2018-03-05 22:33:44 +03:00
|
|
|
// Copyright 2018 The Grin Developers
|
2017-10-03 03:02:31 +03:00
|
|
|
//
|
|
|
|
|
// Licensed under the Apache License, Version 2.0 (the "License");
|
|
|
|
|
// you may not use this file except in compliance with the License.
|
|
|
|
|
// You may obtain a copy of the License at
|
|
|
|
|
//
|
|
|
|
|
// http://www.apache.org/licenses/LICENSE-2.0
|
|
|
|
|
//
|
|
|
|
|
// Unless required by applicable law or agreed to in writing, software
|
|
|
|
|
// distributed under the License is distributed on an "AS IS" BASIS,
|
|
|
|
|
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
|
|
|
// See the License for the specific language governing permissions and
|
|
|
|
|
// limitations under the License.
|
|
|
|
|
|
2018-06-08 08:21:54 +03:00
|
|
|
/// Implementation of the Keychain trait based on an extended key derivation
|
|
|
|
|
/// scheme.
|
2018-09-18 11:39:45 +03:00
|
|
|
use rand::distributions::Alphanumeric;
|
2017-10-03 03:02:31 +03:00
|
|
|
use rand::{thread_rng, Rng};
|
|
|
|
|
|
2019-06-27 11:19:17 +03:00
|
|
|
use crate::blake2::blake2b::blake2b;
|
2017-10-03 03:02:31 +03:00
|
|
|
|
2019-06-27 11:19:17 +03:00
|
|
|
use crate::extkey_bip32::{BIP32GrinHasher, ExtendedPrivKey, ExtendedPubKey};
|
|
|
|
|
use crate::types::{
|
|
|
|
|
BlindSum, BlindingFactor, Error, ExtKeychainPath, Identifier, Keychain, SwitchCommitmentType,
|
|
|
|
|
};
|
|
|
|
|
use crate::util::secp::key::{PublicKey, SecretKey};
|
2018-12-08 02:59:40 +03:00
|
|
|
use crate::util::secp::pedersen::Commitment;
|
|
|
|
|
use crate::util::secp::{self, Message, Secp256k1, Signature};
|
2018-02-28 20:56:09 +03:00
|
|
|
|
2017-10-03 03:02:31 +03:00
|
|
|
#[derive(Clone, Debug)]
|
2018-06-08 08:21:54 +03:00
|
|
|
pub struct ExtKeychain {
|
2017-10-03 03:02:31 +03:00
|
|
|
secp: Secp256k1,
|
2019-06-27 11:19:17 +03:00
|
|
|
pub master: ExtendedPrivKey,
|
2018-12-29 01:46:21 +03:00
|
|
|
hasher: BIP32GrinHasher,
|
2017-10-03 03:02:31 +03:00
|
|
|
}
|
|
|
|
|
|
2019-06-27 11:19:17 +03:00
|
|
|
impl ExtKeychain {
|
|
|
|
|
pub fn pub_root_key(&mut self) -> ExtendedPubKey {
|
|
|
|
|
ExtendedPubKey::from_private(&self.secp, &self.master, &mut self.hasher)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
pub fn hasher(&self) -> BIP32GrinHasher {
|
|
|
|
|
self.hasher.clone()
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2018-06-08 08:21:54 +03:00
|
|
|
impl Keychain for ExtKeychain {
|
2018-12-29 01:46:21 +03:00
|
|
|
fn from_seed(seed: &[u8], is_floo: bool) -> Result<ExtKeychain, Error> {
|
|
|
|
|
let mut h = BIP32GrinHasher::new(is_floo);
|
2017-10-03 03:02:31 +03:00
|
|
|
let secp = secp::Secp256k1::with_caps(secp::ContextFlag::Commit);
|
2018-10-10 12:11:01 +03:00
|
|
|
let master = ExtendedPrivKey::new_master(&secp, &mut h, seed)?;
|
2018-06-08 08:21:54 +03:00
|
|
|
let keychain = ExtKeychain {
|
2017-10-03 03:02:31 +03:00
|
|
|
secp: secp,
|
2018-10-10 12:11:01 +03:00
|
|
|
master: master,
