carrot+fcmp: order rerandomized outputs for SA/L proofs

And transfer small amount in k_anonymity test so FCMP++ can handle the amount with limited # of inputs.

Author: jeffro256

src/wallet/tx_builder.cpp

@@ -40,6 +40,7 @@
 #include "carrot_impl/tx_builder_outputs.h"
 #include "carrot_impl/format_utils.h"
 #include "carrot_impl/input_selection.h"
+#include "common/apply_permutation.h"
 #include "common/container_helpers.h"
 #include "common/perf_timer.h"
 #include "common/threadpool.h"
@@ -817,10 +818,6 @@ std::unordered_map<crypto::key_image, fcmp_pp::FcmpPpSalProof> sign_carrot_trans
     CHECK_AND_ASSERT_THROW_MES(rerandomized_outputs.size() == n_inputs,
         __func__ << ": wrong size for rerandomized_outputs");
 
-    std::unordered_map<crypto::key_image, fcmp_pp::FcmpPpSalProof> sal_proofs_by_ki;
-
-    const auto best_transfer_by_ota = collect_non_burned_transfers_by_onetime_address(transfers);
-
     //! @TODO: carrot hierarchy
     const carrot::cryptonote_hierarchy_address_device_ram_borrowed addr_dev(
         acc_keys.m_account_address.m_spend_public_key,
@@ -839,6 +836,7 @@ std::unordered_map<crypto::key_image, fcmp_pp::FcmpPpSalProof> sign_carrot_trans
         key_image_dev,
         signable_tx_hash);
 
+    std::unordered_map<crypto::key_image, fcmp_pp::FcmpPpSalProof> sal_proofs_by_ki;
     for (size_t input_idx = 0; input_idx < n_inputs; ++input_idx)
     {
         //! @TODO: spend device
@@ -941,7 +939,7 @@ cryptonote::transaction finalize_all_proofs_from_transfer_details(
             __func__ << ": cannot find transfer by onetime address");
         const size_t transfer_idx = ota_it->second;
         CHECK_AND_ASSERT_THROW_MES(transfer_idx < transfers.size(),
-            "finalize_all_proofs_from_transfer_details: transfer index out of range");
+            __func__ << ": transfer index out of range");
         const wallet2_basic::transfer_details &td = transfers.at(transfer_idx);
         const fcmp_pp::curve_trees::OutputPair input_pair = td.get_output_pair();
         input_onetime_addresses.push_back(input_pair.output_pubkey);
@@ -1057,11 +1055,15 @@ cryptonote::transaction finalize_all_proofs_from_transfer_details(
     //! @TODO: parallelize jobs
     std::vector<fcmp_pp::FcmpPpSalProof> sal_proofs(n_inputs);
     tpool.submit(&pre_membership_waiter, 
-        [&tx_proposal, &sorted_input_key_images, &rerandomized_outputs, &transfers, &acc_keys, &sal_proofs](){
+        [&tx_proposal, &sorted_input_key_images, &rerandomized_outputs, &transfers, &acc_keys, &sal_proofs, &key_image_order]() {
+            // hacky: permutate tx proposal input proposals in key image order
+            carrot::CarrotTransactionProposalV1 tx_proposal_sorted_ins = tx_proposal;
+            tools::apply_permutation(key_image_order, tx_proposal_sorted_ins.input_proposals);
+
             PERF_TIMER(sign_carrot_transaction_proposal_from_transfer_details);
             std::unordered_map<crypto::key_image, fcmp_pp::FcmpPpSalProof> sal_proofs_by_ki =
                 sign_carrot_transaction_proposal_from_transfer_details(
-                    tx_proposal, rerandomized_outputs, transfers, acc_keys);
+                    tx_proposal_sorted_ins, rerandomized_outputs, transfers, acc_keys);
 
             CHECK_AND_ASSERT_THROW_MES(sal_proofs.size() == sorted_input_key_images.size(),
                 __func__ << ": bad SA/L result buffer size");

tests/functional_tests/k_anonymity.py

@@ -162,6 +162,8 @@ def transfer_around(self):
 
         print("Creating transfers b/t wallets")
 
+        max_n_inputs = 8
+
         num_successful_transfers = 0
         fee_margin = 0.05 # 5%
         for sender in range(N):
@@ -175,6 +177,15 @@ def transfer_around(self):
                     break
                 imperfect_starting_balance = unlocked_balance * (N - 1) / (N - 1 - j) * (1 - fee_margin)
                 transfer_amount = int(imperfect_starting_balance / (N - 1))
+
+                # Limit transfer amount to sum of max_n_inputs-1 random unlocked input candidates,
+                # so that FCMP++ txs can always pay the target sum
+                incoming_transfers = self.wallet[sender].get_transfers(out=False, pending=False, pool=False)['in']
+                unlocked_incoming_transfers = list(filter(lambda e: not e.locked, incoming_transfers))
+                random.shuffle(unlocked_incoming_transfers)
+                random_unlocked_subset_sum = sum(e.amount for e in unlocked_incoming_transfers[:(max_n_inputs-1)])
+                transfer_amount = min(transfer_amount, random_unlocked_subset_sum)
+
                 assert transfer_amount < unlocked_balance
                 dst = {'address': pub_addrs[receiver], 'amount': transfer_amount}
                 res = self.wallet[sender].transfer([dst], get_tx_metadata = True)