -> C, c -> D, d -> E, e -> A
Order of signing does not matter, it just must reach n-1 users. A "remaining keys" list must be passed around with
the transaction so the signers know if they should use 1 or both keys.
Collecting key image parts becomes a little messy, but basically every wallet sends over both of their parts with a tag for each.
Thia way the coordinating wallet can keep track of which images have been added and which wallet they come from. Reasoning:
1. The key images must be added only once (coordinator will get key images for key a from both A and B, he must add only one to get the proper key actual key image)
2. The coordinator must keep track of which helper pubkeys came from which wallet (discussed in 2 of 2 section). The coordinator
must choose only one set to use, then include his choice in the "remaining keys" list so the other wallets know which of their keys to use.
You can generalize it further to N-2 of N or even M of N, but I'm not sure there's legitimate demand to justify the complexity. It might
also be straightforward enough to support with minimal changes from N-1 format.
You basically just give each user additional keys for each additional "-1" you desire. N-2 would be 3 keys per user, N-3 4 keys, etc.
The process is somewhat cumbersome:
To create a N/N multisig wallet:
- each participant creates a normal wallet
- each participant runs "prepare_multisig", and sends the resulting string to every other participant
- each participant runs "make_multisig N A B C D...", with N being the threshold and A B C D... being the strings received from other participants (the threshold must currently equal N)
As txes are received, participants' wallets will need to synchronize so that those new outputs may be spent:
- each participant runs "export_multisig FILENAME", and sends the FILENAME file to every other participant
- each participant runs "import_multisig A B C D...", with A B C D... being the filenames received from other participants
Then, a transaction may be initiated:
- one of the participants runs "transfer ADDRESS AMOUNT"
- this partly signed transaction will be written to the "multisig_monero_tx" file
- the initiator sends this file to another participant
- that other participant runs "sign_multisig multisig_monero_tx"
- the resulting transaction is written to the "multisig_monero_tx" file again
- if the threshold was not reached, the file must be sent to another participant, until enough have signed
- the last participant to sign runs "submit_multisig multisig_monero_tx" to relay the transaction to the Monero network
2017-06-03 23:34:26 +02:00
CHECK_AND_ASSERT_MES ( additional_tx_public_keys . size ( ) = = additional_tx_keys . size ( ) , false , " Internal error creating additional public keys " ) ;
2017-01-26 16:07:23 +01:00
2019-11-29 04:36:43 +01:00
if ( tx . type = = txtype : : stake )
2019-01-25 04:15:52 +01:00
{
CHECK_AND_ASSERT_MES ( key_image_proofs . proofs . size ( ) > = 1 , false , " No key image proofs were generated for staking tx " ) ;
add_tx_key_image_proofs_to_tx_extra ( tx . extra , key_image_proofs ) ;
2019-11-29 04:36:43 +01:00
if ( tx_params . hf_version < = cryptonote : : network_version_13_enforce_checkpoints )
tx . type = txtype : : standard ;
2019-01-25 04:15:52 +01:00
}
2020-06-02 05:47:20 +02:00
remove_field_from_tx_extra < tx_extra_additional_pub_keys > ( tx . extra ) ;
2017-02-19 03:42:10 +01:00
Add N/N multisig tx generation and signing
Scheme by luigi1111:
Multisig for RingCT on Monero
2 of 2
User A (coordinator):
Spendkey b,B
Viewkey a,A (shared)
User B:
Spendkey c,C
Viewkey a,A (shared)
Public Address: C+B, A
Both have their own watch only wallet via C+B, a
A will coordinate spending process (though B could easily as well, coordinator is more needed for more participants)
A and B watch for incoming outputs
B creates "half" key images for discovered output D:
I2_D = (Hs(aR)+c) * Hp(D)
B also creates 1.5 random keypairs (one scalar and 2 pubkeys; one on base G and one on base Hp(D)) for each output, storing the scalar(k) (linked to D),
and sending the pubkeys with I2_D.
A also creates "half" key images:
I1_D = (Hs(aR)+b) * Hp(D)
Then I_D = I1_D + I2_D
Having I_D allows A to check spent status of course, but more importantly allows A to actually build a transaction prefix (and thus transaction).
A builds the transaction until most of the way through MLSAG_Gen, adding the 2 pubkeys (per input) provided with I2_D
to his own generated ones where they are needed (secret row L, R).
At this point, A has a mostly completed transaction (but with an invalid/incomplete signature). A sends over the tx and includes r,
which allows B (with the recipient's address) to verify the destination and amount (by reconstructing the stealth address and decoding ecdhInfo).
B then finishes the signature by computing ss[secret_index][0] = ss[secret_index][0] + k - cc[secret_index]*c (secret indices need to be passed as well).
B can then broadcast the tx, or send it back to A for broadcasting. Once B has completed the signing (and verified the tx to be valid), he can add the full I_D
to his cache, allowing him to verify spent status as well.
NOTE:
A and B *must* present key A and B to each other with a valid signature proving they know a and b respectively.
Otherwise, trickery like the following becomes possible:
A creates viewkey a,A, spendkey b,B, and sends a,A,B to B.
B creates a fake key C = zG - B. B sends C back to A.
The combined spendkey C+B then equals zG, allowing B to spend funds at any time!
The signature fixes this, because B does not know a c corresponding to C (and thus can't produce a signature).
2 of 3
User A (coordinator)
Shared viewkey a,A
"spendkey" j,J
User B
"spendkey" k,K
User C
"spendkey" m,M
A collects K and M from B and C
B collects J and M from A and C
C collects J and K from A and B
A computes N = nG, n = Hs(jK)
A computes O = oG, o = Hs(jM)
B anc C compute P = pG, p = Hs(kM) || Hs(mK)
B and C can also compute N and O respectively if they wish to be able to coordinate
Address: N+O+P, A
The rest follows as above. The coordinator possesses 2 of 3 needed keys; he can get the other
needed part of the signature/key images from either of the other two.
Alternatively, if secure communication exists between parties:
A gives j to B
B gives k to C
C gives m to A
Address: J+K+M, A
3 of 3
Identical to 2 of 2, except the coordinator must collect the key images from both of the others.
The transaction must also be passed an additional hop: A -> B -> C (or A -> C -> B), who can then broadcast it
or send it back to A.
N-1 of N
Generally the same as 2 of 3, except participants need to be arranged in a ring to pass their keys around
(using either the secure or insecure method).
For example (ignoring viewkey so letters line up):
[4 of 5]
User: spendkey
A: a
B: b
C: c
D: d
E: e
a -> B, b -> C, c -> D, d -> E, e -> A
Order of signing does not matter, it just must reach n-1 users. A "remaining keys" list must be passed around with
the transaction so the signers know if they should use 1 or both keys.
Collecting key image parts becomes a little messy, but basically every wallet sends over both of their parts with a tag for each.
Thia way the coordinating wallet can keep track of which images have been added and which wallet they come from. Reasoning:
1. The key images must be added only once (coordinator will get key images for key a from both A and B, he must add only one to get the proper key actual key image)
2. The coordinator must keep track of which helper pubkeys came from which wallet (discussed in 2 of 2 section). The coordinator
must choose only one set to use, then include his choice in the "remaining keys" list so the other wallets know which of their keys to use.
You can generalize it further to N-2 of N or even M of N, but I'm not sure there's legitimate demand to justify the complexity. It might
also be straightforward enough to support with minimal changes from N-1 format.
You basically just give each user additional keys for each additional "-1" you desire. N-2 would be 3 keys per user, N-3 4 keys, etc.
The process is somewhat cumbersome:
To create a N/N multisig wallet:
- each participant creates a normal wallet
- each participant runs "prepare_multisig", and sends the resulting string to every other participant
- each participant runs "make_multisig N A B C D...", with N being the threshold and A B C D... being the strings received from other participants (the threshold must currently equal N)
As txes are received, participants' wallets will need to synchronize so that those new outputs may be spent:
- each participant runs "export_multisig FILENAME", and sends the FILENAME file to every other participant
- each participant runs "import_multisig A B C D...", with A B C D... being the filenames received from other participants
Then, a transaction may be initiated:
- one of the participants runs "transfer ADDRESS AMOUNT"
- this partly signed transaction will be written to the "multisig_monero_tx" file
- the initiator sends this file to another participant
- that other participant runs "sign_multisig multisig_monero_tx"
- the resulting transaction is written to the "multisig_monero_tx" file again
- if the threshold was not reached, the file must be sent to another participant, until enough have signed
- the last participant to sign runs "submit_multisig multisig_monero_tx" to relay the transaction to the Monero network
2017-06-03 23:34:26 +02:00
LOG_PRINT_L2 ( " tx pubkey: " < < txkey_pub ) ;
2017-02-19 03:42:10 +01:00
if ( need_additional_txkeys )
{
LOG_PRINT_L2 ( " additional tx pubkeys: " ) ;
for ( size_t i = 0 ; i < additional_tx_public_keys . size ( ) ; + + i )
LOG_PRINT_L2 ( additional_tx_public_keys [ i ] ) ;
2017-10-19 09:57:03 +02:00
add_additional_tx_pub_keys_to_extra ( tx . extra , additional_tx_public_keys ) ;
2017-02-19 03:42:10 +01:00
}
2018-08-03 12:21:08 +02:00
if ( ! sort_tx_extra ( tx . extra , tx . extra ) )
return false ;
2017-01-26 16:07:23 +01:00
//check money
if ( summary_outs_money > summary_inputs_money )
{
LOG_ERROR ( " Transaction inputs money ( " < < summary_inputs_money < < " ) less than outputs money ( " < < summary_outs_money < < " ) " ) ;
return false ;
}
// check for watch only wallet
bool zero_secret_key = true ;
for ( size_t i = 0 ; i < sizeof ( sender_account_keys . m_spend_secret_key ) ; + + i )
zero_secret_key & = ( sender_account_keys . m_spend_secret_key . data [ i ] = = 0 ) ;
if ( zero_secret_key )
{
MDEBUG ( " Null secret key, skipping signatures " ) ;
}
2020-11-23 23:25:01 +01:00
uint64_t amount_in = 0 , amount_out = 0 ;
rct : : ctkeyV inSk ;
inSk . reserve ( sources . size ( ) ) ;
// mixRing indexing is done the other way round for simple
rct : : ctkeyM mixRing ( sources . size ( ) ) ;
rct : : keyV dest_keys ;
std : : vector < uint64_t > inamounts , outamounts ;
std : : vector < unsigned int > index ;
std : : vector < rct : : multisig_kLRki > kLRki ;
