xmr: bp last mask fix (+20 squashed commits)

Squashed commits: [fa1c362] xmr: black [3f3e31f] xmr: bulletproofs added to signer [d23d928] xmr: protocol.tsx_sign_builder - logger collects [a28eb55] xmr: bp - memory optimizations [d2fcb23] xmr: tests for bulletproofs added [82eef14] xmr: bp - gc (+14 squashed commits) Squashed commits: [4cf70d9] xmr: bp - gc [42877b0] xmr: bp - minor memory optimization [2c612e4] xmr: bp - use sc_inv_into [d7e9dab] xmr: bp - KeyVEval fix [1523f40] xmr: bp - blacked [b264a65] xmr: bp - KeyVEval - caching current element, avoid allocations [83ba7a6] xmr: bp - memory view optimized [b517906] xmr: bp - gc() during inversion [92d37c8] xmr: bp - gc.collect() after expensive inversion [e7fad55] xmr: bp - hashing memory optimization [4c27815] xmr: bp - deterministic masks optimization, prove_s1 optim [cbf74a7] xmr: bp - detect which modular inversion is usable [8ea1ec4] xmr: better memory tracing for bulletproofs [2f4dd55] xmr: bulletproofs added [1928e2d] xmr: crypto - sc_inv_into added (+2 squashed commits) Squashed commits: [f895fa6] xmr: crypto - hash to existing buffer [b76c6b0] xmr: crypto - in-place crypto functions added - required for Bulletproof to minimize the heap fragmentation [cab4366] extmod: monero - modular inversion mod curve order added (+2 squashed commits) Squashed commits: [52a6e48] extmod: monero - hash into buffer added [695a382] extmod: monero module - muladd256_modm added - required for Bulletproof [3f4498d] xmr: crypto tests added - basic unit tests for crypto, tests monero module and underlying trezor-crypto + basic address manipulation [820d012] pb sync [49eeddd] vendor: trezor-common version bump [3038244] xmr: crypto - point norm not needed [89701c4] tests: xmr - serializer tests added [bfee46d] tests: support async unit tests, assertListEqual added [55c1448] xmr: serialize - serialization logic cleaned, refactored [4b77163] xmr: simplification, do not ask to confirm change tx output - change address checked to match main address in the builder [f334d8a] xmr: protocol: simplification - require change address to equal the main address [1a3416e] xmr: unpack256_modm_noreduce added - 32B array to integer mod curve order, without modular reduction after conversion - required for bulletproofs [1c94b5d] xmr: readme added [3cc9f9f] extmod/monero: mul256_modm added, required for BP
trezor · Aug 18, 2018 · cf0a710 · cf0a710
1 parent baf2dd0
commit cf0a710
Show file tree

Hide file tree

Showing 51 changed files with 3,462 additions and 512 deletions.
diff --git a/embed/extmod/modtrezorcrypto/modtrezorcrypto-monero.h b/embed/extmod/modtrezorcrypto/modtrezorcrypto-monero.h
@@ -22,6 +22,8 @@
 #include "py/mpz.h"
 
 #include "monero/monero.h"
+#include "bignum.h"
+
 #define RSIG_SIZE 6176
 
 typedef struct _mp_obj_hasher_t {
@@ -368,6 +370,19 @@ STATIC mp_obj_t mod_trezorcrypto_monero_sub256_modm(size_t n_args, const mp_obj_
 }
 STATIC MP_DEFINE_CONST_FUN_OBJ_VAR_BETWEEN(mod_trezorcrypto_monero_sub256_modm_obj, 2, 3, mod_trezorcrypto_monero_sub256_modm);
 
+//void sub256_modm
+STATIC mp_obj_t mod_trezorcrypto_monero_mul256_modm(size_t n_args, const mp_obj_t *args){
+    mp_obj_t res = n_args == 3 ? args[0] : mp_obj_new_scalar();
+    const int off = n_args == 3 ? 0 : -1;
+
+    assert_scalar(res);
+    assert_scalar(args[1+off]);
+    assert_scalar(args[2+off]);
+    mul256_modm(MP_OBJ_SCALAR(res), MP_OBJ_C_SCALAR(args[1+off]), MP_OBJ_C_SCALAR(args[2+off]));
+    return res;
+}
+STATIC MP_DEFINE_CONST_FUN_OBJ_VAR_BETWEEN(mod_trezorcrypto_monero_mul256_modm_obj, 2, 3, mod_trezorcrypto_monero_mul256_modm);
+
 //void mulsub256_modm
 STATIC mp_obj_t mod_trezorcrypto_monero_mulsub256_modm(size_t n_args, const mp_obj_t *args){
     mp_obj_t res = n_args == 4 ? args[0] : mp_obj_new_scalar();
@@ -382,6 +397,43 @@ STATIC mp_obj_t mod_trezorcrypto_monero_mulsub256_modm(size_t n_args, const mp_o
 }
 STATIC MP_DEFINE_CONST_FUN_OBJ_VAR_BETWEEN(mod_trezorcrypto_monero_mulsub256_modm_obj, 3, 4, mod_trezorcrypto_monero_mulsub256_modm);
 
