From df1ecc72b1d49cd75bfc7e2c57be9fd1d67e3e2b Mon Sep 17 00:00:00 2001 From: Deirdre Connolly Date: Thu, 11 Mar 2021 07:22:08 -0500 Subject: [PATCH] Most things are filled in, including a guess at Pallas-based Mixing Pedersen Hash --- Cargo.lock | 120 +++++- zebra-chain/Cargo.toml | 2 + zebra-chain/src/orchard/commitment.rs | 49 ++- zebra-chain/src/orchard/keys.rs | 388 ++++++++++-------- zebra-chain/src/orchard/note.rs | 2 +- zebra-chain/src/orchard/note/nullifiers.rs | 28 +- zebra-chain/src/primitives/proofs.rs | 4 +- zebra-chain/src/primitives/redpallas.rs | 3 +- .../primitives/redpallas/verification_key.rs | 125 +----- 9 files changed, 397 insertions(+), 324 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index b5c5fac7e..4c0cb0630 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -59,6 +59,37 @@ version = "0.2.3" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "ee2a4ec343196209d6594e19543ae87a39f96d5534d7174822a3ad825dd6ed7e" +[[package]] +name = "aes" +version = "0.6.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "884391ef1066acaa41e766ba8f596341b96e93ce34f9a43e7d24bf0a0eaf0561" +dependencies = [ + "aes-soft", + "aesni", + "cipher", +] + +[[package]] +name = "aes-soft" +version = "0.6.4" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "be14c7498ea50828a38d0e24a765ed2effe92a705885b57d029cd67d45744072" +dependencies = [ + "cipher", + "opaque-debug 0.3.0", +] + +[[package]] +name = "aesni" +version = "0.10.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "ea2e11f5e94c2f7d386164cc2aa1f97823fed6f259e486940a71c174dd01b0ce" +dependencies = [ + "cipher", + "opaque-debug 0.3.0", +] + [[package]] name = "ahash" version = "0.3.8" @@ -377,13 +408,59 @@ dependencies = [ "constant_time_eq", ] +[[package]] +name = "block-buffer" +, - rho: pallas::Base, - psi: pallas::Base, ) -> Option<(CommitmentRandomness, Self)> where T: RngCore + CryptoRng, { - unimplemented!(); + // s as in the argument name for WindowedPedersenCommit_r(s) + let mut s: BitVec = BitVec::new(); - // // s as in the argument name for WindowedPedersenCommit_r(s) - // let mut s: BitVec = BitVec::new(); + // Prefix + s.append(&mut bitvec![1; 6]); - // // Prefix - // s.append(&mut bitvec![1; 6]); + // The `TryFrom` impls for the `pallas::*Point`s handles + // calling `DiversifyHash` implicitly. + let g_d_bytes: [u8; 32]; + if let Ok(g_d) = pallas::Affine::try_from(diversifier) { + g_d_bytes = g_d.to_bytes(); + } else { + return None; + } - // // The `TryFrom` impls for the `jubjub::*Point`s handles - // // calling `DiversifyHash` implicitly. - // let g_d_bytes: [u8; 32]; - // if let Ok(g_d) = pallas::Affine::try_from(diversifier) { - // g_d_bytes = g_d.to_bytes(); - // } else { - // return None; - // } + let pk_d_bytes = <[u8; 32]>::from(transmission_key); + let v_bytes = value.to_bytes(); - // let pk_d_bytes = <[u8; 32]>::from(transmission_key); - // let v_bytes = value.to_bytes(); + // g*d || pk*d || I2LEBSP64(v) + s.append(&mut BitVec::::from_slice(&g_d_bytes[..])); + s.append(&mut BitVec::::from_slice(&pk_d_bytes[..])); + s.append(&mut BitVec::::from_slice(&v_bytes[..])); - // s.append(&mut BitVec::::from_slice(&g_d_bytes[..])); - // s.append(&mut BitVec::::from_slice(&pk_d_bytes[..])); - // s.append(&mut BitVec::::from_slice(&v_bytes[..])); + let rcm = CommitmentRandomness(generate_trapdoor(csprng)); - // let rcm = CommitmentRandomness(generate_trapdoor(csprng)); - - // Some(( - // rcm, - // NoteCommitment::from(windowed_pedersen_commitment(rcm.0, &s)), - // )) + Some(( + rcm, + NoteCommitment::from(sinsemilla_commit(rcm.0, "z.cash:Orchard-NoteCommit", &s)), + )) } } diff --git a/zebra-chain/src/orchard/keys.rs b/zebra-chain/src/orchard/keys.rs index dac430c71..017016123 100644 --- a/zebra-chain/src/orchard/keys.rs +++ b/zebra-chain/src/orchard/keys.rs @@ -15,7 +15,9 @@ use std::{ str::FromStr, }; +use aes::Aes256; use bech32::{self, FromBase32, ToBase32, Variant}; +use fpe::ff1::{BinaryNumeralString, FF1}; use halo2::pasta::pallas; use rand_core::{CryptoRng, RngCore}; @@ -29,6 +31,26 @@ use crate::{ use super::sinsemilla::*; +/// PRP^d_K(d) := FF1-AES256_K("", d) +/// +/// "Let FF1-AES256_K(tweak, x) be the FF1 format-preserving encryption +/// algorithm using AES with a 256-bit key K, and parameters radix = 2, minlen = +/// 88, maxlen = 88. It will be used only with the empty string "" as the +/// tweak. x is a sequence of 88bits, as is the output." +/// +/// https://zips.z.cash/protocol/nu5.pdf#concreteprps +#[allow(non_snake_case)] +fn prp_d(K: [u8; 32], d: [u8; 11]) -> [u8; 11] { + let radix = 2; + let tweak = ""; + + let ff = FF1::::new(&K, radix).expect("valid radix"); + + let enc = ff + .encrypt(tweak.into(), &BinaryNumeralString::from_bytes_le(&d)) + .unwrap(); +} + /// Invokes Blake2b-512 as PRF^expand with parameter t. /// /// PRF^expand(sk, t) := BLAKE2b-512("Zcash_ExpandSeed", sk || t) @@ -256,15 +278,13 @@ impl From for [u8; 32] { impl From for OutgoingViewingKey { /// Derive an `OutgoingViewingKey` from a `FullViewingKey`. /// - /// let 𝐾 = I2LEBSPℓsk(rivk) - /// let 𝐵 = reprP(ak) || I2LEBSP256(nk) - /// let 𝑅 = PRFexpand - /// 𝐾 ([0x82] || LEBS2OSP512(B)) - /// let dk be the rst ℓdk/8 bytes of 𝑅 and let ovk be the remaining ℓovk/8 bytes of 𝑅. - /// - /// https://zips.z.cash/protocol/protocol.pdf#orchardkeycomponents - fn from(spending_key: SpendingKey) -> OutgoingViewingKey { - unimplemented!() + /// [4.2.3]: https://zips.z.cash/protocol/protocol.pdf#orchardkeycomponents + #[allow(non_snake_case)] + fn from(fvk: FullViewingKey) -> OutgoingViewingKey { + let R = fvk.to_R(); + + // let ovk be the remaining [32] bytes of R [which is 64 bytes] + Self(R[32..]) } } @@ -381,6 +401,21 @@ impl fmt::Debug for IvkCommitRandomness { } } +impl From for IvkCommitRandomness { + /// rivk = ToScalar^Orchard(PRF^expand_sk ([8])) + /// + /// https://zips.z.cash/protocol/protocol.pdf#orchardkeycomponents + fn from(sk: SpendingKey) -> Self { + Self(pallas::Scalar::from_bytes_wide(prf_expand(sk, [8]))) + } +} + +impl From for [u8; 32] { + fn from(rivk: IvkCommitRandomness) -> Self { + rivk.0.into() + } +} + /// Magic human-readable strings used to identify what networks Orchard incoming /// viewing keys are associated with when encoded/decoded with bech32. /// @@ -483,161 +518,6 @@ impl PartialEq<[u8; 32]> for IncomingViewingKey { } } -/// A _Diversifier_, as described in [protocol specification §4.2.3][ps]. -/// -/// Combined with an _IncomingViewingKey_, produces a _diversified -/// payment address_. -/// -/// [ps]: https://zips.z.cash/protocol/protocol.pdf#orchardkeycomponents -#[derive(Copy, Clone, Eq, PartialEq)] -#[cfg_attr( - any(test, feature = "proptest-impl"), - derive(proptest_derive::Arbitrary) -)] -pub struct Diversifier(pub [u8; 11]); - -impl fmt::Debug for Diversifier { - fn fmt(&self, f: &mut fmt::Formatter) -> fmt::Result { - f.debug_tuple("Diversifier") - .field(&hex::encode(&self.0)) - .finish() - } -} - -impl From<[u8; 11]> for Diversifier { - fn from(bytes: [u8; 11]) -> Self { - Self(bytes) - } -} - -impl From for [u8; 11] { - fn from(d: Diversifier) -> [u8; 11] { - d.0 - } -} - -impl TryFrom for pallas::Affine { - type Error = &'static str; - - /// Get a diversified base point from a diversifier value in affine - /// representation. - fn try_from(d: Diversifier) -> Result { - if let Ok(projective_point) = pallas::Point::try_from(d) { - Ok(projective_point.into()) - } else { - Err("Invalid Diversifier -> pallas::Affine") - } - } -} - -impl From for pallas::Point { - /// g_d := DiversifyHash^Orchard(d) - /// - /// [orchardkeycomponents]: https://zips.z.cash/protocol/nu5.pdf#orchardkeycomponents - fn from(d: Diversifier) -> Self { - diversify_hash(d.0) - } -} - -impl From for Diversifier { - /// Derives a [_default diversifier_][4.2.3] from a `SpendingKey`. - /// - /// 'For each spending key, there is also a default diversified - /// payment address with a “random-looking” diversifier. This - /// allows an implementation that does not expose diversified - /// addresses as a user-visible feature, to use a default address - /// that cannot be distinguished (without knowledge of the - /// spending key) from one with a random diversifier...' - /// - /// Derived as specied in [ZIP-32]. - /// - /// [4.2.3]: https://zips.z.cash/protocol/protocol.pdf#orchardkeycomponents - /// [ZIP-32]: https://zips.z.cash/zip-0032#orchard-diversifier-derivation - fn from(sk: SpendingKey) -> Diversifier { - // Needs FF1-AES permutation - unimplemented!() - } -} - -impl PartialEq<[u8; 11]> for Diversifier { - fn eq(&self, other: &[u8; 11]) -> bool { - self.0 == *other - } -} - -impl Diversifier { - /// Generate a new `Diversifier`. - /// - /// https://zips.z.cash/protocol/protocol.pdf#orchardkeycomponents - pub fn new(csprng: &mut T) -> Self - where - T: RngCore + CryptoRng, - { - let mut bytes = [0u8; 11]; - csprng.fill_bytes(&mut bytes); - - Self::from(bytes) - } -} - -/// A (diversified) transmission Key -/// -/// In Orchard, secrets need to be transmitted to a recipient of funds in order -/// for them to be later spent. To transmit these secrets securely to a -/// recipient without requiring an out-of-band communication channel, the -/// transmission key is used to encrypt them. -/// -/// Derived by multiplying a Pallas point [derived][ps] from a `Diversifier` by -/// the `IncomingViewingKey` scalar. -/// -/// [ps]: https://zips.z.cash/protocol/protocol.pdf#concretediversifyhash -#[derive(Copy, Clone, PartialEq)] -pub struct TransmissionKey(pub pallas::Affine); - -impl fmt::Debug for TransmissionKey { - fn fmt(&self, f: &mut fmt::Formatter) -> fmt::Result { - f.debug_struct("TransmissionKey") - .field("x", &hex::encode(self.0.get_x().to_bytes())) - .field("y", &hex::encode(self.0.get_y().to_bytes())) - .finish() - } -} - -impl Eq for TransmissionKey {} - -impl From<[u8; 32]> for TransmissionKey { - /// Attempts to interpret a byte representation of an affine point, failing - /// if the element is not on the curve or non-canonical. - /// - /// https://github.com/zkcrypto/jubjub/blob/master/src/lib.rs#L411 - fn from(bytes: [u8; 32]) -> Self { - Self(pallas::Affine::from_bytes(bytes).unwrap()) - } -} - -impl From for [u8; 32] { - fn from(pk_d: TransmissionKey) -> [u8; 