for ( size_t i = 0 ; i < sources . size ( ) ; + + i )
2017-01-26 16:07:23 +01:00
{
2020-11-23 23:25:01 +01:00
rct : : ctkey ctkey ;
amount_in + = sources [ i ] . amount ;
inamounts . push_back ( sources [ i ] . amount ) ;
index . push_back ( sources [ i ] . real_output ) ;
// inSk: (secret key, mask)
ctkey . dest = rct : : sk2rct ( in_contexts [ i ] . in_ephemeral . sec ) ;
ctkey . mask = sources [ i ] . mask ;
inSk . push_back ( ctkey ) ;
memwipe ( & ctkey , sizeof ( rct : : ctkey ) ) ;
// inPk: (public key, commitment)
// will be done when filling in mixRing
if ( msout )
2017-01-26 16:07:23 +01:00
{
2020-11-23 23:25:01 +01:00
kLRki . push_back ( sources [ i ] . multisig_kLRki ) ;
2017-01-26 16:07:23 +01:00
}
}
2020-11-23 23:25:01 +01:00
for ( size_t i = 0 ; i < tx . vout . size ( ) ; + + i )
2017-01-26 16:07:23 +01:00
{
2020-11-23 23:25:01 +01:00
dest_keys . push_back ( rct : : pk2rct ( var : : get < txout_to_key > ( tx . vout [ i ] . target ) . key ) ) ;
outamounts . push_back ( tx . vout [ i ] . amount ) ;
amount_out + = tx . vout [ i ] . amount ;
}
2017-01-26 16:07:23 +01:00
2020-11-23 23:25:01 +01:00
for ( size_t i = 0 ; i < sources . size ( ) ; + + i )
{
mixRing [ i ] . resize ( sources [ i ] . outputs . size ( ) ) ;
for ( size_t n = 0 ; n < sources [ i ] . outputs . size ( ) ; + + n )
2017-01-26 16:07:23 +01:00
{
2020-11-23 23:25:01 +01:00
mixRing [ i ] [ n ] = sources [ i ] . outputs [ n ] . second ;
2017-01-26 16:07:23 +01:00
}
2020-11-23 23:25:01 +01:00
}
2017-01-26 16:07:23 +01:00
2020-11-23 23:25:01 +01:00
if ( tx_params . burn_fixed )
{
if ( amount_in < amount_out + tx_params . burn_fixed )
2017-01-26 16:07:23 +01:00
{
2020-11-23 23:25:01 +01:00
LOG_ERROR ( " invalid burn amount: tx does not have enough unspent funds available; amount_in: " < < std : : to_string ( amount_in ) < < " ; amount_out + tx_params.burn_fixed: " < < std : : to_string ( amount_out ) < < " + " < < std : : to_string ( tx_params . burn_fixed ) ) ;
return false ;
2017-01-26 16:07:23 +01:00
}
2020-11-23 23:25:01 +01:00
remove_field_from_tx_extra < tx_extra_burn > ( tx . extra ) ; // doesn't have to be present (but the wallet puts a dummy here as a safety to avoid growing the tx)
if ( ! add_burned_amount_to_tx_extra ( tx . extra , tx_params . burn_fixed ) )
2017-01-26 16:07:23 +01:00
{
2020-11-23 23:25:01 +01:00
LOG_ERROR ( " failed to add burn amount to tx extra " ) ;
return false ;
2017-01-26 16:07:23 +01:00
}
2020-11-23 23:25:01 +01:00
}
2017-01-26 16:07:23 +01:00
2020-11-23 23:25:01 +01:00
// zero out all amounts to mask rct outputs, real amounts are now encrypted
for ( size_t i = 0 ; i < tx . vin . size ( ) ; + + i )
{
if ( sources [ i ] . rct )
var : : get < txin_to_key > ( tx . vin [ i ] ) . amount = 0 ;
}
for ( size_t i = 0 ; i < tx . vout . size ( ) ; + + i )
tx . vout [ i ] . amount = 0 ;
2019-11-27 23:21:24 +01:00
2020-11-23 23:25:01 +01:00
crypto : : hash tx_prefix_hash ;
get_transaction_prefix_hash ( tx , tx_prefix_hash , hwdev ) ;
rct : : ctkeyV outSk ;
tx . rct_signatures = rct : : genRctSimple ( rct : : hash2rct ( tx_prefix_hash ) , inSk , dest_keys , inamounts , outamounts , amount_in - amount_out , mixRing , amount_keys , msout ? & kLRki : NULL , msout , index , outSk , rct_config , hwdev ) ;
memwipe ( inSk . data ( ) , inSk . size ( ) * sizeof ( rct : : ctkey ) ) ;
2017-01-26 16:07:23 +01:00
2020-11-23 23:25:01 +01:00
CHECK_AND_ASSERT_MES ( tx . vout . size ( ) = = outSk . size ( ) , false , " outSk size does not match vout " ) ;
2017-01-26 16:07:23 +01:00
2020-11-23 23:25:01 +01:00
MCINFO ( " construct_tx " , " transaction_created: " < < get_transaction_hash ( tx ) < < " \n " < < obj_to_json_str ( tx ) < < " \n " ) ;
2017-01-26 16:07:23 +01:00
2017-03-25 10:18:53 +01:00
tx . invalidate_hashes ( ) ;
2017-03-22 19:01:09 +01:00
2017-01-26 16:07:23 +01:00
return true ;
}
//---------------------------------------------------------------
2021-01-04 01:09:45 +01:00
bool construct_tx_and_get_tx_key ( const account_keys & sender_account_keys , const std : : unordered_map < crypto : : public_key , subaddress_index > & subaddresses , std : : vector < tx_source_entry > & sources , std : : vector < tx_destination_entry > & destinations , const std : : optional < cryptonote : : tx_destination_entry > & change_addr , const std : : vector < uint8_t > & extra , transaction & tx , uint64_t unlock_time , crypto : : secret_key & tx_key , std : : vector < crypto : : secret_key > & additional_tx_keys , const rct : : RCTConfig & rct_config , rct : : multisig_out * msout , oxen_construct_tx_params const & tx_params )
Add N/N multisig tx generation and signing
Scheme by luigi1111:
Multisig for RingCT on Monero
2 of 2
User A (coordinator):
Spendkey b,B
Viewkey a,A (shared)
User B:
Spendkey c,C
Viewkey a,A (shared)
Public Address: C+B, A
Both have their own watch only wallet via C+B, a
A will coordinate spending process (though B could easily as well, coordinator is more needed for more participants)
A and B watch for incoming outputs
B creates "half" key images for discovered output D:
I2_D = (Hs(aR)+c) * Hp(D)
B also creates 1.5 random keypairs (one scalar and 2 pubkeys; one on base G and one on base Hp(D)) for each output, storing the scalar(k) (linked to D),
and sending the pubkeys with I2_D.
