darkfi_sdk/crypto/
diffie_hellman.rs

1/* This file is part of DarkFi (https://dark.fi)
2 *
3 * Copyright (C) 2020-2025 Dyne.org foundation
4 *
5 * This program is free software: you can redistribute it and/or modify
6 * it under the terms of the GNU Affero General Public License as
7 * published by the Free Software Foundation, either version 3 of the
8 * License, or (at your option) any later version.
9 *
10 * This program is distributed in the hope that it will be useful,
11 * but WITHOUT ANY WARRANTY; without even the implied warranty of
12 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
13 * GNU Affero General Public License for more details.
14 *
15 * You should have received a copy of the GNU Affero General Public License
16 * along with this program.  If not, see <https://www.gnu.org/licenses/>.
17 */
18
19use blake2b_simd::{Hash as Blake2bHash, Params as Blake2bParams};
20use pasta_curves::group::{GroupEncoding, Wnaf};
21
22use super::{util::fp_mod_fv, PublicKey, SecretKey};
23use crate::error::ContractError;
24
25pub const KDF_SAPLING_PERSONALIZATION: &[u8; 16] = b"DarkFiSaplingKDF";
26
27/// Sapling key agreement for note encryption.
28/// Implements section 5.4.4.3 of the Zcash Protocol Specification
29pub fn sapling_ka_agree(esk: &SecretKey, pk_d: &PublicKey) -> Result<PublicKey, ContractError> {
30    let esk_s = fp_mod_fv(esk.inner());
31    // Windowed multiplication is constant time. Hence that is used here vs naive EC mult.
32    // Decrypting notes is a an amortized operation, so you want successful rare-case note
33    // decryptions to be indistinguishable from the usual case.
34    let mut wnaf = Wnaf::new();
35    PublicKey::try_from(wnaf.scalar(&esk_s).base(pk_d.inner()))
36}
37
38/// Sapling KDF for note encryption.
39pub fn kdf_sapling(dhsecret: &PublicKey, epk: &PublicKey) -> Blake2bHash {
40    // The P.to_bytes() for P ∈ ℙₚ function used on affine curves it not perfectly constant time,
41    // but it's close enough. The function returns 0 when P = ∞ is the identity which is the
42    // edge case but almost never occurs.
43    Blake2bParams::new()
44        .hash_length(32)
45        .personal(KDF_SAPLING_PERSONALIZATION)
46        .to_state()
47        .update(&dhsecret.inner().to_bytes())
48        .update(&epk.inner().to_bytes())
49        .finalize()
50}