darkfi_sdk/crypto/
note.rs

1/* This file is part of DarkFi (https://dark.fi)
2 *
3 * Copyright (C) 2020-2025 Dyne.org foundation
4 *
5 * This program is free software: you can redistribute it and/or modify
6 * it under the terms of the GNU Affero General Public License as
7 * published by the Free Software Foundation, either version 3 of the
8 * License, or (at your option) any later version.
9 *
10 * This program is distributed in the hope that it will be useful,
11 * but WITHOUT ANY WARRANTY; without even the implied warranty of
12 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
13 * GNU Affero General Public License for more details.
14 *
15 * You should have received a copy of the GNU Affero General Public License
16 * along with this program.  If not, see <https://www.gnu.org/licenses/>.
17 */
18
19use std::io::Cursor;
20
21use chacha20poly1305::{AeadInPlace, ChaCha20Poly1305, KeyInit};
22use darkfi_serial::{Decodable, Encodable, SerialDecodable, SerialEncodable};
23use pasta_curves::{group::ff::Field, pallas};
24use rand_core::{CryptoRng, RngCore};
25
26#[cfg(feature = "async")]
27use darkfi_serial::async_trait;
28
29use super::{diffie_hellman, poseidon_hash, util::fp_mod_fv, PublicKey, SecretKey};
30use crate::error::ContractError;
31
32/// AEAD tag length in bytes
33pub const AEAD_TAG_SIZE: usize = 16;
34
35/// An encrypted note using Diffie-Hellman and ChaCha20Poly1305
36#[derive(Debug, Clone, PartialEq, Eq, SerialEncodable, SerialDecodable)]
37pub struct AeadEncryptedNote {
38    pub ciphertext: Vec<u8>,
39    pub ephem_public: PublicKey,
40}
41
42impl AeadEncryptedNote {
43    pub fn encrypt(
44        note: &impl Encodable,
45        public: &PublicKey,
46        rng: &mut (impl CryptoRng + RngCore),
47    ) -> Result<Self, ContractError> {
48        let ephem_secret = SecretKey::random(rng);
49        let ephem_public = PublicKey::from_secret(ephem_secret);
50        let shared_secret = diffie_hellman::sapling_ka_agree(&ephem_secret, public)?;
51        let key = diffie_hellman::kdf_sapling(&shared_secret, &ephem_public);
52
53        let mut input = Vec::new();
54        note.encode(&mut input)?;
55        let input_len = input.len();
56
57        let mut ciphertext = vec![0_u8; input_len + AEAD_TAG_SIZE];
58        ciphertext[..input_len].copy_from_slice(&input);
59
60        ChaCha20Poly1305::new(key.as_ref().into())
61            .encrypt_in_place([0u8; 12][..].into(), &[], &mut ciphertext)
62            .unwrap();
63
64        Ok(Self { ciphertext, ephem_public })
65    }
66
67    pub fn decrypt<D: Decodable>(&self, secret: &SecretKey) -> Result<D, ContractError> {
68        let shared_secret = diffie_hellman::sapling_ka_agree(secret, &self.ephem_public)?;
69        let key = diffie_hellman::kdf_sapling(&shared_secret, &self.ephem_public);
70
71        let ct_len = self.ciphertext.len();
72        let mut plaintext = vec![0_u8; ct_len];
73        plaintext.copy_from_slice(&self.ciphertext);
74
75        match ChaCha20Poly1305::new(key.as_ref().into()).decrypt_in_place(
76            [0u8; 12][..].into(),
77            &[],
78            &mut plaintext,
79        ) {
80            Ok(()) => {
81                let mut cursor = Cursor::new(&plaintext[..ct_len - AEAD_TAG_SIZE]);
82                Ok(D::decode(&mut cursor)?)
83            }
84            Err(e) => Err(ContractError::IoError(format!("Note decrypt failed: {e}"))),
85        }
86    }
87}
88
89/// An encrypted note using an ElGamal scheme verifiable in ZK.
90///
91/// **WARNING:**
92/// Without ZK, there is no authentication of the ciphertexts so these should
93/// not be used without a corresponding ZK proof.
