
Enable supply auditing via cryptographic commitments and proofs #102

Draft: HalosGhost wants to merge 40 commits into trunk from tamper-detection/crypto
Conversation

HalosGhost (Collaborator):

This is the initial run of implementing minimal tamper detection via cryptographic commitments. There is still more work to-do (hence the draft status), but it's in a place where people can probably start digging in and offering some feedback.

No benchmarking has been done yet, but the most likely potential cause of slow-down comes from the size of the data that now needs to be transmitted. In particular, each output has an “uncompressed” rangeproof (around 4KiB). There's already a path available to reduce that size dramatically (seems like it should be possible to get the rangeproofs down to <1k total for effectively all transactions), but I haven't yet looked into tackling that problem.

Closes #101

@HalosGhost HalosGhost force-pushed the tamper-detection/crypto branch 3 times, most recently from 176bb29 to 820cbde Compare May 20, 2022 22:40
@HalosGhost HalosGhost force-pushed the tamper-detection/crypto branch 2 times, most recently from 6eb1669 to b38f027 Compare June 30, 2022 20:11
@HalosGhost HalosGhost force-pushed the tamper-detection/crypto branch 2 times, most recently from 3d82bd3 to 06f4716 Compare July 11, 2022 20:33
@HalosGhost HalosGhost force-pushed the tamper-detection/crypto branch 2 times, most recently from 39496ff to b533068 Compare September 29, 2022 21:45
HalosGhost and others added 19 commits June 8, 2023 20:13
Switching to a fork allows us to leverage bulletproofs

Signed-off-by: Sam Stuewe <[email protected]>
Includes creating commitments directly as well as a facility for
automatically creating an “xonly” Pedersen Commitment.

xonly Pedersen Commitments are a work-around to avoid a larger code-
delta for this solution. In particular, it will allow us to avoid
changing the size of a UHS ID.

Signed-off-by: Sam Stuewe <[email protected]>
These data structures will be integrated into transactions and
leveraged to implement confidential transactions.

Signed-off-by: Sam Stuewe <[email protected]>
This implementation is mostly cribbed from what we already have
for std::unordered_map and is added only because it will be easier
for us to leverage in some places.

Signed-off-by: Sam Stuewe <[email protected]>
This is separated only so it doesn't muddy review of the other, more
substantial commits.

Signed-off-by: Sam Stuewe <[email protected]>
This method allows for the easy creation of valid blinding factors
(and the associated auxiliary Pedersen Commitments) for new outputs
to be created in a transaction.

Using this helper ensures that the auxiliary commitments in a
non-minting transaction will sum to 0, and those in a minting-
transaction will equal G^{minted_value}.

Signed-off-by: Sam Stuewe <[email protected]>
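The balancing property this commit message describes, as an added example that is not part of the PR or the project's code: Pedersen commitments written in the same multiplicative G^{...} notation as the message, a helper that solves for the last output's blinding factor so the auxiliary commitment of a non-minting transaction is G^0 = 1 and that of a minting transaction is G^{minted_value}, and the verifier-side check a sentinel would run. The group parameters, generator choices and transaction values below are constructed and far too small to be secure; the real implementation uses the secp256k1-zkp fork named in the first commit.

```python
import secrets

# Constructed toy Schnorr group, for illustration only (not a secure choice).
P = 2039  # safe prime, P = 2*Q + 1
Q = 1019  # prime order of the subgroup of quadratic residues mod P
G = pow(2, 2, P)  # "value" generator: a square, hence of order Q
H = pow(3, 2, P)  # "blinding" generator; constructed here, whereas a real
                  # deployment derives H so that log_G(H) is unknown to everyone


def commit(value: int, blind: int) -> int:
    """Pedersen commitment C = G^value * H^blind (mod P)."""
    return (pow(G, value % Q, P) * pow(H, blind % Q, P)) % P


def random_blind() -> int:
    """Uniform blinding factor in Z_Q."""
    return secrets.randbelow(Q)


def make_output_blinds(input_blinds: list[int], n_outputs: int) -> list[int]:
    """Choose blinding factors for a transaction's outputs so that
    sum(output blinds) == sum(input blinds) (mod Q): the first n-1 are random
    and the last one is solved for.  For a minting transaction input_blinds is
    empty, so the output blinds sum to 0 and the product of the output
    commitments is exactly G^{minted_value}."""
    if n_outputs < 1:
        raise ValueError("a transaction needs at least one output")
    blinds = [random_blind() for _ in range(n_outputs - 1)]
    last = (sum(input_blinds) - sum(blinds)) % Q
    return blinds + [last]


def auxiliary_commitment(input_commits: list[int], output_commits: list[int]) -> int:
    """(product of output commitments) / (product of input commitments) mod P.
    By the homomorphism this equals G^{sum(out values) - sum(in values)}
    * H^{sum(out blinds) - sum(in blinds)}."""
    numerator = 1
    for c in output_commits:
        numerator = numerator * c % P
    denominator = 1
    for c in input_commits:
        denominator = denominator * c % P
    return numerator * pow(denominator, -1, P) % P


def verify_balance(input_commits: list[int], output_commits: list[int],
                   minted_value: int = 0) -> bool:
    """Verifier-side check over commitments only: the auxiliary commitment must
    be G^0 = 1 for a non-minting transaction, or G^{minted_value} for a minting
    transaction.  The verifier learns nothing about the individual values."""
    return auxiliary_commitment(input_commits, output_commits) == pow(G, minted_value % Q, P)


def demo() -> tuple[bool, bool, bool]:
    """Constructed cases: 30+20 -> 25+15+10 (balanced), a copy of the same
    outputs with one value altered to 11 (must fail), and a mint of 100."""
    in_blinds = [random_blind(), random_blind()]
    in_commits = [commit(30, in_blinds[0]), commit(20, in_blinds[1])]
    out_blinds = make_output_blinds(in_blinds, 3)
    out_commits = [commit(v, b) for v, b in zip([25, 15, 10], out_blinds)]
    balanced_ok = verify_balance(in_commits, out_commits)

    altered = out_commits[:2] + [commit(11, out_blinds[2])]
    altered_ok = verify_balance(in_commits, altered)

    mint_blinds = make_output_blinds([], 2)
    mint_commits = [commit(40, mint_blinds[0]), commit(60, mint_blinds[1])]
    mint_ok = verify_balance([], mint_commits, minted_value=100)
    return balanced_ok, altered_ok, mint_ok


if __name__ == "__main__":
    print(demo())  # (True, False, True)
```

Because exponents are reduced modulo the group order, this balance check by itself cannot tell a genuinely balanced transaction from one whose values wrapped around; that is the job of the per-output range proofs this PR attaches to every output.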
Only one is exposed as it's easiest to use in most circumstances,
but the others can be exposed in the future if-needed (exposing
them for use shouldn't have any negative side-effects).

Signed-off-by: Sam Stuewe <[email protected]>
This is the largest commit in the series by-far; however, it's not
immediately clear to me how it could be broken down further and
leave the code functional (passing all tests) at each commit.

Included in this commit:

* Redefine `input`s and `output`s to contain all the proofs
* Modify `full_tx` and `compact_tx` to include the necessary proofs
* Add routines for creating and verifying all proof criteria
* Store the proofs in the UHS (both architectures)
* Modify clients and sentinels to actually prove and verify
* Update all tests for the new structures
* Remove a few tests which are now not possible cases
* Add tests for basic round-tripping of storage through the UHS

Signed-off-by: Sam Stuewe <[email protected]>
Co-authored-by: Sam Stuewe <[email protected]>
Signed-off-by: davidmag854 <[email protected]>
Signed-off-by: Sam Stuewe <[email protected]>
Rather than try to use a pedersen commitment as a UHS ID, prefer
a nested hash (almost identical to the values-in-UHS solution).

This simplifies a lot of the prove/verify procedures, reduces the
amount of code we need overall and makes the security argument
much simpler (because the transaction format is now largely
unchanged).

Signed-off-by: Sam Stuewe <[email protected]>
…atomizer integration tests

Signed-off-by: James Lovejoy <[email protected]>
Signed-off-by: Sam Stuewe <[email protected]>
Includes:
* Pull in newest secp-zkp changes
* Fix a doxygen doc-comment problem
* remove a potentially-problematic header include

Signed-off-by: Sam Stuewe <[email protected]>
wadagso-gertjaap and others added 19 commits June 8, 2023 20:13
In the atomizer load-generator, several timestamps were not
initialized; their first use was with `operator+=`.

This simply initializes them to 0 making that first use valid.

Signed-off-by: Sam Stuewe <[email protected]>
Includes:
* fixing all tests (locally, at least)
* correctly checking transaction balancing

Signed-off-by: Sam Stuewe <[email protected]>
… changes

Signed-off-by: Alexander Jung <[email protected]>

Set dummy rangeproof for outputs for unit tests where needed

Signed-off-by: Alexander Jung <[email protected]>
Signed-off-by: Sam Stuewe <[email protected]>
Also includes modifying twophase mode's transaction-creation
to reuse pedersen-commitments/range-proofs

Signed-off-by: Sam Stuewe <[email protected]>
Successfully merging this pull request may close these issues: Enable supply auditing by storing cryptographic commitments (#101)

5 participants