CLSAG D transcripting differs from Monero's

The prover is expected to scale their D by 8**-1 prior to transmission. Then, the verifier scales it by 8 to ensure it's torsion-free but still transcripts the originally communicated version.

https://github.com/monero-project/monero/blob/257db6dff257bc9f60641b16d199ffde252655b2/src/ringct/rctSigs.cpp#L894-#L920

Serai performs the torsion clear, obtaining D without any torsion, but then then transcripts D * 8**-1. This causes transcripting of a torsion-free D * 8**-1, not the originally communicated D * 8**-1.

serai/networks/monero/ringct/clsag/src/lib.rs

Lines 377 to 382 in dc1b8df

    
           let D = self.D.mul_by_cofactor(); 
        
           if D.is_identity() { 
        
             Err(ClsagError::InvalidD)?; 
        
           } 
        
           let (_, c1) = core(ring, I, pseudo_out, msg, &D, &self.s, &Mode::Verify(self.c1));

serai/networks/monero/ringct/clsag/src/lib.rs

Lines 114 to 143 in dc1b8df

    
           let D_INV_EIGHT = D * INV_EIGHT(); 
        
           // Generate the transcript 
        
           // Instead of generating multiple, a single transcript is created and then edited as needed 
        
           const PREFIX: &[u8] = b"CLSAG_"; 
        
           #[rustfmt::skip] 
        
           const AGG_0: &[u8]  =       b"agg_0"; 
        
           #[rustfmt::skip] 
        
           const ROUND: &[u8]  =       b"round"; 
        
           const PREFIX_AGG_0_LEN: usize = PREFIX.len() + AGG_0.len(); 
        
           let mut to_hash = Vec::with_capacity(((2 * n) + 5) * 32); 
        
           to_hash.extend(PREFIX); 
        
           to_hash.extend(AGG_0); 
        
           to_hash.extend([0; 32 - PREFIX_AGG_0_LEN]); 
        
           let mut P = Vec::with_capacity(n); 
        
           for member in ring { 
        
             P.push(member[0]); 
        
             to_hash.extend(member[0].compress().to_bytes()); 
        
           } 
        
           let mut C = Vec::with_capacity(n); 
        
           for member in ring { 
        
             C.push(member[1] - pseudo_out); 
        
             to_hash.extend(member[1].compress().to_bytes()); 
        
           } 
        
           to_hash.extend(I.compress().to_bytes()); 
        
           to_hash.extend(D_INV_EIGHT.compress().to_bytes());

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

	let D = self.D.mul_by_cofactor();
	if D.is_identity() {
	Err(ClsagError::InvalidD)?;
	}

	let (_, c1) = core(ring, I, pseudo_out, msg, &D, &self.s, &Mode::Verify(self.c1));

	let D_INV_EIGHT = D * INV_EIGHT();

	// Generate the transcript
	// Instead of generating multiple, a single transcript is created and then edited as needed
	const PREFIX: &[u8] = b"CLSAG_";
	#[rustfmt::skip]
	const AGG_0: &[u8] = b"agg_0";
	#[rustfmt::skip]
	const ROUND: &[u8] = b"round";
	const PREFIX_AGG_0_LEN: usize = PREFIX.len() + AGG_0.len();

	let mut to_hash = Vec::with_capacity(((2 * n) + 5) * 32);
	to_hash.extend(PREFIX);
	to_hash.extend(AGG_0);
	to_hash.extend([0; 32 - PREFIX_AGG_0_LEN]);

	let mut P = Vec::with_capacity(n);
	for member in ring {
	P.push(member[0]);
	to_hash.extend(member[0].compress().to_bytes());
	}

	let mut C = Vec::with_capacity(n);
	for member in ring {
	C.push(member[1] - pseudo_out);
	to_hash.extend(member[1].compress().to_bytes());
	}

	to_hash.extend(I.compress().to_bytes());
	to_hash.extend(D_INV_EIGHT.compress().to_bytes());

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions