blockworks-foundation
/
solana-with-rpc-optimizations
mirror of https://github.com/blockworks-foundation/solana-with-rpc-optimizations.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

refactor: CloseAccount now uses zero-balance-proof

This commit is contained in:
Sam Kim 2021-12-16 09:26:39 -05:00 committed by Michael Vines
parent c26fa1d0e9
commit 584c63bcc4
6 changed files with 61 additions and 103 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

85
zk-token-sdk/src/instruction/close_account.rs
View File

@ -5,22 +5,13 @@ use {
#[cfg(not(target_arch = "bpf"))] #[cfg(not(target_arch = "bpf"))]
use { use {
crate::{ crate::{
encryption::{ encryption::elgamal::{ElGamalCiphertext, ElGamalKeypair, ElGamalPubkey},
elgamal::{ElGamalCiphertext, ElGamalKeypair, ElGamalPubkey},
pedersen::PedersenBase,
},
errors::ProofError, errors::ProofError,
instruction::Verifiable, instruction::Verifiable,
sigma_proofs::zero_balance_proof::ZeroBalanceProof, sigma_proofs::zero_balance_proof::ZeroBalanceProof,
transcript::TranscriptProtocol, transcript::TranscriptProtocol,
}, },
curve25519_dalek::{
ristretto::RistrettoPoint,
scalar::Scalar,
traits::{IsIdentity, MultiscalarMul},
},
merlin::Transcript, merlin::Transcript,
rand::rngs::OsRng,
std::convert::TryInto, std::convert::TryInto,
}; };
@ -84,42 +75,15 @@ impl CloseAccountProof {
pub fn new(source_keypair: &ElGamalKeypair, balance: &ElGamalCiphertext) -> Self { pub fn new(source_keypair: &ElGamalKeypair, balance: &ElGamalCiphertext) -> Self {
let mut transcript = Self::transcript_new(); let mut transcript = Self::transcript_new();
// TODO: Add ciphertext to transcript
// add a domain separator to record the start of the protocol // add a domain separator to record the start of the protocol
transcript.close_account_proof_domain_sep(); transcript.close_account_proof_domain_sep();
let proof = ZeroBalanceProof::new(source_keypair, balance, &mut transcript);
// extract the relevant scalar and Ristretto points from the input
let P = source_keypair.public.get_point();
let s = source_keypair.secret.get_scalar();
let C = balance.message_comm.get_point();
let D = balance.decrypt_handle.get_point();
// record ElGamal pubkey and ciphertext in the transcript
transcript.append_point(b"P", &P.compress());
transcript.append_point(b"C", &C.compress());
transcript.append_point(b"D", &D.compress());
// generate a random masking factor that also serves as a nonce
let y = Scalar::random(&mut OsRng);
let Y_P = (y * P).compress();
let Y_D = (y * D).compress();
// record Y in transcript and receive a challenge scalar
transcript.append_point(b"Y_P", &Y_P);
transcript.append_point(b"Y_D", &Y_D);
let c = transcript.challenge_scalar(b"c");
transcript.challenge_scalar(b"w");
// compute the masked secret key
let z = c * s + y;
CloseAccountProof { CloseAccountProof {
Y_P: Y_P.into(), proof: proof.into(),
Y_D: Y_D.into(),
z: z.into(),
} }
} }
@ -133,44 +97,9 @@ impl CloseAccountProof {
// add a domain separator to record the start of the protocol // add a domain separator to record the start of the protocol
transcript.close_account_proof_domain_sep(); transcript.close_account_proof_domain_sep();
// extract the relevant scalar and Ristretto points from the input // verify zero balance proof
let P = elgamal_pubkey.get_point(); let proof: ZeroBalanceProof = self.proof.try_into()?;
let C = balance.message_comm.get_point(); proof.verify(elgamal_pubkey, balance, &mut transcript)
let D = balance.decrypt_handle.get_point();
let H = PedersenBase::default().H;
let Y_P = self.Y_P.into();
let Y_D = self.Y_D.into();
let z = self.z.into();
// record ElGamal pubkey and ciphertext in the transcript
transcript.validate_and_append_point(b"P", &P.compress())?;
transcript.append_point(b"C", &C.compress());
transcript.append_point(b"D", &D.compress());
// record Y in transcript and receive challenge scalars
transcript.validate_and_append_point(b"Y_P", &Y_P)?;
transcript.append_point(b"Y_D", &Y_D);
let c = transcript.challenge_scalar(b"c");
let w = transcript.challenge_scalar(b"w"); // w used for multiscalar multiplication verification
// decompress R or return verification error
let Y_P = Y_P.decompress().ok_or(ProofError::VerificationError)?;
let Y_D = Y_D.decompress().ok_or(ProofError::VerificationError)?;
// check the required algebraic relation
let check = RistrettoPoint::multiscalar_mul(
vec![z, -c, -Scalar::one(), w * z, -w * c, -w],
vec![P, H, Y_P, D, C, Y_D],
);
if check.is_identity() {
Ok(())
} else {
Err(ProofError::VerificationError)
}
} }
} }

2
zk-token-sdk/src/instruction/transfer.rs
View File

@ -10,10 +10,10 @@ use {
elgamal::{ElGamalCiphertext, ElGamalKeypair, ElGamalPubkey, ElGamalSecretKey}, elgamal::{ElGamalCiphertext, ElGamalKeypair, ElGamalPubkey, ElGamalSecretKey},
pedersen::{Pedersen, PedersenCommitment, PedersenDecryptHandle, PedersenOpening}, pedersen::{Pedersen, PedersenCommitment, PedersenDecryptHandle, PedersenOpening},
}, },
sigma_proofs::{equality_proof::EqualityProof, validity_proof::ValidityProof},
errors::ProofError, errors::ProofError,
instruction::{Role, Verifiable}, instruction::{Role, Verifiable},
range_proof::RangeProof, range_proof::RangeProof,
sigma_proofs::{equality_proof::EqualityProof, validity_proof::ValidityProof},
transcript::TranscriptProtocol, transcript::TranscriptProtocol,
}, },
curve25519_dalek::scalar::Scalar, curve25519_dalek::scalar::Scalar,

2
zk-token-sdk/src/instruction/withdraw.rs
View File

@ -9,10 +9,10 @@ use {
elgamal::{ElGamalCiphertext, ElGamalKeypair, ElGamalPubkey}, elgamal::{ElGamalCiphertext, ElGamalKeypair, ElGamalPubkey},
pedersen::{Pedersen, PedersenCommitment, PedersenOpening}, pedersen::{Pedersen, PedersenCommitment, PedersenOpening},
}, },
sigma_proofs::equality_proof::EqualityProof,
errors::ProofError, errors::ProofError,
instruction::Verifiable, instruction::Verifiable,
range_proof::RangeProof, range_proof::RangeProof,
sigma_proofs::equality_proof::EqualityProof,
transcript::TranscriptProtocol, transcript::TranscriptProtocol,
}, },
merlin::Transcript, merlin::Transcript,

