Monero: use only the first input ring length for RCT deserialization. #504
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This is what Monero does: https://github.com/monero-project/monero/blob/ac02af92867590ca80b2779a7bbeafa99ff94dcb/src/ringct/rctTypes.h#L422 https://github.com/monero-project/monero/blob/master/src/cryptonote_basic/cryptonote_basic.h#L308-L309 This isn't an issue for current transactions as from hf 12 Monero requires all inputs to have the same number of decoys but for transactions before that Monero would reject RCT txs with differing ring lengths. Monero would deserialize each inputs signature using the ring length of the first so the signatures for inputs other than the first would have a different (wrong) number of elements for that input meaning the signature is invalid. But as we are using the ring length of each input, which arguably is the *correct* way, we would approve of transactions with inputs differing in ring lengths.
Boog900
changed the title
|
ACK. Thanks for tightening this up :) |
kayabaNerve
added
bug
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This changes RCT deserialization to use the first inputs ring size for all inputs, which is how Monero does it [1] [2]. By using the first inputs ring size for all inputs Monero restricts all RCT transactions to have the same number of ring members across all inputs, otherwise the signatures would be incorrect as they would have a different number of elements than required.
This isn't an issue for current txs as from hf 12 Monero requires all inputs to have the same number of decoys anyway, but for transactions before that we would accept RCT txs with inputs differing in ring size whereas Monero would reject them.
I could add a rule in Cuprate that all RCT txs must have a constant number of decoys but I think it would be better to fix this mismatch in deserialization.
This also adds a check I missed in #383, Monero checks that MLSAG signatures have at least 2 ring members.