A also creates "half" key images:
I1_D = (Hs(aR)+b) * Hp(D)
Then I_D = I1_D + I2_D
Having I_D allows A to check spent status of course, but more importantly allows A to actually build a transaction prefix (and thus transaction).
A builds the transaction until most of the way through MLSAG_Gen, adding the 2 pubkeys (per input) provided with I2_D
to his own generated ones where they are needed (secret row L, R).
At this point, A has a mostly completed transaction (but with an invalid/incomplete signature). A sends over the tx and includes r,
which allows B (with the recipient's address) to verify the destination and amount (by reconstructing the stealth address and decoding ecdhInfo).
B then finishes the signature by computing ss[secret_index][0] = ss[secret_index][0] + k - cc[secret_index]*c (secret indices need to be passed as well).
B can then broadcast the tx, or send it back to A for broadcasting. Once B has completed the signing (and verified the tx to be valid), he can add the full I_D
to his cache, allowing him to verify spent status as well.
NOTE:
A and B *must* present key A and B to each other with a valid signature proving they know a and b respectively.
Otherwise, trickery like the following becomes possible:
A creates viewkey a,A, spendkey b,B, and sends a,A,B to B.
B creates a fake key C = zG - B. B sends C back to A.
The combined spendkey C+B then equals zG, allowing B to spend funds at any time!
The signature fixes this, because B does not know a c corresponding to C (and thus can't produce a signature).
2 of 3
User A (coordinator)
Shared viewkey a,A
"spendkey" j,J
User B
"spendkey" k,K
User C
"spendkey" m,M
A collects K and M from B and C
B collects J and M from A and C
C collects J and K from A and B
A computes N = nG, n = Hs(jK)
A computes O = oG, o = Hs(jM)
B anc C compute P = pG, p = Hs(kM) || Hs(mK)
B and C can also compute N and O respectively if they wish to be able to coordinate
Address: N+O+P, A
The rest follows as above. The coordinator possesses 2 of 3 needed keys; he can get the other
needed part of the signature/key images from either of the other two.
Alternatively, if secure communication exists between parties:
A gives j to B
B gives k to C
C gives m to A
Address: J+K+M, A
3 of 3
Identical to 2 of 2, except the coordinator must collect the key images from both of the others.
The transaction must also be passed an additional hop: A -> B -> C (or A -> C -> B), who can then broadcast it
or send it back to A.
N-1 of N
Generally the same as 2 of 3, except participants need to be arranged in a ring to pass their keys around
(using either the secure or insecure method).
For example (ignoring viewkey so letters line up):
[4 of 5]
User: spendkey
A: a
B: b
C: c
D: d
E: e
a -> B, b -> C, c -> D, d -> E, e -> A
Order of signing does not matter, it just must reach n-1 users. A "remaining keys" list must be passed around with
the transaction so the signers know if they should use 1 or both keys.
Collecting key image parts becomes a little messy, but basically every wallet sends over both of their parts with a tag for each.
Thia way the coordinating wallet can keep track of which images have been added and which wallet they come from. Reasoning:
1. The key images must be added only once (coordinator will get key images for key a from both A and B, he must add only one to get the proper key actual key image)
2. The coordinator must keep track of which helper pubkeys came from which wallet (discussed in 2 of 2 section). The coordinator
must choose only one set to use, then include his choice in the "remaining keys" list so the other wallets know which of their keys to use.
You can generalize it further to N-2 of N or even M of N, but I'm not sure there's legitimate demand to justify the complexity. It might
also be straightforward enough to support with minimal changes from N-1 format.
You basically just give each user additional keys for each additional "-1" you desire. N-2 would be 3 keys per user, N-3 4 keys, etc.