|
2018-12-29 01:46:21 +03:00
|
|
|
hasher: h,
|
2017-10-03 03:02:31 +03:00
|
|
|
};
|
|
|
|
|
Ok(keychain)
|
|
|
|
|
}
|
|
|
|
|
|
2018-12-29 01:46:21 +03:00
|
|
|
fn from_mnemonic(word_list: &str, extension_word: &str, is_floo: bool) -> Result<Self, Error> {
|
2018-11-24 13:03:09 +03:00
|
|
|
let secp = secp::Secp256k1::with_caps(secp::ContextFlag::Commit);
|
2018-12-29 01:46:21 +03:00
|
|
|
let h = BIP32GrinHasher::new(is_floo);
|
|
|
|
|
let master = ExtendedPrivKey::from_mnemonic(&secp, word_list, extension_word, is_floo)?;
|
2018-11-24 13:03:09 +03:00
|
|
|
let keychain = ExtKeychain {
|
|
|
|
|
secp: secp,
|
|
|
|
|
master: master,
|
2018-12-29 01:46:21 +03:00
|
|
|
hasher: h,
|
2018-11-24 13:03:09 +03:00
|
|
|
};
|
|
|
|
|
Ok(keychain)
|
|
|
|
|
}
|
|
|
|
|
|
2019-08-02 13:30:26 +03:00
|
|
|
fn mask_master_key(&mut self, mask: &SecretKey) -> Result<(), Error> {
|
|
|
|
|
for i in 0..secp::constants::SECRET_KEY_SIZE {
|
|
|
|
|
self.master.secret_key.0[i] ^= mask.0[i];
|
|
|
|
|
}
|
|
|
|
|
Ok(())
|
|
|
|
|
}
|
|
|
|
|
|
2017-10-03 03:02:31 +03:00
|
|
|
/// For testing - probably not a good idea to use outside of tests.
|
2018-12-29 01:46:21 +03:00
|
|
|
fn from_random_seed(is_floo: bool) -> Result<ExtKeychain, Error> {
|
2018-09-18 11:39:45 +03:00
|
|
|
let seed: String = thread_rng().sample_iter(&Alphanumeric).take(16).collect();
|
2019-06-27 11:19:17 +03:00
|
|
|
let seed = blake2b(32, &[], seed.as_bytes());
|
2018-12-29 01:46:21 +03:00
|
|
|
ExtKeychain::from_seed(seed.as_bytes(), is_floo)
|
2018-06-08 08:21:54 +03:00
|
|
|
}
|
|
|
|
|
|
2018-10-10 12:11:01 +03:00
|
|
|
fn root_key_id() -> Identifier {
|
|
|
|
|
ExtKeychainPath::new(0, 0, 0, 0, 0).to_identifier()
|
2017-10-03 03:02:31 +03:00
|
|
|
}
|
|
|
|
|
|
2018-10-10 12:11:01 +03:00
|
|
|
fn derive_key_id(depth: u8, d1: u32, d2: u32, d3: u32, d4: u32) -> Identifier {
|
|
|
|
|
ExtKeychainPath::new(depth, d1, d2, d3, d4).to_identifier()
|
2017-10-03 03:02:31 +03:00
|
|
|
}
|
|
|
|
|
|
2019-06-27 11:19:17 +03:00
|
|
|
fn public_root_key(&self) -> PublicKey {
|
|
|
|
|
let mut hasher = self.hasher.clone();
|
|
|
|
|
ExtendedPubKey::from_private(&self.secp, &self.master, &mut hasher).public_key
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
fn derive_key(
|
|
|
|
|
&self,
|
|
|
|
|
amount: u64,
|
|
|
|
|
id: &Identifier,
|
|
|
|
|
switch: &SwitchCommitmentType,
|
|
|
|
|
) -> Result<SecretKey, Error> {
|
2018-12-29 01:46:21 +03:00
|
|
|
let mut h = self.hasher.clone();
|
2018-10-10 12:11:01 +03:00
|
|
|
let p = id.to_path();
|
2019-06-27 11:19:17 +03:00
|
|
|
let mut ext_key = self.master.clone();
|
2018-10-10 12:11:01 +03:00
|
|
|
for i in 0..p.depth {
|
2018-12-18 14:51:44 +03:00
|
|
|
ext_key = ext_key.ckd_priv(&self.secp, &mut h, p.path[i as usize])?;
|
|
|
|
|
}
|
|
|
|
|
|
2019-06-27 11:19:17 +03:00
|
|
|
match *switch {
|
|
|
|
|
SwitchCommitmentType::Regular => {
|
|
|
|
|
Ok(self.secp.blind_switch(amount, ext_key.secret_key)?)
