Make adaptor signature protocol pass

Cargo.lock

@@ -2305,7 +2305,7 @@ dependencies = [
 [[package]]
 name = "monero"
 version = "0.12.0"
-source = "git+https://github.com/comit-network/monero-rs?rev=fee1f7054a4b8500dcf7867ebd1b9e7f693cd566#fee1f7054a4b8500dcf7867ebd1b9e7f693cd566"
+source = "git+https://github.com/comit-network/monero-rs?rev=2fe0280c5c8a6fadcd8fed780875e1a9e830e57e#2fe0280c5c8a6fadcd8fed780875e1a9e830e57e"
 dependencies = [
  "base58-monero",
  "clear_on_drop",

Cargo.toml

@@ -3,6 +3,6 @@ members = ["monero-adaptor", "monero-harness", "monero-rpc", "swap", "monero-wal
 
 [patch.crates-io]
 torut = { git = "https://github.com/bonomat/torut/", branch = "feature-flag-tor-secret-keys", default-features = false, features = [ "v3", "control" ] }
-monero = { git = "https://github.com/comit-network/monero-rs", rev = "fee1f7054a4b8500dcf7867ebd1b9e7f693cd566" }
+monero = { git = "https://github.com/comit-network/monero-rs", rev = "2fe0280c5c8a6fadcd8fed780875e1a9e830e57e" }
 monero-epee-bin-serde = { git = "https://github.com/comit-network/monero-epee-bin-serde" }
 curve25519-dalek = { git = "https://github.com/thomaseizinger/curve25519-dalek", rev = "8cc9ad36bd30ceab6073ff64655473c6b5aa4aab" }

monero-adaptor/src/alice.rs

@@ -43,9 +43,7 @@ impl Alice0 {
         rng: &mut (impl Rng + CryptoRng),
     ) -> anyhow::Result<Self> {
         let mut fake_responses = [Scalar::zero(); 10];
-        for response in fake_responses.iter_mut().take(10) {
+        fake_responses.fill_with(|| Scalar::random(rng));
-            *response = Scalar::random(rng);
-        }
         let alpha_a = Scalar::random(rng);
 
         let p_k = ring[0];
@@ -92,7 +90,7 @@ impl Alice0 {
             .verify(ED25519_BASEPOINT_POINT, msg.T_b, self.H_p_pk, msg.I_hat_b)?;
 
         let I = self.I_a + msg.I_b;
-        let sig = monero::clsag::sign(
+        let (sig, stupid_constant) = monero::clsag::sign(
             &self.msg,
             self.s_prime_a,
             0,
@@ -109,10 +107,9 @@ impl Alice0 {
         );
 
         let sig = HalfAdaptorSignature {
-            s_0_half: sig.s[0],
+            inner: sig,
-            fake_responses: self.fake_responses,
+            signing_kex_index: 0,
-            h_0: sig.c1,
+            stupid_constant,
-            D: sig.D,
         };
 
         Ok(Alice1 {
@@ -139,7 +136,7 @@ impl Alice1 {
     pub fn next_message(&self) -> Message2 {
         Message2 {
             d_a: Opening::new(self.fake_responses, self.I_a, self.I_hat_a, self.T_a),
-            s_0_a: self.sig.s_0_half,
+            s_0_a: self.sig.s_half(),
         }
     }
 

monero-adaptor/src/bob.rs

@@ -126,7 +126,7 @@ impl Bob1 {
             .verify(ED25519_BASEPOINT_POINT, T_a, self.H_p_pk, I_hat_a)?;
 
         let I = I_a + self.I_b;
-        let sig = monero::clsag::sign(
+        let (sig, stupid_constant) = monero::clsag::sign(
             &self.msg,
             self.s_b,
             0,
@@ -142,13 +142,12 @@ impl Bob1 {
             I,
         );
 
-        let s_0_b = sig.s[0];
         let sig = HalfAdaptorSignature {
-            s_0_half: s_0_b,
+            inner: sig,
-            fake_responses,
+            signing_kex_index: 0,
-            h_0: sig.c1,
+            stupid_constant,
-            D: sig.D,
         };
+        let s_0_b = sig.s_half();
         let adaptor_sig = sig.complete(msg.s_0_a);
 
         Ok(Bob2 { s_0_b, adaptor_sig })

monero-adaptor/src/lib.rs

@@ -14,47 +14,44 @@ pub use self::bob::*;
 pub use self::commitment::*;
 pub use self::messages::*;
 
-use curve25519_dalek::edwards::EdwardsPoint;
 use curve25519_dalek::scalar::Scalar;
 use monero::util::ringct::Clsag;
 
 pub struct AdaptorSignature {
-    s_0: Scalar,
+    inner: Clsag,
-    fake_responses: [Scalar; 10],
+    signing_kex_index: usize,
-    h_0: Scalar,
-    /// Commitment key image `D = z * hash_to_p3(signing_public_key)`
-    D: EdwardsPoint,
 }
 
 pub struct HalfAdaptorSignature {
-    s_0_half: Scalar,
+    inner: Clsag,
-    fake_responses: [Scalar; 10],
+    signing_kex_index: usize,
-    h_0: Scalar,
+    stupid_constant: Scalar,
-    /// Commitment key image `D = z * hash_to_p3(signing_public_key)`
-    D: EdwardsPoint,
 }
 
 impl HalfAdaptorSignature {
     fn complete(self, s_other_half: Scalar) -> AdaptorSignature {
+        let mut sig = self.inner;
+        let signing_kex_index = self.signing_kex_index;
+
+        sig.s[signing_kex_index] += s_other_half;
+        sig.s[signing_kex_index] += self.stupid_constant;
+
         AdaptorSignature {
-            s_0: self.s_0_half + s_other_half,
+            inner: sig,
-            fake_responses: self.fake_responses,
+            signing_kex_index,
-            h_0: self.h_0,
-            D: self.D,
         }
     }
+
+    fn s_half(&self) -> Scalar {
+        self.inner.s[self.signing_kex_index]
+    }
 }
 
 impl AdaptorSignature {
     pub fn adapt(self, y: Scalar) -> Clsag {
-        let r_last = self.s_0 + y;
+        let mut sig = self.inner;
+        sig.s[self.signing_kex_index] += y;
 
-        Clsag {
+        sig
-            s: std::iter::once(r_last)
-                .chain(self.fake_responses.iter().copied())
-                .collect(),
-            D: self.D,
-            c1: self.h_0,
-        }
     }
 }

monero-adaptor/tests/protocol.rs

@@ -1,3 +1,5 @@
+#![allow(non_snake_case)]
+
 use curve25519_dalek::constants::ED25519_BASEPOINT_POINT;
 use curve25519_dalek::scalar::Scalar;
 use hash_edwards_to_edwards::hash_point_to_point;