94#[derive(Debug, Copy, Clone, PartialEq, Eq, SerialEncodable, SerialDecodable)]
95pub struct ElGamalEncryptedNote<const N: usize> {
96    /// The values encrypted with the derived shared secret using Diffie-Hellman
97    pub encrypted_values: [pallas::Base; N],
98    /// The ephemeral public key used for Diffie-Hellman key derivation
99    pub ephem_public: PublicKey,
100}
101
102impl<const N: usize> ElGamalEncryptedNote<N> {
103    /// Encrypt given values to the given `PublicKey` using a `SecretKey` for Diffie-Hellman
104    ///
105    /// Note that this does not do any message authentication.
106    /// This means that alterations of the ciphertexts lead to the same alterations
107    /// on the plaintexts.
108    pub fn encrypt_unsafe(
109        values: [pallas::Base; N],
110        ephem_secret: &SecretKey,
111        public: &PublicKey,
112    ) -> Result<Self, ContractError> {
113        // Derive shared secret using DH
114        let ephem_public = PublicKey::from_secret(*ephem_secret);
115        let (ss_x, ss_y) =
116            PublicKey::try_from(public.inner() * fp_mod_fv(ephem_secret.inner()))?.xy();
117        let shared_secret = poseidon_hash([ss_x, ss_y]);
118
119        // Derive the blinds using the shared secret and incremental nonces
120        let mut blinds = [pallas::Base::ZERO; N];
121        for (i, item) in blinds.iter_mut().enumerate().take(N) {
122            *item = poseidon_hash([shared_secret, pallas::Base::from(i as u64 + 1)]);
123        }
124
125        // Encrypt the values
126        let mut encrypted_values = [pallas::Base::ZERO; N];
127        for i in 0..N {
128            encrypted_values[i] = values[i] + blinds[i];
129        }
130
131        Ok(Self { encrypted_values, ephem_public })
132    }
133
134    /// Decrypt the `ElGamalEncryptedNote` using a `SecretKey` for shared secret derivation
135    /// using Diffie-Hellman
136    ///
137    /// Note that this does not do any message authentication.
138    /// This means that alterations of the ciphertexts lead to the same alterations
139    /// on the plaintexts.
140    pub fn decrypt_unsafe(&self, secret: &SecretKey) -> Result<[pallas::Base; N], ContractError> {
141        // Derive shared secret using DH
142        let (ss_x, ss_y) =
143            PublicKey::try_from(self.ephem_public.inner() * fp_mod_fv(secret.inner()))?.xy();
144        let shared_secret = poseidon_hash([ss_x, ss_y]);
145
146        let mut blinds = [pallas::Base::ZERO; N];
147        for (i, item) in blinds.iter_mut().enumerate().take(N) {
148            *item = poseidon_hash([shared_secret, pallas::Base::from(i as u64 + 1)]);
149        }
150
151        let mut decrypted_values = [pallas::Base::ZERO; N];
152        for i in 0..N {
153            decrypted_values[i] = self.encrypted_values[i] - blinds[i];
154        }
155
156        Ok(decrypted_values)
157    }
158}
159
160#[cfg(test)]
161mod tests {
162    use super::*;
163    use crate::crypto::Keypair;
164
165    use rand::rngs::OsRng;
166
167    #[test]
168    fn test_aead_note() {
169        let plaintext = "gm world";
170        let keypair = Keypair::random(&mut OsRng);
171
172        let encrypted_note =
173            AeadEncryptedNote::encrypt(&plaintext, &keypair.public, &mut OsRng).unwrap();
174
175        let plaintext2: String = encrypted_note.decrypt(&keypair.secret).unwrap();
176
177        assert_eq!(plaintext, plaintext2);
178    }
179
180    #[test]
181    fn test_elgamal_note() {
182        const N_MSGS: usize = 10;
183
184        let plain_values = [pallas::Base::random(&mut OsRng); N_MSGS];
185        let keypair = Keypair::random(&mut OsRng);
186        let ephem_secret = SecretKey::random(&mut OsRng);
187
188        let encrypted_note =
189            ElGamalEncryptedNote::encrypt_unsafe(plain_values, &ephem_secret, &keypair.public)
190                .unwrap();
191
192        let decrypted_values = encrypted_note.decrypt_unsafe(&keypair.secret).unwrap();
193
194        assert_eq!(plain_values, decrypted_values);
195    }
196}