32] { - pk_d.0.to_bytes() - } -} - -impl From<(IncomingViewingKey, Diversifier)> for TransmissionKey { - /// This includes _KA^Orchard.DerivePublic(ivk, G_d)_, which is just a - /// scalar mult _\[ivk\]G_d_. - /// - /// https://zips.z.cash/protocol/protocol.pdf#orchardkeycomponents - /// https://zips.z.cash/protocol/protocol.pdf#concreteorchardkeyagreement - fn from((ivk, d): (IncomingViewingKey, Diversifier)) -> Self { - Self(pallas::Affine::from(ivk.scalar * pallas::Point::from(d))) - } -} - -impl PartialEq<[u8; 32]> for TransmissionKey { - fn eq(&self, other: &[u8; 32]) -> bool { - <[u8; 32]>::from(*self) == *other - } -} - /// Magic human-readable strings used to identify what networks Orchard full /// viewing keys are associated with when encoded/decoded with bech32. /// @@ -722,9 +602,189 @@ impl FromStr for FullViewingKey { } } +impl FullViewingKey { + /// [4.2.3]: https://zips.z.cash/protocol/protocol.pdf#orchardkeycomponents + #[allow(non_snake_case)] + pub fn to_R(&self) -> [u8; 32] { + // let K = I2LEBSP_l_sk(rivk) + let K: [u8; 32] = self.ivk_commit_randomness.into(); + + // let R = PRF^expand_K( [0x82] || I2LEOSP256(ak) || I2LEOSP256(nk) ) + prf_expand(K, ([0x82], self.ak.into(), self.nk.into()).concat()) + } +} + #[derive(Copy, Clone, PartialEq)] pub struct DiversifierKey([u8; 32]); +impl From for DiversifierKey { + /// Derives a _diversifier key_ from a `FullViewingKey`. + /// + /// 'For each spending key, there is also a default diversified + /// payment address with a “random-looking” diversifier. This + /// allows an implementation that does not expose diversified + /// addresses as a user-visible feature, to use a default address + /// that cannot be distinguished (without knowledge of the + /// spending key) from one with a random diversifier...' + /// + /// Derived as specied in [ZIP-32]. + /// + /// [4.2.3]: https://zips.z.cash/protocol/protocol.pdf#orchardkeycomponents + /// [ZIP-32]: https://zips.z.cash/zip-0032#orchard-diversifier-derivation + #[allow(non_snake_case)] + fn from(fvk: FullViewingKey) -> DiversifierKey { + let R = fvk.to_R(); + + // let dk be the first [32] bytes of R + Self(R[..32]) + } +} + +/// A _Diversifier_, as described in [protocol specification §4.2.3][ps]. +/// +/// Combined with an _IncomingViewingKey_, produces a _diversified +/// payment address_. +/// +/// [ps]: https://zips.z.cash/protocol/protocol.pdf#orchardkeycomponents +#[derive(Copy, Clone, Eq, PartialEq)] +#[cfg_attr( + any(test, feature = "proptest-impl"), + derive(proptest_derive::Arbitrary) +)] +pub struct Diversifier(pub [u8; 11]); + +impl fmt::Debug for Diversifier { + fn fmt(&self, f: &mut fmt::Formatter) -> fmt::Result { + f.debug_tuple("Diversifier") + .field(&hex::encode(&self.0)) + .finish() + } +} + +impl From<[u8; 11]> for Diversifier { + fn from(bytes: [u8; 11]) -> Self { + Self(bytes) + } +} + +impl From for Diversifier { + /// Generates the _default diversifier_, where the index into the + /// `DiversifierKey` is 0. + /// + /// [orchardkeycomponents]: https://zips.z.cash/protocol/nu5.pdf#orchardkeycomponents + fn from(dk: DiversifierKey) -> Self { + Self(prp_d(dk.into(), [0u8; 11])) + } +} + +impl From for [u8; 11] { + fn from(d: Diversifier) -> [u8; 11] { + d.0 + } +} + +impl From for pallas::Point { + /// g_d := DiversifyHash^Orchard(d) + /// + /// [orchardkeycomponents]: https://zips.z.cash/protocol/nu5.pdf#orchardkeycomponents + fn from(d: Diversifier) -> Self { + diversify_hash(d.0) + } +} + +impl PartialEq<[u8; 11]> for Diversifier { + fn eq(&self, other: &[u8; 11]) -> bool { + self.0 == *other + } +} + +impl TryFrom for pallas::Affine { + type Error = &'static str; + + /// Get a diversified base point from a diversifier value in affine + /// representation. + fn try_from(d: Diversifier) -> Result { + if let Ok(projective_point) = pallas::Point::try_from(d) { + Ok(projective_point.into()) + } else { + Err("Invalid Diversifier -> pallas::Affine") + } + } +} + +impl Diversifier { + /// Generate a new `Diversifier`. + /// + /// https://zips.z.cash/protocol/protocol.pdf#orchardkeycomponents + pub fn new(csprng: &mut T) -> Self + where + T: RngCore + CryptoRng, + { + let mut bytes = [0u8; 11]; + csprng.fill_bytes(&mut bytes); + + Self::from(bytes) + } +} + +/// A (diversified) transmission Key +/// +/// In Orchard, secrets need to be transmitted to a recipient of funds in order +/// for them to be later spent. To transmit these secrets securely to a +/// recipient without requiring an out-of-band communication channel, the +/// transmission key is used to encrypt them. +/// +/// Derived by multiplying a Pallas point [derived][ps] from a `Diversifier` by +/// the `IncomingViewingKey` scalar. +/// +/// [ps]: https://zips.z.cash/protocol/protocol.pdf#concretediversifyhash +#[derive(Copy, Clone, PartialEq)] +pub struct TransmissionKey(pub pallas::Affine); + +impl fmt::Debug for TransmissionKey { + fn fmt(&self, f: &mut fmt::Formatter) -> fmt::Result { + f.debug_struct("TransmissionKey") + .field("x", &hex::encode(self.0.get_x().to_bytes())) + .field("y", &hex::encode(self.0.get_y().to_bytes())) + .finish() + } +} + +impl Eq for TransmissionKey {} + +impl From<[u8; 32]> for TransmissionKey { + /// Attempts to interpret a byte representation of an affine point, failing + /// if the element is not on the curve or non-canonical. + /// + /// https://github.com/zkcrypto/jubjub/blob/master/src/lib.rs#L411 + fn from(bytes: [u8; 32]) -> Self { + Self(pallas::Affine::from_bytes(bytes).unwrap()) + } +} + +impl From for [u8; 32] { + fn from(pk_d: TransmissionKey) -> [u8; 32] { + pk_d.0.to_bytes() + } +} + +impl From<(IncomingViewingKey, Diversifier)> for TransmissionKey { + /// This includes _KA^Orchard.DerivePublic(ivk, G_d)_, which is just a + /// scalar mult _\[ivk\]G_d_. + /// + /// https://zips.z.cash/protocol/protocol.pdf#orchardkeycomponents + /// https://zips.z.cash/protocol/protocol.pdf#concreteorchardkeyagreement + fn from((ivk, d): (IncomingViewingKey, Diversifier)) -> Self { + Self(pallas::Affine::from(pallas::Point::from(d) * ivk.scalar)) + } +} + +impl PartialEq<[u8; 32]> for TransmissionKey { + fn eq(&self, other: &[u8; 32]) -> bool { + <[u8; 32]>::from(*self) == *other + } +} + /// An ephemeral public key for Orchard key agreement. /// /// https://zips.z.cash/protocol/protocol.pdf#concreteorchardkeyagreement diff --git a/zebra-chain/src/orchard/note.rs b/zebra-chain/src/orchard/note.rs index 22923c1be..2bca3dd6f 100644 --- a/zebra-chain/src/orchard/note.rs +++ b/zebra-chain/src/orchard/note.rs @@ -18,7 +18,7 @@ use super::{ keys::{Diversifier, TransmissionKey}, }; -pub use ciphertexts::EncryptedNote; +pub use ciphertexts::{EncryptedNote, WrappedNoteKey}; pub use nullifiers::Nullifier; diff --git a/zebra-chain/src/orchard/note/nullifiers.rs b/zebra-chain/src/orchard/note/nullifiers.rs index 