|
|
|
|
|
}
|
|
|
|
|
SwitchCommitmentType::None => Ok(ext_key.secret_key),
|
2017-10-12 06:35:40 +03:00
|
|
|
}
|
2018-06-08 08:21:54 +03:00
|
|
|
}
|
|
|
|
|
|
2019-06-27 11:19:17 +03:00
|
|
|
fn commit(
|
|
|
|
|
&self,
|
|
|
|
|
amount: u64,
|
|
|
|
|
id: &Identifier,
|
|
|
|
|
switch: &SwitchCommitmentType,
|
|
|
|
|
) -> Result<Commitment, Error> {
|
|
|
|
|
let key = self.derive_key(amount, id, switch)?;
|
2018-12-18 14:51:44 +03:00
|
|
|
let commit = self.secp.commit(amount, key)?;
|
2018-06-08 08:21:54 +03:00
|
|
|
Ok(commit)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
fn blind_sum(&self, blind_sum: &BlindSum) -> Result<BlindingFactor, Error> {
|
|
|
|
|
let mut pos_keys: Vec<SecretKey> = blind_sum
|
|
|
|
|
.positive_key_ids
|
|
|
|
|
.iter()
|
2018-10-10 12:11:01 +03:00
|
|
|
.filter_map(|k| {
|
2019-06-27 11:19:17 +03:00
|
|
|
let res = self.derive_key(
|
|
|
|
|
k.value,
|
|
|
|
|
&Identifier::from_path(&k.ext_keychain_path),
|
|
|
|
|
&k.switch,
|
|
|
|
|
);
|
2018-10-10 12:11:01 +03:00
|
|
|
if let Ok(s) = res {
|
2018-12-18 14:51:44 +03:00
|
|
|
Some(s)
|
2018-10-10 12:11:01 +03:00
|
|
|
} else {
|
|
|
|
|
None
|
|
|
|
|
}
|
2018-12-08 02:59:40 +03:00
|
|
|
})
|
|
|
|
|
.collect();
|
2018-06-08 08:21:54 +03:00
|
|
|
|
|
|
|
|
let mut neg_keys: Vec<SecretKey> = blind_sum
|
|
|
|
|
.negative_key_ids
|
|
|
|
|
.iter()
|
2018-10-10 12:11:01 +03:00
|
|
|
.filter_map(|k| {
|
2019-06-27 11:19:17 +03:00
|
|
|
let res = self.derive_key(
|
|
|
|
|
k.value,
|
|
|
|
|
&Identifier::from_path(&k.ext_keychain_path),
|
|
|
|
|
&k.switch,
|
|
|
|
|
);
|
2018-10-10 12:11:01 +03:00
|
|
|
if let Ok(s) = res {
|
2018-12-18 14:51:44 +03:00
|
|
|
Some(s)
|
2018-10-10 12:11:01 +03:00
|
|
|
} else {
|
|
|
|
|
None
|
|
|
|
|
}
|
2018-12-08 02:59:40 +03:00
|
|
|
})
|
|
|
|
|
.collect();
|
2018-06-08 08:21:54 +03:00
|
|
|
|
2019-06-27 11:19:17 +03:00
|
|
|
let keys = blind_sum
|
|
|
|
|
.positive_blinding_factors
|
|
|
|
|
.iter()
|
|
|
|
|
.filter_map(|b| b.secret_key(&self.secp).ok().clone())
|
|
|
|
|
.collect::<Vec<SecretKey>>();
|
|
|
|
|
pos_keys.extend(keys);
|
2018-06-08 08:21:54 +03:00
|
|
|
|
2019-06-27 11:19:17 +03:00
|
|
|
let keys = blind_sum
|
|
|
|
|
.negative_blinding_factors
|
|
|
|
|
.iter()
|
|
|
|
|
.filter_map(|b| b.secret_key(&self.secp).ok().clone())
|
|
|
|
|
.collect::<Vec<SecretKey>>();
|
|
|
|
|
neg_keys.extend(keys);
|
2018-06-08 08:21:54 +03:00
|
|
|
|
|
|
|
|
let sum = self.secp.blind_sum(pos_keys, neg_keys)?;
|
|
|
|
|
Ok(BlindingFactor::from_secret_key(sum))
|
|
|
|
|
}
|
|
|
|
|
|
2019-06-27 11:19:17 +03:00
|
|
|
fn sign(
|
|
|
|
|
&self,
|
|
|
|
|
