monero_oxide/
ring_signatures.rs

1use std_shims::{
2  io::{self, *},
3  vec::Vec,
4};
5
6use zeroize::Zeroize;
7
8use curve25519_dalek::{EdwardsPoint, Scalar};
9
10use crate::{io::*, generators::hash_to_point, primitives::keccak256_to_scalar};
11
12#[derive(Clone, PartialEq, Eq, Debug, Zeroize)]
13pub(crate) struct Signature {
14  #[cfg(test)]
15  pub(crate) c: Scalar,
16  #[cfg(test)]
17  pub(crate) s: Scalar,
18  #[cfg(not(test))]
19  c: Scalar,
20  #[cfg(not(test))]
21  s: Scalar,
22}
23
24impl Signature {
25  fn write<W: Write>(&self, w: &mut W) -> io::Result<()> {
26    write_scalar(&self.c, w)?;
27    write_scalar(&self.s, w)?;
28    Ok(())
29  }
30
31  fn read<R: Read>(r: &mut R) -> io::Result<Signature> {
32    Ok(Signature { c: read_scalar(r)?, s: read_scalar(r)? })
33  }
34}
35
36/// A ring signature.
37///
38/// This was used by the original Cryptonote transaction protocol and was deprecated with RingCT.
39#[derive(Clone, PartialEq, Eq, Debug, Zeroize)]
40pub struct RingSignature {
41  #[cfg(test)]
42  pub(crate) sigs: Vec<Signature>,
43  #[cfg(not(test))]
44  sigs: Vec<Signature>,
45}
46
47impl RingSignature {
48  /// Write the RingSignature.
49  pub fn write<W: Write>(&self, w: &mut W) -> io::Result<()> {
50    for sig in &self.sigs {
51      sig.write(w)?;
52    }
53    Ok(())
54  }
55
56  /// Read a RingSignature.
57  pub fn read<R: Read>(members: usize, r: &mut R) -> io::Result<RingSignature> {
58    Ok(RingSignature { sigs: read_raw_vec(Signature::read, members, r)? })
59  }
60
61  /// Verify the ring signature.
62  pub fn verify(&self, msg: &[u8; 32], ring: &[EdwardsPoint], key_image: &EdwardsPoint) -> bool {
63    if ring.len() != self.sigs.len() {
64      return false;
65    }
66
67    let mut buf = Vec::with_capacity(32 + (2 * 32 * ring.len()));
68    buf.extend_from_slice(msg);
69
70    let mut sum = Scalar::ZERO;
71    for (ring_member, sig) in ring.iter().zip(&self.sigs) {
72      /*
73        The traditional Schnorr signature is:
74          r = sample()
75          c = H(r G || m)
76          s = r - c x
77        Verified as:
78          s G + c A == R
79
80        Each ring member here performs a dual-Schnorr signature for:
81          s G + c A
82          s HtP(A) + c K
83        Where the transcript is pushed both these values, r G, r HtP(A) for the real spend.
84        This also serves as a DLEq proof between the key and the key image.
85
86        Checking sum(c) == H(transcript) acts a disjunction, where any one of the `c`s can be
87        modified to cause the intended sum, if and only if a corresponding `s` value is known.
88      */
89
90      #[allow(non_snake_case)]
91      let Li = EdwardsPoint::vartime_double_scalar_mul_basepoint(&sig.c, ring_member, &sig.s);
92      buf.extend_from_slice(Li.compress().as_bytes());
93      #[allow(non_snake_case)]
94      let Ri = (sig.s * hash_to_point(ring_member.compress().to_bytes())) + (sig.c * key_image);
95      buf.extend_from_slice(Ri.compress().as_bytes());
96
97      sum += sig.c;
98    }
99    sum == keccak256_to_scalar(buf)
100  }
101}