+//void muladd256_modm
+STATIC mp_obj_t mod_trezorcrypto_monero_muladd256_modm(size_t n_args, const mp_obj_t *args){
+    mp_obj_t res = n_args == 4 ? args[0] : mp_obj_new_scalar();
+    const int off = n_args == 4 ? 0 : -1;
+
+    assert_scalar(res);
+    assert_scalar(args[1+off]);
+    assert_scalar(args[2+off]);
+    assert_scalar(args[3+off]);
+    muladd256_modm(MP_OBJ_SCALAR(res), MP_OBJ_C_SCALAR(args[1+off]), MP_OBJ_C_SCALAR(args[2+off]), MP_OBJ_C_SCALAR(args[3+off]));
+    return res;
+}
+STATIC MP_DEFINE_CONST_FUN_OBJ_VAR_BETWEEN(mod_trezorcrypto_monero_muladd256_modm_obj, 3, 4, mod_trezorcrypto_monero_muladd256_modm);
+
+//void inv256_modm
+STATIC mp_obj_t mod_trezorcrypto_monero_inv256_modm(size_t n_args, const mp_obj_t *args){
+    mp_obj_t res = n_args == 2 ? args[0] : mp_obj_new_scalar();
+    const int off = n_args == 2 ? 0 : -1;
+
+    assert_scalar(res);
+    assert_scalar(args[1+off]);
+
+    uint8_t buff[32];
+    bignum256 bn_prime;
+    bignum256 bn_x;
+    const char * L = "\xed\xd3\xf5\x5c\x1a\x63\x12\x58\xd6\x9c\xf7\xa2\xde\xf9\xde\x14\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x10";
+
+    contract256_modm(buff, MP_OBJ_C_SCALAR(args[1+off]));
+    bn_read_le((const uint8_t *)L, &bn_prime);
+    bn_read_le(buff, &bn_x);
+    bn_inverse(&bn_x, &bn_prime);
+    bn_write_le(&bn_x, buff);
+    expand_raw256_modm(MP_OBJ_SCALAR(res), buff);
+    return res;
+}
+STATIC MP_DEFINE_CONST_FUN_OBJ_VAR_BETWEEN(mod_trezorcrypto_monero_inv256_modm_obj, 1, 2, mod_trezorcrypto_monero_inv256_modm);
+
 //void contract256_modm_r
 STATIC mp_obj_t mod_trezorcrypto_monero_pack256_modm(const mp_obj_t arg){
     assert_scalar(arg);
@@ -415,6 +467,23 @@ STATIC mp_obj_t mod_trezorcrypto_monero_unpack256_modm(size_t n_args, const mp_o
 }
 STATIC MP_DEFINE_CONST_FUN_OBJ_VAR_BETWEEN(mod_trezorcrypto_monero_unpack256_modm_obj, 1, 2, mod_trezorcrypto_monero_unpack256_modm);
 
+//expand256_modm_r
+STATIC mp_obj_t mod_trezorcrypto_monero_unpack256_modm_noreduce(size_t n_args, const mp_obj_t *args){
+    mp_obj_t res = n_args == 2 ? args[0] : mp_obj_new_scalar();
+    const int off = n_args == 2 ? 0 : -1;
+    assert_scalar(res);
+
+    mp_buffer_info_t buff;
+    mp_get_buffer_raise(args[1+off], &buff, MP_BUFFER_READ);
+    if (buff.len != 32) {
+        mp_raise_ValueError("Invalid length of secret key");
+    }
+
+    expand_raw256_modm(MP_OBJ_SCALAR(res), buff.buf);
+    return res;
+}
+STATIC MP_DEFINE_CONST_FUN_OBJ_VAR_BETWEEN(mod_trezorcrypto_monero_unpack256_modm_noreduce_obj, 1, 2, mod_trezorcrypto_monero_unpack256_modm_noreduce);
+
 //
 // GE25519 Defs
 //
@@ -679,14 +748,25 @@ STATIC mp_obj_t mod_trezorcrypto_monero_xmr_random_scalar(size_t n_args, const m
 STATIC MP_DEFINE_CONST_FUN_OBJ_VAR_BETWEEN(mod_trezorcrypto_monero_xmr_random_scalar_obj, 0, 1, mod_trezorcrypto_monero_xmr_random_scalar);
 