The process is somewhat cumbersome:
To create a N/N multisig wallet:
- each participant creates a normal wallet
- each participant runs "prepare_multisig", and sends the resulting string to every other participant
- each participant runs "make_multisig N A B C D...", with N being the threshold and A B C D... being the strings received from other participants (the threshold must currently equal N)
As txes are received, participants' wallets will need to synchronize so that those new outputs may be spent:
- each participant runs "export_multisig FILENAME", and sends the FILENAME file to every other participant
- each participant runs "import_multisig A B C D...", with A B C D... being the filenames received from other participants
Then, a transaction may be initiated:
- one of the participants runs "transfer ADDRESS AMOUNT"
- this partly signed transaction will be written to the "multisig_monero_tx" file
- the initiator sends this file to another participant
- that other participant runs "sign_multisig multisig_monero_tx"
- the resulting transaction is written to the "multisig_monero_tx" file again
- if the threshold was not reached, the file must be sent to another participant, until enough have signed
- the last participant to sign runs "submit_multisig multisig_monero_tx" to relay the transaction to the Monero network
2017-06-03 23:34:26 +02:00
{
2018-02-20 17:01:27 +01:00
hw : : device & hwdev = sender_account_keys . get_device ( ) ;
2020-12-07 04:19:20 +01:00
hwdev . open_tx ( tx_key , transaction : : get_max_version_for_hf ( tx_params . hf_version ) , tx_params . tx_type ) ;
2019-09-25 14:31:14 +02:00
try {
// figure out if we need to make additional tx pubkeys
size_t num_stdaddresses = 0 ;
size_t num_subaddresses = 0 ;
account_public_address single_dest_subaddress ;
classify_addresses ( destinations , change_addr , num_stdaddresses , num_subaddresses , single_dest_subaddress ) ;
bool need_additional_txkeys = num_subaddresses > 0 & & ( num_stdaddresses > 0 | | num_subaddresses > 1 ) ;
if ( need_additional_txkeys )
{
additional_tx_keys . clear ( ) ;
for ( const auto & d : destinations )
2020-12-09 03:31:54 +01:00
additional_tx_keys . push_back ( keypair { sender_account_keys . get_device ( ) } . sec ) ;
2019-09-25 14:31:14 +02:00
}
Add N/N multisig tx generation and signing
Scheme by luigi1111:
Multisig for RingCT on Monero
2 of 2
User A (coordinator):
Spendkey b,B
Viewkey a,A (shared)
User B:
Spendkey c,C
Viewkey a,A (shared)
Public Address: C+B, A
Both have their own watch only wallet via C+B, a
A will coordinate spending process (though B could easily as well, coordinator is more needed for more participants)
A and B watch for incoming outputs
B creates "half" key images for discovered output D:
I2_D = (Hs(aR)+c) * Hp(D)
B also creates 1.5 random keypairs (one scalar and 2 pubkeys; one on base G and one on base Hp(D)) for each output, storing the scalar(k) (linked to D),
and sending the pubkeys with I2_D.
A also creates "half" key images:
I1_D = (Hs(aR)+b) * Hp(D)
Then I_D = I1_D + I2_D
Having I_D allows A to check spent status of course, but more importantly allows A to actually build a transaction prefix (and thus transaction).
A builds the transaction until most of the way through MLSAG_Gen, adding the 2 pubkeys (per input) provided with I2_D
to his own generated ones where they are needed (secret row L, R).
At this point, A has a mostly completed transaction (but with an invalid/incomplete signature). A sends over the tx and includes r,
which allows B (with the recipient's address) to verify the destination and amount (by reconstructing the stealth address and decoding ecdhInfo).
B then finishes the signature by computing ss[secret_index][0] = ss[secret_index][0] + k - cc[secret_index]*c (secret indices need to be passed as well).
B can then broadcast the tx, or send it back to A for broadcasting. Once B has completed the signing (and verified the tx to be valid), he can add the full I_D
to his cache, allowing him to verify spent status as well.
NOTE:
A and B *must* present key A and B to each other with a valid signature proving they know a and b respectively.
Otherwise, trickery like the following becomes possible:
A creates viewkey a,A, spendkey b,B, and sends a,A,B to B.
B creates a fake key C = zG - B. B sends C back to A.
The combined spendkey C+B then equals zG, allowing B to spend funds at any time!
The signature fixes this, because B does not know a c corresponding to C (and thus can't produce a signature).
2 of 3
User A (coordinator)
Shared viewkey a,A
"spendkey" j,J
User B
"spendkey" k,K
User C
"spendkey" m,M
A collects K and M from B and C
B collects J and M from A and C
C collects J and K from A and B
A computes N = nG, n = Hs(jK)
A computes O = oG, o = Hs(jM)
B anc C compute P = pG, p = Hs(kM) || Hs(mK)
B and C can also compute N and O respectively if they wish to be able to coordinate
Address: N+O+P, A
The rest follows as above. The coordinator possesses 2 of 3 needed keys; he can get the other
needed part of the signature/key images from either of the other two.
Alternatively, if secure communication exists between parties:
A gives j to B
B gives k to C
C gives m to A
Address: J+K+M, A
3 of 3
Identical to 2 of 2, except the coordinator must collect the key images from both of the others.
The transaction must also be passed an additional hop: A -> B -> C (or A -> C -> B), who can then broadcast it
or send it back to A.
N-1 of N
Generally the same as 2 of 3, except participants need to be arranged in a ring to pass their keys around
(using either the secure or insecure method).
For example (ignoring viewkey so letters line up):
[4 of 5]
User: spendkey
A: a
B: b
C: c
D: d
E: e
a -> B, b -> C, c -> D, d -> E, e -> A
Order of signing does not matter, it just must reach n-1 users. A "remaining keys" list must be passed around with
the transaction so the signers know if they should use 1 or both keys.