msg: &Message,
|
|
|
|
|
amount: u64,
|
|
|
|
|
id: &Identifier,
|
|
|
|
|
switch: &SwitchCommitmentType,
|
|
|
|
|
) -> Result<Signature, Error> {
|
|
|
|
|
let skey = self.derive_key(amount, id, switch)?;
|
2018-12-18 14:51:44 +03:00
|
|
|
let sig = self.secp.sign(msg, &skey)?;
|
2018-06-08 08:21:54 +03:00
|
|
|
Ok(sig)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
fn sign_with_blinding(
|
|
|
|
|
&self,
|
|
|
|
|
msg: &Message,
|
|
|
|
|
blinding: &BlindingFactor,
|
|
|
|
|
) -> Result<Signature, Error> {
|
|
|
|
|
let skey = &blinding.secret_key(&self.secp)?;
|
|
|
|
|
let sig = self.secp.sign(msg, &skey)?;
|
|
|
|
|
Ok(sig)
|
|
|
|
|
}
|
|
|
|
|
|
2018-12-18 18:44:55 +03:00
|
|
|
fn secp(&self) -> &Secp256k1 {
|
|
|
|
|
&self.secp
|
2018-12-18 14:51:44 +03:00
|
|
|
}
|
2018-06-08 08:21:54 +03:00
|
|
|
}
|
|
|
|
|
|
2017-10-03 03:02:31 +03:00
|
|
|
#[cfg(test)]
|
|
|
|
|
mod test {
|
2018-12-08 02:59:40 +03:00
|
|
|
use crate::keychain::ExtKeychain;
|
|
|
|
|
use crate::types::{BlindSum, BlindingFactor, ExtKeychainPath, Keychain};
|
|
|
|
|
use crate::util::secp;
|
|
|
|
|
use crate::util::secp::key::SecretKey;
|
2019-06-27 11:19:17 +03:00
|
|
|
use crate::SwitchCommitmentType;
|
2018-02-02 17:51:55 +03:00
|
|
|
|
2017-10-03 03:02:31 +03:00
|
|
|
#[test]
|
|
|
|
|
fn test_key_derivation() {
|
2018-12-29 01:46:21 +03:00
|
|
|
let keychain = ExtKeychain::from_random_seed(false).unwrap();
|
2017-11-09 22:26:45 +03:00
|
|
|
let secp = keychain.secp();
|
2019-06-27 11:19:17 +03:00
|
|
|
let switch = &SwitchCommitmentType::None;
|
2017-10-03 03:02:31 +03:00
|
|
|
|
2018-10-10 12:11:01 +03:00
|
|
|
let path = ExtKeychainPath::new(1, 1, 0, 0, 0);
|
|
|
|
|
let key_id = path.to_identifier();
|
2017-10-03 03:02:31 +03:00
|
|
|
|
|
|
|
|
let msg_bytes = [0; 32];
|
|
|
|
|
let msg = secp::Message::from_slice(&msg_bytes[..]).unwrap();
|
|
|
|
|
|
|
|
|
|
// now create a zero commitment using the key on the keychain associated with
|
2018-01-17 06:03:40 +03:00
|
|
|
// the key_id
|
2019-06-27 11:19:17 +03:00
|
|
|
let commit = keychain.commit(0, &key_id, switch).unwrap();
|
2017-10-03 03:02:31 +03:00
|
|
|
|
|
|
|
|
// now check we can use our key to verify a signature from this zero commitment
|
2019-06-27 11:19:17 +03:00
|
|
|
let sig = keychain.sign(&msg, 0, &key_id, switch).unwrap();
|
2017-10-03 03:02:31 +03:00
|
|
|
secp.verify_from_commit(&msg, &sig, &commit).unwrap();
|
|
|
|
|
}
|
2017-10-06 00:40:46 +03:00
|
|
|
|
2018-02-02 17:51:55 +03:00
|
|
|
// We plan to "offset" the key used in the kernel commitment
|
|
|
|
|
// so we are going to be doing some key addition/subtraction.
