FCMP++: output_to_tuple {output pubkey, commitment} -> {O,I,C}

j-berman · j-berman · commit 564be619878c · 2026-03-06T17:01:46.000-08:00
- Function to convert an {output pubkey, commitment} to an output
tuple {O,I,C} in prepartion to insert the output tuple into the
curve tree.
- O = torsion cleared valid output pubkey checked for identity.
- I = key image generator.
- C = torsion cleared valid Commitment checked for identity.
- None of {O,I,C} should have torsion nor == identity.
- Introduces the OutputPair variant, which can either be Legacy
or Carrot V1 types. Legacy outputs are not checked for torsion
at consensus, and use the legacy biased hash to point fn to derive
the key image generator (I). Carrot V1 outputs **are** checked for
torsion at consensus, and use the unbiased hash to point to derive
the key image generator (I).
diff --git a/src/fcmp_pp/CMakeLists.txt b/src/fcmp_pp/CMakeLists.txt
@@ -27,10 +27,14 @@
 # THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 
 set(fcmp_pp_sources
-  fcmp_pp_crypto.cpp)
+  curve_trees.cpp
+  fcmp_pp_crypto.cpp
+  fcmp_pp_types.cpp)
 
 monero_find_all_headers(fcmp_pp_headers "${CMAKE_CURRENT_SOURCE_DIR}")
 
+add_subdirectory(fcmp_pp_rust)
+
 monero_add_library(fcmp_pp
   ${fcmp_pp_sources}
   ${fcmp_pp_headers})
diff --git a/src/fcmp_pp/curve_trees.cpp b/src/fcmp_pp/curve_trees.cpp
@@ -0,0 +1,104 @@
+// Copyright (c) 2024, The Monero Project
+// 
+// All rights reserved.
+// 
+// Redistribution and use in source and binary forms, with or without modification, are
+// permitted provided that the following conditions are met:
+// 
+// 1. Redistributions of source code must retain the above copyright notice, this list of
+//    conditions and the following disclaimer.
+// 
+// 2. Redistributions in binary form must reproduce the above copyright notice, this list
+//    of conditions and the following disclaimer in the documentation and/or other
+//    materials provided with the distribution.
+// 
+// 3. Neither the name of the copyright holder nor the names of its contributors may be
+//    used to endorse or promote products derived from this software without specific
+//    prior written permission.
+// 
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY
+// EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+// MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL
+// THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+// PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+// INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+// STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF
+// THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+#include "curve_trees.h"
+
+#include "crypto/crypto.h"
+#include "fcmp_pp_crypto.h"
+#include "fcmp_pp_types.h"
+#include "profile_tools.h"
+
+
+namespace fcmp_pp
+{
+namespace curve_trees
+{
+//----------------------------------------------------------------------------------------------------------------------
+//----------------------------------------------------------------------------------------------------------------------
+OutputTuple output_to_tuple(const OutputPair &output_pair)
+{
+    const crypto::public_key &output_pubkey = output_pubkey_cref(output_pair);
+    const crypto::ec_point &commitment      = commitment_cref(output_pair);
+
+    crypto::ec_point O = output_pubkey;
+    crypto::ec_point C = commitment;
+
+    // If the output has already been checked for torsion, then we don't need to clear torsion here
+    if (!output_checked_for_torsion(output_pair))
+    {
+        TIME_MEASURE_NS_START(clear_torsion_ns);
+
+        if (!fcmp_pp::get_valid_torsion_cleared_point(output_pubkey, O))
+            throw std::runtime_error("O is invalid for insertion to tree");
+        if (!fcmp_pp::get_valid_torsion_cleared_point(commitment, C))
+            throw std::runtime_error("C is invalid for insertion to tree");
+
+        if (O != output_pubkey)
+            LOG_PRINT_L2("Output pubkey has torsion: " << output_pubkey);
+        if (C != commitment)
+            LOG_PRINT_L2("Commitment has torsion: " << commitment);
+
+        TIME_MEASURE_NS_FINISH(clear_torsion_ns);
+
+        LOG_PRINT_L3("clear_torsion_ns: " << clear_torsion_ns);
+    }
+
+#if !defined(NDEBUG)
+    {
+        // Debug build safety checks
+        crypto::ec_point O_debug;
+        crypto::ec_point C_debug;
+        assert(fcmp_pp::get_valid_torsion_cleared_point(output_pubkey, O_debug));
+        assert(fcmp_pp::get_valid_torsion_cleared_point(commitment, C_debug));
+        assert(O == O_debug);
+        assert(C == C_debug);
+    }
+#endif
+
+    // Redundant check for safety
+    if (O == crypto::EC_I)
+        throw std::runtime_error("O cannot equal identity");
+    if (C == crypto::EC_I)
+        throw std::runtime_error("C cannot equal identity");
+
+    TIME_MEASURE_NS_START(derive_key_image_generator_ns);
+
+    // Derive key image generator using original output pubkey
+    crypto::ec_point I;
+    crypto::derive_key_image_generator(output_pubkey, use_biased_hash_to_point(output_pair), I);
+
+    TIME_MEASURE_NS_FINISH(derive_key_image_generator_ns);
+
+    LOG_PRINT_L3("derive_key_image_generator_ns: " << derive_key_image_generator_ns);
+
+    return output_tuple_from_bytes(O, I, C);
+}
+//----------------------------------------------------------------------------------------------------------------------
+//----------------------------------------------------------------------------------------------------------------------
+} //namespace curve_trees
+} //namespace fcmp_pp
diff --git a/src/fcmp_pp/curve_trees.h b/src/fcmp_pp/curve_trees.h
@@ -0,0 +1,46 @@
+// Copyright (c) 2024, The Monero Project
+// 
+// All rights reserved.
+// 
+// Redistribution and use in source and binary forms, with or without modification, are
+// permitted provided that the following conditions are met:
+// 
+// 1. Redistributions of source code must retain the above copyright notice, this list of
+//    conditions and the following disclaimer.
+// 
+// 2. Redistributions in binary form must reproduce the above copyright notice, this list
+//    of conditions and the following disclaimer in the documentation and/or other
+//    materials provided with the distribution.
+// 
+// 3. Neither the name of the copyright holder nor the names of its contributors may be
+//    used to endorse or promote products derived from this software without specific
+//    prior written permission.
+// 
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY
+// EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+// MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL
+// THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+// PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+// INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+// STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF
+// THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+#pragma once
+
+#include "crypto/crypto.h"
+#include "fcmp_pp_types.h"
+#include "misc_log_ex.h"
+
+
+namespace fcmp_pp
+{
+namespace curve_trees
+{
+//----------------------------------------------------------------------------------------------------------------------
+//----------------------------------------------------------------------------------------------------------------------
+OutputTuple output_to_tuple(const OutputPair &output_pair);
+//----------------------------------------------------------------------------------------------------------------------
+//----------------------------------------------------------------------------------------------------------------------
+} //namespace curve_trees
+} //namespace fcmp_pp
diff --git a/src/fcmp_pp/fcmp_pp_rust/CMakeLists.txt b/src/fcmp_pp/fcmp_pp_rust/CMakeLists.txt
@@ -0,0 +1,27 @@
+# Copyright (c) 2024, The Monero Project
+#
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without modification, are
+# permitted provided that the following conditions are met:
+#
+# 1. Redistributions of source code must retain the above copyright notice, this list of
+#    conditions and the following disclaimer.
+#
+# 2. Redistributions in binary form must reproduce the above copyright notice, this list
+#    of conditions and the following disclaimer in the documentation and/or other
+#    materials provided with the distribution.
+#
+# 3. Neither the name of the copyright holder nor the names of its contributors may be
+#    used to endorse or promote products derived from this software without specific
+#    prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY
+# EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL
+# THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+# PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+# STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF
+# THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
diff --git a/src/fcmp_pp/fcmp_pp_rust/fcmp++.h b/src/fcmp_pp/fcmp_pp_rust/fcmp++.h
@@ -0,0 +1,39 @@
+// Copyright (c) 2025, The Monero Project
+// 
+// All rights reserved.
+// 
+// Redistribution and use in source and binary forms, with or without modification, are
+// permitted provided that the following conditions are met:
+// 
+// 1. Redistributions of source code must retain the above copyright notice, this list of
+//    conditions and the following disclaimer.
+// 
+// 2. Redistributions in binary form must reproduce the above copyright notice, this list
+//    of conditions and the following disclaimer in the documentation and/or other
+//    materials provided with the distribution.
+// 
+// 3. Neither the name of the copyright holder nor the names of its contributors may be
+//    used to endorse or promote products derived from this software without specific
+//    prior written permission.