Collecting key image parts becomes a little messy, but basically every wallet sends over both of their parts with a tag for each.
Thia way the coordinating wallet can keep track of which images have been added and which wallet they come from. Reasoning:
1. The key images must be added only once (coordinator will get key images for key a from both A and B, he must add only one to get the proper key actual key image)
2. The coordinator must keep track of which helper pubkeys came from which wallet (discussed in 2 of 2 section). The coordinator
must choose only one set to use, then include his choice in the "remaining keys" list so the other wallets know which of their keys to use.
You can generalize it further to N-2 of N or even M of N, but I'm not sure there's legitimate demand to justify the complexity. It might
also be straightforward enough to support with minimal changes from N-1 format.
You basically just give each user additional keys for each additional "-1" you desire. N-2 would be 3 keys per user, N-3 4 keys, etc.
The process is somewhat cumbersome:
To create a N/N multisig wallet:
- each participant creates a normal wallet
- each participant runs "prepare_multisig", and sends the resulting string to every other participant
- each participant runs "make_multisig N A B C D...", with N being the threshold and A B C D... being the strings received from other participants (the threshold must currently equal N)
As txes are received, participants' wallets will need to synchronize so that those new outputs may be spent:
- each participant runs "export_multisig FILENAME", and sends the FILENAME file to every other participant
- each participant runs "import_multisig A B C D...", with A B C D... being the filenames received from other participants
Then, a transaction may be initiated:
- one of the participants runs "transfer ADDRESS AMOUNT"
- this partly signed transaction will be written to the "multisig_monero_tx" file
- the initiator sends this file to another participant
- that other participant runs "sign_multisig multisig_monero_tx"
- the resulting transaction is written to the "multisig_monero_tx" file again
- if the threshold was not reached, the file must be sent to another participant, until enough have signed
- the last participant to sign runs "submit_multisig multisig_monero_tx" to relay the transaction to the Monero network
2017-06-03 23:34:26 +02:00
2020-05-25 07:26:29 +02:00
bool r = construct_tx_with_tx_key ( sender_account_keys , subaddresses , sources , destinations , change_addr , extra , tx , unlock_time , tx_key , additional_tx_keys , rct_config , msout , true /*shuffle_outs*/ , tx_params ) ;
2019-09-25 14:31:14 +02:00
hwdev . close_tx ( ) ;
return r ;
} catch ( . . . ) {
hwdev . close_tx ( ) ;
throw ;
Add N/N multisig tx generation and signing
Scheme by luigi1111:
Multisig for RingCT on Monero
2 of 2
User A (coordinator):
Spendkey b,B
Viewkey a,A (shared)
User B:
Spendkey c,C
Viewkey a,A (shared)
Public Address: C+B, A
Both have their own watch only wallet via C+B, a
A will coordinate spending process (though B could easily as well, coordinator is more needed for more participants)
A and B watch for incoming outputs
B creates "half" key images for discovered output D:
I2_D = (Hs(aR)+c) * Hp(D)
B also creates 1.5 random keypairs (one scalar and 2 pubkeys; one on base G and one on base Hp(D)) for each output, storing the scalar(k) (linked to D),
and sending the pubkeys with I2_D.
A also creates "half" key images:
I1_D = (Hs(aR)+b) * Hp(D)
Then I_D = I1_D + I2_D
Having I_D allows A to check spent status of course, but more importantly allows A to actually build a transaction prefix (and thus transaction).
A builds the transaction until most of the way through MLSAG_Gen, adding the 2 pubkeys (per input) provided with I2_D
to his own generated ones where they are needed (secret row L, R).
At this point, A has a mostly completed transaction (but with an invalid/incomplete signature). A sends over the tx and includes r,
which allows B (with the recipient's address) to verify the destination and amount (by reconstructing the stealth address and decoding ecdhInfo).
B then finishes the signature by computing ss[secret_index][0] = ss[secret_index][0] + k - cc[secret_index]*c (secret indices need to be passed as well).
B can then broadcast the tx, or send it back to A for broadcasting. Once B has completed the signing (and verified the tx to be valid), he can add the full I_D
to his cache, allowing him to verify spent status as well.
NOTE:
A and B *must* present key A and B to each other with a valid signature proving they know a and b respectively.
Otherwise, trickery like the following becomes possible:
A creates viewkey a,A, spendkey b,B, and sends a,A,B to B.
B creates a fake key C = zG - B. B sends C back to A.
The combined spendkey C+B then equals zG, allowing B to spend funds at any time!
The signature fixes this, because B does not know a c corresponding to C (and thus can't produce a signature).
2 of 3
User A (coordinator)
Shared viewkey a,A
"spendkey" j,J
User B
"spendkey" k,K
User C
"spendkey" m,M
A collects K and M from B and C
B collects J and M from A and C
C collects J and K from A and B
A computes N = nG, n = Hs(jK)
A computes O = oG, o = Hs(jM)
B anc C compute P = pG, p = Hs(kM) || Hs(mK)
B and C can also compute N and O respectively if they wish to be able to coordinate
Address: N+O+P, A
The rest follows as above. The coordinator possesses 2 of 3 needed keys; he can get the other
needed part of the signature/key images from either of the other two.
