fixed key image calculation for return_payment outputs

src/carrot_core/config.h

@@ -75,5 +75,6 @@ static constexpr const unsigned int CARROT_MAX_TX_INPUTS = 128;
 // SPARC addressing protocol domain separators
 static constexpr const unsigned char SPARC_DOMAIN_SEP_RETURN_PUBKEY_ENCRYPTION_MASK[] = "SPARC return pubkey encryption mask";
 static constexpr const unsigned char SPARC_DOMAIN_SEP_RETURN_ADDRESS_SCALAR[] = "SPARC return address scalar";
+static constexpr const unsigned char SPARC_DOMAIN_SEP_RETURN_INDEX_SCALAR[] = "SPARC return index scalar";
  
 } //namespace carrot

src/carrot_core/enote_utils.cpp

@@ -211,6 +211,17 @@ void make_sparc_return_privkey(const unsigned char s_sender_receiver_unctx[32],
     derive_scalar(transcript.data(), transcript.size(), s_sender_receiver_unctx, &return_privkey_out);
 }
 //-------------------------------------------------------------------------------------------------------------------
+void make_sparc_return_index(const unsigned char s_sender_receiver_unctx[32],
+                             const input_context_t &input_context,
+                             const crypto::public_key &onetime_address,
+                             const uint64_t idx,
+                             crypto::secret_key &return_index_out)
+{
+    // k_return = H_32(s_sr || input_context || Ko)
+    const auto transcript = sp::make_fixed_transcript<SPARC_DOMAIN_SEP_RETURN_INDEX_SCALAR>(input_context, onetime_address, idx);
+    derive_scalar(transcript.data(), transcript.size(), s_sender_receiver_unctx, &return_index_out);
+}
+//-------------------------------------------------------------------------------------------------------------------
 void make_sparc_return_pubkey_encryption_mask(const unsigned char s_sender_receiver_unctx[32],
     const input_context_t &input_context,
     const crypto::public_key &onetime_address,
@@ -222,22 +233,33 @@ void make_sparc_return_pubkey_encryption_mask(const unsigned char s_sender_recei
 }
 //-------------------------------------------------------------------------------------------------------------------
 void make_sparc_return_pubkey(const unsigned char s_sender_receiver_unctx[32],
-    const input_context_t &input_context,
+                              const input_context_t &input_context,
-    const view_balance_secret_device *s_view_balance_dev,
+                              const view_balance_secret_device *s_view_balance_dev,
-    const crypto::public_key &onetime_address,
+                              const crypto::public_key &onetime_address,
-    encrypted_return_pubkey_t &return_pubkey_out)
+                              const uint64_t idx,
+                              encrypted_return_pubkey_t &return_enc_pubkey_out)
 {
-    // K_return = k_return G ^ m_return
+    // K_return = k_return G + k_idx T
     crypto::secret_key k_return;
-    crypto::public_key return_pub;
+    crypto::secret_key k_idx = crypto::null_skey;
-    encrypted_return_pubkey_t K_return;
+    encrypted_return_pubkey_t return_pub;
-    encrypted_return_pubkey_t m_return;
     s_view_balance_dev->make_internal_return_privkey(input_context, onetime_address, k_return);
-    crypto::secret_key_to_public_key(k_return, return_pub);
+    make_sparc_return_index(to_bytes(onetime_address), input_context, onetime_address, idx, k_idx);
-    static_assert(sizeof(K_return.bytes) == sizeof(return_pub.data), "Size mismatch");
+    rct::key K_return;
-    memcpy(K_return.bytes, return_pub.data, sizeof(encrypted_return_pubkey_t));
+    rct::addKeys2(K_return,
+                  rct::sk2rct(k_return),
+                  rct::sk2rct(k_idx),
+                  rct::pk2rct(crypto::get_T()));
+    //K_return = rct::scalarmult8(K_return);
+    if (!rct::isInMainSubgroup(K_return))
+      throw std::runtime_error("K_return is not in main subgroup");
+    static_assert(sizeof(K_return.bytes) == sizeof(return_pub.bytes), "Size mismatch");
+    memcpy(return_pub.bytes, K_return.bytes, sizeof(encrypted_return_pubkey_t));
+
+    // return_enc = return_pub ^ m_return
+    encrypted_return_pubkey_t m_return;
     make_sparc_return_pubkey_encryption_mask(s_sender_receiver_unctx, input_context, onetime_address, m_return);
-    return_pubkey_out = K_return ^ m_return;
+    return_enc_pubkey_out = return_pub ^ m_return;
 }
 //-------------------------------------------------------------------------------------------------------------------
 //-------------------------------------------------------------------------------------------------------------------