68
zk-token-sdk/src/sigma_proofs/zero_balance_proof.rs
View File

@ -34,7 +34,6 @@ impl ZeroBalanceProof {
elgamal_ciphertext: &ElGamalCiphertext, elgamal_ciphertext: &ElGamalCiphertext,
transcript: &mut Transcript, transcript: &mut Transcript,
) -> Self { ) -> Self {
// extract the relevant scalar and Ristretto points from the input // extract the relevant scalar and Ristretto points from the input
let P = elgamal_keypair.public.get_point(); let P = elgamal_keypair.public.get_point();
let s = elgamal_keypair.secret.get_scalar(); let s = elgamal_keypair.secret.get_scalar();
@ -61,11 +60,7 @@ impl ZeroBalanceProof {
// compute the masked secret key // compute the masked secret key
let z = c * s + y; let z = c * s + y;
Self { Self { Y_P, Y_D, z }
Y_P,
Y_D,
z,
}
} }
pub fn verify( pub fn verify(
@ -128,18 +123,17 @@ impl ZeroBalanceProof {
let z = Scalar::from_canonical_bytes(*z).ok_or(ProofError::FormatError)?; let z = Scalar::from_canonical_bytes(*z).ok_or(ProofError::FormatError)?;
Ok(ZeroBalanceProof { Ok(ZeroBalanceProof { Y_P, Y_D, z })
Y_P,
Y_D,
z,
})
} }
} }
#[cfg(test)] #[cfg(test)]
mod test { mod test {
use super::*; use super::*;
use crate::encryption::{elgamal::ElGamalKeypair, pedersen::Pedersen}; use crate::encryption::{
elgamal::ElGamalKeypair,
pedersen::{Pedersen, PedersenDecryptHandle, PedersenOpening},
};
#[test] #[test]
fn test_zero_balance_proof() { fn test_zero_balance_proof() {
@ -150,18 +144,34 @@ mod test {
// general case: encryption of 0 // general case: encryption of 0
let elgamal_ciphertext = source_keypair.public.encrypt(0_u64); let elgamal_ciphertext = source_keypair.public.encrypt(0_u64);
let proof = ZeroBalanceProof::new(&source_keypair, &elgamal_ciphertext, &mut transcript_prover); let proof =
assert!(proof.verify(&source_keypair.public, &elgamal_ciphertext, &mut transcript_verifier).is_ok()); ZeroBalanceProof::new(&source_keypair, &elgamal_ciphertext, &mut transcript_prover);
assert!(proof
.verify(
&source_keypair.public,
&elgamal_ciphertext,
&mut transcript_verifier
)
.is_ok());
// general case: encryption of > 0 // general case: encryption of > 0
let elgamal_ciphertext = source_keypair.public.encrypt(1_u64); let elgamal_ciphertext = source_keypair.public.encrypt(1_u64);
let proof = ZeroBalanceProof::new(&source_keypair, &elgamal_ciphertext, &mut transcript_prover); let proof =
assert!(proof.verify(&source_keypair.public, &elgamal_ciphertext, &mut transcript_verifier).is_err()); ZeroBalanceProof::new(&source_keypair, &elgamal_ciphertext, &mut transcript_prover);
assert!(proof
.verify(
&source_keypair.public,
&elgamal_ciphertext,
&mut transcript_verifier
)
.is_err());
// // edge case: all zero ciphertext - such ciphertext should always be a valid encryption of 0 // // edge case: all zero ciphertext - such ciphertext should always be a valid encryption of 0
let zeroed_ct = ElGamalCiphertext::default(); let zeroed_ct = ElGamalCiphertext::default();
let proof = ZeroBalanceProof::new(&source_keypair, &zeroed_ct, &mut transcript_prover); let proof = ZeroBalanceProof::new(&source_keypair, &zeroed_ct, &mut transcript_prover);
assert!(proof.verify(&source_keypair.public, &zeroed_ct, &mut transcript_verifier).is_ok()); assert!(proof
.verify(&source_keypair.public, &zeroed_ct, &mut transcript_verifier)
.is_ok());
// edge cases: only C or D is zero - such ciphertext is always invalid // edge cases: only C or D is zero - such ciphertext is always invalid
let zeroed_comm = Pedersen::with(0_u64, &PedersenOpening::default()); let zeroed_comm = Pedersen::with(0_u64, &PedersenOpening::default());
@ -172,9 +182,17 @@ mod test {
decrypt_handle: handle, decrypt_handle: handle,
}; };
let proof = ZeroBalanceProof::new(&source_keypair, &zeroed_comm_ciphertext, &mut transcript_prover); let proof = ZeroBalanceProof::new(
&source_keypair,
&zeroed_comm_ciphertext,
&mut transcript_prover,
);
assert!(proof assert!(proof
.verify(&source_keypair.public, &zeroed_comm_ciphertext, &mut transcript_verifier) .verify(
&source_keypair.public,
&zeroed_comm_ciphertext,
&mut transcript_verifier
)
.is_err()); .is_err());
let (zero_comm, _) = Pedersen::new(0_u64); let (zero_comm, _) = Pedersen::new(0_u64);
@ -183,9 +201,17 @@ mod test {
decrypt_handle: PedersenDecryptHandle::default(), decrypt_handle: PedersenDecryptHandle::default(),
}; };
let proof = ZeroBalanceProof::new(&source_keypair, &zeroed_handle_ciphertext, &mut transcript_prover); let proof = ZeroBalanceProof::new(
&source_keypair,
&zeroed_handle_ciphertext,
&mut transcript_prover,
);
assert!(proof assert!(proof
.verify(&source_keypair.public, &zeroed_handle_ciphertext, &mut transcript_verifier) .verify(
&source_keypair.public,
&zeroed_handle_ciphertext,
&mut transcript_verifier
)
.is_err()); .is_err());
} }
} }

5
zk-token-sdk/src/zk_token_elgamal/convert.rs
View File

@ -20,9 +20,12 @@ mod target_arch {
elgamal::{ElGamalCiphertext, ElGamalPubkey}, elgamal::{ElGamalCiphertext, ElGamalPubkey},
pedersen::{PedersenCommitment, PedersenDecryptHandle}, pedersen::{PedersenCommitment, PedersenDecryptHandle},
}, },
sigma_proofs::{equality_proof::EqualityProof, validity_proof::ValidityProof, zero_balance_proof::ZeroBalanceProof},
errors::ProofError, errors::ProofError,
range_proof::RangeProof, range_proof::RangeProof,
sigma_proofs::{
equality_proof::EqualityProof, validity_proof::ValidityProof,
zero_balance_proof::ZeroBalanceProof,
},
}, },
curve25519_dalek::{ristretto::CompressedRistretto, scalar::Scalar}, curve25519_dalek::{ristretto::CompressedRistretto, scalar::Scalar},
std::convert::TryFrom, std::convert::TryFrom,

2
zk-token-sdk/src/zk_token_elgamal/pod.rs
View File

@ -72,7 +72,7 @@ unsafe impl Pod for ValidityProof {}
/// Serialization of zero balance proofs /// Serialization of zero balance proofs
#[derive(Clone, Copy)] #[derive(Clone, Copy)]
#[repr(transparent)] #[repr(transparent)]
pub struct ZeroBalanceProof(pub [u8; 160]); pub struct ZeroBalanceProof(pub [u8; 96]);
// `ZeroBalanceProof` is a Pod and Zeroable. // `ZeroBalanceProof` is a Pod and Zeroable.
// Add the marker traits manually because `bytemuck` only adds them for some `u8` arrays // Add the marker traits manually because `bytemuck` only adds them for some `u8` arrays