Alternatively, if secure communication exists between parties:
A gives j to B
B gives k to C
C gives m to A
Address: J+K+M, A
3 of 3
Identical to 2 of 2, except the coordinator must collect the key images from both of the others.
The transaction must also be passed an additional hop: A -> B -> C (or A -> C -> B), who can then broadcast it
or send it back to A.
N-1 of N
Generally the same as 2 of 3, except participants need to be arranged in a ring to pass their keys around
(using either the secure or insecure method).
For example (ignoring viewkey so letters line up):
[4 of 5]
User: spendkey
A: a
B: b
C: c
D: d
E: e
a -> B, b -> C, c -> D, d -> E, e -> A
Order of signing does not matter, it just must reach n-1 users. A "remaining keys" list must be passed around with
the transaction so the signers know if they should use 1 or both keys.
Collecting key image parts becomes a little messy, but basically every wallet sends over both of their parts with a tag for each.
Thia way the coordinating wallet can keep track of which images have been added and which wallet they come from. Reasoning:
1. The key images must be added only once (coordinator will get key images for key a from both A and B, he must add only one to get the proper key actual key image)
2. The coordinator must keep track of which helper pubkeys came from which wallet (discussed in 2 of 2 section). The coordinator
must choose only one set to use, then include his choice in the "remaining keys" list so the other wallets know which of their keys to use.
You can generalize it further to N-2 of N or even M of N, but I'm not sure there's legitimate demand to justify the complexity. It might
also be straightforward enough to support with minimal changes from N-1 format.
You basically just give each user additional keys for each additional "-1" you desire. N-2 would be 3 keys per user, N-3 4 keys, etc.
The process is somewhat cumbersome:
To create a N/N multisig wallet:
- each participant creates a normal wallet
- each participant runs "prepare_multisig", and sends the resulting string to every other participant
- each participant runs "make_multisig N A B C D...", with N being the threshold and A B C D... being the strings received from other participants (the threshold must currently equal N)
As txes are received, participants' wallets will need to synchronize so that those new outputs may be spent:
- each participant runs "export_multisig FILENAME", and sends the FILENAME file to every other participant
- each participant runs "import_multisig A B C D...", with A B C D... being the filenames received from other participants
Then, a transaction may be initiated:
- one of the participants runs "transfer ADDRESS AMOUNT"
- this partly signed transaction will be written to the "multisig_monero_tx" file
- the initiator sends this file to another participant
- that other participant runs "sign_multisig multisig_monero_tx"
- the resulting transaction is written to the "multisig_monero_tx" file again
- if the threshold was not reached, the file must be sent to another participant, until enough have signed
- the last participant to sign runs "submit_multisig multisig_monero_tx" to relay the transaction to the Monero network
2017-06-03 23:34:26 +02:00
}
}
//---------------------------------------------------------------
2021-01-04 01:09:45 +01:00
bool construct_tx ( const account_keys & sender_account_keys , std : : vector < tx_source_entry > & sources , const std : : vector < tx_destination_entry > & destinations , const std : : optional < cryptonote : : tx_destination_entry > & change_addr , const std : : vector < uint8_t > & extra , transaction & tx , uint64_t unlock_time , const oxen_construct_tx_params & tx_params )
2017-01-26 16:07:23 +01:00
{
2017-02-19 03:42:10 +01:00
std : : unordered_map < crypto : : public_key , cryptonote : : subaddress_index > subaddresses ;
subaddresses [ sender_account_keys . m_account_address . m_spend_public_key ] = { 0 , 0 } ;
2017-01-26 16:07:23 +01:00
crypto : : secret_key tx_key ;
2017-02-19 03:42:10 +01:00
std : : vector < crypto : : secret_key > additional_tx_keys ;
2018-05-20 02:38:41 +02:00
std : : vector < tx_destination_entry > destinations_copy = destinations ;
2018-11-16 06:07:41 +01:00
2020-12-09 03:33:08 +01:00
// Always construct CLSAG transactions. They weren't actually acceptable before HF 16, but
// they are now for our fake networks (which we need to do because we no longer have pre-CLSAG
// tx generation code).