 //xmr_fast_hash
-STATIC mp_obj_t mod_trezorcrypto_monero_xmr_fast_hash(const mp_obj_t arg){
+STATIC mp_obj_t mod_trezorcrypto_monero_xmr_fast_hash(size_t n_args, const mp_obj_t *args){
+    const int off = n_args == 2 ? 0 : -1;
     uint8_t buff[32];
+    uint8_t * buff_use = buff;
+    if (n_args > 1){
+        mp_buffer_info_t odata;
+        mp_get_buffer_raise(args[0], &odata, MP_BUFFER_WRITE);
+        if (odata.len < 32){
+            mp_raise_ValueError("Output buffer too small");
+        }
+        buff_use = odata.buf;
+    }
+
     mp_buffer_info_t data;
-    mp_get_buffer_raise(arg, &data, MP_BUFFER_READ);
-    xmr_fast_hash(buff, data.buf, data.len);
-    return mp_obj_new_bytes(buff, 32);
+    mp_get_buffer_raise(args[1+off], &data, MP_BUFFER_READ);
+    xmr_fast_hash(buff_use, data.buf, data.len);
+    return n_args == 2 ? args[0] : mp_obj_new_bytes(buff, 32);
 }
-STATIC MP_DEFINE_CONST_FUN_OBJ_1(mod_trezorcrypto_monero_xmr_fast_hash_obj, mod_trezorcrypto_monero_xmr_fast_hash);
+STATIC MP_DEFINE_CONST_FUN_OBJ_VAR_BETWEEN(mod_trezorcrypto_monero_xmr_fast_hash_obj, 1, 2, mod_trezorcrypto_monero_xmr_fast_hash);
 
 //xmr_hash_to_ec
 STATIC mp_obj_t mod_trezorcrypto_monero_xmr_hash_to_ec(size_t n_args, const mp_obj_t *args){
@@ -991,10 +1071,14 @@ STATIC const mp_rom_map_elem_t mod_trezorcrypto_monero_globals_table[] = {
     { MP_ROM_QSTR(MP_QSTR_reduce256_modm), MP_ROM_PTR(&mod_trezorcrypto_monero_reduce256_modm_obj) },
     { MP_ROM_QSTR(MP_QSTR_add256_modm), MP_ROM_PTR(&mod_trezorcrypto_monero_add256_modm_obj) },
     { MP_ROM_QSTR(MP_QSTR_sub256_modm), MP_ROM_PTR(&mod_trezorcrypto_monero_sub256_modm_obj) },
+    { MP_ROM_QSTR(MP_QSTR_mul256_modm), MP_ROM_PTR(&mod_trezorcrypto_monero_mul256_modm_obj) },
     { MP_ROM_QSTR(MP_QSTR_mulsub256_modm), MP_ROM_PTR(&mod_trezorcrypto_monero_mulsub256_modm_obj) },
+    { MP_ROM_QSTR(MP_QSTR_muladd256_modm), MP_ROM_PTR(&mod_trezorcrypto_monero_muladd256_modm_obj) },
+    { MP_ROM_QSTR(MP_QSTR_inv256_modm), MP_ROM_PTR(&mod_trezorcrypto_monero_inv256_modm_obj) },
     { MP_ROM_QSTR(MP_QSTR_pack256_modm), MP_ROM_PTR(&mod_trezorcrypto_monero_pack256_modm_obj) },
     { MP_ROM_QSTR(MP_QSTR_pack256_modm_into), MP_ROM_PTR(&mod_trezorcrypto_monero_pack256_modm_into_obj) },
     { MP_ROM_QSTR(MP_QSTR_unpack256_modm), MP_ROM_PTR(&mod_trezorcrypto_monero_unpack256_modm_obj) },
+    { MP_ROM_QSTR(MP_QSTR_unpack256_modm_noreduce), MP_ROM_PTR(&mod_trezorcrypto_monero_unpack256_modm_noreduce_obj) },
     { MP_ROM_QSTR(MP_QSTR_ge25519_set_neutral), MP_ROM_PTR(&mod_trezorcrypto_monero_ge25519_set_neutral_obj) },
     { MP_ROM_QSTR(MP_QSTR_ge25519_set_h), MP_ROM_PTR(&mod_trezorcrypto_monero_ge25519_set_xmr_h_obj) },
     { MP_ROM_QSTR(MP_QSTR_ge25519_pack), MP_ROM_PTR(&mod_trezorcrypto_monero_ge25519_pack_obj) },