|
|
|
|
|
// This test is mainly to demonstrate that idea that summing commitments
|
|
|
|
|
// and summing the keys used to commit to 0 have the same result.
|
|
|
|
|
#[test]
|
|
|
|
|
fn secret_key_addition() {
|
2018-12-29 01:46:21 +03:00
|
|
|
let keychain = ExtKeychain::from_random_seed(false).unwrap();
|
2018-02-02 17:51:55 +03:00
|
|
|
|
|
|
|
|
let skey1 = SecretKey::from_slice(
|
|
|
|
|
&keychain.secp,
|
|
|
|
|
&[
|
2018-03-04 03:19:54 +03:00
|
|
|
0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
|
|
|
|
|
0, 0, 0, 1,
|
2018-02-02 17:51:55 +03:00
|
|
|
],
|
2018-12-08 02:59:40 +03:00
|
|
|
)
|
|
|
|
|
.unwrap();
|
2018-02-02 17:51:55 +03:00
|
|
|
|
|
|
|
|
let skey2 = SecretKey::from_slice(
|
|
|
|
|
&keychain.secp,
|
|
|
|
|
&[
|
2018-03-04 03:19:54 +03:00
|
|
|
0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
|
|
|
|
|
0, 0, 0, 2,
|
2018-02-02 17:51:55 +03:00
|
|
|
],
|
2018-12-08 02:59:40 +03:00
|
|
|
)
|
|
|
|
|
.unwrap();
|
2018-02-02 17:51:55 +03:00
|
|
|
|
|
|
|
|
// adding secret keys 1 and 2 to give secret key 3
|
|
|
|
|
let mut skey3 = skey1.clone();
|
|
|
|
|
let _ = skey3.add_assign(&keychain.secp, &skey2).unwrap();
|
|
|
|
|
|
|
|
|
|
// create commitments for secret keys 1, 2 and 3
|
|
|
|
|
// all committing to the value 0 (which is what we do for tx_kernels)
|
2019-06-27 11:19:17 +03:00
|
|
|
let commit_1 = keychain.secp.commit(0, skey1.clone()).unwrap();
|
|
|
|
|
let commit_2 = keychain.secp.commit(0, skey2.clone()).unwrap();
|
|
|
|
|
let commit_3 = keychain.secp.commit(0, skey3.clone()).unwrap();
|
2018-02-02 17:51:55 +03:00
|
|
|
|
|
|
|
|
// now sum commitments for keys 1 and 2
|
2018-03-04 03:19:54 +03:00
|
|
|
let sum = keychain
|
|
|
|
|
.secp
|
|
|
|
|
.commit_sum(vec![commit_1.clone(), commit_2.clone()], vec![])
|
|
|
|
|
.unwrap();
|
2018-02-02 17:51:55 +03:00
|
|
|
|
|
|
|
|
// confirm the commitment for key 3 matches the sum of the commitments 1 and 2
|
|
|
|
|
assert_eq!(sum, commit_3);
|
|
|
|
|
|
|
|
|
|
// now check we can sum keys up using keychain.blind_sum()
|
|
|
|
|
// in the same way (convenience function)
|
|
|
|
|
assert_eq!(
|
2018-03-04 03:19:54 +03:00
|
|
|
keychain
|
2018-09-04 12:58:26 +03:00
|
|
|
.blind_sum(
|
|
|
|
|
&BlindSum::new()
|
|
|
|
|
.add_blinding_factor(BlindingFactor::from_secret_key(skey1))
|
|
|
|
|
.add_blinding_factor(BlindingFactor::from_secret_key(skey2))
|
2018-12-08 02:59:40 +03:00
|
|
|
)
|
|
|
|
|
.unwrap(),
|
2018-02-13 18:35:30 +03:00
|
|
|
BlindingFactor::from_secret_key(skey3),
|
2018-02-02 17:51:55 +03:00
|
|
|
);
|
|
|
|
|
}
|
2017-10-03 03:02:31 +03:00
|
|
|
}
|