rct : : RCTConfig rct_config { rct : : RangeProofType : : PaddedBulletproof , 3 } ;
2019-01-30 06:59:47 +01:00
return construct_tx_and_get_tx_key ( sender_account_keys , subaddresses , sources , destinations_copy , change_addr , extra , tx , unlock_time , tx_key , additional_tx_keys , rct_config , NULL , tx_params ) ;
2017-01-26 16:07:23 +01:00
}
//---------------------------------------------------------------
2020-08-11 23:55:06 +02:00
bool generate_genesis_block ( block & bl , network_type nettype )
2017-01-26 16:07:23 +01:00
{
2020-08-11 23:55:06 +02:00
const auto & conf = get_config ( nettype ) ;
2017-01-26 16:07:23 +01:00
//genesis block
2019-10-31 23:26:58 +01:00
bl = { } ;
2017-01-26 16:07:23 +01:00
2022-02-10 19:25:55 +01:00
CHECK_AND_ASSERT_MES ( oxenc : : is_hex ( conf . GENESIS_TX ) , false , " failed to parse coinbase tx from hard coded blob " ) ;
std : : string tx_bl = oxenc : : from_hex ( conf . GENESIS_TX ) ;
2020-07-21 22:40:17 +02:00
bool r = parse_and_validate_tx_from_blob ( tx_bl , bl . miner_tx ) ;
2017-01-26 16:07:23 +01:00
CHECK_AND_ASSERT_MES ( r , false , " failed to parse coinbase tx from hard coded blob " ) ;
2018-04-09 01:32:12 +02:00
bl . major_version = 7 ;
bl . minor_version = 7 ;
2017-01-26 16:07:23 +01:00
bl . timestamp = 0 ;
2020-08-11 23:55:06 +02:00
bl . nonce = conf . GENESIS_NONCE ;
2019-10-31 02:05:58 +01:00
miner : : find_nonce_for_given_block ( [ ] ( const cryptonote : : block & b , uint64_t height , unsigned int threads , crypto : : hash & hash ) {
2020-06-25 05:31:44 +02:00
hash = cryptonote : : get_block_longhash ( UNDEFINED , cryptonote : : randomx_longhash_context ( NULL , b , height ) , b , height , threads ) ;
2020-05-29 05:37:35 +02:00
return true ;
2019-10-31 02:05:58 +01:00
} , bl , 1 , 0 ) ;
2017-03-25 10:18:53 +01:00
bl . invalidate_hashes ( ) ;
2017-01-26 16:07:23 +01:00
return true ;
}
//---------------------------------------------------------------
2020-06-25 05:31:44 +02:00
crypto : : hash get_altblock_longhash ( cryptonote : : network_type nettype , randomx_longhash_context const & randomx_context , const block & b , uint64_t height )
2019-04-23 21:32:27 +02:00
{
2020-06-25 05:31:44 +02:00
crypto : : hash result = { } ;
if ( nettype = = FAKECHAIN | | b . major_version < network_version_12_checkpointing )
{
result = get_block_longhash ( nettype , randomx_context , b , height , 0 ) ;
}
else
{
blobdata bd = get_block_hashing_blob ( b ) ;
rx_slow_hash ( randomx_context . current_blockchain_height , randomx_context . seed_height , randomx_context . seed_block_hash . data , bd . data ( ) , bd . size ( ) , result . data , 0 , 1 ) ;
}
2020-05-29 05:37:35 +02:00
return result ;
2019-04-23 21:32:27 +02:00
}
2020-05-29 05:37:35 +02:00
randomx_longhash_context : : randomx_longhash_context ( const Blockchain * pbc ,
const block & b /*block to longhash*/ ,
const uint64_t height )
2019-04-23 21:32:27 +02:00
{
2020-05-29 05:37:35 +02:00
* this = { } ;
if ( b . major_version > = network_version_12_checkpointing )
{
if ( pbc ) // null only happens when generating genesis block, 0 init randomx is ok
{
seed_height = rx_seedheight ( height ) ;
seed_block_hash = pbc - > get_pending_block_id_by_height ( seed_height ) ;
current_blockchain_height = pbc - > get_current_blockchain_height ( ) ;
}
}
}
2020-06-25 05:31:44 +02:00
crypto : : hash get_block_longhash ( cryptonote : : network_type nettype , randomx_longhash_context const & randomx_context , const block & b , uint64_t height , int miners )
2020-05-29 05:37:35 +02:00
{
crypto : : hash result = { } ;
const blobdata bd = get_block_hashing_blob ( b ) ;
const uint8_t hf_version = b . major_version ;
2019-06-26 17:12:44 +02:00
2020-06-25 05:31:44 +02:00
crypto : : cn_slow_hash_type cn_type = cn_slow_hash_type : : heavy_v1 ;
if ( nettype = = FAKECHAIN )
2020-05-29 05:37:35 +02:00
{
2020-06-25 05:31:44 +02:00
cn_type = cn_slow_hash_type : : turtle_lite_v2 ;
2019-04-23 21:32:27 +02:00
}
2020-06-25 05:31:44 +02:00
else
{
if ( hf_version > = network_version_12_checkpointing )
{
rx_slow_hash ( randomx_context . current_blockchain_height ,
randomx_context . seed_height ,
randomx_context . seed_block_hash . data ,
bd . data ( ) ,
bd . size ( ) ,
result . data ,
miners ,
0 ) ;
return result ;
}
2019-06-26 17:12:44 +02:00
2020-06-25 05:31:44 +02:00
if ( hf_version > = network_version_11_infinite_staking )
cn_type = cn_slow_hash_type : : turtle_lite_v2 ;
else if ( hf_version > = network_version_7 )
cn_type = crypto : : cn_slow_hash_type : : heavy_v2 ;
}
2019-06-26 17:12:44 +02:00
2020-05-29 05:37:35 +02:00
crypto : : cn_slow_hash ( bd . data ( ) , bd . size ( ) , result , cn_type ) ;
return result ;
2019-04-23 21:32:27 +02:00
}
2020-06-25 05:31:44 +02:00
crypto : : hash get_block_longhash_w_blockchain ( cryptonote : : network_type nettype , const Blockchain * pbc , const block & b , uint64_t height , int miners )
2019-04-23 21:32:27 +02:00
{
2020-06-25 05:31:44 +02:00
crypto : : hash result = get_block_longhash ( nettype , randomx_longhash_context ( pbc , b , height ) , b , height , miners ) ;
2020-05-29 05:37:35 +02:00
return result ;
2019-04-23 21:32:27 +02:00
}
void get_block_longhash_reorg ( const uint64_t split_height )
{
rx_reorg ( split_height ) ;
}
2017-01-26 16:07:23 +01:00
}