+// 
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY
+// EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+// MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL
+// THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+// PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+// INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+// STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF
+// THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+#pragma once
+
+#include <stdint.h>
+
+
+struct OutputTuple
+{
+  uint8_t O[32];
+  uint8_t I[32];
+  uint8_t C[32];
+};
diff --git a/src/fcmp_pp/fcmp_pp_types.cpp b/src/fcmp_pp/fcmp_pp_types.cpp
@@ -0,0 +1,108 @@
+// Copyright (c) 2024, The Monero Project
+//
+// All rights reserved.
+//
+// Redistribution and use in source and binary forms, with or without modification, are
+// permitted provided that the following conditions are met:
+//
+// 1. Redistributions of source code must retain the above copyright notice, this list of
+//    conditions and the following disclaimer.
+//
+// 2. Redistributions in binary form must reproduce the above copyright notice, this list
+//    of conditions and the following disclaimer in the documentation and/or other
+//    materials provided with the distribution.
+//
+// 3. Neither the name of the copyright holder nor the names of its contributors may be
+//    used to endorse or promote products derived from this software without specific
+//    prior written permission.
+//
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY
+// EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+// MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL
+// THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+// PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+// INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+// STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF
+// THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+#include "fcmp_pp_types.h"
+
+#include "misc_log_ex.h"
+
+namespace fcmp_pp
+{
+//----------------------------------------------------------------------------------------------------------------------
+//----------------------------------------------------------------------------------------------------------------------
+// Helpers
+//----------------------------------------------------------------------------------------------------------------------
+OutputTuple output_tuple_from_bytes(const crypto::ec_point &O, const crypto::ec_point &I, const crypto::ec_point &C)
+{
+    OutputTuple output_tuple;
+
+    static_assert(sizeof(output_tuple.O) == sizeof(O), "unexpected sizeof O");
+    static_assert(sizeof(output_tuple.I) == sizeof(I), "unexpected sizeof I");
+    static_assert(sizeof(output_tuple.C) == sizeof(C), "unexpected sizeof C");
+
+    memcpy(output_tuple.O, &O, sizeof(O));
+    memcpy(output_tuple.I, &I, sizeof(I));
+    memcpy(output_tuple.C, &C, sizeof(C));
+
+    return output_tuple;
+}
+//----------------------------------------------------------------------------------------------------------------------
+//----------------------------------------------------------------------------------------------------------------------
+const crypto::public_key &output_pubkey_cref(const OutputPair &output_pair)
+{
+    struct output_pair_visitor
+    {
+        const crypto::public_key &operator()(const LegacyOutputPair &o) const
+        { return o.output_pubkey; }
+        const crypto::public_key &operator()(const CarrotOutputPairV1 &o) const
+        { return o.output_pubkey; }
+    };
+
+    return std::visit(output_pair_visitor{}, output_pair);
+}
+//----------------------------------------------------------------------------------------------------------------------
+const crypto::ec_point &commitment_cref(const OutputPair &output_pair)
+{
+    struct output_pair_visitor
+    {
+        const crypto::ec_point &operator()(const LegacyOutputPair &o) const
+        { return o.commitment; }
+        const crypto::ec_point &operator()(const CarrotOutputPairV1 &o) const
+        { return o.commitment; }
+    };
+
+    return std::visit(output_pair_visitor{}, output_pair);
+}
+//----------------------------------------------------------------------------------------------------------------------
+bool output_checked_for_torsion(const OutputPair &output_pair)
+{
+    struct output_pair_visitor
+    {
+        bool operator()(const CarrotOutputPairV1&) const
+        { return true; }
+        bool operator()(const LegacyOutputPair&) const
+        { return false; }
+    };
+
+    return std::visit(output_pair_visitor{}, output_pair);
+}
+//----------------------------------------------------------------------------------------------------------------------
+bool use_biased_hash_to_point(const OutputPair &output_pair)
+{
+    struct output_pair_visitor
+    {
+        bool operator()(const CarrotOutputPairV1&) const
+        { return false; }
+        bool operator()(const LegacyOutputPair&) const
+        { return true; }
+    };
+
+    return std::visit(output_pair_visitor{}, output_pair);
+}
+//----------------------------------------------------------------------------------------------------------------------
+//----------------------------------------------------------------------------------------------------------------------
+}//namespace fcmp_pp
diff --git a/src/fcmp_pp/fcmp_pp_types.h b/src/fcmp_pp/fcmp_pp_types.h
diff --git a/src/fcmp_pp/ffi_api_c_compat.c b/src/fcmp_pp/ffi_api_c_compat.c