37f647b9e..a1d86fb3b 100644 --- a/zebra-chain/src/orchard/note/nullifiers.rs +++ b/zebra-chain/src/orchard/note/nullifiers.rs @@ -3,7 +3,24 @@ use halo2::pasta::pallas; -use super::super::{commitment::NoteCommitment, keys::NullifierDerivingKey, tree::Position}; +use super::super::{ + commitment::NoteCommitment, keys::NullifierDerivingKey, sinsemilla::*, tree::Position, +}; + +/// Orchard ixing Pedersen hash Function +/// +/// Used to compute ρ from a note commitment and its position in the note +/// commitment tree. It takes as input a Pedersen commitment P, and hashes it +/// with another input x. +/// +/// MixingPedersenHash(P, x) := P + [x]GroupHash^P^(r)(“Zcash_P_”, “”) +/// +/// https://zips.z.cash/protocol/protocol.pdf#concretemixinghash +// TODO: I'M EXTRAPOLATING HERE, DOUBLE CHECK THE SPEC WHEN FINALIZED +#[allow(non_snake_case)] +pub fn mixing_pedersen_hash(P: pallas::Point, x: pallas::Scalar) -> pallas::Point { + P + pallas_group_hash(*b"Zcash_P_", b"") * x +} /// A cryptographic permutation, defined in [poseidonhash]. /// @@ -42,8 +59,15 @@ impl From<[u8; 32]> for Nullifier { } impl<'a> From<(NoteCommitment, Position, &'a NullifierDerivingKey)> for Nullifier { + /// Derive a `Nullifier` for an Orchard _note_. + /// + /// For a _note_, the _nullifier_ is derived as PRF^nfOrchard_nk(ρ*), where + /// k is a representation of the _nullifier deriving key_ associated with + /// the _note_ and ρ = repr_P(ρ). + /// + /// https://zips.z.cash/protocol/nu5.pdf#commitmentsandnullifiers fn from((cm, pos, nk): (NoteCommitment, Position, &'a NullifierDerivingKey)) -> Self { - let rho = jubjub::AffinePoint::from(mixing_pedersen_hash(cm.0.into(), pos.0.into())); + let rho = pallas::Affine::from(mixing_pedersen_hash(cm.0.into(), pos.0.into())); Nullifier(prf_nf(nk.into(), rho.to_bytes())) } diff --git a/zebra-chain/src/primitives/proofs.rs b/zebra-chain/src/primitives/proofs.rs index 18c8aba74..50b4b4354 100644 --- a/zebra-chain/src/primitives/proofs.rs +++ b/zebra-chain/src/primitives/proofs.rs @@ -16,8 +16,8 @@ pub use self::halo2::Halo2Proof; /// A marker trait used to abstract over BCTV14, Groth16, or Halo2 proofs. pub trait ZkSnarkProof: - Copy - + Clone + // Copy + + Clone + Debug + PartialEq + Eq diff --git a/zebra-chain/src/primitives/redpallas.rs b/zebra-chain/src/primitives/redpallas.rs index 3cb6f93bb..f2ee5f643 100644 --- a/zebra-chain/src/primitives/redpallas.rs +++ b/zebra-chain/src/primitives/redpallas.rs @@ -11,9 +11,10 @@ mod constants; // mod hash; // mod scalar_mul; // mod signature; -// mod signing_key; +mod signing_key; mod verification_key; +pub use signing_key::SigningKey; pub use verification_key::{VerificationKey, VerificationKeyBytes}; /// Abstracts over different RedPallas parameter choices, [`Binding`] diff --git a/zebra-chain/src/primitives/redpallas/verification_key.rs b/zebra-chain/src/primitives/redpallas/verification_key.rs index 9a060be43..5a44f184b 100644 --- a/zebra-chain/src/primitives/redpallas/verification_key.rs +++ b/zebra-chain/src/primitives/redpallas/verification_key.rs @@ -6,7 +6,7 @@ use std::{ use halo2::pasta::pallas; -use super::{Error, SigType, Signature, SpendAuth}; +use super::SigType; /// A refinement type for `[u8; 32]` indicating that the bytes represent /// an encoding of a RedPallas verification key. @@ -65,126 +65,3 @@ pub struct VerificationKey { pub(crate) point: pallas::Point, pub(crate) bytes: VerificationKeyBytes, } - -impl From> for VerificationKeyBytes { - fn from(pk: VerificationKey) -> VerificationKeyBytes { - pk.bytes - } -} - -impl From> for [u8; 32] { - fn from(pk: VerificationKey) -> [u8; 32] { - pk.bytes.bytes - } -} - -impl TryFrom> for VerificationKey { - type Error = Error; - - fn try_from(bytes: VerificationKeyBytes) -> Result { - // XXX-pasta-curves: this should not use CtOption - // XXX-pasta-curves: this takes ownership of bytes, while Fr doesn't. - // This checks that the encoding is canonical... - let maybe_point = pallas::Point::from_bytes(bytes.bytes); - if maybe_point.is_some().into() { - let point = maybe_point.unwrap(); - // This checks that the verification key is not of small order. - if ::from(point.is_small_order()) == false { - Ok(VerificationKey { point, bytes }) - } else { - Err(Error::MalformedVerificationKey) - } - } else { - Err(Error::MalformedVerificationKey) - } - } -} - -impl TryFrom<[u8; 32]> for VerificationKey { - type Error = Error; - - fn try_from(bytes: [u8; 32]) -> Result { - use std::convert::TryInto; - VerificationKeyBytes::from(bytes).try_into() - } -} - -impl VerificationKey { - /// Randomize this verification key with the given `randomizer`. - /// - /// Randomization is only supported for `SpendAuth` keys. - pub fn randomize(&self, randomizer: &pallas::Scalar) -> VerificationKey { - use super::private::Sealed; - let point = self.point + &(&SpendAuth::basepoint() * randomizer); - let bytes = VerificationKeyBytes { - bytes: point.to_bytes().as_ref().try_into().unwrap(), - _marker: PhantomData, - }; - VerificationKey { bytes, point } - } -} - -impl VerificationKey { - pub(crate) fn from(s: &pallas::Scalar) -> VerificationKey { - let point = &T::basepoint() * s; - let bytes = VerificationKeyBytes { - bytes: point.to_bytes().as_ref().try_into().unwrap(), - _marker: PhantomData, - }; - VerificationKey { bytes, point } - } - - /// Verify a purported `signature` over `msg` made by this verification key. - // This is similar to impl signature::Verifier but without boxed errors - pub fn verify(&self, msg: &[u8], signature: &Signature) -> Result<(), Error> { - use super::HStar; - let c = HStar::default() - .update(&signature.r_bytes[..]) - .update(&self.bytes.bytes[..]) // XXX ugly - .update(msg) - .finalize(); - self.verify_prehashed(signature, c) - } - - /// Verify a purported `signature` with a prehashed challenge. - #[allow(non_snake_case)] - pub(crate) fn verify_prehashed( - &self, - signature: &Signature, - c: pallas::Scalar, - ) -> Result<(), Error> { - let r = { - // XXX-pasta-curves: should not use CtOption here - // XXX-pasta-curves: inconsistent ownership in from_bytes - let maybe_point = pallas::Point::from_bytes(signature.r_bytes); - if maybe_point.is_some().into() { - maybe_point.unwrap() - } else { - return Err(Error::InvalidSignature); - } - }; - - let s = { - // XXX-pasta-curves: should not use CtOption here - let maybe_scalar = pallas::Scalar::from_bytes(&signature.s_bytes); - if maybe_scalar.is_some().into() { - maybe_scalar.unwrap() - } else { - return Err(Error::InvalidSignature); - } - }; - - // XXX rewrite as normal double scalar mul - // Verify check is h * ( - s * B + R + c * A) == 0 - // h * ( s * B - c * A - R) == 0 - let sB = T::basepoint() * s; - let cA = self.point * c; - let check = sB - cA - r; - - if check.is_small_order().into() { - Ok(()) - } else { - Err(Error::InvalidSignature) - } - } -}