Make adaptor signature protocol pass

3 years ago · 60de1846c9
parent 0c0acaad9e
commit 60de1846c9
6 changed files with 36 additions and 41 deletions
--- a/Cargo.lock
+++ b/Cargo.lock
@ -2305,7 +2305,7 @@ dependencies = [
 [[package]]
 name = "monero"
 version = "0.12.0"
-source = "git+https://github.com/comit-network/monero-rs?rev=fee1f7054a4b8500dcf7867ebd1b9e7f693cd566#fee1f7054a4b8500dcf7867ebd1b9e7f693cd566"
+source = "git+https://github.com/comit-network/monero-rs?rev=2fe0280c5c8a6fadcd8fed780875e1a9e830e57e#2fe0280c5c8a6fadcd8fed780875e1a9e830e57e"
 dependencies = [
 "base58-monero",
 "clear_on_drop",
--- a/Cargo.toml
+++ b/Cargo.toml
@ -3,6 +3,6 @@ members = ["monero-adaptor", "monero-harness", "monero-rpc", "swap", "monero-wal

 [patch.crates-io]
 torut = { git = "https://github.com/bonomat/torut/", branch = "feature-flag-tor-secret-keys", default-features = false, features = [ "v3", "control" ] }
-monero = { git = "https://github.com/comit-network/monero-rs", rev = "fee1f7054a4b8500dcf7867ebd1b9e7f693cd566" }
+monero = { git = "https://github.com/comit-network/monero-rs", rev = "2fe0280c5c8a6fadcd8fed780875e1a9e830e57e" }
 monero-epee-bin-serde = { git = "https://github.com/comit-network/monero-epee-bin-serde" }
 curve25519-dalek = { git = "https://github.com/thomaseizinger/curve25519-dalek", rev = "8cc9ad36bd30ceab6073ff64655473c6b5aa4aab" }
--- a/monero-adaptor/src/alice.rs
+++ b/monero-adaptor/src/alice.rs
@ -43,9 +43,7 @@ impl Alice0 {
        rng: &mut (impl Rng + CryptoRng),
    ) -> anyhow::Result<Self> {
        let mut fake_responses = [Scalar::zero(); 10];
-        for response in fake_responses.iter_mut().take(10) {
-            *response = Scalar::random(rng);
-        }
+        fake_responses.fill_with(|| Scalar::random(rng));
        let alpha_a = Scalar::random(rng);

        let p_k = ring[0];
@ -92,7 +90,7 @@ impl Alice0 {
            .verify(ED25519_BASEPOINT_POINT, msg.T_b, self.H_p_pk, msg.I_hat_b)?;

        let I = self.I_a + msg.I_b;
-        let sig = monero::clsag::sign(
+        let (sig, stupid_constant) = monero::clsag::sign(
            &self.msg,
            self.s_prime_a,
            0,
@ -109,10 +107,9 @@ impl Alice0 {
        );

        let sig = HalfAdaptorSignature {
-            s_0_half: sig.s[0],
-            fake_responses: self.fake_responses,
-            h_0: sig.c1,
-            D: sig.D,
+            inner: sig,
+            signing_kex_index: 0,
+            stupid_constant,
        };

        Ok(Alice1 {
@ -139,7 +136,7 @@ impl Alice1 {
    pub fn next_message(&self) -> Message2 {
        Message2 {
            d_a: Opening::new(self.fake_responses, self.I_a, self.I_hat_a, self.T_a),
-            s_0_a: self.sig.s_0_half,
+            s_0_a: self.sig.s_half(),
        }
    }

--- a/monero-adaptor/src/bob.rs
+++ b/monero-adaptor/src/bob.rs
@ -126,7 +126,7 @@ impl Bob1 {
            .verify(ED25519_BASEPOINT_POINT, T_a, self.H_p_pk, I_hat_a)?;

        let I = I_a + self.I_b;
-        let sig = monero::clsag::sign(
+        let (sig, stupid_constant) = monero::clsag::sign(
            &self.msg,
            self.s_b,
            0,
@ -142,13 +142,12 @@ impl Bob1 {
            I,
        );

-        let s_0_b = sig.s[0];
        let sig = HalfAdaptorSignature {
-            s_0_half: s_0_b,
-            fake_responses,
-            h_0: sig.c1,
-            D: sig.D,
+            inner: sig,
+            signing_kex_index: 0,
+            stupid_constant,
        };
+        let s_0_b = sig.s_half();
        let adaptor_sig = sig.complete(msg.s_0_a);

        Ok(Bob2 { s_0_b, adaptor_sig })
--- a/monero-adaptor/src/lib.rs
+++ b/monero-adaptor/src/lib.rs
@ -14,47 +14,44 @@ pub use self::bob::*;
 pub use self::commitment::*;
 pub use self::messages::*;

-use curve25519_dalek::edwards::EdwardsPoint;
 use curve25519_dalek::scalar::Scalar;
 use monero::util::ringct::Clsag;

 pub struct AdaptorSignature {
-    s_0: Scalar,
-    fake_responses: [Scalar; 10],
-    h_0: Scalar,
-    /// Commitment key image `D = z * hash_to_p3(signing_public_key)`
-    D: EdwardsPoint,
+    inner: Clsag,
+    signing_kex_index: usize,
 }

 pub struct HalfAdaptorSignature {
-    s_0_half: Scalar,
-    fake_responses: [Scalar; 10],
-    h_0: Scalar,
-    /// Commitment key image `D = z * hash_to_p3(signing_public_key)`
-    D: EdwardsPoint,
+    inner: Clsag,
+    signing_kex_index: usize,
+    stupid_constant: Scalar,
 }

 impl HalfAdaptorSignature {
    fn complete(self, s_other_half: Scalar) -> AdaptorSignature {
+        let mut sig = self.inner;
+        let signing_kex_index = self.signing_kex_index;
+
+        sig.s[signing_kex_index] += s_other_half;
+        sig.s[signing_kex_index] += self.stupid_constant;
+
        AdaptorSignature {
-            s_0: self.s_0_half + s_other_half,
-            fake_responses: self.fake_responses,
-            h_0: self.h_0,
-            D: self.D,
+            inner: sig,
+            signing_kex_index,
        }
    }
+
+    fn s_half(&self) -> Scalar {
+        self.inner.s[self.signing_kex_index]
+    }
 }

 impl AdaptorSignature {
    pub fn adapt(self, y: Scalar) -> Clsag {
-        let r_last = self.s_0 + y;
-
-        Clsag {
-            s: std::iter::once(r_last)
-                .chain(self.fake_responses.iter().copied())
-                .collect(),
-            D: self.D,
-            c1: self.h_0,
-        }
+        let mut sig = self.inner;
+        sig.s[self.signing_kex_index] += y;
+
+        sig
    }
 }
--- a/monero-adaptor/tests/protocol.rs
+++ b/monero-adaptor/tests/protocol.rs
@ -1,3 +1,5 @@
+#![allow(non_snake_case)]
+
 use curve25519_dalek::constants::ED25519_BASEPOINT_POINT;
 use curve25519_dalek::scalar::Scalar;
 use hash_edwards_to_edwards::hash_point_to_point;