src/carrot_core/enote_utils.h

@@ -138,6 +138,20 @@ void make_sparc_return_privkey(const unsigned char s_sender_receiver_unctx[32],
     const crypto::public_key &onetime_address,
     crypto::secret_key &return_privkey_out);
 /**
+* brief: make_sparc_return_index - return k_idx, given non-secret data
+*    k_idx = H_32(s_sr || input_context || Ko || idx)
+* param: s_sender_receiver_unctx - s_sr
+* param: input_context - input_context
+* param: onetime_address - Ko
+* param: idx
+* outparam: return_index_out - k_idx
+*/
+void make_sparc_return_index(const unsigned char s_sender_receiver_unctx[32],
+    const input_context_t &input_context,
+    const crypto::public_key &onetime_address,
+    const uint64_t idx,
+    crypto::secret_key &return_index_out);
+/**
 * brief: make_sparc_return_pubkey_encryption_mask - used for hiding return pubkey
 *    m_return = H_32(s_sr || input_context || Ko)
 * param: s_sender_receiver_unctx - s_sr
@@ -156,13 +170,15 @@ void make_sparc_return_pubkey_encryption_mask(const unsigned char s_sender_recei
 * param: input_context - input_context
 * param: s_view_balance_dev - s_vb
 * param: onetime_address - Ko
+* param: idx
 * outparam: return_pubkey_mask_out - K_return
 */
 void make_sparc_return_pubkey(const unsigned char s_sender_receiver_unctx[32],
-    const input_context_t &input_context,
+                              const input_context_t &input_context,
-    const view_balance_secret_device *s_view_balance_dev,
+                              const view_balance_secret_device *s_view_balance_dev,
-    const crypto::public_key &onetime_address,
+                              const crypto::public_key &onetime_address,
-    encrypted_return_pubkey_t &return_pubkey_out);
+                              const uint64_t idx,
+                              encrypted_return_pubkey_t &return_pubkey_out);
 /**
 * brief: make_carrot_input_context_coinbase - input context for a sender-receiver secret (coinbase txs)
 *    input_context = "C" || IntToBytes256(block_index)

src/carrot_core/output_set_finalization.cpp

@@ -361,11 +361,11 @@ void get_output_enote_proposals(const std::vector<CarrotPaymentProposalV1> &norm
         component_out_of_order, "this set contains duplicate onetime addresses");
 
     // assert all K_o lie in prime order subgroup
-    // for (const RCTOutputEnoteProposal &output_enote_proposal : output_enote_proposals_out)
+    for (const RCTOutputEnoteProposal &output_enote_proposal : output_enote_proposals_out)
-    // {
+    {
-    //     CARROT_CHECK_AND_THROW(rct::isInMainSubgroup(rct::pk2rct(output_enote_proposal.enote.onetime_address)),
+        CARROT_CHECK_AND_THROW(rct::isInMainSubgroup(rct::pk2rct(output_enote_proposal.enote.onetime_address)),
-    //         invalid_point, "this set contains an invalid onetime address");
+                               invalid_point, "this set contains an invalid onetime address");
-    // }
+    }
 
     // assert unique and non-trivial k_a
     memcmp_set<crypto::secret_key> amount_blinding_factors;

src/carrot_core/payment_proposal.cpp

@@ -208,10 +208,11 @@ static void get_external_output_proposal_parts(const mx25519_pubkey &s_sender_re
     // 4. construct the return pubkey
     if (s_view_balance_dev != nullptr)
         make_sparc_return_pubkey(s_sender_receiver_unctx.data,
-            input_context,
+                                 input_context,
-            s_view_balance_dev,
+                                 s_view_balance_dev,
-            onetime_address_out,
+                                 onetime_address_out,
-            return_pubkey_out);
+                                 0/*idx*/,
+                                 return_pubkey_out);
 }
 //-------------------------------------------------------------------------------------------------------------------    
 //-------------------------------------------------------------------------------------------------------------------

src/carrot_core/scan.cpp

@@ -34,6 +34,11 @@
 //local headers
 #include "destination.h"
 #include "enote_utils.h"
+extern "C"
+{
+#include "crypto/crypto-ops.h"
+}
+#include "crypto/generators.h"
 #include "ringct/rctOps.h"
 #include "scan_unsafe.h"
 
@@ -508,20 +513,31 @@ bool try_scan_carrot_enote_internal_receiver(const CarrotEnoteV1 &enote,
             const carrot::input_context_t input_context = carrot::make_carrot_input_context(enote.tx_first_key_image);
             account.s_view_balance_dev.make_internal_return_privkey(input_context, output_key, k_return);
 
-            // compute K_return = k_return * G
+            // make k_idx
-            crypto::public_key K_return;
+            crypto::secret_key k_idx = crypto::null_skey;
-            crypto::secret_key_to_public_key(k_return, K_return);
+            uint64_t idx = 0;
+            make_sparc_return_index(to_bytes(output_key), input_context, output_key, idx, k_idx);
+
+            // compute K_return = k_return * G + k_idx * T
+            rct::key K_return;
+            rct::addKeys2(K_return,
+                          rct::sk2rct(k_return),
+                          rct::sk2rct(k_idx),
+                          rct::pk2rct(crypto::get_T()));
+            //K_return = rct::scalarmult8(K_return);
 
             // compute K_r = K_return + K_o
-            crypto::public_key K_r = rct::rct2pk(rct::addKeys(rct::pk2rct(K_return), rct::pk2rct(enote.onetime_address)));
+            crypto::public_key K_r = rct::rct2pk(rct::addKeys(K_return, rct::pk2rct(enote.onetime_address)));
 
             // calculate the key image for the return output
             crypto::secret_key sum_g;
             sc_add(to_bytes(sum_g), to_bytes(sender_extension_g_out), to_bytes(k_return));
+            crypto::secret_key sum_t;
+            sc_add(to_bytes(sum_t), to_bytes(sender_extension_t_out), to_bytes(k_idx));
             crypto::key_image key_image = account.derive_key_image(
                 account.get_keys().m_carrot_account_address.m_spend_public_key,
                 sum_g,
-                sender_extension_t_out,
+                sum_t,
                 K_r
             );
 
@@ -529,7 +545,7 @@ bool try_scan_carrot_enote_internal_receiver(const CarrotEnoteV1 &enote,
             account.try_searching_for_opening_for_onetime_address(
                 account.get_keys().m_carrot_account_address.m_spend_public_key,
                 sum_g,
-                sender_extension_t_out,
+                sum_t,
                 x,
                 y
             );