6

In principle it's clear from the CN whitepaper:

Bob checks every passing transaction with his private key (a,b), and computes P' = Hs(aR)G + B. If Alice's transaction for with Bob as the recipient was among them, then aR = arG = rA and P' = P.

What I'm interested in is the particular implementation in the current software. How I see it, there could be 2 options:

  1. For each TX, the wallet fetches R and all Ps from the daemon, and computes P'. The wallet tests P' == P.
  2. For each TX, the wallet fetches only the R from the daemon, computes P' and sends it to the daemon. The daemon tests P' == P and if matching, returns the matching outputs to the wallet.

Which way is currently used? Option 1. is safer but option 2. looks like it would significantly reduce the amount of data that needs to be transferred between the wallet and daemon. Could 2. be implemented for light wallets connecting to a trusted daemon, if not already?

Edit: adding some clarification for reference

JollyMort
  • 20,004
  • 3
  • 49
  • 105

1 Answers1

3

As far as I can tell from the code, the option 1 seems to be the case. Most of the core functions of the wallet are implemented in src/wallet/wallet2.cpp. In pull_blocks which is called from within refresh, the wallet fetches individual blocks in its entirety. Subsequent to that function is process_blocks which then calls process_new_blockchain_entry which then calls process_new_transaction. In that function, the wallet generates the key derivation (i.e. the shared secret aR) which is passed to check_acc_out_precomp to test if each output in the given transaction belongs to the wallet. The actual test is performed by cryptonote::is_out_to_acc_precomp defined in src/cryptonote_core/cryptonote_format_utils.cpp.

The option 2 seems to be a natural approach for implementing light wallets and I guess it's quite feasible; I'm curious what the core devs have to say :)

kenshi84
  • 2,485
  • 1
  • 14
  • 33